From 2fa71a7650f43ff03cecba283e6f136b20a45a7c Mon Sep 17 00:00:00 2001 
From: protectionsmachine <72879786+protectionsmachine@users.noreply.github.com>
Date: Wed, 27 Nov 2024 14:54:51 +0000
Subject: [PATCH 1/2] [Security Rules] Update security rules package to v8.16.2-beta.1
---
 .../security_detection_engine/changelog.yml | 5 + .../000047bb-b27a-47ec-8b62-ef1a5d2c9e19.json | 1 - ...047bb-b27a-47ec-8b62-ef1a5d2c9e19_102.json | 1 - ...047bb-b27a-47ec-8b62-ef1a5d2c9e19_103.json | 1 - ...047bb-b27a-47ec-8b62-ef1a5d2c9e19_104.json | 1 - ...047bb-b27a-47ec-8b62-ef1a5d2c9e19_105.json | 1 - ...047bb-b27a-47ec-8b62-ef1a5d2c9e19_106.json | 1 - ...047bb-b27a-47ec-8b62-ef1a5d2c9e19_207.json | 1 - ...047bb-b27a-47ec-8b62-ef1a5d2c9e19_208.json | 1 - ...047bb-b27a-47ec-8b62-ef1a5d2c9e19_210.json | 1 - ...047bb-b27a-47ec-8b62-ef1a5d2c9e19_310.json | 84 +++++++++++ .../00140285-b827-4aee-aa09-8113f58a08f3.json | 1 - ...40285-b827-4aee-aa09-8113f58a08f3_105.json | 1 - ...40285-b827-4aee-aa09-8113f58a08f3_106.json | 1 - ...40285-b827-4aee-aa09-8113f58a08f3_107.json | 1 - ...40285-b827-4aee-aa09-8113f58a08f3_108.json | 1 - ...40285-b827-4aee-aa09-8113f58a08f3_109.json | 1 - ...40285-b827-4aee-aa09-8113f58a08f3_110.json | 1 - ...40285-b827-4aee-aa09-8113f58a08f3_111.json | 1 - ...40285-b827-4aee-aa09-8113f58a08f3_112.json | 1 - ...40285-b827-4aee-aa09-8113f58a08f3_113.json | 1 - ...40285-b827-4aee-aa09-8113f58a08f3_114.json | 1 - ...40285-b827-4aee-aa09-8113f58a08f3_314.json | 1 - .../0022d47d-39c7-4f69-a232-4fe9dc7a3acd.json | 1 - ...2d47d-39c7-4f69-a232-4fe9dc7a3acd_104.json | 1 - ...2d47d-39c7-4f69-a232-4fe9dc7a3acd_105.json | 1 - ...2d47d-39c7-4f69-a232-4fe9dc7a3acd_106.json | 1 - ...2d47d-39c7-4f69-a232-4fe9dc7a3acd_107.json | 1 - ...2d47d-39c7-4f69-a232-4fe9dc7a3acd_108.json | 1 - ...2d47d-39c7-4f69-a232-4fe9dc7a3acd_109.json | 1 - ...2d47d-39c7-4f69-a232-4fe9dc7a3acd_110.json | 1 - ...2d47d-39c7-4f69-a232-4fe9dc7a3acd_211.json | 1 - ...2d47d-39c7-4f69-a232-4fe9dc7a3acd_312.json | 1 - ...2d47d-39c7-4f69-a232-4fe9dc7a3acd_313.json | 1 - 
...2d47d-39c7-4f69-a232-4fe9dc7a3acd_314.json | 1 - ...2d47d-39c7-4f69-a232-4fe9dc7a3acd_414.json | 1 - .../00678712-b2df-11ed-afe9-f661ea17fbcc.json | 1 - ...0678712-b2df-11ed-afe9-f661ea17fbcc_1.json | 1 - ...0678712-b2df-11ed-afe9-f661ea17fbcc_2.json | 1 - .../0136b315-b566-482f-866c-1d8e2477ba16.json | 1 - ...6b315-b566-482f-866c-1d8e2477ba16_101.json | 1 - ...6b315-b566-482f-866c-1d8e2477ba16_102.json | 1 - ...6b315-b566-482f-866c-1d8e2477ba16_103.json | 1 - ...6b315-b566-482f-866c-1d8e2477ba16_105.json | 1 - .../015cca13-8832-49ac-a01b-a396114809f6.json | 1 - ...cca13-8832-49ac-a01b-a396114809f6_102.json | 1 - ...cca13-8832-49ac-a01b-a396114809f6_103.json | 1 - ...cca13-8832-49ac-a01b-a396114809f6_104.json | 1 - ...cca13-8832-49ac-a01b-a396114809f6_205.json | 1 - .../0171f283-ade7-4f87-9521-ac346c68cc9b.json | 1 - ...171f283-ade7-4f87-9521-ac346c68cc9b_1.json | 1 - ...171f283-ade7-4f87-9521-ac346c68cc9b_2.json | 1 - ...171f283-ade7-4f87-9521-ac346c68cc9b_3.json | 1 - ...171f283-ade7-4f87-9521-ac346c68cc9b_4.json | 1 - ...171f283-ade7-4f87-9521-ac346c68cc9b_5.json | 1 - ...171f283-ade7-4f87-9521-ac346c68cc9b_6.json | 1 - .../01c49712-25bc-49d2-a27d-d7ce52f5dc49.json | 1 - ...1c49712-25bc-49d2-a27d-d7ce52f5dc49_1.json | 1 - ...49712-25bc-49d2-a27d-d7ce52f5dc49_103.json | 88 +++++++++++ .../027ff9ea-85e7-42e3-99d2-bbb7069e02eb.json | 1 - ...ff9ea-85e7-42e3-99d2-bbb7069e02eb_101.json | 1 - ...ff9ea-85e7-42e3-99d2-bbb7069e02eb_102.json | 1 - ...ff9ea-85e7-42e3-99d2-bbb7069e02eb_103.json | 1 - ...ff9ea-85e7-42e3-99d2-bbb7069e02eb_104.json | 1 - ...ff9ea-85e7-42e3-99d2-bbb7069e02eb_105.json | 1 - ...ff9ea-85e7-42e3-99d2-bbb7069e02eb_106.json | 1 - .../0294f105-d7af-4a02-ae90-35f56763ffa2.json | 1 - ...294f105-d7af-4a02-ae90-35f56763ffa2_1.json | 1 - ...4f105-d7af-4a02-ae90-35f56763ffa2_103.json | 88 +++++++++++ .../02a23ee7-c8f8-4701-b99d-e9038ce313cb.json | 1 - ...2a23ee7-c8f8-4701-b99d-e9038ce313cb_3.json | 1 - ...2a23ee7-c8f8-4701-b99d-e9038ce313cb_4.json | 1 - 
...2a23ee7-c8f8-4701-b99d-e9038ce313cb_5.json | 1 - .../02a4576a-7480-4284-9327-548a806b5e48.json | 1 - ...4576a-7480-4284-9327-548a806b5e48_103.json | 1 - ...4576a-7480-4284-9327-548a806b5e48_104.json | 1 - ...4576a-7480-4284-9327-548a806b5e48_105.json | 1 - ...4576a-7480-4284-9327-548a806b5e48_206.json | 1 - ...4576a-7480-4284-9327-548a806b5e48_207.json | 1 - ...4576a-7480-4284-9327-548a806b5e48_208.json | 1 - .../02bab13d-fb14-4d7c-b6fe-4a28874d37c5.json | 1 - ...2bab13d-fb14-4d7c-b6fe-4a28874d37c5_1.json | 1 - ...2bab13d-fb14-4d7c-b6fe-4a28874d37c5_2.json | 1 - .../02ea4563-ec10-4974-b7de-12e65aa4f9b3.json | 1 - ...a4563-ec10-4974-b7de-12e65aa4f9b3_102.json | 1 - ...a4563-ec10-4974-b7de-12e65aa4f9b3_103.json | 1 - ...a4563-ec10-4974-b7de-12e65aa4f9b3_104.json | 1 - ...a4563-ec10-4974-b7de-12e65aa4f9b3_105.json | 1 - .../03024bd9-d23f-4ec1-8674-3cf1a21e130b.json | 1 - ...24bd9-d23f-4ec1-8674-3cf1a21e130b_101.json | 1 - ...24bd9-d23f-4ec1-8674-3cf1a21e130b_102.json | 1 - ...24bd9-d23f-4ec1-8674-3cf1a21e130b_103.json | 1 - ...24bd9-d23f-4ec1-8674-3cf1a21e130b_105.json | 1 - .../035889c4-2686-4583-a7df-67f89c292f2c.json | 1 - ...889c4-2686-4583-a7df-67f89c292f2c_104.json | 1 - ...889c4-2686-4583-a7df-67f89c292f2c_105.json | 1 - ...889c4-2686-4583-a7df-67f89c292f2c_106.json | 1 - ...889c4-2686-4583-a7df-67f89c292f2c_107.json | 1 - ...889c4-2686-4583-a7df-67f89c292f2c_108.json | 1 - ...889c4-2686-4583-a7df-67f89c292f2c_109.json | 1 - ...889c4-2686-4583-a7df-67f89c292f2c_110.json | 1 - ...889c4-2686-4583-a7df-67f89c292f2c_111.json | 1 - .../035a6f21-4092-471d-9cda-9e379f459b1e.json | 1 - ...35a6f21-4092-471d-9cda-9e379f459b1e_1.json | 1 - ...35a6f21-4092-471d-9cda-9e379f459b1e_2.json | 1 - .../0369e8a6-0fa7-4e7a-961a-53180a4c966e.json | 1 - ...369e8a6-0fa7-4e7a-961a-53180a4c966e_1.json | 1 - .../03a514d9-500e-443e-b6a9-72718c548f6c.json | 1 - ...3a514d9-500e-443e-b6a9-72718c548f6c_1.json | 1 - .../03c23d45-d3cb-4ad4-ab5d-b361ffe8724a.json | 1 - 
...3c23d45-d3cb-4ad4-ab5d-b361ffe8724a_1.json | 1 - ...3c23d45-d3cb-4ad4-ab5d-b361ffe8724a_2.json | 1 - .../0415258b-a7b2-48a6-891a-3367cd9d4d31.json | 1 - .../0415f22a-2336-45fa-ba07-618a5942e22c.json | 1 - ...5f22a-2336-45fa-ba07-618a5942e22c_103.json | 1 - ...5f22a-2336-45fa-ba07-618a5942e22c_104.json | 1 - ...5f22a-2336-45fa-ba07-618a5942e22c_105.json | 1 - ...5f22a-2336-45fa-ba07-618a5942e22c_106.json | 1 - ...5f22a-2336-45fa-ba07-618a5942e22c_107.json | 1 - ...5f22a-2336-45fa-ba07-618a5942e22c_108.json | 1 - ...5f22a-2336-45fa-ba07-618a5942e22c_109.json | 1 - ...d80a3-c49e-43ef-9c72-1088f0c7b278_101.json | 1 - ...d80a3-c49e-43ef-9c72-1088f0c7b278_201.json | 1 - .../04c5a96f-19c5-44fd-9571-a0b033f9086f.json | 1 - ...5a96f-19c5-44fd-9571-a0b033f9086f_101.json | 1 - .../053a0387-f3b5-4ba5-8245-8002cca2bd08.json | 1 - ...a0387-f3b5-4ba5-8245-8002cca2bd08_104.json | 1 - ...a0387-f3b5-4ba5-8245-8002cca2bd08_105.json | 1 - ...a0387-f3b5-4ba5-8245-8002cca2bd08_106.json | 1 - ...a0387-f3b5-4ba5-8245-8002cca2bd08_107.json | 1 - ...a0387-f3b5-4ba5-8245-8002cca2bd08_108.json | 1 - ...a0387-f3b5-4ba5-8245-8002cca2bd08_109.json | 1 - ...a0387-f3b5-4ba5-8245-8002cca2bd08_110.json | 1 - .../054db96b-fd34-43b3-9af2-587b3bd33964.json | 1 - ...54db96b-fd34-43b3-9af2-587b3bd33964_1.json | 1 - ...54db96b-fd34-43b3-9af2-587b3bd33964_2.json | 1 - ...54db96b-fd34-43b3-9af2-587b3bd33964_3.json | 1 - ...54db96b-fd34-43b3-9af2-587b3bd33964_4.json | 1 - ...54db96b-fd34-43b3-9af2-587b3bd33964_5.json | 1 - ...54db96b-fd34-43b3-9af2-587b3bd33964_6.json | 1 - .../0564fb9d-90b9-4234-a411-82a546dc1343.json | 1 - ...4fb9d-90b9-4234-a411-82a546dc1343_104.json | 1 - ...4fb9d-90b9-4234-a411-82a546dc1343_105.json | 1 - ...4fb9d-90b9-4234-a411-82a546dc1343_106.json | 1 - ...4fb9d-90b9-4234-a411-82a546dc1343_107.json | 1 - ...4fb9d-90b9-4234-a411-82a546dc1343_108.json | 1 - ...4fb9d-90b9-4234-a411-82a546dc1343_109.json | 1 - ...4fb9d-90b9-4234-a411-82a546dc1343_110.json | 1 - 
...4fb9d-90b9-4234-a411-82a546dc1343_111.json | 1 - ...4fb9d-90b9-4234-a411-82a546dc1343_112.json | 1 - ...4fb9d-90b9-4234-a411-82a546dc1343_113.json | 1 - .../05b358de-aa6d-4f6c-89e6-78f74018b43b.json | 1 - ...358de-aa6d-4f6c-89e6-78f74018b43b_104.json | 1 - ...358de-aa6d-4f6c-89e6-78f74018b43b_105.json | 1 - ...358de-aa6d-4f6c-89e6-78f74018b43b_106.json | 1 - ...358de-aa6d-4f6c-89e6-78f74018b43b_107.json | 1 - ...358de-aa6d-4f6c-89e6-78f74018b43b_108.json | 1 - ...358de-aa6d-4f6c-89e6-78f74018b43b_109.json | 1 - ...358de-aa6d-4f6c-89e6-78f74018b43b_110.json | 1 - .../05cad2fb-200c-407f-b472-02ea8c9e5e4a.json | 1 - ...5cad2fb-200c-407f-b472-02ea8c9e5e4a_1.json | 1 - ...5cad2fb-200c-407f-b472-02ea8c9e5e4a_2.json | 1 - ...5cad2fb-200c-407f-b472-02ea8c9e5e4a_3.json | 1 - .../05e5a668-7b51-4a67-93ab-e9af405c9ef3.json | 1 - ...5a668-7b51-4a67-93ab-e9af405c9ef3_103.json | 1 - ...5a668-7b51-4a67-93ab-e9af405c9ef3_104.json | 1 - ...5a668-7b51-4a67-93ab-e9af405c9ef3_105.json | 1 - ...5a668-7b51-4a67-93ab-e9af405c9ef3_106.json | 1 - ...5a668-7b51-4a67-93ab-e9af405c9ef3_107.json | 1 - .../0635c542-1b96-4335-9b47-126582d2c19a.json | 1 - ...5c542-1b96-4335-9b47-126582d2c19a_105.json | 1 - ...5c542-1b96-4335-9b47-126582d2c19a_106.json | 1 - ...5c542-1b96-4335-9b47-126582d2c19a_107.json | 1 - ...5c542-1b96-4335-9b47-126582d2c19a_108.json | 1 - ...5c542-1b96-4335-9b47-126582d2c19a_109.json | 1 - ...5c542-1b96-4335-9b47-126582d2c19a_110.json | 1 - ...5c542-1b96-4335-9b47-126582d2c19a_111.json | 1 - ...5c542-1b96-4335-9b47-126582d2c19a_112.json | 1 - ...5c542-1b96-4335-9b47-126582d2c19a_113.json | 1 - .../06568a02-af29-4f20-929c-f3af281e41aa.json | 1 - ...6568a02-af29-4f20-929c-f3af281e41aa_2.json | 1 - ...6568a02-af29-4f20-929c-f3af281e41aa_3.json | 1 - ...6568a02-af29-4f20-929c-f3af281e41aa_4.json | 1 - ...6568a02-af29-4f20-929c-f3af281e41aa_5.json | 1 - ...6568a02-af29-4f20-929c-f3af281e41aa_6.json | 1 - ...6568a02-af29-4f20-929c-f3af281e41aa_7.json | 1 - 
...6568a02-af29-4f20-929c-f3af281e41aa_8.json | 1 - ...6568a02-af29-4f20-929c-f3af281e41aa_9.json | 1 - .../0678bc9c-b71a-433b-87e6-2f664b6b3131.json | 1 - ...678bc9c-b71a-433b-87e6-2f664b6b3131_1.json | 1 - ...678bc9c-b71a-433b-87e6-2f664b6b3131_2.json | 1 - ...678bc9c-b71a-433b-87e6-2f664b6b3131_3.json | 1 - .../06a7a03c-c735-47a6-a313-51c354aef6c3.json | 1 - ...6a7a03c-c735-47a6-a313-51c354aef6c3_2.json | 1 - ...7a03c-c735-47a6-a313-51c354aef6c3_209.json | 1 - ...6a7a03c-c735-47a6-a313-51c354aef6c3_3.json | 1 - ...6a7a03c-c735-47a6-a313-51c354aef6c3_4.json | 1 - ...6a7a03c-c735-47a6-a313-51c354aef6c3_5.json | 1 - ...6a7a03c-c735-47a6-a313-51c354aef6c3_6.json | 1 - ...6a7a03c-c735-47a6-a313-51c354aef6c3_7.json | 1 - ...6a7a03c-c735-47a6-a313-51c354aef6c3_8.json | 1 - ...6a7a03c-c735-47a6-a313-51c354aef6c3_9.json | 1 - .../06dceabf-adca-48af-ac79-ffdf4c3b1e9a.json | 1 - ...ceabf-adca-48af-ac79-ffdf4c3b1e9a_104.json | 1 - ...ceabf-adca-48af-ac79-ffdf4c3b1e9a_105.json | 1 - ...ceabf-adca-48af-ac79-ffdf4c3b1e9a_106.json | 1 - ...ceabf-adca-48af-ac79-ffdf4c3b1e9a_107.json | 1 - ...ceabf-adca-48af-ac79-ffdf4c3b1e9a_108.json | 1 - ...ceabf-adca-48af-ac79-ffdf4c3b1e9a_109.json | 1 - ...ceabf-adca-48af-ac79-ffdf4c3b1e9a_110.json | 1 - ...ceabf-adca-48af-ac79-ffdf4c3b1e9a_111.json | 1 - ...ceabf-adca-48af-ac79-ffdf4c3b1e9a_112.json | 1 - ...ceabf-adca-48af-ac79-ffdf4c3b1e9a_212.json | 1 - .../074464f9-f30d-4029-8c03-0ed237fffec7.json | 1 - ...464f9-f30d-4029-8c03-0ed237fffec7_104.json | 1 - ...464f9-f30d-4029-8c03-0ed237fffec7_105.json | 1 - ...464f9-f30d-4029-8c03-0ed237fffec7_106.json | 1 - ...464f9-f30d-4029-8c03-0ed237fffec7_107.json | 1 - ...464f9-f30d-4029-8c03-0ed237fffec7_108.json | 1 - ...464f9-f30d-4029-8c03-0ed237fffec7_109.json | 1 - ...464f9-f30d-4029-8c03-0ed237fffec7_110.json | 1 - ...464f9-f30d-4029-8c03-0ed237fffec7_111.json | 1 - ...464f9-f30d-4029-8c03-0ed237fffec7_311.json | 1 - .../07639887-da3a-4fbf-9532-8ce748ff8c50.json | 1 - 
...7639887-da3a-4fbf-9532-8ce748ff8c50_1.json | 1 - ...39887-da3a-4fbf-9532-8ce748ff8c50_105.json | 77 ++++++++++ ...7639887-da3a-4fbf-9532-8ce748ff8c50_2.json | 1 - ...7639887-da3a-4fbf-9532-8ce748ff8c50_3.json | 1 - .../0787daa6-f8c5-453b-a4ec-048037f6c1cd.json | 1 - ...787daa6-f8c5-453b-a4ec-048037f6c1cd_1.json | 1 - ...787daa6-f8c5-453b-a4ec-048037f6c1cd_2.json | 1 - ...787daa6-f8c5-453b-a4ec-048037f6c1cd_3.json | 1 - ...787daa6-f8c5-453b-a4ec-048037f6c1cd_4.json | 1 - ...787daa6-f8c5-453b-a4ec-048037f6c1cd_5.json | 1 - ...787daa6-f8c5-453b-a4ec-048037f6c1cd_6.json | 1 - .../07b1ef73-1fde-4a49-a34a-5dd40011b076.json | 1 - ...1ef73-1fde-4a49-a34a-5dd40011b076_109.json | 1 - ...1ef73-1fde-4a49-a34a-5dd40011b076_210.json | 1 - ...1ef73-1fde-4a49-a34a-5dd40011b076_211.json | 1 - ...1ef73-1fde-4a49-a34a-5dd40011b076_212.json | 1 - ...7b1ef73-1fde-4a49-a34a-5dd40011b076_3.json | 1 - ...7b1ef73-1fde-4a49-a34a-5dd40011b076_4.json | 1 - ...7b1ef73-1fde-4a49-a34a-5dd40011b076_5.json | 1 - ...7b1ef73-1fde-4a49-a34a-5dd40011b076_6.json | 1 - ...7b1ef73-1fde-4a49-a34a-5dd40011b076_7.json | 1 - ...7b1ef73-1fde-4a49-a34a-5dd40011b076_8.json | 1 - .../07b5f85a-240f-11ed-b3d9-f661ea17fbce.json | 1 - ...5f85a-240f-11ed-b3d9-f661ea17fbce_104.json | 1 - ...5f85a-240f-11ed-b3d9-f661ea17fbce_105.json | 1 - ...5f85a-240f-11ed-b3d9-f661ea17fbce_106.json | 1 - .../080bc66a-5d56-4d1f-8071-817671716db9.json | 1 - ...bc66a-5d56-4d1f-8071-817671716db9_102.json | 1 - ...bc66a-5d56-4d1f-8071-817671716db9_103.json | 1 - ...bc66a-5d56-4d1f-8071-817671716db9_104.json | 1 - ...bc66a-5d56-4d1f-8071-817671716db9_105.json | 1 - ...bc66a-5d56-4d1f-8071-817671716db9_106.json | 1 - .../082e3f8c-6f80-485c-91eb-5b112cb79b28.json | 1 - ...e3f8c-6f80-485c-91eb-5b112cb79b28_102.json | 1 - ...e3f8c-6f80-485c-91eb-5b112cb79b28_103.json | 1 - ...e3f8c-6f80-485c-91eb-5b112cb79b28_104.json | 1 - ...e3f8c-6f80-485c-91eb-5b112cb79b28_105.json | 1 - .../083fa162-e790-4d85-9aeb-4fea04188adb.json | 1 - 
...fa162-e790-4d85-9aeb-4fea04188adb_102.json | 1 - ...fa162-e790-4d85-9aeb-4fea04188adb_103.json | 1 - ...fa162-e790-4d85-9aeb-4fea04188adb_104.json | 1 - ...fa162-e790-4d85-9aeb-4fea04188adb_105.json | 1 - .../0859355c-0f08-4b43-8ff5-7d2a4789fc08.json | 1 - ...859355c-0f08-4b43-8ff5-7d2a4789fc08_1.json | 1 - ...9355c-0f08-4b43-8ff5-7d2a4789fc08_109.json | 1 - ...859355c-0f08-4b43-8ff5-7d2a4789fc08_2.json | 1 - ...859355c-0f08-4b43-8ff5-7d2a4789fc08_3.json | 1 - ...859355c-0f08-4b43-8ff5-7d2a4789fc08_4.json | 1 - ...859355c-0f08-4b43-8ff5-7d2a4789fc08_7.json | 1 - .../089db1af-740d-4d84-9a5b-babd6de143b0.json | 1 - ...89db1af-740d-4d84-9a5b-babd6de143b0_1.json | 1 - ...89db1af-740d-4d84-9a5b-babd6de143b0_2.json | 1 - ...89db1af-740d-4d84-9a5b-babd6de143b0_3.json | 1 - ...89db1af-740d-4d84-9a5b-babd6de143b0_4.json | 1 - .../092b068f-84ac-485d-8a55-7dd9e006715f.json | 1 - ...b068f-84ac-485d-8a55-7dd9e006715f_102.json | 1 - ...b068f-84ac-485d-8a55-7dd9e006715f_103.json | 1 - ...b068f-84ac-485d-8a55-7dd9e006715f_104.json | 1 - ...b068f-84ac-485d-8a55-7dd9e006715f_105.json | 1 - ...b068f-84ac-485d-8a55-7dd9e006715f_106.json | 1 - .../09443c92-46b3-45a4-8f25-383b028b258d.json | 1 - ...43c92-46b3-45a4-8f25-383b028b258d_103.json | 1 - ...43c92-46b3-45a4-8f25-383b028b258d_104.json | 1 - ...43c92-46b3-45a4-8f25-383b028b258d_105.json | 1 - ...43c92-46b3-45a4-8f25-383b028b258d_106.json | 1 - ...43c92-46b3-45a4-8f25-383b028b258d_107.json | 1 - ...43c92-46b3-45a4-8f25-383b028b258d_108.json | 1 - ...43c92-46b3-45a4-8f25-383b028b258d_109.json | 1 - .../095b6a58-8f88-4b59-827c-ab584ad4e759.json | 1 - ...95b6a58-8f88-4b59-827c-ab584ad4e759_1.json | 1 - ...b6a58-8f88-4b59-827c-ab584ad4e759_103.json | 68 +++++++++ .../09bc6c90-7501-494d-b015-5d988dc3f233.json | 1 - ...9bc6c90-7501-494d-b015-5d988dc3f233_1.json | 1 - ...9bc6c90-7501-494d-b015-5d988dc3f233_2.json | 1 - ...9bc6c90-7501-494d-b015-5d988dc3f233_3.json | 1 - ...9bc6c90-7501-494d-b015-5d988dc3f233_4.json | 1 - 
.../09d028a5-dcde-409f-8ae0-557cef1b7082.json | 1 - ...028a5-dcde-409f-8ae0-557cef1b7082_101.json | 1 - .../0a97b20f-4144-49ea-be32-b540ecc445de.json | 1 - ...7b20f-4144-49ea-be32-b540ecc445de_100.json | 1 - ...7b20f-4144-49ea-be32-b540ecc445de_101.json | 1 - ...7b20f-4144-49ea-be32-b540ecc445de_102.json | 1 - .../0ab319ef-92b8-4c7f-989b-5de93c852e93.json | 1 - ...ab319ef-92b8-4c7f-989b-5de93c852e93_1.json | 1 - ...ab319ef-92b8-4c7f-989b-5de93c852e93_2.json | 1 - ...ab319ef-92b8-4c7f-989b-5de93c852e93_3.json | 1 - ...ab319ef-92b8-4c7f-989b-5de93c852e93_4.json | 1 - .../0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83.json | 1 - ...abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_1.json | 1 - ...f0c5b-62dd-48d2-ac4e-6b43fe3a6e83_106.json | 1 - ...f0c5b-62dd-48d2-ac4e-6b43fe3a6e83_107.json | 1 - ...abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_2.json | 1 - ...abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_3.json | 1 - ...abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_4.json | 1 - ...abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_5.json | 1 - ...abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_6.json | 1 - .../0b15bcad-aff1-4250-a5be-5d1b7eb56d07.json | 1 - ...b15bcad-aff1-4250-a5be-5d1b7eb56d07_1.json | 1 - ...b15bcad-aff1-4250-a5be-5d1b7eb56d07_2.json | 1 - ...b15bcad-aff1-4250-a5be-5d1b7eb56d07_3.json | 1 - .../0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5.json | 1 - ...9cab4-dbbd-4a3f-9e8e-1287c7c11ae5_102.json | 1 - ...9cab4-dbbd-4a3f-9e8e-1287c7c11ae5_103.json | 1 - ...9cab4-dbbd-4a3f-9e8e-1287c7c11ae5_104.json | 1 - ...9cab4-dbbd-4a3f-9e8e-1287c7c11ae5_105.json | 1 - ...9cab4-dbbd-4a3f-9e8e-1287c7c11ae5_106.json | 1 - ...9cab4-dbbd-4a3f-9e8e-1287c7c11ae5_107.json | 1 - .../0b2f3da5-b5ec-47d1-908b-6ebb74814289.json | 1 - ...f3da5-b5ec-47d1-908b-6ebb74814289_105.json | 1 - ...f3da5-b5ec-47d1-908b-6ebb74814289_106.json | 1 - ...f3da5-b5ec-47d1-908b-6ebb74814289_107.json | 1 - ...f3da5-b5ec-47d1-908b-6ebb74814289_108.json | 1 - ...f3da5-b5ec-47d1-908b-6ebb74814289_109.json | 1 - ...f3da5-b5ec-47d1-908b-6ebb74814289_110.json | 1 - 
...f3da5-b5ec-47d1-908b-6ebb74814289_111.json | 1 - ...f3da5-b5ec-47d1-908b-6ebb74814289_112.json | 1 - .../0b79f5c0-2c31-4fea-86cd-e62644278205.json | 1 - .../0b803267-74c5-444d-ae29-32b5db2d562a.json | 1 - ...b803267-74c5-444d-ae29-32b5db2d562a_1.json | 1 - ...b803267-74c5-444d-ae29-32b5db2d562a_2.json | 1 - ...b803267-74c5-444d-ae29-32b5db2d562a_3.json | 1 - ...b803267-74c5-444d-ae29-32b5db2d562a_4.json | 1 - ...b803267-74c5-444d-ae29-32b5db2d562a_5.json | 1 - ...b96dfd8-5b8c-4485-9a1c-69ff7839786a_1.json | 1 - ...6dfd8-5b8c-4485-9a1c-69ff7839786a_102.json | 1 - ...6dfd8-5b8c-4485-9a1c-69ff7839786a_103.json | 1 - ...b96dfd8-5b8c-4485-9a1c-69ff7839786a_2.json | 1 - .../0c093569-dff9-42b6-87b1-0242d9f7d9b4.json | 1 - ...c093569-dff9-42b6-87b1-0242d9f7d9b4_1.json | 1 - .../0c41e478-5263-4c69-8f9e-7dfd2c22da64.json | 1 - ...c41e478-5263-4c69-8f9e-7dfd2c22da64_1.json | 1 - ...c41e478-5263-4c69-8f9e-7dfd2c22da64_2.json | 1 - ...c41e478-5263-4c69-8f9e-7dfd2c22da64_3.json | 1 - ...c41e478-5263-4c69-8f9e-7dfd2c22da64_4.json | 1 - ...c41e478-5263-4c69-8f9e-7dfd2c22da64_5.json | 1 - ...c41e478-5263-4c69-8f9e-7dfd2c22da64_6.json | 1 - .../0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4.json | 1 - ...ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_104.json | 1 - ...ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_105.json | 1 - ...ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_106.json | 1 - ...ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_107.json | 1 - ...ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_108.json | 1 - ...ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_109.json | 1 - ...ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_110.json | 1 - ...ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_310.json | 1 - .../0cd2f3e6-41da-40e6-b28b-466f688f00a6.json | 1 - ...cd2f3e6-41da-40e6-b28b-466f688f00a6_1.json | 1 - ...cd2f3e6-41da-40e6-b28b-466f688f00a6_2.json | 1 - ...cd2f3e6-41da-40e6-b28b-466f688f00a6_3.json | 1 - .../0ce6487d-8069-4888-9ddd-61b52490cebc.json | 1 - ...6487d-8069-4888-9ddd-61b52490cebc_101.json | 1 - ...6487d-8069-4888-9ddd-61b52490cebc_102.json | 1 - 
...6487d-8069-4888-9ddd-61b52490cebc_103.json | 1 - ...6487d-8069-4888-9ddd-61b52490cebc_105.json | 1 - .../0d160033-fab7-4e72-85a3-3a9d80c8bff7.json | 1 - ...d160033-fab7-4e72-85a3-3a9d80c8bff7_2.json | 1 - .../0d69150b-96f8-467c-a86d-a67a3378ce77.json | 1 - ...9150b-96f8-467c-a86d-a67a3378ce77_103.json | 1 - ...9150b-96f8-467c-a86d-a67a3378ce77_104.json | 1 - ...9150b-96f8-467c-a86d-a67a3378ce77_105.json | 1 - ...9150b-96f8-467c-a86d-a67a3378ce77_106.json | 1 - ...9150b-96f8-467c-a86d-a67a3378ce77_107.json | 1 - .../0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5.json | 1 - ...ad79f-9025-45d8-80c1-4f0cd3c5e8e5_104.json | 1 - ...ad79f-9025-45d8-80c1-4f0cd3c5e8e5_105.json | 1 - ...ad79f-9025-45d8-80c1-4f0cd3c5e8e5_106.json | 1 - ...ad79f-9025-45d8-80c1-4f0cd3c5e8e5_107.json | 1 - ...ad79f-9025-45d8-80c1-4f0cd3c5e8e5_108.json | 1 - ...ad79f-9025-45d8-80c1-4f0cd3c5e8e5_109.json | 1 - ...ad79f-9025-45d8-80c1-4f0cd3c5e8e5_110.json | 1 - .../0e4367a0-a483-439d-ad2e-d90500b925fd.json | 1 - ...e4367a0-a483-439d-ad2e-d90500b925fd_1.json | 1 - ...367a0-a483-439d-ad2e-d90500b925fd_103.json | 95 ++++++++++++ .../0e52157a-8e96-4a95-a6e3-5faae5081a74.json | 1 - ...2157a-8e96-4a95-a6e3-5faae5081a74_101.json | 1 - ...2157a-8e96-4a95-a6e3-5faae5081a74_102.json | 1 - ...2157a-8e96-4a95-a6e3-5faae5081a74_103.json | 1 - ...2157a-8e96-4a95-a6e3-5faae5081a74_105.json | 1 - .../0e5acaae-6a64-4bbc-adb8-27649c03f7e1.json | 1 - ...acaae-6a64-4bbc-adb8-27649c03f7e1_103.json | 1 - .../0e79980b-4250-4a50-a509-69294c14e84b.json | 1 - ...9980b-4250-4a50-a509-69294c14e84b_102.json | 1 - ...9980b-4250-4a50-a509-69294c14e84b_103.json | 1 - ...9980b-4250-4a50-a509-69294c14e84b_104.json | 1 - ...9980b-4250-4a50-a509-69294c14e84b_105.json | 1 - ...9980b-4250-4a50-a509-69294c14e84b_106.json | 1 - ...9980b-4250-4a50-a509-69294c14e84b_107.json | 1 - ...9980b-4250-4a50-a509-69294c14e84b_108.json | 1 - ...9980b-4250-4a50-a509-69294c14e84b_109.json | 1 - ...9980b-4250-4a50-a509-69294c14e84b_110.json | 1 - 
.../0f4d35e4-925e-4959-ab24-911be207ee6f.json | 1 - ...f4d35e4-925e-4959-ab24-911be207ee6f_1.json | 1 - ...d35e4-925e-4959-ab24-911be207ee6f_103.json | 1 - ...d35e4-925e-4959-ab24-911be207ee6f_104.json | 1 - ...d35e4-925e-4959-ab24-911be207ee6f_105.json | 1 - ...d35e4-925e-4959-ab24-911be207ee6f_106.json | 1 - ...d35e4-925e-4959-ab24-911be207ee6f_107.json | 1 - ...d35e4-925e-4959-ab24-911be207ee6f_108.json | 1 - ...d35e4-925e-4959-ab24-911be207ee6f_109.json | 1 - ...d35e4-925e-4959-ab24-911be207ee6f_110.json | 1 - ...d35e4-925e-4959-ab24-911be207ee6f_111.json | 1 - ...d35e4-925e-4959-ab24-911be207ee6f_112.json | 1 - ...d35e4-925e-4959-ab24-911be207ee6f_113.json | 1 - .../0f56369f-eb3d-459c-a00b-87c2bf7bdfc5.json | 1 - ...f56369f-eb3d-459c-a00b-87c2bf7bdfc5_1.json | 1 - ...f56369f-eb3d-459c-a00b-87c2bf7bdfc5_2.json | 1 - .../0f93cb9a-1931-48c2-8cd0-f173fd3e5283.json | 1 - ...3cb9a-1931-48c2-8cd0-f173fd3e5283_103.json | 1 - ...3cb9a-1931-48c2-8cd0-f173fd3e5283_104.json | 1 - ...3cb9a-1931-48c2-8cd0-f173fd3e5283_105.json | 1 - ...3cb9a-1931-48c2-8cd0-f173fd3e5283_206.json | 1 - ...3cb9a-1931-48c2-8cd0-f173fd3e5283_207.json | 1 - ...3cb9a-1931-48c2-8cd0-f173fd3e5283_208.json | 1 - ...3cb9a-1931-48c2-8cd0-f173fd3e5283_209.json | 1 - .../0ff84c42-873d-41a2-a4ed-08d74d352d01.json | 1 - ...84c42-873d-41a2-a4ed-08d74d352d01_102.json | 1 - ...84c42-873d-41a2-a4ed-08d74d352d01_103.json | 1 - ...84c42-873d-41a2-a4ed-08d74d352d01_104.json | 1 - ...84c42-873d-41a2-a4ed-08d74d352d01_105.json | 1 - .../10445cf0-0748-11ef-ba75-f661ea17fbcc.json | 1 - ...0445cf0-0748-11ef-ba75-f661ea17fbcc_1.json | 1 - .../10a500bb-a28f-418e-ba29-ca4c8d1a9f2f.json | 1 - ...500bb-a28f-418e-ba29-ca4c8d1a9f2f_102.json | 1 - ...500bb-a28f-418e-ba29-ca4c8d1a9f2f_103.json | 1 - ...500bb-a28f-418e-ba29-ca4c8d1a9f2f_104.json | 1 - ...500bb-a28f-418e-ba29-ca4c8d1a9f2f_105.json | 1 - ...500bb-a28f-418e-ba29-ca4c8d1a9f2f_106.json | 1 - .../11013227-0301-4a8c-b150-4db924484475.json | 1 - 
...13227-0301-4a8c-b150-4db924484475_103.json | 1 - ...13227-0301-4a8c-b150-4db924484475_104.json | 1 - .../1160dcdb-0a0a-4a79-91d8-9b84616edebd.json | 1 - ...0dcdb-0a0a-4a79-91d8-9b84616edebd_103.json | 1 - ...0dcdb-0a0a-4a79-91d8-9b84616edebd_104.json | 1 - ...0dcdb-0a0a-4a79-91d8-9b84616edebd_105.json | 1 - ...0dcdb-0a0a-4a79-91d8-9b84616edebd_106.json | 1 - ...0dcdb-0a0a-4a79-91d8-9b84616edebd_107.json | 1 - ...0dcdb-0a0a-4a79-91d8-9b84616edebd_108.json | 1 - ...0dcdb-0a0a-4a79-91d8-9b84616edebd_109.json | 1 - ...0dcdb-0a0a-4a79-91d8-9b84616edebd_110.json | 1 - .../1178ae09-5aff-460a-9f2f-455cd0ac4d8e.json | 1 - ...8ae09-5aff-460a-9f2f-455cd0ac4d8e_104.json | 1 - ...8ae09-5aff-460a-9f2f-455cd0ac4d8e_105.json | 1 - ...8ae09-5aff-460a-9f2f-455cd0ac4d8e_106.json | 1 - ...8ae09-5aff-460a-9f2f-455cd0ac4d8e_107.json | 1 - ...8ae09-5aff-460a-9f2f-455cd0ac4d8e_108.json | 1 - ...8ae09-5aff-460a-9f2f-455cd0ac4d8e_109.json | 1 - ...8ae09-5aff-460a-9f2f-455cd0ac4d8e_110.json | 1 - ...8ae09-5aff-460a-9f2f-455cd0ac4d8e_111.json | 1 - ...8ae09-5aff-460a-9f2f-455cd0ac4d8e_112.json | 1 - .../119c8877-8613-416d-a98a-96b6664ee73a.json | 1 - ...c8877-8613-416d-a98a-96b6664ee73a_102.json | 1 - ...c8877-8613-416d-a98a-96b6664ee73a_103.json | 1 - ...c8877-8613-416d-a98a-96b6664ee73a_104.json | 1 - ...c8877-8613-416d-a98a-96b6664ee73a_205.json | 1 - .../11dd9713-0ec6-4110-9707-32daae1ee68c.json | 1 - ...dd9713-0ec6-4110-9707-32daae1ee68c_10.json | 1 - ...dd9713-0ec6-4110-9707-32daae1ee68c_11.json | 1 - ...dd9713-0ec6-4110-9707-32daae1ee68c_12.json | 1 - ...dd9713-0ec6-4110-9707-32daae1ee68c_13.json | 1 - ...1dd9713-0ec6-4110-9707-32daae1ee68c_4.json | 1 - ...1dd9713-0ec6-4110-9707-32daae1ee68c_5.json | 1 - ...1dd9713-0ec6-4110-9707-32daae1ee68c_6.json | 1 - ...1dd9713-0ec6-4110-9707-32daae1ee68c_7.json | 1 - ...1dd9713-0ec6-4110-9707-32daae1ee68c_8.json | 1 - ...1dd9713-0ec6-4110-9707-32daae1ee68c_9.json | 1 - .../11ea6bec-ebde-4d71-a8e9-784948f8e3e9.json | 1 - 
...a6bec-ebde-4d71-a8e9-784948f8e3e9_104.json | 1 - ...a6bec-ebde-4d71-a8e9-784948f8e3e9_105.json | 1 - ...a6bec-ebde-4d71-a8e9-784948f8e3e9_106.json | 1 - ...a6bec-ebde-4d71-a8e9-784948f8e3e9_107.json | 1 - ...a6bec-ebde-4d71-a8e9-784948f8e3e9_108.json | 1 - ...a6bec-ebde-4d71-a8e9-784948f8e3e9_109.json | 1 - ...a6bec-ebde-4d71-a8e9-784948f8e3e9_110.json | 1 - ...a6bec-ebde-4d71-a8e9-784948f8e3e9_111.json | 1 - ...a6bec-ebde-4d71-a8e9-784948f8e3e9_112.json | 1 - ...a6bec-ebde-4d71-a8e9-784948f8e3e9_113.json | 1 - .../12051077-0124-4394-9522-8f4f4db1d674.json | 1 - ...51077-0124-4394-9522-8f4f4db1d674_102.json | 1 - ...51077-0124-4394-9522-8f4f4db1d674_103.json | 1 - ...51077-0124-4394-9522-8f4f4db1d674_104.json | 1 - ...51077-0124-4394-9522-8f4f4db1d674_205.json | 1 - .../1224da6c-0326-4b4f-8454-68cdc5ae542b.json | 1 - ...224da6c-0326-4b4f-8454-68cdc5ae542b_1.json | 1 - ...224da6c-0326-4b4f-8454-68cdc5ae542b_2.json | 1 - ...224da6c-0326-4b4f-8454-68cdc5ae542b_3.json | 1 - ...224da6c-0326-4b4f-8454-68cdc5ae542b_4.json | 1 - ...224da6c-0326-4b4f-8454-68cdc5ae542b_5.json | 1 - ...224da6c-0326-4b4f-8454-68cdc5ae542b_6.json | 1 - .../1251b98a-ff45-11ee-89a1-f661ea17fbce.json | 1 - ...251b98a-ff45-11ee-89a1-f661ea17fbce_1.json | 1 - .../128468bf-cab1-4637-99ea-fdf3780a4609.json | 1 - ...468bf-cab1-4637-99ea-fdf3780a4609_105.json | 1 - ...468bf-cab1-4637-99ea-fdf3780a4609_106.json | 1 - ...468bf-cab1-4637-99ea-fdf3780a4609_107.json | 1 - ...28468bf-cab1-4637-99ea-fdf3780a4609_2.json | 1 - ...468bf-cab1-4637-99ea-fdf3780a4609_207.json | 1 - ...28468bf-cab1-4637-99ea-fdf3780a4609_3.json | 1 - ...28468bf-cab1-4637-99ea-fdf3780a4609_4.json | 1 - .../12a2f15d-597e-4334-88ff-38a02cb1330b.json | 1 - ...2f15d-597e-4334-88ff-38a02cb1330b_201.json | 1 - ...2f15d-597e-4334-88ff-38a02cb1330b_202.json | 1 - .../12cbf709-69e8-4055-94f9-24314385c27e.json | 1 - ...bf709-69e8-4055-94f9-24314385c27e_201.json | 1 - ...bf709-69e8-4055-94f9-24314385c27e_202.json | 1 - 
...bf709-69e8-4055-94f9-24314385c27e_203.json | 1 - .../12de29d4-bbb0-4eef-b687-857e8a163870.json | 1 - ...2de29d4-bbb0-4eef-b687-857e8a163870_1.json | 1 - ...2de29d4-bbb0-4eef-b687-857e8a163870_2.json | 1 - ...2de29d4-bbb0-4eef-b687-857e8a163870_3.json | 1 - .../12f07955-1674-44f7-86b5-c35da0a6f41a.json | 1 - ...07955-1674-44f7-86b5-c35da0a6f41a_104.json | 1 - ...07955-1674-44f7-86b5-c35da0a6f41a_105.json | 1 - ...07955-1674-44f7-86b5-c35da0a6f41a_106.json | 1 - ...07955-1674-44f7-86b5-c35da0a6f41a_107.json | 1 - ...07955-1674-44f7-86b5-c35da0a6f41a_108.json | 1 - ...07955-1674-44f7-86b5-c35da0a6f41a_109.json | 1 - ...07955-1674-44f7-86b5-c35da0a6f41a_110.json | 1 - ...07955-1674-44f7-86b5-c35da0a6f41a_111.json | 1 - ...07955-1674-44f7-86b5-c35da0a6f41a_112.json | 1 - ...07955-1674-44f7-86b5-c35da0a6f41a_113.json | 1 - ...07955-1674-44f7-86b5-c35da0a6f41a_313.json | 1 - .../1327384f-00f3-44d5-9a8c-2373ba071e92.json | 1 - ...7384f-00f3-44d5-9a8c-2373ba071e92_102.json | 1 - ...7384f-00f3-44d5-9a8c-2373ba071e92_103.json | 1 - ...7384f-00f3-44d5-9a8c-2373ba071e92_104.json | 1 - ...7384f-00f3-44d5-9a8c-2373ba071e92_105.json | 1 - ...7384f-00f3-44d5-9a8c-2373ba071e92_106.json | 1 - ...7384f-00f3-44d5-9a8c-2373ba071e92_107.json | 1 - ...7384f-00f3-44d5-9a8c-2373ba071e92_108.json | 1 - ...7384f-00f3-44d5-9a8c-2373ba071e92_209.json | 1 - ...7384f-00f3-44d5-9a8c-2373ba071e92_310.json | 1 - .../138c5dd5-838b-446e-b1ac-c995c7f8108a.json | 1 - ...c5dd5-838b-446e-b1ac-c995c7f8108a_102.json | 1 - ...c5dd5-838b-446e-b1ac-c995c7f8108a_103.json | 1 - ...c5dd5-838b-446e-b1ac-c995c7f8108a_104.json | 1 - .../1397e1b9-0c90-4d24-8d7b-80598eb9bc9a.json | 1 - ...397e1b9-0c90-4d24-8d7b-80598eb9bc9a_1.json | 1 - ...7e1b9-0c90-4d24-8d7b-80598eb9bc9a_107.json | 1 - ...397e1b9-0c90-4d24-8d7b-80598eb9bc9a_2.json | 1 - ...397e1b9-0c90-4d24-8d7b-80598eb9bc9a_5.json | 1 - .../13e908b9-7bf0-4235-abc9-b5deb500d0ad.json | 1 - ...3e908b9-7bf0-4235-abc9-b5deb500d0ad_1.json | 1 - 
...3e908b9-7bf0-4235-abc9-b5deb500d0ad_2.json | 1 - ...3e908b9-7bf0-4235-abc9-b5deb500d0ad_3.json | 1 - ...3e908b9-7bf0-4235-abc9-b5deb500d0ad_4.json | 1 - ...3e908b9-7bf0-4235-abc9-b5deb500d0ad_5.json | 1 - ...3e908b9-7bf0-4235-abc9-b5deb500d0ad_6.json | 1 - ...3e908b9-7bf0-4235-abc9-b5deb500d0ad_7.json | 1 - .../141e9b3a-ff37-4756-989d-05d7cbf35b0e.json | 1 - ...e9b3a-ff37-4756-989d-05d7cbf35b0e_101.json | 1 - .../143cb236-0956-4f42-a706-814bcaa0cf5a.json | 1 - ...cb236-0956-4f42-a706-814bcaa0cf5a_100.json | 1 - ...cb236-0956-4f42-a706-814bcaa0cf5a_101.json | 1 - ...cb236-0956-4f42-a706-814bcaa0cf5a_102.json | 1 - ...cb236-0956-4f42-a706-814bcaa0cf5a_103.json | 1 - .../14dab405-5dd9-450c-8106-72951af2391f.json | 1 - ...4dab405-5dd9-450c-8106-72951af2391f_1.json | 1 - ...4dab405-5dd9-450c-8106-72951af2391f_2.json | 1 - ...4dab405-5dd9-450c-8106-72951af2391f_3.json | 1 - .../14de811c-d60f-11ec-9fd7-f661ea17fbce.json | 1 - ...e811c-d60f-11ec-9fd7-f661ea17fbce_201.json | 1 - ...e811c-d60f-11ec-9fd7-f661ea17fbce_202.json | 1 - .../14ed1aa9-ebfd-4cf9-a463-0ac59ec55204.json | 1 - ...d1aa9-ebfd-4cf9-a463-0ac59ec55204_102.json | 1 - ...d1aa9-ebfd-4cf9-a463-0ac59ec55204_103.json | 1 - ...d1aa9-ebfd-4cf9-a463-0ac59ec55204_104.json | 1 - ...d1aa9-ebfd-4cf9-a463-0ac59ec55204_105.json | 1 - ...d1aa9-ebfd-4cf9-a463-0ac59ec55204_106.json | 1 - ...d1aa9-ebfd-4cf9-a463-0ac59ec55204_107.json | 1 - ...d1aa9-ebfd-4cf9-a463-0ac59ec55204_108.json | 1 - ...d1aa9-ebfd-4cf9-a463-0ac59ec55204_109.json | 1 - ...d1aa9-ebfd-4cf9-a463-0ac59ec55204_110.json | 1 - ...d1aa9-ebfd-4cf9-a463-0ac59ec55204_111.json | 1 - ...502a836-84b2-11ef-b026-f661ea17fbcc_1.json | 1 - ...2a836-84b2-11ef-b026-f661ea17fbcc_103.json | 85 +++++++++++ ...502a836-84b2-11ef-b026-f661ea17fbcc_3.json | 1 - .../151d8f72-0747-11ef-a0c2-f661ea17fbcc.json | 1 - .../1542fa53-955e-4330-8e4d-b2d812adeb5f.json | 1 - ...542fa53-955e-4330-8e4d-b2d812adeb5f_1.json | 1 - ...542fa53-955e-4330-8e4d-b2d812adeb5f_2.json | 1 - 
.../15a8ba77-1c13-4274-88fe-6bd14133861e.json | 1 - ...8ba77-1c13-4274-88fe-6bd14133861e_105.json | 1 - ...8ba77-1c13-4274-88fe-6bd14133861e_106.json | 1 - ...8ba77-1c13-4274-88fe-6bd14133861e_107.json | 1 - ...8ba77-1c13-4274-88fe-6bd14133861e_108.json | 1 - ...8ba77-1c13-4274-88fe-6bd14133861e_109.json | 1 - ...8ba77-1c13-4274-88fe-6bd14133861e_110.json | 1 - ...8ba77-1c13-4274-88fe-6bd14133861e_111.json | 1 - ...8ba77-1c13-4274-88fe-6bd14133861e_112.json | 1 - .../15c0b7a7-9c34-4869-b25b-fa6518414899.json | 1 - ...0b7a7-9c34-4869-b25b-fa6518414899_104.json | 1 - ...0b7a7-9c34-4869-b25b-fa6518414899_105.json | 1 - ...0b7a7-9c34-4869-b25b-fa6518414899_106.json | 1 - ...0b7a7-9c34-4869-b25b-fa6518414899_107.json | 1 - ...0b7a7-9c34-4869-b25b-fa6518414899_108.json | 1 - ...0b7a7-9c34-4869-b25b-fa6518414899_109.json | 1 - ...0b7a7-9c34-4869-b25b-fa6518414899_110.json | 1 - ...0b7a7-9c34-4869-b25b-fa6518414899_111.json | 1 - ...0b7a7-9c34-4869-b25b-fa6518414899_112.json | 1 - ...0b7a7-9c34-4869-b25b-fa6518414899_113.json | 1 - ...0b7a7-9c34-4869-b25b-fa6518414899_313.json | 1 - .../15dacaa0-5b90-466b-acab-63435a59701a.json | 1 - ...acaa0-5b90-466b-acab-63435a59701a_102.json | 1 - ...acaa0-5b90-466b-acab-63435a59701a_103.json | 1 - ...acaa0-5b90-466b-acab-63435a59701a_104.json | 1 - ...acaa0-5b90-466b-acab-63435a59701a_105.json | 1 - ...acaa0-5b90-466b-acab-63435a59701a_106.json | 1 - .../160896de-b66f-42cb-8fef-20f53a9006ea.json | 1 - .../16280f1e-57e6-4242-aa21-bb4d16f13b2f.json | 1 - ...80f1e-57e6-4242-aa21-bb4d16f13b2f_101.json | 1 - .../166727ab-6768-4e26-b80c-948b228ffc06.json | 1 - ...66727ab-6768-4e26-b80c-948b228ffc06_2.json | 1 - ...66727ab-6768-4e26-b80c-948b228ffc06_3.json | 1 - ...66727ab-6768-4e26-b80c-948b228ffc06_4.json | 1 - ...66727ab-6768-4e26-b80c-948b228ffc06_5.json | 1 - .../16904215-2c95-4ac8-bf5c-12354e047192.json | 1 - ...04215-2c95-4ac8-bf5c-12354e047192_102.json | 1 - ...04215-2c95-4ac8-bf5c-12354e047192_103.json | 1 - 
...04215-2c95-4ac8-bf5c-12354e047192_104.json | 1 - ...04215-2c95-4ac8-bf5c-12354e047192_105.json | 1 - .../169f3a93-efc7-4df2-94d6-0d9438c310d1.json | 1 - ...f3a93-efc7-4df2-94d6-0d9438c310d1_102.json | 1 - ...f3a93-efc7-4df2-94d6-0d9438c310d1_103.json | 1 - ...f3a93-efc7-4df2-94d6-0d9438c310d1_104.json | 1 - ...f3a93-efc7-4df2-94d6-0d9438c310d1_205.json | 1 - .../16a52c14-7883-47af-8745-9357803f0d4c.json | 1 - ...52c14-7883-47af-8745-9357803f0d4c_104.json | 1 - ...52c14-7883-47af-8745-9357803f0d4c_105.json | 1 - ...52c14-7883-47af-8745-9357803f0d4c_106.json | 1 - ...52c14-7883-47af-8745-9357803f0d4c_107.json | 1 - ...52c14-7883-47af-8745-9357803f0d4c_108.json | 1 - ...52c14-7883-47af-8745-9357803f0d4c_109.json | 1 - ...52c14-7883-47af-8745-9357803f0d4c_110.json | 1 - ...52c14-7883-47af-8745-9357803f0d4c_111.json | 1 - ...52c14-7883-47af-8745-9357803f0d4c_112.json | 1 - ...52c14-7883-47af-8745-9357803f0d4c_113.json | 1 - .../16fac1a1-21ee-4ca6-b720-458e3855d046.json | 1 - ...ac1a1-21ee-4ca6-b720-458e3855d046_105.json | 1 - ...ac1a1-21ee-4ca6-b720-458e3855d046_106.json | 1 - ...ac1a1-21ee-4ca6-b720-458e3855d046_107.json | 1 - ...ac1a1-21ee-4ca6-b720-458e3855d046_108.json | 1 - ...ac1a1-21ee-4ca6-b720-458e3855d046_109.json | 1 - ...ac1a1-21ee-4ca6-b720-458e3855d046_110.json | 1 - ...ac1a1-21ee-4ca6-b720-458e3855d046_111.json | 1 - .../17261da3-a6d0-463c-aac8-ea1718afcd20.json | 1 - ...7261da3-a6d0-463c-aac8-ea1718afcd20_1.json | 1 - ...7261da3-a6d0-463c-aac8-ea1718afcd20_2.json | 1 - .../1781d055-5c66-4adf-9c59-fc0fa58336a5.json | 1 - ...1d055-5c66-4adf-9c59-fc0fa58336a5_102.json | 1 - ...1d055-5c66-4adf-9c59-fc0fa58336a5_103.json | 1 - ...1d055-5c66-4adf-9c59-fc0fa58336a5_104.json | 1 - ...1d055-5c66-4adf-9c59-fc0fa58336a5_105.json | 1 - ...1d055-5c66-4adf-9c59-fc0fa58336a5_106.json | 1 - .../1781d055-5c66-4adf-9c71-fc0fa58338c7.json | 1 - ...1d055-5c66-4adf-9c71-fc0fa58338c7_101.json | 1 - ...1d055-5c66-4adf-9c71-fc0fa58338c7_102.json | 1 - 
...1d055-5c66-4adf-9c71-fc0fa58338c7_103.json | 1 - ...1d055-5c66-4adf-9c71-fc0fa58338c7_104.json | 1 - ...1d055-5c66-4adf-9c71-fc0fa58338c7_105.json | 1 - .../1781d055-5c66-4adf-9d60-fc0fa58337b6.json | 1 - ...1d055-5c66-4adf-9d60-fc0fa58337b6_102.json | 1 - ...1d055-5c66-4adf-9d60-fc0fa58337b6_103.json | 1 - ...1d055-5c66-4adf-9d60-fc0fa58337b6_104.json | 1 - ...1d055-5c66-4adf-9d60-fc0fa58337b6_105.json | 1 - ...1d055-5c66-4adf-9d60-fc0fa58337b6_106.json | 1 - .../1781d055-5c66-4adf-9d82-fc0fa58449c8.json | 1 - ...1d055-5c66-4adf-9d82-fc0fa58449c8_101.json | 1 - ...1d055-5c66-4adf-9d82-fc0fa58449c8_102.json | 1 - ...1d055-5c66-4adf-9d82-fc0fa58449c8_103.json | 1 - ...1d055-5c66-4adf-9d82-fc0fa58449c8_104.json | 1 - ...1d055-5c66-4adf-9d82-fc0fa58449c8_105.json | 1 - .../1781d055-5c66-4adf-9e93-fc0fa69550c9.json | 1 - ...1d055-5c66-4adf-9e93-fc0fa69550c9_101.json | 1 - ...1d055-5c66-4adf-9e93-fc0fa69550c9_102.json | 1 - ...1d055-5c66-4adf-9e93-fc0fa69550c9_103.json | 1 - ...1d055-5c66-4adf-9e93-fc0fa69550c9_104.json | 1 - ...1d055-5c66-4adf-9e93-fc0fa69550c9_105.json | 1 - .../17b0a495-4d9f-414c-8ad0-92f018b8e001.json | 1 - ...7b0a495-4d9f-414c-8ad0-92f018b8e001_1.json | 1 - ...b0a495-4d9f-414c-8ad0-92f018b8e001_10.json | 1 - ...b0a495-4d9f-414c-8ad0-92f018b8e001_11.json | 1 - ...b0a495-4d9f-414c-8ad0-92f018b8e001_12.json | 1 - ...b0a495-4d9f-414c-8ad0-92f018b8e001_13.json | 1 - ...b0a495-4d9f-414c-8ad0-92f018b8e001_14.json | 1 - ...7b0a495-4d9f-414c-8ad0-92f018b8e001_2.json | 1 - ...7b0a495-4d9f-414c-8ad0-92f018b8e001_3.json | 1 - ...7b0a495-4d9f-414c-8ad0-92f018b8e001_4.json | 1 - ...7b0a495-4d9f-414c-8ad0-92f018b8e001_5.json | 1 - ...7b0a495-4d9f-414c-8ad0-92f018b8e001_6.json | 1 - ...7b0a495-4d9f-414c-8ad0-92f018b8e001_7.json | 1 - ...7b0a495-4d9f-414c-8ad0-92f018b8e001_8.json | 1 - ...7b0a495-4d9f-414c-8ad0-92f018b8e001_9.json | 1 - .../17c7f6a5-5bc9-4e1f-92bf-13632d24384d.json | 1 - ...7f6a5-5bc9-4e1f-92bf-13632d24384d_104.json | 1 - 
...7f6a5-5bc9-4e1f-92bf-13632d24384d_105.json | 1 - ...7f6a5-5bc9-4e1f-92bf-13632d24384d_106.json | 1 - ...7f6a5-5bc9-4e1f-92bf-13632d24384d_107.json | 1 - ...7f6a5-5bc9-4e1f-92bf-13632d24384d_108.json | 1 - ...7f6a5-5bc9-4e1f-92bf-13632d24384d_109.json | 1 - .../17e68559-b274-4948-ad0b-f8415bb31126.json | 1 - ...68559-b274-4948-ad0b-f8415bb31126_101.json | 1 - ...68559-b274-4948-ad0b-f8415bb31126_102.json | 1 - ...68559-b274-4948-ad0b-f8415bb31126_103.json | 1 - ...f6b23-3799-445e-9589-0018328a9e46_101.json | 1 - .../184dfe52-2999-42d9-b9d1-d1ca54495a61.json | 1 - ...dfe52-2999-42d9-b9d1-d1ca54495a61_103.json | 1 - .../185c782e-f86a-11ee-9d9f-f661ea17fbce.json | 1 - .../18a5dd9a-e3fa-4996-99b1-ae533b8f27fc.json | 1 - ...8a5dd9a-e3fa-4996-99b1-ae533b8f27fc_1.json | 1 - ...8a5dd9a-e3fa-4996-99b1-ae533b8f27fc_2.json | 1 - ...8a5dd9a-e3fa-4996-99b1-ae533b8f27fc_3.json | 1 - .../192657ba-ab0e-4901-89a2-911d611eee98.json | 1 - ...92657ba-ab0e-4901-89a2-911d611eee98_1.json | 1 - ...92657ba-ab0e-4901-89a2-911d611eee98_2.json | 1 - ...92657ba-ab0e-4901-89a2-911d611eee98_3.json | 1 - .../193549e8-bb9e-466a-a7f9-7e783f5cb5a6.json | 1 - ...93549e8-bb9e-466a-a7f9-7e783f5cb5a6_1.json | 1 - ...93549e8-bb9e-466a-a7f9-7e783f5cb5a6_2.json | 1 - ...93549e8-bb9e-466a-a7f9-7e783f5cb5a6_3.json | 1 - ...9be0164-63d2-11ef-8e38-f661ea17fbce_1.json | 1 - .../19de8096-e2b0-4bd8-80c9-34a820813fff.json | 1 - ...e8096-e2b0-4bd8-80c9-34a820813fff_104.json | 1 - ...e8096-e2b0-4bd8-80c9-34a820813fff_105.json | 1 - ...e8096-e2b0-4bd8-80c9-34a820813fff_106.json | 1 - ...e8096-e2b0-4bd8-80c9-34a820813fff_107.json | 1 - ...e8096-e2b0-4bd8-80c9-34a820813fff_208.json | 1 - .../19e9daf3-f5c5-4bc2-a9af-6b1e97098f03.json | 1 - ...9e9daf3-f5c5-4bc2-a9af-6b1e97098f03_1.json | 1 - ...9e9daf3-f5c5-4bc2-a9af-6b1e97098f03_2.json | 1 - ...9e9daf3-f5c5-4bc2-a9af-6b1e97098f03_3.json | 1 - .../1a289854-5b78-49fe-9440-8a8096b1ab50.json | 1 - ...a289854-5b78-49fe-9440-8a8096b1ab50_1.json | 1 - 
.../1a36cace-11a7-43a8-9a10-b497c5a02cd3.json | 1 - ...6cace-11a7-43a8-9a10-b497c5a02cd3_101.json | 1 - .../1a6075b0-7479-450e-8fe7-b8b8438ac570.json | 1 - ...075b0-7479-450e-8fe7-b8b8438ac570_104.json | 1 - ...075b0-7479-450e-8fe7-b8b8438ac570_105.json | 1 - ...075b0-7479-450e-8fe7-b8b8438ac570_106.json | 1 - ...075b0-7479-450e-8fe7-b8b8438ac570_107.json | 1 - ...075b0-7479-450e-8fe7-b8b8438ac570_108.json | 1 - ...075b0-7479-450e-8fe7-b8b8438ac570_109.json | 1 - ...075b0-7479-450e-8fe7-b8b8438ac570_110.json | 1 - ...075b0-7479-450e-8fe7-b8b8438ac570_310.json | 1 - ...075b0-7479-450e-8fe7-b8b8438ac570_311.json | 1 - .../1aa8fa52-44a7-4dae-b058-f3333b91c8d7.json | 1 - ...8fa52-44a7-4dae-b058-f3333b91c8d7_105.json | 1 - ...8fa52-44a7-4dae-b058-f3333b91c8d7_106.json | 1 - ...8fa52-44a7-4dae-b058-f3333b91c8d7_107.json | 1 - ...8fa52-44a7-4dae-b058-f3333b91c8d7_208.json | 1 - .../1aa9181a-492b-4c01-8b16-fa0735786b2b.json | 1 - ...9181a-492b-4c01-8b16-fa0735786b2b_104.json | 1 - ...9181a-492b-4c01-8b16-fa0735786b2b_105.json | 1 - ...9181a-492b-4c01-8b16-fa0735786b2b_106.json | 1 - ...9181a-492b-4c01-8b16-fa0735786b2b_107.json | 1 - ...9181a-492b-4c01-8b16-fa0735786b2b_108.json | 1 - ...9181a-492b-4c01-8b16-fa0735786b2b_109.json | 1 - ...9181a-492b-4c01-8b16-fa0735786b2b_110.json | 1 - ...9181a-492b-4c01-8b16-fa0735786b2b_310.json | 1 - .../1b0b4818-5655-409b-9c73-341cac4bb73f.json | 1 - ...b0b4818-5655-409b-9c73-341cac4bb73f_1.json | 1 - ...b0b4818-5655-409b-9c73-341cac4bb73f_2.json | 1 - .../1b21abcc-4d9f-4b08-a7f5-316f5f94b973.json | 1 - ...1abcc-4d9f-4b08-a7f5-316f5f94b973_102.json | 1 - ...1abcc-4d9f-4b08-a7f5-316f5f94b973_103.json | 1 - ...1abcc-4d9f-4b08-a7f5-316f5f94b973_104.json | 1 - ...1abcc-4d9f-4b08-a7f5-316f5f94b973_105.json | 1 - ...1abcc-4d9f-4b08-a7f5-316f5f94b973_106.json | 1 - .../1ba5160d-f5a2-4624-b0ff-6a1dc55d2516.json | 1 - ...5160d-f5a2-4624-b0ff-6a1dc55d2516_102.json | 1 - ...5160d-f5a2-4624-b0ff-6a1dc55d2516_103.json | 1 - 
...5160d-f5a2-4624-b0ff-6a1dc55d2516_104.json | 1 - ...5160d-f5a2-4624-b0ff-6a1dc55d2516_205.json | 1 - .../1c27fa22-7727-4dd3-81c0-de6da5555feb.json | 1 - ...27fa22-7727-4dd3-81c0-de6da5555feb_10.json | 1 - ...c27fa22-7727-4dd3-81c0-de6da5555feb_4.json | 1 - ...c27fa22-7727-4dd3-81c0-de6da5555feb_5.json | 1 - ...c27fa22-7727-4dd3-81c0-de6da5555feb_6.json | 1 - ...c27fa22-7727-4dd3-81c0-de6da5555feb_7.json | 1 - ...c27fa22-7727-4dd3-81c0-de6da5555feb_8.json | 1 - ...c27fa22-7727-4dd3-81c0-de6da5555feb_9.json | 1 - .../1c5a04ae-d034-41bf-b0d8-96439b5cc774.json | 1 - ...c5a04ae-d034-41bf-b0d8-96439b5cc774_1.json | 1 - .../1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38.json | 1 - ...a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_105.json | 1 - ...a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_106.json | 1 - ...a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_107.json | 1 - ...a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_109.json | 1 - ...a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_111.json | 1 - .../1c84dd64-7e6c-4bad-ac73-a5014ee37042.json | 1 - ...4dd64-7e6c-4bad-ac73-a5014ee37042_104.json | 1 - ...4dd64-7e6c-4bad-ac73-a5014ee37042_105.json | 1 - ...4dd64-7e6c-4bad-ac73-a5014ee37042_106.json | 1 - ...4dd64-7e6c-4bad-ac73-a5014ee37042_107.json | 1 - ...4dd64-7e6c-4bad-ac73-a5014ee37042_108.json | 1 - ...4dd64-7e6c-4bad-ac73-a5014ee37042_109.json | 1 - ...4dd64-7e6c-4bad-ac73-a5014ee37042_110.json | 1 - ...4dd64-7e6c-4bad-ac73-a5014ee37042_111.json | 1 - ...4dd64-7e6c-4bad-ac73-a5014ee37042_112.json | 1 - ...4dd64-7e6c-4bad-ac73-a5014ee37042_113.json | 1 - ...4dd64-7e6c-4bad-ac73-a5014ee37042_114.json | 1 - ...4dd64-7e6c-4bad-ac73-a5014ee37042_115.json | 1 - .../1c966416-60c1-436b-bfd0-e002fddbfd89.json | 1 - ...66416-60c1-436b-bfd0-e002fddbfd89_101.json | 1 - .../1ca62f14-4787-4913-b7af-df11745a49da.json | 1 - ...ca62f14-4787-4913-b7af-df11745a49da_1.json | 1 - ...62f14-4787-4913-b7af-df11745a49da_103.json | 65 ++++++++ .../1cd01db9-be24-4bef-8e7c-e923f0ff78ab.json | 1 - ...01db9-be24-4bef-8e7c-e923f0ff78ab_103.json | 1 - 
...01db9-be24-4bef-8e7c-e923f0ff78ab_104.json | 1 - ...01db9-be24-4bef-8e7c-e923f0ff78ab_105.json | 1 - ...01db9-be24-4bef-8e7c-e923f0ff78ab_106.json | 1 - ...01db9-be24-4bef-8e7c-e923f0ff78ab_107.json | 1 - ...01db9-be24-4bef-8e7c-e923f0ff78ab_108.json | 1 - .../1ceb05c4-7d25-11ee-9562-f661ea17fbcd.json | 1 - ...ceb05c4-7d25-11ee-9562-f661ea17fbcd_1.json | 1 - ...b05c4-7d25-11ee-9562-f661ea17fbcd_105.json | 96 ++++++++++++ ...ceb05c4-7d25-11ee-9562-f661ea17fbcd_2.json | 1 - ...ceb05c4-7d25-11ee-9562-f661ea17fbcd_3.json | 1 - ...ceb05c4-7d25-11ee-9562-f661ea17fbcd_5.json | 1 - .../1d276579-3380-4095-ad38-e596a01bc64f.json | 1 - ...76579-3380-4095-ad38-e596a01bc64f_104.json | 1 - ...76579-3380-4095-ad38-e596a01bc64f_105.json | 1 - ...76579-3380-4095-ad38-e596a01bc64f_106.json | 1 - ...76579-3380-4095-ad38-e596a01bc64f_107.json | 1 - ...76579-3380-4095-ad38-e596a01bc64f_108.json | 1 - ...76579-3380-4095-ad38-e596a01bc64f_109.json | 1 - ...76579-3380-4095-ad38-e596a01bc64f_110.json | 1 - .../1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce.json | 1 - ...d4ca9c0-ff1e-11ee-91cc-f661ea17fbce_1.json | 1 - .../1d72d014-e2ab-4707-b056-9b96abe7b511.json | 1 - ...2d014-e2ab-4707-b056-9b96abe7b511_104.json | 1 - ...2d014-e2ab-4707-b056-9b96abe7b511_105.json | 1 - ...2d014-e2ab-4707-b056-9b96abe7b511_106.json | 1 - ...2d014-e2ab-4707-b056-9b96abe7b511_107.json | 1 - .../1d9aeb0b-9549-46f6-a32d-05e2a001b7fd.json | 1 - ...d9aeb0b-9549-46f6-a32d-05e2a001b7fd_2.json | 1 - ...d9aeb0b-9549-46f6-a32d-05e2a001b7fd_3.json | 1 - ...d9aeb0b-9549-46f6-a32d-05e2a001b7fd_4.json | 1 - ...d9aeb0b-9549-46f6-a32d-05e2a001b7fd_5.json | 1 - ...d9aeb0b-9549-46f6-a32d-05e2a001b7fd_6.json | 1 - ...d9aeb0b-9549-46f6-a32d-05e2a001b7fd_7.json | 1 - ...d9aeb0b-9549-46f6-a32d-05e2a001b7fd_8.json | 1 - .../1dcc51f6-ba26-49e7-9ef4-2655abb2361e.json | 1 - ...c51f6-ba26-49e7-9ef4-2655abb2361e_102.json | 1 - ...c51f6-ba26-49e7-9ef4-2655abb2361e_103.json | 1 - ...c51f6-ba26-49e7-9ef4-2655abb2361e_104.json | 1 - 
...c51f6-ba26-49e7-9ef4-2655abb2361e_105.json | 1 - ...c51f6-ba26-49e7-9ef4-2655abb2361e_106.json | 1 - ...c51f6-ba26-49e7-9ef4-2655abb2361e_107.json | 1 - ...c51f6-ba26-49e7-9ef4-2655abb2361e_108.json | 1 - ...c51f6-ba26-49e7-9ef4-2655abb2361e_109.json | 1 - ...c51f6-ba26-49e7-9ef4-2655abb2361e_110.json | 1 - ...c51f6-ba26-49e7-9ef4-2655abb2361e_310.json | 1 - .../1dee0500-4aeb-44ca-b24b-4a285d7b6ba1.json | 1 - ...dee0500-4aeb-44ca-b24b-4a285d7b6ba1_2.json | 1 - ...dee0500-4aeb-44ca-b24b-4a285d7b6ba1_3.json | 1 - ...dee0500-4aeb-44ca-b24b-4a285d7b6ba1_4.json | 1 - ...dee0500-4aeb-44ca-b24b-4a285d7b6ba1_5.json | 1 - ...dee0500-4aeb-44ca-b24b-4a285d7b6ba1_6.json | 1 - .../1defdd62-cd8d-426e-a246-81a37751bb2b.json | 1 - ...fdd62-cd8d-426e-a246-81a37751bb2b_104.json | 1 - ...fdd62-cd8d-426e-a246-81a37751bb2b_105.json | 1 - ...fdd62-cd8d-426e-a246-81a37751bb2b_106.json | 1 - ...fdd62-cd8d-426e-a246-81a37751bb2b_107.json | 1 - ...fdd62-cd8d-426e-a246-81a37751bb2b_108.json | 1 - .../1df1152b-610a-4f48-9d7a-504f6ee5d9da.json | 1 - ...df1152b-610a-4f48-9d7a-504f6ee5d9da_1.json | 1 - ...df1152b-610a-4f48-9d7a-504f6ee5d9da_2.json | 1 - ...df1152b-610a-4f48-9d7a-504f6ee5d9da_3.json | 1 - .../1e0a3f7c-21e7-4bb1-98c7-2036612fb1be.json | 1 - ...e0a3f7c-21e7-4bb1-98c7-2036612fb1be_1.json | 1 - ...a3f7c-21e7-4bb1-98c7-2036612fb1be_106.json | 1 - ...a3f7c-21e7-4bb1-98c7-2036612fb1be_107.json | 1 - ...a3f7c-21e7-4bb1-98c7-2036612fb1be_108.json | 1 - ...e0a3f7c-21e7-4bb1-98c7-2036612fb1be_2.json | 1 - ...e0a3f7c-21e7-4bb1-98c7-2036612fb1be_3.json | 1 - ...e0a3f7c-21e7-4bb1-98c7-2036612fb1be_4.json | 1 - ...e0a3f7c-21e7-4bb1-98c7-2036612fb1be_5.json | 1 - ...e0a3f7c-21e7-4bb1-98c7-2036612fb1be_6.json | 1 - .../1e0b832e-957e-43ae-b319-db82d228c908.json | 1 - ...b832e-957e-43ae-b319-db82d228c908_101.json | 1 - .../1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc.json | 1 - ...e1b2e7e-b8f5-45e5-addc-66cc1224ffbc_1.json | 1 - ...e1b2e7e-b8f5-45e5-addc-66cc1224ffbc_2.json | 1 - 
...e1b2e7e-b8f5-45e5-addc-66cc1224ffbc_3.json | 1 - .../1e6363a6-3af5-41d4-b7ea-d475389c0ceb.json | 1 - ...e6363a6-3af5-41d4-b7ea-d475389c0ceb_1.json | 1 - ...e6363a6-3af5-41d4-b7ea-d475389c0ceb_2.json | 1 - ...e6363a6-3af5-41d4-b7ea-d475389c0ceb_3.json | 1 - ...e6363a6-3af5-41d4-b7ea-d475389c0ceb_4.json | 1 - ...e6363a6-3af5-41d4-b7ea-d475389c0ceb_5.json | 1 - .../1e9b271c-8caa-4e20-aed8-e91e34de9283.json | 1 - ...e9b271c-8caa-4e20-aed8-e91e34de9283_1.json | 1 - ...b271c-8caa-4e20-aed8-e91e34de9283_103.json | 93 ++++++++++++ .../1e9fc667-9ff1-4b33-9f40-fefca8537eb0.json | 1 - ...fc667-9ff1-4b33-9f40-fefca8537eb0_101.json | 1 - ...fc667-9ff1-4b33-9f40-fefca8537eb0_102.json | 1 - ...fc667-9ff1-4b33-9f40-fefca8537eb0_103.json | 1 - .../1f0a69c0-3392-4adf-b7d5-6012fd292da8.json | 1 - ...f0a69c0-3392-4adf-b7d5-6012fd292da8_2.json | 1 - ...f0a69c0-3392-4adf-b7d5-6012fd292da8_3.json | 1 - ...f0a69c0-3392-4adf-b7d5-6012fd292da8_4.json | 1 - ...f0a69c0-3392-4adf-b7d5-6012fd292da8_5.json | 1 - ...f0a69c0-3392-4adf-b7d5-6012fd292da8_6.json | 1 - ...f0a69c0-3392-4adf-b7d5-6012fd292da8_7.json | 1 - ...f0a69c0-3392-4adf-b7d5-6012fd292da8_8.json | 1 - ...f0a69c0-3392-4adf-b7d5-6012fd292da8_9.json | 1 - ...f45720e-5ea8-11ef-90d2-f661ea17fbce_1.json | 1 - .../1f460f12-a3cf-4105-9ebb-f788cc63f365.json | 1 - ...f460f12-a3cf-4105-9ebb-f788cc63f365_1.json | 1 - ...f460f12-a3cf-4105-9ebb-f788cc63f365_2.json | 1 - ...f460f12-a3cf-4105-9ebb-f788cc63f365_3.json | 1 - .../1faec04b-d902-4f89-8aff-92cd9043c16f.json | 1 - ...ec04b-d902-4f89-8aff-92cd9043c16f_101.json | 1 - ...ec04b-d902-4f89-8aff-92cd9043c16f_102.json | 1 - ...ec04b-d902-4f89-8aff-92cd9043c16f_103.json | 1 - .../1fe3b299-fbb5-4657-a937-1d746f2c711a.json | 1 - ...3b299-fbb5-4657-a937-1d746f2c711a_104.json | 1 - ...3b299-fbb5-4657-a937-1d746f2c711a_105.json | 1 - ...3b299-fbb5-4657-a937-1d746f2c711a_106.json | 1 - ...3b299-fbb5-4657-a937-1d746f2c711a_107.json | 1 - ...3b299-fbb5-4657-a937-1d746f2c711a_108.json | 1 - 
...3b299-fbb5-4657-a937-1d746f2c711a_109.json | 1 - ...3b299-fbb5-4657-a937-1d746f2c711a_110.json | 1 - ...3b299-fbb5-4657-a937-1d746f2c711a_111.json | 1 - ...3b299-fbb5-4657-a937-1d746f2c711a_112.json | 1 - ...3b299-fbb5-4657-a937-1d746f2c711a_113.json | 1 - .../2003cdc8-8d83-4aa5-b132-1f9a8eb48514.json | 1 - ...3cdc8-8d83-4aa5-b132-1f9a8eb48514_100.json | 1 - ...3cdc8-8d83-4aa5-b132-1f9a8eb48514_101.json | 1 - ...3cdc8-8d83-4aa5-b132-1f9a8eb48514_102.json | 1 - .../201200f1-a99b-43fb-88ed-f65a45c4972c.json | 1 - ...200f1-a99b-43fb-88ed-f65a45c4972c_104.json | 1 - ...200f1-a99b-43fb-88ed-f65a45c4972c_105.json | 1 - ...200f1-a99b-43fb-88ed-f65a45c4972c_106.json | 1 - ...200f1-a99b-43fb-88ed-f65a45c4972c_107.json | 1 - ...200f1-a99b-43fb-88ed-f65a45c4972c_108.json | 1 - ...200f1-a99b-43fb-88ed-f65a45c4972c_109.json | 1 - ...200f1-a99b-43fb-88ed-f65a45c4972c_110.json | 1 - ...200f1-a99b-43fb-88ed-f65a45c4972c_111.json | 1 - ...200f1-a99b-43fb-88ed-f65a45c4972c_311.json | 1 - .../202829f6-0271-4e88-b882-11a655c590d4.json | 1 - ...02829f6-0271-4e88-b882-11a655c590d4_1.json | 1 - ...02829f6-0271-4e88-b882-11a655c590d4_2.json | 1 - .../203ab79b-239b-4aa5-8e54-fc50623ee8e4.json | 1 - ...ab79b-239b-4aa5-8e54-fc50623ee8e4_104.json | 1 - ...ab79b-239b-4aa5-8e54-fc50623ee8e4_105.json | 1 - ...ab79b-239b-4aa5-8e54-fc50623ee8e4_106.json | 1 - ...ab79b-239b-4aa5-8e54-fc50623ee8e4_107.json | 1 - ...ab79b-239b-4aa5-8e54-fc50623ee8e4_108.json | 1 - ...ab79b-239b-4aa5-8e54-fc50623ee8e4_109.json | 1 - ...ab79b-239b-4aa5-8e54-fc50623ee8e4_110.json | 1 - ...ab79b-239b-4aa5-8e54-fc50623ee8e4_111.json | 1 - .../2045567e-b0af-444a-8c0b-0b6e2dae9e13.json | 1 - ...5567e-b0af-444a-8c0b-0b6e2dae9e13_102.json | 1 - ...5567e-b0af-444a-8c0b-0b6e2dae9e13_103.json | 1 - ...5567e-b0af-444a-8c0b-0b6e2dae9e13_104.json | 1 - ...5567e-b0af-444a-8c0b-0b6e2dae9e13_205.json | 1 - .../20457e4f-d1de-4b92-ae69-142e27a4342a.json | 1 - ...57e4f-d1de-4b92-ae69-142e27a4342a_102.json | 1 - 
...57e4f-d1de-4b92-ae69-142e27a4342a_103.json | 1 - ...57e4f-d1de-4b92-ae69-142e27a4342a_104.json | 1 - ...57e4f-d1de-4b92-ae69-142e27a4342a_105.json | 1 - ...57e4f-d1de-4b92-ae69-142e27a4342a_106.json | 1 - ...57e4f-d1de-4b92-ae69-142e27a4342a_107.json | 1 - ...57e4f-d1de-4b92-ae69-142e27a4342a_207.json | 1 - ...57e4f-d1de-4b92-ae69-142e27a4342a_208.json | 1 - .../205b52c4-9c28-4af4-8979-935f3278d61a.json | 1 - ...05b52c4-9c28-4af4-8979-935f3278d61a_1.json | 1 - ...05b52c4-9c28-4af4-8979-935f3278d61a_2.json | 1 - .../208dbe77-01ed-4954-8d44-1e5751cb20de.json | 1 - ...dbe77-01ed-4954-8d44-1e5751cb20de_105.json | 1 - ...dbe77-01ed-4954-8d44-1e5751cb20de_106.json | 1 - ...dbe77-01ed-4954-8d44-1e5751cb20de_107.json | 1 - ...dbe77-01ed-4954-8d44-1e5751cb20de_108.json | 1 - ...dbe77-01ed-4954-8d44-1e5751cb20de_109.json | 1 - ...dbe77-01ed-4954-8d44-1e5751cb20de_110.json | 1 - ...dbe77-01ed-4954-8d44-1e5751cb20de_111.json | 1 - .../210d4430-b371-470e-b879-80b7182aa75e.json | 1 - ...10d4430-b371-470e-b879-80b7182aa75e_1.json | 1 - ...10d4430-b371-470e-b879-80b7182aa75e_2.json | 1 - ...10d4430-b371-470e-b879-80b7182aa75e_3.json | 1 - .../2138bb70-5a5e-42fd-be5e-b38edf6a6777.json | 1 - ...138bb70-5a5e-42fd-be5e-b38edf6a6777_1.json | 1 - ...138bb70-5a5e-42fd-be5e-b38edf6a6777_2.json | 1 - .../21bafdf0-cf17-11ed-bd57-f661ea17fbcc.json | 1 - ...1bafdf0-cf17-11ed-bd57-f661ea17fbcc_1.json | 1 - ...1bafdf0-cf17-11ed-bd57-f661ea17fbcc_2.json | 1 - ...1bafdf0-cf17-11ed-bd57-f661ea17fbcc_3.json | 1 - ...1bafdf0-cf17-11ed-bd57-f661ea17fbcc_4.json | 1 - .../220be143-5c67-4fdb-b6ce-dd6826d024fd.json | 1 - ...20be143-5c67-4fdb-b6ce-dd6826d024fd_3.json | 1 - ...20be143-5c67-4fdb-b6ce-dd6826d024fd_4.json | 1 - ...20be143-5c67-4fdb-b6ce-dd6826d024fd_5.json | 1 - ...20be143-5c67-4fdb-b6ce-dd6826d024fd_6.json | 1 - ...20be143-5c67-4fdb-b6ce-dd6826d024fd_7.json | 1 - .../2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f.json | 1 - ...5b8bd-1759-4ffa-8ab8-55c8e6b32e7f_102.json | 1 - 
...5b8bd-1759-4ffa-8ab8-55c8e6b32e7f_103.json | 1 - ...5b8bd-1759-4ffa-8ab8-55c8e6b32e7f_104.json | 1 - ...5b8bd-1759-4ffa-8ab8-55c8e6b32e7f_204.json | 1 - ...5b8bd-1759-4ffa-8ab8-55c8e6b32e7f_205.json | 1 - .../22599847-5d13-48cb-8872-5796fee8692b.json | 1 - ...99847-5d13-48cb-8872-5796fee8692b_104.json | 1 - ...99847-5d13-48cb-8872-5796fee8692b_105.json | 1 - ...99847-5d13-48cb-8872-5796fee8692b_106.json | 1 - ...99847-5d13-48cb-8872-5796fee8692b_107.json | 1 - .../227dc608-e558-43d9-b521-150772250bae.json | 1 - ...dc608-e558-43d9-b521-150772250bae_103.json | 1 - ...dc608-e558-43d9-b521-150772250bae_104.json | 1 - ...dc608-e558-43d9-b521-150772250bae_105.json | 1 - ...dc608-e558-43d9-b521-150772250bae_206.json | 1 - .../2326d1b2-9acf-4dee-bd21-867ea7378b4d.json | 1 - ...6d1b2-9acf-4dee-bd21-867ea7378b4d_103.json | 1 - .../2339f03c-f53f-40fa-834b-40c5983fc41f.json | 1 - ...9f03c-f53f-40fa-834b-40c5983fc41f_103.json | 1 - ...9f03c-f53f-40fa-834b-40c5983fc41f_104.json | 1 - ...9f03c-f53f-40fa-834b-40c5983fc41f_105.json | 1 - ...9f03c-f53f-40fa-834b-40c5983fc41f_106.json | 1 - ...9f03c-f53f-40fa-834b-40c5983fc41f_107.json | 1 - ...9f03c-f53f-40fa-834b-40c5983fc41f_108.json | 1 - ...9f03c-f53f-40fa-834b-40c5983fc41f_109.json | 1 - .../23bcd283-2bc0-4db2-81d4-273fc051e5c0.json | 1 - ...3bcd283-2bc0-4db2-81d4-273fc051e5c0_1.json | 1 - ...3bcd283-2bc0-4db2-81d4-273fc051e5c0_2.json | 1 - .../23f18264-2d6d-11ef-9413-f661ea17fbce.json | 1 - ...3f18264-2d6d-11ef-9413-f661ea17fbce_1.json | 1 - ...18264-2d6d-11ef-9413-f661ea17fbce_103.json | 77 ++++++++++ ...3f18264-2d6d-11ef-9413-f661ea17fbce_2.json | 1 - .../24401eca-ad0b-4ff9-9431-487a8e183af9.json | 1 - ...4401eca-ad0b-4ff9-9431-487a8e183af9_1.json | 1 - ...01eca-ad0b-4ff9-9431-487a8e183af9_105.json | 78 ++++++++++ ...4401eca-ad0b-4ff9-9431-487a8e183af9_2.json | 1 - ...4401eca-ad0b-4ff9-9431-487a8e183af9_3.json | 1 - .../25224a80-5a4a-4b8a-991e-6ab390465c4f.json | 1 - ...24a80-5a4a-4b8a-991e-6ab390465c4f_102.json | 1 - 
...24a80-5a4a-4b8a-991e-6ab390465c4f_103.json | 1 - ...24a80-5a4a-4b8a-991e-6ab390465c4f_104.json | 1 - ...24a80-5a4a-4b8a-991e-6ab390465c4f_105.json | 1 - ...24a80-5a4a-4b8a-991e-6ab390465c4f_106.json | 1 - ...24a80-5a4a-4b8a-991e-6ab390465c4f_107.json | 1 - ...24a80-5a4a-4b8a-991e-6ab390465c4f_108.json | 1 - ...24a80-5a4a-4b8a-991e-6ab390465c4f_109.json | 1 - .../2553a9af-52a4-4a05-bb03-85b2a479a0a0.json | 1 - ...553a9af-52a4-4a05-bb03-85b2a479a0a0_1.json | 1 - ...553a9af-52a4-4a05-bb03-85b2a479a0a0_2.json | 1 - ...553a9af-52a4-4a05-bb03-85b2a479a0a0_3.json | 1 - .../259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39.json | 1 - ...59be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_1.json | 1 - ...59be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_2.json | 1 - ...59be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_3.json | 1 - .../25d917c4-aa3c-4111-974c-286c0312ff95.json | 1 - ...5d917c4-aa3c-4111-974c-286c0312ff95_1.json | 1 - ...5d917c4-aa3c-4111-974c-286c0312ff95_2.json | 1 - ...5d917c4-aa3c-4111-974c-286c0312ff95_3.json | 1 - ...5d917c4-aa3c-4111-974c-286c0312ff95_4.json | 1 - ...5d917c4-aa3c-4111-974c-286c0312ff95_5.json | 1 - .../25e7fee6-fc25-11ee-ba0f-f661ea17fbce.json | 1 - .../260486ee-7d98-11ee-9599-f661ea17fbcd.json | 1 - ...60486ee-7d98-11ee-9599-f661ea17fbcd_1.json | 1 - ...486ee-7d98-11ee-9599-f661ea17fbcd_105.json | 70 +++++++++ ...60486ee-7d98-11ee-9599-f661ea17fbcd_2.json | 1 - ...60486ee-7d98-11ee-9599-f661ea17fbcd_3.json | 1 - ...60486ee-7d98-11ee-9599-f661ea17fbcd_5.json | 1 - .../2605aa59-29ac-4662-afad-8d86257c7c91.json | 1 - ...605aa59-29ac-4662-afad-8d86257c7c91_1.json | 1 - ...605aa59-29ac-4662-afad-8d86257c7c91_2.json | 1 - ...605aa59-29ac-4662-afad-8d86257c7c91_3.json | 1 - ...605aa59-29ac-4662-afad-8d86257c7c91_4.json | 1 - ...605aa59-29ac-4662-afad-8d86257c7c91_5.json | 1 - .../263481c8-1e9b-492e-912d-d1760707f810.json | 1 - ...63481c8-1e9b-492e-912d-d1760707f810_1.json | 1 - ...63481c8-1e9b-492e-912d-d1760707f810_2.json | 1 - .../2636aa6c-88b5-4337-9c31-8d0192a8ef45.json | 1 - 
...6aa6c-88b5-4337-9c31-8d0192a8ef45_101.json | 1 - .../265db8f5-fc73-4d0d-b434-6483b56372e2.json | 1 - ...db8f5-fc73-4d0d-b434-6483b56372e2_104.json | 1 - ...db8f5-fc73-4d0d-b434-6483b56372e2_105.json | 1 - ...db8f5-fc73-4d0d-b434-6483b56372e2_106.json | 1 - ...db8f5-fc73-4d0d-b434-6483b56372e2_107.json | 1 - ...db8f5-fc73-4d0d-b434-6483b56372e2_108.json | 1 - ...db8f5-fc73-4d0d-b434-6483b56372e2_109.json | 1 - ...db8f5-fc73-4d0d-b434-6483b56372e2_110.json | 1 - ...db8f5-fc73-4d0d-b434-6483b56372e2_111.json | 1 - ...db8f5-fc73-4d0d-b434-6483b56372e2_311.json | 1 - .../26b01043-4f04-4d2f-882a-5a1d2e95751b.json | 1 - ...6b01043-4f04-4d2f-882a-5a1d2e95751b_3.json | 1 - ...6b01043-4f04-4d2f-882a-5a1d2e95751b_4.json | 1 - ...6b01043-4f04-4d2f-882a-5a1d2e95751b_5.json | 1 - ...6b01043-4f04-4d2f-882a-5a1d2e95751b_6.json | 1 - .../26edba02-6979-4bce-920a-70b080a7be81.json | 1 - ...dba02-6979-4bce-920a-70b080a7be81_104.json | 1 - .../26f68dba-ce29-497b-8e13-b4fde1db5a2d.json | 1 - ...68dba-ce29-497b-8e13-b4fde1db5a2d_101.json | 1 - ...68dba-ce29-497b-8e13-b4fde1db5a2d_102.json | 1 - ...68dba-ce29-497b-8e13-b4fde1db5a2d_103.json | 1 - ...68dba-ce29-497b-8e13-b4fde1db5a2d_104.json | 1 - ...68dba-ce29-497b-8e13-b4fde1db5a2d_106.json | 1 - ...68dba-ce29-497b-8e13-b4fde1db5a2d_207.json | 1 - ...68dba-ce29-497b-8e13-b4fde1db5a2d_208.json | 1 - ...68dba-ce29-497b-8e13-b4fde1db5a2d_209.json | 1 - ...68dba-ce29-497b-8e13-b4fde1db5a2d_309.json | 1 - ...68dba-ce29-497b-8e13-b4fde1db5a2d_310.json | 1 - .../27071ea3-e806-4697-8abc-e22c92aa4293.json | 1 - ...7071ea3-e806-4697-8abc-e22c92aa4293_1.json | 1 - ...71ea3-e806-4697-8abc-e22c92aa4293_105.json | 1 - ...71ea3-e806-4697-8abc-e22c92aa4293_106.json | 1 - ...71ea3-e806-4697-8abc-e22c92aa4293_107.json | 1 - ...7071ea3-e806-4697-8abc-e22c92aa4293_2.json | 1 - ...7071ea3-e806-4697-8abc-e22c92aa4293_3.json | 1 - ...7071ea3-e806-4697-8abc-e22c92aa4293_4.json | 1 - ...7071ea3-e806-4697-8abc-e22c92aa4293_5.json | 1 - 
.../2724808c-ba5d-48b2-86d2-0002103df753.json | 1 - ...724808c-ba5d-48b2-86d2-0002103df753_1.json | 1 - ...724808c-ba5d-48b2-86d2-0002103df753_2.json | 1 - ...724808c-ba5d-48b2-86d2-0002103df753_3.json | 1 - ...724808c-ba5d-48b2-86d2-0002103df753_4.json | 1 - .../272a6484-2663-46db-a532-ef734bf9a796.json | 1 - ...a6484-2663-46db-a532-ef734bf9a796_101.json | 1 - ...a6484-2663-46db-a532-ef734bf9a796_102.json | 1 - ...a6484-2663-46db-a532-ef734bf9a796_103.json | 1 - ...a6484-2663-46db-a532-ef734bf9a796_105.json | 1 - .../2772264c-6fb9-4d9d-9014-b416eed21254.json | 1 - ...2264c-6fb9-4d9d-9014-b416eed21254_103.json | 1 - ...2264c-6fb9-4d9d-9014-b416eed21254_104.json | 1 - ...2264c-6fb9-4d9d-9014-b416eed21254_105.json | 1 - ...2264c-6fb9-4d9d-9014-b416eed21254_106.json | 1 - ...2264c-6fb9-4d9d-9014-b416eed21254_107.json | 1 - ...2264c-6fb9-4d9d-9014-b416eed21254_108.json | 1 - ...2264c-6fb9-4d9d-9014-b416eed21254_109.json | 1 - .../2783d84f-5091-4d7d-9319-9fceda8fa71b.json | 1 - ...3d84f-5091-4d7d-9319-9fceda8fa71b_103.json | 1 - .../27f7c15a-91f8-4c3d-8b9e-1f99cc030a51.json | 1 - ...7c15a-91f8-4c3d-8b9e-1f99cc030a51_101.json | 1 - ...7c15a-91f8-4c3d-8b9e-1f99cc030a51_102.json | 1 - ...7c15a-91f8-4c3d-8b9e-1f99cc030a51_103.json | 1 - ...7c15a-91f8-4c3d-8b9e-1f99cc030a51_105.json | 1 - .../2820c9c2-bcd7-4d6e-9eba-faf3891ba450.json | 1 - ...0c9c2-bcd7-4d6e-9eba-faf3891ba450_104.json | 1 - ...0c9c2-bcd7-4d6e-9eba-faf3891ba450_105.json | 1 - ...0c9c2-bcd7-4d6e-9eba-faf3891ba450_106.json | 1 - ...0c9c2-bcd7-4d6e-9eba-faf3891ba450_107.json | 1 - ...0c9c2-bcd7-4d6e-9eba-faf3891ba450_108.json | 1 - ...0c9c2-bcd7-4d6e-9eba-faf3891ba450_109.json | 1 - ...0c9c2-bcd7-4d6e-9eba-faf3891ba450_111.json | 1 - ...0c9c2-bcd7-4d6e-9eba-faf3891ba450_113.json | 1 - ...0c9c2-bcd7-4d6e-9eba-faf3891ba450_114.json | 1 - ...0c9c2-bcd7-4d6e-9eba-faf3891ba450_115.json | 1 - ...0c9c2-bcd7-4d6e-9eba-faf3891ba450_116.json | 1 - .../28371aa1-14ed-46cf-ab5b-2fc7d1942278.json | 1 - 
...8371aa1-14ed-46cf-ab5b-2fc7d1942278_1.json | 1 - .../2856446a-34e6-435b-9fb5-f8f040bfa7ed.json | 1 - ...6446a-34e6-435b-9fb5-f8f040bfa7ed_104.json | 1 - ...6446a-34e6-435b-9fb5-f8f040bfa7ed_105.json | 1 - ...6446a-34e6-435b-9fb5-f8f040bfa7ed_106.json | 1 - ...6446a-34e6-435b-9fb5-f8f040bfa7ed_107.json | 1 - ...6446a-34e6-435b-9fb5-f8f040bfa7ed_108.json | 1 - ...6446a-34e6-435b-9fb5-f8f040bfa7ed_109.json | 1 - ...6446a-34e6-435b-9fb5-f8f040bfa7ed_110.json | 1 - ...6446a-34e6-435b-9fb5-f8f040bfa7ed_111.json | 1 - .../2863ffeb-bf77-44dd-b7a5-93ef94b72036.json | 1 - ...3ffeb-bf77-44dd-b7a5-93ef94b72036_100.json | 1 - ...3ffeb-bf77-44dd-b7a5-93ef94b72036_101.json | 1 - ...3ffeb-bf77-44dd-b7a5-93ef94b72036_102.json | 1 - ...8738f9f-7427-4d23-bc69-756708b5f624_1.json | 1 - ...8738f9f-7427-4d23-bc69-756708b5f624_2.json | 1 - ...8738f9f-7427-4d23-bc69-756708b5f624_3.json | 1 - ...8738f9f-7427-4d23-bc69-756708b5f624_4.json | 1 - ...8738f9f-7427-4d23-bc69-756708b5f624_5.json | 1 - ...8738f9f-7427-4d23-bc69-756708b5f624_6.json | 1 - ...8738f9f-7427-4d23-bc69-756708b5f624_7.json | 1 - ...8738f9f-7427-4d23-bc69-756708b5f624_8.json | 1 - .../28bc620d-b2f7-4132-b372-f77953881d05.json | 1 - ...8bc620d-b2f7-4132-b372-f77953881d05_1.json | 1 - .../28d39238-0c01-420a-b77a-24e5a7378663.json | 1 - ...8d39238-0c01-420a-b77a-24e5a7378663_1.json | 1 - ...8d39238-0c01-420a-b77a-24e5a7378663_2.json | 1 - ...8d39238-0c01-420a-b77a-24e5a7378663_3.json | 1 - ...8d39238-0c01-420a-b77a-24e5a7378663_4.json | 1 - ...8d39238-0c01-420a-b77a-24e5a7378663_5.json | 1 - .../28eb3afe-131d-48b0-a8fc-9784f3d54f3c.json | 1 - ...8eb3afe-131d-48b0-a8fc-9784f3d54f3c_1.json | 1 - ...8eb3afe-131d-48b0-a8fc-9784f3d54f3c_2.json | 1 - .../28f6f34b-8e16-487a-b5fd-9d22eb903db8.json | 1 - ...8f6f34b-8e16-487a-b5fd-9d22eb903db8_1.json | 1 - ...8f6f34b-8e16-487a-b5fd-9d22eb903db8_2.json | 1 - ...8f6f34b-8e16-487a-b5fd-9d22eb903db8_3.json | 1 - ...8f6f34b-8e16-487a-b5fd-9d22eb903db8_4.json | 1 - 
.../29052c19-ff3e-42fd-8363-7be14d7c5469.json | 1 - ...52c19-ff3e-42fd-8363-7be14d7c5469_102.json | 1 - ...52c19-ff3e-42fd-8363-7be14d7c5469_103.json | 1 - ...52c19-ff3e-42fd-8363-7be14d7c5469_104.json | 1 - ...52c19-ff3e-42fd-8363-7be14d7c5469_205.json | 1 - ...52c19-ff3e-42fd-8363-7be14d7c5469_206.json | 1 - .../290aca65-e94d-403b-ba0f-62f320e63f51.json | 1 - ...aca65-e94d-403b-ba0f-62f320e63f51_104.json | 1 - ...aca65-e94d-403b-ba0f-62f320e63f51_105.json | 1 - ...aca65-e94d-403b-ba0f-62f320e63f51_106.json | 1 - ...aca65-e94d-403b-ba0f-62f320e63f51_107.json | 1 - ...aca65-e94d-403b-ba0f-62f320e63f51_108.json | 1 - ...aca65-e94d-403b-ba0f-62f320e63f51_109.json | 1 - ...aca65-e94d-403b-ba0f-62f320e63f51_110.json | 1 - ...aca65-e94d-403b-ba0f-62f320e63f51_111.json | 1 - ...aca65-e94d-403b-ba0f-62f320e63f51_112.json | 1 - ...aca65-e94d-403b-ba0f-62f320e63f51_113.json | 1 - ...aca65-e94d-403b-ba0f-62f320e63f51_114.json | 1 - ...aca65-e94d-403b-ba0f-62f320e63f51_314.json | 1 - .../2917d495-59bd-4250-b395-c29409b76086.json | 1 - ...7d495-59bd-4250-b395-c29409b76086_104.json | 1 - ...7d495-59bd-4250-b395-c29409b76086_105.json | 1 - ...7d495-59bd-4250-b395-c29409b76086_106.json | 1 - ...7d495-59bd-4250-b395-c29409b76086_107.json | 1 - ...7d495-59bd-4250-b395-c29409b76086_108.json | 1 - ...7d495-59bd-4250-b395-c29409b76086_109.json | 1 - ...7d495-59bd-4250-b395-c29409b76086_110.json | 1 - ...7d495-59bd-4250-b395-c29409b76086_111.json | 1 - ...7d495-59bd-4250-b395-c29409b76086_212.json | 1 - ...7d495-59bd-4250-b395-c29409b76086_313.json | 1 - ...7d495-59bd-4250-b395-c29409b76086_314.json | 1 - ...7d495-59bd-4250-b395-c29409b76086_415.json | 1 - .../291a0de9-937a-4189-94c0-3e847c8b13e4.json | 1 - ...a0de9-937a-4189-94c0-3e847c8b13e4_105.json | 1 - ...a0de9-937a-4189-94c0-3e847c8b13e4_106.json | 1 - ...a0de9-937a-4189-94c0-3e847c8b13e4_107.json | 1 - ...a0de9-937a-4189-94c0-3e847c8b13e4_108.json | 1 - ...a0de9-937a-4189-94c0-3e847c8b13e4_208.json | 1 - 
...a0de9-937a-4189-94c0-3e847c8b13e4_209.json | 1 - ...a0de9-937a-4189-94c0-3e847c8b13e4_210.json | 1 - ...a0de9-937a-4189-94c0-3e847c8b13e4_211.json | 1 - ...a0de9-937a-4189-94c0-3e847c8b13e4_311.json | 1 - ...a0de9-937a-4189-94c0-3e847c8b13e4_312.json | 1 - ...a0de9-937a-4189-94c0-3e847c8b13e4_313.json | 1 - ...a0de9-937a-4189-94c0-3e847c8b13e4_314.json | 1 - .../29b53942-7cd4-11ee-b70e-f661ea17fbcd.json | 1 - ...9b53942-7cd4-11ee-b70e-f661ea17fbcd_1.json | 1 - ...53942-7cd4-11ee-b70e-f661ea17fbcd_104.json | 88 +++++++++++ ...9b53942-7cd4-11ee-b70e-f661ea17fbcd_2.json | 1 - ...9b53942-7cd4-11ee-b70e-f661ea17fbcd_4.json | 1 - .../29ef5686-9b93-433e-91b5-683911094698.json | 1 - .../29f0cf93-d17c-4b12-b4f3-a433800539fa.json | 1 - ...9f0cf93-d17c-4b12-b4f3-a433800539fa_1.json | 1 - ...9f0cf93-d17c-4b12-b4f3-a433800539fa_2.json | 1 - ...9f0cf93-d17c-4b12-b4f3-a433800539fa_3.json | 1 - .../2a692072-d78d-42f3-a48a-775677d79c4e.json | 1 - ...a692072-d78d-42f3-a48a-775677d79c4e_1.json | 1 - ...a692072-d78d-42f3-a48a-775677d79c4e_2.json | 1 - ...a692072-d78d-42f3-a48a-775677d79c4e_3.json | 1 - ...a692072-d78d-42f3-a48a-775677d79c4e_4.json | 1 - ...a692072-d78d-42f3-a48a-775677d79c4e_5.json | 1 - ...a692072-d78d-42f3-a48a-775677d79c4e_6.json | 1 - .../2abda169-416b-4bb3-9a6b-f8d239fd78ba.json | 1 - ...da169-416b-4bb3-9a6b-f8d239fd78ba_201.json | 1 - ...da169-416b-4bb3-9a6b-f8d239fd78ba_202.json | 1 - ...da169-416b-4bb3-9a6b-f8d239fd78ba_203.json | 1 - .../2b662e21-dc6e-461e-b5cf-a6eb9b235ec4.json | 1 - ...b662e21-dc6e-461e-b5cf-a6eb9b235ec4_1.json | 1 - ...b662e21-dc6e-461e-b5cf-a6eb9b235ec4_2.json | 1 - ...b662e21-dc6e-461e-b5cf-a6eb9b235ec4_3.json | 1 - ...b662e21-dc6e-461e-b5cf-a6eb9b235ec4_4.json | 1 - ...b662e21-dc6e-461e-b5cf-a6eb9b235ec4_5.json | 1 - ...b662e21-dc6e-461e-b5cf-a6eb9b235ec4_6.json | 1 - .../2bf78aa2-9c56-48de-b139-f169bf99cf86.json | 1 - ...78aa2-9c56-48de-b139-f169bf99cf86_104.json | 1 - ...78aa2-9c56-48de-b139-f169bf99cf86_105.json | 1 - 
...78aa2-9c56-48de-b139-f169bf99cf86_106.json | 1 - ...78aa2-9c56-48de-b139-f169bf99cf86_107.json | 1 - ...78aa2-9c56-48de-b139-f169bf99cf86_108.json | 1 - ...78aa2-9c56-48de-b139-f169bf99cf86_109.json | 1 - ...78aa2-9c56-48de-b139-f169bf99cf86_110.json | 1 - ...78aa2-9c56-48de-b139-f169bf99cf86_111.json | 1 - ...78aa2-9c56-48de-b139-f169bf99cf86_212.json | 1 - ...78aa2-9c56-48de-b139-f169bf99cf86_313.json | 1 - ...78aa2-9c56-48de-b139-f169bf99cf86_314.json | 1 - .../2c17e5d7-08b9-43b2-b58a-0270d65ac85b.json | 1 - ...7e5d7-08b9-43b2-b58a-0270d65ac85b_104.json | 1 - ...7e5d7-08b9-43b2-b58a-0270d65ac85b_105.json | 1 - ...7e5d7-08b9-43b2-b58a-0270d65ac85b_106.json | 1 - ...7e5d7-08b9-43b2-b58a-0270d65ac85b_107.json | 1 - ...7e5d7-08b9-43b2-b58a-0270d65ac85b_108.json | 1 - ...7e5d7-08b9-43b2-b58a-0270d65ac85b_109.json | 1 - ...7e5d7-08b9-43b2-b58a-0270d65ac85b_110.json | 1 - ...7e5d7-08b9-43b2-b58a-0270d65ac85b_111.json | 1 - ...7e5d7-08b9-43b2-b58a-0270d65ac85b_112.json | 1 - ...7e5d7-08b9-43b2-b58a-0270d65ac85b_312.json | 1 - .../2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a.json | 1 - ...c29a4-f170-42f8-a3d8-2ceebc18eb6a_104.json | 1 - ...c29a4-f170-42f8-a3d8-2ceebc18eb6a_105.json | 1 - ...c29a4-f170-42f8-a3d8-2ceebc18eb6a_106.json | 1 - ...c29a4-f170-42f8-a3d8-2ceebc18eb6a_107.json | 1 - ...c29a4-f170-42f8-a3d8-2ceebc18eb6a_108.json | 1 - ...c29a4-f170-42f8-a3d8-2ceebc18eb6a_109.json | 1 - ...a6acf-0dcb-404d-89fb-6b0327294cfa_101.json | 1 - ...a6acf-0dcb-404d-89fb-6b0327294cfa_201.json | 1 - ...2889e-e758-4c5e-b57e-c735914ee32a_101.json | 1 - .../2d8043ed-5bda-4caf-801c-c1feb7410504.json | 1 - ...043ed-5bda-4caf-801c-c1feb7410504_103.json | 1 - ...043ed-5bda-4caf-801c-c1feb7410504_104.json | 1 - ...043ed-5bda-4caf-801c-c1feb7410504_204.json | 1 - ...043ed-5bda-4caf-801c-c1feb7410504_205.json | 1 - ...043ed-5bda-4caf-801c-c1feb7410504_206.json | 1 - ...043ed-5bda-4caf-801c-c1feb7410504_207.json | 1 - ...043ed-5bda-4caf-801c-c1feb7410504_208.json | 1 - 
...043ed-5bda-4caf-801c-c1feb7410504_209.json | 1 - .../2dd480be-1263-4d9c-8672-172928f6789a.json | 1 - ...480be-1263-4d9c-8672-172928f6789a_104.json | 1 - ...480be-1263-4d9c-8672-172928f6789a_105.json | 1 - ...480be-1263-4d9c-8672-172928f6789a_106.json | 1 - ...480be-1263-4d9c-8672-172928f6789a_107.json | 1 - ...480be-1263-4d9c-8672-172928f6789a_208.json | 1 - ...480be-1263-4d9c-8672-172928f6789a_209.json | 1 - ...480be-1263-4d9c-8672-172928f6789a_210.json | 1 - ...480be-1263-4d9c-8672-172928f6789a_211.json | 1 - .../2ddc468e-b39b-4f5b-9825-f3dcb0e998ea.json | 1 - ...ddc468e-b39b-4f5b-9825-f3dcb0e998ea_1.json | 1 - ...ddc468e-b39b-4f5b-9825-f3dcb0e998ea_2.json | 1 - .../2de10e77-c144-4e69-afb7-344e7127abd0.json | 1 - ...10e77-c144-4e69-afb7-344e7127abd0_101.json | 1 - ...10e77-c144-4e69-afb7-344e7127abd0_102.json | 1 - ...10e77-c144-4e69-afb7-344e7127abd0_103.json | 1 - ...10e77-c144-4e69-afb7-344e7127abd0_104.json | 1 - ...10e77-c144-4e69-afb7-344e7127abd0_106.json | 1 - .../2de87d72-ee0c-43e2-b975-5f0b029ac600.json | 1 - ...87d72-ee0c-43e2-b975-5f0b029ac600_209.json | 1 - ...de87d72-ee0c-43e2-b975-5f0b029ac600_3.json | 1 - ...de87d72-ee0c-43e2-b975-5f0b029ac600_4.json | 1 - ...de87d72-ee0c-43e2-b975-5f0b029ac600_5.json | 1 - ...de87d72-ee0c-43e2-b975-5f0b029ac600_6.json | 1 - ...de87d72-ee0c-43e2-b975-5f0b029ac600_7.json | 1 - ...de87d72-ee0c-43e2-b975-5f0b029ac600_8.json | 1 - ...de87d72-ee0c-43e2-b975-5f0b029ac600_9.json | 1 - .../2e1e835d-01e5-48ca-b9fc-7a61f7f11902.json | 1 - ...e835d-01e5-48ca-b9fc-7a61f7f11902_104.json | 1 - ...e835d-01e5-48ca-b9fc-7a61f7f11902_105.json | 1 - ...e835d-01e5-48ca-b9fc-7a61f7f11902_106.json | 1 - ...e835d-01e5-48ca-b9fc-7a61f7f11902_107.json | 1 - ...e835d-01e5-48ca-b9fc-7a61f7f11902_108.json | 1 - ...e835d-01e5-48ca-b9fc-7a61f7f11902_109.json | 1 - ...e835d-01e5-48ca-b9fc-7a61f7f11902_110.json | 1 - .../2e29e96a-b67c-455a-afe4-de6183431d0d.json | 1 - ...9e96a-b67c-455a-afe4-de6183431d0d_105.json | 1 - 
...9e96a-b67c-455a-afe4-de6183431d0d_106.json | 1 - ...9e96a-b67c-455a-afe4-de6183431d0d_107.json | 1 - ...9e96a-b67c-455a-afe4-de6183431d0d_108.json | 1 - ...9e96a-b67c-455a-afe4-de6183431d0d_109.json | 1 - ...9e96a-b67c-455a-afe4-de6183431d0d_110.json | 1 - ...9e96a-b67c-455a-afe4-de6183431d0d_111.json | 1 - ...9e96a-b67c-455a-afe4-de6183431d0d_112.json | 1 - .../2e311539-cd88-4a85-a301-04f38795007c.json | 1 - ...e311539-cd88-4a85-a301-04f38795007c_1.json | 1 - ...e311539-cd88-4a85-a301-04f38795007c_2.json | 1 - ...e311539-cd88-4a85-a301-04f38795007c_3.json | 1 - ...e311539-cd88-4a85-a301-04f38795007c_4.json | 1 - .../2e56e1bc-867a-11ee-b13e-f661ea17fbcd.json | 1 - ...e56e1bc-867a-11ee-b13e-f661ea17fbcd_1.json | 1 - ...6e1bc-867a-11ee-b13e-f661ea17fbcd_101.json | 1 - ...6e1bc-867a-11ee-b13e-f661ea17fbcd_102.json | 1 - ...6e1bc-867a-11ee-b13e-f661ea17fbcd_203.json | 62 ++++++++ .../2e580225-2a58-48ef-938b-572933be06fe.json | 1 - ...80225-2a58-48ef-938b-572933be06fe_101.json | 1 - ...80225-2a58-48ef-938b-572933be06fe_102.json | 1 - ...80225-2a58-48ef-938b-572933be06fe_103.json | 1 - .../2edc8076-291e-41e9-81e4-e3fcbc97ae5e.json | 1 - ...c8076-291e-41e9-81e4-e3fcbc97ae5e_104.json | 1 - ...c8076-291e-41e9-81e4-e3fcbc97ae5e_105.json | 1 - ...c8076-291e-41e9-81e4-e3fcbc97ae5e_106.json | 1 - ...c8076-291e-41e9-81e4-e3fcbc97ae5e_107.json | 1 - ...c8076-291e-41e9-81e4-e3fcbc97ae5e_108.json | 1 - ...c8076-291e-41e9-81e4-e3fcbc97ae5e_109.json | 1 - ...c8076-291e-41e9-81e4-e3fcbc97ae5e_110.json | 1 - ...c8076-291e-41e9-81e4-e3fcbc97ae5e_111.json | 1 - .../2f2f4939-0b34-40c2-a0a3-844eb7889f43.json | 1 - ...f4939-0b34-40c2-a0a3-844eb7889f43_105.json | 1 - ...f4939-0b34-40c2-a0a3-844eb7889f43_106.json | 1 - ...f4939-0b34-40c2-a0a3-844eb7889f43_107.json | 1 - ...f4939-0b34-40c2-a0a3-844eb7889f43_108.json | 1 - ...f4939-0b34-40c2-a0a3-844eb7889f43_109.json | 1 - ...f4939-0b34-40c2-a0a3-844eb7889f43_110.json | 1 - ...f4939-0b34-40c2-a0a3-844eb7889f43_111.json | 1 - 
.../2f8a1226-5720-437d-9c20-e0029deb6194.json | 1 - ...a1226-5720-437d-9c20-e0029deb6194_103.json | 1 - ...a1226-5720-437d-9c20-e0029deb6194_104.json | 1 - ...a1226-5720-437d-9c20-e0029deb6194_105.json | 1 - ...a1226-5720-437d-9c20-e0029deb6194_106.json | 1 - ...a1226-5720-437d-9c20-e0029deb6194_107.json | 1 - ...a1226-5720-437d-9c20-e0029deb6194_108.json | 1 - ...a1226-5720-437d-9c20-e0029deb6194_109.json | 1 - .../2f95540c-923e-4f57-9dae-de30169c68b9.json | 1 - ...f95540c-923e-4f57-9dae-de30169c68b9_1.json | 1 - .../2fba96c0-ade5-4bce-b92f-a5df2509da3f.json | 1 - ...a96c0-ade5-4bce-b92f-a5df2509da3f_104.json | 1 - ...a96c0-ade5-4bce-b92f-a5df2509da3f_105.json | 1 - ...a96c0-ade5-4bce-b92f-a5df2509da3f_106.json | 1 - ...a96c0-ade5-4bce-b92f-a5df2509da3f_107.json | 1 - ...a96c0-ade5-4bce-b92f-a5df2509da3f_108.json | 1 - .../2ffa1f1e-b6db-47fa-994b-1512743847eb.json | 1 - ...a1f1e-b6db-47fa-994b-1512743847eb_104.json | 1 - ...a1f1e-b6db-47fa-994b-1512743847eb_105.json | 1 - ...a1f1e-b6db-47fa-994b-1512743847eb_106.json | 1 - ...a1f1e-b6db-47fa-994b-1512743847eb_107.json | 1 - ...a1f1e-b6db-47fa-994b-1512743847eb_108.json | 1 - ...a1f1e-b6db-47fa-994b-1512743847eb_109.json | 1 - ...a1f1e-b6db-47fa-994b-1512743847eb_110.json | 1 - ...a1f1e-b6db-47fa-994b-1512743847eb_111.json | 1 - ...a1f1e-b6db-47fa-994b-1512743847eb_112.json | 1 - ...a1f1e-b6db-47fa-994b-1512743847eb_113.json | 1 - ...a1f1e-b6db-47fa-994b-1512743847eb_114.json | 1 - .../30562697-9859-4ae0-a8c5-dab45d664170.json | 1 - ...62697-9859-4ae0-a8c5-dab45d664170_103.json | 1 - .../30b5bb96-c7db-492c-80e9-1eab00db580b.json | 1 - ...0b5bb96-c7db-492c-80e9-1eab00db580b_1.json | 1 - .../30bfddd7-2954-4c9d-bbc6-19a99ca47e23.json | 1 - ...0bfddd7-2954-4c9d-bbc6-19a99ca47e23_1.json | 1 - ...0bfddd7-2954-4c9d-bbc6-19a99ca47e23_2.json | 1 - ...0bfddd7-2954-4c9d-bbc6-19a99ca47e23_3.json | 1 - ...0bfddd7-2954-4c9d-bbc6-19a99ca47e23_4.json | 1 - ...0bfddd7-2954-4c9d-bbc6-19a99ca47e23_5.json | 1 - 
...0bfddd7-2954-4c9d-bbc6-19a99ca47e23_6.json | 1 - ...0bfddd7-2954-4c9d-bbc6-19a99ca47e23_7.json | 1 - .../30e1e9f2-eb9c-439f-aff6-1e3068e99384.json | 1 - ...0e1e9f2-eb9c-439f-aff6-1e3068e99384_1.json | 1 - ...0e1e9f2-eb9c-439f-aff6-1e3068e99384_2.json | 1 - .../30fbf4db-c502-4e68-a239-2e99af0f70da.json | 1 - ...0fbf4db-c502-4e68-a239-2e99af0f70da_1.json | 1 - ...0fbf4db-c502-4e68-a239-2e99af0f70da_2.json | 1 - .../3115bd2c-0baa-4df0-80ea-45e474b5ef93.json | 1 - ...5bd2c-0baa-4df0-80ea-45e474b5ef93_100.json | 1 - ...5bd2c-0baa-4df0-80ea-45e474b5ef93_101.json | 1 - .../31295df3-277b-4c56-a1fb-84e31b4222a9.json | 1 - ...95df3-277b-4c56-a1fb-84e31b4222a9_101.json | 1 - ...95df3-277b-4c56-a1fb-84e31b4222a9_102.json | 1 - ...95df3-277b-4c56-a1fb-84e31b4222a9_103.json | 1 - .../31b4c719-f2b4-41f6-a9bd-fce93c2eaf62.json | 1 - ...4c719-f2b4-41f6-a9bd-fce93c2eaf62_104.json | 1 - ...4c719-f2b4-41f6-a9bd-fce93c2eaf62_105.json | 1 - ...4c719-f2b4-41f6-a9bd-fce93c2eaf62_106.json | 1 - ...4c719-f2b4-41f6-a9bd-fce93c2eaf62_107.json | 1 - ...4c719-f2b4-41f6-a9bd-fce93c2eaf62_108.json | 1 - ...4c719-f2b4-41f6-a9bd-fce93c2eaf62_109.json | 1 - ...4c719-f2b4-41f6-a9bd-fce93c2eaf62_110.json | 1 - ...4c719-f2b4-41f6-a9bd-fce93c2eaf62_111.json | 1 - ...4c719-f2b4-41f6-a9bd-fce93c2eaf62_112.json | 1 - ...4c719-f2b4-41f6-a9bd-fce93c2eaf62_113.json | 1 - ...4c719-f2b4-41f6-a9bd-fce93c2eaf62_114.json | 1 - ...4c719-f2b4-41f6-a9bd-fce93c2eaf62_314.json | 1 - .../3202e172-01b1-4738-a932-d024c514ba72.json | 1 - ...2e172-01b1-4738-a932-d024c514ba72_103.json | 1 - .../32300431-c2d5-432d-8ec8-0e03f9924756.json | 1 - ...2300431-c2d5-432d-8ec8-0e03f9924756_1.json | 1 - ...2300431-c2d5-432d-8ec8-0e03f9924756_2.json | 1 - .../323cb487-279d-4218-bcbd-a568efe930c6.json | 1 - ...cb487-279d-4218-bcbd-a568efe930c6_101.json | 1 - .../32923416-763a-4531-bb35-f33b9232ecdb.json | 1 - ...23416-763a-4531-bb35-f33b9232ecdb_100.json | 1 - ...23416-763a-4531-bb35-f33b9232ecdb_101.json | 1 - 
...23416-763a-4531-bb35-f33b9232ecdb_102.json | 1 - ...23416-763a-4531-bb35-f33b9232ecdb_103.json | 1 - .../32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14.json | 1 - ...5cf9c-2ef8-4e87-819e-5ccb7cd18b14_103.json | 1 - ...5cf9c-2ef8-4e87-819e-5ccb7cd18b14_104.json | 1 - ...5cf9c-2ef8-4e87-819e-5ccb7cd18b14_105.json | 1 - ...5cf9c-2ef8-4e87-819e-5ccb7cd18b14_106.json | 1 - ...5cf9c-2ef8-4e87-819e-5ccb7cd18b14_107.json | 1 - ...5cf9c-2ef8-4e87-819e-5ccb7cd18b14_108.json | 1 - ...5cf9c-2ef8-4e87-819e-5ccb7cd18b14_109.json | 1 - ...5cf9c-2ef8-4e87-819e-5ccb7cd18b14_110.json | 1 - ...5cf9c-2ef8-4e87-819e-5ccb7cd18b14_111.json | 1 - ...5cf9c-2ef8-4e87-819e-5ccb7cd18b14_311.json | 1 - ...2d3ad0e-6add-11ef-8c7b-f661ea17fbcc_1.json | 1 - .../32f4675e-6c49-4ace-80f9-97c9259dca2e.json | 1 - ...4675e-6c49-4ace-80f9-97c9259dca2e_104.json | 1 - ...4675e-6c49-4ace-80f9-97c9259dca2e_105.json | 1 - ...4675e-6c49-4ace-80f9-97c9259dca2e_106.json | 1 - ...4675e-6c49-4ace-80f9-97c9259dca2e_107.json | 1 - ...4675e-6c49-4ace-80f9-97c9259dca2e_108.json | 1 - ...4675e-6c49-4ace-80f9-97c9259dca2e_109.json | 1 - ...4675e-6c49-4ace-80f9-97c9259dca2e_110.json | 1 - ...4675e-6c49-4ace-80f9-97c9259dca2e_111.json | 1 - ...4675e-6c49-4ace-80f9-97c9259dca2e_212.json | 1 - ...4675e-6c49-4ace-80f9-97c9259dca2e_313.json | 1 - ...4675e-6c49-4ace-80f9-97c9259dca2e_314.json | 1 - ...4675e-6c49-4ace-80f9-97c9259dca2e_315.json | 1 - ...4675e-6c49-4ace-80f9-97c9259dca2e_415.json | 1 - .../333de828-8190-4cf5-8d7c-7575846f6fe0.json | 1 - ...de828-8190-4cf5-8d7c-7575846f6fe0_105.json | 1 - ...de828-8190-4cf5-8d7c-7575846f6fe0_106.json | 1 - ...de828-8190-4cf5-8d7c-7575846f6fe0_107.json | 1 - ...de828-8190-4cf5-8d7c-7575846f6fe0_208.json | 1 - .../33a6752b-da5e-45f8-b13a-5f094c09522f.json | 1 - ...3a6752b-da5e-45f8-b13a-5f094c09522f_1.json | 1 - ...3a6752b-da5e-45f8-b13a-5f094c09522f_2.json | 1 - ...3a6752b-da5e-45f8-b13a-5f094c09522f_3.json | 1 - ...3a6752b-da5e-45f8-b13a-5f094c09522f_4.json | 1 - 
...3a6752b-da5e-45f8-b13a-5f094c09522f_5.json | 1 - ...3a6752b-da5e-45f8-b13a-5f094c09522f_6.json | 1 - .../33f306e8-417c-411b-965c-c2812d6d3f4d.json | 1 - ...306e8-417c-411b-965c-c2812d6d3f4d_104.json | 1 - ...306e8-417c-411b-965c-c2812d6d3f4d_105.json | 1 - ...306e8-417c-411b-965c-c2812d6d3f4d_106.json | 1 - ...306e8-417c-411b-965c-c2812d6d3f4d_107.json | 1 - ...306e8-417c-411b-965c-c2812d6d3f4d_108.json | 1 - ...306e8-417c-411b-965c-c2812d6d3f4d_109.json | 1 - .../342f834b-21a6-41bf-878c-87d116eba3ee.json | 1 - .../345889c4-23a8-4bc0-b7ca-756bd17ce83b.json | 1 - ...45889c4-23a8-4bc0-b7ca-756bd17ce83b_1.json | 1 - ...889c4-23a8-4bc0-b7ca-756bd17ce83b_102.json | 60 ++++++++ .../34fde489-94b0-4500-a76f-b8a157cf9269.json | 1 - ...de489-94b0-4500-a76f-b8a157cf9269_102.json | 1 - ...de489-94b0-4500-a76f-b8a157cf9269_103.json | 1 - ...de489-94b0-4500-a76f-b8a157cf9269_104.json | 1 - ...de489-94b0-4500-a76f-b8a157cf9269_105.json | 1 - .../35330ba2-c859-4c98-8b7f-c19159ea0e58.json | 1 - ...30ba2-c859-4c98-8b7f-c19159ea0e58_102.json | 1 - ...30ba2-c859-4c98-8b7f-c19159ea0e58_103.json | 1 - ...30ba2-c859-4c98-8b7f-c19159ea0e58_104.json | 1 - ...30ba2-c859-4c98-8b7f-c19159ea0e58_105.json | 1 - .../3535c8bb-3bd5-40f4-ae32-b7cd589d5372.json | 1 - ...5c8bb-3bd5-40f4-ae32-b7cd589d5372_104.json | 1 - ...5c8bb-3bd5-40f4-ae32-b7cd589d5372_105.json | 1 - ...5c8bb-3bd5-40f4-ae32-b7cd589d5372_106.json | 1 - ...5c8bb-3bd5-40f4-ae32-b7cd589d5372_107.json | 1 - ...5c8bb-3bd5-40f4-ae32-b7cd589d5372_108.json | 1 - ...5c8bb-3bd5-40f4-ae32-b7cd589d5372_109.json | 1 - ...5c8bb-3bd5-40f4-ae32-b7cd589d5372_110.json | 1 - ...5c8bb-3bd5-40f4-ae32-b7cd589d5372_211.json | 1 - ...5c8bb-3bd5-40f4-ae32-b7cd589d5372_312.json | 1 - .../35a3b253-eea8-46f0-abd3-68bdd47e6e3d.json | 1 - ...5a3b253-eea8-46f0-abd3-68bdd47e6e3d_1.json | 1 - ...5a3b253-eea8-46f0-abd3-68bdd47e6e3d_2.json | 1 - ...5a3b253-eea8-46f0-abd3-68bdd47e6e3d_3.json | 1 - ...5ab3cfa-6c67-11ef-ab4d-f661ea17fbcc_1.json | 1 - 
.../35df0dd8-092d-4a83-88c1-5151a804f31b.json | 1 - ...f0dd8-092d-4a83-88c1-5151a804f31b_104.json | 1 - ...f0dd8-092d-4a83-88c1-5151a804f31b_105.json | 1 - ...f0dd8-092d-4a83-88c1-5151a804f31b_106.json | 1 - ...f0dd8-092d-4a83-88c1-5151a804f31b_107.json | 1 - ...f0dd8-092d-4a83-88c1-5151a804f31b_108.json | 1 - ...f0dd8-092d-4a83-88c1-5151a804f31b_109.json | 1 - ...f0dd8-092d-4a83-88c1-5151a804f31b_110.json | 1 - ...f0dd8-092d-4a83-88c1-5151a804f31b_111.json | 1 - ...f0dd8-092d-4a83-88c1-5151a804f31b_112.json | 1 - ...f0dd8-092d-4a83-88c1-5151a804f31b_113.json | 1 - ...f0dd8-092d-4a83-88c1-5151a804f31b_313.json | 1 - .../35f86980-1fb1-4dff-b311-3be941549c8d.json | 1 - ...86980-1fb1-4dff-b311-3be941549c8d_101.json | 1 - ...86980-1fb1-4dff-b311-3be941549c8d_102.json | 1 - ...86980-1fb1-4dff-b311-3be941549c8d_103.json | 1 - .../3688577a-d196-11ec-90b0-f661ea17fbce.json | 1 - ...8577a-d196-11ec-90b0-f661ea17fbce_104.json | 1 - ...8577a-d196-11ec-90b0-f661ea17fbce_105.json | 1 - ...8577a-d196-11ec-90b0-f661ea17fbce_106.json | 1 - ...8577a-d196-11ec-90b0-f661ea17fbce_107.json | 1 - ...8577a-d196-11ec-90b0-f661ea17fbce_108.json | 1 - .../36a8e048-d888-4f61-a8b9-0f9e2e40f317.json | 1 - ...8e048-d888-4f61-a8b9-0f9e2e40f317_102.json | 1 - ...8e048-d888-4f61-a8b9-0f9e2e40f317_103.json | 1 - ...8e048-d888-4f61-a8b9-0f9e2e40f317_104.json | 1 - ...8e048-d888-4f61-a8b9-0f9e2e40f317_105.json | 1 - ...8e048-d888-4f61-a8b9-0f9e2e40f317_106.json | 1 - ...8e048-d888-4f61-a8b9-0f9e2e40f317_107.json | 1 - ...8e048-d888-4f61-a8b9-0f9e2e40f317_108.json | 1 - ...8e048-d888-4f61-a8b9-0f9e2e40f317_109.json | 1 - .../36c48a0c-c63a-4cbc-aee1-8cac87db31a9.json | 1 - ...6c48a0c-c63a-4cbc-aee1-8cac87db31a9_1.json | 1 - ...6c48a0c-c63a-4cbc-aee1-8cac87db31a9_2.json | 1 - ...6c48a0c-c63a-4cbc-aee1-8cac87db31a9_3.json | 1 - .../3728c08d-9b70-456b-b6b8-007c7d246128.json | 1 - ...728c08d-9b70-456b-b6b8-007c7d246128_1.json | 1 - ...728c08d-9b70-456b-b6b8-007c7d246128_2.json | 1 - 
...728c08d-9b70-456b-b6b8-007c7d246128_3.json | 1 - ...728c08d-9b70-456b-b6b8-007c7d246128_4.json | 1 - .../378f9024-8a0c-46a5-aa08-ce147ac73a4e.json | 1 - ...f9024-8a0c-46a5-aa08-ce147ac73a4e_102.json | 1 - ...f9024-8a0c-46a5-aa08-ce147ac73a4e_103.json | 1 - ...f9024-8a0c-46a5-aa08-ce147ac73a4e_104.json | 1 - ...f9024-8a0c-46a5-aa08-ce147ac73a4e_205.json | 1 - .../37994bca-0611-4500-ab67-5588afe73b77.json | 1 - ...94bca-0611-4500-ab67-5588afe73b77_104.json | 1 - .../37b211e8-4e2f-440f-86d8-06cc8f158cfa.json | 1 - ...211e8-4e2f-440f-86d8-06cc8f158cfa_105.json | 1 - ...211e8-4e2f-440f-86d8-06cc8f158cfa_106.json | 1 - ...211e8-4e2f-440f-86d8-06cc8f158cfa_107.json | 1 - ...211e8-4e2f-440f-86d8-06cc8f158cfa_208.json | 1 - ...211e8-4e2f-440f-86d8-06cc8f158cfa_209.json | 1 - .../37f638ea-909d-4f94-9248-edd21e4a9906.json | 1 - ...638ea-909d-4f94-9248-edd21e4a9906_102.json | 1 - ...638ea-909d-4f94-9248-edd21e4a9906_103.json | 1 - ...638ea-909d-4f94-9248-edd21e4a9906_104.json | 1 - ...638ea-909d-4f94-9248-edd21e4a9906_105.json | 1 - ...638ea-909d-4f94-9248-edd21e4a9906_106.json | 1 - .../3805c3dc-f82c-4f8d-891e-63c24d3102b0.json | 1 - ...5c3dc-f82c-4f8d-891e-63c24d3102b0_102.json | 1 - ...5c3dc-f82c-4f8d-891e-63c24d3102b0_103.json | 1 - ...5c3dc-f82c-4f8d-891e-63c24d3102b0_104.json | 1 - ...5c3dc-f82c-4f8d-891e-63c24d3102b0_105.json | 1 - ...5c3dc-f82c-4f8d-891e-63c24d3102b0_106.json | 1 - ...5c3dc-f82c-4f8d-891e-63c24d3102b0_207.json | 1 - ...5c3dc-f82c-4f8d-891e-63c24d3102b0_208.json | 1 - ...5c3dc-f82c-4f8d-891e-63c24d3102b0_210.json | 1 - ...5c3dc-f82c-4f8d-891e-63c24d3102b0_310.json | 74 +++++++++ .../3838e0e3-1850-4850-a411-2e8c5ba40ba8.json | 1 - ...8e0e3-1850-4850-a411-2e8c5ba40ba8_104.json | 1 - ...8e0e3-1850-4850-a411-2e8c5ba40ba8_105.json | 1 - ...8e0e3-1850-4850-a411-2e8c5ba40ba8_106.json | 1 - ...8e0e3-1850-4850-a411-2e8c5ba40ba8_107.json | 1 - ...8e0e3-1850-4850-a411-2e8c5ba40ba8_108.json | 1 - ...8e0e3-1850-4850-a411-2e8c5ba40ba8_109.json | 1 - 
...8e0e3-1850-4850-a411-2e8c5ba40ba8_110.json | 1 - ...8e0e3-1850-4850-a411-2e8c5ba40ba8_111.json | 1 - ...8e0e3-1850-4850-a411-2e8c5ba40ba8_112.json | 1 - ...8e0e3-1850-4850-a411-2e8c5ba40ba8_113.json | 1 - ...8e0e3-1850-4850-a411-2e8c5ba40ba8_114.json | 1 - .../38948d29-3d5d-42e3-8aec-be832aaaf8eb.json | 1 - ...48d29-3d5d-42e3-8aec-be832aaaf8eb_102.json | 1 - ...48d29-3d5d-42e3-8aec-be832aaaf8eb_103.json | 1 - ...48d29-3d5d-42e3-8aec-be832aaaf8eb_104.json | 1 - ...48d29-3d5d-42e3-8aec-be832aaaf8eb_105.json | 1 - ...48d29-3d5d-42e3-8aec-be832aaaf8eb_106.json | 1 - ...48d29-3d5d-42e3-8aec-be832aaaf8eb_107.json | 1 - ...48d29-3d5d-42e3-8aec-be832aaaf8eb_207.json | 1 - ...896d4c0-6ad1-11ef-8c7b-f661ea17fbcc_1.json | 1 - .../38e5acdd-5f20-4d99-8fe4-f0a1a592077f.json | 1 - ...5acdd-5f20-4d99-8fe4-f0a1a592077f_101.json | 1 - .../38f384e0-aef8-11ed-9a38-f661ea17fbcc.json | 1 - ...8f384e0-aef8-11ed-9a38-f661ea17fbcc_1.json | 1 - ...8f384e0-aef8-11ed-9a38-f661ea17fbcc_2.json | 1 - .../39144f38-5284-4f8e-a2ae-e3fd628d90b0.json | 1 - ...44f38-5284-4f8e-a2ae-e3fd628d90b0_102.json | 1 - ...44f38-5284-4f8e-a2ae-e3fd628d90b0_103.json | 1 - ...44f38-5284-4f8e-a2ae-e3fd628d90b0_104.json | 1 - ...44f38-5284-4f8e-a2ae-e3fd628d90b0_205.json | 1 - .../39157d52-4035-44a8-9d1a-6f8c5f580a07.json | 1 - ...9157d52-4035-44a8-9d1a-6f8c5f580a07_1.json | 1 - ...9157d52-4035-44a8-9d1a-6f8c5f580a07_2.json | 1 - ...93ef120-63d1-11ef-8e38-f661ea17fbce_1.json | 1 - ...93ef120-63d1-11ef-8e38-f661ea17fbce_2.json | 1 - .../397945f3-d39a-4e6f-8bcb-9656c2031438.json | 1 - ...945f3-d39a-4e6f-8bcb-9656c2031438_102.json | 1 - ...945f3-d39a-4e6f-8bcb-9656c2031438_103.json | 1 - ...945f3-d39a-4e6f-8bcb-9656c2031438_104.json | 1 - ...945f3-d39a-4e6f-8bcb-9656c2031438_105.json | 1 - ...945f3-d39a-4e6f-8bcb-9656c2031438_106.json | 1 - ...945f3-d39a-4e6f-8bcb-9656c2031438_107.json | 1 - .../39c06367-b700-4380-848a-cab06e7afede.json | 1 - ...9c06367-b700-4380-848a-cab06e7afede_1.json | 1 - 
...9c06367-b700-4380-848a-cab06e7afede_2.json | 1 - .../3a59fc81-99d3-47ea-8cd6-d48d561fca20.json | 1 - ...9fc81-99d3-47ea-8cd6-d48d561fca20_104.json | 1 - ...9fc81-99d3-47ea-8cd6-d48d561fca20_105.json | 1 - ...9fc81-99d3-47ea-8cd6-d48d561fca20_106.json | 1 - ...9fc81-99d3-47ea-8cd6-d48d561fca20_107.json | 1 - ...9fc81-99d3-47ea-8cd6-d48d561fca20_108.json | 1 - ...9fc81-99d3-47ea-8cd6-d48d561fca20_109.json | 1 - ...9fc81-99d3-47ea-8cd6-d48d561fca20_110.json | 1 - ...9fc81-99d3-47ea-8cd6-d48d561fca20_111.json | 1 - .../3a6001a0-0939-4bbe-86f4-47d8faeb7b97.json | 1 - ...a6001a0-0939-4bbe-86f4-47d8faeb7b97_2.json | 1 - ...a6001a0-0939-4bbe-86f4-47d8faeb7b97_3.json | 1 - ...a6001a0-0939-4bbe-86f4-47d8faeb7b97_4.json | 1 - ...a6001a0-0939-4bbe-86f4-47d8faeb7b97_5.json | 1 - ...a6001a0-0939-4bbe-86f4-47d8faeb7b97_6.json | 1 - ...a6001a0-0939-4bbe-86f4-47d8faeb7b97_7.json | 1 - ...a6001a0-0939-4bbe-86f4-47d8faeb7b97_8.json | 1 - .../3a657da0-1df2-11ef-a327-f661ea17fbcc.json | 1 - ...a657da0-1df2-11ef-a327-f661ea17fbcc_1.json | 1 - ...a657da0-1df2-11ef-a327-f661ea17fbcc_2.json | 1 - .../3ad49c61-7adc-42c1-b788-732eda2f5abf.json | 1 - ...49c61-7adc-42c1-b788-732eda2f5abf_101.json | 1 - ...49c61-7adc-42c1-b788-732eda2f5abf_102.json | 1 - ...49c61-7adc-42c1-b788-732eda2f5abf_103.json | 1 - ...49c61-7adc-42c1-b788-732eda2f5abf_104.json | 1 - .../3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f.json | 1 - ...77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_101.json | 1 - ...77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_102.json | 1 - .../3af4cb9b-973f-4c54-be2b-7623c0e21b2b.json | 1 - ...af4cb9b-973f-4c54-be2b-7623c0e21b2b_1.json | 1 - ...4cb9b-973f-4c54-be2b-7623c0e21b2b_103.json | 90 +++++++++++ .../3b382770-efbb-44f4-beed-f5e0a051b895.json | 1 - ...82770-efbb-44f4-beed-f5e0a051b895_100.json | 1 - ...82770-efbb-44f4-beed-f5e0a051b895_101.json | 1 - ...82770-efbb-44f4-beed-f5e0a051b895_102.json | 1 - .../3b47900d-e793-49e8-968f-c90dc3526aa1.json | 1 - ...7900d-e793-49e8-968f-c90dc3526aa1_104.json | 1 - 
...7900d-e793-49e8-968f-c90dc3526aa1_105.json | 1 - ...7900d-e793-49e8-968f-c90dc3526aa1_106.json | 1 - ...7900d-e793-49e8-968f-c90dc3526aa1_107.json | 1 - ...7900d-e793-49e8-968f-c90dc3526aa1_108.json | 1 - ...7900d-e793-49e8-968f-c90dc3526aa1_109.json | 1 - ...7900d-e793-49e8-968f-c90dc3526aa1_110.json | 1 - ...7900d-e793-49e8-968f-c90dc3526aa1_211.json | 1 - ...7900d-e793-49e8-968f-c90dc3526aa1_312.json | 1 - ...7900d-e793-49e8-968f-c90dc3526aa1_313.json | 1 - .../3bc6deaa-fbd4-433a-ae21-3e892f95624f.json | 1 - ...6deaa-fbd4-433a-ae21-3e892f95624f_104.json | 1 - ...6deaa-fbd4-433a-ae21-3e892f95624f_105.json | 1 - ...6deaa-fbd4-433a-ae21-3e892f95624f_106.json | 1 - ...6deaa-fbd4-433a-ae21-3e892f95624f_107.json | 1 - ...6deaa-fbd4-433a-ae21-3e892f95624f_108.json | 1 - ...6deaa-fbd4-433a-ae21-3e892f95624f_109.json | 1 - ...6deaa-fbd4-433a-ae21-3e892f95624f_110.json | 1 - ...6deaa-fbd4-433a-ae21-3e892f95624f_111.json | 1 - ...6deaa-fbd4-433a-ae21-3e892f95624f_112.json | 1 - ...6deaa-fbd4-433a-ae21-3e892f95624f_113.json | 1 - ...6deaa-fbd4-433a-ae21-3e892f95624f_114.json | 1 - ...6deaa-fbd4-433a-ae21-3e892f95624f_314.json | 1 - .../3c7e32e6-6104-46d9-a06e-da0f8b5795a0.json | 1 - ...e32e6-6104-46d9-a06e-da0f8b5795a0_101.json | 1 - ...e32e6-6104-46d9-a06e-da0f8b5795a0_102.json | 1 - ...e32e6-6104-46d9-a06e-da0f8b5795a0_103.json | 1 - .../3d00feab-e203-4acc-a463-c3e15b7e9a73.json | 1 - ...d00feab-e203-4acc-a463-c3e15b7e9a73_1.json | 1 - ...d00feab-e203-4acc-a463-c3e15b7e9a73_2.json | 1 - ...0feab-e203-4acc-a463-c3e15b7e9a73_202.json | 1 - .../3d3aa8f9-12af-441f-9344-9f31053e316d.json | 1 - ...d3aa8f9-12af-441f-9344-9f31053e316d_1.json | 1 - ...aa8f9-12af-441f-9344-9f31053e316d_105.json | 1 - ...aa8f9-12af-441f-9344-9f31053e316d_106.json | 1 - ...aa8f9-12af-441f-9344-9f31053e316d_107.json | 1 - ...d3aa8f9-12af-441f-9344-9f31053e316d_2.json | 1 - ...d3aa8f9-12af-441f-9344-9f31053e316d_3.json | 1 - ...d3aa8f9-12af-441f-9344-9f31053e316d_4.json | 1 - 
...d3aa8f9-12af-441f-9344-9f31053e316d_5.json | 1 - .../3e002465-876f-4f04-b016-84ef48ce7e5d.json | 1 - ...02465-876f-4f04-b016-84ef48ce7e5d_105.json | 1 - ...02465-876f-4f04-b016-84ef48ce7e5d_106.json | 1 - ...02465-876f-4f04-b016-84ef48ce7e5d_107.json | 1 - ...02465-876f-4f04-b016-84ef48ce7e5d_208.json | 1 - .../3e0561b5-3fac-4461-84cc-19163b9aaa61.json | 1 - ...e0561b5-3fac-4461-84cc-19163b9aaa61_1.json | 1 - ...e0561b5-3fac-4461-84cc-19163b9aaa61_2.json | 1 - ...e0561b5-3fac-4461-84cc-19163b9aaa61_3.json | 1 - .../3e0eeb75-16e8-4f2f-9826-62461ca128b7.json | 1 - ...e0eeb75-16e8-4f2f-9826-62461ca128b7_2.json | 1 - ...e0eeb75-16e8-4f2f-9826-62461ca128b7_3.json | 1 - ...e0eeb75-16e8-4f2f-9826-62461ca128b7_4.json | 1 - ...e0eeb75-16e8-4f2f-9826-62461ca128b7_5.json | 1 - ...e0eeb75-16e8-4f2f-9826-62461ca128b7_6.json | 1 - ...e0eeb75-16e8-4f2f-9826-62461ca128b7_7.json | 1 - .../3e12a439-d002-4944-bc42-171c0dcb9b96.json | 1 - ...e12a439-d002-4944-bc42-171c0dcb9b96_1.json | 1 - ...e12a439-d002-4944-bc42-171c0dcb9b96_2.json | 1 - ...e12a439-d002-4944-bc42-171c0dcb9b96_3.json | 1 - .../3e3d15c6-1509-479a-b125-21718372157e.json | 1 - ...d15c6-1509-479a-b125-21718372157e_102.json | 1 - ...d15c6-1509-479a-b125-21718372157e_103.json | 1 - ...d15c6-1509-479a-b125-21718372157e_104.json | 1 - ...d15c6-1509-479a-b125-21718372157e_105.json | 1 - ...d15c6-1509-479a-b125-21718372157e_106.json | 1 - .../3e441bdb-596c-44fd-8628-2cfdf4516ada.json | 1 - ...e441bdb-596c-44fd-8628-2cfdf4516ada_1.json | 1 - ...e441bdb-596c-44fd-8628-2cfdf4516ada_2.json | 1 - .../3ecbdc9e-e4f2-43fa-8cca-63802125e582.json | 1 - ...bdc9e-e4f2-43fa-8cca-63802125e582_103.json | 1 - ...bdc9e-e4f2-43fa-8cca-63802125e582_104.json | 1 - ...bdc9e-e4f2-43fa-8cca-63802125e582_105.json | 1 - ...bdc9e-e4f2-43fa-8cca-63802125e582_106.json | 1 - ...bdc9e-e4f2-43fa-8cca-63802125e582_107.json | 1 - ...bdc9e-e4f2-43fa-8cca-63802125e582_108.json | 1 - ...bdc9e-e4f2-43fa-8cca-63802125e582_109.json | 1 - 
...bdc9e-e4f2-43fa-8cca-63802125e582_110.json | 1 - ...bdc9e-e4f2-43fa-8cca-63802125e582_111.json | 1 - ...bdc9e-e4f2-43fa-8cca-63802125e582_311.json | 1 - .../3ed032b2-45d8-4406-bc79-7ad1eabb2c72.json | 1 - ...032b2-45d8-4406-bc79-7ad1eabb2c72_104.json | 1 - ...032b2-45d8-4406-bc79-7ad1eabb2c72_105.json | 1 - ...032b2-45d8-4406-bc79-7ad1eabb2c72_106.json | 1 - ...032b2-45d8-4406-bc79-7ad1eabb2c72_207.json | 1 - ...032b2-45d8-4406-bc79-7ad1eabb2c72_208.json | 1 - .../3efee4f0-182a-40a8-a835-102c68a4175d.json | 1 - ...ee4f0-182a-40a8-a835-102c68a4175d_101.json | 1 - ...ee4f0-182a-40a8-a835-102c68a4175d_102.json | 1 - ...ee4f0-182a-40a8-a835-102c68a4175d_103.json | 1 - ...ee4f0-182a-40a8-a835-102c68a4175d_104.json | 1 - ...ee4f0-182a-40a8-a835-102c68a4175d_106.json | 1 - ...ee4f0-182a-40a8-a835-102c68a4175d_207.json | 1 - .../3f0e5410-a4bf-4e8c-bcfc-79d67a285c54.json | 1 - ...e5410-a4bf-4e8c-bcfc-79d67a285c54_101.json | 1 - .../3f12325a-4cc6-410b-8d4c-9fbbeb744cfd.json | 1 - ...f12325a-4cc6-410b-8d4c-9fbbeb744cfd_1.json | 1 - ...f12325a-4cc6-410b-8d4c-9fbbeb744cfd_2.json | 1 - ...f12325a-4cc6-410b-8d4c-9fbbeb744cfd_3.json | 1 - ...f12325a-4cc6-410b-8d4c-9fbbeb744cfd_4.json | 1 - ...f12325a-4cc6-410b-8d4c-9fbbeb744cfd_5.json | 1 - .../3f3f9fe2-d095-11ec-95dc-f661ea17fbce.json | 1 - ...f9fe2-d095-11ec-95dc-f661ea17fbce_104.json | 1 - ...f9fe2-d095-11ec-95dc-f661ea17fbce_105.json | 1 - ...f9fe2-d095-11ec-95dc-f661ea17fbce_106.json | 1 - ...f9fe2-d095-11ec-95dc-f661ea17fbce_107.json | 1 - ...f9fe2-d095-11ec-95dc-f661ea17fbce_108.json | 1 - ...f9fe2-d095-11ec-95dc-f661ea17fbce_109.json | 1 - .../3f4d7734-2151-4481-b394-09d7c6c91f75.json | 1 - ...f4d7734-2151-4481-b394-09d7c6c91f75_1.json | 1 - ...f4d7734-2151-4481-b394-09d7c6c91f75_2.json | 1 - .../3f4e2dba-828a-452a-af35-fe29c5e78969.json | 1 - ...f4e2dba-828a-452a-af35-fe29c5e78969_1.json | 1 - ...f4e2dba-828a-452a-af35-fe29c5e78969_2.json | 1 - ...f4e2dba-828a-452a-af35-fe29c5e78969_3.json | 1 - 
.../3fe4e20c-a600-4a86-9d98-3ecb1ef23550.json | 1 - ...fe4e20c-a600-4a86-9d98-3ecb1ef23550_1.json | 1 - ...fe4e20c-a600-4a86-9d98-3ecb1ef23550_2.json | 1 - .../40155ee4-1e6a-4e4d-a63b-e8ba16980cfb.json | 1 - ...0155ee4-1e6a-4e4d-a63b-e8ba16980cfb_1.json | 1 - ...0155ee4-1e6a-4e4d-a63b-e8ba16980cfb_2.json | 1 - ...0155ee4-1e6a-4e4d-a63b-e8ba16980cfb_3.json | 1 - ...0155ee4-1e6a-4e4d-a63b-e8ba16980cfb_4.json | 1 - ...0155ee4-1e6a-4e4d-a63b-e8ba16980cfb_5.json | 1 - ...0155ee4-1e6a-4e4d-a63b-e8ba16980cfb_6.json | 1 - .../4030c951-448a-4017-a2da-ed60f6d14f4f.json | 1 - ...030c951-448a-4017-a2da-ed60f6d14f4f_1.json | 1 - ...0c951-448a-4017-a2da-ed60f6d14f4f_103.json | 68 +++++++++ .../403ef0d3-8259-40c9-a5b6-d48354712e49.json | 1 - ...ef0d3-8259-40c9-a5b6-d48354712e49_102.json | 1 - ...ef0d3-8259-40c9-a5b6-d48354712e49_103.json | 1 - ...ef0d3-8259-40c9-a5b6-d48354712e49_104.json | 1 - ...ef0d3-8259-40c9-a5b6-d48354712e49_105.json | 1 - ...ef0d3-8259-40c9-a5b6-d48354712e49_106.json | 1 - ...ef0d3-8259-40c9-a5b6-d48354712e49_107.json | 1 - ...ef0d3-8259-40c9-a5b6-d48354712e49_108.json | 1 - ...ef0d3-8259-40c9-a5b6-d48354712e49_109.json | 1 - ...ef0d3-8259-40c9-a5b6-d48354712e49_110.json | 1 - .../40ddbcc8-6561-44d9-afc8-eefdbfe0cccd.json | 1 - ...0ddbcc8-6561-44d9-afc8-eefdbfe0cccd_1.json | 1 - ...dbcc8-6561-44d9-afc8-eefdbfe0cccd_103.json | 1 - ...dbcc8-6561-44d9-afc8-eefdbfe0cccd_104.json | 1 - ...dbcc8-6561-44d9-afc8-eefdbfe0cccd_105.json | 1 - ...dbcc8-6561-44d9-afc8-eefdbfe0cccd_106.json | 1 - ...dbcc8-6561-44d9-afc8-eefdbfe0cccd_107.json | 1 - ...0ddbcc8-6561-44d9-afc8-eefdbfe0cccd_2.json | 1 - ...0ddbcc8-6561-44d9-afc8-eefdbfe0cccd_3.json | 1 - .../41284ba3-ed1a-4598-bfba-a97f75d9aba2.json | 1 - ...1284ba3-ed1a-4598-bfba-a97f75d9aba2_1.json | 1 - ...1284ba3-ed1a-4598-bfba-a97f75d9aba2_2.json | 1 - .../416697ae-e468-4093-a93d-59661fa619ec.json | 1 - ...697ae-e468-4093-a93d-59661fa619ec_104.json | 1 - ...697ae-e468-4093-a93d-59661fa619ec_105.json | 1 - 
...697ae-e468-4093-a93d-59661fa619ec_106.json | 1 - ...697ae-e468-4093-a93d-59661fa619ec_107.json | 1 - ...697ae-e468-4093-a93d-59661fa619ec_108.json | 1 - ...697ae-e468-4093-a93d-59661fa619ec_109.json | 1 - ...697ae-e468-4093-a93d-59661fa619ec_110.json | 1 - ...697ae-e468-4093-a93d-59661fa619ec_111.json | 1 - ...697ae-e468-4093-a93d-59661fa619ec_112.json | 1 - ...697ae-e468-4093-a93d-59661fa619ec_312.json | 1 - .../41761cd3-380f-4d4d-89f3-46d6853ee35d.json | 1 - ...1761cd3-380f-4d4d-89f3-46d6853ee35d_1.json | 1 - ...61cd3-380f-4d4d-89f3-46d6853ee35d_103.json | 90 +++++++++++ .../41824afb-d68c-4d0e-bfee-474dac1fa56e.json | 1 - ...24afb-d68c-4d0e-bfee-474dac1fa56e_101.json | 1 - ...24afb-d68c-4d0e-bfee-474dac1fa56e_102.json | 1 - .../4182e486-fc61-11ee-a05d-f661ea17fbce.json | 1 - ...182e486-fc61-11ee-a05d-f661ea17fbce_1.json | 1 - .../41b638a1-8ab6-4f8e-86d9-466317ef2db5.json | 1 - ...638a1-8ab6-4f8e-86d9-466317ef2db5_102.json | 1 - ...638a1-8ab6-4f8e-86d9-466317ef2db5_103.json | 1 - ...638a1-8ab6-4f8e-86d9-466317ef2db5_104.json | 1 - ...638a1-8ab6-4f8e-86d9-466317ef2db5_105.json | 1 - .../41f7da9e-4e9f-4a81-9b58-40d725d83bc0.json | 1 - .../420e5bb4-93bf-40a3-8f4a-4cc1af90eca1.json | 1 - ...20e5bb4-93bf-40a3-8f4a-4cc1af90eca1_1.json | 1 - .../42bf698b-4738-445b-8231-c834ddefd8a0.json | 1 - ...f698b-4738-445b-8231-c834ddefd8a0_102.json | 1 - ...f698b-4738-445b-8231-c834ddefd8a0_103.json | 1 - ...f698b-4738-445b-8231-c834ddefd8a0_104.json | 1 - ...f698b-4738-445b-8231-c834ddefd8a0_105.json | 1 - ...f698b-4738-445b-8231-c834ddefd8a0_106.json | 1 - ...f698b-4738-445b-8231-c834ddefd8a0_207.json | 1 - ...f698b-4738-445b-8231-c834ddefd8a0_208.json | 1 - ...f698b-4738-445b-8231-c834ddefd8a0_209.json | 1 - ...f698b-4738-445b-8231-c834ddefd8a0_211.json | 1 - ...f698b-4738-445b-8231-c834ddefd8a0_311.json | 87 +++++++++++ .../42eeee3d-947f-46d3-a14d-7036b962c266.json | 1 - ...eeee3d-947f-46d3-a14d-7036b962c266_10.json | 1 - ...2eeee3d-947f-46d3-a14d-7036b962c266_5.json | 1 - 
...2eeee3d-947f-46d3-a14d-7036b962c266_6.json | 1 - ...2eeee3d-947f-46d3-a14d-7036b962c266_7.json | 1 - ...2eeee3d-947f-46d3-a14d-7036b962c266_8.json | 1 - ...2eeee3d-947f-46d3-a14d-7036b962c266_9.json | 1 - .../4330272b-9724-4bc6-a3ca-f1532b81e5c2.json | 1 - ...0272b-9724-4bc6-a3ca-f1532b81e5c2_101.json | 1 - ...0272b-9724-4bc6-a3ca-f1532b81e5c2_102.json | 1 - ...0272b-9724-4bc6-a3ca-f1532b81e5c2_103.json | 1 - .../43d6ec12-2b1c-47b5-8f35-e9de65551d3b.json | 1 - ...3d6ec12-2b1c-47b5-8f35-e9de65551d3b_1.json | 1 - ...3d6ec12-2b1c-47b5-8f35-e9de65551d3b_2.json | 1 - ...3d6ec12-2b1c-47b5-8f35-e9de65551d3b_3.json | 1 - ...3d6ec12-2b1c-47b5-8f35-e9de65551d3b_4.json | 1 - ...3d6ec12-2b1c-47b5-8f35-e9de65551d3b_5.json | 1 - ...3d6ec12-2b1c-47b5-8f35-e9de65551d3b_6.json | 1 - ...3d6ec12-2b1c-47b5-8f35-e9de65551d3b_7.json | 1 - .../440e2db4-bc7f-4c96-a068-65b78da59bde.json | 1 - ...e2db4-bc7f-4c96-a068-65b78da59bde_104.json | 1 - ...e2db4-bc7f-4c96-a068-65b78da59bde_105.json | 1 - ...e2db4-bc7f-4c96-a068-65b78da59bde_106.json | 1 - ...e2db4-bc7f-4c96-a068-65b78da59bde_107.json | 1 - ...e2db4-bc7f-4c96-a068-65b78da59bde_108.json | 1 - ...e2db4-bc7f-4c96-a068-65b78da59bde_109.json | 1 - ...e2db4-bc7f-4c96-a068-65b78da59bde_110.json | 1 - ...e2db4-bc7f-4c96-a068-65b78da59bde_111.json | 1 - .../445a342e-03fb-42d0-8656-0367eb2dead5.json | 1 - ...a342e-03fb-42d0-8656-0367eb2dead5_102.json | 1 - ...a342e-03fb-42d0-8656-0367eb2dead5_103.json | 1 - ...a342e-03fb-42d0-8656-0367eb2dead5_104.json | 1 - ...a342e-03fb-42d0-8656-0367eb2dead5_105.json | 1 - ...a342e-03fb-42d0-8656-0367eb2dead5_106.json | 1 - .../4494c14f-5ff8-4ed2-8e99-bf816a1642fc.json | 1 - ...494c14f-5ff8-4ed2-8e99-bf816a1642fc_1.json | 1 - ...494c14f-5ff8-4ed2-8e99-bf816a1642fc_2.json | 1 - ...494c14f-5ff8-4ed2-8e99-bf816a1642fc_3.json | 1 - .../44fc462c-1159-4fa8-b1b7-9b6296ab4f96.json | 1 - ...fc462c-1159-4fa8-b1b7-9b6296ab4f96_10.json | 1 - ...fc462c-1159-4fa8-b1b7-9b6296ab4f96_11.json | 1 - 
...4fc462c-1159-4fa8-b1b7-9b6296ab4f96_5.json | 1 - ...4fc462c-1159-4fa8-b1b7-9b6296ab4f96_6.json | 1 - ...4fc462c-1159-4fa8-b1b7-9b6296ab4f96_7.json | 1 - ...4fc462c-1159-4fa8-b1b7-9b6296ab4f96_8.json | 1 - ...4fc462c-1159-4fa8-b1b7-9b6296ab4f96_9.json | 1 - .../453183fa-f903-11ee-8e88-f661ea17fbce.json | 1 - ...53183fa-f903-11ee-8e88-f661ea17fbce_1.json | 1 - .../453f659e-0429-40b1-bfdb-b6957286e04b.json | 1 - ...f659e-0429-40b1-bfdb-b6957286e04b_100.json | 1 - ...f659e-0429-40b1-bfdb-b6957286e04b_101.json | 1 - ...f659e-0429-40b1-bfdb-b6957286e04b_102.json | 1 - .../4577ef08-61d1-4458-909f-25a4b10c87fe.json | 1 - ...577ef08-61d1-4458-909f-25a4b10c87fe_1.json | 1 - .../45ac4800-840f-414c-b221-53dd36a5aaf7.json | 1 - ...c4800-840f-414c-b221-53dd36a5aaf7_105.json | 1 - ...c4800-840f-414c-b221-53dd36a5aaf7_106.json | 1 - ...c4800-840f-414c-b221-53dd36a5aaf7_107.json | 1 - ...c4800-840f-414c-b221-53dd36a5aaf7_108.json | 1 - ...c4800-840f-414c-b221-53dd36a5aaf7_109.json | 1 - ...c4800-840f-414c-b221-53dd36a5aaf7_110.json | 1 - .../45d273fb-1dca-457d-9855-bcb302180c21.json | 1 - ...273fb-1dca-457d-9855-bcb302180c21_105.json | 1 - ...273fb-1dca-457d-9855-bcb302180c21_106.json | 1 - ...273fb-1dca-457d-9855-bcb302180c21_107.json | 1 - ...273fb-1dca-457d-9855-bcb302180c21_108.json | 1 - ...273fb-1dca-457d-9855-bcb302180c21_109.json | 1 - ...273fb-1dca-457d-9855-bcb302180c21_110.json | 1 - ...273fb-1dca-457d-9855-bcb302180c21_111.json | 1 - ...273fb-1dca-457d-9855-bcb302180c21_112.json | 1 - ...273fb-1dca-457d-9855-bcb302180c21_113.json | 1 - ...273fb-1dca-457d-9855-bcb302180c21_213.json | 1 - .../4630d948-40d4-4cef-ac69-4002e29bc3db.json | 1 - ...0d948-40d4-4cef-ac69-4002e29bc3db_104.json | 1 - ...0d948-40d4-4cef-ac69-4002e29bc3db_105.json | 1 - ...0d948-40d4-4cef-ac69-4002e29bc3db_106.json | 1 - ...0d948-40d4-4cef-ac69-4002e29bc3db_107.json | 1 - ...0d948-40d4-4cef-ac69-4002e29bc3db_108.json | 1 - ...0d948-40d4-4cef-ac69-4002e29bc3db_109.json | 1 - 
...0d948-40d4-4cef-ac69-4002e29bc3db_110.json | 1 - ...0d948-40d4-4cef-ac69-4002e29bc3db_111.json | 1 - ...0d948-40d4-4cef-ac69-4002e29bc3db_112.json | 1 - ...0d948-40d4-4cef-ac69-4002e29bc3db_113.json | 1 - ...0d948-40d4-4cef-ac69-4002e29bc3db_313.json | 1 - .../4682fd2c-cfae-47ed-a543-9bed37657aa6.json | 1 - ...2fd2c-cfae-47ed-a543-9bed37657aa6_104.json | 1 - ...2fd2c-cfae-47ed-a543-9bed37657aa6_105.json | 1 - ...2fd2c-cfae-47ed-a543-9bed37657aa6_106.json | 1 - ...2fd2c-cfae-47ed-a543-9bed37657aa6_107.json | 1 - ...2fd2c-cfae-47ed-a543-9bed37657aa6_108.json | 1 - ...2fd2c-cfae-47ed-a543-9bed37657aa6_109.json | 1 - ...2fd2c-cfae-47ed-a543-9bed37657aa6_110.json | 1 - ...2fd2c-cfae-47ed-a543-9bed37657aa6_310.json | 1 - .../46f804f5-b289-43d6-a881-9387cf594f75.json | 1 - ...804f5-b289-43d6-a881-9387cf594f75_102.json | 1 - ...804f5-b289-43d6-a881-9387cf594f75_103.json | 1 - ...804f5-b289-43d6-a881-9387cf594f75_104.json | 1 - .../474fd20e-14cc-49c5-8160-d9ab4ba16c8b.json | 1 - ...74fd20e-14cc-49c5-8160-d9ab4ba16c8b_1.json | 1 - ...4fd20e-14cc-49c5-8160-d9ab4ba16c8b_10.json | 1 - ...4fd20e-14cc-49c5-8160-d9ab4ba16c8b_11.json | 1 - ...4fd20e-14cc-49c5-8160-d9ab4ba16c8b_12.json | 1 - ...74fd20e-14cc-49c5-8160-d9ab4ba16c8b_2.json | 1 - ...74fd20e-14cc-49c5-8160-d9ab4ba16c8b_3.json | 1 - ...74fd20e-14cc-49c5-8160-d9ab4ba16c8b_4.json | 1 - ...74fd20e-14cc-49c5-8160-d9ab4ba16c8b_5.json | 1 - ...74fd20e-14cc-49c5-8160-d9ab4ba16c8b_6.json | 1 - ...74fd20e-14cc-49c5-8160-d9ab4ba16c8b_7.json | 1 - ...74fd20e-14cc-49c5-8160-d9ab4ba16c8b_8.json | 1 - ...74fd20e-14cc-49c5-8160-d9ab4ba16c8b_9.json | 1 - .../475b42f0-61fb-4ef0-8a85-597458bfb0a1.json | 1 - ...75b42f0-61fb-4ef0-8a85-597458bfb0a1_1.json | 1 - ...76267ff-e44f-476e-99c1-04c78cb3769d_1.json | 1 - .../47e22836-4a16-4b35-beee-98f6c4ee9bf2.json | 1 - ...22836-4a16-4b35-beee-98f6c4ee9bf2_105.json | 1 - ...22836-4a16-4b35-beee-98f6c4ee9bf2_106.json | 1 - ...22836-4a16-4b35-beee-98f6c4ee9bf2_107.json | 1 - 
...22836-4a16-4b35-beee-98f6c4ee9bf2_108.json | 1 - ...22836-4a16-4b35-beee-98f6c4ee9bf2_109.json | 1 - ...22836-4a16-4b35-beee-98f6c4ee9bf2_110.json | 1 - ...22836-4a16-4b35-beee-98f6c4ee9bf2_111.json | 1 - .../47f76567-d58a-4fed-b32b-21f571e28910.json | 1 - ...76567-d58a-4fed-b32b-21f571e28910_102.json | 1 - ...76567-d58a-4fed-b32b-21f571e28910_103.json | 1 - ...76567-d58a-4fed-b32b-21f571e28910_104.json | 1 - ...76567-d58a-4fed-b32b-21f571e28910_105.json | 1 - .../483c4daf-b0c6-49e0-adf3-0bfa93231d6b.json | 1 - ...c4daf-b0c6-49e0-adf3-0bfa93231d6b_102.json | 1 - ...c4daf-b0c6-49e0-adf3-0bfa93231d6b_103.json | 1 - ...c4daf-b0c6-49e0-adf3-0bfa93231d6b_104.json | 1 - ...c4daf-b0c6-49e0-adf3-0bfa93231d6b_105.json | 1 - ...c4daf-b0c6-49e0-adf3-0bfa93231d6b_106.json | 1 - ...c4daf-b0c6-49e0-adf3-0bfa93231d6b_107.json | 1 - ...c4daf-b0c6-49e0-adf3-0bfa93231d6b_108.json | 1 - ...c4daf-b0c6-49e0-adf3-0bfa93231d6b_109.json | 1 - ...c4daf-b0c6-49e0-adf3-0bfa93231d6b_110.json | 1 - ...c4daf-b0c6-49e0-adf3-0bfa93231d6b_310.json | 1 - .../48819484-9826-4083-9eba-1da74cd0eaf2.json | 1 - ...8819484-9826-4083-9eba-1da74cd0eaf2_1.json | 1 - ...19484-9826-4083-9eba-1da74cd0eaf2_105.json | 1 - ...19484-9826-4083-9eba-1da74cd0eaf2_106.json | 1 - ...8819484-9826-4083-9eba-1da74cd0eaf2_2.json | 1 - ...8819484-9826-4083-9eba-1da74cd0eaf2_4.json | 1 - .../48b3d2e3-f4e8-41e6-95e6-9b2091228db3.json | 1 - ...8b3d2e3-f4e8-41e6-95e6-9b2091228db3_1.json | 1 - ...8b3d2e3-f4e8-41e6-95e6-9b2091228db3_2.json | 1 - ...8b3d2e3-f4e8-41e6-95e6-9b2091228db3_3.json | 1 - ...8b3d2e3-f4e8-41e6-95e6-9b2091228db3_4.json | 1 - ...8b3d2e3-f4e8-41e6-95e6-9b2091228db3_5.json | 1 - ...8b3d2e3-f4e8-41e6-95e6-9b2091228db3_6.json | 1 - ...8b3d2e3-f4e8-41e6-95e6-9b2091228db3_7.json | 1 - ...8b3d2e3-f4e8-41e6-95e6-9b2091228db3_8.json | 1 - .../48b6edfc-079d-4907-b43c-baffa243270d.json | 1 - ...b6edfc-079d-4907-b43c-baffa243270d_10.json | 1 - ...8b6edfc-079d-4907-b43c-baffa243270d_4.json | 1 - 
...8b6edfc-079d-4907-b43c-baffa243270d_5.json | 1 - ...8b6edfc-079d-4907-b43c-baffa243270d_6.json | 1 - ...8b6edfc-079d-4907-b43c-baffa243270d_7.json | 1 - ...8b6edfc-079d-4907-b43c-baffa243270d_8.json | 1 - ...8b6edfc-079d-4907-b43c-baffa243270d_9.json | 1 - .../48d7f54d-c29e-4430-93a9-9db6b5892270.json | 1 - ...7f54d-c29e-4430-93a9-9db6b5892270_102.json | 1 - ...7f54d-c29e-4430-93a9-9db6b5892270_103.json | 1 - ...7f54d-c29e-4430-93a9-9db6b5892270_104.json | 1 - ...7f54d-c29e-4430-93a9-9db6b5892270_105.json | 1 - ...7f54d-c29e-4430-93a9-9db6b5892270_106.json | 1 - .../48ec9452-e1fd-4513-a376-10a1a26d2c83.json | 1 - ...c9452-e1fd-4513-a376-10a1a26d2c83_102.json | 1 - ...c9452-e1fd-4513-a376-10a1a26d2c83_103.json | 1 - ...c9452-e1fd-4513-a376-10a1a26d2c83_104.json | 1 - ...c9452-e1fd-4513-a376-10a1a26d2c83_105.json | 1 - .../48f657ee-de4f-477c-aa99-ed88ee7af97a.json | 1 - ...8f657ee-de4f-477c-aa99-ed88ee7af97a_1.json | 1 - ...8f657ee-de4f-477c-aa99-ed88ee7af97a_2.json | 1 - .../493834ca-f861-414c-8602-150d5505b777.json | 1 - ...834ca-f861-414c-8602-150d5505b777_100.json | 1 - ...834ca-f861-414c-8602-150d5505b777_101.json | 1 - .../494ebba4-ecb7-4be4-8c6f-654c686549ad.json | 1 - ...94ebba4-ecb7-4be4-8c6f-654c686549ad_1.json | 1 - ...94ebba4-ecb7-4be4-8c6f-654c686549ad_2.json | 1 - ...94ebba4-ecb7-4be4-8c6f-654c686549ad_3.json | 1 - ...94ebba4-ecb7-4be4-8c6f-654c686549ad_4.json | 1 - ...94ebba4-ecb7-4be4-8c6f-654c686549ad_5.json | 1 - ...94ebba4-ecb7-4be4-8c6f-654c686549ad_6.json | 1 - ...94ebba4-ecb7-4be4-8c6f-654c686549ad_7.json | 1 - .../495e5f2e-2480-11ed-bea8-f661ea17fbce.json | 1 - ...e5f2e-2480-11ed-bea8-f661ea17fbce_104.json | 1 - ...e5f2e-2480-11ed-bea8-f661ea17fbce_105.json | 1 - ...e5f2e-2480-11ed-bea8-f661ea17fbce_106.json | 1 - .../4982ac3e-d0ee-4818-b95d-d9522d689259.json | 1 - ...982ac3e-d0ee-4818-b95d-d9522d689259_1.json | 1 - ...982ac3e-d0ee-4818-b95d-d9522d689259_2.json | 1 - ...982ac3e-d0ee-4818-b95d-d9522d689259_3.json | 1 - 
...982ac3e-d0ee-4818-b95d-d9522d689259_4.json | 1 - ...982ac3e-d0ee-4818-b95d-d9522d689259_5.json | 1 - .../4a4e23cf-78a2-449c-bac3-701924c269d3.json | 1 - ...e23cf-78a2-449c-bac3-701924c269d3_101.json | 1 - ...e23cf-78a2-449c-bac3-701924c269d3_102.json | 1 - ...e23cf-78a2-449c-bac3-701924c269d3_103.json | 1 - ...e23cf-78a2-449c-bac3-701924c269d3_104.json | 1 - ...e23cf-78a2-449c-bac3-701924c269d3_105.json | 1 - .../4a99ac6f-9a54-4ba5-a64f-6eb65695841b.json | 1 - ...a99ac6f-9a54-4ba5-a64f-6eb65695841b_1.json | 1 - ...a99ac6f-9a54-4ba5-a64f-6eb65695841b_2.json | 1 - ...a99ac6f-9a54-4ba5-a64f-6eb65695841b_3.json | 1 - ...a99ac6f-9a54-4ba5-a64f-6eb65695841b_4.json | 1 - .../4aa58ac6-4dc0-4d18-b713-f58bf8bd015c.json | 1 - ...aa58ac6-4dc0-4d18-b713-f58bf8bd015c_1.json | 1 - .../4b438734-3793-4fda-bd42-ceeada0be8f9.json | 1 - ...38734-3793-4fda-bd42-ceeada0be8f9_104.json | 1 - ...38734-3793-4fda-bd42-ceeada0be8f9_105.json | 1 - ...38734-3793-4fda-bd42-ceeada0be8f9_106.json | 1 - ...38734-3793-4fda-bd42-ceeada0be8f9_107.json | 1 - ...38734-3793-4fda-bd42-ceeada0be8f9_108.json | 1 - ...38734-3793-4fda-bd42-ceeada0be8f9_109.json | 1 - ...38734-3793-4fda-bd42-ceeada0be8f9_110.json | 1 - ...38734-3793-4fda-bd42-ceeada0be8f9_111.json | 1 - ...38734-3793-4fda-bd42-ceeada0be8f9_311.json | 1 - .../4b4e9c99-27ea-4621-95c8-82341bc6e512.json | 1 - ...b4e9c99-27ea-4621-95c8-82341bc6e512_1.json | 1 - ...b4e9c99-27ea-4621-95c8-82341bc6e512_2.json | 1 - ...b4e9c99-27ea-4621-95c8-82341bc6e512_3.json | 1 - .../4b868f1f-15ff-4ba3-8c11-d5a7a6356d37.json | 1 - ...b868f1f-15ff-4ba3-8c11-d5a7a6356d37_1.json | 1 - ...b868f1f-15ff-4ba3-8c11-d5a7a6356d37_2.json | 1 - ...b868f1f-15ff-4ba3-8c11-d5a7a6356d37_3.json | 1 - .../4b95ecea-7225-4690-9938-2a2c0bad9c99.json | 1 - ...b95ecea-7225-4690-9938-2a2c0bad9c99_1.json | 1 - ...b95ecea-7225-4690-9938-2a2c0bad9c99_2.json | 1 - ...b95ecea-7225-4690-9938-2a2c0bad9c99_3.json | 1 - .../4bd1c1af-79d4-4d37-9efa-6e0240640242.json | 1 - 
...1c1af-79d4-4d37-9efa-6e0240640242_103.json | 1 - ...1c1af-79d4-4d37-9efa-6e0240640242_104.json | 1 - ...1c1af-79d4-4d37-9efa-6e0240640242_105.json | 1 - ...1c1af-79d4-4d37-9efa-6e0240640242_106.json | 1 - ...1c1af-79d4-4d37-9efa-6e0240640242_107.json | 1 - ...1c1af-79d4-4d37-9efa-6e0240640242_108.json | 1 - ...1c1af-79d4-4d37-9efa-6e0240640242_109.json | 1 - ...1c1af-79d4-4d37-9efa-6e0240640242_309.json | 1 - .../4c59cff1-b78a-41b8-a9f1-4231984d1fb6.json | 1 - ...59cff1-b78a-41b8-a9f1-4231984d1fb6_10.json | 1 - ...c59cff1-b78a-41b8-a9f1-4231984d1fb6_5.json | 1 - ...c59cff1-b78a-41b8-a9f1-4231984d1fb6_6.json | 1 - ...c59cff1-b78a-41b8-a9f1-4231984d1fb6_7.json | 1 - ...c59cff1-b78a-41b8-a9f1-4231984d1fb6_8.json | 1 - ...c59cff1-b78a-41b8-a9f1-4231984d1fb6_9.json | 1 - .../4d4c35f4-414e-4d0c-bb7e-6db7c80a6957.json | 1 - ...d4c35f4-414e-4d0c-bb7e-6db7c80a6957_1.json | 1 - ...d4c35f4-414e-4d0c-bb7e-6db7c80a6957_2.json | 1 - ...d4c35f4-414e-4d0c-bb7e-6db7c80a6957_3.json | 1 - ...d4c35f4-414e-4d0c-bb7e-6db7c80a6957_4.json | 1 - ...d4c35f4-414e-4d0c-bb7e-6db7c80a6957_5.json | 1 - ...d4c35f4-414e-4d0c-bb7e-6db7c80a6957_6.json | 1 - .../4d50a94f-2844-43fa-8395-6afbd5e1c5ef.json | 1 - ...0a94f-2844-43fa-8395-6afbd5e1c5ef_102.json | 1 - ...0a94f-2844-43fa-8395-6afbd5e1c5ef_103.json | 1 - ...0a94f-2844-43fa-8395-6afbd5e1c5ef_104.json | 1 - ...0a94f-2844-43fa-8395-6afbd5e1c5ef_205.json | 1 - ...0a94f-2844-43fa-8395-6afbd5e1c5ef_206.json | 1 - .../4da13d6e-904f-4636-81d8-6ab14b4e6ae9.json | 1 - ...13d6e-904f-4636-81d8-6ab14b4e6ae9_102.json | 1 - ...13d6e-904f-4636-81d8-6ab14b4e6ae9_103.json | 1 - ...13d6e-904f-4636-81d8-6ab14b4e6ae9_104.json | 1 - ...13d6e-904f-4636-81d8-6ab14b4e6ae9_105.json | 1 - .../4de76544-f0e5-486a-8f84-eae0b6063cdc.json | 1 - ...76544-f0e5-486a-8f84-eae0b6063cdc_105.json | 1 - ...76544-f0e5-486a-8f84-eae0b6063cdc_106.json | 1 - ...76544-f0e5-486a-8f84-eae0b6063cdc_107.json | 1 - ...76544-f0e5-486a-8f84-eae0b6063cdc_108.json | 1 - 
...76544-f0e5-486a-8f84-eae0b6063cdc_109.json | 1 - ...76544-f0e5-486a-8f84-eae0b6063cdc_110.json | 1 - ...76544-f0e5-486a-8f84-eae0b6063cdc_111.json | 1 - ...76544-f0e5-486a-8f84-eae0b6063cdc_112.json | 1 - ...76544-f0e5-486a-8f84-eae0b6063cdc_113.json | 1 - ...76544-f0e5-486a-8f84-eae0b6063cdc_313.json | 1 - .../4e85dc8a-3e41-40d8-bc28-91af7ac6cf60.json | 1 - ...85dc8a-3e41-40d8-bc28-91af7ac6cf60_10.json | 1 - ...85dc8a-3e41-40d8-bc28-91af7ac6cf60_11.json | 1 - ...e85dc8a-3e41-40d8-bc28-91af7ac6cf60_4.json | 1 - ...e85dc8a-3e41-40d8-bc28-91af7ac6cf60_5.json | 1 - ...e85dc8a-3e41-40d8-bc28-91af7ac6cf60_6.json | 1 - ...e85dc8a-3e41-40d8-bc28-91af7ac6cf60_7.json | 1 - ...e85dc8a-3e41-40d8-bc28-91af7ac6cf60_8.json | 1 - ...e85dc8a-3e41-40d8-bc28-91af7ac6cf60_9.json | 1 - .../4ec47004-b34a-42e6-8003-376a123ea447.json | 1 - ...ec47004-b34a-42e6-8003-376a123ea447_1.json | 1 - ...ec47004-b34a-42e6-8003-376a123ea447_2.json | 1 - ...ec47004-b34a-42e6-8003-376a123ea447_3.json | 1 - ...ec47004-b34a-42e6-8003-376a123ea447_4.json | 1 - ...ec47004-b34a-42e6-8003-376a123ea447_5.json | 1 - ...ec47004-b34a-42e6-8003-376a123ea447_6.json | 1 - ...ec47004-b34a-42e6-8003-376a123ea447_7.json | 1 - ...ec47004-b34a-42e6-8003-376a123ea447_8.json | 1 - ...ec47004-b34a-42e6-8003-376a123ea447_9.json | 1 - .../4ed493fc-d637-4a36-80ff-ac84937e5461.json | 1 - ...493fc-d637-4a36-80ff-ac84937e5461_104.json | 1 - ...493fc-d637-4a36-80ff-ac84937e5461_105.json | 1 - ...493fc-d637-4a36-80ff-ac84937e5461_106.json | 1 - ...493fc-d637-4a36-80ff-ac84937e5461_107.json | 1 - ...493fc-d637-4a36-80ff-ac84937e5461_108.json | 1 - ...493fc-d637-4a36-80ff-ac84937e5461_109.json | 1 - ...493fc-d637-4a36-80ff-ac84937e5461_110.json | 1 - ...493fc-d637-4a36-80ff-ac84937e5461_111.json | 1 - ...493fc-d637-4a36-80ff-ac84937e5461_112.json | 1 - ...493fc-d637-4a36-80ff-ac84937e5461_312.json | 1 - .../4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff.json | 1 - ...678a9-3a4f-41fb-9fea-f85a6e0a0dff_102.json | 1 - 
...678a9-3a4f-41fb-9fea-f85a6e0a0dff_103.json | 1 - ...678a9-3a4f-41fb-9fea-f85a6e0a0dff_104.json | 1 - ...678a9-3a4f-41fb-9fea-f85a6e0a0dff_105.json | 1 - ...678a9-3a4f-41fb-9fea-f85a6e0a0dff_106.json | 1 - ...678a9-3a4f-41fb-9fea-f85a6e0a0dff_107.json | 1 - ...678a9-3a4f-41fb-9fea-f85a6e0a0dff_108.json | 1 - .../4edd3e1a-3aa0-499b-8147-4d2ea43b1613.json | 1 - ...d3e1a-3aa0-499b-8147-4d2ea43b1613_102.json | 1 - ...d3e1a-3aa0-499b-8147-4d2ea43b1613_103.json | 1 - ...d3e1a-3aa0-499b-8147-4d2ea43b1613_104.json | 1 - ...d3e1a-3aa0-499b-8147-4d2ea43b1613_105.json | 1 - ...d3e1a-3aa0-499b-8147-4d2ea43b1613_206.json | 1 - ...d3e1a-3aa0-499b-8147-4d2ea43b1613_207.json | 1 - ...d3e1a-3aa0-499b-8147-4d2ea43b1613_209.json | 1 - ...d3e1a-3aa0-499b-8147-4d2ea43b1613_309.json | 101 +++++++++++++ .../4f855297-c8e0-4097-9d97-d653f7e471c4.json | 1 - ...f855297-c8e0-4097-9d97-d653f7e471c4_1.json | 1 - ...f855297-c8e0-4097-9d97-d653f7e471c4_2.json | 1 - ...f855297-c8e0-4097-9d97-d653f7e471c4_3.json | 1 - .../4fe9d835-40e1-452d-8230-17c147cafad8.json | 1 - ...9d835-40e1-452d-8230-17c147cafad8_103.json | 1 - ...9d835-40e1-452d-8230-17c147cafad8_104.json | 1 - ...9d835-40e1-452d-8230-17c147cafad8_105.json | 1 - ...9d835-40e1-452d-8230-17c147cafad8_106.json | 1 - ...9d835-40e1-452d-8230-17c147cafad8_107.json | 1 - ...9d835-40e1-452d-8230-17c147cafad8_108.json | 1 - ...9d835-40e1-452d-8230-17c147cafad8_109.json | 1 - ...9d835-40e1-452d-8230-17c147cafad8_110.json | 1 - ...9d835-40e1-452d-8230-17c147cafad8_111.json | 1 - ...9d835-40e1-452d-8230-17c147cafad8_311.json | 1 - ...9d835-40e1-452d-8230-17c147cafad8_312.json | 1 - .../50887ba8-7ff7-11ee-a038-f661ea17fbcd.json | 1 - ...0887ba8-7ff7-11ee-a038-f661ea17fbcd_1.json | 1 - ...87ba8-7ff7-11ee-a038-f661ea17fbcd_105.json | 126 ++++++++++++++++ ...0887ba8-7ff7-11ee-a038-f661ea17fbcd_2.json | 1 - ...0887ba8-7ff7-11ee-a038-f661ea17fbcd_3.json | 1 - ...0887ba8-7ff7-11ee-a038-f661ea17fbcd_5.json | 1 - 
.../51176ed2-2d90-49f2-9f3d-17196428b169.json | 1 - ...1176ed2-2d90-49f2-9f3d-17196428b169_1.json | 1 - ...1176ed2-2d90-49f2-9f3d-17196428b169_2.json | 1 - ...1176ed2-2d90-49f2-9f3d-17196428b169_3.json | 1 - ...1176ed2-2d90-49f2-9f3d-17196428b169_4.json | 1 - ...1176ed2-2d90-49f2-9f3d-17196428b169_5.json | 1 - ...1176ed2-2d90-49f2-9f3d-17196428b169_6.json | 1 - ...1176ed2-2d90-49f2-9f3d-17196428b169_7.json | 1 - .../5124e65f-df97-4471-8dcb-8e3953b3ea97.json | 1 - ...124e65f-df97-4471-8dcb-8e3953b3ea97_1.json | 1 - ...124e65f-df97-4471-8dcb-8e3953b3ea97_2.json | 1 - .../513f0ffd-b317-4b9c-9494-92ce861f22c7.json | 1 - ...f0ffd-b317-4b9c-9494-92ce861f22c7_102.json | 1 - ...f0ffd-b317-4b9c-9494-92ce861f22c7_103.json | 1 - ...f0ffd-b317-4b9c-9494-92ce861f22c7_104.json | 1 - ...f0ffd-b317-4b9c-9494-92ce861f22c7_105.json | 1 - ...f0ffd-b317-4b9c-9494-92ce861f22c7_106.json | 1 - ...f0ffd-b317-4b9c-9494-92ce861f22c7_107.json | 1 - ...f0ffd-b317-4b9c-9494-92ce861f22c7_108.json | 1 - ...f0ffd-b317-4b9c-9494-92ce861f22c7_209.json | 1 - ...f0ffd-b317-4b9c-9494-92ce861f22c7_310.json | 1 - ...f0ffd-b317-4b9c-9494-92ce861f22c7_311.json | 1 - ...f0ffd-b317-4b9c-9494-92ce861f22c7_312.json | 1 - .../514121ce-c7b6-474a-8237-68ff71672379.json | 1 - ...121ce-c7b6-474a-8237-68ff71672379_101.json | 1 - ...121ce-c7b6-474a-8237-68ff71672379_102.json | 1 - ...121ce-c7b6-474a-8237-68ff71672379_103.json | 1 - ...121ce-c7b6-474a-8237-68ff71672379_105.json | 1 - .../51859fa0-d86b-4214-bf48-ebb30ed91305.json | 1 - ...59fa0-d86b-4214-bf48-ebb30ed91305_103.json | 1 - .../5188c68e-d3de-4e96-994d-9e242269446f.json | 1 - ...8c68e-d3de-4e96-994d-9e242269446f_103.json | 1 - ...188c68e-d3de-4e96-994d-9e242269446f_2.json | 1 - ...8c68e-d3de-4e96-994d-9e242269446f_203.json | 1 - .../51a09737-80f7-4551-a3be-dac8ef5d181a.json | 1 - ...1a09737-80f7-4551-a3be-dac8ef5d181a_1.json | 1 - .../51ce96fb-9e52-4dad-b0ba-99b54440fc9a.json | 1 - ...e96fb-9e52-4dad-b0ba-99b54440fc9a_103.json | 1 - 
...e96fb-9e52-4dad-b0ba-99b54440fc9a_104.json | 1 - ...e96fb-9e52-4dad-b0ba-99b54440fc9a_105.json | 1 - ...e96fb-9e52-4dad-b0ba-99b54440fc9a_106.json | 1 - ...e96fb-9e52-4dad-b0ba-99b54440fc9a_107.json | 1 - ...e96fb-9e52-4dad-b0ba-99b54440fc9a_108.json | 1 - .../521fbe5c-a78d-4b6b-a323-f978b0e4c4c0.json | 1 - ...21fbe5c-a78d-4b6b-a323-f978b0e4c4c0_1.json | 1 - ...21fbe5c-a78d-4b6b-a323-f978b0e4c4c0_2.json | 1 - ...21fbe5c-a78d-4b6b-a323-f978b0e4c4c0_3.json | 1 - ...21fbe5c-a78d-4b6b-a323-f978b0e4c4c0_4.json | 1 - ...21fbe5c-a78d-4b6b-a323-f978b0e4c4c0_5.json | 1 - ...21fbe5c-a78d-4b6b-a323-f978b0e4c4c0_6.json | 1 - .../523116c0-d89d-4d7c-82c2-39e6845a78ef.json | 1 - ...116c0-d89d-4d7c-82c2-39e6845a78ef_102.json | 1 - ...116c0-d89d-4d7c-82c2-39e6845a78ef_103.json | 1 - ...116c0-d89d-4d7c-82c2-39e6845a78ef_104.json | 1 - ...116c0-d89d-4d7c-82c2-39e6845a78ef_205.json | 1 - .../52376a86-ee86-4967-97ae-1a05f55816f0.json | 1 - ...76a86-ee86-4967-97ae-1a05f55816f0_103.json | 1 - ...76a86-ee86-4967-97ae-1a05f55816f0_104.json | 1 - ...76a86-ee86-4967-97ae-1a05f55816f0_105.json | 1 - ...76a86-ee86-4967-97ae-1a05f55816f0_106.json | 1 - ...76a86-ee86-4967-97ae-1a05f55816f0_107.json | 1 - ...76a86-ee86-4967-97ae-1a05f55816f0_108.json | 1 - ...76a86-ee86-4967-97ae-1a05f55816f0_109.json | 1 - ...76a86-ee86-4967-97ae-1a05f55816f0_110.json | 1 - ...76a86-ee86-4967-97ae-1a05f55816f0_111.json | 1 - ...76a86-ee86-4967-97ae-1a05f55816f0_112.json | 1 - .../5297b7f1-bccd-4611-93fa-ea342a01ff84.json | 1 - .../52aaab7b-b51c-441a-89ce-4387b3aea886.json | 1 - ...aab7b-b51c-441a-89ce-4387b3aea886_105.json | 1 - ...aab7b-b51c-441a-89ce-4387b3aea886_106.json | 1 - ...aab7b-b51c-441a-89ce-4387b3aea886_107.json | 1 - ...aab7b-b51c-441a-89ce-4387b3aea886_108.json | 1 - ...aab7b-b51c-441a-89ce-4387b3aea886_109.json | 1 - .../52afbdc5-db15-485e-bc24-f5707f820c4b.json | 1 - ...fbdc5-db15-485e-bc24-f5707f820c4b_101.json | 1 - ...fbdc5-db15-485e-bc24-f5707f820c4b_102.json | 1 - 
...fbdc5-db15-485e-bc24-f5707f820c4b_103.json | 1 - .../530178da-92ea-43ce-94c2-8877a826783d.json | 1 - ...178da-92ea-43ce-94c2-8877a826783d_102.json | 1 - ...178da-92ea-43ce-94c2-8877a826783d_103.json | 1 - ...178da-92ea-43ce-94c2-8877a826783d_104.json | 1 - ...178da-92ea-43ce-94c2-8877a826783d_105.json | 1 - .../53617418-17b4-4e9c-8a2c-8deb8086ca4b.json | 1 - ...3617418-17b4-4e9c-8a2c-8deb8086ca4b_1.json | 1 - ...617418-17b4-4e9c-8a2c-8deb8086ca4b_10.json | 1 - ...3617418-17b4-4e9c-8a2c-8deb8086ca4b_2.json | 1 - ...3617418-17b4-4e9c-8a2c-8deb8086ca4b_3.json | 1 - ...3617418-17b4-4e9c-8a2c-8deb8086ca4b_4.json | 1 - ...3617418-17b4-4e9c-8a2c-8deb8086ca4b_5.json | 1 - ...3617418-17b4-4e9c-8a2c-8deb8086ca4b_6.json | 1 - ...3617418-17b4-4e9c-8a2c-8deb8086ca4b_7.json | 1 - ...3617418-17b4-4e9c-8a2c-8deb8086ca4b_8.json | 1 - ...3617418-17b4-4e9c-8a2c-8deb8086ca4b_9.json | 1 - .../536997f7-ae73-447d-a12d-bff1e8f5f0a0.json | 1 - ...997f7-ae73-447d-a12d-bff1e8f5f0a0_102.json | 1 - ...997f7-ae73-447d-a12d-bff1e8f5f0a0_103.json | 1 - ...997f7-ae73-447d-a12d-bff1e8f5f0a0_104.json | 1 - ...997f7-ae73-447d-a12d-bff1e8f5f0a0_205.json | 1 - .../5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de.json | 1 - ...0d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_101.json | 1 - .../5397080f-34e5-449b-8e9c-4c8083d7ccc6.json | 1 - ...397080f-34e5-449b-8e9c-4c8083d7ccc6_1.json | 1 - ...397080f-34e5-449b-8e9c-4c8083d7ccc6_2.json | 1 - ...397080f-34e5-449b-8e9c-4c8083d7ccc6_3.json | 1 - ...397080f-34e5-449b-8e9c-4c8083d7ccc6_4.json | 1 - ...397080f-34e5-449b-8e9c-4c8083d7ccc6_5.json | 1 - .../53a26770-9cbd-40c5-8b57-61d01a325e14.json | 1 - ...26770-9cbd-40c5-8b57-61d01a325e14_104.json | 1 - ...26770-9cbd-40c5-8b57-61d01a325e14_105.json | 1 - ...26770-9cbd-40c5-8b57-61d01a325e14_106.json | 1 - ...26770-9cbd-40c5-8b57-61d01a325e14_107.json | 1 - ...26770-9cbd-40c5-8b57-61d01a325e14_108.json | 1 - ...26770-9cbd-40c5-8b57-61d01a325e14_109.json | 1 - ...26770-9cbd-40c5-8b57-61d01a325e14_110.json | 1 - 
...26770-9cbd-40c5-8b57-61d01a325e14_111.json | 1 - ...26770-9cbd-40c5-8b57-61d01a325e14_311.json | 1 - ...26770-9cbd-40c5-8b57-61d01a325e14_312.json | 1 - .../53dedd83-1be7-430f-8026-363256395c8b.json | 1 - ...3dedd83-1be7-430f-8026-363256395c8b_1.json | 1 - ...3dedd83-1be7-430f-8026-363256395c8b_2.json | 1 - ...3dedd83-1be7-430f-8026-363256395c8b_3.json | 1 - ...3dedd83-1be7-430f-8026-363256395c8b_4.json | 1 - ...3dedd83-1be7-430f-8026-363256395c8b_5.json | 1 - .../54902e45-3467-49a4-8abc-529f2c8cfb80.json | 1 - ...02e45-3467-49a4-8abc-529f2c8cfb80_102.json | 1 - ...02e45-3467-49a4-8abc-529f2c8cfb80_103.json | 1 - ...02e45-3467-49a4-8abc-529f2c8cfb80_104.json | 1 - ...02e45-3467-49a4-8abc-529f2c8cfb80_105.json | 1 - ...02e45-3467-49a4-8abc-529f2c8cfb80_106.json | 1 - ...02e45-3467-49a4-8abc-529f2c8cfb80_107.json | 1 - ...02e45-3467-49a4-8abc-529f2c8cfb80_108.json | 1 - ...02e45-3467-49a4-8abc-529f2c8cfb80_109.json | 1 - ...02e45-3467-49a4-8abc-529f2c8cfb80_110.json | 1 - ...02e45-3467-49a4-8abc-529f2c8cfb80_210.json | 1 - .../54a81f68-5f2a-421e-8eed-f888278bb712.json | 1 - ...81f68-5f2a-421e-8eed-f888278bb712_108.json | 1 - ...81f68-5f2a-421e-8eed-f888278bb712_109.json | 1 - ...4a81f68-5f2a-421e-8eed-f888278bb712_2.json | 1 - ...4a81f68-5f2a-421e-8eed-f888278bb712_3.json | 1 - ...4a81f68-5f2a-421e-8eed-f888278bb712_4.json | 1 - ...4a81f68-5f2a-421e-8eed-f888278bb712_5.json | 1 - ...4a81f68-5f2a-421e-8eed-f888278bb712_6.json | 1 - ...4a81f68-5f2a-421e-8eed-f888278bb712_7.json | 1 - ...4a81f68-5f2a-421e-8eed-f888278bb712_8.json | 1 - .../54c3d186-0461-4dc3-9b33-2dc5c7473936.json | 1 - ...3d186-0461-4dc3-9b33-2dc5c7473936_103.json | 1 - ...3d186-0461-4dc3-9b33-2dc5c7473936_104.json | 1 - ...3d186-0461-4dc3-9b33-2dc5c7473936_105.json | 1 - ...3d186-0461-4dc3-9b33-2dc5c7473936_106.json | 1 - ...3d186-0461-4dc3-9b33-2dc5c7473936_107.json | 1 - ...3d186-0461-4dc3-9b33-2dc5c7473936_108.json | 1 - ...3d186-0461-4dc3-9b33-2dc5c7473936_109.json | 1 - 
...3d186-0461-4dc3-9b33-2dc5c7473936_110.json | 1 - ...3d186-0461-4dc3-9b33-2dc5c7473936_111.json | 1 - ...3d186-0461-4dc3-9b33-2dc5c7473936_212.json | 1 - .../55c2bf58-2a39-4c58-a384-c8b1978153c2.json | 1 - ...2bf58-2a39-4c58-a384-c8b1978153c2_103.json | 1 - ...2bf58-2a39-4c58-a384-c8b1978153c2_104.json | 1 - ...2bf58-2a39-4c58-a384-c8b1978153c2_105.json | 1 - ...2bf58-2a39-4c58-a384-c8b1978153c2_106.json | 1 - ...2bf58-2a39-4c58-a384-c8b1978153c2_107.json | 1 - ...2bf58-2a39-4c58-a384-c8b1978153c2_108.json | 1 - ...2bf58-2a39-4c58-a384-c8b1978153c2_109.json | 1 - ...2bf58-2a39-4c58-a384-c8b1978153c2_110.json | 1 - ...2bf58-2a39-4c58-a384-c8b1978153c2_111.json | 1 - .../55d551c6-333b-4665-ab7e-5d14a59715ce.json | 1 - ...551c6-333b-4665-ab7e-5d14a59715ce_104.json | 1 - ...551c6-333b-4665-ab7e-5d14a59715ce_105.json | 1 - ...551c6-333b-4665-ab7e-5d14a59715ce_106.json | 1 - ...551c6-333b-4665-ab7e-5d14a59715ce_107.json | 1 - ...551c6-333b-4665-ab7e-5d14a59715ce_108.json | 1 - ...551c6-333b-4665-ab7e-5d14a59715ce_109.json | 1 - .../55f07d1b-25bc-4a0f-aa0c-05323c1319d0.json | 1 - ...5f07d1b-25bc-4a0f-aa0c-05323c1319d0_1.json | 1 - .../56004189-4e69-4a39-b4a9-195329d226e9.json | 1 - ...6004189-4e69-4a39-b4a9-195329d226e9_1.json | 1 - ...6004189-4e69-4a39-b4a9-195329d226e9_2.json | 1 - ...6004189-4e69-4a39-b4a9-195329d226e9_3.json | 1 - ...6004189-4e69-4a39-b4a9-195329d226e9_4.json | 1 - ...6004189-4e69-4a39-b4a9-195329d226e9_5.json | 1 - ...6004189-4e69-4a39-b4a9-195329d226e9_6.json | 1 - .../5610b192-7f18-11ee-825b-f661ea17fbcd.json | 1 - ...610b192-7f18-11ee-825b-f661ea17fbcd_1.json | 1 - ...0b192-7f18-11ee-825b-f661ea17fbcd_104.json | 110 ++++++++++++++ ...610b192-7f18-11ee-825b-f661ea17fbcd_2.json | 1 - ...610b192-7f18-11ee-825b-f661ea17fbcd_4.json | 1 - .../56557cde-d923-4b88-adee-c61b3f3b5dc3.json | 1 - ...57cde-d923-4b88-adee-c61b3f3b5dc3_102.json | 1 - ...57cde-d923-4b88-adee-c61b3f3b5dc3_103.json | 1 - ...57cde-d923-4b88-adee-c61b3f3b5dc3_104.json | 1 - 
...57cde-d923-4b88-adee-c61b3f3b5dc3_105.json | 1 - ...57cde-d923-4b88-adee-c61b3f3b5dc3_106.json | 1 - .../565c2b44-7a21-4818-955f-8d4737967d2e.json | 1 - ...c2b44-7a21-4818-955f-8d4737967d2e_102.json | 1 - ...c2b44-7a21-4818-955f-8d4737967d2e_103.json | 1 - ...c2b44-7a21-4818-955f-8d4737967d2e_104.json | 1 - ...c2b44-7a21-4818-955f-8d4737967d2e_105.json | 1 - ...c2b44-7a21-4818-955f-8d4737967d2e_106.json | 1 - .../565d6ca5-75ba-4c82-9b13-add25353471c.json | 1 - ...d6ca5-75ba-4c82-9b13-add25353471c_102.json | 1 - ...d6ca5-75ba-4c82-9b13-add25353471c_103.json | 1 - ...d6ca5-75ba-4c82-9b13-add25353471c_104.json | 1 - ...d6ca5-75ba-4c82-9b13-add25353471c_105.json | 1 - ...d6ca5-75ba-4c82-9b13-add25353471c_106.json | 1 - .../5663b693-0dea-4f2e-8275-f1ae5ff2de8e.json | 1 - ...3b693-0dea-4f2e-8275-f1ae5ff2de8e_103.json | 1 - .../56f2e9b5-4803-4e44-a0a4-a52dc79d57fe.json | 1 - ...2e9b5-4803-4e44-a0a4-a52dc79d57fe_105.json | 1 - ...2e9b5-4803-4e44-a0a4-a52dc79d57fe_106.json | 1 - ...2e9b5-4803-4e44-a0a4-a52dc79d57fe_107.json | 1 - ...2e9b5-4803-4e44-a0a4-a52dc79d57fe_108.json | 1 - ...2e9b5-4803-4e44-a0a4-a52dc79d57fe_109.json | 1 - ...2e9b5-4803-4e44-a0a4-a52dc79d57fe_110.json | 1 - ...2e9b5-4803-4e44-a0a4-a52dc79d57fe_210.json | 1 - ...2e9b5-4803-4e44-a0a4-a52dc79d57fe_211.json | 1 - ...2e9b5-4803-4e44-a0a4-a52dc79d57fe_212.json | 1 - .../56fdfcf1-ca7c-4fd9-951d-e215ee26e404.json | 1 - ...6fdfcf1-ca7c-4fd9-951d-e215ee26e404_1.json | 1 - ...dfcf1-ca7c-4fd9-951d-e215ee26e404_102.json | 1 - ...dfcf1-ca7c-4fd9-951d-e215ee26e404_103.json | 1 - ...dfcf1-ca7c-4fd9-951d-e215ee26e404_104.json | 1 - ...6fdfcf1-ca7c-4fd9-951d-e215ee26e404_2.json | 1 - .../5700cb81-df44-46aa-a5d7-337798f53eb8.json | 1 - ...0cb81-df44-46aa-a5d7-337798f53eb8_101.json | 1 - ...0cb81-df44-46aa-a5d7-337798f53eb8_102.json | 1 - ...0cb81-df44-46aa-a5d7-337798f53eb8_103.json | 1 - ...0cb81-df44-46aa-a5d7-337798f53eb8_104.json | 1 - .../571afc56-5ed9-465d-a2a9-045f099f6e7e.json | 1 - 
...afc56-5ed9-465d-a2a9-045f099f6e7e_100.json | 1 - ...afc56-5ed9-465d-a2a9-045f099f6e7e_101.json | 1 - ...afc56-5ed9-465d-a2a9-045f099f6e7e_102.json | 1 - .../573f6e7a-7acf-4bcd-ad42-c4969124d3c0.json | 1 - ...f6e7a-7acf-4bcd-ad42-c4969124d3c0_101.json | 1 - .../577ec21e-56fe-4065-91d8-45eb8224fe77.json | 1 - ...ec21e-56fe-4065-91d8-45eb8224fe77_105.json | 1 - ...ec21e-56fe-4065-91d8-45eb8224fe77_106.json | 1 - ...ec21e-56fe-4065-91d8-45eb8224fe77_107.json | 1 - ...ec21e-56fe-4065-91d8-45eb8224fe77_108.json | 1 - ...ec21e-56fe-4065-91d8-45eb8224fe77_109.json | 1 - .../57bccf1d-daf5-4e1a-9049-ff79b5254704.json | 1 - ...7bccf1d-daf5-4e1a-9049-ff79b5254704_1.json | 1 - ...7bccf1d-daf5-4e1a-9049-ff79b5254704_2.json | 1 - ...7bccf1d-daf5-4e1a-9049-ff79b5254704_3.json | 1 - ...7bccf1d-daf5-4e1a-9049-ff79b5254704_4.json | 1 - ...7bccf1d-daf5-4e1a-9049-ff79b5254704_5.json | 1 - .../57bfa0a9-37c0-44d6-b724-54bf16787492.json | 1 - ...7bfa0a9-37c0-44d6-b724-54bf16787492_1.json | 1 - ...7bfa0a9-37c0-44d6-b724-54bf16787492_2.json | 1 - ...7bfa0a9-37c0-44d6-b724-54bf16787492_3.json | 1 - .../581add16-df76-42bb-af8e-c979bfb39a59.json | 1 - ...add16-df76-42bb-af8e-c979bfb39a59_104.json | 1 - ...add16-df76-42bb-af8e-c979bfb39a59_105.json | 1 - ...add16-df76-42bb-af8e-c979bfb39a59_106.json | 1 - ...add16-df76-42bb-af8e-c979bfb39a59_107.json | 1 - ...add16-df76-42bb-af8e-c979bfb39a59_108.json | 1 - ...add16-df76-42bb-af8e-c979bfb39a59_109.json | 1 - ...add16-df76-42bb-af8e-c979bfb39a59_110.json | 1 - ...add16-df76-42bb-af8e-c979bfb39a59_111.json | 1 - ...add16-df76-42bb-af8e-c979bfb39a59_112.json | 1 - ...add16-df76-42bb-af8e-c979bfb39a59_113.json | 1 - ...add16-df76-42bb-af8e-c979bfb39a59_313.json | 1 - .../58aa72ca-d968-4f34-b9f7-bea51d75eb50.json | 1 - ...a72ca-d968-4f34-b9f7-bea51d75eb50_104.json | 1 - ...a72ca-d968-4f34-b9f7-bea51d75eb50_105.json | 1 - ...a72ca-d968-4f34-b9f7-bea51d75eb50_106.json | 1 - ...a72ca-d968-4f34-b9f7-bea51d75eb50_107.json | 1 - 
...a72ca-d968-4f34-b9f7-bea51d75eb50_108.json | 1 - ...a72ca-d968-4f34-b9f7-bea51d75eb50_109.json | 1 - ...a72ca-d968-4f34-b9f7-bea51d75eb50_110.json | 1 - ...a72ca-d968-4f34-b9f7-bea51d75eb50_111.json | 1 - ...a72ca-d968-4f34-b9f7-bea51d75eb50_112.json | 1 - .../58ac2aa5-6718-427c-a845-5f3ac5af00ba.json | 1 - ...c2aa5-6718-427c-a845-5f3ac5af00ba_100.json | 1 - ...c2aa5-6718-427c-a845-5f3ac5af00ba_101.json | 1 - ...c2aa5-6718-427c-a845-5f3ac5af00ba_102.json | 1 - .../58bc134c-e8d2-4291-a552-b4b3e537c60b.json | 1 - ...c134c-e8d2-4291-a552-b4b3e537c60b_104.json | 1 - ...c134c-e8d2-4291-a552-b4b3e537c60b_105.json | 1 - ...c134c-e8d2-4291-a552-b4b3e537c60b_106.json | 1 - ...c134c-e8d2-4291-a552-b4b3e537c60b_107.json | 1 - ...c134c-e8d2-4291-a552-b4b3e537c60b_108.json | 1 - .../58c6d58b-a0d3-412d-b3b8-0981a9400607.json | 1 - ...6d58b-a0d3-412d-b3b8-0981a9400607_104.json | 1 - ...6d58b-a0d3-412d-b3b8-0981a9400607_105.json | 1 - ...6d58b-a0d3-412d-b3b8-0981a9400607_106.json | 1 - ...6d58b-a0d3-412d-b3b8-0981a9400607_107.json | 1 - ...6d58b-a0d3-412d-b3b8-0981a9400607_108.json | 1 - ...6d58b-a0d3-412d-b3b8-0981a9400607_109.json | 1 - ...6d58b-a0d3-412d-b3b8-0981a9400607_110.json | 1 - .../5919988c-29e1-4908-83aa-1f087a838f63.json | 1 - ...919988c-29e1-4908-83aa-1f087a838f63_1.json | 1 - ...919988c-29e1-4908-83aa-1f087a838f63_2.json | 1 - .../5930658c-2107-4afc-91af-e0e55b7f7184.json | 1 - ...0658c-2107-4afc-91af-e0e55b7f7184_101.json | 1 - ...0658c-2107-4afc-91af-e0e55b7f7184_102.json | 1 - ...0658c-2107-4afc-91af-e0e55b7f7184_103.json | 1 - ...0658c-2107-4afc-91af-e0e55b7f7184_105.json | 1 - .../594e0cbf-86cc-45aa-9ff7-ff27db27d3ed.json | 1 - ...e0cbf-86cc-45aa-9ff7-ff27db27d3ed_103.json | 1 - ...e0cbf-86cc-45aa-9ff7-ff27db27d3ed_104.json | 1 - ...e0cbf-86cc-45aa-9ff7-ff27db27d3ed_105.json | 1 - ...e0cbf-86cc-45aa-9ff7-ff27db27d3ed_206.json | 1 - .../59756272-1998-4b8c-be14-e287035c4d10.json | 1 - ...56272-1998-4b8c-be14-e287035c4d10_101.json | 1 - 
...56272-1998-4b8c-be14-e287035c4d10_102.json | 1 - ...56272-1998-4b8c-be14-e287035c4d10_103.json | 1 - ...56272-1998-4b8c-be14-e287035c4d10_104.json | 1 - .../5a14d01d-7ac8-4545-914c-b687c2cf66b3.json | 1 - ...4d01d-7ac8-4545-914c-b687c2cf66b3_103.json | 1 - ...4d01d-7ac8-4545-914c-b687c2cf66b3_104.json | 1 - ...4d01d-7ac8-4545-914c-b687c2cf66b3_105.json | 1 - ...4d01d-7ac8-4545-914c-b687c2cf66b3_106.json | 1 - ...4d01d-7ac8-4545-914c-b687c2cf66b3_107.json | 1 - ...4d01d-7ac8-4545-914c-b687c2cf66b3_108.json | 1 - ...4d01d-7ac8-4545-914c-b687c2cf66b3_109.json | 1 - .../5a3d5447-31c9-409a-aed1-72f9921594fd.json | 1 - ...a3d5447-31c9-409a-aed1-72f9921594fd_1.json | 1 - ...a3d5447-31c9-409a-aed1-72f9921594fd_2.json | 1 - ...a3d5447-31c9-409a-aed1-72f9921594fd_3.json | 1 - ...a3d5447-31c9-409a-aed1-72f9921594fd_4.json | 1 - ...a3d5447-31c9-409a-aed1-72f9921594fd_5.json | 1 - ...a3d5447-31c9-409a-aed1-72f9921594fd_6.json | 1 - ...a3d5447-31c9-409a-aed1-72f9921594fd_7.json | 1 - .../5ae02ebc-a5de-4eac-afe6-c88de696477d.json | 1 - ...ae02ebc-a5de-4eac-afe6-c88de696477d_1.json | 1 - .../5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc.json | 1 - ...4e6f8-d1bf-40fa-96ba-e29645e1e4dc_102.json | 1 - ...4e6f8-d1bf-40fa-96ba-e29645e1e4dc_103.json | 1 - ...4e6f8-d1bf-40fa-96ba-e29645e1e4dc_104.json | 1 - ...4e6f8-d1bf-40fa-96ba-e29645e1e4dc_105.json | 1 - .../5aee924b-6ceb-4633-980e-1bde8cdb40c5.json | 1 - ...e924b-6ceb-4633-980e-1bde8cdb40c5_103.json | 1 - ...e924b-6ceb-4633-980e-1bde8cdb40c5_104.json | 1 - ...e924b-6ceb-4633-980e-1bde8cdb40c5_105.json | 1 - ...e924b-6ceb-4633-980e-1bde8cdb40c5_106.json | 1 - ...e924b-6ceb-4633-980e-1bde8cdb40c5_107.json | 1 - ...e924b-6ceb-4633-980e-1bde8cdb40c5_108.json | 1 - ...e924b-6ceb-4633-980e-1bde8cdb40c5_109.json | 1 - .../5b03c9fb-9945-4d2f-9568-fd690fee3fba.json | 1 - ...3c9fb-9945-4d2f-9568-fd690fee3fba_103.json | 1 - ...3c9fb-9945-4d2f-9568-fd690fee3fba_104.json | 1 - ...3c9fb-9945-4d2f-9568-fd690fee3fba_105.json | 1 - 
...3c9fb-9945-4d2f-9568-fd690fee3fba_106.json | 1 - ...3c9fb-9945-4d2f-9568-fd690fee3fba_107.json | 1 - .../5b06a27f-ad72-4499-91db-0c69667bffa5.json | 1 - ...b06a27f-ad72-4499-91db-0c69667bffa5_1.json | 1 - ...b06a27f-ad72-4499-91db-0c69667bffa5_2.json | 1 - ...b06a27f-ad72-4499-91db-0c69667bffa5_3.json | 1 - ...b06a27f-ad72-4499-91db-0c69667bffa5_4.json | 1 - ...b06a27f-ad72-4499-91db-0c69667bffa5_5.json | 1 - .../5b18eef4-842c-4b47-970f-f08d24004bde.json | 1 - ...b18eef4-842c-4b47-970f-f08d24004bde_1.json | 1 - ...b18eef4-842c-4b47-970f-f08d24004bde_2.json | 1 - ...b18eef4-842c-4b47-970f-f08d24004bde_3.json | 1 - ...b18eef4-842c-4b47-970f-f08d24004bde_4.json | 1 - ...b18eef4-842c-4b47-970f-f08d24004bde_5.json | 1 - ...b18eef4-842c-4b47-970f-f08d24004bde_6.json | 1 - .../5b9eb30f-87d6-45f4-9289-2bf2024f0376.json | 1 - ...b9eb30f-87d6-45f4-9289-2bf2024f0376_1.json | 1 - ...b9eb30f-87d6-45f4-9289-2bf2024f0376_2.json | 1 - ...b9eb30f-87d6-45f4-9289-2bf2024f0376_3.json | 1 - ...b9eb30f-87d6-45f4-9289-2bf2024f0376_4.json | 1 - .../5bb4a95d-5a08-48eb-80db-4c3a63ec78a8.json | 1 - ...4a95d-5a08-48eb-80db-4c3a63ec78a8_102.json | 1 - ...4a95d-5a08-48eb-80db-4c3a63ec78a8_103.json | 1 - ...4a95d-5a08-48eb-80db-4c3a63ec78a8_104.json | 1 - ...4a95d-5a08-48eb-80db-4c3a63ec78a8_105.json | 1 - ...4a95d-5a08-48eb-80db-4c3a63ec78a8_106.json | 1 - ...4a95d-5a08-48eb-80db-4c3a63ec78a8_107.json | 1 - ...4a95d-5a08-48eb-80db-4c3a63ec78a8_108.json | 1 - ...4a95d-5a08-48eb-80db-4c3a63ec78a8_109.json | 1 - ...4a95d-5a08-48eb-80db-4c3a63ec78a8_112.json | 1 - ...4a95d-5a08-48eb-80db-4c3a63ec78a8_214.json | 1 - .../5beaebc1-cc13-4bfc-9949-776f9e0dc318.json | 1 - ...aebc1-cc13-4bfc-9949-776f9e0dc318_102.json | 1 - ...aebc1-cc13-4bfc-9949-776f9e0dc318_103.json | 1 - ...aebc1-cc13-4bfc-9949-776f9e0dc318_104.json | 1 - ...aebc1-cc13-4bfc-9949-776f9e0dc318_205.json | 1 - .../5c351f54-4187-4ad8-abc8-29b0cfbef8b1.json | 1 - ...c351f54-4187-4ad8-abc8-29b0cfbef8b1_1.json | 1 - 
.../5c602cba-ae00-4488-845d-24de2b6d8055.json | 1 - ...c602cba-ae00-4488-845d-24de2b6d8055_1.json | 1 - ...c602cba-ae00-4488-845d-24de2b6d8055_2.json | 1 - .../5c6f4c58-b381-452a-8976-f1b1c6aa0def.json | 1 - ...6f4c58-b381-452a-8976-f1b1c6aa0def_10.json | 1 - ...6f4c58-b381-452a-8976-f1b1c6aa0def_11.json | 1 - ...6f4c58-b381-452a-8976-f1b1c6aa0def_12.json | 1 - ...c6f4c58-b381-452a-8976-f1b1c6aa0def_2.json | 1 - ...c6f4c58-b381-452a-8976-f1b1c6aa0def_3.json | 1 - ...c6f4c58-b381-452a-8976-f1b1c6aa0def_4.json | 1 - ...c6f4c58-b381-452a-8976-f1b1c6aa0def_5.json | 1 - ...c6f4c58-b381-452a-8976-f1b1c6aa0def_6.json | 1 - ...c6f4c58-b381-452a-8976-f1b1c6aa0def_7.json | 1 - ...c6f4c58-b381-452a-8976-f1b1c6aa0def_8.json | 1 - ...c6f4c58-b381-452a-8976-f1b1c6aa0def_9.json | 1 - .../5c81fc9d-1eae-437f-ba07-268472967013.json | 1 - .../5c895b4f-9133-4e68-9e23-59902175355c.json | 1 - ...c895b4f-9133-4e68-9e23-59902175355c_1.json | 1 - ...c895b4f-9133-4e68-9e23-59902175355c_2.json | 1 - ...c895b4f-9133-4e68-9e23-59902175355c_3.json | 1 - ...c895b4f-9133-4e68-9e23-59902175355c_4.json | 1 - ...c895b4f-9133-4e68-9e23-59902175355c_5.json | 1 - ...c895b4f-9133-4e68-9e23-59902175355c_6.json | 1 - .../5c983105-4681-46c3-9890-0c66d05e776b.json | 1 - ...83105-4681-46c3-9890-0c66d05e776b_101.json | 1 - ...83105-4681-46c3-9890-0c66d05e776b_102.json | 1 - ...83105-4681-46c3-9890-0c66d05e776b_103.json | 1 - .../5c9ec990-37fa-4d5c-abfc-8d432f3dedd0.json | 1 - ...c9ec990-37fa-4d5c-abfc-8d432f3dedd0_1.json | 1 - ...c9ec990-37fa-4d5c-abfc-8d432f3dedd0_2.json | 1 - ...c9ec990-37fa-4d5c-abfc-8d432f3dedd0_3.json | 1 - ...c9ec990-37fa-4d5c-abfc-8d432f3dedd0_4.json | 1 - ...c9ec990-37fa-4d5c-abfc-8d432f3dedd0_5.json | 1 - ...c9ec990-37fa-4d5c-abfc-8d432f3dedd0_6.json | 1 - .../5cd55388-a19c-47c7-8ec4-f41656c2fded.json | 1 - ...55388-a19c-47c7-8ec4-f41656c2fded_102.json | 1 - ...55388-a19c-47c7-8ec4-f41656c2fded_103.json | 1 - ...55388-a19c-47c7-8ec4-f41656c2fded_104.json | 1 - 
...55388-a19c-47c7-8ec4-f41656c2fded_105.json | 1 - ...55388-a19c-47c7-8ec4-f41656c2fded_106.json | 1 - ...55388-a19c-47c7-8ec4-f41656c2fded_107.json | 1 - ...55388-a19c-47c7-8ec4-f41656c2fded_108.json | 1 - ...55388-a19c-47c7-8ec4-f41656c2fded_109.json | 1 - .../5cd8e1f7-0050-4afc-b2df-904e40b2f5ae.json | 1 - ...8e1f7-0050-4afc-b2df-904e40b2f5ae_105.json | 1 - ...8e1f7-0050-4afc-b2df-904e40b2f5ae_106.json | 1 - ...8e1f7-0050-4afc-b2df-904e40b2f5ae_107.json | 1 - ...8e1f7-0050-4afc-b2df-904e40b2f5ae_108.json | 1 - ...8e1f7-0050-4afc-b2df-904e40b2f5ae_109.json | 1 - ...8e1f7-0050-4afc-b2df-904e40b2f5ae_110.json | 1 - ...8e1f7-0050-4afc-b2df-904e40b2f5ae_111.json | 1 - .../5cf6397e-eb91-4f31-8951-9f0eaa755a31.json | 1 - ...cf6397e-eb91-4f31-8951-9f0eaa755a31_3.json | 1 - ...cf6397e-eb91-4f31-8951-9f0eaa755a31_4.json | 1 - ...cf6397e-eb91-4f31-8951-9f0eaa755a31_5.json | 1 - ...cf6397e-eb91-4f31-8951-9f0eaa755a31_6.json | 1 - ...cf6397e-eb91-4f31-8951-9f0eaa755a31_7.json | 1 - ...cf6397e-eb91-4f31-8951-9f0eaa755a31_8.json | 1 - ...cf6397e-eb91-4f31-8951-9f0eaa755a31_9.json | 1 - .../5d0265bf-dea9-41a9-92ad-48a8dcd05080.json | 1 - ...265bf-dea9-41a9-92ad-48a8dcd05080_102.json | 1 - ...265bf-dea9-41a9-92ad-48a8dcd05080_103.json | 1 - ...265bf-dea9-41a9-92ad-48a8dcd05080_104.json | 1 - ...265bf-dea9-41a9-92ad-48a8dcd05080_105.json | 1 - ...265bf-dea9-41a9-92ad-48a8dcd05080_106.json | 1 - .../5d1d6907-0747-4d5d-9b24-e4a18853dc0a.json | 1 - ...d6907-0747-4d5d-9b24-e4a18853dc0a_102.json | 1 - ...d6907-0747-4d5d-9b24-e4a18853dc0a_103.json | 1 - ...d6907-0747-4d5d-9b24-e4a18853dc0a_104.json | 1 - ...d6907-0747-4d5d-9b24-e4a18853dc0a_105.json | 1 - ...d6907-0747-4d5d-9b24-e4a18853dc0a_106.json | 1 - ...d6907-0747-4d5d-9b24-e4a18853dc0a_107.json | 1 - ...d6907-0747-4d5d-9b24-e4a18853dc0a_108.json | 1 - ...d6907-0747-4d5d-9b24-e4a18853dc0a_109.json | 1 - .../5d676480-9655-4507-adc6-4eec311efff8.json | 1 - ...d676480-9655-4507-adc6-4eec311efff8_1.json | 1 - 
...76480-9655-4507-adc6-4eec311efff8_102.json | 1 - ...d676480-9655-4507-adc6-4eec311efff8_2.json | 1 - .../5d9f8cfc-0d03-443e-a167-2b0597ce0965.json | 1 - ...f8cfc-0d03-443e-a167-2b0597ce0965_102.json | 1 - ...f8cfc-0d03-443e-a167-2b0597ce0965_103.json | 1 - ...f8cfc-0d03-443e-a167-2b0597ce0965_104.json | 1 - ...f8cfc-0d03-443e-a167-2b0597ce0965_105.json | 1 - .../5e161522-2545-11ed-ac47-f661ea17fbce.json | 1 - ...61522-2545-11ed-ac47-f661ea17fbce_104.json | 1 - ...61522-2545-11ed-ac47-f661ea17fbce_105.json | 1 - ...61522-2545-11ed-ac47-f661ea17fbce_106.json | 1 - .../5e552599-ddec-4e14-bad1-28aa42404388.json | 1 - ...52599-ddec-4e14-bad1-28aa42404388_101.json | 1 - ...52599-ddec-4e14-bad1-28aa42404388_102.json | 1 - ...52599-ddec-4e14-bad1-28aa42404388_103.json | 1 - ...52599-ddec-4e14-bad1-28aa42404388_105.json | 1 - .../5f0234fd-7f21-42af-8391-511d5fd11d5c.json | 1 - ...f0234fd-7f21-42af-8391-511d5fd11d5c_1.json | 1 - ...f0234fd-7f21-42af-8391-511d5fd11d5c_2.json | 1 - ...f0234fd-7f21-42af-8391-511d5fd11d5c_3.json | 1 - .../5f2f463e-6997-478c-8405-fb41cc283281.json | 1 - ...f2f463e-6997-478c-8405-fb41cc283281_1.json | 1 - ...f2f463e-6997-478c-8405-fb41cc283281_2.json | 1 - ...f463e-6997-478c-8405-fb41cc283281_202.json | 1 - .../5f3ab3ce-7b41-4168-a06a-68d2af8ebc88.json | 1 - .../60884af6-f553-4a6c-af13-300047455491.json | 1 - ...84af6-f553-4a6c-af13-300047455491_101.json | 1 - .../60b6b72f-0fbc-47e7-9895-9ba7627a8b50.json | 1 - ...6b72f-0fbc-47e7-9895-9ba7627a8b50_104.json | 1 - .../60f3adec-1df9-4104-9c75-b97d9f078b25.json | 1 - ...3adec-1df9-4104-9c75-b97d9f078b25_101.json | 1 - ...3adec-1df9-4104-9c75-b97d9f078b25_102.json | 1 - ...3adec-1df9-4104-9c75-b97d9f078b25_103.json | 1 - ...3adec-1df9-4104-9c75-b97d9f078b25_105.json | 1 - .../610949a1-312f-4e04-bb55-3a79b8c95267.json | 1 - ...949a1-312f-4e04-bb55-3a79b8c95267_104.json | 1 - ...949a1-312f-4e04-bb55-3a79b8c95267_105.json | 1 - ...949a1-312f-4e04-bb55-3a79b8c95267_106.json | 1 - 
...949a1-312f-4e04-bb55-3a79b8c95267_107.json | 1 - ...949a1-312f-4e04-bb55-3a79b8c95267_108.json | 1 - .../61336fe6-c043-4743-ab6e-41292f439603.json | 1 - ...1336fe6-c043-4743-ab6e-41292f439603_1.json | 1 - ...36fe6-c043-4743-ab6e-41292f439603_103.json | 75 ++++++++++ .../61766ef9-48a5-4247-ad74-3349de7eb2ad.json | 1 - ...1766ef9-48a5-4247-ad74-3349de7eb2ad_1.json | 1 - ...1766ef9-48a5-4247-ad74-3349de7eb2ad_2.json | 1 - ...1766ef9-48a5-4247-ad74-3349de7eb2ad_3.json | 1 - ...1766ef9-48a5-4247-ad74-3349de7eb2ad_4.json | 1 - .../61ac3638-40a3-44b2-855a-985636ca985e.json | 1 - ...c3638-40a3-44b2-855a-985636ca985e_106.json | 1 - ...c3638-40a3-44b2-855a-985636ca985e_107.json | 1 - ...c3638-40a3-44b2-855a-985636ca985e_108.json | 1 - ...c3638-40a3-44b2-855a-985636ca985e_109.json | 1 - ...c3638-40a3-44b2-855a-985636ca985e_110.json | 1 - ...c3638-40a3-44b2-855a-985636ca985e_111.json | 1 - ...c3638-40a3-44b2-855a-985636ca985e_112.json | 1 - ...c3638-40a3-44b2-855a-985636ca985e_113.json | 1 - ...c3638-40a3-44b2-855a-985636ca985e_213.json | 1 - ...c3638-40a3-44b2-855a-985636ca985e_214.json | 1 - ...c3638-40a3-44b2-855a-985636ca985e_215.json | 1 - .../61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7.json | 1 - ...29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_105.json | 1 - ...29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_106.json | 1 - ...29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_107.json | 1 - ...29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_108.json | 1 - ...29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_109.json | 1 - ...29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_110.json | 1 - ...29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_111.json | 1 - ...29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_112.json | 1 - .../621e92b6-7e54-11ee-bdc0-f661ea17fbcd.json | 1 - ...21e92b6-7e54-11ee-bdc0-f661ea17fbcd_1.json | 1 - ...e92b6-7e54-11ee-bdc0-f661ea17fbcd_105.json | 113 ++++++++++++++ ...21e92b6-7e54-11ee-bdc0-f661ea17fbcd_2.json | 1 - ...21e92b6-7e54-11ee-bdc0-f661ea17fbcd_3.json | 1 - ...21e92b6-7e54-11ee-bdc0-f661ea17fbcd_5.json | 1 - .../622ecb68-fa81-4601-90b5-f8cd661e4520.json | 1 
- ...ecb68-fa81-4601-90b5-f8cd661e4520_103.json | 1 - ...ecb68-fa81-4601-90b5-f8cd661e4520_104.json | 1 - ...ecb68-fa81-4601-90b5-f8cd661e4520_105.json | 1 - ...ecb68-fa81-4601-90b5-f8cd661e4520_106.json | 1 - ...ecb68-fa81-4601-90b5-f8cd661e4520_107.json | 1 - .../62a70f6f-3c37-43df-a556-f64fa475fba2.json | 1 - ...70f6f-3c37-43df-a556-f64fa475fba2_105.json | 1 - ...70f6f-3c37-43df-a556-f64fa475fba2_106.json | 1 - ...70f6f-3c37-43df-a556-f64fa475fba2_107.json | 1 - ...70f6f-3c37-43df-a556-f64fa475fba2_108.json | 1 - ...70f6f-3c37-43df-a556-f64fa475fba2_109.json | 1 - ...70f6f-3c37-43df-a556-f64fa475fba2_110.json | 1 - .../62b68eb2-1e47-4da7-85b6-8f478db5b272.json | 1 - ...2b68eb2-1e47-4da7-85b6-8f478db5b272_1.json | 1 - ...2b68eb2-1e47-4da7-85b6-8f478db5b272_2.json | 1 - ...2b68eb2-1e47-4da7-85b6-8f478db5b272_3.json | 1 - ...2b68eb2-1e47-4da7-85b6-8f478db5b272_4.json | 1 - .../63431796-f813-43af-820b-492ee2efec8e.json | 1 - ...3431796-f813-43af-820b-492ee2efec8e_1.json | 1 - ...3431796-f813-43af-820b-492ee2efec8e_2.json | 1 - .../63c05204-339a-11ed-a261-0242ac120002.json | 1 - ...3c05204-339a-11ed-a261-0242ac120002_4.json | 1 - ...3c05204-339a-11ed-a261-0242ac120002_5.json | 1 - .../63c056a0-339a-11ed-a261-0242ac120002.json | 1 - ...3c056a0-339a-11ed-a261-0242ac120002_3.json | 1 - ...3c056a0-339a-11ed-a261-0242ac120002_4.json | 1 - .../63c057cc-339a-11ed-a261-0242ac120002.json | 1 - ...3c057cc-339a-11ed-a261-0242ac120002_3.json | 1 - ...3c057cc-339a-11ed-a261-0242ac120002_4.json | 1 - ...3c057cc-339a-11ed-a261-0242ac120002_5.json | 1 - .../63e381a6-0ffe-4afb-9a26-72a59ad16d7b.json | 1 - ...3e381a6-0ffe-4afb-9a26-72a59ad16d7b_1.json | 1 - .../63e65ec3-43b1-45b0-8f2d-45b34291dc44.json | 1 - ...65ec3-43b1-45b0-8f2d-45b34291dc44_102.json | 1 - ...65ec3-43b1-45b0-8f2d-45b34291dc44_103.json | 1 - ...65ec3-43b1-45b0-8f2d-45b34291dc44_104.json | 1 - ...65ec3-43b1-45b0-8f2d-45b34291dc44_105.json | 1 - ...65ec3-43b1-45b0-8f2d-45b34291dc44_106.json | 1 - 
...65ec3-43b1-45b0-8f2d-45b34291dc44_107.json | 1 - ...65ec3-43b1-45b0-8f2d-45b34291dc44_108.json | 1 - .../640f79d1-571d-4f96-a9af-1194fc8cf763.json | 1 - ...40f79d1-571d-4f96-a9af-1194fc8cf763_1.json | 1 - .../647fc812-7996-4795-8869-9c4ea595fe88.json | 1 - ...fc812-7996-4795-8869-9c4ea595fe88_102.json | 1 - ...fc812-7996-4795-8869-9c4ea595fe88_103.json | 1 - ...fc812-7996-4795-8869-9c4ea595fe88_104.json | 1 - .../6482255d-f468-45ea-a5b3-d3a7de1331ae.json | 1 - ...2255d-f468-45ea-a5b3-d3a7de1331ae_102.json | 1 - ...2255d-f468-45ea-a5b3-d3a7de1331ae_103.json | 1 - ...2255d-f468-45ea-a5b3-d3a7de1331ae_104.json | 1 - ...2255d-f468-45ea-a5b3-d3a7de1331ae_105.json | 1 - .../64cfca9e-0f6f-4048-8251-9ec56a055e9e.json | 1 - ...4cfca9e-0f6f-4048-8251-9ec56a055e9e_1.json | 1 - ...4cfca9e-0f6f-4048-8251-9ec56a055e9e_2.json | 1 - ...4cfca9e-0f6f-4048-8251-9ec56a055e9e_3.json | 1 - ...4cfca9e-0f6f-4048-8251-9ec56a055e9e_4.json | 1 - ...4cfca9e-0f6f-4048-8251-9ec56a055e9e_5.json | 1 - ...32f4a-e716-4cc1-ab11-931c4966da2d_101.json | 1 - .../65f9bccd-510b-40df-8263-334f03174fed.json | 1 - ...9bccd-510b-40df-8263-334f03174fed_201.json | 1 - ...9bccd-510b-40df-8263-334f03174fed_202.json | 1 - .../661545b4-1a90-4f45-85ce-2ebd7c6a15d0.json | 1 - ...545b4-1a90-4f45-85ce-2ebd7c6a15d0_102.json | 1 - ...545b4-1a90-4f45-85ce-2ebd7c6a15d0_103.json | 1 - ...545b4-1a90-4f45-85ce-2ebd7c6a15d0_104.json | 1 - ...545b4-1a90-4f45-85ce-2ebd7c6a15d0_105.json | 1 - ...545b4-1a90-4f45-85ce-2ebd7c6a15d0_106.json | 1 - .../6641a5af-fb7e-487a-adc4-9e6503365318.json | 1 - ...641a5af-fb7e-487a-adc4-9e6503365318_1.json | 1 - ...641a5af-fb7e-487a-adc4-9e6503365318_2.json | 1 - ...641a5af-fb7e-487a-adc4-9e6503365318_3.json | 1 - ...641a5af-fb7e-487a-adc4-9e6503365318_4.json | 1 - ...641a5af-fb7e-487a-adc4-9e6503365318_5.json | 1 - ...649e656-6f85-11ef-8876-f661ea17fbcc_1.json | 1 - ...9e656-6f85-11ef-8876-f661ea17fbcc_104.json | 119 +++++++++++++++ ...649e656-6f85-11ef-8876-f661ea17fbcc_2.json | 1 - 
...649e656-6f85-11ef-8876-f661ea17fbcc_4.json | 1 - .../665e7a4f-c58e-4fc6-bc83-87a7572670ac.json | 1 - ...e7a4f-c58e-4fc6-bc83-87a7572670ac_101.json | 1 - ...e7a4f-c58e-4fc6-bc83-87a7572670ac_102.json | 1 - ...e7a4f-c58e-4fc6-bc83-87a7572670ac_103.json | 1 - ...e7a4f-c58e-4fc6-bc83-87a7572670ac_104.json | 1 - ...e7a4f-c58e-4fc6-bc83-87a7572670ac_105.json | 1 - ...e7a4f-c58e-4fc6-bc83-87a7572670ac_106.json | 1 - .../66712812-e7f2-4a1d-bbda-dd0b5cf20c5d.json | 1 - ...6712812-e7f2-4a1d-bbda-dd0b5cf20c5d_1.json | 1 - ...6712812-e7f2-4a1d-bbda-dd0b5cf20c5d_2.json | 1 - ...6712812-e7f2-4a1d-bbda-dd0b5cf20c5d_3.json | 1 - ...6712812-e7f2-4a1d-bbda-dd0b5cf20c5d_4.json | 1 - ...6712812-e7f2-4a1d-bbda-dd0b5cf20c5d_5.json | 1 - ...6712812-e7f2-4a1d-bbda-dd0b5cf20c5d_6.json | 1 - .../66883649-f908-4a5b-a1e0-54090a1d3a32.json | 1 - ...83649-f908-4a5b-a1e0-54090a1d3a32_104.json | 1 - ...83649-f908-4a5b-a1e0-54090a1d3a32_105.json | 1 - ...83649-f908-4a5b-a1e0-54090a1d3a32_106.json | 1 - ...83649-f908-4a5b-a1e0-54090a1d3a32_107.json | 1 - ...83649-f908-4a5b-a1e0-54090a1d3a32_108.json | 1 - ...83649-f908-4a5b-a1e0-54090a1d3a32_109.json | 1 - ...83649-f908-4a5b-a1e0-54090a1d3a32_110.json | 1 - ...83649-f908-4a5b-a1e0-54090a1d3a32_111.json | 1 - ...83649-f908-4a5b-a1e0-54090a1d3a32_112.json | 1 - ...83649-f908-4a5b-a1e0-54090a1d3a32_113.json | 1 - ...83649-f908-4a5b-a1e0-54090a1d3a32_114.json | 1 - ...83649-f908-4a5b-a1e0-54090a1d3a32_115.json | 1 - .../66c058f3-99f4-4d18-952b-43348f2577a0.json | 1 - ...6c058f3-99f4-4d18-952b-43348f2577a0_1.json | 1 - ...6c058f3-99f4-4d18-952b-43348f2577a0_2.json | 1 - .../66da12b1-ac83-40eb-814c-07ed1d82b7b9.json | 1 - ...a12b1-ac83-40eb-814c-07ed1d82b7b9_102.json | 1 - ...a12b1-ac83-40eb-814c-07ed1d82b7b9_103.json | 1 - ...a12b1-ac83-40eb-814c-07ed1d82b7b9_104.json | 1 - ...a12b1-ac83-40eb-814c-07ed1d82b7b9_105.json | 1 - ...a12b1-ac83-40eb-814c-07ed1d82b7b9_106.json | 1 - ...a12b1-ac83-40eb-814c-07ed1d82b7b9_206.json | 1 - 
.../670b3b5a-35e5-42db-bd36-6c5b9b4b7313.json | 1 - ...0b3b5a-35e5-42db-bd36-6c5b9b4b7313_10.json | 1 - ...0b3b5a-35e5-42db-bd36-6c5b9b4b7313_11.json | 1 - ...0b3b5a-35e5-42db-bd36-6c5b9b4b7313_12.json | 1 - ...70b3b5a-35e5-42db-bd36-6c5b9b4b7313_4.json | 1 - ...70b3b5a-35e5-42db-bd36-6c5b9b4b7313_5.json | 1 - ...70b3b5a-35e5-42db-bd36-6c5b9b4b7313_6.json | 1 - ...70b3b5a-35e5-42db-bd36-6c5b9b4b7313_7.json | 1 - ...70b3b5a-35e5-42db-bd36-6c5b9b4b7313_8.json | 1 - ...70b3b5a-35e5-42db-bd36-6c5b9b4b7313_9.json | 1 - .../6731fbf2-8f28-49ed-9ab9-9a918ceb5a45.json | 1 - ...1fbf2-8f28-49ed-9ab9-9a918ceb5a45_102.json | 1 - ...1fbf2-8f28-49ed-9ab9-9a918ceb5a45_103.json | 1 - ...1fbf2-8f28-49ed-9ab9-9a918ceb5a45_104.json | 1 - ...1fbf2-8f28-49ed-9ab9-9a918ceb5a45_105.json | 1 - ...1fbf2-8f28-49ed-9ab9-9a918ceb5a45_206.json | 1 - ...1fbf2-8f28-49ed-9ab9-9a918ceb5a45_207.json | 1 - ...1fbf2-8f28-49ed-9ab9-9a918ceb5a45_209.json | 1 - ...1fbf2-8f28-49ed-9ab9-9a918ceb5a45_309.json | 83 +++++++++++ .../675239ea-c1bc-4467-a6d3-b9e2cc7f676d.json | 1 - ...239ea-c1bc-4467-a6d3-b9e2cc7f676d_101.json | 1 - ...239ea-c1bc-4467-a6d3-b9e2cc7f676d_102.json | 1 - ...239ea-c1bc-4467-a6d3-b9e2cc7f676d_103.json | 1 - ...239ea-c1bc-4467-a6d3-b9e2cc7f676d_105.json | 1 - .../676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7.json | 1 - ...cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_102.json | 1 - ...cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_103.json | 1 - ...cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_104.json | 1 - ...cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_105.json | 1 - ...cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_206.json | 1 - ...cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_207.json | 1 - ...cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_209.json | 1 - ...cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_309.json | 76 ++++++++++ .../67f8443a-4ff3-4a70-916d-3cfa3ae9f02b.json | 1 - ...8443a-4ff3-4a70-916d-3cfa3ae9f02b_105.json | 1 - ...8443a-4ff3-4a70-916d-3cfa3ae9f02b_106.json | 1 - ...8443a-4ff3-4a70-916d-3cfa3ae9f02b_107.json | 1 - ...8443a-4ff3-4a70-916d-3cfa3ae9f02b_108.json | 1 - 
...8443a-4ff3-4a70-916d-3cfa3ae9f02b_109.json | 1 - ...8443a-4ff3-4a70-916d-3cfa3ae9f02b_110.json | 1 - ...8443a-4ff3-4a70-916d-3cfa3ae9f02b_111.json | 1 - .../6839c821-011d-43bd-bd5b-acff00257226.json | 1 - ...9c821-011d-43bd-bd5b-acff00257226_102.json | 1 - ...9c821-011d-43bd-bd5b-acff00257226_103.json | 1 - ...9c821-011d-43bd-bd5b-acff00257226_104.json | 1 - ...9c821-011d-43bd-bd5b-acff00257226_105.json | 1 - ...9c821-011d-43bd-bd5b-acff00257226_106.json | 1 - ...9c821-011d-43bd-bd5b-acff00257226_107.json | 1 - ...9c821-011d-43bd-bd5b-acff00257226_108.json | 1 - ...9c821-011d-43bd-bd5b-acff00257226_109.json | 1 - .../684554fc-0777-47ce-8c9b-3d01f198d7f8.json | 1 - ...554fc-0777-47ce-8c9b-3d01f198d7f8_101.json | 1 - ...554fc-0777-47ce-8c9b-3d01f198d7f8_102.json | 1 - ...554fc-0777-47ce-8c9b-3d01f198d7f8_103.json | 1 - ...554fc-0777-47ce-8c9b-3d01f198d7f8_105.json | 1 - ...554fc-0777-47ce-8c9b-3d01f198d7f8_206.json | 1 - .../6885d2ae-e008-4762-b98a-e8e1cd3a81e9.json | 1 - ...5d2ae-e008-4762-b98a-e8e1cd3a81e9_102.json | 1 - ...5d2ae-e008-4762-b98a-e8e1cd3a81e9_103.json | 1 - ...5d2ae-e008-4762-b98a-e8e1cd3a81e9_104.json | 1 - ...5d2ae-e008-4762-b98a-e8e1cd3a81e9_205.json | 1 - ...5d2ae-e008-4762-b98a-e8e1cd3a81e9_206.json | 1 - ...5d2ae-e008-4762-b98a-e8e1cd3a81e9_208.json | 1 - ...5d2ae-e008-4762-b98a-e8e1cd3a81e9_308.json | 82 ++++++++++ .../68921d85-d0dc-48b3-865f-43291ca2c4f2.json | 1 - ...21d85-d0dc-48b3-865f-43291ca2c4f2_103.json | 1 - ...21d85-d0dc-48b3-865f-43291ca2c4f2_104.json | 1 - ...21d85-d0dc-48b3-865f-43291ca2c4f2_105.json | 1 - ...21d85-d0dc-48b3-865f-43291ca2c4f2_106.json | 1 - ...21d85-d0dc-48b3-865f-43291ca2c4f2_107.json | 1 - ...21d85-d0dc-48b3-865f-43291ca2c4f2_108.json | 1 - ...21d85-d0dc-48b3-865f-43291ca2c4f2_109.json | 1 - ...21d85-d0dc-48b3-865f-43291ca2c4f2_110.json | 1 - ...21d85-d0dc-48b3-865f-43291ca2c4f2_111.json | 1 - ...21d85-d0dc-48b3-865f-43291ca2c4f2_311.json | 1 - .../68994a6c-c7ba-4e82-b476-26a26877adf6.json | 1 - 
...94a6c-c7ba-4e82-b476-26a26877adf6_204.json | 1 - ...94a6c-c7ba-4e82-b476-26a26877adf6_205.json | 1 - ...94a6c-c7ba-4e82-b476-26a26877adf6_206.json | 1 - .../689b9d57-e4d5-4357-ad17-9c334609d79a.json | 1 - ...b9d57-e4d5-4357-ad17-9c334609d79a_102.json | 1 - ...b9d57-e4d5-4357-ad17-9c334609d79a_103.json | 1 - ...b9d57-e4d5-4357-ad17-9c334609d79a_104.json | 1 - ...b9d57-e4d5-4357-ad17-9c334609d79a_105.json | 1 - ...b9d57-e4d5-4357-ad17-9c334609d79a_106.json | 1 - ...b9d57-e4d5-4357-ad17-9c334609d79a_107.json | 1 - ...b9d57-e4d5-4357-ad17-9c334609d79a_108.json | 1 - .../68a7a5a5-a2fc-4a76-ba9f-26849de881b4.json | 1 - ...7a5a5-a2fc-4a76-ba9f-26849de881b4_105.json | 1 - ...7a5a5-a2fc-4a76-ba9f-26849de881b4_106.json | 1 - ...7a5a5-a2fc-4a76-ba9f-26849de881b4_107.json | 1 - ...7a5a5-a2fc-4a76-ba9f-26849de881b4_208.json | 1 - .../68ad737b-f90a-4fe5-bda6-a68fa460044e.json | 1 - ...8ad737b-f90a-4fe5-bda6-a68fa460044e_1.json | 1 - ...8ad737b-f90a-4fe5-bda6-a68fa460044e_2.json | 1 - .../68c5c9d1-38e5-48bb-b1b2-8b5951d39738.json | 1 - .../68d56fdc-7ffa-4419-8e95-81641bd6f845.json | 1 - ...56fdc-7ffa-4419-8e95-81641bd6f845_103.json | 1 - ...56fdc-7ffa-4419-8e95-81641bd6f845_104.json | 1 - ...56fdc-7ffa-4419-8e95-81641bd6f845_105.json | 1 - ...56fdc-7ffa-4419-8e95-81641bd6f845_106.json | 1 - ...56fdc-7ffa-4419-8e95-81641bd6f845_107.json | 1 - ...56fdc-7ffa-4419-8e95-81641bd6f845_108.json | 1 - ...56fdc-7ffa-4419-8e95-81641bd6f845_109.json | 1 - .../6951f15e-533c-4a60-8014-a3c3ab851a1b.json | 1 - ...1f15e-533c-4a60-8014-a3c3ab851a1b_105.json | 1 - ...951f15e-533c-4a60-8014-a3c3ab851a1b_2.json | 1 - ...951f15e-533c-4a60-8014-a3c3ab851a1b_3.json | 1 - ...951f15e-533c-4a60-8014-a3c3ab851a1b_4.json | 1 - .../696015ef-718e-40ff-ac4a-cc2ba88dbeeb.json | 1 - ...96015ef-718e-40ff-ac4a-cc2ba88dbeeb_1.json | 1 - ...96015ef-718e-40ff-ac4a-cc2ba88dbeeb_2.json | 1 - ...96015ef-718e-40ff-ac4a-cc2ba88dbeeb_3.json | 1 - .../69c116bb-d86f-48b0-857d-3648511a6cac.json | 1 - 
...9c116bb-d86f-48b0-857d-3648511a6cac_1.json | 1 - .../69c251fb-a5d6-4035-b5ec-40438bd829ff.json | 1 - ...251fb-a5d6-4035-b5ec-40438bd829ff_104.json | 1 - ...251fb-a5d6-4035-b5ec-40438bd829ff_105.json | 1 - ...251fb-a5d6-4035-b5ec-40438bd829ff_106.json | 1 - ...251fb-a5d6-4035-b5ec-40438bd829ff_107.json | 1 - ...251fb-a5d6-4035-b5ec-40438bd829ff_108.json | 1 - ...251fb-a5d6-4035-b5ec-40438bd829ff_109.json | 1 - ...251fb-a5d6-4035-b5ec-40438bd829ff_110.json | 1 - ...251fb-a5d6-4035-b5ec-40438bd829ff_310.json | 1 - .../69c420e8-6c9e-4d28-86c0-8a2be2d1e78c.json | 1 - ...420e8-6c9e-4d28-86c0-8a2be2d1e78c_102.json | 1 - ...420e8-6c9e-4d28-86c0-8a2be2d1e78c_103.json | 1 - ...420e8-6c9e-4d28-86c0-8a2be2d1e78c_104.json | 1 - ...420e8-6c9e-4d28-86c0-8a2be2d1e78c_205.json | 1 - .../6a309864-fc3f-11ee-b8cc-f661ea17fbce.json | 1 - ...a309864-fc3f-11ee-b8cc-f661ea17fbce_1.json | 1 - .../6a8ab9cc-4023-4d17-b5df-1a3e16882ce7.json | 1 - ...ab9cc-4023-4d17-b5df-1a3e16882ce7_103.json | 1 - ...ab9cc-4023-4d17-b5df-1a3e16882ce7_104.json | 1 - ...ab9cc-4023-4d17-b5df-1a3e16882ce7_105.json | 1 - ...ab9cc-4023-4d17-b5df-1a3e16882ce7_106.json | 1 - ...ab9cc-4023-4d17-b5df-1a3e16882ce7_107.json | 1 - ...ab9cc-4023-4d17-b5df-1a3e16882ce7_108.json | 1 - ...ab9cc-4023-4d17-b5df-1a3e16882ce7_109.json | 1 - ...ab9cc-4023-4d17-b5df-1a3e16882ce7_110.json | 1 - .../6aace640-e631-4870-ba8e-5fdda09325db.json | 1 - ...ce640-e631-4870-ba8e-5fdda09325db_105.json | 1 - ...ce640-e631-4870-ba8e-5fdda09325db_106.json | 1 - ...ce640-e631-4870-ba8e-5fdda09325db_107.json | 1 - ...ce640-e631-4870-ba8e-5fdda09325db_108.json | 1 - ...ce640-e631-4870-ba8e-5fdda09325db_109.json | 1 - ...ce640-e631-4870-ba8e-5fdda09325db_110.json | 1 - ...ce640-e631-4870-ba8e-5fdda09325db_111.json | 1 - ...ce640-e631-4870-ba8e-5fdda09325db_212.json | 1 - ...ce640-e631-4870-ba8e-5fdda09325db_313.json | 1 - ...ce640-e631-4870-ba8e-5fdda09325db_314.json | 1 - ...ce640-e631-4870-ba8e-5fdda09325db_315.json | 1 - 
...ce640-e631-4870-ba8e-5fdda09325db_316.json | 1 - ...ce640-e631-4870-ba8e-5fdda09325db_416.json | 1 - .../6ace94ba-f02c-4d55-9f53-87d99b6f9af4.json | 1 - ...ace94ba-f02c-4d55-9f53-87d99b6f9af4_1.json | 1 - ...ace94ba-f02c-4d55-9f53-87d99b6f9af4_2.json | 1 - ...ace94ba-f02c-4d55-9f53-87d99b6f9af4_3.json | 1 - ...ace94ba-f02c-4d55-9f53-87d99b6f9af4_4.json | 1 - ...ace94ba-f02c-4d55-9f53-87d99b6f9af4_5.json | 1 - ...ace94ba-f02c-4d55-9f53-87d99b6f9af4_6.json | 1 - .../6b84d470-9036-4cc0-a27c-6d90bbfe81ab.json | 1 - ...4d470-9036-4cc0-a27c-6d90bbfe81ab_103.json | 1 - ...4d470-9036-4cc0-a27c-6d90bbfe81ab_104.json | 1 - ...4d470-9036-4cc0-a27c-6d90bbfe81ab_105.json | 1 - ...4d470-9036-4cc0-a27c-6d90bbfe81ab_206.json | 1 - ...4d470-9036-4cc0-a27c-6d90bbfe81ab_207.json | 1 - .../6bed021a-0afb-461c-acbe-ffdb9574d3f3.json | 1 - ...d021a-0afb-461c-acbe-ffdb9574d3f3_104.json | 1 - ...d021a-0afb-461c-acbe-ffdb9574d3f3_105.json | 1 - ...d021a-0afb-461c-acbe-ffdb9574d3f3_106.json | 1 - ...d021a-0afb-461c-acbe-ffdb9574d3f3_107.json | 1 - ...d021a-0afb-461c-acbe-ffdb9574d3f3_108.json | 1 - .../6c6bb7ea-0636-44ca-b541-201478ef6b50.json | 1 - ...c6bb7ea-0636-44ca-b541-201478ef6b50_1.json | 1 - .../6cd1779c-560f-4b68-a8f1-11009b27fe63.json | 1 - ...1779c-560f-4b68-a8f1-11009b27fe63_102.json | 1 - ...1779c-560f-4b68-a8f1-11009b27fe63_103.json | 1 - ...1779c-560f-4b68-a8f1-11009b27fe63_104.json | 1 - ...1779c-560f-4b68-a8f1-11009b27fe63_105.json | 1 - ...1779c-560f-4b68-a8f1-11009b27fe63_106.json | 1 - ...1779c-560f-4b68-a8f1-11009b27fe63_107.json | 1 - ...1779c-560f-4b68-a8f1-11009b27fe63_108.json | 1 - .../6cea88e4-6ce2-4238-9981-a54c140d6336.json | 1 - ...cea88e4-6ce2-4238-9981-a54c140d6336_1.json | 1 - ...a88e4-6ce2-4238-9981-a54c140d6336_103.json | 68 +++++++++ .../6d448b96-c922-4adb-b51c-b767f1ea5b76.json | 1 - ...48b96-c922-4adb-b51c-b767f1ea5b76_104.json | 1 - ...48b96-c922-4adb-b51c-b767f1ea5b76_105.json | 1 - ...48b96-c922-4adb-b51c-b767f1ea5b76_106.json | 1 - 
...48b96-c922-4adb-b51c-b767f1ea5b76_107.json | 1 - ...48b96-c922-4adb-b51c-b767f1ea5b76_108.json | 1 - ...48b96-c922-4adb-b51c-b767f1ea5b76_109.json | 1 - ...48b96-c922-4adb-b51c-b767f1ea5b76_110.json | 1 - .../6d8685a1-94fa-4ef7-83de-59302e7c4ca8.json | 1 - ...d8685a1-94fa-4ef7-83de-59302e7c4ca8_1.json | 1 - ...d8685a1-94fa-4ef7-83de-59302e7c4ca8_2.json | 1 - ...d8685a1-94fa-4ef7-83de-59302e7c4ca8_3.json | 1 - ...ded0996-7d4b-40f2-bf4a-6913e7591795_1.json | 1 - .../6e1a2cc4-d260-11ed-8829-f661ea17fbcc.json | 1 - ...e1a2cc4-d260-11ed-8829-f661ea17fbcc_1.json | 1 - ...e1a2cc4-d260-11ed-8829-f661ea17fbcc_2.json | 1 - ...e1a2cc4-d260-11ed-8829-f661ea17fbcc_3.json | 1 - ...e1a2cc4-d260-11ed-8829-f661ea17fbcc_4.json | 1 - ...e1a2cc4-d260-11ed-8829-f661ea17fbcc_5.json | 1 - ...e1a2cc4-d260-11ed-8829-f661ea17fbcc_6.json | 1 - ...e1a2cc4-d260-11ed-8829-f661ea17fbcc_7.json | 1 - .../6e40d56f-5c0e-4ac6-aece-bee96645b172.json | 1 - ...0d56f-5c0e-4ac6-aece-bee96645b172_102.json | 1 - ...0d56f-5c0e-4ac6-aece-bee96645b172_103.json | 1 - ...0d56f-5c0e-4ac6-aece-bee96645b172_104.json | 1 - ...0d56f-5c0e-4ac6-aece-bee96645b172_105.json | 1 - ...0d56f-5c0e-4ac6-aece-bee96645b172_106.json | 1 - ...0d56f-5c0e-4ac6-aece-bee96645b172_107.json | 1 - .../6e9130a5-9be6-48e5-943a-9628bfc74b18.json | 1 - ...130a5-9be6-48e5-943a-9628bfc74b18_103.json | 1 - ...130a5-9be6-48e5-943a-9628bfc74b18_104.json | 1 - ...130a5-9be6-48e5-943a-9628bfc74b18_105.json | 1 - ...130a5-9be6-48e5-943a-9628bfc74b18_106.json | 1 - ...130a5-9be6-48e5-943a-9628bfc74b18_107.json | 1 - ...130a5-9be6-48e5-943a-9628bfc74b18_108.json | 1 - ...130a5-9be6-48e5-943a-9628bfc74b18_109.json | 1 - .../6e9b351e-a531-4bdc-b73e-7034d6eed7ff.json | 1 - ...b351e-a531-4bdc-b73e-7034d6eed7ff_102.json | 1 - ...b351e-a531-4bdc-b73e-7034d6eed7ff_103.json | 1 - ...b351e-a531-4bdc-b73e-7034d6eed7ff_104.json | 1 - ...b351e-a531-4bdc-b73e-7034d6eed7ff_105.json | 1 - ...b351e-a531-4bdc-b73e-7034d6eed7ff_106.json | 1 - 
...b351e-a531-4bdc-b73e-7034d6eed7ff_107.json | 1 - .../6ea41894-66c3-4df7-ad6b-2c5074eb3df8.json | 1 - ...41894-66c3-4df7-ad6b-2c5074eb3df8_102.json | 1 - ...41894-66c3-4df7-ad6b-2c5074eb3df8_103.json | 1 - ...41894-66c3-4df7-ad6b-2c5074eb3df8_104.json | 1 - ...41894-66c3-4df7-ad6b-2c5074eb3df8_105.json | 1 - ...41894-66c3-4df7-ad6b-2c5074eb3df8_106.json | 1 - ...41894-66c3-4df7-ad6b-2c5074eb3df8_107.json | 1 - ...41894-66c3-4df7-ad6b-2c5074eb3df8_108.json | 1 - ...41894-66c3-4df7-ad6b-2c5074eb3df8_109.json | 1 - .../6ea55c81-e2ba-42f2-a134-bccf857ba922.json | 1 - ...55c81-e2ba-42f2-a134-bccf857ba922_104.json | 1 - ...55c81-e2ba-42f2-a134-bccf857ba922_105.json | 1 - ...55c81-e2ba-42f2-a134-bccf857ba922_106.json | 1 - ...55c81-e2ba-42f2-a134-bccf857ba922_107.json | 1 - ...55c81-e2ba-42f2-a134-bccf857ba922_108.json | 1 - ...55c81-e2ba-42f2-a134-bccf857ba922_109.json | 1 - ...55c81-e2ba-42f2-a134-bccf857ba922_110.json | 1 - ...55c81-e2ba-42f2-a134-bccf857ba922_111.json | 1 - ...55c81-e2ba-42f2-a134-bccf857ba922_112.json | 1 - ...55c81-e2ba-42f2-a134-bccf857ba922_113.json | 1 - .../6ee947e9-de7e-4281-a55d-09289bdf947e.json | 1 - ...ee947e9-de7e-4281-a55d-09289bdf947e_1.json | 1 - ...ee947e9-de7e-4281-a55d-09289bdf947e_2.json | 1 - ...ee947e9-de7e-4281-a55d-09289bdf947e_3.json | 1 - ...ee947e9-de7e-4281-a55d-09289bdf947e_4.json | 1 - ...ee947e9-de7e-4281-a55d-09289bdf947e_5.json | 1 - ...ee947e9-de7e-4281-a55d-09289bdf947e_6.json | 1 - .../6f024bde-7085-489b-8250-5957efdf1caf.json | 1 - ...f024bde-7085-489b-8250-5957efdf1caf_1.json | 1 - ...f024bde-7085-489b-8250-5957efdf1caf_2.json | 1 - .../6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd.json | 1 - ...f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_1.json | 1 - ...bb4b2-7dc8-11ee-92b2-f661ea17fbcd_104.json | 90 +++++++++++ ...f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_2.json | 1 - ...f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_4.json | 1 - .../6f435062-b7fc-4af9-acea-5b1ead65c5a5.json | 1 - ...35062-b7fc-4af9-acea-5b1ead65c5a5_203.json | 1 - 
...35062-b7fc-4af9-acea-5b1ead65c5a5_204.json | 1 - ...35062-b7fc-4af9-acea-5b1ead65c5a5_205.json | 1 - .../7024e2a0-315d-4334-bb1a-441c593e16ab.json | 1 - ...4e2a0-315d-4334-bb1a-441c593e16ab_105.json | 1 - ...4e2a0-315d-4334-bb1a-441c593e16ab_106.json | 1 - ...4e2a0-315d-4334-bb1a-441c593e16ab_107.json | 1 - ...4e2a0-315d-4334-bb1a-441c593e16ab_208.json | 1 - ...4e2a0-315d-4334-bb1a-441c593e16ab_209.json | 1 - .../7024e2a0-315d-4334-bb1a-552d604f27bc.json | 1 - ...4e2a0-315d-4334-bb1a-552d604f27bc_105.json | 1 - ...4e2a0-315d-4334-bb1a-552d604f27bc_106.json | 1 - ...4e2a0-315d-4334-bb1a-552d604f27bc_107.json | 1 - ...4e2a0-315d-4334-bb1a-552d604f27bc_208.json | 1 - .../708c9d92-22a3-4fe0-b6b9-1f861c55502d.json | 1 - ...08c9d92-22a3-4fe0-b6b9-1f861c55502d_1.json | 1 - ...08c9d92-22a3-4fe0-b6b9-1f861c55502d_2.json | 1 - .../70d12c9c-0dbd-4a1a-bc44-1467502c9cf6.json | 1 - ...12c9c-0dbd-4a1a-bc44-1467502c9cf6_103.json | 1 - ...12c9c-0dbd-4a1a-bc44-1467502c9cf6_104.json | 1 - ...12c9c-0dbd-4a1a-bc44-1467502c9cf6_105.json | 1 - ...12c9c-0dbd-4a1a-bc44-1467502c9cf6_106.json | 1 - ...12c9c-0dbd-4a1a-bc44-1467502c9cf6_107.json | 1 - ...12c9c-0dbd-4a1a-bc44-1467502c9cf6_108.json | 1 - .../70fa1af4-27fd-4f26-bd03-50b6af6b9e24.json | 1 - ...a1af4-27fd-4f26-bd03-50b6af6b9e24_102.json | 1 - ...a1af4-27fd-4f26-bd03-50b6af6b9e24_103.json | 1 - ...a1af4-27fd-4f26-bd03-50b6af6b9e24_104.json | 1 - ...a1af4-27fd-4f26-bd03-50b6af6b9e24_105.json | 1 - .../7164081a-3930-11ed-a261-0242ac120002.json | 1 - ...164081a-3930-11ed-a261-0242ac120002_2.json | 1 - ...164081a-3930-11ed-a261-0242ac120002_3.json | 1 - ...164081a-3930-11ed-a261-0242ac120002_4.json | 1 - .../717f82c2-7741-4f9b-85b8-d06aeb853f4f.json | 1 - ...f82c2-7741-4f9b-85b8-d06aeb853f4f_103.json | 1 - ...f82c2-7741-4f9b-85b8-d06aeb853f4f_104.json | 1 - ...f82c2-7741-4f9b-85b8-d06aeb853f4f_105.json | 1 - ...f82c2-7741-4f9b-85b8-d06aeb853f4f_106.json | 1 - ...f82c2-7741-4f9b-85b8-d06aeb853f4f_207.json | 1 - 
...f82c2-7741-4f9b-85b8-d06aeb853f4f_208.json | 1 - .../71bccb61-e19b-452f-b104-79a60e546a95.json | 1 - ...ccb61-e19b-452f-b104-79a60e546a95_105.json | 1 - ...ccb61-e19b-452f-b104-79a60e546a95_106.json | 1 - ...ccb61-e19b-452f-b104-79a60e546a95_107.json | 1 - ...ccb61-e19b-452f-b104-79a60e546a95_108.json | 1 - ...ccb61-e19b-452f-b104-79a60e546a95_109.json | 1 - ...ccb61-e19b-452f-b104-79a60e546a95_110.json | 1 - ...ccb61-e19b-452f-b104-79a60e546a95_111.json | 1 - ...ccb61-e19b-452f-b104-79a60e546a95_112.json | 1 - ...ccb61-e19b-452f-b104-79a60e546a95_113.json | 1 - ...ccb61-e19b-452f-b104-79a60e546a95_114.json | 1 - ...ccb61-e19b-452f-b104-79a60e546a95_115.json | 1 - .../71c5cb27-eca5-4151-bb47-64bc3f883270.json | 1 - ...5cb27-eca5-4151-bb47-64bc3f883270_102.json | 1 - ...5cb27-eca5-4151-bb47-64bc3f883270_103.json | 1 - ...5cb27-eca5-4151-bb47-64bc3f883270_104.json | 1 - ...5cb27-eca5-4151-bb47-64bc3f883270_105.json | 1 - ...5cb27-eca5-4151-bb47-64bc3f883270_106.json | 1 - ...5cb27-eca5-4151-bb47-64bc3f883270_107.json | 1 - ...5cb27-eca5-4151-bb47-64bc3f883270_108.json | 1 - ...5cb27-eca5-4151-bb47-64bc3f883270_109.json | 1 - ...5cb27-eca5-4151-bb47-64bc3f883270_110.json | 1 - .../71d6a53d-abbd-40df-afee-c21fff6aafb0.json | 1 - ...1d6a53d-abbd-40df-afee-c21fff6aafb0_1.json | 1 - ...1d6a53d-abbd-40df-afee-c21fff6aafb0_2.json | 1 - .../71de53ea-ff3b-11ee-b572-f661ea17fbce.json | 1 - ...1de53ea-ff3b-11ee-b572-f661ea17fbce_1.json | 1 - .../721999d0-7ab2-44bf-b328-6e63367b9b29.json | 1 - ...999d0-7ab2-44bf-b328-6e63367b9b29_101.json | 1 - ...999d0-7ab2-44bf-b328-6e63367b9b29_102.json | 1 - ...999d0-7ab2-44bf-b328-6e63367b9b29_103.json | 1 - ...999d0-7ab2-44bf-b328-6e63367b9b29_105.json | 1 - ...25a048a-88c5-4fc7-8677-a44fc0031822_1.json | 1 - ...25a048a-88c5-4fc7-8677-a44fc0031822_2.json | 1 - .../729aa18d-06a6-41c7-b175-b65b739b1181.json | 1 - ...aa18d-06a6-41c7-b175-b65b739b1181_102.json | 1 - ...aa18d-06a6-41c7-b175-b65b739b1181_103.json | 1 - 
...aa18d-06a6-41c7-b175-b65b739b1181_104.json | 1 - ...aa18d-06a6-41c7-b175-b65b739b1181_105.json | 1 - ...aa18d-06a6-41c7-b175-b65b739b1181_206.json | 1 - ...aa18d-06a6-41c7-b175-b65b739b1181_207.json | 1 - ...aa18d-06a6-41c7-b175-b65b739b1181_209.json | 1 - ...aa18d-06a6-41c7-b175-b65b739b1181_309.json | 77 ++++++++++ .../72ed9140-fe9d-4a34-a026-75b50e484b17.json | 1 - ...2ed9140-fe9d-4a34-a026-75b50e484b17_1.json | 1 - .../730ed57d-ae0f-444f-af50-78708b57edd5.json | 1 - ...30ed57d-ae0f-444f-af50-78708b57edd5_1.json | 1 - ...30ed57d-ae0f-444f-af50-78708b57edd5_2.json | 1 - ...30ed57d-ae0f-444f-af50-78708b57edd5_3.json | 1 - .../7318affb-bfe8-4d50-a425-f617833be160.json | 1 - ...318affb-bfe8-4d50-a425-f617833be160_1.json | 1 - .../7405ddf1-6c8e-41ce-818f-48bea6bcaed8.json | 1 - ...5ddf1-6c8e-41ce-818f-48bea6bcaed8_104.json | 1 - ...5ddf1-6c8e-41ce-818f-48bea6bcaed8_105.json | 1 - ...5ddf1-6c8e-41ce-818f-48bea6bcaed8_106.json | 1 - ...5ddf1-6c8e-41ce-818f-48bea6bcaed8_107.json | 1 - ...5ddf1-6c8e-41ce-818f-48bea6bcaed8_108.json | 1 - ...5ddf1-6c8e-41ce-818f-48bea6bcaed8_109.json | 1 - ...5ddf1-6c8e-41ce-818f-48bea6bcaed8_110.json | 1 - ...5ddf1-6c8e-41ce-818f-48bea6bcaed8_111.json | 1 - .../7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1.json | 1 - ...3e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_102.json | 1 - ...3e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_103.json | 1 - ...3e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_104.json | 1 - ...3e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_105.json | 1 - ...3e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_106.json | 1 - .../745b0119-0560-43ba-860a-7235dd8cee8d.json | 1 - ...b0119-0560-43ba-860a-7235dd8cee8d_102.json | 1 - ...b0119-0560-43ba-860a-7235dd8cee8d_103.json | 1 - ...b0119-0560-43ba-860a-7235dd8cee8d_104.json | 1 - .../746edc4c-c54c-49c6-97a1-651223819448.json | 1 - ...edc4c-c54c-49c6-97a1-651223819448_101.json | 1 - ...edc4c-c54c-49c6-97a1-651223819448_102.json | 1 - ...edc4c-c54c-49c6-97a1-651223819448_103.json | 1 - .../7592c127-89fb-4209-a8f6-f9944dfd7e02.json | 1 - 
...592c127-89fb-4209-a8f6-f9944dfd7e02_1.json | 1 - ...2c127-89fb-4209-a8f6-f9944dfd7e02_103.json | 1 - ...2c127-89fb-4209-a8f6-f9944dfd7e02_104.json | 1 - ...2c127-89fb-4209-a8f6-f9944dfd7e02_105.json | 1 - ...2c127-89fb-4209-a8f6-f9944dfd7e02_106.json | 1 - ...2c127-89fb-4209-a8f6-f9944dfd7e02_107.json | 1 - ...592c127-89fb-4209-a8f6-f9944dfd7e02_2.json | 1 - ...592c127-89fb-4209-a8f6-f9944dfd7e02_3.json | 1 - .../75dcb176-a575-4e33-a020-4a52aaa1b593.json | 1 - ...5dcb176-a575-4e33-a020-4a52aaa1b593_1.json | 1 - ...5dcb176-a575-4e33-a020-4a52aaa1b593_2.json | 1 - .../75ee75d8-c180-481c-ba88-ee50129a6aef.json | 1 - ...e75d8-c180-481c-ba88-ee50129a6aef_101.json | 1 - .../76152ca1-71d0-4003-9e37-0983e12832da.json | 1 - ...52ca1-71d0-4003-9e37-0983e12832da_101.json | 1 - ...52ca1-71d0-4003-9e37-0983e12832da_102.json | 1 - ...52ca1-71d0-4003-9e37-0983e12832da_103.json | 1 - .../764c8437-a581-4537-8060-1fdb0e92c92d.json | 1 - ...c8437-a581-4537-8060-1fdb0e92c92d_201.json | 1 - ...c8437-a581-4537-8060-1fdb0e92c92d_202.json | 1 - ...c8437-a581-4537-8060-1fdb0e92c92d_203.json | 1 - .../764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66.json | 1 - ...4c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_10.json | 1 - ...4c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_11.json | 1 - ...4c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_12.json | 1 - ...64c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_4.json | 1 - ...64c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_5.json | 1 - ...64c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_6.json | 1 - ...64c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_7.json | 1 - ...64c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_8.json | 1 - ...64c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_9.json | 1 - .../766d3f91-3f12-448c-b65f-20123e9e9e8c.json | 1 - ...d3f91-3f12-448c-b65f-20123e9e9e8c_103.json | 1 - ...d3f91-3f12-448c-b65f-20123e9e9e8c_104.json | 1 - ...d3f91-3f12-448c-b65f-20123e9e9e8c_105.json | 1 - ...d3f91-3f12-448c-b65f-20123e9e9e8c_106.json | 1 - ...d3f91-3f12-448c-b65f-20123e9e9e8c_107.json | 1 - ...d3f91-3f12-448c-b65f-20123e9e9e8c_108.json | 1 - 
...d3f91-3f12-448c-b65f-20123e9e9e8c_109.json | 1 - .../76ddb638-abf7-42d5-be22-4a70b0bf7241.json | 1 - ...db638-abf7-42d5-be22-4a70b0bf7241_103.json | 1 - ...db638-abf7-42d5-be22-4a70b0bf7241_104.json | 1 - ...db638-abf7-42d5-be22-4a70b0bf7241_105.json | 1 - ...db638-abf7-42d5-be22-4a70b0bf7241_106.json | 1 - .../76e4d92b-61c1-4a95-ab61-5fd94179a1ee.json | 1 - ...6e4d92b-61c1-4a95-ab61-5fd94179a1ee_1.json | 1 - ...6e4d92b-61c1-4a95-ab61-5fd94179a1ee_2.json | 1 - ...6e4d92b-61c1-4a95-ab61-5fd94179a1ee_3.json | 1 - ...6e4d92b-61c1-4a95-ab61-5fd94179a1ee_4.json | 1 - ...6e4d92b-61c1-4a95-ab61-5fd94179a1ee_5.json | 1 - ...6e4d92b-61c1-4a95-ab61-5fd94179a1ee_6.json | 1 - ...6e4d92b-61c1-4a95-ab61-5fd94179a1ee_7.json | 1 - ...6e4d92b-61c1-4a95-ab61-5fd94179a1ee_8.json | 1 - .../76fd43b7-3480-4dd9-8ad7-8bd36bfad92f.json | 1 - ...d43b7-3480-4dd9-8ad7-8bd36bfad92f_104.json | 1 - ...d43b7-3480-4dd9-8ad7-8bd36bfad92f_105.json | 1 - ...d43b7-3480-4dd9-8ad7-8bd36bfad92f_106.json | 1 - ...d43b7-3480-4dd9-8ad7-8bd36bfad92f_107.json | 1 - ...d43b7-3480-4dd9-8ad7-8bd36bfad92f_108.json | 1 - ...d43b7-3480-4dd9-8ad7-8bd36bfad92f_109.json | 1 - ...d43b7-3480-4dd9-8ad7-8bd36bfad92f_110.json | 1 - ...d43b7-3480-4dd9-8ad7-8bd36bfad92f_211.json | 1 - ...d43b7-3480-4dd9-8ad7-8bd36bfad92f_312.json | 1 - ...d43b7-3480-4dd9-8ad7-8bd36bfad92f_313.json | 1 - ...d43b7-3480-4dd9-8ad7-8bd36bfad92f_314.json | 1 - ...d43b7-3480-4dd9-8ad7-8bd36bfad92f_414.json | 1 - ...d43b7-3480-4dd9-8ad7-8bd36bfad92f_415.json | 1 - .../770e0c4d-b998-41e5-a62e-c7901fd7f470.json | 1 - ...e0c4d-b998-41e5-a62e-c7901fd7f470_104.json | 1 - ...e0c4d-b998-41e5-a62e-c7901fd7f470_105.json | 1 - ...e0c4d-b998-41e5-a62e-c7901fd7f470_106.json | 1 - ...e0c4d-b998-41e5-a62e-c7901fd7f470_107.json | 1 - ...e0c4d-b998-41e5-a62e-c7901fd7f470_108.json | 1 - ...e0c4d-b998-41e5-a62e-c7901fd7f470_109.json | 1 - ...e0c4d-b998-41e5-a62e-c7901fd7f470_110.json | 1 - ...e0c4d-b998-41e5-a62e-c7901fd7f470_111.json | 1 - 
...e0c4d-b998-41e5-a62e-c7901fd7f470_112.json | 1 - ...e0c4d-b998-41e5-a62e-c7901fd7f470_113.json | 1 - ...e0c4d-b998-41e5-a62e-c7901fd7f470_313.json | 1 - .../774f5e28-7b75-4a58-b94e-41bf060fdd86.json | 1 - ...f5e28-7b75-4a58-b94e-41bf060fdd86_101.json | 1 - .../7787362c-90ff-4b1a-b313-8808b1020e64.json | 1 - ...787362c-90ff-4b1a-b313-8808b1020e64_1.json | 1 - ...787362c-90ff-4b1a-b313-8808b1020e64_2.json | 1 - ...787362c-90ff-4b1a-b313-8808b1020e64_3.json | 1 - .../77a3c3df-8ec4-4da4-b758-878f551dee69.json | 1 - ...3c3df-8ec4-4da4-b758-878f551dee69_101.json | 1 - ...3c3df-8ec4-4da4-b758-878f551dee69_102.json | 1 - ...3c3df-8ec4-4da4-b758-878f551dee69_103.json | 1 - .../781f8746-2180-4691-890c-4c96d11ca91d.json | 1 - ...81f8746-2180-4691-890c-4c96d11ca91d_1.json | 1 - ...81f8746-2180-4691-890c-4c96d11ca91d_2.json | 1 - ...81f8746-2180-4691-890c-4c96d11ca91d_3.json | 1 - ...81f8746-2180-4691-890c-4c96d11ca91d_4.json | 1 - ...81f8746-2180-4691-890c-4c96d11ca91d_5.json | 1 - ...81f8746-2180-4691-890c-4c96d11ca91d_6.json | 1 - ...81f8746-2180-4691-890c-4c96d11ca91d_7.json | 1 - .../78390eb5-c838-4c1d-8240-69dd7397cfb7.json | 1 - ...8390eb5-c838-4c1d-8240-69dd7397cfb7_1.json | 1 - .../785a404b-75aa-4ffd-8be5-3334a5a544dd.json | 1 - ...a404b-75aa-4ffd-8be5-3334a5a544dd_203.json | 1 - ...a404b-75aa-4ffd-8be5-3334a5a544dd_204.json | 1 - ...a404b-75aa-4ffd-8be5-3334a5a544dd_205.json | 1 - .../7882cebf-6cf1-4de3-9662-213aa13e8b80.json | 1 - ...2cebf-6cf1-4de3-9662-213aa13e8b80_104.json | 1 - .../78d3d8d9-b476-451d-a9e0-7a5addd70670.json | 1 - ...3d8d9-b476-451d-a9e0-7a5addd70670_104.json | 1 - ...3d8d9-b476-451d-a9e0-7a5addd70670_105.json | 1 - ...3d8d9-b476-451d-a9e0-7a5addd70670_106.json | 1 - ...3d8d9-b476-451d-a9e0-7a5addd70670_107.json | 1 - ...3d8d9-b476-451d-a9e0-7a5addd70670_208.json | 1 - .../78de1aeb-5225-4067-b8cc-f4a1de8a8546.json | 1 - ...8de1aeb-5225-4067-b8cc-f4a1de8a8546_1.json | 1 - ...e1aeb-5225-4067-b8cc-f4a1de8a8546_102.json | 1 - 
...e1aeb-5225-4067-b8cc-f4a1de8a8546_203.json | 1 - ...e1aeb-5225-4067-b8cc-f4a1de8a8546_204.json | 1 - ...e1aeb-5225-4067-b8cc-f4a1de8a8546_205.json | 1 - ...e1aeb-5225-4067-b8cc-f4a1de8a8546_305.json | 1 - ...e1aeb-5225-4067-b8cc-f4a1de8a8546_306.json | 1 - .../78e9b5d5-7c07-40a7-a591-3dbbf464c386.json | 1 - ...8e9b5d5-7c07-40a7-a591-3dbbf464c386_1.json | 1 - ...8e9b5d5-7c07-40a7-a591-3dbbf464c386_2.json | 1 - .../78ef0c95-9dc2-40ac-a8da-5deb6293a14e.json | 1 - ...8ef0c95-9dc2-40ac-a8da-5deb6293a14e_2.json | 1 - ...8ef0c95-9dc2-40ac-a8da-5deb6293a14e_3.json | 1 - ...8ef0c95-9dc2-40ac-a8da-5deb6293a14e_4.json | 1 - ...8ef0c95-9dc2-40ac-a8da-5deb6293a14e_5.json | 1 - ...8ef0c95-9dc2-40ac-a8da-5deb6293a14e_6.json | 1 - .../79124edf-30a8-4d48-95c4-11522cad94b1.json | 1 - ...9124edf-30a8-4d48-95c4-11522cad94b1_1.json | 1 - ...9124edf-30a8-4d48-95c4-11522cad94b1_2.json | 1 - ...9124edf-30a8-4d48-95c4-11522cad94b1_3.json | 1 - ...9124edf-30a8-4d48-95c4-11522cad94b1_4.json | 1 - .../792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec.json | 1 - ...dd7a6-7e00-4a0a-8a9a-a7c24720b5ec_102.json | 1 - .../79ce2c96-72f7-44f9-88ef-60fa1ac2ce47.json | 1 - ...9ce2c96-72f7-44f9-88ef-60fa1ac2ce47_1.json | 1 - ...9ce2c96-72f7-44f9-88ef-60fa1ac2ce47_2.json | 1 - ...9ce2c96-72f7-44f9-88ef-60fa1ac2ce47_3.json | 1 - ...9ce2c96-72f7-44f9-88ef-60fa1ac2ce47_4.json | 1 - .../79f0a1f7-ed6b-471c-8eb1-23abd6470b1c.json | 1 - ...9f0a1f7-ed6b-471c-8eb1-23abd6470b1c_2.json | 1 - ...0a1f7-ed6b-471c-8eb1-23abd6470b1c_209.json | 1 - ...9f0a1f7-ed6b-471c-8eb1-23abd6470b1c_3.json | 1 - ...9f0a1f7-ed6b-471c-8eb1-23abd6470b1c_4.json | 1 - ...9f0a1f7-ed6b-471c-8eb1-23abd6470b1c_5.json | 1 - ...9f0a1f7-ed6b-471c-8eb1-23abd6470b1c_6.json | 1 - ...9f0a1f7-ed6b-471c-8eb1-23abd6470b1c_7.json | 1 - ...9f0a1f7-ed6b-471c-8eb1-23abd6470b1c_8.json | 1 - ...9f0a1f7-ed6b-471c-8eb1-23abd6470b1c_9.json | 1 - .../79f97b31-480e-4e63-a7f4-ede42bf2c6de.json | 1 - ...97b31-480e-4e63-a7f4-ede42bf2c6de_104.json | 1 - 
...97b31-480e-4e63-a7f4-ede42bf2c6de_105.json | 1 - ...97b31-480e-4e63-a7f4-ede42bf2c6de_106.json | 1 - ...97b31-480e-4e63-a7f4-ede42bf2c6de_107.json | 1 - ...97b31-480e-4e63-a7f4-ede42bf2c6de_108.json | 1 - ...97b31-480e-4e63-a7f4-ede42bf2c6de_109.json | 1 - ...97b31-480e-4e63-a7f4-ede42bf2c6de_110.json | 1 - ...97b31-480e-4e63-a7f4-ede42bf2c6de_111.json | 1 - .../7acb2de3-8465-472a-8d9c-ccd7b73d0ed8.json | 1 - ...acb2de3-8465-472a-8d9c-ccd7b73d0ed8_1.json | 1 - ...acb2de3-8465-472a-8d9c-ccd7b73d0ed8_2.json | 1 - ...acb2de3-8465-472a-8d9c-ccd7b73d0ed8_3.json | 1 - ...acb2de3-8465-472a-8d9c-ccd7b73d0ed8_4.json | 1 - .../7afc6cc9-8800-4c7f-be6b-b688d2dea248.json | 1 - ...afc6cc9-8800-4c7f-be6b-b688d2dea248_1.json | 1 - ...afc6cc9-8800-4c7f-be6b-b688d2dea248_2.json | 1 - ...afc6cc9-8800-4c7f-be6b-b688d2dea248_3.json | 1 - .../7b3da11a-60a2-412e-8aa7-011e1eb9ed47.json | 1 - ...da11a-60a2-412e-8aa7-011e1eb9ed47_102.json | 1 - ...da11a-60a2-412e-8aa7-011e1eb9ed47_103.json | 1 - ...da11a-60a2-412e-8aa7-011e1eb9ed47_104.json | 1 - ...da11a-60a2-412e-8aa7-011e1eb9ed47_205.json | 1 - .../7b8bfc26-81d2-435e-965c-d722ee397ef1.json | 1 - ...bfc26-81d2-435e-965c-d722ee397ef1_104.json | 1 - ...bfc26-81d2-435e-965c-d722ee397ef1_105.json | 1 - ...bfc26-81d2-435e-965c-d722ee397ef1_106.json | 1 - ...bfc26-81d2-435e-965c-d722ee397ef1_107.json | 1 - ...bfc26-81d2-435e-965c-d722ee397ef1_108.json | 1 - ...bfc26-81d2-435e-965c-d722ee397ef1_109.json | 1 - ...bfc26-81d2-435e-965c-d722ee397ef1_110.json | 1 - ...bfc26-81d2-435e-965c-d722ee397ef1_111.json | 1 - ...bfc26-81d2-435e-965c-d722ee397ef1_112.json | 1 - ...bfc26-81d2-435e-965c-d722ee397ef1_113.json | 1 - .../7ba58110-ae13-439b-8192-357b0fcfa9d7.json | 1 - ...58110-ae13-439b-8192-357b0fcfa9d7_103.json | 1 - ...58110-ae13-439b-8192-357b0fcfa9d7_104.json | 1 - ...58110-ae13-439b-8192-357b0fcfa9d7_105.json | 1 - ...58110-ae13-439b-8192-357b0fcfa9d7_206.json | 1 - ...58110-ae13-439b-8192-357b0fcfa9d7_207.json | 1 - 
...58110-ae13-439b-8192-357b0fcfa9d7_208.json | 1 - .../7bcbb3ac-e533-41ad-a612-d6c3bf666aba.json | 1 - ...bb3ac-e533-41ad-a612-d6c3bf666aba_101.json | 1 - ...bb3ac-e533-41ad-a612-d6c3bf666aba_102.json | 1 - ...bb3ac-e533-41ad-a612-d6c3bf666aba_103.json | 1 - ...bb3ac-e533-41ad-a612-d6c3bf666aba_104.json | 1 - ...bb3ac-e533-41ad-a612-d6c3bf666aba_105.json | 1 - ...bb3ac-e533-41ad-a612-d6c3bf666aba_106.json | 1 - .../7c2e1297-7664-42bc-af11-6d5d35220b6b.json | 1 - ...c2e1297-7664-42bc-af11-6d5d35220b6b_1.json | 1 - ...c2e1297-7664-42bc-af11-6d5d35220b6b_2.json | 1 - ...c2e1297-7664-42bc-af11-6d5d35220b6b_3.json | 1 - .../7caa8e60-2df0-11ed-b814-f661ea17fbce.json | 1 - ...a8e60-2df0-11ed-b814-f661ea17fbce_104.json | 1 - ...a8e60-2df0-11ed-b814-f661ea17fbce_105.json | 1 - ...a8e60-2df0-11ed-b814-f661ea17fbce_106.json | 1 - .../7ce5e1c7-6a49-45e6-a101-0720d185667f.json | 1 - ...ce5e1c7-6a49-45e6-a101-0720d185667f_1.json | 1 - .../7ceb2216-47dd-4e64-9433-cddc99727623.json | 1 - ...b2216-47dd-4e64-9433-cddc99727623_103.json | 1 - .../7d091a76-0737-11ef-8469-f661ea17fbcc.json | 1 - ...d091a76-0737-11ef-8469-f661ea17fbcc_1.json | 1 - .../7df3cb8b-5c0c-4228-b772-bb6cd619053c.json | 1 - ...df3cb8b-5c0c-4228-b772-bb6cd619053c_1.json | 1 - ...df3cb8b-5c0c-4228-b772-bb6cd619053c_2.json | 1 - .../7dfaaa17-425c-4fe7-bd36-83705fde7c2b.json | 1 - ...dfaaa17-425c-4fe7-bd36-83705fde7c2b_1.json | 1 - .../7e23dfef-da2c-4d64-b11d-5f285b638853.json | 1 - ...3dfef-da2c-4d64-b11d-5f285b638853_103.json | 1 - ...e23dfef-da2c-4d64-b11d-5f285b638853_2.json | 1 - ...3dfef-da2c-4d64-b11d-5f285b638853_204.json | 1 - ...3dfef-da2c-4d64-b11d-5f285b638853_205.json | 1 - ...3dfef-da2c-4d64-b11d-5f285b638853_305.json | 1 - ...3dfef-da2c-4d64-b11d-5f285b638853_306.json | 1 - .../7f370d54-c0eb-4270-ac5a-9a6020585dc6.json | 1 - ...70d54-c0eb-4270-ac5a-9a6020585dc6_103.json | 1 - ...70d54-c0eb-4270-ac5a-9a6020585dc6_104.json | 1 - ...70d54-c0eb-4270-ac5a-9a6020585dc6_105.json | 1 - 
...70d54-c0eb-4270-ac5a-9a6020585dc6_106.json | 1 - ...70d54-c0eb-4270-ac5a-9a6020585dc6_107.json | 1 - ...70d54-c0eb-4270-ac5a-9a6020585dc6_108.json | 1 - ...70d54-c0eb-4270-ac5a-9a6020585dc6_109.json | 1 - .../7f89afef-9fc5-4e7b-bf16-75ffdf27f8db.json | 1 - ...f89afef-9fc5-4e7b-bf16-75ffdf27f8db_1.json | 1 - ...9afef-9fc5-4e7b-bf16-75ffdf27f8db_101.json | 1 - .../7fb500fa-8e24-4bd1-9480-2a819352602c.json | 1 - ...fb500fa-8e24-4bd1-9480-2a819352602c_1.json | 1 - ...b500fa-8e24-4bd1-9480-2a819352602c_10.json | 1 - ...b500fa-8e24-4bd1-9480-2a819352602c_11.json | 1 - ...b500fa-8e24-4bd1-9480-2a819352602c_12.json | 1 - ...b500fa-8e24-4bd1-9480-2a819352602c_13.json | 1 - ...b500fa-8e24-4bd1-9480-2a819352602c_14.json | 1 - ...fb500fa-8e24-4bd1-9480-2a819352602c_2.json | 1 - ...fb500fa-8e24-4bd1-9480-2a819352602c_3.json | 1 - ...fb500fa-8e24-4bd1-9480-2a819352602c_4.json | 1 - ...fb500fa-8e24-4bd1-9480-2a819352602c_5.json | 1 - ...fb500fa-8e24-4bd1-9480-2a819352602c_6.json | 1 - ...fb500fa-8e24-4bd1-9480-2a819352602c_7.json | 1 - ...fb500fa-8e24-4bd1-9480-2a819352602c_8.json | 1 - ...fb500fa-8e24-4bd1-9480-2a819352602c_9.json | 1 - .../7fda9bb2-fd28-11ee-85f9-f661ea17fbce.json | 1 - ...fda9bb2-fd28-11ee-85f9-f661ea17fbce_1.json | 1 - ...fda9bb2-fd28-11ee-85f9-f661ea17fbce_2.json | 1 - .../80084fa9-8677-4453-8680-b891d3c0c778.json | 1 - ...0084fa9-8677-4453-8680-b891d3c0c778_1.json | 1 - ...84fa9-8677-4453-8680-b891d3c0c778_103.json | 1 - ...84fa9-8677-4453-8680-b891d3c0c778_104.json | 1 - ...84fa9-8677-4453-8680-b891d3c0c778_105.json | 1 - ...84fa9-8677-4453-8680-b891d3c0c778_106.json | 1 - ...0084fa9-8677-4453-8680-b891d3c0c778_2.json | 1 - ...0084fa9-8677-4453-8680-b891d3c0c778_3.json | 1 - .../800e01be-a7a4-46d0-8de9-69f3c9582b44.json | 1 - ...00e01be-a7a4-46d0-8de9-69f3c9582b44_1.json | 1 - ...00e01be-a7a4-46d0-8de9-69f3c9582b44_2.json | 1 - ...00e01be-a7a4-46d0-8de9-69f3c9582b44_3.json | 1 - .../8025db49-c57c-4fc0-bd86-7ccd6d10a35a.json | 1 - 
...025db49-c57c-4fc0-bd86-7ccd6d10a35a_1.json | 1 - ...025db49-c57c-4fc0-bd86-7ccd6d10a35a_2.json | 1 - .../804a7ac8-fc00-11ee-924b-f661ea17fbce.json | 1 - .../808291d3-e918-4a3a-86cd-73052a0c9bdc.json | 1 - ...08291d3-e918-4a3a-86cd-73052a0c9bdc_1.json | 1 - ...08291d3-e918-4a3a-86cd-73052a0c9bdc_2.json | 1 - ...08291d3-e918-4a3a-86cd-73052a0c9bdc_3.json | 1 - .../809b70d3-e2c3-455e-af1b-2626a5a1a276.json | 1 - ...b70d3-e2c3-455e-af1b-2626a5a1a276_104.json | 1 - ...b70d3-e2c3-455e-af1b-2626a5a1a276_105.json | 1 - ...b70d3-e2c3-455e-af1b-2626a5a1a276_106.json | 1 - ...b70d3-e2c3-455e-af1b-2626a5a1a276_107.json | 1 - ...b70d3-e2c3-455e-af1b-2626a5a1a276_208.json | 1 - .../80c52164-c82a-402c-9964-852533d58be1.json | 1 - ...52164-c82a-402c-9964-852533d58be1_100.json | 1 - ...52164-c82a-402c-9964-852533d58be1_101.json | 1 - ...52164-c82a-402c-9964-852533d58be1_102.json | 1 - .../814d96c7-2068-42aa-ba8e-fe0ddd565e2e.json | 1 - ...14d96c7-2068-42aa-ba8e-fe0ddd565e2e_1.json | 1 - ...14d96c7-2068-42aa-ba8e-fe0ddd565e2e_2.json | 1 - ...14d96c7-2068-42aa-ba8e-fe0ddd565e2e_3.json | 1 - .../818e23e6-2094-4f0e-8c01-22d30f3506c6.json | 1 - ...e23e6-2094-4f0e-8c01-22d30f3506c6_104.json | 1 - ...e23e6-2094-4f0e-8c01-22d30f3506c6_105.json | 1 - ...e23e6-2094-4f0e-8c01-22d30f3506c6_106.json | 1 - ...e23e6-2094-4f0e-8c01-22d30f3506c6_107.json | 1 - ...e23e6-2094-4f0e-8c01-22d30f3506c6_108.json | 1 - ...e23e6-2094-4f0e-8c01-22d30f3506c6_109.json | 1 - ...e23e6-2094-4f0e-8c01-22d30f3506c6_110.json | 1 - .../81fe9dc6-a2d7-4192-a2d8-eed98afc766a.json | 1 - ...e9dc6-a2d7-4192-a2d8-eed98afc766a_105.json | 1 - ...e9dc6-a2d7-4192-a2d8-eed98afc766a_106.json | 1 - ...e9dc6-a2d7-4192-a2d8-eed98afc766a_107.json | 1 - ...e9dc6-a2d7-4192-a2d8-eed98afc766a_108.json | 1 - ...e9dc6-a2d7-4192-a2d8-eed98afc766a_109.json | 1 - ...e9dc6-a2d7-4192-a2d8-eed98afc766a_110.json | 1 - ...e9dc6-a2d7-4192-a2d8-eed98afc766a_111.json | 1 - ...e9dc6-a2d7-4192-a2d8-eed98afc766a_211.json | 1 - 
...e9dc6-a2d7-4192-a2d8-eed98afc766a_212.json | 1 - ...e9dc6-a2d7-4192-a2d8-eed98afc766a_213.json | 1 - .../81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe.json | 1 - ...1ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_4.json | 1 - ...1ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_5.json | 1 - ...1ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_6.json | 1 - ...1ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_7.json | 1 - ...1ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_8.json | 1 - .../827f8d8f-4117-4ae4-b551-f56d54b9da6b.json | 1 - ...f8d8f-4117-4ae4-b551-f56d54b9da6b_102.json | 1 - ...f8d8f-4117-4ae4-b551-f56d54b9da6b_103.json | 1 - ...f8d8f-4117-4ae4-b551-f56d54b9da6b_104.json | 1 - ...f8d8f-4117-4ae4-b551-f56d54b9da6b_105.json | 1 - ...f8d8f-4117-4ae4-b551-f56d54b9da6b_106.json | 1 - ...f8d8f-4117-4ae4-b551-f56d54b9da6b_107.json | 1 - .../835c0622-114e-40b5-a346-f843ea5d01f1.json | 1 - ...35c0622-114e-40b5-a346-f843ea5d01f1_1.json | 1 - ...35c0622-114e-40b5-a346-f843ea5d01f1_2.json | 1 - ...35c0622-114e-40b5-a346-f843ea5d01f1_3.json | 1 - ...35c0622-114e-40b5-a346-f843ea5d01f1_4.json | 1 - ...35c0622-114e-40b5-a346-f843ea5d01f1_5.json | 1 - ...35c0622-114e-40b5-a346-f843ea5d01f1_6.json | 1 - .../83a1931d-8136-46fc-b7b9-2db4f639e014.json | 1 - ...1931d-8136-46fc-b7b9-2db4f639e014_101.json | 1 - ...f249e-4348-47ba-9741-1202a09556ad_101.json | 1 - ...f249e-4348-47ba-9741-1202a09556ad_201.json | 1 - .../83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f.json | 1 - ...3e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_1.json | 1 - ...3e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_2.json | 1 - ...3e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_3.json | 1 - ...3e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_4.json | 1 - ...3e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_5.json | 1 - ...3e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_6.json | 1 - ...3e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_7.json | 1 - ...3e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_8.json | 1 - .../8446517c-f789-11ee-8ad0-f661ea17fbce.json | 1 - ...446517c-f789-11ee-8ad0-f661ea17fbce_2.json | 1 - .../846fe13f-6772-4c83-bd39-9d16d4ad1a81.json | 1 - 
...46fe13f-6772-4c83-bd39-9d16d4ad1a81_1.json | 1 - ...46fe13f-6772-4c83-bd39-9d16d4ad1a81_2.json | 1 - ...46fe13f-6772-4c83-bd39-9d16d4ad1a81_3.json | 1 - ...46fe13f-6772-4c83-bd39-9d16d4ad1a81_4.json | 1 - ...46fe13f-6772-4c83-bd39-9d16d4ad1a81_5.json | 1 - ...46fe13f-6772-4c83-bd39-9d16d4ad1a81_6.json | 1 - .../84755a05-78c8-4430-8681-89cd6c857d71.json | 1 - ...4755a05-78c8-4430-8681-89cd6c857d71_1.json | 1 - .../84d1f8db-207f-45ab-a578-921d91c23eb2.json | 1 - ...4d1f8db-207f-45ab-a578-921d91c23eb2_1.json | 1 - ...4d1f8db-207f-45ab-a578-921d91c23eb2_2.json | 1 - .../84da2554-e12a-11ec-b896-f661ea17fbcd.json | 1 - ...a2554-e12a-11ec-b896-f661ea17fbcd_104.json | 1 - ...a2554-e12a-11ec-b896-f661ea17fbcd_105.json | 1 - ...a2554-e12a-11ec-b896-f661ea17fbcd_106.json | 1 - ...a2554-e12a-11ec-b896-f661ea17fbcd_107.json | 1 - ...a2554-e12a-11ec-b896-f661ea17fbcd_108.json | 1 - ...a2554-e12a-11ec-b896-f661ea17fbcd_109.json | 1 - ...a2554-e12a-11ec-b896-f661ea17fbcd_110.json | 1 - ...a2554-e12a-11ec-b896-f661ea17fbcd_111.json | 1 - ...a2554-e12a-11ec-b896-f661ea17fbcd_112.json | 1 - ...a2554-e12a-11ec-b896-f661ea17fbcd_213.json | 1 - .../850d901a-2a3c-46c6-8b22-55398a01aad8.json | 1 - ...d901a-2a3c-46c6-8b22-55398a01aad8_105.json | 1 - ...d901a-2a3c-46c6-8b22-55398a01aad8_106.json | 1 - ...d901a-2a3c-46c6-8b22-55398a01aad8_107.json | 1 - ...d901a-2a3c-46c6-8b22-55398a01aad8_108.json | 1 - ...d901a-2a3c-46c6-8b22-55398a01aad8_109.json | 1 - ...d901a-2a3c-46c6-8b22-55398a01aad8_110.json | 1 - .../852c1f19-68e8-43a6-9dce-340771fe1be3.json | 1 - ...c1f19-68e8-43a6-9dce-340771fe1be3_104.json | 1 - ...c1f19-68e8-43a6-9dce-340771fe1be3_105.json | 1 - ...c1f19-68e8-43a6-9dce-340771fe1be3_106.json | 1 - ...c1f19-68e8-43a6-9dce-340771fe1be3_107.json | 1 - ...c1f19-68e8-43a6-9dce-340771fe1be3_108.json | 1 - ...c1f19-68e8-43a6-9dce-340771fe1be3_208.json | 1 - ...c1f19-68e8-43a6-9dce-340771fe1be3_209.json | 1 - ...c1f19-68e8-43a6-9dce-340771fe1be3_210.json | 1 - 
.../8623535c-1e17-44e1-aa97-7a0699c3037d.json | 1 - ...3535c-1e17-44e1-aa97-7a0699c3037d_102.json | 1 - ...3535c-1e17-44e1-aa97-7a0699c3037d_103.json | 1 - ...3535c-1e17-44e1-aa97-7a0699c3037d_104.json | 1 - ...3535c-1e17-44e1-aa97-7a0699c3037d_205.json | 1 - .../863cdf31-7fd3-41cf-a185-681237ea277b.json | 1 - ...cdf31-7fd3-41cf-a185-681237ea277b_102.json | 1 - ...cdf31-7fd3-41cf-a185-681237ea277b_103.json | 1 - ...cdf31-7fd3-41cf-a185-681237ea277b_104.json | 1 - ...cdf31-7fd3-41cf-a185-681237ea277b_205.json | 1 - .../867616ec-41e5-4edc-ada2-ab13ab45de8a.json | 1 - ...616ec-41e5-4edc-ada2-ab13ab45de8a_102.json | 1 - ...616ec-41e5-4edc-ada2-ab13ab45de8a_103.json | 1 - ...616ec-41e5-4edc-ada2-ab13ab45de8a_104.json | 1 - ...616ec-41e5-4edc-ada2-ab13ab45de8a_205.json | 1 - .../870aecc0-cea4-4110-af3f-e02e9b373655.json | 1 - ...aecc0-cea4-4110-af3f-e02e9b373655_103.json | 1 - ...aecc0-cea4-4110-af3f-e02e9b373655_104.json | 1 - ...aecc0-cea4-4110-af3f-e02e9b373655_105.json | 1 - ...aecc0-cea4-4110-af3f-e02e9b373655_106.json | 1 - ...aecc0-cea4-4110-af3f-e02e9b373655_107.json | 1 - ...aecc0-cea4-4110-af3f-e02e9b373655_108.json | 1 - ...aecc0-cea4-4110-af3f-e02e9b373655_109.json | 1 - .../871ea072-1b71-4def-b016-6278b505138d.json | 1 - ...ea072-1b71-4def-b016-6278b505138d_105.json | 1 - ...ea072-1b71-4def-b016-6278b505138d_106.json | 1 - ...ea072-1b71-4def-b016-6278b505138d_107.json | 1 - ...ea072-1b71-4def-b016-6278b505138d_108.json | 1 - ...ea072-1b71-4def-b016-6278b505138d_109.json | 1 - ...ea072-1b71-4def-b016-6278b505138d_110.json | 1 - ...ea072-1b71-4def-b016-6278b505138d_111.json | 1 - ...ea072-1b71-4def-b016-6278b505138d_112.json | 1 - ...ea072-1b71-4def-b016-6278b505138d_113.json | 1 - ...ea072-1b71-4def-b016-6278b505138d_214.json | 1 - .../873b5452-074e-11ef-852e-f661ea17fbcc.json | 1 - .../87594192-4539-4bc4-8543-23bc3d5bd2b4.json | 1 - ...94192-4539-4bc4-8543-23bc3d5bd2b4_102.json | 1 - ...94192-4539-4bc4-8543-23bc3d5bd2b4_103.json | 1 - 
...94192-4539-4bc4-8543-23bc3d5bd2b4_104.json | 1 - ...94192-4539-4bc4-8543-23bc3d5bd2b4_205.json | 1 - .../884e87cc-c67b-4c90-a4ed-e1e24a940c82.json | 1 - ...84e87cc-c67b-4c90-a4ed-e1e24a940c82_1.json | 1 - ...84e87cc-c67b-4c90-a4ed-e1e24a940c82_2.json | 1 - ...84e87cc-c67b-4c90-a4ed-e1e24a940c82_3.json | 1 - ...84e87cc-c67b-4c90-a4ed-e1e24a940c82_4.json | 1 - .../88671231-6626-4e1b-abb7-6e361a171fbb.json | 1 - ...71231-6626-4e1b-abb7-6e361a171fbb_101.json | 1 - ...71231-6626-4e1b-abb7-6e361a171fbb_102.json | 1 - ...71231-6626-4e1b-abb7-6e361a171fbb_103.json | 1 - ...71231-6626-4e1b-abb7-6e361a171fbb_105.json | 1 - .../88817a33-60d3-411f-ba79-7c905d865b2a.json | 1 - ...17a33-60d3-411f-ba79-7c905d865b2a_102.json | 1 - ...17a33-60d3-411f-ba79-7c905d865b2a_103.json | 1 - ...17a33-60d3-411f-ba79-7c905d865b2a_104.json | 1 - ...17a33-60d3-411f-ba79-7c905d865b2a_105.json | 1 - ...17a33-60d3-411f-ba79-7c905d865b2a_106.json | 1 - ...17a33-60d3-411f-ba79-7c905d865b2a_107.json | 1 - .../88fdcb8c-60e5-46ee-9206-2663adf1b1ce.json | 1 - ...8fdcb8c-60e5-46ee-9206-2663adf1b1ce_1.json | 1 - ...dcb8c-60e5-46ee-9206-2663adf1b1ce_103.json | 1 - ...dcb8c-60e5-46ee-9206-2663adf1b1ce_104.json | 1 - ...dcb8c-60e5-46ee-9206-2663adf1b1ce_105.json | 1 - ...dcb8c-60e5-46ee-9206-2663adf1b1ce_106.json | 1 - ...8fdcb8c-60e5-46ee-9206-2663adf1b1ce_2.json | 1 - .../891cb88e-441a-4c3e-be2d-120d99fe7b0d.json | 1 - ...cb88e-441a-4c3e-be2d-120d99fe7b0d_103.json | 1 - ...cb88e-441a-4c3e-be2d-120d99fe7b0d_104.json | 1 - ...cb88e-441a-4c3e-be2d-120d99fe7b0d_105.json | 1 - ...cb88e-441a-4c3e-be2d-120d99fe7b0d_106.json | 1 - ...cb88e-441a-4c3e-be2d-120d99fe7b0d_107.json | 1 - ...cb88e-441a-4c3e-be2d-120d99fe7b0d_108.json | 1 - .../894326d2-56c0-4342-b553-4abfaf421b5b.json | 1 - ...94326d2-56c0-4342-b553-4abfaf421b5b_1.json | 1 - ...94326d2-56c0-4342-b553-4abfaf421b5b_2.json | 1 - ...94326d2-56c0-4342-b553-4abfaf421b5b_3.json | 1 - .../897dc6b5-b39f-432a-8d75-d3730d50c782.json | 1 - 
...dc6b5-b39f-432a-8d75-d3730d50c782_104.json | 1 - ...dc6b5-b39f-432a-8d75-d3730d50c782_105.json | 1 - ...dc6b5-b39f-432a-8d75-d3730d50c782_106.json | 1 - ...dc6b5-b39f-432a-8d75-d3730d50c782_107.json | 1 - ...dc6b5-b39f-432a-8d75-d3730d50c782_108.json | 1 - ...dc6b5-b39f-432a-8d75-d3730d50c782_109.json | 1 - ...dc6b5-b39f-432a-8d75-d3730d50c782_110.json | 1 - .../89f9a4b0-9f8f-4ee0-8823-c4751a6d6696.json | 1 - ...9a4b0-9f8f-4ee0-8823-c4751a6d6696_102.json | 1 - ...9a4b0-9f8f-4ee0-8823-c4751a6d6696_103.json | 1 - ...9a4b0-9f8f-4ee0-8823-c4751a6d6696_104.json | 1 - ...9a4b0-9f8f-4ee0-8823-c4751a6d6696_105.json | 1 - ...9a4b0-9f8f-4ee0-8823-c4751a6d6696_106.json | 1 - ...9a4b0-9f8f-4ee0-8823-c4751a6d6696_107.json | 1 - ...9a4b0-9f8f-4ee0-8823-c4751a6d6696_108.json | 1 - .../89fa6cb7-6b53-4de2-b604-648488841ab8.json | 1 - ...a6cb7-6b53-4de2-b604-648488841ab8_102.json | 1 - ...a6cb7-6b53-4de2-b604-648488841ab8_103.json | 1 - ...a6cb7-6b53-4de2-b604-648488841ab8_104.json | 1 - ...a6cb7-6b53-4de2-b604-648488841ab8_105.json | 1 - .../8a024633-c444-45c0-a4fe-78128d8c1ab6.json | 1 - ...a024633-c444-45c0-a4fe-78128d8c1ab6_1.json | 1 - ...a024633-c444-45c0-a4fe-78128d8c1ab6_2.json | 1 - ...a024633-c444-45c0-a4fe-78128d8c1ab6_3.json | 1 - ...a024633-c444-45c0-a4fe-78128d8c1ab6_4.json | 1 - ...a024633-c444-45c0-a4fe-78128d8c1ab6_5.json | 1 - .../8a0fbd26-867f-11ee-947c-f661ea17fbcd.json | 1 - ...a0fbd26-867f-11ee-947c-f661ea17fbcd_1.json | 1 - ...fbd26-867f-11ee-947c-f661ea17fbcd_106.json | 84 +++++++++++ ...a0fbd26-867f-11ee-947c-f661ea17fbcd_2.json | 1 - ...a0fbd26-867f-11ee-947c-f661ea17fbcd_3.json | 1 - ...a0fbd26-867f-11ee-947c-f661ea17fbcd_4.json | 1 - ...a0fbd26-867f-11ee-947c-f661ea17fbcd_6.json | 1 - .../8a0fd93a-7df8-410d-8808-4cc5e340f2b9.json | 1 - ...a0fd93a-7df8-410d-8808-4cc5e340f2b9_1.json | 1 - ...fd93a-7df8-410d-8808-4cc5e340f2b9_103.json | 68 +++++++++ .../8a1b0278-0f9a-487d-96bd-d4833298e87a.json | 1 - ...b0278-0f9a-487d-96bd-d4833298e87a_101.json | 1 - 
...b0278-0f9a-487d-96bd-d4833298e87a_102.json | 1 - ...b0278-0f9a-487d-96bd-d4833298e87a_103.json | 1 - ...b0278-0f9a-487d-96bd-d4833298e87a_104.json | 1 - .../8a1d4831-3ce6-4859-9891-28931fa6101d.json | 1 - ...d4831-3ce6-4859-9891-28931fa6101d_102.json | 1 - ...d4831-3ce6-4859-9891-28931fa6101d_103.json | 1 - ...d4831-3ce6-4859-9891-28931fa6101d_104.json | 1 - ...d4831-3ce6-4859-9891-28931fa6101d_105.json | 1 - ...d4831-3ce6-4859-9891-28931fa6101d_106.json | 1 - ...d4831-3ce6-4859-9891-28931fa6101d_107.json | 1 - ...d4831-3ce6-4859-9891-28931fa6101d_108.json | 1 - .../8a5c1e5f-ad63-481e-b53a-ef959230f7f1.json | 1 - ...c1e5f-ad63-481e-b53a-ef959230f7f1_102.json | 1 - ...c1e5f-ad63-481e-b53a-ef959230f7f1_103.json | 1 - ...c1e5f-ad63-481e-b53a-ef959230f7f1_104.json | 1 - ...c1e5f-ad63-481e-b53a-ef959230f7f1_105.json | 1 - ...c1e5f-ad63-481e-b53a-ef959230f7f1_206.json | 1 - ...c1e5f-ad63-481e-b53a-ef959230f7f1_207.json | 1 - ...c1e5f-ad63-481e-b53a-ef959230f7f1_209.json | 1 - ...c1e5f-ad63-481e-b53a-ef959230f7f1_309.json | 85 +++++++++++ .../8acb7614-1d92-4359-bfcf-478b6d9de150.json | 1 - ...b7614-1d92-4359-bfcf-478b6d9de150_103.json | 1 - ...b7614-1d92-4359-bfcf-478b6d9de150_104.json | 1 - ...b7614-1d92-4359-bfcf-478b6d9de150_105.json | 1 - ...b7614-1d92-4359-bfcf-478b6d9de150_205.json | 1 - ...b7614-1d92-4359-bfcf-478b6d9de150_206.json | 1 - ...b7614-1d92-4359-bfcf-478b6d9de150_207.json | 1 - ...b7614-1d92-4359-bfcf-478b6d9de150_208.json | 1 - .../8af5b42f-8d74-48c8-a8d0-6d14b4197288.json | 1 - ...af5b42f-8d74-48c8-a8d0-6d14b4197288_1.json | 1 - ...af5b42f-8d74-48c8-a8d0-6d14b4197288_2.json | 1 - ...af5b42f-8d74-48c8-a8d0-6d14b4197288_3.json | 1 - .../8b2b3a62-a598-4293-bc14-3d5fa22bb98f.json | 1 - ...b3a62-a598-4293-bc14-3d5fa22bb98f_103.json | 1 - ...b3a62-a598-4293-bc14-3d5fa22bb98f_104.json | 1 - ...b3a62-a598-4293-bc14-3d5fa22bb98f_105.json | 1 - ...b3a62-a598-4293-bc14-3d5fa22bb98f_106.json | 1 - ...b3a62-a598-4293-bc14-3d5fa22bb98f_107.json | 1 - 
...b3a62-a598-4293-bc14-3d5fa22bb98f_108.json | 1 - ...b3a62-a598-4293-bc14-3d5fa22bb98f_109.json | 1 - .../8b4f0816-6a65-4630-86a6-c21c179c0d09.json | 1 - ...f0816-6a65-4630-86a6-c21c179c0d09_104.json | 1 - ...f0816-6a65-4630-86a6-c21c179c0d09_105.json | 1 - ...f0816-6a65-4630-86a6-c21c179c0d09_106.json | 1 - ...f0816-6a65-4630-86a6-c21c179c0d09_107.json | 1 - ...f0816-6a65-4630-86a6-c21c179c0d09_108.json | 1 - ...f0816-6a65-4630-86a6-c21c179c0d09_109.json | 1 - ...f0816-6a65-4630-86a6-c21c179c0d09_110.json | 1 - ...f0816-6a65-4630-86a6-c21c179c0d09_310.json | 1 - .../8b64d36a-1307-4b2e-a77b-a0027e4d27c8.json | 1 - ...4d36a-1307-4b2e-a77b-a0027e4d27c8_101.json | 1 - .../8c1bdde8-4204-45c0-9e0c-c85ca3902488.json | 1 - ...bdde8-4204-45c0-9e0c-c85ca3902488_100.json | 1 - ...bdde8-4204-45c0-9e0c-c85ca3902488_101.json | 1 - ...bdde8-4204-45c0-9e0c-c85ca3902488_102.json | 1 - ...bdde8-4204-45c0-9e0c-c85ca3902488_103.json | 1 - .../8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45.json | 1 - ...7dc0e-e3ac-4c97-8aa0-cf6a9122de45_104.json | 1 - ...7dc0e-e3ac-4c97-8aa0-cf6a9122de45_105.json | 1 - ...7dc0e-e3ac-4c97-8aa0-cf6a9122de45_106.json | 1 - ...7dc0e-e3ac-4c97-8aa0-cf6a9122de45_107.json | 1 - ...7dc0e-e3ac-4c97-8aa0-cf6a9122de45_108.json | 1 - ...7dc0e-e3ac-4c97-8aa0-cf6a9122de45_109.json | 1 - ...7dc0e-e3ac-4c97-8aa0-cf6a9122de45_110.json | 1 - ...7dc0e-e3ac-4c97-8aa0-cf6a9122de45_111.json | 1 - ...7dc0e-e3ac-4c97-8aa0-cf6a9122de45_311.json | 1 - ...7dc0e-e3ac-4c97-8aa0-cf6a9122de45_312.json | 1 - .../8c81e506-6e82-4884-9b9a-75d3d252f967.json | 1 - ...1e506-6e82-4884-9b9a-75d3d252f967_103.json | 1 - ...1e506-6e82-4884-9b9a-75d3d252f967_104.json | 1 - ...1e506-6e82-4884-9b9a-75d3d252f967_105.json | 1 - ...1e506-6e82-4884-9b9a-75d3d252f967_106.json | 1 - ...1e506-6e82-4884-9b9a-75d3d252f967_107.json | 1 - .../8cb4f625-7743-4dfb-ae1b-ad92be9df7bd.json | 1 - ...4f625-7743-4dfb-ae1b-ad92be9df7bd_100.json | 1 - ...4f625-7743-4dfb-ae1b-ad92be9df7bd_101.json | 1 - 
...4f625-7743-4dfb-ae1b-ad92be9df7bd_102.json | 1 - .../8cb84371-d053-4f4f-bce0-c74990e28f28.json | 1 - ...b84371-d053-4f4f-bce0-c74990e28f28_10.json | 1 - ...cb84371-d053-4f4f-bce0-c74990e28f28_4.json | 1 - ...cb84371-d053-4f4f-bce0-c74990e28f28_5.json | 1 - ...cb84371-d053-4f4f-bce0-c74990e28f28_6.json | 1 - ...cb84371-d053-4f4f-bce0-c74990e28f28_7.json | 1 - ...cb84371-d053-4f4f-bce0-c74990e28f28_8.json | 1 - ...cb84371-d053-4f4f-bce0-c74990e28f28_9.json | 1 - .../8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf.json | 1 - ...cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf_1.json | 1 - .../8d366588-cbd6-43ba-95b4-0971c3f906e5.json | 1 - ...d366588-cbd6-43ba-95b4-0971c3f906e5_1.json | 1 - ...d366588-cbd6-43ba-95b4-0971c3f906e5_2.json | 1 - .../8d3d0794-c776-476b-8674-ee2e685f6470.json | 1 - ...d3d0794-c776-476b-8674-ee2e685f6470_1.json | 1 - .../8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9.json | 1 - ...41fc9-7735-4b24-9cc6-c78dfc9fc9c9_103.json | 1 - ...41fc9-7735-4b24-9cc6-c78dfc9fc9c9_104.json | 1 - ...41fc9-7735-4b24-9cc6-c78dfc9fc9c9_105.json | 1 - ...41fc9-7735-4b24-9cc6-c78dfc9fc9c9_106.json | 1 - ...41fc9-7735-4b24-9cc6-c78dfc9fc9c9_107.json | 1 - .../8ddab73b-3d15-4e5d-9413-47f05553c1d7.json | 1 - ...ab73b-3d15-4e5d-9413-47f05553c1d7_101.json | 1 - .../8e2485b6-a74f-411b-bf7f-38b819f3a846.json | 1 - ...485b6-a74f-411b-bf7f-38b819f3a846_103.json | 1 - ...485b6-a74f-411b-bf7f-38b819f3a846_104.json | 1 - ...e2485b6-a74f-411b-bf7f-38b819f3a846_2.json | 1 - ...485b6-a74f-411b-bf7f-38b819f3a846_204.json | 1 - .../8e39f54e-910b-4adb-a87e-494fbba5fb65.json | 1 - ...e39f54e-910b-4adb-a87e-494fbba5fb65_1.json | 1 - ...e39f54e-910b-4adb-a87e-494fbba5fb65_2.json | 1 - ...e39f54e-910b-4adb-a87e-494fbba5fb65_3.json | 1 - .../8eec4df1-4b4b-4502-b6c3-c788714604c9.json | 1 - ...eec4df1-4b4b-4502-b6c3-c788714604c9_1.json | 1 - ...eec4df1-4b4b-4502-b6c3-c788714604c9_2.json | 1 - ...eec4df1-4b4b-4502-b6c3-c788714604c9_3.json | 1 - ...eec4df1-4b4b-4502-b6c3-c788714604c9_4.json | 1 - 
.../8f242ffb-b191-4803-90ec-0f19942e17fd.json | 1 - ...f242ffb-b191-4803-90ec-0f19942e17fd_1.json | 1 - ...f242ffb-b191-4803-90ec-0f19942e17fd_2.json | 1 - ...f242ffb-b191-4803-90ec-0f19942e17fd_3.json | 1 - .../8f3e91c7-d791-4704-80a1-42c160d7aa27.json | 1 - ...e91c7-d791-4704-80a1-42c160d7aa27_102.json | 1 - ...e91c7-d791-4704-80a1-42c160d7aa27_103.json | 1 - ...e91c7-d791-4704-80a1-42c160d7aa27_104.json | 1 - ...e91c7-d791-4704-80a1-42c160d7aa27_105.json | 1 - ...e91c7-d791-4704-80a1-42c160d7aa27_106.json | 1 - ...e91c7-d791-4704-80a1-42c160d7aa27_107.json | 1 - .../8f919d4b-a5af-47ca-a594-6be59cd924a4.json | 1 - ...19d4b-a5af-47ca-a594-6be59cd924a4_103.json | 1 - ...19d4b-a5af-47ca-a594-6be59cd924a4_104.json | 1 - ...19d4b-a5af-47ca-a594-6be59cd924a4_105.json | 1 - ...19d4b-a5af-47ca-a594-6be59cd924a4_106.json | 1 - ...19d4b-a5af-47ca-a594-6be59cd924a4_107.json | 1 - .../8fb75dda-c47a-4e34-8ecd-34facf7aad13.json | 1 - ...75dda-c47a-4e34-8ecd-34facf7aad13_103.json | 1 - .../90169566-2260-4824-b8e4-8615c3b4ed52.json | 1 - ...69566-2260-4824-b8e4-8615c3b4ed52_103.json | 1 - ...69566-2260-4824-b8e4-8615c3b4ed52_104.json | 1 - ...69566-2260-4824-b8e4-8615c3b4ed52_105.json | 1 - ...69566-2260-4824-b8e4-8615c3b4ed52_106.json | 1 - ...69566-2260-4824-b8e4-8615c3b4ed52_107.json | 1 - .../9055ece6-2689-4224-a0e0-b04881e1f8ad.json | 1 - ...5ece6-2689-4224-a0e0-b04881e1f8ad_102.json | 1 - ...5ece6-2689-4224-a0e0-b04881e1f8ad_103.json | 1 - ...5ece6-2689-4224-a0e0-b04881e1f8ad_104.json | 1 - ...5ece6-2689-4224-a0e0-b04881e1f8ad_205.json | 1 - .../9092cd6c-650f-4fa3-8a8a-28256c7489c9.json | 1 - ...2cd6c-650f-4fa3-8a8a-28256c7489c9_102.json | 1 - ...2cd6c-650f-4fa3-8a8a-28256c7489c9_103.json | 1 - ...2cd6c-650f-4fa3-8a8a-28256c7489c9_104.json | 1 - ...2cd6c-650f-4fa3-8a8a-28256c7489c9_105.json | 1 - ...2cd6c-650f-4fa3-8a8a-28256c7489c9_106.json | 1 - ...2cd6c-650f-4fa3-8a8a-28256c7489c9_107.json | 1 - .../90babaa8-5216-4568-992d-d4a01a105d98.json | 1 - 
...0babaa8-5216-4568-992d-d4a01a105d98_1.json | 1 - ...0babaa8-5216-4568-992d-d4a01a105d98_2.json | 1 - ...0babaa8-5216-4568-992d-d4a01a105d98_3.json | 1 - .../9180ffdf-f3d0-4db3-bf66-7a14bcff71b8.json | 1 - ...0ffdf-f3d0-4db3-bf66-7a14bcff71b8_103.json | 1 - .../91d04cd4-47a9-4334-ab14-084abe274d49.json | 1 - ...04cd4-47a9-4334-ab14-084abe274d49_102.json | 1 - ...04cd4-47a9-4334-ab14-084abe274d49_103.json | 1 - ...04cd4-47a9-4334-ab14-084abe274d49_104.json | 1 - ...04cd4-47a9-4334-ab14-084abe274d49_205.json | 1 - .../91f02f01-969f-4167-8d77-07827ac4cee0.json | 1 - ...02f01-969f-4167-8d77-07827ac4cee0_101.json | 1 - ...02f01-969f-4167-8d77-07827ac4cee0_102.json | 1 - ...02f01-969f-4167-8d77-07827ac4cee0_103.json | 1 - .../91f02f01-969f-4167-8f55-07827ac3acc9.json | 1 - ...02f01-969f-4167-8f55-07827ac3acc9_101.json | 1 - ...02f01-969f-4167-8f55-07827ac3acc9_102.json | 1 - ...02f01-969f-4167-8f55-07827ac3acc9_103.json | 1 - .../91f02f01-969f-4167-8f66-07827ac3bdd9.json | 1 - ...02f01-969f-4167-8f66-07827ac3bdd9_101.json | 1 - ...02f01-969f-4167-8f66-07827ac3bdd9_102.json | 1 - ...02f01-969f-4167-8f66-07827ac3bdd9_103.json | 1 - .../929223b4-fba3-4a1c-a943-ec4716ad23ec.json | 1 - .../92984446-aefb-4d5e-ad12-598042ca80ba.json | 1 - ...84446-aefb-4d5e-ad12-598042ca80ba_108.json | 1 - ...84446-aefb-4d5e-ad12-598042ca80ba_109.json | 1 - ...2984446-aefb-4d5e-ad12-598042ca80ba_2.json | 1 - ...2984446-aefb-4d5e-ad12-598042ca80ba_3.json | 1 - ...2984446-aefb-4d5e-ad12-598042ca80ba_4.json | 1 - ...2984446-aefb-4d5e-ad12-598042ca80ba_5.json | 1 - ...2984446-aefb-4d5e-ad12-598042ca80ba_6.json | 1 - ...2984446-aefb-4d5e-ad12-598042ca80ba_7.json | 1 - ...2984446-aefb-4d5e-ad12-598042ca80ba_8.json | 1 - .../92a6faf5-78ec-4e25-bea1-73bacc9b59d9.json | 1 - ...2a6faf5-78ec-4e25-bea1-73bacc9b59d9_5.json | 1 - ...2a6faf5-78ec-4e25-bea1-73bacc9b59d9_6.json | 1 - ...2a6faf5-78ec-4e25-bea1-73bacc9b59d9_7.json | 1 - ...2a6faf5-78ec-4e25-bea1-73bacc9b59d9_8.json | 1 - 
...2a6faf5-78ec-4e25-bea1-73bacc9b59d9_9.json | 1 - .../92d3a04e-6487-4b62-892d-70e640a590dc.json | 1 - ...2d3a04e-6487-4b62-892d-70e640a590dc_1.json | 1 - ...2d3a04e-6487-4b62-892d-70e640a590dc_2.json | 1 - ...2d3a04e-6487-4b62-892d-70e640a590dc_3.json | 1 - ...2d3a04e-6487-4b62-892d-70e640a590dc_4.json | 1 - .../93075852-b0f5-4b8b-89c3-a226efae5726.json | 1 - ...75852-b0f5-4b8b-89c3-a226efae5726_102.json | 1 - ...75852-b0f5-4b8b-89c3-a226efae5726_103.json | 1 - ...75852-b0f5-4b8b-89c3-a226efae5726_104.json | 1 - ...75852-b0f5-4b8b-89c3-a226efae5726_205.json | 1 - ...75852-b0f5-4b8b-89c3-a226efae5726_206.json | 1 - ...75852-b0f5-4b8b-89c3-a226efae5726_207.json | 1 - ...75852-b0f5-4b8b-89c3-a226efae5726_208.json | 1 - .../931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4.json | 1 - ...e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_101.json | 1 - ...e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_102.json | 1 - ...e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_103.json | 1 - ...e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_203.json | 1 - ...e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_204.json | 1 - .../9395fd2c-9947-4472-86ef-4aceb2f7e872.json | 1 - ...5fd2c-9947-4472-86ef-4aceb2f7e872_105.json | 1 - ...5fd2c-9947-4472-86ef-4aceb2f7e872_106.json | 1 - ...5fd2c-9947-4472-86ef-4aceb2f7e872_107.json | 1 - ...5fd2c-9947-4472-86ef-4aceb2f7e872_208.json | 1 - .../93b22c0a-06a0-4131-b830-b10d5e166ff4.json | 1 - ...22c0a-06a0-4131-b830-b10d5e166ff4_104.json | 1 - ...22c0a-06a0-4131-b830-b10d5e166ff4_105.json | 1 - ...22c0a-06a0-4131-b830-b10d5e166ff4_106.json | 1 - ...22c0a-06a0-4131-b830-b10d5e166ff4_107.json | 1 - ...22c0a-06a0-4131-b830-b10d5e166ff4_108.json | 1 - ...22c0a-06a0-4131-b830-b10d5e166ff4_109.json | 1 - ...22c0a-06a0-4131-b830-b10d5e166ff4_110.json | 1 - .../93c1ce76-494c-4f01-8167-35edfb52f7b1.json | 1 - ...1ce76-494c-4f01-8167-35edfb52f7b1_103.json | 1 - ...1ce76-494c-4f01-8167-35edfb52f7b1_104.json | 1 - ...1ce76-494c-4f01-8167-35edfb52f7b1_105.json | 1 - ...1ce76-494c-4f01-8167-35edfb52f7b1_106.json | 1 - 
...1ce76-494c-4f01-8167-35edfb52f7b1_107.json | 1 - ...1ce76-494c-4f01-8167-35edfb52f7b1_208.json | 1 - ...1ce76-494c-4f01-8167-35edfb52f7b1_309.json | 1 - ...1ce76-494c-4f01-8167-35edfb52f7b1_310.json | 1 - .../93e63c3e-4154-4fc6-9f86-b411e0987bbf.json | 1 - ...63c3e-4154-4fc6-9f86-b411e0987bbf_203.json | 1 - ...63c3e-4154-4fc6-9f86-b411e0987bbf_204.json | 1 - ...63c3e-4154-4fc6-9f86-b411e0987bbf_205.json | 1 - .../93f47b6f-5728-4004-ba00-625083b3dcb0.json | 1 - ...47b6f-5728-4004-ba00-625083b3dcb0_101.json | 1 - ...47b6f-5728-4004-ba00-625083b3dcb0_102.json | 1 - ...47b6f-5728-4004-ba00-625083b3dcb0_103.json | 1 - ...47b6f-5728-4004-ba00-625083b3dcb0_104.json | 1 - .../94418745-529f-4259-8d25-a713a6feb6ae.json | 1 - ...4418745-529f-4259-8d25-a713a6feb6ae_1.json | 1 - ...4418745-529f-4259-8d25-a713a6feb6ae_2.json | 1 - ...4418745-529f-4259-8d25-a713a6feb6ae_3.json | 1 - .../947827c6-9ed6-4dec-903e-c856c86e72f3.json | 1 - ...47827c6-9ed6-4dec-903e-c856c86e72f3_1.json | 1 - ...47827c6-9ed6-4dec-903e-c856c86e72f3_2.json | 1 - .../94a401ba-4fa2-455c-b7ae-b6e037afc0b7.json | 1 - ...4a401ba-4fa2-455c-b7ae-b6e037afc0b7_2.json | 1 - ...401ba-4fa2-455c-b7ae-b6e037afc0b7_209.json | 1 - ...4a401ba-4fa2-455c-b7ae-b6e037afc0b7_3.json | 1 - ...4a401ba-4fa2-455c-b7ae-b6e037afc0b7_4.json | 1 - ...4a401ba-4fa2-455c-b7ae-b6e037afc0b7_5.json | 1 - ...4a401ba-4fa2-455c-b7ae-b6e037afc0b7_6.json | 1 - ...4a401ba-4fa2-455c-b7ae-b6e037afc0b7_7.json | 1 - ...4a401ba-4fa2-455c-b7ae-b6e037afc0b7_8.json | 1 - ...4a401ba-4fa2-455c-b7ae-b6e037afc0b7_9.json | 1 - .../94e734c0-2cda-11ef-84e1-f661ea17fbce.json | 1 - ...4e734c0-2cda-11ef-84e1-f661ea17fbce_1.json | 1 - ...734c0-2cda-11ef-84e1-f661ea17fbce_103.json | 77 ++++++++++ ...4e734c0-2cda-11ef-84e1-f661ea17fbce_2.json | 1 - .../9510add4-3392-11ed-bd01-f661ea17fbce.json | 1 - ...0add4-3392-11ed-bd01-f661ea17fbce_104.json | 1 - ...0add4-3392-11ed-bd01-f661ea17fbce_105.json | 1 - ...0add4-3392-11ed-bd01-f661ea17fbce_106.json | 1 - 
.../951779c2-82ad-4a6c-82b8-296c1f691449.json | 1 - ...51779c2-82ad-4a6c-82b8-296c1f691449_1.json | 1 - ...51779c2-82ad-4a6c-82b8-296c1f691449_2.json | 1 - ...51779c2-82ad-4a6c-82b8-296c1f691449_3.json | 1 - .../954ee7c8-5437-49ae-b2d6-2960883898e9.json | 1 - ...ee7c8-5437-49ae-b2d6-2960883898e9_104.json | 1 - ...ee7c8-5437-49ae-b2d6-2960883898e9_105.json | 1 - ...ee7c8-5437-49ae-b2d6-2960883898e9_106.json | 1 - ...ee7c8-5437-49ae-b2d6-2960883898e9_107.json | 1 - ...ee7c8-5437-49ae-b2d6-2960883898e9_108.json | 1 - ...ee7c8-5437-49ae-b2d6-2960883898e9_109.json | 1 - ...ee7c8-5437-49ae-b2d6-2960883898e9_110.json | 1 - .../959a7353-1129-4aa7-9084-30746b256a70.json | 1 - ...a7353-1129-4aa7-9084-30746b256a70_105.json | 1 - ...a7353-1129-4aa7-9084-30746b256a70_106.json | 1 - ...a7353-1129-4aa7-9084-30746b256a70_107.json | 1 - ...a7353-1129-4aa7-9084-30746b256a70_108.json | 1 - ...a7353-1129-4aa7-9084-30746b256a70_109.json | 1 - .../95b99adc-2cda-11ef-84e1-f661ea17fbce.json | 1 - ...5b99adc-2cda-11ef-84e1-f661ea17fbce_1.json | 1 - ...99adc-2cda-11ef-84e1-f661ea17fbce_103.json | 77 ++++++++++ ...5b99adc-2cda-11ef-84e1-f661ea17fbce_2.json | 1 - ...62a71ae-aac9-11ef-9348-f661ea17fbce_1.json | 141 ++++++++++++++++++ .../9661ed8b-001c-40dc-a777-0983b7b0c91a.json | 1 - ...661ed8b-001c-40dc-a777-0983b7b0c91a_1.json | 1 - .../968ccab9-da51-4a87-9ce2-d3c9782fd759.json | 1 - ...ccab9-da51-4a87-9ce2-d3c9782fd759_103.json | 1 - ...ccab9-da51-4a87-9ce2-d3c9782fd759_104.json | 1 - ...ccab9-da51-4a87-9ce2-d3c9782fd759_105.json | 1 - ...ccab9-da51-4a87-9ce2-d3c9782fd759_106.json | 1 - ...ccab9-da51-4a87-9ce2-d3c9782fd759_107.json | 1 - ...ccab9-da51-4a87-9ce2-d3c9782fd759_108.json | 1 - ...ccab9-da51-4a87-9ce2-d3c9782fd759_109.json | 1 - ...ccab9-da51-4a87-9ce2-d3c9782fd759_110.json | 1 - ...ccab9-da51-4a87-9ce2-d3c9782fd759_111.json | 1 - .../96b9f4ea-0e8c-435b-8d53-2096e75fcac5.json | 1 - ...9f4ea-0e8c-435b-8d53-2096e75fcac5_102.json | 1 - ...9f4ea-0e8c-435b-8d53-2096e75fcac5_103.json 
| 1 - ...9f4ea-0e8c-435b-8d53-2096e75fcac5_104.json | 1 - ...9f4ea-0e8c-435b-8d53-2096e75fcac5_205.json | 1 - ...9f4ea-0e8c-435b-8d53-2096e75fcac5_206.json | 1 - ...9f4ea-0e8c-435b-8d53-2096e75fcac5_208.json | 1 - ...9f4ea-0e8c-435b-8d53-2096e75fcac5_308.json | 76 ++++++++++ .../96d11d31-9a79-480f-8401-da28b194608f.json | 1 - ...6d11d31-9a79-480f-8401-da28b194608f_1.json | 1 - ...d11d31-9a79-480f-8401-da28b194608f_10.json | 1 - ...d11d31-9a79-480f-8401-da28b194608f_11.json | 1 - ...6d11d31-9a79-480f-8401-da28b194608f_2.json | 1 - ...6d11d31-9a79-480f-8401-da28b194608f_3.json | 1 - ...6d11d31-9a79-480f-8401-da28b194608f_4.json | 1 - ...6d11d31-9a79-480f-8401-da28b194608f_5.json | 1 - ...6d11d31-9a79-480f-8401-da28b194608f_6.json | 1 - ...6d11d31-9a79-480f-8401-da28b194608f_7.json | 1 - ...6d11d31-9a79-480f-8401-da28b194608f_8.json | 1 - ...6d11d31-9a79-480f-8401-da28b194608f_9.json | 1 - .../96e90768-c3b7-4df6-b5d9-6237f8bc36a8.json | 1 - ...90768-c3b7-4df6-b5d9-6237f8bc36a8_102.json | 1 - ...90768-c3b7-4df6-b5d9-6237f8bc36a8_103.json | 1 - ...90768-c3b7-4df6-b5d9-6237f8bc36a8_104.json | 1 - ...90768-c3b7-4df6-b5d9-6237f8bc36a8_105.json | 1 - ...90768-c3b7-4df6-b5d9-6237f8bc36a8_106.json | 1 - ...90768-c3b7-4df6-b5d9-6237f8bc36a8_107.json | 1 - .../97020e61-e591-4191-8a3b-2861a2b887cd.json | 1 - ...7020e61-e591-4191-8a3b-2861a2b887cd_3.json | 1 - ...7020e61-e591-4191-8a3b-2861a2b887cd_4.json | 1 - ...7020e61-e591-4191-8a3b-2861a2b887cd_5.json | 1 - ...7020e61-e591-4191-8a3b-2861a2b887cd_6.json | 1 - ...7020e61-e591-4191-8a3b-2861a2b887cd_7.json | 1 - ...7020e61-e591-4191-8a3b-2861a2b887cd_8.json | 1 - .../97314185-2568-4561-ae81-f3e480e5e695.json | 1 - ...14185-2568-4561-ae81-f3e480e5e695_101.json | 1 - ...14185-2568-4561-ae81-f3e480e5e695_102.json | 1 - ...14185-2568-4561-ae81-f3e480e5e695_103.json | 1 - ...14185-2568-4561-ae81-f3e480e5e695_105.json | 1 - .../97359fd8-757d-4b1d-9af1-ef29e4a8680e.json | 1 - ...59fd8-757d-4b1d-9af1-ef29e4a8680e_103.json | 1 - 
.../97697a52-4a76-4f0a-aa4f-25c178aae6eb.json | 1 - .../979729e7-0c52-4c4c-b71e-88103304a79f.json | 1 - ...729e7-0c52-4c4c-b71e-88103304a79f_102.json | 1 - ...729e7-0c52-4c4c-b71e-88103304a79f_103.json | 1 - ...729e7-0c52-4c4c-b71e-88103304a79f_104.json | 1 - ...729e7-0c52-4c4c-b71e-88103304a79f_205.json | 1 - ...729e7-0c52-4c4c-b71e-88103304a79f_206.json | 1 - .../97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7.json | 1 - ...8e584-fd3b-421f-9b9d-9c9d9e57e9d7_102.json | 1 - ...8e584-fd3b-421f-9b9d-9c9d9e57e9d7_103.json | 1 - ...8e584-fd3b-421f-9b9d-9c9d9e57e9d7_104.json | 1 - ...8e584-fd3b-421f-9b9d-9c9d9e57e9d7_105.json | 1 - ...8e584-fd3b-421f-9b9d-9c9d9e57e9d7_106.json | 1 - ...8e584-fd3b-421f-9b9d-9c9d9e57e9d7_207.json | 1 - ...8e584-fd3b-421f-9b9d-9c9d9e57e9d7_208.json | 1 - ...8e584-fd3b-421f-9b9d-9c9d9e57e9d7_209.json | 1 - ...8e584-fd3b-421f-9b9d-9c9d9e57e9d7_210.json | 1 - ...8e584-fd3b-421f-9b9d-9c9d9e57e9d7_212.json | 1 - ...8e584-fd3b-421f-9b9d-9c9d9e57e9d7_312.json | 89 +++++++++++ .../97aba1ef-6034-4bd3-8c1a-1e0996b27afa.json | 1 - ...ba1ef-6034-4bd3-8c1a-1e0996b27afa_104.json | 1 - ...ba1ef-6034-4bd3-8c1a-1e0996b27afa_105.json | 1 - ...ba1ef-6034-4bd3-8c1a-1e0996b27afa_106.json | 1 - ...ba1ef-6034-4bd3-8c1a-1e0996b27afa_107.json | 1 - ...ba1ef-6034-4bd3-8c1a-1e0996b27afa_108.json | 1 - ...ba1ef-6034-4bd3-8c1a-1e0996b27afa_109.json | 1 - ...ba1ef-6034-4bd3-8c1a-1e0996b27afa_110.json | 1 - ...ba1ef-6034-4bd3-8c1a-1e0996b27afa_211.json | 1 - ...ba1ef-6034-4bd3-8c1a-1e0996b27afa_312.json | 1 - ...ba1ef-6034-4bd3-8c1a-1e0996b27afa_313.json | 1 - ...ba1ef-6034-4bd3-8c1a-1e0996b27afa_314.json | 1 - ...ba1ef-6034-4bd3-8c1a-1e0996b27afa_414.json | 1 - ...ba1ef-6034-4bd3-8c1a-1e0996b27afa_415.json | 1 - .../97db8b42-69d8-4bf3-9fd4-c69a1d895d68.json | 1 - ...7db8b42-69d8-4bf3-9fd4-c69a1d895d68_1.json | 1 - ...7db8b42-69d8-4bf3-9fd4-c69a1d895d68_2.json | 1 - ...7db8b42-69d8-4bf3-9fd4-c69a1d895d68_3.json | 1 - ...7db8b42-69d8-4bf3-9fd4-c69a1d895d68_4.json | 1 - 
...7db8b42-69d8-4bf3-9fd4-c69a1d895d68_5.json | 1 - .../97fc44d3-8dae-4019-ae83-298c3015600f.json | 1 - ...c44d3-8dae-4019-ae83-298c3015600f_104.json | 1 - ...c44d3-8dae-4019-ae83-298c3015600f_105.json | 1 - ...c44d3-8dae-4019-ae83-298c3015600f_106.json | 1 - ...c44d3-8dae-4019-ae83-298c3015600f_107.json | 1 - ...c44d3-8dae-4019-ae83-298c3015600f_108.json | 1 - ...c44d3-8dae-4019-ae83-298c3015600f_109.json | 1 - ...c44d3-8dae-4019-ae83-298c3015600f_110.json | 1 - ...c44d3-8dae-4019-ae83-298c3015600f_111.json | 1 - ...c44d3-8dae-4019-ae83-298c3015600f_112.json | 1 - .../980b70a0-c820-11ed-8799-f661ea17fbcc.json | 1 - ...80b70a0-c820-11ed-8799-f661ea17fbcc_1.json | 1 - ...80b70a0-c820-11ed-8799-f661ea17fbcc_2.json | 1 - ...80b70a0-c820-11ed-8799-f661ea17fbcc_3.json | 1 - .../9822c5a1-1494-42de-b197-487197bb540c.json | 1 - ...822c5a1-1494-42de-b197-487197bb540c_1.json | 1 - ...86361cd-3dac-47fe-afa1-5c5dd89f2fb4_1.json | 1 - .../98843d35-645e-4e66-9d6a-5049acd96ce1.json | 1 - ...8843d35-645e-4e66-9d6a-5049acd96ce1_1.json | 1 - ...8843d35-645e-4e66-9d6a-5049acd96ce1_2.json | 1 - ...8843d35-645e-4e66-9d6a-5049acd96ce1_3.json | 1 - .../9890ee61-d061-403d-9bf6-64934c51f638.json | 1 - ...0ee61-d061-403d-9bf6-64934c51f638_103.json | 1 - .../98995807-5b09-4e37-8a54-5cae5dc932d7.json | 1 - ...95807-5b09-4e37-8a54-5cae5dc932d7_101.json | 1 - ...95807-5b09-4e37-8a54-5cae5dc932d7_102.json | 1 - ...95807-5b09-4e37-8a54-5cae5dc932d7_103.json | 1 - ...95807-5b09-4e37-8a54-5cae5dc932d7_105.json | 1 - .../98fd7407-0bd5-5817-cda0-3fcc33113a56.json | 1 - ...d7407-0bd5-5817-cda0-3fcc33113a56_105.json | 1 - ...d7407-0bd5-5817-cda0-3fcc33113a56_106.json | 1 - ...d7407-0bd5-5817-cda0-3fcc33113a56_107.json | 1 - ...d7407-0bd5-5817-cda0-3fcc33113a56_208.json | 1 - .../990838aa-a953-4f3e-b3cb-6ddf7584de9e.json | 1 - ...838aa-a953-4f3e-b3cb-6ddf7584de9e_100.json | 1 - ...838aa-a953-4f3e-b3cb-6ddf7584de9e_101.json | 1 - ...838aa-a953-4f3e-b3cb-6ddf7584de9e_102.json | 1 - 
.../99239e7d-b0d4-46e3-8609-acafcf99f68c.json | 1 - ...39e7d-b0d4-46e3-8609-acafcf99f68c_102.json | 1 - ...39e7d-b0d4-46e3-8609-acafcf99f68c_103.json | 1 - ...39e7d-b0d4-46e3-8609-acafcf99f68c_104.json | 1 - ...39e7d-b0d4-46e3-8609-acafcf99f68c_105.json | 1 - ...39e7d-b0d4-46e3-8609-acafcf99f68c_106.json | 1 - .../994e40aa-8c85-43de-825e-15f665375ee8.json | 1 - ...94e40aa-8c85-43de-825e-15f665375ee8_1.json | 1 - ...94e40aa-8c85-43de-825e-15f665375ee8_2.json | 1 - ...94e40aa-8c85-43de-825e-15f665375ee8_3.json | 1 - ...94e40aa-8c85-43de-825e-15f665375ee8_4.json | 1 - ...94e40aa-8c85-43de-825e-15f665375ee8_5.json | 1 - ...94e40aa-8c85-43de-825e-15f665375ee8_6.json | 1 - ...94e40aa-8c85-43de-825e-15f665375ee8_7.json | 1 - ...94e40aa-8c85-43de-825e-15f665375ee8_8.json | 1 - ...94e40aa-8c85-43de-825e-15f665375ee8_9.json | 1 - .../9960432d-9b26-409f-972b-839a959e79e2.json | 1 - ...0432d-9b26-409f-972b-839a959e79e2_103.json | 1 - ...0432d-9b26-409f-972b-839a959e79e2_104.json | 1 - ...0432d-9b26-409f-972b-839a959e79e2_105.json | 1 - ...0432d-9b26-409f-972b-839a959e79e2_206.json | 1 - ...0432d-9b26-409f-972b-839a959e79e2_207.json | 1 - ...0432d-9b26-409f-972b-839a959e79e2_208.json | 1 - ...0432d-9b26-409f-972b-839a959e79e2_209.json | 1 - ...0432d-9b26-409f-972b-839a959e79e2_210.json | 1 - ...99565a2-fc52-4d72-91e4-ba6712c0377e_1.json | 1 - .../99dcf974-6587-4f65-9252-d866a3fdfd9c.json | 1 - ...cf974-6587-4f65-9252-d866a3fdfd9c_102.json | 1 - ...cf974-6587-4f65-9252-d866a3fdfd9c_103.json | 1 - ...cf974-6587-4f65-9252-d866a3fdfd9c_104.json | 1 - .../9a1a2dae-0b5f-4c3d-8305-a268d404c306.json | 1 - ...a2dae-0b5f-4c3d-8305-a268d404c306_101.json | 1 - ...a2dae-0b5f-4c3d-8305-a268d404c306_102.json | 1 - .../9a3884d0-282d-45ea-86ce-b9c81100f026.json | 1 - ...a3884d0-282d-45ea-86ce-b9c81100f026_1.json | 1 - ...a3884d0-282d-45ea-86ce-b9c81100f026_2.json | 1 - .../9a3a3689-8ed1-4cdb-83fb-9506db54c61f.json | 1 - ...a3689-8ed1-4cdb-83fb-9506db54c61f_105.json | 1 - 
...a3689-8ed1-4cdb-83fb-9506db54c61f_106.json | 1 - ...a3689-8ed1-4cdb-83fb-9506db54c61f_107.json | 1 - ...a3689-8ed1-4cdb-83fb-9506db54c61f_108.json | 1 - ...a3689-8ed1-4cdb-83fb-9506db54c61f_208.json | 1 - ...a3a3689-8ed1-4cdb-83fb-9506db54c61f_4.json | 1 - ...a3a3689-8ed1-4cdb-83fb-9506db54c61f_5.json | 1 - .../9a5b4e31-6cde-4295-9ff7-6be1b8567e1b.json | 1 - ...b4e31-6cde-4295-9ff7-6be1b8567e1b_103.json | 1 - ...b4e31-6cde-4295-9ff7-6be1b8567e1b_104.json | 1 - ...b4e31-6cde-4295-9ff7-6be1b8567e1b_105.json | 1 - ...b4e31-6cde-4295-9ff7-6be1b8567e1b_106.json | 1 - ...b4e31-6cde-4295-9ff7-6be1b8567e1b_107.json | 1 - ...b4e31-6cde-4295-9ff7-6be1b8567e1b_108.json | 1 - ...b4e31-6cde-4295-9ff7-6be1b8567e1b_109.json | 1 - .../9aa0e1f6-52ce-42e1-abb3-09657cee2698.json | 1 - ...0e1f6-52ce-42e1-abb3-09657cee2698_103.json | 1 - ...0e1f6-52ce-42e1-abb3-09657cee2698_104.json | 1 - ...0e1f6-52ce-42e1-abb3-09657cee2698_105.json | 1 - ...0e1f6-52ce-42e1-abb3-09657cee2698_106.json | 1 - ...0e1f6-52ce-42e1-abb3-09657cee2698_107.json | 1 - ...0e1f6-52ce-42e1-abb3-09657cee2698_108.json | 1 - ...0e1f6-52ce-42e1-abb3-09657cee2698_109.json | 1 - ...0e1f6-52ce-42e1-abb3-09657cee2698_110.json | 1 - .../9aa4be8d-5828-417d-9f54-7cd304571b24.json | 1 - ...aa4be8d-5828-417d-9f54-7cd304571b24_1.json | 1 - ...aa4be8d-5828-417d-9f54-7cd304571b24_2.json | 1 - ...aa4be8d-5828-417d-9f54-7cd304571b24_3.json | 1 - .../9b343b62-d173-4cfd-bd8b-e6379f964ca4.json | 1 - ...b343b62-d173-4cfd-bd8b-e6379f964ca4_1.json | 1 - ...43b62-d173-4cfd-bd8b-e6379f964ca4_105.json | 78 ++++++++++ ...b343b62-d173-4cfd-bd8b-e6379f964ca4_2.json | 1 - ...b343b62-d173-4cfd-bd8b-e6379f964ca4_3.json | 1 - .../9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c.json | 1 - ...813a1-daf1-457e-b0e6-0bb4e55b8a4c_104.json | 1 - ...813a1-daf1-457e-b0e6-0bb4e55b8a4c_105.json | 1 - ...813a1-daf1-457e-b0e6-0bb4e55b8a4c_106.json | 1 - ...813a1-daf1-457e-b0e6-0bb4e55b8a4c_107.json | 1 - ...813a1-daf1-457e-b0e6-0bb4e55b8a4c_108.json | 1 - 
...813a1-daf1-457e-b0e6-0bb4e55b8a4c_109.json | 1 - ...813a1-daf1-457e-b0e6-0bb4e55b8a4c_110.json | 1 - ...813a1-daf1-457e-b0e6-0bb4e55b8a4c_111.json | 1 - ...813a1-daf1-457e-b0e6-0bb4e55b8a4c_112.json | 1 - ...813a1-daf1-457e-b0e6-0bb4e55b8a4c_312.json | 1 - .../9b80cb26-9966-44b5-abbf-764fbdbc3586.json | 1 - ...b80cb26-9966-44b5-abbf-764fbdbc3586_1.json | 1 - ...b80cb26-9966-44b5-abbf-764fbdbc3586_2.json | 1 - ...b80cb26-9966-44b5-abbf-764fbdbc3586_3.json | 1 - .../9c260313-c811-4ec8-ab89-8f6530e0246c.json | 1 - ...60313-c811-4ec8-ab89-8f6530e0246c_103.json | 1 - ...60313-c811-4ec8-ab89-8f6530e0246c_104.json | 1 - ...60313-c811-4ec8-ab89-8f6530e0246c_105.json | 1 - ...60313-c811-4ec8-ab89-8f6530e0246c_106.json | 1 - ...60313-c811-4ec8-ab89-8f6530e0246c_107.json | 1 - ...60313-c811-4ec8-ab89-8f6530e0246c_108.json | 1 - ...60313-c811-4ec8-ab89-8f6530e0246c_109.json | 1 - .../9c865691-5599-447a-bac9-b3f2df5f9a9d.json | 1 - ...c865691-5599-447a-bac9-b3f2df5f9a9d_4.json | 1 - ...c865691-5599-447a-bac9-b3f2df5f9a9d_5.json | 1 - ...c865691-5599-447a-bac9-b3f2df5f9a9d_6.json | 1 - ...c865691-5599-447a-bac9-b3f2df5f9a9d_7.json | 1 - ...c865691-5599-447a-bac9-b3f2df5f9a9d_8.json | 1 - ...c865691-5599-447a-bac9-b3f2df5f9a9d_9.json | 1 - .../9c951837-7d13-4b0c-be7a-f346623c8795.json | 1 - ...c951837-7d13-4b0c-be7a-f346623c8795_1.json | 1 - .../9ccf3ce0-0057-440a-91f5-870c6ad39093.json | 1 - ...f3ce0-0057-440a-91f5-870c6ad39093_104.json | 1 - ...f3ce0-0057-440a-91f5-870c6ad39093_105.json | 1 - ...f3ce0-0057-440a-91f5-870c6ad39093_106.json | 1 - ...f3ce0-0057-440a-91f5-870c6ad39093_107.json | 1 - ...f3ce0-0057-440a-91f5-870c6ad39093_108.json | 1 - ...f3ce0-0057-440a-91f5-870c6ad39093_109.json | 1 - ...f3ce0-0057-440a-91f5-870c6ad39093_110.json | 1 - .../9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae2_103.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae2_104.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae2_105.json | 1 - 
...10cb3-5f4b-4c9a-b9f5-53f0a1707ae2_205.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae2_206.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae2_207.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae2_208.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae2_209.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae2_210.json | 1 - .../9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae3_104.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae3_105.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae3_106.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae3_107.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae3_108.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae3_109.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae3_110.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae3_111.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae3_311.json | 1 - .../9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae4_104.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae4_105.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae4_106.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae4_107.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae4_108.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae4_109.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae4_110.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae4_111.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae4_112.json | 1 - .../9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae5_104.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae5_105.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae5_106.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae5_107.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae5_108.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae5_109.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae5_110.json | 1 - .../9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae6_104.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae6_105.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae6_106.json | 1 - 
...10cb3-5f4b-4c9a-b9f5-53f0a1707ae6_206.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae6_207.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae6_208.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae6_209.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae6_210.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae6_211.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae6_212.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae6_213.json | 1 - .../9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae9_103.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae9_104.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae9_105.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae9_106.json | 1 - ...10cb3-5f4b-4c9a-b9f5-53f0a1707ae9_107.json | 1 - .../9d19ece6-c20e-481a-90c5-ccca596537de.json | 1 - ...9ece6-c20e-481a-90c5-ccca596537de_102.json | 1 - ...9ece6-c20e-481a-90c5-ccca596537de_103.json | 1 - ...9ece6-c20e-481a-90c5-ccca596537de_104.json | 1 - ...9ece6-c20e-481a-90c5-ccca596537de_105.json | 1 - .../9d302377-d226-4e12-b54c-1906b5aec4f6.json | 1 - ...02377-d226-4e12-b54c-1906b5aec4f6_101.json | 1 - ...02377-d226-4e12-b54c-1906b5aec4f6_102.json | 1 - ...02377-d226-4e12-b54c-1906b5aec4f6_103.json | 1 - .../9efb3f79-b77b-466a-9fa0-3645d22d1e7f.json | 1 - ...efb3f79-b77b-466a-9fa0-3645d22d1e7f_1.json | 1 - .../9f1c4ca3-44b5-481d-ba42-32dc215a2769.json | 1 - ...c4ca3-44b5-481d-ba42-32dc215a2769_103.json | 1 - ...c4ca3-44b5-481d-ba42-32dc215a2769_104.json | 1 - ...c4ca3-44b5-481d-ba42-32dc215a2769_105.json | 1 - ...c4ca3-44b5-481d-ba42-32dc215a2769_106.json | 1 - ...c4ca3-44b5-481d-ba42-32dc215a2769_107.json | 1 - ...c4ca3-44b5-481d-ba42-32dc215a2769_108.json | 1 - ...c4ca3-44b5-481d-ba42-32dc215a2769_109.json | 1 - .../9f962927-1a4f-45f3-a57b-287f2c7029c1.json | 1 - ...62927-1a4f-45f3-a57b-287f2c7029c1_105.json | 1 - ...62927-1a4f-45f3-a57b-287f2c7029c1_106.json | 1 - ...62927-1a4f-45f3-a57b-287f2c7029c1_107.json | 1 - ...62927-1a4f-45f3-a57b-287f2c7029c1_108.json | 1 - 
...62927-1a4f-45f3-a57b-287f2c7029c1_109.json | 1 - ...62927-1a4f-45f3-a57b-287f2c7029c1_110.json | 1 - ...62927-1a4f-45f3-a57b-287f2c7029c1_111.json | 1 - ...62927-1a4f-45f3-a57b-287f2c7029c1_112.json | 1 - ...62927-1a4f-45f3-a57b-287f2c7029c1_113.json | 1 - ...62927-1a4f-45f3-a57b-287f2c7029c1_114.json | 1 - ...62927-1a4f-45f3-a57b-287f2c7029c1_115.json | 1 - .../9f9a2a82-93a8-4b1a-8778-1780895626d4.json | 1 - ...a2a82-93a8-4b1a-8778-1780895626d4_102.json | 1 - ...a2a82-93a8-4b1a-8778-1780895626d4_103.json | 1 - ...a2a82-93a8-4b1a-8778-1780895626d4_104.json | 1 - ...a2a82-93a8-4b1a-8778-1780895626d4_105.json | 1 - ...a2a82-93a8-4b1a-8778-1780895626d4_206.json | 1 - ...a2a82-93a8-4b1a-8778-1780895626d4_207.json | 1 - ...a2a82-93a8-4b1a-8778-1780895626d4_208.json | 1 - ...a2a82-93a8-4b1a-8778-1780895626d4_209.json | 1 - ...a2a82-93a8-4b1a-8778-1780895626d4_210.json | 1 - .../a00681e3-9ed6-447c-ab2c-be648821c622.json | 1 - ...681e3-9ed6-447c-ab2c-be648821c622_105.json | 1 - ...681e3-9ed6-447c-ab2c-be648821c622_205.json | 1 - ...681e3-9ed6-447c-ab2c-be648821c622_206.json | 1 - ...681e3-9ed6-447c-ab2c-be648821c622_207.json | 1 - ...681e3-9ed6-447c-ab2c-be648821c622_308.json | 1 - ...681e3-9ed6-447c-ab2c-be648821c622_309.json | 1 - ...681e3-9ed6-447c-ab2c-be648821c622_310.json | 1 - ...681e3-9ed6-447c-ab2c-be648821c622_311.json | 1 - .../a02cb68e-7c93-48d1-93b2-2c39023308eb.json | 1 - ...02cb68e-7c93-48d1-93b2-2c39023308eb_5.json | 1 - ...02cb68e-7c93-48d1-93b2-2c39023308eb_6.json | 1 - ...02cb68e-7c93-48d1-93b2-2c39023308eb_7.json | 1 - ...02cb68e-7c93-48d1-93b2-2c39023308eb_8.json | 1 - ...02cb68e-7c93-48d1-93b2-2c39023308eb_9.json | 1 - .../a0ddb77b-0318-41f0-91e4-8c1b5528834f.json | 1 - ...0ddb77b-0318-41f0-91e4-8c1b5528834f_1.json | 1 - ...0ddb77b-0318-41f0-91e4-8c1b5528834f_2.json | 1 - .../a10d3d9d-0f65-48f1-8b25-af175e2594f5.json | 1 - ...d3d9d-0f65-48f1-8b25-af175e2594f5_104.json | 1 - .../a13167f1-eec2-4015-9631-1fee60406dcf.json | 1 - 
...167f1-eec2-4015-9631-1fee60406dcf_103.json | 1 - ...167f1-eec2-4015-9631-1fee60406dcf_104.json | 1 - ...167f1-eec2-4015-9631-1fee60406dcf_105.json | 1 - ...167f1-eec2-4015-9631-1fee60406dcf_106.json | 1 - ...167f1-eec2-4015-9631-1fee60406dcf_107.json | 1 - .../a1329140-8de3-4445-9f87-908fb6d824f4.json | 1 - ...29140-8de3-4445-9f87-908fb6d824f4_103.json | 1 - ...29140-8de3-4445-9f87-908fb6d824f4_104.json | 1 - ...29140-8de3-4445-9f87-908fb6d824f4_105.json | 1 - ...29140-8de3-4445-9f87-908fb6d824f4_106.json | 1 - ...29140-8de3-4445-9f87-908fb6d824f4_107.json | 1 - ...29140-8de3-4445-9f87-908fb6d824f4_108.json | 1 - .../a16612dd-b30e-4d41-86a0-ebe70974ec00.json | 1 - ...612dd-b30e-4d41-86a0-ebe70974ec00_103.json | 1 - ...612dd-b30e-4d41-86a0-ebe70974ec00_104.json | 1 - ...612dd-b30e-4d41-86a0-ebe70974ec00_105.json | 1 - ...612dd-b30e-4d41-86a0-ebe70974ec00_106.json | 1 - ...612dd-b30e-4d41-86a0-ebe70974ec00_107.json | 1 - ...612dd-b30e-4d41-86a0-ebe70974ec00_207.json | 1 - .../a1699af0-8e1e-4ed0-8ec1-89783538a061.json | 1 - ...1699af0-8e1e-4ed0-8ec1-89783538a061_2.json | 1 - ...1699af0-8e1e-4ed0-8ec1-89783538a061_3.json | 1 - ...1699af0-8e1e-4ed0-8ec1-89783538a061_4.json | 1 - ...1699af0-8e1e-4ed0-8ec1-89783538a061_5.json | 1 - ...1699af0-8e1e-4ed0-8ec1-89783538a061_6.json | 1 - ...1699af0-8e1e-4ed0-8ec1-89783538a061_7.json | 1 - ...1699af0-8e1e-4ed0-8ec1-89783538a061_8.json | 1 - .../a17bcc91-297b-459b-b5ce-bc7460d8f82a.json | 1 - ...bcc91-297b-459b-b5ce-bc7460d8f82a_103.json | 1 - .../a198fbbd-9413-45ec-a269-47ae4ccf59ce.json | 1 - ...198fbbd-9413-45ec-a269-47ae4ccf59ce_1.json | 1 - ...198fbbd-9413-45ec-a269-47ae4ccf59ce_2.json | 1 - .../a1a0375f-22c2-48c0-81a4-7c2d11cc6856.json | 1 - ...0375f-22c2-48c0-81a4-7c2d11cc6856_103.json | 1 - ...0375f-22c2-48c0-81a4-7c2d11cc6856_104.json | 1 - ...0375f-22c2-48c0-81a4-7c2d11cc6856_105.json | 1 - ...0375f-22c2-48c0-81a4-7c2d11cc6856_106.json | 1 - ...0375f-22c2-48c0-81a4-7c2d11cc6856_107.json | 1 - 
...0375f-22c2-48c0-81a4-7c2d11cc6856_108.json | 1 - .../a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f.json | 1 - ...1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_1.json | 1 - ...1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_2.json | 1 - ...1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_3.json | 1 - ...1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_4.json | 1 - ...1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_5.json | 1 - .../a22a09c2-2162-4df0-a356-9aacbeb56a04.json | 1 - ...a09c2-2162-4df0-a356-9aacbeb56a04_103.json | 1 - ...a09c2-2162-4df0-a356-9aacbeb56a04_104.json | 1 - ...a09c2-2162-4df0-a356-9aacbeb56a04_105.json | 1 - ...a09c2-2162-4df0-a356-9aacbeb56a04_106.json | 1 - ...a09c2-2162-4df0-a356-9aacbeb56a04_107.json | 1 - ...a09c2-2162-4df0-a356-9aacbeb56a04_108.json | 1 - ...a09c2-2162-4df0-a356-9aacbeb56a04_109.json | 1 - ...a09c2-2162-4df0-a356-9aacbeb56a04_110.json | 1 - ...a09c2-2162-4df0-a356-9aacbeb56a04_111.json | 1 - .../a2795334-2499-11ed-9e1a-f661ea17fbce.json | 1 - ...95334-2499-11ed-9e1a-f661ea17fbce_104.json | 1 - ...95334-2499-11ed-9e1a-f661ea17fbce_105.json | 1 - ...95334-2499-11ed-9e1a-f661ea17fbce_106.json | 1 - ...95334-2499-11ed-9e1a-f661ea17fbce_107.json | 1 - .../a2d04374-187c-4fd9-b513-3ad4e7fdd67a.json | 1 - ...2d04374-187c-4fd9-b513-3ad4e7fdd67a_2.json | 1 - ...2d04374-187c-4fd9-b513-3ad4e7fdd67a_3.json | 1 - ...2d04374-187c-4fd9-b513-3ad4e7fdd67a_4.json | 1 - ...2d04374-187c-4fd9-b513-3ad4e7fdd67a_5.json | 1 - ...2d04374-187c-4fd9-b513-3ad4e7fdd67a_6.json | 1 - ...2d04374-187c-4fd9-b513-3ad4e7fdd67a_7.json | 1 - ...2d04374-187c-4fd9-b513-3ad4e7fdd67a_8.json | 1 - .../a3ea12f3-0d4e-4667-8b44-4230c63f3c75.json | 1 - ...a12f3-0d4e-4667-8b44-4230c63f3c75_103.json | 1 - ...a12f3-0d4e-4667-8b44-4230c63f3c75_104.json | 1 - ...a12f3-0d4e-4667-8b44-4230c63f3c75_105.json | 1 - ...a12f3-0d4e-4667-8b44-4230c63f3c75_106.json | 1 - ...a12f3-0d4e-4667-8b44-4230c63f3c75_107.json | 1 - ...a12f3-0d4e-4667-8b44-4230c63f3c75_108.json | 1 - .../a44bcb58-5109-4870-a7c6-11f5fe7dd4b1.json | 1 - 
...44bcb58-5109-4870-a7c6-11f5fe7dd4b1_1.json | 1 - .../a4c7473a-5cb4-4bc1-9d06-e4a75adbc494.json | 1 - ...7473a-5cb4-4bc1-9d06-e4a75adbc494_104.json | 1 - ...7473a-5cb4-4bc1-9d06-e4a75adbc494_105.json | 1 - ...7473a-5cb4-4bc1-9d06-e4a75adbc494_106.json | 1 - ...7473a-5cb4-4bc1-9d06-e4a75adbc494_107.json | 1 - ...7473a-5cb4-4bc1-9d06-e4a75adbc494_108.json | 1 - .../a52a9439-d52c-401c-be37-2785235c6547.json | 1 - ...52a9439-d52c-401c-be37-2785235c6547_1.json | 1 - .../a577e524-c2ee-47bd-9c5b-e917d01d3276.json | 1 - ...577e524-c2ee-47bd-9c5b-e917d01d3276_1.json | 1 - .../a5eb21b7-13cc-4b94-9fe2-29bb2914e037.json | 1 - ...5eb21b7-13cc-4b94-9fe2-29bb2914e037_1.json | 1 - ...5eb21b7-13cc-4b94-9fe2-29bb2914e037_2.json | 1 - ...5eb21b7-13cc-4b94-9fe2-29bb2914e037_3.json | 1 - ...5eb21b7-13cc-4b94-9fe2-29bb2914e037_4.json | 1 - ...5eb21b7-13cc-4b94-9fe2-29bb2914e037_5.json | 1 - ...5eb21b7-13cc-4b94-9fe2-29bb2914e037_6.json | 1 - .../a60326d7-dca7-4fb7-93eb-1ca03a1febbd.json | 1 - ...326d7-dca7-4fb7-93eb-1ca03a1febbd_105.json | 1 - ...326d7-dca7-4fb7-93eb-1ca03a1febbd_106.json | 1 - ...326d7-dca7-4fb7-93eb-1ca03a1febbd_107.json | 1 - ...326d7-dca7-4fb7-93eb-1ca03a1febbd_208.json | 1 - .../a605c51a-73ad-406d-bf3a-f24cc41d5c97.json | 1 - ...5c51a-73ad-406d-bf3a-f24cc41d5c97_104.json | 1 - .../a61809f3-fb5b-465c-8bff-23a8a068ac60.json | 1 - ...61809f3-fb5b-465c-8bff-23a8a068ac60_1.json | 1 - ...61809f3-fb5b-465c-8bff-23a8a068ac60_2.json | 1 - ...61809f3-fb5b-465c-8bff-23a8a068ac60_3.json | 1 - ...61809f3-fb5b-465c-8bff-23a8a068ac60_4.json | 1 - ...61809f3-fb5b-465c-8bff-23a8a068ac60_5.json | 1 - ...61809f3-fb5b-465c-8bff-23a8a068ac60_6.json | 1 - .../a624863f-a70d-417f-a7d2-7a404638d47f.json | 1 - ...4863f-a70d-417f-a7d2-7a404638d47f_105.json | 1 - ...4863f-a70d-417f-a7d2-7a404638d47f_106.json | 1 - ...4863f-a70d-417f-a7d2-7a404638d47f_107.json | 1 - ...4863f-a70d-417f-a7d2-7a404638d47f_108.json | 1 - ...4863f-a70d-417f-a7d2-7a404638d47f_109.json | 1 - 
...4863f-a70d-417f-a7d2-7a404638d47f_110.json | 1 - ...4863f-a70d-417f-a7d2-7a404638d47f_111.json | 1 - ...4863f-a70d-417f-a7d2-7a404638d47f_112.json | 1 - ...4863f-a70d-417f-a7d2-7a404638d47f_113.json | 1 - ...4863f-a70d-417f-a7d2-7a404638d47f_313.json | 1 - .../a6788d4b-b241-4bf0-8986-a3b4315c5b70.json | 1 - .../a6bf4dd4-743e-4da8-8c03-3ebd753a6c90.json | 1 - ...f4dd4-743e-4da8-8c03-3ebd753a6c90_102.json | 1 - ...f4dd4-743e-4da8-8c03-3ebd753a6c90_103.json | 1 - ...f4dd4-743e-4da8-8c03-3ebd753a6c90_104.json | 1 - ...f4dd4-743e-4da8-8c03-3ebd753a6c90_105.json | 1 - ...f4dd4-743e-4da8-8c03-3ebd753a6c90_106.json | 1 - .../a74c60cb-70ee-4629-a127-608ead14ebf1.json | 1 - ...74c60cb-70ee-4629-a127-608ead14ebf1_1.json | 1 - ...74c60cb-70ee-4629-a127-608ead14ebf1_2.json | 1 - ...74c60cb-70ee-4629-a127-608ead14ebf1_3.json | 1 - .../a7ccae7b-9d2c-44b2-a061-98e5946971fa.json | 1 - ...cae7b-9d2c-44b2-a061-98e5946971fa_104.json | 1 - ...cae7b-9d2c-44b2-a061-98e5946971fa_105.json | 1 - ...cae7b-9d2c-44b2-a061-98e5946971fa_106.json | 1 - ...cae7b-9d2c-44b2-a061-98e5946971fa_107.json | 1 - ...cae7b-9d2c-44b2-a061-98e5946971fa_108.json | 1 - ...cae7b-9d2c-44b2-a061-98e5946971fa_109.json | 1 - ...cae7b-9d2c-44b2-a061-98e5946971fa_110.json | 1 - ...cae7b-9d2c-44b2-a061-98e5946971fa_111.json | 1 - ...cae7b-9d2c-44b2-a061-98e5946971fa_112.json | 1 - .../a7e7bfa3-088e-4f13-b29e-3986e0e756b8.json | 1 - ...7bfa3-088e-4f13-b29e-3986e0e756b8_104.json | 1 - ...7bfa3-088e-4f13-b29e-3986e0e756b8_105.json | 1 - ...7bfa3-088e-4f13-b29e-3986e0e756b8_106.json | 1 - ...7bfa3-088e-4f13-b29e-3986e0e756b8_107.json | 1 - ...7bfa3-088e-4f13-b29e-3986e0e756b8_108.json | 1 - ...7bfa3-088e-4f13-b29e-3986e0e756b8_109.json | 1 - ...7bfa3-088e-4f13-b29e-3986e0e756b8_110.json | 1 - ...7bfa3-088e-4f13-b29e-3986e0e756b8_111.json | 1 - ...7bfa3-088e-4f13-b29e-3986e0e756b8_311.json | 1 - .../a80d96cd-1164-41b3-9852-ef58724be496.json | 1 - ...80d96cd-1164-41b3-9852-ef58724be496_1.json | 1 - 
.../a83b3dac-325a-11ef-b3e6-f661ea17fbce.json | 1 - .../a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e.json | 1 - ...a4e42-1d82-44bd-b0bf-d9b7f91fb89e_101.json | 1 - .../a8aaa49d-9834-462d-bf8f-b1255cebc004.json | 1 - .../a8afdce2-0ec1-11ee-b843-f661ea17fbcd.json | 1 - ...8afdce2-0ec1-11ee-b843-f661ea17fbcd_1.json | 1 - ...8afdce2-0ec1-11ee-b843-f661ea17fbcd_2.json | 1 - ...8afdce2-0ec1-11ee-b843-f661ea17fbcd_3.json | 1 - .../a8d35ca0-ad8d-48a9-9f6c-553622dca61a.json | 1 - ...8d35ca0-ad8d-48a9-9f6c-553622dca61a_1.json | 1 - ...8d35ca0-ad8d-48a9-9f6c-553622dca61a_2.json | 1 - ...8d35ca0-ad8d-48a9-9f6c-553622dca61a_3.json | 1 - .../a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2.json | 1 - ...9fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_101.json | 1 - ...9fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_102.json | 1 - ...9fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_103.json | 1 - ...9fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_105.json | 1 - .../a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73.json | 1 - ...f82f5-8e77-4f8b-b3ce-10c0f6afbc73_203.json | 1 - ...f82f5-8e77-4f8b-b3ce-10c0f6afbc73_204.json | 1 - ...f82f5-8e77-4f8b-b3ce-10c0f6afbc73_205.json | 1 - .../a9b05c3b-b304-4bf9-970d-acdfaef2944c.json | 1 - ...05c3b-b304-4bf9-970d-acdfaef2944c_102.json | 1 - ...05c3b-b304-4bf9-970d-acdfaef2944c_103.json | 1 - ...05c3b-b304-4bf9-970d-acdfaef2944c_104.json | 1 - ...05c3b-b304-4bf9-970d-acdfaef2944c_105.json | 1 - ...05c3b-b304-4bf9-970d-acdfaef2944c_106.json | 1 - ...05c3b-b304-4bf9-970d-acdfaef2944c_107.json | 1 - ...05c3b-b304-4bf9-970d-acdfaef2944c_108.json | 1 - ...05c3b-b304-4bf9-970d-acdfaef2944c_109.json | 1 - .../a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7.json | 1 - ...b3641-ff4b-4cdc-a063-b4b8d02a67c7_101.json | 1 - ...b3641-ff4b-4cdc-a063-b4b8d02a67c7_102.json | 1 - ...b3641-ff4b-4cdc-a063-b4b8d02a67c7_103.json | 1 - ...b3641-ff4b-4cdc-a063-b4b8d02a67c7_104.json | 1 - .../aa8007f0-d1df-49ef-8520-407857594827.json | 1 - ...007f0-d1df-49ef-8520-407857594827_103.json | 1 - .../aa895aea-b69c-4411-b110-8d7599634b30.json | 1 - 
...95aea-b69c-4411-b110-8d7599634b30_104.json | 1 - ...95aea-b69c-4411-b110-8d7599634b30_105.json | 1 - ...95aea-b69c-4411-b110-8d7599634b30_106.json | 1 - ...95aea-b69c-4411-b110-8d7599634b30_107.json | 1 - ...95aea-b69c-4411-b110-8d7599634b30_108.json | 1 - ...95aea-b69c-4411-b110-8d7599634b30_109.json | 1 - ...95aea-b69c-4411-b110-8d7599634b30_110.json | 1 - ...95aea-b69c-4411-b110-8d7599634b30_111.json | 1 - .../aa9a274d-6b53-424d-ac5e-cb8ca4251650.json | 1 - ...a274d-6b53-424d-ac5e-cb8ca4251650_104.json | 1 - ...a274d-6b53-424d-ac5e-cb8ca4251650_105.json | 1 - ...a274d-6b53-424d-ac5e-cb8ca4251650_106.json | 1 - ...a274d-6b53-424d-ac5e-cb8ca4251650_107.json | 1 - ...a274d-6b53-424d-ac5e-cb8ca4251650_108.json | 1 - ...a274d-6b53-424d-ac5e-cb8ca4251650_109.json | 1 - ...a274d-6b53-424d-ac5e-cb8ca4251650_110.json | 1 - ...a274d-6b53-424d-ac5e-cb8ca4251650_111.json | 1 - ...a274d-6b53-424d-ac5e-cb8ca4251650_112.json | 1 - ...a274d-6b53-424d-ac5e-cb8ca4251650_113.json | 1 - .../aaab30ec-b004-4191-95e1-4a14387ef6a6.json | 1 - ...aab30ec-b004-4191-95e1-4a14387ef6a6_1.json | 1 - .../aab184d3-72b3-4639-b242-6597c99d8bca.json | 1 - ...ab184d3-72b3-4639-b242-6597c99d8bca_1.json | 1 - ...ab184d3-72b3-4639-b242-6597c99d8bca_2.json | 1 - ...ab184d3-72b3-4639-b242-6597c99d8bca_3.json | 1 - ...ab184d3-72b3-4639-b242-6597c99d8bca_4.json | 1 - ...ab184d3-72b3-4639-b242-6597c99d8bca_5.json | 1 - ...ab184d3-72b3-4639-b242-6597c99d8bca_6.json | 1 - ...ab184d3-72b3-4639-b242-6597c99d8bca_7.json | 1 - .../ab75c24b-2502-43a0-bf7c-e60e662c811e.json | 1 - ...5c24b-2502-43a0-bf7c-e60e662c811e_104.json | 1 - ...5c24b-2502-43a0-bf7c-e60e662c811e_105.json | 1 - ...5c24b-2502-43a0-bf7c-e60e662c811e_106.json | 1 - ...5c24b-2502-43a0-bf7c-e60e662c811e_107.json | 1 - ...5c24b-2502-43a0-bf7c-e60e662c811e_108.json | 1 - ...5c24b-2502-43a0-bf7c-e60e662c811e_109.json | 1 - ...5c24b-2502-43a0-bf7c-e60e662c811e_110.json | 1 - ...5c24b-2502-43a0-bf7c-e60e662c811e_111.json | 1 - 
...5c24b-2502-43a0-bf7c-e60e662c811e_112.json | 1 - ...5c24b-2502-43a0-bf7c-e60e662c811e_113.json | 1 - .../ab8f074c-5565-4bc4-991c-d49770e19fc9.json | 1 - ...b8f074c-5565-4bc4-991c-d49770e19fc9_1.json | 1 - .../abae61a8-c560-4dbd-acca-1e1438bff36b.json | 1 - ...e61a8-c560-4dbd-acca-1e1438bff36b_101.json | 1 - ...e61a8-c560-4dbd-acca-1e1438bff36b_102.json | 1 - ...e61a8-c560-4dbd-acca-1e1438bff36b_103.json | 1 - ...e61a8-c560-4dbd-acca-1e1438bff36b_104.json | 1 - ...e61a8-c560-4dbd-acca-1e1438bff36b_105.json | 1 - .../ac412404-57a5-476f-858f-4e8fbb4f48d8.json | 1 - ...12404-57a5-476f-858f-4e8fbb4f48d8_103.json | 1 - ...12404-57a5-476f-858f-4e8fbb4f48d8_104.json | 1 - ...12404-57a5-476f-858f-4e8fbb4f48d8_105.json | 1 - ...12404-57a5-476f-858f-4e8fbb4f48d8_106.json | 1 - ...12404-57a5-476f-858f-4e8fbb4f48d8_107.json | 1 - .../ac5012b8-8da8-440b-aaaf-aedafdea2dff.json | 1 - ...012b8-8da8-440b-aaaf-aedafdea2dff_105.json | 1 - ...012b8-8da8-440b-aaaf-aedafdea2dff_106.json | 1 - ...012b8-8da8-440b-aaaf-aedafdea2dff_107.json | 1 - ...012b8-8da8-440b-aaaf-aedafdea2dff_108.json | 1 - ...012b8-8da8-440b-aaaf-aedafdea2dff_109.json | 1 - ...012b8-8da8-440b-aaaf-aedafdea2dff_110.json | 1 - ...012b8-8da8-440b-aaaf-aedafdea2dff_111.json | 1 - ...012b8-8da8-440b-aaaf-aedafdea2dff_112.json | 1 - ...012b8-8da8-440b-aaaf-aedafdea2dff_213.json | 1 - ...012b8-8da8-440b-aaaf-aedafdea2dff_314.json | 1 - .../ac531fcc-1d3b-476d-bbb5-1357728c9a37.json | 1 - ...c531fcc-1d3b-476d-bbb5-1357728c9a37_1.json | 1 - ...c531fcc-1d3b-476d-bbb5-1357728c9a37_2.json | 1 - .../ac5a2759-5c34-440a-b0c4-51fe674611d6.json | 1 - ...c5a2759-5c34-440a-b0c4-51fe674611d6_1.json | 1 - ...c6bc744-e82b-41ad-b58d-90654fa4ebfb_1.json | 1 - .../ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1.json | 1 - ...06eae-d5ec-4b14-b4fd-e8ba8086f0e1_104.json | 1 - ...06eae-d5ec-4b14-b4fd-e8ba8086f0e1_105.json | 1 - ...06eae-d5ec-4b14-b4fd-e8ba8086f0e1_106.json | 1 - ...06eae-d5ec-4b14-b4fd-e8ba8086f0e1_107.json | 1 - 
...06eae-d5ec-4b14-b4fd-e8ba8086f0e1_208.json | 1 - .../ac8805f6-1e08-406c-962e-3937057fa86f.json | 1 - ...c8805f6-1e08-406c-962e-3937057fa86f_1.json | 1 - ...c8805f6-1e08-406c-962e-3937057fa86f_2.json | 1 - ...c8805f6-1e08-406c-962e-3937057fa86f_3.json | 1 - ...c8805f6-1e08-406c-962e-3937057fa86f_4.json | 1 - ...c8805f6-1e08-406c-962e-3937057fa86f_5.json | 1 - .../ac96ceb8-4399-4191-af1d-4feeac1f1f46.json | 1 - ...6ceb8-4399-4191-af1d-4feeac1f1f46_105.json | 1 - ...6ceb8-4399-4191-af1d-4feeac1f1f46_106.json | 1 - ...6ceb8-4399-4191-af1d-4feeac1f1f46_107.json | 1 - ...6ceb8-4399-4191-af1d-4feeac1f1f46_108.json | 1 - ...6ceb8-4399-4191-af1d-4feeac1f1f46_109.json | 1 - .../acbc8bb9-2486-49a8-8779-45fb5f9a93ee.json | 1 - ...c8bb9-2486-49a8-8779-45fb5f9a93ee_203.json | 1 - ...c8bb9-2486-49a8-8779-45fb5f9a93ee_204.json | 1 - ...c8bb9-2486-49a8-8779-45fb5f9a93ee_205.json | 1 - ...c8bb9-2486-49a8-8779-45fb5f9a93ee_206.json | 1 - .../acd611f3-2b93-47b3-a0a3-7723bcc46f6d.json | 1 - ...611f3-2b93-47b3-a0a3-7723bcc46f6d_102.json | 1 - ...611f3-2b93-47b3-a0a3-7723bcc46f6d_103.json | 1 - ...611f3-2b93-47b3-a0a3-7723bcc46f6d_104.json | 1 - ...611f3-2b93-47b3-a0a3-7723bcc46f6d_105.json | 1 - .../ace1e989-a541-44df-93a8-a8b0591b63c0.json | 1 - ...1e989-a541-44df-93a8-a8b0591b63c0_103.json | 1 - ...1e989-a541-44df-93a8-a8b0591b63c0_104.json | 1 - ...1e989-a541-44df-93a8-a8b0591b63c0_105.json | 1 - ...1e989-a541-44df-93a8-a8b0591b63c0_106.json | 1 - ...1e989-a541-44df-93a8-a8b0591b63c0_107.json | 1 - .../acf738b5-b5b2-4acc-bad9-1e18ee234f40.json | 1 - ...738b5-b5b2-4acc-bad9-1e18ee234f40_102.json | 1 - ...738b5-b5b2-4acc-bad9-1e18ee234f40_103.json | 1 - ...738b5-b5b2-4acc-bad9-1e18ee234f40_104.json | 1 - ...738b5-b5b2-4acc-bad9-1e18ee234f40_105.json | 1 - ...738b5-b5b2-4acc-bad9-1e18ee234f40_106.json | 1 - ...738b5-b5b2-4acc-bad9-1e18ee234f40_107.json | 1 - ...738b5-b5b2-4acc-bad9-1e18ee234f40_108.json | 1 - ...738b5-b5b2-4acc-bad9-1e18ee234f40_308.json | 1 - 
.../ad0d2742-9a49-11ec-8d6b-acde48001122.json | 1 - ...d2742-9a49-11ec-8d6b-acde48001122_104.json | 1 - ...d2742-9a49-11ec-8d6b-acde48001122_105.json | 1 - ...d2742-9a49-11ec-8d6b-acde48001122_106.json | 1 - ...d2742-9a49-11ec-8d6b-acde48001122_107.json | 1 - ...d2742-9a49-11ec-8d6b-acde48001122_108.json | 1 - ...d2742-9a49-11ec-8d6b-acde48001122_109.json | 1 - ...d2742-9a49-11ec-8d6b-acde48001122_309.json | 1 - .../ad3f2807-2b3e-47d7-b282-f84acbbe14be.json | 1 - ...f2807-2b3e-47d7-b282-f84acbbe14be_203.json | 1 - ...f2807-2b3e-47d7-b282-f84acbbe14be_204.json | 1 - ...f2807-2b3e-47d7-b282-f84acbbe14be_205.json | 1 - ...d5a3757-c872-4719-8c72-12d3f08db655_1.json | 1 - .../ad84d445-b1ce-4377-82d9-7c633f28bf9a.json | 1 - ...4d445-b1ce-4377-82d9-7c633f28bf9a_105.json | 1 - ...4d445-b1ce-4377-82d9-7c633f28bf9a_106.json | 1 - ...4d445-b1ce-4377-82d9-7c633f28bf9a_107.json | 1 - ...4d445-b1ce-4377-82d9-7c633f28bf9a_108.json | 1 - ...4d445-b1ce-4377-82d9-7c633f28bf9a_109.json | 1 - ...4d445-b1ce-4377-82d9-7c633f28bf9a_110.json | 1 - ...4d445-b1ce-4377-82d9-7c633f28bf9a_111.json | 1 - .../ad88231f-e2ab-491c-8fc6-64746da26cfe.json | 1 - ...8231f-e2ab-491c-8fc6-64746da26cfe_102.json | 1 - ...8231f-e2ab-491c-8fc6-64746da26cfe_103.json | 1 - ...8231f-e2ab-491c-8fc6-64746da26cfe_104.json | 1 - ...8231f-e2ab-491c-8fc6-64746da26cfe_105.json | 1 - .../ad959eeb-2b7b-4722-ba08-a45f6622f005.json | 1 - ...d959eeb-2b7b-4722-ba08-a45f6622f005_1.json | 1 - ...d959eeb-2b7b-4722-ba08-a45f6622f005_2.json | 1 - ...d959eeb-2b7b-4722-ba08-a45f6622f005_3.json | 1 - .../adb961e0-cb74-42a0-af9e-29fc41f88f5f.json | 1 - ...961e0-cb74-42a0-af9e-29fc41f88f5f_105.json | 1 - ...961e0-cb74-42a0-af9e-29fc41f88f5f_106.json | 1 - ...961e0-cb74-42a0-af9e-29fc41f88f5f_107.json | 1 - ...961e0-cb74-42a0-af9e-29fc41f88f5f_108.json | 1 - ...961e0-cb74-42a0-af9e-29fc41f88f5f_109.json | 1 - .../adbfa3ee-777e-4747-b6b0-7bd645f30880.json | 1 - ...dbfa3ee-777e-4747-b6b0-7bd645f30880_1.json | 1 - 
...dbfa3ee-777e-4747-b6b0-7bd645f30880_2.json | 1 - ...dbfa3ee-777e-4747-b6b0-7bd645f30880_3.json | 1 - ...dbfa3ee-777e-4747-b6b0-7bd645f30880_4.json | 1 - .../ae343298-97bc-47bc-9ea2-5f2ad831c16e.json | 1 - ...e343298-97bc-47bc-9ea2-5f2ad831c16e_1.json | 1 - ...e343298-97bc-47bc-9ea2-5f2ad831c16e_2.json | 1 - ...e343298-97bc-47bc-9ea2-5f2ad831c16e_3.json | 1 - ...e343298-97bc-47bc-9ea2-5f2ad831c16e_4.json | 1 - .../ae8a142c-6a1d-4918-bea7-0b617e99ecfa.json | 1 - ...e8a142c-6a1d-4918-bea7-0b617e99ecfa_1.json | 1 - ...e8a142c-6a1d-4918-bea7-0b617e99ecfa_2.json | 1 - ...e8a142c-6a1d-4918-bea7-0b617e99ecfa_3.json | 1 - ...e8a142c-6a1d-4918-bea7-0b617e99ecfa_4.json | 1 - ...e8a142c-6a1d-4918-bea7-0b617e99ecfa_5.json | 1 - .../aebaa51f-2a91-4f6a-850b-b601db2293f4.json | 1 - ...ebaa51f-2a91-4f6a-850b-b601db2293f4_1.json | 1 - ...ebaa51f-2a91-4f6a-850b-b601db2293f4_2.json | 1 - ...ebaa51f-2a91-4f6a-850b-b601db2293f4_3.json | 1 - ...ebaa51f-2a91-4f6a-850b-b601db2293f4_4.json | 1 - ...ebaa51f-2a91-4f6a-850b-b601db2293f4_5.json | 1 - ...ebaa51f-2a91-4f6a-850b-b601db2293f4_6.json | 1 - ...ebaa51f-2a91-4f6a-850b-b601db2293f4_7.json | 1 - ...ebaa51f-2a91-4f6a-850b-b601db2293f4_8.json | 1 - .../afa135c0-a365-43ab-aa35-fd86df314a47.json | 1 - ...fa135c0-a365-43ab-aa35-fd86df314a47_1.json | 1 - ...fa135c0-a365-43ab-aa35-fd86df314a47_2.json | 1 - ...fa135c0-a365-43ab-aa35-fd86df314a47_3.json | 1 - .../afcce5ad-65de-4ed2-8516-5e093d3ac99a.json | 1 - ...ce5ad-65de-4ed2-8516-5e093d3ac99a_103.json | 1 - ...ce5ad-65de-4ed2-8516-5e093d3ac99a_104.json | 1 - ...ce5ad-65de-4ed2-8516-5e093d3ac99a_105.json | 1 - ...ce5ad-65de-4ed2-8516-5e093d3ac99a_106.json | 1 - ...ce5ad-65de-4ed2-8516-5e093d3ac99a_107.json | 1 - ...ce5ad-65de-4ed2-8516-5e093d3ac99a_108.json | 1 - .../afd04601-12fc-4149-9b78-9c3f8fe45d39.json | 1 - ...fd04601-12fc-4149-9b78-9c3f8fe45d39_1.json | 1 - ...fd04601-12fc-4149-9b78-9c3f8fe45d39_2.json | 1 - ...fd04601-12fc-4149-9b78-9c3f8fe45d39_3.json | 1 - 
...fd04601-12fc-4149-9b78-9c3f8fe45d39_4.json | 1 - ...fd04601-12fc-4149-9b78-9c3f8fe45d39_5.json | 1 - .../afe6b0eb-dd9d-4922-b08a-1910124d524d.json | 1 - ...fe6b0eb-dd9d-4922-b08a-1910124d524d_1.json | 1 - ...fe6b0eb-dd9d-4922-b08a-1910124d524d_2.json | 1 - ...fe6b0eb-dd9d-4922-b08a-1910124d524d_3.json | 1 - ...fe6b0eb-dd9d-4922-b08a-1910124d524d_4.json | 1 - .../b0046934-486e-462f-9487-0d4cf9e429c6.json | 1 - ...46934-486e-462f-9487-0d4cf9e429c6_101.json | 1 - ...46934-486e-462f-9487-0d4cf9e429c6_102.json | 1 - ...46934-486e-462f-9487-0d4cf9e429c6_103.json | 1 - ...46934-486e-462f-9487-0d4cf9e429c6_104.json | 1 - ...46934-486e-462f-9487-0d4cf9e429c6_105.json | 1 - .../b00bcd89-000c-4425-b94c-716ef67762f6.json | 1 - ...bcd89-000c-4425-b94c-716ef67762f6_102.json | 1 - ...bcd89-000c-4425-b94c-716ef67762f6_103.json | 1 - ...bcd89-000c-4425-b94c-716ef67762f6_104.json | 1 - ...bcd89-000c-4425-b94c-716ef67762f6_105.json | 1 - .../b0638186-4f12-48ac-83d2-47e686d08e82.json | 1 - ...0638186-4f12-48ac-83d2-47e686d08e82_1.json | 1 - ...0638186-4f12-48ac-83d2-47e686d08e82_2.json | 1 - .../b1773d05-f349-45fb-9850-287b8f92f02d.json | 1 - ...1773d05-f349-45fb-9850-287b8f92f02d_1.json | 1 - ...1773d05-f349-45fb-9850-287b8f92f02d_2.json | 1 - .../b2318c71-5959-469a-a3ce-3a0768e63b9c.json | 1 - ...2318c71-5959-469a-a3ce-3a0768e63b9c_1.json | 1 - ...2318c71-5959-469a-a3ce-3a0768e63b9c_2.json | 1 - ...2318c71-5959-469a-a3ce-3a0768e63b9c_3.json | 1 - ...2318c71-5959-469a-a3ce-3a0768e63b9c_4.json | 1 - ...2318c71-5959-469a-a3ce-3a0768e63b9c_5.json | 1 - .../b240bfb8-26b7-4e5e-924e-218144a3fa71.json | 1 - ...0bfb8-26b7-4e5e-924e-218144a3fa71_101.json | 1 - ...0bfb8-26b7-4e5e-924e-218144a3fa71_102.json | 1 - ...0bfb8-26b7-4e5e-924e-218144a3fa71_103.json | 1 - .../b25a7df2-120a-4db2-bd3f-3e4b86b24bee.json | 1 - ...a7df2-120a-4db2-bd3f-3e4b86b24bee_104.json | 1 - ...a7df2-120a-4db2-bd3f-3e4b86b24bee_105.json | 1 - ...a7df2-120a-4db2-bd3f-3e4b86b24bee_106.json | 1 - 
...a7df2-120a-4db2-bd3f-3e4b86b24bee_107.json | 1 - ...a7df2-120a-4db2-bd3f-3e4b86b24bee_108.json | 1 - ...a7df2-120a-4db2-bd3f-3e4b86b24bee_109.json | 1 - ...a7df2-120a-4db2-bd3f-3e4b86b24bee_110.json | 1 - ...a7df2-120a-4db2-bd3f-3e4b86b24bee_111.json | 1 - ...a7df2-120a-4db2-bd3f-3e4b86b24bee_112.json | 1 - .../b2951150-658f-4a60-832f-a00d1e6c6745.json | 1 - ...51150-658f-4a60-832f-a00d1e6c6745_101.json | 1 - ...51150-658f-4a60-832f-a00d1e6c6745_102.json | 1 - ...51150-658f-4a60-832f-a00d1e6c6745_103.json | 1 - ...51150-658f-4a60-832f-a00d1e6c6745_105.json | 1 - .../b29ee2be-bf99-446c-ab1a-2dc0183394b8.json | 1 - ...ee2be-bf99-446c-ab1a-2dc0183394b8_102.json | 1 - ...ee2be-bf99-446c-ab1a-2dc0183394b8_103.json | 1 - ...ee2be-bf99-446c-ab1a-2dc0183394b8_104.json | 1 - ...ee2be-bf99-446c-ab1a-2dc0183394b8_105.json | 1 - ...ee2be-bf99-446c-ab1a-2dc0183394b8_106.json | 1 - ...ee2be-bf99-446c-ab1a-2dc0183394b8_107.json | 1 - ...ee2be-bf99-446c-ab1a-2dc0183394b8_108.json | 1 - .../b347b919-665f-4aac-b9e8-68369bf2340c.json | 1 - ...7b919-665f-4aac-b9e8-68369bf2340c_101.json | 1 - ...7b919-665f-4aac-b9e8-68369bf2340c_102.json | 1 - ...7b919-665f-4aac-b9e8-68369bf2340c_103.json | 1 - .../b36c99af-b944-4509-a523-7e0fad275be1.json | 1 - ...36c99af-b944-4509-a523-7e0fad275be1_1.json | 1 - .../b41a13c6-ba45-4bab-a534-df53d0cfed6a.json | 1 - ...a13c6-ba45-4bab-a534-df53d0cfed6a_104.json | 1 - ...a13c6-ba45-4bab-a534-df53d0cfed6a_105.json | 1 - ...a13c6-ba45-4bab-a534-df53d0cfed6a_106.json | 1 - ...a13c6-ba45-4bab-a534-df53d0cfed6a_107.json | 1 - ...a13c6-ba45-4bab-a534-df53d0cfed6a_108.json | 1 - ...a13c6-ba45-4bab-a534-df53d0cfed6a_109.json | 1 - ...a13c6-ba45-4bab-a534-df53d0cfed6a_110.json | 1 - ...a13c6-ba45-4bab-a534-df53d0cfed6a_111.json | 1 - ...a13c6-ba45-4bab-a534-df53d0cfed6a_112.json | 1 - ...a13c6-ba45-4bab-a534-df53d0cfed6a_113.json | 1 - .../b43570de-a908-4f7f-8bdb-b2df6ffd8c80.json | 1 - ...43570de-a908-4f7f-8bdb-b2df6ffd8c80_2.json | 1 - 
...570de-a908-4f7f-8bdb-b2df6ffd8c80_209.json | 1 - ...43570de-a908-4f7f-8bdb-b2df6ffd8c80_3.json | 1 - ...43570de-a908-4f7f-8bdb-b2df6ffd8c80_4.json | 1 - ...43570de-a908-4f7f-8bdb-b2df6ffd8c80_5.json | 1 - ...43570de-a908-4f7f-8bdb-b2df6ffd8c80_6.json | 1 - ...43570de-a908-4f7f-8bdb-b2df6ffd8c80_7.json | 1 - ...43570de-a908-4f7f-8bdb-b2df6ffd8c80_8.json | 1 - ...43570de-a908-4f7f-8bdb-b2df6ffd8c80_9.json | 1 - .../b4449455-f986-4b5a-82ed-e36b129331f7.json | 1 - ...49455-f986-4b5a-82ed-e36b129331f7_102.json | 1 - ...49455-f986-4b5a-82ed-e36b129331f7_103.json | 1 - ...49455-f986-4b5a-82ed-e36b129331f7_104.json | 1 - ...49455-f986-4b5a-82ed-e36b129331f7_105.json | 1 - .../b45ab1d2-712f-4f01-a751-df3826969807.json | 1 - ...ab1d2-712f-4f01-a751-df3826969807_102.json | 1 - ...ab1d2-712f-4f01-a751-df3826969807_103.json | 1 - ...ab1d2-712f-4f01-a751-df3826969807_104.json | 1 - ...ab1d2-712f-4f01-a751-df3826969807_205.json | 1 - .../b483365c-98a8-40c0-92d8-0458ca25058a.json | 1 - ...483365c-98a8-40c0-92d8-0458ca25058a_1.json | 1 - ...483365c-98a8-40c0-92d8-0458ca25058a_2.json | 1 - ...483365c-98a8-40c0-92d8-0458ca25058a_3.json | 1 - ...483365c-98a8-40c0-92d8-0458ca25058a_4.json | 1 - .../b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9.json | 1 - ...b1440-0fcb-4ed1-87e5-b06d58efc5e9_102.json | 1 - ...b1440-0fcb-4ed1-87e5-b06d58efc5e9_103.json | 1 - ...b1440-0fcb-4ed1-87e5-b06d58efc5e9_104.json | 1 - ...b1440-0fcb-4ed1-87e5-b06d58efc5e9_105.json | 1 - ...b1440-0fcb-4ed1-87e5-b06d58efc5e9_206.json | 1 - ...b1440-0fcb-4ed1-87e5-b06d58efc5e9_207.json | 1 - ...b1440-0fcb-4ed1-87e5-b06d58efc5e9_209.json | 1 - ...b1440-0fcb-4ed1-87e5-b06d58efc5e9_309.json | 84 +++++++++++ .../b51dbc92-84e2-4af1-ba47-65183fcd0c57.json | 1 - ...51dbc92-84e2-4af1-ba47-65183fcd0c57_1.json | 1 - ...51dbc92-84e2-4af1-ba47-65183fcd0c57_2.json | 1 - ...51dbc92-84e2-4af1-ba47-65183fcd0c57_3.json | 1 - ...51dbc92-84e2-4af1-ba47-65183fcd0c57_4.json | 1 - .../b5877334-677f-4fb9-86d5-a9721274223b.json | 1 - 
...77334-677f-4fb9-86d5-a9721274223b_104.json | 1 - ...77334-677f-4fb9-86d5-a9721274223b_105.json | 1 - ...77334-677f-4fb9-86d5-a9721274223b_106.json | 1 - ...77334-677f-4fb9-86d5-a9721274223b_107.json | 1 - ...77334-677f-4fb9-86d5-a9721274223b_108.json | 1 - ...77334-677f-4fb9-86d5-a9721274223b_109.json | 1 - ...77334-677f-4fb9-86d5-a9721274223b_110.json | 1 - ...77334-677f-4fb9-86d5-a9721274223b_111.json | 1 - ...77334-677f-4fb9-86d5-a9721274223b_112.json | 1 - ...77334-677f-4fb9-86d5-a9721274223b_312.json | 1 - .../b5ea4bfe-a1b2-421f-9d47-22a75a6f2921.json | 1 - ...a4bfe-a1b2-421f-9d47-22a75a6f2921_105.json | 1 - ...a4bfe-a1b2-421f-9d47-22a75a6f2921_106.json | 1 - ...a4bfe-a1b2-421f-9d47-22a75a6f2921_107.json | 1 - ...a4bfe-a1b2-421f-9d47-22a75a6f2921_108.json | 1 - ...a4bfe-a1b2-421f-9d47-22a75a6f2921_109.json | 1 - ...a4bfe-a1b2-421f-9d47-22a75a6f2921_110.json | 1 - ...a4bfe-a1b2-421f-9d47-22a75a6f2921_111.json | 1 - ...a4bfe-a1b2-421f-9d47-22a75a6f2921_112.json | 1 - ...a4bfe-a1b2-421f-9d47-22a75a6f2921_312.json | 1 - .../b605f262-f7dc-41b5-9ebc-06bafe7a83b6.json | 1 - ...605f262-f7dc-41b5-9ebc-06bafe7a83b6_1.json | 1 - ...605f262-f7dc-41b5-9ebc-06bafe7a83b6_2.json | 1 - .../b627cd12-dac4-11ec-9582-f661ea17fbcd.json | 1 - ...7cd12-dac4-11ec-9582-f661ea17fbcd_101.json | 1 - ...7cd12-dac4-11ec-9582-f661ea17fbcd_102.json | 1 - ...7cd12-dac4-11ec-9582-f661ea17fbcd_103.json | 1 - ...7cd12-dac4-11ec-9582-f661ea17fbcd_104.json | 1 - ...7cd12-dac4-11ec-9582-f661ea17fbcd_105.json | 1 - ...7cd12-dac4-11ec-9582-f661ea17fbcd_106.json | 1 - .../b64b183e-1a76-422d-9179-7b389513e74d.json | 1 - ...b183e-1a76-422d-9179-7b389513e74d_104.json | 1 - ...b183e-1a76-422d-9179-7b389513e74d_105.json | 1 - ...b183e-1a76-422d-9179-7b389513e74d_106.json | 1 - ...b183e-1a76-422d-9179-7b389513e74d_107.json | 1 - ...b183e-1a76-422d-9179-7b389513e74d_108.json | 1 - ...b183e-1a76-422d-9179-7b389513e74d_109.json | 1 - ...b183e-1a76-422d-9179-7b389513e74d_110.json | 1 - 
.../b661f86d-1c23-4ce7-a59e-2edbdba28247.json | 1 - ...661f86d-1c23-4ce7-a59e-2edbdba28247_1.json | 1 - ...661f86d-1c23-4ce7-a59e-2edbdba28247_2.json | 1 - ...1f86d-1c23-4ce7-a59e-2edbdba28247_202.json | 1 - .../b66b7e2b-d50a-49b9-a6fc-3a383baedc6b.json | 1 - ...66b7e2b-d50a-49b9-a6fc-3a383baedc6b_1.json | 1 - ...66b7e2b-d50a-49b9-a6fc-3a383baedc6b_2.json | 1 - .../b6dce542-2b75-4ffb-b7d6-38787298ba9d.json | 1 - ...ce542-2b75-4ffb-b7d6-38787298ba9d_102.json | 1 - .../b719a170-3bdb-4141-b0e3-13e3cf627bfe.json | 1 - ...9a170-3bdb-4141-b0e3-13e3cf627bfe_102.json | 1 - ...9a170-3bdb-4141-b0e3-13e3cf627bfe_103.json | 1 - ...9a170-3bdb-4141-b0e3-13e3cf627bfe_104.json | 1 - ...9a170-3bdb-4141-b0e3-13e3cf627bfe_105.json | 1 - ...9a170-3bdb-4141-b0e3-13e3cf627bfe_206.json | 1 - ...9a170-3bdb-4141-b0e3-13e3cf627bfe_207.json | 1 - ...9a170-3bdb-4141-b0e3-13e3cf627bfe_209.json | 1 - ...9a170-3bdb-4141-b0e3-13e3cf627bfe_309.json | 84 +++++++++++ .../b7c05aaf-78c2-4558-b069-87fa25973489.json | 1 - ...7c05aaf-78c2-4558-b069-87fa25973489_1.json | 1 - ...7c05aaf-78c2-4558-b069-87fa25973489_2.json | 1 - .../b8075894-0b62-46e5-977c-31275da34419.json | 1 - ...75894-0b62-46e5-977c-31275da34419_102.json | 1 - ...75894-0b62-46e5-977c-31275da34419_103.json | 1 - ...75894-0b62-46e5-977c-31275da34419_104.json | 1 - ...75894-0b62-46e5-977c-31275da34419_205.json | 1 - ...75894-0b62-46e5-977c-31275da34419_206.json | 1 - ...75894-0b62-46e5-977c-31275da34419_208.json | 1 - ...75894-0b62-46e5-977c-31275da34419_308.json | 77 ++++++++++ .../b81bd314-db5b-4d97-82e8-88e3e5fc9de5.json | 1 - ...81bd314-db5b-4d97-82e8-88e3e5fc9de5_1.json | 1 - ...81bd314-db5b-4d97-82e8-88e3e5fc9de5_2.json | 1 - .../b8386923-b02c-4b94-986a-d223d9b01f88.json | 1 - ...8386923-b02c-4b94-986a-d223d9b01f88_2.json | 1 - ...8386923-b02c-4b94-986a-d223d9b01f88_3.json | 1 - ...8386923-b02c-4b94-986a-d223d9b01f88_4.json | 1 - ...8386923-b02c-4b94-986a-d223d9b01f88_5.json | 1 - ...8386923-b02c-4b94-986a-d223d9b01f88_6.json | 1 - 
...8386923-b02c-4b94-986a-d223d9b01f88_7.json | 1 - .../b83a7e96-2eb3-4edf-8346-427b6858d3bd.json | 1 - ...a7e96-2eb3-4edf-8346-427b6858d3bd_103.json | 1 - ...a7e96-2eb3-4edf-8346-427b6858d3bd_104.json | 1 - ...a7e96-2eb3-4edf-8346-427b6858d3bd_105.json | 1 - ...a7e96-2eb3-4edf-8346-427b6858d3bd_106.json | 1 - ...a7e96-2eb3-4edf-8346-427b6858d3bd_107.json | 1 - ...a7e96-2eb3-4edf-8346-427b6858d3bd_108.json | 1 - ...a7e96-2eb3-4edf-8346-427b6858d3bd_209.json | 1 - ...a7e96-2eb3-4edf-8346-427b6858d3bd_310.json | 1 - ...a7e96-2eb3-4edf-8346-427b6858d3bd_311.json | 1 - ...a7e96-2eb3-4edf-8346-427b6858d3bd_411.json | 1 - .../b86afe07-0d98-4738-b15d-8d7465f95ff5.json | 1 - ...afe07-0d98-4738-b15d-8d7465f95ff5_102.json | 1 - ...afe07-0d98-4738-b15d-8d7465f95ff5_103.json | 1 - ...afe07-0d98-4738-b15d-8d7465f95ff5_104.json | 1 - ...afe07-0d98-4738-b15d-8d7465f95ff5_105.json | 1 - ...afe07-0d98-4738-b15d-8d7465f95ff5_106.json | 1 - .../b8f8da2d-a9dc-48c0-90e4-955c0aa1259a.json | 1 - ...8f8da2d-a9dc-48c0-90e4-955c0aa1259a_1.json | 1 - ...8da2d-a9dc-48c0-90e4-955c0aa1259a_106.json | 1 - ...8f8da2d-a9dc-48c0-90e4-955c0aa1259a_2.json | 1 - ...8da2d-a9dc-48c0-90e4-955c0aa1259a_207.json | 1 - ...8da2d-a9dc-48c0-90e4-955c0aa1259a_208.json | 1 - ...8da2d-a9dc-48c0-90e4-955c0aa1259a_209.json | 1 - ...8f8da2d-a9dc-48c0-90e4-955c0aa1259a_3.json | 1 - ...8da2d-a9dc-48c0-90e4-955c0aa1259a_310.json | 1 - ...8f8da2d-a9dc-48c0-90e4-955c0aa1259a_4.json | 1 - ...8f8da2d-a9dc-48c0-90e4-955c0aa1259a_5.json | 1 - .../b90cdde7-7e0d-4359-8bf0-2c112ce2008a.json | 1 - ...cdde7-7e0d-4359-8bf0-2c112ce2008a_103.json | 1 - ...cdde7-7e0d-4359-8bf0-2c112ce2008a_104.json | 1 - ...cdde7-7e0d-4359-8bf0-2c112ce2008a_105.json | 1 - ...cdde7-7e0d-4359-8bf0-2c112ce2008a_106.json | 1 - ...cdde7-7e0d-4359-8bf0-2c112ce2008a_107.json | 1 - ...cdde7-7e0d-4359-8bf0-2c112ce2008a_108.json | 1 - ...cdde7-7e0d-4359-8bf0-2c112ce2008a_109.json | 1 - .../b910f25a-2d44-47f2-a873-aabdc0d355e6.json | 1 - 
...0f25a-2d44-47f2-a873-aabdc0d355e6_103.json | 1 - ...0f25a-2d44-47f2-a873-aabdc0d355e6_104.json | 1 - ...0f25a-2d44-47f2-a873-aabdc0d355e6_105.json | 1 - ...0f25a-2d44-47f2-a873-aabdc0d355e6_106.json | 1 - ...0f25a-2d44-47f2-a873-aabdc0d355e6_107.json | 1 - ...0f25a-2d44-47f2-a873-aabdc0d355e6_108.json | 1 - ...0f25a-2d44-47f2-a873-aabdc0d355e6_109.json | 1 - ...0f25a-2d44-47f2-a873-aabdc0d355e6_110.json | 1 - ...0f25a-2d44-47f2-a873-aabdc0d355e6_111.json | 1 - ...0f25a-2d44-47f2-a873-aabdc0d355e6_112.json | 1 - .../b92d5eae-70bb-4b66-be27-f98ba9d0ccdc.json | 1 - ...92d5eae-70bb-4b66-be27-f98ba9d0ccdc_1.json | 1 - .../b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c.json | 1 - ...946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_3.json | 1 - .../b9554892-5e0e-424b-83a0-5aef95aa43bf.json | 1 - ...54892-5e0e-424b-83a0-5aef95aa43bf_105.json | 1 - ...54892-5e0e-424b-83a0-5aef95aa43bf_106.json | 1 - ...54892-5e0e-424b-83a0-5aef95aa43bf_107.json | 1 - ...54892-5e0e-424b-83a0-5aef95aa43bf_108.json | 1 - ...54892-5e0e-424b-83a0-5aef95aa43bf_109.json | 1 - ...54892-5e0e-424b-83a0-5aef95aa43bf_110.json | 1 - ...54892-5e0e-424b-83a0-5aef95aa43bf_111.json | 1 - .../b9666521-4742-49ce-9ddc-b8e84c35acae.json | 1 - ...66521-4742-49ce-9ddc-b8e84c35acae_102.json | 1 - ...66521-4742-49ce-9ddc-b8e84c35acae_103.json | 1 - ...66521-4742-49ce-9ddc-b8e84c35acae_104.json | 1 - ...66521-4742-49ce-9ddc-b8e84c35acae_105.json | 1 - ...66521-4742-49ce-9ddc-b8e84c35acae_106.json | 1 - ...66521-4742-49ce-9ddc-b8e84c35acae_107.json | 1 - ...66521-4742-49ce-9ddc-b8e84c35acae_108.json | 1 - ...66521-4742-49ce-9ddc-b8e84c35acae_109.json | 1 - ...66521-4742-49ce-9ddc-b8e84c35acae_110.json | 1 - .../b9960fef-82c6-4816-befa-44745030e917.json | 1 - ...60fef-82c6-4816-befa-44745030e917_103.json | 1 - ...60fef-82c6-4816-befa-44745030e917_104.json | 1 - ...60fef-82c6-4816-befa-44745030e917_105.json | 1 - ...60fef-82c6-4816-befa-44745030e917_106.json | 1 - ...60fef-82c6-4816-befa-44745030e917_107.json | 1 - 
...60fef-82c6-4816-befa-44745030e917_108.json | 1 - ...60fef-82c6-4816-befa-44745030e917_109.json | 1 - ...60fef-82c6-4816-befa-44745030e917_110.json | 1 - ...60fef-82c6-4816-befa-44745030e917_111.json | 1 - .../ba342eb2-583c-439f-b04d-1fdd7c1417cc.json | 1 - ...42eb2-583c-439f-b04d-1fdd7c1417cc_101.json | 1 - ...42eb2-583c-439f-b04d-1fdd7c1417cc_102.json | 1 - ...42eb2-583c-439f-b04d-1fdd7c1417cc_103.json | 1 - ...42eb2-583c-439f-b04d-1fdd7c1417cc_104.json | 1 - ...42eb2-583c-439f-b04d-1fdd7c1417cc_105.json | 1 - .../ba81c182-4287-489d-af4d-8ae834b06040.json | 1 - ...a81c182-4287-489d-af4d-8ae834b06040_1.json | 1 - ...a81c182-4287-489d-af4d-8ae834b06040_2.json | 1 - .../baa5d22c-5e1c-4f33-bfc9-efa73bb53022.json | 1 - ...5d22c-5e1c-4f33-bfc9-efa73bb53022_102.json | 1 - ...5d22c-5e1c-4f33-bfc9-efa73bb53022_103.json | 1 - ...5d22c-5e1c-4f33-bfc9-efa73bb53022_104.json | 1 - ...5d22c-5e1c-4f33-bfc9-efa73bb53022_105.json | 1 - ...5d22c-5e1c-4f33-bfc9-efa73bb53022_106.json | 1 - ...5d22c-5e1c-4f33-bfc9-efa73bb53022_107.json | 1 - ...5d22c-5e1c-4f33-bfc9-efa73bb53022_108.json | 1 - ...5d22c-5e1c-4f33-bfc9-efa73bb53022_109.json | 1 - .../bb4fe8d2-7ae2-475c-8b5d-55b449e4264f.json | 1 - ...fe8d2-7ae2-475c-8b5d-55b449e4264f_101.json | 1 - .../bb9b13b2-1700-48a8-a750-b43b0a72ab69.json | 1 - ...b13b2-1700-48a8-a750-b43b0a72ab69_102.json | 1 - ...b13b2-1700-48a8-a750-b43b0a72ab69_103.json | 1 - ...b13b2-1700-48a8-a750-b43b0a72ab69_104.json | 1 - ...b13b2-1700-48a8-a750-b43b0a72ab69_205.json | 1 - .../bba1b212-b85c-41c6-9b28-be0e5cdfc9b1.json | 1 - ...1b212-b85c-41c6-9b28-be0e5cdfc9b1_101.json | 1 - ...1b212-b85c-41c6-9b28-be0e5cdfc9b1_102.json | 1 - ...1b212-b85c-41c6-9b28-be0e5cdfc9b1_103.json | 1 - ...1b212-b85c-41c6-9b28-be0e5cdfc9b1_105.json | 1 - .../bbaa96b9-f36c-4898-ace2-581acb00a409.json | 1 - ...baa96b9-f36c-4898-ace2-581acb00a409_1.json | 1 - ...baa96b9-f36c-4898-ace2-581acb00a409_2.json | 1 - ...baa96b9-f36c-4898-ace2-581acb00a409_3.json | 1 - 
...baa96b9-f36c-4898-ace2-581acb00a409_4.json | 1 - ...baa96b9-f36c-4898-ace2-581acb00a409_5.json | 1 - ...baa96b9-f36c-4898-ace2-581acb00a409_6.json | 1 - .../bbd1a775-8267-41fa-9232-20e5582596ac.json | 1 - ...1a775-8267-41fa-9232-20e5582596ac_101.json | 1 - ...1a775-8267-41fa-9232-20e5582596ac_102.json | 1 - ...1a775-8267-41fa-9232-20e5582596ac_103.json | 1 - ...1a775-8267-41fa-9232-20e5582596ac_104.json | 1 - ...1a775-8267-41fa-9232-20e5582596ac_106.json | 1 - .../bc0c6f0d-dab0-47a3-b135-0925f0a333bc.json | 1 - ...c6f0d-dab0-47a3-b135-0925f0a333bc_105.json | 1 - ...c6f0d-dab0-47a3-b135-0925f0a333bc_106.json | 1 - ...c6f0d-dab0-47a3-b135-0925f0a333bc_107.json | 1 - ...c6f0d-dab0-47a3-b135-0925f0a333bc_208.json | 1 - .../bc0f2d83-32b8-4ae2-b0e6-6a45772e9331.json | 1 - ...f2d83-32b8-4ae2-b0e6-6a45772e9331_103.json | 1 - .../bc0fc359-68db-421e-a435-348ced7a7f92.json | 1 - ...c0fc359-68db-421e-a435-348ced7a7f92_1.json | 1 - .../bc1eeacf-2972-434f-b782-3a532b100d67.json | 1 - ...eeacf-2972-434f-b782-3a532b100d67_102.json | 1 - ...eeacf-2972-434f-b782-3a532b100d67_103.json | 1 - ...eeacf-2972-434f-b782-3a532b100d67_104.json | 1 - ...eeacf-2972-434f-b782-3a532b100d67_105.json | 1 - .../bc48bba7-4a23-4232-b551-eca3ca1e3f20.json | 1 - ...8bba7-4a23-4232-b551-eca3ca1e3f20_101.json | 1 - .../bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9.json | 1 - ...c8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_2.json | 1 - ...c8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_3.json | 1 - ...c8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_4.json | 1 - ...c8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_5.json | 1 - .../bc9e4f5a-e263-4213-a2ac-1edf9b417ada.json | 1 - ...c9e4f5a-e263-4213-a2ac-1edf9b417ada_1.json | 1 - .../bca7d28e-4a48-47b1-adb7-5074310e9a61.json | 1 - ...7d28e-4a48-47b1-adb7-5074310e9a61_103.json | 1 - .../bcaa15ce-2d41-44d7-a322-918f9db77766.json | 1 - ...caa15ce-2d41-44d7-a322-918f9db77766_1.json | 1 - ...caa15ce-2d41-44d7-a322-918f9db77766_2.json | 1 - ...caa15ce-2d41-44d7-a322-918f9db77766_3.json | 1 - 
...caa15ce-2d41-44d7-a322-918f9db77766_4.json | 1 - .../bd2c86a0-8b61-4457-ab38-96943984e889.json | 1 - ...c86a0-8b61-4457-ab38-96943984e889_105.json | 1 - ...c86a0-8b61-4457-ab38-96943984e889_106.json | 1 - ...c86a0-8b61-4457-ab38-96943984e889_107.json | 1 - ...c86a0-8b61-4457-ab38-96943984e889_108.json | 1 - ...c86a0-8b61-4457-ab38-96943984e889_109.json | 1 - ...c86a0-8b61-4457-ab38-96943984e889_110.json | 1 - ...c86a0-8b61-4457-ab38-96943984e889_111.json | 1 - ...c86a0-8b61-4457-ab38-96943984e889_112.json | 1 - ...c86a0-8b61-4457-ab38-96943984e889_113.json | 1 - ...c86a0-8b61-4457-ab38-96943984e889_114.json | 1 - .../bd3d058d-5405-4cee-b890-337f09366ba2.json | 1 - ...d3d058d-5405-4cee-b890-337f09366ba2_1.json | 1 - ...d3d058d-5405-4cee-b890-337f09366ba2_2.json | 1 - ...d3d058d-5405-4cee-b890-337f09366ba2_3.json | 1 - ...d3d058d-5405-4cee-b890-337f09366ba2_4.json | 1 - .../bd7eefee-f671-494e-98df-f01daf9e5f17.json | 1 - ...eefee-f671-494e-98df-f01daf9e5f17_102.json | 1 - ...eefee-f671-494e-98df-f01daf9e5f17_103.json | 1 - ...eefee-f671-494e-98df-f01daf9e5f17_104.json | 1 - ...eefee-f671-494e-98df-f01daf9e5f17_105.json | 1 - ...eefee-f671-494e-98df-f01daf9e5f17_106.json | 1 - ...eefee-f671-494e-98df-f01daf9e5f17_107.json | 1 - ...eefee-f671-494e-98df-f01daf9e5f17_207.json | 1 - .../bdb04043-f0e3-4efa-bdee-7d9d13fa9edc.json | 1 - ...db04043-f0e3-4efa-bdee-7d9d13fa9edc_1.json | 1 - ...db04043-f0e3-4efa-bdee-7d9d13fa9edc_2.json | 1 - ...db04043-f0e3-4efa-bdee-7d9d13fa9edc_3.json | 1 - ...db04043-f0e3-4efa-bdee-7d9d13fa9edc_4.json | 1 - ...db04043-f0e3-4efa-bdee-7d9d13fa9edc_5.json | 1 - ...db04043-f0e3-4efa-bdee-7d9d13fa9edc_6.json | 1 - ...db04043-f0e3-4efa-bdee-7d9d13fa9edc_7.json | 1 - .../bdcf646b-08d4-492c-870a-6c04e3700034.json | 1 - ...f646b-08d4-492c-870a-6c04e3700034_103.json | 1 - ...f646b-08d4-492c-870a-6c04e3700034_104.json | 1 - ...f646b-08d4-492c-870a-6c04e3700034_105.json | 1 - ...f646b-08d4-492c-870a-6c04e3700034_106.json | 1 - 
...f646b-08d4-492c-870a-6c04e3700034_107.json | 1 - ...f646b-08d4-492c-870a-6c04e3700034_108.json | 1 - ...f646b-08d4-492c-870a-6c04e3700034_109.json | 1 - ...dfaddc4-4438-48b4-bc43-9f5cf8151c46_1.json | 1 - ...addc4-4438-48b4-bc43-9f5cf8151c46_101.json | 1 - .../bdfebe11-e169-42e3-b344-c5d2015533d3.json | 1 - ...dfebe11-e169-42e3-b344-c5d2015533d3_1.json | 1 - ...dfebe11-e169-42e3-b344-c5d2015533d3_2.json | 1 - ...dfebe11-e169-42e3-b344-c5d2015533d3_3.json | 1 - ...dfebe11-e169-42e3-b344-c5d2015533d3_4.json | 1 - ...dfebe11-e169-42e3-b344-c5d2015533d3_5.json | 1 - ...dfebe11-e169-42e3-b344-c5d2015533d3_6.json | 1 - .../be4c5aed-90f5-4221-8bd5-7ab3a4334751.json | 1 - ...e4c5aed-90f5-4221-8bd5-7ab3a4334751_1.json | 1 - ...e4c5aed-90f5-4221-8bd5-7ab3a4334751_2.json | 1 - ...e4c5aed-90f5-4221-8bd5-7ab3a4334751_3.json | 1 - .../be8afaed-4bcd-4e0a-b5f9-5562003dde81.json | 1 - ...afaed-4bcd-4e0a-b5f9-5562003dde81_104.json | 1 - ...afaed-4bcd-4e0a-b5f9-5562003dde81_105.json | 1 - ...afaed-4bcd-4e0a-b5f9-5562003dde81_106.json | 1 - ...afaed-4bcd-4e0a-b5f9-5562003dde81_107.json | 1 - ...afaed-4bcd-4e0a-b5f9-5562003dde81_108.json | 1 - ...afaed-4bcd-4e0a-b5f9-5562003dde81_109.json | 1 - ...afaed-4bcd-4e0a-b5f9-5562003dde81_110.json | 1 - ...afaed-4bcd-4e0a-b5f9-5562003dde81_310.json | 1 - ...afaed-4bcd-4e0a-b5f9-5562003dde81_311.json | 1 - .../bf1073bf-ce26-4607-b405-ba1ed8e9e204.json | 1 - ...073bf-ce26-4607-b405-ba1ed8e9e204_102.json | 1 - ...073bf-ce26-4607-b405-ba1ed8e9e204_103.json | 1 - ...073bf-ce26-4607-b405-ba1ed8e9e204_104.json | 1 - ...073bf-ce26-4607-b405-ba1ed8e9e204_205.json | 1 - ...073bf-ce26-4607-b405-ba1ed8e9e204_206.json | 1 - .../bf8c007c-7dee-4842-8e9a-ee534c09d205.json | 1 - ...f8c007c-7dee-4842-8e9a-ee534c09d205_1.json | 1 - ...f8c007c-7dee-4842-8e9a-ee534c09d205_2.json | 1 - .../bfba5158-1fd6-4937-a205-77d96213b341.json | 1 - ...fba5158-1fd6-4937-a205-77d96213b341_1.json | 1 - ...fba5158-1fd6-4937-a205-77d96213b341_2.json | 1 - 
...fba5158-1fd6-4937-a205-77d96213b341_3.json | 1 - .../bfeaf89b-a2a7-48a3-817f-e41829dc61ee.json | 1 - ...af89b-a2a7-48a3-817f-e41829dc61ee_104.json | 1 - ...af89b-a2a7-48a3-817f-e41829dc61ee_105.json | 1 - ...af89b-a2a7-48a3-817f-e41829dc61ee_106.json | 1 - ...af89b-a2a7-48a3-817f-e41829dc61ee_107.json | 1 - ...af89b-a2a7-48a3-817f-e41829dc61ee_108.json | 1 - ...af89b-a2a7-48a3-817f-e41829dc61ee_109.json | 1 - ...af89b-a2a7-48a3-817f-e41829dc61ee_110.json | 1 - ...af89b-a2a7-48a3-817f-e41829dc61ee_111.json | 1 - ...af89b-a2a7-48a3-817f-e41829dc61ee_112.json | 1 - .../c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d.json | 1 - ...c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_102.json | 1 - ...c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_103.json | 1 - ...c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_104.json | 1 - ...c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_105.json | 1 - ...c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_106.json | 1 - .../c0429aa8-9974-42da-bfb6-53a0a515a145.json | 1 - ...29aa8-9974-42da-bfb6-53a0a515a145_103.json | 1 - ...29aa8-9974-42da-bfb6-53a0a515a145_104.json | 1 - ...29aa8-9974-42da-bfb6-53a0a515a145_105.json | 1 - ...29aa8-9974-42da-bfb6-53a0a515a145_106.json | 1 - ...29aa8-9974-42da-bfb6-53a0a515a145_107.json | 1 - ...29aa8-9974-42da-bfb6-53a0a515a145_108.json | 1 - ...29aa8-9974-42da-bfb6-53a0a515a145_109.json | 1 - ...29aa8-9974-42da-bfb6-53a0a515a145_110.json | 1 - .../c0b9dc99-c696-4779-b086-0d37dc2b3778.json | 1 - ...0b9dc99-c696-4779-b086-0d37dc2b3778_1.json | 1 - .../c0be5f31-e180-48ed-aa08-96b36899d48f.json | 1 - ...e5f31-e180-48ed-aa08-96b36899d48f_100.json | 1 - ...e5f31-e180-48ed-aa08-96b36899d48f_101.json | 1 - ...e5f31-e180-48ed-aa08-96b36899d48f_102.json | 1 - ...124dc1b-cef2-4d01-8d74-ff6b0d5096b6_1.json | 1 - ...124dc1b-cef2-4d01-8d74-ff6b0d5096b6_2.json | 1 - .../c125e48f-6783-41f0-b100-c3bf1b114d16.json | 1 - ...125e48f-6783-41f0-b100-c3bf1b114d16_1.json | 1 - ...125e48f-6783-41f0-b100-c3bf1b114d16_2.json | 1 - ...125e48f-6783-41f0-b100-c3bf1b114d16_3.json | 1 - 
...125e48f-6783-41f0-b100-c3bf1b114d16_4.json | 1 - ...125e48f-6783-41f0-b100-c3bf1b114d16_5.json | 1 - .../c1812764-0788-470f-8e74-eb4a14d47573.json | 1 - ...12764-0788-470f-8e74-eb4a14d47573_102.json | 1 - ...12764-0788-470f-8e74-eb4a14d47573_103.json | 1 - ...12764-0788-470f-8e74-eb4a14d47573_104.json | 1 - ...12764-0788-470f-8e74-eb4a14d47573_205.json | 1 - .../c1e79a70-fa6f-11ee-8bc8-f661ea17fbce.json | 1 - ...1e79a70-fa6f-11ee-8bc8-f661ea17fbce_1.json | 1 - .../c20cd758-07b1-46a1-b03f-fa66158258b8.json | 1 - ...20cd758-07b1-46a1-b03f-fa66158258b8_1.json | 1 - ...cd758-07b1-46a1-b03f-fa66158258b8_101.json | 1 - .../c24e9a43-f67e-431d-991b-09cdb83b3c0c.json | 1 - ...24e9a43-f67e-431d-991b-09cdb83b3c0c_1.json | 1 - ...24e9a43-f67e-431d-991b-09cdb83b3c0c_2.json | 1 - .../c25e9c87-95e1-4368-bfab-9fd34cf867ec.json | 1 - ...e9c87-95e1-4368-bfab-9fd34cf867ec_104.json | 1 - ...e9c87-95e1-4368-bfab-9fd34cf867ec_105.json | 1 - ...e9c87-95e1-4368-bfab-9fd34cf867ec_106.json | 1 - ...e9c87-95e1-4368-bfab-9fd34cf867ec_107.json | 1 - ...e9c87-95e1-4368-bfab-9fd34cf867ec_108.json | 1 - ...e9c87-95e1-4368-bfab-9fd34cf867ec_109.json | 1 - ...e9c87-95e1-4368-bfab-9fd34cf867ec_110.json | 1 - ...e9c87-95e1-4368-bfab-9fd34cf867ec_111.json | 1 - ...e9c87-95e1-4368-bfab-9fd34cf867ec_311.json | 1 - .../c28c4d8c-f014-40ef-88b6-79a1d67cd499.json | 1 - ...c4d8c-f014-40ef-88b6-79a1d67cd499_101.json | 1 - ...c4d8c-f014-40ef-88b6-79a1d67cd499_102.json | 1 - ...c4d8c-f014-40ef-88b6-79a1d67cd499_103.json | 1 - .../c292fa52-4115-408a-b897-e14f684b3cb7.json | 1 - ...2fa52-4115-408a-b897-e14f684b3cb7_102.json | 1 - ...2fa52-4115-408a-b897-e14f684b3cb7_103.json | 1 - ...2fa52-4115-408a-b897-e14f684b3cb7_104.json | 1 - ...2fa52-4115-408a-b897-e14f684b3cb7_105.json | 1 - ...2fa52-4115-408a-b897-e14f684b3cb7_106.json | 1 - .../c296f888-eac6-4543-8da5-b6abb0d3304f.json | 1 - ...296f888-eac6-4543-8da5-b6abb0d3304f_1.json | 1 - .../c2d90150-0133-451c-a783-533e736c12d7.json | 1 - 
...90150-0133-451c-a783-533e736c12d7_103.json | 1 - ...90150-0133-451c-a783-533e736c12d7_104.json | 1 - ...90150-0133-451c-a783-533e736c12d7_105.json | 1 - ...90150-0133-451c-a783-533e736c12d7_106.json | 1 - ...90150-0133-451c-a783-533e736c12d7_107.json | 1 - ...90150-0133-451c-a783-533e736c12d7_108.json | 1 - .../c3167e1b-f73c-41be-b60b-87f4df707fe3.json | 1 - ...67e1b-f73c-41be-b60b-87f4df707fe3_100.json | 1 - ...67e1b-f73c-41be-b60b-87f4df707fe3_101.json | 1 - ...67e1b-f73c-41be-b60b-87f4df707fe3_102.json | 1 - ...371e9fc-6a10-11ef-a0ac-f661ea17fbcc_1.json | 1 - ...371e9fc-6a10-11ef-a0ac-f661ea17fbcc_2.json | 1 - .../c3b915e0-22f3-4bf7-991d-b643513c722f.json | 1 - ...915e0-22f3-4bf7-991d-b643513c722f_102.json | 1 - ...915e0-22f3-4bf7-991d-b643513c722f_103.json | 1 - ...915e0-22f3-4bf7-991d-b643513c722f_104.json | 1 - ...915e0-22f3-4bf7-991d-b643513c722f_105.json | 1 - ...915e0-22f3-4bf7-991d-b643513c722f_106.json | 1 - ...915e0-22f3-4bf7-991d-b643513c722f_107.json | 1 - ...915e0-22f3-4bf7-991d-b643513c722f_208.json | 1 - ...915e0-22f3-4bf7-991d-b643513c722f_309.json | 1 - .../c3f5e1d8-910e-43b4-8d44-d748e498ca86.json | 1 - ...5e1d8-910e-43b4-8d44-d748e498ca86_102.json | 1 - ...5e1d8-910e-43b4-8d44-d748e498ca86_103.json | 1 - .../c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14.json | 1 - ...10e1c-64f2-4f48-b67e-b5a8ffe3aa14_104.json | 1 - ...10e1c-64f2-4f48-b67e-b5a8ffe3aa14_105.json | 1 - ...10e1c-64f2-4f48-b67e-b5a8ffe3aa14_106.json | 1 - ...10e1c-64f2-4f48-b67e-b5a8ffe3aa14_107.json | 1 - ...10e1c-64f2-4f48-b67e-b5a8ffe3aa14_108.json | 1 - ...10e1c-64f2-4f48-b67e-b5a8ffe3aa14_109.json | 1 - ...10e1c-64f2-4f48-b67e-b5a8ffe3aa14_110.json | 1 - ...10e1c-64f2-4f48-b67e-b5a8ffe3aa14_310.json | 1 - .../c4818812-d44f-47be-aaef-4cfb2f9cc799.json | 1 - ...18812-d44f-47be-aaef-4cfb2f9cc799_102.json | 1 - ...18812-d44f-47be-aaef-4cfb2f9cc799_103.json | 1 - ...18812-d44f-47be-aaef-4cfb2f9cc799_104.json | 1 - ...18812-d44f-47be-aaef-4cfb2f9cc799_105.json | 1 - 
...18812-d44f-47be-aaef-4cfb2f9cc799_106.json | 1 - ...18812-d44f-47be-aaef-4cfb2f9cc799_107.json | 1 - .../c4e9ed3e-55a2-4309-a012-bc3c78dad10a.json | 1 - ...4e9ed3e-55a2-4309-a012-bc3c78dad10a_1.json | 1 - ...4e9ed3e-55a2-4309-a012-bc3c78dad10a_2.json | 1 - ...4e9ed3e-55a2-4309-a012-bc3c78dad10a_3.json | 1 - .../c55badd3-3e61-4292-836f-56209dc8a601.json | 1 - ...55badd3-3e61-4292-836f-56209dc8a601_1.json | 1 - ...55badd3-3e61-4292-836f-56209dc8a601_2.json | 1 - ...55badd3-3e61-4292-836f-56209dc8a601_3.json | 1 - ...55badd3-3e61-4292-836f-56209dc8a601_4.json | 1 - ...55badd3-3e61-4292-836f-56209dc8a601_5.json | 1 - .../c5677997-f75b-4cda-b830-a75920514096.json | 1 - ...5677997-f75b-4cda-b830-a75920514096_1.json | 1 - ...5677997-f75b-4cda-b830-a75920514096_2.json | 1 - ...5677997-f75b-4cda-b830-a75920514096_3.json | 1 - ...5677997-f75b-4cda-b830-a75920514096_4.json | 1 - ...5677997-f75b-4cda-b830-a75920514096_5.json | 1 - .../c57f8579-e2a5-4804-847f-f2732edc5156.json | 1 - ...f8579-e2a5-4804-847f-f2732edc5156_103.json | 1 - ...f8579-e2a5-4804-847f-f2732edc5156_104.json | 1 - ...f8579-e2a5-4804-847f-f2732edc5156_105.json | 1 - ...f8579-e2a5-4804-847f-f2732edc5156_106.json | 1 - ...f8579-e2a5-4804-847f-f2732edc5156_107.json | 1 - ...f8579-e2a5-4804-847f-f2732edc5156_108.json | 1 - ...f8579-e2a5-4804-847f-f2732edc5156_109.json | 1 - .../c58c3081-2e1d-4497-8491-e73a45d1a6d6.json | 1 - ...c3081-2e1d-4497-8491-e73a45d1a6d6_103.json | 1 - .../c5c9f591-d111-4cf8-baec-c26a39bc31ef.json | 1 - ...9f591-d111-4cf8-baec-c26a39bc31ef_103.json | 1 - ...9f591-d111-4cf8-baec-c26a39bc31ef_104.json | 1 - ...9f591-d111-4cf8-baec-c26a39bc31ef_105.json | 1 - ...9f591-d111-4cf8-baec-c26a39bc31ef_106.json | 1 - ...9f591-d111-4cf8-baec-c26a39bc31ef_107.json | 1 - ...9f591-d111-4cf8-baec-c26a39bc31ef_108.json | 1 - .../c5ce48a6-7f57-4ee8-9313-3d0024caee10.json | 1 - ...e48a6-7f57-4ee8-9313-3d0024caee10_103.json | 1 - ...e48a6-7f57-4ee8-9313-3d0024caee10_104.json | 1 - 
...e48a6-7f57-4ee8-9313-3d0024caee10_105.json | 1 - ...e48a6-7f57-4ee8-9313-3d0024caee10_106.json | 1 - ...e48a6-7f57-4ee8-9313-3d0024caee10_107.json | 1 - ...e48a6-7f57-4ee8-9313-3d0024caee10_108.json | 1 - ...e48a6-7f57-4ee8-9313-3d0024caee10_109.json | 1 - .../c5dc3223-13a2-44a2-946c-e9dc0aa0449c.json | 1 - ...c3223-13a2-44a2-946c-e9dc0aa0449c_104.json | 1 - ...c3223-13a2-44a2-946c-e9dc0aa0449c_105.json | 1 - ...c3223-13a2-44a2-946c-e9dc0aa0449c_106.json | 1 - ...c3223-13a2-44a2-946c-e9dc0aa0449c_107.json | 1 - ...c3223-13a2-44a2-946c-e9dc0aa0449c_108.json | 1 - ...c3223-13a2-44a2-946c-e9dc0aa0449c_109.json | 1 - ...c3223-13a2-44a2-946c-e9dc0aa0449c_110.json | 1 - ...c3223-13a2-44a2-946c-e9dc0aa0449c_111.json | 1 - ...c3223-13a2-44a2-946c-e9dc0aa0449c_311.json | 1 - .../c5f81243-56e0-47f9-b5bb-55a5ed89ba57.json | 1 - ...81243-56e0-47f9-b5bb-55a5ed89ba57_101.json | 1 - .../c6453e73-90eb-4fe7-a98c-cde7bbfc504a.json | 1 - ...53e73-90eb-4fe7-a98c-cde7bbfc504a_104.json | 1 - ...53e73-90eb-4fe7-a98c-cde7bbfc504a_105.json | 1 - ...53e73-90eb-4fe7-a98c-cde7bbfc504a_106.json | 1 - ...53e73-90eb-4fe7-a98c-cde7bbfc504a_107.json | 1 - ...53e73-90eb-4fe7-a98c-cde7bbfc504a_108.json | 1 - ...53e73-90eb-4fe7-a98c-cde7bbfc504a_109.json | 1 - ...53e73-90eb-4fe7-a98c-cde7bbfc504a_110.json | 1 - ...53e73-90eb-4fe7-a98c-cde7bbfc504a_111.json | 1 - ...53e73-90eb-4fe7-a98c-cde7bbfc504a_112.json | 1 - ...53e73-90eb-4fe7-a98c-cde7bbfc504a_113.json | 1 - ...53e73-90eb-4fe7-a98c-cde7bbfc504a_313.json | 1 - ...6655282-6c79-11ef-bbb5-f661ea17fbcc_1.json | 1 - .../c749e367-a069-4a73-b1f2-43a3798153ad.json | 1 - ...9e367-a069-4a73-b1f2-43a3798153ad_102.json | 1 - ...9e367-a069-4a73-b1f2-43a3798153ad_103.json | 1 - ...9e367-a069-4a73-b1f2-43a3798153ad_104.json | 1 - ...9e367-a069-4a73-b1f2-43a3798153ad_105.json | 1 - ...9e367-a069-4a73-b1f2-43a3798153ad_206.json | 1 - ...9e367-a069-4a73-b1f2-43a3798153ad_207.json | 1 - ...9e367-a069-4a73-b1f2-43a3798153ad_209.json | 1 - 
...9e367-a069-4a73-b1f2-43a3798153ad_309.json | 85 +++++++++++ .../c74fd275-ab2c-4d49-8890-e2943fa65c09.json | 1 - ...fd275-ab2c-4d49-8890-e2943fa65c09_102.json | 1 - ...fd275-ab2c-4d49-8890-e2943fa65c09_103.json | 1 - ...fd275-ab2c-4d49-8890-e2943fa65c09_104.json | 1 - ...fd275-ab2c-4d49-8890-e2943fa65c09_205.json | 1 - ...fd275-ab2c-4d49-8890-e2943fa65c09_206.json | 1 - ...fd275-ab2c-4d49-8890-e2943fa65c09_208.json | 1 - ...fd275-ab2c-4d49-8890-e2943fa65c09_308.json | 71 +++++++++ .../c75d0c86-38d6-4821-98a1-465cff8ff4c8.json | 1 - .../c7894234-7814-44c2-92a9-f7d851ea246a.json | 1 - ...94234-7814-44c2-92a9-f7d851ea246a_103.json | 1 - ...94234-7814-44c2-92a9-f7d851ea246a_104.json | 1 - ...94234-7814-44c2-92a9-f7d851ea246a_105.json | 1 - ...94234-7814-44c2-92a9-f7d851ea246a_106.json | 1 - ...94234-7814-44c2-92a9-f7d851ea246a_107.json | 1 - .../c7908cac-337a-4f38-b50d-5eeb78bdb531.json | 1 - ...08cac-337a-4f38-b50d-5eeb78bdb531_201.json | 1 - ...08cac-337a-4f38-b50d-5eeb78bdb531_202.json | 1 - ...08cac-337a-4f38-b50d-5eeb78bdb531_203.json | 1 - .../c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9.json | 1 - ...e36c0-32ff-4f9a-bfc2-dcb242bf99f9_104.json | 1 - ...e36c0-32ff-4f9a-bfc2-dcb242bf99f9_105.json | 1 - ...e36c0-32ff-4f9a-bfc2-dcb242bf99f9_106.json | 1 - ...e36c0-32ff-4f9a-bfc2-dcb242bf99f9_107.json | 1 - ...e36c0-32ff-4f9a-bfc2-dcb242bf99f9_108.json | 1 - ...e36c0-32ff-4f9a-bfc2-dcb242bf99f9_109.json | 1 - ...e36c0-32ff-4f9a-bfc2-dcb242bf99f9_110.json | 1 - ...e36c0-32ff-4f9a-bfc2-dcb242bf99f9_111.json | 1 - .../c7db5533-ca2a-41f6-a8b0-ee98abe0f573.json | 1 - ...b5533-ca2a-41f6-a8b0-ee98abe0f573_102.json | 1 - ...b5533-ca2a-41f6-a8b0-ee98abe0f573_103.json | 1 - ...b5533-ca2a-41f6-a8b0-ee98abe0f573_104.json | 1 - .../c81cefcb-82b9-4408-a533-3c3df549e62d.json | 1 - ...cefcb-82b9-4408-a533-3c3df549e62d_102.json | 1 - ...cefcb-82b9-4408-a533-3c3df549e62d_103.json | 1 - ...cefcb-82b9-4408-a533-3c3df549e62d_104.json | 1 - ...cefcb-82b9-4408-a533-3c3df549e62d_105.json | 1 - 
...cefcb-82b9-4408-a533-3c3df549e62d_106.json | 1 - .../c82b2bd8-d701-420c-ba43-f11a155b681a.json | 1 - ...b2bd8-d701-420c-ba43-f11a155b681a_100.json | 1 - ...b2bd8-d701-420c-ba43-f11a155b681a_101.json | 1 - ...b2bd8-d701-420c-ba43-f11a155b681a_102.json | 1 - ...b2bd8-d701-420c-ba43-f11a155b681a_103.json | 1 - .../c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1.json | 1 - ...c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_104.json | 1 - ...c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_105.json | 1 - ...c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_106.json | 1 - ...c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_107.json | 1 - ...c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_108.json | 1 - ...c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_109.json | 1 - ...c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_110.json | 1 - ...c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_111.json | 1 - .../c85eb82c-d2c8-485c-a36f-534f914b7663.json | 1 - ...eb82c-d2c8-485c-a36f-534f914b7663_101.json | 1 - ...eb82c-d2c8-485c-a36f-534f914b7663_102.json | 1 - ...eb82c-d2c8-485c-a36f-534f914b7663_103.json | 1 - ...eb82c-d2c8-485c-a36f-534f914b7663_104.json | 1 - .../c88d4bd0-5649-4c52-87ea-9be59dbfbcf2.json | 1 - ...d4bd0-5649-4c52-87ea-9be59dbfbcf2_102.json | 1 - ...d4bd0-5649-4c52-87ea-9be59dbfbcf2_103.json | 1 - ...d4bd0-5649-4c52-87ea-9be59dbfbcf2_104.json | 1 - ...d4bd0-5649-4c52-87ea-9be59dbfbcf2_105.json | 1 - ...d4bd0-5649-4c52-87ea-9be59dbfbcf2_106.json | 1 - .../c8935a8b-634a-4449-98f7-bb24d3b2c0af.json | 1 - ...8935a8b-634a-4449-98f7-bb24d3b2c0af_1.json | 1 - ...8935a8b-634a-4449-98f7-bb24d3b2c0af_2.json | 1 - ...8935a8b-634a-4449-98f7-bb24d3b2c0af_3.json | 1 - ...8935a8b-634a-4449-98f7-bb24d3b2c0af_4.json | 1 - ...8935a8b-634a-4449-98f7-bb24d3b2c0af_5.json | 1 - ...8935a8b-634a-4449-98f7-bb24d3b2c0af_6.json | 1 - ...8935a8b-634a-4449-98f7-bb24d3b2c0af_7.json | 1 - ...8935a8b-634a-4449-98f7-bb24d3b2c0af_8.json | 1 - ...8935a8b-634a-4449-98f7-bb24d3b2c0af_9.json | 1 - .../c8b150f0-0164-475b-a75e-74b47800a9ff.json | 1 - ...150f0-0164-475b-a75e-74b47800a9ff_104.json | 1 - 
...150f0-0164-475b-a75e-74b47800a9ff_105.json | 1 - ...150f0-0164-475b-a75e-74b47800a9ff_106.json | 1 - ...150f0-0164-475b-a75e-74b47800a9ff_107.json | 1 - ...150f0-0164-475b-a75e-74b47800a9ff_108.json | 1 - ...150f0-0164-475b-a75e-74b47800a9ff_109.json | 1 - ...150f0-0164-475b-a75e-74b47800a9ff_110.json | 1 - ...150f0-0164-475b-a75e-74b47800a9ff_111.json | 1 - ...150f0-0164-475b-a75e-74b47800a9ff_112.json | 1 - ...150f0-0164-475b-a75e-74b47800a9ff_113.json | 1 - .../c8cccb06-faf2-4cd5-886e-2c9636cfcb87.json | 1 - ...ccb06-faf2-4cd5-886e-2c9636cfcb87_104.json | 1 - ...ccb06-faf2-4cd5-886e-2c9636cfcb87_105.json | 1 - ...ccb06-faf2-4cd5-886e-2c9636cfcb87_106.json | 1 - ...ccb06-faf2-4cd5-886e-2c9636cfcb87_107.json | 1 - ...ccb06-faf2-4cd5-886e-2c9636cfcb87_108.json | 1 - ...ccb06-faf2-4cd5-886e-2c9636cfcb87_109.json | 1 - ...ccb06-faf2-4cd5-886e-2c9636cfcb87_110.json | 1 - ...ccb06-faf2-4cd5-886e-2c9636cfcb87_111.json | 1 - ...ccb06-faf2-4cd5-886e-2c9636cfcb87_112.json | 1 - ...ccb06-faf2-4cd5-886e-2c9636cfcb87_312.json | 1 - .../c9482bfa-a553-4226-8ea2-4959bd4f7923.json | 1 - ...9482bfa-a553-4226-8ea2-4959bd4f7923_1.json | 1 - ...9482bfa-a553-4226-8ea2-4959bd4f7923_2.json | 1 - ...9482bfa-a553-4226-8ea2-4959bd4f7923_3.json | 1 - ...9482bfa-a553-4226-8ea2-4959bd4f7923_4.json | 1 - ...9482bfa-a553-4226-8ea2-4959bd4f7923_5.json | 1 - .../c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa.json | 1 - ...38e64-3f4c-4bf3-ad48-0e61a60ea1fa_100.json | 1 - ...38e64-3f4c-4bf3-ad48-0e61a60ea1fa_101.json | 1 - ...38e64-3f4c-4bf3-ad48-0e61a60ea1fa_102.json | 1 - .../ca79768e-40e1-4e45-a097-0e5fbc876ac2.json | 1 - ...9768e-40e1-4e45-a097-0e5fbc876ac2_101.json | 1 - ...9768e-40e1-4e45-a097-0e5fbc876ac2_102.json | 1 - ...9768e-40e1-4e45-a097-0e5fbc876ac2_103.json | 1 - ...9768e-40e1-4e45-a097-0e5fbc876ac2_105.json | 1 - .../ca98c7cf-a56e-4057-a4e8-39603f7f0389.json | 1 - ...a98c7cf-a56e-4057-a4e8-39603f7f0389_2.json | 1 - ...a98c7cf-a56e-4057-a4e8-39603f7f0389_3.json | 1 - 
...a98c7cf-a56e-4057-a4e8-39603f7f0389_4.json | 1 - ...a98c7cf-a56e-4057-a4e8-39603f7f0389_5.json | 1 - ...a98c7cf-a56e-4057-a4e8-39603f7f0389_6.json | 1 - ...a98c7cf-a56e-4057-a4e8-39603f7f0389_7.json | 1 - ...a98c7cf-a56e-4057-a4e8-39603f7f0389_8.json | 1 - .../cac91072-d165-11ec-a764-f661ea17fbce.json | 1 - ...91072-d165-11ec-a764-f661ea17fbce_105.json | 1 - ...91072-d165-11ec-a764-f661ea17fbce_106.json | 1 - ...91072-d165-11ec-a764-f661ea17fbce_107.json | 1 - ...91072-d165-11ec-a764-f661ea17fbce_207.json | 1 - ...91072-d165-11ec-a764-f661ea17fbce_208.json | 1 - ...91072-d165-11ec-a764-f661ea17fbce_209.json | 1 - ...91072-d165-11ec-a764-f661ea17fbce_210.json | 1 - ...91072-d165-11ec-a764-f661ea17fbce_211.json | 1 - ...91072-d165-11ec-a764-f661ea17fbce_212.json | 1 - ...91072-d165-11ec-a764-f661ea17fbce_213.json | 1 - .../cad4500a-abd7-4ef3-b5d3-95524de7cfe1.json | 1 - ...4500a-abd7-4ef3-b5d3-95524de7cfe1_206.json | 1 - ...4500a-abd7-4ef3-b5d3-95524de7cfe1_207.json | 1 - .../cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51.json | 1 - ...1aa62-55c8-42f0-b0dd-afb0bb0b1f51_102.json | 1 - ...1aa62-55c8-42f0-b0dd-afb0bb0b1f51_103.json | 1 - ...1aa62-55c8-42f0-b0dd-afb0bb0b1f51_104.json | 1 - ...1aa62-55c8-42f0-b0dd-afb0bb0b1f51_105.json | 1 - .../cc2fd2d0-ba3a-4939-b87f-2901764ed036.json | 1 - ...fd2d0-ba3a-4939-b87f-2901764ed036_102.json | 1 - ...fd2d0-ba3a-4939-b87f-2901764ed036_103.json | 1 - ...fd2d0-ba3a-4939-b87f-2901764ed036_104.json | 1 - ...fd2d0-ba3a-4939-b87f-2901764ed036_105.json | 1 - .../cc382a2e-7e52-11ee-9aac-f661ea17fbcd.json | 1 - ...c382a2e-7e52-11ee-9aac-f661ea17fbcd_1.json | 1 - ...82a2e-7e52-11ee-9aac-f661ea17fbcd_102.json | 1 - ...82a2e-7e52-11ee-9aac-f661ea17fbcd_103.json | 1 - ...c382a2e-7e52-11ee-9aac-f661ea17fbcd_2.json | 1 - ...82a2e-7e52-11ee-9aac-f661ea17fbcd_204.json | 55 +++++++ .../cc653d77-ddd2-45b1-9197-c75ad19df66c.json | 1 - ...c653d77-ddd2-45b1-9197-c75ad19df66c_1.json | 1 - ...c653d77-ddd2-45b1-9197-c75ad19df66c_2.json | 1 - 
...c653d77-ddd2-45b1-9197-c75ad19df66c_3.json | 1 - .../cc6a8a20-2df2-11ed-8378-f661ea17fbce.json | 1 - ...a8a20-2df2-11ed-8378-f661ea17fbce_104.json | 1 - ...a8a20-2df2-11ed-8378-f661ea17fbce_105.json | 1 - ...a8a20-2df2-11ed-8378-f661ea17fbce_106.json | 1 - .../cc89312d-6f47-48e4-a87c-4977bd4633c3.json | 1 - ...9312d-6f47-48e4-a87c-4977bd4633c3_103.json | 1 - .../cc92c835-da92-45c9-9f29-b4992ad621a0.json | 1 - ...2c835-da92-45c9-9f29-b4992ad621a0_102.json | 1 - ...2c835-da92-45c9-9f29-b4992ad621a0_103.json | 1 - ...2c835-da92-45c9-9f29-b4992ad621a0_104.json | 1 - ...2c835-da92-45c9-9f29-b4992ad621a0_105.json | 1 - ...2c835-da92-45c9-9f29-b4992ad621a0_106.json | 1 - ...2c835-da92-45c9-9f29-b4992ad621a0_207.json | 1 - ...2c835-da92-45c9-9f29-b4992ad621a0_208.json | 1 - ...2c835-da92-45c9-9f29-b4992ad621a0_210.json | 1 - ...2c835-da92-45c9-9f29-b4992ad621a0_310.json | 84 +++++++++++ .../cd16fb10-0261-46e8-9932-a0336278cdbe.json | 1 - ...6fb10-0261-46e8-9932-a0336278cdbe_102.json | 1 - ...6fb10-0261-46e8-9932-a0336278cdbe_103.json | 1 - ...6fb10-0261-46e8-9932-a0336278cdbe_104.json | 1 - ...6fb10-0261-46e8-9932-a0336278cdbe_105.json | 1 - ...6fb10-0261-46e8-9932-a0336278cdbe_206.json | 1 - ...6fb10-0261-46e8-9932-a0336278cdbe_207.json | 1 - ...6fb10-0261-46e8-9932-a0336278cdbe_209.json | 1 - ...6fb10-0261-46e8-9932-a0336278cdbe_309.json | 77 ++++++++++ .../cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530.json | 1 - ...6a419-9b3f-4f57-8ff8-ac4cd2d5f530_101.json | 1 - ...6a419-9b3f-4f57-8ff8-ac4cd2d5f530_102.json | 1 - ...6a419-9b3f-4f57-8ff8-ac4cd2d5f530_103.json | 1 - .../cd66a5af-e34b-4bb0-8931-57d0a043f2ef.json | 1 - ...6a5af-e34b-4bb0-8931-57d0a043f2ef_103.json | 1 - ...6a5af-e34b-4bb0-8931-57d0a043f2ef_104.json | 1 - ...6a5af-e34b-4bb0-8931-57d0a043f2ef_105.json | 1 - ...6a5af-e34b-4bb0-8931-57d0a043f2ef_106.json | 1 - ...6a5af-e34b-4bb0-8931-57d0a043f2ef_107.json | 1 - ...6a5af-e34b-4bb0-8931-57d0a043f2ef_108.json | 1 - ...6a5af-e34b-4bb0-8931-57d0a043f2ef_109.json | 1 - 
.../cd82e3d6-1346-4afd-8f22-38388bbf34cb.json | 1 - ...d82e3d6-1346-4afd-8f22-38388bbf34cb_1.json | 1 - ...d82e3d6-1346-4afd-8f22-38388bbf34cb_2.json | 1 - .../cd89602e-9db0-48e3-9391-ae3bf241acd8.json | 1 - ...9602e-9db0-48e3-9391-ae3bf241acd8_102.json | 1 - ...9602e-9db0-48e3-9391-ae3bf241acd8_103.json | 1 - ...9602e-9db0-48e3-9391-ae3bf241acd8_104.json | 1 - ...9602e-9db0-48e3-9391-ae3bf241acd8_105.json | 1 - ...9602e-9db0-48e3-9391-ae3bf241acd8_206.json | 1 - ...9602e-9db0-48e3-9391-ae3bf241acd8_207.json | 1 - ...9602e-9db0-48e3-9391-ae3bf241acd8_208.json | 1 - ...9602e-9db0-48e3-9391-ae3bf241acd8_209.json | 1 - ...9602e-9db0-48e3-9391-ae3bf241acd8_211.json | 1 - ...9602e-9db0-48e3-9391-ae3bf241acd8_311.json | 100 +++++++++++++ .../cdbebdc1-dc97-43c6-a538-f26a20c0a911.json | 1 - ...ebdc1-dc97-43c6-a538-f26a20c0a911_102.json | 1 - ...ebdc1-dc97-43c6-a538-f26a20c0a911_103.json | 1 - ...ebdc1-dc97-43c6-a538-f26a20c0a911_104.json | 1 - ...ebdc1-dc97-43c6-a538-f26a20c0a911_105.json | 1 - ...ebdc1-dc97-43c6-a538-f26a20c0a911_106.json | 1 - ...ebdc1-dc97-43c6-a538-f26a20c0a911_207.json | 1 - ...ebdc1-dc97-43c6-a538-f26a20c0a911_208.json | 1 - ...ebdc1-dc97-43c6-a538-f26a20c0a911_210.json | 1 - ...ebdc1-dc97-43c6-a538-f26a20c0a911_310.json | 69 +++++++++ .../cde1bafa-9f01-4f43-a872-605b678968b0.json | 1 - ...e1bafa-9f01-4f43-a872-605b678968b0_10.json | 1 - ...1bafa-9f01-4f43-a872-605b678968b0_111.json | 1 - ...1bafa-9f01-4f43-a872-605b678968b0_112.json | 1 - ...de1bafa-9f01-4f43-a872-605b678968b0_2.json | 1 - ...de1bafa-9f01-4f43-a872-605b678968b0_3.json | 1 - ...de1bafa-9f01-4f43-a872-605b678968b0_4.json | 1 - ...de1bafa-9f01-4f43-a872-605b678968b0_5.json | 1 - ...de1bafa-9f01-4f43-a872-605b678968b0_6.json | 1 - ...de1bafa-9f01-4f43-a872-605b678968b0_7.json | 1 - ...de1bafa-9f01-4f43-a872-605b678968b0_8.json | 1 - ...de1bafa-9f01-4f43-a872-605b678968b0_9.json | 1 - .../cdf1a39b-1ca5-4e2a-9739-17fc4d026029.json | 1 - ...df1a39b-1ca5-4e2a-9739-17fc4d026029_1.json | 1 - 
.../ce08b55a-f67d-4804-92b5-617b0fe5a5b5.json | 1 - ...e08b55a-f67d-4804-92b5-617b0fe5a5b5_1.json | 1 - ...8b55a-f67d-4804-92b5-617b0fe5a5b5_103.json | 88 +++++++++++ .../ce64d965-6cb0-466d-b74f-8d2c76f47f05.json | 1 - ...4d965-6cb0-466d-b74f-8d2c76f47f05_103.json | 1 - ...4d965-6cb0-466d-b74f-8d2c76f47f05_104.json | 1 - ...4d965-6cb0-466d-b74f-8d2c76f47f05_105.json | 1 - ...4d965-6cb0-466d-b74f-8d2c76f47f05_106.json | 1 - ...4d965-6cb0-466d-b74f-8d2c76f47f05_107.json | 1 - ...4d965-6cb0-466d-b74f-8d2c76f47f05_108.json | 1 - ...4d965-6cb0-466d-b74f-8d2c76f47f05_109.json | 1 - ...4d965-6cb0-466d-b74f-8d2c76f47f05_110.json | 1 - ...4d965-6cb0-466d-b74f-8d2c76f47f05_310.json | 1 - .../cf53f532-9cc9-445a-9ae7-fced307ec53c.json | 1 - ...3f532-9cc9-445a-9ae7-fced307ec53c_102.json | 1 - ...3f532-9cc9-445a-9ae7-fced307ec53c_103.json | 1 - ...3f532-9cc9-445a-9ae7-fced307ec53c_104.json | 1 - .../cf549724-c577-4fd6-8f9b-d1b8ec519ec0.json | 1 - ...49724-c577-4fd6-8f9b-d1b8ec519ec0_203.json | 1 - ...49724-c577-4fd6-8f9b-d1b8ec519ec0_204.json | 1 - ...49724-c577-4fd6-8f9b-d1b8ec519ec0_205.json | 1 - .../cf575427-0839-4c69-a9e6-99fde02606f3.json | 1 - ...f575427-0839-4c69-a9e6-99fde02606f3_1.json | 1 - .../cf6995ec-32a9-4b2d-9340-f8e61acf3f4e.json | 1 - ...f6995ec-32a9-4b2d-9340-f8e61acf3f4e_1.json | 1 - .../cff92c41-2225-4763-b4ce-6f71e5bda5e6.json | 1 - ...92c41-2225-4763-b4ce-6f71e5bda5e6_105.json | 1 - ...92c41-2225-4763-b4ce-6f71e5bda5e6_106.json | 1 - ...92c41-2225-4763-b4ce-6f71e5bda5e6_107.json | 1 - ...92c41-2225-4763-b4ce-6f71e5bda5e6_108.json | 1 - ...92c41-2225-4763-b4ce-6f71e5bda5e6_109.json | 1 - ...92c41-2225-4763-b4ce-6f71e5bda5e6_110.json | 1 - ...92c41-2225-4763-b4ce-6f71e5bda5e6_111.json | 1 - ...92c41-2225-4763-b4ce-6f71e5bda5e6_112.json | 1 - ...92c41-2225-4763-b4ce-6f71e5bda5e6_113.json | 1 - ...92c41-2225-4763-b4ce-6f71e5bda5e6_114.json | 1 - .../cffbaf47-9391-4e09-a83c-1f27d7474826.json | 1 - ...ffbaf47-9391-4e09-a83c-1f27d7474826_1.json | 1 - 
.../d00f33e7-b57d-4023-9952-2db91b1767c4.json | 1 - ...00f33e7-b57d-4023-9952-2db91b1767c4_4.json | 1 - ...00f33e7-b57d-4023-9952-2db91b1767c4_5.json | 1 - ...00f33e7-b57d-4023-9952-2db91b1767c4_6.json | 1 - ...00f33e7-b57d-4023-9952-2db91b1767c4_7.json | 1 - ...00f33e7-b57d-4023-9952-2db91b1767c4_8.json | 1 - .../d0b0f3ed-0b37-44bf-adee-e8cb7de92767.json | 1 - .../d0e159cf-73e9-40d1-a9ed-077e3158a855.json | 1 - ...159cf-73e9-40d1-a9ed-077e3158a855_102.json | 1 - ...159cf-73e9-40d1-a9ed-077e3158a855_103.json | 1 - ...159cf-73e9-40d1-a9ed-077e3158a855_104.json | 1 - ...159cf-73e9-40d1-a9ed-077e3158a855_105.json | 1 - ...159cf-73e9-40d1-a9ed-077e3158a855_106.json | 1 - ...159cf-73e9-40d1-a9ed-077e3158a855_107.json | 1 - ...159cf-73e9-40d1-a9ed-077e3158a855_108.json | 1 - ...159cf-73e9-40d1-a9ed-077e3158a855_109.json | 1 - ...159cf-73e9-40d1-a9ed-077e3158a855_110.json | 1 - ...159cf-73e9-40d1-a9ed-077e3158a855_111.json | 1 - .../d117cbb4-7d56-41b4-b999-bdf8c25648a0.json | 1 - ...7cbb4-7d56-41b4-b999-bdf8c25648a0_104.json | 1 - ...7cbb4-7d56-41b4-b999-bdf8c25648a0_105.json | 1 - ...7cbb4-7d56-41b4-b999-bdf8c25648a0_106.json | 1 - ...7cbb4-7d56-41b4-b999-bdf8c25648a0_107.json | 1 - ...7cbb4-7d56-41b4-b999-bdf8c25648a0_108.json | 1 - ...7cbb4-7d56-41b4-b999-bdf8c25648a0_109.json | 1 - ...7cbb4-7d56-41b4-b999-bdf8c25648a0_110.json | 1 - ...7cbb4-7d56-41b4-b999-bdf8c25648a0_111.json | 1 - ...7cbb4-7d56-41b4-b999-bdf8c25648a0_112.json | 1 - ...7cbb4-7d56-41b4-b999-bdf8c25648a0_312.json | 1 - .../d12bac54-ab2a-4159-933f-d7bcefa7b61d.json | 1 - ...12bac54-ab2a-4159-933f-d7bcefa7b61d_1.json | 1 - ...12bac54-ab2a-4159-933f-d7bcefa7b61d_2.json | 1 - ...12bac54-ab2a-4159-933f-d7bcefa7b61d_3.json | 1 - ...12bac54-ab2a-4159-933f-d7bcefa7b61d_4.json | 1 - .../d197478e-39f0-4347-a22f-ba654718b148.json | 1 - ...197478e-39f0-4347-a22f-ba654718b148_1.json | 1 - ...197478e-39f0-4347-a22f-ba654718b148_2.json | 1 - .../d1e5e410-3e34-412e-9b1f-dd500b3b55cd.json | 1 - 
.../d22a85c6-d2ad-4cc4-bf7b-54787473669a.json | 1 - ...a85c6-d2ad-4cc4-bf7b-54787473669a_102.json | 1 - ...a85c6-d2ad-4cc4-bf7b-54787473669a_103.json | 1 - ...a85c6-d2ad-4cc4-bf7b-54787473669a_104.json | 1 - ...a85c6-d2ad-4cc4-bf7b-54787473669a_105.json | 1 - .../d31f183a-e5b1-451b-8534-ba62bca0b404.json | 1 - ...f183a-e5b1-451b-8534-ba62bca0b404_104.json | 1 - ...f183a-e5b1-451b-8534-ba62bca0b404_105.json | 1 - ...f183a-e5b1-451b-8534-ba62bca0b404_106.json | 1 - ...f183a-e5b1-451b-8534-ba62bca0b404_107.json | 1 - ...f183a-e5b1-451b-8534-ba62bca0b404_108.json | 1 - ...f183a-e5b1-451b-8534-ba62bca0b404_109.json | 1 - ...f183a-e5b1-451b-8534-ba62bca0b404_110.json | 1 - ...f183a-e5b1-451b-8534-ba62bca0b404_111.json | 1 - ...f183a-e5b1-451b-8534-ba62bca0b404_112.json | 1 - .../d331bbe2-6db4-4941-80a5-8270db72eb61.json | 1 - ...1bbe2-6db4-4941-80a5-8270db72eb61_105.json | 1 - ...1bbe2-6db4-4941-80a5-8270db72eb61_106.json | 1 - ...1bbe2-6db4-4941-80a5-8270db72eb61_107.json | 1 - ...1bbe2-6db4-4941-80a5-8270db72eb61_108.json | 1 - ...1bbe2-6db4-4941-80a5-8270db72eb61_109.json | 1 - ...1bbe2-6db4-4941-80a5-8270db72eb61_110.json | 1 - ...1bbe2-6db4-4941-80a5-8270db72eb61_111.json | 1 - ...1bbe2-6db4-4941-80a5-8270db72eb61_112.json | 1 - ...1bbe2-6db4-4941-80a5-8270db72eb61_113.json | 1 - ...1bbe2-6db4-4941-80a5-8270db72eb61_114.json | 1 - ...1bbe2-6db4-4941-80a5-8270db72eb61_314.json | 1 - .../d33ea3bf-9a11-463e-bd46-f648f2a0f4b1.json | 1 - ...33ea3bf-9a11-463e-bd46-f648f2a0f4b1_4.json | 1 - ...33ea3bf-9a11-463e-bd46-f648f2a0f4b1_5.json | 1 - ...33ea3bf-9a11-463e-bd46-f648f2a0f4b1_6.json | 1 - ...33ea3bf-9a11-463e-bd46-f648f2a0f4b1_7.json | 1 - .../d3551433-782f-4e22-bbea-c816af2d41c6.json | 1 - ...3551433-782f-4e22-bbea-c816af2d41c6_1.json | 1 - ...3551433-782f-4e22-bbea-c816af2d41c6_2.json | 1 - ...3551433-782f-4e22-bbea-c816af2d41c6_3.json | 1 - .../d461fac0-43e8-49e2-85ea-3a58fe120b4f.json | 1 - ...1fac0-43e8-49e2-85ea-3a58fe120b4f_102.json | 1 - 
...1fac0-43e8-49e2-85ea-3a58fe120b4f_103.json | 1 - ...1fac0-43e8-49e2-85ea-3a58fe120b4f_104.json | 1 - ...1fac0-43e8-49e2-85ea-3a58fe120b4f_105.json | 1 - ...1fac0-43e8-49e2-85ea-3a58fe120b4f_106.json | 1 - .../d488f026-7907-4f56-ad51-742feb3db01c.json | 1 - .../d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f.json | 1 - ...e1c13-4aca-4d1f-a7b1-a9161c0ad86f_102.json | 1 - ...e1c13-4aca-4d1f-a7b1-a9161c0ad86f_103.json | 1 - ...e1c13-4aca-4d1f-a7b1-a9161c0ad86f_104.json | 1 - ...e1c13-4aca-4d1f-a7b1-a9161c0ad86f_205.json | 1 - ...e1c13-4aca-4d1f-a7b1-a9161c0ad86f_206.json | 1 - ...e1c13-4aca-4d1f-a7b1-a9161c0ad86f_208.json | 1 - ...e1c13-4aca-4d1f-a7b1-a9161c0ad86f_308.json | 76 ++++++++++ .../d49cc73f-7a16-4def-89ce-9fc7127d7820.json | 1 - ...cc73f-7a16-4def-89ce-9fc7127d7820_101.json | 1 - .../d4af3a06-1e0a-48ec-b96a-faf2309fae46.json | 1 - ...f3a06-1e0a-48ec-b96a-faf2309fae46_101.json | 1 - ...f3a06-1e0a-48ec-b96a-faf2309fae46_102.json | 1 - ...f3a06-1e0a-48ec-b96a-faf2309fae46_103.json | 1 - .../d4b73fa0-9d43-465e-b8bf-50230da6718b.json | 1 - ...73fa0-9d43-465e-b8bf-50230da6718b_101.json | 1 - ...73fa0-9d43-465e-b8bf-50230da6718b_102.json | 1 - ...73fa0-9d43-465e-b8bf-50230da6718b_103.json | 1 - .../d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f.json | 1 - ...4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_1.json | 1 - ...4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_2.json | 1 - ...4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_3.json | 1 - ...4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_4.json | 1 - ...4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_5.json | 1 - .../d55436a8-719c-445f-92c4-c113ff2f9ba5.json | 1 - ...55436a8-719c-445f-92c4-c113ff2f9ba5_1.json | 1 - ...55436a8-719c-445f-92c4-c113ff2f9ba5_2.json | 1 - ...55436a8-719c-445f-92c4-c113ff2f9ba5_3.json | 1 - ...55436a8-719c-445f-92c4-c113ff2f9ba5_4.json | 1 - .../d55abdfb-5384-402b-add4-6c401501b0c3.json | 1 - ...55abdfb-5384-402b-add4-6c401501b0c3_1.json | 1 - ...55abdfb-5384-402b-add4-6c401501b0c3_2.json | 1 - .../d563aaba-2e72-462b-8658-3e5ea22db3a6.json | 1 - 
...3aaba-2e72-462b-8658-3e5ea22db3a6_102.json | 1 - ...3aaba-2e72-462b-8658-3e5ea22db3a6_103.json | 1 - ...3aaba-2e72-462b-8658-3e5ea22db3a6_104.json | 1 - ...3aaba-2e72-462b-8658-3e5ea22db3a6_105.json | 1 - ...3aaba-2e72-462b-8658-3e5ea22db3a6_106.json | 1 - ...3aaba-2e72-462b-8658-3e5ea22db3a6_107.json | 1 - ...3aaba-2e72-462b-8658-3e5ea22db3a6_108.json | 1 - .../d5d86bf5-cf0c-4c06-b688-53fdc072fdfd.json | 1 - ...86bf5-cf0c-4c06-b688-53fdc072fdfd_102.json | 1 - ...86bf5-cf0c-4c06-b688-53fdc072fdfd_103.json | 1 - ...86bf5-cf0c-4c06-b688-53fdc072fdfd_104.json | 1 - ...86bf5-cf0c-4c06-b688-53fdc072fdfd_105.json | 1 - ...86bf5-cf0c-4c06-b688-53fdc072fdfd_206.json | 1 - ...86bf5-cf0c-4c06-b688-53fdc072fdfd_207.json | 1 - ...86bf5-cf0c-4c06-b688-53fdc072fdfd_209.json | 1 - ...86bf5-cf0c-4c06-b688-53fdc072fdfd_309.json | 84 +++++++++++ .../d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc.json | 1 - ...cbcf8-1bc1-4cff-85ba-e7b21c5beedc_103.json | 1 - ...cbcf8-1bc1-4cff-85ba-e7b21c5beedc_104.json | 1 - ...cbcf8-1bc1-4cff-85ba-e7b21c5beedc_105.json | 1 - ...cbcf8-1bc1-4cff-85ba-e7b21c5beedc_106.json | 1 - ...cbcf8-1bc1-4cff-85ba-e7b21c5beedc_107.json | 1 - .../d6241c90-99f2-44db-b50f-299b6ebd7ee9.json | 1 - ...6241c90-99f2-44db-b50f-299b6ebd7ee9_1.json | 1 - .../d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17.json | 1 - ...4f0ae-3dd1-4856-9aad-ccfe4d4bfa17_105.json | 1 - ...4f0ae-3dd1-4856-9aad-ccfe4d4bfa17_106.json | 1 - ...4f0ae-3dd1-4856-9aad-ccfe4d4bfa17_107.json | 1 - ...4f0ae-3dd1-4856-9aad-ccfe4d4bfa17_208.json | 1 - .../d62b64a8-a7c9-43e5-aee3-15a725a794e7.json | 1 - ...b64a8-a7c9-43e5-aee3-15a725a794e7_104.json | 1 - .../d68e95ad-1c82-4074-a12a-125fe10ac8ba.json | 1 - ...8e95ad-1c82-4074-a12a-125fe10ac8ba_10.json | 1 - ...8e95ad-1c82-4074-a12a-125fe10ac8ba_11.json | 1 - ...8e95ad-1c82-4074-a12a-125fe10ac8ba_12.json | 1 - ...8e95ad-1c82-4074-a12a-125fe10ac8ba_13.json | 1 - ...68e95ad-1c82-4074-a12a-125fe10ac8ba_3.json | 1 - ...68e95ad-1c82-4074-a12a-125fe10ac8ba_4.json | 1 - 
...68e95ad-1c82-4074-a12a-125fe10ac8ba_5.json | 1 - ...68e95ad-1c82-4074-a12a-125fe10ac8ba_6.json | 1 - ...68e95ad-1c82-4074-a12a-125fe10ac8ba_7.json | 1 - ...68e95ad-1c82-4074-a12a-125fe10ac8ba_8.json | 1 - ...68e95ad-1c82-4074-a12a-125fe10ac8ba_9.json | 1 - .../d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa.json | 1 - ...eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_101.json | 1 - ...eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_102.json | 1 - ...eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_103.json | 1 - ...eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_105.json | 1 - .../d703a5af-d5b0-43bd-8ddb-7a5d500b7da5.json | 1 - ...3a5af-d5b0-43bd-8ddb-7a5d500b7da5_104.json | 1 - ...3a5af-d5b0-43bd-8ddb-7a5d500b7da5_105.json | 1 - ...3a5af-d5b0-43bd-8ddb-7a5d500b7da5_106.json | 1 - ...3a5af-d5b0-43bd-8ddb-7a5d500b7da5_107.json | 1 - ...3a5af-d5b0-43bd-8ddb-7a5d500b7da5_108.json | 1 - ...3a5af-d5b0-43bd-8ddb-7a5d500b7da5_109.json | 1 - ...3a5af-d5b0-43bd-8ddb-7a5d500b7da5_110.json | 1 - .../d72e33fc-6e91-42ff-ac8b-e573268c5a87.json | 1 - ...e33fc-6e91-42ff-ac8b-e573268c5a87_104.json | 1 - ...e33fc-6e91-42ff-ac8b-e573268c5a87_105.json | 1 - ...e33fc-6e91-42ff-ac8b-e573268c5a87_106.json | 1 - ...e33fc-6e91-42ff-ac8b-e573268c5a87_107.json | 1 - ...e33fc-6e91-42ff-ac8b-e573268c5a87_108.json | 1 - ...e33fc-6e91-42ff-ac8b-e573268c5a87_109.json | 1 - ...e33fc-6e91-42ff-ac8b-e573268c5a87_110.json | 1 - ...e33fc-6e91-42ff-ac8b-e573268c5a87_111.json | 1 - ...e33fc-6e91-42ff-ac8b-e573268c5a87_112.json | 1 - ...e33fc-6e91-42ff-ac8b-e573268c5a87_312.json | 1 - .../d743ff2a-203e-4a46-a3e3-40512cfe8fbb.json | 1 - ...3ff2a-203e-4a46-a3e3-40512cfe8fbb_101.json | 1 - ...3ff2a-203e-4a46-a3e3-40512cfe8fbb_102.json | 1 - ...3ff2a-203e-4a46-a3e3-40512cfe8fbb_103.json | 1 - ...3ff2a-203e-4a46-a3e3-40512cfe8fbb_105.json | 1 - .../d74d6506-427a-4790-b170-0c2a6ddac799.json | 1 - ...74d6506-427a-4790-b170-0c2a6ddac799_1.json | 1 - ...74d6506-427a-4790-b170-0c2a6ddac799_2.json | 1 - .../d75991f2-b989-419d-b797-ac1e54ec2d61.json | 1 - 
...991f2-b989-419d-b797-ac1e54ec2d61_102.json | 1 - ...991f2-b989-419d-b797-ac1e54ec2d61_103.json | 1 - ...991f2-b989-419d-b797-ac1e54ec2d61_104.json | 1 - ...991f2-b989-419d-b797-ac1e54ec2d61_105.json | 1 - ...991f2-b989-419d-b797-ac1e54ec2d61_106.json | 1 - .../d76b02ef-fc95-4001-9297-01cb7412232f.json | 1 - ...b02ef-fc95-4001-9297-01cb7412232f_103.json | 1 - ...b02ef-fc95-4001-9297-01cb7412232f_104.json | 1 - ...b02ef-fc95-4001-9297-01cb7412232f_105.json | 1 - ...b02ef-fc95-4001-9297-01cb7412232f_106.json | 1 - ...b02ef-fc95-4001-9297-01cb7412232f_107.json | 1 - ...b02ef-fc95-4001-9297-01cb7412232f_108.json | 1 - ...b02ef-fc95-4001-9297-01cb7412232f_109.json | 1 - .../d79c4b2a-6134-4edd-86e6-564a92a933f9.json | 1 - ...c4b2a-6134-4edd-86e6-564a92a933f9_101.json | 1 - ...c4b2a-6134-4edd-86e6-564a92a933f9_102.json | 1 - .../d7d5c059-c19a-4a96-8ae3-41496ef3bcf9.json | 1 - ...5c059-c19a-4a96-8ae3-41496ef3bcf9_101.json | 1 - ...5c059-c19a-4a96-8ae3-41496ef3bcf9_102.json | 1 - ...5c059-c19a-4a96-8ae3-41496ef3bcf9_103.json | 1 - .../d7e62693-aab9-4f66-a21a-3d79ecdd603d.json | 1 - ...62693-aab9-4f66-a21a-3d79ecdd603d_100.json | 1 - ...62693-aab9-4f66-a21a-3d79ecdd603d_101.json | 1 - ...62693-aab9-4f66-a21a-3d79ecdd603d_102.json | 1 - ...62693-aab9-4f66-a21a-3d79ecdd603d_103.json | 1 - ...62693-aab9-4f66-a21a-3d79ecdd603d_104.json | 1 - .../d8ab1ec1-feeb-48b9-89e7-c12e189448aa.json | 1 - ...8ab1ec1-feeb-48b9-89e7-c12e189448aa_2.json | 1 - ...8ab1ec1-feeb-48b9-89e7-c12e189448aa_3.json | 1 - ...8ab1ec1-feeb-48b9-89e7-c12e189448aa_4.json | 1 - ...8ab1ec1-feeb-48b9-89e7-c12e189448aa_5.json | 1 - ...8ab1ec1-feeb-48b9-89e7-c12e189448aa_6.json | 1 - ...8ab1ec1-feeb-48b9-89e7-c12e189448aa_7.json | 1 - ...8ab1ec1-feeb-48b9-89e7-c12e189448aa_8.json | 1 - .../d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958.json | 1 - ...c1cca-93ed-43c1-bbb6-c0dd3eff2958_105.json | 1 - ...c1cca-93ed-43c1-bbb6-c0dd3eff2958_106.json | 1 - ...c1cca-93ed-43c1-bbb6-c0dd3eff2958_107.json | 1 - 
...c1cca-93ed-43c1-bbb6-c0dd3eff2958_208.json | 1 - ...c1cca-93ed-43c1-bbb6-c0dd3eff2958_209.json | 1 - .../d93e61db-82d6-4095-99aa-714988118064.json | 1 - ...93e61db-82d6-4095-99aa-714988118064_1.json | 1 - ...93e61db-82d6-4095-99aa-714988118064_2.json | 1 - ...e61db-82d6-4095-99aa-714988118064_202.json | 1 - .../d99a037b-c8e2-47a5-97b9-170d076827c4.json | 1 - ...a037b-c8e2-47a5-97b9-170d076827c4_104.json | 1 - ...a037b-c8e2-47a5-97b9-170d076827c4_105.json | 1 - ...a037b-c8e2-47a5-97b9-170d076827c4_106.json | 1 - ...a037b-c8e2-47a5-97b9-170d076827c4_107.json | 1 - ...a037b-c8e2-47a5-97b9-170d076827c4_108.json | 1 - ...a037b-c8e2-47a5-97b9-170d076827c4_109.json | 1 - ...a037b-c8e2-47a5-97b9-170d076827c4_110.json | 1 - ...a037b-c8e2-47a5-97b9-170d076827c4_111.json | 1 - ...a037b-c8e2-47a5-97b9-170d076827c4_112.json | 1 - ...a037b-c8e2-47a5-97b9-170d076827c4_312.json | 1 - ...fc3d6-9de9-4b29-9395-5757d0695ecf_101.json | 1 - .../da7733b1-fe08-487e-b536-0a04c6d8b0cd.json | 1 - ...7733b1-fe08-487e-b536-0a04c6d8b0cd_10.json | 1 - ...7733b1-fe08-487e-b536-0a04c6d8b0cd_11.json | 1 - ...a7733b1-fe08-487e-b536-0a04c6d8b0cd_2.json | 1 - ...a7733b1-fe08-487e-b536-0a04c6d8b0cd_3.json | 1 - ...a7733b1-fe08-487e-b536-0a04c6d8b0cd_4.json | 1 - ...a7733b1-fe08-487e-b536-0a04c6d8b0cd_5.json | 1 - ...a7733b1-fe08-487e-b536-0a04c6d8b0cd_6.json | 1 - ...a7733b1-fe08-487e-b536-0a04c6d8b0cd_7.json | 1 - ...a7733b1-fe08-487e-b536-0a04c6d8b0cd_8.json | 1 - ...a7733b1-fe08-487e-b536-0a04c6d8b0cd_9.json | 1 - .../da7f5803-1cd4-42fd-a890-0173ae80ac69.json | 1 - ...a7f5803-1cd4-42fd-a890-0173ae80ac69_1.json | 1 - ...a7f5803-1cd4-42fd-a890-0173ae80ac69_2.json | 1 - ...a7f5803-1cd4-42fd-a890-0173ae80ac69_3.json | 1 - ...a7f5803-1cd4-42fd-a890-0173ae80ac69_4.json | 1 - .../da87eee1-129c-4661-a7aa-57d0b9645fad.json | 1 - ...87eee1-129c-4661-a7aa-57d0b9645fad_10.json | 1 - ...a87eee1-129c-4661-a7aa-57d0b9645fad_4.json | 1 - ...a87eee1-129c-4661-a7aa-57d0b9645fad_5.json | 1 - 
...a87eee1-129c-4661-a7aa-57d0b9645fad_6.json | 1 - ...a87eee1-129c-4661-a7aa-57d0b9645fad_7.json | 1 - ...a87eee1-129c-4661-a7aa-57d0b9645fad_8.json | 1 - ...a87eee1-129c-4661-a7aa-57d0b9645fad_9.json | 1 - .../daafdf96-e7b1-4f14-b494-27e0d24b11f6.json | 1 - ...aafdf96-e7b1-4f14-b494-27e0d24b11f6_1.json | 1 - ...aafdf96-e7b1-4f14-b494-27e0d24b11f6_2.json | 1 - ...aafdf96-e7b1-4f14-b494-27e0d24b11f6_3.json | 1 - ...aafdf96-e7b1-4f14-b494-27e0d24b11f6_4.json | 1 - ...aafdf96-e7b1-4f14-b494-27e0d24b11f6_5.json | 1 - .../dafa3235-76dc-40e2-9f71-1773b96d24cf.json | 1 - ...a3235-76dc-40e2-9f71-1773b96d24cf_104.json | 1 - .../db65f5ba-d1ef-4944-b9e8-7e51060c2b42.json | 1 - ...b65f5ba-d1ef-4944-b9e8-7e51060c2b42_1.json | 1 - ...b65f5ba-d1ef-4944-b9e8-7e51060c2b42_2.json | 1 - ...b65f5ba-d1ef-4944-b9e8-7e51060c2b42_3.json | 1 - .../db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd.json | 1 - ...b7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_2.json | 1 - ...dbad5-08d2-4d25-b9b1-d3a1e4a15efd_207.json | 1 - ...b7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_3.json | 1 - ...b7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_4.json | 1 - ...b7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_5.json | 1 - ...b7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_6.json | 1 - ...b7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_7.json | 1 - .../db8c33a8-03cd-4988-9e2c-d0a4863adb13.json | 1 - ...c33a8-03cd-4988-9e2c-d0a4863adb13_100.json | 1 - ...c33a8-03cd-4988-9e2c-d0a4863adb13_101.json | 1 - ...c33a8-03cd-4988-9e2c-d0a4863adb13_102.json | 1 - .../dc0b7782-0df0-47ff-8337-db0d678bdb66.json | 1 - ...c0b7782-0df0-47ff-8337-db0d678bdb66_1.json | 1 - ...c0b7782-0df0-47ff-8337-db0d678bdb66_2.json | 1 - ...c0b7782-0df0-47ff-8337-db0d678bdb66_3.json | 1 - ...c0b7782-0df0-47ff-8337-db0d678bdb66_4.json | 1 - .../dc61f382-dc0c-4cc0-a845-069f2a071704.json | 1 - ...c61f382-dc0c-4cc0-a845-069f2a071704_1.json | 1 - .../dc71c186-9fe4-4437-a4d0-85ebb32b8204.json | 1 - ...c71c186-9fe4-4437-a4d0-85ebb32b8204_1.json | 1 - ...c71c186-9fe4-4437-a4d0-85ebb32b8204_2.json | 1 - 
...c71c186-9fe4-4437-a4d0-85ebb32b8204_3.json | 1 - ...c71c186-9fe4-4437-a4d0-85ebb32b8204_4.json | 1 - ...c71c186-9fe4-4437-a4d0-85ebb32b8204_5.json | 1 - ...c71c186-9fe4-4437-a4d0-85ebb32b8204_6.json | 1 - ...c71c186-9fe4-4437-a4d0-85ebb32b8204_7.json | 1 - ...c71c186-9fe4-4437-a4d0-85ebb32b8204_8.json | 1 - .../dc9c1f74-dac3-48e3-b47f-eb79db358f57.json | 1 - ...c1f74-dac3-48e3-b47f-eb79db358f57_104.json | 1 - ...c1f74-dac3-48e3-b47f-eb79db358f57_105.json | 1 - ...c1f74-dac3-48e3-b47f-eb79db358f57_106.json | 1 - ...c1f74-dac3-48e3-b47f-eb79db358f57_107.json | 1 - ...c1f74-dac3-48e3-b47f-eb79db358f57_108.json | 1 - ...c1f74-dac3-48e3-b47f-eb79db358f57_109.json | 1 - ...c1f74-dac3-48e3-b47f-eb79db358f57_110.json | 1 - ...c1f74-dac3-48e3-b47f-eb79db358f57_111.json | 1 - ...c1f74-dac3-48e3-b47f-eb79db358f57_311.json | 1 - ...c1f74-dac3-48e3-b47f-eb79db358f57_312.json | 1 - .../dca28dee-c999-400f-b640-50a081cc0fd1.json | 1 - ...28dee-c999-400f-b640-50a081cc0fd1_104.json | 1 - ...28dee-c999-400f-b640-50a081cc0fd1_105.json | 1 - ...28dee-c999-400f-b640-50a081cc0fd1_106.json | 1 - ...28dee-c999-400f-b640-50a081cc0fd1_107.json | 1 - ...28dee-c999-400f-b640-50a081cc0fd1_208.json | 1 - .../dca6b4b0-ae70-44eb-bb7a-ce6db502ee78.json | 1 - ...ca6b4b0-ae70-44eb-bb7a-ce6db502ee78_1.json | 1 - ...ca6b4b0-ae70-44eb-bb7a-ce6db502ee78_2.json | 1 - ...6b4b0-ae70-44eb-bb7a-ce6db502ee78_203.json | 1 - ...ca6b4b0-ae70-44eb-bb7a-ce6db502ee78_3.json | 1 - .../dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e.json | 1 - ...d34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_2.json | 1 - ...4b062-b9e3-4a6b-8c0c-6c8ca6dd450e_208.json | 1 - ...d34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_3.json | 1 - ...d34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_4.json | 1 - ...d34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_5.json | 1 - ...d34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_6.json | 1 - ...d34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_7.json | 1 - ...d34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_8.json | 1 - .../dd52d45a-4602-4195-9018-ebe0f219c273.json | 1 - 
...d52d45a-4602-4195-9018-ebe0f219c273_1.json | 1 - ...d52d45a-4602-4195-9018-ebe0f219c273_2.json | 1 - .../ddab1f5f-7089-44f5-9fda-de5b11322e77.json | 1 - ...b1f5f-7089-44f5-9fda-de5b11322e77_103.json | 1 - ...b1f5f-7089-44f5-9fda-de5b11322e77_104.json | 1 - ...b1f5f-7089-44f5-9fda-de5b11322e77_105.json | 1 - ...b1f5f-7089-44f5-9fda-de5b11322e77_106.json | 1 - ...b1f5f-7089-44f5-9fda-de5b11322e77_107.json | 1 - ...b1f5f-7089-44f5-9fda-de5b11322e77_108.json | 1 - ...b1f5f-7089-44f5-9fda-de5b11322e77_109.json | 1 - ...b1f5f-7089-44f5-9fda-de5b11322e77_110.json | 1 - .../dde13d58-bc39-4aa0-87fd-b4bdbf4591da.json | 1 - ...de13d58-bc39-4aa0-87fd-b4bdbf4591da_1.json | 1 - ...de13d58-bc39-4aa0-87fd-b4bdbf4591da_2.json | 1 - .../de9bd7e0-49e9-4e92-a64d-53ade2e66af1.json | 1 - ...bd7e0-49e9-4e92-a64d-53ade2e66af1_104.json | 1 - ...bd7e0-49e9-4e92-a64d-53ade2e66af1_105.json | 1 - ...bd7e0-49e9-4e92-a64d-53ade2e66af1_106.json | 1 - ...bd7e0-49e9-4e92-a64d-53ade2e66af1_107.json | 1 - ...bd7e0-49e9-4e92-a64d-53ade2e66af1_108.json | 1 - ...bd7e0-49e9-4e92-a64d-53ade2e66af1_109.json | 1 - ...bd7e0-49e9-4e92-a64d-53ade2e66af1_110.json | 1 - ...bd7e0-49e9-4e92-a64d-53ade2e66af1_111.json | 1 - ...bd7e0-49e9-4e92-a64d-53ade2e66af1_311.json | 1 - .../debff20a-46bc-4a4d-bae5-5cdd14222795.json | 1 - ...ff20a-46bc-4a4d-bae5-5cdd14222795_103.json | 1 - ...ff20a-46bc-4a4d-bae5-5cdd14222795_104.json | 1 - ...ff20a-46bc-4a4d-bae5-5cdd14222795_105.json | 1 - ...ff20a-46bc-4a4d-bae5-5cdd14222795_106.json | 1 - ...ff20a-46bc-4a4d-bae5-5cdd14222795_107.json | 1 - ...ff20a-46bc-4a4d-bae5-5cdd14222795_108.json | 1 - ...ff20a-46bc-4a4d-bae5-5cdd14222795_109.json | 1 - .../ded09d02-0137-4ccc-8005-c45e617e8d4c.json | 1 - ...ed09d02-0137-4ccc-8005-c45e617e8d4c_1.json | 1 - ...09d02-0137-4ccc-8005-c45e617e8d4c_102.json | 1 - ...09d02-0137-4ccc-8005-c45e617e8d4c_103.json | 1 - ...09d02-0137-4ccc-8005-c45e617e8d4c_104.json | 1 - ...ed09d02-0137-4ccc-8005-c45e617e8d4c_2.json | 1 - 
.../df0fd41e-5590-4965-ad5e-cd079ec22fa9.json | 1 - ...f0fd41e-5590-4965-ad5e-cd079ec22fa9_2.json | 1 - ...f0fd41e-5590-4965-ad5e-cd079ec22fa9_3.json | 1 - ...f0fd41e-5590-4965-ad5e-cd079ec22fa9_4.json | 1 - ...f0fd41e-5590-4965-ad5e-cd079ec22fa9_5.json | 1 - ...f0fd41e-5590-4965-ad5e-cd079ec22fa9_6.json | 1 - ...f0fd41e-5590-4965-ad5e-cd079ec22fa9_7.json | 1 - .../df197323-72a8-46a9-a08e-3f5b04a4a97a.json | 1 - ...97323-72a8-46a9-a08e-3f5b04a4a97a_101.json | 1 - ...97323-72a8-46a9-a08e-3f5b04a4a97a_102.json | 1 - ...97323-72a8-46a9-a08e-3f5b04a4a97a_103.json | 1 - ...97323-72a8-46a9-a08e-3f5b04a4a97a_104.json | 1 - ...97323-72a8-46a9-a08e-3f5b04a4a97a_105.json | 1 - .../df26fd74-1baa-4479-b42e-48da84642330.json | 1 - ...6fd74-1baa-4479-b42e-48da84642330_101.json | 1 - .../df6f62d9-caab-4b88-affa-044f4395a1e0.json | 1 - ...f62d9-caab-4b88-affa-044f4395a1e0_102.json | 1 - ...f62d9-caab-4b88-affa-044f4395a1e0_103.json | 1 - ...f62d9-caab-4b88-affa-044f4395a1e0_104.json | 1 - ...f62d9-caab-4b88-affa-044f4395a1e0_105.json | 1 - ...f62d9-caab-4b88-affa-044f4395a1e0_106.json | 1 - ...f62d9-caab-4b88-affa-044f4395a1e0_107.json | 1 - ...f62d9-caab-4b88-affa-044f4395a1e0_108.json | 1 - .../df7fda76-c92b-4943-bc68-04460a5ea5ba.json | 1 - ...fda76-c92b-4943-bc68-04460a5ea5ba_201.json | 1 - ...fda76-c92b-4943-bc68-04460a5ea5ba_202.json | 1 - ...fda76-c92b-4943-bc68-04460a5ea5ba_203.json | 1 - .../df919b5e-a0f6-4fd8-8598-e3ce79299e3b.json | 1 - ...f919b5e-a0f6-4fd8-8598-e3ce79299e3b_1.json | 1 - ...f919b5e-a0f6-4fd8-8598-e3ce79299e3b_2.json | 1 - .../dffbd37c-d4c5-46f8-9181-5afdd9172b4c.json | 1 - ...ffbd37c-d4c5-46f8-9181-5afdd9172b4c_1.json | 1 - ...ffbd37c-d4c5-46f8-9181-5afdd9172b4c_2.json | 1 - ...ffbd37c-d4c5-46f8-9181-5afdd9172b4c_3.json | 1 - .../e00b8d49-632f-4dc6-94a5-76153a481915.json | 1 - ...00b8d49-632f-4dc6-94a5-76153a481915_1.json | 1 - ...00b8d49-632f-4dc6-94a5-76153a481915_2.json | 1 - .../e02bd3ea-72c6-4181-ac2b-0f83d17ad969.json | 1 - 
...bd3ea-72c6-4181-ac2b-0f83d17ad969_101.json | 1 - .../e052c845-48d0-4f46-8a13-7d0aba05df82.json | 1 - ...2c845-48d0-4f46-8a13-7d0aba05df82_103.json | 1 - ...2c845-48d0-4f46-8a13-7d0aba05df82_104.json | 1 - ...2c845-48d0-4f46-8a13-7d0aba05df82_105.json | 1 - ...2c845-48d0-4f46-8a13-7d0aba05df82_106.json | 1 - ...2c845-48d0-4f46-8a13-7d0aba05df82_107.json | 1 - ...2c845-48d0-4f46-8a13-7d0aba05df82_108.json | 1 - .../e0881d20-54ac-457f-8733-fe0bc5d44c55.json | 1 - ...0881d20-54ac-457f-8733-fe0bc5d44c55_2.json | 1 - ...0881d20-54ac-457f-8733-fe0bc5d44c55_3.json | 1 - ...0881d20-54ac-457f-8733-fe0bc5d44c55_4.json | 1 - ...0881d20-54ac-457f-8733-fe0bc5d44c55_5.json | 1 - ...0881d20-54ac-457f-8733-fe0bc5d44c55_6.json | 1 - ...0881d20-54ac-457f-8733-fe0bc5d44c55_7.json | 1 - ...0881d20-54ac-457f-8733-fe0bc5d44c55_8.json | 1 - .../e08ccd49-0380-4b2b-8d71-8000377d6e49.json | 1 - ...ccd49-0380-4b2b-8d71-8000377d6e49_102.json | 1 - ...ccd49-0380-4b2b-8d71-8000377d6e49_103.json | 1 - ...ccd49-0380-4b2b-8d71-8000377d6e49_104.json | 1 - ...ccd49-0380-4b2b-8d71-8000377d6e49_105.json | 1 - ...ccd49-0380-4b2b-8d71-8000377d6e49_106.json | 1 - ...ccd49-0380-4b2b-8d71-8000377d6e49_207.json | 1 - ...ccd49-0380-4b2b-8d71-8000377d6e49_208.json | 1 - ...ccd49-0380-4b2b-8d71-8000377d6e49_209.json | 1 - ...ccd49-0380-4b2b-8d71-8000377d6e49_211.json | 1 - ...ccd49-0380-4b2b-8d71-8000377d6e49_311.json | 82 ++++++++++ .../e0cc3807-e108-483c-bf66-5a4fbe0d7e89.json | 1 - ...0cc3807-e108-483c-bf66-5a4fbe0d7e89_1.json | 1 - ...0cc3807-e108-483c-bf66-5a4fbe0d7e89_2.json | 1 - ...0cc3807-e108-483c-bf66-5a4fbe0d7e89_3.json | 1 - ...0cc3807-e108-483c-bf66-5a4fbe0d7e89_4.json | 1 - .../e0f36de1-0342-453d-95a9-a068b257b053.json | 1 - ...36de1-0342-453d-95a9-a068b257b053_101.json | 1 - .../e12c0318-99b1-44f2-830c-3a38a43207ca.json | 1 - ...c0318-99b1-44f2-830c-3a38a43207ca_102.json | 1 - ...c0318-99b1-44f2-830c-3a38a43207ca_103.json | 1 - ...c0318-99b1-44f2-830c-3a38a43207ca_104.json | 1 - 
...c0318-99b1-44f2-830c-3a38a43207ca_205.json | 1 - ...c0318-99b1-44f2-830c-3a38a43207ca_206.json | 1 - .../e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d.json | 1 - ...c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_102.json | 1 - ...c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_103.json | 1 - ...c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_104.json | 1 - ...c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_205.json | 1 - .../e19e64ee-130e-4c07-961f-8a339f0b8362.json | 1 - ...e64ee-130e-4c07-961f-8a339f0b8362_102.json | 1 - ...e64ee-130e-4c07-961f-8a339f0b8362_103.json | 1 - ...e64ee-130e-4c07-961f-8a339f0b8362_104.json | 1 - ...e64ee-130e-4c07-961f-8a339f0b8362_105.json | 1 - ...e64ee-130e-4c07-961f-8a339f0b8362_106.json | 1 - .../e1db8899-97c1-4851-8993-3a3265353601.json | 1 - ...1db8899-97c1-4851-8993-3a3265353601_1.json | 1 - ...1db8899-97c1-4851-8993-3a3265353601_2.json | 1 - ...1db8899-97c1-4851-8993-3a3265353601_3.json | 1 - .../e2258f48-ba75-4248-951b-7c885edf18c2.json | 1 - ...2258f48-ba75-4248-951b-7c885edf18c2_1.json | 1 - ...2258f48-ba75-4248-951b-7c885edf18c2_2.json | 1 - ...2258f48-ba75-4248-951b-7c885edf18c2_3.json | 1 - ...2258f48-ba75-4248-951b-7c885edf18c2_4.json | 1 - ...2258f48-ba75-4248-951b-7c885edf18c2_5.json | 1 - .../e26aed74-c816-40d3-a810-48d6fbd8b2fd.json | 1 - ...aed74-c816-40d3-a810-48d6fbd8b2fd_102.json | 1 - ...aed74-c816-40d3-a810-48d6fbd8b2fd_103.json | 1 - ...aed74-c816-40d3-a810-48d6fbd8b2fd_104.json | 1 - .../e26f042e-c590-4e82-8e05-41e81bd822ad.json | 1 - ...f042e-c590-4e82-8e05-41e81bd822ad_105.json | 1 - ...f042e-c590-4e82-8e05-41e81bd822ad_106.json | 1 - ...f042e-c590-4e82-8e05-41e81bd822ad_107.json | 1 - ...f042e-c590-4e82-8e05-41e81bd822ad_108.json | 1 - ...f042e-c590-4e82-8e05-41e81bd822ad_109.json | 1 - ...f042e-c590-4e82-8e05-41e81bd822ad_110.json | 1 - ...f042e-c590-4e82-8e05-41e81bd822ad_111.json | 1 - ...f042e-c590-4e82-8e05-41e81bd822ad_112.json | 1 - ...f042e-c590-4e82-8e05-41e81bd822ad_212.json | 1 - ...f042e-c590-4e82-8e05-41e81bd822ad_213.json | 1 - 
...f042e-c590-4e82-8e05-41e81bd822ad_214.json | 1 - ...f042e-c590-4e82-8e05-41e81bd822ad_215.json | 1 - .../e28b8093-833b-4eda-b877-0873d134cf3c.json | 1 - ...28b8093-833b-4eda-b877-0873d134cf3c_1.json | 1 - ...28b8093-833b-4eda-b877-0873d134cf3c_2.json | 1 - ...28b8093-833b-4eda-b877-0873d134cf3c_3.json | 1 - .../e2a67480-3b79-403d-96e3-fdd2992c50ef.json | 1 - ...67480-3b79-403d-96e3-fdd2992c50ef_105.json | 1 - ...67480-3b79-403d-96e3-fdd2992c50ef_106.json | 1 - ...67480-3b79-403d-96e3-fdd2992c50ef_107.json | 1 - ...67480-3b79-403d-96e3-fdd2992c50ef_208.json | 1 - .../e2dc8f8c-5f16-42fa-b49e-0eb8057f7444.json | 1 - ...2dc8f8c-5f16-42fa-b49e-0eb8057f7444_1.json | 1 - ...2dc8f8c-5f16-42fa-b49e-0eb8057f7444_2.json | 1 - .../e2e0537d-7d8f-4910-a11d-559bcf61295a.json | 1 - ...2e0537d-7d8f-4910-a11d-559bcf61295a_2.json | 1 - ...0537d-7d8f-4910-a11d-559bcf61295a_208.json | 1 - ...2e0537d-7d8f-4910-a11d-559bcf61295a_3.json | 1 - ...2e0537d-7d8f-4910-a11d-559bcf61295a_4.json | 1 - ...2e0537d-7d8f-4910-a11d-559bcf61295a_5.json | 1 - ...2e0537d-7d8f-4910-a11d-559bcf61295a_6.json | 1 - ...2e0537d-7d8f-4910-a11d-559bcf61295a_7.json | 1 - ...2e0537d-7d8f-4910-a11d-559bcf61295a_8.json | 1 - .../e2f9fdf5-8076-45ad-9427-41e0e03dc9c2.json | 1 - ...9fdf5-8076-45ad-9427-41e0e03dc9c2_104.json | 1 - ...9fdf5-8076-45ad-9427-41e0e03dc9c2_105.json | 1 - ...9fdf5-8076-45ad-9427-41e0e03dc9c2_106.json | 1 - ...9fdf5-8076-45ad-9427-41e0e03dc9c2_107.json | 1 - ...9fdf5-8076-45ad-9427-41e0e03dc9c2_108.json | 1 - ...9fdf5-8076-45ad-9427-41e0e03dc9c2_109.json | 1 - ...9fdf5-8076-45ad-9427-41e0e03dc9c2_110.json | 1 - ...9fdf5-8076-45ad-9427-41e0e03dc9c2_111.json | 1 - .../e2fb5b18-e33c-4270-851e-c3d675c9afcd.json | 1 - ...b5b18-e33c-4270-851e-c3d675c9afcd_103.json | 1 - .../e3343ab9-4245-4715-b344-e11c56b0a47f.json | 1 - ...43ab9-4245-4715-b344-e11c56b0a47f_104.json | 1 - ...43ab9-4245-4715-b344-e11c56b0a47f_105.json | 1 - ...43ab9-4245-4715-b344-e11c56b0a47f_106.json | 1 - 
...43ab9-4245-4715-b344-e11c56b0a47f_107.json | 1 - ...43ab9-4245-4715-b344-e11c56b0a47f_108.json | 1 - ...43ab9-4245-4715-b344-e11c56b0a47f_109.json | 1 - ...43ab9-4245-4715-b344-e11c56b0a47f_110.json | 1 - ...43ab9-4245-4715-b344-e11c56b0a47f_111.json | 1 - ...43ab9-4245-4715-b344-e11c56b0a47f_311.json | 1 - .../e3c27562-709a-42bd-82f2-3ed926cced19.json | 1 - ...27562-709a-42bd-82f2-3ed926cced19_102.json | 1 - ...27562-709a-42bd-82f2-3ed926cced19_103.json | 1 - ...27562-709a-42bd-82f2-3ed926cced19_104.json | 1 - ...27562-709a-42bd-82f2-3ed926cced19_205.json | 1 - .../e3c5d5cb-41d5-4206-805c-f30561eae3ac.json | 1 - ...5d5cb-41d5-4206-805c-f30561eae3ac_100.json | 1 - ...5d5cb-41d5-4206-805c-f30561eae3ac_101.json | 1 - ...5d5cb-41d5-4206-805c-f30561eae3ac_102.json | 1 - .../e3cf38fa-d5b8-46cc-87f9-4a7513e4281d.json | 1 - ...f38fa-d5b8-46cc-87f9-4a7513e4281d_102.json | 1 - ...f38fa-d5b8-46cc-87f9-4a7513e4281d_103.json | 1 - ...f38fa-d5b8-46cc-87f9-4a7513e4281d_104.json | 1 - ...f38fa-d5b8-46cc-87f9-4a7513e4281d_105.json | 1 - ...f38fa-d5b8-46cc-87f9-4a7513e4281d_106.json | 1 - ...f38fa-d5b8-46cc-87f9-4a7513e4281d_107.json | 1 - .../e3e904b3-0a8e-4e68-86a8-977a163e21d3.json | 1 - ...904b3-0a8e-4e68-86a8-977a163e21d3_103.json | 1 - ...904b3-0a8e-4e68-86a8-977a163e21d3_104.json | 1 - ...904b3-0a8e-4e68-86a8-977a163e21d3_105.json | 1 - ...904b3-0a8e-4e68-86a8-977a163e21d3_106.json | 1 - ...904b3-0a8e-4e68-86a8-977a163e21d3_107.json | 1 - ...904b3-0a8e-4e68-86a8-977a163e21d3_108.json | 1 - ...904b3-0a8e-4e68-86a8-977a163e21d3_109.json | 1 - ...904b3-0a8e-4e68-86a8-977a163e21d3_110.json | 1 - ...904b3-0a8e-4e68-86a8-977a163e21d3_111.json | 1 - ...904b3-0a8e-4e68-86a8-977a163e21d3_112.json | 1 - ...904b3-0a8e-4e68-86a8-977a163e21d3_113.json | 1 - .../e468f3f6-7c4c-45bb-846a-053738b3fe5d.json | 1 - ...468f3f6-7c4c-45bb-846a-053738b3fe5d_1.json | 1 - ...468f3f6-7c4c-45bb-846a-053738b3fe5d_2.json | 1 - ...468f3f6-7c4c-45bb-846a-053738b3fe5d_3.json | 1 - 
...468f3f6-7c4c-45bb-846a-053738b3fe5d_4.json | 1 - .../e48236ca-b67a-4b4e-840c-fdc7782bc0c3.json | 1 - ...236ca-b67a-4b4e-840c-fdc7782bc0c3_102.json | 1 - ...236ca-b67a-4b4e-840c-fdc7782bc0c3_103.json | 1 - ...236ca-b67a-4b4e-840c-fdc7782bc0c3_104.json | 1 - ...236ca-b67a-4b4e-840c-fdc7782bc0c3_105.json | 1 - ...236ca-b67a-4b4e-840c-fdc7782bc0c3_206.json | 1 - ...236ca-b67a-4b4e-840c-fdc7782bc0c3_207.json | 1 - ...236ca-b67a-4b4e-840c-fdc7782bc0c3_209.json | 1 - ...236ca-b67a-4b4e-840c-fdc7782bc0c3_309.json | 85 +++++++++++ .../e4e31051-ee01-4307-a6ee-b21b186958f4.json | 1 - ...31051-ee01-4307-a6ee-b21b186958f4_103.json | 1 - ...31051-ee01-4307-a6ee-b21b186958f4_104.json | 1 - ...31051-ee01-4307-a6ee-b21b186958f4_105.json | 1 - ...31051-ee01-4307-a6ee-b21b186958f4_106.json | 1 - .../e514d8cd-ed15-4011-84e2-d15147e059f1.json | 1 - ...4d8cd-ed15-4011-84e2-d15147e059f1_105.json | 1 - ...4d8cd-ed15-4011-84e2-d15147e059f1_106.json | 1 - ...4d8cd-ed15-4011-84e2-d15147e059f1_107.json | 1 - ...4d8cd-ed15-4011-84e2-d15147e059f1_108.json | 1 - ...4d8cd-ed15-4011-84e2-d15147e059f1_109.json | 1 - ...4d8cd-ed15-4011-84e2-d15147e059f1_110.json | 1 - ...4d8cd-ed15-4011-84e2-d15147e059f1_111.json | 1 - ...4d8cd-ed15-4011-84e2-d15147e059f1_112.json | 1 - .../e555105c-ba6d-481f-82bb-9b633e7b4827.json | 1 - ...5105c-ba6d-481f-82bb-9b633e7b4827_203.json | 1 - ...5105c-ba6d-481f-82bb-9b633e7b4827_204.json | 1 - ...5105c-ba6d-481f-82bb-9b633e7b4827_205.json | 1 - .../e6c1a552-7776-44ad-ae0f-8746cc07773c.json | 1 - ...1a552-7776-44ad-ae0f-8746cc07773c_101.json | 1 - ...1a552-7776-44ad-ae0f-8746cc07773c_102.json | 1 - ...1a552-7776-44ad-ae0f-8746cc07773c_103.json | 1 - .../e6c98d38-633d-4b3e-9387-42112cd5ac10.json | 1 - ...98d38-633d-4b3e-9387-42112cd5ac10_102.json | 1 - ...98d38-633d-4b3e-9387-42112cd5ac10_103.json | 1 - ...98d38-633d-4b3e-9387-42112cd5ac10_104.json | 1 - ...98d38-633d-4b3e-9387-42112cd5ac10_105.json | 1 - ...98d38-633d-4b3e-9387-42112cd5ac10_106.json | 1 - 
.../e6e3ecff-03dd-48ec-acbd-54a04de10c68.json | 1 - ...3ecff-03dd-48ec-acbd-54a04de10c68_102.json | 1 - ...3ecff-03dd-48ec-acbd-54a04de10c68_103.json | 1 - ...3ecff-03dd-48ec-acbd-54a04de10c68_104.json | 1 - ...3ecff-03dd-48ec-acbd-54a04de10c68_205.json | 1 - ...3ecff-03dd-48ec-acbd-54a04de10c68_206.json | 1 - ...3ecff-03dd-48ec-acbd-54a04de10c68_208.json | 1 - ...3ecff-03dd-48ec-acbd-54a04de10c68_308.json | 78 ++++++++++ .../e6e8912f-283f-4d0d-8442-e0dcaf49944b.json | 1 - ...8912f-283f-4d0d-8442-e0dcaf49944b_102.json | 1 - ...8912f-283f-4d0d-8442-e0dcaf49944b_103.json | 1 - ...8912f-283f-4d0d-8442-e0dcaf49944b_104.json | 1 - ...8912f-283f-4d0d-8442-e0dcaf49944b_105.json | 1 - ...8912f-283f-4d0d-8442-e0dcaf49944b_106.json | 1 - .../e7075e8d-a966-458e-a183-85cd331af255.json | 1 - ...75e8d-a966-458e-a183-85cd331af255_102.json | 1 - ...75e8d-a966-458e-a183-85cd331af255_103.json | 1 - .../e707a7be-cc52-41ac-8ab3-d34b38c20005.json | 1 - ...707a7be-cc52-41ac-8ab3-d34b38c20005_1.json | 1 - ...707a7be-cc52-41ac-8ab3-d34b38c20005_2.json | 1 - .../e7125cea-9fe1-42a5-9a05-b0792cf86f5a.json | 1 - ...25cea-9fe1-42a5-9a05-b0792cf86f5a_103.json | 1 - ...25cea-9fe1-42a5-9a05-b0792cf86f5a_104.json | 1 - ...25cea-9fe1-42a5-9a05-b0792cf86f5a_105.json | 1 - ...25cea-9fe1-42a5-9a05-b0792cf86f5a_106.json | 1 - ...25cea-9fe1-42a5-9a05-b0792cf86f5a_107.json | 1 - .../e72f87d0-a70e-4f8d-8443-a6407bc34643.json | 1 - ...f87d0-a70e-4f8d-8443-a6407bc34643_105.json | 1 - ...f87d0-a70e-4f8d-8443-a6407bc34643_106.json | 1 - ...72f87d0-a70e-4f8d-8443-a6407bc34643_2.json | 1 - ...72f87d0-a70e-4f8d-8443-a6407bc34643_4.json | 1 - .../e7357fec-6e9c-41b9-b93d-6e4fc40c7d47.json | 1 - .../e74d645b-fec6-431e-bf93-ca64a538e0de.json | 1 - ...74d645b-fec6-431e-bf93-ca64a538e0de_1.json | 1 - ...74d645b-fec6-431e-bf93-ca64a538e0de_2.json | 1 - ...74d645b-fec6-431e-bf93-ca64a538e0de_3.json | 1 - .../e760c72b-bb1f-44f0-9f0d-37d51744ee75.json | 1 - ...760c72b-bb1f-44f0-9f0d-37d51744ee75_1.json | 1 - 
.../e7cb3cfd-aaa3-4d7b-af18-23b89955062c.json | 1 - ...7cb3cfd-aaa3-4d7b-af18-23b89955062c_1.json | 1 - ...7cb3cfd-aaa3-4d7b-af18-23b89955062c_2.json | 1 - ...7cb3cfd-aaa3-4d7b-af18-23b89955062c_3.json | 1 - ...7cb3cfd-aaa3-4d7b-af18-23b89955062c_4.json | 1 - ...7cb3cfd-aaa3-4d7b-af18-23b89955062c_5.json | 1 - ...7cb3cfd-aaa3-4d7b-af18-23b89955062c_6.json | 1 - ...7cb3cfd-aaa3-4d7b-af18-23b89955062c_7.json | 1 - .../e7cd5982-17c8-4959-874c-633acde7d426.json | 1 - ...d5982-17c8-4959-874c-633acde7d426_102.json | 1 - ...d5982-17c8-4959-874c-633acde7d426_103.json | 1 - ...d5982-17c8-4959-874c-633acde7d426_104.json | 1 - ...d5982-17c8-4959-874c-633acde7d426_205.json | 1 - ...d5982-17c8-4959-874c-633acde7d426_206.json | 1 - .../e8571d5f-bea1-46c2-9f56-998de2d3ed95.json | 1 - ...71d5f-bea1-46c2-9f56-998de2d3ed95_103.json | 1 - ...71d5f-bea1-46c2-9f56-998de2d3ed95_104.json | 1 - ...71d5f-bea1-46c2-9f56-998de2d3ed95_105.json | 1 - ...71d5f-bea1-46c2-9f56-998de2d3ed95_106.json | 1 - ...71d5f-bea1-46c2-9f56-998de2d3ed95_107.json | 1 - ...71d5f-bea1-46c2-9f56-998de2d3ed95_108.json | 1 - ...71d5f-bea1-46c2-9f56-998de2d3ed95_109.json | 1 - ...71d5f-bea1-46c2-9f56-998de2d3ed95_110.json | 1 - ...71d5f-bea1-46c2-9f56-998de2d3ed95_111.json | 1 - ...71d5f-bea1-46c2-9f56-998de2d3ed95_212.json | 1 - .../e86da94d-e54b-4fb5-b96c-cecff87e8787.json | 1 - ...da94d-e54b-4fb5-b96c-cecff87e8787_102.json | 1 - ...da94d-e54b-4fb5-b96c-cecff87e8787_103.json | 1 - ...da94d-e54b-4fb5-b96c-cecff87e8787_104.json | 1 - ...da94d-e54b-4fb5-b96c-cecff87e8787_105.json | 1 - ...da94d-e54b-4fb5-b96c-cecff87e8787_106.json | 1 - ...da94d-e54b-4fb5-b96c-cecff87e8787_107.json | 1 - ...da94d-e54b-4fb5-b96c-cecff87e8787_108.json | 1 - ...da94d-e54b-4fb5-b96c-cecff87e8787_109.json | 1 - .../e88d1fe9-b2f4-48d4-bace-a026dc745d4b.json | 1 - ...88d1fe9-b2f4-48d4-bace-a026dc745d4b_2.json | 1 - ...88d1fe9-b2f4-48d4-bace-a026dc745d4b_3.json | 1 - ...88d1fe9-b2f4-48d4-bace-a026dc745d4b_4.json | 1 - 
...88d1fe9-b2f4-48d4-bace-a026dc745d4b_5.json | 1 - ...88d1fe9-b2f4-48d4-bace-a026dc745d4b_6.json | 1 - ...88d1fe9-b2f4-48d4-bace-a026dc745d4b_7.json | 1 - .../e8c9ff14-fd1e-11ee-a0df-f661ea17fbce.json | 1 - ...8c9ff14-fd1e-11ee-a0df-f661ea17fbce_1.json | 1 - .../e9001ee6-2d00-4d2f-849e-b8b1fb05234c.json | 1 - ...9001ee6-2d00-4d2f-849e-b8b1fb05234c_1.json | 1 - ...01ee6-2d00-4d2f-849e-b8b1fb05234c_103.json | 1 - ...01ee6-2d00-4d2f-849e-b8b1fb05234c_104.json | 1 - ...01ee6-2d00-4d2f-849e-b8b1fb05234c_105.json | 1 - ...01ee6-2d00-4d2f-849e-b8b1fb05234c_106.json | 1 - ...9001ee6-2d00-4d2f-849e-b8b1fb05234c_2.json | 1 - .../e90ee3af-45fc-432e-a850-4a58cf14a457.json | 1 - ...ee3af-45fc-432e-a850-4a58cf14a457_102.json | 1 - ...ee3af-45fc-432e-a850-4a58cf14a457_103.json | 1 - ...ee3af-45fc-432e-a850-4a58cf14a457_104.json | 1 - ...ee3af-45fc-432e-a850-4a58cf14a457_105.json | 1 - ...ee3af-45fc-432e-a850-4a58cf14a457_106.json | 1 - ...ee3af-45fc-432e-a850-4a58cf14a457_207.json | 1 - ...ee3af-45fc-432e-a850-4a58cf14a457_208.json | 1 - ...ee3af-45fc-432e-a850-4a58cf14a457_209.json | 1 - ...ee3af-45fc-432e-a850-4a58cf14a457_211.json | 1 - ...ee3af-45fc-432e-a850-4a58cf14a457_311.json | 115 ++++++++++++++ .../e919611d-6b6f-493b-8314-7ed6ac2e413b.json | 1 - ...9611d-6b6f-493b-8314-7ed6ac2e413b_102.json | 1 - ...9611d-6b6f-493b-8314-7ed6ac2e413b_103.json | 1 - ...9611d-6b6f-493b-8314-7ed6ac2e413b_104.json | 1 - ...9611d-6b6f-493b-8314-7ed6ac2e413b_205.json | 1 - .../e92c99b6-c547-4bb6-b244-2f27394bc849.json | 1 - ...92c99b6-c547-4bb6-b244-2f27394bc849_1.json | 1 - ...92c99b6-c547-4bb6-b244-2f27394bc849_2.json | 1 - ...92c99b6-c547-4bb6-b244-2f27394bc849_3.json | 1 - .../e94262f2-c1e9-4d3f-a907-aeab16712e1a.json | 1 - ...262f2-c1e9-4d3f-a907-aeab16712e1a_104.json | 1 - ...262f2-c1e9-4d3f-a907-aeab16712e1a_105.json | 1 - ...262f2-c1e9-4d3f-a907-aeab16712e1a_106.json | 1 - ...262f2-c1e9-4d3f-a907-aeab16712e1a_107.json | 1 - ...262f2-c1e9-4d3f-a907-aeab16712e1a_108.json | 1 - 
...262f2-c1e9-4d3f-a907-aeab16712e1a_109.json | 1 - ...262f2-c1e9-4d3f-a907-aeab16712e1a_110.json | 1 - ...262f2-c1e9-4d3f-a907-aeab16712e1a_111.json | 1 - .../e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb.json | 1 - ...be69b-1deb-4e19-ac4a-5d5ac00f72eb_102.json | 1 - ...be69b-1deb-4e19-ac4a-5d5ac00f72eb_103.json | 1 - ...be69b-1deb-4e19-ac4a-5d5ac00f72eb_104.json | 1 - ...be69b-1deb-4e19-ac4a-5d5ac00f72eb_105.json | 1 - .../e9b0902b-c515-413b-b80b-a8dcebc81a66.json | 1 - ...9b0902b-c515-413b-b80b-a8dcebc81a66_1.json | 1 - ...9b0902b-c515-413b-b80b-a8dcebc81a66_2.json | 1 - ...9b0902b-c515-413b-b80b-a8dcebc81a66_3.json | 1 - .../e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62.json | 1 - ...f9c1c-fe36-4d0d-b3fd-9e0bf4853a62_101.json | 1 - .../ea09ff26-3902-4c53-bb8e-24b7a5d029dd.json | 1 - ...a09ff26-3902-4c53-bb8e-24b7a5d029dd_1.json | 1 - ...a09ff26-3902-4c53-bb8e-24b7a5d029dd_2.json | 1 - ...a09ff26-3902-4c53-bb8e-24b7a5d029dd_3.json | 1 - ...a09ff26-3902-4c53-bb8e-24b7a5d029dd_4.json | 1 - ...a09ff26-3902-4c53-bb8e-24b7a5d029dd_5.json | 1 - ...a09ff26-3902-4c53-bb8e-24b7a5d029dd_6.json | 1 - .../ea248a02-bc47-4043-8e94-2885b19b2636.json | 1 - ...48a02-bc47-4043-8e94-2885b19b2636_105.json | 1 - ...48a02-bc47-4043-8e94-2885b19b2636_106.json | 1 - ...48a02-bc47-4043-8e94-2885b19b2636_107.json | 1 - ...48a02-bc47-4043-8e94-2885b19b2636_208.json | 1 - ...48a02-bc47-4043-8e94-2885b19b2636_209.json | 1 - .../eaa77d63-9679-4ce3-be25-3ba8b795e5fa.json | 1 - ...77d63-9679-4ce3-be25-3ba8b795e5fa_101.json | 1 - ...77d63-9679-4ce3-be25-3ba8b795e5fa_102.json | 1 - ...77d63-9679-4ce3-be25-3ba8b795e5fa_103.json | 1 - .../eaef8a35-12e0-4ac0-bc14-81c72b6bd27c.json | 1 - ...aef8a35-12e0-4ac0-bc14-81c72b6bd27c_1.json | 1 - ...aef8a35-12e0-4ac0-bc14-81c72b6bd27c_2.json | 1 - ...aef8a35-12e0-4ac0-bc14-81c72b6bd27c_3.json | 1 - .../eb079c62-4481-4d6e-9643-3ca499df7aaa.json | 1 - ...79c62-4481-4d6e-9643-3ca499df7aaa_101.json | 1 - ...79c62-4481-4d6e-9643-3ca499df7aaa_102.json | 1 - 
.../eb44611f-62a8-4036-a5ef-587098be6c43.json | 1 - ...b44611f-62a8-4036-a5ef-587098be6c43_1.json | 1 - ...b44611f-62a8-4036-a5ef-587098be6c43_2.json | 1 - ...b44611f-62a8-4036-a5ef-587098be6c43_3.json | 1 - ...b44611f-62a8-4036-a5ef-587098be6c43_4.json | 1 - ...b44611f-62a8-4036-a5ef-587098be6c43_5.json | 1 - .../eb610e70-f9e6-4949-82b9-f1c5bcd37c39.json | 1 - ...10e70-f9e6-4949-82b9-f1c5bcd37c39_105.json | 1 - ...10e70-f9e6-4949-82b9-f1c5bcd37c39_106.json | 1 - ...10e70-f9e6-4949-82b9-f1c5bcd37c39_107.json | 1 - ...10e70-f9e6-4949-82b9-f1c5bcd37c39_108.json | 1 - ...10e70-f9e6-4949-82b9-f1c5bcd37c39_109.json | 1 - ...10e70-f9e6-4949-82b9-f1c5bcd37c39_110.json | 1 - ...10e70-f9e6-4949-82b9-f1c5bcd37c39_111.json | 1 - ...10e70-f9e6-4949-82b9-f1c5bcd37c39_112.json | 1 - .../eb9eb8ba-a983-41d9-9c93-a1c05112ca5e.json | 1 - ...eb8ba-a983-41d9-9c93-a1c05112ca5e_103.json | 1 - ...eb8ba-a983-41d9-9c93-a1c05112ca5e_104.json | 1 - ...eb8ba-a983-41d9-9c93-a1c05112ca5e_105.json | 1 - ...eb8ba-a983-41d9-9c93-a1c05112ca5e_106.json | 1 - ...eb8ba-a983-41d9-9c93-a1c05112ca5e_107.json | 1 - ...eb8ba-a983-41d9-9c93-a1c05112ca5e_108.json | 1 - ...eb8ba-a983-41d9-9c93-a1c05112ca5e_109.json | 1 - .../ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6.json | 1 - ...200e8-adf0-43f8-a0bb-4ee5b5d852c6_104.json | 1 - ...200e8-adf0-43f8-a0bb-4ee5b5d852c6_105.json | 1 - ...200e8-adf0-43f8-a0bb-4ee5b5d852c6_106.json | 1 - ...200e8-adf0-43f8-a0bb-4ee5b5d852c6_107.json | 1 - ...200e8-adf0-43f8-a0bb-4ee5b5d852c6_108.json | 1 - ...200e8-adf0-43f8-a0bb-4ee5b5d852c6_109.json | 1 - ...200e8-adf0-43f8-a0bb-4ee5b5d852c6_210.json | 1 - ...200e8-adf0-43f8-a0bb-4ee5b5d852c6_311.json | 1 - .../ebf1adea-ccf2-4943-8b96-7ab11ca173a5.json | 1 - ...1adea-ccf2-4943-8b96-7ab11ca173a5_104.json | 1 - ...1adea-ccf2-4943-8b96-7ab11ca173a5_105.json | 1 - ...1adea-ccf2-4943-8b96-7ab11ca173a5_106.json | 1 - ...1adea-ccf2-4943-8b96-7ab11ca173a5_107.json | 1 - ...1adea-ccf2-4943-8b96-7ab11ca173a5_108.json | 1 - 
...1adea-ccf2-4943-8b96-7ab11ca173a5_109.json | 1 - ...1adea-ccf2-4943-8b96-7ab11ca173a5_110.json | 1 - ...1adea-ccf2-4943-8b96-7ab11ca173a5_111.json | 1 - ...1adea-ccf2-4943-8b96-7ab11ca173a5_311.json | 1 - .../ebfe1448-7fac-4d59-acea-181bd89b1f7f.json | 1 - ...e1448-7fac-4d59-acea-181bd89b1f7f_104.json | 1 - ...e1448-7fac-4d59-acea-181bd89b1f7f_105.json | 1 - ...e1448-7fac-4d59-acea-181bd89b1f7f_106.json | 1 - ...e1448-7fac-4d59-acea-181bd89b1f7f_107.json | 1 - ...e1448-7fac-4d59-acea-181bd89b1f7f_108.json | 1 - ...e1448-7fac-4d59-acea-181bd89b1f7f_109.json | 1 - ...e1448-7fac-4d59-acea-181bd89b1f7f_110.json | 1 - ...e1448-7fac-4d59-acea-181bd89b1f7f_111.json | 1 - ...e1448-7fac-4d59-acea-181bd89b1f7f_112.json | 1 - ...e1448-7fac-4d59-acea-181bd89b1f7f_312.json | 1 - .../ec604672-bed9-43e1-8871-cf591c052550.json | 1 - ...c604672-bed9-43e1-8871-cf591c052550_1.json | 1 - .../ec8efb0c-604d-42fa-ac46-ed1cfbc38f78.json | 1 - ...efb0c-604d-42fa-ac46-ed1cfbc38f78_101.json | 1 - ...efb0c-604d-42fa-ac46-ed1cfbc38f78_102.json | 1 - ...efb0c-604d-42fa-ac46-ed1cfbc38f78_103.json | 1 - ...efb0c-604d-42fa-ac46-ed1cfbc38f78_105.json | 1 - ...cc0cd54-608e-11ef-ab6d-f661ea17fbce_1.json | 1 - .../ecd4857b-5bac-455e-a7c9-a88b66e56a9e.json | 1 - ...cd4857b-5bac-455e-a7c9-a88b66e56a9e_1.json | 1 - .../ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d.json | 1 - ...2b32c-e221-4bd4-aa3b-c7d59b3bc01d_102.json | 1 - ...2b32c-e221-4bd4-aa3b-c7d59b3bc01d_103.json | 1 - ...2b32c-e221-4bd4-aa3b-c7d59b3bc01d_104.json | 1 - ...2b32c-e221-4bd4-aa3b-c7d59b3bc01d_205.json | 1 - .../ed9ecd27-e3e6-4fd9-8586-7754803f7fc8.json | 1 - ...ecd27-e3e6-4fd9-8586-7754803f7fc8_101.json | 1 - .../eda499b8-a073-4e35-9733-22ec71f57f3a.json | 1 - ...499b8-a073-4e35-9733-22ec71f57f3a_104.json | 1 - ...499b8-a073-4e35-9733-22ec71f57f3a_105.json | 1 - ...499b8-a073-4e35-9733-22ec71f57f3a_106.json | 1 - ...499b8-a073-4e35-9733-22ec71f57f3a_107.json | 1 - ...499b8-a073-4e35-9733-22ec71f57f3a_108.json | 1 - 
...499b8-a073-4e35-9733-22ec71f57f3a_109.json | 1 - ...499b8-a073-4e35-9733-22ec71f57f3a_110.json | 1 - ...499b8-a073-4e35-9733-22ec71f57f3a_111.json | 1 - ...499b8-a073-4e35-9733-22ec71f57f3a_112.json | 1 - ...499b8-a073-4e35-9733-22ec71f57f3a_113.json | 1 - ...499b8-a073-4e35-9733-22ec71f57f3a_313.json | 1 - .../edb91186-1c7e-4db8-b53e-bfa33a1a0a8a.json | 1 - ...91186-1c7e-4db8-b53e-bfa33a1a0a8a_102.json | 1 - ...91186-1c7e-4db8-b53e-bfa33a1a0a8a_103.json | 1 - ...91186-1c7e-4db8-b53e-bfa33a1a0a8a_104.json | 1 - ...91186-1c7e-4db8-b53e-bfa33a1a0a8a_105.json | 1 - ...91186-1c7e-4db8-b53e-bfa33a1a0a8a_206.json | 1 - ...91186-1c7e-4db8-b53e-bfa33a1a0a8a_207.json | 1 - ...91186-1c7e-4db8-b53e-bfa33a1a0a8a_209.json | 1 - ...91186-1c7e-4db8-b53e-bfa33a1a0a8a_309.json | 77 ++++++++++ .../edf8ee23-5ea7-4123-ba19-56b41e424ae3.json | 1 - ...8ee23-5ea7-4123-ba19-56b41e424ae3_104.json | 1 - ...8ee23-5ea7-4123-ba19-56b41e424ae3_105.json | 1 - ...8ee23-5ea7-4123-ba19-56b41e424ae3_106.json | 1 - ...8ee23-5ea7-4123-ba19-56b41e424ae3_107.json | 1 - ...8ee23-5ea7-4123-ba19-56b41e424ae3_108.json | 1 - ...8ee23-5ea7-4123-ba19-56b41e424ae3_109.json | 1 - ...8ee23-5ea7-4123-ba19-56b41e424ae3_110.json | 1 - ...8ee23-5ea7-4123-ba19-56b41e424ae3_111.json | 1 - ...8ee23-5ea7-4123-ba19-56b41e424ae3_112.json | 1 - ...8ee23-5ea7-4123-ba19-56b41e424ae3_113.json | 1 - ...8ee23-5ea7-4123-ba19-56b41e424ae3_313.json | 1 - .../edfd5ca9-9d6c-44d9-b615-1e56b920219c.json | 1 - ...dfd5ca9-9d6c-44d9-b615-1e56b920219c_1.json | 1 - ...dfd5ca9-9d6c-44d9-b615-1e56b920219c_2.json | 1 - ...dfd5ca9-9d6c-44d9-b615-1e56b920219c_3.json | 1 - ...dfd5ca9-9d6c-44d9-b615-1e56b920219c_4.json | 1 - ...dfd5ca9-9d6c-44d9-b615-1e56b920219c_5.json | 1 - .../ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e.json | 1 - ...9a9f7-5a79-4b0a-9815-d36b3cf28d3e_103.json | 1 - ...9a9f7-5a79-4b0a-9815-d36b3cf28d3e_104.json | 1 - ...9a9f7-5a79-4b0a-9815-d36b3cf28d3e_106.json | 1 - ...e39a9f7-5a79-4b0a-9815-d36b3cf28d3e_2.json | 1 - 
...9a9f7-5a79-4b0a-9815-d36b3cf28d3e_206.json | 89 +++++++++++ .../ee5300a7-7e31-4a72-a258-250abb8b3aa1.json | 1 - ...300a7-7e31-4a72-a258-250abb8b3aa1_102.json | 1 - ...300a7-7e31-4a72-a258-250abb8b3aa1_103.json | 1 - ...300a7-7e31-4a72-a258-250abb8b3aa1_104.json | 1 - ...300a7-7e31-4a72-a258-250abb8b3aa1_105.json | 1 - ...300a7-7e31-4a72-a258-250abb8b3aa1_106.json | 1 - ...300a7-7e31-4a72-a258-250abb8b3aa1_107.json | 1 - ...300a7-7e31-4a72-a258-250abb8b3aa1_108.json | 1 - ...300a7-7e31-4a72-a258-250abb8b3aa1_109.json | 1 - .../ee53d67a-5f0c-423c-a53c-8084ae562b5c.json | 1 - ...e53d67a-5f0c-423c-a53c-8084ae562b5c_1.json | 1 - .../eea82229-b002-470e-a9e1-00be38b14d32.json | 1 - ...82229-b002-470e-a9e1-00be38b14d32_102.json | 1 - ...82229-b002-470e-a9e1-00be38b14d32_103.json | 1 - ...82229-b002-470e-a9e1-00be38b14d32_104.json | 1 - ...82229-b002-470e-a9e1-00be38b14d32_105.json | 1 - ...82229-b002-470e-a9e1-00be38b14d32_106.json | 1 - .../ef04a476-07ec-48fc-8f3d-5e1742de76d3.json | 1 - ...4a476-07ec-48fc-8f3d-5e1742de76d3_103.json | 1 - ...4a476-07ec-48fc-8f3d-5e1742de76d3_104.json | 1 - ...4a476-07ec-48fc-8f3d-5e1742de76d3_105.json | 1 - ...4a476-07ec-48fc-8f3d-5e1742de76d3_106.json | 1 - ...4a476-07ec-48fc-8f3d-5e1742de76d3_107.json | 1 - .../ef100a2e-ecd4-4f72-9d1e-2f779ff3c311.json | 1 - ...f100a2e-ecd4-4f72-9d1e-2f779ff3c311_1.json | 1 - ...f100a2e-ecd4-4f72-9d1e-2f779ff3c311_2.json | 1 - ...f100a2e-ecd4-4f72-9d1e-2f779ff3c311_3.json | 1 - ...f100a2e-ecd4-4f72-9d1e-2f779ff3c311_4.json | 1 - ...f100a2e-ecd4-4f72-9d1e-2f779ff3c311_5.json | 1 - ...f100a2e-ecd4-4f72-9d1e-2f779ff3c311_6.json | 1 - .../ef65e82c-d8b4-4895-9824-5f6bc6166804.json | 1 - .../ef862985-3f13-4262-a686-5f357bbb9bc2.json | 1 - ...62985-3f13-4262-a686-5f357bbb9bc2_105.json | 1 - ...62985-3f13-4262-a686-5f357bbb9bc2_106.json | 1 - ...62985-3f13-4262-a686-5f357bbb9bc2_107.json | 1 - ...62985-3f13-4262-a686-5f357bbb9bc2_108.json | 1 - ...62985-3f13-4262-a686-5f357bbb9bc2_109.json | 1 - 
...62985-3f13-4262-a686-5f357bbb9bc2_110.json | 1 - ...62985-3f13-4262-a686-5f357bbb9bc2_111.json | 1 - ...62985-3f13-4262-a686-5f357bbb9bc2_112.json | 1 - ...62985-3f13-4262-a686-5f357bbb9bc2_113.json | 1 - .../ef8cc01c-fc49-4954-a175-98569c646740.json | 1 - ...f8cc01c-fc49-4954-a175-98569c646740_1.json | 1 - ...f8cc01c-fc49-4954-a175-98569c646740_2.json | 1 - ...f8cc01c-fc49-4954-a175-98569c646740_3.json | 1 - .../f036953a-4615-4707-a1ca-dc53bf69dcd5.json | 1 - ...6953a-4615-4707-a1ca-dc53bf69dcd5_103.json | 1 - ...6953a-4615-4707-a1ca-dc53bf69dcd5_104.json | 1 - ...6953a-4615-4707-a1ca-dc53bf69dcd5_105.json | 1 - ...6953a-4615-4707-a1ca-dc53bf69dcd5_106.json | 1 - ...6953a-4615-4707-a1ca-dc53bf69dcd5_107.json | 1 - ...6953a-4615-4707-a1ca-dc53bf69dcd5_108.json | 1 - .../f0493cb4-9b15-43a9-9359-68c23a7f2cf3.json | 1 - ...93cb4-9b15-43a9-9359-68c23a7f2cf3_102.json | 1 - ...93cb4-9b15-43a9-9359-68c23a7f2cf3_103.json | 1 - ...93cb4-9b15-43a9-9359-68c23a7f2cf3_104.json | 1 - ...93cb4-9b15-43a9-9359-68c23a7f2cf3_105.json | 1 - ...93cb4-9b15-43a9-9359-68c23a7f2cf3_106.json | 1 - ...93cb4-9b15-43a9-9359-68c23a7f2cf3_107.json | 1 - .../f06414a6-f2a4-466d-8eba-10f85e8abf71.json | 1 - ...414a6-f2a4-466d-8eba-10f85e8abf71_102.json | 1 - ...414a6-f2a4-466d-8eba-10f85e8abf71_103.json | 1 - ...414a6-f2a4-466d-8eba-10f85e8abf71_104.json | 1 - ...414a6-f2a4-466d-8eba-10f85e8abf71_205.json | 1 - ...414a6-f2a4-466d-8eba-10f85e8abf71_206.json | 1 - ...414a6-f2a4-466d-8eba-10f85e8abf71_208.json | 1 - ...414a6-f2a4-466d-8eba-10f85e8abf71_308.json | 78 ++++++++++ .../f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7.json | 1 - ...48bbc-549e-4bcf-8ee0-a7a72586c6a7_102.json | 1 - ...48bbc-549e-4bcf-8ee0-a7a72586c6a7_103.json | 1 - ...48bbc-549e-4bcf-8ee0-a7a72586c6a7_104.json | 1 - ...48bbc-549e-4bcf-8ee0-a7a72586c6a7_105.json | 1 - ...48bbc-549e-4bcf-8ee0-a7a72586c6a7_106.json | 1 - ...48bbc-549e-4bcf-8ee0-a7a72586c6a7_107.json | 1 - ...48bbc-549e-4bcf-8ee0-a7a72586c6a7_108.json | 1 - 
.../f0bc081a-2346-4744-a6a4-81514817e888.json | 1 - ...c081a-2346-4744-a6a4-81514817e888_101.json | 1 - .../f0eb70e9-71e9-40cd-813f-bf8e8c812cb1.json | 1 - ...b70e9-71e9-40cd-813f-bf8e8c812cb1_102.json | 1 - ...b70e9-71e9-40cd-813f-bf8e8c812cb1_103.json | 1 - ...b70e9-71e9-40cd-813f-bf8e8c812cb1_104.json | 1 - ...b70e9-71e9-40cd-813f-bf8e8c812cb1_105.json | 1 - .../f16fca20-4d6c-43f9-aec1-20b6de3b0aeb.json | 1 - ...16fca20-4d6c-43f9-aec1-20b6de3b0aeb_1.json | 1 - ...16fca20-4d6c-43f9-aec1-20b6de3b0aeb_2.json | 1 - ...16fca20-4d6c-43f9-aec1-20b6de3b0aeb_3.json | 1 - ...16fca20-4d6c-43f9-aec1-20b6de3b0aeb_4.json | 1 - ...16fca20-4d6c-43f9-aec1-20b6de3b0aeb_5.json | 1 - ...16fca20-4d6c-43f9-aec1-20b6de3b0aeb_6.json | 1 - .../f18a474c-3632-427f-bcf5-363c994309ee.json | 1 - .../f1a6d0f4-95b8-11ed-9517-f661ea17fbcc.json | 1 - ...1a6d0f4-95b8-11ed-9517-f661ea17fbcc_1.json | 1 - ...1a6d0f4-95b8-11ed-9517-f661ea17fbcc_2.json | 1 - .../f2015527-7c46-4bb9-80db-051657ddfb69.json | 1 - ...2015527-7c46-4bb9-80db-051657ddfb69_1.json | 1 - .../f243fe39-83a4-46f3-a3b6-707557a102df.json | 1 - ...243fe39-83a4-46f3-a3b6-707557a102df_1.json | 1 - ...243fe39-83a4-46f3-a3b6-707557a102df_2.json | 1 - ...243fe39-83a4-46f3-a3b6-707557a102df_3.json | 1 - ...243fe39-83a4-46f3-a3b6-707557a102df_4.json | 1 - .../f24bcae1-8980-4b30-b5dd-f851b055c9e7.json | 1 - ...bcae1-8980-4b30-b5dd-f851b055c9e7_103.json | 1 - ...bcae1-8980-4b30-b5dd-f851b055c9e7_104.json | 1 - ...bcae1-8980-4b30-b5dd-f851b055c9e7_105.json | 1 - ...bcae1-8980-4b30-b5dd-f851b055c9e7_106.json | 1 - ...bcae1-8980-4b30-b5dd-f851b055c9e7_107.json | 1 - .../f28e2be4-6eca-4349-bdd9-381573730c22.json | 1 - ...e2be4-6eca-4349-bdd9-381573730c22_103.json | 1 - ...e2be4-6eca-4349-bdd9-381573730c22_104.json | 1 - ...e2be4-6eca-4349-bdd9-381573730c22_105.json | 1 - ...e2be4-6eca-4349-bdd9-381573730c22_106.json | 1 - ...e2be4-6eca-4349-bdd9-381573730c22_107.json | 1 - ...e2be4-6eca-4349-bdd9-381573730c22_108.json | 1 - 
...e2be4-6eca-4349-bdd9-381573730c22_109.json | 1 - .../f2c7b914-eda3-40c2-96ac-d23ef91776ca.json | 1 - ...7b914-eda3-40c2-96ac-d23ef91776ca_103.json | 1 - ...7b914-eda3-40c2-96ac-d23ef91776ca_104.json | 1 - ...7b914-eda3-40c2-96ac-d23ef91776ca_105.json | 1 - ...7b914-eda3-40c2-96ac-d23ef91776ca_106.json | 1 - ...7b914-eda3-40c2-96ac-d23ef91776ca_107.json | 1 - ...7b914-eda3-40c2-96ac-d23ef91776ca_108.json | 1 - ...7b914-eda3-40c2-96ac-d23ef91776ca_109.json | 1 - ...7b914-eda3-40c2-96ac-d23ef91776ca_309.json | 1 - .../f2f46686-6f3c-4724-bd7d-24e31c70f98f.json | 1 - ...46686-6f3c-4724-bd7d-24e31c70f98f_103.json | 1 - ...46686-6f3c-4724-bd7d-24e31c70f98f_104.json | 1 - ...46686-6f3c-4724-bd7d-24e31c70f98f_105.json | 1 - ...46686-6f3c-4724-bd7d-24e31c70f98f_106.json | 1 - ...46686-6f3c-4724-bd7d-24e31c70f98f_107.json | 1 - ...46686-6f3c-4724-bd7d-24e31c70f98f_108.json | 1 - ...46686-6f3c-4724-bd7d-24e31c70f98f_109.json | 1 - ...46686-6f3c-4724-bd7d-24e31c70f98f_110.json | 1 - ...46686-6f3c-4724-bd7d-24e31c70f98f_111.json | 1 - .../f30f3443-4fbb-4c27-ab89-c3ad49d62315.json | 1 - ...f3443-4fbb-4c27-ab89-c3ad49d62315_102.json | 1 - ...f3443-4fbb-4c27-ab89-c3ad49d62315_103.json | 1 - ...f3443-4fbb-4c27-ab89-c3ad49d62315_104.json | 1 - ...f3443-4fbb-4c27-ab89-c3ad49d62315_205.json | 1 - .../f33e68a4-bd19-11ed-b02f-f661ea17fbcc.json | 1 - ...33e68a4-bd19-11ed-b02f-f661ea17fbcc_1.json | 1 - ...33e68a4-bd19-11ed-b02f-f661ea17fbcc_2.json | 1 - ...33e68a4-bd19-11ed-b02f-f661ea17fbcc_3.json | 1 - ...33e68a4-bd19-11ed-b02f-f661ea17fbcc_4.json | 1 - ...33e68a4-bd19-11ed-b02f-f661ea17fbcc_5.json | 1 - ...33e68a4-bd19-11ed-b02f-f661ea17fbcc_6.json | 1 - .../f3403393-1fd9-4686-8f6e-596c58bc00b4.json | 1 - ...3403393-1fd9-4686-8f6e-596c58bc00b4_1.json | 1 - ...3403393-1fd9-4686-8f6e-596c58bc00b4_2.json | 1 - ...3403393-1fd9-4686-8f6e-596c58bc00b4_3.json | 1 - ...3403393-1fd9-4686-8f6e-596c58bc00b4_4.json | 1 - .../f3475224-b179-4f78-8877-c2bd64c26b88.json | 1 - 
...75224-b179-4f78-8877-c2bd64c26b88_103.json | 1 - ...75224-b179-4f78-8877-c2bd64c26b88_104.json | 1 - ...75224-b179-4f78-8877-c2bd64c26b88_105.json | 1 - ...75224-b179-4f78-8877-c2bd64c26b88_106.json | 1 - ...75224-b179-4f78-8877-c2bd64c26b88_107.json | 1 - ...75224-b179-4f78-8877-c2bd64c26b88_108.json | 1 - ...75224-b179-4f78-8877-c2bd64c26b88_109.json | 1 - ...75224-b179-4f78-8877-c2bd64c26b88_110.json | 1 - .../f37f3054-d40b-49ac-aa9b-a786c74c58b8.json | 1 - ...f3054-d40b-49ac-aa9b-a786c74c58b8_101.json | 1 - ...f3054-d40b-49ac-aa9b-a786c74c58b8_102.json | 1 - ...f3054-d40b-49ac-aa9b-a786c74c58b8_103.json | 1 - .../f3818c85-2207-4b51-8a28-d70fb156ee87.json | 1 - ...3818c85-2207-4b51-8a28-d70fb156ee87_1.json | 1 - ...3818c85-2207-4b51-8a28-d70fb156ee87_2.json | 1 - .../f3e22c8b-ea47-45d1-b502-b57b6de950b3.json | 1 - ...3e22c8b-ea47-45d1-b502-b57b6de950b3_1.json | 1 - ...3e22c8b-ea47-45d1-b502-b57b6de950b3_2.json | 1 - ...3e22c8b-ea47-45d1-b502-b57b6de950b3_3.json | 1 - ...3e22c8b-ea47-45d1-b502-b57b6de950b3_4.json | 1 - ...3e22c8b-ea47-45d1-b502-b57b6de950b3_5.json | 1 - ...3e22c8b-ea47-45d1-b502-b57b6de950b3_6.json | 1 - .../f41296b4-9975-44d6-9486-514c6f635b2d.json | 1 - ...41296b4-9975-44d6-9486-514c6f635b2d_1.json | 1 - ...41296b4-9975-44d6-9486-514c6f635b2d_2.json | 1 - ...41296b4-9975-44d6-9486-514c6f635b2d_3.json | 1 - ...41296b4-9975-44d6-9486-514c6f635b2d_4.json | 1 - ...41296b4-9975-44d6-9486-514c6f635b2d_5.json | 1 - .../f44fa4b6-524c-4e87-8d9e-a32599e4fb7c.json | 1 - ...fa4b6-524c-4e87-8d9e-a32599e4fb7c_102.json | 1 - ...fa4b6-524c-4e87-8d9e-a32599e4fb7c_103.json | 1 - ...fa4b6-524c-4e87-8d9e-a32599e4fb7c_104.json | 1 - ...fa4b6-524c-4e87-8d9e-a32599e4fb7c_105.json | 1 - ...fa4b6-524c-4e87-8d9e-a32599e4fb7c_106.json | 1 - ...fa4b6-524c-4e87-8d9e-a32599e4fb7c_107.json | 1 - ...fa4b6-524c-4e87-8d9e-a32599e4fb7c_108.json | 1 - .../f48ecc44-7d02-437d-9562-b838d2c41987.json | 1 - ...48ecc44-7d02-437d-9562-b838d2c41987_1.json | 1 - 
.../f494c678-3c33-43aa-b169-bb3d5198c41d.json | 1 - ...4c678-3c33-43aa-b169-bb3d5198c41d_105.json | 1 - ...4c678-3c33-43aa-b169-bb3d5198c41d_106.json | 1 - ...4c678-3c33-43aa-b169-bb3d5198c41d_107.json | 1 - ...4c678-3c33-43aa-b169-bb3d5198c41d_108.json | 1 - ...4c678-3c33-43aa-b169-bb3d5198c41d_109.json | 1 - ...4c678-3c33-43aa-b169-bb3d5198c41d_110.json | 1 - ...4c678-3c33-43aa-b169-bb3d5198c41d_111.json | 1 - ...4c678-3c33-43aa-b169-bb3d5198c41d_112.json | 1 - .../f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c.json | 1 - ...4c2515a-18bb-47ce-a768-1dc4e7b0fe6c_1.json | 1 - ...4c2515a-18bb-47ce-a768-1dc4e7b0fe6c_2.json | 1 - .../f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee.json | 1 - ...4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee_1.json | 1 - .../f530ca17-153b-4a7a-8cd3-98dd4b4ddf73.json | 1 - ...530ca17-153b-4a7a-8cd3-98dd4b4ddf73_1.json | 1 - ...530ca17-153b-4a7a-8cd3-98dd4b4ddf73_2.json | 1 - ...530ca17-153b-4a7a-8cd3-98dd4b4ddf73_3.json | 1 - ...530ca17-153b-4a7a-8cd3-98dd4b4ddf73_4.json | 1 - ...530ca17-153b-4a7a-8cd3-98dd4b4ddf73_5.json | 1 - .../f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc.json | 1 - ...5ff26-3c94-4fd0-bd33-3c7f95a3a0fc_104.json | 1 - ...5ff26-3c94-4fd0-bd33-3c7f95a3a0fc_105.json | 1 - ...5ff26-3c94-4fd0-bd33-3c7f95a3a0fc_106.json | 1 - ...5ff26-3c94-4fd0-bd33-3c7f95a3a0fc_107.json | 1 - ...5ff26-3c94-4fd0-bd33-3c7f95a3a0fc_108.json | 1 - ...5ff26-3c94-4fd0-bd33-3c7f95a3a0fc_109.json | 1 - ...5ff26-3c94-4fd0-bd33-3c7f95a3a0fc_110.json | 1 - ...5ff26-3c94-4fd0-bd33-3c7f95a3a0fc_111.json | 1 - ...5ff26-3c94-4fd0-bd33-3c7f95a3a0fc_112.json | 1 - .../f5488ac1-099e-4008-a6cb-fb638a0f0828.json | 1 - ...5488ac1-099e-4008-a6cb-fb638a0f0828_1.json | 1 - .../f580bf0a-2d23-43bb-b8e1-17548bb947ec.json | 1 - ...580bf0a-2d23-43bb-b8e1-17548bb947ec_1.json | 1 - ...0bf0a-2d23-43bb-b8e1-17548bb947ec_108.json | 1 - ...580bf0a-2d23-43bb-b8e1-17548bb947ec_2.json | 1 - ...580bf0a-2d23-43bb-b8e1-17548bb947ec_3.json | 1 - ...580bf0a-2d23-43bb-b8e1-17548bb947ec_6.json | 1 - 
.../f5861570-e39a-4b8a-9259-abd39f84cb97.json | 1 - ...5861570-e39a-4b8a-9259-abd39f84cb97_1.json | 1 - ...5861570-e39a-4b8a-9259-abd39f84cb97_2.json | 1 - ...5861570-e39a-4b8a-9259-abd39f84cb97_3.json | 1 - ...5861570-e39a-4b8a-9259-abd39f84cb97_4.json | 1 - ...5861570-e39a-4b8a-9259-abd39f84cb97_5.json | 1 - ...5861570-e39a-4b8a-9259-abd39f84cb97_6.json | 1 - .../f59668de-caa0-4b84-94c1-3a1549e1e798.json | 1 - ...59668de-caa0-4b84-94c1-3a1549e1e798_1.json | 1 - ...59668de-caa0-4b84-94c1-3a1549e1e798_2.json | 1 - ...59668de-caa0-4b84-94c1-3a1549e1e798_3.json | 1 - ...59668de-caa0-4b84-94c1-3a1549e1e798_4.json | 1 - ...59668de-caa0-4b84-94c1-3a1549e1e798_5.json | 1 - ...59668de-caa0-4b84-94c1-3a1549e1e798_6.json | 1 - .../f5c005d3-4e17-48b0-9cd7-444d48857f97.json | 1 - ...5c005d3-4e17-48b0-9cd7-444d48857f97_1.json | 1 - ...5c005d3-4e17-48b0-9cd7-444d48857f97_2.json | 1 - ...5c005d3-4e17-48b0-9cd7-444d48857f97_3.json | 1 - ...5c005d3-4e17-48b0-9cd7-444d48857f97_4.json | 1 - ...5c005d3-4e17-48b0-9cd7-444d48857f97_5.json | 1 - .../f5d9d36d-7c30-4cdb-a856-9f653c13d4e0.json | 1 - ...5d9d36d-7c30-4cdb-a856-9f653c13d4e0_1.json | 1 - ...5d9d36d-7c30-4cdb-a856-9f653c13d4e0_2.json | 1 - ...5d9d36d-7c30-4cdb-a856-9f653c13d4e0_3.json | 1 - ...5d9d36d-7c30-4cdb-a856-9f653c13d4e0_4.json | 1 - ...5d9d36d-7c30-4cdb-a856-9f653c13d4e0_5.json | 1 - ...5d9d36d-7c30-4cdb-a856-9f653c13d4e0_6.json | 1 - .../f5fb4598-4f10-11ed-bdc3-0242ac120002.json | 1 - ...5fb4598-4f10-11ed-bdc3-0242ac120002_2.json | 1 - ...5fb4598-4f10-11ed-bdc3-0242ac120002_3.json | 1 - ...5fb4598-4f10-11ed-bdc3-0242ac120002_4.json | 1 - ...5fb4598-4f10-11ed-bdc3-0242ac120002_5.json | 1 - ...5fb4598-4f10-11ed-bdc3-0242ac120002_6.json | 1 - .../f638a66d-3bbf-46b1-a52c-ef6f39fb6caf.json | 1 - ...638a66d-3bbf-46b1-a52c-ef6f39fb6caf_1.json | 1 - ...638a66d-3bbf-46b1-a52c-ef6f39fb6caf_2.json | 1 - .../f63c8e3c-d396-404f-b2ea-0379d3942d73.json | 1 - ...c8e3c-d396-404f-b2ea-0379d3942d73_104.json | 1 - 
...c8e3c-d396-404f-b2ea-0379d3942d73_105.json | 1 - ...c8e3c-d396-404f-b2ea-0379d3942d73_106.json | 1 - ...c8e3c-d396-404f-b2ea-0379d3942d73_107.json | 1 - ...c8e3c-d396-404f-b2ea-0379d3942d73_108.json | 1 - ...c8e3c-d396-404f-b2ea-0379d3942d73_109.json | 1 - ...c8e3c-d396-404f-b2ea-0379d3942d73_110.json | 1 - ...c8e3c-d396-404f-b2ea-0379d3942d73_310.json | 1 - .../f6652fb5-cd8e-499c-8311-2ce2bb6cac62.json | 1 - ...6652fb5-cd8e-499c-8311-2ce2bb6cac62_1.json | 1 - .../f675872f-6d85-40a3-b502-c0d2ef101e92.json | 1 - ...5872f-6d85-40a3-b502-c0d2ef101e92_104.json | 1 - ...5872f-6d85-40a3-b502-c0d2ef101e92_105.json | 1 - ...5872f-6d85-40a3-b502-c0d2ef101e92_106.json | 1 - ...5872f-6d85-40a3-b502-c0d2ef101e92_107.json | 1 - ...5872f-6d85-40a3-b502-c0d2ef101e92_108.json | 1 - ...5872f-6d85-40a3-b502-c0d2ef101e92_109.json | 1 - ...5872f-6d85-40a3-b502-c0d2ef101e92_110.json | 1 - ...5872f-6d85-40a3-b502-c0d2ef101e92_310.json | 1 - .../f683dcdf-a018-4801-b066-193d4ae6c8e5.json | 1 - ...3dcdf-a018-4801-b066-193d4ae6c8e5_102.json | 1 - ...3dcdf-a018-4801-b066-193d4ae6c8e5_103.json | 1 - ...3dcdf-a018-4801-b066-193d4ae6c8e5_104.json | 1 - ...3dcdf-a018-4801-b066-193d4ae6c8e5_105.json | 1 - .../f75f65cf-ed04-48df-a7ff-b02a8bfe636e.json | 1 - ...75f65cf-ed04-48df-a7ff-b02a8bfe636e_1.json | 1 - ...75f65cf-ed04-48df-a7ff-b02a8bfe636e_2.json | 1 - .../f766ffaf-9568-4909-b734-75d19b35cbf4.json | 1 - ...6ffaf-9568-4909-b734-75d19b35cbf4_101.json | 1 - .../f772ec8a-e182-483c-91d2-72058f76a44c.json | 1 - ...2ec8a-e182-483c-91d2-72058f76a44c_105.json | 1 - ...2ec8a-e182-483c-91d2-72058f76a44c_106.json | 1 - ...2ec8a-e182-483c-91d2-72058f76a44c_107.json | 1 - ...2ec8a-e182-483c-91d2-72058f76a44c_208.json | 1 - .../f7769104-e8f9-4931-94a2-68fc04eadec3.json | 1 - ...7769104-e8f9-4931-94a2-68fc04eadec3_1.json | 1 - ...7769104-e8f9-4931-94a2-68fc04eadec3_2.json | 1 - .../f7c4dc5a-a58d-491d-9f14-9b66507121c0.json | 1 - ...4dc5a-a58d-491d-9f14-9b66507121c0_104.json | 1 - 
...4dc5a-a58d-491d-9f14-9b66507121c0_105.json | 1 - ...4dc5a-a58d-491d-9f14-9b66507121c0_106.json | 1 - ...4dc5a-a58d-491d-9f14-9b66507121c0_107.json | 1 - ...4dc5a-a58d-491d-9f14-9b66507121c0_108.json | 1 - ...4dc5a-a58d-491d-9f14-9b66507121c0_109.json | 1 - ...4dc5a-a58d-491d-9f14-9b66507121c0_110.json | 1 - ...4dc5a-a58d-491d-9f14-9b66507121c0_111.json | 1 - ...4dc5a-a58d-491d-9f14-9b66507121c0_112.json | 1 - .../f7c70f2e-4616-439c-85ac-5b98415042fe.json | 1 - ...7c70f2e-4616-439c-85ac-5b98415042fe_1.json | 1 - ...7c70f2e-4616-439c-85ac-5b98415042fe_2.json | 1 - .../f81ee52c-297e-46d9-9205-07e66931df26.json | 1 - ...ee52c-297e-46d9-9205-07e66931df26_102.json | 1 - ...ee52c-297e-46d9-9205-07e66931df26_103.json | 1 - ...ee52c-297e-46d9-9205-07e66931df26_104.json | 1 - ...ee52c-297e-46d9-9205-07e66931df26_105.json | 1 - ...ee52c-297e-46d9-9205-07e66931df26_106.json | 1 - ...ee52c-297e-46d9-9205-07e66931df26_107.json | 1 - ...ee52c-297e-46d9-9205-07e66931df26_108.json | 1 - ...ee52c-297e-46d9-9205-07e66931df26_109.json | 1 - .../f85ce03f-d8a8-4c83-acdc-5c8cd0592be7.json | 1 - ...ce03f-d8a8-4c83-acdc-5c8cd0592be7_102.json | 1 - ...ce03f-d8a8-4c83-acdc-5c8cd0592be7_103.json | 1 - ...ce03f-d8a8-4c83-acdc-5c8cd0592be7_104.json | 1 - ...ce03f-d8a8-4c83-acdc-5c8cd0592be7_105.json | 1 - ...86cd31c-5c7e-4481-99d7-6875a3e31309_1.json | 1 - .../f874315d-5188-4b4a-8521-d1c73093a7e4.json | 1 - ...4315d-5188-4b4a-8521-d1c73093a7e4_104.json | 1 - ...4315d-5188-4b4a-8521-d1c73093a7e4_105.json | 1 - ...4315d-5188-4b4a-8521-d1c73093a7e4_106.json | 1 - ...4315d-5188-4b4a-8521-d1c73093a7e4_107.json | 1 - ...4315d-5188-4b4a-8521-d1c73093a7e4_108.json | 1 - ...4315d-5188-4b4a-8521-d1c73093a7e4_109.json | 1 - ...4315d-5188-4b4a-8521-d1c73093a7e4_110.json | 1 - ...4315d-5188-4b4a-8521-d1c73093a7e4_111.json | 1 - ...4315d-5188-4b4a-8521-d1c73093a7e4_112.json | 1 - .../f8822053-a5d2-46db-8c96-d460b12c36ac.json | 1 - ...8822053-a5d2-46db-8c96-d460b12c36ac_1.json | 1 - 
...8822053-a5d2-46db-8c96-d460b12c36ac_2.json | 1 - ...8822053-a5d2-46db-8c96-d460b12c36ac_3.json | 1 - .../f94e898e-94f1-4545-8923-03e4b2866211.json | 1 - ...94e898e-94f1-4545-8923-03e4b2866211_1.json | 1 - ...e898e-94f1-4545-8923-03e4b2866211_103.json | 95 ++++++++++++ .../f9590f47-6bd5-4a49-bd49-a2f886476fb9.json | 1 - ...90f47-6bd5-4a49-bd49-a2f886476fb9_101.json | 1 - ...90f47-6bd5-4a49-bd49-a2f886476fb9_102.json | 1 - ...90f47-6bd5-4a49-bd49-a2f886476fb9_103.json | 1 - ...90f47-6bd5-4a49-bd49-a2f886476fb9_104.json | 1 - .../f95972d3-c23b-463b-89a8-796b3f369b49.json | 1 - ...95972d3-c23b-463b-89a8-796b3f369b49_2.json | 1 - ...95972d3-c23b-463b-89a8-796b3f369b49_3.json | 1 - ...95972d3-c23b-463b-89a8-796b3f369b49_4.json | 1 - ...95972d3-c23b-463b-89a8-796b3f369b49_5.json | 1 - ...95972d3-c23b-463b-89a8-796b3f369b49_6.json | 1 - ...95972d3-c23b-463b-89a8-796b3f369b49_7.json | 1 - .../f97504ac-1053-498f-aeaa-c6d01e76b379.json | 1 - ...97504ac-1053-498f-aeaa-c6d01e76b379_1.json | 1 - ...97504ac-1053-498f-aeaa-c6d01e76b379_2.json | 1 - .../f9790abf-bd0c-45f9-8b5f-d0b74015e029.json | 1 - ...790abf-bd0c-45f9-8b5f-d0b74015e029_10.json | 1 - ...9790abf-bd0c-45f9-8b5f-d0b74015e029_4.json | 1 - ...9790abf-bd0c-45f9-8b5f-d0b74015e029_5.json | 1 - ...9790abf-bd0c-45f9-8b5f-d0b74015e029_6.json | 1 - ...9790abf-bd0c-45f9-8b5f-d0b74015e029_7.json | 1 - ...9790abf-bd0c-45f9-8b5f-d0b74015e029_8.json | 1 - ...9790abf-bd0c-45f9-8b5f-d0b74015e029_9.json | 1 - .../f994964f-6fce-4d75-8e79-e16ccc412588.json | 1 - ...4964f-6fce-4d75-8e79-e16ccc412588_102.json | 1 - ...4964f-6fce-4d75-8e79-e16ccc412588_103.json | 1 - ...4964f-6fce-4d75-8e79-e16ccc412588_104.json | 1 - ...4964f-6fce-4d75-8e79-e16ccc412588_205.json | 1 - ...4964f-6fce-4d75-8e79-e16ccc412588_206.json | 1 - ...4964f-6fce-4d75-8e79-e16ccc412588_208.json | 1 - ...4964f-6fce-4d75-8e79-e16ccc412588_308.json | 121 +++++++++++++++ .../fa01341d-6662-426b-9d0c-6d81e33c8a9d.json | 1 - ...1341d-6662-426b-9d0c-6d81e33c8a9d_103.json | 
1 - ...1341d-6662-426b-9d0c-6d81e33c8a9d_104.json | 1 - ...1341d-6662-426b-9d0c-6d81e33c8a9d_105.json | 1 - ...1341d-6662-426b-9d0c-6d81e33c8a9d_106.json | 1 - ...1341d-6662-426b-9d0c-6d81e33c8a9d_107.json | 1 - ...1341d-6662-426b-9d0c-6d81e33c8a9d_108.json | 1 - ...1341d-6662-426b-9d0c-6d81e33c8a9d_109.json | 1 - ...1341d-6662-426b-9d0c-6d81e33c8a9d_110.json | 1 - ...1341d-6662-426b-9d0c-6d81e33c8a9d_111.json | 1 - ...1341d-6662-426b-9d0c-6d81e33c8a9d_311.json | 1 - .../fa210b61-b627-4e5e-86f4-17e8270656ab.json | 1 - ...a210b61-b627-4e5e-86f4-17e8270656ab_1.json | 1 - ...a210b61-b627-4e5e-86f4-17e8270656ab_2.json | 1 - ...a210b61-b627-4e5e-86f4-17e8270656ab_3.json | 1 - ...a210b61-b627-4e5e-86f4-17e8270656ab_4.json | 1 - ...a210b61-b627-4e5e-86f4-17e8270656ab_5.json | 1 - ...a210b61-b627-4e5e-86f4-17e8270656ab_6.json | 1 - .../fa3a59dc-33c3-43bf-80a9-e8437a922c7f.json | 1 - ...a3a59dc-33c3-43bf-80a9-e8437a922c7f_1.json | 1 - ...a3a59dc-33c3-43bf-80a9-e8437a922c7f_2.json | 1 - ...a3a59dc-33c3-43bf-80a9-e8437a922c7f_3.json | 1 - ...a3a59dc-33c3-43bf-80a9-e8437a922c7f_4.json | 1 - ...a3a59dc-33c3-43bf-80a9-e8437a922c7f_5.json | 1 - ...a3a59dc-33c3-43bf-80a9-e8437a922c7f_6.json | 1 - .../fa488440-04cc-41d7-9279-539387bf2a17.json | 1 - ...88440-04cc-41d7-9279-539387bf2a17_110.json | 1 - ...a488440-04cc-41d7-9279-539387bf2a17_2.json | 1 - ...88440-04cc-41d7-9279-539387bf2a17_211.json | 1 - ...88440-04cc-41d7-9279-539387bf2a17_212.json | 1 - ...88440-04cc-41d7-9279-539387bf2a17_213.json | 1 - ...a488440-04cc-41d7-9279-539387bf2a17_3.json | 1 - ...a488440-04cc-41d7-9279-539387bf2a17_4.json | 1 - ...a488440-04cc-41d7-9279-539387bf2a17_5.json | 1 - ...a488440-04cc-41d7-9279-539387bf2a17_6.json | 1 - ...a488440-04cc-41d7-9279-539387bf2a17_7.json | 1 - ...a488440-04cc-41d7-9279-539387bf2a17_8.json | 1 - ...a488440-04cc-41d7-9279-539387bf2a17_9.json | 1 - .../fac52c69-2646-4e79-89c0-fd7653461010.json | 1 - ...ac52c69-2646-4e79-89c0-fd7653461010_1.json | 1 - 
...ac52c69-2646-4e79-89c0-fd7653461010_2.json | 1 - ...ac52c69-2646-4e79-89c0-fd7653461010_3.json | 1 - ...ac52c69-2646-4e79-89c0-fd7653461010_4.json | 1 - ...ac52c69-2646-4e79-89c0-fd7653461010_5.json | 1 - ...ac52c69-2646-4e79-89c0-fd7653461010_6.json | 1 - .../fb01d790-9f74-4e76-97dd-b4b0f7bf6435.json | 1 - ...b01d790-9f74-4e76-97dd-b4b0f7bf6435_1.json | 1 - ...1d790-9f74-4e76-97dd-b4b0f7bf6435_102.json | 1 - ...1d790-9f74-4e76-97dd-b4b0f7bf6435_103.json | 1 - ...1d790-9f74-4e76-97dd-b4b0f7bf6435_104.json | 1 - .../fb02b8d3-71ee-4af1-bacd-215d23f17efa.json | 1 - ...2b8d3-71ee-4af1-bacd-215d23f17efa_102.json | 1 - ...2b8d3-71ee-4af1-bacd-215d23f17efa_103.json | 1 - ...2b8d3-71ee-4af1-bacd-215d23f17efa_104.json | 1 - ...2b8d3-71ee-4af1-bacd-215d23f17efa_105.json | 1 - ...2b8d3-71ee-4af1-bacd-215d23f17efa_106.json | 1 - ...2b8d3-71ee-4af1-bacd-215d23f17efa_107.json | 1 - ...2b8d3-71ee-4af1-bacd-215d23f17efa_108.json | 1 - .../fb0afac5-bbd6-49b0-b4f8-44e5381e1587.json | 1 - ...b0afac5-bbd6-49b0-b4f8-44e5381e1587_1.json | 1 - ...afac5-bbd6-49b0-b4f8-44e5381e1587_103.json | 93 ++++++++++++ .../fbd44836-0d69-4004-a0b4-03c20370c435.json | 1 - ...44836-0d69-4004-a0b4-03c20370c435_102.json | 1 - ...44836-0d69-4004-a0b4-03c20370c435_103.json | 1 - ...44836-0d69-4004-a0b4-03c20370c435_104.json | 1 - ...44836-0d69-4004-a0b4-03c20370c435_205.json | 1 - .../fc7c0fa4-8f03-4b3e-8336-c5feab0be022.json | 1 - ...c0fa4-8f03-4b3e-8336-c5feab0be022_103.json | 1 - ...c0fa4-8f03-4b3e-8336-c5feab0be022_104.json | 1 - ...c0fa4-8f03-4b3e-8336-c5feab0be022_105.json | 1 - ...c0fa4-8f03-4b3e-8336-c5feab0be022_106.json | 1 - ...c0fa4-8f03-4b3e-8336-c5feab0be022_107.json | 1 - ...c0fa4-8f03-4b3e-8336-c5feab0be022_108.json | 1 - ...c0fa4-8f03-4b3e-8336-c5feab0be022_109.json | 1 - .../fc909baa-fb34-4c46-9691-be276ef4234c.json | 1 - ...c909baa-fb34-4c46-9691-be276ef4234c_1.json | 1 - ...09baa-fb34-4c46-9691-be276ef4234c_103.json | 95 ++++++++++++ .../fcf733d5-7801-4eb0-92ac-8ffacf3658f2.json | 1 - 
...cf733d5-7801-4eb0-92ac-8ffacf3658f2_1.json | 1 - ...cf733d5-7801-4eb0-92ac-8ffacf3658f2_2.json | 1 - .../fd01b949-81be-46d5-bcf8-284395d5f56d.json | 1 - ...d01b949-81be-46d5-bcf8-284395d5f56d_1.json | 1 - ...1b949-81be-46d5-bcf8-284395d5f56d_103.json | 70 +++++++++ .../fd332492-0bc6-11ef-b5be-f661ea17fbcc.json | 1 - ...d332492-0bc6-11ef-b5be-f661ea17fbcc_1.json | 1 - .../fd4a992d-6130-4802-9ff8-829b89ae801f.json | 1 - ...a992d-6130-4802-9ff8-829b89ae801f_104.json | 1 - ...a992d-6130-4802-9ff8-829b89ae801f_105.json | 1 - ...a992d-6130-4802-9ff8-829b89ae801f_106.json | 1 - ...a992d-6130-4802-9ff8-829b89ae801f_107.json | 1 - ...a992d-6130-4802-9ff8-829b89ae801f_108.json | 1 - ...a992d-6130-4802-9ff8-829b89ae801f_109.json | 1 - ...a992d-6130-4802-9ff8-829b89ae801f_110.json | 1 - ...a992d-6130-4802-9ff8-829b89ae801f_111.json | 1 - ...a992d-6130-4802-9ff8-829b89ae801f_311.json | 1 - .../fd70c98a-c410-42dc-a2e3-761c71848acf.json | 1 - ...0c98a-c410-42dc-a2e3-761c71848acf_103.json | 1 - ...0c98a-c410-42dc-a2e3-761c71848acf_104.json | 1 - ...0c98a-c410-42dc-a2e3-761c71848acf_105.json | 1 - ...0c98a-c410-42dc-a2e3-761c71848acf_106.json | 1 - ...0c98a-c410-42dc-a2e3-761c71848acf_107.json | 1 - ...0c98a-c410-42dc-a2e3-761c71848acf_108.json | 1 - ...0c98a-c410-42dc-a2e3-761c71848acf_109.json | 1 - ...0c98a-c410-42dc-a2e3-761c71848acf_110.json | 1 - ...0c98a-c410-42dc-a2e3-761c71848acf_310.json | 1 - .../fd7a6052-58fa-4397-93c3-4795249ccfa2.json | 1 - ...a6052-58fa-4397-93c3-4795249ccfa2_104.json | 1 - ...a6052-58fa-4397-93c3-4795249ccfa2_105.json | 1 - ...a6052-58fa-4397-93c3-4795249ccfa2_106.json | 1 - ...a6052-58fa-4397-93c3-4795249ccfa2_107.json | 1 - ...a6052-58fa-4397-93c3-4795249ccfa2_207.json | 1 - ...a6052-58fa-4397-93c3-4795249ccfa2_208.json | 1 - ...a6052-58fa-4397-93c3-4795249ccfa2_209.json | 1 - ...a6052-58fa-4397-93c3-4795249ccfa2_210.json | 1 - ...a6052-58fa-4397-93c3-4795249ccfa2_211.json | 1 - ...a6052-58fa-4397-93c3-4795249ccfa2_212.json | 1 - 
...a6052-58fa-4397-93c3-4795249ccfa2_213.json | 1 - ...a6052-58fa-4397-93c3-4795249ccfa2_216.json | 1 - ...a6052-58fa-4397-93c3-4795249ccfa2_318.json | 1 - .../fd9484f2-1c56-44ae-8b28-dc1354e3a0e8.json | 1 - ...d9484f2-1c56-44ae-8b28-dc1354e3a0e8_1.json | 1 - .../fda1d332-5e08-4f27-8a9b-8c802e3292a6.json | 1 - ...da1d332-5e08-4f27-8a9b-8c802e3292a6_1.json | 1 - ...a1d332-5e08-4f27-8a9b-8c802e3292a6_10.json | 1 - ...a1d332-5e08-4f27-8a9b-8c802e3292a6_11.json | 1 - ...a1d332-5e08-4f27-8a9b-8c802e3292a6_12.json | 1 - ...da1d332-5e08-4f27-8a9b-8c802e3292a6_2.json | 1 - ...da1d332-5e08-4f27-8a9b-8c802e3292a6_3.json | 1 - ...da1d332-5e08-4f27-8a9b-8c802e3292a6_4.json | 1 - ...da1d332-5e08-4f27-8a9b-8c802e3292a6_5.json | 1 - ...da1d332-5e08-4f27-8a9b-8c802e3292a6_6.json | 1 - ...da1d332-5e08-4f27-8a9b-8c802e3292a6_7.json | 1 - ...da1d332-5e08-4f27-8a9b-8c802e3292a6_8.json | 1 - ...da1d332-5e08-4f27-8a9b-8c802e3292a6_9.json | 1 - .../fddff193-48a3-484d-8d35-90bb3d323a56.json | 1 - ...ddff193-48a3-484d-8d35-90bb3d323a56_1.json | 1 - ...ddff193-48a3-484d-8d35-90bb3d323a56_2.json | 1 - ...ddff193-48a3-484d-8d35-90bb3d323a56_3.json | 1 - ...ddff193-48a3-484d-8d35-90bb3d323a56_4.json | 1 - ...ddff193-48a3-484d-8d35-90bb3d323a56_5.json | 1 - ...ddff193-48a3-484d-8d35-90bb3d323a56_6.json | 1 - .../fe25d5bc-01fa-494a-95ff-535c29cc4c96.json | 1 - ...e25d5bc-01fa-494a-95ff-535c29cc4c96_1.json | 1 - ...e25d5bc-01fa-494a-95ff-535c29cc4c96_2.json | 1 - ...e25d5bc-01fa-494a-95ff-535c29cc4c96_3.json | 1 - ...e25d5bc-01fa-494a-95ff-535c29cc4c96_4.json | 1 - ...e25d5bc-01fa-494a-95ff-535c29cc4c96_5.json | 1 - ...e25d5bc-01fa-494a-95ff-535c29cc4c96_6.json | 1 - .../fe794edd-487f-4a90-b285-3ee54f2af2d3.json | 1 - ...94edd-487f-4a90-b285-3ee54f2af2d3_104.json | 1 - ...94edd-487f-4a90-b285-3ee54f2af2d3_105.json | 1 - ...94edd-487f-4a90-b285-3ee54f2af2d3_106.json | 1 - ...94edd-487f-4a90-b285-3ee54f2af2d3_107.json | 1 - ...94edd-487f-4a90-b285-3ee54f2af2d3_108.json | 1 - 
...94edd-487f-4a90-b285-3ee54f2af2d3_109.json | 1 - ...94edd-487f-4a90-b285-3ee54f2af2d3_110.json | 1 - ...94edd-487f-4a90-b285-3ee54f2af2d3_111.json | 1 - ...94edd-487f-4a90-b285-3ee54f2af2d3_112.json | 1 - ...94edd-487f-4a90-b285-3ee54f2af2d3_113.json | 1 - ...94edd-487f-4a90-b285-3ee54f2af2d3_114.json | 1 - .../feafdc51-c575-4ed2-89dd-8e20badc2d6c.json | 1 - ...eafdc51-c575-4ed2-89dd-8e20badc2d6c_1.json | 1 - ...eafdc51-c575-4ed2-89dd-8e20badc2d6c_2.json | 1 - ...eafdc51-c575-4ed2-89dd-8e20badc2d6c_3.json | 1 - .../fec7ccb7-6ed9-4f98-93ab-d6b366b063a0.json | 1 - ...ec7ccb7-6ed9-4f98-93ab-d6b366b063a0_1.json | 1 - .../feeed87c-5e95-4339-aef1-47fd79bcfbe3.json | 1 - ...ed87c-5e95-4339-aef1-47fd79bcfbe3_104.json | 1 - ...ed87c-5e95-4339-aef1-47fd79bcfbe3_105.json | 1 - ...ed87c-5e95-4339-aef1-47fd79bcfbe3_106.json | 1 - ...ed87c-5e95-4339-aef1-47fd79bcfbe3_107.json | 1 - ...ed87c-5e95-4339-aef1-47fd79bcfbe3_108.json | 1 - .../ff013cb4-274d-434a-96bb-fe15ddd3ae92.json | 1 - ...13cb4-274d-434a-96bb-fe15ddd3ae92_101.json | 1 - ...13cb4-274d-434a-96bb-fe15ddd3ae92_102.json | 1 - ...13cb4-274d-434a-96bb-fe15ddd3ae92_103.json | 1 - .../ff0d807d-869b-4a0d-a493-52bc46d2f1b1.json | 1 - ...f0d807d-869b-4a0d-a493-52bc46d2f1b1_1.json | 1 - ...f0d807d-869b-4a0d-a493-52bc46d2f1b1_2.json | 1 - ...f0d807d-869b-4a0d-a493-52bc46d2f1b1_3.json | 1 - ...f0d807d-869b-4a0d-a493-52bc46d2f1b1_4.json | 1 - .../ff10d4d8-fea7-422d-afb1-e5a2702369a9.json | 1 - ...f10d4d8-fea7-422d-afb1-e5a2702369a9_1.json | 1 - ...10d4d8-fea7-422d-afb1-e5a2702369a9_10.json | 1 - ...10d4d8-fea7-422d-afb1-e5a2702369a9_11.json | 1 - ...10d4d8-fea7-422d-afb1-e5a2702369a9_12.json | 1 - ...10d4d8-fea7-422d-afb1-e5a2702369a9_13.json | 1 - ...f10d4d8-fea7-422d-afb1-e5a2702369a9_2.json | 1 - ...f10d4d8-fea7-422d-afb1-e5a2702369a9_3.json | 1 - ...f10d4d8-fea7-422d-afb1-e5a2702369a9_4.json | 1 - ...f10d4d8-fea7-422d-afb1-e5a2702369a9_5.json | 1 - ...f10d4d8-fea7-422d-afb1-e5a2702369a9_6.json | 1 - 
...f10d4d8-fea7-422d-afb1-e5a2702369a9_7.json | 1 - ...f10d4d8-fea7-422d-afb1-e5a2702369a9_8.json | 1 - ...f10d4d8-fea7-422d-afb1-e5a2702369a9_9.json | 1 - .../ff320c56-f8fa-11ee-8c44-f661ea17fbce.json | 1 - ...f320c56-f8fa-11ee-8c44-f661ea17fbce_1.json | 1 - .../ff4599cb-409f-4910-a239-52e4e6f532ff.json | 1 - ...f4599cb-409f-4910-a239-52e4e6f532ff_1.json | 1 - ...f4599cb-409f-4910-a239-52e4e6f532ff_2.json | 1 - ...f4599cb-409f-4910-a239-52e4e6f532ff_3.json | 1 - ...f4599cb-409f-4910-a239-52e4e6f532ff_4.json | 1 - ...f4599cb-409f-4910-a239-52e4e6f532ff_5.json | 1 - ...f4599cb-409f-4910-a239-52e4e6f532ff_6.json | 1 - ...f4599cb-409f-4910-a239-52e4e6f532ff_7.json | 1 - ...f4599cb-409f-4910-a239-52e4e6f532ff_8.json | 1 - ...f4599cb-409f-4910-a239-52e4e6f532ff_9.json | 1 - .../ff4dd44a-0ac6-44c4-8609-3f81bc820f02.json | 1 - ...dd44a-0ac6-44c4-8609-3f81bc820f02_101.json | 1 - ...dd44a-0ac6-44c4-8609-3f81bc820f02_102.json | 1 - ...dd44a-0ac6-44c4-8609-3f81bc820f02_103.json | 1 - ...dd44a-0ac6-44c4-8609-3f81bc820f02_105.json | 1 - .../ff6cf8b9-b76c-4cc1-ac1b-4935164d1029.json | 1 - ...f6cf8b9-b76c-4cc1-ac1b-4935164d1029_1.json | 1 - .../ff9b571e-61d6-4f6c-9561-eb4cca3bafe1.json | 1 - ...b571e-61d6-4f6c-9561-eb4cca3bafe1_103.json | 1 - .../ff9bc8b9-f03b-4283-be58-ee0a16f5a11b.json | 1 - ...f9bc8b9-f03b-4283-be58-ee0a16f5a11b_1.json | 1 - ...f9bc8b9-f03b-4283-be58-ee0a16f5a11b_2.json | 1 - ...f9bc8b9-f03b-4283-be58-ee0a16f5a11b_3.json | 1 - ...f9bc8b9-f03b-4283-be58-ee0a16f5a11b_4.json | 1 - .../security_detection_engine/manifest.yml | 2 +- 7131 files changed, 5696 insertions(+), 7063 deletions(-) delete mode 100644 packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_103.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_210.json create mode 100644 packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_310.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_112.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_114.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_314.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_211.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_312.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_313.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_314.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_414.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/01c49712-25bc-49d2-a27d-d7ce52f5dc49.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/01c49712-25bc-49d2-a27d-d7ce52f5dc49_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/01c49712-25bc-49d2-a27d-d7ce52f5dc49_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0294f105-d7af-4a02-ae90-35f56763ffa2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0294f105-d7af-4a02-ae90-35f56763ffa2_1.json create mode 100644 
packages/security_detection_engine/kibana/security_rule/0294f105-d7af-4a02-ae90-35f56763ffa2_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/02bab13d-fb14-4d7c-b6fe-4a28874d37c5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/02bab13d-fb14-4d7c-b6fe-4a28874d37c5_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/02bab13d-fb14-4d7c-b6fe-4a28874d37c5_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_109.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/035a6f21-4092-471d-9cda-9e379f459b1e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/035a6f21-4092-471d-9cda-9e379f459b1e_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/035a6f21-4092-471d-9cda-9e379f459b1e_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0369e8a6-0fa7-4e7a-961a-53180a4c966e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0369e8a6-0fa7-4e7a-961a-53180a4c966e_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/03a514d9-500e-443e-b6a9-72718c548f6c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/03a514d9-500e-443e-b6a9-72718c548f6c_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/03c23d45-d3cb-4ad4-ab5d-b361ffe8724a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/03c23d45-d3cb-4ad4-ab5d-b361ffe8724a_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/03c23d45-d3cb-4ad4-ab5d-b361ffe8724a_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0415258b-a7b2-48a6-891a-3367cd9d4d31.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_104.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/043d80a3-c49e-43ef-9c72-1088f0c7b278_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/043d80a3-c49e-43ef-9c72-1088f0c7b278_201.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_109.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_110.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0678bc9c-b71a-433b-87e6-2f664b6b3131.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0678bc9c-b71a-433b-87e6-2f664b6b3131_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0678bc9c-b71a-433b-87e6-2f664b6b3131_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0678bc9c-b71a-433b-87e6-2f664b6b3131_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_3.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_112.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_212.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/07639887-da3a-4fbf-9532-8ce748ff8c50.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/07639887-da3a-4fbf-9532-8ce748ff8c50_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/07639887-da3a-4fbf-9532-8ce748ff8c50_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/07639887-da3a-4fbf-9532-8ce748ff8c50_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/07639887-da3a-4fbf-9532-8ce748ff8c50_3.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_210.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_211.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_212.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_6.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_104.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_109.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/095b6a58-8f88-4b59-827c-ab584ad4e759.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/095b6a58-8f88-4b59-827c-ab584ad4e759_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/095b6a58-8f88-4b59-827c-ab584ad4e759_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de_100.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0ab319ef-92b8-4c7f-989b-5de93c852e93.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0ab319ef-92b8-4c7f-989b-5de93c852e93_1.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/0ab319ef-92b8-4c7f-989b-5de93c852e93_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0ab319ef-92b8-4c7f-989b-5de93c852e93_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0ab319ef-92b8-4c7f-989b-5de93c852e93_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b15bcad-aff1-4250-a5be-5d1b7eb56d07.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b15bcad-aff1-4250-a5be-5d1b7eb56d07_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b15bcad-aff1-4250-a5be-5d1b7eb56d07_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b15bcad-aff1-4250-a5be-5d1b7eb56d07_3.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_112.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/0b79f5c0-2c31-4fea-86cd-e62644278205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b96dfd8-5b8c-4485-9a1c-69ff7839786a_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b96dfd8-5b8c-4485-9a1c-69ff7839786a_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b96dfd8-5b8c-4485-9a1c-69ff7839786a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0b96dfd8-5b8c-4485-9a1c-69ff7839786a_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0c093569-dff9-42b6-87b1-0242d9f7d9b4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0c093569-dff9-42b6-87b1-0242d9f7d9b4_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_3.json 
delete mode 100644 packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_310.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0cd2f3e6-41da-40e6-b28b-466f688f00a6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0cd2f3e6-41da-40e6-b28b-466f688f00a6_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0cd2f3e6-41da-40e6-b28b-466f688f00a6_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0cd2f3e6-41da-40e6-b28b-466f688f00a6_3.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0d160033-fab7-4e72-85a3-3a9d80c8bff7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0d160033-fab7-4e72-85a3-3a9d80c8bff7_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_105.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0e4367a0-a483-439d-ad2e-d90500b925fd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0e4367a0-a483-439d-ad2e-d90500b925fd_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/0e4367a0-a483-439d-ad2e-d90500b925fd_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_107.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0f56369f-eb3d-459c-a00b-87c2bf7bdfc5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0f56369f-eb3d-459c-a00b-87c2bf7bdfc5_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0f56369f-eb3d-459c-a00b-87c2bf7bdfc5_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_208.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/10445cf0-0748-11ef-ba75-f661ea17fbcc.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/10445cf0-0748-11ef-ba75-f661ea17fbcc_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_103.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_108.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_10.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_11.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_12.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_13.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_5.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1251b98a-ff45-11ee-89a1-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1251b98a-ff45-11ee-89a1-f661ea17fbce_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_106.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_201.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_202.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_201.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_202.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_203.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12de29d4-bbb0-4eef-b687-857e8a163870.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12de29d4-bbb0-4eef-b687-857e8a163870_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12de29d4-bbb0-4eef-b687-857e8a163870_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12de29d4-bbb0-4eef-b687-857e8a163870_3.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_313.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_104.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_310.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1397e1b9-0c90-4d24-8d7b-80598eb9bc9a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1397e1b9-0c90-4d24-8d7b-80598eb9bc9a_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1397e1b9-0c90-4d24-8d7b-80598eb9bc9a_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1397e1b9-0c90-4d24-8d7b-80598eb9bc9a_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1397e1b9-0c90-4d24-8d7b-80598eb9bc9a_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_100.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/14dab405-5dd9-450c-8106-72951af2391f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/14dab405-5dd9-450c-8106-72951af2391f_1.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/14dab405-5dd9-450c-8106-72951af2391f_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/14dab405-5dd9-450c-8106-72951af2391f_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_201.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_202.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_111.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/1502a836-84b2-11ef-b026-f661ea17fbcc_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1502a836-84b2-11ef-b026-f661ea17fbcc_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1502a836-84b2-11ef-b026-f661ea17fbcc_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/151d8f72-0747-11ef-a0c2-f661ea17fbcc.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1542fa53-955e-4330-8e4d-b2d812adeb5f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1542fa53-955e-4330-8e4d-b2d812adeb5f_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1542fa53-955e-4330-8e4d-b2d812adeb5f_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_112.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_313.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_104.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/160896de-b66f-42cb-8fef-20f53a9006ea.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16280f1e-57e6-4242-aa21-bb4d16f13b2f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16280f1e-57e6-4242-aa21-bb4d16f13b2f_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17261da3-a6d0-463c-aac8-ea1718afcd20.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17261da3-a6d0-463c-aac8-ea1718afcd20_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17261da3-a6d0-463c-aac8-ea1718afcd20_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_106.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_103.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_10.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_11.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_12.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_13.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_14.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_101.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/181f6b23-3799-445e-9589-0018328a9e46_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/185c782e-f86a-11ee-9d9f-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/18a5dd9a-e3fa-4996-99b1-ae533b8f27fc.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/18a5dd9a-e3fa-4996-99b1-ae533b8f27fc_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/18a5dd9a-e3fa-4996-99b1-ae533b8f27fc_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/18a5dd9a-e3fa-4996-99b1-ae533b8f27fc_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/192657ba-ab0e-4901-89a2-911d611eee98.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/192657ba-ab0e-4901-89a2-911d611eee98_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/192657ba-ab0e-4901-89a2-911d611eee98_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/192657ba-ab0e-4901-89a2-911d611eee98_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6_1.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/19be0164-63d2-11ef-8e38-f661ea17fbce_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/19e9daf3-f5c5-4bc2-a9af-6b1e97098f03.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/19e9daf3-f5c5-4bc2-a9af-6b1e97098f03_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/19e9daf3-f5c5-4bc2-a9af-6b1e97098f03_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/19e9daf3-f5c5-4bc2-a9af-6b1e97098f03_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1a289854-5b78-49fe-9440-8a8096b1ab50.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1a289854-5b78-49fe-9440-8a8096b1ab50_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1a36cace-11a7-43a8-9a10-b497c5a02cd3.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/1a36cace-11a7-43a8-9a10-b497c5a02cd3_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_310.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_208.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_310.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1b0b4818-5655-409b-9c73-341cac4bb73f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1b0b4818-5655-409b-9c73-341cac4bb73f_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1b0b4818-5655-409b-9c73-341cac4bb73f_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_104.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_10.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c5a04ae-d034-41bf-b0d8-96439b5cc774.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/1c5a04ae-d034-41bf-b0d8-96439b5cc774_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_111.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_114.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_115.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c966416-60c1-436b-bfd0-e002fddbfd89.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1c966416-60c1-436b-bfd0-e002fddbfd89_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1ca62f14-4787-4913-b7af-df11745a49da.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1ca62f14-4787-4913-b7af-df11745a49da_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1ca62f14-4787-4913-b7af-df11745a49da_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_108.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce_1.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_103.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_310.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_104.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1df1152b-610a-4f48-9d7a-504f6ee5d9da.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1df1152b-610a-4f48-9d7a-504f6ee5d9da_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1df1152b-610a-4f48-9d7a-504f6ee5d9da_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1df1152b-610a-4f48-9d7a-504f6ee5d9da_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_4.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e0b832e-957e-43ae-b319-db82d228c908.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e0b832e-957e-43ae-b319-db82d228c908_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e9b271c-8caa-4e20-aed8-e91e34de9283.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e9b271c-8caa-4e20-aed8-e91e34de9283_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/1e9b271c-8caa-4e20-aed8-e91e34de9283_103.json 
delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1f45720e-5ea8-11ef-90d2-f661ea17fbce_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1f460f12-a3cf-4105-9ebb-f788cc63f365.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1f460f12-a3cf-4105-9ebb-f788cc63f365_1.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/1f460f12-a3cf-4105-9ebb-f788cc63f365_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1f460f12-a3cf-4105-9ebb-f788cc63f365_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_112.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514_100.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/202829f6-0271-4e88-b882-11a655c590d4.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/202829f6-0271-4e88-b882-11a655c590d4_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/202829f6-0271-4e88-b882-11a655c590d4_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_205.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/205b52c4-9c28-4af4-8979-935f3278d61a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/205b52c4-9c28-4af4-8979-935f3278d61a_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/205b52c4-9c28-4af4-8979-935f3278d61a_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_107.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/210d4430-b371-470e-b879-80b7182aa75e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/210d4430-b371-470e-b879-80b7182aa75e_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/210d4430-b371-470e-b879-80b7182aa75e_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/210d4430-b371-470e-b879-80b7182aa75e_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2138bb70-5a5e-42fd-be5e-b38edf6a6777.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2138bb70-5a5e-42fd-be5e-b38edf6a6777_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2138bb70-5a5e-42fd-be5e-b38edf6a6777_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_4.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_204.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_106.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_109.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/23bcd283-2bc0-4db2-81d4-273fc051e5c0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/23bcd283-2bc0-4db2-81d4-273fc051e5c0_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/23bcd283-2bc0-4db2-81d4-273fc051e5c0_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/23f18264-2d6d-11ef-9413-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/23f18264-2d6d-11ef-9413-f661ea17fbce_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/23f18264-2d6d-11ef-9413-f661ea17fbce_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/23f18264-2d6d-11ef-9413-f661ea17fbce_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/24401eca-ad0b-4ff9-9431-487a8e183af9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/24401eca-ad0b-4ff9-9431-487a8e183af9_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/24401eca-ad0b-4ff9-9431-487a8e183af9_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/24401eca-ad0b-4ff9-9431-487a8e183af9_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/24401eca-ad0b-4ff9-9431-487a8e183af9_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_104.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2553a9af-52a4-4a05-bb03-85b2a479a0a0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2553a9af-52a4-4a05-bb03-85b2a479a0a0_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2553a9af-52a4-4a05-bb03-85b2a479a0a0_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2553a9af-52a4-4a05-bb03-85b2a479a0a0_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/25e7fee6-fc25-11ee-ba0f-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/260486ee-7d98-11ee-9599-f661ea17fbcd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/260486ee-7d98-11ee-9599-f661ea17fbcd_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/260486ee-7d98-11ee-9599-f661ea17fbcd_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/260486ee-7d98-11ee-9599-f661ea17fbcd_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/260486ee-7d98-11ee-9599-f661ea17fbcd_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/260486ee-7d98-11ee-9599-f661ea17fbcd_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/263481c8-1e9b-492e-912d-d1760707f810.json 
delete mode 100644 packages/security_detection_engine/kibana/security_rule/263481c8-1e9b-492e-912d-d1760707f810_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/263481c8-1e9b-492e-912d-d1760707f810_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2636aa6c-88b5-4337-9c31-8d0192a8ef45.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2636aa6c-88b5-4337-9c31-8d0192a8ef45_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_3.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_309.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_310.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_101.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_102.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_114.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_115.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_116.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/28371aa1-14ed-46cf-ab5b-2fc7d1942278.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/28371aa1-14ed-46cf-ab5b-2fc7d1942278_1.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036_100.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_3.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/28bc620d-b2f7-4132-b372-f77953881d05.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/28bc620d-b2f7-4132-b372-f77953881d05_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/28eb3afe-131d-48b0-a8fc-9784f3d54f3c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/28eb3afe-131d-48b0-a8fc-9784f3d54f3c_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/28eb3afe-131d-48b0-a8fc-9784f3d54f3c_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/28f6f34b-8e16-487a-b5fd-9d22eb903db8.json 
delete mode 100644 packages/security_detection_engine/kibana/security_rule/28f6f34b-8e16-487a-b5fd-9d22eb903db8_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/28f6f34b-8e16-487a-b5fd-9d22eb903db8_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/28f6f34b-8e16-487a-b5fd-9d22eb903db8_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/28f6f34b-8e16-487a-b5fd-9d22eb903db8_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_108.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_114.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_314.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_111.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_212.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_313.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_314.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_415.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_210.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_211.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_312.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_313.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_314.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/29b53942-7cd4-11ee-b70e-f661ea17fbcd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/29b53942-7cd4-11ee-b70e-f661ea17fbcd_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/29b53942-7cd4-11ee-b70e-f661ea17fbcd_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/29b53942-7cd4-11ee-b70e-f661ea17fbcd_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/29b53942-7cd4-11ee-b70e-f661ea17fbcd_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/29ef5686-9b93-433e-91b5-683911094698.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/29f0cf93-d17c-4b12-b4f3-a433800539fa.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/29f0cf93-d17c-4b12-b4f3-a433800539fa_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/29f0cf93-d17c-4b12-b4f3-a433800539fa_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/29f0cf93-d17c-4b12-b4f3-a433800539fa_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_5.json 
delete mode 100644 packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_201.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_202.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_203.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_106.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_212.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_313.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_314.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_110.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_312.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2c6a6acf-0dcb-404d-89fb-6b0327294cfa_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2c6a6acf-0dcb-404d-89fb-6b0327294cfa_201.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2d62889e-e758-4c5e-b57e-c735914ee32a_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_104.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_204.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_210.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_211.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2ddc468e-b39b-4f5b-9825-f3dcb0e998ea.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/2ddc468e-b39b-4f5b-9825-f3dcb0e998ea_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2ddc468e-b39b-4f5b-9825-f3dcb0e998ea_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_8.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_110.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e311539-cd88-4a85-a301-04f38795007c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e311539-cd88-4a85-a301-04f38795007c_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e311539-cd88-4a85-a301-04f38795007c_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e311539-cd88-4a85-a301-04f38795007c_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e311539-cd88-4a85-a301-04f38795007c_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e56e1bc-867a-11ee-b13e-f661ea17fbcd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e56e1bc-867a-11ee-b13e-f661ea17fbcd_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e56e1bc-867a-11ee-b13e-f661ea17fbcd_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e56e1bc-867a-11ee-b13e-f661ea17fbcd_102.json create mode 100644 packages/security_detection_engine/kibana/security_rule/2e56e1bc-867a-11ee-b13e-f661ea17fbcd_203.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_103.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_110.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2f95540c-923e-4f57-9dae-de30169c68b9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2f95540c-923e-4f57-9dae-de30169c68b9_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_107.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_114.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/30b5bb96-c7db-492c-80e9-1eab00db580b.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/30b5bb96-c7db-492c-80e9-1eab00db580b_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/30e1e9f2-eb9c-439f-aff6-1e3068e99384.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/30e1e9f2-eb9c-439f-aff6-1e3068e99384_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/30e1e9f2-eb9c-439f-aff6-1e3068e99384_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/30fbf4db-c502-4e68-a239-2e99af0f70da.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/30fbf4db-c502-4e68-a239-2e99af0f70da_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/30fbf4db-c502-4e68-a239-2e99af0f70da_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_100.json 
delete mode 100644 packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_113.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_114.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_314.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32300431-c2d5-432d-8ec8-0e03f9924756.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32300431-c2d5-432d-8ec8-0e03f9924756_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32300431-c2d5-432d-8ec8-0e03f9924756_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/323cb487-279d-4218-bcbd-a568efe930c6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/323cb487-279d-4218-bcbd-a568efe930c6_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_100.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_103.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32d3ad0e-6add-11ef-8c7b-f661ea17fbcc_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_108.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_212.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_313.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_314.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_315.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_415.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/342f834b-21a6-41bf-878c-87d116eba3ee.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/345889c4-23a8-4bc0-b7ca-756bd17ce83b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/345889c4-23a8-4bc0-b7ca-756bd17ce83b_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/345889c4-23a8-4bc0-b7ca-756bd17ce83b_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_109.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_211.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_312.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/35a3b253-eea8-46f0-abd3-68bdd47e6e3d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/35a3b253-eea8-46f0-abd3-68bdd47e6e3d_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/35a3b253-eea8-46f0-abd3-68bdd47e6e3d_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/35a3b253-eea8-46f0-abd3-68bdd47e6e3d_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_110.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_313.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_102.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/36c48a0c-c63a-4cbc-aee1-8cac87db31a9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/36c48a0c-c63a-4cbc-aee1-8cac87db31a9_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/36c48a0c-c63a-4cbc-aee1-8cac87db31a9_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/36c48a0c-c63a-4cbc-aee1-8cac87db31a9_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_4.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_103.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_210.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_310.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_105.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_114.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_107.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/38e5acdd-5f20-4d99-8fe4-f0a1a592077f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/38e5acdd-5f20-4d99-8fe4-f0a1a592077f_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/39157d52-4035-44a8-9d1a-6f8c5f580a07.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/39157d52-4035-44a8-9d1a-6f8c5f580a07_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/39157d52-4035-44a8-9d1a-6f8c5f580a07_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/393ef120-63d1-11ef-8e38-f661ea17fbce_1.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/393ef120-63d1-11ef-8e38-f661ea17fbce_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/39c06367-b700-4380-848a-cab06e7afede.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/39c06367-b700-4380-848a-cab06e7afede_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/39c06367-b700-4380-848a-cab06e7afede_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_107.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3a657da0-1df2-11ef-a327-f661ea17fbcc.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3a657da0-1df2-11ef-a327-f661ea17fbcc_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3a657da0-1df2-11ef-a327-f661ea17fbcc_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3af4cb9b-973f-4c54-be2b-7623c0e21b2b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3af4cb9b-973f-4c54-be2b-7623c0e21b2b_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/3af4cb9b-973f-4c54-be2b-7623c0e21b2b_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3b382770-efbb-44f4-beed-f5e0a051b895.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3b382770-efbb-44f4-beed-f5e0a051b895_100.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3b382770-efbb-44f4-beed-f5e0a051b895_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3b382770-efbb-44f4-beed-f5e0a051b895_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_104.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_211.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_312.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_313.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_109.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_114.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_314.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3d00feab-e203-4acc-a463-c3e15b7e9a73.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3d00feab-e203-4acc-a463-c3e15b7e9a73_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3d00feab-e203-4acc-a463-c3e15b7e9a73_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3d00feab-e203-4acc-a463-c3e15b7e9a73_202.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_1.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e0561b5-3fac-4461-84cc-19163b9aaa61.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e0561b5-3fac-4461-84cc-19163b9aaa61_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e0561b5-3fac-4461-84cc-19163b9aaa61_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e0561b5-3fac-4461-84cc-19163b9aaa61_3.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_105.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e441bdb-596c-44fd-8628-2cfdf4516ada.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e441bdb-596c-44fd-8628-2cfdf4516ada_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3e441bdb-596c-44fd-8628-2cfdf4516ada_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3f0e5410-a4bf-4e8c-bcfc-79d67a285c54.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3f0e5410-a4bf-4e8c-bcfc-79d67a285c54_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_1.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3f4d7734-2151-4481-b394-09d7c6c91f75.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3f4d7734-2151-4481-b394-09d7c6c91f75_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3f4d7734-2151-4481-b394-09d7c6c91f75_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3f4e2dba-828a-452a-af35-fe29c5e78969.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3f4e2dba-828a-452a-af35-fe29c5e78969_1.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/3f4e2dba-828a-452a-af35-fe29c5e78969_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3f4e2dba-828a-452a-af35-fe29c5e78969_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3fe4e20c-a600-4a86-9d98-3ecb1ef23550.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3fe4e20c-a600-4a86-9d98-3ecb1ef23550_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/3fe4e20c-a600-4a86-9d98-3ecb1ef23550_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4030c951-448a-4017-a2da-ed60f6d14f4f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4030c951-448a-4017-a2da-ed60f6d14f4f_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4030c951-448a-4017-a2da-ed60f6d14f4f_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_102.json 
delete mode 100644 packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/41284ba3-ed1a-4598-bfba-a97f75d9aba2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/41284ba3-ed1a-4598-bfba-a97f75d9aba2_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/41284ba3-ed1a-4598-bfba-a97f75d9aba2_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_312.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/41761cd3-380f-4d4d-89f3-46d6853ee35d.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/41761cd3-380f-4d4d-89f3-46d6853ee35d_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/41761cd3-380f-4d4d-89f3-46d6853ee35d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4182e486-fc61-11ee-a05d-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4182e486-fc61-11ee-a05d-f661ea17fbce_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/41f7da9e-4e9f-4a81-9b58-40d725d83bc0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/420e5bb4-93bf-40a3-8f4a-4cc1af90eca1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/420e5bb4-93bf-40a3-8f4a-4cc1af90eca1_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_211.json create mode 100644 packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_10.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_8.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_105.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4494c14f-5ff8-4ed2-8e99-bf816a1642fc.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4494c14f-5ff8-4ed2-8e99-bf816a1642fc_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4494c14f-5ff8-4ed2-8e99-bf816a1642fc_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4494c14f-5ff8-4ed2-8e99-bf816a1642fc_3.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_10.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_11.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/453183fa-f903-11ee-8e88-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/453183fa-f903-11ee-8e88-f661ea17fbce_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b_100.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4577ef08-61d1-4458-909f-25a4b10c87fe.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4577ef08-61d1-4458-909f-25a4b10c87fe_1.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_112.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_213.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_313.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_104.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_310.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_10.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_11.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_12.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/475b42f0-61fb-4ef0-8a85-597458bfb0a1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/475b42f0-61fb-4ef0-8a85-597458bfb0a1_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/476267ff-e44f-476e-99c1-04c78cb3769d_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_108.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_108.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_310.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_6.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_10.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_106.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48f657ee-de4f-477c-aa99-ed88ee7af97a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48f657ee-de4f-477c-aa99-ed88ee7af97a_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/48f657ee-de4f-477c-aa99-ed88ee7af97a_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_100.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_4.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_102.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4aa58ac6-4dc0-4d18-b713-f58bf8bd015c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4aa58ac6-4dc0-4d18-b713-f58bf8bd015c_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_108.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4b4e9c99-27ea-4621-95c8-82341bc6e512.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4b4e9c99-27ea-4621-95c8-82341bc6e512_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4b4e9c99-27ea-4621-95c8-82341bc6e512_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4b4e9c99-27ea-4621-95c8-82341bc6e512_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4b95ecea-7225-4690-9938-2a2c0bad9c99.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4b95ecea-7225-4690-9938-2a2c0bad9c99_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4b95ecea-7225-4690-9938-2a2c0bad9c99_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4b95ecea-7225-4690-9938-2a2c0bad9c99_3.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_309.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_10.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_9.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_103.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_313.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_10.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_11.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461.json 
delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_312.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_106.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_209.json create mode 100644 packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_309.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4f855297-c8e0-4097-9d97-d653f7e471c4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4f855297-c8e0-4097-9d97-d653f7e471c4_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4f855297-c8e0-4097-9d97-d653f7e471c4_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4f855297-c8e0-4097-9d97-d653f7e471c4_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_312.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd_3.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5124e65f-df97-4471-8dcb-8e3953b3ea97.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5124e65f-df97-4471-8dcb-8e3953b3ea97_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5124e65f-df97-4471-8dcb-8e3953b3ea97_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_104.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_310.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_312.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5188c68e-d3de-4e96-994d-9e242269446f.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/5188c68e-d3de-4e96-994d-9e242269446f_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5188c68e-d3de-4e96-994d-9e242269446f_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5188c68e-d3de-4e96-994d-9e242269446f_203.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/51a09737-80f7-4551-a3be-dac8ef5d181a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/51a09737-80f7-4551-a3be-dac8ef5d181a_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_3.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_109.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5297b7f1-bccd-4611-93fa-ea342a01ff84.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_102.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_10.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_102.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_107.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_312.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_104.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_210.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_7.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_212.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_105.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/55f07d1b-25bc-4a0f-aa0c-05323c1319d0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/55f07d1b-25bc-4a0f-aa0c-05323c1319d0_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5610b192-7f18-11ee-825b-f661ea17fbcd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5610b192-7f18-11ee-825b-f661ea17fbcd_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/5610b192-7f18-11ee-825b-f661ea17fbcd_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5610b192-7f18-11ee-825b-f661ea17fbcd_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5610b192-7f18-11ee-825b-f661ea17fbcd_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_105.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_210.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_211.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_212.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e_100.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/573f6e7a-7acf-4bcd-ad42-c4969124d3c0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/573f6e7a-7acf-4bcd-ad42-c4969124d3c0_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_109.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/57bfa0a9-37c0-44d6-b724-54bf16787492.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/57bfa0a9-37c0-44d6-b724-54bf16787492_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/57bfa0a9-37c0-44d6-b724-54bf16787492_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/57bfa0a9-37c0-44d6-b724-54bf16787492_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_108.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_313.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_112.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_100.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_108.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5919988c-29e1-4908-83aa-1f087a838f63.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5919988c-29e1-4908-83aa-1f087a838f63_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5919988c-29e1-4908-83aa-1f087a838f63_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_3.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5ae02ebc-a5de-4eac-afe6-c88de696477d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5ae02ebc-a5de-4eac-afe6-c88de696477d_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_106.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_105.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_214.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c351f54-4187-4ad8-abc8-29b0cfbef8b1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c351f54-4187-4ad8-abc8-29b0cfbef8b1_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c602cba-ae00-4488-845d-24de2b6d8055.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c602cba-ae00-4488-845d-24de2b6d8055_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c602cba-ae00-4488-845d-24de2b6d8055_2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_10.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_11.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_12.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c81fc9d-1eae-437f-ba07-268472967013.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_111.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_102.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5d676480-9655-4507-adc6-4eec311efff8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5d676480-9655-4507-adc6-4eec311efff8_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5d676480-9655-4507-adc6-4eec311efff8_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5d676480-9655-4507-adc6-4eec311efff8_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_105.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5f0234fd-7f21-42af-8391-511d5fd11d5c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5f0234fd-7f21-42af-8391-511d5fd11d5c_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5f0234fd-7f21-42af-8391-511d5fd11d5c_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5f0234fd-7f21-42af-8391-511d5fd11d5c_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5f2f463e-6997-478c-8405-fb41cc283281.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5f2f463e-6997-478c-8405-fb41cc283281_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5f2f463e-6997-478c-8405-fb41cc283281_2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/5f2f463e-6997-478c-8405-fb41cc283281_202.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/5f3ab3ce-7b41-4168-a06a-68d2af8ebc88.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_107.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61336fe6-c043-4743-ab6e-41292f439603.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61336fe6-c043-4743-ab6e-41292f439603_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/61336fe6-c043-4743-ab6e-41292f439603_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_111.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_213.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_214.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_215.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/621e92b6-7e54-11ee-bdc0-f661ea17fbcd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/621e92b6-7e54-11ee-bdc0-f661ea17fbcd_1.json create mode 100644 
packages/security_detection_engine/kibana/security_rule/621e92b6-7e54-11ee-bdc0-f661ea17fbcd_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/621e92b6-7e54-11ee-bdc0-f661ea17fbcd_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/621e92b6-7e54-11ee-bdc0-f661ea17fbcd_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/621e92b6-7e54-11ee-bdc0-f661ea17fbcd_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_109.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/63431796-f813-43af-820b-492ee2efec8e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/63431796-f813-43af-820b-492ee2efec8e_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/63431796-f813-43af-820b-492ee2efec8e_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_3.json 
delete mode 100644 packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/63e381a6-0ffe-4afb-9a26-72a59ad16d7b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/63e381a6-0ffe-4afb-9a26-72a59ad16d7b_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/640f79d1-571d-4f96-a9af-1194fc8cf763.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/640f79d1-571d-4f96-a9af-1194fc8cf763_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_102.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/65432f4a-e716-4cc1-ab11-931c4966da2d_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_201.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_202.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6649e656-6f85-11ef-8876-f661ea17fbcc_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6649e656-6f85-11ef-8876-f661ea17fbcc_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6649e656-6f85-11ef-8876-f661ea17fbcc_2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/6649e656-6f85-11ef-8876-f661ea17fbcc_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_114.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_115.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66c058f3-99f4-4d18-952b-43348f2577a0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66c058f3-99f4-4d18-952b-43348f2577a0_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66c058f3-99f4-4d18-952b-43348f2577a0_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_10.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_11.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_12.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_9.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_209.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_309.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_102.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_209.json create mode 100644 packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_309.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_102.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_208.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_308.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_111.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_204.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_106.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68ad737b-f90a-4fe5-bda6-a68fa460044e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68ad737b-f90a-4fe5-bda6-a68fa460044e_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68ad737b-f90a-4fe5-bda6-a68fa460044e_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68c5c9d1-38e5-48bb-b1b2-8b5951d39738.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_105.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/69c116bb-d86f-48b0-857d-3648511a6cac.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/69c116bb-d86f-48b0-857d-3648511a6cac_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_109.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_310.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6a309864-fc3f-11ee-b8cc-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6a309864-fc3f-11ee-b8cc-f661ea17fbce_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_108.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_212.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_313.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_314.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_315.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_316.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_416.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_105.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6c6bb7ea-0636-44ca-b541-201478ef6b50.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6c6bb7ea-0636-44ca-b541-201478ef6b50_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6cea88e4-6ce2-4238-9981-a54c140d6336.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6cea88e4-6ce2-4238-9981-a54c140d6336_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6cea88e4-6ce2-4238-9981-a54c140d6336_103.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ded0996-7d4b-40f2-bf4a-6913e7591795_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_105.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_105.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6f024bde-7085-489b-8250-5957efdf1caf.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6f024bde-7085-489b-8250-5957efdf1caf_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6f024bde-7085-489b-8250-5957efdf1caf_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_203.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_204.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/708c9d92-22a3-4fe0-b6b9-1f861c55502d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/708c9d92-22a3-4fe0-b6b9-1f861c55502d_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/708c9d92-22a3-4fe0-b6b9-1f861c55502d_2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_4.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_112.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_114.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_115.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/71d6a53d-abbd-40df-afee-c21fff6aafb0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/71d6a53d-abbd-40df-afee-c21fff6aafb0_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/71d6a53d-abbd-40df-afee-c21fff6aafb0_2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/71de53ea-ff3b-11ee-b572-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/71de53ea-ff3b-11ee-b572-f661ea17fbce_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/725a048a-88c5-4fc7-8677-a44fc0031822_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/725a048a-88c5-4fc7-8677-a44fc0031822_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_207.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_209.json create mode 100644 packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_309.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/72ed9140-fe9d-4a34-a026-75b50e484b17.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/72ed9140-fe9d-4a34-a026-75b50e484b17_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/730ed57d-ae0f-444f-af50-78708b57edd5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/730ed57d-ae0f-444f-af50-78708b57edd5_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/730ed57d-ae0f-444f-af50-78708b57edd5_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/730ed57d-ae0f-444f-af50-78708b57edd5_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7318affb-bfe8-4d50-a425-f617833be160.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7318affb-bfe8-4d50-a425-f617833be160_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_108.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_102.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/75dcb176-a575-4e33-a020-4a52aaa1b593.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/75dcb176-a575-4e33-a020-4a52aaa1b593_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/75dcb176-a575-4e33-a020-4a52aaa1b593_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/75ee75d8-c180-481c-ba88-ee50129a6aef.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/75ee75d8-c180-481c-ba88-ee50129a6aef_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_201.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_202.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_203.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_10.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_11.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_12.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_8.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_1.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_211.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_312.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_313.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_314.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_414.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_415.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_113.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_313.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/774f5e28-7b75-4a58-b94e-41bf060fdd86.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/774f5e28-7b75-4a58-b94e-41bf060fdd86_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7787362c-90ff-4b1a-b313-8808b1020e64.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7787362c-90ff-4b1a-b313-8808b1020e64_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7787362c-90ff-4b1a-b313-8808b1020e64_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7787362c-90ff-4b1a-b313-8808b1020e64_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_4.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/78390eb5-c838-4c1d-8240-69dd7397cfb7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/78390eb5-c838-4c1d-8240-69dd7397cfb7_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_203.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_204.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_107.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_203.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_204.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_305.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_306.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/78e9b5d5-7c07-40a7-a591-3dbbf464c386.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/78e9b5d5-7c07-40a7-a591-3dbbf464c386_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/78e9b5d5-7c07-40a7-a591-3dbbf464c386_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_4.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_209.json 
delete mode 100644 packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_111.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7afc6cc9-8800-4c7f-be6b-b688d2dea248.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7afc6cc9-8800-4c7f-be6b-b688d2dea248_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7afc6cc9-8800-4c7f-be6b-b688d2dea248_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7afc6cc9-8800-4c7f-be6b-b688d2dea248_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_104.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_208.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7c2e1297-7664-42bc-af11-6d5d35220b6b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7c2e1297-7664-42bc-af11-6d5d35220b6b_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7c2e1297-7664-42bc-af11-6d5d35220b6b_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7c2e1297-7664-42bc-af11-6d5d35220b6b_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7ce5e1c7-6a49-45e6-a101-0720d185667f.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/7ce5e1c7-6a49-45e6-a101-0720d185667f_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7d091a76-0737-11ef-8469-f661ea17fbcc.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7d091a76-0737-11ef-8469-f661ea17fbcc_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7df3cb8b-5c0c-4228-b772-bb6cd619053c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7df3cb8b-5c0c-4228-b772-bb6cd619053c_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7df3cb8b-5c0c-4228-b772-bb6cd619053c_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7dfaaa17-425c-4fe7-bd36-83705fde7c2b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7dfaaa17-425c-4fe7-bd36-83705fde7c2b_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7e23dfef-da2c-4d64-b11d-5f285b638853.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7e23dfef-da2c-4d64-b11d-5f285b638853_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7e23dfef-da2c-4d64-b11d-5f285b638853_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7e23dfef-da2c-4d64-b11d-5f285b638853_204.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7e23dfef-da2c-4d64-b11d-5f285b638853_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7e23dfef-da2c-4d64-b11d-5f285b638853_305.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/7e23dfef-da2c-4d64-b11d-5f285b638853_306.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7f89afef-9fc5-4e7b-bf16-75ffdf27f8db.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7f89afef-9fc5-4e7b-bf16-75ffdf27f8db_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7f89afef-9fc5-4e7b-bf16-75ffdf27f8db_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_10.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_11.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_12.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_13.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_14.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7fda9bb2-fd28-11ee-85f9-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7fda9bb2-fd28-11ee-85f9-f661ea17fbce_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/7fda9bb2-fd28-11ee-85f9-f661ea17fbce_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_1.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/800e01be-a7a4-46d0-8de9-69f3c9582b44.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/800e01be-a7a4-46d0-8de9-69f3c9582b44_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/800e01be-a7a4-46d0-8de9-69f3c9582b44_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/800e01be-a7a4-46d0-8de9-69f3c9582b44_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8025db49-c57c-4fc0-bd86-7ccd6d10a35a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8025db49-c57c-4fc0-bd86-7ccd6d10a35a_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8025db49-c57c-4fc0-bd86-7ccd6d10a35a_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/804a7ac8-fc00-11ee-924b-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/808291d3-e918-4a3a-86cd-73052a0c9bdc.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/808291d3-e918-4a3a-86cd-73052a0c9bdc_1.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/808291d3-e918-4a3a-86cd-73052a0c9bdc_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/808291d3-e918-4a3a-86cd-73052a0c9bdc_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1_100.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/814d96c7-2068-42aa-ba8e-fe0ddd565e2e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/814d96c7-2068-42aa-ba8e-fe0ddd565e2e_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/814d96c7-2068-42aa-ba8e-fe0ddd565e2e_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/814d96c7-2068-42aa-ba8e-fe0ddd565e2e_3.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_111.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_211.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_212.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_213.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_107.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/83a1931d-8136-46fc-b7b9-2db4f639e014.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/83a1931d-8136-46fc-b7b9-2db4f639e014_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/83bf249e-4348-47ba-9741-1202a09556ad_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/83bf249e-4348-47ba-9741-1202a09556ad_201.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_4.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8446517c-f789-11ee-8ad0-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8446517c-f789-11ee-8ad0-f661ea17fbce_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/84755a05-78c8-4430-8681-89cd6c857d71.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/84755a05-78c8-4430-8681-89cd6c857d71_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/84d1f8db-207f-45ab-a578-921d91c23eb2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/84d1f8db-207f-45ab-a578-921d91c23eb2_1.json 
delete mode 100644 packages/security_detection_engine/kibana/security_rule/84d1f8db-207f-45ab-a578-921d91c23eb2_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_213.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_107.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_210.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_104.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_106.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_214.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/873b5452-074e-11ef-852e-f661ea17fbcc.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_102.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_105.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/894326d2-56c0-4342-b553-4abfaf421b5b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/894326d2-56c0-4342-b553-4abfaf421b5b_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/894326d2-56c0-4342-b553-4abfaf421b5b_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/894326d2-56c0-4342-b553-4abfaf421b5b_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_3.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a0fd93a-7df8-410d-8808-4cc5e340f2b9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a0fd93a-7df8-410d-8808-4cc5e340f2b9_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8a0fd93a-7df8-410d-8808-4cc5e340f2b9_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_103.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_207.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_209.json create mode 100644 packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_309.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_103.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_310.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8b64d36a-1307-4b2e-a77b-a0027e4d27c8.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/8b64d36a-1307-4b2e-a77b-a0027e4d27c8_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_100.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_311.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_312.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8cb4f625-7743-4dfb-ae1b-ad92be9df7bd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8cb4f625-7743-4dfb-ae1b-ad92be9df7bd_100.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8cb4f625-7743-4dfb-ae1b-ad92be9df7bd_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8cb4f625-7743-4dfb-ae1b-ad92be9df7bd_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_10.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_6.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8d366588-cbd6-43ba-95b4-0971c3f906e5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8d366588-cbd6-43ba-95b4-0971c3f906e5_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8d366588-cbd6-43ba-95b4-0971c3f906e5_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8d3d0794-c776-476b-8674-ee2e685f6470.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8d3d0794-c776-476b-8674-ee2e685f6470_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_107.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/8ddab73b-3d15-4e5d-9413-47f05553c1d7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8ddab73b-3d15-4e5d-9413-47f05553c1d7_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8e2485b6-a74f-411b-bf7f-38b819f3a846.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8e2485b6-a74f-411b-bf7f-38b819f3a846_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8e2485b6-a74f-411b-bf7f-38b819f3a846_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8e2485b6-a74f-411b-bf7f-38b819f3a846_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8e2485b6-a74f-411b-bf7f-38b819f3a846_204.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8e39f54e-910b-4adb-a87e-494fbba5fb65.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8e39f54e-910b-4adb-a87e-494fbba5fb65_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8e39f54e-910b-4adb-a87e-494fbba5fb65_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8e39f54e-910b-4adb-a87e-494fbba5fb65_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8eec4df1-4b4b-4502-b6c3-c788714604c9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8eec4df1-4b4b-4502-b6c3-c788714604c9_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8eec4df1-4b4b-4502-b6c3-c788714604c9_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8eec4df1-4b4b-4502-b6c3-c788714604c9_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8eec4df1-4b4b-4502-b6c3-c788714604c9_4.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/8f242ffb-b191-4803-90ec-0f19942e17fd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8f242ffb-b191-4803-90ec-0f19942e17fd_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8f242ffb-b191-4803-90ec-0f19942e17fd_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8f242ffb-b191-4803-90ec-0f19942e17fd_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_106.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_102.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/90babaa8-5216-4568-992d-d4a01a105d98.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/90babaa8-5216-4568-992d-d4a01a105d98_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/90babaa8-5216-4568-992d-d4a01a105d98_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/90babaa8-5216-4568-992d-d4a01a105d98_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_205.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/929223b4-fba3-4a1c-a943-ec4716ad23ec.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_109.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/92d3a04e-6487-4b62-892d-70e640a590dc.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/92d3a04e-6487-4b62-892d-70e640a590dc_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/92d3a04e-6487-4b62-892d-70e640a590dc_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/92d3a04e-6487-4b62-892d-70e640a590dc_3.json 
delete mode 100644 packages/security_detection_engine/kibana/security_rule/92d3a04e-6487-4b62-892d-70e640a590dc_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_203.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_204.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_105.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_309.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_310.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_203.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_204.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/94418745-529f-4259-8d25-a713a6feb6ae.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/94418745-529f-4259-8d25-a713a6feb6ae_1.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/94418745-529f-4259-8d25-a713a6feb6ae_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/94418745-529f-4259-8d25-a713a6feb6ae_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/947827c6-9ed6-4dec-903e-c856c86e72f3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/947827c6-9ed6-4dec-903e-c856c86e72f3_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/947827c6-9ed6-4dec-903e-c856c86e72f3_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/94e734c0-2cda-11ef-84e1-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/94e734c0-2cda-11ef-84e1-f661ea17fbce_1.json 
create mode 100644 packages/security_detection_engine/kibana/security_rule/94e734c0-2cda-11ef-84e1-f661ea17fbce_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/94e734c0-2cda-11ef-84e1-f661ea17fbce_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/951779c2-82ad-4a6c-82b8-296c1f691449.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/951779c2-82ad-4a6c-82b8-296c1f691449_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/951779c2-82ad-4a6c-82b8-296c1f691449_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/951779c2-82ad-4a6c-82b8-296c1f691449_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_108.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/95b99adc-2cda-11ef-84e1-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/95b99adc-2cda-11ef-84e1-f661ea17fbce_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/95b99adc-2cda-11ef-84e1-f661ea17fbce_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/95b99adc-2cda-11ef-84e1-f661ea17fbce_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/962a71ae-aac9-11ef-9348-f661ea17fbce_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9661ed8b-001c-40dc-a777-0983b7b0c91a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9661ed8b-001c-40dc-a777-0983b7b0c91a_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_208.json create mode 100644 
packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_308.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_10.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_11.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_103.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_105.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97697a52-4a76-4f0a-aa4f-25c178aae6eb.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_207.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_210.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_212.json create mode 100644 packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_312.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_211.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_312.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_313.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_314.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_414.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_415.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_109.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9822c5a1-1494-42de-b197-487197bb540c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9822c5a1-1494-42de-b197-487197bb540c_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/986361cd-3dac-47fe-afa1-5c5dd89f2fb4_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/98843d35-645e-4e66-9d6a-5049acd96ce1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/98843d35-645e-4e66-9d6a-5049acd96ce1_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/98843d35-645e-4e66-9d6a-5049acd96ce1_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/98843d35-645e-4e66-9d6a-5049acd96ce1_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638_103.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e_100.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_102.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_103.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_210.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/999565a2-fc52-4d72-91e4-ba6712c0377e_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9a1a2dae-0b5f-4c3d-8305-a268d404c306.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9a1a2dae-0b5f-4c3d-8305-a268d404c306_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9a1a2dae-0b5f-4c3d-8305-a268d404c306_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9a3884d0-282d-45ea-86ce-b9c81100f026.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/9a3884d0-282d-45ea-86ce-b9c81100f026_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9a3884d0-282d-45ea-86ce-b9c81100f026_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_107.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9aa4be8d-5828-417d-9f54-7cd304571b24.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9aa4be8d-5828-417d-9f54-7cd304571b24_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9aa4be8d-5828-417d-9f54-7cd304571b24_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9aa4be8d-5828-417d-9f54-7cd304571b24_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9b343b62-d173-4cfd-bd8b-e6379f964ca4.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/9b343b62-d173-4cfd-bd8b-e6379f964ca4_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/9b343b62-d173-4cfd-bd8b-e6379f964ca4_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9b343b62-d173-4cfd-bd8b-e6379f964ca4_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9b343b62-d173-4cfd-bd8b-e6379f964ca4_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_312.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9b80cb26-9966-44b5-abbf-764fbdbc3586.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/9b80cb26-9966-44b5-abbf-764fbdbc3586_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9b80cb26-9966-44b5-abbf-764fbdbc3586_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9b80cb26-9966-44b5-abbf-764fbdbc3586_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_7.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9c951837-7d13-4b0c-be7a-f346623c8795.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9c951837-7d13-4b0c-be7a-f346623c8795_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_105.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_210.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_311.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_108.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_210.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_211.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_212.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_213.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_103.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9efb3f79-b77b-466a-9fa0-3645d22d1e7f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9efb3f79-b77b-466a-9fa0-3645d22d1e7f_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_112.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_114.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_115.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_210.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_205.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_308.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_309.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_310.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a0ddb77b-0318-41f0-91e4-8c1b5528834f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a0ddb77b-0318-41f0-91e4-8c1b5528834f_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a0ddb77b-0318-41f0-91e4-8c1b5528834f_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_103.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a198fbbd-9413-45ec-a269-47ae4ccf59ce.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/a198fbbd-9413-45ec-a269-47ae4ccf59ce_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a198fbbd-9413-45ec-a269-47ae4ccf59ce_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a44bcb58-5109-4870-a7c6-11f5fe7dd4b1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a44bcb58-5109-4870-a7c6-11f5fe7dd4b1_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a52a9439-d52c-401c-be37-2785235c6547.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a52a9439-d52c-401c-be37-2785235c6547_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a577e524-c2ee-47bd-9c5b-e917d01d3276.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a577e524-c2ee-47bd-9c5b-e917d01d3276_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_6.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_105.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_313.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a6788d4b-b241-4bf0-8986-a3b4315c5b70.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_106.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/a74c60cb-70ee-4629-a127-608ead14ebf1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a74c60cb-70ee-4629-a127-608ead14ebf1_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a74c60cb-70ee-4629-a127-608ead14ebf1_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a74c60cb-70ee-4629-a127-608ead14ebf1_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_104.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a80d96cd-1164-41b3-9852-ef58724be496.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a80d96cd-1164-41b3-9852-ef58724be496_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a83b3dac-325a-11ef-b3e6-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a8aaa49d-9834-462d-bf8f-b1255cebc004.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd_1.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a8d35ca0-ad8d-48a9-9f6c-553622dca61a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a8d35ca0-ad8d-48a9-9f6c-553622dca61a_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a8d35ca0-ad8d-48a9-9f6c-553622dca61a_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a8d35ca0-ad8d-48a9-9f6c-553622dca61a_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_203.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_204.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_110.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aaab30ec-b004-4191-95e1-4a14387ef6a6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aaab30ec-b004-4191-95e1-4a14387ef6a6_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_105.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ab8f074c-5565-4bc4-991c-d49770e19fc9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ab8f074c-5565-4bc4-991c-d49770e19fc9_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_105.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_213.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_314.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac531fcc-1d3b-476d-bbb5-1357728c9a37.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac531fcc-1d3b-476d-bbb5-1357728c9a37_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac531fcc-1d3b-476d-bbb5-1357728c9a37_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac5a2759-5c34-440a-b0c4-51fe674611d6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac5a2759-5c34-440a-b0c4-51fe674611d6_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac6bc744-e82b-41ad-b58d-90654fa4ebfb_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_203.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_204.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_102.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_107.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_308.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_309.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_203.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_204.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad5a3757-c872-4719-8c72-12d3f08db655_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad959eeb-2b7b-4722-ba08-a45f6622f005.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad959eeb-2b7b-4722-ba08-a45f6622f005_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad959eeb-2b7b-4722-ba08-a45f6622f005_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ad959eeb-2b7b-4722-ba08-a45f6622f005_3.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ae343298-97bc-47bc-9ea2-5f2ad831c16e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ae343298-97bc-47bc-9ea2-5f2ad831c16e_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ae343298-97bc-47bc-9ea2-5f2ad831c16e_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ae343298-97bc-47bc-9ea2-5f2ad831c16e_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ae343298-97bc-47bc-9ea2-5f2ad831c16e_4.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47_1.json 
delete mode 100644 packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b0638186-4f12-48ac-83d2-47e686d08e82.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/b0638186-4f12-48ac-83d2-47e686d08e82_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b0638186-4f12-48ac-83d2-47e686d08e82_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b1773d05-f349-45fb-9850-287b8f92f02d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b1773d05-f349-45fb-9850-287b8f92f02d_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b1773d05-f349-45fb-9850-287b8f92f02d_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_102.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b36c99af-b944-4509-a523-7e0fad275be1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b36c99af-b944-4509-a523-7e0fad275be1_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_106.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_8.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b483365c-98a8-40c0-92d8-0458ca25058a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b483365c-98a8-40c0-92d8-0458ca25058a_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b483365c-98a8-40c0-92d8-0458ca25058a_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b483365c-98a8-40c0-92d8-0458ca25058a_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b483365c-98a8-40c0-92d8-0458ca25058a_4.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_209.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_309.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_104.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_312.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_110.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_312.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b605f262-f7dc-41b5-9ebc-06bafe7a83b6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b605f262-f7dc-41b5-9ebc-06bafe7a83b6_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b605f262-f7dc-41b5-9ebc-06bafe7a83b6_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_105.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b661f86d-1c23-4ce7-a59e-2edbdba28247.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b661f86d-1c23-4ce7-a59e-2edbdba28247_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b661f86d-1c23-4ce7-a59e-2edbdba28247_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b661f86d-1c23-4ce7-a59e-2edbdba28247_202.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b66b7e2b-d50a-49b9-a6fc-3a383baedc6b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b66b7e2b-d50a-49b9-a6fc-3a383baedc6b_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b66b7e2b-d50a-49b9-a6fc-3a383baedc6b_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b6dce542-2b75-4ffb-b7d6-38787298ba9d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b6dce542-2b75-4ffb-b7d6-38787298ba9d_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_102.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_209.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_309.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b7c05aaf-78c2-4558-b069-87fa25973489.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b7c05aaf-78c2-4558-b069-87fa25973489_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b7c05aaf-78c2-4558-b069-87fa25973489_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_206.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_208.json create mode 100644 packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_308.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b81bd314-db5b-4d97-82e8-88e3e5fc9de5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b81bd314-db5b-4d97-82e8-88e3e5fc9de5_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b81bd314-db5b-4d97-82e8-88e3e5fc9de5_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_105.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_310.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_411.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_106.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_310.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_109.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b92d5eae-70bb-4b66-be27-f98ba9d0ccdc.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b92d5eae-70bb-4b66-be27-f98ba9d0ccdc_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_109.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_104.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ba81c182-4287-489d-af4d-8ae834b06040.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ba81c182-4287-489d-af4d-8ae834b06040_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ba81c182-4287-489d-af4d-8ae834b06040_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bb4fe8d2-7ae2-475c-8b5d-55b449e4264f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bb4fe8d2-7ae2-475c-8b5d-55b449e4264f_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_6.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bc0fc359-68db-421e-a435-348ced7a7f92.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bc0fc359-68db-421e-a435-348ced7a7f92_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bc48bba7-4a23-4232-b551-eca3ca1e3f20.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bc48bba7-4a23-4232-b551-eca3ca1e3f20_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bc9e4f5a-e263-4213-a2ac-1edf9b417ada.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bc9e4f5a-e263-4213-a2ac-1edf9b417ada_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_114.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bd3d058d-5405-4cee-b890-337f09366ba2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/bd3d058d-5405-4cee-b890-337f09366ba2_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bd3d058d-5405-4cee-b890-337f09366ba2_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bd3d058d-5405-4cee-b890-337f09366ba2_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bd3d058d-5405-4cee-b890-337f09366ba2_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_3.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bdfaddc4-4438-48b4-bc43-9f5cf8151c46_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bdfaddc4-4438-48b4-bc43-9f5cf8151c46_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_1.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/be4c5aed-90f5-4221-8bd5-7ab3a4334751.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/be4c5aed-90f5-4221-8bd5-7ab3a4334751_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/be4c5aed-90f5-4221-8bd5-7ab3a4334751_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/be4c5aed-90f5-4221-8bd5-7ab3a4334751_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_109.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_310.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bf8c007c-7dee-4842-8e9a-ee534c09d205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bf8c007c-7dee-4842-8e9a-ee534c09d205_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bf8c007c-7dee-4842-8e9a-ee534c09d205_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bfba5158-1fd6-4937-a205-77d96213b341.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bfba5158-1fd6-4937-a205-77d96213b341_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bfba5158-1fd6-4937-a205-77d96213b341_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bfba5158-1fd6-4937-a205-77d96213b341_3.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_106.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c0b9dc99-c696-4779-b086-0d37dc2b3778.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c0b9dc99-c696-4779-b086-0d37dc2b3778_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f_100.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c124dc1b-cef2-4d01-8d74-ff6b0d5096b6_1.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/c124dc1b-cef2-4d01-8d74-ff6b0d5096b6_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c1e79a70-fa6f-11ee-8bc8-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c1e79a70-fa6f-11ee-8bc8-f661ea17fbce_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c20cd758-07b1-46a1-b03f-fa66158258b8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c20cd758-07b1-46a1-b03f-fa66158258b8_1.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/c20cd758-07b1-46a1-b03f-fa66158258b8_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c24e9a43-f67e-431d-991b-09cdb83b3c0c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c24e9a43-f67e-431d-991b-09cdb83b3c0c_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c24e9a43-f67e-431d-991b-09cdb83b3c0c_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_101.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c296f888-eac6-4543-8da5-b6abb0d3304f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c296f888-eac6-4543-8da5-b6abb0d3304f_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_107.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3_100.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c371e9fc-6a10-11ef-a0ac-f661ea17fbcc_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c371e9fc-6a10-11ef-a0ac-f661ea17fbcc_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_309.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_310.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_104.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c4e9ed3e-55a2-4309-a012-bc3c78dad10a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c4e9ed3e-55a2-4309-a012-bc3c78dad10a_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c4e9ed3e-55a2-4309-a012-bc3c78dad10a_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c4e9ed3e-55a2-4309-a012-bc3c78dad10a_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096_2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_104.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_106.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5f81243-56e0-47f9-b5bb-55a5ed89ba57.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c5f81243-56e0-47f9-b5bb-55a5ed89ba57_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_110.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_313.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c6655282-6c79-11ef-bbb5-f661ea17fbcc_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_209.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_309.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_102.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_208.json create mode 100644 packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_308.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c75d0c86-38d6-4821-98a1-465cff8ff4c8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_201.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_202.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_203.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_102.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_100.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_109.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_111.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_312.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_100.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_4.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_210.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_211.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_212.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_213.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd_103.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd_204.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc653d77-ddd2-45b1-9197-c75ad19df66c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc653d77-ddd2-45b1-9197-c75ad19df66c_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc653d77-ddd2-45b1-9197-c75ad19df66c_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc653d77-ddd2-45b1-9197-c75ad19df66c_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_104.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_210.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_310.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_209.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_309.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd82e3d6-1346-4afd-8f22-38388bbf34cb.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd82e3d6-1346-4afd-8f22-38388bbf34cb_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd82e3d6-1346-4afd-8f22-38388bbf34cb_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_102.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_211.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_207.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_210.json create mode 100644 packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_310.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_10.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cdf1a39b-1ca5-4e2a-9739-17fc4d026029.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/cdf1a39b-1ca5-4e2a-9739-17fc4d026029_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ce08b55a-f67d-4804-92b5-617b0fe5a5b5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ce08b55a-f67d-4804-92b5-617b0fe5a5b5_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ce08b55a-f67d-4804-92b5-617b0fe5a5b5_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_310.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_102.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_203.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_204.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cf575427-0839-4c69-a9e6-99fde02606f3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cf575427-0839-4c69-a9e6-99fde02606f3_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cf6995ec-32a9-4b2d-9340-f8e61acf3f4e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cf6995ec-32a9-4b2d-9340-f8e61acf3f4e_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_109.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_114.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cffbaf47-9391-4e09-a83c-1f27d7474826.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/cffbaf47-9391-4e09-a83c-1f27d7474826_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d0b0f3ed-0b37-44bf-adee-e8cb7de92767.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_102.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_109.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_312.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d197478e-39f0-4347-a22f-ba654718b148.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d197478e-39f0-4347-a22f-ba654718b148_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d197478e-39f0-4347-a22f-ba654718b148_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d1e5e410-3e34-412e-9b1f-dd500b3b55cd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_103.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_107.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_114.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_314.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d3551433-782f-4e22-bbea-c816af2d41c6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d3551433-782f-4e22-bbea-c816af2d41c6_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d3551433-782f-4e22-bbea-c816af2d41c6_2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/d3551433-782f-4e22-bbea-c816af2d41c6_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d488f026-7907-4f56-ad51-742feb3db01c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_208.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_308.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/d49cc73f-7a16-4def-89ce-9fc7127d7820.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d49cc73f-7a16-4def-89ce-9fc7127d7820_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_5.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d55abdfb-5384-402b-add4-6c401501b0c3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d55abdfb-5384-402b-add4-6c401501b0c3_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d55abdfb-5384-402b-add4-6c401501b0c3_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_108.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_209.json create mode 100644 packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_309.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d6241c90-99f2-44db-b50f-299b6ebd7ee9.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/d6241c90-99f2-44db-b50f-299b6ebd7ee9_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_10.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_11.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_12.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_13.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_5.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_109.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_312.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_103.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d74d6506-427a-4790-b170-0c2a6ddac799.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d74d6506-427a-4790-b170-0c2a6ddac799_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d74d6506-427a-4790-b170-0c2a6ddac799_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_107.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_100.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d93e61db-82d6-4095-99aa-714988118064.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d93e61db-82d6-4095-99aa-714988118064_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d93e61db-82d6-4095-99aa-714988118064_2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/d93e61db-82d6-4095-99aa-714988118064_202.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_312.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/d9ffc3d6-9de9-4b29-9395-5757d0695ecf_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_10.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_11.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_10.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_4.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/db65f5ba-d1ef-4944-b9e8-7e51060c2b42.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/db65f5ba-d1ef-4944-b9e8-7e51060c2b42_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/db65f5ba-d1ef-4944-b9e8-7e51060c2b42_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/db65f5ba-d1ef-4944-b9e8-7e51060c2b42_3.json 
delete mode 100644 packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13_100.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_3.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dc61f382-dc0c-4cc0-a845-069f2a071704.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dc61f382-dc0c-4cc0-a845-069f2a071704_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_106.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_312.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dca6b4b0-ae70-44eb-bb7a-ce6db502ee78.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dca6b4b0-ae70-44eb-bb7a-ce6db502ee78_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dca6b4b0-ae70-44eb-bb7a-ce6db502ee78_2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/dca6b4b0-ae70-44eb-bb7a-ce6db502ee78_203.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dca6b4b0-ae70-44eb-bb7a-ce6db502ee78_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dd52d45a-4602-4195-9018-ebe0f219c273.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dd52d45a-4602-4195-9018-ebe0f219c273_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dd52d45a-4602-4195-9018-ebe0f219c273_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_103.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dde13d58-bc39-4aa0-87fd-b4bdbf4591da.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dde13d58-bc39-4aa0-87fd-b4bdbf4591da_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dde13d58-bc39-4aa0-87fd-b4bdbf4591da_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_108.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_103.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df26fd74-1baa-4479-b42e-48da84642330.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/df26fd74-1baa-4479-b42e-48da84642330_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_201.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_202.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_203.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df919b5e-a0f6-4fd8-8598-e3ce79299e3b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df919b5e-a0f6-4fd8-8598-e3ce79299e3b_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/df919b5e-a0f6-4fd8-8598-e3ce79299e3b_2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/dffbd37c-d4c5-46f8-9181-5afdd9172b4c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dffbd37c-d4c5-46f8-9181-5afdd9172b4c_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dffbd37c-d4c5-46f8-9181-5afdd9172b4c_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/dffbd37c-d4c5-46f8-9181-5afdd9172b4c_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e00b8d49-632f-4dc6-94a5-76153a481915.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e00b8d49-632f-4dc6-94a5-76153a481915_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e00b8d49-632f-4dc6-94a5-76153a481915_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e02bd3ea-72c6-4181-ac2b-0f83d17ad969.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e02bd3ea-72c6-4181-ac2b-0f83d17ad969_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_108.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_208.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_211.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e0f36de1-0342-453d-95a9-a068b257b053.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e0f36de1-0342-453d-95a9-a068b257b053_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_206.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e1db8899-97c1-4851-8993-3a3265353601.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e1db8899-97c1-4851-8993-3a3265353601_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e1db8899-97c1-4851-8993-3a3265353601_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e1db8899-97c1-4851-8993-3a3265353601_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_110.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_212.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_213.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_214.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_215.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e28b8093-833b-4eda-b877-0873d134cf3c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e28b8093-833b-4eda-b877-0873d134cf3c_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e28b8093-833b-4eda-b877-0873d134cf3c_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e28b8093-833b-4eda-b877-0873d134cf3c_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2dc8f8c-5f16-42fa-b49e-0eb8057f7444.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/e2dc8f8c-5f16-42fa-b49e-0eb8057f7444_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2dc8f8c-5f16-42fa-b49e-0eb8057f7444_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_107.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_311.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3c5d5cb-41d5-4206-805c-f30561eae3ac.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3c5d5cb-41d5-4206-805c-f30561eae3ac_100.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3c5d5cb-41d5-4206-805c-f30561eae3ac_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3c5d5cb-41d5-4206-805c-f30561eae3ac_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_107.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e468f3f6-7c4c-45bb-846a-053738b3fe5d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e468f3f6-7c4c-45bb-846a-053738b3fe5d_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e468f3f6-7c4c-45bb-846a-053738b3fe5d_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e468f3f6-7c4c-45bb-846a-053738b3fe5d_3.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/e468f3f6-7c4c-45bb-846a-053738b3fe5d_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_209.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_309.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_203.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_204.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_103.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_208.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_308.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_102.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e707a7be-cc52-41ac-8ab3-d34b38c20005.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e707a7be-cc52-41ac-8ab3-d34b38c20005_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e707a7be-cc52-41ac-8ab3-d34b38c20005_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_107.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e7357fec-6e9c-41b9-b93d-6e4fc40c7d47.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e74d645b-fec6-431e-bf93-ca64a538e0de.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e74d645b-fec6-431e-bf93-ca64a538e0de_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e74d645b-fec6-431e-bf93-ca64a538e0de_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e74d645b-fec6-431e-bf93-ca64a538e0de_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e760c72b-bb1f-44f0-9f0d-37d51744ee75.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e760c72b-bb1f-44f0-9f0d-37d51744ee75_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_4.json 
delete mode 100644 packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_108.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_212.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_3.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e8c9ff14-fd1e-11ee-a0df-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e8c9ff14-fd1e-11ee-a0df-f661ea17fbce_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_103.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_211.json create mode 100644 packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e92c99b6-c547-4bb6-b244-2f27394bc849.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e92c99b6-c547-4bb6-b244-2f27394bc849_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e92c99b6-c547-4bb6-b244-2f27394bc849_2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/e92c99b6-c547-4bb6-b244-2f27394bc849_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e9b0902b-c515-413b-b80b-a8dcebc81a66.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/e9b0902b-c515-413b-b80b-a8dcebc81a66_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e9b0902b-c515-413b-b80b-a8dcebc81a66_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e9b0902b-c515-413b-b80b-a8dcebc81a66_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_107.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eaef8a35-12e0-4ac0-bc14-81c72b6bd27c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eaef8a35-12e0-4ac0-bc14-81c72b6bd27c_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eaef8a35-12e0-4ac0-bc14-81c72b6bd27c_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eaef8a35-12e0-4ac0-bc14-81c72b6bd27c_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eb079c62-4481-4d6e-9643-3ca499df7aaa.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eb079c62-4481-4d6e-9643-3ca499df7aaa_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eb079c62-4481-4d6e-9643-3ca499df7aaa_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_105.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_210.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_105.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_111.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_312.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ec604672-bed9-43e1-8871-cf591c052550.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ec604672-bed9-43e1-8871-cf591c052550_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ecc0cd54-608e-11ef-ab6d-f661ea17fbce_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ecd4857b-5bac-455e-a7c9-a88b66e56a9e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ecd4857b-5bac-455e-a7c9-a88b66e56a9e_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_104.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ed9ecd27-e3e6-4fd9-8586-7754803f7fc8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ed9ecd27-e3e6-4fd9-8586-7754803f7fc8_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_313.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_209.json create mode 100644 packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_309.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_110.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_313.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_2.json create mode 100644 packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_206.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ee53d67a-5f0c-423c-a53c-8084ae562b5c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ee53d67a-5f0c-423c-a53c-8084ae562b5c_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_105.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef65e82c-d8b4-4895-9824-5f6bc6166804.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef8cc01c-fc49-4954-a175-98569c646740.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef8cc01c-fc49-4954-a175-98569c646740_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef8cc01c-fc49-4954-a175-98569c646740_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ef8cc01c-fc49-4954-a175-98569c646740_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_104.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_205.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_208.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_308.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f0bc081a-2346-4744-a6a4-81514817e888.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f0bc081a-2346-4744-a6a4-81514817e888_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_103.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f18a474c-3632-427f-bcf5-363c994309ee.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f2015527-7c46-4bb9-80db-051657ddfb69.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f2015527-7c46-4bb9-80db-051657ddfb69_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f243fe39-83a4-46f3-a3b6-707557a102df.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f243fe39-83a4-46f3-a3b6-707557a102df_1.json 
delete mode 100644 packages/security_detection_engine/kibana/security_rule/f243fe39-83a4-46f3-a3b6-707557a102df_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f243fe39-83a4-46f3-a3b6-707557a102df_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f243fe39-83a4-46f3-a3b6-707557a102df_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_108.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_309.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_107.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_6.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_101.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f3818c85-2207-4b51-8a28-d70fb156ee87.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f3818c85-2207-4b51-8a28-d70fb156ee87_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f3818c85-2207-4b51-8a28-d70fb156ee87_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_3.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f48ecc44-7d02-437d-9562-b838d2c41987.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f48ecc44-7d02-437d-9562-b838d2c41987_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_107.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_5.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f5488ac1-099e-4008-a6cb-fb638a0f0828.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f5488ac1-099e-4008-a6cb-fb638a0f0828_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97.json 
delete mode 100644 packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_4.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f638a66d-3bbf-46b1-a52c-ef6f39fb6caf.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f638a66d-3bbf-46b1-a52c-ef6f39fb6caf_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f638a66d-3bbf-46b1-a52c-ef6f39fb6caf_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_310.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f6652fb5-cd8e-499c-8311-2ce2bb6cac62.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f6652fb5-cd8e-499c-8311-2ce2bb6cac62_1.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_310.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f75f65cf-ed04-48df-a7ff-b02a8bfe636e.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f75f65cf-ed04-48df-a7ff-b02a8bfe636e_1.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/f75f65cf-ed04-48df-a7ff-b02a8bfe636e_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f766ffaf-9568-4909-b734-75d19b35cbf4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f766ffaf-9568-4909-b734-75d19b35cbf4_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f7769104-e8f9-4931-94a2-68fc04eadec3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f7769104-e8f9-4931-94a2-68fc04eadec3_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f7769104-e8f9-4931-94a2-68fc04eadec3_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_107.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f7c70f2e-4616-439c-85ac-5b98415042fe.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f7c70f2e-4616-439c-85ac-5b98415042fe_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f7c70f2e-4616-439c-85ac-5b98415042fe_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_108.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f86cd31c-5c7e-4481-99d7-6875a3e31309_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_111.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f8822053-a5d2-46db-8c96-d460b12c36ac.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f8822053-a5d2-46db-8c96-d460b12c36ac_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f8822053-a5d2-46db-8c96-d460b12c36ac_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f8822053-a5d2-46db-8c96-d460b12c36ac_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f94e898e-94f1-4545-8923-03e4b2866211.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f94e898e-94f1-4545-8923-03e4b2866211_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f94e898e-94f1-4545-8923-03e4b2866211_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_3.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f97504ac-1053-498f-aeaa-c6d01e76b379.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f97504ac-1053-498f-aeaa-c6d01e76b379_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f97504ac-1053-498f-aeaa-c6d01e76b379_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_10.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_206.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_208.json create mode 100644 packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_308.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_110.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_6.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_211.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_212.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_213.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_107.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fb0afac5-bbd6-49b0-b4f8-44e5381e1587.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fb0afac5-bbd6-49b0-b4f8-44e5381e1587_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fb0afac5-bbd6-49b0-b4f8-44e5381e1587_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_205.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_108.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fc909baa-fb34-4c46-9691-be276ef4234c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fc909baa-fb34-4c46-9691-be276ef4234c_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fc909baa-fb34-4c46-9691-be276ef4234c_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fcf733d5-7801-4eb0-92ac-8ffacf3658f2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fcf733d5-7801-4eb0-92ac-8ffacf3658f2_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fcf733d5-7801-4eb0-92ac-8ffacf3658f2_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd01b949-81be-46d5-bcf8-284395d5f56d.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd01b949-81be-46d5-bcf8-284395d5f56d_1.json create mode 100644 packages/security_detection_engine/kibana/security_rule/fd01b949-81be-46d5-bcf8-284395d5f56d_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd332492-0bc6-11ef-b5be-f661ea17fbcc.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd332492-0bc6-11ef-b5be-f661ea17fbcc_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_106.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_311.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_310.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_207.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_208.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_209.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_210.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_211.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_212.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_213.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_216.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_318.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd9484f2-1c56-44ae-8b28-dc1354e3a0e8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fd9484f2-1c56-44ae-8b28-dc1354e3a0e8_1.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_10.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_11.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_12.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_2.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_107.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_109.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_110.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_111.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_112.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_113.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_114.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fec7ccb7-6ed9-4f98-93ab-d6b366b063a0.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/fec7ccb7-6ed9-4f98-93ab-d6b366b063a0_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_104.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_105.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_106.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_107.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_108.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_10.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_11.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_12.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_13.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_3.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff320c56-f8fa-11ee-8c44-f661ea17fbce.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff320c56-f8fa-11ee-8c44-f661ea17fbce_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_2.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_3.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_4.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_5.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_6.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_7.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_8.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_9.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_101.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_102.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_105.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff6cf8b9-b76c-4cc1-ac1b-4935164d1029.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff6cf8b9-b76c-4cc1-ac1b-4935164d1029_1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1_103.json delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b.json delete mode 100644 
packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_1.json
delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_2.json
delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_3.json
delete mode 100644 packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_4.json
diff --git a/packages/security_detection_engine/changelog.yml b/packages/security_detection_engine/changelog.yml
index 54411e675ad..b9e5e92ff8a 100644
--- a/packages/security_detection_engine/changelog.yml
+++ b/packages/security_detection_engine/changelog.yml
@@ -1,5 +1,10 @@
 # newer versions go on top
 # NOTE: please use pre-release versions (e.g. -beta.0) until a package is ready for production
+- version: 8.16.2-beta.1
+ changes:
+ - description: Release security rules update
+ type: enhancement
+ link: https://github.com/elastic/integrations/pulls/0000
 - version: 8.16.2-beta.1
 changes:
 - description: Release security rules update for testing smart limits
diff --git a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19.json b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19.json
deleted file mode 100644
index dfc0529cb1d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Policy Rule", "note": "## Triage and analysis\n\n### Investigating Attempt to Modify an Okta Policy Rule\n\nThe modification of an Okta policy rule can be an indication of malicious activity as it may aim to weaken an organization's security controls.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\n- Check the `okta.outcome.result` field to confirm the rule modification attempt.\n- Check if there are multiple rule modification attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the modification attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized modification is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.rule.update\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": 
["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_102.json b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_102.json deleted file mode 100644 index d4a756b5d64..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Policy Rule", "note": "", "query": "event.dataset:okta.system and event.action:policy.rule.update\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": 
"000047bb-b27a-47ec-8b62-ef1a5d2c9e19_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_103.json b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_103.json deleted file mode 100644 index 06f5d7eb41f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Policy Rule", "note": "", "query": "event.dataset:okta.system and event.action:policy.rule.update\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": 
"000047bb-b27a-47ec-8b62-ef1a5d2c9e19_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_104.json b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_104.json deleted file mode 100644 index bbf0e928a77..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Policy Rule", "note": "## Triage and analysis\n\n### Investigating Attempt to Modify an Okta Policy Rule\n\nThe modification of an Okta policy rule can be an indication of malicious activity as it may aim to weaken an organization's security controls.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\n- Check the `okta.outcome.result` field to confirm the rule modification attempt.\n- Check if there are multiple rule modification attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the modification attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized modification is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.rule.update\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": 
["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_105.json b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_105.json deleted file mode 100644 index 4104087e9ef..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Policy Rule", "note": "## Triage and analysis\n\n### Investigating Attempt to Modify an Okta Policy Rule\n\nThe modification of an Okta policy rule can be an indication of malicious activity as it may aim to weaken an organization's security controls.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\n- Check the `okta.outcome.result` field to confirm the rule modification attempt.\n- Check if there are multiple rule modification attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the modification attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized modification is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.rule.update\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": 
["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_106.json b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_106.json deleted file mode 100644 index 4ec3c75b12f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Policy Rule", "note": "## Triage and analysis\n\n### Investigating Attempt to Modify an Okta Policy Rule\n\nThe modification of an Okta policy rule can be an indication of malicious activity as it may aim to weaken an organization's security controls.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\n- Check the `okta.outcome.result` field to confirm the rule modification attempt.\n- Check if there are multiple rule modification attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the modification attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized modification is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.rule.update\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": 
["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_207.json b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_207.json deleted file mode 100644 index 94b7945bf67..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_207.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Policy Rule", "note": "## Triage and analysis\n\n### Investigating Attempt to Modify an Okta Policy Rule\n\nThe modification of an Okta policy rule can be an indication of malicious activity as it may aim to weaken an organization's security controls.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\n- Check the `okta.outcome.result` field to confirm the rule modification attempt.\n- Check if there are multiple rule modification attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the modification attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized modification is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.rule.update\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": 
["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19_207", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_208.json b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_208.json deleted file mode 100644 index c88672bcfd1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_208.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Policy Rule", "note": "## Triage and analysis\n\n### Investigating Attempt to Modify an Okta Policy Rule\n\nThe modification of an Okta policy rule can be an indication of malicious activity as it may aim to weaken an organization's security controls.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\n- Check the `okta.outcome.result` field to confirm the rule modification attempt.\n- Check if there are multiple rule modification attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the modification attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized modification is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.rule.update\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19", 
"setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 208}, "id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_210.json b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_210.json deleted file mode 100644 index a6b06bfd773..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_210.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Policy Rule", "note": "## Triage and analysis\n\n### Investigating Attempt to Modify an Okta Policy Rule\n\nThe modification of an Okta policy rule can be an indication of malicious activity as it may aim to weaken an organization's security controls.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\n- Check the `okta.outcome.result` field to confirm the rule modification attempt.\n- Check if there are multiple rule modification attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the modification attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized modification is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.rule.update\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19", 
"setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 210}, "id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19_210", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_310.json b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_310.json new file mode 100644 index 00000000000..a47934ea86f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19_310.json 
@@ -0,0 +1,84 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Modify an Okta Policy Rule", + "note": "## Triage and analysis\n\n### Investigating Attempt to Modify an Okta Policy Rule\n\nThe modification of an Okta policy rule can be an indication of malicious activity as it may aim to weaken an organization's security controls.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\n- Check the `okta.outcome.result` field to confirm the rule modification attempt.\n- Check if there are multiple rule modification attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the modification attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized modification is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", + "query": "event.dataset:okta.system and event.action:policy.rule.update\n", + "references": [ + "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", + "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + 
"risk_score": 21, + "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Use Case: Identity and Access Audit", + "Tactic: Defense Evasion", + "Data Source: Okta" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 310 + }, + "id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19_310", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3.json b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3.json deleted file mode 100644 index 67d052e4110..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3.json +++ /dev/null 
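Review bot: The new rule JSON ships a full `note` investigation guide, but its `tags` array (`Use Case: Identity and Access Audit`, `Tactic: Defense Evasion`, `Data Source: Okta`) omits `Resources: Investigation Guide`, which the 00140285-… rule deleted further down in this diff carries alongside its own note. If that tag is what the rule catalogue keys on to surface guides, add `"Resources: Investigation Guide"` to the array. Separately, `related_integrations` raises the okta package floor to `^3.0.0` while the `setup` string still reads only `The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.`; naming the minimum integration version there would make the new floor visible to operators. The query fires on every `policy.rule.update` regardless of `okta.outcome.result`, which matches the "attempts" wording in `description` but is worth stating in `false_positives` so failed edits are not triaged as successful ones.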
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Windows Utilities", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Windows Utilities\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and group membership.\n\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active Directory `Ntds.dit` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify what information was targeted.\n- Identify the target computer and its role in the IT environment.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the host is a domain controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is being followed and to reduce the attack surface.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (?process.pe.original_file_name : \"procdump\" or process.name : \"procdump.exe\") and process.args : \"-ma\"\n ) or\n (\n process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\"\n ) or\n (\n (?process.pe.original_file_name : \"WriteMiniDump.exe\" or process.name : \"WriteMiniDump.exe\") and\n not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\"\n ) or\n (\n (?process.pe.original_file_name : \"RUNDLL32.EXE\" or process.name : \"RUNDLL32.exe\") and\n (process.args : \"MiniDump*\" or process.command_line : 
\"*comsvcs.dll*#24*\")\n ) or\n (\n (?process.pe.original_file_name : \"RdrLeakDiag.exe\" or process.name : \"RdrLeakDiag.exe\") and\n process.args : \"/fullmemdmp\"\n ) or\n (\n (?process.pe.original_file_name : \"SqlDumper.exe\" or process.name : \"SqlDumper.exe\") and\n process.args : \"0x01100*\") or\n (\n (?process.pe.original_file_name : \"TTTracer.exe\" or process.name : \"TTTracer.exe\") and\n process.args : \"-dumpFull\" and process.args : \"-attach\") or\n (\n (?process.pe.original_file_name : \"ntdsutil.exe\" or process.name : \"ntdsutil.exe\") and\n process.args : \"create*full*\") or\n (\n (?process.pe.original_file_name : \"diskshadow.exe\" or process.name : \"diskshadow.exe\") and process.args : \"/s\")\n)\n", "references": ["https://lolbas-project.github.io/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: 
Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "00140285-b827-4aee-aa09-8113f58a08f3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_105.json b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_105.json deleted file mode 100644 index 964ac6b6066..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Windows Utilities", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Windows Utilities\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and group membership.\n\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active Directory `Ntds.dit` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify what information was targeted.\n- Identify the target computer and its role in the IT environment.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the host is a domain controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is being followed and to reduce the attack surface.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n /* update here with any new lolbas with dump capability */\n (process.pe.original_file_name == \"procdump\" and process.args : \"-ma\") or\n (process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\") or\n (process.pe.original_file_name == \"WriteMiniDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\") or\n (process.pe.original_file_name == \"RUNDLL32.EXE\" and (process.args : \"MiniDump*\" or process.command_line : \"*comsvcs.dll*#24*\")) or\n (process.pe.original_file_name == \"RdrLeakDiag.exe\" 
and process.args : \"/fullmemdmp\") or\n (process.pe.original_file_name == \"SqlDumper.exe\" and process.args : \"0x01100*\") or\n (process.pe.original_file_name == \"TTTracer.exe\" and process.args : \"-dumpFull\" and process.args : \"-attach\") or\n (process.pe.original_file_name == \"ntdsutil.exe\" and process.args : \"create*full*\") or\n (process.pe.original_file_name == \"diskshadow.exe\" and process.args : \"/s\")\n)\n", "references": ["https://lolbas-project.github.io/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}, {"id": 
"T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "00140285-b827-4aee-aa09-8113f58a08f3_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_106.json b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_106.json
deleted file mode 100644
index 0ade6d1bdd3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Windows Utilities", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Windows Utilities\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and group membership.\n\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active Directory `Ntds.dit` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify what information was targeted.\n- Identify the target computer and its role in the IT environment.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the host is a domain controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is being followed and to reduce the attack surface.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.pe.original_file_name : \"procdump\" or process.name : \"procdump.exe\") and process.args : \"-ma\"\n ) or\n (\n process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\"\n ) or\n (\n (process.pe.original_file_name : \"WriteMiniDump.exe\" or process.name : \"WriteMiniDump.exe\") and\n not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\"\n ) or\n (\n (process.pe.original_file_name : \"RUNDLL32.EXE\" or process.name : \"RUNDLL32.exe\") and\n (process.args : \"MiniDump*\" or process.command_line : 
\"*comsvcs.dll*#24*\")\n ) or\n (\n (process.pe.original_file_name : \"RdrLeakDiag.exe\" or process.name : \"RdrLeakDiag.exe\") and\n process.args : \"/fullmemdmp\"\n ) or\n (\n (process.pe.original_file_name : \"SqlDumper.exe\" or process.name : \"SqlDumper.exe\") and\n process.args : \"0x01100*\") or\n (\n (process.pe.original_file_name : \"TTTracer.exe\" or process.name : \"TTTracer.exe\") and\n process.args : \"-dumpFull\" and process.args : \"-attach\") or\n (\n (process.pe.original_file_name : \"ntdsutil.exe\" or process.name : \"ntdsutil.exe\") and\n process.args : \"create*full*\") or\n (\n (process.pe.original_file_name : \"diskshadow.exe\" or process.name : \"diskshadow.exe\") and process.args : \"/s\")\n)\n", "references": ["https://lolbas-project.github.io/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": 
"https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "00140285-b827-4aee-aa09-8113f58a08f3_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_107.json b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_107.json
deleted file mode 100644
index 47b54fca389..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Windows Utilities", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Windows Utilities\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and group membership.\n\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active Directory `Ntds.dit` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify what information was targeted.\n- Identify the target computer and its role in the IT environment.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the host is a domain controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is being followed and to reduce the attack surface.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.pe.original_file_name : \"procdump\" or process.name : \"procdump.exe\") and process.args : \"-ma\"\n ) or\n (\n process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\"\n ) or\n (\n (process.pe.original_file_name : \"WriteMiniDump.exe\" or process.name : \"WriteMiniDump.exe\") and\n not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\"\n ) or\n (\n (process.pe.original_file_name : \"RUNDLL32.EXE\" or process.name : \"RUNDLL32.exe\") and\n (process.args : \"MiniDump*\" or process.command_line : 
\"*comsvcs.dll*#24*\")\n ) or\n (\n (process.pe.original_file_name : \"RdrLeakDiag.exe\" or process.name : \"RdrLeakDiag.exe\") and\n process.args : \"/fullmemdmp\"\n ) or\n (\n (process.pe.original_file_name : \"SqlDumper.exe\" or process.name : \"SqlDumper.exe\") and\n process.args : \"0x01100*\") or\n (\n (process.pe.original_file_name : \"TTTracer.exe\" or process.name : \"TTTracer.exe\") and\n process.args : \"-dumpFull\" and process.args : \"-attach\") or\n (\n (process.pe.original_file_name : \"ntdsutil.exe\" or process.name : \"ntdsutil.exe\") and\n process.args : \"create*full*\") or\n (\n (process.pe.original_file_name : \"diskshadow.exe\" or process.name : \"diskshadow.exe\") and process.args : \"/s\")\n)\n", "references": ["https://lolbas-project.github.io/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", 
"name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "00140285-b827-4aee-aa09-8113f58a08f3_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_108.json b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_108.json
deleted file mode 100644
index 3c63509c9fd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Windows Utilities", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Windows Utilities\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and group membership.\n\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active Directory `Ntds.dit` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify what information was targeted.\n- Identify the target computer and its role in the IT environment.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the host is a domain controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is being followed and to reduce the attack surface.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.pe.original_file_name : \"procdump\" or process.name : \"procdump.exe\") and process.args : \"-ma\"\n ) or\n (\n process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\"\n ) or\n (\n (process.pe.original_file_name : \"WriteMiniDump.exe\" or process.name : \"WriteMiniDump.exe\") and\n not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\"\n ) or\n (\n (process.pe.original_file_name : \"RUNDLL32.EXE\" or process.name : \"RUNDLL32.exe\") and\n (process.args : \"MiniDump*\" or process.command_line : 
\"*comsvcs.dll*#24*\")\n ) or\n (\n (process.pe.original_file_name : \"RdrLeakDiag.exe\" or process.name : \"RdrLeakDiag.exe\") and\n process.args : \"/fullmemdmp\"\n ) or\n (\n (process.pe.original_file_name : \"SqlDumper.exe\" or process.name : \"SqlDumper.exe\") and\n process.args : \"0x01100*\") or\n (\n (process.pe.original_file_name : \"TTTracer.exe\" or process.name : \"TTTracer.exe\") and\n process.args : \"-dumpFull\" and process.args : \"-attach\") or\n (\n (process.pe.original_file_name : \"ntdsutil.exe\" or process.name : \"ntdsutil.exe\") and\n process.args : \"create*full*\") or\n (\n (process.pe.original_file_name : \"diskshadow.exe\" or process.name : \"diskshadow.exe\") and process.args : \"/s\")\n)\n", "references": ["https://lolbas-project.github.io/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "00140285-b827-4aee-aa09-8113f58a08f3_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_109.json b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_109.json
deleted file mode 100644
index 48c99298e02..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Windows Utilities", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Windows Utilities\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and group membership.\n\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active Directory `Ntds.dit` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify what information was targeted.\n- Identify the target computer and its role in the IT environment.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the host is a domain controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is being followed and to reduce the attack surface.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.pe.original_file_name : \"procdump\" or process.name : \"procdump.exe\") and process.args : \"-ma\"\n ) or\n (\n process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\"\n ) or\n (\n (process.pe.original_file_name : \"WriteMiniDump.exe\" or process.name : \"WriteMiniDump.exe\") and\n not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\"\n ) or\n (\n (process.pe.original_file_name : \"RUNDLL32.EXE\" or process.name : \"RUNDLL32.exe\") and\n (process.args : \"MiniDump*\" or process.command_line : 
\"*comsvcs.dll*#24*\")\n ) or\n (\n (process.pe.original_file_name : \"RdrLeakDiag.exe\" or process.name : \"RdrLeakDiag.exe\") and\n process.args : \"/fullmemdmp\"\n ) or\n (\n (process.pe.original_file_name : \"SqlDumper.exe\" or process.name : \"SqlDumper.exe\") and\n process.args : \"0x01100*\") or\n (\n (process.pe.original_file_name : \"TTTracer.exe\" or process.name : \"TTTracer.exe\") and\n process.args : \"-dumpFull\" and process.args : \"-attach\") or\n (\n (process.pe.original_file_name : \"ntdsutil.exe\" or process.name : \"ntdsutil.exe\") and\n process.args : \"create*full*\") or\n (\n (process.pe.original_file_name : \"diskshadow.exe\" or process.name : \"diskshadow.exe\") and process.args : \"/s\")\n)\n", "references": ["https://lolbas-project.github.io/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "00140285-b827-4aee-aa09-8113f58a08f3_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_110.json b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_110.json
deleted file mode 100644
index 0d43a700c63..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Windows Utilities", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Windows Utilities\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and group membership.\n\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active Directory `Ntds.dit` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify what information was targeted.\n- Identify the target computer and its role in the IT environment.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the host is a domain controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is being followed and to reduce the attack surface.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.pe.original_file_name : \"procdump\" or process.name : \"procdump.exe\") and process.args : \"-ma\"\n ) or\n (\n process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\"\n ) or\n (\n (process.pe.original_file_name : \"WriteMiniDump.exe\" or process.name : \"WriteMiniDump.exe\") and\n not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\"\n ) or\n (\n (process.pe.original_file_name : \"RUNDLL32.EXE\" or process.name : \"RUNDLL32.exe\") and\n (process.args : \"MiniDump*\" or process.command_line : 
\"*comsvcs.dll*#24*\")\n ) or\n (\n (process.pe.original_file_name : \"RdrLeakDiag.exe\" or process.name : \"RdrLeakDiag.exe\") and\n process.args : \"/fullmemdmp\"\n ) or\n (\n (process.pe.original_file_name : \"SqlDumper.exe\" or process.name : \"SqlDumper.exe\") and\n process.args : \"0x01100*\") or\n (\n (process.pe.original_file_name : \"TTTracer.exe\" or process.name : \"TTTracer.exe\") and\n process.args : \"-dumpFull\" and process.args : \"-attach\") or\n (\n (process.pe.original_file_name : \"ntdsutil.exe\" or process.name : \"ntdsutil.exe\") and\n process.args : \"create*full*\") or\n (\n (process.pe.original_file_name : \"diskshadow.exe\" or process.name : \"diskshadow.exe\") and process.args : \"/s\")\n)\n", "references": ["https://lolbas-project.github.io/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: 
Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "00140285-b827-4aee-aa09-8113f58a08f3_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_111.json b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_111.json
deleted file mode 100644
index 15796179ebd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Windows Utilities", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Windows Utilities\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and group membership.\n\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active Directory `Ntds.dit` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify what information was targeted.\n- Identify the target computer and its role in the IT environment.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the host is a domain controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is being followed and to reduce the attack surface.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (?process.pe.original_file_name : \"procdump\" or process.name : \"procdump.exe\") and process.args : \"-ma\"\n ) or\n (\n process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\"\n ) or\n (\n (?process.pe.original_file_name : \"WriteMiniDump.exe\" or process.name : \"WriteMiniDump.exe\") and\n not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\"\n ) or\n (\n (?process.pe.original_file_name : \"RUNDLL32.EXE\" or process.name : \"RUNDLL32.exe\") and\n (process.args : \"MiniDump*\" or process.command_line : 
\"*comsvcs.dll*#24*\")\n ) or\n (\n (?process.pe.original_file_name : \"RdrLeakDiag.exe\" or process.name : \"RdrLeakDiag.exe\") and\n process.args : \"/fullmemdmp\"\n ) or\n (\n (?process.pe.original_file_name : \"SqlDumper.exe\" or process.name : \"SqlDumper.exe\") and\n process.args : \"0x01100*\") or\n (\n (?process.pe.original_file_name : \"TTTracer.exe\" or process.name : \"TTTracer.exe\") and\n process.args : \"-dumpFull\" and process.args : \"-attach\") or\n (\n (?process.pe.original_file_name : \"ntdsutil.exe\" or process.name : \"ntdsutil.exe\") and\n process.args : \"create*full*\") or\n (\n (?process.pe.original_file_name : \"diskshadow.exe\" or process.name : \"diskshadow.exe\") and process.args : \"/s\")\n)\n", "references": ["https://lolbas-project.github.io/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: 
Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "00140285-b827-4aee-aa09-8113f58a08f3_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_112.json b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_112.json
deleted file mode 100644
index 9954b73893c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_112.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Windows Utilities", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Windows Utilities\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and group membership.\n\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active Directory `Ntds.dit` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify what information was targeted.\n- Identify the target computer and its role in the IT environment.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the host is a domain controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is being followed and to reduce the attack surface.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (?process.pe.original_file_name : \"procdump\" or process.name : \"procdump.exe\") and process.args : \"-ma\"\n ) or\n (\n process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\"\n ) or\n (\n (?process.pe.original_file_name : \"WriteMiniDump.exe\" or process.name : \"WriteMiniDump.exe\") and\n not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\"\n ) or\n (\n (?process.pe.original_file_name : \"RUNDLL32.EXE\" or process.name : \"RUNDLL32.exe\") and\n (process.args : \"MiniDump*\" or process.command_line : 
\"*comsvcs.dll*#24*\")\n ) or\n (\n (?process.pe.original_file_name : \"RdrLeakDiag.exe\" or process.name : \"RdrLeakDiag.exe\") and\n process.args : \"/fullmemdmp\"\n ) or\n (\n (?process.pe.original_file_name : \"SqlDumper.exe\" or process.name : \"SqlDumper.exe\") and\n process.args : \"0x01100*\") or\n (\n (?process.pe.original_file_name : \"TTTracer.exe\" or process.name : \"TTTracer.exe\") and\n process.args : \"-dumpFull\" and process.args : \"-attach\") or\n (\n (?process.pe.original_file_name : \"ntdsutil.exe\" or process.name : \"ntdsutil.exe\") and\n process.args : \"create*full*\") or\n (\n (?process.pe.original_file_name : \"diskshadow.exe\" or process.name : \"diskshadow.exe\") and process.args : \"/s\")\n)\n", "references": ["https://lolbas-project.github.io/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: 
Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "00140285-b827-4aee-aa09-8113f58a08f3_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_113.json b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_113.json
deleted file mode 100644
index 6b33eb1f7f2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_113.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Windows Utilities", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Windows Utilities\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and group membership.\n\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active Directory `Ntds.dit` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify what information was targeted.\n- Identify the target computer and its role in the IT environment.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the host is a domain controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is being followed and to reduce the attack surface.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (?process.pe.original_file_name : \"procdump\" or process.name : \"procdump.exe\") and process.args : \"-ma\"\n ) or\n (\n process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\"\n ) or\n (\n (?process.pe.original_file_name : \"WriteMiniDump.exe\" or process.name : \"WriteMiniDump.exe\") and\n not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\"\n ) or\n (\n (?process.pe.original_file_name : \"RUNDLL32.EXE\" or process.name : \"RUNDLL32.exe\") and\n (process.args : \"MiniDump*\" or process.command_line : 
\"*comsvcs.dll*#24*\")\n ) or\n (\n (?process.pe.original_file_name : \"RdrLeakDiag.exe\" or process.name : \"RdrLeakDiag.exe\") and\n process.args : \"/fullmemdmp\"\n ) or\n (\n (?process.pe.original_file_name : \"SqlDumper.exe\" or process.name : \"SqlDumper.exe\") and\n process.args : \"0x01100*\") or\n (\n (?process.pe.original_file_name : \"TTTracer.exe\" or process.name : \"TTTracer.exe\") and\n process.args : \"-dumpFull\" and process.args : \"-attach\") or\n (\n (?process.pe.original_file_name : \"ntdsutil.exe\" or process.name : \"ntdsutil.exe\") and\n process.args : \"create*full*\") or\n (\n (?process.pe.original_file_name : \"diskshadow.exe\" or process.name : \"diskshadow.exe\") and process.args : \"/s\")\n)\n", "references": ["https://lolbas-project.github.io/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: 
Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "00140285-b827-4aee-aa09-8113f58a08f3_113", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_114.json b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_114.json
deleted file mode 100644
index da4b32eea2d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_114.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Windows Utilities", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Windows Utilities\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and group membership.\n\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active Directory `Ntds.dit` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify what information was targeted.\n- Identify the target computer and its role in the IT environment.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the host is a domain controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is being followed and to reduce the attack surface.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (?process.pe.original_file_name : \"procdump\" or process.name : \"procdump.exe\") and process.args : \"-ma\"\n ) or\n (\n process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\"\n ) or\n (\n (?process.pe.original_file_name : \"WriteMiniDump.exe\" or process.name : \"WriteMiniDump.exe\") and\n not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\"\n ) or\n (\n (?process.pe.original_file_name : \"RUNDLL32.EXE\" or process.name : \"RUNDLL32.exe\") and\n (process.args : \"MiniDump*\" or process.command_line : 
\"*comsvcs.dll*#24*\")\n ) or\n (\n (?process.pe.original_file_name : \"RdrLeakDiag.exe\" or process.name : \"RdrLeakDiag.exe\") and\n process.args : \"/fullmemdmp\"\n ) or\n (\n (?process.pe.original_file_name : \"SqlDumper.exe\" or process.name : \"SqlDumper.exe\") and\n process.args : \"0x01100*\") or\n (\n (?process.pe.original_file_name : \"TTTracer.exe\" or process.name : \"TTTracer.exe\") and\n process.args : \"-dumpFull\" and process.args : \"-attach\") or\n (\n (?process.pe.original_file_name : \"ntdsutil.exe\" or process.name : \"ntdsutil.exe\") and\n process.args : \"create*full*\") or\n (\n (?process.pe.original_file_name : \"diskshadow.exe\" or process.name : \"diskshadow.exe\") and process.args : \"/s\")\n)\n", "references": ["https://lolbas-project.github.io/", "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 114}, "id": "00140285-b827-4aee-aa09-8113f58a08f3_114", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_314.json b/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_314.json
deleted file mode 100644
index 673825c1671..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/00140285-b827-4aee-aa09-8113f58a08f3_314.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Windows Utilities", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Windows Utilities\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThe `Ntds.dit` file is a database that stores Active Directory data, including information about user objects, groups, and group membership.\n\nThis rule looks for the execution of utilities that can extract credential data from the LSASS memory and Active Directory `Ntds.dit` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify what information was targeted.\n- Identify the target computer and its role in the IT environment.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the host is a domain controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs, to ensure that the least privilege principle is being followed and to reduce the attack surface.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (?process.pe.original_file_name : \"procdump\" or process.name : \"procdump.exe\") and process.args : \"-ma\"\n ) or\n (\n process.name : \"ProcessDump.exe\" and not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Cisco Systems\\\\.*\"\"\"\n ) or\n (\n (?process.pe.original_file_name : \"WriteMiniDump.exe\" or process.name : \"WriteMiniDump.exe\") and\n not process.parent.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\Steam\\\\.*\"\"\"\n ) or\n (\n (?process.pe.original_file_name : \"RUNDLL32.EXE\" or process.name : \"RUNDLL32.exe\") and\n (process.args : \"MiniDump*\" or process.command_line : \"*comsvcs.dll*#24*\")\n ) or\n (\n (?process.pe.original_file_name : \"RdrLeakDiag.exe\" or process.name : \"RdrLeakDiag.exe\") and\n process.args : \"/fullmemdmp\"\n ) or\n (\n (?process.pe.original_file_name : \"SqlDumper.exe\" or process.name : \"SqlDumper.exe\") and\n process.args : \"0x01100*\") or\n (\n (?process.pe.original_file_name : \"TTTracer.exe\" or process.name : \"TTTracer.exe\") and\n process.args : \"-dumpFull\" and process.args : \"-attach\") or\n (\n (?process.pe.original_file_name : \"ntdsutil.exe\" or process.name : \"ntdsutil.exe\") and\n process.args : \"create*full*\") or\n (\n (?process.pe.original_file_name : \"diskshadow.exe\" or process.name : \"diskshadow.exe\") and process.args : \"/s\")\n)\n", "references": ["https://lolbas-project.github.io/", 
"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "00140285-b827-4aee-aa09-8113f58a08f3", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": 
"https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 314}, "id": "00140285-b827-4aee-aa09-8113f58a08f3_314", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd.json b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd.json deleted file mode 100644 index 4d4e97da487..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "System Shells via Services", "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n\n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": 
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 314}, "id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_104.json b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_104.json deleted file mode 100644 index 8e9ad0205fb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "System Shells via Services", "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n\n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define 
`event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_105.json b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_105.json
deleted file mode 100644
index 356d80544ef..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "System Shells via Services", "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n\n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", 
"Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_106.json b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_106.json deleted file mode 100644 index a01a587a2d4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "System Shells via Services", "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n\n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", 
"Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_107.json b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_107.json deleted file mode 100644 index bbe6aa3b5fb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "System Shells via Services", "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n\n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", 
"Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_108.json b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_108.json deleted file mode 100644 index fee5700587b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "System Shells via Services", "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n\n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", 
"Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_109.json b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_109.json deleted file mode 100644 index 8f8f09878fb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "System Shells via Services", "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n\n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: 
Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_110.json b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_110.json deleted file mode 100644 index 7006c8f2a7e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "System Shells via Services", "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n\n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: 
Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_211.json b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_211.json deleted file mode 100644 index c1a788f002d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_211.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "System Shells via Services", "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n\n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", "severity": 
"medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 211}, "id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd_211", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_312.json b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_312.json
deleted file mode 100644
index 2117c6e1a51..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_312.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "System Shells via Services", "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n\n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd", "severity": 
"medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 312}, "id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd_312", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_313.json b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_313.json
deleted file mode 100644
index 96bc24e0b7d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_313.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "System Shells via Services", "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n\n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": 
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 313}, "id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd_313", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_314.json b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_314.json
deleted file mode 100644
index d4fad58704b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_314.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "System Shells via Services", "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n\n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": 
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 314}, "id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd_314", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_414.json b/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_414.json
deleted file mode 100644
index 6f9a03c6a21..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0022d47d-39c7-4f69-a232-4fe9dc7a3acd_414.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "System Shells via Services", "note": "## Triage and analysis\n\n### Investigating System Shells via Services\n\nAttackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these shells with persistence payloads.\n\nThis rule looks for system shells being spawned by `services.exe`, which is compatible with the above behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check for commands executed under the spawned shell.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"services.exe\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n\n /* Third party FP's */\n not process.args : \"NVDisplay.ContainerLocalSystem\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": 
"0022d47d-39c7-4f69-a232-4fe9dc7a3acd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 414}, "id": "0022d47d-39c7-4f69-a232-4fe9dc7a3acd_414", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc.json b/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc.json deleted file mode 100644 index 7335e57ea75..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a previously suspended user's account is renewed in Google Workspace. An adversary may renew a suspended user account to maintain access to the Google Workspace organization with a valid account.", "false_positives": ["Google Workspace administrators may renew a suspended user account if the user is expected to continue employment at the organization after temporary leave. Suspended user accounts are typically used by administrators to remove access to the user while actions is taken to transfer important documents and roles to other users, prior to deleting the user account and removing the license."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Suspended User Account Renewed", "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER\n", "references": ["https://support.google.com/a/answer/1110339"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "00678712-b2df-11ed-afe9-f661ea17fbcc", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "00678712-b2df-11ed-afe9-f661ea17fbcc", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_1.json
deleted file mode 100644
index ede593c42e3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a previously suspended user's account is renewed in Google Workspace. An adversary may renew a suspended user account to maintain access to the Google Workspace organization with a valid account.", "false_positives": ["Google Workspace administrators may renew a suspended user account if the user is expected to continue employment at the organization after temporary leave. Suspended user accounts are typically used by administrators to remove access to the user while actions is taken to transfer important documents and roles to other users, prior to deleting the user account and removing the license."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Suspended User Account Renewed", "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER\n", "references": ["https://support.google.com/a/answer/1110339"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "00678712-b2df-11ed-afe9-f661ea17fbcc", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "00678712-b2df-11ed-afe9-f661ea17fbcc_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_2.json b/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_2.json
deleted file mode 100644
index 9f1d1c658f1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/00678712-b2df-11ed-afe9-f661ea17fbcc_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a previously suspended user's account is renewed in Google Workspace. An adversary may renew a suspended user account to maintain access to the Google Workspace organization with a valid account.", "false_positives": ["Google Workspace administrators may renew a suspended user account if the user is expected to continue employment at the organization after temporary leave. Suspended user accounts are typically used by administrators to remove access to the user while actions is taken to transfer important documents and roles to other users, prior to deleting the user account and removing the license."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Suspended User Account Renewed", "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.category:iam and event.action:UNSUSPEND_USER\n", "references": ["https://support.google.com/a/answer/1110339"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "00678712-b2df-11ed-afe9-f661ea17fbcc", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "00678712-b2df-11ed-afe9-f661ea17fbcc_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16.json b/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16.json
deleted file mode 100644
index 9d3eab63a69..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user has been restricted from sending email due to exceeding sending limits of the service policies per the Security Compliance Center.", "false_positives": ["A user sending emails using personal distribution folders may trigger the event."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 User Restricted from Sending Email", "note": "", "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"User restricted from sending email\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "0136b315-b566-482f-866c-1d8e2477ba16", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": 
"0136b315-b566-482f-866c-1d8e2477ba16", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_101.json b/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_101.json deleted file mode 100644 index 0f6f7bc3fea..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user has been restricted from sending email due to exceeding sending limits of the service policies per the Security Compliance Center.", "false_positives": ["A user sending emails using personal distribution folders may trigger the event."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 User Restricted from Sending Email", "note": "", "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"User restricted from sending email\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "0136b315-b566-482f-866c-1d8e2477ba16", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": 
"0136b315-b566-482f-866c-1d8e2477ba16_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_102.json b/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_102.json deleted file mode 100644 index c9e7e136706..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user has been restricted from sending email due to exceeding sending limits of the service policies per the Security Compliance Center.", "false_positives": ["A user sending emails using personal distribution folders may trigger the event."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 User Restricted from Sending Email", "note": "", "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"User restricted from sending email\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "0136b315-b566-482f-866c-1d8e2477ba16", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": 
"0136b315-b566-482f-866c-1d8e2477ba16_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_103.json b/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_103.json deleted file mode 100644 index 4c68af89916..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user has been restricted from sending email due to exceeding sending limits of the service policies per the Security Compliance Center.", "false_positives": ["A user sending emails using personal distribution folders may trigger the event."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 User Restricted from Sending Email", "note": "", "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"User restricted from sending email\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "0136b315-b566-482f-866c-1d8e2477ba16", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": 
"0136b315-b566-482f-866c-1d8e2477ba16_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_105.json b/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_105.json deleted file mode 100644 index 9157f3bf3e8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0136b315-b566-482f-866c-1d8e2477ba16_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user has been restricted from sending email due to exceeding sending limits of the service policies per the Security Compliance Center.", "false_positives": ["A user sending emails using personal distribution folders may trigger the event."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 User Restricted from Sending Email", "note": "", "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"User restricted from sending email\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "0136b315-b566-482f-866c-1d8e2477ba16", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": 
"0136b315-b566-482f-866c-1d8e2477ba16_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6.json b/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6.json deleted file mode 100644 index eb8fd290032..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities.", "false_positives": ["Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Redshift Cluster Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/redshift/latest/APIReference/API_CreateCluster.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "015cca13-8832-49ac-a01b-a396114809f6", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Redshift", "Use Case: Asset Visibility", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "015cca13-8832-49ac-a01b-a396114809f6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_102.json b/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_102.json
deleted file mode 100644
index 52043d5f8f4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities.", "false_positives": ["Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Redshift Cluster Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/redshift/latest/APIReference/API_CreateCluster.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "015cca13-8832-49ac-a01b-a396114809f6", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": 
[]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "015cca13-8832-49ac-a01b-a396114809f6_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_103.json b/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_103.json
deleted file mode 100644
index d66703285cd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities.", "false_positives": ["Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Redshift Cluster Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/redshift/latest/APIReference/API_CreateCluster.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "015cca13-8832-49ac-a01b-a396114809f6", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, 
"technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "015cca13-8832-49ac-a01b-a396114809f6_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_104.json b/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_104.json
deleted file mode 100644
index da80d3ff128..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities.", "false_positives": ["Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Redshift Cluster Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/redshift/latest/APIReference/API_CreateCluster.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "015cca13-8832-49ac-a01b-a396114809f6", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, 
"technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "015cca13-8832-49ac-a01b-a396114809f6_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_205.json b/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_205.json
deleted file mode 100644
index fbbc589941f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/015cca13-8832-49ac-a01b-a396114809f6_205.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities.", "false_positives": ["Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Redshift Cluster Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:redshift.amazonaws.com and event.action:CreateCluster and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/redshift/latest/APIReference/API_CreateCluster.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "015cca13-8832-49ac-a01b-a396114809f6", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, 
"technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "015cca13-8832-49ac-a01b-a396114809f6_205", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b.json b/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b.json
deleted file mode 100644
index 1a7a3606c95..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports.", "from": "now-9m", "index": ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "filebeat-*", "auditbeat-*"], "language": "kuery", "license": "Elastic License v2", "max_signals": 5, "name": "Potential Network Scan Detected", "query": "destination.port : * and event.action : \"network_flow\" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "0171f283-ade7-4f87-9521-ac346c68cc9b", "severity": "low", "tags": ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0043", "name": 
"Reconnaissance", "reference": "https://attack.mitre.org/tactics/TA0043/"}, "technique": [{"id": "T1595", "name": "Active Scanning", "reference": "https://attack.mitre.org/techniques/T1595/", "subtechnique": [{"id": "T1595.001", "name": "Scanning IP Blocks", "reference": "https://attack.mitre.org/techniques/T1595/001/"}]}]}], "threshold": {"cardinality": [{"field": "destination.port", "value": 250}], "field": ["destination.ip", "source.ip"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 6}, "id": "0171f283-ade7-4f87-9521-ac346c68cc9b", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_1.json b/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_1.json
deleted file mode 100644
index 244638b0ff9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports.", "from": "now-9m", "index": ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Network Scan Detected", "query": "destination.port :* and event.action: (\"network_flow\" or \"connection_accepted\" or \"connection_attempted\" )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}], "risk_score": 47, "rule_id": "0171f283-ade7-4f87-9521-ac346c68cc9b", "severity": "medium", "tags": ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0043", "name": "Reconnaissance", "reference": "https://attack.mitre.org/tactics/TA0043/"}, "technique": [{"id": "T1595", "name": "Active Scanning", "reference": 
"https://attack.mitre.org/techniques/T1595/", "subtechnique": [{"id": "T1595.001", "name": "Scanning IP Blocks", "reference": "https://attack.mitre.org/techniques/T1595/001/"}]}]}], "threshold": {"cardinality": [{"field": "destination.port", "value": 20}], "field": ["destination.ip", "source.ip"], "value": 1}, "type": "threshold", "version": 1}, "id": "0171f283-ade7-4f87-9521-ac346c68cc9b_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_2.json b/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_2.json
deleted file mode 100644
index 33c827cc922..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports.", "from": "now-9m", "index": ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Network Scan Detected", "query": "destination.port : * and event.action : \"network_flow\" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "0171f283-ade7-4f87-9521-ac346c68cc9b", "severity": "low", "tags": ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0043", "name": "Reconnaissance", "reference": "https://attack.mitre.org/tactics/TA0043/"}, "technique": 
[{"id": "T1595", "name": "Active Scanning", "reference": "https://attack.mitre.org/techniques/T1595/", "subtechnique": [{"id": "T1595.001", "name": "Scanning IP Blocks", "reference": "https://attack.mitre.org/techniques/T1595/001/"}]}]}], "threshold": {"cardinality": [{"field": "destination.port", "value": 250}], "field": ["destination.ip", "source.ip"], "value": 1}, "type": "threshold", "version": 2}, "id": "0171f283-ade7-4f87-9521-ac346c68cc9b_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_3.json b/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_3.json
deleted file mode 100644
index f3ba9d99cfc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports.", "from": "now-9m", "index": ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "filebeat-*", "auditbeat-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Network Scan Detected", "query": "destination.port : * and event.action : \"network_flow\" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "0171f283-ade7-4f87-9521-ac346c68cc9b", "severity": "low", "tags": ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0043", "name": "Reconnaissance", "reference": 
"https://attack.mitre.org/tactics/TA0043/"}, "technique": [{"id": "T1595", "name": "Active Scanning", "reference": "https://attack.mitre.org/techniques/T1595/", "subtechnique": [{"id": "T1595.001", "name": "Scanning IP Blocks", "reference": "https://attack.mitre.org/techniques/T1595/001/"}]}]}], "threshold": {"cardinality": [{"field": "destination.port", "value": 250}], "field": ["destination.ip", "source.ip"], "value": 1}, "type": "threshold", "version": 3}, "id": "0171f283-ade7-4f87-9521-ac346c68cc9b_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_4.json b/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_4.json
deleted file mode 100644
index e8900ea9455..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports.", "from": "now-9m", "index": ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "filebeat-*", "auditbeat-*"], "language": "kuery", "license": "Elastic License v2", "max_signals": 5, "name": "Potential Network Scan Detected", "query": "destination.port : * and event.action : \"network_flow\" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "0171f283-ade7-4f87-9521-ac346c68cc9b", "severity": "low", "tags": ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0043", "name": "Reconnaissance", "reference": 
"https://attack.mitre.org/tactics/TA0043/"}, "technique": [{"id": "T1595", "name": "Active Scanning", "reference": "https://attack.mitre.org/techniques/T1595/", "subtechnique": [{"id": "T1595.001", "name": "Scanning IP Blocks", "reference": "https://attack.mitre.org/techniques/T1595/001/"}]}]}], "threshold": {"cardinality": [{"field": "destination.port", "value": 250}], "field": ["destination.ip", "source.ip"], "value": 1}, "type": "threshold", "version": 4}, "id": "0171f283-ade7-4f87-9521-ac346c68cc9b_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_5.json b/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_5.json
deleted file mode 100644
index 46f49c4876a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports.", "from": "now-9m", "index": ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "filebeat-*", "auditbeat-*"], "language": "kuery", "license": "Elastic License v2", "max_signals": 5, "name": "Potential Network Scan Detected", "query": "destination.port : * and event.action : \"network_flow\" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "0171f283-ade7-4f87-9521-ac346c68cc9b", "severity": "low", "tags": ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0043", "name": "Reconnaissance", "reference": 
"https://attack.mitre.org/tactics/TA0043/"}, "technique": [{"id": "T1595", "name": "Active Scanning", "reference": "https://attack.mitre.org/techniques/T1595/", "subtechnique": [{"id": "T1595.001", "name": "Scanning IP Blocks", "reference": "https://attack.mitre.org/techniques/T1595/001/"}]}]}], "threshold": {"cardinality": [{"field": "destination.port", "value": 250}], "field": ["destination.ip", "source.ip"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 5}, "id": "0171f283-ade7-4f87-9521-ac346c68cc9b_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_6.json b/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_6.json
deleted file mode 100644
index d8c9db579ab..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0171f283-ade7-4f87-9521-ac346c68cc9b_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a potential port scan. A port scan is a method utilized by attackers to systematically scan a target system or network for open ports, allowing them to identify available services and potential vulnerabilities. By mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from one source host to 20 or more destination ports.", "from": "now-9m", "index": ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "filebeat-*", "auditbeat-*"], "language": "kuery", "license": "Elastic License v2", "max_signals": 5, "name": "Potential Network Scan Detected", "query": "destination.port : * and event.action : \"network_flow\" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "0171f283-ade7-4f87-9521-ac346c68cc9b", "severity": "low", "tags": ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0043", "name": 
"Reconnaissance", "reference": "https://attack.mitre.org/tactics/TA0043/"}, "technique": [{"id": "T1595", "name": "Active Scanning", "reference": "https://attack.mitre.org/techniques/T1595/", "subtechnique": [{"id": "T1595.001", "name": "Scanning IP Blocks", "reference": "https://attack.mitre.org/techniques/T1595/001/"}]}]}], "threshold": {"cardinality": [{"field": "destination.port", "value": 250}], "field": ["destination.ip", "source.ip"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 6}, "id": "0171f283-ade7-4f87-9521-ac346c68cc9b_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/01c49712-25bc-49d2-a27d-d7ce52f5dc49.json b/packages/security_detection_engine/kibana/security_rule/01c49712-25bc-49d2-a27d-d7ce52f5dc49.json deleted file mode 100644 index f58ca9968bd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/01c49712-25bc-49d2-a27d-d7ce52f5dc49.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects a new private repo interaction for a GitHub user not seen in the last 14 days.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-github.audit-*"], "language": "kuery", "license": "Elastic License v2", "name": "First Occurrence of GitHub User Interaction with Private Repo", "new_terms_fields": ["user.name", "github.repo"], "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and\ngithub.repo:* and user.name:* and \ngithub.repository_public:false\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "github.repo", "type": "keyword"}, {"ecs": false, "name": "github.repository_public", "type": "boolean"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "01c49712-25bc-49d2-a27d-d7ce52f5dc49", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Execution", "Rule Type: BBR", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1648", "name": "Serverless Execution", "reference": "https://attack.mitre.org/techniques/T1648/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "01c49712-25bc-49d2-a27d-d7ce52f5dc49", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/01c49712-25bc-49d2-a27d-d7ce52f5dc49_1.json b/packages/security_detection_engine/kibana/security_rule/01c49712-25bc-49d2-a27d-d7ce52f5dc49_1.json deleted file mode 100644 index bbe88278925..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/01c49712-25bc-49d2-a27d-d7ce52f5dc49_1.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects a new private repo interaction for a GitHub user not seen in the last 14 days.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-github.audit-*"], "language": "kuery", "license": "Elastic License v2", "name": "First Occurrence of GitHub User Interaction with Private Repo", "new_terms_fields": ["user.name", "github.repo"], "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and\ngithub.repo:* and user.name:* and \ngithub.repository_public:false\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "github.repo", "type": "keyword"}, {"ecs": false, "name": "github.repository_public", "type": "boolean"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "01c49712-25bc-49d2-a27d-d7ce52f5dc49", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Execution", "Rule Type: BBR", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1648", "name": "Serverless Execution", "reference": "https://attack.mitre.org/techniques/T1648/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "01c49712-25bc-49d2-a27d-d7ce52f5dc49_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/01c49712-25bc-49d2-a27d-d7ce52f5dc49_103.json b/packages/security_detection_engine/kibana/security_rule/01c49712-25bc-49d2-a27d-d7ce52f5dc49_103.json
new file mode 100644
index 00000000000..0e097ad6a0e
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/01c49712-25bc-49d2-a27d-d7ce52f5dc49_103.json
@@ -0,0 +1,88 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "building_block_type": "default",
+ "description": "Detects a new private repo interaction for a GitHub user not seen in the last 14 days.",
+ "from": "now-9m",
+ "history_window_start": "now-14d",
+ "index": [
+ "logs-github.audit-*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "First Occurrence of GitHub User Interaction with Private Repo",
+ "new_terms_fields": [
+ "user.name",
+ "github.repo"
+ ],
+ "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and\ngithub.repo:* and user.name:* and \ngithub.repository_public:false\n",
+ "related_integrations": [
+ {
+ "package": "github",
+ "version": "^2.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "github.repo",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "github.repository_public",
+ "type": "boolean"
+ },
+ {
+ "ecs": true,
+ "name": "user.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "01c49712-25bc-49d2-a27d-d7ce52f5dc49",
+ "severity": "low",
+ "tags": [
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Execution",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1648",
+ "name": "Serverless Execution",
+ "reference": "https://attack.mitre.org/techniques/T1648/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "new_terms",
+ "version": 103
+ },
+ "id": "01c49712-25bc-49d2-a27d-d7ce52f5dc49_103",
+ "type": "security-rule"
+}
\ No newline at end of file
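Review bot: The description promises any "private repo interaction", but the query restricts matches to `event.category:"configuration"`, so audit events the integration categorizes differently (presumably git-level operations, if they exist in this dataset) never seed or trigger the new-terms set; either widen the category filter or narrow the wording, e.g. `"description": "Detects a new private repo configuration event for a GitHub user not seen in the last 14 days."`. The bump of `related_integrations` to `^2.0.0` also makes it worth confirming that the non-ECS `required_fields` (`github.repo`, `github.repository_public`) still exist under those names in the 2.x mapping, since a rename there would silently turn this into a never-matching rule. A `false_positives` entry such as `"New users or service accounts legitimately onboarded to a private repository."` would help analysts triage the expected burst after onboarding, and the trailing space in `user.name:* and \n` inside the query is worth trimming.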
diff --git a/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb.json b/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb.json
deleted file mode 100644
index 37b7ebdcfb2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials.", "false_positives": ["Developers performing browsers plugin or extension debugging."], "from": "now-9m", "index": ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Potential Cookies Theft via Browser Debugging", "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name in (\n \"Microsoft Edge\",\n \"chrome.exe\",\n \"Google Chrome\",\n \"google-chrome-stable\",\n \"google-chrome-beta\",\n \"google-chrome\",\n \"msedge.exe\") and\n process.args : (\"--remote-debugging-port=*\",\n \"--remote-debugging-targets=*\",\n \"--remote-debugging-pipe=*\") and\n process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n", "references": ["https://github.com/defaultnamehere/cookie_crimes", "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md", "https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb", "setup": "## Setup\n\nIf 
enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1539", "name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_101.json b/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_101.json deleted file mode 100644 index 7183884e687..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials.", "false_positives": ["Developers performing browsers plugin or extension debugging."], "from": "now-9m", "index": ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Potential Cookies Theft via Browser Debugging", "note": "", "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name in (\n \"Microsoft Edge\",\n \"chrome.exe\",\n \"Google Chrome\",\n \"google-chrome-stable\",\n \"google-chrome-beta\",\n \"google-chrome\",\n \"msedge.exe\") and\n process.args : (\"--remote-debugging-port=*\",\n \"--remote-debugging-targets=*\",\n \"--remote-debugging-pipe=*\") and\n process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n", "references": ["https://github.com/defaultnamehere/cookie_crimes", "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md", "https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb", "setup": "If 
enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1539", "name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 101}, "id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_102.json b/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_102.json deleted file mode 100644 index d3ebad1509a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials.", "false_positives": ["Developers performing browsers plugin or extension debugging."], "from": "now-9m", "index": ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Potential Cookies Theft via Browser Debugging", "note": "", "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name in (\n \"Microsoft Edge\",\n \"chrome.exe\",\n \"Google Chrome\",\n \"google-chrome-stable\",\n \"google-chrome-beta\",\n \"google-chrome\",\n \"msedge.exe\") and\n process.args : (\"--remote-debugging-port=*\",\n \"--remote-debugging-targets=*\",\n \"--remote-debugging-pipe=*\") and\n process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n", "references": ["https://github.com/defaultnamehere/cookie_crimes", "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md", "https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb", "setup": "If 
enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1539", "name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_103.json b/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_103.json deleted file mode 100644 index ec8818859d0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials.", "false_positives": ["Developers performing browsers plugin or extension debugging."], "from": "now-9m", "index": ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Potential Cookies Theft via Browser Debugging", "note": "", "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name in (\n \"Microsoft Edge\",\n \"chrome.exe\",\n \"Google Chrome\",\n \"google-chrome-stable\",\n \"google-chrome-beta\",\n \"google-chrome\",\n \"msedge.exe\") and\n process.args : (\"--remote-debugging-port=*\",\n \"--remote-debugging-targets=*\",\n \"--remote-debugging-pipe=*\") and\n process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n", "references": ["https://github.com/defaultnamehere/cookie_crimes", "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md", "https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb", "setup": "If 
enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1539", "name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_104.json b/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_104.json deleted file mode 100644 index 4c0b93717a2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials.", "false_positives": ["Developers performing browsers plugin or extension debugging."], "from": "now-9m", "index": ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Potential Cookies Theft via Browser Debugging", "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name in (\n \"Microsoft Edge\",\n \"chrome.exe\",\n \"Google Chrome\",\n \"google-chrome-stable\",\n \"google-chrome-beta\",\n \"google-chrome\",\n \"msedge.exe\") and\n process.args : (\"--remote-debugging-port=*\",\n \"--remote-debugging-targets=*\",\n \"--remote-debugging-pipe=*\") and\n process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n", "references": ["https://github.com/defaultnamehere/cookie_crimes", "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md", "https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb", "setup": "\nIf enabling an 
EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1539", "name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_105.json b/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_105.json deleted file mode 100644 index 04418d7d80b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials.", "false_positives": ["Developers performing browsers plugin or extension debugging."], "from": "now-9m", "index": ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Potential Cookies Theft via Browser Debugging", "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name in (\n \"Microsoft Edge\",\n \"chrome.exe\",\n \"Google Chrome\",\n \"google-chrome-stable\",\n \"google-chrome-beta\",\n \"google-chrome\",\n \"msedge.exe\") and\n process.args : (\"--remote-debugging-port=*\",\n \"--remote-debugging-targets=*\",\n \"--remote-debugging-pipe=*\") and\n process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n", "references": ["https://github.com/defaultnamehere/cookie_crimes", "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md", "https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb", "setup": "## Setup\n\nIf 
enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1539", "name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_106.json b/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_106.json deleted file mode 100644 index 6238f08bbdb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/027ff9ea-85e7-42e3-99d2-bbb7069e02eb_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials.", "false_positives": ["Developers performing browsers plugin or extension debugging."], "from": "now-9m", "index": ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Potential Cookies Theft via Browser Debugging", "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n process.name in (\n \"Microsoft Edge\",\n \"chrome.exe\",\n \"Google Chrome\",\n \"google-chrome-stable\",\n \"google-chrome-beta\",\n \"google-chrome\",\n \"msedge.exe\") and\n process.args : (\"--remote-debugging-port=*\",\n \"--remote-debugging-targets=*\",\n \"--remote-debugging-pipe=*\") and\n process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n", "references": ["https://github.com/defaultnamehere/cookie_crimes", "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md", "https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb", "setup": "## Setup\n\nIf 
enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1539", "name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0294f105-d7af-4a02-ae90-35f56763ffa2.json b/packages/security_detection_engine/kibana/security_rule/0294f105-d7af-4a02-ae90-35f56763ffa2.json deleted file mode 100644 index f710f5480c2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0294f105-d7af-4a02-ae90-35f56763ffa2.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects an interaction with a private GitHub repository from a new IP address not seen in the last 14 days.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-github.audit-*"], "language": "kuery", "license": "Elastic License v2", "name": "First Occurrence of GitHub Repo Interaction From a New IP", "new_terms_fields": ["github.repo", "github.actor_ip"], "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and\ngithub.actor_ip:* and github.repo:* and \ngithub.repository_public:false\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "github.actor_ip", "type": "ip"}, {"ecs": false, "name": "github.repo", "type": "keyword"}, {"ecs": false, "name": "github.repository_public", "type": "boolean"}], "risk_score": 21, "rule_id": "0294f105-d7af-4a02-ae90-35f56763ffa2", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Execution", "Rule Type: BBR", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1648", "name": "Serverless Execution", "reference": "https://attack.mitre.org/techniques/T1648/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "0294f105-d7af-4a02-ae90-35f56763ffa2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0294f105-d7af-4a02-ae90-35f56763ffa2_1.json b/packages/security_detection_engine/kibana/security_rule/0294f105-d7af-4a02-ae90-35f56763ffa2_1.json
deleted file mode 100644
index e307993d8e9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0294f105-d7af-4a02-ae90-35f56763ffa2_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects an interaction with a private GitHub repository from a new IP address not seen in the last 14 days.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-github.audit-*"], "language": "kuery", "license": "Elastic License v2", "name": "First Occurrence of GitHub Repo Interaction From a New IP", "new_terms_fields": ["github.repo", "github.actor_ip"], "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and\ngithub.actor_ip:* and github.repo:* and \ngithub.repository_public:false\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "github.actor_ip", "type": "ip"}, {"ecs": false, "name": "github.repo", "type": "keyword"}, {"ecs": false, "name": "github.repository_public", "type": "boolean"}], "risk_score": 21, "rule_id": "0294f105-d7af-4a02-ae90-35f56763ffa2", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Execution", "Rule Type: BBR", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1648", "name": "Serverless Execution", "reference": "https://attack.mitre.org/techniques/T1648/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "0294f105-d7af-4a02-ae90-35f56763ffa2_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0294f105-d7af-4a02-ae90-35f56763ffa2_103.json b/packages/security_detection_engine/kibana/security_rule/0294f105-d7af-4a02-ae90-35f56763ffa2_103.json
new file mode 100644
index 00000000000..5d164612c62
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/0294f105-d7af-4a02-ae90-35f56763ffa2_103.json
@@ -0,0 +1,88 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "building_block_type": "default",
+ "description": "Detects an interaction with a private GitHub repository from a new IP address not seen in the last 14 days.",
+ "from": "now-9m",
+ "history_window_start": "now-14d",
+ "index": [
+ "logs-github.audit-*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "First Occurrence of GitHub Repo Interaction From a New IP",
+ "new_terms_fields": [
+ "github.repo",
+ "github.actor_ip"
+ ],
+ "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and\ngithub.actor_ip:* and github.repo:* and \ngithub.repository_public:false\n",
+ "related_integrations": [
+ {
+ "package": "github",
+ "version": "^2.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "github.actor_ip",
+ "type": "ip"
+ },
+ {
+ "ecs": false,
+ "name": "github.repo",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "github.repository_public",
+ "type": "boolean"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "0294f105-d7af-4a02-ae90-35f56763ffa2",
+ "severity": "low",
+ "tags": [
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Execution",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1648",
+ "name": "Serverless Execution",
+ "reference": "https://attack.mitre.org/techniques/T1648/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "new_terms",
+ "version": 103
+ },
+ "id": "0294f105-d7af-4a02-ae90-35f56763ffa2_103",
+ "type": "security-rule"
+}
\ No newline at end of file
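Review bot: The `"description"` line says the rule detects any interaction with a private repository, but the `"query"` line only matches `event.category:"configuration"` events, and the `"new_terms_fields"` pair (`github.repo`, `github.actor_ip`) means "new" is evaluated per repository/IP combination rather than per IP, so the description over-promises what an analyst will actually see. Suggest tightening it to something like `"description": "Detects a configuration-category GitHub audit event on a private repository from an IP address not previously seen for that repository in the last 14 days."` so the documented scope matches the query. The ATT&CK mapping to T1648 (Serverless Execution) on the `"technique"` lines also reads as a loose fit for repository access from a new source address; worth confirming that is the intended tactic rather than an inherited default.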
diff --git a/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb.json b/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb.json
deleted file mode 100644
index b7172214e9d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["logs-endpoint.events.process-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Created with an Elevated Token", "query": "/* This rule is only compatible with Elastic Endpoint 8.4+ */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n /* CreateProcessWithToken and effective parent is a privileged MS native binary used as a target for token theft */\n user.id : \"S-1-5-18\" and\n\n /* Token Theft target process usually running as service are located in one of the following paths */\n process.Ext.effective_parent.executable :\n (\"?:\\\\Windows\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*\") and\n\n/* Ignores Utility Manager in Windows running in debug mode */\n not (process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and\n process.parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and process.parent.args : \"/debug\") and\n\n/* Ignores Windows print spooler service with correlation to Access Intelligent Form */\nnot (process.parent.executable : \"?\\\\Windows\\\\System32\\\\spoolsv.exe\" and\n process.executable: \"?:\\\\Program Files*\\\\Access\\\\Intelligent Form\\\\*\\\\LaunchCreate.exe\") and \n\n/* Ignores Windows error reporting executables */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\windows\\\\system32\\\\WerMgr.exe\",\n 
\"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n\n /* Ignores Windows updates from TiWorker.exe that runs with elevated privileges */\n not (process.parent.executable : \"?:\\\\Windows\\\\WinSxS\\\\*\\\\TiWorker.exe\" and\n process.executable : (\"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\iissetup.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\iissetup.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\aspnetca.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\aspnetca.exe\",\n \"?:\\\\Windows\\\\System32\\\\lodctr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\lodctr.exe\",\n \"?:\\\\Windows\\\\System32\\\\netcfg.exe\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*\\\\ngen.exe\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*\\\\aspnet_regiis.exe\")) and\n\n\n/* Ignores additional parent executables that run with elevated privileges */\n not process.parent.executable : \n (\"?:\\\\Windows\\\\System32\\\\AtBroker.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\", \n \"?:\\\\Program Files (x86)\\\\*.exe\", \n \"?:\\\\Program Files\\\\*.exe\", \n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\DriverStore\\\\*\") and\n\n/* Ignores Windows binaries with a trusted signature and specific signature name */\n not (process.code_signature.trusted == true and\n process.code_signature.subject_name : \n (\"philandro Software GmbH\", \n \"Freedom Scientific Inc.\", \n \"TeamViewer Germany GmbH\", \n \"Projector.is, Inc.\", \n \"TeamViewer GmbH\", \n \"Cisco WebEx LLC\", \n \"Dell Inc\"))\n", "references": ["https://lengjibo.github.io/token/", "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, 
{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "02a23ee7-c8f8-4701-b99d-e9038ce313cb", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.002", "name": "Create Process with Token", "reference": "https://attack.mitre.org/techniques/T1134/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "02a23ee7-c8f8-4701-b99d-e9038ce313cb", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_3.json b/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_3.json deleted file mode 100644 index 4a12a921d4b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_3.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Process Created with an Elevated Token", "query": "/* This rule is only compatible with Elastic Endpoint 8.4+ */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n /* CreateProcessWithToken and effective parent is a privileged MS native binary used as a target for token theft */\n user.id : \"S-1-5-18\" and\n\n /* Token Theft target process usually running as service are located in one of the following paths */\n process.Ext.effective_parent.executable :\n (\"?:\\\\Windows\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*\") and\n\n/* Ignores Utility Manager in Windows running in debug mode */\n not (process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and\n process.parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and process.parent.args : \"/debug\") and\n\n/* Ignores Windows print spooler service with correlation to Access Intelligent Form */\nnot (process.parent.executable : \"?\\\\Windows\\\\System32\\\\spoolsv.exe\" and\n process.executable: \"?:\\\\Program Files*\\\\Access\\\\Intelligent Form\\\\*\\\\LaunchCreate.exe\") and \n\n/* Ignores Windows error reporting executables */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\windows\\\\system32\\\\WerMgr.exe\",\n 
\"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n\n /* Ignores Windows updates from TiWorker.exe that runs with elevated privileges */\n not (process.parent.executable : \"?:\\\\Windows\\\\WinSxS\\\\*\\\\TiWorker.exe\" and\n process.executable : (\"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\iissetup.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\iissetup.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\aspnetca.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\aspnetca.exe\",\n \"?:\\\\Windows\\\\System32\\\\lodctr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\lodctr.exe\",\n \"?:\\\\Windows\\\\System32\\\\netcfg.exe\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*\\\\ngen.exe\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*\\\\aspnet_regiis.exe\")) and\n\n\n/* Ignores additional parent executables that run with elevated privileges */\n not process.parent.executable : \n (\"?:\\\\Windows\\\\System32\\\\AtBroker.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\", \n \"?:\\\\Program Files (x86)\\\\*.exe\", \n \"?:\\\\Program Files\\\\*.exe\", \n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\DriverStore\\\\*\") and\n\n/* Ignores Windows binaries with a trusted signature and specific signature name */\n not (process.code_signature.trusted == true and\n process.code_signature.subject_name : \n (\"philandro Software GmbH\", \n \"Freedom Scientific Inc.\", \n \"TeamViewer Germany GmbH\", \n \"Projector.is, Inc.\", \n \"TeamViewer GmbH\", \n \"Cisco WebEx LLC\", \n \"Dell Inc\"))\n", "references": ["https://lengjibo.github.io/token/", "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, 
{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "02a23ee7-c8f8-4701-b99d-e9038ce313cb", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.002", "name": "Create Process with Token", "reference": "https://attack.mitre.org/techniques/T1134/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "02a23ee7-c8f8-4701-b99d-e9038ce313cb_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_4.json b/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_4.json deleted file mode 100644 index 6b240043803..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_4.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Process Created with an Elevated Token", "query": "/* This rule is only compatible with Elastic Endpoint 8.4+ */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n /* CreateProcessWithToken and effective parent is a privileged MS native binary used as a target for token theft */\n user.id : \"S-1-5-18\" and\n\n /* Token Theft target process usually running as service are located in one of the following paths */\n process.Ext.effective_parent.executable :\n (\"?:\\\\Windows\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*\") and\n\n/* Ignores Utility Manager in Windows running in debug mode */\n not (process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and\n process.parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and process.parent.args : \"/debug\") and\n\n/* Ignores Windows print spooler service with correlation to Access Intelligent Form */\nnot (process.parent.executable : \"?\\\\Windows\\\\System32\\\\spoolsv.exe\" and\n process.executable: \"?:\\\\Program Files*\\\\Access\\\\Intelligent Form\\\\*\\\\LaunchCreate.exe\") and \n\n/* Ignores Windows error reporting executables */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\windows\\\\system32\\\\WerMgr.exe\",\n 
\"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n\n /* Ignores Windows updates from TiWorker.exe that runs with elevated privileges */\n not (process.parent.executable : \"?:\\\\Windows\\\\WinSxS\\\\*\\\\TiWorker.exe\" and\n process.executable : (\"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\iissetup.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\iissetup.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\aspnetca.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\aspnetca.exe\",\n \"?:\\\\Windows\\\\System32\\\\lodctr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\lodctr.exe\",\n \"?:\\\\Windows\\\\System32\\\\netcfg.exe\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*\\\\ngen.exe\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*\\\\aspnet_regiis.exe\")) and\n\n\n/* Ignores additional parent executables that run with elevated privileges */\n not process.parent.executable : \n (\"?:\\\\Windows\\\\System32\\\\AtBroker.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\", \n \"?:\\\\Program Files (x86)\\\\*.exe\", \n \"?:\\\\Program Files\\\\*.exe\", \n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\DriverStore\\\\*\") and\n\n/* Ignores Windows binaries with a trusted signature and specific signature name */\n not (process.code_signature.trusted == true and\n process.code_signature.subject_name : \n (\"philandro Software GmbH\", \n \"Freedom Scientific Inc.\", \n \"TeamViewer Germany GmbH\", \n \"Projector.is, Inc.\", \n \"TeamViewer GmbH\", \n \"Cisco WebEx LLC\", \n \"Dell Inc\"))\n", "references": ["https://lengjibo.github.io/token/", "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, 
{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "02a23ee7-c8f8-4701-b99d-e9038ce313cb", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.002", "name": "Create Process with Token", "reference": "https://attack.mitre.org/techniques/T1134/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "02a23ee7-c8f8-4701-b99d-e9038ce313cb_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_5.json b/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_5.json deleted file mode 100644 index 0883d054090..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/02a23ee7-c8f8-4701-b99d-e9038ce313cb_5.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Process Created with an Elevated Token", "query": "/* This rule is only compatible with Elastic Endpoint 8.4+ */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n /* CreateProcessWithToken and effective parent is a privileged MS native binary used as a target for token theft */\n user.id : \"S-1-5-18\" and\n\n /* Token Theft target process usually running as service are located in one of the following paths */\n process.Ext.effective_parent.executable :\n (\"?:\\\\Windows\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*\") and\n\n/* Ignores Utility Manager in Windows running in debug mode */\n not (process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and\n process.parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and process.parent.args : \"/debug\") and\n\n/* Ignores Windows print spooler service with correlation to Access Intelligent Form */\nnot (process.parent.executable : \"?\\\\Windows\\\\System32\\\\spoolsv.exe\" and\n process.executable: \"?:\\\\Program Files*\\\\Access\\\\Intelligent Form\\\\*\\\\LaunchCreate.exe\") and \n\n/* Ignores Windows error reporting executables */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\windows\\\\system32\\\\WerMgr.exe\",\n 
\"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n\n /* Ignores Windows updates from TiWorker.exe that runs with elevated privileges */\n not (process.parent.executable : \"?:\\\\Windows\\\\WinSxS\\\\*\\\\TiWorker.exe\" and\n process.executable : (\"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\iissetup.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\iissetup.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\aspnetca.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\aspnetca.exe\",\n \"?:\\\\Windows\\\\System32\\\\lodctr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\lodctr.exe\",\n \"?:\\\\Windows\\\\System32\\\\netcfg.exe\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*\\\\ngen.exe\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*\\\\aspnet_regiis.exe\")) and\n\n\n/* Ignores additional parent executables that run with elevated privileges */\n not process.parent.executable : \n (\"?:\\\\Windows\\\\System32\\\\AtBroker.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\", \n \"?:\\\\Program Files (x86)\\\\*.exe\", \n \"?:\\\\Program Files\\\\*.exe\", \n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\DriverStore\\\\*\") and\n\n/* Ignores Windows binaries with a trusted signature and specific signature name */\n not (process.code_signature.trusted == true and\n process.code_signature.subject_name : \n (\"philandro Software GmbH\", \n \"Freedom Scientific Inc.\", \n \"TeamViewer Germany GmbH\", \n \"Projector.is, Inc.\", \n \"TeamViewer GmbH\", \n \"Cisco WebEx LLC\", \n \"Dell Inc\"))\n", "references": ["https://lengjibo.github.io/token/", "https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, 
{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "02a23ee7-c8f8-4701-b99d-e9038ce313cb", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.002", "name": "Create Process with Token", "reference": "https://attack.mitre.org/techniques/T1134/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "02a23ee7-c8f8-4701-b99d-e9038ce313cb_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48.json b/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48.json deleted file mode 100644 index 1186371bb02..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via DuplicateHandle in LSASS", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n\n /* LSASS requesting DuplicateHandle access right to another process */\n process.name : \"lsass.exe\" and winlog.event_data.GrantedAccess == \"0x40\" and\n\n /* call is coming from an unknown executable region */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"\n", "references": ["https://github.com/CCob/MirrorDump"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "keyword"}], "risk_score": 47, "rule_id": "02a4576a-7480-4284-9327-548a806b5e48", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: 
Credential Access", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 208}, "id": "02a4576a-7480-4284-9327-548a806b5e48", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_103.json b/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_103.json
deleted file mode 100644
index 4fe10adbc0c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via DuplicateHandle in LSASS", "note": "", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n\n /* LSASS requesting DuplicateHandle access right to another process */\n process.name : \"lsass.exe\" and winlog.event_data.GrantedAccess == \"0x40\" and\n\n /* call is coming from an unknown executable region */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"\n", "references": ["https://github.com/CCob/MirrorDump"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "unknown"}], "risk_score": 47, "rule_id": "02a4576a-7480-4284-9327-548a806b5e48", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", 
"name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "02a4576a-7480-4284-9327-548a806b5e48_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_104.json b/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_104.json deleted file mode 100644 index fb657805196..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via DuplicateHandle in LSASS", "note": "", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n\n /* LSASS requesting DuplicateHandle access right to another process */\n process.name : \"lsass.exe\" and winlog.event_data.GrantedAccess == \"0x40\" and\n\n /* call is coming from an unknown executable region */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"\n", "references": ["https://github.com/CCob/MirrorDump"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "unknown"}], "risk_score": 47, "rule_id": "02a4576a-7480-4284-9327-548a806b5e48", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, 
"technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "02a4576a-7480-4284-9327-548a806b5e48_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_105.json b/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_105.json deleted file mode 100644 index 5f5b2a860d5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via DuplicateHandle in LSASS", "note": "", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n\n /* LSASS requesting DuplicateHandle access right to another process */\n process.name : \"lsass.exe\" and winlog.event_data.GrantedAccess == \"0x40\" and\n\n /* call is coming from an unknown executable region */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"\n", "references": ["https://github.com/CCob/MirrorDump"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "keyword"}], "risk_score": 47, "rule_id": "02a4576a-7480-4284-9327-548a806b5e48", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, 
"technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "02a4576a-7480-4284-9327-548a806b5e48_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_206.json b/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_206.json deleted file mode 100644 index 2bc6aae46d0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_206.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via DuplicateHandle in LSASS", "note": "", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n\n /* LSASS requesting DuplicateHandle access right to another process */\n process.name : \"lsass.exe\" and winlog.event_data.GrantedAccess == \"0x40\" and\n\n /* call is coming from an unknown executable region */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"\n", "references": ["https://github.com/CCob/MirrorDump"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "keyword"}], "risk_score": 47, "rule_id": "02a4576a-7480-4284-9327-548a806b5e48", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, 
"technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 206}, "id": "02a4576a-7480-4284-9327-548a806b5e48_206", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_207.json b/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_207.json deleted file mode 100644 index 38dd181f941..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_207.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via DuplicateHandle in LSASS", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n\n /* LSASS requesting DuplicateHandle access right to another process */\n process.name : \"lsass.exe\" and winlog.event_data.GrantedAccess == \"0x40\" and\n\n /* call is coming from an unknown executable region */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"\n", "references": ["https://github.com/CCob/MirrorDump"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "keyword"}], "risk_score": 47, "rule_id": "02a4576a-7480-4284-9327-548a806b5e48", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: 
Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 207}, "id": "02a4576a-7480-4284-9327-548a806b5e48_207", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_208.json b/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_208.json deleted file mode 100644 index 55bfb98a43c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/02a4576a-7480-4284-9327-548a806b5e48_208.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module. This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via DuplicateHandle in LSASS", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n\n /* LSASS requesting DuplicateHandle access right to another process */\n process.name : \"lsass.exe\" and winlog.event_data.GrantedAccess == \"0x40\" and\n\n /* call is coming from an unknown executable region */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"\n", "references": ["https://github.com/CCob/MirrorDump"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "keyword"}], "risk_score": 47, "rule_id": "02a4576a-7480-4284-9327-548a806b5e48", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: 
Credential Access", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 208}, "id": "02a4576a-7480-4284-9327-548a806b5e48_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02bab13d-fb14-4d7c-b6fe-4a28874d37c5.json b/packages/security_detection_engine/kibana/security_rule/02bab13d-fb14-4d7c-b6fe-4a28874d37c5.json deleted file mode 100644 index 811839d589f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/02bab13d-fb14-4d7c-b6fe-4a28874d37c5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an incoming SMB connection followed by the creation of a file with a name similar to ransomware note files. This may indicate a remote ransomware attack via the SMB protocol.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Ransomware Note File Dropped via SMB", "note": "## Triage and analysis\n\n## Performance\n\n- This rule may cause medium to high performance impact due to logic scoping all icoming SMB network events.\n\n#### Possible investigation steps\n\n- Investigate the source.ip address connecting to port 445 on this host.\n- Identify the user account that performed the file creation via SMB.\n- If the number of files is too high and source.ip connecting over SMB is unusual isolate the host and block the used credentials.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Remote file creation with similar file naming convention via SMB.\n\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n- Suspicious File Renamed via SMB - 78e9b5d5-7c07-40a7-a591-3dbbf464c386\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=1s\n [network where host.os.type == \"windows\" and\n event.action == \"connection_accepted\" and destination.port == 445 and source.port >= 49152 and process.pid == 4 and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n network.type == \"ipv4\" and not endswith(source.address, destination.address)]\n [file where host.os.type == \"windows\" and event.action == \"creation\" and\n process.pid == 4 and user.id : (\"S-1-5-21*\", \"S-1-12-*\") and file.extension : (\"hta\", \"txt\", \"readme\", \"htm*\") and\n file.path : \"C:\\\\Users\\\\*\" and\n /* ransom file name keywords */\n file.name : (\"*read*me*\", \"*lock*\", \"*@*\", \"*RECOVER*\", \"*decrypt*\", \"*restore*file*\", \"*FILES_BACK*\", \"*how*to*\")] with runs=3\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.address", "type": "keyword"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": 
"keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.address", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "02bab13d-fb14-4d7c-b6fe-4a28874d37c5", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}, {"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "02bab13d-fb14-4d7c-b6fe-4a28874d37c5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02bab13d-fb14-4d7c-b6fe-4a28874d37c5_1.json b/packages/security_detection_engine/kibana/security_rule/02bab13d-fb14-4d7c-b6fe-4a28874d37c5_1.json deleted file mode 100644 index f61120ecf44..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/02bab13d-fb14-4d7c-b6fe-4a28874d37c5_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an incoming SMB connection followed by the creation of a file with a name similar to ransomware note files. This may indicate a remote ransomware attack via the SMB protocol.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Ransomware Note File Dropped via SMB", "note": "## Triage and analysis\n\n## Performance\n\n- This rule may cause medium to high performance impact due to logic scoping all icoming SMB network events.\n\n#### Possible investigation steps\n\n- Investigate the source.ip address connecting to port 445 on this host.\n- Identify the user account that performed the file creation via SMB.\n- If the number of files is too high and source.ip connecting over SMB is unusual isolate the host and block the used credentials.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Remote file creation with similar file naming convention via SMB.\n\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n- Suspicious File Renamed via SMB - 78e9b5d5-7c07-40a7-a591-3dbbf464c386\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=1s\n [network where host.os.type == \"windows\" and\n event.action == \"connection_accepted\" and destination.port == 445 and source.port >= 49152 and process.pid == 4 and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n [file where host.os.type == \"windows\" and event.action == \"creation\" and\n process.pid == 4 and user.id : (\"S-1-5-21*\", \"S-1-12-*\") and file.extension : (\"hta\", \"txt\", \"readme\", \"htm*\") and\n /* ransom file name keywords */\n file.name : (\"*read*me*\", \"*lock*\", \"*@*\", \"*RECOVER*\", \"*decrypt*\", \"*restore*file*\", \"*FILES_BACK*\", \"*how*to*\")] with runs=3\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}, {"ecs": true, 
"name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "02bab13d-fb14-4d7c-b6fe-4a28874d37c5", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}, {"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "02bab13d-fb14-4d7c-b6fe-4a28874d37c5_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02bab13d-fb14-4d7c-b6fe-4a28874d37c5_2.json b/packages/security_detection_engine/kibana/security_rule/02bab13d-fb14-4d7c-b6fe-4a28874d37c5_2.json deleted file mode 100644 index 33f3bc75f95..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/02bab13d-fb14-4d7c-b6fe-4a28874d37c5_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an incoming SMB connection followed by the creation of a file with a name similar to ransomware note files. This may indicate a remote ransomware attack via the SMB protocol.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Ransomware Note File Dropped via SMB", "note": "## Triage and analysis\n\n## Performance\n\n- This rule may cause medium to high performance impact due to logic scoping all icoming SMB network events.\n\n#### Possible investigation steps\n\n- Investigate the source.ip address connecting to port 445 on this host.\n- Identify the user account that performed the file creation via SMB.\n- If the number of files is too high and source.ip connecting over SMB is unusual isolate the host and block the used credentials.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Remote file creation with similar file naming convention via SMB.\n\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n- Suspicious File Renamed via SMB - 78e9b5d5-7c07-40a7-a591-3dbbf464c386\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=1s\n [network where host.os.type == \"windows\" and\n event.action == \"connection_accepted\" and destination.port == 445 and source.port >= 49152 and process.pid == 4 and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n [file where host.os.type == \"windows\" and event.action == \"creation\" and\n process.pid == 4 and user.id : (\"S-1-5-21*\", \"S-1-12-*\") and file.extension : (\"hta\", \"txt\", \"readme\", \"htm*\") and\n /* ransom file name keywords */\n file.name : (\"*read*me*\", \"*lock*\", \"*@*\", \"*RECOVER*\", \"*decrypt*\", \"*restore*file*\", \"*FILES_BACK*\", \"*how*to*\")] with runs=3\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}, {"ecs": true, 
"name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "02bab13d-fb14-4d7c-b6fe-4a28874d37c5", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}, {"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "02bab13d-fb14-4d7c-b6fe-4a28874d37c5_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3.json b/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3.json deleted file mode 100644 index c7d5f33036f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Dumping Account Hashes via Built-In Commands", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or \"-dump\")\n", "references": ["https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored", "https://www.unix.com/man-page/osx/8/mkpassdb/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_102.json b/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_102.json deleted file mode 100644 index 8c3a5b99d47..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Dumping Account Hashes via Built-In Commands", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or \"-dump\")\n", "references": ["https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored", "https://www.unix.com/man-page/osx/8/mkpassdb/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3", "severity": "high", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_103.json b/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_103.json
deleted file mode 100644
index 056138f8b8c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Dumping Account Hashes via Built-In Commands", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or \"-dump\")\n", "references": ["https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored", "https://www.unix.com/man-page/osx/8/mkpassdb/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_104.json b/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_104.json
deleted file mode 100644
index d74ce58395b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Dumping Account Hashes via Built-In Commands", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or \"-dump\")\n", "references": ["https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored", "https://www.unix.com/man-page/osx/8/mkpassdb/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_105.json b/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_105.json
deleted file mode 100644
index 3f3f2f2e244..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/02ea4563-ec10-4974-b7de-12e65aa4f9b3_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Dumping Account Hashes via Built-In Commands", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or \"-dump\")\n", "references": ["https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored", "https://www.unix.com/man-page/osx/8/mkpassdb/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "02ea4563-ec10-4974-b7de-12e65aa4f9b3_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b.json b/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b.json deleted file mode 100644 index d10b5cd78ee..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.", "false_positives": ["A safe attachment rule may be disabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, 
"technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_101.json b/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_101.json deleted file mode 100644 index 3606f1372f2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.", "false_positives": ["A safe attachment rule may be disabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": 
[{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_102.json b/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_102.json
deleted file mode 100644
index c74b8604ea1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.", "false_positives": ["A safe attachment rule may be disabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, 
"technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_103.json b/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_103.json deleted file mode 100644 index 562e3c339f2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.", "false_positives": ["A safe attachment rule may be disabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, 
"technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_105.json b/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_105.json deleted file mode 100644 index 13002d591c7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/03024bd9-d23f-4ec1-8674-3cf1a21e130b_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a safe attachment rule is disabled in Microsoft 365. Safe attachment rules can extend malware protections to include routing all messages and attachments without a known malware signature to a special hypervisor environment. An adversary or insider threat may disable a safe attachment rule to exfiltrate data or evade defenses.", "false_positives": ["A safe attachment rule may be disabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Safe Attachment Rule Disabled", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeAttachmentRule\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, 
"technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "03024bd9-d23f-4ec1-8674-3cf1a21e130b_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c.json b/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c.json deleted file mode 100644 index ffc2c931567..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Process and/or Service Terminations", "note": "## Triage and analysis\n\n### Investigating High Number of Process and/or Service Terminations\n\nAttackers can stop services and kill processes for a variety of purposes. For example, they can stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted, or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of service and/or process terminations (stop, delete, or suspend) from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and\n process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\") and\n not process.parent.name:osquerybeat.exe\n", "references": ["https://www.elastic.co/security-labs/luna-ransomware-attack-pattern"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, 
{"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "035889c4-2686-4583-a7df-67f89c292f2c", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "threshold": {"field": ["host.id"], "value": 10}, "timestamp_override": "event.ingested", "type": "threshold", "version": 110}, "id": "035889c4-2686-4583-a7df-67f89c292f2c", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_104.json b/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_104.json deleted file mode 100644 index 79ae87a5a36..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Process and/or Service Terminations", "note": "## Triage and analysis\n\n### Investigating High Number of Process and/or Service Terminations\n\nAttackers can stop services and kill processes for a variety of purposes. For example, they can stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted, or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of service and/or process terminations (stop, delete, or suspend) from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and\n process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\")\n", "references": ["https://www.elastic.co/security-labs/luna-ransomware-attack-pattern"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": 
"keyword"}], "risk_score": 47, "rule_id": "035889c4-2686-4583-a7df-67f89c292f2c", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "threshold": {"field": ["host.id"], "value": 10}, "type": "threshold", "version": 104}, "id": "035889c4-2686-4583-a7df-67f89c292f2c_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_105.json b/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_105.json
deleted file mode 100644
index 9385405ab1a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Process and/or Service Terminations", "note": "## Triage and analysis\n\n### Investigating High Number of Process and/or Service Terminations\n\nAttackers can stop services and kill processes for a variety of purposes. For example, they can stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted, or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of service and/or process terminations (stop, delete, or suspend) from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and\n process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\")\n", "references": ["https://www.elastic.co/security-labs/luna-ransomware-attack-pattern"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": 
"keyword"}], "risk_score": 47, "rule_id": "035889c4-2686-4583-a7df-67f89c292f2c", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "threshold": {"field": ["host.id"], "value": 10}, "type": "threshold", "version": 105}, "id": "035889c4-2686-4583-a7df-67f89c292f2c_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_106.json b/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_106.json
deleted file mode 100644
index 1625b7532e1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Process and/or Service Terminations", "note": "## Triage and analysis\n\n### Investigating High Number of Process and/or Service Terminations\n\nAttackers can stop services and kill processes for a variety of purposes. For example, they can stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted, or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of service and/or process terminations (stop, delete, or suspend) from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and\n process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\") and\n not process.parent.name:osquerybeat.exe\n", "references": ["https://www.elastic.co/security-labs/luna-ransomware-attack-pattern"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, 
{"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "035889c4-2686-4583-a7df-67f89c292f2c", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "threshold": {"field": ["host.id"], "value": 10}, "type": "threshold", "version": 106}, "id": "035889c4-2686-4583-a7df-67f89c292f2c_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_107.json b/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_107.json
deleted file mode 100644
index c013711bff3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Process and/or Service Terminations", "note": "## Triage and analysis\n\n### Investigating High Number of Process and/or Service Terminations\n\nAttackers can stop services and kill processes for a variety of purposes. For example, they can stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted, or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of service and/or process terminations (stop, delete, or suspend) from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and\n process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\") and\n not process.parent.name:osquerybeat.exe\n", "references": ["https://www.elastic.co/security-labs/luna-ransomware-attack-pattern"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, 
{"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "035889c4-2686-4583-a7df-67f89c292f2c", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "threshold": {"field": ["host.id"], "value": 10}, "timestamp_override": "event.ingested", "type": "threshold", "version": 107}, "id": "035889c4-2686-4583-a7df-67f89c292f2c_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_108.json b/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_108.json
deleted file mode 100644
index d1b042b7c1e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Process and/or Service Terminations", "note": "## Triage and analysis\n\n### Investigating High Number of Process and/or Service Terminations\n\nAttackers can stop services and kill processes for a variety of purposes. For example, they can stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted, or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of service and/or process terminations (stop, delete, or suspend) from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and\n process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\") and\n not process.parent.name:osquerybeat.exe\n", "references": ["https://www.elastic.co/security-labs/luna-ransomware-attack-pattern"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, 
{"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "035889c4-2686-4583-a7df-67f89c292f2c", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "threshold": {"field": ["host.id"], "value": 10}, "timestamp_override": "event.ingested", "type": "threshold", "version": 108}, "id": "035889c4-2686-4583-a7df-67f89c292f2c_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_109.json b/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_109.json
deleted file mode 100644
index 48ef9814355..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Process and/or Service Terminations", "note": "## Triage and analysis\n\n### Investigating High Number of Process and/or Service Terminations\n\nAttackers can stop services and kill processes for a variety of purposes. For example, they can stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted, or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of service and/or process terminations (stop, delete, or suspend) from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and\n process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\") and\n not process.parent.name:osquerybeat.exe\n", "references": ["https://www.elastic.co/security-labs/luna-ransomware-attack-pattern"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, 
{"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "035889c4-2686-4583-a7df-67f89c292f2c", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "threshold": {"field": ["host.id"], "value": 10}, "timestamp_override": "event.ingested", "type": "threshold", "version": 109}, "id": "035889c4-2686-4583-a7df-67f89c292f2c_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_110.json b/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_110.json
deleted file mode 100644
index ada33b7069c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Process and/or Service Terminations", "note": "## Triage and analysis\n\n### Investigating High Number of Process and/or Service Terminations\n\nAttackers can stop services and kill processes for a variety of purposes. For example, they can stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted, or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of service and/or process terminations (stop, delete, or suspend) from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and\n process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\") and\n not process.parent.name:osquerybeat.exe\n", "references": ["https://www.elastic.co/security-labs/luna-ransomware-attack-pattern"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, 
{"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "035889c4-2686-4583-a7df-67f89c292f2c", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "threshold": {"field": ["host.id"], "value": 10}, "timestamp_override": "event.ingested", "type": "threshold", "version": 110}, "id": "035889c4-2686-4583-a7df-67f89c292f2c_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_111.json b/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_111.json
deleted file mode 100644
index 34cb5d794fb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/035889c4-2686-4583-a7df-67f89c292f2c_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a high number (10) of process terminations (stop, delete, or suspend) from the same host within a short time period.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Process and/or Service Terminations", "note": "## Triage and analysis\n\n### Investigating High Number of Process and/or Service Terminations\n\nAttackers can stop services and kill processes for a variety of purposes. For example, they can stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted, or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of service and/or process terminations (stop, delete, or suspend) from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and\n process.args:(stop or pause or delete or \"/PID\" or \"/IM\" or \"/T\" or \"/F\" or \"/t\" or \"/f\" or \"/im\" or \"/pid\") and\n not process.parent.name:osquerybeat.exe\n", "references": ["https://www.elastic.co/security-labs/luna-ransomware-attack-pattern"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, 
{"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "035889c4-2686-4583-a7df-67f89c292f2c", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "threshold": {"field": ["host.id"], "value": 10}, "timestamp_override": "event.ingested", "type": "threshold", "version": 111}, "id": "035889c4-2686-4583-a7df-67f89c292f2c_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/035a6f21-4092-471d-9cda-9e379f459b1e.json b/packages/security_detection_engine/kibana/security_rule/035a6f21-4092-471d-9cda-9e379f459b1e.json deleted file mode 100644 index 3ab5960686c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/035a6f21-4092-471d-9cda-9e379f459b1e.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Monitors for the execution of Unix utilities that may be leveraged as memory address seekers. Attackers may leverage built-in utilities to seek specific memory addresses, allowing for potential future manipulation/exploitation.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Memory Seeking Activity", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and (\n (process.name == \"tail\" and process.args == \"-c\") or\n (process.name == \"cmp\" and process.args == \"-i\") or\n (process.name in (\"hexdump\", \"xxd\") and process.args == \"-s\") or\n (process.name == \"dd\" and process.args : (\"skip*\", \"seek*\"))\n)\n", "references": ["https://github.com/arget13/DDexec"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "035a6f21-4092-471d-9cda-9e379f459b1e", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "035a6f21-4092-471d-9cda-9e379f459b1e", "type": 
"security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/035a6f21-4092-471d-9cda-9e379f459b1e_1.json b/packages/security_detection_engine/kibana/security_rule/035a6f21-4092-471d-9cda-9e379f459b1e_1.json deleted file mode 100644 index 940e9c90a25..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/035a6f21-4092-471d-9cda-9e379f459b1e_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Monitors for the execution of Unix utilities that may be leveraged as memory address seekers. Attackers may leverage built-in utilities to seek specific memory addresses, allowing for potential future manipulation/exploitation.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Memory Seeking Activity", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and (\n (process.name == \"tail\" and process.args == \"-c\") or\n (process.name == \"cmp\" and process.args == \"-i\") or\n (process.name in (\"hexdump\", \"xxd\") and process.args == \"-s\") or\n (process.name == \"dd\" and process.args : (\"skip*\", \"seek*\"))\n)\n", "references": ["https://github.com/arget13/DDexec"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "035a6f21-4092-471d-9cda-9e379f459b1e", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "035a6f21-4092-471d-9cda-9e379f459b1e_1", "type": 
"security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/035a6f21-4092-471d-9cda-9e379f459b1e_2.json b/packages/security_detection_engine/kibana/security_rule/035a6f21-4092-471d-9cda-9e379f459b1e_2.json deleted file mode 100644 index 6499127729e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/035a6f21-4092-471d-9cda-9e379f459b1e_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Monitors for the execution of Unix utilities that may be leveraged as memory address seekers. Attackers may leverage built-in utilities to seek specific memory addresses, allowing for potential future manipulation/exploitation.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Memory Seeking Activity", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and (\n (process.name == \"tail\" and process.args == \"-c\") or\n (process.name == \"cmp\" and process.args == \"-i\") or\n (process.name in (\"hexdump\", \"xxd\") and process.args == \"-s\") or\n (process.name == \"dd\" and process.args : (\"skip*\", \"seek*\"))\n)\n", "references": ["https://github.com/arget13/DDexec"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "035a6f21-4092-471d-9cda-9e379f459b1e", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "035a6f21-4092-471d-9cda-9e379f459b1e_2", "type": 
"security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0369e8a6-0fa7-4e7a-961a-53180a4c966e.json b/packages/security_detection_engine/kibana/security_rule/0369e8a6-0fa7-4e7a-961a-53180a4c966e.json deleted file mode 100644 index e98bf8cbd3b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0369e8a6-0fa7-4e7a-961a-53180a4c966e.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for dynamic linker discovery via the od utility. od (octal dump) is a command-line utility in Unix operating systems used for displaying data in various formats, including octal, hexadecimal, decimal, and ASCII, primarily used for examining and debugging binary files or data streams. Attackers can leverage od to analyze the dynamic linker by identifying injection points and craft exploits based on the observed behaviors and structures within these files.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Dynamic Linker Discovery via od", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"od\" and process.args in (\n \"/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\", \"/etc/ld.so.preload\", \"/lib64/ld-linux-x86-64.so.2\",\n \"/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\", \"/usr/lib64/ld-linux-x86-64.so.2\"\n)\n", "references": ["https://github.com/arget13/DDexec"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "0369e8a6-0fa7-4e7a-961a-53180a4c966e", "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "0369e8a6-0fa7-4e7a-961a-53180a4c966e", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0369e8a6-0fa7-4e7a-961a-53180a4c966e_1.json b/packages/security_detection_engine/kibana/security_rule/0369e8a6-0fa7-4e7a-961a-53180a4c966e_1.json
deleted file mode 100644
index 9bcb896f1af..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0369e8a6-0fa7-4e7a-961a-53180a4c966e_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for dynamic linker discovery via the od utility. od (octal dump) is a command-line utility in Unix operating systems used for displaying data in various formats, including octal, hexadecimal, decimal, and ASCII, primarily used for examining and debugging binary files or data streams. Attackers can leverage od to analyze the dynamic linker by identifying injection points and craft exploits based on the observed behaviors and structures within these files.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Dynamic Linker Discovery via od", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and\nprocess.name == \"od\" and process.args in (\n \"/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\", \"/etc/ld.so.preload\", \"/lib64/ld-linux-x86-64.so.2\",\n \"/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\", \"/usr/lib64/ld-linux-x86-64.so.2\"\n)\n", "references": ["https://github.com/arget13/DDexec"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "0369e8a6-0fa7-4e7a-961a-53180a4c966e", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "0369e8a6-0fa7-4e7a-961a-53180a4c966e_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/03a514d9-500e-443e-b6a9-72718c548f6c.json b/packages/security_detection_engine/kibana/security_rule/03a514d9-500e-443e-b6a9-72718c548f6c.json
deleted file mode 100644
index a693c50a95d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/03a514d9-500e-443e-b6a9-72718c548f6c.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects an SSH or SSHD process executed from inside a container. This includes both the client ssh binary and server ssh daemon process. SSH usage inside a container should be avoided and monitored closely when necessary. With valid credentials an attacker may move laterally to other containers or to the underlying host through container breakout. They may also use valid SSH credentials as a persistence mechanism.", "false_positives": ["SSH usage may be legitimate depending on the environment. Access patterns and follow-on activity should be analyzed to distinguish between authorized and potentially malicious behavior."], "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "SSH Process Launched From Inside A Container", "query": "process where container.id: \"*\" and event.type== \"start\" and\nevent.action in (\"fork\", \"exec\") and event.action != \"end\" and \nprocess.name: (\"sshd\", \"ssh\", \"autossh\")\n", "references": ["https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container/", "https://www.blackhillsinfosec.com/sshazam-hide-your-c2-inside-of-ssh/"], "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "container.id", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "03a514d9-500e-443e-b6a9-72718c548f6c", "severity": "high", "tags": ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": 
"https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1133", "name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "03a514d9-500e-443e-b6a9-72718c548f6c", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/03a514d9-500e-443e-b6a9-72718c548f6c_1.json b/packages/security_detection_engine/kibana/security_rule/03a514d9-500e-443e-b6a9-72718c548f6c_1.json deleted file mode 100644 index 7f420471ed8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/03a514d9-500e-443e-b6a9-72718c548f6c_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects an SSH or SSHD process executed from inside a container. This includes both the client ssh binary and server ssh daemon process. SSH usage inside a container should be avoided and monitored closely when necessary. With valid credentials an attacker may move laterally to other containers or to the underlying host through container breakout. They may also use valid SSH credentials as a persistence mechanism.", "false_positives": ["SSH usage may be legitimate depending on the environment. Access patterns and follow-on activity should be analyzed to distinguish between authorized and potentially malicious behavior."], "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "SSH Process Launched From Inside A Container", "query": "process where container.id: \"*\" and event.type== \"start\" and\nevent.action in (\"fork\", \"exec\") and event.action != \"end\" and \nprocess.name: (\"sshd\", \"ssh\", \"autossh\")\n", "references": ["https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container/", "https://www.blackhillsinfosec.com/sshazam-hide-your-c2-inside-of-ssh/"], "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "container.id", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "03a514d9-500e-443e-b6a9-72718c548f6c", "severity": "high", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Lateral Movement", "Persistence", "Container"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", 
"name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1133", "name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "03a514d9-500e-443e-b6a9-72718c548f6c_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/03c23d45-d3cb-4ad4-ab5d-b361ffe8724a.json b/packages/security_detection_engine/kibana/security_rule/03c23d45-d3cb-4ad4-ab5d-b361ffe8724a.json deleted file mode 100644 index 30ed88a33b7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/03c23d45-d3cb-4ad4-ab5d-b361ffe8724a.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This threshold rule monitors for the rapid execution of unix utilities that are capable of conducting network scans. Adversaries may leverage built-in tools such as ping, netcat or socat to execute ping sweeps across the network while attempting to evade detection or due to the lack of network mapping tools available on the compromised host.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Network Scan Executed From Host", "query": "event.category:process and host.os.type:linux and event.action:(exec or exec_event or executed or process_started) and\nevent.type:start and process.name:(ping or nping or hping or hping2 or hping3 or nc or ncat or netcat or socat)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}], "threshold": {"cardinality": [{"field": "process.args", "value": 100}], "field": ["host.id", "process.parent.entity_id", "process.executable"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 3}, "id": "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/03c23d45-d3cb-4ad4-ab5d-b361ffe8724a_1.json b/packages/security_detection_engine/kibana/security_rule/03c23d45-d3cb-4ad4-ab5d-b361ffe8724a_1.json
deleted file mode 100644
index b554796b14b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/03c23d45-d3cb-4ad4-ab5d-b361ffe8724a_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This threshold rule monitors for the rapid execution of unix utilities that are capable of conducting network scans. Adversaries may leverage built-in tools such as ping, netcat or socat to execute ping sweeps across the network while attempting to evade detection or due to the lack of network mapping tools available on the compromised host.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Network Scan Executed From Host", "query": "host.os.type:linux and event.action:exec and event.type:start and \nprocess.name:(ping or nping or hping or hping2 or hping3 or nc or ncat or netcat or socat)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}], "threshold": {"cardinality": [{"field": "process.args", "value": 100}], "field": ["host.id", "process.parent.entity_id", "process.executable"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 1}, "id": "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/03c23d45-d3cb-4ad4-ab5d-b361ffe8724a_2.json b/packages/security_detection_engine/kibana/security_rule/03c23d45-d3cb-4ad4-ab5d-b361ffe8724a_2.json
deleted file mode 100644
index f6cbb0886bf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/03c23d45-d3cb-4ad4-ab5d-b361ffe8724a_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This threshold rule monitors for the rapid execution of unix utilities that are capable of conducting network scans. Adversaries may leverage built-in tools such as ping, netcat or socat to execute ping sweeps across the network while attempting to evade detection or due to the lack of network mapping tools available on the compromised host.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Network Scan Executed From Host", "query": "host.os.type:linux and event.action:exec and event.type:start and \nprocess.name:(ping or nping or hping or hping2 or hping3 or nc or ncat or netcat or socat)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}], "threshold": {"cardinality": [{"field": "process.args", "value": 100}], "field": ["host.id", "process.parent.entity_id", "process.executable"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 2}, "id": "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0415258b-a7b2-48a6-891a-3367cd9d4d31.json b/packages/security_detection_engine/kibana/security_rule/0415258b-a7b2-48a6-891a-3367cd9d4d31.json deleted file mode 100644 index a11f6fc6182..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0415258b-a7b2-48a6-891a-3367cd9d4d31.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the first time a principal calls AWS Cloudwatch `CreateStack` or `CreateStackSet` API. Cloudformation is used to create a single collection of cloud resources called a stack, via a defined template file. An attacker with the appropriate privileges could leverage Cloudformation to create specific resources needed to further exploit the environment. This is a new terms rule that looks for the first instance of this behavior in the last 10 days for a role or IAM user within a particular account.", "false_positives": ["Verify whether the user identity should be using the `CreateStack` or `CreateStackSet` APIs. If known behavior is causing false positives, it can be exempted from the rule. The \"history_window_start\" value can be modified to reflect the expected frequency of known activity within a particular environment."], "from": "now-6m", "history_window_start": "now-10d", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "kuery", "license": "Elastic License v2", "name": "First Time AWS Cloudformation Stack Creation by User", "new_terms_fields": ["cloud.account.id", "user.name"], "query": "event.dataset:aws.cloudtrail and event.provider:cloudformation.amazonaws.com and\n event.action: (CreateStack or CreateStackSet) and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-cli-creating-stack.html/", "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html/", "https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStack.html/", "https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStackSet.html/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": 
true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "0415258b-a7b2-48a6-891a-3367cd9d4d31", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: Cloudformation", "Use Case: Asset Visibility", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "0415258b-a7b2-48a6-891a-3367cd9d4d31", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c.json b/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c.json deleted file mode 100644 index 0dd73b45a61..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.", "false_positives": ["Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of OpenSSH Binaries", "note": "## Triage and analysis\n\n### Investigating Modification of OpenSSH Binaries\n\nOpenSSH is a widely used suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides encrypted communication sessions over a computer network.\n\nAdversaries may exploit OpenSSH by modifying its binaries, such as `/usr/bin/scp`, `/usr/bin/sftp`, `/usr/bin/ssh`, `/usr/sbin/sshd`, or `libkeyutils.so`, to gain unauthorized access or exfiltrate SSH credentials.\n\nThe detection rule 'Modification of OpenSSH Binaries' is designed to identify such abuse by monitoring file changes in the Linux environment. It triggers an alert when a process, modifies any of the specified OpenSSH binaries or libraries. This helps security analysts detect potential malicious activities and take appropriate action.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open 
Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False positive analysis\n\n- Regular users should not need to modify OpenSSH binaries, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:file and host.os.type:linux and event.type:change and \n process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron or platform-python)) and \n (file.path:(/usr/bin/scp or \n /usr/bin/sftp or \n /usr/bin/ssh or \n /usr/sbin/sshd) or \n file.name:libkeyutils.so) and\n not process.executable:/usr/share/elasticsearch/*\n", "references": ["https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0415f22a-2336-45fa-ba07-618a5942e22c", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}, {"id": "T1563", "name": "Remote Service Session Hijacking", 
"reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 109}, "id": "0415f22a-2336-45fa-ba07-618a5942e22c", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_103.json b/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_103.json deleted file mode 100644 index e2b2e106f95..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.", "false_positives": ["Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of OpenSSH Binaries", "query": "event.category:file and host.os.type:linux and event.type:change and\n process.name:* and\n (file.path:(/usr/sbin/sshd or /usr/bin/ssh or /usr/bin/sftp or /usr/bin/scp) or file.name:libkeyutils.so) and\n not process.name:(\"dpkg\" or \"yum\" or \"dnf\" or \"dnf-automatic\")\n", "references": ["https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0415f22a-2336-45fa-ba07-618a5942e22c", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access", "Persistence", "Lateral Movement", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", 
"reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1563", "name": "Remote Service Session Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}, {"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "0415f22a-2336-45fa-ba07-618a5942e22c_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_104.json b/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_104.json deleted file mode 100644 index de2de9657a8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.", "false_positives": ["Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of OpenSSH Binaries", "query": "event.category:file and host.os.type:linux and event.type:change and \n process.name:(* and not (dnf or dnf-automatic or dpkg or yum)) and \n (file.path:(/usr/bin/scp or \n /usr/bin/sftp or \n /usr/bin/ssh or \n /usr/sbin/sshd) or \n file.name:libkeyutils.so)\n", "references": ["https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0415f22a-2336-45fa-ba07-618a5942e22c", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Tactic: Lateral Movement", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", 
"name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}, {"id": "T1563", "name": "Remote Service Session Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "0415f22a-2336-45fa-ba07-618a5942e22c_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_105.json b/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_105.json deleted file mode 100644 index 723c4237fc3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.", "false_positives": ["Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of OpenSSH Binaries", "query": "event.category:file and host.os.type:linux and event.type:change and \n process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron)) and \n (file.path:(/usr/bin/scp or \n /usr/bin/sftp or \n /usr/bin/ssh or \n /usr/sbin/sshd) or \n file.name:libkeyutils.so)\n", "references": ["https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0415f22a-2336-45fa-ba07-618a5942e22c", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": 
"https://attack.mitre.org/techniques/T1543/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}, {"id": "T1563", "name": "Remote Service Session Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "0415f22a-2336-45fa-ba07-618a5942e22c_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_106.json b/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_106.json deleted file mode 100644 index 00c025b40e7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_106.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.", "false_positives": ["Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of OpenSSH Binaries", "query": "event.category:file and host.os.type:linux and event.type:change and \n process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron)) and \n (file.path:(/usr/bin/scp or \n /usr/bin/sftp or \n /usr/bin/ssh or \n /usr/sbin/sshd) or \n file.name:libkeyutils.so) and\n not process.executable:/usr/share/elasticsearch/*\n", "references": ["https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0415f22a-2336-45fa-ba07-618a5942e22c", "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}, {"id": "T1563", "name": "Remote Service Session Hijacking", "reference": 
"https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "0415f22a-2336-45fa-ba07-618a5942e22c_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_107.json b/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_107.json
deleted file mode 100644
index 917cf3f71fa..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.", "false_positives": ["Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of OpenSSH Binaries", "query": "event.category:file and host.os.type:linux and event.type:change and \n process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron)) and \n (file.path:(/usr/bin/scp or \n /usr/bin/sftp or \n /usr/bin/ssh or \n /usr/sbin/sshd) or \n file.name:libkeyutils.so) and\n not process.executable:/usr/share/elasticsearch/*\n", "references": ["https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0415f22a-2336-45fa-ba07-618a5942e22c", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}, {"id": "T1563", "name": "Remote Service Session Hijacking", 
"reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "0415f22a-2336-45fa-ba07-618a5942e22c_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_108.json b/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_108.json
deleted file mode 100644
index 2d774d3027d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.", "false_positives": ["Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of OpenSSH Binaries", "note": "## Triage and analysis\n\n### Investigating Modification of OpenSSH Binaries\n\nOpenSSH is a widely used suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides encrypted communication sessions over a computer network.\n\nAdversaries may exploit OpenSSH by modifying its binaries, such as `/usr/bin/scp`, `/usr/bin/sftp`, `/usr/bin/ssh`, `/usr/sbin/sshd`, or `libkeyutils.so`, to gain unauthorized access or exfiltrate SSH credentials.\n\nThe detection rule 'Modification of OpenSSH Binaries' is designed to identify such abuse by monitoring file changes in the Linux environment. It triggers an alert when a process, modifies any of the specified OpenSSH binaries or libraries. This helps security analysts detect potential malicious activities and take appropriate action.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open 
Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False positive analysis\n\n- Regular users should not need to modify OpenSSH binaries, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:file and host.os.type:linux and event.type:change and \n process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron)) and \n (file.path:(/usr/bin/scp or \n /usr/bin/sftp or \n /usr/bin/ssh or \n /usr/sbin/sshd) or \n file.name:libkeyutils.so) and\n not process.executable:/usr/share/elasticsearch/*\n", "references": ["https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0415f22a-2336-45fa-ba07-618a5942e22c", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}, {"id": "T1563", "name": "Remote Service Session Hijacking", 
"reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "0415f22a-2336-45fa-ba07-618a5942e22c_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_109.json b/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_109.json
deleted file mode 100644
index b4520d647e7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0415f22a-2336-45fa-ba07-618a5942e22c_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may modify SSH related binaries for persistence or credential access by patching sensitive functions to enable unauthorized access or by logging SSH credentials for exfiltration.", "false_positives": ["Trusted OpenSSH executable updates. It's recommended to verify the integrity of OpenSSH binary changes."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of OpenSSH Binaries", "note": "## Triage and analysis\n\n### Investigating Modification of OpenSSH Binaries\n\nOpenSSH is a widely used suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides encrypted communication sessions over a computer network.\n\nAdversaries may exploit OpenSSH by modifying its binaries, such as `/usr/bin/scp`, `/usr/bin/sftp`, `/usr/bin/ssh`, `/usr/sbin/sshd`, or `libkeyutils.so`, to gain unauthorized access or exfiltrate SSH credentials.\n\nThe detection rule 'Modification of OpenSSH Binaries' is designed to identify such abuse by monitoring file changes in the Linux environment. It triggers an alert when a process, modifies any of the specified OpenSSH binaries or libraries. This helps security analysts detect potential malicious activities and take appropriate action.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open 
Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False positive analysis\n\n- Regular users should not need to modify OpenSSH binaries, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:file and host.os.type:linux and event.type:change and \n process.name:(* and not (dnf or dnf-automatic or dpkg or yum or rpm or yum-cron or anacron or platform-python)) and \n (file.path:(/usr/bin/scp or \n /usr/bin/sftp or \n /usr/bin/ssh or \n /usr/sbin/sshd) or \n file.name:libkeyutils.so) and\n not process.executable:/usr/share/elasticsearch/*\n", "references": ["https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusion-part-ii.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0415f22a-2336-45fa-ba07-618a5942e22c", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}, {"id": "T1563", "name": "Remote Service Session Hijacking", 
"reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 109}, "id": "0415f22a-2336-45fa-ba07-618a5942e22c_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/043d80a3-c49e-43ef-9c72-1088f0c7b278_101.json b/packages/security_detection_engine/kibana/security_rule/043d80a3-c49e-43ef-9c72-1088f0c7b278_101.json deleted file mode 100644 index d30144411b6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/043d80a3-c49e-43ef-9c72-1088f0c7b278_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a browser process navigates to the Microsoft Help page followed by spawning an elevated process. This may indicate a successful exploitation for privilege escalation abusing a vulnerable Windows Installer repair setup.", "from": "now-9m", "index": ["winlogbeat-*", "endgame-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Escalation via Vulnerable MSI Repair", "query": "process where event.type == \"start\" and host.os.type == \"windows\" and\n user.domain : (\"NT AUTHORITY\", \"AUTORITE NT\", \"AUTORIDADE NT\") and\n process.parent.name : (\"chrome.exe\", \"msedge.exe\", \"brave.exe\", \"whale.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\",\n \"opera.exe\", \"iexplore\", \"firefox.exe\", \"waterfox.exe\", \"iexplore.exe\", \"tor.exe\", \"safari.exe\") and\n process.parent.command_line : \"*go.microsoft.com*\"\n", "references": ["https://sec-consult.com/blog/detail/msi-installer-repair-to-system-a-detailed-journey/", "https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38014"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 73, "rule_id": "043d80a3-c49e-43ef-9c72-1088f0c7b278", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic 
Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.007", "name": "Msiexec", "reference": "https://attack.mitre.org/techniques/T1218/007/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 101}, "id": "043d80a3-c49e-43ef-9c72-1088f0c7b278_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/043d80a3-c49e-43ef-9c72-1088f0c7b278_201.json b/packages/security_detection_engine/kibana/security_rule/043d80a3-c49e-43ef-9c72-1088f0c7b278_201.json deleted file mode 100644 index 3ddb4ab7a73..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/043d80a3-c49e-43ef-9c72-1088f0c7b278_201.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a browser process navigates to the Microsoft Help page followed by spawning an elevated process. This may indicate a successful exploitation for privilege escalation abusing a vulnerable Windows Installer repair setup.", "from": "now-9m", "index": ["winlogbeat-*", "endgame-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Escalation via Vulnerable MSI Repair", "query": "process where event.type == \"start\" and host.os.type == \"windows\" and\n user.domain : (\"NT AUTHORITY\", \"AUTORITE NT\", \"AUTORIDADE NT\") and\n process.parent.name : (\"chrome.exe\", \"msedge.exe\", \"brave.exe\", \"whale.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\",\n \"opera.exe\", \"iexplore\", \"firefox.exe\", \"waterfox.exe\", \"iexplore.exe\", \"tor.exe\", \"safari.exe\") and\n process.parent.command_line : \"*go.microsoft.com*\"\n", "references": ["https://sec-consult.com/blog/detail/msi-installer-repair-to-system-a-detailed-journey/", "https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-38014"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 73, "rule_id": "043d80a3-c49e-43ef-9c72-1088f0c7b278", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic 
Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.007", "name": "Msiexec", "reference": "https://attack.mitre.org/techniques/T1218/007/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 201}, "id": "043d80a3-c49e-43ef-9c72-1088f0c7b278_201", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f.json b/packages/security_detection_engine/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f.json deleted file mode 100644 index 749cde9a978..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure AD Global Administrator Role Assigned", "note": "", "query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and\nazure.auditlogs.operation_name:\"Add member to role\" and\nazure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:\"\\\"Global Administrator\\\"\"\n", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator"], "related_integrations": [{"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword"}, {"ecs": false, "name": "azure.auditlogs.properties.category", "type": "keyword"}, {"ecs": false, "name": "azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value", "type": "unknown"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "04c5a96f-19c5-44fd-9571-a0b033f9086f", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "04c5a96f-19c5-44fd-9571-a0b033f9086f", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f_101.json b/packages/security_detection_engine/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f_101.json deleted file mode 100644 index 044f165ebef..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/04c5a96f-19c5-44fd-9571-a0b033f9086f_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure AD Global Administrator Role Assigned", "note": "", "query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and\nazure.auditlogs.operation_name:\"Add member to role\" and\nazure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:\"\\\"Global Administrator\\\"\"\n", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator"], "related_integrations": [{"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword"}, {"ecs": false, "name": "azure.auditlogs.properties.category", "type": "keyword"}, {"ecs": false, "name": "azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value", "type": "unknown"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "04c5a96f-19c5-44fd-9571-a0b033f9086f", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": 
"Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "04c5a96f-19c5-44fd-9571-a0b033f9086f_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08.json b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08.json deleted file mode 100644 index 0eedd2beb2f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Dennis Perto"], "description": "Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.", "false_positives": ["Microsoft Antimalware Service Executable installed on non default installation path."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.pe.original_file_name == \"MsMpEng.exe\" and not process.name : \"MsMpEng.exe\") or\n (process.name : \"MsMpEng.exe\" and not\n process.executable : (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Microsoft Security Client\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Security Client\\\\*.exe\"))\n)\n", "references": ["https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": 
"053a0387-f3b5-4ba5-8245-8002cca2bd08", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "053a0387-f3b5-4ba5-8245-8002cca2bd08", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_104.json b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_104.json deleted file mode 100644 index f02c09e4a22..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Dennis Perto"], "description": "Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.", "false_positives": ["Microsoft Antimalware Service Executable installed on non default installation path."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.pe.original_file_name == \"MsMpEng.exe\" and not process.name : \"MsMpEng.exe\") or\n (process.name : \"MsMpEng.exe\" and not\n process.executable : (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Microsoft Security Client\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Security Client\\\\*.exe\"))\n)\n", "references": ["https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "053a0387-f3b5-4ba5-8245-8002cca2bd08", 
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "053a0387-f3b5-4ba5-8245-8002cca2bd08_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_105.json b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_105.json deleted file mode 100644 index d9a434e3c7f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Dennis Perto"], "description": "Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.", "false_positives": ["Microsoft Antimalware Service Executable installed on non default installation path."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.pe.original_file_name == \"MsMpEng.exe\" and not process.name : \"MsMpEng.exe\") or\n (process.name : \"MsMpEng.exe\" and not\n process.executable : (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Microsoft Security Client\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Security Client\\\\*.exe\"))\n)\n", "references": ["https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "053a0387-f3b5-4ba5-8245-8002cca2bd08", 
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "053a0387-f3b5-4ba5-8245-8002cca2bd08_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_106.json b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_106.json deleted file mode 100644 index 0468ce3fba3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Dennis Perto"], "description": "Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.", "false_positives": ["Microsoft Antimalware Service Executable installed on non default installation path."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.pe.original_file_name == \"MsMpEng.exe\" and not process.name : \"MsMpEng.exe\") or\n (process.name : \"MsMpEng.exe\" and not\n process.executable : (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Microsoft Security Client\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Security Client\\\\*.exe\"))\n)\n", "references": ["https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "053a0387-f3b5-4ba5-8245-8002cca2bd08", 
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "053a0387-f3b5-4ba5-8245-8002cca2bd08_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_107.json b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_107.json deleted file mode 100644 index fd1ceadf324..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Dennis Perto"], "description": "Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.", "false_positives": ["Microsoft Antimalware Service Executable installed on non default installation path."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.pe.original_file_name == \"MsMpEng.exe\" and not process.name : \"MsMpEng.exe\") or\n (process.name : \"MsMpEng.exe\" and not\n process.executable : (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Microsoft Security Client\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Security Client\\\\*.exe\"))\n)\n", "references": ["https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "053a0387-f3b5-4ba5-8245-8002cca2bd08", 
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "053a0387-f3b5-4ba5-8245-8002cca2bd08_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_108.json b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_108.json deleted file mode 100644 index ed289bddb8a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Dennis Perto"], "description": "Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.", "false_positives": ["Microsoft Antimalware Service Executable installed on non default installation path."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.pe.original_file_name == \"MsMpEng.exe\" and not process.name : \"MsMpEng.exe\") or\n (process.name : \"MsMpEng.exe\" and not\n process.executable : (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Microsoft Security Client\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Security Client\\\\*.exe\"))\n)\n", "references": ["https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "053a0387-f3b5-4ba5-8245-8002cca2bd08", "setup": "\nIf 
enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "053a0387-f3b5-4ba5-8245-8002cca2bd08_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_109.json b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_109.json deleted file mode 100644 index 702124ee875..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Dennis Perto"], "description": "Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.", "false_positives": ["Microsoft Antimalware Service Executable installed on non default installation path."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.pe.original_file_name == \"MsMpEng.exe\" and not process.name : \"MsMpEng.exe\") or\n (process.name : \"MsMpEng.exe\" and not\n process.executable : (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Microsoft Security Client\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Security Client\\\\*.exe\"))\n)\n", "references": ["https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": 
"053a0387-f3b5-4ba5-8245-8002cca2bd08", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "053a0387-f3b5-4ba5-8245-8002cca2bd08_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_110.json b/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_110.json deleted file mode 100644 index 4f301ccb87f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/053a0387-f3b5-4ba5-8245-8002cca2bd08_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Dennis Perto"], "description": "Identifies a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of one of those processes.", "false_positives": ["Microsoft Antimalware Service Executable installed on non default installation path."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential DLL Side-Loading via Microsoft Antimalware Service Executable", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.pe.original_file_name == \"MsMpEng.exe\" and not process.name : \"MsMpEng.exe\") or\n (process.name : \"MsMpEng.exe\" and not\n process.executable : (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Program Files\\\\Microsoft Security Client\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Security Client\\\\*.exe\"))\n)\n", "references": ["https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": 
"053a0387-f3b5-4ba5-8245-8002cca2bd08", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "053a0387-f3b5-4ba5-8245-8002cca2bd08_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964.json b/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964.json deleted file mode 100644 index f8cbe0319a7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the creation of rule files that are used by systemd-udevd to manage device nodes and handle kernel device events in the Linux operating system. Systemd-udevd can be exploited for persistence by adversaries by creating malicious udev rules that trigger on specific events, executing arbitrary commands or payloads whenever a certain device is plugged in or recognized by the system.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Systemd-udevd Rule File Creation", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and \nprocess.executable != null and file.extension == \"rules\" and\nfile.path : (\n \"/lib/udev/*\", \"/etc/udev/rules.d/*\", \"/usr/lib/udev/rules.d/*\", \"/run/udev/rules.d/*\", \"/usr/local/lib/udev/rules.d/*\"\n) and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/libexec/netplan/generate\",\n \"/lib/systemd/system-generators/netplan\", \"/lib/systemd/systemd\", 
\"/usr/bin/containerd\", \"/usr/sbin/sshd\",\n \"/kaniko/executor\"\n ) or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/*\", \"/usr/libexec/*\"\n ) or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "054db96b-fd34-43b3-9af2-587b3bd33964", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/"}, {"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "054db96b-fd34-43b3-9af2-587b3bd33964", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_1.json b/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_1.json deleted file mode 100644 index 55280da53ba..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Monitors for the creation of rule files that are used by systemd-udevd to manage device nodes and handle kernel device events in the Linux operating system. Systemd-udevd can be exploited for persistence by adversaries by creating malicious udev rules that trigger on specific events, executing arbitrary commands or payloads whenever a certain device is plugged in or recognized by the system.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through Systemd-udevd", "new_terms_fields": ["host.id", "process.executable", "file.path"], "query": "host.os.type:\"linux\" and event.category:\"file\" and \nevent.type:(\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and \nfile.path:/lib/udev/* and process.executable:* and not (\n process.name:(\"dockerd\" or \"docker\" or \"dpkg\" or \"dnf\" or \"dnf-automatic\" or \"yum\" or \"rpm\" or \"systemd-hwdb\" or\n \"podman\" or \"buildah\") or file.extension : (\"swp\" or \"swpx\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "054db96b-fd34-43b3-9af2-587b3bd33964", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "type": "new_terms", "version": 1}, "id": "054db96b-fd34-43b3-9af2-587b3bd33964_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_2.json b/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_2.json deleted file mode 100644 index c5d1670f06f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Monitors for the creation of rule files that are used by systemd-udevd to manage device nodes and handle kernel device events in the Linux operating system. Systemd-udevd can be exploited for persistence by adversaries by creating malicious udev rules that trigger on specific events, executing arbitrary commands or payloads whenever a certain device is plugged in or recognized by the system.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through Systemd-udevd", "new_terms_fields": ["host.id", "process.executable", "file.path"], "query": "host.os.type:\"linux\" and event.category:\"file\" and\nevent.type:(\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and\nfile.path:/lib/udev/* and process.executable:* and not (\n process.name:(\"dockerd\" or \"docker\" or \"dpkg\" or \"dnf\" or \"dnf-automatic\" or \"yum\" or \"rpm\" or \"systemd-hwdb\" or\n \"podman\" or \"buildah\") or file.extension : (\"swp\" or \"swpx\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "054db96b-fd34-43b3-9af2-587b3bd33964", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "054db96b-fd34-43b3-9af2-587b3bd33964_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_3.json b/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_3.json deleted file mode 100644 index ce04a4f86d4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the creation of rule files that are used by systemd-udevd to manage device nodes and handle kernel device events in the Linux operating system. Systemd-udevd can be exploited for persistence by adversaries by creating malicious udev rules that trigger on specific events, executing arbitrary commands or payloads whenever a certain device is plugged in or recognized by the system.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through Systemd-udevd", "new_terms_fields": ["host.id", "process.executable", "file.path"], "query": "host.os.type:\"linux\" and event.category:\"file\" and\nevent.type:(\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and\nfile.path:/lib/udev/* and process.executable:* and not (\n process.name:(\"dockerd\" or \"docker\" or \"dpkg\" or \"dnf\" or \"dnf-automatic\" or \"yum\" or \"rpm\" or \"systemd-hwdb\" or\n \"podman\" or \"buildah\") or file.extension : (\"swp\" or \"swpx\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "054db96b-fd34-43b3-9af2-587b3bd33964", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 3}, "id": "054db96b-fd34-43b3-9af2-587b3bd33964_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_4.json b/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_4.json deleted file mode 100644 index 3ca27fca42d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the creation of rule files that are used by systemd-udevd to manage device nodes and handle kernel device events in the Linux operating system. Systemd-udevd can be exploited for persistence by adversaries by creating malicious udev rules that trigger on specific events, executing arbitrary commands or payloads whenever a certain device is plugged in or recognized by the system.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Systemd-udevd Rule File Creation", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and \nprocess.executable != null and \nfile.path : (\n \"/lib/udev/*\", \"/etc/udev/rules.d/*\", \"/usr/lib/udev/rules.d/*\", \"/run/udev/rules.d/*\"\n) and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/libexec/netplan/generate\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n 
process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/*\", \"/usr/libexec/*\"\n ) or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "054db96b-fd34-43b3-9af2-587b3bd33964", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "054db96b-fd34-43b3-9af2-587b3bd33964_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_5.json b/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_5.json deleted file mode 100644 index 4d041d57b7e..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the creation of rule files that are used by systemd-udevd to manage device nodes and handle kernel device events in the Linux operating system. Systemd-udevd can be exploited for persistence by adversaries by creating malicious udev rules that trigger on specific events, executing arbitrary commands or payloads whenever a certain device is plugged in or recognized by the system.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Systemd-udevd Rule File Creation", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and \nprocess.executable != null and file.extension == \"rules\" and\nfile.path : (\n \"/lib/udev/*\", \"/etc/udev/rules.d/*\", \"/usr/lib/udev/rules.d/*\", \"/run/udev/rules.d/*\", \"/usr/local/lib/udev/rules.d/*\"\n) and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/libexec/netplan/generate\",\n \"/lib/systemd/system-generators/netplan\", \"/lib/systemd/systemd\", 
\"/usr/bin/containerd\", \"/usr/sbin/sshd\",\n \"/kaniko/executor\"\n ) or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/*\", \"/usr/libexec/*\"\n ) or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "054db96b-fd34-43b3-9af2-587b3bd33964", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/"}, {"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "054db96b-fd34-43b3-9af2-587b3bd33964_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_6.json b/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_6.json deleted file mode 100644 index 7b49fa48d0d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/054db96b-fd34-43b3-9af2-587b3bd33964_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the creation of rule files that are used by systemd-udevd to manage device nodes and handle kernel device events in the Linux operating system. Systemd-udevd can be exploited for persistence by adversaries by creating malicious udev rules that trigger on specific events, executing arbitrary commands or payloads whenever a certain device is plugged in or recognized by the system.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Systemd-udevd Rule File Creation", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and \nprocess.executable != null and file.extension == \"rules\" and\nfile.path : (\n \"/lib/udev/*\", \"/etc/udev/rules.d/*\", \"/usr/lib/udev/rules.d/*\", \"/run/udev/rules.d/*\", \"/usr/local/lib/udev/rules.d/*\"\n) and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/libexec/netplan/generate\",\n \"/lib/systemd/system-generators/netplan\", \"/lib/systemd/systemd\", 
\"/usr/bin/containerd\", \"/usr/sbin/sshd\",\n \"/kaniko/executor\"\n ) or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/*\", \"/usr/libexec/*\"\n ) or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "054db96b-fd34-43b3-9af2-587b3bd33964", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}, {"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "054db96b-fd34-43b3-9af2-587b3bd33964_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343.json b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343.json deleted file mode 100644 index 131ef97832b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft IIS Service Account Password Dumped", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or ?process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"list\" and process.args : \"/text*\"\n", "references": ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "0564fb9d-90b9-4234-a411-82a546dc1343", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_104.json b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_104.json
deleted file mode 100644
index 0cb91d7653d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Microsoft IIS Service Account Password Dumped", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/list\" and process.args : \"/text*password\"\n", "references": ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, 
"technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "0564fb9d-90b9-4234-a411-82a546dc1343_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_105.json b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_105.json deleted file mode 100644 index 7322f240d45..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Microsoft IIS Service Account Password Dumped", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/list\" and process.args : \"/text*password\"\n", "references": ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": 
"https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "0564fb9d-90b9-4234-a411-82a546dc1343_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_106.json b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_106.json deleted file mode 100644 index e06332fe850..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Microsoft IIS Service Account Password Dumped", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/list\" and process.args : \"/text*password\"\n", "references": ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", 
"reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "0564fb9d-90b9-4234-a411-82a546dc1343_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_107.json b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_107.json deleted file mode 100644 index ffdc5f6ec5e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Microsoft IIS Service Account Password Dumped", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/list\" and process.args : \"/text*password\"\n", "references": ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential 
Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "0564fb9d-90b9-4234-a411-82a546dc1343_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_108.json b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_108.json deleted file mode 100644 index 255fe481273..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Microsoft IIS Service Account Password Dumped", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or ?process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/list\" and process.args : \"/text*password\"\n", "references": ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: 
Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "0564fb9d-90b9-4234-a411-82a546dc1343_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_109.json b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_109.json deleted file mode 100644 index a22c4e6e26a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Microsoft IIS Service Account Password Dumped", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or ?process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/list\" and process.args : \"/text*password\"\n", "references": ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": 
["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "0564fb9d-90b9-4234-a411-82a546dc1343_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_110.json b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_110.json deleted file mode 100644 index 5e69f6545ca..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Microsoft IIS Service Account Password Dumped", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or ?process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/list\" and process.args : \"/text*password\"\n", "references": ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", 
"tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "0564fb9d-90b9-4234-a411-82a546dc1343_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_111.json b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_111.json deleted file mode 100644 index c1c9d12dbaa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft IIS Service Account Password Dumped", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or ?process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"list\" and process.args : \"/text*\"\n", "references": ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 111}, "id": "0564fb9d-90b9-4234-a411-82a546dc1343_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_112.json b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_112.json deleted file mode 100644 index ec35bc06c29..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_112.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft IIS Service Account Password Dumped", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or ?process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"list\" and process.args : \"/text*\"\n", "references": ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "0564fb9d-90b9-4234-a411-82a546dc1343_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_113.json b/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_113.json deleted file mode 100644 index 0fb9ce365c9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0564fb9d-90b9-4234-a411-82a546dc1343_113.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft IIS Service Account Password Dumped", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or ?process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"list\" and process.args : \"/text*\"\n", "references": ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "0564fb9d-90b9-4234-a411-82a546dc1343", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "0564fb9d-90b9-4234-a411-82a546dc1343_113", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b.json b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b.json deleted file mode 100644 index 6ed15f96846..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Conhost Spawned By Suspicious Parent Process", "note": "## Triage and analysis\n\n### Investigating Conhost Spawned By Suspicious Parent Process\n\nThe Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as the classic Windows user interface for working with command-line applications.\n\nAttackers often rely on custom shell implementations to avoid using built-in command interpreters like `cmd.exe` and `PowerShell.exe` and bypass application allowlisting and security features. Attackers commonly inject these implementations into legitimate system processes.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the parent process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Process from Conhost - 28896382-7d4f-4d50-9b72-67091901fd26\n- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"conhost.exe\" and\n process.parent.name : (\"lsass.exe\", \"services.exe\", \"smss.exe\", \"winlogon.exe\", \"explorer.exe\", \"dllhost.exe\", \"rundll32.exe\",\n \"regsvr32.exe\", \"userinit.exe\", \"wininit.exe\", \"spoolsv.exe\", \"ctfmon.exe\") and\n not (process.parent.name : \"rundll32.exe\" and\n process.parent.args : (\"?:\\\\Windows\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\",\n \"?:\\\\WINDOWS\\\\system32\\\\PcaSvc.dll,PcaPatchSdbTask\",\n \"?:\\\\WINDOWS\\\\system32\\\\davclnt.dll,DavSetCookie\"))\n", "references": ["https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to 
@timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "05b358de-aa6d-4f6c-89e6-78f74018b43b", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_104.json b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_104.json
deleted file mode 100644
index 0e5e7f475f4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Conhost Spawned By Suspicious Parent Process", "note": "## Triage and analysis\n\n### Investigating Conhost Spawned By Suspicious Parent Process\n\nThe Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as the classic Windows user interface for working with command-line applications.\n\nAttackers often rely on custom shell implementations to avoid using built-in command interpreters like `cmd.exe` and `PowerShell.exe` and bypass application allowlisting and security features. Attackers commonly inject these implementations into legitimate system processes.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the parent process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Process from Conhost - 28896382-7d4f-4d50-9b72-67091901fd26\n- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"conhost.exe\" and\n process.parent.name : (\"lsass.exe\", \"services.exe\", \"smss.exe\", \"winlogon.exe\", \"explorer.exe\", \"dllhost.exe\", \"rundll32.exe\",\n \"regsvr32.exe\", \"userinit.exe\", \"wininit.exe\", \"spoolsv.exe\", \"ctfmon.exe\") and\n not (process.parent.name : \"rundll32.exe\" and\n process.parent.args : (\"?:\\\\Windows\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\",\n \"?:\\\\WINDOWS\\\\system32\\\\PcaSvc.dll,PcaPatchSdbTask\",\n \"?:\\\\WINDOWS\\\\system32\\\\davclnt.dll,DavSetCookie\"))\n", "references": ["https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", 
"Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "05b358de-aa6d-4f6c-89e6-78f74018b43b_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_105.json b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_105.json deleted file mode 100644 index d511251652a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Conhost Spawned By Suspicious Parent Process", "note": "## Triage and analysis\n\n### Investigating Conhost Spawned By Suspicious Parent Process\n\nThe Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as the classic Windows user interface for working with command-line applications.\n\nAttackers often rely on custom shell implementations to avoid using built-in command interpreters like `cmd.exe` and `PowerShell.exe` and bypass application allowlisting and security features. Attackers commonly inject these implementations into legitimate system processes.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the parent process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Process from Conhost - 28896382-7d4f-4d50-9b72-67091901fd26\n- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"conhost.exe\" and\n process.parent.name : (\"lsass.exe\", \"services.exe\", \"smss.exe\", \"winlogon.exe\", \"explorer.exe\", \"dllhost.exe\", \"rundll32.exe\",\n \"regsvr32.exe\", \"userinit.exe\", \"wininit.exe\", \"spoolsv.exe\", \"ctfmon.exe\") and\n not (process.parent.name : \"rundll32.exe\" and\n process.parent.args : (\"?:\\\\Windows\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\",\n \"?:\\\\WINDOWS\\\\system32\\\\PcaSvc.dll,PcaPatchSdbTask\",\n \"?:\\\\WINDOWS\\\\system32\\\\davclnt.dll,DavSetCookie\"))\n", "references": ["https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: 
Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "05b358de-aa6d-4f6c-89e6-78f74018b43b_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_106.json b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_106.json
deleted file mode 100644
index 3e4308e4dc4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Conhost Spawned By Suspicious Parent Process", "note": "## Triage and analysis\n\n### Investigating Conhost Spawned By Suspicious Parent Process\n\nThe Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as the classic Windows user interface for working with command-line applications.\n\nAttackers often rely on custom shell implementations to avoid using built-in command interpreters like `cmd.exe` and `PowerShell.exe` and bypass application allowlisting and security features. Attackers commonly inject these implementations into legitimate system processes.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the parent process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Process from Conhost - 28896382-7d4f-4d50-9b72-67091901fd26\n- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"conhost.exe\" and\n process.parent.name : (\"lsass.exe\", \"services.exe\", \"smss.exe\", \"winlogon.exe\", \"explorer.exe\", \"dllhost.exe\", \"rundll32.exe\",\n \"regsvr32.exe\", \"userinit.exe\", \"wininit.exe\", \"spoolsv.exe\", \"ctfmon.exe\") and\n not (process.parent.name : \"rundll32.exe\" and\n process.parent.args : (\"?:\\\\Windows\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\",\n \"?:\\\\WINDOWS\\\\system32\\\\PcaSvc.dll,PcaPatchSdbTask\",\n \"?:\\\\WINDOWS\\\\system32\\\\davclnt.dll,DavSetCookie\"))\n", "references": ["https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: 
Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "05b358de-aa6d-4f6c-89e6-78f74018b43b_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_107.json b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_107.json
deleted file mode 100644
index 75b52c7012c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Conhost Spawned By Suspicious Parent Process", "note": "## Triage and analysis\n\n### Investigating Conhost Spawned By Suspicious Parent Process\n\nThe Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as the classic Windows user interface for working with command-line applications.\n\nAttackers often rely on custom shell implementations to avoid using built-in command interpreters like `cmd.exe` and `PowerShell.exe` and bypass application allowlisting and security features. Attackers commonly inject these implementations into legitimate system processes.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the parent process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Process from Conhost - 28896382-7d4f-4d50-9b72-67091901fd26\n- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"conhost.exe\" and\n process.parent.name : (\"lsass.exe\", \"services.exe\", \"smss.exe\", \"winlogon.exe\", \"explorer.exe\", \"dllhost.exe\", \"rundll32.exe\",\n \"regsvr32.exe\", \"userinit.exe\", \"wininit.exe\", \"spoolsv.exe\", \"ctfmon.exe\") and\n not (process.parent.name : \"rundll32.exe\" and\n process.parent.args : (\"?:\\\\Windows\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\",\n \"?:\\\\WINDOWS\\\\system32\\\\PcaSvc.dll,PcaPatchSdbTask\",\n \"?:\\\\WINDOWS\\\\system32\\\\davclnt.dll,DavSetCookie\"))\n", "references": ["https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: 
Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "05b358de-aa6d-4f6c-89e6-78f74018b43b_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_108.json b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_108.json
deleted file mode 100644
index b809a2dd572..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Conhost Spawned By Suspicious Parent Process", "note": "## Triage and analysis\n\n### Investigating Conhost Spawned By Suspicious Parent Process\n\nThe Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as the classic Windows user interface for working with command-line applications.\n\nAttackers often rely on custom shell implementations to avoid using built-in command interpreters like `cmd.exe` and `PowerShell.exe` and bypass application allowlisting and security features. Attackers commonly inject these implementations into legitimate system processes.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the parent process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Process from Conhost - 28896382-7d4f-4d50-9b72-67091901fd26\n- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"conhost.exe\" and\n process.parent.name : (\"lsass.exe\", \"services.exe\", \"smss.exe\", \"winlogon.exe\", \"explorer.exe\", \"dllhost.exe\", \"rundll32.exe\",\n \"regsvr32.exe\", \"userinit.exe\", \"wininit.exe\", \"spoolsv.exe\", \"ctfmon.exe\") and\n not (process.parent.name : \"rundll32.exe\" and\n process.parent.args : (\"?:\\\\Windows\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\",\n \"?:\\\\WINDOWS\\\\system32\\\\PcaSvc.dll,PcaPatchSdbTask\",\n \"?:\\\\WINDOWS\\\\system32\\\\davclnt.dll,DavSetCookie\"))\n", "references": ["https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to 
@timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "05b358de-aa6d-4f6c-89e6-78f74018b43b_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_109.json b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_109.json
deleted file mode 100644
index b5e38d5b4de..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Conhost Spawned By Suspicious Parent Process", "note": "## Triage and analysis\n\n### Investigating Conhost Spawned By Suspicious Parent Process\n\nThe Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as the classic Windows user interface for working with command-line applications.\n\nAttackers often rely on custom shell implementations to avoid using built-in command interpreters like `cmd.exe` and `PowerShell.exe` and bypass application allowlisting and security features. Attackers commonly inject these implementations into legitimate system processes.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the parent process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Process from Conhost - 28896382-7d4f-4d50-9b72-67091901fd26\n- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"conhost.exe\" and\n process.parent.name : (\"lsass.exe\", \"services.exe\", \"smss.exe\", \"winlogon.exe\", \"explorer.exe\", \"dllhost.exe\", \"rundll32.exe\",\n \"regsvr32.exe\", \"userinit.exe\", \"wininit.exe\", \"spoolsv.exe\", \"ctfmon.exe\") and\n not (process.parent.name : \"rundll32.exe\" and\n process.parent.args : (\"?:\\\\Windows\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\",\n \"?:\\\\WINDOWS\\\\system32\\\\PcaSvc.dll,PcaPatchSdbTask\",\n \"?:\\\\WINDOWS\\\\system32\\\\davclnt.dll,DavSetCookie\"))\n", "references": ["https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to 
@timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "05b358de-aa6d-4f6c-89e6-78f74018b43b_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_110.json b/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_110.json
deleted file mode 100644
index 902a1976cea..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/05b358de-aa6d-4f6c-89e6-78f74018b43b_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Conhost Spawned By Suspicious Parent Process", "note": "## Triage and analysis\n\n### Investigating Conhost Spawned By Suspicious Parent Process\n\nThe Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as the classic Windows user interface for working with command-line applications.\n\nAttackers often rely on custom shell implementations to avoid using built-in command interpreters like `cmd.exe` and `PowerShell.exe` and bypass application allowlisting and security features. Attackers commonly inject these implementations into legitimate system processes.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the parent process executable and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Process from Conhost - 28896382-7d4f-4d50-9b72-67091901fd26\n- Suspicious PowerShell Engine ImageLoad - 852c1f19-68e8-43a6-9dce-340771fe1be3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"conhost.exe\" and\n process.parent.name : (\"lsass.exe\", \"services.exe\", \"smss.exe\", \"winlogon.exe\", \"explorer.exe\", \"dllhost.exe\", \"rundll32.exe\",\n \"regsvr32.exe\", \"userinit.exe\", \"wininit.exe\", \"spoolsv.exe\", \"ctfmon.exe\") and\n not (process.parent.name : \"rundll32.exe\" and\n process.parent.args : (\"?:\\\\Windows\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\",\n \"?:\\\\WINDOWS\\\\system32\\\\PcaSvc.dll,PcaPatchSdbTask\",\n \"?:\\\\WINDOWS\\\\system32\\\\davclnt.dll,DavSetCookie\"))\n", "references": ["https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "05b358de-aa6d-4f6c-89e6-78f74018b43b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to 
@timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "05b358de-aa6d-4f6c-89e6-78f74018b43b_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a.json b/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a.json
deleted file mode 100644
index 2afccc34308..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors the syslog log file for messages related to instances of a tainted kernel module load. Rootkits often leverage kernel modules as their main defense evasion technique. Detecting tainted kernel module loads is crucial for ensuring system security and integrity, as malicious or unauthorized modules can compromise the kernel and lead to system vulnerabilities or unauthorized access.", "from": "now-9m", "index": ["logs-system.syslog-*"], "language": "kuery", "license": "Elastic License v2", "name": "Tainted Kernel Module Load", "query": "host.os.type:linux and event.dataset:\"system.syslog\" and process.name:kernel and \nmessage:\"module verification failed: signature and/or required key missing - tainting kernel\"\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "05cad2fb-200c-407f-b472-02ea8c9e5e4a", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Filebeat\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat for the Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the Filebeat System Module to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "05cad2fb-200c-407f-b472-02ea8c9e5e4a", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_1.json b/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_1.json
deleted file mode 100644
index 30500a2f532..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors the syslog log file for messages related to instances of a tainted kernel module load. Rootkits often leverage kernel modules as their main defense evasion technique. Detecting tainted kernel module loads is crucial for ensuring system security and integrity, as malicious or unauthorized modules can compromise the kernel and lead to system vulnerabilities or unauthorized access.", "from": "now-9m", "index": ["logs-system.auth-*"], "language": "kuery", "license": "Elastic License v2", "name": "Tainted Kernel Module Load", "query": "host.os.type:linux and event.dataset:\"system.syslog\" and process.name:kernel and \nmessage:\"module verification failed: signature and/or required key missing - tainting kernel\"\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "05cad2fb-200c-407f-b472-02ea8c9e5e4a", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Filebeat\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat for the Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the Filebeat System Module to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "05cad2fb-200c-407f-b472-02ea8c9e5e4a_1", "type": 
"security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_2.json b/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_2.json
deleted file mode 100644
index e884202b630..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors the syslog log file for messages related to instances of a tainted kernel module load. Rootkits often leverage kernel modules as their main defense evasion technique. Detecting tainted kernel module loads is crucial for ensuring system security and integrity, as malicious or unauthorized modules can compromise the kernel and lead to system vulnerabilities or unauthorized access.", "from": "now-9m", "index": ["logs-system.syslog-*"], "language": "kuery", "license": "Elastic License v2", "name": "Tainted Kernel Module Load", "query": "host.os.type:linux and event.dataset:\"system.syslog\" and process.name:kernel and \nmessage:\"module verification failed: signature and/or required key missing - tainting kernel\"\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "05cad2fb-200c-407f-b472-02ea8c9e5e4a", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Filebeat\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat for the Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the Filebeat System Module to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", 
"reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "05cad2fb-200c-407f-b472-02ea8c9e5e4a_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_3.json b/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_3.json
deleted file mode 100644
index b919511cb5a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/05cad2fb-200c-407f-b472-02ea8c9e5e4a_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors the syslog log file for messages related to instances of a tainted kernel module load. Rootkits often leverage kernel modules as their main defense evasion technique. Detecting tainted kernel module loads is crucial for ensuring system security and integrity, as malicious or unauthorized modules can compromise the kernel and lead to system vulnerabilities or unauthorized access.", "from": "now-9m", "index": ["logs-system.syslog-*"], "language": "kuery", "license": "Elastic License v2", "name": "Tainted Kernel Module Load", "query": "host.os.type:linux and event.dataset:\"system.syslog\" and process.name:kernel and \nmessage:\"module verification failed: signature and/or required key missing - tainting kernel\"\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "05cad2fb-200c-407f-b472-02ea8c9e5e4a", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Filebeat\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat for the Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the Filebeat System Module to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "05cad2fb-200c-407f-b472-02ea8c9e5e4a_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3.json b/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3.json deleted file mode 100644 index 7aa8263abd8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Interactive Terminal Spawned via Perl", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and\n process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_103.json b/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_103.json
deleted file mode 100644
index 73141933686..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Interactive Terminal Spawned via Perl", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and\n process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3", "severity": "high", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_104.json b/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_104.json
deleted file mode 100644
index 91f31a9ad9f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Interactive Terminal Spawned via Perl", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and\n process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_105.json b/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_105.json
deleted file mode 100644
index 09283574324..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Interactive Terminal Spawned via Perl", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and\n process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_106.json b/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_106.json
deleted file mode 100644
index 3fccc85e99d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Interactive Terminal Spawned via Perl", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and\n process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3", "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_107.json b/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_107.json
deleted file mode 100644
index 97d286d942f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/05e5a668-7b51-4a67-93ab-e9af405c9ef3_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Interactive Terminal Spawned via Perl", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:perl and\n process.args:(\"exec \\\"/bin/sh\\\";\" or \"exec \\\"/bin/dash\\\";\" or \"exec \\\"/bin/bash\\\";\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "05e5a668-7b51-4a67-93ab-e9af405c9ef3_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a.json b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a.json
deleted file mode 100644
index 206c08f079b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Discovery of remote system information using built-in commands, which may be used to move laterally.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote System Discovery Commands", "note": "## Triage and analysis\n\n### Investigating Remote System Discovery Commands\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `arp` or `nbstat` utilities to enumerate remote systems in the environment, which is useful for attackers to identify lateral movement targets.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n (process.name : \"arp.exe\" and process.args : \"-a\") or\n (process.name : \"nltest.exe\" and process.args : (\"/dclist\", \"/dsgetdc\")) or\n (process.name : \"nslookup.exe\" and process.args : \"*_ldap._tcp.dc.*\") or\n (process.name: (\"dsquery.exe\", \"dsget.exe\") and process.args: \"subnet\") or\n ((((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and not \n process.parent.name : \"net.exe\")) and \n process.args : \"group\" and process.args : \"/domain\" and not process.args : \"/add\"))) and\n not\n (\n (\n process.name : \"arp.exe\" and\n process.parent.executable : (\n \"?:\\\\ProgramData\\\\CentraStage\\\\AEMAgent\\\\AEMAgent.exe\",\n \"?:\\\\Program Files (x86)\\\\Citrix\\\\Workspace Environment Management 
Agent\\\\Citrix.Wem.Agent.Service.exe\",\n \"?:\\\\Program Files (x86)\\\\Lansweeper\\\\Service\\\\LansweeperService.exe\"\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/"}, {"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": 
"0635c542-1b96-4335-9b47-126582d2c19a", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_105.json b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_105.json deleted file mode 100644 index e1e3911446b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Discovery of remote system information using built-in commands, which may be used to move laterally.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote System Discovery Commands", "note": "## Triage and analysis\n\n### Investigating Remote System Discovery Commands\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `arp` or `nbstat` utilities to enumerate remote systems in the environment, which is useful for attackers to identify lateral movement targets.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n (process.name : \"arp.exe\" and process.args : \"-a\") or\n (process.name : \"nltest.exe\" and process.args : (\"/dclist\", \"/dsgetdc\")) or\n (process.name: (\"dsquery.exe\", \"dsget.exe\") and process.args: \"subnet\") or\n ((((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and not \n process.parent.name : \"net.exe\")) and \n process.args : \"group\" and process.args : \"/domain\" and not process.args : \"/add\")))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": 
true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/"}, {"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "0635c542-1b96-4335-9b47-126582d2c19a_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_106.json b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_106.json
deleted file mode 100644
index 9481bedd4ae..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Discovery of remote system information using built-in commands, which may be used to move laterally.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote System Discovery Commands", "note": "## Triage and analysis\n\n### Investigating Remote System Discovery Commands\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `arp` or `nbstat` utilities to enumerate remote systems in the environment, which is useful for attackers to identify lateral movement targets.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n (process.name : \"arp.exe\" and process.args : \"-a\") or\n (process.name : \"nltest.exe\" and process.args : (\"/dclist\", \"/dsgetdc\")) or\n (process.name : \"nslookup.exe\" and process.args : \"*_ldap._tcp.dc.*\") or\n (process.name: (\"dsquery.exe\", \"dsget.exe\") and process.args: \"subnet\") or\n ((((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and not \n process.parent.name : \"net.exe\")) and \n process.args : \"group\" and process.args : \"/domain\" and not process.args : \"/add\")))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": 
"keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/"}, {"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "0635c542-1b96-4335-9b47-126582d2c19a_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_107.json b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_107.json
deleted file mode 100644
index 6e0a51af473..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Discovery of remote system information using built-in commands, which may be used to move laterally.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote System Discovery Commands", "note": "## Triage and analysis\n\n### Investigating Remote System Discovery Commands\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `arp` or `nbstat` utilities to enumerate remote systems in the environment, which is useful for attackers to identify lateral movement targets.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n (process.name : \"arp.exe\" and process.args : \"-a\") or\n (process.name : \"nltest.exe\" and process.args : (\"/dclist\", \"/dsgetdc\")) or\n (process.name : \"nslookup.exe\" and process.args : \"*_ldap._tcp.dc.*\") or\n (process.name: (\"dsquery.exe\", \"dsget.exe\") and process.args: \"subnet\") or\n ((((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and not \n process.parent.name : \"net.exe\")) and \n process.args : \"group\" and process.args : \"/domain\" and not process.args : \"/add\")))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": 
"keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/"}, {"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "0635c542-1b96-4335-9b47-126582d2c19a_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_108.json b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_108.json
deleted file mode 100644
index d264c490773..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Discovery of remote system information using built-in commands, which may be used to move laterally.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote System Discovery Commands", "note": "## Triage and analysis\n\n### Investigating Remote System Discovery Commands\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `arp` or `nbstat` utilities to enumerate remote systems in the environment, which is useful for attackers to identify lateral movement targets.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n (process.name : \"arp.exe\" and process.args : \"-a\") or\n (process.name : \"nltest.exe\" and process.args : (\"/dclist\", \"/dsgetdc\")) or\n (process.name : \"nslookup.exe\" and process.args : \"*_ldap._tcp.dc.*\") or\n (process.name: (\"dsquery.exe\", \"dsget.exe\") and process.args: \"subnet\") or\n ((((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and not \n process.parent.name : \"net.exe\")) and \n process.args : \"group\" and process.args : \"/domain\" and not process.args : \"/add\")))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": 
"keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/"}, {"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "0635c542-1b96-4335-9b47-126582d2c19a_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_109.json b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_109.json
deleted file mode 100644
index bce5a517fe8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Discovery of remote system information using built-in commands, which may be used to move laterally.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote System Discovery Commands", "note": "## Triage and analysis\n\n### Investigating Remote System Discovery Commands\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `arp` or `nbstat` utilities to enumerate remote systems in the environment, which is useful for attackers to identify lateral movement targets.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n (process.name : \"arp.exe\" and process.args : \"-a\") or\n (process.name : \"nltest.exe\" and process.args : (\"/dclist\", \"/dsgetdc\")) or\n (process.name : \"nslookup.exe\" and process.args : \"*_ldap._tcp.dc.*\") or\n (process.name: (\"dsquery.exe\", \"dsget.exe\") and process.args: \"subnet\") or\n ((((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and not \n process.parent.name : \"net.exe\")) and \n process.args : \"group\" and process.args : \"/domain\" and not process.args : \"/add\")))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": 
"keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/"}, {"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "0635c542-1b96-4335-9b47-126582d2c19a_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_110.json b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_110.json
deleted file mode 100644
index de3e0f9be94..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Discovery of remote system information using built-in commands, which may be used to move laterally.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote System Discovery Commands", "note": "## Triage and analysis\n\n### Investigating Remote System Discovery Commands\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `arp` or `nbstat` utilities to enumerate remote systems in the environment, which is useful for attackers to identify lateral movement targets.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n (process.name : \"arp.exe\" and process.args : \"-a\") or\n (process.name : \"nltest.exe\" and process.args : (\"/dclist\", \"/dsgetdc\")) or\n (process.name : \"nslookup.exe\" and process.args : \"*_ldap._tcp.dc.*\") or\n (process.name: (\"dsquery.exe\", \"dsget.exe\") and process.args: \"subnet\") or\n ((((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and not \n process.parent.name : \"net.exe\")) and \n process.args : \"group\" and process.args : \"/domain\" and not process.args : \"/add\")))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", 
"type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/"}, {"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "0635c542-1b96-4335-9b47-126582d2c19a_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_111.json b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_111.json
deleted file mode 100644
index 5a951181366..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Discovery of remote system information using built-in commands, which may be used to move laterally.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote System Discovery Commands", "note": "## Triage and analysis\n\n### Investigating Remote System Discovery Commands\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `arp` or `nbstat` utilities to enumerate remote systems in the environment, which is useful for attackers to identify lateral movement targets.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n (process.name : \"arp.exe\" and process.args : \"-a\") or\n (process.name : \"nltest.exe\" and process.args : (\"/dclist\", \"/dsgetdc\")) or\n (process.name : \"nslookup.exe\" and process.args : \"*_ldap._tcp.dc.*\") or\n (process.name: (\"dsquery.exe\", \"dsget.exe\") and process.args: \"subnet\") or\n ((((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and not \n process.parent.name : \"net.exe\")) and \n process.args : \"group\" and process.args : \"/domain\" and not process.args : \"/add\")))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", 
"type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/"}, {"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "0635c542-1b96-4335-9b47-126582d2c19a_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_112.json b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_112.json
deleted file mode 100644
index 851451c2e90..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_112.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Discovery of remote system information using built-in commands, which may be used to move laterally.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote System Discovery Commands", "note": "## Triage and analysis\n\n### Investigating Remote System Discovery Commands\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `arp` or `nbstat` utilities to enumerate remote systems in the environment, which is useful for attackers to identify lateral movement targets.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n (process.name : \"arp.exe\" and process.args : \"-a\") or\n (process.name : \"nltest.exe\" and process.args : (\"/dclist\", \"/dsgetdc\")) or\n (process.name : \"nslookup.exe\" and process.args : \"*_ldap._tcp.dc.*\") or\n (process.name: (\"dsquery.exe\", \"dsget.exe\") and process.args: \"subnet\") or\n ((((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and not \n process.parent.name : \"net.exe\")) and \n process.args : \"group\" and process.args : \"/domain\" and not process.args : \"/add\"))) and\n not\n (\n (\n process.name : \"arp.exe\" and\n process.parent.executable : (\n \"?:\\\\ProgramData\\\\CentraStage\\\\AEMAgent\\\\AEMAgent.exe\",\n \"?:\\\\Program Files (x86)\\\\Citrix\\\\Workspace Environment Management 
Agent\\\\Citrix.Wem.Agent.Service.exe\",\n \"?:\\\\Program Files (x86)\\\\Lansweeper\\\\Service\\\\LansweeperService.exe\"\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/"}, {"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": 
"0635c542-1b96-4335-9b47-126582d2c19a_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_113.json b/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_113.json
deleted file mode 100644
index 50eae4253d0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0635c542-1b96-4335-9b47-126582d2c19a_113.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Discovery of remote system information using built-in commands, which may be used to move laterally.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote System Discovery Commands", "note": "## Triage and analysis\n\n### Investigating Remote System Discovery Commands\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `arp` or `nbstat` utilities to enumerate remote systems in the environment, which is useful for attackers to identify lateral movement targets.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"nbtstat.exe\" and process.args : (\"-n\", \"-s\")) or\n (process.name : \"arp.exe\" and process.args : \"-a\") or\n (process.name : \"nltest.exe\" and process.args : (\"/dclist\", \"/dsgetdc\")) or\n (process.name : \"nslookup.exe\" and process.args : \"*_ldap._tcp.dc.*\") or\n (process.name: (\"dsquery.exe\", \"dsget.exe\") and process.args: \"subnet\") or\n ((((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and not \n process.parent.name : \"net.exe\")) and \n process.args : \"group\" and process.args : \"/domain\" and not process.args : \"/add\"))) and\n not\n (\n (\n process.name : \"arp.exe\" and\n process.parent.executable : (\n \"?:\\\\ProgramData\\\\CentraStage\\\\AEMAgent\\\\AEMAgent.exe\",\n \"?:\\\\Program Files (x86)\\\\Citrix\\\\Workspace Environment Management 
Agent\\\\Citrix.Wem.Agent.Service.exe\",\n \"?:\\\\Program Files (x86)\\\\Lansweeper\\\\Service\\\\LansweeperService.exe\"\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "0635c542-1b96-4335-9b47-126582d2c19a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/"}, {"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": 
"0635c542-1b96-4335-9b47-126582d2c19a_113", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa.json b/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa.json
deleted file mode 100644
index bae0f316633..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "System Time Discovery", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.name: \"net.exe\" or (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\")) and \n process.args : \"time\" and not process.args : \"/set\"\n ) or \n (process.name: \"w32tm.exe\" and process.args: \"/tz\") or \n (process.name: \"tzutil.exe\" and process.args: \"/g\")\n) and not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "06568a02-af29-4f20-929c-f3af281e41aa", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Rule Type: BBR", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1124", "name": "System Time Discovery", "reference": "https://attack.mitre.org/techniques/T1124/"}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "06568a02-af29-4f20-929c-f3af281e41aa", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_2.json b/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_2.json
deleted file mode 100644
index 9c2e3998296..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "System Time Discovery", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name: \"net.exe\" or (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\")) and process.args : \"time\") or \n (process.name: \"w32tm.exe\" and process.args: \"/tz\") or \n (process.name: \"tzutil.exe\" and process.args: \"/g\")\n) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "06568a02-af29-4f20-929c-f3af281e41aa", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1124", "name": "System Time Discovery", "reference": "https://attack.mitre.org/techniques/T1124/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "06568a02-af29-4f20-929c-f3af281e41aa_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_3.json b/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_3.json
deleted file mode 100644
index ff5ffc83f8a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "System Time Discovery", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name: \"net.exe\" or (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\")) and process.args : \"time\") or \n (process.name: \"w32tm.exe\" and process.args: \"/tz\") or \n (process.name: \"tzutil.exe\" and process.args: \"/g\")\n) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "06568a02-af29-4f20-929c-f3af281e41aa", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1124", "name": "System Time Discovery", "reference": "https://attack.mitre.org/techniques/T1124/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "06568a02-af29-4f20-929c-f3af281e41aa_3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_4.json b/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_4.json
deleted file mode 100644
index 97e6b0b418d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "System Time Discovery", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name: \"net.exe\" or (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\")) and process.args : \"time\") or \n (process.name: \"w32tm.exe\" and process.args: \"/tz\") or \n (process.name: \"tzutil.exe\" and process.args: \"/g\")\n) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "06568a02-af29-4f20-929c-f3af281e41aa", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1124", "name": "System Time Discovery", "reference": "https://attack.mitre.org/techniques/T1124/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "06568a02-af29-4f20-929c-f3af281e41aa_4", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_5.json b/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_5.json
deleted file mode 100644
index c4b27c2d892..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "System Time Discovery", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name: \"net.exe\" or (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\")) and \n process.args : \"time\") or \n (process.name: \"w32tm.exe\" and process.args: \"/tz\") or \n (process.name: \"tzutil.exe\" and process.args: \"/g\")\n) and not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "06568a02-af29-4f20-929c-f3af281e41aa", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1124", "name": "System Time Discovery", "reference": "https://attack.mitre.org/techniques/T1124/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": 
"06568a02-af29-4f20-929c-f3af281e41aa_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_6.json b/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_6.json
deleted file mode 100644
index 7a35a89e12f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "System Time Discovery", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.name: \"net.exe\" or (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\")) and \n process.args : \"time\" and not process.args : \"/set\"\n ) or \n (process.name: \"w32tm.exe\" and process.args: \"/tz\") or \n (process.name: \"tzutil.exe\" and process.args: \"/g\")\n) and not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "06568a02-af29-4f20-929c-f3af281e41aa", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1124", "name": "System Time Discovery", "reference": "https://attack.mitre.org/techniques/T1124/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, 
"id": "06568a02-af29-4f20-929c-f3af281e41aa_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_7.json b/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_7.json
deleted file mode 100644
index 8827250b746..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "System Time Discovery", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.name: \"net.exe\" or (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\")) and \n process.args : \"time\" and not process.args : \"/set\"\n ) or \n (process.name: \"w32tm.exe\" and process.args: \"/tz\") or \n (process.name: \"tzutil.exe\" and process.args: \"/g\")\n) and not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "06568a02-af29-4f20-929c-f3af281e41aa", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1124", "name": "System Time Discovery", "reference": "https://attack.mitre.org/techniques/T1124/"}]}], "timestamp_override": "event.ingested", 
"type": "eql", "version": 7}, "id": "06568a02-af29-4f20-929c-f3af281e41aa_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_8.json b/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_8.json
deleted file mode 100644
index 98fb5d8d5f2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "System Time Discovery", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.name: \"net.exe\" or (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\")) and \n process.args : \"time\" and not process.args : \"/set\"\n ) or \n (process.name: \"w32tm.exe\" and process.args: \"/tz\") or \n (process.name: \"tzutil.exe\" and process.args: \"/g\")\n) and not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "06568a02-af29-4f20-929c-f3af281e41aa", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Rule Type: BBR", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1124", "name": "System Time Discovery", "reference": "https://attack.mitre.org/techniques/T1124/"}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "06568a02-af29-4f20-929c-f3af281e41aa_8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_9.json b/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_9.json
deleted file mode 100644
index 46116399d7d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06568a02-af29-4f20-929c-f3af281e41aa_9.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects the usage of commonly used system time discovery techniques, which attackers may use during the reconnaissance phase after compromising a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "System Time Discovery", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.name: \"net.exe\" or (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\")) and \n process.args : \"time\" and not process.args : \"/set\"\n ) or \n (process.name: \"w32tm.exe\" and process.args: \"/tz\") or \n (process.name: \"tzutil.exe\" and process.args: \"/g\")\n) and not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", "related_integrations": [{"package": "windows", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "06568a02-af29-4f20-929c-f3af281e41aa", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Rule Type: BBR", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1124", "name": "System Time Discovery", "reference": "https://attack.mitre.org/techniques/T1124/"}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 9}, "id": "06568a02-af29-4f20-929c-f3af281e41aa_9", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0678bc9c-b71a-433b-87e6-2f664b6b3131.json b/packages/security_detection_engine/kibana/security_rule/0678bc9c-b71a-433b-87e6-2f664b6b3131.json
deleted file mode 100644
index d749466951e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0678bc9c-b71a-433b-87e6-2f664b6b3131.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected an unusually high file size shared by a remote host indicating potential lateral movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate valuable information. Instead of multiple small transfers that can raise alarms, attackers might choose to bundle data into a single large file transfer.", "from": "now-90m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_file_size_remote_file_transfer", "name": "Unusual Remote File Size", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "0678bc9c-b71a-433b-87e6-2f664b6b3131", "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- File events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 4}, "id": "0678bc9c-b71a-433b-87e6-2f664b6b3131", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0678bc9c-b71a-433b-87e6-2f664b6b3131_1.json b/packages/security_detection_engine/kibana/security_rule/0678bc9c-b71a-433b-87e6-2f664b6b3131_1.json
deleted file mode 100644
index 0fda9cd61e0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0678bc9c-b71a-433b-87e6-2f664b6b3131_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected an unusually high file size shared by a remote host indicating potential lateral movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate valuable information. Instead of multiple small transfers that can raise alarms, attackers might choose to bundle data into a single large file transfer.", "from": "now-90m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_file_size_remote_file_transfer", "name": "Unusual Remote File Size", "note": "", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "0678bc9c-b71a-433b-87e6-2f664b6b3131", "setup": "The Lateral Movement Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 1}, "id": "0678bc9c-b71a-433b-87e6-2f664b6b3131_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0678bc9c-b71a-433b-87e6-2f664b6b3131_2.json b/packages/security_detection_engine/kibana/security_rule/0678bc9c-b71a-433b-87e6-2f664b6b3131_2.json
deleted file mode 100644
index d672480794d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0678bc9c-b71a-433b-87e6-2f664b6b3131_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected an unusually high file size shared by a remote host indicating potential lateral movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate valuable information. Instead of multiple small transfers that can raise alarms, attackers might choose to bundle data into a single large file transfer.", "from": "now-90m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_file_size_remote_file_transfer", "name": "Unusual Remote File Size", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "0678bc9c-b71a-433b-87e6-2f664b6b3131", "setup": "The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- File events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your file events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 2}, "id": "0678bc9c-b71a-433b-87e6-2f664b6b3131_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0678bc9c-b71a-433b-87e6-2f664b6b3131_3.json b/packages/security_detection_engine/kibana/security_rule/0678bc9c-b71a-433b-87e6-2f664b6b3131_3.json
deleted file mode 100644
index d9681e70bf0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0678bc9c-b71a-433b-87e6-2f664b6b3131_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected an unusually high file size shared by a remote host indicating potential lateral movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate valuable information. Instead of multiple small transfers that can raise alarms, attackers might choose to bundle data into a single large file transfer.", "from": "now-90m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_file_size_remote_file_transfer", "name": "Unusual Remote File Size", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "0678bc9c-b71a-433b-87e6-2f664b6b3131", "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- File events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your file events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 3}, "id": "0678bc9c-b71a-433b-87e6-2f664b6b3131_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3.json b/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3.json
deleted file mode 100644
index c40f93f9634..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments.", "false_positives": ["Domain administrators may use this command-line utility for legitimate information gathering purposes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Enumerating Domain Trusts via DSQUERY.EXE", "note": "## Triage and analysis\n\n### Investigating Enumerating Domain Trusts via DSQUERY.EXE\n\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a \"trusting\" domain permits users from a \"trusted\" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\n\nThis rule identifies the usage of the `dsquery.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Enumerating Domain Trusts via NLTEST.EXE - 84da2554-e12a-11ec-b896-f661ea17fbcd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"dsquery.exe\" or ?process.pe.original_file_name: \"dsquery.exe\") and \n process.args : \"*objectClass=trustedDomain*\"\n", "references": ["https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)", "https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "06a7a03c-c735-47a6-a313-51c354aef6c3", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 9}, "id": "06a7a03c-c735-47a6-a313-51c354aef6c3", 
"type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_2.json b/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_2.json
deleted file mode 100644
index 56b7137968a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments.", "false_positives": ["Domain administrators may use this command-line utility for legitimate information gathering purposes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Enumerating Domain Trusts via DSQUERY.EXE", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"dsquery.exe\" or process.pe.original_file_name: \"dsquery.exe\") and \n process.args : \"*objectClass=trustedDomain*\"\n", "references": ["https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)", "https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "06a7a03c-c735-47a6-a313-51c354aef6c3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat 
Detection", "Discovery", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "06a7a03c-c735-47a6-a313-51c354aef6c3_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_209.json b/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_209.json
deleted file mode 100644
index c41e7b9d39d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_209.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments.", "false_positives": ["Domain administrators may use this command-line utility for legitimate information gathering purposes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Enumerating Domain Trusts via DSQUERY.EXE", "note": "## Triage and analysis\n\n### Investigating Enumerating Domain Trusts via DSQUERY.EXE\n\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a \"trusting\" domain permits users from a \"trusted\" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\n\nThis rule identifies the usage of the `dsquery.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Enumerating Domain Trusts via NLTEST.EXE - 84da2554-e12a-11ec-b896-f661ea17fbcd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"dsquery.exe\" or ?process.pe.original_file_name: \"dsquery.exe\") and \n process.args : \"*objectClass=trustedDomain*\"\n", "references": ["https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)", "https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "06a7a03c-c735-47a6-a313-51c354aef6c3", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1482", 
"name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 209}, "id": "06a7a03c-c735-47a6-a313-51c354aef6c3_209", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_3.json b/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_3.json
deleted file mode 100644
index ab8a61c2647..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments.", "false_positives": ["Domain administrators may use this command-line utility for legitimate information gathering purposes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Enumerating Domain Trusts via DSQUERY.EXE", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"dsquery.exe\" or process.pe.original_file_name: \"dsquery.exe\") and \n process.args : \"*objectClass=trustedDomain*\"\n", "references": ["https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)", "https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "06a7a03c-c735-47a6-a313-51c354aef6c3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use 
Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "06a7a03c-c735-47a6-a313-51c354aef6c3_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_4.json b/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_4.json
deleted file mode 100644
index 5246c225f93..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments.", "false_positives": ["Domain administrators may use this command-line utility for legitimate information gathering purposes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Enumerating Domain Trusts via DSQUERY.EXE", "note": "## Triage and analysis\n\n### Investigating Enumerating Domain Trusts via DSQUERY.EXE\n\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a \"trusting\" domain permits users from a \"trusted\" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\n\nThis rule identifies the usage of the `dsquery.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Enumerating Domain Trusts via NLTEST.EXE - 84da2554-e12a-11ec-b896-f661ea17fbcd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"dsquery.exe\" or process.pe.original_file_name: \"dsquery.exe\") and \n process.args : \"*objectClass=trustedDomain*\"\n", "references": ["https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)", "https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "06a7a03c-c735-47a6-a313-51c354aef6c3", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", 
"Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "06a7a03c-c735-47a6-a313-51c354aef6c3_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_5.json b/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_5.json
deleted file mode 100644
index 24fe77d8ba4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments.", "false_positives": ["Domain administrators may use this command-line utility for legitimate information gathering purposes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Enumerating Domain Trusts via DSQUERY.EXE", "note": "## Triage and analysis\n\n### Investigating Enumerating Domain Trusts via DSQUERY.EXE\n\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a \"trusting\" domain permits users from a \"trusted\" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\n\nThis rule identifies the usage of the `dsquery.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Enumerating Domain Trusts via NLTEST.EXE - 84da2554-e12a-11ec-b896-f661ea17fbcd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"dsquery.exe\" or process.pe.original_file_name: \"dsquery.exe\") and \n process.args : \"*objectClass=trustedDomain*\"\n", "references": ["https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)", "https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "06a7a03c-c735-47a6-a313-51c354aef6c3", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", 
"Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "06a7a03c-c735-47a6-a313-51c354aef6c3_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_6.json b/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_6.json
deleted file mode 100644
index c08e4cb77d5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments.", "false_positives": ["Domain administrators may use this command-line utility for legitimate information gathering purposes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Enumerating Domain Trusts via DSQUERY.EXE", "note": "## Triage and analysis\n\n### Investigating Enumerating Domain Trusts via DSQUERY.EXE\n\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a \"trusting\" domain permits users from a \"trusted\" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\n\nThis rule identifies the usage of the `dsquery.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Enumerating Domain Trusts via NLTEST.EXE - 84da2554-e12a-11ec-b896-f661ea17fbcd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"dsquery.exe\" or ?process.pe.original_file_name: \"dsquery.exe\") and \n process.args : \"*objectClass=trustedDomain*\"\n", "references": ["https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)", "https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "06a7a03c-c735-47a6-a313-51c354aef6c3", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "06a7a03c-c735-47a6-a313-51c354aef6c3_6", "type": "security-rule"} \ 
No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_7.json b/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_7.json
deleted file mode 100644
index edc64fe33cd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments.", "false_positives": ["Domain administrators may use this command-line utility for legitimate information gathering purposes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Enumerating Domain Trusts via DSQUERY.EXE", "note": "## Triage and analysis\n\n### Investigating Enumerating Domain Trusts via DSQUERY.EXE\n\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a \"trusting\" domain permits users from a \"trusted\" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\n\nThis rule identifies the usage of the `dsquery.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Enumerating Domain Trusts via NLTEST.EXE - 84da2554-e12a-11ec-b896-f661ea17fbcd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"dsquery.exe\" or ?process.pe.original_file_name: \"dsquery.exe\") and \n process.args : \"*objectClass=trustedDomain*\"\n", "references": ["https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)", "https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "06a7a03c-c735-47a6-a313-51c354aef6c3", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "06a7a03c-c735-47a6-a313-51c354aef6c3_7", "type": "security-rule"} \ 
No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_8.json b/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_8.json
deleted file mode 100644
index ce38123a201..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_8.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments.", "false_positives": ["Domain administrators may use this command-line utility for legitimate information gathering purposes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Enumerating Domain Trusts via DSQUERY.EXE", "note": "## Triage and analysis\n\n### Investigating Enumerating Domain Trusts via DSQUERY.EXE\n\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a \"trusting\" domain permits users from a \"trusted\" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\n\nThis rule identifies the usage of the `dsquery.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Enumerating Domain Trusts via NLTEST.EXE - 84da2554-e12a-11ec-b896-f661ea17fbcd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"dsquery.exe\" or ?process.pe.original_file_name: \"dsquery.exe\") and \n process.args : \"*objectClass=trustedDomain*\"\n", "references": ["https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)", "https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "06a7a03c-c735-47a6-a313-51c354aef6c3", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "06a7a03c-c735-47a6-a313-51c354aef6c3_8", "type": "security-rule"} \ 
No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_9.json b/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_9.json
deleted file mode 100644
index ace0eb33a55..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06a7a03c-c735-47a6-a313-51c354aef6c3_9.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of dsquery.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate trust relationships that may be used for Lateral Movement opportunities in Windows multi-domain forest environments.", "false_positives": ["Domain administrators may use this command-line utility for legitimate information gathering purposes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Enumerating Domain Trusts via DSQUERY.EXE", "note": "## Triage and analysis\n\n### Investigating Enumerating Domain Trusts via DSQUERY.EXE\n\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a \"trusting\" domain permits users from a \"trusted\" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\n\nThis rule identifies the usage of the `dsquery.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Enumerating Domain Trusts via NLTEST.EXE - 84da2554-e12a-11ec-b896-f661ea17fbcd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"dsquery.exe\" or ?process.pe.original_file_name: \"dsquery.exe\") and \n process.args : \"*objectClass=trustedDomain*\"\n", "references": ["https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)", "https://posts.specterops.io/a-guide-to-attacking-domain-trusts-971e52cb2944"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "06a7a03c-c735-47a6-a313-51c354aef6c3", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 9}, "id": "06a7a03c-c735-47a6-a313-51c354aef6c3_9", 
"type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a.json b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a.json
deleted file mode 100644
index d4522bbc634..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Evasion via Filter Manager", "note": "## Triage and analysis\n\n### Investigating Potential Evasion via Filter Manager\n\nA file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc.\n\nAttackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections.\n\nThis rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line event to identify the target driver.\n - Identify the minifilter's role in the environment and if it is security-related.
Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"fltMC.exe\" and process.args : \"unload\" and\n not\n (\n (\n process.executable : \"?:\\\\Program Files (x86)\\\\ManageEngine\\\\UEMS_Agent\\\\bin\\\\DCFAService64.exe\" and\n process.args : (\"DFMFilter\", \"DRMFilter\")\n ) or\n (\n process.executable : \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\" and\n process.args : (\"BrFilter_*\", \"BrCow_*\") and\n user.id : \"S-1-5-18\"\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair 
Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_104.json b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_104.json
deleted file mode 100644
index d5d81556996..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Evasion via Filter Manager", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"fltMC.exe\" and process.args : \"unload\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a_104", "type": "security-rule"}
\ No newline
at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_105.json b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_105.json
deleted file mode 100644
index 7754e8bd56a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Evasion via Filter Manager", "note": "## Triage and analysis\n\n### Investigating Potential Evasion via Filter Manager\n\nA file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc.\n\nAttackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections.\n\nThis rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line event to identify the target driver.\n - Identify the minifilter's role in the environment and if it is security-related.
Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"fltMC.exe\" and process.args : \"unload\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_106.json b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_106.json
deleted file mode 100644
index 502ae2011e9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Evasion via Filter Manager", "note": "## Triage and analysis\n\n### Investigating Potential Evasion via Filter Manager\n\nA file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc.\n\nAttackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections.\n\nThis rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line event to identify the target driver.\n - Identify the minifilter's role in the environment and if it is security-related.
Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"fltMC.exe\" and process.args : \"unload\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_107.json b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_107.json
deleted file mode 100644
index b959a07f373..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Evasion via Filter Manager", "note": "## Triage and analysis\n\n### Investigating Potential Evasion via Filter Manager\n\nA file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc.\n\nAttackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections.\n\nThis rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line event to identify the target driver.\n - Identify the minifilter's role in the environment and if it is security-related. 
Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"fltMC.exe\" and process.args : \"unload\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_108.json b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_108.json
deleted file mode 100644
index e3e596f83d2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Evasion via Filter Manager", "note": "## Triage and analysis\n\n### Investigating Potential Evasion via Filter Manager\n\nA file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc.\n\nAttackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections.\n\nThis rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line event to identify the target driver.\n - Identify the minifilter's role in the environment and if it is security-related. 
Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"fltMC.exe\" and process.args : \"unload\" and\n not\n (\n (\n process.executable : \"?:\\\\Program Files (x86)\\\\ManageEngine\\\\UEMS_Agent\\\\bin\\\\DCFAService64.exe\" and\n process.args : (\"DFMFilter\", \"DRMFilter\")\n ) or\n (\n process.executable : \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\" and\n process.args : (\"BrFilter_*\", \"BrCow_*\") and\n user.id : \"S-1-5-18\"\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": 
"Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_109.json b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_109.json
deleted file mode 100644
index d4131ea14d9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Evasion via Filter Manager", "note": "## Triage and analysis\n\n### Investigating Potential Evasion via Filter Manager\n\nA file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc.\n\nAttackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections.\n\nThis rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line event to identify the target driver.\n - Identify the minifilter's role in the environment and if it is security-related. 
Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"fltMC.exe\" and process.args : \"unload\" and\n not\n (\n (\n process.executable : \"?:\\\\Program Files (x86)\\\\ManageEngine\\\\UEMS_Agent\\\\bin\\\\DCFAService64.exe\" and\n process.args : (\"DFMFilter\", \"DRMFilter\")\n ) or\n (\n process.executable : \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\" and\n process.args : (\"BrFilter_*\", \"BrCow_*\") and\n user.id : \"S-1-5-18\"\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": 
"Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_110.json b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_110.json
deleted file mode 100644
index 3681dac14d7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Evasion via Filter Manager", "note": "## Triage and analysis\n\n### Investigating Potential Evasion via Filter Manager\n\nA file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc.\n\nAttackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections.\n\nThis rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line event to identify the target driver.\n - Identify the minifilter's role in the environment and if it is security-related. 
Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"fltMC.exe\" and process.args : \"unload\" and\n not\n (\n (\n process.executable : \"?:\\\\Program Files (x86)\\\\ManageEngine\\\\UEMS_Agent\\\\bin\\\\DCFAService64.exe\" and\n process.args : (\"DFMFilter\", \"DRMFilter\")\n ) or\n (\n process.executable : \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\" and\n process.args : (\"BrFilter_*\", \"BrCow_*\") and\n user.id : \"S-1-5-18\"\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": 
"Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_111.json b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_111.json
deleted file mode 100644
index ec8c89c48ab..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Evasion via Filter Manager", "note": "## Triage and analysis\n\n### Investigating Potential Evasion via Filter Manager\n\nA file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc.\n\nAttackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections.\n\nThis rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line event to identify the target driver.\n - Identify the minifilter's role in the environment and if it is security-related. 
Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"fltMC.exe\" and process.args : \"unload\" and\n not\n (\n (\n process.executable : \"?:\\\\Program Files (x86)\\\\ManageEngine\\\\UEMS_Agent\\\\bin\\\\DCFAService64.exe\" and\n process.args : (\"DFMFilter\", \"DRMFilter\")\n ) or\n (\n process.executable : \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\" and\n process.args : (\"BrFilter_*\", \"BrCow_*\") and\n user.id : \"S-1-5-18\"\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": 
"https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_112.json b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_112.json deleted file mode 100644 index 00e826fb93a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_112.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Evasion via Filter Manager", "note": "## Triage and analysis\n\n### Investigating Potential Evasion via Filter Manager\n\nA file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc.\n\nAttackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections.\n\nThis rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line event to identify the target driver.\n - Identify the minifilter's role in the environment and if it is security-related. 
Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"fltMC.exe\" and process.args : \"unload\" and\n not\n (\n (\n process.executable : \"?:\\\\Program Files (x86)\\\\ManageEngine\\\\UEMS_Agent\\\\bin\\\\DCFAService64.exe\" and\n process.args : (\"DFMFilter\", \"DRMFilter\")\n ) or\n (\n process.executable : \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\" and\n process.args : (\"BrFilter_*\", \"BrCow_*\") and\n user.id : \"S-1-5-18\"\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair 
Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_212.json b/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_212.json
deleted file mode 100644
index ffe10504598..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/06dceabf-adca-48af-ac79-ffdf4c3b1e9a_212.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Evasion via Filter Manager", "note": "## Triage and analysis\n\n### Investigating Potential Evasion via Filter Manager\n\nA file system filter driver, or minifilter, is a specialized type of filter driver designed to intercept and modify I/O requests sent to a file system or another filter driver. Minifilters are used by a wide range of security software, including EDR, antivirus, backup agents, encryption products, etc.\n\nAttackers may try to unload minifilters to avoid protections such as malware detection, file system monitoring, and behavior-based detections.\n\nThis rule identifies the attempt to unload a minifilter using the `fltmc.exe` command-line utility, a tool used to manage and query the filter drivers loaded on Windows systems.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line event to identify the target driver.\n - Identify the minifilter's role in the environment and if it is security-related. 
Microsoft provides a [list](https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes) of allocated altitudes that may provide more context, such as the manufacturer.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for the action.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"fltMC.exe\" and process.args : \"unload\" and\n not\n (\n (\n process.executable : \"?:\\\\Program Files (x86)\\\\ManageEngine\\\\UEMS_Agent\\\\bin\\\\DCFAService64.exe\" and\n process.args : (\"DFMFilter\", \"DRMFilter\")\n ) or\n (\n process.executable : \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\" and\n process.args : (\"BrFilter_*\", \"BrCow_*\") and\n user.id : \"S-1-5-18\"\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair 
Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 212}, "id": "06dceabf-adca-48af-ac79-ffdf4c3b1e9a_212", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7.json b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7.json
deleted file mode 100644
index bf541177daa..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Desktop Enabled in Windows Firewall by Netsh", "note": "## Triage and analysis\n\n### Investigating Remote Desktop Enabled in Windows Firewall by Netsh\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects the creation of a Windows Firewall inbound rule that would allow inbound RDP traffic using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- The `netsh.exe` utility can be used legitimately. 
Check whether the user should be performing this kind of activity, whether the user is aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or ?process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` 
and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "074464f9-f30d-4029-8c03-0ed237fffec7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_104.json b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_104.json
deleted file mode 100644
index 749a72a4e8e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Desktop Enabled in Windows Firewall by Netsh", "note": "## Triage and analysis\n\n### Investigating Remote Desktop Enabled in Windows Firewall by Netsh\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects the creation of a Windows Firewall inbound rule that would allow inbound RDP traffic using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- The `netsh.exe` utility can be used legitimately. 
Check whether the user should be performing this kind of activity, whether the user is aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, 
so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "074464f9-f30d-4029-8c03-0ed237fffec7_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_105.json b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_105.json
deleted file mode 100644
index c719d390e2b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Desktop Enabled in Windows Firewall by Netsh", "note": "## Triage and analysis\n\n### Investigating Remote Desktop Enabled in Windows Firewall by Netsh\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects the creation of a Windows Firewall inbound rule that would allow inbound RDP traffic using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- The `netsh.exe` utility can be used legitimately. 
Check whether the user should be performing this kind of activity, whether the user is aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, 
so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "074464f9-f30d-4029-8c03-0ed237fffec7_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_106.json b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_106.json
deleted file mode 100644
index d58ed867ab4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Desktop Enabled in Windows Firewall by Netsh", "note": "## Triage and analysis\n\n### Investigating Remote Desktop Enabled in Windows Firewall by Netsh\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects the creation of a Windows Firewall inbound rule that would allow inbound RDP traffic using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- The `netsh.exe` utility can be used legitimately. 
Check whether the user should be performing this kind of activity, whether the user is aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, 
so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "074464f9-f30d-4029-8c03-0ed237fffec7_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_107.json b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_107.json
deleted file mode 100644
index c491a17b032..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Desktop Enabled in Windows Firewall by Netsh", "note": "## Triage and analysis\n\n### Investigating Remote Desktop Enabled in Windows Firewall by Netsh\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects the creation of a Windows Firewall inbound rule that would allow inbound RDP traffic using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- The `netsh.exe` utility can be used legitimately. 
Check whether the user should be performing this kind of activity, whether the user is aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added 
until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "074464f9-f30d-4029-8c03-0ed237fffec7_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_108.json b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_108.json
deleted file mode 100644
index 442c95d3795..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Desktop Enabled in Windows Firewall by Netsh", "note": "## Triage and analysis\n\n### Investigating Remote Desktop Enabled in Windows Firewall by Netsh\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects the creation of a Windows Firewall inbound rule that would allow inbound RDP traffic using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- The `netsh.exe` utility can be used legitimately. 
Check whether the user should be performing this kind of activity, whether the user is aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or ?process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and 
default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "074464f9-f30d-4029-8c03-0ed237fffec7_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_109.json b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_109.json
deleted file mode 100644
index 310e56fa3f7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Desktop Enabled in Windows Firewall by Netsh", "note": "## Triage and analysis\n\n### Investigating Remote Desktop Enabled in Windows Firewall by Netsh\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects the creation of a Windows Firewall inbound rule that would allow inbound RDP traffic using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- The `netsh.exe` utility can be used legitimately. 
Check whether the user should be performing this kind of activity, whether the user is aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or ?process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` 
and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "074464f9-f30d-4029-8c03-0ed237fffec7_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_110.json b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_110.json
deleted file mode 100644
index 5a1512cf2be..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Desktop Enabled in Windows Firewall by Netsh", "note": "## Triage and analysis\n\n### Investigating Remote Desktop Enabled in Windows Firewall by Netsh\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects the creation of a Windows Firewall inbound rule that would allow inbound RDP traffic using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- The `netsh.exe` utility can be used legitimately. 
Check whether the user should be performing this kind of activity, whether the user is aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or ?process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` 
and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "074464f9-f30d-4029-8c03-0ed237fffec7_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_111.json b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_111.json
deleted file mode 100644
index e268a7b5fd6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Desktop Enabled in Windows Firewall by Netsh", "note": "## Triage and analysis\n\n### Investigating Remote Desktop Enabled in Windows Firewall by Netsh\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects the creation of a Windows Firewall inbound rule that would allow inbound RDP traffic using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- The `netsh.exe` utility can be used legitimately. 
Check whether the user should be performing this kind of activity, whether the user is aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or ?process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` 
and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "074464f9-f30d-4029-8c03-0ed237fffec7_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_311.json b/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_311.json deleted file mode 100644 index eb2c3fc6961..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/074464f9-f30d-4029-8c03-0ed237fffec7_311.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the network shell utility (netsh.exe) to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Desktop Enabled in Windows Firewall by Netsh", "note": "## Triage and analysis\n\n### Investigating Remote Desktop Enabled in Windows Firewall by Netsh\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects the creation of a Windows Firewall inbound rule that would allow inbound RDP traffic using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- The `netsh.exe` utility can be used legitimately. Check whether the user should be performing this kind of activity, whether the user is aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or ?process.pe.original_file_name == \"netsh.exe\") and\n process.args : (\"localport=3389\", \"RemoteDesktop\", \"group=\\\"remote desktop\\\"\") and\n process.args : (\"action=allow\", \"enable=Yes\", \"enable\")\n", "related_integrations": [{"package": 
"endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "074464f9-f30d-4029-8c03-0ed237fffec7", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 311}, "id": "074464f9-f30d-4029-8c03-0ed237fffec7_311", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/07639887-da3a-4fbf-9532-8ce748ff8c50.json b/packages/security_detection_engine/kibana/security_rule/07639887-da3a-4fbf-9532-8ce748ff8c50.json deleted file mode 100644 index 4c123f7ee35..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/07639887-da3a-4fbf-9532-8ce748ff8c50.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in your repository. Changes to these protected branch settings should be investigated and verified as legitimate activity. Unauthorized changes could be used to lower your organization's security posture and leave you exposed for future attacks.", "from": "now-9m", "index": ["logs-github.audit-*"], "language": "eql", "license": "Elastic License v2", "name": "GitHub Protected Branch Settings Changed", "query": "configuration where event.dataset == \"github.audit\" \n and github.category == \"protected_branch\" and event.type == \"change\"\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "github.category", "type": "keyword"}], "risk_score": 47, "rule_id": "07639887-da3a-4fbf-9532-8ce748ff8c50", "severity": "medium", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "07639887-da3a-4fbf-9532-8ce748ff8c50", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/07639887-da3a-4fbf-9532-8ce748ff8c50_1.json b/packages/security_detection_engine/kibana/security_rule/07639887-da3a-4fbf-9532-8ce748ff8c50_1.json
deleted file mode 100644
index c421950fd5c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/07639887-da3a-4fbf-9532-8ce748ff8c50_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in your repository. Changes to these protected branch settings should be investigated and verified as legitimate activity. Unauthorized changes could be used to lower your organization's security posture and leave you exposed for future attacks.", "from": "now-9m", "index": ["logs-github.audit-*"], "language": "eql", "license": "Elastic License v2", "name": "GitHub Protected Branch Settings Changed", "query": "configuration where event.dataset == \"github.audit\" \n and github.category == \"protected_branch\" and event.type == \"change\" \n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "github.category", "type": "unknown"}], "risk_score": 47, "rule_id": "07639887-da3a-4fbf-9532-8ce748ff8c50", "severity": "medium", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "07639887-da3a-4fbf-9532-8ce748ff8c50_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/07639887-da3a-4fbf-9532-8ce748ff8c50_105.json b/packages/security_detection_engine/kibana/security_rule/07639887-da3a-4fbf-9532-8ce748ff8c50_105.json
new file mode 100644
index 00000000000..d654fc1b9df
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/07639887-da3a-4fbf-9532-8ce748ff8c50_105.json
@@ -0,0 +1,77 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in your repository. Changes to these protected branch settings should be investigated and verified as legitimate activity. Unauthorized changes could be used to lower your organization's security posture and leave you exposed for future attacks.",
+ "from": "now-9m",
+ "index": [
+ "logs-github.audit-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "GitHub Protected Branch Settings Changed",
+ "query": "configuration where event.dataset == \"github.audit\" \n and github.category == \"protected_branch\" and event.type == \"change\"\n",
+ "related_integrations": [
+ {
+ "package": "github",
+ "version": "^2.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "github.category",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "07639887-da3a-4fbf-9532-8ce748ff8c50",
+ "severity": "medium",
+ "tags": [
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Github"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.001",
+ "name": "Disable or Modify Tools",
+ "reference": "https://attack.mitre.org/techniques/T1562/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 105
+ },
+ "id": "07639887-da3a-4fbf-9532-8ce748ff8c50_105",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/07639887-da3a-4fbf-9532-8ce748ff8c50_2.json b/packages/security_detection_engine/kibana/security_rule/07639887-da3a-4fbf-9532-8ce748ff8c50_2.json
deleted file mode 100644
index 7781ec350f3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/07639887-da3a-4fbf-9532-8ce748ff8c50_2.json
+++ /dev/null
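Review bot: The query in this new rule version keys only on `event.type == "change"` for `github.category == "protected_branch"`, so whether removing a branch-protection rule outright — the highest-impact modification the description warns about — is caught depends on how the github integration normalizes `protected_branch.destroy`; that mapping is not visible here and is worth confirming against the `^2.0.0` integration this version now requires. If destroy events are emitted as `deletion`, widen the predicate to `event.type in ("change", "deletion")` and say so in the description. The rule also ships without a `note` investigation guide, whereas the netsh rule versions shown earlier in this patch carry one; a short triage section asking analysts to identify the actor, the repository and the specific protection setting altered, and to confirm the change with the repository owner, would bring it in line. Since these JSON files appear to be generated from upstream rule sources, the fix belongs in the source rule rather than in this artifact.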
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in your repository. Changes to these protected branch settings should be investigated and verified as legitimate activity. Unauthorized changes could be used to lower your organization's security posture and leave you exposed for future attacks.", "from": "now-9m", "index": ["logs-github.audit-*"], "language": "eql", "license": "Elastic License v2", "name": "GitHub Protected Branch Settings Changed", "query": "configuration where event.dataset == \"github.audit\" \n and github.category == \"protected_branch\" and event.type == \"change\" \n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "github.category", "type": "keyword"}], "risk_score": 47, "rule_id": "07639887-da3a-4fbf-9532-8ce748ff8c50", "severity": "medium", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "07639887-da3a-4fbf-9532-8ce748ff8c50_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/07639887-da3a-4fbf-9532-8ce748ff8c50_3.json b/packages/security_detection_engine/kibana/security_rule/07639887-da3a-4fbf-9532-8ce748ff8c50_3.json
deleted file mode 100644
index 072c2ec6b74..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/07639887-da3a-4fbf-9532-8ce748ff8c50_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects setting modifications for protected branches of a GitHub repository. Branch protection rules can be used to enforce certain workflows or requirements before a contributor can push changes to a branch in your repository. Changes to these protected branch settings should be investigated and verified as legitimate activity. Unauthorized changes could be used to lower your organization's security posture and leave you exposed for future attacks.", "from": "now-9m", "index": ["logs-github.audit-*"], "language": "eql", "license": "Elastic License v2", "name": "GitHub Protected Branch Settings Changed", "query": "configuration where event.dataset == \"github.audit\" \n and github.category == \"protected_branch\" and event.type == \"change\"\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "github.category", "type": "keyword"}], "risk_score": 47, "rule_id": "07639887-da3a-4fbf-9532-8ce748ff8c50", "severity": "medium", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "07639887-da3a-4fbf-9532-8ce748ff8c50_3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd.json b/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd.json
deleted file mode 100644
index fbb32194e98..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets.", "from": "now-119m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Proc Pseudo File System Enumeration", "query": "host.os.type:linux and event.category:file and event.action:\"opened-file\" and \nfile.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : (\n ps or netstat or landscape-sysin or w or pgrep or pidof or needrestart or apparmor_status\n) and not process.parent.pid : 1\n", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}], "risk_score": 21, "rule_id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd", "setup": "## Setup\n\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "low", "tags": ["Data Source: Auditd Manager", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "threshold": {"cardinality": [{"field": "file.path", "value": 100}], "field": ["host.id", "process.pid", "process.name"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 7}, "id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_1.json b/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_1.json
deleted file mode 100644
index a2d14eaffdb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Proc Pseudo File System Enumeration", "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. 
\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "host.os.type : \"linux\" and event.category : \"file\" and event.action : \"opened-file\" and \nfile.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.parent.pid : 1\n", "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}], "risk_score": 47, "rule_id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd", "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "medium", "tags": ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "threshold": {"cardinality": [{"field": "file.path", "value": 25}], "field": ["host.id", "process.pid", "process.name"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 1}, "id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_2.json b/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_2.json deleted file mode 100644 index d15f22eee63..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_2.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Proc Pseudo File System Enumeration", "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.
\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "host.os.type : \"linux\" and event.category : \"file\" and event.action : \"opened-file\" and \nfile.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : \"pidof\" and \nnot process.parent.pid : 1\n", "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}], "risk_score": 21, "rule_id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd", "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "low", "tags": ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "threshold": {"cardinality": [{"field": "file.path", "value": 100}], "field": ["host.id", "process.pid", "process.name"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 2}, "id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_3.json b/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_3.json
deleted file mode 100644
index a2e8fa9974f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets.", "from": "now-119m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Proc Pseudo File System Enumeration", "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.
\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "host.os.type : \"linux\" and event.category : \"file\" and event.action : \"opened-file\" and \nfile.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : \"pidof\" and \nnot process.parent.pid : 1\n", "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}], "risk_score": 21, "rule_id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd", "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "low", "tags": ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "threshold": {"cardinality": [{"field": "file.path", "value": 100}], "field": ["host.id", "process.pid", "process.name"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 3}, "id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_4.json b/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_4.json
deleted file mode 100644
index 0a5850aa0c2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets.", "from": "now-119m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Proc Pseudo File System Enumeration", "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.
\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "host.os.type:linux and event.category:file and event.action:\"opened-file\" and \nfile.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : (\n ps or netstat or landscape-sysin or w or pgrep or pidof or needrestart or apparmor_status\n) and not process.parent.pid : 1\n", "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}], "risk_score": 21, "rule_id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd", "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "low", "tags": ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "threshold": {"cardinality": [{"field": "file.path", "value": 100}], "field": ["host.id", "process.pid", "process.name"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 4}, "id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_5.json b/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_5.json
deleted file mode 100644
index 3a1e200cdb8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets.", "from": "now-119m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Proc Pseudo File System Enumeration", "query": "host.os.type:linux and event.category:file and event.action:\"opened-file\" and \nfile.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : (\n ps or netstat or landscape-sysin or w or pgrep or pidof or needrestart or apparmor_status\n) and not process.parent.pid : 1\n", "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}], "risk_score": 21, "rule_id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd", "setup": "\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "low", "tags": ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "threshold": {"cardinality": [{"field": "file.path", "value": 100}], "field": ["host.id", "process.pid", "process.name"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 5}, "id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_6.json b/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_6.json
deleted file mode 100644
index c6eedf7c643..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0787daa6-f8c5-453b-a4ec-048037f6c1cd_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors for a rapid enumeration of 25 different proc cmd, stat, and exe files, which suggests an abnormal activity pattern. Such behavior could be an indicator of a malicious process scanning or gathering information about running processes, potentially for reconnaissance, privilege escalation, or identifying vulnerable targets.", "from": "now-119m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Proc Pseudo File System Enumeration", "query": "host.os.type:linux and event.category:file and event.action:\"opened-file\" and \nfile.path : (/proc/*/cmdline or /proc/*/stat or /proc/*/exe) and not process.name : (\n ps or netstat or landscape-sysin or w or pgrep or pidof or needrestart or apparmor_status\n) and not process.parent.pid : 1\n", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}], "risk_score": 21, "rule_id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd", "setup": "\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon.
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "low", "tags": ["Data Source: Auditd Manager", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "threshold": {"cardinality": [{"field": "file.path", "value": 100}], "field": ["host.id", "process.pid", "process.name"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 6}, "id": "0787daa6-f8c5-453b-a4ec-048037f6c1cd_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076.json b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076.json
deleted file mode 100644
index 661740c1da8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Local Account TokenFilter Policy Disabled", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.value : \"LocalAccountTokenFilterPolicy\" and\n registry.path : (\n \"HKLM\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\"\n ) and registry.data.strings : (\"1\", \"0x00000001\")\n", "references": ["https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439", "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167", "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "07b1ef73-1fde-4a49-a34a-5dd40011b076", "severity": "medium", "tags": 
["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.002", "name": "Pass the Hash", "reference": "https://attack.mitre.org/techniques/T1550/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 212}, "id": "07b1ef73-1fde-4a49-a34a-5dd40011b076", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_109.json b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_109.json deleted file mode 100644 index 51eef5afc86..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_109.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Local Account TokenFilter Policy Disabled", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\") and\n registry.data.strings : (\"1\", \"0x00000001\")\n", "references": ["https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439", "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167", "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "07b1ef73-1fde-4a49-a34a-5dd40011b076", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.002", "name": "Pass the Hash", "reference": "https://attack.mitre.org/techniques/T1550/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "07b1ef73-1fde-4a49-a34a-5dd40011b076_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_210.json b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_210.json deleted file mode 100644 index 3a4ab91b1c5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_210.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Local Account TokenFilter Policy Disabled", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\") and\n registry.data.strings : (\"1\", \"0x00000001\")\n", "references": ["https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439", "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167", "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "07b1ef73-1fde-4a49-a34a-5dd40011b076", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.002", "name": "Pass the Hash", "reference": "https://attack.mitre.org/techniques/T1550/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 210}, "id": "07b1ef73-1fde-4a49-a34a-5dd40011b076_210", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_211.json b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_211.json deleted file mode 100644 index 90952029fbe..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_211.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Local Account TokenFilter Policy Disabled", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\") and\n registry.data.strings : (\"1\", \"0x00000001\")\n", "references": ["https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439", "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167", "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "07b1ef73-1fde-4a49-a34a-5dd40011b076", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data 
Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.002", "name": "Pass the Hash", "reference": "https://attack.mitre.org/techniques/T1550/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 211}, "id": "07b1ef73-1fde-4a49-a34a-5dd40011b076_211", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_212.json b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_212.json deleted file mode 100644 index a832170286b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_212.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Local Account TokenFilter Policy Disabled", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.value : \"LocalAccountTokenFilterPolicy\" and\n registry.path : (\n \"HKLM\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\"\n ) and registry.data.strings : (\"1\", \"0x00000001\")\n", "references": ["https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439", "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167", "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "07b1ef73-1fde-4a49-a34a-5dd40011b076", "severity": "medium", "tags": 
["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.002", "name": "Pass the Hash", "reference": "https://attack.mitre.org/techniques/T1550/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 212}, "id": "07b1ef73-1fde-4a49-a34a-5dd40011b076_212", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_3.json b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_3.json deleted file mode 100644 index 0a3e09f2b8a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Local Account TokenFilter Policy Disabled", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\") and\n registry.data.strings : (\"1\", \"0x00000001\")\n", "references": ["https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439", "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167", "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "07b1ef73-1fde-4a49-a34a-5dd40011b076", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Privilege Escalation", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege 
Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "07b1ef73-1fde-4a49-a34a-5dd40011b076_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_4.json b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_4.json deleted file mode 100644 index eb1cd9f5ff6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Local Account TokenFilter Policy Disabled", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\") and\n registry.data.strings : (\"1\", \"0x00000001\")\n", "references": ["https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439", "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167", "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "07b1ef73-1fde-4a49-a34a-5dd40011b076", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}, {"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "07b1ef73-1fde-4a49-a34a-5dd40011b076_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_5.json b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_5.json deleted file mode 100644 index 9c8d0abb815..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Local Account TokenFilter Policy Disabled", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\") and\n registry.data.strings : (\"1\", \"0x00000001\")\n", "references": ["https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439", "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167", "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "07b1ef73-1fde-4a49-a34a-5dd40011b076", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}, 
{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "07b1ef73-1fde-4a49-a34a-5dd40011b076_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_6.json b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_6.json deleted file mode 100644 index d5c88e2e0c9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Local Account TokenFilter Policy Disabled", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\") and\n registry.data.strings : (\"1\", \"0x00000001\")\n", "references": ["https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439", "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167", "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "07b1ef73-1fde-4a49-a34a-5dd40011b076", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", 
"name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.002", "name": "Pass the Hash", "reference": "https://attack.mitre.org/techniques/T1550/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "07b1ef73-1fde-4a49-a34a-5dd40011b076_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_7.json b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_7.json deleted file mode 100644 index d5a7aa55971..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Local Account TokenFilter Policy Disabled", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\") and\n registry.data.strings : (\"1\", \"0x00000001\")\n", "references": ["https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439", "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167", "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "07b1ef73-1fde-4a49-a34a-5dd40011b076", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": 
"https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.002", "name": "Pass the Hash", "reference": "https://attack.mitre.org/techniques/T1550/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "07b1ef73-1fde-4a49-a34a-5dd40011b076_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_8.json b/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_8.json deleted file mode 100644 index c35107f1042..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/07b1ef73-1fde-4a49-a34a-5dd40011b076_8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry modification to the LocalAccountTokenFilterPolicy policy. If this value exists (which doesn't by default) and is set to 1, then remote connections from all local members of Administrators are granted full high-integrity tokens during negotiation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Local Account TokenFilter Policy Disabled", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\*\\\\LocalAccountTokenFilterPolicy\",\n \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\LocalAccountTokenFilterPolicy\") and\n registry.data.strings : (\"1\", \"0x00000001\")\n", "references": ["https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2014-04-02/finding/V-36439", "https://posts.specterops.io/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy-506c25a7c167", "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "07b1ef73-1fde-4a49-a34a-5dd40011b076", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": 
"https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.002", "name": "Pass the Hash", "reference": "https://attack.mitre.org/techniques/T1550/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "07b1ef73-1fde-4a49-a34a-5dd40011b076_8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce.json deleted file mode 100644 index db48b1f43cc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Drive and Docs is a Google Workspace service that allows users to leverage Google Drive and Google Docs. Access to files is based on inherited permissions from the child organizational unit the user belongs to which is scoped by administrators. Typically if a user is removed, their files can be transferred to another user by the administrator. This service can also be abused by adversaries to transfer files to an adversary account for potential exfiltration.", "false_positives": ["Administrators may transfer file ownership during employee leave or absence to ensure continued operations by a new or existing employee."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Drive Ownership Transferred via Google Workspace", "note": "## Triage and analysis\n\n### Investigating Google Drive Ownership Transferred via Google Workspace\n\nGoogle Drive is a cloud storage service that allows users to store and access files. It is available to users with a Google Workspace account.\n\nGoogle Workspace administrators consider users' roles and organizational units when assigning permissions to files or shared drives. Owners of sensitive files and folders can grant permissions to users who make internal or external access requests. Adversaries abuse this trust system by accessing Google Drive resources with improperly scoped permissions and shared settings. Distributing phishing emails is another common approach to sharing malicious Google Drive documents. 
With this approach, adversaries aim to inherit the recipient's Google Workspace privileges when an external entity grants ownership.\n\nThis rule identifies when the ownership of a shared drive within a Google Workspace organization is transferred to another internal user.\n\n#### Possible investigation steps\n\n- From the admin console, review admin logs for involved user accounts. To find admin logs, go to `Security > Reporting > Audit and investigation > Admin log events`.\n- Determine if involved user accounts are active. To view user activity, go to `Directory > Users`.\n- Check if the involved user accounts were recently disabled, then re-enabled.\n- Review involved user accounts for potentially misconfigured permissions or roles.\n- Review the involved shared drive or files and related policies to determine if this action was expected and appropriate.\n- If a shared drive, access requirements based on Organizational Units in `Apps > Google Workspace > Drive and Docs > Manage shared drives`.\n- Triage potentially related alerts based on the users involved. To find alerts, go to `Security > Alerts`.\n\n### False positive analysis\n\n- Transferring drives requires Google Workspace administration permissions related to Google Drive. 
Check if this action was planned/expected from the requester and is appropriately targeting the correct receiver.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CREATE_DATA_TRANSFER_REQUEST\"\n and event.category:\"iam\" and google_workspace.admin.application.name:Drive*\n", "references": ["https://support.google.com/a/answer/1247799?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.application.name", "type": "keyword"}], "risk_score": 47, "rule_id": "07b5f85a-240f-11ed-b3d9-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Collection", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1074", "name": "Data Staged", "reference": "https://attack.mitre.org/techniques/T1074/", "subtechnique": [{"id": "T1074.002", "name": "Remote Data Staging", "reference": "https://attack.mitre.org/techniques/T1074/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "07b5f85a-240f-11ed-b3d9-f661ea17fbce", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_104.json b/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_104.json
deleted file mode 100644
index 41cf03dca4e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Drive and Docs is a Google Workspace service that allows users to leverage Google Drive and Google Docs. Access to files is based on inherited permissions from the child organizational unit the user belongs to which is scoped by administrators. Typically if a user is removed, their files can be transferred to another user by the administrator. This service can also be abused by adversaries to transfer files to an adversary account for potential exfiltration.", "false_positives": ["Administrators may transfer file ownership during employee leave or absence to ensure continued operations by a new or existing employee."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Drive Ownership Transferred via Google Workspace", "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CREATE_DATA_TRANSFER_REQUEST\"\n and event.category:\"iam\" and google_workspace.admin.application.name:Drive*\n", "references": ["https://support.google.com/a/answer/1247799?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.application.name", "type": "keyword"}], "risk_score": 47, "rule_id": "07b5f85a-240f-11ed-b3d9-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Collection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1074", "name": "Data Staged", "reference": "https://attack.mitre.org/techniques/T1074/", "subtechnique": [{"id": "T1074.002", "name": "Remote Data Staging", "reference": "https://attack.mitre.org/techniques/T1074/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "07b5f85a-240f-11ed-b3d9-f661ea17fbce_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_105.json
deleted file mode 100644
index fe5d0eae2a8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Drive and Docs is a Google Workspace service that allows users to leverage Google Drive and Google Docs. Access to files is based on inherited permissions from the child organizational unit the user belongs to which is scoped by administrators. Typically if a user is removed, their files can be transferred to another user by the administrator. This service can also be abused by adversaries to transfer files to an adversary account for potential exfiltration.", "false_positives": ["Administrators may transfer file ownership during employee leave or absence to ensure continued operations by a new or existing employee."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Drive Ownership Transferred via Google Workspace", "note": "## Triage and analysis\n\n### Investigating Google Drive Ownership Transferred via Google Workspace\n\nGoogle Drive is a cloud storage service that allows users to store and access files. It is available to users with a Google Workspace account.\n\nGoogle Workspace administrators consider users' roles and organizational units when assigning permissions to files or shared drives. Owners of sensitive files and folders can grant permissions to users who make internal or external access requests. Adversaries abuse this trust system by accessing Google Drive resources with improperly scoped permissions and shared settings. Distributing phishing emails is another common approach to sharing malicious Google Drive documents. 
With this approach, adversaries aim to inherit the recipient's Google Workspace privileges when an external entity grants ownership.\n\nThis rule identifies when the ownership of a shared drive within a Google Workspace organization is transferred to another internal user.\n\n#### Possible investigation steps\n\n- From the admin console, review admin logs for involved user accounts. To find admin logs, go to `Security > Reporting > Audit and investigation > Admin log events`.\n- Determine if involved user accounts are active. To view user activity, go to `Directory > Users`.\n- Check if the involved user accounts were recently disabled, then re-enabled.\n- Review involved user accounts for potentially misconfigured permissions or roles.\n- Review the involved shared drive or files and related policies to determine if this action was expected and appropriate.\n- If a shared drive, access requirements based on Organizational Units in `Apps > Google Workspace > Drive and Docs > Manage shared drives`.\n- Triage potentially related alerts based on the users involved. To find alerts, go to `Security > Alerts`.\n\n### False positive analysis\n\n- Transferring drives requires Google Workspace administration permissions related to Google Drive. 
Check if this action was planned/expected from the requester and is appropriately targeting the correct receiver.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CREATE_DATA_TRANSFER_REQUEST\"\n and event.category:\"iam\" and google_workspace.admin.application.name:Drive*\n", "references": ["https://support.google.com/a/answer/1247799?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.application.name", "type": "keyword"}], "risk_score": 47, "rule_id": "07b5f85a-240f-11ed-b3d9-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Collection", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1074", "name": "Data Staged", "reference": "https://attack.mitre.org/techniques/T1074/", "subtechnique": [{"id": "T1074.002", "name": "Remote Data Staging", "reference": "https://attack.mitre.org/techniques/T1074/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "07b5f85a-240f-11ed-b3d9-f661ea17fbce_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_106.json b/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_106.json
deleted file mode 100644
index e799b3118e6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/07b5f85a-240f-11ed-b3d9-f661ea17fbce_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Drive and Docs is a Google Workspace service that allows users to leverage Google Drive and Google Docs. Access to files is based on inherited permissions from the child organizational unit the user belongs to which is scoped by administrators. Typically if a user is removed, their files can be transferred to another user by the administrator. This service can also be abused by adversaries to transfer files to an adversary account for potential exfiltration.", "false_positives": ["Administrators may transfer file ownership during employee leave or absence to ensure continued operations by a new or existing employee."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Drive Ownership Transferred via Google Workspace", "note": "## Triage and analysis\n\n### Investigating Google Drive Ownership Transferred via Google Workspace\n\nGoogle Drive is a cloud storage service that allows users to store and access files. It is available to users with a Google Workspace account.\n\nGoogle Workspace administrators consider users' roles and organizational units when assigning permissions to files or shared drives. Owners of sensitive files and folders can grant permissions to users who make internal or external access requests. Adversaries abuse this trust system by accessing Google Drive resources with improperly scoped permissions and shared settings. Distributing phishing emails is another common approach to sharing malicious Google Drive documents. 
With this approach, adversaries aim to inherit the recipient's Google Workspace privileges when an external entity grants ownership.\n\nThis rule identifies when the ownership of a shared drive within a Google Workspace organization is transferred to another internal user.\n\n#### Possible investigation steps\n\n- From the admin console, review admin logs for involved user accounts. To find admin logs, go to `Security > Reporting > Audit and investigation > Admin log events`.\n- Determine if involved user accounts are active. To view user activity, go to `Directory > Users`.\n- Check if the involved user accounts were recently disabled, then re-enabled.\n- Review involved user accounts for potentially misconfigured permissions or roles.\n- Review the involved shared drive or files and related policies to determine if this action was expected and appropriate.\n- If a shared drive, access requirements based on Organizational Units in `Apps > Google Workspace > Drive and Docs > Manage shared drives`.\n- Triage potentially related alerts based on the users involved. To find alerts, go to `Security > Alerts`.\n\n### False positive analysis\n\n- Transferring drives requires Google Workspace administration permissions related to Google Drive. 
Check if this action was planned/expected from the requester and is appropriately targeting the correct receiver.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CREATE_DATA_TRANSFER_REQUEST\"\n and event.category:\"iam\" and google_workspace.admin.application.name:Drive*\n", "references": ["https://support.google.com/a/answer/1247799?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.application.name", "type": "keyword"}], "risk_score": 47, "rule_id": "07b5f85a-240f-11ed-b3d9-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Collection", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1074", "name": "Data Staged", "reference": "https://attack.mitre.org/techniques/T1074/", "subtechnique": [{"id": "T1074.002", "name": "Remote Data Staging", "reference": "https://attack.mitre.org/techniques/T1074/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "07b5f85a-240f-11ed-b3d9-f661ea17fbce_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9.json b/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9.json
deleted file mode 100644
index c4e7efe9451..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Browser Child Process", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name : (\"Google Chrome\", \"Google Chrome Helper*\", \"firefox\", \"Opera\", \"Safari\", \"com.apple.WebKit.WebContent\", \"Microsoft Edge\") and\n process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\", \"python*\", \"perl*\", \"php*\", \"osascript\", \"pwsh\") and\n process.command_line != null and\n not process.command_line : \"*/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate*\" and\n not process.args :\n (\n \"hw.model\",\n \"IOPlatformExpertDevice\",\n \"/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh\",\n \"/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/*/Helpers/Google Chrome Helper (Renderer).app/Contents/MacOS/Google Chrome Helper (Renderer)\",\n \"/Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container\",\n \"--defaults-torrc\",\n \"*Chrome.app\",\n \"Framework.framework/Versions/*/Resources/keystone_promote_preflight.sh\",\n \"/Users/*/Library/Application Support/Google/Chrome/recovery/*/ChromeRecovery\",\n \"$DISPLAY\",\n \"*GIO_LAUNCHED_DESKTOP_FILE_PID=$$*\",\n \"/opt/homebrew/*\",\n \"/usr/local/*brew*\"\n )\n", "references": ["https://objective-see.com/blog/blog_0x43.html", 
"https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "080bc66a-5d56-4d1f-8071-817671716db9", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1189", "name": "Drive-by Compromise", "reference": "https://attack.mitre.org/techniques/T1189/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "080bc66a-5d56-4d1f-8071-817671716db9", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_102.json b/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_102.json
deleted file mode 100644
index 74a12760570..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Browser Child Process", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name : (\"Google Chrome\", \"Google Chrome Helper*\", \"firefox\", \"Opera\", \"Safari\", \"com.apple.WebKit.WebContent\", \"Microsoft Edge\") and\n process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\", \"python*\", \"perl*\", \"php*\", \"osascript\", \"pwsh\") and\n process.command_line != null and\n not process.command_line : \"*/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate*\" and\n not process.args :\n (\n \"hw.model\",\n \"IOPlatformExpertDevice\",\n \"/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh\",\n \"--defaults-torrc\",\n \"*Chrome.app\",\n \"Framework.framework/Versions/*/Resources/keystone_promote_preflight.sh\",\n \"/Users/*/Library/Application Support/Google/Chrome/recovery/*/ChromeRecovery\",\n \"$DISPLAY\",\n \"*GIO_LAUNCHED_DESKTOP_FILE_PID=$$*\",\n \"/opt/homebrew/*\",\n \"/usr/local/*brew*\"\n )\n", "references": ["https://objective-see.com/blog/blog_0x43.html", "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"},
{"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "080bc66a-5d56-4d1f-8071-817671716db9", "severity": "high", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Initial Access", "Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1189", "name": "Drive-by Compromise", "reference": "https://attack.mitre.org/techniques/T1189/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "080bc66a-5d56-4d1f-8071-817671716db9_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_103.json b/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_103.json
deleted file mode 100644
index 2e0e7ebe79c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Browser Child Process", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name : (\"Google Chrome\", \"Google Chrome Helper*\", \"firefox\", \"Opera\", \"Safari\", \"com.apple.WebKit.WebContent\", \"Microsoft Edge\") and\n process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\", \"python*\", \"perl*\", \"php*\", \"osascript\", \"pwsh\") and\n process.command_line != null and\n not process.command_line : \"*/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate*\" and\n not process.args :\n (\n \"hw.model\",\n \"IOPlatformExpertDevice\",\n \"/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh\",\n \"--defaults-torrc\",\n \"*Chrome.app\",\n \"Framework.framework/Versions/*/Resources/keystone_promote_preflight.sh\",\n \"/Users/*/Library/Application Support/Google/Chrome/recovery/*/ChromeRecovery\",\n \"$DISPLAY\",\n \"*GIO_LAUNCHED_DESKTOP_FILE_PID=$$*\",\n \"/opt/homebrew/*\",\n \"/usr/local/*brew*\"\n )\n", "references": ["https://objective-see.com/blog/blog_0x43.html", "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"},
{"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "080bc66a-5d56-4d1f-8071-817671716db9", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1189", "name": "Drive-by Compromise", "reference": "https://attack.mitre.org/techniques/T1189/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "080bc66a-5d56-4d1f-8071-817671716db9_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_104.json b/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_104.json
deleted file mode 100644
index 00f0ed48070..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Browser Child Process", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name : (\"Google Chrome\", \"Google Chrome Helper*\", \"firefox\", \"Opera\", \"Safari\", \"com.apple.WebKit.WebContent\", \"Microsoft Edge\") and\n process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\", \"python*\", \"perl*\", \"php*\", \"osascript\", \"pwsh\") and\n process.command_line != null and\n not process.command_line : \"*/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate*\" and\n not process.args :\n (\n \"hw.model\",\n \"IOPlatformExpertDevice\",\n \"/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh\",\n \"--defaults-torrc\",\n \"*Chrome.app\",\n \"Framework.framework/Versions/*/Resources/keystone_promote_preflight.sh\",\n \"/Users/*/Library/Application Support/Google/Chrome/recovery/*/ChromeRecovery\",\n \"$DISPLAY\",\n \"*GIO_LAUNCHED_DESKTOP_FILE_PID=$$*\",\n \"/opt/homebrew/*\",\n \"/usr/local/*brew*\"\n )\n", "references": ["https://objective-see.com/blog/blog_0x43.html", "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"},
{"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "080bc66a-5d56-4d1f-8071-817671716db9", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1189", "name": "Drive-by Compromise", "reference": "https://attack.mitre.org/techniques/T1189/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "080bc66a-5d56-4d1f-8071-817671716db9_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_105.json b/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_105.json
deleted file mode 100644
index 4b8305fd74a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Browser Child Process", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name : (\"Google Chrome\", \"Google Chrome Helper*\", \"firefox\", \"Opera\", \"Safari\", \"com.apple.WebKit.WebContent\", \"Microsoft Edge\") and\n process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\", \"python*\", \"perl*\", \"php*\", \"osascript\", \"pwsh\") and\n process.command_line != null and\n not process.command_line : \"*/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate*\" and\n not process.args :\n (\n \"hw.model\",\n \"IOPlatformExpertDevice\",\n \"/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh\",\n \"--defaults-torrc\",\n \"*Chrome.app\",\n \"Framework.framework/Versions/*/Resources/keystone_promote_preflight.sh\",\n \"/Users/*/Library/Application Support/Google/Chrome/recovery/*/ChromeRecovery\",\n \"$DISPLAY\",\n \"*GIO_LAUNCHED_DESKTOP_FILE_PID=$$*\",\n \"/opt/homebrew/*\",\n \"/usr/local/*brew*\"\n )\n", "references": ["https://objective-see.com/blog/blog_0x43.html", "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"},
{"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "080bc66a-5d56-4d1f-8071-817671716db9", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1189", "name": "Drive-by Compromise", "reference": "https://attack.mitre.org/techniques/T1189/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "080bc66a-5d56-4d1f-8071-817671716db9_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_106.json b/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_106.json
deleted file mode 100644
index 2b62a9dfdc5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/080bc66a-5d56-4d1f-8071-817671716db9_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Browser Child Process", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name : (\"Google Chrome\", \"Google Chrome Helper*\", \"firefox\", \"Opera\", \"Safari\", \"com.apple.WebKit.WebContent\", \"Microsoft Edge\") and\n process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\", \"python*\", \"perl*\", \"php*\", \"osascript\", \"pwsh\") and\n process.command_line != null and\n not process.command_line : \"*/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate*\" and\n not process.args :\n (\n \"hw.model\",\n \"IOPlatformExpertDevice\",\n \"/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh\",\n \"--defaults-torrc\",\n \"*Chrome.app\",\n \"Framework.framework/Versions/*/Resources/keystone_promote_preflight.sh\",\n \"/Users/*/Library/Application Support/Google/Chrome/recovery/*/ChromeRecovery\",\n \"$DISPLAY\",\n \"*GIO_LAUNCHED_DESKTOP_FILE_PID=$$*\",\n \"/opt/homebrew/*\",\n \"/usr/local/*brew*\"\n )\n", "references": ["https://objective-see.com/blog/blog_0x43.html", "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"},
{"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "080bc66a-5d56-4d1f-8071-817671716db9", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1189", "name": "Drive-by Compromise", "reference": "https://attack.mitre.org/techniques/T1189/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "080bc66a-5d56-4d1f-8071-817671716db9_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28.json b/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28.json
deleted file mode 100644
index e8fd27b4b07..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An adversary can establish persistence by installing a new launch agent that executes at login by using launchd or launchctl to load a plist into the appropriate directories.", "false_positives": ["Trusted applications persisting via LaunchAgent"], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Launch Agent Creation or Modification and Immediate Loading", "query": "sequence by host.id with maxspan=1m\n [file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path : (\"/System/Library/LaunchAgents/*\", \"/Library/LaunchAgents/*\", \"/Users/*/Library/LaunchAgents/*\")\n ]\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n", "references": ["https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "082e3f8c-6f80-485c-91eb-5b112cb79b28", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet.
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.001", "name": "Launch Agent", "reference": "https://attack.mitre.org/techniques/T1543/001/"}]}]}], "type": "eql", "version": 106}, "id": "082e3f8c-6f80-485c-91eb-5b112cb79b28", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_102.json b/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_102.json
deleted file mode 100644
index 2de72b9da73..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An adversary can establish persistence by installing a new launch agent that executes at login by using launchd or launchctl to load a plist into the appropriate directories.", "false_positives": ["Trusted applications persisting via LaunchAgent"], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Launch Agent Creation or Modification and Immediate Loading", "query": "sequence by host.id with maxspan=1m\n [file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path : (\"/System/Library/LaunchAgents/*\", \"/Library/LaunchAgents/*\", \"/Users/*/Library/LaunchAgents/*\")\n ]\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n", "references": ["https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "082e3f8c-6f80-485c-91eb-5b112cb79b28", "severity": "low", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.001", "name": "Launch Agent",
"reference": "https://attack.mitre.org/techniques/T1543/001/"}]}]}], "type": "eql", "version": 102}, "id": "082e3f8c-6f80-485c-91eb-5b112cb79b28_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_103.json b/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_103.json
deleted file mode 100644
index 87246e9ec5e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An adversary can establish persistence by installing a new launch agent that executes at login by using launchd or launchctl to load a plist into the appropriate directories.", "false_positives": ["Trusted applications persisting via LaunchAgent"], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Launch Agent Creation or Modification and Immediate Loading", "query": "sequence by host.id with maxspan=1m\n [file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path : (\"/System/Library/LaunchAgents/*\", \"/Library/LaunchAgents/*\", \"/Users/*/Library/LaunchAgents/*\")\n ]\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n", "references": ["https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "082e3f8c-6f80-485c-91eb-5b112cb79b28", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.001",
"name": "Launch Agent", "reference": "https://attack.mitre.org/techniques/T1543/001/"}]}]}], "type": "eql", "version": 103}, "id": "082e3f8c-6f80-485c-91eb-5b112cb79b28_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_104.json b/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_104.json
deleted file mode 100644
index 9a7e2d3a34b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can establish persistence by installing a new launch agent that executes at login by using launchd or launchctl to load a plist into the appropriate directories.", "false_positives": ["Trusted applications persisting via LaunchAgent"], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Launch Agent Creation or Modification and Immediate Loading", "query": "sequence by host.id with maxspan=1m\n [file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path : (\"/System/Library/LaunchAgents/*\", \"/Library/LaunchAgents/*\", \"/Users/*/Library/LaunchAgents/*\")\n ]\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n", "references": ["https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "082e3f8c-6f80-485c-91eb-5b112cb79b28", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", 
"subtechnique": [{"id": "T1543.001", "name": "Launch Agent", "reference": "https://attack.mitre.org/techniques/T1543/001/"}]}]}], "type": "eql", "version": 104}, "id": "082e3f8c-6f80-485c-91eb-5b112cb79b28_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_105.json b/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_105.json deleted file mode 100644 index 6519eab1f46..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/082e3f8c-6f80-485c-91eb-5b112cb79b28_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can establish persistence by installing a new launch agent that executes at login by using launchd or launchctl to load a plist into the appropriate directories.", "false_positives": ["Trusted applications persisting via LaunchAgent"], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Launch Agent Creation or Modification and Immediate Loading", "query": "sequence by host.id with maxspan=1m\n [file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path : (\"/System/Library/LaunchAgents/*\", \"/Library/LaunchAgents/*\", \"/Users/*/Library/LaunchAgents/*\")\n ]\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n", "references": ["https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "082e3f8c-6f80-485c-91eb-5b112cb79b28", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.001", "name": "Launch Agent", "reference": "https://attack.mitre.org/techniques/T1543/001/"}]}]}], "type": "eql", "version": 105}, "id": "082e3f8c-6f80-485c-91eb-5b112cb79b28_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb.json b/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb.json deleted file mode 100644 index c5092085ab7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a launchd child process with a hidden file. An adversary can establish persistence by installing a new logon item, launch agent, or daemon that executes upon login.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Hidden Child Process of Launchd", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:.* and process.parent.executable:/sbin/launchd\n", "references": ["https://objective-see.com/blog/blog_0x61.html", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/", "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "083fa162-e790-4d85-9aeb-4fea04188adb", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.001", "name": "Launch Agent", "reference": "https://attack.mitre.org/techniques/T1543/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "083fa162-e790-4d85-9aeb-4fea04188adb", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_102.json b/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_102.json
deleted file mode 100644
index 5c60b75cfb6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a launchd child process with a hidden file. An adversary can establish persistence by installing a new logon item, launch agent, or daemon that executes upon login.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Hidden Child Process of Launchd", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:.* and process.parent.executable:/sbin/launchd\n", "references": ["https://objective-see.com/blog/blog_0x61.html", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/", "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "083fa162-e790-4d85-9aeb-4fea04188adb", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Persistence", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.001", "name": "Launch Agent", "reference": "https://attack.mitre.org/techniques/T1543/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense 
Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "083fa162-e790-4d85-9aeb-4fea04188adb_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_103.json b/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_103.json deleted file mode 100644 index c03eee0078c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a launchd child process with a hidden file. An adversary can establish persistence by installing a new logon item, launch agent, or daemon that executes upon login.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Hidden Child Process of Launchd", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:.* and process.parent.executable:/sbin/launchd\n", "references": ["https://objective-see.com/blog/blog_0x61.html", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/", "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "083fa162-e790-4d85-9aeb-4fea04188adb", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.001", "name": "Launch Agent", "reference": "https://attack.mitre.org/techniques/T1543/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "083fa162-e790-4d85-9aeb-4fea04188adb_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_104.json b/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_104.json deleted file mode 100644 index 452142fd6a6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a launchd child process with a hidden file. An adversary can establish persistence by installing a new logon item, launch agent, or daemon that executes upon login.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Hidden Child Process of Launchd", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:.* and process.parent.executable:/sbin/launchd\n", "references": ["https://objective-see.com/blog/blog_0x61.html", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/", "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "083fa162-e790-4d85-9aeb-4fea04188adb", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.001", "name": "Launch Agent", "reference": "https://attack.mitre.org/techniques/T1543/001/"}]}]}, {"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "083fa162-e790-4d85-9aeb-4fea04188adb_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_105.json b/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_105.json deleted file mode 100644 index 048f28235bc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/083fa162-e790-4d85-9aeb-4fea04188adb_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a launchd child process with a hidden file. An adversary can establish persistence by installing a new logon item, launch agent, or daemon that executes upon login.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Hidden Child Process of Launchd", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:.* and process.parent.executable:/sbin/launchd\n", "references": ["https://objective-see.com/blog/blog_0x61.html", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/", "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "083fa162-e790-4d85-9aeb-4fea04188adb", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.001", "name": "Launch Agent", "reference": "https://attack.mitre.org/techniques/T1543/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "083fa162-e790-4d85-9aeb-4fea04188adb_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08.json b/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08.json
deleted file mode 100644
index 87194a4c330..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies newly seen removable devices by device friendly name using registry modification events. While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Removable Device", "new_terms_fields": ["registry.path"], "query": "event.category:\"registry\" and host.os.type:\"windows\" and registry.value:\"FriendlyName\" and registry.path:*USBSTOR*\n", "references": ["https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html", "https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 21, "rule_id": "0859355c-0f08-4b43-8ff5-7d2a4789fc08", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1091", "name": "Replication Through Removable Media", "reference": "https://attack.mitre.org/techniques/T1091/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", 
"reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1052", "name": "Exfiltration Over Physical Medium", "reference": "https://attack.mitre.org/techniques/T1052/", "subtechnique": [{"id": "T1052.001", "name": "Exfiltration over USB", "reference": "https://attack.mitre.org/techniques/T1052/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 4}, "id": "0859355c-0f08-4b43-8ff5-7d2a4789fc08", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_1.json b/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_1.json deleted file mode 100644 index b1d9eead033..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies newly seen removable devices by device friendly name using registry modification events. While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Removable Device", "new_terms_fields": ["registry.path"], "query": "event.category:\"registry\" and host.os.type:\"windows\" and registry.value:\"FriendlyName\" and registry.path:*USBSTOR*\n", "references": ["https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html", "https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 21, "rule_id": "0859355c-0f08-4b43-8ff5-7d2a4789fc08", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Exfiltration", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1091", "name": "Replication Through Removable Media", "reference": "https://attack.mitre.org/techniques/T1091/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": 
"T1052", "name": "Exfiltration Over Physical Medium", "reference": "https://attack.mitre.org/techniques/T1052/", "subtechnique": [{"id": "T1052.001", "name": "Exfiltration over USB", "reference": "https://attack.mitre.org/techniques/T1052/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "0859355c-0f08-4b43-8ff5-7d2a4789fc08_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_109.json b/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_109.json deleted file mode 100644 index 805bfd48dd3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies newly seen removable devices by device friendly name using registry modification events. While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Removable Device", "new_terms_fields": ["registry.path"], "query": "event.category:\"registry\" and host.os.type:\"windows\" and registry.value:\"FriendlyName\" and registry.path:*USBSTOR*\n", "references": ["https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html", "https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 21, "rule_id": "0859355c-0f08-4b43-8ff5-7d2a4789fc08", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": 
"https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1091", "name": "Replication Through Removable Media", "reference": "https://attack.mitre.org/techniques/T1091/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1052", "name": "Exfiltration Over Physical Medium", "reference": "https://attack.mitre.org/techniques/T1052/", "subtechnique": [{"id": "T1052.001", "name": "Exfiltration over USB", "reference": "https://attack.mitre.org/techniques/T1052/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 109}, "id": "0859355c-0f08-4b43-8ff5-7d2a4789fc08_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_2.json b/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_2.json deleted file mode 100644 index 5e76c0275dc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies newly seen removable devices by device friendly name using registry modification events. While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Removable Device", "new_terms_fields": ["registry.path"], "query": "event.category:\"registry\" and host.os.type:\"windows\" and registry.value:\"FriendlyName\" and registry.path:*USBSTOR*\n", "references": ["https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html", "https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 21, "rule_id": "0859355c-0f08-4b43-8ff5-7d2a4789fc08", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1091", "name": "Replication Through Removable Media", "reference": "https://attack.mitre.org/techniques/T1091/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": 
"https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1052", "name": "Exfiltration Over Physical Medium", "reference": "https://attack.mitre.org/techniques/T1052/", "subtechnique": [{"id": "T1052.001", "name": "Exfiltration over USB", "reference": "https://attack.mitre.org/techniques/T1052/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "0859355c-0f08-4b43-8ff5-7d2a4789fc08_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_3.json b/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_3.json deleted file mode 100644 index e0b51696d34..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies newly seen removable devices by device friendly name using registry modification events. While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Removable Device", "new_terms_fields": ["registry.path"], "query": "event.category:\"registry\" and host.os.type:\"windows\" and registry.value:\"FriendlyName\" and registry.path:*USBSTOR*\n", "references": ["https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html", "https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 21, "rule_id": "0859355c-0f08-4b43-8ff5-7d2a4789fc08", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1091", "name": "Replication Through Removable Media", "reference": "https://attack.mitre.org/techniques/T1091/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", 
"reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1052", "name": "Exfiltration Over Physical Medium", "reference": "https://attack.mitre.org/techniques/T1052/", "subtechnique": [{"id": "T1052.001", "name": "Exfiltration over USB", "reference": "https://attack.mitre.org/techniques/T1052/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 3}, "id": "0859355c-0f08-4b43-8ff5-7d2a4789fc08_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_4.json b/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_4.json deleted file mode 100644 index 8654d7ecd2f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies newly seen removable devices by device friendly name using registry modification events. While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Removable Device", "new_terms_fields": ["registry.path"], "query": "event.category:\"registry\" and host.os.type:\"windows\" and registry.value:\"FriendlyName\" and registry.path:*USBSTOR*\n", "references": ["https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html", "https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 21, "rule_id": "0859355c-0f08-4b43-8ff5-7d2a4789fc08", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1091", "name": "Replication Through Removable Media", "reference": "https://attack.mitre.org/techniques/T1091/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", 
"reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1052", "name": "Exfiltration Over Physical Medium", "reference": "https://attack.mitre.org/techniques/T1052/", "subtechnique": [{"id": "T1052.001", "name": "Exfiltration over USB", "reference": "https://attack.mitre.org/techniques/T1052/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 4}, "id": "0859355c-0f08-4b43-8ff5-7d2a4789fc08_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_7.json b/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_7.json deleted file mode 100644 index 9054cda6d36..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0859355c-0f08-4b43-8ff5-7d2a4789fc08_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies newly seen removable devices by device friendly name using registry modification events. While this activity is not inherently malicious, analysts can use those events to aid monitoring for data exfiltration over those devices.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Removable Device", "new_terms_fields": ["registry.path"], "query": "event.category:\"registry\" and host.os.type:\"windows\" and registry.value:\"FriendlyName\" and registry.path:*USBSTOR*\n", "references": ["https://winreg-kb.readthedocs.io/en/latest/sources/system-keys/USB-storage.html", "https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 21, "rule_id": "0859355c-0f08-4b43-8ff5-7d2a4789fc08", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": 
"https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1091", "name": "Replication Through Removable Media", "reference": "https://attack.mitre.org/techniques/T1091/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1052", "name": "Exfiltration Over Physical Medium", "reference": "https://attack.mitre.org/techniques/T1052/", "subtechnique": [{"id": "T1052.001", "name": "Exfiltration over USB", "reference": "https://attack.mitre.org/techniques/T1052/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 7}, "id": "0859355c-0f08-4b43-8ff5-7d2a4789fc08_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0.json b/packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0.json deleted file mode 100644 index 76b42892da7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of commands that enumerates account or group information. Adversaries may use built-in applications to get a listing of local system or domain accounts and groups.", "from": "now-9m", "index": ["logs-endpoint.events.process-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Account or Group Discovery", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (\n (process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n (\n (process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\"\n )\n ) and process.args : (\"accounts\", \"group\", \"user\", \"localgroup\") and not process.args : \"/add\"\n ) or\n (process.name:(\"dsquery.exe\", \"dsget.exe\") and process.args:(\"*members*\", \"user\")) or\n (process.name:\"dsquery.exe\" and process.args:\"*filter*\") or\n process.name:(\"quser.exe\", \"qwinsta.exe\", \"PsGetSID.exe\", \"PsLoggedOn.exe\", \"LogonSessions.exe\", \"whoami.exe\") or\n (\n process.name: \"cmd.exe\" and\n (\n process.args : \"echo\" and process.args : (\n \"%username%\", \"%userdomain%\", \"%userdnsdomain%\",\n \"%userdomain_roamingprofile%\", \"%userprofile%\",\n \"%homepath%\", \"%localappdata%\", \"%appdata%\"\n ) or\n process.args : \"set\"\n )\n )\n) and not process.parent.args: \"C:\\\\Program Files (x86)\\\\Microsoft Intune Management Extension\\\\Content\\\\DetectionScripts\\\\*.ps1\"\nand not process.parent.name : \"LTSVC.exe\" and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "089db1af-740d-4d84-9a5b-babd6de143b0", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}, {"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}, {"id": "T1201", "name": "Password Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1201/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "089db1af-740d-4d84-9a5b-babd6de143b0", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_1.json b/packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_1.json deleted file mode 100644 index 657733a962d..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of commands that enumerates account or group information. Adversaries may use built-in applications to get a listing of local system or domain accounts and groups.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Windows Account or Group Discovery", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (\n (process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n (\n (process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\"\n )\n ) and process.args : (\"group\", \"user\", \"localgroup\") and not process.args : \"/add\"\n ) or\n (process.name:(\"dsquery.exe\", \"dsget.exe\") and process.args:(\"*members*\", \"user\")) or\n (process.name:\"dsquery.exe\" and process.args:\"*filter*\") or\n process.name:(\"quser.exe\", \"qwinsta.exe\", \"PsGetSID.exe\", \"PsLoggedOn.exe\", \"LogonSessions.exe\", \"whoami.exe\") or\n (\n process.name: \"cmd.exe\" and\n (\n process.args : \"echo\" and process.args : (\n \"%username%\", \"%userdomain%\", \"%userdnsdomain%\",\n \"%userdomain_roamingprofile%\", \"%userprofile%\",\n \"%homepath%\", \"%localappdata%\", \"%appdata%\"\n ) or\n process.args : \"set\"\n )\n )\n) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": 
"user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "089db1af-740d-4d84-9a5b-babd6de143b0", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}, {"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "089db1af-740d-4d84-9a5b-babd6de143b0_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_2.json b/packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_2.json deleted file mode 100644 index 4611ec0ed0b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of commands that enumerates account or group information. Adversaries may use built-in applications to get a listing of local system or domain accounts and groups.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Windows Account or Group Discovery", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (\n (process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n (\n (process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\"\n )\n ) and process.args : (\"accounts\", \"group\", \"user\", \"localgroup\") and not process.args : \"/add\"\n ) or\n (process.name:(\"dsquery.exe\", \"dsget.exe\") and process.args:(\"*members*\", \"user\")) or\n (process.name:\"dsquery.exe\" and process.args:\"*filter*\") or\n process.name:(\"quser.exe\", \"qwinsta.exe\", \"PsGetSID.exe\", \"PsLoggedOn.exe\", \"LogonSessions.exe\", \"whoami.exe\") or\n (\n process.name: \"cmd.exe\" and\n (\n process.args : \"echo\" and process.args : (\n \"%username%\", \"%userdomain%\", \"%userdnsdomain%\",\n \"%userdomain_roamingprofile%\", \"%userprofile%\",\n \"%homepath%\", \"%localappdata%\", \"%appdata%\"\n ) or\n process.args : \"set\"\n )\n )\n) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, 
"name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "089db1af-740d-4d84-9a5b-babd6de143b0", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}, {"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1201", "name": "Password Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1201/"}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "089db1af-740d-4d84-9a5b-babd6de143b0_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_3.json b/packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_3.json deleted file mode 100644 index 3f21b5ca53f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of commands that enumerates account or group information. Adversaries may use built-in applications to get a listing of local system or domain accounts and groups.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Account or Group Discovery", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (\n (process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n (\n (process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\"\n )\n ) and process.args : (\"accounts\", \"group\", \"user\", \"localgroup\") and not process.args : \"/add\"\n ) or\n (process.name:(\"dsquery.exe\", \"dsget.exe\") and process.args:(\"*members*\", \"user\")) or\n (process.name:\"dsquery.exe\" and process.args:\"*filter*\") or\n process.name:(\"quser.exe\", \"qwinsta.exe\", \"PsGetSID.exe\", \"PsLoggedOn.exe\", \"LogonSessions.exe\", \"whoami.exe\") or\n (\n process.name: \"cmd.exe\" and\n (\n process.args : \"echo\" and process.args : (\n \"%username%\", \"%userdomain%\", \"%userdnsdomain%\",\n \"%userdomain_roamingprofile%\", \"%userprofile%\",\n \"%homepath%\", \"%localappdata%\", \"%appdata%\"\n ) or\n process.args : \"set\"\n )\n )\n) and not process.parent.args: \"C:\\\\Program Files (x86)\\\\Microsoft Intune Management Extension\\\\Content\\\\DetectionScripts\\\\*.ps1\"\nand not process.parent.name : \"LTSVC.exe\" and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": 
"keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "089db1af-740d-4d84-9a5b-babd6de143b0", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}, {"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1201", "name": "Password Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1201/"}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "089db1af-740d-4d84-9a5b-babd6de143b0_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_4.json b/packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_4.json deleted file mode 100644 index 76fdf91965e..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/089db1af-740d-4d84-9a5b-babd6de143b0_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of commands that enumerates account or group information. Adversaries may use built-in applications to get a listing of local system or domain accounts and groups.", "from": "now-9m", "index": ["logs-endpoint.events.process-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Account or Group Discovery", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (\n (process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n (\n (process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\"\n )\n ) and process.args : (\"accounts\", \"group\", \"user\", \"localgroup\") and not process.args : \"/add\"\n ) or\n (process.name:(\"dsquery.exe\", \"dsget.exe\") and process.args:(\"*members*\", \"user\")) or\n (process.name:\"dsquery.exe\" and process.args:\"*filter*\") or\n process.name:(\"quser.exe\", \"qwinsta.exe\", \"PsGetSID.exe\", \"PsLoggedOn.exe\", \"LogonSessions.exe\", \"whoami.exe\") or\n (\n process.name: \"cmd.exe\" and\n (\n process.args : \"echo\" and process.args : (\n \"%username%\", \"%userdomain%\", \"%userdnsdomain%\",\n \"%userdomain_roamingprofile%\", \"%userprofile%\",\n \"%homepath%\", \"%localappdata%\", \"%appdata%\"\n ) or\n process.args : \"set\"\n )\n )\n) and not process.parent.args: \"C:\\\\Program Files (x86)\\\\Microsoft Intune Management Extension\\\\Content\\\\DetectionScripts\\\\*.ps1\"\nand not process.parent.name : \"LTSVC.exe\" and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "089db1af-740d-4d84-9a5b-babd6de143b0", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}, {"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1201", "name": "Password Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1201/"}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "089db1af-740d-4d84-9a5b-babd6de143b0_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f.json b/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f.json deleted file mode 100644 index 3019e2a74a3..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a hidden launch agent or daemon. An adversary may establish persistence by installing a new launch agent or daemon which executes at login.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of Hidden Launch Agent or Daemon", "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path :\n (\n \"/System/Library/LaunchAgents/.*.plist\",\n \"/Library/LaunchAgents/.*.plist\",\n \"/Users/*/Library/LaunchAgents/.*.plist\",\n \"/System/Library/LaunchDaemons/.*.plist\",\n \"/Library/LaunchDaemons/.*.plist\"\n )\n", "references": ["https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "092b068f-84ac-485d-8a55-7dd9e006715f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.001", "name": "Launch Agent", "reference": "https://attack.mitre.org/techniques/T1543/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "092b068f-84ac-485d-8a55-7dd9e006715f", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_102.json b/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_102.json
deleted file mode 100644
index b2f93893a29..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a hidden launch agent or daemon. An adversary may establish persistence by installing a new launch agent or daemon which executes at login.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of Hidden Launch Agent or Daemon", "note": "", "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path :\n (\n \"/System/Library/LaunchAgents/.*.plist\",\n \"/Library/LaunchAgents/.*.plist\",\n \"/Users/*/Library/LaunchAgents/.*.plist\",\n \"/System/Library/LaunchDaemons/.*.plist\",\n \"/Library/LaunchDaemons/.*.plist\"\n )\n", "references": ["https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "092b068f-84ac-485d-8a55-7dd9e006715f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Persistence", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.001", "name": "Launch Agent", "reference": 
"https://attack.mitre.org/techniques/T1543/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "092b068f-84ac-485d-8a55-7dd9e006715f_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_103.json b/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_103.json deleted file mode 100644 index d1a41b98b12..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a hidden launch agent or daemon. An adversary may establish persistence by installing a new launch agent or daemon which executes at login.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of Hidden Launch Agent or Daemon", "note": "", "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path :\n (\n \"/System/Library/LaunchAgents/.*.plist\",\n \"/Library/LaunchAgents/.*.plist\",\n \"/Users/*/Library/LaunchAgents/.*.plist\",\n \"/System/Library/LaunchDaemons/.*.plist\",\n \"/Library/LaunchDaemons/.*.plist\"\n )\n", "references": ["https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "092b068f-84ac-485d-8a55-7dd9e006715f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.001", 
"name": "Launch Agent", "reference": "https://attack.mitre.org/techniques/T1543/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "092b068f-84ac-485d-8a55-7dd9e006715f_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_104.json b/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_104.json deleted file mode 100644 index 9ba1e08e0da..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a hidden launch agent or daemon. An adversary may establish persistence by installing a new launch agent or daemon which executes at login.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of Hidden Launch Agent or Daemon", "note": "", "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path :\n (\n \"/System/Library/LaunchAgents/.*.plist\",\n \"/Library/LaunchAgents/.*.plist\",\n \"/Users/*/Library/LaunchAgents/.*.plist\",\n \"/System/Library/LaunchDaemons/.*.plist\",\n \"/Library/LaunchDaemons/.*.plist\"\n )\n", "references": ["https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "092b068f-84ac-485d-8a55-7dd9e006715f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", 
"subtechnique": [{"id": "T1543.001", "name": "Launch Agent", "reference": "https://attack.mitre.org/techniques/T1543/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "092b068f-84ac-485d-8a55-7dd9e006715f_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_105.json b/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_105.json deleted file mode 100644 index c534d74b412..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a hidden launch agent or daemon. An adversary may establish persistence by installing a new launch agent or daemon which executes at login.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of Hidden Launch Agent or Daemon", "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path :\n (\n \"/System/Library/LaunchAgents/.*.plist\",\n \"/Library/LaunchAgents/.*.plist\",\n \"/Users/*/Library/LaunchAgents/.*.plist\",\n \"/System/Library/LaunchDaemons/.*.plist\",\n \"/Library/LaunchDaemons/.*.plist\"\n )\n", "references": ["https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "092b068f-84ac-485d-8a55-7dd9e006715f", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.001", "name": "Launch Agent", "reference": "https://attack.mitre.org/techniques/T1543/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "092b068f-84ac-485d-8a55-7dd9e006715f_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_106.json b/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_106.json deleted file mode 100644 index abc9281074c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/092b068f-84ac-485d-8a55-7dd9e006715f_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a hidden launch agent or daemon. An adversary may establish persistence by installing a new launch agent or daemon which executes at login.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of Hidden Launch Agent or Daemon", "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path :\n (\n \"/System/Library/LaunchAgents/.*.plist\",\n \"/Library/LaunchAgents/.*.plist\",\n \"/Users/*/Library/LaunchAgents/.*.plist\",\n \"/System/Library/LaunchDaemons/.*.plist\",\n \"/Library/LaunchDaemons/.*.plist\"\n )\n", "references": ["https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "092b068f-84ac-485d-8a55-7dd9e006715f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.001", "name": "Launch Agent", "reference": "https://attack.mitre.org/techniques/T1543/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "092b068f-84ac-485d-8a55-7dd9e006715f_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d.json b/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d.json
deleted file mode 100644
index 52cf43e9091..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Termination followed by Deletion", "note": "## Triage and analysis\n\n### Investigating Process Termination followed by Deletion\n\nThis rule identifies an unsigned process termination event quickly followed by the deletion of its executable file. Attackers can delete programs after their execution in an attempt to cover their tracks in a host.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately, as programs that exhibit this behavior, such as installers and similar utilities, should be signed. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"end\" and\n process.code_signature.trusted != true and\n not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n ] by process.executable\n [file where host.os.type == \"windows\" and event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\") and\n not file.path : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\*\\\\DismHost.exe\",\n \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\\\\DismHost.exe\",\n \"?:\\\\$WinREAgent\\\\Scratch\\\\*\\\\DismHost.exe\",\n \"?:\\\\Windows\\\\tenable_mw_scan_*.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\LogiUI\\\\Pak\\\\uninstall.exe\"\n )\n ] by file.path\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": 
"09443c92-46b3-45a4-8f25-383b028b258d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}, {"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "type": "eql", "version": 109}, "id": "09443c92-46b3-45a4-8f25-383b028b258d", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_103.json b/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_103.json deleted file mode 100644 index 783c97071ca..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Termination followed by Deletion", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"end\" and\n process.code_signature.trusted != true and\n not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n ] by process.executable\n [file where host.os.type == \"windows\" and event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\") and\n not file.path : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\")\n ] by file.path\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "09443c92-46b3-45a4-8f25-383b028b258d", "severity": "medium", "tags": ["Elastic", "Host", 
"Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "type": "eql", "version": 103}, "id": "09443c92-46b3-45a4-8f25-383b028b258d_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_104.json b/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_104.json deleted file mode 100644 index 82db35597a6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Termination followed by Deletion", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"end\" and\n process.code_signature.trusted != true and\n not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n ] by process.executable\n [file where host.os.type == \"windows\" and event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\") and\n not file.path : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\")\n ] by file.path\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "09443c92-46b3-45a4-8f25-383b028b258d", "severity": "medium", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "type": "eql", "version": 104}, "id": "09443c92-46b3-45a4-8f25-383b028b258d_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_105.json b/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_105.json deleted file mode 100644 index 03b0c236350..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Termination followed by Deletion", "note": "## Triage and analysis\n\n### Investigating Process Termination followed by Deletion\n\nThis rule identifies an unsigned process termination event quickly followed by the deletion of its executable file. Attackers can delete programs after their execution in an attempt to cover their tracks in a host.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately, as programs that exhibit this behavior, such as installers and similar utilities, should be signed. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"end\" and\n process.code_signature.trusted != true and\n not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n ] by process.executable\n [file where host.os.type == \"windows\" and event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\") and\n not file.path : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\")\n ] by file.path\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "09443c92-46b3-45a4-8f25-383b028b258d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense 
Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "type": "eql", "version": 105}, "id": "09443c92-46b3-45a4-8f25-383b028b258d_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_106.json b/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_106.json deleted file mode 100644 index ac628ec9b93..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Termination followed by Deletion", "note": "## Triage and analysis\n\n### Investigating Process Termination followed by Deletion\n\nThis rule identifies an unsigned process termination event quickly followed by the deletion of its executable file. Attackers can delete programs after their execution in an attempt to cover their tracks in a host.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately, as programs that exhibit this behavior, such as installers and similar utilities, should be signed. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"end\" and\n process.code_signature.trusted != true and\n not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n ] by process.executable\n [file where host.os.type == \"windows\" and event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\") and\n not file.path : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\")\n ] by file.path\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "09443c92-46b3-45a4-8f25-383b028b258d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "type": "eql", "version": 106}, "id": "09443c92-46b3-45a4-8f25-383b028b258d_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_107.json b/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_107.json deleted file mode 100644 index 0e28446382f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Termination followed by Deletion", "note": "## Triage and analysis\n\n### Investigating Process Termination followed by Deletion\n\nThis rule identifies an unsigned process termination event quickly followed by the deletion of its executable file. Attackers can delete programs after their execution in an attempt to cover their tracks in a host.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately, as programs that exhibit this behavior, such as installers and similar utilities, should be signed. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"end\" and\n process.code_signature.trusted != true and\n not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n ] by process.executable\n [file where host.os.type == \"windows\" and event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\") and\n not file.path : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\")\n ] by file.path\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "09443c92-46b3-45a4-8f25-383b028b258d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}, {"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "type": "eql", "version": 107}, "id": "09443c92-46b3-45a4-8f25-383b028b258d_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_108.json b/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_108.json deleted file mode 100644 index 169c3069d21..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_108.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Termination followed by Deletion", "note": "## Triage and analysis\n\n### Investigating Process Termination followed by Deletion\n\nThis rule identifies an unsigned process termination event quickly followed by the deletion of its executable file. Attackers can delete programs after their execution in an attempt to cover their tracks in a host.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately, as programs that exhibit this behavior, such as installers and similar utilities, should be signed. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"end\" and\n process.code_signature.trusted != true and\n not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n ] by process.executable\n [file where host.os.type == \"windows\" and event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\") and\n not file.path : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\*\\\\DismHost.exe\",\n \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\\\\DismHost.exe\",\n \"?:\\\\$WinREAgent\\\\Scratch\\\\*\\\\DismHost.exe\",\n \"?:\\\\Windows\\\\tenable_mw_scan_*.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\LogiUI\\\\Pak\\\\uninstall.exe\"\n )\n ] by file.path\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": 
"09443c92-46b3-45a4-8f25-383b028b258d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}, {"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "type": "eql", "version": 108}, "id": "09443c92-46b3-45a4-8f25-383b028b258d_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_109.json b/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_109.json
deleted file mode 100644
index fa30f4aa86c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/09443c92-46b3-45a4-8f25-383b028b258d_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a process termination event quickly followed by the deletion of its executable file. Malware tools and other non-native files dropped or created on a system by an adversary may leave traces to indicate to what occurred. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Termination followed by Deletion", "note": "## Triage and analysis\n\n### Investigating Process Termination followed by Deletion\n\nThis rule identifies an unsigned process termination event quickly followed by the deletion of its executable file. Attackers can delete programs after their execution in an attempt to cover their tracks in a host.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately, as programs that exhibit this behavior, such as installers and similar utilities, should be signed. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"end\" and\n process.code_signature.trusted != true and\n not process.executable : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*.exe\", \"C:\\\\Windows\\\\WinSxS\\\\*.exe\")\n ] by process.executable\n [file where host.os.type == \"windows\" and event.type == \"deletion\" and file.extension : (\"exe\", \"scr\", \"com\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\") and\n not file.path : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\*\\\\DismHost.exe\",\n \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\\\\DismHost.exe\",\n \"?:\\\\$WinREAgent\\\\Scratch\\\\*\\\\DismHost.exe\",\n \"?:\\\\Windows\\\\tenable_mw_scan_*.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\LogiUI\\\\Pak\\\\uninstall.exe\"\n )\n ] by file.path\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": 
"09443c92-46b3-45a4-8f25-383b028b258d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}, {"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "type": "eql", "version": 109}, "id": "09443c92-46b3-45a4-8f25-383b028b258d_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/095b6a58-8f88-4b59-827c-ab584ad4e759.json b/packages/security_detection_engine/kibana/security_rule/095b6a58-8f88-4b59-827c-ab584ad4e759.json
deleted file mode 100644
index 1d0ee42ac4f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/095b6a58-8f88-4b59-827c-ab584ad4e759.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "A member was removed or their invitation to join was removed from a GitHub Organization.", "from": "now-9m", "index": ["logs-github.audit-*"], "language": "eql", "license": "Elastic License v2", "name": "Member Removed From GitHub Organization", "query": "configuration where event.dataset == \"github.audit\" and event.action == \"org.remove_member\"\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "095b6a58-8f88-4b59-827c-ab584ad4e759", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Impact", "Rule Type: BBR", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "095b6a58-8f88-4b59-827c-ab584ad4e759", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/095b6a58-8f88-4b59-827c-ab584ad4e759_1.json b/packages/security_detection_engine/kibana/security_rule/095b6a58-8f88-4b59-827c-ab584ad4e759_1.json
deleted file mode 100644
index 03c832b7e4d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/095b6a58-8f88-4b59-827c-ab584ad4e759_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "A member was removed or their invitation to join was removed from a GitHub Organization.", "from": "now-9m", "index": ["logs-github.audit-*"], "language": "eql", "license": "Elastic License v2", "name": "Member Removed From GitHub Organization", "query": "configuration where event.dataset == \"github.audit\" and event.action == \"org.remove_member\"\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "095b6a58-8f88-4b59-827c-ab584ad4e759", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Impact", "Rule Type: BBR", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "095b6a58-8f88-4b59-827c-ab584ad4e759_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/095b6a58-8f88-4b59-827c-ab584ad4e759_103.json b/packages/security_detection_engine/kibana/security_rule/095b6a58-8f88-4b59-827c-ab584ad4e759_103.json
new file mode 100644
index 00000000000..ca2e069a3e1
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/095b6a58-8f88-4b59-827c-ab584ad4e759_103.json
@@ -0,0 +1,68 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "building_block_type": "default",
+ "description": "A member was removed or their invitation to join was removed from a GitHub Organization.",
+ "from": "now-9m",
+ "index": [
+ "logs-github.audit-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Member Removed From GitHub Organization",
+ "query": "configuration where event.dataset == \"github.audit\" and event.action == \"org.remove_member\"\n",
+ "related_integrations": [
+ {
+ "package": "github",
+ "version": "^2.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "095b6a58-8f88-4b59-827c-ab584ad4e759",
+ "severity": "low",
+ "tags": [
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Impact",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0040",
+ "name": "Impact",
+ "reference": "https://attack.mitre.org/tactics/TA0040/"
+ },
+ "technique": [
+ {
+ "id": "T1531",
+ "name": "Account Access Removal",
+ "reference": "https://attack.mitre.org/techniques/T1531/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 103
+ },
+ "id": "095b6a58-8f88-4b59-827c-ab584ad4e759_103",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233.json b/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233.json
deleted file mode 100644
index d33977526d6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the creation of a file, followed by its execution and self-deletion in a short timespan within a directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute malicious code and delete itself to hide its tracks.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "File Creation, Execution and Self-Deletion in Suspicious Directory", "query": "sequence by host.id, user.id with maxspan=1m\n [file where host.os.type == \"linux\" and event.action == \"creation\" and \n process.name in (\"curl\", \"wget\", \"fetch\", \"ftp\", \"sftp\", \"scp\", \"rsync\", \"ld\") and \n file.path : (\"/dev/shm/*\", \"/run/shm/*\", \"/tmp/*\", \"/var/tmp/*\",\n \"/run/*\", \"/var/run/*\", \"/var/www/*\", \"/proc/*/fd/*\")] by file.name\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")] by process.name\n [file where host.os.type == \"linux\" and event.action == \"deletion\" and not process.name in (\"rm\", \"ld\") and \n file.path : (\"/dev/shm/*\", \"/run/shm/*\", \"/tmp/*\", \"/var/tmp/*\",\n \"/run/*\", \"/var/run/*\", \"/var/www/*\", \"/proc/*/fd/*\")] by file.name\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": 
true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "09bc6c90-7501-494d-b015-5d988dc3f233", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "type": "eql", "version": 4}, "id": "09bc6c90-7501-494d-b015-5d988dc3f233", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_1.json b/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_1.json
deleted file mode 100644
index 1dc1805c09b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the creation of a file, followed by its execution and self-deletion in a short timespan within a directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute malicious code and delete itself to hide its tracks.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "File Creation, Execution and Self-Deletion in Suspicious Directory", "query": "sequence by host.id, user.id with maxspan=1m\n [file where host.os.type == \"linux\" and event.action == \"creation\" and \n process.name in (\"curl\", \"wget\", \"fetch\", \"ftp\", \"sftp\", \"scp\", \"rsync\", \"ld\") and \n file.path : (\"/dev/shm/*\", \"/run/shm/*\", \"/tmp/*\", \"/var/tmp/*\",\n \"/run/*\", \"/var/run/*\", \"/var/www/*\", \"/proc/*/fd/*\")] by file.name\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")] by process.name\n [file where host.os.type == \"linux\" and event.action == \"deletion\" and not process.name in (\"rm\", \"ld\") and \n file.path : (\"/dev/shm/*\", \"/run/shm/*\", \"/tmp/*\", \"/var/tmp/*\",\n \"/run/*\", \"/var/run/*\", \"/var/www/*\", \"/proc/*/fd/*\")] by file.name\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": 
true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "09bc6c90-7501-494d-b015-5d988dc3f233", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "type": "eql", "version": 1}, "id": "09bc6c90-7501-494d-b015-5d988dc3f233_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_2.json b/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_2.json
deleted file mode 100644
index d23b9e706de..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the creation of a file, followed by its execution and self-deletion in a short timespan within a directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute malicious code and delete itself to hide its tracks.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "File Creation, Execution and Self-Deletion in Suspicious Directory", "query": "sequence by host.id, user.id with maxspan=1m\n [file where host.os.type == \"linux\" and event.action == \"creation\" and \n process.name in (\"curl\", \"wget\", \"fetch\", \"ftp\", \"sftp\", \"scp\", \"rsync\", \"ld\") and \n file.path : (\"/dev/shm/*\", \"/run/shm/*\", \"/tmp/*\", \"/var/tmp/*\",\n \"/run/*\", \"/var/run/*\", \"/var/www/*\", \"/proc/*/fd/*\")] by file.name\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")] by process.name\n [file where host.os.type == \"linux\" and event.action == \"deletion\" and not process.name in (\"rm\", \"ld\") and \n file.path : (\"/dev/shm/*\", \"/run/shm/*\", \"/tmp/*\", \"/var/tmp/*\",\n \"/run/*\", \"/var/run/*\", \"/var/www/*\", \"/proc/*/fd/*\")] by file.name\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": 
true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "09bc6c90-7501-494d-b015-5d988dc3f233", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "type": "eql", "version": 2}, "id": "09bc6c90-7501-494d-b015-5d988dc3f233_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_3.json b/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_3.json
deleted file mode 100644
index a03f6ddb16b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the creation of a file, followed by its execution and self-deletion in a short timespan within a directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute malicious code and delete itself to hide its tracks.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "File Creation, Execution and Self-Deletion in Suspicious Directory", "query": "sequence by host.id, user.id with maxspan=1m\n [file where host.os.type == \"linux\" and event.action == \"creation\" and \n process.name in (\"curl\", \"wget\", \"fetch\", \"ftp\", \"sftp\", \"scp\", \"rsync\", \"ld\") and \n file.path : (\"/dev/shm/*\", \"/run/shm/*\", \"/tmp/*\", \"/var/tmp/*\",\n \"/run/*\", \"/var/run/*\", \"/var/www/*\", \"/proc/*/fd/*\")] by file.name\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")] by process.name\n [file where host.os.type == \"linux\" and event.action == \"deletion\" and not process.name in (\"rm\", \"ld\") and \n file.path : (\"/dev/shm/*\", \"/run/shm/*\", \"/tmp/*\", \"/var/tmp/*\",\n \"/run/*\", \"/var/run/*\", \"/var/www/*\", \"/proc/*/fd/*\")] by file.name\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": 
true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "09bc6c90-7501-494d-b015-5d988dc3f233", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "type": "eql", "version": 3}, "id": "09bc6c90-7501-494d-b015-5d988dc3f233_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_4.json b/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_4.json
deleted file mode 100644
index cad553da531..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/09bc6c90-7501-494d-b015-5d988dc3f233_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the creation of a file, followed by its execution and self-deletion in a short timespan within a directory often used for malicious purposes by threat actors. This behavior is often used by malware to execute malicious code and delete itself to hide its tracks.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "File Creation, Execution and Self-Deletion in Suspicious Directory", "query": "sequence by host.id, user.id with maxspan=1m\n [file where host.os.type == \"linux\" and event.action == \"creation\" and \n process.name in (\"curl\", \"wget\", \"fetch\", \"ftp\", \"sftp\", \"scp\", \"rsync\", \"ld\") and \n file.path : (\"/dev/shm/*\", \"/run/shm/*\", \"/tmp/*\", \"/var/tmp/*\",\n \"/run/*\", \"/var/run/*\", \"/var/www/*\", \"/proc/*/fd/*\")] by file.name\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")] by process.name\n [file where host.os.type == \"linux\" and event.action == \"deletion\" and not process.name in (\"rm\", \"ld\") and \n file.path : (\"/dev/shm/*\", \"/run/shm/*\", \"/tmp/*\", \"/var/tmp/*\",\n \"/run/*\", \"/var/run/*\", \"/var/www/*\", \"/proc/*/fd/*\")] by file.name\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": 
true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "09bc6c90-7501-494d-b015-5d988dc3f233", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "type": "eql", "version": 4}, "id": "09bc6c90-7501-494d-b015-5d988dc3f233_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082.json b/packages/security_detection_engine/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082.json
deleted file mode 100644
index f827444dd46..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies the deletion of a Frontdoor Web Application Firewall (WAF) Policy in Azure. An adversary may delete a Frontdoor Web Application Firewall (WAF) Policy in an attempt to evade defenses and/or to eliminate barriers to their objective.", "false_positives": ["Azure Front Web Application Firewall (WAF) Policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Azure Front Web Application Firewall (WAF) Policy deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE\" and event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#networking"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "09d028a5-dcde-409f-8ae0-557cef1b7082", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": 
"Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "09d028a5-dcde-409f-8ae0-557cef1b7082", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082_101.json b/packages/security_detection_engine/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082_101.json
deleted file mode 100644
index 5a6ebf9bb31..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/09d028a5-dcde-409f-8ae0-557cef1b7082_101.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies the deletion of a Frontdoor Web Application Firewall (WAF) Policy in Azure. An adversary may delete a Frontdoor Web Application Firewall (WAF) Policy in an attempt to evade defenses and/or to eliminate barriers to their objective.", "false_positives": ["Azure Front Web Application Firewall (WAF) Policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Azure Front Web Application Firewall (WAF) Policy deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE\" and event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#networking"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "09d028a5-dcde-409f-8ae0-557cef1b7082", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Network Security"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", 
"reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "09d028a5-dcde-409f-8ae0-557cef1b7082_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de.json b/packages/security_detection_engine/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de.json
deleted file mode 100644
index eedf0bad803..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Malware - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 99, "rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de", "setup": "## Setup\n\nThis rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.\n\n**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. 
For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.\n\nTo make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.\n\n**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.", "severity": "critical", "tags": ["Data Source: Elastic Endgame"], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "0a97b20f-4144-49ea-be32-b540ecc445de", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de_100.json b/packages/security_detection_engine/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de_100.json
deleted file mode 100644
index 607fa49fb36..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de_100.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Malware - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 99, "rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de", "severity": "critical", "tags": ["Elastic", "Elastic Endgame"], "type": "query", "version": 100}, "id": "0a97b20f-4144-49ea-be32-b540ecc445de_100", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de_101.json b/packages/security_detection_engine/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de_101.json
deleted file mode 100644
index 797a11a1856..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de_101.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Malware - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 99, "rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de", "severity": "critical", "tags": ["Data Source: Elastic Endgame"], "type": "query", "version": 101}, "id": "0a97b20f-4144-49ea-be32-b540ecc445de_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de_102.json b/packages/security_detection_engine/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de_102.json
deleted file mode 100644
index 6ba2ca937c3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0a97b20f-4144-49ea-be32-b540ecc445de_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Malware - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 99, "rule_id": "0a97b20f-4144-49ea-be32-b540ecc445de", "severity": "critical", "tags": ["Data Source: Elastic Endgame"], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "0a97b20f-4144-49ea-be32-b540ecc445de_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0ab319ef-92b8-4c7f-989b-5de93c852e93.json b/packages/security_detection_engine/kibana/security_rule/0ab319ef-92b8-4c7f-989b-5de93c852e93.json
deleted file mode 100644
index 8eab7459b3c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0ab319ef-92b8-4c7f-989b-5de93c852e93.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A statistical model has identified command-and-control (C2) beaconing activity with high confidence. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network.", "from": "now-1h", "index": ["ml_beaconing.all"], "language": "kuery", "license": "Elastic License v2", "name": "Statistical Model Detected C2 Beaconing Activity with High Confidence", "query": "beacon_stats.beaconing_score: 3\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/beaconing", "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic"], "related_integrations": [{"package": "beaconing", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": false, "name": "beacon_stats.beaconing_score", "type": "unknown"}], "risk_score": 21, "rule_id": "0ab319ef-92b8-4c7f-989b-5de93c852e93", "setup": "## Setup\n\nThe rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations.\n\n### Network Beaconing Identification Setup\nThe Network Beaconing Identification integration consists of a statistical framework to identify C2 beaconing activity in network logs.\n\n#### Prerequisite Requirements:\n- Fleet is required for Network Beaconing Identification.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.\n- To install Elastic Defend, refer to the 
[documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n\n#### The following steps should be executed to install assets associated with the Network Beaconing Identification integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n", "severity": "low", "tags": ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1102", "name": "Web Service", "reference": "https://attack.mitre.org/techniques/T1102/", "subtechnique": [{"id": "T1102.002", "name": "Bidirectional Communication", "reference": "https://attack.mitre.org/techniques/T1102/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "0ab319ef-92b8-4c7f-989b-5de93c852e93", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0ab319ef-92b8-4c7f-989b-5de93c852e93_1.json b/packages/security_detection_engine/kibana/security_rule/0ab319ef-92b8-4c7f-989b-5de93c852e93_1.json
deleted file mode 100644
index bdbf175d5a7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0ab319ef-92b8-4c7f-989b-5de93c852e93_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A statistical model has identified command-and-control (C2) beaconing activity with high confidence. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network.", "from": "now-1h", "index": ["ml_beaconing.all"], "language": "kuery", "license": "Elastic License v2", "name": "Statistical Model Detected C2 Beaconing Activity with High Confidence", "note": "", "query": "beacon_stats.beaconing_score: 3\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/beaconing", "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic"], "related_integrations": [{"package": "beaconing", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "beacon_stats.beaconing_score", "type": "unknown"}], "risk_score": 21, "rule_id": "0ab319ef-92b8-4c7f-989b-5de93c852e93", "setup": "The Beaconing integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.", "severity": "low", "tags": ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1102", "name": "Web Service", "reference": "https://attack.mitre.org/techniques/T1102/", "subtechnique": [{"id": "T1102.002", "name": "Bidirectional Communication", "reference": "https://attack.mitre.org/techniques/T1102/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "0ab319ef-92b8-4c7f-989b-5de93c852e93_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0ab319ef-92b8-4c7f-989b-5de93c852e93_2.json b/packages/security_detection_engine/kibana/security_rule/0ab319ef-92b8-4c7f-989b-5de93c852e93_2.json deleted file mode 100644 index 5d8b0ffcaff..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0ab319ef-92b8-4c7f-989b-5de93c852e93_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A statistical model has identified command-and-control (C2) beaconing activity with high confidence. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network.", "from": "now-1h", "index": ["ml_beaconing.all"], "language": "kuery", "license": "Elastic License v2", "name": "Statistical Model Detected C2 Beaconing Activity with High Confidence", "query": "beacon_stats.beaconing_score: 3\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/beaconing", "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic"], "related_integrations": [{"package": "beaconing", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": false, "name": "beacon_stats.beaconing_score", "type": "unknown"}], "risk_score": 21, "rule_id": "0ab319ef-92b8-4c7f-989b-5de93c852e93", "setup": "The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations. 
\n\n### Network Beaconing Identification Setup\nThe Network Beaconing Identification integration consists of a statistical framework to identify C2 beaconing activity in network logs.\n\n#### Prerequisite Requirements:\n- Fleet is required for Network Beaconing Identification.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n\n#### The following steps should be executed to install assets associated with the Network Beaconing Identification integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.\n- Under Settings, click \"Install Network Beaconing Identification assets\" and follow the prompts to install the assets.\n", "severity": "low", "tags": ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1102", "name": "Web Service", "reference": "https://attack.mitre.org/techniques/T1102/", "subtechnique": [{"id": "T1102.002", "name": "Bidirectional Communication", "reference": "https://attack.mitre.org/techniques/T1102/002/"}]}]}], "type": "query", "version": 2}, "id": "0ab319ef-92b8-4c7f-989b-5de93c852e93_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0ab319ef-92b8-4c7f-989b-5de93c852e93_3.json b/packages/security_detection_engine/kibana/security_rule/0ab319ef-92b8-4c7f-989b-5de93c852e93_3.json deleted file mode 100644 index d9ef01a33b8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0ab319ef-92b8-4c7f-989b-5de93c852e93_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A statistical model has identified command-and-control (C2) beaconing activity with high confidence. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network.", "from": "now-1h", "index": ["ml_beaconing.all"], "language": "kuery", "license": "Elastic License v2", "name": "Statistical Model Detected C2 Beaconing Activity with High Confidence", "query": "beacon_stats.beaconing_score: 3\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/beaconing", "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic"], "related_integrations": [{"package": "beaconing", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": false, "name": "beacon_stats.beaconing_score", "type": "unknown"}], "risk_score": 21, "rule_id": "0ab319ef-92b8-4c7f-989b-5de93c852e93", "setup": "The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations.\n\n### Network Beaconing Identification Setup\nThe Network Beaconing Identification integration consists of a statistical framework to identify C2 beaconing activity in network logs.\n\n#### Prerequisite Requirements:\n- Fleet is required for Network Beaconing Identification.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.\n- To install Elastic Defend, refer to the 
[documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n\n#### The following steps should be executed to install assets associated with the Network Beaconing Identification integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.\n- Under Settings, click \"Install Network Beaconing Identification assets\" and follow the prompts to install the assets.\n", "severity": "low", "tags": ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1102", "name": "Web Service", "reference": "https://attack.mitre.org/techniques/T1102/", "subtechnique": [{"id": "T1102.002", "name": "Bidirectional Communication", "reference": "https://attack.mitre.org/techniques/T1102/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "0ab319ef-92b8-4c7f-989b-5de93c852e93_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0ab319ef-92b8-4c7f-989b-5de93c852e93_4.json b/packages/security_detection_engine/kibana/security_rule/0ab319ef-92b8-4c7f-989b-5de93c852e93_4.json deleted file mode 100644 index e7f3d65f89e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0ab319ef-92b8-4c7f-989b-5de93c852e93_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A statistical model has identified command-and-control (C2) beaconing activity with high confidence. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network.", "from": "now-1h", "index": ["ml_beaconing.all"], "language": "kuery", "license": "Elastic License v2", "name": "Statistical Model Detected C2 Beaconing Activity with High Confidence", "query": "beacon_stats.beaconing_score: 3\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/beaconing", "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic"], "related_integrations": [{"package": "beaconing", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": false, "name": "beacon_stats.beaconing_score", "type": "unknown"}], "risk_score": 21, "rule_id": "0ab319ef-92b8-4c7f-989b-5de93c852e93", "setup": "## Setup\n\nThe rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations.\n\n### Network Beaconing Identification Setup\nThe Network Beaconing Identification integration consists of a statistical framework to identify C2 beaconing activity in network logs.\n\n#### Prerequisite Requirements:\n- Fleet is required for Network Beaconing Identification.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.\n- To install Elastic Defend, refer to the 
[documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n\n#### The following steps should be executed to install assets associated with the Network Beaconing Identification integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.\n- Under Settings, click \"Install Network Beaconing Identification assets\" and follow the prompts to install the assets.\n", "severity": "low", "tags": ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1102", "name": "Web Service", "reference": "https://attack.mitre.org/techniques/T1102/", "subtechnique": [{"id": "T1102.002", "name": "Bidirectional Communication", "reference": "https://attack.mitre.org/techniques/T1102/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "0ab319ef-92b8-4c7f-989b-5de93c852e93_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83.json b/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83.json deleted file mode 100644 index d842ffc0a51..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\*\\\\allcommands.ps1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.directory": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\*\\\\bin"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.directory": {"case_insensitive": true, "value": "?:\\\\ExchangeServer\\\\bin*"}}}}], "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Remote Execution Capabilities via WinRM", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\"Invoke-WmiMethod\" or \"Invoke-Command\" or \"Enter-PSSession\") and \"ComputerName\"\n ) and\n not user.id : \"S-1-5-18\" and\n not file.directory : (\n \"C:\\\\Program Files\\\\LogicMonitor\\\\Agent\\\\tmp\"\n ) and not\n powershell.file.script_block_text : (\n \"Export-ModuleMember -Function @('Invoke-Expression''Invoke-Command')\" and\n \"function Invoke-Command {\"\n )\n", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/LateralMovement/PowerShellRemoting.cs", "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/modules/powershell/lateral_movement/invoke_psremoting.py"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": 
"keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Execution", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_1.json b/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_1.json deleted file mode 100644 index bb5796524fe..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Remote Execution Capabilities via WinRM", "note": "", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\"Invoke-WmiMethod\" or \"Invoke-Command\" or \"Enter-PSSession\") and \"ComputerName\"\n )\n", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/LateralMovement/PowerShellRemoting.cs", "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/modules/powershell/lateral_movement/invoke_psremoting.py"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 21, "rule_id": "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: PowerShell Logs", 
"Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_106.json b/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_106.json deleted file mode 100644 index 643081c8542..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\*\\\\allcommands.ps1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.directory": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\*\\\\bin"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.directory": {"case_insensitive": true, "value": "?:\\\\ExchangeServer\\\\bin*"}}}}], "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Remote Execution Capabilities via WinRM", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\"Invoke-WmiMethod\" or \"Invoke-Command\" or \"Enter-PSSession\") and \"ComputerName\"\n ) and\n not user.id : \"S-1-5-18\" and\n not file.directory : (\n \"C:\\\\Program Files\\\\LogicMonitor\\\\Agent\\\\tmp\"\n ) and not\n powershell.file.script_block_text : (\n \"Export-ModuleMember -Function @('Invoke-Expression''Invoke-Command')\" and\n \"function Invoke-Command {\"\n )\n", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/LateralMovement/PowerShellRemoting.cs", "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/modules/powershell/lateral_movement/invoke_psremoting.py"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": 
"keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Execution", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_107.json b/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_107.json deleted file mode 100644 index 2351289204e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\*\\\\allcommands.ps1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.directory": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\*\\\\bin"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.directory": {"case_insensitive": true, "value": "?:\\\\ExchangeServer\\\\bin*"}}}}], "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Remote Execution Capabilities via WinRM", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\"Invoke-WmiMethod\" or \"Invoke-Command\" or \"Enter-PSSession\") and \"ComputerName\"\n ) and\n not user.id : \"S-1-5-18\" and\n not file.directory : (\n \"C:\\\\Program Files\\\\LogicMonitor\\\\Agent\\\\tmp\"\n ) and not\n powershell.file.script_block_text : (\n \"Export-ModuleMember -Function @('Invoke-Expression''Invoke-Command')\" and\n \"function Invoke-Command {\"\n )\n", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/LateralMovement/PowerShellRemoting.cs", "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/modules/powershell/lateral_movement/invoke_psremoting.py"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": 
"keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Execution", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_2.json b/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_2.json deleted file mode 100644 index b765f4e4f2f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Remote Execution Capabilities via WinRM", "note": "", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\"Invoke-WmiMethod\" or \"Invoke-Command\" or \"Enter-PSSession\") and \"ComputerName\"\n ) and\n not user.id : \"S-1-5-18\" and\n not file.directory : (\n \"C:\\\\Program Files\\\\LogicMonitor\\\\Agent\\\\tmp\" or\n ?\\:\\\\\\\\Program?Files\\\\\\\\Microsoft\\\\\\\\Exchange?Server\\\\\\\\*\\\\\\\\bin or\n ?\\:\\\\\\\\Logicmonitor\\\\\\\\tmp* or\n ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\dbatools\\\\\\\\* or\n ?\\:\\\\\\\\ExchangeServer\\\\\\\\bin*\n )\n", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/LateralMovement/PowerShellRemoting.cs", "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/modules/powershell/lateral_movement/invoke_psremoting.py"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit 
Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_3.json b/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_3.json deleted file mode 100644 index d361f061f41..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_3.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Remote Execution Capabilities via WinRM", "note": "", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\"Invoke-WmiMethod\" or \"Invoke-Command\" or \"Enter-PSSession\") and \"ComputerName\"\n ) and\n not user.id : \"S-1-5-18\" and\n not file.directory : (\n \"C:\\\\Program Files\\\\LogicMonitor\\\\Agent\\\\tmp\" or\n ?\\:\\\\\\\\Program?Files\\\\\\\\Microsoft\\\\\\\\Exchange?Server\\\\\\\\*\\\\\\\\bin or\n ?\\:\\\\\\\\Logicmonitor\\\\\\\\tmp* or\n ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\dbatools\\\\\\\\* or\n ?\\:\\\\\\\\ExchangeServer\\\\\\\\bin*\n )\n", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/LateralMovement/PowerShellRemoting.cs", "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/modules/powershell/lateral_movement/invoke_psremoting.py"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit 
Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Execution", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_4.json b/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_4.json
deleted file mode 100644
index e8d8c48f0d3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_4.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Remote Execution Capabilities via WinRM", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\"Invoke-WmiMethod\" or \"Invoke-Command\" or \"Enter-PSSession\") and \"ComputerName\"\n ) and\n not user.id : \"S-1-5-18\" and\n not file.directory : (\n \"C:\\\\Program Files\\\\LogicMonitor\\\\Agent\\\\tmp\" or\n ?\\:\\\\\\\\Program?Files\\\\\\\\Microsoft\\\\\\\\Exchange?Server\\\\\\\\*\\\\\\\\bin or\n ?\\:\\\\\\\\Logicmonitor\\\\\\\\tmp* or\n ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\dbatools\\\\\\\\* or\n ?\\:\\\\\\\\ExchangeServer\\\\\\\\bin*\n )\n", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/LateralMovement/PowerShellRemoting.cs", "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/modules/powershell/lateral_movement/invoke_psremoting.py"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit 
Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Execution", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_5.json b/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_5.json
deleted file mode 100644
index ac1e7ed383c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_5.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Remote Execution Capabilities via WinRM", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\"Invoke-WmiMethod\" or \"Invoke-Command\" or \"Enter-PSSession\") and \"ComputerName\"\n ) and\n not user.id : \"S-1-5-18\" and\n not file.directory : (\n \"C:\\\\Program Files\\\\LogicMonitor\\\\Agent\\\\tmp\" or\n ?\\:\\\\\\\\Program?Files\\\\\\\\Microsoft\\\\\\\\Exchange?Server\\\\\\\\*\\\\\\\\bin or\n ?\\:\\\\\\\\Logicmonitor\\\\\\\\tmp* or\n ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\dbatools\\\\\\\\* or\n ?\\:\\\\\\\\ExchangeServer\\\\\\\\bin*\n ) and not\n powershell.file.script_block_text : (\n \"Export-ModuleMember -Function @('Invoke-Expression''Invoke-Command')\" and\n \"function Invoke-Command {\"\n )\n", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/LateralMovement/PowerShellRemoting.cs", "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/modules/powershell/lateral_movement/invoke_psremoting.py"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": 
"0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Execution", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_6.json b/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_6.json deleted file mode 100644 index 95e4e52949e..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_6.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Remote Execution Capabilities via WinRM", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\"Invoke-WmiMethod\" or \"Invoke-Command\" or \"Enter-PSSession\") and \"ComputerName\"\n ) and\n not user.id : \"S-1-5-18\" and\n not file.directory : (\n \"C:\\\\Program Files\\\\LogicMonitor\\\\Agent\\\\tmp\" or\n ?\\:\\\\\\\\Program?Files\\\\\\\\Microsoft\\\\\\\\Exchange?Server\\\\\\\\*\\\\\\\\bin or\n ?\\:\\\\\\\\Logicmonitor\\\\\\\\tmp* or\n ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\dbatools\\\\\\\\* or\n ?\\:\\\\\\\\ExchangeServer\\\\\\\\bin*\n ) and not\n powershell.file.script_block_text : (\n \"Export-ModuleMember -Function @('Invoke-Expression''Invoke-Command')\" and\n \"function Invoke-Command {\"\n )\n", "references": ["https://attack.mitre.org/techniques/T1021/006/", "https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/LateralMovement/PowerShellRemoting.cs", "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/modules/powershell/lateral_movement/invoke_psremoting.py"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": 
"0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Execution", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 6}, "id": "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b15bcad-aff1-4250-a5be-5d1b7eb56d07.json b/packages/security_detection_engine/kibana/security_rule/0b15bcad-aff1-4250-a5be-5d1b7eb56d07.json deleted file mode 100644 index 47e239a961f..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/0b15bcad-aff1-4250-a5be-5d1b7eb56d07.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects file creation events in the plugin directories for the Yum package manager. In Linux, Yum (Yellowdog Updater, Modified) is a command-line utility used for handling packages on (by default) Fedora-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor Yum to gain persistence by injecting malicious code into plugins that Yum runs, thereby ensuring continued unauthorized access or control each time Yum is used for package management.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Yum Package Manager Plugin File Creation", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and\nfile.path : (\"/usr/lib/yum-plugins/*\", \"/etc/yum/pluginconf.d/*\") and not (\n process.executable in (\n \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\", \"/usr/bin/microdnf\", \"/bin/rpm\",\n \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\", \"/bin/dnf\", \"/usr/bin/dnf\",\n \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\", \"/bin/puppet\",\n \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\", \"/bin/autossl_check\",\n \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\",\n \"/usr/libexec/netplan/generate\"\n ) or\n process.name == \"yumBackend.py\" or\n file.extension in (\"swp\", \"swpx\", \"swx\") or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/*\", \"/usr/libexec/*\",\n \"/etc/kernel/*\"\n ) or\n 
process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "0b15bcad-aff1-4250-a5be-5d1b7eb56d07", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.016", "name": "Installer Packages", "reference": "https://attack.mitre.org/techniques/T1546/016/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "0b15bcad-aff1-4250-a5be-5d1b7eb56d07", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b15bcad-aff1-4250-a5be-5d1b7eb56d07_1.json b/packages/security_detection_engine/kibana/security_rule/0b15bcad-aff1-4250-a5be-5d1b7eb56d07_1.json deleted file mode 100644 index e1f9c687934..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0b15bcad-aff1-4250-a5be-5d1b7eb56d07_1.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects file creation events in the plugin directories for the Yum package manager. In Linux, Yum (Yellowdog Updater, Modified) is a command-line utility used for handling packages on (by default) Fedora-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor Yum to gain persistence by injecting malicious code into plugins that Yum runs, thereby ensuring continued unauthorized access or control each time Yum is used for package management.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Yum Package Manager Plugin File Creation", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and\nfile.path : (\"/usr/lib/yum-plugins/*\", \"/etc/yum/pluginconf.d/*\") and not (\n process.executable in (\n \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\", \"/usr/bin/microdnf\", \"/bin/rpm\",\n \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\", \"/bin/dnf\", \"/usr/bin/dnf\",\n \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\", \"/bin/puppet\",\n \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\", \"/bin/autossl_check\",\n \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\",\n \"/usr/libexec/netplan/generate\"\n ) or\n process.name == \"yumBackend.py\" or\n file.extension in (\"swp\", \"swpx\", \"swx\") or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/*\", \"/usr/libexec/*\",\n \"/etc/kernel/*\"\n ) or\n 
process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "0b15bcad-aff1-4250-a5be-5d1b7eb56d07", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "0b15bcad-aff1-4250-a5be-5d1b7eb56d07_1", "type": "security-rule"}
\ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0b15bcad-aff1-4250-a5be-5d1b7eb56d07_2.json b/packages/security_detection_engine/kibana/security_rule/0b15bcad-aff1-4250-a5be-5d1b7eb56d07_2.json
deleted file mode 100644
index d45c23a9f38..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0b15bcad-aff1-4250-a5be-5d1b7eb56d07_2.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects file creation events in the plugin directories for the Yum package manager. In Linux, Yum (Yellowdog Updater, Modified) is a command-line utility used for handling packages on (by default) Fedora-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor Yum to gain persistence by injecting malicious code into plugins that Yum runs, thereby ensuring continued unauthorized access or control each time Yum is used for package management.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Yum Package Manager Plugin File Creation", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and\nfile.path : (\"/usr/lib/yum-plugins/*\", \"/etc/yum/pluginconf.d/*\") and not (\n process.executable in (\n \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\", \"/usr/bin/microdnf\", \"/bin/rpm\",\n \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\", \"/bin/dnf\", \"/usr/bin/dnf\",\n \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\", \"/bin/puppet\",\n \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\", \"/bin/autossl_check\",\n \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\",\n \"/usr/libexec/netplan/generate\"\n ) or\n process.name == \"yumBackend.py\" or\n file.extension in (\"swp\", \"swpx\", \"swx\") or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/*\", \"/usr/libexec/*\",\n \"/etc/kernel/*\"\n ) or\n 
process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "0b15bcad-aff1-4250-a5be-5d1b7eb56d07", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.016", "name": "Installer Packages", "reference": "https://attack.mitre.org/techniques/T1546/016/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "0b15bcad-aff1-4250-a5be-5d1b7eb56d07_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b15bcad-aff1-4250-a5be-5d1b7eb56d07_3.json b/packages/security_detection_engine/kibana/security_rule/0b15bcad-aff1-4250-a5be-5d1b7eb56d07_3.json deleted file mode 100644 index bf8931efa1a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0b15bcad-aff1-4250-a5be-5d1b7eb56d07_3.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects file creation events in the plugin directories for the Yum package manager. In Linux, Yum (Yellowdog Updater, Modified) is a command-line utility used for handling packages on (by default) Fedora-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor Yum to gain persistence by injecting malicious code into plugins that Yum runs, thereby ensuring continued unauthorized access or control each time Yum is used for package management.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Yum Package Manager Plugin File Creation", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and\nfile.path : (\"/usr/lib/yum-plugins/*\", \"/etc/yum/pluginconf.d/*\") and not (\n process.executable in (\n \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\", \"/usr/bin/microdnf\", \"/bin/rpm\",\n \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\", \"/bin/dnf\", \"/usr/bin/dnf\",\n \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\", \"/bin/puppet\",\n \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\", \"/bin/autossl_check\",\n \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\",\n \"/usr/libexec/netplan/generate\"\n ) or\n process.name == \"yumBackend.py\" or\n file.extension in (\"swp\", \"swpx\", \"swx\") or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/*\", \"/usr/libexec/*\",\n \"/etc/kernel/*\"\n ) or\n 
process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb", "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "0b15bcad-aff1-4250-a5be-5d1b7eb56d07", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.016", "name": "Installer Packages", "reference": "https://attack.mitre.org/techniques/T1546/016/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "0b15bcad-aff1-4250-a5be-5d1b7eb56d07_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5.json b/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5.json deleted file mode 100644 index 36883516cc0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.", "false_positives": ["Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_process_creation"], "name": "Anomalous Windows Process Creation", "note": "## Triage and analysis\n\n### Investigating Anomalous Windows Process Creation\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. 
Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect an anomalous Windows process with an unusual parent-child relationship, which could indicate malware execution or persistence activities on the host machine.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - 
!{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- 
Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], 
"type": "machine_learning", "version": 106}, "id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_102.json b/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_102.json deleted file mode 100644 index 3ab6c3e2c1c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_102.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.", "false_positives": ["Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_process_creation"], "name": "Anomalous Windows Process Creation", "note": "## Triage and analysis\n\n### Investigating Anomalous Windows Process Creation\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. 
Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect an anomalous Windows process with an unusual parent-child relationship, which could indicate malware execution or persistence activities on the host machine.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "type": "machine_learning", "version": 102}, "id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_103.json b/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_103.json
deleted file mode 100644
index 9a08a3fb821..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.", "false_positives": ["Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_process_creation"], "name": "Anomalous Windows Process Creation", "note": "## Triage and analysis\n\n### Investigating Anomalous Windows Process Creation\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. 
Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect an anomalous Windows process with an unusual parent-child relationship, which could indicate malware execution or persistence activities on the host machine.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - 
!{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- 
Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "type": "machine_learning", "version": 103}, "id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_104.json b/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_104.json
deleted file mode 100644
index b19d56b3c24..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.", "false_positives": ["Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_process_creation"], "name": "Anomalous Windows Process Creation", "note": "## Triage and analysis\n\n### Investigating Anomalous Windows Process Creation\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. 
Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect an anomalous Windows process with an unusual parent-child relationship, which could indicate malware execution or persistence activities on the host machine.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - 
!{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- 
Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "type": "machine_learning", "version": 104}, "id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_105.json b/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_105.json
deleted file mode 100644
index a5c9d88bbbf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.", "false_positives": ["Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_process_creation"], "name": "Anomalous Windows Process Creation", "note": "## Triage and analysis\n\n### Investigating Anomalous Windows Process Creation\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. 
Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect an anomalous Windows process with an unusual parent-child relationship, which could indicate malware execution or persistence activities on the host machine.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - 
!{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- 
Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "type": "machine_learning", "version": 105}, "id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_106.json b/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_106.json
deleted file mode 100644
index 1c00629817a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.", "false_positives": ["Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_process_creation"], "name": "Anomalous Windows Process Creation", "note": "## Triage and analysis\n\n### Investigating Anomalous Windows Process Creation\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. 
Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect an anomalous Windows process with an unusual parent-child relationship, which could indicate malware execution or persistence activities on the host machine.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - 
!{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- 
Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], 
"type": "machine_learning", "version": 106}, "id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_107.json b/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_107.json deleted file mode 100644 index cfdfe8305e2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.", "false_positives": ["Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_process_creation"], "name": "Anomalous Windows Process Creation", "note": "## Triage and analysis\n\n### Investigating Anomalous Windows Process Creation\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. 
Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect an anomalous Windows process with an unusual parent-child relationship, which could indicate malware execution or persistence activities on the host machine.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - 
!{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- 
Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], 
"type": "machine_learning", "version": 107}, "id": "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289.json b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289.json deleted file mode 100644 index e2f4b4dc8a4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principle Names (SPNs) so that they can perform Kerberoasting. Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "User account exposed to Kerberoasting", "note": "## Triage and analysis\n\n### Investigating User account exposed to Kerberoasting\n\nService Principal Names (SPNs) are names by which Kerberos clients uniquely identify service instances for Kerberos target computers.\n\nBy default, only computer accounts have SPNs, which creates no significant risk, since machine accounts have a default domain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making them invulnerable to Kerberoasting.\n\nA user account with an SPN assigned is considered a service account, and is accessible to the entire domain. If any user in the directory requests a ticket-granting service (TGS), the domain controller will encrypt it with the secret key of the account executing the service. An attacker can potentially perform a Kerberoasting attack with this information, as the human-defined password is likely to be less complex.\n\nFor scenarios where SPNs cannot be avoided on user accounts, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that account passwords are robust and changed regularly and automatically. 
More information can be found [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).\n\nAttackers can also perform \"Targeted Kerberoasting\", which consists of adding fake SPNs to user accounts that they have write privileges to, making them potentially vulnerable to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate if the target account is a member of privileged groups (Domain Admins, Enterprise Admins, etc.).\n- Investigate if tickets have been requested for the target account.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The use of user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positive (B-TP), especially if the account is privileged. Domain Administrators that define this kind of setting can put the domain at risk as user accounts don't have the same security standards as computer accounts (which have long, complex, random passwords that change frequently), exposing them to credential cracking attacks (Kerberoasting, brute force, etc.).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:(\"Directory Service Changes\" or \"directory-service-object-modified\") and event.code:5136 and\n winlog.event_data.OperationType:\"%%14674\" and\n winlog.event_data.ObjectClass:\"user\" and\n winlog.event_data.AttributeLDAPDisplayName:\"servicePrincipalName\"\n", "references": ["https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting", "https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/", "https://www.thehacker.recipes/ad/movement/kerberos/kerberoast", "https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting", "https://adsecurity.org/?p=280", "https://github.com/OTRF/Set-AuditRule"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ObjectClass", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.OperationType", "type": "unknown"}], "risk_score": 73, "rule_id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory 
Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 111}, "id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_105.json b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_105.json
deleted file mode 100644
index e6f5b184010..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principle Names (SPNs) so that they can perform Kerberoasting. Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "User account exposed to Kerberoasting", "note": "## Triage and analysis\n\n### Investigating User account exposed to Kerberoasting\n\nService Principal Names (SPNs) are names by which Kerberos clients uniquely identify service instances for Kerberos target computers.\n\nBy default, only computer accounts have SPNs, which creates no significant risk, since machine accounts have a default domain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making them invulnerable to Kerberoasting.\n\nA user account with an SPN assigned is considered a service account, and is accessible to the entire domain. If any user in the directory requests a ticket-granting service (TGS), the domain controller will encrypt it with the secret key of the account executing the service. An attacker can potentially perform a Kerberoasting attack with this information, as the human-defined password is likely to be less complex.\n\nFor scenarios where SPNs cannot be avoided on user accounts, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that account passwords are robust and changed regularly and automatically. 
More information can be found [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).\n\nAttackers can also perform \"Targeted Kerberoasting\", which consists of adding fake SPNs to user accounts that they have write privileges to, making them potentially vulnerable to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate if the target account is a member of privileged groups (Domain Admins, Enterprise Admins, etc.).\n- Investigate if tickets have been requested for the target account.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The use of user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positive (B-TP), especially if the account is privileged. Domain Administrators that define this kind of setting can put the domain at risk as user accounts don't have the same security standards as computer accounts (which have long, complex, random passwords that change frequently), exposing them to credential cracking attacks (Kerberoasting, brute force, etc.).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.action:\"Directory Service Changes\" and host.os.type:windows and\n event.code:5136 and winlog.event_data.ObjectClass:\"user\" and\n winlog.event_data.AttributeLDAPDisplayName:\"servicePrincipalName\"\n", "references": ["https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting", "https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/", "https://www.thehacker.recipes/ad/movement/kerberos/kerberoast", "https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting", "https://adsecurity.org/?p=280", "https://github.com/OTRF/Set-AuditRule"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ObjectClass", "type": "unknown"}], "risk_score": 73, "rule_id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289", "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so set up an 
AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\n```", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_106.json b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_106.json deleted file mode 100644 index 256562e5829..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principle Names (SPNs) so that they can perform Kerberoasting. Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "User account exposed to Kerberoasting", "note": "## Triage and analysis\n\n### Investigating User account exposed to Kerberoasting\n\nService Principal Names (SPNs) are names by which Kerberos clients uniquely identify service instances for Kerberos target computers.\n\nBy default, only computer accounts have SPNs, which creates no significant risk, since machine accounts have a default domain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making them invulnerable to Kerberoasting.\n\nA user account with an SPN assigned is considered a service account, and is accessible to the entire domain. If any user in the directory requests a ticket-granting service (TGS), the domain controller will encrypt it with the secret key of the account executing the service. An attacker can potentially perform a Kerberoasting attack with this information, as the human-defined password is likely to be less complex.\n\nFor scenarios where SPNs cannot be avoided on user accounts, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that account passwords are robust and changed regularly and automatically. 
More information can be found [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).\n\nAttackers can also perform \"Targeted Kerberoasting\", which consists of adding fake SPNs to user accounts that they have write privileges to, making them potentially vulnerable to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate if the target account is a member of privileged groups (Domain Admins, Enterprise Admins, etc.).\n- Investigate if tickets have been requested for the target account.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The use of user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positive (B-TP), especially if the account is privileged. Domain Administrators that define this kind of setting can put the domain at risk as user accounts don't have the same security standards as computer accounts (which have long, complex, random passwords that change frequently), exposing them to credential cracking attacks (Kerberoasting, brute force, etc.).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.action:\"Directory Service Changes\" and event.code:5136 and\n winlog.event_data.ObjectClass:\"user\" and\n winlog.event_data.AttributeLDAPDisplayName:\"servicePrincipalName\"\n", "references": ["https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting", "https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/", "https://www.thehacker.recipes/ad/movement/kerberos/kerberoast", "https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting", "https://adsecurity.org/?p=280", "https://github.com/OTRF/Set-AuditRule"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ObjectClass", "type": "unknown"}], "risk_score": 73, "rule_id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289", "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the 
servicePrincipalName Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\n```", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_107.json b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_107.json deleted file mode 100644 index e567d6698cd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principle Names (SPNs) so that they can perform Kerberoasting. Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "User account exposed to Kerberoasting", "note": "## Triage and analysis\n\n### Investigating User account exposed to Kerberoasting\n\nService Principal Names (SPNs) are names by which Kerberos clients uniquely identify service instances for Kerberos target computers.\n\nBy default, only computer accounts have SPNs, which creates no significant risk, since machine accounts have a default domain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making them invulnerable to Kerberoasting.\n\nA user account with an SPN assigned is considered a service account, and is accessible to the entire domain. If any user in the directory requests a ticket-granting service (TGS), the domain controller will encrypt it with the secret key of the account executing the service. An attacker can potentially perform a Kerberoasting attack with this information, as the human-defined password is likely to be less complex.\n\nFor scenarios where SPNs cannot be avoided on user accounts, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that account passwords are robust and changed regularly and automatically. 
More information can be found [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).\n\nAttackers can also perform \"Targeted Kerberoasting\", which consists of adding fake SPNs to user accounts that they have write privileges to, making them potentially vulnerable to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate if the target account is a member of privileged groups (Domain Admins, Enterprise Admins, etc.).\n- Investigate if tickets have been requested for the target account.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The use of user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positive (B-TP), especially if the account is privileged. Domain Administrators that define this kind of setting can put the domain at risk as user accounts don't have the same security standards as computer accounts (which have long, complex, random passwords that change frequently), exposing them to credential cracking attacks (Kerberoasting, brute force, etc.).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.action:\"Directory Service Changes\" and event.code:5136 and\n winlog.event_data.ObjectClass:\"user\" and\n winlog.event_data.AttributeLDAPDisplayName:\"servicePrincipalName\"\n", "references": ["https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting", "https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/", "https://www.thehacker.recipes/ad/movement/kerberos/kerberoast", "https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting", "https://adsecurity.org/?p=280", "https://github.com/OTRF/Set-AuditRule"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ObjectClass", "type": "unknown"}], "risk_score": 73, "rule_id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289", "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the 
servicePrincipalName Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\n```", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_108.json b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_108.json deleted file mode 100644 index b09ba94b8d7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principle Names (SPNs) so that they can perform Kerberoasting. Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "User account exposed to Kerberoasting", "note": "## Triage and analysis\n\n### Investigating User account exposed to Kerberoasting\n\nService Principal Names (SPNs) are names by which Kerberos clients uniquely identify service instances for Kerberos target computers.\n\nBy default, only computer accounts have SPNs, which creates no significant risk, since machine accounts have a default domain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making them invulnerable to Kerberoasting.\n\nA user account with an SPN assigned is considered a service account, and is accessible to the entire domain. If any user in the directory requests a ticket-granting service (TGS), the domain controller will encrypt it with the secret key of the account executing the service. An attacker can potentially perform a Kerberoasting attack with this information, as the human-defined password is likely to be less complex.\n\nFor scenarios where SPNs cannot be avoided on user accounts, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that account passwords are robust and changed regularly and automatically. 
More information can be found [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).\n\nAttackers can also perform \"Targeted Kerberoasting\", which consists of adding fake SPNs to user accounts that they have write privileges to, making them potentially vulnerable to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate if the target account is a member of privileged groups (Domain Admins, Enterprise Admins, etc.).\n- Investigate if tickets have been requested for the target account.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The use of user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positive (B-TP), especially if the account is privileged. Domain Administrators that define this kind of setting can put the domain at risk as user accounts don't have the same security standards as computer accounts (which have long, complex, random passwords that change frequently), exposing them to credential cracking attacks (Kerberoasting, brute force, etc.).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.action:\"Directory Service Changes\" and event.code:5136 and\n winlog.event_data.OperationType:\"%%14674\" and\n winlog.event_data.ObjectClass:\"user\" and\n winlog.event_data.AttributeLDAPDisplayName:\"servicePrincipalName\"\n", "references": ["https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting", "https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/", "https://www.thehacker.recipes/ad/movement/kerberos/kerberoast", "https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting", "https://adsecurity.org/?p=280", "https://github.com/OTRF/Set-AuditRule"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ObjectClass", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.OperationType", "type": "unknown"}], "risk_score": 73, "rule_id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289", "setup": "\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above 
policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_109.json b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_109.json deleted file mode 100644 index 71b0308f541..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principle Names (SPNs) so that they can perform Kerberoasting. Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "User account exposed to Kerberoasting", "note": "## Triage and analysis\n\n### Investigating User account exposed to Kerberoasting\n\nService Principal Names (SPNs) are names by which Kerberos clients uniquely identify service instances for Kerberos target computers.\n\nBy default, only computer accounts have SPNs, which creates no significant risk, since machine accounts have a default domain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making them invulnerable to Kerberoasting.\n\nA user account with an SPN assigned is considered a service account, and is accessible to the entire domain. If any user in the directory requests a ticket-granting service (TGS), the domain controller will encrypt it with the secret key of the account executing the service. An attacker can potentially perform a Kerberoasting attack with this information, as the human-defined password is likely to be less complex.\n\nFor scenarios where SPNs cannot be avoided on user accounts, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that account passwords are robust and changed regularly and automatically. 
More information can be found [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).\n\nAttackers can also perform \"Targeted Kerberoasting\", which consists of adding fake SPNs to user accounts that they have write privileges to, making them potentially vulnerable to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate if the target account is a member of privileged groups (Domain Admins, Enterprise Admins, etc.).\n- Investigate if tickets have been requested for the target account.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The use of user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positive (B-TP), especially if the account is privileged. Domain Administrators that define this kind of setting can put the domain at risk as user accounts don't have the same security standards as computer accounts (which have long, complex, random passwords that change frequently), exposing them to credential cracking attacks (Kerberoasting, brute force, etc.).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:\"Directory Service Changes\" and event.code:5136 and\n winlog.event_data.OperationType:\"%%14674\" and\n winlog.event_data.ObjectClass:\"user\" and\n winlog.event_data.AttributeLDAPDisplayName:\"servicePrincipalName\"\n", "references": ["https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting", "https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/", "https://www.thehacker.recipes/ad/movement/kerberos/kerberoast", "https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting", "https://adsecurity.org/?p=280", "https://github.com/OTRF/Set-AuditRule"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ObjectClass", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.OperationType", "type": "unknown"}], "risk_score": 73, "rule_id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe 
above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 109}, "id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_110.json b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_110.json deleted file mode 100644 index 113169caa26..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principle Names (SPNs) so that they can perform Kerberoasting. Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "User account exposed to Kerberoasting", "note": "## Triage and analysis\n\n### Investigating User account exposed to Kerberoasting\n\nService Principal Names (SPNs) are names by which Kerberos clients uniquely identify service instances for Kerberos target computers.\n\nBy default, only computer accounts have SPNs, which creates no significant risk, since machine accounts have a default domain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making them invulnerable to Kerberoasting.\n\nA user account with an SPN assigned is considered a service account, and is accessible to the entire domain. If any user in the directory requests a ticket-granting service (TGS), the domain controller will encrypt it with the secret key of the account executing the service. An attacker can potentially perform a Kerberoasting attack with this information, as the human-defined password is likely to be less complex.\n\nFor scenarios where SPNs cannot be avoided on user accounts, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that account passwords are robust and changed regularly and automatically. 
More information can be found [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).\n\nAttackers can also perform \"Targeted Kerberoasting\", which consists of adding fake SPNs to user accounts that they have write privileges to, making them potentially vulnerable to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate if the target account is a member of privileged groups (Domain Admins, Enterprise Admins, etc.).\n- Investigate if tickets have been requested for the target account.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The use of user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positive (B-TP), especially if the account is privileged. Domain Administrators that define this kind of setting can put the domain at risk as user accounts don't have the same security standards as computer accounts (which have long, complex, random passwords that change frequently), exposing them to credential cracking attacks (Kerberoasting, brute force, etc.).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:(\"Directory Service Changes\" or \"directory-service-object-modified\") and event.code:5136 and\n winlog.event_data.OperationType:\"%%14674\" and\n winlog.event_data.ObjectClass:\"user\" and\n winlog.event_data.AttributeLDAPDisplayName:\"servicePrincipalName\"\n", "references": ["https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting", "https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/", "https://www.thehacker.recipes/ad/movement/kerberos/kerberoast", "https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting", "https://adsecurity.org/?p=280", "https://github.com/OTRF/Set-AuditRule"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ObjectClass", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.OperationType", "type": "unknown"}], "risk_score": 73, "rule_id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory 
Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 110}, "id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_111.json b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_111.json deleted file mode 100644 index 3e1173c3844..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principle Names (SPNs) so that they can perform Kerberoasting. Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "User account exposed to Kerberoasting", "note": "## Triage and analysis\n\n### Investigating User account exposed to Kerberoasting\n\nService Principal Names (SPNs) are names by which Kerberos clients uniquely identify service instances for Kerberos target computers.\n\nBy default, only computer accounts have SPNs, which creates no significant risk, since machine accounts have a default domain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making them invulnerable to Kerberoasting.\n\nA user account with an SPN assigned is considered a service account, and is accessible to the entire domain. If any user in the directory requests a ticket-granting service (TGS), the domain controller will encrypt it with the secret key of the account executing the service. An attacker can potentially perform a Kerberoasting attack with this information, as the human-defined password is likely to be less complex.\n\nFor scenarios where SPNs cannot be avoided on user accounts, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that account passwords are robust and changed regularly and automatically. 
More information can be found [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).\n\nAttackers can also perform \"Targeted Kerberoasting\", which consists of adding fake SPNs to user accounts that they have write privileges to, making them potentially vulnerable to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate if the target account is a member of privileged groups (Domain Admins, Enterprise Admins, etc.).\n- Investigate if tickets have been requested for the target account.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The use of user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positive (B-TP), especially if the account is privileged. Domain Administrators that define this kind of setting can put the domain at risk as user accounts don't have the same security standards as computer accounts (which have long, complex, random passwords that change frequently), exposing them to credential cracking attacks (Kerberoasting, brute force, etc.).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:(\"Directory Service Changes\" or \"directory-service-object-modified\") and event.code:5136 and\n winlog.event_data.OperationType:\"%%14674\" and\n winlog.event_data.ObjectClass:\"user\" and\n winlog.event_data.AttributeLDAPDisplayName:\"servicePrincipalName\"\n", "references": ["https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting", "https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/", "https://www.thehacker.recipes/ad/movement/kerberos/kerberoast", "https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting", "https://adsecurity.org/?p=280", "https://github.com/OTRF/Set-AuditRule"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ObjectClass", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.OperationType", "type": "unknown"}], "risk_score": 73, "rule_id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory 
Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 111}, "id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_112.json b/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_112.json deleted file mode 100644 index 37f62058b58..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0b2f3da5-b5ec-47d1-908b-6ebb74814289_112.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user account has the servicePrincipalName attribute modified. Attackers can abuse write privileges over a user to configure Service Principle Names (SPNs) so that they can perform Kerberoasting. Administrators can also configure this for legitimate purposes, exposing the account to Kerberoasting.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "User account exposed to Kerberoasting", "note": "## Triage and analysis\n\n### Investigating User account exposed to Kerberoasting\n\nService Principal Names (SPNs) are names by which Kerberos clients uniquely identify service instances for Kerberos target computers.\n\nBy default, only computer accounts have SPNs, which creates no significant risk, since machine accounts have a default domain policy that rotates their passwords every 30 days, and the password is composed of 120 random characters, making them invulnerable to Kerberoasting.\n\nA user account with an SPN assigned is considered a service account, and is accessible to the entire domain. If any user in the directory requests a ticket-granting service (TGS), the domain controller will encrypt it with the secret key of the account executing the service. An attacker can potentially perform a Kerberoasting attack with this information, as the human-defined password is likely to be less complex.\n\nFor scenarios where SPNs cannot be avoided on user accounts, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that account passwords are robust and changed regularly and automatically. 
More information can be found [here](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).\n\nAttackers can also perform \"Targeted Kerberoasting\", which consists of adding fake SPNs to user accounts that they have write privileges to, making them potentially vulnerable to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate if the target account is a member of privileged groups (Domain Admins, Enterprise Admins, etc.).\n- Investigate if tickets have been requested for the target account.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The use of user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positive (B-TP), especially if the account is privileged. Domain Administrators that define this kind of setting can put the domain at risk as user accounts don't have the same security standards as computer accounts (which have long, complex, random passwords that change frequently), exposing them to credential cracking attacks (Kerberoasting, brute force, etc.).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:(\"Directory Service Changes\" or \"directory-service-object-modified\") and event.code:5136 and\n winlog.event_data.OperationType:\"%%14674\" and\n winlog.event_data.ObjectClass:\"user\" and\n winlog.event_data.AttributeLDAPDisplayName:\"servicePrincipalName\"\n", "references": ["https://www.thehacker.recipes/ad/movement/access-controls/targeted-kerberoasting", "https://www.qomplx.com/qomplx-knowledge-kerberoasting-attacks-explained/", "https://www.thehacker.recipes/ad/movement/kerberos/kerberoast", "https://attack.stealthbits.com/cracking-kerberos-tgs-tickets-using-kerberoasting", "https://adsecurity.org/?p=280", "https://github.com/OTRF/Set-AuditRule"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ObjectClass", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.OperationType", "type": "unknown"}], "risk_score": 73, "rule_id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory 
Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the servicePrincipalName Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID f3a64788-5306-11d1-a9c5-0000f80367c1 -AuditFlags Success\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 112}, "id": "0b2f3da5-b5ec-47d1-908b-6ebb74814289_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b79f5c0-2c31-4fea-86cd-e62644278205.json b/packages/security_detection_engine/kibana/security_rule/0b79f5c0-2c31-4fea-86cd-e62644278205.json deleted file mode 100644 index 845f539b760..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0b79f5c0-2c31-4fea-86cd-e62644278205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule looks for use of the IAM `AttachUserPolicy` API operation to attach the `CompromisedKeyQuarantine` or `CompromisedKeyQuarantineV2` AWS managed policies to an existing IAM user. This policy denies access to certain actions and is applied by the AWS team in the event that an IAM user's credentials have been compromised or exposed publicly.", "false_positives": ["This is an intentional action taken by AWS in the event of compromised credentials. Follow the instructions specified in the support case created for you regarding this event."], "from": "now-6m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "eql", "license": "Elastic License v2", "name": "AWS IAM CompromisedKeyQuarantine Policy Attached to User", "note": "## Triage and Analysis\n\n### Investigating AWS IAM CompromisedKeyQuarantine Policy Attached to User\n\nThe AWS IAM `CompromisedKeyQuarantine` and `CompromisedKeyQuarantineV2` managed policies deny certain action and is applied by the AWS team to a user with exposed credentials. \nThis action is accompanied by a support case which specifies instructions to follow before detaching the policy. \n\n#### Possible Investigation Steps\n\n- **Identify Potentially Compromised Identity**: Review the `userName` parameter of the `aws.cloudtrail.request_parameters` to determine the quarantined IAM entity.\n- **Contextualize with AWS Support Case**: Review any information from AWS comtaining additional information about the quarantined account and the reasoning for quarantine.\n- **Follow Support Case Instructions**: Do not revert the quarantine policy attachment or delete the compromised keys. 
Instead folow the instructions given in your support case.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in potentially suspicious activities.\n- **Interview Relevant Personnel**: If the compromised key belongs to a user, verify the intent and authorization for these correlated actions with the person or team responsible for managing the compromised key.\n\n### False Positive Analysis\n\n- There shouldn't be many false positives related to this action as it is inititated by AWS in response to compromised or publicly exposed credentials.\n\n### Response and Remediation\n\n- **Immediate Review and Reversal**: Update the user IAM permissions to remove the quarantine policy and disable the compromised credentials.\n- **Policy Update**: Review and possibly update your organization\u2019s policies on credential storage to tighten control and prevent public exposure.\n- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. 
This includes further investigation, containment, and recovery.\n\n### Additional Information:\n\nFor further guidance on managing and securing credentials in AWS environments, refer to the [AWS IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) regarding security best practices and guidance on [Remediating Potentially Compromised AWS Credentials](https://docs.aws.amazon.com/guardduty/latest/ug/compromised-creds.html).\n", "query": "any where event.dataset == \"aws.cloudtrail\" \n and event.action == \"AttachUserPolicy\"\n and event.outcome == \"success\" \n and stringContains(aws.cloudtrail.request_parameters, \"AWSCompromisedKeyQuarantine\")\n", "references": ["https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSCompromisedKeyQuarantine.html/", "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSCompromisedKeyQuarantineV2.html/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.request_parameters", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 73, "rule_id": "0b79f5c0-2c31-4fea-86cd-e62644278205", "severity": "high", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Resources: Investigation Guide", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "0b79f5c0-2c31-4fea-86cd-e62644278205", "type": 
"security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a.json b/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a.json deleted file mode 100644 index 94d8cf35ff5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of a set of linux binaries, that are potentially vulnerable to wildcard injection, with suspicious command line flags followed by a shell spawn event. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Shell via Wildcard Injection Detected", "query": "sequence by host.id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.name == \"tar\" and process.args : \"--checkpoint=*\" and process.args : \"--checkpoint-action=*\") or\n (process.name == \"rsync\" and process.args : \"-e*\") or\n (process.name == \"zip\" and process.args == \"--unzip-command\")\n ) and not process.executable : \"/tmp/newroot/*\"\n ] by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.parent.name : (\"tar\", \"rsync\", \"zip\") and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n ] by process.parent.entity_id\n", "references": ["https://www.exploit-db.com/papers/33930"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": 
"process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0b803267-74c5-444d-ae29-32b5db2d562a", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "type": "eql", "version": 6}, "id": "0b803267-74c5-444d-ae29-32b5db2d562a", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_1.json b/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_1.json deleted file mode 100644 index 0d213e64ed0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_1.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of a set of linux binaries, that are potentially vulnerable to wildcard injection, with suspicious command line flags followed by a shell spawn event. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Shell via Wildcard Injection Detected", "query": "sequence by host.id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and (\n (process.name == \"tar\" and process.args : \"--checkpoint=*\" and process.args : \"--checkpoint-action=*\") or\n (process.name == \"rsync\" and process.args : \"-e*\") or\n (process.name == \"zip\" and process.args == \"--unzip-command\") )] by process.entity_id\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.parent.name : (\"tar\", \"rsync\", \"zip\") and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")] by process.parent.entity_id\n", "references": ["https://www.exploit-db.com/papers/33930"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": 
"process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0b803267-74c5-444d-ae29-32b5db2d562a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "type": "eql", "version": 1}, "id": "0b803267-74c5-444d-ae29-32b5db2d562a_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_2.json b/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_2.json
deleted file mode 100644
index 6776211595e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of a set of linux binaries, that are potentially vulnerable to wildcard injection, with suspicious command line flags followed by a shell spawn event. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Shell via Wildcard Injection Detected", "query": "sequence by host.id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and (\n (process.name == \"tar\" and process.args : \"--checkpoint=*\" and process.args : \"--checkpoint-action=*\") or\n (process.name == \"rsync\" and process.args : \"-e*\") or\n (process.name == \"zip\" and process.args == \"--unzip-command\") )] by process.entity_id\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.parent.name : (\"tar\", \"rsync\", \"zip\") and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")] by process.parent.entity_id\n", "references": ["https://www.exploit-db.com/papers/33930"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": 
"process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0b803267-74c5-444d-ae29-32b5db2d562a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "type": "eql", "version": 2}, "id": "0b803267-74c5-444d-ae29-32b5db2d562a_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_3.json b/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_3.json
deleted file mode 100644
index d5de9a35407..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of a set of linux binaries, that are potentially vulnerable to wildcard injection, with suspicious command line flags followed by a shell spawn event. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Shell via Wildcard Injection Detected", "query": "sequence by host.id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and (\n (process.name == \"tar\" and process.args : \"--checkpoint=*\" and process.args : \"--checkpoint-action=*\") or\n (process.name == \"rsync\" and process.args : \"-e*\") or\n (process.name == \"zip\" and process.args == \"--unzip-command\") )] by process.entity_id\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.parent.name : (\"tar\", \"rsync\", \"zip\") and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")] by process.parent.entity_id\n", "references": ["https://www.exploit-db.com/papers/33930"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": 
"process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0b803267-74c5-444d-ae29-32b5db2d562a", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "type": "eql", "version": 3}, "id": "0b803267-74c5-444d-ae29-32b5db2d562a_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_4.json b/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_4.json
deleted file mode 100644
index b906a13c28a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of a set of linux binaries, that are potentially vulnerable to wildcard injection, with suspicious command line flags followed by a shell spawn event. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Shell via Wildcard Injection Detected", "query": "sequence by host.id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and (\n (process.name == \"tar\" and process.args : \"--checkpoint=*\" and process.args : \"--checkpoint-action=*\") or\n (process.name == \"rsync\" and process.args : \"-e*\") or\n (process.name == \"zip\" and process.args == \"--unzip-command\") )] by process.entity_id\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.parent.name : (\"tar\", \"rsync\", \"zip\") and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")] by process.parent.entity_id\n", "references": ["https://www.exploit-db.com/papers/33930"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": 
"process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0b803267-74c5-444d-ae29-32b5db2d562a", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "type": "eql", "version": 4}, "id": "0b803267-74c5-444d-ae29-32b5db2d562a_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_5.json b/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_5.json
deleted file mode 100644
index 137dc1dd0a5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0b803267-74c5-444d-ae29-32b5db2d562a_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of a set of linux binaries, that are potentially vulnerable to wildcard injection, with suspicious command line flags followed by a shell spawn event. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Shell via Wildcard Injection Detected", "query": "sequence by host.id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.name == \"tar\" and process.args : \"--checkpoint=*\" and process.args : \"--checkpoint-action=*\") or\n (process.name == \"rsync\" and process.args : \"-e*\") or\n (process.name == \"zip\" and process.args == \"--unzip-command\") )] by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.parent.name : (\"tar\", \"rsync\", \"zip\") and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")] by process.parent.entity_id\n", "references": ["https://www.exploit-db.com/papers/33930"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": 
"process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0b803267-74c5-444d-ae29-32b5db2d562a", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "type": "eql", "version": 5}, "id": "0b803267-74c5-444d-ae29-32b5db2d562a_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0b96dfd8-5b8c-4485-9a1c-69ff7839786a_1.json b/packages/security_detection_engine/kibana/security_rule/0b96dfd8-5b8c-4485-9a1c-69ff7839786a_1.json
deleted file mode 100644
index 2ca841722ea..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0b96dfd8-5b8c-4485-9a1c-69ff7839786a_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the execution of the VScode portable binary with the tunnel command line option indicating an attempt to establish a remote tunnel session to Github or a remote VScode instance.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Establish VScode Remote Tunnel", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"tunnel\" and (process.args : \"--accept-server-license-terms\" or process.name : \"code*.exe\")\n", "references": ["https://badoption.eu/blog/2023/01/31/code_c2.html", "https://code.visualstudio.com/docs/remote/tunnels"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0b96dfd8-5b8c-4485-9a1c-69ff7839786a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", 
"reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "0b96dfd8-5b8c-4485-9a1c-69ff7839786a_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0b96dfd8-5b8c-4485-9a1c-69ff7839786a_102.json b/packages/security_detection_engine/kibana/security_rule/0b96dfd8-5b8c-4485-9a1c-69ff7839786a_102.json
deleted file mode 100644
index ea71529c702..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0b96dfd8-5b8c-4485-9a1c-69ff7839786a_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the execution of the VScode portable binary with the tunnel command line option indicating an attempt to establish a remote tunnel session to Github or a remote VScode instance.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Establish VScode Remote Tunnel", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"tunnel\" and (process.args : \"--accept-server-license-terms\" or process.name : \"code*.exe\") and \n not (process.name == \"code-tunnel.exe\" and process.args == \"status\" and process.parent.name == \"Code.exe\")\n", "references": ["https://badoption.eu/blog/2023/01/31/code_c2.html", "https://code.visualstudio.com/docs/remote/tunnels"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0b96dfd8-5b8c-4485-9a1c-69ff7839786a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "0b96dfd8-5b8c-4485-9a1c-69ff7839786a_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0b96dfd8-5b8c-4485-9a1c-69ff7839786a_103.json b/packages/security_detection_engine/kibana/security_rule/0b96dfd8-5b8c-4485-9a1c-69ff7839786a_103.json
deleted file mode 100644
index b7440ba4a90..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0b96dfd8-5b8c-4485-9a1c-69ff7839786a_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the execution of the VScode portable binary with the tunnel command line option indicating an attempt to establish a remote tunnel session to Github or a remote VScode instance.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Establish VScode Remote Tunnel", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"tunnel\" and (process.args : \"--accept-server-license-terms\" or process.name : \"code*.exe\") and \n not (process.name == \"code-tunnel.exe\" and process.args == \"status\" and process.parent.name == \"Code.exe\")\n", "references": ["https://badoption.eu/blog/2023/01/31/code_c2.html", "https://code.visualstudio.com/docs/remote/tunnels"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0b96dfd8-5b8c-4485-9a1c-69ff7839786a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: 
System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "0b96dfd8-5b8c-4485-9a1c-69ff7839786a_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0b96dfd8-5b8c-4485-9a1c-69ff7839786a_2.json b/packages/security_detection_engine/kibana/security_rule/0b96dfd8-5b8c-4485-9a1c-69ff7839786a_2.json
deleted file mode 100644
index efaf80f9a23..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0b96dfd8-5b8c-4485-9a1c-69ff7839786a_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the execution of the VScode portable binary with the tunnel command line option indicating an attempt to establish a remote tunnel session to Github or a remote VScode instance.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Establish VScode Remote Tunnel", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"tunnel\" and (process.args : \"--accept-server-license-terms\" or process.name : \"code*.exe\") and \n not (process.name == \"code-tunnel.exe\" and process.args == \"status\" and process.parent.name == \"Code.exe\")\n", "references": ["https://badoption.eu/blog/2023/01/31/code_c2.html", "https://code.visualstudio.com/docs/remote/tunnels"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0b96dfd8-5b8c-4485-9a1c-69ff7839786a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "0b96dfd8-5b8c-4485-9a1c-69ff7839786a_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0c093569-dff9-42b6-87b1-0242d9f7d9b4.json b/packages/security_detection_engine/kibana/security_rule/0c093569-dff9-42b6-87b1-0242d9f7d9b4.json
deleted file mode 100644
index 76682228026..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0c093569-dff9-42b6-87b1-0242d9f7d9b4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identify instances where adversaries include trailing space characters to mimic regular files, disguising their activity to evade default file handling mechanisms.", "from": "now-119m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Processes with Trailing Spaces", "query": "process where event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nprocess.name : \"* \"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "0c093569-dff9-42b6-87b1-0242d9f7d9b4", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.006", "name": "Space after Filename", "reference": "https://attack.mitre.org/techniques/T1036/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "0c093569-dff9-42b6-87b1-0242d9f7d9b4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0c093569-dff9-42b6-87b1-0242d9f7d9b4_1.json b/packages/security_detection_engine/kibana/security_rule/0c093569-dff9-42b6-87b1-0242d9f7d9b4_1.json
deleted file mode 100644
index f027ecb5bde..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0c093569-dff9-42b6-87b1-0242d9f7d9b4_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identify instances where adversaries include trailing space characters to mimic regular files, disguising their activity to evade default file handling mechanisms.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Processes with Trailing Spaces", "query": "process where event.type in (\"start\", \"process_started\") and process.name : \"* \"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "0c093569-dff9-42b6-87b1-0242d9f7d9b4", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.006", "name": "Space after Filename", "reference": "https://attack.mitre.org/techniques/T1036/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "0c093569-dff9-42b6-87b1-0242d9f7d9b4_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64.json b/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64.json
deleted file mode 100644
index 7d8d9f05d55..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or integrations has a match against a network event.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel IP Address Indicator Match", "note": "## Triage and Analysis\n\n### Investigating Threat Intel IP Address Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index.\n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when an IP address indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against a network event.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation so you can understand the nature of the connection. 
This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the IP address, which can be found in the `threat.indicator.matched.atomic` field:\n - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Execute a reverse DNS lookup to retrieve hostnames associated with the given IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- When a match is found, it's important to consider the indicator's initial release date. Threat intelligence is useful for augmenting existing security processes but can quickly become outdated. In other words, some threat intelligence only represents a specific set of activity observed at a specific time. For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat.\n- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure.\n- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). 
Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "source.ip:* or destination.ip:*\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 99, "rule_id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64", "setup": "## Setup\n\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat 
Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Threat Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": "enrichment"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, "params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "source.ip", "type": "mapping", "value": "threat.indicator.ip"}]}, {"entries": [{"field": "destination.ip", "type": "mapping", "value": "threat.indicator.ip"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "timestamp_override": "event.ingested", "type": "threat_match", "version": 7}, "id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_1.json b/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_1.json
deleted file mode 100644
index 9dcf09bc55c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or integrations has a match against a network event.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel IP Address Indicator Match", "query": "source.ip:* or destination.ip:*\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 99, "rule_id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": "enrichment"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, "params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "source.ip", "type": "mapping", "value": "threat.indicator.ip"}]}, {"entries": [{"field": "destination.ip", "type": "mapping", "value": 
"threat.indicator.ip"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", "version": 1}, "id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_2.json b/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_2.json
deleted file mode 100644
index ac3b10ac9ec..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or integrations has a match against a network event.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel IP Address Indicator Match", "note": "## Triage and Analysis\n\n### Investigating Threat Intel IP Address Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when an IP address indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against a network event.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation so you can understand the nature of the connection. This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the IP address, which can be found in the `threat.indicator.matched.atomic` field:\n - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. 
\n - Execute a reverse DNS lookup to retrieve hostnames associated with the given IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- When a match is found, it's important to consider the indicator's initial release date. Threat intelligence is useful for augmenting existing security processes but can quickly become outdated. In other words, some threat intelligence only represents a specific set of activity observed at a specific time. 
For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat.\n- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure.\n- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThis rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).", "query": "source.ip:* or destination.ip:*\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 99, "rule_id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64", "setup": "This rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an Elastic Agent integration, the Threat Intel module, or a custom integration.\n\nMore information can be found here.", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": "enrichment"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, "params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "source.ip", "type": "mapping", "value": "threat.indicator.ip"}]}, {"entries": [{"field": "destination.ip", "type": "mapping", "value": "threat.indicator.ip"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", "version": 2}, "id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_3.json b/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_3.json
deleted file mode 100644
index 4de3a137648..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or integrations has a match against a network event.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel IP Address Indicator Match", "note": "## Triage and Analysis\n\n### Investigating Threat Intel IP Address Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when an IP address indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against a network event.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation so you can understand the nature of the connection. 
This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the IP address, which can be found in the `threat.indicator.matched.atomic` field:\n - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. \n - Execute a reverse DNS lookup to retrieve hostnames associated with the given IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- When a match is found, it's important to consider the indicator's initial release date. Threat intelligence is useful for augmenting existing security processes but can quickly become outdated. In other words, some threat intelligence only represents a specific set of activity observed at a specific time. For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat.\n- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure.\n- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). 
Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThis rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).", "query": "source.ip:* or destination.ip:*\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 99, "rule_id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64", "setup": "This rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an Elastic Agent integration, the Threat Intel module, or a custom integration.\n\nMore information can be found here.", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": "enrichment"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, "params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "source.ip", "type": "mapping", "value": "threat.indicator.ip"}]}, {"entries": [{"field": "destination.ip", "type": "mapping", "value": "threat.indicator.ip"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", "version": 3}, "id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_4.json b/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_4.json deleted file mode 100644 index 4787d8142b7..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or integrations has a match against a network event.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel IP Address Indicator Match", "note": "## Triage and Analysis\n\n### Investigating Threat Intel IP Address Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when an IP address indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against a network event.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation so you can understand the nature of the connection. 
This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the IP address, which can be found in the `threat.indicator.matched.atomic` field:\n - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. \n - Execute a reverse DNS lookup to retrieve hostnames associated with the given IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- When a match is found, it's important to consider the indicator's initial release date. Threat intelligence is useful for augmenting existing security processes but can quickly become outdated. In other words, some threat intelligence only represents a specific set of activity observed at a specific time. For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat.\n- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure.\n- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). 
Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "source.ip:* or destination.ip:*\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 99, "rule_id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64", "setup": "\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat Intel 
module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": "enrichment"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, "params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "source.ip", "type": "mapping", "value": "threat.indicator.ip"}]}, {"entries": [{"field": "destination.ip", "type": "mapping", "value": "threat.indicator.ip"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", "version": 4}, "id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64_4", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_5.json b/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_5.json deleted file mode 100644 index d229e924cab..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or integrations has a match against a network event.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel IP Address Indicator Match", "note": "## Triage and Analysis\n\n### Investigating Threat Intel IP Address Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index.\n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when an IP address indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against a network event.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation so you can understand the nature of the connection. 
This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the IP address, which can be found in the `threat.indicator.matched.atomic` field:\n - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Execute a reverse DNS lookup to retrieve hostnames associated with the given IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- When a match is found, it's important to consider the indicator's initial release date. Threat intelligence is useful for augmenting existing security processes but can quickly become outdated. In other words, some threat intelligence only represents a specific set of activity observed at a specific time. For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat.\n- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure.\n- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). 
Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "source.ip:* or destination.ip:*\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 99, "rule_id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64", "setup": "\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat Intel 
module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": "enrichment"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, "params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "source.ip", "type": "mapping", "value": "threat.indicator.ip"}]}, {"entries": [{"field": "destination.ip", "type": "mapping", "value": "threat.indicator.ip"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "timestamp_override": "event.ingested", "type": "threat_match", "version": 5}, "id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64_5", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_6.json b/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_6.json deleted file mode 100644 index ccd9d09d1fa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0c41e478-5263-4c69-8f9e-7dfd2c22da64_6.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when an IP address indicator from the Threat Intel Filebeat module or integrations has a match against a network event.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel IP Address Indicator Match", "note": "## Triage and Analysis\n\n### Investigating Threat Intel IP Address Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index.\n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when an IP address indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against a network event.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation so you can understand the nature of the connection. 
This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the IP address, which can be found in the `threat.indicator.matched.atomic` field:\n - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Execute a reverse DNS lookup to retrieve hostnames associated with the given IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- When a match is found, it's important to consider the indicator's initial release date. Threat intelligence is useful for augmenting existing security processes but can quickly become outdated. In other words, some threat intelligence only represents a specific set of activity observed at a specific time. For example, an IP address may have hosted malware observed in a Dridex campaign months ago, but it's possible that IP has been remediated and no longer represents any threat.\n- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure.\n- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). 
Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "source.ip:* or destination.ip:*\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 99, "rule_id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64", "setup": "## Setup\n\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat 
Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": "enrichment"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, "params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "source.ip", "type": "mapping", "value": "threat.indicator.ip"}]}, {"entries": [{"field": "destination.ip", "type": "mapping", "value": "threat.indicator.ip"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "timestamp_override": "event.ingested", "type": "threat_match", "version": 6}, "id": "0c41e478-5263-4c69-8f9e-7dfd2c22da64_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4.json b/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4.json
deleted file mode 100644
index d6db5607b17..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices and components connected to a computer system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Peripheral Device Discovery", "note": "## Triage and analysis\n\n### Investigating Peripheral Device Discovery\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `fsutil` utility with the `fsinfo` subcommand to enumerate drives attached to the computer, which can be used to identify secondary drives used for backups, mapped network drives, and removable media. These devices can contain valuable information for attackers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage services.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or ?process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"fsinfo\" and process.args : \"drives\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users 
will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1120", "name": "Peripheral Device Discovery", "reference": "https://attack.mitre.org/techniques/T1120/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_104.json b/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_104.json
deleted file mode 100644
index 9bd44de9cf6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices and components connected to a computer system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Peripheral Device Discovery", "note": "## Triage and analysis\n\n### Investigating Peripheral Device Discovery\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `fsutil` utility with the `fsinfo` subcommand to enumerate drives attached to the computer, which can be used to identify secondary drives used for backups, mapped network drives, and removable media. These devices can contain valuable information for attackers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage services.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"fsinfo\" and process.args : \"drives\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to 
@timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1120", "name": "Peripheral Device Discovery", "reference": "https://attack.mitre.org/techniques/T1120/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_105.json b/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_105.json
deleted file mode 100644
index 2c4682573f8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices and components connected to a computer system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Peripheral Device Discovery", "note": "## Triage and analysis\n\n### Investigating Peripheral Device Discovery\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `fsutil` utility with the `fsinfo` subcommand to enumerate drives attached to the computer, which can be used to identify secondary drives used for backups, mapped network drives, and removable media. These devices can contain valuable information for attackers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage services.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"fsinfo\" and process.args : \"drives\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to 
@timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1120", "name": "Peripheral Device Discovery", "reference": "https://attack.mitre.org/techniques/T1120/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_106.json b/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_106.json
deleted file mode 100644
index 184f3a89c73..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices and components connected to a computer system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Peripheral Device Discovery", "note": "## Triage and analysis\n\n### Investigating Peripheral Device Discovery\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `fsutil` utility with the `fsinfo` subcommand to enumerate drives attached to the computer, which can be used to identify secondary drives used for backups, mapped network drives, and removable media. These devices can contain valuable information for attackers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage services.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"fsinfo\" and process.args : \"drives\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to 
@timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1120", "name": "Peripheral Device Discovery", "reference": "https://attack.mitre.org/techniques/T1120/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_107.json b/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_107.json
deleted file mode 100644
index 22e477cad2a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices and components connected to a computer system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Peripheral Device Discovery", "note": "## Triage and analysis\n\n### Investigating Peripheral Device Discovery\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `fsutil` utility with the `fsinfo` subcommand to enumerate drives attached to the computer, which can be used to identify secondary drives used for backups, mapped network drives, and removable media. These devices can contain valuable information for attackers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage services.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"fsinfo\" and process.args : \"drives\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need 
to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1120", "name": "Peripheral Device Discovery", "reference": "https://attack.mitre.org/techniques/T1120/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_108.json b/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_108.json
deleted file mode 100644
index 51b43d4a3bc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices and components connected to a computer system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Peripheral Device Discovery", "note": "## Triage and analysis\n\n### Investigating Peripheral Device Discovery\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `fsutil` utility with the `fsinfo` subcommand to enumerate drives attached to the computer, which can be used to identify secondary drives used for backups, mapped network drives, and removable media. These devices can contain valuable information for attackers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage services.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or ?process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"fsinfo\" and process.args : \"drives\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users 
will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1120", "name": "Peripheral Device Discovery", "reference": "https://attack.mitre.org/techniques/T1120/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_109.json b/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_109.json deleted file mode 100644 index b2dd71b7db8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices and components connected to a computer system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Peripheral Device Discovery", "note": "## Triage and analysis\n\n### Investigating Peripheral Device Discovery\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `fsutil` utility with the `fsinfo` subcommand to enumerate drives attached to the computer, which can be used to identify secondary drives used for backups, mapped network drives, and removable media. These devices can contain valuable information for attackers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage services.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or ?process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"fsinfo\" and process.args : \"drives\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users 
will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1120", "name": "Peripheral Device Discovery", "reference": "https://attack.mitre.org/techniques/T1120/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_110.json b/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_110.json deleted file mode 100644 index c4056511bb6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices and components connected to a computer system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Peripheral Device Discovery", "note": "## Triage and analysis\n\n### Investigating Peripheral Device Discovery\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `fsutil` utility with the `fsinfo` subcommand to enumerate drives attached to the computer, which can be used to identify secondary drives used for backups, mapped network drives, and removable media. These devices can contain valuable information for attackers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage services.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or ?process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"fsinfo\" and process.args : \"drives\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users 
will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1120", "name": "Peripheral Device Discovery", "reference": "https://attack.mitre.org/techniques/T1120/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_310.json b/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_310.json deleted file mode 100644 index 8fa8d774a47..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_310.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Windows file system utility (fsutil.exe) to gather information about attached peripheral devices and components connected to a computer system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Peripheral Device Discovery", "note": "## Triage and analysis\n\n### Investigating Peripheral Device Discovery\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `fsutil` utility with the `fsinfo` subcommand to enumerate drives attached to the computer, which can be used to identify secondary drives used for backups, mapped network drives, and removable media. These devices can contain valuable information for attackers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Determine whether this activity was followed by suspicious file access/copy operations or uploads to file storage services.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or ?process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"fsinfo\" and process.args : \"drives\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1120", "name": "Peripheral Device Discovery", "reference": "https://attack.mitre.org/techniques/T1120/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 310}, "id": 
"0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4_310", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0cd2f3e6-41da-40e6-b28b-466f688f00a6.json b/packages/security_detection_engine/kibana/security_rule/0cd2f3e6-41da-40e6-b28b-466f688f00a6.json
deleted file mode 100644
index 29568301f7d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0cd2f3e6-41da-40e6-b28b-466f688f00a6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple violations of AWS Bedrock guardrails by the same user in the same account over a session. Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.", "false_positives": ["Legitimate misunderstanding by users or overly strict policies"], "from": "now-60m", "interval": "10m", "language": "esql", "license": "Elastic License v2", "name": "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session", "query": "from logs-aws_bedrock.invocation-*\n| where gen_ai.compliance.violation_detected\n| stats violations = count(*) by user.id, gen_ai.model.id, cloud.account.id\n| where violations > 1\n| sort violations desc\n", "references": ["https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", "https://atlas.mitre.org/techniques/AML.T0051", "https://atlas.mitre.org/techniques/AML.T0054", "https://www.elastic.co/security-labs/elastic-advances-llm-security"], "risk_score": 47, "rule_id": "0cd2f3e6-41da-40e6-b28b-466f688f00a6", "setup": "## Setup\n\nThis rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:\n\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\n", "severity": "medium", "tags": ["Domain: LLM", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Resources: Investigation Guide", "Use Case: Policy Violation", "Mitre Atlas: T0051", "Mitre Atlas: T0054"], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "0cd2f3e6-41da-40e6-b28b-466f688f00a6", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0cd2f3e6-41da-40e6-b28b-466f688f00a6_1.json b/packages/security_detection_engine/kibana/security_rule/0cd2f3e6-41da-40e6-b28b-466f688f00a6_1.json
deleted file mode 100644
index 9651aff6d3f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0cd2f3e6-41da-40e6-b28b-466f688f00a6_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple violations of AWS Bedrock guardrails by the same user in the same account over a session. Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.", "false_positives": ["Legitimate misunderstanding by users or overly strict policies"], "from": "now-60m", "interval": "10m", "language": "esql", "license": "Elastic License v2", "name": "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session", "query": "from logs-aws_bedrock.invocation-*\n| where gen_ai.compliance.violation_detected\n| stats violations = count(*) by user.id, gen_ai.model.id, cloud.account.id\n| where violations > 1\n| sort violations desc\n", "references": ["https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", "https://atlas.mitre.org/techniques/AML.T0051", "https://atlas.mitre.org/techniques/AML.T0054", "https://www.elastic.co/security-labs/elastic-advances-llm-security"], "risk_score": 47, "rule_id": "0cd2f3e6-41da-40e6-b28b-466f688f00a6", "setup": "## Setup\n\nThis rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:\n\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\n", "severity": "medium", "tags": ["Domain: LLM", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Resources: Investigation Guide", "Use Case: Policy Violation", "Mitre Atlas: T0051", "Mitre Atlas: T0054"], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "0cd2f3e6-41da-40e6-b28b-466f688f00a6_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0cd2f3e6-41da-40e6-b28b-466f688f00a6_2.json b/packages/security_detection_engine/kibana/security_rule/0cd2f3e6-41da-40e6-b28b-466f688f00a6_2.json
deleted file mode 100644
index 4d60f384b88..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0cd2f3e6-41da-40e6-b28b-466f688f00a6_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple violations of AWS Bedrock guardrails by the same user in the same account over a session. Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.", "false_positives": ["Legitimate misunderstanding by users or overly strict policies"], "from": "now-60m", "interval": "10m", "language": "esql", "license": "Elastic License v2", "name": "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session", "query": "from logs-aws_bedrock.invocation-*\n| where gen_ai.compliance.violation_detected\n| stats violations = count(*) by user.id, gen_ai.request.model.id, cloud.account.id\n| where violations > 1\n| sort violations desc\n", "references": ["https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", "https://atlas.mitre.org/techniques/AML.T0051", "https://atlas.mitre.org/techniques/AML.T0054", "https://www.elastic.co/security-labs/elastic-advances-llm-security"], "risk_score": 47, "rule_id": "0cd2f3e6-41da-40e6-b28b-466f688f00a6", "setup": "## Setup\n\nThis rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:\n\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\n", "severity": "medium", "tags": ["Domain: LLM", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Resources: Investigation Guide", "Use Case: Policy Violation", "Mitre Atlas: T0051", "Mitre Atlas: T0054"], "timestamp_override": "event.ingested", "type": "esql", "version": 2}, "id": "0cd2f3e6-41da-40e6-b28b-466f688f00a6_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0cd2f3e6-41da-40e6-b28b-466f688f00a6_3.json b/packages/security_detection_engine/kibana/security_rule/0cd2f3e6-41da-40e6-b28b-466f688f00a6_3.json
deleted file mode 100644
index 03b2c2633ab..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0cd2f3e6-41da-40e6-b28b-466f688f00a6_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple violations of AWS Bedrock guardrails by the same user in the same account over a session. Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.", "false_positives": ["Legitimate misunderstanding by users or overly strict policies"], "from": "now-60m", "interval": "10m", "language": "esql", "license": "Elastic License v2", "name": "AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session", "query": "from logs-aws_bedrock.invocation-*\n| where gen_ai.compliance.violation_detected\n| keep user.id, gen_ai.request.model.id, cloud.account.id\n| stats violations = count(*) by user.id, gen_ai.request.model.id, cloud.account.id\n| where violations > 1\n| sort violations desc\n", "references": ["https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", "https://atlas.mitre.org/techniques/AML.T0051", "https://atlas.mitre.org/techniques/AML.T0054", "https://www.elastic.co/security-labs/elastic-advances-llm-security"], "risk_score": 47, "rule_id": "0cd2f3e6-41da-40e6-b28b-466f688f00a6", "setup": "## Setup\n\nThis rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:\n\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\n", "severity": "medium", "tags": ["Domain: LLM", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Resources: Investigation Guide", "Use Case: Policy Violation", "Mitre Atlas: T0051", "Mitre Atlas: T0054"], "timestamp_override": "event.ingested", "type": "esql", "version": 3}, "id": "0cd2f3e6-41da-40e6-b28b-466f688f00a6_3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc.json b/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc.json
deleted file mode 100644
index b5eefa18eab..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can evade spam/phishing detection mechanisms.", "false_positives": ["Assignment of rights to a service account."], "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "O365 Exchange Suspicious Mailbox Right Delegation", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and\no365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and\nnot user.id : \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Servicehost)\"\n", "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Parameters.AccessRights", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "0ce6487d-8069-4888-9ddd-61b52490cebc", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": 
"T1098.002", "name": "Additional Email Delegate Permissions", "reference": "https://attack.mitre.org/techniques/T1098/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "0ce6487d-8069-4888-9ddd-61b52490cebc", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_101.json b/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_101.json
deleted file mode 100644
index 7aa9117917c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_101.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can evade spam/phishing detection mechanisms.", "false_positives": ["Assignment of rights to a service account."], "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "O365 Exchange Suspicious Mailbox Right Delegation", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and\no365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and\nnot user.id : \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Servicehost)\"\n", "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Parameters.AccessRights", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "0ce6487d-8069-4888-9ddd-61b52490cebc", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.002", 
"name": "Additional Email Delegate Permissions", "reference": "https://attack.mitre.org/techniques/T1098/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "0ce6487d-8069-4888-9ddd-61b52490cebc_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_102.json b/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_102.json deleted file mode 100644 index bddb0f36d92..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can evade spam/phishing detection mechanisms.", "false_positives": ["Assignment of rights to a service account."], "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "O365 Exchange Suspicious Mailbox Right Delegation", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and\no365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and\nnot user.id : \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Servicehost)\"\n", "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Parameters.AccessRights", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "0ce6487d-8069-4888-9ddd-61b52490cebc", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": 
"T1098.002", "name": "Additional Email Delegate Permissions", "reference": "https://attack.mitre.org/techniques/T1098/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "0ce6487d-8069-4888-9ddd-61b52490cebc_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_103.json b/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_103.json deleted file mode 100644 index 191b40d3668..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can evade spam/phishing detection mechanisms.", "false_positives": ["Assignment of rights to a service account."], "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "O365 Exchange Suspicious Mailbox Right Delegation", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and\no365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and\nnot user.id : \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Servicehost)\"\n", "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Parameters.AccessRights", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "0ce6487d-8069-4888-9ddd-61b52490cebc", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": 
"T1098.002", "name": "Additional Email Delegate Permissions", "reference": "https://attack.mitre.org/techniques/T1098/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "0ce6487d-8069-4888-9ddd-61b52490cebc_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_105.json b/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_105.json deleted file mode 100644 index 59648ddc2a8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0ce6487d-8069-4888-9ddd-61b52490cebc_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can evade spam/phishing detection mechanisms.", "false_positives": ["Assignment of rights to a service account."], "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "O365 Exchange Suspicious Mailbox Right Delegation", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and\no365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and\nnot user.id : \"NT AUTHORITY\\SYSTEM (Microsoft.Exchange.Servicehost)\"\n", "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Parameters.AccessRights", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "0ce6487d-8069-4888-9ddd-61b52490cebc", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": 
"T1098.002", "name": "Additional Email Delegate Permissions", "reference": "https://attack.mitre.org/techniques/T1098/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "0ce6487d-8069-4888-9ddd-61b52490cebc_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0d160033-fab7-4e72-85a3-3a9d80c8bff7.json b/packages/security_detection_engine/kibana/security_rule/0d160033-fab7-4e72-85a3-3a9d80c8bff7.json deleted file mode 100644 index b01be7f3628..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0d160033-fab7-4e72-85a3-3a9d80c8bff7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule uses alert data to determine when multiple different alerts involving the same user are triggered. Analysts can use this to prioritize triage and response, as these users are more likely to be compromised.", "false_positives": ["False positives can occur with Generic built-in accounts, such as Administrator, admin, etc. if they are widespread used in your environment. As a best practice, they shouldn't be used in day-to-day tasks, as it prevents the ability to quickly identify and contact the account owner to find out if an alert is a planned activity, regular business activity, or an upcoming incident."], "from": "now-24h", "index": [".alerts-security.*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Multiple Alerts Involving a User", "query": "signal.rule.name:* and user.name:* and not user.id:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\")\n", "required_fields": [{"ecs": false, "name": "signal.rule.name", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": "0d160033-fab7-4e72-85a3-3a9d80c8bff7", "severity": "high", "tags": ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule"], "threshold": {"cardinality": [{"field": "signal.rule.rule_id", "value": 5}], "field": ["user.name"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 3}, "id": "0d160033-fab7-4e72-85a3-3a9d80c8bff7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0d160033-fab7-4e72-85a3-3a9d80c8bff7_2.json b/packages/security_detection_engine/kibana/security_rule/0d160033-fab7-4e72-85a3-3a9d80c8bff7_2.json deleted file mode 100644 index d60b17fa5cc..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/0d160033-fab7-4e72-85a3-3a9d80c8bff7_2.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule uses alert data to determine when multiple different alerts involving the same user are triggered. Analysts can use this to prioritize triage and response, as these users are more likely to be compromised.", "false_positives": ["False positives can occur with Generic built-in accounts, such as Administrator, admin, etc. if they are widespread used in your environment. As a best practice, they shouldn't be used in day-to-day tasks, as it prevents the ability to quickly identify and contact the account owner to find out if an alert is a planned activity, regular business activity, or an upcoming incident."], "from": "now-24h", "index": [".alerts-security.*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Multiple Alerts Involving a User", "query": "signal.rule.name:* and user.name:* and not user.id:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\")\n", "required_fields": [{"ecs": false, "name": "signal.rule.name", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": "0d160033-fab7-4e72-85a3-3a9d80c8bff7", "severity": "high", "tags": ["Elastic", "Threat Detection", "Higher-Order Rules"], "threshold": {"cardinality": [{"field": "signal.rule.rule_id", "value": 5}], "field": ["user.name"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 2}, "id": "0d160033-fab7-4e72-85a3-3a9d80c8bff7_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77.json b/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77.json deleted file mode 100644 index 9b520b6cdca..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.", "false_positives": ["Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Nping Process Activity", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"nping\"\n", "references": ["https://en.wikipedia.org/wiki/Nmap"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "0d69150b-96f8-467c-a86d-a67a3378ce77", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_103.json b/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_103.json deleted file mode 100644 index 2d22e9dfb48..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.", "false_positives": ["Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Nping Process Activity", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:nping\n", "references": ["https://en.wikipedia.org/wiki/Nmap"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Discovery", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "0d69150b-96f8-467c-a86d-a67a3378ce77_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_104.json b/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_104.json deleted file mode 100644 index a34c9af8359..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.", "false_positives": ["Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Nping Process Activity", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:nping\n", "references": ["https://en.wikipedia.org/wiki/Nmap"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "0d69150b-96f8-467c-a86d-a67a3378ce77_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_105.json b/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_105.json deleted file mode 100644 index 42aba750e9d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.", "false_positives": ["Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Nping Process Activity", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.name == \"nping\"\n", "references": ["https://en.wikipedia.org/wiki/Nmap"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "0d69150b-96f8-467c-a86d-a67a3378ce77_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_106.json b/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_106.json deleted file mode 100644 index bb6882eeb87..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.", "false_positives": ["Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Nping Process Activity", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.name == \"nping\"\n", "references": ["https://en.wikipedia.org/wiki/Nmap"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77", "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "0d69150b-96f8-467c-a86d-a67a3378ce77_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_107.json b/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_107.json deleted file mode 100644 index 315b78c9e01..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0d69150b-96f8-467c-a86d-a67a3378ce77_107.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Nping ran on a Linux host. Nping is part of the Nmap tool suite and has the ability to construct raw packets for a wide variety of security testing applications, including denial of service testing.", "false_positives": ["Some normal use of this command may originate from security engineers and network or server administrators, but this is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Nping Process Activity", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.name == \"nping\"\n", "references": ["https://en.wikipedia.org/wiki/Nmap"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0d69150b-96f8-467c-a86d-a67a3378ce77", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "0d69150b-96f8-467c-a86d-a67a3378ce77_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5.json b/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5.json
deleted file mode 100644
index 5e18c4ceeb6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications.", "from": "now-120m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Execution of File Written or Modified by Microsoft Office", "note": "## Triage and analysis\n\n### Investigating Execution of File Written or Modified by Microsoft Office\n\nMicrosoft Office, a widely used suite of productivity applications, is frequently targeted by attackers due to its popularity in corporate environments. Attackers exploit its extensive capabilities, like macro scripts in Word and Excel, to gain initial access to systems. They often use Office documents as delivery mechanisms for malware or phishing attempts, taking advantage of their trusted status in professional settings.\n\nThis rule searches for executable files written by MS Office applications executed in sequence. This is most likely the result of the execution of malicious documents or exploitation for initial access or privilege escalation. This rule can also detect suspicious processes masquerading as the MS Office applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=2h\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"WINWORD.EXE\" or\n process.name : \"EXCEL.EXE\" or\n process.name : \"OUTLOOK.EXE\" or\n process.name : \"POWERPNT.EXE\" or\n process.name : \"eqnedt32.exe\" or\n process.name : \"fltldr.exe\" or\n process.name : \"MSPUB.EXE\" or\n process.name : \"MSACCESS.EXE\")\n ] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\" and \n not (process.name : \"NewOutlookInstaller.exe\" and process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true) and \n not (process.name : \"ShareFileForOutlook-v*.exe\" and process.code_signature.subject_name : \"Citrix Systems, Inc.\" and process.code_signature.trusted == true)\n ] by host.id, process.executable\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": 
true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "type": "eql", "version": 111}, "id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_104.json b/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_104.json
deleted file mode 100644
index 262e726858b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications.", "from": "now-120m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Execution of File Written or Modified by Microsoft Office", "note": "## Triage and analysis\n\n### Investigating Execution of File Written or Modified by Microsoft Office\n\nMicrosoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule searches for executable files written by MS Office applications executed in sequence. This is most likely the result of the execution of malicious documents or exploitation for initial access or privilege escalation. This rule can also detect suspicious processes masquerading as the MS Office applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=2h\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"WINWORD.EXE\" or\n process.name : \"EXCEL.EXE\" or\n process.name : \"OUTLOOK.EXE\" or\n process.name : \"POWERPNT.EXE\" or\n process.name : \"eqnedt32.exe\" or\n process.name : \"fltldr.exe\" or\n process.name : \"MSPUB.EXE\" or\n process.name : \"MSACCESS.EXE\")\n ] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "type": "eql", "version": 104}, "id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_105.json b/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_105.json
deleted file mode 100644
index f0600e1c87b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications.", "from": "now-120m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Execution of File Written or Modified by Microsoft Office", "note": "## Triage and analysis\n\n### Investigating Execution of File Written or Modified by Microsoft Office\n\nMicrosoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule searches for executable files written by MS Office applications executed in sequence. This is most likely the result of the execution of malicious documents or exploitation for initial access or privilege escalation. This rule can also detect suspicious processes masquerading as the MS Office applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=2h\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"WINWORD.EXE\" or\n process.name : \"EXCEL.EXE\" or\n process.name : \"OUTLOOK.EXE\" or\n process.name : \"POWERPNT.EXE\" or\n process.name : \"eqnedt32.exe\" or\n process.name : \"fltldr.exe\" or\n process.name : \"MSPUB.EXE\" or\n process.name : \"MSACCESS.EXE\")\n ] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "type": "eql", "version": 105}, "id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_106.json b/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_106.json
deleted file mode 100644
index 4be56b05fc4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications.", "from": "now-120m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Execution of File Written or Modified by Microsoft Office", "note": "## Triage and analysis\n\n### Investigating Execution of File Written or Modified by Microsoft Office\n\nMicrosoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule searches for executable files written by MS Office applications executed in sequence. This is most likely the result of the execution of malicious documents or exploitation for initial access or privilege escalation. This rule can also detect suspicious processes masquerading as the MS Office applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=2h\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"WINWORD.EXE\" or\n process.name : \"EXCEL.EXE\" or\n process.name : \"OUTLOOK.EXE\" or\n process.name : \"POWERPNT.EXE\" or\n process.name : \"eqnedt32.exe\" or\n process.name : \"fltldr.exe\" or\n process.name : \"MSPUB.EXE\" or\n process.name : \"MSACCESS.EXE\")\n ] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: 
Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "type": "eql", "version": 106}, "id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_107.json b/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_107.json
deleted file mode 100644
index 5ef19fa7f57..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications.", "from": "now-120m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Execution of File Written or Modified by Microsoft Office", "note": "## Triage and analysis\n\n### Investigating Execution of File Written or Modified by Microsoft Office\n\nMicrosoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule searches for executable files written by MS Office applications executed in sequence. This is most likely the result of the execution of malicious documents or exploitation for initial access or privilege escalation. This rule can also detect suspicious processes masquerading as the MS Office applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=2h\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"WINWORD.EXE\" or\n process.name : \"EXCEL.EXE\" or\n process.name : \"OUTLOOK.EXE\" or\n process.name : \"POWERPNT.EXE\" or\n process.name : \"eqnedt32.exe\" or\n process.name : \"fltldr.exe\" or\n process.name : \"MSPUB.EXE\" or\n process.name : \"MSACCESS.EXE\")\n ] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\" and \n not (process.name : \"NewOutlookInstaller.exe\" and process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ] by host.id, process.executable\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": 
"keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "type": "eql", "version": 107}, "id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_108.json b/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_108.json
deleted file mode 100644
index 0374d498cc5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications.", "from": "now-120m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Execution of File Written or Modified by Microsoft Office", "note": "## Triage and analysis\n\n### Investigating Execution of File Written or Modified by Microsoft Office\n\nMicrosoft Office, a widely used suite of productivity applications, is frequently targeted by attackers due to its popularity in corporate environments. Attackers exploit its extensive capabilities, like macro scripts in Word and Excel, to gain initial access to systems. They often use Office documents as delivery mechanisms for malware or phishing attempts, taking advantage of their trusted status in professional settings.\n\nThis rule searches for executable files written by MS Office applications executed in sequence. This is most likely the result of the execution of malicious documents or exploitation for initial access or privilege escalation. This rule can also detect suspicious processes masquerading as the MS Office applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=2h\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"WINWORD.EXE\" or\n process.name : \"EXCEL.EXE\" or\n process.name : \"OUTLOOK.EXE\" or\n process.name : \"POWERPNT.EXE\" or\n process.name : \"eqnedt32.exe\" or\n process.name : \"fltldr.exe\" or\n process.name : \"MSPUB.EXE\" or\n process.name : \"MSACCESS.EXE\")\n ] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\" and \n not (process.name : \"NewOutlookInstaller.exe\" and process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ] by host.id, process.executable\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": 
"keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "type": "eql", "version": 108}, "id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_109.json b/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_109.json
deleted file mode 100644
index 84941887b55..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications.", "from": "now-120m", "index": ["logs-endpoint.events.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Execution of File Written or Modified by Microsoft Office", "note": "## Triage and analysis\n\n### Investigating Execution of File Written or Modified by Microsoft Office\n\nMicrosoft Office, a widely used suite of productivity applications, is frequently targeted by attackers due to its popularity in corporate environments. Attackers exploit its extensive capabilities, like macro scripts in Word and Excel, to gain initial access to systems. They often use Office documents as delivery mechanisms for malware or phishing attempts, taking advantage of their trusted status in professional settings.\n\nThis rule searches for executable files written by MS Office applications executed in sequence. This is most likely the result of the execution of malicious documents or exploitation for initial access or privilege escalation. This rule can also detect suspicious processes masquerading as the MS Office applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=2h\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"WINWORD.EXE\" or\n process.name : \"EXCEL.EXE\" or\n process.name : \"OUTLOOK.EXE\" or\n process.name : \"POWERPNT.EXE\" or\n process.name : \"eqnedt32.exe\" or\n process.name : \"fltldr.exe\" or\n process.name : \"MSPUB.EXE\" or\n process.name : \"MSACCESS.EXE\")\n ] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\" and \n not (process.name : \"NewOutlookInstaller.exe\" and process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ] by host.id, process.executable\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}], "risk_score": 73, "rule_id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "type": "eql", "version": 109}, "id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_110.json b/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_110.json
deleted file mode 100644
index f5d1f6dc12c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an executable created by a Microsoft Office application and subsequently executed. These processes are often launched via scripts inside documents or during exploitation of Microsoft Office applications.", "from": "now-120m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Execution of File Written or Modified by Microsoft Office", "note": "## Triage and analysis\n\n### Investigating Execution of File Written or Modified by Microsoft Office\n\nMicrosoft Office, a widely used suite of productivity applications, is frequently targeted by attackers due to its popularity in corporate environments. Attackers exploit its extensive capabilities, like macro scripts in Word and Excel, to gain initial access to systems. They often use Office documents as delivery mechanisms for malware or phishing attempts, taking advantage of their trusted status in professional settings.\n\nThis rule searches for executable files written by MS Office applications executed in sequence. This is most likely the result of the execution of malicious documents or exploitation for initial access or privilege escalation. This rule can also detect suspicious processes masquerading as the MS Office applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=2h\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"WINWORD.EXE\" or\n process.name : \"EXCEL.EXE\" or\n process.name : \"OUTLOOK.EXE\" or\n process.name : \"POWERPNT.EXE\" or\n process.name : \"eqnedt32.exe\" or\n process.name : \"fltldr.exe\" or\n process.name : \"MSPUB.EXE\" or\n process.name : \"MSACCESS.EXE\")\n ] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\" and \n not (process.name : \"NewOutlookInstaller.exe\" and process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ] by host.id, process.executable\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}], "risk_score": 73, "rule_id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "type": "eql", "version": 110}, "id": "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0e4367a0-a483-439d-ad2e-d90500b925fd.json b/packages/security_detection_engine/kibana/security_rule/0e4367a0-a483-439d-ad2e-d90500b925fd.json
deleted file mode 100644
index ff6b59505ea..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0e4367a0-a483-439d-ad2e-d90500b925fd.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects a new user agent used for a GitHub PAT not previously seen in the last 14 days.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-github.audit-*"], "language": "kuery", "license": "Elastic License v2", "name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)", "new_terms_fields": ["github.hashed_token", "github.user_agent"], "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and\ngithub.user_agent:* and github.hashed_token:* and\ngithub.programmatic_access_type:(\"OAuth access token\" or \"Fine-grained personal access token\")\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "github.hashed_token", "type": "keyword"}, {"ecs": false, "name": "github.programmatic_access_type", "type": "keyword"}, {"ecs": false, "name": "github.user_agent", "type": "keyword"}], "risk_score": 21, "rule_id": "0e4367a0-a483-439d-ad2e-d90500b925fd", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Initial Access", "Rule Type: BBR", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "0e4367a0-a483-439d-ad2e-d90500b925fd", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0e4367a0-a483-439d-ad2e-d90500b925fd_1.json b/packages/security_detection_engine/kibana/security_rule/0e4367a0-a483-439d-ad2e-d90500b925fd_1.json
deleted file mode 100644
index 1b9c868e9bd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0e4367a0-a483-439d-ad2e-d90500b925fd_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects a new user agent used for a GitHub PAT not previously seen in the last 14 days.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-github.audit-*"], "language": "kuery", "license": "Elastic License v2", "name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)", "new_terms_fields": ["github.hashed_token", "github.user_agent"], "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and\ngithub.user_agent:* and github.hashed_token:* and\ngithub.programmatic_access_type:(\"OAuth access token\" or \"Fine-grained personal access token\")\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "github.hashed_token", "type": "keyword"}, {"ecs": false, "name": "github.programmatic_access_type", "type": "keyword"}, {"ecs": false, "name": "github.user_agent", "type": "keyword"}], "risk_score": 21, "rule_id": "0e4367a0-a483-439d-ad2e-d90500b925fd", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Initial Access", "Rule Type: BBR", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "0e4367a0-a483-439d-ad2e-d90500b925fd_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0e4367a0-a483-439d-ad2e-d90500b925fd_103.json b/packages/security_detection_engine/kibana/security_rule/0e4367a0-a483-439d-ad2e-d90500b925fd_103.json
new file mode 100644
index 00000000000..b29efe6da09
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/0e4367a0-a483-439d-ad2e-d90500b925fd_103.json
@@ -0,0 +1,95 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "building_block_type": "default",
+ "description": "Detects a new user agent used for a GitHub PAT not previously seen in the last 14 days.",
+ "from": "now-9m",
+ "history_window_start": "now-14d",
+ "index": [
+ "logs-github.audit-*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "First Occurrence of User Agent For a GitHub Personal Access Token (PAT)",
+ "new_terms_fields": [
+ "github.hashed_token",
+ "github.user_agent"
+ ],
+ "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and\ngithub.user_agent:* and github.hashed_token:* and\ngithub.programmatic_access_type:(\"OAuth access token\" or \"Fine-grained personal access token\")\n",
+ "related_integrations": [
+ {
+ "package": "github",
+ "version": "^2.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "github.hashed_token",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "github.programmatic_access_type",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "github.user_agent",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "0e4367a0-a483-439d-ad2e-d90500b925fd",
+ "severity": "low",
+ "tags": [
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Initial Access",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/",
+ "subtechnique": [
+ {
+ "id": "T1078.004",
+ "name": "Cloud Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/004/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ 
"timestamp_override": "event.ingested",
+ "type": "new_terms",
+ "version": 103
+ },
+ "id": "0e4367a0-a483-439d-ad2e-d90500b925fd_103",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74.json b/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74.json
deleted file mode 100644
index c9ce632f554..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74.json
+++ /dev/null
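Review bot: The rule name and description on the new side speak only of a personal access token, but the `github.programmatic_access_type` clause in the query also matches `"OAuth access token"`, so an analyst reading the alert title will not expect OAuth-token hits. Because `new_terms_fields` pairs `github.hashed_token` with `github.user_agent`, the 14-day baseline is presumably evaluated per token rather than per user agent across the organisation, and the description should say so to keep triage expectations right. A description such as `"Detects a user agent not seen in the last 14 days for a given GitHub fine-grained personal access token or OAuth access token."` would match the query. The `related_integrations` bump to `^2.0.0` leaves `required_fields` unchanged, which looks intentional, but this hunk alone does not show whether the non-ECS `github.*` field names survived the integration's major-version change.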
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain initial access to other endpoints in the environment.", "false_positives": ["Benign files can trigger signatures in the built-in virus protection"], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "SharePoint Malware File Upload", "note": "", "query": "event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", "references": ["https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "0e52157a-8e96-4a95-a6e3-5faae5081a74", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1080", "name": "Taint Shared Content", "reference": "https://attack.mitre.org/techniques/T1080/"}]}], "timestamp_override": "event.ingested", "type": "query", 
"version": 206}, "id": "0e52157a-8e96-4a95-a6e3-5faae5081a74", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_101.json b/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_101.json
deleted file mode 100644
index 876856d3629..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_101.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain initial access to other endpoints in the environment.", "false_positives": ["Benign files can trigger signatures in the built-in virus protection"], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "SharePoint Malware File Upload", "note": "", "query": "event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", "references": ["https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "0e52157a-8e96-4a95-a6e3-5faae5081a74", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1080", "name": "Taint Shared Content", "reference": "https://attack.mitre.org/techniques/T1080/"}]}], "timestamp_override": "event.ingested", 
"type": "query", "version": 101}, "id": "0e52157a-8e96-4a95-a6e3-5faae5081a74_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_102.json b/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_102.json
deleted file mode 100644
index 076d9128b3f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain initial access to other endpoints in the environment.", "false_positives": ["Benign files can trigger signatures in the built-in virus protection"], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "SharePoint Malware File Upload", "note": "", "query": "event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", "references": ["https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "0e52157a-8e96-4a95-a6e3-5faae5081a74", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1080", "name": "Taint Shared Content", "reference": "https://attack.mitre.org/techniques/T1080/"}]}], "timestamp_override": "event.ingested", "type": "query", 
"version": 102}, "id": "0e52157a-8e96-4a95-a6e3-5faae5081a74_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_103.json b/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_103.json
deleted file mode 100644
index 08564044dc1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain initial access to other endpoints in the environment.", "false_positives": ["Benign files can trigger signatures in the built-in virus protection"], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "SharePoint Malware File Upload", "note": "", "query": "event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", "references": ["https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "0e52157a-8e96-4a95-a6e3-5faae5081a74", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1080", "name": "Taint Shared Content", "reference": "https://attack.mitre.org/techniques/T1080/"}]}], "timestamp_override": "event.ingested", "type": "query", 
"version": 103}, "id": "0e52157a-8e96-4a95-a6e3-5faae5081a74_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_105.json b/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_105.json
deleted file mode 100644
index 29810ee8787..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0e52157a-8e96-4a95-a6e3-5faae5081a74_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the occurence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain initial access to other endpoints in the environment.", "false_positives": ["Benign files can trigger signatures in the built-in virus protection"], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "SharePoint Malware File Upload", "note": "", "query": "event.dataset:o365.audit and event.provider:SharePoint and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", "references": ["https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "0e52157a-8e96-4a95-a6e3-5faae5081a74", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1080", "name": "Taint Shared Content", "reference": "https://attack.mitre.org/techniques/T1080/"}]}], "timestamp_override": "event.ingested", "type": "query", 
"version": 105}, "id": "0e52157a-8e96-4a95-a6e3-5faae5081a74_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1.json b/packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1.json
deleted file mode 100644
index 8799fca31e0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a new key is created for a service account in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If private keys are not tracked and managed properly, they can present a security risk. An adversary may create a new key for a service account in order to attempt to abuse the permissions assigned to that account and evade detection.", "false_positives": ["Service account keys may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Service Account Key Creation", "note": "", "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success\n", "references": ["https://cloud.google.com/iam/docs/service-accounts", "https://cloud.google.com/iam/docs/creating-managing-service-account-keys"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "0e5acaae-6a64-4bbc-adb8-27649c03f7e1", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "0e5acaae-6a64-4bbc-adb8-27649c03f7e1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1_103.json b/packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1_103.json
deleted file mode 100644
index c7e0aed862a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0e5acaae-6a64-4bbc-adb8-27649c03f7e1_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a new key is created for a service account in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If private keys are not tracked and managed properly, they can present a security risk. An adversary may create a new key for a service account in order to attempt to abuse the permissions assigned to that account and evade detection.", "false_positives": ["Service account keys may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Service Account Key Creation", "note": "", "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccountKey and event.outcome:success\n", "references": ["https://cloud.google.com/iam/docs/service-accounts", "https://cloud.google.com/iam/docs/creating-managing-service-account-keys"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "0e5acaae-6a64-4bbc-adb8-27649c03f7e1", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "0e5acaae-6a64-4bbc-adb8-27649c03f7e1_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b.json b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b.json
deleted file mode 100644
index 57d3ec2087b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "MsBuild Making Network Connections", "note": "## Triage and analysis\n\n### Performance\n\nThe performance impact of this rule is expected to be low to medium because of the first sequence, which looks for MsBuild.exe process execution. The events for this first sequence may be noisy, consider adding exceptions.\n\n### Investigating MsBuild Making Network Connections\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\n\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, 
service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during 
triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=30s\n\n /* Look for MSBuild.exe process execution */\n /* The events for this first sequence may be noisy, consider adding exceptions */\n [process where host.os.type == \"windows\"\n and (\n process.pe.original_file_name: \"MSBuild.exe\" or\n process.name: \"MSBuild.exe\"\n )\n and event.type == \"start\" and user.id != \"S-1-5-18\"]\n\n /* Followed by a network connection to an external address */\n /* Exclude domains that are known to be benign */\n [network where host.os.type == \"windows\"\n and event.action: (\"connection_attempted\", \"lookup_requested\")\n and (\n process.pe.original_file_name: \"MSBuild.exe\" or\n process.name: \"MSBuild.exe\"\n )\n and not user.id != \"S-1-5-18\" and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\") and\n not dns.question.name : (\n \"localhost\",\n \"dc.services.visualstudio.com\",\n \"vortex.data.microsoft.com\",\n \"api.nuget.org\")]\n", "references": ["https://riccardoancarani.github.io/2019-10-19-hunting-covenant-msbuild/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}], "type": "eql", "version": 110}, "id": "0e79980b-4250-4a50-a509-69294c14e84b", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_102.json b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_102.json
deleted file mode 100644
index f17c3bd1c7e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "MsBuild Making Network Connections", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}], "type": "eql", "version": 102}, "id": "0e79980b-4250-4a50-a509-69294c14e84b_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_103.json b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_103.json
deleted file mode 100644
index 87a70eb7d82..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "MsBuild Making Network Connections", "note": "## Triage and analysis\n\n### Investigating MsBuild Making Network Connections\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\n\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}], "type": "eql", "version": 103}, "id": "0e79980b-4250-4a50-a509-69294c14e84b_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_104.json b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_104.json
deleted file mode 100644
index ee9cbf39545..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "MsBuild Making Network Connections", "note": "## Triage and analysis\n\n### Investigating MsBuild Making Network Connections\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\n\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}], "type": "eql", "version": 104}, "id": "0e79980b-4250-4a50-a509-69294c14e84b_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_105.json b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_105.json
deleted file mode 100644
index 4087d7c78c3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "MsBuild Making Network Connections", "note": "## Triage and analysis\n\n### Investigating MsBuild Making Network Connections\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\n\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}], "type": "eql", "version": 105}, "id": "0e79980b-4250-4a50-a509-69294c14e84b_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_106.json b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_106.json
deleted file mode 100644
index 4dc0460ba20..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "MsBuild Making Network Connections", "note": "## Triage and analysis\n\n### Investigating MsBuild Making Network Connections\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\n\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\", \"localhost\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}], "type": "eql", "version": 106}, "id": "0e79980b-4250-4a50-a509-69294c14e84b_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_107.json b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_107.json
deleted file mode 100644
index 03521fbb863..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "MsBuild Making Network Connections", "note": "## Triage and analysis\n\n### Investigating MsBuild Making Network Connections\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\n\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\") and\n not dns.question.name : \"localhost\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}], "type": "eql", "version": 107}, "id": "0e79980b-4250-4a50-a509-69294c14e84b_107", "type": "security-rule"} \ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_108.json b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_108.json
deleted file mode 100644
index c5e4b1945b1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "MsBuild Making Network Connections", "note": "## Triage and analysis\n\n### Investigating MsBuild Making Network Connections\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\n\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\") and\n not dns.question.name : \"localhost\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}], "type": "eql", "version": 108}, "id": "0e79980b-4250-4a50-a509-69294c14e84b_108", "type": 
"security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_109.json b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_109.json deleted file mode 100644 index a1116bd75eb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "MsBuild Making Network Connections", "note": "## Triage and analysis\n\n### Investigating MsBuild Making Network Connections\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\n\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"MSBuild.exe\" and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\") and\n not dns.question.name : \"localhost\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}], "type": "eql", "version": 109}, "id": "0e79980b-4250-4a50-a509-69294c14e84b_109", "type": 
"security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_110.json b/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_110.json deleted file mode 100644 index b68881d5631..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0e79980b-4250-4a50-a509-69294c14e84b_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "MsBuild Making Network Connections", "note": "## Triage and analysis\n\n### Performance\n\nThe performance impact of this rule is expected to be low to medium because of the first sequence, which looks for MsBuild.exe process execution. The events for this first sequence may be noisy, consider adding exceptions.\n\n### Investigating MsBuild Making Network Connections\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThe Microsoft Build Engine, also known as MSBuild, is a platform for building applications. This engine provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy code execution.\n\nThis rule looks for the `Msbuild.exe` utility execution, followed by a network connection to an external address. Attackers can abuse MsBuild to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, 
service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during 
triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=30s\n\n /* Look for MSBuild.exe process execution */\n /* The events for this first sequence may be noisy, consider adding exceptions */\n [process where host.os.type == \"windows\"\n and (\n process.pe.original_file_name: \"MSBuild.exe\" or\n process.name: \"MSBuild.exe\"\n )\n and event.type == \"start\" and user.id != \"S-1-5-18\"]\n\n /* Followed by a network connection to an external address */\n /* Exclude domains that are known to be benign */\n [network where host.os.type == \"windows\"\n and event.action: (\"connection_attempted\", \"lookup_requested\")\n and (\n process.pe.original_file_name: \"MSBuild.exe\" or\n process.name: \"MSBuild.exe\"\n )\n and not user.id != \"S-1-5-18\" and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\") and\n not dns.question.name : (\n \"localhost\",\n \"dc.services.visualstudio.com\",\n \"vortex.data.microsoft.com\",\n \"api.nuget.org\")]\n", "references": ["https://riccardoancarani.github.io/2019-10-19-hunting-covenant-msbuild/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "0e79980b-4250-4a50-a509-69294c14e84b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}], "type": "eql", "version": 110}, "id": "0e79980b-4250-4a50-a509-69294c14e84b_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f.json b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f.json deleted file mode 100644 index 78ac218ddde..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors the creation/alteration of the rc.local/rc.common file. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the \"systemd-rc-local-generator\", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local/rc.common to execute malicious code at start-up, and gain persistence onto the system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "rc.local/rc.common File Creation", "note": "## Triage and analysis\n\n### Investigating rc.local/rc.common File Creation\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution.\n\nThere might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital.\n\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path =\\n'/run/systemd/generator/multi-user.target.wants/rc-local.service')\\n\"}}\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\n - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. `sudo cat /var/log/syslog | grep \"rc-local.service|/etc/rc.local Compatibility\"` can be executed to check for the execution of the service.\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. 
In case several syslog log files are available, use a wildcard to search through all of the available logs.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the `service/rc.local` files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and\nfile.path in (\"/etc/rc.local\", \"/etc/rc.common\") and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/libexec/platform-python\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": 
["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0f4d35e4-925e-4959-ab24-911be207ee6f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "0f4d35e4-925e-4959-ab24-911be207ee6f", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_1.json b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_1.json deleted file mode 100644 index 201fe9ab439..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd, however through the \"systemd-rc-local-generator\", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "auditbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "RC Script Creation", "note": "## Triage and analysis\n### Investigating RC script creation\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file. The rc.local file has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. There might still be users that use rc.local in a benign matter, so investigation to see whether the file is malicious is vital. The first file to check can be found here:\n- /etc/rc.local\n\nThis file may contain a path to an executable, script or a command. Additionally, the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator` is used to convert rc.local into rc-local.service. The service and wants files can be found in the following directories:\n- /lib/systemd/system/rc-local.service\n- /run/systemd/generator/multi-user.target.wants/rc-local.service\n\nIn case the file is not present here, the `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file. 
Make sure to investigate all files mentioned above, and files that these scripts may link to establish whether the alert is malicious or benign behavior.\n\n### Investigating RC script execution\nThe detection rule queries for the creation of these files, but manual analysis is required to check for rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. The following command can be used to check for the execution of this service:\n\n`sudo cat /var/log/syslog | grep \"rc-local.service|/etc/rc.local Compatibility\"`\n\nIf logging is found, analyze it, and chances are that the contents of the rc.local file have been executed. In case several syslog log files are available, use a wildcard to search through all of the available logs.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/rc.local files or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by user.id, host.id with maxspan=15s\n[file where host.os.type == \"linux\" and \n event.type == \"creation\" and\n file.path == \"/etc/rc.local\"]\n[process where host.os.type == \"linux\" and \n event.type == \"start\" and\n process.name == \"chmod\" and\n process.args == \"+x\" and process.args == \"/etc/rc.local\"]\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "0f4d35e4-925e-4959-ab24-911be207ee6f", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", 
"reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}]}], "type": "eql", "version": 1}, "id": "0f4d35e4-925e-4959-ab24-911be207ee6f_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_103.json b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_103.json deleted file mode 100644 index 707d8930b58..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the \"systemd-rc-local-generator\", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the system.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "auditbeat-*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through Run Control Detected", "new_terms_fields": ["host.id", "process.executable"], "query": "host.os.type : \"linux\" and event.category : \"file\" and \nevent.type : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and\nfile.path : \"/etc/rc.local\" and not file.extension : \"swp\"\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "0f4d35e4-925e-4959-ab24-911be207ee6f", "severity": 
"medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}]}], "type": "new_terms", "version": 103}, "id": "0f4d35e4-925e-4959-ab24-911be207ee6f_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_104.json b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_104.json deleted file mode 100644 index f3fef6b86ed..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the \"systemd-rc-local-generator\", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the system.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through Run Control Detected", "new_terms_fields": ["host.id", "process.executable"], "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through Run Control Detected\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. \n\nThere might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital. \n\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. 
Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')\"}}\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\n - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. 
`sudo cat /var/log/syslog | grep \"rc-local.service|/etc/rc.local Compatibility\"` can be executed to check for the execution of the service.\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the `service/rc.local` files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type : \"linux\" and event.category : \"file\" and \nevent.type : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and\nfile.path : \"/etc/rc.local\" and not file.extension : \"swp\"\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "0f4d35e4-925e-4959-ab24-911be207ee6f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": 
"https://attack.mitre.org/techniques/T1037/004/"}]}]}], "type": "new_terms", "version": 104}, "id": "0f4d35e4-925e-4959-ab24-911be207ee6f_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_105.json b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_105.json deleted file mode 100644 index 63170ee4b0c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the \"systemd-rc-local-generator\", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the system.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through Run Control Detected", "new_terms_fields": ["host.id", "process.executable"], "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through Run Control Detected\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. \n\nThere might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital. \n\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. 
Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')\"}}\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\n - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. 
`sudo cat /var/log/syslog | grep \"rc-local.service|/etc/rc.local Compatibility\"` can be executed to check for the execution of the service.\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the `service/rc.local` files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type : \"linux\" and event.category : \"file\" and \nevent.type : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and\nfile.path : \"/etc/rc.local\" and not process.name : (\"dockerd\" or \"yum\" or \"rpm\" or \"dpkg\") and not file.extension : (\"swp\" or \"swx\")\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0f4d35e4-925e-4959-ab24-911be207ee6f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", 
"reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}]}], "type": "new_terms", "version": 105}, "id": "0f4d35e4-925e-4959-ab24-911be207ee6f_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_106.json b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_106.json
deleted file mode 100644
index 06cfa9ab257..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the \"systemd-rc-local-generator\", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the system.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through Run Control Detected", "new_terms_fields": ["host.id", "process.executable"], "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through Run Control Detected\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. \n\nThere might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital. \n\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. 
Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')\"}}\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\n - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. 
`sudo cat /var/log/syslog | grep \"rc-local.service|/etc/rc.local Compatibility\"` can be executed to check for the execution of the service.\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the `service/rc.local` files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type : \"linux\" and event.category : \"file\" and \nevent.type : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and\nfile.path : \"/etc/rc.local\" and not process.name : (\"dockerd\" or \"docker\" or \"dnf\" or \"yum\" or \"rpm\" or \"dpkg\") and not file.extension : (\"swp\" or \"swx\")\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0f4d35e4-925e-4959-ab24-911be207ee6f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": 
"T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}]}], "type": "new_terms", "version": 106}, "id": "0f4d35e4-925e-4959-ab24-911be207ee6f_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_107.json b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_107.json
deleted file mode 100644
index 562fa014846..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the \"systemd-rc-local-generator\", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the system.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through Run Control Detected", "new_terms_fields": ["host.id", "process.executable", "user.id"], "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through Run Control Detected\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. \n\nThere might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital. \n\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. 
Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')\"}}\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\n - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. 
`sudo cat /var/log/syslog | grep \"rc-local.service|/etc/rc.local Compatibility\"` can be executed to check for the execution of the service.\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the `service/rc.local` files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "host.os.type : \"linux\" and event.category : \"file\" and \nevent.type : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and\nfile.path : \"/etc/rc.local\" and not process.name : (\n \"dockerd\" or \"docker\" or \"dnf\" or \"dnf-automatic\" or \"yum\" or \"rpm\" or \"dpkg\"\n) and not file.extension : (\"swp\" or \"swpx\")\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0f4d35e4-925e-4959-ab24-911be207ee6f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}]}], "type": "new_terms", "version": 107}, "id": "0f4d35e4-925e-4959-ab24-911be207ee6f_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_108.json b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_108.json
deleted file mode 100644
index 0c1721c00ea..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the \"systemd-rc-local-generator\", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the system.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through Run Control Detected", "new_terms_fields": ["host.id", "process.executable", "user.id"], "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through Run Control Detected\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. \n\nThere might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital. \n\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. 
Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')\"}}\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\n - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. 
`sudo cat /var/log/syslog | grep \"rc-local.service|/etc/rc.local Compatibility\"` can be executed to check for the execution of the service.\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the `service/rc.local` files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "host.os.type : \"linux\" and event.category : \"file\" and \nevent.type : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and\nfile.path : \"/etc/rc.local\" and not process.name : (\n \"dockerd\" or \"docker\" or \"dnf\" or \"dnf-automatic\" or \"yum\" or \"rpm\" or \"dpkg\"\n) and not file.extension : (\"swp\" or \"swpx\")\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0f4d35e4-925e-4959-ab24-911be207ee6f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}]}], "type": "new_terms", "version": 108}, "id": "0f4d35e4-925e-4959-ab24-911be207ee6f_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_109.json b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_109.json deleted file mode 100644 index 2c4c28916a0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the \"systemd-rc-local-generator\", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the system.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through Run Control Detected", "new_terms_fields": ["host.id", "process.executable", "user.id"], "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through Run Control Detected\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution.\n\nThere might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital.\n\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. 
Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')\"}}\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\n - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. 
`sudo cat /var/log/syslog | grep \"rc-local.service|/etc/rc.local Compatibility\"` can be executed to check for the execution of the service.\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the `service/rc.local` files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "host.os.type : \"linux\" and event.category : \"file\" and\nevent.type : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and\nfile.path : \"/etc/rc.local\" and not process.name : (\n \"dockerd\" or \"docker\" or \"dnf\" or \"dnf-automatic\" or \"yum\" or \"rpm\" or \"dpkg\"\n) and not file.extension : (\"swp\" or \"swpx\")\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0f4d35e4-925e-4959-ab24-911be207ee6f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 109}, "id": "0f4d35e4-925e-4959-ab24-911be207ee6f_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_110.json b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_110.json deleted file mode 100644 index 607f65529c4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the \"systemd-rc-local-generator\", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the system.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through Run Control Detected", "new_terms_fields": ["host.id", "process.executable", "user.id"], "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through Run Control Detected\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution.\n\nThere might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital.\n\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. 
Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path = '/run/systemd/generator/multi-user.target.wants/rc-local.service')\"}}\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\n - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. 
`sudo cat /var/log/syslog | grep \"rc-local.service|/etc/rc.local Compatibility\"` can be executed to check for the execution of the service.\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the `service/rc.local` files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type : \"linux\" and event.category : \"file\" and\nevent.type : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and\nfile.path : \"/etc/rc.local\" and not process.name : (\n \"dockerd\" or \"docker\" or \"dnf\" or \"dnf-automatic\" or \"yum\" or \"rpm\" or \"dpkg\"\n) and not file.extension : (\"swp\" or \"swpx\")\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0f4d35e4-925e-4959-ab24-911be207ee6f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 110}, "id": "0f4d35e4-925e-4959-ab24-911be207ee6f_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_111.json b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_111.json deleted file mode 100644 index 3149462ee72..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the \"systemd-rc-local-generator\", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the system.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through Run Control Detected", "new_terms_fields": ["host.id", "process.executable", "user.id"], "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through Run Control Detected\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution.\n\nThere might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital.\n\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. 
Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path =\\n'/run/systemd/generator/multi-user.target.wants/rc-local.service')\\n\"}}\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\n - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. 
`sudo cat /var/log/syslog | grep \"rc-local.service|/etc/rc.local Compatibility\"` can be executed to check for the execution of the service.\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the `service/rc.local` files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type : \"linux\" and event.category : \"file\" and\nevent.type : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and\nfile.path : \"/etc/rc.local\" and not process.name : (\n \"dockerd\" or \"docker\" or \"dnf\" or \"dnf-automatic\" or \"yum\" or \"rpm\" or \"dpkg\"\n) and not file.extension : (\"swp\" or \"swpx\")\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0f4d35e4-925e-4959-ab24-911be207ee6f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 111}, "id": "0f4d35e4-925e-4959-ab24-911be207ee6f_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_112.json b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_112.json deleted file mode 100644 index 6fac6128a78..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_112.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors the creation/alteration of the rc.local/rc.common file. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the \"systemd-rc-local-generator\", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local/rc.common to execute malicious code at start-up, and gain persistence onto the system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "rc.local/rc.common File Creation", "note": "## Triage and analysis\n\n### Investigating rc.local/rc.common File Creation\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution.\n\nThere might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital.\n\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path =\\n'/run/systemd/generator/multi-user.target.wants/rc-local.service')\\n\"}}\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\n - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. `sudo cat /var/log/syslog | grep \"rc-local.service|/etc/rc.local Compatibility\"` can be executed to check for the execution of the service.\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. 
In case several syslog log files are available, use a wildcard to search through all of the available logs.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the `service/rc.local` files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and\nfile.path in (\"/etc/rc.local\", \"/etc/rc.common\") and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", 
"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0f4d35e4-925e-4959-ab24-911be207ee6f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "0f4d35e4-925e-4959-ab24-911be207ee6f_112", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_113.json b/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_113.json
deleted file mode 100644
index 0328335d6fd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0f4d35e4-925e-4959-ab24-911be207ee6f_113.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors the creation/alteration of the rc.local/rc.common file. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. However, through the \"systemd-rc-local-generator\", rc.local files can be converted to services that run at boot. Adversaries may alter rc.local/rc.common to execute malicious code at start-up, and gain persistence onto the system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "rc.local/rc.common File Creation", "note": "## Triage and analysis\n\n### Investigating rc.local/rc.common File Creation\n\nThe `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution.\n\nThere might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital.\n\nDetection alerts from this rule indicate the creation of a new `/etc/rc.local` file.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate whether the `/lib/systemd/system/rc-local.service` and `/run/systemd/generator/multi-user.target.wants/rc-local.service` files were created through the `systemd-rc-local-generator` located at `/usr/lib/systemd/system-generators/systemd-rc-local-generator`.\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/run/systemd/generator/multi-user.target.wants/rc-local.service' OR path =\\n'/run/systemd/generator/multi-user.target.wants/rc-local.service')\\n\"}}\n - In case the file is not present here, `sudo systemctl status rc-local` can be executed to find the location of the rc-local unit file.\n - If `rc-local.service` is found, manual investigation is required to check for the rc script execution. Systemd will generate syslogs in case of the execution of the rc-local service. `sudo cat /var/log/syslog | grep \"rc-local.service|/etc/rc.local Compatibility\"` can be executed to check for the execution of the service.\n - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. 
In case several syslog log files are available, use a wildcard to search through all of the available logs.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the `service/rc.local` files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and\nfile.path in (\"/etc/rc.local\", \"/etc/rc.common\") and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/libexec/platform-python\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": 
["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "0f4d35e4-925e-4959-ab24-911be207ee6f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "0f4d35e4-925e-4959-ab24-911be207ee6f_113", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0f56369f-eb3d-459c-a00b-87c2bf7bdfc5.json b/packages/security_detection_engine/kibana/security_rule/0f56369f-eb3d-459c-a00b-87c2bf7bdfc5.json
deleted file mode 100644
index b1ed694a91c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0f56369f-eb3d-459c-a00b-87c2bf7bdfc5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the execution of a netcat listener via rlwrap. rlwrap is a 'readline wrapper', a small utility that uses the GNU Readline library to allow the editing of keyboard input for any command. This utility can be used in conjunction with netcat to gain a more stable reverse shell.", "false_positives": ["Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Netcat Listener Established via rlwrap", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and \nprocess.name == \"rlwrap\" and process.args in (\"nc\", \"ncat\", \"netcat\", \"nc.openbsd\", \"socat\") and\nprocess.args : \"*l*\" and process.args_count >= 4\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0f56369f-eb3d-459c-a00b-87c2bf7bdfc5_1.json b/packages/security_detection_engine/kibana/security_rule/0f56369f-eb3d-459c-a00b-87c2bf7bdfc5_1.json
deleted file mode 100644
index b10c825d826..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0f56369f-eb3d-459c-a00b-87c2bf7bdfc5_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the execution of a netcat listener via rlwrap. rlwrap is a 'readline wrapper', a small utility that uses the GNU Readline library to allow the editing of keyboard input for any command. This utility can be used in conjunction with netcat to gain a more stable reverse shell.", "false_positives": ["Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Netcat Listener Established via rlwrap", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"rlwrap\" and process.args in (\n \"nc\", \"ncat\", \"netcat\", \"nc.openbsd\", \"socat\"\n) and process.args : \"*l*\" and process.args_count >= 4\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": 
"https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0f56369f-eb3d-459c-a00b-87c2bf7bdfc5_2.json b/packages/security_detection_engine/kibana/security_rule/0f56369f-eb3d-459c-a00b-87c2bf7bdfc5_2.json
deleted file mode 100644
index 407237b800b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0f56369f-eb3d-459c-a00b-87c2bf7bdfc5_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the execution of a netcat listener via rlwrap. rlwrap is a 'readline wrapper', a small utility that uses the GNU Readline library to allow the editing of keyboard input for any command. This utility can be used in conjunction with netcat to gain a more stable reverse shell.", "false_positives": ["Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Netcat Listener Established via rlwrap", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"rlwrap\" and process.args in (\n \"nc\", \"ncat\", \"netcat\", \"nc.openbsd\", \"socat\"\n) and process.args : \"*l*\" and process.args_count >= 4\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283.json b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283.json
deleted file mode 100644
index d71c32ba47a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential LSASS Memory Dump via PssCaptureSnapShot", "query": "event.category:process and host.os.type:windows and event.code:10 and\n winlog.event_data.TargetImage:(\"C:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\System32\\\\lsass.exe\")\n", "references": ["https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 73, "rule_id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283", "setup": "## Setup\n\nThis is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold\nrule cardinality feature.\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", 
"subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "threshold": {"cardinality": [{"field": "winlog.event_data.TargetProcessId", "value": 2}], "field": ["process.entity_id"], "value": 2}, "timestamp_override": "event.ingested", "type": "threshold", "version": 208}, "id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_103.json b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_103.json
deleted file mode 100644
index 5df1132cad0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential LSASS Memory Dump via PssCaptureSnapShot", "note": "", "query": "event.category:process and host.os.type:windows and event.code:10 and\n winlog.event_data.TargetImage:(\"C:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\System32\\\\lsass.exe\")\n", "references": ["https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "unknown"}], "risk_score": 73, "rule_id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283", "setup": "This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold\nrule cardinality feature.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", 
"reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "threshold": {"cardinality": [{"field": "winlog.event_data.TargetProcessId", "value": 2}], "field": ["process.entity_id"], "value": 2}, "timestamp_override": "event.ingested", "type": "threshold", "version": 103}, "id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_104.json b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_104.json
deleted file mode 100644
index 4939d0451fd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential LSASS Memory Dump via PssCaptureSnapShot", "note": "", "query": "event.category:process and host.os.type:windows and event.code:10 and\n winlog.event_data.TargetImage:(\"C:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\System32\\\\lsass.exe\")\n", "references": ["https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "unknown"}], "risk_score": 73, "rule_id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283", "setup": "This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold\nrule cardinality feature.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": 
"T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "threshold": {"cardinality": [{"field": "winlog.event_data.TargetProcessId", "value": 2}], "field": ["process.entity_id"], "value": 2}, "timestamp_override": "event.ingested", "type": "threshold", "version": 104}, "id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_105.json b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_105.json
deleted file mode 100644
index c1c22160e30..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential LSASS Memory Dump via PssCaptureSnapShot", "note": "", "query": "event.category:process and host.os.type:windows and event.code:10 and\n winlog.event_data.TargetImage:(\"C:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\System32\\\\lsass.exe\")\n", "references": ["https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 73, "rule_id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283", "setup": "This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold\nrule cardinality feature.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": 
"T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "threshold": {"cardinality": [{"field": "winlog.event_data.TargetProcessId", "value": 2}], "field": ["process.entity_id"], "value": 2}, "timestamp_override": "event.ingested", "type": "threshold", "version": 105}, "id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_206.json b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_206.json
deleted file mode 100644
index d8f1f1e327b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_206.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential LSASS Memory Dump via PssCaptureSnapShot", "note": "", "query": "event.category:process and host.os.type:windows and event.code:10 and\n winlog.event_data.TargetImage:(\"C:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\System32\\\\lsass.exe\")\n", "references": ["https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 73, "rule_id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283", "setup": "This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold\nrule cardinality feature.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": 
"T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "threshold": {"cardinality": [{"field": "winlog.event_data.TargetProcessId", "value": 2}], "field": ["process.entity_id"], "value": 2}, "timestamp_override": "event.ingested", "type": "threshold", "version": 206}, "id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283_206", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_207.json b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_207.json
deleted file mode 100644
index a9d3da3adc1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_207.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential LSASS Memory Dump via PssCaptureSnapShot", "query": "event.category:process and host.os.type:windows and event.code:10 and\n winlog.event_data.TargetImage:(\"C:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\System32\\\\lsass.exe\")\n", "references": ["https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 73, "rule_id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283", "setup": "\nThis is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold\nrule cardinality feature.\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", 
"name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "threshold": {"cardinality": [{"field": "winlog.event_data.TargetProcessId", "value": 2}], "field": ["process.entity_id"], "value": 2}, "timestamp_override": "event.ingested", "type": "threshold", "version": 207}, "id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283_207", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_208.json b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_208.json deleted file mode 100644 index f4a66bd9ed4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_208.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential LSASS Memory Dump via PssCaptureSnapShot", "query": "event.category:process and host.os.type:windows and event.code:10 and\n winlog.event_data.TargetImage:(\"C:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\System32\\\\lsass.exe\")\n", "references": ["https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 73, "rule_id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283", "setup": "## Setup\n\nThis is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold\nrule cardinality feature.\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", 
"subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "threshold": {"cardinality": [{"field": "winlog.event_data.TargetProcessId", "value": 2}], "field": ["process.entity_id"], "value": 2}, "timestamp_override": "event.ingested", "type": "threshold", "version": 208}, "id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_209.json b/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_209.json deleted file mode 100644 index cd9b56c250e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0f93cb9a-1931-48c2-8cd0-f173fd3e5283_209.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to an LSASS handle via PssCaptureSnapShot where two successive process accesses are performed by the same process and target two different instances of LSASS. This may indicate an attempt to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential LSASS Memory Dump via PssCaptureSnapShot", "query": "event.category:process and host.os.type:windows and event.code:10 and\n winlog.event_data.TargetImage:(\"C:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\system32\\\\lsass.exe\" or\n \"c:\\\\Windows\\\\System32\\\\lsass.exe\")\n", "references": ["https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://twitter.com/sbousseaden/status/1280619931516747777?lang=en"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 73, "rule_id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283", "setup": "## Setup\n\nThis is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold\nrule cardinality feature.\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", 
"subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "threshold": {"cardinality": [{"field": "winlog.event_data.TargetProcessId", "value": 2}], "field": ["process.entity_id"], "value": 2}, "timestamp_override": "event.ingested", "type": "threshold", "version": 209}, "id": "0f93cb9a-1931-48c2-8cd0-f173fd3e5283_209", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01.json b/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01.json deleted file mode 100644 index 17ac86d02ba..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the root crontab file. Adversaries may overwrite this file to gain code execution with root privileges by exploiting privileged file write or move related vulnerabilities.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Privilege Escalation via Root Crontab File Modification", "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:/private/var/at/tabs/root and not process.executable:/usr/bin/crontab\n", "references": ["https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc", "https://www.exploit-db.com/exploits/42146"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "0ff84c42-873d-41a2-a4ed-08d74d352d01", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "0ff84c42-873d-41a2-a4ed-08d74d352d01", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_102.json b/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_102.json deleted file mode 100644 index da4872a46d2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the root crontab file. Adversaries may overwrite this file to gain code execution with root privileges by exploiting privileged file write or move related vulnerabilities.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Privilege Escalation via Root Crontab File Modification", "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:/private/var/at/tabs/root and not process.executable:/usr/bin/crontab\n", "references": ["https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc", "https://www.exploit-db.com/exploits/42146"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "0ff84c42-873d-41a2-a4ed-08d74d352d01", "severity": "high", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "0ff84c42-873d-41a2-a4ed-08d74d352d01_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_103.json b/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_103.json
deleted file mode 100644
index 49f9bbceadd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the root crontab file. Adversaries may overwrite this file to gain code execution with root privileges by exploiting privileged file write or move related vulnerabilities.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Privilege Escalation via Root Crontab File Modification", "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:/private/var/at/tabs/root and not process.executable:/usr/bin/crontab\n", "references": ["https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc", "https://www.exploit-db.com/exploits/42146"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "0ff84c42-873d-41a2-a4ed-08d74d352d01", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "0ff84c42-873d-41a2-a4ed-08d74d352d01_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_104.json b/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_104.json
deleted file mode 100644
index 50eb62c0c0a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the root crontab file. Adversaries may overwrite this file to gain code execution with root privileges by exploiting privileged file write or move related vulnerabilities.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Privilege Escalation via Root Crontab File Modification", "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:/private/var/at/tabs/root and not process.executable:/usr/bin/crontab\n", "references": ["https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc", "https://www.exploit-db.com/exploits/42146"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "0ff84c42-873d-41a2-a4ed-08d74d352d01", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "0ff84c42-873d-41a2-a4ed-08d74d352d01_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_105.json b/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_105.json
deleted file mode 100644
index 2d7f83c5889..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/0ff84c42-873d-41a2-a4ed-08d74d352d01_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the root crontab file. Adversaries may overwrite this file to gain code execution with root privileges by exploiting privileged file write or move related vulnerabilities.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Privilege Escalation via Root Crontab File Modification", "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:/private/var/at/tabs/root and not process.executable:/usr/bin/crontab\n", "references": ["https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc", "https://www.exploit-db.com/exploits/42146"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "0ff84c42-873d-41a2-a4ed-08d74d352d01", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "0ff84c42-873d-41a2-a4ed-08d74d352d01_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/10445cf0-0748-11ef-ba75-f661ea17fbcc.json b/packages/security_detection_engine/kibana/security_rule/10445cf0-0748-11ef-ba75-f661ea17fbcc.json deleted file mode 100644 index 87f0c2189db..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/10445cf0-0748-11ef-ba75-f661ea17fbcc.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies when an AWS IAM login profile is added to a user. Adversaries may add a login profile to an IAM user who typically does not have one and is used only for programmatic access. This can be used to maintain access to the account even if the original access key is rotated or disabled. This is a building block rule and does not generate alerts on its own. It is meant to be used for correlation with other rules to detect suspicious activity.", "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Login Profile Added to User", "query": "event.dataset: aws.cloudtrail and event.provider: \"iam.amazonaws.com\"\n and event.action: \"CreateLoginProfile\" and event.outcome: success\n", "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "10445cf0-0748-11ef-ba75-f661ea17fbcc", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}, {"id": "T1098", "name": "Account Manipulation", "reference": 
"https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "10445cf0-0748-11ef-ba75-f661ea17fbcc", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/10445cf0-0748-11ef-ba75-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/10445cf0-0748-11ef-ba75-f661ea17fbcc_1.json deleted file mode 100644 index 5b2a0d4eb07..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/10445cf0-0748-11ef-ba75-f661ea17fbcc_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies when an AWS IAM login profile is added to a user. Adversaries may add a login profile to an IAM user who typically does not have one and is used only for programmatic access. This can be used to maintain access to the account even if the original access key is rotated or disabled. This is a building block rule and does not generate alerts on its own. It is meant to be used for correlation with other rules to detect suspicious activity.", "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Login Profile Added to User", "query": "event.dataset: aws.cloudtrail and event.provider: \"iam.amazonaws.com\"\n and event.action: \"CreateLoginProfile\" and event.outcome: success\n", "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "10445cf0-0748-11ef-ba75-f661ea17fbcc", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}, {"id": "T1078", "name": "Valid Accounts", "reference": 
"https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "10445cf0-0748-11ef-ba75-f661ea17fbcc_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f.json b/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f.json deleted file mode 100644 index 22e0e402b74..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection.", "false_positives": ["Legitimate WebProxy Settings Modification"], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "WebProxy Settings Modification", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name : networksetup and process.args : ((\"-setwebproxy\" or \"-setsecurewebproxy\" or \"-setautoproxyurl\") and not (Bluetooth or off)) and\n not process.parent.executable : (\"/Library/PrivilegedHelperTools/com.80pct.FreedomHelper\" or\n \"/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi\" or\n \"/usr/libexec/xpcproxy\") and\n not process.Ext.effective_parent.executable : (\"/Applications/Proxyman.app/Contents/MacOS/Proxyman\" or \"/Applications/Incoggo.app/Contents/MacOS/Incoggo.app\")\n", "references": ["https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend 
Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1539", "name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_102.json b/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_102.json deleted file mode 100644 index 60bc700be01..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection.", "false_positives": ["Legitimate WebProxy Settings Modification"], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "WebProxy Settings Modification", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name : networksetup and process.args : ((\"-setwebproxy\" or \"-setsecurewebproxy\" or \"-setautoproxyurl\") and not (Bluetooth or off)) and\n not process.parent.executable : (\"/Library/PrivilegedHelperTools/com.80pct.FreedomHelper\" or\n \"/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi\" or\n \"/usr/libexec/xpcproxy\")\n", "references": ["https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1539", "name": "Steal Web Session Cookie", "reference": 
"https://attack.mitre.org/techniques/T1539/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_103.json b/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_103.json deleted file mode 100644 index 66361cb4535..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection.", "false_positives": ["Legitimate WebProxy Settings Modification"], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "WebProxy Settings Modification", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name : networksetup and process.args : ((\"-setwebproxy\" or \"-setsecurewebproxy\" or \"-setautoproxyurl\") and not (Bluetooth or off)) and\n not process.parent.executable : (\"/Library/PrivilegedHelperTools/com.80pct.FreedomHelper\" or\n \"/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi\" or\n \"/usr/libexec/xpcproxy\")\n", "references": ["https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1539", "name": "Steal Web Session 
Cookie", "reference": "https://attack.mitre.org/techniques/T1539/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_104.json b/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_104.json deleted file mode 100644 index 0dc220a2e68..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection.", "false_positives": ["Legitimate WebProxy Settings Modification"], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "WebProxy Settings Modification", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name : networksetup and process.args : ((\"-setwebproxy\" or \"-setsecurewebproxy\" or \"-setautoproxyurl\") and not (Bluetooth or off)) and\n not process.parent.executable : (\"/Library/PrivilegedHelperTools/com.80pct.FreedomHelper\" or\n \"/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi\" or\n \"/usr/libexec/xpcproxy\")\n", "references": ["https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1539", 
"name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_105.json b/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_105.json deleted file mode 100644 index 38a3dd11140..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection.", "false_positives": ["Legitimate WebProxy Settings Modification"], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "WebProxy Settings Modification", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name : networksetup and process.args : ((\"-setwebproxy\" or \"-setsecurewebproxy\" or \"-setautoproxyurl\") and not (Bluetooth or off)) and\n not process.parent.executable : (\"/Library/PrivilegedHelperTools/com.80pct.FreedomHelper\" or\n \"/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi\" or\n \"/usr/libexec/xpcproxy\")\n", "references": ["https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1539", "name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_106.json b/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_106.json deleted file mode 100644 index 2f134f5be58..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection.", "false_positives": ["Legitimate WebProxy Settings Modification"], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "WebProxy Settings Modification", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name : networksetup and process.args : ((\"-setwebproxy\" or \"-setsecurewebproxy\" or \"-setautoproxyurl\") and not (Bluetooth or off)) and\n not process.parent.executable : (\"/Library/PrivilegedHelperTools/com.80pct.FreedomHelper\" or\n \"/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi\" or\n \"/usr/libexec/xpcproxy\")\n", "references": ["https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1539", "name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475.json b/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475.json deleted file mode 100644 index dbbb92904ec..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.", "false_positives": ["Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment."], "index": ["packetbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "Abnormally Large DNS Response", "note": "## Triage and analysis\n\n### Investigating Abnormally Large DNS Response\n\nDetection alerts from this rule indicate possible anomalous activity around large byte DNS responses from a Windows DNS server. This detection rule was created based on activity represented in exploitation of vulnerability (CVE-2020-1350) also known as [SigRed](https://www.elastic.co/blog/detection-rules-for-sigred-vulnerability) during July 2020.\n\n#### Possible investigation steps\n\n- This specific rule is sourced from network log activity such as DNS or network level data. 
It's important to validate the source of the incoming traffic and determine if this activity has been observed previously within an environment.\n- Activity can be further investigated and validated by reviewing any associated Intrusion Detection Signatures (IDS) alerts.\n- Further examination can include a review of the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.\n- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale internet vulnerability scanning.\n- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.\n\n#### False positive analysis\n\n- Based on this rule, which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes and related to legitimate behavior. In packet capture files received by the [SANS Internet Storm Center](https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/), byte responses were all observed as greater than 65k bytes.\n- This activity can be triggered by compliance/vulnerability scanning or compromise assessment; it's important to determine the source of the activity and potentially allowlist the source host.\n\n### Related rules\n\n- Unusual Child Process of dns.exe - 8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45\n- Unusual File Modification by dns.exe - c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure that you have deployed the latest Microsoft [Security Update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) (Monthly Rollup or Security Only) and restarted the patched machines. 
If unable to patch immediately, Microsoft [released](https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability) a registry-based workaround that doesn\u2019t require a restart. This can be used as a temporary solution before the patch is applied.\n- Maintain backups of your critical systems to aid in quick recovery.\n- Perform routine vulnerability scans of your systems, monitor [CISA advisories](https://us-cert.cisa.gov/ncas/current-activity) and patch identified vulnerabilities.\n- If you observe a true positive, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.\n", "query": "(event.dataset: network_traffic.dns or (event.category: (network or network_traffic) and destination.port: 53)) and\n (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000\n", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://github.com/maxpl0it/CVE-2020-1350-DoS", "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "network.bytes", "type": "long"}, {"ecs": false, "name": "type", "type": "keyword"}], "risk_score": 47, "rule_id": "11013227-0301-4a8c-b150-4db924484475", "severity": "medium", "tags": ["Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Use Case: Vulnerability"], "threat": [{"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "11013227-0301-4a8c-b150-4db924484475", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_103.json b/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_103.json deleted file mode 100644 index 91f203da5f6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.", "false_positives": ["Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment."], "index": ["packetbeat-*", "filebeat-*"], "language": "kuery", "license": "Elastic License v2", "name": "Abnormally Large DNS Response", "note": "## Triage and analysis\n\n### Investigating Abnormally Large DNS Response\n\nDetection alerts from this rule indicate possible anomalous activity around large byte DNS responses from a Windows DNS server. This detection rule was created based on activity represented in exploitation of vulnerability (CVE-2020-1350) also known as [SigRed](https://www.elastic.co/blog/detection-rules-for-sigred-vulnerability) during July 2020.\n\n#### Possible investigation steps\n\n- This specific rule is sourced from network log activity such as DNS or network level data. 
It's important to validate the source of the incoming traffic and determine if this activity has been observed previously within an environment.\n- Activity can be further investigated and validated by reviewing any associated Intrusion Detection Signatures (IDS) alerts.\n- Further examination can include a review of the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.\n- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale internet vulnerability scanning.\n- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.\n\n#### False positive analysis\n\n- Based on this rule, which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes and related to legitimate behavior. In packet capture files received by the [SANS Internet Storm Center](https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/), byte responses were all observed as greater than 65k bytes.\n- This activity can be triggered by compliance/vulnerability scanning or compromise assessment; it's important to determine the source of the activity and potentially allowlist the source host.\n\n### Related rules\n\n- Unusual Child Process of dns.exe - 8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45\n- Unusual File Modification by dns.exe - c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure that you have deployed the latest Microsoft [Security Update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) (Monthly Rollup or Security Only) and restarted the patched machines. 
If unable to patch immediately, Microsoft [released](https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability) a registry-based workaround that doesn\u2019t require a restart. This can be used as a temporary solution before the patch is applied.\n- Maintain backups of your critical systems to aid in quick recovery.\n- Perform routine vulnerability scans of your systems, monitor [CISA advisories](https://us-cert.cisa.gov/ncas/current-activity) and patch identified vulnerabilities.\n- If you observe a true positive, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.\n", "query": "event.category:(network or network_traffic) and destination.port:53 and\n (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000\n", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://github.com/maxpl0it/CVE-2020-1350-DoS", "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "network.bytes", "type": "long"}, {"ecs": false, "name": "type", "type": "keyword"}], "risk_score": 47, "rule_id": "11013227-0301-4a8c-b150-4db924484475", "severity": "medium", "tags": ["Elastic", "Network", "Threat Detection", "Lateral Movement", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": 
"T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "11013227-0301-4a8c-b150-4db924484475_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_104.json b/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_104.json deleted file mode 100644 index 20538397b23..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/11013227-0301-4a8c-b150-4db924484475_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.", "false_positives": ["Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an authorized vulnerability scan or compromise assessment."], "index": ["packetbeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "Abnormally Large DNS Response", "note": "## Triage and analysis\n\n### Investigating Abnormally Large DNS Response\n\nDetection alerts from this rule indicate possible anomalous activity around large byte DNS responses from a Windows DNS server. This detection rule was created based on activity represented in exploitation of vulnerability (CVE-2020-1350) also known as [SigRed](https://www.elastic.co/blog/detection-rules-for-sigred-vulnerability) during July 2020.\n\n#### Possible investigation steps\n\n- This specific rule is sourced from network log activity such as DNS or network level data. 
It's important to validate the source of the incoming traffic and determine if this activity has been observed previously within an environment.\n- Activity can be further investigated and validated by reviewing any associated Intrusion Detection Signatures (IDS) alerts.\n- Further examination can include a review of the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.\n- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale internet vulnerability scanning.\n- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.\n\n#### False positive analysis\n\n- Based on this rule, which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes and related to legitimate behavior. In packet capture files received by the [SANS Internet Storm Center](https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/), byte responses were all observed as greater than 65k bytes.\n- This activity can be triggered by compliance/vulnerability scanning or compromise assessment; it's important to determine the source of the activity and potentially allowlist the source host.\n\n### Related rules\n\n- Unusual Child Process of dns.exe - 8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45\n- Unusual File Modification by dns.exe - c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure that you have deployed the latest Microsoft [Security Update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) (Monthly Rollup or Security Only) and restarted the patched machines. 
If unable to patch immediately, Microsoft [released](https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability) a registry-based workaround that doesn\u2019t require a restart. This can be used as a temporary solution before the patch is applied.\n- Maintain backups of your critical systems to aid in quick recovery.\n- Perform routine vulnerability scans of your systems, monitor [CISA advisories](https://us-cert.cisa.gov/ncas/current-activity) and patch identified vulnerabilities.\n- If you observe a true positive, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.\n", "query": "event.dataset: network_traffic.dns and\n (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000\n", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://github.com/maxpl0it/CVE-2020-1350-DoS", "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "network.bytes", "type": "long"}, {"ecs": false, "name": "type", "type": "keyword"}], "risk_score": 47, "rule_id": "11013227-0301-4a8c-b150-4db924484475", "severity": "medium", "tags": ["Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote 
Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "11013227-0301-4a8c-b150-4db924484475_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd.json b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd.json
deleted file mode 100644
index 307eb76ea38..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential DLL Side-Loading via Trusted Microsoft Programs", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"WinWord.exe\", \"EXPLORER.EXE\", \"w3wp.exe\", \"DISM.EXE\") and\n not (process.name : (\"winword.exe\", \"explorer.exe\", \"w3wp.exe\", \"Dism.exe\") or\n process.executable : (\"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files?(x86)\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Windows\\\\System32\\\\Dism.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Dism.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for 
EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_103.json b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_103.json
deleted file mode 100644
index 9b7c03367cd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential DLL SideLoading via Trusted Microsoft Programs", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"WinWord.exe\", \"EXPLORER.EXE\", \"w3wp.exe\", \"DISM.EXE\") and\n not (process.name : (\"winword.exe\", \"explorer.exe\", \"w3wp.exe\", \"Dism.exe\") or\n process.executable : (\"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files?(x86)\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Windows\\\\System32\\\\Dism.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Dism.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added 
until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_104.json b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_104.json
deleted file mode 100644
index 2dc99ac5558..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential DLL SideLoading via Trusted Microsoft Programs", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"WinWord.exe\", \"EXPLORER.EXE\", \"w3wp.exe\", \"DISM.EXE\") and\n not (process.name : (\"winword.exe\", \"explorer.exe\", \"w3wp.exe\", \"Dism.exe\") or\n process.executable : (\"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files?(x86)\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Windows\\\\System32\\\\Dism.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Dism.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added 
until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_105.json b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_105.json
deleted file mode 100644
index 88f482372e7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential DLL SideLoading via Trusted Microsoft Programs", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"WinWord.exe\", \"EXPLORER.EXE\", \"w3wp.exe\", \"DISM.EXE\") and\n not (process.name : (\"winword.exe\", \"explorer.exe\", \"w3wp.exe\", \"Dism.exe\") or\n process.executable : (\"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files?(x86)\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Windows\\\\System32\\\\Dism.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Dism.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added 
until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_106.json b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_106.json
deleted file mode 100644
index fe95c753817..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential DLL SideLoading via Trusted Microsoft Programs", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"WinWord.exe\", \"EXPLORER.EXE\", \"w3wp.exe\", \"DISM.EXE\") and\n not (process.name : (\"winword.exe\", \"explorer.exe\", \"w3wp.exe\", \"Dism.exe\") or\n process.executable : (\"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files?(x86)\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Windows\\\\System32\\\\Dism.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Dism.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added 
until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_107.json b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_107.json
deleted file mode 100644
index 49f1829de6d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential DLL Side-Loading via Trusted Microsoft Programs", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"WinWord.exe\", \"EXPLORER.EXE\", \"w3wp.exe\", \"DISM.EXE\") and\n not (process.name : (\"winword.exe\", \"explorer.exe\", \"w3wp.exe\", \"Dism.exe\") or\n process.executable : (\"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files?(x86)\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Windows\\\\System32\\\\Dism.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Dism.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added 
until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_108.json b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_108.json
deleted file mode 100644
index 25bd8826528..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential DLL Side-Loading via Trusted Microsoft Programs", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"WinWord.exe\", \"EXPLORER.EXE\", \"w3wp.exe\", \"DISM.EXE\") and\n not (process.name : (\"winword.exe\", \"explorer.exe\", \"w3wp.exe\", \"Dism.exe\") or\n process.executable : (\"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files?(x86)\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Windows\\\\System32\\\\Dism.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Dism.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until 
version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_109.json b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_109.json
deleted file mode 100644
index db949e0b773..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential DLL Side-Loading via Trusted Microsoft Programs", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"WinWord.exe\", \"EXPLORER.EXE\", \"w3wp.exe\", \"DISM.EXE\") and\n not (process.name : (\"winword.exe\", \"explorer.exe\", \"w3wp.exe\", \"Dism.exe\") or\n process.executable : (\"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files?(x86)\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Windows\\\\System32\\\\Dism.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Dism.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL 
rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_110.json b/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_110.json
deleted file mode 100644
index 5496d9cc5d3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1160dcdb-0a0a-4a79-91d8-9b84616edebd_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an instance of a Windows trusted program that is known to be vulnerable to DLL Search Order Hijacking starting after being renamed or from a non-standard path. This is uncommon behavior and may indicate an attempt to evade defenses via side loading a malicious DLL within the memory space of one of those processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential DLL Side-Loading via Trusted Microsoft Programs", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"WinWord.exe\", \"EXPLORER.EXE\", \"w3wp.exe\", \"DISM.EXE\") and\n not (process.name : (\"winword.exe\", \"explorer.exe\", \"w3wp.exe\", \"Dism.exe\") or\n process.executable : (\"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files?(x86)\\\\Microsoft Office\\\\root\\\\Office*\\\\WINWORD.EXE\",\n \"?:\\\\Windows\\\\System32\\\\Dism.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Dism.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for 
EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "1160dcdb-0a0a-4a79-91d8-9b84616edebd_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e.json b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e.json deleted file mode 100644 index 7c953a6edf3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via Windows Firewall Snap-In Hijack", "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n", "references": ["https://github.com/AzAgarampur/byeintegrity-uac"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: 
Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.014", "name": "MMC", "reference": "https://attack.mitre.org/techniques/T1218/014/"}]}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_104.json b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_104.json deleted file mode 100644 index 2b73ec4a087..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via Windows Firewall Snap-In Hijack", "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n", "references": ["https://github.com/AzAgarampur/byeintegrity-uac"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control 
Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_105.json b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_105.json deleted file mode 100644 index f250c8619db..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via Windows Firewall Snap-In Hijack", "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n", "references": ["https://github.com/AzAgarampur/byeintegrity-uac"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control 
Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_106.json b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_106.json deleted file mode 100644 index 420703f3f28..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via Windows Firewall Snap-In Hijack", "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n", "references": ["https://github.com/AzAgarampur/byeintegrity-uac"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": 
[{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_107.json b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_107.json deleted file mode 100644 index 37083a0237c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via Windows Firewall Snap-In Hijack", "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n", "references": ["https://github.com/AzAgarampur/byeintegrity-uac"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": 
"https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_108.json b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_108.json deleted file mode 100644 index e60ee4dc8b9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via Windows Firewall Snap-In Hijack", "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n", "references": ["https://github.com/AzAgarampur/byeintegrity-uac"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": 
"https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}, {"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.014", "name": "MMC", "reference": "https://attack.mitre.org/techniques/T1218/014/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_109.json b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_109.json deleted file mode 100644 index 6c7b06ed2f3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via Windows Firewall Snap-In Hijack", "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n", "references": ["https://github.com/AzAgarampur/byeintegrity-uac"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation 
Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}, {"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.014", "name": "MMC", "reference": "https://attack.mitre.org/techniques/T1218/014/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_110.json b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_110.json deleted file mode 100644 index b55a1c74b4f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_110.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via Windows Firewall Snap-In Hijack", "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n", "references": ["https://github.com/AzAgarampur/byeintegrity-uac"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: 
Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}, {"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.014", "name": "MMC", "reference": "https://attack.mitre.org/techniques/T1218/014/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_111.json b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_111.json
deleted file mode 100644
index c5308c74e38..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via Windows Firewall Snap-In Hijack", "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n", "references": ["https://github.com/AzAgarampur/byeintegrity-uac"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: 
Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}, {"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.014", "name": "MMC", "reference": "https://attack.mitre.org/techniques/T1218/014/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_112.json b/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_112.json
deleted file mode 100644
index 327dbefae37..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1178ae09-5aff-460a-9f2f-455cd0ac4d8e_112.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via Windows Firewall Snap-In Hijack", "note": "## Triage and analysis\n\n### Investigating UAC Bypass via Windows Firewall Snap-In Hijack\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in. Attackers bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"mmc.exe\" and\n /* process.Ext.token.integrity_level_name == \"high\" can be added in future for tuning */\n /* args of the Windows Firewall SnapIn */\n process.parent.args == \"WF.msc\" and process.name != \"WerFault.exe\"\n", "references": ["https://github.com/AzAgarampur/byeintegrity-uac"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: 
Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.014", "name": "MMC", "reference": "https://attack.mitre.org/techniques/T1218/014/"}]}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "1178ae09-5aff-460a-9f2f-455cd0ac4d8e_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a.json b/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a.json
deleted file mode 100644
index e0745d94031..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot.", "false_positives": ["Exporting snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Snapshot Export", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "119c8877-8613-416d-a98a-96b6664ee73a", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "119c8877-8613-416d-a98a-96b6664ee73a", "type": "security-rule"}
\ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_102.json b/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_102.json
deleted file mode 100644
index ed8351f6e8c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot.", "false_positives": ["Exporting snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Snapshot Export", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "119c8877-8613-416d-a98a-96b6664ee73a", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility", "Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "119c8877-8613-416d-a98a-96b6664ee73a_102", "type": "security-rule"} \ No newline at end of 
file
diff --git a/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_103.json b/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_103.json
deleted file mode 100644
index c2155acc813..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot.", "false_positives": ["Exporting snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Snapshot Export", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "119c8877-8613-416d-a98a-96b6664ee73a", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "119c8877-8613-416d-a98a-96b6664ee73a_103", "type": "security-rule"} \ No newline at 
end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_104.json b/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_104.json
deleted file mode 100644
index 78c288a9110..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot.", "false_positives": ["Exporting snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Snapshot Export", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "119c8877-8613-416d-a98a-96b6664ee73a", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "119c8877-8613-416d-a98a-96b6664ee73a_104", "type": "security-rule"} \ No newline at 
end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_205.json b/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_205.json
deleted file mode 100644
index 48d67f1ab36..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/119c8877-8613-416d-a98a-96b6664ee73a_205.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot.", "false_positives": ["Exporting snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Snapshot Export", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "119c8877-8613-416d-a98a-96b6664ee73a", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "119c8877-8613-416d-a98a-96b6664ee73a_205", "type": "security-rule"} \ No newline at 
end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c.json b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c.json
deleted file mode 100644
index fb802cd32d9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Token Impersonation Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Script with Token Impersonation Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAdversaries can abuse PowerShell to perform token impersonation, which involves duplicating and impersonating another user's token to escalate privileges and bypass access controls. This rule identifies scripts containing PowerShell functions, structures, or Windows API functions related to token impersonation/theft.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine PowerShell process creation and script block logs to identify command line arguments or hardcoded information that can indicate which user was the target of the impersonation.\n- Investigate any abnormal behavior by the subject process (PowerShell), such as network connections, registry or file modifications, and any spawned child processes.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account 
LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Regular users should not need to impersonate other users, which makes false positives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related Rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-TokenManipulation\" or\n \"ImpersonateNamedPipeClient\" or\n \"NtImpersonateThread\" or\n (\n \"STARTUPINFOEX\" and\n \"UpdateProcThreadAttribute\"\n ) or\n (\n \"AdjustTokenPrivileges\" and\n \"SeDebugPrivilege\"\n ) or\n (\n (\"DuplicateToken\" or\n \"DuplicateTokenEx\") and\n (\"SetThreadToken\" or\n \"ImpersonateLoggedOnUser\" or\n \"CreateProcessWithTokenW\" or\n \"CreatePRocessAsUserW\" or\n \"CreateProcessAsUserA\")\n ) \n ) and\n not (\n user.id:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\"\n ) and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n ) and\n not (\n powershell.file.script_block_text : \"New-HPPrivateToastNotificationLogo\" and\n file.path : \"C:\\Program Files\\HPConnect\\hp-cmsl-wl\\modules\\HP.Notifications\\HP.Notifications.psm1\"\n )\n", "references": ["https://github.com/decoder-it/psgetsystem", "https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": 
"file.directory", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "11dd9713-0ec6-4110-9707-32daae1ee68c", "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.001", "name": "Token Impersonation/Theft", "reference": "https://attack.mitre.org/techniques/T1134/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": 
"query", "version": 12}, "id": "11dd9713-0ec6-4110-9707-32daae1ee68c", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_10.json b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_10.json
deleted file mode 100644
index fcd276e7f13..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_10.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Token Impersonation Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Script with Token Impersonation Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAdversaries can abuse PowerShell to perform token impersonation, which involves duplicating and impersonating another user's token to escalate privileges and bypass access controls. This rule identifies scripts containing PowerShell functions, structures, or Windows API functions related to token impersonation/theft.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine PowerShell process creation and script block logs to identify command line arguments or hardcoded information that can indicate which user was the target of the impersonation.\n- Investigate any abnormal behavior by the subject process (PowerShell), such as network connections, registry or file modifications, and any spawned child processes.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account 
LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Regular users should not need to impersonate other users, which makes false positives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related Rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-TokenManipulation\" or\n \"ImpersonateNamedPipeClient\" or\n \"NtImpersonateThread\" or\n (\n \"STARTUPINFOEX\" and\n \"UpdateProcThreadAttribute\"\n ) or\n (\n \"AdjustTokenPrivileges\" and\n \"SeDebugPrivilege\"\n ) or\n (\n (\"DuplicateToken\" or\n \"DuplicateTokenEx\") and\n (\"SetThreadToken\" or\n \"ImpersonateLoggedOnUser\" or\n \"CreateProcessWithTokenW\" or\n \"CreatePRocessAsUserW\" or\n \"CreateProcessAsUserA\")\n ) \n ) and\n not (\n user.id:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\"\n ) and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n", "references": ["https://github.com/decoder-it/psgetsystem", "https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": 
"user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "11dd9713-0ec6-4110-9707-32daae1ee68c", "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.001", "name": "Token Impersonation/Theft", "reference": "https://attack.mitre.org/techniques/T1134/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 10}, "id": "11dd9713-0ec6-4110-9707-32daae1ee68c_10", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_11.json b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_11.json
deleted file mode 100644
index d381d0781a6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_11.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Token Impersonation Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Script with Token Impersonation Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAdversaries can abuse PowerShell to perform token impersonation, which involves duplicating and impersonating another user's token to escalate privileges and bypass access controls. This rule identifies scripts containing PowerShell functions, structures, or Windows API functions related to token impersonation/theft.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine PowerShell process creation and script block logs to identify command line arguments or hardcoded information that can indicate which user was the target of the impersonation.\n- Investigate any abnormal behavior by the subject process (PowerShell), such as network connections, registry or file modifications, and any spawned child processes.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account 
LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Regular users should not need to impersonate other users, which makes false positives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related Rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-TokenManipulation\" or\n \"ImpersonateNamedPipeClient\" or\n \"NtImpersonateThread\" or\n (\n \"STARTUPINFOEX\" and\n \"UpdateProcThreadAttribute\"\n ) or\n (\n \"AdjustTokenPrivileges\" and\n \"SeDebugPrivilege\"\n ) or\n (\n (\"DuplicateToken\" or\n \"DuplicateTokenEx\") and\n (\"SetThreadToken\" or\n \"ImpersonateLoggedOnUser\" or\n \"CreateProcessWithTokenW\" or\n \"CreatePRocessAsUserW\" or\n \"CreateProcessAsUserA\")\n ) \n ) and\n not (\n user.id:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\"\n ) and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n", "references": ["https://github.com/decoder-it/psgetsystem", "https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": 
"user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "11dd9713-0ec6-4110-9707-32daae1ee68c", "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.001", "name": "Token Impersonation/Theft", "reference": "https://attack.mitre.org/techniques/T1134/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 11}, "id": "11dd9713-0ec6-4110-9707-32daae1ee68c_11", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_12.json b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_12.json
deleted file mode 100644
index 9c80f75148b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_12.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Token Impersonation Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Script with Token Impersonation Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAdversaries can abuse PowerShell to perform token impersonation, which involves duplicating and impersonating another user's token to escalate privileges and bypass access controls. This rule identifies scripts containing PowerShell functions, structures, or Windows API functions related to token impersonation/theft.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine PowerShell process creation and script block logs to identify command line arguments or hardcoded information that can indicate which user was the target of the impersonation.\n- Investigate any abnormal behavior by the subject process (PowerShell), such as network connections, registry or file modifications, and any spawned child processes.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account 
LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Regular users should not need to impersonate other users, which makes false positives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related Rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-TokenManipulation\" or\n \"ImpersonateNamedPipeClient\" or\n \"NtImpersonateThread\" or\n (\n \"STARTUPINFOEX\" and\n \"UpdateProcThreadAttribute\"\n ) or\n (\n \"AdjustTokenPrivileges\" and\n \"SeDebugPrivilege\"\n ) or\n (\n (\"DuplicateToken\" or\n \"DuplicateTokenEx\") and\n (\"SetThreadToken\" or\n \"ImpersonateLoggedOnUser\" or\n \"CreateProcessWithTokenW\" or\n \"CreatePRocessAsUserW\" or\n \"CreateProcessAsUserA\")\n ) \n ) and\n not (\n user.id:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\"\n ) and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n ) and\n not (\n powershell.file.script_block_text : \"New-HPPrivateToastNotificationLogo\" and\n file.path : \"C:\\Program Files\\HPConnect\\hp-cmsl-wl\\modules\\HP.Notifications\\HP.Notifications.psm1\"\n )\n", "references": ["https://github.com/decoder-it/psgetsystem", "https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": 
"file.directory", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "11dd9713-0ec6-4110-9707-32daae1ee68c", "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.001", "name": "Token Impersonation/Theft", "reference": "https://attack.mitre.org/techniques/T1134/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": 
"query", "version": 12}, "id": "11dd9713-0ec6-4110-9707-32daae1ee68c_12", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_13.json b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_13.json deleted file mode 100644 index 208d411ef2a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_13.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Token Impersonation Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Script with Token Impersonation Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAdversaries can abuse PowerShell to perform token impersonation, which involves duplicating and impersonating another user's token to escalate privileges and bypass access controls. This rule identifies scripts containing PowerShell functions, structures, or Windows API functions related to token impersonation/theft.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine PowerShell process creation and script block logs to identify command line arguments or hardcoded information that can indicate which user was the target of the impersonation.\n- Investigate any abnormal behavior by the subject process (PowerShell), such as network connections, registry or file modifications, and any spawned child processes.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account 
LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Regular users should not need to impersonate other users, which makes false positives unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related Rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-TokenManipulation\" or\n \"ImpersonateNamedPipeClient\" or\n \"NtImpersonateThread\" or\n (\n \"STARTUPINFOEX\" and\n \"UpdateProcThreadAttribute\"\n ) or\n (\n \"AdjustTokenPrivileges\" and\n \"SeDebugPrivilege\"\n ) or\n (\n (\"DuplicateToken\" or\n \"DuplicateTokenEx\") and\n (\"SetThreadToken\" or\n \"ImpersonateLoggedOnUser\" or\n \"CreateProcessWithTokenW\" or\n \"CreatePRocessAsUserW\" or\n \"CreateProcessAsUserA\")\n ) \n ) and\n not (\n user.id:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\"\n ) and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n ) and\n not (\n powershell.file.script_block_text : \"New-HPPrivateToastNotificationLogo\" and\n file.path : \"C:\\Program Files\\HPConnect\\hp-cmsl-wl\\modules\\HP.Notifications\\HP.Notifications.psm1\"\n )\n", "references": ["https://github.com/decoder-it/psgetsystem", "https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": 
"file.directory", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "11dd9713-0ec6-4110-9707-32daae1ee68c", "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.001", "name": "Token Impersonation/Theft", "reference": "https://attack.mitre.org/techniques/T1134/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": 
"query", "version": 13}, "id": "11dd9713-0ec6-4110-9707-32daae1ee68c_13", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_4.json b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_4.json deleted file mode 100644 index 0359724bce9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Token Impersonation Capabilities", "note": "", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-TokenManipulation\" or\n \"ImpersonateNamedPipeClient\" or\n \"NtImpersonateThread\" or\n (\n \"STARTUPINFOEX\" and\n \"UpdateProcThreadAttribute\"\n ) or\n (\n \"AdjustTokenPrivileges\" and\n \"SeDebugPrivilege\"\n ) or\n (\n (\"DuplicateToken\" or\n \"DuplicateTokenEx\") and\n (\"SetThreadToken\" or\n \"ImpersonateLoggedOnUser\" or\n \"CreateProcessWithTokenW\" or\n \"CreatePRocessAsUserW\" or\n \"CreateProcessAsUserA\")\n ) \n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/decoder-it/psgetsystem", "https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "11dd9713-0ec6-4110-9707-32daae1ee68c", "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging 
policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "PowerShell"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.001", "name": "Token Impersonation/Theft", "reference": "https://attack.mitre.org/techniques/T1134/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "11dd9713-0ec6-4110-9707-32daae1ee68c_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_5.json b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_5.json deleted file mode 100644 index c12bc2037bb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Token Impersonation Capabilities", "note": "", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-TokenManipulation\" or\n \"ImpersonateNamedPipeClient\" or\n \"NtImpersonateThread\" or\n (\n \"STARTUPINFOEX\" and\n \"UpdateProcThreadAttribute\"\n ) or\n (\n \"AdjustTokenPrivileges\" and\n \"SeDebugPrivilege\"\n ) or\n (\n (\"DuplicateToken\" or\n \"DuplicateTokenEx\") and\n (\"SetThreadToken\" or\n \"ImpersonateLoggedOnUser\" or\n \"CreateProcessWithTokenW\" or\n \"CreatePRocessAsUserW\" or\n \"CreateProcessAsUserA\")\n ) \n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\")\n", "references": ["https://github.com/decoder-it/psgetsystem", "https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": 
"keyword"}], "risk_score": 47, "rule_id": "11dd9713-0ec6-4110-9707-32daae1ee68c", "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "PowerShell"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.001", "name": "Token Impersonation/Theft", "reference": "https://attack.mitre.org/techniques/T1134/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "11dd9713-0ec6-4110-9707-32daae1ee68c_5", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_6.json b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_6.json
deleted file mode 100644
index a63b39bdbf7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Token Impersonation Capabilities", "note": "", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-TokenManipulation\" or\n \"ImpersonateNamedPipeClient\" or\n \"NtImpersonateThread\" or\n (\n \"STARTUPINFOEX\" and\n \"UpdateProcThreadAttribute\"\n ) or\n (\n \"AdjustTokenPrivileges\" and\n \"SeDebugPrivilege\"\n ) or\n (\n (\"DuplicateToken\" or\n \"DuplicateTokenEx\") and\n (\"SetThreadToken\" or\n \"ImpersonateLoggedOnUser\" or\n \"CreateProcessWithTokenW\" or\n \"CreatePRocessAsUserW\" or\n \"CreateProcessAsUserA\")\n ) \n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\")\n", "references": ["https://github.com/decoder-it/psgetsystem", "https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": 
"keyword"}], "risk_score": 47, "rule_id": "11dd9713-0ec6-4110-9707-32daae1ee68c", "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.001", "name": "Token Impersonation/Theft", "reference": "https://attack.mitre.org/techniques/T1134/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 6}, "id": "11dd9713-0ec6-4110-9707-32daae1ee68c_6", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_7.json b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_7.json
deleted file mode 100644
index 438a13c3cb9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Token Impersonation Capabilities", "note": "", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-TokenManipulation\" or\n \"ImpersonateNamedPipeClient\" or\n \"NtImpersonateThread\" or\n (\n \"STARTUPINFOEX\" and\n \"UpdateProcThreadAttribute\"\n ) or\n (\n \"AdjustTokenPrivileges\" and\n \"SeDebugPrivilege\"\n ) or\n (\n (\"DuplicateToken\" or\n \"DuplicateTokenEx\") and\n (\"SetThreadToken\" or\n \"ImpersonateLoggedOnUser\" or\n \"CreateProcessWithTokenW\" or\n \"CreatePRocessAsUserW\" or\n \"CreateProcessAsUserA\")\n ) \n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\")\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n", "references": ["https://github.com/decoder-it/psgetsystem", "https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, 
{"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "11dd9713-0ec6-4110-9707-32daae1ee68c", "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.001", "name": "Token Impersonation/Theft", "reference": "https://attack.mitre.org/techniques/T1134/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 7}, "id": "11dd9713-0ec6-4110-9707-32daae1ee68c_7", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_8.json b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_8.json
deleted file mode 100644
index a57d77fc85e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Token Impersonation Capabilities", "note": "", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-TokenManipulation\" or\n \"ImpersonateNamedPipeClient\" or\n \"NtImpersonateThread\" or\n (\n \"STARTUPINFOEX\" and\n \"UpdateProcThreadAttribute\"\n ) or\n (\n \"AdjustTokenPrivileges\" and\n \"SeDebugPrivilege\"\n ) or\n (\n (\"DuplicateToken\" or\n \"DuplicateTokenEx\") and\n (\"SetThreadToken\" or\n \"ImpersonateLoggedOnUser\" or\n \"CreateProcessWithTokenW\" or\n \"CreatePRocessAsUserW\" or\n \"CreateProcessAsUserA\")\n ) \n ) and\n not (\n user.id:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\"\n ) and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n", "references": ["https://github.com/decoder-it/psgetsystem", "https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": 
"host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "11dd9713-0ec6-4110-9707-32daae1ee68c", "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.001", "name": "Token Impersonation/Theft", "reference": "https://attack.mitre.org/techniques/T1134/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 8}, "id": "11dd9713-0ec6-4110-9707-32daae1ee68c_8", "type": "security-rule"} \ No newline at 
end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_9.json b/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_9.json
deleted file mode 100644
index 6ec211306d9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/11dd9713-0ec6-4110-9707-32daae1ee68c_9.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to token impersonation/theft. Attackers may duplicate then impersonate another user's token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Token Impersonation Capabilities", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-TokenManipulation\" or\n \"ImpersonateNamedPipeClient\" or\n \"NtImpersonateThread\" or\n (\n \"STARTUPINFOEX\" and\n \"UpdateProcThreadAttribute\"\n ) or\n (\n \"AdjustTokenPrivileges\" and\n \"SeDebugPrivilege\"\n ) or\n (\n (\"DuplicateToken\" or\n \"DuplicateTokenEx\") and\n (\"SetThreadToken\" or\n \"ImpersonateLoggedOnUser\" or\n \"CreateProcessWithTokenW\" or\n \"CreatePRocessAsUserW\" or\n \"CreateProcessAsUserA\")\n ) \n ) and\n not (\n user.id:(\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\"\n ) and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n", "references": ["https://github.com/decoder-it/psgetsystem", "https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/Get-System.ps1", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-MS16032.ps1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": 
"keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "11dd9713-0ec6-4110-9707-32daae1ee68c", "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.001", "name": "Token Impersonation/Theft", "reference": "https://attack.mitre.org/techniques/T1134/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 9}, "id": "11dd9713-0ec6-4110-9707-32daae1ee68c_9", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9.json b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9.json
deleted file mode 100644
index 8b48a7f1275..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.", "false_positives": ["Certain utilities that delete files for disk cleanup or Administrators manually removing backup files."], "from": "now-9m", "index": ["logs-endpoint.events.file-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Third-party Backup Files Deleted via Unexpected Process", "note": "## Triage and analysis\n\n### Investigating Third-party Backup Files Deleted via Unexpected Process\n\nBackups are a significant obstacle for any ransomware operation. They allow the victim to resume business by performing data recovery, making them a valuable target.\n\nAttackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom.\n\nThis rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"deletion\" and\n (\n /* Veeam Related Backup Files */\n (\n file.extension : (\"VBK\", \"VIB\", \"VBM\") and\n not (\n process.executable : (\"?:\\\\Windows\\\\*\", \"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\") and\n (process.code_signature.trusted == true and process.code_signature.subject_name : (\"Veeam Software Group GmbH\", \"Veeam Software AG\"))\n )\n ) or\n /* Veritas Backup Exec Related Backup File */\n (\n file.extension : \"BKF\" and\n not process.executable : (\n \"?:\\\\Program Files\\\\Veritas\\\\Backup Exec\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Veritas\\\\Backup Exec\\\\*\"\n )\n )\n ) and\n not (\n process.name : (\"MSExchangeMailboxAssistants.exe\", \"Microsoft.PowerBI.EnterpriseGateway.exe\") and\n (process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) and\n not file.path : (\n \"?:\\\\ProgramData\\\\Trend Micro\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*\",\n \"?:\\\\$RECYCLE.BIN\\\\*\"\n )\n", "references": ["https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": 
"process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}, {"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_104.json b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_104.json deleted file mode 100644 index 8111155e892..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.", "false_positives": ["Certain utilities that delete files for disk cleanup or Administrators manually removing backup files."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Third-party Backup Files Deleted via Unexpected Process", "note": "## Triage and analysis\n\n### Investigating Third-party Backup Files Deleted via Unexpected Process\n\nBackups are a significant obstacle for any ransomware operation. They allow the victim to resume business by performing data recovery, making them a valuable target.\n\nAttackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom.\n\nThis rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"deletion\" and\n (\n /* Veeam Related Backup Files */\n (file.extension : (\"VBK\", \"VIB\", \"VBM\") and\n not process.executable : (\"?:\\\\Windows\\\\Veeam\\\\Backup\\\\*\",\n \"?:\\\\Program Files\\\\Veeam\\\\Backup and Replication\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Veeam\\\\Backup and Replication\\\\*\")) or\n\n /* Veritas Backup Exec Related Backup File */\n (file.extension : \"BKF\" and\n not process.executable : (\"?:\\\\Program Files\\\\Veritas\\\\Backup Exec\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Veritas\\\\Backup Exec\\\\*\"))\n )\n", "references": ["https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "Investigation Guide", "Elastic Endgame"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_105.json b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_105.json
deleted file mode 100644
index 68c72b7ee46..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.", "false_positives": ["Certain utilities that delete files for disk cleanup or Administrators manually removing backup files."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Third-party Backup Files Deleted via Unexpected Process", "note": "## Triage and analysis\n\n### Investigating Third-party Backup Files Deleted via Unexpected Process\n\nBackups are a significant obstacle for any ransomware operation. They allow the victim to resume business by performing data recovery, making them a valuable target.\n\nAttackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom.\n\nThis rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"deletion\" and\n (\n /* Veeam Related Backup Files */\n (file.extension : (\"VBK\", \"VIB\", \"VBM\") and\n not (\n process.executable : (\"?:\\\\Windows\\\\*\", \"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\") and\n (process.code_signature.trusted == true and process.code_signature.subject_name : \"Veeam Software Group GmbH\")\n )) or\n\n /* Veritas Backup Exec Related Backup File */\n (file.extension : \"BKF\" and\n not process.executable : (\"?:\\\\Program Files\\\\Veritas\\\\Backup Exec\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Veritas\\\\Backup Exec\\\\*\") and\n not file.path : (\"?:\\\\ProgramData\\\\Trend Micro\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*\",\n \"?:\\\\$RECYCLE.BIN\\\\*\"))\n )\n", "references": ["https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9", "setup": "If enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_106.json b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_106.json
deleted file mode 100644
index 260c0949709..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.", "false_positives": ["Certain utilities that delete files for disk cleanup or Administrators manually removing backup files."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Third-party Backup Files Deleted via Unexpected Process", "note": "## Triage and analysis\n\n### Investigating Third-party Backup Files Deleted via Unexpected Process\n\nBackups are a significant obstacle for any ransomware operation. They allow the victim to resume business by performing data recovery, making them a valuable target.\n\nAttackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom.\n\nThis rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"deletion\" and\n (\n /* Veeam Related Backup Files */\n (file.extension : (\"VBK\", \"VIB\", \"VBM\") and\n not (\n process.executable : (\"?:\\\\Windows\\\\*\", \"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\") and\n (process.code_signature.trusted == true and process.code_signature.subject_name : \"Veeam Software Group GmbH\")\n )) or\n\n /* Veritas Backup Exec Related Backup File */\n (file.extension : \"BKF\" and\n not process.executable : (\"?:\\\\Program Files\\\\Veritas\\\\Backup Exec\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Veritas\\\\Backup Exec\\\\*\") and\n not file.path : (\"?:\\\\ProgramData\\\\Trend Micro\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*\",\n \"?:\\\\$RECYCLE.BIN\\\\*\"))\n )\n", "references": ["https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9", "setup": "If enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_107.json b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_107.json
deleted file mode 100644
index 0921cdff6b0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.", "false_positives": ["Certain utilities that delete files for disk cleanup or Administrators manually removing backup files."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Third-party Backup Files Deleted via Unexpected Process", "note": "## Triage and analysis\n\n### Investigating Third-party Backup Files Deleted via Unexpected Process\n\nBackups are a significant obstacle for any ransomware operation. They allow the victim to resume business by performing data recovery, making them a valuable target.\n\nAttackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom.\n\nThis rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"deletion\" and\n (\n /* Veeam Related Backup Files */\n (file.extension : (\"VBK\", \"VIB\", \"VBM\") and\n not (\n process.executable : (\"?:\\\\Windows\\\\*\", \"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\") and\n (process.code_signature.trusted == true and process.code_signature.subject_name : \"Veeam Software Group GmbH\")\n )) or\n\n /* Veritas Backup Exec Related Backup File */\n (file.extension : \"BKF\" and\n not process.executable : (\"?:\\\\Program Files\\\\Veritas\\\\Backup Exec\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Veritas\\\\Backup Exec\\\\*\") and\n not file.path : (\"?:\\\\ProgramData\\\\Trend Micro\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*\",\n \"?:\\\\$RECYCLE.BIN\\\\*\"))\n )\n", "references": ["https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9", "setup": "If enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_108.json b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_108.json
deleted file mode 100644
index e55e37b7cac..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.", "false_positives": ["Certain utilities that delete files for disk cleanup or Administrators manually removing backup files."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Third-party Backup Files Deleted via Unexpected Process", "note": "## Triage and analysis\n\n### Investigating Third-party Backup Files Deleted via Unexpected Process\n\nBackups are a significant obstacle for any ransomware operation. They allow the victim to resume business by performing data recovery, making them a valuable target.\n\nAttackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom.\n\nThis rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"deletion\" and\n (\n /* Veeam Related Backup Files */\n (file.extension : (\"VBK\", \"VIB\", \"VBM\") and\n not (\n process.executable : (\"?:\\\\Windows\\\\*\", \"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\") and\n (process.code_signature.trusted == true and process.code_signature.subject_name : \"Veeam Software Group GmbH\")\n )) or\n\n /* Veritas Backup Exec Related Backup File */\n (file.extension : \"BKF\" and\n not process.executable : (\"?:\\\\Program Files\\\\Veritas\\\\Backup Exec\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Veritas\\\\Backup Exec\\\\*\") and\n not file.path : (\"?:\\\\ProgramData\\\\Trend Micro\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*\",\n \"?:\\\\$RECYCLE.BIN\\\\*\"))\n )\n", "references": ["https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9", "setup": "If enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}, {"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_109.json b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_109.json
deleted file mode 100644
index 7dea41de6b8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.", "false_positives": ["Certain utilities that delete files for disk cleanup or Administrators manually removing backup files."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Third-party Backup Files Deleted via Unexpected Process", "note": "## Triage and analysis\n\n### Investigating Third-party Backup Files Deleted via Unexpected Process\n\nBackups are a significant obstacle for any ransomware operation. They allow the victim to resume business by performing data recovery, making them a valuable target.\n\nAttackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom.\n\nThis rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "file where host.os.type == \"windows\" and event.type == \"deletion\" and\n (\n /* Veeam Related Backup Files */\n (file.extension : (\"VBK\", \"VIB\", \"VBM\") and\n not (\n process.executable : (\"?:\\\\Windows\\\\*\", \"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\") and\n (process.code_signature.trusted == true and process.code_signature.subject_name : \"Veeam Software Group GmbH\")\n )) or\n\n /* Veritas Backup Exec Related Backup File */\n (file.extension : \"BKF\" and\n not process.executable : (\"?:\\\\Program Files\\\\Veritas\\\\Backup Exec\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Veritas\\\\Backup Exec\\\\*\") and\n not file.path : (\"?:\\\\ProgramData\\\\Trend Micro\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*\",\n \"?:\\\\$RECYCLE.BIN\\\\*\"))\n )\n", "references": ["https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9", "setup": "\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}, {"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_110.json b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_110.json deleted file mode 100644 index e42c3346d58..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.", "false_positives": ["Certain utilities that delete files for disk cleanup or Administrators manually removing backup files."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Third-party Backup Files Deleted via Unexpected Process", "note": "## Triage and analysis\n\n### Investigating Third-party Backup Files Deleted via Unexpected Process\n\nBackups are a significant obstacle for any ransomware operation. They allow the victim to resume business by performing data recovery, making them a valuable target.\n\nAttackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom.\n\nThis rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "file where host.os.type == \"windows\" and event.type == \"deletion\" and\n (\n /* Veeam Related Backup Files */\n (\n file.extension : (\"VBK\", \"VIB\", \"VBM\") and\n not (\n process.executable : (\"?:\\\\Windows\\\\*\", \"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\") and\n (process.code_signature.trusted == true and process.code_signature.subject_name : (\"Veeam Software Group GmbH\", \"Veeam Software AG\"))\n )\n ) or\n /* Veritas Backup Exec Related Backup File */\n (\n file.extension : \"BKF\" and\n not process.executable : (\n \"?:\\\\Program Files\\\\Veritas\\\\Backup Exec\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Veritas\\\\Backup Exec\\\\*\"\n )\n )\n ) and\n not (\n process.name : (\"MSExchangeMailboxAssistants.exe\", \"Microsoft.PowerBI.EnterpriseGateway.exe\") and\n (process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) and\n not file.path : (\n \"?:\\\\ProgramData\\\\Trend Micro\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*\",\n \"?:\\\\$RECYCLE.BIN\\\\*\"\n )\n", "references": ["https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}, {"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_111.json b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_111.json deleted file mode 100644 index b50d42efe5a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.", "false_positives": ["Certain utilities that delete files for disk cleanup or Administrators manually removing backup files."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Third-party Backup Files Deleted via Unexpected Process", "note": "## Triage and analysis\n\n### Investigating Third-party Backup Files Deleted via Unexpected Process\n\nBackups are a significant obstacle for any ransomware operation. They allow the victim to resume business by performing data recovery, making them a valuable target.\n\nAttackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom.\n\nThis rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"deletion\" and\n (\n /* Veeam Related Backup Files */\n (\n file.extension : (\"VBK\", \"VIB\", \"VBM\") and\n not (\n process.executable : (\"?:\\\\Windows\\\\*\", \"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\") and\n (process.code_signature.trusted == true and process.code_signature.subject_name : (\"Veeam Software Group GmbH\", \"Veeam Software AG\"))\n )\n ) or\n /* Veritas Backup Exec Related Backup File */\n (\n file.extension : \"BKF\" and\n not process.executable : (\n \"?:\\\\Program Files\\\\Veritas\\\\Backup Exec\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Veritas\\\\Backup Exec\\\\*\"\n )\n )\n ) and\n not (\n process.name : (\"MSExchangeMailboxAssistants.exe\", \"Microsoft.PowerBI.EnterpriseGateway.exe\") and\n (process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) and\n not file.path : (\n \"?:\\\\ProgramData\\\\Trend Micro\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*\",\n \"?:\\\\$RECYCLE.BIN\\\\*\"\n )\n", "references": ["https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": 
"process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}, {"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_112.json b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_112.json deleted file mode 100644 index 1dc1902f5a7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_112.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.", "false_positives": ["Certain utilities that delete files for disk cleanup or Administrators manually removing backup files."], "from": "now-9m", "index": ["logs-endpoint.events.file-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Third-party Backup Files Deleted via Unexpected Process", "note": "## Triage and analysis\n\n### Investigating Third-party Backup Files Deleted via Unexpected Process\n\nBackups are a significant obstacle for any ransomware operation. They allow the victim to resume business by performing data recovery, making them a valuable target.\n\nAttackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom.\n\nThis rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"deletion\" and\n (\n /* Veeam Related Backup Files */\n (\n file.extension : (\"VBK\", \"VIB\", \"VBM\") and\n not (\n process.executable : (\"?:\\\\Windows\\\\*\", \"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\") and\n (process.code_signature.trusted == true and process.code_signature.subject_name : (\"Veeam Software Group GmbH\", \"Veeam Software AG\"))\n )\n ) or\n /* Veritas Backup Exec Related Backup File */\n (\n file.extension : \"BKF\" and\n not process.executable : (\n \"?:\\\\Program Files\\\\Veritas\\\\Backup Exec\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Veritas\\\\Backup Exec\\\\*\"\n )\n )\n ) and\n not (\n process.name : (\"MSExchangeMailboxAssistants.exe\", \"Microsoft.PowerBI.EnterpriseGateway.exe\") and\n (process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) and\n not file.path : (\n \"?:\\\\ProgramData\\\\Trend Micro\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*\",\n \"?:\\\\$RECYCLE.BIN\\\\*\"\n )\n", "references": ["https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": 
"process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}, {"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_113.json b/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_113.json deleted file mode 100644 index f09c2ac3b93..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/11ea6bec-ebde-4d71-a8e9-784948f8e3e9_113.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite. Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.", "false_positives": ["Certain utilities that delete files for disk cleanup or Administrators manually removing backup files."], "from": "now-9m", "index": ["logs-endpoint.events.file-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Third-party Backup Files Deleted via Unexpected Process", "note": "## Triage and analysis\n\n### Investigating Third-party Backup Files Deleted via Unexpected Process\n\nBackups are a significant obstacle for any ransomware operation. They allow the victim to resume business by performing data recovery, making them a valuable target.\n\nAttackers can delete backups from the host and gain access to backup servers to remove centralized backups for the environment, ensuring that victims have no alternatives to paying the ransom.\n\nThis rule identifies file deletions performed by a process that does not belong to the backup suite and aims to delete Veritas or Veeam backups.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- This rule can be triggered by the manual removal of backup files and by removal using other third-party tools that are not from the backup suite. Exceptions can be added for specific accounts and executables, preferably tied together.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Perform data recovery locally or restore the backups from replicated copies (Cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"deletion\" and\n (\n /* Veeam Related Backup Files */\n (\n file.extension : (\"VBK\", \"VIB\", \"VBM\") and\n not (\n process.executable : (\"?:\\\\Windows\\\\*\", \"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\") and\n (process.code_signature.trusted == true and process.code_signature.subject_name : (\"Veeam Software Group GmbH\", \"Veeam Software AG\"))\n )\n ) or\n /* Veritas Backup Exec Related Backup File */\n (\n file.extension : \"BKF\" and\n not process.executable : (\n \"?:\\\\Program Files\\\\Veritas\\\\Backup Exec\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Veritas\\\\Backup Exec\\\\*\"\n )\n )\n ) and\n not (\n process.name : (\"MSExchangeMailboxAssistants.exe\", \"Microsoft.PowerBI.EnterpriseGateway.exe\") and\n (process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) and\n not file.path : (\n \"?:\\\\ProgramData\\\\Trend Micro\\\\*\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*\",\n \"?:\\\\$RECYCLE.BIN\\\\*\"\n )\n", "references": ["https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": 
"process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}, {"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "11ea6bec-ebde-4d71-a8e9-784948f8e3e9_113", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674.json b/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674.json deleted file mode 100644 index e7156dde7b4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.", "false_positives": ["A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route 53 Domain Transfer Lock Disabled", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "12051077-0124-4394-9522-8f4f4db1d674", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Asset Visibility", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "12051077-0124-4394-9522-8f4f4db1d674", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_102.json b/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_102.json deleted file mode 100644 index 7fffdb48952..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.", "false_positives": ["A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route 53 Domain Transfer Lock Disabled", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "12051077-0124-4394-9522-8f4f4db1d674", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "12051077-0124-4394-9522-8f4f4db1d674_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_103.json b/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_103.json deleted file mode 100644 index a2e43142553..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.", "false_positives": ["A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route 53 Domain Transfer Lock Disabled", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "12051077-0124-4394-9522-8f4f4db1d674", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", 
"reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "12051077-0124-4394-9522-8f4f4db1d674_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_104.json b/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_104.json deleted file mode 100644 index bd732feb5b9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.", "false_positives": ["A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route 53 Domain Transfer Lock Disabled", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "12051077-0124-4394-9522-8f4f4db1d674", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", 
"reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "12051077-0124-4394-9522-8f4f4db1d674_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_205.json b/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_205.json deleted file mode 100644 index d801453f93d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12051077-0124-4394-9522-8f4f4db1d674_205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar.", "false_positives": ["A domain transfer lock may be disabled by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Activity from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route 53 Domain Transfer Lock Disabled", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:DisableDomainTransferLock and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html", "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "12051077-0124-4394-9522-8f4f4db1d674", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", 
"reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "12051077-0124-4394-9522-8f4f4db1d674_205", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b.json b/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b.json deleted file mode 100644 index 250bc548483..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_high_sum_by_user", "name": "Suspicious Windows Process Cluster Spawned by a User", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "1224da6c-0326-4b4f-8454-68cdc5ae542b", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 5}, "id": "1224da6c-0326-4b4f-8454-68cdc5ae542b", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_1.json b/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_1.json deleted file mode 100644 index 169522b98a1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_high_sum_by_user", "name": "Suspicious Windows Process Cluster Spawned by a User", "note": "", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "1224da6c-0326-4b4f-8454-68cdc5ae542b", "setup": "The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. 
Please refer to this rule's references for more information.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 1}, "id": "1224da6c-0326-4b4f-8454-68cdc5ae542b_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_2.json b/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_2.json deleted file mode 100644 index 09b7f5d6b2a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_high_sum_by_user", "name": "Suspicious Windows Process Cluster Spawned by a User", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "1224da6c-0326-4b4f-8454-68cdc5ae542b", "setup": "The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\nBefore you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 2}, "id": "1224da6c-0326-4b4f-8454-68cdc5ae542b_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_3.json b/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_3.json deleted file mode 100644 index fab543176f8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_high_sum_by_user", "name": "Suspicious Windows Process Cluster Spawned by a User", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "1224da6c-0326-4b4f-8454-68cdc5ae542b", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\nBefore you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 3}, "id": "1224da6c-0326-4b4f-8454-68cdc5ae542b_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_4.json b/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_4.json deleted file mode 100644 index 773ada2d0e4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_4.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_high_sum_by_user", "name": "Suspicious Windows Process Cluster Spawned by a User", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "1224da6c-0326-4b4f-8454-68cdc5ae542b", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\n**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle \"Include hidden indices\"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\n**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. 
Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 4}, "id": "1224da6c-0326-4b4f-8454-68cdc5ae542b_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_5.json b/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_5.json
deleted file mode 100644
index a2e7dfc9c38..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_high_sum_by_user", "name": "Suspicious Windows Process Cluster Spawned by a User", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "1224da6c-0326-4b4f-8454-68cdc5ae542b", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 5}, "id": "1224da6c-0326-4b4f-8454-68cdc5ae542b_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_6.json b/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_6.json
deleted file mode 100644
index 1fc6de7804d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1224da6c-0326-4b4f-8454-68cdc5ae542b_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_high_sum_by_user", "name": "Suspicious Windows Process Cluster Spawned by a User", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "1224da6c-0326-4b4f-8454-68cdc5ae542b", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 6}, "id": "1224da6c-0326-4b4f-8454-68cdc5ae542b_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1251b98a-ff45-11ee-89a1-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/1251b98a-ff45-11ee-89a1-f661ea17fbce.json
deleted file mode 100644
index a7ea275eb9a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1251b98a-ff45-11ee-89a1-f661ea17fbce.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies when an AWS Lambda function is created or updated. AWS Lambda lets you run code without provisioning or managing servers. Adversaries can create or update Lambda functions to execute malicious code, exfiltrate data, or escalate privileges. This is a [building block rule](https://www.elastic.co/guide/en/security/current/building-block-rule.html) that does not generate alerts, but signals when a Lambda function is created or updated that matches the rule's conditions. To generate alerts, create a rule that uses this signal as a building block.", "false_positives": ["Legitimate changes to Lambda functions can trigger this signal. Ensure that the changes are authorized and align with your organization's policies."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Lambda Function Created or Updated", "query": "event.dataset: \"aws.cloudtrail\"\n and event.provider: \"lambda.amazonaws.com\"\n and event.outcome: \"success\"\n and event.action: (CreateFunction* or UpdateFunctionCode*)\n", "references": ["https://mattslifebytes.com/2023/04/14/from-rebuilds-to-reloads-hacking-aws-lambda-to-enable-instant-code-updates/", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-overwrite-code/", "https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionCode.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "1251b98a-ff45-11ee-89a1-f661ea17fbce", "severity": "low", "tags": ["Domain: Cloud", "Data 
Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Lambda", "Use Case: Asset Visibility", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1648", "name": "Serverless Execution", "reference": "https://attack.mitre.org/techniques/T1648/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "1251b98a-ff45-11ee-89a1-f661ea17fbce", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1251b98a-ff45-11ee-89a1-f661ea17fbce_1.json b/packages/security_detection_engine/kibana/security_rule/1251b98a-ff45-11ee-89a1-f661ea17fbce_1.json deleted file mode 100644 index 5efd51a5a77..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1251b98a-ff45-11ee-89a1-f661ea17fbce_1.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies when an AWS Lambda function is created or updated. AWS Lambda lets you run code without provisioning or managing servers. Adversaries can create or update Lambda functions to execute malicious code, exfiltrate data, or escalate privileges. This is a [building block rule](https://www.elastic.co/guide/en/security/current/building-block-rule.html) that does not generate alerts, but signals when a Lambda function is created or updated that matches the rule's conditions. To generate alerts, create a rule that uses this signal as a building block.", "false_positives": ["Legitimate changes to Lambda functions can trigger this signal. Ensure that the changes are authorized and align with your organization's policies."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Lambda Function Created or Updated", "query": "event.dataset: \"aws.cloudtrail\"\n and event.provider: \"lambda.amazonaws.com\"\n and event.outcome: \"success\"\n and event.action: (CreateFunction* or UpdateFunctionCode*)\n", "references": ["https://mattslifebytes.com/2023/04/14/from-rebuilds-to-reloads-hacking-aws-lambda-to-enable-instant-code-updates/", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-overwrite-code/", "https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionCode.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "1251b98a-ff45-11ee-89a1-f661ea17fbce", "severity": "low", "tags": ["Domain: Cloud", "Data 
Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Lambda", "Use Case: Asset Visibility", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1648", "name": "Serverless Execution", "reference": "https://attack.mitre.org/techniques/T1648/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "1251b98a-ff45-11ee-89a1-f661ea17fbce_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609.json b/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609.json deleted file mode 100644 index b9a997cf1b7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Lsass Process Access", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n not winlog.event_data.GrantedAccess :\n (\"0x1000\", \"0x1400\", \"0x101400\", \"0x101000\", \"0x101001\", \"0x100000\", \"0x100040\", \"0x3200\", \"0x40\", \"0x3200\") and\n not process.name : (\"procexp64.exe\", \"procmon.exe\", \"procexp.exe\", \"Microsoft.Identity.AadConnect.Health.AadSync.Host.ex\") and\n not process.executable : (\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\platform\\\\*\",\n \"?:\\\\ProgramData\\\\WebEx\\\\webex\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\",\n \"?:\\\\Windows\\\\LTSvc\\\\LTSVC.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\system32\\\\csrss.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsm.exe\",\n \"?:\\\\Windows\\\\system32\\\\MRT.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe\",\n \"?:\\\\Windows\\\\system32\\\\wininit.exe\",\n \"?:\\\\Windows\\\\SystemTemp\\\\GUM*.tmp\\\\GoogleUpdate.exe\",\n \"?:\\\\Windows\\\\sysWOW64\\\\wbem\\\\wmiprvse.exe\"\n ) and\n not winlog.event_data.CallTrace : (\"*mpengine.dll*\", \"*appresolver.dll*\", \"*sysmain.dll*\")\n", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": 
true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 47, "rule_id": "128468bf-cab1-4637-99ea-fdf3780a4609", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "128468bf-cab1-4637-99ea-fdf3780a4609", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_105.json b/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_105.json deleted file mode 100644 index 0769aff40c0..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Lsass Process Access", "note": "## Setup", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n not winlog.event_data.GrantedAccess :\n (\"0x1000\", \"0x1400\", \"0x101400\", \"0x101000\", \"0x101001\", \"0x100000\", \"0x100040\", \"0x3200\", \"0x40\", \"0x3200\") and\n not process.name : (\"procexp64.exe\", \"procmon.exe\", \"procexp.exe\", \"Microsoft.Identity.AadConnect.Health.AadSync.Host.ex\") and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\lsm.exe\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\",\n \"?:\\\\Windows\\\\system32\\\\csrss.exe\",\n \"?:\\\\Windows\\\\system32\\\\wininit.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe\",\n \"?:\\\\Windows\\\\system32\\\\MRT.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\platform\\\\*\",\n \"?:\\\\ProgramData\\\\WebEx\\\\webex\\\\*\",\n \"?:\\\\Windows\\\\LTSvc\\\\LTSVC.exe\") and\n not winlog.event_data.CallTrace : (\"*mpengine.dll*\", \"*appresolver.dll*\", \"*sysmain.dll*\")\n", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": 
"winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 47, "rule_id": "128468bf-cab1-4637-99ea-fdf3780a4609", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "128468bf-cab1-4637-99ea-fdf3780a4609_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_106.json b/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_106.json deleted file mode 100644 index 382264712b5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_106.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Lsass Process Access", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n not winlog.event_data.GrantedAccess :\n (\"0x1000\", \"0x1400\", \"0x101400\", \"0x101000\", \"0x101001\", \"0x100000\", \"0x100040\", \"0x3200\", \"0x40\", \"0x3200\") and\n not process.name : (\"procexp64.exe\", \"procmon.exe\", \"procexp.exe\", \"Microsoft.Identity.AadConnect.Health.AadSync.Host.ex\") and\n not process.executable : (\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\platform\\\\*\",\n \"?:\\\\ProgramData\\\\WebEx\\\\webex\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\",\n \"?:\\\\Windows\\\\LTSvc\\\\LTSVC.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\system32\\\\csrss.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsm.exe\",\n \"?:\\\\Windows\\\\system32\\\\MRT.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe\",\n \"?:\\\\Windows\\\\system32\\\\wininit.exe\",\n \"?:\\\\Windows\\\\SystemTemp\\\\GUM*.tmp\\\\GoogleUpdate.exe\",\n \"?:\\\\Windows\\\\sysWOW64\\\\wbem\\\\wmiprvse.exe\"\n ) and\n not winlog.event_data.CallTrace : (\"*mpengine.dll*\", \"*appresolver.dll*\", \"*sysmain.dll*\")\n", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": 
"host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 47, "rule_id": "128468bf-cab1-4637-99ea-fdf3780a4609", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "128468bf-cab1-4637-99ea-fdf3780a4609_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_107.json b/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_107.json deleted file mode 100644 index 6a40b47fc3a..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Lsass Process Access", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n not winlog.event_data.GrantedAccess :\n (\"0x1000\", \"0x1400\", \"0x101400\", \"0x101000\", \"0x101001\", \"0x100000\", \"0x100040\", \"0x3200\", \"0x40\", \"0x3200\") and\n not process.name : (\"procexp64.exe\", \"procmon.exe\", \"procexp.exe\", \"Microsoft.Identity.AadConnect.Health.AadSync.Host.ex\") and\n not process.executable : (\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\platform\\\\*\",\n \"?:\\\\ProgramData\\\\WebEx\\\\webex\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\",\n \"?:\\\\Windows\\\\LTSvc\\\\LTSVC.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\system32\\\\csrss.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsm.exe\",\n \"?:\\\\Windows\\\\system32\\\\MRT.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe\",\n \"?:\\\\Windows\\\\system32\\\\wininit.exe\",\n \"?:\\\\Windows\\\\SystemTemp\\\\GUM*.tmp\\\\GoogleUpdate.exe\",\n \"?:\\\\Windows\\\\sysWOW64\\\\wbem\\\\wmiprvse.exe\"\n ) and\n not winlog.event_data.CallTrace : (\"*mpengine.dll*\", \"*appresolver.dll*\", \"*sysmain.dll*\")\n", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": 
true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 47, "rule_id": "128468bf-cab1-4637-99ea-fdf3780a4609", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "128468bf-cab1-4637-99ea-fdf3780a4609_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_2.json b/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_2.json deleted file mode 100644 index 8fd3ae13533..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Lsass Process Access", "note": "## Setup", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n not winlog.event_data.GrantedAccess : \n (\"0x1000\", \"0x1400\", \"0x101400\", \"0x101000\", \"0x101001\", \"0x100000\", \"0x100040\", \"0x3200\", \"0x40\", \"0x3200\") and \n not process.name : (\"procexp64.exe\", \"procmon.exe\", \"procexp.exe\", \"Microsoft.Identity.AadConnect.Health.AadSync.Host.ex\") and \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\lsm.exe\", \n \"?:\\\\Program Files\\\\*\", \n \"?:\\\\Program Files (x86)\\\\*\", \n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\", \n \"?:\\\\Windows\\\\system32\\\\csrss.exe\", \n \"?:\\\\Windows\\\\system32\\\\wininit.exe\", \n \"?:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe\", \n \"?:\\\\Windows\\\\system32\\\\MRT.exe\", \n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\platform\\\\*\", \n \"?:\\\\ProgramData\\\\WebEx\\\\webex\\\\*\", \n \"?:\\\\Windows\\\\LTSvc\\\\LTSVC.exe\") and \n not winlog.event_data.CallTrace : (\"*mpengine.dll*\", \"*appresolver.dll*\", \"*sysmain.dll*\") \n", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": 
false, "name": "winlog.event_data.CallTrace", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "unknown"}], "risk_score": 47, "rule_id": "128468bf-cab1-4637-99ea-fdf3780a4609", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "128468bf-cab1-4637-99ea-fdf3780a4609_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_207.json b/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_207.json deleted file mode 100644 index df1a7ca96c7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_207.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Lsass Process Access", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n not winlog.event_data.GrantedAccess :\n (\"0x1000\", \"0x1400\", \"0x101400\", \"0x101000\", \"0x101001\", \"0x100000\", \"0x100040\", \"0x3200\", \"0x40\", \"0x3200\") and\n not process.name : (\"procexp64.exe\", \"procmon.exe\", \"procexp.exe\", \"Microsoft.Identity.AadConnect.Health.AadSync.Host.ex\") and\n not process.executable : (\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\platform\\\\*\",\n \"?:\\\\ProgramData\\\\WebEx\\\\webex\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\",\n \"?:\\\\Windows\\\\LTSvc\\\\LTSVC.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\system32\\\\csrss.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsm.exe\",\n \"?:\\\\Windows\\\\system32\\\\MRT.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe\",\n \"?:\\\\Windows\\\\system32\\\\wininit.exe\",\n \"?:\\\\Windows\\\\SystemTemp\\\\GUM*.tmp\\\\GoogleUpdate.exe\",\n \"?:\\\\Windows\\\\sysWOW64\\\\wbem\\\\wmiprvse.exe\"\n ) and\n not winlog.event_data.CallTrace : (\"*mpengine.dll*\", \"*appresolver.dll*\", \"*sysmain.dll*\")\n", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": 
true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 47, "rule_id": "128468bf-cab1-4637-99ea-fdf3780a4609", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 207}, "id": "128468bf-cab1-4637-99ea-fdf3780a4609_207", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_3.json b/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_3.json deleted file mode 100644 index 523d7df4038..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Lsass Process Access", "note": "## Setup", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n not winlog.event_data.GrantedAccess : \n (\"0x1000\", \"0x1400\", \"0x101400\", \"0x101000\", \"0x101001\", \"0x100000\", \"0x100040\", \"0x3200\", \"0x40\", \"0x3200\") and \n not process.name : (\"procexp64.exe\", \"procmon.exe\", \"procexp.exe\", \"Microsoft.Identity.AadConnect.Health.AadSync.Host.ex\") and \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\lsm.exe\", \n \"?:\\\\Program Files\\\\*\", \n \"?:\\\\Program Files (x86)\\\\*\", \n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\", \n \"?:\\\\Windows\\\\system32\\\\csrss.exe\", \n \"?:\\\\Windows\\\\system32\\\\wininit.exe\", \n \"?:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe\", \n \"?:\\\\Windows\\\\system32\\\\MRT.exe\", \n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\platform\\\\*\", \n \"?:\\\\ProgramData\\\\WebEx\\\\webex\\\\*\", \n \"?:\\\\Windows\\\\LTSvc\\\\LTSVC.exe\") and \n not winlog.event_data.CallTrace : (\"*mpengine.dll*\", \"*appresolver.dll*\", \"*sysmain.dll*\") \n", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": 
false, "name": "winlog.event_data.CallTrace", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "unknown"}], "risk_score": 47, "rule_id": "128468bf-cab1-4637-99ea-fdf3780a4609", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "128468bf-cab1-4637-99ea-fdf3780a4609_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_4.json b/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_4.json deleted file mode 100644 index 50c19b818aa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/128468bf-cab1-4637-99ea-fdf3780a4609_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies access attempts to LSASS handle, this may indicate an attempt to dump credentials from Lsass memory.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Lsass Process Access", "note": "## Setup", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n not winlog.event_data.GrantedAccess : \n (\"0x1000\", \"0x1400\", \"0x101400\", \"0x101000\", \"0x101001\", \"0x100000\", \"0x100040\", \"0x3200\", \"0x40\", \"0x3200\") and \n not process.name : (\"procexp64.exe\", \"procmon.exe\", \"procexp.exe\", \"Microsoft.Identity.AadConnect.Health.AadSync.Host.ex\") and \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\lsm.exe\", \n \"?:\\\\Program Files\\\\*\", \n \"?:\\\\Program Files (x86)\\\\*\", \n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\", \n \"?:\\\\Windows\\\\system32\\\\csrss.exe\", \n \"?:\\\\Windows\\\\system32\\\\wininit.exe\", \n \"?:\\\\Windows\\\\system32\\\\wbem\\\\wmiprvse.exe\", \n \"?:\\\\Windows\\\\system32\\\\MRT.exe\", \n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\platform\\\\*\", \n \"?:\\\\ProgramData\\\\WebEx\\\\webex\\\\*\", \n \"?:\\\\Windows\\\\LTSvc\\\\LTSVC.exe\") and \n not winlog.event_data.CallTrace : (\"*mpengine.dll*\", \"*appresolver.dll*\", \"*sysmain.dll*\") \n", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": 
false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 47, "rule_id": "128468bf-cab1-4637-99ea-fdf3780a4609", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "128468bf-cab1-4637-99ea-fdf3780a4609_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b.json b/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b.json deleted file mode 100644 index 4d8252a4e54..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects when a service account or node attempts to enumerate their own permissions via the selfsubjectaccessreview or selfsubjectrulesreview APIs. This is highly unusual behavior for non-human identities like service accounts and nodes. An adversary may have gained access to credentials/tokens and this could be an attempt to determine what privileges they have to facilitate further movement or execution within the cluster.", "false_positives": ["An administrator may submit this request as an \"impersonatedUser\" to determine what privileges a particular service account has been granted. However, an adversary may utilize the same technique as a means to determine the privileges of another token other than that of the compromised account."], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Suspicious Self-Subject Review", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb:\"create\"\n and kubernetes.audit.objectRef.resource:(\"selfsubjectaccessreviews\" or \"selfsubjectrulesreviews\")\n and (kubernetes.audit.user.username:(system\\:serviceaccount\\:* or system\\:node\\:*)\n or kubernetes.audit.impersonatedUser.username:(system\\:serviceaccount\\:* or system\\:node\\:*))\n", "references": ["https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms", "https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/detecting-identity-attacks-in-kubernetes/ba-p/3232340"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": 
"event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.impersonatedUser.username", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.user.username", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "keyword"}], "risk_score": 47, "rule_id": "12a2f15d-597e-4334-88ff-38a02cb1330b", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1613", "name": "Container and Resource Discovery", "reference": "https://attack.mitre.org/techniques/T1613/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 203}, "id": "12a2f15d-597e-4334-88ff-38a02cb1330b", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_201.json b/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_201.json deleted file mode 100644 index 68d5a5a1d9b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_201.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects when a service account or node attempts to enumerate their own permissions via the selfsubjectaccessreview or selfsubjectrulesreview APIs. This is highly unusual behavior for non-human identities like service accounts and nodes. An adversary may have gained access to credentials/tokens and this could be an attempt to determine what privileges they have to facilitate further movement or execution within the cluster.", "false_positives": ["An administrator may submit this request as an \"impersonatedUser\" to determine what privileges a particular service account has been granted. However, an adversary may utilize the same technique as a means to determine the privileges of another token other than that of the compromised account."], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Suspicious Self-Subject Review", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb:\"create\"\n and kubernetes.audit.objectRef.resource:(\"selfsubjectaccessreviews\" or \"selfsubjectrulesreviews\")\n and (kubernetes.audit.user.username:(system\\:serviceaccount\\:* or system\\:node\\:*)\n or kubernetes.audit.impersonatedUser.username:(system\\:serviceaccount\\:* or system\\:node\\:*))\n", "references": ["https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms", "https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/detecting-identity-attacks-in-kubernetes/ba-p/3232340"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": 
"event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.impersonatedUser.username", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.user.username", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "unknown"}], "risk_score": 47, "rule_id": "12a2f15d-597e-4334-88ff-38a02cb1330b", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Kubernetes", "Continuous Monitoring", "Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1613", "name": "Container and Resource Discovery", "reference": "https://attack.mitre.org/techniques/T1613/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 201}, "id": "12a2f15d-597e-4334-88ff-38a02cb1330b_201", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_202.json b/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_202.json deleted file mode 100644 index dda0b8f80ce..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12a2f15d-597e-4334-88ff-38a02cb1330b_202.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects when a service account or node attempts to enumerate their own permissions via the selfsubjectaccessreview or selfsubjectrulesreview APIs. This is highly unusual behavior for non-human identities like service accounts and nodes. An adversary may have gained access to credentials/tokens and this could be an attempt to determine what privileges they have to facilitate further movement or execution within the cluster.", "false_positives": ["An administrator may submit this request as an \"impersonatedUser\" to determine what privileges a particular service account has been granted. However, an adversary may utilize the same technique as a means to determine the privileges of another token other than that of the compromised account."], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Suspicious Self-Subject Review", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb:\"create\"\n and kubernetes.audit.objectRef.resource:(\"selfsubjectaccessreviews\" or \"selfsubjectrulesreviews\")\n and (kubernetes.audit.user.username:(system\\:serviceaccount\\:* or system\\:node\\:*)\n or kubernetes.audit.impersonatedUser.username:(system\\:serviceaccount\\:* or system\\:node\\:*))\n", "references": ["https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms", "https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/detecting-identity-attacks-in-kubernetes/ba-p/3232340"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": 
"event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.impersonatedUser.username", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.user.username", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "unknown"}], "risk_score": 47, "rule_id": "12a2f15d-597e-4334-88ff-38a02cb1330b", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1613", "name": "Container and Resource Discovery", "reference": "https://attack.mitre.org/techniques/T1613/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 202}, "id": "12a2f15d-597e-4334-88ff-38a02cb1330b_202", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e.json b/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e.json deleted file mode 100644 index 6b034339d2c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rules detects an attempt to create or modify a pod attached to the host network. HostNetwork allows a pod to use the node network namespace. Doing so gives the pod access to any service running on localhost of the host. An attacker could use this access to snoop on network activity of other pods on the same node or bypass restrictive network policies applied to its given namespace.", "false_positives": ["An administrator or developer may want to use a pod that runs as root and shares the hosts IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\""], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Pod Created With HostNetwork", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.hostNetwork:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", "references": ["https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces", "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": 
"keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.image", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.hostNetwork", "type": "boolean"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "keyword"}], "risk_score": 47, "rule_id": "12cbf709-69e8-4055-94f9-24314385c27e", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1610", "name": "Deploy Container", "reference": "https://attack.mitre.org/techniques/T1610/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 204}, "id": "12cbf709-69e8-4055-94f9-24314385c27e", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_201.json b/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_201.json deleted file mode 100644 index 08750f8e755..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_201.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rules detects an attempt to create or modify a pod attached to the host network. HostNetwork allows a pod to use the node network namespace. Doing so gives the pod access to any service running on localhost of the host. An attacker could use this access to snoop on network activity of other pods on the same node or bypass restrictive network policies applied to its given namespace.", "false_positives": ["An administrator or developer may want to use a pod that runs as root and shares the hosts IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\""], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Pod Created With HostNetwork", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.hostNetwork:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", "references": ["https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces", "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": 
"keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.image", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.hostNetwork", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "unknown"}], "risk_score": 47, "rule_id": "12cbf709-69e8-4055-94f9-24314385c27e", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1610", "name": "Deploy Container", "reference": "https://attack.mitre.org/techniques/T1610/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 201}, "id": "12cbf709-69e8-4055-94f9-24314385c27e_201", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_202.json b/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_202.json deleted file mode 100644 index ad91e9739f1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_202.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rules detects an attempt to create or modify a pod attached to the host network. HostNetwork allows a pod to use the node network namespace. Doing so gives the pod access to any service running on localhost of the host. An attacker could use this access to snoop on network activity of other pods on the same node or bypass restrictive network policies applied to its given namespace.", "false_positives": ["An administrator or developer may want to use a pod that runs as root and shares the hosts IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\""], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Pod Created With HostNetwork", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.hostNetwork:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", "references": ["https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces", "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": 
"keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.image", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.hostNetwork", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "unknown"}], "risk_score": 47, "rule_id": "12cbf709-69e8-4055-94f9-24314385c27e", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1610", "name": "Deploy Container", "reference": "https://attack.mitre.org/techniques/T1610/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 202}, "id": "12cbf709-69e8-4055-94f9-24314385c27e_202", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_203.json b/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_203.json deleted file mode 100644 index 7f227d7cb2d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12cbf709-69e8-4055-94f9-24314385c27e_203.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rules detects an attempt to create or modify a pod attached to the host network. HostNetwork allows a pod to use the node network namespace. Doing so gives the pod access to any service running on localhost of the host. An attacker could use this access to snoop on network activity of other pods on the same node or bypass restrictive network policies applied to its given namespace.", "false_positives": ["An administrator or developer may want to use a pod that runs as root and shares the hosts IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\""], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Pod Created With HostNetwork", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.hostNetwork:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", "references": ["https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces", "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": 
"keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.image", "type": "text"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.hostNetwork", "type": "boolean"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "keyword"}], "risk_score": 47, "rule_id": "12cbf709-69e8-4055-94f9-24314385c27e", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1610", "name": "Deploy Container", "reference": "https://attack.mitre.org/techniques/T1610/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 203}, "id": "12cbf709-69e8-4055-94f9-24314385c27e_203", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12de29d4-bbb0-4eef-b687-857e8a163870.json b/packages/security_detection_engine/kibana/security_rule/12de29d4-bbb0-4eef-b687-857e8a163870.json deleted file mode 100644 index 7a2235d632d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12de29d4-bbb0-4eef-b687-857e8a163870.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may leverage unquoted service path vulnerabilities to escalate privileges. By placing an executable in a higher-level directory within the path of an unquoted service executable, Windows will natively launch this executable from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution.", "from": "now-9m", "index": ["logs-endpoint.events.process-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Exploitation of an Unquoted Service Path Vulnerability", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and \n (\n process.executable : \"?:\\\\Program.exe\" or \n process.executable regex \"\"\"(C:\\\\Program Files \\(x86\\)\\\\|C:\\\\Program Files\\\\)\\w+.exe\"\"\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "12de29d4-bbb0-4eef-b687-857e8a163870", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.009", "name": "Path Interception by Unquoted Path", "reference": "https://attack.mitre.org/techniques/T1574/009/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "12de29d4-bbb0-4eef-b687-857e8a163870", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/12de29d4-bbb0-4eef-b687-857e8a163870_1.json b/packages/security_detection_engine/kibana/security_rule/12de29d4-bbb0-4eef-b687-857e8a163870_1.json deleted file mode 100644 index db0900cab44..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12de29d4-bbb0-4eef-b687-857e8a163870_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Adversaries may leverage unquoted service path vulnerabilities to escalate privileges. By placing an executable in a higher-level directory within the path of an unquoted service executable, Windows will natively launch this executable from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Exploitation of an Unquoted Service Path Vulnerability", "query": "process where event.type == \"start\" and \n (\n process.executable : \"?:\\\\Program.exe\" or \n process.executable regex \"\"\"(C:\\\\Program Files \\(x86\\)\\\\|C:\\\\Program Files\\\\)\\w+.exe\"\"\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "12de29d4-bbb0-4eef-b687-857e8a163870", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.009", "name": "Path Interception by Unquoted Path", "reference": "https://attack.mitre.org/techniques/T1574/009/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "12de29d4-bbb0-4eef-b687-857e8a163870_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/12de29d4-bbb0-4eef-b687-857e8a163870_2.json b/packages/security_detection_engine/kibana/security_rule/12de29d4-bbb0-4eef-b687-857e8a163870_2.json deleted file mode 100644 index 5fda2a7ee72..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12de29d4-bbb0-4eef-b687-857e8a163870_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Adversaries may leverage unquoted service path vulnerabilities to escalate privileges. By placing an executable in a higher-level directory within the path of an unquoted service executable, Windows will natively launch this executable from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Exploitation of an Unquoted Service Path Vulnerability", "query": "process where event.type == \"start\" and \n (\n process.executable : \"?:\\\\Program.exe\" or \n process.executable regex \"\"\"(C:\\\\Program Files \\(x86\\)\\\\|C:\\\\Program Files\\\\)\\w+.exe\"\"\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "12de29d4-bbb0-4eef-b687-857e8a163870", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.009", "name": "Path Interception by Unquoted Path", "reference": "https://attack.mitre.org/techniques/T1574/009/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "12de29d4-bbb0-4eef-b687-857e8a163870_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/12de29d4-bbb0-4eef-b687-857e8a163870_3.json b/packages/security_detection_engine/kibana/security_rule/12de29d4-bbb0-4eef-b687-857e8a163870_3.json deleted file mode 100644 index 3893261232e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12de29d4-bbb0-4eef-b687-857e8a163870_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may leverage unquoted service path vulnerabilities to escalate privileges. By placing an executable in a higher-level directory within the path of an unquoted service executable, Windows will natively launch this executable from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution.", "from": "now-9m", "index": ["logs-endpoint.events.process-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Exploitation of an Unquoted Service Path Vulnerability", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and \n (\n process.executable : \"?:\\\\Program.exe\" or \n process.executable regex \"\"\"(C:\\\\Program Files \\(x86\\)\\\\|C:\\\\Program Files\\\\)\\w+.exe\"\"\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "12de29d4-bbb0-4eef-b687-857e8a163870", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.009", "name": "Path Interception by Unquoted Path", "reference": "https://attack.mitre.org/techniques/T1574/009/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "12de29d4-bbb0-4eef-b687-857e8a163870_3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a.json b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a.json deleted file mode 100644 index d8d6744fb81..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Cmd Execution via WMI", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2>&1\", \"1>\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}, {"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "12f07955-1674-44f7-86b5-c35da0a6f41a", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_104.json b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_104.json deleted file mode 100644 index ed90477df33..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Cmd Execution via WMI", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2>&1\", \"1>\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": 
"12f07955-1674-44f7-86b5-c35da0a6f41a_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_105.json b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_105.json deleted file mode 100644 index 15c59186478..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Cmd Execution via WMI", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2>&1\", \"1>\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", 
"version": 105}, "id": "12f07955-1674-44f7-86b5-c35da0a6f41a_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_106.json b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_106.json deleted file mode 100644 index dccc1d725f4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Cmd Execution via WMI", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2>&1\", \"1>\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 106}, "id": "12f07955-1674-44f7-86b5-c35da0a6f41a_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_107.json b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_107.json deleted file mode 100644 index 01d5c00bd01..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Cmd Execution via WMI", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2>&1\", \"1>\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}, {"id": "T1059", "name": "Command 
and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "12f07955-1674-44f7-86b5-c35da0a6f41a_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_108.json b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_108.json deleted file mode 100644 index cacccf16d9f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Cmd Execution via WMI", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2>&1\", \"1>\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": 
"https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}, {"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "12f07955-1674-44f7-86b5-c35da0a6f41a_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_109.json b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_109.json deleted file mode 100644 index db6d1d4b950..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Cmd Execution via WMI", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2>&1\", \"1>\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": 
"Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}, {"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "12f07955-1674-44f7-86b5-c35da0a6f41a_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_110.json b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_110.json deleted file mode 100644 index 020d383623b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Cmd Execution via WMI", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2>&1\", \"1>\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}, {"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "12f07955-1674-44f7-86b5-c35da0a6f41a_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_111.json b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_111.json deleted file mode 100644 index 8df4db7ff54..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Cmd Execution via WMI", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2>&1\", \"1>\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}, {"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "12f07955-1674-44f7-86b5-c35da0a6f41a_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_112.json b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_112.json deleted file mode 100644 index 7f14939cdb0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_112.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Cmd Execution via WMI", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2>&1\", \"1>\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}, {"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "12f07955-1674-44f7-86b5-c35da0a6f41a_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_113.json b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_113.json deleted file mode 100644 index 5c447ae3f8d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_113.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Cmd Execution via WMI", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2>&1\", \"1>\")\n", "references": ["https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper", "https://www.elastic.co/security-labs/operation-bleeding-bear"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: 
Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}, {"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "12f07955-1674-44f7-86b5-c35da0a6f41a_113", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_313.json b/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_313.json deleted file mode 100644 index 8aaf9276442..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/12f07955-1674-44f7-86b5-c35da0a6f41a_313.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Cmd Execution via WMI", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"WmiPrvSE.exe\" and process.name : \"cmd.exe\" and\n process.args : \"\\\\\\\\127.0.0.1\\\\*\" and process.args : (\"2>&1\", \"1>\")\n", "references": ["https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper", "https://www.elastic.co/security-labs/operation-bleeding-bear"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "12f07955-1674-44f7-86b5-c35da0a6f41a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}, {"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 313}, "id": "12f07955-1674-44f7-86b5-c35da0a6f41a_313", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92.json b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92.json deleted file mode 100644 index ed213f765b2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.", "false_positives": ["Legitimate scheduled jobs may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Scheduled Job Creation", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\*\" and file.extension : \"job\" and\n not (\n (\n process.executable : \"?:\\\\Program Files\\\\CCleaner\\\\CCleaner64.exe\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\CCleanerCrashReporting.job\"\n ) or\n (\n process.executable : (\n \"?:\\\\Program Files (x86)\\\\ManageEngine\\\\UEMS_Agent\\\\bin\\\\dcagentregister.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcagentregister.exe\"\n ) and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\DCAgentUpdater.job\"\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default 
fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 310}, "id": "1327384f-00f3-44d5-9a8c-2373ba071e92", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_102.json b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_102.json deleted file mode 100644 index db1ff17ad5c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.", "false_positives": ["Legitimate scheduled jobs may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Scheduled Job Creation", "note": "", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\*\" and file.extension : \"job\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": 
"https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "1327384f-00f3-44d5-9a8c-2373ba071e92_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_103.json b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_103.json deleted file mode 100644 index c4f50ca983b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.", "false_positives": ["Legitimate scheduled jobs may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Scheduled Job Creation", "note": "", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\*\" and file.extension : \"job\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", 
"reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "1327384f-00f3-44d5-9a8c-2373ba071e92_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_104.json b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_104.json deleted file mode 100644 index 457ff354702..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.", "false_positives": ["Legitimate scheduled jobs may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Scheduled Job Creation", "note": "", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\*\" and file.extension : \"job\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", 
"name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "1327384f-00f3-44d5-9a8c-2373ba071e92_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_105.json b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_105.json deleted file mode 100644 index 32f4ba4715d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.", "false_positives": ["Legitimate scheduled jobs may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Scheduled Job Creation", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\*\" and file.extension : \"job\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "1327384f-00f3-44d5-9a8c-2373ba071e92_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_106.json b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_106.json deleted file mode 100644 index 91ac235681a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.", "false_positives": ["Legitimate scheduled jobs may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Scheduled Job Creation", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\*\" and file.extension : \"job\" and\n not (\n (\n process.executable : \"?:\\\\Program Files\\\\CCleaner\\\\CCleaner64.exe\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\CCleanerCrashReporting.job\"\n ) or\n (\n process.executable : (\n \"?:\\\\Program Files (x86)\\\\ManageEngine\\\\UEMS_Agent\\\\bin\\\\dcagentregister.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcagentregister.exe\"\n ) and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\DCAgentUpdater.job\"\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom 
ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "1327384f-00f3-44d5-9a8c-2373ba071e92_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_107.json b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_107.json deleted file mode 100644 index e22bfaf91d7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.", "false_positives": ["Legitimate scheduled jobs may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Scheduled Job Creation", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\*\" and file.extension : \"job\" and\n not (\n (\n process.executable : \"?:\\\\Program Files\\\\CCleaner\\\\CCleaner64.exe\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\CCleanerCrashReporting.job\"\n ) or\n (\n process.executable : (\n \"?:\\\\Program Files (x86)\\\\ManageEngine\\\\UEMS_Agent\\\\bin\\\\dcagentregister.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcagentregister.exe\"\n ) and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\DCAgentUpdater.job\"\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users 
will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "1327384f-00f3-44d5-9a8c-2373ba071e92_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_108.json b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_108.json deleted file mode 100644 index 2f860edba19..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.", "false_positives": ["Legitimate scheduled jobs may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Scheduled Job Creation", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\*\" and file.extension : \"job\" and\n not (\n (\n process.executable : \"?:\\\\Program Files\\\\CCleaner\\\\CCleaner64.exe\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\CCleanerCrashReporting.job\"\n ) or\n (\n process.executable : (\n \"?:\\\\Program Files (x86)\\\\ManageEngine\\\\UEMS_Agent\\\\bin\\\\dcagentregister.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcagentregister.exe\"\n ) and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\DCAgentUpdater.job\"\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, 
users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "1327384f-00f3-44d5-9a8c-2373ba071e92_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_209.json b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_209.json deleted file mode 100644 index 2783ad273f3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_209.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.", "false_positives": ["Legitimate scheduled jobs may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Scheduled Job Creation", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\*\" and file.extension : \"job\" and\n not (\n (\n process.executable : \"?:\\\\Program Files\\\\CCleaner\\\\CCleaner64.exe\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\CCleanerCrashReporting.job\"\n ) or\n (\n process.executable : (\n \"?:\\\\Program Files (x86)\\\\ManageEngine\\\\UEMS_Agent\\\\bin\\\\dcagentregister.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcagentregister.exe\"\n ) and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\DCAgentUpdater.job\"\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default 
fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 209}, "id": "1327384f-00f3-44d5-9a8c-2373ba071e92_209", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_310.json b/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_310.json deleted file mode 100644 index 0722cb824a2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1327384f-00f3-44d5-9a8c-2373ba071e92_310.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A job can be used to schedule programs or scripts to be executed at a specified date and time. Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code.", "false_positives": ["Legitimate scheduled jobs may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Scheduled Job Creation", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\*\" and file.extension : \"job\" and\n not (\n (\n process.executable : \"?:\\\\Program Files\\\\CCleaner\\\\CCleaner64.exe\" and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\CCleanerCrashReporting.job\"\n ) or\n (\n process.executable : (\n \"?:\\\\Program Files (x86)\\\\ManageEngine\\\\UEMS_Agent\\\\bin\\\\dcagentregister.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcagentregister.exe\"\n ) and\n file.path : \"?:\\\\Windows\\\\Tasks\\\\DCAgentUpdater.job\"\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "1327384f-00f3-44d5-9a8c-2373ba071e92", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default 
fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 310}, "id": "1327384f-00f3-44d5-9a8c-2373ba071e92_310", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a.json b/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a.json deleted file mode 100644 index dc7f50a69fa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user has left the organization) that becomes active may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application.", "false_positives": ["User accounts that are rarely active, such as a site reliability engineer (SRE) or developer logging into a production server for troubleshooting, may trigger this alert. Under some conditions, a newly created user account may briefly trigger this alert while the model is learning."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "auth_rare_user", "name": "Rare User Logon", "note": "## Triage and analysis\n\n### Investigating Rare User Logon\n\nThis rule uses a machine learning job to detect an unusual user name in authentication logs, which could detect new accounts created for persistence.\n\n#### Possible investigation steps\n\n- Check if the user was newly created and if the company policies were followed.\n - Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the involved users during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Accounts that are used for specific purposes \u2014 and therefore not normally active \u2014 may trigger the alert.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised 
or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}], "risk_score": 21, "rule_id": "138c5dd5-838b-446e-b1ac-c995c7f8108a", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n- System\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n\n### System Integration Setup\nThe System integration allows you to collect system logs and metrics from your servers with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"system\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cSystem\u201d and select the integration to see more details about it.\n- Click \u201cAdd System\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201csystem\u201d to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).\n", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}, {"id": "T1078.003", "name": "Local Accounts", "reference": 
"https://attack.mitre.org/techniques/T1078/003/"}]}]}], "type": "machine_learning", "version": 105}, "id": "138c5dd5-838b-446e-b1ac-c995c7f8108a", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_102.json b/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_102.json
deleted file mode 100644
index f5770b0eb8e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user has left the organization) that becomes active may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application.", "false_positives": ["User accounts that are rarely active, such as a site reliability engineer (SRE) or developer logging into a production server for troubleshooting, may trigger this alert. Under some conditions, a newly created user account may briefly trigger this alert while the model is learning."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "auth_rare_user", "name": "Rare User Logon", "note": "## Triage and analysis\n\n### Investigating Rare User Logon\n\nThis rule uses a machine learning job to detect an unusual user name in authentication logs, which could detect new accounts created for persistence.\n\n#### Possible investigation steps\n\n- Check if the user was newly created and if the company policies were followed.\n - Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the involved users during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Accounts that are used for specific purposes \u2014 and therefore not normally active \u2014 may trigger the alert.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised 
or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "138c5dd5-838b-446e-b1ac-c995c7f8108a", "severity": "low", "tags": ["Elastic", "Authentication", "Threat Detection", "ML", "Machine Learning", "Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}, {"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "type": "machine_learning", "version": 102}, "id": "138c5dd5-838b-446e-b1ac-c995c7f8108a_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_103.json b/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_103.json
deleted file mode 100644
index 63c4b1f2db4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user has left the organization) that becomes active may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application.", "false_positives": ["User accounts that are rarely active, such as a site reliability engineer (SRE) or developer logging into a production server for troubleshooting, may trigger this alert. Under some conditions, a newly created user account may briefly trigger this alert while the model is learning."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "auth_rare_user", "name": "Rare User Logon", "note": "## Triage and analysis\n\n### Investigating Rare User Logon\n\nThis rule uses a machine learning job to detect an unusual user name in authentication logs, which could detect new accounts created for persistence.\n\n#### Possible investigation steps\n\n- Check if the user was newly created and if the company policies were followed.\n - Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the involved users during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Accounts that are used for specific purposes \u2014 and therefore not normally active \u2014 may trigger the alert.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised 
or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "138c5dd5-838b-446e-b1ac-c995c7f8108a", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}, {"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "type": "machine_learning", "version": 103}, "id": "138c5dd5-838b-446e-b1ac-c995c7f8108a_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_104.json b/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_104.json
deleted file mode 100644
index 84656643daf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/138c5dd5-838b-446e-b1ac-c995c7f8108a_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job found an unusual user name in the authentication logs. An unusual user name is one way of detecting credentialed access by means of a new or dormant user account. An inactive user account (because the user has left the organization) that becomes active may be due to credentialed access using a compromised account password. Threat actors will sometimes also create new users as a means of persisting in a compromised web application.", "false_positives": ["User accounts that are rarely active, such as a site reliability engineer (SRE) or developer logging into a production server for troubleshooting, may trigger this alert. Under some conditions, a newly created user account may briefly trigger this alert while the model is learning."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "auth_rare_user", "name": "Rare User Logon", "note": "## Triage and analysis\n\n### Investigating Rare User Logon\n\nThis rule uses a machine learning job to detect an unusual user name in authentication logs, which could detect new accounts created for persistence.\n\n#### Possible investigation steps\n\n- Check if the user was newly created and if the company policies were followed.\n - Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the involved users during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Accounts that are used for specific purposes \u2014 and therefore not normally active \u2014 may trigger the alert.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised 
or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}], "risk_score": 21, "rule_id": "138c5dd5-838b-446e-b1ac-c995c7f8108a", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}, {"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "type": "machine_learning", "version": 104}, "id": "138c5dd5-838b-446e-b1ac-c995c7f8108a_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1397e1b9-0c90-4d24-8d7b-80598eb9bc9a.json b/packages/security_detection_engine/kibana/security_rule/1397e1b9-0c90-4d24-8d7b-80598eb9bc9a.json
deleted file mode 100644
index 79e131beec9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1397e1b9-0c90-4d24-8d7b-80598eb9bc9a.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a high number (20) of file creation event by the System virtual process from the same host and with same file name containing keywords similar to ransomware note files and all within a short time period.", "from": "now-9m", "index": ["logs-endpoint.events.file-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Ransomware Behavior - High count of Readme files by System", "note": "## Triage and analysis\n\n#### Possible investigation steps\n\n- Investigate the content of the readme files.\n- Investigate any file names with unusual extensions.\n- Investigate any incoming network connection to port 445 on this host.\n- Investigate any network logon events to this host.\n- Identify the total number and type of modified files by pid 4.\n- If the number of files is too high and source.ip connecting over SMB is unusual isolate the host and block the used credentials.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Local file modification from a Kernel mode driver.\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n- Potential Ransomware Note File Dropped via SMB - 02bab13d-fb14-4d7c-b6fe-4a28874d37c5\n- Suspicious File Renamed via SMB - 78e9b5d5-7c07-40a7-a591-3dbbf464c386\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or 
used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:file and host.os.type:windows and process.pid:4 and event.action:creation and\n file.name:(*read*me* or *README* or *lock* or *LOCK* or *how*to* or *HOW*TO* or *@* or *recover* or *RECOVER* or *decrypt* or *DECRYPT* or *restore* or *RESTORE* or *FILES_BACK* or *files_back*)\n", "references": ["https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 73, "rule_id": "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": 
"T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "threshold": {"field": ["host.id", "file.name"], "value": 20}, "timestamp_override": "event.ingested", "type": "threshold", "version": 2}, "id": "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1397e1b9-0c90-4d24-8d7b-80598eb9bc9a_1.json b/packages/security_detection_engine/kibana/security_rule/1397e1b9-0c90-4d24-8d7b-80598eb9bc9a_1.json
deleted file mode 100644
index 0584b4dd8d8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1397e1b9-0c90-4d24-8d7b-80598eb9bc9a_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a high number (20) of file creation event by the System virtual process from the same host and with same file name containing keywords similar to ransomware note files and all within a short time period.", "from": "now-1m", "index": ["logs-endpoint.events.file-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Ransomware Behavior - High count of Readme files by System", "note": "## Triage and analysis\n\n#### Possible investigation steps\n\n- Investigate the content of the readme files.\n- Investigate any file names with unusual extensions.\n- Investigate any incoming network connection to port 445 on this host.\n- Investigate any network logon events to this host.\n- Identify the total number and type of modified files by pid 4.\n- If the number of files is too high and source.ip connecting over SMB is unusual isolate the host and block the used credentials.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Local file modification from a Kernel mode driver.\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n- Potential Ransomware Note File Dropped via SMB - 02bab13d-fb14-4d7c-b6fe-4a28874d37c5\n- Suspicious File Renamed via SMB - 78e9b5d5-7c07-40a7-a591-3dbbf464c386\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or 
used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:file and host.os.type:windows and process.pid:4 and event.action:creation and\n file.name:(*read*me* or *README* or *lock* or *LOCK* or *how*to* or *HOW*TO* or *@* or *recover* or *RECOVER* or *decrypt* or *DECRYPT* or *restore* or *RESTORE* or *FILES_BACK* or *files_back*)\n", "references": ["https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 73, "rule_id": "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": 
"T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "threshold": {"field": ["host.id", "file.name"], "value": 20}, "timestamp_override": "event.ingested", "type": "threshold", "version": 1}, "id": "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1397e1b9-0c90-4d24-8d7b-80598eb9bc9a_107.json b/packages/security_detection_engine/kibana/security_rule/1397e1b9-0c90-4d24-8d7b-80598eb9bc9a_107.json
deleted file mode 100644
index ebbffd268db..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1397e1b9-0c90-4d24-8d7b-80598eb9bc9a_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a high number (20) of file creation event by the System virtual process from the same host and with same file name containing keywords similar to ransomware note files and all within a short time period.", "from": "now-9m", "index": ["logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Ransomware Behavior - High count of Readme files by System", "note": "## Triage and analysis\n\n#### Possible investigation steps\n\n- Investigate the content of the readme files.\n- Investigate any file names with unusual extensions.\n- Investigate any incoming network connection to port 445 on this host.\n- Investigate any network logon events to this host.\n- Identify the total number and type of modified files by pid 4.\n- If the number of files is too high and source.ip connecting over SMB is unusual isolate the host and block the used credentials.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Local file modification from a Kernel mode driver.\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n- Potential Ransomware Note File Dropped via SMB - 02bab13d-fb14-4d7c-b6fe-4a28874d37c5\n- Suspicious File Renamed via SMB - 78e9b5d5-7c07-40a7-a591-3dbbf464c386\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent 
destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:file and host.os.type:windows and process.pid:4 and event.action:creation and\n file.name:(*read*me* or *README* or *lock* or *LOCK* or *how*to* or *HOW*TO* or *@* or *recover* or *RECOVER* or *decrypt* or *DECRYPT* or *restore* or *RESTORE* or *FILES_BACK* or *files_back*)\n", "references": ["https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 73, "rule_id": "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a", "severity": "high", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "threshold": {"field": ["host.id", "file.name"], "value": 20}, "timestamp_override": "event.ingested", "type": "threshold", "version": 107}, "id": "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1397e1b9-0c90-4d24-8d7b-80598eb9bc9a_2.json b/packages/security_detection_engine/kibana/security_rule/1397e1b9-0c90-4d24-8d7b-80598eb9bc9a_2.json
deleted file mode 100644
index 2feb3483334..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1397e1b9-0c90-4d24-8d7b-80598eb9bc9a_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a high number (20) of file creation event by the System virtual process from the same host and with same file name containing keywords similar to ransomware note files and all within a short time period.", "from": "now-9m", "index": ["logs-endpoint.events.file-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Ransomware Behavior - High count of Readme files by System", "note": "## Triage and analysis\n\n#### Possible investigation steps\n\n- Investigate the content of the readme files.\n- Investigate any file names with unusual extensions.\n- Investigate any incoming network connection to port 445 on this host.\n- Investigate any network logon events to this host.\n- Identify the total number and type of modified files by pid 4.\n- If the number of files is too high and source.ip connecting over SMB is unusual isolate the host and block the used credentials.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Local file modification from a Kernel mode driver.\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n- Potential Ransomware Note File Dropped via SMB - 02bab13d-fb14-4d7c-b6fe-4a28874d37c5\n- Suspicious File Renamed via SMB - 78e9b5d5-7c07-40a7-a591-3dbbf464c386\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or 
used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:file and host.os.type:windows and process.pid:4 and event.action:creation and\n file.name:(*read*me* or *README* or *lock* or *LOCK* or *how*to* or *HOW*TO* or *@* or *recover* or *RECOVER* or *decrypt* or *DECRYPT* or *restore* or *RESTORE* or *FILES_BACK* or *files_back*)\n", "references": ["https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 73, "rule_id": "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": 
"T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "threshold": {"field": ["host.id", "file.name"], "value": 20}, "timestamp_override": "event.ingested", "type": "threshold", "version": 2}, "id": "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1397e1b9-0c90-4d24-8d7b-80598eb9bc9a_5.json b/packages/security_detection_engine/kibana/security_rule/1397e1b9-0c90-4d24-8d7b-80598eb9bc9a_5.json
deleted file mode 100644
index b4f9e800ba3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1397e1b9-0c90-4d24-8d7b-80598eb9bc9a_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a high number (20) of file creation event by the System virtual process from the same host and with same file name containing keywords similar to ransomware note files and all within a short time period.", "from": "now-9m", "index": ["logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Ransomware Behavior - High count of Readme files by System", "note": "## Triage and analysis\n\n#### Possible investigation steps\n\n- Investigate the content of the readme files.\n- Investigate any file names with unusual extensions.\n- Investigate any incoming network connection to port 445 on this host.\n- Investigate any network logon events to this host.\n- Identify the total number and type of modified files by pid 4.\n- If the number of files is too high and source.ip connecting over SMB is unusual isolate the host and block the used credentials.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Local file modification from a Kernel mode driver.\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n- Potential Ransomware Note File Dropped via SMB - 02bab13d-fb14-4d7c-b6fe-4a28874d37c5\n- Suspicious File Renamed via SMB - 78e9b5d5-7c07-40a7-a591-3dbbf464c386\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent 
destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:file and host.os.type:windows and process.pid:4 and event.action:creation and\n file.name:(*read*me* or *README* or *lock* or *LOCK* or *how*to* or *HOW*TO* or *@* or *recover* or *RECOVER* or *decrypt* or *DECRYPT* or *restore* or *RESTORE* or *FILES_BACK* or *files_back*)\n", "references": ["https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 73, "rule_id": "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a", "severity": "high", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "threshold": {"field": ["host.id", "file.name"], "value": 20}, "timestamp_override": "event.ingested", "type": "threshold", "version": 5}, "id": "1397e1b9-0c90-4d24-8d7b-80598eb9bc9a_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad.json b/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad.json
deleted file mode 100644
index 3fabed20d2c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.", "from": "now-10m", "index": ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity", "query": "process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : (\"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*\", \"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*\")\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "blocklist_label", "type": "unknown"}, {"ecs": false, "name": "problemchild.prediction", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 21, "rule_id": "13e908b9-7bf0-4235-abc9-b5deb500d0ad", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\n", "severity": "low", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.004", "name": "Masquerade Task or Service", "reference": "https://attack.mitre.org/techniques/T1036/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "13e908b9-7bf0-4235-abc9-b5deb500d0ad", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_1.json b/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_1.json
deleted file mode 100644
index 4b8f2c22c92..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.", "from": "now-10m", "index": ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity", "note": "", "query": "process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : (\"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*\", \"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*\")\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "blocklist_label", "type": "unknown"}, {"ecs": false, "name": "problemchild.prediction", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 21, "rule_id": "13e908b9-7bf0-4235-abc9-b5deb500d0ad", "setup": "The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. 
Please refer to this rule's references for more information.", "severity": "low", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.004", "name": "Masquerade Task or Service", "reference": "https://attack.mitre.org/techniques/T1036/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "13e908b9-7bf0-4235-abc9-b5deb500d0ad_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_2.json b/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_2.json
deleted file mode 100644
index 3e51d57972a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.", "from": "now-10m", "index": ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity", "query": "process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : (\"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*\", \"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*\")\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "blocklist_label", "type": "unknown"}, {"ecs": false, "name": "problemchild.prediction", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 21, "rule_id": "13e908b9-7bf0-4235-abc9-b5deb500d0ad", "setup": "The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n", "severity": "low", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.004", "name": "Masquerade Task or Service", "reference": "https://attack.mitre.org/techniques/T1036/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "13e908b9-7bf0-4235-abc9-b5deb500d0ad_2", "type": 
"security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_3.json b/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_3.json
deleted file mode 100644
index 0ad61cec992..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.", "from": "now-10m", "index": ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity", "query": "process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : (\"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*\", \"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*\")\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "blocklist_label", "type": "unknown"}, {"ecs": false, "name": "problemchild.prediction", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 21, "rule_id": "13e908b9-7bf0-4235-abc9-b5deb500d0ad", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n", "severity": "low", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.004", "name": "Masquerade Task or Service", "reference": "https://attack.mitre.org/techniques/T1036/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "13e908b9-7bf0-4235-abc9-b5deb500d0ad_3", "type": 
"security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_4.json b/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_4.json
deleted file mode 100644
index 4008c80b354..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.", "from": "now-10m", "index": ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity", "query": "process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : (\"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*\", \"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*\")\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "blocklist_label", "type": "unknown"}, {"ecs": false, "name": "problemchild.prediction", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 21, "rule_id": "13e908b9-7bf0-4235-abc9-b5deb500d0ad", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\n**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle \"Include hidden indices\"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. 
Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n", "severity": "low", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.004", "name": "Masquerade Task or Service", "reference": "https://attack.mitre.org/techniques/T1036/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "13e908b9-7bf0-4235-abc9-b5deb500d0ad_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_5.json b/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_5.json
deleted file mode 100644
index 7bd26168ae2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.", "from": "now-10m", "index": ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity", "query": "process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : (\"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*\", \"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*\")\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "blocklist_label", "type": "unknown"}, {"ecs": false, "name": "problemchild.prediction", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 21, "rule_id": "13e908b9-7bf0-4235-abc9-b5deb500d0ad", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\n```\n", "severity": "low", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.004", "name": "Masquerade Task or Service", "reference": "https://attack.mitre.org/techniques/T1036/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "13e908b9-7bf0-4235-abc9-b5deb500d0ad_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_6.json b/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_6.json
deleted file mode 100644
index 9e8470e6e2f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.", "from": "now-10m", "index": ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity", "query": "process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : (\"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*\", \"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*\")\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "blocklist_label", "type": "unknown"}, {"ecs": false, "name": "problemchild.prediction", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 21, "rule_id": "13e908b9-7bf0-4235-abc9-b5deb500d0ad", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\n", "severity": "low", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.004", "name": "Masquerade Task or Service", "reference": "https://attack.mitre.org/techniques/T1036/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "13e908b9-7bf0-4235-abc9-b5deb500d0ad_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_7.json b/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_7.json
deleted file mode 100644
index b6c4eececd8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/13e908b9-7bf0-4235-abc9-b5deb500d0ad_7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.", "from": "now-10m", "index": ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity", "query": "process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : (\"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*\", \"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*\")\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "blocklist_label", "type": "unknown"}, {"ecs": false, "name": "problemchild.prediction", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 21, "rule_id": "13e908b9-7bf0-4235-abc9-b5deb500d0ad", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\n", "severity": "low", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.004", "name": "Masquerade Task or Service", "reference": "https://attack.mitre.org/techniques/T1036/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "13e908b9-7bf0-4235-abc9-b5deb500d0ad_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e.json b/packages/security_detection_engine/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e.json
deleted file mode 100644
index f5966305638..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice avoid creating guest users. Guest users could potentially be overlooked indefinitely leading to a potential vulnerability.", "false_positives": ["Guest user invitations may be sent out by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Guest user invitations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure External Guest User Invitation", "note": "", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Invite external user\" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0"], "related_integrations": [{"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword"}, {"ecs": false, "name": "azure.auditlogs.properties.target_resources.*.display_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "141e9b3a-ff37-4756-989d-05d7cbf35b0e", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: 
Azure", "Use Case: Identity and Access Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "141e9b3a-ff37-4756-989d-05d7cbf35b0e", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e_101.json b/packages/security_detection_engine/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e_101.json deleted file mode 100644 index ffae0dc669a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/141e9b3a-ff37-4756-989d-05d7cbf35b0e_101.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice avoid creating guest users. Guest users could potentially be overlooked indefinitely leading to a potential vulnerability.", "false_positives": ["Guest user invitations may be sent out by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Guest user invitations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure External Guest User Invitation", "note": "", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Invite external user\" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0"], "related_integrations": [{"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword"}, {"ecs": false, "name": "azure.auditlogs.properties.target_resources.*.display_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "141e9b3a-ff37-4756-989d-05d7cbf35b0e", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "Azure", 
"Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "141e9b3a-ff37-4756-989d-05d7cbf35b0e_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a.json b/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a.json deleted file mode 100644 index a5bd310de60..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "RPC (Remote Procedure Call) from the Internet", "query": "(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], 
"risk_score": 73, "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a", "severity": "high", "tags": ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "143cb236-0956-4f42-a706-814bcaa0cf5a", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_100.json b/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_100.json deleted file mode 100644 index e84b28fd1a1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_100.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", "from": "now-9m", "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "RPC (Remote Procedure Call) from the Internet", "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 73, "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a", "severity": "high", "tags": ["Elastic", "Host", "Network", 
"Threat Detection", "Initial Access", "Host"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 100}, "id": "143cb236-0956-4f42-a706-814bcaa0cf5a_100", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_101.json b/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_101.json deleted file mode 100644 index bc1df21837e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_101.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", "from": "now-9m", "index": ["packetbeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "RPC (Remote Procedure Call) from the Internet", "query": "event.dataset: network_traffic.flow and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 73, "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a", "severity": "high", "tags": ["Domain: Endpoint", "Use Case: Threat Detection", 
"Tactic: Initial Access", "Domain: Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "143cb236-0956-4f42-a706-814bcaa0cf5a_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_102.json b/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_102.json
deleted file mode 100644
index 9b56aa1f147..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_102.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", "from": "now-9m", "index": ["packetbeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "RPC (Remote Procedure Call) from the Internet", "query": "event.dataset: network_traffic.flow and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 73, "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a", "severity": "high", "tags": ["Tactic: Initial Access", "Domain: Endpoint", "Use 
Case: Threat Detection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "143cb236-0956-4f42-a706-814bcaa0cf5a_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_103.json b/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_103.json
deleted file mode 100644
index af1e59569d4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/143cb236-0956-4f42-a706-814bcaa0cf5a_103.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of RPC traffic from the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "RPC (Remote Procedure Call) from the Internet", "query": "(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], 
"risk_score": 73, "rule_id": "143cb236-0956-4f42-a706-814bcaa0cf5a", "severity": "high", "tags": ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "143cb236-0956-4f42-a706-814bcaa0cf5a_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/14dab405-5dd9-450c-8106-72951af2391f.json b/packages/security_detection_engine/kibana/security_rule/14dab405-5dd9-450c-8106-72951af2391f.json
deleted file mode 100644
index 256698d8c3f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/14dab405-5dd9-450c-8106-72951af2391f.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the Microsoft Office \"Office Test\" Registry key, a registry location that can be used to specify a DLL which will be executed every time an MS Office application is started. Attackers can abuse this to gain persistence on a compromised host.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*"], "language": "eql", "license": "Elastic License v2", "name": "Office Test Registry Persistence", "query": "registry where host.os.type == \"windows\" and event.action != \"deletion\" and\n registry.path : \"*\\\\Software\\\\Microsoft\\\\Office Test\\\\Special\\\\Perf\\\\*\"\n", "references": ["https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "14dab405-5dd9-450c-8106-72951af2391f", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1137", "name": "Office Application Startup", "reference": "https://attack.mitre.org/techniques/T1137/", "subtechnique": [{"id": "T1137.002", "name": "Office Test", "reference": "https://attack.mitre.org/techniques/T1137/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": 
"https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "14dab405-5dd9-450c-8106-72951af2391f", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/14dab405-5dd9-450c-8106-72951af2391f_1.json b/packages/security_detection_engine/kibana/security_rule/14dab405-5dd9-450c-8106-72951af2391f_1.json
deleted file mode 100644
index 234f251c734..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/14dab405-5dd9-450c-8106-72951af2391f_1.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the modification of the Microsoft Office \"Office Test\" Registry key, a registry location that can be used to specify a DLL which will be executed every time an MS Office application is started. Attackers can abuse this to gain persistence on a compromised host.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Office Test Registry Persistence", "query": "registry where host.os.type == \"windows\" and event.action != \"deletion\" and\n registry.path : \"*\\\\Software\\\\Microsoft\\\\Office Test\\\\Special\\\\Perf\\\\*\"\n", "references": ["https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "14dab405-5dd9-450c-8106-72951af2391f", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1137", "name": "Office Application Startup", "reference": "https://attack.mitre.org/techniques/T1137/", "subtechnique": [{"id": "T1137.002", "name": "Office Test", "reference": "https://attack.mitre.org/techniques/T1137/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "14dab405-5dd9-450c-8106-72951af2391f_1", "type": "security-rule"}
\ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/14dab405-5dd9-450c-8106-72951af2391f_2.json b/packages/security_detection_engine/kibana/security_rule/14dab405-5dd9-450c-8106-72951af2391f_2.json
deleted file mode 100644
index c354943f4f9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/14dab405-5dd9-450c-8106-72951af2391f_2.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the modification of the Microsoft Office \"Office Test\" Registry key, a registry location that can be used to specify a DLL which will be executed every time an MS Office application is started. Attackers can abuse this to gain persistence on a compromised host.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Office Test Registry Persistence", "query": "registry where host.os.type == \"windows\" and event.action != \"deletion\" and\n registry.path : \"*\\\\Software\\\\Microsoft\\\\Office Test\\\\Special\\\\Perf\\\\*\"\n", "references": ["https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "14dab405-5dd9-450c-8106-72951af2391f", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1137", "name": "Office Application Startup", "reference": "https://attack.mitre.org/techniques/T1137/", "subtechnique": [{"id": "T1137.002", "name": "Office Test", "reference": "https://attack.mitre.org/techniques/T1137/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": 
"Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "14dab405-5dd9-450c-8106-72951af2391f_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/14dab405-5dd9-450c-8106-72951af2391f_3.json b/packages/security_detection_engine/kibana/security_rule/14dab405-5dd9-450c-8106-72951af2391f_3.json
deleted file mode 100644
index 60745db3bd5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/14dab405-5dd9-450c-8106-72951af2391f_3.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the Microsoft Office \"Office Test\" Registry key, a registry location that can be used to specify a DLL which will be executed every time an MS Office application is started. Attackers can abuse this to gain persistence on a compromised host.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*"], "language": "eql", "license": "Elastic License v2", "name": "Office Test Registry Persistence", "query": "registry where host.os.type == \"windows\" and event.action != \"deletion\" and\n registry.path : \"*\\\\Software\\\\Microsoft\\\\Office Test\\\\Special\\\\Perf\\\\*\"\n", "references": ["https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "14dab405-5dd9-450c-8106-72951af2391f", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1137", "name": "Office Application Startup", "reference": "https://attack.mitre.org/techniques/T1137/", "subtechnique": [{"id": "T1137.002", "name": "Office Test", "reference": "https://attack.mitre.org/techniques/T1137/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": 
"https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "14dab405-5dd9-450c-8106-72951af2391f_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce.json
deleted file mode 100644
index 00f58a1928a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has permissions to, including secrets.", "false_positives": ["An administrator may need to exec into a pod for a legitimate reason like debugging purposes. Containers built from Linux and Windows OS images, tend to include debugging utilities. In this case, an admin may choose to run commands inside a specific container with kubectl exec ${POD_NAME} -c ${CONTAINER_NAME} -- ${CMD} ${ARG1} ${ARG2} ... ${ARGN}. For example, the following command can be used to look at logs from a running Cassandra pod: kubectl exec cassandra --cat /var/log/cassandra/system.log . Additionally, the -i and -t arguments might be used to run a shell connected to the terminal: kubectl exec -i -t cassandra -- sh"], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes User Exec into Pod", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb:\"create\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.objectRef.subresource:\"exec\"\n", "references": ["https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/", "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "keyword"}, {"ecs": false, "name": 
"kubernetes.audit.objectRef.resource", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.objectRef.subresource", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "keyword"}], "risk_score": 47, "rule_id": "14de811c-d60f-11ec-9fd7-f661ea17fbce", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1609", "name": "Container Administration Command", "reference": "https://attack.mitre.org/techniques/T1609/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 203}, "id": "14de811c-d60f-11ec-9fd7-f661ea17fbce", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_201.json b/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_201.json
deleted file mode 100644
index 68ae5cb5724..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_201.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has permissions to, including secrets.", "false_positives": ["An administrator may need to exec into a pod for a legitimate reason like debugging purposes. Containers built from Linux and Windows OS images, tend to include debugging utilities. In this case, an admin may choose to run commands inside a specific container with kubectl exec ${POD_NAME} -c ${CONTAINER_NAME} -- ${CMD} ${ARG1} ${ARG2} ... ${ARGN}. For example, the following command can be used to look at logs from a running Cassandra pod: kubectl exec cassandra --cat /var/log/cassandra/system.log . Additionally, the -i and -t arguments might be used to run a shell connected to the terminal: kubectl exec -i -t cassandra -- sh"], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes User Exec into Pod", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb:\"create\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.objectRef.subresource:\"exec\"\n", "references": ["https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/", "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown"}, {"ecs": false, "name": 
"kubernetes.audit.objectRef.resource", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.objectRef.subresource", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "unknown"}], "risk_score": 47, "rule_id": "14de811c-d60f-11ec-9fd7-f661ea17fbce", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1609", "name": "Container Administration Command", "reference": "https://attack.mitre.org/techniques/T1609/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 201}, "id": "14de811c-d60f-11ec-9fd7-f661ea17fbce_201", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_202.json b/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_202.json
deleted file mode 100644
index 00fa665f061..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/14de811c-d60f-11ec-9fd7-f661ea17fbce_202.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects a user attempt to establish a shell session into a pod using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/commands in the pod. An adversary may call bash to gain a persistent interactive shell which will allow access to any data the pod has permissions to, including secrets.", "false_positives": ["An administrator may need to exec into a pod for a legitimate reason like debugging purposes. Containers built from Linux and Windows OS images, tend to include debugging utilities. In this case, an admin may choose to run commands inside a specific container with kubectl exec ${POD_NAME} -c ${CONTAINER_NAME} -- ${CMD} ${ARG1} ${ARG2} ... ${ARGN}. For example, the following command can be used to look at logs from a running Cassandra pod: kubectl exec cassandra --cat /var/log/cassandra/system.log . Additionally, the -i and -t arguments might be used to run a shell connected to the terminal: kubectl exec -i -t cassandra -- sh"], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes User Exec into Pod", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb:\"create\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.objectRef.subresource:\"exec\"\n", "references": ["https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/", "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown"}, {"ecs": false, "name": 
"kubernetes.audit.objectRef.resource", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.objectRef.subresource", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "unknown"}], "risk_score": 47, "rule_id": "14de811c-d60f-11ec-9fd7-f661ea17fbce", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1609", "name": "Container Administration Command", "reference": "https://attack.mitre.org/techniques/T1609/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 202}, "id": "14de811c-d60f-11ec-9fd7-f661ea17fbce_202", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204.json b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204.json
deleted file mode 100644
index 8ea02dfd13f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204.json
+++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Persistence via Time Provider Modification", "note": "## Triage and analysis\n\n### Investigating Potential Persistence via Time Provider Modification\n\nThe Time Provider architecture in Windows is responsible for obtaining accurate timestamps from network devices or clients. It is implemented as a DLL file in the System32 folder and is initiated by the W32Time service during Windows startup. Adversaries may exploit this by registering and enabling a malicious DLL as a time provider to establish persistence. \n\nThis rule identifies changes in the registry paths associated with Time Providers, specifically targeting the addition of new DLL files.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine whether the DLL is signed.\n- Retrieve the DLL and determine if it is malicious:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path 
JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore Time Provider settings to the desired state.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path: (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\"\n ) and\n registry.data.strings:\"*.dll\" and\n not\n (\n process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and\n registry.data.strings : \"?:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmwTimeProvider\\\\vmwTimeProvider.dll\"\n ) and\n not registry.data.strings : \"C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL\"\n", "references": ["https://pentestlab.blog/2019/10/22/persistence-time-providers/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", 
"name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.003", "name": "Time Providers", "reference": "https://attack.mitre.org/techniques/T1547/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.003", "name": "Time Providers", "reference": "https://attack.mitre.org/techniques/T1547/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_102.json b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_102.json deleted file mode 100644 index 2de44ee59bc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Persistence via Time Provider Modification", "query": "registry where host.os.type == \"windows\" and event.type:\"change\" and\n registry.path: (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\"\n ) and\n registry.data.strings:\"*.dll\"\n", "references": ["https://pentestlab.blog/2019/10/22/persistence-time-providers/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.003", "name": "Time Providers", 
"reference": "https://attack.mitre.org/techniques/T1547/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_103.json b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_103.json deleted file mode 100644 index b8115acf082..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Persistence via Time Provider Modification", "query": "registry where host.os.type == \"windows\" and event.type:\"change\" and\n registry.path: (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\"\n ) and\n registry.data.strings:\"*.dll\"\n", "references": ["https://pentestlab.blog/2019/10/22/persistence-time-providers/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.003", 
"name": "Time Providers", "reference": "https://attack.mitre.org/techniques/T1547/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_104.json b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_104.json deleted file mode 100644 index 821ce87111d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Persistence via Time Provider Modification", "query": "registry where host.os.type == \"windows\" and event.type:\"change\" and\n registry.path: (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\"\n ) and\n registry.data.strings:\"*.dll\"\n", "references": ["https://pentestlab.blog/2019/10/22/persistence-time-providers/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", 
"subtechnique": [{"id": "T1547.003", "name": "Time Providers", "reference": "https://attack.mitre.org/techniques/T1547/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_105.json b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_105.json deleted file mode 100644 index 6ca12e8cf71..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Persistence via Time Provider Modification", "query": "registry where host.os.type == \"windows\" and event.type:\"change\" and\n registry.path: (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\"\n ) and\n registry.data.strings:\"*.dll\"\n", "references": ["https://pentestlab.blog/2019/10/22/persistence-time-providers/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": 
"https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.003", "name": "Time Providers", "reference": "https://attack.mitre.org/techniques/T1547/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.003", "name": "Time Providers", "reference": "https://attack.mitre.org/techniques/T1547/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_106.json b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_106.json deleted file mode 100644 index e8a7ca0fbd7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Persistence via Time Provider Modification", "note": "## Triage and analysis\n\n### Investigating Potential Persistence via Time Provider Modification\n\nThe Time Provider architecture in Windows is responsible for obtaining accurate timestamps from network devices or clients. It is implemented as a DLL file in the System32 folder and is initiated by the W32Time service during Windows startup. Adversaries may exploit this by registering and enabling a malicious DLL as a time provider to establish persistence. \n\nThis rule identifies changes in the registry paths associated with Time Providers, specifically targeting the addition of new DLL files.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine whether the DLL is signed.\n- Retrieve the DLL and determine if it is malicious:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path 
JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore Time Provider settings to the desired state.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type:\"change\" and\n registry.path: (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\"\n ) and\n registry.data.strings:\"*.dll\"\n", "references": ["https://pentestlab.blog/2019/10/22/persistence-time-providers/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.003", "name": "Time Providers", "reference": "https://attack.mitre.org/techniques/T1547/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, 
"technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.003", "name": "Time Providers", "reference": "https://attack.mitre.org/techniques/T1547/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_107.json b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_107.json deleted file mode 100644 index a2901a8fd0b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Persistence via Time Provider Modification", "note": "## Triage and analysis\n\n### Investigating Potential Persistence via Time Provider Modification\n\nThe Time Provider architecture in Windows is responsible for obtaining accurate timestamps from network devices or clients. It is implemented as a DLL file in the System32 folder and is initiated by the W32Time service during Windows startup. Adversaries may exploit this by registering and enabling a malicious DLL as a time provider to establish persistence. \n\nThis rule identifies changes in the registry paths associated with Time Providers, specifically targeting the addition of new DLL files.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine whether the DLL is signed.\n- Retrieve the DLL and determine if it is malicious:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path 
JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore Time Provider settings to the desired state.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type:\"change\" and\n registry.path: (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\"\n ) and\n registry.data.strings:\"*.dll\" and\n not\n (\n process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and\n registry.data.strings : \"?:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmwTimeProvider\\\\vmwTimeProvider.dll\"\n )\n", "references": ["https://pentestlab.blog/2019/10/22/persistence-time-providers/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", 
"subtechnique": [{"id": "T1547.003", "name": "Time Providers", "reference": "https://attack.mitre.org/techniques/T1547/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.003", "name": "Time Providers", "reference": "https://attack.mitre.org/techniques/T1547/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_108.json b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_108.json deleted file mode 100644 index 54ddbc13c4b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_108.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Persistence via Time Provider Modification", "note": "## Triage and analysis\n\n### Investigating Potential Persistence via Time Provider Modification\n\nThe Time Provider architecture in Windows is responsible for obtaining accurate timestamps from network devices or clients. It is implemented as a DLL file in the System32 folder and is initiated by the W32Time service during Windows startup. Adversaries may exploit this by registering and enabling a malicious DLL as a time provider to establish persistence. \n\nThis rule identifies changes in the registry paths associated with Time Providers, specifically targeting the addition of new DLL files.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine whether the DLL is signed.\n- Retrieve the DLL and determine if it is malicious:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path 
JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore Time Provider settings to the desired state.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type:\"change\" and\n registry.path: (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\"\n ) and\n registry.data.strings:\"*.dll\" and\n not\n (\n process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and\n registry.data.strings : \"?:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmwTimeProvider\\\\vmwTimeProvider.dll\"\n )\n", "references": ["https://pentestlab.blog/2019/10/22/persistence-time-providers/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": 
"https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.003", "name": "Time Providers", "reference": "https://attack.mitre.org/techniques/T1547/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.003", "name": "Time Providers", "reference": "https://attack.mitre.org/techniques/T1547/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_109.json b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_109.json deleted file mode 100644 index 7728328370d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_109.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Persistence via Time Provider Modification", "note": "## Triage and analysis\n\n### Investigating Potential Persistence via Time Provider Modification\n\nThe Time Provider architecture in Windows is responsible for obtaining accurate timestamps from network devices or clients. It is implemented as a DLL file in the System32 folder and is initiated by the W32Time service during Windows startup. Adversaries may exploit this by registering and enabling a malicious DLL as a time provider to establish persistence. \n\nThis rule identifies changes in the registry paths associated with Time Providers, specifically targeting the addition of new DLL files.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine whether the DLL is signed.\n- Retrieve the DLL and determine if it is malicious:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path 
JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore Time Provider settings to the desired state.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type:\"change\" and\n registry.path: (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\"\n ) and\n registry.data.strings:\"*.dll\" and\n not\n (\n process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and\n registry.data.strings : \"?:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmwTimeProvider\\\\vmwTimeProvider.dll\"\n )\n", "references": ["https://pentestlab.blog/2019/10/22/persistence-time-providers/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": 
"https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.003", "name": "Time Providers", "reference": "https://attack.mitre.org/techniques/T1547/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.003", "name": "Time Providers", "reference": "https://attack.mitre.org/techniques/T1547/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_110.json b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_110.json deleted file mode 100644 index 04536c12456..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_110.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Persistence via Time Provider Modification", "note": "## Triage and analysis\n\n### Investigating Potential Persistence via Time Provider Modification\n\nThe Time Provider architecture in Windows is responsible for obtaining accurate timestamps from network devices or clients. It is implemented as a DLL file in the System32 folder and is initiated by the W32Time service during Windows startup. Adversaries may exploit this by registering and enabling a malicious DLL as a time provider to establish persistence. \n\nThis rule identifies changes in the registry paths associated with Time Providers, specifically targeting the addition of new DLL files.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine whether the DLL is signed.\n- Retrieve the DLL and determine if it is malicious:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path 
JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore Time Provider settings to the desired state.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path: (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\"\n ) and\n registry.data.strings:\"*.dll\" and\n not\n (\n process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and\n registry.data.strings : \"?:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmwTimeProvider\\\\vmwTimeProvider.dll\"\n ) and\n not registry.data.strings : \"C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL\"\n", "references": ["https://pentestlab.blog/2019/10/22/persistence-time-providers/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", 
"name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.003", "name": "Time Providers", "reference": "https://attack.mitre.org/techniques/T1547/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.003", "name": "Time Providers", "reference": "https://attack.mitre.org/techniques/T1547/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_111.json b/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_111.json deleted file mode 100644 index f7e75fd8581..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modification of the Time Provider. Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider. Windows uses the time provider architecture to obtain accurate time stamps from other network devices or clients in the network. Time providers are implemented in the form of a DLL file which resides in the System32 folder. The service W32Time initiates during the startup of Windows and loads w32time.dll.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Persistence via Time Provider Modification", "note": "## Triage and analysis\n\n### Investigating Potential Persistence via Time Provider Modification\n\nThe Time Provider architecture in Windows is responsible for obtaining accurate timestamps from network devices or clients. It is implemented as a DLL file in the System32 folder and is initiated by the W32Time service during Windows startup. Adversaries may exploit this by registering and enabling a malicious DLL as a time provider to establish persistence. \n\nThis rule identifies changes in the registry paths associated with Time Providers, specifically targeting the addition of new DLL files.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine whether the DLL is signed.\n- Retrieve the DLL and determine if it is malicious:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path 
JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore Time Provider settings to the desired state.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path: (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\W32Time\\\\TimeProviders\\\\*\"\n ) and\n registry.data.strings:\"*.dll\" and\n not\n (\n process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and\n registry.data.strings : \"?:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmwTimeProvider\\\\vmwTimeProvider.dll\"\n ) and\n not registry.data.strings : \"C:\\\\Windows\\\\SYSTEM32\\\\w32time.DLL\"\n", "references": ["https://pentestlab.blog/2019/10/22/persistence-time-providers/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", 
"name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.003", "name": "Time Providers", "reference": "https://attack.mitre.org/techniques/T1547/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.003", "name": "Time Providers", "reference": "https://attack.mitre.org/techniques/T1547/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1502a836-84b2-11ef-b026-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/1502a836-84b2-11ef-b026-f661ea17fbcc_1.json
deleted file mode 100644
index a9e28e7735b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1502a836-84b2-11ef-b026-f661ea17fbcc_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects successful single sign-on (SSO) events to Okta applications from an unrecognized or \"unknown\" client device, as identified by the user-agent string. This activity may be indicative of exploitation of a vulnerability in Okta's Classic Engine, which could allow an attacker to bypass application-specific sign-on policies, such as device or network restrictions. The vulnerability potentially enables unauthorized access to applications using only valid, stolen credentials, without requiring additional authentication factors.", "from": "now-9m", "history_window_start": "now-14d", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Successful Application SSO from Rare Unknown Client Device", "new_terms_fields": ["client.user.name", "okta.client.user_agent.raw_user_agent"], "query": "event.dataset: \"okta.system\"\n and event.action: \"user.authentication.sso\"\n and event.outcome: \"success\"\n and okta.client.device: (\"Unknown\" or \"unknown\")\n", "references": ["https://trust.okta.com/security-advisories/okta-classic-application-sign-on-policy-bypass-2024/"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": false, "name": "okta.client.device", "type": "keyword"}], "risk_score": 47, "rule_id": "1502a836-84b2-11ef-b026-f661ea17fbcc", "severity": "medium", "tags": ["Domain: SaaS", "Data Source: Okta", "Use Case: Threat Detection", "Use Case: Identity and Access Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": 
"https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "1502a836-84b2-11ef-b026-f661ea17fbcc_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1502a836-84b2-11ef-b026-f661ea17fbcc_103.json b/packages/security_detection_engine/kibana/security_rule/1502a836-84b2-11ef-b026-f661ea17fbcc_103.json
new file mode 100644
index 00000000000..ff88ef56d7b
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/1502a836-84b2-11ef-b026-f661ea17fbcc_103.json
@@ -0,0 +1,85 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects successful single sign-on (SSO) events to Okta applications from an unrecognized or \"unknown\" client device, as identified by the user-agent string. This activity may be indicative of exploitation of a vulnerability in Okta's Classic Engine, which could allow an attacker to bypass application-specific sign-on policies, such as device or network restrictions. The vulnerability potentially enables unauthorized access to applications using only valid, stolen credentials, without requiring additional authentication factors.", + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Successful Application SSO from Rare Unknown Client Device", + "new_terms_fields": [ + "client.user.name", + "okta.client.user_agent.raw_user_agent" + ], + "query": "event.dataset: \"okta.system\"\n and event.action: \"user.authentication.sso\"\n and event.outcome: \"success\"\n and okta.client.device: (\"Unknown\" or \"unknown\")\n", + "references": [ + "https://trust.okta.com/security-advisories/okta-classic-application-sign-on-policy-bypass-2024/" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.client.device", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1502a836-84b2-11ef-b026-f661ea17fbcc", + "severity": "medium", + "tags": [ + "Domain: SaaS", + "Data Source: Okta", + "Use Case: Threat Detection", + "Use Case: Identity and Access Audit", + "Tactic: Initial Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + 
"name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "new_terms",
+ "version": 103
+ },
+ "id": "1502a836-84b2-11ef-b026-f661ea17fbcc_103",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1502a836-84b2-11ef-b026-f661ea17fbcc_3.json b/packages/security_detection_engine/kibana/security_rule/1502a836-84b2-11ef-b026-f661ea17fbcc_3.json
deleted file mode 100644
index 0e076a6c926..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1502a836-84b2-11ef-b026-f661ea17fbcc_3.json
+++ /dev/null
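Review bot: The two `new_terms_fields` (`client.user.name`, `okta.client.user_agent.raw_user_agent`) are not declared in `required_fields`, which lists only the four fields the KQL query references; the new-terms evaluation keys on those two fields, so documents lacking them presumably never form a "new" term and the rule's field dependencies are under-documented, and I would add entries such as `{"ecs": true, "name": "client.user.name", "type": "keyword"}` and `{"ecs": false, "name": "okta.client.user_agent.raw_user_agent", "type": "keyword"}` with the types confirmed against the okta integration mapping. The same gap appears in the deleted _1 and _3 revisions, so it is inherited rather than introduced by this bump. Separately, the description says the client is classified as unknown "as identified by the user-agent string", while the query filters on `okta.client.device`; rewording to `as reported in the okta.client.device field` would describe what the rule actually evaluates. This rule also ships without a `note` investigation guide, unlike the neighbouring rules in this patch, so triage and false-positive guidance for an SSO-policy-bypass scenario is missing.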
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects successful single sign-on (SSO) events to Okta applications from an unrecognized or \"unknown\" client device, as identified by the user-agent string. This activity may be indicative of exploitation of a vulnerability in Okta's Classic Engine, which could allow an attacker to bypass application-specific sign-on policies, such as device or network restrictions. The vulnerability potentially enables unauthorized access to applications using only valid, stolen credentials, without requiring additional authentication factors.", "from": "now-9m", "history_window_start": "now-14d", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Successful Application SSO from Rare Unknown Client Device", "new_terms_fields": ["client.user.name", "okta.client.user_agent.raw_user_agent"], "query": "event.dataset: \"okta.system\"\n and event.action: \"user.authentication.sso\"\n and event.outcome: \"success\"\n and okta.client.device: (\"Unknown\" or \"unknown\")\n", "references": ["https://trust.okta.com/security-advisories/okta-classic-application-sign-on-policy-bypass-2024/"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": false, "name": "okta.client.device", "type": "keyword"}], "risk_score": 47, "rule_id": "1502a836-84b2-11ef-b026-f661ea17fbcc", "severity": "medium", "tags": ["Domain: SaaS", "Data Source: Okta", "Use Case: Threat Detection", "Use Case: Identity and Access Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": 
"https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 3}, "id": "1502a836-84b2-11ef-b026-f661ea17fbcc_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/151d8f72-0747-11ef-a0c2-f661ea17fbcc.json b/packages/security_detection_engine/kibana/security_rule/151d8f72-0747-11ef-a0c2-f661ea17fbcc.json
deleted file mode 100644
index 0bbbcc1b96f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/151d8f72-0747-11ef-a0c2-f661ea17fbcc.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when an AWS Lambda function policy is updated to allow public invocation. This rule specifically looks for the `AddPermission` API call with the `Principal` set to `*` which allows any AWS account to invoke the Lambda function. Adversaries may abuse this permission to create a backdoor in the Lambda function that allows them to execute arbitrary code.", "false_positives": ["Lambda function owners may legitimately update the function policy to allow public invocation."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Lambda Function Policy Updated to Allow Public Invocation", "note": "## Triage and Analysis\n\n### Investigating AWS Lambda Function Policy Updated to Allow Public Invocation\n\nThis rule detects when an AWS Lambda function policy is updated to allow public invocation. It specifically looks for the `AddPermission` API call with the `Principal` set to `*`, which allows any AWS account to invoke the Lambda function. Adversaries may abuse this permission to create a backdoor in the Lambda function that allows them to execute arbitrary code. Understanding the context and legitimacy of such changes is crucial to determine if the action is benign or malicious.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific changes made to the Lambda function policy. 
Look for any unusual parameters that could suggest unauthorized or malicious modifications.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the change occurred. Modifications during non-business hours or outside regular maintenance windows might require further scrutiny.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the update to allow public invocation aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the change was successful and intended according to policy.\n\n### Response and Remediation:\n\n- **Immediate Review and Reversal if Necessary**: If the change was unauthorized, update the Lambda function policy to remove the public invocation permission and restore it to its previous state.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive functions or permissions.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning Lambda function management and the use of permissions.\n- **Audit Lambda Functions and Policies**: Conduct a comprehensive audit of all Lambda functions and associated policies to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing Lambda functions and securing AWS environments, refer to the [AWS Lambda documentation](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on Lambda persistence techniques:\n- [AWS Lambda Persistence](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence)\n- [AWS Lambda Backdoor Function](https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-backdoor-function/)\n- [AWS API AddPermission](https://docs.aws.amazon.com/lambda/latest/api/API_AddPermission.html)\n\n\n", "query": "event.dataset: aws.cloudtrail\n and event.provider: lambda.amazonaws.com\n and event.outcome: success\n and event.action: AddPermission*\n and aws.cloudtrail.request_parameters: (*lambda\\:InvokeFunction* and *principal=\\**)\n", "references": ["https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.persistence.lambda-backdoor-function/", "https://docs.aws.amazon.com/lambda/latest/api/API_AddPermission.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.request_parameters", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "151d8f72-0747-11ef-a0c2-f661ea17fbcc", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Lambda", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/"}]}], "timestamp_override": "event.ingested", 
"type": "query", "version": 1}, "id": "151d8f72-0747-11ef-a0c2-f661ea17fbcc", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1542fa53-955e-4330-8e4d-b2d812adeb5f.json b/packages/security_detection_engine/kibana/security_rule/1542fa53-955e-4330-8e4d-b2d812adeb5f.json
deleted file mode 100644
index 0ab0723d44f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1542fa53-955e-4330-8e4d-b2d812adeb5f.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies process execution from a removable media and by an unusual process. Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution from a Removable Media with Network Connection", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n \n /* Direct Exec from USB */\n (process.Ext.device.bus_type : \"usb\" or process.Ext.device.product_id : \"USB *\") and\n (process.code_signature.trusted == false or process.code_signature.exists == false) and \n \n not process.code_signature.status : (\"errorExpired\", \"errorCode_endpoint*\")]\n [network where host.os.type == \"windows\" and event.action == \"connection_attempted\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.device.bus_type", "type": "unknown"}, {"ecs": false, "name": "process.Ext.device.product_id", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}], "risk_score": 21, "rule_id": "1542fa53-955e-4330-8e4d-b2d812adeb5f", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1091", "name": "Replication Through Removable Media", "reference": "https://attack.mitre.org/techniques/T1091/"}]}], "type": "eql", "version": 3}, "id": "1542fa53-955e-4330-8e4d-b2d812adeb5f", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1542fa53-955e-4330-8e4d-b2d812adeb5f_1.json b/packages/security_detection_engine/kibana/security_rule/1542fa53-955e-4330-8e4d-b2d812adeb5f_1.json
deleted file mode 100644
index bed6c1af465..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1542fa53-955e-4330-8e4d-b2d812adeb5f_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies process execution from a removable media and by an unusual process. Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Execution from a Removable Media with Network Connection", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n \n /* Direct Exec from USB */\n (process.Ext.device.bus_type : \"usb\" or process.Ext.device.product_id : \"USB *\") and\n (process.code_signature.trusted == false or process.code_signature.exists == false) and \n \n not process.code_signature.status : (\"errorExpired\", \"errorCode_endpoint*\")]\n [network where host.os.type == \"windows\" and event.action == \"connection_attempted\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.device.bus_type", "type": "unknown"}, {"ecs": false, "name": "process.Ext.device.product_id", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}], "risk_score": 21, "rule_id": "1542fa53-955e-4330-8e4d-b2d812adeb5f", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Rule Type: BBR", "Data Source: Elastic Defend"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1091", "name": "Replication Through Removable Media", "reference": "https://attack.mitre.org/techniques/T1091/"}]}], "type": "eql", "version": 1}, "id": "1542fa53-955e-4330-8e4d-b2d812adeb5f_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1542fa53-955e-4330-8e4d-b2d812adeb5f_2.json b/packages/security_detection_engine/kibana/security_rule/1542fa53-955e-4330-8e4d-b2d812adeb5f_2.json
deleted file mode 100644
index 35c3bc9d7ac..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1542fa53-955e-4330-8e4d-b2d812adeb5f_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies process execution from a removable media and by an unusual process. Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Execution from a Removable Media with Network Connection", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n \n /* Direct Exec from USB */\n (process.Ext.device.bus_type : \"usb\" or process.Ext.device.product_id : \"USB *\") and\n (process.code_signature.trusted == false or process.code_signature.exists == false) and \n \n not process.code_signature.status : (\"errorExpired\", \"errorCode_endpoint*\")]\n [network where host.os.type == \"windows\" and event.action == \"connection_attempted\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.device.bus_type", "type": "unknown"}, {"ecs": false, "name": "process.Ext.device.product_id", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}], "risk_score": 21, "rule_id": "1542fa53-955e-4330-8e4d-b2d812adeb5f", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1091", "name": "Replication Through Removable Media", "reference": "https://attack.mitre.org/techniques/T1091/"}]}], "type": "eql", "version": 2}, "id": "1542fa53-955e-4330-8e4d-b2d812adeb5f_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e.json b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e.json
deleted file mode 100644
index 2541c869aff..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Scheduled Task Execution at Scale via GPO", "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- Determine the initial vector abused by 
the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where host.os.type == \"windows\" and event.code in (\"5136\", \"5145\") and\n(\n (\n winlog.event_data.AttributeLDAPDisplayName : (\n \"gPCMachineExtensionNames\",\n \"gPCUserExtensionNames\"\n ) and\n winlog.event_data.AttributeValue : \"*CAB54552-DEEA-4691-817E-ED4A4D1AFC72*\" and\n winlog.event_data.AttributeValue : \"*AADCED64-746C-4633-A97C-D61349046527*\"\n ) or\n (\n winlog.event_data.ShareName : \"\\\\\\\\*\\\\SYSVOL\" and\n winlog.event_data.RelativeTargetName : \"*ScheduledTasks.xml\" and\n winlog.event_data.AccessList:\"*%%4417*\"\n )\n)\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", "https://labs.f-secure.com/tools/sharpgpoabuse", "https://twitter.com/menasec1/status/1106899890377052160", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessList", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ShareName", "type": "unknown"}], "risk_score": 47, "rule_id": 
"15a8ba77-1c13-4274-88fe-6bd14133861e", "setup": "## Setup\n\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Lateral Movement", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1484", "name": "Domain or Tenant Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1570", "name": "Lateral Tool Transfer", "reference": 
"https://attack.mitre.org/techniques/T1570/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "15a8ba77-1c13-4274-88fe-6bd14133861e", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_105.json b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_105.json deleted file mode 100644 index 6b582bdeb74..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Scheduled Task Execution at Scale via GPO", "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- Determine the initial vector abused by 
the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "host.os.type:windows and\n(event.code: \"5136\" and winlog.event_data.AttributeLDAPDisplayName:(\"gPCMachineExtensionNames\" or \"gPCUserExtensionNames\") and\n winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))\nor\n(event.code: \"5145\" and winlog.event_data.ShareName: \"\\\\\\\\*\\\\SYSVOL\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\n (message: WriteData or winlog.event_data.AccessList: *%%4417*))\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", "https://labs.f-secure.com/tools/sharpgpoabuse", "https://twitter.com/menasec1/status/1106899890377052160", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": false, "name": "winlog.event_data.AccessList", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ShareName", "type": "unknown"}], "risk_score": 47, "rule_id": 
"15a8ba77-1c13-4274-88fe-6bd14133861e", "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Active Directory", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "15a8ba77-1c13-4274-88fe-6bd14133861e_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_106.json b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_106.json
deleted file mode 100644
index 042a8435142..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Scheduled Task Execution at Scale via GPO", "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- Determine the initial vector abused by 
the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "(event.code: \"5136\" and winlog.event_data.AttributeLDAPDisplayName:(\"gPCMachineExtensionNames\" or \"gPCUserExtensionNames\") and\n winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))\nor\n(event.code: \"5145\" and winlog.event_data.ShareName: \"\\\\\\\\*\\\\SYSVOL\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\n (message: WriteData or winlog.event_data.AccessList: *%%4417*))\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", "https://labs.f-secure.com/tools/sharpgpoabuse", "https://twitter.com/menasec1/status/1106899890377052160", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": false, "name": "winlog.event_data.AccessList", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ShareName", "type": "unknown"}], "risk_score": 47, "rule_id": "15a8ba77-1c13-4274-88fe-6bd14133861e", "setup": "The 'Audit Detailed File Share' audit 
policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Active Directory", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "15a8ba77-1c13-4274-88fe-6bd14133861e_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_107.json b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_107.json deleted file mode 100644 index 09e18b70a98..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Scheduled Task Execution at Scale via GPO", "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- Determine the initial vector abused by 
the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "(event.code: \"5136\" and winlog.event_data.AttributeLDAPDisplayName:(\"gPCMachineExtensionNames\" or \"gPCUserExtensionNames\") and\n winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))\nor\n(event.code: \"5145\" and winlog.event_data.ShareName: \"\\\\\\\\*\\\\SYSVOL\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\n (message: WriteData or winlog.event_data.AccessList: *%%4417*))\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", "https://labs.f-secure.com/tools/sharpgpoabuse", "https://twitter.com/menasec1/status/1106899890377052160", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": false, "name": "winlog.event_data.AccessList", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ShareName", "type": "unknown"}], "risk_score": 47, "rule_id": "15a8ba77-1c13-4274-88fe-6bd14133861e", "setup": "The 'Audit Detailed File Share' audit 
policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "15a8ba77-1c13-4274-88fe-6bd14133861e_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_108.json b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_108.json
deleted file mode 100644
index 70a6050ce5e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Scheduled Task Execution at Scale via GPO", "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- Determine the initial vector abused by 
the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "(event.code: \"5136\" and winlog.event_data.AttributeLDAPDisplayName:(\"gPCMachineExtensionNames\" or \"gPCUserExtensionNames\") and\n winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))\nor\n(event.code: \"5145\" and winlog.event_data.ShareName: \"\\\\\\\\*\\\\SYSVOL\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\n (message: WriteData or winlog.event_data.AccessList: *%%4417*))\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", "https://labs.f-secure.com/tools/sharpgpoabuse", "https://twitter.com/menasec1/status/1106899890377052160", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": false, "name": "winlog.event_data.AccessList", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ShareName", "type": "unknown"}], "risk_score": 47, "rule_id": "15a8ba77-1c13-4274-88fe-6bd14133861e", "setup": "The 'Audit Detailed File Share' audit 
policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Lateral Movement", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1570", "name": "Lateral Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1570/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": 
"15a8ba77-1c13-4274-88fe-6bd14133861e_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_109.json b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_109.json deleted file mode 100644 index caba54dd1d1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Scheduled Task Execution at Scale via GPO", "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- Determine the initial vector abused by 
the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "(event.code: \"5136\" and winlog.event_data.AttributeLDAPDisplayName:(\"gPCMachineExtensionNames\" or \"gPCUserExtensionNames\") and\n winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))\nor\n(event.code: \"5145\" and winlog.event_data.ShareName: \"\\\\\\\\*\\\\SYSVOL\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\n (message: WriteData or winlog.event_data.AccessList: *%%4417*))\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", "https://labs.f-secure.com/tools/sharpgpoabuse", "https://twitter.com/menasec1/status/1106899890377052160", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": false, "name": "winlog.event_data.AccessList", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ShareName", "type": "unknown"}], "risk_score": 47, "rule_id": "15a8ba77-1c13-4274-88fe-6bd14133861e", "setup": "\nThe 'Audit Detailed File Share' 
audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Lateral Movement", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1570", "name": "Lateral Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1570/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 109}, 
"id": "15a8ba77-1c13-4274-88fe-6bd14133861e_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_110.json b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_110.json deleted file mode 100644 index cb3cb0e3b4b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Scheduled Task Execution at Scale via GPO", "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- Determine the initial vector abused by 
the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "(event.code: \"5136\" and winlog.event_data.AttributeLDAPDisplayName:(\"gPCMachineExtensionNames\" or \"gPCUserExtensionNames\") and\n winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))\nor\n(event.code: \"5145\" and winlog.event_data.ShareName: \"\\\\\\\\*\\\\SYSVOL\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\n (message: WriteData or winlog.event_data.AccessList: *%%4417*))\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", "https://labs.f-secure.com/tools/sharpgpoabuse", "https://twitter.com/menasec1/status/1106899890377052160", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": false, "name": "winlog.event_data.AccessList", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ShareName", "type": "unknown"}], "risk_score": 47, "rule_id": "15a8ba77-1c13-4274-88fe-6bd14133861e", "setup": "## Setup\n\nThe 'Audit Detailed File 
Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Lateral Movement", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1570", "name": "Lateral Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1570/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 110}, 
"id": "15a8ba77-1c13-4274-88fe-6bd14133861e_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_111.json b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_111.json deleted file mode 100644 index ad877526878..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Scheduled Task Execution at Scale via GPO", "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- Determine the initial vector abused by 
the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "(event.code: \"5136\" and winlog.event_data.AttributeLDAPDisplayName:(\"gPCMachineExtensionNames\" or \"gPCUserExtensionNames\") and\n winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))\nor\n(event.code: \"5145\" and winlog.event_data.ShareName: \"\\\\\\\\*\\\\SYSVOL\" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and\n (message: WriteData or winlog.event_data.AccessList: *%%4417*))\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", "https://labs.f-secure.com/tools/sharpgpoabuse", "https://twitter.com/menasec1/status/1106899890377052160", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": false, "name": "winlog.event_data.AccessList", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ShareName", "type": "unknown"}], "risk_score": 47, "rule_id": "15a8ba77-1c13-4274-88fe-6bd14133861e", "setup": "## Setup\n\nThe 'Audit Detailed File 
Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Lateral Movement", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1484", "name": "Domain or Tenant Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1570", "name": "Lateral Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1570/"}]}], "timestamp_override": "event.ingested", "type": "query", 
"version": 111}, "id": "15a8ba77-1c13-4274-88fe-6bd14133861e_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_112.json b/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_112.json deleted file mode 100644 index 2b3196e0a9f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/15a8ba77-1c13-4274-88fe-6bd14133861e_112.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the modification of Group Policy Object attributes to execute a scheduled task in the objects controlled by the GPO.", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Scheduled Task Execution at Scale via GPO", "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to execute scheduled tasks at scale to compromise objects controlled by a given GPO. This is done by changing the contents of the `\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml` file.\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is allowed and done under change management, and if the execution is legitimate.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scheduled tasks attached.\n- Determine the initial vector abused by 
the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where host.os.type == \"windows\" and event.code in (\"5136\", \"5145\") and\n(\n (\n winlog.event_data.AttributeLDAPDisplayName : (\n \"gPCMachineExtensionNames\",\n \"gPCUserExtensionNames\"\n ) and\n winlog.event_data.AttributeValue : \"*CAB54552-DEEA-4691-817E-ED4A4D1AFC72*\" and\n winlog.event_data.AttributeValue : \"*AADCED64-746C-4633-A97C-D61349046527*\"\n ) or\n (\n winlog.event_data.ShareName : \"\\\\\\\\*\\\\SYSVOL\" and\n winlog.event_data.RelativeTargetName : \"*ScheduledTasks.xml\" and\n winlog.event_data.AccessList:\"*%%4417*\"\n )\n)\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", "https://labs.f-secure.com/tools/sharpgpoabuse", "https://twitter.com/menasec1/status/1106899890377052160", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_gpo_scheduledtasks.yml"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessList", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ShareName", "type": "unknown"}], "risk_score": 47, "rule_id": 
"15a8ba77-1c13-4274-88fe-6bd14133861e", "setup": "## Setup\n\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Lateral Movement", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1484", "name": "Domain or Tenant Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1570", "name": "Lateral Tool Transfer", "reference": 
"https://attack.mitre.org/techniques/T1570/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "15a8ba77-1c13-4274-88fe-6bd14133861e_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899.json b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899.json deleted file mode 100644 index 4e97a41ebf7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Desktopimgdownldr Utility", "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process 
Network Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or ?process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n", "references": ["https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", 
"Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "15c0b7a7-9c34-4869-b25b-fa6518414899", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_104.json b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_104.json deleted file mode 100644 index 2b06a1c7c16..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Desktopimgdownldr Utility", "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n", "references": ["https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 104}, "id": "15c0b7a7-9c34-4869-b25b-fa6518414899_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_105.json b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_105.json deleted file mode 100644 index 1dc936194d9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Desktopimgdownldr Utility", "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n", "references": ["https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 105}, "id": "15c0b7a7-9c34-4869-b25b-fa6518414899_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_106.json b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_106.json deleted file mode 100644 index e5214c0f884..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_106.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Desktopimgdownldr Utility", "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n", "references": ["https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": 
"https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "15c0b7a7-9c34-4869-b25b-fa6518414899_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_107.json b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_107.json deleted file mode 100644 index 05417409878..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_107.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Desktopimgdownldr Utility", "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n", "references": ["https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": 
"https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "15c0b7a7-9c34-4869-b25b-fa6518414899_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_108.json b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_108.json deleted file mode 100644 index a0813776a63..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Desktopimgdownldr Utility", "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n", "references": ["https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "15c0b7a7-9c34-4869-b25b-fa6518414899_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_109.json b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_109.json
deleted file mode 100644
index 9996a96e9df..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Desktopimgdownldr Utility", "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process 
Network Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n", "references": ["https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "15c0b7a7-9c34-4869-b25b-fa6518414899_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_110.json b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_110.json
deleted file mode 100644
index 98d7008b2ab..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Desktopimgdownldr Utility", "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process 
Network Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or ?process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n", "references": ["https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "15c0b7a7-9c34-4869-b25b-fa6518414899_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_111.json b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_111.json
deleted file mode 100644
index a055a55c7e6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Desktopimgdownldr Utility", "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process 
Network Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or ?process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n", "references": ["https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic 
Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "15c0b7a7-9c34-4869-b25b-fa6518414899_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_112.json b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_112.json
deleted file mode 100644
index 40a452c726d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_112.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Desktopimgdownldr Utility", "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process 
Network Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or ?process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n", "references": ["https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic 
Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "15c0b7a7-9c34-4869-b25b-fa6518414899_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_113.json b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_113.json
deleted file mode 100644
index c07b79f5ef2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_113.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Desktopimgdownldr Utility", "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process 
Network Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or ?process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n", "references": ["https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", 
"Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "15c0b7a7-9c34-4869-b25b-fa6518414899_113", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_313.json b/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_313.json
deleted file mode 100644
index 24d4611d5d9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/15c0b7a7-9c34-4869-b25b-fa6518414899_313.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Desktopimgdownldr Utility", "note": "## Triage and analysis\n\n### Investigating Remote File Download via Desktopimgdownldr Utility\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `Desktopimgdownldr.exe` utility is used to to configure lockscreen/desktop image, and can be abused with the `lockscreenurl` argument to download remote files and tools, this rule looks for this behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process 
Network Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Analysts can dismiss the alert if the downloaded file is a legitimate image.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"desktopimgdownldr.exe\" or ?process.pe.original_file_name == \"desktopimgdownldr.exe\") and\n process.args : \"/lockscreenurl:http*\"\n", "references": ["https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "15c0b7a7-9c34-4869-b25b-fa6518414899", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": 
"https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 313}, "id": "15c0b7a7-9c34-4869-b25b-fa6518414899_313", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a.json b/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a.json deleted file mode 100644 index c819605ff5e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN). Adversaries may use VPN connections to laterally move and control remote systems on a network.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Virtual Private Network Connection Attempt", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n (process.name : \"networksetup\" and process.args : \"-connectpppoeservice\") or\n (process.name : \"scutil\" and process.args : \"--nc\" and process.args : \"start\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*set VPN to service*\")\n )\n", "references": ["https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb", "https://www.unix.com/man-page/osx/8/networksetup/", "https://superuser.com/questions/358513/start-configured-vpn-from-command-line-osx"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "15dacaa0-5b90-466b-acab-63435a59701a", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "15dacaa0-5b90-466b-acab-63435a59701a", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_102.json b/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_102.json
deleted file mode 100644
index 8b14d66c3b5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN). Adversaries may use VPN connections to laterally move and control remote systems on a network.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Virtual Private Network Connection Attempt", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n (process.name : \"networksetup\" and process.args : \"-connectpppoeservice\") or\n (process.name : \"scutil\" and process.args : \"--nc\" and process.args : \"start\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*set VPN to service*\")\n )\n", "references": ["https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb", "https://www.unix.com/man-page/osx/8/networksetup/", "https://superuser.com/questions/358513/start-configured-vpn-from-command-line-osx"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "15dacaa0-5b90-466b-acab-63435a59701a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "15dacaa0-5b90-466b-acab-63435a59701a_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_103.json b/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_103.json deleted file mode 100644 index dda05d55965..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_103.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN). Adversaries may use VPN connections to laterally move and control remote systems on a network.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Virtual Private Network Connection Attempt", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n (process.name : \"networksetup\" and process.args : \"-connectpppoeservice\") or\n (process.name : \"scutil\" and process.args : \"--nc\" and process.args : \"start\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*set VPN to service*\")\n )\n", "references": ["https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb", "https://www.unix.com/man-page/osx/8/networksetup/", "https://superuser.com/questions/358513/start-configured-vpn-from-command-line-osx"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "15dacaa0-5b90-466b-acab-63435a59701a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "15dacaa0-5b90-466b-acab-63435a59701a_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_104.json b/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_104.json
deleted file mode 100644
index 9ed5ca55e57..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN). Adversaries may use VPN connections to laterally move and control remote systems on a network.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Virtual Private Network Connection Attempt", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n (process.name : \"networksetup\" and process.args : \"-connectpppoeservice\") or\n (process.name : \"scutil\" and process.args : \"--nc\" and process.args : \"start\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*set VPN to service*\")\n )\n", "references": ["https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb", "https://www.unix.com/man-page/osx/8/networksetup/", "https://superuser.com/questions/358513/start-configured-vpn-from-command-line-osx"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "15dacaa0-5b90-466b-acab-63435a59701a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: 
Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "15dacaa0-5b90-466b-acab-63435a59701a_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_105.json b/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_105.json deleted file mode 100644 index 951eee3d25f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN). Adversaries may use VPN connections to laterally move and control remote systems on a network.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Virtual Private Network Connection Attempt", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n (process.name : \"networksetup\" and process.args : \"-connectpppoeservice\") or\n (process.name : \"scutil\" and process.args : \"--nc\" and process.args : \"start\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*set VPN to service*\")\n )\n", "references": ["https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb", "https://www.unix.com/man-page/osx/8/networksetup/", "https://superuser.com/questions/358513/start-configured-vpn-from-command-line-osx"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "15dacaa0-5b90-466b-acab-63435a59701a", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "15dacaa0-5b90-466b-acab-63435a59701a_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_106.json b/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_106.json
deleted file mode 100644
index ff33a3cd2be..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/15dacaa0-5b90-466b-acab-63435a59701a_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN). Adversaries may use VPN connections to laterally move and control remote systems on a network.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Virtual Private Network Connection Attempt", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n (process.name : \"networksetup\" and process.args : \"-connectpppoeservice\") or\n (process.name : \"scutil\" and process.args : \"--nc\" and process.args : \"start\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*set VPN to service*\")\n )\n", "references": ["https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb", "https://www.unix.com/man-page/osx/8/networksetup/", "https://superuser.com/questions/358513/start-configured-vpn-from-command-line-osx"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "15dacaa0-5b90-466b-acab-63435a59701a", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "15dacaa0-5b90-466b-acab-63435a59701a_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/160896de-b66f-42cb-8fef-20f53a9006ea.json b/packages/security_detection_engine/kibana/security_rule/160896de-b66f-42cb-8fef-20f53a9006ea.json
deleted file mode 100644
index 757c003423d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/160896de-b66f-42cb-8fef-20f53a9006ea.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects modification of the CGroup release_agent file from inside a privileged container. The release_agent is a script that is executed at the termination of any process on that CGroup and is invoked from the host. A privileged container with SYS_ADMIN capabilities, enables a threat actor to mount a CGroup directory and modify the release_agent which could be used for further privilege escalation and container escapes to the host machine.", "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "Potential Container Escape via Modified release_agent File", "query": "file where event.module == \"cloud_defend\" and event.action == \"open\" and \nevent.type == \"change\" and file.name : \"release_agent\"\n", "references": ["https://blog.aquasec.com/threat-alert-container-escape", "https://sysdig.com/blog/detecting-mitigating-cve-2022-0492-sysdig/", "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#privileged-escape-abusing-existent-release_agent-cve-2022-0492-poc1"], "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}], "risk_score": 47, "rule_id": "160896de-b66f-42cb-8fef-20f53a9006ea", "severity": "medium", "tags": ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": 
"https://attack.mitre.org/techniques/T1611/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "160896de-b66f-42cb-8fef-20f53a9006ea", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/16280f1e-57e6-4242-aa21-bb4d16f13b2f.json b/packages/security_detection_engine/kibana/security_rule/16280f1e-57e6-4242-aa21-bb4d16f13b2f.json
deleted file mode 100644
index 3f1feb94702..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/16280f1e-57e6-4242-aa21-bb4d16f13b2f.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Automation Runbook Created or Modified", "note": "", "query": "event.dataset:azure.activitylogs and\n azure.activitylogs.operation_name:\n (\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE\" or\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE\" or\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION\"\n ) and\n event.outcome:(Success or success)\n", "references": ["https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor", "https://github.com/hausec/PowerZure", "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "16280f1e-57e6-4242-aa21-bb4d16f13b2f", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence"], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "16280f1e-57e6-4242-aa21-bb4d16f13b2f", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/16280f1e-57e6-4242-aa21-bb4d16f13b2f_101.json b/packages/security_detection_engine/kibana/security_rule/16280f1e-57e6-4242-aa21-bb4d16f13b2f_101.json
deleted file mode 100644
index 1f8719c0b3c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/16280f1e-57e6-4242-aa21-bb4d16f13b2f_101.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure Automation runbook to execute malicious code and maintain persistence in their target's environment.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Automation Runbook Created or Modified", "note": "", "query": "event.dataset:azure.activitylogs and\n azure.activitylogs.operation_name:\n (\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE\" or\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE\" or\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION\"\n ) and\n event.outcome:(Success or success)\n", "references": ["https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor", "https://github.com/hausec/PowerZure", "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "16280f1e-57e6-4242-aa21-bb4d16f13b2f", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "16280f1e-57e6-4242-aa21-bb4d16f13b2f_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06.json b/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06.json
deleted file mode 100644
index d86507dfd53..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modification of a file creation time. Adversaries may modify file time attributes to blend malicious content with existing files. Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in trusted directories.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "File Creation Time Changed", "query": "file where host.os.type == \"windows\" and event.code : \"2\" and\n\n /* Requires Sysmon EventID 2 - File creation time change */\n event.action : \"File creation time changed*\" and \n \n not process.executable : \n (\"?:\\\\Program Files\\\\*\", \n \"?:\\\\Program Files (x86)\\\\*\", \n \"?:\\\\Windows\\\\system32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\system32\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\syswow64\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\", \n \"?:\\\\WINDOWS\\\\system32\\\\backgroundTaskHost.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\slack\\\\app-*\\\\slack.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-*\\\\GitHubDesktop.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\") and \n not file.extension : (\"temp\", \"tmp\", \"~tmp\", \"xml\", \"newcfg\") and not user.name : (\"SYSTEM\", \"Local Service\", \"Network Service\") and\n not file.name : (\"LOG\", \"temp-index\", \"license.rtf\", \"iconcache_*.db\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", 
"type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "166727ab-6768-4e26-b80c-948b228ffc06", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.006", "name": "Timestomp", "reference": "https://attack.mitre.org/techniques/T1070/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "166727ab-6768-4e26-b80c-948b228ffc06", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_2.json b/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_2.json
deleted file mode 100644
index 1ddaeba9542..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modification of a file creation time. Adversaries may modify file time attributes to blend malicious content with existing files. Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in trusted directories.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "File Creation Time Changed", "query": "file where host.os.type == \"windows\" and event.code : \"2\" and\n\n /* Requires Sysmon EventID 2 - File creation time change */\n event.action : \"File creation time changed*\" and \n \n not process.executable : \n (\"?:\\\\Program Files\\\\*\", \n \"?:\\\\Program Files (x86)\\\\*\", \n \"?:\\\\Windows\\\\system32\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\syswow64\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\", \n \"?:\\\\WINDOWS\\\\system32\\\\backgroundTaskHost.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\slack\\\\app-*\\\\slack.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-*\\\\GitHubDesktop.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\") and \n not file.extension : (\"tmp\", \"~tmp\", \"xml\") and not user.name : (\"SYSTEM\", \"Local Service\", \"Network Service\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": 
"keyword"}], "risk_score": 47, "rule_id": "166727ab-6768-4e26-b80c-948b228ffc06", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.006", "name": "Timestomp", "reference": "https://attack.mitre.org/techniques/T1070/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "166727ab-6768-4e26-b80c-948b228ffc06_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_3.json b/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_3.json
deleted file mode 100644
index a5b294f85bd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modification of a file creation time. Adversaries may modify file time attributes to blend malicious content with existing files. Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in trusted directories.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "File Creation Time Changed", "query": "file where host.os.type == \"windows\" and event.code : \"2\" and\n\n /* Requires Sysmon EventID 2 - File creation time change */\n event.action : \"File creation time changed*\" and \n \n not process.executable : \n (\"?:\\\\Program Files\\\\*\", \n \"?:\\\\Program Files (x86)\\\\*\", \n \"?:\\\\Windows\\\\system32\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\syswow64\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\", \n \"?:\\\\WINDOWS\\\\system32\\\\backgroundTaskHost.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\slack\\\\app-*\\\\slack.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-*\\\\GitHubDesktop.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\") and \n not file.extension : (\"tmp\", \"~tmp\", \"xml\") and not user.name : (\"SYSTEM\", \"Local Service\", \"Network Service\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": 
"keyword"}], "risk_score": 47, "rule_id": "166727ab-6768-4e26-b80c-948b228ffc06", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.006", "name": "Timestomp", "reference": "https://attack.mitre.org/techniques/T1070/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "166727ab-6768-4e26-b80c-948b228ffc06_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_4.json b/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_4.json
deleted file mode 100644
index 45e20e7481c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modification of a file creation time. Adversaries may modify file time attributes to blend malicious content with existing files. Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in trusted directories.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "File Creation Time Changed", "query": "file where host.os.type == \"windows\" and event.code : \"2\" and\n\n /* Requires Sysmon EventID 2 - File creation time change */\n event.action : \"File creation time changed*\" and \n \n not process.executable : \n (\"?:\\\\Program Files\\\\*\", \n \"?:\\\\Program Files (x86)\\\\*\", \n \"?:\\\\Windows\\\\system32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\system32\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\syswow64\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\", \n \"?:\\\\WINDOWS\\\\system32\\\\backgroundTaskHost.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\slack\\\\app-*\\\\slack.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-*\\\\GitHubDesktop.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\") and \n not file.extension : (\"temp\", \"tmp\", \"~tmp\", \"xml\", \"newcfg\") and not user.name : (\"SYSTEM\", \"Local Service\", \"Network Service\") and\n not file.name : (\"LOG\", \"temp-index\", \"license.rtf\", \"iconcache_*.db\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": 
"keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "166727ab-6768-4e26-b80c-948b228ffc06", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.006", "name": "Timestomp", "reference": "https://attack.mitre.org/techniques/T1070/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "166727ab-6768-4e26-b80c-948b228ffc06_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_5.json b/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_5.json
deleted file mode 100644
index 3b5935a8e2c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/166727ab-6768-4e26-b80c-948b228ffc06_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modification of a file creation time. Adversaries may modify file time attributes to blend malicious content with existing files. Timestomping is a technique that modifies the timestamps of a file often to mimic files that are in trusted directories.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "File Creation Time Changed", "query": "file where host.os.type == \"windows\" and event.code : \"2\" and\n\n /* Requires Sysmon EventID 2 - File creation time change */\n event.action : \"File creation time changed*\" and \n \n not process.executable : \n (\"?:\\\\Program Files\\\\*\", \n \"?:\\\\Program Files (x86)\\\\*\", \n \"?:\\\\Windows\\\\system32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\system32\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\syswow64\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\", \n \"?:\\\\WINDOWS\\\\system32\\\\backgroundTaskHost.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\slack\\\\app-*\\\\slack.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\GitHubDesktop\\\\app-*\\\\GitHubDesktop.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\") and \n not file.extension : (\"temp\", \"tmp\", \"~tmp\", \"xml\", \"newcfg\") and not user.name : (\"SYSTEM\", \"Local Service\", \"Network Service\") and\n not file.name : (\"LOG\", \"temp-index\", \"license.rtf\", \"iconcache_*.db\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", 
"type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "166727ab-6768-4e26-b80c-948b228ffc06", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.006", "name": "Timestomp", "reference": "https://attack.mitre.org/techniques/T1070/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "166727ab-6768-4e26-b80c-948b228ffc06_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192.json b/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192.json
deleted file mode 100644
index d052b66ca8f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Kerberos Attack via Bifrost", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.args:(\"-action\" and (\"-kerberoast\" or askhash or asktgs or asktgt or s4u or (\"-ticket\" and ptt) or (dump and (tickets or keytab))))\n", "references": ["https://github.com/its-a-feature/bifrost"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "16904215-2c95-4ac8-bf5c-12354e047192", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.003", "name": "Pass the Ticket", "reference": "https://attack.mitre.org/techniques/T1550/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "16904215-2c95-4ac8-bf5c-12354e047192", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_102.json b/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_102.json
deleted file mode 100644
index a6f11c47053..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Kerberos Attack via Bifrost", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.args:(\"-action\" and (\"-kerberoast\" or askhash or asktgs or asktgt or s4u or (\"-ticket\" and ptt) or (dump and (tickets or keytab))))\n", "references": ["https://github.com/its-a-feature/bifrost"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "16904215-2c95-4ac8-bf5c-12354e047192", "severity": "high", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access", "Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.003", "name": "Pass the Ticket", "reference": "https://attack.mitre.org/techniques/T1550/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": 
"T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "16904215-2c95-4ac8-bf5c-12354e047192_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_103.json b/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_103.json
deleted file mode 100644
index c545e4d044f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Kerberos Attack via Bifrost", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.args:(\"-action\" and (\"-kerberoast\" or askhash or asktgs or asktgt or s4u or (\"-ticket\" and ptt) or (dump and (tickets or keytab))))\n", "references": ["https://github.com/its-a-feature/bifrost"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "16904215-2c95-4ac8-bf5c-12354e047192", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.003", "name": "Pass the Ticket", "reference": "https://attack.mitre.org/techniques/T1550/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", 
"subtechnique": [{"id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "16904215-2c95-4ac8-bf5c-12354e047192_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_104.json b/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_104.json
deleted file mode 100644
index f07b3f0d348..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Kerberos Attack via Bifrost", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.args:(\"-action\" and (\"-kerberoast\" or askhash or asktgs or asktgt or s4u or (\"-ticket\" and ptt) or (dump and (tickets or keytab))))\n", "references": ["https://github.com/its-a-feature/bifrost"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "16904215-2c95-4ac8-bf5c-12354e047192", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.003", "name": "Pass the Ticket", "reference": "https://attack.mitre.org/techniques/T1550/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": 
"https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "16904215-2c95-4ac8-bf5c-12354e047192_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_105.json b/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_105.json
deleted file mode 100644
index 0aad1c88598..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/16904215-2c95-4ac8-bf5c-12354e047192_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Kerberos Attack via Bifrost", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.args:(\"-action\" and (\"-kerberoast\" or askhash or asktgs or asktgt or s4u or (\"-ticket\" and ptt) or (dump and (tickets or keytab))))\n", "references": ["https://github.com/its-a-feature/bifrost"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "16904215-2c95-4ac8-bf5c-12354e047192", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.003", "name": "Pass the Ticket", "reference": "https://attack.mitre.org/techniques/T1550/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "16904215-2c95-4ac8-bf5c-12354e047192_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1.json b/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1.json
deleted file mode 100644
index e55c4e43b57..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group.", "false_positives": ["A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Group Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "169f3a93-efc7-4df2-94d6-0d9438c310d1", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.003", "name": "Cloud Account", "reference": "https://attack.mitre.org/techniques/T1136/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "169f3a93-efc7-4df2-94d6-0d9438c310d1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_102.json b/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_102.json
deleted file mode 100644
index da0b6e0ac52..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group.", "false_positives": ["A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Group Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "169f3a93-efc7-4df2-94d6-0d9438c310d1", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": 
"Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.003", "name": "Cloud Account", "reference": "https://attack.mitre.org/techniques/T1136/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "169f3a93-efc7-4df2-94d6-0d9438c310d1_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_103.json b/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_103.json
deleted file mode 100644
index ed15df9df3d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group.", "false_positives": ["A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Group Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "169f3a93-efc7-4df2-94d6-0d9438c310d1", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": 
[{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.003", "name": "Cloud Account", "reference": "https://attack.mitre.org/techniques/T1136/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "169f3a93-efc7-4df2-94d6-0d9438c310d1_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_104.json b/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_104.json
deleted file mode 100644
index b2355db46af..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group.", "false_positives": ["A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Group Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "169f3a93-efc7-4df2-94d6-0d9438c310d1", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": 
[{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.003", "name": "Cloud Account", "reference": "https://attack.mitre.org/techniques/T1136/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "169f3a93-efc7-4df2-94d6-0d9438c310d1_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_205.json b/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_205.json
deleted file mode 100644
index 164e1ef03f2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/169f3a93-efc7-4df2-94d6-0d9438c310d1_205.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group.", "false_positives": ["A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Group Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:CreateGroup and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "169f3a93-efc7-4df2-94d6-0d9438c310d1", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": 
[{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.003", "name": "Cloud Account", "reference": "https://attack.mitre.org/techniques/T1136/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "169f3a93-efc7-4df2-94d6-0d9438c310d1_205", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c.json b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c.json
deleted file mode 100644
index 12deaf0dd5f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*"], "language": "eql", "license": "Elastic License v2", "name": "Component Object Model Hijacking", "note": "## Triage and analysis\n\n### Investigating Component Object Model Hijacking\n\nAdversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file referenced in the registry and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Some Microsoft executables will reference the LocalServer32 
registry key value for the location of external COM objects.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\" and process.executable != null and \n (\n (\n registry.path : \"HK*\\\\InprocServer32\\\\\" and\n registry.data.strings: (\"scrobj.dll\", \"?:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\"\n ) or\n\n (\n registry.path : \"HKLM\\\\*\\\\InProcServer32\\\\*\" and\n registry.data.strings : (\"*\\\\Users\\\\*\", \"*\\\\ProgramData\\\\*\")\n ) or\n\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (\n registry.path : (\n \"HKEY_USERS\\\\*\\\\InprocServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\LocalServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\DelegateExecute\",\n \"HKEY_USERS\\\\*\\\\TreatAs\\\\\",\n \"HKEY_USERS\\\\*\\\\ScriptletURL*\"\n ) \n )\n ) and \n\n not (\n process.code_signature.trusted == true and\n process.code_signature.subject_name in \n (\"Island Technology Inc.\", \"Google LLC\", \"Grammarly, Inc.\", \"Dropbox, Inc\", \"REFINITIV US LLC\", \"HP Inc.\",\n \"Citrix Systems, Inc.\", \"Adobe Inc.\", \"Veeam Software Group GmbH\", \"Zhuhai Kingsoft Office Software Co., Ltd.\",\n \"Oracle America, Inc.\")\n ) and \n\n /* excludes Microsoft signed noisy processes */\n not\n (\n process.name : (\"OneDrive.exe\", \"OneDriveSetup.exe\", \"FileSyncConfig.exe\", \"Teams.exe\", \"MicrosoftEdgeUpdate.exe\", \"msrdcw.exe\", \"MicrosoftEdgeUpdateComRegisterShell64.exe\") and\n process.code_signature.trusted == true and 
process.code_signature.subject_name in (\"Microsoft Windows\", \"Microsoft Corporation\")\n ) and\n \n not process.executable : \n (\"?:\\\\Program Files (x86)\\\\*.exe\", \n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\", \n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\SysWOW64\\\\regsvr32.exe\",\n \"?:\\\\Windows\\\\System32\\\\regsvr32.exe\",\n \"?:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\*.exe\", \n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\")\n", "references": ["https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: 
Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.015", "name": "Component Object Model Hijacking", "reference": "https://attack.mitre.org/techniques/T1546/015/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.015", "name": "Component Object Model Hijacking", "reference": "https://attack.mitre.org/techniques/T1546/015/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 114}, "id": "16a52c14-7883-47af-8745-9357803f0d4c", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_104.json b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_104.json deleted file mode 100644 index 51eba5fd7dd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Component Object Model Hijacking", "note": "## Triage and analysis\n\n### Investigating Component Object Model Hijacking\n\nAdversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file referenced in the registry and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Some Microsoft executables will reference the 
LocalServer32 registry key value for the location of external COM objects.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\" and\n\n(\n (registry.path : (\"HK*\\\\InprocServer32\\\\\", \"\\\\REGISTRY\\\\*\\\\InprocServer32\\\\\") and\n registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\") or\n\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\n \"HKEY_USERS\\\\*\\\\InprocServer32\\\\*\",\n \"HKEY_USERS\\\\*\\\\LocalServer32\\\\*\",\n \"HKEY_USERS\\\\*\\\\DelegateExecute\\\\*\",\n \"HKEY_USERS\\\\*\\\\TreatAs\\\\*\",\n \"HKEY_USERS\\\\*\\\\ScriptletURL\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\InprocServer32\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\LocalServer32\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\DelegateExecute\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\TreatAs\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\ScriptletURL\\\\*\"\n ) and not \n (process.executable : \"?:\\\\Program Files*\\\\Veeam\\\\Backup and Replication\\\\Console\\\\veeam.backup.shell.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\"))\n ) or\n\n (registry.path : (\"HKLM\\\\*\\\\InProcServer32\\\\*\", \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\InProcServer32\\\\*\") and\n registry.data.strings : (\"*\\\\Users\\\\*\", \"*\\\\ProgramData\\\\*\"))\n\n ) and\n\n /* removes false-positives generated by OneDrive and Teams */\n not 
process.name : (\"OneDrive.exe\",\"OneDriveSetup.exe\",\"FileSyncConfig.exe\",\"Teams.exe\") and\n\n /* Teams DLL loaded by regsvr */\n not (process.name: \"regsvr32.exe\" and registry.data.strings : \"*Microsoft.Teams.*.dll\")\n", "references": ["https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.015", "name": "Component Object Model Hijacking", "reference": "https://attack.mitre.org/techniques/T1546/015/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "16a52c14-7883-47af-8745-9357803f0d4c_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_105.json b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_105.json
deleted file mode 100644
index e166c1a7745..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Component Object Model Hijacking", "note": "## Triage and analysis\n\n### Investigating Component Object Model Hijacking\n\nAdversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file referenced in the registry and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Some Microsoft executables will reference the 
LocalServer32 registry key value for the location of external COM objects.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\" and\n (\n (\n registry.path : (\"HK*\\\\InprocServer32\\\\\", \"\\\\REGISTRY\\\\*\\\\InprocServer32\\\\\") and\n registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\"\n ) or\n\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\n \"HKEY_USERS\\\\*\\\\InprocServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\LocalServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\DelegateExecute*\",\n \"HKEY_USERS\\\\*\\\\TreatAs*\",\n \"HKEY_USERS\\\\*\\\\ScriptletURL*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\InprocServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\LocalServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\DelegateExecute*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\TreatAs*\", \n \"\\\\REGISTRY\\\\USER\\\\*\\\\ScriptletURL*\"\n ) and not \n (\n process.executable : \"?:\\\\Program Files*\\\\Veeam\\\\Backup and Replication\\\\Console\\\\veeam.backup.shell.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\"))\n ) or\n\n (\n registry.path : (\"HKLM\\\\*\\\\InProcServer32\\\\*\", \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\InProcServer32\\\\*\") and\n registry.data.strings : (\"*\\\\Users\\\\*\", \"*\\\\ProgramData\\\\*\")\n )\n ) and\n\n /* removes false-positives generated by OneDrive and Teams */\n not process.name: 
(\"OneDrive.exe\", \"OneDriveSetup.exe\", \"FileSyncConfig.exe\", \"Teams.exe\") and\n\n /* Teams DLL loaded by regsvr */\n not (process.name: \"regsvr32.exe\" and registry.data.strings : \"*Microsoft.Teams.*.dll\")\n", "references": ["https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.015", "name": "Component Object Model Hijacking", "reference": "https://attack.mitre.org/techniques/T1546/015/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "16a52c14-7883-47af-8745-9357803f0d4c_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_106.json b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_106.json
deleted file mode 100644
index 2c3fc332fbc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Component Object Model Hijacking", "note": "## Triage and analysis\n\n### Investigating Component Object Model Hijacking\n\nAdversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file referenced in the registry and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Some Microsoft executables will reference the 
LocalServer32 registry key value for the location of external COM objects.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\" and\n (\n (\n registry.path : (\"HK*\\\\InprocServer32\\\\\", \"\\\\REGISTRY\\\\*\\\\InprocServer32\\\\\") and\n registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\"\n ) or\n\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\n \"HKEY_USERS\\\\*\\\\InprocServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\LocalServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\DelegateExecute*\",\n \"HKEY_USERS\\\\*\\\\TreatAs*\",\n \"HKEY_USERS\\\\*\\\\ScriptletURL*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\InprocServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\LocalServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\DelegateExecute*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\TreatAs*\", \n \"\\\\REGISTRY\\\\USER\\\\*\\\\ScriptletURL*\"\n ) and not \n (\n process.executable : \"?:\\\\Program Files*\\\\Veeam\\\\Backup and Replication\\\\Console\\\\veeam.backup.shell.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\"))\n ) or\n\n (\n registry.path : (\"HKLM\\\\*\\\\InProcServer32\\\\*\", \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\InProcServer32\\\\*\") and\n registry.data.strings : (\"*\\\\Users\\\\*\", \"*\\\\ProgramData\\\\*\")\n )\n ) and\n\n /* removes false-positives generated by OneDrive and Teams */\n not process.name: 
(\"OneDrive.exe\", \"OneDriveSetup.exe\", \"FileSyncConfig.exe\", \"Teams.exe\") and\n\n /* Teams DLL loaded by regsvr */\n not (process.name: \"regsvr32.exe\" and registry.data.strings : \"*Microsoft.Teams.*.dll\")\n", "references": ["https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.015", "name": "Component Object Model Hijacking", "reference": "https://attack.mitre.org/techniques/T1546/015/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "16a52c14-7883-47af-8745-9357803f0d4c_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_107.json b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_107.json
deleted file mode 100644
index f82d4b50a7f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Component Object Model Hijacking", "note": "## Triage and analysis\n\n### Investigating Component Object Model Hijacking\n\nAdversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file referenced in the registry and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Some Microsoft executables will reference the 
LocalServer32 registry key value for the location of external COM objects.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\" and\n (\n (\n registry.path : (\"HK*\\\\InprocServer32\\\\\", \"\\\\REGISTRY\\\\*\\\\InprocServer32\\\\\") and\n registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\"\n ) or\n\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\n \"HKEY_USERS\\\\*\\\\InprocServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\LocalServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\DelegateExecute*\",\n \"HKEY_USERS\\\\*\\\\TreatAs*\",\n \"HKEY_USERS\\\\*\\\\ScriptletURL*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\InprocServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\LocalServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\DelegateExecute*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\TreatAs*\", \n \"\\\\REGISTRY\\\\USER\\\\*\\\\ScriptletURL*\"\n ) and not \n (\n process.executable : \"?:\\\\Program Files*\\\\Veeam\\\\Backup and Replication\\\\Console\\\\veeam.backup.shell.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\"))\n ) or\n\n (\n registry.path : (\"HKLM\\\\*\\\\InProcServer32\\\\*\", \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\InProcServer32\\\\*\") and\n registry.data.strings : (\"*\\\\Users\\\\*\", \"*\\\\ProgramData\\\\*\")\n )\n ) and\n\n /* removes false-positives generated by OneDrive and Teams */\n not process.name: 
(\"OneDrive.exe\", \"OneDriveSetup.exe\", \"FileSyncConfig.exe\", \"Teams.exe\") and\n\n /* Teams DLL loaded by regsvr */\n not (process.name: \"regsvr32.exe\" and registry.data.strings : \"*Microsoft.Teams.*.dll\")\n", "references": ["https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.015", "name": "Component Object Model Hijacking", "reference": "https://attack.mitre.org/techniques/T1546/015/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "16a52c14-7883-47af-8745-9357803f0d4c_107", "type": "security-rule"} \ No newline at 
end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_108.json b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_108.json
deleted file mode 100644
index 7f74933252d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Component Object Model Hijacking", "note": "## Triage and analysis\n\n### Investigating Component Object Model Hijacking\n\nAdversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file referenced in the registry and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Some Microsoft executables will reference the 
LocalServer32 registry key value for the location of external COM objects.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\" and\n (\n (\n registry.path : (\"HK*\\\\InprocServer32\\\\\", \"\\\\REGISTRY\\\\*\\\\InprocServer32\\\\\") and\n registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\"\n ) or\n\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\n \"HKEY_USERS\\\\*\\\\InprocServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\LocalServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\DelegateExecute*\",\n \"HKEY_USERS\\\\*\\\\TreatAs*\",\n \"HKEY_USERS\\\\*\\\\ScriptletURL*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\InprocServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\LocalServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\DelegateExecute*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\TreatAs*\", \n \"\\\\REGISTRY\\\\USER\\\\*\\\\ScriptletURL*\"\n ) and not \n (\n process.executable : \"?:\\\\Program Files*\\\\Veeam\\\\Backup and Replication\\\\Console\\\\veeam.backup.shell.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\"))\n ) or\n\n (\n registry.path : (\"HKLM\\\\*\\\\InProcServer32\\\\*\", \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\InProcServer32\\\\*\") and\n registry.data.strings : (\"*\\\\Users\\\\*\", \"*\\\\ProgramData\\\\*\")\n )\n ) and\n\n /* removes false-positives generated by OneDrive and Teams */\n not process.name: 
(\"OneDrive.exe\", \"OneDriveSetup.exe\", \"FileSyncConfig.exe\", \"Teams.exe\") and\n\n /* Teams DLL loaded by regsvr */\n not (process.name: \"regsvr32.exe\" and registry.data.strings : \"*Microsoft.Teams.*.dll\")\n", "references": ["https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.015", "name": "Component Object Model Hijacking", "reference": "https://attack.mitre.org/techniques/T1546/015/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": 
"https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.015", "name": "Component Object Model Hijacking", "reference": "https://attack.mitre.org/techniques/T1546/015/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "16a52c14-7883-47af-8745-9357803f0d4c_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_109.json b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_109.json
deleted file mode 100644
index 346dbd994d3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Component Object Model Hijacking", "note": "## Triage and analysis\n\n### Investigating Component Object Model Hijacking\n\nAdversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file referenced in the registry and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Some Microsoft executables will reference the 
LocalServer32 registry key value for the location of external COM objects.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n", "query": "registry where host.os.type == \"windows\" and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\" and\n (\n (\n registry.path : (\"HK*\\\\InprocServer32\\\\\", \"\\\\REGISTRY\\\\*\\\\InprocServer32\\\\\") and\n registry.data.strings: (\"scrobj.dll\", \"C:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\"\n ) or\n\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (registry.path : (\n \"HKEY_USERS\\\\*\\\\InprocServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\LocalServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\DelegateExecute*\",\n \"HKEY_USERS\\\\*\\\\TreatAs*\",\n \"HKEY_USERS\\\\*\\\\ScriptletURL*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\InprocServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\LocalServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\DelegateExecute*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\TreatAs*\", \n \"\\\\REGISTRY\\\\USER\\\\*\\\\ScriptletURL*\"\n ) and not \n (\n process.executable : \"?:\\\\Program Files*\\\\Veeam\\\\Backup and Replication\\\\Console\\\\veeam.backup.shell.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\"))\n ) or\n\n (\n registry.path : (\"HKLM\\\\*\\\\InProcServer32\\\\*\", \"\\\\REGISTRY\\\\MACHINE\\\\*\\\\InProcServer32\\\\*\") and\n registry.data.strings : (\"*\\\\Users\\\\*\", \"*\\\\ProgramData\\\\*\")\n )\n ) and\n\n /* removes false-positives generated by OneDrive and Teams */\n not process.name: 
(\"OneDrive.exe\", \"OneDriveSetup.exe\", \"FileSyncConfig.exe\", \"Teams.exe\") and\n\n /* Teams DLL loaded by regsvr */\n not (process.name: \"regsvr32.exe\" and registry.data.strings : \"*Microsoft.Teams.*.dll\")\n", "references": ["https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.015", "name": "Component Object Model 
Hijacking", "reference": "https://attack.mitre.org/techniques/T1546/015/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.015", "name": "Component Object Model Hijacking", "reference": "https://attack.mitre.org/techniques/T1546/015/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "16a52c14-7883-47af-8745-9357803f0d4c_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_110.json b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_110.json
deleted file mode 100644
index d772f323fef..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Component Object Model Hijacking", "note": "## Triage and analysis\n\n### Investigating Component Object Model Hijacking\n\nAdversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file referenced in the registry and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Some Microsoft executables will reference the LocalServer32 registry 
key value for the location of external COM objects.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n", "query": "registry where host.os.type == \"windows\" and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\" and\n (\n (\n registry.path : \"HK*\\\\InprocServer32\\\\\" and\n registry.data.strings: (\"scrobj.dll\", \"?:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\"\n ) or\n\n (\n registry.path : \"HKLM\\\\*\\\\InProcServer32\\\\*\" and\n registry.data.strings : (\"*\\\\Users\\\\*\", \"*\\\\ProgramData\\\\*\")\n ) or\n\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (\n registry.path : (\n \"HKEY_USERS\\\\*\\\\InprocServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\LocalServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\DelegateExecute\",\n \"HKEY_USERS\\\\*\\\\TreatAs\\\\\",\n \"HKEY_USERS\\\\*\\\\ScriptletURL*\"\n ) and\n not \n (\n (\n process.name : \"svchost.exe\" and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Microsoft Windows Publisher\" and\n registry.value : \"DelegateExecute\" and\n registry.data.strings : (\n /* https://strontic.github.io/xcyclopedia/library/clsid_4ED3A719-CEA8-4BD9-910D-E252F997AFC2.html */\n \"{4ED3A719-CEA8-4BD9-910D-E252F997AFC2}\",\n\n /* https://strontic.github.io/xcyclopedia/library/clsid_A56A841F-E974-45C1-8001-7E3F8A085917.html */\n \"{A56A841F-E974-45C1-8001-7E3F8A085917}\",\n\n /* https://strontic.github.io/xcyclopedia/library/clsid_BFEC0C93-0B7D-4F2C-B09C-AFFFC4BDAE78.html */\n \"{BFEC0C93-0B7D-4F2C-B09C-AFFFC4BDAE78}\",\n \"%SystemRoot%\\\\system32\\\\shdocvw.dll\"\n )\n ) or\n (\n 
process.name : \"veeam.backup.shell.exe\" and\n registry.path : \"HKEY_USERS\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\" and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Veeam Software Group GmbH\"\n ) or \n (\n process.name : (\"ADNotificationManager.exe\", \"Creative Cloud.exe\") and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Adobe Inc.\" and\n registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\ADNotificationManager.exe\\\" -ToastActivated\",\n \"\\\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\ADNotificationManager.exe\\\" -ToastActivated\",\n \"\\\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\ADNotificationManager.exe\\\" -ToastActivated\",\n \"\\\"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\ADNotificationManager.exe\\\" -ToastActivated\",\n \"\\\"?:\\\\Program Files\\\\Adobe\\\\Adobe Creative Cloud\\\\ACC\\\\Creative Cloud.exe\\\" -ToastActivated\"\n )\n ) or \n (\n process.name : (\"IslandUpdateComRegisterShell64.exe\", \"IslandUpdate.exe\", \"GoogleUpdateComRegisterShell64.exe\") and\n process.code_signature.trusted == true and\n process.code_signature.subject_name in (\"Island Technology Inc.\", \"Google LLC\") and\n registry.data.strings : (\n \"*?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Island\\\\Update\\\\*\",\n \"*?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Update\\\\*\"\n )\n ) or \n (\n process.name : (\"SelfService.exe\", \"WfShell.exe\") and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Citrix Systems, Inc.\" and\n registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Citrix\\\\ICA Client\\\\SelfServicePlugin\\\\SelfService.exe\\\" -ToastActivated\",\n \"%SystemRoot%\\\\system32\\\\shdocvw.dll\",\n \"%SystemRoot%\\\\sysWOW64\\\\shdocvw.dll\"\n )\n ) or \n (\n process.name : (\"msrdcw.exe\") and\n 
process.code_signature.trusted == true and process.code_signature.subject_name == \"Microsoft Corporation\" and\n registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Remote Desktop\\\\msrdcw.exe\\\" -ToastActivated\",\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Apps\\\\Remote Desktop\\\\msrdcw.exe\\\" -ToastActivated\"\n )\n ) or \n (\n process.name : (\"ssvagent.exe\") and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Oracle America, Inc.\" and\n registry.data.strings : (\n \"?:\\\\Program Files\\\\Java\\\\jre*\\\\bin\\\\jp2iexp.dll\",\n \"?:\\\\Program Files (x86)\\\\Java\\\\jre*\\\\bin\\\\jp2iexp.dll\"\n )\n ) or \n (\n process.name : (\"hpnotifications.exe\") and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"HP Inc.\" and\n registry.data.strings : (\n \"\\\"?:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\hpsvcsscancomp.inf_amd64_*\\\\x64\\\\hpnotifications.exe\\\" -ToastActivated\"\n )\n )\n )\n )\n ) and\n\n /* removes false-positives generated by OneDrive and Teams */\n not\n (\n process.name: (\"OneDrive.exe\", \"OneDriveSetup.exe\", \"FileSyncConfig.exe\", \"Teams.exe\") and\n process.code_signature.trusted == true and process.code_signature.subject_name in (\"Microsoft Windows\", \"Microsoft Corporation\")\n ) and\n\n /* Teams DLL loaded by regsvr */\n not (process.name: \"regsvr32.exe\" and registry.data.strings : \"*Microsoft.Teams.*.dll\")\n", "references": ["https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, 
"name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.015", "name": "Component Object Model Hijacking", "reference": "https://attack.mitre.org/techniques/T1546/015/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.015", "name": "Component Object Model Hijacking", "reference": "https://attack.mitre.org/techniques/T1546/015/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", 
"reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "16a52c14-7883-47af-8745-9357803f0d4c_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_111.json b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_111.json
deleted file mode 100644
index c42a8f66cb2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Component Object Model Hijacking", "note": "## Triage and analysis\n\n### Investigating Component Object Model Hijacking\n\nAdversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file referenced in the registry and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Some Microsoft executables will reference the LocalServer32 registry 
key value for the location of external COM objects.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\" and\n (\n (\n registry.path : \"HK*\\\\InprocServer32\\\\\" and\n registry.data.strings: (\"scrobj.dll\", \"?:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\"\n ) or\n\n (\n registry.path : \"HKLM\\\\*\\\\InProcServer32\\\\*\" and\n registry.data.strings : (\"*\\\\Users\\\\*\", \"*\\\\ProgramData\\\\*\")\n ) or\n\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (\n registry.path : (\n \"HKEY_USERS\\\\*\\\\InprocServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\LocalServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\DelegateExecute\",\n \"HKEY_USERS\\\\*\\\\TreatAs\\\\\",\n \"HKEY_USERS\\\\*\\\\ScriptletURL*\"\n ) and\n not \n (\n (\n process.name : \"svchost.exe\" and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Microsoft Windows Publisher\" and\n registry.value : \"DelegateExecute\" and\n registry.data.strings : (\n /* https://strontic.github.io/xcyclopedia/library/clsid_4ED3A719-CEA8-4BD9-910D-E252F997AFC2.html */\n \"{4ED3A719-CEA8-4BD9-910D-E252F997AFC2}\",\n\n /* https://strontic.github.io/xcyclopedia/library/clsid_A56A841F-E974-45C1-8001-7E3F8A085917.html */\n \"{A56A841F-E974-45C1-8001-7E3F8A085917}\",\n\n /* https://strontic.github.io/xcyclopedia/library/clsid_BFEC0C93-0B7D-4F2C-B09C-AFFFC4BDAE78.html */\n \"{BFEC0C93-0B7D-4F2C-B09C-AFFFC4BDAE78}\",\n \"%SystemRoot%\\\\system32\\\\shdocvw.dll\"\n )\n ) or\n (\n 
process.name : \"veeam.backup.shell.exe\" and\n registry.path : \"HKEY_USERS\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\" and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Veeam Software Group GmbH\"\n ) or \n (\n process.name : (\"ADNotificationManager.exe\", \"Creative Cloud.exe\") and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Adobe Inc.\" and\n registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\ADNotificationManager.exe\\\" -ToastActivated\",\n \"\\\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\ADNotificationManager.exe\\\" -ToastActivated\",\n \"\\\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\ADNotificationManager.exe\\\" -ToastActivated\",\n \"\\\"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\ADNotificationManager.exe\\\" -ToastActivated\",\n \"\\\"?:\\\\Program Files\\\\Adobe\\\\Adobe Creative Cloud\\\\ACC\\\\Creative Cloud.exe\\\" -ToastActivated\"\n )\n ) or \n (\n process.name : (\"IslandUpdateComRegisterShell64.exe\", \"IslandUpdate.exe\", \"GoogleUpdateComRegisterShell64.exe\") and\n process.code_signature.trusted == true and\n process.code_signature.subject_name in (\"Island Technology Inc.\", \"Google LLC\") and\n registry.data.strings : (\n \"*?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Island\\\\Update\\\\*\",\n \"*?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Update\\\\*\"\n )\n ) or \n (\n process.name : (\"SelfService.exe\", \"WfShell.exe\") and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Citrix Systems, Inc.\" and\n registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Citrix\\\\ICA Client\\\\SelfServicePlugin\\\\SelfService.exe\\\" -ToastActivated\",\n \"%SystemRoot%\\\\system32\\\\shdocvw.dll\",\n \"%SystemRoot%\\\\sysWOW64\\\\shdocvw.dll\"\n )\n ) or \n (\n process.name : (\"msrdcw.exe\") and\n 
process.code_signature.trusted == true and process.code_signature.subject_name == \"Microsoft Corporation\" and\n registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Remote Desktop\\\\msrdcw.exe\\\" -ToastActivated\",\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Apps\\\\Remote Desktop\\\\msrdcw.exe\\\" -ToastActivated\"\n )\n ) or \n (\n process.name : (\"ssvagent.exe\") and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Oracle America, Inc.\" and\n registry.data.strings : (\n \"?:\\\\Program Files\\\\Java\\\\jre*\\\\bin\\\\jp2iexp.dll\",\n \"?:\\\\Program Files (x86)\\\\Java\\\\jre*\\\\bin\\\\jp2iexp.dll\"\n )\n ) or \n (\n process.name : (\"hpnotifications.exe\") and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"HP Inc.\" and\n registry.data.strings : (\n \"\\\"?:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\hpsvcsscancomp.inf_amd64_*\\\\x64\\\\hpnotifications.exe\\\" -ToastActivated\"\n )\n )\n )\n )\n ) and\n\n /* removes false-positives generated by OneDrive and Teams */\n not\n (\n process.name: (\"OneDrive.exe\", \"OneDriveSetup.exe\", \"FileSyncConfig.exe\", \"Teams.exe\") and\n process.code_signature.trusted == true and process.code_signature.subject_name in (\"Microsoft Windows\", \"Microsoft Corporation\")\n ) and\n\n /* Teams DLL loaded by regsvr */\n not (process.name: \"regsvr32.exe\" and registry.data.strings : \"*Microsoft.Teams.*.dll\")\n", "references": ["https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, 
"name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.015", "name": "Component Object Model Hijacking", "reference": "https://attack.mitre.org/techniques/T1546/015/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.015", "name": "Component Object Model Hijacking", "reference": "https://attack.mitre.org/techniques/T1546/015/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense 
Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "16a52c14-7883-47af-8745-9357803f0d4c_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_112.json b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_112.json
deleted file mode 100644
index 88a02fd0784..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_112.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*"], "language": "eql", "license": "Elastic License v2", "name": "Component Object Model Hijacking", "note": "## Triage and analysis\n\n### Investigating Component Object Model Hijacking\n\nAdversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file referenced in the registry and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Some Microsoft executables will reference the LocalServer32 
registry key value for the location of external COM objects.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\" and\n (\n (\n registry.path : \"HK*\\\\InprocServer32\\\\\" and\n registry.data.strings: (\"scrobj.dll\", \"?:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\"\n ) or\n\n (\n registry.path : \"HKLM\\\\*\\\\InProcServer32\\\\*\" and\n registry.data.strings : (\"*\\\\Users\\\\*\", \"*\\\\ProgramData\\\\*\")\n ) or\n\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (\n registry.path : (\n \"HKEY_USERS\\\\*\\\\InprocServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\LocalServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\DelegateExecute\",\n \"HKEY_USERS\\\\*\\\\TreatAs\\\\\",\n \"HKEY_USERS\\\\*\\\\ScriptletURL*\"\n ) and\n not \n (\n (\n process.name : \"svchost.exe\" and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Microsoft Windows Publisher\" and\n registry.value : \"DelegateExecute\" and\n registry.data.strings : (\n /* https://strontic.github.io/xcyclopedia/library/clsid_4ED3A719-CEA8-4BD9-910D-E252F997AFC2.html */\n \"{4ED3A719-CEA8-4BD9-910D-E252F997AFC2}\",\n\n /* https://strontic.github.io/xcyclopedia/library/clsid_A56A841F-E974-45C1-8001-7E3F8A085917.html */\n \"{A56A841F-E974-45C1-8001-7E3F8A085917}\",\n\n /* https://strontic.github.io/xcyclopedia/library/clsid_BFEC0C93-0B7D-4F2C-B09C-AFFFC4BDAE78.html */\n \"{BFEC0C93-0B7D-4F2C-B09C-AFFFC4BDAE78}\",\n \"%SystemRoot%\\\\system32\\\\shdocvw.dll\"\n )\n ) or\n (\n 
process.name : \"veeam.backup.shell.exe\" and\n registry.path : \"HKEY_USERS\\\\S-1-*_Classes\\\\CLSID\\\\*\\\\LocalServer32\\\\\" and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Veeam Software Group GmbH\"\n ) or \n (\n process.name : (\"ADNotificationManager.exe\", \"Creative Cloud.exe\") and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Adobe Inc.\" and\n registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\ADNotificationManager.exe\\\" -ToastActivated\",\n \"\\\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\ADNotificationManager.exe\\\" -ToastActivated\",\n \"\\\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\ADNotificationManager.exe\\\" -ToastActivated\",\n \"\\\"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\ADNotificationManager.exe\\\" -ToastActivated\",\n \"\\\"?:\\\\Program Files\\\\Adobe\\\\Adobe Creative Cloud\\\\ACC\\\\Creative Cloud.exe\\\" -ToastActivated\"\n )\n ) or \n (\n process.name : (\"IslandUpdateComRegisterShell64.exe\", \"IslandUpdate.exe\", \"GoogleUpdateComRegisterShell64.exe\") and\n process.code_signature.trusted == true and\n process.code_signature.subject_name in (\"Island Technology Inc.\", \"Google LLC\") and\n registry.data.strings : (\n \"*?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Island\\\\Update\\\\*\",\n \"*?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Update\\\\*\"\n )\n ) or \n (\n process.name : (\"SelfService.exe\", \"WfShell.exe\") and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Citrix Systems, Inc.\" and\n registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Citrix\\\\ICA Client\\\\SelfServicePlugin\\\\SelfService.exe\\\" -ToastActivated\",\n \"%SystemRoot%\\\\system32\\\\shdocvw.dll\",\n \"%SystemRoot%\\\\sysWOW64\\\\shdocvw.dll\"\n )\n ) or \n (\n process.name : (\"msrdcw.exe\") and\n 
process.code_signature.trusted == true and process.code_signature.subject_name == \"Microsoft Corporation\" and\n registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Remote Desktop\\\\msrdcw.exe\\\" -ToastActivated\",\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Apps\\\\Remote Desktop\\\\msrdcw.exe\\\" -ToastActivated\"\n )\n ) or \n (\n process.name : (\"ssvagent.exe\") and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Oracle America, Inc.\" and\n registry.data.strings : (\n \"?:\\\\Program Files\\\\Java\\\\jre*\\\\bin\\\\jp2iexp.dll\",\n \"?:\\\\Program Files (x86)\\\\Java\\\\jre*\\\\bin\\\\jp2iexp.dll\"\n )\n ) or \n (\n process.name : (\"hpnotifications.exe\") and\n process.code_signature.trusted == true and process.code_signature.subject_name == \"HP Inc.\" and\n registry.data.strings : (\n \"\\\"?:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\hpsvcsscancomp.inf_amd64_*\\\\x64\\\\hpnotifications.exe\\\" -ToastActivated\"\n )\n )\n )\n )\n ) and\n\n /* removes false-positives generated by OneDrive and Teams */\n not\n (\n process.name: (\"OneDrive.exe\", \"OneDriveSetup.exe\", \"FileSyncConfig.exe\", \"Teams.exe\") and\n process.code_signature.trusted == true and process.code_signature.subject_name in (\"Microsoft Windows\", \"Microsoft Corporation\")\n ) and\n\n /* Teams DLL loaded by regsvr */\n not (process.name: \"regsvr32.exe\" and registry.data.strings : \"*Microsoft.Teams.*.dll\")\n", "references": ["https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, 
"name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.015", "name": "Component Object Model Hijacking", "reference": "https://attack.mitre.org/techniques/T1546/015/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.015", "name": "Component Object Model Hijacking", "reference": "https://attack.mitre.org/techniques/T1546/015/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense 
Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "16a52c14-7883-47af-8745-9357803f0d4c_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_113.json b/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_113.json
deleted file mode 100644
index 93ad5a6baed..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/16a52c14-7883-47af-8745-9357803f0d4c_113.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Component Object Model (COM) hijacking via registry modification. Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*"], "language": "eql", "license": "Elastic License v2", "name": "Component Object Model Hijacking", "note": "## Triage and analysis\n\n### Investigating Component Object Model Hijacking\n\nAdversaries can insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means of persistence.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve the file referenced in the registry and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- Some Microsoft executables will reference the LocalServer32 
registry key value for the location of external COM objects.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and\n /* not necessary but good for filtering privileged installations */\n user.domain != \"NT AUTHORITY\" and process.executable != null and \n (\n (\n registry.path : \"HK*\\\\InprocServer32\\\\\" and\n registry.data.strings: (\"scrobj.dll\", \"?:\\\\*\\\\scrobj.dll\") and\n not registry.path : \"*\\\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\\\*\"\n ) or\n\n (\n registry.path : \"HKLM\\\\*\\\\InProcServer32\\\\*\" and\n registry.data.strings : (\"*\\\\Users\\\\*\", \"*\\\\ProgramData\\\\*\")\n ) or\n\n /* in general COM Registry changes on Users Hive is less noisy and worth alerting */\n (\n registry.path : (\n \"HKEY_USERS\\\\*\\\\InprocServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\LocalServer32\\\\\",\n \"HKEY_USERS\\\\*\\\\DelegateExecute\",\n \"HKEY_USERS\\\\*\\\\TreatAs\\\\\",\n \"HKEY_USERS\\\\*\\\\ScriptletURL*\"\n ) \n )\n ) and \n\n not (\n process.code_signature.trusted == true and\n process.code_signature.subject_name in \n (\"Island Technology Inc.\", \"Google LLC\", \"Grammarly, Inc.\", \"Dropbox, Inc\", \"REFINITIV US LLC\", \"HP Inc.\",\n \"Citrix Systems, Inc.\", \"Adobe Inc.\", \"Veeam Software Group GmbH\", \"Zhuhai Kingsoft Office Software Co., Ltd.\",\n \"Oracle America, Inc.\")\n ) and \n\n /* excludes Microsoft signed noisy processes */\n not\n (\n process.name : (\"OneDrive.exe\", \"OneDriveSetup.exe\", \"FileSyncConfig.exe\", \"Teams.exe\", \"MicrosoftEdgeUpdate.exe\", \"msrdcw.exe\", \"MicrosoftEdgeUpdateComRegisterShell64.exe\") and\n process.code_signature.trusted == true and process.code_signature.subject_name in 
(\"Microsoft Windows\", \"Microsoft Corporation\")\n ) and\n \n not process.executable : \n (\"?:\\\\Program Files (x86)\\\\*.exe\", \n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\", \n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \n \"?:\\\\Windows\\\\SysWOW64\\\\regsvr32.exe\",\n \"?:\\\\Windows\\\\System32\\\\regsvr32.exe\",\n \"?:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\*.exe\", \n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\")\n", "references": ["https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "16a52c14-7883-47af-8745-9357803f0d4c", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense 
Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.015", "name": "Component Object Model Hijacking", "reference": "https://attack.mitre.org/techniques/T1546/015/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.015", "name": "Component Object Model Hijacking", "reference": "https://attack.mitre.org/techniques/T1546/015/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "16a52c14-7883-47af-8745-9357803f0d4c_113", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046.json b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046.json
deleted file mode 100644
index 291aebfd0aa..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.", "false_positives": ["Legitimate Administrative Activity"], "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Startup/Logon Script added to Group Policy Object", "note": "## Triage and analysis\n\n### Investigating Startup/Logon Script added to Group Policy Object\n\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following paths:\n - `\\Machine\\Scripts\\`\n - `\\User\\Scripts\\`\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is legitimately authorized and executed under a change management process.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where 
necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where host.os.type == \"windows\" and event.code in (\"5136\", \"5145\") and\n(\n (\n winlog.event_data.AttributeLDAPDisplayName : (\n \"gPCMachineExtensionNames\",\n \"gPCUserExtensionNames\"\n ) and\n winlog.event_data.AttributeValue : \"*42B5FAAE-6536-11D2-AE5A-0000F87571E3*\" and\n winlog.event_data.AttributeValue : (\n \"*40B66650-4972-11D1-A7CA-0000F87571E3*\",\n \"*40B6664F-4972-11D1-A7CA-0000F87571E3*\"\n )\n ) or\n (\n winlog.event_data.ShareName : \"\\\\\\\\*\\\\SYSVOL\" and\n winlog.event_data.RelativeTargetName : (\"*\\\\scripts.ini\", \"*\\\\psscripts.ini\") and\n winlog.event_data.AccessList:\"*%%4417*\"\n )\n)\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", "https://labs.f-secure.com/tools/sharpgpoabuse"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessList", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown"}, {"ecs": false, "name": 
"winlog.event_data.ShareName", "type": "unknown"}], "risk_score": 47, "rule_id": "16fac1a1-21ee-4ca6-b720-458e3855d046", "setup": "## Setup\n\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1484", "name": "Domain or Tenant Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}, {"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "16fac1a1-21ee-4ca6-b720-458e3855d046", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_105.json b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_105.json
deleted file mode 100644
index 57ec46cb6a8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.", "false_positives": ["Legitimate Administrative Activity"], "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Startup/Logon Script added to Group Policy Object", "note": "## Triage and analysis\n\n### Investigating Scheduled Task Execution at Scale via GPO\n\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following paths:\n - `\\Machine\\Scripts\\`\n - `\\User\\Scripts\\`\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is legitimately authorized and executed under a change management process.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where 
necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "host.os.type:windows and\n(\n event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and\n winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and\n (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))\n)\nor\n(\n event.code:5145 and winlog.event_data.ShareName:\\\\\\\\*\\\\SYSVOL and\n winlog.event_data.RelativeTargetName:(*\\\\scripts.ini or *\\\\psscripts.ini) and\n (message:WriteData or winlog.event_data.AccessList:*%%4417*)\n)\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", "https://labs.f-secure.com/tools/sharpgpoabuse"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": false, "name": "winlog.event_data.AccessList", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ShareName", "type": "unknown"}], 
"risk_score": 47, "rule_id": "16fac1a1-21ee-4ca6-b720-458e3855d046", "setup": "The 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Active Directory", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}, {"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "16fac1a1-21ee-4ca6-b720-458e3855d046_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_106.json b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_106.json deleted file mode 100644 index 888106c2077..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.", "false_positives": ["Legitimate Administrative Activity"], "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Startup/Logon Script added to Group Policy Object", "note": "## Triage and analysis\n\n### Investigating Startup/Logon Script added to Group Policy Object\n\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following paths:\n - `\\Machine\\Scripts\\`\n - `\\User\\Scripts\\`\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is legitimately authorized and executed under a change management process.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where 
necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "(\n event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and\n winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and\n (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))\n)\nor\n(\n event.code:5145 and winlog.event_data.ShareName:\\\\\\\\*\\\\SYSVOL and\n winlog.event_data.RelativeTargetName:(*\\\\scripts.ini or *\\\\psscripts.ini) and\n (message:WriteData or winlog.event_data.AccessList:*%%4417*)\n)\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", "https://labs.f-secure.com/tools/sharpgpoabuse"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": false, "name": "winlog.event_data.AccessList", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ShareName", "type": "unknown"}], "risk_score": 47, "rule_id": "16fac1a1-21ee-4ca6-b720-458e3855d046", "setup": "The 
'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Active Directory", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}, {"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "16fac1a1-21ee-4ca6-b720-458e3855d046_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_107.json b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_107.json deleted file mode 100644 index 648497c7963..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.", "false_positives": ["Legitimate Administrative Activity"], "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Startup/Logon Script added to Group Policy Object", "note": "## Triage and analysis\n\n### Investigating Startup/Logon Script added to Group Policy Object\n\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following paths:\n - `\\Machine\\Scripts\\`\n - `\\User\\Scripts\\`\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is legitimately authorized and executed under a change management process.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where 
necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "(\n event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and\n winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and\n (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))\n)\nor\n(\n event.code:5145 and winlog.event_data.ShareName:\\\\\\\\*\\\\SYSVOL and\n winlog.event_data.RelativeTargetName:(*\\\\scripts.ini or *\\\\psscripts.ini) and\n (message:WriteData or winlog.event_data.AccessList:*%%4417*)\n)\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", "https://labs.f-secure.com/tools/sharpgpoabuse"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": false, "name": "winlog.event_data.AccessList", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ShareName", "type": "unknown"}], "risk_score": 47, "rule_id": "16fac1a1-21ee-4ca6-b720-458e3855d046", "setup": "The 
'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}, {"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "16fac1a1-21ee-4ca6-b720-458e3855d046_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_108.json b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_108.json deleted file mode 100644 index 7a37b9cc090..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.", "false_positives": ["Legitimate Administrative Activity"], "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Startup/Logon Script added to Group Policy Object", "note": "## Triage and analysis\n\n### Investigating Startup/Logon Script added to Group Policy Object\n\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following paths:\n - `\\Machine\\Scripts\\`\n - `\\User\\Scripts\\`\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is legitimately authorized and executed under a change management process.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where 
necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "(\n event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and\n winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and\n (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))\n)\nor\n(\n event.code:5145 and winlog.event_data.ShareName:\\\\\\\\*\\\\SYSVOL and\n winlog.event_data.RelativeTargetName:(*\\\\scripts.ini or *\\\\psscripts.ini) and\n (message:WriteData or winlog.event_data.AccessList:*%%4417*)\n)\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", "https://labs.f-secure.com/tools/sharpgpoabuse"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": false, "name": "winlog.event_data.AccessList", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ShareName", "type": "unknown"}], "risk_score": 47, "rule_id": "16fac1a1-21ee-4ca6-b720-458e3855d046", "setup": 
"\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}, {"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "16fac1a1-21ee-4ca6-b720-458e3855d046_108", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_109.json b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_109.json
deleted file mode 100644
index b7ded95228d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.", "false_positives": ["Legitimate Administrative Activity"], "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Startup/Logon Script added to Group Policy Object", "note": "## Triage and analysis\n\n### Investigating Startup/Logon Script added to Group Policy Object\n\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following paths:\n - `\\Machine\\Scripts\\`\n - `\\User\\Scripts\\`\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is legitimately authorized and executed under a change management process.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where 
necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "(\n event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and\n winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and\n (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))\n)\nor\n(\n event.code:5145 and winlog.event_data.ShareName:\\\\\\\\*\\\\SYSVOL and\n winlog.event_data.RelativeTargetName:(*\\\\scripts.ini or *\\\\psscripts.ini) and\n (message:WriteData or winlog.event_data.AccessList:*%%4417*)\n)\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", "https://labs.f-secure.com/tools/sharpgpoabuse"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": false, "name": "winlog.event_data.AccessList", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ShareName", "type": "unknown"}], "risk_score": 47, "rule_id": "16fac1a1-21ee-4ca6-b720-458e3855d046", "setup": "## 
Setup\n\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}, {"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 109}, "id": "16fac1a1-21ee-4ca6-b720-458e3855d046_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_110.json b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_110.json deleted file mode 100644 index ba0a132046d..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.", "false_positives": ["Legitimate Administrative Activity"], "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Startup/Logon Script added to Group Policy Object", "note": "## Triage and analysis\n\n### Investigating Startup/Logon Script added to Group Policy Object\n\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following paths:\n - `\\Machine\\Scripts\\`\n - `\\User\\Scripts\\`\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is legitimately authorized and executed under a change management process.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where 
necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "(\n event.code:5136 and winlog.event_data.AttributeLDAPDisplayName:(gPCMachineExtensionNames or gPCUserExtensionNames) and\n winlog.event_data.AttributeValue:(*42B5FAAE-6536-11D2-AE5A-0000F87571E3* and\n (*40B66650-4972-11D1-A7CA-0000F87571E3* or *40B6664F-4972-11D1-A7CA-0000F87571E3*))\n)\nor\n(\n event.code:5145 and winlog.event_data.ShareName:\\\\\\\\*\\\\SYSVOL and\n winlog.event_data.RelativeTargetName:(*\\\\scripts.ini or *\\\\psscripts.ini) and\n (message:WriteData or winlog.event_data.AccessList:*%%4417*)\n)\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", "https://labs.f-secure.com/tools/sharpgpoabuse"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": false, "name": "winlog.event_data.AccessList", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ShareName", "type": "unknown"}], "risk_score": 47, "rule_id": "16fac1a1-21ee-4ca6-b720-458e3855d046", "setup": "## 
Setup\n\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1484", "name": "Domain or Tenant Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}, {"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 110}, "id": "16fac1a1-21ee-4ca6-b720-458e3855d046_110", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_111.json b/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_111.json
deleted file mode 100644
index 5c12ca4aa9c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/16fac1a1-21ee-4ca6-b720-458e3855d046_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.", "false_positives": ["Legitimate Administrative Activity"], "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Startup/Logon Script added to Group Policy Object", "note": "## Triage and analysis\n\n### Investigating Startup/Logon Script added to Group Policy Object\n\nGroup Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following paths:\n - `\\Machine\\Scripts\\`\n - `\\User\\Scripts\\`\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `ScheduledTasks.xml` file, and check the `` and `` XML tags for any potentially malicious commands or binaries.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Scope which objects may be compromised by retrieving information about which objects are controlled by the GPO.\n\n### False positive analysis\n\n- Verify if the execution is legitimately authorized and executed under a change management process.\n\n### Related rules\n\n- Group Policy Abuse for Privilege Addition - b9554892-5e0e-424b-83a0-5aef95aa43bf\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where 
necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where host.os.type == \"windows\" and event.code in (\"5136\", \"5145\") and\n(\n (\n winlog.event_data.AttributeLDAPDisplayName : (\n \"gPCMachineExtensionNames\",\n \"gPCUserExtensionNames\"\n ) and\n winlog.event_data.AttributeValue : \"*42B5FAAE-6536-11D2-AE5A-0000F87571E3*\" and\n winlog.event_data.AttributeValue : (\n \"*40B66650-4972-11D1-A7CA-0000F87571E3*\",\n \"*40B6664F-4972-11D1-A7CA-0000F87571E3*\"\n )\n ) or\n (\n winlog.event_data.ShareName : \"\\\\\\\\*\\\\SYSVOL\" and\n winlog.event_data.RelativeTargetName : (\"*\\\\scripts.ini\", \"*\\\\psscripts.ini\") and\n winlog.event_data.AccessList:\"*%%4417*\"\n )\n)\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://github.com/atc-project/atc-data/blob/f2bbb51ecf68e2c9f488e3c70dcdd3df51d2a46b/docs/Logging_Policies/LP_0029_windows_audit_detailed_file_share.md", "https://labs.f-secure.com/tools/sharpgpoabuse"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessList", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown"}, {"ecs": false, "name": 
"winlog.event_data.ShareName", "type": "unknown"}], "risk_score": 47, "rule_id": "16fac1a1-21ee-4ca6-b720-458e3855d046", "setup": "## Setup\n\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1484", "name": "Domain or Tenant Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}, {"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "16fac1a1-21ee-4ca6-b720-458e3855d046_111", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/17261da3-a6d0-463c-aac8-ea1718afcd20.json b/packages/security_detection_engine/kibana/security_rule/17261da3-a6d0-463c-aac8-ea1718afcd20.json
deleted file mode 100644
index d5001d8d21d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/17261da3-a6d0-463c-aac8-ea1718afcd20.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple successive failed attempts to use denied model resources within AWS Bedrock. This could indicated attempts to bypass limitations of other approved models, or to force an impact on the environment by incurring exhorbitant costs.", "false_positives": ["Legitimate misunderstanding by users or overly strict policies"], "from": "now-60m", "interval": "10m", "language": "esql", "license": "Elastic License v2", "name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User", "query": "from logs-aws_bedrock.invocation-*\n| where gen_ai.response.error_code == \"AccessDeniedException\"\n| stats total_denials = count(*) by user.id, gen_ai.request.model.id, cloud.account.id\n| where total_denials > 3\n| sort total_denials desc\n", "references": ["https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", "https://atlas.mitre.org/techniques/AML.T0015", "https://atlas.mitre.org/techniques/AML.T0034", "https://www.elastic.co/security-labs/elastic-advances-llm-security"], "risk_score": 73, "rule_id": "17261da3-a6d0-463c-aac8-ea1718afcd20", "setup": "## Setup\n\nThis rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:\n\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\n", "severity": "high", "tags": ["Domain: LLM", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Resources: Investigation Guide", "Use Case: Policy Violation", "Mitre Atlas: T0015", "Mitre Atlas: T0034"], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "17261da3-a6d0-463c-aac8-ea1718afcd20", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/17261da3-a6d0-463c-aac8-ea1718afcd20_1.json b/packages/security_detection_engine/kibana/security_rule/17261da3-a6d0-463c-aac8-ea1718afcd20_1.json
deleted file mode 100644
index 22defd2146b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/17261da3-a6d0-463c-aac8-ea1718afcd20_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple successive failed attempts to use denied model resources within AWS Bedrock. This could indicated attempts to bypass limitations of other approved models, or to force an impact on the environment by incurring exhorbitant costs.", "false_positives": ["Legitimate misunderstanding by users or overly strict policies"], "from": "now-60m", "interval": "10m", "language": "esql", "license": "Elastic License v2", "name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User", "query": "from logs-aws_bedrock.invocation-*\n| where gen_ai.response.error_code == \"AccessDeniedException\"\n| stats total_denials = count(*) by user.id, gen_ai.request.model.id, cloud.account.id\n| where total_denials > 3\n| sort total_denials desc\n", "references": ["https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", "https://atlas.mitre.org/techniques/AML.T0015", "https://atlas.mitre.org/techniques/AML.T0034", "https://www.elastic.co/security-labs/elastic-advances-llm-security"], "risk_score": 73, "rule_id": "17261da3-a6d0-463c-aac8-ea1718afcd20", "setup": "## Setup\n\nThis rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:\n\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\n", "severity": "high", "tags": ["Domain: LLM", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Resources: Investigation Guide", "Use Case: Policy Violation", "Mitre Atlas: T0015", "Mitre Atlas: T0034"], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "17261da3-a6d0-463c-aac8-ea1718afcd20_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/17261da3-a6d0-463c-aac8-ea1718afcd20_2.json b/packages/security_detection_engine/kibana/security_rule/17261da3-a6d0-463c-aac8-ea1718afcd20_2.json
deleted file mode 100644
index 86af7919c44..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/17261da3-a6d0-463c-aac8-ea1718afcd20_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple successive failed attempts to use denied model resources within AWS Bedrock. This could indicated attempts to bypass limitations of other approved models, or to force an impact on the environment by incurring exhorbitant costs.", "false_positives": ["Legitimate misunderstanding by users or overly strict policies"], "from": "now-60m", "interval": "10m", "language": "esql", "license": "Elastic License v2", "name": "AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User", "query": "from logs-aws_bedrock.invocation-*\n| where gen_ai.response.error_code == \"AccessDeniedException\"\n| keep user.id, gen_ai.request.model.id, cloud.account.id, gen_ai.response.error_code\n| stats total_denials = count(*) by user.id, gen_ai.request.model.id, cloud.account.id\n| where total_denials > 3\n| sort total_denials desc\n", "references": ["https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", "https://atlas.mitre.org/techniques/AML.T0015", "https://atlas.mitre.org/techniques/AML.T0034", "https://www.elastic.co/security-labs/elastic-advances-llm-security"], "risk_score": 73, "rule_id": "17261da3-a6d0-463c-aac8-ea1718afcd20", "setup": "## Setup\n\nThis rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:\n\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\n", "severity": "high", "tags": ["Domain: LLM", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Resources: Investigation Guide", "Use Case: Policy Violation", "Mitre Atlas: T0015", "Mitre Atlas: T0034"], "timestamp_override": "event.ingested", "type": "esql", "version": 2}, "id": "17261da3-a6d0-463c-aac8-ea1718afcd20_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5.json
deleted file mode 100644
index b5aff7776a7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", "false_positives": ["Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_user_name"], "name": "Unusual Windows Username", "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. 
If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain 
Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}, {"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "type": "machine_learning", "version": 105}, "id": "1781d055-5c66-4adf-9c59-fc0fa58336a5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_102.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_102.json deleted file mode 100644 index 31cbb4f7292..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", "false_positives": ["Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_user_name"], "name": "Unusual Windows Username", "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. 
If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}, {"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "type": "machine_learning", "version": 102}, "id": "1781d055-5c66-4adf-9c59-fc0fa58336a5_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_103.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_103.json deleted file mode 100644 index f16e8db514d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", "false_positives": ["Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_user_name"], "name": "Unusual Windows Username", "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. 
If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}, {"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "type": "machine_learning", "version": 103}, "id": "1781d055-5c66-4adf-9c59-fc0fa58336a5_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_104.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_104.json deleted file mode 100644 index 0df1270d1ec..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", "false_positives": ["Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_user_name"], "name": "Unusual Windows Username", "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. 
If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}, {"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "type": "machine_learning", "version": 104}, "id": "1781d055-5c66-4adf-9c59-fc0fa58336a5_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_105.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_105.json deleted file mode 100644 index ecd894e0832..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", "false_positives": ["Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_user_name"], "name": "Unusual Windows Username", "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. 
If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain 
Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}, {"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "type": "machine_learning", "version": 105}, "id": "1781d055-5c66-4adf-9c59-fc0fa58336a5_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_106.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_106.json
deleted file mode 100644
index a8c0b21256d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c59-fc0fa58336a5_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", "false_positives": ["Uncommon user activity can be due to an administrator or help desk technician logging onto a workstation or server in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_user_name"], "name": "Unusual Windows Username", "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. 
If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9c59-fc0fa58336a5", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain 
Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}, {"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "type": "machine_learning", "version": 106}, "id": "1781d055-5c66-4adf-9c59-fc0fa58336a5_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7.json
deleted file mode 100644
index 6af8a5112d0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_service"], "name": "Unusual Windows Service", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": 
"Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "type": "machine_learning", "version": 104}, "id": "1781d055-5c66-4adf-9c71-fc0fa58338c7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_101.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_101.json
deleted file mode 100644
index 5c93da3cd77..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_101.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_service"], "name": "Unusual Windows Service", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "type": "machine_learning", "version": 101}, "id": "1781d055-5c66-4adf-9c71-fc0fa58338c7_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_102.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_102.json deleted file mode 100644 index d53a5d26abe..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_service"], "name": "Unusual Windows Service", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "type": "machine_learning", "version": 102}, "id": "1781d055-5c66-4adf-9c71-fc0fa58338c7_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_103.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_103.json deleted file mode 100644 index 22f3f7e2ce5..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_103.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_service"], "name": "Unusual Windows Service", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "type": "machine_learning", "version": 103}, "id": "1781d055-5c66-4adf-9c71-fc0fa58338c7_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_104.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_104.json
deleted file mode 100644
index 739deeb205f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_service"], "name": "Unusual Windows Service", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": 
"Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "type": "machine_learning", "version": 104}, "id": "1781d055-5c66-4adf-9c71-fc0fa58338c7_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_105.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_105.json
deleted file mode 100644
index 747e5de439c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9c71-fc0fa58338c7_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected an unusual Windows service, This can indicate execution of unauthorized services, malware, or persistence mechanisms. In corporate Windows environments, hosts do not generally run many rare or unique services. This job helps detect malware and persistence mechanisms that have been installed and run as a service.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_service"], "name": "Unusual Windows Service", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9c71-fc0fa58338c7", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": 
"Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "type": "machine_learning", "version": 105}, "id": "1781d055-5c66-4adf-9c71-fc0fa58338c7_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6.json
deleted file mode 100644
index 16f55ccb5e3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.", "false_positives": ["Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_script"], "name": "Suspicious Powershell Script", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": 
"PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "type": "machine_learning", "version": 105}, "id": "1781d055-5c66-4adf-9d60-fc0fa58337b6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_102.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_102.json
deleted file mode 100644
index ece7dc27398..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.", "false_positives": ["Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_script"], "name": "Suspicious Powershell Script", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "type": "machine_learning", "version": 102}, "id": "1781d055-5c66-4adf-9d60-fc0fa58337b6_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_103.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_103.json deleted file mode 100644 index da1a2c95b3b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.", "false_positives": ["Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_script"], "name": "Suspicious Powershell Script", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "type": "machine_learning", "version": 103}, "id": "1781d055-5c66-4adf-9d60-fc0fa58337b6_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_104.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_104.json deleted file mode 100644 index d3bf9f5c0fc..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_104.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.", "false_positives": ["Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_script"], "name": "Suspicious Powershell Script", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "type": "machine_learning", "version": 104}, "id": "1781d055-5c66-4adf-9d60-fc0fa58337b6_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_105.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_105.json
deleted file mode 100644
index 71054aafc6a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.", "false_positives": ["Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_script"], "name": "Suspicious Powershell Script", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": 
"PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "type": "machine_learning", "version": 105}, "id": "1781d055-5c66-4adf-9d60-fc0fa58337b6_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_106.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_106.json deleted file mode 100644 index ec0d1db32cd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d60-fc0fa58337b6_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected a PowerShell script with unusual data characteristics, such as obfuscation, that may be a characteristic of malicious PowerShell script text blocks.", "false_positives": ["Certain kinds of security testing may trigger this alert. PowerShell scripts that use high levels of obfuscation or have unusual script block payloads may trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_script"], "name": "Suspicious Powershell Script", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9d60-fc0fa58337b6", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": 
"PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "type": "machine_learning", "version": 106}, "id": "1781d055-5c66-4adf-9d60-fc0fa58337b6_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8.json deleted file mode 100644 index 49c3059c0b2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas are more commonly used by domain and network administrators than by regular Windows users.", "false_positives": ["Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_rare_user_runas_event"], "name": "Unusual Windows User Privilege Elevation Activity", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": []}], "type": "machine_learning", "version": 104}, "id": "1781d055-5c66-4adf-9d82-fc0fa58449c8", "type": "security-rule"} \ No newline at end of 
file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_101.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_101.json deleted file mode 100644 index 9b7af72773f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_101.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas are more commonly used by domain and network administrators than by regular Windows users.", "false_positives": ["Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_rare_user_runas_event"], "name": "Unusual Windows User Privilege Elevation Activity", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": []}], "type": "machine_learning", "version": 101}, "id": "1781d055-5c66-4adf-9d82-fc0fa58449c8_101", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_102.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_102.json deleted file mode 100644 index 16740ce0b2c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_102.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas are more commonly used by domain and network administrators than by regular Windows users.", "false_positives": ["Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_rare_user_runas_event"], "name": "Unusual Windows User Privilege Elevation Activity", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": []}], "type": "machine_learning", "version": 102}, "id": "1781d055-5c66-4adf-9d82-fc0fa58449c8_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_103.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_103.json deleted file mode 100644 index b0f5860d0a1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_103.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas are more commonly used by domain and network administrators than by regular Windows users.", "false_positives": ["Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_rare_user_runas_event"], "name": "Unusual Windows User Privilege Elevation Activity", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": []}], "type": "machine_learning", "version": 103}, "id": "1781d055-5c66-4adf-9d82-fc0fa58449c8_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_104.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_104.json
deleted file mode 100644
index c947b484627..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas are more commonly used by domain and network administrators than by regular Windows users.", "false_positives": ["Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_rare_user_runas_event"], "name": "Unusual Windows User Privilege Elevation Activity", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": []}], "type": "machine_learning", "version": 104}, "id": "1781d055-5c66-4adf-9d82-fc0fa58449c8_104", "type": "security-rule"} \ No newline at end 
of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_105.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_105.json
deleted file mode 100644
index 41b875b191b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9d82-fc0fa58449c8_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected an unusual user context switch, using the runas command or similar techniques, which can indicate account takeover or privilege escalation using compromised accounts. Privilege elevation using tools like runas are more commonly used by domain and network administrators than by regular Windows users.", "false_positives": ["Uncommon user privilege elevation activity can be due to an administrator, help desk technician, or a user performing manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_rare_user_runas_event"], "name": "Unusual Windows User Privilege Elevation Activity", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9d82-fc0fa58449c8", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": []}], "type": "machine_learning", "version": 105}, "id": "1781d055-5c66-4adf-9d82-fc0fa58449c8_105", "type": "security-rule"} \ No newline at end 
of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9.json
deleted file mode 100644
index 869775b3c5d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.", "false_positives": ["Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_rare_user_type10_remote_login"], "name": "Unusual Windows Remote User", "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?\n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. 
You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "type": "machine_learning", "version": 104}, "id": 
"1781d055-5c66-4adf-9e93-fc0fa69550c9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_101.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_101.json deleted file mode 100644 index 3caf931512a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.", "false_positives": ["Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_rare_user_type10_remote_login"], "name": "Unusual Windows Remote User", "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?\n- Consider the source of the login. 
If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "type": "machine_learning", "version": 101}, "id": "1781d055-5c66-4adf-9e93-fc0fa69550c9_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_102.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_102.json deleted file mode 100644 index ef6c1c14ff7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.", "false_positives": ["Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_rare_user_type10_remote_login"], "name": "Unusual Windows Remote User", "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?\n- Consider the source of the login. 
If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "type": "machine_learning", "version": 102}, "id": "1781d055-5c66-4adf-9e93-fc0fa69550c9_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_103.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_103.json deleted file mode 100644 index 6af07d0fae8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.", "false_positives": ["Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_rare_user_type10_remote_login"], "name": "Unusual Windows Remote User", "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?\n- Consider the source of the login. 
If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "type": "machine_learning", "version": 103}, "id": "1781d055-5c66-4adf-9e93-fc0fa69550c9_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_104.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_104.json deleted file mode 100644 index 54e2544fdc4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.", "false_positives": ["Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_rare_user_type10_remote_login"], "name": "Unusual Windows Remote User", "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?\n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. 
You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "type": "machine_learning", "version": 104}, "id": 
"1781d055-5c66-4adf-9e93-fc0fa69550c9_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_105.json b/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_105.json deleted file mode 100644 index bc09c469032..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1781d055-5c66-4adf-9e93-fc0fa69550c9_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected an unusual remote desktop protocol (RDP) username, which can indicate account takeover or credentialed persistence using compromised accounts. RDP attacks, such as BlueKeep, also tend to use unusual usernames.", "false_positives": ["Uncommon username activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_rare_user_type10_remote_login"], "name": "Unusual Windows Remote User", "note": "## Triage and analysis\n\n### Investigating an Unusual Windows User\nDetection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?\n- Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "1781d055-5c66-4adf-9e93-fc0fa69550c9", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. 
You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "type": "machine_learning", "version": 105}, "id": 
"1781d055-5c66-4adf-9e93-fc0fa69550c9_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001.json b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001.json deleted file mode 100644 index 38bfb491f60..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the creation or renaming of a new Systemd file in all of the common Systemd service locations for both root and regular users. Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying services to execute malicious commands or payloads during system startup or at a predefined interval by adding a systemd timer. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Systemd Service Created", "note": "## Triage and analysis\n\n### Investigating Systemd Service Created\n\nSystemd service files are configuration files in Linux systems used to define and manage system services.\n\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\n\nThis rule monitors the creation of new systemd service files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the systemd service file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%'\\nOR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%'\\nOR path LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE\\n'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%')\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\nLIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\nOR 
path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE\\n'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, 
family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and file.path : (\n \"/etc/systemd/system/*\", \"/etc/systemd/user/*\", \"/usr/local/lib/systemd/system/*\",\n \"/lib/systemd/system/*\", \"/usr/lib/systemd/system/*\", \"/usr/lib/systemd/user/*\",\n \"/home/*/.config/systemd/user/*\", \"/home/*/.local/share/systemd/user/*\",\n \"/root/.config/systemd/user/*\", \"/root/.local/share/systemd/user/*\"\n) and file.extension == \"service\" and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/bin/crio\", \"/usr/sbin/crond\",\n \"/opt/puppetlabs/puppet/bin/ruby\", \"/usr/libexec/platform-python\", \"/kaniko/kaniko-executor\",\n \"/usr/local/bin/dockerd\", \"/usr/bin/podman\", 
\"/bin/install\", \"/proc/self/exe\", \"/usr/lib/systemd/systemd\",\n \"/usr/sbin/sshd\", \"/usr/bin/gitlab-runner\", \"/opt/gitlab/embedded/bin/ruby\", \"/usr/sbin/gdm\", \"/usr/bin/install\",\n \"/usr/local/manageengine/uems_agent/bin/dcregister\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "17b0a495-4d9f-414c-8ad0-92f018b8e001", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 13}, "id": "17b0a495-4d9f-414c-8ad0-92f018b8e001", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_1.json b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_1.json
deleted file mode 100644
index 8d118638cce..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "New Systemd Service Created by Previously Unknown Process", "new_terms_fields": ["file.path", "process.name"], "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not \n(process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\") or file.extension : \"swp\")\n", "references": ["https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "17b0a495-4d9f-414c-8ad0-92f018b8e001", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Privilege Escalation", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "17b0a495-4d9f-414c-8ad0-92f018b8e001_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_10.json b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_10.json
deleted file mode 100644
index d2125d353f1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_10.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "New Systemd Service Created by Previously Unknown Process", "new_terms_fields": ["host.id", "file.path", "process.executable"], "note": "## Triage and analysis\n\n### Investigating New Systemd Service Created by Previously Unknown Process\n\nSystemd service files are configuration files in Linux systems used to define and manage system services.\n\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\n\nThis rule monitors the creation of new systemd service files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the systemd service file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE\\n'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE '/home/user/.config/systemd/user/%' )\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\nLIKE '/home/{{user.name}}/.config/systemd/user/%' )\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve 
Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:linux and event.category:file and event.action:(\"creation\" or \"file_create_event\") and file.path:(\n /etc/systemd/system/* or \n /usr/local/lib/systemd/system/* or \n /lib/systemd/system/* or \n /usr/lib/systemd/system/* or \n /home/*/.config/systemd/user/*\n) and \nnot (\n process.name:(\n \"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\" or \"yum\" or \"exe\" or \"dnf\" or \"dnf-automatic\" or python* or \"puppetd\" or\n \"elastic-agent\" or \"cinc-client\" or \"chef-client\" or \"pacman\" or \"puppet\" or \"cloudflared\" or \"packagekitd\" or\n \"podman\"\n ) or \n file.extension:(\"swp\" or \"swpx\")\n)\n", "references": ["https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "17b0a495-4d9f-414c-8ad0-92f018b8e001", "setup": "## Setup\n\nThis rule requires data coming in from Elastic 
Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 10}, "id": "17b0a495-4d9f-414c-8ad0-92f018b8e001_10", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_11.json b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_11.json
deleted file mode 100644
index 2477f115e20..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_11.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the creation or renaming of a new Systemd file in all of the common Systemd service locations for both root and regular users. Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying services to execute malicious commands or payloads during system startup or at a predefined interval by adding a systemd timer. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Systemd Service Created", "note": "## Triage and analysis\n\n### Investigating Systemd Service Created\n\nSystemd service files are configuration files in Linux systems used to define and manage system services.\n\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\n\nThis rule monitors the creation of new systemd service files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the systemd service file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%'\\nOR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%'\\nOR path LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%')\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\nLIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE 
'/root/.local/share/systemd/user/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the 
action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate 
credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and file.path : (\n \"/etc/systemd/system/*\", \"/usr/local/lib/systemd/system/*\", \"/lib/systemd/system/*\",\n \"/usr/lib/systemd/system/*\", \"/home/*/.config/systemd/user/*\", \"/home/*/.local/share/systemd/user/*\",\n \"/root/.config/systemd/user/*\", \"/root/.local/share/systemd/user/*\"\n) and file.extension == \"service\" and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", 
\"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "17b0a495-4d9f-414c-8ad0-92f018b8e001", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 11}, "id": "17b0a495-4d9f-414c-8ad0-92f018b8e001_11", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_12.json b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_12.json
deleted file mode 100644
index a34c243db67..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_12.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the creation or renaming of a new Systemd file in all of the common Systemd service locations for both root and regular users. Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying services to execute malicious commands or payloads during system startup or at a predefined interval by adding a systemd timer. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Systemd Service Created", "note": "## Triage and analysis\n\n### Investigating Systemd Service Created\n\nSystemd service files are configuration files in Linux systems used to define and manage system services.\n\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\n\nThis rule monitors the creation of new systemd service files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the systemd service file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%'\\nOR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%'\\nOR path LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE\\n'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%')\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\nLIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\nOR 
path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE\\n'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, 
family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and file.path : (\n \"/etc/systemd/system/*\", \"/etc/systemd/user/*\", \"/usr/local/lib/systemd/system/*\",\n \"/lib/systemd/system/*\", \"/usr/lib/systemd/system/*\", \"/usr/lib/systemd/user/*\",\n \"/home/*/.config/systemd/user/*\", \"/home/*/.local/share/systemd/user/*\",\n \"/root/.config/systemd/user/*\", \"/root/.local/share/systemd/user/*\"\n) and file.extension == \"service\" and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", 
\"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "17b0a495-4d9f-414c-8ad0-92f018b8e001", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 12}, "id": "17b0a495-4d9f-414c-8ad0-92f018b8e001_12", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_13.json b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_13.json
deleted file mode 100644
index ec29ceb40dd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_13.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the creation or renaming of a new Systemd file in all of the common Systemd service locations for both root and regular users. Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying services to execute malicious commands or payloads during system startup or at a predefined interval by adding a systemd timer. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Systemd Service Created", "note": "## Triage and analysis\n\n### Investigating Systemd Service Created\n\nSystemd service files are configuration files in Linux systems used to define and manage system services.\n\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\n\nThis rule monitors the creation of new systemd service files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0.
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the systemd service file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%'\\nOR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%'\\nOR path LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE\\n'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%')\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\nLIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\nOR 
path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE\\n'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, 
family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and file.path : (\n \"/etc/systemd/system/*\", \"/etc/systemd/user/*\", \"/usr/local/lib/systemd/system/*\",\n \"/lib/systemd/system/*\", \"/usr/lib/systemd/system/*\", \"/usr/lib/systemd/user/*\",\n \"/home/*/.config/systemd/user/*\", \"/home/*/.local/share/systemd/user/*\",\n \"/root/.config/systemd/user/*\", \"/root/.local/share/systemd/user/*\"\n) and file.extension == \"service\" and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/bin/crio\", \"/usr/sbin/crond\",\n \"/opt/puppetlabs/puppet/bin/ruby\", \"/usr/libexec/platform-python\", \"/kaniko/kaniko-executor\",\n \"/usr/local/bin/dockerd\", \"/usr/bin/podman\", 
\"/bin/install\", \"/proc/self/exe\", \"/usr/lib/systemd/systemd\",\n \"/usr/sbin/sshd\", \"/usr/bin/gitlab-runner\", \"/opt/gitlab/embedded/bin/ruby\", \"/usr/sbin/gdm\", \"/usr/bin/install\",\n \"/usr/local/manageengine/uems_agent/bin/dcregister\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "17b0a495-4d9f-414c-8ad0-92f018b8e001", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 13}, "id": "17b0a495-4d9f-414c-8ad0-92f018b8e001_13", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_14.json b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_14.json
deleted file mode 100644
index f2bac7e295b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_14.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the creation or renaming of a new Systemd file in all of the common Systemd service locations for both root and regular users. Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying services to execute malicious commands or payloads during system startup or at a predefined interval by adding a systemd timer. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Systemd Service Created", "note": "## Triage and analysis\n\n### Investigating Systemd Service Created\n\nSystemd service files are configuration files in Linux systems used to define and manage system services.\n\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\n\nThis rule monitors the creation of new systemd service files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0.
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the systemd service file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE\\n'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE\\n'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path LIKE\\n'/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%' OR\\npath LIKE '/usr/lib/systemd/user/%')\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\nLIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR 
path\\nLIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%'\\nOR path LIKE '/usr/lib/systemd/user/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT 
pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and file.path : (\n \"/etc/systemd/system/*\", \"/etc/systemd/user/*\", \"/usr/local/lib/systemd/system/*\",\n \"/lib/systemd/system/*\", \"/usr/lib/systemd/system/*\", \"/usr/lib/systemd/user/*\",\n \"/home/*/.config/systemd/user/*\", \"/home/*/.local/share/systemd/user/*\",\n \"/root/.config/systemd/user/*\", \"/root/.local/share/systemd/user/*\"\n) and file.extension == \"service\" and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/bin/crio\", \"/usr/sbin/crond\",\n \"/opt/puppetlabs/puppet/bin/ruby\", \"/usr/libexec/platform-python\", \"/kaniko/kaniko-executor\",\n \"/usr/local/bin/dockerd\", \"/usr/bin/podman\", 
\"/bin/install\", \"/proc/self/exe\", \"/usr/lib/systemd/systemd\",\n \"/usr/sbin/sshd\", \"/usr/bin/gitlab-runner\", \"/opt/gitlab/embedded/bin/ruby\", \"/usr/sbin/gdm\", \"/usr/bin/install\",\n \"/usr/local/manageengine/uems_agent/bin/dcregister\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/", "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "17b0a495-4d9f-414c-8ad0-92f018b8e001", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 14}, "id": "17b0a495-4d9f-414c-8ad0-92f018b8e001_14", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_2.json b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_2.json
deleted file mode 100644
index d1d0cb2abee..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "New Systemd Service Created by Previously Unknown Process", "new_terms_fields": ["file.path", "process.name"], "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not \n(process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\") or file.extension : \"swp\")\n", "references": ["https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "17b0a495-4d9f-414c-8ad0-92f018b8e001", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": 
"Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "17b0a495-4d9f-414c-8ad0-92f018b8e001_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_3.json b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_3.json deleted file mode 100644 index 8a027b55b72..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "New Systemd Service Created by Previously Unknown Process", "new_terms_fields": ["file.path", "process.name"], "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not \n(process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\" or \"yum\" or \"exe\" or \"dnf\" or \"dnf-automatic\" or python* or \n \"elastic-agent\" or \"cinc-client\") or file.extension : (\"swp\" or \"swx\"))\n", "references": ["https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "17b0a495-4d9f-414c-8ad0-92f018b8e001", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege 
Escalation", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 3}, "id": "17b0a495-4d9f-414c-8ad0-92f018b8e001_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_4.json b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_4.json deleted file mode 100644 index 57c31f828fc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "New Systemd Service Created by Previously Unknown Process", "new_terms_fields": ["file.path", "process.name"], "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not \n(process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\" or \"yum\" or \"exe\" or \"dnf\" or \"dnf-automatic\" or python* or \n \"elastic-agent\" or \"cinc-client\") or file.extension : (\"swp\" or \"swx\"))\n", "references": ["https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "17b0a495-4d9f-414c-8ad0-92f018b8e001", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege 
Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 4}, "id": "17b0a495-4d9f-414c-8ad0-92f018b8e001_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_5.json b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_5.json deleted file mode 100644 index e0a276f192d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "New Systemd Service Created by Previously Unknown Process", "new_terms_fields": ["host.id", "file.path", "process.executable"], "query": "host.os.type:linux and event.category:file and event.action:(\"creation\" or \"file_create_event\") and file.path:(\n /etc/systemd/system/* or \n /usr/local/lib/systemd/system/* or \n /lib/systemd/system/* or \n /usr/lib/systemd/system/* or \n /home/*/.config/systemd/user/*\n) and \nnot (\n process.name:(\n \"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\" or \"yum\" or \"exe\" or \"dnf\" or \"dnf-automatic\" or python* or \"puppetd\" or\n \"elastic-agent\" or \"cinc-client\" or \"chef-client\" or \"pacman\" or \"puppet\" or \"cloudflared\"\n ) or \n file.extension:(\"swp\" or \"swpx\")\n)\n", "references": ["https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], 
"risk_score": 47, "rule_id": "17b0a495-4d9f-414c-8ad0-92f018b8e001", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 5}, "id": "17b0a495-4d9f-414c-8ad0-92f018b8e001_5", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_6.json b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_6.json
deleted file mode 100644
index a3a63171c4c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "New Systemd Service Created by Previously Unknown Process", "new_terms_fields": ["host.id", "file.path", "process.executable"], "query": "host.os.type:linux and event.category:file and event.action:(\"creation\" or \"file_create_event\") and file.path:(\n /etc/systemd/system/* or \n /usr/local/lib/systemd/system/* or \n /lib/systemd/system/* or \n /usr/lib/systemd/system/* or \n /home/*/.config/systemd/user/*\n) and \nnot (\n process.name:(\n \"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\" or \"yum\" or \"exe\" or \"dnf\" or \"dnf-automatic\" or python* or \"puppetd\" or\n \"elastic-agent\" or \"cinc-client\" or \"chef-client\" or \"pacman\" or \"puppet\" or \"cloudflared\"\n ) or \n file.extension:(\"swp\" or \"swpx\")\n)\n", "references": ["https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], 
"risk_score": 47, "rule_id": "17b0a495-4d9f-414c-8ad0-92f018b8e001", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 6}, "id": "17b0a495-4d9f-414c-8ad0-92f018b8e001_6", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_7.json b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_7.json
deleted file mode 100644
index c9b07579266..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "New Systemd Service Created by Previously Unknown Process", "new_terms_fields": ["host.id", "file.path", "process.executable"], "note": "## Triage and analysis\n\n### Investigating New Systemd Service Created by Previously Unknown Process\n\nSystemd service files are configuration files in Linux systems used to define and manage system services.\n\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\n\nThis rule monitors the creation of new systemd service files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the systemd service file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/user/.config/systemd/user/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve 
Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:linux and event.category:file and event.action:(\"creation\" or \"file_create_event\") and file.path:(\n /etc/systemd/system/* or \n /usr/local/lib/systemd/system/* or \n /lib/systemd/system/* or \n /usr/lib/systemd/system/* or \n /home/*/.config/systemd/user/*\n) and \nnot (\n process.name:(\n \"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\" or \"yum\" or \"exe\" or \"dnf\" or \"dnf-automatic\" or python* or \"puppetd\" or\n \"elastic-agent\" or \"cinc-client\" or \"chef-client\" or \"pacman\" or \"puppet\" or \"cloudflared\"\n ) or \n file.extension:(\"swp\" or \"swpx\")\n)\n", "references": ["https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "17b0a495-4d9f-414c-8ad0-92f018b8e001", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration 
Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 7}, "id": "17b0a495-4d9f-414c-8ad0-92f018b8e001_7", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_8.json b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_8.json
deleted file mode 100644
index 57626ed33db..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "New Systemd Service Created by Previously Unknown Process", "new_terms_fields": ["host.id", "file.path", "process.executable"], "note": "## Triage and analysis\n\n### Investigating New Systemd Service Created by Previously Unknown Process\n\nSystemd service files are configuration files in Linux systems used to define and manage system services.\n\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\n\nThis rule monitors the creation of new systemd service files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the systemd service file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/user/.config/systemd/user/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve 
Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:linux and event.category:file and event.action:(\"creation\" or \"file_create_event\") and file.path:(\n /etc/systemd/system/* or \n /usr/local/lib/systemd/system/* or \n /lib/systemd/system/* or \n /usr/lib/systemd/system/* or \n /home/*/.config/systemd/user/*\n) and \nnot (\n process.name:(\n \"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\" or \"yum\" or \"exe\" or \"dnf\" or \"dnf-automatic\" or python* or \"puppetd\" or\n \"elastic-agent\" or \"cinc-client\" or \"chef-client\" or \"pacman\" or \"puppet\" or \"cloudflared\" or \"packagekitd\" or\n \"podman\"\n ) or \n file.extension:(\"swp\" or \"swpx\")\n)\n", "references": ["https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "17b0a495-4d9f-414c-8ad0-92f018b8e001", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### 
Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 8}, "id": "17b0a495-4d9f-414c-8ad0-92f018b8e001_8", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_9.json b/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_9.json
deleted file mode 100644
index 1a2d7e93eff..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/17b0a495-4d9f-414c-8ad0-92f018b8e001_9.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Systemd service files are configuration files in Linux systems used to define and manage system services. Malicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "New Systemd Service Created by Previously Unknown Process", "new_terms_fields": ["host.id", "file.path", "process.executable"], "note": "## Triage and analysis\n\n### Investigating New Systemd Service Created by Previously Unknown Process\n\nSystemd service files are configuration files in Linux systems used to define and manage system services.\n\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\n\nThis rule monitors the creation of new systemd service files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the systemd service file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/user/.config/systemd/user/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve 
Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:linux and event.category:file and event.action:(\"creation\" or \"file_create_event\") and file.path:(\n /etc/systemd/system/* or \n /usr/local/lib/systemd/system/* or \n /lib/systemd/system/* or \n /usr/lib/systemd/system/* or \n /home/*/.config/systemd/user/*\n) and \nnot (\n process.name:(\n \"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\" or \"yum\" or \"exe\" or \"dnf\" or \"dnf-automatic\" or python* or \"puppetd\" or\n \"elastic-agent\" or \"cinc-client\" or \"chef-client\" or \"pacman\" or \"puppet\" or \"cloudflared\" or \"packagekitd\" or\n \"podman\"\n ) or \n file.extension:(\"swp\" or \"swpx\")\n)\n", "references": ["https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "17b0a495-4d9f-414c-8ad0-92f018b8e001", "setup": "## Setup\n\nThis rule requires data coming in from Elastic 
Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 9}, "id": "17b0a495-4d9f-414c-8ad0-92f018b8e001_9", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d.json b/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d.json
deleted file mode 100644
index 99639debec7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Renamed Utility Executed with Short Program Name", "note": "## Triage and analysis\n\n### Investigating Renamed Utility Executed with Short Program Name\n\nIdentifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and length(process.name) > 0 and\n length(process.name) == 5 and length(process.pe.original_file_name) > 5\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_104.json b/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_104.json
deleted file mode 100644
index 9daa72363d2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies process execution with a single character process name. This is often done by adversaries while staging or executing temporary utilities.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution - Short Program Name", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and length(process.name) > 0 and\n length(process.name) == 5 and length(process.pe.original_file_name) > 5\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": 
"17c7f6a5-5bc9-4e1f-92bf-13632d24384d_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_105.json b/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_105.json deleted file mode 100644 index b66764a38e8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies process execution with a single character process name. This is often done by adversaries while staging or executing temporary utilities.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution - Short Program Name", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and length(process.name) > 0 and\n length(process.name) == 5 and length(process.pe.original_file_name) > 5\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", 
"type": "eql", "version": 105}, "id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_106.json b/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_106.json deleted file mode 100644 index 9b4e51c9bf9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Renamed Utility Executed with Short Program Name", "note": "## Triage and analysis\n\n### Investigating Renamed Utility Executed with Short Program Name\n\nIdentifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and length(process.name) > 0 and\n length(process.name) == 5 and length(process.pe.original_file_name) > 5\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_107.json b/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_107.json
deleted file mode 100644
index 4af1f59754a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Renamed Utility Executed with Short Program Name", "note": "## Triage and analysis\n\n### Investigating Renamed Utility Executed with Short Program Name\n\nIdentifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and length(process.name) > 0 and\n length(process.name) == 5 and length(process.pe.original_file_name) > 5\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_108.json b/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_108.json
deleted file mode 100644
index b65e619366d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Renamed Utility Executed with Short Program Name", "note": "## Triage and analysis\n\n### Investigating Renamed Utility Executed with Short Program Name\n\nIdentifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and length(process.name) > 0 and\n length(process.name) == 5 and length(process.pe.original_file_name) > 5\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d_108", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_109.json b/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_109.json
deleted file mode 100644
index 9fa5eee0987..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/17c7f6a5-5bc9-4e1f-92bf-13632d24384d_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Renamed Utility Executed with Short Program Name", "note": "## Triage and analysis\n\n### Investigating Renamed Utility Executed with Short Program Name\n\nIdentifies the execution of a process with a single character process name, differing from the original file name. This is often done by adversaries while staging, executing temporary utilities, or trying to bypass security detections based on the process name.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, command line and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, 
description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and length(process.name) > 0 and\n length(process.name) == 5 and length(process.pe.original_file_name) > 5\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "17c7f6a5-5bc9-4e1f-92bf-13632d24384d_109", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126.json b/packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126.json
deleted file mode 100644
index d5326a4d4d2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", "false_positives": ["Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "packetbeat_rare_server_domain", "name": "Unusual Network Destination Domain Name", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. 
If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n", "severity": "low", "tags": ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"], "type": "machine_learning", "version": 104}, "id": "17e68559-b274-4948-ad0b-f8415bb31126", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_101.json b/packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_101.json deleted file mode 100644 index 6a3c8aee1f3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_101.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", "false_positives": ["Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "packetbeat_rare_server_domain", "name": "Unusual Network Destination Domain Name", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126", "severity": "low", "tags": ["Elastic", "Network", "Threat Detection", "ML", "Machine Learning"], "type": "machine_learning", "version": 101}, "id": "17e68559-b274-4948-ad0b-f8415bb31126_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_102.json b/packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_102.json
deleted file mode 100644
index 91d72590a38..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", "false_positives": ["Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "packetbeat_rare_server_domain", "name": "Unusual Network Destination Domain Name", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126", "severity": "low", "tags": ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"], "type": "machine_learning", "version": 102}, "id": "17e68559-b274-4948-ad0b-f8415bb31126_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_103.json b/packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_103.json
deleted file mode 100644
index 4bbfa796b88..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/17e68559-b274-4948-ad0b-f8415bb31126_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected an unusual network destination domain name. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon web server name. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", "false_positives": ["Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. Web domains can be excluded in cases such as these."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "packetbeat_rare_server_domain", "name": "Unusual Network Destination Domain Name", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "17e68559-b274-4948-ad0b-f8415bb31126", "severity": "low", "tags": ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"], "type": "machine_learning", "version": 103}, "id": "17e68559-b274-4948-ad0b-f8415bb31126_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/181f6b23-3799-445e-9589-0018328a9e46_101.json b/packages/security_detection_engine/kibana/security_rule/181f6b23-3799-445e-9589-0018328a9e46_101.json
deleted file mode 100644
index f7da13b1853..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/181f6b23-3799-445e-9589-0018328a9e46_101.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of scripts via HTML applications using Windows utilities rundll32.exe or mshta.exe. Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "logs-system.security*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Script Execution via Microsoft HTML Application", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"rundll32.exe\", \"mshta.exe\") and\n (\n (process.command_line :\n (\n \"*script*eval(*\",\n \"*script*GetObject*\",\n \"*.regread(*\",\n \"*WScript.Shell*\",\n \"*.run(*\",\n \"*).Exec()*\",\n \"*mshta*http*\",\n \"*mshtml*RunHTMLApplication*\",\n \"*mshtml*,#135*\",\n \"*StrReverse*\",\n \"*.RegWrite*\",\n /* Issue #379 */\n \"*window.close(*\",\n \"* Chr(*\"\n )\n and not process.parent.executable :\n (\"?:\\\\Program Files (x86)\\\\Citrix\\\\System32\\\\wfshell.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\Office*\\\\MSACCESS.EXE\",\n \"?:\\\\Program Files\\\\Quokka.Works GTInstaller\\\\GTInstaller.exe\")\n ) or\n\n (process.name : \"mshta.exe\" and\n not process.command_line : (\"*.hta*\", \"*.htm*\", \"-Embedding\") and process.args_count >=2) or\n\n /* Execution of HTA file downloaded from the internet */\n (process.name : \"mshta.exe\" and process.command_line : \"*\\\\Users\\\\*\\\\Downloads\\\\*.hta*\") or\n\n /* Execution of HTA file from archive */\n (process.name : \"mshta.exe\" and\n process.args : (\"?:\\\\Users\\\\*\\\\Temp\\\\7z*\", \"?:\\\\Users\\\\*\\\\Temp\\\\Rar$*\", \"?:\\\\Users\\\\*\\\\Temp\\\\Temp?_*\", \"?:\\\\Users\\\\*\\\\Temp\\\\BNZ.*\"))\n )\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, 
{"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "181f6b23-3799-445e-9589-0018328a9e46", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: System", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}, {"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 101}, "id": "181f6b23-3799-445e-9589-0018328a9e46_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61.json b/packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61.json deleted file mode 100644 index 2a38ed7140d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a modification to a Logging sink in Google Cloud Platform (GCP). Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may update a Logging sink to exfiltrate logs to a different export destination.", "false_positives": ["Logging sink modifications may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Sink modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Logging Sink Modification", "note": "", "query": "event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success\n", "references": ["https://cloud.google.com/logging/docs/export#how_sinks_work"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "184dfe52-2999-42d9-b9d1-d1ca54495a61", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": "Transfer Data to Cloud Account", 
"reference": "https://attack.mitre.org/techniques/T1537/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "184dfe52-2999-42d9-b9d1-d1ca54495a61", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61_103.json b/packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61_103.json deleted file mode 100644 index af390ffac42..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/184dfe52-2999-42d9-b9d1-d1ca54495a61_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a modification to a Logging sink in Google Cloud Platform (GCP). Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may update a Logging sink to exfiltrate logs to a different export destination.", "false_positives": ["Logging sink modifications may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Sink modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Logging Sink Modification", "note": "", "query": "event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.UpdateSink and event.outcome:success\n", "references": ["https://cloud.google.com/logging/docs/export#how_sinks_work"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "184dfe52-2999-42d9-b9d1-d1ca54495a61", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Log Auditing"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": "Transfer Data to Cloud Account", "reference": 
"https://attack.mitre.org/techniques/T1537/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "184dfe52-2999-42d9-b9d1-d1ca54495a61_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/185c782e-f86a-11ee-9d9f-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/185c782e-f86a-11ee-9d9f-f661ea17fbce.json deleted file mode 100644 index 479a6e17faa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/185c782e-f86a-11ee-9d9f-f661ea17fbce.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule attempts to identify rapid secret retrieval attempts from AWS SecretsManager. Adversaries may attempt to retrieve secrets from the Secrets Manager programmatically using the `GetSecretValue` or `BatchGetSecretValue` API actions.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be using GetSecretString or BatchGetSecretValue APIs for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-5m", "index": ["filebeat-*", "logs-aws.cloudtrail*"], "language": "kuery", "license": "Elastic License v2", "name": "Rapid Secret Retrieval Attempts from AWS SecretsManager", "note": "## Triage and analysis\n\n### Investigating Rapid Secret Retrieval Attempts from AWS SecretsManager\n\nAWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.\n\nThis rule looks for the rapid retrieval of credentials using `GetSecretValue` or `BatchGetSecretValue` actions in Secrets Manager programmatically. This is a [Threshold](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-threshold-rule) rule indicating 20 or more successful attempts to retrieve a secret value from Secrets Manager by the same user identity within a short timespan. \n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment, and inspect the related policy.\n- Identify the applications that should use this account.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Review IAM permission policies for the user identity and specific secrets accessed.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. 
Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and\n event.action: (GetSecretValue or BatchGetSecretValue) and event.outcome:success and\n not user_agent.name: (\"Chrome\" or \"Firefox\" or \"Safari\" or \"Edge\" or \"Brave\" or \"Opera\")\n", "references": ["https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html", "https://detectioninthe.cloud/ttps/credential_access/access_secret_in_secrets_manager/", "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum", "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_BatchGetSecretValue.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": true, "name": "user_agent.name", "type": 
"keyword"}], "risk_score": 47, "rule_id": "185c782e-f86a-11ee-9d9f-f661ea17fbce", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Secrets Manager", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.006", "name": "Cloud Secrets Management Stores", "reference": "https://attack.mitre.org/techniques/T1555/006/"}]}]}], "threshold": {"field": ["user.id"], "value": 20}, "timestamp_override": "event.ingested", "type": "threshold", "version": 1}, "id": "185c782e-f86a-11ee-9d9f-f661ea17fbce", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/18a5dd9a-e3fa-4996-99b1-ae533b8f27fc.json b/packages/security_detection_engine/kibana/security_rule/18a5dd9a-e3fa-4996-99b1-ae533b8f27fc.json deleted file mode 100644 index 9f6c0590066..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/18a5dd9a-e3fa-4996-99b1-ae533b8f27fc.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected a high count of source IPs establishing an RDP connection with a single destination IP. Attackers might use multiple compromised systems to attack a target to ensure redundancy in case a source IP gets detected and blocked.", "from": "now-12h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_rdp_distinct_count_source_ip_for_destination", "name": "Spike in Number of Connections Made to a Destination IP", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc", "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 4}, "id": "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/18a5dd9a-e3fa-4996-99b1-ae533b8f27fc_1.json b/packages/security_detection_engine/kibana/security_rule/18a5dd9a-e3fa-4996-99b1-ae533b8f27fc_1.json deleted file mode 100644 index 162905949d7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/18a5dd9a-e3fa-4996-99b1-ae533b8f27fc_1.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected a high count of source IPs establishing an RDP connection with a single destination IP. Attackers might use multiple compromised systems to attack a target to ensure redundancy in case a source IP gets detected and blocked.", "from": "now-12h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_rdp_distinct_count_source_ip_for_destination", "name": "Spike in Number of Connections Made to a Destination IP", "note": "", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc", "setup": "The Lateral Movement Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 1}, "id": "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/18a5dd9a-e3fa-4996-99b1-ae533b8f27fc_2.json b/packages/security_detection_engine/kibana/security_rule/18a5dd9a-e3fa-4996-99b1-ae533b8f27fc_2.json
deleted file mode 100644
index 61e16e90174..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/18a5dd9a-e3fa-4996-99b1-ae533b8f27fc_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected a high count of source IPs establishing an RDP connection with a single destination IP. Attackers might use multiple compromised systems to attack a target to ensure redundancy in case a source IP gets detected and blocked.", "from": "now-12h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_rdp_distinct_count_source_ip_for_destination", "name": "Spike in Number of Connections Made to a Destination IP", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc", "setup": "The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". 
Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 2}, "id": "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/18a5dd9a-e3fa-4996-99b1-ae533b8f27fc_3.json b/packages/security_detection_engine/kibana/security_rule/18a5dd9a-e3fa-4996-99b1-ae533b8f27fc_3.json
deleted file mode 100644
index 47bad19e58a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/18a5dd9a-e3fa-4996-99b1-ae533b8f27fc_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected a high count of source IPs establishing an RDP connection with a single destination IP. Attackers might use multiple compromised systems to attack a target to ensure redundancy in case a source IP gets detected and blocked.", "from": "now-12h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_rdp_distinct_count_source_ip_for_destination", "name": "Spike in Number of Connections Made to a Destination IP", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc", "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". 
Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 3}, "id": "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/192657ba-ab0e-4901-89a2-911d611eee98.json b/packages/security_detection_engine/kibana/security_rule/192657ba-ab0e-4901-89a2-911d611eee98.json
deleted file mode 100644
index f270a1949a1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/192657ba-ab0e-4901-89a2-911d611eee98.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the paths specified in the query need to be added to the FIM policy in the Elastic Security app.", "from": "now-9m", "index": ["logs-fim.event-*", "auditbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Persistence via File Modification", "query": "file where host.os.type == \"linux\" and event.dataset == \"fim.event\" and event.action == \"updated\" and\nfile.path : (\n // cron, anacron & at\n \"/etc/cron.d/*\", \"/etc/cron.daily/*\", \"/etc/cron.hourly/*\", \"/etc/cron.monthly/*\",\n \"/etc/cron.weekly/*\", \"/etc/crontab\", \"/var/spool/cron/crontabs/*\", \"/etc/cron.allow\",\n \"/etc/cron.deny\", \"/var/spool/anacron/*\", \"/var/spool/cron/atjobs/*\",\n\n // systemd services & timers\n \"/etc/systemd/system/*\", \"/usr/local/lib/systemd/system/*\", \"/lib/systemd/system/*\",\n \"/usr/lib/systemd/system/*\", \"/home/*/.config/systemd/user/*\", \"/home/*/.local/share/systemd/user/*\",\n \"/root/.config/systemd/user/*\", \"/root/.local/share/systemd/user/*\",\n\n // LD_PRELOAD\n \"/etc/ld.so.preload\", \"/etc/ld.so.conf.d/*\", \"/etc/ld.so.conf\",\n\n // message-of-the-day (MOTD)\n \"/etc/update-motd.d/*\",\n\n // SSH\n \"/home/*/.ssh/*\", \"/root/.ssh/*\", \"/etc/ssh/*\",\n\n // system-wide shell configurations\n \"/etc/profile\", \"/etc/profile.d/*\", \"/etc/bash.bashrc\", \"/etc/zsh/*\", \"/etc/csh.cshrc\",\n \"/etc/csh.login\", \"/etc/fish/config.fish\", \"/etc/ksh.kshrc\",\n\n // root and user shell 
configurations\n \"/home/*/.profile\", \"/home/*/.bashrc\", \"/home/*/.bash_login\", \"/home/*/.bash_logout\",\n \"/root/.profile\", \"/root/.bashrc\", \"/root/.bash_login\", \"/root/.bash_logout\",\n \"/home/*/.zprofile\", \"/home/*/.zshrc\", \"/root/.zprofile\", \"/root/.zshrc\",\n \"/home/*/.cshrc\", \"/home/*/.login\", \"/home/*/.logout\", \"/root/.cshrc\", \"/root/.login\", \"/root/.logout\",\n \"/home/*/.config/fish/config.fish\", \"/root/.config/fish/config.fish\",\n \"/home/*/.kshrc\", \"/root/.kshrc\",\n\n // runtime control\n \"/etc/rc.common\", \"/etc/rc.local\",\n\n // System V init/Upstart\n \"/etc/init.d/*\", \"/etc/init/*\",\n\n // passwd/sudoers/shadow\n \"/etc/passwd\", \"/etc/shadow\", \"/etc/sudoers\", \"/etc/sudoers.d/*\",\n\n // Systemd udevd\n \"/lib/udev/*\", \"/etc/udev/rules.d/*\", \"/usr/lib/udev/rules.d/*\", \"/run/udev/rules.d/*\", \"/usr/local/lib/udev/rules.d/*\",\n\n // XDG/KDE autostart entries\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\", \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\"\n) and not (\n file.path : (\n \"/var/spool/cron/crontabs/tmp.*\", \"/run/udev/rules.d/*rules.*\", \"/home/*/.ssh/known_hosts.*\", \"/root/.ssh/known_hosts.*\"\n ) or\n file.extension in (\"dpkg-new\", \"dpkg-remove\", \"SEQ\")\n)\n", "related_integrations": [{"package": "fim", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, 
"name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "192657ba-ab0e-4901-89a2-911d611eee98", "setup": "## Setup\n\nThis rule requires data coming in from the Elastic File Integrity Monitoring (FIM) integration.\n\n### Elastic FIM Integration Setup\nTo configure the Elastic FIM integration, follow these steps:\n\n1. Install and configure the Elastic Agent on your Linux system. You can refer to the [Elastic Agent documentation](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html) for detailed instructions.\n2. Once the Elastic Agent is installed, navigate to the Elastic Security app in Kibana.\n3. In the Kibana home page, click on \"Integrations\" in the left sidebar.\n4. Search for \"File Integrity Monitoring\" in the search bar and select the integration.\n5. Provide a name and optional description for the integration.\n6. Select the appropriate agent policy for your Linux system or create a new one.\n7. Configure the FIM policy by specifying the paths that you want to monitor for file modifications. You can use the same paths mentioned in the `query` field of the rule. Note that FIM does not accept wildcards in the paths, so you need to specify the exact paths you want to monitor.\n8. 
Save the configuration and the Elastic Agent will start monitoring the specified paths for file modifications.\n\nFor more details on configuring the Elastic FIM integration, you can refer to the [Elastic FIM documentation](https://docs.elastic.co/integrations/fim).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: File Integrity Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}, {"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}, {"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": 
[{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "192657ba-ab0e-4901-89a2-911d611eee98", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/192657ba-ab0e-4901-89a2-911d611eee98_1.json b/packages/security_detection_engine/kibana/security_rule/192657ba-ab0e-4901-89a2-911d611eee98_1.json
deleted file mode 100644
index 5355e98e67f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/192657ba-ab0e-4901-89a2-911d611eee98_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the paths specified in the query need to be added to the FIM policy in the Elastic Security app.", "from": "now-9m", "index": ["logs-fim.event-*", "auditbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Persistence via File Modification", "query": "file where host.os.type == \"linux\" and event.dataset == \"fim.event\" and event.action == \"updated\" and\nfile.path : (\n // cron, anacron & at\n \"/etc/cron.d/*\", \"/etc/cron.daily/*\", \"/etc/cron.hourly/*\", \"/etc/cron.monthly/*\",\n \"/etc/cron.weekly/*\", \"/etc/crontab\", \"/var/spool/cron/crontabs/*\", \"/etc/cron.allow\",\n \"/etc/cron.deny\", \"/var/spool/anacron/*\", \"/var/spool/cron/atjobs/*\",\n\n // systemd services & timers\n \"/etc/systemd/system/*\", \"/usr/local/lib/systemd/system/*\", \"/lib/systemd/system/*\",\n \"/usr/lib/systemd/system/*\", \"/home/*/.config/systemd/user/*\", \"/home/*/.local/share/systemd/user/*\",\n \"/root/.config/systemd/user/*\", \"/root/.local/share/systemd/user/*\",\n\n // LD_PRELOAD\n \"/etc/ld.so.preload\", \"/etc/ld.so.conf.d/*\", \"/etc/ld.so.conf\",\n\n // message-of-the-day (MOTD)\n \"/etc/update-motd.d/*\",\n\n // SSH\n \"/home/*/.ssh/*\", \"/root/.ssh/*\", \"/etc/ssh/*\",\n\n // system-wide shell configurations\n \"/etc/profile\", \"/etc/profile.d/*\", \"/etc/bash.bashrc\", \"/etc/zsh/*\", \"/etc/csh.cshrc\",\n \"/etc/csh.login\", \"/etc/fish/config.fish\", \"/etc/ksh.kshrc\",\n\n // root and user shell 
configurations\n \"/home/*/.profile\", \"/home/*/.bashrc\", \"/home/*/.bash_login\", \"/home/*/.bash_logout\",\n \"/root/.profile\", \"/root/.bashrc\", \"/root/.bash_login\", \"/root/.bash_logout\",\n \"/home/*/.zprofile\", \"/home/*/.zshrc\", \"/root/.zprofile\", \"/root/.zshrc\",\n \"/home/*/.cshrc\", \"/home/*/.login\", \"/home/*/.logout\", \"/root/.cshrc\", \"/root/.login\", \"/root/.logout\",\n \"/home/*/.config/fish/config.fish\", \"/root/.config/fish/config.fish\",\n \"/home/*/.kshrc\", \"/root/.kshrc\",\n\n // runtime control\n \"/etc/rc.common\", \"/etc/rc.local\",\n\n // init daemon\n \"/etc/init.d/*\",\n\n // passwd/sudoers/shadow\n \"/etc/passwd\", \"/etc/shadow\", \"/etc/sudoers\", \"/etc/sudoers.d/*\",\n\n // Systemd udevd\n \"/lib/udev/*\", \"/etc/udev/rules.d/*\", \"/usr/lib/udev/rules.d/*\", \"/run/udev/rules.d/*\",\n\n // XDG/KDE autostart entries\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\", \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\"\n) and not (\n file.path : (\n \"/var/spool/cron/crontabs/tmp.*\", \"/run/udev/rules.d/*rules.*\", \"/home/*/.ssh/known_hosts.*\", \"/root/.ssh/known_hosts.*\"\n ) or\n file.extension in (\"dpkg-new\", \"dpkg-remove\", \"SEQ\")\n)\n", "related_integrations": [{"package": "fim", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": 
"host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "192657ba-ab0e-4901-89a2-911d611eee98", "setup": "## Setup\n\nThis rule requires data coming in from the Elastic File Integrity Monitoring (FIM) integration.\n\n### Elastic FIM Integration Setup\nTo configure the Elastic FIM integration, follow these steps:\n\n1. Install and configure the Elastic Agent on your Linux system. You can refer to the [Elastic Agent documentation](https://www.elastic.co/guide/en/ingest-management/current/agent-configuration.html) for detailed instructions.\n2. Once the Elastic Agent is installed, navigate to the Elastic Security app in Kibana.\n3. In the Kibana home page, click on \"Integrations\" in the left sidebar.\n4. Search for \"File Integrity Monitoring\" in the search bar and select the integration.\n6. Provide a name and optional description for the integration.\n7. Select the appropriate agent policy for your Linux system or create a new one.\n8. Configure the FIM policy by specifying the paths that you want to monitor for file modifications. You can use the same paths mentioned in the `query` field of the rule. Note that FIM does not accept wildcards in the paths, so you need to specify the exact paths you want to monitor.\n9. 
Save the configuration and the Elastic Agent will start monitoring the specified paths for file modifications.\n\nFor more details on configuring the Elastic FIM integration, you can refer to the [Elastic FIM documentation](https://docs.elastic.co/integrations/fim).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: File Integrity Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}, {"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}, {"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": 
[{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "192657ba-ab0e-4901-89a2-911d611eee98_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/192657ba-ab0e-4901-89a2-911d611eee98_2.json b/packages/security_detection_engine/kibana/security_rule/192657ba-ab0e-4901-89a2-911d611eee98_2.json
deleted file mode 100644
index 1451d30d2f9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/192657ba-ab0e-4901-89a2-911d611eee98_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the paths specified in the query need to be added to the FIM policy in the Elastic Security app.", "from": "now-9m", "index": ["logs-fim.event-*", "auditbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Persistence via File Modification", "query": "file where host.os.type == \"linux\" and event.dataset == \"fim.event\" and event.action == \"updated\" and\nfile.path : (\n // cron, anacron & at\n \"/etc/cron.d/*\", \"/etc/cron.daily/*\", \"/etc/cron.hourly/*\", \"/etc/cron.monthly/*\",\n \"/etc/cron.weekly/*\", \"/etc/crontab\", \"/var/spool/cron/crontabs/*\", \"/etc/cron.allow\",\n \"/etc/cron.deny\", \"/var/spool/anacron/*\", \"/var/spool/cron/atjobs/*\",\n\n // systemd services & timers\n \"/etc/systemd/system/*\", \"/usr/local/lib/systemd/system/*\", \"/lib/systemd/system/*\",\n \"/usr/lib/systemd/system/*\", \"/home/*/.config/systemd/user/*\", \"/home/*/.local/share/systemd/user/*\",\n \"/root/.config/systemd/user/*\", \"/root/.local/share/systemd/user/*\",\n\n // LD_PRELOAD\n \"/etc/ld.so.preload\", \"/etc/ld.so.conf.d/*\", \"/etc/ld.so.conf\",\n\n // message-of-the-day (MOTD)\n \"/etc/update-motd.d/*\",\n\n // SSH\n \"/home/*/.ssh/*\", \"/root/.ssh/*\", \"/etc/ssh/*\",\n\n // system-wide shell configurations\n \"/etc/profile\", \"/etc/profile.d/*\", \"/etc/bash.bashrc\", \"/etc/zsh/*\", \"/etc/csh.cshrc\",\n \"/etc/csh.login\", \"/etc/fish/config.fish\", \"/etc/ksh.kshrc\",\n\n // root and user shell 
configurations\n \"/home/*/.profile\", \"/home/*/.bashrc\", \"/home/*/.bash_login\", \"/home/*/.bash_logout\",\n \"/root/.profile\", \"/root/.bashrc\", \"/root/.bash_login\", \"/root/.bash_logout\",\n \"/home/*/.zprofile\", \"/home/*/.zshrc\", \"/root/.zprofile\", \"/root/.zshrc\",\n \"/home/*/.cshrc\", \"/home/*/.login\", \"/home/*/.logout\", \"/root/.cshrc\", \"/root/.login\", \"/root/.logout\",\n \"/home/*/.config/fish/config.fish\", \"/root/.config/fish/config.fish\",\n \"/home/*/.kshrc\", \"/root/.kshrc\",\n\n // runtime control\n \"/etc/rc.common\", \"/etc/rc.local\",\n\n // init daemon\n \"/etc/init.d/*\",\n\n // passwd/sudoers/shadow\n \"/etc/passwd\", \"/etc/shadow\", \"/etc/sudoers\", \"/etc/sudoers.d/*\",\n\n // Systemd udevd\n \"/lib/udev/*\", \"/etc/udev/rules.d/*\", \"/usr/lib/udev/rules.d/*\", \"/run/udev/rules.d/*\",\n\n // XDG/KDE autostart entries\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\", \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\"\n) and not (\n file.path : (\n \"/var/spool/cron/crontabs/tmp.*\", \"/run/udev/rules.d/*rules.*\", \"/home/*/.ssh/known_hosts.*\", \"/root/.ssh/known_hosts.*\"\n ) or\n file.extension in (\"dpkg-new\", \"dpkg-remove\", \"SEQ\")\n)\n", "related_integrations": [{"package": "fim", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": 
"host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "192657ba-ab0e-4901-89a2-911d611eee98", "setup": "## Setup\n\nThis rule requires data coming in from the Elastic File Integrity Monitoring (FIM) integration.\n\n### Elastic FIM Integration Setup\nTo configure the Elastic FIM integration, follow these steps:\n\n1. Install and configure the Elastic Agent on your Linux system. You can refer to the [Elastic Agent documentation](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html) for detailed instructions.\n2. Once the Elastic Agent is installed, navigate to the Elastic Security app in Kibana.\n3. In the Kibana home page, click on \"Integrations\" in the left sidebar.\n4. Search for \"File Integrity Monitoring\" in the search bar and select the integration.\n5. Provide a name and optional description for the integration.\n6. Select the appropriate agent policy for your Linux system or create a new one.\n7. Configure the FIM policy by specifying the paths that you want to monitor for file modifications. You can use the same paths mentioned in the `query` field of the rule. Note that FIM does not accept wildcards in the paths, so you need to specify the exact paths you want to monitor.\n8. 
Save the configuration and the Elastic Agent will start monitoring the specified paths for file modifications.\n\nFor more details on configuring the Elastic FIM integration, you can refer to the [Elastic FIM documentation](https://docs.elastic.co/integrations/fim).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: File Integrity Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}, {"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}, {"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": 
[{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "192657ba-ab0e-4901-89a2-911d611eee98_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/192657ba-ab0e-4901-89a2-911d611eee98_3.json b/packages/security_detection_engine/kibana/security_rule/192657ba-ab0e-4901-89a2-911d611eee98_3.json
deleted file mode 100644
index ec84c4f2137..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/192657ba-ab0e-4901-89a2-911d611eee98_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule leverages the File Integrity Monitoring (FIM) integration to detect file modifications of files that are commonly used for persistence on Linux systems. The rule detects modifications to files that are commonly used for cron jobs, systemd services, message-of-the-day (MOTD), SSH configurations, shell configurations, runtime control, init daemon, passwd/sudoers/shadow files, Systemd udevd, and XDG/KDE autostart entries. To leverage this rule, the paths specified in the query need to be added to the FIM policy in the Elastic Security app.", "from": "now-9m", "index": ["logs-fim.event-*", "auditbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Persistence via File Modification", "query": "file where host.os.type == \"linux\" and event.dataset == \"fim.event\" and event.action == \"updated\" and\nfile.path : (\n // cron, anacron & at\n \"/etc/cron.d/*\", \"/etc/cron.daily/*\", \"/etc/cron.hourly/*\", \"/etc/cron.monthly/*\",\n \"/etc/cron.weekly/*\", \"/etc/crontab\", \"/var/spool/cron/crontabs/*\", \"/etc/cron.allow\",\n \"/etc/cron.deny\", \"/var/spool/anacron/*\", \"/var/spool/cron/atjobs/*\",\n\n // systemd services & timers\n \"/etc/systemd/system/*\", \"/usr/local/lib/systemd/system/*\", \"/lib/systemd/system/*\",\n \"/usr/lib/systemd/system/*\", \"/home/*/.config/systemd/user/*\", \"/home/*/.local/share/systemd/user/*\",\n \"/root/.config/systemd/user/*\", \"/root/.local/share/systemd/user/*\",\n\n // LD_PRELOAD\n \"/etc/ld.so.preload\", \"/etc/ld.so.conf.d/*\", \"/etc/ld.so.conf\",\n\n // message-of-the-day (MOTD)\n \"/etc/update-motd.d/*\",\n\n // SSH\n \"/home/*/.ssh/*\", \"/root/.ssh/*\", \"/etc/ssh/*\",\n\n // system-wide shell configurations\n \"/etc/profile\", \"/etc/profile.d/*\", \"/etc/bash.bashrc\", \"/etc/zsh/*\", \"/etc/csh.cshrc\",\n \"/etc/csh.login\", \"/etc/fish/config.fish\", \"/etc/ksh.kshrc\",\n\n // root and user shell 
configurations\n \"/home/*/.profile\", \"/home/*/.bashrc\", \"/home/*/.bash_login\", \"/home/*/.bash_logout\",\n \"/root/.profile\", \"/root/.bashrc\", \"/root/.bash_login\", \"/root/.bash_logout\",\n \"/home/*/.zprofile\", \"/home/*/.zshrc\", \"/root/.zprofile\", \"/root/.zshrc\",\n \"/home/*/.cshrc\", \"/home/*/.login\", \"/home/*/.logout\", \"/root/.cshrc\", \"/root/.login\", \"/root/.logout\",\n \"/home/*/.config/fish/config.fish\", \"/root/.config/fish/config.fish\",\n \"/home/*/.kshrc\", \"/root/.kshrc\",\n\n // runtime control\n \"/etc/rc.common\", \"/etc/rc.local\",\n\n // System V init/Upstart\n \"/etc/init.d/*\", \"/etc/init/*\",\n\n // passwd/sudoers/shadow\n \"/etc/passwd\", \"/etc/shadow\", \"/etc/sudoers\", \"/etc/sudoers.d/*\",\n\n // Systemd udevd\n \"/lib/udev/*\", \"/etc/udev/rules.d/*\", \"/usr/lib/udev/rules.d/*\", \"/run/udev/rules.d/*\", \"/usr/local/lib/udev/rules.d/*\",\n\n // XDG/KDE autostart entries\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\", \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\"\n) and not (\n file.path : (\n \"/var/spool/cron/crontabs/tmp.*\", \"/run/udev/rules.d/*rules.*\", \"/home/*/.ssh/known_hosts.*\", \"/root/.ssh/known_hosts.*\"\n ) or\n file.extension in (\"dpkg-new\", \"dpkg-remove\", \"SEQ\")\n)\n", "related_integrations": [{"package": "fim", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, 
"name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "192657ba-ab0e-4901-89a2-911d611eee98", "setup": "## Setup\n\nThis rule requires data coming in from the Elastic File Integrity Monitoring (FIM) integration.\n\n### Elastic FIM Integration Setup\nTo configure the Elastic FIM integration, follow these steps:\n\n1. Install and configure the Elastic Agent on your Linux system. You can refer to the [Elastic Agent documentation](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html) for detailed instructions.\n2. Once the Elastic Agent is installed, navigate to the Elastic Security app in Kibana.\n3. In the Kibana home page, click on \"Integrations\" in the left sidebar.\n4. Search for \"File Integrity Monitoring\" in the search bar and select the integration.\n5. Provide a name and optional description for the integration.\n6. Select the appropriate agent policy for your Linux system or create a new one.\n7. Configure the FIM policy by specifying the paths that you want to monitor for file modifications. You can use the same paths mentioned in the `query` field of the rule. Note that FIM does not accept wildcards in the paths, so you need to specify the exact paths you want to monitor.\n8. 
Save the configuration and the Elastic Agent will start monitoring the specified paths for file modifications.\n\nFor more details on configuring the Elastic FIM integration, you can refer to the [Elastic FIM documentation](https://docs.elastic.co/integrations/fim).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: File Integrity Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}, {"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}, {"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": 
[{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "192657ba-ab0e-4901-89a2-911d611eee98_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6.json b/packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6.json
deleted file mode 100644
index 184e779d6ae..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent alteration of UID permissions to root privileges. This behavior can potentially indicate the execution of a kernel or software privilege escalation exploit.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via Recently Compiled Executable", "query": "sequence by host.id with maxspan=1m\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.name in (\"gcc\", \"g++\", \"cc\") and user.id != \"0\"] by process.args\n [file where host.os.type == \"linux\" and event.action == \"creation\" and event.type == \"creation\" and \n process.name == \"ld\" and user.id != \"0\"] by file.name\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n user.id != \"0\"] by process.name\n [process where host.os.type == \"linux\" and event.action in (\"uid_change\", \"guid_change\") and event.type == \"change\" and \n user.id == \"0\"] by process.name\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "193549e8-bb9e-466a-a7f9-7e783f5cb5a6", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into 
the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 4}, "id": "193549e8-bb9e-466a-a7f9-7e783f5cb5a6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6_1.json b/packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6_1.json
deleted file mode 100644
index 413f6ae796b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent alteration of UID permissions to root privileges. This behavior can potentially indicate the execution of a kernel or software privilege escalation exploit.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via Recently Compiled Executable", "query": "sequence by host.id with maxspan=1m\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name in (\"gcc\", \"g++\", \"cc\") and user.id != \"0\"] by process.args\n [file where host.os.type == \"linux\" and event.action == \"creation\" and event.type == \"creation\" and \n process.name == \"ld\" and user.id != \"0\"] by file.name\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n user.id != \"0\"] by process.name\n [process where host.os.type == \"linux\" and event.action in (\"uid_change\", \"guid_change\") and event.type == \"change\" and \n user.id == \"0\"] by process.name\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "193549e8-bb9e-466a-a7f9-7e783f5cb5a6", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: 
Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 1}, "id": "193549e8-bb9e-466a-a7f9-7e783f5cb5a6_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6_2.json b/packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6_2.json
deleted file mode 100644
index 038c0ffecce..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent alteration of UID permissions to root privileges. This behavior can potentially indicate the execution of a kernel or software privilege escalation exploit.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via Recently Compiled Executable", "query": "sequence by host.id with maxspan=1m\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name in (\"gcc\", \"g++\", \"cc\") and user.id != \"0\"] by process.args\n [file where host.os.type == \"linux\" and event.action == \"creation\" and event.type == \"creation\" and \n process.name == \"ld\" and user.id != \"0\"] by file.name\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n user.id != \"0\"] by process.name\n [process where host.os.type == \"linux\" and event.action in (\"uid_change\", \"guid_change\") and event.type == \"change\" and \n user.id == \"0\"] by process.name\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "193549e8-bb9e-466a-a7f9-7e783f5cb5a6", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the 
Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 2}, "id": "193549e8-bb9e-466a-a7f9-7e783f5cb5a6_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6_3.json b/packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6_3.json
deleted file mode 100644
index 12210b4809f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/193549e8-bb9e-466a-a7f9-7e783f5cb5a6_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent alteration of UID permissions to root privileges. This behavior can potentially indicate the execution of a kernel or software privilege escalation exploit.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via Recently Compiled Executable", "query": "sequence by host.id with maxspan=1m\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name in (\"gcc\", \"g++\", \"cc\") and user.id != \"0\"] by process.args\n [file where host.os.type == \"linux\" and event.action == \"creation\" and event.type == \"creation\" and \n process.name == \"ld\" and user.id != \"0\"] by file.name\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n user.id != \"0\"] by process.name\n [process where host.os.type == \"linux\" and event.action in (\"uid_change\", \"guid_change\") and event.type == \"change\" and \n user.id == \"0\"] by process.name\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "193549e8-bb9e-466a-a7f9-7e783f5cb5a6", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the 
Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 3}, "id": "193549e8-bb9e-466a-a7f9-7e783f5cb5a6_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/19be0164-63d2-11ef-8e38-f661ea17fbce_1.json b/packages/security_detection_engine/kibana/security_rule/19be0164-63d2-11ef-8e38-f661ea17fbce_1.json
deleted file mode 100644
index 4411390dc71..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/19be0164-63d2-11ef-8e38-f661ea17fbce_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a single AWS resource is making `GetServiceQuota` API calls for the EC2 service quota L-1216C47A in more than 10 regions within a 30-second window. Quota code L-1216C47A represents on-demand instances which are used by adversaries to deploy malware and mine cryptocurrency. This could indicate a potential threat actor attempting to discover the AWS infrastructure across multiple regions using compromised credentials or a compromised instance.", "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "AWS Service Quotas Multi-Region `GetServiceQuota` Requests", "query": "from logs-aws.cloudtrail-*\n\n// filter for GetServiceQuota API calls\n| where event.dataset == \"aws.cloudtrail\" and event.provider = \"servicequotas.amazonaws.com\" and event.action == \"GetServiceQuota\"\n\n// truncate the timestamp to a 30-second window\n| eval target_time_window = DATE_TRUNC(30 seconds, @timestamp)\n\n// pre-process the request parameters to extract the service code and quota code\n| dissect aws.cloudtrail.request_parameters \"{%{?service_code_key}=%{service_code}, %{?quota_code_key}=%{quota_code}}\"\n\n// filter for EC2 service quota L-1216C47A (vCPU on-demand instances)\n| where service_code == \"ec2\" and quota_code == \"L-1216C47A\"\n\n// count the number of unique regions and total API calls within the 30-second window\n| stats region_count = count_distinct(cloud.region), window_count = count(*) by target_time_window, aws.cloudtrail.user_identity.arn\n\n// filter for resources making DescribeInstances API calls in more than 10 regions within the 30-second window\n| where region_count >= 10 and window_count >= 10\n\n// sort the results by time windows in descending order\n| sort target_time_window desc\n", "references": ["https://www.sentinelone.com/labs/exploring-fbot-python-based-malware-targeting-cloud-and-payment-services/", 
"https://docs.aws.amazon.com/servicequotas/2019-06-24/apireference/API_GetServiceQuota.html"], "risk_score": 21, "rule_id": "19be0164-63d2-11ef-8e38-f661ea17fbce", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: AWS Service Quotas", "Use Case: Threat Detection", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1580", "name": "Cloud Infrastructure Discovery", "reference": "https://attack.mitre.org/techniques/T1580/"}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "19be0164-63d2-11ef-8e38-f661ea17fbce_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff.json b/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff.json
deleted file mode 100644
index 1cb53ee08b6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.", "false_positives": ["Rare and unusual errors may indicate an impending service failure state. Rare and unusual user error activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to IAM privileges."], "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_error_code", "name": "Rare AWS Error Code", "note": "## Triage and analysis\n\n### Investigating Rare AWS Error Code\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an unusual error in a CloudTrail message. This can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.\n\nDetection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call.\n\n#### Possible investigation steps\n\n- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an automation module or script. You can find the error in the `aws.cloudtrail.error_code field` field.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. 
These may indicate the source of the program or the nature of the task being performed when the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. 
You can find the command in the `event.action field` field.\n- The adoption of new services or the addition of new functionality to scripts may generate false positives.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "aws", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "19de8096-e2b0-4bd8-80c9-34a820813fff", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS.\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### AWS Integration Setup\nThe AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"aws\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAWS\u201d and select the integration to see more details about it.\n- Click \u201cAdd AWS\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201caws\u201d to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws).\n", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"], "type": "machine_learning", "version": 209}, "id": "19de8096-e2b0-4bd8-80c9-34a820813fff", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_104.json b/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_104.json
deleted file mode 100644
index 3e6892f1b06..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.", "false_positives": ["Rare and unusual errors may indicate an impending service failure state. Rare and unusual user error activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to IAM privileges."], "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_error_code", "name": "Rare AWS Error Code", "note": "## Triage and analysis\n\n### Investigating Rare AWS Error Code\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an unusual error in a CloudTrail message. This can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.\n\nDetection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call.\n\n#### Possible investigation steps\n\n- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an automation module or script. You can find the error in the `aws.cloudtrail.error_code field` field.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. 
These may indicate the source of the program or the nature of the task being performed when the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. 
You can find the command in the `event.action field` field.\n- The adoption of new services or the addition of new functionality to scripts may generate false positives.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [], "risk_score": 21, "rule_id": "19de8096-e2b0-4bd8-80c9-34a820813fff", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "ML", "Machine Learning", "Investigation Guide"], "type": "machine_learning", "version": 104}, "id": "19de8096-e2b0-4bd8-80c9-34a820813fff_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_105.json b/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_105.json
deleted file mode 100644
index 76f14bc2476..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.", "false_positives": ["Rare and unusual errors may indicate an impending service failure state. Rare and unusual user error activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to IAM privileges."], "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_error_code", "name": "Rare AWS Error Code", "note": "## Triage and analysis\n\n### Investigating Rare AWS Error Code\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an unusual error in a CloudTrail message. This can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.\n\nDetection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call.\n\n#### Possible investigation steps\n\n- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an automation module or script. You can find the error in the `aws.cloudtrail.error_code field` field.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. 
These may indicate the source of the program or the nature of the task being performed when the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. 
You can find the command in the `event.action field` field.\n- The adoption of new services or the addition of new functionality to scripts may generate false positives.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [], "risk_score": 21, "rule_id": "19de8096-e2b0-4bd8-80c9-34a820813fff", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"], "type": "machine_learning", "version": 105}, "id": "19de8096-e2b0-4bd8-80c9-34a820813fff_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_106.json b/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_106.json
deleted file mode 100644
index 5535df50f49..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.", "false_positives": ["Rare and unusual errors may indicate an impending service failure state. Rare and unusual user error activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to IAM privileges."], "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_error_code", "name": "Rare AWS Error Code", "note": "## Triage and analysis\n\n### Investigating Rare AWS Error Code\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an unusual error in a CloudTrail message. This can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.\n\nDetection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call.\n\n#### Possible investigation steps\n\n- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an automation module or script. You can find the error in the `aws.cloudtrail.error_code field` field.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. 
These may indicate the source of the program or the nature of the task being performed when the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. 
You can find the command in the `event.action field` field.\n- The adoption of new services or the addition of new functionality to scripts may generate false positives.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "aws", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "19de8096-e2b0-4bd8-80c9-34a820813fff", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"], "type": "machine_learning", "version": 106}, "id": "19de8096-e2b0-4bd8-80c9-34a820813fff_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_107.json b/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_107.json
deleted file mode 100644
index e5dd2f9ef12..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.", "false_positives": ["Rare and unusual errors may indicate an impending service failure state. Rare and unusual user error activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to IAM privileges."], "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_error_code", "name": "Rare AWS Error Code", "note": "## Triage and analysis\n\n### Investigating Rare AWS Error Code\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an unusual error in a CloudTrail message. This can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.\n\nDetection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call.\n\n#### Possible investigation steps\n\n- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an automation module or script. You can find the error in the `aws.cloudtrail.error_code field` field.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. 
These may indicate the source of the program or the nature of the task being performed when the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. 
You can find the command in the `event.action field` field.\n- The adoption of new services or the addition of new functionality to scripts may generate false positives.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "aws", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "19de8096-e2b0-4bd8-80c9-34a820813fff", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"], "type": "machine_learning", "version": 107}, "id": "19de8096-e2b0-4bd8-80c9-34a820813fff_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_208.json b/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_208.json
deleted file mode 100644
index 9d7d38b96c6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/19de8096-e2b0-4bd8-80c9-34a820813fff_208.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected an unusual error in a CloudTrail message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.", "false_positives": ["Rare and unusual errors may indicate an impending service failure state. Rare and unusual user error activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to IAM privileges."], "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_error_code", "name": "Rare AWS Error Code", "note": "## Triage and analysis\n\n### Investigating Rare AWS Error Code\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an unusual error in a CloudTrail message. This can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.\n\nDetection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call.\n\n#### Possible investigation steps\n\n- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an automation module or script. You can find the error in the `aws.cloudtrail.error_code field` field.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. 
These may indicate the source of the program or the nature of the task being performed when the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. 
You can find the command in the `event.action field` field.\n- The adoption of new services or the addition of new functionality to scripts may generate false positives.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "aws", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "19de8096-e2b0-4bd8-80c9-34a820813fff", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"], "type": "machine_learning", "version": 208}, "id": "19de8096-e2b0-4bd8-80c9-34a820813fff_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/19e9daf3-f5c5-4bc2-a9af-6b1e97098f03.json b/packages/security_detection_engine/kibana/security_rule/19e9daf3-f5c5-4bc2-a9af-6b1e97098f03.json
deleted file mode 100644
index 051b4f7a485..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/19e9daf3-f5c5-4bc2-a9af-6b1e97098f03.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected unusually high number of processes started in a single RDP session. Executing a large number of processes remotely on other machines can be an indicator of lateral movement activity.", "from": "now-12h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_sum_rdp_number_of_processes", "name": "Spike in Number of Processes in an RDP Session", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03", "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 4}, "id": "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/19e9daf3-f5c5-4bc2-a9af-6b1e97098f03_1.json b/packages/security_detection_engine/kibana/security_rule/19e9daf3-f5c5-4bc2-a9af-6b1e97098f03_1.json
deleted file mode 100644
index e777bc16f4c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/19e9daf3-f5c5-4bc2-a9af-6b1e97098f03_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected unusually high number of processes started in a single RDP session. Executing a large number of processes remotely on other machines can be an indicator of lateral movement activity.", "from": "now-12h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_sum_rdp_number_of_processes", "name": "Spike in Number of Processes in an RDP Session", "note": "", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03", "setup": "The Lateral Movement Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 1}, "id": "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/19e9daf3-f5c5-4bc2-a9af-6b1e97098f03_2.json b/packages/security_detection_engine/kibana/security_rule/19e9daf3-f5c5-4bc2-a9af-6b1e97098f03_2.json
deleted file mode 100644
index 936603d169a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/19e9daf3-f5c5-4bc2-a9af-6b1e97098f03_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected unusually high number of processes started in a single RDP session. Executing a large number of processes remotely on other machines can be an indicator of lateral movement activity.", "from": "now-12h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_sum_rdp_number_of_processes", "name": "Spike in Number of Processes in an RDP Session", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03", "setup": "The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". 
Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 2}, "id": "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/19e9daf3-f5c5-4bc2-a9af-6b1e97098f03_3.json b/packages/security_detection_engine/kibana/security_rule/19e9daf3-f5c5-4bc2-a9af-6b1e97098f03_3.json
deleted file mode 100644
index f5ec789aaf3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/19e9daf3-f5c5-4bc2-a9af-6b1e97098f03_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected unusually high number of processes started in a single RDP session. Executing a large number of processes remotely on other machines can be an indicator of lateral movement activity.", "from": "now-12h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_sum_rdp_number_of_processes", "name": "Spike in Number of Processes in an RDP Session", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03", "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". 
Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 3}, "id": "19e9daf3-f5c5-4bc2-a9af-6b1e97098f03_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1a289854-5b78-49fe-9440-8a8096b1ab50.json b/packages/security_detection_engine/kibana/security_rule/1a289854-5b78-49fe-9440-8a8096b1ab50.json
deleted file mode 100644
index 650c8b80c4b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1a289854-5b78-49fe-9440-8a8096b1ab50.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects commonly abused network utilities running inside a container. Network utilities like nc, nmap, dig, tcpdump, ngrep, telnet, mitmproxy, zmap can be used for malicious purposes such as network reconnaissance, monitoring, or exploitation, and should be monitored closely within a container.", "false_positives": ["There is a potential for false positives if the container is used for legitimate tasks that require the use of network utilities, such as network troubleshooting, testing or system monitoring. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity."], "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "Suspicious Network Tool Launched Inside A Container", "query": "process where container.id: \"*\" and event.type== \"start\" and \n(\n(process.name: (\"nc\", \"ncat\", \"nmap\", \"dig\", \"nslookup\", \"tcpdump\", \"tshark\", \"ngrep\", \"telnet\", \"mitmproxy\", \"socat\", \"zmap\", \"masscan\", \"zgrab\")) or \n/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/\n(process.args: (\"nc\", \"ncat\", \"nmap\", \"dig\", \"nslookup\", \"tcpdump\", \"tshark\", \"ngrep\", \"telnet\", \"mitmproxy\", \"socat\", \"zmap\", \"masscan\", \"zgrab\"))\n)\n", "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "container.id", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1a289854-5b78-49fe-9440-8a8096b1ab50", "severity": "medium", "tags": ["Data Source: Elastic Defend for Containers", "Domain: 
Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Command and Control", "Tactic: Reconnaissance"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0043", "name": "Reconnaissance", "reference": "https://attack.mitre.org/tactics/TA0043/"}, "technique": [{"id": "T1595", "name": "Active Scanning", "reference": "https://attack.mitre.org/techniques/T1595/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "1a289854-5b78-49fe-9440-8a8096b1ab50", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1a289854-5b78-49fe-9440-8a8096b1ab50_1.json b/packages/security_detection_engine/kibana/security_rule/1a289854-5b78-49fe-9440-8a8096b1ab50_1.json
deleted file mode 100644
index 612f053a7c5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1a289854-5b78-49fe-9440-8a8096b1ab50_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects commonly abused network utilities running inside a container. Network utilities like nc, nmap, dig, tcpdump, ngrep, telnet, mitmproxy, zmap can be used for malicious purposes such as network reconnaissance, monitoring, or exploitation, and should be monitored closely within a container.", "false_positives": ["There is a potential for false positives if the container is used for legitimate tasks that require the use of network utilities, such as network troubleshooting, testing or system monitoring. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity."], "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "Suspicious Network Tool Launched Inside A Container", "query": "process where container.id: \"*\" and event.type== \"start\" and \n(\n(process.name: (\"nc\", \"ncat\", \"nmap\", \"dig\", \"nslookup\", \"tcpdump\", \"tshark\", \"ngrep\", \"telnet\", \"mitmproxy\", \"socat\", \"zmap\", \"masscan\", \"zgrab\")) or \n/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/\n(process.args: (\"nc\", \"ncat\", \"nmap\", \"dig\", \"nslookup\", \"tcpdump\", \"tshark\", \"ngrep\", \"telnet\", \"mitmproxy\", \"socat\", \"zmap\", \"masscan\", \"zgrab\"))\n)\n", "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "container.id", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1a289854-5b78-49fe-9440-8a8096b1ab50", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", 
"Discovery", "Command and Control", "Reconnaissance", "Container"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0043", "name": "Reconnaissance", "reference": "https://attack.mitre.org/tactics/TA0043/"}, "technique": [{"id": "T1595", "name": "Active Scanning", "reference": "https://attack.mitre.org/techniques/T1595/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "1a289854-5b78-49fe-9440-8a8096b1ab50_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1a36cace-11a7-43a8-9a10-b497c5a02cd3.json b/packages/security_detection_engine/kibana/security_rule/1a36cace-11a7-43a8-9a10-b497c5a02cd3.json deleted file mode 100644 index 12ff61e1924..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1a36cace-11a7-43a8-9a10-b497c5a02cd3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a new credential is added to an application in Azure. An application may use a certificate or secret string to prove its identity when requesting a token. Multiple certificates and secrets can be added for an application and an adversary may abuse this by creating an additional authentication method to evade defenses or persist in an environment.", "false_positives": ["Application credential additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Application credential additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Application Credential Modification", "note": "", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update application - Certificates and secrets management\" and event.outcome:(success or Success)\n", "references": ["https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/"], "related_integrations": [{"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "1a36cace-11a7-43a8-9a10-b497c5a02cd3", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": 
"Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "1a36cace-11a7-43a8-9a10-b497c5a02cd3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1a36cace-11a7-43a8-9a10-b497c5a02cd3_101.json b/packages/security_detection_engine/kibana/security_rule/1a36cace-11a7-43a8-9a10-b497c5a02cd3_101.json deleted file mode 100644 index aa609806709..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1a36cace-11a7-43a8-9a10-b497c5a02cd3_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a new credential is added to an application in Azure. An application may use a certificate or secret string to prove its identity when requesting a token. Multiple certificates and secrets can be added for an application and an adversary may abuse this by creating an additional authentication method to evade defenses or persist in an environment.", "false_positives": ["Application credential additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Application credential additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Application Credential Modification", "note": "", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update application - Certificates and secrets management\" and event.outcome:(success or Success)\n", "references": ["https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/"], "related_integrations": [{"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "1a36cace-11a7-43a8-9a10-b497c5a02cd3", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", 
"reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "1a36cace-11a7-43a8-9a10-b497c5a02cd3_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570.json b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570.json deleted file mode 100644 index f5d14d1e686..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to run a COM object created in registry to evade defensive counter measures.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Execution of COM object via Xwizard", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"xwizard.exe\" or ?process.pe.original_file_name : \"xwizard.exe\") and\n (\n (process.args : \"RunWizard\" and process.args : \"{*}\") or\n (process.executable != null and\n not process.executable : (\"C:\\\\Windows\\\\SysWOW64\\\\xwizard.exe\", \"C:\\\\Windows\\\\System32\\\\xwizard.exe\")\n )\n )\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "1a6075b0-7479-450e-8fe7-b8b8438ac570", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule 
to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "1a6075b0-7479-450e-8fe7-b8b8438ac570", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_104.json b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_104.json deleted file mode 100644 index be8b85df9f0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to run a COM object created in registry to evade defensive counter measures.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution of COM object via Xwizard", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"xwizard.exe\" and\n (\n (process.args : \"RunWizard\" and process.args : \"{*}\") or\n (process.executable != null and\n not process.executable : (\"C:\\\\Windows\\\\SysWOW64\\\\xwizard.exe\", \"C:\\\\Windows\\\\System32\\\\xwizard.exe\")\n )\n )\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "1a6075b0-7479-450e-8fe7-b8b8438ac570", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", 
"Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "1a6075b0-7479-450e-8fe7-b8b8438ac570_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_105.json b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_105.json deleted file mode 100644 index 9f1665f069a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to run a COM object created in registry to evade defensive counter measures.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution of COM object via Xwizard", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"xwizard.exe\" and\n (\n (process.args : \"RunWizard\" and process.args : \"{*}\") or\n (process.executable != null and\n not process.executable : (\"C:\\\\Windows\\\\SysWOW64\\\\xwizard.exe\", \"C:\\\\Windows\\\\System32\\\\xwizard.exe\")\n )\n )\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "1a6075b0-7479-450e-8fe7-b8b8438ac570", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: 
Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "1a6075b0-7479-450e-8fe7-b8b8438ac570_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_106.json b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_106.json deleted file mode 100644 index 4b6c9f3c044..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to run a COM object created in registry to evade defensive counter measures.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution of COM object via Xwizard", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"xwizard.exe\" and\n (\n (process.args : \"RunWizard\" and process.args : \"{*}\") or\n (process.executable != null and\n not process.executable : (\"C:\\\\Windows\\\\SysWOW64\\\\xwizard.exe\", \"C:\\\\Windows\\\\System32\\\\xwizard.exe\")\n )\n )\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "1a6075b0-7479-450e-8fe7-b8b8438ac570", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: 
Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "1a6075b0-7479-450e-8fe7-b8b8438ac570_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_107.json b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_107.json deleted file mode 100644 index 99603ec7f0e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to run a COM object created in registry to evade defensive counter measures.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution of COM object via Xwizard", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"xwizard.exe\" and\n (\n (process.args : \"RunWizard\" and process.args : \"{*}\") or\n (process.executable != null and\n not process.executable : (\"C:\\\\Windows\\\\SysWOW64\\\\xwizard.exe\", \"C:\\\\Windows\\\\System32\\\\xwizard.exe\")\n )\n )\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "1a6075b0-7479-450e-8fe7-b8b8438ac570", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on 
adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "1a6075b0-7479-450e-8fe7-b8b8438ac570_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_108.json b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_108.json deleted file mode 100644 index 8dce5d4b48d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to run a COM object created in registry to evade defensive counter measures.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Execution of COM object via Xwizard", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"xwizard.exe\" or ?process.pe.original_file_name : \"xwizard.exe\") and\n (\n (process.args : \"RunWizard\" and process.args : \"{*}\") or\n (process.executable != null and\n not process.executable : (\"C:\\\\Windows\\\\SysWOW64\\\\xwizard.exe\", \"C:\\\\Windows\\\\System32\\\\xwizard.exe\")\n )\n )\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "1a6075b0-7479-450e-8fe7-b8b8438ac570", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work 
effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "1a6075b0-7479-450e-8fe7-b8b8438ac570_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_109.json b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_109.json deleted file mode 100644 index 6c9a7131b3e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to run a COM object created in registry to evade defensive counter measures.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Execution of COM object via Xwizard", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"xwizard.exe\" or ?process.pe.original_file_name : \"xwizard.exe\") and\n (\n (process.args : \"RunWizard\" and process.args : \"{*}\") or\n (process.executable != null and\n not process.executable : (\"C:\\\\Windows\\\\SysWOW64\\\\xwizard.exe\", \"C:\\\\Windows\\\\System32\\\\xwizard.exe\")\n )\n )\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "1a6075b0-7479-450e-8fe7-b8b8438ac570", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule 
to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "1a6075b0-7479-450e-8fe7-b8b8438ac570_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_110.json b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_110.json deleted file mode 100644 index 853d5a2c8de..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to run a COM object created in registry to evade defensive counter measures.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Execution of COM object via Xwizard", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"xwizard.exe\" or ?process.pe.original_file_name : \"xwizard.exe\") and\n (\n (process.args : \"RunWizard\" and process.args : \"{*}\") or\n (process.executable != null and\n not process.executable : (\"C:\\\\Windows\\\\SysWOW64\\\\xwizard.exe\", \"C:\\\\Windows\\\\System32\\\\xwizard.exe\")\n )\n )\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "1a6075b0-7479-450e-8fe7-b8b8438ac570", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule 
to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "1a6075b0-7479-450e-8fe7-b8b8438ac570_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_310.json b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_310.json
deleted file mode 100644
index 48a9c8fe550..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_310.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to run a COM object created in registry to evade defensive counter measures.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Execution of COM object via Xwizard", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"xwizard.exe\" or ?process.pe.original_file_name : \"xwizard.exe\") and\n (\n (process.args : \"RunWizard\" and process.args : \"{*}\") or\n (process.executable != null and\n not process.executable : (\"C:\\\\Windows\\\\SysWOW64\\\\xwizard.exe\", \"C:\\\\Windows\\\\System32\\\\xwizard.exe\")\n )\n )\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "1a6075b0-7479-450e-8fe7-b8b8438ac570", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: 
Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 310}, "id": "1a6075b0-7479-450e-8fe7-b8b8438ac570_310", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_311.json b/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_311.json
deleted file mode 100644
index 7a9179e50d9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1a6075b0-7479-450e-8fe7-b8b8438ac570_311.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows Component Object Model (COM) is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects or executable code. Xwizard can be used to run a COM object created in registry to evade defensive counter measures.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Execution of COM object via Xwizard", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"xwizard.exe\" or ?process.pe.original_file_name : \"xwizard.exe\") and\n (\n (process.args : \"RunWizard\" and process.args : \"{*}\") or\n (process.executable != null and\n not process.executable : (\"C:\\\\Windows\\\\SysWOW64\\\\xwizard.exe\", \"C:\\\\Windows\\\\System32\\\\xwizard.exe\")\n )\n )\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Xwizard/", "http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": 
"1a6075b0-7479-450e-8fe7-b8b8438ac570", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 311}, "id": "1a6075b0-7479-450e-8fe7-b8b8438ac570_311", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7.json b/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7.json
deleted file mode 100644
index 78185bd4414..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses.", "false_positives": ["Suspending the recording of a trail may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail suspensions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Suspended", "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Suspended\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\n\nThis rule identifies the suspension of an AWS log trail using the API `StopLogging` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to 
identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": 
"keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_105.json b/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_105.json
deleted file mode 100644
index 279b2a12a4c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses.", "false_positives": ["Suspending the recording of a trail may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail suspensions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Suspended", "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Suspended\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\n\nThis rule identifies the suspension of an AWS log trail using the API `StopLogging` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to 
identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": 
"keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Log Auditing", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_106.json b/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_106.json
deleted file mode 100644
index 93c88355ced..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses.", "false_positives": ["Suspending the recording of a trail may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail suspensions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Suspended", "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Suspended\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\n\nThis rule identifies the suspension of an AWS log trail using the API `StopLogging` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to 
identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": 
"keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_107.json b/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_107.json
deleted file mode 100644
index 5b291ccd23c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses.", "false_positives": ["Suspending the recording of a trail may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail suspensions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Suspended", "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Suspended\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\n\nThis rule identifies the suspension of an AWS log trail using the API `StopLogging` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to 
identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": 
"keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_208.json b/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_208.json deleted file mode 100644 index d4d209f0755..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1aa8fa52-44a7-4dae-b058-f3333b91c8d7_208.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses.", "false_positives": ["Suspending the recording of a trail may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail suspensions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Suspended", "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Suspended\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\n\nThis rule identifies the suspension of an AWS log trail using the API `StopLogging` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to 
identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:StopLogging and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": 
"keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 208}, "id": "1aa8fa52-44a7-4dae-b058-f3333b91c8d7_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b.json b/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b.json deleted file mode 100644 index dbf063273a3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create new users. This is sometimes done by attackers to increase access or establish persistence on a system or domain.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "User Account Creation", "note": "## Triage and analysis\n\n### Investigating User Account Creation\n\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\n\nThis rule identifies the usage of `net.exe` to create new accounts.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign.\n\n### Related rules\n\n- Creation of a Hidden Local User Account - 2edc8076-291e-41e9-81e4-e3fcbc97ae5e\n- Windows User Account Creation - 38e17753-f581-4644-84da-0d60a8318694\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"net.exe\", \"net1.exe\") and\n not process.parent.name : \"net.exe\" and\n (process.args : \"user\" and process.args : (\"/ad\", \"/add\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_104.json b/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_104.json deleted file mode 100644 index 162e1064ef5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create new users. This is sometimes done by attackers to increase access or establish persistence on a system or domain.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "User Account Creation", "note": "## Triage and analysis\n\n### Investigating User Account Creation\n\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\n\nThis rule identifies the usage of `net.exe` to create new accounts.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign.\n\n### Related rules\n\n- Creation of a Hidden Local User Account - 2edc8076-291e-41e9-81e4-e3fcbc97ae5e\n- Windows User Account Creation - 38e17753-f581-4644-84da-0d60a8318694\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"net.exe\", \"net1.exe\") and\n not process.parent.name : \"net.exe\" and\n (process.args : \"user\" and process.args : (\"/ad\", \"/add\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "1aa9181a-492b-4c01-8b16-fa0735786b2b_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_105.json b/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_105.json deleted file mode 100644 index 415bad564e1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create new users. This is sometimes done by attackers to increase access or establish persistence on a system or domain.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "User Account Creation", "note": "## Triage and analysis\n\n### Investigating User Account Creation\n\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\n\nThis rule identifies the usage of `net.exe` to create new accounts.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign.\n\n### Related rules\n\n- Creation of a Hidden Local User Account - 2edc8076-291e-41e9-81e4-e3fcbc97ae5e\n- Windows User Account Creation - 38e17753-f581-4644-84da-0d60a8318694\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"net.exe\", \"net1.exe\") and\n not process.parent.name : \"net.exe\" and\n (process.args : \"user\" and process.args : (\"/ad\", \"/add\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": 
"https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "1aa9181a-492b-4c01-8b16-fa0735786b2b_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_106.json b/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_106.json deleted file mode 100644 index 0fd675f0682..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create new users. This is sometimes done by attackers to increase access or establish persistence on a system or domain.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "User Account Creation", "note": "## Triage and analysis\n\n### Investigating User Account Creation\n\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\n\nThis rule identifies the usage of `net.exe` to create new accounts.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign.\n\n### Related rules\n\n- Creation of a Hidden Local User Account - 2edc8076-291e-41e9-81e4-e3fcbc97ae5e\n- Windows User Account Creation - 38e17753-f581-4644-84da-0d60a8318694\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"net.exe\", \"net1.exe\") and\n not process.parent.name : \"net.exe\" and\n (process.args : \"user\" and process.args : (\"/ad\", \"/add\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local 
Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "1aa9181a-492b-4c01-8b16-fa0735786b2b_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_107.json b/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_107.json deleted file mode 100644 index 5d110c9e616..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create new users. This is sometimes done by attackers to increase access or establish persistence on a system or domain.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "User Account Creation", "note": "## Triage and analysis\n\n### Investigating User Account Creation\n\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\n\nThis rule identifies the usage of `net.exe` to create new accounts.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign.\n\n### Related rules\n\n- Creation of a Hidden Local User Account - 2edc8076-291e-41e9-81e4-e3fcbc97ae5e\n- Windows User Account Creation - 38e17753-f581-4644-84da-0d60a8318694\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"net.exe\", \"net1.exe\") and\n not process.parent.name : \"net.exe\" and\n (process.args : \"user\" and process.args : (\"/ad\", \"/add\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "1aa9181a-492b-4c01-8b16-fa0735786b2b_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_108.json b/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_108.json
deleted file mode 100644
index 912f34fbb18..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create new users. This is sometimes done by attackers to increase access or establish persistence on a system or domain.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "User Account Creation", "note": "## Triage and analysis\n\n### Investigating User Account Creation\n\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\n\nThis rule identifies the usage of `net.exe` to create new accounts.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign.\n\n### Related rules\n\n- Creation of a Hidden Local User Account - 2edc8076-291e-41e9-81e4-e3fcbc97ae5e\n- Windows User Account Creation - 38e17753-f581-4644-84da-0d60a8318694\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"net.exe\", \"net1.exe\") and\n not process.parent.name : \"net.exe\" and\n (process.args : \"user\" and process.args : (\"/ad\", \"/add\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "1aa9181a-492b-4c01-8b16-fa0735786b2b_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_109.json b/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_109.json
deleted file mode 100644
index 14de109d3d3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create new users. This is sometimes done by attackers to increase access or establish persistence on a system or domain.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "User Account Creation", "note": "## Triage and analysis\n\n### Investigating User Account Creation\n\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\n\nThis rule identifies the usage of `net.exe` to create new accounts.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign.\n\n### Related rules\n\n- Creation of a Hidden Local User Account - 2edc8076-291e-41e9-81e4-e3fcbc97ae5e\n- Windows User Account Creation - 38e17753-f581-4644-84da-0d60a8318694\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"net.exe\", \"net1.exe\") and\n not process.parent.name : \"net.exe\" and\n (process.args : \"user\" and process.args : (\"/ad\", \"/add\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "1aa9181a-492b-4c01-8b16-fa0735786b2b_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_110.json b/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_110.json
deleted file mode 100644
index 7caa0bd356d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create new users. This is sometimes done by attackers to increase access or establish persistence on a system or domain.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "User Account Creation", "note": "## Triage and analysis\n\n### Investigating User Account Creation\n\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\n\nThis rule identifies the usage of `net.exe` to create new accounts.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. Before investigating further, verify that this activity is not benign.\n\n### Related rules\n\n- Creation of a Hidden Local User Account - 2edc8076-291e-41e9-81e4-e3fcbc97ae5e\n- Windows User Account Creation - 38e17753-f581-4644-84da-0d60a8318694\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"net.exe\", \"net1.exe\") and\n not process.parent.name : \"net.exe\" and\n (process.args : \"user\" and process.args : (\"/ad\", \"/add\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "1aa9181a-492b-4c01-8b16-fa0735786b2b_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_310.json b/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_310.json
deleted file mode 100644
index 81db9d644fa..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1aa9181a-492b-4c01-8b16-fa0735786b2b_310.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create new users. This is sometimes done by attackers to increase access or establish persistence on a system or domain.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "User Account Creation", "note": "## Triage and analysis\n\n### Investigating User Account Creation\n\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\n\nThis rule identifies the usage of `net.exe` to create new accounts.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Related rules\n\n- Creation of a Hidden Local User Account - 2edc8076-291e-41e9-81e4-e3fcbc97ae5e\n- Windows User Account Creation - 38e17753-f581-4644-84da-0d60a8318694\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"net.exe\", \"net1.exe\") and\n not process.parent.name : \"net.exe\" and\n (process.args : \"user\" and process.args : (\"/ad\", \"/add\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "1aa9181a-492b-4c01-8b16-fa0735786b2b", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat 
Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 310}, "id": "1aa9181a-492b-4c01-8b16-fa0735786b2b_310", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1b0b4818-5655-409b-9c73-341cac4bb73f.json b/packages/security_detection_engine/kibana/security_rule/1b0b4818-5655-409b-9c73-341cac4bb73f.json
deleted file mode 100644
index c9cda04b264..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1b0b4818-5655-409b-9c73-341cac4bb73f.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a process impersonating the token of another user logon session. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["logs-endpoint.events.process-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Created with a Duplicated Token", "query": "/* This rule is only compatible with Elastic Endpoint 8.4+ */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and\n\n (process.Ext.effective_parent.executable regex~ \"\"\"[C-Z]:\\\\Windows\\\\(System32|SysWOW64)\\\\[a-zA-Z0-9\\-\\_\\.]+\\.exe\"\"\" or\n process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\explorer.exe\") and\n\n (\n process.name : (\"powershell.exe\", \"cmd.exe\", \"rundll32.exe\", \"notepad.exe\", \"net.exe\", \"ntdsutil.exe\",\n \"tasklist.exe\", \"reg.exe\", \"certutil.exe\", \"bitsadmin.exe\", \"msbuild.exe\", \"esentutl.exe\") or\n\n ((process.Ext.relative_file_creation_time <= 900 or process.Ext.relative_file_name_modify_time <= 900) and\n not process.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and\n not process.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\"))\n ) and\n not (process.name : \"rundll32.exe\" and\n process.command_line : (\"*davclnt.dll,DavSetCookie*\", \"*?:\\\\Program Files*\",\n \"*\\\\Windows\\\\System32\\\\winethc.dll*\", \"*\\\\Windows\\\\SYSTEM32\\\\EDGEHTML.dll*\",\n \"*shell32.dll,SHCreateLocalServerRunDll*\")) and\n not startswith~(process.Ext.effective_parent.name, process.parent.name) and \n not (process.name : \"powershell.exe\" and process.parent.name : \"wmiprvse.exe\" and process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\System32\\\\wsmprovhost.exe\") and \n not (process.Ext.effective_parent.executable : 
\"?:\\\\Windows\\\\System32\\\\RuntimeBroker.exe\" and process.parent.executable : \"?:\\\\Windows\\\\System32\\\\sihost.exe\") and \n not (process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\System32\\\\sethc.exe\" and process.parent.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\") and \n not (process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\explorer.exe\" and \n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\svchost.exe\", \"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\twain_32\\\\*.exe\"))\n", "references": ["https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown"}, {"ecs": false, "name": "process.Ext.effective_parent.name", "type": "unknown"}, {"ecs": false, "name": "process.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": false, "name": "process.Ext.relative_file_name_modify_time", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "1b0b4818-5655-409b-9c73-341cac4bb73f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege 
Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.001", "name": "Token Impersonation/Theft", "reference": "https://attack.mitre.org/techniques/T1134/001/"}, {"id": "T1134.002", "name": "Create Process with Token", "reference": "https://attack.mitre.org/techniques/T1134/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "1b0b4818-5655-409b-9c73-341cac4bb73f", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1b0b4818-5655-409b-9c73-341cac4bb73f_1.json b/packages/security_detection_engine/kibana/security_rule/1b0b4818-5655-409b-9c73-341cac4bb73f_1.json
deleted file mode 100644
index 00e84e7fe34..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1b0b4818-5655-409b-9c73-341cac4bb73f_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a process impersonating the token of another user logon session. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Process Created with a Duplicated Token", "query": "/* This rule is only compatible with Elastic Endpoint 8.4+ */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and\n\n (process.Ext.effective_parent.executable regex~ \"\"\"[C-Z]:\\\\Windows\\\\(System32|SysWOW64)\\\\[a-zA-Z0-9\\-\\_\\.]+\\.exe\"\"\" or\n process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\explorer.exe\") and\n\n (\n process.name : (\"powershell.exe\", \"cmd.exe\", \"rundll32.exe\", \"notepad.exe\", \"net.exe\", \"ntdsutil.exe\",\n \"tasklist.exe\", \"reg.exe\", \"certutil.exe\", \"bitsadmin.exe\", \"msbuild.exe\", \"esentutl.exe\") or\n\n ((process.Ext.relative_file_creation_time <= 900 or process.Ext.relative_file_name_modify_time <= 900) and\n not process.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and\n not process.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\"))\n ) and\n not (process.name : \"rundll32.exe\" and\n process.command_line : (\"*davclnt.dll,DavSetCookie*\", \"*?:\\\\Program Files*\",\n \"*\\\\Windows\\\\System32\\\\winethc.dll*\", \"*\\\\Windows\\\\SYSTEM32\\\\EDGEHTML.dll*\",\n \"*shell32.dll,SHCreateLocalServerRunDll*\")) and\n not startswith~(process.Ext.effective_parent.name, process.parent.name)\n", "references": ["https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", 
"type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown"}, {"ecs": false, "name": "process.Ext.effective_parent.name", "type": "unknown"}, {"ecs": false, "name": "process.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": false, "name": "process.Ext.relative_file_name_modify_time", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "1b0b4818-5655-409b-9c73-341cac4bb73f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.001", "name": "Token Impersonation/Theft", "reference": "https://attack.mitre.org/techniques/T1134/001/"}, {"id": "T1134.002", "name": "Create Process with Token", "reference": "https://attack.mitre.org/techniques/T1134/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "1b0b4818-5655-409b-9c73-341cac4bb73f_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/1b0b4818-5655-409b-9c73-341cac4bb73f_2.json b/packages/security_detection_engine/kibana/security_rule/1b0b4818-5655-409b-9c73-341cac4bb73f_2.json
deleted file mode 100644
index 88c1bacc199..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1b0b4818-5655-409b-9c73-341cac4bb73f_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a process impersonating the token of another user logon session. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Process Created with a Duplicated Token", "query": "/* This rule is only compatible with Elastic Endpoint 8.4+ */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and\n\n (process.Ext.effective_parent.executable regex~ \"\"\"[C-Z]:\\\\Windows\\\\(System32|SysWOW64)\\\\[a-zA-Z0-9\\-\\_\\.]+\\.exe\"\"\" or\n process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\explorer.exe\") and\n\n (\n process.name : (\"powershell.exe\", \"cmd.exe\", \"rundll32.exe\", \"notepad.exe\", \"net.exe\", \"ntdsutil.exe\",\n \"tasklist.exe\", \"reg.exe\", \"certutil.exe\", \"bitsadmin.exe\", \"msbuild.exe\", \"esentutl.exe\") or\n\n ((process.Ext.relative_file_creation_time <= 900 or process.Ext.relative_file_name_modify_time <= 900) and\n not process.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and\n not process.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\"))\n ) and\n not (process.name : \"rundll32.exe\" and\n process.command_line : (\"*davclnt.dll,DavSetCookie*\", \"*?:\\\\Program Files*\",\n \"*\\\\Windows\\\\System32\\\\winethc.dll*\", \"*\\\\Windows\\\\SYSTEM32\\\\EDGEHTML.dll*\",\n \"*shell32.dll,SHCreateLocalServerRunDll*\")) and\n not startswith~(process.Ext.effective_parent.name, process.parent.name) and \n not (process.name : \"powershell.exe\" and process.parent.name : \"wmiprvse.exe\" and process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\System32\\\\wsmprovhost.exe\") and \n not (process.Ext.effective_parent.executable : 
\"?:\\\\Windows\\\\System32\\\\RuntimeBroker.exe\" and process.parent.executable : \"?:\\\\Windows\\\\System32\\\\sihost.exe\") and \n not (process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\System32\\\\sethc.exe\" and process.parent.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\") and \n not (process.Ext.effective_parent.executable : \"?:\\\\Windows\\\\explorer.exe\" and \n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\svchost.exe\", \"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\twain_32\\\\*.exe\"))\n", "references": ["https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown"}, {"ecs": false, "name": "process.Ext.effective_parent.name", "type": "unknown"}, {"ecs": false, "name": "process.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": false, "name": "process.Ext.relative_file_name_modify_time", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "1b0b4818-5655-409b-9c73-341cac4bb73f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege 
Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.001", "name": "Token Impersonation/Theft", "reference": "https://attack.mitre.org/techniques/T1134/001/"}, {"id": "T1134.002", "name": "Create Process with Token", "reference": "https://attack.mitre.org/techniques/T1134/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "1b0b4818-5655-409b-9c73-341cac4bb73f_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973.json b/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973.json
deleted file mode 100644
index a4fd7dce909..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses.", "false_positives": ["Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to Internal Network via Telnet", "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and process.name == \"telnet\" and event.type == \"start\"]\n [network where host.os.type == \"linux\" and process.name == \"telnet\" and cidrmatch(\n destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\",\n \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\", \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\"\n )\n ]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 107}, "id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_102.json b/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_102.json
deleted file mode 100644
index 30daa481ae6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses.", "false_positives": ["Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to Internal Network via Telnet", "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and process.name == \"telnet\" and event.type == \"start\"]\n [network where host.os.type == \"linux\" and process.name == \"telnet\" and\n cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 102}, "id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_103.json b/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_103.json
deleted file mode 100644
index 9867a34f125..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses.", "false_positives": ["Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to Internal Network via Telnet", "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and process.name == \"telnet\" and event.type == \"start\"]\n [network where host.os.type == \"linux\" and process.name == \"telnet\" and\n cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 103}, "id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_104.json b/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_104.json
deleted file mode 100644
index fa0688b9f2a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses.", "false_positives": ["Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to Internal Network via Telnet", "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and process.name == \"telnet\" and event.type == \"start\"]\n [network where host.os.type == \"linux\" and process.name == \"telnet\" and\n cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 104}, "id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_105.json b/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_105.json
deleted file mode 100644
index 8e608dea293..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses.", "false_positives": ["Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to Internal Network via Telnet", "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and process.name == \"telnet\" and event.type == \"start\"]\n [network where host.os.type == \"linux\" and process.name == \"telnet\" and\n cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973", "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 105}, "id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_106.json b/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_106.json
deleted file mode 100644
index a1cd284d7f7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1b21abcc-4d9f-4b08-a7f5-316f5f94b973_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to non-publicly routable IP addresses.", "false_positives": ["Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to Internal Network via Telnet", "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and process.name == \"telnet\" and event.type == \"start\"]\n [network where host.os.type == \"linux\" and process.name == \"telnet\" and\n cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 106}, "id": "1b21abcc-4d9f-4b08-a7f5-316f5f94b973_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516.json b/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516.json
deleted file mode 100644
index cd813e5e6ff..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when an ElastiCache security group has been modified or deleted.", "false_positives": ["A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS ElastiCache Security Group Modified or Deleted", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:(\"Delete Cache Security Group\" or\n\"Authorize Cache Security Group Ingress\" or \"Revoke Cache Security Group Ingress\" or \"AuthorizeCacheSecurityGroupEgress\" or\n\"RevokeCacheSecurityGroupEgress\") and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/Welcome.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_102.json b/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_102.json deleted file mode 100644 index 223a00dc520..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when an ElastiCache security group has been modified or deleted.", "false_positives": ["A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS ElastiCache Security Group Modified or Deleted", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:(\"Delete Cache Security Group\" or\n\"Authorize Cache Security Group Ingress\" or \"Revoke Cache Security Group Ingress\" or \"AuthorizeCacheSecurityGroupEgress\" or\n\"RevokeCacheSecurityGroupEgress\") and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/Welcome.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_103.json b/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_103.json deleted file mode 100644 index 26018a6166f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when an ElastiCache security group has been modified or deleted.", "false_positives": ["A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS ElastiCache Security Group Modified or Deleted", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:(\"Delete Cache Security Group\" or\n\"Authorize Cache Security Group Ingress\" or \"Revoke Cache Security Group Ingress\" or \"AuthorizeCacheSecurityGroupEgress\" or\n\"RevokeCacheSecurityGroupEgress\") and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/Welcome.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_104.json b/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_104.json deleted file mode 100644 index 3b6225e984f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when an ElastiCache security group has been modified or deleted.", "false_positives": ["A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS ElastiCache Security Group Modified or Deleted", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:(\"Delete Cache Security Group\" or\n\"Authorize Cache Security Group Ingress\" or \"Revoke Cache Security Group Ingress\" or \"AuthorizeCacheSecurityGroupEgress\" or\n\"RevokeCacheSecurityGroupEgress\") and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/Welcome.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_205.json b/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_205.json deleted file mode 100644 index 7f4a493823d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when an ElastiCache security group has been modified or deleted.", "false_positives": ["A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security Group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS ElastiCache Security Group Modified or Deleted", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:(\"Delete Cache Security Group\" or\n\"Authorize Cache Security Group Ingress\" or \"Revoke Cache Security Group Ingress\" or \"AuthorizeCacheSecurityGroupEgress\" or\n\"RevokeCacheSecurityGroupEgress\") and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/Welcome.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516_205", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb.json b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb.json deleted file mode 100644 index 3e0226cf788..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple internal consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts.", "from": "now-9m", "index": ["filebeat-*", "logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 5, "name": "Potential Internal Linux SSH Brute Force Detected", "note": "## Triage and analysis\n\n### Investigating Potential Internal Linux SSH Brute Force Detected\n\nThe rule identifies consecutive internal SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Related Rules\n\n- Potential External Linux SSH Brute Force Detected - fa210b61-b627-4e5e-86f4-17e8270656ab\n- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, source.ip, user.name with maxspan=15s\n [ authentication where host.os.type == \"linux\" and \n event.action in (\"ssh_login\", \"user_login\") and event.outcome == \"failure\" and\n cidrmatch(source.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \n \"::1\", \"FE80::/10\", \"FF00::/8\") ] with runs = 10\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1c27fa22-7727-4dd3-81c0-de6da5555feb", "setup": "## Setup\n\nThis rule requires data coming in from Filebeat.\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. 
Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the \u201cFilebeat System Module\u201d to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": 
[{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 11}, "id": "1c27fa22-7727-4dd3-81c0-de6da5555feb", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_10.json b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_10.json deleted file mode 100644 index 2370e40e65a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_10.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple internal consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts.", "from": "now-9m", "index": ["logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 5, "name": "Potential Internal Linux SSH Brute Force Detected", "note": "## Triage and analysis\n\n### Investigating Potential Internal Linux SSH Brute Force Detected\n\nThe rule identifies consecutive internal SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Related Rules\n\n- Potential External Linux SSH Brute Force Detected - fa210b61-b627-4e5e-86f4-17e8270656ab\n- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, source.ip, user.name with maxspan=15s\n [ authentication where host.os.type == \"linux\" and \n event.action in (\"ssh_login\", \"user_login\") and event.outcome == \"failure\" and\n cidrmatch(source.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \n \"::1\", \"FE80::/10\", \"FF00::/8\") ] with runs = 10\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1c27fa22-7727-4dd3-81c0-de6da5555feb", "setup": "## Setup\n\nThis rule requires data coming in from Filebeat.\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. 
Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the \u201cFilebeat System Module\u201d to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": 
[{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 10}, "id": "1c27fa22-7727-4dd3-81c0-de6da5555feb_10", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_4.json b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_4.json deleted file mode 100644 index 4917f106400..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple consecutive login failures targeting an user account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", "from": "now-9m", "index": ["auditbeat-*", "logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux SSH Brute Force Detected", "note": "## Triage and analysis\n\n### Investigating Potential SSH Brute Force Attack\n\nThe rule identifies consecutive SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "sequence by host.id, source.ip, user.name with maxspan=10s\n [authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"failure\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ] with runs=10\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1c27fa22-7727-4dd3-81c0-de6da5555feb", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 4}, "id": "1c27fa22-7727-4dd3-81c0-de6da5555feb_4", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_5.json b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_5.json
deleted file mode 100644
index ed0218511b6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies multiple internal consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts.", "from": "now-9m", "index": ["logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Internal Linux SSH Brute Force Detected", "note": "## Triage and analysis\n\n### Investigating Potential Internal Linux SSH Brute Force Detected\n\nThe rule identifies consecutive internal SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Related Rules\n\n- Potential External Linux SSH Brute Force Detected - fa210b61-b627-4e5e-86f4-17e8270656ab\n- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "sequence by host.id, source.ip, user.name with maxspan=5s\n [ authentication where host.os.type == \"linux\" and \n event.action in (\"ssh_login\", \"user_login\") and event.outcome == \"failure\" and\n cidrmatch(source.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \n \"::1\", \"FE80::/10\", \"FF00::/8\") ] with runs = 3\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1c27fa22-7727-4dd3-81c0-de6da5555feb", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": 
[{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 5}, "id": "1c27fa22-7727-4dd3-81c0-de6da5555feb_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_6.json b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_6.json
deleted file mode 100644
index ce7215d9865..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies multiple internal consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts.", "from": "now-9m", "index": ["logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Internal Linux SSH Brute Force Detected", "note": "## Triage and analysis\n\n### Investigating Potential Internal Linux SSH Brute Force Detected\n\nThe rule identifies consecutive internal SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Related Rules\n\n- Potential External Linux SSH Brute Force Detected - fa210b61-b627-4e5e-86f4-17e8270656ab\n- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "sequence by host.id, source.ip, user.name with maxspan=5s\n [ authentication where host.os.type == \"linux\" and \n event.action in (\"ssh_login\", \"user_login\") and event.outcome == \"failure\" and\n cidrmatch(source.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \n \"::1\", \"FE80::/10\", \"FF00::/8\") ] with runs = 3\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1c27fa22-7727-4dd3-81c0-de6da5555feb", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": 
"https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 6}, "id": "1c27fa22-7727-4dd3-81c0-de6da5555feb_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_7.json b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_7.json
deleted file mode 100644
index b1f00fb2494..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies multiple internal consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts.", "from": "now-9m", "index": ["logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Internal Linux SSH Brute Force Detected", "note": "## Triage and analysis\n\n### Investigating Potential Internal Linux SSH Brute Force Detected\n\nThe rule identifies consecutive internal SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Related Rules\n\n- Potential External Linux SSH Brute Force Detected - fa210b61-b627-4e5e-86f4-17e8270656ab\n- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "sequence by host.id, source.ip, user.name with maxspan=5s\n [ authentication where host.os.type == \"linux\" and \n event.action in (\"ssh_login\", \"user_login\") and event.outcome == \"failure\" and\n cidrmatch(source.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \n \"::1\", \"FE80::/10\", \"FF00::/8\") ] with runs = 10\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1c27fa22-7727-4dd3-81c0-de6da5555feb", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": 
"https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 7}, "id": "1c27fa22-7727-4dd3-81c0-de6da5555feb_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_8.json b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_8.json
deleted file mode 100644
index 8024156e483..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_8.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies multiple internal consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts.", "from": "now-9m", "index": ["logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 5, "name": "Potential Internal Linux SSH Brute Force Detected", "note": "## Triage and analysis\n\n### Investigating Potential Internal Linux SSH Brute Force Detected\n\nThe rule identifies consecutive internal SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Related Rules\n\n- Potential External Linux SSH Brute Force Detected - fa210b61-b627-4e5e-86f4-17e8270656ab\n- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "sequence by host.id, source.ip, user.name with maxspan=15s\n [ authentication where host.os.type == \"linux\" and \n event.action in (\"ssh_login\", \"user_login\") and event.outcome == \"failure\" and\n cidrmatch(source.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \n \"::1\", \"FE80::/10\", \"FF00::/8\") ] with runs = 10\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1c27fa22-7727-4dd3-81c0-de6da5555feb", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", 
"reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 8}, "id": "1c27fa22-7727-4dd3-81c0-de6da5555feb_8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_9.json b/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_9.json
deleted file mode 100644
index dfb08dbcba0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1c27fa22-7727-4dd3-81c0-de6da5555feb_9.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies multiple internal consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts.", "from": "now-9m", "index": ["logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 5, "name": "Potential Internal Linux SSH Brute Force Detected", "note": "## Triage and analysis\n\n### Investigating Potential Internal Linux SSH Brute Force Detected\n\nThe rule identifies consecutive internal SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Related Rules\n\n- Potential External Linux SSH Brute Force Detected - fa210b61-b627-4e5e-86f4-17e8270656ab\n- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "sequence by host.id, source.ip, user.name with maxspan=15s\n [ authentication where host.os.type == \"linux\" and \n event.action in (\"ssh_login\", \"user_login\") and event.outcome == \"failure\" and\n cidrmatch(source.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \n \"::1\", \"FE80::/10\", \"FF00::/8\") ] with runs = 10\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1c27fa22-7727-4dd3-81c0-de6da5555feb", "setup": "\nThis rule requires data coming in from Filebeat.\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. 
Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the \u201cFilebeat System Module\u201d to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": 
[{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 9}, "id": "1c27fa22-7727-4dd3-81c0-de6da5555feb_9", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1c5a04ae-d034-41bf-b0d8-96439b5cc774.json b/packages/security_detection_engine/kibana/security_rule/1c5a04ae-d034-41bf-b0d8-96439b5cc774.json
deleted file mode 100644
index d1798018826..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1c5a04ae-d034-41bf-b0d8-96439b5cc774.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel) with unusual process arguments and path. This behavior is often observed during exploitation of Office applications or from documents with malicious macros.", "from": "now-119m", "index": ["logs-endpoint.events.process-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Process Injection from Malicious Document", "query": "process where host.os.type == \"windows\" and event.action == \"start\" and\n process.parent.name : (\"excel.exe\", \"powerpnt.exe\", \"winword.exe\") and\n process.args_count == 1 and\n process.executable : (\n \"?:\\\\Windows\\\\SysWOW64\\\\*.exe\", \"?:\\\\Windows\\\\system32\\\\*.exe\"\n ) and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\*\" and\n process.code_signature.trusted == true and not process.code_signature.subject_name : \"Microsoft *\") and\n not process.executable : (\n \"?:\\\\Windows\\\\Sys*\\\\Taskmgr.exe\",\n \"?:\\\\Windows\\\\Sys*\\\\ctfmon.exe\",\n \"?:\\\\Windows\\\\System32\\\\notepad.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "1c5a04ae-d034-41bf-b0d8-96439b5cc774", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", 
"Tactic: Privilege Escalation", "Tactic: Initial Access", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "1c5a04ae-d034-41bf-b0d8-96439b5cc774", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1c5a04ae-d034-41bf-b0d8-96439b5cc774_1.json b/packages/security_detection_engine/kibana/security_rule/1c5a04ae-d034-41bf-b0d8-96439b5cc774_1.json
deleted file mode 100644
index 63fbb045d01..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1c5a04ae-d034-41bf-b0d8-96439b5cc774_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel) with unusual process arguments and path. This behavior is often observed during exploitation of Office applications or from documents with malicious macros.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Process Injection from Malicious Document", "query": "process where host.os.type == \"windows\" and event.action == \"start\" and\n process.parent.name : (\"excel.exe\", \"powerpnt.exe\", \"winword.exe\") and\n process.args_count == 1 and\n process.executable : (\n \"?:\\\\Windows\\\\SysWOW64\\\\*.exe\", \"?:\\\\Windows\\\\system32\\\\*.exe\"\n ) and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\*\" and\n process.code_signature.trusted == true and not process.code_signature.subject_name : \"Microsoft *\") and\n not process.executable : (\n \"?:\\\\Windows\\\\Sys*\\\\Taskmgr.exe\",\n \"?:\\\\Windows\\\\Sys*\\\\ctfmon.exe\",\n \"?:\\\\Windows\\\\System32\\\\notepad.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "1c5a04ae-d034-41bf-b0d8-96439b5cc774", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: 
Privilege Escalation", "Tactic: Initial Access", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "1c5a04ae-d034-41bf-b0d8-96439b5cc774_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38.json b/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38.json
deleted file mode 100644
index 1b866377349..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Possible Consent Grant Attack via Azure-Registered Application", "note": "## Triage and analysis\n\n### Investigating Possible Consent Grant Attack via Azure-Registered Application\n\nIn an illicit consent grant attack, the attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting that application consent to access their data either through a phishing attack, or by injecting illicit code into a trusted website. After the illicit application has been granted consent, it has account-level access to data without the need for an organizational account. Normal remediation steps like resetting passwords for breached accounts or requiring multi-factor authentication (MFA) on accounts are not effective against this type of attack, since these are third-party applications and are external to the organization.\n\nOfficial Microsoft guidance for detecting and remediating this attack can be found [here](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants).\n\n#### Possible investigation steps\n\n- From the Azure AD portal, Review the application that was granted permissions:\n - Click on the `Review permissions` button on the `Permissions` blade of the application.\n - An app should require only permissions related to the app's purpose. 
If that's not the case, the app might be risky.\n - Apps that require high privileges or admin consent are more likely to be risky.\n- Investigate the app and the publisher. The following characteristics can indicate suspicious apps:\n - A low number of downloads.\n - Low rating or score or bad comments.\n - Apps with a suspicious publisher or website.\n - Apps whose last update is not recent. This might indicate an app that is no longer supported.\n- Export and examine the [Oauth app auditing](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#oauth-app-auditing) to identify users affected.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Malicious applications abuse the same workflow used by legitimate apps. Thus, analysts must review each app consent to ensure that only desired apps are granted access.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Disable the malicious application to stop user access and the application access to your data.\n- Revoke the application Oauth consent grant. The `Remove-AzureADOAuth2PermissionGrant` cmdlet can be used to complete this task.\n- Remove the service principal application role assignment. The `Remove-AzureADServiceAppRoleAssignment` cmdlet can be used to complete this task.\n- Revoke the refresh token for all users assigned to the application. 
Azure provides a [playbook](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Revoke-AADSignInSessions) for this task.\n- [Report](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#send-feedback) the application as malicious to Microsoft.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Investigate the potential for data compromise from the user's email and file sharing services. Activate your Data Loss incident response playbook.\n- Disable the permission for a user to set consent permission on their behalf.\n - Enable the [Admin consent request](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) feature.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and\n (\n azure.activitylogs.operation_name:\"Consent to application\" or\n azure.auditlogs.operation_name:\"Consent to application\" or\n o365.audit.Operation:\"Consent to application.\"\n ) and\n event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", "https://www.cloud-architekt.net/detection-and-mitigation-consent-grant-attacks-azuread/", "https://docs.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth#how-to-detect-risky-oauth-apps"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}, {"package": "azure", "version": "^1.0.0"}, {"package": "o365", "version": "^2.0.0"}], 
"required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Operation", "type": "keyword"}], "risk_score": 47, "rule_id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Azure", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1528", "name": "Steal Application Access Token", "reference": "https://attack.mitre.org/techniques/T1528/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 212}, "id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_105.json b/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_105.json deleted file mode 100644 index 636bd1a1cbd..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Possible Consent Grant Attack via Azure-Registered Application", "note": "## Triage and analysis\n\n### Investigating Possible Consent Grant Attack via Azure-Registered Application\n\nIn an illicit consent grant attack, the attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting that application consent to access their data either through a phishing attack, or by injecting illicit code into a trusted website. After the illicit application has been granted consent, it has account-level access to data without the need for an organizational account. Normal remediation steps like resetting passwords for breached accounts or requiring multi-factor authentication (MFA) on accounts are not effective against this type of attack, since these are third-party applications and are external to the organization.\n\nOfficial Microsoft guidance for detecting and remediating this attack can be found [here](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants).\n\n#### Possible investigation steps\n\n- From the Azure AD portal, Review the application that was granted permissions:\n - Click on the `Review permissions` button on the `Permissions` blade of the application.\n - An app should require only permissions related to the app's purpose. 
If that's not the case, the app might be risky.\n - Apps that require high privileges or admin consent are more likely to be risky.\n- Investigate the app and the publisher. The following characteristics can indicate suspicious apps:\n - A low number of downloads.\n - Low rating or score or bad comments.\n - Apps with a suspicious publisher or website.\n - Apps whose last update is not recent. This might indicate an app that is no longer supported.\n- Export and examine the [Oauth app auditing](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#oauth-app-auditing) to identify users affected.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Malicious applications abuse the same workflow used by legitimate apps. Thus, analysts must review each app consent to ensure that only desired apps are granted access.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Disable the malicious application to stop user access and the application access to your data.\n- Revoke the application Oauth consent grant. The `Remove-AzureADOAuth2PermissionGrant` cmdlet can be used to complete this task.\n- Remove the service principal application role assignment. The `Remove-AzureADServiceAppRoleAssignment` cmdlet can be used to complete this task.\n- Revoke the refresh token for all users assigned to the application. 
Azure provides a [playbook](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Revoke-AADSignInSessions) for this task.\n- [Report](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#send-feedback) the application as malicious to Microsoft.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Investigate the potential for data compromise from the user's email and file sharing services. Activate your Data Loss incident response playbook.\n- Disable the permission for a user to set consent permission on their behalf.\n - Enable the [Admin consent request](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) feature.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and\n (\n azure.activitylogs.operation_name:\"Consent to application\" or\n azure.auditlogs.operation_name:\"Consent to application\" or\n o365.audit.Operation:\"Consent to application.\"\n ) and\n event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", "https://www.cloud-architekt.net/detection-and-mitigation-consent-grant-attacks-azuread/", "https://docs.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth#how-to-detect-risky-oauth-apps"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}, {"package": "azure", "version": "^1.0.0"}, {"package": "o365", "version": "^1.3.0"}], 
"required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Operation", "type": "keyword"}], "risk_score": 47, "rule_id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "Microsoft 365", "SecOps", "Identity and Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1528", "name": "Steal Application Access Token", "reference": "https://attack.mitre.org/techniques/T1528/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_106.json b/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_106.json deleted file mode 100644 index cfcc7e31e4c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Possible Consent Grant Attack via Azure-Registered Application", "note": "## Triage and analysis\n\n### Investigating Possible Consent Grant Attack via Azure-Registered Application\n\nIn an illicit consent grant attack, the attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting that application consent to access their data either through a phishing attack, or by injecting illicit code into a trusted website. After the illicit application has been granted consent, it has account-level access to data without the need for an organizational account. Normal remediation steps like resetting passwords for breached accounts or requiring multi-factor authentication (MFA) on accounts are not effective against this type of attack, since these are third-party applications and are external to the organization.\n\nOfficial Microsoft guidance for detecting and remediating this attack can be found [here](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants).\n\n#### Possible investigation steps\n\n- From the Azure AD portal, Review the application that was granted permissions:\n - Click on the `Review permissions` button on the `Permissions` blade of the application.\n - An app should require only permissions related to the app's purpose. 
If that's not the case, the app might be risky.\n - Apps that require high privileges or admin consent are more likely to be risky.\n- Investigate the app and the publisher. The following characteristics can indicate suspicious apps:\n - A low number of downloads.\n - Low rating or score or bad comments.\n - Apps with a suspicious publisher or website.\n - Apps whose last update is not recent. This might indicate an app that is no longer supported.\n- Export and examine the [Oauth app auditing](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#oauth-app-auditing) to identify users affected.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Malicious applications abuse the same workflow used by legitimate apps. Thus, analysts must review each app consent to ensure that only desired apps are granted access.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Disable the malicious application to stop user access and the application access to your data.\n- Revoke the application Oauth consent grant. The `Remove-AzureADOAuth2PermissionGrant` cmdlet can be used to complete this task.\n- Remove the service principal application role assignment. The `Remove-AzureADServiceAppRoleAssignment` cmdlet can be used to complete this task.\n- Revoke the refresh token for all users assigned to the application. 
Azure provides a [playbook](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Revoke-AADSignInSessions) for this task.\n- [Report](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#send-feedback) the application as malicious to Microsoft.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Investigate the potential for data compromise from the user's email and file sharing services. Activate your Data Loss incident response playbook.\n- Disable the permission for a user to set consent permission on their behalf.\n - Enable the [Admin consent request](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) feature.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and\n (\n azure.activitylogs.operation_name:\"Consent to application\" or\n azure.auditlogs.operation_name:\"Consent to application\" or\n o365.audit.Operation:\"Consent to application.\"\n ) and\n event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", "https://www.cloud-architekt.net/detection-and-mitigation-consent-grant-attacks-azuread/", "https://docs.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth#how-to-detect-risky-oauth-apps"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}, {"package": "azure", "version": "^1.0.0"}, {"package": "o365", "version": "^1.3.0"}], 
"required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Operation", "type": "keyword"}], "risk_score": 47, "rule_id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Azure", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1528", "name": "Steal Application Access Token", "reference": "https://attack.mitre.org/techniques/T1528/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_107.json b/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_107.json deleted file mode 100644 index d01cab0595f..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Possible Consent Grant Attack via Azure-Registered Application", "note": "## Triage and analysis\n\n### Investigating Possible Consent Grant Attack via Azure-Registered Application\n\nIn an illicit consent grant attack, the attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting that application consent to access their data either through a phishing attack, or by injecting illicit code into a trusted website. After the illicit application has been granted consent, it has account-level access to data without the need for an organizational account. Normal remediation steps like resetting passwords for breached accounts or requiring multi-factor authentication (MFA) on accounts are not effective against this type of attack, since these are third-party applications and are external to the organization.\n\nOfficial Microsoft guidance for detecting and remediating this attack can be found [here](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants).\n\n#### Possible investigation steps\n\n- From the Azure AD portal, Review the application that was granted permissions:\n - Click on the `Review permissions` button on the `Permissions` blade of the application.\n - An app should require only permissions related to the app's purpose. 
If that's not the case, the app might be risky.\n - Apps that require high privileges or admin consent are more likely to be risky.\n- Investigate the app and the publisher. The following characteristics can indicate suspicious apps:\n - A low number of downloads.\n - Low rating or score or bad comments.\n - Apps with a suspicious publisher or website.\n - Apps whose last update is not recent. This might indicate an app that is no longer supported.\n- Export and examine the [Oauth app auditing](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#oauth-app-auditing) to identify users affected.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Malicious applications abuse the same workflow used by legitimate apps. Thus, analysts must review each app consent to ensure that only desired apps are granted access.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Disable the malicious application to stop user access and the application access to your data.\n- Revoke the application Oauth consent grant. The `Remove-AzureADOAuth2PermissionGrant` cmdlet can be used to complete this task.\n- Remove the service principal application role assignment. The `Remove-AzureADServiceAppRoleAssignment` cmdlet can be used to complete this task.\n- Revoke the refresh token for all users assigned to the application. 
Azure provides a [playbook](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Revoke-AADSignInSessions) for this task.\n- [Report](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#send-feedback) the application as malicious to Microsoft.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Investigate the potential for data compromise from the user's email and file sharing services. Activate your Data Loss incident response playbook.\n- Disable the permission for a user to set consent permission on their behalf.\n - Enable the [Admin consent request](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) feature.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and\n (\n azure.activitylogs.operation_name:\"Consent to application\" or\n azure.auditlogs.operation_name:\"Consent to application\" or\n o365.audit.Operation:\"Consent to application.\"\n ) and\n event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", "https://www.cloud-architekt.net/detection-and-mitigation-consent-grant-attacks-azuread/", "https://docs.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth#how-to-detect-risky-oauth-apps"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}, {"package": "azure", "version": "^1.0.0"}, {"package": "o365", "version": "^2.0.0"}], 
"required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Operation", "type": "keyword"}], "risk_score": 47, "rule_id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Azure", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1528", "name": "Steal Application Access Token", "reference": "https://attack.mitre.org/techniques/T1528/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_109.json b/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_109.json deleted file mode 100644 index 2ea5b5173e0..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Possible Consent Grant Attack via Azure-Registered Application", "note": "## Triage and analysis\n\n### Investigating Possible Consent Grant Attack via Azure-Registered Application\n\nIn an illicit consent grant attack, the attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting that application consent to access their data either through a phishing attack, or by injecting illicit code into a trusted website. After the illicit application has been granted consent, it has account-level access to data without the need for an organizational account. Normal remediation steps like resetting passwords for breached accounts or requiring multi-factor authentication (MFA) on accounts are not effective against this type of attack, since these are third-party applications and are external to the organization.\n\nOfficial Microsoft guidance for detecting and remediating this attack can be found [here](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants).\n\n#### Possible investigation steps\n\n- From the Azure AD portal, Review the application that was granted permissions:\n - Click on the `Review permissions` button on the `Permissions` blade of the application.\n - An app should require only permissions related to the app's purpose. 
If that's not the case, the app might be risky.\n - Apps that require high privileges or admin consent are more likely to be risky.\n- Investigate the app and the publisher. The following characteristics can indicate suspicious apps:\n - A low number of downloads.\n - Low rating or score or bad comments.\n - Apps with a suspicious publisher or website.\n - Apps whose last update is not recent. This might indicate an app that is no longer supported.\n- Export and examine the [Oauth app auditing](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#oauth-app-auditing) to identify users affected.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Malicious applications abuse the same workflow used by legitimate apps. Thus, analysts must review each app consent to ensure that only desired apps are granted access.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Disable the malicious application to stop user access and the application access to your data.\n- Revoke the application Oauth consent grant. The `Remove-AzureADOAuth2PermissionGrant` cmdlet can be used to complete this task.\n- Remove the service principal application role assignment. The `Remove-AzureADServiceAppRoleAssignment` cmdlet can be used to complete this task.\n- Revoke the refresh token for all users assigned to the application. 
Azure provides a [playbook](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Revoke-AADSignInSessions) for this task.\n- [Report](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#send-feedback) the application as malicious to Microsoft.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Investigate the potential for data compromise from the user's email and file sharing services. Activate your Data Loss incident response playbook.\n- Disable the permission for a user to set consent permission on their behalf.\n - Enable the [Admin consent request](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) feature.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and\n (\n azure.activitylogs.operation_name:\"Consent to application\" or\n azure.auditlogs.operation_name:\"Consent to application\" or\n o365.audit.Operation:\"Consent to application.\"\n ) and\n event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", "https://www.cloud-architekt.net/detection-and-mitigation-consent-grant-attacks-azuread/", "https://docs.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth#how-to-detect-risky-oauth-apps"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}, {"package": "azure", "version": "^1.0.0"}, {"package": "o365", "version": "^2.0.0"}], 
"required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Operation", "type": "keyword"}], "risk_score": 47, "rule_id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Azure", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1528", "name": "Steal Application Access Token", "reference": "https://attack.mitre.org/techniques/T1528/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 109}, "id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_111.json b/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_111.json deleted file mode 100644 index 60d7a01054f..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Possible Consent Grant Attack via Azure-Registered Application", "note": "## Triage and analysis\n\n### Investigating Possible Consent Grant Attack via Azure-Registered Application\n\nIn an illicit consent grant attack, the attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting that application consent to access their data either through a phishing attack, or by injecting illicit code into a trusted website. After the illicit application has been granted consent, it has account-level access to data without the need for an organizational account. Normal remediation steps like resetting passwords for breached accounts or requiring multi-factor authentication (MFA) on accounts are not effective against this type of attack, since these are third-party applications and are external to the organization.\n\nOfficial Microsoft guidance for detecting and remediating this attack can be found [here](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants).\n\n#### Possible investigation steps\n\n- From the Azure AD portal, Review the application that was granted permissions:\n - Click on the `Review permissions` button on the `Permissions` blade of the application.\n - An app should require only permissions related to the app's purpose. 
If that's not the case, the app might be risky.\n - Apps that require high privileges or admin consent are more likely to be risky.\n- Investigate the app and the publisher. The following characteristics can indicate suspicious apps:\n - A low number of downloads.\n - Low rating or score or bad comments.\n - Apps with a suspicious publisher or website.\n - Apps whose last update is not recent. This might indicate an app that is no longer supported.\n- Export and examine the [Oauth app auditing](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#oauth-app-auditing) to identify users affected.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Malicious applications abuse the same workflow used by legitimate apps. Thus, analysts must review each app consent to ensure that only desired apps are granted access.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Disable the malicious application to stop user access and the application access to your data.\n- Revoke the application Oauth consent grant. The `Remove-AzureADOAuth2PermissionGrant` cmdlet can be used to complete this task.\n- Remove the service principal application role assignment. The `Remove-AzureADServiceAppRoleAssignment` cmdlet can be used to complete this task.\n- Revoke the refresh token for all users assigned to the application. 
Azure provides a [playbook](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Revoke-AADSignInSessions) for this task.\n- [Report](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#send-feedback) the application as malicious to Microsoft.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Investigate the potential for data compromise from the user's email and file sharing services. Activate your Data Loss incident response playbook.\n- Disable the permission for a user to set consent permission on their behalf.\n - Enable the [Admin consent request](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) feature.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and\n (\n azure.activitylogs.operation_name:\"Consent to application\" or\n azure.auditlogs.operation_name:\"Consent to application\" or\n o365.audit.Operation:\"Consent to application.\"\n ) and\n event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", "https://www.cloud-architekt.net/detection-and-mitigation-consent-grant-attacks-azuread/", "https://docs.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth#how-to-detect-risky-oauth-apps"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}, {"package": "azure", "version": "^1.0.0"}, {"package": "o365", "version": "^2.0.0"}], 
"required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Operation", "type": "keyword"}], "risk_score": 47, "rule_id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Azure", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1528", "name": "Steal Application Access Token", "reference": "https://attack.mitre.org/techniques/T1528/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 111}, "id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042.json b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042.json deleted file mode 100644 index 653c7809dfb..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Creation in /etc for Persistence", "note": "## Triage and analysis\n\n### Investigating Suspicious File Creation in /etc for Persistence\n\nThe /etc/ directory in Linux is used to store system-wide configuration files and scripts.\n\nBy creating or modifying specific system-wide configuration files, attackers can leverage system services to execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\n\nThis rule monitors for the creation of the most common system-wide configuration files and scripts abused by attackers for persistence. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n- Investigate whether any other files in any of the commonly abused directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%'\\nOR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE '/etc/systemd/system/%' OR path LIKE\\n'/usr/lib/systemd/system/%' )\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE\\n'/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%' OR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE\\n'/etc/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' )\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve 
Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Cron Job Created or Changed by Previously Unknown Process - ff10d4d8-fea7-422d-afb1-e5a2702369a9\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse 
proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.type in (\"creation\", \"file_create_event\") and user.id == \"0\" and\nfile.path : (\"/etc/ld.so.conf.d/*\", \"/etc/cron.d/*\", \"/etc/sudoers.d/*\", \"/etc/init.d/*\", \"/etc/systemd/system/*\",\n\"/usr/lib/systemd/system/*\") and not (\n (process.name : (\n \"chef-client\", \"ruby\", \"pacman\", \"packagekitd\", \"python*\", \"platform-python\", \"dpkg\", \"yum\", \"apt\", \"dnf\", \"rpm\",\n \"systemd\", \"snapd\", \"dnf-automatic\", \"yum-cron\", \"elastic-agent\", \"dnfdaemon-system\", \"dockerd\", \"executor\",\n \"rhn_check\"\n )\n ) or \n (file.extension in (\"swp\", \"swpx\", \"tmp\"))\n)\n", "references": ["https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Threat: Lightning Framework", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", 
"subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 115}, "id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_104.json b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_104.json deleted file mode 100644 index 9cbf4ac67ac..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence for long term access.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Creation in /etc for Persistence", "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and user.name == \"root\" and\nfile.path : (\"/etc/ld.so.conf.d/*\", \"/etc/cron.d/*\", \"/etc/sudoers.d/*\", \"/etc/rc.d/init.d/*\", \"/etc/systemd/system/*\")\nand not process.executable : (\"*/dpkg\", \"*/yum\", \"*/apt\", \"*/dnf\", \"*/systemd\", \"*/snapd\", \"*/dnf-automatic\",\n \"*/yum-cron\", \"*/elastic-agent\", \"*/dnfdaemon-system\")\n", "references": ["https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Orbit", "Lightning Framework", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization 
Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_105.json b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_105.json deleted file mode 100644 index 0a00946925a..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence for long term access.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Creation in /etc for Persistence", "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and user.name == \"root\" and\nfile.path : (\"/etc/ld.so.conf.d/*\", \"/etc/cron.d/*\", \"/etc/sudoers.d/*\", \"/etc/rc.d/init.d/*\", \"/etc/systemd/system/*\")\nand not process.executable : (\"*/dpkg\", \"*/yum\", \"*/apt\", \"*/dnf\", \"*/systemd\", \"*/snapd\", \"*/dnf-automatic\",\n \"*/yum-cron\", \"*/elastic-agent\", \"*/dnfdaemon-system\", \"*/bin/dockerd\", \"*/sbin/dockerd\", \"/kaniko/executor\")\n", "references": ["https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Orbit", "Lightning Framework", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, 
"technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_106.json b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_106.json
deleted file mode 100644
index 29ecf425589..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence for long term access.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Creation in /etc for Persistence", "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and user.name == \"root\" and\nfile.path : (\"/etc/ld.so.conf.d/*\", \"/etc/cron.d/*\", \"/etc/sudoers.d/*\", \"/etc/rc.d/init.d/*\", \"/etc/systemd/system/*\")\nand not process.executable : (\"*/dpkg\", \"*/yum\", \"*/apt\", \"*/dnf\", \"*/systemd\", \"*/snapd\", \"*/dnf-automatic\",\n \"*/yum-cron\", \"*/elastic-agent\", \"*/dnfdaemon-system\", \"*/bin/dockerd\", \"*/sbin/dockerd\", \"/kaniko/executor\")\n", "references": ["https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Threat: Lightning Framework", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_107.json b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_107.json
deleted file mode 100644
index 0f0e38609d0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Creation in /etc for Persistence", "query": "file where host.os.type == \"linux\" and event.type in (\"creation\", \"file_create_event\") and user.name == \"root\" and\nfile.path : (\"/etc/ld.so.conf.d/*\", \"/etc/cron.d/*\", \"/etc/sudoers.d/*\", \"/etc/rc.d/init.d/*\", \"/etc/systemd/system/*\",\n\"/usr//lib/systemd/system/*\") and not process.executable : (\"*/dpkg\", \"*/yum\", \"*/apt\", \"*/dnf\", \"*/rpm\", \"*/systemd\",\n\"*/snapd\", \"*/dnf-automatic\",\"*/yum-cron\", \"*/elastic-agent\", \"*/dnfdaemon-system\", \"*/bin/dockerd\", \"*/sbin/dockerd\",\n\"/kaniko/executor\", \"/usr/sbin/rhn_check\") and not file.extension == \"swp\"\n", "references": ["https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: 
Persistence", "Threat: Orbit", "Threat: Lightning Framework", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_108.json b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_108.json
deleted file mode 100644
index 698119c93f0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Creation in /etc for Persistence", "query": "file where host.os.type == \"linux\" and event.type in (\"creation\", \"file_create_event\") and user.name == \"root\" and\nfile.path : (\"/etc/ld.so.conf.d/*\", \"/etc/cron.d/*\", \"/etc/sudoers.d/*\", \"/etc/rc.d/init.d/*\", \"/etc/systemd/system/*\",\n\"/usr/lib/systemd/system/*\") and not process.executable : (\"*/dpkg\", \"*/yum\", \"*/apt\", \"*/dnf\", \"*/rpm\", \"*/systemd\",\n\"*/snapd\", \"*/dnf-automatic\",\"*/yum-cron\", \"*/elastic-agent\", \"*/dnfdaemon-system\", \"*/bin/dockerd\", \"*/sbin/dockerd\",\n\"/kaniko/executor\", \"/usr/sbin/rhn_check\") and not file.extension in (\"swp\", \"swpx\", \"tmp\")\n", "references": ["https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat 
Detection", "Tactic: Persistence", "Threat: Orbit", "Threat: Lightning Framework", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042_108", "type": "security-rule"} \ 
No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_109.json b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_109.json
deleted file mode 100644
index 6c78b650f49..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Creation in /etc for Persistence", "query": "file where host.os.type == \"linux\" and event.type in (\"creation\", \"file_create_event\") and user.name == \"root\" and\nfile.path : (\"/etc/ld.so.conf.d/*\", \"/etc/cron.d/*\", \"/etc/sudoers.d/*\", \"/etc/rc.d/init.d/*\", \"/etc/systemd/system/*\",\n\"/usr/lib/systemd/system/*\") and not process.executable : (\"*/dpkg\", \"*/yum\", \"*/apt\", \"*/dnf\", \"*/rpm\", \"*/systemd\",\n\"*/snapd\", \"*/dnf-automatic\",\"*/yum-cron\", \"*/elastic-agent\", \"*/dnfdaemon-system\", \"*/bin/dockerd\", \"*/sbin/dockerd\",\n\"/kaniko/executor\", \"/usr/sbin/rhn_check\") and not file.extension in (\"swp\", \"swpx\", \"tmp\")\n", "references": ["https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend 
Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Threat: Lightning Framework", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": 
"T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_110.json b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_110.json
deleted file mode 100644
index 9755ac5b898..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Creation in /etc for Persistence", "query": "file where host.os.type == \"linux\" and event.type in (\"creation\", \"file_create_event\") and user.name == \"root\" and\nfile.path : (\"/etc/ld.so.conf.d/*\", \"/etc/cron.d/*\", \"/etc/sudoers.d/*\", \"/etc/rc.d/init.d/*\", \"/etc/systemd/system/*\",\n\"/usr/lib/systemd/system/*\") and not process.executable : (\"*/dpkg\", \"*/yum\", \"*/apt\", \"*/dnf\", \"*/rpm\", \"*/systemd\",\n\"*/snapd\", \"*/dnf-automatic\",\"*/yum-cron\", \"*/elastic-agent\", \"*/dnfdaemon-system\", \"*/bin/dockerd\", \"*/sbin/dockerd\",\n\"/kaniko/executor\", \"/usr/sbin/rhn_check\") and not file.extension in (\"swp\", \"swpx\", \"tmp\")\n", "references": ["https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend 
Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Threat: Lightning Framework", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", 
"subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_111.json b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_111.json
deleted file mode 100644
index 2114e0ac382..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Creation in /etc for Persistence", "note": "## Triage and analysis\n\n### Investigating Suspicious File Creation in /etc for Persistence\n\nThe /etc/ directory in Linux is used to store system-wide configuration files and scripts.\n\nBy creating or modifying specific system-wide configuration files, attackers can leverage system services to execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\n\nThis rule monitors for the creation of the most common system-wide configuration files and scripts abused by attackers for persistence. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n- Investigate whether any other files in any of the commonly abused directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\n path LIKE '/etc/ld.so.conf.d/%' OR\\n path LIKE '/etc/cron.d/%' OR\\n path LIKE '/etc/sudoers.d/%' OR\\n path LIKE '/etc/rc%.d/%' OR\\n path LIKE '/etc/init.d/%' OR\\n path LIKE '/etc/systemd/system/%' OR\\n path LIKE '/usr/lib/systemd/system/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\n path LIKE '/etc/ld.so.conf.d/%' OR\\n path LIKE '/etc/cron.d/%' OR\\n path LIKE '/etc/sudoers.d/%' OR\\n path LIKE '/etc/rc%.d/%' OR\\n path LIKE '/etc/init.d/%' OR\\n path LIKE '/etc/systemd/system/%' OR\\n path LIKE '/usr/lib/systemd/system/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve 
Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Cron Job Created or Changed by Previously Unknown Process - ff10d4d8-fea7-422d-afb1-e5a2702369a9\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse 
proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.type in (\"creation\", \"file_create_event\") and user.name == \"root\" and\nfile.path : (\"/etc/ld.so.conf.d/*\", \"/etc/cron.d/*\", \"/etc/sudoers.d/*\", \"/etc/rc.d/init.d/*\", \"/etc/systemd/system/*\",\n\"/usr/lib/systemd/system/*\") and not process.executable : (\"*/dpkg\", \"*/yum\", \"*/apt\", \"*/dnf\", \"*/rpm\", \"*/systemd\",\n\"*/snapd\", \"*/dnf-automatic\",\"*/yum-cron\", \"*/elastic-agent\", \"*/dnfdaemon-system\", \"*/bin/dockerd\", \"*/sbin/dockerd\",\n\"/kaniko/executor\", \"/usr/sbin/rhn_check\") and not file.extension in (\"swp\", \"swpx\", \"tmp\")\n", "references": ["https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, 
{"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Threat: Lightning Framework", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", 
"subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_112.json b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_112.json
deleted file mode 100644
index 211b9f03f20..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_112.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Creation in /etc for Persistence", "note": "## Triage and analysis\n\n### Investigating Suspicious File Creation in /etc for Persistence\n\nThe /etc/ directory in Linux is used to store system-wide configuration files and scripts.\n\nBy creating or modifying specific system-wide configuration files, attackers can leverage system services to execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\n\nThis rule monitors for the creation of the most common system-wide configuration files and scripts abused by attackers for persistence. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n- Investigate whether any other files in any of the commonly abused directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\n path LIKE '/etc/ld.so.conf.d/%' OR\\n path LIKE '/etc/cron.d/%' OR\\n path LIKE '/etc/sudoers.d/%' OR\\n path LIKE '/etc/rc%.d/%' OR\\n path LIKE '/etc/init.d/%' OR\\n path LIKE '/etc/systemd/system/%' OR\\n path LIKE '/usr/lib/systemd/system/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\n path LIKE '/etc/ld.so.conf.d/%' OR\\n path LIKE '/etc/cron.d/%' OR\\n path LIKE '/etc/sudoers.d/%' OR\\n path LIKE '/etc/rc%.d/%' OR\\n path LIKE '/etc/init.d/%' OR\\n path LIKE '/etc/systemd/system/%' OR\\n path LIKE '/usr/lib/systemd/system/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve 
Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Cron Job Created or Changed by Previously Unknown Process - ff10d4d8-fea7-422d-afb1-e5a2702369a9\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse 
proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.type in (\"creation\", \"file_create_event\") and user.id == \"0\" and\nfile.path : (\"/etc/ld.so.conf.d/*\", \"/etc/cron.d/*\", \"/etc/sudoers.d/*\", \"/etc/rc.d/init.d/*\", \"/etc/systemd/system/*\",\n\"/usr/lib/systemd/system/*\") and not (\n (process.executable : (\n \"*/dpkg\", \"*/yum\", \"*/apt\", \"*/dnf\", \"*/rpm\", \"*/systemd\", \"*/snapd\",\n \"*/dnf-automatic\",\"*/yum-cron\", \"*/elastic-agent\", \"*/dnfdaemon-system\",\n \"*/bin/dockerd\", \"*/sbin/dockerd\", \"/kaniko/executor\", \"/usr/sbin/rhn_check\"\n )\n ) or \n (file.extension in (\"swp\", \"swpx\", \"tmp\")) or\n (process.name : (\"chef-client\", \"ruby\", \"pacman\", \"packagekitd\", \"python*\", \"platform-python\"))\n)\n", "references": ["https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": 
"keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Threat: Lightning Framework", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", 
"subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_113.json b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_113.json
deleted file mode 100644
index 6bd1ca0cdf1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_113.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Creation in /etc for Persistence", "note": "## Triage and analysis\n\n### Investigating Suspicious File Creation in /etc for Persistence\n\nThe /etc/ directory in Linux is used to store system-wide configuration files and scripts.\n\nBy creating or modifying specific system-wide configuration files, attackers can leverage system services to execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\n\nThis rule monitors for the creation of the most common system-wide configuration files and scripts abused by attackers for persistence. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n- Investigate whether any other files in any of the commonly abused directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\n path LIKE '/etc/ld.so.conf.d/%' OR\\n path LIKE '/etc/cron.d/%' OR\\n path LIKE '/etc/sudoers.d/%' OR\\n path LIKE '/etc/rc%.d/%' OR\\n path LIKE '/etc/init.d/%' OR\\n path LIKE '/etc/systemd/system/%' OR\\n path LIKE '/usr/lib/systemd/system/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\n path LIKE '/etc/ld.so.conf.d/%' OR\\n path LIKE '/etc/cron.d/%' OR\\n path LIKE '/etc/sudoers.d/%' OR\\n path LIKE '/etc/rc%.d/%' OR\\n path LIKE '/etc/init.d/%' OR\\n path LIKE '/etc/systemd/system/%' OR\\n path LIKE '/usr/lib/systemd/system/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve 
Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Cron Job Created or Changed by Previously Unknown Process - ff10d4d8-fea7-422d-afb1-e5a2702369a9\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse 
proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.type in (\"creation\", \"file_create_event\") and user.id == \"0\" and\nfile.path : (\"/etc/ld.so.conf.d/*\", \"/etc/cron.d/*\", \"/etc/sudoers.d/*\", \"/etc/rc.d/init.d/*\", \"/etc/systemd/system/*\",\n\"/usr/lib/systemd/system/*\") and not (\n (process.name : (\n \"chef-client\", \"ruby\", \"pacman\", \"packagekitd\", \"python*\", \"platform-python\", \"dpkg\", \"yum\", \"apt\", \"dnf\", \"rpm\",\n \"systemd\", \"snapd\", \"dnf-automatic\", \"yum-cron\", \"elastic-agent\", \"dnfdaemon-system\", \"dockerd\", \"executor\",\n \"rhn_check\"\n )\n ) or \n (file.extension in (\"swp\", \"swpx\", \"tmp\"))\n)\n", "references": ["https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Threat: Lightning Framework", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", 
"subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042_113", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_114.json b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_114.json deleted file mode 100644 index 9fe01ad622e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_114.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Creation in /etc for Persistence", "note": "## Triage and analysis\n\n### Investigating Suspicious File Creation in /etc for Persistence\n\nThe /etc/ directory in Linux is used to store system-wide configuration files and scripts.\n\nBy creating or modifying specific system-wide configuration files, attackers can leverage system services to execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\n\nThis rule monitors for the creation of the most common system-wide configuration files and scripts abused by attackers for persistence. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n- Investigate whether any other files in any of the commonly abused directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%'\\nOR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE '/etc/systemd/system/%' OR path LIKE\\n'/usr/lib/systemd/system/%' )\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE\\n'/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%' OR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE\\n'/etc/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' )\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve 
Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Cron Job Created or Changed by Previously Unknown Process - ff10d4d8-fea7-422d-afb1-e5a2702369a9\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse 
proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.type in (\"creation\", \"file_create_event\") and user.id == \"0\" and\nfile.path : (\"/etc/ld.so.conf.d/*\", \"/etc/cron.d/*\", \"/etc/sudoers.d/*\", \"/etc/rc.d/init.d/*\", \"/etc/systemd/system/*\",\n\"/usr/lib/systemd/system/*\") and not (\n (process.name : (\n \"chef-client\", \"ruby\", \"pacman\", \"packagekitd\", \"python*\", \"platform-python\", \"dpkg\", \"yum\", \"apt\", \"dnf\", \"rpm\",\n \"systemd\", \"snapd\", \"dnf-automatic\", \"yum-cron\", \"elastic-agent\", \"dnfdaemon-system\", \"dockerd\", \"executor\",\n \"rhn_check\"\n )\n ) or \n (file.extension in (\"swp\", \"swpx\", \"tmp\"))\n)\n", "references": ["https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Threat: Lightning Framework", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", 
"subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 114}, "id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042_114", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_115.json b/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_115.json deleted file mode 100644 index 074f35697f4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1c84dd64-7e6c-4bad-ac73-a5014ee37042_115.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the manual creation of files in specific etc directories, via user root, used by Linux malware to persist and elevate privileges on compromised systems. File creation in these directories should not be entirely common and could indicate a malicious binary or script installing persistence mechanisms for long term access.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Creation in /etc for Persistence", "note": "## Triage and analysis\n\n### Investigating Suspicious File Creation in /etc for Persistence\n\nThe /etc/ directory in Linux is used to store system-wide configuration files and scripts.\n\nBy creating or modifying specific system-wide configuration files, attackers can leverage system services to execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\n\nThis rule monitors for the creation of the most common system-wide configuration files and scripts abused by attackers for persistence. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n- Investigate whether any other files in any of the commonly abused directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%'\\nOR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE '/etc/systemd/system/%' OR path LIKE\\n'/usr/lib/systemd/system/%' )\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE\\n'/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%' OR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE\\n'/etc/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' )\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve 
Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Cron Job Created or Changed by Previously Unknown Process - ff10d4d8-fea7-422d-afb1-e5a2702369a9\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse 
proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.type in (\"creation\", \"file_create_event\") and user.id == \"0\" and\nfile.path : (\"/etc/ld.so.conf.d/*\", \"/etc/cron.d/*\", \"/etc/sudoers.d/*\", \"/etc/init.d/*\", \"/etc/systemd/system/*\",\n\"/usr/lib/systemd/system/*\") and not (\n (process.name : (\n \"chef-client\", \"ruby\", \"pacman\", \"packagekitd\", \"python*\", \"platform-python\", \"dpkg\", \"yum\", \"apt\", \"dnf\", \"rpm\",\n \"systemd\", \"snapd\", \"dnf-automatic\", \"yum-cron\", \"elastic-agent\", \"dnfdaemon-system\", \"dockerd\", \"executor\",\n \"rhn_check\"\n )\n ) or \n (file.extension in (\"swp\", \"swpx\", \"tmp\"))\n)\n", "references": ["https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/", "https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Threat: Lightning Framework", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", 
"subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 115}, "id": "1c84dd64-7e6c-4bad-ac73-a5014ee37042_115", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1c966416-60c1-436b-bfd0-e002fddbfd89.json b/packages/security_detection_engine/kibana/security_rule/1c966416-60c1-436b-bfd0-e002fddbfd89.json
deleted file mode 100644
index 0b9aca0cb13..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1c966416-60c1-436b-bfd0-e002fddbfd89.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles.", "from": "now-20m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Kubernetes Rolebindings Created", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\n\t(\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE\" or\n\t \"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE\") and\nevent.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "1c966416-60c1-436b-bfd0-e002fddbfd89", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": []}], 
"timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "1c966416-60c1-436b-bfd0-e002fddbfd89", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1c966416-60c1-436b-bfd0-e002fddbfd89_101.json b/packages/security_detection_engine/kibana/security_rule/1c966416-60c1-436b-bfd0-e002fddbfd89_101.json
deleted file mode 100644
index ade31e00772..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1c966416-60c1-436b-bfd0-e002fddbfd89_101.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges roles.", "from": "now-20m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Kubernetes Rolebindings Created", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\n\t(\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE\" or\n\t \"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE\") and\nevent.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "1c966416-60c1-436b-bfd0-e002fddbfd89", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": []}], "timestamp_override": 
"event.ingested", "type": "query", "version": 101}, "id": "1c966416-60c1-436b-bfd0-e002fddbfd89_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1ca62f14-4787-4913-b7af-df11745a49da.json b/packages/security_detection_engine/kibana/security_rule/1ca62f14-4787-4913-b7af-df11745a49da.json
deleted file mode 100644
index fef80ab4212..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1ca62f14-4787-4913-b7af-df11745a49da.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects when a new GitHub App has been installed in your organization account. GitHub Apps extend GitHub's functionality both within and outside of GitHub. When an app is installed it is granted permissions to read or modify your repository and organization data. Only trusted apps should be installed and any newly installed apps should be investigated to verify their legitimacy. Unauthorized app installation could lower your organization's security posture and leave you exposed for future attacks.", "from": "now-9m", "index": ["logs-github.audit-*"], "language": "eql", "license": "Elastic License v2", "name": "New GitHub App Installed", "query": "configuration where event.dataset == \"github.audit\" and event.action == \"integration_installation.create\"\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "1ca62f14-4787-4913-b7af-df11745a49da", "severity": "medium", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1072", "name": "Software Deployment Tools", "reference": "https://attack.mitre.org/techniques/T1072/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "1ca62f14-4787-4913-b7af-df11745a49da", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1ca62f14-4787-4913-b7af-df11745a49da_1.json b/packages/security_detection_engine/kibana/security_rule/1ca62f14-4787-4913-b7af-df11745a49da_1.json
deleted file mode 100644
index c82582571fe..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1ca62f14-4787-4913-b7af-df11745a49da_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects when a new GitHub App has been installed in your organization account. GitHub Apps extend GitHub's functionality both within and outside of GitHub. When an app is installed it is granted permissions to read or modify your repository and organization data. Only trusted apps should be installed and any newly installed apps should be investigated to verify their legitimacy. Unauthorized app installation could lower your organization's security posture and leave you exposed for future attacks.", "from": "now-9m", "index": ["logs-github.audit-*"], "language": "eql", "license": "Elastic License v2", "name": "New GitHub App Installed", "query": "configuration where event.dataset == \"github.audit\" and event.action == \"integration_installation.create\"\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "1ca62f14-4787-4913-b7af-df11745a49da", "severity": "medium", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1072", "name": "Software Deployment Tools", "reference": "https://attack.mitre.org/techniques/T1072/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "1ca62f14-4787-4913-b7af-df11745a49da_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1ca62f14-4787-4913-b7af-df11745a49da_103.json b/packages/security_detection_engine/kibana/security_rule/1ca62f14-4787-4913-b7af-df11745a49da_103.json
new file mode 100644
index 00000000000..a95f46ccb74
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/1ca62f14-4787-4913-b7af-df11745a49da_103.json
@@ -0,0 +1,65 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule detects when a new GitHub App has been installed in your organization account. GitHub Apps extend GitHub's functionality both within and outside of GitHub. When an app is installed it is granted permissions to read or modify your repository and organization data. Only trusted apps should be installed and any newly installed apps should be investigated to verify their legitimacy. Unauthorized app installation could lower your organization's security posture and leave you exposed for future attacks.",
+ "from": "now-9m",
+ "index": [
+ "logs-github.audit-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "New GitHub App Installed",
+ "query": "configuration where event.dataset == \"github.audit\" and event.action == \"integration_installation.create\"\n",
+ "related_integrations": [
+ {
+ "package": "github",
+ "version": "^2.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "1ca62f14-4787-4913-b7af-df11745a49da",
+ "severity": "medium",
+ "tags": [
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Data Source: Github"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1072",
+ "name": "Software Deployment Tools",
+ "reference": "https://attack.mitre.org/techniques/T1072/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 103
+ },
+ "id": "1ca62f14-4787-4913-b7af-df11745a49da_103",
+ "type": "security-rule"
+}
\ No newline at end of file
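Review bot: The added `_103` revision of "New GitHub App Installed" carries no `note` investigation guide and no `false_positives` entry, even though its own `description` says every newly installed app should be investigated, and sibling rules in this same package ship both (the /etc persistence rule above has a full triage guide under `note`; the WinRM rule below lists a `false_positives` baseline). A short `"note"` describing what to confirm on an alert — who installed the app, which organization or repositories it was granted access to, and the permissions it requested — would make this medium-severity alert actionable for an analyst, and a `"false_positives"` entry such as `"GitHub App installations by platform or security administrators are expected; baseline approved apps and exclude them by the installing actor."` would document the expected noise. The only substantive difference from the deleted `_1` revision visible above is `related_integrations` moving from `^1.0.0` to `^2.0.0`; since that changes the integration version the rule is validated against, the package changelog entry for this update should call it out if it does not already.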
diff --git a/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab.json b/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab.json
deleted file mode 100644
index dcb8aebfccd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.", "false_positives": ["WinRM is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming Execution via WinRM Remote Shell", "query": "sequence by host.id with maxspan=30s\n [network where host.os.type == \"windows\" and process.pid == 4 and network.direction : (\"incoming\", \"ingress\") and\n destination.port in (5985, 5986) and network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"winrshost.exe\" and not process.executable : \"?:\\\\Windows\\\\System32\\\\conhost.exe\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab", "severity": "medium", "tags": 
["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}], "type": "eql", "version": 108}, "id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_103.json b/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_103.json
deleted file mode 100644
index 2d341d83465..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.", "false_positives": ["WinRM is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming Execution via WinRM Remote Shell", "query": "sequence by host.id with maxspan=30s\n [network where host.os.type == \"windows\" and process.pid == 4 and network.direction : (\"incoming\", \"ingress\") and\n destination.port in (5985, 5986) and network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"winrshost.exe\" and not process.name : \"conhost.exe\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}], "type": "eql", "version": 103}, "id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_104.json b/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_104.json
deleted file mode 100644
index 0e5756785c6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.", "false_positives": ["WinRM is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming Execution via WinRM Remote Shell", "query": "sequence by host.id with maxspan=30s\n [network where host.os.type == \"windows\" and process.pid == 4 and network.direction : (\"incoming\", \"ingress\") and\n destination.port in (5985, 5986) and network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"winrshost.exe\" and not process.name : \"conhost.exe\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}], "type": "eql", "version": 104}, "id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_105.json b/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_105.json deleted file mode 100644 index f79301a67c6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.", "false_positives": ["WinRM is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming Execution via WinRM Remote Shell", "query": "sequence by host.id with maxspan=30s\n [network where host.os.type == \"windows\" and process.pid == 4 and network.direction : (\"incoming\", \"ingress\") and\n destination.port in (5985, 5986) and network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"winrshost.exe\" and not process.executable : \"?:\\\\Windows\\\\System32\\\\conhost.exe\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", 
"Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}], "type": "eql", "version": 105}, "id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_106.json b/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_106.json deleted file mode 100644 index 4906062f81d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.", "false_positives": ["WinRM is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming Execution via WinRM Remote Shell", "query": "sequence by host.id with maxspan=30s\n [network where host.os.type == \"windows\" and process.pid == 4 and network.direction : (\"incoming\", \"ingress\") and\n destination.port in (5985, 5986) and network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"winrshost.exe\" and not process.executable : \"?:\\\\Windows\\\\System32\\\\conhost.exe\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", 
"Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}], "type": "eql", "version": 106}, "id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_107.json b/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_107.json deleted file mode 100644 index 1ed3a64d856..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.", "false_positives": ["WinRM is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming Execution via WinRM Remote Shell", "query": "sequence by host.id with maxspan=30s\n [network where host.os.type == \"windows\" and process.pid == 4 and network.direction : (\"incoming\", \"ingress\") and\n destination.port in (5985, 5986) and network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"winrshost.exe\" and not process.executable : \"?:\\\\Windows\\\\System32\\\\conhost.exe\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: 
Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}], "type": "eql", "version": 107}, "id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_108.json b/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_108.json deleted file mode 100644 index d75aace6a09..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1cd01db9-be24-4bef-8e7c-e923f0ff78ab_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote execution via Windows Remote Management (WinRM) remote shell on a target host. This could be an indication of lateral movement.", "false_positives": ["WinRM is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming Execution via WinRM Remote Shell", "query": "sequence by host.id with maxspan=30s\n [network where host.os.type == \"windows\" and process.pid == 4 and network.direction : (\"incoming\", \"ingress\") and\n destination.port in (5985, 5986) and network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"winrshost.exe\" and not process.executable : \"?:\\\\Windows\\\\System32\\\\conhost.exe\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab", "severity": "medium", "tags": 
["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}], "type": "eql", "version": 108}, "id": "1cd01db9-be24-4bef-8e7c-e923f0ff78ab_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd.json b/packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd.json deleted file mode 100644 index 745029b8f7c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP).", "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "15m", "language": "kuery", "license": "Elastic License v2", "name": "Okta Sign-In Events via Third-Party IdP", "note": "## Triage and analysis\n\n### Investigating Okta Sign-In Events via Third-Party IdP\n\nThis rule detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP).\n\nAdversaries may attempt to add an unauthorized IdP to an Okta tenant to gain access to the tenant. Following this action, adversaries may attempt to sign in to the tenant using the unauthorized IdP. This rule detects both the addition of an unauthorized IdP and the subsequent sign-in attempt.\n\n#### Possible investigation steps:\n- Identify the third-party IdP by examining the `okta.authentication_context.issuer.id` field.\n- Once the third-party IdP is identified, determine if this IdP is authorized to be used by the tenant.\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\n- Identify the actor associated with the IdP creation by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields in historical data.\n - The `New Okta Identity Provider (IdP) Added by Admin` rule may be helpful in identifying the actor and the IdP creation event.\n- Determine the client used by the actor. 
Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- It might be a false positive if this IdP is authorized to be used by the tenant.\n- This may be a false positive if an authorized third-party IdP is used to sign in to the tenant but failures occurred due to an incorrect configuration.\n\n### Response and remediation:\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\n- Reset the effected user's password and enforce MFA re-enrollment, if applicable.\n- Mobile device forensics may be required to determine if the user's device is compromised.\n- If the IdP is authorized, ensure that the actor who created it is authorized to do so.\n- If the actor is unauthorized, deactivate their account via the Okta console.\n- If the actor is authorized, ensure that the actor's account is not compromised.\n\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- If the deactivated IdP was crucial to the organization, consider adding a new IdP and removing the unauthorized IdP.", "query": "event.dataset:okta.system and 
okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and\n (not okta.authentication_context.issuer.id:Okta and event.action:(user.authentication.auth_via_IDP\n or user.authentication.auth_via_inbound_SAML\n or user.authentication.auth_via_mfa\n or user.authentication.auth_via_social)\n or event.action:user.session.start) or\n (event.action:user.authentication.auth_via_IDP and okta.outcome.result:FAILURE\n and okta.outcome.reason:(\"A SAML assert with the same ID has already been processed by Okta for a previous request\"\n or \"Unable to match transformed username\"\n or \"Unable to resolve IdP endpoint\"\n or \"Unable to validate SAML Response\"\n or \"Unable to validate incoming SAML Assertion\"))\n", "references": ["https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://unit42.paloaltonetworks.com/muddled-libra/"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.authentication_context.issuer.id", "type": "keyword"}, {"ecs": false, "name": "okta.debug_context.debug_data.request_uri", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.reason", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.result", "type": "keyword"}], "risk_score": 47, "rule_id": "1ceb05c4-7d25-11ee-9562-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: Initial Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", 
"reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1199", "name": "Trusted Relationship", "reference": "https://attack.mitre.org/techniques/T1199/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "1ceb05c4-7d25-11ee-9562-f661ea17fbcd", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd_1.json b/packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd_1.json deleted file mode 100644 index c8fe149dd0a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP).", "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "15m", "language": "kuery", "license": "Elastic License v2", "name": "Okta Sign-In Events via Third-Party IdP", "note": "## Triage and analysis\n\n### Investigating Okta Sign-In Events via Third-Party IdP\n\nThis rule detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP).\n\nAdversaries may attempt to add an unauthorized IdP to an Okta tenant to gain access to the tenant. Following this action, adversaries may attempt to sign in to the tenant using the unauthorized IdP. This rule detects both the addition of an unauthorized IdP and the subsequent sign-in attempt.\n\n#### Possible investigation steps:\n- Identify the third-party IdP by examining the `okta.authentication_context.issuer.id` field.\n- Once the third-party IdP is identified, determine if this IdP is authorized to be used by the tenant.\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\n- Identify the actor associated with the IdP creation by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields in historical data.\n - The `New Okta Identity Provider (IdP) Added by Admin` rule may be helpful in identifying the actor and the IdP creation event.\n- Determine the client used by the actor. 
Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- It might be a false positive if this IdP is authorized to be used by the tenant.\n- This may be a false positive if an authorized third-party IdP is used to sign in to the tenant but failures occurred due to an incorrect configuration.\n\n### Response and remediation:\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\n- Reset the effected user's password and enforce MFA re-enrollment, if applicable.\n- Mobile device forensics may be required to determine if the user's device is compromised.\n- If the IdP is authorized, ensure that the actor who created it is authorized to do so.\n- If the actor is unauthorized, deactivate their account via the Okta console.\n- If the actor is authorized, ensure that the actor's account is not compromised.\n\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- If the deactivated IdP was crucial to the organization, consider adding a new IdP and removing the unauthorized IdP.", "query": "event.dataset:okta.system and 
okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and\n (not okta.authentication_context.issuer.id:Okta and event.action:(user.authentication.auth_via_IDP\n or user.authentication.auth_via_inbound_SAML\n or user.authentication.auth_via_mfa\n or user.authentication.auth_via_social)\n or event.action:user.session.start) or\n (event.action:user.authentication.auth_via_IDP and okta.outcome.result:FAILURE\n and okta.outcome.reason:(\"A SAML assert with the same ID has already been processed by Okta for a previous request\"\n or \"Unable to match transformed username\"\n or \"Unable to resolve IdP endpoint\"\n or \"Unable to validate SAML Response\"\n or \"Unable to validate incoming SAML Assertion\"))\n", "references": ["https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://unit42.paloaltonetworks.com/muddled-libra/"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.authentication_context.issuer.id", "type": "unknown"}, {"ecs": false, "name": "okta.debug_context.debug_data.request_uri", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.reason", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.result", "type": "keyword"}], "risk_score": 47, "rule_id": "1ceb05c4-7d25-11ee-9562-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: Initial Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", 
"reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1199", "name": "Trusted Relationship", "reference": "https://attack.mitre.org/techniques/T1199/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "1ceb05c4-7d25-11ee-9562-f661ea17fbcd_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd_105.json b/packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd_105.json new file mode 100644 index 00000000000..e5fc74dd471 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd_105.json 
@@ -0,0 +1,96 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP).", + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "interval": "15m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Okta Sign-In Events via Third-Party IdP", + "note": "## Triage and analysis\n\n### Investigating Okta Sign-In Events via Third-Party IdP\n\nThis rule detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP).\n\nAdversaries may attempt to add an unauthorized IdP to an Okta tenant to gain access to the tenant. Following this action, adversaries may attempt to sign in to the tenant using the unauthorized IdP. This rule detects both the addition of an unauthorized IdP and the subsequent sign-in attempt.\n\n#### Possible investigation steps:\n- Identify the third-party IdP by examining the `okta.authentication_context.issuer.id` field.\n- Once the third-party IdP is identified, determine if this IdP is authorized to be used by the tenant.\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\n- Identify the actor associated with the IdP creation by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields in historical data.\n - The `New Okta Identity Provider (IdP) Added by Admin` rule may be helpful in identifying the actor and the IdP creation event.\n- Determine the client used by the actor. 
Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- It might be a false positive if this IdP is authorized to be used by the tenant.\n- This may be a false positive if an authorized third-party IdP is used to sign in to the tenant but failures occurred due to an incorrect configuration.\n\n### Response and remediation:\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\n- Reset the effected user's password and enforce MFA re-enrollment, if applicable.\n- Mobile device forensics may be required to determine if the user's device is compromised.\n- If the IdP is authorized, ensure that the actor who created it is authorized to do so.\n- If the actor is unauthorized, deactivate their account via the Okta console.\n- If the actor is authorized, ensure that the actor's account is not compromised.\n\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- If the deactivated IdP was crucial to the organization, consider adding a new IdP and removing the unauthorized IdP.", + "query": "event.dataset:okta.system and 
okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and\n (not okta.authentication_context.issuer.id:Okta and event.action:(user.authentication.auth_via_IDP\n or user.authentication.auth_via_inbound_SAML\n or user.authentication.auth_via_mfa\n or user.authentication.auth_via_social)\n or event.action:user.session.start) or\n (event.action:user.authentication.auth_via_IDP and okta.outcome.result:FAILURE\n and okta.outcome.reason:(\"A SAML assert with the same ID has already been processed by Okta for a previous request\"\n or \"Unable to match transformed username\"\n or \"Unable to resolve IdP endpoint\"\n or \"Unable to validate SAML Response\"\n or \"Unable to validate incoming SAML Assertion\"))\n", + "references": [ + "https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://unit42.paloaltonetworks.com/muddled-libra/", + "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", + "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.authentication_context.issuer.id", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.debug_context.debug_data.request_uri", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.outcome.reason", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.outcome.result", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "1ceb05c4-7d25-11ee-9562-f661ea17fbcd", + "setup": "The Okta Fleet integration, Filebeat module, or 
similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Use Case: Identity and Access Audit", + "Tactic: Initial Access", + "Data Source: Okta" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1199", + "name": "Trusted Relationship", + "reference": "https://attack.mitre.org/techniques/T1199/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 105 + }, + "id": "1ceb05c4-7d25-11ee-9562-f661ea17fbcd_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd_2.json b/packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd_2.json deleted file mode 100644 index d5c292cf811..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd_2.json +++ /dev/null 
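Review bot: The `note` in this new rule version still claims it "detects both the addition of an unauthorized IdP and the subsequent sign-in attempt", but the `query` only matches callback/sign-in events (`auth_via_IDP`, `auth_via_inbound_SAML`, `auth_via_mfa`, `auth_via_social`, `user.session.start`) plus the listed `auth_via_IDP` failure reasons; the IdP creation itself is left to the separately named `New Okta Identity Provider (IdP) Added by Admin` rule, so that sentence should read `This rule detects the sign-in attempt; the IdP addition is covered by the New Okta Identity Provider (IdP) Added by Admin rule.` Separately, since KQL `and` binds tighter than `or`, the trailing failure branch (`event.action:user.authentication.auth_via_IDP and okta.outcome.result:FAILURE and okta.outcome.reason:(...)`) is not scoped by `event.dataset:okta.system` or the `/oauth2/v1/authorize/callback` request URI, which matters with the broad `filebeat-*` index pattern; if that is unintended, wrap everything after `event.dataset:okta.system and` in one outer pair of parentheses, and if it is intended, say so in the note. While editing the note, `effected user's password` should be `affected user's password`.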
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP).", "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "15m", "language": "kuery", "license": "Elastic License v2", "name": "Okta Sign-In Events via Third-Party IdP", "note": "## Triage and analysis\n\n### Investigating Okta Sign-In Events via Third-Party IdP\n\nThis rule detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP).\n\nAdversaries may attempt to add an unauthorized IdP to an Okta tenant to gain access to the tenant. Following this action, adversaries may attempt to sign in to the tenant using the unauthorized IdP. This rule detects both the addition of an unauthorized IdP and the subsequent sign-in attempt.\n\n#### Possible investigation steps:\n- Identify the third-party IdP by examining the `okta.authentication_context.issuer.id` field.\n- Once the third-party IdP is identified, determine if this IdP is authorized to be used by the tenant.\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\n- Identify the actor associated with the IdP creation by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields in historical data.\n - The `New Okta Identity Provider (IdP) Added by Admin` rule may be helpful in identifying the actor and the IdP creation event.\n- Determine the client used by the actor. 
Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- It might be a false positive if this IdP is authorized to be used by the tenant.\n- This may be a false positive if an authorized third-party IdP is used to sign in to the tenant but failures occurred due to an incorrect configuration.\n\n### Response and remediation:\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\n- Reset the effected user's password and enforce MFA re-enrollment, if applicable.\n- Mobile device forensics may be required to determine if the user's device is compromised.\n- If the IdP is authorized, ensure that the actor who created it is authorized to do so.\n- If the actor is unauthorized, deactivate their account via the Okta console.\n- If the actor is authorized, ensure that the actor's account is not compromised.\n\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- If the deactivated IdP was crucial to the organization, consider adding a new IdP and removing the unauthorized IdP.", "query": "event.dataset:okta.system and 
okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and\n (not okta.authentication_context.issuer.id:Okta and event.action:(user.authentication.auth_via_IDP\n or user.authentication.auth_via_inbound_SAML\n or user.authentication.auth_via_mfa\n or user.authentication.auth_via_social)\n or event.action:user.session.start) or\n (event.action:user.authentication.auth_via_IDP and okta.outcome.result:FAILURE\n and okta.outcome.reason:(\"A SAML assert with the same ID has already been processed by Okta for a previous request\"\n or \"Unable to match transformed username\"\n or \"Unable to resolve IdP endpoint\"\n or \"Unable to validate SAML Response\"\n or \"Unable to validate incoming SAML Assertion\"))\n", "references": ["https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://unit42.paloaltonetworks.com/muddled-libra/"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.authentication_context.issuer.id", "type": "keyword"}, {"ecs": false, "name": "okta.debug_context.debug_data.request_uri", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.reason", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.result", "type": "keyword"}], "risk_score": 47, "rule_id": "1ceb05c4-7d25-11ee-9562-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: Initial Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", 
"reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1199", "name": "Trusted Relationship", "reference": "https://attack.mitre.org/techniques/T1199/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "1ceb05c4-7d25-11ee-9562-f661ea17fbcd_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd_3.json b/packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd_3.json deleted file mode 100644 index 2bec05943e2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP).", "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "15m", "language": "kuery", "license": "Elastic License v2", "name": "Okta Sign-In Events via Third-Party IdP", "note": "## Triage and analysis\n\n### Investigating Okta Sign-In Events via Third-Party IdP\n\nThis rule detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP).\n\nAdversaries may attempt to add an unauthorized IdP to an Okta tenant to gain access to the tenant. Following this action, adversaries may attempt to sign in to the tenant using the unauthorized IdP. This rule detects both the addition of an unauthorized IdP and the subsequent sign-in attempt.\n\n#### Possible investigation steps:\n- Identify the third-party IdP by examining the `okta.authentication_context.issuer.id` field.\n- Once the third-party IdP is identified, determine if this IdP is authorized to be used by the tenant.\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\n- Identify the actor associated with the IdP creation by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields in historical data.\n - The `New Okta Identity Provider (IdP) Added by Admin` rule may be helpful in identifying the actor and the IdP creation event.\n- Determine the client used by the actor. 
Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- It might be a false positive if this IdP is authorized to be used by the tenant.\n- This may be a false positive if an authorized third-party IdP is used to sign in to the tenant but failures occurred due to an incorrect configuration.\n\n### Response and remediation:\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\n- Reset the effected user's password and enforce MFA re-enrollment, if applicable.\n- Mobile device forensics may be required to determine if the user's device is compromised.\n- If the IdP is authorized, ensure that the actor who created it is authorized to do so.\n- If the actor is unauthorized, deactivate their account via the Okta console.\n- If the actor is authorized, ensure that the actor's account is not compromised.\n\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- If the deactivated IdP was crucial to the organization, consider adding a new IdP and removing the unauthorized IdP.", "query": "event.dataset:okta.system and 
okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and\n (not okta.authentication_context.issuer.id:Okta and event.action:(user.authentication.auth_via_IDP\n or user.authentication.auth_via_inbound_SAML\n or user.authentication.auth_via_mfa\n or user.authentication.auth_via_social)\n or event.action:user.session.start) or\n (event.action:user.authentication.auth_via_IDP and okta.outcome.result:FAILURE\n and okta.outcome.reason:(\"A SAML assert with the same ID has already been processed by Okta for a previous request\"\n or \"Unable to match transformed username\"\n or \"Unable to resolve IdP endpoint\"\n or \"Unable to validate SAML Response\"\n or \"Unable to validate incoming SAML Assertion\"))\n", "references": ["https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://unit42.paloaltonetworks.com/muddled-libra/", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.authentication_context.issuer.id", "type": "keyword"}, {"ecs": false, "name": "okta.debug_context.debug_data.request_uri", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.reason", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.result", "type": "keyword"}], "risk_score": 47, "rule_id": "1ceb05c4-7d25-11ee-9562-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity 
and Access Audit", "Tactic: Initial Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1199", "name": "Trusted Relationship", "reference": "https://attack.mitre.org/techniques/T1199/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "1ceb05c4-7d25-11ee-9562-f661ea17fbcd_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd_5.json b/packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd_5.json deleted file mode 100644 index 54b492b67bc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1ceb05c4-7d25-11ee-9562-f661ea17fbcd_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP).", "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "15m", "language": "kuery", "license": "Elastic License v2", "name": "Okta Sign-In Events via Third-Party IdP", "note": "## Triage and analysis\n\n### Investigating Okta Sign-In Events via Third-Party IdP\n\nThis rule detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP).\n\nAdversaries may attempt to add an unauthorized IdP to an Okta tenant to gain access to the tenant. Following this action, adversaries may attempt to sign in to the tenant using the unauthorized IdP. This rule detects both the addition of an unauthorized IdP and the subsequent sign-in attempt.\n\n#### Possible investigation steps:\n- Identify the third-party IdP by examining the `okta.authentication_context.issuer.id` field.\n- Once the third-party IdP is identified, determine if this IdP is authorized to be used by the tenant.\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\n- Identify the actor associated with the IdP creation by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields in historical data.\n - The `New Okta Identity Provider (IdP) Added by Admin` rule may be helpful in identifying the actor and the IdP creation event.\n- Determine the client used by the actor. 
Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- It might be a false positive if this IdP is authorized to be used by the tenant.\n- This may be a false positive if an authorized third-party IdP is used to sign in to the tenant but failures occurred due to an incorrect configuration.\n\n### Response and remediation:\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\n- Reset the effected user's password and enforce MFA re-enrollment, if applicable.\n- Mobile device forensics may be required to determine if the user's device is compromised.\n- If the IdP is authorized, ensure that the actor who created it is authorized to do so.\n- If the actor is unauthorized, deactivate their account via the Okta console.\n- If the actor is authorized, ensure that the actor's account is not compromised.\n\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- If the deactivated IdP was crucial to the organization, consider adding a new IdP and removing the unauthorized IdP.", "query": "event.dataset:okta.system and 
okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and\n (not okta.authentication_context.issuer.id:Okta and event.action:(user.authentication.auth_via_IDP\n or user.authentication.auth_via_inbound_SAML\n or user.authentication.auth_via_mfa\n or user.authentication.auth_via_social)\n or event.action:user.session.start) or\n (event.action:user.authentication.auth_via_IDP and okta.outcome.result:FAILURE\n and okta.outcome.reason:(\"A SAML assert with the same ID has already been processed by Okta for a previous request\"\n or \"Unable to match transformed username\"\n or \"Unable to resolve IdP endpoint\"\n or \"Unable to validate SAML Response\"\n or \"Unable to validate incoming SAML Assertion\"))\n", "references": ["https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://unit42.paloaltonetworks.com/muddled-libra/", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.authentication_context.issuer.id", "type": "keyword"}, {"ecs": false, "name": "okta.debug_context.debug_data.request_uri", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.reason", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.result", "type": "keyword"}], "risk_score": 47, "rule_id": "1ceb05c4-7d25-11ee-9562-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity 
and Access Audit", "Tactic: Initial Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1199", "name": "Trusted Relationship", "reference": "https://attack.mitre.org/techniques/T1199/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "1ceb05c4-7d25-11ee-9562-f661ea17fbcd_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f.json b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f.json deleted file mode 100644 index 1fe5db630bc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.network-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Script Interpreter", "note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result 
!= 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id\n [network where host.os.type == \"windows\" and process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n ]\n [file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "network.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1d276579-3380-4095-ad38-e596a01bc64f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": 
"https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "type": "eql", "version": 110}, "id": "1d276579-3380-4095-ad38-e596a01bc64f", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_104.json b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_104.json deleted file mode 100644 index ee7b0baaa4b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Script Interpreter", "note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id\n [network where host.os.type == \"windows\" and process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n ]\n [file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "network.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1d276579-3380-4095-ad38-e596a01bc64f", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": 
"https://attack.mitre.org/techniques/T1105/"}]}], "type": "eql", "version": 104}, "id": "1d276579-3380-4095-ad38-e596a01bc64f_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_105.json b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_105.json deleted file mode 100644 index d69e2b48b5a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Script Interpreter", "note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result 
!= 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id\n [network where host.os.type == \"windows\" and process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n ]\n [file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "network.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1d276579-3380-4095-ad38-e596a01bc64f", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": 
"https://attack.mitre.org/techniques/T1105/"}]}], "type": "eql", "version": 105}, "id": "1d276579-3380-4095-ad38-e596a01bc64f_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_106.json b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_106.json deleted file mode 100644 index 392374cd3e2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_106.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Script Interpreter", "note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result 
!= 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id\n [network where host.os.type == \"windows\" and process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n ]\n [file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "network.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1d276579-3380-4095-ad38-e596a01bc64f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool 
Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "type": "eql", "version": 106}, "id": "1d276579-3380-4095-ad38-e596a01bc64f_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_107.json b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_107.json
deleted file mode 100644
index 0a75995bdfd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Script Interpreter", "note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result 
!= 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id\n [network where host.os.type == \"windows\" and process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n ]\n [file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "network.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1d276579-3380-4095-ad38-e596a01bc64f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", 
"name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "type": "eql", "version": 107}, "id": "1d276579-3380-4095-ad38-e596a01bc64f_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_108.json b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_108.json deleted file mode 100644 index 6e32d9a8f7f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_108.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Script Interpreter", "note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result 
!= 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id\n [network where host.os.type == \"windows\" and process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n ]\n [file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "network.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1d276579-3380-4095-ad38-e596a01bc64f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, 
"technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "type": "eql", "version": 108}, "id": "1d276579-3380-4095-ad38-e596a01bc64f_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_109.json b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_109.json deleted file mode 100644 index b69621e25f7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_109.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Script Interpreter", "note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result 
!= 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id\n [network where host.os.type == \"windows\" and process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n ]\n [file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "network.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1d276579-3380-4095-ad38-e596a01bc64f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": 
"https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "type": "eql", "version": 109}, "id": "1d276579-3380-4095-ad38-e596a01bc64f_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_110.json b/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_110.json
deleted file mode 100644
index c247834b06c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1d276579-3380-4095-ad38-e596a01bc64f_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies built-in Windows script interpreters (cscript.exe or wscript.exe) being used to download an executable file from a remote destination.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.network-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via Script Interpreter", "note": "## Triage and analysis\n\n### Investigating Remote File Download via Script Interpreter\n\nThe Windows Script Host (WSH) is a Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for DLLs and executables downloaded using `cscript.exe` or `wscript.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze both the script and the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result 
!= 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id\n [network where host.os.type == \"windows\" and process.name : (\"wscript.exe\", \"cscript.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and network.type == \"ipv4\" and destination.ip != \"127.0.0.1\"\n ]\n [file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "network.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1d276579-3380-4095-ad38-e596a01bc64f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": 
"https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "type": "eql", "version": 110}, "id": "1d276579-3380-4095-ad38-e596a01bc64f_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce.json
deleted file mode 100644
index 245cad842e0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of an AWS Roles Anywhere profile. AWS Roles Anywhere is a feature that allows you to use AWS Identity and Access Management (IAM) profiles to manage access to your AWS resources from any location via trusted anchors. This rule detects the creation of a profile that can be assumed from any service. Adversaries may create profiles tied to overly permissive roles to maintain access to AWS resources. Ensure that the profile creation is expected and that the trust policy is configured securely.", "false_positives": ["AWS Roles Anywhere profiles are legitimate profiles that can be created by administrators to allow access from any location. Ensure that the profile created is expected and that the trust policy is configured securely."], "from": "now-30m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Roles Anywhere Profile Creation", "note": "## Triage and Analysis\n\n### Investigating AWS IAM Roles Anywhere Profile Creation\n\nThis rule detects the creation of an AWS Roles Anywhere profile. AWS Roles Anywhere allows you to use AWS Identity and Access Management (IAM) profiles to manage access to your AWS resources from any location via trusted anchors. Adversaries may create profiles tied to overly permissive roles to maintain access to AWS resources. It is crucial to ensure that the profile creation is expected and that the trust policy is configured securely.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who created the profile. 
Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the profile creation. Look for any unusual parameters or overly permissive roles that could suggest unauthorized or malicious activity.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the location and origin of the request. Ensure the request originated from a known and trusted location.\n- **Check the Created Profile\u2019s Permissions**: Review the `roleArns` associated with the created profile. Verify that the roles are appropriate for the user's intended actions and do not grant excessive permissions.\n- **Verify the Profile\u2019s Configuration**: Ensure that the profile's `durationSeconds`, `enabled`, and `tags` are configured according to your organization's security policies. Pay particular attention to any configuration that might allow prolonged access or concealment of activity.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the profile creation aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the profile creation was successful and intended according to policy.\n\n### Response and Remediation:\n\n- **Immediate Review and Reversal if Necessary**: If the profile creation was unauthorized, disable or delete the created profile and review the associated roles and permissions for any potential misuse.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive roles or unexpected locations.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning profile and role management and the risks of unauthorized profile creation.\n- **Audit IAM Policies and Permissions**: Conduct a comprehensive audit of all IAM policies and associated permissions to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing AWS IAM Roles Anywhere profiles and securing AWS environments, refer to the [AWS Roles Anywhere documentation](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on profile management and potential abuse:\n- [AWS IAM Roles Anywhere Profile Creation API Reference](https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateProfile.html)\n- [Ermetic Blog - Managing Third Party Access](https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/)\n\n", "query": "event.dataset:aws.cloudtrail\n and event.provider: rolesanywhere.amazonaws.com\n and event.action: CreateProfile\n and event.outcome: success\n", "references": ["https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html", "https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-iam-roles-anywhere-trust-anchor-created/", "https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/", "https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateProfile.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], 
"timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce_1.json b/packages/security_detection_engine/kibana/security_rule/1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce_1.json
deleted file mode 100644
index f3b2e20ecec..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of an AWS Roles Anywhere profile. AWS Roles Anywhere is a feature that allows you to use AWS Identity and Access Management (IAM) profiles to manage access to your AWS resources from any location via trusted anchors. This rule detects the creation of a profile that can be assumed from any service. Adversaries may create profiles tied to overly permissive roles to maintain access to AWS resources. Ensure that the profile creation is expected and that the trust policy is configured securely.", "false_positives": ["AWS Roles Anywhere profiles are legitimate profiles that can be created by administrators to allow access from any location. Ensure that the profile created is expected and that the trust policy is configured securely."], "from": "now-30m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Roles Anywhere Profile Creation", "note": "\n## Triage and Analysis\n\n### Investigating AWS IAM Roles Anywhere Profile Creation\n\nThis rule detects the creation of an AWS Roles Anywhere profile. AWS Roles Anywhere allows you to use AWS Identity and Access Management (IAM) profiles to manage access to your AWS resources from any location via trusted anchors. Adversaries may create profiles tied to overly permissive roles to maintain access to AWS resources. It is crucial to ensure that the profile creation is expected and that the trust policy is configured securely.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who created the profile. 
Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the profile creation. Look for any unusual parameters or overly permissive roles that could suggest unauthorized or malicious activity.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the location and origin of the request. Ensure the request originated from a known and trusted location.\n- **Check the Created Profile\u2019s Permissions**: Review the `roleArns` associated with the created profile. Verify that the roles are appropriate for the user's intended actions and do not grant excessive permissions.\n- **Verify the Profile\u2019s Configuration**: Ensure that the profile's `durationSeconds`, `enabled`, and `tags` are configured according to your organization's security policies. Pay particular attention to any configuration that might allow prolonged access or concealment of activity.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the profile creation aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the profile creation was successful and intended according to policy.\n\n### Response and Remediation:\n\n- **Immediate Review and Reversal if Necessary**: If the profile creation was unauthorized, disable or delete the created profile and review the associated roles and permissions for any potential misuse.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive roles or unexpected locations.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning profile and role management and the risks of unauthorized profile creation.\n- **Audit IAM Policies and Permissions**: Conduct a comprehensive audit of all IAM policies and associated permissions to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing AWS IAM Roles Anywhere profiles and securing AWS environments, refer to the [AWS Roles Anywhere documentation](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on profile management and potential abuse:\n- [AWS IAM Roles Anywhere Profile Creation API Reference](https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateProfile.html)\n- [Ermetic Blog - Managing Third Party Access](https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/)\n\n", "query": "event.dataset:aws.cloudtrail\n and event.provider: rolesanywhere.amazonaws.com\n and event.action: CreateProfile\n and event.outcome: success\n", "references": ["https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html", "https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-iam-roles-anywhere-trust-anchor-created/", "https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/", "https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateProfile.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], 
"timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511.json b/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511.json
deleted file mode 100644
index 9684edc667e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to test for Internet access and acquire their external IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot.", "false_positives": ["If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those events. Validate that this is expected activity and tune the rule to fit your environment variables."], "from": "now-9m", "index": ["logs-endpoint.events.network-*"], "language": "eql", "license": "Elastic License v2", "name": "External IP Lookup from Non-Browser Process", "note": "## Triage and analysis\n\n### Investigating External IP Lookup from Non-Browser Process\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for connections to known IP lookup services through non-browser processes or non-installed programs. Using only the IP address of the compromised system, attackers can obtain valuable information such as the system's geographic location, the company that owns the IP, whether the system is cloud-hosted, and more.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Use the data collected through the analysis to investigate other machines affected in the environment.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-19\", \"S-1-5-20\") and\n event.action == \"lookup_requested\" and\n /* Add new external IP lookup services here */\n dns.question.name :\n (\n \"*api.ipify.org\",\n \"*freegeoip.app\",\n \"*checkip.amazonaws.com\",\n \"*checkip.dyndns.org\",\n \"*freegeoip.app\",\n \"*icanhazip.com\",\n \"*ifconfig.*\",\n \"*ipecho.net\",\n \"*ipgeoapi.com\",\n \"*ipinfo.io\",\n \"*ip.anysrc.net\",\n \"*myexternalip.com\",\n \"*myipaddress.com\",\n \"*showipaddress.com\",\n \"*whatismyipaddress.com\",\n \"*wtfismyip.com\",\n \"*ipapi.co\",\n \"*ip-lookup.net\",\n \"*ipstack.com\"\n ) and\n /* Insert noisy false positives here */\n not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\Prey\\\\versions\\\\*\\\\bin\\\\node.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\"\n ) and process.code_signature.trusted == true\n ) or\n (\n (process.name : 
\"Evernote.exe\" and process.code_signature.subject_name : \"Evernote Corporation\" and process.code_signature.trusted == true) or\n (process.name : \"firefox.exe\" and process.code_signature.subject_name : \"Mozilla Corporation\" and process.code_signature.trusted == true) or\n (process.name : \"Loom.exe\" and process.code_signature.subject_name : \"Loom, Inc.\" and process.code_signature.trusted == true) or\n (process.name : \"opera.exe\" and process.code_signature.subject_name : \"Opera Norway AS\" and process.code_signature.trusted == true) or\n (process.name : \"brave.exe\" and process.code_signature.subject_name : \"Brave Software, Inc.\" and process.code_signature.trusted == true) or\n (process.name : \"vivaldi.exe\" and process.code_signature.subject_name : \"Vivaldi Technologies AS\" and process.code_signature.trusted == true)\n )\n )\n", "references": ["https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation", "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "1d72d014-e2ab-4707-b056-9b96abe7b511", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Rule 
Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/", "subtechnique": [{"id": "T1016.001", "name": "Internet Connection Discovery", "reference": "https://attack.mitre.org/techniques/T1016/001/"}]}, {"id": "T1614", "name": "System Location Discovery", "reference": "https://attack.mitre.org/techniques/T1614/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "1d72d014-e2ab-4707-b056-9b96abe7b511", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_104.json b/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_104.json
deleted file mode 100644
index 3d1bdadc722..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to test for Internet access and acquire their external IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot.", "false_positives": ["If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those events. Validate that this is expected activity and tune the rule to fit your environment variables."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "External IP Lookup from Non-Browser Process", "note": "## Triage and analysis\n\n### Investigating External IP Lookup from Non-Browser Process\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for connections to known IP lookup services through non-browser processes or non-installed programs. Using only the IP address of the compromised system, attackers can obtain valuable information such as the system's geographic location, the company that owns the IP, whether the system is cloud-hosted, and more.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Use the data collected through the analysis to investigate other machines affected in the environment.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-19\", \"S-1-5-20\") and\n event.action == \"lookup_requested\" and\n /* Add new external IP lookup services here */\n dns.question.name :\n (\n \"*api.ipify.org\",\n \"*freegeoip.app\",\n \"*checkip.amazonaws.com\",\n \"*checkip.dyndns.org\",\n \"*freegeoip.app\",\n \"*icanhazip.com\",\n \"*ifconfig.*\",\n \"*ipecho.net\",\n \"*ipgeoapi.com\",\n \"*ipinfo.io\",\n \"*ip.anysrc.net\",\n \"*myexternalip.com\",\n \"*myipaddress.com\",\n \"*showipaddress.com\",\n \"*whatismyipaddress.com\",\n \"*wtfismyip.com\",\n \"*ipapi.co\",\n \"*ip-lookup.net\",\n \"*ipstack.com\"\n ) and\n /* Insert noisy false positives here */\n not process.executable :\n (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\"\n )\n", "references": ["https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation", 
"https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "1d72d014-e2ab-4707-b056-9b96abe7b511", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/", "subtechnique": [{"id": "T1016.001", "name": "Internet Connection Discovery", "reference": "https://attack.mitre.org/techniques/T1016/001/"}]}, {"id": "T1614", "name": "System Location Discovery", "reference": "https://attack.mitre.org/techniques/T1614/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "1d72d014-e2ab-4707-b056-9b96abe7b511_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_105.json b/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_105.json
deleted file mode 100644
index 0a20de3d5f6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to test for Internet access and acquire their external IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot.", "false_positives": ["If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those events. Validate that this is expected activity and tune the rule to fit your environment variables."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "External IP Lookup from Non-Browser Process", "note": "## Triage and analysis\n\n### Investigating External IP Lookup from Non-Browser Process\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for connections to known IP lookup services through non-browser processes or non-installed programs. Using only the IP address of the compromised system, attackers can obtain valuable information such as the system's geographic location, the company that owns the IP, whether the system is cloud-hosted, and more.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Use the data collected through the analysis to investigate other machines affected in the environment.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-19\", \"S-1-5-20\") and\n event.action == \"lookup_requested\" and\n /* Add new external IP lookup services here */\n dns.question.name :\n (\n \"*api.ipify.org\",\n \"*freegeoip.app\",\n \"*checkip.amazonaws.com\",\n \"*checkip.dyndns.org\",\n \"*freegeoip.app\",\n \"*icanhazip.com\",\n \"*ifconfig.*\",\n \"*ipecho.net\",\n \"*ipgeoapi.com\",\n \"*ipinfo.io\",\n \"*ip.anysrc.net\",\n \"*myexternalip.com\",\n \"*myipaddress.com\",\n \"*showipaddress.com\",\n \"*whatismyipaddress.com\",\n \"*wtfismyip.com\",\n \"*ipapi.co\",\n \"*ip-lookup.net\",\n \"*ipstack.com\"\n ) and\n /* Insert noisy false positives here */\n not process.executable :\n (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\"\n )\n", "references": ["https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation", 
"https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "1d72d014-e2ab-4707-b056-9b96abe7b511", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/", "subtechnique": [{"id": "T1016.001", "name": "Internet Connection Discovery", "reference": "https://attack.mitre.org/techniques/T1016/001/"}]}, {"id": "T1614", "name": "System Location Discovery", "reference": "https://attack.mitre.org/techniques/T1614/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "1d72d014-e2ab-4707-b056-9b96abe7b511_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_106.json b/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_106.json
deleted file mode 100644
index 170acee7089..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to test for Internet access and acquire their external IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot.", "false_positives": ["If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those events. Validate that this is expected activity and tune the rule to fit your environment variables."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "External IP Lookup from Non-Browser Process", "note": "## Triage and analysis\n\n### Investigating External IP Lookup from Non-Browser Process\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for connections to known IP lookup services through non-browser processes or non-installed programs. Using only the IP address of the compromised system, attackers can obtain valuable information such as the system's geographic location, the company that owns the IP, whether the system is cloud-hosted, and more.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Use the data collected through the analysis to investigate other machines affected in the environment.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-19\", \"S-1-5-20\") and\n event.action == \"lookup_requested\" and\n /* Add new external IP lookup services here */\n dns.question.name :\n (\n \"*api.ipify.org\",\n \"*freegeoip.app\",\n \"*checkip.amazonaws.com\",\n \"*checkip.dyndns.org\",\n \"*freegeoip.app\",\n \"*icanhazip.com\",\n \"*ifconfig.*\",\n \"*ipecho.net\",\n \"*ipgeoapi.com\",\n \"*ipinfo.io\",\n \"*ip.anysrc.net\",\n \"*myexternalip.com\",\n \"*myipaddress.com\",\n \"*showipaddress.com\",\n \"*whatismyipaddress.com\",\n \"*wtfismyip.com\",\n \"*ipapi.co\",\n \"*ip-lookup.net\",\n \"*ipstack.com\"\n ) and\n /* Insert noisy false positives here */\n not process.executable :\n (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\"\n )\n", "references": ["https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation", 
"https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "1d72d014-e2ab-4707-b056-9b96abe7b511", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/", "subtechnique": [{"id": "T1016.001", "name": "Internet Connection Discovery", "reference": "https://attack.mitre.org/techniques/T1016/001/"}]}, {"id": "T1614", "name": "System Location Discovery", "reference": "https://attack.mitre.org/techniques/T1614/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "1d72d014-e2ab-4707-b056-9b96abe7b511_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_107.json b/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_107.json
deleted file mode 100644
index 5082276929e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1d72d014-e2ab-4707-b056-9b96abe7b511_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies domains commonly used by adversaries for post-exploitation IP lookups. It is common for adversaries to test for Internet access and acquire their external IP address after they have gained access to a system. Among others, this has been observed in campaigns leveraging the information stealer, Trickbot.", "false_positives": ["If the domains listed in this rule are used as part of an authorized workflow, this rule will be triggered by those events. Validate that this is expected activity and tune the rule to fit your environment variables."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "External IP Lookup from Non-Browser Process", "note": "## Triage and analysis\n\n### Investigating External IP Lookup from Non-Browser Process\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for connections to known IP lookup services through non-browser processes or non-installed programs. Using only the IP address of the compromised system, attackers can obtain valuable information such as the system's geographic location, the company that owns the IP, whether the system is cloud-hosted, and more.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Use the data collected through the analysis to investigate other machines affected in the environment.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-19\", \"S-1-5-20\") and\n event.action == \"lookup_requested\" and\n /* Add new external IP lookup services here */\n dns.question.name :\n (\n \"*api.ipify.org\",\n \"*freegeoip.app\",\n \"*checkip.amazonaws.com\",\n \"*checkip.dyndns.org\",\n \"*freegeoip.app\",\n \"*icanhazip.com\",\n \"*ifconfig.*\",\n \"*ipecho.net\",\n \"*ipgeoapi.com\",\n \"*ipinfo.io\",\n \"*ip.anysrc.net\",\n \"*myexternalip.com\",\n \"*myipaddress.com\",\n \"*showipaddress.com\",\n \"*whatismyipaddress.com\",\n \"*wtfismyip.com\",\n \"*ipapi.co\",\n \"*ip-lookup.net\",\n \"*ipstack.com\"\n ) and\n /* Insert noisy false positives here */\n not process.executable :\n (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\"\n )\n", "references": ["https://community.jisc.ac.uk/blogs/csirt/article/trickbot-analysis-and-mitigation", 
"https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "1d72d014-e2ab-4707-b056-9b96abe7b511", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/", "subtechnique": [{"id": "T1016.001", "name": "Internet Connection Discovery", "reference": "https://attack.mitre.org/techniques/T1016/001/"}]}, {"id": "T1614", "name": "System Location Discovery", "reference": "https://attack.mitre.org/techniques/T1614/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "1d72d014-e2ab-4707-b056-9b96abe7b511_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd.json b/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd.json deleted file mode 100644 index 076f9834589..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of Cmdlets and methods related to encryption/decryption of files in PowerShell scripts, which malware and offensive security tools can abuse to encrypt data or decrypt payloads to bypass security solutions.", "false_positives": ["Legitimate PowerShell Scripts which makes use of encryption."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Encryption/Decryption Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Script with Encryption/Decryption Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\n\nPowerShell offers encryption and decryption functionalities that attackers can abuse for various purposes, such as concealing payloads, C2 communications, and encrypting data as part of ransomware operations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n\n### False positive analysis\n\n- This is a dual-use mechanism, meaning its usage is not inherently malicious. Analysts can dismiss the alert if the script doesn't contain malicious functions or potential for abuse, no other suspicious activity was identified, and there are justifications for the execution.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"Cryptography.AESManaged\" or\n \"Cryptography.RijndaelManaged\" or\n \"Cryptography.SHA1Managed\" or\n \"Cryptography.SHA256Managed\" or\n \"Cryptography.SHA384Managed\" or\n \"Cryptography.SHA512Managed\" or\n \"Cryptography.SymmetricAlgorithm\" or\n \"PasswordDeriveBytes\" or\n \"Rfc2898DeriveBytes\"\n ) and\n (\n CipherMode and PaddingMode\n ) and\n (\n \".CreateEncryptor\" or\n \".CreateDecryptor\"\n )\n ) and\n not user.id : \"S-1-5-18\" and\n not (\n file.name : \"Bootstrap.Octopus.FunctionAppenderContext.ps1\" and\n powershell.file.script_block_text : (\"function Decrypt-Variables\" or \"github.com/OctopusDeploy\")\n )\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or 
Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 7}, "id": "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_2.json b/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_2.json deleted file mode 100644 index 5837c35ab7b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of Cmdlets and methods related to encryption/decryption of files in PowerShell scripts, which malware and offensive security tools can abuse to encrypt data or decrypt payloads to bypass security solutions.", "false_positives": ["Legitimate PowerShell Scripts which makes use of encryption."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Encryption/Decryption Capabilities", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"Cryptography.AESManaged\" or\n \"Cryptography.RijndaelManaged\" or\n \"Cryptography.SHA1Managed\" or\n \"Cryptography.SHA256Managed\" or\n \"Cryptography.SHA384Managed\" or\n \"Cryptography.SHA512Managed\" or\n \"Cryptography.SymmetricAlgorithm\" or\n \"PasswordDeriveBytes\" or\n \"Rfc2898DeriveBytes\"\n ) and\n (\n CipherMode and PaddingMode\n ) and\n (\n \".CreateEncryptor\" or\n \".CreateDecryptor\"\n )\n ) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "PowerShell"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}, {"id": "T1027", "name": "Obfuscated Files or 
Information", "reference": "https://attack.mitre.org/techniques/T1027/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_3.json b/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_3.json deleted file mode 100644 index ec437fec6b0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of Cmdlets and methods related to encryption/decryption of files in PowerShell scripts, which malware and offensive security tools can abuse to encrypt data or decrypt payloads to bypass security solutions.", "false_positives": ["Legitimate PowerShell Scripts which makes use of encryption."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Encryption/Decryption Capabilities", "query": "event.category:process and host.os.type:windows and \npowershell.file.script_block_text : (\n CipherMode and \n PaddingMode and \n ( \n Cryptography.AESManaged or \n Cryptography.RijndaelManaged or \n Cryptography.SHA1Managed or \n Cryptography.SHA256Managed or \n Cryptography.SHA384Managed or \n Cryptography.SHA512Managed or \n Cryptography.SymmetricAlgorithm or \n PasswordDeriveBytes or \n Rfc2898DeriveBytes\n ) and (.CreateDecryptor or .CreateEncryptor)) and not user.id:S-1-5-18\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", 
"reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_4.json b/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_4.json deleted file mode 100644 index cb33b933e2e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of Cmdlets and methods related to encryption/decryption of files in PowerShell scripts, which malware and offensive security tools can abuse to encrypt data or decrypt payloads to bypass security solutions.", "false_positives": ["Legitimate PowerShell Scripts which makes use of encryption."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Encryption/Decryption Capabilities", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"Cryptography.AESManaged\" or\n \"Cryptography.RijndaelManaged\" or\n \"Cryptography.SHA1Managed\" or\n \"Cryptography.SHA256Managed\" or\n \"Cryptography.SHA384Managed\" or\n \"Cryptography.SHA512Managed\" or\n \"Cryptography.SymmetricAlgorithm\" or\n \"PasswordDeriveBytes\" or\n \"Rfc2898DeriveBytes\"\n ) and\n (\n CipherMode and PaddingMode\n ) and\n (\n \".CreateEncryptor\" or\n \".CreateDecryptor\"\n )\n ) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", 
"name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_5.json b/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_5.json deleted file mode 100644 index c079718d616..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of Cmdlets and methods related to encryption/decryption of files in PowerShell scripts, which malware and offensive security tools can abuse to encrypt data or decrypt payloads to bypass security solutions.", "false_positives": ["Legitimate PowerShell Scripts which makes use of encryption."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Encryption/Decryption Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Script with Encryption/Decryption Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\n\nPowerShell offers encryption and decryption functionalities that attackers can abuse for various purposes, such as concealing payloads, C2 communications, and encrypting data as part of ransomware operations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n\n### False positive analysis\n\n- This is a dual-use mechanism, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the script doesn't contain malicious functions or potential for abuse, no other suspicious activity was identified, and there are justifications for the execution.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"Cryptography.AESManaged\" or\n \"Cryptography.RijndaelManaged\" or\n \"Cryptography.SHA1Managed\" or\n \"Cryptography.SHA256Managed\" or\n \"Cryptography.SHA384Managed\" or\n \"Cryptography.SHA512Managed\" or\n \"Cryptography.SymmetricAlgorithm\" or\n \"PasswordDeriveBytes\" or\n \"Rfc2898DeriveBytes\"\n ) and\n (\n CipherMode and PaddingMode\n ) and\n (\n \".CreateEncryptor\" or\n \".CreateDecryptor\"\n )\n ) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": 
"powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_6.json b/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_6.json deleted file mode 100644 index 7788c654642..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of Cmdlets and methods related to encryption/decryption of files in PowerShell scripts, which malware and offensive security tools can abuse to encrypt data or decrypt payloads to bypass security solutions.", "false_positives": ["Legitimate PowerShell Scripts which makes use of encryption."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Encryption/Decryption Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Script with Encryption/Decryption Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\n\nPowerShell offers encryption and decryption functionalities that attackers can abuse for various purposes, such as concealing payloads, C2 communications, and encrypting data as part of ransomware operations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n\n### False positive analysis\n\n- This is a dual-use mechanism, meaning its usage is not inherently malicious. Analysts can dismiss the alert if the script doesn't contain malicious functions or potential for abuse, no other suspicious activity was identified, and there are justifications for the execution.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"Cryptography.AESManaged\" or\n \"Cryptography.RijndaelManaged\" or\n \"Cryptography.SHA1Managed\" or\n \"Cryptography.SHA256Managed\" or\n \"Cryptography.SHA384Managed\" or\n \"Cryptography.SHA512Managed\" or\n \"Cryptography.SymmetricAlgorithm\" or\n \"PasswordDeriveBytes\" or\n \"Rfc2898DeriveBytes\"\n ) and\n (\n CipherMode and PaddingMode\n ) and\n (\n \".CreateEncryptor\" or\n \".CreateDecryptor\"\n )\n ) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", 
"type": "query", "version": 6}, "id": "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_7.json b/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_7.json deleted file mode 100644 index 9c30fccd48f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of Cmdlets and methods related to encryption/decryption of files in PowerShell scripts, which malware and offensive security tools can abuse to encrypt data or decrypt payloads to bypass security solutions.", "false_positives": ["Legitimate PowerShell Scripts which makes use of encryption."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Encryption/Decryption Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Script with Encryption/Decryption Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\n\nPowerShell offers encryption and decryption functionalities that attackers can abuse for various purposes, such as concealing payloads, C2 communications, and encrypting data as part of ransomware operations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n\n### False positive analysis\n\n- This is a dual-use mechanism, meaning its usage is not inherently malicious. Analysts can dismiss the alert if the script doesn't contain malicious functions or potential for abuse, no other suspicious activity was identified, and there are justifications for the execution.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"Cryptography.AESManaged\" or\n \"Cryptography.RijndaelManaged\" or\n \"Cryptography.SHA1Managed\" or\n \"Cryptography.SHA256Managed\" or\n \"Cryptography.SHA384Managed\" or\n \"Cryptography.SHA512Managed\" or\n \"Cryptography.SymmetricAlgorithm\" or\n \"PasswordDeriveBytes\" or\n \"Rfc2898DeriveBytes\"\n ) and\n (\n CipherMode and PaddingMode\n ) and\n (\n \".CreateEncryptor\" or\n \".CreateDecryptor\"\n )\n ) and\n not user.id : \"S-1-5-18\" and\n not (\n file.name : \"Bootstrap.Octopus.FunctionAppenderContext.ps1\" and\n powershell.file.script_block_text : (\"function Decrypt-Variables\" or \"github.com/OctopusDeploy\")\n )\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or 
Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 7}, "id": "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_8.json b/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_8.json deleted file mode 100644 index 208bdd6b9c7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of Cmdlets and methods related to encryption/decryption of files in PowerShell scripts, which malware and offensive security tools can abuse to encrypt data or decrypt payloads to bypass security solutions.", "false_positives": ["Legitimate PowerShell Scripts which makes use of encryption."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Encryption/Decryption Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Script with Encryption/Decryption Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\n\nPowerShell offers encryption and decryption functionalities that attackers can abuse for various purposes, such as concealing payloads, C2 communications, and encrypting data as part of ransomware operations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n\n### False positive analysis\n\n- This is a dual-use mechanism, meaning its usage is not inherently malicious. Analysts can dismiss the alert if the script doesn't contain malicious functions or potential for abuse, no other suspicious activity was identified, and there are justifications for the execution.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"Cryptography.AESManaged\" or\n \"Cryptography.RijndaelManaged\" or\n \"Cryptography.SHA1Managed\" or\n \"Cryptography.SHA256Managed\" or\n \"Cryptography.SHA384Managed\" or\n \"Cryptography.SHA512Managed\" or\n \"Cryptography.SymmetricAlgorithm\" or\n \"PasswordDeriveBytes\" or\n \"Rfc2898DeriveBytes\"\n ) and\n (\n CipherMode and PaddingMode\n ) and\n (\n \".CreateEncryptor\" or\n \".CreateDecryptor\"\n )\n ) and\n not user.id : \"S-1-5-18\" and\n not (\n file.name : \"Bootstrap.Octopus.FunctionAppenderContext.ps1\" and\n powershell.file.script_block_text : (\"function Decrypt-Variables\" or \"github.com/OctopusDeploy\")\n )\n", "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or 
Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 8}, "id": "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd_8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e.json b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e.json deleted file mode 100644 index 86df119100a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"/autoclean\" and process.args : \"/d\" and process.executable != null and \n not process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\System32\\\\taskhostw.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: 
Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_102.json b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_102.json deleted file mode 100644 index 4e22fbf0f7a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"/autoclean\" and process.args : \"/d\" and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\System32\\\\taskhostw.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": 
"Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_103.json b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_103.json deleted file mode 100644 index 64d519c4732..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"/autoclean\" and process.args : \"/d\" and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\System32\\\\taskhostw.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", 
"subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_104.json b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_104.json deleted file mode 100644 index 49198b3c2a6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"/autoclean\" and process.args : \"/d\" and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\System32\\\\taskhostw.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": 
"https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_105.json b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_105.json deleted file mode 100644 index 2c6dc5456af..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"/autoclean\" and process.args : \"/d\" and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\System32\\\\taskhostw.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control 
Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_106.json b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_106.json deleted file mode 100644 index 914fd2d74e8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"/autoclean\" and process.args : \"/d\" and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\System32\\\\taskhostw.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_107.json b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_107.json deleted file mode 100644 index 63ec5ead9aa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_107.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"/autoclean\" and process.args : \"/d\" and process.executable != null and \n not process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\System32\\\\taskhostw.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: 
Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_108.json b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_108.json
deleted file mode 100644
index 89f2ac3bc0d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"/autoclean\" and process.args : \"/d\" and process.executable != null and \n not process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\System32\\\\taskhostw.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data 
Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_109.json b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_109.json
deleted file mode 100644
index bcf0b3aafee..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"/autoclean\" and process.args : \"/d\" and process.executable != null and \n not process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\System32\\\\taskhostw.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: 
Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_110.json b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_110.json
deleted file mode 100644
index f09aa5cfb33..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"/autoclean\" and process.args : \"/d\" and process.executable != null and \n not process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\System32\\\\taskhostw.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: 
Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_310.json b/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_310.json
deleted file mode 100644
index 6c3abd6f82c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1dcc51f6-ba26-49e7-9ef4-2655abb2361e_310.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via DiskCleanup Scheduled Task Hijack", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"/autoclean\" and process.args : \"/d\" and process.executable != null and \n not process.executable : (\"C:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\cleanmgr.exe\",\n \"C:\\\\Windows\\\\System32\\\\taskhostw.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege 
Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 310}, "id": "1dcc51f6-ba26-49e7-9ef4-2655abb2361e_310", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1.json b/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1.json
deleted file mode 100644
index ad5fa8558c3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect sensitive information or send email on their behalf via API.", "from": "now-9m", "index": ["logs-endpoint.events.process*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Inter-Process Communication via Outlook", "query": "sequence with maxspan=1m\n[process where host.os.type == \"windows\" and event.action == \"start\" and\n (\n process.name : (\n \"rundll32.exe\", \"mshta.exe\", \"powershell.exe\", \"pwsh.exe\",\n \"cmd.exe\", \"regsvr32.exe\", \"cscript.exe\", \"wscript.exe\"\n ) or\n (\n (process.code_signature.trusted == false or process.code_signature.exists == false) and \n (process.Ext.relative_file_creation_time <= 500 or process.Ext.relative_file_name_modify_time <= 500)\n )\n )\n] by process.entity_id\n[process where host.os.type == \"windows\" and event.action == \"start\" and process.name : \"OUTLOOK.EXE\" and\n process.Ext.effective_parent.name != null] by process.Ext.effective_parent.entity_id\n", "references": ["https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.effective_parent.entity_id", "type": "unknown"}, {"ecs": false, "name": "process.Ext.effective_parent.name", "type": "unknown"}, {"ecs": false, "name": "process.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": false, "name": "process.Ext.relative_file_name_modify_time", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": 
"process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", "name": "Local Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "type": "eql", "version": 7}, "id": "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_2.json b/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_2.json
deleted file mode 100644
index 4dd0cf2635b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect sensitive information or send email on their behalf via API.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Inter-Process Communication via Outlook", "query": "process where host.os.type == \"windows\" and event.action == \"start\" and process.name : \"OUTLOOK.EXE\" and\n process.Ext.effective_parent.name != null and\n not process.Ext.effective_parent.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\")\n", "references": ["https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown"}, {"ecs": false, "name": "process.Ext.effective_parent.name", "type": "unknown"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Collection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", "name": "Local Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", 
"reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_3.json b/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_3.json
deleted file mode 100644
index e7f7e42d892..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect sensitive information or send email on their behalf via API.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Inter-Process Communication via Outlook", "query": "process where host.os.type == \"windows\" and event.action == \"start\" and process.name : \"OUTLOOK.EXE\" and\n process.Ext.effective_parent.name != null and\n not process.Ext.effective_parent.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\")\n", "references": ["https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown"}, {"ecs": false, "name": "process.Ext.effective_parent.name", "type": "unknown"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", "name": "Local Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", 
"name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_4.json b/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_4.json
deleted file mode 100644
index c35bbea3bcd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect sensitive information or send email on their behalf via API.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Inter-Process Communication via Outlook", "query": "process where host.os.type == \"windows\" and event.action == \"start\" and process.name : \"OUTLOOK.EXE\" and\n process.Ext.effective_parent.name != null and\n not process.Ext.effective_parent.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\")\n", "references": ["https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown"}, {"ecs": false, "name": "process.Ext.effective_parent.name", "type": "unknown"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", "name": "Local Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/001/"}]}]}, {"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_5.json b/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_5.json
deleted file mode 100644
index 462a1f24d21..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect sensitive information or send email on their behalf via API.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Inter-Process Communication via Outlook", "query": "sequence with maxspan=1m\n[process where host.os.type == \"windows\" and event.action == \"start\" and\n (\n process.name : (\n \"rundll32.exe\", \"mshta.exe\", \"powershell.exe\", \"pwsh.exe\",\n \"cmd.exe\", \"regsvr32.exe\", \"cscript.exe\", \"wscript.exe\"\n ) or\n (\n (process.code_signature.trusted == false or process.code_signature.exists == false) and \n (process.Ext.relative_file_creation_time <= 500 or process.Ext.relative_file_name_modify_time <= 500)\n )\n )\n] by process.executable\n[process where host.os.type == \"windows\" and event.action == \"start\" and process.name : \"OUTLOOK.EXE\" and\n process.Ext.effective_parent.name != null] by process.Ext.effective_parent.executable\n", "references": ["https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown"}, {"ecs": false, "name": "process.Ext.effective_parent.name", "type": "unknown"}, {"ecs": false, "name": "process.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": false, "name": "process.Ext.relative_file_name_modify_time", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": 
"process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", "name": "Local Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "type": "eql", "version": 5}, "id": "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_6.json b/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_6.json
deleted file mode 100644
index 1f17d910578..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect sensitive information or send email on their behalf via API.", "from": "now-9m", "index": ["logs-endpoint.events.process*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Inter-Process Communication via Outlook", "query": "sequence with maxspan=1m\n[process where host.os.type == \"windows\" and event.action == \"start\" and\n (\n process.name : (\n \"rundll32.exe\", \"mshta.exe\", \"powershell.exe\", \"pwsh.exe\",\n \"cmd.exe\", \"regsvr32.exe\", \"cscript.exe\", \"wscript.exe\"\n ) or\n (\n (process.code_signature.trusted == false or process.code_signature.exists == false) and \n (process.Ext.relative_file_creation_time <= 500 or process.Ext.relative_file_name_modify_time <= 500)\n )\n )\n] by process.executable\n[process where host.os.type == \"windows\" and event.action == \"start\" and process.name : \"OUTLOOK.EXE\" and\n process.Ext.effective_parent.name != null] by process.Ext.effective_parent.executable\n", "references": ["https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown"}, {"ecs": false, "name": "process.Ext.effective_parent.name", "type": "unknown"}, {"ecs": false, "name": "process.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": false, "name": "process.Ext.relative_file_name_modify_time", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": 
"process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", "name": "Local Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "type": "eql", "version": 6}, "id": "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b.json b/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b.json
deleted file mode 100644
index f31927c6b74..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious file that was written by a PDF reader application and subsequently executed. These processes are often launched via exploitation of PDF applications.", "from": "now-120m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Execution of File Written or Modified by PDF Reader", "note": "## Triage and analysis\n\n### Investigating Execution of File Written or Modified by PDF Reader\n\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\n\nThis rule searches for executable files written by PDF reader software and executed in sequence. This is most likely the result of exploitation for privilege escalation or initial access. This rule can also detect suspicious processes masquerading as PDF readers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the PDF documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=2h\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"AcroRd32.exe\" or\n process.name : \"rdrcef.exe\" or\n process.name : \"FoxitPhantomPDF.exe\" or\n process.name : \"FoxitReader.exe\") and\n not (file.name : \"FoxitPhantomPDF.exe\" or\n file.name : \"FoxitPhantomPDFUpdater.exe\" or\n file.name : \"FoxitReader.exe\" or\n file.name : \"FoxitReaderUpdater.exe\" or\n file.name : \"AcroRd32.exe\" or\n file.name : \"rdrcef.exe\")\n ] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "1defdd62-cd8d-426e-a246-81a37751bb2b", "severity": "high", 
"tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "type": "eql", "version": 108}, "id": "1defdd62-cd8d-426e-a246-81a37751bb2b", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_104.json b/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_104.json
deleted file mode 100644
index 04fef179ac9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious file that was written by a PDF reader application and subsequently executed. These processes are often launched via exploitation of PDF applications.", "from": "now-120m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Execution of File Written or Modified by PDF Reader", "note": "## Triage and analysis\n\n### Investigating Execution of File Written or Modified by PDF Reader\n\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\n\nThis rule searches for executable files written by PDF reader software and executed in sequence. This is most likely the result of exploitation for privilege escalation or initial access. This rule can also detect suspicious processes masquerading as PDF readers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the PDF documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=2h\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"AcroRd32.exe\" or\n process.name : \"rdrcef.exe\" or\n process.name : \"FoxitPhantomPDF.exe\" or\n process.name : \"FoxitReader.exe\") and\n not (file.name : \"FoxitPhantomPDF.exe\" or\n file.name : \"FoxitPhantomPDFUpdater.exe\" or\n file.name : \"FoxitReader.exe\" or\n file.name : \"FoxitReaderUpdater.exe\" or\n file.name : \"AcroRd32.exe\" or\n file.name : \"rdrcef.exe\")\n ] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "1defdd62-cd8d-426e-a246-81a37751bb2b", "severity": "high", 
"tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "type": "eql", "version": 104}, "id": "1defdd62-cd8d-426e-a246-81a37751bb2b_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_105.json b/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_105.json
deleted file mode 100644
index 88e4e6dbfca..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious file that was written by a PDF reader application and subsequently executed. These processes are often launched via exploitation of PDF applications.", "from": "now-120m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Execution of File Written or Modified by PDF Reader", "note": "## Triage and analysis\n\n### Investigating Execution of File Written or Modified by PDF Reader\n\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\n\nThis rule searches for executable files written by PDF reader software and executed in sequence. This is most likely the result of exploitation for privilege escalation or initial access. This rule can also detect suspicious processes masquerading as PDF readers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the PDF documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=2h\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"AcroRd32.exe\" or\n process.name : \"rdrcef.exe\" or\n process.name : \"FoxitPhantomPDF.exe\" or\n process.name : \"FoxitReader.exe\") and\n not (file.name : \"FoxitPhantomPDF.exe\" or\n file.name : \"FoxitPhantomPDFUpdater.exe\" or\n file.name : \"FoxitReader.exe\" or\n file.name : \"FoxitReaderUpdater.exe\" or\n file.name : \"AcroRd32.exe\" or\n file.name : \"rdrcef.exe\")\n ] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "1defdd62-cd8d-426e-a246-81a37751bb2b", "severity": "high", 
"tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "type": "eql", "version": 105}, "id": "1defdd62-cd8d-426e-a246-81a37751bb2b_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_106.json b/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_106.json
deleted file mode 100644
index 9432012dbdf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious file that was written by a PDF reader application and subsequently executed. These processes are often launched via exploitation of PDF applications.", "from": "now-120m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Execution of File Written or Modified by PDF Reader", "note": "## Triage and analysis\n\n### Investigating Execution of File Written or Modified by PDF Reader\n\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\n\nThis rule searches for executable files written by PDF reader software and executed in sequence. This is most likely the result of exploitation for privilege escalation or initial access. This rule can also detect suspicious processes masquerading as PDF readers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the PDF documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=2h\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"AcroRd32.exe\" or\n process.name : \"rdrcef.exe\" or\n process.name : \"FoxitPhantomPDF.exe\" or\n process.name : \"FoxitReader.exe\") and\n not (file.name : \"FoxitPhantomPDF.exe\" or\n file.name : \"FoxitPhantomPDFUpdater.exe\" or\n file.name : \"FoxitReader.exe\" or\n file.name : \"FoxitReaderUpdater.exe\" or\n file.name : \"AcroRd32.exe\" or\n file.name : \"rdrcef.exe\")\n ] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "1defdd62-cd8d-426e-a246-81a37751bb2b", "severity": "high", 
"tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "type": "eql", "version": 106}, "id": "1defdd62-cd8d-426e-a246-81a37751bb2b_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_107.json b/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_107.json
deleted file mode 100644
index 3fd441aa191..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious file that was written by a PDF reader application and subsequently executed. These processes are often launched via exploitation of PDF applications.", "from": "now-120m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Execution of File Written or Modified by PDF Reader", "note": "## Triage and analysis\n\n### Investigating Execution of File Written or Modified by PDF Reader\n\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\n\nThis rule searches for executable files written by PDF reader software and executed in sequence. This is most likely the result of exploitation for privilege escalation or initial access. This rule can also detect suspicious processes masquerading as PDF readers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the PDF documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=2h\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"AcroRd32.exe\" or\n process.name : \"rdrcef.exe\" or\n process.name : \"FoxitPhantomPDF.exe\" or\n process.name : \"FoxitReader.exe\") and\n not (file.name : \"FoxitPhantomPDF.exe\" or\n file.name : \"FoxitPhantomPDFUpdater.exe\" or\n file.name : \"FoxitReader.exe\" or\n file.name : \"FoxitReaderUpdater.exe\" or\n file.name : \"AcroRd32.exe\" or\n file.name : \"rdrcef.exe\")\n ] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "1defdd62-cd8d-426e-a246-81a37751bb2b", "severity": "high", 
"tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "type": "eql", "version": 107}, "id": "1defdd62-cd8d-426e-a246-81a37751bb2b_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_108.json b/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_108.json
deleted file mode 100644
index c0cd7e46105..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1defdd62-cd8d-426e-a246-81a37751bb2b_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious file that was written by a PDF reader application and subsequently executed. These processes are often launched via exploitation of PDF applications.", "from": "now-120m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Execution of File Written or Modified by PDF Reader", "note": "## Triage and analysis\n\n### Investigating Execution of File Written or Modified by PDF Reader\n\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\n\nThis rule searches for executable files written by PDF reader software and executed in sequence. This is most likely the result of exploitation for privilege escalation or initial access. This rule can also detect suspicious processes masquerading as PDF readers.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the PDF documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=2h\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and file.extension : \"exe\" and\n (process.name : \"AcroRd32.exe\" or\n process.name : \"rdrcef.exe\" or\n process.name : \"FoxitPhantomPDF.exe\" or\n process.name : \"FoxitReader.exe\") and\n not (file.name : \"FoxitPhantomPDF.exe\" or\n file.name : \"FoxitPhantomPDFUpdater.exe\" or\n file.name : \"FoxitReader.exe\" or\n file.name : \"FoxitReaderUpdater.exe\" or\n file.name : \"AcroRd32.exe\" or\n file.name : \"rdrcef.exe\")\n ] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "1defdd62-cd8d-426e-a246-81a37751bb2b", "severity": "high", 
"tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "type": "eql", "version": 108}, "id": "1defdd62-cd8d-426e-a246-81a37751bb2b_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1df1152b-610a-4f48-9d7a-504f6ee5d9da.json b/packages/security_detection_engine/kibana/security_rule/1df1152b-610a-4f48-9d7a-504f6ee5d9da.json
deleted file mode 100644
index 8afaf3a51b3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1df1152b-610a-4f48-9d7a-504f6ee5d9da.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from this rule should be investigated further, as hack tools are commonly used by blue teamers and system administrators as well.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Hack Tool Launched", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name in (\n // exploitation frameworks\n \"crackmapexec\", \"msfconsole\", \"msfvenom\", \"sliver-client\", \"sliver-server\", \"havoc\",\n // network scanners (nmap left out to reduce noise)\n \"zenmap\", \"nuclei\", \"netdiscover\", \"legion\",\n // web enumeration\n \"gobuster\", \"dirbuster\", \"dirb\", \"wfuzz\", \"ffuf\", \"whatweb\", \"eyewitness\",\n // web vulnerability scanning\n \"wpscan\", \"joomscan\", \"droopescan\", \"nikto\", \n // exploitation tools\n \"sqlmap\", \"commix\", \"yersinia\",\n // cracking and brute forcing\n \"john\", \"hashcat\", \"hydra\", \"ncrack\", \"cewl\", \"fcrackzip\", \"rainbowcrack\",\n // host and network\n \"linenum.sh\", \"linpeas.sh\", \"pspy32\", \"pspy32s\", \"pspy64\", \"pspy64s\", \"binwalk\", \"evil-winrm\"\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1df1152b-610a-4f48-9d7a-504f6ee5d9da", "setup": "## Setup\n\nThis rule requires data coming in from Elastic 
Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "1df1152b-610a-4f48-9d7a-504f6ee5d9da", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1df1152b-610a-4f48-9d7a-504f6ee5d9da_1.json b/packages/security_detection_engine/kibana/security_rule/1df1152b-610a-4f48-9d7a-504f6ee5d9da_1.json
deleted file mode 100644
index 1e74943459b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1df1152b-610a-4f48-9d7a-504f6ee5d9da_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from this rule should be investigated further, as hack tools are commonly used by blue teamers and system administrators as well.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Hack Tool Launched", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and\nprocess.name in (\n // exploitation frameworks\n \"crackmapexec\", \"msfconsole\", \"msfvenom\", \"sliver-client\", \"sliver-server\", \"havoc\",\n // network scanners (nmap left out to reduce noise)\n \"zenmap\", \"nuclei\", \"netdiscover\", \"legion\",\n // web enumeration\n \"gobuster\", \"dirbuster\", \"dirb\", \"wfuzz\", \"ffuf\", \"whatweb\", \"eyewitness\",\n // web vulnerability scanning\n \"wpscan\", \"joomscan\", \"droopescan\", \"nikto\", \n // exploitation tools\n \"sqlmap\", \"commix\", \"yersinia\",\n // cracking and brute forcing\n \"john\", \"hashcat\", \"hydra\", \"ncrack\", \"cewl\", \"fcrackzip\", \"rainbowcrack\",\n // host and network\n \"linenum.sh\", \"linpeas.sh\", \"pspy32\", \"pspy32s\", \"pspy64\", \"pspy64s\", \"binwalk\", \"evil-winrm\"\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1df1152b-610a-4f48-9d7a-504f6ee5d9da", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "1df1152b-610a-4f48-9d7a-504f6ee5d9da_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1df1152b-610a-4f48-9d7a-504f6ee5d9da_2.json b/packages/security_detection_engine/kibana/security_rule/1df1152b-610a-4f48-9d7a-504f6ee5d9da_2.json
deleted file mode 100644
index f2a1d82f0d3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1df1152b-610a-4f48-9d7a-504f6ee5d9da_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from this rule should be investigated further, as hack tools are commonly used by blue teamers and system administrators as well.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Hack Tool Launched", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and\nprocess.name in (\n // exploitation frameworks\n \"crackmapexec\", \"msfconsole\", \"msfvenom\", \"sliver-client\", \"sliver-server\", \"havoc\",\n // network scanners (nmap left out to reduce noise)\n \"zenmap\", \"nuclei\", \"netdiscover\", \"legion\",\n // web enumeration\n \"gobuster\", \"dirbuster\", \"dirb\", \"wfuzz\", \"ffuf\", \"whatweb\", \"eyewitness\",\n // web vulnerability scanning\n \"wpscan\", \"joomscan\", \"droopescan\", \"nikto\", \n // exploitation tools\n \"sqlmap\", \"commix\", \"yersinia\",\n // cracking and brute forcing\n \"john\", \"hashcat\", \"hydra\", \"ncrack\", \"cewl\", \"fcrackzip\", \"rainbowcrack\",\n // host and network\n \"linenum.sh\", \"linpeas.sh\", \"pspy32\", \"pspy32s\", \"pspy64\", \"pspy64s\", \"binwalk\", \"evil-winrm\"\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1df1152b-610a-4f48-9d7a-504f6ee5d9da", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "1df1152b-610a-4f48-9d7a-504f6ee5d9da_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1df1152b-610a-4f48-9d7a-504f6ee5d9da_3.json b/packages/security_detection_engine/kibana/security_rule/1df1152b-610a-4f48-9d7a-504f6ee5d9da_3.json
deleted file mode 100644
index 4d33cca8c4b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1df1152b-610a-4f48-9d7a-504f6ee5d9da_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the execution of different processes that might be used by attackers for malicious intent. An alert from this rule should be investigated further, as hack tools are commonly used by blue teamers and system administrators as well.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Hack Tool Launched", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name in (\n // exploitation frameworks\n \"crackmapexec\", \"msfconsole\", \"msfvenom\", \"sliver-client\", \"sliver-server\", \"havoc\",\n // network scanners (nmap left out to reduce noise)\n \"zenmap\", \"nuclei\", \"netdiscover\", \"legion\",\n // web enumeration\n \"gobuster\", \"dirbuster\", \"dirb\", \"wfuzz\", \"ffuf\", \"whatweb\", \"eyewitness\",\n // web vulnerability scanning\n \"wpscan\", \"joomscan\", \"droopescan\", \"nikto\", \n // exploitation tools\n \"sqlmap\", \"commix\", \"yersinia\",\n // cracking and brute forcing\n \"john\", \"hashcat\", \"hydra\", \"ncrack\", \"cewl\", \"fcrackzip\", \"rainbowcrack\",\n // host and network\n \"linenum.sh\", \"linpeas.sh\", \"pspy32\", \"pspy32s\", \"pspy64\", \"pspy64s\", \"binwalk\", \"evil-winrm\"\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1df1152b-610a-4f48-9d7a-504f6ee5d9da", "setup": "## Setup\n\nThis rule requires data coming in from Elastic 
Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "1df1152b-610a-4f48-9d7a-504f6ee5d9da_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be.json b/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be.json
deleted file mode 100644
index 08f01a5e279..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to discovery activities. Attackers can use these to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\*.ps?1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\Microsoft Azure AD Sync\\\\Extensions\\\\AADConnector.psm1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "*ServiceNow MID Server*\\\\agent\\\\scripts\\\\PowerShell\\\\*.psm1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\IMECache\\\\HealthScripts\\\\*\\\\detect.ps1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\TEMP\\\\SDIAG*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Temp\\\\SDIAG*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\SDIAG*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Monitoring Host Temporary Files*"}}}}], "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Discovery Capabilities", "query": "event.category:process and host.os.type:windows and\n 
powershell.file.script_block_text : (\n (\n \"Get-ADDefaultDomainPasswordPolicy\" or\n \"Get-ADDomain\" or \"Get-ComputerInfo\" or\n \"Get-Disk\" or \"Get-DnsClientCache\" or\n \"Get-GPOReport\" or \"Get-HotFix\" or\n \"Get-LocalUser\" or \"Get-NetFirewallProfile\" or\n \"get-nettcpconnection\" or \"Get-NetAdapter\" or\n \"Get-PhysicalDisk\" or \"Get-Process\" or\n \"Get-PSDrive\" or \"Get-Service\" or\n \"Get-SmbShare\" or \"Get-WinEvent\"\n ) or\n (\n (\"Get-WmiObject\" or \"gwmi\" or \"Get-CimInstance\" or\n \"gcim\" or \"Management.ManagementObjectSearcher\" or\n \"System.Management.ManagementClass\" or\n \"[WmiClass]\" or \"[WMI]\") and\n (\n \"AntiVirusProduct\" or \"CIM_BIOSElement\" or \"CIM_ComputerSystem\" or \"CIM_Product\" or \"CIM_DiskDrive\" or\n \"CIM_LogicalDisk\" or \"CIM_NetworkAdapter\" or \"CIM_StorageVolume\" or \"CIM_OperatingSystem\" or\n \"CIM_Process\" or \"CIM_Service\" or \"MSFT_DNSClientCache\" or \"Win32_BIOS\" or \"Win32_ComputerSystem\" or\n \"Win32_ComputerSystemProduct\" or \"Win32_DiskDrive\" or \"win32_environment\" or \"Win32_Group\" or\n \"Win32_groupuser\" or \"Win32_IP4RouteTable\" or \"Win32_logicaldisk\" or \"Win32_MappedLogicalDisk\" or\n \"Win32_NetworkAdapterConfiguration\" or \"win32_ntdomain\" or \"Win32_OperatingSystem\" or\n \"Win32_PnPEntity\" or \"Win32_Process\" or \"Win32_Product\" or \"Win32_quickfixengineering\" or\n \"win32_service\" or \"Win32_Share\" or \"Win32_UserAccount\"\n )\n ) or\n (\n (\"ADSI\" and \"WinNT\") or\n (\"Get-ChildItem\" and \"sysmondrv.sys\") or\n (\"::GetIPGlobalProperties()\" and \"GetActiveTcpConnections()\") or\n (\"ServiceProcess.ServiceController\" and \"::GetServices\") or\n (\"Diagnostics.Process\" and \"::GetProcesses\") or\n (\"DirectoryServices.Protocols.GroupPolicy\" and \".GetGPOReport()\") or\n (\"DirectoryServices.AccountManagement\" and \"PrincipalSearcher\") or\n (\"NetFwTypeLib.NetFwMgr\" and \"CurrentProfile\") or\n (\"NetworkInformation.NetworkInterface\" and 
\"GetAllNetworkInterfaces\") or\n (\"Automation.PSDriveInfo\") or\n (\"Microsoft.Win32.RegistryHive\")\n ) or\n (\n \"Get-ItemProperty\" and\n (\n \"\\Control\\SecurityProviders\\WDigest\" or\n \"\\microsoft\\windows\\currentversion\\explorer\\runmru\" or\n \"\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters\" or\n \"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\" or\n \"\\Microsoft\\Windows\\WindowsUpdate\" or\n \"Policies\\Microsoft\\Windows\\Installer\" or\n \"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\" or\n (\"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\" and \"EnableFirewall\") or\n (\"Microsoft\\Windows\\CurrentVersion\\Internet Settings\" and \"proxyEnable\")\n )\n ) or\n (\n (\"Directoryservices.Activedirectory\" or\n \"DirectoryServices.AccountManagement\") and \n (\n \"Domain Admins\" or \"DomainControllers\" or\n \"FindAllGlobalCatalogs\" or \"GetAllTrustRelationships\" or\n \"GetCurrentDomain\" or \"GetCurrentForest\"\n ) or\n \"DirectoryServices.DirectorySearcher\" and\n (\n \"samAccountType=805306368\" or\n \"samAccountType=805306369\" or\n \"objectCategory=group\" or\n \"objectCategory=groupPolicyContainer\" or\n \"objectCategory=site\" or\n \"objectCategory=subnet\" or\n \"objectClass=trustedDomain\"\n )\n ) or\n (\n \"Get-Process\" and\n (\n \"mcshield\" or \"windefend\" or \"savservice\" or\n \"TMCCSF\" or \"symantec antivirus\" or\n \"CSFalcon\" or \"TmPfw\" or \"kvoop\"\n )\n )\n ) and\n not powershell.file.script_block_text : (\n (\n \"__cmdletization_BindCommonParameters\" and\n \"Microsoft.PowerShell.Core\\Export-ModuleMember\" and\n \"Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter\"\n ) or\n \"CmdletsToExport=@(\\\"Add-Content\\\",\"\n ) and\n not user.id : (\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": 
"host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Discovery", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1083", "name": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083/"}, {"id": "T1615", "name": "Group Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1615/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": 
"https://attack.mitre.org/techniques/T1135/"}, {"id": "T1201", "name": "Password Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1201/"}, {"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}, {"id": "T1012", "name": "Query Registry", "reference": "https://attack.mitre.org/techniques/T1012/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1049", "name": "System Network Connections Discovery", "reference": "https://attack.mitre.org/techniques/T1049/"}, {"id": "T1007", "name": "System Service Discovery", "reference": "https://attack.mitre.org/techniques/T1007/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_1.json b/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_1.json
deleted file mode 100644
index 60c8e9c12d7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to discovery activities. Attackers can use these to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Discovery Capabilities", "note": "", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n (\"Get-ItemProperty\" or \"Get-Item\") and \"-Path\"\n ) or\n (\n \"Get-ADDefaultDomainPasswordPolicy\" or\n \"Get-ADDomain\" or \"Get-ComputerInfo\" or\n \"Get-Disk\" or \"Get-DnsClientCache\" or\n \"Get-GPOReport\" or \"Get-HotFix\" or\n \"Get-LocalUser\" or \"Get-NetFirewallProfile\" or\n \"get-nettcpconnection\" or \"Get-NetAdapter\" or\n \"Get-PhysicalDisk\" or \"Get-Process\" or\n \"Get-PSDrive\" or \"Get-Service\" or\n \"Get-SmbShare\" or \"Get-WinEvent\"\n ) or\n (\n (\"Get-WmiObject\" or \"gwmi\" or \"Get-CimInstance\" or\n \"gcim\" or \"Management.ManagementObjectSearcher\" or\n \"System.Management.ManagementClass\" or\n \"[WmiClass]\" or \"[WMI]\") and\n (\n \"AntiVirusProduct\" or \"CIM_BIOSElement\" or \"CIM_ComputerSystem\" or \"CIM_Product\" or \"CIM_DiskDrive\" or\n \"CIM_LogicalDisk\" or \"CIM_NetworkAdapter\" or \"CIM_StorageVolume\" or \"CIM_OperatingSystem\" or\n \"CIM_Process\" or \"CIM_Service\" or \"MSFT_DNSClientCache\" or \"Win32_BIOS\" or \"Win32_ComputerSystem\" or\n \"Win32_ComputerSystemProduct\" or \"Win32_DiskDrive\" or \"win32_environment\" or \"Win32_Group\" or\n \"Win32_groupuser\" or \"Win32_IP4RouteTable\" or \"Win32_logicaldisk\" or \"Win32_MappedLogicalDisk\" or\n \"Win32_NetworkAdapterConfiguration\" or \"win32_ntdomain\" or \"Win32_OperatingSystem\" or\n \"Win32_PnPEntity\" or 
\"Win32_Process\" or \"Win32_Product\" or \"Win32_quickfixengineering\" or\n \"win32_service\" or \"Win32_Share\" or \"Win32_UserAccount\"\n )\n ) or\n (\n (\"ADSI\" and \"WinNT\") or\n (\"Get-ChildItem\" and \"sysmondrv.sys\") or\n (\"::GetIPGlobalProperties()\" and \"GetActiveTcpConnections()\") or\n (\"ServiceProcess.ServiceController\" and \"::GetServices\") or\n (\"Diagnostics.Process\" and \"::GetProcesses\") or\n (\"DirectoryServices.Protocols.GroupPolicy\" and \".GetGPOReport()\") or\n (\"DirectoryServices.AccountManagement\" and \"PrincipalSearcher\") or\n (\"NetFwTypeLib.NetFwMgr\" and \"CurrentProfile\") or\n (\"NetworkInformation.NetworkInterface\" and \"GetAllNetworkInterfaces\") or\n (\"Automation.PSDriveInfo\") or\n (\"Microsoft.Win32.RegistryHive\")\n ) or\n (\n \"Get-ItemProperty\" and\n (\n \"\\Control\\SecurityProviders\\WDigest\" or\n \"\\microsoft\\windows\\currentversion\\explorer\\runmru\" or\n \"\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters\" or\n \"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\" or\n \"\\Microsoft\\Windows\\WindowsUpdate\" or\n \"Policies\\Microsoft\\Windows\\Installer\" or\n \"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\" or\n (\"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\" and \"EnableFirewall\") or\n (\"Microsoft\\Windows\\CurrentVersion\\Internet Settings\" and \"proxyEnable\")\n )\n ) or\n (\n (\"Directoryservices.Activedirectory\" or\n \"DirectoryServices.AccountManagement\") and \n (\n \"Domain Admins\" or \"DomainControllers\" or\n \"FindAllGlobalCatalogs\" or \"GetAllTrustRelationships\" or\n \"GetCurrentDomain\" or \"GetCurrentForest\"\n ) or\n \"DirectoryServices.DirectorySearcher\" and\n (\n \"samAccountType=805306368\" or\n \"samAccountType=805306369\" or\n \"objectCategory=group\" or\n \"objectCategory=groupPolicyContainer\" or\n \"objectCategory=site\" or\n \"objectCategory=subnet\" or\n \"objectClass=trustedDomain\"\n )\n ) or\n (\n \"Get-Process\" and\n 
(\n \"mcshield\" or \"windefend\" or \"savservice\" or\n \"TMCCSF\" or \"symantec antivirus\" or\n \"CSFalcon\" or \"TmPfw\" or \"kvoop\"\n )\n )\n ) and not user.id : (\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\")\n and not file.path : (*WindowsPowerShell*Modules*.psd1 or *WindowsPowerShell*Modules*.psm1)\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Discovery", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}, {"id": "T1482", "name": "Domain 
Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1083", "name": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083/"}, {"id": "T1615", "name": "Group Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1615/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}, {"id": "T1201", "name": "Password Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1201/"}, {"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}, {"id": "T1012", "name": "Query Registry", "reference": "https://attack.mitre.org/techniques/T1012/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1049", "name": "System Network Connections Discovery", "reference": "https://attack.mitre.org/techniques/T1049/"}, {"id": "T1007", "name": "System Service Discovery", "reference": "https://attack.mitre.org/techniques/T1007/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_1", "type": "security-rule"} \ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_106.json b/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_106.json
deleted file mode 100644
index fcf9d93a45c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to discovery activities. Attackers can use these to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\*.ps?1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\Microsoft Azure AD Sync\\\\Extensions\\\\AADConnector.psm1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "*ServiceNow MID Server*\\\\agent\\\\scripts\\\\PowerShell\\\\*.psm1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\IMECache\\\\HealthScripts\\\\*\\\\detect.ps1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\TEMP\\\\SDIAG*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Temp\\\\SDIAG*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\SDIAG*"}}}}], "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Discovery Capabilities", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"Get-ADDefaultDomainPasswordPolicy\" or\n \"Get-ADDomain\" or \"Get-ComputerInfo\" or\n \"Get-Disk\" or \"Get-DnsClientCache\" or\n \"Get-GPOReport\" or \"Get-HotFix\" or\n \"Get-LocalUser\" or 
\"Get-NetFirewallProfile\" or\n \"get-nettcpconnection\" or \"Get-NetAdapter\" or\n \"Get-PhysicalDisk\" or \"Get-Process\" or\n \"Get-PSDrive\" or \"Get-Service\" or\n \"Get-SmbShare\" or \"Get-WinEvent\"\n ) or\n (\n (\"Get-WmiObject\" or \"gwmi\" or \"Get-CimInstance\" or\n \"gcim\" or \"Management.ManagementObjectSearcher\" or\n \"System.Management.ManagementClass\" or\n \"[WmiClass]\" or \"[WMI]\") and\n (\n \"AntiVirusProduct\" or \"CIM_BIOSElement\" or \"CIM_ComputerSystem\" or \"CIM_Product\" or \"CIM_DiskDrive\" or\n \"CIM_LogicalDisk\" or \"CIM_NetworkAdapter\" or \"CIM_StorageVolume\" or \"CIM_OperatingSystem\" or\n \"CIM_Process\" or \"CIM_Service\" or \"MSFT_DNSClientCache\" or \"Win32_BIOS\" or \"Win32_ComputerSystem\" or\n \"Win32_ComputerSystemProduct\" or \"Win32_DiskDrive\" or \"win32_environment\" or \"Win32_Group\" or\n \"Win32_groupuser\" or \"Win32_IP4RouteTable\" or \"Win32_logicaldisk\" or \"Win32_MappedLogicalDisk\" or\n \"Win32_NetworkAdapterConfiguration\" or \"win32_ntdomain\" or \"Win32_OperatingSystem\" or\n \"Win32_PnPEntity\" or \"Win32_Process\" or \"Win32_Product\" or \"Win32_quickfixengineering\" or\n \"win32_service\" or \"Win32_Share\" or \"Win32_UserAccount\"\n )\n ) or\n (\n (\"ADSI\" and \"WinNT\") or\n (\"Get-ChildItem\" and \"sysmondrv.sys\") or\n (\"::GetIPGlobalProperties()\" and \"GetActiveTcpConnections()\") or\n (\"ServiceProcess.ServiceController\" and \"::GetServices\") or\n (\"Diagnostics.Process\" and \"::GetProcesses\") or\n (\"DirectoryServices.Protocols.GroupPolicy\" and \".GetGPOReport()\") or\n (\"DirectoryServices.AccountManagement\" and \"PrincipalSearcher\") or\n (\"NetFwTypeLib.NetFwMgr\" and \"CurrentProfile\") or\n (\"NetworkInformation.NetworkInterface\" and \"GetAllNetworkInterfaces\") or\n (\"Automation.PSDriveInfo\") or\n (\"Microsoft.Win32.RegistryHive\")\n ) or\n (\n \"Get-ItemProperty\" and\n (\n \"\\Control\\SecurityProviders\\WDigest\" or\n 
\"\\microsoft\\windows\\currentversion\\explorer\\runmru\" or\n \"\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters\" or\n \"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\" or\n \"\\Microsoft\\Windows\\WindowsUpdate\" or\n \"Policies\\Microsoft\\Windows\\Installer\" or\n \"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\" or\n (\"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\" and \"EnableFirewall\") or\n (\"Microsoft\\Windows\\CurrentVersion\\Internet Settings\" and \"proxyEnable\")\n )\n ) or\n (\n (\"Directoryservices.Activedirectory\" or\n \"DirectoryServices.AccountManagement\") and \n (\n \"Domain Admins\" or \"DomainControllers\" or\n \"FindAllGlobalCatalogs\" or \"GetAllTrustRelationships\" or\n \"GetCurrentDomain\" or \"GetCurrentForest\"\n ) or\n \"DirectoryServices.DirectorySearcher\" and\n (\n \"samAccountType=805306368\" or\n \"samAccountType=805306369\" or\n \"objectCategory=group\" or\n \"objectCategory=groupPolicyContainer\" or\n \"objectCategory=site\" or\n \"objectCategory=subnet\" or\n \"objectClass=trustedDomain\"\n )\n ) or\n (\n \"Get-Process\" and\n (\n \"mcshield\" or \"windefend\" or \"savservice\" or\n \"TMCCSF\" or \"symantec antivirus\" or\n \"CSFalcon\" or \"TmPfw\" or \"kvoop\"\n )\n )\n ) and\n not powershell.file.script_block_text : (\n (\n \"__cmdletization_BindCommonParameters\" and\n \"Microsoft.PowerShell.Core\\Export-ModuleMember\" and\n \"Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter\"\n ) or\n \"CmdletsToExport=@(\\\"Add-Content\\\",\"\n ) and\n not user.id : (\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": 
"1e0a3f7c-21e7-4bb1-98c7-2036612fb1be", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Discovery", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1083", "name": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083/"}, {"id": "T1615", "name": "Group Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1615/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}, {"id": "T1201", "name": "Password Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1201/"}, {"id": "T1057", "name": "Process Discovery", "reference": 
"https://attack.mitre.org/techniques/T1057/"}, {"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}, {"id": "T1012", "name": "Query Registry", "reference": "https://attack.mitre.org/techniques/T1012/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1049", "name": "System Network Connections Discovery", "reference": "https://attack.mitre.org/techniques/T1049/"}, {"id": "T1007", "name": "System Service Discovery", "reference": "https://attack.mitre.org/techniques/T1007/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_107.json b/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_107.json
deleted file mode 100644
index ba70db7ae64..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to discovery activities. Attackers can use these to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\*.ps?1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\Microsoft Azure AD Sync\\\\Extensions\\\\AADConnector.psm1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "*ServiceNow MID Server*\\\\agent\\\\scripts\\\\PowerShell\\\\*.psm1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\IMECache\\\\HealthScripts\\\\*\\\\detect.ps1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\TEMP\\\\SDIAG*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Temp\\\\SDIAG*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\SDIAG*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Monitoring Host Temporary Files*"}}}}], "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Discovery Capabilities", "query": "event.category:process and host.os.type:windows and\n 
powershell.file.script_block_text : (\n (\n \"Get-ADDefaultDomainPasswordPolicy\" or\n \"Get-ADDomain\" or \"Get-ComputerInfo\" or\n \"Get-Disk\" or \"Get-DnsClientCache\" or\n \"Get-GPOReport\" or \"Get-HotFix\" or\n \"Get-LocalUser\" or \"Get-NetFirewallProfile\" or\n \"get-nettcpconnection\" or \"Get-NetAdapter\" or\n \"Get-PhysicalDisk\" or \"Get-Process\" or\n \"Get-PSDrive\" or \"Get-Service\" or\n \"Get-SmbShare\" or \"Get-WinEvent\"\n ) or\n (\n (\"Get-WmiObject\" or \"gwmi\" or \"Get-CimInstance\" or\n \"gcim\" or \"Management.ManagementObjectSearcher\" or\n \"System.Management.ManagementClass\" or\n \"[WmiClass]\" or \"[WMI]\") and\n (\n \"AntiVirusProduct\" or \"CIM_BIOSElement\" or \"CIM_ComputerSystem\" or \"CIM_Product\" or \"CIM_DiskDrive\" or\n \"CIM_LogicalDisk\" or \"CIM_NetworkAdapter\" or \"CIM_StorageVolume\" or \"CIM_OperatingSystem\" or\n \"CIM_Process\" or \"CIM_Service\" or \"MSFT_DNSClientCache\" or \"Win32_BIOS\" or \"Win32_ComputerSystem\" or\n \"Win32_ComputerSystemProduct\" or \"Win32_DiskDrive\" or \"win32_environment\" or \"Win32_Group\" or\n \"Win32_groupuser\" or \"Win32_IP4RouteTable\" or \"Win32_logicaldisk\" or \"Win32_MappedLogicalDisk\" or\n \"Win32_NetworkAdapterConfiguration\" or \"win32_ntdomain\" or \"Win32_OperatingSystem\" or\n \"Win32_PnPEntity\" or \"Win32_Process\" or \"Win32_Product\" or \"Win32_quickfixengineering\" or\n \"win32_service\" or \"Win32_Share\" or \"Win32_UserAccount\"\n )\n ) or\n (\n (\"ADSI\" and \"WinNT\") or\n (\"Get-ChildItem\" and \"sysmondrv.sys\") or\n (\"::GetIPGlobalProperties()\" and \"GetActiveTcpConnections()\") or\n (\"ServiceProcess.ServiceController\" and \"::GetServices\") or\n (\"Diagnostics.Process\" and \"::GetProcesses\") or\n (\"DirectoryServices.Protocols.GroupPolicy\" and \".GetGPOReport()\") or\n (\"DirectoryServices.AccountManagement\" and \"PrincipalSearcher\") or\n (\"NetFwTypeLib.NetFwMgr\" and \"CurrentProfile\") or\n (\"NetworkInformation.NetworkInterface\" and 
\"GetAllNetworkInterfaces\") or\n (\"Automation.PSDriveInfo\") or\n (\"Microsoft.Win32.RegistryHive\")\n ) or\n (\n \"Get-ItemProperty\" and\n (\n \"\\Control\\SecurityProviders\\WDigest\" or\n \"\\microsoft\\windows\\currentversion\\explorer\\runmru\" or\n \"\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters\" or\n \"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\" or\n \"\\Microsoft\\Windows\\WindowsUpdate\" or\n \"Policies\\Microsoft\\Windows\\Installer\" or\n \"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\" or\n (\"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\" and \"EnableFirewall\") or\n (\"Microsoft\\Windows\\CurrentVersion\\Internet Settings\" and \"proxyEnable\")\n )\n ) or\n (\n (\"Directoryservices.Activedirectory\" or\n \"DirectoryServices.AccountManagement\") and \n (\n \"Domain Admins\" or \"DomainControllers\" or\n \"FindAllGlobalCatalogs\" or \"GetAllTrustRelationships\" or\n \"GetCurrentDomain\" or \"GetCurrentForest\"\n ) or\n \"DirectoryServices.DirectorySearcher\" and\n (\n \"samAccountType=805306368\" or\n \"samAccountType=805306369\" or\n \"objectCategory=group\" or\n \"objectCategory=groupPolicyContainer\" or\n \"objectCategory=site\" or\n \"objectCategory=subnet\" or\n \"objectClass=trustedDomain\"\n )\n ) or\n (\n \"Get-Process\" and\n (\n \"mcshield\" or \"windefend\" or \"savservice\" or\n \"TMCCSF\" or \"symantec antivirus\" or\n \"CSFalcon\" or \"TmPfw\" or \"kvoop\"\n )\n )\n ) and\n not powershell.file.script_block_text : (\n (\n \"__cmdletization_BindCommonParameters\" and\n \"Microsoft.PowerShell.Core\\Export-ModuleMember\" and\n \"Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter\"\n ) or\n \"CmdletsToExport=@(\\\"Add-Content\\\",\"\n ) and\n not user.id : (\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": 
"host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Discovery", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1083", "name": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083/"}, {"id": "T1615", "name": "Group Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1615/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": 
"https://attack.mitre.org/techniques/T1135/"}, {"id": "T1201", "name": "Password Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1201/"}, {"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}, {"id": "T1012", "name": "Query Registry", "reference": "https://attack.mitre.org/techniques/T1012/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1049", "name": "System Network Connections Discovery", "reference": "https://attack.mitre.org/techniques/T1049/"}, {"id": "T1007", "name": "System Service Discovery", "reference": "https://attack.mitre.org/techniques/T1007/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_108.json b/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_108.json
deleted file mode 100644
index 9b9d78ec603..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to discovery activities. Attackers can use these to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\*.ps?1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\Microsoft Azure AD Sync\\\\Extensions\\\\AADConnector.psm1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "*ServiceNow MID Server*\\\\agent\\\\scripts\\\\PowerShell\\\\*.psm1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\IMECache\\\\HealthScripts\\\\*\\\\detect.ps1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\TEMP\\\\SDIAG*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Temp\\\\SDIAG*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\SDIAG*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Monitoring Host Temporary Files*"}}}}], "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Discovery Capabilities", "query": "event.category:process and host.os.type:windows and\n 
powershell.file.script_block_text : (\n (\n \"Get-ADDefaultDomainPasswordPolicy\" or\n \"Get-ADDomain\" or \"Get-ComputerInfo\" or\n \"Get-Disk\" or \"Get-DnsClientCache\" or\n \"Get-GPOReport\" or \"Get-HotFix\" or\n \"Get-LocalUser\" or \"Get-NetFirewallProfile\" or\n \"get-nettcpconnection\" or \"Get-NetAdapter\" or\n \"Get-PhysicalDisk\" or \"Get-Process\" or\n \"Get-PSDrive\" or \"Get-Service\" or\n \"Get-SmbShare\" or \"Get-WinEvent\"\n ) or\n (\n (\"Get-WmiObject\" or \"gwmi\" or \"Get-CimInstance\" or\n \"gcim\" or \"Management.ManagementObjectSearcher\" or\n \"System.Management.ManagementClass\" or\n \"[WmiClass]\" or \"[WMI]\") and\n (\n \"AntiVirusProduct\" or \"CIM_BIOSElement\" or \"CIM_ComputerSystem\" or \"CIM_Product\" or \"CIM_DiskDrive\" or\n \"CIM_LogicalDisk\" or \"CIM_NetworkAdapter\" or \"CIM_StorageVolume\" or \"CIM_OperatingSystem\" or\n \"CIM_Process\" or \"CIM_Service\" or \"MSFT_DNSClientCache\" or \"Win32_BIOS\" or \"Win32_ComputerSystem\" or\n \"Win32_ComputerSystemProduct\" or \"Win32_DiskDrive\" or \"win32_environment\" or \"Win32_Group\" or\n \"Win32_groupuser\" or \"Win32_IP4RouteTable\" or \"Win32_logicaldisk\" or \"Win32_MappedLogicalDisk\" or\n \"Win32_NetworkAdapterConfiguration\" or \"win32_ntdomain\" or \"Win32_OperatingSystem\" or\n \"Win32_PnPEntity\" or \"Win32_Process\" or \"Win32_Product\" or \"Win32_quickfixengineering\" or\n \"win32_service\" or \"Win32_Share\" or \"Win32_UserAccount\"\n )\n ) or\n (\n (\"ADSI\" and \"WinNT\") or\n (\"Get-ChildItem\" and \"sysmondrv.sys\") or\n (\"::GetIPGlobalProperties()\" and \"GetActiveTcpConnections()\") or\n (\"ServiceProcess.ServiceController\" and \"::GetServices\") or\n (\"Diagnostics.Process\" and \"::GetProcesses\") or\n (\"DirectoryServices.Protocols.GroupPolicy\" and \".GetGPOReport()\") or\n (\"DirectoryServices.AccountManagement\" and \"PrincipalSearcher\") or\n (\"NetFwTypeLib.NetFwMgr\" and \"CurrentProfile\") or\n (\"NetworkInformation.NetworkInterface\" and 
\"GetAllNetworkInterfaces\") or\n (\"Automation.PSDriveInfo\") or\n (\"Microsoft.Win32.RegistryHive\")\n ) or\n (\n \"Get-ItemProperty\" and\n (\n \"\\Control\\SecurityProviders\\WDigest\" or\n \"\\microsoft\\windows\\currentversion\\explorer\\runmru\" or\n \"\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters\" or\n \"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\" or\n \"\\Microsoft\\Windows\\WindowsUpdate\" or\n \"Policies\\Microsoft\\Windows\\Installer\" or\n \"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\" or\n (\"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\" and \"EnableFirewall\") or\n (\"Microsoft\\Windows\\CurrentVersion\\Internet Settings\" and \"proxyEnable\")\n )\n ) or\n (\n (\"Directoryservices.Activedirectory\" or\n \"DirectoryServices.AccountManagement\") and \n (\n \"Domain Admins\" or \"DomainControllers\" or\n \"FindAllGlobalCatalogs\" or \"GetAllTrustRelationships\" or\n \"GetCurrentDomain\" or \"GetCurrentForest\"\n ) or\n \"DirectoryServices.DirectorySearcher\" and\n (\n \"samAccountType=805306368\" or\n \"samAccountType=805306369\" or\n \"objectCategory=group\" or\n \"objectCategory=groupPolicyContainer\" or\n \"objectCategory=site\" or\n \"objectCategory=subnet\" or\n \"objectClass=trustedDomain\"\n )\n ) or\n (\n \"Get-Process\" and\n (\n \"mcshield\" or \"windefend\" or \"savservice\" or\n \"TMCCSF\" or \"symantec antivirus\" or\n \"CSFalcon\" or \"TmPfw\" or \"kvoop\"\n )\n )\n ) and\n not powershell.file.script_block_text : (\n (\n \"__cmdletization_BindCommonParameters\" and\n \"Microsoft.PowerShell.Core\\Export-ModuleMember\" and\n \"Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter\"\n ) or\n \"CmdletsToExport=@(\\\"Add-Content\\\",\"\n ) and\n not user.id : (\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\")\n", "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": 
"host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Discovery", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1083", "name": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083/"}, {"id": "T1615", "name": "Group Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1615/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": 
"https://attack.mitre.org/techniques/T1135/"}, {"id": "T1201", "name": "Password Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1201/"}, {"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}, {"id": "T1012", "name": "Query Registry", "reference": "https://attack.mitre.org/techniques/T1012/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1049", "name": "System Network Connections Discovery", "reference": "https://attack.mitre.org/techniques/T1049/"}, {"id": "T1007", "name": "System Service Discovery", "reference": "https://attack.mitre.org/techniques/T1007/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_2.json b/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_2.json
deleted file mode 100644
index ea5b4b094dc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to discovery activities. Attackers can use these to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Discovery Capabilities", "note": "", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n (\"Get-ItemProperty\" or \"Get-Item\") and \"-Path\"\n ) or\n (\n \"Get-ADDefaultDomainPasswordPolicy\" or\n \"Get-ADDomain\" or \"Get-ComputerInfo\" or\n \"Get-Disk\" or \"Get-DnsClientCache\" or\n \"Get-GPOReport\" or \"Get-HotFix\" or\n \"Get-LocalUser\" or \"Get-NetFirewallProfile\" or\n \"get-nettcpconnection\" or \"Get-NetAdapter\" or\n \"Get-PhysicalDisk\" or \"Get-Process\" or\n \"Get-PSDrive\" or \"Get-Service\" or\n \"Get-SmbShare\" or \"Get-WinEvent\"\n ) or\n (\n (\"Get-WmiObject\" or \"gwmi\" or \"Get-CimInstance\" or\n \"gcim\" or \"Management.ManagementObjectSearcher\" or\n \"System.Management.ManagementClass\" or\n \"[WmiClass]\" or \"[WMI]\") and\n (\n \"AntiVirusProduct\" or \"CIM_BIOSElement\" or \"CIM_ComputerSystem\" or \"CIM_Product\" or \"CIM_DiskDrive\" or\n \"CIM_LogicalDisk\" or \"CIM_NetworkAdapter\" or \"CIM_StorageVolume\" or \"CIM_OperatingSystem\" or\n \"CIM_Process\" or \"CIM_Service\" or \"MSFT_DNSClientCache\" or \"Win32_BIOS\" or \"Win32_ComputerSystem\" or\n \"Win32_ComputerSystemProduct\" or \"Win32_DiskDrive\" or \"win32_environment\" or \"Win32_Group\" or\n \"Win32_groupuser\" or \"Win32_IP4RouteTable\" or \"Win32_logicaldisk\" or \"Win32_MappedLogicalDisk\" or\n \"Win32_NetworkAdapterConfiguration\" or \"win32_ntdomain\" or \"Win32_OperatingSystem\" or\n \"Win32_PnPEntity\" or 
\"Win32_Process\" or \"Win32_Product\" or \"Win32_quickfixengineering\" or\n \"win32_service\" or \"Win32_Share\" or \"Win32_UserAccount\"\n )\n ) or\n (\n (\"ADSI\" and \"WinNT\") or\n (\"Get-ChildItem\" and \"sysmondrv.sys\") or\n (\"::GetIPGlobalProperties()\" and \"GetActiveTcpConnections()\") or\n (\"ServiceProcess.ServiceController\" and \"::GetServices\") or\n (\"Diagnostics.Process\" and \"::GetProcesses\") or\n (\"DirectoryServices.Protocols.GroupPolicy\" and \".GetGPOReport()\") or\n (\"DirectoryServices.AccountManagement\" and \"PrincipalSearcher\") or\n (\"NetFwTypeLib.NetFwMgr\" and \"CurrentProfile\") or\n (\"NetworkInformation.NetworkInterface\" and \"GetAllNetworkInterfaces\") or\n (\"Automation.PSDriveInfo\") or\n (\"Microsoft.Win32.RegistryHive\")\n ) or\n (\n \"Get-ItemProperty\" and\n (\n \"\\Control\\SecurityProviders\\WDigest\" or\n \"\\microsoft\\windows\\currentversion\\explorer\\runmru\" or\n \"\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters\" or\n \"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\" or\n \"\\Microsoft\\Windows\\WindowsUpdate\" or\n \"Policies\\Microsoft\\Windows\\Installer\" or\n \"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\" or\n (\"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\" and \"EnableFirewall\") or\n (\"Microsoft\\Windows\\CurrentVersion\\Internet Settings\" and \"proxyEnable\")\n )\n ) or\n (\n (\"Directoryservices.Activedirectory\" or\n \"DirectoryServices.AccountManagement\") and \n (\n \"Domain Admins\" or \"DomainControllers\" or\n \"FindAllGlobalCatalogs\" or \"GetAllTrustRelationships\" or\n \"GetCurrentDomain\" or \"GetCurrentForest\"\n ) or\n \"DirectoryServices.DirectorySearcher\" and\n (\n \"samAccountType=805306368\" or\n \"samAccountType=805306369\" or\n \"objectCategory=group\" or\n \"objectCategory=groupPolicyContainer\" or\n \"objectCategory=site\" or\n \"objectCategory=subnet\" or\n \"objectClass=trustedDomain\"\n )\n ) or\n (\n \"Get-Process\" and\n 
(\n \"mcshield\" or \"windefend\" or \"savservice\" or\n \"TMCCSF\" or \"symantec antivirus\" or\n \"CSFalcon\" or \"TmPfw\" or \"kvoop\"\n )\n )\n ) and not user.id : (\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\")\n and not file.path : (\n *WindowsPowerShell*Modules*.psd1 or\n *WindowsPowerShell*Modules*.psm1 or \n \"C:\\\\Program Files\\\\Microsoft Azure AD Sync\\\\Extensions\\\\AADConnector.psm1\"\n )\n and not (file.path : (\n *Windows*TEMP*SDIAG* or\n *WINDOWS*TEMP*SDIAG* or\n *windows*TEMP*SDIAG*) and file.name : \"CL_Utility.ps1\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Discovery", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1087", "name": "Account Discovery", "reference": 
"https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1083", "name": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083/"}, {"id": "T1615", "name": "Group Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1615/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}, {"id": "T1201", "name": "Password Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1201/"}, {"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}, {"id": "T1012", "name": "Query Registry", "reference": "https://attack.mitre.org/techniques/T1012/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1049", "name": "System Network Connections Discovery", "reference": "https://attack.mitre.org/techniques/T1049/"}, {"id": "T1007", "name": "System Service Discovery", "reference": "https://attack.mitre.org/techniques/T1007/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": 
"https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_3.json b/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_3.json
deleted file mode 100644
index 2057532cb78..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to discovery activities. Attackers can use these to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Discovery Capabilities", "note": "", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n (\"Get-ItemProperty\" or \"Get-Item\") and \"-Path\"\n ) or\n (\n \"Get-ADDefaultDomainPasswordPolicy\" or\n \"Get-ADDomain\" or \"Get-ComputerInfo\" or\n \"Get-Disk\" or \"Get-DnsClientCache\" or\n \"Get-GPOReport\" or \"Get-HotFix\" or\n \"Get-LocalUser\" or \"Get-NetFirewallProfile\" or\n \"get-nettcpconnection\" or \"Get-NetAdapter\" or\n \"Get-PhysicalDisk\" or \"Get-Process\" or\n \"Get-PSDrive\" or \"Get-Service\" or\n \"Get-SmbShare\" or \"Get-WinEvent\"\n ) or\n (\n (\"Get-WmiObject\" or \"gwmi\" or \"Get-CimInstance\" or\n \"gcim\" or \"Management.ManagementObjectSearcher\" or\n \"System.Management.ManagementClass\" or\n \"[WmiClass]\" or \"[WMI]\") and\n (\n \"AntiVirusProduct\" or \"CIM_BIOSElement\" or \"CIM_ComputerSystem\" or \"CIM_Product\" or \"CIM_DiskDrive\" or\n \"CIM_LogicalDisk\" or \"CIM_NetworkAdapter\" or \"CIM_StorageVolume\" or \"CIM_OperatingSystem\" or\n \"CIM_Process\" or \"CIM_Service\" or \"MSFT_DNSClientCache\" or \"Win32_BIOS\" or \"Win32_ComputerSystem\" or\n \"Win32_ComputerSystemProduct\" or \"Win32_DiskDrive\" or \"win32_environment\" or \"Win32_Group\" or\n \"Win32_groupuser\" or \"Win32_IP4RouteTable\" or \"Win32_logicaldisk\" or \"Win32_MappedLogicalDisk\" or\n \"Win32_NetworkAdapterConfiguration\" or \"win32_ntdomain\" or \"Win32_OperatingSystem\" or\n \"Win32_PnPEntity\" or 
\"Win32_Process\" or \"Win32_Product\" or \"Win32_quickfixengineering\" or\n \"win32_service\" or \"Win32_Share\" or \"Win32_UserAccount\"\n )\n ) or\n (\n (\"ADSI\" and \"WinNT\") or\n (\"Get-ChildItem\" and \"sysmondrv.sys\") or\n (\"::GetIPGlobalProperties()\" and \"GetActiveTcpConnections()\") or\n (\"ServiceProcess.ServiceController\" and \"::GetServices\") or\n (\"Diagnostics.Process\" and \"::GetProcesses\") or\n (\"DirectoryServices.Protocols.GroupPolicy\" and \".GetGPOReport()\") or\n (\"DirectoryServices.AccountManagement\" and \"PrincipalSearcher\") or\n (\"NetFwTypeLib.NetFwMgr\" and \"CurrentProfile\") or\n (\"NetworkInformation.NetworkInterface\" and \"GetAllNetworkInterfaces\") or\n (\"Automation.PSDriveInfo\") or\n (\"Microsoft.Win32.RegistryHive\")\n ) or\n (\n \"Get-ItemProperty\" and\n (\n \"\\Control\\SecurityProviders\\WDigest\" or\n \"\\microsoft\\windows\\currentversion\\explorer\\runmru\" or\n \"\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters\" or\n \"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\" or\n \"\\Microsoft\\Windows\\WindowsUpdate\" or\n \"Policies\\Microsoft\\Windows\\Installer\" or\n \"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\" or\n (\"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\" and \"EnableFirewall\") or\n (\"Microsoft\\Windows\\CurrentVersion\\Internet Settings\" and \"proxyEnable\")\n )\n ) or\n (\n (\"Directoryservices.Activedirectory\" or\n \"DirectoryServices.AccountManagement\") and \n (\n \"Domain Admins\" or \"DomainControllers\" or\n \"FindAllGlobalCatalogs\" or \"GetAllTrustRelationships\" or\n \"GetCurrentDomain\" or \"GetCurrentForest\"\n ) or\n \"DirectoryServices.DirectorySearcher\" and\n (\n \"samAccountType=805306368\" or\n \"samAccountType=805306369\" or\n \"objectCategory=group\" or\n \"objectCategory=groupPolicyContainer\" or\n \"objectCategory=site\" or\n \"objectCategory=subnet\" or\n \"objectClass=trustedDomain\"\n )\n ) or\n (\n \"Get-Process\" and\n 
(\n \"mcshield\" or \"windefend\" or \"savservice\" or\n \"TMCCSF\" or \"symantec antivirus\" or\n \"CSFalcon\" or \"TmPfw\" or \"kvoop\"\n )\n )\n ) and\n not user.id : (\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\") and\n not file.path : (\n ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\*.psd1 or\n ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\*.psm1 or\n ?\\:\\\\\\\\Program?Files\\\\\\\\Microsoft?Azure?AD?Sync\\\\\\\\Extensions\\\\\\\\AADConnector.psm1* or\n *ServiceNow?MID?Server*agent\\\\\\\\scripts\\\\\\\\PowerShell\\\\\\\\*.psm1 or\n ?\\:\\\\\\\\*\\\\\\\\IMECache\\\\\\\\HealthScripts\\\\\\\\*\\\\\\\\detect.ps1\n ) and\n not (\n file.path : (\n ?\\:\\\\\\\\*\\\\\\\\TEMP\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\TEMP\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\Temp\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\temp\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*\\\\\\\\SDIAG*\n ) and file.name : \"CL_Utility.ps1\"\n )\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Discovery", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1083", "name": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083/"}, {"id": "T1615", "name": "Group Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1615/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}, {"id": "T1201", "name": "Password Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1201/"}, {"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}, {"id": "T1012", "name": "Query Registry", "reference": "https://attack.mitre.org/techniques/T1012/"}, {"id": "T1082", "name": "System Information 
Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1049", "name": "System Network Connections Discovery", "reference": "https://attack.mitre.org/techniques/T1049/"}, {"id": "T1007", "name": "System Service Discovery", "reference": "https://attack.mitre.org/techniques/T1007/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_4.json b/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_4.json
deleted file mode 100644
index ef96e0f29c3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to discovery activities. Attackers can use these to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Discovery Capabilities", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n (\"Get-ItemProperty\" or \"Get-Item\") and \"-Path\"\n ) or\n (\n \"Get-ADDefaultDomainPasswordPolicy\" or\n \"Get-ADDomain\" or \"Get-ComputerInfo\" or\n \"Get-Disk\" or \"Get-DnsClientCache\" or\n \"Get-GPOReport\" or \"Get-HotFix\" or\n \"Get-LocalUser\" or \"Get-NetFirewallProfile\" or\n \"get-nettcpconnection\" or \"Get-NetAdapter\" or\n \"Get-PhysicalDisk\" or \"Get-Process\" or\n \"Get-PSDrive\" or \"Get-Service\" or\n \"Get-SmbShare\" or \"Get-WinEvent\"\n ) or\n (\n (\"Get-WmiObject\" or \"gwmi\" or \"Get-CimInstance\" or\n \"gcim\" or \"Management.ManagementObjectSearcher\" or\n \"System.Management.ManagementClass\" or\n \"[WmiClass]\" or \"[WMI]\") and\n (\n \"AntiVirusProduct\" or \"CIM_BIOSElement\" or \"CIM_ComputerSystem\" or \"CIM_Product\" or \"CIM_DiskDrive\" or\n \"CIM_LogicalDisk\" or \"CIM_NetworkAdapter\" or \"CIM_StorageVolume\" or \"CIM_OperatingSystem\" or\n \"CIM_Process\" or \"CIM_Service\" or \"MSFT_DNSClientCache\" or \"Win32_BIOS\" or \"Win32_ComputerSystem\" or\n \"Win32_ComputerSystemProduct\" or \"Win32_DiskDrive\" or \"win32_environment\" or \"Win32_Group\" or\n \"Win32_groupuser\" or \"Win32_IP4RouteTable\" or \"Win32_logicaldisk\" or \"Win32_MappedLogicalDisk\" or\n \"Win32_NetworkAdapterConfiguration\" or \"win32_ntdomain\" or \"Win32_OperatingSystem\" or\n \"Win32_PnPEntity\" or \"Win32_Process\" or 
\"Win32_Product\" or \"Win32_quickfixengineering\" or\n \"win32_service\" or \"Win32_Share\" or \"Win32_UserAccount\"\n )\n ) or\n (\n (\"ADSI\" and \"WinNT\") or\n (\"Get-ChildItem\" and \"sysmondrv.sys\") or\n (\"::GetIPGlobalProperties()\" and \"GetActiveTcpConnections()\") or\n (\"ServiceProcess.ServiceController\" and \"::GetServices\") or\n (\"Diagnostics.Process\" and \"::GetProcesses\") or\n (\"DirectoryServices.Protocols.GroupPolicy\" and \".GetGPOReport()\") or\n (\"DirectoryServices.AccountManagement\" and \"PrincipalSearcher\") or\n (\"NetFwTypeLib.NetFwMgr\" and \"CurrentProfile\") or\n (\"NetworkInformation.NetworkInterface\" and \"GetAllNetworkInterfaces\") or\n (\"Automation.PSDriveInfo\") or\n (\"Microsoft.Win32.RegistryHive\")\n ) or\n (\n \"Get-ItemProperty\" and\n (\n \"\\Control\\SecurityProviders\\WDigest\" or\n \"\\microsoft\\windows\\currentversion\\explorer\\runmru\" or\n \"\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters\" or\n \"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\" or\n \"\\Microsoft\\Windows\\WindowsUpdate\" or\n \"Policies\\Microsoft\\Windows\\Installer\" or\n \"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\" or\n (\"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\" and \"EnableFirewall\") or\n (\"Microsoft\\Windows\\CurrentVersion\\Internet Settings\" and \"proxyEnable\")\n )\n ) or\n (\n (\"Directoryservices.Activedirectory\" or\n \"DirectoryServices.AccountManagement\") and \n (\n \"Domain Admins\" or \"DomainControllers\" or\n \"FindAllGlobalCatalogs\" or \"GetAllTrustRelationships\" or\n \"GetCurrentDomain\" or \"GetCurrentForest\"\n ) or\n \"DirectoryServices.DirectorySearcher\" and\n (\n \"samAccountType=805306368\" or\n \"samAccountType=805306369\" or\n \"objectCategory=group\" or\n \"objectCategory=groupPolicyContainer\" or\n \"objectCategory=site\" or\n \"objectCategory=subnet\" or\n \"objectClass=trustedDomain\"\n )\n ) or\n (\n \"Get-Process\" and\n (\n \"mcshield\" or 
\"windefend\" or \"savservice\" or\n \"TMCCSF\" or \"symantec antivirus\" or\n \"CSFalcon\" or \"TmPfw\" or \"kvoop\"\n )\n )\n ) and\n not user.id : (\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\") and\n not file.path : (\n ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\*.psd1 or\n ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\*.psm1 or\n ?\\:\\\\\\\\Program?Files\\\\\\\\Microsoft?Azure?AD?Sync\\\\\\\\Extensions\\\\\\\\AADConnector.psm1* or\n *ServiceNow?MID?Server*agent\\\\\\\\scripts\\\\\\\\PowerShell\\\\\\\\*.psm1 or\n ?\\:\\\\\\\\*\\\\\\\\IMECache\\\\\\\\HealthScripts\\\\\\\\*\\\\\\\\detect.ps1\n ) and\n not (\n file.path : (\n ?\\:\\\\\\\\*\\\\\\\\TEMP\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\TEMP\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\Temp\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\temp\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*\\\\\\\\SDIAG*\n ) and file.name : \"CL_Utility.ps1\"\n )\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Discovery", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1083", "name": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083/"}, {"id": "T1615", "name": "Group Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1615/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}, {"id": "T1201", "name": "Password Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1201/"}, {"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}, {"id": "T1012", "name": "Query Registry", "reference": "https://attack.mitre.org/techniques/T1012/"}, {"id": "T1082", "name": "System Information 
Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1049", "name": "System Network Connections Discovery", "reference": "https://attack.mitre.org/techniques/T1049/"}, {"id": "T1007", "name": "System Service Discovery", "reference": "https://attack.mitre.org/techniques/T1007/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_5.json b/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_5.json
deleted file mode 100644
index dd666a3f786..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to discovery activities. Attackers can use these to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Discovery Capabilities", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"Get-ADDefaultDomainPasswordPolicy\" or\n \"Get-ADDomain\" or \"Get-ComputerInfo\" or\n \"Get-Disk\" or \"Get-DnsClientCache\" or\n \"Get-GPOReport\" or \"Get-HotFix\" or\n \"Get-LocalUser\" or \"Get-NetFirewallProfile\" or\n \"get-nettcpconnection\" or \"Get-NetAdapter\" or\n \"Get-PhysicalDisk\" or \"Get-Process\" or\n \"Get-PSDrive\" or \"Get-Service\" or\n \"Get-SmbShare\" or \"Get-WinEvent\"\n ) or\n (\n (\"Get-WmiObject\" or \"gwmi\" or \"Get-CimInstance\" or\n \"gcim\" or \"Management.ManagementObjectSearcher\" or\n \"System.Management.ManagementClass\" or\n \"[WmiClass]\" or \"[WMI]\") and\n (\n \"AntiVirusProduct\" or \"CIM_BIOSElement\" or \"CIM_ComputerSystem\" or \"CIM_Product\" or \"CIM_DiskDrive\" or\n \"CIM_LogicalDisk\" or \"CIM_NetworkAdapter\" or \"CIM_StorageVolume\" or \"CIM_OperatingSystem\" or\n \"CIM_Process\" or \"CIM_Service\" or \"MSFT_DNSClientCache\" or \"Win32_BIOS\" or \"Win32_ComputerSystem\" or\n \"Win32_ComputerSystemProduct\" or \"Win32_DiskDrive\" or \"win32_environment\" or \"Win32_Group\" or\n \"Win32_groupuser\" or \"Win32_IP4RouteTable\" or \"Win32_logicaldisk\" or \"Win32_MappedLogicalDisk\" or\n \"Win32_NetworkAdapterConfiguration\" or \"win32_ntdomain\" or \"Win32_OperatingSystem\" or\n \"Win32_PnPEntity\" or \"Win32_Process\" or \"Win32_Product\" or \"Win32_quickfixengineering\" or\n 
\"win32_service\" or \"Win32_Share\" or \"Win32_UserAccount\"\n )\n ) or\n (\n (\"ADSI\" and \"WinNT\") or\n (\"Get-ChildItem\" and \"sysmondrv.sys\") or\n (\"::GetIPGlobalProperties()\" and \"GetActiveTcpConnections()\") or\n (\"ServiceProcess.ServiceController\" and \"::GetServices\") or\n (\"Diagnostics.Process\" and \"::GetProcesses\") or\n (\"DirectoryServices.Protocols.GroupPolicy\" and \".GetGPOReport()\") or\n (\"DirectoryServices.AccountManagement\" and \"PrincipalSearcher\") or\n (\"NetFwTypeLib.NetFwMgr\" and \"CurrentProfile\") or\n (\"NetworkInformation.NetworkInterface\" and \"GetAllNetworkInterfaces\") or\n (\"Automation.PSDriveInfo\") or\n (\"Microsoft.Win32.RegistryHive\")\n ) or\n (\n \"Get-ItemProperty\" and\n (\n \"\\Control\\SecurityProviders\\WDigest\" or\n \"\\microsoft\\windows\\currentversion\\explorer\\runmru\" or\n \"\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters\" or\n \"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\" or\n \"\\Microsoft\\Windows\\WindowsUpdate\" or\n \"Policies\\Microsoft\\Windows\\Installer\" or\n \"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\" or\n (\"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\" and \"EnableFirewall\") or\n (\"Microsoft\\Windows\\CurrentVersion\\Internet Settings\" and \"proxyEnable\")\n )\n ) or\n (\n (\"Directoryservices.Activedirectory\" or\n \"DirectoryServices.AccountManagement\") and \n (\n \"Domain Admins\" or \"DomainControllers\" or\n \"FindAllGlobalCatalogs\" or \"GetAllTrustRelationships\" or\n \"GetCurrentDomain\" or \"GetCurrentForest\"\n ) or\n \"DirectoryServices.DirectorySearcher\" and\n (\n \"samAccountType=805306368\" or\n \"samAccountType=805306369\" or\n \"objectCategory=group\" or\n \"objectCategory=groupPolicyContainer\" or\n \"objectCategory=site\" or\n \"objectCategory=subnet\" or\n \"objectClass=trustedDomain\"\n )\n ) or\n (\n \"Get-Process\" and\n (\n \"mcshield\" or \"windefend\" or \"savservice\" or\n \"TMCCSF\" or 
\"symantec antivirus\" or\n \"CSFalcon\" or \"TmPfw\" or \"kvoop\"\n )\n )\n ) and\n not powershell.file.script_block_text : (\n (\n \"__cmdletization_BindCommonParameters\" and\n \"Microsoft.PowerShell.Core\\Export-ModuleMember\" and\n \"Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter\"\n ) or\n \"CmdletsToExport=@(\\\"Add-Content\\\",\"\n ) and\n not user.id : (\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\") and\n not file.path : (\n ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\*.psd1 or\n ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\*.psm1 or\n ?\\:\\\\\\\\Program?Files\\\\\\\\Microsoft?Azure?AD?Sync\\\\\\\\Extensions\\\\\\\\AADConnector.psm1* or\n *ServiceNow?MID?Server*agent\\\\\\\\scripts\\\\\\\\PowerShell\\\\\\\\*.psm1 or\n ?\\:\\\\\\\\*\\\\\\\\IMECache\\\\\\\\HealthScripts\\\\\\\\*\\\\\\\\detect.ps1\n ) and\n not (\n file.path : (\n ?\\:\\\\\\\\*\\\\\\\\TEMP\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\TEMP\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\Temp\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\temp\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*\\\\\\\\SDIAG*\n ) and file.name : \"CL_Utility.ps1\"\n )\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration 
>\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Discovery", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1083", "name": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083/"}, {"id": "T1615", "name": "Group Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1615/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}, {"id": "T1201", "name": "Password Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1201/"}, {"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": 
"https://attack.mitre.org/techniques/T1518/001/"}]}, {"id": "T1012", "name": "Query Registry", "reference": "https://attack.mitre.org/techniques/T1012/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1049", "name": "System Network Connections Discovery", "reference": "https://attack.mitre.org/techniques/T1049/"}, {"id": "T1007", "name": "System Service Discovery", "reference": "https://attack.mitre.org/techniques/T1007/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_6.json b/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_6.json deleted file mode 100644 index adf23bde380..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to discovery activities. Attackers can use these to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Discovery Capabilities", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"Get-ADDefaultDomainPasswordPolicy\" or\n \"Get-ADDomain\" or \"Get-ComputerInfo\" or\n \"Get-Disk\" or \"Get-DnsClientCache\" or\n \"Get-GPOReport\" or \"Get-HotFix\" or\n \"Get-LocalUser\" or \"Get-NetFirewallProfile\" or\n \"get-nettcpconnection\" or \"Get-NetAdapter\" or\n \"Get-PhysicalDisk\" or \"Get-Process\" or\n \"Get-PSDrive\" or \"Get-Service\" or\n \"Get-SmbShare\" or \"Get-WinEvent\"\n ) or\n (\n (\"Get-WmiObject\" or \"gwmi\" or \"Get-CimInstance\" or\n \"gcim\" or \"Management.ManagementObjectSearcher\" or\n \"System.Management.ManagementClass\" or\n \"[WmiClass]\" or \"[WMI]\") and\n (\n \"AntiVirusProduct\" or \"CIM_BIOSElement\" or \"CIM_ComputerSystem\" or \"CIM_Product\" or \"CIM_DiskDrive\" or\n \"CIM_LogicalDisk\" or \"CIM_NetworkAdapter\" or \"CIM_StorageVolume\" or \"CIM_OperatingSystem\" or\n \"CIM_Process\" or \"CIM_Service\" or \"MSFT_DNSClientCache\" or \"Win32_BIOS\" or \"Win32_ComputerSystem\" or\n \"Win32_ComputerSystemProduct\" or \"Win32_DiskDrive\" or \"win32_environment\" or \"Win32_Group\" or\n \"Win32_groupuser\" or \"Win32_IP4RouteTable\" or \"Win32_logicaldisk\" or \"Win32_MappedLogicalDisk\" or\n \"Win32_NetworkAdapterConfiguration\" or \"win32_ntdomain\" or \"Win32_OperatingSystem\" or\n \"Win32_PnPEntity\" or \"Win32_Process\" or \"Win32_Product\" or \"Win32_quickfixengineering\" or\n 
\"win32_service\" or \"Win32_Share\" or \"Win32_UserAccount\"\n )\n ) or\n (\n (\"ADSI\" and \"WinNT\") or\n (\"Get-ChildItem\" and \"sysmondrv.sys\") or\n (\"::GetIPGlobalProperties()\" and \"GetActiveTcpConnections()\") or\n (\"ServiceProcess.ServiceController\" and \"::GetServices\") or\n (\"Diagnostics.Process\" and \"::GetProcesses\") or\n (\"DirectoryServices.Protocols.GroupPolicy\" and \".GetGPOReport()\") or\n (\"DirectoryServices.AccountManagement\" and \"PrincipalSearcher\") or\n (\"NetFwTypeLib.NetFwMgr\" and \"CurrentProfile\") or\n (\"NetworkInformation.NetworkInterface\" and \"GetAllNetworkInterfaces\") or\n (\"Automation.PSDriveInfo\") or\n (\"Microsoft.Win32.RegistryHive\")\n ) or\n (\n \"Get-ItemProperty\" and\n (\n \"\\Control\\SecurityProviders\\WDigest\" or\n \"\\microsoft\\windows\\currentversion\\explorer\\runmru\" or\n \"\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters\" or\n \"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\" or\n \"\\Microsoft\\Windows\\WindowsUpdate\" or\n \"Policies\\Microsoft\\Windows\\Installer\" or\n \"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\" or\n (\"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\" and \"EnableFirewall\") or\n (\"Microsoft\\Windows\\CurrentVersion\\Internet Settings\" and \"proxyEnable\")\n )\n ) or\n (\n (\"Directoryservices.Activedirectory\" or\n \"DirectoryServices.AccountManagement\") and \n (\n \"Domain Admins\" or \"DomainControllers\" or\n \"FindAllGlobalCatalogs\" or \"GetAllTrustRelationships\" or\n \"GetCurrentDomain\" or \"GetCurrentForest\"\n ) or\n \"DirectoryServices.DirectorySearcher\" and\n (\n \"samAccountType=805306368\" or\n \"samAccountType=805306369\" or\n \"objectCategory=group\" or\n \"objectCategory=groupPolicyContainer\" or\n \"objectCategory=site\" or\n \"objectCategory=subnet\" or\n \"objectClass=trustedDomain\"\n )\n ) or\n (\n \"Get-Process\" and\n (\n \"mcshield\" or \"windefend\" or \"savservice\" or\n \"TMCCSF\" or 
\"symantec antivirus\" or\n \"CSFalcon\" or \"TmPfw\" or \"kvoop\"\n )\n )\n ) and\n not powershell.file.script_block_text : (\n (\n \"__cmdletization_BindCommonParameters\" and\n \"Microsoft.PowerShell.Core\\Export-ModuleMember\" and\n \"Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter\"\n ) or\n \"CmdletsToExport=@(\\\"Add-Content\\\",\"\n ) and\n not user.id : (\"S-1-5-18\" or \"S-1-5-19\" or \"S-1-5-20\") and\n not file.path : (\n ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\*.psd1 or\n ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\*.psm1 or\n ?\\:\\\\\\\\Program?Files\\\\\\\\Microsoft?Azure?AD?Sync\\\\\\\\Extensions\\\\\\\\AADConnector.psm1* or\n *ServiceNow?MID?Server*agent\\\\\\\\scripts\\\\\\\\PowerShell\\\\\\\\*.psm1 or\n ?\\:\\\\\\\\*\\\\\\\\IMECache\\\\\\\\HealthScripts\\\\\\\\*\\\\\\\\detect.ps1\n ) and\n not (\n file.path : (\n ?\\:\\\\\\\\*\\\\\\\\TEMP\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\TEMP\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\Temp\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\temp\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\SDIAG* or\n ?\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\*\\\\\\\\SDIAG*\n ) and file.name : \"CL_Utility.ps1\"\n )\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer 
Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Discovery", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1083", "name": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083/"}, {"id": "T1615", "name": "Group Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1615/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}, {"id": "T1201", "name": "Password Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1201/"}, {"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": 
"https://attack.mitre.org/techniques/T1518/001/"}]}, {"id": "T1012", "name": "Query Registry", "reference": "https://attack.mitre.org/techniques/T1012/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1049", "name": "System Network Connections Discovery", "reference": "https://attack.mitre.org/techniques/T1049/"}, {"id": "T1007", "name": "System Service Discovery", "reference": "https://attack.mitre.org/techniques/T1007/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 6}, "id": "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1e0b832e-957e-43ae-b319-db82d228c908.json b/packages/security_detection_engine/kibana/security_rule/1e0b832e-957e-43ae-b319-db82d228c908.json deleted file mode 100644 index 17b5e5f73e0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1e0b832e-957e-43ae-b319-db82d228c908.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.", "false_positives": ["It's recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Storage Account Key Regenerated", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\" and event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "1e0b832e-957e-43ae-b319-db82d228c908", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1528", "name": "Steal Application Access 
Token", "reference": "https://attack.mitre.org/techniques/T1528/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "1e0b832e-957e-43ae-b319-db82d228c908", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1e0b832e-957e-43ae-b319-db82d228c908_101.json b/packages/security_detection_engine/kibana/security_rule/1e0b832e-957e-43ae-b319-db82d228c908_101.json
deleted file mode 100644
index 130666e70a6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1e0b832e-957e-43ae-b319-db82d228c908_101.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a rotation to storage account access keys in Azure. Regenerating access keys can affect any applications or Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring credentials to access systems and resources.", "false_positives": ["It's recommended that you rotate your access keys periodically to help keep your storage account secure. Normal key rotation can be exempted from the rule. An abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Storage Account Key Regenerated", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION\" and event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "1e0b832e-957e-43ae-b319-db82d228c908", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1528", "name": "Steal Application Access Token", "reference": 
"https://attack.mitre.org/techniques/T1528/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "1e0b832e-957e-43ae-b319-db82d228c908_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc.json b/packages/security_detection_engine/kibana/security_rule/1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc.json deleted file mode 100644 index d7cfb900c52..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues because of the default permission (Any authenticated users) to create DNS-named records. Attackers can perform Dynamic Spoofing attacks, where they monitor LLMNR/NBT-NS requests and create DNS-named records to target systems that are requested from multiple systems. They can also create specific records to target specific services, such as wpad, for spoofing attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of a DNS-Named Record", "query": "any where host.os.type == \"windows\" and event.action in (\"Directory Service Changes\", \"directory-service-object-modified\") and\n event.code == \"5137\" and winlog.event_data.ObjectClass == \"dnsNode\" and\n not winlog.event_data.SubjectUserName : \"*$\"\n", "references": ["https://www.netspi.com/blog/technical/network-penetration-testing/adidns-revisited/", "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wpad-spoofing"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ObjectClass", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 21, "rule_id": "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, 
Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1557", "name": "Adversary-in-the-Middle", "reference": "https://attack.mitre.org/techniques/T1557/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc_1.json b/packages/security_detection_engine/kibana/security_rule/1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc_1.json deleted file mode 100644 index eca1c548bdd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues because of the default permission (Any authenticated users) to create DNS-named records. Attackers can perform Dynamic Spoofing attacks, where they monitor LLMNR/NBT-NS requests and create DNS-named records to target systems that are requested from multiple systems. They can also create specific records to target specific services, such as wpad, for spoofing attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of a DNS-Named Record", "query": "any where host.os.type == \"windows\" and event.action == \"Directory Service Changes\" and\n event.code == \"5137\" and winlog.event_data.ObjectClass == \"dnsNode\" and\n not winlog.event_data.SubjectUserName : \"*$\"\n", "references": ["https://www.netspi.com/blog/technical/network-penetration-testing/adidns-revisited/", "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wpad-spoofing"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ObjectClass", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 21, "rule_id": "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with 
Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1557", "name": "Adversary-in-the-Middle", "reference": "https://attack.mitre.org/techniques/T1557/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc_2.json b/packages/security_detection_engine/kibana/security_rule/1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc_2.json deleted file mode 100644 index 4ed2c74f216..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues because of the default permission (Any authenticated users) to create DNS-named records. Attackers can perform Dynamic Spoofing attacks, where they monitor LLMNR/NBT-NS requests and create DNS-named records to target systems that are requested from multiple systems. They can also create specific records to target specific services, such as wpad, for spoofing attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of a DNS-Named Record", "query": "any where host.os.type == \"windows\" and event.action in (\"Directory Service Changes\", \"directory-service-object-modified\") and\n event.code == \"5137\" and winlog.event_data.ObjectClass == \"dnsNode\" and\n not winlog.event_data.SubjectUserName : \"*$\"\n", "references": ["https://www.netspi.com/blog/technical/network-penetration-testing/adidns-revisited/", "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wpad-spoofing"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ObjectClass", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 21, "rule_id": "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, 
Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1557", "name": "Adversary-in-the-Middle", "reference": "https://attack.mitre.org/techniques/T1557/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc_3.json b/packages/security_detection_engine/kibana/security_rule/1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc_3.json deleted file mode 100644 index 32661e8f253..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues because of the default permission (Any authenticated users) to create DNS-named records. Attackers can perform Dynamic Spoofing attacks, where they monitor LLMNR/NBT-NS requests and create DNS-named records to target systems that are requested from multiple systems. They can also create specific records to target specific services, such as wpad, for spoofing attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of a DNS-Named Record", "query": "any where host.os.type == \"windows\" and event.action in (\"Directory Service Changes\", \"directory-service-object-modified\") and\n event.code == \"5137\" and winlog.event_data.ObjectClass == \"dnsNode\" and\n not winlog.event_data.SubjectUserName : \"*$\"\n", "references": ["https://www.netspi.com/blog/technical/network-penetration-testing/adidns-revisited/", "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wpad-spoofing"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ObjectClass", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 21, "rule_id": "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, 
Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1557", "name": "Adversary-in-the-Middle", "reference": "https://attack.mitre.org/techniques/T1557/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "1e1b2e7e-b8f5-45e5-addc-66cc1224ffbc_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb.json b/packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb.json deleted file mode 100644 index 43e11a1f43c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the suspicious creation of SettingContents-ms files, which have been used in attacks to achieve code execution while evading defenses.", "from": "now-9m", "index": ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of SettingContent-ms Files", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.extension : \"settingcontent-ms\" and\n not file.path : (\n \"?:\\\\*\\\\AppData\\\\Local\\\\Packages\\\\windows.immersivecontrolpanel_*\\\\LocalState\\\\Indexed\\\\Settings\\\\*\",\n \"\\\\Device\\\\HarddiskVolume*\\\\Windows\\\\WinSxS\\\\amd64_microsoft-windows-s..*\\\\*.settingcontent-ms\"\n )\n", "references": ["https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "1e6363a6-3af5-41d4-b7ea-d475389c0ceb", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "1e6363a6-3af5-41d4-b7ea-d475389c0ceb", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb_1.json b/packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb_1.json deleted file mode 100644 index 08dafadd8d8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the suspicious creation of SettingContents-ms files, which have been used in attacks to achieve code execution while evading defenses.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Creation of SettingContent-ms Files", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.extension : \"settingcontent-ms\"\n", "references": ["https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "1e6363a6-3af5-41d4-b7ea-d475389c0ceb", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", 
"version": 1}, "id": "1e6363a6-3af5-41d4-b7ea-d475389c0ceb_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb_2.json b/packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb_2.json deleted file mode 100644 index 58e406e4ac1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the suspicious creation of SettingContents-ms files, which have been used in attacks to achieve code execution while evading defenses.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Creation of SettingContent-ms Files", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.extension : \"settingcontent-ms\" and\n not file.path : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Packages\\\\windows.immersivecontrolpanel_*\\\\LocalState\\\\Indexed\\\\Settings\\\\*\"\n", "references": ["https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "1e6363a6-3af5-41d4-b7ea-d475389c0ceb", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": 
"https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "1e6363a6-3af5-41d4-b7ea-d475389c0ceb_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb_3.json b/packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb_3.json deleted file mode 100644 index 43dc6e6acbc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the suspicious creation of SettingContents-ms files, which have been used in attacks to achieve code execution while evading defenses.", "from": "now-9m", "index": ["logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of SettingContent-ms Files", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.extension : \"settingcontent-ms\" and\n not file.path : (\n \"?:\\\\*\\\\AppData\\\\Local\\\\Packages\\\\windows.immersivecontrolpanel_*\\\\LocalState\\\\Indexed\\\\Settings\\\\*\",\n \"\\\\Device\\\\HarddiskVolume*\\\\Windows\\\\WinSxS\\\\amd64_microsoft-windows-s..*\\\\*.settingcontent-ms\"\n )\n", "references": ["https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "1e6363a6-3af5-41d4-b7ea-d475389c0ceb", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, 
"technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "1e6363a6-3af5-41d4-b7ea-d475389c0ceb_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb_4.json b/packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb_4.json deleted file mode 100644 index 93fbac432cb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the suspicious creation of SettingContents-ms files, which have been used in attacks to achieve code execution while evading defenses.", "from": "now-9m", "index": ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of SettingContent-ms Files", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.extension : \"settingcontent-ms\" and\n not file.path : (\n \"?:\\\\*\\\\AppData\\\\Local\\\\Packages\\\\windows.immersivecontrolpanel_*\\\\LocalState\\\\Indexed\\\\Settings\\\\*\",\n \"\\\\Device\\\\HarddiskVolume*\\\\Windows\\\\WinSxS\\\\amd64_microsoft-windows-s..*\\\\*.settingcontent-ms\"\n )\n", "references": ["https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "1e6363a6-3af5-41d4-b7ea-d475389c0ceb", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "1e6363a6-3af5-41d4-b7ea-d475389c0ceb_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb_5.json b/packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb_5.json deleted file mode 100644 index 8dda3551355..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1e6363a6-3af5-41d4-b7ea-d475389c0ceb_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the suspicious creation of SettingContents-ms files, which have been used in attacks to achieve code execution while evading defenses.", "from": "now-9m", "index": ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of SettingContent-ms Files", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.extension : \"settingcontent-ms\" and\n not file.path : (\n \"?:\\\\*\\\\AppData\\\\Local\\\\Packages\\\\windows.immersivecontrolpanel_*\\\\LocalState\\\\Indexed\\\\Settings\\\\*\",\n \"\\\\Device\\\\HarddiskVolume*\\\\Windows\\\\WinSxS\\\\amd64_microsoft-windows-s..*\\\\*.settingcontent-ms\"\n )\n", "references": ["https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "1e6363a6-3af5-41d4-b7ea-d475389c0ceb", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "1e6363a6-3af5-41d4-b7ea-d475389c0ceb_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1e9b271c-8caa-4e20-aed8-e91e34de9283.json b/packages/security_detection_engine/kibana/security_rule/1e9b271c-8caa-4e20-aed8-e91e34de9283.json deleted file mode 100644 index 150a051148f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1e9b271c-8caa-4e20-aed8-e91e34de9283.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects a new private repo interaction for a GitHub PAT not seen in the last 14 days.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-github.audit-*"], "language": "kuery", "license": "Elastic License v2", "name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)", "new_terms_fields": ["github.hashed_token", "github.repo"], "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and\ngithub.repo:* and github.hashed_token:* and\ngithub.programmatic_access_type:(\"OAuth access token\" or \"Fine-grained personal access token\") and \ngithub.repository_public:false\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "github.hashed_token", "type": "keyword"}, {"ecs": false, "name": "github.programmatic_access_type", "type": "keyword"}, {"ecs": false, "name": "github.repo", "type": "keyword"}, {"ecs": false, "name": "github.repository_public", "type": "boolean"}], "risk_score": 21, "rule_id": "1e9b271c-8caa-4e20-aed8-e91e34de9283", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Execution", "Rule Type: BBR", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1648", "name": "Serverless Execution", "reference": "https://attack.mitre.org/techniques/T1648/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "1e9b271c-8caa-4e20-aed8-e91e34de9283", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/1e9b271c-8caa-4e20-aed8-e91e34de9283_1.json b/packages/security_detection_engine/kibana/security_rule/1e9b271c-8caa-4e20-aed8-e91e34de9283_1.json
deleted file mode 100644
index 4e45b8ff063..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1e9b271c-8caa-4e20-aed8-e91e34de9283_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects a new private repo interaction for a GitHub PAT not seen in the last 14 days.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-github.audit-*"], "language": "kuery", "license": "Elastic License v2", "name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)", "new_terms_fields": ["github.hashed_token", "github.repo"], "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and\ngithub.repo:* and github.hashed_token:* and\ngithub.programmatic_access_type:(\"OAuth access token\" or \"Fine-grained personal access token\") and \ngithub.repository_public:false\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "github.hashed_token", "type": "keyword"}, {"ecs": false, "name": "github.programmatic_access_type", "type": "keyword"}, {"ecs": false, "name": "github.repo", "type": "keyword"}, {"ecs": false, "name": "github.repository_public", "type": "boolean"}], "risk_score": 21, "rule_id": "1e9b271c-8caa-4e20-aed8-e91e34de9283", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Execution", "Rule Type: BBR", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1648", "name": "Serverless Execution", "reference": "https://attack.mitre.org/techniques/T1648/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "1e9b271c-8caa-4e20-aed8-e91e34de9283_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/1e9b271c-8caa-4e20-aed8-e91e34de9283_103.json b/packages/security_detection_engine/kibana/security_rule/1e9b271c-8caa-4e20-aed8-e91e34de9283_103.json
new file mode 100644
index 00000000000..7f59b079043
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/1e9b271c-8caa-4e20-aed8-e91e34de9283_103.json
@@ -0,0 +1,93 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Detects a new private repo interaction for a GitHub PAT not seen in the last 14 days.", + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "logs-github.audit-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)", + "new_terms_fields": [ + "github.hashed_token", + "github.repo" + ], + "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and\ngithub.repo:* and github.hashed_token:* and\ngithub.programmatic_access_type:(\"OAuth access token\" or \"Fine-grained personal access token\") and \ngithub.repository_public:false\n", + "related_integrations": [ + { + "package": "github", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "github.hashed_token", + "type": "keyword" + }, + { + "ecs": false, + "name": "github.programmatic_access_type", + "type": "keyword" + }, + { + "ecs": false, + "name": "github.repo", + "type": "keyword" + }, + { + "ecs": false, + "name": "github.repository_public", + "type": "boolean" + } + ], + "risk_score": 21, + "rule_id": "1e9b271c-8caa-4e20-aed8-e91e34de9283", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Execution", + "Rule Type: BBR", + "Data Source: Github" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1648", + "name": "Serverless Execution", + "reference": "https://attack.mitre.org/techniques/T1648/" + } + ] + } + ], + "timestamp_override": "event.ingested", + 
"type": "new_terms", + "version": 103 + }, + "id": "1e9b271c-8caa-4e20-aed8-e91e34de9283_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0.json b/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0.json deleted file mode 100644 index 770ac44bf1a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0.json +++ /dev/null 
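Review bot: The `related_integrations` constraint for the github package moves from `^1.0.0` to `^2.0.0` while the query still relies on the non-ECS fields `github.programmatic_access_type`, `github.repository_public` and `github.hashed_token`; please confirm those field names and mappings are unchanged in the 2.x integration, because a new_terms rule whose fields no longer exist would most likely fail silently by matching nothing rather than raising an error. A smaller point is that the name and description speak only of personal access tokens while the query also matches `github.programmatic_access_type:"OAuth access token"`; if that value also covers tokens issued to OAuth apps (it appears to be how classic PATs are reported, but that cannot be confirmed from this file), the description should say so, e.g. `"description": "Detects a new private repo interaction for a GitHub personal access token (classic or fine-grained) or OAuth access token not seen in the last 14 days."`. The trailing space after `and ` before the final line of the query is harmless but worth trimming for consistency with the other lines.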
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "Looks for sudo activity from an unusual user context. An unusual sudo user could be due to troubleshooting activity or it could be a sign of credentialed access via compromised accounts.", "false_positives": ["Uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_rare_sudo_user"], "name": "Unusual Sudo Activity", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "1e9fc667-9ff1-4b33-9f40-fefca8537eb0", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}], "type": "machine_learning", "version": 104}, "id": "1e9fc667-9ff1-4b33-9f40-fefca8537eb0", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_101.json b/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_101.json deleted file mode 100644 index f358a768966..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "Looks for sudo activity from an unusual user context. An unusual sudo user could be due to troubleshooting activity or it could be a sign of credentialed access via compromised accounts.", "false_positives": ["Uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_rare_sudo_user"], "name": "Unusual Sudo Activity", "risk_score": 21, "rule_id": "1e9fc667-9ff1-4b33-9f40-fefca8537eb0", "severity": "low", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}], "type": "machine_learning", "version": 101}, "id": "1e9fc667-9ff1-4b33-9f40-fefca8537eb0_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_102.json b/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_102.json deleted file mode 100644 index 28888117de6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "Looks for sudo activity from an unusual user context. An unusual sudo user could be due to troubleshooting activity or it could be a sign of credentialed access via compromised accounts.", "false_positives": ["Uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_rare_sudo_user"], "name": "Unusual Sudo Activity", "risk_score": 21, "rule_id": "1e9fc667-9ff1-4b33-9f40-fefca8537eb0", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}], "type": "machine_learning", "version": 102}, "id": "1e9fc667-9ff1-4b33-9f40-fefca8537eb0_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_103.json b/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_103.json deleted file mode 100644 index 9ff9a24e428..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1e9fc667-9ff1-4b33-9f40-fefca8537eb0_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "Looks for sudo activity from an unusual user context. An unusual sudo user could be due to troubleshooting activity or it could be a sign of credentialed access via compromised accounts.", "false_positives": ["Uncommon sudo activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_rare_sudo_user"], "name": "Unusual Sudo Activity", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "1e9fc667-9ff1-4b33-9f40-fefca8537eb0", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}], "type": "machine_learning", "version": 103}, "id": "1e9fc667-9ff1-4b33-9f40-fefca8537eb0_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8.json b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8.json deleted file mode 100644 index d9723bf315e..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of PowerShell script with keywords related to different Antimalware Scan Interface (AMSI) bypasses. An adversary may attempt first to disable AMSI before executing further malicious powershell scripts to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Antimalware Scan Interface Bypass via PowerShell", "note": "## Triage and analysis\n\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate commands and scripts executed after this activity was observed.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:\"process\" and host.os.type:windows and\n (\n powershell.file.script_block_text : (\n \"System.Management.Automation.AmsiUtils\" or\n\t\t\tamsiInitFailed or \n\t\t\t\"Invoke-AmsiBypass\" or \n\t\t\t\"Bypass.AMSI\" or \n\t\t\t\"amsi.dll\" or \n\t\t\tAntimalwareProvider or \n\t\t\tamsiSession or \n\t\t\tamsiContext or\n\t\t\tAmsiInitialize or \n\t\t\tunloadobfuscated or \n\t\t\tunloadsilent or \n\t\t\tAmsiX64 or \n\t\t\tAmsiX32 or \n\t\t\tFindAmsiFun\n ) or\n powershell.file.script_block_text:(\"[System.Runtime.InteropServices.Marshal]::Copy\" and \"VirtualProtect\") or\n powershell.file.script_block_text:(\"[Ref].Assembly.GetType(('System.Management.Automation\" and \".SetValue(\")\n ) and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\"\n )\n", "references": ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 73, "rule_id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": 
[{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 8}, "id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_2.json b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_2.json deleted file mode 100644 index 613477df577..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of PowerShell script with keywords related to different Antimalware Scan Interface (AMSI) bypasses. An adversary may attempt first to disable AMSI before executing further malicious powershell scripts to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Antimalware Scan Interface Bypass via PowerShell", "note": "## Triage and analysis\n\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate commands and scripts executed after this activity was observed.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:\"process\" and host.os.type:windows and\n (powershell.file.script_block_text :\n (\"System.Management.Automation.AmsiUtils\" or\n\t\t\t\t amsiInitFailed or \n\t\t\t\t \"Invoke-AmsiBypass\" or \n\t\t\t\t \"Bypass.AMSI\" or \n\t\t\t\t \"amsi.dll\" or \n\t\t\t\t AntimalwareProvider or \n\t\t\t\t amsiSession or \n\t\t\t\t amsiContext or \n\t\t\t\t \"System.Management.Automation.ScriptBlock\" or\n\t\t\t\t AmsiInitialize or \n\t\t\t\t unloadobfuscated or \n\t\t\t\t unloadsilent or \n\t\t\t\t AmsiX64 or \n\t\t\t\t AmsiX32 or \n\t\t\t\t FindAmsiFun) or\n powershell.file.script_block_text:(\"[System.Runtime.InteropServices.Marshal]::Copy\" and 
\"VirtualProtect\") or\n powershell.file.script_block_text:(\"[Ref].Assembly.GetType(('System.Management.Automation\" and \".SetValue(\")\n )\n", "references": ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 73, "rule_id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "PowerShell", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_3.json b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_3.json deleted file mode 100644 index 5b563504d96..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of PowerShell script with keywords related to different Antimalware Scan Interface (AMSI) bypasses. An adversary may attempt first to disable AMSI before executing further malicious powershell scripts to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Antimalware Scan Interface Bypass via PowerShell", "note": "## Triage and analysis\n\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate commands and scripts executed after this activity was observed.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:\"process\" and host.os.type:windows and\n (powershell.file.script_block_text :\n (\"System.Management.Automation.AmsiUtils\" or\n\t\t\t\t amsiInitFailed or \n\t\t\t\t \"Invoke-AmsiBypass\" or \n\t\t\t\t \"Bypass.AMSI\" or \n\t\t\t\t \"amsi.dll\" or \n\t\t\t\t AntimalwareProvider or \n\t\t\t\t amsiSession or \n\t\t\t\t amsiContext or \n\t\t\t\t \"System.Management.Automation.ScriptBlock\" or\n\t\t\t\t AmsiInitialize or \n\t\t\t\t unloadobfuscated or \n\t\t\t\t unloadsilent or \n\t\t\t\t AmsiX64 or \n\t\t\t\t AmsiX32 or \n\t\t\t\t FindAmsiFun) or\n powershell.file.script_block_text:(\"[System.Runtime.InteropServices.Marshal]::Copy\" and \"VirtualProtect\") or\n powershell.file.script_block_text:(\"[Ref].Assembly.GetType(('System.Management.Automation\" and \".SetValue(\")\n )\n", "references": ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 73, "rule_id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "PowerShell", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": 
"https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_4.json b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_4.json deleted file mode 100644 index a5f59417b34..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of PowerShell script with keywords related to different Antimalware Scan Interface (AMSI) bypasses. An adversary may attempt first to disable AMSI before executing further malicious powershell scripts to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Antimalware Scan Interface Bypass via PowerShell", "note": "## Triage and analysis\n\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate commands and scripts executed after this activity was observed.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and \npowershell.file.script_block_text : (\n AmsiInitialize or \n AmsiX32 or \n AmsiX64 or \n AntimalwareProvider or \n Bypass.AMSI or \n FindAmsiFun or \n Invoke-AmsiBypass or \n System.Management.Automation.AmsiUtils or \n System.Management.Automation.ScriptBlock or \n amsi.dll or \n amsiContext or \n amsiInitFailed or \n amsiSession or \n unloadobfuscated or \n unloadsilent or \n VirtualProtect and \"[System.Runtime.InteropServices.Marshal]::Copy\" or \n \".SetValue(\" and \"[Ref].Assembly.GetType(('System.Management.Automation\")\n", "references": ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 73, "rule_id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": 
"https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_5.json b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_5.json deleted file mode 100644 index 376cda1bc68..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of PowerShell script with keywords related to different Antimalware Scan Interface (AMSI) bypasses. An adversary may attempt first to disable AMSI before executing further malicious powershell scripts to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Antimalware Scan Interface Bypass via PowerShell", "note": "## Triage and analysis\n\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate commands and scripts executed after this activity was observed.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:\"process\" and host.os.type:windows and\n (powershell.file.script_block_text :\n (\"System.Management.Automation.AmsiUtils\" or\n\t\t\t\t amsiInitFailed or \n\t\t\t\t \"Invoke-AmsiBypass\" or \n\t\t\t\t \"Bypass.AMSI\" or \n\t\t\t\t \"amsi.dll\" or \n\t\t\t\t AntimalwareProvider or \n\t\t\t\t amsiSession or \n\t\t\t\t amsiContext or \n\t\t\t\t \"System.Management.Automation.ScriptBlock\" or\n\t\t\t\t AmsiInitialize or \n\t\t\t\t unloadobfuscated or \n\t\t\t\t unloadsilent or \n\t\t\t\t AmsiX64 or \n\t\t\t\t AmsiX32 or \n\t\t\t\t FindAmsiFun) or\n powershell.file.script_block_text:(\"[System.Runtime.InteropServices.Marshal]::Copy\" and \"VirtualProtect\") or\n powershell.file.script_block_text:(\"[Ref].Assembly.GetType(('System.Management.Automation\" and \".SetValue(\")\n )\n", "references": ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 73, "rule_id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", 
"name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_6.json b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_6.json deleted file mode 100644 index 57d08c76bdd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_6.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of PowerShell script with keywords related to different Antimalware Scan Interface (AMSI) bypasses. An adversary may attempt first to disable AMSI before executing further malicious powershell scripts to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Antimalware Scan Interface Bypass via PowerShell", "note": "## Triage and analysis\n\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate commands and scripts executed after this activity was observed.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:\"process\" and host.os.type:windows and\n (powershell.file.script_block_text :\n (\"System.Management.Automation.AmsiUtils\" or\n\t\t\t\t amsiInitFailed or \n\t\t\t\t \"Invoke-AmsiBypass\" or \n\t\t\t\t \"Bypass.AMSI\" or \n\t\t\t\t \"amsi.dll\" or \n\t\t\t\t AntimalwareProvider or \n\t\t\t\t amsiSession or \n\t\t\t\t amsiContext or\n\t\t\t\t AmsiInitialize or \n\t\t\t\t unloadobfuscated or \n\t\t\t\t unloadsilent or \n\t\t\t\t AmsiX64 or \n\t\t\t\t AmsiX32 or \n\t\t\t\t FindAmsiFun) or\n powershell.file.script_block_text:(\"[System.Runtime.InteropServices.Marshal]::Copy\" and \"VirtualProtect\") or\n powershell.file.script_block_text:(\"[Ref].Assembly.GetType(('System.Management.Automation\" and \".SetValue(\")\n )\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n", "references": ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 73, "rule_id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 6}, "id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_7.json b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_7.json
deleted file mode 100644
index cd4444fa182..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of PowerShell script with keywords related to different Antimalware Scan Interface (AMSI) bypasses. An adversary may attempt first to disable AMSI before executing further malicious powershell scripts to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Antimalware Scan Interface Bypass via PowerShell", "note": "## Triage and analysis\n\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate commands and scripts executed after this activity was observed.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:\"process\" and host.os.type:windows and\n (\n powershell.file.script_block_text : (\n \"System.Management.Automation.AmsiUtils\" or\n\t\t\tamsiInitFailed or \n\t\t\t\"Invoke-AmsiBypass\" or \n\t\t\t\"Bypass.AMSI\" or \n\t\t\t\"amsi.dll\" or \n\t\t\tAntimalwareProvider or \n\t\t\tamsiSession or \n\t\t\tamsiContext or\n\t\t\tAmsiInitialize or \n\t\t\tunloadobfuscated or \n\t\t\tunloadsilent or \n\t\t\tAmsiX64 or \n\t\t\tAmsiX32 or \n\t\t\tFindAmsiFun\n ) or\n powershell.file.script_block_text:(\"[System.Runtime.InteropServices.Marshal]::Copy\" and \"VirtualProtect\") or\n powershell.file.script_block_text:(\"[Ref].Assembly.GetType(('System.Management.Automation\" and \".SetValue(\")\n ) and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\"\n )\n", "references": ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 73, "rule_id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": 
[{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 7}, "id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_8.json b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_8.json
deleted file mode 100644
index 12205966858..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_8.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of PowerShell script with keywords related to different Antimalware Scan Interface (AMSI) bypasses. An adversary may attempt first to disable AMSI before executing further malicious powershell scripts to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Antimalware Scan Interface Bypass via PowerShell", "note": "## Triage and analysis\n\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate commands and scripts executed after this activity was observed.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:\"process\" and host.os.type:windows and\n (\n powershell.file.script_block_text : (\n \"System.Management.Automation.AmsiUtils\" or\n\t\t\tamsiInitFailed or \n\t\t\t\"Invoke-AmsiBypass\" or \n\t\t\t\"Bypass.AMSI\" or \n\t\t\t\"amsi.dll\" or \n\t\t\tAntimalwareProvider or \n\t\t\tamsiSession or \n\t\t\tamsiContext or\n\t\t\tAmsiInitialize or \n\t\t\tunloadobfuscated or \n\t\t\tunloadsilent or \n\t\t\tAmsiX64 or \n\t\t\tAmsiX32 or \n\t\t\tFindAmsiFun\n ) or\n powershell.file.script_block_text:(\"[System.Runtime.InteropServices.Marshal]::Copy\" and \"VirtualProtect\") or\n powershell.file.script_block_text:(\"[Ref].Assembly.GetType(('System.Management.Automation\" and \".SetValue(\")\n ) and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\"\n )\n", "references": ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 73, "rule_id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": 
[{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 8}, "id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8_8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_9.json b/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_9.json
deleted file mode 100644
index f0b1dc1d664..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1f0a69c0-3392-4adf-b7d5-6012fd292da8_9.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of PowerShell script with keywords related to different Antimalware Scan Interface (AMSI) bypasses. An adversary may attempt first to disable AMSI before executing further malicious powershell scripts to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Antimalware Scan Interface Bypass via PowerShell", "note": "## Triage and analysis\n\n### Investigating Potential Antimalware Scan Interface Bypass via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nThis rule identifies scripts that contain methods and classes that can be abused to bypass AMSI.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate commands and scripts executed after this activity was observed.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:\"process\" and host.os.type:windows and\n (\n powershell.file.script_block_text : (\n \"System.Management.Automation.AmsiUtils\" or\n\t\t\tamsiInitFailed or \n\t\t\t\"Invoke-AmsiBypass\" or \n\t\t\t\"Bypass.AMSI\" or \n\t\t\t\"amsi.dll\" or \n\t\t\tAntimalwareProvider or \n\t\t\tamsiSession or \n\t\t\tamsiContext or\n\t\t\tAmsiInitialize or \n\t\t\tunloadobfuscated or \n\t\t\tunloadsilent or \n\t\t\tAmsiX64 or \n\t\t\tAmsiX32 or \n\t\t\tFindAmsiFun\n ) or\n powershell.file.script_block_text:(\"[System.Runtime.InteropServices.Marshal]::Copy\" and \"VirtualProtect\") or\n powershell.file.script_block_text:(\"[Ref].Assembly.GetType(('System.Management.Automation\" and \".SetValue(\")\n ) and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\"\n )\n", "references": ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 73, "rule_id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": 
[{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 9}, "id": "1f0a69c0-3392-4adf-b7d5-6012fd292da8_9", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1f45720e-5ea8-11ef-90d2-f661ea17fbce_1.json b/packages/security_detection_engine/kibana/security_rule/1f45720e-5ea8-11ef-90d2-f661ea17fbce_1.json
deleted file mode 100644
index a01520a5903..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1f45720e-5ea8-11ef-90d2-f661ea17fbce_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a federated user logs into the AWS Management Console without using multi-factor authentication (MFA). Federated users are typically given temporary credentials to access AWS services. If a federated user logs into the AWS Management Console without using MFA, it may indicate a security risk, as MFA adds an additional layer of security to the authentication process. This could also indicate the abuse of STS tokens to bypass MFA requirements.", "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "AWS Signin Single Factor Console Login with Federated User", "query": "from logs-aws.cloudtrail-*\n| where\n event.provider == \"signin.amazonaws.com\"\n and event.action == \"GetSigninToken\"\n and aws.cloudtrail.event_type == \"AwsConsoleSignIn\"\n and aws.cloudtrail.user_identity.type == \"FederatedUser\"\n| dissect aws.cloudtrail.additional_eventdata \"{%{?mobile_version_key}=%{mobile_version}, %{?mfa_used_key}=%{mfa_used}}\"\n| where mfa_used == \"No\"\n", "references": ["https://hackingthe.cloud/aws/post_exploitation/create_a_console_session_from_iam_credentials/"], "risk_score": 47, "rule_id": "1f45720e-5ea8-11ef-90d2-f661ea17fbce", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Amazon Web Services", "Data Source: AWS", "Data Source: AWS Sign-In", "Use Case: Threat Detection", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "1f45720e-5ea8-11ef-90d2-f661ea17fbce_1", "type": "security-rule"} \ No 
newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1f460f12-a3cf-4105-9ebb-f788cc63f365.json b/packages/security_detection_engine/kibana/security_rule/1f460f12-a3cf-4105-9ebb-f788cc63f365.json deleted file mode 100644 index 5d48e9bc498..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1f460f12-a3cf-4105-9ebb-f788cc63f365.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies unusual processes running from the WBEM path, uncommon outside WMI-related Windows processes.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Unusual Process Execution on WBEM Path", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : (\"?:\\\\Windows\\\\System32\\\\wbem\\\\*\", \"?:\\\\Windows\\\\SysWow64\\\\wbem\\\\*\") and\n not process.name : (\n \"mofcomp.exe\",\n \"scrcons.exe\",\n \"unsecapp.exe\",\n \"wbemtest.exe\",\n \"winmgmt.exe\",\n \"wmiadap.exe\",\n \"wmiapsrv.exe\",\n \"wmic.exe\",\n \"wmiprvse.exe\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "1f460f12-a3cf-4105-9ebb-f788cc63f365", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "1f460f12-a3cf-4105-9ebb-f788cc63f365", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/1f460f12-a3cf-4105-9ebb-f788cc63f365_1.json b/packages/security_detection_engine/kibana/security_rule/1f460f12-a3cf-4105-9ebb-f788cc63f365_1.json
deleted file mode 100644
index df802cec2b3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1f460f12-a3cf-4105-9ebb-f788cc63f365_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies unusual processes running from the WBEM path, uncommon outside WMI-related Windows processes.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Unusual Process Execution on WBEM Path", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : (\"?:\\\\Windows\\\\System32\\\\wbem\\\\*\", \"?:\\\\Windows\\\\SysWow64\\\\wbem\\\\*\") and\n not process.name : (\n \"mofcomp.exe\",\n \"scrcons.exe\",\n \"unsecapp.exe\",\n \"wbemtest.exe\",\n \"winmgmt.exe\",\n \"wmiadap.exe\",\n \"wmiapsrv.exe\",\n \"wmic.exe\",\n \"wmiprvse.exe\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "1f460f12-a3cf-4105-9ebb-f788cc63f365", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "1f460f12-a3cf-4105-9ebb-f788cc63f365_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/1f460f12-a3cf-4105-9ebb-f788cc63f365_2.json b/packages/security_detection_engine/kibana/security_rule/1f460f12-a3cf-4105-9ebb-f788cc63f365_2.json
deleted file mode 100644
index 290b2e61b7e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1f460f12-a3cf-4105-9ebb-f788cc63f365_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies unusual processes running from the WBEM path, uncommon outside WMI-related Windows processes.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Unusual Process Execution on WBEM Path", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : (\"?:\\\\Windows\\\\System32\\\\wbem\\\\*\", \"?:\\\\Windows\\\\SysWow64\\\\wbem\\\\*\") and\n not process.name : (\n \"mofcomp.exe\",\n \"scrcons.exe\",\n \"unsecapp.exe\",\n \"wbemtest.exe\",\n \"winmgmt.exe\",\n \"wmiadap.exe\",\n \"wmiapsrv.exe\",\n \"wmic.exe\",\n \"wmiprvse.exe\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "1f460f12-a3cf-4105-9ebb-f788cc63f365", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "1f460f12-a3cf-4105-9ebb-f788cc63f365_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/1f460f12-a3cf-4105-9ebb-f788cc63f365_3.json b/packages/security_detection_engine/kibana/security_rule/1f460f12-a3cf-4105-9ebb-f788cc63f365_3.json
deleted file mode 100644
index 2736993ba8f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1f460f12-a3cf-4105-9ebb-f788cc63f365_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies unusual processes running from the WBEM path, uncommon outside WMI-related Windows processes.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Unusual Process Execution on WBEM Path", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : (\"?:\\\\Windows\\\\System32\\\\wbem\\\\*\", \"?:\\\\Windows\\\\SysWow64\\\\wbem\\\\*\") and\n not process.name : (\n \"mofcomp.exe\",\n \"scrcons.exe\",\n \"unsecapp.exe\",\n \"wbemtest.exe\",\n \"winmgmt.exe\",\n \"wmiadap.exe\",\n \"wmiapsrv.exe\",\n \"wmic.exe\",\n \"wmiprvse.exe\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "1f460f12-a3cf-4105-9ebb-f788cc63f365", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "1f460f12-a3cf-4105-9ebb-f788cc63f365_3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f.json b/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f.json
deleted file mode 100644
index 42e63264079..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", "false_positives": ["A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_rare_metadata_user"], "name": "Unusual Linux User Calling the Metadata Service", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "1faec04b-d902-4f89-8aff-92cd9043c16f", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.005", "name": "Cloud Instance Metadata API", "reference": "https://attack.mitre.org/techniques/T1552/005/"}]}]}], "type": "machine_learning", "version": 104}, "id": "1faec04b-d902-4f89-8aff-92cd9043c16f", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_101.json b/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_101.json deleted file mode 100644 index a1f5e5441bf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", "false_positives": ["A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_rare_metadata_user"], "name": "Unusual Linux User Calling the Metadata Service", "risk_score": 21, "rule_id": "1faec04b-d902-4f89-8aff-92cd9043c16f", "severity": "low", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.005", "name": "Cloud Instance Metadata API", "reference": "https://attack.mitre.org/techniques/T1552/005/"}]}]}], "type": "machine_learning", "version": 101}, "id": "1faec04b-d902-4f89-8aff-92cd9043c16f_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_102.json b/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_102.json deleted file mode 100644 index b8ee513d059..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", "false_positives": ["A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_rare_metadata_user"], "name": "Unusual Linux User Calling the Metadata Service", "risk_score": 21, "rule_id": "1faec04b-d902-4f89-8aff-92cd9043c16f", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.005", "name": "Cloud Instance Metadata API", "reference": "https://attack.mitre.org/techniques/T1552/005/"}]}]}], "type": "machine_learning", "version": 102}, "id": "1faec04b-d902-4f89-8aff-92cd9043c16f_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_103.json b/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_103.json deleted file mode 100644 index dc84df5d93b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1faec04b-d902-4f89-8aff-92cd9043c16f_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", "false_positives": ["A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_rare_metadata_user"], "name": "Unusual Linux User Calling the Metadata Service", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "1faec04b-d902-4f89-8aff-92cd9043c16f", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.005", "name": "Cloud Instance Metadata API", "reference": "https://attack.mitre.org/techniques/T1552/005/"}]}]}], "type": "machine_learning", "version": 103}, "id": "1faec04b-d902-4f89-8aff-92cd9043c16f_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a.json b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a.json deleted file mode 100644 index 4ba6a8c2240..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Activity from a Windows System Binary", "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity from a Windows System Binary\n\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\n\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, 
status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n (\n process.name : \"msbuild.exe\" and\n destination.ip != 
\"127.0.0.1\"\n ) or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n (\n process.name : \"msiexec.exe\" and not\n dns.question.name : (\n \"ocsp.digicert.com\", \"ocsp.verisign.com\", \"ocsp.comodoca.com\", \"ocsp.entrust.net\", \"ocsp.usertrust.com\",\n \"ocsp.godaddy.com\", \"ocsp.camerfirma.com\", \"ocsp.globalsign.com\", \"ocsp.sectigo.com\", \"*.local\"\n ) and\n /* Localhost, DigiCert and Comodo CA IP addresses */\n not cidrmatch(destination.ip, \"127.0.0.1\", \"192.229.211.108/32\", \"192.229.221.95/32\",\n \"152.195.38.76/32\", \"104.18.14.101/32\")\n ) or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}, {"id": "T1127", "name": "Trusted 
Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}, {"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}]}]}], "type": "eql", "version": 112}, "id": "1fe3b299-fbb5-4657-a937-1d746f2c711a", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_104.json b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_104.json deleted file mode 100644 index 8ebd1e005e2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Activity from a Windows System Binary", "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity from a Windows System Binary\n\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\n\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. 
If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : 
\"msdt.exe\" or\n process.name : \"mshta.exe\" or\n (\n process.name : \"msiexec.exe\" and not\n dns.question.name : (\n \"ocsp.digicert.com\", \"ocsp.verisign.com\", \"ocsp.comodoca.com\", \"ocsp.entrust.net\", \"ocsp.usertrust.com\",\n \"ocsp.godaddy.com\", \"ocsp.camerfirma.com\", \"ocsp.globalsign.com\", \"ocsp.sectigo.com\", \"*.local\"\n )\n ) or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/"}]}], "type": "eql", "version": 104}, "id": "1fe3b299-fbb5-4657-a937-1d746f2c711a_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_105.json b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_105.json
deleted file mode 100644
index 91cfd6e606b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Activity from a Windows System Binary", "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity from a Windows System Binary\n\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\n\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, 
status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : 
\"msdt.exe\" or\n process.name : \"mshta.exe\" or\n (\n process.name : \"msiexec.exe\" and not\n dns.question.name : (\n \"ocsp.digicert.com\", \"ocsp.verisign.com\", \"ocsp.comodoca.com\", \"ocsp.entrust.net\", \"ocsp.usertrust.com\",\n \"ocsp.godaddy.com\", \"ocsp.camerfirma.com\", \"ocsp.globalsign.com\", \"ocsp.sectigo.com\", \"*.local\"\n )\n ) or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/"}]}], "type": "eql", "version": 105}, "id": "1fe3b299-fbb5-4657-a937-1d746f2c711a_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_106.json b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_106.json
deleted file mode 100644
index 98908b10299..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Activity from a Windows System Binary", "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity from a Windows System Binary\n\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\n\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, 
status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : 
\"msdt.exe\" or\n process.name : \"mshta.exe\" or\n (\n process.name : \"msiexec.exe\" and not\n dns.question.name : (\n \"ocsp.digicert.com\", \"ocsp.verisign.com\", \"ocsp.comodoca.com\", \"ocsp.entrust.net\", \"ocsp.usertrust.com\",\n \"ocsp.godaddy.com\", \"ocsp.camerfirma.com\", \"ocsp.globalsign.com\", \"ocsp.sectigo.com\", \"*.local\"\n )\n ) or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/"}]}], "type": "eql", "version": 106}, "id": "1fe3b299-fbb5-4657-a937-1d746f2c711a_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_107.json b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_107.json
deleted file mode 100644
index 906fd83f59a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Activity from a Windows System Binary", "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity from a Windows System Binary\n\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\n\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, 
status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : 
\"msdt.exe\" or\n process.name : \"mshta.exe\" or\n (\n process.name : \"msiexec.exe\" and not\n dns.question.name : (\n \"ocsp.digicert.com\", \"ocsp.verisign.com\", \"ocsp.comodoca.com\", \"ocsp.entrust.net\", \"ocsp.usertrust.com\",\n \"ocsp.godaddy.com\", \"ocsp.camerfirma.com\", \"ocsp.globalsign.com\", \"ocsp.sectigo.com\", \"*.local\"\n )\n ) or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/"}]}], "type": "eql", "version": 107}, "id": "1fe3b299-fbb5-4657-a937-1d746f2c711a_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_108.json b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_108.json deleted file mode 100644 index 0127eb8fc4e..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Activity from a Windows System Binary", "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity from a Windows System Binary\n\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\n\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, 
status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : 
\"msdt.exe\" or\n process.name : \"mshta.exe\" or\n (\n process.name : \"msiexec.exe\" and not\n dns.question.name : (\n \"ocsp.digicert.com\", \"ocsp.verisign.com\", \"ocsp.comodoca.com\", \"ocsp.entrust.net\", \"ocsp.usertrust.com\",\n \"ocsp.godaddy.com\", \"ocsp.camerfirma.com\", \"ocsp.globalsign.com\", \"ocsp.sectigo.com\", \"*.local\"\n )\n ) or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}, {"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}]}, {"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], 
"type": "eql", "version": 108}, "id": "1fe3b299-fbb5-4657-a937-1d746f2c711a_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_109.json b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_109.json
deleted file mode 100644
index 8d03f8a3443..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Activity from a Windows System Binary", "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity from a Windows System Binary\n\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\n\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, 
status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n (\n process.name : \"msbuild.exe\" and\n destination.ip != 
\"127.0.0.1\"\n ) or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n (\n process.name : \"msiexec.exe\" and not\n dns.question.name : (\n \"ocsp.digicert.com\", \"ocsp.verisign.com\", \"ocsp.comodoca.com\", \"ocsp.entrust.net\", \"ocsp.usertrust.com\",\n \"ocsp.godaddy.com\", \"ocsp.camerfirma.com\", \"ocsp.globalsign.com\", \"ocsp.sectigo.com\", \"*.local\"\n ) and\n /* Localhost, DigiCert and Comodo CA IP addresses */\n not cidrmatch(destination.ip, \"127.0.0.1\", \"192.229.211.108/32\", \"192.229.221.95/32\",\n \"152.195.38.76/32\", \"104.18.14.101/32\")\n ) or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}, {"id": "T1218.005", "name": "Mshta", "reference": 
"https://attack.mitre.org/techniques/T1218/005/"}]}, {"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "type": "eql", "version": 109}, "id": "1fe3b299-fbb5-4657-a937-1d746f2c711a_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_110.json b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_110.json
deleted file mode 100644
index 48df9121d2d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Activity from a Windows System Binary", "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity from a Windows System Binary\n\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\n\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, 
status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n (\n process.name : \"msbuild.exe\" and\n destination.ip != 
\"127.0.0.1\"\n ) or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n (\n process.name : \"msiexec.exe\" and not\n dns.question.name : (\n \"ocsp.digicert.com\", \"ocsp.verisign.com\", \"ocsp.comodoca.com\", \"ocsp.entrust.net\", \"ocsp.usertrust.com\",\n \"ocsp.godaddy.com\", \"ocsp.camerfirma.com\", \"ocsp.globalsign.com\", \"ocsp.sectigo.com\", \"*.local\"\n ) and\n /* Localhost, DigiCert and Comodo CA IP addresses */\n not cidrmatch(destination.ip, \"127.0.0.1\", \"192.229.211.108/32\", \"192.229.221.95/32\",\n \"152.195.38.76/32\", \"104.18.14.101/32\")\n ) or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}, {"id": "T1218.005", "name": "Mshta", 
"reference": "https://attack.mitre.org/techniques/T1218/005/"}]}, {"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "type": "eql", "version": 110}, "id": "1fe3b299-fbb5-4657-a937-1d746f2c711a_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_111.json b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_111.json
deleted file mode 100644
index aac395cf0e8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Activity from a Windows System Binary", "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity from a Windows System Binary\n\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\n\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, 
status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n (\n process.name : \"msbuild.exe\" and\n destination.ip != 
\"127.0.0.1\"\n ) or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n (\n process.name : \"msiexec.exe\" and not\n dns.question.name : (\n \"ocsp.digicert.com\", \"ocsp.verisign.com\", \"ocsp.comodoca.com\", \"ocsp.entrust.net\", \"ocsp.usertrust.com\",\n \"ocsp.godaddy.com\", \"ocsp.camerfirma.com\", \"ocsp.globalsign.com\", \"ocsp.sectigo.com\", \"*.local\"\n ) and\n /* Localhost, DigiCert and Comodo CA IP addresses */\n not cidrmatch(destination.ip, \"127.0.0.1\", \"192.229.211.108/32\", \"192.229.221.95/32\",\n \"152.195.38.76/32\", \"104.18.14.101/32\")\n ) or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}, {"id": "T1218.005", "name": "Mshta", 
"reference": "https://attack.mitre.org/techniques/T1218/005/"}]}, {"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "type": "eql", "version": 111}, "id": "1fe3b299-fbb5-4657-a937-1d746f2c711a_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_112.json b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_112.json
deleted file mode 100644
index a86166d637e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_112.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Activity from a Windows System Binary", "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity from a Windows System Binary\n\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\n\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, 
status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n (\n process.name : \"msbuild.exe\" and\n destination.ip != 
\"127.0.0.1\"\n ) or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n (\n process.name : \"msiexec.exe\" and not\n dns.question.name : (\n \"ocsp.digicert.com\", \"ocsp.verisign.com\", \"ocsp.comodoca.com\", \"ocsp.entrust.net\", \"ocsp.usertrust.com\",\n \"ocsp.godaddy.com\", \"ocsp.camerfirma.com\", \"ocsp.globalsign.com\", \"ocsp.sectigo.com\", \"*.local\"\n ) and\n /* Localhost, DigiCert and Comodo CA IP addresses */\n not cidrmatch(destination.ip, \"127.0.0.1\", \"192.229.211.108/32\", \"192.229.221.95/32\",\n \"152.195.38.76/32\", \"104.18.14.101/32\")\n ) or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}, {"id": "T1127", "name": "Trusted 
Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}, {"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}]}]}], "type": "eql", "version": 112}, "id": "1fe3b299-fbb5-4657-a937-1d746f2c711a_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_113.json b/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_113.json
deleted file mode 100644
index cadd7ff9720..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/1fe3b299-fbb5-4657-a937-1d746f2c711a_113.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Activity from a Windows System Binary", "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity from a Windows System Binary\n\nAttackers can abuse certain trusted developer utilities to proxy the execution of malicious payloads. Since these utilities are usually signed, they can bypass the security controls that were put in place to prevent or detect direct execution.\n\nThis rule identifies network connections established by trusted developer utilities, which can indicate abuse to execute payloads or process masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, 
status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- As trusted developer utilities have dual-use purposes, alerts derived from this rule are not essentially malicious. If these utilities are contacting internal or known trusted domains, review their security and consider creating exceptions if the domain is safe.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n\n /* known applocker bypasses */\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"MSBuild.exe\" or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n process.name : \"msiexec.exe\" or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\")]\n [network where\n (process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"control.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"installutil.exe\" or\n process.name : \"Microsoft.Workflow.Compiler.exe\" or\n (\n process.name : \"msbuild.exe\" and\n destination.ip != 
\"127.0.0.1\"\n ) or\n process.name : \"msdt.exe\" or\n process.name : \"mshta.exe\" or\n (\n process.name : \"msiexec.exe\" and not\n dns.question.name : (\n \"ocsp.digicert.com\", \"ocsp.verisign.com\", \"ocsp.comodoca.com\", \"ocsp.entrust.net\", \"ocsp.usertrust.com\",\n \"ocsp.godaddy.com\", \"ocsp.camerfirma.com\", \"ocsp.globalsign.com\", \"ocsp.sectigo.com\", \"*.local\"\n ) and\n /* Localhost, DigiCert and Comodo CA IP addresses */\n not cidrmatch(destination.ip, \"127.0.0.1\", \"192.229.211.108/32\", \"192.229.221.95/32\",\n \"152.195.38.76/32\", \"104.18.14.101/32\")\n ) or\n process.name : \"msxsl.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"regsvr32.exe\" or\n process.name : \"xwizard.exe\") and \n \n not dns.question.name : (\"localhost\", \"setup.officetimeline.com\", \"us.deployment.endpoint.ingress.rapid7.com\", \n \"ctldl.windowsupdate.com\", \"crl?.digicert.com\", \"ocsp.digicert.com\", \"addon-cms-asl.eu.goskope.com\", \"crls.ssl.com\", \n \"evcs-ocsp.ws.symantec.com\", \"s.symcd.com\", \"s?.symcb.com\", \"crl.verisign.com\", \"oneocsp.microsoft.com\", \"crl.verisign.com\", \n \"aka.ms\", \"crl.comodoca.com\", \"acroipm2.adobe.com\", \"sv.symcd.com\") and \n\n /* host query itself */\n not startswith~(dns.question.name, host.name)\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "1fe3b299-fbb5-4657-a937-1d746f2c711a", "severity": "medium", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}, {"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}, {"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}]}]}], "type": "eql", "version": 113}, "id": "1fe3b299-fbb5-4657-a937-1d746f2c711a_113", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514.json b/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514.json
deleted file mode 100644
index 8b42fdaf2f7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Exploit - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 73, "rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514", "setup": "## Setup\n\nThis rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.\n\n**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. 
For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.\n\nTo make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.\n\n**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.", "severity": "high", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514_100.json b/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514_100.json deleted file mode 100644 index 9e4c0a31846..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514_100.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Exploit - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 73, "rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514", "severity": "high", "tags": ["Elastic", "Elastic Endgame", "Threat Detection", "Execution", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "query", "version": 100}, "id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514_100", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514_101.json b/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514_101.json deleted file mode 100644 index 47ddd447b42..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514_101.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Exploit - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 73, "rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514", "severity": "high", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "query", "version": 101}, "id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514_101", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514_102.json b/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514_102.json
deleted file mode 100644
index 3be6510f361..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2003cdc8-8d83-4aa5-b132-1f9a8eb48514_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Exploit - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 73, "rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514", "severity": "high", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c.json b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c.json
deleted file mode 100644
index 6b8d1b5d190..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt to compile code after delivery in order to bypass security mechanisms.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious .NET Code Compilation", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"csc.exe\", \"vbc.exe\") and\n process.parent.name : (\"wscript.exe\", \"mshta.exe\", \"cscript.exe\", \"wmic.exe\", \"svchost.exe\", \"rundll32.exe\", \"cmstp.exe\", \"regsvr32.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/", "subtechnique": [{"id": "T1027.004", "name": "Compile After Delivery", "reference": "https://attack.mitre.org/techniques/T1027/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "201200f1-a99b-43fb-88ed-f65a45c4972c", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_104.json b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_104.json deleted file mode 100644 index f6dea431ae8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious .NET code execution. connections.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious .NET Code Compilation", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"csc.exe\", \"vbc.exe\") and\n process.parent.name : (\"wscript.exe\", \"mshta.exe\", \"cscript.exe\", \"wmic.exe\", \"svchost.exe\", \"rundll32.exe\", \"cmstp.exe\", \"regsvr32.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/", "subtechnique": [{"id": "T1027.004", "name": "Compile After Delivery", "reference": "https://attack.mitre.org/techniques/T1027/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, 
"id": "201200f1-a99b-43fb-88ed-f65a45c4972c_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_105.json b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_105.json
deleted file mode 100644
index 0bd218f90ae..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious .NET code execution. connections.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious .NET Code Compilation", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"csc.exe\", \"vbc.exe\") and\n process.parent.name : (\"wscript.exe\", \"mshta.exe\", \"cscript.exe\", \"wmic.exe\", \"svchost.exe\", \"rundll32.exe\", \"cmstp.exe\", \"regsvr32.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/", "subtechnique": [{"id": "T1027.004", "name": "Compile After Delivery", "reference": "https://attack.mitre.org/techniques/T1027/004/"}]}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 105}, "id": "201200f1-a99b-43fb-88ed-f65a45c4972c_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_106.json b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_106.json
deleted file mode 100644
index a302f1d9bf7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious .NET code execution. connections.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious .NET Code Compilation", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"csc.exe\", \"vbc.exe\") and\n process.parent.name : (\"wscript.exe\", \"mshta.exe\", \"cscript.exe\", \"wmic.exe\", \"svchost.exe\", \"rundll32.exe\", \"cmstp.exe\", \"regsvr32.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/", "subtechnique": [{"id": "T1027.004", "name": "Compile After Delivery", "reference": "https://attack.mitre.org/techniques/T1027/004/"}]}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "201200f1-a99b-43fb-88ed-f65a45c4972c_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_107.json b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_107.json
deleted file mode 100644
index 568c6814eef..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt to compile code after delivery in order to bypass security mechanisms.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious .NET Code Compilation", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"csc.exe\", \"vbc.exe\") and\n process.parent.name : (\"wscript.exe\", \"mshta.exe\", \"cscript.exe\", \"wmic.exe\", \"svchost.exe\", \"rundll32.exe\", \"cmstp.exe\", \"regsvr32.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": 
"https://attack.mitre.org/techniques/T1027/", "subtechnique": [{"id": "T1027.004", "name": "Compile After Delivery", "reference": "https://attack.mitre.org/techniques/T1027/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "201200f1-a99b-43fb-88ed-f65a45c4972c_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_108.json b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_108.json
deleted file mode 100644
index f1b43866140..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt to compile code after delivery in order to bypass security mechanisms.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious .NET Code Compilation", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"csc.exe\", \"vbc.exe\") and\n process.parent.name : (\"wscript.exe\", \"mshta.exe\", \"cscript.exe\", \"wmic.exe\", \"svchost.exe\", \"rundll32.exe\", \"cmstp.exe\", \"regsvr32.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/", "subtechnique": [{"id": "T1027.004", "name": "Compile After Delivery", "reference": "https://attack.mitre.org/techniques/T1027/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "201200f1-a99b-43fb-88ed-f65a45c4972c_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_109.json b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_109.json
deleted file mode 100644
index e3f90ca1c80..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt to compile code after delivery in order to bypass security mechanisms.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious .NET Code Compilation", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"csc.exe\", \"vbc.exe\") and\n process.parent.name : (\"wscript.exe\", \"mshta.exe\", \"cscript.exe\", \"wmic.exe\", \"svchost.exe\", \"rundll32.exe\", \"cmstp.exe\", \"regsvr32.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", 
"name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/", "subtechnique": [{"id": "T1027.004", "name": "Compile After Delivery", "reference": "https://attack.mitre.org/techniques/T1027/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "201200f1-a99b-43fb-88ed-f65a45c4972c_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_110.json b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_110.json
deleted file mode 100644
index 88dd093cde6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt to compile code after delivery in order to bypass security mechanisms.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious .NET Code Compilation", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"csc.exe\", \"vbc.exe\") and\n process.parent.name : (\"wscript.exe\", \"mshta.exe\", \"cscript.exe\", \"wmic.exe\", \"svchost.exe\", \"rundll32.exe\", \"cmstp.exe\", \"regsvr32.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/", "subtechnique": [{"id": "T1027.004", "name": "Compile After Delivery", "reference": "https://attack.mitre.org/techniques/T1027/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "201200f1-a99b-43fb-88ed-f65a45c4972c_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_111.json b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_111.json
deleted file mode 100644
index 3dff82d7d1a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt to compile code after delivery in order to bypass security mechanisms.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious .NET Code Compilation", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"csc.exe\", \"vbc.exe\") and\n process.parent.name : (\"wscript.exe\", \"mshta.exe\", \"cscript.exe\", \"wmic.exe\", \"svchost.exe\", \"rundll32.exe\", \"cmstp.exe\", \"regsvr32.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/", "subtechnique": [{"id": "T1027.004", "name": "Compile After Delivery", "reference": "https://attack.mitre.org/techniques/T1027/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "201200f1-a99b-43fb-88ed-f65a45c4972c_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_311.json b/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_311.json
deleted file mode 100644
index a8451017bc7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/201200f1-a99b-43fb-88ed-f65a45c4972c_311.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies executions of .NET compilers with suspicious parent processes, which can indicate an attacker's attempt to compile code after delivery in order to bypass security mechanisms.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious .NET Code Compilation", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"csc.exe\", \"vbc.exe\") and\n process.parent.name : (\"wscript.exe\", \"mshta.exe\", \"cscript.exe\", \"wmic.exe\", \"svchost.exe\", \"rundll32.exe\", \"cmstp.exe\", \"regsvr32.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "201200f1-a99b-43fb-88ed-f65a45c4972c", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", 
"severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/", "subtechnique": [{"id": "T1027.004", "name": "Compile After Delivery", "reference": "https://attack.mitre.org/techniques/T1027/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 311}, "id": "201200f1-a99b-43fb-88ed-f65a45c4972c_311", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/202829f6-0271-4e88-b882-11a655c590d4.json b/packages/security_detection_engine/kibana/security_rule/202829f6-0271-4e88-b882-11a655c590d4.json
deleted file mode 100644
index 5db9329c9e9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/202829f6-0271-4e88-b882-11a655c590d4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Monitors for kernel processes with associated process executable fields that are not empty. Unix kernel processes such as kthreadd and kworker typically do not have process.executable fields associated to them. Attackers may attempt to hide their malicious programs by masquerading as legitimate kernel processes.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Executable Masquerading as Kernel Process", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.name : (\"kworker*\", \"kthread*\") and process.executable != null\n", "references": ["https://sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "202829f6-0271-4e88-b882-11a655c590d4", "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.004", "name": "Masquerade Task or Service", "reference": "https://attack.mitre.org/techniques/T1036/004/"}]}, {"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "202829f6-0271-4e88-b882-11a655c590d4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/202829f6-0271-4e88-b882-11a655c590d4_1.json b/packages/security_detection_engine/kibana/security_rule/202829f6-0271-4e88-b882-11a655c590d4_1.json
deleted file mode 100644
index f1656249976..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/202829f6-0271-4e88-b882-11a655c590d4_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Monitors for kernel processes with associated process executable fields that are not empty. Unix kernel processes such as kthreadd and kworker typically do not have process.executable fields associated to them. Attackers may attempt to hide their malicious programs by masquerading as legitimate kernel processes.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Executable Masquerading as Kernel Process", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and\nprocess.name : (\"kworker*\", \"kthread*\") and process.executable != null\n", "references": ["https://sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "202829f6-0271-4e88-b882-11a655c590d4", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/"}, {"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.004", "name": "Masquerade Task or Service", "reference": "https://attack.mitre.org/techniques/T1036/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "202829f6-0271-4e88-b882-11a655c590d4_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/202829f6-0271-4e88-b882-11a655c590d4_2.json b/packages/security_detection_engine/kibana/security_rule/202829f6-0271-4e88-b882-11a655c590d4_2.json
deleted file mode 100644
index a2e76170666..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/202829f6-0271-4e88-b882-11a655c590d4_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Monitors for kernel processes with associated process executable fields that are not empty. Unix kernel processes such as kthreadd and kworker typically do not have process.executable fields associated to them. Attackers may attempt to hide their malicious programs by masquerading as legitimate kernel processes.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Executable Masquerading as Kernel Process", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.name : (\"kworker*\", \"kthread*\") and process.executable != null\n", "references": ["https://sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "202829f6-0271-4e88-b882-11a655c590d4", "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/"}, {"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.004", "name": "Masquerade Task or Service", "reference": "https://attack.mitre.org/techniques/T1036/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "202829f6-0271-4e88-b882-11a655c590d4_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4.json b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4.json
deleted file mode 100644
index f912f55104e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.", "false_positives": ["Certain applications may install root certificates for the purpose of inspecting SSL traffic."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of Root Certificate", "note": "## Triage and analysis\n\n### Investigating Creation or Modification of Root Certificate\n\nRoot certificates are the primary level of certifications that tell a browser that the communication is trusted and legitimate. This verification is based upon the identification of a certification authority. Windows adds several trusted root certificates so browsers can use them to communicate with websites.\n\n[Check out this post](https://www.thewindowsclub.com/what-are-root-certificates-windows) for more details on root certificates and the involved cryptography.\n\nThis rule identifies the creation or modification of a root certificate by monitoring registry modifications. The installation of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process such as network connections, other registry or file modifications, and any spawned child processes.\n- If one of the processes is suspicious, retrieve it and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and registry.value : \"Blob\" and\n registry.path :\n (\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\"\n ) and\n not process.executable : (\n \"?:\\\\ProgramData\\\\Lenovo\\\\Vantage\\\\Addins\\\\LenovoHardwareScanAddin\\\\*\\\\LdeApi.Server.exe\",\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptionsPlus\\\\Plugins\\\\64\\\\certmgr.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MpDefenderCoreService.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\ProgramData\\\\Quest\\\\KACE\\\\modules\\\\clientidentifier\\\\clientidentifier.exe\",\n 
\"?:\\\\ProgramData\\\\Sophos\\\\AutoUpdate\\\\Cache\\\\sophos_autoupdate1.dir\\\\SophosUpdate.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\",\n \"?:\\\\Windows\\\\ccmsetup\\\\cache\\\\ccmsetup.exe\",\n \"?:\\\\Windows\\\\Cluster\\\\clussvc.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe\",\n \"?:\\\\Windows\\\\Lenovo\\\\ImController\\\\PluginHost86\\\\Lenovo.Modern.ImController.PluginHost.Device.exe\",\n \"?:\\\\Windows\\\\Lenovo\\\\ImController\\\\Service\\\\Lenovo.Modern.ImController.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\System32\\\\*.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*.exe\"\n )\n", "references": ["https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", "https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 21, "rule_id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.004", "name": "Install Root Certificate", "reference": "https://attack.mitre.org/techniques/T1553/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_104.json b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_104.json
deleted file mode 100644
index a9ca0181b0b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.", "false_positives": ["Certain applications may install root certificates for the purpose of inspecting SSL traffic."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of Root Certificate", "note": "## Triage and analysis\n\n### Investigating Creation or Modification of Root Certificate\n\nRoot certificates are the primary level of certifications that tell a browser that the communication is trusted and legitimate. This verification is based upon the identification of a certification authority. Windows adds several trusted root certificates so browsers can use them to communicate with websites.\n\n[Check out this post](https://www.thewindowsclub.com/what-are-root-certificates-windows) for more details on root certificates and the involved cryptography.\n\nThis rule identifies the creation or modification of a root certificate by monitoring registry modifications. The installation of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process such as network connections, other registry or file modifications, and any spawned child processes.\n- If one of the processes is suspicious, retrieve it and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path :\n (\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\"\n ) and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\*.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\")\n", "references": 
["https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", "https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.004", "name": "Install Root Certificate", "reference": "https://attack.mitre.org/techniques/T1553/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_105.json b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_105.json
deleted file mode 100644
index edd5f893cd7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.", "false_positives": ["Certain applications may install root certificates for the purpose of inspecting SSL traffic."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of Root Certificate", "note": "## Triage and analysis\n\n### Investigating Creation or Modification of Root Certificate\n\nRoot certificates are the primary level of certifications that tell a browser that the communication is trusted and legitimate. This verification is based upon the identification of a certification authority. Windows adds several trusted root certificates so browsers can use them to communicate with websites.\n\n[Check out this post](https://www.thewindowsclub.com/what-are-root-certificates-windows) for more details on root certificates and the involved cryptography.\n\nThis rule identifies the creation or modification of a root certificate by monitoring registry modifications. The installation of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process such as network connections, other registry or file modifications, and any spawned child processes.\n- If one of the processes is suspicious, retrieve it and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path :\n (\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\"\n ) and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\*.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\")\n", "references": 
["https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", "https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.004", "name": "Install Root Certificate", "reference": "https://attack.mitre.org/techniques/T1553/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_106.json b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_106.json
deleted file mode 100644
index ed9c12751ae..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.", "false_positives": ["Certain applications may install root certificates for the purpose of inspecting SSL traffic."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of Root Certificate", "note": "## Triage and analysis\n\n### Investigating Creation or Modification of Root Certificate\n\nRoot certificates are the primary level of certifications that tell a browser that the communication is trusted and legitimate. This verification is based upon the identification of a certification authority. Windows adds several trusted root certificates so browsers can use them to communicate with websites.\n\n[Check out this post](https://www.thewindowsclub.com/what-are-root-certificates-windows) for more details on root certificates and the involved cryptography.\n\nThis rule identifies the creation or modification of a root certificate by monitoring registry modifications. The installation of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process such as network connections, other registry or file modifications, and any spawned child processes.\n- If one of the processes is suspicious, retrieve it and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path :\n (\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\"\n ) and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\*.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\")\n", "references": 
["https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", "https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.004", "name": "Install Root Certificate", "reference": "https://attack.mitre.org/techniques/T1553/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_107.json b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_107.json
deleted file mode 100644
index c911b41721d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.", "false_positives": ["Certain applications may install root certificates for the purpose of inspecting SSL traffic."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of Root Certificate", "note": "## Triage and analysis\n\n### Investigating Creation or Modification of Root Certificate\n\nRoot certificates are the primary level of certifications that tell a browser that the communication is trusted and legitimate. This verification is based upon the identification of a certification authority. Windows adds several trusted root certificates so browsers can use them to communicate with websites.\n\n[Check out this post](https://www.thewindowsclub.com/what-are-root-certificates-windows) for more details on root certificates and the involved cryptography.\n\nThis rule identifies the creation or modification of a root certificate by monitoring registry modifications. The installation of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process such as network connections, other registry or file modifications, and any spawned child processes.\n- If one of the processes is suspicious, retrieve it and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path :\n (\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\"\n ) and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\*.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\")\n", "references": 
["https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", "https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.004", "name": "Install Root Certificate", "reference": "https://attack.mitre.org/techniques/T1553/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_108.json b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_108.json
deleted file mode 100644
index 419a7459e7a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.", "false_positives": ["Certain applications may install root certificates for the purpose of inspecting SSL traffic."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of Root Certificate", "note": "## Triage and analysis\n\n### Investigating Creation or Modification of Root Certificate\n\nRoot certificates are the primary level of certifications that tell a browser that the communication is trusted and legitimate. This verification is based upon the identification of a certification authority. Windows adds several trusted root certificates so browsers can use them to communicate with websites.\n\n[Check out this post](https://www.thewindowsclub.com/what-are-root-certificates-windows) for more details on root certificates and the involved cryptography.\n\nThis rule identifies the creation or modification of a root certificate by monitoring registry modifications. The installation of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process such as network connections, other registry or file modifications, and any spawned child processes.\n- If one of the processes is suspicious, retrieve it and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path :\n (\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\"\n ) and\n not process.executable : (\n \"?:\\\\ProgramData\\\\Lenovo\\\\Vantage\\\\Addins\\\\LenovoHardwareScanAddin\\\\*\\\\LdeApi.Server.exe\",\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptionsPlus\\\\Plugins\\\\64\\\\certmgr.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\ProgramData\\\\Quest\\\\KACE\\\\modules\\\\clientidentifier\\\\clientidentifier.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\",\n 
\"?:\\\\Windows\\\\ccmsetup\\\\cache\\\\ccmsetup.exe\",\n \"?:\\\\Windows\\\\Cluster\\\\clussvc.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe\",\n \"?:\\\\Windows\\\\Lenovo\\\\ImController\\\\PluginHost86\\\\Lenovo.Modern.ImController.PluginHost.Device.exe\",\n \"?:\\\\Windows\\\\Lenovo\\\\ImController\\\\Service\\\\Lenovo.Modern.ImController.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\System32\\\\*.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*.exe\"\n )\n", "references": ["https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", "https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.004", "name": "Install Root Certificate", "reference": "https://attack.mitre.org/techniques/T1553/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_109.json b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_109.json
deleted file mode 100644
index d0c44f55365..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.", "false_positives": ["Certain applications may install root certificates for the purpose of inspecting SSL traffic."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of Root Certificate", "note": "## Triage and analysis\n\n### Investigating Creation or Modification of Root Certificate\n\nRoot certificates are the primary level of certifications that tell a browser that the communication is trusted and legitimate. This verification is based upon the identification of a certification authority. Windows adds several trusted root certificates so browsers can use them to communicate with websites.\n\n[Check out this post](https://www.thewindowsclub.com/what-are-root-certificates-windows) for more details on root certificates and the involved cryptography.\n\nThis rule identifies the creation or modification of a root certificate by monitoring registry modifications. The installation of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process such as network connections, other registry or file modifications, and any spawned child processes.\n- If one of the processes is suspicious, retrieve it and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path :\n (\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\"\n ) and\n not process.executable : (\n \"?:\\\\ProgramData\\\\Lenovo\\\\Vantage\\\\Addins\\\\LenovoHardwareScanAddin\\\\*\\\\LdeApi.Server.exe\",\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptionsPlus\\\\Plugins\\\\64\\\\certmgr.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\ProgramData\\\\Quest\\\\KACE\\\\modules\\\\clientidentifier\\\\clientidentifier.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\",\n 
\"?:\\\\Windows\\\\ccmsetup\\\\cache\\\\ccmsetup.exe\",\n \"?:\\\\Windows\\\\Cluster\\\\clussvc.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe\",\n \"?:\\\\Windows\\\\Lenovo\\\\ImController\\\\PluginHost86\\\\Lenovo.Modern.ImController.PluginHost.Device.exe\",\n \"?:\\\\Windows\\\\Lenovo\\\\ImController\\\\Service\\\\Lenovo.Modern.ImController.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\System32\\\\*.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*.exe\"\n )\n", "references": ["https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", "https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic 
Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.004", "name": "Install Root Certificate", "reference": "https://attack.mitre.org/techniques/T1553/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_110.json b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_110.json
deleted file mode 100644
index ec7b8daf53e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.", "false_positives": ["Certain applications may install root certificates for the purpose of inspecting SSL traffic."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of Root Certificate", "note": "## Triage and analysis\n\n### Investigating Creation or Modification of Root Certificate\n\nRoot certificates are the primary level of certifications that tell a browser that the communication is trusted and legitimate. This verification is based upon the identification of a certification authority. Windows adds several trusted root certificates so browsers can use them to communicate with websites.\n\n[Check out this post](https://www.thewindowsclub.com/what-are-root-certificates-windows) for more details on root certificates and the involved cryptography.\n\nThis rule identifies the creation or modification of a root certificate by monitoring registry modifications. The installation of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process such as network connections, other registry or file modifications, and any spawned child processes.\n- If one of the processes is suspicious, retrieve it and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path :\n (\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\"\n ) and\n not process.executable : (\n \"?:\\\\ProgramData\\\\Lenovo\\\\Vantage\\\\Addins\\\\LenovoHardwareScanAddin\\\\*\\\\LdeApi.Server.exe\",\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptionsPlus\\\\Plugins\\\\64\\\\certmgr.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\ProgramData\\\\Quest\\\\KACE\\\\modules\\\\clientidentifier\\\\clientidentifier.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\",\n 
\"?:\\\\Windows\\\\ccmsetup\\\\cache\\\\ccmsetup.exe\",\n \"?:\\\\Windows\\\\Cluster\\\\clussvc.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe\",\n \"?:\\\\Windows\\\\Lenovo\\\\ImController\\\\PluginHost86\\\\Lenovo.Modern.ImController.PluginHost.Device.exe\",\n \"?:\\\\Windows\\\\Lenovo\\\\ImController\\\\Service\\\\Lenovo.Modern.ImController.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\System32\\\\*.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*.exe\"\n )\n", "references": ["https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", "https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic 
Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.004", "name": "Install Root Certificate", "reference": "https://attack.mitre.org/techniques/T1553/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_111.json b/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_111.json
deleted file mode 100644
index 9b5d2896c43..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/203ab79b-239b-4aa5-8e54-fc50623ee8e4_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a local trusted root certificate in Windows. The install of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.", "false_positives": ["Certain applications may install root certificates for the purpose of inspecting SSL traffic."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of Root Certificate", "note": "## Triage and analysis\n\n### Investigating Creation or Modification of Root Certificate\n\nRoot certificates are the primary level of certifications that tell a browser that the communication is trusted and legitimate. This verification is based upon the identification of a certification authority. Windows adds several trusted root certificates so browsers can use them to communicate with websites.\n\n[Check out this post](https://www.thewindowsclub.com/what-are-root-certificates-windows) for more details on root certificates and the involved cryptography.\n\nThis rule identifies the creation or modification of a root certificate by monitoring registry modifications. The installation of a malicious root certificate would allow an attacker the ability to masquerade malicious files as valid signed components from any entity (for example, Microsoft). It could also allow an attacker to decrypt SSL traffic.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate abnormal behaviors observed by the subject process such as network connections, other registry or file modifications, and any spawned child processes.\n- If one of the processes is suspicious, retrieve it and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and registry.value : \"Blob\" and\n registry.path :\n (\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\Root\\\\Certificates\\\\*\\\\Blob\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\SystemCertificates\\\\AuthRoot\\\\Certificates\\\\*\\\\Blob\"\n ) and\n not process.executable : (\n \"?:\\\\ProgramData\\\\Lenovo\\\\Vantage\\\\Addins\\\\LenovoHardwareScanAddin\\\\*\\\\LdeApi.Server.exe\",\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptionsPlus\\\\Plugins\\\\64\\\\certmgr.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MpDefenderCoreService.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\ProgramData\\\\Quest\\\\KACE\\\\modules\\\\clientidentifier\\\\clientidentifier.exe\",\n 
\"?:\\\\ProgramData\\\\Sophos\\\\AutoUpdate\\\\Cache\\\\sophos_autoupdate1.dir\\\\SophosUpdate.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\",\n \"?:\\\\Windows\\\\ccmsetup\\\\cache\\\\ccmsetup.exe\",\n \"?:\\\\Windows\\\\Cluster\\\\clussvc.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe\",\n \"?:\\\\Windows\\\\Lenovo\\\\ImController\\\\PluginHost86\\\\Lenovo.Modern.ImController.PluginHost.Device.exe\",\n \"?:\\\\Windows\\\\Lenovo\\\\ImController\\\\Service\\\\Lenovo.Modern.ImController.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\System32\\\\*.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*.exe\"\n )\n", "references": ["https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec", "https://www.ired.team/offensive-security/persistence/t1130-install-root-certificate"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 21, "rule_id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.004", "name": "Install Root Certificate", "reference": "https://attack.mitre.org/techniques/T1553/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "203ab79b-239b-4aa5-8e54-fc50623ee8e4_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13.json b/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13.json
deleted file mode 100644
index 96337cc25b0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies when a request has been made to transfer a Route 53 domain to another AWS account.", "false_positives": ["A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route 53 Domain Transferred to Another Account", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "2045567e-b0af-444a-8c0b-0b6e2dae9e13", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Asset Visibility", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", 
"reference": "https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "2045567e-b0af-444a-8c0b-0b6e2dae9e13", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_102.json b/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_102.json
deleted file mode 100644
index 59940025fc1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies when a request has been made to transfer a Route 53 domain to another AWS account.", "false_positives": ["A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route 53 Domain Transferred to Another Account", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "2045567e-b0af-444a-8c0b-0b6e2dae9e13", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}, 
{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "2045567e-b0af-444a-8c0b-0b6e2dae9e13_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_103.json b/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_103.json
deleted file mode 100644
index 35a831cb077..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies when a request has been made to transfer a Route 53 domain to another AWS account.", "false_positives": ["A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route 53 Domain Transferred to Another Account", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "2045567e-b0af-444a-8c0b-0b6e2dae9e13", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": 
"https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "2045567e-b0af-444a-8c0b-0b6e2dae9e13_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_104.json b/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_104.json
deleted file mode 100644
index 2a0e14f32d5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies when a request has been made to transfer a Route 53 domain to another AWS account.", "false_positives": ["A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route 53 Domain Transferred to Another Account", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "2045567e-b0af-444a-8c0b-0b6e2dae9e13", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": 
"https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "2045567e-b0af-444a-8c0b-0b6e2dae9e13_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_205.json b/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_205.json
deleted file mode 100644
index 57d3138fe14..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2045567e-b0af-444a-8c0b-0b6e2dae9e13_205.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies when a request has been made to transfer a Route 53 domain to another AWS account.", "false_positives": ["A domain may be transferred to another AWS account by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Domain transfers from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route 53 Domain Transferred to Another Account", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:TransferDomainToAnotherAwsAccount and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "2045567e-b0af-444a-8c0b-0b6e2dae9e13", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": 
"https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "2045567e-b0af-444a-8c0b-0b6e2dae9e13_205", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a.json b/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a.json
deleted file mode 100644
index 4d71e433b2b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the access or file open of web browser sensitive files by an untrusted/unsigned process or osascript. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.", "from": "now-9m", "index": ["logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Web Browser Sensitive File Access", "query": "file where event.action == \"open\" and host.os.type == \"macos\" and process.executable != null and\n file.name : (\"cookies.sqlite\", \n \"key?.db\", \n \"logins.json\", \n \"Cookies\", \n \"Cookies.binarycookies\", \n \"Login Data\") and \n ((process.code_signature.trusted == false or process.code_signature.exists == false) or process.name : \"osascript\") and \n not process.code_signature.signing_id : \"org.mozilla.firefox\" and\n not process.Ext.effective_parent.executable : \"/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint\"\n", "references": ["https://securelist.com/calisto-trojan-for-macos/86543/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.signing_id", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "20457e4f-d1de-4b92-ae69-142e27a4342a", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration 
Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1539", "name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.003", "name": "Credentials from Web Browsers", "reference": "https://attack.mitre.org/techniques/T1555/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 208}, "id": "20457e4f-d1de-4b92-ae69-142e27a4342a", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_102.json b/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_102.json
deleted file mode 100644
index f0f9ac632dc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Access of Stored Browser Credentials", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Login Data\",\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Cookies\",\n \"/Users/*/Library/Application Support/Google/Chrome/Profile*/Cookies\",\n \"/Users/*/Library/Cookies*\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json\",\n \"Login Data\",\n \"Cookies.binarycookies\",\n \"key4.db\",\n \"key3.db\",\n \"logins.json\",\n \"cookies.sqlite\"\n )\n", "references": ["https://securelist.com/calisto-trojan-for-macos/86543/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "20457e4f-d1de-4b92-ae69-142e27a4342a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", 
"macOS", "Threat Detection", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1539", "name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.003", "name": "Credentials from Web Browsers", "reference": "https://attack.mitre.org/techniques/T1555/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "20457e4f-d1de-4b92-ae69-142e27a4342a_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_103.json b/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_103.json
deleted file mode 100644
index ea7ce04d7b6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Access of Stored Browser Credentials", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Login Data\",\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Cookies\",\n \"/Users/*/Library/Application Support/Google/Chrome/Profile*/Cookies\",\n \"/Users/*/Library/Cookies*\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json\",\n \"Login Data\",\n \"Cookies.binarycookies\",\n \"key4.db\",\n \"key3.db\",\n \"logins.json\",\n \"cookies.sqlite\"\n )\n", "references": ["https://securelist.com/calisto-trojan-for-macos/86543/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "20457e4f-d1de-4b92-ae69-142e27a4342a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", 
"OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1539", "name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.003", "name": "Credentials from Web Browsers", "reference": "https://attack.mitre.org/techniques/T1555/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "20457e4f-d1de-4b92-ae69-142e27a4342a_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_104.json b/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_104.json
deleted file mode 100644
index 09a54c70da5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Access of Stored Browser Credentials", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Login Data\",\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Cookies\",\n \"/Users/*/Library/Application Support/Google/Chrome/Profile*/Cookies\",\n \"/Users/*/Library/Cookies*\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json\",\n \"Login Data\",\n \"Cookies.binarycookies\",\n \"key4.db\",\n \"key3.db\",\n \"logins.json\",\n \"cookies.sqlite\"\n )\n", "references": ["https://securelist.com/calisto-trojan-for-macos/86543/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "20457e4f-d1de-4b92-ae69-142e27a4342a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", 
"OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1539", "name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.003", "name": "Credentials from Web Browsers", "reference": "https://attack.mitre.org/techniques/T1555/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "20457e4f-d1de-4b92-ae69-142e27a4342a_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_105.json b/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_105.json
deleted file mode 100644
index e1cf007b571..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Access of Stored Browser Credentials", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Login Data\",\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Cookies\",\n \"/Users/*/Library/Application Support/Google/Chrome/Profile*/Cookies\",\n \"/Users/*/Library/Cookies*\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json\",\n \"Login Data\",\n \"Cookies.binarycookies\",\n \"key4.db\",\n \"key3.db\",\n \"logins.json\",\n \"cookies.sqlite\"\n ) and \n not (process.name : \"wordexp-helper\" and process.parent.name : (\"elastic-agent\", \"elastic-endpoint\"))\n", "references": ["https://securelist.com/calisto-trojan-for-macos/86543/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "20457e4f-d1de-4b92-ae69-142e27a4342a", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define 
`event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1539", "name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.003", "name": "Credentials from Web Browsers", "reference": "https://attack.mitre.org/techniques/T1555/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "20457e4f-d1de-4b92-ae69-142e27a4342a_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_106.json b/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_106.json
deleted file mode 100644
index e495bab0824..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Access of Stored Browser Credentials", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Login Data\",\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Cookies\",\n \"/Users/*/Library/Application Support/Google/Chrome/Profile*/Cookies\",\n \"/Users/*/Library/Cookies*\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json\",\n \"Login Data\",\n \"Cookies.binarycookies\",\n \"key4.db\",\n \"key3.db\",\n \"logins.json\",\n \"cookies.sqlite\"\n ) and \n not (process.name : \"wordexp-helper\" and process.parent.name : (\"elastic-agent\", \"elastic-endpoint\"))\n", "references": ["https://securelist.com/calisto-trojan-for-macos/86543/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "20457e4f-d1de-4b92-ae69-142e27a4342a", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the 
Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1539", "name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.003", "name": "Credentials from Web Browsers", "reference": "https://attack.mitre.org/techniques/T1555/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "20457e4f-d1de-4b92-ae69-142e27a4342a_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_107.json b/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_107.json
deleted file mode 100644
index f9ddae7c0b4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Access of Stored Browser Credentials", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Login Data\",\n \"/Users/*/Library/Application Support/Google/Chrome/Default/Cookies\",\n \"/Users/*/Library/Application Support/Google/Chrome/Profile*/Cookies\",\n \"/Users/*/Library/Cookies*\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db\",\n \"/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json\",\n \"Login Data\",\n \"Cookies.binarycookies\",\n \"key4.db\",\n \"key3.db\",\n \"logins.json\",\n \"cookies.sqlite\"\n ) and \n not (process.name : \"wordexp-helper\" and process.parent.name : (\"elastic-agent\", \"elastic-endpoint\"))\n", "references": ["https://securelist.com/calisto-trojan-for-macos/86543/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "20457e4f-d1de-4b92-ae69-142e27a4342a", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated 
into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1539", "name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.003", "name": "Credentials from Web Browsers", "reference": "https://attack.mitre.org/techniques/T1555/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "20457e4f-d1de-4b92-ae69-142e27a4342a_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_207.json b/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_207.json
deleted file mode 100644
index 5a4f2336046..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_207.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the access or file open of web browser sensitive files by an untrusted/unsigned process or osascript. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.", "from": "now-9m", "index": ["logs-endpoint.events.file.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Web Browser Sensitive File Access", "query": "file where event.action == \"open\" and process.executable != null and \n file.name : (\"cookies.sqlite\", \n \"key?.db\", \n \"logins.json\", \n \"Cookies\", \n \"Cookies.binarycookies\", \n \"Login Data\") and \n ((process.code_signature.trusted == false or process.code_signature.exists == false) or process.name : \"osascript\") and \n not process.code_signature.signing_id : \"org.mozilla.firefox\" and\n not process.Ext.effective_parent.executable : \"/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint\"\n", "references": ["https://securelist.com/calisto-trojan-for-macos/86543/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.signing_id", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "20457e4f-d1de-4b92-ae69-142e27a4342a", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1539", "name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.003", "name": "Credentials from Web Browsers", "reference": "https://attack.mitre.org/techniques/T1555/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 207}, "id": "20457e4f-d1de-4b92-ae69-142e27a4342a_207", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_208.json b/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_208.json
deleted file mode 100644
index 65d9c863d82..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_208.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the access or file open of web browser sensitive files by an untrusted/unsigned process or osascript. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.", "from": "now-9m", "index": ["logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Web Browser Sensitive File Access", "query": "file where event.action == \"open\" and host.os.type == \"macos\" and process.executable != null and\n file.name : (\"cookies.sqlite\", \n \"key?.db\", \n \"logins.json\", \n \"Cookies\", \n \"Cookies.binarycookies\", \n \"Login Data\") and \n ((process.code_signature.trusted == false or process.code_signature.exists == false) or process.name : \"osascript\") and \n not process.code_signature.signing_id : \"org.mozilla.firefox\" and\n not process.Ext.effective_parent.executable : \"/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint\"\n", "references": ["https://securelist.com/calisto-trojan-for-macos/86543/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.signing_id", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "20457e4f-d1de-4b92-ae69-142e27a4342a", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration 
Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1539", "name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.003", "name": "Credentials from Web Browsers", "reference": "https://attack.mitre.org/techniques/T1555/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 208}, "id": "20457e4f-d1de-4b92-ae69-142e27a4342a_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/205b52c4-9c28-4af4-8979-935f3278d61a.json b/packages/security_detection_engine/kibana/security_rule/205b52c4-9c28-4af4-8979-935f3278d61a.json
deleted file mode 100644
index 9e2e3249838..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/205b52c4-9c28-4af4-8979-935f3278d61a.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the registration of a Werfault Debugger. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed with the \"-pr\" parameter.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Werfault ReflectDebugger Persistence", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\Hangs\\\\ReflectDebugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\Hangs\\\\ReflectDebugger\"\n )\n", "references": ["https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "205b52c4-9c28-4af4-8979-935f3278d61a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": 
"205b52c4-9c28-4af4-8979-935f3278d61a", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/205b52c4-9c28-4af4-8979-935f3278d61a_1.json b/packages/security_detection_engine/kibana/security_rule/205b52c4-9c28-4af4-8979-935f3278d61a_1.json
deleted file mode 100644
index ebcbb975b4d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/205b52c4-9c28-4af4-8979-935f3278d61a_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the registration of a Werfault Debugger. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed with the \"-pr\" parameter.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Werfault ReflectDebugger Persistence", "query": "registry where event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\Hangs\\\\ReflectDebugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\Hangs\\\\ReflectDebugger\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "205b52c4-9c28-4af4-8979-935f3278d61a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "205b52c4-9c28-4af4-8979-935f3278d61a_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/205b52c4-9c28-4af4-8979-935f3278d61a_2.json b/packages/security_detection_engine/kibana/security_rule/205b52c4-9c28-4af4-8979-935f3278d61a_2.json
deleted file mode 100644
index ca1d616d53b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/205b52c4-9c28-4af4-8979-935f3278d61a_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the registration of a Werfault Debugger. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed with the \"-pr\" parameter.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Werfault ReflectDebugger Persistence", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\Hangs\\\\ReflectDebugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\Hangs\\\\ReflectDebugger\"\n )\n", "references": ["https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "205b52c4-9c28-4af4-8979-935f3278d61a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": 
"205b52c4-9c28-4af4-8979-935f3278d61a_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de.json b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de.json
deleted file mode 100644
index 9d648514294..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Handle Access", "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by 
the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where event.action == \"File System\" and event.code == \"4656\" and\n\n winlog.event_data.ObjectName : (\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume?\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume??\\\\Windows\\\\System32\\\\lsass.exe\") and\n\n /* The right to perform an operation controlled by an extended access right. 
*/\n\n (winlog.event_data.AccessMask : (\"0x1fffff\" , \"0x1010\", \"0x120089\", \"0x1F3FFF\") or\n winlog.event_data.AccessMaskDescription : (\"READ_CONTROL\", \"Read from process memory\"))\n\n /* Common Noisy False Positives */\n\n and not winlog.event_data.ProcessName : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\poqexec.exe\")\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656", "https://twitter.com/jsecurity101/status/1227987828534956033?s=20", "https://attack.mitre.org/techniques/T1003/001/", "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html", "http://findingbad.blogspot.com/2017/", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AccessMaskDescription", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ObjectName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ProcessName", "type": "keyword"}], "risk_score": 73, "rule_id": "208dbe77-01ed-4954-8d44-1e5751cb20de", "setup": "## Setup\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle 
to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "208dbe77-01ed-4954-8d44-1e5751cb20de", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_105.json b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_105.json
deleted file mode 100644
index af458916962..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Handle Access", "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. 
If this activity is expected or noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "any where host.os.type == \"windows\" and event.action == \"File System\" and event.code == \"4656\" and\n\n winlog.event_data.ObjectName : (\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume?\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume??\\\\Windows\\\\System32\\\\lsass.exe\") and\n\n /* The right to perform an operation controlled by an extended access right. 
*/\n\n (winlog.event_data.AccessMask : (\"0x1fffff\" , \"0x1010\", \"0x120089\", \"0x1F3FFF\") or\n winlog.event_data.AccessMaskDescription : (\"READ_CONTROL\", \"Read from process memory\"))\n\n /* Common Noisy False Positives */\n\n and not winlog.event_data.ProcessName : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Windows\\\\explorer.exe\")\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656", "https://twitter.com/jsecurity101/status/1227987828534956033?s=20", "https://attack.mitre.org/techniques/T1003/001/", "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html", "http://findingbad.blogspot.com/2017/", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AccessMaskDescription", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ObjectName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ProcessName", "type": "keyword"}], "risk_score": 73, "rule_id": "208dbe77-01ed-4954-8d44-1e5751cb20de", "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings 
>\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s SACL has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "208dbe77-01ed-4954-8d44-1e5751cb20de_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_106.json b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_106.json
deleted file mode 100644
index ecf26abec32..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Handle Access", "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by 
the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "any where host.os.type == \"windows\" and event.action == \"File System\" and event.code == \"4656\" and\n\n winlog.event_data.ObjectName : (\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume?\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume??\\\\Windows\\\\System32\\\\lsass.exe\") and\n\n /* The right to 
perform an operation controlled by an extended access right. */\n\n (winlog.event_data.AccessMask : (\"0x1fffff\" , \"0x1010\", \"0x120089\", \"0x1F3FFF\") or\n winlog.event_data.AccessMaskDescription : (\"READ_CONTROL\", \"Read from process memory\"))\n\n /* Common Noisy False Positives */\n\n and not winlog.event_data.ProcessName : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Windows\\\\explorer.exe\")\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656", "https://twitter.com/jsecurity101/status/1227987828534956033?s=20", "https://attack.mitre.org/techniques/T1003/001/", "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html", "http://findingbad.blogspot.com/2017/", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AccessMaskDescription", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ObjectName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ProcessName", "type": "keyword"}], "risk_score": 73, "rule_id": "208dbe77-01ed-4954-8d44-1e5751cb20de", "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was 
Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s SACL has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "208dbe77-01ed-4954-8d44-1e5751cb20de_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_107.json b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_107.json
deleted file mode 100644
index c682ba2ac78..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Handle Access", "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by 
the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "any where event.action == \"File System\" and event.code == \"4656\" and\n\n winlog.event_data.ObjectName : (\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume?\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume??\\\\Windows\\\\System32\\\\lsass.exe\") and\n\n /* The right to perform an operation controlled by 
an extended access right. */\n\n (winlog.event_data.AccessMask : (\"0x1fffff\" , \"0x1010\", \"0x120089\", \"0x1F3FFF\") or\n winlog.event_data.AccessMaskDescription : (\"READ_CONTROL\", \"Read from process memory\"))\n\n /* Common Noisy False Positives */\n\n and not winlog.event_data.ProcessName : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Windows\\\\explorer.exe\")\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656", "https://twitter.com/jsecurity101/status/1227987828534956033?s=20", "https://attack.mitre.org/techniques/T1003/001/", "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html", "http://findingbad.blogspot.com/2017/", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AccessMaskDescription", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ObjectName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ProcessName", "type": "keyword"}], "risk_score": 73, "rule_id": "208dbe77-01ed-4954-8d44-1e5751cb20de", "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced 
Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s SACL has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "208dbe77-01ed-4954-8d44-1e5751cb20de_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_108.json b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_108.json deleted file mode 100644 index 1ad37f5a284..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Handle Access", "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by 
the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "any where event.action == \"File System\" and event.code == \"4656\" and\n\n winlog.event_data.ObjectName : (\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume?\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume??\\\\Windows\\\\System32\\\\lsass.exe\") and\n\n /* The right to perform an operation controlled by 
an extended access right. */\n\n (winlog.event_data.AccessMask : (\"0x1fffff\" , \"0x1010\", \"0x120089\", \"0x1F3FFF\") or\n winlog.event_data.AccessMaskDescription : (\"READ_CONTROL\", \"Read from process memory\"))\n\n /* Common Noisy False Positives */\n\n and not winlog.event_data.ProcessName : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Windows\\\\explorer.exe\")\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656", "https://twitter.com/jsecurity101/status/1227987828534956033?s=20", "https://attack.mitre.org/techniques/T1003/001/", "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html", "http://findingbad.blogspot.com/2017/", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AccessMaskDescription", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ObjectName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ProcessName", "type": "keyword"}], "risk_score": 73, "rule_id": "208dbe77-01ed-4954-8d44-1e5751cb20de", "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced 
Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s SACL has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "208dbe77-01ed-4954-8d44-1e5751cb20de_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_109.json b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_109.json deleted file mode 100644 index fd531f65316..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Handle Access", "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by 
the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "any where event.action == \"File System\" and event.code == \"4656\" and\n\n winlog.event_data.ObjectName : (\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume?\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume??\\\\Windows\\\\System32\\\\lsass.exe\") and\n\n /* The right to perform an operation controlled by an extended access right. 
*/\n\n (winlog.event_data.AccessMask : (\"0x1fffff\" , \"0x1010\", \"0x120089\", \"0x1F3FFF\") or\n winlog.event_data.AccessMaskDescription : (\"READ_CONTROL\", \"Read from process memory\"))\n\n /* Common Noisy False Positives */\n\n and not winlog.event_data.ProcessName : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\poqexec.exe\")\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656", "https://twitter.com/jsecurity101/status/1227987828534956033?s=20", "https://attack.mitre.org/techniques/T1003/001/", "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html", "http://findingbad.blogspot.com/2017/", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AccessMaskDescription", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ObjectName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ProcessName", "type": "keyword"}], "risk_score": 73, "rule_id": "208dbe77-01ed-4954-8d44-1e5751cb20de", "setup": "\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an 
Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "208dbe77-01ed-4954-8d44-1e5751cb20de_109", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_110.json b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_110.json
deleted file mode 100644
index 55364692b72..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Handle Access", "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by 
the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where event.action == \"File System\" and event.code == \"4656\" and\n\n winlog.event_data.ObjectName : (\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume?\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume??\\\\Windows\\\\System32\\\\lsass.exe\") and\n\n /* The right to perform an operation controlled by an extended access right. 
*/\n\n (winlog.event_data.AccessMask : (\"0x1fffff\" , \"0x1010\", \"0x120089\", \"0x1F3FFF\") or\n winlog.event_data.AccessMaskDescription : (\"READ_CONTROL\", \"Read from process memory\"))\n\n /* Common Noisy False Positives */\n\n and not winlog.event_data.ProcessName : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\poqexec.exe\")\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656", "https://twitter.com/jsecurity101/status/1227987828534956033?s=20", "https://attack.mitre.org/techniques/T1003/001/", "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html", "http://findingbad.blogspot.com/2017/", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AccessMaskDescription", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ObjectName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ProcessName", "type": "keyword"}], "risk_score": 73, "rule_id": "208dbe77-01ed-4954-8d44-1e5751cb20de", "setup": "## Setup\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle 
to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "208dbe77-01ed-4954-8d44-1e5751cb20de_110", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_111.json b/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_111.json
deleted file mode 100644
index a68ffb7bdee..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/208dbe77-01ed-4954-8d44-1e5751cb20de_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies handle requests for the Local Security Authority Subsystem Service (LSASS) object access with specific access masks that many tools with a capability to dump memory to disk use (0x1fffff, 0x1010, 0x120089). This rule is tool agnostic as it has been validated against a host of various LSASS dump tools such as SharpDump, Procdump, Mimikatz, Comsvcs etc. It detects this behavior at a low level and does not depend on a specific tool or dump file name.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Handle Access", "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Handle Access\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nAdversaries may attempt to access credential material stored in LSASS process memory. After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn\u2019t prompted each time resource access is requested. These credential materials can be harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/).\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There should be very few or no false positives for this rule. If this activity is expected or noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If the process is related to antivirus or endpoint detection and response solutions, validate that it is installed on the correct path and signed with the company's valid digital signature.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Scope compromised credentials and disable the accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by 
the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where event.action == \"File System\" and event.code == \"4656\" and\n\n winlog.event_data.ObjectName : (\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume?\\\\Windows\\\\System32\\\\lsass.exe\",\n \"\\\\Device\\\\HarddiskVolume??\\\\Windows\\\\System32\\\\lsass.exe\") and\n\n /* The right to perform an operation controlled by an extended access right. 
*/\n\n (winlog.event_data.AccessMask : (\"0x1fffff\" , \"0x1010\", \"0x120089\", \"0x1F3FFF\") or\n winlog.event_data.AccessMaskDescription : (\"READ_CONTROL\", \"Read from process memory\"))\n\n /* Common Noisy False Positives */\n\n and not winlog.event_data.ProcessName : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\system32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\*.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\poqexec.exe\")\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656", "https://twitter.com/jsecurity101/status/1227987828534956033?s=20", "https://attack.mitre.org/techniques/T1003/001/", "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html", "http://findingbad.blogspot.com/2017/", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AccessMaskDescription", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ObjectName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ProcessName", "type": "keyword"}], "risk_score": 73, "rule_id": "208dbe77-01ed-4954-8d44-1e5751cb20de", "setup": "## Setup\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle 
to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nAlso, this event generates only if the object\u2019s [SACL](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists) has the required access control entry (ACE) to handle the use of specific access rights.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "208dbe77-01ed-4954-8d44-1e5751cb20de_111", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/210d4430-b371-470e-b879-80b7182aa75e.json b/packages/security_detection_engine/kibana/security_rule/210d4430-b371-470e-b879-80b7182aa75e.json
deleted file mode 100644
index 24170d10282..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/210d4430-b371-470e-b879-80b7182aa75e.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Managed Object Format (MOF) files can be compiled locally or remotely through mofcomp.exe. Attackers may leverage MOF files to build their own namespaces and classes into the Windows Management Instrumentation (WMI) repository, or establish persistence using WMI Event Subscription.", "from": "now-9m", "index": ["logs-endpoint.events.process-*"], "language": "eql", "license": "Elastic License v2", "name": "Mofcomp Activity", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"mofcomp.exe\" and process.args : \"*.mof\" and\n not user.id : \"S-1-5-18\" and\n not\n (\n process.parent.name : \"ScenarioEngine.exe\" and\n process.args : (\n \"*\\\\MSSQL\\\\Binn\\\\*.mof\",\n \"*\\\\Microsoft SQL Server\\\\???\\\\Shared\\\\*.mof\",\n \"*\\\\OLAP\\\\bin\\\\*.mof\"\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "210d4430-b371-470e-b879-80b7182aa75e", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": 
"T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.003", "name": "Windows Management Instrumentation Event Subscription", "reference": "https://attack.mitre.org/techniques/T1546/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "210d4430-b371-470e-b879-80b7182aa75e", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/210d4430-b371-470e-b879-80b7182aa75e_1.json b/packages/security_detection_engine/kibana/security_rule/210d4430-b371-470e-b879-80b7182aa75e_1.json deleted file mode 100644 index c38b108a433..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/210d4430-b371-470e-b879-80b7182aa75e_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Managed Object Format (MOF) files can be compiled locally or remotely through mofcomp.exe. Attackers may leverage MOF files to build their own namespaces and classes into the Windows Management Instrumentation (WMI) repository, or establish persistence using WMI Event Subscription.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Mofcomp Activity", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"mofcomp.exe\" and process.args : \"*.mof\" and\n not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "210d4430-b371-470e-b879-80b7182aa75e", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.003", "name": "Windows Management Instrumentation Event Subscription", 
"reference": "https://attack.mitre.org/techniques/T1546/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "210d4430-b371-470e-b879-80b7182aa75e_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/210d4430-b371-470e-b879-80b7182aa75e_2.json b/packages/security_detection_engine/kibana/security_rule/210d4430-b371-470e-b879-80b7182aa75e_2.json deleted file mode 100644 index 4aca4a24bb0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/210d4430-b371-470e-b879-80b7182aa75e_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Managed Object Format (MOF) files can be compiled locally or remotely through mofcomp.exe. Attackers may leverage MOF files to build their own namespaces and classes into the Windows Management Instrumentation (WMI) repository, or establish persistence using WMI Event Subscription.", "from": "now-9m", "index": ["logs-endpoint.events.process-*"], "language": "eql", "license": "Elastic License v2", "name": "Mofcomp Activity", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"mofcomp.exe\" and process.args : \"*.mof\" and\n not user.id : \"S-1-5-18\" and\n not\n (\n process.parent.name : \"ScenarioEngine.exe\" and\n process.args : (\n \"*\\\\MSSQL\\\\Binn\\\\*.mof\",\n \"*\\\\Microsoft SQL Server\\\\???\\\\Shared\\\\*.mof\",\n \"*\\\\OLAP\\\\bin\\\\*.mof\"\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "210d4430-b371-470e-b879-80b7182aa75e", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": 
"T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.003", "name": "Windows Management Instrumentation Event Subscription", "reference": "https://attack.mitre.org/techniques/T1546/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "210d4430-b371-470e-b879-80b7182aa75e_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/210d4430-b371-470e-b879-80b7182aa75e_3.json b/packages/security_detection_engine/kibana/security_rule/210d4430-b371-470e-b879-80b7182aa75e_3.json deleted file mode 100644 index ad765168e68..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/210d4430-b371-470e-b879-80b7182aa75e_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Managed Object Format (MOF) files can be compiled locally or remotely through mofcomp.exe. Attackers may leverage MOF files to build their own namespaces and classes into the Windows Management Instrumentation (WMI) repository, or establish persistence using WMI Event Subscription.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-m365_defender.event-*", "endgame-*", "logs-system.security-*"], "language": "eql", "license": "Elastic License v2", "name": "Mofcomp Activity", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"mofcomp.exe\" and process.args : \"*.mof\" and\n not user.id : \"S-1-5-18\" and\n not\n (\n process.parent.name : \"ScenarioEngine.exe\" and\n process.args : (\n \"*\\\\MSSQL\\\\Binn\\\\*.mof\",\n \"*\\\\Microsoft SQL Server\\\\???\\\\Shared\\\\*.mof\",\n \"*\\\\OLAP\\\\bin\\\\*.mof\"\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "210d4430-b371-470e-b879-80b7182aa75e", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", 
"name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.003", "name": "Windows Management Instrumentation Event Subscription", "reference": "https://attack.mitre.org/techniques/T1546/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "210d4430-b371-470e-b879-80b7182aa75e_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2138bb70-5a5e-42fd-be5e-b38edf6a6777.json b/packages/security_detection_engine/kibana/security_rule/2138bb70-5a5e-42fd-be5e-b38edf6a6777.json deleted file mode 100644 index eef928a4f3f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2138bb70-5a5e-42fd-be5e-b38edf6a6777.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a network event that is followed by the creation of a shell process with suspicious command line arguments. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Child", "query": "sequence by host.id, process.entity_id with maxspan=5s\n [network where event.type == \"start\" and host.os.type == \"linux\" and\n event.action in (\"connection_attempted\", \"connection_accepted\") and\n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"socat\") and destination.ip != null and\n not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")]\n [process where event.type == \"start\" and host.os.type == \"linux\" and event.action == \"exec\" and\n process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.args : (\"-i\", \"-l\")) or (process.parent.name == \"socat\" and process.parent.args : \"*exec*\")\n )]\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2138bb70-5a5e-42fd-be5e-b38edf6a6777", "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 3}, "id": "2138bb70-5a5e-42fd-be5e-b38edf6a6777", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2138bb70-5a5e-42fd-be5e-b38edf6a6777_1.json b/packages/security_detection_engine/kibana/security_rule/2138bb70-5a5e-42fd-be5e-b38edf6a6777_1.json deleted file mode 100644 index 3243ad8dc2e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2138bb70-5a5e-42fd-be5e-b38edf6a6777_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a network event that is followed by the creation of a shell process with suspicious command line arguments. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Child", "query": "sequence by host.id, process.entity_id with maxspan=5s\n [network where event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"socat\") and destination.ip != null and \n not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")]\n [process where event.type == \"start\" and event.action == \"exec\" and \n process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.args : (\"-i\", \"-l\")) or (process.parent.name == \"socat\" and process.parent.args : \"*exec*\")\n )]\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": 
"process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2138bb70-5a5e-42fd-be5e-b38edf6a6777", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 1}, "id": "2138bb70-5a5e-42fd-be5e-b38edf6a6777_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2138bb70-5a5e-42fd-be5e-b38edf6a6777_2.json b/packages/security_detection_engine/kibana/security_rule/2138bb70-5a5e-42fd-be5e-b38edf6a6777_2.json deleted file mode 100644 index 9795a67a64f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2138bb70-5a5e-42fd-be5e-b38edf6a6777_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a network event that is followed by the creation of a shell process with suspicious command line arguments. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Child", "query": "sequence by host.id, process.entity_id with maxspan=5s\n [network where event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"socat\") and destination.ip != null and \n not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")]\n [process where event.type == \"start\" and event.action == \"exec\" and \n process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.args : (\"-i\", \"-l\")) or (process.parent.name == \"socat\" and process.parent.args : \"*exec*\")\n )]\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": 
"process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2138bb70-5a5e-42fd-be5e-b38edf6a6777", "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 2}, "id": "2138bb70-5a5e-42fd-be5e-b38edf6a6777_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc.json b/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc.json deleted file mode 100644 index 64d0bd30a12..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the first time a third-party application logs in and authenticated with OAuth. OAuth is used to grant permissions to specific resources and services in Google Workspace. Compromised credentials or service accounts could allow an adversary to authenticate to Google Workspace as a valid user and inherit their privileges.", "false_positives": ["Developers may leverage third-party applications for legitimate purposes in Google Workspace such as for administrative tasks."], "from": "now-130m", "history_window_start": "now-15d", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", "new_terms_fields": ["google_workspace.token.client.id"], "note": "## Setup\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset: \"google_workspace.token\" and event.action: \"authorize\" and\ngoogle_workspace.token.scope.data: *Login and google_workspace.token.client.id: *apps.googleusercontent.com\n", "references": ["https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", "https://developers.google.com/apps-script/guides/bound", "https://developers.google.com/identity/protocols/oauth2"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.token.client.id", "type": "keyword"}, {"ecs": false, "name": "google_workspace.token.scope.data", "type": "flattened"}], "risk_score": 47, "rule_id": "21bafdf0-cf17-11ed-bd57-f661ea17fbcc", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Defense Evasion", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, 
"technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 4}, "id": "21bafdf0-cf17-11ed-bd57-f661ea17fbcc", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_1.json deleted file mode 100644 index 24659c16c24..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the first time a third-party application logs in and authenticated with OAuth. OAuth is used to grant permissions to specific resources and services in Google Workspace. Compromised credentials or service accounts could allow an adversary to authenticate to Google Workspace as a valid user and inherit their privileges.", "false_positives": ["Developers may leverage third-party applications for legitimate purposes in Google Workspace such as for administrative tasks."], "from": "now-130m", "history_window_start": "now-15d", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", "new_terms_fields": ["google_workspace.token.client.id"], "note": "## Setup\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset: \"google_workspace.token\" and event.action: \"authorize\" and\ngoogle_workspace.token.scope.data.scope_name: *Login and google_workspace.token.client.id: *apps.googleusercontent.com\n", "references": ["https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", "https://developers.google.com/apps-script/guides/bound", "https://developers.google.com/identity/protocols/oauth2"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.token.client.id", "type": "unknown"}, {"ecs": false, "name": "google_workspace.token.scope.data.scope_name", "type": "unknown"}], "risk_score": 47, "rule_id": "21bafdf0-cf17-11ed-bd57-f661ea17fbcc", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Defense Evasion", "Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": 
"https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "21bafdf0-cf17-11ed-bd57-f661ea17fbcc_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_2.json b/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_2.json deleted file mode 100644 index 1052d2bb819..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the first time a third-party application logs in and authenticated with OAuth. OAuth is used to grant permissions to specific resources and services in Google Workspace. Compromised credentials or service accounts could allow an adversary to authenticate to Google Workspace as a valid user and inherit their privileges.", "false_positives": ["Developers may leverage third-party applications for legitimate purposes in Google Workspace such as for administrative tasks."], "from": "now-130m", "history_window_start": "now-15d", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", "new_terms_fields": ["google_workspace.token.client.id"], "note": "## Setup\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset: \"google_workspace.token\" and event.action: \"authorize\" and\ngoogle_workspace.token.scope.data.scope_name: *Login and google_workspace.token.client.id: *apps.googleusercontent.com\n", "references": ["https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", "https://developers.google.com/apps-script/guides/bound", "https://developers.google.com/identity/protocols/oauth2"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.token.client.id", "type": "unknown"}, {"ecs": false, "name": "google_workspace.token.scope.data.scope_name", "type": "unknown"}], "risk_score": 47, "rule_id": "21bafdf0-cf17-11ed-bd57-f661ea17fbcc", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Defense Evasion", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": 
"https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "21bafdf0-cf17-11ed-bd57-f661ea17fbcc_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_3.json b/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_3.json deleted file mode 100644 index 8622eaf9bdc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the first time a third-party application logs in and authenticated with OAuth. OAuth is used to grant permissions to specific resources and services in Google Workspace. Compromised credentials or service accounts could allow an adversary to authenticate to Google Workspace as a valid user and inherit their privileges.", "false_positives": ["Developers may leverage third-party applications for legitimate purposes in Google Workspace such as for administrative tasks."], "from": "now-130m", "history_window_start": "now-15d", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", "new_terms_fields": ["google_workspace.token.client.id"], "note": "## Setup\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset: \"google_workspace.token\" and event.action: \"authorize\" and\ngoogle_workspace.token.scope.data.scope_name: *Login and google_workspace.token.client.id: *apps.googleusercontent.com\n", "references": ["https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", "https://developers.google.com/apps-script/guides/bound", "https://developers.google.com/identity/protocols/oauth2"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.token.client.id", "type": "keyword"}, {"ecs": false, "name": "google_workspace.token.scope.data.scope_name", "type": "unknown"}], "risk_score": 47, "rule_id": "21bafdf0-cf17-11ed-bd57-f661ea17fbcc", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Defense Evasion", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": 
"https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 3}, "id": "21bafdf0-cf17-11ed-bd57-f661ea17fbcc_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_4.json b/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_4.json deleted file mode 100644 index 77dff3e757c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/21bafdf0-cf17-11ed-bd57-f661ea17fbcc_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the first time a third-party application logs in and authenticated with OAuth. OAuth is used to grant permissions to specific resources and services in Google Workspace. Compromised credentials or service accounts could allow an adversary to authenticate to Google Workspace as a valid user and inherit their privileges.", "false_positives": ["Developers may leverage third-party applications for legitimate purposes in Google Workspace such as for administrative tasks."], "from": "now-130m", "history_window_start": "now-15d", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Google Workspace OAuth Login from Third-Party Application", "new_terms_fields": ["google_workspace.token.client.id"], "note": "## Setup\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset: \"google_workspace.token\" and event.action: \"authorize\" and\ngoogle_workspace.token.scope.data: *Login and google_workspace.token.client.id: *apps.googleusercontent.com\n", "references": ["https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", "https://developers.google.com/apps-script/guides/bound", "https://developers.google.com/identity/protocols/oauth2"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.token.client.id", "type": "keyword"}, {"ecs": false, "name": "google_workspace.token.scope.data", "type": "flattened"}], "risk_score": 47, "rule_id": "21bafdf0-cf17-11ed-bd57-f661ea17fbcc", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Defense Evasion", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, 
"technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 4}, "id": "21bafdf0-cf17-11ed-bd57-f661ea17fbcc_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd.json b/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd.json deleted file mode 100644 index c3991d51a08..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the enable of the full user-mode dumps feature system-wide. This feature allows Windows Error Reporting (WER) to collect data after an application crashes. This setting is a requirement for the LSASS Shtinkering attack, which fakes the communication of a crash on LSASS, generating a dump of the process memory, which gives the attacker access to the credentials present on the system without having to bring malware to the system. This setting is not enabled by default, and applications must create their registry subkeys to hold settings that enable them to collect dumps.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Full User-Mode Dumps Enabled System-Wide", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType\"\n ) and\n registry.data.strings : (\"2\", \"0x00000002\") and\n not (process.executable : \"?:\\\\Windows\\\\system32\\\\svchost.exe\" and user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"))\n", "references": ["https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", "https://github.com/deepinstinct/Lsass-Shtinkering", "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": 
"registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "220be143-5c67-4fdb-b6ce-dd6826d024fd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "220be143-5c67-4fdb-b6ce-dd6826d024fd", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_3.json b/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_3.json deleted file mode 100644 index 1d34ab2e5bc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the enable of the full user-mode dumps feature system-wide. This feature allows Windows Error Reporting (WER) to collect data after an application crashes. This setting is a requirement for the LSASS Shtinkering attack, which fakes the communication of a crash on LSASS, generating a dump of the process memory, which gives the attacker access to the credentials present on the system without having to bring malware to the system. This setting is not enabled by default, and applications must create their registry subkeys to hold settings that enable them to collect dumps.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Full User-Mode Dumps Enabled System-Wide", "query": "registry where host.os.type == \"windows\" and registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType\" and\n registry.data.strings : (\"2\", \"0x00000002\") and\n not (process.executable : \"?:\\\\Windows\\\\system32\\\\svchost.exe\" and user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"))\n", "references": ["https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", "https://github.com/deepinstinct/Lsass-Shtinkering", "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 
47, "rule_id": "220be143-5c67-4fdb-b6ce-dd6826d024fd", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "220be143-5c67-4fdb-b6ce-dd6826d024fd_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_4.json b/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_4.json deleted file mode 100644 index 25690c41c00..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the enable of the full user-mode dumps feature system-wide. This feature allows Windows Error Reporting (WER) to collect data after an application crashes. This setting is a requirement for the LSASS Shtinkering attack, which fakes the communication of a crash on LSASS, generating a dump of the process memory, which gives the attacker access to the credentials present on the system without having to bring malware to the system. This setting is not enabled by default, and applications must create their registry subkeys to hold settings that enable them to collect dumps.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Full User-Mode Dumps Enabled System-Wide", "query": "registry where host.os.type == \"windows\" and registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType\" and\n registry.data.strings : (\"2\", \"0x00000002\") and\n not (process.executable : \"?:\\\\Windows\\\\system32\\\\svchost.exe\" and user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"))\n", "references": ["https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", "https://github.com/deepinstinct/Lsass-Shtinkering", "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 
47, "rule_id": "220be143-5c67-4fdb-b6ce-dd6826d024fd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "220be143-5c67-4fdb-b6ce-dd6826d024fd_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_5.json b/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_5.json deleted file mode 100644 index 707ce3a9940..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the enable of the full user-mode dumps feature system-wide. This feature allows Windows Error Reporting (WER) to collect data after an application crashes. This setting is a requirement for the LSASS Shtinkering attack, which fakes the communication of a crash on LSASS, generating a dump of the process memory, which gives the attacker access to the credentials present on the system without having to bring malware to the system. This setting is not enabled by default, and applications must create their registry subkeys to hold settings that enable them to collect dumps.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Full User-Mode Dumps Enabled System-Wide", "query": "registry where host.os.type == \"windows\" and registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType\" and\n registry.data.strings : (\"2\", \"0x00000002\") and\n not (process.executable : \"?:\\\\Windows\\\\system32\\\\svchost.exe\" and user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"))\n", "references": ["https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", "https://github.com/deepinstinct/Lsass-Shtinkering", "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 
47, "rule_id": "220be143-5c67-4fdb-b6ce-dd6826d024fd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "220be143-5c67-4fdb-b6ce-dd6826d024fd_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_6.json b/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_6.json deleted file mode 100644 index e665b0555e2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the enable of the full user-mode dumps feature system-wide. This feature allows Windows Error Reporting (WER) to collect data after an application crashes. This setting is a requirement for the LSASS Shtinkering attack, which fakes the communication of a crash on LSASS, generating a dump of the process memory, which gives the attacker access to the credentials present on the system without having to bring malware to the system. This setting is not enabled by default, and applications must create their registry subkeys to hold settings that enable them to collect dumps.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Full User-Mode Dumps Enabled System-Wide", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType\"\n ) and\n registry.data.strings : (\"2\", \"0x00000002\") and\n not (process.executable : \"?:\\\\Windows\\\\system32\\\\svchost.exe\" and user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"))\n", "references": ["https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", "https://github.com/deepinstinct/Lsass-Shtinkering", "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": 
"registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "220be143-5c67-4fdb-b6ce-dd6826d024fd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "220be143-5c67-4fdb-b6ce-dd6826d024fd_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_7.json b/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_7.json deleted file mode 100644 index dc97fde6e8e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/220be143-5c67-4fdb-b6ce-dd6826d024fd_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the enable of the full user-mode dumps feature system-wide. This feature allows Windows Error Reporting (WER) to collect data after an application crashes. This setting is a requirement for the LSASS Shtinkering attack, which fakes the communication of a crash on LSASS, generating a dump of the process memory, which gives the attacker access to the credentials present on the system without having to bring malware to the system. This setting is not enabled by default, and applications must create their registry subkeys to hold settings that enable them to collect dumps.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Full User-Mode Dumps Enabled System-Wide", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\Windows Error Reporting\\\\LocalDumps\\\\DumpType\"\n ) and\n registry.data.strings : (\"2\", \"0x00000002\") and\n not (process.executable : \"?:\\\\Windows\\\\system32\\\\svchost.exe\" and user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"))\n", "references": ["https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", "https://github.com/deepinstinct/Lsass-Shtinkering", "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": 
"registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "220be143-5c67-4fdb-b6ce-dd6826d024fd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "220be143-5c67-4fdb-b6ce-dd6826d024fd_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f.json b/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f.json deleted file mode 100644 index 261f5961dd4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).", "from": "now-9m", "history_window_start": "now-10d", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "SSH Authorized Keys File Modification", "new_terms_fields": ["host.id", "process.executable"], "query": "event.category:file and event.type:(change or creation) and\n file.name:(\"authorized_keys\" or \"authorized_keys2\" or \"/etc/ssh/sshd_config\" or \"/root/.ssh\") and\n not process.executable:\n (/Library/Developer/CommandLineTools/usr/bin/git or\n /usr/local/Cellar/maven/*/libexec/bin/mvn or\n /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or\n /usr/bin/vim or\n /usr/local/Cellar/coreutils/*/bin/gcat or\n /usr/bin/bsdtar or\n /usr/bin/nautilus or\n /usr/bin/scp or\n /usr/bin/touch or\n /var/lib/docker/* or\n /usr/bin/google_guest_agent or \n /opt/jc/bin/jumpcloud-agent or \n /opt/puppetlabs/puppet/bin/puppet or\n /usr/bin/chef-client\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": 
[{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.004", "name": "SSH Authorized Keys", "reference": "https://attack.mitre.org/techniques/T1098/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}, {"id": "T1563", "name": "Remote Service Session Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 206}, "id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_102.json b/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_102.json deleted file mode 100644 index 79f81709588..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "SSH Authorized Keys File Modification", "query": "event.category:file and event.type:(change or creation) and\n file.name:(\"authorized_keys\" or \"authorized_keys2\" or \"/etc/ssh/sshd_config\" or \"/root/.ssh\") and\n not process.executable:\n (/Library/Developer/CommandLineTools/usr/bin/git or\n /usr/local/Cellar/maven/*/libexec/bin/mvn or\n /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or\n /usr/bin/vim or\n /usr/local/Cellar/coreutils/*/bin/gcat or\n /usr/bin/bsdtar or\n /usr/bin/nautilus or\n /usr/bin/scp or\n /usr/bin/touch or\n /var/lib/docker/* or\n /usr/bin/google_guest_agent or \n /opt/jc/bin/jumpcloud-agent)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Lateral Movement", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.004", "name": "SSH Authorized Keys", "reference": 
"https://attack.mitre.org/techniques/T1098/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1563", "name": "Remote Service Session Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}, {"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_103.json b/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_103.json deleted file mode 100644 index 72526fb7c94..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "SSH Authorized Keys File Modification", "query": "event.category:file and event.type:(change or creation) and\n file.name:(\"authorized_keys\" or \"authorized_keys2\" or \"/etc/ssh/sshd_config\" or \"/root/.ssh\") and\n not process.executable:\n (/Library/Developer/CommandLineTools/usr/bin/git or\n /usr/local/Cellar/maven/*/libexec/bin/mvn or\n /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or\n /usr/bin/vim or\n /usr/local/Cellar/coreutils/*/bin/gcat or\n /usr/bin/bsdtar or\n /usr/bin/nautilus or\n /usr/bin/scp or\n /usr/bin/touch or\n /var/lib/docker/* or\n /usr/bin/google_guest_agent or \n /opt/jc/bin/jumpcloud-agent)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.004", "name": "SSH Authorized Keys", "reference": 
"https://attack.mitre.org/techniques/T1098/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1563", "name": "Remote Service Session Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}, {"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_104.json b/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_104.json deleted file mode 100644 index 155ee8edf0d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "SSH Authorized Keys File Modification", "query": "event.category:file and event.type:(change or creation) and\n file.name:(\"authorized_keys\" or \"authorized_keys2\" or \"/etc/ssh/sshd_config\" or \"/root/.ssh\") and\n not process.executable:\n (/Library/Developer/CommandLineTools/usr/bin/git or\n /usr/local/Cellar/maven/*/libexec/bin/mvn or\n /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or\n /usr/bin/vim or\n /usr/local/Cellar/coreutils/*/bin/gcat or\n /usr/bin/bsdtar or\n /usr/bin/nautilus or\n /usr/bin/scp or\n /usr/bin/touch or\n /var/lib/docker/* or\n /usr/bin/google_guest_agent or \n /opt/jc/bin/jumpcloud-agent)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.004", "name": "SSH 
Authorized Keys", "reference": "https://attack.mitre.org/techniques/T1098/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1563", "name": "Remote Service Session Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}, {"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_204.json b/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_204.json
deleted file mode 100644
index 5c86dcb1702..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_204.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).", "from": "now-9m", "history_window_start": "now-7d", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "SSH Authorized Keys File Modification", "new_terms_fields": ["host.id", "process.executable", "file.path"], "query": "event.category:file and event.type:(change or creation) and\n file.name:(\"authorized_keys\" or \"authorized_keys2\" or \"/etc/ssh/sshd_config\" or \"/root/.ssh\") and\n not process.executable:\n (/Library/Developer/CommandLineTools/usr/bin/git or\n /usr/local/Cellar/maven/*/libexec/bin/mvn or\n /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or\n /usr/bin/vim or\n /usr/local/Cellar/coreutils/*/bin/gcat or\n /usr/bin/bsdtar or\n /usr/bin/nautilus or\n /usr/bin/scp or\n /usr/bin/touch or\n /var/lib/docker/* or\n /usr/bin/google_guest_agent or \n /opt/jc/bin/jumpcloud-agent)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", 
"reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.004", "name": "SSH Authorized Keys", "reference": "https://attack.mitre.org/techniques/T1098/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1563", "name": "Remote Service Session Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}, {"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 204}, "id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_204", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_205.json b/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_205.json deleted file mode 100644 index c7dfd6baac5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s).", "from": "now-9m", "history_window_start": "now-10d", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "SSH Authorized Keys File Modification", "new_terms_fields": ["host.id", "process.executable"], "query": "event.category:file and event.type:(change or creation) and\n file.name:(\"authorized_keys\" or \"authorized_keys2\" or \"/etc/ssh/sshd_config\" or \"/root/.ssh\") and\n not process.executable:\n (/Library/Developer/CommandLineTools/usr/bin/git or\n /usr/local/Cellar/maven/*/libexec/bin/mvn or\n /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or\n /usr/bin/vim or\n /usr/local/Cellar/coreutils/*/bin/gcat or\n /usr/bin/bsdtar or\n /usr/bin/nautilus or\n /usr/bin/scp or\n /usr/bin/touch or\n /var/lib/docker/* or\n /usr/bin/google_guest_agent or \n /opt/jc/bin/jumpcloud-agent or \n /opt/puppetlabs/puppet/bin/puppet or\n /usr/bin/chef-client\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": 
[{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.004", "name": "SSH Authorized Keys", "reference": "https://attack.mitre.org/techniques/T1098/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1563", "name": "Remote Service Session Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}, {"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 205}, "id": "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f_205", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b.json b/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b.json deleted file mode 100644 index e1cb79fd837..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The malware known as SUNBURST targets the SolarWind's Orion business software for command and control. This rule detects post-exploitation command and control activity of the SUNBURST backdoor.", "from": "now-9m", "index": ["logs-endpoint.events.network-*"], "language": "eql", "license": "Elastic License v2", "name": "SUNBURST Command and Control Activity", "note": "## Triage and analysis\n\n### Investigating SUNBURST Command and Control Activity\n\nSUNBURST is a trojanized version of a digitally signed SolarWinds Orion plugin called SolarWinds.Orion.Core.BusinessLayer.dll. The plugin contains a backdoor that communicates via HTTP to third-party servers. After an initial dormant period of up to two weeks, SUNBURST may retrieve and execute commands that instruct the backdoor to transfer files, execute files, profile the system, reboot the system, and disable system services. The malware's network traffic attempts to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol, and the malware stores persistent state data within legitimate plugin configuration files. The backdoor uses multiple obfuscated blocklists to identify processes, services, and drivers associated with forensic and anti-virus tools.\n\nMore details on SUNBURST can be found on the [Mandiant Report](https://www.mandiant.com/resources/sunburst-additional-technical-details).\n\nThis rule identifies suspicious network connections that attempt to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the environment at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Upgrade SolarWinds systems to the latest version to eradicate the chance of reinfection by abusing the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and event.type == \"protocol\" and network.protocol == \"http\" and\n process.name : (\"ConfigurationWizard.exe\",\n \"NetFlowService.exe\",\n \"NetflowDatabaseMaintenance.exe\",\n \"SolarWinds.Administration.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\",\n \"SolarWinds.Collector.Service.exe\",\n \"SolarwindsDiagnostics.exe\") and\n (\n (\n (http.request.body.content : \"*/swip/Upload.ashx*\" and http.request.body.content : (\"POST*\", \"PUT*\")) or\n (http.request.body.content : (\"*/swip/SystemDescription*\", \"*/swip/Events*\") and http.request.body.content : (\"GET*\", \"HEAD*\"))\n ) and\n not http.request.body.content : \"*solarwinds.com*\"\n )\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "http.request.body.content", "type": "wildcard"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "22599847-5d13-48cb-8872-5796fee8692b", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: 
Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "22599847-5d13-48cb-8872-5796fee8692b", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_104.json b/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_104.json
deleted file mode 100644
index 3ba8e5c681b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The malware known as SUNBURST targets the SolarWind's Orion business software for command and control. This rule detects post-exploitation command and control activity of the SUNBURST backdoor.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "SUNBURST Command and Control Activity", "note": "## Triage and analysis\n\n### Investigating SUNBURST Command and Control Activity\n\nSUNBURST is a trojanized version of a digitally signed SolarWinds Orion plugin called SolarWinds.Orion.Core.BusinessLayer.dll. The plugin contains a backdoor that communicates via HTTP to third-party servers. After an initial dormant period of up to two weeks, SUNBURST may retrieve and execute commands that instruct the backdoor to transfer files, execute files, profile the system, reboot the system, and disable system services. The malware's network traffic attempts to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol, and the malware stores persistent state data within legitimate plugin configuration files. The backdoor uses multiple obfuscated blocklists to identify processes, services, and drivers associated with forensic and anti-virus tools.\n\nMore details on SUNBURST can be found on the [Mandiant Report](https://www.mandiant.com/resources/sunburst-additional-technical-details).\n\nThis rule identifies suspicious network connections that attempt to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the environment at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Upgrade SolarWinds systems to the latest version to eradicate the chance of reinfection by abusing the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and event.type == \"protocol\" and network.protocol == \"http\" and\n process.name : (\"ConfigurationWizard.exe\",\n \"NetFlowService.exe\",\n \"NetflowDatabaseMaintenance.exe\",\n \"SolarWinds.Administration.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\",\n \"SolarWinds.Collector.Service.exe\",\n \"SolarwindsDiagnostics.exe\") and\n (\n (\n (http.request.body.content : \"*/swip/Upload.ashx*\" and http.request.body.content : (\"POST*\", \"PUT*\")) or\n (http.request.body.content : (\"*/swip/SystemDescription*\", \"*/swip/Events*\") and http.request.body.content : 
(\"GET*\", \"HEAD*\"))\n ) and\n not http.request.body.content : \"*solarwinds.com*\"\n )\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "http.request.body.content", "type": "wildcard"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "22599847-5d13-48cb-8872-5796fee8692b", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "22599847-5d13-48cb-8872-5796fee8692b_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_105.json b/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_105.json
deleted file mode 100644
index c4165d57922..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The malware known as SUNBURST targets the SolarWind's Orion business software for command and control. This rule detects post-exploitation command and control activity of the SUNBURST backdoor.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "SUNBURST Command and Control Activity", "note": "## Triage and analysis\n\n### Investigating SUNBURST Command and Control Activity\n\nSUNBURST is a trojanized version of a digitally signed SolarWinds Orion plugin called SolarWinds.Orion.Core.BusinessLayer.dll. The plugin contains a backdoor that communicates via HTTP to third-party servers. After an initial dormant period of up to two weeks, SUNBURST may retrieve and execute commands that instruct the backdoor to transfer files, execute files, profile the system, reboot the system, and disable system services. The malware's network traffic attempts to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol, and the malware stores persistent state data within legitimate plugin configuration files. The backdoor uses multiple obfuscated blocklists to identify processes, services, and drivers associated with forensic and anti-virus tools.\n\nMore details on SUNBURST can be found on the [Mandiant Report](https://www.mandiant.com/resources/sunburst-additional-technical-details).\n\nThis rule identifies suspicious network connections that attempt to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the environment at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Upgrade SolarWinds systems to the latest version to eradicate the chance of reinfection by abusing the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and event.type == \"protocol\" and network.protocol == \"http\" and\n process.name : (\"ConfigurationWizard.exe\",\n \"NetFlowService.exe\",\n \"NetflowDatabaseMaintenance.exe\",\n \"SolarWinds.Administration.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\",\n \"SolarWinds.Collector.Service.exe\",\n \"SolarwindsDiagnostics.exe\") and\n (\n (\n (http.request.body.content : \"*/swip/Upload.ashx*\" and http.request.body.content : (\"POST*\", \"PUT*\")) or\n (http.request.body.content : (\"*/swip/SystemDescription*\", \"*/swip/Events*\") and http.request.body.content : (\"GET*\", \"HEAD*\"))\n ) and\n not http.request.body.content : \"*solarwinds.com*\"\n )\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "http.request.body.content", "type": "wildcard"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "22599847-5d13-48cb-8872-5796fee8692b", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "22599847-5d13-48cb-8872-5796fee8692b_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_106.json b/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_106.json
deleted file mode 100644
index 9f09a233634..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The malware known as SUNBURST targets the SolarWind's Orion business software for command and control. This rule detects post-exploitation command and control activity of the SUNBURST backdoor.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "SUNBURST Command and Control Activity", "note": "## Triage and analysis\n\n### Investigating SUNBURST Command and Control Activity\n\nSUNBURST is a trojanized version of a digitally signed SolarWinds Orion plugin called SolarWinds.Orion.Core.BusinessLayer.dll. The plugin contains a backdoor that communicates via HTTP to third-party servers. After an initial dormant period of up to two weeks, SUNBURST may retrieve and execute commands that instruct the backdoor to transfer files, execute files, profile the system, reboot the system, and disable system services. The malware's network traffic attempts to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol, and the malware stores persistent state data within legitimate plugin configuration files. The backdoor uses multiple obfuscated blocklists to identify processes, services, and drivers associated with forensic and anti-virus tools.\n\nMore details on SUNBURST can be found on the [Mandiant Report](https://www.mandiant.com/resources/sunburst-additional-technical-details).\n\nThis rule identifies suspicious network connections that attempt to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the environment at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Upgrade SolarWinds systems to the latest version to eradicate the chance of reinfection by abusing the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and event.type == \"protocol\" and network.protocol == \"http\" and\n process.name : (\"ConfigurationWizard.exe\",\n \"NetFlowService.exe\",\n \"NetflowDatabaseMaintenance.exe\",\n \"SolarWinds.Administration.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\",\n \"SolarWinds.Collector.Service.exe\",\n \"SolarwindsDiagnostics.exe\") and\n (\n (\n (http.request.body.content : \"*/swip/Upload.ashx*\" and http.request.body.content : (\"POST*\", \"PUT*\")) or\n (http.request.body.content : (\"*/swip/SystemDescription*\", \"*/swip/Events*\") and http.request.body.content : (\"GET*\", \"HEAD*\"))\n ) and\n not http.request.body.content : \"*solarwinds.com*\"\n )\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "http.request.body.content", "type": "wildcard"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "22599847-5d13-48cb-8872-5796fee8692b", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: 
Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "22599847-5d13-48cb-8872-5796fee8692b_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_107.json b/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_107.json
deleted file mode 100644
index 7f2dd0c4ec5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/22599847-5d13-48cb-8872-5796fee8692b_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The malware known as SUNBURST targets the SolarWind's Orion business software for command and control. This rule detects post-exploitation command and control activity of the SUNBURST backdoor.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "SUNBURST Command and Control Activity", "note": "## Triage and analysis\n\n### Investigating SUNBURST Command and Control Activity\n\nSUNBURST is a trojanized version of a digitally signed SolarWinds Orion plugin called SolarWinds.Orion.Core.BusinessLayer.dll. The plugin contains a backdoor that communicates via HTTP to third-party servers. After an initial dormant period of up to two weeks, SUNBURST may retrieve and execute commands that instruct the backdoor to transfer files, execute files, profile the system, reboot the system, and disable system services. The malware's network traffic attempts to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol, and the malware stores persistent state data within legitimate plugin configuration files. The backdoor uses multiple obfuscated blocklists to identify processes, services, and drivers associated with forensic and anti-virus tools.\n\nMore details on SUNBURST can be found on the [Mandiant Report](https://www.mandiant.com/resources/sunburst-additional-technical-details).\n\nThis rule identifies suspicious network connections that attempt to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executable involved using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the environment at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Upgrade SolarWinds systems to the latest version to eradicate the chance of reinfection by abusing the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and event.type == \"protocol\" and network.protocol == \"http\" and\n process.name : (\"ConfigurationWizard.exe\",\n \"NetFlowService.exe\",\n \"NetflowDatabaseMaintenance.exe\",\n \"SolarWinds.Administration.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\",\n \"SolarWinds.Collector.Service.exe\",\n \"SolarwindsDiagnostics.exe\") and\n (\n (\n (http.request.body.content : \"*/swip/Upload.ashx*\" and http.request.body.content : (\"POST*\", \"PUT*\")) or\n (http.request.body.content : (\"*/swip/SystemDescription*\", \"*/swip/Events*\") and http.request.body.content : (\"GET*\", \"HEAD*\"))\n ) and\n not http.request.body.content : \"*solarwinds.com*\"\n )\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "http.request.body.content", "type": "wildcard"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "22599847-5d13-48cb-8872-5796fee8692b", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: 
Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "22599847-5d13-48cb-8872-5796fee8692b_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae.json b/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae.json
deleted file mode 100644
index 49111b38fe3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components.", "false_positives": ["Bucket components may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Bucket component deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS S3 Bucket Configuration Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and\n event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or\n DeleteBucketEncryption or DeleteBucketLifecycle)\n and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "227dc608-e558-43d9-b521-150772250bae", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: 
Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "227dc608-e558-43d9-b521-150772250bae", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_103.json b/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_103.json
deleted file mode 100644
index e88eeaff840..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components.", "false_positives": ["Bucket components may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Bucket component deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS S3 Bucket Configuration Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and\n event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or\n DeleteBucketEncryption or DeleteBucketLifecycle)\n and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "227dc608-e558-43d9-b521-150772250bae", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", 
"AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "227dc608-e558-43d9-b521-150772250bae_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_104.json b/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_104.json
deleted file mode 100644
index e7be3d84679..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components.", "false_positives": ["Bucket components may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Bucket component deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS S3 Bucket Configuration Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and\n event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or\n DeleteBucketEncryption or DeleteBucketLifecycle)\n and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "227dc608-e558-43d9-b521-150772250bae", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data 
Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "227dc608-e558-43d9-b521-150772250bae_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_105.json b/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_105.json deleted file mode 100644 index 56f9e2ed2d3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components.", "false_positives": ["Bucket components may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Bucket component deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS S3 Bucket Configuration Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and\n event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or\n DeleteBucketEncryption or DeleteBucketLifecycle)\n and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "227dc608-e558-43d9-b521-150772250bae", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data 
Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "227dc608-e558-43d9-b521-150772250bae_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_206.json b/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_206.json deleted file mode 100644 index 1270adb0887..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/227dc608-e558-43d9-b521-150772250bae_206.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components.", "false_positives": ["Bucket components may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Bucket component deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS S3 Bucket Configuration Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:s3.amazonaws.com and\n event.action:(DeleteBucketPolicy or DeleteBucketReplication or DeleteBucketCors or\n DeleteBucketEncryption or DeleteBucketLifecycle)\n and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketCors.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketEncryption.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketLifecycle.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "227dc608-e558-43d9-b521-150772250bae", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data 
Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "227dc608-e558-43d9-b521-150772250bae_206", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d.json b/packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d.json deleted file mode 100644 index c2ab7f8f1dc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when the Identity and Access Management (IAM) permissions are modified for a Google Cloud Platform (GCP) storage bucket. An adversary may modify the permissions on a storage bucket to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.", "false_positives": ["Storage bucket permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Storage Bucket Permissions Modification", "note": "", "query": "event.dataset:gcp.audit and event.action:\"storage.setIamPermissions\" and event.outcome:success\n", "references": ["https://cloud.google.com/storage/docs/access-control/iam-permissions"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "2326d1b2-9acf-4dee-bd21-867ea7378b4d", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/"}]}], "timestamp_override": "event.ingested", "type": "query", 
"version": 104}, "id": "2326d1b2-9acf-4dee-bd21-867ea7378b4d", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d_103.json b/packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d_103.json deleted file mode 100644 index ca69b1bff98..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2326d1b2-9acf-4dee-bd21-867ea7378b4d_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when the Identity and Access Management (IAM) permissions are modified for a Google Cloud Platform (GCP) storage bucket. An adversary may modify the permissions on a storage bucket to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.", "false_positives": ["Storage bucket permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Storage Bucket Permissions Modification", "note": "", "query": "event.dataset:gcp.audit and event.action:\"storage.setIamPermissions\" and event.outcome:success\n", "references": ["https://cloud.google.com/storage/docs/access-control/iam-permissions"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "2326d1b2-9acf-4dee-bd21-867ea7378b4d", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": 
"2326d1b2-9acf-4dee-bd21-867ea7378b4d_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f.json b/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f.json deleted file mode 100644 index 16e1f9c6b62..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel Module Load via insmod", "note": "## Triage and analysis\n\n### Investigating Kernel module load via insmod\n\nThe insmod binary is a Linux utility that allows users with root privileges to load kernel modules, which are object files that extend the functionality of the kernel. \n\nThreat actors can abuse this utility to load rootkits, granting them full control over the system and the ability to evade security products.\n\nThe detection rule 'Kernel module load via insmod' is designed to identify instances where the insmod binary is used to load a kernel object file (with a .ko extension) on a Linux system. This activity is uncommon and may indicate suspicious or malicious behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n### Possible investigation steps\n\n- Investigate the kernel object file that was loaded via insmod.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n- Investigate the kernel ring buffer for any warnings or messages, such as tainted or out-of-tree kernel module loads through `dmesg`.\n- Investigate syslog for any unusual segfaults or other messages. Rootkits may be installed on targets with different architecture as expected, and could potentially cause segmentation faults. \n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - $osquery_6\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Kernel Driver Load - 3e12a439-d002-4944-bc42-171c0dcb9b96\n- Tainted Out-Of-Tree Kernel Module Load - 51a09737-80f7-4551-a3be-dac8ef5d181a\n- Tainted Kernel Module Load - 05cad2fb-200c-407f-b472-02ea8c9e5e4a\n- Attempt to Clear Kernel Ring Buffer - 2724808c-ba5d-48b2-86d2-0002103df753\n- Enumeration of Kernel Modules via Proc - 80084fa9-8677-4453-8680-b891d3c0c778\n- Suspicious Modprobe File Event - 40ddbcc8-6561-44d9-afc8-eefdbfe0cccd\n- Kernel Module Removal - cd66a5af-e34b-4bb0-8931-57d0a043f2ef\n- Enumeration of Kernel Modules - 2d8043ed-5bda-4caf-801c-c1feb7410504\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.name == \"insmod\" and process.args : \"*.ko\"\n", "references": ["https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2339f03c-f53f-40fa-834b-40c5983fc41f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Rootkit", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "2339f03c-f53f-40fa-834b-40c5983fc41f", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_103.json b/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_103.json deleted file mode 100644 index e0054cc2e2b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel module load via insmod", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n process.executable : \"/usr/sbin/insmod\" and process.args : \"*.ko\"\n", "references": ["https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "2339f03c-f53f-40fa-834b-40c5983fc41f", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Rootkit", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "2339f03c-f53f-40fa-834b-40c5983fc41f_103", "type": 
"security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_104.json b/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_104.json deleted file mode 100644 index 007e28086b7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel module load via insmod", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n process.executable : \"/usr/sbin/insmod\" and process.args : \"*.ko\"\n", "references": ["https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "2339f03c-f53f-40fa-834b-40c5983fc41f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Rootkit", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": 
"2339f03c-f53f-40fa-834b-40c5983fc41f_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_105.json b/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_105.json deleted file mode 100644 index 1b6281d26de..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel module load via insmod", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.name == \"insmod\" and process.args : \"*.ko\"\n", "references": ["https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2339f03c-f53f-40fa-834b-40c5983fc41f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Rootkit", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": 
"2339f03c-f53f-40fa-834b-40c5983fc41f_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_106.json b/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_106.json
deleted file mode 100644
index 3c0267b9697..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel Module Load via insmod", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.name == \"insmod\" and process.args : \"*.ko\"\nand not process.parent.name in (\"cisco-amp-helper\", \"ksplice-apply\")\n", "references": ["https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2339f03c-f53f-40fa-834b-40c5983fc41f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Rootkit", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "2339f03c-f53f-40fa-834b-40c5983fc41f_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_107.json b/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_107.json
deleted file mode 100644
index 2cec820d8f3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel Module Load via insmod", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.name == \"insmod\" and process.args : \"*.ko\"\nand not process.parent.name in (\"cisco-amp-helper\", \"ksplice-apply\")\n", "references": ["https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2339f03c-f53f-40fa-834b-40c5983fc41f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Rootkit", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "2339f03c-f53f-40fa-834b-40c5983fc41f_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_108.json b/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_108.json
deleted file mode 100644
index 36600f1578d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel Module Load via insmod", "note": "## Triage and analysis\n\n### Investigating Kernel module load via insmod\n\nThe insmod binary is a Linux utility that allows users with root privileges to load kernel modules, which are object files that extend the functionality of the kernel. \n\nThreat actors can abuse this utility to load rootkits, granting them full control over the system and the ability to evade security products.\n\nThe detection rule 'Kernel module load via insmod' is designed to identify instances where the insmod binary is used to load a kernel object file (with a .ko extension) on a Linux system. This activity is uncommon and may indicate suspicious or malicious behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n### Possible investigation steps\n\n- Investigate the kernel object file that was loaded via insmod.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n- Investigate the kernel ring buffer for any warnings or messages, such as tainted or out-of-tree kernel module loads through `dmesg`.\n- Investigate syslog for any unusual segfaults or other messages. Rootkits may be installed on targets with different architecture as expected, and could potentially cause segmentation faults. \n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - $osquery_6\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Kernel Driver Load - 3e12a439-d002-4944-bc42-171c0dcb9b96\n- Tainted Out-Of-Tree Kernel Module Load - 51a09737-80f7-4551-a3be-dac8ef5d181a\n- Tainted Kernel Module Load - 05cad2fb-200c-407f-b472-02ea8c9e5e4a\n- Attempt to Clear Kernel Ring Buffer - 2724808c-ba5d-48b2-86d2-0002103df753\n- Enumeration of Kernel Modules via Proc - 80084fa9-8677-4453-8680-b891d3c0c778\n- Suspicious Modprobe File Event - 40ddbcc8-6561-44d9-afc8-eefdbfe0cccd\n- Kernel Module Removal - cd66a5af-e34b-4bb0-8931-57d0a043f2ef\n- Enumeration of Kernel Modules - 2d8043ed-5bda-4caf-801c-c1feb7410504\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.name == \"insmod\" and process.args : \"*.ko\"\nand not process.parent.name in (\"cisco-amp-helper\", \"ksplice-apply\")\n", "references": ["https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2339f03c-f53f-40fa-834b-40c5983fc41f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Rootkit", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "2339f03c-f53f-40fa-834b-40c5983fc41f_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_109.json b/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_109.json
deleted file mode 100644
index a3959264b52..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2339f03c-f53f-40fa-834b-40c5983fc41f_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel Module Load via insmod", "note": "## Triage and analysis\n\n### Investigating Kernel module load via insmod\n\nThe insmod binary is a Linux utility that allows users with root privileges to load kernel modules, which are object files that extend the functionality of the kernel. \n\nThreat actors can abuse this utility to load rootkits, granting them full control over the system and the ability to evade security products.\n\nThe detection rule 'Kernel module load via insmod' is designed to identify instances where the insmod binary is used to load a kernel object file (with a .ko extension) on a Linux system. This activity is uncommon and may indicate suspicious or malicious behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n### Possible investigation steps\n\n- Investigate the kernel object file that was loaded via insmod.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n- Investigate the kernel ring buffer for any warnings or messages, such as tainted or out-of-tree kernel module loads through `dmesg`.\n- Investigate syslog for any unusual segfaults or other messages. Rootkits may be installed on targets with different architecture as expected, and could potentially cause segmentation faults. \n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - $osquery_6\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Kernel Driver Load - 3e12a439-d002-4944-bc42-171c0dcb9b96\n- Tainted Out-Of-Tree Kernel Module Load - 51a09737-80f7-4551-a3be-dac8ef5d181a\n- Tainted Kernel Module Load - 05cad2fb-200c-407f-b472-02ea8c9e5e4a\n- Attempt to Clear Kernel Ring Buffer - 2724808c-ba5d-48b2-86d2-0002103df753\n- Enumeration of Kernel Modules via Proc - 80084fa9-8677-4453-8680-b891d3c0c778\n- Suspicious Modprobe File Event - 40ddbcc8-6561-44d9-afc8-eefdbfe0cccd\n- Kernel Module Removal - cd66a5af-e34b-4bb0-8931-57d0a043f2ef\n- Enumeration of Kernel Modules - 2d8043ed-5bda-4caf-801c-c1feb7410504\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.name == \"insmod\" and process.args : \"*.ko\"\n", "references": ["https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2339f03c-f53f-40fa-834b-40c5983fc41f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Rootkit", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "2339f03c-f53f-40fa-834b-40c5983fc41f_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/23bcd283-2bc0-4db2-81d4-273fc051e5c0.json b/packages/security_detection_engine/kibana/security_rule/23bcd283-2bc0-4db2-81d4-273fc051e5c0.json
deleted file mode 100644
index bf01c7fc20d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/23bcd283-2bc0-4db2-81d4-273fc051e5c0.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the execution of a previously unknown unix binary with read, write and execute memory region permissions. The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many cases overly permissive, and should be analyzed thoroughly.", "from": "now-9m", "history_window_start": "now-7d", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "kuery", "license": "Elastic License v2", "name": "Unknown Execution of Binary with RWX Memory Region", "new_terms_fields": ["process.executable"], "query": "event.category:process and host.os.type:linux and auditd.data.syscall:mprotect and auditd.data.a2:7 and not (\n process.executable:(\n \"/usr/share/kibana/node/bin/node\" or \"/usr/share/elasticsearch/jdk/bin/java\" or \"/usr/sbin/apache2\"\n ) or\n process.name:httpd\n)\n", "references": ["https://man7.org/linux/man-pages/man2/mprotect.2.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a2", "type": "unknown"}, {"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "23bcd283-2bc0-4db2-81d4-273fc051e5c0", "setup": "## Setup\n\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. 
It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-a always,exit -F arch=b64 -S mprotect\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "23bcd283-2bc0-4db2-81d4-273fc051e5c0", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/23bcd283-2bc0-4db2-81d4-273fc051e5c0_1.json b/packages/security_detection_engine/kibana/security_rule/23bcd283-2bc0-4db2-81d4-273fc051e5c0_1.json
deleted file mode 100644
index faa474e02db..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/23bcd283-2bc0-4db2-81d4-273fc051e5c0_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the execution of a previously unknown unix binary with read, write and execute memory region permissions. The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many cases overly permissive, and should be analyzed thoroughly.", "from": "now-9m", "history_window_start": "now-7d", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "kuery", "license": "Elastic License v2", "name": "Unknown Execution of Binary with RWX Memory Region", "new_terms_fields": ["host.id", "process.executable"], "query": "event.category:process and host.os.type:linux and auditd.data.syscall:mprotect and auditd.data.a2:7\n", "references": ["https://man7.org/linux/man-pages/man2/mprotect.2.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a2", "type": "unknown"}, {"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "23bcd283-2bc0-4db2-81d4-273fc051e5c0", "setup": "## Setup\n\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-a always,exit -F arch=b64 -S mprotect\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "23bcd283-2bc0-4db2-81d4-273fc051e5c0_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/23bcd283-2bc0-4db2-81d4-273fc051e5c0_2.json b/packages/security_detection_engine/kibana/security_rule/23bcd283-2bc0-4db2-81d4-273fc051e5c0_2.json
deleted file mode 100644
index 32600b1d821..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/23bcd283-2bc0-4db2-81d4-273fc051e5c0_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the execution of a previously unknown unix binary with read, write and execute memory region permissions. The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many cases overly permissive, and should be analyzed thoroughly.", "from": "now-9m", "history_window_start": "now-7d", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "kuery", "license": "Elastic License v2", "name": "Unknown Execution of Binary with RWX Memory Region", "new_terms_fields": ["process.executable"], "query": "event.category:process and host.os.type:linux and auditd.data.syscall:mprotect and auditd.data.a2:7 and not (\n process.executable:(\n \"/usr/share/kibana/node/bin/node\" or \"/usr/share/elasticsearch/jdk/bin/java\" or \"/usr/sbin/apache2\"\n ) or\n process.name:httpd\n)\n", "references": ["https://man7.org/linux/man-pages/man2/mprotect.2.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a2", "type": "unknown"}, {"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "23bcd283-2bc0-4db2-81d4-273fc051e5c0", "setup": "## Setup\n\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. 
It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-a always,exit -F arch=b64 -S mprotect\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "23bcd283-2bc0-4db2-81d4-273fc051e5c0_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/23f18264-2d6d-11ef-9413-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/23f18264-2d6d-11ef-9413-f661ea17fbce.json
deleted file mode 100644
index 11443cd7dc2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/23f18264-2d6d-11ef-9413-f661ea17fbce.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when an Okta client address has a certain threshold of Okta user authentication events with multiple device token hashes generated for single user authentication. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.", "false_positives": ["Users may share an endpoint related to work or personal use in which separate Okta accounts are used.", "Shared systems such as Kiosks and conference room computers may be used by multiple users."], "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "High Number of Okta Device Token Cookies Generated for Authentication", "note": "## Triage and analysis\n\n### Investigating High Number of Okta Device Token Cookies Generated for Authentication\n\nThis rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. 
Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\n\n#### Possible investigation steps:\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.\n - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\n- Examine the 
`okta.outcome.result` field to determine if the authentication was successful.\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\n - Shared working spaces may have a single endpoint that is used by multiple users.\n\n### Response and remediation:\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for 
the user.\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\n - This will prevent future occurrences of this event for this device from triggering the rule.\n - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\n - This should be done with caution as it may prevent legitimate alerts from being generated.\n", "query": "FROM logs-okta*\n| WHERE\n event.dataset == \"okta.system\"\n AND (event.action RLIKE \"user\\\\.authentication(.*)\" OR event.action == \"user.session.start\")\n AND okta.debug_context.debug_data.request_uri == \"/api/v1/authn\"\n AND okta.outcome.reason == \"INVALID_CREDENTIALS\"\n| STATS\n source_auth_count = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash)\n BY okta.client.ip, okta.actor.alternate_id\n| WHERE\n source_auth_count >= 30\n| SORT\n source_auth_count DESC\n", "references": ["https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/"], "risk_score": 21, "rule_id": "23f18264-2d6d-11ef-9413-f661ea17fbce", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": 
"https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}, {"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.004", "name": "Credential Stuffing", "reference": "https://attack.mitre.org/techniques/T1110/004/"}]}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "23f18264-2d6d-11ef-9413-f661ea17fbce", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/23f18264-2d6d-11ef-9413-f661ea17fbce_1.json b/packages/security_detection_engine/kibana/security_rule/23f18264-2d6d-11ef-9413-f661ea17fbce_1.json
deleted file mode 100644
index ea0817c832e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/23f18264-2d6d-11ef-9413-f661ea17fbce_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when an Okta client address has a certain threshold of Okta user authentication events with multiple device token hashes generated for single user authentication. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.", "false_positives": ["Users may share an endpoint related to work or personal use in which separate Okta accounts are used.", "Shared systems such as Kiosks and conference room computers may be used by multiple users."], "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "High Number of Okta Device Token Cookies Generated for Authentication", "note": "## Triage and analysis\n\n### Investigating High Number of Okta Device Token Cookies Generated for Authentication\n\nThis rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. 
Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\n\n#### Possible investigation steps:\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.\n - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\n- Examine the 
`okta.outcome.result` field to determine if the authentication was successful.\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\n - Shared working spaces may have a single endpoint that is used by multiple users.\n\n### Response and remediation:\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for 
the user.\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\n - This will prevent future occurrences of this event for this device from triggering the rule.\n - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\n - This should be done with caution as it may prevent legitimate alerts from being generated.\n", "query": "FROM logs-okta*\n| WHERE\n event.dataset == \"okta.system\"\n AND (event.action RLIKE \"user\\\\.authentication(.*)\" OR event.action == \"user.session.start\")\n AND okta.debug_context.debug_data.request_uri == \"/api/v1/authn\"\n AND okta.outcome.reason == \"INVALID_CREDENTIALS\"\n| STATS\n source_auth_count = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash)\n BY okta.client.ip, okta.actor.alternate_id\n| WHERE\n source_auth_count >= 30\n| SORT\n source_auth_count DESC\n", "references": ["https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/"], "risk_score": 21, "rule_id": "23f18264-2d6d-11ef-9413-f661ea17fbce", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": 
"https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}, {"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.004", "name": "Credential Stuffing", "reference": "https://attack.mitre.org/techniques/T1110/004/"}]}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "23f18264-2d6d-11ef-9413-f661ea17fbce_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/23f18264-2d6d-11ef-9413-f661ea17fbce_103.json b/packages/security_detection_engine/kibana/security_rule/23f18264-2d6d-11ef-9413-f661ea17fbce_103.json
new file mode 100644
index 00000000000..3ca0885f21f
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/23f18264-2d6d-11ef-9413-f661ea17fbce_103.json
@@ -0,0 +1,77 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when an Okta client address has a certain threshold of Okta user authentication events with multiple device token hashes generated for single user authentication. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.", + "false_positives": [ + "Users may share an endpoint related to work or personal use in which separate Okta accounts are used.", + "Shared systems such as Kiosks and conference room computers may be used by multiple users." + ], + "from": "now-9m", + "language": "esql", + "license": "Elastic License v2", + "name": "High Number of Okta Device Token Cookies Generated for Authentication", + "note": "## Triage and analysis\n\n### Investigating High Number of Okta Device Token Cookies Generated for Authentication\n\nThis rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. 
Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\n\n#### Possible investigation steps:\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.\n - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\n- Examine the 
`okta.outcome.result` field to determine if the authentication was successful.\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\n - Shared working spaces may have a single endpoint that is used by multiple users.\n\n### Response and remediation:\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for 
the user.\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\n - This will prevent future occurrences of this event for this device from triggering the rule.\n - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\n - This should be done with caution as it may prevent legitimate alerts from being generated.\n", + "query": "FROM logs-okta*\n| WHERE\n event.dataset == \"okta.system\"\n AND (event.action RLIKE \"user\\\\.authentication(.*)\" OR event.action == \"user.session.start\")\n AND okta.debug_context.debug_data.request_uri == \"/api/v1/authn\"\n AND okta.outcome.reason == \"INVALID_CREDENTIALS\"\n| KEEP event.action, okta.debug_context.debug_data.dt_hash, okta.client.ip, okta.actor.alternate_id, okta.debug_context.debug_data.request_uri, okta.outcome.reason\n| STATS\n source_auth_count = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash)\n BY okta.client.ip, okta.actor.alternate_id\n| WHERE\n source_auth_count >= 30\n| SORT\n source_auth_count DESC\n", + "references": [ + "https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/", + "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", + "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta" + ], + "risk_score": 21, + "rule_id": "23f18264-2d6d-11ef-9413-f661ea17fbce", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + 
"severity": "low", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + }, + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.004", + "name": "Credential Stuffing", + "reference": "https://attack.mitre.org/techniques/T1110/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 103 + }, + "id": "23f18264-2d6d-11ef-9413-f661ea17fbce_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/23f18264-2d6d-11ef-9413-f661ea17fbce_2.json b/packages/security_detection_engine/kibana/security_rule/23f18264-2d6d-11ef-9413-f661ea17fbce_2.json deleted file mode 100644 index 77f275b279e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/23f18264-2d6d-11ef-9413-f661ea17fbce_2.json +++ /dev/null 
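Review bot: The `note` tells analysts to suppress false positives by adding `okta.debug_context.debug_data.dt_hash` to the rule's exceptions, but the query aggregates that field away (`COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash)` grouped `BY okta.client.ip, okta.actor.alternate_id`), so the alert rows carry only `source_auth_count`, `okta.client.ip` and `okta.actor.alternate_id` and an exception keyed on `dt_hash` has nothing to match against; an alert also means 30+ distinct hashes were seen, so excepting any single hash would not stop recurrence. I would drop that bullet and keep only the `okta.client.ip` / `okta.actor.alternate_id` exception guidance with its existing caution. The same `note` says the threshold applies to "multiple users from the same client address", whereas the query groups per `(okta.client.ip, okta.actor.alternate_id)` pair and the `description` correctly says "single user authentication"; the sentence should read `a single Okta user from the same client address`. Minor: `T1110` appears twice in `threat[].technique` with one subtechnique each; one `T1110` entry listing both `T1110.003` and `T1110.004` under `subtechnique` is the usual shape.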
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when an Okta client address has a certain threshold of Okta user authentication events with multiple device token hashes generated for single user authentication. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.", "false_positives": ["Users may share an endpoint related to work or personal use in which separate Okta accounts are used.", "Shared systems such as Kiosks and conference room computers may be used by multiple users."], "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "High Number of Okta Device Token Cookies Generated for Authentication", "note": "## Triage and analysis\n\n### Investigating High Number of Okta Device Token Cookies Generated for Authentication\n\nThis rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. 
Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\n\n#### Possible investigation steps:\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.\n - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\n- Examine the 
`okta.outcome.result` field to determine if the authentication was successful.\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\n - Shared working spaces may have a single endpoint that is used by multiple users.\n\n### Response and remediation:\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for 
the user.\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\n - This will prevent future occurrences of this event for this device from triggering the rule.\n - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\n - This should be done with caution as it may prevent legitimate alerts from being generated.\n", "query": "FROM logs-okta*\n| WHERE\n event.dataset == \"okta.system\"\n AND (event.action RLIKE \"user\\\\.authentication(.*)\" OR event.action == \"user.session.start\")\n AND okta.debug_context.debug_data.request_uri == \"/api/v1/authn\"\n AND okta.outcome.reason == \"INVALID_CREDENTIALS\"\n| STATS\n source_auth_count = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash)\n BY okta.client.ip, okta.actor.alternate_id\n| WHERE\n source_auth_count >= 30\n| SORT\n source_auth_count DESC\n", "references": ["https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "risk_score": 21, "rule_id": "23f18264-2d6d-11ef-9413-f661ea17fbce", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": 
"Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}, {"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.004", "name": "Credential Stuffing", "reference": "https://attack.mitre.org/techniques/T1110/004/"}]}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 2}, "id": "23f18264-2d6d-11ef-9413-f661ea17fbce_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/24401eca-ad0b-4ff9-9431-487a8e183af9.json b/packages/security_detection_engine/kibana/security_rule/24401eca-ad0b-4ff9-9431-487a8e183af9.json deleted file mode 100644 index ed93f6baead..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/24401eca-ad0b-4ff9-9431-487a8e183af9.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a new member is added to a GitHub organization as an owner. This role provides admin level privileges. Any new owner roles should be investigated to determine it's validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.", "from": "now-9m", "index": ["logs-github.audit-*"], "language": "eql", "license": "Elastic License v2", "name": "New GitHub Owner Added", "query": "iam where event.dataset == \"github.audit\" and event.action == \"org.add_member\" and github.permission == \"admin\"\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "github.permission", "type": "keyword"}], "risk_score": 47, "rule_id": "24401eca-ad0b-4ff9-9431-487a8e183af9", "severity": "medium", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Persistence", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.003", "name": "Cloud Account", "reference": "https://attack.mitre.org/techniques/T1136/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "24401eca-ad0b-4ff9-9431-487a8e183af9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/24401eca-ad0b-4ff9-9431-487a8e183af9_1.json b/packages/security_detection_engine/kibana/security_rule/24401eca-ad0b-4ff9-9431-487a8e183af9_1.json deleted file mode 100644 index f3b36398ef2..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/24401eca-ad0b-4ff9-9431-487a8e183af9_1.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a new member is added to a GitHub organization as an owner. This role provides admin level privileges. Any new owner roles should be investigated to determine it's validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.", "from": "now-9m", "index": ["logs-github.audit-*"], "language": "eql", "license": "Elastic License v2", "name": "New GitHub Owner Added", "query": "iam where event.dataset == \"github.audit\" and event.action == \"org.add_member\" and github.permission == \"admin\"\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "github.permission", "type": "unknown"}], "risk_score": 47, "rule_id": "24401eca-ad0b-4ff9-9431-487a8e183af9", "severity": "medium", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.003", "name": "Cloud Account", "reference": "https://attack.mitre.org/techniques/T1136/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "24401eca-ad0b-4ff9-9431-487a8e183af9_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/24401eca-ad0b-4ff9-9431-487a8e183af9_105.json b/packages/security_detection_engine/kibana/security_rule/24401eca-ad0b-4ff9-9431-487a8e183af9_105.json new file mode 100644 index 00000000000..faccd98336b --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/24401eca-ad0b-4ff9-9431-487a8e183af9_105.json 
@@ -0,0 +1,78 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a new member is added to a GitHub organization as an owner. This role provides admin level privileges. Any new owner roles should be investigated to determine it's validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.", + "from": "now-9m", + "index": [ + "logs-github.audit-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "New GitHub Owner Added", + "query": "iam where event.dataset == \"github.audit\" and event.action == \"org.add_member\" and github.permission == \"admin\"\n", + "related_integrations": [ + { + "package": "github", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "github.permission", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "24401eca-ad0b-4ff9-9431-487a8e183af9", + "severity": "medium", + "tags": [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Persistence", + "Data Source: Github" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/", + "subtechnique": [ + { + "id": "T1136.003", + "name": "Cloud Account", + "reference": "https://attack.mitre.org/techniques/T1136/003/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 105 + }, + "id": "24401eca-ad0b-4ff9-9431-487a8e183af9_105", + "type": "security-rule" +} \ No newline at end of file 
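Review bot: The query fires only on `event.action == "org.add_member"` with `github.permission == "admin"`, so an existing member later promoted to owner would be missed if the GitHub audit integration records that as a different action (presumably `org.update_member`; verify against the `^2.0.0` package's mapping before widening to `event.action in ("org.add_member", "org.update_member")`). The rule also ships with no `note` investigation guide, unlike the Okta rule in this same package; a short triage section naming the acting and target users as the integration maps them would help responders. Minor: `determine it's validity` in `description` should read `its validity`.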
diff --git a/packages/security_detection_engine/kibana/security_rule/24401eca-ad0b-4ff9-9431-487a8e183af9_2.json b/packages/security_detection_engine/kibana/security_rule/24401eca-ad0b-4ff9-9431-487a8e183af9_2.json deleted file mode 100644 index eba0145456a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/24401eca-ad0b-4ff9-9431-487a8e183af9_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a new member is added to a GitHub organization as an owner. This role provides admin level privileges. Any new owner roles should be investigated to determine it's validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.", "from": "now-9m", "index": ["logs-github.audit-*"], "language": "eql", "license": "Elastic License v2", "name": "New GitHub Owner Added", "query": "iam where event.dataset == \"github.audit\" and event.action == \"org.add_member\" and github.permission == \"admin\"\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "github.permission", "type": "keyword"}], "risk_score": 47, "rule_id": "24401eca-ad0b-4ff9-9431-487a8e183af9", "severity": "medium", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.003", "name": "Cloud Account", "reference": "https://attack.mitre.org/techniques/T1136/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "24401eca-ad0b-4ff9-9431-487a8e183af9_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/24401eca-ad0b-4ff9-9431-487a8e183af9_3.json b/packages/security_detection_engine/kibana/security_rule/24401eca-ad0b-4ff9-9431-487a8e183af9_3.json deleted file mode 100644 index c73f605e534..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/24401eca-ad0b-4ff9-9431-487a8e183af9_3.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a new member is added to a GitHub organization as an owner. This role provides admin level privileges. Any new owner roles should be investigated to determine it's validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.", "from": "now-9m", "index": ["logs-github.audit-*"], "language": "eql", "license": "Elastic License v2", "name": "New GitHub Owner Added", "query": "iam where event.dataset == \"github.audit\" and event.action == \"org.add_member\" and github.permission == \"admin\"\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "github.permission", "type": "keyword"}], "risk_score": 47, "rule_id": "24401eca-ad0b-4ff9-9431-487a8e183af9", "severity": "medium", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Persistence", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.003", "name": "Cloud Account", "reference": "https://attack.mitre.org/techniques/T1136/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "24401eca-ad0b-4ff9-9431-487a8e183af9_3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f.json b/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f.json deleted file mode 100644 index 788078a5805..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.", "from": "now-9m", "index": ["logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Lateral Movement via Startup Folder", "query": "file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n\n /* via RDP TSClient mounted share or SMB */\n (process.name : \"mstsc.exe\" or process.pid == 4) and\n\n file.path : (\"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\")\n", "references": ["https://www.mdsec.co.uk/2017/06/rdpinception/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 73, "rule_id": "25224a80-5a4a-4b8a-991e-6ab390465c4f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", 
"severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "25224a80-5a4a-4b8a-991e-6ab390465c4f", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_102.json b/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_102.json deleted file mode 100644 index a2b2ccb2f95..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Lateral Movement via Startup Folder", "note": "", "query": "file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n\n /* via RDP TSClient mounted share or SMB */\n (process.name : \"mstsc.exe\" or process.pid == 4) and\n\n file.path : (\"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\")\n", "references": ["https://www.mdsec.co.uk/2017/06/rdpinception/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 73, "rule_id": "25224a80-5a4a-4b8a-991e-6ab390465c4f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral 
Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "25224a80-5a4a-4b8a-991e-6ab390465c4f_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_103.json b/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_103.json deleted file mode 100644 index d4da3b9f8ed..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Lateral Movement via Startup Folder", "note": "", "query": "file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n\n /* via RDP TSClient mounted share or SMB */\n (process.name : \"mstsc.exe\" or process.pid == 4) and\n\n file.path : (\"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\")\n", "references": ["https://www.mdsec.co.uk/2017/06/rdpinception/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 73, "rule_id": "25224a80-5a4a-4b8a-991e-6ab390465c4f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "25224a80-5a4a-4b8a-991e-6ab390465c4f_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_104.json b/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_104.json deleted file mode 100644 index fdd198576fa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Lateral Movement via Startup Folder", "note": "", "query": "file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n\n /* via RDP TSClient mounted share or SMB */\n (process.name : \"mstsc.exe\" or process.pid == 4) and\n\n file.path : (\"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\")\n", "references": ["https://www.mdsec.co.uk/2017/06/rdpinception/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 73, "rule_id": "25224a80-5a4a-4b8a-991e-6ab390465c4f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "25224a80-5a4a-4b8a-991e-6ab390465c4f_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_105.json b/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_105.json deleted file mode 100644 index c90d290a6e2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Lateral Movement via Startup Folder", "note": "", "query": "file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n\n /* via RDP TSClient mounted share or SMB */\n (process.name : \"mstsc.exe\" or process.pid == 4) and\n\n file.path : (\"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\")\n", "references": ["https://www.mdsec.co.uk/2017/06/rdpinception/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 73, "rule_id": "25224a80-5a4a-4b8a-991e-6ab390465c4f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "25224a80-5a4a-4b8a-991e-6ab390465c4f_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_106.json b/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_106.json deleted file mode 100644 index 02ead7f92d4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Lateral Movement via Startup Folder", "query": "file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n\n /* via RDP TSClient mounted share or SMB */\n (process.name : \"mstsc.exe\" or process.pid == 4) and\n\n file.path : (\"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\")\n", "references": ["https://www.mdsec.co.uk/2017/06/rdpinception/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 73, "rule_id": "25224a80-5a4a-4b8a-991e-6ab390465c4f", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": 
["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "25224a80-5a4a-4b8a-991e-6ab390465c4f_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_107.json b/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_107.json deleted file mode 100644 index 1fa999c0a16..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Lateral Movement via Startup Folder", "query": "file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n\n /* via RDP TSClient mounted share or SMB */\n (process.name : \"mstsc.exe\" or process.pid == 4) and\n\n file.path : (\"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\")\n", "references": ["https://www.mdsec.co.uk/2017/06/rdpinception/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 73, "rule_id": "25224a80-5a4a-4b8a-991e-6ab390465c4f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", 
"severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "25224a80-5a4a-4b8a-991e-6ab390465c4f_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_108.json b/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_108.json deleted file mode 100644 index 3c08bd38b18..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.", "from": "now-9m", "index": ["logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Lateral Movement via Startup Folder", "query": "file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n\n /* via RDP TSClient mounted share or SMB */\n (process.name : \"mstsc.exe\" or process.pid == 4) and\n\n file.path : (\"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\")\n", "references": ["https://www.mdsec.co.uk/2017/06/rdpinception/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 73, "rule_id": "25224a80-5a4a-4b8a-991e-6ab390465c4f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", 
"severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "25224a80-5a4a-4b8a-991e-6ab390465c4f_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_109.json b/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_109.json deleted file mode 100644 index 0ad1f1398f0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/25224a80-5a4a-4b8a-991e-6ab390465c4f_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.", "from": "now-9m", "index": ["logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Lateral Movement via Startup Folder", "query": "file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n\n /* via RDP TSClient mounted share or SMB */\n (process.name : \"mstsc.exe\" or process.pid == 4) and\n\n file.path : (\"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\")\n", "references": ["https://www.mdsec.co.uk/2017/06/rdpinception/", "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 73, "rule_id": "25224a80-5a4a-4b8a-991e-6ab390465c4f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest 
pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "25224a80-5a4a-4b8a-991e-6ab390465c4f_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2553a9af-52a4-4a05-bb03-85b2a479a0a0.json b/packages/security_detection_engine/kibana/security_rule/2553a9af-52a4-4a05-bb03-85b2a479a0a0.json deleted file mode 100644 index f3ec6b2854d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2553a9af-52a4-4a05-bb03-85b2a479a0a0.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects known PowerShell offensive tooling author's name in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code, which may still contain the author artifacts. This rule identifies common author handles found in popular PowerShell scripts used for red team exercises.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential PowerShell HackTool Script by Author", "query": "host.os.type:windows and event.category:process and\n powershell.file.script_block_text : (\n \"mattifestation\" or \"JosephBialek\" or\n \"harmj0y\" or \"ukstufus\" or\n \"SecureThisShit\" or \"Matthew Graeber\" or\n \"secabstraction\" or \"mgeeky\" or\n \"oddvarmoe\" or \"am0nsec\" or\n \"obscuresec\" or \"sixdub\" or\n \"darkoperator\" or \"funoverip\" or\n \"rvrsh3ll\" or \"kevin_robertson\" or\n \"dafthack\" or \"r4wd3r\" or\n \"danielhbohannon\" or \"OneLogicalMyth\" or\n \"cobbr_io\" or \"xorrior\" or\n \"PetrMedonos\" or \"citronneur\" or\n \"eladshamir\" or \"RastaMouse\" or\n \"enigma0x3\" or \"FuzzySec\" or\n \"424f424f\" or \"jaredhaight\" or\n \"fullmetalcache\" or \"Hubbl3\" or\n \"curi0usJack\" or \"Cx01N\" or\n \"itm4n\" or \"nurfed1\" or\n \"cfalta\" or \"Scott Sutherland\" or\n \"_nullbind\" or \"_tmenochet\" or\n \"jaredcatkinson\" or \"ChrisTruncer\" or\n \"monoxgas\" or \"TheRealWover\" or\n \"splinter_code\"\n )\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 73, "rule_id": 
"2553a9af-52a4-4a05-bb03-85b2a479a0a0", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "2553a9af-52a4-4a05-bb03-85b2a479a0a0", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2553a9af-52a4-4a05-bb03-85b2a479a0a0_1.json b/packages/security_detection_engine/kibana/security_rule/2553a9af-52a4-4a05-bb03-85b2a479a0a0_1.json deleted file mode 100644 index a315b49e10d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2553a9af-52a4-4a05-bb03-85b2a479a0a0_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects known PowerShell offensive tooling author's name in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code, which may still contain the author artifacts. This rule identifies common author handles found in popular PowerShell scripts used for red team exercises.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential PowerShell HackTool Script by Author", "query": "host.os.type:windows and event.category:process and\n powershell.file.script_block_text : (\n \"mattifestation\" or \"JosephBialek\" or\n \"harmj0y\" or \"ukstufus\" or\n \"SecureThisShit\" or \"Matthew Graeber\" or\n \"secabstraction\" or \"mgeeky\" or\n \"oddvarmoe\" or \"am0nsec\" or\n \"obscuresec\" or \"sixdub\" or\n \"darkoperator\" or \"funoverip\" or\n \"rvrsh3ll\" or \"kevin_robertson\" or\n \"dafthack\" or \"r4wd3r\" or\n \"danielhbohannon\" or \"OneLogicalMyth\" or\n \"cobbr_io\" or \"xorrior\" or\n \"PetrMedonos\" or \"citronneur\" or\n \"eladshamir\" or \"RastaMouse\" or\n \"enigma0x3\" or \"FuzzySec\" or\n \"424f424f\" or \"jaredhaight\" or\n \"fullmetalcache\" or \"Hubbl3\" or\n \"curi0usJack\" or \"Cx01N\" or\n \"itm4n\" or \"nurfed1\" or\n \"cfalta\" or \"Scott Sutherland\" or\n \"_nullbind\" or \"_tmenochet\" or\n \"Boe Prox\" or \"jaredcatkinson\" or\n \"ChrisTruncer\" or \"monoxgas\" or\n \"TheRealWover\" or \"splinter_code\"\n )\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 73, 
"rule_id": "2553a9af-52a4-4a05-bb03-85b2a479a0a0", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "2553a9af-52a4-4a05-bb03-85b2a479a0a0_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2553a9af-52a4-4a05-bb03-85b2a479a0a0_2.json b/packages/security_detection_engine/kibana/security_rule/2553a9af-52a4-4a05-bb03-85b2a479a0a0_2.json deleted file mode 100644 index 99f8f082e54..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2553a9af-52a4-4a05-bb03-85b2a479a0a0_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects known PowerShell offensive tooling author's name in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code, which may still contain the author artifacts. This rule identifies common author handles found in popular PowerShell scripts used for red team exercises.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential PowerShell HackTool Script by Author", "query": "host.os.type:windows and event.category:process and\n powershell.file.script_block_text : (\n \"mattifestation\" or \"JosephBialek\" or\n \"harmj0y\" or \"ukstufus\" or\n \"SecureThisShit\" or \"Matthew Graeber\" or\n \"secabstraction\" or \"mgeeky\" or\n \"oddvarmoe\" or \"am0nsec\" or\n \"obscuresec\" or \"sixdub\" or\n \"darkoperator\" or \"funoverip\" or\n \"rvrsh3ll\" or \"kevin_robertson\" or\n \"dafthack\" or \"r4wd3r\" or\n \"danielhbohannon\" or \"OneLogicalMyth\" or\n \"cobbr_io\" or \"xorrior\" or\n \"PetrMedonos\" or \"citronneur\" or\n \"eladshamir\" or \"RastaMouse\" or\n \"enigma0x3\" or \"FuzzySec\" or\n \"424f424f\" or \"jaredhaight\" or\n \"fullmetalcache\" or \"Hubbl3\" or\n \"curi0usJack\" or \"Cx01N\" or\n \"itm4n\" or \"nurfed1\" or\n \"cfalta\" or \"Scott Sutherland\" or\n \"_nullbind\" or \"_tmenochet\" or\n \"jaredcatkinson\" or \"ChrisTruncer\" or\n \"monoxgas\" or \"TheRealWover\" or\n \"splinter_code\"\n )\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 73, "rule_id": 
"2553a9af-52a4-4a05-bb03-85b2a479a0a0", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "2553a9af-52a4-4a05-bb03-85b2a479a0a0_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2553a9af-52a4-4a05-bb03-85b2a479a0a0_3.json b/packages/security_detection_engine/kibana/security_rule/2553a9af-52a4-4a05-bb03-85b2a479a0a0_3.json deleted file mode 100644 index 6034f425ca1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2553a9af-52a4-4a05-bb03-85b2a479a0a0_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects known PowerShell offensive tooling author's name in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code, which may still contain the author artifacts. This rule identifies common author handles found in popular PowerShell scripts used for red team exercises.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential PowerShell HackTool Script by Author", "query": "host.os.type:windows and event.category:process and\n powershell.file.script_block_text : (\n \"mattifestation\" or \"JosephBialek\" or\n \"harmj0y\" or \"ukstufus\" or\n \"SecureThisShit\" or \"Matthew Graeber\" or\n \"secabstraction\" or \"mgeeky\" or\n \"oddvarmoe\" or \"am0nsec\" or\n \"obscuresec\" or \"sixdub\" or\n \"darkoperator\" or \"funoverip\" or\n \"rvrsh3ll\" or \"kevin_robertson\" or\n \"dafthack\" or \"r4wd3r\" or\n \"danielhbohannon\" or \"OneLogicalMyth\" or\n \"cobbr_io\" or \"xorrior\" or\n \"PetrMedonos\" or \"citronneur\" or\n \"eladshamir\" or \"RastaMouse\" or\n \"enigma0x3\" or \"FuzzySec\" or\n \"424f424f\" or \"jaredhaight\" or\n \"fullmetalcache\" or \"Hubbl3\" or\n \"curi0usJack\" or \"Cx01N\" or\n \"itm4n\" or \"nurfed1\" or\n \"cfalta\" or \"Scott Sutherland\" or\n \"_nullbind\" or \"_tmenochet\" or\n \"jaredcatkinson\" or \"ChrisTruncer\" or\n \"monoxgas\" or \"TheRealWover\" or\n \"splinter_code\"\n )\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 73, "rule_id": 
"2553a9af-52a4-4a05-bb03-85b2a479a0a0", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "2553a9af-52a4-4a05-bb03-85b2a479a0a0_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39.json b/packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39.json deleted file mode 100644 index ef8d103e32e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the execution of background processes with process arguments capable of opening a socket in the /dev/tcp channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Background Process", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and \nprocess.name in (\"setsid\", \"nohup\") and process.args : \"*/dev/tcp/*0>&1*\" and \nprocess.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_1.json b/packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_1.json deleted file mode 100644 index 21263c871ff..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the execution of background processes with process arguments capable of opening a socket in the /dev/tcp channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Background Process", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name in (\"setsid\", \"nohup\") and process.args : \"*/dev/tcp/*0>&1*\" and \nprocess.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": 
[{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_2.json b/packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_2.json deleted file mode 100644 index 88c6b1b60d5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the execution of background processes with process arguments capable of opening a socket in the /dev/tcp channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Background Process", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name in (\"setsid\", \"nohup\") and process.args : \"*/dev/tcp/*0>&1*\" and \nprocess.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_3.json b/packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_3.json deleted file mode 100644 index 333154e6316..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the execution of background processes with process arguments capable of opening a socket in the /dev/tcp channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Background Process", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name in (\"setsid\", \"nohup\") and process.args : \"*/dev/tcp/*0>&1*\" and \nprocess.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "259be2d8-3b1a-4c2c-a0eb-0c8e77f35e39_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95.json b/packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95.json deleted file mode 100644 index 6b379874186..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Network Activity Detected via Kworker", "new_terms_fields": ["process.name", "destination.ip", "destination.port"], "query": "host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and \nprocess.name:kworker* and not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.168.0.0/16 or\n 224.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n) and not destination.port:2049\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "25d917c4-aa3c-4111-974c-286c0312ff95", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}, {"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1041", "name": "Exfiltration Over C2 Channel", "reference": "https://attack.mitre.org/techniques/T1041/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 5}, "id": "25d917c4-aa3c-4111-974c-286c0312ff95", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_1.json b/packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_1.json deleted file mode 100644 index 9e451ae22b0..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_1.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process.", "from": "now-60m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Network Activity Detected via Kworker", "new_terms_fields": ["destination.ip", "process.name", "host.id"], "query": "host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and \nprocess.name:kworker*\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "25d917c4-aa3c-4111-974c-286c0312ff95", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}, {"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1041", "name": "Exfiltration Over C2 Channel", "reference": "https://attack.mitre.org/techniques/T1041/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "25d917c4-aa3c-4111-974c-286c0312ff95_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_2.json b/packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_2.json
deleted file mode 100644
index 1d326cbf663..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process.", "from": "now-60m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Network Activity Detected via Kworker", "new_terms_fields": ["host.id", "process.name", "destination.ip"], "query": "host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and \nprocess.name:kworker* and not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.168.0.0/16 or\n 224.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "25d917c4-aa3c-4111-974c-286c0312ff95", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}, {"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1041", "name": "Exfiltration Over C2 Channel", "reference": "https://attack.mitre.org/techniques/T1041/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "25d917c4-aa3c-4111-974c-286c0312ff95_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_3.json b/packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_3.json
deleted file mode 100644
index 45c5f1ca413..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process.", "from": "now-60m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Network Activity Detected via Kworker", "new_terms_fields": ["host.id", "process.name", "destination.ip"], "query": "host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and \nprocess.name:kworker* and not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.168.0.0/16 or\n 224.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "25d917c4-aa3c-4111-974c-286c0312ff95", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}, {"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1041", "name": "Exfiltration Over C2 Channel", "reference": "https://attack.mitre.org/techniques/T1041/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 3}, "id": "25d917c4-aa3c-4111-974c-286c0312ff95_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_4.json b/packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_4.json
deleted file mode 100644
index 41647d1e2fb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Network Activity Detected via Kworker", "new_terms_fields": ["process.name", "destination.ip", "destination.port"], "query": "host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and \nprocess.name:kworker* and not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.168.0.0/16 or\n 224.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n) and not destination.port:2049\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "25d917c4-aa3c-4111-974c-286c0312ff95", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}, {"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1041", "name": "Exfiltration Over C2 Channel", "reference": "https://attack.mitre.org/techniques/T1041/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 4}, "id": "25d917c4-aa3c-4111-974c-286c0312ff95_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_5.json b/packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_5.json
deleted file mode 100644
index f1faf2971d3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Network Activity Detected via Kworker", "new_terms_fields": ["process.name", "destination.ip", "destination.port"], "query": "host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and \nprocess.name:kworker* and not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.168.0.0/16 or\n 224.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n) and not destination.port:2049\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "25d917c4-aa3c-4111-974c-286c0312ff95", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}, {"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1041", "name": "Exfiltration Over C2 Channel", "reference": "https://attack.mitre.org/techniques/T1041/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 5}, "id": "25d917c4-aa3c-4111-974c-286c0312ff95_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/25e7fee6-fc25-11ee-ba0f-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/25e7fee6-fc25-11ee-ba0f-f661ea17fbce.json
deleted file mode 100644
index 1a217b9ac23..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/25e7fee6-fc25-11ee-ba0f-f661ea17fbce.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a specified inbound (ingress) rule is added or adjusted for a VPC security group in AWS EC2. This rule detects when a security group rule is added that allows traffic from any IP address or from a specific IP address to common remote access ports, such as 22 (SSH) or 3389 (RDP). Adversaries may add these rules to allow remote access to VPC instances from any location, increasing the attack surface and potentially exposing the instances to unauthorized access.", "false_positives": ["Administrators may legitimately add security group rules to allow traffic from any IP address or from specific IP addresses to common remote access ports."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Insecure AWS EC2 VPC Security Group Ingress Rule Added", "note": "## Triage and Analysis\n\n### Investigating Insecure AWS EC2 VPC Security Group Ingress Rule Added\n\nThis rule detects the addition of ingress rules to a VPC security group that allow traffic from any IP address (`0.0.0.0/0` or `::/0`) to sensitive ports commonly used for remote access, such as SSH (port 22) and RDP (port 3389). This configuration change can significantly increase the exposure of EC2 instances to potential threats, making it crucial to understand the context and legitimacy of such changes.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Investigate whether this actor has the necessary permissions and typically performs these actions.\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand exactly what changes were made to the security group. 
Check for any unusual parameters that could suggest a misconfiguration or malicious intent.\n- **Analyze the Source of the Request**: Look at the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unusual location could indicate compromised credentials.\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the change occurred. Modifications outside of typical business hours might warrant additional scrutiny.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor engaged in other potentially suspicious activities.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Verify if the ingress rule change aligns with scheduled updates, maintenance activities, or legitimate administrative tasks documented in change management tickets or systems.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. 
Consistency with past legitimate actions might indicate a false alarm.\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the change was successful and intended as per policy.\n\n### Response and Remediation:\n\n- **Immediate Review and Reversal if Necessary**: If the change was unauthorized, revert the security group rules to their previous state to close any unintended access.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar security group changes, especially those that open access to well-known ports from any IP address.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning security group management.\n- **Audit Security Groups and Policies**: Conduct a comprehensive audit of all security groups and associated policies to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing security group rules and securing AWS environments, refer to the [Amazon VPC Security Groups documentation](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html) and AWS best practices for security.\n\n", "query": "event.dataset: \"aws.cloudtrail\"\n and event.provider: ec2.amazonaws.com\n and event.action: AuthorizeSecurityGroupIngress\n and event.outcome: success\n and aws.cloudtrail.flattened.request_parameters.cidrIp: (\"0.0.0.0/0\" or \"::/0\")\n and aws.cloudtrail.flattened.request_parameters.fromPort: (\n 21 or 22 or 23 or 445 or 3389 or 5985 or 5986)\n", "references": ["https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupEgress.html", 
"https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html", "https://www.linkedin.com/pulse/my-backdoors-your-aws-infrastructure-part-3-network-micha%C5%82-brygidyn/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.flattened.request_parameters.cidrIp", "type": "unknown"}, {"ecs": false, "name": "aws.cloudtrail.flattened.request_parameters.fromPort", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "25e7fee6-fc25-11ee-ba0f-f661ea17fbce", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "25e7fee6-fc25-11ee-ba0f-f661ea17fbce", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/260486ee-7d98-11ee-9599-f661ea17fbcd.json b/packages/security_detection_engine/kibana/security_rule/260486ee-7d98-11ee-9599-f661ea17fbcd.json
deleted file mode 100644
index e1419bc7432..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/260486ee-7d98-11ee-9599-f661ea17fbcd.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects events where Okta behavior detection has identified a new authentication behavior.", "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "15m", "language": "kuery", "license": "Elastic License v2", "name": "New Okta Authentication Behavior Detected", "note": "## Triage and analysis\n\n### Investigating New Okta Authentication Behavior Detected\n\nThis rule detects events where Okta behavior detection has identified a new authentication behavior such as a new device or location.\n\n#### Possible investigation steps:\n- Identify the user involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the authentication anomaly by examining the `okta.debug_context.debug_data.risk_behaviors` and `okta.debug_context.debug_data.flattened` fields.\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\n- Review the past activities of the actor involved in this action by checking their previous actions.\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- A user may be using a new device or location to sign in.\n- The Okta behavior detection may be incorrectly identifying a new authentication behavior and need adjusted.\n\n### Response and remediation:\n- If the user is legitimate and the authentication behavior is not suspicious, no action 
is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting the user's password and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the user.\n- If the user is not legitimate, consider deactivating the user's account.\n- If this is a false positive, consider adjusting the Okta behavior detection settings.\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.", "query": "event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:*\n", "references": ["https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://unit42.paloaltonetworks.com/muddled-libra/", "https://help.okta.com/oie/en-us/content/topics/security/behavior-detection/about-behavior-detection.htm"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.debug_context.debug_data.risk_behaviors", "type": "keyword"}], "risk_score": 47, "rule_id": "260486ee-7d98-11ee-9599-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: Initial Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "260486ee-7d98-11ee-9599-f661ea17fbcd", "type": "security-rule"} \ No newline at 
end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/260486ee-7d98-11ee-9599-f661ea17fbcd_1.json b/packages/security_detection_engine/kibana/security_rule/260486ee-7d98-11ee-9599-f661ea17fbcd_1.json
deleted file mode 100644
index b387e266575..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/260486ee-7d98-11ee-9599-f661ea17fbcd_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects events where Okta behavior detection has identified a new authentication behavior.", "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "15m", "language": "kuery", "license": "Elastic License v2", "name": "New Okta Authentication Behavior Detected", "note": "## Triage and analysis\n\n### Investigating New Okta Authentication Behavior Detected\n\nThis rule detects events where Okta behavior detection has identified a new authentication behavior such as a new device or location.\n\n#### Possible investigation steps:\n- Identify the user involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the authentication anomaly by examining the `okta.debug_context.debug_data.risk_behaviors` and `okta.debug_context.debug_data.flattened` fields.\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\n- Review the past activities of the actor involved in this action by checking their previous actions.\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- A user may be using a new device or location to sign in.\n- The Okta behavior detection may be incorrectly identifying a new authentication behavior and need adjusted.\n\n### Response and remediation:\n- If the user is legitimate and the authentication behavior is not suspicious, no action 
is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting the user's password and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the user.\n- If the user is not legitimate, consider deactivating the user's account.\n- If this is a false positive, consider adjusting the Okta behavior detection settings.\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.", "query": "event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:*", "references": ["https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://unit42.paloaltonetworks.com/muddled-libra/", "https://help.okta.com/oie/en-us/content/topics/security/behavior-detection/about-behavior-detection.htm"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.debug_context.debug_data.risk_behaviors", "type": "keyword"}], "risk_score": 47, "rule_id": "260486ee-7d98-11ee-9599-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: Initial Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "260486ee-7d98-11ee-9599-f661ea17fbcd_1", "type": "security-rule"} \ No newline at 
end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/260486ee-7d98-11ee-9599-f661ea17fbcd_105.json b/packages/security_detection_engine/kibana/security_rule/260486ee-7d98-11ee-9599-f661ea17fbcd_105.json
new file mode 100644
index 00000000000..758715c072a
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/260486ee-7d98-11ee-9599-f661ea17fbcd_105.json
@@ -0,0 +1,70 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects events where Okta behavior detection has identified a new authentication behavior.",
+ "from": "now-30m",
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "interval": "15m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "New Okta Authentication Behavior Detected",
+ "note": "## Triage and analysis\n\n### Investigating New Okta Authentication Behavior Detected\n\nThis rule detects events where Okta behavior detection has identified a new authentication behavior such as a new device or location.\n\n#### Possible investigation steps:\n- Identify the user involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the authentication anomaly by examining the `okta.debug_context.debug_data.risk_behaviors` and `okta.debug_context.debug_data.flattened` fields.\n- Determine the client used by the actor. 
Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\n- Review the past activities of the actor involved in this action by checking their previous actions.\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- A user may be using a new device or location to sign in.\n- The Okta behavior detection may be incorrectly identifying a new authentication behavior and need adjusted.\n\n### Response and remediation:\n- If the user is legitimate and the authentication behavior is not suspicious, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting the user's password and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the user.\n- If the user is not legitimate, consider deactivating the user's account.\n- If this is a false positive, consider adjusting the Okta behavior detection settings.\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.",
+ "query": "event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:*\n",
+ "references": [
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ 
"https://unit42.paloaltonetworks.com/muddled-libra/",
+ "https://help.okta.com/oie/en-us/content/topics/security/behavior-detection/about-behavior-detection.htm",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "okta.debug_context.debug_data.risk_behaviors",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "260486ee-7d98-11ee-9599-f661ea17fbcd",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Tactic: Initial Access",
+ "Data Source: Okta"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": []
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 105
+ },
+ "id": "260486ee-7d98-11ee-9599-f661ea17fbcd_105",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/260486ee-7d98-11ee-9599-f661ea17fbcd_2.json b/packages/security_detection_engine/kibana/security_rule/260486ee-7d98-11ee-9599-f661ea17fbcd_2.json
deleted file mode 100644
index 12a94fbc7ef..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/260486ee-7d98-11ee-9599-f661ea17fbcd_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects events where Okta behavior detection has identified a new authentication behavior.", "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "15m", "language": "kuery", "license": "Elastic License v2", "name": "New Okta Authentication Behavior Detected", "note": "## Triage and analysis\n\n### Investigating New Okta Authentication Behavior Detected\n\nThis rule detects events where Okta behavior detection has identified a new authentication behavior such as a new device or location.\n\n#### Possible investigation steps:\n- Identify the user involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the authentication anomaly by examining the `okta.debug_context.debug_data.risk_behaviors` and `okta.debug_context.debug_data.flattened` fields.\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\n- Review the past activities of the actor involved in this action by checking their previous actions.\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- A user may be using a new device or location to sign in.\n- The Okta behavior detection may be incorrectly identifying a new authentication behavior and need adjusted.\n\n### Response and remediation:\n- If the user is legitimate and the authentication behavior is not suspicious, no action 
is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting the user's password and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the user.\n- If the user is not legitimate, consider deactivating the user's account.\n- If this is a false positive, consider adjusting the Okta behavior detection settings.\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.", "query": "event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:*\n", "references": ["https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://unit42.paloaltonetworks.com/muddled-libra/", "https://help.okta.com/oie/en-us/content/topics/security/behavior-detection/about-behavior-detection.htm"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.debug_context.debug_data.risk_behaviors", "type": "keyword"}], "risk_score": 47, "rule_id": "260486ee-7d98-11ee-9599-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: Initial Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "260486ee-7d98-11ee-9599-f661ea17fbcd_2", "type": "security-rule"} \ No newline at 
end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/260486ee-7d98-11ee-9599-f661ea17fbcd_3.json b/packages/security_detection_engine/kibana/security_rule/260486ee-7d98-11ee-9599-f661ea17fbcd_3.json
deleted file mode 100644
index 22ecf163054..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/260486ee-7d98-11ee-9599-f661ea17fbcd_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects events where Okta behavior detection has identified a new authentication behavior.", "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "15m", "language": "kuery", "license": "Elastic License v2", "name": "New Okta Authentication Behavior Detected", "note": "## Triage and analysis\n\n### Investigating New Okta Authentication Behavior Detected\n\nThis rule detects events where Okta behavior detection has identified a new authentication behavior such as a new device or location.\n\n#### Possible investigation steps:\n- Identify the user involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the authentication anomaly by examining the `okta.debug_context.debug_data.risk_behaviors` and `okta.debug_context.debug_data.flattened` fields.\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\n- Review the past activities of the actor involved in this action by checking their previous actions.\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- A user may be using a new device or location to sign in.\n- The Okta behavior detection may be incorrectly identifying a new authentication behavior and need adjusted.\n\n### Response and remediation:\n- If the user is legitimate and the authentication behavior is not suspicious, no action 
is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting the user's password and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the user.\n- If the user is not legitimate, consider deactivating the user's account.\n- If this is a false positive, consider adjusting the Okta behavior detection settings.\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.", "query": "event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:*\n", "references": ["https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://unit42.paloaltonetworks.com/muddled-libra/", "https://help.okta.com/oie/en-us/content/topics/security/behavior-detection/about-behavior-detection.htm", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.debug_context.debug_data.risk_behaviors", "type": "keyword"}], "risk_score": 47, "rule_id": "260486ee-7d98-11ee-9599-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: Initial Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": 
[]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "260486ee-7d98-11ee-9599-f661ea17fbcd_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/260486ee-7d98-11ee-9599-f661ea17fbcd_5.json b/packages/security_detection_engine/kibana/security_rule/260486ee-7d98-11ee-9599-f661ea17fbcd_5.json
deleted file mode 100644
index 2f27cc679bc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/260486ee-7d98-11ee-9599-f661ea17fbcd_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects events where Okta behavior detection has identified a new authentication behavior.", "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "15m", "language": "kuery", "license": "Elastic License v2", "name": "New Okta Authentication Behavior Detected", "note": "## Triage and analysis\n\n### Investigating New Okta Authentication Behavior Detected\n\nThis rule detects events where Okta behavior detection has identified a new authentication behavior such as a new device or location.\n\n#### Possible investigation steps:\n- Identify the user involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the authentication anomaly by examining the `okta.debug_context.debug_data.risk_behaviors` and `okta.debug_context.debug_data.flattened` fields.\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\n- Review the past activities of the actor involved in this action by checking their previous actions.\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- A user may be using a new device or location to sign in.\n- The Okta behavior detection may be incorrectly identifying a new authentication behavior and need adjusted.\n\n### Response and remediation:\n- If the user is legitimate and the authentication behavior is not suspicious, no action 
is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting the user's password and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the user.\n- If the user is not legitimate, consider deactivating the user's account.\n- If this is a false positive, consider adjusting the Okta behavior detection settings.\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.", "query": "event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:*\n", "references": ["https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://unit42.paloaltonetworks.com/muddled-libra/", "https://help.okta.com/oie/en-us/content/topics/security/behavior-detection/about-behavior-detection.htm", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.debug_context.debug_data.risk_behaviors", "type": "keyword"}], "risk_score": 47, "rule_id": "260486ee-7d98-11ee-9599-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: Initial Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": 
[]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "260486ee-7d98-11ee-9599-f661ea17fbcd_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91.json b/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91.json
deleted file mode 100644
index 345fd387f4a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the usage of the built-in Linux DebugFS utility to access a disk device without root permissions. Linux users that are part of the \"disk\" group have sufficient privileges to access all data inside of the machine through DebugFS. Attackers may leverage DebugFS in conjunction with \"disk\" permissions to read sensitive files owned by root, such as the shadow file, root ssh private keys or other sensitive files that may allow them to further escalate privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Suspicious DebugFS Root Device Access", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \nprocess.name == \"debugfs\" and process.args : \"/dev/sd*\" and not process.args == \"-R\" and \nnot user.Ext.real.id == \"0\" and not group.Ext.real.id == \"0\"\n", "references": ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#disk-group"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 21, "rule_id": "2605aa59-29ac-4662-afad-8d86257c7c91", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "2605aa59-29ac-4662-afad-8d86257c7c91", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_1.json b/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_1.json
deleted file mode 100644
index 42eb38a9dcb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the usage of the built-in Linux DebugFS utility to access a disk device without root permissions. Linux users that are part of the \"disk\" group have sufficient privileges to access all data inside of the machine through DebugFS. Attackers may leverage DebugFS in conjunction with \"disk\" permissions to read sensitive files owned by root, such as the shadow file, root ssh private keys or other sensitive files that may allow them to further escalate privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Suspicious DebugFS Root Device Access", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and \nprocess.name == \"debugfs\" and process.args : \"/dev/sd*\" and not user.Ext.real.id == \"0\" and not group.Ext.real.id == \"0\"\n", "references": ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#disk-group"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 21, "rule_id": "2605aa59-29ac-4662-afad-8d86257c7c91", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": 
"https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "2605aa59-29ac-4662-afad-8d86257c7c91_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_2.json b/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_2.json
deleted file mode 100644
index 10ef988c998..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the usage of the built-in Linux DebugFS utility to access a disk device without root permissions. Linux users that are part of the \"disk\" group have sufficient privileges to access all data inside of the machine through DebugFS. Attackers may leverage DebugFS in conjunction with \"disk\" permissions to read sensitive files owned by root, such as the shadow file, root ssh private keys or other sensitive files that may allow them to further escalate privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Suspicious DebugFS Root Device Access", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and \nprocess.name == \"debugfs\" and process.args : \"/dev/sd*\" and not process.args == \"-R\" and \nnot user.Ext.real.id == \"0\" and not group.Ext.real.id == \"0\"\n", "references": ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#disk-group"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 21, "rule_id": "2605aa59-29ac-4662-afad-8d86257c7c91", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": 
"Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "2605aa59-29ac-4662-afad-8d86257c7c91_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_3.json b/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_3.json
deleted file mode 100644
index 531d4fceef0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the usage of the built-in Linux DebugFS utility to access a disk device without root permissions. Linux users that are part of the \"disk\" group have sufficient privileges to access all data inside of the machine through DebugFS. Attackers may leverage DebugFS in conjunction with \"disk\" permissions to read sensitive files owned by root, such as the shadow file, root ssh private keys or other sensitive files that may allow them to further escalate privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Suspicious DebugFS Root Device Access", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and \nprocess.name == \"debugfs\" and process.args : \"/dev/sd*\" and not process.args == \"-R\" and \nnot user.Ext.real.id == \"0\" and not group.Ext.real.id == \"0\"\n", "references": ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#disk-group"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 21, "rule_id": "2605aa59-29ac-4662-afad-8d86257c7c91", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "2605aa59-29ac-4662-afad-8d86257c7c91_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_4.json b/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_4.json
deleted file mode 100644
index b5173773517..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the usage of the built-in Linux DebugFS utility to access a disk device without root permissions. Linux users that are part of the \"disk\" group have sufficient privileges to access all data inside of the machine through DebugFS. Attackers may leverage DebugFS in conjunction with \"disk\" permissions to read sensitive files owned by root, such as the shadow file, root ssh private keys or other sensitive files that may allow them to further escalate privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Suspicious DebugFS Root Device Access", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and \nprocess.name == \"debugfs\" and process.args : \"/dev/sd*\" and not process.args == \"-R\" and \nnot user.Ext.real.id == \"0\" and not group.Ext.real.id == \"0\"\n", "references": ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#disk-group"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 21, "rule_id": "2605aa59-29ac-4662-afad-8d86257c7c91", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "2605aa59-29ac-4662-afad-8d86257c7c91_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_5.json b/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_5.json
deleted file mode 100644
index 81c7185a94d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2605aa59-29ac-4662-afad-8d86257c7c91_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the usage of the built-in Linux DebugFS utility to access a disk device without root permissions. Linux users that are part of the \"disk\" group have sufficient privileges to access all data inside of the machine through DebugFS. Attackers may leverage DebugFS in conjunction with \"disk\" permissions to read sensitive files owned by root, such as the shadow file, root ssh private keys or other sensitive files that may allow them to further escalate privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Suspicious DebugFS Root Device Access", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and \nprocess.name == \"debugfs\" and process.args : \"/dev/sd*\" and not process.args == \"-R\" and \nnot user.Ext.real.id == \"0\" and not group.Ext.real.id == \"0\"\n", "references": ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#disk-group"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 21, "rule_id": "2605aa59-29ac-4662-afad-8d86257c7c91", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "2605aa59-29ac-4662-afad-8d86257c7c91_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/263481c8-1e9b-492e-912d-d1760707f810.json b/packages/security_detection_engine/kibana/security_rule/263481c8-1e9b-492e-912d-d1760707f810.json
deleted file mode 100644
index 997f502a076..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/263481c8-1e9b-492e-912d-d1760707f810.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potential relay attacks against a domain controller (DC) by identifying authentication events using the domain controller computer account coming from other hosts to the DC that owns the account. Attackers may relay the DC hash after capturing it using forced authentication.", "from": "now-9m", "index": ["logs-system.security-*", "logs-windows.forwarded*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Relay Attack against a Domain Controller", "query": "authentication where host.os.type == \"windows\" and event.code in (\"4624\", \"4625\") and endswith~(user.name, \"$\") and\n winlog.event_data.AuthenticationPackageName : \"NTLM\" and winlog.logon.type : \"network\" and\n\n /* Filter for a machine account that matches the hostname */\n startswith~(host.name, substring(user.name, 0, -1)) and\n \n /* Verify if the Source IP belongs to the host */\n not endswith(string(source.ip), string(host.ip)) and\n source.ip != null and source.ip != \"::1\" and source.ip != \"127.0.0.1\"\n", "references": ["https://github.com/p0dalirius/windows-coerced-authentication-methods", "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications", "https://attack.mitre.org/techniques/T1187/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.ip", "type": "ip"}, {"ecs": true, "name": "host.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AuthenticationPackageName", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 21, "rule_id": 
"263481c8-1e9b-492e-912d-d1760707f810", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1187", "name": "Forced Authentication", "reference": "https://attack.mitre.org/techniques/T1187/"}, {"id": "T1557", "name": "Adversary-in-the-Middle", "reference": "https://attack.mitre.org/techniques/T1557/", "subtechnique": [{"id": "T1557.001", "name": "LLMNR/NBT-NS Poisoning and SMB Relay", "reference": "https://attack.mitre.org/techniques/T1557/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "263481c8-1e9b-492e-912d-d1760707f810", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/263481c8-1e9b-492e-912d-d1760707f810_1.json b/packages/security_detection_engine/kibana/security_rule/263481c8-1e9b-492e-912d-d1760707f810_1.json
deleted file mode 100644
index 363a6677f72..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/263481c8-1e9b-492e-912d-d1760707f810_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potential relay attacks against a domain controller (DC) by identifying authentication events using the domain controller computer account coming from other hosts to the DC that owns the account. Attackers may relay the DC hash after capturing it using forced authentication.", "from": "now-9m", "index": ["logs-system.security-*", "logs-windows.forwarded*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Relay Attack against a Domain Controller", "query": "authentication where host.os.type == \"windows\" and event.code in (\"4624\", \"4625\") and endswith~(user.name, \"$\") and\n winlog.event_data.AuthenticationPackageName : \"NTLM\" and winlog.logon.type : \"network\" and\n\n /* Filter for a machine account that matches the hostname */\n startswith~(host.name, substring(user.name, 0, -1)) and\n \n /* Verify if the Source IP belongs to the host */\n not endswith(string(source.ip), string(host.ip)) and\n source.ip != null and source.ip != \"::1\" and source.ip != \"127.0.0.1\"\n", "references": ["https://github.com/p0dalirius/windows-coerced-authentication-methods", "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications", "https://attack.mitre.org/techniques/T1187/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.ip", "type": "ip"}, {"ecs": true, "name": "host.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AuthenticationPackageName", "type": "unknown"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 21, "rule_id": "263481c8-1e9b-492e-912d-d1760707f810", 
"severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Active Directory", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1187", "name": "Forced Authentication", "reference": "https://attack.mitre.org/techniques/T1187/"}, {"id": "T1557", "name": "Adversary-in-the-Middle", "reference": "https://attack.mitre.org/techniques/T1557/", "subtechnique": [{"id": "T1557.001", "name": "LLMNR/NBT-NS Poisoning and SMB Relay", "reference": "https://attack.mitre.org/techniques/T1557/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "263481c8-1e9b-492e-912d-d1760707f810_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/263481c8-1e9b-492e-912d-d1760707f810_2.json b/packages/security_detection_engine/kibana/security_rule/263481c8-1e9b-492e-912d-d1760707f810_2.json
deleted file mode 100644
index ba23033f89a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/263481c8-1e9b-492e-912d-d1760707f810_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potential relay attacks against a domain controller (DC) by identifying authentication events using the domain controller computer account coming from other hosts to the DC that owns the account. Attackers may relay the DC hash after capturing it using forced authentication.", "from": "now-9m", "index": ["logs-system.security-*", "logs-windows.forwarded*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Relay Attack against a Domain Controller", "query": "authentication where host.os.type == \"windows\" and event.code in (\"4624\", \"4625\") and endswith~(user.name, \"$\") and\n winlog.event_data.AuthenticationPackageName : \"NTLM\" and winlog.logon.type : \"network\" and\n\n /* Filter for a machine account that matches the hostname */\n startswith~(host.name, substring(user.name, 0, -1)) and\n \n /* Verify if the Source IP belongs to the host */\n not endswith(string(source.ip), string(host.ip)) and\n source.ip != null and source.ip != \"::1\" and source.ip != \"127.0.0.1\"\n", "references": ["https://github.com/p0dalirius/windows-coerced-authentication-methods", "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications", "https://attack.mitre.org/techniques/T1187/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.ip", "type": "ip"}, {"ecs": true, "name": "host.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AuthenticationPackageName", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 21, "rule_id": 
"263481c8-1e9b-492e-912d-d1760707f810", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1187", "name": "Forced Authentication", "reference": "https://attack.mitre.org/techniques/T1187/"}, {"id": "T1557", "name": "Adversary-in-the-Middle", "reference": "https://attack.mitre.org/techniques/T1557/", "subtechnique": [{"id": "T1557.001", "name": "LLMNR/NBT-NS Poisoning and SMB Relay", "reference": "https://attack.mitre.org/techniques/T1557/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "263481c8-1e9b-492e-912d-d1760707f810_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2636aa6c-88b5-4337-9c31-8d0192a8ef45.json b/packages/security_detection_engine/kibana/security_rule/2636aa6c-88b5-4337-9c31-8d0192a8ef45.json
deleted file mode 100644
index 7e3a9208355..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2636aa6c-88b5-4337-9c31-8d0192a8ef45.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies changes to container access levels in Azure. Anonymous public read access to containers and blobs in Azure is a way to share data broadly, but can present a security risk if access to sensitive data is not managed judiciously.", "false_positives": ["Access level modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Access level modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Blob Container Access Level Modification", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE\" and event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "2636aa6c-88b5-4337-9c31-8d0192a8ef45", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Asset Visibility", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1526", "name": "Cloud Service 
Discovery", "reference": "https://attack.mitre.org/techniques/T1526/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "2636aa6c-88b5-4337-9c31-8d0192a8ef45", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2636aa6c-88b5-4337-9c31-8d0192a8ef45_101.json b/packages/security_detection_engine/kibana/security_rule/2636aa6c-88b5-4337-9c31-8d0192a8ef45_101.json
deleted file mode 100644
index 381be1106cb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2636aa6c-88b5-4337-9c31-8d0192a8ef45_101.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies changes to container access levels in Azure. Anonymous public read access to containers and blobs in Azure is a way to share data broadly, but can present a security risk if access to sensitive data is not managed judiciously.", "false_positives": ["Access level modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Access level modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Blob Container Access Level Modification", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE\" and event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "2636aa6c-88b5-4337-9c31-8d0192a8ef45", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Asset Visibility"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1526", "name": "Cloud Service 
Discovery", "reference": "https://attack.mitre.org/techniques/T1526/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "2636aa6c-88b5-4337-9c31-8d0192a8ef45_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2.json b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2.json
deleted file mode 100644
index fffdf08f3bf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Update Orchestrator Service Hijack", "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n process.parent.args : \"UsoSvc\" and\n not process.executable :\n (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\Packages\\\\*\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\UsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoCoreWorker.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeC2RClient.exe\") and\n not process.name : (\"MoUsoCoreWorker.exe\", \"OfficeC2RClient.exe\")\n", "references": ["https://github.com/irsl/CVE-2020-1313"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": 
"keyword"}], "risk_score": 73, "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "265db8f5-fc73-4d0d-b434-6483b56372e2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_104.json b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_104.json
deleted file mode 100644
index 08b94467705..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Update Orchestrator Service Hijack", "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n process.parent.args : \"UsoSvc\" and\n not process.executable :\n (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\Packages\\\\*\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\UsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoCoreWorker.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeC2RClient.exe\") and\n not process.name : (\"MoUsoCoreWorker.exe\", \"OfficeC2RClient.exe\")\n", "references": ["https://github.com/irsl/CVE-2020-1313"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], 
"risk_score": 73, "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "CVE-2020-1313", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "265db8f5-fc73-4d0d-b434-6483b56372e2_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_105.json b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_105.json
deleted file mode 100644
index e5be9e3beec..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Update Orchestrator Service Hijack", "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n process.parent.args : \"UsoSvc\" and\n not process.executable :\n (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\Packages\\\\*\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\UsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoCoreWorker.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeC2RClient.exe\") and\n not process.name : (\"MoUsoCoreWorker.exe\", \"OfficeC2RClient.exe\")\n", "references": ["https://github.com/irsl/CVE-2020-1313"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], 
"risk_score": 73, "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "CVE-2020-1313", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "265db8f5-fc73-4d0d-b434-6483b56372e2_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_106.json b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_106.json
deleted file mode 100644
index f7bbba4f527..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Update Orchestrator Service Hijack", "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n process.parent.args : \"UsoSvc\" and\n not process.executable :\n (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\Packages\\\\*\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\UsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoCoreWorker.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeC2RClient.exe\") and\n not process.name : (\"MoUsoCoreWorker.exe\", \"OfficeC2RClient.exe\")\n", "references": ["https://github.com/irsl/CVE-2020-1313"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], 
"risk_score": 73, "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Vulnerability", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "265db8f5-fc73-4d0d-b434-6483b56372e2_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_107.json b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_107.json
deleted file mode 100644
index 052616994b5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Update Orchestrator Service Hijack", "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n process.parent.args : \"UsoSvc\" and\n not process.executable :\n (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\Packages\\\\*\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\UsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoCoreWorker.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeC2RClient.exe\") and\n not process.name : (\"MoUsoCoreWorker.exe\", \"OfficeC2RClient.exe\")\n", "references": ["https://github.com/irsl/CVE-2020-1313"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], 
"risk_score": 73, "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Vulnerability", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "265db8f5-fc73-4d0d-b434-6483b56372e2_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_108.json b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_108.json
deleted file mode 100644
index 54cd09b5717..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Update Orchestrator Service Hijack", "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n process.parent.args : \"UsoSvc\" and\n not process.executable :\n (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\Packages\\\\*\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\UsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoCoreWorker.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeC2RClient.exe\") and\n not process.name : (\"MoUsoCoreWorker.exe\", \"OfficeC2RClient.exe\")\n", "references": ["https://github.com/irsl/CVE-2020-1313"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], 
"risk_score": 73, "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "265db8f5-fc73-4d0d-b434-6483b56372e2_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_109.json b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_109.json
deleted file mode 100644
index e58aa1b3153..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Update Orchestrator Service Hijack", "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n process.parent.args : \"UsoSvc\" and\n not process.executable :\n (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\Packages\\\\*\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\UsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoCoreWorker.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeC2RClient.exe\") and\n not process.name : (\"MoUsoCoreWorker.exe\", \"OfficeC2RClient.exe\")\n", "references": ["https://github.com/irsl/CVE-2020-1313"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": 
"keyword"}], "risk_score": 73, "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "265db8f5-fc73-4d0d-b434-6483b56372e2_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_110.json b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_110.json
deleted file mode 100644
index e1bf77d17fc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Update Orchestrator Service Hijack", "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n process.parent.args : \"UsoSvc\" and\n not process.executable :\n (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\Packages\\\\*\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\UsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoCoreWorker.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeC2RClient.exe\") and\n not process.name : (\"MoUsoCoreWorker.exe\", \"OfficeC2RClient.exe\")\n", "references": ["https://github.com/irsl/CVE-2020-1313"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": 
"keyword"}], "risk_score": 73, "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "265db8f5-fc73-4d0d-b434-6483b56372e2_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_111.json b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_111.json
deleted file mode 100644
index 48956a21259..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Update Orchestrator Service Hijack", "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n process.parent.args : \"UsoSvc\" and\n not process.executable :\n (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\Packages\\\\*\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\UsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoCoreWorker.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeC2RClient.exe\") and\n not process.name : (\"MoUsoCoreWorker.exe\", \"OfficeC2RClient.exe\")\n", "references": ["https://github.com/irsl/CVE-2020-1313"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": 
"keyword"}], "risk_score": 73, "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "265db8f5-fc73-4d0d-b434-6483b56372e2_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_311.json b/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_311.json
deleted file mode 100644
index a7556d564ae..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/265db8f5-fc73-4d0d-b434-6483b56372e2_311.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of SYSTEM.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Update Orchestrator Service Hijack", "note": "## Triage and analysis\n\n### Investigating Persistence via Update Orchestrator Service Hijack\n\nWindows Update Orchestrator Service is a DCOM service used by other components to install Windows updates that are already downloaded. Windows Update Orchestrator Service was vulnerable to elevation of privileges (any user to local system) due to an improper authorization of the callers. The vulnerability affected the Windows 10 and Windows Server Core products. Fixed by Microsoft on Patch Tuesday June 2020.\n\nThis rule will detect uncommon processes spawned by `svchost.exe` with `UsoSvc` as the command line parameters. Attackers can leverage this technique to elevate privileges or maintain persistence.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\svchost.exe\" and\n process.parent.args : \"UsoSvc\" and\n not process.executable :\n (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\Packages\\\\*\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotification.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotificationUx.exe\",\n \"?:\\\\Windows\\\\System32\\\\MusNotifyIcon.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerMgr.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\MoUsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\UsoCoreWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\UsoCoreWorker.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\ClickToRun\\\\OfficeC2RClient.exe\") and\n not process.name : (\"MoUsoCoreWorker.exe\", \"OfficeC2RClient.exe\")\n", "references": ["https://github.com/irsl/CVE-2020-1313"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, 
"name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "265db8f5-fc73-4d0d-b434-6483b56372e2", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 311}, "id": "265db8f5-fc73-4d0d-b434-6483b56372e2_311", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b.json b/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b.json deleted file mode 100644 index 17cbded6f12..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies parent process spoofing used to create an elevated child process. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.", "from": "now-9m", "index": ["logs-endpoint.events.process-*"], "language": "eql", "license": "Elastic License v2", "name": "Privileges Elevation via Parent Process PID Spoofing", "query": "/* This rule is compatible with Elastic Endpoint only */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n /* process creation via seclogon */\n process.parent.Ext.real.pid > 0 and\n\n /* PrivEsc to SYSTEM */\n user.id : \"S-1-5-18\" and\n\n /* Common FPs - evasion via hollowing is possible, should be covered by code injection */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n /* Logon Utilities */\n not (process.parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and\n process.executable : (\"?:\\\\Windows\\\\System32\\\\osk.exe\",\n \"?:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"?:\\\\Windows\\\\System32\\\\Magnify.exe\")) and\n\n not process.parent.executable : \"?:\\\\Windows\\\\System32\\\\AtBroker.exe\" and\n\n not (process.code_signature.subject_name in\n (\"philandro Software GmbH\", \"Freedom Scientific Inc.\", \"TeamViewer Germany GmbH\", \"Projector.is, Inc.\",\n \"TeamViewer GmbH\", \"Cisco WebEx LLC\", \"Dell Inc\") and process.code_signature.trusted == true) and \n\n /* AM_Delta_Patch Windows Update */\n not (process.executable : 
(\"?:\\\\Windows\\\\System32\\\\MpSigStub.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\MpSigStub.exe\") and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\wuauclt.exe\", \n \"?:\\\\Windows\\\\SysWOW64\\\\wuauclt.exe\", \n \"?:\\\\Windows\\\\UUS\\\\Packages\\\\Preview\\\\*\\\\wuaucltcore.exe\", \n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\wuauclt.exe\", \n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\wuaucltcore.exe\", \n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\*\\\\wuaucltcore.exe\")) and\n not (process.executable : (\"?:\\\\Windows\\\\System32\\\\MpSigStub.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\MpSigStub.exe\") and process.parent.executable == null) and\n\n /* Other third party SW */\n not process.parent.executable :\n (\"?:\\\\Program Files (x86)\\\\HEAT Software\\\\HEAT Remote\\\\HEATRemoteServer.exe\",\n \"?:\\\\Program Files (x86)\\\\VisualCron\\\\VisualCronService.exe\",\n \"?:\\\\Program Files\\\\BinaryDefense\\\\Vision\\\\Agent\\\\bds-vision-agent-app.exe\",\n \"?:\\\\Program Files\\\\Tablet\\\\Wacom\\\\WacomHost.exe\",\n \"?:\\\\Program Files (x86)\\\\LogMeIn\\\\x64\\\\LogMeIn.exe\",\n \"?:\\\\Program Files (x86)\\\\EMC Captiva\\\\Captiva Cloud Runtime\\\\Emc.Captiva.WebCaptureRunner.exe\",\n \"?:\\\\Program Files\\\\Freedom Scientific\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome Remote Desktop\\\\*\\\\remoting_host.exe\",\n \"?:\\\\Program Files (x86)\\\\GoToAssist Remote Support Customer\\\\*\\\\g2ax_comm_customer.exe\") and\n not (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Netwrix Corporation\" and\n process.name : \"adcrcpy.exe\" and process.parent.executable : (\n \"?:\\\\Program Files (x86)\\\\Netwrix Auditor\\\\Active Directory Auditing\\\\Netwrix.ADA.EventCollector.exe\",\n \"?:\\\\Program Files (x86)\\\\Netwrix Auditor\\\\Active Directory Auditing\\\\Netwrix.ADA.Analyzer.exe\",\n \"?:\\\\Netwrix Auditor\\\\Active Directory Auditing\\\\Netwrix.ADA.EventCollector.exe\"\n )\n )\n", 
"references": ["https://gist.github.com/xpn/a057a26ec81e736518ee50848b9c2cd6", "https://blog.didierstevens.com/2017/03/20/", "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "process.parent.Ext.real.pid", "type": "unknown"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "26b01043-4f04-4d2f-882a-5a1d2e95751b", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.002", "name": "Create Process with Token", "reference": "https://attack.mitre.org/techniques/T1134/002/"}, {"id": "T1134.004", "name": "Parent PID Spoofing", "reference": "https://attack.mitre.org/techniques/T1134/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "26b01043-4f04-4d2f-882a-5a1d2e95751b", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_3.json b/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_3.json
deleted file mode 100644
index 8f623abad2d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies parent process spoofing used to create an elevated child process. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Privileges Elevation via Parent Process PID Spoofing", "query": "/* This rule is compatible with Elastic Endpoint only */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n /* process creation via seclogon */\n process.parent.Ext.real.pid > 0 and\n\n /* PrivEsc to SYSTEM */\n user.id : \"S-1-5-18\" and\n\n /* Common FPs - evasion via hollowing is possible, should be covered by code injection */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n\n not process.parent.executable : \"?:\\\\Windows\\\\System32\\\\AtBroker.exe\" and\n\n not (process.code_signature.subject_name in\n (\"philandro Software GmbH\", \"Freedom Scientific Inc.\", \"TeamViewer Germany GmbH\", \"Projector.is, Inc.\",\n \"TeamViewer GmbH\", \"Cisco WebEx LLC\", \"Dell Inc\") and process.code_signature.trusted == true)\n", "references": ["https://gist.github.com/xpn/a057a26ec81e736518ee50848b9c2cd6", "https://blog.didierstevens.com/2017/03/20/", "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"], "related_integrations": [{"package": 
"endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": false, "name": "process.parent.Ext.real.pid", "type": "unknown"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "26b01043-4f04-4d2f-882a-5a1d2e95751b", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.002", "name": "Create Process with Token", "reference": "https://attack.mitre.org/techniques/T1134/002/"}, {"id": "T1134.004", "name": "Parent PID Spoofing", "reference": "https://attack.mitre.org/techniques/T1134/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "26b01043-4f04-4d2f-882a-5a1d2e95751b_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_4.json b/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_4.json deleted file mode 100644 index e1a590bcc71..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies parent process spoofing used to create an elevated child process. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Privileges Elevation via Parent Process PID Spoofing", "query": "/* This rule is compatible with Elastic Endpoint only */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n /* process creation via seclogon */\n process.parent.Ext.real.pid > 0 and\n\n /* PrivEsc to SYSTEM */\n user.id : \"S-1-5-18\" and\n\n /* Common FPs - evasion via hollowing is possible, should be covered by code injection */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n\n not process.parent.executable : \"?:\\\\Windows\\\\System32\\\\AtBroker.exe\" and\n\n not (process.code_signature.subject_name in\n (\"philandro Software GmbH\", \"Freedom Scientific Inc.\", \"TeamViewer Germany GmbH\", \"Projector.is, Inc.\",\n \"TeamViewer GmbH\", \"Cisco WebEx LLC\", \"Dell Inc\") and process.code_signature.trusted == true)\n", "references": ["https://gist.github.com/xpn/a057a26ec81e736518ee50848b9c2cd6", "https://blog.didierstevens.com/2017/03/20/", "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"], "related_integrations": [{"package": 
"endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": false, "name": "process.parent.Ext.real.pid", "type": "unknown"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "26b01043-4f04-4d2f-882a-5a1d2e95751b", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.002", "name": "Create Process with Token", "reference": "https://attack.mitre.org/techniques/T1134/002/"}, {"id": "T1134.004", "name": "Parent PID Spoofing", "reference": "https://attack.mitre.org/techniques/T1134/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "26b01043-4f04-4d2f-882a-5a1d2e95751b_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_5.json b/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_5.json deleted file mode 100644 index de2816022ff..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies parent process spoofing used to create an elevated child process. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Privileges Elevation via Parent Process PID Spoofing", "query": "/* This rule is compatible with Elastic Endpoint only */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n /* process creation via seclogon */\n process.parent.Ext.real.pid > 0 and\n\n /* PrivEsc to SYSTEM */\n user.id : \"S-1-5-18\" and\n\n /* Common FPs - evasion via hollowing is possible, should be covered by code injection */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n /* Logon Utilities */\n not (process.parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and\n process.executable : (\"?:\\\\Windows\\\\System32\\\\osk.exe\",\n \"?:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"?:\\\\Windows\\\\System32\\\\Magnify.exe\")) and\n\n not process.parent.executable : \"?:\\\\Windows\\\\System32\\\\AtBroker.exe\" and\n\n not (process.code_signature.subject_name in\n (\"philandro Software GmbH\", \"Freedom Scientific Inc.\", \"TeamViewer Germany GmbH\", \"Projector.is, Inc.\",\n \"TeamViewer GmbH\", \"Cisco WebEx LLC\", \"Dell Inc\") and process.code_signature.trusted == true) and \n\n /* AM_Delta_Patch Windows Update */\n not (process.executable : 
(\"?:\\\\Windows\\\\System32\\\\MpSigStub.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\MpSigStub.exe\") and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\wuauclt.exe\", \n \"?:\\\\Windows\\\\SysWOW64\\\\wuauclt.exe\", \n \"?:\\\\Windows\\\\UUS\\\\Packages\\\\Preview\\\\*\\\\wuaucltcore.exe\", \n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\wuauclt.exe\", \n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\wuaucltcore.exe\", \n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\*\\\\wuaucltcore.exe\")) and\n not (process.executable : (\"?:\\\\Windows\\\\System32\\\\MpSigStub.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\MpSigStub.exe\") and process.parent.executable == null) and\n\n /* Other third party SW */\n not process.parent.executable :\n (\"?:\\\\Program Files (x86)\\\\HEAT Software\\\\HEAT Remote\\\\HEATRemoteServer.exe\",\n \"?:\\\\Program Files (x86)\\\\VisualCron\\\\VisualCronService.exe\",\n \"?:\\\\Program Files\\\\BinaryDefense\\\\Vision\\\\Agent\\\\bds-vision-agent-app.exe\",\n \"?:\\\\Program Files\\\\Tablet\\\\Wacom\\\\WacomHost.exe\",\n \"?:\\\\Program Files (x86)\\\\LogMeIn\\\\x64\\\\LogMeIn.exe\",\n \"?:\\\\Program Files (x86)\\\\EMC Captiva\\\\Captiva Cloud Runtime\\\\Emc.Captiva.WebCaptureRunner.exe\",\n \"?:\\\\Program Files\\\\Freedom Scientific\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome Remote Desktop\\\\*\\\\remoting_host.exe\",\n \"?:\\\\Program Files (x86)\\\\GoToAssist Remote Support Customer\\\\*\\\\g2ax_comm_customer.exe\")\n", "references": ["https://gist.github.com/xpn/a057a26ec81e736518ee50848b9c2cd6", "https://blog.didierstevens.com/2017/03/20/", "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": 
"host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": false, "name": "process.parent.Ext.real.pid", "type": "unknown"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "26b01043-4f04-4d2f-882a-5a1d2e95751b", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.002", "name": "Create Process with Token", "reference": "https://attack.mitre.org/techniques/T1134/002/"}, {"id": "T1134.004", "name": "Parent PID Spoofing", "reference": "https://attack.mitre.org/techniques/T1134/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "26b01043-4f04-4d2f-882a-5a1d2e95751b_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_6.json b/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_6.json deleted file mode 100644 index 038fd0caa43..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/26b01043-4f04-4d2f-882a-5a1d2e95751b_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies parent process spoofing used to create an elevated child process. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Privileges Elevation via Parent Process PID Spoofing", "query": "/* This rule is compatible with Elastic Endpoint only */\n\nprocess where host.os.type == \"windows\" and event.action == \"start\" and\n\n /* process creation via seclogon */\n process.parent.Ext.real.pid > 0 and\n\n /* PrivEsc to SYSTEM */\n user.id : \"S-1-5-18\" and\n\n /* Common FPs - evasion via hollowing is possible, should be covered by code injection */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\securityhealthsetup.exe\") and\n /* Logon Utilities */\n not (process.parent.executable : \"?:\\\\Windows\\\\System32\\\\Utilman.exe\" and\n process.executable : (\"?:\\\\Windows\\\\System32\\\\osk.exe\",\n \"?:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"?:\\\\Windows\\\\System32\\\\Magnify.exe\")) and\n\n not process.parent.executable : \"?:\\\\Windows\\\\System32\\\\AtBroker.exe\" and\n\n not (process.code_signature.subject_name in\n (\"philandro Software GmbH\", \"Freedom Scientific Inc.\", \"TeamViewer Germany GmbH\", \"Projector.is, Inc.\",\n \"TeamViewer GmbH\", \"Cisco WebEx LLC\", \"Dell Inc\") and process.code_signature.trusted == true) and \n\n /* AM_Delta_Patch Windows Update */\n not (process.executable : 
(\"?:\\\\Windows\\\\System32\\\\MpSigStub.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\MpSigStub.exe\") and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\wuauclt.exe\", \n \"?:\\\\Windows\\\\SysWOW64\\\\wuauclt.exe\", \n \"?:\\\\Windows\\\\UUS\\\\Packages\\\\Preview\\\\*\\\\wuaucltcore.exe\", \n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\wuauclt.exe\", \n \"?:\\\\Windows\\\\UUS\\\\amd64\\\\wuaucltcore.exe\", \n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\UUS\\\\*\\\\wuaucltcore.exe\")) and\n not (process.executable : (\"?:\\\\Windows\\\\System32\\\\MpSigStub.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\MpSigStub.exe\") and process.parent.executable == null) and\n\n /* Other third party SW */\n not process.parent.executable :\n (\"?:\\\\Program Files (x86)\\\\HEAT Software\\\\HEAT Remote\\\\HEATRemoteServer.exe\",\n \"?:\\\\Program Files (x86)\\\\VisualCron\\\\VisualCronService.exe\",\n \"?:\\\\Program Files\\\\BinaryDefense\\\\Vision\\\\Agent\\\\bds-vision-agent-app.exe\",\n \"?:\\\\Program Files\\\\Tablet\\\\Wacom\\\\WacomHost.exe\",\n \"?:\\\\Program Files (x86)\\\\LogMeIn\\\\x64\\\\LogMeIn.exe\",\n \"?:\\\\Program Files (x86)\\\\EMC Captiva\\\\Captiva Cloud Runtime\\\\Emc.Captiva.WebCaptureRunner.exe\",\n \"?:\\\\Program Files\\\\Freedom Scientific\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome Remote Desktop\\\\*\\\\remoting_host.exe\",\n \"?:\\\\Program Files (x86)\\\\GoToAssist Remote Support Customer\\\\*\\\\g2ax_comm_customer.exe\") and\n not (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Netwrix Corporation\" and\n process.name : \"adcrcpy.exe\" and process.parent.executable : (\n \"?:\\\\Program Files (x86)\\\\Netwrix Auditor\\\\Active Directory Auditing\\\\Netwrix.ADA.EventCollector.exe\",\n \"?:\\\\Program Files (x86)\\\\Netwrix Auditor\\\\Active Directory Auditing\\\\Netwrix.ADA.Analyzer.exe\",\n \"?:\\\\Netwrix Auditor\\\\Active Directory Auditing\\\\Netwrix.ADA.EventCollector.exe\"\n )\n )\n", 
"references": ["https://gist.github.com/xpn/a057a26ec81e736518ee50848b9c2cd6", "https://blog.didierstevens.com/2017/03/20/", "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "process.parent.Ext.real.pid", "type": "unknown"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "26b01043-4f04-4d2f-882a-5a1d2e95751b", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.002", "name": "Create Process with Token", "reference": "https://attack.mitre.org/techniques/T1134/002/"}, {"id": "T1134.004", "name": "Parent PID Spoofing", "reference": "https://attack.mitre.org/techniques/T1134/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "26b01043-4f04-4d2f-882a-5a1d2e95751b_6", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81.json b/packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81.json
deleted file mode 100644
index 2abe3cb6798..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft Identity Protection machine learning and heuristics.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Active Directory High Risk User Sign-in Heuristic", "note": "## Triage and analysis\n\n### Investigating Azure Active Directory High Risk User Sign-in Heuristic\n\nMicrosoft Identity Protection is an Azure AD security tool that detects various types of identity risks and attacks.\n\nThis rule identifies events produced by the Microsoft Identity Protection with a risk state equal to `confirmedCompromised` or `atRisk`.\n\n#### Possible investigation steps\n\n- Identify the Risk Detection that triggered the event. A list with descriptions can be found [here](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-types-and-detection).\n- Identify the user account involved and validate whether the suspicious activity is normal for that user.\n - Consider the source IP address and geolocation for the involved user account. Do they look normal?\n - Consider the device used to sign in. 
Is it registered and compliant?\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\nIf this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and device conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:azure.signinlogs and\n azure.signinlogs.properties.risk_state:(\"confirmedCompromised\" or \"atRisk\") and event.outcome:(success or Success)\n", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#investigation-framework"], "related_integrations": [{"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.signinlogs.properties.risk_state", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "26edba02-6979-4bce-920a-70b080a7be81", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", 
"Resources: Investigation Guide", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "26edba02-6979-4bce-920a-70b080a7be81", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81_104.json b/packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81_104.json
deleted file mode 100644
index 7db2b502c83..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/26edba02-6979-4bce-920a-70b080a7be81_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft Identity Protection machine learning and heuristics.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Active Directory High Risk User Sign-in Heuristic", "note": "## Triage and analysis\n\n### Investigating Azure Active Directory High Risk User Sign-in Heuristic\n\nMicrosoft Identity Protection is an Azure AD security tool that detects various types of identity risks and attacks.\n\nThis rule identifies events produced by the Microsoft Identity Protection with a risk state equal to `confirmedCompromised` or `atRisk`.\n\n#### Possible investigation steps\n\n- Identify the Risk Detection that triggered the event. A list with descriptions can be found [here](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-types-and-detection).\n- Identify the user account involved and validate whether the suspicious activity is normal for that user.\n - Consider the source IP address and geolocation for the involved user account. Do they look normal?\n - Consider the device used to sign in. 
Is it registered and compliant?\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\nIf this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and device conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:azure.signinlogs and\n azure.signinlogs.properties.risk_state:(\"confirmedCompromised\" or \"atRisk\") and event.outcome:(success or Success)\n", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#investigation-framework"], "related_integrations": [{"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.signinlogs.properties.risk_state", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "26edba02-6979-4bce-920a-70b080a7be81", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and 
Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "26edba02-6979-4bce-920a-70b080a7be81_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d.json b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d.json
deleted file mode 100644
index 03c1ae3ad1e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Willem D'Haese", "Austin Songer"], "description": "Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "Attempts to Brute Force a Microsoft 365 User Account", "note": "", "query": "from logs-o365.audit-*\n| MV_EXPAND event.category\n| WHERE event.dataset == \"o365.audit\"\n AND event.category == \"authentication\"\n\n // filter only on Entra ID or Exchange audit logs in O365 integration\n AND event.provider in (\"AzureActiveDirectory\", \"Exchange\")\n\n // filter only for UserLoginFailed or partial failures\n AND event.action in (\"UserLoginFailed\", \"PasswordLogonInitialAuthUsingPassword\")\n\n // ignore specific logon errors\n AND not o365.audit.LogonError in (\n \"EntitlementGrantsNotFound\",\n \"UserStrongAuthEnrollmentRequired\",\n \"UserStrongAuthClientAuthNRequired\",\n \"InvalidReplyTo\",\n \"SsoArtifactExpiredDueToConditionalAccess\",\n \"PasswordResetRegistrationRequiredInterrupt\",\n \"SsoUserAccountNotFoundInResourceTenant\",\n \"UserStrongAuthExpired\",\n \"CmsiInterrupt\"\n)\n // filters out non user or application logins based on target\n AND o365.audit.Target.Type in (\"0\", \"2\", \"3\", \"5\", \"6\", \"10\")\n\n // filters only for logins from user or application, ignoring oauth:token\n AND to_lower(o365.audit.ExtendedProperties.RequestType) rlike \"(.*)login(.*)\"\n\n| STATS\n // count the number of failed login attempts target per user\n login_attempt_counts = COUNT(*) by o365.audit.Target.ID, o365.audit.LogonError\n\n| WHERE login_attempt_counts > 10\n", "references": ["https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem", 
"https://learn.microsoft.com/en-us/purview/audit-log-detailed-properties"], "risk_score": 47, "rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Domain: SaaS", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 209}, "id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_101.json b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_101.json
deleted file mode 100644
index 3b524c50494..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_101.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Willem D'Haese", "Austin Songer"], "description": "Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempts to Brute Force a Microsoft 365 User Account", "note": "", "query": "event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and\n event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and\n not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or\n UserStrongAuthClientAuthNRequired or InvalidReplyTo)\n", "references": ["https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.LogonError", "type": "keyword"}], "risk_score": 73, "rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", 
"name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["user.id"], "value": 10}, "type": "threshold", "version": 101}, "id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_102.json b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_102.json
deleted file mode 100644
index 29c47f76257..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Willem D'Haese", "Austin Songer"], "description": "Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempts to Brute Force a Microsoft 365 User Account", "note": "", "query": "event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and\n event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and\n not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or\n UserStrongAuthClientAuthNRequired or InvalidReplyTo)\n", "references": ["https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.LogonError", "type": "keyword"}], "risk_score": 73, "rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": 
[{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["user.id"], "value": 10}, "type": "threshold", "version": 102}, "id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_103.json b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_103.json
deleted file mode 100644
index 7e68be4ba24..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Willem D'Haese", "Austin Songer"], "description": "Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempts to Brute Force a Microsoft 365 User Account", "note": "", "query": "event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and\n event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and\n not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or\n UserStrongAuthClientAuthNRequired or InvalidReplyTo)\n", "references": ["https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.LogonError", "type": "keyword"}], "risk_score": 73, "rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": 
[{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["user.id"], "value": 10}, "timestamp_override": "event.ingested", "type": "threshold", "version": 103}, "id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_104.json b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_104.json
deleted file mode 100644
index c986bcea2b2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Willem D'Haese", "Austin Songer"], "description": "Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempts to Brute Force a Microsoft 365 User Account", "note": "", "query": "event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and\n event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and\n not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or\n UserStrongAuthClientAuthNRequired or InvalidReplyTo)\n", "references": ["https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.LogonError", "type": "keyword"}], "risk_score": 73, "rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": 
[{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["user.id"], "value": 10}, "timestamp_override": "event.ingested", "type": "threshold", "version": 104}, "id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_106.json b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_106.json
deleted file mode 100644
index e79e8fb4886..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Willem D'Haese", "Austin Songer"], "description": "Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempts to Brute Force a Microsoft 365 User Account", "note": "", "query": "event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and\n event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and\n not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or\n UserStrongAuthClientAuthNRequired or InvalidReplyTo)\n", "references": ["https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.LogonError", "type": "keyword"}], "risk_score": 73, "rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": 
[{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["user.id"], "value": 10}, "timestamp_override": "event.ingested", "type": "threshold", "version": 106}, "id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_207.json b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_207.json deleted file mode 100644 index 1755ac28c34..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_207.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Willem D'Haese", "Austin Songer"], "description": "Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempts to Brute Force a Microsoft 365 User Account", "note": "", "query": "event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and\n event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and\n not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or\n UserStrongAuthClientAuthNRequired or InvalidReplyTo)\n", "references": ["https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.LogonError", "type": "keyword"}], "risk_score": 73, "rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": 
[{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["user.id"], "value": 10}, "timestamp_override": "event.ingested", "type": "threshold", "version": 207}, "id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d_207", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_208.json b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_208.json deleted file mode 100644 index befad1bb5cc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_208.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Willem D'Haese", "Austin Songer"], "description": "Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempts to Brute Force a Microsoft 365 User Account", "note": "", "query": "event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and\n event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and\n not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or\n UserStrongAuthClientAuthNRequired or InvalidReplyTo or SsoArtifactExpiredDueToConditionalAccess or\n PasswordResetRegistrationRequiredInterrupt or SsoUserAccountNotFoundInResourceTenant or\n UserStrongAuthExpired)\n", "references": ["https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.LogonError", "type": "keyword"}], "risk_score": 73, "rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["user.id"], "value": 10}, "timestamp_override": "event.ingested", "type": "threshold", "version": 208}, "id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_209.json b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_209.json deleted file mode 100644 index 58a42f2e696..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_209.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Willem D'Haese", "Austin Songer"], "description": "Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "Attempts to Brute Force a Microsoft 365 User Account", "note": "", "query": "from logs-o365.audit-*\n| MV_EXPAND event.category\n| WHERE event.dataset == \"o365.audit\"\n AND event.category == \"authentication\"\n\n // filter only on Entra ID or Exchange audit logs in O365 integration\n AND event.provider in (\"AzureActiveDirectory\", \"Exchange\")\n\n // filter only for UserLoginFailed or partial failures\n AND event.action in (\"UserLoginFailed\", \"PasswordLogonInitialAuthUsingPassword\")\n\n // ignore specific logon errors\n AND not o365.audit.LogonError in (\n \"EntitlementGrantsNotFound\",\n \"UserStrongAuthEnrollmentRequired\",\n \"UserStrongAuthClientAuthNRequired\",\n \"InvalidReplyTo\",\n \"SsoArtifactExpiredDueToConditionalAccess\",\n \"PasswordResetRegistrationRequiredInterrupt\",\n \"SsoUserAccountNotFoundInResourceTenant\",\n \"UserStrongAuthExpired\",\n \"CmsiInterrupt\"\n)\n // filters out non user or application logins based on target\n AND o365.audit.Target.Type in (\"0\", \"2\", \"3\", \"5\", \"6\", \"10\")\n\n // filters only for logins from user or application, ignoring oauth:token\n AND to_lower(o365.audit.ExtendedProperties.RequestType) rlike \"(.*)login(.*)\"\n\n| STATS\n // count the number of failed login attempts target per user\n login_attempt_counts = COUNT(*) by o365.audit.Target.ID, o365.audit.LogonError\n\n| WHERE login_attempt_counts > 10\n", "references": ["https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem", 
"https://learn.microsoft.com/en-us/purview/audit-log-detailed-properties"], "risk_score": 47, "rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Domain: SaaS", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 209}, "id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d_209", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_309.json b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_309.json deleted file mode 100644 index e65dd932229..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_309.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Willem D'Haese", "Austin Songer"], "description": "Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed login attempts or login sources within a 30-minute window. Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "Attempts to Brute Force a Microsoft 365 User Account", "query": "from logs-o365.audit-*\n// truncate the timestamp to a 30-minute window\n| eval target_time_window = DATE_TRUNC(30 minutes, @timestamp)\n| mv_expand event.category\n| where event.dataset == \"o365.audit\"\n and event.category == \"authentication\"\n\n // filter only on Entra ID or Exchange audit logs in O365 integration\n and event.provider in (\"AzureActiveDirectory\", \"Exchange\")\n\n // filter only for UserLoginFailed or partial failures\n and event.action in (\"UserLoginFailed\", \"PasswordLogonInitialAuthUsingPassword\")\n\n // ignore specific logon errors\n and not o365.audit.LogonError in (\n \"EntitlementGrantsNotFound\",\n \"UserStrongAuthEnrollmentRequired\",\n \"UserStrongAuthClientAuthNRequired\",\n \"InvalidReplyTo\",\n \"SsoArtifactExpiredDueToConditionalAccess\",\n \"PasswordResetRegistrationRequiredInterrupt\",\n \"SsoUserAccountNotFoundInResourceTenant\",\n \"UserStrongAuthExpired\",\n \"CmsiInterrupt\"\n)\n // filters out non user or application logins based on target\n and o365.audit.Target.Type in (\"0\", \"2\", \"3\", \"5\", \"6\", \"10\")\n\n // filters only for logins from user or application, ignoring oauth:token\n and to_lower(o365.audit.ExtendedProperties.RequestType) rlike \"(.*)login(.*)\"\n\n// count the number of login sources and failed login attempts\n| stats\n 
login_source_count = count(source.ip),\n failed_login_count = count(*) by target_time_window, o365.audit.UserId\n\n// filter for users with more than 20 login sources or failed login attempts\n| where (login_source_count >= 20 or failed_login_count >= 20)\n", "references": ["https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem", "https://learn.microsoft.com/en-us/purview/audit-log-detailed-properties"], "risk_score": 47, "rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d", "severity": "medium", "tags": ["Domain: Cloud", "Domain: SaaS", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 309}, "id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d_309", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_310.json b/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_310.json deleted file mode 100644 index 6fce25cda49..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/26f68dba-ce29-497b-8e13-b4fde1db5a2d_310.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Willem D'Haese", "Austin Songer"], "description": "Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed login attempts or login sources within a 30-minute window. Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "Attempts to Brute Force a Microsoft 365 User Account", "query": "from logs-o365.audit-*\n// truncate the timestamp to a 30-minute window\n| eval target_time_window = DATE_TRUNC(30 minutes, @timestamp)\n| mv_expand event.category\n| where event.dataset == \"o365.audit\"\n and event.category == \"authentication\"\n\n // filter only on Entra ID or Exchange audit logs in O365 integration\n and event.provider in (\"AzureActiveDirectory\", \"Exchange\")\n\n // filter only for UserLoginFailed or partial failures\n and event.action in (\"UserLoginFailed\", \"PasswordLogonInitialAuthUsingPassword\")\n\n // ignore specific logon errors\n and not o365.audit.LogonError in (\n \"EntitlementGrantsNotFound\",\n \"UserStrongAuthEnrollmentRequired\",\n \"UserStrongAuthClientAuthNRequired\",\n \"InvalidReplyTo\",\n \"SsoArtifactExpiredDueToConditionalAccess\",\n \"PasswordResetRegistrationRequiredInterrupt\",\n \"SsoUserAccountNotFoundInResourceTenant\",\n \"UserStrongAuthExpired\",\n \"CmsiInterrupt\"\n)\n\n // ignore unavailable\n and o365.audit.UserId != \"Not Available\"\n\n // filters out non user or application logins based on target\n and o365.audit.Target.Type in (\"0\", \"2\", \"3\", \"5\", \"6\", \"10\")\n\n // filters only for logins from user or application, ignoring oauth:token\n and to_lower(o365.audit.ExtendedProperties.RequestType) rlike \"(.*)login(.*)\"\n\n// 
count the number of login sources and failed login attempts\n| stats\n login_source_count = count(source.ip),\n failed_login_count = count(*) by target_time_window, o365.audit.UserId\n\n// filter for users with more than 20 login sources or failed login attempts\n| where (login_source_count >= 20 or failed_login_count >= 20)\n", "references": ["https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem", "https://learn.microsoft.com/en-us/purview/audit-log-detailed-properties"], "risk_score": 47, "rule_id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d", "severity": "medium", "tags": ["Domain: Cloud", "Domain: SaaS", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 310}, "id": "26f68dba-ce29-497b-8e13-b4fde1db5a2d_310", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293.json b/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293.json deleted file mode 100644 index 0fb8e11cb9c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to archive compression activities. Adversaries will often compress and encrypt data in preparation for exfiltration.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\\*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\*\\\\optional\\\\Expand-Archive.ps1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\*\\\\optional\\\\Compress-Archive.ps1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\Azure\\\\StorageSyncAgent\\\\AFSDiag.ps1"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Archive Compression Capabilities", "query": "event.category:process and host.os.type:windows and\n(\n powershell.file.script_block_text : (\n \"IO.Compression.ZipFile\" or\n \"IO.Compression.ZipArchive\" or\n \"ZipFile.CreateFromDirectory\" or\n \"IO.Compression.BrotliStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GZipStream\" or\n \"IO.Compression.ZLibStream\"\n ) and \n powershell.file.script_block_text : (\n \"CompressionLevel\" or\n \"CompressionMode\" or\n \"ZipArchiveMode\"\n ) or\n powershell.file.script_block_text : 
\"Compress-Archive\"\n) and\nnot powershell.file.script_block_text : (\n \"Compress-Archive -Path 'C:\\ProgramData\\Lenovo\\Udc\\diagnostics\\latest\" or\n (\"Copyright: (c) 2017, Ansible Project\" and \"Ansible.ModuleUtils.Backup\")\n) and\nnot file.directory : \"C:\\Program Files\\Microsoft Dependency Agent\\plugins\\lib\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 21, "rule_id": "27071ea3-e806-4697-8abc-e22c92aa4293", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": 
"T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "27071ea3-e806-4697-8abc-e22c92aa4293", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_1.json b/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_1.json deleted file mode 100644 index d59b0555243..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to archive compression activities. Adversaries will often compress and encrypt data in preparation for exfiltration.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Archive Compression Capabilities", "note": "", "query": "event.category:process and host.os.type:windows and\n(\n powershell.file.script_block_text : (\n \"IO.Compression.ZipFile\" or\n \"IO.Compression.ZipArchive\" or\n \"ZipFile.CreateFromDirectory\" or\n \"IO.Compression.BrotliStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GZipStream\" or\n \"IO.Compression.ZLibStream\"\n ) and \n powershell.file.script_block_text : (\n \"CompressionLevel\" or\n \"CompressionMode\" or\n \"ZipArchiveMode\"\n ) or\n powershell.file.script_block_text : \"Compress-Archive\"\n)\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 21, "rule_id": "27071ea3-e806-4697-8abc-e22c92aa4293", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: 
Collection", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "27071ea3-e806-4697-8abc-e22c92aa4293_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_105.json b/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_105.json deleted file mode 100644 index e5407f077b2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to archive compression activities. Adversaries will often compress and encrypt data in preparation for exfiltration.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\\*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\Microsoft Dependency Agent\\\\plugins\\\\*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\Azure\\\\StorageSyncAgent\\\\AFSDiag.ps1"}}}}], "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Archive Compression Capabilities", "query": "event.category:process and host.os.type:windows and\n(\n powershell.file.script_block_text : (\n \"IO.Compression.ZipFile\" or\n \"IO.Compression.ZipArchive\" or\n \"ZipFile.CreateFromDirectory\" or\n \"IO.Compression.BrotliStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GZipStream\" or\n \"IO.Compression.ZLibStream\"\n ) and \n powershell.file.script_block_text : (\n \"CompressionLevel\" or\n \"CompressionMode\" or\n \"ZipArchiveMode\"\n ) or\n powershell.file.script_block_text : \"Compress-Archive\"\n)\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": 
"keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 21, "rule_id": "27071ea3-e806-4697-8abc-e22c92aa4293", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "27071ea3-e806-4697-8abc-e22c92aa4293_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_106.json b/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_106.json deleted file mode 100644 index c65ed9e83b5..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to archive compression activities. Adversaries will often compress and encrypt data in preparation for exfiltration.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\\*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\*\\\\optional\\\\Expand-Archive.ps1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\*\\\\optional\\\\Compress-Archive.ps1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\Azure\\\\StorageSyncAgent\\\\AFSDiag.ps1"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Archive Compression Capabilities", "query": "event.category:process and host.os.type:windows and\n(\n powershell.file.script_block_text : (\n \"IO.Compression.ZipFile\" or\n \"IO.Compression.ZipArchive\" or\n \"ZipFile.CreateFromDirectory\" or\n \"IO.Compression.BrotliStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GZipStream\" or\n \"IO.Compression.ZLibStream\"\n ) and \n powershell.file.script_block_text : (\n \"CompressionLevel\" or\n \"CompressionMode\" or\n \"ZipArchiveMode\"\n ) or\n powershell.file.script_block_text : 
\"Compress-Archive\"\n) and\nnot powershell.file.script_block_text : (\n \"Compress-Archive -Path 'C:\\ProgramData\\Lenovo\\Udc\\diagnostics\\latest\" or\n (\"Copyright: (c) 2017, Ansible Project\" and \"Ansible.ModuleUtils.Backup\")\n) and\nnot file.directory : \"C:\\Program Files\\Microsoft Dependency Agent\\plugins\\lib\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 21, "rule_id": "27071ea3-e806-4697-8abc-e22c92aa4293", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": 
"T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "27071ea3-e806-4697-8abc-e22c92aa4293_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_107.json b/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_107.json deleted file mode 100644 index f882a8e72b8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to archive compression activities. Adversaries will often compress and encrypt data in preparation for exfiltration.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\\*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\*\\\\optional\\\\Expand-Archive.ps1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\*\\\\optional\\\\Compress-Archive.ps1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\Azure\\\\StorageSyncAgent\\\\AFSDiag.ps1"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Archive Compression Capabilities", "query": "event.category:process and host.os.type:windows and\n(\n powershell.file.script_block_text : (\n \"IO.Compression.ZipFile\" or\n \"IO.Compression.ZipArchive\" or\n \"ZipFile.CreateFromDirectory\" or\n \"IO.Compression.BrotliStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GZipStream\" or\n \"IO.Compression.ZLibStream\"\n ) and \n powershell.file.script_block_text : (\n \"CompressionLevel\" or\n \"CompressionMode\" or\n \"ZipArchiveMode\"\n ) or\n powershell.file.script_block_text : 
\"Compress-Archive\"\n) and\nnot powershell.file.script_block_text : (\n \"Compress-Archive -Path 'C:\\ProgramData\\Lenovo\\Udc\\diagnostics\\latest\" or\n (\"Copyright: (c) 2017, Ansible Project\" and \"Ansible.ModuleUtils.Backup\")\n) and\nnot file.directory : \"C:\\Program Files\\Microsoft Dependency Agent\\plugins\\lib\"\n", "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 21, "rule_id": "27071ea3-e806-4697-8abc-e22c92aa4293", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": 
"T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "27071ea3-e806-4697-8abc-e22c92aa4293_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_2.json b/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_2.json deleted file mode 100644 index 407ee33d569..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to archive compression activities. Adversaries will often compress and encrypt data in preparation for exfiltration.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Archive Compression Capabilities", "note": "", "query": "event.category:process and host.os.type:windows and\n(\n powershell.file.script_block_text : (\n \"IO.Compression.ZipFile\" or\n \"IO.Compression.ZipArchive\" or\n \"ZipFile.CreateFromDirectory\" or\n \"IO.Compression.BrotliStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GZipStream\" or\n \"IO.Compression.ZLibStream\"\n ) and \n powershell.file.script_block_text : (\n \"CompressionLevel\" or\n \"CompressionMode\" or\n \"ZipArchiveMode\"\n ) or\n powershell.file.script_block_text : \"Compress-Archive\"\n) and not file.path : *ProgramData*Microsoft*Windows*Defender*Advanced*Threat*Protection*DataCollection*\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 21, "rule_id": "27071ea3-e806-4697-8abc-e22c92aa4293", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v 
EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "27071ea3-e806-4697-8abc-e22c92aa4293_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_3.json b/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_3.json deleted file mode 100644 index 665e116d60f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to archive compression activities. Adversaries will often compress and encrypt data in preparation for exfiltration.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Archive Compression Capabilities", "note": "", "query": "event.category:process and host.os.type:windows and\n(\n powershell.file.script_block_text : (\n \"IO.Compression.ZipFile\" or\n \"IO.Compression.ZipArchive\" or\n \"ZipFile.CreateFromDirectory\" or\n \"IO.Compression.BrotliStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GZipStream\" or\n \"IO.Compression.ZLibStream\"\n ) and \n powershell.file.script_block_text : (\n \"CompressionLevel\" or\n \"CompressionMode\" or\n \"ZipArchiveMode\"\n ) or\n powershell.file.script_block_text : \"Compress-Archive\"\n) and \n not file.path : (\n ?\\:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows?Defender?Advanced?Threat?Protection\\\\\\\\Downloads\\\\\\\\* or\n ?\\:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows?Defender?Advanced?Threat?Protection\\\\\\\\DataCollection\\\\\\\\* or\n ?\\:\\\\\\\\Program?Files\\\\\\\\Microsoft?Dependency?Agent\\\\\\\\plugins\\\\\\\\* or\n ?\\:\\\\\\\\Program?Files\\\\\\\\Azure\\\\\\\\StorageSyncAgent\\\\\\\\AFSDiag.ps1\n )\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 21, "rule_id": "27071ea3-e806-4697-8abc-e22c92aa4293", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to 
implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "27071ea3-e806-4697-8abc-e22c92aa4293_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_4.json b/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_4.json deleted file mode 100644 index 480da2cd1e7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to archive compression activities. Adversaries will often compress and encrypt data in preparation for exfiltration.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Archive Compression Capabilities", "query": "event.category:process and host.os.type:windows and\n(\n powershell.file.script_block_text : (\n \"IO.Compression.ZipFile\" or\n \"IO.Compression.ZipArchive\" or\n \"ZipFile.CreateFromDirectory\" or\n \"IO.Compression.BrotliStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GZipStream\" or\n \"IO.Compression.ZLibStream\"\n ) and \n powershell.file.script_block_text : (\n \"CompressionLevel\" or\n \"CompressionMode\" or\n \"ZipArchiveMode\"\n ) or\n powershell.file.script_block_text : \"Compress-Archive\"\n) and \n not file.path : (\n ?\\:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows?Defender?Advanced?Threat?Protection\\\\\\\\Downloads\\\\\\\\* or\n ?\\:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows?Defender?Advanced?Threat?Protection\\\\\\\\DataCollection\\\\\\\\* or\n ?\\:\\\\\\\\Program?Files\\\\\\\\Microsoft?Dependency?Agent\\\\\\\\plugins\\\\\\\\* or\n ?\\:\\\\\\\\Program?Files\\\\\\\\Azure\\\\\\\\StorageSyncAgent\\\\\\\\AFSDiag.ps1\n )\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 21, "rule_id": "27071ea3-e806-4697-8abc-e22c92aa4293", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the 
logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "27071ea3-e806-4697-8abc-e22c92aa4293_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_5.json b/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_5.json deleted file mode 100644 index cccfa2cd2b4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/27071ea3-e806-4697-8abc-e22c92aa4293_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to archive compression activities. Adversaries will often compress and encrypt data in preparation for exfiltration.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Archive Compression Capabilities", "query": "event.category:process and host.os.type:windows and\n(\n powershell.file.script_block_text : (\n \"IO.Compression.ZipFile\" or\n \"IO.Compression.ZipArchive\" or\n \"ZipFile.CreateFromDirectory\" or\n \"IO.Compression.BrotliStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GZipStream\" or\n \"IO.Compression.ZLibStream\"\n ) and \n powershell.file.script_block_text : (\n \"CompressionLevel\" or\n \"CompressionMode\" or\n \"ZipArchiveMode\"\n ) or\n powershell.file.script_block_text : \"Compress-Archive\"\n) and \n not file.path : (\n ?\\:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows?Defender?Advanced?Threat?Protection\\\\\\\\Downloads\\\\\\\\* or\n ?\\:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows?Defender?Advanced?Threat?Protection\\\\\\\\DataCollection\\\\\\\\* or\n ?\\:\\\\\\\\Program?Files\\\\\\\\Microsoft?Dependency?Agent\\\\\\\\plugins\\\\\\\\* or\n ?\\:\\\\\\\\Program?Files\\\\\\\\Azure\\\\\\\\StorageSyncAgent\\\\\\\\AFSDiag.ps1\n )\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 21, "rule_id": "27071ea3-e806-4697-8abc-e22c92aa4293", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps 
to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "27071ea3-e806-4697-8abc-e22c92aa4293_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753.json b/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753.json deleted file mode 100644 index 01dc0530fe7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the deletion of the kernel ring buffer events through dmesg. Attackers may clear kernel ring buffer events to evade detection after installing a Linux kernel module (LKM).", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Clear Kernel Ring Buffer", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"dmesg\" and process.args == \"-c\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "2724808c-ba5d-48b2-86d2-0002103df753", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.002", "name": "Clear Linux or Mac System Logs", "reference": "https://attack.mitre.org/techniques/T1070/002/"}]}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "2724808c-ba5d-48b2-86d2-0002103df753", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_1.json b/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_1.json deleted file mode 100644 index f9cbfe5e42c..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_1.json
+++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the deletion of the kernel ring buffer events through dmesg. Attackers may clear kernel ring buffer events to evade detection after installing a Linux kernel module (LKM).", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Clear Kernel Ring Buffer", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and\nprocess.name == \"dmesg\" and process.args : \"-c\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "2724808c-ba5d-48b2-86d2-0002103df753", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}, {"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.002", "name": "Clear Linux or Mac System Logs", "reference": "https://attack.mitre.org/techniques/T1070/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "2724808c-ba5d-48b2-86d2-0002103df753_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_2.json b/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_2.json deleted file mode 100644 index 0f910145f9a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the deletion of the kernel ring buffer events through dmesg. Attackers may clear kernel ring buffer events to evade detection after installing a Linux kernel module (LKM).", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Clear Kernel Ring Buffer", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\") and\nevent.type == \"start\" and process.name == \"dmesg\" and process.args : \"-c\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "2724808c-ba5d-48b2-86d2-0002103df753", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}, {"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.002", "name": "Clear Linux or Mac System Logs", "reference": "https://attack.mitre.org/techniques/T1070/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "2724808c-ba5d-48b2-86d2-0002103df753_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_3.json b/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_3.json deleted file mode 100644 index 8887ec17926..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the deletion of the kernel ring buffer events through dmesg. Attackers may clear kernel ring buffer events to evade detection after installing a Linux kernel module (LKM).", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Clear Kernel Ring Buffer", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nevent.type == \"start\" and process.name == \"dmesg\" and process.args == \"-c\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "2724808c-ba5d-48b2-86d2-0002103df753", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}, {"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.002", "name": "Clear Linux or Mac System Logs", "reference": "https://attack.mitre.org/techniques/T1070/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "2724808c-ba5d-48b2-86d2-0002103df753_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_4.json b/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_4.json deleted file mode 100644 index a5e7e84949c..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/2724808c-ba5d-48b2-86d2-0002103df753_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the deletion of the kernel ring buffer events through dmesg. Attackers may clear kernel ring buffer events to evade detection after installing a Linux kernel module (LKM).", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Clear Kernel Ring Buffer", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"dmesg\" and process.args == \"-c\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "2724808c-ba5d-48b2-86d2-0002103df753", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}, {"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.002", "name": "Clear Linux or Mac System Logs", "reference": "https://attack.mitre.org/techniques/T1070/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "2724808c-ba5d-48b2-86d2-0002103df753_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796.json b/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796.json deleted file mode 100644 index 315767c83d0..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport rules) are used to identify and take action on messages that flow through your organization. An adversary or insider threat may modify a transport rule to exfiltrate data or evade defenses.", "false_positives": ["A transport rule may be modified by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Transport Rule Modification", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-TransportRule\" or \"Disable-TransportRule\") and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps", "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "272a6484-2663-46db-a532-ef734bf9a796", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", 
"Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "272a6484-2663-46db-a532-ef734bf9a796", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_101.json b/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_101.json deleted file mode 100644 index b73640d2212..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport rules) are used to identify and take action on messages that flow through your organization. An adversary or insider threat may modify a transport rule to exfiltrate data or evade defenses.", "false_positives": ["A transport rule may be modified by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Transport Rule Modification", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-TransportRule\" or \"Disable-TransportRule\") and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps", "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "272a6484-2663-46db-a532-ef734bf9a796", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", 
"Configuration Audit"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "272a6484-2663-46db-a532-ef734bf9a796_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_102.json b/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_102.json deleted file mode 100644 index 289bfa56c9d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport rules) are used to identify and take action on messages that flow through your organization. An adversary or insider threat may modify a transport rule to exfiltrate data or evade defenses.", "false_positives": ["A transport rule may be modified by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Transport Rule Modification", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-TransportRule\" or \"Disable-TransportRule\") and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps", "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "272a6484-2663-46db-a532-ef734bf9a796", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", 
"Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "272a6484-2663-46db-a532-ef734bf9a796_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_103.json b/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_103.json deleted file mode 100644 index 9bb6db44738..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport rules) are used to identify and take action on messages that flow through your organization. An adversary or insider threat may modify a transport rule to exfiltrate data or evade defenses.", "false_positives": ["A transport rule may be modified by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Transport Rule Modification", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-TransportRule\" or \"Disable-TransportRule\") and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps", "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "272a6484-2663-46db-a532-ef734bf9a796", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", 
"Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "272a6484-2663-46db-a532-ef734bf9a796_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_105.json b/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_105.json deleted file mode 100644 index 2c4d9897a27..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/272a6484-2663-46db-a532-ef734bf9a796_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a transport rule has been disabled or deleted in Microsoft 365. Mail flow rules (also known as transport rules) are used to identify and take action on messages that flow through your organization. An adversary or insider threat may modify a transport rule to exfiltrate data or evade defenses.", "false_positives": ["A transport rule may be modified by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Transport Rule Modification", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-TransportRule\" or \"Disable-TransportRule\") and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps", "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "272a6484-2663-46db-a532-ef734bf9a796", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", 
"Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "272a6484-2663-46db-a532-ef734bf9a796_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254.json b/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254.json deleted file mode 100644 index 64e3eb9ea56..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.", "false_positives": ["PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming Execution via PowerShell Remoting", "query": "sequence by host.id with maxspan = 30s\n [network where host.os.type == \"windows\" and network.direction : (\"incoming\", \"ingress\") and destination.port in (5985, 5986) and\n network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"wsmprovhost.exe\" and not process.executable : \"?:\\\\Windows\\\\System32\\\\conhost.exe\"]\n", "references": ["https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, 
{"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "2772264c-6fb9-4d9d-9014-b416eed21254", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "type": "eql", "version": 109}, "id": "2772264c-6fb9-4d9d-9014-b416eed21254", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_103.json b/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_103.json deleted file mode 100644 index ee2a6a16536..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.", "false_positives": ["PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming Execution via PowerShell Remoting", "query": "sequence by host.id with maxspan = 30s\n [network where host.os.type == \"windows\" and network.direction : (\"incoming\", \"ingress\") and destination.port in (5985, 5986) and\n network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"wsmprovhost.exe\" and not process.name : \"conhost.exe\"]\n", "references": ["https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": 
"2772264c-6fb9-4d9d-9014-b416eed21254", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}], "type": "eql", "version": 103}, "id": "2772264c-6fb9-4d9d-9014-b416eed21254_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_104.json b/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_104.json deleted file mode 100644 index 2392582821a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.", "false_positives": ["PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming Execution via PowerShell Remoting", "query": "sequence by host.id with maxspan = 30s\n [network where host.os.type == \"windows\" and network.direction : (\"incoming\", \"ingress\") and destination.port in (5985, 5986) and\n network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"wsmprovhost.exe\" and not process.name : \"conhost.exe\"]\n", "references": ["https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": 
"2772264c-6fb9-4d9d-9014-b416eed21254", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}], "type": "eql", "version": 104}, "id": "2772264c-6fb9-4d9d-9014-b416eed21254_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_105.json b/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_105.json deleted file mode 100644 index 422b30bd138..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.", "false_positives": ["PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming Execution via PowerShell Remoting", "query": "sequence by host.id with maxspan = 30s\n [network where host.os.type == \"windows\" and network.direction : (\"incoming\", \"ingress\") and destination.port in (5985, 5986) and\n network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"wsmprovhost.exe\" and not process.executable : \"?:\\\\Windows\\\\System32\\\\conhost.exe\"]\n", "references": ["https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], 
"risk_score": 47, "rule_id": "2772264c-6fb9-4d9d-9014-b416eed21254", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}], "type": "eql", "version": 105}, "id": "2772264c-6fb9-4d9d-9014-b416eed21254_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_106.json b/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_106.json deleted file mode 100644 index 8269004fa34..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.", "false_positives": ["PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming Execution via PowerShell Remoting", "query": "sequence by host.id with maxspan = 30s\n [network where host.os.type == \"windows\" and network.direction : (\"incoming\", \"ingress\") and destination.port in (5985, 5986) and\n network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"wsmprovhost.exe\" and not process.executable : \"?:\\\\Windows\\\\System32\\\\conhost.exe\"]\n", "references": ["https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], 
"risk_score": 47, "rule_id": "2772264c-6fb9-4d9d-9014-b416eed21254", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}], "type": "eql", "version": 106}, "id": "2772264c-6fb9-4d9d-9014-b416eed21254_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_107.json b/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_107.json deleted file mode 100644 index 242b844394e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.", "false_positives": ["PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming Execution via PowerShell Remoting", "query": "sequence by host.id with maxspan = 30s\n [network where host.os.type == \"windows\" and network.direction : (\"incoming\", \"ingress\") and destination.port in (5985, 5986) and\n network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"wsmprovhost.exe\" and not process.executable : \"?:\\\\Windows\\\\System32\\\\conhost.exe\"]\n", "references": ["https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], 
"risk_score": 47, "rule_id": "2772264c-6fb9-4d9d-9014-b416eed21254", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "type": "eql", "version": 107}, "id": "2772264c-6fb9-4d9d-9014-b416eed21254_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_108.json b/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_108.json deleted file mode 100644 index c8dcea5b140..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.", "false_positives": ["PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming Execution via PowerShell Remoting", "query": "sequence by host.id with maxspan = 30s\n [network where host.os.type == \"windows\" and network.direction : (\"incoming\", \"ingress\") and destination.port in (5985, 5986) and\n network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"wsmprovhost.exe\" and not process.executable : \"?:\\\\Windows\\\\System32\\\\conhost.exe\"]\n", "references": ["https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": 
"ip"}], "risk_score": 47, "rule_id": "2772264c-6fb9-4d9d-9014-b416eed21254", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "type": "eql", "version": 108}, "id": "2772264c-6fb9-4d9d-9014-b416eed21254_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_109.json b/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_109.json deleted file mode 100644 index 729ead1ffa5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2772264c-6fb9-4d9d-9014-b416eed21254_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote execution via Windows PowerShell remoting. Windows PowerShell remoting allows a user to run any Windows PowerShell command on one or more remote computers. This could be an indication of lateral movement.", "false_positives": ["PowerShell remoting is a dual-use protocol that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming Execution via PowerShell Remoting", "query": "sequence by host.id with maxspan = 30s\n [network where host.os.type == \"windows\" and network.direction : (\"incoming\", \"ingress\") and destination.port in (5985, 5986) and\n network.protocol == \"http\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"wsmprovhost.exe\" and not process.executable : \"?:\\\\Windows\\\\System32\\\\conhost.exe\"]\n", "references": ["https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, 
{"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "2772264c-6fb9-4d9d-9014-b416eed21254", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "type": "eql", "version": 109}, "id": "2772264c-6fb9-4d9d-9014-b416eed21254_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b.json b/packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b.json deleted file mode 100644 index a605e8b10fb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a firewall rule is modified in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. These firewall rules can be modified to allow or deny connections to or from virtual machine (VM) instances or specific applications. An adversary may modify an existing firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit.", "false_positives": ["Firewall rules may be modified by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Firewall Rule Modification", "note": "", "query": "event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule)\n", "references": ["https://cloud.google.com/vpc/docs/firewalls", "https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "2783d84f-5091-4d7d-9319-9fceda8fa71b", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], 
"timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "2783d84f-5091-4d7d-9319-9fceda8fa71b", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b_103.json b/packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b_103.json deleted file mode 100644 index 1ffadce35f2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2783d84f-5091-4d7d-9319-9fceda8fa71b_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a firewall rule is modified in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. These firewall rules can be modified to allow or deny connections to or from virtual machine (VM) instances or specific applications. An adversary may modify an existing firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit.", "false_positives": ["Firewall rules may be modified by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Firewall Rule Modification", "note": "", "query": "event.dataset:gcp.audit and event.action:(*.compute.firewalls.patch or google.appengine.*.Firewall.Update*Rule)\n", "references": ["https://cloud.google.com/vpc/docs/firewalls", "https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "2783d84f-5091-4d7d-9319-9fceda8fa71b", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Configuration Audit"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": 
"event.ingested", "type": "query", "version": 103}, "id": "2783d84f-5091-4d7d-9319-9fceda8fa71b_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51.json b/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51.json deleted file mode 100644 index 9c06faf1de6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when external access is enabled in Microsoft Teams. External access lets Teams and Skype for Business users communicate with other users that are outside their organization. An adversary may enable external access or add an allowed domain to exfiltrate data or maintain persistence in an environment.", "false_positives": ["Teams external access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Teams External Access Enabled", "note": "", "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTenantFederationConfiguration\" and\no365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/microsoftteams/manage-external-access"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Parameters.AllowFederatedUsers", "type": "unknown"}], "risk_score": 47, "rule_id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_101.json b/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_101.json deleted file mode 100644 index 6429f9812ac..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_101.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when external access is enabled in Microsoft Teams. External access lets Teams and Skype for Business users communicate with other users that are outside their organization. An adversary may enable external access or add an allowed domain to exfiltrate data or maintain persistence in an environment.", "false_positives": ["Teams external access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Teams External Access Enabled", "note": "", "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTenantFederationConfiguration\" and\no365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/microsoftteams/manage-external-access"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Parameters.AllowFederatedUsers", "type": "unknown"}], "risk_score": 47, "rule_id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_102.json b/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_102.json
deleted file mode 100644
index e17aa3fedaa..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when external access is enabled in Microsoft Teams. External access lets Teams and Skype for Business users communicate with other users that are outside their organization. An adversary may enable external access or add an allowed domain to exfiltrate data or maintain persistence in an environment.", "false_positives": ["Teams external access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Teams External Access Enabled", "note": "", "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTenantFederationConfiguration\" and\no365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/microsoftteams/manage-external-access"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Parameters.AllowFederatedUsers", "type": "unknown"}], "risk_score": 47, "rule_id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_103.json b/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_103.json
deleted file mode 100644
index 9f0708bf3d4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when external access is enabled in Microsoft Teams. External access lets Teams and Skype for Business users communicate with other users that are outside their organization. An adversary may enable external access or add an allowed domain to exfiltrate data or maintain persistence in an environment.", "false_positives": ["Teams external access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Teams External Access Enabled", "note": "", "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTenantFederationConfiguration\" and\no365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/microsoftteams/manage-external-access"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Parameters.AllowFederatedUsers", "type": "unknown"}], "risk_score": 47, "rule_id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_105.json b/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_105.json
deleted file mode 100644
index 3b577a9ab2e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when external access is enabled in Microsoft Teams. External access lets Teams and Skype for Business users communicate with other users that are outside their organization. An adversary may enable external access or add an allowed domain to exfiltrate data or maintain persistence in an environment.", "false_positives": ["Teams external access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Teams External Access Enabled", "note": "", "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTenantFederationConfiguration\" and\no365.audit.Parameters.AllowFederatedUsers:True and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/microsoftteams/manage-external-access"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Parameters.AllowFederatedUsers", "type": "unknown"}], "risk_score": 47, "rule_id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450.json b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450.json
deleted file mode 100644
index 25fd6099db0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.", "false_positives": ["Legitimate remote account administration."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "eql", "license": "Elastic License v2", "name": "Account Password Reset Remotely", "note": "## Performance\nThis rule may cause medium to high performance impact due to logic scoping all remote Windows logon activity.\n", "query": "sequence by winlog.computer_name with maxspan=1m\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not winlog.event_data.TargetUserName : (\"svc*\", \"PIM_*\", \"_*_\", \"*-*-*\", \"*$\")] by winlog.event_data.TargetLogonId\n /* event 4724 need to be logged */\n [iam where event.action == \"reset-password\" and\n (\n /*\n This rule is very noisy if not scoped to privileged accounts, duplicate the\n rule and add your own naming convention and accounts of interest here.\n */\n winlog.event_data.TargetUserName: (\"*Admin*\", \"*super*\", \"*SVC*\", \"*DC0*\", \"*service*\", \"*DMZ*\", \"*ADM*\") or\n winlog.event_data.TargetSid : (\"S-1-5-21-*-500\", \"S-1-12-1-*-500\")\n )\n ] by winlog.event_data.SubjectLogonId\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724", "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx", 
"https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetSid", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.TargetUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Impact", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "type": "eql", "version": 116}, "id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_104.json b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_104.json
deleted file mode 100644
index 88fadc24601..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.", "false_positives": ["Legitimate remote account administration."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Account Password Reset Remotely", "query": "sequence by winlog.computer_name with maxspan=5m\n [authentication where host.os.type == \"windows\" and event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"] by winlog.event_data.TargetLogonId\n /* event 4724 need to be logged */\n [iam where host.os.type == \"windows\" and event.action == \"reset-password\" and\n (\n /*\n This rule is very noisy if not scoped to privileged accounts, duplicate the\n rule and add your own naming convention and accounts of interest here.\n */\n winlog.event_data.TargetUserName: (\"*Admin*\", \"*super*\", \"*SVC*\", \"*DC0*\", \"*service*\", \"*DMZ*\", \"*ADM*\") or\n winlog.event_data.TargetSid : (\"S-1-5-21-*-500\", \"S-1-12-1-*-500\")\n )\n ] by winlog.event_data.SubjectLogonId\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724", "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", 
"type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetSid", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.TargetUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "type": "eql", "version": 104}, "id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_105.json b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_105.json
deleted file mode 100644
index 708717ea705..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.", "false_positives": ["Legitimate remote account administration."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Account Password Reset Remotely", "query": "sequence by winlog.computer_name with maxspan=5m\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"] by winlog.event_data.TargetLogonId\n /* event 4724 need to be logged */\n [iam where event.action == \"reset-password\" and\n (\n /*\n This rule is very noisy if not scoped to privileged accounts, duplicate the\n rule and add your own naming convention and accounts of interest here.\n */\n winlog.event_data.TargetUserName: (\"*Admin*\", \"*super*\", \"*SVC*\", \"*DC0*\", \"*service*\", \"*DMZ*\", \"*ADM*\") or\n winlog.event_data.TargetSid : (\"S-1-5-21-*-500\", \"S-1-12-1-*-500\")\n )\n ] by winlog.event_data.SubjectLogonId\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724", "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", 
"type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetSid", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.TargetUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "type": "eql", "version": 105}, "id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_106.json b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_106.json
deleted file mode 100644
index 0e2d0ff280a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.", "false_positives": ["Legitimate remote account administration."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Account Password Reset Remotely", "query": "sequence by winlog.computer_name with maxspan=5m\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"] by winlog.event_data.TargetLogonId\n /* event 4724 need to be logged */\n [iam where event.action == \"reset-password\" and\n (\n /*\n This rule is very noisy if not scoped to privileged accounts, duplicate the\n rule and add your own naming convention and accounts of interest here.\n */\n winlog.event_data.TargetUserName: (\"*Admin*\", \"*super*\", \"*SVC*\", \"*DC0*\", \"*service*\", \"*DMZ*\", \"*ADM*\") or\n winlog.event_data.TargetSid : (\"S-1-5-21-*-500\", \"S-1-12-1-*-500\")\n )\n ] by winlog.event_data.SubjectLogonId\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724", "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", 
"type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetSid", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.TargetUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "type": "eql", "version": 106}, "id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_107.json b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_107.json
deleted file mode 100644
index 0062227f104..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.", "false_positives": ["Legitimate remote account administration."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Account Password Reset Remotely", "query": "sequence by winlog.computer_name with maxspan=5m\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"] by winlog.event_data.TargetLogonId\n /* event 4724 need to be logged */\n [iam where event.action == \"reset-password\" and\n (\n /*\n This rule is very noisy if not scoped to privileged accounts, duplicate the\n rule and add your own naming convention and accounts of interest here.\n */\n winlog.event_data.TargetUserName: (\"*Admin*\", \"*super*\", \"*SVC*\", \"*DC0*\", \"*service*\", \"*DMZ*\", \"*ADM*\") or\n winlog.event_data.TargetSid : (\"S-1-5-21-*-500\", \"S-1-12-1-*-500\")\n )\n ] by winlog.event_data.SubjectLogonId\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724", "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", 
"type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetSid", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.TargetUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "type": "eql", "version": 107}, "id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_108.json b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_108.json
deleted file mode 100644
index cb398742eeb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.", "false_positives": ["Legitimate remote account administration."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "eql", "license": "Elastic License v2", "name": "Account Password Reset Remotely", "note": "This rule may cause medium to high performance impact due to logic scoping all remote Windows logon activity.", "query": "sequence by winlog.computer_name with maxspan=1m\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and \n not winlog.event_data.TargetUserName : (\"svc*\", \"PIM_*\", \"_*_\", \"*-*-*\", \"*$\")] by winlog.event_data.TargetLogonId\n /* event 4724 need to be logged */\n [iam where event.action == \"reset-password\" and\n (\n /*\n This rule is very noisy if not scoped to privileged accounts, duplicate the\n rule and add your own naming convention and accounts of interest here.\n */\n winlog.event_data.TargetUserName: (\"*Admin*\", \"*super*\", \"*SVC*\", \"*DC0*\", \"*service*\", \"*DMZ*\", \"*ADM*\") or\n winlog.event_data.TargetSid : (\"S-1-5-21-*-500\", \"S-1-12-1-*-500\")\n )\n ] by winlog.event_data.SubjectLogonId\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724", "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx", "https://www.elastic.co/security-labs/detect-credential-access"], 
"related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetSid", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.TargetUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "type": "eql", "version": 108}, "id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_109.json b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_109.json
deleted file mode 100644
index 295f92e1fde..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.", "false_positives": ["Legitimate remote account administration."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "eql", "license": "Elastic License v2", "name": "Account Password Reset Remotely", "note": "This rule may cause medium to high performance impact due to logic scoping all remote Windows logon activity.", "query": "sequence by winlog.computer_name with maxspan=1m\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not winlog.event_data.TargetUserName : (\"svc*\", \"PIM_*\", \"_*_\", \"*-*-*\", \"*$\")] by winlog.event_data.TargetLogonId\n /* event 4724 need to be logged */\n [iam where event.action == \"reset-password\" and\n (\n /*\n This rule is very noisy if not scoped to privileged accounts, duplicate the\n rule and add your own naming convention and accounts of interest here.\n */\n winlog.event_data.TargetUserName: (\"*Admin*\", \"*super*\", \"*SVC*\", \"*DC0*\", \"*service*\", \"*DMZ*\", \"*ADM*\") or\n winlog.event_data.TargetSid : (\"S-1-5-21-*-500\", \"S-1-12-1-*-500\")\n )\n ] by winlog.event_data.SubjectLogonId\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724", "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx", "https://www.elastic.co/security-labs/detect-credential-access"], 
"related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetSid", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.TargetUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "type": "eql", "version": 109}, "id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_111.json b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_111.json deleted file mode 100644 index 45525add305..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.", "false_positives": ["Legitimate remote account administration."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "eql", "license": "Elastic License v2", "name": "Account Password Reset Remotely", "note": "This rule may cause medium to high performance impact due to logic scoping all remote Windows logon activity.", "query": "sequence by winlog.computer_name with maxspan=1m\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not winlog.event_data.TargetUserName : (\"svc*\", \"PIM_*\", \"_*_\", \"*-*-*\", \"*$\")] by winlog.event_data.TargetLogonId\n /* event 4724 need to be logged */\n [iam where event.action == \"reset-password\" and\n (\n /*\n This rule is very noisy if not scoped to privileged accounts, duplicate the\n rule and add your own naming convention and accounts of interest here.\n */\n winlog.event_data.TargetUserName: (\"*Admin*\", \"*super*\", \"*SVC*\", \"*DC0*\", \"*service*\", \"*DMZ*\", \"*ADM*\") or\n winlog.event_data.TargetSid : (\"S-1-5-21-*-500\", \"S-1-12-1-*-500\")\n )\n ] by winlog.event_data.SubjectLogonId\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724", "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx", "https://www.elastic.co/security-labs/detect-credential-access"], 
"related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetSid", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.TargetUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "type": "eql", "version": 111}, "id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_113.json b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_113.json deleted file mode 100644 index abe7281fb80..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_113.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.", "false_positives": ["Legitimate remote account administration."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "eql", "license": "Elastic License v2", "name": "Account Password Reset Remotely", "note": "This rule may cause medium to high performance impact due to logic scoping all remote Windows logon activity.", "query": "sequence by winlog.computer_name with maxspan=1m\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not winlog.event_data.TargetUserName : (\"svc*\", \"PIM_*\", \"_*_\", \"*-*-*\", \"*$\")] by winlog.event_data.TargetLogonId\n /* event 4724 need to be logged */\n [iam where event.action == \"reset-password\" and\n (\n /*\n This rule is very noisy if not scoped to privileged accounts, duplicate the\n rule and add your own naming convention and accounts of interest here.\n */\n winlog.event_data.TargetUserName: (\"*Admin*\", \"*super*\", \"*SVC*\", \"*DC0*\", \"*service*\", \"*DMZ*\", \"*ADM*\") or\n winlog.event_data.TargetSid : (\"S-1-5-21-*-500\", \"S-1-12-1-*-500\")\n )\n ] by winlog.event_data.SubjectLogonId\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724", "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx", "https://www.elastic.co/security-labs/detect-credential-access"], 
"related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetSid", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.TargetUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "type": "eql", "version": 113}, "id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450_113", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_114.json b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_114.json deleted file mode 100644 index 325fd18f802..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_114.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.", "false_positives": ["Legitimate remote account administration."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "eql", "license": "Elastic License v2", "name": "Account Password Reset Remotely", "note": "\n## Performance\nThis rule may cause medium to high performance impact due to logic scoping all remote Windows logon activity.\n", "query": "sequence by winlog.computer_name with maxspan=1m\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not winlog.event_data.TargetUserName : (\"svc*\", \"PIM_*\", \"_*_\", \"*-*-*\", \"*$\")] by winlog.event_data.TargetLogonId\n /* event 4724 need to be logged */\n [iam where event.action == \"reset-password\" and\n (\n /*\n This rule is very noisy if not scoped to privileged accounts, duplicate the\n rule and add your own naming convention and accounts of interest here.\n */\n winlog.event_data.TargetUserName: (\"*Admin*\", \"*super*\", \"*SVC*\", \"*DC0*\", \"*service*\", \"*DMZ*\", \"*ADM*\") or\n winlog.event_data.TargetSid : (\"S-1-5-21-*-500\", \"S-1-12-1-*-500\")\n )\n ] by winlog.event_data.SubjectLogonId\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724", "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx", 
"https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetSid", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.TargetUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "type": "eql", "version": 114}, "id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450_114", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_115.json b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_115.json deleted file mode 100644 index 177702a7162..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_115.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.", "false_positives": ["Legitimate remote account administration."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "eql", "license": "Elastic License v2", "name": "Account Password Reset Remotely", "note": "## Performance\nThis rule may cause medium to high performance impact due to logic scoping all remote Windows logon activity.\n", "query": "sequence by winlog.computer_name with maxspan=1m\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not winlog.event_data.TargetUserName : (\"svc*\", \"PIM_*\", \"_*_\", \"*-*-*\", \"*$\")] by winlog.event_data.TargetLogonId\n /* event 4724 need to be logged */\n [iam where event.action == \"reset-password\" and\n (\n /*\n This rule is very noisy if not scoped to privileged accounts, duplicate the\n rule and add your own naming convention and accounts of interest here.\n */\n winlog.event_data.TargetUserName: (\"*Admin*\", \"*super*\", \"*SVC*\", \"*DC0*\", \"*service*\", \"*DMZ*\", \"*ADM*\") or\n winlog.event_data.TargetSid : (\"S-1-5-21-*-500\", \"S-1-12-1-*-500\")\n )\n ] by winlog.event_data.SubjectLogonId\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724", "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx", 
"https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetSid", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.TargetUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "type": "eql", "version": 115}, "id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450_115", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_116.json b/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_116.json deleted file mode 100644 index 051a8b3031a..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/2820c9c2-bcd7-4d6e-9eba-faf3891ba450_116.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials.", "false_positives": ["Legitimate remote account administration."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "eql", "license": "Elastic License v2", "name": "Account Password Reset Remotely", "note": "## Performance\nThis rule may cause medium to high performance impact due to logic scoping all remote Windows logon activity.\n", "query": "sequence by winlog.computer_name with maxspan=1m\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and event.outcome == \"success\" and source.ip != null and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not winlog.event_data.TargetUserName : (\"svc*\", \"PIM_*\", \"_*_\", \"*-*-*\", \"*$\")] by winlog.event_data.TargetLogonId\n /* event 4724 need to be logged */\n [iam where event.action == \"reset-password\" and\n (\n /*\n This rule is very noisy if not scoped to privileged accounts, duplicate the\n rule and add your own naming convention and accounts of interest here.\n */\n winlog.event_data.TargetUserName: (\"*Admin*\", \"*super*\", \"*SVC*\", \"*DC0*\", \"*service*\", \"*DMZ*\", \"*ADM*\") or\n winlog.event_data.TargetSid : (\"S-1-5-21-*-500\", \"S-1-12-1-*-500\")\n )\n ] by winlog.event_data.SubjectLogonId\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724", "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx", 
"https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetSid", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.TargetUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Impact", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "type": "eql", "version": 116}, "id": "2820c9c2-bcd7-4d6e-9eba-faf3891ba450_116", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/28371aa1-14ed-46cf-ab5b-2fc7d1942278.json b/packages/security_detection_engine/kibana/security_rule/28371aa1-14ed-46cf-ab5b-2fc7d1942278.json deleted file mode 100644 index 58c4dbb3990..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/28371aa1-14ed-46cf-ab5b-2fc7d1942278.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule uses alert data to determine when a malware signature is triggered in multiple hosts. Analysts can use this to prioritize triage and response, as this can potentially indicate a widespread malware infection.", "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "Potential Widespread Malware Infection Across Multiple Hosts", "query": "from logs-endpoint.alerts-*\n| where event.code in (\"malicious_file\", \"memory_signature\", \"shellcode_thread\") and rule.name is not null\n| stats hosts = count_distinct(host.id) by rule.name, event.code\n| where hosts >= 3\n", "references": ["https://github.com/elastic/protections-artifacts/tree/main/yara/rules"], "risk_score": 73, "rule_id": "28371aa1-14ed-46cf-ab5b-2fc7d1942278", "severity": "high", "tags": ["Domain: Endpoint", "Data Source: Elastic Defend", "Use Case: Threat Detection", "Tactic: Execution", "Rule Type: Higher-Order Rule"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "28371aa1-14ed-46cf-ab5b-2fc7d1942278", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/28371aa1-14ed-46cf-ab5b-2fc7d1942278_1.json b/packages/security_detection_engine/kibana/security_rule/28371aa1-14ed-46cf-ab5b-2fc7d1942278_1.json deleted file mode 100644 index 255889b4576..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/28371aa1-14ed-46cf-ab5b-2fc7d1942278_1.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule uses alert data to determine when a malware signature is triggered in multiple hosts. Analysts can use this to prioritize triage and response, as this can potentially indicate a widespread malware infection.", "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "Potential Widespread Malware Infection Across Multiple Hosts", "query": "from logs-endpoint.alerts-*\n| where event.code in (\"malicious_file\", \"memory_signature\", \"shellcode_thread\") and rule.name is not null\n| stats hosts = count_distinct(host.id) by rule.name, event.code\n| where hosts >= 3\n", "references": ["https://github.com/elastic/protections-artifacts/tree/main/yara/rules"], "risk_score": 73, "rule_id": "28371aa1-14ed-46cf-ab5b-2fc7d1942278", "severity": "high", "tags": ["Domain: Endpoint", "Data Source: Elastic Defend", "Use Case: Threat Detection", "Tactic: Execution", "Rule Type: Higher-Order Rule"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "28371aa1-14ed-46cf-ab5b-2fc7d1942278_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed.json b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed.json deleted file mode 100644 index 503762c63fb..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Account Discovery Command via SYSTEM Account", "note": "## Triage and analysis\n\n### Investigating Account Discovery Command via SYSTEM Account\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of account discovery utilities using the SYSTEM account, which is commonly observed after attackers successfully perform privilege escalation or exploit web applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the process tree includes a web-application server process such as w3wp, httpd.exe, nginx.exe and alike, investigate any suspicious file creation or modification in the last 48 hours to assess the presence of any potential webshell backdoor.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine how the SYSTEM account is being used. For example, users with administrator privileges can spawn a system shell using Windows services, scheduled tasks or other third party utilities.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n- Use the data collected through the analysis to investigate other machines affected in the environment.\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (\n process.name : \"whoami.exe\" or\n (\n process.name : \"net1.exe\" and not process.parent.name : \"net.exe\" and not process.args : (\"start\", \"stop\", \"/active:*\")\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, 
"name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 21, "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_104.json b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_104.json deleted file mode 100644 index 3aa89512bad..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Account Discovery Command via SYSTEM Account", "note": "## Triage and analysis\n\n### Investigating Account Discovery Command via SYSTEM Account\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of account discovery utilities using the SYSTEM account, which is commonly observed after attackers successfully perform privilege escalation or exploit web applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the process tree includes a web-application server process such as w3wp, httpd.exe, nginx.exe and alike, investigate any suspicious file creation or modification in the last 48 hours to assess the presence of any potential webshell backdoor.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine how the SYSTEM account is being used. For example, users with administrator privileges can spawn a system shell using Windows services, scheduled tasks or other third party utilities.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n- Use the data collected through the analysis to investigate other machines affected in the environment.", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (process.name : \"whoami.exe\" or\n (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 21, "rule_id": 
"2856446a-34e6-435b-9fb5-f8f040bfa7ed", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_105.json b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_105.json deleted file mode 100644 index 2717046a94b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Account Discovery Command via SYSTEM Account", "note": "## Triage and analysis\n\n### Investigating Account Discovery Command via SYSTEM Account\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of account discovery utilities using the SYSTEM account, which is commonly observed after attackers successfully perform privilege escalation or exploit web applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the process tree includes a web-application server process such as w3wp, httpd.exe, nginx.exe and alike, investigate any suspicious file creation or modification in the last 48 hours to assess the presence of any potential webshell backdoor.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine how the SYSTEM account is being used. For example, users with administrator privileges can spawn a system shell using Windows services, scheduled tasks or other third party utilities.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n- Use the data collected through the analysis to investigate other machines affected in the environment.", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (process.name : \"whoami.exe\" or\n (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 21, "rule_id": 
"2856446a-34e6-435b-9fb5-f8f040bfa7ed", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_106.json b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_106.json deleted file mode 100644 index 3fcbe8059b5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Account Discovery Command via SYSTEM Account", "note": "## Triage and analysis\n\n### Investigating Account Discovery Command via SYSTEM Account\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of account discovery utilities using the SYSTEM account, which is commonly observed after attackers successfully perform privilege escalation or exploit web applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the process tree includes a web-application server process such as w3wp, httpd.exe, nginx.exe and alike, investigate any suspicious file creation or modification in the last 48 hours to assess the presence of any potential webshell backdoor.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine how the SYSTEM account is being used. For example, users with administrator privileges can spawn a system shell using Windows services, scheduled tasks or other third party utilities.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n- Use the data collected through the analysis to investigate other machines affected in the environment.", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (process.name : \"whoami.exe\" or\n (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 21, "rule_id": 
"2856446a-34e6-435b-9fb5-f8f040bfa7ed", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_107.json b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_107.json deleted file mode 100644 index aa77bfdee1e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Account Discovery Command via SYSTEM Account", "note": "## Triage and analysis\n\n### Investigating Account Discovery Command via SYSTEM Account\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of account discovery utilities using the SYSTEM account, which is commonly observed after attackers successfully perform privilege escalation or exploit web applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the process tree includes a web-application server process such as w3wp, httpd.exe, nginx.exe and alike, investigate any suspicious file creation or modification in the last 48 hours to assess the presence of any potential webshell backdoor.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine how the SYSTEM account is being used. For example, users with administrator privileges can spawn a system shell using Windows services, scheduled tasks or other third party utilities.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n- Use the data collected through the analysis to investigate other machines affected in the environment.", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (process.name : \"whoami.exe\" or\n (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 21, "rule_id": 
"2856446a-34e6-435b-9fb5-f8f040bfa7ed", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_108.json b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_108.json deleted file mode 100644 index 9e0bfdea8b6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Account Discovery Command via SYSTEM Account", "note": "## Triage and analysis\n\n### Investigating Account Discovery Command via SYSTEM Account\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of account discovery utilities using the SYSTEM account, which is commonly observed after attackers successfully perform privilege escalation or exploit web applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the process tree includes a web-application server process such as w3wp, httpd.exe, nginx.exe and alike, investigate any suspicious file creation or modification in the last 48 hours to assess the presence of any potential webshell backdoor.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine how the SYSTEM account is being used. For example, users with administrator privileges can spawn a system shell using Windows services, scheduled tasks or other third party utilities.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n- Use the data collected through the analysis to investigate other machines affected in the environment.\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (process.name : \"whoami.exe\" or\n (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 21, "rule_id": 
"2856446a-34e6-435b-9fb5-f8f040bfa7ed", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_109.json b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_109.json deleted file mode 100644 index 5b27db6f435..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Account Discovery Command via SYSTEM Account", "note": "## Triage and analysis\n\n### Investigating Account Discovery Command via SYSTEM Account\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of account discovery utilities using the SYSTEM account, which is commonly observed after attackers successfully perform privilege escalation or exploit web applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the process tree includes a web-application server process such as w3wp, httpd.exe, nginx.exe and alike, investigate any suspicious file creation or modification in the last 48 hours to assess the presence of any potential webshell backdoor.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine how the SYSTEM account is being used. For example, users with administrator privileges can spawn a system shell using Windows services, scheduled tasks or other third party utilities.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n- Use the data collected through the analysis to investigate other machines affected in the environment.\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (\n process.name : \"whoami.exe\" or\n (\n process.name : \"net1.exe\" and not process.parent.name : \"net.exe\" and not process.args : (\"start\", \"stop\", \"/active:*\")\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": 
false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 21, "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_110.json b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_110.json deleted file mode 100644 index cab3e6841ac..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Account Discovery Command via SYSTEM Account", "note": "## Triage and analysis\n\n### Investigating Account Discovery Command via SYSTEM Account\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of account discovery utilities using the SYSTEM account, which is commonly observed after attackers successfully perform privilege escalation or exploit web applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the process tree includes a web-application server process such as w3wp, httpd.exe, nginx.exe and alike, investigate any suspicious file creation or modification in the last 48 hours to assess the presence of any potential webshell backdoor.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine how the SYSTEM account is being used. For example, users with administrator privileges can spawn a system shell using Windows services, scheduled tasks or other third party utilities.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n- Use the data collected through the analysis to investigate other machines affected in the environment.\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (\n process.name : \"whoami.exe\" or\n (\n process.name : \"net1.exe\" and not process.parent.name : \"net.exe\" and not process.args : (\"start\", \"stop\", \"/active:*\")\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, 
"name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 21, "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_111.json b/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_111.json deleted file mode 100644 index 39d270c52d6..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/2856446a-34e6-435b-9fb5-f8f040bfa7ed_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Account Discovery Command via SYSTEM Account", "note": "## Triage and analysis\n\n### Investigating Account Discovery Command via SYSTEM Account\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of account discovery utilities using the SYSTEM account, which is commonly observed after attackers successfully perform privilege escalation or exploit web applications.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the process tree includes a web-application server process such as w3wp, httpd.exe, nginx.exe and alike, investigate any suspicious file creation or modification in the last 48 hours to assess the presence of any potential webshell backdoor.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine how the SYSTEM account is being used. For example, users with administrator privileges can spawn a system shell using Windows services, scheduled tasks or other third party utilities.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n- Use the data collected through the analysis to investigate other machines affected in the environment.\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (\n process.name : \"whoami.exe\" or\n (\n process.name : \"net1.exe\" and not process.parent.name : \"net.exe\" and not process.args : (\"start\", \"stop\", \"/active:*\")\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, 
"name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 21, "rule_id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "2856446a-34e6-435b-9fb5-f8f040bfa7ed_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036.json b/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036.json deleted file mode 100644 index 1ea9f2f175b..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Exploit - Prevented - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036", "setup": "## Setup\n\nThis rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.\n\n**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. 
For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.\n\nTo make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.\n\n**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.", "severity": "medium", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036_100.json b/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036_100.json deleted file mode 100644 index 96aedf2e660..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036_100.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Exploit - Prevented - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036", "severity": "medium", "tags": ["Elastic", "Elastic Endgame", "Threat Detection", "Execution", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "query", "version": 100}, "id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036_100", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036_101.json b/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036_101.json deleted file mode 100644 index 78a1832bbae..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036_101.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Exploit - Prevented - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036", "severity": "medium", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "query", "version": 101}, "id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036_101", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036_102.json b/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036_102.json
deleted file mode 100644
index 62570c54db4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2863ffeb-bf77-44dd-b7a5-93ef94b72036_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame prevented an Exploit. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Exploit - Prevented - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036", "severity": "medium", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "2863ffeb-bf77-44dd-b7a5-93ef94b72036_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_1.json b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_1.json
deleted file mode 100644
index 9898693b991..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file. This rule identifies a sequence of 50 file extension rename events by the same process in a timespan of 1 second.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Changes Activity Detected", "query": "sequence by host.id, process.entity_id, file.extension with maxspan=1s \n[ file where host.os.type == \"linux\" and event.type == \"change\" and \n event.action == \"rename\" and file.extension != \"\" ] with runs=50 | tail 1\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}], "risk_score": 73, "rule_id": "28738f9f-7427-4d23-bc69-756708b5f624", "severity": "high", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "type": "eql", "version": 1}, "id": "28738f9f-7427-4d23-bc69-756708b5f624_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_2.json b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_2.json
deleted file mode 100644
index 687bd8cfd67..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file. This rule identifies a sequence of 50 file extension rename events by the same process in a timespan of 1 second.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Changes Activity Detected", "query": "sequence by host.id, process.entity_id, file.extension with maxspan=1s \n[ file where host.os.type == \"linux\" and event.type == \"change\" and \n event.action == \"rename\" and file.extension != \"\" ] with runs=50 | tail 1\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}], "risk_score": 73, "rule_id": "28738f9f-7427-4d23-bc69-756708b5f624", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "type": "eql", "version": 2}, "id": "28738f9f-7427-4d23-bc69-756708b5f624_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_3.json b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_3.json
deleted file mode 100644
index 2ce02d2af9b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Changes Activity Detected", "query": "sequence by host.id, process.entity_id with maxspan=1s \n [ file where host.os.type == \"linux\" and event.type == \"change\" and\n event.action == \"rename\" and file.extension != \"\" and \n file.path : (\n \"/home/*\", \"/etc/*\", \"/root/*\", \"/opt/*\", \"/var/backups/*\", \"/var/lib/log/*\"\n ) and not \n file.extension : (\n \"xml\", \"json\", \"conf\", \"dat\", \"gz\", \"info\", \"mod\", \"final\",\n \"php\", \"pyc\", \"log\", \"bak\", \"bin\", \"csv\", \"pdf\", \"cfg\", \"*old\"\n ) and not \n process.name : (\n \"dpkg\", \"yum\", \"dnf\", \"rpm\", \"dockerd\"\n ) ] with runs=100 | tail 1\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "28738f9f-7427-4d23-bc69-756708b5f624", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: 
Threat Detection", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "type": "eql", "version": 3}, "id": "28738f9f-7427-4d23-bc69-756708b5f624_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_4.json b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_4.json
deleted file mode 100644
index a86b676b79f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Changes Activity Detected", "query": "sequence by host.id, process.entity_id with maxspan=1s \n [ file where host.os.type == \"linux\" and event.type == \"change\" and\n event.action == \"rename\" and file.extension != \"\" and \n file.path : (\n \"/home/*\", \"/etc/*\", \"/root/*\", \"/opt/*\", \"/var/backups/*\", \"/var/lib/log/*\"\n ) and not \n file.extension : (\n \"xml\", \"json\", \"conf\", \"dat\", \"gz\", \"info\", \"mod\", \"final\",\n \"php\", \"pyc\", \"log\", \"bak\", \"bin\", \"csv\", \"pdf\", \"cfg\", \"*old\"\n ) and not \n process.name : (\n \"dpkg\", \"yum\", \"dnf\", \"rpm\", \"dockerd\", \"go\", \"java\", \"pip*\", \"python*\", \"node\", \"containerd\", \"php\", \"p4d\", \n \"conda\", \"chrome\", \"imap\", \"cmake\", \"firefox\", \"semanage\", \"semodule\", \"ansible-galaxy\"\n ) ] with runs=100 | tail 1\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": 
true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "28738f9f-7427-4d23-bc69-756708b5f624", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "type": "eql", "version": 4}, "id": "28738f9f-7427-4d23-bc69-756708b5f624_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_5.json b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_5.json
deleted file mode 100644
index d33e2981e86..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Changes Activity Detected", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [file where host.os.type == \"linux\" and event.type == \"change\" and event.action == \"rename\" and file.extension : \"?*\" \n and ((process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"ash\", \"openssl\")) or\n (process.executable : (\"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/dev/shm/*\", \"/var/run/*\", \"/boot/*\", \"/srv/*\", \"/run/*\"))) and\n file.path : (\n \"/home/*/Downloads/*\", \"/home/*/Documents/*\", \"/root/*\", \"/bin/*\", \"/usr/bin/*\",\n \"/opt/*\", \"/etc/*\", \"/var/log/*\", \"/var/lib/log/*\", \"/var/backup/*\", \"/var/www/*\") and not ((\n process.name : (\n \"dpkg\", \"yum\", \"dnf\", \"rpm\", \"dockerd\", \"go\", \"java\", \"pip*\", \"python*\", \"node\", \"containerd\", \"php\", \"p4d\",\n \"conda\", \"chrome\", \"imap\", \"cmake\", \"firefox\", \"semanage\", \"semodule\", \"ansible-galaxy\", \"fc-cache\", \"jammy\", \"git\",\n \"systemsettings\", \"vmis-launcher\")) or file.path : \"/etc/selinux/*\" or (file.extension in (\"qmlc\", \"txt\")\n ))] with runs=25\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": 
"keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "28738f9f-7427-4d23-bc69-756708b5f624", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "type": "eql", "version": 5}, "id": "28738f9f-7427-4d23-bc69-756708b5f624_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_6.json b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_6.json
deleted file mode 100644
index 3ee7f18060c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Changes Activity Detected", "query": "sequence by process.entity_id, host.id with maxspan=1s\n [file where host.os.type == \"linux\" and event.type == \"change\" and event.action == \"rename\" and file.extension : \"?*\" \n and process.executable : (\"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/dev/shm/*\", \"/var/run/*\", \"/boot/*\", \"/srv/*\", \"/run/*\") and\n file.path : (\n \"/home/*/Downloads/*\", \"/home/*/Documents/*\", \"/root/*\", \"/bin/*\", \"/usr/bin/*\",\n \"/opt/*\", \"/etc/*\", \"/var/log/*\", \"/var/lib/log/*\", \"/var/backup/*\", \"/var/www/*\")] with runs=25\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "28738f9f-7427-4d23-bc69-756708b5f624", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is 
integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "type": "eql", "version": 6}, "id": "28738f9f-7427-4d23-bc69-756708b5f624_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_7.json b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_7.json
deleted file mode 100644
index 03a9403cd56..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Changes Activity Detected", "query": "sequence by process.entity_id, host.id with maxspan=1s\n [file where host.os.type == \"linux\" and event.type == \"change\" and event.action == \"rename\" and file.extension : \"?*\" \n and process.executable : (\"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/dev/shm/*\", \"/var/run/*\", \"/boot/*\", \"/srv/*\", \"/run/*\") and\n file.path : (\n \"/home/*/Downloads/*\", \"/home/*/Documents/*\", \"/root/*\", \"/bin/*\", \"/usr/bin/*\",\n \"/opt/*\", \"/etc/*\", \"/var/log/*\", \"/var/lib/log/*\", \"/var/backup/*\", \"/var/www/*\")] with runs=25\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "28738f9f-7427-4d23-bc69-756708b5f624", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is 
integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "type": "eql", "version": 7}, "id": "28738f9f-7427-4d23-bc69-756708b5f624_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_8.json b/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_8.json
deleted file mode 100644
index 749ae99ebb5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/28738f9f-7427-4d23-bc69-756708b5f624_8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a sequence of 100 file extension rename events within a set of common file paths by the same process in a timespan of 1 second. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Changes Activity Detected", "query": "sequence by process.entity_id, host.id with maxspan=1s\n [file where host.os.type == \"linux\" and event.type == \"change\" and event.action == \"rename\" and file.extension : \"?*\" \n and process.executable : (\"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/dev/shm/*\", \"/var/run/*\", \"/boot/*\", \"/srv/*\", \"/run/*\") and\n file.path : (\n \"/home/*/Downloads/*\", \"/home/*/Documents/*\", \"/root/*\", \"/bin/*\", \"/usr/bin/*\", \"/var/log/*\", \"/var/lib/log/*\",\n \"/var/backup/*\", \"/var/www/*\"\n ) and\n not process.name : (\n \"dpkg\", \"yum\", \"dnf\", \"rpm\", \"dockerd\", \"go\", \"java\", \"pip*\", \"python*\", \"node\", \"containerd\", \"php\", \"p4d\",\n \"conda\", \"chrome\", \"imap\", \"cmake\", \"firefox\", \"semanage\", \"semodule\", \"ansible-galaxy\", \"fc-cache\", \"jammy\", \"git\",\n \"systemsettings\", \"vmis-launcher\", \"bundle\", \"kudu-tserver\", \"suldownloader\"\n )\n ] with runs=25\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, 
{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "28738f9f-7427-4d23-bc69-756708b5f624", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "type": "eql", "version": 8}, "id": "28738f9f-7427-4d23-bc69-756708b5f624_8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/28bc620d-b2f7-4132-b372-f77953881d05.json b/packages/security_detection_engine/kibana/security_rule/28bc620d-b2f7-4132-b372-f77953881d05.json
deleted file mode 100644
index d0e2b84894b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/28bc620d-b2f7-4132-b372-f77953881d05.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where GDB (granted the CAP_SYS_PTRACE capability) is executed, after which an outbound network connection is initiated by UID/GID 0 (root). In Linux, the CAP_SYS_PTRACE capability grants a process the ability to use the ptrace system call, which is typically used for debugging and allows the process to trace and control other processes. Attackers may leverage this capability to hook and inject into a process that is running with root permissions in order to execute shell code and gain a reverse shell with root privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Root Network Connection via GDB CAP_SYS_PTRACE", "query": "sequence by host.id, process.entry_leader.entity_id with maxspan=30s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name == \"gdb\" and\n (process.thread.capabilities.effective : \"CAP_SYS_PTRACE\" or process.thread.capabilities.permitted : \"CAP_SYS_PTRACE\") and\n user.id != \"0\"]\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and event.type == \"start\" and\n process.name != null and user.id == \"0\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entry_leader.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.effective", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.permitted", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 
47, "rule_id": "28bc620d-b2f7-4132-b372-f77953881d05", "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Execution", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.008", "name": "Ptrace System Calls", "reference": "https://attack.mitre.org/techniques/T1055/008/"}]}, {"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": 
"https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 2}, "id": "28bc620d-b2f7-4132-b372-f77953881d05", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/28bc620d-b2f7-4132-b372-f77953881d05_1.json b/packages/security_detection_engine/kibana/security_rule/28bc620d-b2f7-4132-b372-f77953881d05_1.json
deleted file mode 100644
index 5db4fc63225..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/28bc620d-b2f7-4132-b372-f77953881d05_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where GDB (granted the CAP_SYS_PTRACE capability) is executed, after which an outbound network connection is initiated by UID/GID 0 (root). In Linux, the CAP_SYS_PTRACE capability grants a process the ability to use the ptrace system call, which is typically used for debugging and allows the process to trace and control other processes. Attackers may leverage this capability to hook and inject into a process that is running with root permissions in order to execute shell code and gain a reverse shell with root privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Root Network Connection via GDB CAP_SYS_PTRACE", "query": "sequence by host.id, process.entry_leader.entity_id with maxspan=30s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and process.name == \"gdb\" and\n (process.thread.capabilities.effective : \"CAP_SYS_PTRACE\" or process.thread.capabilities.permitted : \"CAP_SYS_PTRACE\") and\n user.id != \"0\"]\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and event.type == \"start\" and\n process.name != null and user.id == \"0\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entry_leader.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.effective", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.permitted", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 
47, "rule_id": "28bc620d-b2f7-4132-b372-f77953881d05", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Execution", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.008", "name": "Ptrace System Calls", "reference": "https://attack.mitre.org/techniques/T1055/008/"}]}, {"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": 
"https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 1}, "id": "28bc620d-b2f7-4132-b372-f77953881d05_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663.json b/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663.json
deleted file mode 100644
index d4f29cb675b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663.json
+++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo permissions, potentially allowing to escalate privileges to root.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Sudo Command Enumeration Detected", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \nprocess.name == \"sudo\" and process.args == \"-l\" and process.args_count == 2 and\nprocess.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \nnot group.Ext.real.id : \"0\" and not user.Ext.real.id : \"0\" and not process.args == \"dpkg\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 21, "rule_id": "28d39238-0c01-420a-b77a-24e5a7378663", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "28d39238-0c01-420a-b77a-24e5a7378663", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_1.json b/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_1.json
deleted file mode 100644
index 49fa3a42f31..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_1.json
+++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo permissions, potentially allowing to escalate privileges to root.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Sudo Command Enumeration Detected", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \nprocess.name == \"sudo\" and process.args == \"-l\" and \nprocess.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \nnot group.Ext.real.id : \"0\" and not user.Ext.real.id : \"0\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 21, "rule_id": "28d39238-0c01-420a-b77a-24e5a7378663", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": 
"28d39238-0c01-420a-b77a-24e5a7378663_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_2.json b/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_2.json
deleted file mode 100644
index e8986ad646d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_2.json
+++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo permissions, potentially allowing to escalate privileges to root.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Sudo Command Enumeration Detected", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \nprocess.name == \"sudo\" and process.args == \"-l\" and process.args_count == 2 and\nprocess.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \nnot group.Ext.real.id : \"0\" and not user.Ext.real.id : \"0\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 21, "rule_id": "28d39238-0c01-420a-b77a-24e5a7378663", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": 
"https://attack.mitre.org/techniques/T1033/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "28d39238-0c01-420a-b77a-24e5a7378663_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_3.json b/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_3.json
deleted file mode 100644
index 0107057bec5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_3.json
+++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo permissions, potentially allowing to escalate privileges to root.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Sudo Command Enumeration Detected", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \nprocess.name == \"sudo\" and process.args == \"-l\" and process.args_count == 2 and\nprocess.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \nnot group.Ext.real.id : \"0\" and not user.Ext.real.id : \"0\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 21, "rule_id": "28d39238-0c01-420a-b77a-24e5a7378663", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "28d39238-0c01-420a-b77a-24e5a7378663_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_4.json b/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_4.json
deleted file mode 100644
index a2e143d3e13..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_4.json
+++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo permissions, potentially allowing to escalate privileges to root.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Sudo Command Enumeration Detected", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \nprocess.name == \"sudo\" and process.args == \"-l\" and process.args_count == 2 and\nprocess.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \nnot group.Ext.real.id : \"0\" and not user.Ext.real.id : \"0\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 21, "rule_id": "28d39238-0c01-420a-b77a-24e5a7378663", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "28d39238-0c01-420a-b77a-24e5a7378663_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_5.json b/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_5.json
deleted file mode 100644
index 8070382ea65..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/28d39238-0c01-420a-b77a-24e5a7378663_5.json
+++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the usage of the sudo -l command, which is used to list the allowed and forbidden commands for the invoking user. Attackers may execute this command to enumerate commands allowed to be executed with sudo permissions, potentially allowing to escalate privileges to root.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Sudo Command Enumeration Detected", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \nprocess.name == \"sudo\" and process.args == \"-l\" and process.args_count == 2 and\nprocess.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \nnot group.Ext.real.id : \"0\" and not user.Ext.real.id : \"0\" and not process.args == \"dpkg\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 21, "rule_id": "28d39238-0c01-420a-b77a-24e5a7378663", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "28d39238-0c01-420a-b77a-24e5a7378663_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/28eb3afe-131d-48b0-a8fc-9784f3d54f3c.json b/packages/security_detection_engine/kibana/security_rule/28eb3afe-131d-48b0-a8fc-9784f3d54f3c.json
deleted file mode 100644
index 292864e83b2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/28eb3afe-131d-48b0-a8fc-9784f3d54f3c.json
+++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where a process is executed with user/group ID 0 (root), and a real user/group ID that is not 0. This is indicative of a process that has been granted SUID/SGID permissions, allowing it to run with elevated privileges. Attackers may leverage a misconfiguration for exploitation in order to escalate their privileges to root, or establish a backdoor for persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via SUID/SGID", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.user.id == \"0\" and process.real_user.id != \"0\") or \n (process.group.id == \"0\" and process.real_group.id != \"0\")\n) and (\n process.name in (\n \"aa-exec\", \"ab\", \"agetty\", \"alpine\", \"ar\", \"arj\", \"arp\", \"as\", \"ascii-xfr\", \"ash\", \"aspell\",\n \"atobm\", \"awk\", \"base32\", \"base64\", \"basenc\", \"basez\", \"bash\", \"bc\", \"bridge\", \"busctl\",\n \"busybox\", \"bzip2\", \"cabal\", \"capsh\", \"cat\", \"choom\", \"chown\", \"chroot\", \"clamscan\", \"cmp\",\n \"column\", \"comm\", \"cp\", \"cpio\", \"cpulimit\", \"csh\", \"csplit\", \"csvtool\", \"cupsfilter\", \"curl\",\n \"cut\", \"dash\", \"date\", \"dd\", \"debugfs\", \"dialog\", \"diff\", \"dig\", \"distcc\", \"dmsetup\", \"docker\",\n \"dosbox\", \"ed\", \"efax\", \"elvish\", \"emacs\", \"env\", \"eqn\", \"espeak\", \"expand\", \"expect\", \"file\",\n \"find\", \"fish\", \"flock\", \"fmt\", \"fold\", \"gawk\", \"gcore\", \"gdb\", \"genie\", \"genisoimage\", \"gimp\",\n \"grep\", \"gtester\", \"gzip\", \"hd\", \"head\", \"hexdump\", \"highlight\", \"hping3\", \"iconv\", \"install\",\n \"ionice\", \"ispell\", \"jjs\", \"join\", \"jq\", \"jrunscript\", \"julia\", \"ksh\", \"ksshell\", \"kubectl\",\n \"ld.so\", \"less\", \"links\", \"logsave\", \"look\", 
\"lua\", \"make\", \"mawk\", \"minicom\", \"more\",\n \"mosquitto\", \"msgattrib\", \"msgcat\", \"msgconv\", \"msgfilter\", \"msgmerge\", \"msguniq\", \"multitime\",\n \"mv\", \"nasm\", \"nawk\", \"ncftp\", \"nft\", \"nice\", \"nl\", \"nm\", \"nmap\", \"node\", \"nohup\", \"ntpdate\",\n \"od\", \"openssl\", \"openvpn\", \"pandoc\", \"paste\", \"perf\", \"perl\", \"pexec\", \"pg\", \"php\", \"pidstat\",\n \"pr\", \"ptx\", \"python\", \"rc\", \"readelf\", \"restic\", \"rev\", \"rlwrap\", \"rsync\", \"rtorrent\",\n \"run-parts\", \"rview\", \"rvim\", \"sash\", \"scanmem\", \"sed\", \"setarch\", \"setfacl\", \"setlock\", \"shuf\",\n \"soelim\", \"softlimit\", \"sort\", \"sqlite3\", \"ss\", \"ssh-agent\", \"ssh-keygen\", \"ssh-keyscan\",\n \"sshpass\", \"start-stop-daemon\", \"stdbuf\", \"strace\", \"strings\", \"sysctl\", \"systemctl\", \"tac\",\n \"tail\", \"taskset\", \"tbl\", \"tclsh\", \"tee\", \"terraform\", \"tftp\", \"tic\", \"time\", \"timeout\", \"troff\",\n \"ul\", \"unexpand\", \"uniq\", \"unshare\", \"unsquashfs\", \"unzip\", \"update-alternatives\", \"uudecode\",\n \"uuencode\", \"vagrant\", \"varnishncsa\", \"view\", \"vigr\", \"vim\", \"vimdiff\", \"vipw\", \"w3m\", \"watch\",\n \"wc\", \"wget\", \"whiptail\", \"xargs\", \"xdotool\", \"xmodmap\", \"xmore\", \"xxd\", \"xz\", \"yash\", \"zsh\",\n \"zsoelim\"\n ) or \n process.name == \"ip\" and (\n (process.args == \"-force\" and process.args in (\"-batch\", \"-b\")) or (process.args == \"exec\")\n )\n)\n", "references": ["https://gtfobins.github.io/#+suid"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": false, "name": "process.group.id", "type": "unknown"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": 
true, "name": "process.real_group.id", "type": "keyword"}, {"ecs": true, "name": "process.real_user.id", "type": "keyword"}, {"ecs": true, "name": "process.user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "28eb3afe-131d-48b0-a8fc-9784f3d54f3c", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.001", "name": "Setuid and Setgid", "reference": "https://attack.mitre.org/techniques/T1548/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "28eb3afe-131d-48b0-a8fc-9784f3d54f3c", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/28eb3afe-131d-48b0-a8fc-9784f3d54f3c_1.json b/packages/security_detection_engine/kibana/security_rule/28eb3afe-131d-48b0-a8fc-9784f3d54f3c_1.json
deleted file mode 100644
index aec0e7a046d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/28eb3afe-131d-48b0-a8fc-9784f3d54f3c_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where a process is executed with user/group ID 0 (root), and a real user/group ID that is not 0. This is indicative of a process that has been granted SUID/SGID permissions, allowing it to run with elevated privileges. Attackers may leverage a misconfiguration for exploitation in order to escalate their privileges to root, or establish a backdoor for persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via SUID/SGID", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.user.id == \"0\" and process.real_user.id != \"0\") or \n (process.group.id == \"0\" and process.real_group.id != \"0\")\n) and (\n process.name in (\n \"aa-exec\", \"ab\", \"agetty\", \"alpine\", \"ar\", \"arj\", \"arp\", \"as\", \"ascii-xfr\", \"ash\", \"aspell\",\n \"atobm\", \"awk\", \"base32\", \"base64\", \"basenc\", \"basez\", \"bash\", \"bc\", \"bridge\", \"busctl\",\n \"busybox\", \"bzip2\", \"cabal\", \"capsh\", \"cat\", \"choom\", \"chown\", \"chroot\", \"clamscan\", \"cmp\",\n \"column\", \"comm\", \"cp\", \"cpio\", \"cpulimit\", \"csh\", \"csplit\", \"csvtool\", \"cupsfilter\", \"curl\",\n \"cut\", \"dash\", \"date\", \"dd\", \"debugfs\", \"dialog\", \"diff\", \"dig\", \"distcc\", \"dmsetup\", \"docker\",\n \"dosbox\", \"ed\", \"efax\", \"elvish\", \"emacs\", \"env\", \"eqn\", \"espeak\", \"expand\", \"expect\", \"file\",\n \"find\", \"fish\", \"flock\", \"fmt\", \"fold\", \"gawk\", \"gcore\", \"gdb\", \"genie\", \"genisoimage\", \"gimp\",\n \"grep\", \"gtester\", \"gzip\", \"hd\", \"head\", \"hexdump\", \"highlight\", \"hping3\", \"iconv\", \"install\",\n \"ionice\", \"ispell\", \"jjs\", \"join\", \"jq\", \"jrunscript\", \"julia\", \"ksh\", \"ksshell\", \"kubectl\",\n \"ld.so\", \"less\", \"links\", \"logsave\", \"look\", 
\"lua\", \"make\", \"mawk\", \"minicom\", \"more\",\n \"mosquitto\", \"msgattrib\", \"msgcat\", \"msgconv\", \"msgfilter\", \"msgmerge\", \"msguniq\", \"multitime\",\n \"mv\", \"nasm\", \"nawk\", \"ncftp\", \"nft\", \"nice\", \"nl\", \"nm\", \"nmap\", \"node\", \"nohup\", \"ntpdate\",\n \"od\", \"openssl\", \"openvpn\", \"pandoc\", \"paste\", \"perf\", \"perl\", \"pexec\", \"pg\", \"php\", \"pidstat\",\n \"pr\", \"ptx\", \"python\", \"rc\", \"readelf\", \"restic\", \"rev\", \"rlwrap\", \"rsync\", \"rtorrent\",\n \"run-parts\", \"rview\", \"rvim\", \"sash\", \"scanmem\", \"sed\", \"setarch\", \"setfacl\", \"setlock\", \"shuf\",\n \"soelim\", \"softlimit\", \"sort\", \"sqlite3\", \"ss\", \"ssh-agent\", \"ssh-keygen\", \"ssh-keyscan\",\n \"sshpass\", \"start-stop-daemon\", \"stdbuf\", \"strace\", \"strings\", \"sysctl\", \"systemctl\", \"tac\",\n \"tail\", \"taskset\", \"tbl\", \"tclsh\", \"tee\", \"terraform\", \"tftp\", \"tic\", \"time\", \"timeout\", \"troff\",\n \"ul\", \"unexpand\", \"uniq\", \"unshare\", \"unsquashfs\", \"unzip\", \"update-alternatives\", \"uudecode\",\n \"uuencode\", \"vagrant\", \"varnishncsa\", \"view\", \"vigr\", \"vim\", \"vimdiff\", \"vipw\", \"w3m\", \"watch\",\n \"wc\", \"wget\", \"whiptail\", \"xargs\", \"xdotool\", \"xmodmap\", \"xmore\", \"xxd\", \"xz\", \"yash\", \"zsh\",\n \"zsoelim\"\n ) or \n process.name == \"ip\" and (\n (process.args == \"-force\" and process.args in (\"-batch\", \"-b\")) or (process.args == \"exec\")\n )\n)\n", "references": ["https://gtfobins.github.io/#+suid"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": false, "name": "process.group.id", "type": "unknown"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": 
true, "name": "process.real_group.id", "type": "keyword"}, {"ecs": true, "name": "process.real_user.id", "type": "keyword"}, {"ecs": true, "name": "process.user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "28eb3afe-131d-48b0-a8fc-9784f3d54f3c", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.001", "name": "Setuid and Setgid", "reference": "https://attack.mitre.org/techniques/T1548/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "28eb3afe-131d-48b0-a8fc-9784f3d54f3c_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/28eb3afe-131d-48b0-a8fc-9784f3d54f3c_2.json b/packages/security_detection_engine/kibana/security_rule/28eb3afe-131d-48b0-a8fc-9784f3d54f3c_2.json
deleted file mode 100644
index 2294e94de7a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/28eb3afe-131d-48b0-a8fc-9784f3d54f3c_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where a process is executed with user/group ID 0 (root), and a real user/group ID that is not 0. This is indicative of a process that has been granted SUID/SGID permissions, allowing it to run with elevated privileges. Attackers may leverage a misconfiguration for exploitation in order to escalate their privileges to root, or establish a backdoor for persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via SUID/SGID", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.user.id == \"0\" and process.real_user.id != \"0\") or \n (process.group.id == \"0\" and process.real_group.id != \"0\")\n) and (\n process.name in (\n \"aa-exec\", \"ab\", \"agetty\", \"alpine\", \"ar\", \"arj\", \"arp\", \"as\", \"ascii-xfr\", \"ash\", \"aspell\",\n \"atobm\", \"awk\", \"base32\", \"base64\", \"basenc\", \"basez\", \"bash\", \"bc\", \"bridge\", \"busctl\",\n \"busybox\", \"bzip2\", \"cabal\", \"capsh\", \"cat\", \"choom\", \"chown\", \"chroot\", \"clamscan\", \"cmp\",\n \"column\", \"comm\", \"cp\", \"cpio\", \"cpulimit\", \"csh\", \"csplit\", \"csvtool\", \"cupsfilter\", \"curl\",\n \"cut\", \"dash\", \"date\", \"dd\", \"debugfs\", \"dialog\", \"diff\", \"dig\", \"distcc\", \"dmsetup\", \"docker\",\n \"dosbox\", \"ed\", \"efax\", \"elvish\", \"emacs\", \"env\", \"eqn\", \"espeak\", \"expand\", \"expect\", \"file\",\n \"find\", \"fish\", \"flock\", \"fmt\", \"fold\", \"gawk\", \"gcore\", \"gdb\", \"genie\", \"genisoimage\", \"gimp\",\n \"grep\", \"gtester\", \"gzip\", \"hd\", \"head\", \"hexdump\", \"highlight\", \"hping3\", \"iconv\", \"install\",\n \"ionice\", \"ispell\", \"jjs\", \"join\", \"jq\", \"jrunscript\", \"julia\", \"ksh\", \"ksshell\", \"kubectl\",\n \"ld.so\", \"less\", \"links\", \"logsave\", \"look\", 
\"lua\", \"make\", \"mawk\", \"minicom\", \"more\",\n \"mosquitto\", \"msgattrib\", \"msgcat\", \"msgconv\", \"msgfilter\", \"msgmerge\", \"msguniq\", \"multitime\",\n \"mv\", \"nasm\", \"nawk\", \"ncftp\", \"nft\", \"nice\", \"nl\", \"nm\", \"nmap\", \"node\", \"nohup\", \"ntpdate\",\n \"od\", \"openssl\", \"openvpn\", \"pandoc\", \"paste\", \"perf\", \"perl\", \"pexec\", \"pg\", \"php\", \"pidstat\",\n \"pr\", \"ptx\", \"python\", \"rc\", \"readelf\", \"restic\", \"rev\", \"rlwrap\", \"rsync\", \"rtorrent\",\n \"run-parts\", \"rview\", \"rvim\", \"sash\", \"scanmem\", \"sed\", \"setarch\", \"setfacl\", \"setlock\", \"shuf\",\n \"soelim\", \"softlimit\", \"sort\", \"sqlite3\", \"ss\", \"ssh-agent\", \"ssh-keygen\", \"ssh-keyscan\",\n \"sshpass\", \"start-stop-daemon\", \"stdbuf\", \"strace\", \"strings\", \"sysctl\", \"systemctl\", \"tac\",\n \"tail\", \"taskset\", \"tbl\", \"tclsh\", \"tee\", \"terraform\", \"tftp\", \"tic\", \"time\", \"timeout\", \"troff\",\n \"ul\", \"unexpand\", \"uniq\", \"unshare\", \"unsquashfs\", \"unzip\", \"update-alternatives\", \"uudecode\",\n \"uuencode\", \"vagrant\", \"varnishncsa\", \"view\", \"vigr\", \"vim\", \"vimdiff\", \"vipw\", \"w3m\", \"watch\",\n \"wc\", \"wget\", \"whiptail\", \"xargs\", \"xdotool\", \"xmodmap\", \"xmore\", \"xxd\", \"xz\", \"yash\", \"zsh\",\n \"zsoelim\"\n ) or \n process.name == \"ip\" and (\n (process.args == \"-force\" and process.args in (\"-batch\", \"-b\")) or (process.args == \"exec\")\n )\n)\n", "references": ["https://gtfobins.github.io/#+suid", "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": false, "name": "process.group.id", "type": 
"unknown"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.real_group.id", "type": "keyword"}, {"ecs": true, "name": "process.real_user.id", "type": "keyword"}, {"ecs": true, "name": "process.user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "28eb3afe-131d-48b0-a8fc-9784f3d54f3c", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.001", "name": "Setuid and Setgid", "reference": "https://attack.mitre.org/techniques/T1548/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "28eb3afe-131d-48b0-a8fc-9784f3d54f3c_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/28f6f34b-8e16-487a-b5fd-9d22eb903db8.json b/packages/security_detection_engine/kibana/security_rule/28f6f34b-8e16-487a-b5fd-9d22eb903db8.json
deleted file mode 100644
index 80c56f1e2d5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/28f6f34b-8e16-487a-b5fd-9d22eb903db8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors the creation/alteration of a shell configuration file. Unix systems use shell configuration files to set environment variables, create aliases, and customize the user's environment. Adversaries may modify or add a shell configuration file to execute malicious code and gain persistence in the system. This behavior is consistent with the Kaiji malware family.", "false_positives": ["Legitimate user shell modification activity."], "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Shell Configuration Creation or Modification", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and file.path : (\n // system-wide configurations\n \"/etc/profile\", \"/etc/profile.d/*\", \"/etc/bash.bashrc\", \"/etc/bash.bash_logout\", \"/etc/zsh/*\",\n \"/etc/csh.cshrc\", \"/etc/csh.login\", \"/etc/fish/config.fish\", \"/etc/ksh.kshrc\",\n // root and user configurations\n \"/home/*/.profile\", \"/home/*/.bashrc\", \"/home/*/.bash_login\", \"/home/*/.bash_logout\", \"/home/*/.bash_profile\",\n \"/root/.profile\", \"/root/.bashrc\", \"/root/.bash_login\", \"/root/.bash_logout\", \"/root/.bash_profile\",\n \"/home/*/.zprofile\", \"/home/*/.zshrc\", \"/root/.zprofile\", \"/root/.zshrc\",\n \"/home/*/.cshrc\", \"/home/*/.login\", \"/home/*/.logout\", \"/root/.cshrc\", \"/root/.login\", \"/root/.logout\",\n \"/home/*/.config/fish/config.fish\", \"/root/.config/fish/config.fish\",\n \"/home/*/.kshrc\", \"/root/.kshrc\"\n) and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", 
\"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/sbin/adduser\", \"/usr/sbin/useradd\", \"/usr/local/bin/dockerd\",\n \"/usr/sbin/gdm\", \"/usr/bin/unzip\", \"/usr/bin/gnome-shell\", \"/sbin/mkhomedir_helper\", \"/usr/sbin/sshd\",\n \"/opt/puppetlabs/puppet/bin/ruby\", \"/usr/bin/xfce4-session\", \"/usr/libexec/oddjob/mkhomedir\", \"/sbin/useradd\",\n \"/usr/lib/systemd/systemd\", \"/usr/sbin/crond\", \"/usr/bin/pamac-daemon\", \"/usr/sbin/mkhomedir_helper\",\n \"/opt/pbis/sbin/lwsmd\", \"/usr/sbin/oddjobd\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\",\n \"/usr/libexec/platform-python*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": 
true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "28f6f34b-8e16-487a-b5fd-9d22eb903db8", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.004", "name": "Unix Shell Configuration Modification", "reference": "https://attack.mitre.org/techniques/T1546/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "28f6f34b-8e16-487a-b5fd-9d22eb903db8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/28f6f34b-8e16-487a-b5fd-9d22eb903db8_1.json b/packages/security_detection_engine/kibana/security_rule/28f6f34b-8e16-487a-b5fd-9d22eb903db8_1.json
deleted file mode 100644
index e6d1dcc2266..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/28f6f34b-8e16-487a-b5fd-9d22eb903db8_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors the creation/alteration of a shell configuration by a previously unknown process executable using the new terms rule type. Unix systems use shell configuration files to set environment variables, create aliases, and customize the user's environment. Adversaries may modify or add a shell configuration file to execute malicious code and gain persistence in the system. This behavior is consistent with the Kaiji malware family.", "false_positives": ["Legitimate user shell modification activity."], "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Shell Configuration Modification", "new_terms_fields": ["host.id", "user.id", "process.executable"], "query": "event.category:file and host.os.type:linux and\nevent.action:(creation or file_create_event or rename or file_rename_event) and file.path:(\n \"/etc/profile\" or \"/etc/profile.local\" or \"/etc/bashrc\" or \"/etc/bash.bashrc\" or \"/etc/bash.bashrc.local\" or\n \"/etc/zshenv\" or \"/etc/zprofile\" or \"/etc/zlogin\" or \"/etc/zlogout\" or \"/root/.profile\" or \"/root/.bash_logout\" or\n \"/root/.bashrc\" or \"/root/.bash_login\" or /etc/profile.d/* or /home/*/.profile or /home/*/.bash_logout or\n /home/*/.bashrc or /home/*/.bash_login\n) and not (\n (process.executable: (\n \"/bin/dpkg\" or \"/usr/bin/dpkg\" or \"/bin/useradd\" or \"/usr/sbin/useradd\" or \"/bin/adduser\" or \"/usr/sbin/adduser\" or\n \"/bin/dockerd\" or \"/usr/bin/dockerd\" or \"/bin/microdnf\" or \"/usr/bin/microdnf\" or \"/bin/rpm\" or \"/usr/bin/rpm\" or\n \"/bin/snapd\" or \"/usr/bin/snapd\" or \"/bin/yum\" or \"/usr/bin/yum\" or \"/bin/dnf\" or \"/usr/bin/dnf\" or \"/bin/podman\" or\n \"/usr/bin/podman\" or \"/bin/dnf-automatic\" or \"/usr/bin/dnf-automatic\" or \"/bin/pacman\" or \"/usr/bin/pacman\"\n )\n) or\n (file.extension:(\"swp\" or 
\"swpx\")) or\n (process.executable:(\"/bin/sed\" or \"/usr/bin/sed\") and file.name:sed*) or\n (process.executable:(\"/bin/perl\" or \"/usr/bin/perl\") and file.name:e2scrub_all.tmp*)\n)\n", "references": ["https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "28f6f34b-8e16-487a-b5fd-9d22eb903db8", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.004", "name": "Unix Shell Configuration Modification", "reference": "https://attack.mitre.org/techniques/T1546/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "28f6f34b-8e16-487a-b5fd-9d22eb903db8_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/28f6f34b-8e16-487a-b5fd-9d22eb903db8_2.json b/packages/security_detection_engine/kibana/security_rule/28f6f34b-8e16-487a-b5fd-9d22eb903db8_2.json
deleted file mode 100644
index 457a930b9e8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/28f6f34b-8e16-487a-b5fd-9d22eb903db8_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors the creation/alteration of a shell configuration file. Unix systems use shell configuration files to set environment variables, create aliases, and customize the user's environment. Adversaries may modify or add a shell configuration file to execute malicious code and gain persistence in the system. This behavior is consistent with the Kaiji malware family.", "false_positives": ["Legitimate user shell modification activity."], "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Shell Configuration Creation or Modification", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and file.path : (\n // system-wide configurations\n \"/etc/profile\", \"/etc/profile.d/*\", \"/etc/bash.bashrc\", \"/etc/zsh/*\",\n \"/etc/csh.cshrc\", \"/etc/csh.login\", \"/etc/fish/config.fish\", \"/etc/ksh.kshrc\",\n // root and user configurations\n \"/home/*/.profile\", \"/home/*/.bashrc\", \"/home/*/.bash_login\", \"/home/*/.bash_logout\",\n \"/root/.profile\", \"/root/.bashrc\", \"/root/.bash_login\", \"/root/.bash_logout\",\n \"/home/*/.zprofile\", \"/home/*/.zshrc\", \"/root/.zprofile\", \"/root/.zshrc\",\n \"/home/*/.cshrc\", \"/home/*/.login\", \"/home/*/.logout\", \"/root/.cshrc\", \"/root/.login\", \"/root/.logout\",\n \"/home/*/.config/fish/config.fish\", \"/root/.config/fish/config.fish\",\n \"/home/*/.kshrc\", \"/root/.kshrc\"\n) and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", 
\"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/sbin/adduser\", \"/usr/sbin/useradd\", \"/usr/local/bin/dockerd\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "28f6f34b-8e16-487a-b5fd-9d22eb903db8", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.004", "name": "Unix Shell Configuration Modification", "reference": "https://attack.mitre.org/techniques/T1546/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "28f6f34b-8e16-487a-b5fd-9d22eb903db8_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/28f6f34b-8e16-487a-b5fd-9d22eb903db8_3.json b/packages/security_detection_engine/kibana/security_rule/28f6f34b-8e16-487a-b5fd-9d22eb903db8_3.json deleted file mode 100644 index 403c14f4240..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/28f6f34b-8e16-487a-b5fd-9d22eb903db8_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors the creation/alteration of a shell configuration file. Unix systems use shell configuration files to set environment variables, create aliases, and customize the user's environment. Adversaries may modify or add a shell configuration file to execute malicious code and gain persistence in the system. This behavior is consistent with the Kaiji malware family.", "false_positives": ["Legitimate user shell modification activity."], "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Shell Configuration Creation or Modification", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and file.path : (\n // system-wide configurations\n \"/etc/profile\", \"/etc/profile.d/*\", \"/etc/bash.bashrc\", \"/etc/bash.bash_logout\", \"/etc/zsh/*\",\n \"/etc/csh.cshrc\", \"/etc/csh.login\", \"/etc/fish/config.fish\", \"/etc/ksh.kshrc\",\n // root and user configurations\n \"/home/*/.profile\", \"/home/*/.bashrc\", \"/home/*/.bash_login\", \"/home/*/.bash_logout\", \"/home/*/.bash_profile\",\n \"/root/.profile\", \"/root/.bashrc\", \"/root/.bash_login\", \"/root/.bash_logout\", \"/root/.bash_profile\",\n \"/home/*/.zprofile\", \"/home/*/.zshrc\", \"/root/.zprofile\", \"/root/.zshrc\",\n \"/home/*/.cshrc\", \"/home/*/.login\", \"/home/*/.logout\", \"/root/.cshrc\", \"/root/.login\", \"/root/.logout\",\n \"/home/*/.config/fish/config.fish\", \"/root/.config/fish/config.fish\",\n \"/home/*/.kshrc\", \"/root/.kshrc\"\n) and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", 
\"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/sbin/adduser\", \"/usr/sbin/useradd\", \"/usr/local/bin/dockerd\",\n \"/usr/sbin/gdm\", \"/usr/bin/unzip\", \"/usr/bin/gnome-shell\", \"/sbin/mkhomedir_helper\", \"/usr/sbin/sshd\",\n \"/opt/puppetlabs/puppet/bin/ruby\", \"/usr/bin/xfce4-session\", \"/usr/libexec/oddjob/mkhomedir\", \"/sbin/useradd\",\n \"/usr/lib/systemd/systemd\", \"/usr/sbin/crond\", \"/usr/bin/pamac-daemon\", \"/usr/sbin/mkhomedir_helper\",\n \"/opt/pbis/sbin/lwsmd\", \"/usr/sbin/oddjobd\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\",\n \"/usr/libexec/platform-python*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": 
true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "28f6f34b-8e16-487a-b5fd-9d22eb903db8", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.004", "name": "Unix Shell Configuration Modification", "reference": "https://attack.mitre.org/techniques/T1546/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "28f6f34b-8e16-487a-b5fd-9d22eb903db8_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/28f6f34b-8e16-487a-b5fd-9d22eb903db8_4.json b/packages/security_detection_engine/kibana/security_rule/28f6f34b-8e16-487a-b5fd-9d22eb903db8_4.json deleted file mode 100644 index db72ccdd12b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/28f6f34b-8e16-487a-b5fd-9d22eb903db8_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors the creation/alteration of a shell configuration file. Unix systems use shell configuration files to set environment variables, create aliases, and customize the user's environment. Adversaries may modify or add a shell configuration file to execute malicious code and gain persistence in the system. This behavior is consistent with the Kaiji malware family.", "false_positives": ["Legitimate user shell modification activity."], "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Shell Configuration Creation or Modification", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and file.path : (\n // system-wide configurations\n \"/etc/profile\", \"/etc/profile.d/*\", \"/etc/bash.bashrc\", \"/etc/bash.bash_logout\", \"/etc/zsh/*\",\n \"/etc/csh.cshrc\", \"/etc/csh.login\", \"/etc/fish/config.fish\", \"/etc/ksh.kshrc\",\n // root and user configurations\n \"/home/*/.profile\", \"/home/*/.bashrc\", \"/home/*/.bash_login\", \"/home/*/.bash_logout\", \"/home/*/.bash_profile\",\n \"/root/.profile\", \"/root/.bashrc\", \"/root/.bash_login\", \"/root/.bash_logout\", \"/root/.bash_profile\",\n \"/home/*/.zprofile\", \"/home/*/.zshrc\", \"/root/.zprofile\", \"/root/.zshrc\",\n \"/home/*/.cshrc\", \"/home/*/.login\", \"/home/*/.logout\", \"/root/.cshrc\", \"/root/.login\", \"/root/.logout\",\n \"/home/*/.config/fish/config.fish\", \"/root/.config/fish/config.fish\",\n \"/home/*/.kshrc\", \"/root/.kshrc\"\n) and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", 
\"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/sbin/adduser\", \"/usr/sbin/useradd\", \"/usr/local/bin/dockerd\",\n \"/usr/sbin/gdm\", \"/usr/bin/unzip\", \"/usr/bin/gnome-shell\", \"/sbin/mkhomedir_helper\", \"/usr/sbin/sshd\",\n \"/opt/puppetlabs/puppet/bin/ruby\", \"/usr/bin/xfce4-session\", \"/usr/libexec/oddjob/mkhomedir\", \"/sbin/useradd\",\n \"/usr/lib/systemd/systemd\", \"/usr/sbin/crond\", \"/usr/bin/pamac-daemon\", \"/usr/sbin/mkhomedir_helper\",\n \"/opt/pbis/sbin/lwsmd\", \"/usr/sbin/oddjobd\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\",\n \"/usr/libexec/platform-python*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/", "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": 
"keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "28f6f34b-8e16-487a-b5fd-9d22eb903db8", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.004", "name": "Unix Shell Configuration Modification", "reference": "https://attack.mitre.org/techniques/T1546/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "28f6f34b-8e16-487a-b5fd-9d22eb903db8_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469.json b/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469.json deleted file mode 100644 index d066562e3e6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.", "false_positives": ["A security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-30m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Security Group Configuration Change Detection", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or\nCreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or\nRevokeSecurityGroupIngress) and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "29052c19-ff3e-42fd-8363-7be14d7c5469", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS 
EC2", "Use Case: Network Security Monitoring", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "29052c19-ff3e-42fd-8363-7be14d7c5469", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_102.json b/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_102.json deleted file mode 100644 index 8e8405bd3a1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.", "false_positives": ["A security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-30m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Security Group Configuration Change Detection", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or\nCreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or\nRevokeSecurityGroupIngress) and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "29052c19-ff3e-42fd-8363-7be14d7c5469", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Network Security"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "29052c19-ff3e-42fd-8363-7be14d7c5469_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_103.json b/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_103.json deleted file mode 100644 index 9381f3e3be9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.", "false_positives": ["A security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-30m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Security Group Configuration Change Detection", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or\nCreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or\nRevokeSecurityGroupIngress) and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "29052c19-ff3e-42fd-8363-7be14d7c5469", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security 
Monitoring", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "29052c19-ff3e-42fd-8363-7be14d7c5469_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_104.json b/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_104.json deleted file mode 100644 index d31f8b0c950..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.", "false_positives": ["A security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-30m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Security Group Configuration Change Detection", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or\nCreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or\nRevokeSecurityGroupIngress) and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "29052c19-ff3e-42fd-8363-7be14d7c5469", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security 
Monitoring", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "29052c19-ff3e-42fd-8363-7be14d7c5469_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_205.json b/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_205.json deleted file mode 100644 index d32342be8c6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.", "false_positives": ["A security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-30m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Security Group Configuration Change Detection", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or\nCreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or\nRevokeSecurityGroupIngress) and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "29052c19-ff3e-42fd-8363-7be14d7c5469", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security 
Monitoring", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "29052c19-ff3e-42fd-8363-7be14d7c5469_205", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_206.json b/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_206.json deleted file mode 100644 index 374eef5b1d2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/29052c19-ff3e-42fd-8363-7be14d7c5469_206.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment.", "false_positives": ["A security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-30m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Security Group Configuration Change Detection", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or\nCreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or\nRevokeSecurityGroupIngress) and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "29052c19-ff3e-42fd-8363-7be14d7c5469", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS 
EC2", "Use Case: Network Security Monitoring", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "29052c19-ff3e-42fd-8363-7be14d7c5469_206", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51.json b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51.json deleted file mode 100644 index f2d97a88fba..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Windows Directory Masquerading", "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n", "references": ["https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege 
Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 114}, "id": "290aca65-e94d-403b-ba0f-62f320e63f51", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_104.json b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_104.json deleted file mode 100644 index 61c2f46777e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Windows Directory Masquerading", "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n", "references": ["https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 104}, "id": "290aca65-e94d-403b-ba0f-62f320e63f51_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_105.json b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_105.json deleted file mode 100644 index 771d3702da4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Windows Directory Masquerading", "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n", "references": ["https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 105}, "id": "290aca65-e94d-403b-ba0f-62f320e63f51_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_106.json b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_106.json
deleted file mode 100644
index f877b2d293b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Windows Directory Masquerading", "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n", "references": ["https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": 
"https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "290aca65-e94d-403b-ba0f-62f320e63f51_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_107.json b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_107.json
deleted file mode 100644
index 18c06d32d6a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Windows Directory Masquerading", "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n", "references": ["https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": 
"https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "290aca65-e94d-403b-ba0f-62f320e63f51_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_108.json b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_108.json
deleted file mode 100644
index ff2e4630ee3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Windows Directory Masquerading", "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n", "references": ["https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account 
Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}, {"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "290aca65-e94d-403b-ba0f-62f320e63f51_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_109.json b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_109.json
deleted file mode 100644
index 26d206ca557..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Windows Directory Masquerading", "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n", "references": ["https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": 
[{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}, {"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "290aca65-e94d-403b-ba0f-62f320e63f51_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_110.json b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_110.json
deleted file mode 100644
index fa2cd3083e2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Windows Directory Masquerading", "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n", "references": ["https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": 
"https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}, {"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "290aca65-e94d-403b-ba0f-62f320e63f51_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_111.json b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_111.json
deleted file mode 100644
index 7c5ca984f7c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Windows Directory Masquerading", "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n", "references": ["https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": 
"https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}, {"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "290aca65-e94d-403b-ba0f-62f320e63f51_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_112.json b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_112.json
deleted file mode 100644
index 60d199a88da..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_112.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Windows Directory Masquerading", "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n", "references": ["https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": 
"https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}, {"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "290aca65-e94d-403b-ba0f-62f320e63f51_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_113.json b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_113.json deleted file mode 100644 index 99b72195e90..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_113.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Windows Directory Masquerading", "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n", "references": ["https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": 
"https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "290aca65-e94d-403b-ba0f-62f320e63f51_113", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_114.json b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_114.json deleted file mode 100644 index 9f77e580a50..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_114.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Windows Directory Masquerading", "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n", "references": ["https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege 
Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 114}, "id": "290aca65-e94d-403b-ba0f-62f320e63f51_114", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_314.json b/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_314.json deleted file mode 100644 index c7492ce1aea..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/290aca65-e94d-403b-ba0f-62f320e63f51_314.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Windows Directory Masquerading", "note": "## Triage and analysis\n\n### Investigating UAC Bypass Attempt via Windows Directory Masquerading\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nThis rule identifies an attempt to bypass User Account Control (UAC) by masquerading as a Microsoft trusted Windows directory. Attackers may bypass UAC to stealthily execute code with elevated permissions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze any suspicious spawned processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"C:\\\\Windows \\\\system32\\\\*.exe\", \"C:\\\\Windows \\\\SysWOW64\\\\*.exe\")\n", "references": ["https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "290aca65-e94d-403b-ba0f-62f320e63f51", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": 
"https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 314}, "id": "290aca65-e94d-403b-ba0f-62f320e63f51_314", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086.json b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086.json deleted file mode 100644 index 4e18f79294d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", "false_positives": ["Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Web Shell Detection: Script Process Child of Common Web Processes", "note": "## Triage and analysis\n\n### Investigating Web Shell Detection: Script Process Child of Common Web Processes\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server.\n\nThis rule detects a web server process spawning script and command-line interface programs, potentially indicating attackers executing commands using the web shell.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any other spawned child processes.\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the 
following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and\n process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"wmic.exe\", \"wscript.exe\") and\n not\n (\n process.parent.name : (\"php.exe\", \"httpd.exe\") and process.name : \"cmd.exe\" and\n process.command_line : (\n \"cmd.exe /c mode CON\",\n \"cmd.exe /s /c \\\"mode CON\\\"\",\n \"cmd.exe /c \\\"mode\\\"\",\n \"cmd.exe /s /c \\\"tput colors 2>&1\\\"\"\n )\n )\n", "references": ["https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "2917d495-59bd-4250-b395-c29409b76086", "setup": "## Setup\n\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.003", "name": "Web Shell", "reference": "https://attack.mitre.org/techniques/T1505/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}, {"id": "T1059.005", "name": "Visual Basic", 
"reference": "https://attack.mitre.org/techniques/T1059/005/"}]}, {"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 314}, "id": "2917d495-59bd-4250-b395-c29409b76086", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_104.json b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_104.json deleted file mode 100644 index f1f0c58ea3f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", "false_positives": ["Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Web Shell Detection: Script Process Child of Common Web Processes", "note": "## Triage and analysis\n\n### Investigating Web Shell Detection: Script Process Child of Common Web Processes\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server.\n\nThis rule detects a web server process spawning script and command-line interface programs, potentially indicating attackers executing commands using the web shell.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any other spawned child processes.\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and 
addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and\n process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"wmic.exe\", \"wscript.exe\")\n", "references": ["https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "2917d495-59bd-4250-b395-c29409b76086", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.003", "name": "Web Shell", "reference": "https://attack.mitre.org/techniques/T1505/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "2917d495-59bd-4250-b395-c29409b76086_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_105.json b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_105.json deleted file mode 100644 index ddf7b93c59f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", "false_positives": ["Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Web Shell Detection: Script Process Child of Common Web Processes", "note": "## Triage and analysis\n\n### Investigating Web Shell Detection: Script Process Child of Common Web Processes\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server.\n\nThis rule detects a web server process spawning script and command-line interface programs, potentially indicating attackers executing commands using the web shell.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any other spawned child processes.\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and 
addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and\n process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"wmic.exe\", \"wscript.exe\")\n", "references": ["https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "2917d495-59bd-4250-b395-c29409b76086", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.003", "name": "Web Shell", "reference": "https://attack.mitre.org/techniques/T1505/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "2917d495-59bd-4250-b395-c29409b76086_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_106.json b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_106.json deleted file mode 100644 index aadd190f620..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", "false_positives": ["Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Web Shell Detection: Script Process Child of Common Web Processes", "note": "## Triage and analysis\n\n### Investigating Web Shell Detection: Script Process Child of Common Web Processes\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server.\n\nThis rule detects a web server process spawning script and command-line interface programs, potentially indicating attackers executing commands using the web shell.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any other spawned child processes.\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and 
addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and\n process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"wmic.exe\", \"wscript.exe\")\n", "references": ["https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "2917d495-59bd-4250-b395-c29409b76086", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: 
Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.003", "name": "Web Shell", "reference": "https://attack.mitre.org/techniques/T1505/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "2917d495-59bd-4250-b395-c29409b76086_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_107.json b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_107.json deleted file mode 100644 index ee3070ca6c0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", "false_positives": ["Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Web Shell Detection: Script Process Child of Common Web Processes", "note": "## Triage and analysis\n\n### Investigating Web Shell Detection: Script Process Child of Common Web Processes\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server.\n\nThis rule detects a web server process spawning script and command-line interface programs, potentially indicating attackers executing commands using the web shell.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any other spawned child processes.\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and 
addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and\n process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"wmic.exe\", \"wscript.exe\")\n", "references": ["https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "2917d495-59bd-4250-b395-c29409b76086", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Tactic: Execution", "Resources: Investigation Guide", 
"Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.003", "name": "Web Shell", "reference": "https://attack.mitre.org/techniques/T1505/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}, {"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "2917d495-59bd-4250-b395-c29409b76086_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_108.json b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_108.json
deleted file mode 100644
index 6cd2bd48aa9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", "false_positives": ["Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Web Shell Detection: Script Process Child of Common Web Processes", "note": "## Triage and analysis\n\n### Investigating Web Shell Detection: Script Process Child of Common Web Processes\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server.\n\nThis rule detects a web server process spawning script and command-line interface programs, potentially indicating attackers executing commands using the web shell.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any other spawned child processes.\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and 
addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and\n process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"wmic.exe\", \"wscript.exe\")\n", "references": ["https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "2917d495-59bd-4250-b395-c29409b76086", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": 
"high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.003", "name": "Web Shell", "reference": "https://attack.mitre.org/techniques/T1505/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}, {"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "2917d495-59bd-4250-b395-c29409b76086_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_109.json b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_109.json
deleted file mode 100644
index 98bf520debe..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", "false_positives": ["Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Web Shell Detection: Script Process Child of Common Web Processes", "note": "## Triage and analysis\n\n### Investigating Web Shell Detection: Script Process Child of Common Web Processes\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server.\n\nThis rule detects a web server process spawning script and command-line interface programs, potentially indicating attackers executing commands using the web shell.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any other spawned child processes.\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact 
external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and\n process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"wmic.exe\", \"wscript.exe\") and\n not \n (\n process.parent.name : (\"php.exe\", \"httpd.exe\") and process.name : \"cmd.exe\" and\n process.command_line : (\n \"cmd.exe /c mode CON\",\n \"cmd.exe /s /c \\\"mode CON\\\"\",\n \"cmd.exe /c \\\"mode\\\"\",\n \"cmd.exe /s /c \\\"tput colors 2>&1\\\"\"\n )\n )\n", "references": ["https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "2917d495-59bd-4250-b395-c29409b76086", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will 
not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.003", "name": "Web Shell", "reference": "https://attack.mitre.org/techniques/T1505/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}, {"id": "T1047", "name": "Windows Management 
Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "2917d495-59bd-4250-b395-c29409b76086_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_110.json b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_110.json
deleted file mode 100644
index 0a5db4ac9b8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", "false_positives": ["Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Web Shell Detection: Script Process Child of Common Web Processes", "note": "## Triage and analysis\n\n### Investigating Web Shell Detection: Script Process Child of Common Web Processes\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server.\n\nThis rule detects a web server process spawning script and command-line interface programs, potentially indicating attackers executing commands using the web shell.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any other spawned child processes.\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact 
external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and\n process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"wmic.exe\", \"wscript.exe\") and\n not \n (\n process.parent.name : (\"php.exe\", \"httpd.exe\") and process.name : \"cmd.exe\" and\n process.command_line : (\n \"cmd.exe /c mode CON\",\n \"cmd.exe /s /c \\\"mode CON\\\"\",\n \"cmd.exe /c \\\"mode\\\"\",\n \"cmd.exe /s /c \\\"tput colors 2>&1\\\"\"\n )\n )\n", "references": ["https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "2917d495-59bd-4250-b395-c29409b76086", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents 
will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.003", "name": "Web Shell", "reference": "https://attack.mitre.org/techniques/T1505/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}, {"id": "T1047", "name": "Windows Management 
Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "2917d495-59bd-4250-b395-c29409b76086_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_111.json b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_111.json
deleted file mode 100644
index c3e07bcc60c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", "false_positives": ["Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Web Shell Detection: Script Process Child of Common Web Processes", "note": "## Triage and analysis\n\n### Investigating Web Shell Detection: Script Process Child of Common Web Processes\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server.\n\nThis rule detects a web server process spawning script and command-line interface programs, potentially indicating attackers executing commands using the web shell.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any other spawned child processes.\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to 
contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and\n process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"wmic.exe\", \"wscript.exe\") and\n not \n (\n process.parent.name : (\"php.exe\", \"httpd.exe\") and process.name : \"cmd.exe\" and\n process.command_line : (\n \"cmd.exe /c mode CON\",\n \"cmd.exe /s /c \\\"mode CON\\\"\",\n \"cmd.exe /c \\\"mode\\\"\",\n \"cmd.exe /s /c \\\"tput colors 2>&1\\\"\"\n )\n )\n", "references": ["https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "2917d495-59bd-4250-b395-c29409b76086", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents 
will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.003", "name": "Web Shell", "reference": "https://attack.mitre.org/techniques/T1505/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}, {"id": "T1047", "name": "Windows Management 
Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "2917d495-59bd-4250-b395-c29409b76086_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_212.json b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_212.json
deleted file mode 100644
index 3ba1abf098d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_212.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", "false_positives": ["Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Web Shell Detection: Script Process Child of Common Web Processes", "note": "## Triage and analysis\n\n### Investigating Web Shell Detection: Script Process Child of Common Web Processes\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server.\n\nThis rule detects a web server process spawning script and command-line interface programs, potentially indicating attackers executing commands using the web shell.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any other spawned child processes.\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the 
following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and\n process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"wmic.exe\", \"wscript.exe\") and\n not\n (\n process.parent.name : (\"php.exe\", \"httpd.exe\") and process.name : \"cmd.exe\" and\n process.command_line : (\n \"cmd.exe /c mode CON\",\n \"cmd.exe /s /c \\\"mode CON\\\"\",\n \"cmd.exe /c \\\"mode\\\"\",\n \"cmd.exe /s /c \\\"tput colors 2>&1\\\"\"\n )\n )\n", "references": ["https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "2917d495-59bd-4250-b395-c29409b76086", "setup": "## Setup\n\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.003", "name": "Web Shell", "reference": "https://attack.mitre.org/techniques/T1505/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": 
"https://attack.mitre.org/techniques/T1059/005/"}]}, {"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 212}, "id": "2917d495-59bd-4250-b395-c29409b76086_212", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_313.json b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_313.json
deleted file mode 100644
index 2323cb96efe..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_313.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", "false_positives": ["Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Web Shell Detection: Script Process Child of Common Web Processes", "note": "## Triage and analysis\n\n### Investigating Web Shell Detection: Script Process Child of Common Web Processes\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server.\n\nThis rule detects a web server process spawning script and command-line interface programs, potentially indicating attackers executing commands using the web shell.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any other spawned child processes.\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the 
following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and\n process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"wmic.exe\", \"wscript.exe\") and\n not\n (\n process.parent.name : (\"php.exe\", \"httpd.exe\") and process.name : \"cmd.exe\" and\n process.command_line : (\n \"cmd.exe /c mode CON\",\n \"cmd.exe /s /c \\\"mode CON\\\"\",\n \"cmd.exe /c \\\"mode\\\"\",\n \"cmd.exe /s /c \\\"tput colors 2>&1\\\"\"\n )\n )\n", "references": ["https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "2917d495-59bd-4250-b395-c29409b76086", "setup": "## Setup\n\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.003", "name": "Web Shell", "reference": "https://attack.mitre.org/techniques/T1505/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": 
"https://attack.mitre.org/techniques/T1059/005/"}]}, {"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 313}, "id": "2917d495-59bd-4250-b395-c29409b76086_313", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_314.json b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_314.json
deleted file mode 100644
index 358571d6062..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_314.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", "false_positives": ["Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Web Shell Detection: Script Process Child of Common Web Processes", "note": "## Triage and analysis\n\n### Investigating Web Shell Detection: Script Process Child of Common Web Processes\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server.\n\nThis rule detects a web server process spawning script and command-line interface programs, potentially indicating attackers executing commands using the web shell.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any other spawned child processes.\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the 
following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and\n process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"wmic.exe\", \"wscript.exe\") and\n not\n (\n process.parent.name : (\"php.exe\", \"httpd.exe\") and process.name : \"cmd.exe\" and\n process.command_line : (\n \"cmd.exe /c mode CON\",\n \"cmd.exe /s /c \\\"mode CON\\\"\",\n \"cmd.exe /c \\\"mode\\\"\",\n \"cmd.exe /s /c \\\"tput colors 2>&1\\\"\"\n )\n )\n", "references": ["https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "2917d495-59bd-4250-b395-c29409b76086", "setup": "## Setup\n\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.003", "name": "Web Shell", "reference": "https://attack.mitre.org/techniques/T1505/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}, {"id": "T1059.005", "name": "Visual Basic", 
"reference": "https://attack.mitre.org/techniques/T1059/005/"}]}, {"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 314}, "id": "2917d495-59bd-4250-b395-c29409b76086_314", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_415.json b/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_415.json
deleted file mode 100644
index d586e363f1f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2917d495-59bd-4250-b395-c29409b76086_415.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", "false_positives": ["Security audits, maintenance, and network administrative scripts may trigger this alert when run under web processes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Web Shell Detection: Script Process Child of Common Web Processes", "note": "## Triage and analysis\n\n### Investigating Web Shell Detection: Script Process Child of Common Web Processes\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a web script that is placed on an openly accessible web server to allow an adversary to use the web server as a gateway into a network. 
A web shell may provide a set of functions to execute or a command-line interface on the system that hosts the web server.\n\nThis rule detects a web server process spawning script and command-line interface programs, potentially indicating attackers executing commands using the web shell.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any other spawned child processes.\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"w3wp.exe\", \"httpd.exe\", \"nginx.exe\", \"php.exe\", \"php-cgi.exe\", \"tomcat.exe\") and\n process.name : (\"cmd.exe\", \"cscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"wmic.exe\", \"wscript.exe\") and\n not\n (\n process.parent.name : (\"php.exe\", \"httpd.exe\") and process.name : \"cmd.exe\" and\n process.command_line : (\n \"cmd.exe /c mode CON\",\n \"cmd.exe /s /c \\\"mode CON\\\"\",\n \"cmd.exe /c \\\"mode\\\"\",\n \"cmd.exe /s /c \\\"tput colors 2>&1\\\"\"\n )\n )\n", "references": ["https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "2917d495-59bd-4250-b395-c29409b76086", 
"severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.003", "name": "Web Shell", "reference": "https://attack.mitre.org/techniques/T1505/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}, {"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 415}, "id": "2917d495-59bd-4250-b395-c29409b76086_415", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4.json b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4.json
deleted file mode 100644
index 2bc36f6fc99..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"winlog.event_data.CallerProcessName": {"case_insensitive": true, "value": "C:\\\\Program Files (x86)\\\\*.exe"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"winlog.event_data.CallerProcessName": {"case_insensitive": true, "value": "C:\\\\Program Files\\\\*.exe"}}}}], "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Enumeration of Privileged Local Groups Membership", "new_terms_fields": ["host.id", "winlog.event_data.SubjectUserName", "winlog.event_data.CallerProcessName"], "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE 
'%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:windows and event.category:iam and event.action:user-member-enumerated and \n (\n group.name:(*Admin* or \"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\" or \"S-1-5-32-555\")\n ) and \n not (\n winlog.event_data.SubjectUserName: *$ or\n winlog.event_data.SubjectUserSid: (\"S-1-5-19\" or \"S-1-5-20\") or \n winlog.event_data.CallerProcessName:(\"-\" or \n C\\:\\\\Windows\\\\System32\\\\VSSVC.exe or \n C\\:\\\\Windows\\\\System32\\\\SearchIndexer.exe or \n C\\:\\\\Windows\\\\System32\\\\CompatTelRunner.exe or \n C\\:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe or\n C\\:\\\\Windows\\\\System32\\\\net1.exe or \n C\\:\\\\Windows\\\\System32\\\\svchost.exe or \n C\\:\\\\Windows\\\\System32\\\\Netplwiz.exe or \n C\\:\\\\Windows\\\\System32\\\\msiexec.exe or\n C\\:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe or\n C\\:\\\\Windows\\\\System32\\\\RuntimeBroker.exe or\n C\\:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe or\n C\\:\\\\Windows\\\\System32\\\\SrTasks.exe or\n C\\:\\\\Windows\\\\System32\\\\diskshadow.exe or\n C\\:\\\\Windows\\\\System32\\\\dfsrs.exe or\n C\\:\\\\Windows\\\\System32\\\\vssadmin.exe or\n C\\:\\\\Windows\\\\System32\\\\dllhost.exe or\n C\\:\\\\Windows\\\\System32\\\\mmc.exe or\n C\\:\\\\Windows\\\\System32\\\\SettingSyncHost.exe or\n C\\:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe or\n C\\:\\\\Windows\\\\System32\\\\wsmprovhost.exe or\n C\\:\\\\Windows\\\\System32\\\\mstsc.exe or\n C\\:\\\\Windows\\\\System32\\\\esentutl.exe or\n C\\:\\\\Windows\\\\System32\\\\RecoveryDrive.exe or\n 
C\\:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe or\n C\\:\\\\Windows\\\\SysWOW64\\\\msiexec.exe or\n C\\:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe or\n C\\:\\\\Windows\\\\Temp\\\\rubrik_vmware*\\\\snaptool.exe or\n C\\:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe or\n C\\:\\\\WindowsAzure\\\\*WaAppAgent.exe or\n C\\:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe\n )\n )\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "group.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallerProcessName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetSid", "type": "unknown"}], "risk_score": 47, "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4", "setup": "## Setup\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to 
work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 312}, "id": "291a0de9-937a-4189-94c0-3e847c8b13e4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_105.json b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_105.json
deleted file mode 100644
index 9278bc5478c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Privileged Local Groups Membership", "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate 
`event.ingested` to @timestamp for this rule to work.", "query": "iam where host.os.type == \"windows\" and event.action == \"user-member-enumerated\" and\n\n /* excluding machine account */\n not winlog.event_data.SubjectUserName: (\"*$\", \"LOCAL SERVICE\", \"NETWORK SERVICE\") and\n\n /* noisy and usual legit processes excluded */\n not winlog.event_data.CallerProcessName:\n (\"-\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchIndexer.exe\",\n \"?:\\\\Windows\\\\System32\\\\CompatTelRunner.exe\",\n \"?:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe\",\n \"?:\\\\Windows\\\\System32\\\\net1.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\Netplwiz.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\SrTasks.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\System32\\\\diskshadow.exe\",\n \"?:\\\\Windows\\\\System32\\\\dfsrs.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\WindowsAzure\\\\*\\\\WaAppAgent.exe\",\n \"?:\\\\Windows\\\\System32\\\\vssadmin.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\SettingSyncHost.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemSettingsAdminFlows.exe\",\n \"?:\\\\Windows\\\\Temp\\\\rubrik_vmware???\\\\snaptool.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\wsmprovhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\x3jobt3?.exe\",\n 
\"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\esentutl.exe\",\n \"?:\\\\Windows\\\\System32\\\\RecoveryDrive.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe\") and\n\n /* privileged local groups */\n (group.name:(\"*admin*\",\"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\",\"S-1-5-32-555\"))\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "group.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallerProcessName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetSid", "type": "unknown"}], "risk_score": 47, "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4", "setup": "The 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the event used in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": 
"Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "291a0de9-937a-4189-94c0-3e847c8b13e4_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_106.json b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_106.json
deleted file mode 100644
index e80b57d85c9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Privileged Local Groups Membership", "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "iam where host.os.type == \"windows\" and event.action == \"user-member-enumerated\" and\n\n /* excluding machine account */\n not winlog.event_data.SubjectUserName: (\"*$\", \"LOCAL SERVICE\", \"NETWORK SERVICE\") and\n\n /* noisy and usual legit processes excluded */\n not winlog.event_data.CallerProcessName:\n (\"-\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchIndexer.exe\",\n \"?:\\\\Windows\\\\System32\\\\CompatTelRunner.exe\",\n \"?:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe\",\n \"?:\\\\Windows\\\\System32\\\\net1.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\Netplwiz.exe\",\n 
\"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\SrTasks.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\System32\\\\diskshadow.exe\",\n \"?:\\\\Windows\\\\System32\\\\dfsrs.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\WindowsAzure\\\\*\\\\WaAppAgent.exe\",\n \"?:\\\\Windows\\\\System32\\\\vssadmin.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\SettingSyncHost.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemSettingsAdminFlows.exe\",\n \"?:\\\\Windows\\\\Temp\\\\rubrik_vmware???\\\\snaptool.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\wsmprovhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\x3jobt3?.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\esentutl.exe\",\n \"?:\\\\Windows\\\\System32\\\\RecoveryDrive.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe\") and\n\n /* privileged local groups */\n (group.name:(\"*admin*\",\"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\",\"S-1-5-32-555\"))\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "group.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallerProcessName", "type": "unknown"}, 
{"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetSid", "type": "unknown"}], "risk_score": 47, "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4", "setup": "The 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the event used in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "291a0de9-937a-4189-94c0-3e847c8b13e4_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_107.json b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_107.json
deleted file mode 100644
index e14ca7847a3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Privileged Local Groups Membership", "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "iam where event.action == \"user-member-enumerated\" and\n\n /* excluding machine account */\n not winlog.event_data.SubjectUserName: (\"*$\", \"LOCAL SERVICE\", \"NETWORK SERVICE\") and\n\n /* noisy and usual legit processes excluded */\n not winlog.event_data.CallerProcessName:\n (\"-\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchIndexer.exe\",\n \"?:\\\\Windows\\\\System32\\\\CompatTelRunner.exe\",\n \"?:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe\",\n \"?:\\\\Windows\\\\System32\\\\net1.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\Netplwiz.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n 
\"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\SrTasks.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\System32\\\\diskshadow.exe\",\n \"?:\\\\Windows\\\\System32\\\\dfsrs.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\WindowsAzure\\\\*\\\\WaAppAgent.exe\",\n \"?:\\\\Windows\\\\System32\\\\vssadmin.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\SettingSyncHost.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemSettingsAdminFlows.exe\",\n \"?:\\\\Windows\\\\Temp\\\\rubrik_vmware???\\\\snaptool.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\wsmprovhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\x3jobt3?.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\esentutl.exe\",\n \"?:\\\\Windows\\\\System32\\\\RecoveryDrive.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe\") and\n\n /* privileged local groups */\n (group.name:(\"*admin*\",\"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\",\"S-1-5-32-555\"))\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "group.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallerProcessName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}, {"ecs": false, "name": 
"winlog.event_data.TargetSid", "type": "unknown"}], "risk_score": 47, "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4", "setup": "The 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the event used in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "291a0de9-937a-4189-94c0-3e847c8b13e4_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_108.json b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_108.json deleted file mode 100644 index d0144245129..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Privileged Local Groups Membership", "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "iam where event.action == \"user-member-enumerated\" and\n\n /* excluding machine account */\n not winlog.event_data.SubjectUserName: (\"*$\", \"LOCAL SERVICE\", \"NETWORK SERVICE\") and\n\n /* noisy and usual legit processes excluded */\n not winlog.event_data.CallerProcessName:\n (\"-\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchIndexer.exe\",\n \"?:\\\\Windows\\\\System32\\\\CompatTelRunner.exe\",\n \"?:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe\",\n \"?:\\\\Windows\\\\System32\\\\net1.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\Netplwiz.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n 
\"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\System32\\\\SrTasks.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\System32\\\\diskshadow.exe\",\n \"?:\\\\Windows\\\\System32\\\\dfsrs.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\WindowsAzure\\\\*\\\\WaAppAgent.exe\",\n \"?:\\\\Windows\\\\System32\\\\vssadmin.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\SettingSyncHost.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemSettingsAdminFlows.exe\",\n \"?:\\\\Windows\\\\Temp\\\\rubrik_vmware???\\\\snaptool.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\wsmprovhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\x3jobt3?.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\esentutl.exe\",\n \"?:\\\\Windows\\\\System32\\\\RecoveryDrive.exe\",\n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe\") and\n\n /* privileged local groups */\n (group.name:(\"*admin*\",\"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\",\"S-1-5-32-555\"))\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "group.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallerProcessName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}, {"ecs": false, "name": 
"winlog.event_data.TargetSid", "type": "unknown"}], "risk_score": 47, "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4", "setup": "The 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the event used in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "291a0de9-937a-4189-94c0-3e847c8b13e4_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_208.json b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_208.json deleted file mode 100644 index 3656419f5e8..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_208.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.", "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Enumeration of Privileged Local Groups Membership", "new_terms_fields": ["host.id", "winlog.event_data.SubjectUserName", "winlog.event_data.CallerProcessName"], "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "host.os.type:windows and event.category:iam and event.action:user-member-enumerated and \n (\n group.name:(*Admin* or \"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\" or \"S-1-5-32-555\")\n ) and \n not (winlog.event_data.SubjectUserName: (*$ or \"LOCAL SERVICE\" or \"NETWORK SERVICE\") or \n winlog.event_data.CallerProcessName:(\"-\" or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\VSSVC.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SearchIndexer.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CompatTelRunner.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\oobe\\\\\\\\msoobe.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\net1.exe or \n 
*\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Netplwiz.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CloudExperienceHostBroker.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SrTasks.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\diskshadow.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dfsrs.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vssadmin.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SettingSyncHost.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wsmprovhost.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\x64\\\\\\\\3\\\\\\\\x3jobt3?.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\esentutl.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RecoveryDrive.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesComputerName.exe or\n *\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe or\n *\\:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\SystemSettings.exe or\n *\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\rubrik_vmware???\\\\\\\\snaptool.exe or\n *\\:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe or\n ?\\:\\\\\\\\WindowsAzure\\\\\\\\*WaAppAgent.exe or\n ?\\:\\\\\\\\Program?Files?\\(x86\\)\\\\\\\\*.exe or\n ?\\:\\\\\\\\Program?Files\\\\\\\\*.exe or\n ?\\:\\\\\\\\$WINDOWS.~BT\\\\\\\\Sources\\\\\\\\*.exe\n )\n )\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": 
"event.category", "type": "keyword"}, {"ecs": true, "name": "group.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallerProcessName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetSid", "type": "unknown"}], "risk_score": 47, "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4", "setup": "The 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the event used in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 208}, "id": "291a0de9-937a-4189-94c0-3e847c8b13e4_208", "type": "security-rule"} \ No newline at 
end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_209.json b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_209.json
deleted file mode 100644
index f2aec16778c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_209.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.", "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Enumeration of Privileged Local Groups Membership", "new_terms_fields": ["host.id", "winlog.event_data.SubjectUserName", "winlog.event_data.CallerProcessName"], "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "host.os.type:windows and event.category:iam and event.action:user-member-enumerated and \n (\n group.name:(*Admin* or \"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\" or \"S-1-5-32-555\")\n ) and \n not (winlog.event_data.SubjectUserName: (*$ or \"LOCAL SERVICE\" or \"NETWORK SERVICE\") or \n winlog.event_data.CallerProcessName:(\"-\" or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\VSSVC.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SearchIndexer.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CompatTelRunner.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\oobe\\\\\\\\msoobe.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\net1.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Netplwiz.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CloudExperienceHostBroker.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SrTasks.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\diskshadow.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dfsrs.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vssadmin.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SettingSyncHost.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wsmprovhost.exe or\n 
*\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\x64\\\\\\\\3\\\\\\\\x3jobt3?.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\esentutl.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RecoveryDrive.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesComputerName.exe or\n *\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe or\n *\\:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\SystemSettings.exe or\n *\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\rubrik_vmware???\\\\\\\\snaptool.exe or\n *\\:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe or\n ?\\:\\\\\\\\WindowsAzure\\\\\\\\*WaAppAgent.exe or\n ?\\:\\\\\\\\Program?Files?\\(x86\\)\\\\\\\\*.exe or\n ?\\:\\\\\\\\Program?Files\\\\\\\\*.exe or\n ?\\:\\\\\\\\$WINDOWS.~BT\\\\\\\\Sources\\\\\\\\*.exe\n )\n )\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "group.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallerProcessName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetSid", "type": "unknown"}], "risk_score": 47, "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4", "setup": "\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event 
used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 209}, "id": "291a0de9-937a-4189-94c0-3e847c8b13e4_209", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_210.json b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_210.json deleted file mode 100644 index 30139ccd450..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_210.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.", "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Enumeration of Privileged Local Groups Membership", "new_terms_fields": ["host.id", "winlog.event_data.SubjectUserName", "winlog.event_data.CallerProcessName"], "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "host.os.type:windows and event.category:iam and event.action:user-member-enumerated and \n (\n group.name:(*Admin* or \"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\" or \"S-1-5-32-555\")\n ) and \n not (\n winlog.event_data.SubjectUserName: *$ or\n winlog.event_data.SubjectUserSid: (\"S-1-5-19\" or \"S-1-5-20\") or \n winlog.event_data.CallerProcessName:(\"-\" or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\VSSVC.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SearchIndexer.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CompatTelRunner.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\oobe\\\\\\\\msoobe.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\net1.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Netplwiz.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CloudExperienceHostBroker.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RuntimeBroker.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SrTasks.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\diskshadow.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dfsrs.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vssadmin.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SettingSyncHost.exe or\n 
*\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wsmprovhost.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\x64\\\\\\\\3\\\\\\\\x3jobt3?.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\esentutl.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RecoveryDrive.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesComputerName.exe or\n *\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe or\n *\\:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\SystemSettings.exe or\n *\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\rubrik_vmware???\\\\\\\\snaptool.exe or\n *\\:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe or\n ?\\:\\\\\\\\WindowsAzure\\\\\\\\*WaAppAgent.exe or\n ?\\:\\\\\\\\Program?Files?\\(x86\\)\\\\\\\\*.exe or\n ?\\:\\\\\\\\Program?Files\\\\\\\\*.exe or\n ?\\:\\\\\\\\$WINDOWS.~BT\\\\\\\\Sources\\\\\\\\*.exe\n )\n )\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "group.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallerProcessName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetSid", "type": "unknown"}], "risk_score": 47, "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4", "setup": "\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies 
>\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 210}, "id": "291a0de9-937a-4189-94c0-3e847c8b13e4_210", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_211.json b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_211.json deleted file mode 100644 index d5ec8aec634..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_211.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.", "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Enumeration of Privileged Local Groups Membership", "new_terms_fields": ["host.id", "winlog.event_data.SubjectUserName", "winlog.event_data.CallerProcessName"], "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:windows and event.category:iam and event.action:user-member-enumerated and \n (\n group.name:(*Admin* or \"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\" or \"S-1-5-32-555\")\n ) and \n not (\n winlog.event_data.SubjectUserName: *$ or\n winlog.event_data.SubjectUserSid: (\"S-1-5-19\" or \"S-1-5-20\") or \n winlog.event_data.CallerProcessName:(\"-\" or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\VSSVC.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SearchIndexer.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CompatTelRunner.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\oobe\\\\\\\\msoobe.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\net1.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\svchost.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Netplwiz.exe or \n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\msiexec.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\CloudExperienceHostBroker.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RuntimeBroker.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wbem\\\\\\\\WmiPrvSE.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SrTasks.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\diskshadow.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dfsrs.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\vssadmin.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\dllhost.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mmc.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SettingSyncHost.exe or\n 
*\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\inetsrv\\\\\\\\w3wp.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\wsmprovhost.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\spool\\\\\\\\drivers\\\\\\\\x64\\\\\\\\3\\\\\\\\x3jobt3?.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\mstsc.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\esentutl.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\RecoveryDrive.exe or\n *\\:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\SystemPropertiesComputerName.exe or\n *\\:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\msiexec.exe or\n *\\:\\\\\\\\Windows\\\\\\\\ImmersiveControlPanel\\\\\\\\SystemSettings.exe or\n *\\:\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\rubrik_vmware???\\\\\\\\snaptool.exe or\n *\\:\\\\\\\\Windows\\\\\\\\VeeamVssSupport\\\\\\\\VeeamGuestHelper.exe or\n ?\\:\\\\\\\\WindowsAzure\\\\\\\\*WaAppAgent.exe or\n ?\\:\\\\\\\\Program?Files?\\(x86\\)\\\\\\\\*.exe or\n ?\\:\\\\\\\\Program?Files\\\\\\\\*.exe or\n ?\\:\\\\\\\\$WINDOWS.~BT\\\\\\\\Sources\\\\\\\\*.exe\n )\n )\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "group.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallerProcessName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetSid", "type": "unknown"}], "risk_score": 47, "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4", "setup": "## Setup\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies 
>\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 211}, "id": "291a0de9-937a-4189-94c0-3e847c8b13e4_211", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_311.json b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_311.json deleted file mode 100644 index fb09c0e1b3b..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_311.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"winlog.event_data.CallerProcessName": {"case_insensitive": true, "value": "C:\\\\Program Files (x86)\\\\*.exe"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"winlog.event_data.CallerProcessName": {"case_insensitive": true, "value": "C:\\\\Program Files\\\\*.exe"}}}}], "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Enumeration of Privileged Local Groups Membership", "new_terms_fields": ["host.id", "winlog.event_data.SubjectUserName", "winlog.event_data.CallerProcessName"], "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE 
'%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:windows and event.category:iam and event.action:user-member-enumerated and \n (\n group.name:(*Admin* or \"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\" or \"S-1-5-32-555\")\n ) and \n not (\n winlog.event_data.SubjectUserName: *$ or\n winlog.event_data.SubjectUserSid: (\"S-1-5-19\" or \"S-1-5-20\") or \n winlog.event_data.CallerProcessName:(\"-\" or \n C\\:\\\\Windows\\\\System32\\\\VSSVC.exe or \n C\\:\\\\Windows\\\\System32\\\\SearchIndexer.exe or \n C\\:\\\\Windows\\\\System32\\\\CompatTelRunner.exe or \n C\\:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe or\n C\\:\\\\Windows\\\\System32\\\\net1.exe or \n C\\:\\\\Windows\\\\System32\\\\svchost.exe or \n C\\:\\\\Windows\\\\System32\\\\Netplwiz.exe or \n C\\:\\\\Windows\\\\System32\\\\msiexec.exe or\n C\\:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe or\n C\\:\\\\Windows\\\\System32\\\\RuntimeBroker.exe or\n C\\:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe or\n C\\:\\\\Windows\\\\System32\\\\SrTasks.exe or\n C\\:\\\\Windows\\\\System32\\\\diskshadow.exe or\n C\\:\\\\Windows\\\\System32\\\\dfsrs.exe or\n C\\:\\\\Windows\\\\System32\\\\vssadmin.exe or\n C\\:\\\\Windows\\\\System32\\\\dllhost.exe or\n C\\:\\\\Windows\\\\System32\\\\mmc.exe or\n C\\:\\\\Windows\\\\System32\\\\SettingSyncHost.exe or\n C\\:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe or\n C\\:\\\\Windows\\\\System32\\\\wsmprovhost.exe or\n C\\:\\\\Windows\\\\System32\\\\mstsc.exe or\n C\\:\\\\Windows\\\\System32\\\\esentutl.exe or\n C\\:\\\\Windows\\\\System32\\\\RecoveryDrive.exe or\n 
C\\:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe or\n C\\:\\\\Windows\\\\SysWOW64\\\\msiexec.exe or\n C\\:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe or\n C\\:\\\\Windows\\\\Temp\\\\rubrik_vmware*\\\\snaptool.exe or\n C\\:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe or\n C\\:\\\\WindowsAzure\\\\*WaAppAgent.exe or\n C\\:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe\n )\n )\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "group.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallerProcessName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetSid", "type": "unknown"}], "risk_score": 47, "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4", "setup": "## Setup\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to 
work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 311}, "id": "291a0de9-937a-4189-94c0-3e847c8b13e4_311", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_312.json b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_312.json deleted file mode 100644 index 34324c991e2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_312.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"winlog.event_data.CallerProcessName": {"case_insensitive": true, "value": "C:\\\\Program Files (x86)\\\\*.exe"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"winlog.event_data.CallerProcessName": {"case_insensitive": true, "value": "C:\\\\Program Files\\\\*.exe"}}}}], "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Enumeration of Privileged Local Groups Membership", "new_terms_fields": ["host.id", "winlog.event_data.SubjectUserName", "winlog.event_data.CallerProcessName"], "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE 
'%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:windows and event.category:iam and event.action:user-member-enumerated and \n (\n group.name:(*Admin* or \"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\" or \"S-1-5-32-555\")\n ) and \n not (\n winlog.event_data.SubjectUserName: *$ or\n winlog.event_data.SubjectUserSid: (\"S-1-5-19\" or \"S-1-5-20\") or \n winlog.event_data.CallerProcessName:(\"-\" or \n C\\:\\\\Windows\\\\System32\\\\VSSVC.exe or \n C\\:\\\\Windows\\\\System32\\\\SearchIndexer.exe or \n C\\:\\\\Windows\\\\System32\\\\CompatTelRunner.exe or \n C\\:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe or\n C\\:\\\\Windows\\\\System32\\\\net1.exe or \n C\\:\\\\Windows\\\\System32\\\\svchost.exe or \n C\\:\\\\Windows\\\\System32\\\\Netplwiz.exe or \n C\\:\\\\Windows\\\\System32\\\\msiexec.exe or\n C\\:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe or\n C\\:\\\\Windows\\\\System32\\\\RuntimeBroker.exe or\n C\\:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe or\n C\\:\\\\Windows\\\\System32\\\\SrTasks.exe or\n C\\:\\\\Windows\\\\System32\\\\diskshadow.exe or\n C\\:\\\\Windows\\\\System32\\\\dfsrs.exe or\n C\\:\\\\Windows\\\\System32\\\\vssadmin.exe or\n C\\:\\\\Windows\\\\System32\\\\dllhost.exe or\n C\\:\\\\Windows\\\\System32\\\\mmc.exe or\n C\\:\\\\Windows\\\\System32\\\\SettingSyncHost.exe or\n C\\:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe or\n C\\:\\\\Windows\\\\System32\\\\wsmprovhost.exe or\n C\\:\\\\Windows\\\\System32\\\\mstsc.exe or\n C\\:\\\\Windows\\\\System32\\\\esentutl.exe or\n C\\:\\\\Windows\\\\System32\\\\RecoveryDrive.exe or\n 
C\\:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe or\n C\\:\\\\Windows\\\\SysWOW64\\\\msiexec.exe or\n C\\:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe or\n C\\:\\\\Windows\\\\Temp\\\\rubrik_vmware*\\\\snaptool.exe or\n C\\:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe or\n C\\:\\\\WindowsAzure\\\\*WaAppAgent.exe or\n C\\:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe\n )\n )\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "group.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallerProcessName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetSid", "type": "unknown"}], "risk_score": 47, "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4", "setup": "## Setup\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to 
work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 312}, "id": "291a0de9-937a-4189-94c0-3e847c8b13e4_312", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_313.json b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_313.json deleted file mode 100644 index eb3425a1e04..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_313.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"winlog.event_data.CallerProcessName": {"case_insensitive": true, "value": "C:\\\\Program Files (x86)\\\\*.exe"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"winlog.event_data.CallerProcessName": {"case_insensitive": true, "value": "C:\\\\Program Files\\\\*.exe"}}}}], "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Enumeration of Privileged Local Groups Membership", "new_terms_fields": ["host.id", "winlog.event_data.SubjectUserName", "winlog.event_data.CallerProcessName"], "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE 
'%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:windows and event.category:iam and event.action:user-member-enumerated and \n (\n group.name:(*Admin* or \"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\" or \"S-1-5-32-555\")\n ) and \n not (\n winlog.event_data.SubjectUserName: *$ or\n winlog.event_data.SubjectUserSid: (\"S-1-5-19\" or \"S-1-5-20\") or \n winlog.event_data.CallerProcessName:(\"-\" or \n C\\:\\\\Windows\\\\System32\\\\VSSVC.exe or \n C\\:\\\\Windows\\\\System32\\\\SearchIndexer.exe or \n C\\:\\\\Windows\\\\System32\\\\CompatTelRunner.exe or \n C\\:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe or\n C\\:\\\\Windows\\\\System32\\\\net1.exe or \n C\\:\\\\Windows\\\\System32\\\\svchost.exe or \n C\\:\\\\Windows\\\\System32\\\\Netplwiz.exe or \n C\\:\\\\Windows\\\\System32\\\\msiexec.exe or\n C\\:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe or\n C\\:\\\\Windows\\\\System32\\\\RuntimeBroker.exe or\n C\\:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe or\n C\\:\\\\Windows\\\\System32\\\\SrTasks.exe or\n C\\:\\\\Windows\\\\System32\\\\diskshadow.exe or\n C\\:\\\\Windows\\\\System32\\\\dfsrs.exe or\n C\\:\\\\Windows\\\\System32\\\\vssadmin.exe or\n C\\:\\\\Windows\\\\System32\\\\dllhost.exe or\n C\\:\\\\Windows\\\\System32\\\\mmc.exe or\n C\\:\\\\Windows\\\\System32\\\\SettingSyncHost.exe or\n C\\:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe or\n C\\:\\\\Windows\\\\System32\\\\wsmprovhost.exe or\n C\\:\\\\Windows\\\\System32\\\\mstsc.exe or\n C\\:\\\\Windows\\\\System32\\\\esentutl.exe or\n C\\:\\\\Windows\\\\System32\\\\RecoveryDrive.exe or\n 
C\\:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe or\n C\\:\\\\Windows\\\\SysWOW64\\\\msiexec.exe or\n C\\:\\\\Windows\\\\System32\\\\taskhostw.exe or\n C\\:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe or\n C\\:\\\\Windows\\\\Temp\\\\rubrik_vmware*\\\\snaptool.exe or\n C\\:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe or\n C\\:\\\\WindowsAzure\\\\*WaAppAgent.exe or\n C\\:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe\n )\n )\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "group.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallerProcessName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetSid", "type": "unknown"}], "risk_score": 47, "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4", "setup": "## Setup\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not 
added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 313}, "id": "291a0de9-937a-4189-94c0-3e847c8b13e4_313", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_314.json b/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_314.json
deleted file mode 100644
index 12adf45f13e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/291a0de9-937a-4189-94c0-3e847c8b13e4_314.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances of an unusual process enumerating built-in Windows privileged local groups membership like Administrators or Remote Desktop users.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"winlog.event_data.CallerProcessName": {"case_insensitive": true, "value": "C:\\\\Program Files (x86)\\\\*.exe"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"winlog.event_data.CallerProcessName": {"case_insensitive": true, "value": "C:\\\\Program Files\\\\*.exe"}}}}], "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Enumeration of Privileged Local Groups Membership", "new_terms_fields": ["host.id", "winlog.event_data.SubjectUserName", "winlog.event_data.CallerProcessName"], "note": "## Triage and analysis\n\n### Investigating Enumeration of Privileged Local Groups Membership\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the enumeration of privileged local groups' membership by suspicious processes, and excludes known legitimate utilities and programs installed. Attackers can use this information to decide the next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process, host and user involved on the event.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE 
'%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:windows and event.category:iam and event.action:user-member-enumerated and \n (\n group.name:(*Admin* or \"RemoteDesktopUsers\") or\n winlog.event_data.TargetSid:(\"S-1-5-32-544\" or \"S-1-5-32-555\")\n ) and \n not (\n winlog.event_data.SubjectUserName: *$ or\n winlog.event_data.SubjectUserSid: (\"S-1-5-19\" or \"S-1-5-20\") or \n winlog.event_data.CallerProcessName:(\"-\" or \n C\\:\\\\Windows\\\\System32\\\\VSSVC.exe or \n C\\:\\\\Windows\\\\System32\\\\SearchIndexer.exe or \n C\\:\\\\Windows\\\\System32\\\\CompatTelRunner.exe or \n C\\:\\\\Windows\\\\System32\\\\oobe\\\\msoobe.exe or\n C\\:\\\\Windows\\\\System32\\\\net1.exe or \n C\\:\\\\Windows\\\\System32\\\\svchost.exe or \n C\\:\\\\Windows\\\\System32\\\\Netplwiz.exe or \n C\\:\\\\Windows\\\\System32\\\\msiexec.exe or\n C\\:\\\\Windows\\\\System32\\\\CloudExperienceHostBroker.exe or\n C\\:\\\\Windows\\\\System32\\\\RuntimeBroker.exe or\n C\\:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe or\n C\\:\\\\Windows\\\\System32\\\\SrTasks.exe or\n C\\:\\\\Windows\\\\System32\\\\diskshadow.exe or\n C\\:\\\\Windows\\\\System32\\\\dfsrs.exe or\n C\\:\\\\Windows\\\\System32\\\\vssadmin.exe or\n C\\:\\\\Windows\\\\System32\\\\dllhost.exe or\n C\\:\\\\Windows\\\\System32\\\\mmc.exe or\n C\\:\\\\Windows\\\\System32\\\\SettingSyncHost.exe or\n C\\:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe or\n C\\:\\\\Windows\\\\System32\\\\wsmprovhost.exe or\n C\\:\\\\Windows\\\\System32\\\\mstsc.exe or\n C\\:\\\\Windows\\\\System32\\\\esentutl.exe or\n C\\:\\\\Windows\\\\System32\\\\RecoveryDrive.exe or\n 
C\\:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe or\n C\\:\\\\Windows\\\\SysWOW64\\\\msiexec.exe or\n C\\:\\\\Windows\\\\System32\\\\taskhostw.exe or\n C\\:\\\\Windows\\\\ImmersiveControlPanel\\\\SystemSettings.exe or\n C\\:\\\\Windows\\\\Temp\\\\rubrik_vmware*\\\\snaptool.exe or\n C\\:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe or\n C\\:\\\\WindowsAzure\\\\*WaAppAgent.exe or\n C\\:\\\\$WINDOWS.~BT\\\\Sources\\\\*.exe\n )\n )\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "group.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallerProcessName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetSid", "type": "unknown"}], "risk_score": 47, "rule_id": "291a0de9-937a-4189-94c0-3e847c8b13e4", "setup": "## Setup\n\nThe 'Audit Security Group Management' audit policy must be configured (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit Security Group Management (Success)\n```\n\nMicrosoft introduced the [event used](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4799) in this detection rule on Windows 10 and Windows Server 2016 or later operating systems.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not 
added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 314}, "id": "291a0de9-937a-4189-94c0-3e847c8b13e4_314", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/29b53942-7cd4-11ee-b70e-f661ea17fbcd.json b/packages/security_detection_engine/kibana/security_rule/29b53942-7cd4-11ee-b70e-f661ea17fbcd.json
deleted file mode 100644
index ee2deff0e16..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/29b53942-7cd4-11ee-b70e-f661ea17fbcd.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within Okta.", "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "15m", "language": "kuery", "license": "Elastic License v2", "name": "New Okta Identity Provider (IdP) Added by Admin", "note": "## Triage and analysis\n\n### Investigating New Okta Identity Provider (IdP) Added by Admin\n\nThis rule detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within Okta.\n\n#### Possible investigation steps:\n- Identify the actor associated with the IdP creation by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Identify the IdP added by reviewing the `okta.target` field and determing if this IdP is authorized.\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- It might be a false positive if the action was part of a planned activity or performed by an authorized person.\n- Several unsuccessful attempts prior to this success, may indicate an adversary attempting to add an unauthorized IdP multiple times.\n\n### 
Response and remediation:\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\n- If the IdP is authorized, ensure that the actor who created it is authorized to do so.\n- If the actor is unauthorized, deactivate their account via the Okta console.\n- If the actor is authorized, ensure that the actor's account is not compromised.\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- If the deactivated IdP was crucial to the organization, consider adding a new IdP and removing the unauthorized IdP.", "query": "event.dataset: \"okta.system\" and event.action: \"system.idp.lifecycle.create\" and okta.outcome.result: \"SUCCESS\"\n", "references": ["https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://unit42.paloaltonetworks.com/muddled-libra/"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.result", "type": "keyword"}], "risk_score": 47, "rule_id": "29b53942-7cd4-11ee-b70e-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: Persistence", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/", "subtechnique": [{"id": "T1556.007", "name": "Hybrid Identity", "reference": "https://attack.mitre.org/techniques/T1556/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "29b53942-7cd4-11ee-b70e-f661ea17fbcd", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/29b53942-7cd4-11ee-b70e-f661ea17fbcd_1.json b/packages/security_detection_engine/kibana/security_rule/29b53942-7cd4-11ee-b70e-f661ea17fbcd_1.json
deleted file mode 100644
index d6fe5350e51..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/29b53942-7cd4-11ee-b70e-f661ea17fbcd_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within Okta.", "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "15m", "language": "kuery", "license": "Elastic License v2", "name": "New Okta Identity Provider (IdP) Added by Admin", "note": "## Triage and analysis\n\n### Investigating New Okta Identity Provider (IdP) Added by Admin\n\nThis rule detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within Okta.\n\n#### Possible investigation steps:\n- Identify the actor associated with the IdP creation by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Identify the IdP added by reviewing the `okta.target` field and determing if this IdP is authorized.\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- It might be a false positive if the action was part of a planned activity or performed by an authorized person.\n- Several unsuccessful attempts prior to this success, may indicate an adversary attempting to add an unauthorized IdP multiple times.\n\n### 
Response and remediation:\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\n- If the IdP is authorized, ensure that the actor who created it is authorized to do so.\n- If the actor is unauthorized, deactivate their account via the Okta console.\n- If the actor is authorized, ensure that the actor's account is not compromised.\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- If the deactivated IdP was crucial to the organization, consider adding a new IdP and removing the unauthorized IdP.", "query": "event.dataset: \"okta.system\" and event.action: \"system.idp.lifecycle.create\" and okta.outcome.result: \"SUCCESS\"\n", "references": ["https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://unit42.paloaltonetworks.com/muddled-libra/"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.result", "type": "keyword"}], "risk_score": 47, "rule_id": "29b53942-7cd4-11ee-b70e-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: Persistence", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/", "subtechnique": [{"id": "T1556.007", "name": "Hybrid Identity", "reference": "https://attack.mitre.org/techniques/T1556/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "29b53942-7cd4-11ee-b70e-f661ea17fbcd_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/29b53942-7cd4-11ee-b70e-f661ea17fbcd_104.json b/packages/security_detection_engine/kibana/security_rule/29b53942-7cd4-11ee-b70e-f661ea17fbcd_104.json
new file mode 100644
index 00000000000..173bd52af06
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/29b53942-7cd4-11ee-b70e-f661ea17fbcd_104.json
@@ -0,0 +1,88 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within Okta.",
+ "from": "now-30m",
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "interval": "15m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "New Okta Identity Provider (IdP) Added by Admin",
+ "note": "## Triage and analysis\n\n### Investigating New Okta Identity Provider (IdP) Added by Admin\n\nThis rule detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within Okta.\n\n#### Possible investigation steps:\n- Identify the actor associated with the IdP creation by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Identify the IdP added by reviewing the `okta.target` field and determing if this IdP is authorized.\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- It might be a false positive if the action was part of a planned activity or performed by an authorized person.\n- Several unsuccessful attempts prior to this success, may indicate an adversary attempting to add an unauthorized IdP multiple times.\n\n### Response and remediation:\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\n- If the IdP is authorized, ensure that the actor who created it is authorized to do so.\n- If the actor is unauthorized, deactivate their account via the Okta console.\n- If the actor is authorized, ensure that the actor's account is not compromised.\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- If the deactivated IdP was crucial to the organization, consider adding a new IdP and removing the unauthorized IdP.",
+ "query": "event.dataset: \"okta.system\" and event.action: \"system.idp.lifecycle.create\" and okta.outcome.result: \"SUCCESS\"\n",
+ "references": [
+ "https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://unit42.paloaltonetworks.com/muddled-libra/",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "okta.outcome.result",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "29b53942-7cd4-11ee-b70e-f661ea17fbcd",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Tactic: Persistence",
+ "Data Source: Okta"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1556",
+ "name": "Modify Authentication Process",
+ "reference": "https://attack.mitre.org/techniques/T1556/",
+ "subtechnique": [
+ {
+ "id": "T1556.007",
+ "name": "Hybrid Identity",
+ "reference": "https://attack.mitre.org/techniques/T1556/007/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 104
+ },
+ "id": "29b53942-7cd4-11ee-b70e-f661ea17fbcd_104",
+ "type": "security-rule"
+}
\ No newline at end of file
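Review bot: The `query` line matches every successful `system.idp.lifecycle.create` event and carries no `okta.actor.*` condition, yet the `name` and `description` attribute the action to a Super Administrator or Organization Administrator; that attribution is an assumption about which Okta roles can perform the action, not something the rule verifies, so either state it as an assumption in the note or add an actor-role constraint if the integration exposes one. The false-positive section mentions prior unsuccessful attempts, but the query requires `okta.outcome.result: "SUCCESS"`, so a triage step such as `- Search for non-SUCCESS \`system.idp.lifecycle.create\` events from the same actor in the preceding hours.` would make that pivot actionable. Minor: `determing` in the investigation guide should read `determining`.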
diff --git a/packages/security_detection_engine/kibana/security_rule/29b53942-7cd4-11ee-b70e-f661ea17fbcd_2.json b/packages/security_detection_engine/kibana/security_rule/29b53942-7cd4-11ee-b70e-f661ea17fbcd_2.json
deleted file mode 100644
index e9892439720..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/29b53942-7cd4-11ee-b70e-f661ea17fbcd_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within Okta.", "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "15m", "language": "kuery", "license": "Elastic License v2", "name": "New Okta Identity Provider (IdP) Added by Admin", "note": "## Triage and analysis\n\n### Investigating New Okta Identity Provider (IdP) Added by Admin\n\nThis rule detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within Okta.\n\n#### Possible investigation steps:\n- Identify the actor associated with the IdP creation by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Identify the IdP added by reviewing the `okta.target` field and determing if this IdP is authorized.\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- It might be a false positive if the action was part of a planned activity or performed by an authorized person.\n- Several unsuccessful attempts prior to this success, may indicate an adversary attempting to add an unauthorized IdP multiple times.\n\n### 
Response and remediation:\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\n- If the IdP is authorized, ensure that the actor who created it is authorized to do so.\n- If the actor is unauthorized, deactivate their account via the Okta console.\n- If the actor is authorized, ensure that the actor's account is not compromised.\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- If the deactivated IdP was crucial to the organization, consider adding a new IdP and removing the unauthorized IdP.", "query": "event.dataset: \"okta.system\" and event.action: \"system.idp.lifecycle.create\" and okta.outcome.result: \"SUCCESS\"\n", "references": ["https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://unit42.paloaltonetworks.com/muddled-libra/", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.result", "type": "keyword"}], "risk_score": 47, "rule_id": "29b53942-7cd4-11ee-b70e-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: 
Persistence", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/", "subtechnique": [{"id": "T1556.007", "name": "Hybrid Identity", "reference": "https://attack.mitre.org/techniques/T1556/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "29b53942-7cd4-11ee-b70e-f661ea17fbcd_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/29b53942-7cd4-11ee-b70e-f661ea17fbcd_4.json b/packages/security_detection_engine/kibana/security_rule/29b53942-7cd4-11ee-b70e-f661ea17fbcd_4.json
deleted file mode 100644
index 3eb1b906333..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/29b53942-7cd4-11ee-b70e-f661ea17fbcd_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within Okta.", "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "15m", "language": "kuery", "license": "Elastic License v2", "name": "New Okta Identity Provider (IdP) Added by Admin", "note": "## Triage and analysis\n\n### Investigating New Okta Identity Provider (IdP) Added by Admin\n\nThis rule detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within Okta.\n\n#### Possible investigation steps:\n- Identify the actor associated with the IdP creation by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Identify the IdP added by reviewing the `okta.target` field and determing if this IdP is authorized.\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\n- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- It might be a false positive if the action was part of a planned activity or performed by an authorized person.\n- Several unsuccessful attempts prior to this success, may indicate an adversary attempting to add an unauthorized IdP multiple times.\n\n### 
Response and remediation:\n- If the IdP is unauthorized, deactivate it immediately via the Okta console.\n- If the IdP is authorized, ensure that the actor who created it is authorized to do so.\n- If the actor is unauthorized, deactivate their account via the Okta console.\n- If the actor is authorized, ensure that the actor's account is not compromised.\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- If the deactivated IdP was crucial to the organization, consider adding a new IdP and removing the unauthorized IdP.", "query": "event.dataset: \"okta.system\" and event.action: \"system.idp.lifecycle.create\" and okta.outcome.result: \"SUCCESS\"\n", "references": ["https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://unit42.paloaltonetworks.com/muddled-libra/", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.result", "type": "keyword"}], "risk_score": 47, "rule_id": "29b53942-7cd4-11ee-b70e-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: 
Persistence", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/", "subtechnique": [{"id": "T1556.007", "name": "Hybrid Identity", "reference": "https://attack.mitre.org/techniques/T1556/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "29b53942-7cd4-11ee-b70e-f661ea17fbcd_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/29ef5686-9b93-433e-91b5-683911094698.json b/packages/security_detection_engine/kibana/security_rule/29ef5686-9b93-433e-91b5-683911094698.json
deleted file mode 100644
index 88f52ccbd89..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/29ef5686-9b93-433e-91b5-683911094698.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique host.id, user.id and process.command_line entries.", "from": "now-9m", "history_window_start": "now-14d", "index": [".alerts-security.*"], "language": "kuery", "license": "Elastic License v2", "name": "Unusual Discovery Signal Alert with Unusual Process Command Line", "new_terms_fields": ["host.id", "user.id", "process.command_line"], "query": "host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:(\n \"d68e95ad-1c82-4074-a12a-125fe10ac8ba\" or \"7b8bfc26-81d2-435e-965c-d722ee397ef1\" or\n \"0635c542-1b96-4335-9b47-126582d2c19a\" or \"6ea55c81-e2ba-42f2-a134-bccf857ba922\" or\n \"e0881d20-54ac-457f-8733-fe0bc5d44c55\" or \"06568a02-af29-4f20-929c-f3af281e41aa\" or\n \"c4e9ed3e-55a2-4309-a012-bc3c78dad10a\" or \"51176ed2-2d90-49f2-9f3d-17196428b169\"\n)\n", "required_fields": [{"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "kibana.alert.rule.rule_id", "type": "unknown"}], "risk_score": 21, "rule_id": "29ef5686-9b93-433e-91b5-683911094698", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: Higher-Order Rule"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "29ef5686-9b93-433e-91b5-683911094698", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/29f0cf93-d17c-4b12-b4f3-a433800539fa.json b/packages/security_detection_engine/kibana/security_rule/29f0cf93-d17c-4b12-b4f3-a433800539fa.json
deleted file mode 100644
index edbc387fd98..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/29f0cf93-d17c-4b12-b4f3-a433800539fa.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors for X11 forwarding via SSH. X11 forwarding is a feature that allows users to run graphical applications on a remote server and display the application's graphical user interface on their local machine. Attackers can abuse X11 forwarding for tunneling their GUI-based tools, pivot through compromised systems, and create covert communication channels, enabling lateral movement and facilitating remote control of systems within a network.", "from": "now-119m", "index": ["logs-endpoint.events.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Linux SSH X11 Forwarding", "note": "## Triage and analysis\n\n### Investigating Potential Linux SSH X11 Forwarding\n\nAttackers can leverage SSH X11 forwarding to capture a user's graphical desktop session and potentially execute unauthorized GUI applications remotely.\n\nThis rule looks for the execution of SSH in conjunction with command line arguments that are capable of setting up X11 forwarding. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate network forwarding activity. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses port tunneling/forwarding for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.name in (\"ssh\", \"sshd\") and process.args in (\"-X\", \"-Y\") and process.args_count >= 3 and \nprocess.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n", "references": ["https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "29f0cf93-d17c-4b12-b4f3-a433800539fa", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "29f0cf93-d17c-4b12-b4f3-a433800539fa", 
"type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/29f0cf93-d17c-4b12-b4f3-a433800539fa_1.json b/packages/security_detection_engine/kibana/security_rule/29f0cf93-d17c-4b12-b4f3-a433800539fa_1.json
deleted file mode 100644
index 9bc625291f0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/29f0cf93-d17c-4b12-b4f3-a433800539fa_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors for X11 forwarding via SSH. X11 forwarding is a feature that allows users to run graphical applications on a remote server and display the application's graphical user interface on their local machine. Attackers can abuse X11 forwarding for tunneling their GUI-based tools, pivot through compromised systems, and create covert communication channels, enabling lateral movement and facilitating remote control of systems within a network.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Linux SSH X11 Forwarding", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and\nprocess.name in (\"ssh\", \"sshd\") and process.args in (\"-X\", \"-Y\") and process.args_count >= 3 and \nprocess.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n", "references": ["https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "29f0cf93-d17c-4b12-b4f3-a433800539fa", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", 
"name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "29f0cf93-d17c-4b12-b4f3-a433800539fa_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/29f0cf93-d17c-4b12-b4f3-a433800539fa_2.json b/packages/security_detection_engine/kibana/security_rule/29f0cf93-d17c-4b12-b4f3-a433800539fa_2.json
deleted file mode 100644
index 3ee87e5377c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/29f0cf93-d17c-4b12-b4f3-a433800539fa_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors for X11 forwarding via SSH. X11 forwarding is a feature that allows users to run graphical applications on a remote server and display the application's graphical user interface on their local machine. Attackers can abuse X11 forwarding for tunneling their GUI-based tools, pivot through compromised systems, and create covert communication channels, enabling lateral movement and facilitating remote control of systems within a network.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Linux SSH X11 Forwarding", "note": "## Triage and analysis\n\n### Investigating Potential Linux SSH X11 Forwarding\n\nAttackers can leverage SSH X11 forwarding to capture a user's graphical desktop session and potentially execute unauthorized GUI applications remotely.\n\nThis rule looks for the execution of SSH in conjunction with command line arguments that are capable of setting up X11 forwarding. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate network forwarding activity. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses port tunneling/forwarding for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and\nprocess.name in (\"ssh\", \"sshd\") and process.args in (\"-X\", \"-Y\") and process.args_count >= 3 and \nprocess.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n", "references": ["https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "29f0cf93-d17c-4b12-b4f3-a433800539fa", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "29f0cf93-d17c-4b12-b4f3-a433800539fa_2", "type": "security-rule"} \ No newline at end of 
file
diff --git a/packages/security_detection_engine/kibana/security_rule/29f0cf93-d17c-4b12-b4f3-a433800539fa_3.json b/packages/security_detection_engine/kibana/security_rule/29f0cf93-d17c-4b12-b4f3-a433800539fa_3.json
deleted file mode 100644
index cffd72295b9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/29f0cf93-d17c-4b12-b4f3-a433800539fa_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors for X11 forwarding via SSH. X11 forwarding is a feature that allows users to run graphical applications on a remote server and display the application's graphical user interface on their local machine. Attackers can abuse X11 forwarding for tunneling their GUI-based tools, pivot through compromised systems, and create covert communication channels, enabling lateral movement and facilitating remote control of systems within a network.", "from": "now-119m", "index": ["logs-endpoint.events.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Linux SSH X11 Forwarding", "note": "## Triage and analysis\n\n### Investigating Potential Linux SSH X11 Forwarding\n\nAttackers can leverage SSH X11 forwarding to capture a user's graphical desktop session and potentially execute unauthorized GUI applications remotely.\n\nThis rule looks for the execution of SSH in conjunction with command line arguments that are capable of setting up X11 forwarding. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate network forwarding activity. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses port tunneling/forwarding for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.name in (\"ssh\", \"sshd\") and process.args in (\"-X\", \"-Y\") and process.args_count >= 3 and \nprocess.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n", "references": ["https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "29f0cf93-d17c-4b12-b4f3-a433800539fa", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "29f0cf93-d17c-4b12-b4f3-a433800539fa_3", 
"type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e.json b/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e.json deleted file mode 100644 index cea8dcec395..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for unauthorized access and malicious actions.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Code Execution via Postgresql", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"fork\", \"fork_event\") and \nuser.name == \"postgres\" and (\n (process.parent.args : \"*sh\" and process.parent.args : \"echo*\") or \n (process.args : \"*sh\" and process.args : \"echo*\")\n) and not process.parent.name : \"puppet\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2a692072-d78d-42f3-a48a-775677d79c4e", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "2a692072-d78d-42f3-a48a-775677d79c4e", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_1.json b/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_1.json deleted file mode 100644 index e5d5a9660cb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for unauthorized access and malicious actions.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Code Execution via Postgresql", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"fork\", \"fork_event\") and \nevent.type == \"start\" and user.name == \"postgres\" and (process.parent.args : \"*sh\" or process.args : \"*sh\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": "2a692072-d78d-42f3-a48a-775677d79c4e", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix 
Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "type": "eql", "version": 1}, "id": "2a692072-d78d-42f3-a48a-775677d79c4e_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_2.json b/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_2.json
deleted file mode 100644
index f3649d78a1a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for unauthorized access and malicious actions.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Code Execution via Postgresql", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"fork\", \"fork_event\") and \nevent.type == \"start\" and user.name == \"postgres\" and (\n (process.parent.args : \"*sh\" and process.parent.args : \"echo*\") or \n (process.args : \"*sh\" and process.args : \"echo*\")\n) and not process.parent.name : \"puppet\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2a692072-d78d-42f3-a48a-775677d79c4e", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, 
"technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "type": "eql", "version": 2}, "id": "2a692072-d78d-42f3-a48a-775677d79c4e_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_3.json b/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_3.json deleted file mode 100644 index c266cf4e245..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for unauthorized access and malicious actions.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Code Execution via Postgresql", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"fork\", \"fork_event\") and \nevent.type == \"start\" and user.name == \"postgres\" and (\n (process.parent.args : \"*sh\" and process.parent.args : \"echo*\") or \n (process.args : \"*sh\" and process.args : \"echo*\")\n) and not process.parent.name : \"puppet\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2a692072-d78d-42f3-a48a-775677d79c4e", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": 
"https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "type": "eql", "version": 3}, "id": "2a692072-d78d-42f3-a48a-775677d79c4e_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_4.json b/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_4.json deleted file mode 100644 index 16007c23949..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for unauthorized access and malicious actions.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Code Execution via Postgresql", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"fork\", \"fork_event\") and \nevent.type == \"start\" and user.name == \"postgres\" and (\n (process.parent.args : \"*sh\" and process.parent.args : \"echo*\") or \n (process.args : \"*sh\" and process.args : \"echo*\")\n) and not process.parent.name : \"puppet\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2a692072-d78d-42f3-a48a-775677d79c4e", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "2a692072-d78d-42f3-a48a-775677d79c4e_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_5.json b/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_5.json deleted file mode 100644 index 6c82f71c474..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for unauthorized access and malicious actions.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Code Execution via Postgresql", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"fork\", \"fork_event\") and \nevent.type == \"start\" and user.name == \"postgres\" and (\n (process.parent.args : \"*sh\" and process.parent.args : \"echo*\") or \n (process.args : \"*sh\" and process.args : \"echo*\")\n) and not process.parent.name : \"puppet\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2a692072-d78d-42f3-a48a-775677d79c4e", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "2a692072-d78d-42f3-a48a-775677d79c4e_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_6.json b/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_6.json deleted file mode 100644 index fe3fff83af6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2a692072-d78d-42f3-a48a-775677d79c4e_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for suspicious activities that may indicate an attacker attempting to execute arbitrary code within a PostgreSQL environment. Attackers can execute code via PostgreSQL as a result of gaining unauthorized access to a public facing PostgreSQL database or exploiting vulnerabilities, such as remote command execution and SQL injection attacks, which can result in unauthorized access and malicious actions, and facilitate post-exploitation activities for unauthorized access and malicious actions.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Code Execution via Postgresql", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"fork\", \"fork_event\") and \nuser.name == \"postgres\" and (\n (process.parent.args : \"*sh\" and process.parent.args : \"echo*\") or \n (process.args : \"*sh\" and process.args : \"echo*\")\n) and not process.parent.name : \"puppet\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2a692072-d78d-42f3-a48a-775677d79c4e", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "2a692072-d78d-42f3-a48a-775677d79c4e_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba.json b/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba.json deleted file mode 100644 index 23e23a6bcc5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects when a pod is created with a sensitive volume of type hostPath. A hostPath volume type mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node. There are many ways a container with unrestricted access to the host filesystem can escalate privileges, including reading data from other containers, and accessing tokens of more privileged pods.", "false_positives": ["An administrator may need to attach a hostPath volume for a legitimate reason. This alert should be investigated for legitimacy by determining if the kuberenetes.audit.requestObject.spec.volumes.hostPath.path triggered is one needed by its target container/pod. For example, when the fleet managed elastic agent is deployed as a daemonset it creates several hostPath volume mounts, some of which are sensitive host directories like /proc, /etc/kubernetes, and /var/log. 
Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\""], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Pod created with a Sensitive hostPath Volume", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.volumes.hostPath.path:\n (\"/\" or\n \"/proc\" or\n \"/root\" or\n \"/var\" or\n \"/var/run\" or\n \"/var/run/docker.sock\" or\n \"/var/run/crio/crio.sock\" or\n \"/var/run/cri-dockerd.sock\" or\n \"/var/lib/kubelet\" or\n \"/var/lib/kubelet/pki\" or\n \"/var/lib/docker/overlay2\" or\n \"/etc\" or\n \"/etc/kubernetes\" or\n \"/etc/kubernetes/manifests\" or\n \"/etc/kubernetes/pki\" or\n \"/home/admin\")\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", "references": ["https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216", "https://kubernetes.io/docs/concepts/storage/volumes/#hostpath"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.image", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.volumes.hostPath.path", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "keyword"}], "risk_score": 47, "rule_id": "2abda169-416b-4bb3-9a6b-f8d239fd78ba", "setup": "The 
Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1610", "name": "Deploy Container", "reference": "https://attack.mitre.org/techniques/T1610/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 204}, "id": "2abda169-416b-4bb3-9a6b-f8d239fd78ba", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_201.json b/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_201.json deleted file mode 100644 index 07ba94e3c94..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_201.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects when a pod is created with a sensitive volume of type hostPath. A hostPath volume type mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node. There are many ways a container with unrestricted access to the host filesystem can escalate privileges, including reading data from other containers, and accessing tokens of more privileged pods.", "false_positives": ["An administrator may need to attach a hostPath volume for a legitimate reason. This alert should be investigated for legitimacy by determining if the kuberenetes.audit.requestObject.spec.volumes.hostPath.path triggered is one needed by its target container/pod. For example, when the fleet managed elastic agent is deployed as a daemonset it creates several hostPath volume mounts, some of which are sensitive host directories like /proc, /etc/kubernetes, and /var/log. 
Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\""], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Pod created with a Sensitive hostPath Volume", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.volumes.hostPath.path:\n (\"/\" or\n \"/proc\" or\n \"/root\" or\n \"/var\" or\n \"/var/run\" or\n \"/var/run/docker.sock\" or\n \"/var/run/crio/crio.sock\" or\n \"/var/run/cri-dockerd.sock\" or\n \"/var/lib/kubelet\" or\n \"/var/lib/kubelet/pki\" or\n \"/var/lib/docker/overlay2\" or\n \"/etc\" or\n \"/etc/kubernetes\" or\n \"/etc/kubernetes/manifests\" or\n \"/etc/kubernetes/pki\" or\n \"/home/admin\")\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", "references": ["https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216", "https://kubernetes.io/docs/concepts/storage/volumes/#hostpath"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.image", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.volumes.hostPath.path", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "unknown"}], "risk_score": 47, "rule_id": "2abda169-416b-4bb3-9a6b-f8d239fd78ba", "setup": "The 
Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1610", "name": "Deploy Container", "reference": "https://attack.mitre.org/techniques/T1610/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 201}, "id": "2abda169-416b-4bb3-9a6b-f8d239fd78ba_201", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_202.json b/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_202.json deleted file mode 100644 index 1bd5c781816..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_202.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects when a pod is created with a sensitive volume of type hostPath. A hostPath volume type mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node. There are many ways a container with unrestricted access to the host filesystem can escalate privileges, including reading data from other containers, and accessing tokens of more privileged pods.", "false_positives": ["An administrator may need to attach a hostPath volume for a legitimate reason. This alert should be investigated for legitimacy by determining if the kuberenetes.audit.requestObject.spec.volumes.hostPath.path triggered is one needed by its target container/pod. For example, when the fleet managed elastic agent is deployed as a daemonset it creates several hostPath volume mounts, some of which are sensitive host directories like /proc, /etc/kubernetes, and /var/log. 
Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\""], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Pod created with a Sensitive hostPath Volume", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.volumes.hostPath.path:\n (\"/\" or\n \"/proc\" or\n \"/root\" or\n \"/var\" or\n \"/var/run\" or\n \"/var/run/docker.sock\" or\n \"/var/run/crio/crio.sock\" or\n \"/var/run/cri-dockerd.sock\" or\n \"/var/lib/kubelet\" or\n \"/var/lib/kubelet/pki\" or\n \"/var/lib/docker/overlay2\" or\n \"/etc\" or\n \"/etc/kubernetes\" or\n \"/etc/kubernetes/manifests\" or\n \"/etc/kubernetes/pki\" or\n \"/home/admin\")\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", "references": ["https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216", "https://kubernetes.io/docs/concepts/storage/volumes/#hostpath"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.image", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.volumes.hostPath.path", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "unknown"}], "risk_score": 47, "rule_id": "2abda169-416b-4bb3-9a6b-f8d239fd78ba", "setup": "The 
Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1610", "name": "Deploy Container", "reference": "https://attack.mitre.org/techniques/T1610/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 202}, "id": "2abda169-416b-4bb3-9a6b-f8d239fd78ba_202", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_203.json b/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_203.json deleted file mode 100644 index aa6b2556752..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2abda169-416b-4bb3-9a6b-f8d239fd78ba_203.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects when a pod is created with a sensitive volume of type hostPath. A hostPath volume type mounts a sensitive file or folder from the node to the container. If the container gets compromised, the attacker can use this mount for gaining access to the node. There are many ways a container with unrestricted access to the host filesystem can escalate privileges, including reading data from other containers, and accessing tokens of more privileged pods.", "false_positives": ["An administrator may need to attach a hostPath volume for a legitimate reason. This alert should be investigated for legitimacy by determining if the kuberenetes.audit.requestObject.spec.volumes.hostPath.path triggered is one needed by its target container/pod. For example, when the fleet managed elastic agent is deployed as a daemonset it creates several hostPath volume mounts, some of which are sensitive host directories like /proc, /etc/kubernetes, and /var/log. 
Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\""], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Pod created with a Sensitive hostPath Volume", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.volumes.hostPath.path:\n (\"/\" or\n \"/proc\" or\n \"/root\" or\n \"/var\" or\n \"/var/run\" or\n \"/var/run/docker.sock\" or\n \"/var/run/crio/crio.sock\" or\n \"/var/run/cri-dockerd.sock\" or\n \"/var/lib/kubelet\" or\n \"/var/lib/kubelet/pki\" or\n \"/var/lib/docker/overlay2\" or\n \"/etc\" or\n \"/etc/kubernetes\" or\n \"/etc/kubernetes/manifests\" or\n \"/etc/kubernetes/pki\" or\n \"/home/admin\")\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", "references": ["https://blog.appsecco.com/kubernetes-namespace-breakout-using-insecure-host-path-volume-part-1-b382f2a6e216", "https://kubernetes.io/docs/concepts/storage/volumes/#hostpath"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.image", "type": "text"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.volumes.hostPath.path", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "keyword"}], "risk_score": 47, "rule_id": "2abda169-416b-4bb3-9a6b-f8d239fd78ba", "setup": "The Kubernetes 
Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1610", "name": "Deploy Container", "reference": "https://attack.mitre.org/techniques/T1610/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 203}, "id": "2abda169-416b-4bb3-9a6b-f8d239fd78ba_203", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4.json b/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4.json deleted file mode 100644 index 894c23b519d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments related to virtual machine (VM) files, such as \"vmdk\", \"vmx\", \"vmxf\", \"vmsd\", \"vmsn\", \"vswp\", \"vmss\", \"nvram\", or \"vmem\". These file extensions are associated with VM-related file formats, and their presence in grep command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "ESXI Discovery via Grep", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name in (\"grep\", \"egrep\", \"pgrep\") and process.args in (\n \"vmdk\", \"vmx\", \"vmxf\", \"vmsd\", \"vmsn\", \"vswp\", \"vmss\", \"nvram\", \"vmem\"\n)\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_1.json b/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_1.json deleted file mode 100644 index e9f68211b69..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments related to virtual machine (VM) files, such as \"vmdk\", \"vmx\", \"vmxf\", \"vmsd\", \"vmsn\", \"vswp\", \"vmss\", \"nvram\", or \"vmem\". These file extensions are associated with VM-related file formats, and their presence in grep command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "ESXI Discovery via Grep", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.name : (\"grep\", \"egrep\", \"pgrep\") and\nprocess.args : (\"vmdk\", \"vmx\", \"vmxf\", \"vmsd\", \"vmsn\", \"vswp\", \"vmss\", \"nvram\", \"vmem\")\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": 
"2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_2.json b/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_2.json
deleted file mode 100644
index 99546eee67f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments related to virtual machine (VM) files, such as \"vmdk\", \"vmx\", \"vmxf\", \"vmsd\", \"vmsn\", \"vswp\", \"vmss\", \"nvram\", or \"vmem\". These file extensions are associated with VM-related file formats, and their presence in grep command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "ESXI Discovery via Grep", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.name : (\"grep\", \"egrep\", \"pgrep\") and\nprocess.args : (\"vmdk\", \"vmx\", \"vmxf\", \"vmsd\", \"vmsn\", \"vswp\", \"vmss\", \"nvram\", \"vmem\")\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/"}]}], "timestamp_override": "event.ingested", "type": "eql", 
"version": 2}, "id": "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_3.json b/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_3.json
deleted file mode 100644
index 4e981eb1295..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments related to virtual machine (VM) files, such as \"vmdk\", \"vmx\", \"vmxf\", \"vmsd\", \"vmsn\", \"vswp\", \"vmss\", \"nvram\", or \"vmem\". These file extensions are associated with VM-related file formats, and their presence in grep command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "ESXI Discovery via Grep", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.name in (\"grep\", \"egrep\", \"pgrep\") and\nprocess.args in (\"vmdk\", \"vmx\", \"vmxf\", \"vmsd\", \"vmsn\", \"vswp\", \"vmss\", \"nvram\", \"vmem\")\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/"}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 3}, "id": "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_4.json b/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_4.json
deleted file mode 100644
index df6eab472ba..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments related to virtual machine (VM) files, such as \"vmdk\", \"vmx\", \"vmxf\", \"vmsd\", \"vmsn\", \"vswp\", \"vmss\", \"nvram\", or \"vmem\". These file extensions are associated with VM-related file formats, and their presence in grep command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "ESXI Discovery via Grep", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.name in (\"grep\", \"egrep\", \"pgrep\") and\nprocess.args in (\"vmdk\", \"vmx\", \"vmxf\", \"vmsd\", \"vmsn\", \"vswp\", \"vmss\", \"nvram\", \"vmem\")\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_5.json b/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_5.json
deleted file mode 100644
index 4879cdbbfbf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments related to virtual machine (VM) files, such as \"vmdk\", \"vmx\", \"vmxf\", \"vmsd\", \"vmsn\", \"vswp\", \"vmss\", \"nvram\", or \"vmem\". These file extensions are associated with VM-related file formats, and their presence in grep command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "ESXI Discovery via Grep", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.name in (\"grep\", \"egrep\", \"pgrep\") and\nprocess.args in (\"vmdk\", \"vmx\", \"vmxf\", \"vmsd\", \"vmsn\", \"vswp\", \"vmss\", \"nvram\", \"vmem\")\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_6.json b/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_6.json
deleted file mode 100644
index 71f214998c5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments related to virtual machine (VM) files, such as \"vmdk\", \"vmx\", \"vmxf\", \"vmsd\", \"vmsn\", \"vswp\", \"vmss\", \"nvram\", or \"vmem\". These file extensions are associated with VM-related file formats, and their presence in grep command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "ESXI Discovery via Grep", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name in (\"grep\", \"egrep\", \"pgrep\") and process.args in (\n \"vmdk\", \"vmx\", \"vmxf\", \"vmsd\", \"vmsn\", \"vswp\", \"vmss\", \"nvram\", \"vmem\"\n)\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86.json b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86.json
deleted file mode 100644
index 99685bd3e38..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects writing executable files that will be automatically launched by Adobe on launch.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Adobe Hijack Persistence", "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n not process.name : \"msiexec.exe\"\n", "references": ["https://twitter.com/pabraeken/status/997997818362155008"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: 
Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.010", "name": "Services File Permissions Weakness", "reference": "https://attack.mitre.org/techniques/T1574/010/"}]}, {"id": "T1554", "name": "Compromise Host Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 314}, "id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_104.json b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_104.json
deleted file mode 100644
index fe61650d722..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects writing executable files that will be automatically launched by Adobe on launch.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Adobe Hijack Persistence", "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n 
- Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n not process.name : \"msiexec.exe\"\n", "references": ["https://twitter.com/pabraeken/status/997997818362155008"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.010", 
"name": "Services File Permissions Weakness", "reference": "https://attack.mitre.org/techniques/T1574/010/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "2bf78aa2-9c56-48de-b139-f169bf99cf86_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_105.json b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_105.json
deleted file mode 100644
index a302a67421c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects writing executable files that will be automatically launched by Adobe on launch.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Adobe Hijack Persistence", "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n not process.name : \"msiexec.exe\"\n", "references": ["https://twitter.com/pabraeken/status/997997818362155008"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.010", 
"name": "Services File Permissions Weakness", "reference": "https://attack.mitre.org/techniques/T1574/010/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "2bf78aa2-9c56-48de-b139-f169bf99cf86_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_106.json b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_106.json
deleted file mode 100644
index b024d4f3064..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects writing executable files that will be automatically launched by Adobe on launch.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Adobe Hijack Persistence", "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n not process.name : \"msiexec.exe\"\n", "references": ["https://twitter.com/pabraeken/status/997997818362155008"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": 
"https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.010", "name": "Services File Permissions Weakness", "reference": "https://attack.mitre.org/techniques/T1574/010/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "2bf78aa2-9c56-48de-b139-f169bf99cf86_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_107.json b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_107.json
deleted file mode 100644
index 8bf5faf8209..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects writing executable files that will be automatically launched by Adobe on launch.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Adobe Hijack Persistence", "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n not process.name : \"msiexec.exe\"\n", "references": ["https://twitter.com/pabraeken/status/997997818362155008"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": 
"https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.010", "name": "Services File Permissions Weakness", "reference": "https://attack.mitre.org/techniques/T1574/010/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "2bf78aa2-9c56-48de-b139-f169bf99cf86_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_108.json b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_108.json
deleted file mode 100644
index e4c91be6613..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects writing executable files that will be automatically launched by Adobe on launch.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Adobe Hijack Persistence", "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n not process.name : \"msiexec.exe\"\n", "references": ["https://twitter.com/pabraeken/status/997997818362155008"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": 
"https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.010", "name": "Services File Permissions Weakness", "reference": "https://attack.mitre.org/techniques/T1574/010/"}]}, {"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "2bf78aa2-9c56-48de-b139-f169bf99cf86_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_109.json b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_109.json
deleted file mode 100644
index a2140f83dcf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects writing executable files that will be automatically launched by Adobe on launch.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Adobe Hijack Persistence", "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - 
!{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n not process.name : \"msiexec.exe\"\n", "references": ["https://twitter.com/pabraeken/status/997997818362155008"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.010", "name": "Services File Permissions Weakness", "reference": "https://attack.mitre.org/techniques/T1574/010/"}]}, {"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "2bf78aa2-9c56-48de-b139-f169bf99cf86_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_110.json b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_110.json
deleted file mode 100644
index e362e49cee5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects writing executable files that will be automatically launched by Adobe on launch.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Adobe Hijack Persistence", "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n not process.name : \"msiexec.exe\"\n", "references": ["https://twitter.com/pabraeken/status/997997818362155008"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.010", "name": "Services File Permissions Weakness", "reference": "https://attack.mitre.org/techniques/T1574/010/"}]}, {"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "2bf78aa2-9c56-48de-b139-f169bf99cf86_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_111.json b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_111.json
deleted file mode 100644
index df3fc4c0efb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects writing executable files that will be automatically launched by Adobe on launch.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Adobe Hijack Persistence", "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n not process.name : \"msiexec.exe\"\n", "references": ["https://twitter.com/pabraeken/status/997997818362155008"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.010", "name": "Services File Permissions Weakness", "reference": "https://attack.mitre.org/techniques/T1574/010/"}]}, {"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "2bf78aa2-9c56-48de-b139-f169bf99cf86_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_212.json b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_212.json
deleted file mode 100644
index 0fe1d491f6a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_212.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects writing executable files that will be automatically launched by Adobe on launch.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Adobe Hijack Persistence", "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n not process.name : \"msiexec.exe\"\n", "references": ["https://twitter.com/pabraeken/status/997997818362155008"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data 
Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.010", "name": "Services File Permissions Weakness", "reference": "https://attack.mitre.org/techniques/T1574/010/"}]}, {"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 212}, "id": "2bf78aa2-9c56-48de-b139-f169bf99cf86_212", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_313.json b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_313.json deleted file mode 100644 index 42ee3368d09..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_313.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects writing executable files that will be automatically launched by Adobe on launch.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Adobe Hijack Persistence", "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n not process.name : \"msiexec.exe\"\n", "references": ["https://twitter.com/pabraeken/status/997997818362155008"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data 
Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.010", "name": "Services File Permissions Weakness", "reference": "https://attack.mitre.org/techniques/T1574/010/"}]}, {"id": "T1554", "name": "Compromise Host Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 313}, "id": "2bf78aa2-9c56-48de-b139-f169bf99cf86_313", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_314.json b/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_314.json deleted file mode 100644 index b8b76dc9a49..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2bf78aa2-9c56-48de-b139-f169bf99cf86_314.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects writing executable files that will be automatically launched by Adobe on launch.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Adobe Hijack Persistence", "note": "## Triage and analysis\n\n### Investigating Adobe Hijack Persistence\n\nAttackers can replace the `RdrCEF.exe` executable with their own to maintain their access, which will be launched whenever Adobe Acrobat Reader is executed.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : (\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat Reader DC\\\\Reader\\\\AcroCEF\\\\RdrCEF.exe\") and\n not process.name : \"msiexec.exe\"\n", "references": ["https://twitter.com/pabraeken/status/997997818362155008"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "2bf78aa2-9c56-48de-b139-f169bf99cf86", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: 
Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.010", "name": "Services File Permissions Weakness", "reference": "https://attack.mitre.org/techniques/T1574/010/"}]}, {"id": "T1554", "name": "Compromise Host Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 314}, "id": "2bf78aa2-9c56-48de-b139-f169bf99cf86_314", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b.json b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b.json deleted file mode 100644 index a1590839d19..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Defender Exclusions Added via PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Defender Exclusions Added via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows. Since this software product is used to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the exclusion in order to determine the intent behind it.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If the exclusion specifies a suspicious file or path, retrieve the file(s) and determine if malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives due to how often network administrators legitimately configure exclusions. In order to validate the activity further, review the specific exclusion and its intent. 
There are many legitimate reasons for exclusions, so it's important to gain context.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Exclusion lists for antimalware capabilities should always be routinely monitored for review.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : (\"*Add-MpPreference*\", \"*Set-MpPreference*\") and\n process.args : (\"*-Exclusion*\")\n", "references": ["https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_104.json b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_104.json deleted file mode 100644 index 4c14813921e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Defender Exclusions Added via PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Defender Exclusions Added via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows. Since this software product is used to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the exclusion in order to determine the intent behind it.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If the exclusion specifies a suspicious file or path, retrieve the file(s) and determine if malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives due to how often network administrators legitimately configure exclusions. In order to validate the activity further, review the specific exclusion and its intent. 
There are many legitimate reasons for exclusions, so it's important to gain context.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Exclusion lists for antimalware capabilities should always be routinely monitored for review.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : (\"*Add-MpPreference*\", \"*Set-MpPreference*\") and\n process.args : (\"*-Exclusion*\")\n", "references": ["https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_105.json b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_105.json
deleted file mode 100644
index 0fd5393abf4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Defender Exclusions Added via PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Defender Exclusions Added via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows. Since this software product is used to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the exclusion in order to determine the intent behind it.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If the exclusion specifies a suspicious file or path, retrieve the file(s) and determine if malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives due to how often network administrators legitimately configure exclusions. In order to validate the activity further, review the specific exclusion and its intent. 
There are many legitimate reasons for exclusions, so it's important to gain context.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Exclusion lists for antimalware capabilities should always be routinely monitored for review.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : (\"*Add-MpPreference*\", \"*Set-MpPreference*\") and\n process.args : (\"*-Exclusion*\")\n", "references": ["https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_106.json b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_106.json
deleted file mode 100644
index 7f8eebe8af4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Defender Exclusions Added via PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Defender Exclusions Added via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows. Since this software product is used to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the exclusion in order to determine the intent behind it.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If the exclusion specifies a suspicious file or path, retrieve the file(s) and determine if malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives due to how often network administrators legitimately configure exclusions. In order to validate the activity further, review the specific exclusion and its intent. 
There are many legitimate reasons for exclusions, so it's important to gain context.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Exclusion lists for antimalware capabilities should always be routinely monitored for review.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : (\"*Add-MpPreference*\", \"*Set-MpPreference*\") and\n process.args : (\"*-Exclusion*\")\n", "references": ["https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data 
Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_107.json b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_107.json
deleted file mode 100644
index 7223ebb0e6d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Defender Exclusions Added via PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Defender Exclusions Added via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows. Since this software product is used to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the exclusion in order to determine the intent behind it.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If the exclusion specifies a suspicious file or path, retrieve the file(s) and determine if malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives due to how often network administrators legitimately configure exclusions. In order to validate the activity further, review the specific exclusion and its intent. 
There are many legitimate reasons for exclusions, so it's important to gain context.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Exclusion lists for antimalware capabilities should always be routinely monitored for review.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : (\"*Add-MpPreference*\", \"*Set-MpPreference*\") and\n process.args : (\"*-Exclusion*\")\n", "references": ["https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", 
"severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_108.json b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_108.json
deleted file mode 100644
index 9533800f5f2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Defender Exclusions Added via PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Defender Exclusions Added via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows. Since this software product is used to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the exclusion in order to determine the intent behind it.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If the exclusion specifies a suspicious file or path, retrieve the file(s) and determine if malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives due to how often network administrators legitimately configure exclusions. In order to validate the activity further, review the specific exclusion and its intent. 
There are many legitimate reasons for exclusions, so it's important to gain context.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Exclusion lists for antimalware capabilities should always be routinely monitored for review.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : (\"*Add-MpPreference*\", \"*Set-MpPreference*\") and\n process.args : (\"*-Exclusion*\")\n", "references": ["https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_109.json b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_109.json
deleted file mode 100644
index f10795d7b21..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Defender Exclusions Added via PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Defender Exclusions Added via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows. Since this software product is used to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the exclusion in order to determine the intent behind it.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If the exclusion specifies a suspicious file or path, retrieve the file(s) and determine if malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives due to how often network administrators legitimately configure exclusions. In order to validate the activity further, review the specific exclusion and its intent. 
There are many legitimate reasons for exclusions, so it's important to gain context.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Exclusion lists for antimalware capabilities should always be routinely monitored for review.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : (\"*Add-MpPreference*\", \"*Set-MpPreference*\") and\n process.args : (\"*-Exclusion*\")\n", "references": ["https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_110.json b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_110.json
deleted file mode 100644
index 5679cc13c8c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Defender Exclusions Added via PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Defender Exclusions Added via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows. Since this software product is used to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the exclusion in order to determine the intent behind it.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If the exclusion specifies a suspicious file or path, retrieve the file(s) and determine if malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives due to how often network administrators legitimately configure exclusions. In order to validate the activity further, review the specific exclusion and its intent. 
There are many legitimate reasons for exclusions, so it's important to gain context.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Exclusion lists for antimalware capabilities should always be routinely monitored for review.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : (\"*Add-MpPreference*\", \"*Set-MpPreference*\") and\n process.args : (\"*-Exclusion*\")\n", "references": ["https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_111.json b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_111.json
deleted file mode 100644
index c15a80d0054..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Defender Exclusions Added via PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Defender Exclusions Added via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows. Since this software product is used to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the exclusion in order to determine the intent behind it.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If the exclusion specifies a suspicious file or path, retrieve the file(s) and determine if malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives due to how often network administrators legitimately configure exclusions. In order to validate the activity further, review the specific exclusion and its intent. 
There are many legitimate reasons for exclusions, so it's important to gain context.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Exclusion lists for antimalware capabilities should always be routinely monitored for review.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : (\"*Add-MpPreference*\", \"*Set-MpPreference*\") and\n process.args : (\"*-Exclusion*\")\n", "references": ["https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_112.json b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_112.json
deleted file mode 100644
index 26495434aef..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_112.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Defender Exclusions Added via PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Defender Exclusions Added via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows. Since this software product is used to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the exclusion in order to determine the intent behind it.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If the exclusion specifies a suspicious file or path, retrieve the file(s) and determine if malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives due to how often network administrators legitimately configure exclusions. In order to validate the activity further, review the specific exclusion and its intent. 
There are many legitimate reasons for exclusions, so it's important to gain context.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Exclusion lists for antimalware capabilities should always be routinely monitored for review.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : (\"*Add-MpPreference*\", \"*Set-MpPreference*\") and\n process.args : (\"*-Exclusion*\")\n", "references": ["https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf", "https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign", "https://www.elastic.co/security-labs/operation-bleeding-bear", "https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 
8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_312.json b/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_312.json
deleted file mode 100644
index d95cacc21b8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2c17e5d7-08b9-43b2-b58a-0270d65ac85b_312.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the Windows Defender configuration settings using PowerShell to add exclusions at the folder directory or process level.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Defender Exclusions Added via PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Defender Exclusions Added via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows. Since this software product is used to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the exclusion in order to determine the intent behind it.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- If the exclusion specifies a suspicious file or path, retrieve the file(s) and determine if malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives due to how often network administrators legitimately configure exclusions. In order to validate the activity further, review the specific exclusion and its intent. 
There are many legitimate reasons for exclusions, so it's important to gain context.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Exclusion lists for antimalware capabilities should always be routinely monitored for review.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : (\"*Add-MpPreference*\", \"*Set-MpPreference*\") and\n process.args : (\"*-Exclusion*\")\n", "references": ["https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf", "https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign", "https://www.elastic.co/security-labs/operation-bleeding-bear", "https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: 
Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 312}, "id": "2c17e5d7-08b9-43b2-b58a-0270d65ac85b_312", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a.json b/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a.json deleted file mode 100644 index c3554b546e2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Microsoft Diagnostics Wizard Execution", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name == \"msdt.exe\" or process.name : \"msdt.exe\") and\n (\n process.args : (\"IT_RebrowseForFile=*\", \"ms-msdt:/id\", \"ms-msdt:-id\", \"*FromBase64*\") or\n\n (process.args : \"-af\" and process.args : \"/skip\" and\n process.parent.name : (\"explorer.exe\", \"cmd.exe\", \"powershell.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\", \"rundll32.exe\", \"regsvr32.exe\") and\n process.args : (\"?:\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml\", \"PCWDiagnostic.xml\", \"?:\\\\Users\\\\Public\\\\*\", \"?:\\\\Windows\\\\Temp\\\\*\")) or\n\n (process.pe.original_file_name == \"msdt.exe\" and not process.name : \"msdt.exe\" and process.name != null) or\n\n (process.pe.original_file_name == \"msdt.exe\" and not process.executable : (\"?:\\\\Windows\\\\system32\\\\msdt.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msdt.exe\"))\n )\n", "references": ["https://twitter.com/nao_sec/status/1530196847679401984", "https://lolbas-project.github.io/lolbas/Binaries/Msdt/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": 
true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_104.json b/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_104.json deleted file mode 100644 index a129f25b206..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Microsoft Diagnostics Wizard Execution", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name == \"msdt.exe\" or process.name : \"msdt.exe\") and\n (\n process.args : (\"IT_RebrowseForFile=*\", \"ms-msdt:/id\", \"ms-msdt:-id\", \"*FromBase64*\") or\n\n (process.args : \"-af\" and process.args : \"/skip\" and\n process.parent.name : (\"explorer.exe\", \"cmd.exe\", \"powershell.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\", \"rundll32.exe\", \"regsvr32.exe\") and\n process.args : (\"?:\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml\", \"PCWDiagnostic.xml\", \"?:\\\\Users\\\\Public\\\\*\", \"?:\\\\Windows\\\\Temp\\\\*\")) or\n\n (process.pe.original_file_name == \"msdt.exe\" and not process.name : \"msdt.exe\" and process.name != null) or\n\n (process.pe.original_file_name == \"msdt.exe\" and not process.executable : (\"?:\\\\Windows\\\\system32\\\\msdt.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msdt.exe\"))\n )\n", "references": ["https://twitter.com/nao_sec/status/1530196847679401984", "https://lolbas-project.github.io/lolbas/Binaries/Msdt/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": 
true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_105.json b/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_105.json deleted file mode 100644 index b15193766a1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Microsoft Diagnostics Wizard Execution", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name == \"msdt.exe\" or process.name : \"msdt.exe\") and\n (\n process.args : (\"IT_RebrowseForFile=*\", \"ms-msdt:/id\", \"ms-msdt:-id\", \"*FromBase64*\") or\n\n (process.args : \"-af\" and process.args : \"/skip\" and\n process.parent.name : (\"explorer.exe\", \"cmd.exe\", \"powershell.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\", \"rundll32.exe\", \"regsvr32.exe\") and\n process.args : (\"?:\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml\", \"PCWDiagnostic.xml\", \"?:\\\\Users\\\\Public\\\\*\", \"?:\\\\Windows\\\\Temp\\\\*\")) or\n\n (process.pe.original_file_name == \"msdt.exe\" and not process.name : \"msdt.exe\" and process.name != null) or\n\n (process.pe.original_file_name == \"msdt.exe\" and not process.executable : (\"?:\\\\Windows\\\\system32\\\\msdt.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msdt.exe\"))\n )\n", "references": ["https://twitter.com/nao_sec/status/1530196847679401984", "https://lolbas-project.github.io/lolbas/Binaries/Msdt/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": 
true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_106.json b/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_106.json deleted file mode 100644 index 79dd546c212..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Microsoft Diagnostics Wizard Execution", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name == \"msdt.exe\" or process.name : \"msdt.exe\") and\n (\n process.args : (\"IT_RebrowseForFile=*\", \"ms-msdt:/id\", \"ms-msdt:-id\", \"*FromBase64*\") or\n\n (process.args : \"-af\" and process.args : \"/skip\" and\n process.parent.name : (\"explorer.exe\", \"cmd.exe\", \"powershell.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\", \"rundll32.exe\", \"regsvr32.exe\") and\n process.args : (\"?:\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml\", \"PCWDiagnostic.xml\", \"?:\\\\Users\\\\Public\\\\*\", \"?:\\\\Windows\\\\Temp\\\\*\")) or\n\n (process.pe.original_file_name == \"msdt.exe\" and not process.name : \"msdt.exe\" and process.name != null) or\n\n (process.pe.original_file_name == \"msdt.exe\" and not process.executable : (\"?:\\\\Windows\\\\system32\\\\msdt.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msdt.exe\"))\n )\n", "references": ["https://twitter.com/nao_sec/status/1530196847679401984", "https://lolbas-project.github.io/lolbas/Binaries/Msdt/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": 
true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_107.json b/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_107.json deleted file mode 100644 index 85e1f3d1b81..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Microsoft Diagnostics Wizard Execution", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name == \"msdt.exe\" or process.name : \"msdt.exe\") and\n (\n process.args : (\"IT_RebrowseForFile=*\", \"ms-msdt:/id\", \"ms-msdt:-id\", \"*FromBase64*\") or\n\n (process.args : \"-af\" and process.args : \"/skip\" and\n process.parent.name : (\"explorer.exe\", \"cmd.exe\", \"powershell.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\", \"rundll32.exe\", \"regsvr32.exe\") and\n process.args : (\"?:\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml\", \"PCWDiagnostic.xml\", \"?:\\\\Users\\\\Public\\\\*\", \"?:\\\\Windows\\\\Temp\\\\*\")) or\n\n (process.pe.original_file_name == \"msdt.exe\" and not process.name : \"msdt.exe\" and process.name != null) or\n\n (process.pe.original_file_name == \"msdt.exe\" and not process.executable : (\"?:\\\\Windows\\\\system32\\\\msdt.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msdt.exe\"))\n )\n", "references": ["https://twitter.com/nao_sec/status/1530196847679401984", "https://lolbas-project.github.io/lolbas/Binaries/Msdt/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, 
"name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_108.json b/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_108.json deleted file mode 100644 index e1f4c58914f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Microsoft Diagnostics Wizard Execution", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name == \"msdt.exe\" or process.name : \"msdt.exe\") and\n (\n process.args : (\"IT_RebrowseForFile=*\", \"ms-msdt:/id\", \"ms-msdt:-id\", \"*FromBase64*\") or\n\n (process.args : \"-af\" and process.args : \"/skip\" and\n process.parent.name : (\"explorer.exe\", \"cmd.exe\", \"powershell.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\", \"rundll32.exe\", \"regsvr32.exe\") and\n process.args : (\"?:\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml\", \"PCWDiagnostic.xml\", \"?:\\\\Users\\\\Public\\\\*\", \"?:\\\\Windows\\\\Temp\\\\*\")) or\n\n (process.pe.original_file_name == \"msdt.exe\" and not process.name : \"msdt.exe\" and process.name != null) or\n\n (process.pe.original_file_name == \"msdt.exe\" and not process.executable : (\"?:\\\\Windows\\\\system32\\\\msdt.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msdt.exe\"))\n )\n", "references": ["https://twitter.com/nao_sec/status/1530196847679401984", "https://lolbas-project.github.io/lolbas/Binaries/Msdt/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, 
"name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_109.json b/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_109.json deleted file mode 100644 index 105b62aa025..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Microsoft Diagnostics Wizard Execution", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name == \"msdt.exe\" or process.name : \"msdt.exe\") and\n (\n process.args : (\"IT_RebrowseForFile=*\", \"ms-msdt:/id\", \"ms-msdt:-id\", \"*FromBase64*\") or\n\n (process.args : \"-af\" and process.args : \"/skip\" and\n process.parent.name : (\"explorer.exe\", \"cmd.exe\", \"powershell.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\", \"rundll32.exe\", \"regsvr32.exe\") and\n process.args : (\"?:\\\\WINDOWS\\\\diagnostics\\\\index\\\\PCWDiagnostic.xml\", \"PCWDiagnostic.xml\", \"?:\\\\Users\\\\Public\\\\*\", \"?:\\\\Windows\\\\Temp\\\\*\")) or\n\n (process.pe.original_file_name == \"msdt.exe\" and not process.name : \"msdt.exe\" and process.name != null) or\n\n (process.pe.original_file_name == \"msdt.exe\" and not process.executable : (\"?:\\\\Windows\\\\system32\\\\msdt.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msdt.exe\"))\n )\n", "references": ["https://twitter.com/nao_sec/status/1530196847679401984", "https://lolbas-project.github.io/lolbas/Binaries/Msdt/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": 
true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2c6a6acf-0dcb-404d-89fb-6b0327294cfa_101.json b/packages/security_detection_engine/kibana/security_rule/2c6a6acf-0dcb-404d-89fb-6b0327294cfa_101.json deleted file mode 100644 index 701def1c235..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2c6a6acf-0dcb-404d-89fb-6b0327294cfa_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the Foxmail client spawning a child process with argument pointing to the Foxmail temp directory. This may indicate the successful exploitation of a Foxmail vulnerability for initial access and execution via a malicious email.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-endpoint.events.process-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Foxmail Exploitation", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and \n process.parent.name : \"Foxmail.exe\" and process.args : (\"?:\\\\Users\\\\*\\\\AppData\\\\*\", \"\\\\\\\\*\")\n\n", "references": ["https://mp.weixin.qq.com/s/F8hNyESBdKhwXkQPgtGpew"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "2c6a6acf-0dcb-404d-89fb-6b0327294cfa", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: System", "Data Source: Elastic Endgame", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, 
"technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1189", "name": "Drive-by Compromise", "reference": "https://attack.mitre.org/techniques/T1189/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 101}, "id": "2c6a6acf-0dcb-404d-89fb-6b0327294cfa_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2c6a6acf-0dcb-404d-89fb-6b0327294cfa_201.json b/packages/security_detection_engine/kibana/security_rule/2c6a6acf-0dcb-404d-89fb-6b0327294cfa_201.json deleted file mode 100644 index cc6725e6450..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2c6a6acf-0dcb-404d-89fb-6b0327294cfa_201.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the Foxmail client spawning a child process with argument pointing to the Foxmail temp directory. This may indicate the successful exploitation of a Foxmail vulnerability for initial access and execution via a malicious email.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-endpoint.events.process-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Foxmail Exploitation", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and \n process.parent.name : \"Foxmail.exe\" and process.args : (\"?:\\\\Users\\\\*\\\\AppData\\\\*\", \"\\\\\\\\*\")\n\n", "references": ["https://mp.weixin.qq.com/s/F8hNyESBdKhwXkQPgtGpew"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "2c6a6acf-0dcb-404d-89fb-6b0327294cfa", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: System", "Data Source: Elastic Endgame", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, 
"technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1189", "name": "Drive-by Compromise", "reference": "https://attack.mitre.org/techniques/T1189/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 201}, "id": "2c6a6acf-0dcb-404d-89fb-6b0327294cfa_201", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2d62889e-e758-4c5e-b57e-c735914ee32a_101.json b/packages/security_detection_engine/kibana/security_rule/2d62889e-e758-4c5e-b57e-c735914ee32a_101.json deleted file mode 100644 index 8efa66530b4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2d62889e-e758-4c5e-b57e-c735914ee32a_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious PowerShell execution spawning from Windows Script Host processes (cscript or wscript.exe).", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "logs-system.security*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious PowerShell Execution via Windows Scripts", "query": "process where host.os.type == \"windows\" and event.action == \"start\" and\n process.name : (\"powershell.exe\", \"pwsh.exe\") and\n process.parent.name : (\"wscript.exe\", \"cscript.exe\", \"mshta.exe\") and\n (\n process.args_count == 1 or\n process.command_line :\n (\"*^*^*^*^*^*^*^*^*^*\",\n \"*''*''*''*\",\n \"*`*`*`*`*\",\n \"*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*{*\",\n \"*+*+*+*+*+*\",\n \"*$*$*$*$*\",\n \"*[char[]](*)*-join\",\n \"*Base64String*\",\n \"*[*Convert]*\",\n \"*.Text.Encoding*\",\n \"*.Compression.*\",\n \"*.replace(*\",\n \"*MemoryStream*\",\n \"*WriteAllBytes*\",\n \"* -en* *\",\n \"* -ec *\",\n \"* -e *\",\n \"* -ep *\",\n \"* /e *\",\n \"* /en* *\",\n \"* /ec *\",\n \"* /ep *\",\n \"*WebClient*\",\n \"*DownloadFile*\",\n \"*DownloadString*\",\n \"*BitsTransfer*\",\n \"*Invoke-Exp*\",\n \"*invoke-web*\",\n \"*iex*\",\n \"*iwr*\",\n \"*Reflection.Assembly*\",\n \"*Assembly.GetType*\",\n \"*.Sockets.*\",\n \"*Add-MpPreference*ExclusionPath*\",\n \"*raw.githubusercontent*\")\n ) and\n\n /* many legit powershell commands uses those non shortened execution flags excluding Sync-AppvPublishingServer lolbas */\n not (process.args : (\"-EncodedCommand\", \"Import-Module*\", \"-NonInteractive\") and\n process.args : \"-ExecutionPolicy\" and not process.args : \"Sync-AppvPublishingServer\") and\n\n /* third party installation related FPs */\n not ?process.parent.args : \"?:\\\\Windows\\\\system32\\\\gatherNetworkInfo.vbs\" and\n not (?process.parent.args : 
\"Microsoft.SystemCenter.ICMPProbe.WithConsecutiveSamples.vbs\" and process.args : \"Get-SCOMAgent\") and\n not (process.command_line : \"*WEBLOGIC_ARGS_CURRENT_1.DATA*\" and ?process.parent.command_line : \"*Impact360*\") and\n not process.args : \"$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers;*\" and\n not process.command_line : (\"*.Access.IdentityReference*win32_SID.SID*\", \"*AGIAbQB4AC0AYQBwAC4AcwAzAC4AdQBzAC0AZQBhAHMAd*\") and\n not (?process.parent.args : \"?:\\\\Users\\\\Prestige\\\\AppData\\\\Local\\\\Temp\\\\Rar$*\\\\KMS_VL_ALL_AIO.cmd -elevated\" and process.command_line : \"*KMS_VL_ALL_AIO.cmd*\") and\n not process.args : \"iwr https://*.s3.us-east-1.amazonaws.com/scripts/Start-SpeedTest.ps1 -UserAgent * -UseBasicParsing | invoke-expression\" and\n not (process.parent.name : \"wscript.exe\" and\n ?process.parent.args : \"C:\\\\Program Files (x86)\\\\Telivy\\\\Telivy Agent\\\\telivy.js\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "2d62889e-e758-4c5e-b57e-c735914ee32a", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: System", "Data Source: Sysmon", "Data Source: 
SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 101}, "id": "2d62889e-e758-4c5e-b57e-c735914ee32a_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504.json b/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504.json deleted file mode 100644 index e981683740c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module.", "false_positives": ["Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."], "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Enumeration of Kernel Modules", "new_terms_fields": ["process.parent.command_line", "process.command_line", "host.id"], "query": "event.category:process and host.os.type:linux and event.type:start and event.action:(exec or exec_event) and (\n (process.name:(lsmod or modinfo)) or \n (process.name:kmod and process.args:list) or \n (process.name:depmod and process.args:(--all or -a))\n) and not process.parent.name:(mkinitramfs or cryptroot or framebuffer or dracut or jem or thin-provisioning-tools\nor readykernel or lvm2 or vz-start or iscsi or mdadm or ovalprobes or bcache or plymouth or dkms or overlayroot or \nweak-modules or zfs)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2d8043ed-5bda-4caf-801c-c1feb7410504", "setup": "## Setup\n\nThis rule requires data 
coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 209}, "id": "2d8043ed-5bda-4caf-801c-c1feb7410504", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_103.json b/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_103.json deleted file mode 100644 index 61d49eb2981..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module.", "false_positives": ["Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Enumeration of Kernel Modules", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 47, "rule_id": "2d8043ed-5bda-4caf-801c-c1feb7410504", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Discovery", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "2d8043ed-5bda-4caf-801c-c1feb7410504_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_104.json b/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_104.json deleted file mode 100644 index 5656a368cc1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module.", "false_positives": ["Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Kernel Modules", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and \n((process.name == \"kmod\" and process.args == \"list\") or (process.name == \"modinfo\" and process.parent.user.id != \"0\") or \n(process.name == \"depmod\" and process.args in (\"--all\", \"-a\") and process.parent.user.id != \"0\") \nor process.name == \"lsmod\") and not process.parent.name : (\"vboxmanage\", \"virtualbox\", \"prime-offload\", \"vboxdrv.sh\") and not \nprocess.group_leader.name : \"qualys-cloud-agent\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.group_leader.name", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "2d8043ed-5bda-4caf-801c-c1feb7410504", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "2d8043ed-5bda-4caf-801c-c1feb7410504_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_204.json b/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_204.json deleted file mode 100644 index 7e292280630..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_204.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module.", "false_positives": ["Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."], "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Enumeration of Kernel Modules", "new_terms_fields": ["process.parent.name", "host.id"], "query": "event.category:process and host.os.type:linux and event.type:start and (\n (process.name:(lsmod or modinfo)) or \n (process.name:kmod and process.args:list) or \n (process.name:depmod and process.args:(--all or -a))\n) and not process.parent.user.id:0\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "2d8043ed-5bda-4caf-801c-c1feb7410504", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], 
"timestamp_override": "event.ingested", "type": "new_terms", "version": 204}, "id": "2d8043ed-5bda-4caf-801c-c1feb7410504_204", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_205.json b/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_205.json deleted file mode 100644 index cda22f4902b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module.", "false_positives": ["Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."], "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Enumeration of Kernel Modules", "new_terms_fields": ["process.parent.name", "host.id"], "query": "event.category:process and host.os.type:linux and event.type:start and (\n (process.name:(lsmod or modinfo)) or \n (process.name:kmod and process.args:list) or \n (process.name:depmod and process.args:(--all or -a))\n) and process.parent.name:(sudo or bash or dash or ash or sh or tcsh or csh or zsh or ksh or fish) and \nnot process.parent.user.id:0\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "2d8043ed-5bda-4caf-801c-c1feb7410504", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", 
"reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 205}, "id": "2d8043ed-5bda-4caf-801c-c1feb7410504_205", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_206.json b/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_206.json deleted file mode 100644 index 1616fe0df59..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_206.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module.", "false_positives": ["Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."], "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Enumeration of Kernel Modules", "new_terms_fields": ["host.id", "process.command_line", "process.parent.executable"], "query": "event.category:process and host.os.type:linux and event.type:start and (\n (process.name:(lsmod or modinfo)) or \n (process.name:kmod and process.args:list) or \n (process.name:depmod and process.args:(--all or -a))\n) \n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2d8043ed-5bda-4caf-801c-c1feb7410504", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 206}, "id": "2d8043ed-5bda-4caf-801c-c1feb7410504_206", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_207.json b/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_207.json deleted file mode 100644 index a917928b28b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_207.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module.", "false_positives": ["Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."], "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Enumeration of Kernel Modules", "new_terms_fields": ["host.id", "process.command_line", "process.parent.executable"], "query": "event.category:process and host.os.type:linux and event.type:start and (\n (process.name:(lsmod or modinfo)) or \n (process.name:kmod and process.args:list) or \n (process.name:depmod and process.args:(--all or -a))\n) \n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2d8043ed-5bda-4caf-801c-c1feb7410504", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 207}, "id": "2d8043ed-5bda-4caf-801c-c1feb7410504_207", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_208.json b/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_208.json deleted file mode 100644 index 67e00c4d9ef..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_208.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module.", "false_positives": ["Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."], "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Enumeration of Kernel Modules", "new_terms_fields": ["process.parent.command_line", "process.command_line", "process.parent.executable"], "query": "event.category:process and host.os.type:linux and event.type:start and (\n (process.name:(lsmod or modinfo)) or \n (process.name:kmod and process.args:list) or \n (process.name:depmod and process.args:(--all or -a))\n) and not process.parent.name:(mkinitramfs or cryptroot or framebuffer or dracut or jem or thin-provisioning-tools\nor readykernel or lvm2 or vz-start or iscsi or mdadm)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2d8043ed-5bda-4caf-801c-c1feb7410504", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 208}, "id": "2d8043ed-5bda-4caf-801c-c1feb7410504_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_209.json b/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_209.json deleted file mode 100644 index 04a59940dda..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2d8043ed-5bda-4caf-801c-c1feb7410504_209.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module.", "false_positives": ["Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."], "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Enumeration of Kernel Modules", "new_terms_fields": ["process.parent.command_line", "process.command_line", "host.id"], "query": "event.category:process and host.os.type:linux and event.type:start and event.action:(exec or exec_event) and (\n (process.name:(lsmod or modinfo)) or \n (process.name:kmod and process.args:list) or \n (process.name:depmod and process.args:(--all or -a))\n) and not process.parent.name:(mkinitramfs or cryptroot or framebuffer or dracut or jem or thin-provisioning-tools\nor readykernel or lvm2 or vz-start or iscsi or mdadm or ovalprobes or bcache or plymouth or dkms or overlayroot or \nweak-modules or zfs)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2d8043ed-5bda-4caf-801c-c1feb7410504", "setup": "## Setup\n\nThis rule requires data 
coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 209}, "id": "2d8043ed-5bda-4caf-801c-c1feb7410504_209", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a.json b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a.json deleted file mode 100644 index 9eb79b82957..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Access via Direct System Call", "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) > 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", "references": ["https://twitter.com/SBousseaden/status/1278013896440324096", "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"process.executable", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 73, "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 211}, "id": "2dd480be-1263-4d9c-8672-172928f6789a", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_104.json b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_104.json deleted file mode 100644 index a5f4bab70a3..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Access via Direct System Call", "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) > 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", "references": ["https://twitter.com/SBousseaden/status/1278013896440324096", "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"process.executable", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "unknown"}], "risk_score": 73, "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "2dd480be-1263-4d9c-8672-172928f6789a_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_105.json b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_105.json deleted file mode 100644 index a43959d9756..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Access via Direct System Call", "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) > 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", "references": ["https://twitter.com/SBousseaden/status/1278013896440324096", "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"process.executable", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "unknown"}], "risk_score": 73, "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "2dd480be-1263-4d9c-8672-172928f6789a_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_106.json b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_106.json deleted file mode 100644 index c766e4fe652..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Access via Direct System Call", "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) > 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", "references": ["https://twitter.com/SBousseaden/status/1278013896440324096", "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"process.executable", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "unknown"}], "risk_score": 73, "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "2dd480be-1263-4d9c-8672-172928f6789a_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_107.json b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_107.json deleted file mode 100644 index 5d45284681b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Access via Direct System Call", "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) > 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", "references": ["https://twitter.com/SBousseaden/status/1278013896440324096", "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"process.executable", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 73, "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "2dd480be-1263-4d9c-8672-172928f6789a_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_208.json b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_208.json deleted file mode 100644 index af487a3d16c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_208.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Access via Direct System Call", "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) > 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", "references": ["https://twitter.com/SBousseaden/status/1278013896440324096", "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"process.executable", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 73, "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 208}, "id": "2dd480be-1263-4d9c-8672-172928f6789a_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_209.json b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_209.json
deleted file mode 100644
index c242ba8f58a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_209.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Access via Direct System Call", "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) > 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", "references": ["https://twitter.com/SBousseaden/status/1278013896440324096", "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"process.executable", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 73, "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 209}, "id": "2dd480be-1263-4d9c-8672-172928f6789a_209", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_210.json b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_210.json
deleted file mode 100644
index 51725fea81d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_210.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Access via Direct System Call", "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) > 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", "references": ["https://twitter.com/SBousseaden/status/1278013896440324096", "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, 
"name": "process.executable", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 73, "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 210}, "id": "2dd480be-1263-4d9c-8672-172928f6789a_210", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_211.json b/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_211.json
deleted file mode 100644
index 62f27a12700..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2dd480be-1263-4d9c-8672-172928f6789a_211.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Access via Direct System Call", "note": "## Triage and analysis\n\n### Investigating Suspicious Process Access via Direct System Call\n\nEndpoint security solutions usually hook userland Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.\n\nMore context and technical details can be found in this [research blog](https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/).\n\nThis rule identifies suspicious process access events from an unknown memory region. Attackers can use direct system calls to bypass security solutions that rely on hooks.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This detection may be triggered by certain applications that install root certificates for the purpose of inspecting SSL traffic. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove the malicious certificate from the root certificate store.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n length(winlog.event_data.CallTrace) > 0 and\n\n /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */\n not winlog.event_data.CallTrace :\n (\"?:\\\\WINDOWS\\\\SYSTEM32\\\\ntdll.dll*\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\ntdll.dll*\",\n \"?:\\\\Windows\\\\System32\\\\wow64cpu.dll*\",\n \"?:\\\\WINDOWS\\\\System32\\\\wow64win.dll*\",\n \"?:\\\\Windows\\\\System32\\\\win32u.dll*\") and\n\n not winlog.event_data.TargetImage :\n (\"?:\\\\Program Files (x86)\\\\Malwarebytes Anti-Exploit\\\\mbae-svc.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\*\\\\AcroCEF.exe\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Program Files (x86)\\\\World of Warcraft\\\\_classic_\\\\WowClassic.exe\") and\n not winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\")\n", "references": ["https://twitter.com/SBousseaden/status/1278013896440324096", "https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"process.executable", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 73, "rule_id": "2dd480be-1263-4d9c-8672-172928f6789a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 211}, "id": "2dd480be-1263-4d9c-8672-172928f6789a_211", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2ddc468e-b39b-4f5b-9825-f3dcb0e998ea.json b/packages/security_detection_engine/kibana/security_rule/2ddc468e-b39b-4f5b-9825-f3dcb0e998ea.json
deleted file mode 100644
index 67cc872d0b7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2ddc468e-b39b-4f5b-9825-f3dcb0e998ea.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies processes that are capable of downloading files with command line arguments containing URLs to SSH-IT's autonomous SSH worm. This worm intercepts outgoing SSH connections every time a user uses ssh.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential SSH-IT SSH Worm Downloaded", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name in (\"curl\", \"wget\") and process.args : (\n \"https://thc.org/ssh-it/x\", \"http://nossl.segfault.net/ssh-it-deploy.sh\", \"https://gsocket.io/x\",\n \"https://thc.org/ssh-it/bs\", \"http://nossl.segfault.net/bs\"\n)\n", "references": ["https://www.thc.org/ssh-it/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}, {"id": "T1563", "name": "Remote Service Session Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2ddc468e-b39b-4f5b-9825-f3dcb0e998ea_1.json b/packages/security_detection_engine/kibana/security_rule/2ddc468e-b39b-4f5b-9825-f3dcb0e998ea_1.json deleted file mode 100644 index 03519fc59df..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/2ddc468e-b39b-4f5b-9825-f3dcb0e998ea_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies processes that are capable of downloading files with command line arguments containing URLs to SSH-IT's autonomous SSH worm. This worm intercepts outgoing SSH connections every time a user uses ssh.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential SSH-IT SSH Worm Downloaded", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name in (\"curl\", \"wget\") and process.args : (\n \"https://thc.org/ssh-it/x\", \"http://nossl.segfault.net/ssh-it-deploy.sh\", \"https://gsocket.io/x\",\n \"https://thc.org/ssh-it/bs\", \"http://nossl.segfault.net/bs\"\n)\n", "references": ["https://www.thc.org/ssh-it/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}, {"id": "T1563", "name": "Remote Service Session Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": 
[{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2ddc468e-b39b-4f5b-9825-f3dcb0e998ea_2.json b/packages/security_detection_engine/kibana/security_rule/2ddc468e-b39b-4f5b-9825-f3dcb0e998ea_2.json deleted file mode 100644 index f0f9b80cb96..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2ddc468e-b39b-4f5b-9825-f3dcb0e998ea_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies processes that are capable of downloading files with command line arguments containing URLs to SSH-IT's autonomous SSH worm. This worm intercepts outgoing SSH connections every time a user uses ssh.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential SSH-IT SSH Worm Downloaded", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name in (\"curl\", \"wget\") and process.args : (\n \"https://thc.org/ssh-it/x\", \"http://nossl.segfault.net/ssh-it-deploy.sh\", \"https://gsocket.io/x\",\n \"https://thc.org/ssh-it/bs\", \"http://nossl.segfault.net/bs\"\n)\n", "references": ["https://www.thc.org/ssh-it/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}, {"id": "T1563", "name": "Remote Service Session Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0.json b/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0.json deleted file mode 100644 index ad13c826e35..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-20m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "O365 Excessive Single Sign-On Logon Errors", "note": "", "query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:\"SsoArtifactInvalidOrExpired\"\n", "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.LogonError", "type": "keyword"}], "risk_score": 73, "rule_id": "2de10e77-c144-4e69-afb7-344e7127abd0", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["user.id"], "value": 5}, "timestamp_override": "event.ingested", "type": "threshold", "version": 207}, "id": "2de10e77-c144-4e69-afb7-344e7127abd0", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_101.json b/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_101.json
deleted file mode 100644
index d6fb5792cce..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_101.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-20m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "O365 Excessive Single Sign-On Logon Errors", "note": "", "query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:\"SsoArtifactInvalidOrExpired\"\n", "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.LogonError", "type": "keyword"}], "risk_score": 73, "rule_id": "2de10e77-c144-4e69-afb7-344e7127abd0", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["user.id"], "value": 5}, "type": "threshold", "version": 101}, "id": "2de10e77-c144-4e69-afb7-344e7127abd0_101", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_102.json b/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_102.json
deleted file mode 100644
index d186d04317d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-20m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "O365 Excessive Single Sign-On Logon Errors", "note": "", "query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:\"SsoArtifactInvalidOrExpired\"\n", "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.LogonError", "type": "keyword"}], "risk_score": 73, "rule_id": "2de10e77-c144-4e69-afb7-344e7127abd0", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["user.id"], "value": 5}, "type": "threshold", "version": 102}, "id": "2de10e77-c144-4e69-afb7-344e7127abd0_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_103.json b/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_103.json
deleted file mode 100644
index 915e6d197c0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-20m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "O365 Excessive Single Sign-On Logon Errors", "note": "", "query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:\"SsoArtifactInvalidOrExpired\"\n", "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.LogonError", "type": "keyword"}], "risk_score": 73, "rule_id": "2de10e77-c144-4e69-afb7-344e7127abd0", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["user.id"], "value": 5}, "timestamp_override": "event.ingested", "type": "threshold", "version": 103}, "id": "2de10e77-c144-4e69-afb7-344e7127abd0_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_104.json b/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_104.json
deleted file mode 100644
index 1058ba611bb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-20m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "O365 Excessive Single Sign-On Logon Errors", "note": "", "query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:\"SsoArtifactInvalidOrExpired\"\n", "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.LogonError", "type": "keyword"}], "risk_score": 73, "rule_id": "2de10e77-c144-4e69-afb7-344e7127abd0", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["user.id"], "value": 5}, "timestamp_override": "event.ingested", "type": "threshold", "version": 104}, "id": "2de10e77-c144-4e69-afb7-344e7127abd0_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_106.json b/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_106.json
deleted file mode 100644
index 75efb166672..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2de10e77-c144-4e69-afb7-344e7127abd0_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-20m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "O365 Excessive Single Sign-On Logon Errors", "note": "", "query": "event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:\"SsoArtifactInvalidOrExpired\"\n", "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.LogonError", "type": "keyword"}], "risk_score": 73, "rule_id": "2de10e77-c144-4e69-afb7-344e7127abd0", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["user.id"], "value": 5}, "timestamp_override": "event.ingested", "type": "threshold", "version": 106}, "id": "2de10e77-c144-4e69-afb7-344e7127abd0_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600.json b/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600.json
deleted file mode 100644
index 04d2fffb961..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Wireless Credential Dumping using Netsh Command", "note": "## Triage and analysis\n\n### Investigating Wireless Credential Dumping using Netsh Command\n\nNetsh is a Windows command line tool used for network configuration and troubleshooting. It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks.\n\nThis rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False 
positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or ?process.pe.original_file_name == \"netsh.exe\") and\n process.args : \"wlan\" and process.args : \"key*clear\"\n", "references": ["https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts", "https://www.geeksforgeeks.org/how-to-find-the-wi-fi-password-using-cmd-in-windows/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": 
"process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "2de87d72-ee0c-43e2-b975-5f0b029ac600", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 9}, "id": "2de87d72-ee0c-43e2-b975-5f0b029ac600", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_209.json b/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_209.json deleted file mode 100644 index e3a91127117..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_209.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Wireless Credential Dumping using Netsh Command", "note": "## Triage and analysis\n\n### Investigating Wireless Credential Dumping using Netsh Command\n\nNetsh is a Windows command line tool used for network configuration and troubleshooting. It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks.\n\nThis rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False 
positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or ?process.pe.original_file_name == \"netsh.exe\") and\n process.args : \"wlan\" and process.args : \"key*clear\"\n", "references": ["https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts", "https://www.geeksforgeeks.org/how-to-find-the-wi-fi-password-using-cmd-in-windows/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^2.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", 
"type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "2de87d72-ee0c-43e2-b975-5f0b029ac600", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 209}, "id": "2de87d72-ee0c-43e2-b975-5f0b029ac600_209", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_3.json b/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_3.json deleted file mode 100644 index 2cb3367e161..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Wireless Credential Dumping using Netsh Command", "note": "## Triage and analysis\n\n### Investigating Wireless Credential Dumping using Netsh Command\n\nNetsh is a Windows command line tool used for network configuration and troubleshooting. It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks.\n\nThis rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : \"wlan\" and process.args : \"key*clear\"\n", "references": ["https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts", "https://www.geeksforgeeks.org/how-to-find-the-wi-fi-password-using-cmd-in-windows/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "2de87d72-ee0c-43e2-b975-5f0b029ac600", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Discovery", "Elastic Endgame", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": 
"https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "2de87d72-ee0c-43e2-b975-5f0b029ac600_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_4.json b/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_4.json deleted file mode 100644 index 3e13f264a6c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Wireless Credential Dumping using Netsh Command", "note": "## Triage and analysis\n\n### Investigating Wireless Credential Dumping using Netsh Command\n\nNetsh is a Windows command line tool used for network configuration and troubleshooting. It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks.\n\nThis rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False 
positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : \"wlan\" and process.args : \"key*clear\"\n", "references": ["https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts", "https://www.geeksforgeeks.org/how-to-find-the-wi-fi-password-using-cmd-in-windows/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], 
"risk_score": 73, "rule_id": "2de87d72-ee0c-43e2-b975-5f0b029ac600", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Discovery", "Elastic Endgame", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "2de87d72-ee0c-43e2-b975-5f0b029ac600_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_5.json b/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_5.json deleted file mode 100644 index df100899e12..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Wireless Credential Dumping using Netsh Command", "note": "## Triage and analysis\n\n### Investigating Wireless Credential Dumping using Netsh Command\n\nNetsh is a Windows command line tool used for network configuration and troubleshooting. It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks.\n\nThis rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False 
positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : \"wlan\" and process.args : \"key*clear\"\n", "references": ["https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts", "https://www.geeksforgeeks.org/how-to-find-the-wi-fi-password-using-cmd-in-windows/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], 
"risk_score": 73, "rule_id": "2de87d72-ee0c-43e2-b975-5f0b029ac600", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "2de87d72-ee0c-43e2-b975-5f0b029ac600_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_6.json b/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_6.json deleted file mode 100644 index 004a1b8ab8c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Wireless Credential Dumping using Netsh Command", "note": "## Triage and analysis\n\n### Investigating Wireless Credential Dumping using Netsh Command\n\nNetsh is a Windows command line tool used for network configuration and troubleshooting. It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks.\n\nThis rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False 
positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or process.pe.original_file_name == \"netsh.exe\") and\n process.args : \"wlan\" and process.args : \"key*clear\"\n", "references": ["https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts", "https://www.geeksforgeeks.org/how-to-find-the-wi-fi-password-using-cmd-in-windows/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], 
"risk_score": 73, "rule_id": "2de87d72-ee0c-43e2-b975-5f0b029ac600", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "2de87d72-ee0c-43e2-b975-5f0b029ac600_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_7.json b/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_7.json deleted file mode 100644 index 6d8e3356054..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_7.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Wireless Credential Dumping using Netsh Command", "note": "## Triage and analysis\n\n### Investigating Wireless Credential Dumping using Netsh Command\n\nNetsh is a Windows command line tool used for network configuration and troubleshooting. It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks.\n\nThis rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False 
positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or ?process.pe.original_file_name == \"netsh.exe\") and\n process.args : \"wlan\" and process.args : \"key*clear\"\n", "references": ["https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts", "https://www.geeksforgeeks.org/how-to-find-the-wi-fi-password-using-cmd-in-windows/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": 
"process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "2de87d72-ee0c-43e2-b975-5f0b029ac600", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "2de87d72-ee0c-43e2-b975-5f0b029ac600_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_8.json b/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_8.json
deleted file mode 100644
index 2082be7bea1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_8.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Wireless Credential Dumping using Netsh Command", "note": "## Triage and analysis\n\n### Investigating Wireless Credential Dumping using Netsh Command\n\nNetsh is a Windows command line tool used for network configuration and troubleshooting. It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks.\n\nThis rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False 
positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or ?process.pe.original_file_name == \"netsh.exe\") and\n process.args : \"wlan\" and process.args : \"key*clear\"\n", "references": ["https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts", "https://www.geeksforgeeks.org/how-to-find-the-wi-fi-password-using-cmd-in-windows/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": 
"process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "2de87d72-ee0c-43e2-b975-5f0b029ac600", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "2de87d72-ee0c-43e2-b975-5f0b029ac600_8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_9.json b/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_9.json
deleted file mode 100644
index 31519f97c8d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2de87d72-ee0c-43e2-b975-5f0b029ac600_9.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Wireless Credential Dumping using Netsh Command", "note": "## Triage and analysis\n\n### Investigating Wireless Credential Dumping using Netsh Command\n\nNetsh is a Windows command line tool used for network configuration and troubleshooting. It enables the management of network settings and adapters, wireless network profiles, and other network-related tasks.\n\nThis rule looks for patterns used to dump credentials from wireless network profiles using Netsh, which can enable attackers to bring their own devices to the network.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False 
positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"netsh.exe\" or ?process.pe.original_file_name == \"netsh.exe\") and\n process.args : \"wlan\" and process.args : \"key*clear\"\n", "references": ["https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts", "https://www.geeksforgeeks.org/how-to-find-the-wi-fi-password-using-cmd-in-windows/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": 
"process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "2de87d72-ee0c-43e2-b975-5f0b029ac600", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 9}, "id": "2de87d72-ee0c-43e2-b975-5f0b029ac600_9", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902.json b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902.json
deleted file mode 100644
index e1259a7362b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Renamed AutoIt Scripts Interpreter", "note": "## Triage and analysis\n\n### Investigating Renamed AutoIt Scripts Interpreter\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nAutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware.\n\nThis rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": 
"https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_104.json b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_104.json
deleted file mode 100644
index 463ac095d9e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Renamed AutoIt Scripts Interpreter", "note": "## Triage and analysis\n\n### Investigating Renamed AutoIt Scripts Interpreter\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nAutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware.\n\nThis rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not 
added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_105.json b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_105.json
deleted file mode 100644
index ddda648d2ca..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Renamed AutoIt Scripts Interpreter", "note": "## Triage and analysis\n\n### Investigating Renamed AutoIt Scripts Interpreter\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nAutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware.\n\nThis rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902_105", "type": 
"security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_106.json b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_106.json
deleted file mode 100644
index 85376141a8d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Renamed AutoIt Scripts Interpreter", "note": "## Triage and analysis\n\n### Investigating Renamed AutoIt Scripts Interpreter\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nAutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware.\n\nThis rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": 
"2e1e835d-01e5-48ca-b9fc-7a61f7f11902_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_107.json b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_107.json
deleted file mode 100644
index 3c4502d470c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Renamed AutoIt Scripts Interpreter", "note": "## Triage and analysis\n\n### Investigating Renamed AutoIt Scripts Interpreter\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nAutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware.\n\nThis rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", 
"version": 107}, "id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_108.json b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_108.json
deleted file mode 100644
index 3463bc61c50..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Renamed AutoIt Scripts Interpreter", "note": "## Triage and analysis\n\n### Investigating Renamed AutoIt Scripts Interpreter\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nAutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware.\n\nThis rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", 
"subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_109.json b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_109.json
deleted file mode 100644
index b98b443017e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Renamed AutoIt Scripts Interpreter", "note": "## Triage and analysis\n\n### Investigating Renamed AutoIt Scripts Interpreter\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nAutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware.\n\nThis rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": 
"https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_110.json b/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_110.json deleted file mode 100644 index 07ee83706d4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2e1e835d-01e5-48ca-b9fc-7a61f7f11902_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious AutoIt process execution. Malware written as an AutoIt script tends to rename the AutoIt executable to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Renamed AutoIt Scripts Interpreter", "note": "## Triage and analysis\n\n### Investigating Renamed AutoIt Scripts Interpreter\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nAutoIt is a scripting language and tool for automating tasks on Microsoft Windows operating systems. Due to its capabilities, malicious threat actors can abuse it to create malicious scripts and distribute malware.\n\nThis rule checks for renamed instances of AutoIt, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"AutoIt*.exe\" and not process.name : \"AutoIt*.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": 
"https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "2e1e835d-01e5-48ca-b9fc-7a61f7f11902_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d.json b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d.json deleted file mode 100644 index 8c604a4c2ea..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.", "false_positives": ["Legitimate PowerShell scripts that make use of these functions."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Process Injection via PowerShell", "note": "## Triage and analysis\n\n### Investigating Potential Process Injection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way, like the execution of inline C# code, PSReflect, Get-ProcAddress, etc.\n\nRed Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject payloads directly into the memory without touching the disk to circumvent file-based security protections.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n- Check if the injected code can be retrieved (hardcoded in the script or on command line logs).\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or\n LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and\n (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or\n SuspendThread or ResumeThread or GetDelegateForFunctionPointer)\n ) and not \n file.directory: (\n \"C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\SenseCM\" or\n \"C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\"\n )\n", "references": ["https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1", "https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 73, "rule_id": "2e29e96a-b67c-455a-afe4-de6183431d0d", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be 
enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.001", "name": "Dynamic-link Library Injection", "reference": "https://attack.mitre.org/techniques/T1055/001/"}, {"id": "T1055.002", "name": "Portable Executable Injection", "reference": "https://attack.mitre.org/techniques/T1055/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 111}, "id": "2e29e96a-b67c-455a-afe4-de6183431d0d", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_105.json b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_105.json
deleted file mode 100644
index 1a6bf092603..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.", "false_positives": ["Legitimate PowerShell scripts that make use of these functions."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Process Injection via PowerShell", "note": "## Triage and analysis\n\n### Investigating Potential Process Injection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way, like the execution of inline C# code, PSReflect, Get-ProcAddress, etc.\n\nRed Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject payloads directly into the memory without touching the disk to circumvent file-based security protections.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n- Check if the injected code can be retrieved (hardcoded in the script or on command line logs).\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or\n LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and\n (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or\n SuspendThread or ResumeThread or GetDelegateForFunctionPointer)\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1", "https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "2e29e96a-b67c-455a-afe4-de6183431d0d", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging 
(Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "PowerShell"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.001", "name": "Dynamic-link Library Injection", "reference": "https://attack.mitre.org/techniques/T1055/001/"}, {"id": "T1055.002", "name": "Portable Executable Injection", "reference": "https://attack.mitre.org/techniques/T1055/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "2e29e96a-b67c-455a-afe4-de6183431d0d_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_106.json b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_106.json
deleted file mode 100644
index 6a4db30b9c1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.", "false_positives": ["Legitimate PowerShell scripts that make use of these functions."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Process Injection via PowerShell", "note": "## Triage and analysis\n\n### Investigating Potential Process Injection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way, like the execution of inline C# code, PSReflect, Get-ProcAddress, etc.\n\nRed Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject payloads directly into the memory without touching the disk to circumvent file-based security protections.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n- Check if the injected code can be retrieved (hardcoded in the script or on command line logs).\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or\n LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and\n (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or\n SuspendThread or ResumeThread or GetDelegateForFunctionPointer)\n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\SenseCM\")\n", "references": ["https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1", "https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "2e29e96a-b67c-455a-afe4-de6183431d0d", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps 
to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "PowerShell"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.001", "name": "Dynamic-link Library Injection", "reference": "https://attack.mitre.org/techniques/T1055/001/"}, {"id": "T1055.002", "name": "Portable Executable Injection", "reference": "https://attack.mitre.org/techniques/T1055/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "2e29e96a-b67c-455a-afe4-de6183431d0d_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_107.json b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_107.json deleted file mode 100644 index a74161aa9fc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.", "false_positives": ["Legitimate PowerShell scripts that make use of these functions."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Process Injection via PowerShell", "note": "## Triage and analysis\n\n### Investigating Potential Process Injection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way, like the execution of inline C# code, PSReflect, Get-ProcAddress, etc.\n\nRed Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject payloads directly into the memory without touching the disk to circumvent file-based security protections.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n- Check if the injected code can be retrieved (hardcoded in the script or on command line logs).\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or\n LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and\n (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or\n SuspendThread or ResumeThread or GetDelegateForFunctionPointer)\n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\SenseCM\")\n", "references": ["https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1", "https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "2e29e96a-b67c-455a-afe4-de6183431d0d", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps 
to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.001", "name": "Dynamic-link Library Injection", "reference": "https://attack.mitre.org/techniques/T1055/001/"}, {"id": "T1055.002", "name": "Portable Executable Injection", "reference": "https://attack.mitre.org/techniques/T1055/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "2e29e96a-b67c-455a-afe4-de6183431d0d_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_108.json b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_108.json deleted file mode 100644 index 880645f1c67..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.", "false_positives": ["Legitimate PowerShell scripts that make use of these functions."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Process Injection via PowerShell", "note": "## Triage and analysis\n\n### Investigating Potential Process Injection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way, like the execution of inline C# code, PSReflect, Get-ProcAddress, etc.\n\nRed Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject payloads directly into the memory without touching the disk to circumvent file-based security protections.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n- Check if the injected code can be retrieved (hardcoded in the script or on command line logs).\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or\n LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and\n (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or\n SuspendThread or ResumeThread or GetDelegateForFunctionPointer)\n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\SenseCM\")\n", "references": ["https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1", "https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "2e29e96a-b67c-455a-afe4-de6183431d0d", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps 
to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.001", "name": "Dynamic-link Library Injection", "reference": "https://attack.mitre.org/techniques/T1055/001/"}, {"id": "T1055.002", "name": "Portable Executable Injection", "reference": "https://attack.mitre.org/techniques/T1055/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "2e29e96a-b67c-455a-afe4-de6183431d0d_108", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_109.json b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_109.json
deleted file mode 100644
index 51c2b662df2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.", "false_positives": ["Legitimate PowerShell scripts that make use of these functions."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Process Injection via PowerShell", "note": "## Triage and analysis\n\n### Investigating Potential Process Injection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way, like the execution of inline C# code, PSReflect, Get-ProcAddress, etc.\n\nRed Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject payloads directly into the memory without touching the disk to circumvent file-based security protections.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n- Check if the injected code can be retrieved (hardcoded in the script or on command line logs).\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or\n LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and\n (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or\n SuspendThread or ResumeThread or GetDelegateForFunctionPointer)\n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\SenseCM\")\n", "references": ["https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1", "https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "2e29e96a-b67c-455a-afe4-de6183431d0d", "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be 
enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.001", "name": "Dynamic-link Library Injection", "reference": "https://attack.mitre.org/techniques/T1055/001/"}, {"id": "T1055.002", "name": "Portable Executable Injection", "reference": "https://attack.mitre.org/techniques/T1055/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 109}, "id": "2e29e96a-b67c-455a-afe4-de6183431d0d_109", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_110.json b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_110.json
deleted file mode 100644
index 81a821d9d44..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.", "false_positives": ["Legitimate PowerShell scripts that make use of these functions."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Process Injection via PowerShell", "note": "## Triage and analysis\n\n### Investigating Potential Process Injection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way, like the execution of inline C# code, PSReflect, Get-ProcAddress, etc.\n\nRed Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject payloads directly into the memory without touching the disk to circumvent file-based security protections.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n- Check if the injected code can be retrieved (hardcoded in the script or on command line logs).\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or\n LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and\n (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or\n SuspendThread or ResumeThread or GetDelegateForFunctionPointer)\n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\SenseCM\")\n", "references": ["https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1", "https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "2e29e96a-b67c-455a-afe4-de6183431d0d", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be 
enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.001", "name": "Dynamic-link Library Injection", "reference": "https://attack.mitre.org/techniques/T1055/001/"}, {"id": "T1055.002", "name": "Portable Executable Injection", "reference": "https://attack.mitre.org/techniques/T1055/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 110}, "id": "2e29e96a-b67c-455a-afe4-de6183431d0d_110", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json
deleted file mode 100644
index 550f51800ee..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.", "false_positives": ["Legitimate PowerShell scripts that make use of these functions."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Process Injection via PowerShell", "note": "## Triage and analysis\n\n### Investigating Potential Process Injection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way, like the execution of inline C# code, PSReflect, Get-ProcAddress, etc.\n\nRed Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject payloads directly into the memory without touching the disk to circumvent file-based security protections.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n- Check if the injected code can be retrieved (hardcoded in the script or on command line logs).\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or\n LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and\n (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or\n SuspendThread or ResumeThread or GetDelegateForFunctionPointer)\n ) and not \n file.directory: (\n \"C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\SenseCM\" or\n \"C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\"\n )\n", "references": ["https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1", "https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 73, "rule_id": "2e29e96a-b67c-455a-afe4-de6183431d0d", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be 
enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.001", "name": "Dynamic-link Library Injection", "reference": "https://attack.mitre.org/techniques/T1055/001/"}, {"id": "T1055.002", "name": "Portable Executable Injection", "reference": "https://attack.mitre.org/techniques/T1055/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 111}, "id": "2e29e96a-b67c-455a-afe4-de6183431d0d_111", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_112.json b/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_112.json
deleted file mode 100644
index c10a9821c2e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2e29e96a-b67c-455a-afe4-de6183431d0d_112.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes.", "false_positives": ["Legitimate PowerShell scripts that make use of these functions."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Process Injection via PowerShell", "note": "## Triage and analysis\n\n### Investigating Potential Process Injection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPowerShell also has solid capabilities to make the interaction with the Win32 API in an uncomplicated and reliable way, like the execution of inline C# code, PSReflect, Get-ProcAddress, etc.\n\nRed Team tooling and malware developers take advantage of these capabilities to develop stagers and loaders that inject payloads directly into the memory without touching the disk to circumvent file-based security protections.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n- Check if the injected code can be retrieved (hardcoded in the script or on command line logs).\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or\n LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and\n (WriteProcessMemory or CreateRemoteThread or NtCreateThreadEx or CreateThread or QueueUserAPC or\n SuspendThread or ResumeThread or GetDelegateForFunctionPointer)\n ) and not \n file.directory: (\n \"C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\SenseCM\" or\n \"C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\"\n )\n", "references": ["https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1", "https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 73, "rule_id": "2e29e96a-b67c-455a-afe4-de6183431d0d", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be 
enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.001", "name": "Dynamic-link Library Injection", "reference": "https://attack.mitre.org/techniques/T1055/001/"}, {"id": "T1055.002", "name": "Portable Executable Injection", "reference": "https://attack.mitre.org/techniques/T1055/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 112}, "id": "2e29e96a-b67c-455a-afe4-de6183431d0d_112", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/2e311539-cd88-4a85-a301-04f38795007c.json b/packages/security_detection_engine/kibana/security_rule/2e311539-cd88-4a85-a301-04f38795007c.json
deleted file mode 100644
index 890ac629619..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2e311539-cd88-4a85-a301-04f38795007c.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies commands containing references to Outlook data files extensions, which can potentially indicate the search, access, or modification of these files.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Accessing Outlook Data Files", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.args : (\"*.ost\", \"*.pst\") and\n not process.name : \"outlook.exe\" and\n not (\n process.name : \"rundll32.exe\" and\n process.args : \"*davclnt.dll,DavSetCookie*\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "2e311539-cd88-4a85-a301-04f38795007c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", "name": "Local Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "2e311539-cd88-4a85-a301-04f38795007c", "type": "security-rule"} \ No newline at 
end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2e311539-cd88-4a85-a301-04f38795007c_1.json b/packages/security_detection_engine/kibana/security_rule/2e311539-cd88-4a85-a301-04f38795007c_1.json
deleted file mode 100644
index c2cfd18d067..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2e311539-cd88-4a85-a301-04f38795007c_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies commands containing references to Outlook data files extensions, which can potentially indicate the search, access, or modification of these files.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Accessing Outlook Data Files", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.args : (\"*.ost\", \"*.pst\") and\n not process.name : \"outlook.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "2e311539-cd88-4a85-a301-04f38795007c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", "name": "Local Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "2e311539-cd88-4a85-a301-04f38795007c_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/2e311539-cd88-4a85-a301-04f38795007c_2.json b/packages/security_detection_engine/kibana/security_rule/2e311539-cd88-4a85-a301-04f38795007c_2.json
deleted file mode 100644
index e5ace60e662..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2e311539-cd88-4a85-a301-04f38795007c_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies commands containing references to Outlook data files extensions, which can potentially indicate the search, access, or modification of these files.", "from": "now-119m", "index": ["logs-endpoint.events.process-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Accessing Outlook Data Files", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.args : (\"*.ost\", \"*.pst\") and\n not process.name : \"outlook.exe\" and\n not (\n process.name : \"rundll32.exe\" and\n process.args : \"*davclnt.dll,DavSetCookie*\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "2e311539-cd88-4a85-a301-04f38795007c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", "name": "Local Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "2e311539-cd88-4a85-a301-04f38795007c_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/2e311539-cd88-4a85-a301-04f38795007c_3.json b/packages/security_detection_engine/kibana/security_rule/2e311539-cd88-4a85-a301-04f38795007c_3.json
deleted file mode 100644
index 3f9d8f652ec..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2e311539-cd88-4a85-a301-04f38795007c_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies commands containing references to Outlook data files extensions, which can potentially indicate the search, access, or modification of these files.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Accessing Outlook Data Files", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.args : (\"*.ost\", \"*.pst\") and\n not process.name : \"outlook.exe\" and\n not (\n process.name : \"rundll32.exe\" and\n process.args : \"*davclnt.dll,DavSetCookie*\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "2e311539-cd88-4a85-a301-04f38795007c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", "name": "Local Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "2e311539-cd88-4a85-a301-04f38795007c_3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/2e311539-cd88-4a85-a301-04f38795007c_4.json b/packages/security_detection_engine/kibana/security_rule/2e311539-cd88-4a85-a301-04f38795007c_4.json
deleted file mode 100644
index ab9364452fc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2e311539-cd88-4a85-a301-04f38795007c_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies commands containing references to Outlook data files extensions, which can potentially indicate the search, access, or modification of these files.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Accessing Outlook Data Files", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.args : (\"*.ost\", \"*.pst\") and\n not process.name : \"outlook.exe\" and\n not (\n process.name : \"rundll32.exe\" and\n process.args : \"*davclnt.dll,DavSetCookie*\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "2e311539-cd88-4a85-a301-04f38795007c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", "name": "Local Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "2e311539-cd88-4a85-a301-04f38795007c_4", "type": "security-rule"} \ No newline at 
end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2e56e1bc-867a-11ee-b13e-f661ea17fbcd.json b/packages/security_detection_engine/kibana/security_rule/2e56e1bc-867a-11ee-b13e-f661ea17fbcd.json
deleted file mode 100644
index 8efa897d74b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2e56e1bc-867a-11ee-b13e-f661ea17fbcd.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a specific Okta actor has multiple sessions started from different geolocations. Adversaries may attempt to launch an attack by using a list of known usernames and passwords to gain unauthorized access to user accounts from different locations.", "from": "now-30m", "interval": "15m", "language": "esql", "license": "Elastic License v2", "name": "Okta User Sessions Started from Different Geolocations", "note": "\n## Triage and analysis\n\n### Investigating Okta User Sessions Started from Different Geolocations\n\nThis rule detects when a specific Okta actor has multiple sessions started from different geolocations. Adversaries may attempt to launch an attack by using a list of known usernames and passwords to gain unauthorized access to user accounts from different locations.\n\n#### Possible investigation steps:\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.id` values can be used to pivot into the raw authentication events related to this alert.\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for 
password spraying.\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n\n### False positive analysis:\n- It is very rare that a legitimate user would have multiple sessions started from different geo-located countries in a short time frame.\n\n### Response and remediation:\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for the user.\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\n - This will prevent future occurrences of this event for this device from triggering the rule.\n - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event 
from triggering the rule.\n - This should be done with caution as it may prevent legitimate alerts from being generated.\n", "query": "FROM logs-okta*\n| WHERE\n event.dataset == \"okta.system\"\n AND (event.action RLIKE \"user\\\\.authentication(.*)\" OR event.action == \"user.session.start\")\n AND okta.security_context.is_proxy != true and okta.actor.id != \"unknown\"\n AND event.outcome == \"success\"\n| STATS\n geo_auth_counts = COUNT_DISTINCT(client.geo.country_name)\n BY okta.actor.id, okta.actor.alternate_id\n| WHERE\n geo_auth_counts >= 2\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/"], "risk_score": 47, "rule_id": "2e56e1bc-867a-11ee-b13e-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 101}, "id": "2e56e1bc-867a-11ee-b13e-f661ea17fbcd", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/2e56e1bc-867a-11ee-b13e-f661ea17fbcd_1.json b/packages/security_detection_engine/kibana/security_rule/2e56e1bc-867a-11ee-b13e-f661ea17fbcd_1.json
deleted file mode 100644
index 53d33b7a206..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2e56e1bc-867a-11ee-b13e-f661ea17fbcd_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a specific Okta actor has multiple sessions started from different geolocations.", "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "15m", "language": "kuery", "license": "Elastic License v2", "name": "Okta User Sessions Started from Different Geolocations", "note": "", "query": "event.dataset:okta.system and okta.event_type:user.session.start and not okta.security_context.is_proxy:true\n and okta.actor.id:* and client.geo.country_name:*\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "client.geo.country_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}, {"ecs": false, "name": "okta.security_context.is_proxy", "type": "boolean"}], "risk_score": 47, "rule_id": "2e56e1bc-867a-11ee-b13e-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": 
"T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "threshold": {"cardinality": [{"field": "client.geo.country_name", "value": 2}], "field": ["okta.actor.id"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 1}, "id": "2e56e1bc-867a-11ee-b13e-f661ea17fbcd_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2e56e1bc-867a-11ee-b13e-f661ea17fbcd_101.json b/packages/security_detection_engine/kibana/security_rule/2e56e1bc-867a-11ee-b13e-f661ea17fbcd_101.json deleted file mode 100644 index a60e01b147b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2e56e1bc-867a-11ee-b13e-f661ea17fbcd_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a specific Okta actor has multiple sessions started from different geolocations. Adversaries may attempt to launch an attack by using a list of known usernames and passwords to gain unauthorized access to user accounts from different locations.", "from": "now-30m", "interval": "15m", "language": "esql", "license": "Elastic License v2", "name": "Okta User Sessions Started from Different Geolocations", "note": "\n## Triage and analysis\n\n### Investigating Okta User Sessions Started from Different Geolocations\n\nThis rule detects when a specific Okta actor has multiple sessions started from different geolocations. Adversaries may attempt to launch an attack by using a list of known usernames and passwords to gain unauthorized access to user accounts from different locations.\n\n#### Possible investigation steps:\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.id` values can be used to pivot into the raw authentication events related to this alert.\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for 
password spraying.\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n\n### False positive analysis:\n- It is very rare that a legitimate user would have multiple sessions started from different geo-located countries in a short time frame.\n\n### Response and remediation:\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for the user.\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\n - This will prevent future occurrences of this event for this device from triggering the rule.\n - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event 
from triggering the rule.\n - This should be done with caution as it may prevent legitimate alerts from being generated.\n", "query": "FROM logs-okta*\n| WHERE\n event.dataset == \"okta.system\"\n AND (event.action RLIKE \"user\\\\.authentication(.*)\" OR event.action == \"user.session.start\")\n AND okta.security_context.is_proxy != true and okta.actor.id != \"unknown\"\n AND event.outcome == \"success\"\n| STATS\n geo_auth_counts = COUNT_DISTINCT(client.geo.country_name)\n BY okta.actor.id, okta.actor.alternate_id\n| WHERE\n geo_auth_counts >= 2\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/"], "risk_score": 47, "rule_id": "2e56e1bc-867a-11ee-b13e-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 101}, "id": "2e56e1bc-867a-11ee-b13e-f661ea17fbcd_101", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/2e56e1bc-867a-11ee-b13e-f661ea17fbcd_102.json b/packages/security_detection_engine/kibana/security_rule/2e56e1bc-867a-11ee-b13e-f661ea17fbcd_102.json
deleted file mode 100644
index cd5e600067b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2e56e1bc-867a-11ee-b13e-f661ea17fbcd_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a specific Okta actor has multiple sessions started from different geolocations. Adversaries may attempt to launch an attack by using a list of known usernames and passwords to gain unauthorized access to user accounts from different locations.", "from": "now-30m", "interval": "15m", "language": "esql", "license": "Elastic License v2", "name": "Okta User Sessions Started from Different Geolocations", "note": "\n## Triage and analysis\n\n### Investigating Okta User Sessions Started from Different Geolocations\n\nThis rule detects when a specific Okta actor has multiple sessions started from different geolocations. Adversaries may attempt to launch an attack by using a list of known usernames and passwords to gain unauthorized access to user accounts from different locations.\n\n#### Possible investigation steps:\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.id` values can be used to pivot into the raw authentication events related to this alert.\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for 
password spraying.\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n\n### False positive analysis:\n- It is very rare that a legitimate user would have multiple sessions started from different geo-located countries in a short time frame.\n\n### Response and remediation:\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for the user.\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\n - This will prevent future occurrences of this event for this device from triggering the rule.\n - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event 
from triggering the rule.\n - This should be done with caution as it may prevent legitimate alerts from being generated.\n", "query": "FROM logs-okta*\n| WHERE\n event.dataset == \"okta.system\"\n AND (event.action RLIKE \"user\\\\.authentication(.*)\" OR event.action == \"user.session.start\")\n AND okta.security_context.is_proxy != true and okta.actor.id != \"unknown\"\n AND event.outcome == \"success\"\n| STATS\n geo_auth_counts = COUNT_DISTINCT(client.geo.country_name)\n BY okta.actor.id, okta.actor.alternate_id\n| WHERE\n geo_auth_counts >= 2\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "risk_score": 47, "rule_id": "2e56e1bc-867a-11ee-b13e-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 102}, "id": "2e56e1bc-867a-11ee-b13e-f661ea17fbcd_102", "type": 
"security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2e56e1bc-867a-11ee-b13e-f661ea17fbcd_203.json b/packages/security_detection_engine/kibana/security_rule/2e56e1bc-867a-11ee-b13e-f661ea17fbcd_203.json new file mode 100644 index 00000000000..cd387f0335a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/2e56e1bc-867a-11ee-b13e-f661ea17fbcd_203.json 
@@ -0,0 +1,62 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects when a specific Okta actor has multiple sessions started from different geolocations. Adversaries may attempt to launch an attack by using a list of known usernames and passwords to gain unauthorized access to user accounts from different locations.",
+ "from": "now-30m",
+ "interval": "15m",
+ "language": "esql",
+ "license": "Elastic License v2",
+ "name": "Okta User Sessions Started from Different Geolocations",
+ "note": "\n## Triage and analysis\n\n### Investigating Okta User Sessions Started from Different Geolocations\n\nThis rule detects when a specific Okta actor has multiple sessions started from different geolocations. Adversaries may attempt to launch an attack by using a list of known usernames and passwords to gain unauthorized access to user accounts from different locations.\n\n#### Possible investigation steps:\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.id` values can be used to pivot into the raw authentication events related to this alert.\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\n - If the event type is `user.authentication.password`, the user may be using a proxy to 
access multiple accounts for password spraying.\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n\n### False positive analysis:\n- It is very rare that a legitimate user would have multiple sessions started from different geo-located countries in a short time frame.\n\n### Response and remediation:\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for the user.\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\n - This will prevent future occurrences of this event for this device from triggering the rule.\n - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent 
future occurrences of this event from triggering the rule.\n - This should be done with caution as it may prevent legitimate alerts from being generated.\n",
+ "query": "FROM logs-okta*\n| WHERE\n event.dataset == \"okta.system\"\n AND (event.action RLIKE \"user\\\\.authentication(.*)\" OR event.action == \"user.session.start\")\n AND okta.security_context.is_proxy != true and okta.actor.id != \"unknown\"\n AND event.outcome == \"success\"\n| KEEP event.action, okta.security_context.is_proxy, okta.actor.id, event.outcome, client.geo.country_name, okta.actor.alternate_id\n| STATS\n geo_auth_counts = COUNT_DISTINCT(client.geo.country_name)\n BY okta.actor.id, okta.actor.alternate_id\n| WHERE\n geo_auth_counts >= 2\n",
+ "references": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "risk_score": 47,
+ "rule_id": "2e56e1bc-867a-11ee-b13e-f661ea17fbcd",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n",
+ "severity": "medium",
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Initial Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/",
+ "subtechnique": [
+ {
+ "id": 
"T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "esql", + "version": 203 + }, + "id": "2e56e1bc-867a-11ee-b13e-f661ea17fbcd_203", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe.json b/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe.json deleted file mode 100644 index 107ad444c50..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control.", "false_positives": ["This rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is expected."], "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "lucene", "license": "Elastic License v2", "name": "Halfbaked Command and Control Beacon", "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.", "query": "(event.dataset: (network_traffic.tls OR network_traffic.http) OR\n (event.category: (network OR network_traffic) AND network.protocol: http)) AND\n network.transport:tcp AND url.full:/http:\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\\/cd/ AND\n destination.port:(53 OR 80 OR 8080 OR 443)\n", "references": ["https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", "https://attack.mitre.org/software/S0151/"], "related_integrations": [], "risk_score": 73, "rule_id": "2e580225-2a58-48ef-938b-572933be06fe", "severity": "high", "tags": ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}, {"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": 
"2e580225-2a58-48ef-938b-572933be06fe", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_101.json b/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_101.json deleted file mode 100644 index 45f1aa67743..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control.", "false_positives": ["This rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is expected."], "from": "now-9m", "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"], "language": "lucene", "license": "Elastic License v2", "name": "Halfbaked Command and Control Beacon", "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.", "query": "event.category:(network OR network_traffic) AND network.protocol:http AND\n network.transport:tcp AND url.full:/http:\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\\/cd/ AND\n destination.port:(53 OR 80 OR 8080 OR 443)\n", "references": ["https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", "https://attack.mitre.org/software/S0151/"], "related_integrations": [], "risk_score": 73, "rule_id": "2e580225-2a58-48ef-938b-572933be06fe", "severity": "high", "tags": ["Elastic", "Network", "Threat Detection", "Command and Control", "Host"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}, {"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "2e580225-2a58-48ef-938b-572933be06fe_101", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_102.json b/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_102.json
deleted file mode 100644
index e7beaa6d2d6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control.", "false_positives": ["This rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is expected."], "from": "now-9m", "index": ["packetbeat-*", "logs-network_traffic.*"], "language": "lucene", "license": "Elastic License v2", "name": "Halfbaked Command and Control Beacon", "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.", "query": "event.dataset: (network_traffic.tls or network_traffic.http) AND\n network.transport:tcp AND url.full:/http:\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\\/cd/ AND\n destination.port:(53 OR 80 OR 8080 OR 443)\n", "references": ["https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", "https://attack.mitre.org/software/S0151/"], "related_integrations": [], "risk_score": 73, "rule_id": "2e580225-2a58-48ef-938b-572933be06fe", "severity": "high", "tags": ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}, {"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "2e580225-2a58-48ef-938b-572933be06fe_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_103.json b/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_103.json
deleted file mode 100644
index dc25fec742d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2e580225-2a58-48ef-938b-572933be06fe_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Halfbaked is a malware family used to establish persistence in a contested network. This rule detects a network activity algorithm leveraged by Halfbaked implant beacons for command and control.", "false_positives": ["This rule should be tailored to exclude systems, either as sources or destinations, in which this behavior is expected."], "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "lucene", "license": "Elastic License v2", "name": "Halfbaked Command and Control Beacon", "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.", "query": "(event.dataset: (network_traffic.tls or network_traffic.http) or\n (event.category: (network or network_traffic) and network.protocol: http)) and\n network.transport:tcp and url.full:/http:\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}\\/cd/ and\n destination.port:(53 or 80 or 8080 or 443)\n", "references": ["https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", "https://attack.mitre.org/software/S0151/"], "related_integrations": [], "risk_score": 73, "rule_id": "2e580225-2a58-48ef-938b-572933be06fe", "severity": "high", "tags": ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}, {"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": 
"2e580225-2a58-48ef-938b-572933be06fe_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e.json b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e.json deleted file mode 100644 index a167ef3a98d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of a Hidden Local User Account", "note": "## Triage and analysis\n\n### Investigating Creation of a Hidden Local User Account\n\nAttackers can create accounts ending with a `$` symbol to make the account hidden to user enumeration utilities and bypass detections that identify computer accounts by this pattern to apply filters.\n\nThis rule uses registry events to identify the creation of local hidden accounts.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positive (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Delete the hidden account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\"\n)\n", "references": ["http://web.archive.org/web/20230329153858/https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html", "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom 
ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_104.json b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_104.json
deleted file mode 100644
index aeeb42df9cb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of a Hidden Local User Account", "note": "## Triage and analysis\n\n### Investigating Creation of a Hidden Local User Account\n\nAttackers can create accounts ending with a `$` symbol to make the account hidden to user enumeration utilities and bypass detections that identify computer accounts by this pattern to apply filters.\n\nThis rule uses registry events to identify the creation of local hidden accounts.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positive (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Delete the hidden account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\"\n)\n", "references": ["https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html", "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": 
"Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_105.json b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_105.json deleted file mode 100644 index e4bfef08797..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of a Hidden Local User Account", "note": "## Triage and analysis\n\n### Investigating Creation of a Hidden Local User Account\n\nAttackers can create accounts ending with a `$` symbol to make the account hidden to user enumeration utilities and bypass detections that identify computer accounts by this pattern to apply filters.\n\nThis rule uses registry events to identify the creation of local hidden accounts.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positive (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Delete the hidden account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\"\n)\n", "references": ["https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html", "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_106.json b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_106.json
deleted file mode 100644
index 1f9064dcfe2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of a Hidden Local User Account", "note": "## Triage and analysis\n\n### Investigating Creation of a Hidden Local User Account\n\nAttackers can create accounts ending with a `$` symbol to make the account hidden to user enumeration utilities and bypass detections that identify computer accounts by this pattern to apply filters.\n\nThis rule uses registry events to identify the creation of local hidden accounts.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positive (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Delete the hidden account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\"\n)\n", "references": ["https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html", "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_107.json b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_107.json deleted file mode 100644 index c96d4dc02d4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_107.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of a Hidden Local User Account", "note": "## Triage and analysis\n\n### Investigating Creation of a Hidden Local User Account\n\nAttackers can create accounts ending with a `$` symbol to make the account hidden to user enumeration utilities and bypass detections that identify computer accounts by this pattern to apply filters.\n\nThis rule uses registry events to identify the creation of local hidden accounts.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positive (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Delete the hidden account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\"\n)\n", "references": ["https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html", "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": 
["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_108.json b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_108.json deleted file mode 100644 index f195b1c530f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_108.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of a Hidden Local User Account", "note": "## Triage and analysis\n\n### Investigating Creation of a Hidden Local User Account\n\nAttackers can create accounts ending with a `$` symbol to make the account hidden to user enumeration utilities and bypass detections that identify computer accounts by this pattern to apply filters.\n\nThis rule uses registry events to identify the creation of local hidden accounts.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positive (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Delete the hidden account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\"\n)\n", "references": ["http://web.archive.org/web/20230329153858/https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html", "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_109.json b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_109.json
deleted file mode 100644
index 73ae85ae09f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of a Hidden Local User Account", "note": "## Triage and analysis\n\n### Investigating Creation of a Hidden Local User Account\n\nAttackers can create accounts ending with a `$` symbol to make the account hidden to user enumeration utilities and bypass detections that identify computer accounts by this pattern to apply filters.\n\nThis rule uses registry events to identify the creation of local hidden accounts.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positive (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Delete the hidden account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\"\n)\n", "references": ["http://web.archive.org/web/20230329153858/https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html", "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_110.json b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_110.json
deleted file mode 100644
index 6ecc4b1b410..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of a Hidden Local User Account", "note": "## Triage and analysis\n\n### Investigating Creation of a Hidden Local User Account\n\nAttackers can create accounts ending with a `$` symbol to make the account hidden to user enumeration utilities and bypass detections that identify computer accounts by this pattern to apply filters.\n\nThis rule uses registry events to identify the creation of local hidden accounts.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positive (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Delete the hidden account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\"\n)\n", "references": ["http://web.archive.org/web/20230329153858/https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html", "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_111.json b/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_111.json
deleted file mode 100644
index 9fd9216a9d4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2edc8076-291e-41e9-81e4-e3fcbc97ae5e_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of a Hidden Local User Account", "note": "## Triage and analysis\n\n### Investigating Creation of a Hidden Local User Account\n\nAttackers can create accounts ending with a `$` symbol to make the account hidden to user enumeration utilities and bypass detections that identify computer accounts by this pattern to apply filters.\n\nThis rule uses registry events to identify the creation of local hidden accounts.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positive (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Delete the hidden account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SAM\\\\SAM\\\\Domains\\\\Account\\\\Users\\\\Names\\\\*$\\\\\"\n)\n", "references": ["http://web.archive.org/web/20230329153858/https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html", "https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom 
ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "2edc8076-291e-41e9-81e4-e3fcbc97ae5e_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43.json b/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43.json
deleted file mode 100644
index eb2cde601ea..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Script with Audio Capture Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Audio Capture Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Windows API with the intent of capturing audio from input devices connected to the victim's computer.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate if the script stores the recorded data locally and determine if anything was recorded.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users should not need scripts to capture audio, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Get-MicrophoneAudio\" or\n \"WindowsAudioDevice-Powershell-Cmdlet\" or\n (waveInGetNumDevs and mciSendStringA)\n )\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1123", "name": "Audio Capture", "reference": "https://attack.mitre.org/techniques/T1123/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 110}, "id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_105.json b/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_105.json
deleted file mode 100644
index fd3b1ec0523..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Script with Audio Capture Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Audio Capture Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Windows API with the intent of capturing audio from input devices connected to the victim's computer.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate if the script stores the recorded data locally and determine if anything was recorded.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users should not need scripts to capture audio, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Get-MicrophoneAudio\" or (waveInGetNumDevs and mciSendStringA)\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "Investigation Guide", "PowerShell"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1123", "name": "Audio Capture", "reference": 
"https://attack.mitre.org/techniques/T1123/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_106.json b/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_106.json
deleted file mode 100644
index 20757039c6e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Script with Audio Capture Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Audio Capture Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Windows API with the intent of capturing audio from input devices connected to the victim's computer.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate if the script stores the recorded data locally and determine if anything was recorded.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users should not need scripts to capture audio, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Get-MicrophoneAudio\" or (waveInGetNumDevs and mciSendStringA)\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1123", "name": "Audio 
Capture", "reference": "https://attack.mitre.org/techniques/T1123/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_107.json b/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_107.json
deleted file mode 100644
index f15f4fe7707..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Script with Audio Capture Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Audio Capture Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Windows API with the intent of capturing audio from input devices connected to the victim's computer.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate if the script stores the recorded data locally and determine if anything was recorded.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users should not need scripts to capture audio, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Get-MicrophoneAudio\" or\n \"WindowsAudioDevice-Powershell-Cmdlet\" or\n (waveInGetNumDevs and mciSendStringA)\n )\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1123", "name": "Audio Capture", "reference": "https://attack.mitre.org/techniques/T1123/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_108.json b/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_108.json
deleted file mode 100644
index c5bbef9af35..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Script with Audio Capture Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Audio Capture Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Windows API with the intent of capturing audio from input devices connected to the victim's computer.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate if the script stores the recorded data locally and determine if anything was recorded.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users should not need scripts to capture audio, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Get-MicrophoneAudio\" or\n \"WindowsAudioDevice-Powershell-Cmdlet\" or\n (waveInGetNumDevs and mciSendStringA)\n )\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1123", "name": "Audio Capture", "reference": "https://attack.mitre.org/techniques/T1123/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_109.json b/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_109.json
deleted file mode 100644
index 620cbf16966..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Script with Audio Capture Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Audio Capture Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Windows API with the intent of capturing audio from input devices connected to the victim's computer.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate if the script stores the recorded data locally and determine if anything was recorded.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users should not need scripts to capture audio, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Get-MicrophoneAudio\" or\n \"WindowsAudioDevice-Powershell-Cmdlet\" or\n (waveInGetNumDevs and mciSendStringA)\n )\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43", "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1123", "name": "Audio Capture", "reference": "https://attack.mitre.org/techniques/T1123/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 109}, "id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_110.json b/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_110.json
deleted file mode 100644
index 2679c526b08..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Script with Audio Capture Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Audio Capture Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Windows API with the intent of capturing audio from input devices connected to the victim's computer.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate if the script stores the recorded data locally and determine if anything was recorded.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users should not need scripts to capture audio, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Get-MicrophoneAudio\" or\n \"WindowsAudioDevice-Powershell-Cmdlet\" or\n (waveInGetNumDevs and mciSendStringA)\n )\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1123", "name": "Audio Capture", "reference": "https://attack.mitre.org/techniques/T1123/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 110}, "id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_111.json b/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_111.json
deleted file mode 100644
index 109aa9fb3a4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2f2f4939-0b34-40c2-a0a3-844eb7889f43_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Script with Audio Capture Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Audio Capture Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Windows API with the intent of capturing audio from input devices connected to the victim's computer.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate if the script stores the recorded data locally and determine if anything was recorded.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users should not need scripts to capture audio, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Get-MicrophoneAudio\" or\n \"WindowsAudioDevice-Powershell-Cmdlet\" or\n (waveInGetNumDevs and mciSendStringA)\n )\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-MicrophoneAudio.ps1"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1123", "name": "Audio Capture", "reference": "https://attack.mitre.org/techniques/T1123/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 111}, "id": "2f2f4939-0b34-40c2-a0a3-844eb7889f43_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194.json b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194.json
deleted file mode 100644
index 26a5b0f0e9f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Disable Syslog Service", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n ( (process.name == \"service\" and process.args == \"stop\") or\n (process.name == \"chkconfig\" and process.args == \"off\") or\n (process.name == \"systemctl\" and process.args in (\"disable\", \"stop\", \"kill\"))\n ) and process.args in (\"syslog\", \"rsyslog\", \"syslog-ng\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2f8a1226-5720-437d-9c20-e0029deb6194", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "2f8a1226-5720-437d-9c20-e0029deb6194", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_103.json b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_103.json deleted file mode 100644 index e315b35d19d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_103.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Disable Syslog Service", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n ((process.name:service and process.args:stop) or\n (process.name:chkconfig and process.args:off) or\n (process.name:systemctl and process.args:(disable or stop or kill)))\n and process.args:(syslog or rsyslog or \"syslog-ng\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2f8a1226-5720-437d-9c20-e0029deb6194", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "2f8a1226-5720-437d-9c20-e0029deb6194_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_104.json b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_104.json
deleted file mode 100644
index 99f6ee105f9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Disable Syslog Service", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n ((process.name:service and process.args:stop) or\n (process.name:chkconfig and process.args:off) or\n (process.name:systemctl and process.args:(disable or stop or kill)))\n and process.args:(syslog or rsyslog or \"syslog-ng\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2f8a1226-5720-437d-9c20-e0029deb6194", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "2f8a1226-5720-437d-9c20-e0029deb6194_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_105.json b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_105.json
deleted file mode 100644
index 1bf61ec3d8f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Disable Syslog Service", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n ( (process.name == \"service\" and process.args == \"stop\") or\n (process.name == \"chkconfig\" and process.args == \"off\") or\n (process.name == \"systemctl\" and process.args in (\"disable\", \"stop\", \"kill\"))\n ) and process.args in (\"syslog\", \"rsyslog\", \"syslog-ng\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2f8a1226-5720-437d-9c20-e0029deb6194", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "2f8a1226-5720-437d-9c20-e0029deb6194_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_106.json b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_106.json
deleted file mode 100644
index a982ce3a7ed..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Disable Syslog Service", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n ( (process.name == \"service\" and process.args == \"stop\") or\n (process.name == \"chkconfig\" and process.args == \"off\") or\n (process.name == \"systemctl\" and process.args in (\"disable\", \"stop\", \"kill\"))\n ) and process.args in (\"syslog\", \"rsyslog\", \"syslog-ng\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2f8a1226-5720-437d-9c20-e0029deb6194", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "2f8a1226-5720-437d-9c20-e0029deb6194_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_107.json b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_107.json
deleted file mode 100644
index f904f85776d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Disable Syslog Service", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n ( (process.name == \"service\" and process.args == \"stop\") or\n (process.name == \"chkconfig\" and process.args == \"off\") or\n (process.name == \"systemctl\" and process.args in (\"disable\", \"stop\", \"kill\"))\n ) and process.args in (\"syslog\", \"rsyslog\", \"syslog-ng\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2f8a1226-5720-437d-9c20-e0029deb6194", "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "2f8a1226-5720-437d-9c20-e0029deb6194_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_108.json b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_108.json
deleted file mode 100644
index d727c566a8a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Disable Syslog Service", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n ( (process.name == \"service\" and process.args == \"stop\") or\n (process.name == \"chkconfig\" and process.args == \"off\") or\n (process.name == \"systemctl\" and process.args in (\"disable\", \"stop\", \"kill\"))\n ) and process.args in (\"syslog\", \"rsyslog\", \"syslog-ng\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2f8a1226-5720-437d-9c20-e0029deb6194", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "2f8a1226-5720-437d-9c20-e0029deb6194_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_109.json b/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_109.json
deleted file mode 100644
index 486795d1dde..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2f8a1226-5720-437d-9c20-e0029deb6194_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Disable Syslog Service", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n ( (process.name == \"service\" and process.args == \"stop\") or\n (process.name == \"chkconfig\" and process.args == \"off\") or\n (process.name == \"systemctl\" and process.args in (\"disable\", \"stop\", \"kill\"))\n ) and process.args in (\"syslog\", \"rsyslog\", \"syslog-ng\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "2f8a1226-5720-437d-9c20-e0029deb6194", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "2f8a1226-5720-437d-9c20-e0029deb6194_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2f95540c-923e-4f57-9dae-de30169c68b9.json b/packages/security_detection_engine/kibana/security_rule/2f95540c-923e-4f57-9dae-de30169c68b9.json
deleted file mode 100644
index 50c34b24d61..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2f95540c-923e-4f57-9dae-de30169c68b9.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Monitors for /proc/*/maps file reads. The /proc/*/maps file in Linux provides a memory map for a specific process, detailing the memory segments, permissions, and what files are mapped to these segments. Attackers may read a process's memory map to identify memory addresses for code injection or process hijacking.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious /proc/maps Discovery", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.name in (\"cat\", \"grep\") and process.args : \"/proc/*/maps\" and process.entry_leader.name in (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"\n)\n", "references": ["https://github.com/arget13/DDexec"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entry_leader.name", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "2f95540c-923e-4f57-9dae-de30169c68b9", "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "2f95540c-923e-4f57-9dae-de30169c68b9", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2f95540c-923e-4f57-9dae-de30169c68b9_1.json b/packages/security_detection_engine/kibana/security_rule/2f95540c-923e-4f57-9dae-de30169c68b9_1.json
deleted file mode 100644
index 2ee3bc5d95b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2f95540c-923e-4f57-9dae-de30169c68b9_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for /proc/*/maps file reads. The /proc/*/maps file in Linux provides a memory map for a specific process, detailing the memory segments, permissions, and what files are mapped to these segments. Attackers may read a process's memory map to identify memory addresses for code injection or process hijacking.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious /proc/maps Discovery", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and\nprocess.name in (\"cat\", \"grep\") and process.args : \"/proc/*/maps\" and process.entry_leader.name in (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"\n)\n", "references": ["https://github.com/arget13/DDexec"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entry_leader.name", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "2f95540c-923e-4f57-9dae-de30169c68b9", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "2f95540c-923e-4f57-9dae-de30169c68b9_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f.json b/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f.json
deleted file mode 100644
index 8e09a711684..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies files written or modified in the startup folder by unsigned processes. Adversaries may abuse this technique to maintain persistence in an environment.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Startup Folder Persistence via Unsigned Process", "note": "## Triage and analysis\n\n### Investigating Startup Folder Persistence via Unsigned Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for unsigned processes writing to the Startup folder locations.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to Startup folders. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems 
compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.code_signature.trusted == false and\n /* suspicious paths can be added here */\n process.executable : (\"C:\\\\Users\\\\*.exe\",\n \"C:\\\\ProgramData\\\\*.exe\",\n \"C:\\\\Windows\\\\Temp\\\\*.exe\",\n \"C:\\\\Windows\\\\Tasks\\\\*.exe\",\n \"C:\\\\Intel\\\\*.exe\",\n \"C:\\\\PerfLogs\\\\*.exe\")\n ]\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\")\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], 
"risk_score": 47, "rule_id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}]}], "type": "eql", "version": 109}, "id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_104.json b/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_104.json
deleted file mode 100644
index 7095fb72391..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies files written or modified in the startup folder by unsigned processes. Adversaries may abuse this technique to maintain persistence in an environment.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Startup Folder Persistence via Unsigned Process", "note": "## Triage and analysis\n\n### Investigating Startup Folder Persistence via Unsigned Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for unsigned processes writing to the Startup folder locations.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to Startup folders. This activity could be based on new software installations, patches, or any kind of network administrator related activity. 
Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.code_signature.trusted == false and\n /* suspicious paths can be added here */\n process.executable : (\"C:\\\\Users\\\\*.exe\",\n \"C:\\\\ProgramData\\\\*.exe\",\n \"C:\\\\Windows\\\\Temp\\\\*.exe\",\n \"C:\\\\Windows\\\\Tasks\\\\*.exe\",\n \"C:\\\\Intel\\\\*.exe\",\n \"C:\\\\PerfLogs\\\\*.exe\")\n ]\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\")\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", 
"name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "type": "eql", "version": 104}, "id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_105.json b/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_105.json
deleted file mode 100644
index 47598f01bdd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies files written or modified in the startup folder by unsigned processes. Adversaries may abuse this technique to maintain persistence in an environment.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Startup Folder Persistence via Unsigned Process", "note": "## Triage and analysis\n\n### Investigating Startup Folder Persistence via Unsigned Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for unsigned processes writing to the Startup folder locations.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to Startup folders. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems 
compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.code_signature.trusted == false and\n /* suspicious paths can be added here */\n process.executable : (\"C:\\\\Users\\\\*.exe\",\n \"C:\\\\ProgramData\\\\*.exe\",\n \"C:\\\\Windows\\\\Temp\\\\*.exe\",\n \"C:\\\\Windows\\\\Tasks\\\\*.exe\",\n \"C:\\\\Intel\\\\*.exe\",\n \"C:\\\\PerfLogs\\\\*.exe\")\n ]\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\")\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], 
"risk_score": 47, "rule_id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "type": "eql", "version": 105}, "id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_106.json b/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_106.json
deleted file mode 100644
index 108526ed9eb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies files written or modified in the startup folder by unsigned processes. Adversaries may abuse this technique to maintain persistence in an environment.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Startup Folder Persistence via Unsigned Process", "note": "## Triage and analysis\n\n### Investigating Startup Folder Persistence via Unsigned Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for unsigned processes writing to the Startup folder locations.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to Startup folders. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems 
compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.code_signature.trusted == false and\n /* suspicious paths can be added here */\n process.executable : (\"C:\\\\Users\\\\*.exe\",\n \"C:\\\\ProgramData\\\\*.exe\",\n \"C:\\\\Windows\\\\Temp\\\\*.exe\",\n \"C:\\\\Windows\\\\Tasks\\\\*.exe\",\n \"C:\\\\Intel\\\\*.exe\",\n \"C:\\\\PerfLogs\\\\*.exe\")\n ]\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\")\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], 
"risk_score": 47, "rule_id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "type": "eql", "version": 106}, "id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_107.json b/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_107.json deleted file mode 100644 index aee3629af7e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies files written or modified in the startup folder by unsigned processes. Adversaries may abuse this technique to maintain persistence in an environment.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Startup Folder Persistence via Unsigned Process", "note": "## Triage and analysis\n\n### Investigating Startup Folder Persistence via Unsigned Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for unsigned processes writing to the Startup folder locations.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to Startup folders. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems 
compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.code_signature.trusted == false and\n /* suspicious paths can be added here */\n process.executable : (\"C:\\\\Users\\\\*.exe\",\n \"C:\\\\ProgramData\\\\*.exe\",\n \"C:\\\\Windows\\\\Temp\\\\*.exe\",\n \"C:\\\\Windows\\\\Tasks\\\\*.exe\",\n \"C:\\\\Intel\\\\*.exe\",\n \"C:\\\\PerfLogs\\\\*.exe\")\n ]\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\")\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], 
"risk_score": 47, "rule_id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "type": "eql", "version": 107}, "id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_108.json b/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_108.json deleted file mode 100644 index d1415392fca..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2fba96c0-ade5-4bce-b92f-a5df2509da3f_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies files written or modified in the startup folder by unsigned processes. Adversaries may abuse this technique to maintain persistence in an environment.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Startup Folder Persistence via Unsigned Process", "note": "## Triage and analysis\n\n### Investigating Startup Folder Persistence via Unsigned Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for unsigned processes writing to the Startup folder locations.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to Startup folders. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems 
compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=5s\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.code_signature.trusted == false and\n /* suspicious paths can be added here */\n process.executable : (\"C:\\\\Users\\\\*.exe\",\n \"C:\\\\ProgramData\\\\*.exe\",\n \"C:\\\\Windows\\\\Temp\\\\*.exe\",\n \"C:\\\\Windows\\\\Tasks\\\\*.exe\",\n \"C:\\\\Intel\\\\*.exe\",\n \"C:\\\\PerfLogs\\\\*.exe\")\n ]\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\")\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], 
"risk_score": 47, "rule_id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}]}], "type": "eql", "version": 108}, "id": "2fba96c0-ade5-4bce-b92f-a5df2509da3f_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb.json b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb.json deleted file mode 100644 index af9723fc3b6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Defender Disabled via Registry Modification", "note": "## Triage and analysis\n\n### Investigating Windows Defender Disabled via Registry Modification\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for configurations that disable Windows Defender or the start of its service.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if this operation was approved and performed according to the organization's change management policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Re-enable Windows Defender and restore the service configurations to automatic start.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n (\n (\n registry.path: (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\"\n ) and\n registry.data.strings: (\"1\", \"0x00000001\")\n ) or\n (\n registry.path: (\n \"HKLM\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\"\n ) and\n registry.data.strings in (\"3\", \"4\", \"0x00000003\", \"0x00000004\")\n )\n ) and\n\n not\n (\n process.executable : (\n \"?:\\\\WINDOWS\\\\system32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Security Agent\\\\NTRmv.exe\"\n ) and user.id : \"S-1-5-18\"\n )\n", "references": ["https://thedfirreport.com/2020/12/13/defender-control/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "2ffa1f1e-b6db-47fa-994b-1512743847eb", "setup": 
"## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 114}, "id": "2ffa1f1e-b6db-47fa-994b-1512743847eb", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_104.json b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_104.json deleted file mode 100644 index 071640139ba..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Defender Disabled via Registry Modification", "note": "## Triage and analysis\n\n### Investigating Windows Defender Disabled via Registry Modification\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for configurations that disable Windows Defender or the start of its service.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if this operation was approved and performed according to the organization's change management policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Re-enable Windows Defender and restore the service configurations to automatic start.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (\n (\n registry.path: (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\"\n ) and\n registry.data.strings: (\"1\", \"0x00000001\")\n ) or\n (\n registry.path: (\n \"HKLM\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\"\n ) and\n registry.data.strings in (\"3\", \"4\", \"0x00000003\", \"0x00000004\")\n )\n ) and\n\n not process.executable :\n (\"?:\\\\WINDOWS\\\\system32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Security Agent\\\\NTRmv.exe\")\n", "references": ["https://thedfirreport.com/2020/12/13/defender-control/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "2ffa1f1e-b6db-47fa-994b-1512743847eb", "setup": "If enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "2ffa1f1e-b6db-47fa-994b-1512743847eb_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_105.json b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_105.json
deleted file mode 100644
index 861846fe078..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Defender Disabled via Registry Modification", "note": "## Triage and analysis\n\n### Investigating Windows Defender Disabled via Registry Modification\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for configurations that disable Windows Defender or the start of its service.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if this operation was approved and performed according to the organization's change management policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Re-enable Windows Defender and restore the service configurations to automatic start.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (\n (\n registry.path: (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\"\n ) and\n registry.data.strings: (\"1\", \"0x00000001\")\n ) or\n (\n registry.path: (\n \"HKLM\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\"\n ) and\n registry.data.strings in (\"3\", \"4\", \"0x00000003\", \"0x00000004\")\n )\n ) and\n\n not process.executable :\n (\"?:\\\\WINDOWS\\\\system32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Security Agent\\\\NTRmv.exe\")\n", "references": ["https://thedfirreport.com/2020/12/13/defender-control/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "2ffa1f1e-b6db-47fa-994b-1512743847eb", "setup": "If enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "2ffa1f1e-b6db-47fa-994b-1512743847eb_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_106.json b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_106.json
deleted file mode 100644
index 5a58defcee4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Defender Disabled via Registry Modification", "note": "## Triage and analysis\n\n### Investigating Windows Defender Disabled via Registry Modification\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for configurations that disable Windows Defender or the start of its service.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if this operation was approved and performed according to the organization's change management policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Re-enable Windows Defender and restore the service configurations to automatic start.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (\n (\n registry.path: (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\"\n ) and\n registry.data.strings: (\"1\", \"0x00000001\")\n ) or\n (\n registry.path: (\n \"HKLM\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\"\n ) and\n registry.data.strings in (\"3\", \"4\", \"0x00000003\", \"0x00000004\")\n )\n ) and\n\n not process.executable :\n (\"?:\\\\WINDOWS\\\\system32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Security Agent\\\\NTRmv.exe\")\n", "references": ["https://thedfirreport.com/2020/12/13/defender-control/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "2ffa1f1e-b6db-47fa-994b-1512743847eb", "setup": "If enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "2ffa1f1e-b6db-47fa-994b-1512743847eb_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_107.json b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_107.json
deleted file mode 100644
index a9c667b87ba..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Defender Disabled via Registry Modification", "note": "## Triage and analysis\n\n### Investigating Windows Defender Disabled via Registry Modification\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for configurations that disable Windows Defender or the start of its service.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if this operation was approved and performed according to the organization's change management policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Re-enable Windows Defender and restore the service configurations to automatic start.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (\n (\n registry.path: (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\"\n ) and\n registry.data.strings: (\"1\", \"0x00000001\")\n ) or\n (\n registry.path: (\n \"HKLM\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\"\n ) and\n registry.data.strings in (\"3\", \"4\", \"0x00000003\", \"0x00000004\")\n )\n ) and\n\n not process.executable :\n (\"?:\\\\WINDOWS\\\\system32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Security Agent\\\\NTRmv.exe\")\n", "references": ["https://thedfirreport.com/2020/12/13/defender-control/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "2ffa1f1e-b6db-47fa-994b-1512743847eb", "setup": "If enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}, {"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "2ffa1f1e-b6db-47fa-994b-1512743847eb_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_108.json b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_108.json
deleted file mode 100644
index 07344bb7fd9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Defender Disabled via Registry Modification", "note": "## Triage and analysis\n\n### Investigating Windows Defender Disabled via Registry Modification\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for configurations that disable Windows Defender or the start of its service.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if this operation was approved and performed according to the organization's change management policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Re-enable Windows Defender and restore the service configurations to automatic start.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (\n (\n registry.path: (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\"\n ) and\n registry.data.strings: (\"1\", \"0x00000001\")\n ) or\n (\n registry.path: (\n \"HKLM\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\"\n ) and\n registry.data.strings in (\"3\", \"4\", \"0x00000003\", \"0x00000004\")\n )\n ) and\n\n not process.executable :\n (\"?:\\\\WINDOWS\\\\system32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Security Agent\\\\NTRmv.exe\")\n", "references": ["https://thedfirreport.com/2020/12/13/defender-control/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "2ffa1f1e-b6db-47fa-994b-1512743847eb", "setup": "\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}, {"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "2ffa1f1e-b6db-47fa-994b-1512743847eb_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_109.json b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_109.json
deleted file mode 100644
index 7fdc7fb5f4e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Defender Disabled via Registry Modification", "note": "## Triage and analysis\n\n### Investigating Windows Defender Disabled via Registry Modification\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for configurations that disable Windows Defender or the start of its service.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if this operation was approved and performed according to the organization's change management policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Re-enable Windows Defender and restore the service configurations to automatic start.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (\n (\n registry.path: (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\"\n ) and\n registry.data.strings: (\"1\", \"0x00000001\")\n ) or\n (\n registry.path: (\n \"HKLM\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\"\n ) and\n registry.data.strings in (\"3\", \"4\", \"0x00000003\", \"0x00000004\")\n )\n ) and\n\n not\n (\n process.executable : (\n \"?:\\\\WINDOWS\\\\system32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Security Agent\\\\NTRmv.exe\"\n ) and user.id : \"S-1-5-18\"\n )\n", "references": ["https://thedfirreport.com/2020/12/13/defender-control/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": 
"2ffa1f1e-b6db-47fa-994b-1512743847eb", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}, {"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "2ffa1f1e-b6db-47fa-994b-1512743847eb_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_110.json b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_110.json deleted file mode 100644 index 143bd373c37..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_110.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Defender Disabled via Registry Modification", "note": "## Triage and analysis\n\n### Investigating Windows Defender Disabled via Registry Modification\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for configurations that disable Windows Defender or the start of its service.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if this operation was approved and performed according to the organization's change management policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Re-enable Windows Defender and restore the service configurations to automatic start.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (\n (\n registry.path: (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\"\n ) and\n registry.data.strings: (\"1\", \"0x00000001\")\n ) or\n (\n registry.path: (\n \"HKLM\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\"\n ) and\n registry.data.strings in (\"3\", \"4\", \"0x00000003\", \"0x00000004\")\n )\n ) and\n\n not\n (\n process.executable : (\n \"?:\\\\WINDOWS\\\\system32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Security Agent\\\\NTRmv.exe\"\n ) and user.id : \"S-1-5-18\"\n )\n", "references": ["https://thedfirreport.com/2020/12/13/defender-control/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": 
"2ffa1f1e-b6db-47fa-994b-1512743847eb", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}, {"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "2ffa1f1e-b6db-47fa-994b-1512743847eb_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_111.json b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_111.json deleted file mode 100644 index 74b51397346..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_111.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Defender Disabled via Registry Modification", "note": "## Triage and analysis\n\n### Investigating Windows Defender Disabled via Registry Modification\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for configurations that disable Windows Defender or the start of its service.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if this operation was approved and performed according to the organization's change management policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Re-enable Windows Defender and restore the service configurations to automatic start.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (\n (\n registry.path: (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\"\n ) and\n registry.data.strings: (\"1\", \"0x00000001\")\n ) or\n (\n registry.path: (\n \"HKLM\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\"\n ) and\n registry.data.strings in (\"3\", \"4\", \"0x00000003\", \"0x00000004\")\n )\n ) and\n\n not\n (\n process.executable : (\n \"?:\\\\WINDOWS\\\\system32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Security Agent\\\\NTRmv.exe\"\n ) and user.id : \"S-1-5-18\"\n )\n", "references": ["https://thedfirreport.com/2020/12/13/defender-control/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": 
"2ffa1f1e-b6db-47fa-994b-1512743847eb", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}, {"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "2ffa1f1e-b6db-47fa-994b-1512743847eb_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_112.json b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_112.json deleted file mode 100644 index 8a15c792801..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_112.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Defender Disabled via Registry Modification", "note": "## Triage and analysis\n\n### Investigating Windows Defender Disabled via Registry Modification\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for configurations that disable Windows Defender or the start of its service.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if this operation was approved and performed according to the organization's change management policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Re-enable Windows Defender and restore the service configurations to automatic start.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (\n (\n registry.path: (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\"\n ) and\n registry.data.strings: (\"1\", \"0x00000001\")\n ) or\n (\n registry.path: (\n \"HKLM\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\"\n ) and\n registry.data.strings in (\"3\", \"4\", \"0x00000003\", \"0x00000004\")\n )\n ) and\n\n not\n (\n process.executable : (\n \"?:\\\\WINDOWS\\\\system32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Security Agent\\\\NTRmv.exe\"\n ) and user.id : \"S-1-5-18\"\n )\n", "references": ["https://thedfirreport.com/2020/12/13/defender-control/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": 
"2ffa1f1e-b6db-47fa-994b-1512743847eb", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "2ffa1f1e-b6db-47fa-994b-1512743847eb_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_113.json b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_113.json deleted file mode 100644 index 17f792fabb6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_113.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Defender Disabled via Registry Modification", "note": "## Triage and analysis\n\n### Investigating Windows Defender Disabled via Registry Modification\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for configurations that disable Windows Defender or the start of its service.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if this operation was approved and performed according to the organization's change management policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Re-enable Windows Defender and restore the service configurations to automatic start.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n (\n (\n registry.path: (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\"\n ) and\n registry.data.strings: (\"1\", \"0x00000001\")\n ) or\n (\n registry.path: (\n \"HKLM\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\"\n ) and\n registry.data.strings in (\"3\", \"4\", \"0x00000003\", \"0x00000004\")\n )\n ) and\n\n not\n (\n process.executable : (\n \"?:\\\\WINDOWS\\\\system32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Security Agent\\\\NTRmv.exe\"\n ) and user.id : \"S-1-5-18\"\n )\n", "references": ["https://thedfirreport.com/2020/12/13/defender-control/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "2ffa1f1e-b6db-47fa-994b-1512743847eb", "setup": 
"## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "2ffa1f1e-b6db-47fa-994b-1512743847eb_113", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_114.json b/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_114.json deleted file mode 100644 index 24c9a990af9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/2ffa1f1e-b6db-47fa-994b-1512743847eb_114.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the Windows Defender registry settings to disable the service or set the service to be started manually.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Defender Disabled via Registry Modification", "note": "## Triage and analysis\n\n### Investigating Windows Defender Disabled via Registry Modification\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for configurations that disable Windows Defender or the start of its service.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if this operation was approved and performed according to the organization's change management policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Re-enable Windows Defender and restore the service configurations to automatic start.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n (\n (\n registry.path: (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\"\n ) and\n registry.data.strings: (\"1\", \"0x00000001\")\n ) or\n (\n registry.path: (\n \"HKLM\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\System\\\\*ControlSet*\\\\Services\\\\WinDefend\\\\Start\"\n ) and\n registry.data.strings in (\"3\", \"4\", \"0x00000003\", \"0x00000004\")\n )\n ) and\n\n not\n (\n process.executable : (\n \"?:\\\\WINDOWS\\\\system32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Security Agent\\\\NTRmv.exe\"\n ) and user.id : \"S-1-5-18\"\n )\n", "references": ["https://thedfirreport.com/2020/12/13/defender-control/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "2ffa1f1e-b6db-47fa-994b-1512743847eb", "setup": 
"## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 114}, "id": "2ffa1f1e-b6db-47fa-994b-1512743847eb_114", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170.json b/packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170.json deleted file mode 100644 index ba048067281..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a firewall rule is created in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. These firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances or specific applications. An adversary may create a new firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit.", "false_positives": ["Firewall rules may be created by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Firewall Rule Creation", "note": "", "query": "event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule)\n", "references": ["https://cloud.google.com/vpc/docs/firewalls", "https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "30562697-9859-4ae0-a8c5-dab45d664170", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], 
"timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "30562697-9859-4ae0-a8c5-dab45d664170", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170_103.json b/packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170_103.json deleted file mode 100644 index ff0f1a63450..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/30562697-9859-4ae0-a8c5-dab45d664170_103.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a firewall rule is created in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. These firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances or specific applications. An adversary may create a new firewall rule in order to weaken their target's security controls and allow more permissive ingress or egress traffic flows for their benefit.", "false_positives": ["Firewall rules may be created by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Firewall Rule Creation", "note": "", "query": "event.dataset:gcp.audit and event.action:(*.compute.firewalls.insert or google.appengine.*.Firewall.Create*Rule)\n", "references": ["https://cloud.google.com/vpc/docs/firewalls", "https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "30562697-9859-4ae0-a8c5-dab45d664170", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Configuration Audit"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": 
"event.ingested", "type": "query", "version": 103}, "id": "30562697-9859-4ae0-a8c5-dab45d664170_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/30b5bb96-c7db-492c-80e9-1eab00db580b.json b/packages/security_detection_engine/kibana/security_rule/30b5bb96-c7db-492c-80e9-1eab00db580b.json deleted file mode 100644 index b83d970b732..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/30b5bb96-c7db-492c-80e9-1eab00db580b.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when object versioning is suspended for an Amazon S3 bucket. Object versioning allows for multiple versions of an object to exist in the same bucket. This allows for easy recovery of deleted or overwritten objects. When object versioning is suspended for a bucket, it could indicate an adversary's attempt to inhibit system recovery following malicious activity. Additionally, when versioning is suspended, buckets can then be deleted.", "false_positives": ["Administrators within an AWS Organization structure may legitimately suspend object versioning. Ensure that this behavior is not part of a legitimate operation before taking action."], "from": "now-6m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "eql", "license": "Elastic License v2", "name": "AWS S3 Object Versioning Suspended", "note": "\n## Triage and Analysis\n\n### Investigating AWS S3 Object Versioning Suspended\n\nThis rule detects when object versioning for an S3 bucket is suspended. Adversaries with access to a misconfigured S3 bucket may disable object versioning prior to replacing or deleting S3 objects, inhibiting recovery initiatives.\nThis rule uses [EQL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-eql-rule) to look for use of the `PutBucketVersioning` operation where the `request_parameters` include `Status=Suspended`.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. 
An external or unexpected location might indicate compromised credentials or unauthorized access.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.\n- **Check for Object Deletion or Access**: Look for `DeleteObject`, `DeleteObjects`, or `GetObject` API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects including older object versions.\n- **Interview Relevant Personnel**: If the copy event was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing S3 buckets.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the action aligns with legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar activities performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\n\n### Response and Remediation:\n\n- **Immediate Review**: If the activity was unauthorized, search for replaced or deleted objects and review the bucket's access logs for any suspicious activity.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware.\n- **Audit S3 Bucket Policies and Permissions**: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing S3 bucket security and protecting against ransomware, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on S3 ransomware protection:\n- [ERMETIC REPORT - AWS S3 Ransomware Exposure in the Wild](https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf)\n- [S3 Ransomware Part 1: Attack Vector](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)\n", "query": "any where event.dataset == \"aws.cloudtrail\" \n and event.action == \"PutBucketVersioning\"\n and event.outcome == \"success\" \n and stringContains(aws.cloudtrail.request_parameters, \"Status=Suspended\")\n", "references": ["https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html/", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketVersioning.html/", "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation/", "https://www.invictus-ir.com/news/ransomware-in-the-cloud/", "https://rhinosecuritylabs.com/aws/s3-ransomware-part-2-prevention-and-defense/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.request_parameters", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "30b5bb96-c7db-492c-80e9-1eab00db580b", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS S3", "Use Case: Threat Detection", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", 
"type": "eql", "version": 2}, "id": "30b5bb96-c7db-492c-80e9-1eab00db580b", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/30b5bb96-c7db-492c-80e9-1eab00db580b_1.json b/packages/security_detection_engine/kibana/security_rule/30b5bb96-c7db-492c-80e9-1eab00db580b_1.json deleted file mode 100644 index 58523888765..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/30b5bb96-c7db-492c-80e9-1eab00db580b_1.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when object versioning is suspended for an Amazon S3 bucket. Object versioning allows for multiple versions of an object to exist in the same bucket. This allows for easy recovery of deleted or overwritten objects. When object versioning is suspended for a bucket, it could indicate an adversary's attempt to inhibit system recovery following malicious activity. Additionally, when versioning is suspended, buckets can then be deleted.", "false_positives": ["Administrators within an AWS Organization structure may legitimately suspend object versioning. Ensure that this behavior is not part of a legitimate operation before taking action."], "from": "now-6m", "language": "eql", "license": "Elastic License v2", "name": "AWS S3 Object Versioning Suspended", "note": "\n## Triage and Analysis\n\n### Investigating AWS S3 Object Versioning Suspended\n\nThis rule detects when object versioning for an S3 bucket is suspended. Adversaries with access to a misconfigured S3 bucket may disable object versioning prior to replacing or deleting S3 objects, inhibiting recovery initiatives.\nThis rule uses [EQL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-eql-rule) to look for use of the `PutBucketVersioning` operation where the `request_parameters` include `Status=Suspended`.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. 
An external or unexpected location might indicate compromised credentials or unauthorized access.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.\n- **Check for Object Deletion or Access**: Look for `DeleteObject`, `DeleteObjects`, or `GetObject` API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects including older object versions.\n- **Interview Relevant Personnel**: If the copy event was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing S3 buckets.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the action aligns with legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar activities performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\n\n### Response and Remediation:\n\n- **Immediate Review**: If the activity was unauthorized, search for replaced or deleted objects and review the bucket's access logs for any suspicious activity.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware.\n- **Audit S3 Bucket Policies and Permissions**: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing S3 bucket security and protecting against ransomware, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on S3 ransomware protection:\n- [ERMETIC REPORT - AWS S3 Ransomware Exposure in the Wild](https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf)\n- [S3 Ransomware Part 1: Attack Vector](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)\n", "query": "any where event.dataset == \"aws.cloudtrail\" \n and event.action == \"PutBucketVersioning\"\n and event.outcome == \"success\" \n and stringContains(aws.cloudtrail.request_parameters, \"Status=Suspended\")\n", "references": ["https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html/", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketVersioning.html/", "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation/", "https://www.invictus-ir.com/news/ransomware-in-the-cloud/", "https://rhinosecuritylabs.com/aws/s3-ransomware-part-2-prevention-and-defense/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.request_parameters", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "30b5bb96-c7db-492c-80e9-1eab00db580b", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS S3", "Use Case: Threat Detection", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", 
"type": "eql", "version": 1}, "id": "30b5bb96-c7db-492c-80e9-1eab00db580b_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23.json b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23.json deleted file mode 100644 index 9edf0315737..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies instances where the 'touch' command is executed on a Linux system with the \"-r\" flag, which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related paths, such as \"/etc/vmware/\", \"/usr/lib/vmware/\", or \"/vmfs/*\". These paths are associated with VMware virtualization software, and their presence in the touch command arguments may indicate that a threat actor is attempting to tamper with timestamps of VM-related files and configurations on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "ESXI Timestomping using Touch Command", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"touch\" and process.args == \"-r\" and\nprocess.args : (\"/etc/vmware/*\", \"/usr/lib/vmware/*\", \"/vmfs/*\")\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.006", "name": "Timestomp", "reference": "https://attack.mitre.org/techniques/T1070/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_1.json b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_1.json
deleted file mode 100644
index 004471538eb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies instances where the 'touch' command is executed on a Linux system with the \"-r\" flag, which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related paths, such as \"/etc/vmware/\", \"/usr/lib/vmware/\", or \"/vmfs/*\". These paths are associated with VMware virtualization software, and their presence in the touch command arguments may indicate that a threat actor is attempting to tamper with timestamps of VM-related files and configurations on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "ESXI Timestomping using Touch Command", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.name : \"touch\" and process.args : \"-r\" and process.args : (\"/etc/vmware/*\", \"/usr/lib/vmware/*\", \"/vmfs/*\")\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.006", 
"name": "Timestomp", "reference": "https://attack.mitre.org/techniques/T1070/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_2.json b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_2.json deleted file mode 100644 index b685101c0c0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where the 'touch' command is executed on a Linux system with the \"-r\" flag, which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related paths, such as \"/etc/vmware/\", \"/usr/lib/vmware/\", or \"/vmfs/*\". These paths are associated with VMware virtualization software, and their presence in the touch command arguments may indicate that a threat actor is attempting to tamper with timestamps of VM-related files and configurations on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "ESXI Timestomping using Touch Command", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.name : \"touch\" and process.args : \"-r\" and process.args : (\"/etc/vmware/*\", \"/usr/lib/vmware/*\", \"/vmfs/*\")\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": 
[{"id": "T1070.006", "name": "Timestomp", "reference": "https://attack.mitre.org/techniques/T1070/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_3.json b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_3.json deleted file mode 100644 index e452c9b715c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where the 'touch' command is executed on a Linux system with the \"-r\" flag, which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related paths, such as \"/etc/vmware/\", \"/usr/lib/vmware/\", or \"/vmfs/*\". These paths are associated with VMware virtualization software, and their presence in the touch command arguments may indicate that a threat actor is attempting to tamper with timestamps of VM-related files and configurations on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "ESXI Timestomping using Touch Command", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.name : \"touch\" and process.args : \"-r\" and process.args : (\"/etc/vmware/*\", \"/usr/lib/vmware/*\", \"/vmfs/*\")\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": 
"https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.006", "name": "Timestomp", "reference": "https://attack.mitre.org/techniques/T1070/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_4.json b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_4.json deleted file mode 100644 index 4004b358421..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where the 'touch' command is executed on a Linux system with the \"-r\" flag, which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related paths, such as \"/etc/vmware/\", \"/usr/lib/vmware/\", or \"/vmfs/*\". These paths are associated with VMware virtualization software, and their presence in the touch command arguments may indicate that a threat actor is attempting to tamper with timestamps of VM-related files and configurations on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "ESXI Timestomping using Touch Command", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.name : \"touch\" and process.args : \"-r\" and process.args : (\"/etc/vmware/*\", \"/usr/lib/vmware/*\", \"/vmfs/*\")\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.006", "name": "Timestomp", "reference": "https://attack.mitre.org/techniques/T1070/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_5.json b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_5.json deleted file mode 100644 index 2523f8a0e01..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where the 'touch' command is executed on a Linux system with the \"-r\" flag, which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related paths, such as \"/etc/vmware/\", \"/usr/lib/vmware/\", or \"/vmfs/*\". These paths are associated with VMware virtualization software, and their presence in the touch command arguments may indicate that a threat actor is attempting to tamper with timestamps of VM-related files and configurations on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "ESXI Timestomping using Touch Command", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.name : \"touch\" and process.args : \"-r\" and process.args : (\"/etc/vmware/*\", \"/usr/lib/vmware/*\", \"/vmfs/*\")\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.006", "name": "Timestomp", "reference": "https://attack.mitre.org/techniques/T1070/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_6.json b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_6.json deleted file mode 100644 index b764d6b6d9c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where the 'touch' command is executed on a Linux system with the \"-r\" flag, which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related paths, such as \"/etc/vmware/\", \"/usr/lib/vmware/\", or \"/vmfs/*\". These paths are associated with VMware virtualization software, and their presence in the touch command arguments may indicate that a threat actor is attempting to tamper with timestamps of VM-related files and configurations on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "ESXI Timestomping using Touch Command", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\")\nand process.name : \"touch\" and process.args : \"-r\" and process.args : (\"/etc/vmware/*\", \"/usr/lib/vmware/*\", \"/vmfs/*\")\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.006", "name": "Timestomp", "reference": "https://attack.mitre.org/techniques/T1070/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_7.json b/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_7.json deleted file mode 100644 index c6ace8c2cbb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/30bfddd7-2954-4c9d-bbc6-19a99ca47e23_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where the 'touch' command is executed on a Linux system with the \"-r\" flag, which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related paths, such as \"/etc/vmware/\", \"/usr/lib/vmware/\", or \"/vmfs/*\". These paths are associated with VMware virtualization software, and their presence in the touch command arguments may indicate that a threat actor is attempting to tamper with timestamps of VM-related files and configurations on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "ESXI Timestomping using Touch Command", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nevent.type == \"start\" and process.name == \"touch\" and process.args == \"-r\" and\nprocess.args : (\"/etc/vmware/*\", \"/usr/lib/vmware/*\", \"/vmfs/*\")\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.006", "name": "Timestomp", "reference": "https://attack.mitre.org/techniques/T1070/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "30bfddd7-2954-4c9d-bbc6-19a99ca47e23_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/30e1e9f2-eb9c-439f-aff6-1e3068e99384.json b/packages/security_detection_engine/kibana/security_rule/30e1e9f2-eb9c-439f-aff6-1e3068e99384.json deleted file mode 100644 index f9313827cc7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/30e1e9f2-eb9c-439f-aff6-1e3068e99384.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects network connections initiated by the \"sudo\" binary. This behavior is uncommon and may occur in instances where reverse shell shellcode is injected into a process run with elevated permissions via \"sudo\". Attackers may attempt to inject shellcode into processes running as root, to escalate privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Sudo Binary", "query": "network where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"connection_attempted\", \"ipv4_connection_attempt_event\") and process.name == \"sudo\" and not (\n destination.ip == null or destination.ip == \"0.0.0.0\" or cidrmatch(\n destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\",\n \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\", \"172.31.0.0/16\"\n )\n) \n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "30e1e9f2-eb9c-439f-aff6-1e3068e99384", "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.008", "name": "Ptrace System Calls", "reference": "https://attack.mitre.org/techniques/T1055/008/"}]}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "30e1e9f2-eb9c-439f-aff6-1e3068e99384", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/30e1e9f2-eb9c-439f-aff6-1e3068e99384_1.json b/packages/security_detection_engine/kibana/security_rule/30e1e9f2-eb9c-439f-aff6-1e3068e99384_1.json deleted file mode 100644 index ecbc9ed887e..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/30e1e9f2-eb9c-439f-aff6-1e3068e99384_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects network connections initiated by the \"sudo\" binary. This behavior is uncommon and may occur in instances where reverse shell shellcode is injected into a process run with elevated permissions via \"sudo\". Attackers may attempt to inject shellcode into processes running as root, to escalate privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Network Connection via Sudo Binary", "query": "network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and event.type == \"start\" and\nprocess.name == \"sudo\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "30e1e9f2-eb9c-439f-aff6-1e3068e99384", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.008", "name": "Ptrace System Calls", "reference": "https://attack.mitre.org/techniques/T1055/008/"}]}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "30e1e9f2-eb9c-439f-aff6-1e3068e99384_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/30e1e9f2-eb9c-439f-aff6-1e3068e99384_2.json b/packages/security_detection_engine/kibana/security_rule/30e1e9f2-eb9c-439f-aff6-1e3068e99384_2.json deleted file mode 100644 index 3de83be22ba..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/30e1e9f2-eb9c-439f-aff6-1e3068e99384_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects network connections initiated by the \"sudo\" binary. This behavior is uncommon and may occur in instances where reverse shell shellcode is injected into a process run with elevated permissions via \"sudo\". Attackers may attempt to inject shellcode into processes running as root, to escalate privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Network Connection via Sudo Binary", "query": "network where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"connection_attempted\", \"ipv4_connection_attempt_event\") and process.name == \"sudo\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "30e1e9f2-eb9c-439f-aff6-1e3068e99384", "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.008", "name": "Ptrace System Calls", "reference": "https://attack.mitre.org/techniques/T1055/008/"}]}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "30e1e9f2-eb9c-439f-aff6-1e3068e99384_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/30fbf4db-c502-4e68-a239-2e99af0f70da.json b/packages/security_detection_engine/kibana/security_rule/30fbf4db-c502-4e68-a239-2e99af0f70da.json deleted file mode 100644 index a14a3c8180a..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/30fbf4db-c502-4e68-a239-2e99af0f70da.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary with access to a set of compromised credentials may attempt to verify that the credentials are valid and determine what account they are using. This rule looks for the first time an identity has called the STS `GetCallerIdentity` API operation in the last 15 days, which may be an indicator of compromised credentials. A legitimate user would not need to call this operation as they should know the account they are using.", "false_positives": ["Verify whether the user identity should be using the STS `GetCallerIdentity` API operation. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "history_window_start": "now-10d", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS STS GetCallerIdentity API Called for the First Time", "new_terms_fields": ["aws.cloudtrail.user_identity.arn"], "note": "## Triage and analysis\n\n### Investigating AWS GetCallerIdentity API Called for the First Time\n\nAWS Security Token Service (AWS STS) is a service that enables you to request temporary, limited-privilege credentials for users.\nThe `GetCallerIdentity` function returns details about the IAM user or role owning the credentials used to call the operation. \nNo permissions are required to run this operation and the same information is returned even when access is denied.\nThis rule looks for use of the `GetCallerIdentity` operation. 
This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has called this operation within the last 15 days.\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment, a role belonging to a service like Lambda or an EC2 instance would be highly suspicious.\n- Identify the applications or users that should use this account.\n- Investigate other alerts associated with the account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Review IAM permission policies for the user identity.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. 
Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions.\n- Automation workflows that rely on the results from this API request may also generate false-positives. We recommend adding exceptions related to the `user.name` or `aws.cloudtrail.user_identity.arn` values to ignore these.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.dataset:\"aws.cloudtrail\" and event.provider:\"sts.amazonaws.com\" and event.action:\"GetCallerIdentity\"\n", "references": ["https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html", "https://www.secureworks.com/research/detecting-the-use-of-stolen-aws-lambda-credentials", "https://detectioninthe.cloud/ttps/discovery/get_caller_identity/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "30fbf4db-c502-4e68-a239-2e99af0f70da", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Use Case: Identity and Access Audit", "Tactic: Discovery", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": 
"https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.004", "name": "Cloud Account", "reference": "https://attack.mitre.org/techniques/T1087/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "30fbf4db-c502-4e68-a239-2e99af0f70da", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/30fbf4db-c502-4e68-a239-2e99af0f70da_1.json b/packages/security_detection_engine/kibana/security_rule/30fbf4db-c502-4e68-a239-2e99af0f70da_1.json deleted file mode 100644 index 19a92afd251..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/30fbf4db-c502-4e68-a239-2e99af0f70da_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary with access to a set of compromised credentials may attempt to verify that the credentials are valid and determine what account they are using. This rule looks for the first time an identity has called the STS `GetCallerIdentity` API operation in the last 15 days, which may be an indicator of compromised credentials. A legitimate user would not need to call this operation as they should know the account they are using.", "false_positives": ["Verify whether the user identity should be using the STS `GetCallerIdentity` API operation. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "history_window_start": "now-10d", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS STS GetCallerIdentity API Called for the First Time", "new_terms_fields": ["aws.cloudtrail.user_identity.arn"], "note": "## Triage and analysis\n\n### Investigating AWS GetCallerIdentity API Called for the First Time\n\nAWS Security Token Service (AWS STS) is a service that enables you to request temporary, limited-privilege credentials for users.\nThe `GetCallerIdentity` function returns details about the IAM user or role owning the credentials used to call the operation. \nNo permissions are required to run this operation and the same information is returned even when access is denied.\nThis rule looks for use of the `GetCallerIdentity` operation. 
This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has called this operation within the last 15 days.\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment, a role belonging to a service like Lambda or an EC2 instance would be highly suspicious.\n- Identify the applications or users that should use this account.\n- Investigate other alerts associated with the account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Review IAM permission policies for the user identity.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. 
Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions.\n- Automation workflows that rely on the results from this API request may also generate false-positives. We recommend adding exceptions related to the `user.name` or `aws.cloudtrail.user_identity.arn` values to ignore these.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.dataset:\"aws.cloudtrail\" and event.provider:\"sts.amazonaws.com\" and event.action:\"GetCallerIdentity\"\n", "references": ["https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html", "https://www.secureworks.com/research/detecting-the-use-of-stolen-aws-lambda-credentials", "https://detectioninthe.cloud/ttps/discovery/get_caller_identity/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "30fbf4db-c502-4e68-a239-2e99af0f70da", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Use Case: Identity and Access Audit", "Tactic: Discovery", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": 
"https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.004", "name": "Cloud Account", "reference": "https://attack.mitre.org/techniques/T1087/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "30fbf4db-c502-4e68-a239-2e99af0f70da_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/30fbf4db-c502-4e68-a239-2e99af0f70da_2.json b/packages/security_detection_engine/kibana/security_rule/30fbf4db-c502-4e68-a239-2e99af0f70da_2.json deleted file mode 100644 index c1822b395d2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/30fbf4db-c502-4e68-a239-2e99af0f70da_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary with access to a set of compromised credentials may attempt to verify that the credentials are valid and determine what account they are using. This rule looks for the first time an identity has called the STS `GetCallerIdentity` API operation in the last 15 days, which may be an indicator of compromised credentials. A legitimate user would not need to call this operation as they should know the account they are using.", "false_positives": ["Verify whether the user identity should be using the STS `GetCallerIdentity` API operation. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "history_window_start": "now-10d", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS STS GetCallerIdentity API Called for the First Time", "new_terms_fields": ["aws.cloudtrail.user_identity.arn"], "note": "## Triage and analysis\n\n### Investigating AWS GetCallerIdentity API Called for the First Time\n\nAWS Security Token Service (AWS STS) is a service that enables you to request temporary, limited-privilege credentials for users.\nThe `GetCallerIdentity` function returns details about the IAM user or role owning the credentials used to call the operation. \nNo permissions are required to run this operation and the same information is returned even when access is denied.\nThis rule looks for use of the `GetCallerIdentity` operation. 
This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has called this operation within the last 15 days.\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment, a role belonging to a service like Lambda or an EC2 instance would be highly suspicious.\n- Identify the applications or users that should use this account.\n- Investigate other alerts associated with the account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Review IAM permission policies for the user identity.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. 
Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions.\n- Automation workflows that rely on the results from this API request may also generate false-positives. We recommend adding exceptions related to the `user.name` or `aws.cloudtrail.user_identity.arn` values to ignore these.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.dataset: \"aws.cloudtrail\" and event.provider: \"sts.amazonaws.com\" and event.action: \"GetCallerIdentity\"\nand not aws.cloudtrail.user_identity.type: \"AssumedRole\"\n", "references": ["https://docs.aws.amazon.com/STS/latest/APIReference/API_GetCallerIdentity.html", "https://www.secureworks.com/research/detecting-the-use-of-stolen-aws-lambda-credentials", "https://detectioninthe.cloud/ttps/discovery/get_caller_identity/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.user_identity.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "30fbf4db-c502-4e68-a239-2e99af0f70da", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Use Case: Identity and Access Audit", "Tactic: Discovery", 
"Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.004", "name": "Cloud Account", "reference": "https://attack.mitre.org/techniques/T1087/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "30fbf4db-c502-4e68-a239-2e99af0f70da_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93.json b/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93.json deleted file mode 100644 index 34ac0a86f79..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects events that have a mismatch on the expected event agent ID. The status \"agent_id_mismatch/mismatch\" occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate attempts to spoof events in order to masquerade actual activity to evade detection.", "false_positives": ["This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the necessary field, resulting in false positives."], "from": "now-9m", "index": ["logs-*", "metrics-*", "traces-*"], "language": "kuery", "license": "Elastic License v2", "name": "Agent Spoofing - Mismatched Agent ID", "query": "event.agent_id_status:(agent_id_mismatch or mismatch)\n", "required_fields": [{"ecs": true, "name": "event.agent_id_status", "type": "keyword"}], "risk_score": 73, "rule_id": "3115bd2c-0baa-4df0-80ea-45e474b5ef93", "severity": "high", "tags": ["Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "3115bd2c-0baa-4df0-80ea-45e474b5ef93", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_100.json b/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_100.json deleted file mode 100644 index de48a056d9f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_100.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects events that have a mismatch on the expected event agent ID. The status \"agent_id_mismatch\" occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate attempts to spoof events in order to masquerade actual activity to evade detection.", "false_positives": ["This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the necessary field, resulting in false positives."], "from": "now-9m", "index": ["logs-*", "metrics-*", "traces-*"], "language": "kuery", "license": "Elastic License v2", "name": "Agent Spoofing - Mismatched Agent ID", "query": "event.agent_id_status:agent_id_mismatch\n", "required_fields": [{"ecs": true, "name": "event.agent_id_status", "type": "keyword"}], "risk_score": 73, "rule_id": "3115bd2c-0baa-4df0-80ea-45e474b5ef93", "severity": "high", "tags": ["Elastic", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 100}, "id": "3115bd2c-0baa-4df0-80ea-45e474b5ef93_100", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_101.json b/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_101.json deleted file mode 100644 index 54d41b5edae..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3115bd2c-0baa-4df0-80ea-45e474b5ef93_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects events that have a mismatch on the expected event agent ID. The status \"agent_id_mismatch\" occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate attempts to spoof events in order to masquerade actual activity to evade detection.", "false_positives": ["This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the necessary field, resulting in false positives."], "from": "now-9m", "index": ["logs-*", "metrics-*", "traces-*"], "language": "kuery", "license": "Elastic License v2", "name": "Agent Spoofing - Mismatched Agent ID", "query": "event.agent_id_status:agent_id_mismatch\n", "required_fields": [{"ecs": true, "name": "event.agent_id_status", "type": "keyword"}], "risk_score": 73, "rule_id": "3115bd2c-0baa-4df0-80ea-45e474b5ef93", "severity": "high", "tags": ["Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "3115bd2c-0baa-4df0-80ea-45e474b5ef93_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9.json b/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9.json deleted file mode 100644 index 05e03b5e2c4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port.", "false_positives": ["If you have front-facing proxies that provide authentication and TLS, this rule would need to be tuned to eliminate the source IP address of your reverse-proxy."], "from": "now-9m", "index": ["packetbeat-*", "logs-network_traffic.*"], "language": "lucene", "license": "Elastic License v2", "name": "Inbound Connection to an Unsecure Elasticsearch Node", "note": "", "query": "(event.dataset: network_traffic.http OR (event.category: network_traffic AND network.protocol: http)) AND\n status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:\"image/x-icon\" AND NOT\n _exists_:http.request.headers.authorization\n", "references": ["https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html", "https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-http-options.html#_send_all_headers"], "related_integrations": [], "risk_score": 47, "rule_id": "31295df3-277b-4c56-a1fb-84e31b4222a9", "setup": "This rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. 
See the References section for additional configuration documentation.", "severity": "medium", "tags": ["Use Case: Threat Detection", "Tactic: Initial Access", "Domain: Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "31295df3-277b-4c56-a1fb-84e31b4222a9", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_101.json b/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_101.json
deleted file mode 100644
index 55fc049038e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_101.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port.", "false_positives": ["If you have front-facing proxies that provide authentication and TLS, this rule would need to be tuned to eliminate the source IP address of your reverse-proxy."], "from": "now-9m", "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"], "language": "lucene", "license": "Elastic License v2", "name": "Inbound Connection to an Unsecure Elasticsearch Node", "note": "", "query": "event.category:network_traffic AND network.protocol:http AND status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:\"image/x-icon\" AND NOT _exists_:http.request.headers.authorization\n", "references": ["https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html", "https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-http-options.html#_send_all_headers"], "related_integrations": [], "risk_score": 47, "rule_id": "31295df3-277b-4c56-a1fb-84e31b4222a9", "setup": "This rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. 
See the References section for additional configuration documentation.", "severity": "medium", "tags": ["Elastic", "Network", "Threat Detection", "Initial Access", "Host"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "31295df3-277b-4c56-a1fb-84e31b4222a9_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_102.json b/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_102.json
deleted file mode 100644
index 55227697181..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port.", "false_positives": ["If you have front-facing proxies that provide authentication and TLS, this rule would need to be tuned to eliminate the source IP address of your reverse-proxy."], "from": "now-9m", "index": ["packetbeat-*", "logs-network_traffic.*"], "language": "lucene", "license": "Elastic License v2", "name": "Inbound Connection to an Unsecure Elasticsearch Node", "note": "", "query": "event.dataset: network_traffic.http AND status:OK AND destination.port:9200 AND network.direction:inbound AND NOT http.response.headers.content-type:\"image/x-icon\" AND NOT _exists_:http.request.headers.authorization\n", "references": ["https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html", "https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-http-options.html#_send_all_headers"], "related_integrations": [], "risk_score": 47, "rule_id": "31295df3-277b-4c56-a1fb-84e31b4222a9", "setup": "This rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. See the References section for additional configuration documentation.", "severity": "medium", "tags": ["Use Case: Threat Detection", "Tactic: Initial Access", "Domain: Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "31295df3-277b-4c56-a1fb-84e31b4222a9_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_103.json b/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_103.json
deleted file mode 100644
index 0d2699e5ed6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/31295df3-277b-4c56-a1fb-84e31b4222a9_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are accepting inbound network connections over the default Elasticsearch port.", "false_positives": ["If you have front-facing proxies that provide authentication and TLS, this rule would need to be tuned to eliminate the source IP address of your reverse-proxy."], "from": "now-9m", "index": ["packetbeat-*", "logs-network_traffic.*"], "language": "lucene", "license": "Elastic License v2", "name": "Inbound Connection to an Unsecure Elasticsearch Node", "note": "", "query": "(event.dataset: network_traffic.http or (event.category: network_traffic and network.protocol: http)) and\n status:OK and destination.port:9200 and network.direction:inbound and NOT http.response.headers.content-type:\"image/x-icon\" and not\n _exists_:http.request.headers.authorization\n", "references": ["https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html", "https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-http-options.html#_send_all_headers"], "related_integrations": [], "risk_score": 47, "rule_id": "31295df3-277b-4c56-a1fb-84e31b4222a9", "setup": "This rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. 
See the References section for additional configuration documentation.", "severity": "medium", "tags": ["Use Case: Threat Detection", "Tactic: Initial Access", "Domain: Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "31295df3-277b-4c56-a1fb-84e31b4222a9_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62.json b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62.json
deleted file mode 100644
index 51f354f82d7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Bypass UAC via Event Viewer", "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable :\n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 114}, "id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_104.json b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_104.json
deleted file mode 100644
index 9f4da9c9aac..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Bypass UAC via Event Viewer", "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable :\n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass 
User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_105.json b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_105.json
deleted file mode 100644
index be728037db5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Bypass UAC via Event Viewer", "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable :\n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", 
"reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_106.json b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_106.json
deleted file mode 100644
index 4736d5f9f86..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Bypass UAC via Event Viewer", "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0.
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable :\n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_107.json b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_107.json deleted file mode 100644 index 8be91bdf737..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_107.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Bypass UAC via Event Viewer", "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0.
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable :\n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_108.json b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_108.json deleted file mode 100644 index bc3c90e1453..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_108.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Bypass UAC via Event Viewer", "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0.
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable :\n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_109.json b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_109.json deleted file mode 100644 index f3da277c16f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_109.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Bypass UAC via Event Viewer", "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0.
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable :\n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", 
"Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_110.json b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_110.json deleted file mode 100644 index 5399eacb2c6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_110.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Bypass UAC via Event Viewer", "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable :\n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", 
"tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_111.json b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_111.json
deleted file mode 100644
index 5772596600e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Bypass UAC via Event Viewer", "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable :\n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": 
"high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_112.json b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_112.json
deleted file mode 100644
index 1d5c52f51b7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_112.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Bypass UAC via Event Viewer", "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable :\n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": 
"high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_113.json b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_113.json
deleted file mode 100644
index 31165f539c7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_113.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Bypass UAC via Event Viewer", "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable :\n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_113", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_114.json b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_114.json
deleted file mode 100644
index d51b2a3fddd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_114.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Bypass UAC via Event Viewer", "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable :\n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 114}, "id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_114", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_314.json b/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_314.json
deleted file mode 100644
index 377dcd2a34e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_314.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Bypass UAC via Event Viewer", "note": "## Triage and analysis\n\n### Investigating Bypass UAC via Event Viewer\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nDuring startup, `eventvwr.exe` checks the registry value of the `HKCU\\Software\\Classes\\mscfile\\shell\\open\\command` registry key for the location of `mmc.exe`, which is used to open the `eventvwr.msc` saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user. 
This rule detects this UAC bypass by monitoring processes spawned by `eventvwr.exe` other than `mmc.exe` and `werfault.exe`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, 
start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"eventvwr.exe\" and\n not process.executable :\n (\"?:\\\\Windows\\\\SysWOW64\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Data Source: System", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": 
"https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 314}, "id": "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62_314", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72.json b/packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72.json
deleted file mode 100644
index 84db3a90d3e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A publisher application creates and sends messages to a topic. Deleting a topic can interrupt message flow in the Pub/Sub pipeline.", "false_positives": ["Topic deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Pub/Sub Topic Deletion", "note": "", "query": "event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success\n", "references": ["https://cloud.google.com/pubsub/docs/overview"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "3202e172-01b1-4738-a932-d024c514ba72", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": 
"https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "3202e172-01b1-4738-a932-d024c514ba72", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72_103.json b/packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72_103.json
deleted file mode 100644
index f3955452560..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3202e172-01b1-4738-a932-d024c514ba72_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A publisher application creates and sends messages to a topic. Deleting a topic can interrupt message flow in the Pub/Sub pipeline.", "false_positives": ["Topic deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Pub/Sub Topic Deletion", "note": "", "query": "event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.DeleteTopic and event.outcome:success\n", "references": ["https://cloud.google.com/pubsub/docs/overview"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "3202e172-01b1-4738-a932-d024c514ba72", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Log Auditing"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], 
"timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "3202e172-01b1-4738-a932-d024c514ba72_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32300431-c2d5-432d-8ec8-0e03f9924756.json b/packages/security_detection_engine/kibana/security_rule/32300431-c2d5-432d-8ec8-0e03f9924756.json deleted file mode 100644 index 7262b52c507..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/32300431-c2d5-432d-8ec8-0e03f9924756.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the execution of a unix binary with read, write and execute memory region permissions, followed by a network connection. The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many cases overly permissive, and should (especially in conjunction with an outbound network connection) be analyzed thoroughly.", "from": "now-9m", "index": ["logs-endpoint.events.*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection from Binary with RWX Memory Region", "query": "sample by host.id, process.pid, process.name\n /* auditd.data.a2 == \"7\" translates to RWX memory region protection (PROT_READ | PROT_WRITE | PROT_EXEC) */\n [process where host.os.type == \"linux\" and auditd.data.syscall == \"mprotect\" and auditd.data.a2 == \"7\"]\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and\n not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")]\n", "references": ["https://man7.org/linux/man-pages/man2/mprotect.2.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a2", "type": "unknown"}, {"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": 
"keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "32300431-c2d5-432d-8ec8-0e03f9924756", "setup": "## Setup\n\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-a always,exit -F arch=b64 -S mprotect\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "32300431-c2d5-432d-8ec8-0e03f9924756", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32300431-c2d5-432d-8ec8-0e03f9924756_1.json b/packages/security_detection_engine/kibana/security_rule/32300431-c2d5-432d-8ec8-0e03f9924756_1.json deleted file mode 100644 index 34676ca31fa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/32300431-c2d5-432d-8ec8-0e03f9924756_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the execution of a unix binary with read, write and execute memory region permissions, followed by a network connection. The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many cases overly permissive, and should (especially in conjunction with an outbound network connection) be analyzed thoroughly.", "from": "now-9m", "index": ["logs-endpoint.events.*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection from Binary with RWX Memory Region", "query": "sample by host.id, process.pid, process.name\n /* auditd.data.a2 == \"7\" translates to RWX memory region protection (PROT_READ | PROT_WRITE | PROT_EXEC) */\n [process where host.os.type == \"linux\" and auditd.data.syscall == \"mprotect\" and auditd.data.a2 == \"7\"]\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and\n not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")]\n", "references": ["https://man7.org/linux/man-pages/man2/mprotect.2.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a2", "type": "unknown"}, {"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": 
"keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "32300431-c2d5-432d-8ec8-0e03f9924756", "setup": "## Setup\n\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-a always,exit -F arch=b64 -S mprotect\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "32300431-c2d5-432d-8ec8-0e03f9924756_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32300431-c2d5-432d-8ec8-0e03f9924756_2.json b/packages/security_detection_engine/kibana/security_rule/32300431-c2d5-432d-8ec8-0e03f9924756_2.json deleted file mode 100644 index 7d916e56904..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/32300431-c2d5-432d-8ec8-0e03f9924756_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the execution of a unix binary with read, write and execute memory region permissions, followed by a network connection. The mprotect() system call is used to change the access protections on a region of memory that has already been allocated. This syscall allows a process to modify the permissions of pages in its virtual address space, enabling or disabling permissions such as read, write, and execute for those pages. RWX permissions on memory is in many cases overly permissive, and should (especially in conjunction with an outbound network connection) be analyzed thoroughly.", "from": "now-9m", "index": ["logs-endpoint.events.*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection from Binary with RWX Memory Region", "query": "sample by host.id, process.pid, process.name\n /* auditd.data.a2 == \"7\" translates to RWX memory region protection (PROT_READ | PROT_WRITE | PROT_EXEC) */\n [process where host.os.type == \"linux\" and auditd.data.syscall == \"mprotect\" and auditd.data.a2 == \"7\"]\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and\n not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")]\n", "references": ["https://man7.org/linux/man-pages/man2/mprotect.2.html", "https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a2", "type": "unknown"}, {"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, 
"name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "32300431-c2d5-432d-8ec8-0e03f9924756", "setup": "## Setup\n\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-a always,exit -F arch=b64 -S mprotect\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "32300431-c2d5-432d-8ec8-0e03f9924756_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/323cb487-279d-4218-bcbd-a568efe930c6.json b/packages/security_detection_engine/kibana/security_rule/323cb487-279d-4218-bcbd-a568efe930c6.json deleted file mode 100644 index 65d16987db3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/323cb487-279d-4218-bcbd-a568efe930c6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a Network Watcher in Azure. Network Watchers are used to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. An adversary may delete a Network Watcher in an attempt to evade defenses.", "false_positives": ["Network Watcher deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Network Watcher deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Network Watcher Deletion", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE\" and event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "323cb487-279d-4218-bcbd-a568efe930c6", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": 
"Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "323cb487-279d-4218-bcbd-a568efe930c6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/323cb487-279d-4218-bcbd-a568efe930c6_101.json b/packages/security_detection_engine/kibana/security_rule/323cb487-279d-4218-bcbd-a568efe930c6_101.json deleted file mode 100644 index 41ef95815a6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/323cb487-279d-4218-bcbd-a568efe930c6_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a Network Watcher in Azure. Network Watchers are used to monitor, diagnose, view metrics, and enable or disable logs for resources in an Azure virtual network. An adversary may delete a Network Watcher in an attempt to evade defenses.", "false_positives": ["Network Watcher deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Network Watcher deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Network Watcher Deletion", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE\" and event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "323cb487-279d-4218-bcbd-a568efe930c6", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Network Security"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", 
"reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "323cb487-279d-4218-bcbd-a568efe930c6_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb.json b/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb.json deleted file mode 100644 index e14323d552f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "RPC (Remote Procedure Call) to the Internet", "query": "(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 
73, "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb", "severity": "high", "tags": ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "32923416-763a-4531-bb35-f33b9232ecdb", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_100.json b/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_100.json deleted file mode 100644 index af0eb430051..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_100.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", "from": "now-9m", "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "RPC (Remote Procedure Call) to the Internet", "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 73, "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb", "severity": "high", "tags": ["Elastic", "Host", "Network", "Threat 
Detection", "Initial Access", "Host"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 100}, "id": "32923416-763a-4531-bb35-f33b9232ecdb_100", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_101.json b/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_101.json deleted file mode 100644 index 3617b716cf4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", "from": "now-9m", "index": ["packetbeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "RPC (Remote Procedure Call) to the Internet", "query": "event.dataset: network_traffic.flow and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 73, "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb", "severity": "high", "tags": ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: 
Initial Access", "Domain: Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "32923416-763a-4531-bb35-f33b9232ecdb_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_102.json b/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_102.json deleted file mode 100644 index 24e1383db35..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", "from": "now-9m", "index": ["packetbeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "RPC (Remote Procedure Call) to the Internet", "query": "event.dataset: network_traffic.flow and network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 73, "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb", "severity": "high", "tags": ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: 
Threat Detection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "32923416-763a-4531-bb35-f33b9232ecdb_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_103.json b/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_103.json deleted file mode 100644 index 2057c8f82b2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/32923416-763a-4531-bb35-f33b9232ecdb_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of RPC traffic to the Internet. RPC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "RPC (Remote Procedure Call) to the Internet", "query": "(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and (destination.port:135 or event.dataset:zeek.dce_rpc) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 
73, "rule_id": "32923416-763a-4531-bb35-f33b9232ecdb", "severity": "high", "tags": ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "32923416-763a-4531-bb35-f33b9232ecdb_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14.json b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14.json deleted file mode 100644 index d7db68e1c98..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Program Files Directory Masquerading", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*Program*Files*\\\\*.exe\" and\n not process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Users\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*.exe\",\n \"?:\\\\Windows\\\\Downloaded Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\.opera\\\\????????????\\\\CProgram?FilesOpera*\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\.opera\\\\????????????\\\\CProgram?Files?(x86)Opera*\\\\*.exe\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a 
custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_103.json b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_103.json deleted file mode 100644 index 4fbbfafc665..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Program Files Directory Masquerading", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*Program*Files*\\\\*.exe\" and\n not process.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": 
"Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_104.json b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_104.json deleted file mode 100644 index f7ad9f6990b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Program Files Directory Masquerading", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*Program*Files*\\\\*.exe\" and\n not process.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", 
"subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_105.json b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_105.json deleted file mode 100644 index 2c97a74a00a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Program Files Directory Masquerading", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*Program*Files*\\\\*.exe\" and\n not process.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": 
"https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_106.json b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_106.json deleted file mode 100644 index 2313307c83e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Program Files Directory Masquerading", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*Program*Files*\\\\*.exe\" and\n not process.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", 
"name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_107.json b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_107.json deleted file mode 100644 index b5aba5f9475..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Program Files Directory Masquerading", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*Program*Files*\\\\*.exe\" and\n not process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Users\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*.exe\",\n \"?:\\\\Windows\\\\Downloaded Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\.opera\\\\????????????\\\\CProgram?FilesOpera*\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\.opera\\\\????????????\\\\CProgram?Files?(x86)Opera*\\\\*.exe\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", 
"severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_108.json b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_108.json deleted file mode 100644 index 92dce93c11d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Program Files Directory Masquerading", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*Program*Files*\\\\*.exe\" and\n not process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Users\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*.exe\",\n \"?:\\\\Windows\\\\Downloaded Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\.opera\\\\????????????\\\\CProgram?FilesOpera*\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\.opera\\\\????????????\\\\CProgram?Files?(x86)Opera*\\\\*.exe\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_109.json b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_109.json deleted file mode 100644 index aa5b3dd9473..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Program Files Directory Masquerading", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*Program*Files*\\\\*.exe\" and\n not process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Users\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*.exe\",\n \"?:\\\\Windows\\\\Downloaded Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\.opera\\\\????????????\\\\CProgram?FilesOpera*\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\.opera\\\\????????????\\\\CProgram?Files?(x86)Opera*\\\\*.exe\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_110.json b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_110.json deleted file mode 100644 index 18b731eba4c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Program Files Directory Masquerading", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*Program*Files*\\\\*.exe\" and\n not process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Users\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*.exe\",\n \"?:\\\\Windows\\\\Downloaded Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\.opera\\\\????????????\\\\CProgram?FilesOpera*\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\.opera\\\\????????????\\\\CProgram?Files?(x86)Opera*\\\\*.exe\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a 
custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_111.json b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_111.json deleted file mode 100644 index 424c2eaddd7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_111.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Program Files Directory Masquerading", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*Program*Files*\\\\*.exe\" and\n not process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Users\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*.exe\",\n \"?:\\\\Windows\\\\Downloaded Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\.opera\\\\????????????\\\\CProgram?FilesOpera*\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\.opera\\\\????????????\\\\CProgram?Files?(x86)Opera*\\\\*.exe\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a 
custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_311.json b/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_311.json
deleted file mode 100644
index 28133ae2ff2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_311.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Program Files Directory Masquerading", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*Program*Files*\\\\*.exe\" and\n not process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Users\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*.exe\",\n \"?:\\\\Windows\\\\Downloaded Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\.opera\\\\????????????\\\\CProgram?FilesOpera*\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\.opera\\\\????????????\\\\CProgram?Files?(x86)Opera*\\\\*.exe\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data 
Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 311}, "id": "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14_311", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/32d3ad0e-6add-11ef-8c7b-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/32d3ad0e-6add-11ef-8c7b-f661ea17fbcc_1.json
deleted file mode 100644
index d574bd75211..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/32d3ad0e-6add-11ef-8c7b-f661ea17fbcc_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects successful Microsoft 365 portal logins from rare locations. Rare locations are defined as locations that are not commonly associated with the user's account. This behavior may indicate an adversary attempting to access a Microsoft 365 account from an unusual location or behind a VPN.", "false_positives": ["False positives may occur when users are using a VPN or when users are traveling to different locations."], "from": "now-9m", "history_window_start": "now-14d", "index": ["filebeat-*", "logs-o365.audit-*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Portal Login from Rare Location", "new_terms_fields": ["o365.audit.UserId", "source.geo.country_name"], "query": "event.dataset: \"o365.audit\"\n and event.provider: \"AzureActiveDirectory\"\n and event.action: \"UserLoggedIn\"\n and event.outcome: \"success\"\n", "references": ["https://www.huntress.com/blog/time-travelers-busted-how-to-detect-impossible-travel-"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Threat Detection", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "timestamp_override": 
"event.ingested", "type": "new_terms", "version": 1}, "id": "32d3ad0e-6add-11ef-8c7b-f661ea17fbcc_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e.json b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e.json
deleted file mode 100644
index 66b52b25cfd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious MS Outlook Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious MS Outlook Child Process\n\nMicrosoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is widely used, either standalone or as part of the Office suite.\n\nThis rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious documents and/or exploitation for initial access.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently opened files received via email and opened by the user that could cause this behavior. 
Common locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"outlook.exe\" and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\",\n \"cdb.exe\", \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\",\n \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\",\n \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\",\n \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": 
"keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": 
"https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 315}, "id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_104.json b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_104.json
deleted file mode 100644
index 0d1366ea6f4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious MS Outlook Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious MS Outlook Child Process\n\nMicrosoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is widely used, either standalone or as part of the Office suite.\n\nThis rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious documents and/or exploitation for initial access.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently opened files received via email and opened by the user that could cause this behavior. 
Common locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"outlook.exe\" and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\",\n \"cdb.exe\", \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\",\n \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\",\n \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\",\n \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": 
"process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "32f4675e-6c49-4ace-80f9-97c9259dca2e_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_105.json b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_105.json
deleted file mode 100644
index c6dfb8930a3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious MS Outlook Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious MS Outlook Child Process\n\nMicrosoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is widely used, either standalone or as part of the Office suite.\n\nThis rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious documents and/or exploitation for initial access.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently opened files received via email and opened by the user that could cause this behavior. 
Common locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"outlook.exe\" and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\",\n \"cdb.exe\", \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\",\n \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\",\n \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\",\n \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": 
"process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "32f4675e-6c49-4ace-80f9-97c9259dca2e_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_106.json b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_106.json
deleted file mode 100644
index bb39eeca38e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious MS Outlook Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious MS Outlook Child Process\n\nMicrosoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is widely used, either standalone or as part of the Office suite.\n\nThis rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious documents and/or exploitation for initial access.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently opened files received via email and opened by the user that could cause this behavior. 
Common locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"outlook.exe\" and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\",\n \"cdb.exe\", \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\",\n \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\",\n \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\",\n \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": 
"process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "32f4675e-6c49-4ace-80f9-97c9259dca2e_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_107.json b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_107.json
deleted file mode 100644
index 369b0c4de5b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious MS Outlook Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious MS Outlook Child Process\n\nMicrosoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is widely used, either standalone or as part of the Office suite.\n\nThis rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious documents and/or exploitation for initial access.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently opened files received via email and opened by the user that could cause this behavior. 
Common locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"outlook.exe\" and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\",\n \"cdb.exe\", \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\",\n \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\",\n \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\",\n \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": 
"process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "32f4675e-6c49-4ace-80f9-97c9259dca2e_107", 
"type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_108.json b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_108.json
deleted file mode 100644
index 8b7455cb82e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious MS Outlook Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious MS Outlook Child Process\n\nMicrosoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is widely used, either standalone or as part of the Office suite.\n\nThis rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious documents and/or exploitation for initial access.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently opened files received via email and opened by the user that could cause this behavior. 
Common locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"outlook.exe\" and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\",\n \"cdb.exe\", \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\",\n \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\",\n \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\",\n \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": 
"process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", 
"reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "32f4675e-6c49-4ace-80f9-97c9259dca2e_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_109.json b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_109.json
deleted file mode 100644
index 915a20a549f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious MS Outlook Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious MS Outlook Child Process\n\nMicrosoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is widely used, either standalone or as part of the Office suite.\n\nThis rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious documents and/or exploitation for initial access.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently opened files received via email and opened by the user that could cause this behavior. 
Common locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"outlook.exe\" and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\",\n \"cdb.exe\", \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\",\n \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\",\n \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\",\n \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": 
"keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": 
"System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "32f4675e-6c49-4ace-80f9-97c9259dca2e_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_110.json b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_110.json
deleted file mode 100644
index 8ee77ac2552..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious MS Outlook Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious MS Outlook Child Process\n\nMicrosoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is widely used, either standalone or as part of the Office suite.\n\nThis rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious documents and/or exploitation for initial access.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently opened files received via email and opened by the user that could cause this behavior. 
Common locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"outlook.exe\" and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\",\n \"cdb.exe\", \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\",\n \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\",\n \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\",\n \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": 
"keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": 
"T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "32f4675e-6c49-4ace-80f9-97c9259dca2e_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_111.json b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_111.json
deleted file mode 100644
index eaccf30df50..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious MS Outlook Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious MS Outlook Child Process\n\nMicrosoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is widely used, either standalone or as part of the Office suite.\n\nThis rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious documents and/or exploitation for initial access.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently opened files received via email and opened by the user that could cause this behavior. 
Common locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"outlook.exe\" and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\",\n \"cdb.exe\", \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\",\n \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\",\n \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\",\n \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": 
"keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": 
"T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "32f4675e-6c49-4ace-80f9-97c9259dca2e_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_212.json b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_212.json
deleted file mode 100644
index 4f397eb2067..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_212.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious MS Outlook Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious MS Outlook Child Process\n\nMicrosoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is widely used, either standalone or as part of the Office suite.\n\nThis rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious documents and/or exploitation for initial access.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently opened files received via email and opened by the user that could cause this behavior. 
Common locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"outlook.exe\" and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\",\n \"cdb.exe\", \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\",\n \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\",\n \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\",\n \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": 
"keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", 
"reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 212}, "id": "32f4675e-6c49-4ace-80f9-97c9259dca2e_212", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_313.json b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_313.json
deleted file mode 100644
index f7f15aa01e9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_313.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious MS Outlook Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious MS Outlook Child Process\n\nMicrosoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is widely used, either standalone or as part of the Office suite.\n\nThis rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious documents and/or exploitation for initial access.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently opened files received via email and opened by the user that could cause this behavior. 
Common locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"outlook.exe\" and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\",\n \"cdb.exe\", \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\",\n \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\",\n \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\",\n \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": 
"keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", 
"reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 313}, "id": "32f4675e-6c49-4ace-80f9-97c9259dca2e_313", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_314.json b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_314.json
deleted file mode 100644
index 78b57b53649..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_314.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious MS Outlook Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious MS Outlook Child Process\n\nMicrosoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is widely used, either standalone or as part of the Office suite.\n\nThis rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious documents and/or exploitation for initial access.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently opened files received via email and opened by the user that could cause this behavior. 
Common locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"outlook.exe\" and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\",\n \"cdb.exe\", \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\",\n \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\",\n \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\",\n \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": 
"keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": 
"https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 314}, "id": "32f4675e-6c49-4ace-80f9-97c9259dca2e_314", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_315.json b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_315.json
deleted file mode 100644
index dcfb36c8594..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_315.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious MS Outlook Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious MS Outlook Child Process\n\nMicrosoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is widely used, either standalone or as part of the Office suite.\n\nThis rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious documents and/or exploitation for initial access.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently opened files received via email and opened by the user that could cause this behavior. 
Common locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"outlook.exe\" and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\",\n \"cdb.exe\", \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\",\n \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\",\n \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\",\n \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": 
"keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": 
"https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 315}, "id": "32f4675e-6c49-4ace-80f9-97c9259dca2e_315", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_415.json b/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_415.json
deleted file mode 100644
index 79a7d272eae..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/32f4675e-6c49-4ace-80f9-97c9259dca2e_415.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious MS Outlook Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious MS Outlook Child Process\n\nMicrosoft Outlook is an email client that provides contact, email calendar, and task management features. Outlook is widely used, either standalone or as part of the Office suite.\n\nThis rule looks for suspicious processes spawned by MS Outlook, which can be the result of the execution of malicious documents and/or exploitation for initial access.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently opened files received via email and opened by the user that could cause this behavior. 
Common locations include but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"outlook.exe\" and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\",\n \"cdb.exe\", \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\",\n \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\",\n \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\",\n \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": 
"keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "32f4675e-6c49-4ace-80f9-97c9259dca2e", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": 
"https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 415}, "id": "32f4675e-6c49-4ace-80f9-97c9259dca2e_415", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0.json b/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0.json
deleted file mode 100644
index 63f774926f0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM).", "false_positives": ["Adding users to a specified group may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. User additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM User Addition to Group", "note": "## Triage and analysis\n\n### Investigating AWS IAM User Addition to Group\n\nAWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS. With IAM, you can specify who can access which services and resources, and under which conditions. With IAM policies, you manage permissions to your workforce and systems to ensure least-privilege permissions.\n\nThis rule looks for the addition of users to a specified user group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. 
Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions \u2014 to reduce noise from onboarding processes and administrator activities.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "333de828-8190-4cf5-8d7c-7575846f6fe0", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Credential Access", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": []}, 
{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "333de828-8190-4cf5-8d7c-7575846f6fe0", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_105.json b/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_105.json
deleted file mode 100644
index 06b566220b1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM).", "false_positives": ["Adding users to a specified group may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. User additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM User Addition to Group", "note": "## Triage and analysis\n\n### Investigating AWS IAM User Addition to Group\n\nAWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS. With IAM, you can specify who can access which services and resources, and under which conditions. With IAM policies, you manage permissions to your workforce and systems to ensure least-privilege permissions.\n\nThis rule looks for the addition of users to a specified user group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. 
Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions \u2014 to reduce noise from onboarding processes and administrator activities.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "333de828-8190-4cf5-8d7c-7575846f6fe0", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Identity and Access", "Credential Access", "Persistence", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": []}, {"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "333de828-8190-4cf5-8d7c-7575846f6fe0_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_106.json b/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_106.json deleted file mode 100644 index 62f4522c1f2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_106.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM).", "false_positives": ["Adding users to a specified group may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. User additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM User Addition to Group", "note": "## Triage and analysis\n\n### Investigating AWS IAM User Addition to Group\n\nAWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS. With IAM, you can specify who can access which services and resources, and under which conditions. With IAM policies, you manage permissions to your workforce and systems to ensure least-privilege permissions.\n\nThis rule looks for the addition of users to a specified user group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. 
Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions \u2014 to reduce noise from onboarding processes and administrator activities.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "333de828-8190-4cf5-8d7c-7575846f6fe0", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Credential Access", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": []}, 
{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "333de828-8190-4cf5-8d7c-7575846f6fe0_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_107.json b/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_107.json deleted file mode 100644 index 5ca031d4bb7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_107.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM).", "false_positives": ["Adding users to a specified group may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. User additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM User Addition to Group", "note": "## Triage and analysis\n\n### Investigating AWS IAM User Addition to Group\n\nAWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS. With IAM, you can specify who can access which services and resources, and under which conditions. With IAM policies, you manage permissions to your workforce and systems to ensure least-privilege permissions.\n\nThis rule looks for the addition of users to a specified user group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. 
Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions \u2014 to reduce noise from onboarding processes and administrator activities.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "333de828-8190-4cf5-8d7c-7575846f6fe0", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Credential Access", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": []}, 
{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "333de828-8190-4cf5-8d7c-7575846f6fe0_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_208.json b/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_208.json deleted file mode 100644 index f5b5faabc74..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/333de828-8190-4cf5-8d7c-7575846f6fe0_208.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM).", "false_positives": ["Adding users to a specified group may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. User additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM User Addition to Group", "note": "## Triage and analysis\n\n### Investigating AWS IAM User Addition to Group\n\nAWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS. With IAM, you can specify who can access which services and resources, and under which conditions. With IAM policies, you manage permissions to your workforce and systems to ensure least-privilege permissions.\n\nThis rule looks for the addition of users to a specified user group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. 
Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions \u2014 to reduce noise from onboarding processes and administrator activities.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:AddUserToGroup and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "333de828-8190-4cf5-8d7c-7575846f6fe0", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Credential Access", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": []}, 
{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 208}, "id": "333de828-8190-4cf5-8d7c-7575846f6fe0_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f.json b/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f.json deleted file mode 100644 index d3f7cbfcc19..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies instances where the 'find' command is started on a Linux system with arguments targeting specific VM-related paths, such as \"/etc/vmware/\", \"/usr/lib/vmware/\", or \"/vmfs/*\". These paths are associated with VMware virtualization software, and their presence in the find command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files and configurations on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "ESXI Discovery via Find", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"find\" and process.args : (\"/etc/vmware/*\", \"/usr/lib/vmware/*\", \"/vmfs/*\")\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "33a6752b-da5e-45f8-b13a-5f094c09522f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "33a6752b-da5e-45f8-b13a-5f094c09522f", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_1.json b/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_1.json
deleted file mode 100644
index 13db7b96b7f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies instances where the 'find' command is started on a Linux system with arguments targeting specific VM-related paths, such as \"/etc/vmware/\", \"/usr/lib/vmware/\", or \"/vmfs/*\". These paths are associated with VMware virtualization software, and their presence in the find command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files and configurations on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "ESXI Discovery via Find", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.name : \"find\" and\nprocess.args : (\"/etc/vmware/*\", \"/usr/lib/vmware/*\", \"/vmfs/*\")\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "33a6752b-da5e-45f8-b13a-5f094c09522f", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "33a6752b-da5e-45f8-b13a-5f094c09522f_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_2.json b/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_2.json
deleted file mode 100644
index 89e1d62da92..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies instances where the 'find' command is started on a Linux system with arguments targeting specific VM-related paths, such as \"/etc/vmware/\", \"/usr/lib/vmware/\", or \"/vmfs/*\". These paths are associated with VMware virtualization software, and their presence in the find command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files and configurations on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "ESXI Discovery via Find", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.name : \"find\" and\nprocess.args : (\"/etc/vmware/*\", \"/usr/lib/vmware/*\", \"/vmfs/*\")\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "33a6752b-da5e-45f8-b13a-5f094c09522f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "33a6752b-da5e-45f8-b13a-5f094c09522f_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_3.json b/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_3.json
deleted file mode 100644
index f6b208f71a7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies instances where the 'find' command is started on a Linux system with arguments targeting specific VM-related paths, such as \"/etc/vmware/\", \"/usr/lib/vmware/\", or \"/vmfs/*\". These paths are associated with VMware virtualization software, and their presence in the find command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files and configurations on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "ESXI Discovery via Find", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.name : \"find\" and\nprocess.args : (\"/etc/vmware/*\", \"/usr/lib/vmware/*\", \"/vmfs/*\")\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "33a6752b-da5e-45f8-b13a-5f094c09522f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "33a6752b-da5e-45f8-b13a-5f094c09522f_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_4.json b/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_4.json
deleted file mode 100644
index f9bab7917da..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies instances where the 'find' command is started on a Linux system with arguments targeting specific VM-related paths, such as \"/etc/vmware/\", \"/usr/lib/vmware/\", or \"/vmfs/*\". These paths are associated with VMware virtualization software, and their presence in the find command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files and configurations on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "ESXI Discovery via Find", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.name : \"find\" and\nprocess.args : (\"/etc/vmware/*\", \"/usr/lib/vmware/*\", \"/vmfs/*\")\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "33a6752b-da5e-45f8-b13a-5f094c09522f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "33a6752b-da5e-45f8-b13a-5f094c09522f_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_5.json b/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_5.json
deleted file mode 100644
index ae932ccfe57..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies instances where the 'find' command is started on a Linux system with arguments targeting specific VM-related paths, such as \"/etc/vmware/\", \"/usr/lib/vmware/\", or \"/vmfs/*\". These paths are associated with VMware virtualization software, and their presence in the find command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files and configurations on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "ESXI Discovery via Find", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.name : \"find\" and\nprocess.args : (\"/etc/vmware/*\", \"/usr/lib/vmware/*\", \"/vmfs/*\")\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "33a6752b-da5e-45f8-b13a-5f094c09522f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "33a6752b-da5e-45f8-b13a-5f094c09522f_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_6.json b/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_6.json
deleted file mode 100644
index d534f5a1695..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/33a6752b-da5e-45f8-b13a-5f094c09522f_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies instances where the 'find' command is started on a Linux system with arguments targeting specific VM-related paths, such as \"/etc/vmware/\", \"/usr/lib/vmware/\", or \"/vmfs/*\". These paths are associated with VMware virtualization software, and their presence in the find command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files and configurations on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "ESXI Discovery via Find", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"find\" and process.args : (\"/etc/vmware/*\", \"/usr/lib/vmware/*\", \"/vmfs/*\")\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "33a6752b-da5e-45f8-b13a-5f094c09522f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "33a6752b-da5e-45f8-b13a-5f094c09522f_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d.json b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d.json
deleted file mode 100644
index c82e8f9881d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies powershell.exe being used to download an executable file from an untrusted remote destination.", "from": "now-9m", "index": ["logs-endpoint.events.network-*", "logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via PowerShell", "note": "## Triage and analysis\n\n### Investigating Remote File Download via PowerShell\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nPowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it available for use in various environments and creates an attractive way for attackers to execute code and perform actions. This rule correlates network and file events to detect downloads of executable and script files performed using PowerShell.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network 
Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators can use PowerShell legitimately to download executable and script files. Analysts can dismiss the alert if the Administrator is aware of the activity and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=30s\n\n[network where host.os.type == \"windows\" and\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and network.protocol == \"dns\" and\n not dns.question.name : (\n \"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\",\n \"*.windowsupdate.com\", \"metadata.google.internal\", \"dist.nuget.org\",\n \"artifacts.elastic.co\", \"*.digicert.com\", \"packages.chocolatey.org\",\n \"outlook.office365.com\"\n ) and not user.id : \"S-1-5-18\"]\n[file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : \"powershell.exe\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and\n not file.name : \"__PSScriptPolicy*.ps1\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "33f306e8-417c-411b-965c-c2812d6d3f4d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", 
"Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "type": "eql", "version": 110}, "id": "33f306e8-417c-411b-965c-c2812d6d3f4d", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_104.json b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_104.json
deleted file mode 100644
index fc14c9c4e7c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies powershell.exe being used to download an executable file from an untrusted remote destination.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via PowerShell", "note": "## Triage and analysis\n\n### Investigating Remote File Download via PowerShell\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nPowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it available for use in various environments and creates an attractive way for attackers to execute code and perform actions. This rule correlates network and file events to detect downloads of executable and script files performed using PowerShell.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators can use PowerShell legitimately to download executable and script files. 
Analysts can dismiss the alert if the Administrator is aware of the activity and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=30s\n [network where host.os.type == \"windows\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and network.protocol == \"dns\" and\n not dns.question.name : (\"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\", \"*.windowsupdate.com\", \"metadata.google.internal\") and\n not user.domain : \"NT AUTHORITY\"]\n [file where host.os.type == \"windows\" and process.name : \"powershell.exe\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and\n not file.name : \"__PSScriptPolicy*.ps1\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "33f306e8-417c-411b-965c-c2812d6d3f4d", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "type": "eql", "version": 104}, "id": "33f306e8-417c-411b-965c-c2812d6d3f4d_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_105.json b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_105.json
deleted file mode 100644
index ecfc93df52d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies powershell.exe being used to download an executable file from an untrusted remote destination.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via PowerShell", "note": "## Triage and analysis\n\n### Investigating Remote File Download via PowerShell\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nPowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it available for use in various environments and creates an attractive way for attackers to execute code and perform actions. This rule correlates network and file events to detect downloads of executable and script files performed using PowerShell.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators can use PowerShell legitimately to download executable and script files. Analysts can dismiss the alert if the Administrator is aware of the activity and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=30s\n [network where host.os.type == \"windows\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and network.protocol == \"dns\" and\n not dns.question.name : (\"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\", \"*.windowsupdate.com\", \"metadata.google.internal\") and\n not user.domain : \"NT AUTHORITY\"]\n [file where host.os.type == \"windows\" and process.name : \"powershell.exe\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and\n not file.name : \"__PSScriptPolicy*.ps1\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "33f306e8-417c-411b-965c-c2812d6d3f4d", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "type": "eql", "version": 105}, "id": "33f306e8-417c-411b-965c-c2812d6d3f4d_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_106.json b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_106.json
deleted file mode 100644
index a044d33a3fc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies powershell.exe being used to download an executable file from an untrusted remote destination.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via PowerShell", "note": "## Triage and analysis\n\n### Investigating Remote File Download via PowerShell\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nPowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it available for use in various environments and creates an attractive way for attackers to execute code and perform actions. This rule correlates network and file events to detect downloads of executable and script files performed using PowerShell.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators can use PowerShell legitimately to download executable and script files. Analysts can dismiss the alert if the Administrator is aware of the activity and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=30s\n [network where host.os.type == \"windows\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and network.protocol == \"dns\" and\n not dns.question.name : (\"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\", \"*.windowsupdate.com\", \"metadata.google.internal\") and\n not user.domain : \"NT AUTHORITY\"]\n [file where host.os.type == \"windows\" and process.name : \"powershell.exe\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and\n not file.name : \"__PSScriptPolicy*.ps1\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "33f306e8-417c-411b-965c-c2812d6d3f4d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: 
Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "type": "eql", "version": 106}, "id": "33f306e8-417c-411b-965c-c2812d6d3f4d_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_107.json b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_107.json
deleted file mode 100644
index 7c7a29e63d2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies powershell.exe being used to download an executable file from an untrusted remote destination.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via PowerShell", "note": "## Triage and analysis\n\n### Investigating Remote File Download via PowerShell\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nPowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it available for use in various environments and creates an attractive way for attackers to execute code and perform actions. This rule correlates network and file events to detect downloads of executable and script files performed using PowerShell.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators can use PowerShell legitimately to download executable and script files. Analysts can dismiss the alert if the Administrator is aware of the activity and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=30s\n [network where host.os.type == \"windows\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and network.protocol == \"dns\" and\n not dns.question.name : (\"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\", \"*.windowsupdate.com\", \"metadata.google.internal\") and\n not user.domain : \"NT AUTHORITY\"]\n [file where host.os.type == \"windows\" and process.name : \"powershell.exe\" and event.type == \"creation\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and\n not file.name : \"__PSScriptPolicy*.ps1\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "33f306e8-417c-411b-965c-c2812d6d3f4d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: 
Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "type": "eql", "version": 107}, "id": "33f306e8-417c-411b-965c-c2812d6d3f4d_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_108.json b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_108.json
deleted file mode 100644
index 9103729f300..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies powershell.exe being used to download an executable file from an untrusted remote destination.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via PowerShell", "note": "## Triage and analysis\n\n### Investigating Remote File Download via PowerShell\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nPowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it available for use in various environments and creates an attractive way for attackers to execute code and perform actions. This rule correlates network and file events to detect downloads of executable and script files performed using PowerShell.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators can use PowerShell legitimately to download executable and script files. Analysts can dismiss the alert if the Administrator is aware of the activity and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=30s\n\n[network where host.os.type == \"windows\" and\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and network.protocol == \"dns\" and\n not dns.question.name : (\n \"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\",\n \"*.windowsupdate.com\", \"metadata.google.internal\", \"dist.nuget.org\",\n \"artifacts.elastic.co\", \"*.digicert.com\", \"packages.chocolatey.org\",\n \"outlook.office365.com\"\n ) and not user.id : \"S-1-5-18\"]\n[file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : \"powershell.exe\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and\n not file.name : \"__PSScriptPolicy*.ps1\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "33f306e8-417c-411b-965c-c2812d6d3f4d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", 
"Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "type": "eql", "version": 108}, "id": "33f306e8-417c-411b-965c-c2812d6d3f4d_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_109.json b/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_109.json
deleted file mode 100644
index b54a0e1c1be..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/33f306e8-417c-411b-965c-c2812d6d3f4d_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies powershell.exe being used to download an executable file from an untrusted remote destination.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via PowerShell", "note": "## Triage and analysis\n\n### Investigating Remote File Download via PowerShell\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nPowerShell is one of system administrators' main tools for automation, report routines, and other tasks. This makes it available for use in various environments and creates an attractive way for attackers to execute code and perform actions. This rule correlates network and file events to detect downloads of executable and script files performed using PowerShell.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network 
Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators can use PowerShell legitimately to download executable and script files. Analysts can dismiss the alert if the Administrator is aware of the activity and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=30s\n\n[network where host.os.type == \"windows\" and\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and network.protocol == \"dns\" and\n not dns.question.name : (\n \"localhost\", \"*.microsoft.com\", \"*.azureedge.net\", \"*.powershellgallery.com\",\n \"*.windowsupdate.com\", \"metadata.google.internal\", \"dist.nuget.org\",\n \"artifacts.elastic.co\", \"*.digicert.com\", \"packages.chocolatey.org\",\n \"outlook.office365.com\"\n ) and not user.id : \"S-1-5-18\"]\n[file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : \"powershell.exe\" and file.extension : (\"exe\", \"dll\", \"ps1\", \"bat\") and\n not file.name : \"__PSScriptPolicy*.ps1\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "33f306e8-417c-411b-965c-c2812d6d3f4d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", 
"Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "type": "eql", "version": 109}, "id": "33f306e8-417c-411b-965c-c2812d6d3f4d_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/342f834b-21a6-41bf-878c-87d116eba3ee.json b/packages/security_detection_engine/kibana/security_rule/342f834b-21a6-41bf-878c-87d116eba3ee.json
deleted file mode 100644
index f485c6faef3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/342f834b-21a6-41bf-878c-87d116eba3ee.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the creation or modification of the dynamic linker preload shared object (ld.so.preload) inside a container. The Linux dynamic linker is used to load libraries needed by a program at runtime. Adversaries may hijack the dynamic linker by modifying the /etc/ld.so.preload file to point to malicious libraries. This behavior can be used to grant unauthorized access to system resources and has been used to evade detection of malicious processes in container environments.", "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "Modification of Dynamic Linker Preload Shared Object Inside A Container", "query": "file where event.module== \"cloud_defend\" and event.type != \"deletion\" and file.path== \"/etc/ld.so.preload\"\n", "references": ["https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/", "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang/", "https://sysdig.com/blog/threat-detection-aws-cloud-containers/"], "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "event.module", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}], "risk_score": 73, "rule_id": "342f834b-21a6-41bf-878c-87d116eba3ee", "severity": "high", "tags": ["Data Source: Elastic Defend for Containers", "Domain: Container", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": 
"https://attack.mitre.org/techniques/T1574/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "342f834b-21a6-41bf-878c-87d116eba3ee", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/345889c4-23a8-4bc0-b7ca-756bd17ce83b.json b/packages/security_detection_engine/kibana/security_rule/345889c4-23a8-4bc0-b7ca-756bd17ce83b.json
deleted file mode 100644
index bfceec33dac..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/345889c4-23a8-4bc0-b7ca-756bd17ce83b.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects when a GitHub repository is deleted within your organization. Repositories are a critical component used within an organization to manage work, collaborate with others and release products to the public. Any delete action against a repository should be investigated to determine it's validity. Unauthorized deletion of organization repositories could cause irreversible loss of intellectual property and indicate compromise within your organization.", "from": "now-9m", "index": ["logs-github.audit-*"], "language": "eql", "license": "Elastic License v2", "name": "GitHub Repository Deleted", "query": "configuration where event.module == \"github\" and event.action == \"repo.destroy\"\n", "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "345889c4-23a8-4bc0-b7ca-756bd17ce83b", "severity": "medium", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Impact", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "345889c4-23a8-4bc0-b7ca-756bd17ce83b", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/345889c4-23a8-4bc0-b7ca-756bd17ce83b_1.json b/packages/security_detection_engine/kibana/security_rule/345889c4-23a8-4bc0-b7ca-756bd17ce83b_1.json
deleted file mode 100644
index 5b2ed1ec952..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/345889c4-23a8-4bc0-b7ca-756bd17ce83b_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects when a GitHub repository is deleted within your organization. Repositories are a critical component used within an organization to manage work, collaborate with others and release products to the public. Any delete action against a repository should be investigated to determine it's validity. Unauthorized deletion of organization repositories could cause irreversible loss of intellectual property and indicate compromise within your organization.", "from": "now-9m", "index": ["logs-github.audit-*"], "language": "eql", "license": "Elastic License v2", "name": "GitHub Repository Deleted", "query": "configuration where event.module == \"github\" and event.action == \"repo.destroy\"\n", "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "345889c4-23a8-4bc0-b7ca-756bd17ce83b", "severity": "medium", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "345889c4-23a8-4bc0-b7ca-756bd17ce83b_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/345889c4-23a8-4bc0-b7ca-756bd17ce83b_102.json b/packages/security_detection_engine/kibana/security_rule/345889c4-23a8-4bc0-b7ca-756bd17ce83b_102.json
new file mode 100644
index 00000000000..68f925a9a17
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/345889c4-23a8-4bc0-b7ca-756bd17ce83b_102.json
@@ -0,0 +1,60 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule detects when a GitHub repository is deleted within your organization. Repositories are a critical component used within an organization to manage work, collaborate with others and release products to the public. Any delete action against a repository should be investigated to determine it's validity. Unauthorized deletion of organization repositories could cause irreversible loss of intellectual property and indicate compromise within your organization.",
+ "from": "now-9m",
+ "index": [
+ "logs-github.audit-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "GitHub Repository Deleted",
+ "query": "configuration where event.module == \"github\" and event.action == \"repo.destroy\"\n",
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.module",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "345889c4-23a8-4bc0-b7ca-756bd17ce83b",
+ "severity": "medium",
+ "tags": [
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Impact",
+ "Data Source: Github"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0040",
+ "name": "Impact",
+ "reference": "https://attack.mitre.org/tactics/TA0040/"
+ },
+ "technique": [
+ {
+ "id": "T1485",
+ "name": "Data Destruction",
+ "reference": "https://attack.mitre.org/techniques/T1485/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 102
+ },
+ "id": "345889c4-23a8-4bc0-b7ca-756bd17ce83b_102",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269.json b/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269.json
deleted file mode 100644
index ebc5129c577..00000000000
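Review bot: The new `description` field carries a grammatical slip, `determine it's validity`, which should read `determine its validity`; the same text is also in the `_1` copy removed just above, so the slip appears to have been carried forward from the source rule. Since this versioned package file is presumably produced from the upstream rule repository by the release tooling, the wording fix belongs in the source rule rather than in this generated copy, or it will reappear on the next bump. The detection logic itself is unchanged from the previous versions visible here (`event.module == "github"` and `event.action == "repo.destroy"`, with `timestamp_override` on `event.ingested`), so no query change is being suggested.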
--- a/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.", "false_positives": ["IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious."], "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "Accepted Default Telnet Port Connection", "query": "(event.dataset:network_traffic.flow or event.category:(network or network_traffic))\n and event.type:connection and not event.action:(\n flow_dropped or flow_denied or denied or deny or\n flow_terminated or timeout or Reject or network_flow)\n and destination.port:23\n", "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}], "risk_score": 47, "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269", "severity": "medium", "tags": ["Domain: 
Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Lateral Movement", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timeline_id": "300afc76-072d-4261-864d-4149714bf3f1", "timeline_title": "Comprehensive Network Timeline", "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "34fde489-94b0-4500-a76f-b8a157cf9269", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_102.json b/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_102.json
deleted file mode 100644
index f4f929d7f5d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.", "false_positives": ["IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious."], "from": "now-9m", "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Accepted Default Telnet Port Connection", "query": "event.category:(network or network_traffic) and destination.port:23\n and network.direction:(inbound or ingress or outbound or egress)\n and not event.action:(\n flow_dropped or denied or deny or\n flow_terminated or timeout or Reject or network_flow)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}], "risk_score": 47, "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269", "severity": "medium", "tags": ["Elastic", "Host", "Network", "Threat Detection", "Command and Control", "Host", "Lateral 
Movement", "Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timeline_id": "300afc76-072d-4261-864d-4149714bf3f1", "timeline_title": "Comprehensive Network Timeline", "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "34fde489-94b0-4500-a76f-b8a157cf9269_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_103.json b/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_103.json
deleted file mode 100644
index 0f2aedb81c9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.", "false_positives": ["IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious."], "from": "now-9m", "index": ["packetbeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "Accepted Default Telnet Port Connection", "query": "event.dataset: network_traffic.flow and event.type: connection\n and not event.action:(\n flow_dropped or denied or deny or\n flow_terminated or timeout or Reject or network_flow)\n", "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}], "risk_score": 47, "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269", "severity": "medium", "tags": ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Lateral Movement", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": 
"https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timeline_id": "300afc76-072d-4261-864d-4149714bf3f1", "timeline_title": "Comprehensive Network Timeline", "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "34fde489-94b0-4500-a76f-b8a157cf9269_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_104.json b/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_104.json deleted file mode 100644 index a541d7239fd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.", "false_positives": ["IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious."], "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "Accepted Default Telnet Port Connection", "query": "(event.dataset:network_traffic.flow or event.category:(network or network_traffic))\n and event.type:connection and not event.action:(\n flow_dropped or denied or deny or\n flow_terminated or timeout or Reject or network_flow)\n and destination.port:23\n", "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}], "risk_score": 47, "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269", "severity": "medium", "tags": ["Domain: Endpoint", "Use Case: 
Threat Detection", "Tactic: Command and Control", "Tactic: Lateral Movement", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timeline_id": "300afc76-072d-4261-864d-4149714bf3f1", "timeline_title": "Comprehensive Network Timeline", "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "34fde489-94b0-4500-a76f-b8a157cf9269_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_105.json b/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_105.json
deleted file mode 100644
index 7bc34f195f0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/34fde489-94b0-4500-a76f-b8a157cf9269_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic.", "false_positives": ["IoT (Internet of Things) devices and networks may use telnet and can be excluded if desired. Some business work-flows may use Telnet for administration of older devices. These often have a predictable behavior. Telnet activity involving an unusual source or destination may be more suspicious. Telnet activity involving a production server that has no known associated Telnet work-flow or business requirement is often suspicious."], "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "Accepted Default Telnet Port Connection", "query": "(event.dataset:network_traffic.flow or event.category:(network or network_traffic))\n and event.type:connection and not event.action:(\n flow_dropped or flow_denied or denied or deny or\n flow_terminated or timeout or Reject or network_flow)\n and destination.port:23\n", "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}], "risk_score": 47, "rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269", "severity": "medium", "tags": ["Domain: 
Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Lateral Movement", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timeline_id": "300afc76-072d-4261-864d-4149714bf3f1", "timeline_title": "Comprehensive Network Timeline", "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "34fde489-94b0-4500-a76f-b8a157cf9269_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58.json b/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58.json
deleted file mode 100644
index 68b58ae3d83..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to execute a child process from within the context of an Electron application using the child_process Node.js module. Adversaries may abuse this technique to inherit permissions from parent processes.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Execution via Electron Child Process Node.js Module", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:(\"-e\" and const*require*child_process*)\n", "references": ["https://www.matthewslipper.com/2019/09/22/everything-you-wanted-electron-child-process.html", "https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks/", "https://nodejs.org/api/child_process.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 47, "rule_id": "35330ba2-c859-4c98-8b7f-c19159ea0e58", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "35330ba2-c859-4c98-8b7f-c19159ea0e58", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_102.json b/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_102.json
deleted file mode 100644
index 906c075676d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to execute a child process from within the context of an Electron application using the child_process Node.js module. Adversaries may abuse this technique to inherit permissions from parent processes.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Execution via Electron Child Process Node.js Module", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:(\"-e\" and const*require*child_process*)\n", "references": ["https://www.matthewslipper.com/2019/09/22/everything-you-wanted-electron-child-process.html", "https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks/", "https://nodejs.org/api/child_process.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 47, "rule_id": "35330ba2-c859-4c98-8b7f-c19159ea0e58", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion", "Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}], "timestamp_override": "event.ingested", "type": 
"query", "version": 102}, "id": "35330ba2-c859-4c98-8b7f-c19159ea0e58_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_103.json b/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_103.json deleted file mode 100644 index 85786527320..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_103.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to execute a child process from within the context of an Electron application using the child_process Node.js module. Adversaries may abuse this technique to inherit permissions from parent processes.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Execution via Electron Child Process Node.js Module", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:(\"-e\" and const*require*child_process*)\n", "references": ["https://www.matthewslipper.com/2019/09/22/everything-you-wanted-electron-child-process.html", "https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks/", "https://nodejs.org/api/child_process.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 47, "rule_id": "35330ba2-c859-4c98-8b7f-c19159ea0e58", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}], "timestamp_override": 
"event.ingested", "type": "query", "version": 103}, "id": "35330ba2-c859-4c98-8b7f-c19159ea0e58_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_104.json b/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_104.json deleted file mode 100644 index d84005771bf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to execute a child process from within the context of an Electron application using the child_process Node.js module. Adversaries may abuse this technique to inherit permissions from parent processes.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Execution via Electron Child Process Node.js Module", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:(\"-e\" and const*require*child_process*)\n", "references": ["https://www.matthewslipper.com/2019/09/22/everything-you-wanted-electron-child-process.html", "https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks/", "https://nodejs.org/api/child_process.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 47, "rule_id": "35330ba2-c859-4c98-8b7f-c19159ea0e58", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": 
"https://attack.mitre.org/techniques/T1548/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "35330ba2-c859-4c98-8b7f-c19159ea0e58_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_105.json b/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_105.json deleted file mode 100644 index 12fff5c85b2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/35330ba2-c859-4c98-8b7f-c19159ea0e58_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to execute a child process from within the context of an Electron application using the child_process Node.js module. Adversaries may abuse this technique to inherit permissions from parent processes.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Execution via Electron Child Process Node.js Module", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:(\"-e\" and const*require*child_process*)\n", "references": ["https://www.matthewslipper.com/2019/09/22/everything-you-wanted-electron-child-process.html", "https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks/", "https://nodejs.org/api/child_process.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 47, "rule_id": "35330ba2-c859-4c98-8b7f-c19159ea0e58", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "35330ba2-c859-4c98-8b7f-c19159ea0e58_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372.json b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372.json
deleted file mode 100644
index 8f633c1f6db..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Port Forwarding Rule Addition", "note": "## Triage and analysis\n\n### Investigating Port Forwarding Rule Addition\n\nNetwork port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to any other port number, or even to a port on a remote computer.\n\nAttackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box to access previously unreachable systems.\n\nThis rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\` subkeys.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the target host IP address, check the connections originating from the host where the modification occurred, and inspect the credentials used.\n - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Delete the port forwarding rule.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\",\n \"MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n)\n", "references": ["https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", 
"severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 312}, "id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_104.json b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_104.json deleted file mode 100644 index a312c26d7fd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Port Forwarding Rule Addition", "note": "## Triage and analysis\n\n### Investigating Port Forwarding Rule Addition\n\nNetwork port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to any other port number, or even to a port on a remote computer.\n\nAttackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box to access previously unreachable systems.\n\nThis rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\` subkeys.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the target host IP address, check the connections originating from the host where the modification occurred, and inspect the credentials used.\n - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.\n\n### False positive analysis\n\n- This mechanism can be used legitimately.
Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Delete the port forwarding rule.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n)\n", "references": ["https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372_104", "type": "security-rule"} \ 
No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_105.json b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_105.json
deleted file mode 100644
index 05a546fb3cf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Port Forwarding Rule Addition", "note": "## Triage and analysis\n\n### Investigating Port Forwarding Rule Addition\n\nNetwork port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to any other port number, or even to a port on a remote computer.\n\nAttackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box to access previously unreachable systems.\n\nThis rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\` subkeys.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the target host IP address, check the connections originating from the host where the modification occurred, and inspect the credentials used.\n - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.\n\n### False positive analysis\n\n- This mechanism can be used legitimately.
Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Delete the port forwarding rule.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n)\n", "references": ["https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": 
"3535c8bb-3bd5-40f4-ae32-b7cd589d5372_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_106.json b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_106.json deleted file mode 100644 index 56f4f8447a6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_106.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Port Forwarding Rule Addition", "note": "## Triage and analysis\n\n### Investigating Port Forwarding Rule Addition\n\nNetwork port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to any other port number, or even to a port on a remote computer.\n\nAttackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box to access previously unreachable systems.\n\nThis rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\` subkeys.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the target host IP address, check the connections originating from the host where the modification occurred, and inspect the credentials used.\n - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.\n\n### False positive analysis\n\n- This mechanism can be used legitimately.
Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Delete the port forwarding rule.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n)\n", "references": ["https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, 
"id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_107.json b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_107.json deleted file mode 100644 index a648560e50b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_107.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Port Forwarding Rule Addition", "note": "## Triage and analysis\n\n### Investigating Port Forwarding Rule Addition\n\nNetwork port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to any other port number, or even to a port on a remote computer.\n\nAttackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box to access previously unreachable systems.\n\nThis rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\` subkeys.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the target host IP address, check the connections originating from the host where the modification occurred, and inspect the credentials used.\n - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.\n\n### False positive analysis\n\n- This mechanism can be used legitimately.
Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Delete the port forwarding rule.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n)\n", "references": ["https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_108.json b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_108.json deleted file mode 100644 index 919ba7e6eb0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_108.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Port Forwarding Rule Addition", "note": "## Triage and analysis\n\n### Investigating Port Forwarding Rule Addition\n\nNetwork port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to any other port number, or even to a port on a remote computer.\n\nAttackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box to access previously unreachable systems.\n\nThis rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\` subkeys.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the target host IP address, check the connections originating from the host where the modification occurred, and inspect the credentials used.\n - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Delete the port forwarding rule.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n)\n", "references": ["https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": 
"https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_109.json b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_109.json
deleted file mode 100644
index b62b5ad418c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Port Forwarding Rule Addition", "note": "## Triage and analysis\n\n### Investigating Port Forwarding Rule Addition\n\nNetwork port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to any other port number, or even to a port on a remote computer.\n\nAttackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box to access previously unreachable systems.\n\nThis rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\` subkeys.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the target host IP address, check the connections originating from the host where the modification occurred, and inspect the credentials used.\n - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Delete the port forwarding rule.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n)\n", "references": ["https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Defense 
Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_110.json b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_110.json
deleted file mode 100644
index cac2401c5cc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Port Forwarding Rule Addition", "note": "## Triage and analysis\n\n### Investigating Port Forwarding Rule Addition\n\nNetwork port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to any other port number, or even to a port on a remote computer.\n\nAttackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box to access previously unreachable systems.\n\nThis rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\` subkeys.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the target host IP address, check the connections originating from the host where the modification occurred, and inspect the credentials used.\n - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Delete the port forwarding rule.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n)\n", "references": ["https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Defense 
Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_211.json b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_211.json
deleted file mode 100644
index ac4334b6111..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_211.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Port Forwarding Rule Addition", "note": "## Triage and analysis\n\n### Investigating Port Forwarding Rule Addition\n\nNetwork port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to any other port number, or even to a port on a remote computer.\n\nAttackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box to access previously unreachable systems.\n\nThis rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\` subkeys.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the target host IP address, check the connections originating from the host where the modification occurred, and inspect the credentials used.\n - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Delete the port forwarding rule.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\",\n \"MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n)\n", "references": ["https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", 
"severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 211}, "id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372_211", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_312.json b/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_312.json
deleted file mode 100644
index 7a07f8720a9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3535c8bb-3bd5-40f4-ae32-b7cd589d5372_312.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a new port forwarding rule. An adversary may abuse this technique to bypass network segmentation restrictions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Port Forwarding Rule Addition", "note": "## Triage and analysis\n\n### Investigating Port Forwarding Rule Addition\n\nNetwork port forwarding is a mechanism to redirect incoming TCP connections (IPv4 or IPv6) from the local TCP port to any other port number, or even to a port on a remote computer.\n\nAttackers may configure port forwarding rules to bypass network segmentation restrictions, using the host as a jump box to access previously unreachable systems.\n\nThis rule monitors the modifications to the `HKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\` subkeys.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify the target host IP address, check the connections originating from the host where the modification occurred, and inspect the credentials used.\n - Investigate suspicious login activity, such as unauthorized access and logins from outside working hours and unusual locations.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Delete the port forwarding rule.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\",\n \"MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\PortProxy\\\\v4tov4\\\\*\"\n)\n", "references": ["https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", 
"severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 312}, "id": "3535c8bb-3bd5-40f4-ae32-b7cd589d5372_312", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/35a3b253-eea8-46f0-abd3-68bdd47e6e3d.json b/packages/security_detection_engine/kibana/security_rule/35a3b253-eea8-46f0-abd3-68bdd47e6e3d.json
deleted file mode 100644
index 0580256ec6f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/35a3b253-eea8-46f0-abd3-68bdd47e6e3d.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected high bytes of data written to an external device. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities.", "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "ded_high_bytes_written_to_external_device", "name": "Spike in Bytes Sent to an External Device", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/ded", "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration"], "related_integrations": [{"package": "ded", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "35a3b253-eea8-46f0-abd3-68bdd47e6e3d", "setup": "## Setup\n\nThe rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). \n\n### Data Exfiltration Detection Setup\nThe Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
\n\n#### Prerequisite Requirements:\n- Fleet is required for Data Exfiltration Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- File events collected by the Elastic Defend integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1052", "name": "Exfiltration Over Physical Medium", "reference": "https://attack.mitre.org/techniques/T1052/"}]}], "type": "machine_learning", "version": 4}, "id": "35a3b253-eea8-46f0-abd3-68bdd47e6e3d", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/35a3b253-eea8-46f0-abd3-68bdd47e6e3d_1.json b/packages/security_detection_engine/kibana/security_rule/35a3b253-eea8-46f0-abd3-68bdd47e6e3d_1.json
deleted file mode 100644
index 26719cfc6a3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/35a3b253-eea8-46f0-abd3-68bdd47e6e3d_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected high bytes of data written to an external device. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities.", "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "ded_high_bytes_written_to_external_device", "name": "Spike in Bytes Sent to an External Device", "note": "", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/ded"], "related_integrations": [{"package": "ded", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "35a3b253-eea8-46f0-abd3-68bdd47e6e3d", "setup": "The Data Exfiltration Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.", "severity": "low", "tags": ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1052", "name": "Exfiltration Over Physical Medium", "reference": "https://attack.mitre.org/techniques/T1052/"}]}], "type": "machine_learning", "version": 1}, "id": "35a3b253-eea8-46f0-abd3-68bdd47e6e3d_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/35a3b253-eea8-46f0-abd3-68bdd47e6e3d_2.json b/packages/security_detection_engine/kibana/security_rule/35a3b253-eea8-46f0-abd3-68bdd47e6e3d_2.json
deleted file mode 100644
index 9b3742ad5b6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/35a3b253-eea8-46f0-abd3-68bdd47e6e3d_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected high bytes of data written to an external device. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities.", "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "ded_high_bytes_written_to_external_device", "name": "Spike in Bytes Sent to an External Device", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/ded", "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration"], "related_integrations": [{"package": "ded", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "35a3b253-eea8-46f0-abd3-68bdd47e6e3d", "setup": "The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). \n\n### Data Exfiltration Detection Setup\nThe Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
\n\n#### Prerequisite Requirements:\n- Fleet is required for Data Exfiltration Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- File events collected by the Elastic Defend integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.\n- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your file events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1052", "name": "Exfiltration Over Physical Medium", "reference": "https://attack.mitre.org/techniques/T1052/"}]}], "type": "machine_learning", "version": 2}, "id": "35a3b253-eea8-46f0-abd3-68bdd47e6e3d_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/35a3b253-eea8-46f0-abd3-68bdd47e6e3d_3.json b/packages/security_detection_engine/kibana/security_rule/35a3b253-eea8-46f0-abd3-68bdd47e6e3d_3.json
deleted file mode 100644
index a82abe18e15..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/35a3b253-eea8-46f0-abd3-68bdd47e6e3d_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected high bytes of data written to an external device. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities.", "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "ded_high_bytes_written_to_external_device", "name": "Spike in Bytes Sent to an External Device", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/ded", "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration"], "related_integrations": [{"package": "ded", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "35a3b253-eea8-46f0-abd3-68bdd47e6e3d", "setup": "## Setup\n\nThe rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). \n\n### Data Exfiltration Detection Setup\nThe Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
\n\n#### Prerequisite Requirements:\n- Fleet is required for Data Exfiltration Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- File events collected by the Elastic Defend integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.\n- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your file events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1052", "name": "Exfiltration Over Physical Medium", "reference": "https://attack.mitre.org/techniques/T1052/"}]}], "type": "machine_learning", "version": 3}, "id": "35a3b253-eea8-46f0-abd3-68bdd47e6e3d_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc_1.json
deleted file mode 100644
index 091d136ace4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed interactive or non-interactive login attempts within a 30-minute window. Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services via different services such as Exchange, SharePoint, or Teams.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials or have misconfigured authentication settings may lead to false positives."], "from": "now-60m", "interval": "10m", "language": "esql", "license": "Elastic License v2", "name": "Azure Entra Sign-in Brute Force against Microsoft 365 Accounts", "note": "This rule relies on Azure Entra ID sign-in logs, but filters for Microsoft 365 resources.", "query": "from logs-azure.signinlogs*\n// truncate the timestamp to a 30-minute window\n| eval target_time_window = DATE_TRUNC(30 minutes, @timestamp)\n| WHERE\n event.dataset == \"azure.signinlogs\"\n and event.category == \"authentication\"\n and to_lower(azure.signinlogs.properties.resource_display_name) rlike \"(.*)365(.*)\"\n and azure.signinlogs.category in (\"NonInteractiveUserSignInLogs\", \"SignInLogs\")\n and event.outcome != \"success\"\n // for tuning review azure.signinlogs.properties.status.error_code\n // https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes\n// count the number of login sources and failed login attempts\n| stats\n login_source_count = count(source.ip),\n failed_login_count = count(*) by target_time_window, azure.signinlogs.properties.user_principal_name\n\n// filter for users with more than 20 login sources or failed login attempts\n| where (login_source_count >= 20 or failed_login_count >= 20)\n", "references": ["https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying", 
"https://github.com/0xZDH/o365spray"], "risk_score": 47, "rule_id": "35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc", "severity": "medium", "tags": ["Domain: Cloud", "Domain: SaaS", "Data Source: Azure", "Data Source: Entra ID", "Data Source: Entra ID Sign-in", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b.json b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b.json
deleted file mode 100644
index d2e7ed2f2d2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Parent-Child Relationship", "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.parent.name != null and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\", \"svchost.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n 
(process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\", \"ngentask.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\", \"conhost.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n )\n", "references": ["https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png", "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index 
(such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.012", "name": "Process Hollowing", "reference": "https://attack.mitre.org/techniques/T1055/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "35df0dd8-092d-4a83-88c1-5151a804f31b", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_104.json b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_104.json
deleted file mode 100644
index deb8d3bdc3e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Parent-Child Relationship", "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.parent.name != null and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not 
process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n )\n", "references": 
["https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png", "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.012", "name": "Process Hollowing", "reference": "https://attack.mitre.org/techniques/T1055/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "35df0dd8-092d-4a83-88c1-5151a804f31b_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_105.json b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_105.json
deleted file mode 100644
index e4ee042b344..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Parent-Child Relationship", "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.parent.name != null and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"taskhost.exe\" and not 
process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n )\n", "references": ["https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png", "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 
8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.012", "name": "Process Hollowing", "reference": "https://attack.mitre.org/techniques/T1055/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "35df0dd8-092d-4a83-88c1-5151a804f31b_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_106.json b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_106.json
deleted file mode 100644
index 4dae380408f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Parent-Child Relationship", "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.parent.name != null and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"taskhost.exe\" and not 
process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n )\n", "references": ["https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png", "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 
8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.012", "name": "Process Hollowing", "reference": "https://attack.mitre.org/techniques/T1055/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "35df0dd8-092d-4a83-88c1-5151a804f31b_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_107.json b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_107.json
deleted file mode 100644
index e5d5a7e0654..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Parent-Child Relationship", "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.parent.name != null and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"taskhost.exe\" and not 
process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n )\n", "references": ["https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png", "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 
8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.012", "name": "Process Hollowing", "reference": "https://attack.mitre.org/techniques/T1055/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "35df0dd8-092d-4a83-88c1-5151a804f31b_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_108.json b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_108.json deleted file mode 100644 index 0743d9ed916..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Parent-Child Relationship", "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.parent.name != null and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"taskhost.exe\" and not 
process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n )\n", "references": ["https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png", "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added 
until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.012", "name": "Process Hollowing", "reference": "https://attack.mitre.org/techniques/T1055/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "35df0dd8-092d-4a83-88c1-5151a804f31b_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_109.json b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_109.json deleted file mode 100644 index fe27e4719b8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Parent-Child Relationship", "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.parent.name != null and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\", \"svchost.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n 
(process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\", \"ngentask.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\", \"conhost.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n )\n", "references": ["https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png", "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as 
beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.012", "name": "Process Hollowing", "reference": "https://attack.mitre.org/techniques/T1055/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "35df0dd8-092d-4a83-88c1-5151a804f31b_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_110.json b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_110.json deleted file mode 100644 index 9b975fd79f9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Parent-Child Relationship", "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.parent.name != null and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\", \"svchost.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n 
(process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\", \"ngentask.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\", \"conhost.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n )\n", "references": ["https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png", "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index 
(such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.012", "name": "Process Hollowing", "reference": "https://attack.mitre.org/techniques/T1055/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "35df0dd8-092d-4a83-88c1-5151a804f31b_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_111.json b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_111.json deleted file mode 100644 index f5d5078beae..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Parent-Child Relationship", "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.parent.name != null and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\", \"svchost.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n 
(process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\", \"ngentask.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\", \"conhost.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n )\n", "references": ["https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png", "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index 
(such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.012", "name": "Process Hollowing", "reference": "https://attack.mitre.org/techniques/T1055/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "35df0dd8-092d-4a83-88c1-5151a804f31b_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_112.json b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_112.json deleted file mode 100644 index 5be08f772c7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_112.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Parent-Child Relationship", "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.parent.name != null and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\", \"svchost.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n 
(process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\", \"ngentask.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\", \"conhost.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n )\n", "references": ["https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png", "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index 
(such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.012", "name": "Process Hollowing", "reference": "https://attack.mitre.org/techniques/T1055/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "35df0dd8-092d-4a83-88c1-5151a804f31b_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_113.json b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_113.json deleted file mode 100644 index 8e2039e63cf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_113.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Parent-Child Relationship", "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.parent.name != null and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\", \"svchost.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n 
(process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\", \"ngentask.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\", \"conhost.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n )\n", "references": ["https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png", "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/", "https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": 
"35df0dd8-092d-4a83-88c1-5151a804f31b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.012", "name": "Process Hollowing", "reference": "https://attack.mitre.org/techniques/T1055/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "35df0dd8-092d-4a83-88c1-5151a804f31b_113", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_313.json b/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_313.json deleted file mode 100644 index 04d24aaab31..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/35df0dd8-092d-4a83-88c1-5151a804f31b_313.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Parent-Child Relationship", "note": "## Triage and analysis\n\n### Investigating Unusual Parent-Child Relationship\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is parent-child relationships. These relationships can be used to baseline the typical behavior of the system and then alert on occurrences that don't comply with the baseline.\n\nThis rule uses this information to spot suspicious parent and child processes.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.parent.name != null and\n (\n /* suspicious parent processes */\n (process.name:\"autochk.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"fontdrvhost.exe\", \"dwm.exe\") and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:(\"consent.exe\", \"RuntimeBroker.exe\", \"TiWorker.exe\") and not process.parent.name:\"svchost.exe\") or\n (process.name:\"SearchIndexer.exe\" and not process.parent.name:\"services.exe\") or\n (process.name:\"SearchProtocolHost.exe\" and not process.parent.name:(\"SearchIndexer.exe\", \"dllhost.exe\")) or\n (process.name:\"dllhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"smss.exe\" and not process.parent.name:(\"System\", \"smss.exe\")) or\n (process.name:\"csrss.exe\" and not process.parent.name:(\"smss.exe\", \"svchost.exe\")) or\n (process.name:\"wininit.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:\"winlogon.exe\" and not process.parent.name:\"smss.exe\") or\n (process.name:(\"lsass.exe\", \"LsaIso.exe\") and not process.parent.name:\"wininit.exe\") or\n (process.name:\"LogonUI.exe\" and not process.parent.name:(\"wininit.exe\", \"winlogon.exe\")) or\n (process.name:\"services.exe\" and not process.parent.name:\"wininit.exe\") or\n (process.name:\"svchost.exe\" and not process.parent.name:(\"MsMpEng.exe\", \"services.exe\", \"svchost.exe\")) or\n (process.name:\"spoolsv.exe\" and not process.parent.name:\"services.exe\") or\n 
(process.name:\"taskhost.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\", \"ngentask.exe\")) or\n (process.name:\"taskhostw.exe\" and not process.parent.name:(\"services.exe\", \"svchost.exe\")) or\n (process.name:\"userinit.exe\" and not process.parent.name:(\"dwm.exe\", \"winlogon.exe\")) or\n (process.name:(\"wmiprvse.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") and not process.parent.name:\"svchost.exe\") or\n /* suspicious child processes */\n (process.parent.name:(\"SearchProtocolHost.exe\", \"taskhost.exe\", \"csrss.exe\") and not process.name:(\"werfault.exe\", \"wermgr.exe\", \"WerFaultSecure.exe\", \"conhost.exe\")) or\n (process.parent.name:\"autochk.exe\" and not process.name:(\"chkdsk.exe\", \"doskey.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"smss.exe\" and not process.name:(\"autochk.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"winlogon.exe\", \"setupcl.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"wermgr.exe\" and not process.name:(\"WerFaultSecure.exe\", \"wermgr.exe\", \"WerFault.exe\")) or\n (process.parent.name:\"conhost.exe\" and not process.name:(\"mscorsvw.exe\", \"wermgr.exe\", \"WerFault.exe\", \"WerFaultSecure.exe\"))\n )\n", "references": ["https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/Windows%20Processes%20TH.map.png", "https://www.andreafortuna.org/2017/06/15/standard-windows-processes-a-brief-reference/", "https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, 
{"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "35df0dd8-092d-4a83-88c1-5151a804f31b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.012", "name": "Process Hollowing", "reference": "https://attack.mitre.org/techniques/T1055/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 313}, "id": "35df0dd8-092d-4a83-88c1-5151a804f31b_313", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d.json b/packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d.json deleted file mode 100644 index abb491c5237..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected a rare destination country name in the network logs. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from a server in a country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.", "false_positives": ["Business workflows that occur very occasionally, and involve a business relationship with an organization in a country that does not routinely appear in network events, can trigger this alert. A new business workflow with an organization in a country with which no workflows previously existed may trigger this alert - although the model will learn that the new destination country is no longer anomalous as the activity becomes ongoing. 
Business travelers who roam to many countries for brief periods may trigger this alert."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_destination_country", "name": "Network Traffic to Rare Destination Country", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "35f86980-1fb1-4dff-b311-3be941549c8d", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Network Packet Capture\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Network Packet Capture Integration Setup\nThe Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment \u2014 ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"network_traffic\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cNetwork Packet Capture\u201d and select the integration to see more details about it.\n- Click \u201cAdd Network Packet Capture\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cnetwork_traffic\u201d to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).\n", "severity": "low", "tags": ["Use Case: Threat Detection", 
"Rule Type: ML", "Rule Type: Machine Learning"], "type": "machine_learning", "version": 104}, "id": "35f86980-1fb1-4dff-b311-3be941549c8d", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d_101.json b/packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d_101.json deleted file mode 100644 index 0e3385094a2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected a rare destination country name in the network logs. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from a server in a country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.", "false_positives": ["Business workflows that occur very occasionally, and involve a business relationship with an organization in a country that does not routinely appear in network events, can trigger this alert. A new business workflow with an organization in a country with which no workflows previously existed may trigger this alert - although the model will learn that the new destination country is no longer anomalous as the activity becomes ongoing. Business travelers who roam to many countries for brief periods may trigger this alert."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_destination_country", "name": "Network Traffic to Rare Destination Country", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "35f86980-1fb1-4dff-b311-3be941549c8d", "severity": "low", "tags": ["Elastic", "Network", "Threat Detection", "ML", "Machine Learning"], "type": "machine_learning", "version": 101}, "id": "35f86980-1fb1-4dff-b311-3be941549c8d_101", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d_102.json b/packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d_102.json
deleted file mode 100644
index 3b6f8d905ba..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected a rare destination country name in the network logs. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from a server in a country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.", "false_positives": ["Business workflows that occur very occasionally, and involve a business relationship with an organization in a country that does not routinely appear in network events, can trigger this alert. A new business workflow with an organization in a country with which no workflows previously existed may trigger this alert - although the model will learn that the new destination country is no longer anomalous as the activity becomes ongoing. Business travelers who roam to many countries for brief periods may trigger this alert."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_destination_country", "name": "Network Traffic to Rare Destination Country", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "35f86980-1fb1-4dff-b311-3be941549c8d", "severity": "low", "tags": ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"], "type": "machine_learning", "version": 102}, "id": "35f86980-1fb1-4dff-b311-3be941549c8d_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d_103.json b/packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d_103.json
deleted file mode 100644
index e56bba95cd5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/35f86980-1fb1-4dff-b311-3be941549c8d_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected a rare destination country name in the network logs. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from a server in a country which does not normally appear in network traffic or business work-flows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.", "false_positives": ["Business workflows that occur very occasionally, and involve a business relationship with an organization in a country that does not routinely appear in network events, can trigger this alert. A new business workflow with an organization in a country with which no workflows previously existed may trigger this alert - although the model will learn that the new destination country is no longer anomalous as the activity becomes ongoing. Business travelers who roam to many countries for brief periods may trigger this alert."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_destination_country", "name": "Network Traffic to Rare Destination Country", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "35f86980-1fb1-4dff-b311-3be941549c8d", "severity": "low", "tags": ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"], "type": "machine_learning", "version": 103}, "id": "35f86980-1fb1-4dff-b311-3be941549c8d_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce.json
deleted file mode 100644
index 37ca286c543..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a new process starting from a process ID (PID), lock or reboot file within the temporary file storage paradigm (tmpfs) directory /var/run directory. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.", "false_positives": ["False-Positives (FP) should be at a minimum with this detection as PID files are meant to hold process IDs, not inherently be executables that spawn processes."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Started from Process ID (PID) File", "note": "## Triage and analysis\n\n### Investigating Process Started from Process ID (PID) File\nDetection alerts from this rule indicate a process spawned from an executable masqueraded as a legitimate PID file which is very unusual and should not occur. 
Here are some possible avenues of investigation:\n- Examine parent and child process relationships of the new process to determine if other processes are running.\n- Examine the /var/run directory using Osquery to determine other potential PID files with unsually large file sizes, indicative of it being an executable: \"SELECT f.size, f.uid, f.type, f.path from file f WHERE path like '/var/run/%%';\"\n- Examine the reputation of the SHA256 hash from the PID file in a database like VirusTotal to identify additional pivots and artifacts for investigation.\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and user.id == \"0\" and\n process.executable regex~ \"\"\"/var/run/\\w+\\.(pid|lock|reboot)\"\"\"\n", "references": ["https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "3688577a-d196-11ec-90b0-f661ea17fbce", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "3688577a-d196-11ec-90b0-f661ea17fbce", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_104.json b/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_104.json deleted file mode 100644 index 82f0eba8cc3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a new process starting from a process ID (PID), lock or reboot file within the temporary file storage paradigm (tmpfs) directory /var/run directory. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.", "false_positives": ["False-Positives (FP) should be at a minimum with this detection as PID files are meant to hold process IDs, not inherently be executables that spawn processes."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Started from Process ID (PID) File", "note": "## Triage and analysis\n\n### Investigating Process Started from Process ID (PID) File\nDetection alerts from this rule indicate a process spawned from an executable masqueraded as a legitimate PID file which is very unusual and should not occur. 
Here are some possible avenues of investigation:\n- Examine parent and child process relationships of the new process to determine if other processes are running.\n- Examine the /var/run directory using Osquery to determine other potential PID files with unsually large file sizes, indicative of it being an executable: \"SELECT f.size, f.uid, f.type, f.path from file f WHERE path like '/var/run/%%';\"\n- Examine the reputation of the SHA256 hash from the PID file in a database like VirusTotal to identify additional pivots and artifacts for investigation.", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and user.id == \"0\" and\n process.executable regex~ \"\"\"/var/run/\\w+\\.(pid|lock|reboot)\"\"\"\n", "references": ["https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "3688577a-d196-11ec-90b0-f661ea17fbce", "severity": "high", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "3688577a-d196-11ec-90b0-f661ea17fbce_104", "type": "security-rule"} \ 
No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_105.json
deleted file mode 100644
index 907b697b03c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a new process starting from a process ID (PID), lock or reboot file within the temporary file storage paradigm (tmpfs) directory /var/run directory. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.", "false_positives": ["False-Positives (FP) should be at a minimum with this detection as PID files are meant to hold process IDs, not inherently be executables that spawn processes."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Started from Process ID (PID) File", "note": "## Triage and analysis\n\n### Investigating Process Started from Process ID (PID) File\nDetection alerts from this rule indicate a process spawned from an executable masqueraded as a legitimate PID file which is very unusual and should not occur. 
Here are some possible avenues of investigation:\n- Examine parent and child process relationships of the new process to determine if other processes are running.\n- Examine the /var/run directory using Osquery to determine other potential PID files with unsually large file sizes, indicative of it being an executable: \"SELECT f.size, f.uid, f.type, f.path from file f WHERE path like '/var/run/%%';\"\n- Examine the reputation of the SHA256 hash from the PID file in a database like VirusTotal to identify additional pivots and artifacts for investigation.", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and user.id == \"0\" and\n process.executable regex~ \"\"\"/var/run/\\w+\\.(pid|lock|reboot)\"\"\"\n", "references": ["https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "3688577a-d196-11ec-90b0-f661ea17fbce", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": 
"3688577a-d196-11ec-90b0-f661ea17fbce_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_106.json b/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_106.json deleted file mode 100644 index 60ffc58e65f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a new process starting from a process ID (PID), lock or reboot file within the temporary file storage paradigm (tmpfs) directory /var/run directory. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.", "false_positives": ["False-Positives (FP) should be at a minimum with this detection as PID files are meant to hold process IDs, not inherently be executables that spawn processes."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Started from Process ID (PID) File", "note": "## Triage and analysis\n\n### Investigating Process Started from Process ID (PID) File\nDetection alerts from this rule indicate a process spawned from an executable masqueraded as a legitimate PID file which is very unusual and should not occur. 
Here are some possible avenues of investigation:\n- Examine parent and child process relationships of the new process to determine if other processes are running.\n- Examine the /var/run directory using Osquery to determine other potential PID files with unsually large file sizes, indicative of it being an executable: \"SELECT f.size, f.uid, f.type, f.path from file f WHERE path like '/var/run/%%';\"\n- Examine the reputation of the SHA256 hash from the PID file in a database like VirusTotal to identify additional pivots and artifacts for investigation.", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and user.id == \"0\" and\n process.executable regex~ \"\"\"/var/run/\\w+\\.(pid|lock|reboot)\"\"\"\n", "references": ["https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "3688577a-d196-11ec-90b0-f661ea17fbce", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, 
"id": "3688577a-d196-11ec-90b0-f661ea17fbce_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_107.json b/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_107.json deleted file mode 100644 index 49b853be145..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a new process starting from a process ID (PID), lock or reboot file within the temporary file storage paradigm (tmpfs) directory /var/run directory. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.", "false_positives": ["False-Positives (FP) should be at a minimum with this detection as PID files are meant to hold process IDs, not inherently be executables that spawn processes."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Started from Process ID (PID) File", "note": "## Triage and analysis\n\n### Investigating Process Started from Process ID (PID) File\nDetection alerts from this rule indicate a process spawned from an executable masqueraded as a legitimate PID file which is very unusual and should not occur. 
Here are some possible avenues of investigation:\n- Examine parent and child process relationships of the new process to determine if other processes are running.\n- Examine the /var/run directory using Osquery to determine other potential PID files with unsually large file sizes, indicative of it being an executable: \"SELECT f.size, f.uid, f.type, f.path from file f WHERE path like '/var/run/%%';\"\n- Examine the reputation of the SHA256 hash from the PID file in a database like VirusTotal to identify additional pivots and artifacts for investigation.\n\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and user.id == \"0\" and\n process.executable regex~ \"\"\"/var/run/\\w+\\.(pid|lock|reboot)\"\"\"\n", "references": ["https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "3688577a-d196-11ec-90b0-f661ea17fbce", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "3688577a-d196-11ec-90b0-f661ea17fbce_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_108.json b/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_108.json deleted file mode 100644 index 7f8a98ecb09..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3688577a-d196-11ec-90b0-f661ea17fbce_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a new process starting from a process ID (PID), lock or reboot file within the temporary file storage paradigm (tmpfs) directory /var/run directory. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.", "false_positives": ["False-Positives (FP) should be at a minimum with this detection as PID files are meant to hold process IDs, not inherently be executables that spawn processes."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Started from Process ID (PID) File", "note": "## Triage and analysis\n\n### Investigating Process Started from Process ID (PID) File\nDetection alerts from this rule indicate a process spawned from an executable masqueraded as a legitimate PID file which is very unusual and should not occur. 
Here are some possible avenues of investigation:\n- Examine parent and child process relationships of the new process to determine if other processes are running.\n- Examine the /var/run directory using Osquery to determine other potential PID files with unsually large file sizes, indicative of it being an executable: \"SELECT f.size, f.uid, f.type, f.path from file f WHERE path like '/var/run/%%';\"\n- Examine the reputation of the SHA256 hash from the PID file in a database like VirusTotal to identify additional pivots and artifacts for investigation.\n\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and user.id == \"0\" and\n process.executable regex~ \"\"\"/var/run/\\w+\\.(pid|lock|reboot)\"\"\"\n", "references": ["https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "3688577a-d196-11ec-90b0-f661ea17fbce", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "3688577a-d196-11ec-90b0-f661ea17fbce_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317.json b/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317.json deleted file mode 100644 index e379cc9e271..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious ImagePath Service Creation", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.value : \"ImagePath\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and\n /* add suspicious registry ImagePath values here */\n registry.data.strings : (\"%COMSPEC%*\", \"*\\\\.\\\\pipe\\\\*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 73, "rule_id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": 
"https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_102.json b/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_102.json
deleted file mode 100644
index 9a8b41605d8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious ImagePath Service Creation", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and\n /* add suspicious registry ImagePath values here */\n registry.data.strings : (\"%COMSPEC%*\", \"*\\\\.\\\\pipe\\\\*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_103.json b/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_103.json
deleted file mode 100644
index 47b4220e337..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious ImagePath Service Creation", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and\n /* add suspicious registry ImagePath values here */\n registry.data.strings : (\"%COMSPEC%*\", \"*\\\\.\\\\pipe\\\\*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_104.json b/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_104.json
deleted file mode 100644
index c20636841b9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious ImagePath Service Creation", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and\n /* add suspicious registry ImagePath values here */\n registry.data.strings : (\"%COMSPEC%*\", \"*\\\\.\\\\pipe\\\\*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_105.json b/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_105.json
deleted file mode 100644
index 38a1b170d61..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious ImagePath Service Creation", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and\n /* add suspicious registry ImagePath values here */\n registry.data.strings : (\"%COMSPEC%*\", \"*\\\\.\\\\pipe\\\\*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": 
"https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_106.json b/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_106.json
deleted file mode 100644
index 011a2b66a5e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious ImagePath Service Creation", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and\n /* add suspicious registry ImagePath values here */\n registry.data.strings : (\"%COMSPEC%*\", \"*\\\\.\\\\pipe\\\\*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", 
"name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_107.json b/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_107.json
deleted file mode 100644
index f29285b2dac..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious ImagePath Service Creation", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and\n /* add suspicious registry ImagePath values here */\n registry.data.strings : (\"%COMSPEC%*\", \"*\\\\.\\\\pipe\\\\*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": 
"T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_108.json b/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_108.json
deleted file mode 100644
index 985eb8fb8a7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious ImagePath Service Creation", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.value : \"ImagePath\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and\n /* add suspicious registry ImagePath values here */\n registry.data.strings : (\"%COMSPEC%*\", \"*\\\\.\\\\pipe\\\\*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 73, "rule_id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": 
"https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_109.json b/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_109.json
deleted file mode 100644
index 6215eefaaaf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/36a8e048-d888-4f61-a8b9-0f9e2e40f317_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a suspicious ImagePath value. This could be an indication of an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious ImagePath Service Creation", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.value : \"ImagePath\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and\n /* add suspicious registry ImagePath values here */\n registry.data.strings : (\"%COMSPEC%*\", \"*\\\\.\\\\pipe\\\\*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 73, "rule_id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": 
"https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "36a8e048-d888-4f61-a8b9-0f9e2e40f317_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/36c48a0c-c63a-4cbc-aee1-8cac87db31a9.json b/packages/security_detection_engine/kibana/security_rule/36c48a0c-c63a-4cbc-aee1-8cac87db31a9.json
deleted file mode 100644
index 19c9f295041..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/36c48a0c-c63a-4cbc-aee1-8cac87db31a9.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected unusually high number of process arguments in an RDP session. Executing sophisticated attacks such as lateral movement can involve the use of complex commands, obfuscation mechanisms, redirection and piping, which in turn increases the number of arguments in a command.", "from": "now-12h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_mean_rdp_process_args", "name": "High Mean of Process Arguments in an RDP Session", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "36c48a0c-c63a-4cbc-aee1-8cac87db31a9", "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 4}, "id": "36c48a0c-c63a-4cbc-aee1-8cac87db31a9", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/36c48a0c-c63a-4cbc-aee1-8cac87db31a9_1.json b/packages/security_detection_engine/kibana/security_rule/36c48a0c-c63a-4cbc-aee1-8cac87db31a9_1.json
deleted file mode 100644
index 5944bc5bba0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/36c48a0c-c63a-4cbc-aee1-8cac87db31a9_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected unusually high number of process arguments in an RDP session. Executing sophisticated attacks such as lateral movement can involve the use of complex commands, obfuscation mechanisms, redirection and piping, which in turn increases the number of arguments in a command.", "from": "now-12h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_mean_rdp_process_args", "name": "High Mean of Process Arguments in an RDP Session", "note": "", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "36c48a0c-c63a-4cbc-aee1-8cac87db31a9", "setup": "The Lateral Movement Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 1}, "id": "36c48a0c-c63a-4cbc-aee1-8cac87db31a9_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/36c48a0c-c63a-4cbc-aee1-8cac87db31a9_2.json b/packages/security_detection_engine/kibana/security_rule/36c48a0c-c63a-4cbc-aee1-8cac87db31a9_2.json
deleted file mode 100644
index 4be53782405..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/36c48a0c-c63a-4cbc-aee1-8cac87db31a9_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected unusually high number of process arguments in an RDP session. Executing sophisticated attacks such as lateral movement can involve the use of complex commands, obfuscation mechanisms, redirection and piping, which in turn increases the number of arguments in a command.", "from": "now-12h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_mean_rdp_process_args", "name": "High Mean of Process Arguments in an RDP Session", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "36c48a0c-c63a-4cbc-aee1-8cac87db31a9", "setup": "The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". 
Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 2}, "id": "36c48a0c-c63a-4cbc-aee1-8cac87db31a9_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/36c48a0c-c63a-4cbc-aee1-8cac87db31a9_3.json b/packages/security_detection_engine/kibana/security_rule/36c48a0c-c63a-4cbc-aee1-8cac87db31a9_3.json
deleted file mode 100644
index 89214bea601..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/36c48a0c-c63a-4cbc-aee1-8cac87db31a9_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected unusually high number of process arguments in an RDP session. Executing sophisticated attacks such as lateral movement can involve the use of complex commands, obfuscation mechanisms, redirection and piping, which in turn increases the number of arguments in a command.", "from": "now-12h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_mean_rdp_process_args", "name": "High Mean of Process Arguments in an RDP Session", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "36c48a0c-c63a-4cbc-aee1-8cac87db31a9", "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". 
Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 3}, "id": "36c48a0c-c63a-4cbc-aee1-8cac87db31a9_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128.json b/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128.json deleted file mode 100644 index 81d805994d9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the potential edit of a suspicious file. In Linux, when editing a file through an editor, a temporary .swp file is created. By monitoring for the creation of this .swp file, we can detect potential file edits of suspicious files. The execution of this rule is not a clear sign of the file being edited, as just opening the file through an editor will trigger this event. Attackers may alter any of the files added in this rule to establish persistence, escalate privileges or perform reconnaisance on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 1, "name": "Potential Suspicious File Edit", "query": "file where host.os.type == \"linux\" and event.action in (\"creation\", \"file_create_event\") and file.extension == \"swp\" and\nfile.path : (\n /* common interesting files and locations */\n \"/etc/.shadow.swp\", \"/etc/.shadow-.swp\", \"/etc/.shadow~.swp\", \"/etc/.gshadow.swp\", \"/etc/.gshadow-.swp\",\n \"/etc/.passwd.swp\", \"/etc/.pwd.db.swp\", \"/etc/.master.passwd.swp\", \"/etc/.spwd.db.swp\", \"/etc/security/.opasswd.swp\",\n \"/etc/.environment.swp\", \"/etc/.profile.swp\", \"/etc/sudoers.d/.*.swp\", \"/etc/ld.so.conf.d/.*.swp\",\n \"/etc/init.d/.*.swp\", \"/etc/.rc.local.swp\", \"/etc/rc*.d/.*.swp\", \"/dev/shm/.*.swp\", \"/etc/update-motd.d/.*.swp\",\n \"/usr/lib/update-notifier/.*.swp\",\n\n /* service, timer, want, socket and lock files */\n \"/etc/systemd/system/.*.swp\", \"/usr/local/lib/systemd/system/.*.swp\", \"/lib/systemd/system/.*.swp\",\n \"/usr/lib/systemd/system/.*.swp\",\"/home/*/.config/systemd/user/.*.swp\", \"/run/.*.swp\", \"/var/run/.*.swp/\",\n\n /* profile and shell configuration files */ \n \"/home/*.profile.swp\", \"/home/*.bash_profile.swp\", \"/home/*.bash_login.swp\", \"/home/*.bashrc.swp\", \"/home/*.bash_logout.swp\",\n \"/home/*.zshrc.swp\", 
\"/home/*.zlogin.swp\", \"/home/*.tcshrc.swp\", \"/home/*.kshrc.swp\", \"/home/*.config.fish.swp\",\n \"/root/*.profile.swp\", \"/root/*.bash_profile.swp\", \"/root/*.bash_login.swp\", \"/root/*.bashrc.swp\", \"/root/*.bash_logout.swp\",\n \"/root/*.zshrc.swp\", \"/root/*.zlogin.swp\", \"/root/*.tcshrc.swp\", \"/root/*.kshrc.swp\", \"/root/*.config.fish.swp\"\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "3728c08d-9b70-456b-b6b8-007c7d246128", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": 
"https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "3728c08d-9b70-456b-b6b8-007c7d246128", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_1.json b/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_1.json deleted file mode 100644 index 34a4a908dc1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors for the potential edit of a suspicious file. In Linux, when editing a file through an editor, a temporary .swp file is created. By monitoring for the creation of this .swp file, we can detect potential file edits of suspicious files. The execution of this rule is not a clear sign of the file being edited, as just opening the file through an editor will trigger this event. Attackers may alter any of the files added in this rule to establish persistence, escalate privileges or perform reconnaisance on the system.", "from": "now-119m", "index": ["logs-endpoint.events.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Suspicious File Edit", "query": "file where event.action in (\"creation\", \"file_create_event\") and file.extension == \"swp\" and \nfile.path : (\n /* common interesting files and locations */\n \"/etc/.shadow.swp\", \"/etc/.shadow-.swp\", \"/etc/.shadow~.swp\", \"/etc/.gshadow.swp\", \"/etc/.gshadow-.swp\",\n \"/etc/.passwd.swp\", \"/etc/.pwd.db.swp\", \"/etc/.master.passwd.swp\", \"/etc/.spwd.db.swp\", \"/etc/security/.opasswd.swp\",\n \"/etc/.hosts.swp\", \"/etc/.environment.swp\", \"/etc/.profile.swp\", \"/etc/sudoers.d/.*.swp\",\n \"/etc/ld.so.conf.d/.*.swp\", \"/etc/init.d/.*.swp\", \"/etc/.rc.local.swp\", \"/etc/rc*.d/.*.swp\",\n \"/dev/shm/.*.swp\", \"/etc/update-motd.d/.*.swp\", \"/usr/lib/update-notifier/.*.swp\",\n\n /* service, timer, want, socket and lock files */\n \"/etc/systemd/system/.*.swp\", \"/usr/local/lib/systemd/system/.*.swp\", \"/lib/systemd/system/.*.swp\",\n \"/usr/lib/systemd/system/.*.swp\",\"/home/*/.config/systemd/user/.*.swp\", \"/run/.*.swp\", \"/var/run/.*.swp/\",\n\n /* profile and shell configuration files */ \n \"/home/*.profile.swp\", \"/home/*.bash_profile.swp\", \"/home/*.bash_login.swp\", \"/home/*.bashrc.swp\", 
\"/home/*.bash_logout.swp\",\n \"/home/*.zshrc.swp\", \"/home/*.zlogin.swp\", \"/home/*.tcshrc.swp\", \"/home/*.kshrc.swp\", \"/home/*.config.fish.swp\",\n \"/root/*.profile.swp\", \"/root/*.bash_profile.swp\", \"/root/*.bash_login.swp\", \"/root/*.bashrc.swp\", \"/root/*.bash_logout.swp\",\n \"/root/*.zshrc.swp\", \"/root/*.zlogin.swp\", \"/root/*.tcshrc.swp\", \"/root/*.kshrc.swp\", \"/root/*.config.fish.swp\"\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}], "risk_score": 21, "rule_id": "3728c08d-9b70-456b-b6b8-007c7d246128", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": 
"https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "3728c08d-9b70-456b-b6b8-007c7d246128_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_2.json b/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_2.json deleted file mode 100644 index f5389f11767..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors for the potential edit of a suspicious file. In Linux, when editing a file through an editor, a temporary .swp file is created. By monitoring for the creation of this .swp file, we can detect potential file edits of suspicious files. The execution of this rule is not a clear sign of the file being edited, as just opening the file through an editor will trigger this event. Attackers may alter any of the files added in this rule to establish persistence, escalate privileges or perform reconnaisance on the system.", "from": "now-119m", "index": ["logs-endpoint.events.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Suspicious File Edit", "query": "file where event.action in (\"creation\", \"file_create_event\") and file.extension == \"swp\" and \nfile.path : (\n /* common interesting files and locations */\n \"/etc/.shadow.swp\", \"/etc/.shadow-.swp\", \"/etc/.shadow~.swp\", \"/etc/.gshadow.swp\", \"/etc/.gshadow-.swp\",\n \"/etc/.passwd.swp\", \"/etc/.pwd.db.swp\", \"/etc/.master.passwd.swp\", \"/etc/.spwd.db.swp\", \"/etc/security/.opasswd.swp\",\n \"/etc/.hosts.swp\", \"/etc/.environment.swp\", \"/etc/.profile.swp\", \"/etc/sudoers.d/.*.swp\",\n \"/etc/ld.so.conf.d/.*.swp\", \"/etc/init.d/.*.swp\", \"/etc/.rc.local.swp\", \"/etc/rc*.d/.*.swp\",\n \"/dev/shm/.*.swp\", \"/etc/update-motd.d/.*.swp\", \"/usr/lib/update-notifier/.*.swp\",\n\n /* service, timer, want, socket and lock files */\n \"/etc/systemd/system/.*.swp\", \"/usr/local/lib/systemd/system/.*.swp\", \"/lib/systemd/system/.*.swp\",\n \"/usr/lib/systemd/system/.*.swp\",\"/home/*/.config/systemd/user/.*.swp\", \"/run/.*.swp\", \"/var/run/.*.swp/\",\n\n /* profile and shell configuration files */ \n \"/home/*.profile.swp\", \"/home/*.bash_profile.swp\", \"/home/*.bash_login.swp\", \"/home/*.bashrc.swp\", 
\"/home/*.bash_logout.swp\",\n \"/home/*.zshrc.swp\", \"/home/*.zlogin.swp\", \"/home/*.tcshrc.swp\", \"/home/*.kshrc.swp\", \"/home/*.config.fish.swp\",\n \"/root/*.profile.swp\", \"/root/*.bash_profile.swp\", \"/root/*.bash_login.swp\", \"/root/*.bashrc.swp\", \"/root/*.bash_logout.swp\",\n \"/root/*.zshrc.swp\", \"/root/*.zlogin.swp\", \"/root/*.tcshrc.swp\", \"/root/*.kshrc.swp\", \"/root/*.config.fish.swp\"\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}], "risk_score": 21, "rule_id": "3728c08d-9b70-456b-b6b8-007c7d246128", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": 
"https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "3728c08d-9b70-456b-b6b8-007c7d246128_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_3.json b/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_3.json deleted file mode 100644 index 2b43b9ae5ba..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors for the potential edit of a suspicious file. In Linux, when editing a file through an editor, a temporary .swp file is created. By monitoring for the creation of this .swp file, we can detect potential file edits of suspicious files. The execution of this rule is not a clear sign of the file being edited, as just opening the file through an editor will trigger this event. Attackers may alter any of the files added in this rule to establish persistence, escalate privileges or perform reconnaisance on the system.", "from": "now-119m", "index": ["logs-endpoint.events.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "max_signals": 1, "name": "Potential Suspicious File Edit", "query": "file where event.action in (\"creation\", \"file_create_event\") and file.extension == \"swp\" and \nfile.path : (\n /* common interesting files and locations */\n \"/etc/.shadow.swp\", \"/etc/.shadow-.swp\", \"/etc/.shadow~.swp\", \"/etc/.gshadow.swp\", \"/etc/.gshadow-.swp\",\n \"/etc/.passwd.swp\", \"/etc/.pwd.db.swp\", \"/etc/.master.passwd.swp\", \"/etc/.spwd.db.swp\", \"/etc/security/.opasswd.swp\",\n \"/etc/.environment.swp\", \"/etc/.profile.swp\", \"/etc/sudoers.d/.*.swp\", \"/etc/ld.so.conf.d/.*.swp\",\n \"/etc/init.d/.*.swp\", \"/etc/.rc.local.swp\", \"/etc/rc*.d/.*.swp\", \"/dev/shm/.*.swp\", \"/etc/update-motd.d/.*.swp\",\n \"/usr/lib/update-notifier/.*.swp\",\n\n /* service, timer, want, socket and lock files */\n \"/etc/systemd/system/.*.swp\", \"/usr/local/lib/systemd/system/.*.swp\", \"/lib/systemd/system/.*.swp\",\n \"/usr/lib/systemd/system/.*.swp\",\"/home/*/.config/systemd/user/.*.swp\", \"/run/.*.swp\", \"/var/run/.*.swp/\",\n\n /* profile and shell configuration files */ \n \"/home/*.profile.swp\", \"/home/*.bash_profile.swp\", \"/home/*.bash_login.swp\", \"/home/*.bashrc.swp\", 
\"/home/*.bash_logout.swp\",\n \"/home/*.zshrc.swp\", \"/home/*.zlogin.swp\", \"/home/*.tcshrc.swp\", \"/home/*.kshrc.swp\", \"/home/*.config.fish.swp\",\n \"/root/*.profile.swp\", \"/root/*.bash_profile.swp\", \"/root/*.bash_login.swp\", \"/root/*.bashrc.swp\", \"/root/*.bash_logout.swp\",\n \"/root/*.zshrc.swp\", \"/root/*.zlogin.swp\", \"/root/*.tcshrc.swp\", \"/root/*.kshrc.swp\", \"/root/*.config.fish.swp\"\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}], "risk_score": 21, "rule_id": "3728c08d-9b70-456b-b6b8-007c7d246128", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": 
"https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "3728c08d-9b70-456b-b6b8-007c7d246128_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_4.json b/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_4.json deleted file mode 100644 index bbc6f123d8d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3728c08d-9b70-456b-b6b8-007c7d246128_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the potential edit of a suspicious file. In Linux, when editing a file through an editor, a temporary .swp file is created. By monitoring for the creation of this .swp file, we can detect potential file edits of suspicious files. The execution of this rule is not a clear sign of the file being edited, as just opening the file through an editor will trigger this event. Attackers may alter any of the files added in this rule to establish persistence, escalate privileges or perform reconnaisance on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 1, "name": "Potential Suspicious File Edit", "query": "file where event.action in (\"creation\", \"file_create_event\") and file.extension == \"swp\" and \nfile.path : (\n /* common interesting files and locations */\n \"/etc/.shadow.swp\", \"/etc/.shadow-.swp\", \"/etc/.shadow~.swp\", \"/etc/.gshadow.swp\", \"/etc/.gshadow-.swp\",\n \"/etc/.passwd.swp\", \"/etc/.pwd.db.swp\", \"/etc/.master.passwd.swp\", \"/etc/.spwd.db.swp\", \"/etc/security/.opasswd.swp\",\n \"/etc/.environment.swp\", \"/etc/.profile.swp\", \"/etc/sudoers.d/.*.swp\", \"/etc/ld.so.conf.d/.*.swp\",\n \"/etc/init.d/.*.swp\", \"/etc/.rc.local.swp\", \"/etc/rc*.d/.*.swp\", \"/dev/shm/.*.swp\", \"/etc/update-motd.d/.*.swp\",\n \"/usr/lib/update-notifier/.*.swp\",\n\n /* service, timer, want, socket and lock files */\n \"/etc/systemd/system/.*.swp\", \"/usr/local/lib/systemd/system/.*.swp\", \"/lib/systemd/system/.*.swp\",\n \"/usr/lib/systemd/system/.*.swp\",\"/home/*/.config/systemd/user/.*.swp\", \"/run/.*.swp\", \"/var/run/.*.swp/\",\n\n /* profile and shell configuration files */ \n \"/home/*.profile.swp\", \"/home/*.bash_profile.swp\", \"/home/*.bash_login.swp\", \"/home/*.bashrc.swp\", \"/home/*.bash_logout.swp\",\n \"/home/*.zshrc.swp\", \"/home/*.zlogin.swp\", 
\"/home/*.tcshrc.swp\", \"/home/*.kshrc.swp\", \"/home/*.config.fish.swp\",\n \"/root/*.profile.swp\", \"/root/*.bash_profile.swp\", \"/root/*.bash_login.swp\", \"/root/*.bashrc.swp\", \"/root/*.bash_logout.swp\",\n \"/root/*.zshrc.swp\", \"/root/*.zlogin.swp\", \"/root/*.tcshrc.swp\", \"/root/*.kshrc.swp\", \"/root/*.config.fish.swp\"\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}], "risk_score": 21, "rule_id": "3728c08d-9b70-456b-b6b8-007c7d246128", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation 
Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "3728c08d-9b70-456b-b6b8-007c7d246128_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e.json b/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e.json deleted file mode 100644 index fa778b679de..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the creation of an Amazon Relational Database Service (RDS) Security group.", "false_positives": ["An RDS security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Security Group Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBSecurityGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "378f9024-8a0c-46a5-aa08-ce147ac73a4e", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.003", 
"name": "Cloud Account", "reference": "https://attack.mitre.org/techniques/T1136/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "378f9024-8a0c-46a5-aa08-ce147ac73a4e", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_102.json b/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_102.json deleted file mode 100644 index b6eaa011134..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the creation of an Amazon Relational Database Service (RDS) Security group.", "false_positives": ["An RDS security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Security Group Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBSecurityGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "378f9024-8a0c-46a5-aa08-ce147ac73a4e", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.003", "name": "Cloud Account", "reference": 
"https://attack.mitre.org/techniques/T1136/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "378f9024-8a0c-46a5-aa08-ce147ac73a4e_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_103.json b/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_103.json deleted file mode 100644 index dc64ae7c3d0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the creation of an Amazon Relational Database Service (RDS) Security group.", "false_positives": ["An RDS security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Security Group Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBSecurityGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "378f9024-8a0c-46a5-aa08-ce147ac73a4e", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.003", "name": "Cloud Account", "reference": 
"https://attack.mitre.org/techniques/T1136/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "378f9024-8a0c-46a5-aa08-ce147ac73a4e_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_104.json b/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_104.json deleted file mode 100644 index 59d0d87619f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the creation of an Amazon Relational Database Service (RDS) Security group.", "false_positives": ["An RDS security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Security Group Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBSecurityGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "378f9024-8a0c-46a5-aa08-ce147ac73a4e", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.003", "name": "Cloud Account", "reference": 
"https://attack.mitre.org/techniques/T1136/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "378f9024-8a0c-46a5-aa08-ce147ac73a4e_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_205.json b/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_205.json deleted file mode 100644 index fa40f62f7ca..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/378f9024-8a0c-46a5-aa08-ce147ac73a4e_205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the creation of an Amazon Relational Database Service (RDS) Security group.", "false_positives": ["An RDS security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Security Group Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBSecurityGroup and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBSecurityGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "378f9024-8a0c-46a5-aa08-ce147ac73a4e", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.003", "name": "Cloud Account", "reference": 
"https://attack.mitre.org/techniques/T1136/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "378f9024-8a0c-46a5-aa08-ce147ac73a4e_205", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77.json b/packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77.json deleted file mode 100644 index 60409881e63..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Willem D'Haese"], "description": "Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft's Identity Protection machine learning and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. While Microsoft does not provide specific details about how risk is calculated, each level brings higher confidence that the user or sign-in is compromised.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Active Directory High Risk Sign-in", "note": "## Triage and analysis\n\n### Investigating Azure Active Directory High Risk Sign-in\n\nMicrosoft Identity Protection is an Azure AD security tool that detects various types of identity risks and attacks.\n\nThis rule identifies events produced by Microsoft Identity Protection with high risk levels or high aggregated risk level.\n\n#### Possible investigation steps\n\n- Identify the Risk Detection that triggered the event. A list with descriptions can be found [here](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-types-and-detection).\n- Identify the user account involved and validate whether the suspicious activity is normal for that user.\n - Consider the source IP address and geolocation for the involved user account. Do they look normal?\n - Consider the device used to sign in. 
Is it registered and compliant?\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\nIf this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and device conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:azure.signinlogs and\n (azure.signinlogs.properties.risk_level_during_signin:high or azure.signinlogs.properties.risk_level_aggregated:high) and\n event.outcome:(success or Success)\n", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk"], "related_integrations": [{"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.signinlogs.properties.risk_level_aggregated", "type": "keyword"}, {"ecs": false, "name": "azure.signinlogs.properties.risk_level_during_signin", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 73, "rule_id": "37994bca-0611-4500-ab67-5588afe73b77", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\nNote that details for `azure.signinlogs.properties.risk_level_during_signin` and 
`azure.signinlogs.properties.risk_level_aggregated`\nare only available for Azure AD Premium P2 customers. All other customers will be returned `hidden`.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "37994bca-0611-4500-ab67-5588afe73b77", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77_104.json b/packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77_104.json deleted file mode 100644 index a7e2cadca14..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/37994bca-0611-4500-ab67-5588afe73b77_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Willem D'Haese"], "description": "Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft's Identity Protection machine learning and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. While Microsoft does not provide specific details about how risk is calculated, each level brings higher confidence that the user or sign-in is compromised.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Active Directory High Risk Sign-in", "note": "## Triage and analysis\n\n### Investigating Azure Active Directory High Risk Sign-in\n\nMicrosoft Identity Protection is an Azure AD security tool that detects various types of identity risks and attacks.\n\nThis rule identifies events produced by Microsoft Identity Protection with high risk levels or high aggregated risk level.\n\n#### Possible investigation steps\n\n- Identify the Risk Detection that triggered the event. A list with descriptions can be found [here](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-types-and-detection).\n- Identify the user account involved and validate whether the suspicious activity is normal for that user.\n - Consider the source IP address and geolocation for the involved user account. Do they look normal?\n - Consider the device used to sign in. 
Is it registered and compliant?\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\nIf this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and device conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:azure.signinlogs and\n (azure.signinlogs.properties.risk_level_during_signin:high or azure.signinlogs.properties.risk_level_aggregated:high) and\n event.outcome:(success or Success)\n", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk"], "related_integrations": [{"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.signinlogs.properties.risk_level_aggregated", "type": "keyword"}, {"ecs": false, "name": "azure.signinlogs.properties.risk_level_during_signin", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 73, "rule_id": "37994bca-0611-4500-ab67-5588afe73b77", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\nNote that details for `azure.signinlogs.properties.risk_level_during_signin` and 
`azure.signinlogs.properties.risk_level_aggregated`\nare only available for Azure AD Premium P2 customers. All other customers will be returned `hidden`.", "severity": "high", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "37994bca-0611-4500-ab67-5588afe73b77_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa.json b/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa.json deleted file mode 100644 index 21e751c75ce..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suspicious commands from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Execution via System Manager", "note": "## Triage and analysis\n\n### Investigating AWS Execution via System Manager\n\nAmazon EC2 Systems Manager is a management service designed to help users automatically collect software inventory, apply operating system patches, create system images, and configure Windows and Linux operating systems.\n\nThis rule looks for the execution of commands and scripts using System Manager. 
Note that the actual contents of these scripts and commands are not included in the event, so analysts must gain visibility using an host-level security product.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate the commands or scripts using host-level visibility.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS SSM", "Use Case: Log Auditing", "Tactic: Initial Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial 
Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_105.json b/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_105.json deleted file mode 100644 index 013703f75c5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suspicious commands from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Execution via System Manager", "note": "## Triage and analysis\n\n### Investigating AWS Execution via System Manager\n\nAmazon EC2 Systems Manager is a management service designed to help users automatically collect software inventory, apply operating system patches, create system images, and configure Windows and Linux operating systems.\n\nThis rule looks for the execution of commands and scripts using System Manager. 
Note that the actual contents of these scripts and commands are not included in the event, so analysts must gain visibility using an host-level security product.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate the commands or scripts using host-level visibility.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Log Auditing", "Initial Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": 
"https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_106.json b/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_106.json
deleted file mode 100644
index 368dcf3345c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suspicious commands from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Execution via System Manager", "note": "## Triage and analysis\n\n### Investigating AWS Execution via System Manager\n\nAmazon EC2 Systems Manager is a management service designed to help users automatically collect software inventory, apply operating system patches, create system images, and configure Windows and Linux operating systems.\n\nThis rule looks for the execution of commands and scripts using System Manager. 
Note that the actual contents of these scripts and commands are not included in the event, so analysts must gain visibility using an host-level security product.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate the commands or scripts using host-level visibility.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Tactic: Initial Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": 
"https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_107.json b/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_107.json
deleted file mode 100644
index 4d8b3962086..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suspicious commands from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Execution via System Manager", "note": "## Triage and analysis\n\n### Investigating AWS Execution via System Manager\n\nAmazon EC2 Systems Manager is a management service designed to help users automatically collect software inventory, apply operating system patches, create system images, and configure Windows and Linux operating systems.\n\nThis rule looks for the execution of commands and scripts using System Manager. 
Note that the actual contents of these scripts and commands are not included in the event, so analysts must gain visibility using an host-level security product.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate the commands or scripts using host-level visibility.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Tactic: Initial Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": 
"https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_208.json b/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_208.json
deleted file mode 100644
index 3704e930c69..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_208.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suspicious commands from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Execution via System Manager", "note": "## Triage and analysis\n\n### Investigating AWS Execution via System Manager\n\nAmazon EC2 Systems Manager is a management service designed to help users automatically collect software inventory, apply operating system patches, create system images, and configure Windows and Linux operating systems.\n\nThis rule looks for the execution of commands and scripts using System Manager. 
Note that the actual contents of these scripts and commands are not included in the event, so analysts must gain visibility using an host-level security product.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate the commands or scripts using host-level visibility.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Tactic: Initial Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": 
"https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 208}, "id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_209.json b/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_209.json
deleted file mode 100644
index 96186f4ec6a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/37b211e8-4e2f-440f-86d8-06cc8f158cfa_209.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suspicious commands from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Execution via System Manager", "note": "## Triage and analysis\n\n### Investigating AWS Execution via System Manager\n\nAmazon EC2 Systems Manager is a management service designed to help users automatically collect software inventory, apply operating system patches, create system images, and configure Windows and Linux operating systems.\n\nThis rule looks for the execution of commands and scripts using System Manager. 
Note that the actual contents of these scripts and commands are not included in the event, so analysts must gain visibility using an host-level security product.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate the commands or scripts using host-level visibility.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:ssm.amazonaws.com and event.action:SendCommand and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS SSM", "Use Case: Log Auditing", "Tactic: Initial Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial 
Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "37b211e8-4e2f-440f-86d8-06cc8f158cfa_209", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906.json b/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906.json
deleted file mode 100644
index 04ac7a48628..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Finder Sync plugins enable users to extend Finder\u2019s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.", "false_positives": ["Trusted Finder Sync Plugins"], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Finder Sync Plugin Registered and Enabled", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and\n process.args : \"-e\" and process.args : \"use\" and process.args : \"-i\" and\n not process.args :\n (\n \"com.google.GoogleDrive.FinderSyncAPIExtension\",\n \"com.google.drivefs.findersync\",\n \"com.boxcryptor.osx.Rednif\",\n \"com.adobe.accmac.ACCFinderSync\",\n \"com.microsoft.OneDrive.FinderSync\",\n \"com.insynchq.Insync.Insync-Finder-Integration\",\n \"com.box.desktop.findersyncext\"\n ) and\n not process.parent.executable : (\"/Library/Application Support/IDriveforMac/IDriveHelperTools/FinderPluginApp.app/Contents/MacOS/FinderPluginApp\",\n \"/Applications/Google Drive.app/Contents/MacOS/Google Drive\") and\n not process.Ext.effective_parent.executable : (\"/Applications/Google Drive.app/Contents/MacOS/Google Drive\",\n \"/usr/local/jamf/bin/jamf\",\n \"/Applications/Nextcloud.app/Contents/MacOS/Nextcloud\",\n \"/Library/Application Support/Checkpoint/Endpoint Security/AMFinderExtensions.app/Contents/MacOS/AMFinderExtensions\",\n \"/Applications/pCloud Drive.app/Contents/MacOS/pCloud Drive\")\n", "references": ["https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": 
"host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "37f638ea-909d-4f94-9248-edd21e4a9906", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 206}, "id": "37f638ea-909d-4f94-9248-edd21e4a9906", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_102.json b/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_102.json
deleted file mode 100644
index db97cf2bef7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Finder Sync plugins enable users to extend Finder\u2019s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.", "false_positives": ["Trusted Finder Sync Plugins"], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Finder Sync Plugin Registered and Enabled", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and\n process.args : \"-e\" and process.args : \"use\" and process.args : \"-i\" and\n not process.args :\n (\n \"com.google.GoogleDrive.FinderSyncAPIExtension\",\n \"com.google.drivefs.findersync\",\n \"com.boxcryptor.osx.Rednif\",\n \"com.adobe.accmac.ACCFinderSync\",\n \"com.microsoft.OneDrive.FinderSync\",\n \"com.insynchq.Insync.Insync-Finder-Integration\",\n \"com.box.desktop.findersyncext\"\n ) and\n not process.parent.executable : (\n \"/Library/Application Support/IDriveforMac/IDriveHelperTools/FinderPluginApp.app/Contents/MacOS/FinderPluginApp\"\n )\n", "references": ["https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "37f638ea-909d-4f94-9248-edd21e4a9906", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "37f638ea-909d-4f94-9248-edd21e4a9906_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_103.json b/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_103.json
deleted file mode 100644
index c50c64538a3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Finder Sync plugins enable users to extend Finder\u2019s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.", "false_positives": ["Trusted Finder Sync Plugins"], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Finder Sync Plugin Registered and Enabled", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and\n process.args : \"-e\" and process.args : \"use\" and process.args : \"-i\" and\n not process.args :\n (\n \"com.google.GoogleDrive.FinderSyncAPIExtension\",\n \"com.google.drivefs.findersync\",\n \"com.boxcryptor.osx.Rednif\",\n \"com.adobe.accmac.ACCFinderSync\",\n \"com.microsoft.OneDrive.FinderSync\",\n \"com.insynchq.Insync.Insync-Finder-Integration\",\n \"com.box.desktop.findersyncext\"\n ) and\n not process.parent.executable : (\n \"/Library/Application Support/IDriveforMac/IDriveHelperTools/FinderPluginApp.app/Contents/MacOS/FinderPluginApp\"\n )\n", "references": ["https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "37f638ea-909d-4f94-9248-edd21e4a9906", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "37f638ea-909d-4f94-9248-edd21e4a9906_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_104.json b/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_104.json
deleted file mode 100644
index 235091a7f2e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Finder Sync plugins enable users to extend Finder\u2019s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.", "false_positives": ["Trusted Finder Sync Plugins"], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Finder Sync Plugin Registered and Enabled", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and\n process.args : \"-e\" and process.args : \"use\" and process.args : \"-i\" and\n not process.args :\n (\n \"com.google.GoogleDrive.FinderSyncAPIExtension\",\n \"com.google.drivefs.findersync\",\n \"com.boxcryptor.osx.Rednif\",\n \"com.adobe.accmac.ACCFinderSync\",\n \"com.microsoft.OneDrive.FinderSync\",\n \"com.insynchq.Insync.Insync-Finder-Integration\",\n \"com.box.desktop.findersyncext\"\n ) and\n not process.parent.executable : (\n \"/Library/Application Support/IDriveforMac/IDriveHelperTools/FinderPluginApp.app/Contents/MacOS/FinderPluginApp\"\n )\n", "references": ["https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "37f638ea-909d-4f94-9248-edd21e4a9906", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "37f638ea-909d-4f94-9248-edd21e4a9906_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_105.json b/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_105.json
deleted file mode 100644
index f952f153bec..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Finder Sync plugins enable users to extend Finder\u2019s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.", "false_positives": ["Trusted Finder Sync Plugins"], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Finder Sync Plugin Registered and Enabled", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and\n process.args : \"-e\" and process.args : \"use\" and process.args : \"-i\" and\n not process.args :\n (\n \"com.google.GoogleDrive.FinderSyncAPIExtension\",\n \"com.google.drivefs.findersync\",\n \"com.boxcryptor.osx.Rednif\",\n \"com.adobe.accmac.ACCFinderSync\",\n \"com.microsoft.OneDrive.FinderSync\",\n \"com.insynchq.Insync.Insync-Finder-Integration\",\n \"com.box.desktop.findersyncext\"\n ) and\n not process.parent.executable : (\n \"/Library/Application Support/IDriveforMac/IDriveHelperTools/FinderPluginApp.app/Contents/MacOS/FinderPluginApp\"\n )\n", "references": ["https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "37f638ea-909d-4f94-9248-edd21e4a9906", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "37f638ea-909d-4f94-9248-edd21e4a9906_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_106.json b/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_106.json
deleted file mode 100644
index 118520f4c92..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/37f638ea-909d-4f94-9248-edd21e4a9906_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Finder Sync plugins enable users to extend Finder\u2019s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.", "false_positives": ["Trusted Finder Sync Plugins"], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Finder Sync Plugin Registered and Enabled", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"pluginkit\" and\n process.args : \"-e\" and process.args : \"use\" and process.args : \"-i\" and\n not process.args :\n (\n \"com.google.GoogleDrive.FinderSyncAPIExtension\",\n \"com.google.drivefs.findersync\",\n \"com.boxcryptor.osx.Rednif\",\n \"com.adobe.accmac.ACCFinderSync\",\n \"com.microsoft.OneDrive.FinderSync\",\n \"com.insynchq.Insync.Insync-Finder-Integration\",\n \"com.box.desktop.findersyncext\"\n ) and\n not process.parent.executable : (\n \"/Library/Application Support/IDriveforMac/IDriveHelperTools/FinderPluginApp.app/Contents/MacOS/FinderPluginApp\"\n )\n", "references": ["https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "37f638ea-909d-4f94-9248-edd21e4a9906", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent 
using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "37f638ea-909d-4f94-9248-edd21e4a9906_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0.json b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0.json
deleted file mode 100644
index 7b38255192b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempted Bypass of Okta MFA", "note": "## Triage and analysis\n\n### Investigating Attempted Bypass of Okta MFA\n\nMulti-factor authentication (MFA) is a crucial security measure in preventing unauthorized access. Okta MFA, like other MFA solutions, requires the user to provide multiple means of identification at login. An adversary might attempt to bypass Okta MFA to gain unauthorized access to an application.\n\nThis rule detects attempts to bypass Okta MFA. It might indicate a serious attempt to compromise a user account within the organization's network.\n\n#### Possible investigation steps\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the bypass attempt.\n- Check the `okta.outcome.result` field to confirm the MFA bypass attempt.\n- Check if there are multiple unsuccessful MFA attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the MFA bypass attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the bypass attempt.\n\n### False positive analysis\n\n- Check if there were issues with the MFA system at the time of the bypass attempt. 
This could indicate a system error rather than a genuine bypass attempt.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the login attempt. If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's MFA settings to ensure they are correctly configured.\n\n### Response and remediation\n\n- If unauthorized access is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific MFA bypass technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 73, "rule_id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0", "setup": "The Okta Fleet integration, Filebeat module, or similarly 
structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1111", "name": "Multi-Factor Authentication Interception", "reference": "https://attack.mitre.org/techniques/T1111/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_102.json b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_102.json
deleted file mode 100644
index b1c0ae8d6ce..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempted Bypass of Okta MFA", "note": "", "query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 73, "rule_id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1111", "name": "Multi-Factor Authentication Interception", "reference": "https://attack.mitre.org/techniques/T1111/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_103.json b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_103.json
deleted file mode 100644
index dd1d9d24225..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempted Bypass of Okta MFA", "note": "", "query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 73, "rule_id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1111", "name": "Multi-Factor Authentication Interception", "reference": "https://attack.mitre.org/techniques/T1111/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_104.json b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_104.json
deleted file mode 100644
index 8c253010b3e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempted Bypass of Okta MFA", "note": "## Triage and analysis\n\n### Investigating Attempted Bypass of Okta MFA\n\nMulti-factor authentication (MFA) is a crucial security measure in preventing unauthorized access. Okta MFA, like other MFA solutions, requires the user to provide multiple means of identification at login. An adversary might attempt to bypass Okta MFA to gain unauthorized access to an application.\n\nThis rule detects attempts to bypass Okta MFA. It might indicate a serious attempt to compromise a user account within the organization's network.\n\n#### Possible investigation steps\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the bypass attempt.\n- Check the `okta.outcome.result` field to confirm the MFA bypass attempt.\n- Check if there are multiple unsuccessful MFA attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the MFA bypass attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the bypass attempt.\n\n### False positive analysis\n\n- Check if there were issues with the MFA system at the time of the bypass attempt. 
This could indicate a system error rather than a genuine bypass attempt.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the login attempt. If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's MFA settings to ensure they are correctly configured.\n\n### Response and remediation\n\n- If unauthorized access is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific MFA bypass technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 73, "rule_id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0", "setup": "The Okta Fleet integration, Filebeat module, or similarly 
structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1111", "name": "Multi-Factor Authentication Interception", "reference": "https://attack.mitre.org/techniques/T1111/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_105.json b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_105.json
deleted file mode 100644
index d6554b93c1b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempted Bypass of Okta MFA", "note": "## Triage and analysis\n\n### Investigating Attempted Bypass of Okta MFA\n\nMulti-factor authentication (MFA) is a crucial security measure in preventing unauthorized access. Okta MFA, like other MFA solutions, requires the user to provide multiple means of identification at login. An adversary might attempt to bypass Okta MFA to gain unauthorized access to an application.\n\nThis rule detects attempts to bypass Okta MFA. It might indicate a serious attempt to compromise a user account within the organization's network.\n\n#### Possible investigation steps\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the bypass attempt.\n- Check the `okta.outcome.result` field to confirm the MFA bypass attempt.\n- Check if there are multiple unsuccessful MFA attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the MFA bypass attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the bypass attempt.\n\n### False positive analysis\n\n- Check if there were issues with the MFA system at the time of the bypass attempt. 
This could indicate a system error rather than a genuine bypass attempt.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the login attempt. If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's MFA settings to ensure they are correctly configured.\n\n### Response and remediation\n\n- If unauthorized access is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific MFA bypass technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 73, "rule_id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0", "setup": "The Okta Fleet integration, Filebeat module, or similarly 
structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1111", "name": "Multi-Factor Authentication Interception", "reference": "https://attack.mitre.org/techniques/T1111/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_106.json b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_106.json
deleted file mode 100644
index c2a41cb6fc9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempted Bypass of Okta MFA", "note": "## Triage and analysis\n\n### Investigating Attempted Bypass of Okta MFA\n\nMulti-factor authentication (MFA) is a crucial security measure in preventing unauthorized access. Okta MFA, like other MFA solutions, requires the user to provide multiple means of identification at login. An adversary might attempt to bypass Okta MFA to gain unauthorized access to an application.\n\nThis rule detects attempts to bypass Okta MFA. It might indicate a serious attempt to compromise a user account within the organization's network.\n\n#### Possible investigation steps\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the bypass attempt.\n- Check the `okta.outcome.result` field to confirm the MFA bypass attempt.\n- Check if there are multiple unsuccessful MFA attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the MFA bypass attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the bypass attempt.\n\n### False positive analysis\n\n- Check if there were issues with the MFA system at the time of the bypass attempt. 
This could indicate a system error rather than a genuine bypass attempt.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the login attempt. If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's MFA settings to ensure they are correctly configured.\n\n### Response and remediation\n\n- If unauthorized access is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific MFA bypass technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 73, "rule_id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0", "setup": "The Okta Fleet integration, Filebeat module, or similarly 
structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1111", "name": "Multi-Factor Authentication Interception", "reference": "https://attack.mitre.org/techniques/T1111/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_207.json b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_207.json
deleted file mode 100644
index 6ee26bd2ea1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_207.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempted Bypass of Okta MFA", "note": "## Triage and analysis\n\n### Investigating Attempted Bypass of Okta MFA\n\nMulti-factor authentication (MFA) is a crucial security measure in preventing unauthorized access. Okta MFA, like other MFA solutions, requires the user to provide multiple means of identification at login. An adversary might attempt to bypass Okta MFA to gain unauthorized access to an application.\n\nThis rule detects attempts to bypass Okta MFA. It might indicate a serious attempt to compromise a user account within the organization's network.\n\n#### Possible investigation steps\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the bypass attempt.\n- Check the `okta.outcome.result` field to confirm the MFA bypass attempt.\n- Check if there are multiple unsuccessful MFA attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the MFA bypass attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the bypass attempt.\n\n### False positive analysis\n\n- Check if there were issues with the MFA system at the time of the bypass attempt. 
This could indicate a system error rather than a genuine bypass attempt.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the login attempt. If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's MFA settings to ensure they are correctly configured.\n\n### Response and remediation\n\n- If unauthorized access is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific MFA bypass technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 73, "rule_id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0", "setup": "The Okta Fleet integration, Filebeat module, or similarly 
structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1111", "name": "Multi-Factor Authentication Interception", "reference": "https://attack.mitre.org/techniques/T1111/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0_207", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_208.json b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_208.json
deleted file mode 100644
index b785b976d10..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_208.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempted Bypass of Okta MFA", "note": "## Triage and analysis\n\n### Investigating Attempted Bypass of Okta MFA\n\nMulti-factor authentication (MFA) is a crucial security measure in preventing unauthorized access. Okta MFA, like other MFA solutions, requires the user to provide multiple means of identification at login. An adversary might attempt to bypass Okta MFA to gain unauthorized access to an application.\n\nThis rule detects attempts to bypass Okta MFA. It might indicate a serious attempt to compromise a user account within the organization's network.\n\n#### Possible investigation steps\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the bypass attempt.\n- Check the `okta.outcome.result` field to confirm the MFA bypass attempt.\n- Check if there are multiple unsuccessful MFA attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the MFA bypass attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the bypass attempt.\n\n### False positive analysis\n\n- Check if there were issues with the MFA system at the time of the bypass attempt. 
This could indicate a system error rather than a genuine bypass attempt.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the login attempt. If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's MFA settings to ensure they are correctly configured.\n\n### Response and remediation\n\n- If unauthorized access is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific MFA bypass technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, 
"name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 73, "rule_id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1111", "name": "Multi-Factor Authentication Interception", "reference": "https://attack.mitre.org/techniques/T1111/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 208}, "id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_210.json b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_210.json deleted file mode 100644 index ef2431a9fe5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_210.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempted Bypass of Okta MFA", "note": "## Triage and analysis\n\n### Investigating Attempted Bypass of Okta MFA\n\nMulti-factor authentication (MFA) is a crucial security measure in preventing unauthorized access. Okta MFA, like other MFA solutions, requires the user to provide multiple means of identification at login. An adversary might attempt to bypass Okta MFA to gain unauthorized access to an application.\n\nThis rule detects attempts to bypass Okta MFA. It might indicate a serious attempt to compromise a user account within the organization's network.\n\n#### Possible investigation steps\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the bypass attempt.\n- Check the `okta.outcome.result` field to confirm the MFA bypass attempt.\n- Check if there are multiple unsuccessful MFA attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the MFA bypass attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the bypass attempt.\n\n### False positive analysis\n\n- Check if there were issues with the MFA system at the time of the bypass attempt. 
This could indicate a system error rather than a genuine bypass attempt.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the login attempt. If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's MFA settings to ensure they are correctly configured.\n\n### Response and remediation\n\n- If unauthorized access is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific MFA bypass technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, 
"name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 73, "rule_id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1111", "name": "Multi-Factor Authentication Interception", "reference": "https://attack.mitre.org/techniques/T1111/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 210}, "id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0_210", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_310.json b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_310.json new file mode 100644 index 00000000000..2ba2a12d2c5 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/3805c3dc-f82c-4f8d-891e-63c24d3102b0_310.json 
@@ -0,0 +1,74 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.",
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempted Bypass of Okta MFA",
+ "note": "## Triage and analysis\n\n### Investigating Attempted Bypass of Okta MFA\n\nMulti-factor authentication (MFA) is a crucial security measure in preventing unauthorized access. Okta MFA, like other MFA solutions, requires the user to provide multiple means of identification at login. An adversary might attempt to bypass Okta MFA to gain unauthorized access to an application.\n\nThis rule detects attempts to bypass Okta MFA. It might indicate a serious attempt to compromise a user account within the organization's network.\n\n#### Possible investigation steps\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the bypass attempt.\n- Check the `okta.outcome.result` field to confirm the MFA bypass attempt.\n- Check if there are multiple unsuccessful MFA attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the MFA bypass attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the bypass attempt.\n\n### False positive analysis\n\n- Check if there were issues with the MFA system at the time of the bypass attempt. 
This could indicate a system error rather than a genuine bypass attempt.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the login attempt. If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's MFA settings to ensure they are correctly configured.\n\n### Response and remediation\n\n- If unauthorized access is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific MFA bypass technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "query": "event.dataset:okta.system and event.action:user.mfa.attempt_bypass\n",
+ "references": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Data Source: Okta", + "Use Case: Identity and Access Audit", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1111", + "name": "Multi-Factor Authentication Interception", + "reference": "https://attack.mitre.org/techniques/T1111/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 310 + }, + "id": "3805c3dc-f82c-4f8d-891e-63c24d3102b0_310", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8.json b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8.json deleted file mode 100644 index 79bb74cd45c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Certutil", "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine 
the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and\n not dns.question.name in (\"localhost\", \"*.digicert.com\", \"ctldl.windowsupdate.com\")\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", "https://frsecure.com/malware-incident-response-playbook/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_104.json b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_104.json deleted file mode 100644 index 0ceb7ade272..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Certutil", "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"certutil.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", "https://frsecure.com/malware-incident-response-playbook/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", 
"name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "type": "eql", "version": 104}, "id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_105.json b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_105.json deleted file mode 100644 index e289a0e7b62..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Certutil", "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"certutil.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", "https://frsecure.com/malware-incident-response-playbook/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", 
"name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "type": "eql", "version": 105}, "id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_106.json b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_106.json deleted file mode 100644 index 5a372814ae2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Certutil", "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"certutil.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", "https://frsecure.com/malware-incident-response-playbook/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "type": "eql", "version": 106}, "id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_107.json b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_107.json deleted file mode 100644 index b9406e62681..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Certutil", "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"certutil.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", "https://frsecure.com/malware-incident-response-playbook/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "type": "eql", "version": 107}, "id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_108.json b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_108.json deleted file mode 100644 index d156ebc4a6b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Certutil", "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", "https://frsecure.com/malware-incident-response-playbook/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": 
"https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_109.json b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_109.json deleted file mode 100644 index 54e4468f342..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Certutil", "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine 
the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", "https://frsecure.com/malware-incident-response-playbook/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": 
"https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_110.json b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_110.json deleted file mode 100644 index 78b3b772301..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Certutil", "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine 
the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", "https://frsecure.com/malware-incident-response-playbook/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": 
"https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_111.json b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_111.json deleted file mode 100644 index 938ee954377..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Certutil", "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine 
the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and\n not dns.question.name in (\"localhost\", \"*.digicert.com\", \"ctldl.windowsupdate.com\")\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", "https://frsecure.com/malware-incident-response-playbook/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command 
and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_112.json b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_112.json deleted file mode 100644 index 3e4da8c7a9f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_112.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Certutil", "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine 
the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and\n not dns.question.name in (\"localhost\", \"*.digicert.com\", \"ctldl.windowsupdate.com\")\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", "https://frsecure.com/malware-incident-response-playbook/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_113.json b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_113.json deleted file mode 100644 index 2adf325dfa2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_113.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Certutil", "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine 
the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and\n not dns.question.name in (\"localhost\", \"*.digicert.com\", \"ctldl.windowsupdate.com\")\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", "https://frsecure.com/malware-incident-response-playbook/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Elastic Endgame", "Rule Type: BBR"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8_113", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_114.json b/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_114.json
deleted file mode 100644
index 8a18a62f6ed..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3838e0e3-1850-4850-a411-2e8c5ba40ba8_114.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Certutil", "note": "## Triage and analysis\n\n### Investigating Network Connection via Certutil\n\nAttackers can abuse `certutil.exe` to download malware, offensive security tools, and certificates from external sources in order to take the next steps in a compromised environment.\n\nThis rule looks for network events where `certutil.exe` contacts IP ranges other than the ones specified in [IANA IPv4 Special-Purpose Address Registry](https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml)\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Investigate if the downloaded file was executed.\n- Determine the context in which `certutil.exe` and the file were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine 
the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
If trusted software uses this command and the triage has not identified anything suspicious, this alert can be closed as a false positive.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and process.name : \"certutil.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and\n not dns.question.name in (\"localhost\", \"*.digicert.com\", \"ctldl.windowsupdate.com\")\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", "https://frsecure.com/malware-incident-response-playbook/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Elastic Endgame", "Rule Type: BBR"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 114}, "id": "3838e0e3-1850-4850-a411-2e8c5ba40ba8_114", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb.json b/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb.json
deleted file mode 100644
index e3ac2397c2f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Prompt for Credentials with OSASCRIPT", "query": "process where event.action == \"exec\" and host.os.type == \"macos\" and\n process.name : \"osascript\" and process.args : \"-e\" and process.command_line : (\"*osascript*display*dialog*password*\", \"*osascript*display*dialog*passphrase*\") and\n not (process.parent.executable : \"/usr/bin/sudo\" and process.command_line : \"*Encryption Key Escrow*\") and\n not (process.command_line : \"*-e with timeout of 3600 seconds*\" and user.id == \"0\" and process.parent.executable : \"/bin/bash\") and\n not process.Ext.effective_parent.executable : (\"/usr/local/jamf/*\", \n \"/Applications/Karabiner-Elements.app/Contents/MacOS/Karabiner-Elements\",\n \"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal\",\n \"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon\",\n \"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService\")\n", "references": ["https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py", "https://ss64.com/osx/osascript.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": 
"process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1056", "name": "Input Capture", "reference": "https://attack.mitre.org/techniques/T1056/", "subtechnique": [{"id": "T1056.002", "name": "GUI Input Capture", "reference": "https://attack.mitre.org/techniques/T1056/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 208}, "id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_102.json b/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_102.json
deleted file mode 100644
index a675471e7c4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Prompt for Credentials with OSASCRIPT", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*display dialog*password*\"\n", "references": ["https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py", "https://ss64.com/osx/osascript.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1056", "name": "Input Capture", "reference": "https://attack.mitre.org/techniques/T1056/", "subtechnique": [{"id": "T1056.002", "name": "GUI Input Capture", "reference": "https://attack.mitre.org/techniques/T1056/002/"}]}]}], "timestamp_override": "event.ingested", "type": 
"eql", "version": 102}, "id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_103.json b/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_103.json
deleted file mode 100644
index 010f62ecbed..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Prompt for Credentials with OSASCRIPT", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*display dialog*password*\"\n", "references": ["https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py", "https://ss64.com/osx/osascript.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1056", "name": "Input Capture", "reference": "https://attack.mitre.org/techniques/T1056/", "subtechnique": [{"id": "T1056.002", "name": "GUI Input Capture", "reference": "https://attack.mitre.org/techniques/T1056/002/"}]}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 103}, "id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_104.json b/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_104.json
deleted file mode 100644
index de4c5bef645..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Prompt for Credentials with OSASCRIPT", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*display dialog*password*\"\n", "references": ["https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py", "https://ss64.com/osx/osascript.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1056", "name": "Input Capture", "reference": "https://attack.mitre.org/techniques/T1056/", "subtechnique": [{"id": "T1056.002", "name": "GUI Input Capture", "reference": 
"https://attack.mitre.org/techniques/T1056/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_105.json b/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_105.json
deleted file mode 100644
index 5772ed1bb97..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Prompt for Credentials with OSASCRIPT", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*display dialog*password*\"\n", "references": ["https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py", "https://ss64.com/osx/osascript.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1056", "name": "Input Capture", "reference": 
"https://attack.mitre.org/techniques/T1056/", "subtechnique": [{"id": "T1056.002", "name": "GUI Input Capture", "reference": "https://attack.mitre.org/techniques/T1056/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_106.json b/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_106.json deleted file mode 100644 index ffaf2517792..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Prompt for Credentials with OSASCRIPT", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*display dialog*password*\"\n", "references": ["https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py", "https://ss64.com/osx/osascript.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1056", "name": "Input Capture", "reference": "https://attack.mitre.org/techniques/T1056/", "subtechnique": [{"id": "T1056.002", "name": "GUI Input Capture", "reference": "https://attack.mitre.org/techniques/T1056/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_107.json b/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_107.json deleted file mode 100644 index 762c2747544..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Prompt for Credentials with OSASCRIPT", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*display dialog*password*\"\n", "references": ["https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py", "https://ss64.com/osx/osascript.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1056", "name": "Input Capture", "reference": "https://attack.mitre.org/techniques/T1056/", "subtechnique": [{"id": "T1056.002", "name": "GUI Input Capture", "reference": "https://attack.mitre.org/techniques/T1056/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_207.json b/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_207.json deleted file mode 100644 index ab21c176b16..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/38948d29-3d5d-42e3-8aec-be832aaaf8eb_207.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Prompt for Credentials with OSASCRIPT", "query": "process where event.action == \"exec\" and\n process.name : \"osascript\" and process.args : \"-e\" and process.command_line : (\"*osascript*display*dialog*password*\", \"*osascript*display*dialog*passphrase*\") and\n not (process.parent.executable : \"/usr/bin/sudo\" and process.command_line : \"*Encryption Key Escrow*\") and\n not (process.command_line : \"*-e with timeout of 3600 seconds*\" and user.id == \"0\" and process.parent.executable : \"/bin/bash\") and\n not process.Ext.effective_parent.executable : (\"/usr/local/jamf/*\", \n \"/Applications/Karabiner-Elements.app/Contents/MacOS/Karabiner-Elements\",\n \"/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal\",\n \"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon\",\n \"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService\")\n", "references": ["https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py", "https://ss64.com/osx/osascript.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], 
"risk_score": 73, "rule_id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1056", "name": "Input Capture", "reference": "https://attack.mitre.org/techniques/T1056/", "subtechnique": [{"id": "T1056.002", "name": "GUI Input Capture", "reference": "https://attack.mitre.org/techniques/T1056/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 207}, "id": "38948d29-3d5d-42e3-8aec-be832aaaf8eb_207", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc_1.json deleted file mode 100644 index f7f4eb315c6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects successful Microsoft 365 portal logins from impossible travel locations. Impossible travel locations are defined as two different countries within a short time frame. This behavior may indicate an adversary attempting to access a Microsoft 365 account from a compromised account or a malicious actor attempting to access a Microsoft 365 account from a different location.", "false_positives": ["False positives may occur when users are using a VPN or when users are traveling to different locations for legitimate purposes."], "from": "now-15m", "index": ["filebeat-*", "logs-o365.audit-*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Portal Logins from Impossible Travel Locations", "query": "event.dataset: \"o365.audit\"\n and event.provider: \"AzureActiveDirectory\"\n and event.action: \"UserLoggedIn\"\n and event.outcome: \"success\"\n", "references": ["https://www.huntress.com/blog/time-travelers-busted-how-to-detect-impossible-travel-"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Threat Detection", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], 
"threshold": {"cardinality": [{"field": "source.geo.country_name", "value": 2}], "field": ["o365.audit.UserId"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 1}, "id": "3896d4c0-6ad1-11ef-8c7b-f661ea17fbcc_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/38e5acdd-5f20-4d99-8fe4-f0a1a592077f.json b/packages/security_detection_engine/kibana/security_rule/38e5acdd-5f20-4d99-8fe4-f0a1a592077f.json deleted file mode 100644 index 3a9845f65c5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/38e5acdd-5f20-4d99-8fe4-f0a1a592077f.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a user is added as an owner for an Azure service principal. The service principal object defines what the application can do in the specific tenant, who can access the application, and what resources the app can access. A service principal object is created when an application is given permission to access resources in a tenant. An adversary may add a user account as an owner for a service principal and use that account in order to define what an application can do in the Azure AD tenant.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "User Added as Owner for Azure Service Principal", "note": "", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to service principal\" and event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals"], "related_integrations": [{"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "38e5acdd-5f20-4d99-8fe4-f0a1a592077f", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, 
"id": "38e5acdd-5f20-4d99-8fe4-f0a1a592077f", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/38e5acdd-5f20-4d99-8fe4-f0a1a592077f_101.json b/packages/security_detection_engine/kibana/security_rule/38e5acdd-5f20-4d99-8fe4-f0a1a592077f_101.json deleted file mode 100644 index 0cf4d10a8de..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/38e5acdd-5f20-4d99-8fe4-f0a1a592077f_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a user is added as an owner for an Azure service principal. The service principal object defines what the application can do in the specific tenant, who can access the application, and what resources the app can access. A service principal object is created when an application is given permission to access resources in a tenant. An adversary may add a user account as an owner for a service principal and use that account in order to define what an application can do in the Azure AD tenant.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "User Added as Owner for Azure Service Principal", "note": "", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to service principal\" and event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals"], "related_integrations": [{"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "38e5acdd-5f20-4d99-8fe4-f0a1a592077f", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": 
"38e5acdd-5f20-4d99-8fe4-f0a1a592077f_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc.json b/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc.json deleted file mode 100644 index 6fef91404f2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects an external Google Workspace user account being added to an existing group. Adversaries may add external user accounts as a means to intercept shared files or emails with that specific group.", "false_positives": ["Administrators may add external users to groups to share files and communication with them via the intended recipient be the group they are added to. It is unlikely an external user account would be added to an organization's group where administrators should create a new user account."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "eql", "license": "Elastic License v2", "name": "External User Added to Google Workspace Group", "note": "## Triage and analysis\n\n### Investigating External User Added to Google Workspace Group\n\nGoogle Workspace groups allow organizations to assign specific users to a group that can share resources. Application specific roles can be manually set for each group, but if not inherit permissions from the top-level organizational unit.\n\nThreat actors may use phishing techniques and container-bound scripts to add external Google accounts to an organization's groups with editorial privileges. As a result, the user account is unable to manually access the organization's resources, settings and files, but will receive anything shared to the group. 
As a result, confidential information could be leaked or perhaps documents shared with editorial privileges be weaponized for further intrusion.\n\nThis rule identifies when an external user account is added to an organization's groups where the domain name of the target does not match the Google Workspace domain.\n\n#### Possible investigation steps\n- Identify user account(s) associated by reviewing `user.name` or `user.email` in the alert\n - The `user.target.email` field contains the user added to the groups\n - The `group.name` field contains the group the target user was added to\n- Identify specific application settings given to the group which may indicate motive for the external user joining a particular group\n- With the user identified, verify administrative privileges are scoped properly to add external users to the group\n - Unauthorized actions may indicate the `user.email` account has been compromised or leveraged to add an external user\n- To identify other users in this group, search for `event.action: \"ADD_GROUP_MEMBER\"`\n - It is important to understand if external users with `@gmail.com` are expected to be added to this group based on historical references\n- Review Gmail logs where emails were sent to and from the `group.name` value\n - This may indicate potential internal spearphishing\n\n### False positive analysis\n- With the user account whom added the new user, verify this action was intentional\n- Verify that the target whom was added to the group is expected to have access to the organization's resources and data\n- If other members have been added to groups that are external, this may indicate historically that this action is expected\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain 
context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security defaults [provided by Google](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "iam where event.dataset == \"google_workspace.admin\" and event.action == \"ADD_GROUP_MEMBER\" and\n not endsWith(user.target.email, user.target.group.domain)\n", "references": ["https://support.google.com/a/answer/33329"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "user.target.email", "type": "keyword"}, {"ecs": true, "name": "user.target.group.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "38f384e0-aef8-11ed-9a38-f661ea17fbcc", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Tactic: Initial Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "38f384e0-aef8-11ed-9a38-f661ea17fbcc", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_1.json deleted file mode 100644 index a796304ee1a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects an external Google Workspace user account being added to an existing group. Adversaries may add external user accounts as a means to intercept shared files or emails with that specific group.", "false_positives": ["Administrators may add external users to groups to share files and communication with them via the intended recipient be the group they are added to. It is unlikely an external user account would be added to an organization's group where administrators should create a new user account."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "eql", "license": "Elastic License v2", "name": "External User Added to Google Workspace Group", "note": "## Triage and analysis\n\n### Investigating External User Added to Google Workspace Group\n\nGoogle Workspace groups allow organizations to assign specific users to a group that can share resources. Application specific roles can be manually set for each group, but if not inherit permissions from the top-level organizational unit.\n\nThreat actors may use phishing techniques and container-bound scripts to add external Google accounts to an organization's groups with editorial privileges. As a result, the user account is unable to manually access the organization's resources, settings and files, but will receive anything shared to the group. 
As a result, confidential information could be leaked or perhaps documents shared with editorial privileges be weaponized for further intrusion.\n\nThis rule identifies when an external user account is added to an organization's groups where the domain name of the target does not match the Google Workspace domain.\n\n#### Possible investigation steps\n- Identify user account(s) associated by reviewing `user.name` or `user.email` in the alert\n - The `user.target.email` field contains the user added to the groups\n - The `group.name` field contains the group the target user was added to\n- Identify specific application settings given to the group which may indicate motive for the external user joining a particular group\n- With the user identified, verify administrative privileges are scoped properly to add external users to the group\n - Unauthorized actions may indicate the `user.email` account has been compromised or leveraged to add an external user\n- To identify other users in this group, search for `event.action: \"ADD_GROUP_MEMBER\"`\n - It is important to understand if external users with `@gmail.com` are expected to be added to this group based on historical references\n- Review Gmail logs where emails were sent to and from the `group.name` value\n - This may indicate potential internal spearphishing\n\n### False positive analysis\n- With the user account whom added the new user, verify this action was intentional\n- Verify that the target whom was added to the group is expected to have access to the organization's resources and data\n- If other members have been added to groups that are external, this may indicate historically that this action is expected\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain 
context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security defaults [provided by Google](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "iam where event.dataset == \"google_workspace.admin\" and event.action == \"ADD_GROUP_MEMBER\" and\n not endsWith(user.target.email, user.target.group.domain)\n", "references": ["https://support.google.com/a/answer/33329"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "user.target.email", "type": "keyword"}, {"ecs": true, "name": "user.target.group.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "38f384e0-aef8-11ed-9a38-f661ea17fbcc", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Identity and Access", "Initial Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "38f384e0-aef8-11ed-9a38-f661ea17fbcc_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_2.json b/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_2.json
deleted file mode 100644
index 5e9ac1c765f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/38f384e0-aef8-11ed-9a38-f661ea17fbcc_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects an external Google Workspace user account being added to an existing group. Adversaries may add external user accounts as a means to intercept shared files or emails with that specific group.", "false_positives": ["Administrators may add external users to groups to share files and communication with them via the intended recipient be the group they are added to. It is unlikely an external user account would be added to an organization's group where administrators should create a new user account."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "eql", "license": "Elastic License v2", "name": "External User Added to Google Workspace Group", "note": "## Triage and analysis\n\n### Investigating External User Added to Google Workspace Group\n\nGoogle Workspace groups allow organizations to assign specific users to a group that can share resources. Application specific roles can be manually set for each group, but if not inherit permissions from the top-level organizational unit.\n\nThreat actors may use phishing techniques and container-bound scripts to add external Google accounts to an organization's groups with editorial privileges. As a result, the user account is unable to manually access the organization's resources, settings and files, but will receive anything shared to the group. 
As a result, confidential information could be leaked or perhaps documents shared with editorial privileges be weaponized for further intrusion.\n\nThis rule identifies when an external user account is added to an organization's groups where the domain name of the target does not match the Google Workspace domain.\n\n#### Possible investigation steps\n- Identify user account(s) associated by reviewing `user.name` or `user.email` in the alert\n - The `user.target.email` field contains the user added to the groups\n - The `group.name` field contains the group the target user was added to\n- Identify specific application settings given to the group which may indicate motive for the external user joining a particular group\n- With the user identified, verify administrative privileges are scoped properly to add external users to the group\n - Unauthorized actions may indicate the `user.email` account has been compromised or leveraged to add an external user\n- To identify other users in this group, search for `event.action: \"ADD_GROUP_MEMBER\"`\n - It is important to understand if external users with `@gmail.com` are expected to be added to this group based on historical references\n- Review Gmail logs where emails were sent to and from the `group.name` value\n - This may indicate potential internal spearphishing\n\n### False positive analysis\n- With the user account whom added the new user, verify this action was intentional\n- Verify that the target whom was added to the group is expected to have access to the organization's resources and data\n- If other members have been added to groups that are external, this may indicate historically that this action is expected\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain 
context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security defaults [provided by Google](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "iam where event.dataset == \"google_workspace.admin\" and event.action == \"ADD_GROUP_MEMBER\" and\n not endsWith(user.target.email, user.target.group.domain)\n", "references": ["https://support.google.com/a/answer/33329"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "user.target.email", "type": "keyword"}, {"ecs": true, "name": "user.target.group.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "38f384e0-aef8-11ed-9a38-f661ea17fbcc", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Tactic: Initial Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "38f384e0-aef8-11ed-9a38-f661ea17fbcc_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0.json b/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0.json
deleted file mode 100644
index 9b012ea6303..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number.", "false_positives": ["Network ACL's may be created by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Network Access Control List Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl-entry.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "39144f38-5284-4f8e-a2ae-e3fd628d90b0", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data 
Source: AWS EC2", "Use Case: Network Security Monitoring", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1133", "name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "39144f38-5284-4f8e-a2ae-e3fd628d90b0", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_102.json b/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_102.json
deleted file mode 100644
index 286f94df5cb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number.", "false_positives": ["Network ACL's may be created by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Network Access Control List Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl-entry.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "39144f38-5284-4f8e-a2ae-e3fd628d90b0", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", 
"Network Security"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1133", "name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "39144f38-5284-4f8e-a2ae-e3fd628d90b0_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_103.json b/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_103.json deleted file mode 100644 index 187b30217dd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number.", "false_positives": ["Network ACL's may be created by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Network Access Control List Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl-entry.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "39144f38-5284-4f8e-a2ae-e3fd628d90b0", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network 
Security Monitoring", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1133", "name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "39144f38-5284-4f8e-a2ae-e3fd628d90b0_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_104.json b/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_104.json
deleted file mode 100644
index b889f80ba74..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number.", "false_positives": ["Network ACL's may be created by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Network Access Control List Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl-entry.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "39144f38-5284-4f8e-a2ae-e3fd628d90b0", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network 
Security Monitoring", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1133", "name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "39144f38-5284-4f8e-a2ae-e3fd628d90b0_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_205.json b/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_205.json
deleted file mode 100644
index a52910a1acc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/39144f38-5284-4f8e-a2ae-e3fd628d90b0_205.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number.", "false_positives": ["Network ACL's may be created by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Network Access Control List Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateNetworkAcl or CreateNetworkAclEntry) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl-entry.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "39144f38-5284-4f8e-a2ae-e3fd628d90b0", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network 
Security Monitoring", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1133", "name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "39144f38-5284-4f8e-a2ae-e3fd628d90b0_205", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/39157d52-4035-44a8-9d1a-6f8c5f580a07.json b/packages/security_detection_engine/kibana/security_rule/39157d52-4035-44a8-9d1a-6f8c5f580a07.json
deleted file mode 100644
index 6659ee57ab3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/39157d52-4035-44a8-9d1a-6f8c5f580a07.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies .lnk shortcut file downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns.", "from": "now-9m", "index": ["logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Downloaded Shortcut Files", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension == \"lnk\" and file.Ext.windows.zone_identifier > 1\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.windows.zone_identifier", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "39157d52-4035-44a8-9d1a-6f8c5f580a07", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 3}, "id": "39157d52-4035-44a8-9d1a-6f8c5f580a07", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/39157d52-4035-44a8-9d1a-6f8c5f580a07_1.json b/packages/security_detection_engine/kibana/security_rule/39157d52-4035-44a8-9d1a-6f8c5f580a07_1.json deleted file mode 100644 index 07c0d3cd696..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/39157d52-4035-44a8-9d1a-6f8c5f580a07_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies .lnk shortcut file downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Downloaded Shortcut Files", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension == \"lnk\" and file.Ext.windows.zone_identifier > 1\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.windows.zone_identifier", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "39157d52-4035-44a8-9d1a-6f8c5f580a07", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": 
"https://attack.mitre.org/techniques/T1566/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "39157d52-4035-44a8-9d1a-6f8c5f580a07_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/39157d52-4035-44a8-9d1a-6f8c5f580a07_2.json b/packages/security_detection_engine/kibana/security_rule/39157d52-4035-44a8-9d1a-6f8c5f580a07_2.json deleted file mode 100644 index 53723ebf4eb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/39157d52-4035-44a8-9d1a-6f8c5f580a07_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies .lnk shortcut file downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns.", "from": "now-9m", "index": ["logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Downloaded Shortcut Files", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension == \"lnk\" and file.Ext.windows.zone_identifier > 1\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.windows.zone_identifier", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "39157d52-4035-44a8-9d1a-6f8c5f580a07", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 2}, "id": "39157d52-4035-44a8-9d1a-6f8c5f580a07_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/393ef120-63d1-11ef-8e38-f661ea17fbce_1.json b/packages/security_detection_engine/kibana/security_rule/393ef120-63d1-11ef-8e38-f661ea17fbce_1.json deleted file mode 100644 index c67f4ae6049..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/393ef120-63d1-11ef-8e38-f661ea17fbce_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a single AWS resource is making `DescribeInstances` API calls in more than 10 regions within a 30-second window. This could indicate a potential threat actor attempting to discover the AWS infrastructure across multiple regions using compromised credentials or a compromised instance. Adversaries may use this information to identify potential targets for further exploitation or to gain a better understanding of the target's infrastructure.", "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "AWS EC2 Multi-Region DescribeInstances API Calls", "query": "from logs-aws.cloudtrail-*\n\n// filter for DescribeInstances API calls\n| where event.dataset == \"aws.cloudtrail\" and event.provider == \"ec2.amazonaws.com\" and event.action == \"DescribeInstances\"\n\n// truncate the timestamp to a 30-second window\n| eval target_time_window = DATE_TRUNC(30 seconds, @timestamp)\n\n// count the number of unique regions and total API calls within the 30-second window\n| stats region_count = count_distinct(cloud.region), window_count = count(*) by target_time_window, aws.cloudtrail.user_identity.arn\n\n// filter for resources making DescribeInstances API calls in more than 10 regions within the 30-second window\n| where region_count >= 10 and window_count >= 10\n\n// sort the results by time windows in descending order\n| sort target_time_window desc\n", "references": ["https://www.sentinelone.com/labs/exploring-fbot-python-based-malware-targeting-cloud-and-payment-services/", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html"], "risk_score": 21, "rule_id": "393ef120-63d1-11ef-8e38-f661ea17fbce", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: AWS EC2", "Use Case: Threat Detection", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": 
"https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1580", "name": "Cloud Infrastructure Discovery", "reference": "https://attack.mitre.org/techniques/T1580/"}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "393ef120-63d1-11ef-8e38-f661ea17fbce_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/393ef120-63d1-11ef-8e38-f661ea17fbce_2.json b/packages/security_detection_engine/kibana/security_rule/393ef120-63d1-11ef-8e38-f661ea17fbce_2.json deleted file mode 100644 index 82ab285d82b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/393ef120-63d1-11ef-8e38-f661ea17fbce_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a single AWS resource is making `DescribeInstances` API calls in more than 10 regions within a 30-second window. This could indicate a potential threat actor attempting to discover the AWS infrastructure across multiple regions using compromised credentials or a compromised instance. Adversaries may use this information to identify potential targets for further exploitation or to gain a better understanding of the target's infrastructure.", "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "AWS EC2 Multi-Region DescribeInstances API Calls", "query": "from logs-aws.cloudtrail-*\n\n// filter for DescribeInstances API calls\n| where event.dataset == \"aws.cloudtrail\" and event.provider == \"ec2.amazonaws.com\" and event.action == \"DescribeInstances\"\n\n// truncate the timestamp to a 30-second window\n| eval target_time_window = DATE_TRUNC(30 seconds, @timestamp)\n\n// keep only the relevant fields\n| keep target_time_window, aws.cloudtrail.user_identity.arn, cloud.region\n\n// count the number of unique regions and total API calls within the 30-second window\n| stats region_count = count_distinct(cloud.region), window_count = count(*) by target_time_window, aws.cloudtrail.user_identity.arn\n\n// filter for resources making DescribeInstances API calls in more than 10 regions within the 30-second window\n| where region_count >= 10 and window_count >= 10\n\n// sort the results by time windows in descending order\n| sort target_time_window desc\n", "references": ["https://www.sentinelone.com/labs/exploring-fbot-python-based-malware-targeting-cloud-and-payment-services/", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html"], "risk_score": 21, "rule_id": "393ef120-63d1-11ef-8e38-f661ea17fbce", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: AWS EC2", "Use Case: Threat Detection", "Tactic: 
Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1580", "name": "Cloud Infrastructure Discovery", "reference": "https://attack.mitre.org/techniques/T1580/"}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 2}, "id": "393ef120-63d1-11ef-8e38-f661ea17fbce_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438.json b/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438.json deleted file mode 100644 index 65ba300a5d3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template.", "false_positives": ["A legitimate VBA for Outlook is usually configured interactively via OUTLOOK.EXE."], "from": "now-9m", "index": ["logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Microsoft Outlook VBA", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM\"\n", "references": ["https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "397945f3-d39a-4e6f-8bcb-9656c2031438", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1137", "name": "Office Application Startup", "reference": "https://attack.mitre.org/techniques/T1137/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "397945f3-d39a-4e6f-8bcb-9656c2031438", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_102.json b/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_102.json deleted file mode 100644 index 85695b8cc30..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template.", "false_positives": ["A legitimate VBA for Outlook is usually configured interactively via OUTLOOK.EXE."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Microsoft Outlook VBA", "note": "", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM\"\n", "references": ["https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "397945f3-d39a-4e6f-8bcb-9656c2031438", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1137", "name": "Office Application Startup", "reference": "https://attack.mitre.org/techniques/T1137/"}]}], "timestamp_override": "event.ingested", "type": "eql", 
"version": 102}, "id": "397945f3-d39a-4e6f-8bcb-9656c2031438_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_103.json b/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_103.json deleted file mode 100644 index 8791c82bf01..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template.", "false_positives": ["A legitimate VBA for Outlook is usually configured interactively via OUTLOOK.EXE."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Microsoft Outlook VBA", "note": "", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM\"\n", "references": ["https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "397945f3-d39a-4e6f-8bcb-9656c2031438", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1137", "name": "Office Application Startup", "reference": "https://attack.mitre.org/techniques/T1137/"}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 103}, "id": "397945f3-d39a-4e6f-8bcb-9656c2031438_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_104.json b/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_104.json deleted file mode 100644 index 46d6c2f3477..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template.", "false_positives": ["A legitimate VBA for Outlook is usually configured interactively via OUTLOOK.EXE."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Microsoft Outlook VBA", "note": "", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM\"\n", "references": ["https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "397945f3-d39a-4e6f-8bcb-9656c2031438", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1137", "name": "Office Application Startup", "reference": 
"https://attack.mitre.org/techniques/T1137/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "397945f3-d39a-4e6f-8bcb-9656c2031438_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_105.json b/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_105.json deleted file mode 100644 index 1b4f7c2564c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template.", "false_positives": ["A legitimate VBA for Outlook is usually configured interactively via OUTLOOK.EXE."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Microsoft Outlook VBA", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM\"\n", "references": ["https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "397945f3-d39a-4e6f-8bcb-9656c2031438", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1137", "name": "Office Application Startup", "reference": "https://attack.mitre.org/techniques/T1137/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "397945f3-d39a-4e6f-8bcb-9656c2031438_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_106.json b/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_106.json deleted file mode 100644 index 3c4d01fd2d9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template.", "false_positives": ["A legitimate VBA for Outlook is usually configured interactively via OUTLOOK.EXE."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Microsoft Outlook VBA", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM\"\n", "references": ["https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "397945f3-d39a-4e6f-8bcb-9656c2031438", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1137", "name": "Office Application Startup", "reference": "https://attack.mitre.org/techniques/T1137/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "397945f3-d39a-4e6f-8bcb-9656c2031438_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_107.json b/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_107.json deleted file mode 100644 index b4e9e08720d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/397945f3-d39a-4e6f-8bcb-9656c2031438_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template.", "false_positives": ["A legitimate VBA for Outlook is usually configured interactively via OUTLOOK.EXE."], "from": "now-9m", "index": ["logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Microsoft Outlook VBA", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Outlook\\\\VbaProject.OTM\"\n", "references": ["https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "397945f3-d39a-4e6f-8bcb-9656c2031438", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1137", "name": "Office Application Startup", "reference": "https://attack.mitre.org/techniques/T1137/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "397945f3-d39a-4e6f-8bcb-9656c2031438_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/39c06367-b700-4380-848a-cab06e7afede.json b/packages/security_detection_engine/kibana/security_rule/39c06367-b700-4380-848a-cab06e7afede.json deleted file mode 100644 index 4889f61eae8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/39c06367-b700-4380-848a-cab06e7afede.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the creation of a systemd generator file. Generators are small executables executed by systemd at bootup and during configuration reloads. Their main role is to convert non-native configuration and execution parameters into dynamically generated unit files, symlinks, or drop-ins, extending the unit file hierarchy for the service manager. Systemd generators can be used to execute arbitrary code at boot time, which can be leveraged by attackers to maintain persistence on a Linux system.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Systemd Generator Created", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and file.path : (\n\"/run/systemd/system-generators/*\", \"/etc/systemd/system-generators/*\",\n\"/usr/local/lib/systemd/system-generators/*\", \"/lib/systemd/system-generators/*\",\n\"/usr/lib/systemd/system-generators/*\", \"/etc/systemd/user-generators/*\",\n\"/usr/local/lib/systemd/user-generators/*\", \"/usr/lib/systemd/user-generators/*\",\n\"/lib/systemd/user-generators/*\"\n) and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", 
\"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable == null\n)\n", "references": ["https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "39c06367-b700-4380-848a-cab06e7afede", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "39c06367-b700-4380-848a-cab06e7afede", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/39c06367-b700-4380-848a-cab06e7afede_1.json b/packages/security_detection_engine/kibana/security_rule/39c06367-b700-4380-848a-cab06e7afede_1.json
deleted file mode 100644
index 00efee98b81..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/39c06367-b700-4380-848a-cab06e7afede_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the creation of a systemd generator file. Generators are small executables executed by systemd at bootup and during configuration reloads. Their main role is to convert non-native configuration and execution parameters into dynamically generated unit files, symlinks, or drop-ins, extending the unit file hierarchy for the service manager. Systemd generators can be used to execute arbitrary code at boot time, which can be leveraged by attackers to maintain persistence on a Linux system.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Systemd Generator Created", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and file.path : (\n\"/run/systemd/system-generators/*\", \"/etc/systemd/system-generators/*\",\n\"/usr/local/lib/systemd/system-generators/*\", \"/lib/systemd/system-generators/*\",\n\"/usr/lib/systemd/system-generators/*\", \"/etc/systemd/user-generators/*\",\n\"/usr/local/lib/systemd/user-generators/*\", \"/usr/lib/systemd/user-generators/*\",\n\"/lib/systemd/user-generators/*\"\n) and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", 
\"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable == null\n)\n", "references": ["https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "39c06367-b700-4380-848a-cab06e7afede", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "39c06367-b700-4380-848a-cab06e7afede_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/39c06367-b700-4380-848a-cab06e7afede_2.json b/packages/security_detection_engine/kibana/security_rule/39c06367-b700-4380-848a-cab06e7afede_2.json
deleted file mode 100644
index 50cd84f63af..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/39c06367-b700-4380-848a-cab06e7afede_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the creation of a systemd generator file. Generators are small executables executed by systemd at bootup and during configuration reloads. Their main role is to convert non-native configuration and execution parameters into dynamically generated unit files, symlinks, or drop-ins, extending the unit file hierarchy for the service manager. Systemd generators can be used to execute arbitrary code at boot time, which can be leveraged by attackers to maintain persistence on a Linux system.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Systemd Generator Created", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and file.path : (\n\"/run/systemd/system-generators/*\", \"/etc/systemd/system-generators/*\",\n\"/usr/local/lib/systemd/system-generators/*\", \"/lib/systemd/system-generators/*\",\n\"/usr/lib/systemd/system-generators/*\", \"/etc/systemd/user-generators/*\",\n\"/usr/local/lib/systemd/user-generators/*\", \"/usr/lib/systemd/user-generators/*\",\n\"/lib/systemd/user-generators/*\"\n) and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", 
\"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable == null\n)\n", "references": ["https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/", "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "39c06367-b700-4380-848a-cab06e7afede", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "39c06367-b700-4380-848a-cab06e7afede_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20.json b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20.json
deleted file mode 100644
index 307aa5caa61..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential DNS Tunneling via NsLookup", "note": "## Triage and analysis\n\n### Investigating Potential DNS Tunneling via NsLookup\n\nAttackers can abuse existing network rules that allow DNS communication with external resources to use the protocol as their command and control and/or exfiltration channel.\n\nDNS queries can be used to infiltrate data such as commands to be run, malicious files, etc., and also for exfiltration, since queries can be used to send data to the attacker-controlled DNS server. This process is commonly known as DNS tunneling.\n\nMore information on how tunneling works and how it can be abused can be found on [Palo Alto Unit42 Research](https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors).\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the DNS query and identify the information sent.\n- Extract this communication's indicators of compromise (IoCs) and use traffic logs to search for other potentially compromised hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
If the parent process is trusted and the data sent is not sensitive nor command and control related, this alert can be closed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Immediately block the identified indicators of compromise (IoCs).\n- Implement any temporary network rules, procedures, and segmentation required to contain the attack.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Update firewall rules to be more restrictive.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=5m\n[process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"nslookup.exe\" and process.args:(\"-querytype=*\", \"-qt=*\", \"-q=*\", \"-type=*\")] with runs = 10\n", "references": ["https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": 
"keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.004", "name": "DNS", "reference": "https://attack.mitre.org/techniques/T1071/004/"}]}, {"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "type": "eql", "version": 111}, "id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_104.json b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_104.json
deleted file mode 100644
index 5acfdffad30..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential DNS Tunneling via NsLookup", "note": "## Triage and analysis\n\n### Investigating Potential DNS Tunneling via NsLookup\n\nAttackers can abuse existing network rules that allow DNS communication with external resources to use the protocol as their command and control and/or exfiltration channel.\n\nDNS queries can be used to infiltrate data such as commands to be run, malicious files, etc., and also for exfiltration, since queries can be used to send data to the attacker-controlled DNS server. This process is commonly known as DNS tunneling.\n\nMore information on how tunneling works and how it can be abused can be found on [Palo Alto Unit42 Research](https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors).\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the DNS query and identify the information sent.\n- Extract this communication's indicators of compromise (IoCs) and use traffic logs to search for other potentially compromised hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
If the parent process is trusted and the data sent is not sensitive nor command and control related, this alert can be closed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Immediately block the identified indicators of compromise (IoCs).\n- Implement any temporary network rules, procedures, and segmentation required to contain the attack.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Update firewall rules to be more restrictive.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*)\n", "references": ["https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}], "risk_score": 47, "rule_id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.004", "name": "DNS", "reference": "https://attack.mitre.org/techniques/T1071/004/"}]}]}], "threshold": {"field": ["host.id"], "value": 15}, "type": "threshold", "version": 104}, "id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_105.json b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_105.json
deleted file mode 100644
index 480389374b5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential DNS Tunneling via NsLookup", "note": "## Triage and analysis\n\n### Investigating Potential DNS Tunneling via NsLookup\n\nAttackers can abuse existing network rules that allow DNS communication with external resources to use the protocol as their command and control and/or exfiltration channel.\n\nDNS queries can be used to infiltrate data such as commands to be run, malicious files, etc., and also for exfiltration, since queries can be used to send data to the attacker-controlled DNS server. This process is commonly known as DNS tunneling.\n\nMore information on how tunneling works and how it can be abused can be found on [Palo Alto Unit42 Research](https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors).\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the DNS query and identify the information sent.\n- Extract this communication's indicators of compromise (IoCs) and use traffic logs to search for other potentially compromised hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
If the parent process is trusted and the data sent is not sensitive nor command and control related, this alert can be closed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Immediately block the identified indicators of compromise (IoCs).\n- Implement any temporary network rules, procedures, and segmentation required to contain the attack.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Update firewall rules to be more restrictive.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*)\n", "references": ["https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}], "risk_score": 47, "rule_id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.004", "name": "DNS", "reference": "https://attack.mitre.org/techniques/T1071/004/"}]}]}], "threshold": {"field": ["host.id"], "value": 15}, "type": "threshold", "version": 105}, "id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_106.json b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_106.json deleted file mode 100644 index 8b7071fe74b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential DNS Tunneling via NsLookup", "note": "## Triage and analysis\n\n### Investigating Potential DNS Tunneling via NsLookup\n\nAttackers can abuse existing network rules that allow DNS communication with external resources to use the protocol as their command and control and/or exfiltration channel.\n\nDNS queries can be used to infiltrate data such as commands to be run, malicious files, etc., and also for exfiltration, since queries can be used to send data to the attacker-controlled DNS server. This process is commonly known as DNS tunneling.\n\nMore information on how tunneling works and how it can be abused can be found on [Palo Alto Unit42 Research](https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors).\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the DNS query and identify the information sent.\n- Extract this communication's indicators of compromise (IoCs) and use traffic logs to search for other potentially compromised hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
If the parent process is trusted and the data sent is not sensitive nor command and control related, this alert can be closed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Immediately block the identified indicators of compromise (IoCs).\n- Implement any temporary network rules, procedures, and segmentation required to contain the attack.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Update firewall rules to be more restrictive.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*)\n", "references": ["https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}], "risk_score": 47, "rule_id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.004", "name": "DNS", "reference": "https://attack.mitre.org/techniques/T1071/004/"}]}]}], "threshold": {"field": ["host.id"], "value": 15}, "type": "threshold", "version": 106}, "id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_107.json b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_107.json deleted file mode 100644 index 46a8a5b7805..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential DNS Tunneling via NsLookup", "note": "## Triage and analysis\n\n### Investigating Potential DNS Tunneling via NsLookup\n\nAttackers can abuse existing network rules that allow DNS communication with external resources to use the protocol as their command and control and/or exfiltration channel.\n\nDNS queries can be used to infiltrate data such as commands to be run, malicious files, etc., and also for exfiltration, since queries can be used to send data to the attacker-controlled DNS server. This process is commonly known as DNS tunneling.\n\nMore information on how tunneling works and how it can be abused can be found on [Palo Alto Unit42 Research](https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors).\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the DNS query and identify the information sent.\n- Extract this communication's indicators of compromise (IoCs) and use traffic logs to search for other potentially compromised hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
If the parent process is trusted and the data sent is not sensitive nor command and control related, this alert can be closed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Immediately block the identified indicators of compromise (IoCs).\n- Implement any temporary network rules, procedures, and segmentation required to contain the attack.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Update firewall rules to be more restrictive.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and event.type:start and process.name:nslookup.exe and process.args:(-querytype=* or -qt=* or -q=* or -type=*)\n", "references": ["https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}], "risk_score": 47, "rule_id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.004", "name": "DNS", "reference": "https://attack.mitre.org/techniques/T1071/004/"}]}, {"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "threshold": {"field": ["host.id"], "value": 15}, "type": "threshold", "version": 107}, "id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_108.json b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_108.json deleted file mode 100644 index 115fb8dd11c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential DNS Tunneling via NsLookup", "note": "## Triage and analysis\n\n### Investigating Potential DNS Tunneling via NsLookup\n\nAttackers can abuse existing network rules that allow DNS communication with external resources to use the protocol as their command and control and/or exfiltration channel.\n\nDNS queries can be used to infiltrate data such as commands to be run, malicious files, etc., and also for exfiltration, since queries can be used to send data to the attacker-controlled DNS server. This process is commonly known as DNS tunneling.\n\nMore information on how tunneling works and how it can be abused can be found on [Palo Alto Unit42 Research](https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors).\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the DNS query and identify the information sent.\n- Extract this communication's indicators of compromise (IoCs) and use traffic logs to search for other potentially compromised hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
If the parent process is trusted and the data sent is not sensitive nor command and control related, this alert can be closed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Immediately block the identified indicators of compromise (IoCs).\n- Implement any temporary network rules, procedures, and segmentation required to contain the attack.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Update firewall rules to be more restrictive.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=5m\n[process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"nslookup.exe\" and process.args:(\"-querytype=*\", \"-qt=*\", \"-q=*\", \"-type=*\")] with runs = 10\n", "references": ["https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.004", "name": "DNS", "reference": "https://attack.mitre.org/techniques/T1071/004/"}]}, {"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "type": "eql", "version": 108}, "id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_109.json b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_109.json deleted file mode 100644 index 0491179938d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential DNS Tunneling via NsLookup", "note": "## Triage and analysis\n\n### Investigating Potential DNS Tunneling via NsLookup\n\nAttackers can abuse existing network rules that allow DNS communication with external resources to use the protocol as their command and control and/or exfiltration channel.\n\nDNS queries can be used to infiltrate data such as commands to be run, malicious files, etc., and also for exfiltration, since queries can be used to send data to the attacker-controlled DNS server. This process is commonly known as DNS tunneling.\n\nMore information on how tunneling works and how it can be abused can be found on [Palo Alto Unit42 Research](https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors).\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the DNS query and identify the information sent.\n- Extract this communication's indicators of compromise (IoCs) and use traffic logs to search for other potentially compromised hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
If the parent process is trusted and the data sent is not sensitive nor command and control related, this alert can be closed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Immediately block the identified indicators of compromise (IoCs).\n- Implement any temporary network rules, procedures, and segmentation required to contain the attack.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Update firewall rules to be more restrictive.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=5m\n[process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"nslookup.exe\" and process.args:(\"-querytype=*\", \"-qt=*\", \"-q=*\", \"-type=*\")] with runs = 10\n", "references": ["https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": 
"keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.004", "name": "DNS", "reference": "https://attack.mitre.org/techniques/T1071/004/"}]}, {"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "type": "eql", "version": 109}, "id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_110.json b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_110.json deleted file mode 100644 index c28e93e7b0d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential DNS Tunneling via NsLookup", "note": "## Triage and analysis\n\n### Investigating Potential DNS Tunneling via NsLookup\n\nAttackers can abuse existing network rules that allow DNS communication with external resources to use the protocol as their command and control and/or exfiltration channel.\n\nDNS queries can be used to infiltrate data such as commands to be run, malicious files, etc., and also for exfiltration, since queries can be used to send data to the attacker-controlled DNS server. This process is commonly known as DNS tunneling.\n\nMore information on how tunneling works and how it can be abused can be found on [Palo Alto Unit42 Research](https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors).\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the DNS query and identify the information sent.\n- Extract this communication's indicators of compromise (IoCs) and use traffic logs to search for other potentially compromised hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
If the parent process is trusted and the data sent is not sensitive nor command and control related, this alert can be closed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Immediately block the identified indicators of compromise (IoCs).\n- Implement any temporary network rules, procedures, and segmentation required to contain the attack.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Update firewall rules to be more restrictive.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=5m\n[process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"nslookup.exe\" and process.args:(\"-querytype=*\", \"-qt=*\", \"-q=*\", \"-type=*\")] with runs = 10\n", "references": ["https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": 
"keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.004", "name": "DNS", "reference": "https://attack.mitre.org/techniques/T1071/004/"}]}, {"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "type": "eql", "version": 110}, "id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_111.json b/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_111.json deleted file mode 100644 index d343cd899eb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3a59fc81-99d3-47ea-8cd6-d48d561fca20_111.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies a large number (15) of nslookup.exe executions with an explicit query type from the same host. This may indicate command and control activity utilizing the DNS protocol.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential DNS Tunneling via NsLookup", "note": "## Triage and analysis\n\n### Investigating Potential DNS Tunneling via NsLookup\n\nAttackers can abuse existing network rules that allow DNS communication with external resources to use the protocol as their command and control and/or exfiltration channel.\n\nDNS queries can be used to infiltrate data such as commands to be run, malicious files, etc., and also for exfiltration, since queries can be used to send data to the attacker-controlled DNS server. This process is commonly known as DNS tunneling.\n\nMore information on how tunneling works and how it can be abused can be found on [Palo Alto Unit42 Research](https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors).\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the DNS query and identify the information sent.\n- Extract this communication's indicators of compromise (IoCs) and use traffic logs to search for other potentially compromised hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
If the parent process is trusted and the data sent is not sensitive nor command and control related, this alert can be closed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Immediately block the identified indicators of compromise (IoCs).\n- Implement any temporary network rules, procedures, and segmentation required to contain the attack.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Update firewall rules to be more restrictive.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=5m\n[process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"nslookup.exe\" and process.args:(\"-querytype=*\", \"-qt=*\", \"-q=*\", \"-type=*\")] with runs = 10\n", "references": ["https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": 
"keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.004", "name": "DNS", "reference": "https://attack.mitre.org/techniques/T1071/004/"}]}, {"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "type": "eql", "version": 111}, "id": "3a59fc81-99d3-47ea-8cd6-d48d561fca20_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97.json b/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97.json
deleted file mode 100644
index ad918b9a963..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.", "from": "now-9m", "index": ["logs-endpoint.events.library-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Module Loaded by LSASS", "query": "library where host.os.type == \"windows\" and process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n not (dll.code_signature.subject_name :\n (\"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Publisher\",\n \"Microsoft Windows Software Compatibility Publisher\",\n \"Microsoft Windows Hardware Compatibility Publisher\",\n \"McAfee, Inc.\",\n \"SecMaker AB\",\n \"HID Global Corporation\",\n \"HID Global\",\n \"Apple Inc.\",\n \"Citrix Systems, Inc.\",\n \"Dell Inc\",\n \"Hewlett-Packard Company\",\n \"Symantec Corporation\",\n \"National Instruments Corporation\",\n \"DigitalPersona, Inc.\",\n \"Novell, Inc.\",\n \"gemalto\",\n \"EasyAntiCheat Oy\",\n \"Entrust Datacard Corporation\",\n \"AuriStor, Inc.\",\n \"LogMeIn, Inc.\",\n \"VMware, Inc.\",\n \"Istituto Poligrafico e Zecca dello Stato S.p.A.\",\n \"Nubeva Technologies Ltd\",\n \"Micro Focus (US), Inc.\",\n \"Yubico AB\",\n \"GEMALTO SA\",\n \"Secure Endpoints, Inc.\",\n \"Sophos Ltd\",\n \"Morphisec Information Security 2014 Ltd\",\n \"Entrust, Inc.\",\n \"Nubeva Technologies Ltd\",\n \"Micro Focus (US), Inc.\",\n \"F5 Networks Inc\",\n \"Bit4id\",\n \"Thales DIS CPL USA, Inc.\",\n \"Micro Focus International plc\",\n \"HYPR Corp\",\n \"Intel(R) Software Development Products\",\n \"PGP Corporation\",\n \"Parallels International GmbH\",\n \"FrontRange Solutions Deutschland GmbH\",\n \"SecureLink, Inc.\",\n \"Tidexa 
OU\",\n \"Amazon Web Services, Inc.\",\n \"SentryBay Limited\",\n \"Audinate Pty Ltd\",\n \"CyberArk Software Ltd.\",\n \"McAfeeSysPrep\",\n \"NVIDIA Corporation PE Sign v2016\",\n \"Trend Micro, Inc.\",\n \"Fortinet Technologies (Canada) Inc.\",\n \"Carbon Black, Inc.\") and\n dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\")) and\n\n not dll.hash.sha256 :\n (\"811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c\",\n \"1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1\",\n \"ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3\",\n \"26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12\",\n \"9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa\",\n \"d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b\",\n \"0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61\",\n \"4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb\",\n \"86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95\")\n", "references": ["https://blog.xpnsec.com/exploring-mimikatz-part-2/", "https://github.com/jas502n/mimikat_ssp"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "dll.hash.sha256", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_2.json b/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_2.json
deleted file mode 100644
index 85b2503744e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Module Loaded by LSASS", "note": "", "query": "library where host.os.type == \"windows\" and process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n not (dll.code_signature.subject_name :\n (\"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Publisher\",\n \"Microsoft Windows Software Compatibility Publisher\",\n \"Microsoft Windows Hardware Compatibility Publisher\",\n \"McAfee, Inc.\",\n \"SecMaker AB\",\n \"HID Global Corporation\",\n \"HID Global\",\n \"Apple Inc.\",\n \"Citrix Systems, Inc.\",\n \"Dell Inc\",\n \"Hewlett-Packard Company\",\n \"Symantec Corporation\",\n \"National Instruments Corporation\",\n \"DigitalPersona, Inc.\",\n \"Novell, Inc.\",\n \"gemalto\",\n \"EasyAntiCheat Oy\",\n \"Entrust Datacard Corporation\",\n \"AuriStor, Inc.\",\n \"LogMeIn, Inc.\",\n \"VMware, Inc.\",\n \"Istituto Poligrafico e Zecca dello Stato S.p.A.\",\n \"Nubeva Technologies Ltd\",\n \"Micro Focus (US), Inc.\",\n \"Yubico AB\",\n \"GEMALTO SA\",\n \"Secure Endpoints, Inc.\",\n \"Sophos Ltd\",\n \"Morphisec Information Security 2014 Ltd\",\n \"Entrust, Inc.\",\n \"Nubeva Technologies Ltd\",\n \"Micro Focus (US), Inc.\",\n \"F5 Networks Inc\",\n \"Bit4id\",\n \"Thales DIS CPL USA, Inc.\",\n \"Micro Focus International plc\",\n \"HYPR Corp\",\n \"Intel(R) Software Development Products\",\n \"PGP Corporation\",\n \"Parallels International GmbH\",\n \"FrontRange Solutions Deutschland GmbH\",\n \"SecureLink, Inc.\",\n 
\"Tidexa OU\",\n \"Amazon Web Services, Inc.\",\n \"SentryBay Limited\",\n \"Audinate Pty Ltd\",\n \"CyberArk Software Ltd.\",\n \"McAfeeSysPrep\",\n \"NVIDIA Corporation PE Sign v2016\") and\n dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\")) and\n\n not dll.hash.sha256 :\n (\"811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c\",\n \"1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1\",\n \"ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3\",\n \"26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12\",\n \"9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa\",\n \"d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b\",\n \"0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61\",\n \"4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb\",\n \"86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95\")\n", "references": ["https://blog.xpnsec.com/exploring-mimikatz-part-2/", "https://github.com/jas502n/mimikat_ssp"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "dll.hash.sha256", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_3.json b/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_3.json
deleted file mode 100644
index b4a0b7c80e4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Module Loaded by LSASS", "note": "", "query": "library where host.os.type == \"windows\" and process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n not (dll.code_signature.subject_name :\n (\"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Publisher\",\n \"Microsoft Windows Software Compatibility Publisher\",\n \"Microsoft Windows Hardware Compatibility Publisher\",\n \"McAfee, Inc.\",\n \"SecMaker AB\",\n \"HID Global Corporation\",\n \"HID Global\",\n \"Apple Inc.\",\n \"Citrix Systems, Inc.\",\n \"Dell Inc\",\n \"Hewlett-Packard Company\",\n \"Symantec Corporation\",\n \"National Instruments Corporation\",\n \"DigitalPersona, Inc.\",\n \"Novell, Inc.\",\n \"gemalto\",\n \"EasyAntiCheat Oy\",\n \"Entrust Datacard Corporation\",\n \"AuriStor, Inc.\",\n \"LogMeIn, Inc.\",\n \"VMware, Inc.\",\n \"Istituto Poligrafico e Zecca dello Stato S.p.A.\",\n \"Nubeva Technologies Ltd\",\n \"Micro Focus (US), Inc.\",\n \"Yubico AB\",\n \"GEMALTO SA\",\n \"Secure Endpoints, Inc.\",\n \"Sophos Ltd\",\n \"Morphisec Information Security 2014 Ltd\",\n \"Entrust, Inc.\",\n \"Nubeva Technologies Ltd\",\n \"Micro Focus (US), Inc.\",\n \"F5 Networks Inc\",\n \"Bit4id\",\n \"Thales DIS CPL USA, Inc.\",\n \"Micro Focus International plc\",\n \"HYPR Corp\",\n \"Intel(R) Software Development Products\",\n \"PGP Corporation\",\n \"Parallels International GmbH\",\n \"FrontRange Solutions Deutschland GmbH\",\n \"SecureLink, Inc.\",\n 
\"Tidexa OU\",\n \"Amazon Web Services, Inc.\",\n \"SentryBay Limited\",\n \"Audinate Pty Ltd\",\n \"CyberArk Software Ltd.\",\n \"McAfeeSysPrep\",\n \"NVIDIA Corporation PE Sign v2016\") and\n dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\")) and\n\n not dll.hash.sha256 :\n (\"811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c\",\n \"1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1\",\n \"ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3\",\n \"26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12\",\n \"9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa\",\n \"d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b\",\n \"0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61\",\n \"4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb\",\n \"86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95\")\n", "references": ["https://blog.xpnsec.com/exploring-mimikatz-part-2/", "https://github.com/jas502n/mimikat_ssp"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "dll.hash.sha256", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: 
Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_4.json b/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_4.json
deleted file mode 100644
index 07ab33623a9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Module Loaded by LSASS", "note": "", "query": "library where host.os.type == \"windows\" and process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n not (dll.code_signature.subject_name :\n (\"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Publisher\",\n \"Microsoft Windows Software Compatibility Publisher\",\n \"Microsoft Windows Hardware Compatibility Publisher\",\n \"McAfee, Inc.\",\n \"SecMaker AB\",\n \"HID Global Corporation\",\n \"HID Global\",\n \"Apple Inc.\",\n \"Citrix Systems, Inc.\",\n \"Dell Inc\",\n \"Hewlett-Packard Company\",\n \"Symantec Corporation\",\n \"National Instruments Corporation\",\n \"DigitalPersona, Inc.\",\n \"Novell, Inc.\",\n \"gemalto\",\n \"EasyAntiCheat Oy\",\n \"Entrust Datacard Corporation\",\n \"AuriStor, Inc.\",\n \"LogMeIn, Inc.\",\n \"VMware, Inc.\",\n \"Istituto Poligrafico e Zecca dello Stato S.p.A.\",\n \"Nubeva Technologies Ltd\",\n \"Micro Focus (US), Inc.\",\n \"Yubico AB\",\n \"GEMALTO SA\",\n \"Secure Endpoints, Inc.\",\n \"Sophos Ltd\",\n \"Morphisec Information Security 2014 Ltd\",\n \"Entrust, Inc.\",\n \"Nubeva Technologies Ltd\",\n \"Micro Focus (US), Inc.\",\n \"F5 Networks Inc\",\n \"Bit4id\",\n \"Thales DIS CPL USA, Inc.\",\n \"Micro Focus International plc\",\n \"HYPR Corp\",\n \"Intel(R) Software Development Products\",\n \"PGP Corporation\",\n \"Parallels International GmbH\",\n \"FrontRange Solutions Deutschland GmbH\",\n \"SecureLink, Inc.\",\n 
\"Tidexa OU\",\n \"Amazon Web Services, Inc.\",\n \"SentryBay Limited\",\n \"Audinate Pty Ltd\",\n \"CyberArk Software Ltd.\",\n \"McAfeeSysPrep\",\n \"NVIDIA Corporation PE Sign v2016\") and\n dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\")) and\n\n not dll.hash.sha256 :\n (\"811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c\",\n \"1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1\",\n \"ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3\",\n \"26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12\",\n \"9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa\",\n \"d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b\",\n \"0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61\",\n \"4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb\",\n \"86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95\")\n", "references": ["https://blog.xpnsec.com/exploring-mimikatz-part-2/", "https://github.com/jas502n/mimikat_ssp"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "dll.hash.sha256", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: 
Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_5.json b/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_5.json
deleted file mode 100644
index 05bf3604f74..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Module Loaded by LSASS", "query": "library where host.os.type == \"windows\" and process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n not (dll.code_signature.subject_name :\n (\"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Publisher\",\n \"Microsoft Windows Software Compatibility Publisher\",\n \"Microsoft Windows Hardware Compatibility Publisher\",\n \"McAfee, Inc.\",\n \"SecMaker AB\",\n \"HID Global Corporation\",\n \"HID Global\",\n \"Apple Inc.\",\n \"Citrix Systems, Inc.\",\n \"Dell Inc\",\n \"Hewlett-Packard Company\",\n \"Symantec Corporation\",\n \"National Instruments Corporation\",\n \"DigitalPersona, Inc.\",\n \"Novell, Inc.\",\n \"gemalto\",\n \"EasyAntiCheat Oy\",\n \"Entrust Datacard Corporation\",\n \"AuriStor, Inc.\",\n \"LogMeIn, Inc.\",\n \"VMware, Inc.\",\n \"Istituto Poligrafico e Zecca dello Stato S.p.A.\",\n \"Nubeva Technologies Ltd\",\n \"Micro Focus (US), Inc.\",\n \"Yubico AB\",\n \"GEMALTO SA\",\n \"Secure Endpoints, Inc.\",\n \"Sophos Ltd\",\n \"Morphisec Information Security 2014 Ltd\",\n \"Entrust, Inc.\",\n \"Nubeva Technologies Ltd\",\n \"Micro Focus (US), Inc.\",\n \"F5 Networks Inc\",\n \"Bit4id\",\n \"Thales DIS CPL USA, Inc.\",\n \"Micro Focus International plc\",\n \"HYPR Corp\",\n \"Intel(R) Software Development Products\",\n \"PGP Corporation\",\n \"Parallels International GmbH\",\n \"FrontRange Solutions Deutschland GmbH\",\n \"SecureLink, Inc.\",\n \"Tidexa OU\",\n 
\"Amazon Web Services, Inc.\",\n \"SentryBay Limited\",\n \"Audinate Pty Ltd\",\n \"CyberArk Software Ltd.\",\n \"McAfeeSysPrep\",\n \"NVIDIA Corporation PE Sign v2016\") and\n dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\")) and\n\n not dll.hash.sha256 :\n (\"811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c\",\n \"1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1\",\n \"ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3\",\n \"26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12\",\n \"9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa\",\n \"d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b\",\n \"0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61\",\n \"4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb\",\n \"86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95\")\n", "references": ["https://blog.xpnsec.com/exploring-mimikatz-part-2/", "https://github.com/jas502n/mimikat_ssp"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "dll.hash.sha256", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_6.json b/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_6.json
deleted file mode 100644
index 7a910b5faaf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Module Loaded by LSASS", "query": "library where host.os.type == \"windows\" and process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n not (dll.code_signature.subject_name :\n (\"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Publisher\",\n \"Microsoft Windows Software Compatibility Publisher\",\n \"Microsoft Windows Hardware Compatibility Publisher\",\n \"McAfee, Inc.\",\n \"SecMaker AB\",\n \"HID Global Corporation\",\n \"HID Global\",\n \"Apple Inc.\",\n \"Citrix Systems, Inc.\",\n \"Dell Inc\",\n \"Hewlett-Packard Company\",\n \"Symantec Corporation\",\n \"National Instruments Corporation\",\n \"DigitalPersona, Inc.\",\n \"Novell, Inc.\",\n \"gemalto\",\n \"EasyAntiCheat Oy\",\n \"Entrust Datacard Corporation\",\n \"AuriStor, Inc.\",\n \"LogMeIn, Inc.\",\n \"VMware, Inc.\",\n \"Istituto Poligrafico e Zecca dello Stato S.p.A.\",\n \"Nubeva Technologies Ltd\",\n \"Micro Focus (US), Inc.\",\n \"Yubico AB\",\n \"GEMALTO SA\",\n \"Secure Endpoints, Inc.\",\n \"Sophos Ltd\",\n \"Morphisec Information Security 2014 Ltd\",\n \"Entrust, Inc.\",\n \"Nubeva Technologies Ltd\",\n \"Micro Focus (US), Inc.\",\n \"F5 Networks Inc\",\n \"Bit4id\",\n \"Thales DIS CPL USA, Inc.\",\n \"Micro Focus International plc\",\n \"HYPR Corp\",\n \"Intel(R) Software Development Products\",\n \"PGP Corporation\",\n \"Parallels International GmbH\",\n \"FrontRange Solutions Deutschland GmbH\",\n \"SecureLink, Inc.\",\n \"Tidexa OU\",\n 
\"Amazon Web Services, Inc.\",\n \"SentryBay Limited\",\n \"Audinate Pty Ltd\",\n \"CyberArk Software Ltd.\",\n \"McAfeeSysPrep\",\n \"NVIDIA Corporation PE Sign v2016\",\n \"Trend Micro, Inc.\",\n \"Fortinet Technologies (Canada) Inc.\",\n \"Carbon Black, Inc.\") and\n dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\")) and\n\n not dll.hash.sha256 :\n (\"811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c\",\n \"1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1\",\n \"ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3\",\n \"26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12\",\n \"9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa\",\n \"d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b\",\n \"0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61\",\n \"4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb\",\n \"86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95\")\n", "references": ["https://blog.xpnsec.com/exploring-mimikatz-part-2/", "https://github.com/jas502n/mimikat_ssp"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "dll.hash.sha256", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to 
@timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_7.json b/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_7.json
deleted file mode 100644
index de37616d8ee..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Module Loaded by LSASS", "query": "library where host.os.type == \"windows\" and process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n not (dll.code_signature.subject_name :\n (\"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Publisher\",\n \"Microsoft Windows Software Compatibility Publisher\",\n \"Microsoft Windows Hardware Compatibility Publisher\",\n \"McAfee, Inc.\",\n \"SecMaker AB\",\n \"HID Global Corporation\",\n \"HID Global\",\n \"Apple Inc.\",\n \"Citrix Systems, Inc.\",\n \"Dell Inc\",\n \"Hewlett-Packard Company\",\n \"Symantec Corporation\",\n \"National Instruments Corporation\",\n \"DigitalPersona, Inc.\",\n \"Novell, Inc.\",\n \"gemalto\",\n \"EasyAntiCheat Oy\",\n \"Entrust Datacard Corporation\",\n \"AuriStor, Inc.\",\n \"LogMeIn, Inc.\",\n \"VMware, Inc.\",\n \"Istituto Poligrafico e Zecca dello Stato S.p.A.\",\n \"Nubeva Technologies Ltd\",\n \"Micro Focus (US), Inc.\",\n \"Yubico AB\",\n \"GEMALTO SA\",\n \"Secure Endpoints, Inc.\",\n \"Sophos Ltd\",\n \"Morphisec Information Security 2014 Ltd\",\n \"Entrust, Inc.\",\n \"Nubeva Technologies Ltd\",\n \"Micro Focus (US), Inc.\",\n \"F5 Networks Inc\",\n \"Bit4id\",\n \"Thales DIS CPL USA, Inc.\",\n \"Micro Focus International plc\",\n \"HYPR Corp\",\n \"Intel(R) Software Development Products\",\n \"PGP Corporation\",\n \"Parallels International GmbH\",\n \"FrontRange Solutions Deutschland GmbH\",\n \"SecureLink, Inc.\",\n \"Tidexa OU\",\n 
\"Amazon Web Services, Inc.\",\n \"SentryBay Limited\",\n \"Audinate Pty Ltd\",\n \"CyberArk Software Ltd.\",\n \"McAfeeSysPrep\",\n \"NVIDIA Corporation PE Sign v2016\",\n \"Trend Micro, Inc.\",\n \"Fortinet Technologies (Canada) Inc.\",\n \"Carbon Black, Inc.\") and\n dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\")) and\n\n not dll.hash.sha256 :\n (\"811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c\",\n \"1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1\",\n \"ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3\",\n \"26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12\",\n \"9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa\",\n \"d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b\",\n \"0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61\",\n \"4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb\",\n \"86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95\")\n", "references": ["https://blog.xpnsec.com/exploring-mimikatz-part-2/", "https://github.com/jas502n/mimikat_ssp"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "dll.hash.sha256", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_8.json b/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_8.json
deleted file mode 100644
index 21507a7d56c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3a6001a0-0939-4bbe-86f4-47d8faeb7b97_8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies LSASS loading an unsigned or untrusted DLL. Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.", "from": "now-9m", "index": ["logs-endpoint.events.library-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Module Loaded by LSASS", "query": "library where host.os.type == \"windows\" and process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n not (dll.code_signature.subject_name :\n (\"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Publisher\",\n \"Microsoft Windows Software Compatibility Publisher\",\n \"Microsoft Windows Hardware Compatibility Publisher\",\n \"McAfee, Inc.\",\n \"SecMaker AB\",\n \"HID Global Corporation\",\n \"HID Global\",\n \"Apple Inc.\",\n \"Citrix Systems, Inc.\",\n \"Dell Inc\",\n \"Hewlett-Packard Company\",\n \"Symantec Corporation\",\n \"National Instruments Corporation\",\n \"DigitalPersona, Inc.\",\n \"Novell, Inc.\",\n \"gemalto\",\n \"EasyAntiCheat Oy\",\n \"Entrust Datacard Corporation\",\n \"AuriStor, Inc.\",\n \"LogMeIn, Inc.\",\n \"VMware, Inc.\",\n \"Istituto Poligrafico e Zecca dello Stato S.p.A.\",\n \"Nubeva Technologies Ltd\",\n \"Micro Focus (US), Inc.\",\n \"Yubico AB\",\n \"GEMALTO SA\",\n \"Secure Endpoints, Inc.\",\n \"Sophos Ltd\",\n \"Morphisec Information Security 2014 Ltd\",\n \"Entrust, Inc.\",\n \"Nubeva Technologies Ltd\",\n \"Micro Focus (US), Inc.\",\n \"F5 Networks Inc\",\n \"Bit4id\",\n \"Thales DIS CPL USA, Inc.\",\n \"Micro Focus International plc\",\n \"HYPR Corp\",\n \"Intel(R) Software Development Products\",\n \"PGP Corporation\",\n \"Parallels International GmbH\",\n \"FrontRange Solutions Deutschland GmbH\",\n \"SecureLink, Inc.\",\n \"Tidexa 
OU\",\n \"Amazon Web Services, Inc.\",\n \"SentryBay Limited\",\n \"Audinate Pty Ltd\",\n \"CyberArk Software Ltd.\",\n \"McAfeeSysPrep\",\n \"NVIDIA Corporation PE Sign v2016\",\n \"Trend Micro, Inc.\",\n \"Fortinet Technologies (Canada) Inc.\",\n \"Carbon Black, Inc.\") and\n dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\")) and\n\n not dll.hash.sha256 :\n (\"811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c\",\n \"1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1\",\n \"ed6e735aa6233ed262f50f67585949712f1622751035db256811b4088c214ce3\",\n \"26be2e4383728eebe191c0ab19706188f0e9592add2e0bf86b37442083ae5e12\",\n \"9367e78b84ef30cf38ab27776605f2645e52e3f6e93369c674972b668a444faa\",\n \"d46cc934765c5ecd53867070f540e8d6f7701e834831c51c2b0552aba871921b\",\n \"0f77a3826d7a5cd0533990be0269d951a88a5c277bc47cff94553330b715ec61\",\n \"4aca034d3d85a9e9127b5d7a10882c2ef4c3e0daa3329ae2ac1d0797398695fb\",\n \"86031e69914d9d33c34c2f4ac4ae523cef855254d411f88ac26684265c981d95\")\n", "references": ["https://blog.xpnsec.com/exploring-mimikatz-part-2/", "https://github.com/jas502n/mimikat_ssp"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "dll.hash.sha256", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "3a6001a0-0939-4bbe-86f4-47d8faeb7b97_8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3a657da0-1df2-11ef-a327-f661ea17fbcc.json b/packages/security_detection_engine/kibana/security_rule/3a657da0-1df2-11ef-a327-f661ea17fbcc.json
deleted file mode 100644
index bf9baaaf37d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3a657da0-1df2-11ef-a327-f661ea17fbcc.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when CVEs collected from the Rapid7 Threat Command Integration have a match against vulnerabilities that were found in the customer environment.", "filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "rapid7.tc.vulnerability.id", "negate": true, "type": "exists"}, "query": {"exists": {"field": "rapid7.tc.vulnerability.id"}}}], "from": "now-35m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"], "interval": "30m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Rapid7 Threat Command CVEs Correlation", "note": "## Triage and Analysis\n\n### Investigating Rapid7 Threat Command CVEs Correlation\n\nRapid7 Threat Command CVEs Correlation rule allows matching CVEs from user indices within the vulnerabilities collected from Rapid7 Threat Command integrations.\n\nThe matches will be based on the latest values of CVEs from the last 180 days. So it's essential to validate the data and review the results by investigating the associated activity to determine if it requires further investigation.\n\nIf a vulnerability matches a local observation, the following enriched fields will be generated to identify the vulnerability, field, and type matched.\n\n- `threat.indicator.matched.atomic` - this identifies the atomic vulnerability that matched the local observation\n- `threat.indicator.matched.field` - this identifies the vulnerability field that matched the local observation\n- `threat.indicator.matched.type` - this identifies the vulnerability type that matched the local observation\n\nAdditional investigation can be done by reviewing the source of the activity and considering the history of the vulnerability that was matched. 
This can help understand if the activity is related to legitimate behavior.\n\n- Investigation can be validated and reviewed based on the data that was matched and by viewing the source of that activity.\n- Consider the history of the vulnerability that was matched. Has it happened before? Is it happening on multiple machines? These kinds of questions can help understand if the activity is related to legitimate behavior.\n- Consider the user and their role within the company: is this something related to their job or work function?\n", "query": "vulnerability.id : *\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://docs.elastic.co/integrations/ti_rapid7_threat_command"], "related_integrations": [{"package": "ti_rapid7_threat_command", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "vulnerability.id", "type": "keyword"}], "risk_score": 99, "rule_id": "3a657da0-1df2-11ef-a327-f661ea17fbcc", "setup": "\n## Setup\n\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n\n## Max Signals\n\nThis rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. 
This is to ensure that it captures as many alerts as possible.\n\n**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.\n\nTo make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.\n\n**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.\n", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Data Source: Windows", "Data Source: Network", "Data Source: Rapid7 Threat Command", "Rule Type: Threat Match", "Resources: Investigation Guide", "Use Case: Vulnerability", "Use Case: Asset Visibility", "Use Case: Continuous Monitoring"], "threat_index": ["logs-ti_rapid7_threat_command_latest.vulnerability"], "threat_indicator_path": "rapid7.tc.vulnerability", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "vulnerability.id", "type": "mapping", "value": "vulnerability.id"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and vulnerability.id : * and event.module: ti_rapid7_threat_command", "timestamp_override": "event.ingested", "type": "threat_match", "version": 103}, "id": "3a657da0-1df2-11ef-a327-f661ea17fbcc", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3a657da0-1df2-11ef-a327-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/3a657da0-1df2-11ef-a327-f661ea17fbcc_1.json
deleted file mode 100644
index ba637a06e51..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3a657da0-1df2-11ef-a327-f661ea17fbcc_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when CVEs collected from the Rapid7 Threat Command Integration have a match against vulnerabilities that were found in the customer environment.", "filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "rapid7.tc.vulnerability.id", "negate": true, "type": "exists"}, "query": {"exists": {"field": "rapid7.tc.vulnerability.id"}}}], "from": "now-35m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"], "interval": "30m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Rapid7 Threat Command CVEs Correlation", "note": "## Triage and Analysis\n\n### Investigating Rapid7 Threat Command CVEs Correlation\n\nRapid7 Threat Command CVEs Correlation rule allows matching CVEs from user indices within the vulnerabilities collected from Rapid7 Threat Command integrations.\n\nThe matches will be based on the latest values of CVEs from the last 180 days. So it's essential to validate the data and review the results by investigating the associated activity to determine if it requires further investigation.\n\nIf a vulnerability matches a local observation, the following enriched fields will be generated to identify the vulnerability, field, and type matched.\n\n- `threat.indicator.matched.atomic` - this identifies the atomic vulnerability that matched the local observation\n- `threat.indicator.matched.field` - this identifies the vulnerability field that matched the local observation\n- `threat.indicator.matched.type` - this identifies the vulnerability type that matched the local observation\n\nAdditional investigation can be done by reviewing the source of the activity and considering the history of the vulnerability that was matched. 
This can help understand if the activity is related to legitimate behavior.\n\n- Investigation can be validated and reviewed based on the data that was matched and by viewing the source of that activity.\n- Consider the history of the vulnerability that was matched. Has it happened before? Is it happening on multiple machines? These kinds of questions can help understand if the activity is related to legitimate behavior.\n- Consider the user and their role within the company: is this something related to their job or work function?\n", "query": "vulnerability.id : *\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://docs.elastic.co/integrations/ti_rapid7_threat_command"], "related_integrations": [{"package": "ti_rapid7_threat_command", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "vulnerability.id", "type": "keyword"}], "risk_score": 99, "rule_id": "3a657da0-1df2-11ef-a327-f661ea17fbcc", "setup": "\n## Setup\n\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n\n## Max Signals\n\nThis rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. 
This is to ensure that it captures as many alerts as possible.\n\n**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.\n\nTo make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.\n\n**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.\n", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Data Source: Windows", "Data Source: Network", "Data Source: Rapid7 Threat Command", "Rule Type: Threat Match", "Resources: Investigation Guide", "Use Case: Vulnerability", "Use Case: Asset Visibility", "Use Case: Continuous Monitoring"], "threat_index": ["logs-ti_rapid7_threat_command_latest.vulnerability"], "threat_indicator_path": "rapid7.tc.vulnerability", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "vulnerability.id", "type": "mapping", "value": "vulnerability.id"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and vulnerability.id : * and event.module: ti_rapid7_threat_command", "timestamp_override": "event.ingested", "type": "threat_match", "version": 1}, "id": "3a657da0-1df2-11ef-a327-f661ea17fbcc_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3a657da0-1df2-11ef-a327-f661ea17fbcc_2.json b/packages/security_detection_engine/kibana/security_rule/3a657da0-1df2-11ef-a327-f661ea17fbcc_2.json
deleted file mode 100644
index 4c62a9734a5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3a657da0-1df2-11ef-a327-f661ea17fbcc_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when CVEs collected from the Rapid7 Threat Command Integration have a match against vulnerabilities that were found in the customer environment.", "filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "rapid7.tc.vulnerability.id", "negate": true, "type": "exists"}, "query": {"exists": {"field": "rapid7.tc.vulnerability.id"}}}], "from": "now-35m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"], "interval": "30m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Rapid7 Threat Command CVEs Correlation", "note": "## Triage and Analysis\n\n### Investigating Rapid7 Threat Command CVEs Correlation\n\nRapid7 Threat Command CVEs Correlation rule allows matching CVEs from user indices within the vulnerabilities collected from Rapid7 Threat Command integrations.\n\nThe matches will be based on the latest values of CVEs from the last 180 days. So it's essential to validate the data and review the results by investigating the associated activity to determine if it requires further investigation.\n\nIf a vulnerability matches a local observation, the following enriched fields will be generated to identify the vulnerability, field, and type matched.\n\n- `threat.indicator.matched.atomic` - this identifies the atomic vulnerability that matched the local observation\n- `threat.indicator.matched.field` - this identifies the vulnerability field that matched the local observation\n- `threat.indicator.matched.type` - this identifies the vulnerability type that matched the local observation\n\nAdditional investigation can be done by reviewing the source of the activity and considering the history of the vulnerability that was matched. 
This can help understand if the activity is related to legitimate behavior.\n\n- Investigation can be validated and reviewed based on the data that was matched and by viewing the source of that activity.\n- Consider the history of the vulnerability that was matched. Has it happened before? Is it happening on multiple machines? These kinds of questions can help understand if the activity is related to legitimate behavior.\n- Consider the user and their role within the company: is this something related to their job or work function?\n", "query": "vulnerability.id : *\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://docs.elastic.co/integrations/ti_rapid7_threat_command"], "related_integrations": [{"package": "ti_rapid7_threat_command", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "vulnerability.id", "type": "keyword"}], "risk_score": 99, "rule_id": "3a657da0-1df2-11ef-a327-f661ea17fbcc", "setup": "\n## Setup\n\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n\n## Max Signals\n\nThis rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. 
This is to ensure that it captures as many alerts as possible.\n\n**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.\n\nTo make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.\n\n**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.\n", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Data Source: Windows", "Data Source: Network", "Data Source: Rapid7 Threat Command", "Rule Type: Threat Match", "Resources: Investigation Guide", "Use Case: Vulnerability", "Use Case: Asset Visibility", "Use Case: Continuous Monitoring"], "threat_index": ["logs-ti_rapid7_threat_command_latest.vulnerability"], "threat_indicator_path": "rapid7.tc.vulnerability", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "vulnerability.id", "type": "mapping", "value": "vulnerability.id"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and vulnerability.id : * and event.module: ti_rapid7_threat_command", "timestamp_override": "event.ingested", "type": "threat_match", "version": 2}, "id": "3a657da0-1df2-11ef-a327-f661ea17fbcc_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf.json b/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf.json
deleted file mode 100644
index 63f9c59fd4c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", "false_positives": ["VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."], "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "VNC (Virtual Network Computing) to the Internet", "query": "(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], 
"related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf", "severity": "medium", "tags": ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "3ad49c61-7adc-42c1-b788-732eda2f5abf", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_101.json b/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_101.json deleted file mode 100644 index 23eec93975c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", "false_positives": ["VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."], "from": "now-9m", "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "VNC (Virtual Network Computing) to the Internet", "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", 
"version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf", "severity": "medium", "tags": ["Elastic", "Host", "Network", "Threat Detection", "Command and Control", "Host"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "3ad49c61-7adc-42c1-b788-732eda2f5abf_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_102.json b/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_102.json deleted file mode 100644 index 389fba2e745..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", "false_positives": ["VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."], "from": "now-9m", "index": ["packetbeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "VNC (Virtual Network Computing) to the Internet", "query": "event.dataset: network_traffic.flow and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], 
"required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf", "severity": "medium", "tags": ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "3ad49c61-7adc-42c1-b788-732eda2f5abf_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_103.json b/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_103.json deleted file mode 100644 index 370d476b3b2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", "false_positives": ["VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."], "from": "now-9m", "index": ["packetbeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "VNC (Virtual Network Computing) to the Internet", "query": "event.dataset: network_traffic.flow and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], 
"required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf", "severity": "medium", "tags": ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "3ad49c61-7adc-42c1-b788-732eda2f5abf_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_104.json b/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_104.json deleted file mode 100644 index b95838f6d22..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3ad49c61-7adc-42c1-b788-732eda2f5abf_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of VNC traffic to the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", "false_positives": ["VNC connections may be made directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."], "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "VNC (Virtual Network Computing) to the Internet", "query": "(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], 
"related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "3ad49c61-7adc-42c1-b788-732eda2f5abf", "severity": "medium", "tags": ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "3ad49c61-7adc-42c1-b788-732eda2f5abf_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f.json b/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f.json deleted file mode 100644 index 41a400996dc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies potential full network packet capture in Azure. Packet Capture is an Azure Network Watcher feature that can be used to inspect network traffic. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.", "false_positives": ["Full Network Packet Capture may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Full Network Packet Capture from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Full Network Packet Capture Detected", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\n (\n MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION or\n MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION or\n MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE\n ) and\nevent.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Azure", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential 
Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1040", "name": "Network Sniffing", "reference": "https://attack.mitre.org/techniques/T1040/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_101.json b/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_101.json deleted file mode 100644 index f70847b070c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies potential full network packet capture in Azure. Packet Capture is an Azure Network Watcher feature that can be used to inspect network traffic. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.", "false_positives": ["Full Network Packet Capture may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Full Network Packet Capture from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Full Network Packet Capture Detected", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\n (\n \"MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION\" or\n \"MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION\" or\n \"MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE\"\n ) and\nevent.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", 
"name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1040", "name": "Network Sniffing", "reference": "https://attack.mitre.org/techniques/T1040/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_102.json b/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_102.json deleted file mode 100644 index a3047f22b3a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies potential full network packet capture in Azure. Packet Capture is an Azure Network Watcher feature that can be used to inspect network traffic. This feature can potentially be abused to read sensitive data from unencrypted internal traffic.", "false_positives": ["Full Network Packet Capture may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Full Network Packet Capture from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Full Network Packet Capture Detected", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\n (\n \"MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION\" or\n \"MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION\" or\n \"MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE\"\n ) and\nevent.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Azure", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": 
"Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1040", "name": "Network Sniffing", "reference": "https://attack.mitre.org/techniques/T1040/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3af4cb9b-973f-4c54-be2b-7623c0e21b2b.json b/packages/security_detection_engine/kibana/security_rule/3af4cb9b-973f-4c54-be2b-7623c0e21b2b.json deleted file mode 100644 index 76524f8b49e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3af4cb9b-973f-4c54-be2b-7623c0e21b2b.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects a new IP address used for a GitHub user not previously seen in the last 14 days.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-github.audit-*"], "language": "kuery", "license": "Elastic License v2", "name": "First Occurrence of IP Address For GitHub User", "new_terms_fields": ["user.name", "github.actor_ip"], "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and\ngithub.actor_ip:* and user.name:*\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "github.actor_ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "3af4cb9b-973f-4c54-be2b-7623c0e21b2b", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Initial Access", "Rule Type: BBR", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "3af4cb9b-973f-4c54-be2b-7623c0e21b2b", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3af4cb9b-973f-4c54-be2b-7623c0e21b2b_1.json b/packages/security_detection_engine/kibana/security_rule/3af4cb9b-973f-4c54-be2b-7623c0e21b2b_1.json deleted file mode 100644 index ef94330c2b3..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/3af4cb9b-973f-4c54-be2b-7623c0e21b2b_1.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects a new IP address used for a GitHub user not previously seen in the last 14 days.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-github.audit-*"], "language": "kuery", "license": "Elastic License v2", "name": "First Occurrence of IP Address For GitHub User", "new_terms_fields": ["user.name", "github.actor_ip"], "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and\ngithub.actor_ip:* and user.name:*\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "github.actor_ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "3af4cb9b-973f-4c54-be2b-7623c0e21b2b", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Initial Access", "Rule Type: BBR", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "3af4cb9b-973f-4c54-be2b-7623c0e21b2b_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/3af4cb9b-973f-4c54-be2b-7623c0e21b2b_103.json b/packages/security_detection_engine/kibana/security_rule/3af4cb9b-973f-4c54-be2b-7623c0e21b2b_103.json
new file mode 100644
index 00000000000..f242ba68d8c
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/3af4cb9b-973f-4c54-be2b-7623c0e21b2b_103.json
@@ -0,0 +1,90 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "building_block_type": "default",
+ "description": "Detects a new IP address used for a GitHub user not previously seen in the last 14 days.",
+ "from": "now-9m",
+ "history_window_start": "now-14d",
+ "index": [
+ "logs-github.audit-*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "First Occurrence of IP Address For GitHub User",
+ "new_terms_fields": [
+ "user.name",
+ "github.actor_ip"
+ ],
+ "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and\ngithub.actor_ip:* and user.name:*\n",
+ "related_integrations": [
+ {
+ "package": "github",
+ "version": "^2.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "github.actor_ip",
+ "type": "ip"
+ },
+ {
+ "ecs": true,
+ "name": "user.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "3af4cb9b-973f-4c54-be2b-7623c0e21b2b",
+ "severity": "low",
+ "tags": [
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Initial Access",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/",
+ "subtechnique": [
+ {
+ "id": "T1078.004",
+ "name": "Cloud Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/004/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "new_terms",
+ "version": 103
+ },
+ "id": "3af4cb9b-973f-4c54-be2b-7623c0e21b2b_103",
+ "type": "security-rule"
+}
\ No newline at end of file
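Review bot: The rule's description ("Detects a new IP address used for a GitHub user not previously seen in the last 14 days") is broader than its query, which only admits `event.category:"configuration"` events, so a first-seen (`user.name`, `github.actor_ip`) pair on any other GitHub audit-log category is never evaluated by this rule and, as far as the new_terms type applies the same query to the history window, never contributes to the 14-day baseline either. If the narrowing is deliberate for a building-block rule, the description should say so, e.g. `"description": "Detects a new IP address used for a GitHub user on configuration audit events (event.category: configuration) not previously seen in the last 14 days."`; if it is not, the `event.category` clause should be dropped from the query. It would also help analysts to state that an address the actor already used within the `history_window_start` window of 14 days is treated as known and will not alert. Relative to the deleted copies this file only bumps the `github` integration pin to `^2.0.0` and the rule version, so the description/query mismatch predates this commit rather than being introduced by it.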
diff --git a/packages/security_detection_engine/kibana/security_rule/3b382770-efbb-44f4-beed-f5e0a051b895.json b/packages/security_detection_engine/kibana/security_rule/3b382770-efbb-44f4-beed-f5e0a051b895.json
deleted file mode 100644
index 37df89cb703..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3b382770-efbb-44f4-beed-f5e0a051b895.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Malware - Prevented - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 73, "rule_id": "3b382770-efbb-44f4-beed-f5e0a051b895", "setup": "## Setup\n\nThis rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.\n\n**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. 
For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.\n\nTo make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.\n\n**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.", "severity": "high", "tags": ["Data Source: Elastic Endgame"], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "3b382770-efbb-44f4-beed-f5e0a051b895", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3b382770-efbb-44f4-beed-f5e0a051b895_100.json b/packages/security_detection_engine/kibana/security_rule/3b382770-efbb-44f4-beed-f5e0a051b895_100.json deleted file mode 100644 index 6d5b6304f79..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3b382770-efbb-44f4-beed-f5e0a051b895_100.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Malware - Prevented - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 73, "rule_id": "3b382770-efbb-44f4-beed-f5e0a051b895", "severity": "high", "tags": ["Elastic", "Elastic Endgame"], "type": "query", "version": 100}, "id": "3b382770-efbb-44f4-beed-f5e0a051b895_100", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3b382770-efbb-44f4-beed-f5e0a051b895_101.json b/packages/security_detection_engine/kibana/security_rule/3b382770-efbb-44f4-beed-f5e0a051b895_101.json deleted file mode 100644 index 8a61430a015..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3b382770-efbb-44f4-beed-f5e0a051b895_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Malware - Prevented - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 73, "rule_id": "3b382770-efbb-44f4-beed-f5e0a051b895", "severity": "high", "tags": ["Data Source: Elastic Endgame"], "type": "query", "version": 101}, "id": "3b382770-efbb-44f4-beed-f5e0a051b895_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3b382770-efbb-44f4-beed-f5e0a051b895_102.json b/packages/security_detection_engine/kibana/security_rule/3b382770-efbb-44f4-beed-f5e0a051b895_102.json deleted file mode 100644 index 4e9de65f5f7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3b382770-efbb-44f4-beed-f5e0a051b895_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame prevented Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Malware - Prevented - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 73, "rule_id": "3b382770-efbb-44f4-beed-f5e0a051b895", "severity": "high", "tags": ["Data Source: Elastic Endgame"], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "3b382770-efbb-44f4-beed-f5e0a051b895_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1.json b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1.json deleted file mode 100644 index 869db37ae7e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Parent Process for cmd.exe", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and\n process.parent.name : (\"lsass.exe\",\n \"csrss.exe\",\n \"epad.exe\",\n \"regsvr32.exe\",\n \"dllhost.exe\",\n \"LogonUI.exe\",\n \"wermgr.exe\",\n \"spoolsv.exe\",\n \"jucheck.exe\",\n \"jusched.exe\",\n \"ctfmon.exe\",\n \"taskhostw.exe\",\n \"GoogleUpdate.exe\",\n \"sppsvc.exe\",\n \"sihost.exe\",\n \"slui.exe\",\n \"SIHClient.exe\",\n \"SearchIndexer.exe\",\n \"SearchProtocolHost.exe\",\n \"FlashPlayerUpdateService.exe\",\n \"WerFault.exe\",\n \"WUDFHost.exe\",\n \"unsecapp.exe\",\n \"wlanext.exe\" ) and\n not (process.parent.name : \"dllhost.exe\" and process.parent.args : \"/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define 
`event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 313}, "id": "3b47900d-e793-49e8-968f-c90dc3526aa1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_104.json b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_104.json deleted file mode 100644 index 357b159d940..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Parent Process for cmd.exe", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and\n process.parent.name : (\"lsass.exe\",\n \"csrss.exe\",\n \"epad.exe\",\n \"regsvr32.exe\",\n \"dllhost.exe\",\n \"LogonUI.exe\",\n \"wermgr.exe\",\n \"spoolsv.exe\",\n \"jucheck.exe\",\n \"jusched.exe\",\n \"ctfmon.exe\",\n \"taskhostw.exe\",\n \"GoogleUpdate.exe\",\n \"sppsvc.exe\",\n \"sihost.exe\",\n \"slui.exe\",\n \"SIHClient.exe\",\n \"SearchIndexer.exe\",\n \"SearchProtocolHost.exe\",\n \"FlashPlayerUpdateService.exe\",\n \"WerFault.exe\",\n \"WUDFHost.exe\",\n \"unsecapp.exe\",\n \"wlanext.exe\" )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": 
"https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "3b47900d-e793-49e8-968f-c90dc3526aa1_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_105.json b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_105.json deleted file mode 100644 index 53c44d18adb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Parent Process for cmd.exe", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and\n process.parent.name : (\"lsass.exe\",\n \"csrss.exe\",\n \"epad.exe\",\n \"regsvr32.exe\",\n \"dllhost.exe\",\n \"LogonUI.exe\",\n \"wermgr.exe\",\n \"spoolsv.exe\",\n \"jucheck.exe\",\n \"jusched.exe\",\n \"ctfmon.exe\",\n \"taskhostw.exe\",\n \"GoogleUpdate.exe\",\n \"sppsvc.exe\",\n \"sihost.exe\",\n \"slui.exe\",\n \"SIHClient.exe\",\n \"SearchIndexer.exe\",\n \"SearchProtocolHost.exe\",\n \"FlashPlayerUpdateService.exe\",\n \"WerFault.exe\",\n \"WUDFHost.exe\",\n \"unsecapp.exe\",\n \"wlanext.exe\" )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", 
"name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "3b47900d-e793-49e8-968f-c90dc3526aa1_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_106.json b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_106.json deleted file mode 100644 index 6908a2f25ce..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Parent Process for cmd.exe", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and\n process.parent.name : (\"lsass.exe\",\n \"csrss.exe\",\n \"epad.exe\",\n \"regsvr32.exe\",\n \"dllhost.exe\",\n \"LogonUI.exe\",\n \"wermgr.exe\",\n \"spoolsv.exe\",\n \"jucheck.exe\",\n \"jusched.exe\",\n \"ctfmon.exe\",\n \"taskhostw.exe\",\n \"GoogleUpdate.exe\",\n \"sppsvc.exe\",\n \"sihost.exe\",\n \"slui.exe\",\n \"SIHClient.exe\",\n \"SearchIndexer.exe\",\n \"SearchProtocolHost.exe\",\n \"FlashPlayerUpdateService.exe\",\n \"WerFault.exe\",\n \"WUDFHost.exe\",\n \"unsecapp.exe\",\n \"wlanext.exe\" )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "3b47900d-e793-49e8-968f-c90dc3526aa1_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_107.json b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_107.json deleted file mode 100644 index c9fbb3535c6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Parent Process for cmd.exe", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and\n process.parent.name : (\"lsass.exe\",\n \"csrss.exe\",\n \"epad.exe\",\n \"regsvr32.exe\",\n \"dllhost.exe\",\n \"LogonUI.exe\",\n \"wermgr.exe\",\n \"spoolsv.exe\",\n \"jucheck.exe\",\n \"jusched.exe\",\n \"ctfmon.exe\",\n \"taskhostw.exe\",\n \"GoogleUpdate.exe\",\n \"sppsvc.exe\",\n \"sihost.exe\",\n \"slui.exe\",\n \"SIHClient.exe\",\n \"SearchIndexer.exe\",\n \"SearchProtocolHost.exe\",\n \"FlashPlayerUpdateService.exe\",\n \"WerFault.exe\",\n \"WUDFHost.exe\",\n \"unsecapp.exe\",\n \"wlanext.exe\" ) and\n not (process.parent.name : \"dllhost.exe\" and process.parent.args : \"/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", 
"tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "3b47900d-e793-49e8-968f-c90dc3526aa1_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_108.json b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_108.json deleted file mode 100644 index 08d2fe3256f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Parent Process for cmd.exe", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and\n process.parent.name : (\"lsass.exe\",\n \"csrss.exe\",\n \"epad.exe\",\n \"regsvr32.exe\",\n \"dllhost.exe\",\n \"LogonUI.exe\",\n \"wermgr.exe\",\n \"spoolsv.exe\",\n \"jucheck.exe\",\n \"jusched.exe\",\n \"ctfmon.exe\",\n \"taskhostw.exe\",\n \"GoogleUpdate.exe\",\n \"sppsvc.exe\",\n \"sihost.exe\",\n \"slui.exe\",\n \"SIHClient.exe\",\n \"SearchIndexer.exe\",\n \"SearchProtocolHost.exe\",\n \"FlashPlayerUpdateService.exe\",\n \"WerFault.exe\",\n \"WUDFHost.exe\",\n \"unsecapp.exe\",\n \"wlanext.exe\" ) and\n not (process.parent.name : \"dllhost.exe\" and process.parent.args : \"/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to 
@timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "3b47900d-e793-49e8-968f-c90dc3526aa1_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_109.json b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_109.json deleted file mode 100644 index d17dae21170..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Parent Process for cmd.exe", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and\n process.parent.name : (\"lsass.exe\",\n \"csrss.exe\",\n \"epad.exe\",\n \"regsvr32.exe\",\n \"dllhost.exe\",\n \"LogonUI.exe\",\n \"wermgr.exe\",\n \"spoolsv.exe\",\n \"jucheck.exe\",\n \"jusched.exe\",\n \"ctfmon.exe\",\n \"taskhostw.exe\",\n \"GoogleUpdate.exe\",\n \"sppsvc.exe\",\n \"sihost.exe\",\n \"slui.exe\",\n \"SIHClient.exe\",\n \"SearchIndexer.exe\",\n \"SearchProtocolHost.exe\",\n \"FlashPlayerUpdateService.exe\",\n \"WerFault.exe\",\n \"WUDFHost.exe\",\n \"unsecapp.exe\",\n \"wlanext.exe\" ) and\n not (process.parent.name : \"dllhost.exe\" and process.parent.args : \"/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "3b47900d-e793-49e8-968f-c90dc3526aa1_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_110.json b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_110.json deleted file mode 100644 index 559fd2b3a90..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Parent Process for cmd.exe", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and\n process.parent.name : (\"lsass.exe\",\n \"csrss.exe\",\n \"epad.exe\",\n \"regsvr32.exe\",\n \"dllhost.exe\",\n \"LogonUI.exe\",\n \"wermgr.exe\",\n \"spoolsv.exe\",\n \"jucheck.exe\",\n \"jusched.exe\",\n \"ctfmon.exe\",\n \"taskhostw.exe\",\n \"GoogleUpdate.exe\",\n \"sppsvc.exe\",\n \"sihost.exe\",\n \"slui.exe\",\n \"SIHClient.exe\",\n \"SearchIndexer.exe\",\n \"SearchProtocolHost.exe\",\n \"FlashPlayerUpdateService.exe\",\n \"WerFault.exe\",\n \"WUDFHost.exe\",\n \"unsecapp.exe\",\n \"wlanext.exe\" ) and\n not (process.parent.name : \"dllhost.exe\" and process.parent.args : \"/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "3b47900d-e793-49e8-968f-c90dc3526aa1_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_211.json b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_211.json deleted file mode 100644 index b32b3a08a33..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_211.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Parent Process for cmd.exe", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and\n process.parent.name : (\"lsass.exe\",\n \"csrss.exe\",\n \"epad.exe\",\n \"regsvr32.exe\",\n \"dllhost.exe\",\n \"LogonUI.exe\",\n \"wermgr.exe\",\n \"spoolsv.exe\",\n \"jucheck.exe\",\n \"jusched.exe\",\n \"ctfmon.exe\",\n \"taskhostw.exe\",\n \"GoogleUpdate.exe\",\n \"sppsvc.exe\",\n \"sihost.exe\",\n \"slui.exe\",\n \"SIHClient.exe\",\n \"SearchIndexer.exe\",\n \"SearchProtocolHost.exe\",\n \"FlashPlayerUpdateService.exe\",\n \"WerFault.exe\",\n \"WUDFHost.exe\",\n \"unsecapp.exe\",\n \"wlanext.exe\" ) and\n not (process.parent.name : \"dllhost.exe\" and process.parent.args : \"/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 
8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 211}, "id": "3b47900d-e793-49e8-968f-c90dc3526aa1_211", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_312.json b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_312.json deleted file mode 100644 index b5a1fa7c14e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_312.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Parent Process for cmd.exe", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and\n process.parent.name : (\"lsass.exe\",\n \"csrss.exe\",\n \"epad.exe\",\n \"regsvr32.exe\",\n \"dllhost.exe\",\n \"LogonUI.exe\",\n \"wermgr.exe\",\n \"spoolsv.exe\",\n \"jucheck.exe\",\n \"jusched.exe\",\n \"ctfmon.exe\",\n \"taskhostw.exe\",\n \"GoogleUpdate.exe\",\n \"sppsvc.exe\",\n \"sihost.exe\",\n \"slui.exe\",\n \"SIHClient.exe\",\n \"SearchIndexer.exe\",\n \"SearchProtocolHost.exe\",\n \"FlashPlayerUpdateService.exe\",\n \"WerFault.exe\",\n \"WUDFHost.exe\",\n \"unsecapp.exe\",\n \"wlanext.exe\" ) and\n not (process.parent.name : \"dllhost.exe\" and process.parent.args : \"/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 
8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 312}, "id": "3b47900d-e793-49e8-968f-c90dc3526aa1_312", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_313.json b/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_313.json deleted file mode 100644 index 1b53b24226e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3b47900d-e793-49e8-968f-c90dc3526aa1_313.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Parent Process for cmd.exe", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and\n process.parent.name : (\"lsass.exe\",\n \"csrss.exe\",\n \"epad.exe\",\n \"regsvr32.exe\",\n \"dllhost.exe\",\n \"LogonUI.exe\",\n \"wermgr.exe\",\n \"spoolsv.exe\",\n \"jucheck.exe\",\n \"jusched.exe\",\n \"ctfmon.exe\",\n \"taskhostw.exe\",\n \"GoogleUpdate.exe\",\n \"sppsvc.exe\",\n \"sihost.exe\",\n \"slui.exe\",\n \"SIHClient.exe\",\n \"SearchIndexer.exe\",\n \"SearchProtocolHost.exe\",\n \"FlashPlayerUpdateService.exe\",\n \"WerFault.exe\",\n \"WUDFHost.exe\",\n \"unsecapp.exe\",\n \"wlanext.exe\" ) and\n not (process.parent.name : \"dllhost.exe\" and process.parent.args : \"/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "3b47900d-e793-49e8-968f-c90dc3526aa1", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define 
`event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 313}, "id": "3b47900d-e793-49e8-968f-c90dc3526aa1_313", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f.json b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f.json deleted file mode 100644 index 1f5f91d941f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "NTDS or SAM Database File Copied", "note": "## Triage and analysis\n\n### Investigating NTDS or SAM Database File Copied\n\nThe Active Directory Domain Database (ntds.dit) and Security Account Manager (SAM) files are critical components in Windows environments, containing sensitive information such as hashed domain and local credentials.\n\nThis rule identifies copy operations of these files using specific command-line tools, such as Cmd.Exe, PowerShell.EXE, XCOPY.EXE, and esentutl.exe. By monitoring for the presence of these tools and their associated arguments, the rule aims to detect potential credential access activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, command lines, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check for any recent changes in user account privileges or group memberships that may have allowed the unauthorized access.\n- Determine whether the file was potentially exfiltrated from the subject host.\n- Scope compromised credentials and disable the accounts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE 
'%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n ((?process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") or process.name : (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\")) and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n ) or\n ((?process.pe.original_file_name : \"esentutl.exe\" or process.name : \"esentutl.exe\") and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n ) and\n process.command_line : (\"*\\\\ntds.dit*\", \"*\\\\config\\\\SAM*\", \"*\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\", \"*\\\\User Data\\\\*\")\n", "references": ["https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f", "setup": "## Setup\n\nIf enabling an 
EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_104.json b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_104.json deleted file mode 100644 index b0f54696c7e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "NTDS or SAM Database File Copied", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n ) or\n (process.pe.original_file_name : \"esentutl.exe\" and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n ) and\n process.args : (\"*\\\\ntds.dit\", \"*\\\\config\\\\SAM\", \"\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\")\n", "references": ["https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, 
so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_105.json b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_105.json deleted file mode 100644 index 9f988ee43a5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "NTDS or SAM Database File Copied", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n ) or\n (process.pe.original_file_name : \"esentutl.exe\" and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n ) and\n process.args : (\"*\\\\ntds.dit\", \"*\\\\config\\\\SAM\", \"\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\")\n", "references": ["https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, 
so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_106.json b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_106.json deleted file mode 100644 index e6f3cc53fad..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "NTDS or SAM Database File Copied", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n ) or\n (process.pe.original_file_name : \"esentutl.exe\" and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n ) and\n process.args : (\"*\\\\ntds.dit\", \"*\\\\config\\\\SAM\", \"\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\")\n", "references": ["https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, 
so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_107.json b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_107.json deleted file mode 100644 index b7705e2d475..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "NTDS or SAM Database File Copied", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n ) or\n (process.pe.original_file_name : \"esentutl.exe\" and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n ) and\n process.args : (\"*\\\\ntds.dit\", \"*\\\\config\\\\SAM\", \"\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\")\n", "references": ["https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, 
so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_108.json b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_108.json deleted file mode 100644 index db341a857a0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "NTDS or SAM Database File Copied", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n ) or\n (process.pe.original_file_name : \"esentutl.exe\" and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n ) and\n process.args : (\"*\\\\ntds.dit\", \"*\\\\config\\\\SAM\", \"\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\")\n", "references": ["https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 
8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_109.json b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_109.json deleted file mode 100644 index c4dddffb5b1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "NTDS or SAM Database File Copied", "note": "## Triage and analysis\n\n### Investigating NTDS or SAM Database File Copied\n\nThe Active Directory Domain Database (ntds.dit) and Security Account Manager (SAM) files are critical components in Windows environments, containing sensitive information such as hashed domain and local credentials.\n\nThis rule identifies copy operations of these files using specific command-line tools, such as Cmd.Exe, PowerShell.EXE, XCOPY.EXE, and esentutl.exe. By monitoring for the presence of these tools and their associated arguments, the rule aims to detect potential credential access activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, command lines, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check for any recent changes in user account privileges or group memberships that may have allowed the unauthorized access.\n- Determine whether the file was potentially exfiltrated from the subject host.\n- Scope compromised credentials and disable the accounts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE 
'%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n ) or\n (process.pe.original_file_name : \"esentutl.exe\" and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n ) and\n process.args : (\"*\\\\ntds.dit\", \"*\\\\config\\\\SAM\", \"\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\")\n", "references": ["https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor 
more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_110.json b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_110.json deleted file mode 100644 index 4512da4ce51..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "NTDS or SAM Database File Copied", "note": "## Triage and analysis\n\n### Investigating NTDS or SAM Database File Copied\n\nThe Active Directory Domain Database (ntds.dit) and Security Account Manager (SAM) files are critical components in Windows environments, containing sensitive information such as hashed domain and local credentials.\n\nThis rule identifies copy operations of these files using specific command-line tools, such as Cmd.Exe, PowerShell.EXE, XCOPY.EXE, and esentutl.exe. By monitoring for the presence of these tools and their associated arguments, the rule aims to detect potential credential access activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, command lines, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check for any recent changes in user account privileges or group memberships that may have allowed the unauthorized access.\n- Determine whether the file was potentially exfiltrated from the subject host.\n- Scope compromised credentials and disable the accounts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE 
'%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n ((?process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") or process.name : (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\")) and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n ) or\n ((?process.pe.original_file_name : \"esentutl.exe\" or process.name : \"esentutl.exe\") and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n ) and\n process.command_line : (\"*\\\\ntds.dit*\", \"*\\\\config\\\\SAM*\", \"*\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\", \"*\\\\User Data\\\\*\")\n", "references": ["https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f", "setup": "\nIf enabling an EQL rule 
on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_111.json b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_111.json deleted file mode 100644 index c54aba8c775..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "NTDS or SAM Database File Copied", "note": "## Triage and analysis\n\n### Investigating NTDS or SAM Database File Copied\n\nThe Active Directory Domain Database (ntds.dit) and Security Account Manager (SAM) files are critical components in Windows environments, containing sensitive information such as hashed domain and local credentials.\n\nThis rule identifies copy operations of these files using specific command-line tools, such as Cmd.Exe, PowerShell.EXE, XCOPY.EXE, and esentutl.exe. By monitoring for the presence of these tools and their associated arguments, the rule aims to detect potential credential access activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, command lines, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check for any recent changes in user account privileges or group memberships that may have allowed the unauthorized access.\n- Determine whether the file was potentially exfiltrated from the subject host.\n- Scope compromised credentials and disable the accounts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE 
'%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n ((?process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") or process.name : (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\")) and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n ) or\n ((?process.pe.original_file_name : \"esentutl.exe\" or process.name : \"esentutl.exe\") and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n ) and\n process.command_line : (\"*\\\\ntds.dit*\", \"*\\\\config\\\\SAM*\", \"*\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\", \"*\\\\User Data\\\\*\")\n", "references": ["https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f", "setup": "## Setup\n\nIf enabling an 
EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_112.json b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_112.json deleted file mode 100644 index 92222353deb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_112.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "NTDS or SAM Database File Copied", "note": "## Triage and analysis\n\n### Investigating NTDS or SAM Database File Copied\n\nThe Active Directory Domain Database (ntds.dit) and Security Account Manager (SAM) files are critical components in Windows environments, containing sensitive information such as hashed domain and local credentials.\n\nThis rule identifies copy operations of these files using specific command-line tools, such as Cmd.Exe, PowerShell.EXE, XCOPY.EXE, and esentutl.exe. By monitoring for the presence of these tools and their associated arguments, the rule aims to detect potential credential access activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, command lines, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check for any recent changes in user account privileges or group memberships that may have allowed the unauthorized access.\n- Determine whether the file was potentially exfiltrated from the subject host.\n- Scope compromised credentials and disable the accounts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE 
'%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n ((?process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") or process.name : (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\")) and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n ) or\n ((?process.pe.original_file_name : \"esentutl.exe\" or process.name : \"esentutl.exe\") and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n ) and\n process.command_line : (\"*\\\\ntds.dit*\", \"*\\\\config\\\\SAM*\", \"*\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\", \"*\\\\User Data\\\\*\")\n", "references": ["https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f", "setup": "## Setup\n\nIf enabling an 
EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_113.json b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_113.json deleted file mode 100644 index e1229450619..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_113.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "NTDS or SAM Database File Copied", "note": "## Triage and analysis\n\n### Investigating NTDS or SAM Database File Copied\n\nThe Active Directory Domain Database (ntds.dit) and Security Account Manager (SAM) files are critical components in Windows environments, containing sensitive information such as hashed domain and local credentials.\n\nThis rule identifies copy operations of these files using specific command-line tools, such as Cmd.Exe, PowerShell.EXE, XCOPY.EXE, and esentutl.exe. By monitoring for the presence of these tools and their associated arguments, the rule aims to detect potential credential access activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, command lines, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check for any recent changes in user account privileges or group memberships that may have allowed the unauthorized access.\n- Determine whether the file was potentially exfiltrated from the subject host.\n- Scope compromised credentials and disable the accounts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE 
'%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n ((?process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") or process.name : (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\")) and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n ) or\n ((?process.pe.original_file_name : \"esentutl.exe\" or process.name : \"esentutl.exe\") and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n ) and\n process.command_line : (\"*\\\\ntds.dit*\", \"*\\\\config\\\\SAM*\", \"*\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\", \"*\\\\User Data\\\\*\")\n", "references": ["https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f", "setup": "## Setup\n\nIf enabling an 
EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f_113", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_114.json b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_114.json deleted file mode 100644 index 5bab916f080..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_114.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "NTDS or SAM Database File Copied", "note": "## Triage and analysis\n\n### Investigating NTDS or SAM Database File Copied\n\nThe Active Directory Domain Database (ntds.dit) and Security Account Manager (SAM) files are critical components in Windows environments, containing sensitive information such as hashed domain and local credentials.\n\nThis rule identifies copy operations of these files using specific command-line tools, such as Cmd.Exe, PowerShell.EXE, XCOPY.EXE, and esentutl.exe. By monitoring for the presence of these tools and their associated arguments, the rule aims to detect potential credential access activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, command lines, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check for any recent changes in user account privileges or group memberships that may have allowed the unauthorized access.\n- Determine whether the file was potentially exfiltrated from the subject host.\n- Scope compromised credentials and disable the accounts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE 
'%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n ((?process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") or process.name : (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\")) and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n ) or\n ((?process.pe.original_file_name : \"esentutl.exe\" or process.name : \"esentutl.exe\") and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n ) and\n process.command_line : (\"*\\\\ntds.dit*\", \"*\\\\config\\\\SAM*\", \"*\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\", \"*\\\\User Data\\\\*\")\n", "references": ["https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", "https://www.elastic.co/security-labs/detect-credential-access", "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], 
"risk_score": 73, "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 114}, "id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f_114", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_314.json b/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_314.json deleted file mode 100644 index f3fd0f270ad..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3bc6deaa-fbd4-433a-ae21-3e892f95624f_314.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies a copy operation of the Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files. Those files contain sensitive information including hashed domain and/or local credentials.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "NTDS or SAM Database File Copied", "note": "## Triage and analysis\n\n### Investigating NTDS or SAM Database File Copied\n\nThe Active Directory Domain Database (ntds.dit) and Security Account Manager (SAM) files are critical components in Windows environments, containing sensitive information such as hashed domain and local credentials.\n\nThis rule identifies copy operations of these files using specific command-line tools, such as Cmd.Exe, PowerShell.EXE, XCOPY.EXE, and esentutl.exe. By monitoring for the presence of these tools and their associated arguments, the rule aims to detect potential credential access activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, command lines, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check for any recent changes in user account privileges or group memberships that may have allowed the unauthorized access.\n- Determine whether the file was potentially exfiltrated from the subject host.\n- Scope compromised credentials and disable the accounts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE 
'%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n ((?process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\") or process.name : (\"Cmd.Exe\", \"PowerShell.EXE\", \"XCOPY.EXE\")) and\n process.args : (\"copy\", \"xcopy\", \"Copy-Item\", \"move\", \"cp\", \"mv\")\n ) or\n ((?process.pe.original_file_name : \"esentutl.exe\" or process.name : \"esentutl.exe\") and process.args : (\"*/y*\", \"*/vss*\", \"*/d*\"))\n ) and\n process.command_line : (\"*\\\\ntds.dit*\", \"*\\\\config\\\\SAM*\", \"*\\\\*\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy*\\\\*\", \"*/system32/config/SAM*\", \"*\\\\User Data\\\\*\")\n", "references": ["https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", "https://www.elastic.co/security-labs/detect-credential-access", "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, 
"name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 314}, "id": "3bc6deaa-fbd4-433a-ae21-3e892f95624f_314", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0.json b/packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0.json deleted file mode 100644 index f35c4be8352..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies unusual destination port activity that can indicate command-and-control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity.", "false_positives": ["A newly installed program or one that rarely uses the network could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_anomalous_network_port_activity"], "name": "Unusual Linux Network Port Activity", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"], "type": "machine_learning", "version": 104}, "id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0_101.json b/packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0_101.json deleted file mode 100644 index 13dec13c8b4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies unusual destination port activity that can indicate command-and-control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity.", "false_positives": ["A newly installed program or one that rarely uses the network could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_anomalous_network_port_activity"], "name": "Unusual Linux Network Port Activity", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0", "severity": "low", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning"], "type": "machine_learning", "version": 101}, "id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0_102.json b/packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0_102.json deleted file mode 100644 index 94c3279138e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies unusual destination port activity that can indicate command-and-control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity.", "false_positives": ["A newly installed program or one that rarely uses the network could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_anomalous_network_port_activity"], "name": "Unusual Linux Network Port Activity", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"], "type": "machine_learning", "version": 102}, "id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0_103.json b/packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0_103.json deleted file mode 100644 index 70269edbc33..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3c7e32e6-6104-46d9-a06e-da0f8b5795a0_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies unusual destination port activity that can indicate command-and-control, persistence mechanism, or data exfiltration activity. Rarely used destination port activity is generally unusual in Linux fleets, and can indicate unauthorized access or threat actor activity.", "false_positives": ["A newly installed program or one that rarely uses the network could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_anomalous_network_port_activity"], "name": "Unusual Linux Network Port Activity", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"], "type": "machine_learning", "version": 103}, "id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3d00feab-e203-4acc-a463-c3e15b7e9a73.json b/packages/security_detection_engine/kibana/security_rule/3d00feab-e203-4acc-a463-c3e15b7e9a73.json deleted file mode 100644 index 6196dce2d06..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3d00feab-e203-4acc-a463-c3e15b7e9a73.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). This activity may indicate exploitation activity or access to an existing web shell backdoor.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "ScreenConnect Server Spawning Suspicious Processes", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"ScreenConnect.Service.exe\" and\n (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"csc.exe\") or\n ?process.pe.original_file_name in (\"cmd.exe\", \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\"))\n", "references": ["https://blackpointcyber.com/resources/blog/breaking-through-the-screen/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "3d00feab-e203-4acc-a463-c3e15b7e9a73", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", 
"reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "3d00feab-e203-4acc-a463-c3e15b7e9a73", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3d00feab-e203-4acc-a463-c3e15b7e9a73_1.json b/packages/security_detection_engine/kibana/security_rule/3d00feab-e203-4acc-a463-c3e15b7e9a73_1.json deleted file mode 100644 index dcd9b8430f2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3d00feab-e203-4acc-a463-c3e15b7e9a73_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). This activity may indicate exploitation activity or access to an existing web shell backdoor.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "ScreenConnect Server Spawning Suspicious Processes", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"ScreenConnect.Service.exe\" and\n (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"csc.exe\") or\n ?process.pe.original_file_name in (\"cmd.exe\", \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\"))\n", "references": ["https://blackpointcyber.com/resources/blog/breaking-through-the-screen/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "3d00feab-e203-4acc-a463-c3e15b7e9a73", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": 
"https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "3d00feab-e203-4acc-a463-c3e15b7e9a73_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3d00feab-e203-4acc-a463-c3e15b7e9a73_2.json b/packages/security_detection_engine/kibana/security_rule/3d00feab-e203-4acc-a463-c3e15b7e9a73_2.json deleted file mode 100644 index 0e9d9fcaa9d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3d00feab-e203-4acc-a463-c3e15b7e9a73_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). This activity may indicate exploitation activity or access to an existing web shell backdoor.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "ScreenConnect Server Spawning Suspicious Processes", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"ScreenConnect.Service.exe\" and\n (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"csc.exe\") or\n ?process.pe.original_file_name in (\"cmd.exe\", \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\"))\n", "references": ["https://blackpointcyber.com/resources/blog/breaking-through-the-screen/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "3d00feab-e203-4acc-a463-c3e15b7e9a73", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", 
"reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "3d00feab-e203-4acc-a463-c3e15b7e9a73_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3d00feab-e203-4acc-a463-c3e15b7e9a73_202.json b/packages/security_detection_engine/kibana/security_rule/3d00feab-e203-4acc-a463-c3e15b7e9a73_202.json deleted file mode 100644 index 720ccb6ca47..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3d00feab-e203-4acc-a463-c3e15b7e9a73_202.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). This activity may indicate exploitation activity or access to an existing web shell backdoor.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "ScreenConnect Server Spawning Suspicious Processes", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"ScreenConnect.Service.exe\" and\n (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"csc.exe\") or\n ?process.pe.original_file_name in (\"cmd.exe\", \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\"))\n", "references": ["https://blackpointcyber.com/resources/blog/breaking-through-the-screen/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "3d00feab-e203-4acc-a463-c3e15b7e9a73", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data 
Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 202}, "id": "3d00feab-e203-4acc-a463-c3e15b7e9a73_202", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d.json b/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d.json deleted file mode 100644 index 60c90f3a39e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to Windows event log deletion activities. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Management\\\\*.psd1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Resources\\\\*\\\\M365Library.ps1"}}}}], "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Log Clear Capabilities", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Clear-EventLog\" or\n \"Remove-EventLog\" or\n (\"Eventing.Reader.EventLogSession\" and \".ClearLog\") or\n (\"Diagnostics.EventLog\" and \".Clear\")\n ) and\n not powershell.file.script_block_text : (\n \"CmdletsToExport=@(\\\"Add-Content\\\"\"\n ) and\n not file.directory : \"C:\\Program Files\\WindowsAdminCenter\\PowerShellModules\\Microsoft.WindowsAdminCenter.Configuration\"\n", "references": ["https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear", "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", 
"type": "unknown"}], "risk_score": 21, "rule_id": "3d3aa8f9-12af-441f-9344-9f31053e316d", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "3d3aa8f9-12af-441f-9344-9f31053e316d", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_1.json b/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_1.json
deleted file mode 100644
index 0378e9c11d7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to Windows event log deletion activities. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Log Clear Capabilities", "note": "", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Clear-EventLog\" or\n \"Remove-EventLog\" or\n (\"Eventing.Reader.EventLogSession\" and \".ClearLog\") or\n (\"Diagnostics.EventLog\" and \".Clear\")\n )\n", "references": ["https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear", "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 21, "rule_id": "3d3aa8f9-12af-441f-9344-9f31053e316d", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Rule 
Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "3d3aa8f9-12af-441f-9344-9f31053e316d_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_105.json b/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_105.json
deleted file mode 100644
index fb62167e45d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to Windows event log deletion activities. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Management\\\\*.psd1"}}}}], "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Log Clear Capabilities", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Clear-EventLog\" or\n \"Remove-EventLog\" or\n (\"Eventing.Reader.EventLogSession\" and \".ClearLog\") or\n (\"Diagnostics.EventLog\" and \".Clear\")\n ) and\n not powershell.file.script_block_text : (\n \"CmdletsToExport=@(\\\"Add-Content\\\"\"\n )\n", "references": ["https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear", "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 21, "rule_id": "3d3aa8f9-12af-441f-9344-9f31053e316d", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the 
logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "3d3aa8f9-12af-441f-9344-9f31053e316d_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_106.json b/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_106.json
deleted file mode 100644
index 16f9413db87..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to Windows event log deletion activities. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Management\\\\*.psd1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Resources\\\\*\\\\M365Library.ps1"}}}}], "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Log Clear Capabilities", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Clear-EventLog\" or\n \"Remove-EventLog\" or\n (\"Eventing.Reader.EventLogSession\" and \".ClearLog\") or\n (\"Diagnostics.EventLog\" and \".Clear\")\n ) and\n not powershell.file.script_block_text : (\n \"CmdletsToExport=@(\\\"Add-Content\\\"\"\n ) and\n not file.directory : \"C:\\Program Files\\WindowsAdminCenter\\PowerShellModules\\Microsoft.WindowsAdminCenter.Configuration\"\n", "references": ["https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear", "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", 
"type": "unknown"}], "risk_score": 21, "rule_id": "3d3aa8f9-12af-441f-9344-9f31053e316d", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "3d3aa8f9-12af-441f-9344-9f31053e316d_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_107.json b/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_107.json
deleted file mode 100644
index d9ce7369f73..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to Windows event log deletion activities. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\Microsoft.PowerShell.Management\\\\*.psd1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Resources\\\\*\\\\M365Library.ps1"}}}}], "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Log Clear Capabilities", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Clear-EventLog\" or\n \"Remove-EventLog\" or\n (\"Eventing.Reader.EventLogSession\" and \".ClearLog\") or\n (\"Diagnostics.EventLog\" and \".Clear\")\n ) and\n not powershell.file.script_block_text : (\n \"CmdletsToExport=@(\\\"Add-Content\\\"\"\n ) and\n not file.directory : \"C:\\Program Files\\WindowsAdminCenter\\PowerShellModules\\Microsoft.WindowsAdminCenter.Configuration\"\n", "references": ["https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear", "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", 
"type": "unknown"}], "risk_score": 21, "rule_id": "3d3aa8f9-12af-441f-9344-9f31053e316d", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "3d3aa8f9-12af-441f-9344-9f31053e316d_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_2.json b/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_2.json
deleted file mode 100644
index 4d94c95f2b2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to Windows event log deletion activities. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Log Clear Capabilities", "note": "", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Clear-EventLog\" or\n \"Remove-EventLog\" or\n (\"Eventing.Reader.EventLogSession\" and \".ClearLog\") or\n (\"Diagnostics.EventLog\" and \".Clear\")\n ) and\n not file.path : (\n ?\\:\\\\\\\\*\\\\\\\\system32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\Modules\\\\\\\\Microsoft.PowerShell.Management\\\\\\\\*.psd1\n )\n", "references": ["https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear", "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 21, "rule_id": "3d3aa8f9-12af-441f-9344-9f31053e316d", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "3d3aa8f9-12af-441f-9344-9f31053e316d_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_3.json b/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_3.json deleted file mode 100644 index 5e8fe9de7d8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_3.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to Windows event log deletion activities. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Log Clear Capabilities", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Clear-EventLog\" or\n \"Remove-EventLog\" or\n (\"Eventing.Reader.EventLogSession\" and \".ClearLog\") or\n (\"Diagnostics.EventLog\" and \".Clear\")\n ) and\n not file.path : (\n ?\\:\\\\\\\\*\\\\\\\\system32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\Modules\\\\\\\\Microsoft.PowerShell.Management\\\\\\\\*.psd1\n )\n", "references": ["https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear", "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 21, "rule_id": "3d3aa8f9-12af-441f-9344-9f31053e316d", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v 
EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "3d3aa8f9-12af-441f-9344-9f31053e316d_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_4.json b/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_4.json
deleted file mode 100644
index 397cdec5d3d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to Windows event log deletion activities. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Log Clear Capabilities", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Clear-EventLog\" or\n \"Remove-EventLog\" or\n (\"Eventing.Reader.EventLogSession\" and \".ClearLog\") or\n (\"Diagnostics.EventLog\" and \".Clear\")\n ) and\n not file.path : (\n ?\\:\\\\\\\\*\\\\\\\\system32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\Modules\\\\\\\\Microsoft.PowerShell.Management\\\\\\\\*.psd1\n ) and\n not powershell.file.script_block_text : (\n \"CmdletsToExport=@(\\\"Add-Content\\\"\"\n )\n", "references": ["https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear", "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 21, "rule_id": "3d3aa8f9-12af-441f-9344-9f31053e316d", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via 
registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "3d3aa8f9-12af-441f-9344-9f31053e316d_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_5.json b/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_5.json
deleted file mode 100644
index f758de60e67..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3d3aa8f9-12af-441f-9344-9f31053e316d_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to Windows event log deletion activities. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Log Clear Capabilities", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Clear-EventLog\" or\n \"Remove-EventLog\" or\n (\"Eventing.Reader.EventLogSession\" and \".ClearLog\") or\n (\"Diagnostics.EventLog\" and \".Clear\")\n ) and\n not file.path : (\n ?\\:\\\\\\\\*\\\\\\\\system32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\Modules\\\\\\\\Microsoft.PowerShell.Management\\\\\\\\*.psd1\n ) and\n not powershell.file.script_block_text : (\n \"CmdletsToExport=@(\\\"Add-Content\\\"\"\n )\n", "references": ["https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventlog.clear", "https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.eventing.reader.eventlogsession.clearlog"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 21, "rule_id": "3d3aa8f9-12af-441f-9344-9f31053e316d", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy 
via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "3d3aa8f9-12af-441f-9344-9f31053e316d_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d.json b/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d.json deleted file mode 100644 index b9e0c57b862..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an update to an AWS log trail setting that specifies the delivery of log files.", "false_positives": ["Trail updates may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Updated", "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Updated\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\n\nThis rule identifies a modification on CloudTrail settings using the API `UpdateTrail` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the response elements of the event to determine the scope of the changes.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "3e002465-876f-4f04-b016-84ef48ce7e5d", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Cloudtrail", "Use Case: Log Auditing", "Resources: Investigation 
Guide", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1565", "name": "Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/", "subtechnique": [{"id": "T1565.001", "name": "Stored Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1530", "name": "Data from Cloud Storage", "reference": "https://attack.mitre.org/techniques/T1530/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "3e002465-876f-4f04-b016-84ef48ce7e5d", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_105.json b/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_105.json deleted file mode 100644 index 59e3dec12ea..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an update to an AWS log trail setting that specifies the delivery of log files.", "false_positives": ["Trail updates may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Updated", "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Updated\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\n\nThis rule identifies a modification on CloudTrail settings using the API `UpdateTrail` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the response elements of the event to determine the scope of the changes.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "3e002465-876f-4f04-b016-84ef48ce7e5d", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Log Auditing", "Investigation Guide"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1565", "name": "Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/", "subtechnique": [{"id": "T1565.001", "name": "Stored Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1530", "name": "Data from Cloud Storage", "reference": "https://attack.mitre.org/techniques/T1530/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "3e002465-876f-4f04-b016-84ef48ce7e5d_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_106.json b/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_106.json deleted file mode 100644 index 1193a783372..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an update to an AWS log trail setting that specifies the delivery of log files.", "false_positives": ["Trail updates may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Updated", "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Updated\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\n\nThis rule identifies a modification on CloudTrail settings using the API `UpdateTrail` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the response elements of the event to determine the scope of the changes.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "3e002465-876f-4f04-b016-84ef48ce7e5d", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Impact"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1565", "name": "Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/", "subtechnique": [{"id": "T1565.001", "name": "Stored Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1530", "name": "Data from Cloud Storage", "reference": "https://attack.mitre.org/techniques/T1530/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "3e002465-876f-4f04-b016-84ef48ce7e5d_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_107.json b/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_107.json deleted file mode 100644 index 0c17f2777bd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an update to an AWS log trail setting that specifies the delivery of log files.", "false_positives": ["Trail updates may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Updated", "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Updated\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\n\nThis rule identifies a modification on CloudTrail settings using the API `UpdateTrail` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the response elements of the event to determine the scope of the changes.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "3e002465-876f-4f04-b016-84ef48ce7e5d", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Impact"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1565", "name": "Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/", "subtechnique": [{"id": "T1565.001", "name": "Stored Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1530", "name": "Data from Cloud Storage", "reference": "https://attack.mitre.org/techniques/T1530/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "3e002465-876f-4f04-b016-84ef48ce7e5d_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_208.json b/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_208.json deleted file mode 100644 index 738b915e26e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3e002465-876f-4f04-b016-84ef48ce7e5d_208.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an update to an AWS log trail setting that specifies the delivery of log files.", "false_positives": ["Trail updates may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Updated", "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Updated\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\n\nThis rule identifies a modification on CloudTrail settings using the API `UpdateTrail` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the response elements of the event to determine the scope of the changes.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:UpdateTrail and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "3e002465-876f-4f04-b016-84ef48ce7e5d", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Impact"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1565", "name": "Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/", "subtechnique": [{"id": "T1565.001", "name": "Stored Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1530", "name": "Data from Cloud Storage", "reference": "https://attack.mitre.org/techniques/T1530/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 208}, "id": "3e002465-876f-4f04-b016-84ef48ce7e5d_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e0561b5-3fac-4461-84cc-19163b9aaa61.json b/packages/security_detection_engine/kibana/security_rule/3e0561b5-3fac-4461-84cc-19163b9aaa61.json deleted file mode 100644 index a6b2daf9356..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3e0561b5-3fac-4461-84cc-19163b9aaa61.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected a high count of destination IPs establishing an RDP connection with a single source IP. Once an attacker has gained access to one system, they might attempt to access more in the network in search of valuable assets, data, or further access points.", "from": "now-12h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source", "name": "Spike in Number of Connections Made from a Source IP", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "3e0561b5-3fac-4461-84cc-19163b9aaa61", "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 4}, "id": "3e0561b5-3fac-4461-84cc-19163b9aaa61", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e0561b5-3fac-4461-84cc-19163b9aaa61_1.json b/packages/security_detection_engine/kibana/security_rule/3e0561b5-3fac-4461-84cc-19163b9aaa61_1.json deleted file mode 100644 index 173f9664874..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3e0561b5-3fac-4461-84cc-19163b9aaa61_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected a high count of destination IPs establishing an RDP connection with a single source IP. Once an attacker has gained access to one system, they might attempt to access more in the network in search of valuable assets, data, or further access points.", "from": "now-12h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source", "name": "Spike in Number of Connections Made from a Source IP", "note": "", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "3e0561b5-3fac-4461-84cc-19163b9aaa61", "setup": "The Lateral Movement Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 1}, "id": "3e0561b5-3fac-4461-84cc-19163b9aaa61_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e0561b5-3fac-4461-84cc-19163b9aaa61_2.json b/packages/security_detection_engine/kibana/security_rule/3e0561b5-3fac-4461-84cc-19163b9aaa61_2.json deleted file mode 100644 index fb58ffe96e5..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/3e0561b5-3fac-4461-84cc-19163b9aaa61_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected a high count of destination IPs establishing an RDP connection with a single source IP. Once an attacker has gained access to one system, they might attempt to access more in the network in search of valuable assets, data, or further access points.", "from": "now-12h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source", "name": "Spike in Number of Connections Made from a Source IP", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "3e0561b5-3fac-4461-84cc-19163b9aaa61", "setup": "The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". 
Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 2}, "id": "3e0561b5-3fac-4461-84cc-19163b9aaa61_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e0561b5-3fac-4461-84cc-19163b9aaa61_3.json b/packages/security_detection_engine/kibana/security_rule/3e0561b5-3fac-4461-84cc-19163b9aaa61_3.json deleted file mode 100644 index a6bdafdfe92..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3e0561b5-3fac-4461-84cc-19163b9aaa61_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected a high count of destination IPs establishing an RDP connection with a single source IP. Once an attacker has gained access to one system, they might attempt to access more in the network in search of valuable assets, data, or further access points.", "from": "now-12h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_rdp_distinct_count_destination_ip_for_source", "name": "Spike in Number of Connections Made from a Source IP", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "3e0561b5-3fac-4461-84cc-19163b9aaa61", "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". 
Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 3}, "id": "3e0561b5-3fac-4461-84cc-19163b9aaa61_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7.json b/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7.json deleted file mode 100644 index 58b59aff97d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution via Windows Subsystem for Linux", "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n (\n (\n (process.executable : \"?:\\\\Windows\\\\System32\\\\bash.exe\" or ?process.pe.original_file_name == \"Bash.exe\") and \n not process.command_line : (\"bash\", \"bash.exe\")\n ) or \n process.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Packages\\\\*\\\\rootfs\\\\usr\\\\bin\\\\bash\" or \n (\n process.parent.name : \"wsl.exe\" and ?process.parent.command_line : \"bash*\" and not process.name : \"wslhost.exe\"\n ) or \n (\n process.name : \"wsl.exe\" and process.args : (\n \"curl\", \"/etc/shadow\", \"/etc/passwd\", \"cat\", \"--system\", \"root\", \"-e\", \"--exec\", \"bash\", \"/mnt/c/*\"\n ) and not process.args : (\"wsl-bootstrap\", \"docker-desktop-data\", \"*.vscode-server*\")\n )\n ) and \n not process.parent.executable : (\"?:\\\\Program Files\\\\Docker\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\Docker\\\\*.exe\")\n", "references": ["https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": 
true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "3e0eeb75-16e8-4f2f-9826-62461ca128b7", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "3e0eeb75-16e8-4f2f-9826-62461ca128b7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_2.json b/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_2.json deleted file mode 100644 index b5d1ab3b22d..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution via Windows Subsystem for Linux", "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n (\n ((process.executable : \"?:\\\\Windows\\\\System32\\\\bash.exe\" or process.pe.original_file_name == \"Bash.exe\") and \n not process.command_line : (\"bash\", \"bash.exe\")) or \n process.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Packages\\\\*\\\\rootfs\\\\usr\\\\bin\\\\bash\" or \n (process.parent.name : \"wsl.exe\" and process.parent.command_line : \"bash*\" and not process.name : \"wslhost.exe\") or \n (process.name : \"wsl.exe\" and process.args : (\"curl\", \"/etc/shadow\", \"/etc/passwd\", \"cat\",\"--system\", \"root\", \"-e\", \"--exec\", \"bash\", \"/mnt/c/*\"))\n ) and \n not process.parent.executable : (\"?:\\\\Program Files\\\\Docker\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\Docker\\\\*.exe\")\n", "references": ["https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, 
"name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "3e0eeb75-16e8-4f2f-9826-62461ca128b7", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "3e0eeb75-16e8-4f2f-9826-62461ca128b7_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_3.json b/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_3.json deleted file mode 100644 index 5f8c1b55ac7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution via Windows Subsystem for Linux", "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n (\n ((process.executable : \"?:\\\\Windows\\\\System32\\\\bash.exe\" or process.pe.original_file_name == \"Bash.exe\") and \n not process.command_line : (\"bash\", \"bash.exe\")) or \n process.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Packages\\\\*\\\\rootfs\\\\usr\\\\bin\\\\bash\" or \n (process.parent.name : \"wsl.exe\" and process.parent.command_line : \"bash*\" and not process.name : \"wslhost.exe\") or \n (process.name : \"wsl.exe\" and process.args : (\"curl\", \"/etc/shadow\", \"/etc/passwd\", \"cat\",\"--system\", \"root\", \"-e\", \"--exec\", \"bash\", \"/mnt/c/*\"))\n ) and \n not process.parent.executable : (\"?:\\\\Program Files\\\\Docker\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\Docker\\\\*.exe\")\n", "references": ["https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, 
"name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "3e0eeb75-16e8-4f2f-9826-62461ca128b7", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "3e0eeb75-16e8-4f2f-9826-62461ca128b7_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_4.json b/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_4.json deleted file mode 100644 index f29d9b616bf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution via Windows Subsystem for Linux", "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n (\n ((process.executable : \"?:\\\\Windows\\\\System32\\\\bash.exe\" or process.pe.original_file_name == \"Bash.exe\") and \n not process.command_line : (\"bash\", \"bash.exe\")) or \n process.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Packages\\\\*\\\\rootfs\\\\usr\\\\bin\\\\bash\" or \n (process.parent.name : \"wsl.exe\" and process.parent.command_line : \"bash*\" and not process.name : \"wslhost.exe\") or \n (process.name : \"wsl.exe\" and process.args : (\"curl\", \"/etc/shadow\", \"/etc/passwd\", \"cat\",\"--system\", \"root\", \"-e\", \"--exec\", \"bash\", \"/mnt/c/*\"))\n ) and \n not process.parent.executable : (\"?:\\\\Program Files\\\\Docker\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\Docker\\\\*.exe\")\n", "references": ["https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, 
"name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "3e0eeb75-16e8-4f2f-9826-62461ca128b7", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "3e0eeb75-16e8-4f2f-9826-62461ca128b7_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_5.json b/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_5.json
deleted file mode 100644
index 5288e5f3b22..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution via Windows Subsystem for Linux", "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n (\n (\n (process.executable : \"?:\\\\Windows\\\\System32\\\\bash.exe\" or ?process.pe.original_file_name == \"Bash.exe\") and \n not process.command_line : (\"bash\", \"bash.exe\")\n ) or \n process.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Packages\\\\*\\\\rootfs\\\\usr\\\\bin\\\\bash\" or \n (\n process.parent.name : \"wsl.exe\" and ?process.parent.command_line : \"bash*\" and not process.name : \"wslhost.exe\"\n ) or \n (\n process.name : \"wsl.exe\" and process.args : (\n \"curl\", \"/etc/shadow\", \"/etc/passwd\", \"cat\", \"--system\", \"root\", \"-e\", \"--exec\", \"bash\", \"/mnt/c/*\"\n ) and not process.args : (\"wsl-bootstrap\", \"docker-desktop-data\", \"*.vscode-server*\")\n )\n ) and \n not process.parent.executable : (\"?:\\\\Program Files\\\\Docker\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\Docker\\\\*.exe\")\n", "references": ["https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, 
"name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "3e0eeb75-16e8-4f2f-9826-62461ca128b7", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "3e0eeb75-16e8-4f2f-9826-62461ca128b7_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_6.json b/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_6.json
deleted file mode 100644
index b8d34865eb0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution via Windows Subsystem for Linux", "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n (\n (\n (process.executable : \"?:\\\\Windows\\\\System32\\\\bash.exe\" or ?process.pe.original_file_name == \"Bash.exe\") and \n not process.command_line : (\"bash\", \"bash.exe\")\n ) or \n process.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Packages\\\\*\\\\rootfs\\\\usr\\\\bin\\\\bash\" or \n (\n process.parent.name : \"wsl.exe\" and ?process.parent.command_line : \"bash*\" and not process.name : \"wslhost.exe\"\n ) or \n (\n process.name : \"wsl.exe\" and process.args : (\n \"curl\", \"/etc/shadow\", \"/etc/passwd\", \"cat\", \"--system\", \"root\", \"-e\", \"--exec\", \"bash\", \"/mnt/c/*\"\n ) and not process.args : (\"wsl-bootstrap\", \"docker-desktop-data\", \"*.vscode-server*\")\n )\n ) and \n not process.parent.executable : (\"?:\\\\Program Files\\\\Docker\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\Docker\\\\*.exe\")\n", "references": ["https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": 
true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "3e0eeb75-16e8-4f2f-9826-62461ca128b7", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "3e0eeb75-16e8-4f2f-9826-62461ca128b7_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_7.json b/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_7.json
deleted file mode 100644
index b1c1dc1f9b7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3e0eeb75-16e8-4f2f-9826-62461ca128b7_7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects Linux Bash commands from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution via Windows Subsystem for Linux", "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n (\n (\n (process.executable : \"?:\\\\Windows\\\\System32\\\\bash.exe\" or ?process.pe.original_file_name == \"Bash.exe\") and \n not process.command_line : (\"bash\", \"bash.exe\")\n ) or \n process.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Packages\\\\*\\\\rootfs\\\\usr\\\\bin\\\\bash\" or \n (\n process.parent.name : \"wsl.exe\" and ?process.parent.command_line : \"bash*\" and not process.name : \"wslhost.exe\"\n ) or \n (\n process.name : \"wsl.exe\" and process.args : (\n \"curl\", \"/etc/shadow\", \"/etc/passwd\", \"cat\", \"--system\", \"root\", \"-e\", \"--exec\", \"bash\", \"/mnt/c/*\"\n ) and not process.args : (\"wsl-bootstrap\", \"docker-desktop-data\", \"*.vscode-server*\")\n )\n ) and \n not process.parent.executable : (\"?:\\\\Program Files\\\\Docker\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\Docker\\\\*.exe\")\n", "references": ["https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/", "https://blog.qualys.com/vulnerabilities-threat-research/2022/03/22/implications-of-windows-subsystem-for-linux-for-adversaries-defenders-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": 
true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "3e0eeb75-16e8-4f2f-9826-62461ca128b7", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "3e0eeb75-16e8-4f2f-9826-62461ca128b7_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96.json b/packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96.json
deleted file mode 100644
index 486decaa6f8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the loading of a Linux kernel module through system calls. Threat actors may leverage Linux kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security products. As other rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through auditd_manager.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel Driver Load", "query": "driver where host.os.type == \"linux\" and event.action == \"loaded-kernel-module\" and\nauditd.data.syscall in (\"init_module\", \"finit_module\")\n", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "3e12a439-d002-4944-bc42-171c0dcb9b96", "setup": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. 
\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\n-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "low", "tags": ["Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "3e12a439-d002-4944-bc42-171c0dcb9b96", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96_1.json b/packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96_1.json
deleted file mode 100644
index 2b73aa1f9f5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects the loading of a Linux kernel module through system calls. Threat actors may leverage Linux kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security products. As other rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through auditd_manager.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel Driver Load", "query": "driver where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \nevent.action == \"loaded-kernel-module\" and auditd.data.syscall in (\"init_module\", \"finit_module\")\n", "related_integrations": [{"integration": "auditd", "package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "3e12a439-d002-4944-bc42-171c0dcb9b96", "setup": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. 
The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\n-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": 
"3e12a439-d002-4944-bc42-171c0dcb9b96_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96_2.json b/packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96_2.json
deleted file mode 100644
index af60097ffac..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects the loading of a Linux kernel module through system calls. Threat actors may leverage Linux kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security products. As other rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through auditd_manager.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel Driver Load", "query": "driver where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \nevent.action == \"loaded-kernel-module\" and auditd.data.syscall in (\"init_module\", \"finit_module\")\n", "related_integrations": [{"integration": "auditd", "package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.syscall", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "3e12a439-d002-4944-bc42-171c0dcb9b96", "setup": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. 
The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\n-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": 
"3e12a439-d002-4944-bc42-171c0dcb9b96_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96_3.json b/packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96_3.json
deleted file mode 100644
index 8214344ab31..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3e12a439-d002-4944-bc42-171c0dcb9b96_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects the loading of a Linux kernel module through system calls. Threat actors may leverage Linux kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security products. As other rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through auditd_manager.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel Driver Load", "query": "driver where host.os.type == \"linux\" and event.action == \"loaded-kernel-module\" and\nauditd.data.syscall in (\"init_module\", \"finit_module\")\n", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "3e12a439-d002-4944-bc42-171c0dcb9b96", "setup": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. 
\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\n-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "low", "tags": ["Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "3e12a439-d002-4944-bc42-171c0dcb9b96_3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e.json b/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e.json
deleted file mode 100644
index 60ee2d568ad..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Emond Child Process", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name : \"emond\" and\n process.name : (\n \"bash\",\n \"dash\",\n \"sh\",\n \"tcsh\",\n \"csh\",\n \"zsh\",\n \"ksh\",\n \"fish\",\n \"Python\",\n \"python*\",\n \"perl*\",\n \"php*\",\n \"osascript\",\n \"pwsh\",\n \"curl\",\n \"wget\",\n \"cp\",\n \"mv\",\n \"touch\",\n \"echo\",\n \"base64\",\n \"launchctl\")\n", "references": ["https://www.xorrior.com/emond-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "3e3d15c6-1509-479a-b125-21718372157e", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.014", "name": "Emond", "reference": "https://attack.mitre.org/techniques/T1546/014/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "3e3d15c6-1509-479a-b125-21718372157e", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_102.json b/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_102.json deleted file mode 100644 index da704774d17..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Emond Child Process", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name : \"emond\" and\n process.name : (\n \"bash\",\n \"dash\",\n \"sh\",\n \"tcsh\",\n \"csh\",\n \"zsh\",\n \"ksh\",\n \"fish\",\n \"Python\",\n \"python*\",\n \"perl*\",\n \"php*\",\n \"osascript\",\n \"pwsh\",\n \"curl\",\n \"wget\",\n \"cp\",\n \"mv\",\n \"touch\",\n \"echo\",\n \"base64\",\n \"launchctl\")\n", "references": ["https://www.xorrior.com/emond-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "3e3d15c6-1509-479a-b125-21718372157e", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.014", "name": "Emond", "reference": "https://attack.mitre.org/techniques/T1546/014/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "3e3d15c6-1509-479a-b125-21718372157e_102", "type": 
"security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_103.json b/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_103.json
deleted file mode 100644
index 032b67eecbe..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Emond Child Process", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name : \"emond\" and\n process.name : (\n \"bash\",\n \"dash\",\n \"sh\",\n \"tcsh\",\n \"csh\",\n \"zsh\",\n \"ksh\",\n \"fish\",\n \"Python\",\n \"python*\",\n \"perl*\",\n \"php*\",\n \"osascript\",\n \"pwsh\",\n \"curl\",\n \"wget\",\n \"cp\",\n \"mv\",\n \"touch\",\n \"echo\",\n \"base64\",\n \"launchctl\")\n", "references": ["https://www.xorrior.com/emond-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "3e3d15c6-1509-479a-b125-21718372157e", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.014", "name": "Emond", "reference": "https://attack.mitre.org/techniques/T1546/014/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": 
"3e3d15c6-1509-479a-b125-21718372157e_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_104.json b/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_104.json
deleted file mode 100644
index 81469e6d76b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Emond Child Process", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name : \"emond\" and\n process.name : (\n \"bash\",\n \"dash\",\n \"sh\",\n \"tcsh\",\n \"csh\",\n \"zsh\",\n \"ksh\",\n \"fish\",\n \"Python\",\n \"python*\",\n \"perl*\",\n \"php*\",\n \"osascript\",\n \"pwsh\",\n \"curl\",\n \"wget\",\n \"cp\",\n \"mv\",\n \"touch\",\n \"echo\",\n \"base64\",\n \"launchctl\")\n", "references": ["https://www.xorrior.com/emond-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "3e3d15c6-1509-479a-b125-21718372157e", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.014", "name": "Emond", "reference": "https://attack.mitre.org/techniques/T1546/014/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": 
"3e3d15c6-1509-479a-b125-21718372157e_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_105.json b/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_105.json
deleted file mode 100644
index 4a67e9ad611..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Emond Child Process", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name : \"emond\" and\n process.name : (\n \"bash\",\n \"dash\",\n \"sh\",\n \"tcsh\",\n \"csh\",\n \"zsh\",\n \"ksh\",\n \"fish\",\n \"Python\",\n \"python*\",\n \"perl*\",\n \"php*\",\n \"osascript\",\n \"pwsh\",\n \"curl\",\n \"wget\",\n \"cp\",\n \"mv\",\n \"touch\",\n \"echo\",\n \"base64\",\n \"launchctl\")\n", "references": ["https://www.xorrior.com/emond-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "3e3d15c6-1509-479a-b125-21718372157e", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.014", "name": "Emond", "reference": "https://attack.mitre.org/techniques/T1546/014/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "3e3d15c6-1509-479a-b125-21718372157e_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_106.json b/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_106.json deleted file mode 100644 index d2527073a69..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3e3d15c6-1509-479a-b125-21718372157e_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Emond Child Process", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name : \"emond\" and\n process.name : (\n \"bash\",\n \"dash\",\n \"sh\",\n \"tcsh\",\n \"csh\",\n \"zsh\",\n \"ksh\",\n \"fish\",\n \"Python\",\n \"python*\",\n \"perl*\",\n \"php*\",\n \"osascript\",\n \"pwsh\",\n \"curl\",\n \"wget\",\n \"cp\",\n \"mv\",\n \"touch\",\n \"echo\",\n \"base64\",\n \"launchctl\")\n", "references": ["https://www.xorrior.com/emond-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "3e3d15c6-1509-479a-b125-21718372157e", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.014", "name": "Emond", "reference": "https://attack.mitre.org/techniques/T1546/014/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "3e3d15c6-1509-479a-b125-21718372157e_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3e441bdb-596c-44fd-8628-2cfdf4516ada.json b/packages/security_detection_engine/kibana/security_rule/3e441bdb-596c-44fd-8628-2cfdf4516ada.json deleted file mode 100644 index e7f645cfd6c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3e441bdb-596c-44fd-8628-2cfdf4516ada.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the built-in Windows Installer, msiexec.exe, to install a remote package. Adversaries may abuse msiexec.exe to launch local or network accessible MSI files.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote File Execution via MSIEXEC", "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n process.name : \"msiexec.exe\" and process.args : \"/V\"] by process.entity_id\n [network where host.os.type == \"windows\" and process.name : \"msiexec.exe\" and\n event.action == \"connection_attempted\"] by process.entity_id\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n process.parent.name : \"msiexec.exe\" and user.id : (\"S-1-5-21-*\", \"S-1-5-12-1-*\") and\n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\srtasks.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\srtasks.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskkill.exe\",\n \"?:\\\\Windows\\\\Installer\\\\MSI*.tmp\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\ie4uinit.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\ie4uinit.exe\",\n \"?:\\\\Windows\\\\System32\\\\sc.exe\",\n \"?:\\\\Windows\\\\system32\\\\Wbem\\\\mofcomp.exe\",\n \"?:\\\\Windows\\\\twain_32\\\\fjscan32\\\\SOP\\\\crtdmprc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\taskkill.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\schtasks.exe\",\n \"?:\\\\Windows\\\\system32\\\\schtasks.exe\",\n \"?:\\\\Windows\\\\System32\\\\sdbinst.exe\") and\n not (process.code_signature.subject_name == \"Citrix Systems, Inc.\" and process.code_signature.trusted == true) and\n not (process.name : (\"regsvr32.exe\", 
\"powershell.exe\", \"rundll32.exe\", \"wscript.exe\") and\n process.Ext.token.integrity_level_name == \"high\" and\n process.args : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\")) and\n not (process.executable : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and process.code_signature.trusted == true) and\n not (process.name : \"rundll32.exe\" and process.args : \"printui.dll,PrintUIEntry\")\n ] by process.parent.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "3e441bdb-596c-44fd-8628-2cfdf4516ada", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.002", "name": "Spearphishing Link", "reference": 
"https://attack.mitre.org/techniques/T1566/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.007", "name": "Msiexec", "reference": "https://attack.mitre.org/techniques/T1218/007/"}]}]}], "type": "eql", "version": 3}, "id": "3e441bdb-596c-44fd-8628-2cfdf4516ada", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3e441bdb-596c-44fd-8628-2cfdf4516ada_1.json b/packages/security_detection_engine/kibana/security_rule/3e441bdb-596c-44fd-8628-2cfdf4516ada_1.json
deleted file mode 100644
index e58fb78047b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3e441bdb-596c-44fd-8628-2cfdf4516ada_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the execution of the built-in Windows Installer, msiexec.exe, to install a remote package. Adversaries may abuse msiexec.exe to launch local or network accessible MSI files.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote File Execution via MSIEXEC", "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n process.name : \"msiexec.exe\" and process.args : \"/V\"] by process.entity_id\n [network where host.os.type == \"windows\" and process.name : \"msiexec.exe\" and\n event.action == \"connection_attempted\"] by process.entity_id\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n process.parent.name : \"msiexec.exe\" and user.id : (\"S-1-5-21-*\", \"S-1-5-12-1-*\") and\n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\srtasks.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\srtasks.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskkill.exe\",\n \"?:\\\\Windows\\\\Installer\\\\MSI*.tmp\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\ie4uinit.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\ie4uinit.exe\",\n \"?:\\\\Windows\\\\System32\\\\sc.exe\",\n \"?:\\\\Windows\\\\system32\\\\Wbem\\\\mofcomp.exe\",\n \"?:\\\\Windows\\\\twain_32\\\\fjscan32\\\\SOP\\\\crtdmprc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\taskkill.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\schtasks.exe\",\n \"?:\\\\Windows\\\\system32\\\\schtasks.exe\",\n \"?:\\\\Windows\\\\System32\\\\sdbinst.exe\") and\n not (process.code_signature.subject_name == \"Citrix Systems, Inc.\" and process.code_signature.trusted == true) and\n not (process.name : (\"regsvr32.exe\", 
\"powershell.exe\", \"rundll32.exe\", \"wscript.exe\") and\n process.Ext.token.integrity_level_name == \"high\" and\n process.args : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\")) and\n not (process.executable : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and process.code_signature.trusted == true) and\n not (process.name : \"rundll32.exe\" and process.args : \"printui.dll,PrintUIEntry\")\n ] by process.parent.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "3e441bdb-596c-44fd-8628-2cfdf4516ada", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.002", "name": "Spearphishing Link", "reference": 
"https://attack.mitre.org/techniques/T1566/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.007", "name": "Msiexec", "reference": "https://attack.mitre.org/techniques/T1218/007/"}]}]}], "type": "eql", "version": 1}, "id": "3e441bdb-596c-44fd-8628-2cfdf4516ada_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3e441bdb-596c-44fd-8628-2cfdf4516ada_2.json b/packages/security_detection_engine/kibana/security_rule/3e441bdb-596c-44fd-8628-2cfdf4516ada_2.json
deleted file mode 100644
index 680d87bae51..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3e441bdb-596c-44fd-8628-2cfdf4516ada_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the built-in Windows Installer, msiexec.exe, to install a remote package. Adversaries may abuse msiexec.exe to launch local or network accessible MSI files.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote File Execution via MSIEXEC", "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n process.name : \"msiexec.exe\" and process.args : \"/V\"] by process.entity_id\n [network where host.os.type == \"windows\" and process.name : \"msiexec.exe\" and\n event.action == \"connection_attempted\"] by process.entity_id\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n process.parent.name : \"msiexec.exe\" and user.id : (\"S-1-5-21-*\", \"S-1-5-12-1-*\") and\n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\srtasks.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\srtasks.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskkill.exe\",\n \"?:\\\\Windows\\\\Installer\\\\MSI*.tmp\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\ie4uinit.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\ie4uinit.exe\",\n \"?:\\\\Windows\\\\System32\\\\sc.exe\",\n \"?:\\\\Windows\\\\system32\\\\Wbem\\\\mofcomp.exe\",\n \"?:\\\\Windows\\\\twain_32\\\\fjscan32\\\\SOP\\\\crtdmprc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\taskkill.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\schtasks.exe\",\n \"?:\\\\Windows\\\\system32\\\\schtasks.exe\",\n \"?:\\\\Windows\\\\System32\\\\sdbinst.exe\") and\n not (process.code_signature.subject_name == \"Citrix Systems, Inc.\" and process.code_signature.trusted == true) and\n not (process.name : (\"regsvr32.exe\", \"powershell.exe\", \"rundll32.exe\", 
\"wscript.exe\") and\n process.Ext.token.integrity_level_name == \"high\" and\n process.args : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\")) and\n not (process.executable : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and process.code_signature.trusted == true) and\n not (process.name : \"rundll32.exe\" and process.args : \"printui.dll,PrintUIEntry\")\n ] by process.parent.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "3e441bdb-596c-44fd-8628-2cfdf4516ada", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}, {"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.007", "name": "Msiexec", "reference": "https://attack.mitre.org/techniques/T1218/007/"}]}]}], "type": "eql", "version": 2}, "id": "3e441bdb-596c-44fd-8628-2cfdf4516ada_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582.json b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582.json deleted file mode 100644 index 675e0decd4c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via Named Pipe Impersonation", "note": "## Triage and analysis\n\n### Investigating Privilege Escalation via Named Pipe Impersonation\n\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\n\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with 
Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"Cmd.Exe\", \"PowerShell.EXE\") or ?process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\")) and\n process.args : \"echo\" and process.args : \">\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n", "references": ["https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation", "https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/", "https://redcanary.com/blog/getsystem-offsec/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_103.json b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_103.json
deleted file mode 100644
index 4f1b2ff715b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_103.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via Named Pipe Impersonation", "note": "## Triage and analysis\n\n### Investigating Privilege Escalation via Named Pipe Impersonation\n\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\n\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and\n process.args : \"echo\" and process.args : \">\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n", "references": ["https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation", "https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/", "https://redcanary.com/blog/getsystem-offsec/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", 
"name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_104.json b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_104.json deleted file mode 100644 index bbeecd51559..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via Named Pipe Impersonation", "note": "## Triage and analysis\n\n### Investigating Privilege Escalation via Named Pipe Impersonation\n\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\n\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with 
Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and\n process.args : \"echo\" and process.args : \">\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n", "references": ["https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation", "https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/", "https://redcanary.com/blog/getsystem-offsec/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", 
"name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_105.json b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_105.json deleted file mode 100644 index 1fc195c6fd5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via Named Pipe Impersonation", "note": "## Triage and analysis\n\n### Investigating Privilege Escalation via Named Pipe Impersonation\n\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\n\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with 
Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and\n process.args : \"echo\" and process.args : \">\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n", "references": ["https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation", "https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/", "https://redcanary.com/blog/getsystem-offsec/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": 
"https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_106.json b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_106.json deleted file mode 100644 index 1bea19500d5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via Named Pipe Impersonation", "note": "## Triage and analysis\n\n### Investigating Privilege Escalation via Named Pipe Impersonation\n\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\n\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with 
Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and\n process.args : \"echo\" and process.args : \">\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n", "references": ["https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation", "https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/", "https://redcanary.com/blog/getsystem-offsec/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", 
"reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_107.json b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_107.json
deleted file mode 100644
index 1f12bf153fd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via Named Pipe Impersonation", "note": "## Triage and analysis\n\n### Investigating Privilege Escalation via Named Pipe Impersonation\n\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\n\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with 
Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\") and\n process.args : \"echo\" and process.args : \">\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n", "references": ["https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation", "https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/", "https://redcanary.com/blog/getsystem-offsec/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: 
Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_108.json b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_108.json
deleted file mode 100644
index af9ab35943f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via Named Pipe Impersonation", "note": "## Triage and analysis\n\n### Investigating Privilege Escalation via Named Pipe Impersonation\n\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\n\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with 
Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"Cmd.Exe\", \"PowerShell.EXE\") or ?process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\")) and\n process.args : \"echo\" and process.args : \">\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n", "references": ["https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation", "https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/", "https://redcanary.com/blog/getsystem-offsec/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_109.json b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_109.json
deleted file mode 100644
index 1b278b12162..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via Named Pipe Impersonation", "note": "## Triage and analysis\n\n### Investigating Privilege Escalation via Named Pipe Impersonation\n\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\n\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with 
Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"Cmd.Exe\", \"PowerShell.EXE\") or ?process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\")) and\n process.args : \"echo\" and process.args : \">\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n", "references": ["https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation", "https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/", "https://redcanary.com/blog/getsystem-offsec/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_110.json b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_110.json
deleted file mode 100644
index 086834a45a8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via Named Pipe Impersonation", "note": "## Triage and analysis\n\n### Investigating Privilege Escalation via Named Pipe Impersonation\n\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\n\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with 
Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"Cmd.Exe\", \"PowerShell.EXE\") or ?process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\")) and\n process.args : \"echo\" and process.args : \">\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n", "references": ["https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation", "https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/", "https://redcanary.com/blog/getsystem-offsec/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_111.json b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_111.json deleted file mode 100644 index e4ab53275d0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via Named Pipe Impersonation", "note": "## Triage and analysis\n\n### Investigating Privilege Escalation via Named Pipe Impersonation\n\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\n\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with 
Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"Cmd.Exe\", \"PowerShell.EXE\") or ?process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\")) and\n process.args : \"echo\" and process.args : \">\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n", "references": ["https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation", "https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/", "https://redcanary.com/blog/getsystem-offsec/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_311.json b/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_311.json deleted file mode 100644 index bb0a582b21e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3ecbdc9e-e4f2-43fa-8cca-63802125e582_311.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such Metasploit's meterpreter getsystem command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via Named Pipe Impersonation", "note": "## Triage and analysis\n\n### Investigating Privilege Escalation via Named Pipe Impersonation\n\nA named pipe is a type of inter-process communication (IPC) mechanism used in operating systems like Windows, which allows two or more processes to communicate with each other by sending and receiving data through a well-known point.\n\nAttackers can abuse named pipes to elevate their privileges by impersonating the security context in which they execute code. Metasploit, for example, creates a service and a random pipe, and then uses the service to connect to the pipe and impersonate the service security context, which is SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - If any suspicious processes were found, examine the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with 
Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"Cmd.Exe\", \"PowerShell.EXE\") or ?process.pe.original_file_name in (\"Cmd.Exe\", \"PowerShell.EXE\")) and\n process.args : \"echo\" and process.args : \">\" and process.args : \"\\\\\\\\.\\\\pipe\\\\*\"\n", "references": ["https://www.ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation", "https://www.cobaltstrike.com/blog/what-happens-when-i-type-getsystem/", "https://redcanary.com/blog/getsystem-offsec/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 311}, "id": "3ecbdc9e-e4f2-43fa-8cca-63802125e582_311", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72.json b/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72.json deleted file mode 100644 index 4827f639363..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. This may indicate a code injection attempt.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Creation CallTrace", "note": "## Triage and analysis\n\n### Investigating Suspicious Process Creation CallTrace\n\nAttackers may inject code into child processes' memory to hide their actual activity, evade detection mechanisms, and decrease discoverability during forensics. This rule looks for a spawned process by Microsoft Office, scripting, and command line applications, followed by a process access event for an unknown memory region by the parent process, which can indicate a code injection attempt.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Create a memory dump of the child process for analysis.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=1m\n [process where host.os.type == \"windows\" and event.code == \"1\" and\n /* sysmon process creation */\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\", \"fltldr.exe\",\n \"mspub.exe\", \"msaccess.exe\",\"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") and\n\n /* noisy FP patterns */\n not (process.parent.name : \"EXCEL.EXE\" and process.executable : \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\ADDINS\\\\*.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\splwow64.exe\" and process.args in (\"8192\", \"12288\") and process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\")) and\n not (process.parent.name : \"rundll32.exe\" and process.parent.args : (\"?:\\\\WINDOWS\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\", 
\"--no-sandbox\")) and\n not (process.executable :\n (\"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\DWWIN.EXE\") and\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\")) and\n not (process.parent.name : \"regsvr32.exe\" and process.parent.args : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\"))\n ] by process.parent.entity_id, process.entity_id\n [process where host.os.type == \"windows\" and event.code == \"10\" and\n /* Sysmon process access event from unknown module */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"] by process.entity_id, winlog.event_data.TargetProcessGUID\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetProcessGUID", "type": "keyword"}], "risk_score": 47, "rule_id": "3ed032b2-45d8-4406-bc79-7ad1eabb2c72", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "type": "eql", "version": 208}, "id": "3ed032b2-45d8-4406-bc79-7ad1eabb2c72", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_104.json b/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_104.json deleted file mode 100644 index 13a6ac59ffe..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. This may indicate a code injection attempt.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Creation CallTrace", "note": "## Triage and analysis\n\n### Investigating Suspicious Process Creation CallTrace\n\nAttackers may inject code into child processes' memory to hide their actual activity, evade detection mechanisms, and decrease discoverability during forensics. This rule looks for a spawned process by Microsoft Office, scripting, and command line applications, followed by a process access event for an unknown memory region by the parent process, which can indicate a code injection attempt.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Create a memory dump of the child process for analysis.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=1m\n [process where host.os.type == \"windows\" and event.code == \"1\" and\n /* sysmon process creation */\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\", \"fltldr.exe\",\n \"mspub.exe\", \"msaccess.exe\",\"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") and\n\n /* noisy FP patterns */\n not (process.parent.name : \"EXCEL.EXE\" and process.executable : \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\ADDINS\\\\*.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\splwow64.exe\" and process.args in (\"8192\", \"12288\") and process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\")) and\n not (process.parent.name : \"rundll32.exe\" and process.parent.args : (\"?:\\\\WINDOWS\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\", \"--no-sandbox\")) and\n not (process.executable :\n (\"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\DWWIN.EXE\") and\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", 
\"powerpnt.exe\")) and\n not (process.parent.name : \"regsvr32.exe\" and process.parent.args : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\"))\n ] by process.parent.entity_id, process.entity_id\n [process where host.os.type == \"windows\" and event.code == \"10\" and\n /* Sysmon process access event from unknown module */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"] by process.entity_id, winlog.event_data.TargetProcessGUID\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.TargetProcessGUID", "type": "unknown"}], "risk_score": 47, "rule_id": "3ed032b2-45d8-4406-bc79-7ad1eabb2c72", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "type": "eql", "version": 104}, "id": "3ed032b2-45d8-4406-bc79-7ad1eabb2c72_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_105.json b/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_105.json
deleted file mode 100644
index 768de642983..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. This may indicate a code injection attempt.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Creation CallTrace", "note": "## Triage and analysis\n\n### Investigating Suspicious Process Creation CallTrace\n\nAttackers may inject code into child processes' memory to hide their actual activity, evade detection mechanisms, and decrease discoverability during forensics. This rule looks for a spawned process by Microsoft Office, scripting, and command line applications, followed by a process access event for an unknown memory region by the parent process, which can indicate a code injection attempt.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Create a memory dump of the child process for analysis.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=1m\n [process where host.os.type == \"windows\" and event.code == \"1\" and\n /* sysmon process creation */\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\", \"fltldr.exe\",\n \"mspub.exe\", \"msaccess.exe\",\"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") and\n\n /* noisy FP patterns */\n not (process.parent.name : \"EXCEL.EXE\" and process.executable : \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\ADDINS\\\\*.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\splwow64.exe\" and process.args in (\"8192\", \"12288\") and process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\")) and\n not (process.parent.name : \"rundll32.exe\" and process.parent.args : (\"?:\\\\WINDOWS\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\", \"--no-sandbox\")) and\n not (process.executable :\n (\"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\DWWIN.EXE\") and\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", 
\"powerpnt.exe\")) and\n not (process.parent.name : \"regsvr32.exe\" and process.parent.args : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\"))\n ] by process.parent.entity_id, process.entity_id\n [process where host.os.type == \"windows\" and event.code == \"10\" and\n /* Sysmon process access event from unknown module */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"] by process.entity_id, winlog.event_data.TargetProcessGUID\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.TargetProcessGUID", "type": "unknown"}], "risk_score": 47, "rule_id": "3ed032b2-45d8-4406-bc79-7ad1eabb2c72", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "type": "eql", "version": 105}, "id": "3ed032b2-45d8-4406-bc79-7ad1eabb2c72_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_106.json b/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_106.json
deleted file mode 100644
index 09224778b0d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. This may indicate a code injection attempt.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Creation CallTrace", "note": "## Triage and analysis\n\n### Investigating Suspicious Process Creation CallTrace\n\nAttackers may inject code into child processes' memory to hide their actual activity, evade detection mechanisms, and decrease discoverability during forensics. This rule looks for a spawned process by Microsoft Office, scripting, and command line applications, followed by a process access event for an unknown memory region by the parent process, which can indicate a code injection attempt.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Create a memory dump of the child process for analysis.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=1m\n [process where host.os.type == \"windows\" and event.code == \"1\" and\n /* sysmon process creation */\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\", \"fltldr.exe\",\n \"mspub.exe\", \"msaccess.exe\",\"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") and\n\n /* noisy FP patterns */\n not (process.parent.name : \"EXCEL.EXE\" and process.executable : \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\ADDINS\\\\*.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\splwow64.exe\" and process.args in (\"8192\", \"12288\") and process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\")) and\n not (process.parent.name : \"rundll32.exe\" and process.parent.args : (\"?:\\\\WINDOWS\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\", \"--no-sandbox\")) and\n not (process.executable :\n (\"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\DWWIN.EXE\") and\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", 
\"powerpnt.exe\")) and\n not (process.parent.name : \"regsvr32.exe\" and process.parent.args : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\"))\n ] by process.parent.entity_id, process.entity_id\n [process where host.os.type == \"windows\" and event.code == \"10\" and\n /* Sysmon process access event from unknown module */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"] by process.entity_id, winlog.event_data.TargetProcessGUID\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetProcessGUID", "type": "keyword"}], "risk_score": 47, "rule_id": "3ed032b2-45d8-4406-bc79-7ad1eabb2c72", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "type": "eql", "version": 106}, "id": "3ed032b2-45d8-4406-bc79-7ad1eabb2c72_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_207.json b/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_207.json
deleted file mode 100644
index e293830932c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_207.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. This may indicate a code injection attempt.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Creation CallTrace", "note": "## Triage and analysis\n\n### Investigating Suspicious Process Creation CallTrace\n\nAttackers may inject code into child processes' memory to hide their actual activity, evade detection mechanisms, and decrease discoverability during forensics. This rule looks for a spawned process by Microsoft Office, scripting, and command line applications, followed by a process access event for an unknown memory region by the parent process, which can indicate a code injection attempt.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Create a memory dump of the child process for analysis.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=1m\n [process where host.os.type == \"windows\" and event.code == \"1\" and\n /* sysmon process creation */\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\", \"fltldr.exe\",\n \"mspub.exe\", \"msaccess.exe\",\"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") and\n\n /* noisy FP patterns */\n not (process.parent.name : \"EXCEL.EXE\" and process.executable : \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\ADDINS\\\\*.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\splwow64.exe\" and process.args in (\"8192\", \"12288\") and process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\")) and\n not (process.parent.name : \"rundll32.exe\" and process.parent.args : (\"?:\\\\WINDOWS\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\", \"--no-sandbox\")) and\n not (process.executable :\n (\"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\DWWIN.EXE\") and\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", 
\"powerpnt.exe\")) and\n not (process.parent.name : \"regsvr32.exe\" and process.parent.args : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\"))\n ] by process.parent.entity_id, process.entity_id\n [process where host.os.type == \"windows\" and event.code == \"10\" and\n /* Sysmon process access event from unknown module */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"] by process.entity_id, winlog.event_data.TargetProcessGUID\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetProcessGUID", "type": "keyword"}], "risk_score": 47, "rule_id": "3ed032b2-45d8-4406-bc79-7ad1eabb2c72", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "type": "eql", "version": 207}, "id": "3ed032b2-45d8-4406-bc79-7ad1eabb2c72_207", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_208.json b/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_208.json
deleted file mode 100644
index d0b3e7dbb93..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3ed032b2-45d8-4406-bc79-7ad1eabb2c72_208.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a process is created and immediately accessed from an unknown memory code region and by the same parent process. This may indicate a code injection attempt.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Creation CallTrace", "note": "## Triage and analysis\n\n### Investigating Suspicious Process Creation CallTrace\n\nAttackers may inject code into child processes' memory to hide their actual activity, evade detection mechanisms, and decrease discoverability during forensics. This rule looks for a spawned process by Microsoft Office, scripting, and command line applications, followed by a process access event for an unknown memory region by the parent process, which can indicate a code injection attempt.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Create a memory dump of the child process for analysis.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=1m\n [process where host.os.type == \"windows\" and event.code == \"1\" and\n /* sysmon process creation */\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\", \"fltldr.exe\",\n \"mspub.exe\", \"msaccess.exe\",\"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") and\n\n /* noisy FP patterns */\n not (process.parent.name : \"EXCEL.EXE\" and process.executable : \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office*\\\\ADDINS\\\\*.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\splwow64.exe\" and process.args in (\"8192\", \"12288\") and process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\")) and\n not (process.parent.name : \"rundll32.exe\" and process.parent.args : (\"?:\\\\WINDOWS\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\", 
\"--no-sandbox\")) and\n not (process.executable :\n (\"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\msedgewebview2.exe\",\n \"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\Acrobat.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\DWWIN.EXE\") and\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\")) and\n not (process.parent.name : \"regsvr32.exe\" and process.parent.args : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\"))\n ] by process.parent.entity_id, process.entity_id\n [process where host.os.type == \"windows\" and event.code == \"10\" and\n /* Sysmon process access event from unknown module */\n winlog.event_data.CallTrace : \"*UNKNOWN*\"] by process.entity_id, winlog.event_data.TargetProcessGUID\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetProcessGUID", "type": "keyword"}], "risk_score": 47, "rule_id": "3ed032b2-45d8-4406-bc79-7ad1eabb2c72", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "type": "eql", "version": 208}, "id": "3ed032b2-45d8-4406-bc79-7ad1eabb2c72_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d.json b/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d.json
deleted file mode 100644
index 2b23b6d7d84..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Password Spraying of Microsoft 365 User Accounts", "note": "", "query": "event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and\nevent.action:(\"UserLoginFailed\" or \"PasswordLogonInitialAuthUsingPassword\")\n", "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "3efee4f0-182a-40a8-a835-102c68a4175d", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["source.ip"], "value": 25}, "timestamp_override": "event.ingested", "type": "threshold", "version": 207}, 
"id": "3efee4f0-182a-40a8-a835-102c68a4175d", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_101.json b/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_101.json deleted file mode 100644 index 5d65866ba95..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_101.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Password Spraying of Microsoft 365 User Accounts", "note": "", "query": "event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and\nevent.action:(\"UserLoginFailed\" or \"PasswordLogonInitialAuthUsingPassword\")\n", "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "3efee4f0-182a-40a8-a835-102c68a4175d", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["source.ip"], "value": 25}, "type": "threshold", "version": 101}, "id": "3efee4f0-182a-40a8-a835-102c68a4175d_101", "type": 
"security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_102.json b/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_102.json deleted file mode 100644 index d1ae813648f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_102.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Password Spraying of Microsoft 365 User Accounts", "note": "", "query": "event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and\nevent.action:(\"UserLoginFailed\" or \"PasswordLogonInitialAuthUsingPassword\")\n", "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "3efee4f0-182a-40a8-a835-102c68a4175d", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["source.ip"], "value": 25}, "type": "threshold", "version": 102}, "id": 
"3efee4f0-182a-40a8-a835-102c68a4175d_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_103.json b/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_103.json deleted file mode 100644 index bf7b5914c4f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_103.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Password Spraying of Microsoft 365 User Accounts", "note": "", "query": "event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and\nevent.action:(\"UserLoginFailed\" or \"PasswordLogonInitialAuthUsingPassword\")\n", "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "3efee4f0-182a-40a8-a835-102c68a4175d", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["source.ip"], "value": 25}, "timestamp_override": "event.ingested", "type": "threshold", "version": 103}, 
"id": "3efee4f0-182a-40a8-a835-102c68a4175d_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_104.json b/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_104.json deleted file mode 100644 index 693098d61de..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Password Spraying of Microsoft 365 User Accounts", "note": "", "query": "event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and\nevent.action:(\"UserLoginFailed\" or \"PasswordLogonInitialAuthUsingPassword\")\n", "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "3efee4f0-182a-40a8-a835-102c68a4175d", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["source.ip"], "value": 25}, "timestamp_override": "event.ingested", "type": "threshold", "version": 104}, 
"id": "3efee4f0-182a-40a8-a835-102c68a4175d_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_106.json b/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_106.json deleted file mode 100644 index 996473cce00..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_106.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Password Spraying of Microsoft 365 User Accounts", "note": "", "query": "event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and\nevent.action:(\"UserLoginFailed\" or \"PasswordLogonInitialAuthUsingPassword\")\n", "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "3efee4f0-182a-40a8-a835-102c68a4175d", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["source.ip"], "value": 25}, "timestamp_override": "event.ingested", "type": "threshold", "version": 106}, 
"id": "3efee4f0-182a-40a8-a835-102c68a4175d_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_207.json b/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_207.json deleted file mode 100644 index 596f9e8466f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3efee4f0-182a-40a8-a835-102c68a4175d_207.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Password Spraying of Microsoft 365 User Accounts", "note": "", "query": "event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and\nevent.action:(\"UserLoginFailed\" or \"PasswordLogonInitialAuthUsingPassword\")\n", "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "3efee4f0-182a-40a8-a835-102c68a4175d", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["source.ip"], "value": 25}, "timestamp_override": "event.ingested", "type": "threshold", "version": 207}, 
"id": "3efee4f0-182a-40a8-a835-102c68a4175d_207", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3f0e5410-a4bf-4e8c-bcfc-79d67a285c54.json b/packages/security_detection_engine/kibana/security_rule/3f0e5410-a4bf-4e8c-bcfc-79d67a285c54.json deleted file mode 100644 index ff09f3f2441..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3f0e5410-a4bf-4e8c-bcfc-79d67a285c54.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the occurrence of a CyberArk Privileged Access Security (PAS) error level audit event. The event.code correlates to the CyberArk Vault Audit Action Code.", "false_positives": ["To tune this rule, add exceptions to exclude any event.code which should not trigger this rule."], "from": "now-30m", "index": ["filebeat-*", "logs-cyberarkpas.audit*"], "language": "kuery", "license": "Elastic License v2", "name": "CyberArk Privileged Access Security Error", "note": "## Triage and analysis\n\nThis is a promotion rule for CyberArk error events, which are alertable events per the vendor.\nConsult vendor documentation on interpreting specific events.", "query": "event.dataset:cyberarkpas.audit and event.type:error\n", "references": ["https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_____3"], "related_integrations": [{"package": "cyberarkpas", "version": "^2.2.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}], "risk_score": 73, "rule_id": "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54", "rule_name_override": "event.action", "setup": "The CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Data Source: CyberArk PAS", "Use Case: Log Auditing", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": 
"https://attack.mitre.org/tactics/TA0001/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3f0e5410-a4bf-4e8c-bcfc-79d67a285c54_101.json b/packages/security_detection_engine/kibana/security_rule/3f0e5410-a4bf-4e8c-bcfc-79d67a285c54_101.json deleted file mode 100644 index bb6dd38d808..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3f0e5410-a4bf-4e8c-bcfc-79d67a285c54_101.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the occurrence of a CyberArk Privileged Access Security (PAS) error level audit event. The event.code correlates to the CyberArk Vault Audit Action Code.", "false_positives": ["To tune this rule, add exceptions to exclude any event.code which should not trigger this rule."], "from": "now-30m", "index": ["filebeat-*", "logs-cyberarkpas.audit*"], "language": "kuery", "license": "Elastic License v2", "name": "CyberArk Privileged Access Security Error", "note": "## Triage and analysis\n\nThis is a promotion rule for CyberArk error events, which are alertable events per the vendor.\nConsult vendor documentation on interpreting specific events.", "query": "event.dataset:cyberarkpas.audit and event.type:error\n", "references": ["https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_____3"], "related_integrations": [{"package": "cyberarkpas", "version": "^2.2.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}], "risk_score": 73, "rule_id": "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54", "rule_name_override": "event.action", "setup": "The CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Elastic", "cyberarkpas", "SecOps", "Log Auditing", "Threat Detection", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": 
"https://attack.mitre.org/tactics/TA0001/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd.json b/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd.json deleted file mode 100644 index bbd310c7564..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection attempt. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Protocol Tunneling via Chisel Client", "note": "## Triage and analysis\n\n### Investigating Potential Protocol Tunneling via Chisel Client\n\nAttackers can leverage `chisel` to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems.\n\nThis rule looks for a sequence of command line arguments that are consistent with `chisel` client tunneling behavior, followed by a network event by an uncommon process. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses port tunneling for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.args == \"client\" and process.args : (\"R*\", \"*:*\", \"*socks*\", \"*.*\") and process.args_count >= 4 and \n process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and event.type == \"start\" and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" and \n not process.name : (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\",\n \"ftp\", \"socat\", \"curl\", \"wget\", \"dpkg\", \"docker\", \"dockerd\", \"yum\", \"apt\", \"rpm\", \"dnf\", \"ssh\", \"sshd\")]\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": 
"process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "type": "eql", "version": 5}, "id": "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_1.json b/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_1.json
deleted file mode 100644
index cb6d2e9db6b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_1.json
+++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection attempt. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Protocol Tunneling via Chisel Client", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.args == \"client\" and process.args : (\"R*\", \"*:*\", \"*socks*\", \"*.*\") and process.args_count >= 4 and \n process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and event.type == \"start\" and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" and \n not process.name : (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\",\n \"ftp\", \"socat\", \"curl\", \"wget\", \"dpkg\", \"docker\", \"dockerd\", \"yum\", \"apt\", \"rpm\", \"dnf\", \"ssh\", \"sshd\")]\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, 
{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "type": "eql", "version": 1}, "id": "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_2.json b/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_2.json deleted file mode 100644 index 629febe1871..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection attempt. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Protocol Tunneling via Chisel Client", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.args == \"client\" and process.args : (\"R*\", \"*:*\", \"*socks*\", \"*.*\") and process.args_count >= 4 and \n process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and event.type == \"start\" and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" and \n not process.name : (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\",\n \"ftp\", \"socat\", \"curl\", \"wget\", \"dpkg\", \"docker\", \"dockerd\", \"yum\", \"apt\", \"rpm\", \"dnf\", \"ssh\", \"sshd\")]\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, 
{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "type": "eql", "version": 2}, "id": "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_3.json b/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_3.json deleted file mode 100644 index f763a301c2b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection attempt. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Protocol Tunneling via Chisel Client", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.args == \"client\" and process.args : (\"R*\", \"*:*\", \"*socks*\", \"*.*\") and process.args_count >= 4 and \n process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and event.type == \"start\" and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" and \n not process.name : (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\",\n \"ftp\", \"socat\", \"curl\", \"wget\", \"dpkg\", \"docker\", \"dockerd\", \"yum\", \"apt\", \"rpm\", \"dnf\", \"ssh\", \"sshd\")]\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, 
{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "type": "eql", "version": 3}, "id": "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_4.json b/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_4.json deleted file mode 100644 index 616418a48d3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection attempt. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Protocol Tunneling via Chisel Client", "note": "## Triage and analysis\n\n### Investigating Potential Protocol Tunneling via Chisel Client\n\nAttackers can leverage `chisel` to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems.\n\nThis rule looks for a sequence of command line arguments that are consistent with `chisel` client tunneling behavior, followed by a network event by an uncommon process. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses port tunneling for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.args == \"client\" and process.args : (\"R*\", \"*:*\", \"*socks*\", \"*.*\") and process.args_count >= 4 and \n process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and event.type == \"start\" and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" and \n not process.name : (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\",\n \"ftp\", \"socat\", \"curl\", \"wget\", \"dpkg\", \"docker\", \"dockerd\", \"yum\", \"apt\", \"rpm\", \"dnf\", \"ssh\", \"sshd\")]\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": 
"process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd", "setup": "This rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "type": "eql", "version": 4}, "id": "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_5.json b/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_5.json deleted file mode 100644 index 99ba5e2f281..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for common command line flags leveraged by the Chisel client utility followed by a connection attempt. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Protocol Tunneling via Chisel Client", "note": "## Triage and analysis\n\n### Investigating Potential Protocol Tunneling via Chisel Client\n\nAttackers can leverage `chisel` to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems.\n\nThis rule looks for a sequence of command line arguments that are consistent with `chisel` client tunneling behavior, followed by a network event by an uncommon process. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses port tunneling for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.args == \"client\" and process.args : (\"R*\", \"*:*\", \"*socks*\", \"*.*\") and process.args_count >= 4 and \n process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and event.type == \"start\" and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" and \n not process.name : (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\",\n \"ftp\", \"socat\", \"curl\", \"wget\", \"dpkg\", \"docker\", \"dockerd\", \"yum\", \"apt\", \"rpm\", \"dnf\", \"ssh\", \"sshd\")]\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": 
"process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "type": "eql", "version": 5}, "id": "3f12325a-4cc6-410b-8d4c-9fbbeb744cfd_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce.json
deleted file mode 100644
index e1c85334d53..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed executables used for persistence on high-uptime servers in these directories as system backdoors.", "false_positives": ["Directories /dev/shm and /run/shm are temporary file storage directories in Linux. They are intended to appear as a mounted file system, but uses virtual memory instead of a persistent storage device and thus are used for mounting file systems in legitimate purposes."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Binary Executed from Shared Memory Directory", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nuser.id == \"0\" and process.executable : (\"/dev/shm/*\", \"/run/shm/*\", \"/var/run/*\", \"/var/lock/*\") and\nnot process.executable : (\"/var/run/docker/*\", \"/var/run/utsns/*\", \"/var/run/s6/*\", \"/var/run/cloudera-scm-agent/*\", \n\"/var/run/argo/argoexec\") and not process.parent.command_line : \"/usr/bin/runc init\"\n", "references": ["https://linuxsecurity.com/features/fileless-malware-on-linux", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "user.id", "type": "keyword"}],
"risk_score": 73, "rule_id": "3f3f9fe2-d095-11ec-95dc-f661ea17fbce", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "3f3f9fe2-d095-11ec-95dc-f661ea17fbce", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_104.json b/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_104.json
deleted file mode 100644
index f1c3efca3d6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed executables used for persistence on high-uptime servers in these directories as system backdoors.", "false_positives": ["Directories /dev/shm and /run/shm are temporary file storage directories in Linux. They are intended to appear as a mounted file system, but uses virtual memory instead of a persistent storage device and thus are used for mounting file systems in legitimate purposes."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Binary Executed from Shared Memory Directory", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n event.action : (\"exec\", \"exec_event\") and user.name == \"root\" and\n process.executable : (\n \"/dev/shm/*\",\n \"/run/shm/*\",\n \"/var/run/*\",\n \"/var/lock/*\"\n ) and\n not process.executable : ( \"/var/run/docker/*\")\n", "references": ["https://linuxsecurity.com/features/fileless-malware-on-linux", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": "3f3f9fe2-d095-11ec-95dc-f661ea17fbce", "severity": "high", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor", "Elastic Endgame"], "threat": [{"framework":
"MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "3f3f9fe2-d095-11ec-95dc-f661ea17fbce_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_105.json
deleted file mode 100644
index 09ad2a52c12..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed executables used for persistence on high-uptime servers in these directories as system backdoors.", "false_positives": ["Directories /dev/shm and /run/shm are temporary file storage directories in Linux. They are intended to appear as a mounted file system, but uses virtual memory instead of a persistent storage device and thus are used for mounting file systems in legitimate purposes."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Binary Executed from Shared Memory Directory", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n event.action : (\"exec\", \"exec_event\") and user.name == \"root\" and\n process.executable : (\n \"/dev/shm/*\",\n \"/run/shm/*\",\n \"/var/run/*\",\n \"/var/lock/*\"\n ) and\n not process.executable : ( \"/var/run/docker/*\")\n", "references": ["https://linuxsecurity.com/features/fileless-malware-on-linux", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": "3f3f9fe2-d095-11ec-95dc-f661ea17fbce", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Data Source:
Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "3f3f9fe2-d095-11ec-95dc-f661ea17fbce_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_106.json b/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_106.json
deleted file mode 100644
index 7d2280d1666..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed executables used for persistence on high-uptime servers in these directories as system backdoors.", "false_positives": ["Directories /dev/shm and /run/shm are temporary file storage directories in Linux. They are intended to appear as a mounted file system, but uses virtual memory instead of a persistent storage device and thus are used for mounting file systems in legitimate purposes."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Binary Executed from Shared Memory Directory", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.executable : (\"/dev/shm/*\", \"/run/shm/*\", \"/var/run/*\", \"/var/lock/*\") and\nnot process.executable : (\"/var/run/docker/*\", \"/var/run/utsns/*\", \"/var/run/s6/*\", \"/var/run/cloudera-scm-agent/*\") and\nuser.id == \"0\"\n", "references": ["https://linuxsecurity.com/features/fileless-malware-on-linux", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "3f3f9fe2-d095-11ec-95dc-f661ea17fbce", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection",
"Tactic: Execution", "Threat: BPFDoor", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "3f3f9fe2-d095-11ec-95dc-f661ea17fbce_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_107.json b/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_107.json
deleted file mode 100644
index fd9039daf2a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed executables used for persistence on high-uptime servers in these directories as system backdoors.", "false_positives": ["Directories /dev/shm and /run/shm are temporary file storage directories in Linux. They are intended to appear as a mounted file system, but uses virtual memory instead of a persistent storage device and thus are used for mounting file systems in legitimate purposes."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Binary Executed from Shared Memory Directory", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.executable : (\"/dev/shm/*\", \"/run/shm/*\", \"/var/run/*\", \"/var/lock/*\") and\nnot process.executable : (\"/var/run/docker/*\", \"/var/run/utsns/*\", \"/var/run/s6/*\", \"/var/run/cloudera-scm-agent/*\") and\nuser.id == \"0\"\n", "references": ["https://linuxsecurity.com/features/fileless-malware-on-linux", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "3f3f9fe2-d095-11ec-95dc-f661ea17fbce", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend
Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "3f3f9fe2-d095-11ec-95dc-f661ea17fbce_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_108.json b/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_108.json
deleted file mode 100644
index 1b7e488244a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed executables used for persistence on high-uptime servers in these directories as system backdoors.", "false_positives": ["Directories /dev/shm and /run/shm are temporary file storage directories in Linux. They are intended to appear as a mounted file system, but uses virtual memory instead of a persistent storage device and thus are used for mounting file systems in legitimate purposes."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Binary Executed from Shared Memory Directory", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.executable : (\"/dev/shm/*\", \"/run/shm/*\", \"/var/run/*\", \"/var/lock/*\") and\nnot process.executable : (\"/var/run/docker/*\", \"/var/run/utsns/*\", \"/var/run/s6/*\", \"/var/run/cloudera-scm-agent/*\") and\nuser.id == \"0\"\n", "references": ["https://linuxsecurity.com/features/fileless-malware-on-linux", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "3f3f9fe2-d095-11ec-95dc-f661ea17fbce", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend
Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "3f3f9fe2-d095-11ec-95dc-f661ea17fbce_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_109.json b/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_109.json
deleted file mode 100644
index cf521fd05ce..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3f3f9fe2-d095-11ec-95dc-f661ea17fbce_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed executables used for persistence on high-uptime servers in these directories as system backdoors.", "false_positives": ["Directories /dev/shm and /run/shm are temporary file storage directories in Linux. They are intended to appear as a mounted file system, but uses virtual memory instead of a persistent storage device and thus are used for mounting file systems in legitimate purposes."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Binary Executed from Shared Memory Directory", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nuser.id == \"0\" and process.executable : (\"/dev/shm/*\", \"/run/shm/*\", \"/var/run/*\", \"/var/lock/*\") and\nnot process.executable : (\"/var/run/docker/*\", \"/var/run/utsns/*\", \"/var/run/s6/*\", \"/var/run/cloudera-scm-agent/*\", \n\"/var/run/argo/argoexec\") and not process.parent.command_line : \"/usr/bin/runc init\"\n", "references": ["https://linuxsecurity.com/features/fileless-malware-on-linux", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "user.id", "type": "keyword"}],
"risk_score": 73, "rule_id": "3f3f9fe2-d095-11ec-95dc-f661ea17fbce", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "3f3f9fe2-d095-11ec-95dc-f661ea17fbce_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3f4d7734-2151-4481-b394-09d7c6c91f75.json b/packages/security_detection_engine/kibana/security_rule/3f4d7734-2151-4481-b394-09d7c6c91f75.json
deleted file mode 100644
index 1a2e0a48262..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3f4d7734-2151-4481-b394-09d7c6c91f75.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of built-in tools attackers can use to discover running processes on an endpoint.", "from": "now-119m", "index": ["logs-endpoint.events.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Process Discovery via Built-In Applications", "query": "process where event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and process.name in (\n \"ps\", \"pstree\", \"htop\", \"pgrep\"\n) and \nnot process.parent.name in (\"amazon-ssm-agent\", \"snap\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "3f4d7734-2151-4481-b394-09d7c6c91f75", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "3f4d7734-2151-4481-b394-09d7c6c91f75", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3f4d7734-2151-4481-b394-09d7c6c91f75_1.json b/packages/security_detection_engine/kibana/security_rule/3f4d7734-2151-4481-b394-09d7c6c91f75_1.json
deleted file mode 100644
index 87d7a3b4634..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3f4d7734-2151-4481-b394-09d7c6c91f75_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of built-in tools attackers can use to discover running processes on an endpoint.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Process Discovery via Built-In Applications", "query": "process where event.type == \"start\" and event.action == \"exec\" and\n process.name :(\"ps\", \"pstree\", \"htop\", \"pgrep\") and\n not (event.action == \"exec\" and process.parent.name in (\"amazon-ssm-agent\", \"snap\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "3f4d7734-2151-4481-b394-09d7c6c91f75", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "3f4d7734-2151-4481-b394-09d7c6c91f75_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3f4d7734-2151-4481-b394-09d7c6c91f75_2.json b/packages/security_detection_engine/kibana/security_rule/3f4d7734-2151-4481-b394-09d7c6c91f75_2.json
deleted file mode 100644
index 319ee03ef0d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3f4d7734-2151-4481-b394-09d7c6c91f75_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of built-in tools attackers can use to discover running processes on an endpoint.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Process Discovery via Built-In Applications", "query": "process where event.type == \"start\" and event.action == \"exec\" and\n process.name :(\"ps\", \"pstree\", \"htop\", \"pgrep\") and\n not (event.action == \"exec\" and process.parent.name in (\"amazon-ssm-agent\", \"snap\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "3f4d7734-2151-4481-b394-09d7c6c91f75", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "3f4d7734-2151-4481-b394-09d7c6c91f75_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3f4e2dba-828a-452a-af35-fe29c5e78969.json b/packages/security_detection_engine/kibana/security_rule/3f4e2dba-828a-452a-af35-fe29c5e78969.json
deleted file mode 100644
index 715876b4435..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3f4e2dba-828a-452a-af35-fe29c5e78969.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected an RDP session started at an usual time or weekday. An RDP session at an unusual time could be followed by other suspicious activities, so catching this is a good first step in detecting a larger attack.", "from": "now-12h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_unusual_time_weekday_rdp_session_start", "name": "Unusual Time or Day for an RDP Session", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "3f4e2dba-828a-452a-af35-fe29c5e78969", "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 4}, "id": "3f4e2dba-828a-452a-af35-fe29c5e78969", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3f4e2dba-828a-452a-af35-fe29c5e78969_1.json b/packages/security_detection_engine/kibana/security_rule/3f4e2dba-828a-452a-af35-fe29c5e78969_1.json
deleted file mode 100644
index 1df93139c98..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3f4e2dba-828a-452a-af35-fe29c5e78969_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected an RDP session started at an usual time or weekday. An RDP session at an unusual time could be followed by other suspicious activities, so catching this is a good first step in detecting a larger attack.", "from": "now-12h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_unusual_time_weekday_rdp_session_start", "name": "Unusual Time or Day for an RDP Session", "note": "", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "3f4e2dba-828a-452a-af35-fe29c5e78969", "setup": "The Lateral Movement Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 1}, "id": "3f4e2dba-828a-452a-af35-fe29c5e78969_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3f4e2dba-828a-452a-af35-fe29c5e78969_2.json b/packages/security_detection_engine/kibana/security_rule/3f4e2dba-828a-452a-af35-fe29c5e78969_2.json
deleted file mode 100644
index 41675c7f7b2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3f4e2dba-828a-452a-af35-fe29c5e78969_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected an RDP session started at an usual time or weekday. An RDP session at an unusual time could be followed by other suspicious activities, so catching this is a good first step in detecting a larger attack.", "from": "now-12h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_unusual_time_weekday_rdp_session_start", "name": "Unusual Time or Day for an RDP Session", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "3f4e2dba-828a-452a-af35-fe29c5e78969", "setup": "The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". 
Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 2}, "id": "3f4e2dba-828a-452a-af35-fe29c5e78969_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3f4e2dba-828a-452a-af35-fe29c5e78969_3.json b/packages/security_detection_engine/kibana/security_rule/3f4e2dba-828a-452a-af35-fe29c5e78969_3.json
deleted file mode 100644
index eda470905d6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3f4e2dba-828a-452a-af35-fe29c5e78969_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected an RDP session started at an usual time or weekday. An RDP session at an unusual time could be followed by other suspicious activities, so catching this is a good first step in detecting a larger attack.", "from": "now-12h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_unusual_time_weekday_rdp_session_start", "name": "Unusual Time or Day for an RDP Session", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "3f4e2dba-828a-452a-af35-fe29c5e78969", "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". 
Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 3}, "id": "3f4e2dba-828a-452a-af35-fe29c5e78969_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3fe4e20c-a600-4a86-9d98-3ecb1ef23550.json b/packages/security_detection_engine/kibana/security_rule/3fe4e20c-a600-4a86-9d98-3ecb1ef23550.json
deleted file mode 100644
index b50b98ce3ce..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3fe4e20c-a600-4a86-9d98-3ecb1ef23550.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects file creation events in the plugin directories for the Yum package manager. In Linux, DNF (Dandified YUM) is a command-line utility used for handling packages on Fedora-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor DNF to gain persistence by injecting malicious code into plugins that DNF runs, thereby ensuring continued unauthorized access or control each time DNF is used for package management.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "DNF Package Manager Plugin File Creation", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and\nfile.path : (\"/usr/lib/python*/site-packages/dnf-plugins/*\", \"/etc/dnf/plugins/*\") and not (\n process.executable in (\n \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\", \"/usr/bin/microdnf\", \"/bin/rpm\",\n \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\", \"/bin/dnf\", \"/usr/bin/dnf\",\n \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\", \"/bin/puppet\",\n \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\", \"/bin/autossl_check\",\n \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\",\n \"/usr/libexec/netplan/generate\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\") or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/*\", \"/usr/libexec/*\",\n \"/etc/kernel/*\"\n ) or\n process.executable == null or\n (process.name == 
\"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://pwnshift.github.io/2020/10/01/persistence.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "3fe4e20c-a600-4a86-9d98-3ecb1ef23550", "setup": "## Setup\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\n\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\n\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.016", "name": "Installer Packages", "reference": "https://attack.mitre.org/techniques/T1546/016/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": 
"3fe4e20c-a600-4a86-9d98-3ecb1ef23550", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/3fe4e20c-a600-4a86-9d98-3ecb1ef23550_1.json b/packages/security_detection_engine/kibana/security_rule/3fe4e20c-a600-4a86-9d98-3ecb1ef23550_1.json
deleted file mode 100644
index da82e033175..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3fe4e20c-a600-4a86-9d98-3ecb1ef23550_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects file creation events in the plugin directories for the Yum package manager. In Linux, DNF (Dandified YUM) is a command-line utility used for handling packages on Fedora-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor DNF to gain persistence by injecting malicious code into plugins that DNF runs, thereby ensuring continued unauthorized access or control each time DNF is used for package management.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "DNF Package Manager Plugin File Creation", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and\nfile.path : (\"/usr/lib/python*/site-packages/dnf-plugins/*\", \"/etc/dnf/plugins/*\") and not (\n process.executable in (\n \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\", \"/usr/bin/microdnf\", \"/bin/rpm\",\n \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\", \"/bin/dnf\", \"/usr/bin/dnf\",\n \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\", \"/bin/puppet\",\n \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\", \"/bin/autossl_check\",\n \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\",\n \"/usr/libexec/netplan/generate\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\") or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/*\", \"/usr/libexec/*\",\n \"/etc/kernel/*\"\n ) or\n process.executable == null or\n (process.name == 
\"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://pwnshift.github.io/2020/10/01/persistence.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "3fe4e20c-a600-4a86-9d98-3ecb1ef23550", "setup": "## Setup\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\n\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\n\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "3fe4e20c-a600-4a86-9d98-3ecb1ef23550_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/3fe4e20c-a600-4a86-9d98-3ecb1ef23550_2.json b/packages/security_detection_engine/kibana/security_rule/3fe4e20c-a600-4a86-9d98-3ecb1ef23550_2.json
deleted file mode 100644
index 4bfe8a4ac2a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/3fe4e20c-a600-4a86-9d98-3ecb1ef23550_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects file creation events in the plugin directories for the Yum package manager. In Linux, DNF (Dandified YUM) is a command-line utility used for handling packages on Fedora-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor DNF to gain persistence by injecting malicious code into plugins that DNF runs, thereby ensuring continued unauthorized access or control each time DNF is used for package management.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "DNF Package Manager Plugin File Creation", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and\nfile.path : (\"/usr/lib/python*/site-packages/dnf-plugins/*\", \"/etc/dnf/plugins/*\") and not (\n process.executable in (\n \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\", \"/usr/bin/microdnf\", \"/bin/rpm\",\n \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\", \"/bin/dnf\", \"/usr/bin/dnf\",\n \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\", \"/bin/puppet\",\n \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\", \"/bin/autossl_check\",\n \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\",\n \"/usr/libexec/netplan/generate\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\") or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/*\", \"/usr/libexec/*\",\n \"/etc/kernel/*\"\n ) or\n process.executable == null or\n (process.name == 
\"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://pwnshift.github.io/2020/10/01/persistence.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "3fe4e20c-a600-4a86-9d98-3ecb1ef23550", "setup": "## Setup\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\n\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\n\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.016", "name": "Installer Packages", "reference": "https://attack.mitre.org/techniques/T1546/016/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": 
"3fe4e20c-a600-4a86-9d98-3ecb1ef23550_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb.json b/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb.json deleted file mode 100644 index f2680205e64..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious given that its user context is unusual and does not commonly manifest malicious activity,by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_rare_process_by_user", "name": "Unusual Process Spawned by a User", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 5}, "id": "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_1.json b/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_1.json
deleted file mode 100644
index 5774d6780d1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious given that its user context is unusual and does not commonly manifest malicious activity,by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_rare_process_by_user", "name": "Unusual Process Spawned by a User", "note": "", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb", "setup": "The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. 
Please refer to this rule's references for more information.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 1}, "id": "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_2.json b/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_2.json deleted file mode 100644 index 5f4be221cb8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious given that its user context is unusual and does not commonly manifest malicious activity,by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_rare_process_by_user", "name": "Unusual Process Spawned by a User", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb", "setup": "The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\nBefore you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 2}, "id": "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_3.json b/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_3.json deleted file mode 100644 index 746c17ca8a6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious given that its user context is unusual and does not commonly manifest malicious activity,by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_rare_process_by_user", "name": "Unusual Process Spawned by a User", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\nBefore you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 3}, "id": "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_4.json b/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_4.json deleted file mode 100644 index c2274a9b4f2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious given that its user context is unusual and does not commonly manifest malicious activity,by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_rare_process_by_user", "name": "Unusual Process Spawned by a User", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\n**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle \"Include hidden indices\"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\n**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. 
Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 4}, "id": "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_5.json b/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_5.json deleted file mode 100644 index 2baba5406ff..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious given that its user context is unusual and does not commonly manifest malicious activity,by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_rare_process_by_user", "name": "Unusual Process Spawned by a User", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 5}, "id": "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_5", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_6.json b/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_6.json
deleted file mode 100644
index 32f61223136..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious given that its user context is unusual and does not commonly manifest malicious activity,by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_rare_process_by_user", "name": "Unusual Process Spawned by a User", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 6}, "id": "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb_6", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/4030c951-448a-4017-a2da-ed60f6d14f4f.json b/packages/security_detection_engine/kibana/security_rule/4030c951-448a-4017-a2da-ed60f6d14f4f.json deleted file mode 100644 index cfe9e80579b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4030c951-448a-4017-a2da-ed60f6d14f4f.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "A GitHub user was blocked from access to an organization.", "from": "now-9m", "index": ["logs-github.audit-*"], "language": "eql", "license": "Elastic License v2", "name": "GitHub User Blocked From Organization", "query": "configuration where event.dataset == \"github.audit\" and event.action == \"org.block_user\"\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "4030c951-448a-4017-a2da-ed60f6d14f4f", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Impact", "Rule Type: BBR", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "4030c951-448a-4017-a2da-ed60f6d14f4f", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4030c951-448a-4017-a2da-ed60f6d14f4f_1.json b/packages/security_detection_engine/kibana/security_rule/4030c951-448a-4017-a2da-ed60f6d14f4f_1.json deleted file mode 100644 index 2ff065f3ac1..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/4030c951-448a-4017-a2da-ed60f6d14f4f_1.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "A GitHub user was blocked from access to an organization.", "from": "now-9m", "index": ["logs-github.audit-*"], "language": "eql", "license": "Elastic License v2", "name": "GitHub User Blocked From Organization", "query": "configuration where event.dataset == \"github.audit\" and event.action == \"org.block_user\"\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "4030c951-448a-4017-a2da-ed60f6d14f4f", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Impact", "Rule Type: BBR", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "4030c951-448a-4017-a2da-ed60f6d14f4f_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4030c951-448a-4017-a2da-ed60f6d14f4f_103.json b/packages/security_detection_engine/kibana/security_rule/4030c951-448a-4017-a2da-ed60f6d14f4f_103.json new file mode 100644 index 00000000000..0d6deeed2f9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4030c951-448a-4017-a2da-ed60f6d14f4f_103.json 
@@ -0,0 +1,68 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "building_block_type": "default",
+ "description": "A GitHub user was blocked from access to an organization.",
+ "from": "now-9m",
+ "index": [
+ "logs-github.audit-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "GitHub User Blocked From Organization",
+ "query": "configuration where event.dataset == \"github.audit\" and event.action == \"org.block_user\"\n",
+ "related_integrations": [
+ {
+ "package": "github",
+ "version": "^2.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "4030c951-448a-4017-a2da-ed60f6d14f4f",
+ "severity": "low",
+ "tags": [
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Impact",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0040",
+ "name": "Impact",
+ "reference": "https://attack.mitre.org/tactics/TA0040/"
+ },
+ "technique": [
+ {
+ "id": "T1531",
+ "name": "Account Access Removal",
+ "reference": "https://attack.mitre.org/techniques/T1531/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 103
+ },
+ "id": "4030c951-448a-4017-a2da-ed60f6d14f4f_103",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49.json b/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49.json
deleted file mode 100644
index 047ec008189..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Persistence via Services Registry", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.value : (\"ServiceDLL\", \"ImagePath\") and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and not registry.data.strings : (\n \"?:\\\\windows\\\\system32\\\\Drivers\\\\*.sys\",\n \"\\\\SystemRoot\\\\System32\\\\drivers\\\\*.sys\",\n \"\\\\??\\\\?:\\\\Windows\\\\system32\\\\Drivers\\\\*.SYS\",\n \"\\\\??\\\\?:\\\\Windows\\\\syswow64\\\\*.sys\",\n \"system32\\\\DRIVERS\\\\USBSTOR\") and\n not (process.name : \"procexp??.exe\" and registry.data.strings : \"?:\\\\*\\\\procexp*.sys\") and\n not process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\winsxs\\\\*\\\\TiWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\regsvr32.exe\",\n \"?:\\\\Windows\\\\System32\\\\WaaSMedicAgent.exe\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": 
[{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 21, "rule_id": "403ef0d3-8259-40c9-a5b6-d48354712e49", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "403ef0d3-8259-40c9-a5b6-d48354712e49", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_102.json b/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_102.json deleted file mode 100644 index 7bffff0ca1a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Persistence via Services Registry", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and not registry.data.strings : (\n \"?:\\\\windows\\\\system32\\\\Drivers\\\\*.sys\",\n \"\\\\SystemRoot\\\\System32\\\\drivers\\\\*.sys\",\n \"\\\\??\\\\?:\\\\Windows\\\\system32\\\\Drivers\\\\*.SYS\",\n \"system32\\\\DRIVERS\\\\USBSTOR\") and\n not (process.name : \"procexp??.exe\" and registry.data.strings : \"?:\\\\*\\\\procexp*.sys\") and\n not process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\winsxs\\\\*\\\\TiWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\regsvr32.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": 
true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "403ef0d3-8259-40c9-a5b6-d48354712e49", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "403ef0d3-8259-40c9-a5b6-d48354712e49_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_103.json b/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_103.json deleted file mode 100644 index 40b0650a78f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Persistence via Services Registry", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and not registry.data.strings : (\n \"?:\\\\windows\\\\system32\\\\Drivers\\\\*.sys\",\n \"\\\\SystemRoot\\\\System32\\\\drivers\\\\*.sys\",\n \"\\\\??\\\\?:\\\\Windows\\\\system32\\\\Drivers\\\\*.SYS\",\n \"system32\\\\DRIVERS\\\\USBSTOR\") and\n not (process.name : \"procexp??.exe\" and registry.data.strings : \"?:\\\\*\\\\procexp*.sys\") and\n not process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\winsxs\\\\*\\\\TiWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\regsvr32.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": 
true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "403ef0d3-8259-40c9-a5b6-d48354712e49", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "403ef0d3-8259-40c9-a5b6-d48354712e49_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_104.json b/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_104.json deleted file mode 100644 index 63a6a3f484d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Persistence via Services Registry", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and not registry.data.strings : (\n \"?:\\\\windows\\\\system32\\\\Drivers\\\\*.sys\",\n \"\\\\SystemRoot\\\\System32\\\\drivers\\\\*.sys\",\n \"\\\\??\\\\?:\\\\Windows\\\\system32\\\\Drivers\\\\*.SYS\",\n \"system32\\\\DRIVERS\\\\USBSTOR\") and\n not (process.name : \"procexp??.exe\" and registry.data.strings : \"?:\\\\*\\\\procexp*.sys\") and\n not process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\winsxs\\\\*\\\\TiWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\regsvr32.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": 
true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "403ef0d3-8259-40c9-a5b6-d48354712e49", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "403ef0d3-8259-40c9-a5b6-d48354712e49_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_105.json b/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_105.json deleted file mode 100644 index 0eb73988c69..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Persistence via Services Registry", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and not registry.data.strings : (\n \"?:\\\\windows\\\\system32\\\\Drivers\\\\*.sys\",\n \"\\\\SystemRoot\\\\System32\\\\drivers\\\\*.sys\",\n \"\\\\??\\\\?:\\\\Windows\\\\system32\\\\Drivers\\\\*.SYS\",\n \"system32\\\\DRIVERS\\\\USBSTOR\") and\n not (process.name : \"procexp??.exe\" and registry.data.strings : \"?:\\\\*\\\\procexp*.sys\") and\n not process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\winsxs\\\\*\\\\TiWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\regsvr32.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": 
true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "403ef0d3-8259-40c9-a5b6-d48354712e49", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "403ef0d3-8259-40c9-a5b6-d48354712e49_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_106.json b/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_106.json deleted file mode 100644 index 8fd5ba30bc1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Persistence via Services Registry", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and not registry.data.strings : (\n \"?:\\\\windows\\\\system32\\\\Drivers\\\\*.sys\",\n \"\\\\SystemRoot\\\\System32\\\\drivers\\\\*.sys\",\n \"\\\\??\\\\?:\\\\Windows\\\\system32\\\\Drivers\\\\*.SYS\",\n \"system32\\\\DRIVERS\\\\USBSTOR\") and\n not (process.name : \"procexp??.exe\" and registry.data.strings : \"?:\\\\*\\\\procexp*.sys\") and\n not process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\winsxs\\\\*\\\\TiWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\regsvr32.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": 
"keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "403ef0d3-8259-40c9-a5b6-d48354712e49", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "403ef0d3-8259-40c9-a5b6-d48354712e49_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_107.json b/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_107.json deleted file mode 100644 index 1be1e7a2f3f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Persistence via Services Registry", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and not registry.data.strings : (\n \"?:\\\\windows\\\\system32\\\\Drivers\\\\*.sys\",\n \"\\\\SystemRoot\\\\System32\\\\drivers\\\\*.sys\",\n \"\\\\??\\\\?:\\\\Windows\\\\system32\\\\Drivers\\\\*.SYS\",\n \"system32\\\\DRIVERS\\\\USBSTOR\") and\n not (process.name : \"procexp??.exe\" and registry.data.strings : \"?:\\\\*\\\\procexp*.sys\") and\n not process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\winsxs\\\\*\\\\TiWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\regsvr32.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, 
"name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "403ef0d3-8259-40c9-a5b6-d48354712e49", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "403ef0d3-8259-40c9-a5b6-d48354712e49_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_108.json b/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_108.json deleted file mode 100644 index 12dd105bd13..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Persistence via Services Registry", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and not registry.data.strings : (\n \"?:\\\\windows\\\\system32\\\\Drivers\\\\*.sys\",\n \"\\\\SystemRoot\\\\System32\\\\drivers\\\\*.sys\",\n \"\\\\??\\\\?:\\\\Windows\\\\system32\\\\Drivers\\\\*.SYS\",\n \"system32\\\\DRIVERS\\\\USBSTOR\") and\n not (process.name : \"procexp??.exe\" and registry.data.strings : \"?:\\\\*\\\\procexp*.sys\") and\n not process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\winsxs\\\\*\\\\TiWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\regsvr32.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, 
{"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "403ef0d3-8259-40c9-a5b6-d48354712e49", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "403ef0d3-8259-40c9-a5b6-d48354712e49_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_109.json b/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_109.json deleted file mode 100644 index 54d6b2631f3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Persistence via Services Registry", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.value : (\"ServiceDLL\", \"ImagePath\") and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and not registry.data.strings : (\n \"?:\\\\windows\\\\system32\\\\Drivers\\\\*.sys\",\n \"\\\\SystemRoot\\\\System32\\\\drivers\\\\*.sys\",\n \"\\\\??\\\\?:\\\\Windows\\\\system32\\\\Drivers\\\\*.SYS\",\n \"\\\\??\\\\?:\\\\Windows\\\\syswow64\\\\*.sys\",\n \"system32\\\\DRIVERS\\\\USBSTOR\") and\n not (process.name : \"procexp??.exe\" and registry.data.strings : \"?:\\\\*\\\\procexp*.sys\") and\n not process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\winsxs\\\\*\\\\TiWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\regsvr32.exe\",\n \"?:\\\\Windows\\\\System32\\\\WaaSMedicAgent.exe\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, 
"name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 21, "rule_id": "403ef0d3-8259-40c9-a5b6-d48354712e49", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "403ef0d3-8259-40c9-a5b6-d48354712e49_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_110.json b/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_110.json deleted file mode 100644 index 0824e764210..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/403ef0d3-8259-40c9-a5b6-d48354712e49_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies processes modifying the services registry key directly, instead of through the expected Windows APIs. This could be an indication of an adversary attempting to stealthily persist through abnormal service creation or modification of an existing service.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Persistence via Services Registry", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.value : (\"ServiceDLL\", \"ImagePath\") and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and not registry.data.strings : (\n \"?:\\\\windows\\\\system32\\\\Drivers\\\\*.sys\",\n \"\\\\SystemRoot\\\\System32\\\\drivers\\\\*.sys\",\n \"\\\\??\\\\?:\\\\Windows\\\\system32\\\\Drivers\\\\*.SYS\",\n \"\\\\??\\\\?:\\\\Windows\\\\syswow64\\\\*.sys\",\n \"system32\\\\DRIVERS\\\\USBSTOR\") and\n not (process.name : \"procexp??.exe\" and registry.data.strings : \"?:\\\\*\\\\procexp*.sys\") and\n not process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\winsxs\\\\*\\\\TiWorker.exe\",\n \"?:\\\\Windows\\\\System32\\\\drvinst.exe\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\regsvr32.exe\",\n \"?:\\\\Windows\\\\System32\\\\WaaSMedicAgent.exe\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": 
[{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 21, "rule_id": "403ef0d3-8259-40c9-a5b6-d48354712e49", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "403ef0d3-8259-40c9-a5b6-d48354712e49_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd.json b/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd.json deleted file mode 100644 index 979a18301bf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system.", "from": "now-119m", "history_window_start": "now-14d", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Modprobe File Event", "new_terms_fields": ["host.id", "process.executable"], "query": "host.os.type:linux and event.category:file and event.action:\"opened-file\" and\nfile.path : (\"/etc/modprobe.conf\" or \"/etc/modprobe.d\" or /etc/modprobe.d/*) and not process.name:(\n cp or dpkg or dockerd or lynis or mkinitramfs or snapd or systemd-udevd or grep or borg or auditbeat or lspci or\n aide or modprobe or python*\n)\n", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd", "setup": "## Setup\n\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "low", "tags": ["Data Source: Auditd Manager", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 107}, "id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_1.json b/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_1.json deleted file mode 100644 index b173336082d..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Modprobe File Event", "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. 
\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "file where host.os.type == \"linux\" and event.action in (\"opened-file\", \"read-file\", \"wrote-to-file\") and\nfile.path : (\"/etc/modprobe.conf\", \"/etc/modprobe.d\", \"/etc/modprobe.d/*\") and not \n(process.name in (\"auditbeat\", \"kmod\", \"modprobe\", \"lsmod\", \"insmod\", \"modinfo\", \"rmmod\") or process.title : (\"*grep*\") or process.parent.pid == 1)\n", "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "process.title", "type": "keyword"}], "risk_score": 21, "rule_id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd", "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. 
The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "low", "tags": ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_103.json b/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_103.json deleted file mode 100644 index 298661da54c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system.", "from": "now-119m", "history_window_start": "now-7d", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Modprobe File Event", "new_terms_fields": ["host.id", "process.executable", "file.path"], "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. 
\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "host.os.type:linux and event.category:file and event.action:\"opened-file\" and\nfile.path : (\"/etc/modprobe.conf\" or \"/etc/modprobe.d\" or /etc/modprobe.d/*)\n", "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd", "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "low", "tags": ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 103}, "id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_104.json b/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_104.json deleted file mode 100644 index d295e5cac6c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system.", "from": "now-119m", "history_window_start": "now-7d", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Modprobe File Event", "new_terms_fields": ["host.id", "process.executable", "file.path"], "query": "host.os.type:linux and event.category:file and event.action:\"opened-file\" and\nfile.path : (\"/etc/modprobe.conf\" or \"/etc/modprobe.d\" or /etc/modprobe.d/*)\n", "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd", "setup": "\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. 
The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "low", "tags": ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 104}, "id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_105.json b/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_105.json deleted file mode 100644 index 7721371302a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system.", "from": "now-119m", "history_window_start": "now-7d", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Modprobe File Event", "new_terms_fields": ["host.id", "process.executable", "file.path"], "query": "host.os.type:linux and event.category:file and event.action:\"opened-file\" and\nfile.path : (\"/etc/modprobe.conf\" or \"/etc/modprobe.d\" or /etc/modprobe.d/*) and \nnot process.name:(cp or dpkg or dockerd or lynis or mkinitramfs or snapd)\n", "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd", "setup": "\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. 
The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "low", "tags": ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 105}, "id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_106.json b/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_106.json deleted file mode 100644 index 881b0cf2cbf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system.", "from": "now-119m", "history_window_start": "now-7d", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Modprobe File Event", "new_terms_fields": ["host.id", "process.executable", "file.path"], "query": "host.os.type:linux and event.category:file and event.action:\"opened-file\" and\nfile.path : (\"/etc/modprobe.conf\" or \"/etc/modprobe.d\" or /etc/modprobe.d/*) and \nnot process.name:(cp or dpkg or dockerd or lynis or mkinitramfs or snapd)\n", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd", "setup": "\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "low", "tags": ["Data Source: Auditd Manager", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 106}, "id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_107.json b/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_107.json
deleted file mode 100644
index 40529fae495..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system.", "from": "now-119m", "history_window_start": "now-14d", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Modprobe File Event", "new_terms_fields": ["host.id", "process.executable"], "query": "host.os.type:linux and event.category:file and event.action:\"opened-file\" and\nfile.path : (\"/etc/modprobe.conf\" or \"/etc/modprobe.d\" or /etc/modprobe.d/*) and not process.name:(\n cp or dpkg or dockerd or lynis or mkinitramfs or snapd or systemd-udevd or grep or borg or auditbeat or lspci or\n aide or modprobe or python*\n)\n", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd", "setup": "## Setup\n\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "low", "tags": ["Data Source: Auditd Manager", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 107}, "id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_2.json b/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_2.json
deleted file mode 100644
index 4773527de34..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Modprobe File Event", "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. 
\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "file where host.os.type == \"linux\" and event.action == \"opened-file\" and\nfile.path : (\"/etc/modprobe.conf\", \"/etc/modprobe.d\", \"/etc/modprobe.d/*\") and not \n(\n process.name in (\"auditbeat\", \"kmod\", \"modprobe\", \"lsmod\", \"insmod\", \"modinfo\", \"rmmod\", \"dpkg\", \"cp\") or \n process.title : \"*grep*\" or process.parent.pid == 1\n)\n", "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "process.title", "type": "keyword"}], "risk_score": 21, "rule_id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd", "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. 
The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "low", "tags": ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_3.json b/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_3.json deleted file mode 100644 index 358f9216a8c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system.", "from": "now-119m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Suspicious Modprobe File Event", "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. 
\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "file where host.os.type == \"linux\" and event.action == \"opened-file\" and\nfile.path : (\"/etc/modprobe.conf\", \"/etc/modprobe.d\", \"/etc/modprobe.d/*\") and not \n(\n process.name in (\"auditbeat\", \"kmod\", \"modprobe\", \"lsmod\", \"insmod\", \"modinfo\", \"rmmod\", \"dpkg\", \"cp\", \"mkinitramfs\",\n \"readlink\") or process.title : \"*grep*\" or process.parent.pid == 1\n)\n", "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "process.title", "type": "keyword"}], "risk_score": 21, "rule_id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd", "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. 
The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /etc/modprobe.conf -p wa -k modprobe\n-w /etc/modprobe.d -p wa -k modprobe\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "low", "tags": ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/41284ba3-ed1a-4598-bfba-a97f75d9aba2.json b/packages/security_detection_engine/kibana/security_rule/41284ba3-ed1a-4598-bfba-a97f75d9aba2.json deleted file mode 100644 index 556c3e9de56..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/41284ba3-ed1a-4598-bfba-a97f75d9aba2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors for inter-process communication via Unix sockets. Adversaries may attempt to communicate with local Unix sockets to enumerate application details, find vulnerabilities/configuration mistakes and potentially escalate privileges or set up malicious communication channels via Unix sockets for inter-process communication to attempt to evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Unix Socket Connection", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and (\n (process.name in (\"nc\", \"ncat\", \"netcat\", \"nc.openbsd\") and \n process.args == \"-U\" and process.args : (\"/usr/local/*\", \"/run/*\", \"/var/run/*\")) or\n (process.name == \"socat\" and \n process.args == \"-\" and process.args : (\"UNIX-CLIENT:/usr/local/*\", \"UNIX-CLIENT:/run/*\", \"UNIX-CLIENT:/var/run/*\"))\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "41284ba3-ed1a-4598-bfba-a97f75d9aba2", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", 
"reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "41284ba3-ed1a-4598-bfba-a97f75d9aba2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/41284ba3-ed1a-4598-bfba-a97f75d9aba2_1.json b/packages/security_detection_engine/kibana/security_rule/41284ba3-ed1a-4598-bfba-a97f75d9aba2_1.json deleted file mode 100644 index e4199fca9a1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/41284ba3-ed1a-4598-bfba-a97f75d9aba2_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors for inter-process communication via Unix sockets. Adversaries may attempt to communicate with local Unix sockets to enumerate application details, find vulnerabilities/configuration mistakes and potentially escalate privileges or set up malicious communication channels via Unix sockets for inter-process communication to attempt to evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Unix Socket Connection", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and (\n (process.name in (\"nc\", \"ncat\", \"netcat\", \"nc.openbsd\") and \n process.args == \"-U\" and process.args : (\"/usr/local/*\", \"/run/*\", \"/var/run/*\")) or\n (process.name == \"socat\" and \n process.args == \"-\" and process.args : (\"UNIX-CLIENT:/usr/local/*\", \"UNIX-CLIENT:/run/*\", \"UNIX-CLIENT:/var/run/*\"))\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "41284ba3-ed1a-4598-bfba-a97f75d9aba2", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/"}]}], "timestamp_override": "event.ingested", 
"type": "eql", "version": 1}, "id": "41284ba3-ed1a-4598-bfba-a97f75d9aba2_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/41284ba3-ed1a-4598-bfba-a97f75d9aba2_2.json b/packages/security_detection_engine/kibana/security_rule/41284ba3-ed1a-4598-bfba-a97f75d9aba2_2.json deleted file mode 100644 index e76309036f4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/41284ba3-ed1a-4598-bfba-a97f75d9aba2_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors for inter-process communication via Unix sockets. Adversaries may attempt to communicate with local Unix sockets to enumerate application details, find vulnerabilities/configuration mistakes and potentially escalate privileges or set up malicious communication channels via Unix sockets for inter-process communication to attempt to evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Unix Socket Connection", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and (\n (process.name in (\"nc\", \"ncat\", \"netcat\", \"nc.openbsd\") and \n process.args == \"-U\" and process.args : (\"/usr/local/*\", \"/run/*\", \"/var/run/*\")) or\n (process.name == \"socat\" and \n process.args == \"-\" and process.args : (\"UNIX-CLIENT:/usr/local/*\", \"UNIX-CLIENT:/run/*\", \"UNIX-CLIENT:/var/run/*\"))\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "41284ba3-ed1a-4598-bfba-a97f75d9aba2", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", 
"reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "41284ba3-ed1a-4598-bfba-a97f75d9aba2_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec.json b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec.json deleted file mode 100644 index 08051422e61..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Control Panel Process with Unusual Arguments", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\control.exe\", \"?:\\\\Windows\\\\System32\\\\control.exe\") and\n process.command_line :\n (\"*.jpg*\",\n \"*.png*\",\n \"*.gif*\",\n \"*.bmp*\",\n \"*.jpeg*\",\n \"*.TIFF*\",\n \"*.inf*\",\n \"*.cpl:*/*\",\n \"*../../..*\",\n \"*/AppData/Local/*\",\n \"*:\\\\Users\\\\Public\\\\*\",\n \"*\\\\AppData\\\\Local\\\\*\")\n", "references": ["https://www.joesandbox.com/analysis/476188/1/html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "416697ae-e468-4093-a93d-59661fa619ec", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.002", "name": "Control Panel", "reference": "https://attack.mitre.org/techniques/T1218/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "416697ae-e468-4093-a93d-59661fa619ec", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_104.json b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_104.json deleted file mode 100644 index 5d172e80d5e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Control Panel Process with Unusual Arguments", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\control.exe\", \"?:\\\\Windows\\\\System32\\\\control.exe\") and\n process.command_line :\n (\"*.jpg*\",\n \"*.png*\",\n \"*.gif*\",\n \"*.bmp*\",\n \"*.jpeg*\",\n \"*.TIFF*\",\n \"*.inf*\",\n \"*.cpl:*/*\",\n \"*../../..*\",\n \"*/AppData/Local/*\",\n \"*:\\\\Users\\\\Public\\\\*\",\n \"*\\\\AppData\\\\Local\\\\*\")\n", "references": ["https://www.joesandbox.com/analysis/476188/1/html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "416697ae-e468-4093-a93d-59661fa619ec", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.002", "name": "Control Panel", "reference": "https://attack.mitre.org/techniques/T1218/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "416697ae-e468-4093-a93d-59661fa619ec_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_105.json b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_105.json deleted file mode 100644 index 8726b551e1a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Control Panel Process with Unusual Arguments", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\control.exe\", \"?:\\\\Windows\\\\System32\\\\control.exe\") and\n process.command_line :\n (\"*.jpg*\",\n \"*.png*\",\n \"*.gif*\",\n \"*.bmp*\",\n \"*.jpeg*\",\n \"*.TIFF*\",\n \"*.inf*\",\n \"*.cpl:*/*\",\n \"*../../..*\",\n \"*/AppData/Local/*\",\n \"*:\\\\Users\\\\Public\\\\*\",\n \"*\\\\AppData\\\\Local\\\\*\")\n", "references": ["https://www.joesandbox.com/analysis/476188/1/html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "416697ae-e468-4093-a93d-59661fa619ec", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", 
"name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.002", "name": "Control Panel", "reference": "https://attack.mitre.org/techniques/T1218/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "416697ae-e468-4093-a93d-59661fa619ec_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_106.json b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_106.json deleted file mode 100644 index f15ad4f4919..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Control Panel Process with Unusual Arguments", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\control.exe\", \"?:\\\\Windows\\\\System32\\\\control.exe\") and\n process.command_line :\n (\"*.jpg*\",\n \"*.png*\",\n \"*.gif*\",\n \"*.bmp*\",\n \"*.jpeg*\",\n \"*.TIFF*\",\n \"*.inf*\",\n \"*.cpl:*/*\",\n \"*../../..*\",\n \"*/AppData/Local/*\",\n \"*:\\\\Users\\\\Public\\\\*\",\n \"*\\\\AppData\\\\Local\\\\*\")\n", "references": ["https://www.joesandbox.com/analysis/476188/1/html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "416697ae-e468-4093-a93d-59661fa619ec", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.002", "name": "Control Panel", "reference": "https://attack.mitre.org/techniques/T1218/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "416697ae-e468-4093-a93d-59661fa619ec_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_107.json b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_107.json deleted file mode 100644 index 03cbcddbae4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Control Panel Process with Unusual Arguments", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\control.exe\", \"?:\\\\Windows\\\\System32\\\\control.exe\") and\n process.command_line :\n (\"*.jpg*\",\n \"*.png*\",\n \"*.gif*\",\n \"*.bmp*\",\n \"*.jpeg*\",\n \"*.TIFF*\",\n \"*.inf*\",\n \"*.cpl:*/*\",\n \"*../../..*\",\n \"*/AppData/Local/*\",\n \"*:\\\\Users\\\\Public\\\\*\",\n \"*\\\\AppData\\\\Local\\\\*\")\n", "references": ["https://www.joesandbox.com/analysis/476188/1/html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "416697ae-e468-4093-a93d-59661fa619ec", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.002", "name": "Control Panel", "reference": "https://attack.mitre.org/techniques/T1218/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "416697ae-e468-4093-a93d-59661fa619ec_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_108.json b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_108.json deleted file mode 100644 index f5244d746f6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Control Panel Process with Unusual Arguments", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\control.exe\", \"?:\\\\Windows\\\\System32\\\\control.exe\") and\n process.command_line :\n (\"*.jpg*\",\n \"*.png*\",\n \"*.gif*\",\n \"*.bmp*\",\n \"*.jpeg*\",\n \"*.TIFF*\",\n \"*.inf*\",\n \"*.cpl:*/*\",\n \"*../../..*\",\n \"*/AppData/Local/*\",\n \"*:\\\\Users\\\\Public\\\\*\",\n \"*\\\\AppData\\\\Local\\\\*\")\n", "references": ["https://www.joesandbox.com/analysis/476188/1/html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "416697ae-e468-4093-a93d-59661fa619ec", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: 
Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.002", "name": "Control Panel", "reference": "https://attack.mitre.org/techniques/T1218/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "416697ae-e468-4093-a93d-59661fa619ec_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_109.json b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_109.json deleted file mode 100644 index 492db5c819f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Control Panel Process with Unusual Arguments", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\control.exe\", \"?:\\\\Windows\\\\System32\\\\control.exe\") and\n process.command_line :\n (\"*.jpg*\",\n \"*.png*\",\n \"*.gif*\",\n \"*.bmp*\",\n \"*.jpeg*\",\n \"*.TIFF*\",\n \"*.inf*\",\n \"*.cpl:*/*\",\n \"*../../..*\",\n \"*/AppData/Local/*\",\n \"*:\\\\Users\\\\Public\\\\*\",\n \"*\\\\AppData\\\\Local\\\\*\")\n", "references": ["https://www.joesandbox.com/analysis/476188/1/html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "416697ae-e468-4093-a93d-59661fa619ec", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.002", "name": "Control Panel", "reference": "https://attack.mitre.org/techniques/T1218/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "416697ae-e468-4093-a93d-59661fa619ec_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_110.json b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_110.json deleted file mode 100644 index 3649cf2227f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Control Panel Process with Unusual Arguments", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\control.exe\", \"?:\\\\Windows\\\\System32\\\\control.exe\") and\n process.command_line :\n (\"*.jpg*\",\n \"*.png*\",\n \"*.gif*\",\n \"*.bmp*\",\n \"*.jpeg*\",\n \"*.TIFF*\",\n \"*.inf*\",\n \"*.cpl:*/*\",\n \"*../../..*\",\n \"*/AppData/Local/*\",\n \"*:\\\\Users\\\\Public\\\\*\",\n \"*\\\\AppData\\\\Local\\\\*\")\n", "references": ["https://www.joesandbox.com/analysis/476188/1/html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "416697ae-e468-4093-a93d-59661fa619ec", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.002", "name": "Control Panel", "reference": "https://attack.mitre.org/techniques/T1218/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "416697ae-e468-4093-a93d-59661fa619ec_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_111.json b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_111.json deleted file mode 100644 index 23b04187824..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Control Panel Process with Unusual Arguments", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\control.exe\", \"?:\\\\Windows\\\\System32\\\\control.exe\") and\n process.command_line :\n (\"*.jpg*\",\n \"*.png*\",\n \"*.gif*\",\n \"*.bmp*\",\n \"*.jpeg*\",\n \"*.TIFF*\",\n \"*.inf*\",\n \"*.cpl:*/*\",\n \"*../../..*\",\n \"*/AppData/Local/*\",\n \"*:\\\\Users\\\\Public\\\\*\",\n \"*\\\\AppData\\\\Local\\\\*\")\n", "references": ["https://www.joesandbox.com/analysis/476188/1/html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "416697ae-e468-4093-a93d-59661fa619ec", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.002", "name": "Control Panel", "reference": "https://attack.mitre.org/techniques/T1218/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "416697ae-e468-4093-a93d-59661fa619ec_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_112.json b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_112.json deleted file mode 100644 index 7998febd96d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_112.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Control Panel Process with Unusual Arguments", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\control.exe\", \"?:\\\\Windows\\\\System32\\\\control.exe\") and\n process.command_line :\n (\"*.jpg*\",\n \"*.png*\",\n \"*.gif*\",\n \"*.bmp*\",\n \"*.jpeg*\",\n \"*.TIFF*\",\n \"*.inf*\",\n \"*.cpl:*/*\",\n \"*../../..*\",\n \"*/AppData/Local/*\",\n \"*:\\\\Users\\\\Public\\\\*\",\n \"*\\\\AppData\\\\Local\\\\*\")\n", "references": ["https://www.joesandbox.com/analysis/476188/1/html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "416697ae-e468-4093-a93d-59661fa619ec", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.002", "name": "Control Panel", "reference": "https://attack.mitre.org/techniques/T1218/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "416697ae-e468-4093-a93d-59661fa619ec_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_312.json b/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_312.json
deleted file mode 100644
index 91d372aa3dd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/416697ae-e468-4093-a93d-59661fa619ec_312.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Control Panel Process with Unusual Arguments", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\control.exe\", \"?:\\\\Windows\\\\System32\\\\control.exe\") and\n process.command_line :\n (\"*.jpg*\",\n \"*.png*\",\n \"*.gif*\",\n \"*.bmp*\",\n \"*.jpeg*\",\n \"*.TIFF*\",\n \"*.inf*\",\n \"*.cpl:*/*\",\n \"*../../..*\",\n \"*/AppData/Local/*\",\n \"*:\\\\Users\\\\Public\\\\*\",\n \"*\\\\AppData\\\\Local\\\\*\")\n", "references": ["https://www.joesandbox.com/analysis/476188/1/html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "416697ae-e468-4093-a93d-59661fa619ec", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to 
work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.002", "name": "Control Panel", "reference": "https://attack.mitre.org/techniques/T1218/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 312}, "id": "416697ae-e468-4093-a93d-59661fa619ec_312", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/41761cd3-380f-4d4d-89f3-46d6853ee35d.json b/packages/security_detection_engine/kibana/security_rule/41761cd3-380f-4d4d-89f3-46d6853ee35d.json
deleted file mode 100644
index 73791443ab3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/41761cd3-380f-4d4d-89f3-46d6853ee35d.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects a new user agent used for a GitHub user not previously seen in the last 14 days.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-github.audit-*"], "language": "kuery", "license": "Elastic License v2", "name": "First Occurrence of User-Agent For a GitHub User", "new_terms_fields": ["user.name", "github.user_agent"], "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and\ngithub.user_agent:* and user.name:*\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "github.user_agent", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "41761cd3-380f-4d4d-89f3-46d6853ee35d", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Initial Access", "Rule Type: BBR", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "41761cd3-380f-4d4d-89f3-46d6853ee35d", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/41761cd3-380f-4d4d-89f3-46d6853ee35d_1.json b/packages/security_detection_engine/kibana/security_rule/41761cd3-380f-4d4d-89f3-46d6853ee35d_1.json
deleted file mode 100644
index ed1dc8ecc14..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/41761cd3-380f-4d4d-89f3-46d6853ee35d_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects a new user agent used for a GitHub user not previously seen in the last 14 days.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-github.audit-*"], "language": "kuery", "license": "Elastic License v2", "name": "First Occurrence of User-Agent For a GitHub User", "new_terms_fields": ["user.name", "github.user_agent"], "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and\ngithub.user_agent:* and user.name:*\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "github.user_agent", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "41761cd3-380f-4d4d-89f3-46d6853ee35d", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Initial Access", "Rule Type: BBR", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "41761cd3-380f-4d4d-89f3-46d6853ee35d_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/41761cd3-380f-4d4d-89f3-46d6853ee35d_103.json b/packages/security_detection_engine/kibana/security_rule/41761cd3-380f-4d4d-89f3-46d6853ee35d_103.json
new file mode 100644
index 00000000000..a4f2f2e7ce4
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/41761cd3-380f-4d4d-89f3-46d6853ee35d_103.json
@@ -0,0 +1,90 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "building_block_type": "default",
+ "description": "Detects a new user agent used for a GitHub user not previously seen in the last 14 days.",
+ "from": "now-9m",
+ "history_window_start": "now-14d",
+ "index": [
+ "logs-github.audit-*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "First Occurrence of User-Agent For a GitHub User",
+ "new_terms_fields": [
+ "user.name",
+ "github.user_agent"
+ ],
+ "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and\ngithub.user_agent:* and user.name:*\n",
+ "related_integrations": [
+ {
+ "package": "github",
+ "version": "^2.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "github.user_agent",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "user.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "41761cd3-380f-4d4d-89f3-46d6853ee35d",
+ "severity": "low",
+ "tags": [
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Initial Access",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/",
+ "subtechnique": [
+ {
+ "id": "T1078.004",
+ "name": "Cloud Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/004/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "new_terms",
+ "version": 103
+ },
+ "id": "41761cd3-380f-4d4d-89f3-46d6853ee35d_103",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e.json b/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e.json
deleted file mode 100644
index 39eb97f4c01..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of and EggShell Backdoor. EggShell is a known post exploitation tool for macOS and Linux.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "EggShell Backdoor Execution", "query": "event.category:process and event.type:(process_started or start) and process.name:espl and process.args:eyJkZWJ1ZyI6*\n", "references": ["https://github.com/neoneggplant/EggShell"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "41824afb-d68c-4d0e-bfee-474dac1fa56e", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.006", "name": "Python", "reference": "https://attack.mitre.org/techniques/T1059/006/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "41824afb-d68c-4d0e-bfee-474dac1fa56e", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_101.json b/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_101.json
deleted file mode 100644
index 23d47392216..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_101.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of and EggShell Backdoor. EggShell is a known post exploitation tool for macOS and Linux.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "EggShell Backdoor Execution", "query": "event.category:process and event.type:(start or process_started) and process.name:espl and process.args:eyJkZWJ1ZyI6*\n", "references": ["https://github.com/neoneggplant/EggShell"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "41824afb-d68c-4d0e-bfee-474dac1fa56e", "severity": "high", "tags": ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.006", "name": "Python", "reference": "https://attack.mitre.org/techniques/T1059/006/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "41824afb-d68c-4d0e-bfee-474dac1fa56e_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_102.json b/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_102.json
deleted file mode 100644
index 5fa31688beb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/41824afb-d68c-4d0e-bfee-474dac1fa56e_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of and EggShell Backdoor. EggShell is a known post exploitation tool for macOS and Linux.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "EggShell Backdoor Execution", "query": "event.category:process and event.type:(process_started or start) and process.name:espl and process.args:eyJkZWJ1ZyI6*\n", "references": ["https://github.com/neoneggplant/EggShell"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "41824afb-d68c-4d0e-bfee-474dac1fa56e", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.006", "name": "Python", "reference": "https://attack.mitre.org/techniques/T1059/006/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "41824afb-d68c-4d0e-bfee-474dac1fa56e_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4182e486-fc61-11ee-a05d-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/4182e486-fc61-11ee-a05d-f661ea17fbce.json
deleted file mode 100644
index e5787aad67a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4182e486-fc61-11ee-a05d-f661ea17fbce.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies AWS EC2 EBS snaphots being shared with another AWS account. EBS virtual disks can be copied into snapshots, which can then be shared with an external AWS account or made public. Adversaries may attempt this in order to copy the snapshot into an environment they control, to access the data.", "false_positives": ["AMI sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action."], "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "AWS EC2 EBS Snapshot Shared with Another Account", "note": "\n## Triage and Analysis\n\n### Investigating AWS EC2 EBS Snapshot Shared with Another Account\n\nThis rule detects when an AWS EC2 EBS snapshot is shared with another AWS account. EBS virtual disks can be copied into snapshots, which can then be shared with an external AWS account or made public. Adversaries may attempt this to copy the snapshot into an environment they control to access the data. Understanding the context and legitimacy of such changes is crucial to determine if the action is benign or malicious.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific changes made to the snapshot permissions. Look for any unusual parameters that could suggest unauthorized or malicious modifications.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. 
An external or unexpected location might indicate compromised credentials or unauthorized access.\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the change occurred. Modifications during non-business hours or outside regular maintenance windows might require further scrutiny.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the snapshot sharing aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the change was successful and intended according to policy.\n\n### Response and Remediation:\n\n- **Immediate Review and Reversal if Necessary**: If the change was unauthorized, update the snapshot permissions to remove any unauthorized accounts and restore it to its previous state.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning snapshot management and sharing permissions.\n- **Audit Snapshots and Policies**: Conduct a comprehensive audit of all snapshots and associated policies to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident 
response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing EBS snapshots and securing AWS environments, refer to the [AWS EBS documentation](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html) and AWS best practices for security. Additionally, consult the following resources for specific details on EBS snapshot security:\n- [AWS EBS Snapshot Permissions](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html)\n- [AWS API ModifySnapshotAttribute](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html)\n- [AWS EBS Snapshot Dump](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump)\n", "query": "from logs-aws.cloudtrail-*\n| where event.provider == \"ec2.amazonaws.com\" and event.action == \"ModifySnapshotAttribute\" and event.outcome == \"success\"\n| dissect aws.cloudtrail.request_parameters \"{%{?snapshotId}=%{snapshotId},%{?attributeType}=%{attributeType},%{?createVolumePermission}={%{operationType}={%{?items}=[{%{?userId}=%{userId}}]}}}\"\n| where operationType == \"add\" and cloud.account.id != userId\n| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, snapshotId, attributeType, operationType, userId\n", "references": ["https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html", "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump"], "risk_score": 21, "rule_id": "4182e486-fc61-11ee-a05d-f661ea17fbce", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Threat 
Detection", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "4182e486-fc61-11ee-a05d-f661ea17fbce", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4182e486-fc61-11ee-a05d-f661ea17fbce_1.json b/packages/security_detection_engine/kibana/security_rule/4182e486-fc61-11ee-a05d-f661ea17fbce_1.json
deleted file mode 100644
index e28fe7c5829..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4182e486-fc61-11ee-a05d-f661ea17fbce_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies AWS EC2 EBS snaphots being shared with another AWS account. EBS virtual disks can be copied into snapshots, which can then be shared with an external AWS account or made public. Adversaries may attempt this in order to copy the snapshot into an environment they control, to access the data.", "false_positives": ["AMI sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action."], "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "AWS EC2 EBS Snapshot Shared with Another Account", "note": "\n## Triage and Analysis\n\n### Investigating AWS EC2 EBS Snapshot Shared with Another Account\n\nThis rule detects when an AWS EC2 EBS snapshot is shared with another AWS account. EBS virtual disks can be copied into snapshots, which can then be shared with an external AWS account or made public. Adversaries may attempt this to copy the snapshot into an environment they control to access the data. Understanding the context and legitimacy of such changes is crucial to determine if the action is benign or malicious.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific changes made to the snapshot permissions. Look for any unusual parameters that could suggest unauthorized or malicious modifications.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. 
An external or unexpected location might indicate compromised credentials or unauthorized access.\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the change occurred. Modifications during non-business hours or outside regular maintenance windows might require further scrutiny.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the snapshot sharing aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the change was successful and intended according to policy.\n\n### Response and Remediation:\n\n- **Immediate Review and Reversal if Necessary**: If the change was unauthorized, update the snapshot permissions to remove any unauthorized accounts and restore it to its previous state.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning snapshot management and sharing permissions.\n- **Audit Snapshots and Policies**: Conduct a comprehensive audit of all snapshots and associated policies to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident 
response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing EBS snapshots and securing AWS environments, refer to the [AWS EBS documentation](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html) and AWS best practices for security. Additionally, consult the following resources for specific details on EBS snapshot security:\n- [AWS EBS Snapshot Permissions](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html)\n- [AWS API ModifySnapshotAttribute](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html)\n- [AWS EBS Snapshot Dump](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump)\n", "query": "from logs-aws.cloudtrail-*\n| where event.provider == \"ec2.amazonaws.com\" and event.action == \"ModifySnapshotAttribute\" and event.outcome == \"success\"\n| dissect aws.cloudtrail.request_parameters \"{%{?snapshotId}=%{snapshotId},%{?attributeType}=%{attributeType},%{?createVolumePermission}={%{operationType}={%{?items}=[{%{?userId}=%{userId}}]}}}\"\n| where operationType == \"add\" and cloud.account.id != userId\n| keep @timestamp, aws.cloudtrail.user_identity.arn, cloud.account.id, event.action, snapshotId, attributeType, operationType, userId\n", "references": ["https://docs.aws.amazon.com/ebs/latest/userguide/ebs-modifying-snapshot-permissions.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html", "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump"], "risk_score": 21, "rule_id": "4182e486-fc61-11ee-a05d-f661ea17fbce", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Threat 
Detection", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "4182e486-fc61-11ee-a05d-f661ea17fbce_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5.json b/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5.json
deleted file mode 100644
index 7af289ae220..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create a local account that will be hidden from the macOS logon window. This may indicate an attempt to evade user attention while maintaining persistence using a separate local account.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Hidden Local User Account Creation", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:dscl and process.args:(IsHidden and create and (true or 1 or yes))\n", "references": ["https://support.apple.com/en-us/HT203998"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "41b638a1-8ab6-4f8e-86d9-466317ef2db5", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "41b638a1-8ab6-4f8e-86d9-466317ef2db5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_102.json b/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_102.json deleted file mode 100644 index 065bfc8b307..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create a local account that will be hidden from the macOS logon window. This may indicate an attempt to evade user attention while maintaining persistence using a separate local account.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Hidden Local User Account Creation", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:dscl and process.args:(IsHidden and create and (true or 1 or yes))\n", "references": ["https://support.apple.com/en-us/HT203998"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "41b638a1-8ab6-4f8e-86d9-466317ef2db5", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "41b638a1-8ab6-4f8e-86d9-466317ef2db5_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_103.json b/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_103.json
deleted file mode 100644
index 2759b64af52..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create a local account that will be hidden from the macOS logon window. This may indicate an attempt to evade user attention while maintaining persistence using a separate local account.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Hidden Local User Account Creation", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:dscl and process.args:(IsHidden and create and (true or 1 or yes))\n", "references": ["https://support.apple.com/en-us/HT203998"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "41b638a1-8ab6-4f8e-86d9-466317ef2db5", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "41b638a1-8ab6-4f8e-86d9-466317ef2db5_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_104.json b/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_104.json
deleted file mode 100644
index a2e0ccc8212..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create a local account that will be hidden from the macOS logon window. This may indicate an attempt to evade user attention while maintaining persistence using a separate local account.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Hidden Local User Account Creation", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:dscl and process.args:(IsHidden and create and (true or 1 or yes))\n", "references": ["https://support.apple.com/en-us/HT203998"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "41b638a1-8ab6-4f8e-86d9-466317ef2db5", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "41b638a1-8ab6-4f8e-86d9-466317ef2db5_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_105.json b/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_105.json
deleted file mode 100644
index 903e130f61b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/41b638a1-8ab6-4f8e-86d9-466317ef2db5_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create a local account that will be hidden from the macOS logon window. This may indicate an attempt to evade user attention while maintaining persistence using a separate local account.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Hidden Local User Account Creation", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:dscl and process.args:(IsHidden and create and (true or 1 or yes))\n", "references": ["https://support.apple.com/en-us/HT203998"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "41b638a1-8ab6-4f8e-86d9-466317ef2db5", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "41b638a1-8ab6-4f8e-86d9-466317ef2db5_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/41f7da9e-4e9f-4a81-9b58-40d725d83bc0.json b/packages/security_detection_engine/kibana/security_rule/41f7da9e-4e9f-4a81-9b58-40d725d83bc0.json deleted file mode 100644 index 9e23faf6656..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/41f7da9e-4e9f-4a81-9b58-40d725d83bc0.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the use of the mount utility from inside a privileged container. The mount command is used to make a device or file system accessible to the system, and then to connect its root directory to a specified mount point on the local file system. When launched inside a privileged container--a container deployed with all the capabilities of the host machine-- an attacker can access sensitive host level files which could be used for further privilege escalation and container escapes to the host machine. Any usage of mount inside a running privileged container should be further investigated.", "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "Mount Launched Inside a Privileged Container", "query": "process where event.module == \"cloud_defend\" and event.type== \"start\" and \n(process.name== \"mount\" or process.args== \"mount\") and container.security_context.privileged == true\n", "references": ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#privileged"], "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "container.security_context.privileged", "type": "boolean"}, {"ecs": true, "name": "event.module", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "41f7da9e-4e9f-4a81-9b58-40d725d83bc0", "severity": "low", "tags": ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": 
"https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "41f7da9e-4e9f-4a81-9b58-40d725d83bc0", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/420e5bb4-93bf-40a3-8f4a-4cc1af90eca1.json b/packages/security_detection_engine/kibana/security_rule/420e5bb4-93bf-40a3-8f4a-4cc1af90eca1.json
deleted file mode 100644
index efd216ec8cd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/420e5bb4-93bf-40a3-8f4a-4cc1af90eca1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects interactive 'exec' events launched against a container using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/command inside the container. This rule specifically targets higher-risk interactive commands that allow real-time interaction with a container's shell. A malicious actor could use this level of access to further compromise the container environment or attempt a container breakout.", "false_positives": ["An administrator may need to exec into a pod for a legitimate reason like debugging purposes. Containers built from Linux and Windows OS images, tend to include debugging utilities. In this case, an admin may choose to run commands inside a specific container with kubectl exec ${POD_NAME} -c ${CONTAINER_NAME} -- ${CMD} ${ARG1} ${ARG2} ... ${ARGN}. For example, the following command can be used to look at logs from a running Cassandra pod: kubectl exec cassandra --cat /var/log/cassandra/system.log . 
Additionally, the -i and -t arguments might be used to run a shell connected to the terminal: kubectl exec -i -t cassandra -- sh"], "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "Interactive Exec Command Launched Against A Running Container", "query": "process where container.id : \"*\" and event.type== \"start\" and \n\n/* use of kubectl exec to enter a container */\nprocess.entry_leader.entry_meta.type : \"container\" and \n\n/* process is the inital process run in a container */\nprocess.entry_leader.same_as_process== true and\n\n/* interactive process */\nprocess.interactive == true\n", "references": ["https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/", "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/"], "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "container.id", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.entry_leader.entry_meta.type", "type": "keyword"}, {"ecs": true, "name": "process.entry_leader.same_as_process", "type": "boolean"}, {"ecs": true, "name": "process.interactive", "type": "boolean"}], "risk_score": 73, "rule_id": "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1", "severity": "high", "tags": ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}, {"id": "T1609", "name": "Container Administration 
Command", "reference": "https://attack.mitre.org/techniques/T1609/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/420e5bb4-93bf-40a3-8f4a-4cc1af90eca1_1.json b/packages/security_detection_engine/kibana/security_rule/420e5bb4-93bf-40a3-8f4a-4cc1af90eca1_1.json
deleted file mode 100644
index 6b8239f8eb6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/420e5bb4-93bf-40a3-8f4a-4cc1af90eca1_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects interactive 'exec' events launched against a container using the 'exec' command. Using the 'exec' command in a pod allows a user to establish a temporary shell session and execute any process/command inside the container. This rule specifically targets higher-risk interactive commands that allow real-time interaction with a container's shell. A malicious actor could use this level of access to further compromise the container environment or attempt a container breakout.", "false_positives": ["An administrator may need to exec into a pod for a legitimate reason like debugging purposes. Containers built from Linux and Windows OS images, tend to include debugging utilities. In this case, an admin may choose to run commands inside a specific container with kubectl exec ${POD_NAME} -c ${CONTAINER_NAME} -- ${CMD} ${ARG1} ${ARG2} ... ${ARGN}. For example, the following command can be used to look at logs from a running Cassandra pod: kubectl exec cassandra --cat /var/log/cassandra/system.log . 
Additionally, the -i and -t arguments might be used to run a shell connected to the terminal: kubectl exec -i -t cassandra -- sh"], "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "Interactive Exec Command Launched Against A Running Container", "query": "process where container.id : \"*\" and event.type== \"start\" and \n\n/* use of kubectl exec to enter a container */\nprocess.entry_leader.entry_meta.type : \"container\" and \n\n/* process is the inital process run in a container */\nprocess.entry_leader.same_as_process== true and\n\n/* interactive process */\nprocess.interactive == true\n", "references": ["https://kubernetes.io/docs/tasks/debug/debug-application/debug-running-pod/", "https://kubernetes.io/docs/tasks/debug/debug-application/get-shell-running-container/"], "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "container.id", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.entry_leader.entry_meta.type", "type": "keyword"}, {"ecs": true, "name": "process.entry_leader.same_as_process", "type": "boolean"}, {"ecs": true, "name": "process.interactive", "type": "boolean"}], "risk_score": 73, "rule_id": "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1", "severity": "high", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Container"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}, {"id": "T1609", "name": "Container Administration Command", "reference": 
"https://attack.mitre.org/techniques/T1609/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0.json b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0.json
deleted file mode 100644
index 21f0292030f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Okta Brute Force or Password Spraying Attack", "note": "## Triage and analysis\n\n### Investigating Okta Brute Force or Password Spraying Attack\n\nThis rule alerts when a high number of failed Okta user authentication attempts occur from a single IP address. This could be indicative of a brute force or password spraying attack, where an adversary may attempt to gain unauthorized access to user accounts by guessing the passwords.\n\n#### Possible investigation steps:\n\n- Review the `source.ip` field to identify the IP address from which the high volume of failed login attempts originated.\n- Look into the `event.outcome` field to verify that these are indeed failed authentication attempts.\n- Determine the `user.name` or `user.email` related to these failed login attempts. If the attempts are spread across multiple accounts, it might indicate a password spraying attack.\n- Check the timeline of the events. Are the failed attempts spread out evenly, or are there burst periods, which might indicate an automated tool?\n- Determine the geographical location of the source IP. Is this location consistent with the user's typical login location?\n- Analyze any previous successful logins from this IP. 
Was this IP previously associated with successful logins?\n\n### False positive analysis:\n\n- A single user or automated process that attempts to authenticate using expired or wrong credentials multiple times may trigger a false positive.\n- Analyze the behavior of the source IP. If the IP is associated with legitimate users or services, it may be a false positive.\n\n### Response and remediation:\n\n- If you identify unauthorized access attempts, consider blocking the source IP at the firewall level.\n- Notify the users who are targeted by the attack. Ask them to change their passwords and ensure they use unique, complex passwords.\n- Enhance monitoring on the affected user accounts for any suspicious activity.\n- If the attack is persistent, consider implementing CAPTCHA or account lockouts after a certain number of failed login attempts.\n- If the attack is persistent, consider implementing multi-factor authentication (MFA) for the affected user accounts.\n- Review and update your security policies based on the findings from the incident.", "query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "42bf698b-4738-445b-8231-c834ddefd8a0", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["source.ip"], "value": 25}, "timestamp_override": "event.ingested", "type": "threshold", "version": 208}, "id": "42bf698b-4738-445b-8231-c834ddefd8a0", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_102.json b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_102.json
deleted file mode 100644
index e963934811e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Okta Brute Force or Password Spraying Attack", "note": "", "query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "42bf698b-4738-445b-8231-c834ddefd8a0", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["source.ip"], "value": 25}, "type": "threshold", "version": 102}, "id": "42bf698b-4738-445b-8231-c834ddefd8a0_102", "type": 
"security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_103.json b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_103.json
deleted file mode 100644
index ed201be2f16..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Okta Brute Force or Password Spraying Attack", "note": "", "query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "42bf698b-4738-445b-8231-c834ddefd8a0", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["source.ip"], "value": 25}, "type": "threshold", "version": 103}, "id": 
"42bf698b-4738-445b-8231-c834ddefd8a0_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_104.json b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_104.json
deleted file mode 100644
index 7b444f04baf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Okta Brute Force or Password Spraying Attack", "note": "## Triage and analysis\n\n### Investigating Okta Brute Force or Password Spraying Attack\n\nThis rule alerts when a high number of failed Okta user authentication attempts occur from a single IP address. This could be indicative of a brute force or password spraying attack, where an adversary may attempt to gain unauthorized access to user accounts by guessing the passwords.\n\n#### Possible investigation steps:\n\n- Review the `source.ip` field to identify the IP address from which the high volume of failed login attempts originated.\n- Look into the `event.outcome` field to verify that these are indeed failed authentication attempts.\n- Determine the `user.name` or `user.email` related to these failed login attempts. If the attempts are spread across multiple accounts, it might indicate a password spraying attack.\n- Check the timeline of the events. Are the failed attempts spread out evenly, or are there burst periods, which might indicate an automated tool?\n- Determine the geographical location of the source IP. Is this location consistent with the user's typical login location?\n- Analyze any previous successful logins from this IP. 
Was this IP previously associated with successful logins?\n\n### False positive analysis:\n\n- A single user or automated process that attempts to authenticate using expired or wrong credentials multiple times may trigger a false positive.\n- Analyze the behavior of the source IP. If the IP is associated with legitimate users or services, it may be a false positive.\n\n### Response and remediation:\n\n- If you identify unauthorized access attempts, consider blocking the source IP at the firewall level.\n- Notify the users who are targeted by the attack. Ask them to change their passwords and ensure they use unique, complex passwords.\n- Enhance monitoring on the affected user accounts for any suspicious activity.\n- If the attack is persistent, consider implementing CAPTCHA or account lockouts after a certain number of failed login attempts.\n- If the attack is persistent, consider implementing multi-factor authentication (MFA) for the affected user accounts.\n- Review and update your security policies based on the findings from the incident.", "query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "42bf698b-4738-445b-8231-c834ddefd8a0", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: 
Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["source.ip"], "value": 25}, "type": "threshold", "version": 104}, "id": "42bf698b-4738-445b-8231-c834ddefd8a0_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_105.json b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_105.json
deleted file mode 100644
index fd96cb90bf2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Okta Brute Force or Password Spraying Attack", "note": "## Triage and analysis\n\n### Investigating Okta Brute Force or Password Spraying Attack\n\nThis rule alerts when a high number of failed Okta user authentication attempts occur from a single IP address. This could be indicative of a brute force or password spraying attack, where an adversary may attempt to gain unauthorized access to user accounts by guessing the passwords.\n\n#### Possible investigation steps:\n\n- Review the `source.ip` field to identify the IP address from which the high volume of failed login attempts originated.\n- Look into the `event.outcome` field to verify that these are indeed failed authentication attempts.\n- Determine the `user.name` or `user.email` related to these failed login attempts. If the attempts are spread across multiple accounts, it might indicate a password spraying attack.\n- Check the timeline of the events. Are the failed attempts spread out evenly, or are there burst periods, which might indicate an automated tool?\n- Determine the geographical location of the source IP. Is this location consistent with the user's typical login location?\n- Analyze any previous successful logins from this IP. 
Was this IP previously associated with successful logins?\n\n### False positive analysis:\n\n- A single user or automated process that attempts to authenticate using expired or wrong credentials multiple times may trigger a false positive.\n- Analyze the behavior of the source IP. If the IP is associated with legitimate users or services, it may be a false positive.\n\n### Response and remediation:\n\n- If you identify unauthorized access attempts, consider blocking the source IP at the firewall level.\n- Notify the users who are targeted by the attack. Ask them to change their passwords and ensure they use unique, complex passwords.\n- Enhance monitoring on the affected user accounts for any suspicious activity.\n- If the attack is persistent, consider implementing CAPTCHA or account lockouts after a certain number of failed login attempts.\n- If the attack is persistent, consider implementing multi-factor authentication (MFA) for the affected user accounts.\n- Review and update your security policies based on the findings from the incident.", "query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "42bf698b-4738-445b-8231-c834ddefd8a0", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["source.ip"], "value": 25}, "type": "threshold", "version": 105}, "id": "42bf698b-4738-445b-8231-c834ddefd8a0_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_106.json b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_106.json
deleted file mode 100644
index fc36d8222fc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Okta Brute Force or Password Spraying Attack", "note": "## Triage and analysis\n\n### Investigating Okta Brute Force or Password Spraying Attack\n\nThis rule alerts when a high number of failed Okta user authentication attempts occur from a single IP address. This could be indicative of a brute force or password spraying attack, where an adversary may attempt to gain unauthorized access to user accounts by guessing the passwords.\n\n#### Possible investigation steps:\n\n- Review the `source.ip` field to identify the IP address from which the high volume of failed login attempts originated.\n- Look into the `event.outcome` field to verify that these are indeed failed authentication attempts.\n- Determine the `user.name` or `user.email` related to these failed login attempts. If the attempts are spread across multiple accounts, it might indicate a password spraying attack.\n- Check the timeline of the events. Are the failed attempts spread out evenly, or are there burst periods, which might indicate an automated tool?\n- Determine the geographical location of the source IP. Is this location consistent with the user's typical login location?\n- Analyze any previous successful logins from this IP. 
Was this IP previously associated with successful logins?\n\n### False positive analysis:\n\n- A single user or automated process that attempts to authenticate using expired or wrong credentials multiple times may trigger a false positive.\n- Analyze the behavior of the source IP. If the IP is associated with legitimate users or services, it may be a false positive.\n\n### Response and remediation:\n\n- If you identify unauthorized access attempts, consider blocking the source IP at the firewall level.\n- Notify the users who are targeted by the attack. Ask them to change their passwords and ensure they use unique, complex passwords.\n- Enhance monitoring on the affected user accounts for any suspicious activity.\n- If the attack is persistent, consider implementing CAPTCHA or account lockouts after a certain number of failed login attempts.\n- If the attack is persistent, consider implementing multi-factor authentication (MFA) for the affected user accounts.\n- Review and update your security policies based on the findings from the incident.", "query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "42bf698b-4738-445b-8231-c834ddefd8a0", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["source.ip"], "value": 25}, "type": "threshold", "version": 106}, "id": "42bf698b-4738-445b-8231-c834ddefd8a0_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_207.json b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_207.json
deleted file mode 100644
index b101d96fc77..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_207.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Okta Brute Force or Password Spraying Attack", "note": "## Triage and analysis\n\n### Investigating Okta Brute Force or Password Spraying Attack\n\nThis rule alerts when a high number of failed Okta user authentication attempts occur from a single IP address. This could be indicative of a brute force or password spraying attack, where an adversary may attempt to gain unauthorized access to user accounts by guessing the passwords.\n\n#### Possible investigation steps:\n\n- Review the `source.ip` field to identify the IP address from which the high volume of failed login attempts originated.\n- Look into the `event.outcome` field to verify that these are indeed failed authentication attempts.\n- Determine the `user.name` or `user.email` related to these failed login attempts. If the attempts are spread across multiple accounts, it might indicate a password spraying attack.\n- Check the timeline of the events. Are the failed attempts spread out evenly, or are there burst periods, which might indicate an automated tool?\n- Determine the geographical location of the source IP. Is this location consistent with the user's typical login location?\n- Analyze any previous successful logins from this IP. 
Was this IP previously associated with successful logins?\n\n### False positive analysis:\n\n- A single user or automated process that attempts to authenticate using expired or wrong credentials multiple times may trigger a false positive.\n- Analyze the behavior of the source IP. If the IP is associated with legitimate users or services, it may be a false positive.\n\n### Response and remediation:\n\n- If you identify unauthorized access attempts, consider blocking the source IP at the firewall level.\n- Notify the users who are targeted by the attack. Ask them to change their passwords and ensure they use unique, complex passwords.\n- Enhance monitoring on the affected user accounts for any suspicious activity.\n- If the attack is persistent, consider implementing CAPTCHA or account lockouts after a certain number of failed login attempts.\n- If the attack is persistent, consider implementing multi-factor authentication (MFA) for the affected user accounts.\n- Review and update your security policies based on the findings from the incident.", "query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "42bf698b-4738-445b-8231-c834ddefd8a0", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["source.ip"], "value": 25}, "type": "threshold", "version": 207}, "id": "42bf698b-4738-445b-8231-c834ddefd8a0_207", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_208.json b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_208.json
deleted file mode 100644
index 9af61a9003c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_208.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Okta Brute Force or Password Spraying Attack", "note": "## Triage and analysis\n\n### Investigating Okta Brute Force or Password Spraying Attack\n\nThis rule alerts when a high number of failed Okta user authentication attempts occur from a single IP address. This could be indicative of a brute force or password spraying attack, where an adversary may attempt to gain unauthorized access to user accounts by guessing the passwords.\n\n#### Possible investigation steps:\n\n- Review the `source.ip` field to identify the IP address from which the high volume of failed login attempts originated.\n- Look into the `event.outcome` field to verify that these are indeed failed authentication attempts.\n- Determine the `user.name` or `user.email` related to these failed login attempts. If the attempts are spread across multiple accounts, it might indicate a password spraying attack.\n- Check the timeline of the events. Are the failed attempts spread out evenly, or are there burst periods, which might indicate an automated tool?\n- Determine the geographical location of the source IP. Is this location consistent with the user's typical login location?\n- Analyze any previous successful logins from this IP. 
Was this IP previously associated with successful logins?\n\n### False positive analysis:\n\n- A single user or automated process that attempts to authenticate using expired or wrong credentials multiple times may trigger a false positive.\n- Analyze the behavior of the source IP. If the IP is associated with legitimate users or services, it may be a false positive.\n\n### Response and remediation:\n\n- If you identify unauthorized access attempts, consider blocking the source IP at the firewall level.\n- Notify the users who are targeted by the attack. Ask them to change their passwords and ensure they use unique, complex passwords.\n- Enhance monitoring on the affected user accounts for any suspicious activity.\n- If the attack is persistent, consider implementing CAPTCHA or account lockouts after a certain number of failed login attempts.\n- If the attack is persistent, consider implementing multi-factor authentication (MFA) for the affected user accounts.\n- Review and update your security policies based on the findings from the incident.", "query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "42bf698b-4738-445b-8231-c834ddefd8a0", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["source.ip"], "value": 25}, "timestamp_override": "event.ingested", "type": "threshold", "version": 208}, "id": "42bf698b-4738-445b-8231-c834ddefd8a0_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_209.json b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_209.json
deleted file mode 100644
index 63090b05ee6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_209.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Okta Brute Force or Password Spraying Attack", "note": "## Triage and analysis\n\n### Investigating Okta Brute Force or Password Spraying Attack\n\nThis rule alerts when a high number of failed Okta user authentication attempts occur from a single IP address. This could be indicative of a brute force or password spraying attack, where an adversary may attempt to gain unauthorized access to user accounts by guessing the passwords.\n\n#### Possible investigation steps:\n\n- Review the `source.ip` field to identify the IP address from which the high volume of failed login attempts originated.\n- Look into the `event.outcome` field to verify that these are indeed failed authentication attempts.\n- Determine the `user.name` or `user.email` related to these failed login attempts. If the attempts are spread across multiple accounts, it might indicate a password spraying attack.\n- Check the timeline of the events. Are the failed attempts spread out evenly, or are there burst periods, which might indicate an automated tool?\n- Determine the geographical location of the source IP. Is this location consistent with the user's typical login location?\n- Analyze any previous successful logins from this IP. 
Was this IP previously associated with successful logins?\n\n### False positive analysis:\n\n- A single user or automated process that attempts to authenticate using expired or wrong credentials multiple times may trigger a false positive.\n- Analyze the behavior of the source IP. If the IP is associated with legitimate users or services, it may be a false positive.\n\n### Response and remediation:\n\n- If you identify unauthorized access attempts, consider blocking the source IP at the firewall level.\n- Notify the users who are targeted by the attack. Ask them to change their passwords and ensure they use unique, complex passwords.\n- Enhance monitoring on the affected user accounts for any suspicious activity.\n- If the attack is persistent, consider implementing CAPTCHA or account lockouts after a certain number of failed login attempts.\n- If the attack is persistent, consider implementing multi-factor authentication (MFA) for the affected user accounts.\n- Review and update your security policies based on the findings from the incident.", "query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "42bf698b-4738-445b-8231-c834ddefd8a0", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible 
with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["source.ip"], "value": 25}, "timestamp_override": "event.ingested", "type": "threshold", "version": 209}, "id": "42bf698b-4738-445b-8231-c834ddefd8a0_209", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_211.json b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_211.json
deleted file mode 100644
index 48791c38b36..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_211.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Okta Brute Force or Password Spraying Attack", "note": "## Triage and analysis\n\n### Investigating Okta Brute Force or Password Spraying Attack\n\nThis rule alerts when a high number of failed Okta user authentication attempts occur from a single IP address. This could be indicative of a brute force or password spraying attack, where an adversary may attempt to gain unauthorized access to user accounts by guessing the passwords.\n\n#### Possible investigation steps:\n\n- Review the `source.ip` field to identify the IP address from which the high volume of failed login attempts originated.\n- Look into the `event.outcome` field to verify that these are indeed failed authentication attempts.\n- Determine the `user.name` or `user.email` related to these failed login attempts. If the attempts are spread across multiple accounts, it might indicate a password spraying attack.\n- Check the timeline of the events. Are the failed attempts spread out evenly, or are there burst periods, which might indicate an automated tool?\n- Determine the geographical location of the source IP. Is this location consistent with the user's typical login location?\n- Analyze any previous successful logins from this IP. 
Was this IP previously associated with successful logins?\n\n### False positive analysis:\n\n- A single user or automated process that attempts to authenticate using expired or wrong credentials multiple times may trigger a false positive.\n- Analyze the behavior of the source IP. If the IP is associated with legitimate users or services, it may be a false positive.\n\n### Response and remediation:\n\n- If you identify unauthorized access attempts, consider blocking the source IP at the firewall level.\n- Notify the users who are targeted by the attack. Ask them to change their passwords and ensure they use unique, complex passwords.\n- Enhance monitoring on the affected user accounts for any suspicious activity.\n- If the attack is persistent, consider implementing CAPTCHA or account lockouts after a certain number of failed login attempts.\n- If the attack is persistent, consider implementing multi-factor authentication (MFA) for the affected user accounts.\n- Review and update your security policies based on the findings from the incident.", "query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "42bf698b-4738-445b-8231-c834ddefd8a0", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible 
with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["source.ip"], "value": 25}, "timestamp_override": "event.ingested", "type": "threshold", "version": 211}, "id": "42bf698b-4738-445b-8231-c834ddefd8a0_211", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_311.json b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_311.json
new file mode 100644
index 00000000000..80fb4f0ef46
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/42bf698b-4738-445b-8231-c834ddefd8a0_311.json
@@ -0,0 +1,87 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.",
+ "false_positives": [
+ "Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Okta Brute Force or Password Spraying Attack",
+ "note": "## Triage and analysis\n\n### Investigating Okta Brute Force or Password Spraying Attack\n\nThis rule alerts when a high number of failed Okta user authentication attempts occur from a single IP address. This could be indicative of a brute force or password spraying attack, where an adversary may attempt to gain unauthorized access to user accounts by guessing the passwords.\n\n#### Possible investigation steps:\n\n- Review the `source.ip` field to identify the IP address from which the high volume of failed login attempts originated.\n- Look into the `event.outcome` field to verify that these are indeed failed authentication attempts.\n- Determine the `user.name` or `user.email` related to these failed login attempts. If the attempts are spread across multiple accounts, it might indicate a password spraying attack.\n- Check the timeline of the events. Are the failed attempts spread out evenly, or are there burst periods, which might indicate an automated tool?\n- Determine the geographical location of the source IP. Is this location consistent with the user's typical login location?\n- Analyze any previous successful logins from this IP. 
Was this IP previously associated with successful logins?\n\n### False positive analysis:\n\n- A single user or automated process that attempts to authenticate using expired or wrong credentials multiple times may trigger a false positive.\n- Analyze the behavior of the source IP. If the IP is associated with legitimate users or services, it may be a false positive.\n\n### Response and remediation:\n\n- If you identify unauthorized access attempts, consider blocking the source IP at the firewall level.\n- Notify the users who are targeted by the attack. Ask them to change their passwords and ensure they use unique, complex passwords.\n- Enhance monitoring on the affected user accounts for any suspicious activity.\n- If the attack is persistent, consider implementing CAPTCHA or account lockouts after a certain number of failed login attempts.\n- If the attack is persistent, consider implementing multi-factor authentication (MFA) for the affected user accounts.\n- Review and update your security policies based on the findings from the incident.",
+ "query": "event.dataset:okta.system and event.category:authentication and event.outcome:failure\n",
+ "references": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "42bf698b-4738-445b-8231-c834ddefd8a0",
+ "setup": "The Okta Fleet 
integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Tactic: Credential Access",
+ "Data Source: Okta"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1110",
+ "name": "Brute Force",
+ "reference": "https://attack.mitre.org/techniques/T1110/"
+ }
+ ]
+ }
+ ],
+ "threshold": {
+ "field": [
+ "source.ip"
+ ],
+ "value": 25
+ },
+ "timestamp_override": "event.ingested",
+ "type": "threshold",
+ "version": 311
+ },
+ "id": "42bf698b-4738-445b-8231-c834ddefd8a0_311",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266.json b/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266.json
deleted file mode 100644
index 26c4759bc3a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266.json
+++ /dev/null
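Review bot: The threshold keyed on `source.ip` with `"value": 25` means a spray distributed across many source addresses, each staying under 25 failures, never fires this rule, while a shared corporate NAT or VPN egress address will cross it on ordinary mistyped passwords; neither limitation is stated in `false_positives` or the triage note, even though the rule name promises password-spraying coverage. Suggest adding to `false_positives`: `"Many users behind one NAT or VPN egress IP may exceed the threshold with legitimate failed logins; conversely a spray spread across many source IPs, each below 25 failures, will not trigger this rule."`. The query also counts every `event.outcome:failure` in the authentication category, so non-password failures (rejected MFA prompts, for instance) presumably contribute to the 25 — worth confirming against the event types the Okta integration maps and, if so, calling out in the investigation steps. If the threshold rule type supports a distinct-count condition on `user.name`, pairing the per-IP count with a minimum user cardinality would make the spraying half of the rule name more than nominal.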
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Process Creation via Secondary Logon", "query": "sequence by winlog.computer_name with maxspan=1m\n\n[authentication where event.action:\"logged-in\" and\n event.outcome == \"success\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and\n\n /* seclogon service */\n process.name == \"svchost.exe\" and\n winlog.event_data.LogonProcessName : \"seclogo*\" and source.ip == \"::1\" ] by winlog.event_data.TargetLogonId\n\n[process where event.type == \"start\"] by winlog.event_data.TargetLogonId\n", "references": ["https://attack.mitre.org/techniques/T1134/002/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.LogonProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}], "risk_score": 47, "rule_id": "42eeee3d-947f-46d3-a14d-7036b962c266", "setup": "## Setup\n\nAudit events 4624 and 4688 are needed to trigger this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence 
for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.002", "name": "Create Process with Token", "reference": "https://attack.mitre.org/techniques/T1134/002/"}, {"id": "T1134.003", "name": "Make and Impersonate Token", "reference": "https://attack.mitre.org/techniques/T1134/003/"}]}]}], "type": "eql", "version": 10}, "id": "42eeee3d-947f-46d3-a14d-7036b962c266", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_10.json b/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_10.json deleted file mode 100644 index dd6c12bbb27..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_10.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Process Creation via Secondary Logon", "query": "sequence by winlog.computer_name with maxspan=1m\n\n[authentication where event.action:\"logged-in\" and\n event.outcome == \"success\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and\n\n /* seclogon service */\n process.name == \"svchost.exe\" and\n winlog.event_data.LogonProcessName : \"seclogo*\" and source.ip == \"::1\" ] by winlog.event_data.TargetLogonId\n\n[process where event.type == \"start\"] by winlog.event_data.TargetLogonId\n", "references": ["https://attack.mitre.org/techniques/T1134/002/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.LogonProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}], "risk_score": 47, "rule_id": "42eeee3d-947f-46d3-a14d-7036b962c266", "setup": "## Setup\n\nAudit events 4624 and 4688 are needed to trigger this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence 
for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.002", "name": "Create Process with Token", "reference": "https://attack.mitre.org/techniques/T1134/002/"}, {"id": "T1134.003", "name": "Make and Impersonate Token", "reference": "https://attack.mitre.org/techniques/T1134/003/"}]}]}], "type": "eql", "version": 10}, "id": "42eeee3d-947f-46d3-a14d-7036b962c266_10", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_5.json b/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_5.json deleted file mode 100644 index b49f754758a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Process Creation via Secondary Logon", "note": "", "query": "sequence by winlog.computer_name with maxspan=1m\n\n[authentication where host.os.type == \"windows\" and event.action:\"logged-in\" and\n event.outcome == \"success\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and\n\n /* seclogon service */\n process.name == \"svchost.exe\" and\n winlog.event_data.LogonProcessName : \"seclogo*\" and source.ip == \"::1\" ] by winlog.event_data.TargetLogonId\n\n[process where host.os.type == \"windows\" and event.type == \"start\"] by winlog.event_data.TargetLogonId\n", "references": ["https://attack.mitre.org/techniques/T1134/002/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.LogonProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}], "risk_score": 47, "rule_id": "42eeee3d-947f-46d3-a14d-7036b962c266", "setup": "Audit events 4624 and 4688 are needed to trigger this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions 
<8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.002", "name": "Create Process with Token", "reference": "https://attack.mitre.org/techniques/T1134/002/"}, {"id": "T1134.003", "name": "Make and Impersonate Token", "reference": "https://attack.mitre.org/techniques/T1134/003/"}]}]}], "type": "eql", "version": 5}, "id": "42eeee3d-947f-46d3-a14d-7036b962c266_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_6.json b/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_6.json deleted file mode 100644 index 0385173b148..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Process Creation via Secondary Logon", "note": "", "query": "sequence by winlog.computer_name with maxspan=1m\n\n[authentication where event.action:\"logged-in\" and\n event.outcome == \"success\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and\n\n /* seclogon service */\n process.name == \"svchost.exe\" and\n winlog.event_data.LogonProcessName : \"seclogo*\" and source.ip == \"::1\" ] by winlog.event_data.TargetLogonId\n\n[process where event.type == \"start\"] by winlog.event_data.TargetLogonId\n", "references": ["https://attack.mitre.org/techniques/T1134/002/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.LogonProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}], "risk_score": 47, "rule_id": "42eeee3d-947f-46d3-a14d-7036b962c266", "setup": "Audit events 4624 and 4688 are needed to trigger this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need 
to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.002", "name": "Create Process with Token", "reference": "https://attack.mitre.org/techniques/T1134/002/"}, {"id": "T1134.003", "name": "Make and Impersonate Token", "reference": "https://attack.mitre.org/techniques/T1134/003/"}]}]}], "type": "eql", "version": 6}, "id": "42eeee3d-947f-46d3-a14d-7036b962c266_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_7.json b/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_7.json deleted file mode 100644 index 9201db2d8f5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Process Creation via Secondary Logon", "note": "", "query": "sequence by winlog.computer_name with maxspan=1m\n\n[authentication where event.action:\"logged-in\" and\n event.outcome == \"success\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and\n\n /* seclogon service */\n process.name == \"svchost.exe\" and\n winlog.event_data.LogonProcessName : \"seclogo*\" and source.ip == \"::1\" ] by winlog.event_data.TargetLogonId\n\n[process where event.type == \"start\"] by winlog.event_data.TargetLogonId\n", "references": ["https://attack.mitre.org/techniques/T1134/002/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.LogonProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}], "risk_score": 47, "rule_id": "42eeee3d-947f-46d3-a14d-7036b962c266", "setup": "Audit events 4624 and 4688 are needed to trigger this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need 
to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.002", "name": "Create Process with Token", "reference": "https://attack.mitre.org/techniques/T1134/002/"}, {"id": "T1134.003", "name": "Make and Impersonate Token", "reference": "https://attack.mitre.org/techniques/T1134/003/"}]}]}], "type": "eql", "version": 7}, "id": "42eeee3d-947f-46d3-a14d-7036b962c266_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_8.json b/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_8.json deleted file mode 100644 index 98bb3c7f87c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Process Creation via Secondary Logon", "query": "sequence by winlog.computer_name with maxspan=1m\n\n[authentication where event.action:\"logged-in\" and\n event.outcome == \"success\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and\n\n /* seclogon service */\n process.name == \"svchost.exe\" and\n winlog.event_data.LogonProcessName : \"seclogo*\" and source.ip == \"::1\" ] by winlog.event_data.TargetLogonId\n\n[process where event.type == \"start\"] by winlog.event_data.TargetLogonId\n", "references": ["https://attack.mitre.org/techniques/T1134/002/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.LogonProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}], "risk_score": 47, "rule_id": "42eeee3d-947f-46d3-a14d-7036b962c266", "setup": "\nAudit events 4624 and 4688 are needed to trigger this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this 
rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.002", "name": "Create Process with Token", "reference": "https://attack.mitre.org/techniques/T1134/002/"}, {"id": "T1134.003", "name": "Make and Impersonate Token", "reference": "https://attack.mitre.org/techniques/T1134/003/"}]}]}], "type": "eql", "version": 8}, "id": "42eeee3d-947f-46d3-a14d-7036b962c266_8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_9.json b/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_9.json deleted file mode 100644 index 1248f23bdba..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/42eeee3d-947f-46d3-a14d-7036b962c266_9.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies process creation with alternate credentials. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Process Creation via Secondary Logon", "query": "sequence by winlog.computer_name with maxspan=1m\n\n[authentication where event.action:\"logged-in\" and\n event.outcome == \"success\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and\n\n /* seclogon service */\n process.name == \"svchost.exe\" and\n winlog.event_data.LogonProcessName : \"seclogo*\" and source.ip == \"::1\" ] by winlog.event_data.TargetLogonId\n\n[process where event.type == \"start\"] by winlog.event_data.TargetLogonId\n", "references": ["https://attack.mitre.org/techniques/T1134/002/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.LogonProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}], "risk_score": 47, "rule_id": "42eeee3d-947f-46d3-a14d-7036b962c266", "setup": "## Setup\n\nAudit events 4624 and 4688 are needed to trigger this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence 
for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.002", "name": "Create Process with Token", "reference": "https://attack.mitre.org/techniques/T1134/002/"}, {"id": "T1134.003", "name": "Make and Impersonate Token", "reference": "https://attack.mitre.org/techniques/T1134/003/"}]}]}], "type": "eql", "version": 9}, "id": "42eeee3d-947f-46d3-a14d-7036b962c266_9", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2.json b/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2.json
deleted file mode 100644
index eddab70425a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies an unusually high number of authentication attempts.", "false_positives": ["Security audits may trigger this alert. Conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "suspicious_login_activity", "name": "Unusual Login Activity", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}], "risk_score": 21, "rule_id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n- System\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n\n### System Integration Setup\nThe System integration allows you to collect system logs and metrics from your servers with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"system\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cSystem\u201d and select the integration to see more details about it.\n- Click \u201cAdd System\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201csystem\u201d to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).\n", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "type": "machine_learning", "version": 104}, "id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_101.json b/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_101.json
deleted file mode 100644
index 99a47d017ae..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_101.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies an unusually high number of authentication attempts.", "false_positives": ["Security audits may trigger this alert. Conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "suspicious_login_activity", "name": "Unusual Login Activity", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2", "severity": "low", "tags": ["Elastic", "Authentication", "Threat Detection", "ML", "Machine Learning", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "type": "machine_learning", "version": 101}, "id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_102.json b/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_102.json
deleted file mode 100644
index 90d8fc4abc5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies an unusually high number of authentication attempts.", "false_positives": ["Security audits may trigger this alert. Conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "suspicious_login_activity", "name": "Unusual Login Activity", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "type": "machine_learning", "version": 102}, "id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_103.json b/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_103.json
deleted file mode 100644
index f82d055cd6f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4330272b-9724-4bc6-a3ca-f1532b81e5c2_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies an unusually high number of authentication attempts.", "false_positives": ["Security audits may trigger this alert. Conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "suspicious_login_activity", "name": "Unusual Login Activity", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}], "risk_score": 21, "rule_id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "type": "machine_learning", "version": 103}, "id": "4330272b-9724-4bc6-a3ca-f1532b81e5c2_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b.json b/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b.json
deleted file mode 100644
index f4df9b55a98..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to establish persistence on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Linux User Added to Privileged Group", "note": "## Triage and analysis\n\n### Investigating Linux User User Added to Privileged Group\n\nThe `usermod`, `adduser`, and `gpasswd` commands can be used to assign user accounts to new groups in Linux-based operating systems.\n\nAttackers may add users to a privileged group in order to escalate privileges or establish persistence on a system or domain.\n\nThis rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign user accounts to a privileged group.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the user was succesfully added to the privileged group.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Retrieve information about the privileged group to which the user was added.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Adding accounts to a group is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the account that seems to be involved in malicious activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.args in (\n \"root\", \"admin\", \"wheel\", \"staff\", \"sudo\",\"disk\", \"video\", \"shadow\", \"lxc\", \"lxd\"\n) and\n(\n process.name in (\"usermod\", \"adduser\") or\n process.name == \"gpasswd\" and \n process.args in (\"-a\", \"--add\", \"-M\", \"--members\") \n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "43d6ec12-2b1c-47b5-8f35-e9de65551d3b", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "43d6ec12-2b1c-47b5-8f35-e9de65551d3b", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_1.json b/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_1.json
deleted file mode 100644
index 8a27cc0b2c6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to establish persistence on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Linux User Added to Privileged Group", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nprocess.parent.name == \"sudo\" and\nprocess.args in (\"root\", \"admin\", \"wheel\", \"staff\", \"sudo\",\n \"disk\", \"video\", \"shadow\", \"lxc\", \"lxd\") and\n(\n process.name in (\"usermod\", \"adduser\") or\n process.name == \"gpasswd\" and \n process.args in (\"-a\", \"--add\", \"-M\", \"--members\") \n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "43d6ec12-2b1c-47b5-8f35-e9de65551d3b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "43d6ec12-2b1c-47b5-8f35-e9de65551d3b_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_2.json b/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_2.json
deleted file mode 100644
index dd0eb54437b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to establish persistence on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Linux User Added to Privileged Group", "note": "## Triage and analysis\n\n### Investigating Linux User User Added to Privileged Group\n\nThe `usermod`, `adduser`, and `gpasswd` commands can be used to assign user accounts to new groups in Linux-based operating systems.\n\nAttackers may add users to a privileged group in order to escalate privileges or establish persistence on a system or domain.\n\nThis rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign user accounts to a privileged group.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the user was succesfully added to the privileged group.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Retrieve information about the privileged group to which the user was added.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Adding accounts to a group is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the account that seems to be involved in malicious activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nprocess.parent.name == \"sudo\" and\nprocess.args in (\"root\", \"admin\", \"wheel\", \"staff\", \"sudo\",\n \"disk\", \"video\", \"shadow\", \"lxc\", \"lxd\") and\n(\n process.name in (\"usermod\", \"adduser\") or\n process.name == \"gpasswd\" and \n process.args in (\"-a\", \"--add\", \"-M\", \"--members\") \n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "43d6ec12-2b1c-47b5-8f35-e9de65551d3b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "43d6ec12-2b1c-47b5-8f35-e9de65551d3b_2", "type": "security-rule"} \ No newline 
at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_3.json b/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_3.json
deleted file mode 100644
index 97ed4978228..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to establish persistence on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Linux User Added to Privileged Group", "note": "## Triage and analysis\n\n### Investigating Linux User User Added to Privileged Group\n\nThe `usermod`, `adduser`, and `gpasswd` commands can be used to assign user accounts to new groups in Linux-based operating systems.\n\nAttackers may add users to a privileged group in order to escalate privileges or establish persistence on a system or domain.\n\nThis rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign user accounts to a privileged group.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the user was succesfully added to the privileged group.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Retrieve information about the privileged group to which the user was added.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Adding accounts to a group is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the account that seems to be involved in malicious activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nprocess.parent.name == \"sudo\" and\nprocess.args in (\"root\", \"admin\", \"wheel\", \"staff\", \"sudo\",\n \"disk\", \"video\", \"shadow\", \"lxc\", \"lxd\") and\n(\n process.name in (\"usermod\", \"adduser\") or\n process.name == \"gpasswd\" and \n process.args in (\"-a\", \"--add\", \"-M\", \"--members\") \n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "43d6ec12-2b1c-47b5-8f35-e9de65551d3b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "43d6ec12-2b1c-47b5-8f35-e9de65551d3b_3", 
"type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_4.json b/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_4.json
deleted file mode 100644
index ee27340000d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to establish persistence on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Linux User Added to Privileged Group", "note": "## Triage and analysis\n\n### Investigating Linux User User Added to Privileged Group\n\nThe `usermod`, `adduser`, and `gpasswd` commands can be used to assign user accounts to new groups in Linux-based operating systems.\n\nAttackers may add users to a privileged group in order to escalate privileges or establish persistence on a system or domain.\n\nThis rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign user accounts to a privileged group.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the user was succesfully added to the privileged group.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Retrieve information about the privileged group to which the user was added.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Adding accounts to a group is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the account that seems to be involved in malicious activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nprocess.parent.name == \"sudo\" and\nprocess.args in (\"root\", \"admin\", \"wheel\", \"staff\", \"sudo\",\n \"disk\", \"video\", \"shadow\", \"lxc\", \"lxd\") and\n(\n process.name in (\"usermod\", \"adduser\") or\n process.name == \"gpasswd\" and \n process.args in (\"-a\", \"--add\", \"-M\", \"--members\") \n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "43d6ec12-2b1c-47b5-8f35-e9de65551d3b", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "43d6ec12-2b1c-47b5-8f35-e9de65551d3b_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_5.json b/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_5.json deleted file mode 100644 index 69596058cc7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to establish persistence on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Linux User Added to Privileged Group", "note": "## Triage and analysis\n\n### Investigating Linux User User Added to Privileged Group\n\nThe `usermod`, `adduser`, and `gpasswd` commands can be used to assign user accounts to new groups in Linux-based operating systems.\n\nAttackers may add users to a privileged group in order to escalate privileges or establish persistence on a system or domain.\n\nThis rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign user accounts to a privileged group.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the user was succesfully added to the privileged group.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Retrieve information about the privileged group to which the user was added.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Adding accounts to a group is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the account that seems to be involved in malicious activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nprocess.parent.name == \"sudo\" and\nprocess.args in (\"root\", \"admin\", \"wheel\", \"staff\", \"sudo\",\n \"disk\", \"video\", \"shadow\", \"lxc\", \"lxd\") and\n(\n process.name in (\"usermod\", \"adduser\") or\n process.name == \"gpasswd\" and \n process.args in (\"-a\", \"--add\", \"-M\", \"--members\") \n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "43d6ec12-2b1c-47b5-8f35-e9de65551d3b", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "43d6ec12-2b1c-47b5-8f35-e9de65551d3b_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_6.json b/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_6.json deleted file mode 100644 index c6666d4ae99..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to establish persistence on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Linux User Added to Privileged Group", "note": "## Triage and analysis\n\n### Investigating Linux User User Added to Privileged Group\n\nThe `usermod`, `adduser`, and `gpasswd` commands can be used to assign user accounts to new groups in Linux-based operating systems.\n\nAttackers may add users to a privileged group in order to escalate privileges or establish persistence on a system or domain.\n\nThis rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign user accounts to a privileged group.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the user was succesfully added to the privileged group.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Retrieve information about the privileged group to which the user was added.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Adding accounts to a group is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the account that seems to be involved in malicious activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.args in (\n \"root\", \"admin\", \"wheel\", \"staff\", \"sudo\",\"disk\", \"video\", \"shadow\", \"lxc\", \"lxd\"\n) and\n(\n process.name in (\"usermod\", \"adduser\") or\n process.name == \"gpasswd\" and \n process.args in (\"-a\", \"--add\", \"-M\", \"--members\") \n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "43d6ec12-2b1c-47b5-8f35-e9de65551d3b", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "43d6ec12-2b1c-47b5-8f35-e9de65551d3b_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_7.json b/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_7.json deleted file mode 100644 index b30c6ca2782..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/43d6ec12-2b1c-47b5-8f35-e9de65551d3b_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to add a user to a privileged group. Attackers may add users to a privileged group in order to establish persistence on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Linux User Added to Privileged Group", "note": "## Triage and analysis\n\n### Investigating Linux User User Added to Privileged Group\n\nThe `usermod`, `adduser`, and `gpasswd` commands can be used to assign user accounts to new groups in Linux-based operating systems.\n\nAttackers may add users to a privileged group in order to escalate privileges or establish persistence on a system or domain.\n\nThis rule identifies the usages of `usermod`, `adduser` and `gpasswd` to assign user accounts to a privileged group.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the user was succesfully added to the privileged group.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Retrieve information about the privileged group to which the user was added.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Adding accounts to a group is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the account that seems to be involved in malicious activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.args in (\n \"root\", \"admin\", \"wheel\", \"staff\", \"sudo\",\"disk\", \"video\", \"shadow\", \"lxc\", \"lxd\"\n) and\n(\n process.name in (\"usermod\", \"adduser\") or\n process.name == \"gpasswd\" and \n process.args in (\"-a\", \"--add\", \"-M\", \"--members\") \n)\n", "references": ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "43d6ec12-2b1c-47b5-8f35-e9de65551d3b", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "43d6ec12-2b1c-47b5-8f35-e9de65551d3b_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde.json b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde.json deleted file mode 100644 index 7fe2d177499..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Startup Persistence by a Suspicious Process", "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. Before the further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n process.name : (\"cmd.exe\",\n \"powershell.exe\",\n \"wmic.exe\",\n \"mshta.exe\",\n \"pwsh.exe\",\n \"cscript.exe\",\n \"wscript.exe\",\n \"regsvr32.exe\",\n \"RegAsm.exe\",\n \"rundll32.exe\",\n \"EQNEDT32.EXE\",\n \"WINWORD.EXE\",\n \"EXCEL.EXE\",\n \"POWERPNT.EXE\",\n \"MSPUB.EXE\",\n \"MSACCESS.EXE\",\n \"iexplore.exe\",\n \"InstallUtil.exe\")\n", "references": ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "440e2db4-bc7f-4c96-a068-65b78da59bde", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and 
default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "440e2db4-bc7f-4c96-a068-65b78da59bde", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_104.json b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_104.json deleted file mode 100644 index e4f63ee7ca6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Startup Persistence by a Suspicious Process", "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. 
Before the further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n process.name : (\"cmd.exe\",\n \"powershell.exe\",\n \"wmic.exe\",\n \"mshta.exe\",\n \"pwsh.exe\",\n \"cscript.exe\",\n \"wscript.exe\",\n \"regsvr32.exe\",\n \"RegAsm.exe\",\n \"rundll32.exe\",\n \"EQNEDT32.EXE\",\n \"WINWORD.EXE\",\n \"EXCEL.EXE\",\n \"POWERPNT.EXE\",\n \"MSPUB.EXE\",\n \"MSACCESS.EXE\",\n \"iexplore.exe\",\n \"InstallUtil.exe\")\n", "references": ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "440e2db4-bc7f-4c96-a068-65b78da59bde", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": 
"medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "440e2db4-bc7f-4c96-a068-65b78da59bde_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_105.json b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_105.json deleted file mode 100644 index c063920235b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Startup Persistence by a Suspicious Process", "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. Before the further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n process.name : (\"cmd.exe\",\n \"powershell.exe\",\n \"wmic.exe\",\n \"mshta.exe\",\n \"pwsh.exe\",\n \"cscript.exe\",\n \"wscript.exe\",\n \"regsvr32.exe\",\n \"RegAsm.exe\",\n \"rundll32.exe\",\n \"EQNEDT32.EXE\",\n \"WINWORD.EXE\",\n \"EXCEL.EXE\",\n \"POWERPNT.EXE\",\n \"MSPUB.EXE\",\n \"MSACCESS.EXE\",\n \"iexplore.exe\",\n \"InstallUtil.exe\")\n", "references": ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "440e2db4-bc7f-4c96-a068-65b78da59bde", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default 
fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "440e2db4-bc7f-4c96-a068-65b78da59bde_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_106.json b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_106.json
deleted file mode 100644
index 95253f78c00..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Startup Persistence by a Suspicious Process", "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. Before the further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n process.name : (\"cmd.exe\",\n \"powershell.exe\",\n \"wmic.exe\",\n \"mshta.exe\",\n \"pwsh.exe\",\n \"cscript.exe\",\n \"wscript.exe\",\n \"regsvr32.exe\",\n \"RegAsm.exe\",\n \"rundll32.exe\",\n \"EQNEDT32.EXE\",\n \"WINWORD.EXE\",\n \"EXCEL.EXE\",\n \"POWERPNT.EXE\",\n \"MSPUB.EXE\",\n \"MSACCESS.EXE\",\n \"iexplore.exe\",\n \"InstallUtil.exe\")\n", "references": ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "440e2db4-bc7f-4c96-a068-65b78da59bde", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default 
fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "440e2db4-bc7f-4c96-a068-65b78da59bde_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_107.json b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_107.json
deleted file mode 100644
index 36f119e21c9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Startup Persistence by a Suspicious Process", "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. Before the further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n process.name : (\"cmd.exe\",\n \"powershell.exe\",\n \"wmic.exe\",\n \"mshta.exe\",\n \"pwsh.exe\",\n \"cscript.exe\",\n \"wscript.exe\",\n \"regsvr32.exe\",\n \"RegAsm.exe\",\n \"rundll32.exe\",\n \"EQNEDT32.EXE\",\n \"WINWORD.EXE\",\n \"EXCEL.EXE\",\n \"POWERPNT.EXE\",\n \"MSPUB.EXE\",\n \"MSACCESS.EXE\",\n \"iexplore.exe\",\n \"InstallUtil.exe\")\n", "references": ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "440e2db4-bc7f-4c96-a068-65b78da59bde", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default 
fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "440e2db4-bc7f-4c96-a068-65b78da59bde_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_108.json b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_108.json
deleted file mode 100644
index 440ef3b9f8c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Startup Persistence by a Suspicious Process", "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. Before the further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n process.name : (\"cmd.exe\",\n \"powershell.exe\",\n \"wmic.exe\",\n \"mshta.exe\",\n \"pwsh.exe\",\n \"cscript.exe\",\n \"wscript.exe\",\n \"regsvr32.exe\",\n \"RegAsm.exe\",\n \"rundll32.exe\",\n \"EQNEDT32.EXE\",\n \"WINWORD.EXE\",\n \"EXCEL.EXE\",\n \"POWERPNT.EXE\",\n \"MSPUB.EXE\",\n \"MSACCESS.EXE\",\n \"iexplore.exe\",\n \"InstallUtil.exe\")\n", "references": ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "440e2db4-bc7f-4c96-a068-65b78da59bde", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default 
fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "440e2db4-bc7f-4c96-a068-65b78da59bde_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_109.json b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_109.json
deleted file mode 100644
index 0f2fab43fbb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Startup Persistence by a Suspicious Process", "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. Before the further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n process.name : (\"cmd.exe\",\n \"powershell.exe\",\n \"wmic.exe\",\n \"mshta.exe\",\n \"pwsh.exe\",\n \"cscript.exe\",\n \"wscript.exe\",\n \"regsvr32.exe\",\n \"RegAsm.exe\",\n \"rundll32.exe\",\n \"EQNEDT32.EXE\",\n \"WINWORD.EXE\",\n \"EXCEL.EXE\",\n \"POWERPNT.EXE\",\n \"MSPUB.EXE\",\n \"MSACCESS.EXE\",\n \"iexplore.exe\",\n \"InstallUtil.exe\")\n", "references": ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "440e2db4-bc7f-4c96-a068-65b78da59bde", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and 
default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "440e2db4-bc7f-4c96-a068-65b78da59bde_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_110.json b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_110.json
deleted file mode 100644
index 3ccd5876617..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Startup Persistence by a Suspicious Process", "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. Before the further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n process.name : (\"cmd.exe\",\n \"powershell.exe\",\n \"wmic.exe\",\n \"mshta.exe\",\n \"pwsh.exe\",\n \"cscript.exe\",\n \"wscript.exe\",\n \"regsvr32.exe\",\n \"RegAsm.exe\",\n \"rundll32.exe\",\n \"EQNEDT32.EXE\",\n \"WINWORD.EXE\",\n \"EXCEL.EXE\",\n \"POWERPNT.EXE\",\n \"MSPUB.EXE\",\n \"MSACCESS.EXE\",\n \"iexplore.exe\",\n \"InstallUtil.exe\")\n", "references": ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "440e2db4-bc7f-4c96-a068-65b78da59bde", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and 
default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "440e2db4-bc7f-4c96-a068-65b78da59bde_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_111.json b/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_111.json deleted file mode 100644 index ced35c794eb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/440e2db4-bc7f-4c96-a068-65b78da59bde_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies files written to or modified in the startup folder by commonly abused processes. Adversaries may use this technique to maintain persistence.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Startup Persistence by a Suspicious Process", "note": "## Triage and analysis\n\n### Investigating Startup Persistence by a Suspicious Process\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule monitors for commonly abused processes writing to the Startup folder locations.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Administrators may add programs to this mechanism via command-line shells. Before the further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n user.domain != \"NT AUTHORITY\" and\n file.path : (\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\") and\n process.name : (\"cmd.exe\",\n \"powershell.exe\",\n \"wmic.exe\",\n \"mshta.exe\",\n \"pwsh.exe\",\n \"cscript.exe\",\n \"wscript.exe\",\n \"regsvr32.exe\",\n \"RegAsm.exe\",\n \"rundll32.exe\",\n \"EQNEDT32.EXE\",\n \"WINWORD.EXE\",\n \"EXCEL.EXE\",\n \"POWERPNT.EXE\",\n \"MSPUB.EXE\",\n \"MSACCESS.EXE\",\n \"iexplore.exe\",\n \"InstallUtil.exe\")\n", "references": ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1", "https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "440e2db4-bc7f-4c96-a068-65b78da59bde", "setup": "## Setup\n\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "440e2db4-bc7f-4c96-a068-65b78da59bde_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5.json b/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5.json deleted file mode 100644 index 01bc302f569..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies processes started from atypical folders in the file system, which might indicate malware execution or persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware.", "false_positives": ["A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert. Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_path_activity"], "name": "Unusual Windows Path Activity", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "445a342e-03fb-42d0-8656-0367eb2dead5", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": 
"T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "type": "machine_learning", "version": 105}, "id": "445a342e-03fb-42d0-8656-0367eb2dead5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_102.json b/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_102.json deleted file mode 100644 index f1234c7517e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies processes started from atypical folders in the file system, which might indicate malware execution or persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware.", "false_positives": ["A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert. Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_path_activity"], "name": "Unusual Windows Path Activity", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "445a342e-03fb-42d0-8656-0367eb2dead5", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Persistence", "Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": 
"https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "type": "machine_learning", "version": 102}, "id": "445a342e-03fb-42d0-8656-0367eb2dead5_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_103.json b/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_103.json deleted file mode 100644 index e2f79c8d772..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies processes started from atypical folders in the file system, which might indicate malware execution or persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware.", "false_positives": ["A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert. Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_path_activity"], "name": "Unusual Windows Path Activity", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "445a342e-03fb-42d0-8656-0367eb2dead5", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", 
"reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "type": "machine_learning", "version": 103}, "id": "445a342e-03fb-42d0-8656-0367eb2dead5_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_104.json b/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_104.json deleted file mode 100644 index 0edf4ec031e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies processes started from atypical folders in the file system, which might indicate malware execution or persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware.", "false_positives": ["A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert. Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_path_activity"], "name": "Unusual Windows Path Activity", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "445a342e-03fb-42d0-8656-0367eb2dead5", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": 
"Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "type": "machine_learning", "version": 104}, "id": "445a342e-03fb-42d0-8656-0367eb2dead5_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_105.json b/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_105.json deleted file mode 100644 index 39b20fb81c2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies processes started from atypical folders in the file system, which might indicate malware execution or persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware.", "false_positives": ["A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert. Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_path_activity"], "name": "Unusual Windows Path Activity", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "445a342e-03fb-42d0-8656-0367eb2dead5", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": 
"T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "type": "machine_learning", "version": 105}, "id": "445a342e-03fb-42d0-8656-0367eb2dead5_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_106.json b/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_106.json
deleted file mode 100644
index 81a8f23f81a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/445a342e-03fb-42d0-8656-0367eb2dead5_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies processes started from atypical folders in the file system, which might indicate malware execution or persistence mechanisms. In corporate Windows environments, software installation is centrally managed and it is unusual for programs to be executed from user or temporary directories. Processes executed from these locations can denote that a user downloaded software directly from the Internet or a malicious script or macro executed malware.", "false_positives": ["A new and unusual program or artifact download in the course of software upgrades, debugging, or troubleshooting could trigger this alert. Users downloading and running programs from unusual locations, such as temporary directories, browser caches, or profile paths could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_path_activity"], "name": "Unusual Windows Path Activity", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "445a342e-03fb-42d0-8656-0367eb2dead5", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": 
"T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "type": "machine_learning", "version": 106}, "id": "445a342e-03fb-42d0-8656-0367eb2dead5_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4494c14f-5ff8-4ed2-8e99-bf816a1642fc.json b/packages/security_detection_engine/kibana/security_rule/4494c14f-5ff8-4ed2-8e99-bf816a1642fc.json
deleted file mode 100644
index 22d29d95621..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4494c14f-5ff8-4ed2-8e99-bf816a1642fc.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies instances of VLC-related DLLs which are not signed by the original developer. Attackers may name their payload as legitimate applications to blend into the environment, or embedding its malicious code within legitimate applications to deceive machine learning algorithms by incorporating authentic and benign code.", "from": "now-9m", "index": ["logs-endpoint.events.library-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as VLC DLL", "query": "library where host.os.type == \"windows\" and event.action == \"load\" and\n dll.name : (\"libvlc.dll\", \"libvlccore.dll\", \"axvlc.dll\") and\n not (\n dll.code_signature.subject_name : (\"VideoLAN\", \"716F2E5E-A03A-486B-BC67-9B18474B9D51\")\n and dll.code_signature.trusted == true\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "4494c14f-5ff8-4ed2-8e99-bf816a1642fc", "severity": "low", "tags": ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}, {"id": "T1036.005", "name": 
"Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Host Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "4494c14f-5ff8-4ed2-8e99-bf816a1642fc", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4494c14f-5ff8-4ed2-8e99-bf816a1642fc_1.json b/packages/security_detection_engine/kibana/security_rule/4494c14f-5ff8-4ed2-8e99-bf816a1642fc_1.json
deleted file mode 100644
index c77cdce08cb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4494c14f-5ff8-4ed2-8e99-bf816a1642fc_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies instances of VLC-related DLLs which are not signed by the original developer. Attackers may name their payload as legitimate applications to blend into the environment, or embedding its malicious code within legitimate applications to deceive machine learning algorithms by incorporating authentic and benign code.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as VLC DLL", "query": "library where host.os.type == \"windows\" and event.action == \"load\" and\n dll.name : (\"libvlc.dll\", \"libvlccore.dll\", \"axvlc.dll\") and\n not (\n dll.code_signature.subject_name : (\"VideoLAN\", \"716F2E5E-A03A-486B-BC67-9B18474B9D51\")\n and dll.code_signature.trusted == true\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "4494c14f-5ff8-4ed2-8e99-bf816a1642fc", "severity": "low", "tags": ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "4494c14f-5ff8-4ed2-8e99-bf816a1642fc_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/4494c14f-5ff8-4ed2-8e99-bf816a1642fc_2.json b/packages/security_detection_engine/kibana/security_rule/4494c14f-5ff8-4ed2-8e99-bf816a1642fc_2.json
deleted file mode 100644
index 1a4bf08e58a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4494c14f-5ff8-4ed2-8e99-bf816a1642fc_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies instances of VLC-related DLLs which are not signed by the original developer. Attackers may name their payload as legitimate applications to blend into the environment, or embedding its malicious code within legitimate applications to deceive machine learning algorithms by incorporating authentic and benign code.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as VLC DLL", "query": "library where host.os.type == \"windows\" and event.action == \"load\" and\n dll.name : (\"libvlc.dll\", \"libvlccore.dll\", \"axvlc.dll\") and\n not (\n dll.code_signature.subject_name : (\"VideoLAN\", \"716F2E5E-A03A-486B-BC67-9B18474B9D51\")\n and dll.code_signature.trusted == true\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "4494c14f-5ff8-4ed2-8e99-bf816a1642fc", "severity": "low", "tags": ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}, {"id": "T1036.005", "name": "Match 
Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "4494c14f-5ff8-4ed2-8e99-bf816a1642fc_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4494c14f-5ff8-4ed2-8e99-bf816a1642fc_3.json b/packages/security_detection_engine/kibana/security_rule/4494c14f-5ff8-4ed2-8e99-bf816a1642fc_3.json
deleted file mode 100644
index ce67e65f85f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4494c14f-5ff8-4ed2-8e99-bf816a1642fc_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies instances of VLC-related DLLs which are not signed by the original developer. Attackers may name their payload as legitimate applications to blend into the environment, or embedding its malicious code within legitimate applications to deceive machine learning algorithms by incorporating authentic and benign code.", "from": "now-9m", "index": ["logs-endpoint.events.library-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as VLC DLL", "query": "library where host.os.type == \"windows\" and event.action == \"load\" and\n dll.name : (\"libvlc.dll\", \"libvlccore.dll\", \"axvlc.dll\") and\n not (\n dll.code_signature.subject_name : (\"VideoLAN\", \"716F2E5E-A03A-486B-BC67-9B18474B9D51\")\n and dll.code_signature.trusted == true\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "4494c14f-5ff8-4ed2-8e99-bf816a1642fc", "severity": "low", "tags": ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}, {"id": "T1036.005", "name": 
"Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "4494c14f-5ff8-4ed2-8e99-bf816a1642fc_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96.json b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96.json
deleted file mode 100644
index efda8e4b832..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Multiple Vault Web Credentials Read", "query": "sequence by winlog.computer_name, winlog.process.pid with maxspan=1s\n\n /* 2 consecutive vault reads from same pid for web creds */\n\n [any where event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" and winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and \n not winlog.event_data.Resource : \"http://localhost/\"]\n\n [any where event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" and winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and \n not winlog.event_data.Resource : \"http://localhost/\"]\n", "references": ["https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Resource", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SchemaFriendlyName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": 
"winlog.process.pid", "type": "long"}], "risk_score": 47, "rule_id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.004", "name": "Windows Credential Manager", "reference": "https://attack.mitre.org/techniques/T1555/004/"}]}]}], "type": "eql", "version": 11}, "id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_10.json b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_10.json
deleted file mode 100644
index 3cd5f51595d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_10.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Multiple Vault Web Credentials Read", "query": "sequence by winlog.computer_name, winlog.process.pid with maxspan=1s\n\n /* 2 consecutive vault reads from same pid for web creds */\n\n [any where event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" and winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and \n not winlog.event_data.Resource : \"http://localhost/\"]\n\n [any where event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" and winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and \n not winlog.event_data.Resource : \"http://localhost/\"]\n", "references": ["https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Resource", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SchemaFriendlyName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": 
"winlog.process.pid", "type": "long"}], "risk_score": 47, "rule_id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.004", "name": "Windows Credential Manager", "reference": "https://attack.mitre.org/techniques/T1555/004/"}]}]}], "type": "eql", "version": 10}, "id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96_10", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_11.json b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_11.json
deleted file mode 100644
index 393e5e1a4c1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_11.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Multiple Vault Web Credentials Read", "query": "sequence by winlog.computer_name, winlog.process.pid with maxspan=1s\n\n /* 2 consecutive vault reads from same pid for web creds */\n\n [any where event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" and winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and \n not winlog.event_data.Resource : \"http://localhost/\"]\n\n [any where event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" and winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and \n not winlog.event_data.Resource : \"http://localhost/\"]\n", "references": ["https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Resource", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SchemaFriendlyName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": 
"winlog.process.pid", "type": "long"}], "risk_score": 47, "rule_id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.004", "name": "Windows Credential Manager", "reference": "https://attack.mitre.org/techniques/T1555/004/"}]}]}], "type": "eql", "version": 11}, "id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96_11", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_5.json b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_5.json deleted file mode 100644 index 296f8ca456a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Multiple Vault Web Credentials Read", "note": "", "query": "sequence by winlog.computer_name, winlog.process.pid with maxspan=1s\n\n /* 2 consecutive vault reads from same pid for web creds */\n\n [any where host.os.type == \"windows\" and event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" or winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\"]\n\n [any where host.os.type == \"windows\" and event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" or winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\"]\n", "references": ["https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Resource", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SchemaFriendlyName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": 
"winlog.process.pid", "type": "long"}], "risk_score": 47, "rule_id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.004", "name": "Windows Credential Manager", "reference": "https://attack.mitre.org/techniques/T1555/004/"}]}]}], "type": "eql", "version": 5}, "id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_6.json b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_6.json deleted file mode 100644 index 5890d1762c2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Multiple Vault Web Credentials Read", "note": "", "query": "sequence by winlog.computer_name, winlog.process.pid with maxspan=1s\n\n /* 2 consecutive vault reads from same pid for web creds */\n\n [any where event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" or winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\"]\n\n [any where event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" or winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\"]\n", "references": ["https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Resource", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SchemaFriendlyName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.process.pid", "type": "long"}], "risk_score": 47, "rule_id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96", "setup": "If 
enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.004", "name": "Windows Credential Manager", "reference": "https://attack.mitre.org/techniques/T1555/004/"}]}]}], "type": "eql", "version": 6}, "id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_7.json b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_7.json deleted file mode 100644 index 72711c0b02f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Multiple Vault Web Credentials Read", "note": "", "query": "sequence by winlog.computer_name, winlog.process.pid with maxspan=1s\n\n /* 2 consecutive vault reads from same pid for web creds */\n\n [any where event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" or winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\"]\n\n [any where event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" or winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\"]\n", "references": ["https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Resource", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SchemaFriendlyName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.process.pid", "type": "long"}], "risk_score": 47, "rule_id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96", "setup": "If 
enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.004", "name": "Windows Credential Manager", "reference": "https://attack.mitre.org/techniques/T1555/004/"}]}]}], "type": "eql", "version": 7}, "id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_8.json b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_8.json deleted file mode 100644 index b0d80d3d55b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Multiple Vault Web Credentials Read", "note": "", "query": "sequence by winlog.computer_name, winlog.process.pid with maxspan=1s\n\n /* 2 consecutive vault reads from same pid for web creds */\n\n [any where event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" and winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and \n not winlog.event_data.Resource : \"http://localhost/\"]\n\n [any where event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" and winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and \n not winlog.event_data.Resource : \"http://localhost/\"]\n", "references": ["https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Resource", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SchemaFriendlyName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": 
"winlog.process.pid", "type": "long"}], "risk_score": 47, "rule_id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.004", "name": "Windows Credential Manager", "reference": "https://attack.mitre.org/techniques/T1555/004/"}]}]}], "type": "eql", "version": 8}, "id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96_8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_9.json b/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_9.json deleted file mode 100644 index 22f3ff52d9f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/44fc462c-1159-4fa8-b1b7-9b6296ab4f96_9.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Multiple Vault Web Credentials Read", "query": "sequence by winlog.computer_name, winlog.process.pid with maxspan=1s\n\n /* 2 consecutive vault reads from same pid for web creds */\n\n [any where event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" and winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and \n not winlog.event_data.Resource : \"http://localhost/\"]\n\n [any where event.code : \"5382\" and\n (winlog.event_data.SchemaFriendlyName : \"Windows Web Password Credential\" and winlog.event_data.Resource : \"http*\") and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and \n not winlog.event_data.Resource : \"http://localhost/\"]\n", "references": ["https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Resource", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SchemaFriendlyName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": 
"winlog.process.pid", "type": "long"}], "risk_score": 47, "rule_id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.004", "name": "Windows Credential Manager", "reference": "https://attack.mitre.org/techniques/T1555/004/"}]}]}], "type": "eql", "version": 9}, "id": "44fc462c-1159-4fa8-b1b7-9b6296ab4f96_9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/453183fa-f903-11ee-8e88-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/453183fa-f903-11ee-8e88-f661ea17fbce.json deleted file mode 100644 index 894a229d237..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/453183fa-f903-11ee-8e88-f661ea17fbce.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a Route53 Resolver Query Log Configuration is deleted. When a Route53 Resolver query log configuration is deleted, Resolver stops logging DNS queries and responses for the specified configuration. Adversaries may delete query log configurations to evade detection or cover their tracks.", "false_positives": ["Legitimate deletion of Route53 Resolver Query Log Configuration by authorized personnel."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Route53 Resolver Query Log Configuration Deleted", "note": "## Triage and Analysis\n\n### Investigating Route53 Resolver Query Log Configuration Deleted\n\nThis rule detects when a Route53 Resolver Query Log Configuration is deleted. Deleting these configurations stops the logging of DNS queries and responses, which can significantly impede network monitoring and compromise security visibility. Adversaries may delete these configurations to evade detection, remove evidence, or obscure their activities within a network.\n\nAdversaries target Route53 Resolver query log configurations because these logs can contain evidence of malicious domain queries or responses. 
By deleting these logs, an adversary can prevent the capture of information that could reveal unauthorized network activities, aiding in avoiding detection and thwarting incident response efforts.\n\n#### Possible Investigation Steps\n\n- **Review the Deletion Details**: Examine the CloudTrail logs to identify when and by whom the deletion was initiated.\n - Check the `event.action` and `user_identity` elements to understand the scope and authorization of the deletion.\n- **Contextualize with User Actions**: Assess whether the deletion aligns with the user\u2019s role and job responsibilities.\n - Investigate if similar modifications have occurred recently that could suggest a pattern or broader campaign.\n- **Analyze Access Patterns and Permissions**: Verify whether the user had the appropriate permissions to delete log configurations.\n - Investigate any recent permission changes that might indicate role abuse or credentials compromise.\n- **Correlate with Other Security Incidents**: Look for related security alerts or incidents that could be connected to the log deletion.\n - This includes unusual network traffic, alerts from other AWS services, or findings from intrusion detection systems.\n- **Interview the Responsible Team**: If the deletion was initiated by an internal team member, confirm their intent and authorization to ensure it was a legitimate action.\n\n### False Positive Analysis\n\n- **Legitimate Administrative Actions**: Confirm that the deletion was part of scheduled IT operations or network management activities, possibly linked to maintenance or infrastructure updates. 
Validate this action against change management records or through interviews with relevant personnel.\n\n### Response and Remediation\n\n- **Restore Logs if Feasible**: If the deletion was unauthorized, consider restoring the configuration from backups to ensure continuous visibility into DNS queries.\n- **Review and Tighten Permissions**: Ensure that only authorized personnel have the capability to delete critical configurations.\n - Adjust AWS IAM policies to reinforce security measures.\n- **Enhance Monitoring of Log Management**: Implement or enhance monitoring rules to detect and alert on unauthorized changes to logging configurations, focusing on critical deletions.\n- **Conduct Comprehensive Security Review**: If the deletion is verified as malicious, initiate a thorough security assessment to identify any further unauthorized changes or ongoing malicious activities.\n\n### Additional Information\n\nFor detailed instructions on managing Route53 Resolver and securing its configurations, refer to the [Amazon Route53 Resolver documentation](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DeleteResolverQueryLogConfig.html).\n\n", "query": "event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com\n and event.action: DeleteResolverQueryLogConfig and event.outcome: success\n", "references": ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DeleteResolverQueryLogConfig.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "453183fa-f903-11ee-8e88-f661ea17fbce", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web 
Services", "Data Source: Amazon Route53", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.008", "name": "Disable or Modify Cloud Logs", "reference": "https://attack.mitre.org/techniques/T1562/008/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "453183fa-f903-11ee-8e88-f661ea17fbce", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/453183fa-f903-11ee-8e88-f661ea17fbce_1.json b/packages/security_detection_engine/kibana/security_rule/453183fa-f903-11ee-8e88-f661ea17fbce_1.json deleted file mode 100644 index 5a82fff175c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/453183fa-f903-11ee-8e88-f661ea17fbce_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a Route53 Resolver Query Log Configuration is deleted. When a Route53 Resolver query log configuration is deleted, Resolver stops logging DNS queries and responses for the specified configuration. Adversaries may delete query log configurations to evade detection or cover their tracks.", "false_positives": ["Legitimate deletion of Route53 Resolver Query Log Configuration by authorized personnel."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Route53 Resolver Query Log Configuration Deleted", "note": "\n## Triage and Analysis\n\n### Investigating Route53 Resolver Query Log Configuration Deleted\n\nThis rule detects when a Route53 Resolver Query Log Configuration is deleted. Deleting these configurations stops the logging of DNS queries and responses, which can significantly impede network monitoring and compromise security visibility. Adversaries may delete these configurations to evade detection, remove evidence, or obscure their activities within a network.\n\nAdversaries target Route53 Resolver query log configurations because these logs can contain evidence of malicious domain queries or responses. 
By deleting these logs, an adversary can prevent the capture of information that could reveal unauthorized network activities, aiding in avoiding detection and thwarting incident response efforts.\n\n#### Possible Investigation Steps\n\n- **Review the Deletion Details**: Examine the CloudTrail logs to identify when and by whom the deletion was initiated.\n - Check the `event.action` and `user_identity` elements to understand the scope and authorization of the deletion.\n- **Contextualize with User Actions**: Assess whether the deletion aligns with the user\u2019s role and job responsibilities.\n - Investigate if similar modifications have occurred recently that could suggest a pattern or broader campaign.\n- **Analyze Access Patterns and Permissions**: Verify whether the user had the appropriate permissions to delete log configurations.\n - Investigate any recent permission changes that might indicate role abuse or credentials compromise.\n- **Correlate with Other Security Incidents**: Look for related security alerts or incidents that could be connected to the log deletion.\n - This includes unusual network traffic, alerts from other AWS services, or findings from intrusion detection systems.\n- **Interview the Responsible Team**: If the deletion was initiated by an internal team member, confirm their intent and authorization to ensure it was a legitimate action.\n\n### False Positive Analysis\n\n- **Legitimate Administrative Actions**: Confirm that the deletion was part of scheduled IT operations or network management activities, possibly linked to maintenance or infrastructure updates. 
Validate this action against change management records or through interviews with relevant personnel.\n\n### Response and Remediation\n\n- **Restore Logs if Feasible**: If the deletion was unauthorized, consider restoring the configuration from backups to ensure continuous visibility into DNS queries.\n- **Review and Tighten Permissions**: Ensure that only authorized personnel have the capability to delete critical configurations.\n - Adjust AWS IAM policies to reinforce security measures.\n- **Enhance Monitoring of Log Management**: Implement or enhance monitoring rules to detect and alert on unauthorized changes to logging configurations, focusing on critical deletions.\n- **Conduct Comprehensive Security Review**: If the deletion is verified as malicious, initiate a thorough security assessment to identify any further unauthorized changes or ongoing malicious activities.\n\n### Additional Information\n\nFor detailed instructions on managing Route53 Resolver and securing its configurations, refer to the [Amazon Route53 Resolver documentation](https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DeleteResolverQueryLogConfig.html).\n\n", "query": "event.dataset:aws.cloudtrail and event.provider: route53resolver.amazonaws.com\n and event.action: DeleteResolverQueryLogConfig and event.outcome: success\n", "references": ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_route53resolver_DeleteResolverQueryLogConfig.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "453183fa-f903-11ee-8e88-f661ea17fbce", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web 
Services", "Data Source: Amazon Route53", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.008", "name": "Disable or Modify Cloud Logs", "reference": "https://attack.mitre.org/techniques/T1562/008/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "453183fa-f903-11ee-8e88-f661ea17fbce_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b.json b/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b.json deleted file mode 100644 index 5233a5e852f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Permission Theft - Prevented - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "453f659e-0429-40b1-bfdb-b6957286e04b", "setup": "## Setup\n\nThis rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.\n\n**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. 
For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.\n\nTo make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.\n\n**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.", "severity": "medium", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "453f659e-0429-40b1-bfdb-b6957286e04b", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b_100.json b/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b_100.json deleted file mode 100644 index e39ae6a7c97..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b_100.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Permission Theft - Prevented - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "453f659e-0429-40b1-bfdb-b6957286e04b", "severity": "medium", "tags": ["Elastic", "Elastic Endgame", "Threat Detection", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "type": "query", "version": 100}, "id": "453f659e-0429-40b1-bfdb-b6957286e04b_100", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b_101.json b/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b_101.json deleted file mode 100644 index d48f18c4243..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Permission Theft - Prevented - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "453f659e-0429-40b1-bfdb-b6957286e04b", "severity": "medium", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "type": "query", "version": 101}, "id": "453f659e-0429-40b1-bfdb-b6957286e04b_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b_102.json b/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b_102.json deleted file mode 100644 index 84a8181e103..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/453f659e-0429-40b1-bfdb-b6957286e04b_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame prevented Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Permission Theft - Prevented - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "453f659e-0429-40b1-bfdb-b6957286e04b", "severity": "medium", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "453f659e-0429-40b1-bfdb-b6957286e04b_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4577ef08-61d1-4458-909f-25a4b10c87fe.json b/packages/security_detection_engine/kibana/security_rule/4577ef08-61d1-4458-909f-25a4b10c87fe.json deleted file mode 100644 index 178d8eca0f2..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/4577ef08-61d1-4458-909f-25a4b10c87fe.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an AWS RDS DB snapshot being shared with another AWS account. DB snapshots contain a full backup of an entire DB instance including sensitive data that can be abused if shared with unauthorized accounts or made public. Adversaries may use snapshots to restore a DB Instance in an environment they control as a means of data exfiltration.", "false_positives": ["DB snapshot sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action."], "from": "now-6m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "eql", "license": "Elastic License v2", "name": "AWS RDS DB Snapshot Shared with Another Account", "note": "## Triage and Analysis\n\n### Investigating AWS RDS DB Snapshot Shared with Another Account\n\nThis rule identifies when an RDS DB snapshot is shared with another AWS account. While sharing DB snapshots is a common practice, adversaries may exploit this feature to exfiltrate data by sharing snapshots with external accounts under their control.\n\n#### Possible Investigation Steps\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Sharing Event**: Identify the DB snapshot involved and review the event details. 
Look for `ModifyDBSnapshotAttribute` or `ModifyDBClusterSnapshotAttribute` actions where the snapshot attributes were changed to include additional user accounts.\n - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` fields in the CloudTrail event to identify the DB Snapshot Identifier and account ID with which the snapshot was shared.\n- **Verify the Shared Snapshot**: Check the DB snapshot that was shared and its contents to determine the sensitivity of the data stored within it.\n- **Validate External Account**: Examine the AWS account to which the snapshot was shared. Determine whether this account is known and previously authorized to access such resources.\n- **Contextualize with Recent Changes**: Compare this sharing event against recent changes in RDS DB or Cluster configurations and deployments. Look for any other recent permissions changes or unusual administrative actions.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.\n- **Interview Relevant Personnel**: If the share was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing DB backups and snapshots.\n\n### False Positive Analysis\n\n- **Legitimate Backup Actions**: Confirm if the Db snapshot sharing aligns with scheduled backups or legitimate automation tasks.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\n\n### Response and Remediation\n\n- **Immediate Review and Reversal**: If the change was unauthorized, update the snapshot permissions to remove any unauthorized accounts and restore it to its previous state.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.\n- **Audit Snapshots and Policies**: Conduct a comprehensive audit of all snapshots and associated policies to ensure they adhere to the principle of least privilege.\n- **Policy Update**: Review and possibly update your organization\u2019s policies on DB snapshot sharing to tighten control and prevent unauthorized access.\n- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery.\n\n### Additional Information:\n\nFor further guidance on managing DB backups and securing AWS environments, refer to the [AWS RDS documentation](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_CommonTasks.BackupRestore.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on DB snapshot security:\n- [AWS RDS DB Snapshot Sharing](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html)\n- [AWS RDS ModifyDBSnapshotAttribute](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBSnapshotAttribute.html)\n- [AWS RDS Snapshot Dump](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation#rds-modifydbsnapshotattribute-rds-createdbsnapshot)\n", "query": "any where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"rds.amazonaws.com\"\n and event.outcome == \"success\"\n and event.action in (\"ModifyDBSnapshotAttribute\", \"ModifyDBClusterSnapshotAttribute\") \n and stringContains(aws.cloudtrail.request_parameters, \"attributeName=restore\")\n and stringContains(aws.cloudtrail.request_parameters, \"valuesToAdd=[*]\")\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBSnapshotAttribute.html", "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html", "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation#rds-modifydbsnapshotattribute-rds-createdbsnapshot"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.request_parameters", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "4577ef08-61d1-4458-909f-25a4b10c87fe", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Resources: Investigation Guide", "Use Case: Threat Detection", "Tactic: Exfiltration"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "4577ef08-61d1-4458-909f-25a4b10c87fe", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4577ef08-61d1-4458-909f-25a4b10c87fe_1.json b/packages/security_detection_engine/kibana/security_rule/4577ef08-61d1-4458-909f-25a4b10c87fe_1.json deleted file mode 100644 index 301f8df72b8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4577ef08-61d1-4458-909f-25a4b10c87fe_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an AWS RDS DB snapshot being shared with another AWS account. DB snapshots contain a full backup of an entire DB instance including sensitive data that can be abused if shared with unauthorized accounts or made public. Adversaries may use snapshots to restore a DB Instance in an environment they control as a means of data exfiltration.", "false_positives": ["DB snapshot sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action."], "from": "now-10m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "eql", "license": "Elastic License v2", "name": "AWS RDS DB Snapshot Shared with Another Account", "note": "## Triage and Analysis\n\n### Investigating AWS RDS DB Snapshot Shared with Another Account\n\nThis rule identifies when an RDS DB snapshot is shared with another AWS account. While sharing DB snapshots is a common practice, adversaries may exploit this feature to exfiltrate data by sharing snapshots with external accounts under their control.\n\n#### Possible Investigation Steps\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Sharing Event**: Identify the DB snapshot involved and review the event details. 
Look for `ModifyDBSnapshotAttribute` or `ModifyDBClusterSnapshotAttribute` actions where the snapshot attributes were changed to include additional user accounts.\n - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` fields in the CloudTrail event to identify the DB Snapshot Identifier and account ID with which the snapshot was shared.\n- **Verify the Shared Snapshot**: Check the DB snapshot that was shared and its contents to determine the sensitivity of the data stored within it.\n- **Validate External Account**: Examine the AWS account to which the snapshot was shared. Determine whether this account is known and previously authorized to access such resources.\n- **Contextualize with Recent Changes**: Compare this sharing event against recent changes in RDS DB or Cluster configurations and deployments. Look for any other recent permissions changes or unusual administrative actions.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.\n- **Interview Relevant Personnel**: If the share was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing DB backups and snapshots.\n\n### False Positive Analysis\n\n- **Legitimate Backup Actions**: Confirm if the Db snapshot sharing aligns with scheduled backups or legitimate automation tasks.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\n\n### Response and Remediation\n\n- **Immediate Review and Reversal**: If the change was unauthorized, update the snapshot permissions to remove any unauthorized accounts and restore it to its previous state.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.\n- **Audit Snapshots and Policies**: Conduct a comprehensive audit of all snapshots and associated policies to ensure they adhere to the principle of least privilege.\n- **Policy Update**: Review and possibly update your organization\u2019s policies on DB snapshot sharing to tighten control and prevent unauthorized access.\n- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery.\n\n### Additional Information:\n\nFor further guidance on managing DB backups and securing AWS environments, refer to the [AWS RDS documentation](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_CommonTasks.BackupRestore.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on DB snapshot security:\n- [AWS RDS DB Snapshot Sharing](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html)\n- [AWS RDS ModifyDBSnapshotAttribute](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBSnapshotAttribute.html)\n- [AWS RDS Snapshot Dump](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation#rds-modifydbsnapshotattribute-rds-createdbsnapshot)\n", "query": "any where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"rds.amazonaws.com\"\n and event.outcome == \"success\"\n and event.action in (\"ModifyDBSnapshotAttribute\", \"ModifyDBClusterSnapshotAttribute\") \n and stringContains(aws.cloudtrail.request_parameters, \"attributeName=restore\")\n and stringContains(aws.cloudtrail.request_parameters, \"valuesToAdd=[*]\")\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBSnapshotAttribute.html", "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html", "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation#rds-modifydbsnapshotattribute-rds-createdbsnapshot"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.request_parameters", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "4577ef08-61d1-4458-909f-25a4b10c87fe", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Resources: Investigation Guide", "Use Case: Threat Detection", "Tactic: Exfiltration"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "4577ef08-61d1-4458-909f-25a4b10c87fe_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7.json b/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7.json deleted file mode 100644 index 6e6fee8bfd0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Anabella Cristaldi"], "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Windows Event Logs Cleared", "note": "## Triage and analysis\n\n### Investigating Windows Event Logs Cleared\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the occurrence of clear actions on the `security` event log.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. 
Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:(\"audit-log-cleared\" or \"Log clear\") and winlog.api:\"wineventlog\" and\n not winlog.provider_name:\"AD FS Auditing\"\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}, {"ecs": false, "name": "winlog.provider_name", "type": "keyword"}], "risk_score": 21, "rule_id": "45ac4800-840f-414c-b221-53dd36a5aaf7", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}]}], "timestamp_override": 
"event.ingested", "type": "query", "version": 109}, "id": "45ac4800-840f-414c-b221-53dd36a5aaf7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_105.json b/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_105.json deleted file mode 100644 index c9ca2366e0b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Anabella Cristaldi"], "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Windows Event Logs Cleared", "note": "## Triage and analysis\n\n### Investigating Windows Event Logs Cleared\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the occurrence of clear actions on the `security` event log.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. 
Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:(\"audit-log-cleared\" or \"Log clear\") and host.os.type:windows\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "45ac4800-840f-414c-b221-53dd36a5aaf7", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "45ac4800-840f-414c-b221-53dd36a5aaf7_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_106.json b/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_106.json
deleted file mode 100644
index 6e2558e42b2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Anabella Cristaldi"], "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Windows Event Logs Cleared", "note": "## Triage and analysis\n\n### Investigating Windows Event Logs Cleared\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the occurrence of clear actions on the `security` event log.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. 
Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:(\"audit-log-cleared\" or \"Log clear\") and winlog.api:\"wineventlog\"\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}], "risk_score": 21, "rule_id": "45ac4800-840f-414c-b221-53dd36a5aaf7", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "45ac4800-840f-414c-b221-53dd36a5aaf7_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_107.json b/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_107.json
deleted file mode 100644
index 951dd16c77c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Anabella Cristaldi"], "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Windows Event Logs Cleared", "note": "## Triage and analysis\n\n### Investigating Windows Event Logs Cleared\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the occurrence of clear actions on the `security` event log.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. 
Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:(\"audit-log-cleared\" or \"Log clear\") and winlog.api:\"wineventlog\"\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}], "risk_score": 21, "rule_id": "45ac4800-840f-414c-b221-53dd36a5aaf7", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "45ac4800-840f-414c-b221-53dd36a5aaf7_107", "type": "security-rule"} \ No newline at 
end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_108.json b/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_108.json
deleted file mode 100644
index 683c226cc75..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Anabella Cristaldi"], "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Windows Event Logs Cleared", "note": "## Triage and analysis\n\n### Investigating Windows Event Logs Cleared\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the occurrence of clear actions on the `security` event log.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. 
Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:(\"audit-log-cleared\" or \"Log clear\") and winlog.api:\"wineventlog\" and\n not winlog.provider_name:\"AD FS Auditing\"\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}, {"ecs": false, "name": "winlog.provider_name", "type": "keyword"}], "risk_score": 21, "rule_id": "45ac4800-840f-414c-b221-53dd36a5aaf7", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}]}], "timestamp_override": "event.ingested", "type": 
"query", "version": 108}, "id": "45ac4800-840f-414c-b221-53dd36a5aaf7_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_109.json b/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_109.json
deleted file mode 100644
index 49e052b6e8a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Anabella Cristaldi"], "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Windows Event Logs Cleared", "note": "## Triage and analysis\n\n### Investigating Windows Event Logs Cleared\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the occurrence of clear actions on the `security` event log.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. 
Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:(\"audit-log-cleared\" or \"Log clear\") and winlog.api:\"wineventlog\" and\n not winlog.provider_name:\"AD FS Auditing\"\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}, {"ecs": false, "name": "winlog.provider_name", "type": "keyword"}], "risk_score": 21, "rule_id": "45ac4800-840f-414c-b221-53dd36a5aaf7", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}]}], "timestamp_override": 
"event.ingested", "type": "query", "version": 109}, "id": "45ac4800-840f-414c-b221-53dd36a5aaf7_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_110.json b/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_110.json
deleted file mode 100644
index ce24fcbc0dc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/45ac4800-840f-414c-b221-53dd36a5aaf7_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Anabella Cristaldi"], "description": "Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Windows Event Logs Cleared", "note": "## Triage and analysis\n\n### Investigating Windows Event Logs Cleared\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the occurrence of clear actions on the `security` event log.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. 
Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:(\"audit-log-cleared\" or \"Log clear\") and winlog.api:\"wineventlog\" and\n not winlog.provider_name:\"AD FS Auditing\"\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}, {"ecs": false, "name": "winlog.provider_name", "type": "keyword"}], "risk_score": 21, "rule_id": "45ac4800-840f-414c-b221-53dd36a5aaf7", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}]}], "timestamp_override": 
"event.ingested", "type": "query", "version": 110}, "id": "45ac4800-840f-414c-b221-53dd36a5aaf7_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21.json b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21.json
deleted file mode 100644
index 067b7bda65c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Encrypting Files with WinRar or 7z", "note": "## Triage and analysis\n\n### Investigating Encrypting Files with WinRar or 7z\n\nAttackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less apparent upon inspection by a defender.\n\nThese steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the encrypted file.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the password used in the encryption was included in the command line.\n- Decrypt the `.rar`/`.zip` and check if the information is sensitive.\n- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the file names included in the encrypted file.\n- Investigate if the file was transferred to an attacker-controlled server.\n\n### False positive analysis\n\n- Backup software can use these utilities. 
Check the `process.parent.executable` and `process.parent.command_line` fields to determine what triggered the encryption.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (\n process.name:\"rar.exe\" or ?process.code_signature.subject_name == \"win.rar GmbH\" or\n ?process.pe.original_file_name == \"Command line RAR\"\n ) and\n process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"/hp*\", \"/p*\")\n ) or\n (\n ?process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n process.args == \"a\" and process.args : \"-p*\"\n )\n) and\n not process.parent.executable : (\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\ManageEngine\\\\*\\\\jre\\\\bin\\\\java.exe\",\n \"?:\\\\Nox\\\\bin\\\\Nox.exe\"\n )\n", "references": ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], 
"required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}, {"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/", "subtechnique": [{"id": "T1560.001", "name": "Archive via Utility", "reference": "https://attack.mitre.org/techniques/T1560/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "45d273fb-1dca-457d-9855-bcb302180c21", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_105.json b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_105.json
deleted file mode 100644
index fcacb1a1526..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Encrypting Files with WinRar or 7z", "note": "## Triage and analysis\n\n### Investigating Encrypting Files with WinRar or 7z\n\nAttackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less apparent upon inspection by a defender.\n\nThese steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the encrypted file.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the password used in the encryption was included in the command line.\n- Decrypt the `.rar`/`.zip` and check if the information is sensitive.\n- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the file names included in the encrypted file.\n- Investigate if the file was transferred to an attacker-controlled server.\n\n### False positive analysis\n\n- Backup software can use these utilities. 
Check the `process.parent.executable` and `process.parent.command_line` fields to determine what triggered the encryption.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name:\"rar.exe\" or process.code_signature.subject_name == \"win.rar GmbH\" or\n process.pe.original_file_name == \"Command line RAR\") and\n process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"-dw\", \"-tb\", \"-ta\", \"/hp*\", \"/p*\", \"/dw\", \"/tb\", \"/ta\"))\n\n or\n (process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n process.args == \"a\" and process.args : (\"-p*\", \"-sdel\"))\n\n /* uncomment if noisy for backup software related FPs */\n /* not process.parent.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\") */\n)\n", "references": ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], 
"required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/", "subtechnique": [{"id": "T1560.001", "name": "Archive via Utility", "reference": "https://attack.mitre.org/techniques/T1560/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "45d273fb-1dca-457d-9855-bcb302180c21_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_106.json b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_106.json
deleted file mode 100644
index dcb3e392e02..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Encrypting Files with WinRar or 7z", "note": "## Triage and analysis\n\n### Investigating Encrypting Files with WinRar or 7z\n\nAttackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less apparent upon inspection by a defender.\n\nThese steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the encrypted file.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the password used in the encryption was included in the command line.\n- Decrypt the `.rar`/`.zip` and check if the information is sensitive.\n- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the file names included in the encrypted file.\n- Investigate if the file was transferred to an attacker-controlled server.\n\n### False positive analysis\n\n- Backup software can use these utilities. 
Check the `process.parent.executable` and `process.parent.command_line` fields to determine what triggered the encryption.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name:\"rar.exe\" or process.code_signature.subject_name == \"win.rar GmbH\" or\n process.pe.original_file_name == \"Command line RAR\") and\n process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"-dw\", \"-tb\", \"-ta\", \"/hp*\", \"/p*\", \"/dw\", \"/tb\", \"/ta\"))\n\n or\n (process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n process.args == \"a\" and process.args : (\"-p*\", \"-sdel\"))\n\n /* uncomment if noisy for backup software related FPs */\n /* not process.parent.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\") */\n)\n", "references": ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], 
"required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/", "subtechnique": [{"id": "T1560.001", "name": "Archive via Utility", "reference": "https://attack.mitre.org/techniques/T1560/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "45d273fb-1dca-457d-9855-bcb302180c21_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_107.json b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_107.json deleted file mode 100644 index 506fe0dbd8f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Encrypting Files with WinRar or 7z", "note": "## Triage and analysis\n\n### Investigating Encrypting Files with WinRar or 7z\n\nAttackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less apparent upon inspection by a defender.\n\nThese steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the encrypted file.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the password used in the encryption was included in the command line.\n- Decrypt the `.rar`/`.zip` and check if the information is sensitive.\n- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the file names included in the encrypted file.\n- Investigate if the file was transferred to an attacker-controlled server.\n\n### False positive analysis\n\n- Backup software can use these utilities. 
Check the `process.parent.executable` and `process.parent.command_line` fields to determine what triggered the encryption.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name:\"rar.exe\" or process.code_signature.subject_name == \"win.rar GmbH\" or\n process.pe.original_file_name == \"Command line RAR\") and\n process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"-dw\", \"-tb\", \"-ta\", \"/hp*\", \"/p*\", \"/dw\", \"/tb\", \"/ta\"))\n\n or\n (process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n process.args == \"a\" and process.args : (\"-p*\", \"-sdel\"))\n\n /* uncomment if noisy for backup software related FPs */\n /* not process.parent.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\") */\n)\n", "references": ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], 
"required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/", "subtechnique": [{"id": "T1560.001", "name": "Archive via Utility", "reference": "https://attack.mitre.org/techniques/T1560/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "45d273fb-1dca-457d-9855-bcb302180c21_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_108.json b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_108.json deleted file mode 100644 index d4689ad6cb8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Encrypting Files with WinRar or 7z", "note": "## Triage and analysis\n\n### Investigating Encrypting Files with WinRar or 7z\n\nAttackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less apparent upon inspection by a defender.\n\nThese steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the encrypted file.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the password used in the encryption was included in the command line.\n- Decrypt the `.rar`/`.zip` and check if the information is sensitive.\n- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the file names included in the encrypted file.\n- Investigate if the file was transferred to an attacker-controlled server.\n\n### False positive analysis\n\n- Backup software can use these utilities. 
Check the `process.parent.executable` and `process.parent.command_line` fields to determine what triggered the encryption.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name:\"rar.exe\" or process.code_signature.subject_name == \"win.rar GmbH\" or\n process.pe.original_file_name == \"Command line RAR\") and\n process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"-dw\", \"-tb\", \"-ta\", \"/hp*\", \"/p*\", \"/dw\", \"/tb\", \"/ta\"))\n\n or\n (process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n process.args == \"a\" and process.args : (\"-p*\", \"-sdel\"))\n\n /* uncomment if noisy for backup software related FPs */\n /* not process.parent.executable : (\"C:\\\\Program Files\\\\*.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\") */\n)\n", "references": ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], 
"required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/", "subtechnique": [{"id": "T1560.001", "name": "Archive via Utility", "reference": "https://attack.mitre.org/techniques/T1560/001/"}]}, {"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "45d273fb-1dca-457d-9855-bcb302180c21_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_109.json b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_109.json deleted file mode 100644 index e64f8bd2b60..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Encrypting Files with WinRar or 7z", "note": "## Triage and analysis\n\n### Investigating Encrypting Files with WinRar or 7z\n\nAttackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less apparent upon inspection by a defender.\n\nThese steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the encrypted file.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the password used in the encryption was included in the command line.\n- Decrypt the `.rar`/`.zip` and check if the information is sensitive.\n- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the file names included in the encrypted file.\n- Investigate if the file was transferred to an attacker-controlled server.\n\n### False positive analysis\n\n- Backup software can use these utilities. 
Check the `process.parent.executable` and `process.parent.command_line` fields to determine what triggered the encryption.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (\n process.name:\"rar.exe\" or process.code_signature.subject_name == \"win.rar GmbH\" or\n process.pe.original_file_name == \"Command line RAR\"\n ) and\n process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"/hp*\", \"/p*\")\n ) or\n (\n process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n process.args == \"a\" and process.args : \"-p*\"\n )\n) and\n not process.parent.executable : (\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\ManageEngine\\\\*\\\\jre\\\\bin\\\\java.exe\",\n \"?:\\\\Nox\\\\bin\\\\Nox.exe\"\n )\n", "references": ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], 
"required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/", "subtechnique": [{"id": "T1560.001", "name": "Archive via Utility", "reference": "https://attack.mitre.org/techniques/T1560/001/"}]}, {"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "45d273fb-1dca-457d-9855-bcb302180c21_109", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_110.json b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_110.json
deleted file mode 100644
index ce9e95abfe3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Encrypting Files with WinRar or 7z", "note": "## Triage and analysis\n\n### Investigating Encrypting Files with WinRar or 7z\n\nAttackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less apparent upon inspection by a defender.\n\nThese steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the encrypted file.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the password used in the encryption was included in the command line.\n- Decrypt the `.rar`/`.zip` and check if the information is sensitive.\n- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the file names included in the encrypted file.\n- Investigate if the file was transferred to an attacker-controlled server.\n\n### False positive analysis\n\n- Backup software can use these utilities. 
Check the `process.parent.executable` and `process.parent.command_line` fields to determine what triggered the encryption.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (\n process.name:\"rar.exe\" or ?process.code_signature.subject_name == \"win.rar GmbH\" or\n ?process.pe.original_file_name == \"Command line RAR\"\n ) and\n process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"/hp*\", \"/p*\")\n ) or\n (\n ?process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n process.args == \"a\" and process.args : \"-p*\"\n )\n) and\n not process.parent.executable : (\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\ManageEngine\\\\*\\\\jre\\\\bin\\\\java.exe\",\n \"?:\\\\Nox\\\\bin\\\\Nox.exe\"\n )\n", "references": ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], 
"required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/", "subtechnique": [{"id": "T1560.001", "name": "Archive via Utility", "reference": "https://attack.mitre.org/techniques/T1560/001/"}]}, {"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "45d273fb-1dca-457d-9855-bcb302180c21_110", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_111.json b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_111.json
deleted file mode 100644
index 63fd3717b40..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Encrypting Files with WinRar or 7z", "note": "## Triage and analysis\n\n### Investigating Encrypting Files with WinRar or 7z\n\nAttackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less apparent upon inspection by a defender.\n\nThese steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the encrypted file.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the password used in the encryption was included in the command line.\n- Decrypt the `.rar`/`.zip` and check if the information is sensitive.\n- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the file names included in the encrypted file.\n- Investigate if the file was transferred to an attacker-controlled server.\n\n### False positive analysis\n\n- Backup software can use these utilities. 
Check the `process.parent.executable` and `process.parent.command_line` fields to determine what triggered the encryption.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (\n process.name:\"rar.exe\" or ?process.code_signature.subject_name == \"win.rar GmbH\" or\n ?process.pe.original_file_name == \"Command line RAR\"\n ) and\n process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"/hp*\", \"/p*\")\n ) or\n (\n ?process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n process.args == \"a\" and process.args : \"-p*\"\n )\n) and\n not process.parent.executable : (\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\ManageEngine\\\\*\\\\jre\\\\bin\\\\java.exe\",\n \"?:\\\\Nox\\\\bin\\\\Nox.exe\"\n )\n", "references": ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], 
"required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/", "subtechnique": [{"id": "T1560.001", "name": "Archive via Utility", "reference": "https://attack.mitre.org/techniques/T1560/001/"}]}, {"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "45d273fb-1dca-457d-9855-bcb302180c21_111", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_112.json b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_112.json
deleted file mode 100644
index 5dba1e825f8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_112.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Encrypting Files with WinRar or 7z", "note": "## Triage and analysis\n\n### Investigating Encrypting Files with WinRar or 7z\n\nAttackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less apparent upon inspection by a defender.\n\nThese steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the encrypted file.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the password used in the encryption was included in the command line.\n- Decrypt the `.rar`/`.zip` and check if the information is sensitive.\n- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the file names included in the encrypted file.\n- Investigate if the file was transferred to an attacker-controlled server.\n\n### False positive analysis\n\n- Backup software can use these utilities. 
Check the `process.parent.executable` and `process.parent.command_line` fields to determine what triggered the encryption.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (\n process.name:\"rar.exe\" or ?process.code_signature.subject_name == \"win.rar GmbH\" or\n ?process.pe.original_file_name == \"Command line RAR\"\n ) and\n process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"/hp*\", \"/p*\")\n ) or\n (\n ?process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n process.args == \"a\" and process.args : \"-p*\"\n )\n) and\n not process.parent.executable : (\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\ManageEngine\\\\*\\\\jre\\\\bin\\\\java.exe\",\n \"?:\\\\Nox\\\\bin\\\\Nox.exe\"\n )\n", "references": ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], 
"required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}, {"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/", "subtechnique": [{"id": "T1560.001", "name": "Archive via Utility", "reference": "https://attack.mitre.org/techniques/T1560/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "45d273fb-1dca-457d-9855-bcb302180c21_112", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_113.json b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_113.json
deleted file mode 100644
index d4b5513718a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_113.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Encrypting Files with WinRar or 7z", "note": "## Triage and analysis\n\n### Investigating Encrypting Files with WinRar or 7z\n\nAttackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less apparent upon inspection by a defender.\n\nThese steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the encrypted file.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the password used in the encryption was included in the command line.\n- Decrypt the `.rar`/`.zip` and check if the information is sensitive.\n- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the file names included in the encrypted file.\n- Investigate if the file was transferred to an attacker-controlled server.\n\n### False positive analysis\n\n- Backup software can use these utilities. 
Check the `process.parent.executable` and `process.parent.command_line` fields to determine what triggered the encryption.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (\n process.name:\"rar.exe\" or ?process.code_signature.subject_name == \"win.rar GmbH\" or\n ?process.pe.original_file_name == \"Command line RAR\"\n ) and\n process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"/hp*\", \"/p*\")\n ) or\n (\n ?process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n process.args == \"a\" and process.args : \"-p*\"\n )\n) and\n not process.parent.executable : (\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\ManageEngine\\\\*\\\\jre\\\\bin\\\\java.exe\",\n \"?:\\\\Nox\\\\bin\\\\Nox.exe\"\n )\n", "references": ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/", "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"], "related_integrations": 
[{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}, {"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/", "subtechnique": [{"id": "T1560.001", "name": "Archive via Utility", "reference": "https://attack.mitre.org/techniques/T1560/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "45d273fb-1dca-457d-9855-bcb302180c21_113", 
"type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_213.json b/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_213.json
deleted file mode 100644
index ed8b2c1cc9a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/45d273fb-1dca-457d-9855-bcb302180c21_213.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of WinRar or 7z to create an encrypted files. Adversaries will often compress and encrypt data in preparation for exfiltration.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Encrypting Files with WinRar or 7z", "note": "## Triage and analysis\n\n### Investigating Encrypting Files with WinRar or 7z\n\nAttackers may compress and/or encrypt data collected before exfiltration. Compressing the data can help obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less apparent upon inspection by a defender.\n\nThese steps are usually done in preparation for exfiltration, meaning the attack may be in its final stages.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the encrypted file.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the password used in the encryption was included in the command line.\n- Decrypt the `.rar`/`.zip` and check if the information is sensitive.\n- If the password is not available, and the format is `.zip` or the option used in WinRAR is not the `-hp`, list the file names included in the encrypted file.\n- Investigate if the file was transferred to an attacker-controlled server.\n\n### False positive analysis\n\n- Backup software can use these utilities. 
Check the `process.parent.executable` and `process.parent.command_line` fields to determine what triggered the encryption.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (\n process.name:\"rar.exe\" or ?process.code_signature.subject_name == \"win.rar GmbH\" or\n ?process.pe.original_file_name == \"Command line RAR\"\n ) and\n process.args == \"a\" and process.args : (\"-hp*\", \"-p*\", \"/hp*\", \"/p*\")\n ) or\n (\n ?process.pe.original_file_name in (\"7z.exe\", \"7za.exe\") and\n process.args == \"a\" and process.args : \"-p*\"\n )\n) and\n not process.parent.executable : (\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\ManageEngine\\\\*\\\\jre\\\\bin\\\\java.exe\",\n \"?:\\\\Nox\\\\bin\\\\Nox.exe\"\n )\n", "references": ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/", "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"], "related_integrations": 
[{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "45d273fb-1dca-457d-9855-bcb302180c21", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}, {"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/", "subtechnique": [{"id": "T1560.001", "name": "Archive via Utility", "reference": "https://attack.mitre.org/techniques/T1560/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 213}, "id": "45d273fb-1dca-457d-9855-bcb302180c21_213", 
"type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db.json b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db.json
deleted file mode 100644
index 7a9ba311de1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Adding Hidden File Attribute via Attrib", "note": "## Triage and analysis\n\n### Investigating Adding Hidden File Attribute via Attrib\n\nThe `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. \n\nAttackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it.\n\nThis rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the target file or folder.\n - Examine the file, which process created it, header, etc.\n - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"attrib.exe\" or ?process.pe.original_file_name == \"ATTRIB.EXE\") and process.args : \"+h\" and\n not (process.parent.name: \"cmd.exe\" and process.command_line: \"attrib +R +H +S +A *.cui\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/", "subtechnique": [{"id": "T1222.001", "name": 
"Windows File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/001/"}]}, {"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "4630d948-40d4-4cef-ac69-4002e29bc3db", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_104.json b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_104.json
deleted file mode 100644
index 2bafdfa03ce..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Adding Hidden File Attribute via Attrib", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"attrib.exe\" and process.args : \"+h\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timeline_id": 
"e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "4630d948-40d4-4cef-ac69-4002e29bc3db_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_105.json b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_105.json
deleted file mode 100644
index e452dfbf6a9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Adding Hidden File Attribute via Attrib", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"attrib.exe\" or process.pe.original_file_name == \"ATTRIB.EXE\") and process.args : \"+h\" and\n not\n (process.parent.name: \"cmd.exe\" and\n process.command_line: \"attrib +R +H +S +A *.cui\" and\n process.parent.command_line: \"?:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \\\"?:\\\\WINDOWS\\\\system32\\\\*.bat\\\"\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "4630d948-40d4-4cef-ac69-4002e29bc3db_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_106.json b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_106.json
deleted file mode 100644
index f219b386f53..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Adding Hidden File Attribute via Attrib", "note": "## Triage and analysis\n\n### Investigating Adding Hidden File Attribute via Attrib\n\nThe `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. \n\nAttackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it.\n\nThis rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the target file or folder.\n - Examine the file, which process created it, header, etc.\n - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"attrib.exe\" or process.pe.original_file_name == \"ATTRIB.EXE\") and process.args : \"+h\" and\n not\n (process.parent.name: \"cmd.exe\" and\n process.command_line: \"attrib +R +H +S +A *.cui\" and\n process.parent.command_line: \"?:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \\\"?:\\\\WINDOWS\\\\system32\\\\*.bat\\\"\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", 
"name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "4630d948-40d4-4cef-ac69-4002e29bc3db_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_107.json b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_107.json
deleted file mode 100644
index 50a6caf5442..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Adding Hidden File Attribute via Attrib", "note": "## Triage and analysis\n\n### Investigating Adding Hidden File Attribute via Attrib\n\nThe `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. \n\nAttackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it.\n\nThis rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the target file or folder.\n - Examine the file, which process created it, header, etc.\n - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"attrib.exe\" or process.pe.original_file_name == \"ATTRIB.EXE\") and process.args : \"+h\" and\n not\n (process.parent.name: \"cmd.exe\" and\n process.command_line: \"attrib +R +H +S +A *.cui\" and\n process.parent.command_line: \"?:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \\\"?:\\\\WINDOWS\\\\system32\\\\*.bat\\\"\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": 
"https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "4630d948-40d4-4cef-ac69-4002e29bc3db_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_108.json b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_108.json
deleted file mode 100644
index 3349a1cfebe..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Adding Hidden File Attribute via Attrib", "note": "## Triage and analysis\n\n### Investigating Adding Hidden File Attribute via Attrib\n\nThe `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. \n\nAttackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it.\n\nThis rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the target file or folder.\n - Examine the file, which process created it, header, etc.\n - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"attrib.exe\" or process.pe.original_file_name == \"ATTRIB.EXE\") and process.args : \"+h\" and\n not\n (process.parent.name: \"cmd.exe\" and\n process.command_line: \"attrib +R +H +S +A *.cui\" and\n process.parent.command_line: \"?:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \\\"?:\\\\WINDOWS\\\\system32\\\\*.bat\\\"\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": 
"https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "4630d948-40d4-4cef-ac69-4002e29bc3db_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_109.json b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_109.json
deleted file mode 100644
index 8da169bf59c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Adding Hidden File Attribute via Attrib", "note": "## Triage and analysis\n\n### Investigating Adding Hidden File Attribute via Attrib\n\nThe `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. \n\nAttackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it.\n\nThis rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the target file or folder.\n - Examine the file, which process created it, header, etc.\n - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"attrib.exe\" or process.pe.original_file_name == \"ATTRIB.EXE\") and process.args : \"+h\" and\n not\n (process.parent.name: \"cmd.exe\" and\n process.command_line: \"attrib +R +H +S +A *.cui\" and\n process.parent.command_line: \"?:\\\\WINDOWS\\\\system32\\\\cmd.exe /c \\\"?:\\\\WINDOWS\\\\system32\\\\*.bat\\\"\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", 
"reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}, {"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/", "subtechnique": [{"id": "T1222.001", "name": "Windows File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "4630d948-40d4-4cef-ac69-4002e29bc3db_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_110.json b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_110.json deleted file mode 100644 index 76235a02db1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_110.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Adding Hidden File Attribute via Attrib", "note": "## Triage and analysis\n\n### Investigating Adding Hidden File Attribute via Attrib\n\nThe `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. \n\nAttackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it.\n\nThis rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the target file or folder.\n - Examine the file, which process created it, header, etc.\n - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"attrib.exe\" or ?process.pe.original_file_name == \"ATTRIB.EXE\") and process.args : \"+h\" and\n not (process.parent.name: \"cmd.exe\" and process.command_line: \"attrib +R +H +S +A *.cui\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": 
"https://attack.mitre.org/techniques/T1564/001/"}]}, {"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/", "subtechnique": [{"id": "T1222.001", "name": "Windows File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "4630d948-40d4-4cef-ac69-4002e29bc3db_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_111.json b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_111.json deleted file mode 100644 index f8ca290cd5f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_111.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Adding Hidden File Attribute via Attrib", "note": "## Triage and analysis\n\n### Investigating Adding Hidden File Attribute via Attrib\n\nThe `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. \n\nAttackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it.\n\nThis rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the target file or folder.\n - Examine the file, which process created it, header, etc.\n - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"attrib.exe\" or ?process.pe.original_file_name == \"ATTRIB.EXE\") and process.args : \"+h\" and\n not (process.parent.name: \"cmd.exe\" and process.command_line: \"attrib +R +H +S +A *.cui\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": 
"https://attack.mitre.org/techniques/T1564/001/"}]}, {"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/", "subtechnique": [{"id": "T1222.001", "name": "Windows File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "4630d948-40d4-4cef-ac69-4002e29bc3db_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_112.json b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_112.json deleted file mode 100644 index 7016bb39174..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_112.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Adding Hidden File Attribute via Attrib", "note": "## Triage and analysis\n\n### Investigating Adding Hidden File Attribute via Attrib\n\nThe `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. \n\nAttackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it.\n\nThis rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the target file or folder.\n - Examine the file, which process created it, header, etc.\n - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"attrib.exe\" or ?process.pe.original_file_name == \"ATTRIB.EXE\") and process.args : \"+h\" and\n not (process.parent.name: \"cmd.exe\" and process.command_line: \"attrib +R +H +S +A *.cui\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/", "subtechnique": [{"id": "T1222.001", "name": "Windows File and 
Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/001/"}]}, {"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "4630d948-40d4-4cef-ac69-4002e29bc3db_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_113.json b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_113.json deleted file mode 100644 index a4ff2ba31d5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_113.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Adding Hidden File Attribute via Attrib", "note": "## Triage and analysis\n\n### Investigating Adding Hidden File Attribute via Attrib\n\nThe `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. \n\nAttackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it.\n\nThis rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the target file or folder.\n - Examine the file, which process created it, header, etc.\n - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"attrib.exe\" or ?process.pe.original_file_name == \"ATTRIB.EXE\") and process.args : \"+h\" and\n not (process.parent.name: \"cmd.exe\" and process.command_line: \"attrib +R +H +S +A *.cui\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/", "subtechnique": [{"id": "T1222.001", "name": 
"Windows File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/001/"}]}, {"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "4630d948-40d4-4cef-ac69-4002e29bc3db_113", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_313.json b/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_313.json
deleted file mode 100644
index eda6ce0d2d5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4630d948-40d4-4cef-ac69-4002e29bc3db_313.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Adding Hidden File Attribute via Attrib", "note": "## Triage and analysis\n\n### Investigating Adding Hidden File Attribute via Attrib\n\nThe `Hidden` attribute is a file or folder attribute that makes the file or folder invisible to regular directory listings when the attribute is set. \n\nAttackers can use this attribute to conceal tooling and malware to prevent administrators and users from finding it, even if they are looking specifically for it.\n\nThis rule looks for the execution of the `attrib.exe` utility with a command line that indicates the modification of the `Hidden` attribute.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the target file or folder.\n - Examine the file, which process created it, header, etc.\n - If suspicious, retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"attrib.exe\" or ?process.pe.original_file_name == \"ATTRIB.EXE\") and process.args : \"+h\" and\n not (process.parent.name: \"cmd.exe\" and process.command_line: \"attrib +R +H +S +A *.cui\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "4630d948-40d4-4cef-ac69-4002e29bc3db", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/", "subtechnique": [{"id": "T1222.001", "name": "Windows File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/001/"}]}, {"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 313}, "id": "4630d948-40d4-4cef-ac69-4002e29bc3db_313", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6.json b/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6.json
deleted file mode 100644
index add68b1048b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target. An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Local NTLM Relay via HTTP", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"rundll32.exe\" and\n\n /* Rundll32 WbeDav Client */\n process.args : (\"?:\\\\Windows\\\\System32\\\\davclnt.dll,DavSetCookie\", \"?:\\\\Windows\\\\SysWOW64\\\\davclnt.dll,DavSetCookie\") and\n\n /* Access to named pipe via http */\n process.args : (\"http*/print/pipe/*\", \"http*/pipe/spoolss\", \"http*/pipe/srvsvc\")\n", "references": ["https://github.com/med0x2e/NTLMRelay2Self", "https://github.com/topotam/PetitPotam", "https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "4682fd2c-cfae-47ed-a543-9bed37657aa6", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": 
"T1212", "name": "Exploitation for Credential Access", "reference": "https://attack.mitre.org/techniques/T1212/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "4682fd2c-cfae-47ed-a543-9bed37657aa6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_104.json b/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_104.json
deleted file mode 100644
index 1efb4f13369..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target. An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Local NTLM Relay via HTTP", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"rundll32.exe\" and\n\n /* Rundll32 WbeDav Client */\n process.args : (\"?:\\\\Windows\\\\System32\\\\davclnt.dll,DavSetCookie\", \"?:\\\\Windows\\\\SysWOW64\\\\davclnt.dll,DavSetCookie\") and\n\n /* Access to named pipe via http */\n process.args : (\"http*/print/pipe/*\", \"http*/pipe/spoolss\", \"http*/pipe/srvsvc\")\n", "references": ["https://github.com/med0x2e/NTLMRelay2Self", "https://github.com/topotam/PetitPotam", "https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "4682fd2c-cfae-47ed-a543-9bed37657aa6", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1212", "name": "Exploitation for Credential Access", "reference": "https://attack.mitre.org/techniques/T1212/"}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 104}, "id": "4682fd2c-cfae-47ed-a543-9bed37657aa6_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_105.json b/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_105.json
deleted file mode 100644
index b46a9797230..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target. An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Local NTLM Relay via HTTP", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"rundll32.exe\" and\n\n /* Rundll32 WbeDav Client */\n process.args : (\"?:\\\\Windows\\\\System32\\\\davclnt.dll,DavSetCookie\", \"?:\\\\Windows\\\\SysWOW64\\\\davclnt.dll,DavSetCookie\") and\n\n /* Access to named pipe via http */\n process.args : (\"http*/print/pipe/*\", \"http*/pipe/spoolss\", \"http*/pipe/srvsvc\")\n", "references": ["https://github.com/med0x2e/NTLMRelay2Self", "https://github.com/topotam/PetitPotam", "https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "4682fd2c-cfae-47ed-a543-9bed37657aa6", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1212", "name": "Exploitation for Credential Access", "reference": "https://attack.mitre.org/techniques/T1212/"}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "4682fd2c-cfae-47ed-a543-9bed37657aa6_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_106.json b/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_106.json
deleted file mode 100644
index 19208ad7a84..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target. An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Local NTLM Relay via HTTP", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"rundll32.exe\" and\n\n /* Rundll32 WbeDav Client */\n process.args : (\"?:\\\\Windows\\\\System32\\\\davclnt.dll,DavSetCookie\", \"?:\\\\Windows\\\\SysWOW64\\\\davclnt.dll,DavSetCookie\") and\n\n /* Access to named pipe via http */\n process.args : (\"http*/print/pipe/*\", \"http*/pipe/spoolss\", \"http*/pipe/srvsvc\")\n", "references": ["https://github.com/med0x2e/NTLMRelay2Self", "https://github.com/topotam/PetitPotam", "https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "4682fd2c-cfae-47ed-a543-9bed37657aa6", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1212", "name": "Exploitation for Credential Access", "reference": 
"https://attack.mitre.org/techniques/T1212/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "4682fd2c-cfae-47ed-a543-9bed37657aa6_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_107.json b/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_107.json
deleted file mode 100644
index d2f90527b47..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target. An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Local NTLM Relay via HTTP", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"rundll32.exe\" and\n\n /* Rundll32 WbeDav Client */\n process.args : (\"?:\\\\Windows\\\\System32\\\\davclnt.dll,DavSetCookie\", \"?:\\\\Windows\\\\SysWOW64\\\\davclnt.dll,DavSetCookie\") and\n\n /* Access to named pipe via http */\n process.args : (\"http*/print/pipe/*\", \"http*/pipe/spoolss\", \"http*/pipe/srvsvc\")\n", "references": ["https://github.com/med0x2e/NTLMRelay2Self", "https://github.com/topotam/PetitPotam", "https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "4682fd2c-cfae-47ed-a543-9bed37657aa6", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1212", "name": "Exploitation for Credential Access", 
"reference": "https://attack.mitre.org/techniques/T1212/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "4682fd2c-cfae-47ed-a543-9bed37657aa6_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_108.json b/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_108.json
deleted file mode 100644
index eb3030f0e95..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target. An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Local NTLM Relay via HTTP", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"rundll32.exe\" and\n\n /* Rundll32 WbeDav Client */\n process.args : (\"?:\\\\Windows\\\\System32\\\\davclnt.dll,DavSetCookie\", \"?:\\\\Windows\\\\SysWOW64\\\\davclnt.dll,DavSetCookie\") and\n\n /* Access to named pipe via http */\n process.args : (\"http*/print/pipe/*\", \"http*/pipe/spoolss\", \"http*/pipe/srvsvc\")\n", "references": ["https://github.com/med0x2e/NTLMRelay2Self", "https://github.com/topotam/PetitPotam", "https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "4682fd2c-cfae-47ed-a543-9bed37657aa6", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1212", "name": "Exploitation for 
Credential Access", "reference": "https://attack.mitre.org/techniques/T1212/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "4682fd2c-cfae-47ed-a543-9bed37657aa6_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_109.json b/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_109.json deleted file mode 100644 index 43252097381..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target. An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Local NTLM Relay via HTTP", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"rundll32.exe\" and\n\n /* Rundll32 WbeDav Client */\n process.args : (\"?:\\\\Windows\\\\System32\\\\davclnt.dll,DavSetCookie\", \"?:\\\\Windows\\\\SysWOW64\\\\davclnt.dll,DavSetCookie\") and\n\n /* Access to named pipe via http */\n process.args : (\"http*/print/pipe/*\", \"http*/pipe/spoolss\", \"http*/pipe/srvsvc\")\n", "references": ["https://github.com/med0x2e/NTLMRelay2Self", "https://github.com/topotam/PetitPotam", "https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "4682fd2c-cfae-47ed-a543-9bed37657aa6", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1212", "name": 
"Exploitation for Credential Access", "reference": "https://attack.mitre.org/techniques/T1212/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "4682fd2c-cfae-47ed-a543-9bed37657aa6_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_110.json b/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_110.json deleted file mode 100644 index c4d4538296e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target. An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Local NTLM Relay via HTTP", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"rundll32.exe\" and\n\n /* Rundll32 WbeDav Client */\n process.args : (\"?:\\\\Windows\\\\System32\\\\davclnt.dll,DavSetCookie\", \"?:\\\\Windows\\\\SysWOW64\\\\davclnt.dll,DavSetCookie\") and\n\n /* Access to named pipe via http */\n process.args : (\"http*/print/pipe/*\", \"http*/pipe/spoolss\", \"http*/pipe/srvsvc\")\n", "references": ["https://github.com/med0x2e/NTLMRelay2Self", "https://github.com/topotam/PetitPotam", "https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "4682fd2c-cfae-47ed-a543-9bed37657aa6", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": 
"T1212", "name": "Exploitation for Credential Access", "reference": "https://attack.mitre.org/techniques/T1212/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "4682fd2c-cfae-47ed-a543-9bed37657aa6_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_310.json b/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_310.json deleted file mode 100644 index f6846552128..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4682fd2c-cfae-47ed-a543-9bed37657aa6_310.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempt to coerce a local NTLM authentication via HTTP using the Windows Printer Spooler service as a target. An adversary may use this primitive in combination with other techniques to elevate privileges on a compromised system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Local NTLM Relay via HTTP", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"rundll32.exe\" and\n\n /* Rundll32 WbeDav Client */\n process.args : (\"?:\\\\Windows\\\\System32\\\\davclnt.dll,DavSetCookie\", \"?:\\\\Windows\\\\SysWOW64\\\\davclnt.dll,DavSetCookie\") and\n\n /* Access to named pipe via http */\n process.args : (\"http*/print/pipe/*\", \"http*/pipe/spoolss\", \"http*/pipe/srvsvc\")\n", "references": ["https://github.com/med0x2e/NTLMRelay2Self", "https://github.com/topotam/PetitPotam", "https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "4682fd2c-cfae-47ed-a543-9bed37657aa6", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense 
Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1212", "name": "Exploitation for Credential Access", "reference": "https://attack.mitre.org/techniques/T1212/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 310}, "id": "4682fd2c-cfae-47ed-a543-9bed37657aa6_310", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75.json b/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75.json deleted file mode 100644 index 29cac145453..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_rare_process_by_host_linux"], "name": "Unusual Process For a Linux Host", "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Linux Host\n\nSearching for abnormal Linux processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Linux process that is rare and unusual for an individual Linux host in your environment.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "46f804f5-b289-43d6-a881-9387cf594f75", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}], "type": "machine_learning", "version": 105}, "id": "46f804f5-b289-43d6-a881-9387cf594f75", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_102.json b/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_102.json deleted file mode 100644 index 5747b161ce8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_rare_process_by_host_linux"], "name": "Unusual Process For a Linux Host", "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Linux Host\n\nSearching for abnormal Linux processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Linux process that is rare and unusual for an individual Linux host in your environment.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "46f804f5-b289-43d6-a881-9387cf594f75", "severity": "low", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}], "type": "machine_learning", "version": 102}, "id": "46f804f5-b289-43d6-a881-9387cf594f75_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_103.json b/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_103.json deleted file mode 100644 index cae4b51d3e4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_rare_process_by_host_linux"], "name": "Unusual Process For a Linux Host", "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Linux Host\n\nSearching for abnormal Linux processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Linux process that is rare and unusual for an individual Linux host in your environment.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "46f804f5-b289-43d6-a881-9387cf594f75", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}], "type": "machine_learning", "version": 103}, "id": "46f804f5-b289-43d6-a881-9387cf594f75_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_104.json b/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_104.json deleted file mode 100644 index 29b6c7c6340..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/46f804f5-b289-43d6-a881-9387cf594f75_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_rare_process_by_host_linux"], "name": "Unusual Process For a Linux Host", "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Linux Host\n\nSearching for abnormal Linux processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Linux process that is rare and unusual for an individual Linux host in your environment.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "46f804f5-b289-43d6-a881-9387cf594f75", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}], "type": "machine_learning", "version": 104}, "id": "46f804f5-b289-43d6-a881-9387cf594f75_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b.json b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b.json
deleted file mode 100644
index 5275380f235..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the \"systemd-sysv-generator\" can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "System V Init Script Created", "note": "## Triage and analysis\n\n### Investigating System V Init Script Created\n\nThe `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.\n\nAttackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.\n\nThis rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE path LIKE '/etc/init.d/%'\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path LIKE '/etc/init.d/%'\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). 
If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the maliciously created service/init.d files or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.action in (\"creation\", \"file_create_event\", \"rename\", \"file_rename_event\")\nand file.path : \"/etc/init.d/*\" and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", 
"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 11}, "id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_1.json b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_1.json
deleted file mode 100644
index 1c096aa943b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd, however, through the \"systemd-sysv-generator\" init.d files can be converted to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code on boot time in order to gain persistence onto the system.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through init.d Detected", "new_terms_fields": ["file.path", "process.name"], "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : /etc/init.d/* and not process.executable : (\"/usr/bin/dpkg\" or \"/usr/bin/dockerd\" or \"/bin/rpm\") and not \nfile.extension : \"swp\"\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b", "severity": "medium", "tags": 
["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_10.json b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_10.json
deleted file mode 100644
index 3b3c51ec921..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_10.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the \"systemd-sysv-generator\" can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through init.d Detected", "new_terms_fields": ["file.path", "process.name", "host.id"], "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through init.d Detected\n\nThe `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.\n\nAttackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.\n\nThis rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/init.d/%' OR path LIKE\\n'/run/systemd/generator.late/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the maliciously created service/init.d files or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : /etc/init.d/* and not (\n (process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"dnf\" or \"chef-client\" or \"apk\" or \"yum\" or \"rpm\" or\n \"vmis-launcher\" or \"exe\" or \"platform-python\" or \"executor\" or \"podman\")) or\n (file.extension : (\"swp\" or \"swpx\")) or\n (process.name:mv and file.name:*.dpkg-remove) or\n (process.name:sed and file.name:sed*) or\n (process.name:systemd and file.name:*.dpkg-new)\n)\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the 
Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 10}, "id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b_10", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_11.json b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_11.json
deleted file mode 100644
index 91ad18726ed..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_11.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the \"systemd-sysv-generator\" can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "System V Init Script Created", "note": "## Triage and analysis\n\n### Investigating System V Init Script Created\n\nThe `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.\n\nAttackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.\n\nThis rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE path LIKE '/etc/init.d/%'\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path LIKE '/etc/init.d/%'\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). 
If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the maliciously created service/init.d files or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.action in (\"creation\", \"file_create_event\", \"rename\", \"file_rename_event\")\nand file.path : \"/etc/init.d/*\" and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", 
"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 11}, "id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b_11", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_12.json b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_12.json
deleted file mode 100644
index 392b74fb4f8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_12.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the \"systemd-sysv-generator\" can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "System V Init Script Created", "note": "## Triage and analysis\n\n### Investigating System V Init Script Created\n\nThe `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.\n\nAttackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.\n\nThis rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE path LIKE '/etc/init.d/%'\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path LIKE '/etc/init.d/%'\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). 
If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the maliciously created service/init.d files or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.action in (\"creation\", \"file_create_event\", \"rename\", \"file_rename_event\")\nand file.path : \"/etc/init.d/*\" and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", 
"https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/", "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 12}, "id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b_12", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_2.json b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_2.json
deleted file mode 100644
index 9f8ebfab65b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd, however, through the \"systemd-sysv-generator\" init.d files can be converted to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code on boot time in order to gain persistence onto the system.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through init.d Detected", "new_terms_fields": ["file.path", "process.name"], "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : /etc/init.d/* and not process.executable : (\"/usr/bin/dpkg\" or \"/usr/bin/dockerd\" or \"/bin/rpm\") and not \nfile.extension : \"swp\"\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b", "severity": "medium", "tags": 
["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_3.json b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_3.json
deleted file mode 100644
index 2a8c7382804..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the \"systemd-sysv-generator\" can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through init.d Detected", "new_terms_fields": ["file.path", "process.name"], "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through init.d Detected\n\nThe `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.\n\nAttackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.\n\nThis rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the maliciously created service/init.d files or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : /etc/init.d/* and not process.executable : (\"/usr/bin/dpkg\" or \"/usr/bin/dockerd\" or \"/bin/rpm\") and not \nfile.extension : \"swp\"\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], 
"timestamp_override": "event.ingested", "type": "new_terms", "version": 3}, "id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_4.json b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_4.json deleted file mode 100644 index 7d44619df37..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the \"systemd-sysv-generator\" can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through init.d Detected", "new_terms_fields": ["file.path", "process.name"], "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through init.d Detected\n\nThe `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.\n\nAttackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.\n\nThis rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the maliciously created service/init.d files or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : /etc/init.d/* and not process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"chef-client\" or \"apk\" or \"yum\" or \n\"rpm\" or \"vmis-launcher\" or \"exe\") and not file.extension : (\"swp\" or \"swx\")\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": 
"https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 4}, "id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_5.json b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_5.json deleted file mode 100644 index 5f3881214f3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the \"systemd-sysv-generator\" can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through init.d Detected", "new_terms_fields": ["file.path", "process.name"], "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through init.d Detected\n\nThe `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.\n\nAttackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.\n\nThis rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the maliciously created service/init.d files or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : /etc/init.d/* and not process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"dnf\" or \"chef-client\" or \"apk\" or \"yum\" or \n\"rpm\" or \"vmis-launcher\" or \"exe\") and not file.extension : (\"swp\" or \"swx\")\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon 
Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 5}, "id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_6.json b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_6.json deleted file mode 100644 index f204a044f54..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the \"systemd-sysv-generator\" can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through init.d Detected", "new_terms_fields": ["file.path", "process.name"], "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through init.d Detected\n\nThe `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.\n\nAttackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.\n\nThis rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the maliciously created service/init.d files or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : /etc/init.d/* and not process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"dnf\" or \"chef-client\" or \"apk\" or \"yum\" or \n\"rpm\" or \"vmis-launcher\" or \"exe\") and not file.extension : (\"swp\" or \"swx\")\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 6}, "id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_7.json b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_7.json deleted file mode 100644 index c6b85b00453..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the \"systemd-sysv-generator\" can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through init.d Detected", "new_terms_fields": ["file.path", "process.name"], "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through init.d Detected\n\nThe `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.\n\nAttackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.\n\nThis rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the maliciously created service/init.d files or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : /etc/init.d/* and not process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"dnf\" or \"chef-client\" or \"apk\" or \"yum\" or \n\"rpm\" or \"vmis-launcher\" or \"exe\") and not file.extension : (\"swp\" or \"swx\")\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 7}, "id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_8.json b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_8.json deleted file mode 100644 index da0a9b04b6f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the \"systemd-sysv-generator\" can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through init.d Detected", "new_terms_fields": ["file.path", "process.name"], "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through init.d Detected\n\nThe `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.\n\nAttackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.\n\nThis rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the maliciously created service/init.d files or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : /etc/init.d/* and not (\n (process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"dnf\" or \"chef-client\" or \"apk\" or \"yum\" or \"rpm\" or\n \"vmis-launcher\" or \"exe\" or \"platform-python\" or \"executor\" or \"podman\")) or\n (file.extension : (\"swp\" or \"swpx\")) or\n (process.name:mv and file.name:*.dpkg-remove) or\n (process.name:sed and file.name:sed*) or\n (process.name:systemd and file.name:*.dpkg-new)\n)\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic 
Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 8}, "id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b_8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_9.json b/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_9.json deleted file mode 100644 index b6f211dfc5f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/474fd20e-14cc-49c5-8160-d9ab4ba16c8b_9.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Files that are placed in the /etc/init.d/ directory in Unix can be used to start custom applications, services, scripts or commands during start-up. Init.d has been mostly replaced in favor of Systemd. However, the \"systemd-sysv-generator\" can convert init.d files to service unit files that run at boot. Adversaries may add or alter files located in the /etc/init.d/ directory to execute malicious code upon boot in order to gain persistence on the system.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through init.d Detected", "new_terms_fields": ["file.path", "process.name", "host.id"], "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through init.d Detected\n\nThe `/etc/init.d` directory is used in Linux systems to store the initialization scripts for various services and daemons that are executed during system startup and shutdown.\n\nAttackers can abuse files within the `/etc/init.d/` directory to run scripts, commands or malicious software every time a system is rebooted by converting an executable file into a service file through the `systemd-sysv-generator`. After conversion, a unit file is created within the `/run/systemd/generator.late/` directory.\n\nThis rule looks for the creation of new files within the `/etc/init.d/` directory. Executable files in these directories will automatically run at boot with root privileges.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/init.d/` or `/run/systemd/generator.late/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/init.d/%' OR path LIKE '/run/systemd/generator.late/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses init.d for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the maliciously created service/init.d files or restore it to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : /etc/init.d/* and not (\n (process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"dnf\" or \"chef-client\" or \"apk\" or \"yum\" or \"rpm\" or\n \"vmis-launcher\" or \"exe\" or \"platform-python\" or \"executor\" or \"podman\")) or\n (file.extension : (\"swp\" or \"swpx\")) or\n (process.name:mv and file.name:*.dpkg-remove) or\n (process.name:sed and file.name:sed*) or\n (process.name:systemd and file.name:*.dpkg-new)\n)\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the 
Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 9}, "id": "474fd20e-14cc-49c5-8160-d9ab4ba16c8b_9", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/475b42f0-61fb-4ef0-8a85-597458bfb0a1.json b/packages/security_detection_engine/kibana/security_rule/475b42f0-61fb-4ef0-8a85-597458bfb0a1.json
deleted file mode 100644
index 9e387ab85de..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/475b42f0-61fb-4ef0-8a85-597458bfb0a1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations inside a container.", "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "Sensitive Files Compression Inside A Container", "query": "process where container.id: \"*\" and event.type== \"start\" and \n\n/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/ \n(process.name: (\"zip\", \"tar\", \"gzip\", \"hdiutil\", \"7z\") or process.args: (\"zip\", \"tar\", \"gzip\", \"hdiutil\", \"7z\"))\nand process.args: ( \n\"/root/.ssh/id_rsa\", \n\"/root/.ssh/id_rsa.pub\", \n\"/root/.ssh/id_ed25519\", \n\"/root/.ssh/id_ed25519.pub\", \n\"/root/.ssh/authorized_keys\", \n\"/root/.ssh/authorized_keys2\", \n\"/root/.ssh/known_hosts\", \n\"/root/.bash_history\", \n\"/etc/hosts\", \n\"/home/*/.ssh/id_rsa\", \n\"/home/*/.ssh/id_rsa.pub\", \n\"/home/*/.ssh/id_ed25519\",\n\"/home/*/.ssh/id_ed25519.pub\",\n\"/home/*/.ssh/authorized_keys\",\n\"/home/*/.ssh/authorized_keys2\",\n\"/home/*/.ssh/known_hosts\",\n\"/home/*/.bash_history\",\n\"/root/.aws/credentials\",\n\"/root/.aws/config\",\n\"/home/*/.aws/credentials\",\n\"/home/*/.aws/config\",\n\"/root/.docker/config.json\",\n\"/home/*/.docker/config.json\",\n\"/etc/group\",\n\"/etc/passwd\",\n\"/etc/shadow\",\n\"/etc/gshadow\")\n", "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "container.id", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "475b42f0-61fb-4ef0-8a85-597458bfb0a1", "severity": "medium", "tags": ["Data Source: Elastic 
Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.001", "name": "Credentials In Files", "reference": "https://attack.mitre.org/techniques/T1552/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/", "subtechnique": [{"id": "T1560.001", "name": "Archive via Utility", "reference": "https://attack.mitre.org/techniques/T1560/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "475b42f0-61fb-4ef0-8a85-597458bfb0a1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/475b42f0-61fb-4ef0-8a85-597458bfb0a1_1.json b/packages/security_detection_engine/kibana/security_rule/475b42f0-61fb-4ef0-8a85-597458bfb0a1_1.json
deleted file mode 100644
index 7751449eeed..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/475b42f0-61fb-4ef0-8a85-597458bfb0a1_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations inside a container.", "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "Sensitive Files Compression Inside A Container", "query": "process where container.id: \"*\" and event.type== \"start\" and \n\n/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/ \n(process.name: (\"zip\", \"tar\", \"gzip\", \"hdiutil\", \"7z\") or process.args: (\"zip\", \"tar\", \"gzip\", \"hdiutil\", \"7z\"))\nand process.args: ( \n\"/root/.ssh/id_rsa\", \n\"/root/.ssh/id_rsa.pub\", \n\"/root/.ssh/id_ed25519\", \n\"/root/.ssh/id_ed25519.pub\", \n\"/root/.ssh/authorized_keys\", \n\"/root/.ssh/authorized_keys2\", \n\"/root/.ssh/known_hosts\", \n\"/root/.bash_history\", \n\"/etc/hosts\", \n\"/home/*/.ssh/id_rsa\", \n\"/home/*/.ssh/id_rsa.pub\", \n\"/home/*/.ssh/id_ed25519\",\n\"/home/*/.ssh/id_ed25519.pub\",\n\"/home/*/.ssh/authorized_keys\",\n\"/home/*/.ssh/authorized_keys2\",\n\"/home/*/.ssh/known_hosts\",\n\"/home/*/.bash_history\",\n\"/root/.aws/credentials\",\n\"/root/.aws/config\",\n\"/home/*/.aws/credentials\",\n\"/home/*/.aws/config\",\n\"/root/.docker/config.json\",\n\"/home/*/.docker/config.json\",\n\"/etc/group\",\n\"/etc/passwd\",\n\"/etc/shadow\",\n\"/etc/gshadow\")\n", "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "container.id", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "475b42f0-61fb-4ef0-8a85-597458bfb0a1", "severity": "medium", "tags": ["Elastic", "Host", 
"Linux", "Container", "Threat Detection", "Collection", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.001", "name": "Credentials In Files", "reference": "https://attack.mitre.org/techniques/T1552/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/", "subtechnique": [{"id": "T1560.001", "name": "Archive via Utility", "reference": "https://attack.mitre.org/techniques/T1560/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "475b42f0-61fb-4ef0-8a85-597458bfb0a1_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/476267ff-e44f-476e-99c1-04c78cb3769d_1.json b/packages/security_detection_engine/kibana/security_rule/476267ff-e44f-476e-99c1-04c78cb3769d_1.json
deleted file mode 100644
index f1f57407861..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/476267ff-e44f-476e-99c1-04c78cb3769d_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This detection rule addresses multiple vulnerabilities in the CUPS printing system, including CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. Specifically, this rule detects shell executions from the foomatic-rip parent process. These flaws impact components like cups-browsed, libcupsfilters, libppd, and foomatic-rip, allowing remote unauthenticated attackers to manipulate IPP URLs or inject malicious data through crafted UDP packets or network spoofing. This can result in arbitrary command execution when a print job is initiated.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Cupsd or Foomatic-rip Shell Execution", "note": "## Triage and analysis\n\n### Investigating Cupsd or Foomatic-rip Shell Execution\n\nThis rule identifies potential exploitation attempts of several vulnerabilities in the CUPS printing system (CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177). These vulnerabilities allow attackers to send crafted IPP requests or manipulate UDP packets to execute arbitrary commands or modify printer configurations. Attackers can exploit these flaws to inject malicious data, leading to Remote Code Execution (RCE) on affected systems.\n\n#### Possible Investigation Steps\n\n- Investigate the incoming IPP requests or UDP packets targeting port 631.\n- Examine the printer configurations on the system to determine if any unauthorized printers or URLs have been added.\n- Investigate the process tree to check if any unexpected processes were triggered as a result of IPP activity. 
Review the executable files for legitimacy.\n- Check for additional alerts related to the compromised system or user within the last 48 hours.\n- Investigate network traffic logs for suspicious outbound connections to unrecognized domains or IP addresses.\n- Check if any of the contacted domains or addresses are newly registered or have a suspicious reputation.\n- Retrieve any scripts or executables dropped by the attack for further analysis in a private sandbox environment:\n- Analyze potential malicious activity, including:\n - Attempts to communicate with external servers.\n - File access or creation of unauthorized executables.\n - Cron jobs, services, or other persistence mechanisms.\n\n### Related Rules\n- Printer User (lp) Shell Execution - f86cd31c-5c7e-4481-99d7-6875a3e31309\n- Network Connection by Cups or Foomatic-rip Child - e80ee207-9505-49ab-8ca8-bc57d80e2cab\n- File Creation by Cups or Foomatic-rip Child - b9b14be7-b7f4-4367-9934-81f07d2f63c4\n- Suspicious Execution from Foomatic-rip or Cupsd Parent - 986361cd-3dac-47fe-afa1-5c5dd89f2fb4\n\n### False Positive Analysis\n\n- This activity is rarely legitimate. 
However, verify the context to rule out non-malicious printer configuration changes or legitimate IPP requests.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the triage outcome.\n- Isolate the compromised host to prevent further exploitation.\n- If the investigation confirms malicious activity, search the environment for additional compromised hosts.\n- Implement network segmentation or restrictions to contain the attack.\n- Stop suspicious processes or services tied to CUPS exploitation.\n- Block identified Indicators of Compromise (IoCs), including IP addresses, domains, or hashes of involved files.\n- Review compromised systems for backdoors, such as reverse shells or persistence mechanisms like cron jobs.\n- Investigate potential credential exposure on compromised systems and reset passwords for any affected accounts.\n- Restore the original printer configurations or uninstall unauthorized printer entries.\n- Perform a thorough antimalware scan to identify any lingering threats or artifacts from the attack.\n- Investigate how the attacker gained initial access and address any weaknesses to prevent future exploitation.\n- Use insights from the incident to improve detection and response times in future incidents (MTTD and MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.parent.name == \"foomatic-rip\" and\nprocess.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and\nnot process.command_line like (\"*/tmp/foomatic-*\", \"*-sDEVICE=ps2write*\")\n", "references": ["https://www.elastic.co/security-labs/cups-overflow", "https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/", "https://gist.github.com/stong/c8847ef27910ae344a7b5408d9840ee1", "https://github.com/RickdeJager/cupshax/blob/main/cupshax.py"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], 
"required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "476267ff-e44f-476e-99c1-04c78cb3769d", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Use Case: Vulnerability", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "476267ff-e44f-476e-99c1-04c78cb3769d_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2.json b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2.json
deleted file mode 100644
index c5891d6d98f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Remote Registry Access via SeBackupPrivilege", "note": "## Triage and analysis\n\n### Investigating Suspicious Remote Registry Access via SeBackupPrivilege\n\nSeBackupPrivilege is a privilege that allows file content retrieval, designed to enable users to create backup copies of the system. Since it is impossible to make a backup of something you cannot read, this privilege comes at the cost of providing the user with full read access to the file system. This privilege must bypass any access control list (ACL) placed in the system.\n\nThis rule identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the activities done by the subject user the login session. 
The field `winlog.event_data.SubjectLogonId` can be used to get this data.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate abnormal behaviors observed by the subject user such as network connections, registry or file modifications, and processes created.\n- Investigate if the registry file was retrieved or exfiltrated.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Limit or disable the involved user account to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m\n [iam where event.action == \"logged-in-special\" and\n winlog.event_data.PrivilegeList : \"SeBackupPrivilege\" and\n\n /* excluding accounts with existing privileged access */\n not winlog.event_data.PrivilegeList : \"SeDebugPrivilege\"]\n [any where event.action == \"Detailed File Share\" and winlog.event_data.RelativeTargetName : \"winreg\"]\n", "references": ["https://github.com/mpgn/BackupOperatorToDA", "https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.PrivilegeList", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}], "risk_score": 47, "rule_id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2", "setup": "## Setup\n\nThe 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\nSteps to implement the logging policy with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit 
Detailed File Share (Success)\n```\n\nThe 'Special Logon' audit policy must be configured (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nLogon/Logoff >\nSpecial Logon (Success)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Credential Access", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.004", "name": "LSA Secrets", "reference": "https://attack.mitre.org/techniques/T1003/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 111}, "id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_105.json b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_105.json
deleted file mode 100644
index f6e96e183b6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Remote Registry Access via SeBackupPrivilege", "note": "## Triage and analysis\n\n### Investigating Suspicious Remote Registry Access via SeBackupPrivilege\n\nSeBackupPrivilege is a privilege that allows file content retrieval, designed to enable users to create backup copies of the system. Since it is impossible to make a backup of something you cannot read, this privilege comes at the cost of providing the user with full read access to the file system. This privilege must bypass any access control list (ACL) placed in the system.\n\nThis rule identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the activities done by the subject user the login session. 
The field `winlog.event_data.SubjectLogonId` can be used to get this data.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate abnormal behaviors observed by the subject user such as network connections, registry or file modifications, and processes created.\n- Investigate if the registry file was retrieved or exfiltrated.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Limit or disable the involved user account to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m\n [iam where host.os.type == \"windows\" and event.action == \"logged-in-special\" and\n winlog.event_data.PrivilegeList : \"SeBackupPrivilege\" and\n\n /* excluding accounts with existing privileged access */\n not winlog.event_data.PrivilegeList : \"SeDebugPrivilege\"]\n [any where host.os.type == \"windows\" and event.action == \"Detailed File Share\" and winlog.event_data.RelativeTargetName : \"winreg\"]\n", "references": ["https://github.com/mpgn/BackupOperatorToDA", "https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.PrivilegeList", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}], "risk_score": 47, "rule_id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2", "setup": "The 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows 
Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success)\n```\n\nThe 'Special Logon' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nLogon/Logoff >\nSpecial Logon (Success)\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access", "Investigation Guide", "Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 105}, "id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_106.json b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_106.json deleted file mode 100644 index 84bd81a0d9a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Remote Registry Access via SeBackupPrivilege", "note": "## Triage and analysis\n\n### Investigating Suspicious Remote Registry Access via SeBackupPrivilege\n\nSeBackupPrivilege is a privilege that allows file content retrieval, designed to enable users to create backup copies of the system. Since it is impossible to make a backup of something you cannot read, this privilege comes at the cost of providing the user with full read access to the file system. This privilege must bypass any access control list (ACL) placed in the system.\n\nThis rule identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the activities done by the subject user the login session. 
The field `winlog.event_data.SubjectLogonId` can be used to get this data.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate abnormal behaviors observed by the subject user such as network connections, registry or file modifications, and processes created.\n- Investigate if the registry file was retrieved or exfiltrated.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Limit or disable the involved user account to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m\n [iam where event.action == \"logged-in-special\" and\n winlog.event_data.PrivilegeList : \"SeBackupPrivilege\" and\n\n /* excluding accounts with existing privileged access */\n not winlog.event_data.PrivilegeList : \"SeDebugPrivilege\"]\n [any where event.action == \"Detailed File Share\" and winlog.event_data.RelativeTargetName : \"winreg\"]\n", "references": ["https://github.com/mpgn/BackupOperatorToDA", "https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.PrivilegeList", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}], "risk_score": 47, "rule_id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2", "setup": "The 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed 
File Share (Success)\n```\n\nThe 'Special Logon' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nLogon/Logoff >\nSpecial Logon (Success)\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access", "Investigation Guide", "Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 106}, "id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_107.json b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_107.json deleted file mode 100644 index 5e3d5185166..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Remote Registry Access via SeBackupPrivilege", "note": "## Triage and analysis\n\n### Investigating Suspicious Remote Registry Access via SeBackupPrivilege\n\nSeBackupPrivilege is a privilege that allows file content retrieval, designed to enable users to create backup copies of the system. Since it is impossible to make a backup of something you cannot read, this privilege comes at the cost of providing the user with full read access to the file system. This privilege must bypass any access control list (ACL) placed in the system.\n\nThis rule identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the activities done by the subject user the login session. 
The field `winlog.event_data.SubjectLogonId` can be used to get this data.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate abnormal behaviors observed by the subject user such as network connections, registry or file modifications, and processes created.\n- Investigate if the registry file was retrieved or exfiltrated.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Limit or disable the involved user account to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m\n [iam where event.action == \"logged-in-special\" and\n winlog.event_data.PrivilegeList : \"SeBackupPrivilege\" and\n\n /* excluding accounts with existing privileged access */\n not winlog.event_data.PrivilegeList : \"SeDebugPrivilege\"]\n [any where event.action == \"Detailed File Share\" and winlog.event_data.RelativeTargetName : \"winreg\"]\n", "references": ["https://github.com/mpgn/BackupOperatorToDA", "https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.PrivilegeList", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}], "risk_score": 47, "rule_id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2", "setup": "The 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed 
File Share (Success)\n```\n\nThe 'Special Logon' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nLogon/Logoff >\nSpecial Logon (Success)\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Credential Access", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 107}, "id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_108.json b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_108.json deleted file mode 100644 index 2059ee6d708..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Remote Registry Access via SeBackupPrivilege", "note": "## Triage and analysis\n\n### Investigating Suspicious Remote Registry Access via SeBackupPrivilege\n\nSeBackupPrivilege is a privilege that allows file content retrieval, designed to enable users to create backup copies of the system. Since it is impossible to make a backup of something you cannot read, this privilege comes at the cost of providing the user with full read access to the file system. This privilege must bypass any access control list (ACL) placed in the system.\n\nThis rule identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the activities done by the subject user the login session. 
The field `winlog.event_data.SubjectLogonId` can be used to get this data.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate abnormal behaviors observed by the subject user such as network connections, registry or file modifications, and processes created.\n- Investigate if the registry file was retrieved or exfiltrated.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Limit or disable the involved user account to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m\n [iam where event.action == \"logged-in-special\" and\n winlog.event_data.PrivilegeList : \"SeBackupPrivilege\" and\n\n /* excluding accounts with existing privileged access */\n not winlog.event_data.PrivilegeList : \"SeDebugPrivilege\"]\n [any where event.action == \"Detailed File Share\" and winlog.event_data.RelativeTargetName : \"winreg\"]\n", "references": ["https://github.com/mpgn/BackupOperatorToDA", "https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.PrivilegeList", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}], "risk_score": 47, "rule_id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2", "setup": "The 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed 
File Share (Success)\n```\n\nThe 'Special Logon' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nLogon/Logoff >\nSpecial Logon (Success)\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Credential Access", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.004", "name": "LSA Secrets", "reference": "https://attack.mitre.org/techniques/T1003/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 108}, "id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_109.json b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_109.json deleted file mode 100644 index ad5e2ab6aab..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Remote Registry Access via SeBackupPrivilege", "note": "## Triage and analysis\n\n### Investigating Suspicious Remote Registry Access via SeBackupPrivilege\n\nSeBackupPrivilege is a privilege that allows file content retrieval, designed to enable users to create backup copies of the system. Since it is impossible to make a backup of something you cannot read, this privilege comes at the cost of providing the user with full read access to the file system. This privilege must bypass any access control list (ACL) placed in the system.\n\nThis rule identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the activities done by the subject user the login session. 
The field `winlog.event_data.SubjectLogonId` can be used to get this data.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate abnormal behaviors observed by the subject user such as network connections, registry or file modifications, and processes created.\n- Investigate if the registry file was retrieved or exfiltrated.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Limit or disable the involved user account to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m\n [iam where event.action == \"logged-in-special\" and\n winlog.event_data.PrivilegeList : \"SeBackupPrivilege\" and\n\n /* excluding accounts with existing privileged access */\n not winlog.event_data.PrivilegeList : \"SeDebugPrivilege\"]\n [any where event.action == \"Detailed File Share\" and winlog.event_data.RelativeTargetName : \"winreg\"]\n", "references": ["https://github.com/mpgn/BackupOperatorToDA", "https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.PrivilegeList", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}], "risk_score": 47, "rule_id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2", "setup": "\nThe 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit 
Detailed File Share (Success)\n```\n\nThe 'Special Logon' audit policy must be configured (Success).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nLogon/Logoff >\nSpecial Logon (Success)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Credential Access", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.004", "name": "LSA Secrets", "reference": "https://attack.mitre.org/techniques/T1003/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 109}, "id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_110.json b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_110.json deleted file mode 100644 index e2c3fbb143e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Remote Registry Access via SeBackupPrivilege", "note": "## Triage and analysis\n\n### Investigating Suspicious Remote Registry Access via SeBackupPrivilege\n\nSeBackupPrivilege is a privilege that allows file content retrieval, designed to enable users to create backup copies of the system. Since it is impossible to make a backup of something you cannot read, this privilege comes at the cost of providing the user with full read access to the file system. This privilege must bypass any access control list (ACL) placed in the system.\n\nThis rule identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the activities done by the subject user the login session. 
The field `winlog.event_data.SubjectLogonId` can be used to get this data.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate abnormal behaviors observed by the subject user such as network connections, registry or file modifications, and processes created.\n- Investigate if the registry file was retrieved or exfiltrated.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Limit or disable the involved user account to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m\n [iam where event.action == \"logged-in-special\" and\n winlog.event_data.PrivilegeList : \"SeBackupPrivilege\" and\n\n /* excluding accounts with existing privileged access */\n not winlog.event_data.PrivilegeList : \"SeDebugPrivilege\"]\n [any where event.action == \"Detailed File Share\" and winlog.event_data.RelativeTargetName : \"winreg\"]\n", "references": ["https://github.com/mpgn/BackupOperatorToDA", "https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.PrivilegeList", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}], "risk_score": 47, "rule_id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2", "setup": "## Setup\n\nThe 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\nSteps to implement the logging policy with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit 
Detailed File Share (Success)\n```\n\nThe 'Special Logon' audit policy must be configured (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nLogon/Logoff >\nSpecial Logon (Success)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Credential Access", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.004", "name": "LSA Secrets", "reference": "https://attack.mitre.org/techniques/T1003/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 110}, "id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_111.json b/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_111.json deleted file mode 100644 index f5e0d3f3b45..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/47e22836-4a16-4b35-beee-98f6c4ee9bf2_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Remote Registry Access via SeBackupPrivilege", "note": "## Triage and analysis\n\n### Investigating Suspicious Remote Registry Access via SeBackupPrivilege\n\nSeBackupPrivilege is a privilege that allows file content retrieval, designed to enable users to create backup copies of the system. Since it is impossible to make a backup of something you cannot read, this privilege comes at the cost of providing the user with full read access to the file system. This privilege must bypass any access control list (ACL) placed in the system.\n\nThis rule identifies remote access to the registry using an account with Backup Operators group membership. This may indicate an attempt to exfiltrate credentials by dumping the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the activities done by the subject user the login session. 
The field `winlog.event_data.SubjectLogonId` can be used to get this data.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate abnormal behaviors observed by the subject user such as network connections, registry or file modifications, and processes created.\n- Investigate if the registry file was retrieved or exfiltrated.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Limit or disable the involved user account to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by winlog.computer_name, winlog.event_data.SubjectLogonId with maxspan=1m\n [iam where event.action == \"logged-in-special\" and\n winlog.event_data.PrivilegeList : \"SeBackupPrivilege\" and\n\n /* excluding accounts with existing privileged access */\n not winlog.event_data.PrivilegeList : \"SeDebugPrivilege\"]\n [any where event.action == \"Detailed File Share\" and winlog.event_data.RelativeTargetName : \"winreg\"]\n", "references": ["https://github.com/mpgn/BackupOperatorToDA", "https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.PrivilegeList", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.RelativeTargetName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}], "risk_score": 47, "rule_id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2", "setup": "## Setup\n\nThe 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers.\nSteps to implement the logging policy with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit 
Detailed File Share (Success)\n```\n\nThe 'Special Logon' audit policy must be configured (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nLogon/Logoff >\nSpecial Logon (Success)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Credential Access", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.004", "name": "LSA Secrets", "reference": "https://attack.mitre.org/techniques/T1003/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 111}, "id": "47e22836-4a16-4b35-beee-98f6c4ee9bf2_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910.json b/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910.json deleted file mode 100644 index f1276156ee5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process within a short time period. Adversaries may use malicious scripts for execution and command and control.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Apple Script Execution followed by Network Connection", "query": "sequence by host.id, process.entity_id with maxspan=30s\n [process where host.os.type == \"macos\" and event.type == \"start\" and process.name == \"osascript\"]\n [network where host.os.type == \"macos\" and event.type != \"end\" and process.name == \"osascript\" and destination.ip != \"::1\" and\n not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html", "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, 
"rule_id": "47f76567-d58a-4fed-b32b-21f571e28910", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.002", "name": "AppleScript", "reference": "https://attack.mitre.org/techniques/T1059/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "type": "eql", "version": 106}, "id": "47f76567-d58a-4fed-b32b-21f571e28910", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_102.json b/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_102.json deleted file mode 100644 index ea8cd4cb2f3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process within a short time period. Adversaries may use malicious scripts for execution and command and control.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Apple Script Execution followed by Network Connection", "query": "sequence by host.id, process.entity_id with maxspan=30s\n [process where host.os.type == \"macos\" and event.type == \"start\" and process.name == \"osascript\"]\n [network where host.os.type == \"macos\" and event.type != \"end\" and process.name == \"osascript\" and destination.ip != \"::1\" and\n not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html", "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], 
"risk_score": 47, "rule_id": "47f76567-d58a-4fed-b32b-21f571e28910", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Command and Control", "Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.002", "name": "AppleScript", "reference": "https://attack.mitre.org/techniques/T1059/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "type": "eql", "version": 102}, "id": "47f76567-d58a-4fed-b32b-21f571e28910_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_103.json b/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_103.json deleted file mode 100644 index e3b7e55dc32..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process within a short time period. Adversaries may use malicious scripts for execution and command and control.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Apple Script Execution followed by Network Connection", "query": "sequence by host.id, process.entity_id with maxspan=30s\n [process where host.os.type == \"macos\" and event.type == \"start\" and process.name == \"osascript\"]\n [network where host.os.type == \"macos\" and event.type != \"end\" and process.name == \"osascript\" and destination.ip != \"::1\" and\n not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html", "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], 
"risk_score": 47, "rule_id": "47f76567-d58a-4fed-b32b-21f571e28910", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.002", "name": "AppleScript", "reference": "https://attack.mitre.org/techniques/T1059/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "type": "eql", "version": 103}, "id": "47f76567-d58a-4fed-b32b-21f571e28910_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_104.json b/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_104.json deleted file mode 100644 index e5b42e92b6b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process within a short time period. Adversaries may use malicious scripts for execution and command and control.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Apple Script Execution followed by Network Connection", "query": "sequence by host.id, process.entity_id with maxspan=30s\n [process where host.os.type == \"macos\" and event.type == \"start\" and process.name == \"osascript\"]\n [network where host.os.type == \"macos\" and event.type != \"end\" and process.name == \"osascript\" and destination.ip != \"::1\" and\n not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html", "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], 
"risk_score": 47, "rule_id": "47f76567-d58a-4fed-b32b-21f571e28910", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.002", "name": "AppleScript", "reference": "https://attack.mitre.org/techniques/T1059/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "type": "eql", "version": 104}, "id": "47f76567-d58a-4fed-b32b-21f571e28910_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_105.json b/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_105.json deleted file mode 100644 index dd3984ffdc0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/47f76567-d58a-4fed-b32b-21f571e28910_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process within a short time period. Adversaries may use malicious scripts for execution and command and control.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Apple Script Execution followed by Network Connection", "query": "sequence by host.id, process.entity_id with maxspan=30s\n [process where host.os.type == \"macos\" and event.type == \"start\" and process.name == \"osascript\"]\n [network where host.os.type == \"macos\" and event.type != \"end\" and process.name == \"osascript\" and destination.ip != \"::1\" and\n not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html", "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, 
"rule_id": "47f76567-d58a-4fed-b32b-21f571e28910", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.002", "name": "AppleScript", "reference": "https://attack.mitre.org/techniques/T1059/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "type": "eql", "version": 105}, "id": "47f76567-d58a-4fed-b32b-21f571e28910_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b.json b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b.json deleted file mode 100644 index ac0c3abf467..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857.", "false_positives": ["Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known processes are causing false positives, they can be exempted from the rule."], "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Server UM Spawning Suspicious Processes", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"UMService.exe\", \"UMWorkerProcess.exe\") and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\werfault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V??\\\\Bin\\\\UMWorkerProcess.exe\",\n \"?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange 2016\\\\Bin\\\\UMWorkerProcess.exe\",\n \"E:\\\\ExchangeServer\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange Server\\\\Bin\\\\UMWorkerProcess.exe\",\n \"E:\\\\Exchange Server\\\\V15\\\\Bin\\\\UMWorkerProcess.exe\")\n", "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, 
{"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_102.json b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_102.json deleted file mode 100644 index 3d6bf7cdc1f..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857.", "false_positives": ["Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known processes are causing false positives, they can be exempted from the rule."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Server UM Spawning Suspicious Processes", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"UMService.exe\", \"UMWorkerProcess.exe\") and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\werfault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V??\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange 2016\\\\Bin\\\\UMWorkerProcess.exe\",\n \"E:\\\\ExchangeServer\\\\Bin\\\\UMWorkerProcess.exe\")\n", "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define 
`event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_103.json b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_103.json deleted file mode 100644 index 2bbde5a52ad..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857.", "false_positives": ["Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known processes are causing false positives, they can be exempted from the rule."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Server UM Spawning Suspicious Processes", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"UMService.exe\", \"UMWorkerProcess.exe\") and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\werfault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V??\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange 2016\\\\Bin\\\\UMWorkerProcess.exe\",\n \"E:\\\\ExchangeServer\\\\Bin\\\\UMWorkerProcess.exe\")\n", "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define 
`event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_104.json b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_104.json deleted file mode 100644 index b179b4b8e07..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857.", "false_positives": ["Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known processes are causing false positives, they can be exempted from the rule."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Server UM Spawning Suspicious Processes", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"UMService.exe\", \"UMWorkerProcess.exe\") and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\werfault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V??\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange 2016\\\\Bin\\\\UMWorkerProcess.exe\",\n \"E:\\\\ExchangeServer\\\\Bin\\\\UMWorkerProcess.exe\")\n", "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define 
`event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_105.json b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_105.json deleted file mode 100644 index 756bff59d13..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857.", "false_positives": ["Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known processes are causing false positives, they can be exempted from the rule."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Server UM Spawning Suspicious Processes", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"UMService.exe\", \"UMWorkerProcess.exe\") and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\werfault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V??\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange 2016\\\\Bin\\\\UMWorkerProcess.exe\",\n \"E:\\\\ExchangeServer\\\\Bin\\\\UMWorkerProcess.exe\")\n", "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define 
`event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_106.json b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_106.json deleted file mode 100644 index 78dbf5fc1c3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857.", "false_positives": ["Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known processes are causing false positives, they can be exempted from the rule."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Server UM Spawning Suspicious Processes", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"UMService.exe\", \"UMWorkerProcess.exe\") and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\werfault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V??\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange 2016\\\\Bin\\\\UMWorkerProcess.exe\",\n \"E:\\\\ExchangeServer\\\\Bin\\\\UMWorkerProcess.exe\")\n", "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` 
and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_107.json b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_107.json deleted file mode 100644 index 178294cc4cd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857.", "false_positives": ["Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known processes are causing false positives, they can be exempted from the rule."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Server UM Spawning Suspicious Processes", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"UMService.exe\", \"UMWorkerProcess.exe\") and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\werfault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V??\\\\Bin\\\\UMWorkerProcess.exe\",\n \"?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange 2016\\\\Bin\\\\UMWorkerProcess.exe\",\n \"E:\\\\ExchangeServer\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange Server\\\\Bin\\\\UMWorkerProcess.exe\",\n \"E:\\\\Exchange Server\\\\V15\\\\Bin\\\\UMWorkerProcess.exe\")\n", "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": 
true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_108.json b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_108.json deleted file mode 100644 index 4774d17c7d8..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857.", "false_positives": ["Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known processes are causing false positives, they can be exempted from the rule."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Server UM Spawning Suspicious Processes", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"UMService.exe\", \"UMWorkerProcess.exe\") and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\werfault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V??\\\\Bin\\\\UMWorkerProcess.exe\",\n \"?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange 2016\\\\Bin\\\\UMWorkerProcess.exe\",\n \"E:\\\\ExchangeServer\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange Server\\\\Bin\\\\UMWorkerProcess.exe\",\n \"E:\\\\Exchange Server\\\\V15\\\\Bin\\\\UMWorkerProcess.exe\")\n", "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": 
true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_109.json b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_109.json deleted file mode 100644 index c193e0efa10..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857.", "false_positives": ["Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known processes are causing false positives, they can be exempted from the rule."], "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Server UM Spawning Suspicious Processes", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"UMService.exe\", \"UMWorkerProcess.exe\") and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\werfault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V??\\\\Bin\\\\UMWorkerProcess.exe\",\n \"?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange 2016\\\\Bin\\\\UMWorkerProcess.exe\",\n \"E:\\\\ExchangeServer\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange Server\\\\Bin\\\\UMWorkerProcess.exe\",\n \"E:\\\\Exchange Server\\\\V15\\\\Bin\\\\UMWorkerProcess.exe\")\n", "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, 
{"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_110.json b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_110.json deleted file mode 100644 index 92df7762378..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857.", "false_positives": ["Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known processes are causing false positives, they can be exempted from the rule."], "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Server UM Spawning Suspicious Processes", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"UMService.exe\", \"UMWorkerProcess.exe\") and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\werfault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V??\\\\Bin\\\\UMWorkerProcess.exe\",\n \"?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange 2016\\\\Bin\\\\UMWorkerProcess.exe\",\n \"E:\\\\ExchangeServer\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange Server\\\\Bin\\\\UMWorkerProcess.exe\",\n \"E:\\\\Exchange Server\\\\V15\\\\Bin\\\\UMWorkerProcess.exe\")\n", "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, 
{"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_310.json b/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_310.json deleted file mode 100644 index 92849d59d7d..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/483c4daf-b0c6-49e0-adf3-0bfa93231d6b_310.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857.", "false_positives": ["Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known processes are causing false positives, they can be exempted from the rule."], "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Server UM Spawning Suspicious Processes", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"UMService.exe\", \"UMWorkerProcess.exe\") and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\werfault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V??\\\\Bin\\\\UMWorkerProcess.exe\",\n \"?:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange 2016\\\\Bin\\\\UMWorkerProcess.exe\",\n \"E:\\\\ExchangeServer\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange\\\\Bin\\\\UMWorkerProcess.exe\",\n \"D:\\\\Exchange Server\\\\Bin\\\\UMWorkerProcess.exe\",\n \"E:\\\\Exchange Server\\\\V15\\\\Bin\\\\UMWorkerProcess.exe\")\n", "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": 
"m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 310}, "id": "483c4daf-b0c6-49e0-adf3-0bfa93231d6b_310", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2.json b/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2.json deleted file mode 100644 index 6a4a8919d3a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days.", "false_positives": ["User using a new mail client."], "from": "now-30m", "history_window_start": "now-25d", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Microsoft 365 Mail Access by ClientAppId", "new_terms_fields": ["o365.audit.ClientAppId"], "note": "## Triage and analysis\n\n### Investigating Suspicious Microsoft 365 Mail Access by ClientAppId\n\n- Verify the ClientAppId, source.ip and geolocation associated with Mail Access.\n- Verify the total number of used ClientAppId by that specific user.id.\n- Verify if the mailbox owner was on leave and just resumed working or not.\n- Verify if there are other alerts associated with the same user.id.\n- Verify the total number of connections from that ClientAppId, if it's accessing other mailboxes and with a high frequency there is a high chance it's a false positive.\n\n### False positive analysis\n\n- Legit Microsoft or third party ClientAppId.\n- User changing of ClientAppId or new connection post an extended period of leave.\n- If the total number of accessed Mailboxes by ClientAppId is too high there is a high chance it's a false positive.\n", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:MailItemsAccessed and event.outcome:success and \nnot o365.audit.ClientAppId : (\"13937bba-652e-4c46-b222-3003f4d1ff97\" or \"6326e366-9d6d-4c70-b22a-34c7ea72d73d\" or \n \"a3883eba-fbe9-48bd-9ed3-dca3e0e84250\" or \"d3590ed6-52b3-4102-aeff-aad2292ab01c\" or \"27922004-5251-4030-b22d-91ecd9a37ea4\" or \n \"1fec8e78-bce4-4aaf-ab1b-5451cc387264\" or \"26a7ee05-5602-4d76-a7ba-eae8b7b67941\" or \"00000002-0000-0000-c000-000000000000\" or \n \"00000002-0000-0ff1-ce00-000000000000\" or 
\"ffcb16e8-f789-467c-8ce9-f826a080d987\" or \"00000003-0000-0ff1-ce00-000000000000\" or \n \"00000004-0000-0ff1-ce00-000000000000\" or \"00000005-0000-0ff1-ce00-000000000000\" or \"00000006-0000-0ff1-ce00-000000000000\" or \n \"00000007-0000-0000-c000-000000000000\" or \"00000007-0000-0ff1-ce00-000000000000\" or \n \"00000009-0000-0000-c000-000000000000\" or \"0000000c-0000-0000-c000-000000000000\" or \"00000015-0000-0000-c000-000000000000\" or \n \"0000001a-0000-0000-c000-000000000000\" or \"00b41c95-dab0-4487-9791-b9d2c32c80f2\" or \"022907d3-0f1b-48f7-badc-1ba6abab6d66\" or \n \"04b07795-8ddb-461a-bbee-02f9e1bf7b46\" or \"08e18876-6177-487e-b8b5-cf950c1e598c\" or \"0cb7b9ec-5336-483b-bc31-b15b5788de71\" or \n \"0cd196ee-71bf-4fd6-a57c-b491ffd4fb1e\" or \"0f698dd4-f011-4d23-a33e-b36416dcb1e6\" or \"13937bba-652e-4c46-b222-3003f4d1ff97\" or \n \"14d82eec-204b-4c2f-b7e8-296a70dab67e\" or \"16aeb910-ce68-41d1-9ac3-9e1673ac9575\" or \"1786c5ed-9644-47b2-8aa0-7201292175b6\" or \n \"17d5e35f-655b-4fb0-8ae6-86356e9a49f5\" or \"18fbca16-2224-45f6-85b0-f7bf2b39b3f3\" or \"1950a258-227b-4e31-a9cf-717495945fc2\" or \n \"1b3c667f-cde3-4090-b60b-3d2abd0117f0\" or \"1fec8e78-bce4-4aaf-ab1b-5451cc387264\" or \"20a11fe0-faa8-4df5-baf2-f965f8f9972e\" or \n \"23523755-3a2b-41ca-9315-f81f3f566a95\" or \"243c63a3-247d-41c5-9d83-7788c43f1c43\" or \"268761a2-03f3-40df-8a8b-c3db24145b6b\" or \n \"26a7ee05-5602-4d76-a7ba-eae8b7b67941\" or \"26abc9a8-24f0-4b11-8234-e86ede698878\" or \"27922004-5251-4030-b22d-91ecd9a37ea4\" or \n \"28b567f6-162c-4f54-99a0-6887f387bbcc\" or \"29d9ed98-a469-4536-ade2-f981bc1d605e\" or \"2abdc806-e091-4495-9b10-b04d93c3f040\" or \n \"2d4d3d8e-2be3-4bef-9f87-7875a61c29de\" or \"2d7f3606-b07d-41d1-b9d2-0d0c9296a6e8\" or \"3090ab82-f1c1-4cdf-af2c-5d7a6f3e2cc7\" or \n \"35d54a08-36c9-4847-9018-93934c62740c\" or \"37182072-3c9c-4f6a-a4b3-b3f91cacffce\" or \"38049638-cc2c-4cde-abe4-4479d721ed44\" or \n \"3c896ded-22c5-450f-91f6-3d1ef0848f6e\" or 
\"4345a7b9-9a63-4910-a426-35363201d503\" or \"45a330b1-b1ec-4cc1-9161-9f03992aa49f\" or \n \"4765445b-32c6-49b0-83e6-1d93765276ca\" or \"497effe9-df71-4043-a8bb-14cf78c4b63b\" or \"4b233688-031c-404b-9a80-a4f3f2351f90\" or \n \"4d5c2d63-cf83-4365-853c-925fd1a64357\" or \"51be292c-a17e-4f17-9a7e-4b661fb16dd2\" or \n \"5572c4c0-d078-44ce-b81c-6cbf8d3ed39e\" or \"5e3ce6c0-2b1f-4285-8d4b-75ee78787346\" or \"60c8bde5-3167-4f92-8fdb-059f6176dc0f\" or \n \"61109738-7d2b-4a0b-9fe3-660b1ff83505\" or \"62256cef-54c0-4cb4-bcac-4c67989bdc40\" or \"6253bca8-faf2-4587-8f2f-b056d80998a7\" or \n \"65d91a3d-ab74-42e6-8a2f-0add61688c74\" or \"66a88757-258c-4c72-893c-3e8bed4d6899\" or \"67e3df25-268a-4324-a550-0de1c7f97287\" or \n \"69893ee3-dd10-4b1c-832d-4870354be3d8\" or \"74658136-14ec-4630-ad9b-26e160ff0fc6\" or \"74bcdadc-2fdc-4bb3-8459-76d06952a0e9\" or \n \"797f4846-ba00-4fd7-ba43-dac1f8f63013\" or \"7ab7862c-4c57-491e-8a45-d52a7e023983\" or \"7ae974c5-1af7-4923-af3a-fb1fd14dcb7e\" or \n \"7b7531ad-5926-4f2d-8a1d-38495ad33e17\" or \"80ccca67-54bd-44ab-8625-4b79c4dc7775\" or \"835b2a73-6e10-4aa5-a979-21dfda45231c\" or \n \"871c010f-5e61-4fb1-83ac-98610a7e9110\" or \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\" or \"8edd93e1-2103-40b4-bd70-6e34e586362d\" or \n \"905fcf26-4eb7-48a0-9ff0-8dcc7194b5ba\" or \"91ca2ca5-3b3e-41dd-ab65-809fa3dffffa\" or \"93625bc8-bfe2-437a-97e0-3d0060024faa\" or \n \"93d53678-613d-4013-afc1-62e9e444a0a5\" or \"944f0bd1-117b-4b1c-af26-804ed95e767e\" or \"94c63fef-13a3-47bc-8074-75af8c65887a\" or \n \"95de633a-083e-42f5-b444-a4295d8e9314\" or \"97cb1f73-50df-47d1-8fb0-0271f2728514\" or \"98db8bd6-0cc0-4e67-9de5-f187f1cd1b41\" or \n \"99b904fd-a1fe-455c-b86c-2f9fb1da7687\" or \"9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7\" or \"a3475900-ccec-4a69-98f5-a65cd5dc5306\" or \n \"a3b79187-70b2-4139-83f9-6016c58cd27b\" or \"a57aca87-cbc0-4f3c-8b9e-dc095fdc8978\" or \"a970bac6-63fe-4ec5-8884-8536862c42d4\" or \n \"a9b49b65-0a12-430b-9540-c80b3332c127\" or 
\"ab9b8c07-8f02-4f72-87fa-80105867a763\" or \"ae8e128e-080f-4086-b0e3-4c19301ada69\" or \n \"b23dd4db-9142-4734-867f-3577f640ad0c\" or \"b4bddae8-ab25-483e-8670-df09b9f1d0ea\" or \"b669c6ea-1adf-453f-b8bc-6d526592b419\" or \n \"b6e69c34-5f1f-4c34-8cdf-7fea120b8670\" or \"bb2a2e3a-c5e7-4f0a-88e0-8e01fd3fc1f4\" or \"bdd48c81-3a58-4ea9-849c-ebea7f6b6360\" or \n \"c1c74fed-04c9-4704-80dc-9f79a2e515cb\" or \"c35cb2ba-f88b-4d15-aa9d-37bd443522e1\" or \"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\" or \n \"c9a559d2-7aab-4f13-a6ed-e7e9c52aec87\" or \"cc15fd57-2c6c-4117-a88c-83b1d56b4bbe\" or \"cf36b471-5b44-428c-9ce7-313bf84528de\" or \n \"cf53fce8-def6-4aeb-8d30-b158e7b1cf83\" or \"d176f6e7-38e5-40c9-8a78-3998aab820e7\" or \"d3590ed6-52b3-4102-aeff-aad2292ab01c\" or \n \"d73f4b35-55c9-48c7-8b10-651f6f2acb2e\" or \"d9b8ec3a-1e4e-4e08-b3c2-5baf00c0fcb0\" or \"de8bc8b5-d9f9-48b1-a8ad-b748da725064\" or \n \"dfe74da8-9279-44ec-8fb2-2aed9e1c73d0\" or \"e1ef36fd-b883-4dbf-97f0-9ece4b576fc6\" or \"e64aa8bc-8eb4-40e2-898b-cf261a25954f\" or \n \"e9f49c6b-5ce5-44c8-925d-015017e9f7ad\" or \"ee272b19-4411-433f-8f28-5c13cb6fd407\" or \"f5eaa862-7f08-448c-9c4e-f4047d4d4521\" or \n \"fb78d390-0c51-40cd-8e17-fdbfab77341b\" or \"fc0f3af4-6835-4174-b806-f7db311fd2f3\" or \"fdf9885b-dd37-42bf-82e5-c3129ef5a302\"\n)\n", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.ClientAppId", "type": "keyword"}], "risk_score": 47, "rule_id": "48819484-9826-4083-9eba-1da74cd0eaf2", "setup": "## Setup\n\nThe Office 365 Logs Fleet integration, Filebeat module, or 
similarly structured data is required to be compatible with this rule.\n", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 107}, "id": "48819484-9826-4083-9eba-1da74cd0eaf2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_1.json b/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_1.json deleted file mode 100644 index 5e7775df9e9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days.", "false_positives": ["User using a new mail client."], "from": "now-30m", "history_window_start": "now-10d", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Microsoft 365 Mail Access by ClientAppId", "new_terms_fields": ["o365.audit.ClientAppId", "user.id"], "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:MailItemsAccessed and event.outcome:success\n", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "48819484-9826-4083-9eba-1da74cd0eaf2", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "48819484-9826-4083-9eba-1da74cd0eaf2_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_105.json b/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_105.json
deleted file mode 100644
index e7bb95ef364..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days.", "false_positives": ["User using a new mail client."], "from": "now-30m", "history_window_start": "now-10d", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Microsoft 365 Mail Access by ClientAppId", "new_terms_fields": ["o365.audit.ClientAppId", "user.id"], "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:MailItemsAccessed and event.outcome:success\n", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "48819484-9826-4083-9eba-1da74cd0eaf2", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 105}, "id": "48819484-9826-4083-9eba-1da74cd0eaf2_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_106.json b/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_106.json
deleted file mode 100644
index 3f141a99bcb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days.", "false_positives": ["User using a new mail client."], "from": "now-30m", "history_window_start": "now-25d", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Microsoft 365 Mail Access by ClientAppId", "new_terms_fields": ["o365.audit.ClientAppId"], "note": "## Triage and analysis\n\n### Investigating Suspicious Microsoft 365 Mail Access by ClientAppId\n\n- Verify the ClientAppId, source.ip and geolocation associated with Mail Access.\n- Verify the total number of used ClientAppId by that specific user.id.\n- Verify if the mailbox owner was on leave and just resumed working or not.\n- Verify if there are other alerts associated with the same user.id.\n- Verify the total number of connections from that ClientAppId, if it's accessing other mailboxes and with a high frequency there is a high chance it's a false positive.\n\n### False positive analysis\n\n- Legit Microsoft or third party ClientAppId.\n- User changing of ClientAppId or new connection post an extended period of leave.\n- If the total number of accessed Mailboxes by ClientAppId is too high there is a high chance it's a false positive.\n", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:MailItemsAccessed and event.outcome:success and \nnot o365.audit.ClientAppId : (\"13937bba-652e-4c46-b222-3003f4d1ff97\" or \"6326e366-9d6d-4c70-b22a-34c7ea72d73d\" or \n \"a3883eba-fbe9-48bd-9ed3-dca3e0e84250\" or \"d3590ed6-52b3-4102-aeff-aad2292ab01c\" or \"27922004-5251-4030-b22d-91ecd9a37ea4\" or \n \"1fec8e78-bce4-4aaf-ab1b-5451cc387264\" or \"26a7ee05-5602-4d76-a7ba-eae8b7b67941\" or \"00000002-0000-0000-c000-000000000000\" or \n \"00000002-0000-0ff1-ce00-000000000000\" or 
\"00000003-0000-0000-c000-000000000000\" or \"ffcb16e8-f789-467c-8ce9-f826a080d987\" or \n \"00000003-0000-0ff1-ce00-000000000000\" or \"00000004-0000-0ff1-ce00-000000000000\" or \"00000005-0000-0ff1-ce00-000000000000\" or \n \"00000006-0000-0ff1-ce00-000000000000\" or \"00000007-0000-0000-c000-000000000000\" or \"00000007-0000-0ff1-ce00-000000000000\" or \n \"00000009-0000-0000-c000-000000000000\" or \"0000000c-0000-0000-c000-000000000000\" or \"00000015-0000-0000-c000-000000000000\" or \n \"0000001a-0000-0000-c000-000000000000\" or \"00b41c95-dab0-4487-9791-b9d2c32c80f2\" or \"022907d3-0f1b-48f7-badc-1ba6abab6d66\" or \n \"04b07795-8ddb-461a-bbee-02f9e1bf7b46\" or \"08e18876-6177-487e-b8b5-cf950c1e598c\" or \"0cb7b9ec-5336-483b-bc31-b15b5788de71\" or \n \"0cd196ee-71bf-4fd6-a57c-b491ffd4fb1e\" or \"0f698dd4-f011-4d23-a33e-b36416dcb1e6\" or \"13937bba-652e-4c46-b222-3003f4d1ff97\" or \n \"14d82eec-204b-4c2f-b7e8-296a70dab67e\" or \"16aeb910-ce68-41d1-9ac3-9e1673ac9575\" or \"1786c5ed-9644-47b2-8aa0-7201292175b6\" or \n \"17d5e35f-655b-4fb0-8ae6-86356e9a49f5\" or \"18fbca16-2224-45f6-85b0-f7bf2b39b3f3\" or \"1950a258-227b-4e31-a9cf-717495945fc2\" or \n \"1b3c667f-cde3-4090-b60b-3d2abd0117f0\" or \"1fec8e78-bce4-4aaf-ab1b-5451cc387264\" or \"20a11fe0-faa8-4df5-baf2-f965f8f9972e\" or \n \"23523755-3a2b-41ca-9315-f81f3f566a95\" or \"243c63a3-247d-41c5-9d83-7788c43f1c43\" or \"268761a2-03f3-40df-8a8b-c3db24145b6b\" or \n \"26a7ee05-5602-4d76-a7ba-eae8b7b67941\" or \"26abc9a8-24f0-4b11-8234-e86ede698878\" or \"27922004-5251-4030-b22d-91ecd9a37ea4\" or \n \"28b567f6-162c-4f54-99a0-6887f387bbcc\" or \"29d9ed98-a469-4536-ade2-f981bc1d605e\" or \"2abdc806-e091-4495-9b10-b04d93c3f040\" or \n \"2d4d3d8e-2be3-4bef-9f87-7875a61c29de\" or \"2d7f3606-b07d-41d1-b9d2-0d0c9296a6e8\" or \"3090ab82-f1c1-4cdf-af2c-5d7a6f3e2cc7\" or \n \"35d54a08-36c9-4847-9018-93934c62740c\" or \"37182072-3c9c-4f6a-a4b3-b3f91cacffce\" or \"38049638-cc2c-4cde-abe4-4479d721ed44\" or \n 
\"3c896ded-22c5-450f-91f6-3d1ef0848f6e\" or \"4345a7b9-9a63-4910-a426-35363201d503\" or \"45a330b1-b1ec-4cc1-9161-9f03992aa49f\" or \n \"47629505-c2b6-4a80-adb1-9b3a3d233b7b\" or \"4765445b-32c6-49b0-83e6-1d93765276ca\" or \"497effe9-df71-4043-a8bb-14cf78c4b63b\" or \n \"4b233688-031c-404b-9a80-a4f3f2351f90\" or \"4d5c2d63-cf83-4365-853c-925fd1a64357\" or \"51be292c-a17e-4f17-9a7e-4b661fb16dd2\" or \n \"5572c4c0-d078-44ce-b81c-6cbf8d3ed39e\" or \"5e3ce6c0-2b1f-4285-8d4b-75ee78787346\" or \"60c8bde5-3167-4f92-8fdb-059f6176dc0f\" or \n \"61109738-7d2b-4a0b-9fe3-660b1ff83505\" or \"62256cef-54c0-4cb4-bcac-4c67989bdc40\" or \"6253bca8-faf2-4587-8f2f-b056d80998a7\" or \n \"65d91a3d-ab74-42e6-8a2f-0add61688c74\" or \"66a88757-258c-4c72-893c-3e8bed4d6899\" or \"67e3df25-268a-4324-a550-0de1c7f97287\" or \n \"69893ee3-dd10-4b1c-832d-4870354be3d8\" or \"74658136-14ec-4630-ad9b-26e160ff0fc6\" or \"74bcdadc-2fdc-4bb3-8459-76d06952a0e9\" or \n \"797f4846-ba00-4fd7-ba43-dac1f8f63013\" or \"7ab7862c-4c57-491e-8a45-d52a7e023983\" or \"7ae974c5-1af7-4923-af3a-fb1fd14dcb7e\" or \n \"7b7531ad-5926-4f2d-8a1d-38495ad33e17\" or \"80ccca67-54bd-44ab-8625-4b79c4dc7775\" or \"835b2a73-6e10-4aa5-a979-21dfda45231c\" or \n \"871c010f-5e61-4fb1-83ac-98610a7e9110\" or \"89bee1f7-5e6e-4d8a-9f3d-ecd601259da7\" or \"8edd93e1-2103-40b4-bd70-6e34e586362d\" or \n \"905fcf26-4eb7-48a0-9ff0-8dcc7194b5ba\" or \"91ca2ca5-3b3e-41dd-ab65-809fa3dffffa\" or \"93625bc8-bfe2-437a-97e0-3d0060024faa\" or \n \"93d53678-613d-4013-afc1-62e9e444a0a5\" or \"944f0bd1-117b-4b1c-af26-804ed95e767e\" or \"94c63fef-13a3-47bc-8074-75af8c65887a\" or \n \"95de633a-083e-42f5-b444-a4295d8e9314\" or \"97cb1f73-50df-47d1-8fb0-0271f2728514\" or \"98db8bd6-0cc0-4e67-9de5-f187f1cd1b41\" or \n \"99b904fd-a1fe-455c-b86c-2f9fb1da7687\" or \"9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7\" or \"a3475900-ccec-4a69-98f5-a65cd5dc5306\" or \n \"a3b79187-70b2-4139-83f9-6016c58cd27b\" or \"a57aca87-cbc0-4f3c-8b9e-dc095fdc8978\" or 
\"a970bac6-63fe-4ec5-8884-8536862c42d4\" or \n \"a9b49b65-0a12-430b-9540-c80b3332c127\" or \"ab9b8c07-8f02-4f72-87fa-80105867a763\" or \"ae8e128e-080f-4086-b0e3-4c19301ada69\" or \n \"b23dd4db-9142-4734-867f-3577f640ad0c\" or \"b4bddae8-ab25-483e-8670-df09b9f1d0ea\" or \"b669c6ea-1adf-453f-b8bc-6d526592b419\" or \n \"b6e69c34-5f1f-4c34-8cdf-7fea120b8670\" or \"bb2a2e3a-c5e7-4f0a-88e0-8e01fd3fc1f4\" or \"bdd48c81-3a58-4ea9-849c-ebea7f6b6360\" or \n \"c1c74fed-04c9-4704-80dc-9f79a2e515cb\" or \"c35cb2ba-f88b-4d15-aa9d-37bd443522e1\" or \"c44b4083-3bb0-49c1-b47d-974e53cbdf3c\" or \n \"c9a559d2-7aab-4f13-a6ed-e7e9c52aec87\" or \"cc15fd57-2c6c-4117-a88c-83b1d56b4bbe\" or \"cf36b471-5b44-428c-9ce7-313bf84528de\" or \n \"cf53fce8-def6-4aeb-8d30-b158e7b1cf83\" or \"d176f6e7-38e5-40c9-8a78-3998aab820e7\" or \"d3590ed6-52b3-4102-aeff-aad2292ab01c\" or \n \"d73f4b35-55c9-48c7-8b10-651f6f2acb2e\" or \"d9b8ec3a-1e4e-4e08-b3c2-5baf00c0fcb0\" or \"de8bc8b5-d9f9-48b1-a8ad-b748da725064\" or \n \"dfe74da8-9279-44ec-8fb2-2aed9e1c73d0\" or \"e1ef36fd-b883-4dbf-97f0-9ece4b576fc6\" or \"e64aa8bc-8eb4-40e2-898b-cf261a25954f\" or \n \"e9f49c6b-5ce5-44c8-925d-015017e9f7ad\" or \"ee272b19-4411-433f-8f28-5c13cb6fd407\" or \"f5eaa862-7f08-448c-9c4e-f4047d4d4521\" or \n \"fb78d390-0c51-40cd-8e17-fdbfab77341b\" or \"fc0f3af4-6835-4174-b806-f7db311fd2f3\" or \"fdf9885b-dd37-42bf-82e5-c3129ef5a302\")\n", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.ClientAppId", "type": "keyword"}], "risk_score": 47, "rule_id": 
"48819484-9826-4083-9eba-1da74cd0eaf2", "setup": "## Setup\n\nThe Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 106}, "id": "48819484-9826-4083-9eba-1da74cd0eaf2_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_2.json b/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_2.json deleted file mode 100644 index 7fd0f3ead69..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days.", "false_positives": ["User using a new mail client."], "from": "now-30m", "history_window_start": "now-10d", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Microsoft 365 Mail Access by ClientAppId", "new_terms_fields": ["o365.audit.ClientAppId", "user.id"], "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:MailItemsAccessed and event.outcome:success\n", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "48819484-9826-4083-9eba-1da74cd0eaf2", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "48819484-9826-4083-9eba-1da74cd0eaf2_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_4.json b/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_4.json
deleted file mode 100644
index 305e3f33e1e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/48819484-9826-4083-9eba-1da74cd0eaf2_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days.", "false_positives": ["User using a new mail client."], "from": "now-30m", "history_window_start": "now-10d", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Microsoft 365 Mail Access by ClientAppId", "new_terms_fields": ["o365.audit.ClientAppId", "user.id"], "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:MailItemsAccessed and event.outcome:success\n", "references": ["https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "48819484-9826-4083-9eba-1da74cd0eaf2", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 4}, "id": "48819484-9826-4083-9eba-1da74cd0eaf2_4", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3.json b/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3.json
deleted file mode 100644
index 266f21c5ec1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a parent-child relationship where a network event is followed by the creation of a shell process. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell", "query": "sequence by host.id with maxspan=5s\n [network where event.type == \"start\" and host.os.type == \"linux\" and\n event.action in (\"connection_attempted\", \"connection_accepted\") and\n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"socat\") and destination.ip != null and\n not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")] by process.entity_id\n [process where event.type == \"start\" and host.os.type == \"linux\" and event.action in (\"exec\", \"fork\") and\n process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.args : (\"-i\", \"-l\")) or (process.parent.name == \"socat\" and process.parent.args : \"*exec*\")\n )] by process.parent.entity_id\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": 
true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "48b3d2e3-f4e8-41e6-95e6-9b2091228db3", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 9}, "id": "48b3d2e3-f4e8-41e6-95e6-9b2091228db3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_1.json b/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_1.json deleted file mode 100644 index 1a2b681504f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a parent-child relationship where a network event is followed by the creation of a shell process. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell", "query": "sequence by host.id with maxspan=1s\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"socat\") ] by process.entity_id\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action : (\"exec\", \"fork\") and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"socat\") ] by process.parent.entity_id\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "48b3d2e3-f4e8-41e6-95e6-9b2091228db3", "severity": 
"medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 1}, "id": "48b3d2e3-f4e8-41e6-95e6-9b2091228db3_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_2.json b/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_2.json deleted file mode 100644 index 6e0cde3c15d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a parent-child relationship where a network event is followed by the creation of a shell process. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell", "query": "sequence by host.id with maxspan=1s\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"socat\") and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ] by process.entity_id\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action : (\"exec\", \"fork\") and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"socat\") ] by process.parent.entity_id\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, 
{"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "48b3d2e3-f4e8-41e6-95e6-9b2091228db3", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 2}, "id": "48b3d2e3-f4e8-41e6-95e6-9b2091228db3_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_3.json b/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_3.json deleted file mode 100644 index c7b3dc99c21..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a parent-child relationship where a network event is followed by the creation of a shell process. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell", "query": "sequence by host.id with maxspan=1s\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"socat\") and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ] by process.entity_id\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action : (\"exec\", \"fork\") and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"socat\") ] by process.parent.entity_id\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": 
"process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "48b3d2e3-f4e8-41e6-95e6-9b2091228db3", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 3}, "id": "48b3d2e3-f4e8-41e6-95e6-9b2091228db3_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_4.json b/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_4.json deleted file mode 100644 index d5afe900e65..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a parent-child relationship where a network event is followed by the creation of a shell process. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell", "query": "sequence by host.id with maxspan=1s\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"socat\") and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ] by process.entity_id\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action : (\"exec\", \"fork\") and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"socat\") ] by process.parent.entity_id\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": 
"process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "48b3d2e3-f4e8-41e6-95e6-9b2091228db3", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 4}, "id": "48b3d2e3-f4e8-41e6-95e6-9b2091228db3_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_5.json b/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_5.json deleted file mode 100644 index 85209b4ced1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a parent-child relationship where a network event is followed by the creation of a shell process. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell", "query": "sequence by host.id with maxspan=1s\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"socat\") and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\"] by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"fork\") and \n process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \n process.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"socat\") and not \n process.args : \"*imunify360-agent*\"] by process.parent.entity_id\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": 
"keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "48b3d2e3-f4e8-41e6-95e6-9b2091228db3", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 5}, "id": "48b3d2e3-f4e8-41e6-95e6-9b2091228db3_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_6.json b/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_6.json deleted file mode 100644 index 47d44fc041a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a parent-child relationship where a network event is followed by the creation of a shell process. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell", "query": "sequence by host.id with maxspan=1s\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"socat\") and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\"] by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"fork\") and \n process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \n process.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"socat\") and not \n process.args : \"*imunify360-agent*\"] by process.parent.entity_id\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": 
"keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "48b3d2e3-f4e8-41e6-95e6-9b2091228db3", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 6}, "id": "48b3d2e3-f4e8-41e6-95e6-9b2091228db3_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_7.json b/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_7.json deleted file mode 100644 index 1902b3c4d67..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a parent-child relationship where a network event is followed by the creation of a shell process. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell", "query": "sequence by host.id with maxspan=5s\n [network where event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"socat\") and destination.ip != null and \n not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")] by process.entity_id\n [process where event.type == \"start\" and event.action in (\"exec\", \"fork\") and \n process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.args : (\"-i\", \"-l\")) or (process.parent.name == \"socat\" and process.parent.args : \"*exec*\")\n )] by process.parent.entity_id\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, 
{"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "48b3d2e3-f4e8-41e6-95e6-9b2091228db3", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 7}, "id": "48b3d2e3-f4e8-41e6-95e6-9b2091228db3_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_8.json b/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_8.json deleted file mode 100644 index 4bd56227bb9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/48b3d2e3-f4e8-41e6-95e6-9b2091228db3_8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This activity consists of a parent-child relationship where a network event is followed by the creation of a shell process. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell", "query": "sequence by host.id with maxspan=5s\n [network where event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"socat\") and destination.ip != null and \n not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")] by process.entity_id\n [process where event.type == \"start\" and event.action in (\"exec\", \"fork\") and \n process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.args : (\"-i\", \"-l\")) or (process.parent.name == \"socat\" and process.parent.args : \"*exec*\")\n )] by process.parent.entity_id\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, 
{"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "48b3d2e3-f4e8-41e6-95e6-9b2091228db3", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 8}, "id": "48b3d2e3-f4e8-41e6-95e6-9b2091228db3_8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d.json b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d.json deleted file mode 100644 index 1e41e9ac815..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "eql", "license": "Elastic License v2", "name": "Multiple Logon Failure from the same Source Address", "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure from the same Source Address\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. This activity can be related to a new or existing automation or business process that is in a failing state.\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /*\n noisy failure status codes often associated to authentication misconfiguration :\n 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.\n 0XC000005E\t- There are currently no logon servers available to service the logon request.\n 0XC0000133\t- Clocks between DC and other computer too far out of sync.\n 0XC0000192\tAn attempt was made to logon, but the Netlogon service was not started.\n */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=10\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624", "https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity", "https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, 
"name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Status", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "48b6edfc-079d-4907-b43c-baffa243270d", "setup": "## Setup\n\n- In some cases the source network address in Windows events 4625/4624 is not populated due to Microsoft logging limitations (examples in the references links). This edge case will break the rule condition and it won't trigger an alert.\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 10}, "id": "48b6edfc-079d-4907-b43c-baffa243270d", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_10.json b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_10.json deleted file mode 100644 index 32bb34c4aab..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_10.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "eql", "license": "Elastic License v2", "name": "Multiple Logon Failure from the same Source Address", "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure from the same Source Address\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. This activity can be related to a new or existing automation or business process that is in a failing state.\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /*\n noisy failure status codes often associated to authentication misconfiguration :\n 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.\n 0XC000005E\t- There are currently no logon servers available to service the logon request.\n 0XC0000133\t- Clocks between DC and other computer too far out of sync.\n 0XC0000192\tAn attempt was made to logon, but the Netlogon service was not started.\n */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=10\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624", "https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity", "https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, 
"name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Status", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "48b6edfc-079d-4907-b43c-baffa243270d", "setup": "## Setup\n\n- In some cases the source network address in Windows events 4625/4624 is not populated due to Microsoft logging limitations (examples in the references links). This edge case will break the rule condition and it won't trigger an alert.\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 10}, "id": "48b6edfc-079d-4907-b43c-baffa243270d_10", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_4.json b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_4.json deleted file mode 100644 index ed4eacde732..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Multiple Logon Failure from the same Source Address", "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure from the same Source Address\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. 
This activity can be related to a new or existing automation or business process that is in a failing state.\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where host.os.type == \"windows\" and event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /*\n noisy failure status codes often associated to authentication misconfiguration :\n 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.\n 0XC000005E\t- There are currently no logon servers available to service the logon request.\n 0XC0000133\t- Clocks between DC and other computer too far out of sync.\n 0XC0000192\tAn attempt was made to logon, but the Netlogon service was not started.\n */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=10\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": 
"winlog.event_data.Status", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "48b6edfc-079d-4907-b43c-baffa243270d", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 4}, "id": "48b6edfc-079d-4907-b43c-baffa243270d_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_5.json b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_5.json deleted file mode 100644 index df6ddf0cf4f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Multiple Logon Failure from the same Source Address", "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure from the same Source Address\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. This activity can be related to a new or existing automation or business process that is in a failing state.\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n-", "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where host.os.type == \"windows\" and event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /*\n noisy failure status codes often associated to authentication misconfiguration :\n 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.\n 0XC000005E\t- There are currently no logon servers available to service the logon request.\n 0XC0000133\t- Clocks between DC and other computer too far out of sync.\n 0XC0000192\tAn attempt was made to logon, but the Netlogon service was not started.\n */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=10\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624", "https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity", "https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], 
"required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Status", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "48b6edfc-079d-4907-b43c-baffa243270d", "setup": "In some cases the source network address in Windows events 4625/4624 is not populated due to Microsoft logging limitations (examples in the references links). This edge case will break the rule condition and it won't trigger an alert.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 5}, "id": "48b6edfc-079d-4907-b43c-baffa243270d_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_6.json b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_6.json deleted file mode 100644 index d286fab0431..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Multiple Logon Failure from the same Source Address", "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure from the same Source Address\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. This activity can be related to a new or existing automation or business process that is in a failing state.\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n-", "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /*\n noisy failure status codes often associated to authentication misconfiguration :\n 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.\n 0XC000005E\t- There are currently no logon servers available to service the logon request.\n 0XC0000133\t- Clocks between DC and other computer too far out of sync.\n 0XC0000192\tAn attempt was made to logon, but the Netlogon service was not started.\n */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=10\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624", "https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity", "https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, 
"name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Status", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "48b6edfc-079d-4907-b43c-baffa243270d", "setup": "In some cases the source network address in Windows events 4625/4624 is not populated due to Microsoft logging limitations (examples in the references links). This edge case will break the rule condition and it won't trigger an alert.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 6}, "id": "48b6edfc-079d-4907-b43c-baffa243270d_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_7.json b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_7.json deleted file mode 100644 index 8c20539b378..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Multiple Logon Failure from the same Source Address", "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure from the same Source Address\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. This activity can be related to a new or existing automation or business process that is in a failing state.\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n-", "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /*\n noisy failure status codes often associated to authentication misconfiguration :\n 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.\n 0XC000005E\t- There are currently no logon servers available to service the logon request.\n 0XC0000133\t- Clocks between DC and other computer too far out of sync.\n 0XC0000192\tAn attempt was made to logon, but the Netlogon service was not started.\n */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=10\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624", "https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity", "https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, 
"name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Status", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "48b6edfc-079d-4907-b43c-baffa243270d", "setup": "In some cases the source network address in Windows events 4625/4624 is not populated due to Microsoft logging limitations (examples in the references links). This edge case will break the rule condition and it won't trigger an alert.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 7}, "id": "48b6edfc-079d-4907-b43c-baffa243270d_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_8.json b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_8.json deleted file mode 100644 index 2ebeda46d7a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_8.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Multiple Logon Failure from the same Source Address", "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure from the same Source Address\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. This activity can be related to a new or existing automation or business process that is in a failing state.\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /*\n noisy failure status codes often associated to authentication misconfiguration :\n 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.\n 0XC000005E\t- There are currently no logon servers available to service the logon request.\n 0XC0000133\t- Clocks between DC and other computer too far out of sync.\n 0XC0000192\tAn attempt was made to logon, but the Netlogon service was not started.\n */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=10\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624", "https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity", "https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, 
"name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Status", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "48b6edfc-079d-4907-b43c-baffa243270d", "setup": "\n- In some cases the source network address in Windows events 4625/4624 is not populated due to Microsoft logging limitations (examples in the references links). This edge case will break the rule condition and it won't trigger an alert.\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 8}, "id": "48b6edfc-079d-4907-b43c-baffa243270d_8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_9.json b/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_9.json deleted file mode 100644 index 48b7f3557b6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/48b6edfc-079d-4907-b43c-baffa243270d_9.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies multiple consecutive logon failures from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "eql", "license": "Elastic License v2", "name": "Multiple Logon Failure from the same Source Address", "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure from the same Source Address\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user names.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. This activity can be related to a new or existing automation or business process that is in a failing state.\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure Followed by Logon Success - 4e85dc8a-3e41-40d8-bc28-91af7ac6cf60\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /*\n noisy failure status codes often associated to authentication misconfiguration :\n 0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.\n 0XC000005E\t- There are currently no logon servers available to service the logon request.\n 0XC0000133\t- Clocks between DC and other computer too far out of sync.\n 0XC0000192\tAn attempt was made to logon, but the Netlogon service was not started.\n */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=10\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624", "https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity", "https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, 
"name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Status", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "48b6edfc-079d-4907-b43c-baffa243270d", "setup": "## Setup\n\n- In some cases the source network address in Windows events 4625/4624 is not populated due to Microsoft logging limitations (examples in the references links). This edge case will break the rule condition and it won't trigger an alert.\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 9}, "id": "48b6edfc-079d-4907-b43c-baffa243270d_9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270.json b/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270.json deleted file mode 100644 index f8ab1885fea..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a child process is spawned by the screensaver engine process, which is consistent with an attacker's malicious payload being executed after the screensaver activated on the endpoint. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Unexpected Child Process of macOS Screensaver Engine", "note": "## Triage and analysis\n\n- Analyze the descendant processes of the ScreenSaverEngine process for malicious code and suspicious behavior such\nas a download of a payload from a server.\n- Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to\nidentify whether the file is malicious or not.\n", "query": "process where host.os.type == \"macos\" and event.type == \"start\" and process.parent.name == \"ScreenSaverEngine\"\n", "references": ["https://posts.specterops.io/saving-your-access-d562bf5bf90b", "https://github.com/D00MFist/PersistentJXA"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "48d7f54d-c29e-4430-93a9-9db6b5892270", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.002", "name": "Screensaver", "reference": "https://attack.mitre.org/techniques/T1546/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "48d7f54d-c29e-4430-93a9-9db6b5892270", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_102.json b/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_102.json
deleted file mode 100644
index 65a6af478e3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a child process is spawned by the screensaver engine process, which is consistent with an attacker's malicious payload being executed after the screensaver activated on the endpoint. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Unexpected Child Process of macOS Screensaver Engine", "note": "## Triage and analysis\n\n- Analyze the descendant processes of the ScreenSaverEngine process for malicious code and suspicious behavior such\nas a download of a payload from a server.\n- Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to\nidentify whether the file is malicious or not.", "query": "process where host.os.type == \"macos\" and event.type == \"start\" and process.parent.name == \"ScreenSaverEngine\"\n", "references": ["https://posts.specterops.io/saving-your-access-d562bf5bf90b", "https://github.com/D00MFist/PersistentJXA"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "48d7f54d-c29e-4430-93a9-9db6b5892270", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "macOS", 
"Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.002", "name": "Screensaver", "reference": "https://attack.mitre.org/techniques/T1546/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "48d7f54d-c29e-4430-93a9-9db6b5892270_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_103.json b/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_103.json deleted file mode 100644 index ab830e9448e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_103.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a child process is spawned by the screensaver engine process, which is consistent with an attacker's malicious payload being executed after the screensaver activated on the endpoint. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Unexpected Child Process of macOS Screensaver Engine", "note": "## Triage and analysis\n\n- Analyze the descendant processes of the ScreenSaverEngine process for malicious code and suspicious behavior such\nas a download of a payload from a server.\n- Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to\nidentify whether the file is malicious or not.", "query": "process where host.os.type == \"macos\" and event.type == \"start\" and process.parent.name == \"ScreenSaverEngine\"\n", "references": ["https://posts.specterops.io/saving-your-access-d562bf5bf90b", "https://github.com/D00MFist/PersistentJXA"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "48d7f54d-c29e-4430-93a9-9db6b5892270", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", 
"Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.002", "name": "Screensaver", "reference": "https://attack.mitre.org/techniques/T1546/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "48d7f54d-c29e-4430-93a9-9db6b5892270_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_104.json b/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_104.json deleted file mode 100644 index dc4db525d67..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a child process is spawned by the screensaver engine process, which is consistent with an attacker's malicious payload being executed after the screensaver activated on the endpoint. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Unexpected Child Process of macOS Screensaver Engine", "note": "## Triage and analysis\n\n- Analyze the descendant processes of the ScreenSaverEngine process for malicious code and suspicious behavior such\nas a download of a payload from a server.\n- Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to\nidentify whether the file is malicious or not.", "query": "process where host.os.type == \"macos\" and event.type == \"start\" and process.parent.name == \"ScreenSaverEngine\"\n", "references": ["https://posts.specterops.io/saving-your-access-d562bf5bf90b", "https://github.com/D00MFist/PersistentJXA"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "48d7f54d-c29e-4430-93a9-9db6b5892270", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", 
"Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.002", "name": "Screensaver", "reference": "https://attack.mitre.org/techniques/T1546/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "48d7f54d-c29e-4430-93a9-9db6b5892270_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_105.json b/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_105.json deleted file mode 100644 index 2a16c84234b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a child process is spawned by the screensaver engine process, which is consistent with an attacker's malicious payload being executed after the screensaver activated on the endpoint. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Unexpected Child Process of macOS Screensaver Engine", "note": "## Triage and analysis\n\n- Analyze the descendant processes of the ScreenSaverEngine process for malicious code and suspicious behavior such\nas a download of a payload from a server.\n- Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to\nidentify whether the file is malicious or not.\n\n", "query": "process where host.os.type == \"macos\" and event.type == \"start\" and process.parent.name == \"ScreenSaverEngine\"\n", "references": ["https://posts.specterops.io/saving-your-access-d562bf5bf90b", "https://github.com/D00MFist/PersistentJXA"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "48d7f54d-c29e-4430-93a9-9db6b5892270", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on 
adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.002", "name": "Screensaver", "reference": "https://attack.mitre.org/techniques/T1546/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "48d7f54d-c29e-4430-93a9-9db6b5892270_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_106.json b/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_106.json
deleted file mode 100644
index d329bbb4329..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/48d7f54d-c29e-4430-93a9-9db6b5892270_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a child process is spawned by the screensaver engine process, which is consistent with an attacker's malicious payload being executed after the screensaver activated on the endpoint. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Unexpected Child Process of macOS Screensaver Engine", "note": "## Triage and analysis\n\n- Analyze the descendant processes of the ScreenSaverEngine process for malicious code and suspicious behavior such\nas a download of a payload from a server.\n- Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to\nidentify whether the file is malicious or not.\n\n", "query": "process where host.os.type == \"macos\" and event.type == \"start\" and process.parent.name == \"ScreenSaverEngine\"\n", "references": ["https://posts.specterops.io/saving-your-access-d562bf5bf90b", "https://github.com/D00MFist/PersistentJXA"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "48d7f54d-c29e-4430-93a9-9db6b5892270", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.002", "name": "Screensaver", "reference": "https://attack.mitre.org/techniques/T1546/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "48d7f54d-c29e-4430-93a9-9db6b5892270_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83.json b/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83.json
deleted file mode 100644
index 56d278a2091..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of the default configuration for periodic tasks. Adversaries may abuse periodic tasks to execute malicious code or maintain persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence via Periodic Tasks", "query": "event.category:file and host.os.type:macos and not event.type:\"deletion\" and\n file.path:(/private/etc/periodic/* or /private/etc/defaults/periodic.conf or /private/etc/periodic.conf)\n", "references": ["https://opensource.apple.com/source/crontabs/crontabs-13/private/etc/defaults/periodic.conf.auto.html", "https://www.oreilly.com/library/view/mac-os-x/0596003706/re328.html", "https://github.com/D00MFist/PersistentJXA/blob/master/PeriodicPersist.js"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "48ec9452-e1fd-4513-a376-10a1a26d2c83", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "48ec9452-e1fd-4513-a376-10a1a26d2c83", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_102.json b/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_102.json
deleted file mode 100644
index dae2f63d442..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of the default configuration for periodic tasks. Adversaries may abuse periodic tasks to execute malicious code or maintain persistence.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence via Periodic Tasks", "query": "event.category:file and host.os.type:macos and not event.type:\"deletion\" and\n file.path:(/private/etc/periodic/* or /private/etc/defaults/periodic.conf or /private/etc/periodic.conf)\n", "references": ["https://opensource.apple.com/source/crontabs/crontabs-13/private/etc/defaults/periodic.conf.auto.html", "https://www.oreilly.com/library/view/mac-os-x/0596003706/re328.html", "https://github.com/D00MFist/PersistentJXA/blob/master/PeriodicPersist.js"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "48ec9452-e1fd-4513-a376-10a1a26d2c83", "severity": "low", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "48ec9452-e1fd-4513-a376-10a1a26d2c83_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_103.json b/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_103.json
deleted file mode 100644
index ad52c877e94..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of the default configuration for periodic tasks. Adversaries may abuse periodic tasks to execute malicious code or maintain persistence.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence via Periodic Tasks", "query": "event.category:file and host.os.type:macos and not event.type:\"deletion\" and\n file.path:(/private/etc/periodic/* or /private/etc/defaults/periodic.conf or /private/etc/periodic.conf)\n", "references": ["https://opensource.apple.com/source/crontabs/crontabs-13/private/etc/defaults/periodic.conf.auto.html", "https://www.oreilly.com/library/view/mac-os-x/0596003706/re328.html", "https://github.com/D00MFist/PersistentJXA/blob/master/PeriodicPersist.js"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "48ec9452-e1fd-4513-a376-10a1a26d2c83", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "48ec9452-e1fd-4513-a376-10a1a26d2c83_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_104.json b/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_104.json
deleted file mode 100644
index 7f366d71bba..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of the default configuration for periodic tasks. Adversaries may abuse periodic tasks to execute malicious code or maintain persistence.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence via Periodic Tasks", "query": "event.category:file and host.os.type:macos and not event.type:\"deletion\" and\n file.path:(/private/etc/periodic/* or /private/etc/defaults/periodic.conf or /private/etc/periodic.conf)\n", "references": ["https://opensource.apple.com/source/crontabs/crontabs-13/private/etc/defaults/periodic.conf.auto.html", "https://www.oreilly.com/library/view/mac-os-x/0596003706/re328.html", "https://github.com/D00MFist/PersistentJXA/blob/master/PeriodicPersist.js"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "48ec9452-e1fd-4513-a376-10a1a26d2c83", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "48ec9452-e1fd-4513-a376-10a1a26d2c83_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_105.json b/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_105.json
deleted file mode 100644
index fed716090b2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/48ec9452-e1fd-4513-a376-10a1a26d2c83_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of the default configuration for periodic tasks. Adversaries may abuse periodic tasks to execute malicious code or maintain persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence via Periodic Tasks", "query": "event.category:file and host.os.type:macos and not event.type:\"deletion\" and\n file.path:(/private/etc/periodic/* or /private/etc/defaults/periodic.conf or /private/etc/periodic.conf)\n", "references": ["https://opensource.apple.com/source/crontabs/crontabs-13/private/etc/defaults/periodic.conf.auto.html", "https://www.oreilly.com/library/view/mac-os-x/0596003706/re328.html", "https://github.com/D00MFist/PersistentJXA/blob/master/PeriodicPersist.js"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "48ec9452-e1fd-4513-a376-10a1a26d2c83", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "48ec9452-e1fd-4513-a376-10a1a26d2c83_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/48f657ee-de4f-477c-aa99-ed88ee7af97a.json b/packages/security_detection_engine/kibana/security_rule/48f657ee-de4f-477c-aa99-ed88ee7af97a.json
deleted file mode 100644
index 9f9ff672d97..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/48f657ee-de4f-477c-aa99-ed88ee7af97a.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes. This behavior may indicate adversarial activity to execute malicious JScript or VBScript on the system.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.library-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote XSL Script Execution via COM", "query": "sequence with maxspan=1m\n [library where host.os.type == \"windows\" and dll.name : \"msxml3.dll\" and\n process.name : (\"winword.exe\", \"excel.exe\", \"powerpnt.exe\", \"mspub.exe\")] by process.entity_id\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"powerpnt.exe\", \"mspub.exe\") and \n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWoW64\\\\WerFault.exe\",\n \"?:\\\\windows\\\\splwow64.exe\",\n \"?:\\\\Windows\\\\System32\\\\conhost.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*exe\")] by process.parent.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "48f657ee-de4f-477c-aa99-ed88ee7af97a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense 
Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1220", "name": "XSL Script Processing", "reference": "https://attack.mitre.org/techniques/T1220/"}]}], "type": "eql", "version": 3}, "id": "48f657ee-de4f-477c-aa99-ed88ee7af97a", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/48f657ee-de4f-477c-aa99-ed88ee7af97a_1.json b/packages/security_detection_engine/kibana/security_rule/48f657ee-de4f-477c-aa99-ed88ee7af97a_1.json
deleted file mode 100644
index f0bb273db18..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/48f657ee-de4f-477c-aa99-ed88ee7af97a_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes. This behavior may indicate adversarial activity to execute malicious JScript or VBScript on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote XSL Script Execution via COM", "query": "sequence with maxspan=1m\n [library where host.os.type == \"windows\" and dll.name : \"msxml3.dll\" and\n process.name : (\"winword.exe\", \"excel.exe\", \"powerpnt.exe\", \"mspub.exe\")] by process.entity_id\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"powerpnt.exe\", \"mspub.exe\") and \n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWoW64\\\\WerFault.exe\",\n \"?:\\\\windows\\\\splwow64.exe\",\n \"?:\\\\Windows\\\\System32\\\\conhost.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*exe\")] by process.parent.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "48f657ee-de4f-477c-aa99-ed88ee7af97a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", 
"Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1220", "name": "XSL Script Processing", "reference": "https://attack.mitre.org/techniques/T1220/"}]}], "type": "eql", "version": 1}, "id": "48f657ee-de4f-477c-aa99-ed88ee7af97a_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/48f657ee-de4f-477c-aa99-ed88ee7af97a_2.json b/packages/security_detection_engine/kibana/security_rule/48f657ee-de4f-477c-aa99-ed88ee7af97a_2.json
deleted file mode 100644
index 9a0667ce2f0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/48f657ee-de4f-477c-aa99-ed88ee7af97a_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a hosted XSL script using the Microsoft.XMLDOM COM interface via Microsoft Office processes. This behavior may indicate adversarial activity to execute malicious JScript or VBScript on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote XSL Script Execution via COM", "query": "sequence with maxspan=1m\n [library where host.os.type == \"windows\" and dll.name : \"msxml3.dll\" and\n process.name : (\"winword.exe\", \"excel.exe\", \"powerpnt.exe\", \"mspub.exe\")] by process.entity_id\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n process.parent.name : (\"winword.exe\", \"excel.exe\", \"powerpnt.exe\", \"mspub.exe\") and \n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWoW64\\\\WerFault.exe\",\n \"?:\\\\windows\\\\splwow64.exe\",\n \"?:\\\\Windows\\\\System32\\\\conhost.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*exe\")] by process.parent.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "48f657ee-de4f-477c-aa99-ed88ee7af97a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1220", "name": "XSL Script Processing", "reference": "https://attack.mitre.org/techniques/T1220/"}]}], "type": "eql", "version": 2}, "id": "48f657ee-de4f-477c-aa99-ed88ee7af97a_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777.json b/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777.json deleted file mode 100644 index 3766315c0b9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent being taken over and used to inject illegitimate documents into an instance as an attempt to spoof events in order to masquerade actual activity to evade detection.", "false_positives": ["This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the necessary field, resulting in false positives."], "from": "now-9m", "index": ["logs-*", "metrics-*", "traces-*"], "language": "kuery", "license": "Elastic License v2", "name": "Agent Spoofing - Multiple Hosts Using Same Agent", "query": "event.agent_id_status:* and not tags:forwarded\n", "required_fields": [{"ecs": true, "name": "event.agent_id_status", "type": "keyword"}, {"ecs": true, "name": "tags", "type": "keyword"}], "risk_score": 73, "rule_id": "493834ca-f861-414c-8602-150d5505b777", "severity": "high", "tags": ["Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "threshold": {"cardinality": [{"field": "host.id", "value": 2}], "field": ["agent.id"], "value": 2}, "timestamp_override": "event.ingested", "type": "threshold", "version": 102}, "id": "493834ca-f861-414c-8602-150d5505b777", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_100.json b/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_100.json deleted file mode 100644 index 064fe445dea..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_100.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent being taken over and used to inject illegitimate documents into an instance as an attempt to spoof events in order to masquerade actual activity to evade detection.", "false_positives": ["This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the necessary field, resulting in false positives."], "from": "now-9m", "index": ["logs-*", "metrics-*", "traces-*"], "language": "kuery", "license": "Elastic License v2", "name": "Agent Spoofing - Multiple Hosts Using Same Agent", "query": "event.agent_id_status:*\n", "required_fields": [{"ecs": true, "name": "event.agent_id_status", "type": "keyword"}], "risk_score": 73, "rule_id": "493834ca-f861-414c-8602-150d5505b777", "severity": "high", "tags": ["Elastic", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "threshold": {"cardinality": [{"field": "host.id", "value": 2}], "field": ["agent.id"], "value": 2}, "timestamp_override": "event.ingested", "type": "threshold", "version": 100}, "id": "493834ca-f861-414c-8602-150d5505b777_100", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_101.json b/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_101.json deleted file mode 100644 index 69bedfc14f0..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/493834ca-f861-414c-8602-150d5505b777_101.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent being taken over and used to inject illegitimate documents into an instance as an attempt to spoof events in order to masquerade actual activity to evade detection.", "false_positives": ["This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the necessary field, resulting in false positives."], "from": "now-9m", "index": ["logs-*", "metrics-*", "traces-*"], "language": "kuery", "license": "Elastic License v2", "name": "Agent Spoofing - Multiple Hosts Using Same Agent", "query": "event.agent_id_status:*\n", "required_fields": [{"ecs": true, "name": "event.agent_id_status", "type": "keyword"}], "risk_score": 73, "rule_id": "493834ca-f861-414c-8602-150d5505b777", "severity": "high", "tags": ["Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "threshold": {"cardinality": [{"field": "host.id", "value": 2}], "field": ["agent.id"], "value": 2}, "timestamp_override": "event.ingested", "type": "threshold", "version": 101}, "id": "493834ca-f861-414c-8602-150d5505b777_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad.json b/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad.json deleted file mode 100644 index adac0207bad..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to 0 to establish persistence on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Backdoor User Account Creation", "note": "## Triage and analysis\n\n### Investigating Potential Linux Backdoor User Account Creation\n\nThe `usermod` command is used to modify user account attributes and settings in Linux-based operating systems.\n\nAttackers may create new accounts with a UID of 0 to maintain root access to target systems without leveraging the root user account.\n\nThis rule identifies the usage of the `usermod` command to set a user's UID to 0, indicating that the user becomes a root account. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n- Investigate the user account that got assigned a uid of 0, and analyze its corresponding attributes.\n - !{osquery{\"label\":\"Osquery - Retrieve User Accounts with a UID of 0\",\"query\":\"SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE\\n'0'\\n\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"usermod\" and process.args : \"-u\" and process.args : \"0\" and process.args : \"-o\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "494ebba4-ecb7-4be4-8c6f-654c686549ad", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "494ebba4-ecb7-4be4-8c6f-654c686549ad", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_1.json b/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_1.json deleted file mode 100644 index 119a7b861c0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to 0 to establish persistence on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Backdoor User Account Creation", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\") and process.name == \"usermod\" and\nprocess.args : \"-u\" and process.args : \"0\" and process.args : \"-o\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "494ebba4-ecb7-4be4-8c6f-654c686549ad", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "494ebba4-ecb7-4be4-8c6f-654c686549ad_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_2.json b/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_2.json deleted file mode 100644 index 01abad1b665..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to 0 to establish persistence on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Backdoor User Account Creation", "note": "## Triage and analysis\n\n### Investigating Potential Linux Backdoor User Account Creation\n\nThe `usermod` command is used to modify user account attributes and settings in Linux-based operating systems.\n\nAttackers may create new accounts with a UID of 0 to maintain root access to target systems without leveraging the root user account.\n\nThis rule identifies the usage of the `usermod` command to set a user's UID to 0, indicating that the user becomes a root account. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n- Investigate the user account that got assigned a uid of 0, and analyze its corresponding attributes.\n - !{osquery{\"label\":\"Osquery - Retrieve User Accounts with a UID of 0\",\"query\":\"SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE '0'\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\") and process.name == \"usermod\" and\nprocess.args : \"-u\" and process.args : \"0\" and process.args : \"-o\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "494ebba4-ecb7-4be4-8c6f-654c686549ad", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "494ebba4-ecb7-4be4-8c6f-654c686549ad_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_3.json b/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_3.json deleted file mode 100644 index ceaf2c063ca..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to 0 to establish persistence on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Backdoor User Account Creation", "note": "## Triage and analysis\n\n### Investigating Potential Linux Backdoor User Account Creation\n\nThe `usermod` command is used to modify user account attributes and settings in Linux-based operating systems.\n\nAttackers may create new accounts with a UID of 0 to maintain root access to target systems without leveraging the root user account.\n\nThis rule identifies the usage of the `usermod` command to set a user's UID to 0, indicating that the user becomes a root account. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n- Investigate the user account that got assigned a uid of 0, and analyze its corresponding attributes.\n - !{osquery{\"label\":\"Osquery - Retrieve User Accounts with a UID of 0\",\"query\":\"SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE '0'\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\") and process.name == \"usermod\" and\nprocess.args : \"-u\" and process.args : \"0\" and process.args : \"-o\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "494ebba4-ecb7-4be4-8c6f-654c686549ad", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "494ebba4-ecb7-4be4-8c6f-654c686549ad_3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_4.json b/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_4.json deleted file mode 100644 index e83c9937c73..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_4.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to 0 to establish persistence on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Backdoor User Account Creation", "note": "## Triage and analysis\n\n### Investigating Potential Linux Backdoor User Account Creation\n\nThe `usermod` command is used to modify user account attributes and settings in Linux-based operating systems.\n\nAttackers may create new accounts with a UID of 0 to maintain root access to target systems without leveraging the root user account.\n\nThis rule identifies the usage of the `usermod` command to set a user's UID to 0, indicating that the user becomes a root account. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n- Investigate the user account that got assigned a uid of 0, and analyze its corresponding attributes.\n - !{osquery{\"label\":\"Osquery - Retrieve User Accounts with a UID of 0\",\"query\":\"SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE '0'\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\") and process.name == \"usermod\" and\nprocess.args : \"-u\" and process.args : \"0\" and process.args : \"-o\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "494ebba4-ecb7-4be4-8c6f-654c686549ad", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "494ebba4-ecb7-4be4-8c6f-654c686549ad_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_5.json b/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_5.json
deleted file mode 100644
index 70e86fbda22..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to 0 to establish persistence on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Backdoor User Account Creation", "note": "## Triage and analysis\n\n### Investigating Potential Linux Backdoor User Account Creation\n\nThe `usermod` command is used to modify user account attributes and settings in Linux-based operating systems.\n\nAttackers may create new accounts with a UID of 0 to maintain root access to target systems without leveraging the root user account.\n\nThis rule identifies the usage of the `usermod` command to set a user's UID to 0, indicating that the user becomes a root account. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n- Investigate the user account that got assigned a uid of 0, and analyze its corresponding attributes.\n - !{osquery{\"label\":\"Osquery - Retrieve User Accounts with a UID of 0\",\"query\":\"SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE '0'\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\") and process.name == \"usermod\" and\nprocess.args : \"-u\" and process.args : \"0\" and process.args : \"-o\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "494ebba4-ecb7-4be4-8c6f-654c686549ad", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "494ebba4-ecb7-4be4-8c6f-654c686549ad_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_6.json b/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_6.json
deleted file mode 100644
index 9ce1bb41725..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to 0 to establish persistence on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Backdoor User Account Creation", "note": "## Triage and analysis\n\n### Investigating Potential Linux Backdoor User Account Creation\n\nThe `usermod` command is used to modify user account attributes and settings in Linux-based operating systems.\n\nAttackers may create new accounts with a UID of 0 to maintain root access to target systems without leveraging the root user account.\n\nThis rule identifies the usage of the `usermod` command to set a user's UID to 0, indicating that the user becomes a root account. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n- Investigate the user account that got assigned a uid of 0, and analyze its corresponding attributes.\n - !{osquery{\"label\":\"Osquery - Retrieve User Accounts with a UID of 0\",\"query\":\"SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE '0'\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"usermod\" and process.args : \"-u\" and process.args : \"0\" and process.args : \"-o\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "494ebba4-ecb7-4be4-8c6f-654c686549ad", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "494ebba4-ecb7-4be4-8c6f-654c686549ad_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_7.json b/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_7.json
deleted file mode 100644
index b3e57aeb588..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/494ebba4-ecb7-4be4-8c6f-654c686549ad_7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the attempt to create a new backdoor user by setting the user's UID to 0. Attackers may alter a user's UID to 0 to establish persistence on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Backdoor User Account Creation", "note": "## Triage and analysis\n\n### Investigating Potential Linux Backdoor User Account Creation\n\nThe `usermod` command is used to modify user account attributes and settings in Linux-based operating systems.\n\nAttackers may create new accounts with a UID of 0 to maintain root access to target systems without leveraging the root user account.\n\nThis rule identifies the usage of the `usermod` command to set a user's UID to 0, indicating that the user becomes a root account. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n- Investigate the user account that got assigned a uid of 0, and analyze its corresponding attributes.\n - !{osquery{\"label\":\"Osquery - Retrieve User Accounts with a UID of 0\",\"query\":\"SELECT description, gid, gid_signed, shell, uid, uid_signed, username FROM users WHERE username != 'root' AND uid LIKE\\n'0'\\n\"}}\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"usermod\" and process.args : \"-u\" and process.args : \"0\" and process.args : \"-o\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "494ebba4-ecb7-4be4-8c6f-654c686549ad", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "494ebba4-ecb7-4be4-8c6f-654c686549ad_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce.json
deleted file mode 100644
index 4b1df8e0b9a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Google Workspace administrators may be aware of malicious applications within the Google marketplace and block these applications for user security purposes. An adversary, with administrative privileges, may remove this application from the explicit block list to allow distribution of the application amongst users. This may also indicate the unauthorized use of an application that had been previously blocked before by a user with admin privileges.", "false_positives": ["Applications can be added and removed from blocklists by Google Workspace administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Application Removed from Blocklist in Google Workspace", "note": "## Triage and analysis\n\n### Investigating Application Removed from Blocklist in Google Workspace\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Individual users with the appropriate permissions can install applications in their Google Workspace domain. Administrators have additional permissions that allow them to install applications for an entire Google Workspace domain. Consent screens typically display permissions and privileges the user needs to install an application. 
As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any Marketplace product that originates from a source that isn't Google.\n\nThis rule identifies a Marketplace blocklist update that consists of a Google Workspace account with administrative privileges manually removing a previously blocked application.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- With access to the Google Workspace admin console, visit the `Security > Investigation` tool with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\n- After identifying the involved user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account 
during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.category:\"iam\" and event.type:\"change\" and\n event.action:\"CHANGE_APPLICATION_SETTING\" and\n google_workspace.admin.application.name:\"Google Workspace Marketplace\" and\n google_workspace.admin.old_value: *allowed*false* and google_workspace.admin.new_value: *allowed*true*\n", "references": ["https://support.google.com/a/answer/6328701?hl=en#"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.application.name", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.new_value", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.old_value", "type": "keyword"}], "risk_score": 47, "rule_id": "495e5f2e-2480-11ed-bea8-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Configuration Audit", "Resources: Investigation Guide", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify 
Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "495e5f2e-2480-11ed-bea8-f661ea17fbce", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_104.json b/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_104.json
deleted file mode 100644
index 3bf72d451e2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Google Workspace administrators may be aware of malicious applications within the Google marketplace and block these applications for user security purposes. An adversary, with administrative privileges, may remove this application from the explicit block list to allow distribution of the application amongst users. This may also indicate the unauthorized use of an application that had been previously blocked before by a user with admin privileges.", "false_positives": ["Applications can be added and removed from blocklists by Google Workspace administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Application Removed from Blocklist in Google Workspace", "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.category:\"iam\" and event.type:\"change\" and\n event.action:\"CHANGE_APPLICATION_SETTING\" and\n google_workspace.admin.application.name:\"Google Workspace Marketplace\" and\n google_workspace.admin.old_value: *allowed*false* and google_workspace.admin.new_value: *allowed*true*\n", "references": ["https://support.google.com/a/answer/6328701?hl=en#"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.application.name", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.new_value", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.old_value", "type": "keyword"}], "risk_score": 47, "rule_id": "495e5f2e-2480-11ed-bea8-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Configuration Audit", "Impair Defenses"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": 
"https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "495e5f2e-2480-11ed-bea8-f661ea17fbce_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_105.json
deleted file mode 100644
index d5608ae84f5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Google Workspace administrators may be aware of malicious applications within the Google marketplace and block these applications for user security purposes. An adversary, with administrative privileges, may remove this application from the explicit block list to allow distribution of the application amongst users. This may also indicate the unauthorized use of an application that had been previously blocked before by a user with admin privileges.", "false_positives": ["Applications can be added and removed from blocklists by Google Workspace administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Application Removed from Blocklist in Google Workspace", "note": "## Triage and analysis\n\n### Investigating Application Removed from Blocklist in Google Workspace\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Individual users with the appropriate permissions can install applications in their Google Workspace domain. Administrators have additional permissions that allow them to install applications for an entire Google Workspace domain. Consent screens typically display permissions and privileges the user needs to install an application. 
As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any Marketplace product that originates from a source that isn't Google.\n\nThis rule identifies a Marketplace blocklist update that consists of a Google Workspace account with administrative privileges manually removing a previously blocked application.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- With access to the Google Workspace admin console, visit the `Security > Investigation` tool with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\n- After identifying the involved user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account 
during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.category:\"iam\" and event.type:\"change\" and\n event.action:\"CHANGE_APPLICATION_SETTING\" and\n google_workspace.admin.application.name:\"Google Workspace Marketplace\" and\n google_workspace.admin.old_value: *allowed*false* and google_workspace.admin.new_value: *allowed*true*\n", "references": ["https://support.google.com/a/answer/6328701?hl=en#"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.application.name", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.new_value", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.old_value", "type": "keyword"}], "risk_score": 47, "rule_id": "495e5f2e-2480-11ed-bea8-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Configuration Audit", "Impair Defenses", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", 
"reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "495e5f2e-2480-11ed-bea8-f661ea17fbce_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_106.json b/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_106.json
deleted file mode 100644
index c66bc1c23dd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/495e5f2e-2480-11ed-bea8-f661ea17fbce_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Google Workspace administrators may be aware of malicious applications within the Google marketplace and block these applications for user security purposes. An adversary, with administrative privileges, may remove this application from the explicit block list to allow distribution of the application amongst users. This may also indicate the unauthorized use of an application that had been previously blocked before by a user with admin privileges.", "false_positives": ["Applications can be added and removed from blocklists by Google Workspace administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Application Removed from Blocklist in Google Workspace", "note": "## Triage and analysis\n\n### Investigating Application Removed from Blocklist in Google Workspace\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Individual users with the appropriate permissions can install applications in their Google Workspace domain. Administrators have additional permissions that allow them to install applications for an entire Google Workspace domain. Consent screens typically display permissions and privileges the user needs to install an application. 
As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any Marketplace product that originates from a source that isn't Google.\n\nThis rule identifies a Marketplace blocklist update that consists of a Google Workspace account with administrative privileges manually removing a previously blocked application.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- With access to the Google Workspace admin console, visit the `Security > Investigation` tool with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\n- After identifying the involved user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account 
during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.category:\"iam\" and event.type:\"change\" and\n event.action:\"CHANGE_APPLICATION_SETTING\" and\n google_workspace.admin.application.name:\"Google Workspace Marketplace\" and\n google_workspace.admin.old_value: *allowed*false* and google_workspace.admin.new_value: *allowed*true*\n", "references": ["https://support.google.com/a/answer/6328701?hl=en#"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.application.name", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.new_value", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.old_value", "type": "keyword"}], "risk_score": 47, "rule_id": "495e5f2e-2480-11ed-bea8-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Configuration Audit", "Resources: Investigation Guide", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify 
Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "495e5f2e-2480-11ed-bea8-f661ea17fbce_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259.json b/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259.json
deleted file mode 100644
index 00d4dbe1b56..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of commands that can be used to enumerate running processes. Adversaries may enumerate processes to identify installed applications and security solutions.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Discovery Using Built-in Tools", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name :(\"PsList.exe\", \"qprocess.exe\") or \n (process.name : \"powershell.exe\" and process.args : (\"*get-process*\", \"*Win32_Process*\")) or \n (process.name : \"wmic.exe\" and process.args : (\"process\", \"*Win32_Process*\")) or\n (process.name : \"tasklist.exe\" and not process.args : (\"pid eq*\")) or\n (process.name : \"query.exe\" and process.args : \"process\")\n ) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "4982ac3e-d0ee-4818-b95d-d9522d689259", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "4982ac3e-d0ee-4818-b95d-d9522d689259", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_1.json b/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_1.json
deleted file mode 100644
index 85fab72e074..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of commands that can be used to enumerate running processes. Adversaries may enumerate processes to identify installed applications and security solutions.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Process Discovery Using Built-in Tools", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name == \"reg.exe\" and process.args : \"query\" or\n (process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n (process.args: (\"*Get-ChildItem*\", \"*Get-Item*\", \"*Get-ItemProperty*\") and\n process.args : (\n \"*HKLM*\", \"*HKCU*\", \"*HKEY_LOCAL_MACHINE*\", \"*HKEY_CURRENT_USER*\", \"Registry::\"\n )))\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "4982ac3e-d0ee-4818-b95d-d9522d689259", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "4982ac3e-d0ee-4818-b95d-d9522d689259_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_2.json b/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_2.json
deleted file mode 100644
index 2aed49b919f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of commands that can be used to enumerate running processes. Adversaries may enumerate processes to identify installed applications and security solutions.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Process Discovery Using Built-in Tools", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name :(\"PsList.exe\", \"qprocess.exe\") or \n (process.name : \"powershell.exe\" and process.args : (\"*get-process*\", \"*Win32_Process*\")) or \n (process.name : \"wmic.exe\" and process.args : (\"process\", \"*Win32_Process*\")) or\n (process.name : \"tasklist.exe\" and not process.args : (\"pid eq*\")) or\n (process.name : \"query.exe\" and process.args : \"process\")\n ) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "4982ac3e-d0ee-4818-b95d-d9522d689259", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "4982ac3e-d0ee-4818-b95d-d9522d689259_2", "type": 
"security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_3.json b/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_3.json
deleted file mode 100644
index 4ed9814bc67..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of commands that can be used to enumerate running processes. Adversaries may enumerate processes to identify installed applications and security solutions.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Process Discovery Using Built-in Tools", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name :(\"PsList.exe\", \"qprocess.exe\") or \n (process.name : \"powershell.exe\" and process.args : (\"*get-process*\", \"*Win32_Process*\")) or \n (process.name : \"wmic.exe\" and process.args : (\"process\", \"*Win32_Process*\")) or\n (process.name : \"tasklist.exe\" and not process.args : (\"pid eq*\")) or\n (process.name : \"query.exe\" and process.args : \"process\")\n ) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "4982ac3e-d0ee-4818-b95d-d9522d689259", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "4982ac3e-d0ee-4818-b95d-d9522d689259_3", "type": "security-rule"} \ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_4.json b/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_4.json
deleted file mode 100644
index cfa7a8d8ce9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of commands that can be used to enumerate running processes. Adversaries may enumerate processes to identify installed applications and security solutions.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Discovery Using Built-in Tools", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name :(\"PsList.exe\", \"qprocess.exe\") or \n (process.name : \"powershell.exe\" and process.args : (\"*get-process*\", \"*Win32_Process*\")) or \n (process.name : \"wmic.exe\" and process.args : (\"process\", \"*Win32_Process*\")) or\n (process.name : \"tasklist.exe\" and not process.args : (\"pid eq*\")) or\n (process.name : \"query.exe\" and process.args : \"process\")\n ) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "4982ac3e-d0ee-4818-b95d-d9522d689259", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], "timestamp_override": "event.ingested", 
"type": "eql", "version": 4}, "id": "4982ac3e-d0ee-4818-b95d-d9522d689259_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_5.json b/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_5.json
deleted file mode 100644
index f448bb9f4df..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4982ac3e-d0ee-4818-b95d-d9522d689259_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of commands that can be used to enumerate running processes. Adversaries may enumerate processes to identify installed applications and security solutions.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Discovery Using Built-in Tools", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name :(\"PsList.exe\", \"qprocess.exe\") or \n (process.name : \"powershell.exe\" and process.args : (\"*get-process*\", \"*Win32_Process*\")) or \n (process.name : \"wmic.exe\" and process.args : (\"process\", \"*Win32_Process*\")) or\n (process.name : \"tasklist.exe\" and not process.args : (\"pid eq*\")) or\n (process.name : \"query.exe\" and process.args : \"process\")\n ) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "4982ac3e-d0ee-4818-b95d-d9522d689259", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "4982ac3e-d0ee-4818-b95d-d9522d689259_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3.json b/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3.json
deleted file mode 100644
index 6a85b7024e0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.", "false_positives": ["This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations."], "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "lucene", "license": "Elastic License v2", "name": "Possible FIN7 DGA Command and Control Behavior", "note": "## Triage and analysis\n\nIn the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.", "query": "(event.dataset: (network_traffic.tls OR network_traffic.http) OR\n (event.category: (network OR network_traffic) AND type: (tls OR http) AND network.transport: tcp)) AND\ndestination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us\n", "references": ["https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"], "related_integrations": [], "risk_score": 73, "rule_id": "4a4e23cf-78a2-449c-bac3-701924c269d3", "severity": "high", "tags": ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}, {"id": "T1568", "name": "Dynamic Resolution", "reference": 
"https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "4a4e23cf-78a2-449c-bac3-701924c269d3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_101.json b/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_101.json
deleted file mode 100644
index fcbeb0254a8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_101.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.", "false_positives": ["This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations."], "from": "now-9m", "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"], "language": "lucene", "license": "Elastic License v2", "name": "Possible FIN7 DGA Command and Control Behavior", "note": "## Triage and analysis\n\nIn the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.", "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp\nAND destination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us\n", "references": ["https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"], "related_integrations": [], "risk_score": 73, "rule_id": "4a4e23cf-78a2-449c-bac3-701924c269d3", "severity": "high", "tags": ["Elastic", "Network", "Threat Detection", "Command and Control", "Host"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}, {"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain 
Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "4a4e23cf-78a2-449c-bac3-701924c269d3_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_102.json b/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_102.json
deleted file mode 100644
index 62e487680b9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.", "false_positives": ["This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations."], "from": "now-9m", "index": ["packetbeat-*", "logs-network_traffic.*"], "language": "lucene", "license": "Elastic License v2", "name": "Possible FIN7 DGA Command and Control Behavior", "note": "## Triage and analysis\n\nIn the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.", "query": "event.dataset: (network_traffic.tls or network_traffic.http) AND\ndestination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us\n", "references": ["https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"], "related_integrations": [], "risk_score": 73, "rule_id": "4a4e23cf-78a2-449c-bac3-701924c269d3", "severity": "high", "tags": ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}, {"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": 
"https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "4a4e23cf-78a2-449c-bac3-701924c269d3_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_103.json b/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_103.json
deleted file mode 100644
index 1d3d0b7d5c1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.", "false_positives": ["This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations."], "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "lucene", "license": "Elastic License v2", "name": "Possible FIN7 DGA Command and Control Behavior", "note": "## Triage and analysis\n\nIn the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.", "query": "(event.dataset: (network_traffic.tls or network_traffic.http) or\n (event.category: (network or network_traffic) and type: (tls or http) and network.transport: tcp)) and\ndestination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us\n", "references": ["https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"], "related_integrations": [], "risk_score": 73, "rule_id": "4a4e23cf-78a2-449c-bac3-701924c269d3", "severity": "high", "tags": ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}, {"id": "T1568", "name": "Dynamic Resolution", "reference": 
"https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "4a4e23cf-78a2-449c-bac3-701924c269d3_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_104.json b/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_104.json
deleted file mode 100644
index 9052808716a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.", "false_positives": ["This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations."], "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "lucene", "license": "Elastic License v2", "name": "Possible FIN7 DGA Command and Control Behavior", "note": "## Triage and analysis\n\nIn the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.", "query": "(event.dataset: (network_traffic.tls OR network_traffic.http) or\n (event.category: (network OR network_traffic) AND type: (tls OR http) AND network.transport: tcp)) AND\ndestination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us\n", "references": ["https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"], "related_integrations": [], "risk_score": 73, "rule_id": "4a4e23cf-78a2-449c-bac3-701924c269d3", "severity": "high", "tags": ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}, {"id": "T1568", "name": "Dynamic Resolution", "reference": 
"https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "4a4e23cf-78a2-449c-bac3-701924c269d3_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_105.json b/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_105.json
deleted file mode 100644
index 1a33c1ed1b5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4a4e23cf-78a2-449c-bac3-701924c269d3_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects a known command and control pattern in network events. The FIN7 threat group is known to use this command and control technique, while maintaining persistence in their target's network.", "false_positives": ["This rule could identify benign domains that are formatted similarly to FIN7's command and control algorithm. Alerts should be investigated by an analyst to assess the validity of the individual observations."], "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "lucene", "license": "Elastic License v2", "name": "Possible FIN7 DGA Command and Control Behavior", "note": "## Triage and analysis\n\nIn the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`.", "query": "(event.dataset: (network_traffic.tls OR network_traffic.http) OR\n (event.category: (network OR network_traffic) AND type: (tls OR http) AND network.transport: tcp)) AND\ndestination.domain:/[a-zA-Z]{4,5}\\.(pw|us|club|info|site|top)/ AND NOT destination.domain:zoom.us\n", "references": ["https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html"], "related_integrations": [], "risk_score": 73, "rule_id": "4a4e23cf-78a2-449c-bac3-701924c269d3", "severity": "high", "tags": ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}, {"id": "T1568", "name": "Dynamic Resolution", "reference": 
"https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "4a4e23cf-78a2-449c-bac3-701924c269d3_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b.json b/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b.json
deleted file mode 100644
index 2af63edaa73..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of the \"chown\" and \"chmod\" commands with command line flags that could indicate a wildcard injection attack. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Unauthorized Access via Wildcard Injection Detected", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name in (\"chown\", \"chmod\") and process.args == \"-R\" and process.args : \"--reference=*\"\n", "references": ["https://www.exploit-db.com/papers/33930"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "4a99ac6f-9a54-4ba5-a64f-6eb65695841b", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "reference": "https://attack.mitre.org/techniques/T1003/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "4a99ac6f-9a54-4ba5-a64f-6eb65695841b", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_1.json b/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_1.json deleted file mode 100644 index 83a4c78f3f0..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of the \"chown\" and \"chmod\" commands with command line flags that could indicate a wildcard injection attack. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Unauthorized Access via Wildcard Injection Detected", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and \nprocess.name in (\"chown\", \"chmod\") and process.args == \"-R\" and process.args : \"--reference=*\"\n", "references": ["https://www.exploit-db.com/papers/33930"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "4a99ac6f-9a54-4ba5-a64f-6eb65695841b", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": 
"Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "reference": "https://attack.mitre.org/techniques/T1003/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "4a99ac6f-9a54-4ba5-a64f-6eb65695841b_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_2.json b/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_2.json deleted file mode 100644 index 06c33d601f5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of the \"chown\" and \"chmod\" commands with command line flags that could indicate a wildcard injection attack. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Unauthorized Access via Wildcard Injection Detected", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and \nprocess.name in (\"chown\", \"chmod\") and process.args == \"-R\" and process.args : \"--reference=*\"\n", "references": ["https://www.exploit-db.com/papers/33930"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "4a99ac6f-9a54-4ba5-a64f-6eb65695841b", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "reference": "https://attack.mitre.org/techniques/T1003/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "4a99ac6f-9a54-4ba5-a64f-6eb65695841b_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_3.json b/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_3.json deleted file mode 100644 index 051f909c203..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of the \"chown\" and \"chmod\" commands with command line flags that could indicate a wildcard injection attack. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Unauthorized Access via Wildcard Injection Detected", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and \nprocess.name in (\"chown\", \"chmod\") and process.args == \"-R\" and process.args : \"--reference=*\"\n", "references": ["https://www.exploit-db.com/papers/33930"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "4a99ac6f-9a54-4ba5-a64f-6eb65695841b", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "reference": "https://attack.mitre.org/techniques/T1003/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "4a99ac6f-9a54-4ba5-a64f-6eb65695841b_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_4.json b/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_4.json deleted file mode 100644 index f8e5e7991eb..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/4a99ac6f-9a54-4ba5-a64f-6eb65695841b_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of the \"chown\" and \"chmod\" commands with command line flags that could indicate a wildcard injection attack. Linux wildcard injection is a type of security vulnerability where attackers manipulate commands or input containing wildcards (e.g., *, ?, []) to execute unintended operations or access sensitive data by tricking the system into interpreting the wildcard characters in unexpected ways.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Unauthorized Access via Wildcard Injection Detected", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and \nprocess.name in (\"chown\", \"chmod\") and process.args == \"-R\" and process.args : \"--reference=*\"\n", "references": ["https://www.exploit-db.com/papers/33930"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "4a99ac6f-9a54-4ba5-a64f-6eb65695841b", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "reference": "https://attack.mitre.org/techniques/T1003/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "4a99ac6f-9a54-4ba5-a64f-6eb65695841b_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4aa58ac6-4dc0-4d18-b713-f58bf8bd015c.json b/packages/security_detection_engine/kibana/security_rule/4aa58ac6-4dc0-4d18-b713-f58bf8bd015c.json deleted file mode 100644 index b9ea6133d08..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/4aa58ac6-4dc0-4d18-b713-f58bf8bd015c.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Cross-Site Scripting (XSS) is a type of attack in which malicious scripts are injected into trusted websites. In XSS attacks, an attacker uses a benign web application to send malicious code, generally in the form of a browser-side script. This detection rule identifies the potential malicious executions of such browser-side scripts.", "from": "now-119m", "index": ["apm-*-transaction*", "traces-apm*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Cross Site Scripting (XSS)", "query": "any where processor.name == \"transaction\" and\nurl.fragment : (\"\", \"\", \"*onerror=*\", \"*javascript*alert*\", \"*eval*(*)*\", \"*onclick=*\",\n\"*alert(document.cookie)*\", \"*alert(document.domain)*\",\"*onresize=*\",\"*onload=*\",\"*onmouseover=*\")\n", "references": ["https://github.com/payloadbox/xss-payload-list"], "related_integrations": [{"package": "apm", "version": "^8.0.0"}], "required_fields": [{"ecs": false, "name": "processor.name", "type": "unknown"}, {"ecs": true, "name": "url.fragment", "type": "keyword"}], "risk_score": 21, "rule_id": "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c", "severity": "low", "tags": ["Data Source: APM", "Use Case: Threat Detection", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1189", "name": "Drive-by Compromise", "reference": "https://attack.mitre.org/techniques/T1189/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/4aa58ac6-4dc0-4d18-b713-f58bf8bd015c_1.json b/packages/security_detection_engine/kibana/security_rule/4aa58ac6-4dc0-4d18-b713-f58bf8bd015c_1.json
deleted file mode 100644
index 4372a542e8b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4aa58ac6-4dc0-4d18-b713-f58bf8bd015c_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Cross-Site Scripting (XSS) is a type of attack in which malicious scripts are injected into trusted websites. In XSS attacks, an attacker uses a benign web application to send malicious code, generally in the form of a browser-side script. This detection rule identifies the potential malicious executions of such browser-side scripts.", "from": "now-119m", "index": ["apm-*-transaction*", "traces-apm*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Cross Site Scripting (XSS)", "query": "any where processor.name == \"transaction\" and\nurl.fragment : (\"\", \"\", \"*onerror=*\", \"*javascript*alert*\", \"*eval*(*)*\", \"*onclick=*\",\n\"*alert(document.cookie)*\", \"*alert(document.domain)*\",\"*onresize=*\",\"*onload=*\",\"*onmouseover=*\")\n", "references": ["https://github.com/payloadbox/xss-payload-list"], "related_integrations": [{"package": "apm", "version": "^8.0.0"}], "required_fields": [{"ecs": false, "name": "processor.name", "type": "unknown"}, {"ecs": true, "name": "url.fragment", "type": "keyword"}], "risk_score": 21, "rule_id": "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c", "severity": "low", "tags": ["Data Source: APM", "Use Case: Threat Detection", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1189", "name": "Drive-by Compromise", "reference": "https://attack.mitre.org/techniques/T1189/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9.json b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9.json
deleted file mode 100644
index 5de6d664641..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Disable Windows Firewall Rules via Netsh", "note": "## Triage and analysis\n\n### Investigating Disable Windows Firewall Rules via Netsh\n\nThe Windows Defender Firewall is a native component which provides host-based, two-way network traffic filtering for a device, and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"netsh.exe\" and\n (\n (process.args : \"disable\" and process.args : \"firewall\" and process.args : \"set\") or\n (process.args : \"advfirewall\" and process.args : \"off\" and process.args : \"state\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline 
refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "4b438734-3793-4fda-bd42-ceeada0be8f9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_104.json b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_104.json deleted file mode 100644 index 68252e44d1a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Disable Windows Firewall Rules via Netsh", "note": "## Triage and analysis\n\n### Investigating Disable Windows Firewall Rules via Netsh\n\nThe Windows Defender Firewall is a native component which provides host-based, two-way network traffic filtering for a device, and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"netsh.exe\" and\n (\n (process.args : \"disable\" and process.args : \"firewall\" and process.args : \"set\") or\n (process.args : \"advfirewall\" and process.args : \"off\" and process.args : \"state\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "4b438734-3793-4fda-bd42-ceeada0be8f9_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_105.json b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_105.json deleted file mode 100644 index cd5517fc9b4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Disable Windows Firewall Rules via Netsh", "note": "## Triage and analysis\n\n### Investigating Disable Windows Firewall Rules via Netsh\n\nThe Windows Defender Firewall is a native component which provides host-based, two-way network traffic filtering for a device, and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"netsh.exe\" and\n (\n (process.args : \"disable\" and process.args : \"firewall\" and process.args : \"set\") or\n (process.args : \"advfirewall\" and process.args : \"off\" and process.args : \"state\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: 
Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "4b438734-3793-4fda-bd42-ceeada0be8f9_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_106.json b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_106.json deleted file mode 100644 index c5e8749e1e2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Disable Windows Firewall Rules via Netsh", "note": "## Triage and analysis\n\n### Investigating Disable Windows Firewall Rules via Netsh\n\nThe Windows Defender Firewall is a native component which provides host-based, two-way network traffic filtering for a device, and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"netsh.exe\" and\n (\n (process.args : \"disable\" and process.args : \"firewall\" and process.args : \"set\") or\n (process.args : \"advfirewall\" and process.args : \"off\" and process.args : \"state\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: 
Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "4b438734-3793-4fda-bd42-ceeada0be8f9_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_107.json b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_107.json deleted file mode 100644 index 16425cdad83..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Disable Windows Firewall Rules via Netsh", "note": "## Triage and analysis\n\n### Investigating Disable Windows Firewall Rules via Netsh\n\nThe Windows Defender Firewall is a native component which provides host-based, two-way network traffic filtering for a device, and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"netsh.exe\" and\n (\n (process.args : \"disable\" and process.args : \"firewall\" and process.args : \"set\") or\n (process.args : \"advfirewall\" and process.args : \"off\" and process.args : \"state\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "4b438734-3793-4fda-bd42-ceeada0be8f9_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_108.json b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_108.json deleted file mode 100644 index a1ab4ab8333..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Disable Windows Firewall Rules via Netsh", "note": "## Triage and analysis\n\n### Investigating Disable Windows Firewall Rules via Netsh\n\nThe Windows Defender Firewall is a native component which provides host-based, two-way network traffic filtering for a device, and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"netsh.exe\" and\n (\n (process.args : \"disable\" and process.args : \"firewall\" and process.args : \"set\") or\n (process.args : \"advfirewall\" and process.args : \"off\" and process.args : \"state\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "4b438734-3793-4fda-bd42-ceeada0be8f9_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_109.json b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_109.json deleted file mode 100644 index 28e6b8c3673..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Disable Windows Firewall Rules via Netsh", "note": "## Triage and analysis\n\n### Investigating Disable Windows Firewall Rules via Netsh\n\nThe Windows Defender Firewall is a native component which provides host-based, two-way network traffic filtering for a device, and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"netsh.exe\" and\n (\n (process.args : \"disable\" and process.args : \"firewall\" and process.args : \"set\") or\n (process.args : \"advfirewall\" and process.args : \"off\" and process.args : \"state\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline 
refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "4b438734-3793-4fda-bd42-ceeada0be8f9_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_110.json b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_110.json deleted file mode 100644 index 5b20bbcd915..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Disable Windows Firewall Rules via Netsh", "note": "## Triage and analysis\n\n### Investigating Disable Windows Firewall Rules via Netsh\n\nThe Windows Defender Firewall is a native component which provides host-based, two-way network traffic filtering for a device, and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"netsh.exe\" and\n (\n (process.args : \"disable\" and process.args : \"firewall\" and process.args : \"set\") or\n (process.args : \"advfirewall\" and process.args : \"off\" and process.args : \"state\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline 
refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "4b438734-3793-4fda-bd42-ceeada0be8f9_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_111.json b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_111.json deleted file mode 100644 index 294af35b56f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Disable Windows Firewall Rules via Netsh", "note": "## Triage and analysis\n\n### Investigating Disable Windows Firewall Rules via Netsh\n\nThe Windows Defender Firewall is a native component which provides host-based, two-way network traffic filtering for a device, and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"netsh.exe\" and\n (\n (process.args : \"disable\" and process.args : \"firewall\" and process.args : \"set\") or\n (process.args : \"advfirewall\" and process.args : \"off\" and process.args : \"state\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline 
refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "4b438734-3793-4fda-bd42-ceeada0be8f9_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_311.json b/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_311.json deleted file mode 100644 index 1f1d1d306f9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4b438734-3793-4fda-bd42-ceeada0be8f9_311.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Disable Windows Firewall Rules via Netsh", "note": "## Triage and analysis\n\n### Investigating Disable Windows Firewall Rules via Netsh\n\nThe Windows Defender Firewall is a native component which provides host-based, two-way network traffic filtering for a device, and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `netsh.exe` utility.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"netsh.exe\" and\n (\n (process.args : \"disable\" and process.args : \"firewall\" and process.args : \"set\") or\n (process.args : \"advfirewall\" and process.args : \"off\" and process.args : \"state\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "4b438734-3793-4fda-bd42-ceeada0be8f9", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", 
"Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 311}, "id": "4b438734-3793-4fda-bd42-ceeada0be8f9_311", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4b4e9c99-27ea-4621-95c8-82341bc6e512.json b/packages/security_detection_engine/kibana/security_rule/4b4e9c99-27ea-4621-95c8-82341bc6e512.json deleted file mode 100644 index 741b5d71dff..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4b4e9c99-27ea-4621-95c8-82341bc6e512.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Generates a detection alert each time a 'Container Workload Protection' alert is received. Enabling this rule allows you to immediately begin triaging and investigating these alerts.", "enabled": true, "from": "now-10m", "index": ["logs-cloud_defend.alerts-*"], "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Container Workload Protection", "query": "event.kind:alert and event.module:cloud_defend\n", "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "4b4e9c99-27ea-4621-95c8-82341bc6e512", "rule_name_override": "message", "setup": "## Setup\n\nThis rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.\n\n**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. 
For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.\n\nTo make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.\n\n**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.", "severity": "medium", "tags": ["Data Source: Elastic Defend for Containers", "Domain: Container"], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "4b4e9c99-27ea-4621-95c8-82341bc6e512", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4b4e9c99-27ea-4621-95c8-82341bc6e512_1.json b/packages/security_detection_engine/kibana/security_rule/4b4e9c99-27ea-4621-95c8-82341bc6e512_1.json
deleted file mode 100644
index c1747177533..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4b4e9c99-27ea-4621-95c8-82341bc6e512_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Generates a detection alert each time a 'Container Workload Protection' alert is received. Enabling this rule allows you to immediately begin triaging and investigating these alerts.", "enabled": true, "from": "now-10m", "index": ["logs-cloud_defend.alerts-*"], "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Container Workload Protection", "query": "event.kind:alert and event.module:cloud_defend\n", "required_fields": [{"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "4b4e9c99-27ea-4621-95c8-82341bc6e512", "severity": "medium", "tags": ["Elastic", "Container Workload Protection", "Kubernetes"], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "4b4e9c99-27ea-4621-95c8-82341bc6e512_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4b4e9c99-27ea-4621-95c8-82341bc6e512_2.json b/packages/security_detection_engine/kibana/security_rule/4b4e9c99-27ea-4621-95c8-82341bc6e512_2.json
deleted file mode 100644
index 2c4135f6b46..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4b4e9c99-27ea-4621-95c8-82341bc6e512_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Generates a detection alert each time a 'Container Workload Protection' alert is received. Enabling this rule allows you to immediately begin triaging and investigating these alerts.", "enabled": true, "from": "now-10m", "index": ["logs-cloud_defend.alerts-*"], "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Container Workload Protection", "query": "event.kind:alert and event.module:cloud_defend\n", "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "4b4e9c99-27ea-4621-95c8-82341bc6e512", "rule_name_override": "message", "severity": "medium", "tags": ["Elastic", "Container Workload Protection", "Kubernetes"], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "4b4e9c99-27ea-4621-95c8-82341bc6e512_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4b4e9c99-27ea-4621-95c8-82341bc6e512_3.json b/packages/security_detection_engine/kibana/security_rule/4b4e9c99-27ea-4621-95c8-82341bc6e512_3.json
deleted file mode 100644
index c38638bac92..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4b4e9c99-27ea-4621-95c8-82341bc6e512_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Generates a detection alert each time a 'Container Workload Protection' alert is received. Enabling this rule allows you to immediately begin triaging and investigating these alerts.", "enabled": true, "from": "now-10m", "index": ["logs-cloud_defend.alerts-*"], "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Container Workload Protection", "query": "event.kind:alert and event.module:cloud_defend\n", "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "4b4e9c99-27ea-4621-95c8-82341bc6e512", "rule_name_override": "message", "severity": "medium", "tags": ["Data Source: Elastic Defend for Containers", "Domain: Container"], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "4b4e9c99-27ea-4621-95c8-82341bc6e512_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37.json b/packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37.json
deleted file mode 100644
index 5127c48185f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of the ProxyChains utility. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "ProxyChains Activity", "note": "## Triage and analysis\n\n### Investigating ProxyChains Activity\n\nAttackers can leverage `proxychains` to obfuscate their origin and bypass network defenses by routing their malicious traffic through multiple intermediary servers.\n\nThis rule looks for processes spawned through `proxychains` by analyzing `proxychains` process execution.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate network obfuscation. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Suspicious Utility Launched via ProxyChains - 6ace94ba-f02c-4d55-9f53-87d99b6f9af4\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses this utility for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"proxychains\"\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_1.json b/packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_1.json
deleted file mode 100644
index 28325a5b662..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors for the execution of the ProxyChains utility. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "ProxyChains Activity", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and process.name == \"proxychains\"\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_2.json b/packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_2.json
deleted file mode 100644
index d1a6e89eca0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors for the execution of the ProxyChains utility. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "ProxyChains Activity", "note": "## Triage and analysis\n\n### Investigating ProxyChains Activity\n\nAttackers can leverage `proxychains` to obfuscate their origin and bypass network defenses by routing their malicious traffic through multiple intermediary servers.\n\nThis rule looks for processes spawned through `proxychains` by analyzing `proxychains` process execution.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate network obfuscation. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Suspicious Utility Launched via ProxyChains - 6ace94ba-f02c-4d55-9f53-87d99b6f9af4\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses this utility for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and process.name == \"proxychains\"\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_3.json b/packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_3.json
deleted file mode 100644
index 68f20c7beb6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of the ProxyChains utility. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "ProxyChains Activity", "note": "## Triage and analysis\n\n### Investigating ProxyChains Activity\n\nAttackers can leverage `proxychains` to obfuscate their origin and bypass network defenses by routing their malicious traffic through multiple intermediary servers.\n\nThis rule looks for processes spawned through `proxychains` by analyzing `proxychains` process execution.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate network obfuscation. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Suspicious Utility Launched via ProxyChains - 6ace94ba-f02c-4d55-9f53-87d99b6f9af4\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses this utility for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nevent.type == \"start\" and process.name == \"proxychains\"\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "4b868f1f-15ff-4ba3-8c11-d5a7a6356d37_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4b95ecea-7225-4690-9938-2a2c0bad9c99.json b/packages/security_detection_engine/kibana/security_rule/4b95ecea-7225-4690-9938-2a2c0bad9c99.json
deleted file mode 100644
index f459760d090..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4b95ecea-7225-4690-9938-2a2c0bad9c99.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected a rare process writing data to an external device. Malicious actors often use benign-looking processes to mask their data exfiltration activities. The discovery of such a process that has no legitimate reason to write data to external devices can indicate exfiltration.", "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "ded_rare_process_writing_to_external_device", "name": "Unusual Process Writing Data to an External Device", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/ded", "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration"], "related_integrations": [{"package": "ded", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "4b95ecea-7225-4690-9938-2a2c0bad9c99", "setup": "## Setup\n\nThe rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). \n\n### Data Exfiltration Detection Setup\nThe Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
\n\n#### Prerequisite Requirements:\n- Fleet is required for Data Exfiltration Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- File events collected by the Elastic Defend integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1052", "name": "Exfiltration Over Physical Medium", "reference": "https://attack.mitre.org/techniques/T1052/"}]}], "type": "machine_learning", "version": 4}, "id": "4b95ecea-7225-4690-9938-2a2c0bad9c99", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4b95ecea-7225-4690-9938-2a2c0bad9c99_1.json b/packages/security_detection_engine/kibana/security_rule/4b95ecea-7225-4690-9938-2a2c0bad9c99_1.json
deleted file mode 100644
index 37cccfb7fde..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4b95ecea-7225-4690-9938-2a2c0bad9c99_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected a rare process writing data to an external device. Malicious actors often use benign-looking processes to mask their data exfiltration activities. The discovery of such a process that has no legitimate reason to write data to external devices can indicate exfiltration.", "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "ded_rare_process_writing_to_external_device", "name": "Unusual Process Writing Data to an External Device", "note": "", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/ded"], "related_integrations": [{"package": "ded", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "4b95ecea-7225-4690-9938-2a2c0bad9c99", "setup": "The Data Exfiltration Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.", "severity": "low", "tags": ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1052", "name": "Exfiltration Over Physical Medium", "reference": "https://attack.mitre.org/techniques/T1052/"}]}], "type": "machine_learning", "version": 1}, "id": "4b95ecea-7225-4690-9938-2a2c0bad9c99_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4b95ecea-7225-4690-9938-2a2c0bad9c99_2.json b/packages/security_detection_engine/kibana/security_rule/4b95ecea-7225-4690-9938-2a2c0bad9c99_2.json
deleted file mode 100644
index 17f12695391..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4b95ecea-7225-4690-9938-2a2c0bad9c99_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected a rare process writing data to an external device. Malicious actors often use benign-looking processes to mask their data exfiltration activities. The discovery of such a process that has no legitimate reason to write data to external devices can indicate exfiltration.", "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "ded_rare_process_writing_to_external_device", "name": "Unusual Process Writing Data to an External Device", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/ded", "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration"], "related_integrations": [{"package": "ded", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "4b95ecea-7225-4690-9938-2a2c0bad9c99", "setup": "The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). \n\n### Data Exfiltration Detection Setup\nThe Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
\n\n#### Prerequisite Requirements:\n- Fleet is required for Data Exfiltration Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- File events collected by the Elastic Defend integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.\n- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your file events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1052", "name": "Exfiltration Over Physical Medium", "reference": "https://attack.mitre.org/techniques/T1052/"}]}], "type": "machine_learning", "version": 2}, "id": "4b95ecea-7225-4690-9938-2a2c0bad9c99_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4b95ecea-7225-4690-9938-2a2c0bad9c99_3.json b/packages/security_detection_engine/kibana/security_rule/4b95ecea-7225-4690-9938-2a2c0bad9c99_3.json
deleted file mode 100644
index 42e678eeeb5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4b95ecea-7225-4690-9938-2a2c0bad9c99_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected a rare process writing data to an external device. Malicious actors often use benign-looking processes to mask their data exfiltration activities. The discovery of such a process that has no legitimate reason to write data to external devices can indicate exfiltration.", "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "ded_rare_process_writing_to_external_device", "name": "Unusual Process Writing Data to an External Device", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/ded", "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration"], "related_integrations": [{"package": "ded", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "4b95ecea-7225-4690-9938-2a2c0bad9c99", "setup": "## Setup\n\nThe rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). \n\n### Data Exfiltration Detection Setup\nThe Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
\n\n#### Prerequisite Requirements:\n- Fleet is required for Data Exfiltration Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- File events collected by the Elastic Defend integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.\n- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your file events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1052", "name": "Exfiltration Over Physical Medium", "reference": "https://attack.mitre.org/techniques/T1052/"}]}], "type": "machine_learning", "version": 3}, "id": "4b95ecea-7225-4690-9938-2a2c0bad9c99_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242.json b/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242.json
deleted file mode 100644
index 27f760da858..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Process Execution Path - Alternate Data Stream", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"?:\\\\*:*\" and process.args_count == 1\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}], "risk_score": 47, "rule_id": "4bd1c1af-79d4-4d37-9efa-6e0240640242", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": 
"https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.004", "name": "NTFS File Attributes", "reference": "https://attack.mitre.org/techniques/T1564/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "4bd1c1af-79d4-4d37-9efa-6e0240640242", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_103.json b/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_103.json deleted file mode 100644 index 9c11739d386..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_103.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Process Execution Path - Alternate Data Stream", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"?:\\\\*:*\" and process.args_count == 1\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}], "risk_score": 47, "rule_id": "4bd1c1af-79d4-4d37-9efa-6e0240640242", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.004", "name": "NTFS File Attributes", "reference": "https://attack.mitre.org/techniques/T1564/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "4bd1c1af-79d4-4d37-9efa-6e0240640242_103", 
"type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_104.json b/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_104.json deleted file mode 100644 index efe0309b50c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Process Execution Path - Alternate Data Stream", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"?:\\\\*:*\" and process.args_count == 1\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}], "risk_score": 47, "rule_id": "4bd1c1af-79d4-4d37-9efa-6e0240640242", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.004", "name": "NTFS File Attributes", "reference": "https://attack.mitre.org/techniques/T1564/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": 
"4bd1c1af-79d4-4d37-9efa-6e0240640242_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_105.json b/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_105.json deleted file mode 100644 index 3d40fb1df6a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Process Execution Path - Alternate Data Stream", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"?:\\\\*:*\" and process.args_count == 1\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}], "risk_score": 47, "rule_id": "4bd1c1af-79d4-4d37-9efa-6e0240640242", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.004", "name": "NTFS File Attributes", "reference": "https://attack.mitre.org/techniques/T1564/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", 
"version": 105}, "id": "4bd1c1af-79d4-4d37-9efa-6e0240640242_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_106.json b/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_106.json deleted file mode 100644 index 3f5aabec1d6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_106.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Process Execution Path - Alternate Data Stream", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"?:\\\\*:*\" and process.args_count == 1\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}], "risk_score": 47, "rule_id": "4bd1c1af-79d4-4d37-9efa-6e0240640242", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": 
[{"id": "T1564.004", "name": "NTFS File Attributes", "reference": "https://attack.mitre.org/techniques/T1564/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "4bd1c1af-79d4-4d37-9efa-6e0240640242_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_107.json b/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_107.json deleted file mode 100644 index 1cbc18907b4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_107.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Process Execution Path - Alternate Data Stream", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"?:\\\\*:*\" and process.args_count == 1\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}], "risk_score": 47, "rule_id": "4bd1c1af-79d4-4d37-9efa-6e0240640242", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", 
"reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.004", "name": "NTFS File Attributes", "reference": "https://attack.mitre.org/techniques/T1564/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "4bd1c1af-79d4-4d37-9efa-6e0240640242_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_108.json b/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_108.json deleted file mode 100644 index 9d77d44ddf6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_108.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Process Execution Path - Alternate Data Stream", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"?:\\\\*:*\" and process.args_count == 1\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}], "risk_score": 47, "rule_id": "4bd1c1af-79d4-4d37-9efa-6e0240640242", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": 
"https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.004", "name": "NTFS File Attributes", "reference": "https://attack.mitre.org/techniques/T1564/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "4bd1c1af-79d4-4d37-9efa-6e0240640242_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_109.json b/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_109.json deleted file mode 100644 index 9857d587c9a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Process Execution Path - Alternate Data Stream", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"?:\\\\*:*\" and process.args_count == 1\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}], "risk_score": 47, "rule_id": "4bd1c1af-79d4-4d37-9efa-6e0240640242", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": 
"https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.004", "name": "NTFS File Attributes", "reference": "https://attack.mitre.org/techniques/T1564/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "4bd1c1af-79d4-4d37-9efa-6e0240640242_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_309.json b/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_309.json deleted file mode 100644 index 1c59e313b97..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4bd1c1af-79d4-4d37-9efa-6e0240640242_309.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies processes running from an Alternate Data Stream. This is uncommon for legitimate processes and sometimes done by adversaries to hide malware.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Process Execution Path - Alternate Data Stream", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : \"?:\\\\*:*\" and process.args_count == 1\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}], "risk_score": 47, "rule_id": "4bd1c1af-79d4-4d37-9efa-6e0240640242", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.004", "name": "NTFS File Attributes", "reference": "https://attack.mitre.org/techniques/T1564/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 
309}, "id": "4bd1c1af-79d4-4d37-9efa-6e0240640242_309", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6.json b/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6.json deleted file mode 100644 index e4ae0455c06..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to windows share enumeration activities. Attackers, mainly ransomware groups, commonly identify and inspect network shares, looking for critical information for encryption and/or exfiltration.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Share Enumeration Script", "note": "## Triage and analysis\n\n### Investigating PowerShell Share Enumeration Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to enumerate shares to search for sensitive data like documents, scripts, and other kinds of valuable data for encryption, exfiltration, and lateral movement.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command line logs that indicate that imported functions were run.\n - Evaluate which information was potentially mapped and accessed by the attacker.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-ShareFinder\" or\n \"Invoke-ShareFinderThreaded\" or\n (\n \"shi1_netname\" and\n \"shi1_remark\"\n ) or\n (\n \"NetShareEnum\" and\n \"NetApiBufferFree\"\n )\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://www.advintel.io/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations", "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "4c59cff1-b78a-41b8-a9f1-4231984d1fb6", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1039", "name": "Data from Network Shared Drive", "reference": "https://attack.mitre.org/techniques/T1039/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 9}, "id": "4c59cff1-b78a-41b8-a9f1-4231984d1fb6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_10.json b/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_10.json deleted file mode 100644 index ad368e5f70a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_10.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to windows share enumeration activities. Attackers, mainly ransomware groups, commonly identify and inspect network shares, looking for critical information for encryption and/or exfiltration.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Share Enumeration Script", "note": "## Triage and analysis\n\n### Investigating PowerShell Share Enumeration Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to enumerate shares to search for sensitive data like documents, scripts, and other kinds of valuable data for encryption, exfiltration, and lateral movement.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command line logs that indicate that imported functions were run.\n - Evaluate which information was potentially mapped and accessed by the attacker.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-ShareFinder\" or\n \"Invoke-ShareFinderThreaded\" or\n (\n \"shi1_netname\" and\n \"shi1_remark\"\n ) or\n (\n \"NetShareEnum\" and\n \"NetApiBufferFree\"\n )\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://www.advintel.io/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations", "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "4c59cff1-b78a-41b8-a9f1-4231984d1fb6", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1039", "name": "Data from Network Shared Drive", "reference": "https://attack.mitre.org/techniques/T1039/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 10}, "id": "4c59cff1-b78a-41b8-a9f1-4231984d1fb6_10", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_5.json b/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_5.json deleted file mode 100644 index e526c8db1aa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to windows share enumeration activities. Attackers, mainly ransomware groups, commonly identify and inspect network shares, looking for critical information for encryption and/or exfiltration.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Share Enumeration Script", "note": "## Triage and analysis\n\n### Investigating PowerShell Share Enumeration Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to enumerate shares to search for sensitive data like documents, scripts, and other kinds of valuable data for encryption, exfiltration, and lateral movement.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command line logs that indicate that imported functions were run.\n - Evaluate which information was potentially mapped and accessed by the attacker.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-ShareFinder\" or\n \"Invoke-ShareFinderThreaded\" or\n (\n \"shi1_netname\" and\n \"shi1_remark\"\n ) or\n (\n \"NetShareEnum\" and\n \"NetApiBufferFree\"\n )\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://www.advintel.io/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations", "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "4c59cff1-b78a-41b8-a9f1-4231984d1fb6", "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "PowerShell"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "4c59cff1-b78a-41b8-a9f1-4231984d1fb6_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_6.json b/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_6.json deleted file mode 100644 index c632c40bffb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to windows share enumeration activities. Attackers, mainly ransomware groups, commonly identify and inspect network shares, looking for critical information for encryption and/or exfiltration.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Share Enumeration Script", "note": "## Triage and analysis\n\n### Investigating PowerShell Share Enumeration Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to enumerate shares to search for sensitive data like documents, scripts, and other kinds of valuable data for encryption, exfiltration, and lateral movement.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command line logs that indicate that imported functions were run.\n - Evaluate which information was potentially mapped and accessed by the attacker.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-ShareFinder\" or\n \"Invoke-ShareFinderThreaded\" or\n (\n \"shi1_netname\" and\n \"shi1_remark\"\n ) or\n (\n \"NetShareEnum\" and\n \"NetApiBufferFree\"\n )\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://www.advintel.io/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations", "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "4c59cff1-b78a-41b8-a9f1-4231984d1fb6", "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 6}, "id": "4c59cff1-b78a-41b8-a9f1-4231984d1fb6_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_7.json b/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_7.json deleted file mode 100644 index cd6f1b743dd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to windows share enumeration activities. Attackers, mainly ransomware groups, commonly identify and inspect network shares, looking for critical information for encryption and/or exfiltration.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Share Enumeration Script", "note": "## Triage and analysis\n\n### Investigating PowerShell Share Enumeration Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to enumerate shares to search for sensitive data like documents, scripts, and other kinds of valuable data for encryption, exfiltration, and lateral movement.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command line logs that indicate that imported functions were run.\n - Evaluate which information was potentially mapped and accessed by the attacker.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-ShareFinder\" or\n \"Invoke-ShareFinderThreaded\" or\n (\n \"shi1_netname\" and\n \"shi1_remark\"\n ) or\n (\n \"NetShareEnum\" and\n \"NetApiBufferFree\"\n )\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://www.advintel.io/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations", "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "4c59cff1-b78a-41b8-a9f1-4231984d1fb6", "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1039", "name": "Data from Network Shared Drive", "reference": "https://attack.mitre.org/techniques/T1039/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 7}, "id": "4c59cff1-b78a-41b8-a9f1-4231984d1fb6_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_8.json b/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_8.json deleted file mode 100644 index 1c5fe40623d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to windows share enumeration activities. Attackers, mainly ransomware groups, commonly identify and inspect network shares, looking for critical information for encryption and/or exfiltration.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Share Enumeration Script", "note": "## Triage and analysis\n\n### Investigating PowerShell Share Enumeration Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to enumerate shares to search for sensitive data like documents, scripts, and other kinds of valuable data for encryption, exfiltration, and lateral movement.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command line logs that indicate that imported functions were run.\n - Evaluate which information was potentially mapped and accessed by the attacker.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-ShareFinder\" or\n \"Invoke-ShareFinderThreaded\" or\n (\n \"shi1_netname\" and\n \"shi1_remark\"\n ) or\n (\n \"NetShareEnum\" and\n \"NetApiBufferFree\"\n )\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://www.advintel.io/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations", "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "4c59cff1-b78a-41b8-a9f1-4231984d1fb6", "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1039", "name": "Data from Network Shared Drive", "reference": "https://attack.mitre.org/techniques/T1039/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 8}, "id": "4c59cff1-b78a-41b8-a9f1-4231984d1fb6_8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_9.json b/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_9.json deleted file mode 100644 index 496b96f050b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4c59cff1-b78a-41b8-a9f1-4231984d1fb6_9.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects scripts that contain PowerShell functions, structures, or Windows API functions related to windows share enumeration activities. Attackers, mainly ransomware groups, commonly identify and inspect network shares, looking for critical information for encryption and/or exfiltration.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Share Enumeration Script", "note": "## Triage and analysis\n\n### Investigating PowerShell Share Enumeration Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to enumerate shares to search for sensitive data like documents, scripts, and other kinds of valuable data for encryption, exfiltration, and lateral movement.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command line logs that indicate that imported functions were run.\n - Evaluate which information was potentially mapped and accessed by the attacker.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"Invoke-ShareFinder\" or\n \"Invoke-ShareFinderThreaded\" or\n (\n \"shi1_netname\" and\n \"shi1_remark\"\n ) or\n (\n \"NetShareEnum\" and\n \"NetApiBufferFree\"\n )\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://www.advintel.io/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations", "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "4c59cff1-b78a-41b8-a9f1-4231984d1fb6", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1039", "name": "Data from Network Shared Drive", "reference": "https://attack.mitre.org/techniques/T1039/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 9}, "id": "4c59cff1-b78a-41b8-a9f1-4231984d1fb6_9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957.json b/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957.json deleted file mode 100644 index d444f3930d3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to tamper with the system's trusted state, allowing e.g. a VM Escape.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel Load or Unload via Kexec Detected", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"kexec\" and process.args in (\"--exec\", \"-e\", \"--load\", \"-l\", \"--unload\", \"-u\")\n", "references": ["https://www.crowdstrike.com/blog/venom-vulnerability-details/", "https://www.makeuseof.com/what-is-venom-vulnerability/", "https://madaidans-insecurities.github.io/guides/linux-hardening.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1601", "name": "Modify System Image", "reference": "https://attack.mitre.org/techniques/T1601/", "subtechnique": [{"id": "T1601.001", "name": "Patch System Image", "reference": "https://attack.mitre.org/techniques/T1601/001/"}]}]}], "timestamp_override": "event.ingested", 
"type": "eql", "version": 6}, "id": "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_1.json b/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_1.json deleted file mode 100644 index 6126cdfdd02..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to tamper with the system's trusted state, allowing e.g. a VM Escape.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel Load or Unload via Kexec Detected", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and process.name == \"kexec\" and \nprocess.args in (\"--exec\", \"-e\", \"--load\", \"-l\", \"--unload\", \"-u\")\n", "references": ["https://www.crowdstrike.com/blog/venom-vulnerability-details/", "https://www.makeuseof.com/what-is-venom-vulnerability/", "https://madaidans-insecurities.github.io/guides/linux-hardening.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": 
"https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1601", "name": "Modify System Image", "reference": "https://attack.mitre.org/techniques/T1601/", "subtechnique": [{"id": "T1601.001", "name": "Patch System Image", "reference": "https://attack.mitre.org/techniques/T1601/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_2.json b/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_2.json deleted file mode 100644 index 653199a4545..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to tamper with the system's trusted state, allowing e.g. a VM Escape.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel Load or Unload via Kexec Detected", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and process.name == \"kexec\" and \nprocess.args in (\"--exec\", \"-e\", \"--load\", \"-l\", \"--unload\", \"-u\")\n", "references": ["https://www.crowdstrike.com/blog/venom-vulnerability-details/", "https://www.makeuseof.com/what-is-venom-vulnerability/", "https://madaidans-insecurities.github.io/guides/linux-hardening.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": 
"https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1601", "name": "Modify System Image", "reference": "https://attack.mitre.org/techniques/T1601/", "subtechnique": [{"id": "T1601.001", "name": "Patch System Image", "reference": "https://attack.mitre.org/techniques/T1601/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_3.json b/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_3.json deleted file mode 100644 index 5b1c87a7c1b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to tamper with the system's trusted state, allowing e.g. a VM Escape.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel Load or Unload via Kexec Detected", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and process.name == \"kexec\" and \nprocess.args in (\"--exec\", \"-e\", \"--load\", \"-l\", \"--unload\", \"-u\")\n", "references": ["https://www.crowdstrike.com/blog/venom-vulnerability-details/", "https://www.makeuseof.com/what-is-venom-vulnerability/", "https://madaidans-insecurities.github.io/guides/linux-hardening.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", 
"reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1601", "name": "Modify System Image", "reference": "https://attack.mitre.org/techniques/T1601/", "subtechnique": [{"id": "T1601.001", "name": "Patch System Image", "reference": "https://attack.mitre.org/techniques/T1601/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_4.json b/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_4.json deleted file mode 100644 index 9ae9dc32d17..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to tamper with the system's trusted state, allowing e.g. a VM Escape.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel Load or Unload via Kexec Detected", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and process.name == \"kexec\" and \nprocess.args in (\"--exec\", \"-e\", \"--load\", \"-l\", \"--unload\", \"-u\")\n", "references": ["https://www.crowdstrike.com/blog/venom-vulnerability-details/", "https://www.makeuseof.com/what-is-venom-vulnerability/", "https://madaidans-insecurities.github.io/guides/linux-hardening.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1601", "name": "Modify System Image", "reference": "https://attack.mitre.org/techniques/T1601/", "subtechnique": [{"id": "T1601.001", "name": "Patch System Image", "reference": "https://attack.mitre.org/techniques/T1601/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": 
"4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_5.json b/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_5.json deleted file mode 100644 index 6cb3103a637..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to tamper with the system's trusted state, allowing e.g. a VM Escape.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel Load or Unload via Kexec Detected", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and process.name == \"kexec\" and \nprocess.args in (\"--exec\", \"-e\", \"--load\", \"-l\", \"--unload\", \"-u\")\n", "references": ["https://www.crowdstrike.com/blog/venom-vulnerability-details/", "https://www.makeuseof.com/what-is-venom-vulnerability/", "https://madaidans-insecurities.github.io/guides/linux-hardening.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1601", "name": "Modify System Image", "reference": "https://attack.mitre.org/techniques/T1601/", "subtechnique": [{"id": "T1601.001", "name": "Patch System Image", "reference": "https://attack.mitre.org/techniques/T1601/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": 
"4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_6.json b/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_6.json deleted file mode 100644 index 0ed4d9f7488..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to tamper with the system's trusted state, allowing e.g. a VM Escape.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel Load or Unload via Kexec Detected", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"kexec\" and process.args in (\"--exec\", \"-e\", \"--load\", \"-l\", \"--unload\", \"-u\")\n", "references": ["https://www.crowdstrike.com/blog/venom-vulnerability-details/", "https://www.makeuseof.com/what-is-venom-vulnerability/", "https://madaidans-insecurities.github.io/guides/linux-hardening.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1601", "name": "Modify System Image", "reference": "https://attack.mitre.org/techniques/T1601/", "subtechnique": [{"id": "T1601.001", "name": "Patch System Image", "reference": "https://attack.mitre.org/techniques/T1601/001/"}]}]}], "timestamp_override": "event.ingested", 
"type": "eql", "version": 6}, "id": "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef.json b/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef.json deleted file mode 100644 index 8241346ef2a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-20m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS Management Console Brute Force of Root User Identity", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure\n", "references": ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.user_identity.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": 
"https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["cloud.account.id"], "value": 10}, "timestamp_override": "event.ingested", "type": "threshold", "version": 207}, "id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_102.json b/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_102.json deleted file mode 100644 index 3cb853dee58..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-20m", "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS Management Console Brute Force of Root User Identity", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure\n", "references": ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.user_identity.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], 
"threshold": {"field": ["cloud.account.id"], "value": 10}, "type": "threshold", "version": 102}, "id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_103.json b/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_103.json deleted file mode 100644 index a31bb12b4e9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-20m", "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS Management Console Brute Force of Root User Identity", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure\n", "references": ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.user_identity.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": 
"https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["cloud.account.id"], "value": 10}, "type": "threshold", "version": 103}, "id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_104.json b/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_104.json deleted file mode 100644 index 7487ef0bb05..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-20m", "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS Management Console Brute Force of Root User Identity", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure\n", "references": ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.user_identity.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": 
"https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["cloud.account.id"], "value": 10}, "type": "threshold", "version": 104}, "id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_205.json b/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_205.json deleted file mode 100644 index 35ac59ea0fa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-20m", "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS Management Console Brute Force of Root User Identity", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure\n", "references": ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.user_identity.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": 
"https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["cloud.account.id"], "value": 10}, "type": "threshold", "version": 205}, "id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef_205", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_206.json b/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_206.json
deleted file mode 100644
index 729b4f2a522..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4d50a94f-2844-43fa-8395-6afbd5e1c5ef_206.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives."], "from": "now-20m", "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS Management Console Brute Force of Root User Identity", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure\n", "references": ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.user_identity.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": 
"https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["cloud.account.id"], "value": 10}, "timestamp_override": "event.ingested", "type": "threshold", "version": 206}, "id": "4d50a94f-2844-43fa-8395-6afbd5e1c5ef_206", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9.json b/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9.json
deleted file mode 100644
index f87b7306146..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that's designed to ensure that only trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Disable Gatekeeper", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.args:(spctl and \"--master-disable\")\n", "references": ["https://support.apple.com/en-us/HT202491", "https://community.carbonblack.com/t5/Threat-Advisories-Documents/TAU-TIN-Shlayer-OSX/ta-p/68397"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 47, "rule_id": "4da13d6e-904f-4636-81d8-6ab14b4e6ae9", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "4da13d6e-904f-4636-81d8-6ab14b4e6ae9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_102.json b/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_102.json deleted file mode 100644 index 964912ab317..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that's designed to ensure that only trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Disable Gatekeeper", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.args:(spctl and \"--master-disable\")\n", "references": ["https://support.apple.com/en-us/HT202491", "https://community.carbonblack.com/t5/Threat-Advisories-Documents/TAU-TIN-Shlayer-OSX/ta-p/68397"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 47, "rule_id": "4da13d6e-904f-4636-81d8-6ab14b4e6ae9", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "4da13d6e-904f-4636-81d8-6ab14b4e6ae9_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_103.json b/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_103.json deleted file mode 100644 index f00f467feb1..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_103.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that's designed to ensure that only trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Disable Gatekeeper", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.args:(spctl and \"--master-disable\")\n", "references": ["https://support.apple.com/en-us/HT202491", "https://community.carbonblack.com/t5/Threat-Advisories-Documents/TAU-TIN-Shlayer-OSX/ta-p/68397"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 47, "rule_id": "4da13d6e-904f-4636-81d8-6ab14b4e6ae9", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "4da13d6e-904f-4636-81d8-6ab14b4e6ae9_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_104.json b/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_104.json
deleted file mode 100644
index bb944c93e0c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that's designed to ensure that only trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Disable Gatekeeper", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.args:(spctl and \"--master-disable\")\n", "references": ["https://support.apple.com/en-us/HT202491", "https://community.carbonblack.com/t5/Threat-Advisories-Documents/TAU-TIN-Shlayer-OSX/ta-p/68397"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 47, "rule_id": "4da13d6e-904f-4636-81d8-6ab14b4e6ae9", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "4da13d6e-904f-4636-81d8-6ab14b4e6ae9_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_105.json b/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_105.json
deleted file mode 100644
index bc0b7a232bb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4da13d6e-904f-4636-81d8-6ab14b4e6ae9_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that's designed to ensure that only trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Disable Gatekeeper", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.args:(spctl and \"--master-disable\")\n", "references": ["https://support.apple.com/en-us/HT202491", "https://community.carbonblack.com/t5/Threat-Advisories-Documents/TAU-TIN-Shlayer-OSX/ta-p/68397"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 47, "rule_id": "4da13d6e-904f-4636-81d8-6ab14b4e6ae9", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "4da13d6e-904f-4636-81d8-6ab14b4e6ae9_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc.json b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc.json deleted file mode 100644 index f9504170a83..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Ivan Ninichuck", "Austin Songer"], "description": "Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Disable Windows Event and Security Logs Using Built-in Tools", "note": "## Triage and analysis\n\n### Investigating Disable Windows Event and Security Logs Using Built-in Tools\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the usage of different utilities to disable the EventLog service or specific event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name:\"logman.exe\" or ?process.pe.original_file_name == \"Logman.exe\") and\n process.args : \"EventLog-*\" and process.args : (\"stop\", \"delete\")) or\n\n ((process.name : (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name in\n (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\")) and\n\tprocess.args : \"Set-Service\" and process.args: \"EventLog\" and process.args : \"Disabled\") or\n\n ((process.name:\"auditpol.exe\" or ?process.pe.original_file_name == \"AUDITPOL.EXE\") and process.args : \"/success:disable\")\n)\n", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman", "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", 
"version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "4de76544-f0e5-486a-8f84-eae0b6063cdc", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 113}, "id": "4de76544-f0e5-486a-8f84-eae0b6063cdc", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_105.json b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_105.json
deleted file mode 100644
index da99eb24ec0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Ivan Ninichuck", "Austin Songer"], "description": "Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Disable Windows Event and Security Logs Using Built-in Tools", "note": "## Triage and analysis\n\n### Investigating Disable Windows Event and Security Logs Using Built-in Tools\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the usage of different utilities to disable the EventLog service or specific event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name:\"logman.exe\" or process.pe.original_file_name == \"Logman.exe\") and\n process.args : \"EventLog-*\" and process.args : (\"stop\", \"delete\")) or\n\n ((process.name : (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in\n (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\")) and\n\tprocess.args : \"Set-Service\" and process.args: \"EventLog\" and process.args : \"Disabled\") or\n\n ((process.name:\"auditpol.exe\" or process.pe.original_file_name == \"AUDITPOL.EXE\") and process.args : \"/success:disable\")\n)\n", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman", "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", 
"version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "4de76544-f0e5-486a-8f84-eae0b6063cdc", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "4de76544-f0e5-486a-8f84-eae0b6063cdc_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_106.json b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_106.json deleted file mode 100644 index 08f722c2114..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Ivan Ninichuck", "Austin Songer"], "description": "Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Disable Windows Event and Security Logs Using Built-in Tools", "note": "## Triage and analysis\n\n### Investigating Disable Windows Event and Security Logs Using Built-in Tools\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the usage of different utilities to disable the EventLog service or specific event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name:\"logman.exe\" or process.pe.original_file_name == \"Logman.exe\") and\n process.args : \"EventLog-*\" and process.args : (\"stop\", \"delete\")) or\n\n ((process.name : (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in\n (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\")) and\n\tprocess.args : \"Set-Service\" and process.args: \"EventLog\" and process.args : \"Disabled\") or\n\n ((process.name:\"auditpol.exe\" or process.pe.original_file_name == \"AUDITPOL.EXE\") and process.args : \"/success:disable\")\n)\n", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman", "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", 
"version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "4de76544-f0e5-486a-8f84-eae0b6063cdc", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "4de76544-f0e5-486a-8f84-eae0b6063cdc_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_107.json b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_107.json
deleted file mode 100644
index 31297ba2cec..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Ivan Ninichuck", "Austin Songer"], "description": "Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Disable Windows Event and Security Logs Using Built-in Tools", "note": "## Triage and analysis\n\n### Investigating Disable Windows Event and Security Logs Using Built-in Tools\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the usage of different utilities to disable the EventLog service or specific event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name:\"logman.exe\" or process.pe.original_file_name == \"Logman.exe\") and\n process.args : \"EventLog-*\" and process.args : (\"stop\", \"delete\")) or\n\n ((process.name : (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in\n (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\")) and\n\tprocess.args : \"Set-Service\" and process.args: \"EventLog\" and process.args : \"Disabled\") or\n\n ((process.name:\"auditpol.exe\" or process.pe.original_file_name == \"AUDITPOL.EXE\") and process.args : \"/success:disable\")\n)\n", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman", "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", 
"version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "4de76544-f0e5-486a-8f84-eae0b6063cdc", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "4de76544-f0e5-486a-8f84-eae0b6063cdc_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_108.json b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_108.json
deleted file mode 100644
index f8a307f878e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Ivan Ninichuck", "Austin Songer"], "description": "Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Disable Windows Event and Security Logs Using Built-in Tools", "note": "## Triage and analysis\n\n### Investigating Disable Windows Event and Security Logs Using Built-in Tools\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the usage of different utilities to disable the EventLog service or specific event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name:\"logman.exe\" or process.pe.original_file_name == \"Logman.exe\") and\n process.args : \"EventLog-*\" and process.args : (\"stop\", \"delete\")) or\n\n ((process.name : (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in\n (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\")) and\n\tprocess.args : \"Set-Service\" and process.args: \"EventLog\" and process.args : \"Disabled\") or\n\n ((process.name:\"auditpol.exe\" or process.pe.original_file_name == \"AUDITPOL.EXE\") and process.args : \"/success:disable\")\n)\n", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman", "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", 
"version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "4de76544-f0e5-486a-8f84-eae0b6063cdc", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "4de76544-f0e5-486a-8f84-eae0b6063cdc_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_109.json b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_109.json
deleted file mode 100644
index 4df75bccaee..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Ivan Ninichuck", "Austin Songer"], "description": "Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Disable Windows Event and Security Logs Using Built-in Tools", "note": "## Triage and analysis\n\n### Investigating Disable Windows Event and Security Logs Using Built-in Tools\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the usage of different utilities to disable the EventLog service or specific event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name:\"logman.exe\" or process.pe.original_file_name == \"Logman.exe\") and\n process.args : \"EventLog-*\" and process.args : (\"stop\", \"delete\")) or\n\n ((process.name : (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in\n (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\")) and\n\tprocess.args : \"Set-Service\" and process.args: \"EventLog\" and process.args : \"Disabled\") or\n\n ((process.name:\"auditpol.exe\" or process.pe.original_file_name == \"AUDITPOL.EXE\") and process.args : \"/success:disable\")\n)\n", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman", "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", 
"version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "4de76544-f0e5-486a-8f84-eae0b6063cdc", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": 
"4de76544-f0e5-486a-8f84-eae0b6063cdc_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_110.json b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_110.json
deleted file mode 100644
index ae2a449a7b0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Ivan Ninichuck", "Austin Songer"], "description": "Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Disable Windows Event and Security Logs Using Built-in Tools", "note": "## Triage and analysis\n\n### Investigating Disable Windows Event and Security Logs Using Built-in Tools\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the usage of different utilities to disable the EventLog service or specific event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name:\"logman.exe\" or ?process.pe.original_file_name == \"Logman.exe\") and\n process.args : \"EventLog-*\" and process.args : (\"stop\", \"delete\")) or\n\n ((process.name : (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name in\n (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\")) and\n\tprocess.args : \"Set-Service\" and process.args: \"EventLog\" and process.args : \"Disabled\") or\n\n ((process.name:\"auditpol.exe\" or ?process.pe.original_file_name == \"AUDITPOL.EXE\") and process.args : \"/success:disable\")\n)\n", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman", "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": 
"windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "4de76544-f0e5-486a-8f84-eae0b6063cdc", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}], "timestamp_override": "event.ingested", 
"type": "eql", "version": 110}, "id": "4de76544-f0e5-486a-8f84-eae0b6063cdc_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_111.json b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_111.json
deleted file mode 100644
index 4b010584a24..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Ivan Ninichuck", "Austin Songer"], "description": "Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Disable Windows Event and Security Logs Using Built-in Tools", "note": "## Triage and analysis\n\n### Investigating Disable Windows Event and Security Logs Using Built-in Tools\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the usage of different utilities to disable the EventLog service or specific event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name:\"logman.exe\" or ?process.pe.original_file_name == \"Logman.exe\") and\n process.args : \"EventLog-*\" and process.args : (\"stop\", \"delete\")) or\n\n ((process.name : (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name in\n (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\")) and\n\tprocess.args : \"Set-Service\" and process.args: \"EventLog\" and process.args : \"Disabled\") or\n\n ((process.name:\"auditpol.exe\" or ?process.pe.original_file_name == \"AUDITPOL.EXE\") and process.args : \"/success:disable\")\n)\n", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman", "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", 
"version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "4de76544-f0e5-486a-8f84-eae0b6063cdc", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}], "timestamp_override": "event.ingested", 
"type": "eql", "version": 111}, "id": "4de76544-f0e5-486a-8f84-eae0b6063cdc_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_112.json b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_112.json
deleted file mode 100644
index 13a05f5da0a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_112.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Ivan Ninichuck", "Austin Songer"], "description": "Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Disable Windows Event and Security Logs Using Built-in Tools", "note": "## Triage and analysis\n\n### Investigating Disable Windows Event and Security Logs Using Built-in Tools\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the usage of different utilities to disable the EventLog service or specific event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name:\"logman.exe\" or ?process.pe.original_file_name == \"Logman.exe\") and\n process.args : \"EventLog-*\" and process.args : (\"stop\", \"delete\")) or\n\n ((process.name : (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name in\n (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\")) and\n\tprocess.args : \"Set-Service\" and process.args: \"EventLog\" and process.args : \"Disabled\") or\n\n ((process.name:\"auditpol.exe\" or ?process.pe.original_file_name == \"AUDITPOL.EXE\") and process.args : \"/success:disable\")\n)\n", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman", "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", 
"version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "4de76544-f0e5-486a-8f84-eae0b6063cdc", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}], "timestamp_override": "event.ingested", 
"type": "eql", "version": 112}, "id": "4de76544-f0e5-486a-8f84-eae0b6063cdc_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_113.json b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_113.json
deleted file mode 100644
index ecb42a1a27c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_113.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Ivan Ninichuck", "Austin Songer"], "description": "Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Disable Windows Event and Security Logs Using Built-in Tools", "note": "## Triage and analysis\n\n### Investigating Disable Windows Event and Security Logs Using Built-in Tools\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the usage of different utilities to disable the EventLog service or specific event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name:\"logman.exe\" or ?process.pe.original_file_name == \"Logman.exe\") and\n process.args : \"EventLog-*\" and process.args : (\"stop\", \"delete\")) or\n\n ((process.name : (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name in\n (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\")) and\n\tprocess.args : \"Set-Service\" and process.args: \"EventLog\" and process.args : \"Disabled\") or\n\n ((process.name:\"auditpol.exe\" or ?process.pe.original_file_name == \"AUDITPOL.EXE\") and process.args : \"/success:disable\")\n)\n", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman", "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", 
"version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "4de76544-f0e5-486a-8f84-eae0b6063cdc", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 113}, "id": "4de76544-f0e5-486a-8f84-eae0b6063cdc_113", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_313.json b/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_313.json
deleted file mode 100644
index c9dd0f399bc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4de76544-f0e5-486a-8f84-eae0b6063cdc_313.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Ivan Ninichuck", "Austin Songer"], "description": "Identifies attempts to disable EventLog via the logman Windows utility, PowerShell, or auditpol. This is often done by attackers in an attempt to evade detection on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Disable Windows Event and Security Logs Using Built-in Tools", "note": "## Triage and analysis\n\n### Investigating Disable Windows Event and Security Logs Using Built-in Tools\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the usage of different utilities to disable the EventLog service or specific event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n ((process.name:\"logman.exe\" or ?process.pe.original_file_name == \"Logman.exe\") and\n process.args : \"EventLog-*\" and process.args : (\"stop\", \"delete\")) or\n\n ((process.name : (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name in\n (\"pwsh.exe\", \"powershell.exe\", \"powershell_ise.exe\")) and\n\tprocess.args : \"Set-Service\" and process.args: \"EventLog\" and process.args : \"Disabled\") or\n\n ((process.name:\"auditpol.exe\" or ?process.pe.original_file_name == \"AUDITPOL.EXE\") and process.args : \"/success:disable\")\n)\n", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/logman", "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", 
"version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "4de76544-f0e5-486a-8f84-eae0b6063cdc", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}, {"id": "T1562.006", "name": "Indicator Blocking", "reference": "https://attack.mitre.org/techniques/T1562/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 313}, "id": "4de76544-f0e5-486a-8f84-eae0b6063cdc_313", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60.json b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60.json
deleted file mode 100644
index c77b7ebfae0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies multiple logon failures followed by a successful one from the same source address. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "eql", "license": "Elastic License v2", "name": "Multiple Logon Failure Followed by Logon Success", "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure Followed by Logon Success\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by winlog.computer_name, source.ip with maxspan=5s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and user.id != null and \n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and \n not winlog.event_data.TargetUserSid : \"S-1-0-0\" and not user.id : \"S-1-0-0\" and \n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\"]\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": 
"winlog.event_data.Status", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetUserSid", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 11}, "id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_10.json b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_10.json
deleted file mode 100644
index aa23199306e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_10.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies multiple logon failures followed by a successful one from the same source address. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "eql", "license": "Elastic License v2", "name": "Multiple Logon Failure Followed by Logon Success", "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure Followed by Logon Success\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by winlog.computer_name, source.ip with maxspan=5s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and user.id != null and \n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and \n not winlog.event_data.TargetUserSid : \"S-1-0-0\" and not user.id : \"S-1-0-0\" and \n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\"]\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": 
"winlog.event_data.Status", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetUserSid", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 10}, "id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_10", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_11.json b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_11.json
deleted file mode 100644
index 085bfde6114..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_11.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies multiple logon failures followed by a successful one from the same source address. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "eql", "license": "Elastic License v2", "name": "Multiple Logon Failure Followed by Logon Success", "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure Followed by Logon Success\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by winlog.computer_name, source.ip with maxspan=5s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and user.id != null and \n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and \n not winlog.event_data.TargetUserSid : \"S-1-0-0\" and not user.id : \"S-1-0-0\" and \n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\"]\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": 
"winlog.event_data.Status", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetUserSid", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 11}, "id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_11", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_4.json b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_4.json
deleted file mode 100644
index 736e54b4f31..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies multiple logon failures followed by a successful one from the same source address. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Multiple Logon Failure Followed by Logon Success", "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure Followed by Logon Success\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "sequence by winlog.computer_name, source.ip with maxspan=5s\n [authentication where host.os.type == \"windows\" and event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n [authentication where host.os.type == \"windows\" and event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\"]\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Status", "type": "keyword"}, 
{"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 4}, "id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_5.json b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_5.json
deleted file mode 100644
index 6fbafb74beb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies multiple logon failures followed by a successful one from the same source address. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Multiple Logon Failure Followed by Logon Success", "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure Followed by Logon Success\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "sequence by winlog.computer_name, source.ip with maxspan=5s\n [authentication where host.os.type == \"windows\" and event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n [authentication where host.os.type == \"windows\" and event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\"]\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Status", "type": "keyword"}, 
{"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 5}, "id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_6.json b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_6.json
deleted file mode 100644
index b6499821245..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple logon failures followed by a successful one from the same source address. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Multiple Logon Failure Followed by Logon Success", "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure Followed by Logon Success\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "sequence by winlog.computer_name, source.ip with maxspan=5s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\"]\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Status", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": 
"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 6}, "id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_7.json b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_7.json deleted file mode 100644 index 13747e13d41..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple logon failures followed by a successful one from the same source address. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Multiple Logon Failure Followed by Logon Success", "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure Followed by Logon Success\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "sequence by winlog.computer_name, source.ip with maxspan=5s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\"]\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Status", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": 
"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 7}, "id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_8.json b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_8.json deleted file mode 100644 index 70647dfb972..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple logon failures followed by a successful one from the same source address. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Multiple Logon Failure Followed by Logon Success", "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure Followed by Logon Success\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "sequence by winlog.computer_name, source.ip with maxspan=5s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\"]\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Status", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": 
"4e85dc8a-3e41-40d8-bc28-91af7ac6cf60", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 8}, "id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_9.json b/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_9.json deleted file mode 100644 index a84929227d5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_9.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple logon failures followed by a successful one from the same source address. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Multiple Logon Failure Followed by Logon Success", "note": "## Triage and analysis\n\n### Investigating Multiple Logon Failure Followed by Logon Success\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker potentially successfully compromised the account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Related rules\n\n- Multiple Logon Failure from the same Source Address - 48b6edfc-079d-4907-b43c-baffa243270d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "sequence by winlog.computer_name, source.ip with maxspan=5s\n [authentication where event.action == \"logon-failed\" and\n /* event 4625 need to be logged */\n winlog.logon.type : \"Network\" and user.id != null and \n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and \n not winlog.event_data.TargetUserSid : \"S-1-0-0\" and not user.id : \"S-1-0-0\" and \n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n [authentication where event.action == \"logged-in\" and\n /* event 4624 need to be logged */\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n not user.name : (\"ANONYMOUS LOGON\", \"-\", \"*$\") and not user.domain == \"NT AUTHORITY\"]\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": 
"winlog.event_data.Status", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetUserSid", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 9}, "id": "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60_9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447.json b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447.json deleted file mode 100644 index c648268bb65..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" directory. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially malicious processes through the MOTD utility.", "from": "now-9m", "index": ["logs-endpoint.events.process*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Spawned from Message-of-the-Day (MOTD)", "note": "## Triage and analysis\n\n### Investigating Process Spawned from Message-of-the-Day (MOTD)\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` directory. Files in these directories will automatically run with root privileges when they are made executable.\n\nThis rule identifies the execution of potentially malicious processes from a MOTD script, which is not likely to occur as default benign behavior. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified from which the suspicious process was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` directory have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE path LIKE '/etc/update-motd.d/%'\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path LIKE '/etc/update-motd.d/%'\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services, and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Message-of-the-Day (MOTD) File Creation - 96d11d31-9a79-480f-8401-da28b194608f\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore them to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where event.type == \"start\" and host.os.type == \"linux\" and event.action : (\"exec\", \"exec_event\") and\n process.parent.executable : \"/etc/update-motd.d/*\" and (\n (process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.args : (\"-i\", \"-l\")) or (process.parent.name == \"socat\" and process.parent.args : \"*exec*\"))) or\n (process.name : (\"nc\", \"ncat\", \"netcat\", \"nc.openbsd\") and process.args_count >= 3 and \n not process.args : (\"-*z*\", \"-*l*\")) or\n (process.name : \"python*\" and process.args : \"-c\" and process.args : (\n \"*import*pty*spawn*\", \"*import*subprocess*call*\"\n )) or\n (process.name : \"perl*\" and process.args : \"-e\" and process.args : \"*socket*\" and process.args : (\n \"*exec*\", \"*system*\"\n )) or\n (process.name : \"ruby*\" and process.args : (\"-e\", \"-rsocket\") and process.args : (\n \"*TCPSocket.new*\", \"*TCPSocket.open*\"\n )) or\n (process.name : \"lua*\" and process.args : \"-e\" and process.args : \"*socket.tcp*\" and process.args : (\n \"*io.popen*\", \"*os.execute*\"\n )) or\n (process.name : \"php*\" and process.args : \"-r\" and process.args : \"*fsockopen*\" and process.args : \"*/bin/*sh*\") or \n (process.name : (\"awk\", \"gawk\", \"mawk\", \"nawk\") and process.args : \"*/inet/tcp/*\") or \n (process.name in (\"openssl\", \"telnet\")) or\n (process.args : (\n \"./*\", \"/boot/*\", \"/dev/shm/*\", \"/etc/cron.*/*\", \"/etc/init.d/*\", \"/etc/update-motd.d/*\", \"/run/*\", \"/srv/*\",\n \"/tmp/*\", \"/var/tmp/*\", \"/var/log/*\", \"/opt/*\"\n ) and process.args_count == 1\n 
)\n) and \nnot (\n process.parent.args == \"--force\" or\n process.args in (\"/usr/games/lolcat\", \"/usr/bin/screenfetch\") or\n process.parent.name == \"system-crash-notification\"\n)\n", "references": ["https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "4ec47004-b34a-42e6-8003-376a123ea447", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 10}, "id": "4ec47004-b34a-42e6-8003-376a123ea447", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_1.json b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_1.json deleted file mode 100644 index e0e67bc593c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" and \"/usr/lib/update-notifier/\" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially malicious processes through the MOTD utility.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Spawned from MOTD Detected", "query": "process where host.os.type == \"linux\" and \nevent.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.parent.executable : (\"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\") and\nprocess.executable : (\"*sh\", \"python*\", \"perl\", \"php*\")\n", "references": ["https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "4ec47004-b34a-42e6-8003-376a123ea447", "severity": "high", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "4ec47004-b34a-42e6-8003-376a123ea447_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_2.json b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_2.json
deleted file mode 100644
index 57f9b336f58..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" and \"/usr/lib/update-notifier/\" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially malicious processes through the MOTD utility.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Spawned from MOTD Detected", "query": "process where host.os.type == \"linux\" and \nevent.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.parent.executable : (\"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\") and\nprocess.executable : (\"*sh\", \"python*\", \"perl\", \"php*\")\n", "references": ["https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "4ec47004-b34a-42e6-8003-376a123ea447", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "4ec47004-b34a-42e6-8003-376a123ea447_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_3.json b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_3.json
deleted file mode 100644
index 7741bdf643a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" and \"/usr/lib/update-notifier/\" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially malicious processes through the MOTD utility.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Spawned from MOTD Detected", "note": "## Triage and analysis\n\n### Investigating Suspicious Process Spawned from MOTD Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Files in these directories will automatically run with root privileges when they are made executable.\n\nThis rule identifies the execution of potentially malicious processes from a MOTD script, which is not likely to occur as default benign behavior. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified from which the suspicious process was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services, and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Potential Persistence Through MOTD File Creation Detected - 96d11d31-9a79-480f-8401-da28b194608f\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore them to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and \nevent.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.parent.executable : (\"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\") and\nprocess.executable : (\"*sh\", \"python*\", \"perl\", \"php*\")\n", "references": ["https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "4ec47004-b34a-42e6-8003-376a123ea447", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "4ec47004-b34a-42e6-8003-376a123ea447_3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_4.json b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_4.json
deleted file mode 100644
index 68dcd266cc3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" and \"/usr/lib/update-notifier/\" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially malicious processes through the MOTD utility.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Spawned from MOTD Detected", "note": "## Triage and analysis\n\n### Investigating Suspicious Process Spawned from MOTD Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Files in these directories will automatically run with root privileges when they are made executable.\n\nThis rule identifies the execution of potentially malicious processes from a MOTD script, which is not likely to occur as default benign behavior. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified from which the suspicious process was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services, and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Potential Persistence Through MOTD File Creation Detected - 96d11d31-9a79-480f-8401-da28b194608f\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore them to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and \nevent.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.parent.executable : (\"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\") and\nprocess.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", \"perl\", \"php*\", \"nc\", \"ncat\", \n\"netcat\", \"socat\", \"lua\", \"java\", \"openssl\", \"ruby\", \"telnet\", \"awk\")\n", "references": ["https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "4ec47004-b34a-42e6-8003-376a123ea447", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "eql", 
"version": 4}, "id": "4ec47004-b34a-42e6-8003-376a123ea447_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_5.json b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_5.json
deleted file mode 100644
index 9c028869557..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" and \"/usr/lib/update-notifier/\" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially malicious processes through the MOTD utility.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Spawned from MOTD Detected", "note": "## Triage and analysis\n\n### Investigating Suspicious Process Spawned from MOTD Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Files in these directories will automatically run with root privileges when they are made executable.\n\nThis rule identifies the execution of potentially malicious processes from a MOTD script, which is not likely to occur as default benign behavior. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified from which the suspicious process was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services, and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Potential Persistence Through MOTD File Creation Detected - 96d11d31-9a79-480f-8401-da28b194608f\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore them to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and \nevent.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.parent.executable : (\"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\") and\nprocess.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", \"perl\", \"php*\", \"nc\", \"ncat\", \n\"netcat\", \"socat\", \"lua\", \"java\", \"openssl\", \"ruby\", \"telnet\")\n", "references": ["https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "4ec47004-b34a-42e6-8003-376a123ea447", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 5}, "id": "4ec47004-b34a-42e6-8003-376a123ea447_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_6.json b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_6.json
deleted file mode 100644
index ba8f46860d6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" and \"/usr/lib/update-notifier/\" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially malicious processes through the MOTD utility.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Spawned from MOTD Detected", "note": "## Triage and analysis\n\n### Investigating Suspicious Process Spawned from MOTD Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Files in these directories will automatically run with root privileges when they are made executable.\n\nThis rule identifies the execution of potentially malicious processes from a MOTD script, which is not likely to occur as default benign behavior. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified from which the suspicious process was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services, and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Potential Persistence Through MOTD File Creation Detected - 96d11d31-9a79-480f-8401-da28b194608f\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore them to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where event.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.parent.executable : (\"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\") and (\n (process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.args : (\"-i\", \"-l\")) or (process.parent.name == \"socat\" and process.parent.args : \"*exec*\"))) or\n (process.name : (\"nc\", \"ncat\", \"netcat\", \"nc.openbsd\") and process.args_count >= 3 and \n not process.args : (\"-*z*\", \"-*l*\")) or\n (process.name : \"python*\" and process.args : \"-c\" and process.args : (\n \"*import*pty*spawn*\", \"*import*subprocess*call*\"\n )) or\n (process.name : \"perl*\" and process.args : \"-e\" and process.args : \"*socket*\" and process.args : (\n \"*exec*\", \"*system*\"\n )) or\n (process.name : \"ruby*\" and process.args : (\"-e\", \"-rsocket\") and process.args : (\n \"*TCPSocket.new*\", \"*TCPSocket.open*\"\n )) or\n (process.name : \"lua*\" and process.args : \"-e\" and process.args : \"*socket.tcp*\" and process.args : (\n \"*io.popen*\", \"*os.execute*\"\n )) or\n (process.name : \"php*\" and process.args : \"-r\" and process.args : \"*fsockopen*\" and process.args : \"*/bin/*sh*\") or \n (process.name : (\"awk\", \"gawk\", \"mawk\", \"nawk\") and process.args : \"*/inet/tcp/*\") or \n (process.name in (\"openssl\", \"telnet\"))\n) and \nnot (process.parent.args : \"--force\" or process.args : (\"/usr/games/lolcat\", \"/usr/bin/screenfetch\"))\n", "references": 
["https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "4ec47004-b34a-42e6-8003-376a123ea447", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "4ec47004-b34a-42e6-8003-376a123ea447_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_7.json b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_7.json
deleted file mode 100644
index 1f73313d27c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" and \"/usr/lib/update-notifier/\" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially malicious processes through the MOTD utility.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Spawned from MOTD Detected", "note": "## Triage and analysis\n\n### Investigating Suspicious Process Spawned from MOTD Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Files in these directories will automatically run with root privileges when they are made executable.\n\nThis rule identifies the execution of potentially malicious processes from a MOTD script, which is not likely to occur as default benign behavior. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified from which the suspicious process was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services, and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Potential Persistence Through MOTD File Creation Detected - 96d11d31-9a79-480f-8401-da28b194608f\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore them to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where event.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.parent.executable : (\"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\") and (\n (process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.args : (\"-i\", \"-l\")) or (process.parent.name == \"socat\" and process.parent.args : \"*exec*\"))) or\n (process.name : (\"nc\", \"ncat\", \"netcat\", \"nc.openbsd\") and process.args_count >= 3 and \n not process.args : (\"-*z*\", \"-*l*\")) or\n (process.name : \"python*\" and process.args : \"-c\" and process.args : (\n \"*import*pty*spawn*\", \"*import*subprocess*call*\"\n )) or\n (process.name : \"perl*\" and process.args : \"-e\" and process.args : \"*socket*\" and process.args : (\n \"*exec*\", \"*system*\"\n )) or\n (process.name : \"ruby*\" and process.args : (\"-e\", \"-rsocket\") and process.args : (\n \"*TCPSocket.new*\", \"*TCPSocket.open*\"\n )) or\n (process.name : \"lua*\" and process.args : \"-e\" and process.args : \"*socket.tcp*\" and process.args : (\n \"*io.popen*\", \"*os.execute*\"\n )) or\n (process.name : \"php*\" and process.args : \"-r\" and process.args : \"*fsockopen*\" and process.args : \"*/bin/*sh*\") or \n (process.name : (\"awk\", \"gawk\", \"mawk\", \"nawk\") and process.args : \"*/inet/tcp/*\") or \n (process.name in (\"openssl\", \"telnet\"))\n) and \nnot (process.parent.args : \"--force\" or process.args : (\"/usr/games/lolcat\", \"/usr/bin/screenfetch\"))\n", "references": 
["https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "4ec47004-b34a-42e6-8003-376a123ea447", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "4ec47004-b34a-42e6-8003-376a123ea447_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_8.json b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_8.json
deleted file mode 100644
index 1126fda0ad7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" and \"/usr/lib/update-notifier/\" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially malicious processes through the MOTD utility.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Spawned from MOTD Detected", "note": "## Triage and analysis\n\n### Investigating Suspicious Process Spawned from MOTD Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Files in these directories will automatically run with root privileges when they are made executable.\n\nThis rule identifies the execution of potentially malicious processes from a MOTD script, which is not likely to occur as default benign behavior. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified from which the suspicious process was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services, and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Potential Persistence Through MOTD File Creation Detected - 96d11d31-9a79-480f-8401-da28b194608f\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore them to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where event.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.parent.executable : (\"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\") and (\n (process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.args : (\"-i\", \"-l\")) or (process.parent.name == \"socat\" and process.parent.args : \"*exec*\"))) or\n (process.name : (\"nc\", \"ncat\", \"netcat\", \"nc.openbsd\") and process.args_count >= 3 and \n not process.args : (\"-*z*\", \"-*l*\")) or\n (process.name : \"python*\" and process.args : \"-c\" and process.args : (\n \"*import*pty*spawn*\", \"*import*subprocess*call*\"\n )) or\n (process.name : \"perl*\" and process.args : \"-e\" and process.args : \"*socket*\" and process.args : (\n \"*exec*\", \"*system*\"\n )) or\n (process.name : \"ruby*\" and process.args : (\"-e\", \"-rsocket\") and process.args : (\n \"*TCPSocket.new*\", \"*TCPSocket.open*\"\n )) or\n (process.name : \"lua*\" and process.args : \"-e\" and process.args : \"*socket.tcp*\" and process.args : (\n \"*io.popen*\", \"*os.execute*\"\n )) or\n (process.name : \"php*\" and process.args : \"-r\" and process.args : \"*fsockopen*\" and process.args : \"*/bin/*sh*\") or \n (process.name : (\"awk\", \"gawk\", \"mawk\", \"nawk\") and process.args : \"*/inet/tcp/*\") or \n (process.name in (\"openssl\", \"telnet\"))\n) and \nnot (\n (process.parent.args : \"--force\") or\n (process.args : (\"/usr/games/lolcat\", \"/usr/bin/screenfetch\")) or\n (process.parent.name == \"system-crash-notification\")\n)\n", "references": 
["https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "4ec47004-b34a-42e6-8003-376a123ea447", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "4ec47004-b34a-42e6-8003-376a123ea447_8", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_9.json b/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_9.json
deleted file mode 100644
index 83656ec25af..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4ec47004-b34a-42e6-8003-376a123ea447_9.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" and \"/usr/lib/update-notifier/\" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the execution of potentially malicious processes through the MOTD utility.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Spawned from MOTD Detected", "note": "## Triage and analysis\n\n### Investigating Suspicious Process Spawned from MOTD Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Files in these directories will automatically run with root privileges when they are made executable.\n\nThis rule identifies the execution of potentially malicious processes from a MOTD script, which is not likely to occur as default benign behavior. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified from which the suspicious process was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE\\n'/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services, and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Potential Persistence Through MOTD File Creation Detected - 96d11d31-9a79-480f-8401-da28b194608f\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore them to the original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where event.type == \"start\" and host.os.type == \"linux\" and event.action : (\"exec\", \"exec_event\") and\n process.parent.executable : (\"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\") and (\n (process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.args : (\"-i\", \"-l\")) or (process.parent.name == \"socat\" and process.parent.args : \"*exec*\"))) or\n (process.name : (\"nc\", \"ncat\", \"netcat\", \"nc.openbsd\") and process.args_count >= 3 and \n not process.args : (\"-*z*\", \"-*l*\")) or\n (process.name : \"python*\" and process.args : \"-c\" and process.args : (\n \"*import*pty*spawn*\", \"*import*subprocess*call*\"\n )) or\n (process.name : \"perl*\" and process.args : \"-e\" and process.args : \"*socket*\" and process.args : (\n \"*exec*\", \"*system*\"\n )) or\n (process.name : \"ruby*\" and process.args : (\"-e\", \"-rsocket\") and process.args : (\n \"*TCPSocket.new*\", \"*TCPSocket.open*\"\n )) or\n (process.name : \"lua*\" and process.args : \"-e\" and process.args : \"*socket.tcp*\" and process.args : (\n \"*io.popen*\", \"*os.execute*\"\n )) or\n (process.name : \"php*\" and process.args : \"-r\" and process.args : \"*fsockopen*\" and process.args : \"*/bin/*sh*\") or \n (process.name : (\"awk\", \"gawk\", \"mawk\", \"nawk\") and process.args : \"*/inet/tcp/*\") or \n (process.name in (\"openssl\", \"telnet\"))\n) and \nnot (\n (process.parent.args : \"--force\") or\n (process.args : (\"/usr/games/lolcat\", \"/usr/bin/screenfetch\")) or\n (process.parent.name == \"system-crash-notification\")\n)\n", "references": 
["https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "4ec47004-b34a-42e6-8003-376a123ea447", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 9}, "id": "4ec47004-b34a-42e6-8003-376a123ea447_9", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461.json b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461.json
deleted file mode 100644
index 44d3d27a3b6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via MSSQL xp_cmdshell Stored Procedure", "note": "## Triage and analysis\n\n### Investigating Execution via MSSQL xp_cmdshell Stored Procedure\n\nMicrosoft SQL Server (MSSQL) has procedures meant to extend its functionality, the Extended Stored Procedures. These procedures are external functions written in C/C++; some provide interfaces for external programs. This is the case for xp_cmdshell, which spawns a Windows command shell and passes in a string for execution. Attackers can use this to execute commands on the system running the SQL server, commonly to escalate their privileges and establish persistence.\n\nThe xp_cmdshell procedure is disabled by default, but when used, it has the same security context as the MSSQL Server service account, which is often privileged.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately, but it brings inherent risk. The security team must monitor any activity of it. If recurrent tasks are being executed using this mechanism, consider adding exceptions \u2014 preferably with a full command line.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that SQL servers are not directly exposed to the internet. If there is a business justification for such, use an allowlist to allow only connections from known legitimate sources.\n- Disable the xp_cmdshell stored procedure.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"sqlservr.exe\" and \n (\n (process.name : \"cmd.exe\" and \n not process.args : (\"\\\\\\\\*\", \"diskfree\", \"rmdir\", \"mkdir\", \"dir\", \"del\", \"rename\", \"bcp\", \"*XMLNAMESPACES*\", \n \"?:\\\\MSSQL\\\\Backup\\\\Jobs\\\\sql_agent_backup_job.ps1\", \"K:\\\\MSSQL\\\\Backup\\\\msdb\", \"K:\\\\MSSQL\\\\Backup\\\\Logins\")) or \n \n (process.name : \"vpnbridge.exe\" or ?process.pe.original_file_name : \"vpnbridge.exe\") or \n\n (process.name : \"certutil.exe\" or ?process.pe.original_file_name == \"CertUtil.exe\") or \n\n (process.name : \"bitsadmin.exe\" or ?process.pe.original_file_name == \"bitsadmin.exe\")\n )\n", "references": ["https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for 
EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.001", "name": "SQL Stored Procedures", "reference": "https://attack.mitre.org/techniques/T1505/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "4ed493fc-d637-4a36-80ff-ac84937e5461", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_104.json b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_104.json
deleted file mode 100644
index 9116ce31077..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via MSSQL xp_cmdshell Stored Procedure", "note": "## Triage and analysis\n\n### Investigating Execution via MSSQL xp_cmdshell Stored Procedure\n\nMicrosoft SQL Server (MSSQL) has procedures meant to extend its functionality, the Extended Stored Procedures. These procedures are external functions written in C/C++; some provide interfaces for external programs. This is the case for xp_cmdshell, which spawns a Windows command shell and passes in a string for execution. Attackers can use this to execute commands on the system running the SQL server, commonly to escalate their privileges and establish persistence.\n\nThe xp_cmdshell procedure is disabled by default, but when used, it has the same security context as the MSSQL Server service account, which is often privileged.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately, but it brings inherent risk. The security team must monitor any activity of it. If recurrent tasks are being executed using this mechanism, consider adding exceptions \u2014 preferably with a full command line.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that SQL servers are not directly exposed to the internet. If there is a business justification for such, use an allowlist to allow only connections from known legitimate sources.\n- Disable the xp_cmdshell stored procedure.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and process.parent.name : \"sqlservr.exe\" and\n not process.args : (\"\\\\\\\\*\", \"diskfree\", \"rmdir\", \"mkdir\", \"dir\", \"del\", \"rename\", \"bcp\", \"*XMLNAMESPACES*\",\n \"?:\\\\MSSQL\\\\Backup\\\\Jobs\\\\sql_agent_backup_job.ps1\", \"K:\\\\MSSQL\\\\Backup\\\\msdb\", \"K:\\\\MSSQL\\\\Backup\\\\Logins\")\n", "references": ["https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": 
[{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "4ed493fc-d637-4a36-80ff-ac84937e5461_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_105.json b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_105.json deleted file mode 100644 index 0f3dfa927cd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via MSSQL xp_cmdshell Stored Procedure", "note": "## Triage and analysis\n\n### Investigating Execution via MSSQL xp_cmdshell Stored Procedure\n\nMicrosoft SQL Server (MSSQL) has procedures meant to extend its functionality, the Extended Stored Procedures. These procedures are external functions written in C/C++; some provide interfaces for external programs. This is the case for xp_cmdshell, which spawns a Windows command shell and passes in a string for execution. Attackers can use this to execute commands on the system running the SQL server, commonly to escalate their privileges and establish persistence.\n\nThe xp_cmdshell procedure is disabled by default, but when used, it has the same security context as the MSSQL Server service account, which is often privileged.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately, but it brings inherent risk. The security team must monitor any activity of it. If recurrent tasks are being executed using this mechanism, consider adding exceptions \u2014 preferably with a full command line.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that SQL servers are not directly exposed to the internet. If there is a business justification for such, use an allowlist to allow only connections from known legitimate sources.\n- Disable the xp_cmdshell stored procedure.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and process.parent.name : \"sqlservr.exe\" and\n not process.args : (\"\\\\\\\\*\", \"diskfree\", \"rmdir\", \"mkdir\", \"dir\", \"del\", \"rename\", \"bcp\", \"*XMLNAMESPACES*\",\n \"?:\\\\MSSQL\\\\Backup\\\\Jobs\\\\sql_agent_backup_job.ps1\", \"K:\\\\MSSQL\\\\Backup\\\\msdb\", \"K:\\\\MSSQL\\\\Backup\\\\Logins\")\n", "references": ["https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": 
"https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "4ed493fc-d637-4a36-80ff-ac84937e5461_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_106.json b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_106.json deleted file mode 100644 index fb30c6928a4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via MSSQL xp_cmdshell Stored Procedure", "note": "## Triage and analysis\n\n### Investigating Execution via MSSQL xp_cmdshell Stored Procedure\n\nMicrosoft SQL Server (MSSQL) has procedures meant to extend its functionality, the Extended Stored Procedures. These procedures are external functions written in C/C++; some provide interfaces for external programs. This is the case for xp_cmdshell, which spawns a Windows command shell and passes in a string for execution. Attackers can use this to execute commands on the system running the SQL server, commonly to escalate their privileges and establish persistence.\n\nThe xp_cmdshell procedure is disabled by default, but when used, it has the same security context as the MSSQL Server service account, which is often privileged.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately, but it brings inherent risk. The security team must monitor any activity of it. If recurrent tasks are being executed using this mechanism, consider adding exceptions \u2014 preferably with a full command line.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that SQL servers are not directly exposed to the internet. If there is a business justification for such, use an allowlist to allow only connections from known legitimate sources.\n- Disable the xp_cmdshell stored procedure.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"sqlservr.exe\" and \n (\n (process.name : \"cmd.exe\" and \n not process.args : (\"\\\\\\\\*\", \"diskfree\", \"rmdir\", \"mkdir\", \"dir\", \"del\", \"rename\", \"bcp\", \"*XMLNAMESPACES*\", \n \"?:\\\\MSSQL\\\\Backup\\\\Jobs\\\\sql_agent_backup_job.ps1\", \"K:\\\\MSSQL\\\\Backup\\\\msdb\", \"K:\\\\MSSQL\\\\Backup\\\\Logins\")) or \n \n (process.name : \"vpnbridge.exe\" or process.pe.original_file_name : \"vpnbridge.exe\") or \n\n (process.name : \"certutil.exe\" or process.pe.original_file_name == \"CertUtil.exe\") or \n\n (process.name : \"bitsadmin.exe\" or process.pe.original_file_name == \"bitsadmin.exe\")\n )\n", "references": ["https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a 
custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.001", "name": "SQL Stored Procedures", "reference": "https://attack.mitre.org/techniques/T1505/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "4ed493fc-d637-4a36-80ff-ac84937e5461_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_107.json b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_107.json deleted file mode 100644 index 8051bdc2bb3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via MSSQL xp_cmdshell Stored Procedure", "note": "## Triage and analysis\n\n### Investigating Execution via MSSQL xp_cmdshell Stored Procedure\n\nMicrosoft SQL Server (MSSQL) has procedures meant to extend its functionality, the Extended Stored Procedures. These procedures are external functions written in C/C++; some provide interfaces for external programs. This is the case for xp_cmdshell, which spawns a Windows command shell and passes in a string for execution. Attackers can use this to execute commands on the system running the SQL server, commonly to escalate their privileges and establish persistence.\n\nThe xp_cmdshell procedure is disabled by default, but when used, it has the same security context as the MSSQL Server service account, which is often privileged.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately, but it brings inherent risk. The security team must monitor any activity of it. If recurrent tasks are being executed using this mechanism, consider adding exceptions \u2014 preferably with a full command line.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that SQL servers are not directly exposed to the internet. If there is a business justification for such, use an allowlist to allow only connections from known legitimate sources.\n- Disable the xp_cmdshell stored procedure.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"sqlservr.exe\" and \n (\n (process.name : \"cmd.exe\" and \n not process.args : (\"\\\\\\\\*\", \"diskfree\", \"rmdir\", \"mkdir\", \"dir\", \"del\", \"rename\", \"bcp\", \"*XMLNAMESPACES*\", \n \"?:\\\\MSSQL\\\\Backup\\\\Jobs\\\\sql_agent_backup_job.ps1\", \"K:\\\\MSSQL\\\\Backup\\\\msdb\", \"K:\\\\MSSQL\\\\Backup\\\\Logins\")) or \n \n (process.name : \"vpnbridge.exe\" or process.pe.original_file_name : \"vpnbridge.exe\") or \n\n (process.name : \"certutil.exe\" or process.pe.original_file_name == \"CertUtil.exe\") or \n\n (process.name : \"bitsadmin.exe\" or process.pe.original_file_name == \"bitsadmin.exe\")\n )\n", "references": ["https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a 
custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.001", "name": "SQL Stored Procedures", "reference": "https://attack.mitre.org/techniques/T1505/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "4ed493fc-d637-4a36-80ff-ac84937e5461_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_108.json b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_108.json deleted file mode 100644 index 86a7e5cd362..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via MSSQL xp_cmdshell Stored Procedure", "note": "## Triage and analysis\n\n### Investigating Execution via MSSQL xp_cmdshell Stored Procedure\n\nMicrosoft SQL Server (MSSQL) has procedures meant to extend its functionality, the Extended Stored Procedures. These procedures are external functions written in C/C++; some provide interfaces for external programs. This is the case for xp_cmdshell, which spawns a Windows command shell and passes in a string for execution. Attackers can use this to execute commands on the system running the SQL server, commonly to escalate their privileges and establish persistence.\n\nThe xp_cmdshell procedure is disabled by default, but when used, it has the same security context as the MSSQL Server service account, which is often privileged.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately, but it brings inherent risk. The security team must monitor any activity of it. If recurrent tasks are being executed using this mechanism, consider adding exceptions \u2014 preferably with a full command line.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that SQL servers are not directly exposed to the internet. If there is a business justification for such, use an allowlist to allow only connections from known legitimate sources.\n- Disable the xp_cmdshell stored procedure.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"sqlservr.exe\" and \n (\n (process.name : \"cmd.exe\" and \n not process.args : (\"\\\\\\\\*\", \"diskfree\", \"rmdir\", \"mkdir\", \"dir\", \"del\", \"rename\", \"bcp\", \"*XMLNAMESPACES*\", \n \"?:\\\\MSSQL\\\\Backup\\\\Jobs\\\\sql_agent_backup_job.ps1\", \"K:\\\\MSSQL\\\\Backup\\\\msdb\", \"K:\\\\MSSQL\\\\Backup\\\\Logins\")) or \n \n (process.name : \"vpnbridge.exe\" or process.pe.original_file_name : \"vpnbridge.exe\") or \n\n (process.name : \"certutil.exe\" or process.pe.original_file_name == \"CertUtil.exe\") or \n\n (process.name : \"bitsadmin.exe\" or process.pe.original_file_name == \"bitsadmin.exe\")\n )\n", "references": ["https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for 
this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.001", "name": "SQL Stored Procedures", "reference": "https://attack.mitre.org/techniques/T1505/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "4ed493fc-d637-4a36-80ff-ac84937e5461_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_109.json b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_109.json deleted file mode 100644 index da7ec4ba880..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_109.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via MSSQL xp_cmdshell Stored Procedure", "note": "## Triage and analysis\n\n### Investigating Execution via MSSQL xp_cmdshell Stored Procedure\n\nMicrosoft SQL Server (MSSQL) has procedures meant to extend its functionality, the Extended Stored Procedures. These procedures are external functions written in C/C++; some provide interfaces for external programs. This is the case for xp_cmdshell, which spawns a Windows command shell and passes in a string for execution. Attackers can use this to execute commands on the system running the SQL server, commonly to escalate their privileges and establish persistence.\n\nThe xp_cmdshell procedure is disabled by default, but when used, it has the same security context as the MSSQL Server service account, which is often privileged.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately, but it brings inherent risk. The security team must monitor any activity of it. If recurrent tasks are being executed using this mechanism, consider adding exceptions \u2014 preferably with a full command line.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that SQL servers are not directly exposed to the internet. If there is a business justification for such, use an allowlist to allow only connections from known legitimate sources.\n- Disable the xp_cmdshell stored procedure.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"sqlservr.exe\" and \n (\n (process.name : \"cmd.exe\" and \n not process.args : (\"\\\\\\\\*\", \"diskfree\", \"rmdir\", \"mkdir\", \"dir\", \"del\", \"rename\", \"bcp\", \"*XMLNAMESPACES*\", \n \"?:\\\\MSSQL\\\\Backup\\\\Jobs\\\\sql_agent_backup_job.ps1\", \"K:\\\\MSSQL\\\\Backup\\\\msdb\", \"K:\\\\MSSQL\\\\Backup\\\\Logins\")) or \n \n (process.name : \"vpnbridge.exe\" or ?process.pe.original_file_name : \"vpnbridge.exe\") or \n\n (process.name : \"certutil.exe\" or ?process.pe.original_file_name == \"CertUtil.exe\") or \n\n (process.name : \"bitsadmin.exe\" or ?process.pe.original_file_name == \"bitsadmin.exe\")\n )\n", "references": ["https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL 
rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.001", "name": "SQL Stored Procedures", "reference": "https://attack.mitre.org/techniques/T1505/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "4ed493fc-d637-4a36-80ff-ac84937e5461_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_110.json b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_110.json
deleted file mode 100644
index 4a2e2207915..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via MSSQL xp_cmdshell Stored Procedure", "note": "## Triage and analysis\n\n### Investigating Execution via MSSQL xp_cmdshell Stored Procedure\n\nMicrosoft SQL Server (MSSQL) has procedures meant to extend its functionality, the Extended Stored Procedures. These procedures are external functions written in C/C++; some provide interfaces for external programs. This is the case for xp_cmdshell, which spawns a Windows command shell and passes in a string for execution. Attackers can use this to execute commands on the system running the SQL server, commonly to escalate their privileges and establish persistence.\n\nThe xp_cmdshell procedure is disabled by default, but when used, it has the same security context as the MSSQL Server service account, which is often privileged.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately, but it brings inherent risk. The security team must monitor any activity of it. If recurrent tasks are being executed using this mechanism, consider adding exceptions \u2014 preferably with a full command line.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that SQL servers are not directly exposed to the internet. If there is a business justification for such, use an allowlist to allow only connections from known legitimate sources.\n- Disable the xp_cmdshell stored procedure.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"sqlservr.exe\" and \n (\n (process.name : \"cmd.exe\" and \n not process.args : (\"\\\\\\\\*\", \"diskfree\", \"rmdir\", \"mkdir\", \"dir\", \"del\", \"rename\", \"bcp\", \"*XMLNAMESPACES*\", \n \"?:\\\\MSSQL\\\\Backup\\\\Jobs\\\\sql_agent_backup_job.ps1\", \"K:\\\\MSSQL\\\\Backup\\\\msdb\", \"K:\\\\MSSQL\\\\Backup\\\\Logins\")) or \n \n (process.name : \"vpnbridge.exe\" or ?process.pe.original_file_name : \"vpnbridge.exe\") or \n\n (process.name : \"certutil.exe\" or ?process.pe.original_file_name == \"CertUtil.exe\") or \n\n (process.name : \"bitsadmin.exe\" or ?process.pe.original_file_name == \"bitsadmin.exe\")\n )\n", "references": ["https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for 
EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.001", "name": "SQL Stored Procedures", "reference": "https://attack.mitre.org/techniques/T1505/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "4ed493fc-d637-4a36-80ff-ac84937e5461_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_111.json b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_111.json
deleted file mode 100644
index a8c55a23ad0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via MSSQL xp_cmdshell Stored Procedure", "note": "## Triage and analysis\n\n### Investigating Execution via MSSQL xp_cmdshell Stored Procedure\n\nMicrosoft SQL Server (MSSQL) has procedures meant to extend its functionality, the Extended Stored Procedures. These procedures are external functions written in C/C++; some provide interfaces for external programs. This is the case for xp_cmdshell, which spawns a Windows command shell and passes in a string for execution. Attackers can use this to execute commands on the system running the SQL server, commonly to escalate their privileges and establish persistence.\n\nThe xp_cmdshell procedure is disabled by default, but when used, it has the same security context as the MSSQL Server service account, which is often privileged.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately, but it brings inherent risk. The security team must monitor any activity of it. If recurrent tasks are being executed using this mechanism, consider adding exceptions \u2014 preferably with a full command line.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that SQL servers are not directly exposed to the internet. If there is a business justification for such, use an allowlist to allow only connections from known legitimate sources.\n- Disable the xp_cmdshell stored procedure.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"sqlservr.exe\" and \n (\n (process.name : \"cmd.exe\" and \n not process.args : (\"\\\\\\\\*\", \"diskfree\", \"rmdir\", \"mkdir\", \"dir\", \"del\", \"rename\", \"bcp\", \"*XMLNAMESPACES*\", \n \"?:\\\\MSSQL\\\\Backup\\\\Jobs\\\\sql_agent_backup_job.ps1\", \"K:\\\\MSSQL\\\\Backup\\\\msdb\", \"K:\\\\MSSQL\\\\Backup\\\\Logins\")) or \n \n (process.name : \"vpnbridge.exe\" or ?process.pe.original_file_name : \"vpnbridge.exe\") or \n\n (process.name : \"certutil.exe\" or ?process.pe.original_file_name == \"CertUtil.exe\") or \n\n (process.name : \"bitsadmin.exe\" or ?process.pe.original_file_name == \"bitsadmin.exe\")\n )\n", "references": ["https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for 
EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.001", "name": "SQL Stored Procedures", "reference": "https://attack.mitre.org/techniques/T1505/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "4ed493fc-d637-4a36-80ff-ac84937e5461_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_112.json b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_112.json
deleted file mode 100644
index 8a9b4e7cebd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_112.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via MSSQL xp_cmdshell Stored Procedure", "note": "## Triage and analysis\n\n### Investigating Execution via MSSQL xp_cmdshell Stored Procedure\n\nMicrosoft SQL Server (MSSQL) has procedures meant to extend its functionality, the Extended Stored Procedures. These procedures are external functions written in C/C++; some provide interfaces for external programs. This is the case for xp_cmdshell, which spawns a Windows command shell and passes in a string for execution. Attackers can use this to execute commands on the system running the SQL server, commonly to escalate their privileges and establish persistence.\n\nThe xp_cmdshell procedure is disabled by default, but when used, it has the same security context as the MSSQL Server service account, which is often privileged.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately, but it brings inherent risk. The security team must monitor any activity of it. If recurrent tasks are being executed using this mechanism, consider adding exceptions \u2014 preferably with a full command line.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that SQL servers are not directly exposed to the internet. If there is a business justification for such, use an allowlist to allow only connections from known legitimate sources.\n- Disable the xp_cmdshell stored procedure.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"sqlservr.exe\" and \n (\n (process.name : \"cmd.exe\" and \n not process.args : (\"\\\\\\\\*\", \"diskfree\", \"rmdir\", \"mkdir\", \"dir\", \"del\", \"rename\", \"bcp\", \"*XMLNAMESPACES*\", \n \"?:\\\\MSSQL\\\\Backup\\\\Jobs\\\\sql_agent_backup_job.ps1\", \"K:\\\\MSSQL\\\\Backup\\\\msdb\", \"K:\\\\MSSQL\\\\Backup\\\\Logins\")) or \n \n (process.name : \"vpnbridge.exe\" or ?process.pe.original_file_name : \"vpnbridge.exe\") or \n\n (process.name : \"certutil.exe\" or ?process.pe.original_file_name == \"CertUtil.exe\") or \n\n (process.name : \"bitsadmin.exe\" or ?process.pe.original_file_name == \"bitsadmin.exe\")\n )\n", "references": ["https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for 
EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.001", "name": "SQL Stored Procedures", "reference": "https://attack.mitre.org/techniques/T1505/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "4ed493fc-d637-4a36-80ff-ac84937e5461_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_312.json b/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_312.json
deleted file mode 100644
index da45217293a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4ed493fc-d637-4a36-80ff-ac84937e5461_312.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via MSSQL xp_cmdshell Stored Procedure", "note": "## Triage and analysis\n\n### Investigating Execution via MSSQL xp_cmdshell Stored Procedure\n\nMicrosoft SQL Server (MSSQL) has procedures meant to extend its functionality, the Extended Stored Procedures. These procedures are external functions written in C/C++; some provide interfaces for external programs. This is the case for xp_cmdshell, which spawns a Windows command shell and passes in a string for execution. Attackers can use this to execute commands on the system running the SQL server, commonly to escalate their privileges and establish persistence.\n\nThe xp_cmdshell procedure is disabled by default, but when used, it has the same security context as the MSSQL Server service account, which is often privileged.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately, but it brings inherent risk. The security team must monitor any activity of it. If recurrent tasks are being executed using this mechanism, consider adding exceptions \u2014 preferably with a full command line.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that SQL servers are not directly exposed to the internet. If there is a business justification for such, use an allowlist to allow only connections from known legitimate sources.\n- Disable the xp_cmdshell stored procedure.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"sqlservr.exe\" and \n (\n (process.name : \"cmd.exe\" and \n not process.args : (\"\\\\\\\\*\", \"diskfree\", \"rmdir\", \"mkdir\", \"dir\", \"del\", \"rename\", \"bcp\", \"*XMLNAMESPACES*\", \n \"?:\\\\MSSQL\\\\Backup\\\\Jobs\\\\sql_agent_backup_job.ps1\", \"K:\\\\MSSQL\\\\Backup\\\\msdb\", \"K:\\\\MSSQL\\\\Backup\\\\Logins\")) or \n \n (process.name : \"vpnbridge.exe\" or ?process.pe.original_file_name : \"vpnbridge.exe\") or \n\n (process.name : \"certutil.exe\" or ?process.pe.original_file_name == \"CertUtil.exe\") or \n\n (process.name : \"bitsadmin.exe\" or ?process.pe.original_file_name == \"bitsadmin.exe\")\n )\n", "references": ["https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "4ed493fc-d637-4a36-80ff-ac84937e5461", "severity": "high", "tags": ["Domain: Endpoint", "OS: 
Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.001", "name": "SQL Stored Procedures", "reference": "https://attack.mitre.org/techniques/T1505/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 312}, "id": "4ed493fc-d637-4a36-80ff-ac84937e5461_312", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff.json b/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff.json deleted file mode 100644 index 25f3bf48433..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.", "from": "now-9m", "index": ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Script Object Execution", "query": "any where host.os.type == \"windows\" and \n (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and \n (?dll.name : \"scrobj.dll\" or ?file.name : \"scrobj.dll\") and \n process.executable : (\"?:\\\\Windows\\\\System32\\\\*.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\*.exe\") and \n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\cscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cscript.exe\",\n \"?:\\\\Windows\\\\system32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\system32\\\\taskhostw.exe\",\n \"?:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\windows\\\\SysWOW64\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\system32\\\\wscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wscript.exe\",\n \"?:\\\\Windows\\\\System32\\\\mshta.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cmd.exe\", \n \"?:\\\\Windows\\\\System32\\\\OpenWith.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WMIADAP.exe\",\n \"?:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": 
"event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_102.json b/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_102.json deleted file mode 100644 index 890897b0693..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Script Object Execution", "query": "sequence by process.entity_id with maxspan=2m\n [process where host.os.type == \"windows\" and event.type == \"start\"\n and (process.code_signature.subject_name in (\"Microsoft Corporation\", \"Microsoft Windows\") and\n process.code_signature.trusted == true) and\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\cscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cscript.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\",\n \"?:\\\\Windows\\\\system32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\system32\\\\taskhostw.exe\",\n \"?:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\windows\\\\SysWOW64\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\system32\\\\wscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wscript.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cmd.exe\")]\n [library where host.os.type == \"windows\" and event.type == \"start\" and dll.name : \"scrobj.dll\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "type": "eql", "version": 102}, "id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_103.json b/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_103.json deleted file mode 100644 index 2b42d615d00..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Script Object Execution", "query": "sequence by process.entity_id with maxspan=2m\n [process where host.os.type == \"windows\" and event.type == \"start\"\n and (process.code_signature.subject_name in (\"Microsoft Corporation\", \"Microsoft Windows\") and\n process.code_signature.trusted == true) and\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\cscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cscript.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\",\n \"?:\\\\Windows\\\\system32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\system32\\\\taskhostw.exe\",\n \"?:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\windows\\\\SysWOW64\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\system32\\\\wscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wscript.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cmd.exe\")]\n [library where host.os.type == \"windows\" and event.type == \"start\" and dll.name : \"scrobj.dll\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "type": "eql", "version": 103}, "id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_104.json b/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_104.json deleted file mode 100644 index d4c8f7b1582..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Script Object Execution", "query": "sequence by process.entity_id with maxspan=2m\n [process where host.os.type == \"windows\" and event.type == \"start\"\n and (process.code_signature.subject_name in (\"Microsoft Corporation\", \"Microsoft Windows\") and\n process.code_signature.trusted == true) and\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\cscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cscript.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\",\n \"?:\\\\Windows\\\\system32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\system32\\\\taskhostw.exe\",\n \"?:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\windows\\\\SysWOW64\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\system32\\\\wscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wscript.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cmd.exe\")]\n [library where host.os.type == \"windows\" and event.type == \"start\" and dll.name : \"scrobj.dll\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "type": "eql", "version": 104}, "id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_105.json b/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_105.json deleted file mode 100644 index 8aefc392313..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Script Object Execution", "query": "sequence by process.entity_id with maxspan=2m\n [process where host.os.type == \"windows\" and event.type == \"start\"\n and (process.code_signature.subject_name in (\"Microsoft Corporation\", \"Microsoft Windows\") and\n process.code_signature.trusted == true) and\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\cscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cscript.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\",\n \"?:\\\\Windows\\\\system32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\system32\\\\taskhostw.exe\",\n \"?:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\windows\\\\SysWOW64\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\system32\\\\wscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wscript.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cmd.exe\")]\n [library where host.os.type == \"windows\" and event.type == \"start\" and dll.name : \"scrobj.dll\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}]}]}], "type": "eql", "version": 105}, "id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_106.json b/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_106.json deleted file mode 100644 index 26f84cc66ff..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.", "from": "now-9m", "index": ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Script Object Execution", "query": "any where host.os.type == \"windows\" and \n (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and \n (?dll.name : \"scrobj.dll\" or ?file.name : \"scrobj.dll\") and \n process.executable : (\"?:\\\\Windows\\\\System32\\\\*.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\*.exe\") and \n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\cscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cscript.exe\",\n \"?:\\\\Windows\\\\system32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\system32\\\\taskhostw.exe\",\n \"?:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\windows\\\\SysWOW64\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\system32\\\\wscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wscript.exe\",\n \"?:\\\\Windows\\\\System32\\\\mshta.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cmd.exe\", \n \"?:\\\\Windows\\\\System32\\\\OpenWith.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WMIADAP.exe\",\n \"?:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", 
"type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_107.json b/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_107.json deleted file mode 100644 index a41bb26c42c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.", "from": "now-9m", "index": ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Script Object Execution", "query": "any where host.os.type == \"windows\" and \n (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and \n (?dll.name : \"scrobj.dll\" or ?file.name : \"scrobj.dll\") and \n process.executable : (\"?:\\\\Windows\\\\System32\\\\*.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\*.exe\") and \n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\cscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cscript.exe\",\n \"?:\\\\Windows\\\\system32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\system32\\\\taskhostw.exe\",\n \"?:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\windows\\\\SysWOW64\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\system32\\\\wscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wscript.exe\",\n \"?:\\\\Windows\\\\System32\\\\mshta.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cmd.exe\", \n \"?:\\\\Windows\\\\System32\\\\OpenWith.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WMIADAP.exe\",\n \"?:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", 
"type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_108.json b/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_108.json deleted file mode 100644 index 8f30db242e8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies scrobj.dll loaded into unusual Microsoft processes. This usually means a malicious scriptlet is being executed in the target process.", "from": "now-9m", "index": ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Script Object Execution", "query": "any where host.os.type == \"windows\" and \n (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and \n (?dll.name : \"scrobj.dll\" or ?file.name : \"scrobj.dll\") and \n process.executable : (\"?:\\\\Windows\\\\System32\\\\*.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\*.exe\") and \n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\cscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cscript.exe\",\n \"?:\\\\Windows\\\\system32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\system32\\\\taskhostw.exe\",\n \"?:\\\\windows\\\\system32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\windows\\\\SysWOW64\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\system32\\\\wscript.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wscript.exe\",\n \"?:\\\\Windows\\\\System32\\\\mshta.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\cmd.exe\", \n \"?:\\\\Windows\\\\System32\\\\OpenWith.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WMIADAP.exe\",\n \"?:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": 
"event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613.json b/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613.json deleted file mode 100644 index 9b1aae7e84d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies unauthorized access attempts to Okta applications.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Unauthorized Access to an Okta Application", "note": "", "query": "event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "4edd3e1a-3aa0-499b-8147-4d2ea43b1613", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": 
"4edd3e1a-3aa0-499b-8147-4d2ea43b1613", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_102.json b/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_102.json deleted file mode 100644 index 0510a3ec218..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies unauthorized access attempts to Okta applications.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Unauthorized Access to an Okta Application", "note": "", "query": "event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "4edd3e1a-3aa0-499b-8147-4d2ea43b1613", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": 
"4edd3e1a-3aa0-499b-8147-4d2ea43b1613_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_103.json b/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_103.json deleted file mode 100644 index d3adba173d6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies unauthorized access attempts to Okta applications.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Unauthorized Access to an Okta Application", "note": "", "query": "event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "4edd3e1a-3aa0-499b-8147-4d2ea43b1613", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", 
"version": 103}, "id": "4edd3e1a-3aa0-499b-8147-4d2ea43b1613_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_104.json b/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_104.json deleted file mode 100644 index 70e08dd7f5d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies unauthorized access attempts to Okta applications.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Unauthorized Access to an Okta Application", "note": "", "query": "event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "4edd3e1a-3aa0-499b-8147-4d2ea43b1613", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": 
"4edd3e1a-3aa0-499b-8147-4d2ea43b1613_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_105.json b/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_105.json deleted file mode 100644 index 00e3466279a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies unauthorized access attempts to Okta applications.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Unauthorized Access to an Okta Application", "note": "", "query": "event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "4edd3e1a-3aa0-499b-8147-4d2ea43b1613", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": 
"4edd3e1a-3aa0-499b-8147-4d2ea43b1613_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_206.json b/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_206.json deleted file mode 100644 index 63643b94e4b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_206.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies unauthorized access attempts to Okta applications.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Unauthorized Access to an Okta Application", "note": "", "query": "event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "4edd3e1a-3aa0-499b-8147-4d2ea43b1613", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": 
"4edd3e1a-3aa0-499b-8147-4d2ea43b1613_206", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_207.json b/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_207.json deleted file mode 100644 index 2cdef026509..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_207.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies unauthorized access attempts to Okta applications.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Unauthorized Access to an Okta Application", "note": "", "query": "event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "4edd3e1a-3aa0-499b-8147-4d2ea43b1613", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", 
"reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "4edd3e1a-3aa0-499b-8147-4d2ea43b1613_207", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_209.json b/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_209.json deleted file mode 100644 index f6ba128ab3b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_209.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies unauthorized access attempts to Okta applications.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Unauthorized Access to an Okta Application", "note": "", "query": "event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "4edd3e1a-3aa0-499b-8147-4d2ea43b1613", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", 
"reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "4edd3e1a-3aa0-499b-8147-4d2ea43b1613_209", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_309.json b/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_309.json new file mode 100644 index 00000000000..964a8b238dc --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/4edd3e1a-3aa0-499b-8147-4d2ea43b1613_309.json 
@@ -0,0 +1,101 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic",
+ "Austin Songer"
+ ],
+ "description": "Identifies unauthorized access attempts to Okta applications.",
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Unauthorized Access to an Okta Application",
+ "note": "",
+ "query": "event.dataset:okta.system and event.action:app.generic.unauth_app_access_attempt\n",
+ "references": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "4edd3e1a-3aa0-499b-8147-4d2ea43b1613",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "low",
+ "tags": [
+ "Tactic: Initial Access",
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": []
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": []
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": []
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 309
+ },
+ "id": "4edd3e1a-3aa0-499b-8147-4d2ea43b1613_309",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4f855297-c8e0-4097-9d97-d653f7e471c4.json b/packages/security_detection_engine/kibana/security_rule/4f855297-c8e0-4097-9d97-d653f7e471c4.json
deleted file mode 100644
index 8b8416865a9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4f855297-c8e0-4097-9d97-d653f7e471c4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects repeated high-confidence 'BLOCKED' actions coupled with specific violation codes such as 'MISCONDUCT', indicating persistent misuse or attempts to probe the model's ethical boundaries.", "false_positives": ["New model deployments.", "Testing updates to compliance policies."], "from": "now-60m", "interval": "10m", "language": "esql", "license": "Elastic License v2", "name": "Unusual High Confidence Misconduct Blocks Detected", "query": "from logs-aws_bedrock.invocation-*\n| where gen_ai.policy.confidence == \"HIGH\" and gen_ai.policy.action == \"BLOCKED\" and gen_ai.compliance.violation_code == \"MISCONDUCT\"\n| stats high_confidence_blocks = count() by user.id\n| where high_confidence_blocks > 5\n| sort high_confidence_blocks desc\n", "references": ["https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", "https://atlas.mitre.org/techniques/AML.T0051", "https://atlas.mitre.org/techniques/AML.T0054", "https://www.elastic.co/security-labs/elastic-advances-llm-security"], "risk_score": 73, "rule_id": "4f855297-c8e0-4097-9d97-d653f7e471c4", "setup": "## Setup\n\nThis rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:\n\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\n", "severity": "high", "tags": ["Domain: LLM", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Use Case: Policy Violation", "Mitre Atlas: T0051", "Mitre Atlas: T0054"], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "4f855297-c8e0-4097-9d97-d653f7e471c4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4f855297-c8e0-4097-9d97-d653f7e471c4_1.json b/packages/security_detection_engine/kibana/security_rule/4f855297-c8e0-4097-9d97-d653f7e471c4_1.json deleted file mode 100644 index 2b48e1862b6..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/4f855297-c8e0-4097-9d97-d653f7e471c4_1.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects repeated high-confidence 'BLOCKED' actions coupled with specific violation codes such as 'MISCONDUCT', indicating persistent misuse or attempts to probe the model's ethical boundaries.", "false_positives": ["New model deployments.", "Testing updates to compliance policies."], "from": "now-60m", "interval": "10m", "language": "esql", "license": "Elastic License v2", "name": "Unusual High Confidence Misconduct Blocks Detected", "query": "from logs-aws_bedrock.invocation-*\n| where gen_ai.policy.confidence == \"HIGH\" and gen_ai.policy.action == \"BLOCKED\" and gen_ai.compliance.violation_code == \"MISCONDUCT\"\n| stats high_confidence_blocks = count() by user.id\n| where high_confidence_blocks > 5\n| sort high_confidence_blocks desc\n", "references": ["https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", "https://atlas.mitre.org/techniques/AML.T0051", "https://atlas.mitre.org/techniques/AML.T0054", "https://www.elastic.co/security-labs/elastic-advances-llm-security"], "risk_score": 73, "rule_id": "4f855297-c8e0-4097-9d97-d653f7e471c4", "setup": "## Setup\n\nThis rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:\n\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\n", "severity": "high", "tags": ["Domain: LLM", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Use Case: Policy Violation", "Mitre Atlas: T0051", "Mitre Atlas: T0054"], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "4f855297-c8e0-4097-9d97-d653f7e471c4_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/4f855297-c8e0-4097-9d97-d653f7e471c4_2.json b/packages/security_detection_engine/kibana/security_rule/4f855297-c8e0-4097-9d97-d653f7e471c4_2.json
deleted file mode 100644
index 10d2ae955de..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4f855297-c8e0-4097-9d97-d653f7e471c4_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects repeated high-confidence 'BLOCKED' actions coupled with specific violation codes such as 'MISCONDUCT', indicating persistent misuse or attempts to probe the model's ethical boundaries.", "false_positives": ["New model deployments.", "Testing updates to compliance policies."], "from": "now-60m", "interval": "10m", "language": "esql", "license": "Elastic License v2", "name": "Unusual High Confidence Misconduct Blocks Detected", "query": "from logs-aws_bedrock.invocation-*\n| where gen_ai.policy.confidence == \"HIGH\" and gen_ai.policy.action == \"BLOCKED\" and gen_ai.compliance.violation_code == \"MISCONDUCT\"\n| keep gen_ai.policy.confidence, gen_ai.policy.action, gen_ai.compliance.violation_code, user.id\n| stats high_confidence_blocks = count() by user.id\n| where high_confidence_blocks > 5\n| sort high_confidence_blocks desc\n", "references": ["https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", "https://atlas.mitre.org/techniques/AML.T0051", "https://atlas.mitre.org/techniques/AML.T0054", "https://www.elastic.co/security-labs/elastic-advances-llm-security"], "risk_score": 73, "rule_id": "4f855297-c8e0-4097-9d97-d653f7e471c4", "setup": "## Setup\n\nThis rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:\n\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\n", "severity": "high", "tags": ["Domain: LLM", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Use Case: Policy Violation", "Mitre Atlas: T0051", "Mitre Atlas: T0054"], "timestamp_override": "event.ingested", "type": "esql", "version": 2}, "id": "4f855297-c8e0-4097-9d97-d653f7e471c4_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/4f855297-c8e0-4097-9d97-d653f7e471c4_3.json b/packages/security_detection_engine/kibana/security_rule/4f855297-c8e0-4097-9d97-d653f7e471c4_3.json
deleted file mode 100644
index 78f93a4148b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4f855297-c8e0-4097-9d97-d653f7e471c4_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects repeated high-confidence 'BLOCKED' actions coupled with specific violation codes such as 'MISCONDUCT', indicating persistent misuse or attempts to probe the model's ethical boundaries.", "false_positives": ["New model deployments.", "Testing updates to compliance policies."], "from": "now-60m", "interval": "10m", "language": "esql", "license": "Elastic License v2", "name": "Unusual High Confidence Misconduct Blocks Detected", "query": "from logs-aws_bedrock.invocation-*\n| MV_EXPAND gen_ai.compliance.violation_code\n| MV_EXPAND gen_ai.policy.confidence\n| where gen_ai.policy.action == \"BLOCKED\" and gen_ai.policy.confidence LIKE \"HIGH\" and gen_ai.compliance.violation_code LIKE \"MISCONDUCT\"\n| keep user.id\n| stats high_confidence_blocks = count() by user.id\n| where high_confidence_blocks > 5\n| sort high_confidence_blocks desc\n", "references": ["https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", "https://atlas.mitre.org/techniques/AML.T0051", "https://atlas.mitre.org/techniques/AML.T0054", "https://www.elastic.co/security-labs/elastic-advances-llm-security"], "risk_score": 73, "rule_id": "4f855297-c8e0-4097-9d97-d653f7e471c4", "setup": "## Setup\n\nThis rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:\n\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\n", "severity": "high", "tags": ["Domain: LLM", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Use Case: Policy Violation", "Mitre Atlas: T0051", "Mitre Atlas: T0054"], "timestamp_override": "event.ingested", "type": "esql", "version": 3}, "id": "4f855297-c8e0-4097-9d97-d653f7e471c4_3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8.json b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8.json
deleted file mode 100644
index 7263771fce7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via TSClient Mountpoint", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"\\\\Device\\\\Mup\\\\tsclient\\\\*.exe\"\n", "references": ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": 
"Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "4fe9d835-40e1-452d-8230-17c147cafad8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_103.json b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_103.json deleted file mode 100644 index 6142e6cf03d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via TSClient Mountpoint", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"\\\\Device\\\\Mup\\\\tsclient\\\\*.exe\"\n", "references": ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "4fe9d835-40e1-452d-8230-17c147cafad8_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_104.json b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_104.json
deleted file mode 100644
index 1f9781eaceb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via TSClient Mountpoint", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"\\\\Device\\\\Mup\\\\tsclient\\\\*.exe\"\n", "references": ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "4fe9d835-40e1-452d-8230-17c147cafad8_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_105.json b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_105.json
deleted file mode 100644
index 599fbb4ca2c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via TSClient Mountpoint", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"\\\\Device\\\\Mup\\\\tsclient\\\\*.exe\"\n", "references": ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "4fe9d835-40e1-452d-8230-17c147cafad8_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_106.json b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_106.json
deleted file mode 100644
index 35926309204..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via TSClient Mountpoint", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"\\\\Device\\\\Mup\\\\tsclient\\\\*.exe\"\n", "references": ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "4fe9d835-40e1-452d-8230-17c147cafad8_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_107.json b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_107.json
deleted file mode 100644
index e255ea7ccfc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via TSClient Mountpoint", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"\\\\Device\\\\Mup\\\\tsclient\\\\*.exe\"\n", "references": ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "4fe9d835-40e1-452d-8230-17c147cafad8_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_108.json b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_108.json
deleted file mode 100644
index 7309b94d1c1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via TSClient Mountpoint", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"\\\\Device\\\\Mup\\\\tsclient\\\\*.exe\"\n", "references": ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "4fe9d835-40e1-452d-8230-17c147cafad8_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_109.json b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_109.json
deleted file mode 100644
index ea85f067caf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via TSClient Mountpoint", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"\\\\Device\\\\Mup\\\\tsclient\\\\*.exe\"\n", "references": ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "4fe9d835-40e1-452d-8230-17c147cafad8_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_110.json b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_110.json
deleted file mode 100644
index 6ff4b114805..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via TSClient Mountpoint", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"\\\\Device\\\\Mup\\\\tsclient\\\\*.exe\"\n", "references": ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "4fe9d835-40e1-452d-8230-17c147cafad8_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_111.json b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_111.json
deleted file mode 100644
index c8b972ad05c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via TSClient Mountpoint", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"\\\\Device\\\\Mup\\\\tsclient\\\\*.exe\"\n", "references": ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3", "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "4fe9d835-40e1-452d-8230-17c147cafad8_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_311.json b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_311.json
deleted file mode 100644
index a00076135bb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_311.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via TSClient Mountpoint", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"\\\\Device\\\\Mup\\\\tsclient\\\\*.exe\"\n", "references": ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3", "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 311}, "id": "4fe9d835-40e1-452d-8230-17c147cafad8_311", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_312.json b/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_312.json
deleted file mode 100644
index 260884e277b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/4fe9d835-40e1-452d-8230-17c147cafad8_312.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies execution from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on the target host. This may indicate a lateral movement attempt.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via TSClient Mountpoint", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"\\\\Device\\\\Mup\\\\tsclient\\\\*.exe\"\n", "references": ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3", "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "4fe9d835-40e1-452d-8230-17c147cafad8", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 312}, "id": "4fe9d835-40e1-452d-8230-17c147cafad8_312", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd.json b/packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd.json
deleted file mode 100644
index 51e3771fbb5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy.", "false_positives": ["An Okta admnistrator may be logged into multiple accounts from the same host for legitimate reasons.", "Users may share an endpoint related to work or personal use in which separate Okta accounts are used.", "Shared systems such as Kiosks and conference room computers may be used by multiple users."], "from": "now-9m", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", "note": "## Triage and analysis\n\n### Investigating Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy\n\nThis rule detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy. This may indicate that a shared device between users, or that a user is using a proxy to access multiple accounts for password spraying.\n\n#### Possible investigation steps:\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n - Since the device is behind a proxy, the `okta.client.ip` field will not be useful for determining the actual device IP address.\n- Review the `okta.request.ip_chain` field for more information about the geographic location of the proxy.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\n- Examine the `okta.outcome.result` field to determine if the authentication was successful.\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\n - Shared working spaces may have a single endpoint that is used by multiple users.\n\n### Response and remediation:\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for the user.\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\n - This will prevent future occurrences of this event for this device from triggering the rule.\n", "query": "event.dataset:okta.system\n and not okta.actor.id:okta* and okta.debug_context.debug_data.dt_hash:*\n and okta.event_type:user.authentication* and okta.security_context.is_proxy:true\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.debug_context.debug_data.dt_hash", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}, {"ecs": false, "name": "okta.security_context.is_proxy", "type": "boolean"}], "risk_score": 47, "rule_id": "50887ba8-7ff7-11ee-a038-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}, {"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.004", "name": "Credential Stuffing", "reference": "https://attack.mitre.org/techniques/T1110/004/"}]}]}], "threshold": {"cardinality": [{"field": "okta.actor.id", "value": 3}], "field": ["okta.debug_context.debug_data.dt_hash"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 2}, "id": "50887ba8-7ff7-11ee-a038-f661ea17fbcd", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd_1.json b/packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd_1.json
deleted file mode 100644
index c9a9f0f9510..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when Okta user or system events are reported for multiple users with the same device token hash.", "false_positives": ["An Okta admnistrator may be logged into multiple accounts from the same host for legitimate reasons.", "Users may share an endpoint related to work or personal use in which separate Okta accounts are used.", "Shared systems such as Kiosks and conference room computers may be used by multiple users."], "from": "now-9m", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Multiple Okta Users with the Same Device Token Hash", "note": "## Setup", "query": "event.dataset:okta.system and not okta.actor.id:okta* and okta.debug_context.debug_data.dt_hash:* and okta.event_type:(system* or user*)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.debug_context.debug_data.dt_hash", "type": "unknown"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}], "risk_score": 47, "rule_id": "50887ba8-7ff7-11ee-a038-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, 
"technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "threshold": {"cardinality": [{"field": "okta.actor.id", "value": 2}], "field": ["okta.debug_context.debug_data.dt_hash"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 1}, "id": "50887ba8-7ff7-11ee-a038-f661ea17fbcd_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd_105.json b/packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd_105.json new file mode 100644 index 00000000000..db92de16eb9 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd_105.json 
@@ -0,0 +1,126 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy.", + "false_positives": [ + "An Okta admnistrator may be logged into multiple accounts from the same host for legitimate reasons.", + "Users may share an endpoint related to work or personal use in which separate Okta accounts are used.", + "Shared systems such as Kiosks and conference room computers may be used by multiple users." + ], + "from": "now-9m", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", + "note": "## Triage and analysis\n\n### Investigating Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy\n\nThis rule detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy. 
This may indicate that a shared device between users, or that a user is using a proxy to access multiple accounts for password spraying.\n\n#### Possible investigation steps:\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n - Since the device is behind a proxy, the `okta.client.ip` field will not be useful for determining the actual device IP address.\n- Review the `okta.request.ip_chain` field for more information about the geographic location of the proxy.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\n- Examine the `okta.outcome.result` field to determine if the authentication was successful.\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n- Users may share an endpoint 
related to work or personal use in which separate Okta accounts are used.\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\n - Shared working spaces may have a single endpoint that is used by multiple users.\n\n### Response and remediation:\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for the user.\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\n - This will prevent future occurrences of this event for this device from triggering the rule.\n", + "query": "event.dataset:okta.system\n and not okta.actor.id:okta* and okta.debug_context.debug_data.dt_hash:*\n and okta.event_type:user.authentication* and okta.security_context.is_proxy:true\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + 
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", + "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.actor.id", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.debug_context.debug_data.dt_hash", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.event_type", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.security_context.is_proxy", + "type": "boolean" + } + ], + "risk_score": 47, + "rule_id": "50887ba8-7ff7-11ee-a038-f661ea17fbcd", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Tactic: Credential Access" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.003", + "name": "Password Spraying", + "reference": "https://attack.mitre.org/techniques/T1110/003/" + } + ] + }, + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/", + "subtechnique": [ + { + "id": "T1110.004", + "name": "Credential Stuffing", + "reference": "https://attack.mitre.org/techniques/T1110/004/" + } + ] + } + ] + } + ], + "threshold": { + "cardinality": [ + { + "field": "okta.actor.id", 
+ "value": 3 + } + ], + "field": [ + "okta.debug_context.debug_data.dt_hash" + ], + "value": 1 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 105 + }, + "id": "50887ba8-7ff7-11ee-a038-f661ea17fbcd_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd_2.json b/packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd_2.json deleted file mode 100644 index 0931de38c5f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd_2.json +++ /dev/null 
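Review bot: The rule text in this new version still carries the wording defects of the versions it replaces — `admnistrator` in `false_positives`, `users involves` and `This may indicate that a shared device between users` in `note` — and since this package mirrors the upstream rule, the correction belongs in the source rule rather than in this generated JSON (`An Okta administrator may be logged into multiple accounts…`, `resetting passwords for the users involved`, `This may indicate a device shared between users`). The `threat` block also lists technique T1110 twice with one subtechnique each; grouping T1110.003 and T1110.004 under a single T1110 entry is the usual shape for this mapping and avoids the duplicate. The response step that suggests adding a shared `dt_hash` to the rule's exception list deserves a caveat, because an exception for a kiosk's device token also silences spraying launched from that kiosk; a sentence such as `Prefer time-bound exceptions for shared devices and re-review them periodically` would make that trade-off explicit to the analyst.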
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy.", "false_positives": ["An Okta admnistrator may be logged into multiple accounts from the same host for legitimate reasons.", "Users may share an endpoint related to work or personal use in which separate Okta accounts are used.", "Shared systems such as Kiosks and conference room computers may be used by multiple users."], "from": "now-9m", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", "note": "## Triage and analysis\n\n### Investigating Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy\n\nThis rule detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy. This may indicate that a shared device between users, or that a user is using a proxy to access multiple accounts for password spraying.\n\n#### Possible investigation steps:\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n - Since the device is behind a proxy, the `okta.client.ip` field will not be useful for determining the actual device IP address.\n- Review the `okta.request.ip_chain` field for more information about the geographic location of the proxy.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to 
determine the type of authentication event that occurred.\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\n- Examine the `okta.outcome.result` field to determine if the authentication was successful.\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\n - Shared working spaces may have a single endpoint that is used by multiple users.\n\n### Response and remediation:\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance 
with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for the user.\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\n - This will prevent future occurrences of this event for this device from triggering the rule.\n", "query": "event.dataset:okta.system\n and not okta.actor.id:okta* and okta.debug_context.debug_data.dt_hash:*\n and okta.event_type:user.authentication* and okta.security_context.is_proxy:true\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.debug_context.debug_data.dt_hash", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}, {"ecs": false, "name": "okta.security_context.is_proxy", "type": "boolean"}], "risk_score": 47, "rule_id": "50887ba8-7ff7-11ee-a038-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": 
"https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}, {"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.004", "name": "Credential Stuffing", "reference": "https://attack.mitre.org/techniques/T1110/004/"}]}]}], "threshold": {"cardinality": [{"field": "okta.actor.id", "value": 3}], "field": ["okta.debug_context.debug_data.dt_hash"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 2}, "id": "50887ba8-7ff7-11ee-a038-f661ea17fbcd_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd_3.json b/packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd_3.json deleted file mode 100644 index 225e0693e97..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy.", "false_positives": ["An Okta admnistrator may be logged into multiple accounts from the same host for legitimate reasons.", "Users may share an endpoint related to work or personal use in which separate Okta accounts are used.", "Shared systems such as Kiosks and conference room computers may be used by multiple users."], "from": "now-9m", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", "note": "## Triage and analysis\n\n### Investigating Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy\n\nThis rule detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy. This may indicate that a shared device between users, or that a user is using a proxy to access multiple accounts for password spraying.\n\n#### Possible investigation steps:\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n - Since the device is behind a proxy, the `okta.client.ip` field will not be useful for determining the actual device IP address.\n- Review the `okta.request.ip_chain` field for more information about the geographic location of the proxy.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to 
determine the type of authentication event that occurred.\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\n- Examine the `okta.outcome.result` field to determine if the authentication was successful.\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\n - Shared working spaces may have a single endpoint that is used by multiple users.\n\n### Response and remediation:\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance 
with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for the user.\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\n - This will prevent future occurrences of this event for this device from triggering the rule.\n", "query": "event.dataset:okta.system\n and not okta.actor.id:okta* and okta.debug_context.debug_data.dt_hash:*\n and okta.event_type:user.authentication* and okta.security_context.is_proxy:true\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.debug_context.debug_data.dt_hash", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}, {"ecs": false, "name": "okta.security_context.is_proxy", "type": "boolean"}], "risk_score": 47, "rule_id": "50887ba8-7ff7-11ee-a038-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: 
Okta", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}, {"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.004", "name": "Credential Stuffing", "reference": "https://attack.mitre.org/techniques/T1110/004/"}]}]}], "threshold": {"cardinality": [{"field": "okta.actor.id", "value": 3}], "field": ["okta.debug_context.debug_data.dt_hash"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 3}, "id": "50887ba8-7ff7-11ee-a038-f661ea17fbcd_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd_5.json b/packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd_5.json deleted file mode 100644 index e9bd42f34d2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/50887ba8-7ff7-11ee-a038-f661ea17fbcd_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy.", "false_positives": ["An Okta admnistrator may be logged into multiple accounts from the same host for legitimate reasons.", "Users may share an endpoint related to work or personal use in which separate Okta accounts are used.", "Shared systems such as Kiosks and conference room computers may be used by multiple users."], "from": "now-9m", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", "note": "## Triage and analysis\n\n### Investigating Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy\n\nThis rule detects when Okta user authentication events are reported for multiple users with the same device token hash behind a proxy. This may indicate that a shared device between users, or that a user is using a proxy to access multiple accounts for password spraying.\n\n#### Possible investigation steps:\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n - Since the device is behind a proxy, the `okta.client.ip` field will not be useful for determining the actual device IP address.\n- Review the `okta.request.ip_chain` field for more information about the geographic location of the proxy.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to 
determine the type of authentication event that occurred.\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\n- Examine the `okta.outcome.result` field to determine if the authentication was successful.\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\n - Shared working spaces may have a single endpoint that is used by multiple users.\n\n### Response and remediation:\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance 
with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for the user.\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\n - This will prevent future occurrences of this event for this device from triggering the rule.\n", "query": "event.dataset:okta.system\n and not okta.actor.id:okta* and okta.debug_context.debug_data.dt_hash:*\n and okta.event_type:user.authentication* and okta.security_context.is_proxy:true\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.debug_context.debug_data.dt_hash", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}, {"ecs": false, "name": "okta.security_context.is_proxy", "type": "boolean"}], "risk_score": 47, "rule_id": "50887ba8-7ff7-11ee-a038-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: 
Okta", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}, {"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.004", "name": "Credential Stuffing", "reference": "https://attack.mitre.org/techniques/T1110/004/"}]}]}], "threshold": {"cardinality": [{"field": "okta.actor.id", "value": 3}], "field": ["okta.debug_context.debug_data.dt_hash"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 5}, "id": "50887ba8-7ff7-11ee-a038-f661ea17fbcd_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169.json b/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169.json deleted file mode 100644 index 65b98f7990f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects the execution of commands used to discover information about the system, which attackers may use after compromising a system to gain situational awareness.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Windows System Information Discovery", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n process.name : \"cmd.exe\" and process.args : \"ver*\" and not\n process.parent.executable : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Keybase\\\\upd.exe\",\n \"?:\\\\Users\\\\*\\\\python*.exe\"\n )\n ) or \n process.name : (\"systeminfo.exe\", \"hostname.exe\") or \n (process.name : \"wmic.exe\" and process.args : \"os\" and process.args : \"get\")\n) and not\nprocess.parent.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\ProgramData\\\\*\"\n) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "51176ed2-2d90-49f2-9f3d-17196428b169", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": 
"Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "51176ed2-2d90-49f2-9f3d-17196428b169", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_1.json b/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_1.json deleted file mode 100644 index b9b134fce74..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects the execution of commands used to discover information about the system, which attackers may use after compromising a system to gain situational awareness.", "from": "now-119m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Windows System Information Discovery", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n process.name : \"cmd.exe\" and process.args : \"ver*\" and not\n process.parent.executable : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Keybase\\\\upd.exe\",\n \"?:\\\\Users\\\\*\\\\python*.exe\"\n )\n ) or \n process.name : (\"systeminfo.exe\", \"hostname.exe\") or \n (process.name : \"wmic.exe\" and process.args : \"os\" and process.args : \"get\")\n) and not\nprocess.parent.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\ProgramData\\\\*\"\n) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "51176ed2-2d90-49f2-9f3d-17196428b169", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, 
"technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "51176ed2-2d90-49f2-9f3d-17196428b169_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_2.json b/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_2.json deleted file mode 100644 index e8c6099ee37..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects the execution of commands used to discover information about the system, which attackers may use after compromising a system to gain situational awareness.", "from": "now-119m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Windows System Information Discovery", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n process.name : \"cmd.exe\" and process.args : \"ver*\" and not\n process.parent.executable : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Keybase\\\\upd.exe\",\n \"?:\\\\Users\\\\*\\\\python*.exe\"\n )\n ) or \n process.name : (\"systeminfo.exe\", \"hostname.exe\") or \n (process.name : \"wmic.exe\" and process.args : \"os\" and process.args : \"get\")\n) and not\nprocess.parent.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\ProgramData\\\\*\"\n) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "51176ed2-2d90-49f2-9f3d-17196428b169", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": 
"https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "51176ed2-2d90-49f2-9f3d-17196428b169_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_3.json b/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_3.json deleted file mode 100644 index 09223c3fe12..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects the execution of commands used to discover information about the system, which attackers may use after compromising a system to gain situational awareness.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows System Information Discovery", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n process.name : \"cmd.exe\" and process.args : \"ver*\" and not\n process.parent.executable : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Keybase\\\\upd.exe\",\n \"?:\\\\Users\\\\*\\\\python*.exe\"\n )\n ) or \n process.name : (\"systeminfo.exe\", \"hostname.exe\") or \n (process.name : \"wmic.exe\" and process.args : \"os\" and process.args : \"get\")\n) and not\nprocess.parent.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\ProgramData\\\\*\"\n) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "51176ed2-2d90-49f2-9f3d-17196428b169", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": 
"https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "51176ed2-2d90-49f2-9f3d-17196428b169_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_4.json b/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_4.json deleted file mode 100644 index 13affff51d3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects the execution of commands used to discover information about the system, which attackers may use after compromising a system to gain situational awareness.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows System Information Discovery", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n process.name : \"cmd.exe\" and process.args : \"ver*\" and not\n process.parent.executable : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Keybase\\\\upd.exe\",\n \"?:\\\\Users\\\\*\\\\python*.exe\"\n )\n ) or \n process.name : (\"systeminfo.exe\", \"hostname.exe\") or \n (process.name : \"wmic.exe\" and process.args : \"os\" and process.args : \"get\")\n) and not\nprocess.parent.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\ProgramData\\\\*\"\n) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "51176ed2-2d90-49f2-9f3d-17196428b169", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": 
"https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "51176ed2-2d90-49f2-9f3d-17196428b169_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_5.json b/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_5.json deleted file mode 100644 index 9cd1832c3b1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects the execution of commands used to discover information about the system, which attackers may use after compromising a system to gain situational awareness.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Windows System Information Discovery", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n process.name : \"cmd.exe\" and process.args : \"ver*\" and not\n process.parent.executable : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Keybase\\\\upd.exe\",\n \"?:\\\\Users\\\\*\\\\python*.exe\"\n )\n ) or \n process.name : (\"systeminfo.exe\", \"hostname.exe\") or \n (process.name : \"wmic.exe\" and process.args : \"os\" and process.args : \"get\")\n) and not\nprocess.parent.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\ProgramData\\\\*\"\n) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "51176ed2-2d90-49f2-9f3d-17196428b169", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": 
"https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "51176ed2-2d90-49f2-9f3d-17196428b169_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_6.json b/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_6.json deleted file mode 100644 index 5c0c5c043a0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects the execution of commands used to discover information about the system, which attackers may use after compromising a system to gain situational awareness.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Windows System Information Discovery", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n process.name : \"cmd.exe\" and process.args : \"ver*\" and not\n process.parent.executable : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Keybase\\\\upd.exe\",\n \"?:\\\\Users\\\\*\\\\python*.exe\"\n )\n ) or \n process.name : (\"systeminfo.exe\", \"hostname.exe\") or \n (process.name : \"wmic.exe\" and process.args : \"os\" and process.args : \"get\")\n) and not\nprocess.parent.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\ProgramData\\\\*\"\n) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "51176ed2-2d90-49f2-9f3d-17196428b169", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": 
"Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "51176ed2-2d90-49f2-9f3d-17196428b169_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_7.json b/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_7.json deleted file mode 100644 index 21e18246a5d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/51176ed2-2d90-49f2-9f3d-17196428b169_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects the execution of commands used to discover information about the system, which attackers may use after compromising a system to gain situational awareness.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Windows System Information Discovery", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n process.name : \"cmd.exe\" and process.args : \"ver*\" and not\n process.parent.executable : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Keybase\\\\upd.exe\",\n \"?:\\\\Users\\\\*\\\\python*.exe\"\n )\n ) or \n process.name : (\"systeminfo.exe\", \"hostname.exe\") or \n (process.name : \"wmic.exe\" and process.args : \"os\" and process.args : \"get\")\n) and not\nprocess.parent.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\ProgramData\\\\*\"\n) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "51176ed2-2d90-49f2-9f3d-17196428b169", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": 
"Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "51176ed2-2d90-49f2-9f3d-17196428b169_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5124e65f-df97-4471-8dcb-8e3953b3ea97.json b/packages/security_detection_engine/kibana/security_rule/5124e65f-df97-4471-8dcb-8e3953b3ea97.json deleted file mode 100644 index 3e62abf3f3c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5124e65f-df97-4471-8dcb-8e3953b3ea97.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identify activity related where adversaries can add the 'hidden' flag to files to hide them from the user in an attempt to evade detection.", "from": "now-119m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Hidden Files and Directories via Hidden Flag", "query": "file where event.type == \"creation\" and process.name == \"chflags\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "5124e65f-df97-4471-8dcb-8e3953b3ea97", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "5124e65f-df97-4471-8dcb-8e3953b3ea97", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5124e65f-df97-4471-8dcb-8e3953b3ea97_1.json b/packages/security_detection_engine/kibana/security_rule/5124e65f-df97-4471-8dcb-8e3953b3ea97_1.json deleted file mode 100644 index 6123bbc9f86..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/5124e65f-df97-4471-8dcb-8e3953b3ea97_1.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identify activity related where adversaries can add the 'hidden' flag to files to hide them from the user in an attempt to evade detection.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Hidden Files and Directories via Hidden Flag", "query": "file where event.type : \"creation\" and process.name : \"chflags\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "5124e65f-df97-4471-8dcb-8e3953b3ea97", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "5124e65f-df97-4471-8dcb-8e3953b3ea97_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5124e65f-df97-4471-8dcb-8e3953b3ea97_2.json b/packages/security_detection_engine/kibana/security_rule/5124e65f-df97-4471-8dcb-8e3953b3ea97_2.json deleted file mode 100644 index 1a14be02130..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/5124e65f-df97-4471-8dcb-8e3953b3ea97_2.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identify activity related where adversaries can add the 'hidden' flag to files to hide them from the user in an attempt to evade detection.", "from": "now-119m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Hidden Files and Directories via Hidden Flag", "query": "file where event.type == \"creation\" and process.name == \"chflags\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "5124e65f-df97-4471-8dcb-8e3953b3ea97", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "5124e65f-df97-4471-8dcb-8e3953b3ea97_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7.json b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7.json
deleted file mode 100644
index 297d1dcf0e1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppCert DLL", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: 
Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.009", "name": "AppCert DLLs", "reference": "https://attack.mitre.org/techniques/T1546/009/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.009", "name": "AppCert DLLs", "reference": "https://attack.mitre.org/techniques/T1546/009/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 312}, "id": "513f0ffd-b317-4b9c-9494-92ce861f22c7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_102.json b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_102.json
deleted file mode 100644
index 7fd1bef3222..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppCert DLL", "note": "", "query": "registry where host.os.type == \"windows\" and\n/* uncomment once stable length(bytes_written_string) > 0 and */\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.009", "name": "AppCert DLLs", "reference": "https://attack.mitre.org/techniques/T1546/009/"}]}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 102}, "id": "513f0ffd-b317-4b9c-9494-92ce861f22c7_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_103.json b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_103.json
deleted file mode 100644
index 3391ccd883d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppCert DLL", "note": "", "query": "registry where host.os.type == \"windows\" and\n/* uncomment once stable length(bytes_written_string) > 0 and */\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.009", "name": "AppCert DLLs", "reference": "https://attack.mitre.org/techniques/T1546/009/"}]}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "513f0ffd-b317-4b9c-9494-92ce861f22c7_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_104.json b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_104.json
deleted file mode 100644
index fedd01382f8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppCert DLL", "note": "", "query": "registry where host.os.type == \"windows\" and\n/* uncomment once stable length(bytes_written_string) > 0 and */\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.009", "name": "AppCert DLLs", "reference": 
"https://attack.mitre.org/techniques/T1546/009/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "513f0ffd-b317-4b9c-9494-92ce861f22c7_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_105.json b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_105.json
deleted file mode 100644
index 370faa49b20..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppCert DLL", "note": "", "query": "registry where host.os.type == \"windows\" and\n/* uncomment once stable length(bytes_written_string) > 0 and */\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.009", "name": "AppCert DLLs", 
"reference": "https://attack.mitre.org/techniques/T1546/009/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.009", "name": "AppCert DLLs", "reference": "https://attack.mitre.org/techniques/T1546/009/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "513f0ffd-b317-4b9c-9494-92ce861f22c7_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_106.json b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_106.json
deleted file mode 100644
index f253b69d763..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppCert DLL", "query": "registry where host.os.type == \"windows\" and\n/* uncomment once stable length(bytes_written_string) > 0 and */\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": 
"T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.009", "name": "AppCert DLLs", "reference": "https://attack.mitre.org/techniques/T1546/009/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.009", "name": "AppCert DLLs", "reference": "https://attack.mitre.org/techniques/T1546/009/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "513f0ffd-b317-4b9c-9494-92ce861f22c7_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_107.json b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_107.json
deleted file mode 100644
index aaf00f86997..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppCert DLL", "query": "registry where host.os.type == \"windows\" and\n/* uncomment once stable length(bytes_written_string) > 0 and */\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.009", "name": "AppCert DLLs", "reference": "https://attack.mitre.org/techniques/T1546/009/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.009", "name": "AppCert DLLs", "reference": "https://attack.mitre.org/techniques/T1546/009/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "513f0ffd-b317-4b9c-9494-92ce861f22c7_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_108.json b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_108.json
deleted file mode 100644
index 65cd8e46bee..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppCert DLL", "query": "registry where host.os.type == \"windows\" and\n/* uncomment once stable length(bytes_written_string) > 0 and */\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.009", "name": "AppCert DLLs", "reference": "https://attack.mitre.org/techniques/T1546/009/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.009", "name": "AppCert DLLs", "reference": "https://attack.mitre.org/techniques/T1546/009/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "513f0ffd-b317-4b9c-9494-92ce861f22c7_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_209.json b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_209.json
deleted file mode 100644
index 0baba484467..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_209.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppCert DLL", "query": "registry where host.os.type == \"windows\" and\n/* uncomment once stable length(bytes_written_string) > 0 and */\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data 
Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.009", "name": "AppCert DLLs", "reference": "https://attack.mitre.org/techniques/T1546/009/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.009", "name": "AppCert DLLs", "reference": "https://attack.mitre.org/techniques/T1546/009/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 209}, "id": "513f0ffd-b317-4b9c-9494-92ce861f22c7_209", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_310.json b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_310.json
deleted file mode 100644
index ce8a99ed025..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_310.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppCert DLL", "query": "registry where host.os.type == \"windows\" and\n/* uncomment once stable length(bytes_written_string) > 0 and */\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data 
Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.009", "name": "AppCert DLLs", "reference": "https://attack.mitre.org/techniques/T1546/009/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.009", "name": "AppCert DLLs", "reference": "https://attack.mitre.org/techniques/T1546/009/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 310}, "id": "513f0ffd-b317-4b9c-9494-92ce861f22c7_310", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_311.json b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_311.json
deleted file mode 100644
index 74373d2f112..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_311.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppCert DLL", "query": "registry where host.os.type == \"windows\" and\n/* uncomment once stable length(bytes_written_string) > 0 and */\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: 
Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.009", "name": "AppCert DLLs", "reference": "https://attack.mitre.org/techniques/T1546/009/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.009", "name": "AppCert DLLs", "reference": "https://attack.mitre.org/techniques/T1546/009/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 311}, "id": "513f0ffd-b317-4b9c-9494-92ce861f22c7_311", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_312.json b/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_312.json
deleted file mode 100644
index 77df104cb98..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/513f0ffd-b317-4b9c-9494-92ce861f22c7_312.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to maintain persistence by creating registry keys using AppCert DLLs. AppCert DLLs are loaded by every process using the common API functions to create processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppCert DLL", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\",\n \"MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Session Manager\\\\AppCertDLLs\\\\*\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "513f0ffd-b317-4b9c-9494-92ce861f22c7", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: 
Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.009", "name": "AppCert DLLs", "reference": "https://attack.mitre.org/techniques/T1546/009/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.009", "name": "AppCert DLLs", "reference": "https://attack.mitre.org/techniques/T1546/009/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 312}, "id": "513f0ffd-b317-4b9c-9494-92ce861f22c7_312", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379.json b/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379.json deleted file mode 100644 index 1cdad6b536f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a DomainKeys Identified Mail (DKIM) signing configuration is disabled in Microsoft 365. With DKIM in Microsoft 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the receiving email system to validate that the messages were generated by a server that the organization authorized and were not spoofed.", "false_positives": ["Disabling a DKIM configuration may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Set-DkimSigningConfig\" and o365.audit.Parameters.Enabled:False and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/set-dkimsigningconfig?view=exchange-ps"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Parameters.Enabled", "type": "unknown"}], "risk_score": 47, "rule_id": "514121ce-c7b6-474a-8237-68ff71672379", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "514121ce-c7b6-474a-8237-68ff71672379", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_101.json b/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_101.json deleted file mode 100644 index 956818e6dc1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a DomainKeys Identified Mail (DKIM) signing configuration is disabled in Microsoft 365. With DKIM in Microsoft 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the receiving email system to validate that the messages were generated by a server that the organization authorized and were not spoofed.", "false_positives": ["Disabling a DKIM configuration may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Set-DkimSigningConfig\" and o365.audit.Parameters.Enabled:False and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/set-dkimsigningconfig?view=exchange-ps"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Parameters.Enabled", "type": "unknown"}], "risk_score": 47, "rule_id": "514121ce-c7b6-474a-8237-68ff71672379", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Data Protection", "Persistence"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "514121ce-c7b6-474a-8237-68ff71672379_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_102.json b/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_102.json deleted file mode 100644 index f97d6894a90..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a DomainKeys Identified Mail (DKIM) signing configuration is disabled in Microsoft 365. With DKIM in Microsoft 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the receiving email system to validate that the messages were generated by a server that the organization authorized and were not spoofed.", "false_positives": ["Disabling a DKIM configuration may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Set-DkimSigningConfig\" and o365.audit.Parameters.Enabled:False and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/set-dkimsigningconfig?view=exchange-ps"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Parameters.Enabled", "type": "unknown"}], "risk_score": 47, "rule_id": "514121ce-c7b6-474a-8237-68ff71672379", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "514121ce-c7b6-474a-8237-68ff71672379_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_103.json b/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_103.json deleted file mode 100644 index 56708f56b91..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a DomainKeys Identified Mail (DKIM) signing configuration is disabled in Microsoft 365. With DKIM in Microsoft 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the receiving email system to validate that the messages were generated by a server that the organization authorized and were not spoofed.", "false_positives": ["Disabling a DKIM configuration may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Set-DkimSigningConfig\" and o365.audit.Parameters.Enabled:False and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/set-dkimsigningconfig?view=exchange-ps"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Parameters.Enabled", "type": "unknown"}], "risk_score": 47, "rule_id": "514121ce-c7b6-474a-8237-68ff71672379", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "514121ce-c7b6-474a-8237-68ff71672379_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_105.json b/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_105.json deleted file mode 100644 index 7d244509238..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/514121ce-c7b6-474a-8237-68ff71672379_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a DomainKeys Identified Mail (DKIM) signing configuration is disabled in Microsoft 365. With DKIM in Microsoft 365, messages that are sent from Exchange Online will be cryptographically signed. This will allow the receiving email system to validate that the messages were generated by a server that the organization authorized and were not spoofed.", "false_positives": ["Disabling a DKIM configuration may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange DKIM Signing Configuration Disabled", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Set-DkimSigningConfig\" and o365.audit.Parameters.Enabled:False and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/set-dkimsigningconfig?view=exchange-ps"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Parameters.Enabled", "type": "unknown"}], "risk_score": 47, "rule_id": "514121ce-c7b6-474a-8237-68ff71672379", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "514121ce-c7b6-474a-8237-68ff71672379_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305.json b/packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305.json deleted file mode 100644 index ca01acaebe0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a Logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may delete a Logging sink to evade detection.", "false_positives": ["Logging sink deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging sink deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Logging Sink Deletion", "note": "", "query": "event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success\n", "references": ["https://cloud.google.com/logging/docs/export"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "51859fa0-d86b-4214-bf48-ebb30ed91305", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": 
"https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "51859fa0-d86b-4214-bf48-ebb30ed91305", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305_103.json b/packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305_103.json deleted file mode 100644 index 805d7a9536b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/51859fa0-d86b-4214-bf48-ebb30ed91305_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a Logging sink deletion in Google Cloud Platform (GCP). Every time a log entry arrives, Logging compares the log entry to the sinks in that resource. Each sink whose filter matches the log entry writes a copy of the log entry to the sink's export destination. An adversary may delete a Logging sink to evade detection.", "false_positives": ["Logging sink deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging sink deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Logging Sink Deletion", "note": "", "query": "event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteSink and event.outcome:success\n", "references": ["https://cloud.google.com/logging/docs/export"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "51859fa0-d86b-4214-bf48-ebb30ed91305", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Log Auditing"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], 
"timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "51859fa0-d86b-4214-bf48-ebb30ed91305_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5188c68e-d3de-4e96-994d-9e242269446f.json b/packages/security_detection_engine/kibana/security_rule/5188c68e-d3de-4e96-994d-9e242269446f.json deleted file mode 100644 index 13e2785e6e2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5188c68e-d3de-4e96-994d-9e242269446f.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies DACL modifications to deny access to a service, making it unstoppable, or hide it from system and users.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Service DACL Modification via sc.exe", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or ?process.pe.original_file_name : \"sc.exe\") and\n process.args : \"sdset\" and process.args : \"*D;*\" and\n process.args : (\"*;IU*\", \"*;SU*\", \"*;BA*\", \"*;SY*\", \"*;WD*\")\n", "references": ["https://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml", "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "5188c68e-d3de-4e96-994d-9e242269446f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: 
Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "5188c68e-d3de-4e96-994d-9e242269446f", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5188c68e-d3de-4e96-994d-9e242269446f_103.json b/packages/security_detection_engine/kibana/security_rule/5188c68e-d3de-4e96-994d-9e242269446f_103.json deleted file mode 100644 index 21f4e83c67d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5188c68e-d3de-4e96-994d-9e242269446f_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies DACL modifications to deny access to a service, making it unstoppable, or hide it from system and users.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Service DACL Modification via sc.exe", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or ?process.pe.original_file_name : \"sc.exe\") and\n process.args : \"sdset\" and process.args : \"*D;*\" and\n process.args : (\"*;IU*\", \"*;SU*\", \"*;BA*\", \"*;SY*\", \"*;WD*\")\n", "references": ["https://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml", "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "5188c68e-d3de-4e96-994d-9e242269446f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: 
Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "5188c68e-d3de-4e96-994d-9e242269446f_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5188c68e-d3de-4e96-994d-9e242269446f_2.json b/packages/security_detection_engine/kibana/security_rule/5188c68e-d3de-4e96-994d-9e242269446f_2.json deleted file mode 100644 index c1fcb8ff578..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5188c68e-d3de-4e96-994d-9e242269446f_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies DACL modifications to deny access to a service, making it unstoppable, or hide it from system and users.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Service DACL Modification via sc.exe", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or ?process.pe.original_file_name : \"sc.exe\") and\n process.args : \"sdset\" and process.args : \"*D;*\" and\n process.args : (\"*;IU*\", \"*;SU*\", \"*;BA*\", \"*;SY*\", \"*;WD*\")\n", "references": ["https://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml", "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "5188c68e-d3de-4e96-994d-9e242269446f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: 
Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "5188c68e-d3de-4e96-994d-9e242269446f_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5188c68e-d3de-4e96-994d-9e242269446f_203.json b/packages/security_detection_engine/kibana/security_rule/5188c68e-d3de-4e96-994d-9e242269446f_203.json deleted file mode 100644 index d5e698aa60a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5188c68e-d3de-4e96-994d-9e242269446f_203.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies DACL modifications to deny access to a service, making it unstoppable, or hide it from system and users.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Service DACL Modification via sc.exe", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or ?process.pe.original_file_name : \"sc.exe\") and\n process.args : \"sdset\" and process.args : \"*D;*\" and\n process.args : (\"*;IU*\", \"*;SU*\", \"*;BA*\", \"*;SY*\", \"*;WD*\")\n", "references": ["https://blogs.jpcert.or.jp/en/2024/07/mirrorface-attack-against-japanese-organisations.html", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml", "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "5188c68e-d3de-4e96-994d-9e242269446f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: 
Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 203}, "id": "5188c68e-d3de-4e96-994d-9e242269446f_203", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51a09737-80f7-4551-a3be-dac8ef5d181a.json b/packages/security_detection_engine/kibana/security_rule/51a09737-80f7-4551-a3be-dac8ef5d181a.json deleted file mode 100644 index ba939b380e2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/51a09737-80f7-4551-a3be-dac8ef5d181a.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors the syslog log file for messages related to instances of a out-of-tree kernel module load, indicating the taining of the kernel. Rootkits often leverage kernel modules as their main defense evasion technique. Detecting tainted kernel module loads is crucial for ensuring system security and integrity, as malicious or unauthorized modules can compromise the kernel and lead to system vulnerabilities or unauthorized access.", "from": "now-9m", "index": ["logs-system.syslog-*"], "language": "kuery", "license": "Elastic License v2", "name": "Tainted Out-Of-Tree Kernel Module Load", "query": "host.os.type:linux and event.dataset:\"system.syslog\" and process.name:kernel and \nmessage:\"loading out-of-tree module taints kernel.\"\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "51a09737-80f7-4551-a3be-dac8ef5d181a", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Filebeat\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat for the Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the Filebeat System Module to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "51a09737-80f7-4551-a3be-dac8ef5d181a", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51a09737-80f7-4551-a3be-dac8ef5d181a_1.json b/packages/security_detection_engine/kibana/security_rule/51a09737-80f7-4551-a3be-dac8ef5d181a_1.json deleted file mode 100644 index 5747ac36745..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/51a09737-80f7-4551-a3be-dac8ef5d181a_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors the syslog log file for messages related to instances of a out-of-tree kernel module load, indicating the taining of the kernel. Rootkits often leverage kernel modules as their main defense evasion technique. Detecting tainted kernel module loads is crucial for ensuring system security and integrity, as malicious or unauthorized modules can compromise the kernel and lead to system vulnerabilities or unauthorized access.", "from": "now-9m", "index": ["logs-system.syslog-*"], "language": "kuery", "license": "Elastic License v2", "name": "Tainted Out-Of-Tree Kernel Module Load", "query": "host.os.type:linux and event.dataset:\"system.syslog\" and process.name:kernel and \nmessage:\"loading out-of-tree module taints kernel.\"\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "51a09737-80f7-4551-a3be-dac8ef5d181a", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Filebeat\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat for the Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the Filebeat System Module to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "51a09737-80f7-4551-a3be-dac8ef5d181a_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a.json b/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a.json deleted file mode 100644 index affcf2744b6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming DCOM Lateral Movement with MMC", "query": "sequence by host.id with maxspan=1m\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mmc.exe\" and source.port >= 49152 and\n destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"mmc.exe\"\n ] by process.parent.entity_id\n", "references": ["https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, 
{"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 73, "rule_id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.003", "name": "Distributed Component Object Model", "reference": "https://attack.mitre.org/techniques/T1021/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.014", "name": "MMC", "reference": "https://attack.mitre.org/techniques/T1218/014/"}]}]}], "type": "eql", "version": 108}, "id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_103.json b/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_103.json deleted file mode 100644 index b1b623f0f7b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming DCOM Lateral Movement with MMC", "query": "sequence by host.id with maxspan=1m\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mmc.exe\" and source.port >= 49152 and\n destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"mmc.exe\"\n ] by process.parent.entity_id\n", "references": ["https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], 
"risk_score": 73, "rule_id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.003", "name": "Distributed Component Object Model", "reference": "https://attack.mitre.org/techniques/T1021/003/"}]}]}], "type": "eql", "version": 103}, "id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_104.json b/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_104.json deleted file mode 100644 index 207bd25eab0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming DCOM Lateral Movement with MMC", "query": "sequence by host.id with maxspan=1m\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mmc.exe\" and source.port >= 49152 and\n destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"mmc.exe\"\n ] by process.parent.entity_id\n", "references": ["https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], 
"risk_score": 73, "rule_id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.003", "name": "Distributed Component Object Model", "reference": "https://attack.mitre.org/techniques/T1021/003/"}]}]}], "type": "eql", "version": 104}, "id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_105.json b/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_105.json deleted file mode 100644 index 4a8197c1f1e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming DCOM Lateral Movement with MMC", "query": "sequence by host.id with maxspan=1m\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mmc.exe\" and source.port >= 49152 and\n destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"mmc.exe\"\n ] by process.parent.entity_id\n", "references": ["https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], 
"risk_score": 73, "rule_id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.003", "name": "Distributed Component Object Model", "reference": "https://attack.mitre.org/techniques/T1021/003/"}]}]}], "type": "eql", "version": 105}, "id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_106.json b/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_106.json deleted file mode 100644 index f1ce1f49a7f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming DCOM Lateral Movement with MMC", "query": "sequence by host.id with maxspan=1m\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mmc.exe\" and source.port >= 49152 and\n destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"mmc.exe\"\n ] by process.parent.entity_id\n", "references": ["https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], 
"risk_score": 73, "rule_id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.003", "name": "Distributed Component Object Model", "reference": "https://attack.mitre.org/techniques/T1021/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.014", "name": "MMC", "reference": "https://attack.mitre.org/techniques/T1218/014/"}]}]}], "type": "eql", "version": 106}, "id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_107.json b/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_107.json deleted file mode 100644 index 66e40fb2ed5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming DCOM Lateral Movement with MMC", "query": "sequence by host.id with maxspan=1m\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mmc.exe\" and source.port >= 49152 and\n destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"mmc.exe\"\n ] by process.parent.entity_id\n", "references": ["https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": 
"long"}], "risk_score": 73, "rule_id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.003", "name": "Distributed Component Object Model", "reference": "https://attack.mitre.org/techniques/T1021/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.014", "name": "MMC", "reference": "https://attack.mitre.org/techniques/T1218/014/"}]}]}], "type": "eql", "version": 107}, "id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_108.json b/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_108.json deleted file mode 100644 index 642cdb63399..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/51ce96fb-9e52-4dad-b0ba-99b54440fc9a_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the MMC20 Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming DCOM Lateral Movement with MMC", "query": "sequence by host.id with maxspan=1m\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mmc.exe\" and source.port >= 49152 and\n destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"mmc.exe\"\n ] by process.parent.entity_id\n", "references": ["https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, 
{"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 73, "rule_id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.003", "name": "Distributed Component Object Model", "reference": "https://attack.mitre.org/techniques/T1021/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.014", "name": "MMC", "reference": "https://attack.mitre.org/techniques/T1218/014/"}]}]}], "type": "eql", "version": 108}, "id": "51ce96fb-9e52-4dad-b0ba-99b54440fc9a_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0.json b/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0.json deleted file mode 100644 index c19c02e550d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a specific user account within a short time interval, followed by a successful authentication.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Successful Linux RDP Brute Force Attack Detected", "query": "sequence by host.id, related.user with maxspan=5s\n [authentication where host.os.type == \"linux\" and event.action == \"authenticated\" and\n auditd.data.terminal : \"*rdp*\" and event.outcome == \"failure\"] with runs=10\n [authentication where host.os.type == \"linux\" and event.action == \"authenticated\" and\n auditd.data.terminal : \"*rdp*\" and event.outcome == \"success\"] | tail 1\n", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.terminal", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "related.user", "type": "keyword"}], "risk_score": 47, "rule_id": "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Auditd 
Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required to be added to the integration.\n", "severity": "medium", "tags": ["Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password 
Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 7}, "id": "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_1.json b/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_1.json deleted file mode 100644 index edf21b2cfd6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a specific user account within a short time interval, followed by a successful authentication.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Successful Linux RDP Brute Force Attack Detected", "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n```\nFor this detection rule no additional audit rules are required to be added to the integration. \n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "sequence by host.id, related.user with maxspan=5s\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal : \"*rdp*\" and event.outcome == \"failure\"] with runs=10\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal : \"*rdp*\" and event.outcome == \"success\"] | tail 1\n", "related_integrations": [{"integration": "auditd", "package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.terminal", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "related.user", "type": "keyword"}], "risk_score": 47, "rule_id": "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0", "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n```\nFor this detection rule no additional audit rules are required to be added to the integration.\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 1}, "id": "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_2.json b/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_2.json deleted file mode 100644 index 383edd9cd25..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a specific user account within a short time interval, followed by a successful authentication.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Successful Linux RDP Brute Force Attack Detected", "note": "### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Auditd Manager and select the integration to see more details about it.\n- Click Add Auditd Manager.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed `auditd manager` to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click Save and Continue.\n- For more details on the integeration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required to be added to the integration.", "query": "sequence by host.id, related.user with maxspan=5s\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal : \"*rdp*\" and event.outcome == \"failure\"] with runs=10\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal : \"*rdp*\" and event.outcome == \"success\"] | tail 1\n", "related_integrations": 
[{"integration": "auditd", "package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.terminal", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "related.user", "type": "keyword"}], "risk_score": 47, "rule_id": "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0", "setup": "This rule requires data coming in either from Auditbeat integration, or Auditd Manager integration.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 2}, "id": "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_3.json b/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_3.json deleted file mode 100644 index a106db6e861..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a specific user account within a short time interval, followed by a successful authentication.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Successful Linux RDP Brute Force Attack Detected", "query": "sequence by host.id, related.user with maxspan=5s\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal : \"*rdp*\" and event.outcome == \"failure\"] with runs=10\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal : \"*rdp*\" and event.outcome == \"success\"] | tail 1\n", "related_integrations": [{"integration": "auditd", "package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.terminal", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "related.user", "type": "keyword"}], "risk_score": 
47, "rule_id": "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0", "setup": "\nThis rule requires data coming in either from Auditbeat integration, or Auditd Manager integration.\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Auditd Manager and select the integration to see more details about it.\n- Click Add Auditd Manager.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed `auditd manager` to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click Save and Continue.\n- For more details on the integeration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required to be added to the integration.\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": 
"T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 3}, "id": "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_4.json b/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_4.json deleted file mode 100644 index a7b43c7eb1c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_4.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a specific user account within a short time interval, followed by a successful authentication.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Successful Linux RDP Brute Force Attack Detected", "query": "sequence by host.id, related.user with maxspan=5s\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal : \"*rdp*\" and event.outcome == \"failure\"] with runs=10\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal : \"*rdp*\" and event.outcome == \"success\"] | tail 1\n", "related_integrations": [{"integration": "auditd", "package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.terminal", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "related.user", "type": "keyword"}], "risk_score": 
47, "rule_id": "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Auditd Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required to be added to the integration.\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": 
"https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 4}, "id": "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_5.json b/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_5.json
deleted file mode 100644
index 7bbc3072b47..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a specific user account within a short time interval, followed by a successful authentication.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Successful Linux RDP Brute Force Attack Detected", "query": "sequence by host.id, related.user with maxspan=5s\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal : \"*rdp*\" and event.outcome == \"failure\"] with runs=10\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal : \"*rdp*\" and event.outcome == \"success\"] | tail 1\n", "related_integrations": [{"integration": "auditd", "package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.terminal", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "related.user", "type": "keyword"}], "risk_score": 
47, "rule_id": "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Auditd Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required to be added to the integration.\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": 
"https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 5}, "id": "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_6.json b/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_6.json
deleted file mode 100644
index 009aeccc14b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An RDP (Remote Desktop Protocol) brute force attack involves an attacker repeatedly attempting various username and password combinations to gain unauthorized access to a remote computer via RDP, and if successful, the potential impact can include unauthorized control over the compromised system, data theft, or the ability to launch further attacks within the network, jeopardizing the security and confidentiality of the targeted system and potentially compromising the entire network infrastructure. This rule identifies multiple consecutive authentication failures targeting a specific user account within a short time interval, followed by a successful authentication.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Successful Linux RDP Brute Force Attack Detected", "query": "sequence by host.id, related.user with maxspan=5s\n [authentication where host.os.type == \"linux\" and event.action == \"authenticated\" and\n auditd.data.terminal : \"*rdp*\" and event.outcome == \"failure\"] with runs=10\n [authentication where host.os.type == \"linux\" and event.action == \"authenticated\" and\n auditd.data.terminal : \"*rdp*\" and event.outcome == \"success\"] | tail 1\n", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.terminal", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "related.user", "type": "keyword"}], "risk_score": 47, "rule_id": "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Auditd Manager\n\n### 
Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required to be added to the integration.\n\n", "severity": "medium", "tags": ["Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password 
Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 6}, "id": "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef.json b/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef.json
deleted file mode 100644
index 4df7a435f1f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.", "false_positives": ["The GuardDuty detector may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Detector deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS GuardDuty Detector Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html", "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "523116c0-d89d-4d7c-82c2-39e6845a78ef", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": 
"Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "523116c0-d89d-4d7c-82c2-39e6845a78ef", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_102.json b/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_102.json
deleted file mode 100644
index 16db24e39e5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.", "false_positives": ["The GuardDuty detector may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Detector deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS GuardDuty Detector Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html", "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "523116c0-d89d-4d7c-82c2-39e6845a78ef", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair 
Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "523116c0-d89d-4d7c-82c2-39e6845a78ef_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_103.json b/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_103.json
deleted file mode 100644
index 64a4bdca6c6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.", "false_positives": ["The GuardDuty detector may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Detector deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS GuardDuty Detector Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html", "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "523116c0-d89d-4d7c-82c2-39e6845a78ef", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair 
Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "523116c0-d89d-4d7c-82c2-39e6845a78ef_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_104.json b/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_104.json
deleted file mode 100644
index 6c9683b171b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.", "false_positives": ["The GuardDuty detector may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Detector deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS GuardDuty Detector Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html", "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "523116c0-d89d-4d7c-82c2-39e6845a78ef", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair 
Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "523116c0-d89d-4d7c-82c2-39e6845a78ef_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_205.json b/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_205.json
deleted file mode 100644
index 083b331f467..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/523116c0-d89d-4d7c-82c2-39e6845a78ef_205.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.", "false_positives": ["The GuardDuty detector may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Detector deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS GuardDuty Detector Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:guardduty.amazonaws.com and event.action:DeleteDetector and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html", "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "523116c0-d89d-4d7c-82c2-39e6845a78ef", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair 
Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "523116c0-d89d-4d7c-82c2-39e6845a78ef_205", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0.json deleted file mode 100644 index 9cda4534238..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Linux Restricted Shell Breakout via Linux Binary(s)", "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware 
execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n(\n /* launching shell from capsh */\n (process.name == \"capsh\" and process.args == \"--\") or\n \n /* launching shells from unusual parents or parent+arg combos */\n 
(process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.parent.name : \"*awk\" and process.parent.args : \"BEGIN {system(*)}\") or\n (process.parent.name == \"git\" and process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or \n process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") and not process.name == \"ssh\" ) or\n (process.parent.name : (\"byebug\", \"ftp\", \"strace\", \"zip\", \"tar\") and \n (\n process.parent.args : \"BEGIN {system(*)}\" or\n (process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\")) or\n (\n (process.parent.args : \"exec=*sh\" or (process.parent.args : \"-I\" and process.parent.args : \"*sh\")) or\n (process.args : \"exec=*sh\" or (process.args : \"-I\" and process.args : \"*sh\"))\n )\n )\n ) or\n \n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args : \"*sh\" and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \".\" and process.parent.args == \"-exec\" and \n process.parent.args == \";\" and process.parent.args : \"/bin/*sh\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n )\n )) or\n\n /* shells specified in args */\n (process.args : \"*sh\" and (\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n \n )) or\n (process.name == \"busybox\" and event.action == \"exec\" and process.args_count == 2 and process.args : \"*sh\" and not \n process.executable : 
\"/var/lib/docker/overlay2/*/merged/bin/busybox\" and not (process.parent.args == \"init\" and\n process.parent.args == \"runc\") and not process.parent.args in (\"ls-remote\", \"push\", \"fetch\") and not process.parent.name == \"mkinitramfs\") or\n (process.name == \"env\" and process.args_count == 2 and process.args : \"*sh\") or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args : \":!*sh\") or\n (process.parent.name in (\"c89\", \"c99\", \"gcc\") and process.parent.args : \"*sh,-s\" and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args : \"spawn *sh;interact\") or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args : \"\\\\!*sh\") or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args : \"ProxyCommand=;*sh 0<&2 1>&2\")\n)\n", "references": ["https://gtfobins.github.io/gtfobins/apt/", "https://gtfobins.github.io/gtfobins/apt-get/", "https://gtfobins.github.io/gtfobins/nawk/", "https://gtfobins.github.io/gtfobins/mawk/", "https://gtfobins.github.io/gtfobins/awk/", "https://gtfobins.github.io/gtfobins/gawk/", "https://gtfobins.github.io/gtfobins/busybox/", "https://gtfobins.github.io/gtfobins/c89/", "https://gtfobins.github.io/gtfobins/c99/", "https://gtfobins.github.io/gtfobins/cpulimit/", "https://gtfobins.github.io/gtfobins/crash/", "https://gtfobins.github.io/gtfobins/env/", "https://gtfobins.github.io/gtfobins/expect/", "https://gtfobins.github.io/gtfobins/find/", "https://gtfobins.github.io/gtfobins/flock/", "https://gtfobins.github.io/gtfobins/gcc/", "https://gtfobins.github.io/gtfobins/mysql/", "https://gtfobins.github.io/gtfobins/nice/", "https://gtfobins.github.io/gtfobins/ssh/", "https://gtfobins.github.io/gtfobins/vi/", "https://gtfobins.github.io/gtfobins/vim/", "https://gtfobins.github.io/gtfobins/capsh/", 
"https://gtfobins.github.io/gtfobins/byebug/", "https://gtfobins.github.io/gtfobins/git/", "https://gtfobins.github.io/gtfobins/ftp/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "52376a86-ee86-4967-97ae-1a05f55816f0", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nSession View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. 
Session View is available on enterprise subscription for versions 8.3 and above.\n#### To confirm that Session View data is enabled:\n- Go to \u201cManage \u2192 Policies\u201d, and edit one or more of your Elastic Defend integration policies.\n- Select the\u201d Policy settings\u201d tab, then scroll down to the \u201cLinux event collection\u201d section near the bottom.\n- Check the box for \u201cProcess events\u201d, and turn on the \u201cInclude session data\u201d toggle.\n- If you want to include file and network alerts in Session View, check the boxes for \u201cNetwork and File events\u201d.\n- If you want to enable terminal output capture, turn on the \u201cCapture terminal output\u201d toggle.\nFor more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "52376a86-ee86-4967-97ae-1a05f55816f0", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_103.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_103.json deleted file mode 100644 index e9c16a2cbeb..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Linux binary(s) abuse to breakout of restricted shells or environments by spawning an interactive system shell. The linux utility(s) activity of spawning shell is not a standard use of the binary for a user or system administrator. It may indicates an attempt to improve the capabilities or stability of an adversary access.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Linux Restricted Shell Breakout via Linux Binary(s)", "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware 
execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n (\n /* launch shells from unusual process */\n (process.name == \"capsh\" and process.args == \"--\") or\n\n /* launching shells from unusual parents or parent+arg combos 
*/\n (process.name in (\"bash\", \"sh\", \"dash\",\"ash\") and\n (process.parent.name in (\"byebug\",\"git\",\"ftp\",\"strace\")) or\n\n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \"-exec\" and process.parent.args == \";\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n ) or\n\n /* shells specified in args */\n (process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") and\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n )\n ) or\n (process.name == \"busybox\" and process.args_count == 2 and process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") )or\n (process.name == \"env\" and process.args_count == 2 and process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\")) or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args in (\":!/bin/bash\", \":!/bin/sh\", \":!bash\", \":!sh\")) or\n (process.parent.name in (\"c89\",\"c99\", \"gcc\") and process.parent.args in (\"sh,-s\", \"bash,-s\", \"dash,-s\", \"ash,-s\", \"/bin/sh,-s\", \"/bin/bash,-s\", \"/bin/dash,-s\", \"/bin/ash,-s\") and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args 
== \"-c\" and process.parent.args in (\"spawn /bin/sh;interact\", \"spawn /bin/bash;interact\", \"spawn /bin/dash;interact\", \"spawn sh;interact\", \"spawn bash;interact\", \"spawn dash;interact\")) or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args in (\"\\\\!*sh\", \"\\\\!*bash\", \"\\\\!*dash\", \"\\\\!*/bin/sh\", \"\\\\!*/bin/bash\", \"\\\\!*/bin/dash\")) or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args in (\"ProxyCommand=;sh 0<&2 1>&2\", \"ProxyCommand=;bash 0<&2 1>&2\", \"ProxyCommand=;dash 0<&2 1>&2\", \"ProxyCommand=;/bin/sh 0<&2 1>&2\", \"ProxyCommand=;/bin/bash 0<&2 1>&2\", \"ProxyCommand=;/bin/dash 0<&2 1>&2\")) or\n (process.parent.name in (\"nawk\", \"mawk\", \"awk\", \"gawk\") and process.parent.args : \"BEGIN {system(*)}\")\n )\n", "references": ["https://gtfobins.github.io/gtfobins/apt/", "https://gtfobins.github.io/gtfobins/apt-get/", "https://gtfobins.github.io/gtfobins/nawk/", "https://gtfobins.github.io/gtfobins/mawk/", "https://gtfobins.github.io/gtfobins/awk/", "https://gtfobins.github.io/gtfobins/gawk/", "https://gtfobins.github.io/gtfobins/busybox/", "https://gtfobins.github.io/gtfobins/c89/", "https://gtfobins.github.io/gtfobins/c99/", "https://gtfobins.github.io/gtfobins/cpulimit/", "https://gtfobins.github.io/gtfobins/crash/", "https://gtfobins.github.io/gtfobins/env/", "https://gtfobins.github.io/gtfobins/expect/", "https://gtfobins.github.io/gtfobins/find/", "https://gtfobins.github.io/gtfobins/flock/", "https://gtfobins.github.io/gtfobins/gcc/", "https://gtfobins.github.io/gtfobins/mysql/", "https://gtfobins.github.io/gtfobins/nice/", "https://gtfobins.github.io/gtfobins/ssh/", "https://gtfobins.github.io/gtfobins/vi/", "https://gtfobins.github.io/gtfobins/vim/", "https://gtfobins.github.io/gtfobins/capsh/", "https://gtfobins.github.io/gtfobins/byebug/", "https://gtfobins.github.io/gtfobins/git/", "https://gtfobins.github.io/gtfobins/ftp/"], 
"related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "52376a86-ee86-4967-97ae-1a05f55816f0", "setup": "The session view analysis for the command alerted is avalible in versions 8.2 and above.", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "52376a86-ee86-4967-97ae-1a05f55816f0_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_104.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_104.json deleted file mode 100644 index 0a898c26039..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Linux binary(s) abuse to breakout of restricted shells or environments by spawning an interactive system shell. The linux utility(s) activity of spawning shell is not a standard use of the binary for a user or system administrator. It may indicates an attempt to improve the capabilities or stability of an adversary access.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Linux Restricted Shell Breakout via Linux Binary(s)", "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware 
execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n (\n /* launch shells from unusual process */\n (process.name == \"capsh\" and process.args == \"--\") or\n\n /* launching shells from unusual parents or parent+arg combos 
*/\n (process.name in (\"bash\", \"sh\", \"dash\",\"ash\") and\n (process.parent.name in (\"byebug\",\"git\",\"ftp\",\"strace\",\"nawk\", \"mawk\", \"awk\", \"gawk\", \"tar\", \"zip\")) or\n\n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \"-exec\" and process.parent.args == \";\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n ) or\n\n /* shells specified in args */\n (process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") and\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n )\n ) or\n (process.name == \"busybox\" and process.args_count == 2 and process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") )or\n (process.name == \"env\" and process.args_count == 2 and process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\")) or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args in (\":!/bin/bash\", \":!/bin/sh\", \":!bash\", \":!sh\")) or\n (process.parent.name in (\"c89\",\"c99\", \"gcc\") and process.parent.args in (\"sh,-s\", \"bash,-s\", \"dash,-s\", \"ash,-s\", \"/bin/sh,-s\", \"/bin/bash,-s\", \"/bin/dash,-s\", \"/bin/ash,-s\") and process.parent.args == \"-wrapper\") or\n 
(process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args in (\"spawn /bin/sh;interact\", \"spawn /bin/bash;interact\", \"spawn /bin/dash;interact\", \"spawn sh;interact\", \"spawn bash;interact\", \"spawn dash;interact\")) or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args in (\"\\\\!*sh\", \"\\\\!*bash\", \"\\\\!*dash\", \"\\\\!*/bin/sh\", \"\\\\!*/bin/bash\", \"\\\\!*/bin/dash\")) or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args in (\"ProxyCommand=;sh 0<&2 1>&2\", \"ProxyCommand=;bash 0<&2 1>&2\", \"ProxyCommand=;dash 0<&2 1>&2\", \"ProxyCommand=;/bin/sh 0<&2 1>&2\", \"ProxyCommand=;/bin/bash 0<&2 1>&2\", \"ProxyCommand=;/bin/dash 0<&2 1>&2\"))\n )\n", "references": ["https://gtfobins.github.io/gtfobins/apt/", "https://gtfobins.github.io/gtfobins/apt-get/", "https://gtfobins.github.io/gtfobins/nawk/", "https://gtfobins.github.io/gtfobins/mawk/", "https://gtfobins.github.io/gtfobins/awk/", "https://gtfobins.github.io/gtfobins/gawk/", "https://gtfobins.github.io/gtfobins/busybox/", "https://gtfobins.github.io/gtfobins/c89/", "https://gtfobins.github.io/gtfobins/c99/", "https://gtfobins.github.io/gtfobins/cpulimit/", "https://gtfobins.github.io/gtfobins/crash/", "https://gtfobins.github.io/gtfobins/env/", "https://gtfobins.github.io/gtfobins/expect/", "https://gtfobins.github.io/gtfobins/find/", "https://gtfobins.github.io/gtfobins/flock/", "https://gtfobins.github.io/gtfobins/gcc/", "https://gtfobins.github.io/gtfobins/mysql/", "https://gtfobins.github.io/gtfobins/nice/", "https://gtfobins.github.io/gtfobins/ssh/", "https://gtfobins.github.io/gtfobins/vi/", "https://gtfobins.github.io/gtfobins/vim/", "https://gtfobins.github.io/gtfobins/capsh/", "https://gtfobins.github.io/gtfobins/byebug/", "https://gtfobins.github.io/gtfobins/git/", "https://gtfobins.github.io/gtfobins/ftp/"], "related_integrations": [{"package": "endpoint", "version": 
"^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "52376a86-ee86-4967-97ae-1a05f55816f0", "setup": "The session view analysis for the command alerted is avalible in versions 8.2 and above.", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "52376a86-ee86-4967-97ae-1a05f55816f0_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_105.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_105.json deleted file mode 100644 index 0ca337f8c0b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies Linux binary(s) abuse to breakout of restricted shells or environments by spawning an interactive system shell. The linux utility(s) activity of spawning shell is not a standard use of the binary for a user or system administrator. It may indicates an attempt to improve the capabilities or stability of an adversary access.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Linux Restricted Shell Breakout via Linux Binary(s)", "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware 
execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n (\n /* launch shells from unusual process */\n (process.name == \"capsh\" and process.args == \"--\") or\n\n /* launching shells from unusual parents or parent+arg combos 
*/\n (process.name in (\"bash\", \"sh\", \"dash\",\"ash\") and\n (process.parent.name in (\"byebug\",\"git\",\"ftp\",\"strace\",\"nawk\", \"mawk\", \"awk\", \"gawk\", \"tar\", \"zip\")) or\n\n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \"-exec\" and process.parent.args == \";\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n ) or\n\n /* shells specified in args */\n (process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") and\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n )\n ) or\n (process.name == \"busybox\" and process.args_count == 2 and process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\") )or\n (process.name == \"env\" and process.args_count == 2 and process.args in (\"/bin/sh\", \"/bin/bash\", \"/bin/dash\", \"/bin/ash\", \"sh\", \"bash\", \"dash\", \"ash\")) or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args in (\":!/bin/bash\", \":!/bin/sh\", \":!bash\", \":!sh\")) or\n (process.parent.name in (\"c89\",\"c99\", \"gcc\") and process.parent.args in (\"sh,-s\", \"bash,-s\", \"dash,-s\", \"ash,-s\", \"/bin/sh,-s\", \"/bin/bash,-s\", \"/bin/dash,-s\", \"/bin/ash,-s\") and process.parent.args == \"-wrapper\") or\n 
(process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args in (\"spawn /bin/sh;interact\", \"spawn /bin/bash;interact\", \"spawn /bin/dash;interact\", \"spawn sh;interact\", \"spawn bash;interact\", \"spawn dash;interact\")) or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args in (\"\\\\!*sh\", \"\\\\!*bash\", \"\\\\!*dash\", \"\\\\!*/bin/sh\", \"\\\\!*/bin/bash\", \"\\\\!*/bin/dash\")) or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args in (\"ProxyCommand=;sh 0<&2 1>&2\", \"ProxyCommand=;bash 0<&2 1>&2\", \"ProxyCommand=;dash 0<&2 1>&2\", \"ProxyCommand=;/bin/sh 0<&2 1>&2\", \"ProxyCommand=;/bin/bash 0<&2 1>&2\", \"ProxyCommand=;/bin/dash 0<&2 1>&2\"))\n )\n", "references": ["https://gtfobins.github.io/gtfobins/apt/", "https://gtfobins.github.io/gtfobins/apt-get/", "https://gtfobins.github.io/gtfobins/nawk/", "https://gtfobins.github.io/gtfobins/mawk/", "https://gtfobins.github.io/gtfobins/awk/", "https://gtfobins.github.io/gtfobins/gawk/", "https://gtfobins.github.io/gtfobins/busybox/", "https://gtfobins.github.io/gtfobins/c89/", "https://gtfobins.github.io/gtfobins/c99/", "https://gtfobins.github.io/gtfobins/cpulimit/", "https://gtfobins.github.io/gtfobins/crash/", "https://gtfobins.github.io/gtfobins/env/", "https://gtfobins.github.io/gtfobins/expect/", "https://gtfobins.github.io/gtfobins/find/", "https://gtfobins.github.io/gtfobins/flock/", "https://gtfobins.github.io/gtfobins/gcc/", "https://gtfobins.github.io/gtfobins/mysql/", "https://gtfobins.github.io/gtfobins/nice/", "https://gtfobins.github.io/gtfobins/ssh/", "https://gtfobins.github.io/gtfobins/vi/", "https://gtfobins.github.io/gtfobins/vim/", "https://gtfobins.github.io/gtfobins/capsh/", "https://gtfobins.github.io/gtfobins/byebug/", "https://gtfobins.github.io/gtfobins/git/", "https://gtfobins.github.io/gtfobins/ftp/"], "related_integrations": [{"package": "endpoint", "version": 
"^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "52376a86-ee86-4967-97ae-1a05f55816f0", "setup": "The session view analysis for the command alerted is avalible in versions 8.2 and above.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "52376a86-ee86-4967-97ae-1a05f55816f0_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_106.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_106.json
deleted file mode 100644
index 68e569f9173..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Linux Restricted Shell Breakout via Linux Binary(s)", "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware 
execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n(\n /* launching shell from capsh */\n (process.name == \"capsh\" and process.args == \"--\") or\n \n /* launching shells from unusual parents or parent+arg combos */\n 
(process.name : \"*sh\" and (\n (process.parent.name : (\"byebug\", \"ftp\", \"strace\", \"zip\", \"*awk\", \"git\", \"tar\") and \n (\n process.parent.args : \"BEGIN {system(*)}\" or\n (process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\")) or\n (\n (process.parent.args : \"exec=*sh\" or (process.parent.args : \"-I\" and process.parent.args : \"*sh\")) or\n (process.args : \"exec=*sh\" or (process.args : \"-I\" and process.args : \"*sh\"))\n )\n )\n ) or\n \n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args : \"*sh\" and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \"-exec\" and process.parent.args == \";\" and process.parent.args == \"-p\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n )\n )) or\n\n /* shells specified in args */\n (process.args : \"*sh\" and (\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n \n )) or\n (process.name == \"busybox\" and event.action == \"exec\" and process.args_count == 2 and process.args : \"*sh\" and not process.executable : \"/var/lib/docker/overlay2/*/merged/bin/busybox\") or\n (process.name == \"env\" and process.args_count == 2 and process.args : \"*sh\") or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args : \":!*sh\") or\n (process.parent.name in (\"c89\", \"c99\", \"gcc\") and process.parent.args : \"*sh,-s\" and process.parent.args == \"-wrapper\") or\n (process.parent.name == 
\"expect\" and process.parent.args == \"-c\" and process.parent.args : \"spawn *sh;interact\") or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args : \"\\\\!*sh\") or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args : \"ProxyCommand=;*sh 0<&2 1>&2\")\n)\n", "references": ["https://gtfobins.github.io/gtfobins/apt/", "https://gtfobins.github.io/gtfobins/apt-get/", "https://gtfobins.github.io/gtfobins/nawk/", "https://gtfobins.github.io/gtfobins/mawk/", "https://gtfobins.github.io/gtfobins/awk/", "https://gtfobins.github.io/gtfobins/gawk/", "https://gtfobins.github.io/gtfobins/busybox/", "https://gtfobins.github.io/gtfobins/c89/", "https://gtfobins.github.io/gtfobins/c99/", "https://gtfobins.github.io/gtfobins/cpulimit/", "https://gtfobins.github.io/gtfobins/crash/", "https://gtfobins.github.io/gtfobins/env/", "https://gtfobins.github.io/gtfobins/expect/", "https://gtfobins.github.io/gtfobins/find/", "https://gtfobins.github.io/gtfobins/flock/", "https://gtfobins.github.io/gtfobins/gcc/", "https://gtfobins.github.io/gtfobins/mysql/", "https://gtfobins.github.io/gtfobins/nice/", "https://gtfobins.github.io/gtfobins/ssh/", "https://gtfobins.github.io/gtfobins/vi/", "https://gtfobins.github.io/gtfobins/vim/", "https://gtfobins.github.io/gtfobins/capsh/", "https://gtfobins.github.io/gtfobins/byebug/", "https://gtfobins.github.io/gtfobins/git/", "https://gtfobins.github.io/gtfobins/ftp/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, 
{"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "52376a86-ee86-4967-97ae-1a05f55816f0", "setup": "The session view analysis for the command alerted is avalible in versions 8.2 and above.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "52376a86-ee86-4967-97ae-1a05f55816f0_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_107.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_107.json
deleted file mode 100644
index bae31357dcb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Linux Restricted Shell Breakout via Linux Binary(s)", "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware 
execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n(\n /* launching shell from capsh */\n (process.name == \"capsh\" and process.args == \"--\") or\n \n /* launching shells from unusual parents or parent+arg combos */\n 
(process.name : \"*sh\" and (\n (process.parent.name : (\"byebug\", \"ftp\", \"strace\", \"zip\", \"*awk\", \"git\", \"tar\") and \n (\n process.parent.args : \"BEGIN {system(*)}\" or\n (process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\")) or\n (\n (process.parent.args : \"exec=*sh\" or (process.parent.args : \"-I\" and process.parent.args : \"*sh\")) or\n (process.args : \"exec=*sh\" or (process.args : \"-I\" and process.args : \"*sh\"))\n )\n )\n ) or\n \n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args : \"*sh\" and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \"-exec\" and process.parent.args == \";\" and process.parent.args == \"-p\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n )\n )) or\n\n /* shells specified in args */\n (process.args : \"*sh\" and (\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n \n )) or\n (process.name == \"busybox\" and event.action == \"exec\" and process.args_count == 2 and process.args : \"*sh\" and not \n process.executable : \"/var/lib/docker/overlay2/*/merged/bin/busybox\" and not (process.parent.args == \"init\" and\n process.parent.args == \"runc\") and not process.parent.args in (\"ls-remote\", \"push\", \"fetch\")) or\n (process.name == \"env\" and process.args_count == 2 and process.args : \"*sh\") or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args : \":!*sh\") or\n 
(process.parent.name in (\"c89\", \"c99\", \"gcc\") and process.parent.args : \"*sh,-s\" and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args : \"spawn *sh;interact\") or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args : \"\\\\!*sh\") or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args : \"ProxyCommand=;*sh 0<&2 1>&2\")\n)\n", "references": ["https://gtfobins.github.io/gtfobins/apt/", "https://gtfobins.github.io/gtfobins/apt-get/", "https://gtfobins.github.io/gtfobins/nawk/", "https://gtfobins.github.io/gtfobins/mawk/", "https://gtfobins.github.io/gtfobins/awk/", "https://gtfobins.github.io/gtfobins/gawk/", "https://gtfobins.github.io/gtfobins/busybox/", "https://gtfobins.github.io/gtfobins/c89/", "https://gtfobins.github.io/gtfobins/c99/", "https://gtfobins.github.io/gtfobins/cpulimit/", "https://gtfobins.github.io/gtfobins/crash/", "https://gtfobins.github.io/gtfobins/env/", "https://gtfobins.github.io/gtfobins/expect/", "https://gtfobins.github.io/gtfobins/find/", "https://gtfobins.github.io/gtfobins/flock/", "https://gtfobins.github.io/gtfobins/gcc/", "https://gtfobins.github.io/gtfobins/mysql/", "https://gtfobins.github.io/gtfobins/nice/", "https://gtfobins.github.io/gtfobins/ssh/", "https://gtfobins.github.io/gtfobins/vi/", "https://gtfobins.github.io/gtfobins/vim/", "https://gtfobins.github.io/gtfobins/capsh/", "https://gtfobins.github.io/gtfobins/byebug/", "https://gtfobins.github.io/gtfobins/git/", "https://gtfobins.github.io/gtfobins/ftp/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": 
"process.args_count", "type": "long"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "52376a86-ee86-4967-97ae-1a05f55816f0", "setup": "The session view analysis for the command alerted is avalible in versions 8.2 and above.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "52376a86-ee86-4967-97ae-1a05f55816f0_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_108.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_108.json
deleted file mode 100644
index cb08d47216e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Linux Restricted Shell Breakout via Linux Binary(s)", "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware 
execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n(\n /* launching shell from capsh */\n (process.name == \"capsh\" and process.args == \"--\") or\n \n /* launching shells from unusual parents or parent+arg combos */\n 
(process.name : \"*sh\" and (\n (process.parent.name : \"*awk\" and process.parent.args : \"BEGIN {system(*)}\") or\n (process.parent.name == \"git\" and process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or \n process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") and not process.name == \"ssh\" ) or\n (process.parent.name : (\"byebug\", \"ftp\", \"strace\", \"zip\", \"tar\") and \n (\n process.parent.args : \"BEGIN {system(*)}\" or\n (process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\")) or\n (\n (process.parent.args : \"exec=*sh\" or (process.parent.args : \"-I\" and process.parent.args : \"*sh\")) or\n (process.args : \"exec=*sh\" or (process.args : \"-I\" and process.args : \"*sh\"))\n )\n )\n ) or\n \n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args : \"*sh\" and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \".\" and process.parent.args == \"-exec\" and \n process.parent.args == \";\" and process.parent.args : \"/bin/*sh\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n )\n )) or\n\n /* shells specified in args */\n (process.args : \"*sh\" and (\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n \n )) or\n (process.name == \"busybox\" and event.action == \"exec\" and process.args_count == 2 and process.args : \"*sh\" and not \n process.executable : \"/var/lib/docker/overlay2/*/merged/bin/busybox\" and not (process.parent.args == \"init\" and\n 
process.parent.args == \"runc\") and not process.parent.args in (\"ls-remote\", \"push\", \"fetch\") and not process.parent.name == \"mkinitramfs\") or\n (process.name == \"env\" and process.args_count == 2 and process.args : \"*sh\") or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args : \":!*sh\") or\n (process.parent.name in (\"c89\", \"c99\", \"gcc\") and process.parent.args : \"*sh,-s\" and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args : \"spawn *sh;interact\") or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args : \"\\\\!*sh\") or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args : \"ProxyCommand=;*sh 0<&2 1>&2\")\n)\n", "references": ["https://gtfobins.github.io/gtfobins/apt/", "https://gtfobins.github.io/gtfobins/apt-get/", "https://gtfobins.github.io/gtfobins/nawk/", "https://gtfobins.github.io/gtfobins/mawk/", "https://gtfobins.github.io/gtfobins/awk/", "https://gtfobins.github.io/gtfobins/gawk/", "https://gtfobins.github.io/gtfobins/busybox/", "https://gtfobins.github.io/gtfobins/c89/", "https://gtfobins.github.io/gtfobins/c99/", "https://gtfobins.github.io/gtfobins/cpulimit/", "https://gtfobins.github.io/gtfobins/crash/", "https://gtfobins.github.io/gtfobins/env/", "https://gtfobins.github.io/gtfobins/expect/", "https://gtfobins.github.io/gtfobins/find/", "https://gtfobins.github.io/gtfobins/flock/", "https://gtfobins.github.io/gtfobins/gcc/", "https://gtfobins.github.io/gtfobins/mysql/", "https://gtfobins.github.io/gtfobins/nice/", "https://gtfobins.github.io/gtfobins/ssh/", "https://gtfobins.github.io/gtfobins/vi/", "https://gtfobins.github.io/gtfobins/vim/", "https://gtfobins.github.io/gtfobins/capsh/", "https://gtfobins.github.io/gtfobins/byebug/", "https://gtfobins.github.io/gtfobins/git/", 
"https://gtfobins.github.io/gtfobins/ftp/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "52376a86-ee86-4967-97ae-1a05f55816f0", "setup": "The session view analysis for the command alerted is avalible in versions 8.2 and above.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "52376a86-ee86-4967-97ae-1a05f55816f0_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_109.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_109.json
deleted file mode 100644
index 9ac2f8f6965..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Linux Restricted Shell Breakout via Linux Binary(s)", "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware 
execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nSession View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. Session View is available on enterprise subscription for versions 8.3 and above.\n#### To confirm that Session View data is enabled:\n- Go to Manage \u2192 Policies, and edit one or more of your Elastic Defend integration policies.\n- Select the Policy settings tab, then scroll down to the Linux event collection section near the bottom.\n- Check the box for Process events, and turn on the Include session data toggle.\n- If you want to include file and network alerts in Session View, check the boxes for Network and File events.\n- If you want to enable terminal output capture, turn on the Capture terminal output toggle.\nFor more information about the additional fields collected when this setting is enabled and\nthe usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n(\n /* launching shell from capsh */\n (process.name == \"capsh\" and process.args == \"--\") or\n \n /* launching shells from unusual parents or parent+arg combos */\n (process.name : \"*sh\" and (\n (process.parent.name : \"*awk\" and process.parent.args : \"BEGIN {system(*)}\") or\n (process.parent.name == \"git\" and process.parent.args : 
(\"*PAGER*\", \"!*sh\", \"exec *sh\") or \n process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") and not process.name == \"ssh\" ) or\n (process.parent.name : (\"byebug\", \"ftp\", \"strace\", \"zip\", \"tar\") and \n (\n process.parent.args : \"BEGIN {system(*)}\" or\n (process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\")) or\n (\n (process.parent.args : \"exec=*sh\" or (process.parent.args : \"-I\" and process.parent.args : \"*sh\")) or\n (process.args : \"exec=*sh\" or (process.args : \"-I\" and process.args : \"*sh\"))\n )\n )\n ) or\n \n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args : \"*sh\" and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \".\" and process.parent.args == \"-exec\" and \n process.parent.args == \";\" and process.parent.args : \"/bin/*sh\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n )\n )) or\n\n /* shells specified in args */\n (process.args : \"*sh\" and (\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n \n )) or\n (process.name == \"busybox\" and event.action == \"exec\" and process.args_count == 2 and process.args : \"*sh\" and not \n process.executable : \"/var/lib/docker/overlay2/*/merged/bin/busybox\" and not (process.parent.args == \"init\" and\n process.parent.args == \"runc\") and not process.parent.args in (\"ls-remote\", \"push\", \"fetch\") and not process.parent.name == \"mkinitramfs\") or\n (process.name == \"env\" and 
process.args_count == 2 and process.args : \"*sh\") or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args : \":!*sh\") or\n (process.parent.name in (\"c89\", \"c99\", \"gcc\") and process.parent.args : \"*sh,-s\" and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args : \"spawn *sh;interact\") or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args : \"\\\\!*sh\") or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args : \"ProxyCommand=;*sh 0<&2 1>&2\")\n)\n", "references": ["https://gtfobins.github.io/gtfobins/apt/", "https://gtfobins.github.io/gtfobins/apt-get/", "https://gtfobins.github.io/gtfobins/nawk/", "https://gtfobins.github.io/gtfobins/mawk/", "https://gtfobins.github.io/gtfobins/awk/", "https://gtfobins.github.io/gtfobins/gawk/", "https://gtfobins.github.io/gtfobins/busybox/", "https://gtfobins.github.io/gtfobins/c89/", "https://gtfobins.github.io/gtfobins/c99/", "https://gtfobins.github.io/gtfobins/cpulimit/", "https://gtfobins.github.io/gtfobins/crash/", "https://gtfobins.github.io/gtfobins/env/", "https://gtfobins.github.io/gtfobins/expect/", "https://gtfobins.github.io/gtfobins/find/", "https://gtfobins.github.io/gtfobins/flock/", "https://gtfobins.github.io/gtfobins/gcc/", "https://gtfobins.github.io/gtfobins/mysql/", "https://gtfobins.github.io/gtfobins/nice/", "https://gtfobins.github.io/gtfobins/ssh/", "https://gtfobins.github.io/gtfobins/vi/", "https://gtfobins.github.io/gtfobins/vim/", "https://gtfobins.github.io/gtfobins/capsh/", "https://gtfobins.github.io/gtfobins/byebug/", "https://gtfobins.github.io/gtfobins/git/", "https://gtfobins.github.io/gtfobins/ftp/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": 
"event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "52376a86-ee86-4967-97ae-1a05f55816f0", "setup": "This rule requires data coming in from Elastic Defend.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "52376a86-ee86-4967-97ae-1a05f55816f0_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_110.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_110.json
deleted file mode 100644
index 63e90be6c08..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Linux Restricted Shell Breakout via Linux Binary(s)", "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware 
execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n(\n /* launching shell from capsh */\n (process.name == \"capsh\" and process.args == \"--\") or\n \n /* launching shells from unusual parents or parent+arg combos */\n 
(process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.parent.name : \"*awk\" and process.parent.args : \"BEGIN {system(*)}\") or\n (process.parent.name == \"git\" and process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or \n process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") and not process.name == \"ssh\" ) or\n (process.parent.name : (\"byebug\", \"ftp\", \"strace\", \"zip\", \"tar\") and \n (\n process.parent.args : \"BEGIN {system(*)}\" or\n (process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\")) or\n (\n (process.parent.args : \"exec=*sh\" or (process.parent.args : \"-I\" and process.parent.args : \"*sh\")) or\n (process.args : \"exec=*sh\" or (process.args : \"-I\" and process.args : \"*sh\"))\n )\n )\n ) or\n \n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args : \"*sh\" and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \".\" and process.parent.args == \"-exec\" and \n process.parent.args == \";\" and process.parent.args : \"/bin/*sh\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n )\n )) or\n\n /* shells specified in args */\n (process.args : \"*sh\" and (\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n \n )) or\n (process.name == \"busybox\" and event.action == \"exec\" and process.args_count == 2 and process.args : \"*sh\" and not \n process.executable : 
\"/var/lib/docker/overlay2/*/merged/bin/busybox\" and not (process.parent.args == \"init\" and\n process.parent.args == \"runc\") and not process.parent.args in (\"ls-remote\", \"push\", \"fetch\") and not process.parent.name == \"mkinitramfs\") or\n (process.name == \"env\" and process.args_count == 2 and process.args : \"*sh\") or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args : \":!*sh\") or\n (process.parent.name in (\"c89\", \"c99\", \"gcc\") and process.parent.args : \"*sh,-s\" and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args : \"spawn *sh;interact\") or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args : \"\\\\!*sh\") or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args : \"ProxyCommand=;*sh 0<&2 1>&2\")\n)\n", "references": ["https://gtfobins.github.io/gtfobins/apt/", "https://gtfobins.github.io/gtfobins/apt-get/", "https://gtfobins.github.io/gtfobins/nawk/", "https://gtfobins.github.io/gtfobins/mawk/", "https://gtfobins.github.io/gtfobins/awk/", "https://gtfobins.github.io/gtfobins/gawk/", "https://gtfobins.github.io/gtfobins/busybox/", "https://gtfobins.github.io/gtfobins/c89/", "https://gtfobins.github.io/gtfobins/c99/", "https://gtfobins.github.io/gtfobins/cpulimit/", "https://gtfobins.github.io/gtfobins/crash/", "https://gtfobins.github.io/gtfobins/env/", "https://gtfobins.github.io/gtfobins/expect/", "https://gtfobins.github.io/gtfobins/find/", "https://gtfobins.github.io/gtfobins/flock/", "https://gtfobins.github.io/gtfobins/gcc/", "https://gtfobins.github.io/gtfobins/mysql/", "https://gtfobins.github.io/gtfobins/nice/", "https://gtfobins.github.io/gtfobins/ssh/", "https://gtfobins.github.io/gtfobins/vi/", "https://gtfobins.github.io/gtfobins/vim/", "https://gtfobins.github.io/gtfobins/capsh/", 
"https://gtfobins.github.io/gtfobins/byebug/", "https://gtfobins.github.io/gtfobins/git/", "https://gtfobins.github.io/gtfobins/ftp/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "52376a86-ee86-4967-97ae-1a05f55816f0", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nSession View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. 
Session View is available on enterprise subscription for versions 8.3 and above.\n#### To confirm that Session View data is enabled:\n- Go to Manage \u2192 Policies, and edit one or more of your Elastic Defend integration policies.\n- Select the Policy settings tab, then scroll down to the Linux event collection section near the bottom.\n- Check the box for Process events, and turn on the Include session data toggle.\n- If you want to include file and network alerts in Session View, check the boxes for Network and File events.\n- If you want to enable terminal output capture, turn on the Capture terminal output toggle.\nFor more information about the additional fields collected when this setting is enabled and\nthe usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "52376a86-ee86-4967-97ae-1a05f55816f0_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_111.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_111.json
deleted file mode 100644
index 581386572b9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Linux Restricted Shell Breakout via Linux Binary(s)", "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware 
execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n(\n /* launching shell from capsh */\n (process.name == \"capsh\" and process.args == \"--\") or\n \n /* launching shells from unusual parents or parent+arg combos */\n 
(process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.parent.name : \"*awk\" and process.parent.args : \"BEGIN {system(*)}\") or\n (process.parent.name == \"git\" and process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or \n process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") and not process.name == \"ssh\" ) or\n (process.parent.name : (\"byebug\", \"ftp\", \"strace\", \"zip\", \"tar\") and \n (\n process.parent.args : \"BEGIN {system(*)}\" or\n (process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\")) or\n (\n (process.parent.args : \"exec=*sh\" or (process.parent.args : \"-I\" and process.parent.args : \"*sh\")) or\n (process.args : \"exec=*sh\" or (process.args : \"-I\" and process.args : \"*sh\"))\n )\n )\n ) or\n \n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args : \"*sh\" and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \".\" and process.parent.args == \"-exec\" and \n process.parent.args == \";\" and process.parent.args : \"/bin/*sh\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n )\n )) or\n\n /* shells specified in args */\n (process.args : \"*sh\" and (\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n \n )) or\n (process.name == \"busybox\" and event.action == \"exec\" and process.args_count == 2 and process.args : \"*sh\" and not \n process.executable : 
\"/var/lib/docker/overlay2/*/merged/bin/busybox\" and not (process.parent.args == \"init\" and\n process.parent.args == \"runc\") and not process.parent.args in (\"ls-remote\", \"push\", \"fetch\") and not process.parent.name == \"mkinitramfs\") or\n (process.name == \"env\" and process.args_count == 2 and process.args : \"*sh\") or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args : \":!*sh\") or\n (process.parent.name in (\"c89\", \"c99\", \"gcc\") and process.parent.args : \"*sh,-s\" and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args : \"spawn *sh;interact\") or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args : \"\\\\!*sh\") or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args : \"ProxyCommand=;*sh 0<&2 1>&2\")\n)\n", "references": ["https://gtfobins.github.io/gtfobins/apt/", "https://gtfobins.github.io/gtfobins/apt-get/", "https://gtfobins.github.io/gtfobins/nawk/", "https://gtfobins.github.io/gtfobins/mawk/", "https://gtfobins.github.io/gtfobins/awk/", "https://gtfobins.github.io/gtfobins/gawk/", "https://gtfobins.github.io/gtfobins/busybox/", "https://gtfobins.github.io/gtfobins/c89/", "https://gtfobins.github.io/gtfobins/c99/", "https://gtfobins.github.io/gtfobins/cpulimit/", "https://gtfobins.github.io/gtfobins/crash/", "https://gtfobins.github.io/gtfobins/env/", "https://gtfobins.github.io/gtfobins/expect/", "https://gtfobins.github.io/gtfobins/find/", "https://gtfobins.github.io/gtfobins/flock/", "https://gtfobins.github.io/gtfobins/gcc/", "https://gtfobins.github.io/gtfobins/mysql/", "https://gtfobins.github.io/gtfobins/nice/", "https://gtfobins.github.io/gtfobins/ssh/", "https://gtfobins.github.io/gtfobins/vi/", "https://gtfobins.github.io/gtfobins/vim/", "https://gtfobins.github.io/gtfobins/capsh/", 
"https://gtfobins.github.io/gtfobins/byebug/", "https://gtfobins.github.io/gtfobins/git/", "https://gtfobins.github.io/gtfobins/ftp/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "52376a86-ee86-4967-97ae-1a05f55816f0", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nSession View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. 
Session View is available on enterprise subscription for versions 8.3 and above.\n#### To confirm that Session View data is enabled:\n- Go to \u201cManage \u2192 Policies\u201d, and edit one or more of your Elastic Defend integration policies.\n- Select the\u201d Policy settings\u201d tab, then scroll down to the \u201cLinux event collection\u201d section near the bottom.\n- Check the box for \u201cProcess events\u201d, and turn on the \u201cInclude session data\u201d toggle.\n- If you want to include file and network alerts in Session View, check the boxes for \u201cNetwork and File events\u201d.\n- If you want to enable terminal output capture, turn on the \u201cCapture terminal output\u201d toggle.\nFor more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "52376a86-ee86-4967-97ae-1a05f55816f0_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_112.json b/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_112.json deleted file mode 100644 index cdf8e79feaf..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/52376a86-ee86-4967-97ae-1a05f55816f0_112.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the abuse of a Linux binary to break out of a restricted shell or environment by spawning an interactive system shell. The activity of spawning a shell from a binary is not common behavior for a user or system administrator, and may indicate an attempt to evade detection, increase capabilities or enhance the stability of an adversary.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Linux Restricted Shell Breakout via Linux Binary(s)", "note": "## Triage and analysis\n\n### Investigating Shell Evasion via Linux Utilities\nDetection alerts from this rule indicate that a Linux utility has been abused to breakout of restricted shells or\nenvironments by spawning an interactive system shell.\nHere are some possible avenues of investigation:\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user\n- Examine the contents of session leading to the abuse via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities\n- Examine the execution of commands in the spawned shell.\n - Identify imment threat to the system from the executed commands\n - Take necessary incident response actions to contain any malicious behviour caused via this execution.\n\n### Related rules\n\n- A malicious spawned shell can execute any of the possible MITTRE ATT&CK vectors mainly to impair defences.\n- Hence its adviced to enable defence evasion and privilige escalation rules accordingly in your environment\n\n### Response and remediation\n\nInitiate the incident response process based on the outcome of the triage.\n\n- If the triage releaved suspicious netwrok activity from the malicious spawned shell,\n - Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware 
execution via the maliciously spawned shell,\n - Search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the triage revelaed defence evasion for imparing defenses\n - Isolate the involved host to prevent further post-compromise behavior.\n - Identified the disabled security guard components on the host and take necessary steps in renebaling the same.\n - If any tools have been disbaled / uninstalled or config tampered work towards reenabling the same.\n- If the triage revelaed addition of persistence mechanism exploit like auto start scripts\n - Isolate further login to the systems that can initae auto start scripts.\n - Identify the auto start scripts and disable and remove the same from the systems\n- If the triage revealed data crawling or data export via remote copy\n - Investigate credential exposure on systems compromised / used / decoded by the attacker during the data crawling\n - Intiate compromised credential deactivation and credential rotation process for all exposed crednetials.\n - Investiagte if any IPR data was accessed during the data crawling and take appropriate actions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n(\n /* launching shell from capsh */\n (process.name == \"capsh\" and process.args == \"--\") or\n \n /* launching shells from unusual parents or parent+arg combos */\n 
(process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and (\n (process.parent.name : \"*awk\" and process.parent.args : \"BEGIN {system(*)}\") or\n (process.parent.name == \"git\" and process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or \n process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") and not process.name == \"ssh\" ) or\n (process.parent.name : (\"byebug\", \"ftp\", \"strace\", \"zip\", \"tar\") and \n (\n process.parent.args : \"BEGIN {system(*)}\" or\n (process.parent.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\") or process.args : (\"*PAGER*\", \"!*sh\", \"exec *sh\")) or\n (\n (process.parent.args : \"exec=*sh\" or (process.parent.args : \"-I\" and process.parent.args : \"*sh\")) or\n (process.args : \"exec=*sh\" or (process.args : \"-I\" and process.args : \"*sh\"))\n )\n )\n ) or\n \n /* shells specified in parent args */\n /* nice rule is broken in 8.2 */\n (process.parent.args : \"*sh\" and\n (\n (process.parent.name == \"nice\") or\n (process.parent.name == \"cpulimit\" and process.parent.args == \"-f\") or\n (process.parent.name == \"find\" and process.parent.args == \".\" and process.parent.args == \"-exec\" and \n process.parent.args == \";\" and process.parent.args : \"/bin/*sh\") or\n (process.parent.name == \"flock\" and process.parent.args == \"-u\" and process.parent.args == \"/\")\n )\n )\n )) or\n\n /* shells specified in args */\n (process.args : \"*sh\" and (\n (process.parent.name == \"crash\" and process.parent.args == \"-h\") or\n (process.name == \"sensible-pager\" and process.parent.name in (\"apt\", \"apt-get\") and process.parent.args == \"changelog\")\n /* scope to include more sensible-pager invoked shells with different parent process to reduce noise and remove false positives */\n \n )) or\n (process.name == \"busybox\" and event.action == \"exec\" and process.args_count == 2 and process.args : \"*sh\" and not \n process.executable : 
\"/var/lib/docker/overlay2/*/merged/bin/busybox\" and not (process.parent.args == \"init\" and\n process.parent.args == \"runc\") and not process.parent.args in (\"ls-remote\", \"push\", \"fetch\") and not process.parent.name == \"mkinitramfs\") or\n (process.name == \"env\" and process.args_count == 2 and process.args : \"*sh\") or\n (process.parent.name in (\"vi\", \"vim\") and process.parent.args == \"-c\" and process.parent.args : \":!*sh\") or\n (process.parent.name in (\"c89\", \"c99\", \"gcc\") and process.parent.args : \"*sh,-s\" and process.parent.args == \"-wrapper\") or\n (process.parent.name == \"expect\" and process.parent.args == \"-c\" and process.parent.args : \"spawn *sh;interact\") or\n (process.parent.name == \"mysql\" and process.parent.args == \"-e\" and process.parent.args : \"\\\\!*sh\") or\n (process.parent.name == \"ssh\" and process.parent.args == \"-o\" and process.parent.args : \"ProxyCommand=;*sh 0<&2 1>&2\")\n)\n", "references": ["https://gtfobins.github.io/gtfobins/apt/", "https://gtfobins.github.io/gtfobins/apt-get/", "https://gtfobins.github.io/gtfobins/nawk/", "https://gtfobins.github.io/gtfobins/mawk/", "https://gtfobins.github.io/gtfobins/awk/", "https://gtfobins.github.io/gtfobins/gawk/", "https://gtfobins.github.io/gtfobins/busybox/", "https://gtfobins.github.io/gtfobins/c89/", "https://gtfobins.github.io/gtfobins/c99/", "https://gtfobins.github.io/gtfobins/cpulimit/", "https://gtfobins.github.io/gtfobins/crash/", "https://gtfobins.github.io/gtfobins/env/", "https://gtfobins.github.io/gtfobins/expect/", "https://gtfobins.github.io/gtfobins/find/", "https://gtfobins.github.io/gtfobins/flock/", "https://gtfobins.github.io/gtfobins/gcc/", "https://gtfobins.github.io/gtfobins/mysql/", "https://gtfobins.github.io/gtfobins/nice/", "https://gtfobins.github.io/gtfobins/ssh/", "https://gtfobins.github.io/gtfobins/vi/", "https://gtfobins.github.io/gtfobins/vim/", "https://gtfobins.github.io/gtfobins/capsh/", 
"https://gtfobins.github.io/gtfobins/byebug/", "https://gtfobins.github.io/gtfobins/git/", "https://gtfobins.github.io/gtfobins/ftp/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "52376a86-ee86-4967-97ae-1a05f55816f0", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nSession View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. 
Session View is available on enterprise subscription for versions 8.3 and above.\n#### To confirm that Session View data is enabled:\n- Go to \u201cManage \u2192 Policies\u201d, and edit one or more of your Elastic Defend integration policies.\n- Select the\u201d Policy settings\u201d tab, then scroll down to the \u201cLinux event collection\u201d section near the bottom.\n- Check the box for \u201cProcess events\u201d, and turn on the \u201cInclude session data\u201d toggle.\n- If you want to include file and network alerts in Session View, check the boxes for \u201cNetwork and File events\u201d.\n- If you want to enable terminal output capture, turn on the \u201cCapture terminal output\u201d toggle.\nFor more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "52376a86-ee86-4967-97ae-1a05f55816f0_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5297b7f1-bccd-4611-93fa-ea342a01ff84.json b/packages/security_detection_engine/kibana/security_rule/5297b7f1-bccd-4611-93fa-ea342a01ff84.json deleted file mode 100644 index 9143ab24f32..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/5297b7f1-bccd-4611-93fa-ea342a01ff84.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the execution of DotNet ClickOnce installer via Dfsvc.exe trampoline. Adversaries may take advantage of ClickOnce to proxy execution of malicious payloads via trusted Microsoft processes.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Execution via Microsoft DotNet ClickOnce Host", "query": "sequence by user.id with maxspan=5s\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n process.name : \"rundll32.exe\" and process.command_line : (\"*dfshim*ShOpenVerbApplication*\", \"*dfshim*#*\")]\n [network where host.os.type == \"windows\" and process.name : \"dfsvc.exe\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "5297b7f1-bccd-4611-93fa-ea342a01ff84", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/"}, {"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "type": "eql", 
"version": 1}, "id": "5297b7f1-bccd-4611-93fa-ea342a01ff84", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886.json b/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886.json deleted file mode 100644 index fa122dd3226..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial Command and Control activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Connection via RunDLL32", "note": "## Triage and analysis\n\n### Investigating Unusual Network Connection via RunDLL32\n\nRunDLL32 is a built-in Windows utility and also a vital component used by the operating system itself. The functionality provided by RunDLL32 to execute Dynamic Link Libraries (DLLs) is widely abused by attackers, because it makes it hard to differentiate malicious activity from normal operations.\n\nThis rule looks for external network connections established using RunDLL32 when the utility is being executed with no arguments, which can potentially indicate command and control activity.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the target host that RunDLL32 is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Identify the target computer and its role in the IT environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"rundll32.exe\" and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : \"rundll32.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", 
"https://redcanary.com/threat-detection-report/techniques/rundll32/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}]}], "type": "eql", "version": 109}, "id": "52aaab7b-b51c-441a-89ce-4387b3aea886", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_105.json b/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_105.json
deleted file mode 100644
index e7464b19f45..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial Command and Control activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Connection via RunDLL32", "note": "## Triage and analysis\n\n### Investigating Unusual Network Connection via RunDLL32\n\nRunDLL32 is a built-in Windows utility and also a vital component used by the operating system itself. The functionality provided by RunDLL32 to execute Dynamic Link Libraries (DLLs) is widely abused by attackers, because it makes it hard to differentiate malicious activity from normal operations.\n\nThis rule looks for external network connections established using RunDLL32 when the utility is being executed with no arguments, which can potentially indicate command and control activity.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the target host that RunDLL32 is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Identify the target computer and its role in the IT environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"rundll32.exe\" and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : \"rundll32.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", 
"https://redcanary.com/threat-detection-report/techniques/rundll32/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Command and Control", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}]}], "type": "eql", "version": 105}, "id": "52aaab7b-b51c-441a-89ce-4387b3aea886_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_106.json b/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_106.json
deleted file mode 100644
index 1ebd2cafb69..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial Command and Control activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Connection via RunDLL32", "note": "## Triage and analysis\n\n### Investigating Unusual Network Connection via RunDLL32\n\nRunDLL32 is a built-in Windows utility and also a vital component used by the operating system itself. The functionality provided by RunDLL32 to execute Dynamic Link Libraries (DLLs) is widely abused by attackers, because it makes it hard to differentiate malicious activity from normal operations.\n\nThis rule looks for external network connections established using RunDLL32 when the utility is being executed with no arguments, which can potentially indicate command and control activity.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the target host that RunDLL32 is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Identify the target computer and its role in the IT environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"rundll32.exe\" and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : \"rundll32.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", 
"https://redcanary.com/threat-detection-report/techniques/rundll32/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}]}], "type": "eql", "version": 106}, "id": "52aaab7b-b51c-441a-89ce-4387b3aea886_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_107.json b/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_107.json
deleted file mode 100644
index f9df9e409f8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial Command and Control activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Connection via RunDLL32", "note": "## Triage and analysis\n\n### Investigating Unusual Network Connection via RunDLL32\n\nRunDLL32 is a built-in Windows utility and also a vital component used by the operating system itself. The functionality provided by RunDLL32 to execute Dynamic Link Libraries (DLLs) is widely abused by attackers, because it makes it hard to differentiate malicious activity from normal operations.\n\nThis rule looks for external network connections established using RunDLL32 when the utility is being executed with no arguments, which can potentially indicate command and control activity.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the target host that RunDLL32 is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Identify the target computer and its role in the IT environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"rundll32.exe\" and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : \"rundll32.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", 
"https://redcanary.com/threat-detection-report/techniques/rundll32/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}]}], "type": "eql", "version": 107}, "id": "52aaab7b-b51c-441a-89ce-4387b3aea886_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_108.json b/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_108.json
deleted file mode 100644
index 88d36b73c48..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial Command and Control activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Connection via RunDLL32", "note": "## Triage and analysis\n\n### Investigating Unusual Network Connection via RunDLL32\n\nRunDLL32 is a built-in Windows utility and also a vital component used by the operating system itself. The functionality provided by RunDLL32 to execute Dynamic Link Libraries (DLLs) is widely abused by attackers, because it makes it hard to differentiate malicious activity from normal operations.\n\nThis rule looks for external network connections established using RunDLL32 when the utility is being executed with no arguments, which can potentially indicate command and control activity.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the target host that RunDLL32 is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Identify the target computer and its role in the IT environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"rundll32.exe\" and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : \"rundll32.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", 
"https://redcanary.com/threat-detection-report/techniques/rundll32/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}]}], "type": "eql", "version": 108}, "id": "52aaab7b-b51c-441a-89ce-4387b3aea886_108", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_109.json b/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_109.json
deleted file mode 100644
index 269e5e4b512..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/52aaab7b-b51c-441a-89ce-4387b3aea886_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial Command and Control activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Connection via RunDLL32", "note": "## Triage and analysis\n\n### Investigating Unusual Network Connection via RunDLL32\n\nRunDLL32 is a built-in Windows utility and also a vital component used by the operating system itself. The functionality provided by RunDLL32 to execute Dynamic Link Libraries (DLLs) is widely abused by attackers, because it makes it hard to differentiate malicious activity from normal operations.\n\nThis rule looks for external network connections established using RunDLL32 when the utility is being executed with no arguments, which can potentially indicate command and control activity.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the target host that RunDLL32 is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Identify the target computer and its role in the IT environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"rundll32.exe\" and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : \"rundll32.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml", 
"https://redcanary.com/threat-detection-report/techniques/rundll32/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "52aaab7b-b51c-441a-89ce-4387b3aea886", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}]}], "type": "eql", "version": 109}, "id": "52aaab7b-b51c-441a-89ce-4387b3aea886_109", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b.json b/packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b.json
deleted file mode 100644
index dd557fbf5d3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies Linux processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_anomalous_network_activity"], "name": "Unusual Linux Network Activity", "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. 
These may provide indications as to the source of the program or the nature of the tasks it is performing.", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "52afbdc5-db15-485e-bc24-f5707f820c4b", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"], "type": "machine_learning", "version": 104}, "id": "52afbdc5-db15-485e-bc24-f5707f820c4b", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b_101.json b/packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b_101.json deleted file mode 100644 index b7ff838a247..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies Linux processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_anomalous_network_activity"], "name": "Unusual Linux Network Activity", "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. 
These may provide indications as to the source of the program or the nature of the tasks it is performing.", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "52afbdc5-db15-485e-bc24-f5707f820c4b", "severity": "low", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning"], "type": "machine_learning", "version": 101}, "id": "52afbdc5-db15-485e-bc24-f5707f820c4b_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b_102.json b/packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b_102.json deleted file mode 100644 index 6416e112d9e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies Linux processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_anomalous_network_activity"], "name": "Unusual Linux Network Activity", "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. 
These may provide indications as to the source of the program or the nature of the tasks it is performing.", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "52afbdc5-db15-485e-bc24-f5707f820c4b", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"], "type": "machine_learning", "version": 102}, "id": "52afbdc5-db15-485e-bc24-f5707f820c4b_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b_103.json b/packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b_103.json deleted file mode 100644 index 436dc84272b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/52afbdc5-db15-485e-bc24-f5707f820c4b_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies Linux processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_anomalous_network_activity"], "name": "Unusual Linux Network Activity", "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business or maintenance process.\n- Examine the process arguments, title and working directory. 
These may provide indications as to the source of the program or the nature of the tasks it is performing.", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "52afbdc5-db15-485e-bc24-f5707f820c4b", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"], "type": "machine_learning", "version": 103}, "id": "52afbdc5-db15-485e-bc24-f5707f820c4b_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d.json b/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d.json deleted file mode 100644 index b47c77c245e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create or modify a crontab via a process that is not crontab (i.e python, osascript, etc.). This activity should not be highly prevalent and could indicate the use of cron as a persistence mechanism by a threat actor.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious CronTab Creation or Modification", "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and process.name != null and\n file.path : \"/private/var/at/tabs/*\" and not process.executable == \"/usr/bin/crontab\"\n", "references": ["https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf", "https://theevilbit.github.io/beyond/beyond_0004/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "530178da-92ea-43ce-94c2-8877a826783d", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "530178da-92ea-43ce-94c2-8877a826783d", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_102.json b/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_102.json deleted file mode 100644 index 0b2894216e8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create or modify a crontab via a process that is not crontab (i.e python, osascript, etc.). This activity should not be highly prevalent and could indicate the use of cron as a persistence mechanism by a threat actor.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious CronTab Creation or Modification", "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and process.name != null and\n file.path : \"/private/var/at/tabs/*\" and not process.executable == \"/usr/bin/crontab\"\n", "references": ["https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf", "https://theevilbit.github.io/beyond/beyond_0004/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "530178da-92ea-43ce-94c2-8877a826783d", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "530178da-92ea-43ce-94c2-8877a826783d_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_103.json b/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_103.json
deleted file mode 100644
index 0fa94983db3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create or modify a crontab via a process that is not crontab (i.e python, osascript, etc.). This activity should not be highly prevalent and could indicate the use of cron as a persistence mechanism by a threat actor.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious CronTab Creation or Modification", "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and process.name != null and\n file.path : \"/private/var/at/tabs/*\" and not process.executable == \"/usr/bin/crontab\"\n", "references": ["https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf", "https://theevilbit.github.io/beyond/beyond_0004/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "530178da-92ea-43ce-94c2-8877a826783d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "530178da-92ea-43ce-94c2-8877a826783d_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_104.json b/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_104.json
deleted file mode 100644
index 894d813617b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create or modify a crontab via a process that is not crontab (i.e python, osascript, etc.). This activity should not be highly prevalent and could indicate the use of cron as a persistence mechanism by a threat actor.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious CronTab Creation or Modification", "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and process.name != null and\n file.path : \"/private/var/at/tabs/*\" and not process.executable == \"/usr/bin/crontab\"\n", "references": ["https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf", "https://theevilbit.github.io/beyond/beyond_0004/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "530178da-92ea-43ce-94c2-8877a826783d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "530178da-92ea-43ce-94c2-8877a826783d_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_105.json b/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_105.json
deleted file mode 100644
index cf761178475..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/530178da-92ea-43ce-94c2-8877a826783d_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create or modify a crontab via a process that is not crontab (i.e python, osascript, etc.). This activity should not be highly prevalent and could indicate the use of cron as a persistence mechanism by a threat actor.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious CronTab Creation or Modification", "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and process.name != null and\n file.path : \"/private/var/at/tabs/*\" and not process.executable == \"/usr/bin/crontab\"\n", "references": ["https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf", "https://theevilbit.github.io/beyond/beyond_0004/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "530178da-92ea-43ce-94c2-8877a826783d", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "530178da-92ea-43ce-94c2-8877a826783d_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b.json b/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b.json
deleted file mode 100644
index e56b33135b6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.", "from": "now-59m", "history_window_start": "now-20d", "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", "new_terms_fields": ["process.executable"], "note": "## Triage and analysis\n\n### Investigating Suspicious Network Activity to the Internet by Previously Unknown Executable\n\nAfter being installed, malware will often call out to its command and control server to receive further instructions by its operators.\n\nThis rule leverages the new terms rule type to detect previously unknown processes, initiating network connections to external IP-addresses. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate malicious behavior. This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential malicious processes, reverse shells or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Network Activity Detected via cat - afd04601-12fc-4149-9b78-9c3f8fe45d39\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and\nprocess.executable:(\n (/etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or\n /etc/update-motd.d/* or /home/*/.* or /tmp/* or /usr/lib/update-notifier/* or /var/log/* or /var/tmp/*\n) and\nnot (/tmp/newroot/* or /tmp/snap.rootfs*) and\nnot /etc/cron.hourly/BitdefenderRedline) and\nsource.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\nnot process.name:(\n apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or git-remote-https or java or kite-update or kited or node\n or rpm or saml2aws or selenium-manager or solana-validator or wget or yum or ansible* or aws* or php* or pip* or python*\n or steam* or terraform*\n) and\nnot destination.ip:(\n 0.0.0.0 or 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or\n 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or 192.168.0.0/16 or\n 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or 198.51.100.0/24 or 203.0.113.0/24\n or 224.0.0.0/4 or 240.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\"\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", 
"type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "53617418-17b4-4e9c-8a2c-8deb8086ca4b", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n- Filebeat\n- Packetbeat\n\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n### Packetbeat Setup\nPacketbeat is a real-time network packet analyzer that you can use for application monitoring, performance analytics, and threat detection. Packetbeat works by capturing the network traffic between your application servers, decoding the application layer protocols (HTTP, MySQL, Redis, and so on), correlating the requests with the responses, and recording the interesting fields for each transaction.\n\n#### The following steps should be executed in order to add the Packetbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setup-repositories.html).\n- To run Packetbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/running-on-docker.html).\n- For quick start information for Packetbeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-installation-configuration.html).\n- For complete \u201cSetup and Run Packetbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 10}, "id": "53617418-17b4-4e9c-8a2c-8deb8086ca4b", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_1.json b/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_1.json
deleted file mode 100644
index ce83535e15f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.", "from": "now-59m", "history_window_start": "now-2d", "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", "new_terms_fields": ["destination.ip", "process.executable"], "query": "host.os.type:linux and event.category:network and \nevent.action:(connection_attempted or ipv4_connection_attempt_event) and \nprocess.executable : ( \n (/etc/crontab or \n /etc/rc.local or \n /boot/* or \n /dev/shm/* or \n /etc/cron.*/* or \n /etc/init.d/* or \n /etc/rc*.d/* or \n /etc/update-motd.d/* or \n /home/*/.* or \n /run/* or \n /srv/* or \n /tmp/* or \n /usr/lib/update-notifier/* or \n /var/tmp/*) and \n not (/usr/bin/apt or \n /usr/bin/curl or \n /usr/bin/dnf or \n /usr/bin/dockerd or \n /usr/bin/dpkg or \n /usr/bin/rpm or \n /usr/bin/wget or \n /usr/bin/yum) \n ) \nand source.ip : ( \n 10.0.0.0/8 or \n 127.0.0.0/8 or \n 172.16.0.0/12 or \n 192.168.0.0/16) and \n not destination.ip : ( \n 10.0.0.0/8 or \n 100.64.0.0/10 or \n 127.0.0.0/8 or \n 169.254.0.0/16 or \n 172.16.0.0/12 or \n 192.0.0.0/24 or \n 192.0.0.0/29 or \n 192.0.0.10/32 or \n 192.0.0.170/32 or \n 192.0.0.171/32 or \n 192.0.0.8/32 or \n 192.0.0.9/32 or \n 192.0.2.0/24 or \n 
192.168.0.0/16 or \n 192.175.48.0/24 or \n 192.31.196.0/24 or \n 192.52.193.0/24 or \n 192.88.99.0/24 or \n 198.18.0.0/15 or \n 198.51.100.0/24 or \n 203.0.113.0/24 or \n 224.0.0.0/4 or \n 240.0.0.0/4 or \n \"::1\" or \n \"FE80::/10\" or \n \"FF00::/8\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "53617418-17b4-4e9c-8a2c-8deb8086ca4b", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "53617418-17b4-4e9c-8a2c-8deb8086ca4b_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_10.json b/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_10.json
deleted file mode 100644
index 4938cc08960..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_10.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.", "from": "now-59m", "history_window_start": "now-20d", "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", "new_terms_fields": ["process.executable"], "note": "## Triage and analysis\n\n### Investigating Suspicious Network Activity to the Internet by Previously Unknown Executable\n\nAfter being installed, malware will often call out to its command and control server to receive further instructions by its operators.\n\nThis rule leverages the new terms rule type to detect previously unknown processes, initiating network connections to external IP-addresses. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate malicious behavior. This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential malicious processes, reverse shells or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Network Activity Detected via cat - afd04601-12fc-4149-9b78-9c3f8fe45d39\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and\nprocess.executable:(\n (/etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or\n /etc/update-motd.d/* or /home/*/.* or /tmp/* or /usr/lib/update-notifier/* or /var/log/* or /var/tmp/*\n) and\nnot (/tmp/newroot/* or /tmp/snap.rootfs*) and\nnot /etc/cron.hourly/BitdefenderRedline) and\nsource.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and\nnot process.name:(\n apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or git-remote-https or java or kite-update or kited or node\n or rpm or saml2aws or selenium-manager or solana-validator or wget or yum or ansible* or aws* or php* or pip* or python*\n or steam* or terraform*\n) and\nnot destination.ip:(\n 0.0.0.0 or 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or\n 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or 192.168.0.0/16 or\n 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or 198.51.100.0/24 or 203.0.113.0/24\n or 224.0.0.0/4 or 240.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\"\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", 
"type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "53617418-17b4-4e9c-8a2c-8deb8086ca4b", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n- Filebeat\n- Packetbeat\n\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n### Packetbeat Setup\nPacketbeat is a real-time network packet analyzer that you can use for application monitoring, performance analytics, and threat detection. Packetbeat works by capturing the network traffic between your application servers, decoding the application layer protocols (HTTP, MySQL, Redis, and so on), correlating the requests with the responses, and recording the interesting fields for each transaction.\n\n#### The following steps should be executed in order to add the Packetbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setup-repositories.html).\n- To run Packetbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/running-on-docker.html).\n- For quick start information for Packetbeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-installation-configuration.html).\n- For complete \u201cSetup and Run Packetbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 10}, "id": "53617418-17b4-4e9c-8a2c-8deb8086ca4b_10", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_2.json b/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_2.json
deleted file mode 100644
index 73b9cd3b725..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.", "from": "now-59m", "history_window_start": "now-7d", "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", "new_terms_fields": ["destination.ip", "process.executable"], "query": "host.os.type:linux and event.category:network and \nevent.action:(connection_attempted or ipv4_connection_attempt_event) and \nprocess.executable : ( \n (/etc/crontab or \n /etc/rc.local or \n /boot/* or \n /dev/shm/* or \n /etc/cron.*/* or \n /etc/init.d/* or \n /etc/rc*.d/* or \n /etc/update-motd.d/* or \n /home/*/.* or \n /run/* or \n /srv/* or \n /tmp/* or \n /usr/lib/update-notifier/* or \n /var/tmp/*) and \n not (/usr/bin/apt or \n /usr/bin/curl or \n /usr/bin/dnf or \n /usr/bin/dockerd or \n /usr/bin/dpkg or \n /usr/bin/rpm or \n /usr/bin/wget or \n /usr/bin/yum) \n ) \nand source.ip : ( \n 10.0.0.0/8 or \n 127.0.0.0/8 or \n 172.16.0.0/12 or \n 192.168.0.0/16) and \n not destination.ip : ( \n 10.0.0.0/8 or \n 100.64.0.0/10 or \n 127.0.0.0/8 or \n 169.254.0.0/16 or \n 172.16.0.0/12 or \n 192.0.0.0/24 or \n 192.0.0.0/29 or \n 192.0.0.10/32 or \n 192.0.0.170/32 or \n 192.0.0.171/32 or \n 192.0.0.8/32 or \n 192.0.0.9/32 or \n 192.0.2.0/24 or \n 
192.168.0.0/16 or \n 192.175.48.0/24 or \n 192.31.196.0/24 or \n 192.52.193.0/24 or \n 192.88.99.0/24 or \n 198.18.0.0/15 or \n 198.51.100.0/24 or \n 203.0.113.0/24 or \n 224.0.0.0/4 or \n 240.0.0.0/4 or \n \"::1\" or \n \"FE80::/10\" or \n \"FF00::/8\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "53617418-17b4-4e9c-8a2c-8deb8086ca4b", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "53617418-17b4-4e9c-8a2c-8deb8086ca4b_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_3.json b/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_3.json
deleted file mode 100644
index 0132a4e8cdd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.", "from": "now-59m", "history_window_start": "now-7d", "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", "new_terms_fields": ["destination.ip", "process.executable"], "query": "host.os.type:linux and event.category:network and \nevent.action:(connection_attempted or ipv4_connection_attempt_event) and \nprocess.executable : ( \n (/etc/crontab or \n /etc/rc.local or \n /boot/* or \n /dev/shm/* or \n /etc/cron.*/* or \n /etc/init.d/* or \n /etc/rc*.d/* or \n /etc/update-motd.d/* or \n /home/*/.* or \n /run/* or \n /srv/* or \n /tmp/* or \n /usr/lib/update-notifier/* or \n /var/tmp/*) and \n not (/usr/bin/apt or \n /usr/bin/curl or \n /usr/bin/dnf or \n /usr/bin/dockerd or \n /usr/bin/dpkg or \n /usr/bin/rpm or \n /usr/bin/wget or \n /usr/bin/yum) \n ) \nand source.ip : ( \n 10.0.0.0/8 or \n 127.0.0.0/8 or \n 172.16.0.0/12 or \n 192.168.0.0/16) and \n not destination.ip : ( \n 10.0.0.0/8 or \n 100.64.0.0/10 or \n 127.0.0.0/8 or \n 169.254.0.0/16 or \n 172.16.0.0/12 or \n 192.0.0.0/24 or \n 192.0.0.0/29 or \n 192.0.0.10/32 or \n 192.0.0.170/32 or \n 192.0.0.171/32 or \n 192.0.0.8/32 or \n 192.0.0.9/32 or \n 192.0.2.0/24 or \n 
192.168.0.0/16 or \n 192.175.48.0/24 or \n 192.31.196.0/24 or \n 192.52.193.0/24 or \n 192.88.99.0/24 or \n 198.18.0.0/15 or \n 198.51.100.0/24 or \n 203.0.113.0/24 or \n 224.0.0.0/4 or \n 240.0.0.0/4 or \n \"::1\" or \n \"FE80::/10\" or \n \"FF00::/8\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "53617418-17b4-4e9c-8a2c-8deb8086ca4b", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 3}, "id": "53617418-17b4-4e9c-8a2c-8deb8086ca4b_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_4.json b/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_4.json
deleted file mode 100644
index 49f3f82eaef..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.", "from": "now-59m", "history_window_start": "now-14d", "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", "new_terms_fields": ["host.id", "destination.ip", "process.executable"], "query": "host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and \nprocess.executable:(\n (/etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or \n /etc/update-motd.d/* or /home/*/.* or /run/* or /srv/* or /tmp/* or /usr/lib/update-notifier/* or /var/tmp/*\n ) and not (/tmp/newroot/* or /tmp/snap.rootfs*)\n ) and \nsource.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and \nnot process.name:(\n apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or java or kite-update or kited or node or rpm or\n saml2aws or wget or yum or ansible* or aws* or php* or pip* or python* or steam* or terraform*\n) and \nnot destination.ip:(\n 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or \n 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 
or 192.0.0.9/32 or 192.0.2.0/24 or \n 192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or \n 198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\"\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "53617418-17b4-4e9c-8a2c-8deb8086ca4b", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 4}, "id": "53617418-17b4-4e9c-8a2c-8deb8086ca4b_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_5.json b/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_5.json
deleted file mode 100644
index 199262ccd1d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.", "from": "now-59m", "history_window_start": "now-14d", "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", "new_terms_fields": ["host.id", "destination.ip", "process.executable"], "query": "host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and \nprocess.executable:(\n (/etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or \n /etc/update-motd.d/* or /home/*/.* or /run/* or /srv/* or /tmp/* or /usr/lib/update-notifier/* or /var/tmp/*\n ) and not (/tmp/newroot/* or /tmp/snap.rootfs*)\n ) and \nsource.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and \nnot process.name:(\n apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or java or kite-update or kited or node or rpm or\n saml2aws or wget or yum or ansible* or aws* or php* or pip* or python* or steam* or terraform*\n) and \nnot destination.ip:(\n 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or \n 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 
or 192.0.0.9/32 or 192.0.2.0/24 or \n 192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or \n 198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\"\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "53617418-17b4-4e9c-8a2c-8deb8086ca4b", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n- Filebeat\n- Packetbeat\n\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n### Packetbeat Setup\nPacketbeat is a real-time network packet analyzer that you can use for application monitoring, performance analytics, and threat detection. Packetbeat works by capturing the network traffic between your application servers, decoding the application layer protocols (HTTP, MySQL, Redis, and so on), correlating the requests with the responses, and recording the interesting fields for each transaction.\n\n#### The following steps should be executed in order to add the Packetbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setup-repositories.html).\n- To run Packetbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/running-on-docker.html).\n- For quick start information for Packetbeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-installation-configuration.html).\n- For complete \u201cSetup and Run Packetbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 5}, "id": "53617418-17b4-4e9c-8a2c-8deb8086ca4b_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_6.json b/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_6.json
deleted file mode 100644
index d28c0d48a06..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.", "from": "now-59m", "history_window_start": "now-14d", "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", "new_terms_fields": ["host.id", "destination.ip", "process.executable"], "note": "## Triage and analysis\n\n### Investigating Suspicious Network Activity to the Internet by Previously Unknown Executable\n\nAfter being installed, malware will often call out to its command and control server to receive further instructions by its operators.\n\nThis rule leverages the new terms rule type to detect previously unknown processes, initiating network connections to external IP-addresses. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate malicious behavior. This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential malicious processes, reverse shells or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Network Activity Detected via cat - afd04601-12fc-4149-9b78-9c3f8fe45d39\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and \nprocess.executable:(\n (/etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or \n /etc/update-motd.d/* or /home/*/.* or /run/* or /srv/* or /tmp/* or /usr/lib/update-notifier/* or /var/tmp/*\n ) and not (/tmp/newroot/* or /tmp/snap.rootfs*)\n ) and \nsource.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and \nnot process.name:(\n apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or java or kite-update or kited or node or rpm or\n saml2aws or wget or yum or ansible* or aws* or php* or pip* or python* or steam* or terraform*\n) and \nnot destination.ip:(\n 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or \n 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or \n 192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or \n 198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\"\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, 
"name": "process.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "53617418-17b4-4e9c-8a2c-8deb8086ca4b", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n- Filebeat\n- Packetbeat\n\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n### Packetbeat Setup\nPacketbeat is a real-time network packet analyzer that you can use for application monitoring, performance analytics, and threat detection. Packetbeat works by capturing the network traffic between your application servers, decoding the application layer protocols (HTTP, MySQL, Redis, and so on), correlating the requests with the responses, and recording the interesting fields for each transaction.\n\n#### The following steps should be executed in order to add the Packetbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setup-repositories.html).\n- To run Packetbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/running-on-docker.html).\n- For quick start information for Packetbeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-installation-configuration.html).\n- For complete \u201cSetup and Run Packetbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 6}, "id": "53617418-17b4-4e9c-8a2c-8deb8086ca4b_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_7.json b/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_7.json
deleted file mode 100644
index 6d92466d954..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.", "from": "now-59m", "history_window_start": "now-14d", "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", "new_terms_fields": ["host.id", "destination.ip", "process.executable"], "note": "## Triage and analysis\n\n### Investigating Suspicious Network Activity to the Internet by Previously Unknown Executable\n\nAfter being installed, malware will often call out to its command and control server to receive further instructions by its operators.\n\nThis rule leverages the new terms rule type to detect previously unknown processes, initiating network connections to external IP-addresses. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate malicious behavior. This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential malicious processes, reverse shells or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Network Activity Detected via cat - afd04601-12fc-4149-9b78-9c3f8fe45d39\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and \nprocess.executable:(\n (/etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or \n /etc/update-motd.d/* or /home/*/.* or /run/* or /srv/* or /tmp/* or /usr/lib/update-notifier/* or /var/tmp/*\n ) and not (/tmp/newroot/* or /tmp/snap.rootfs*)\n ) and \nsource.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and \nnot process.name:(\n apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or java or kite-update or kited or node or rpm or\n saml2aws or wget or yum or ansible* or aws* or php* or pip* or python* or steam* or terraform*\n) and \nnot destination.ip:(\n 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or \n 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or \n 192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or \n 198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" or 0.0.0.0\n) and\nnot destination.port:(22 or 80 or 443)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": 
"host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "53617418-17b4-4e9c-8a2c-8deb8086ca4b", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n- Filebeat\n- Packetbeat\n\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n### Packetbeat Setup\nPacketbeat is a real-time network packet analyzer that you can use for application monitoring, performance analytics, and threat detection. Packetbeat works by capturing the network traffic between your application servers, decoding the application layer protocols (HTTP, MySQL, Redis, and so on), correlating the requests with the responses, and recording the interesting fields for each transaction.\n\n#### The following steps should be executed in order to add the Packetbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setup-repositories.html).\n- To run Packetbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/running-on-docker.html).\n- For quick start information for Packetbeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-installation-configuration.html).\n- For complete \u201cSetup and Run Packetbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 7}, "id": "53617418-17b4-4e9c-8a2c-8deb8086ca4b_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_8.json b/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_8.json
deleted file mode 100644
index 8201c77b712..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory to a previously unknown destination ip. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.", "from": "now-59m", "history_window_start": "now-14d", "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", "new_terms_fields": ["host.id", "destination.ip", "process.executable"], "note": "## Triage and analysis\n\n### Investigating Suspicious Network Activity to the Internet by Previously Unknown Executable\n\nAfter being installed, malware will often call out to its command and control server to receive further instructions by its operators.\n\nThis rule leverages the new terms rule type to detect previously unknown processes, initiating network connections to external IP-addresses. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate malicious behavior. This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential malicious processes, reverse shells or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Network Activity Detected via cat - afd04601-12fc-4149-9b78-9c3f8fe45d39\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and \nprocess.executable:(\n (/etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or \n /etc/update-motd.d/* or /home/*/.* or /run/* or /srv/* or /tmp/* or /usr/lib/update-notifier/* or /var/tmp/*\n ) and not (/tmp/newroot/* or /tmp/snap.rootfs*)\n ) and \nsource.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and \nnot process.name:(\n apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or java or kite-update or kited or node or rpm or\n saml2aws or wget or yum or ansible* or aws* or php* or pip* or python* or steam* or terraform*\n) and \nnot destination.ip:(\n 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or \n 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or \n 192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or \n 198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" or 0.0.0.0\n) and\nnot destination.port:(22 or 80 or 443)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": 
"host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "53617418-17b4-4e9c-8a2c-8deb8086ca4b", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n- Filebeat\n- Packetbeat\n\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n### Packetbeat Setup\nPacketbeat is a real-time network packet analyzer that you can use for application monitoring, performance analytics, and threat detection. Packetbeat works by capturing the network traffic between your application servers, decoding the application layer protocols (HTTP, MySQL, Redis, and so on), correlating the requests with the responses, and recording the interesting fields for each transaction.\n\n#### The following steps should be executed in order to add the Packetbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setup-repositories.html).\n- To run Packetbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/running-on-docker.html).\n- For quick start information for Packetbeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-installation-configuration.html).\n- For complete \u201cSetup and Run Packetbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 8}, "id": "53617418-17b4-4e9c-8a2c-8deb8086ca4b_8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_9.json b/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_9.json deleted file mode 100644 index d0e2b780add..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/53617418-17b4-4e9c-8a2c-8deb8086ca4b_9.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious directory. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.", "from": "now-59m", "history_window_start": "now-14d", "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", "new_terms_fields": ["host.id", "process.executable"], "note": "## Triage and analysis\n\n### Investigating Suspicious Network Activity to the Internet by Previously Unknown Executable\n\nAfter being installed, malware will often call out to its command and control server to receive further instructions by its operators.\n\nThis rule leverages the new terms rule type to detect previously unknown processes, initiating network connections to external IP-addresses. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate malicious behavior. This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential malicious processes, reverse shells or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Network Activity Detected via cat - afd04601-12fc-4149-9b78-9c3f8fe45d39\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:linux and event.category:network and event.action:(connection_attempted or ipv4_connection_attempt_event) and \nprocess.executable:(\n (/etc/crontab or /etc/rc.local or ./* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or \n /etc/update-motd.d/* or /home/*/.* or /run/* or /srv/* or /tmp/* or /usr/lib/update-notifier/* or /var/tmp/* or\n /var/log/*\n ) and not (/tmp/newroot/* or /tmp/snap.rootfs*)\n ) and \nsource.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and \nnot process.name:(\n apt or chrome or curl or dnf or dockerd or dpkg or firefox-bin or java or kite-update or kited or node or rpm or\n saml2aws or wget or yum or ansible* or aws* or php* or pip* or python* or steam* or terraform*\n) and \nnot destination.ip:(\n 10.0.0.0/8 or 100.64.0.0/10 or 127.0.0.0/8 or 169.254.0.0/16 or 172.16.0.0/12 or 192.0.0.0/24 or 192.0.0.0/29 or \n 192.0.0.10/32 or 192.0.0.170/32 or 192.0.0.171/32 or 192.0.0.8/32 or 192.0.0.9/32 or 192.0.2.0/24 or \n 192.168.0.0/16 or 192.175.48.0/24 or 192.31.196.0/24 or 192.52.193.0/24 or 192.88.99.0/24 or 198.18.0.0/15 or \n 198.51.100.0/24 or 203.0.113.0/24 or 224.0.0.0/4 or 240.0.0.0/4 or \"::1\" or \"FE80::/10\" or \"FF00::/8\" or 0.0.0.0\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": 
"keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "53617418-17b4-4e9c-8a2c-8deb8086ca4b", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n- Filebeat\n- Packetbeat\n\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n### Packetbeat Setup\nPacketbeat is a real-time network packet analyzer that you can use for application monitoring, performance analytics, and threat detection. Packetbeat works by capturing the network traffic between your application servers, decoding the application layer protocols (HTTP, MySQL, Redis, and so on), correlating the requests with the responses, and recording the interesting fields for each transaction.\n\n#### The following steps should be executed in order to add the Packetbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setup-repositories.html).\n- To run Packetbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/running-on-docker.html).\n- For quick start information for Packetbeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-installation-configuration.html).\n- For complete \u201cSetup and Run Packetbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 9}, "id": "53617418-17b4-4e9c-8a2c-8deb8086ca4b_9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0.json b/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0.json deleted file mode 100644 index 6dabe805bd5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System.", "false_positives": ["File System or Mount being deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. File System Mount deletion by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EFS File System or Mount Deleted", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and\nevent.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html", "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "536997f7-ae73-447d-a12d-bff1e8f5f0a0", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "536997f7-ae73-447d-a12d-bff1e8f5f0a0", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_102.json b/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_102.json deleted file mode 100644 index fe17f6e8a86..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System.", "false_positives": ["File System or Mount being deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. File System Mount deletion by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EFS File System or Mount Deleted", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and\nevent.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html", "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "536997f7-ae73-447d-a12d-bff1e8f5f0a0", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Data Protection"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "536997f7-ae73-447d-a12d-bff1e8f5f0a0_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_103.json b/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_103.json deleted file mode 100644 index a10d4170dae..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System.", "false_positives": ["File System or Mount being deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. File System Mount deletion by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EFS File System or Mount Deleted", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and\nevent.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html", "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "536997f7-ae73-447d-a12d-bff1e8f5f0a0", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "536997f7-ae73-447d-a12d-bff1e8f5f0a0_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_104.json b/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_104.json deleted file mode 100644 index 1413196b92f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System.", "false_positives": ["File System or Mount being deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. File System Mount deletion by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EFS File System or Mount Deleted", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and\nevent.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html", "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "536997f7-ae73-447d-a12d-bff1e8f5f0a0", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "536997f7-ae73-447d-a12d-bff1e8f5f0a0_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_205.json b/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_205.json deleted file mode 100644 index c5e05ddf050..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/536997f7-ae73-447d-a12d-bff1e8f5f0a0_205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System.", "false_positives": ["File System or Mount being deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. File System Mount deletion by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EFS File System or Mount Deleted", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and\nevent.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/efs/latest/ug/API_DeleteFileSystem.html", "https://docs.aws.amazon.com/efs/latest/ug/API_DeleteMountTarget.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "536997f7-ae73-447d-a12d-bff1e8f5f0a0", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "536997f7-ae73-447d-a12d-bff1e8f5f0a0_205", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de.json b/packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de.json deleted file mode 100644 index e1dbd7cf89a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of diagnostic settings in Azure, which send platform logs and metrics to different destinations. An adversary may delete diagnostic settings in an attempt to evade defenses.", "false_positives": ["Deletion of diagnostic settings may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Diagnostic settings deletion from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Diagnostic Settings Deletion", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\" and event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Azure", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": 
[{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_101.json b/packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_101.json deleted file mode 100644 index 160f2ae7cd7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of diagnostic settings in Azure, which send platform logs and metrics to different destinations. An adversary may delete diagnostic settings in an attempt to evade defenses.", "false_positives": ["Deletion of diagnostic settings may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Diagnostic settings deletion from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Diagnostic Settings Deletion", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE\" and event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", 
"subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6.json b/packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6.json deleted file mode 100644 index 4448245f1bc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A statistical model has identified command-and-control (C2) beaconing activity. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network.", "from": "now-1h", "index": ["ml_beaconing.all"], "language": "kuery", "license": "Elastic License v2", "name": "Statistical Model Detected C2 Beaconing Activity", "query": "beacon_stats.is_beaconing: true and\nnot process.name: (\"WaAppAgent.exe\" or \"metricbeat.exe\" or \"packetbeat.exe\" or \"WindowsAzureGuestAgent.exe\" or \"HealthService.exe\" or \"Widgets.exe\" or \"lsass.exe\" or \"msedgewebview2.exe\" or \n \"MsMpEng.exe\" or \"OUTLOOK.EXE\" or \"msteams.exe\" or \"FileSyncHelper.exe\" or \"SearchProtocolHost.exe\" or \"Creative Cloud.exe\" or \"ms-teams.exe\" or \"ms-teamsupdate.exe\" or \n \"curl.exe\" or \"rundll32.exe\" or \"MsSense.exe\" or \"wermgr.exe\" or \"java\" or \"olk.exe\" or \"iexplore.exe\" or \"NetworkManager\" or \"packetbeat\" or \"Ssms.exe\" or \"NisSrv.exe\" or \n \"gamingservices.exe\" or \"appidcertstorecheck.exe\" or \"POWERPNT.EXE\" or \"miiserver.exe\" or \"Grammarly.Desktop.exe\" or \"SnagitEditor.exe\" or \"CRWindowsClientService.exe\" or\n \"agentbeat\" or \"dnf\" or \"yum\" or \"apt\"\n )\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/beaconing", "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic"], "related_integrations": [{"package": "beaconing", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": false, "name": "beacon_stats.is_beaconing", "type": "unknown"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "5397080f-34e5-449b-8e9c-4c8083d7ccc6", "setup": 
"## Setup\n\nThe rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations.\n\n### Network Beaconing Identification Setup\nThe Network Beaconing Identification integration consists of a statistical framework to identify C2 beaconing activity in network logs.\n\n#### Prerequisite Requirements:\n- Fleet is required for Network Beaconing Identification.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n\n#### The following steps should be executed to install assets associated with the Network Beaconing Identification integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n", "severity": "low", "tags": ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1102", "name": "Web Service", "reference": "https://attack.mitre.org/techniques/T1102/", "subtechnique": [{"id": "T1102.002", "name": "Bidirectional Communication", "reference": "https://attack.mitre.org/techniques/T1102/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 6}, "id": "5397080f-34e5-449b-8e9c-4c8083d7ccc6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_1.json b/packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_1.json deleted file mode 100644 index 5d8867a1137..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A statistical model has identified command-and-control (C2) beaconing activity. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network.", "from": "now-1h", "index": ["ml_beaconing.all"], "language": "kuery", "license": "Elastic License v2", "name": "Statistical Model Detected C2 Beaconing Activity", "note": "", "query": "beacon_stats.is_beaconing: true\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/beaconing", "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic"], "related_integrations": [{"package": "beaconing", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "beacon_stats.is_beaconing", "type": "unknown"}], "risk_score": 21, "rule_id": "5397080f-34e5-449b-8e9c-4c8083d7ccc6", "setup": "The Beaconing integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.", "severity": "low", "tags": ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1102", "name": "Web Service", "reference": "https://attack.mitre.org/techniques/T1102/", "subtechnique": [{"id": "T1102.002", "name": "Bidirectional Communication", "reference": "https://attack.mitre.org/techniques/T1102/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "5397080f-34e5-449b-8e9c-4c8083d7ccc6_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_2.json b/packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_2.json
deleted file mode 100644
index 5412902b5fb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A statistical model has identified command-and-control (C2) beaconing activity. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network.", "from": "now-1h", "index": ["ml_beaconing.all"], "language": "kuery", "license": "Elastic License v2", "name": "Statistical Model Detected C2 Beaconing Activity", "query": "beacon_stats.is_beaconing: true\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/beaconing", "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic"], "related_integrations": [{"package": "beaconing", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": false, "name": "beacon_stats.is_beaconing", "type": "unknown"}], "risk_score": 21, "rule_id": "5397080f-34e5-449b-8e9c-4c8083d7ccc6", "setup": "The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations. 
\n\n### Network Beaconing Identification Setup\nThe Network Beaconing Identification integration consists of a statistical framework to identify C2 beaconing activity in network logs.\n\n#### Prerequisite Requirements:\n- Fleet is required for Network Beaconing Identification.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n\n#### The following steps should be executed to install assets associated with the Network Beaconing Identification integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.\n- Under Settings, click \"Install Network Beaconing Identification assets\" and follow the prompts to install the assets.\n", "severity": "low", "tags": ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1102", "name": "Web Service", "reference": "https://attack.mitre.org/techniques/T1102/", "subtechnique": [{"id": "T1102.002", "name": "Bidirectional Communication", "reference": "https://attack.mitre.org/techniques/T1102/002/"}]}]}], "type": "query", "version": 2}, "id": "5397080f-34e5-449b-8e9c-4c8083d7ccc6_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_3.json b/packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_3.json deleted file mode 100644 index c669a0462c2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A statistical model has identified command-and-control (C2) beaconing activity. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network.", "from": "now-1h", "index": ["ml_beaconing.all"], "language": "kuery", "license": "Elastic License v2", "name": "Statistical Model Detected C2 Beaconing Activity", "query": "beacon_stats.is_beaconing: true\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/beaconing", "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic"], "related_integrations": [{"package": "beaconing", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": false, "name": "beacon_stats.is_beaconing", "type": "unknown"}], "risk_score": 21, "rule_id": "5397080f-34e5-449b-8e9c-4c8083d7ccc6", "setup": "The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations.\n\n### Network Beaconing Identification Setup\nThe Network Beaconing Identification integration consists of a statistical framework to identify C2 beaconing activity in network logs.\n\n#### Prerequisite Requirements:\n- Fleet is required for Network Beaconing Identification.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.\n- To install Elastic Defend, refer to the 
[documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n\n#### The following steps should be executed to install assets associated with the Network Beaconing Identification integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.\n- Under Settings, click \"Install Network Beaconing Identification assets\" and follow the prompts to install the assets.\n", "severity": "low", "tags": ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1102", "name": "Web Service", "reference": "https://attack.mitre.org/techniques/T1102/", "subtechnique": [{"id": "T1102.002", "name": "Bidirectional Communication", "reference": "https://attack.mitre.org/techniques/T1102/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "5397080f-34e5-449b-8e9c-4c8083d7ccc6_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_4.json b/packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_4.json deleted file mode 100644 index 2cf3799f7b5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_4.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A statistical model has identified command-and-control (C2) beaconing activity. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network.", "from": "now-1h", "index": ["ml_beaconing.all"], "language": "kuery", "license": "Elastic License v2", "name": "Statistical Model Detected C2 Beaconing Activity", "query": "beacon_stats.is_beaconing: true and\nnot process.name: (\"WaAppAgent.exe\" or \"metricbeat.exe\" or \"packetbeat.exe\" or \"WindowsAzureGuestAgent.exe\" or \"HealthService.exe\" or \"Widgets.exe\" or \"lsass.exe\" or \"msedgewebview2.exe\" or \"MsMpEng.exe\" or \"OUTLOOK.EXE\" or \"msteams.exe\" or \"FileSyncHelper.exe\" or \"SearchProtocolHost.exe\" or \"Creative Cloud.exe\" or \"ms-teams.exe\" or \"ms-teamsupdate.exe\" or \"curl.exe\" or \"rundll32.exe\" or \"MsSense.exe\" or \"wermgr.exe\" or \"java\" or \"olk.exe\" or \"iexplore.exe\" or \"NetworkManager\" or \"packetbeat\" or \"Ssms.exe\" or \"NisSrv.exe\" or \"gamingservices.exe\" or \"appidcertstorecheck.exe\" or \"POWERPNT.EXE\" or \"miiserver.exe\" or \"Grammarly.Desktop.exe\" or \"SnagitEditor.exe\" or \"CRWindowsClientService.exe\")\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/beaconing", "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic"], "related_integrations": [{"package": "beaconing", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": false, "name": "beacon_stats.is_beaconing", "type": "unknown"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "5397080f-34e5-449b-8e9c-4c8083d7ccc6", "setup": "## Setup\n\nThe rule requires the Network Beaconing 
Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations.\n\n### Network Beaconing Identification Setup\nThe Network Beaconing Identification integration consists of a statistical framework to identify C2 beaconing activity in network logs.\n\n#### Prerequisite Requirements:\n- Fleet is required for Network Beaconing Identification.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n\n#### The following steps should be executed to install assets associated with the Network Beaconing Identification integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.\n- Under Settings, click \"Install Network Beaconing Identification assets\" and follow the prompts to install the assets.\n", "severity": "low", "tags": ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1102", "name": "Web Service", "reference": "https://attack.mitre.org/techniques/T1102/", "subtechnique": [{"id": "T1102.002", "name": "Bidirectional Communication", "reference": "https://attack.mitre.org/techniques/T1102/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "5397080f-34e5-449b-8e9c-4c8083d7ccc6_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_5.json b/packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_5.json
deleted file mode 100644
index 14da3f82b04..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5397080f-34e5-449b-8e9c-4c8083d7ccc6_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A statistical model has identified command-and-control (C2) beaconing activity. Beaconing can help attackers maintain stealthy communication with their C2 servers, receive instructions and payloads, exfiltrate data and maintain persistence in a network.", "from": "now-1h", "index": ["ml_beaconing.all"], "language": "kuery", "license": "Elastic License v2", "name": "Statistical Model Detected C2 Beaconing Activity", "query": "beacon_stats.is_beaconing: true and\nnot process.name: (\"WaAppAgent.exe\" or \"metricbeat.exe\" or \"packetbeat.exe\" or \"WindowsAzureGuestAgent.exe\" or \"HealthService.exe\" or \"Widgets.exe\" or \"lsass.exe\" or \"msedgewebview2.exe\" or \"MsMpEng.exe\" or \"OUTLOOK.EXE\" or \"msteams.exe\" or \"FileSyncHelper.exe\" or \"SearchProtocolHost.exe\" or \"Creative Cloud.exe\" or \"ms-teams.exe\" or \"ms-teamsupdate.exe\" or \"curl.exe\" or \"rundll32.exe\" or \"MsSense.exe\" or \"wermgr.exe\" or \"java\" or \"olk.exe\" or \"iexplore.exe\" or \"NetworkManager\" or \"packetbeat\" or \"Ssms.exe\" or \"NisSrv.exe\" or \"gamingservices.exe\" or \"appidcertstorecheck.exe\" or \"POWERPNT.EXE\" or \"miiserver.exe\" or \"Grammarly.Desktop.exe\" or \"SnagitEditor.exe\" or \"CRWindowsClientService.exe\")\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/beaconing", "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic"], "related_integrations": [{"package": "beaconing", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": false, "name": "beacon_stats.is_beaconing", "type": "unknown"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "5397080f-34e5-449b-8e9c-4c8083d7ccc6", "setup": "## Setup\n\nThe rule requires the Network Beaconing 
Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations.\n\n### Network Beaconing Identification Setup\nThe Network Beaconing Identification integration consists of a statistical framework to identify C2 beaconing activity in network logs.\n\n#### Prerequisite Requirements:\n- Fleet is required for Network Beaconing Identification.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n\n#### The following steps should be executed to install assets associated with the Network Beaconing Identification integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n", "severity": "low", "tags": ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1102", "name": "Web Service", "reference": "https://attack.mitre.org/techniques/T1102/", "subtechnique": [{"id": "T1102.002", "name": "Bidirectional Communication", "reference": "https://attack.mitre.org/techniques/T1102/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "5397080f-34e5-449b-8e9c-4c8083d7ccc6_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14.json b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14.json
deleted file mode 100644
index 1747870657c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious PDF Reader Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious PDF Reader Child Process\n\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\n\nThis rule looks for commonly abused built-in utilities spawned by a PDF reader process, which is likely a malicious behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve PDF documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"AcroRd32.exe\",\n \"Acrobat.exe\",\n \"FoxitPhantomPDF.exe\",\n \"FoxitReader.exe\") and\n process.name : (\"arp.exe\", \"dsquery.exe\", \"dsget.exe\", \"gpresult.exe\", \"hostname.exe\", \"ipconfig.exe\", \"nbtstat.exe\",\n \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"ping.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"reg.exe\", \"sc.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\",\n \"whoami.exe\", \"bginfo.exe\", \"cdb.exe\", \"cmstp.exe\", \"csi.exe\", \"dnx.exe\", \"fsi.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"Microsoft.Workflow.Compiler.exe\", \"msbuild.exe\", \"mshta.exe\",\n \"msxsl.exe\", \"odbcconf.exe\", \"rcsi.exe\", \"regsvr32.exe\", \"xwizard.exe\", \"atbroker.exe\",\n \"forfiles.exe\", \"schtasks.exe\", \"regasm.exe\", \"regsvcs.exe\", \"cmd.exe\", \"cscript.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"wmic.exe\", \"wscript.exe\", \"bitsadmin.exe\", \"certutil.exe\", \"ftp.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": 
true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "53a26770-9cbd-40c5-8b57-61d01a325e14", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_104.json b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_104.json
deleted file mode 100644
index bcabede44bf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious PDF Reader Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious PDF Reader Child Process\n\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\n\nThis rule looks for commonly abused built-in utilities spawned by a PDF reader process, which is likely a malicious behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve PDF documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"AcroRd32.exe\",\n \"Acrobat.exe\",\n \"FoxitPhantomPDF.exe\",\n \"FoxitReader.exe\") and\n process.name : (\"arp.exe\", \"dsquery.exe\", \"dsget.exe\", \"gpresult.exe\", \"hostname.exe\", \"ipconfig.exe\", \"nbtstat.exe\",\n \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"ping.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"reg.exe\", \"sc.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\",\n \"whoami.exe\", \"bginfo.exe\", \"cdb.exe\", \"cmstp.exe\", \"csi.exe\", \"dnx.exe\", \"fsi.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"Microsoft.Workflow.Compiler.exe\", \"msbuild.exe\", \"mshta.exe\",\n \"msxsl.exe\", \"odbcconf.exe\", \"rcsi.exe\", \"regsvr32.exe\", \"xwizard.exe\", \"atbroker.exe\",\n \"forfiles.exe\", \"schtasks.exe\", \"regasm.exe\", \"regsvcs.exe\", \"cmd.exe\", \"cscript.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"wmic.exe\", \"wscript.exe\", \"bitsadmin.exe\", \"certutil.exe\", \"ftp.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": 
true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "53a26770-9cbd-40c5-8b57-61d01a325e14_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_105.json b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_105.json
deleted file mode 100644
index 3b499a75b21..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious PDF Reader Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious PDF Reader Child Process\n\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\n\nThis rule looks for commonly abused built-in utilities spawned by a PDF reader process, which is likely a malicious behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve PDF documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"AcroRd32.exe\",\n \"Acrobat.exe\",\n \"FoxitPhantomPDF.exe\",\n \"FoxitReader.exe\") and\n process.name : (\"arp.exe\", \"dsquery.exe\", \"dsget.exe\", \"gpresult.exe\", \"hostname.exe\", \"ipconfig.exe\", \"nbtstat.exe\",\n \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"ping.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"reg.exe\", \"sc.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\",\n \"whoami.exe\", \"bginfo.exe\", \"cdb.exe\", \"cmstp.exe\", \"csi.exe\", \"dnx.exe\", \"fsi.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"Microsoft.Workflow.Compiler.exe\", \"msbuild.exe\", \"mshta.exe\",\n \"msxsl.exe\", \"odbcconf.exe\", \"rcsi.exe\", \"regsvr32.exe\", \"xwizard.exe\", \"atbroker.exe\",\n \"forfiles.exe\", \"schtasks.exe\", \"regasm.exe\", \"regsvcs.exe\", \"cmd.exe\", \"cscript.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"wmic.exe\", \"wscript.exe\", \"bitsadmin.exe\", \"certutil.exe\", \"ftp.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": 
true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "53a26770-9cbd-40c5-8b57-61d01a325e14_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_106.json b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_106.json
deleted file mode 100644
index 6225eb2c5b4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious PDF Reader Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious PDF Reader Child Process\n\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\n\nThis rule looks for commonly abused built-in utilities spawned by a PDF reader process, which is likely a malicious behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve PDF documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"AcroRd32.exe\",\n \"Acrobat.exe\",\n \"FoxitPhantomPDF.exe\",\n \"FoxitReader.exe\") and\n process.name : (\"arp.exe\", \"dsquery.exe\", \"dsget.exe\", \"gpresult.exe\", \"hostname.exe\", \"ipconfig.exe\", \"nbtstat.exe\",\n \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"ping.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"reg.exe\", \"sc.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\",\n \"whoami.exe\", \"bginfo.exe\", \"cdb.exe\", \"cmstp.exe\", \"csi.exe\", \"dnx.exe\", \"fsi.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"Microsoft.Workflow.Compiler.exe\", \"msbuild.exe\", \"mshta.exe\",\n \"msxsl.exe\", \"odbcconf.exe\", \"rcsi.exe\", \"regsvr32.exe\", \"xwizard.exe\", \"atbroker.exe\",\n \"forfiles.exe\", \"schtasks.exe\", \"regasm.exe\", \"regsvcs.exe\", \"cmd.exe\", \"cscript.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"wmic.exe\", \"wscript.exe\", \"bitsadmin.exe\", \"certutil.exe\", \"ftp.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": 
true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "53a26770-9cbd-40c5-8b57-61d01a325e14_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_107.json b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_107.json
deleted file mode 100644
index 66578d48446..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious PDF Reader Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious PDF Reader Child Process\n\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\n\nThis rule looks for commonly abused built-in utilities spawned by a PDF reader process, which is likely a malicious behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve PDF documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"AcroRd32.exe\",\n \"Acrobat.exe\",\n \"FoxitPhantomPDF.exe\",\n \"FoxitReader.exe\") and\n process.name : (\"arp.exe\", \"dsquery.exe\", \"dsget.exe\", \"gpresult.exe\", \"hostname.exe\", \"ipconfig.exe\", \"nbtstat.exe\",\n \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"ping.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"reg.exe\", \"sc.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\",\n \"whoami.exe\", \"bginfo.exe\", \"cdb.exe\", \"cmstp.exe\", \"csi.exe\", \"dnx.exe\", \"fsi.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"Microsoft.Workflow.Compiler.exe\", \"msbuild.exe\", \"mshta.exe\",\n \"msxsl.exe\", \"odbcconf.exe\", \"rcsi.exe\", \"regsvr32.exe\", \"xwizard.exe\", \"atbroker.exe\",\n \"forfiles.exe\", \"schtasks.exe\", \"regasm.exe\", \"regsvcs.exe\", \"cmd.exe\", \"cscript.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"wmic.exe\", \"wscript.exe\", \"bitsadmin.exe\", \"certutil.exe\", \"ftp.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": 
true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "53a26770-9cbd-40c5-8b57-61d01a325e14_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_108.json b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_108.json
deleted file mode 100644
index d4e4e4e19ba..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious PDF Reader Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious PDF Reader Child Process\n\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\n\nThis rule looks for commonly abused built-in utilities spawned by a PDF reader process, which is likely a malicious behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve PDF documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"AcroRd32.exe\",\n \"Acrobat.exe\",\n \"FoxitPhantomPDF.exe\",\n \"FoxitReader.exe\") and\n process.name : (\"arp.exe\", \"dsquery.exe\", \"dsget.exe\", \"gpresult.exe\", \"hostname.exe\", \"ipconfig.exe\", \"nbtstat.exe\",\n \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"ping.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"reg.exe\", \"sc.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\",\n \"whoami.exe\", \"bginfo.exe\", \"cdb.exe\", \"cmstp.exe\", \"csi.exe\", \"dnx.exe\", \"fsi.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"Microsoft.Workflow.Compiler.exe\", \"msbuild.exe\", \"mshta.exe\",\n \"msxsl.exe\", \"odbcconf.exe\", \"rcsi.exe\", \"regsvr32.exe\", \"xwizard.exe\", \"atbroker.exe\",\n \"forfiles.exe\", \"schtasks.exe\", \"regasm.exe\", \"regsvcs.exe\", \"cmd.exe\", \"cscript.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"wmic.exe\", \"wscript.exe\", \"bitsadmin.exe\", \"certutil.exe\", \"ftp.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, 
{"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "53a26770-9cbd-40c5-8b57-61d01a325e14_108", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_109.json b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_109.json
deleted file mode 100644
index a3982635268..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious PDF Reader Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious PDF Reader Child Process\n\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\n\nThis rule looks for commonly abused built-in utilities spawned by a PDF reader process, which is likely a malicious behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve PDF documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"AcroRd32.exe\",\n \"Acrobat.exe\",\n \"FoxitPhantomPDF.exe\",\n \"FoxitReader.exe\") and\n process.name : (\"arp.exe\", \"dsquery.exe\", \"dsget.exe\", \"gpresult.exe\", \"hostname.exe\", \"ipconfig.exe\", \"nbtstat.exe\",\n \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"ping.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"reg.exe\", \"sc.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\",\n \"whoami.exe\", \"bginfo.exe\", \"cdb.exe\", \"cmstp.exe\", \"csi.exe\", \"dnx.exe\", \"fsi.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"Microsoft.Workflow.Compiler.exe\", \"msbuild.exe\", \"mshta.exe\",\n \"msxsl.exe\", \"odbcconf.exe\", \"rcsi.exe\", \"regsvr32.exe\", \"xwizard.exe\", \"atbroker.exe\",\n \"forfiles.exe\", \"schtasks.exe\", \"regasm.exe\", \"regsvcs.exe\", \"cmd.exe\", \"cscript.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"wmic.exe\", \"wscript.exe\", \"bitsadmin.exe\", \"certutil.exe\", \"ftp.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": 
true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "53a26770-9cbd-40c5-8b57-61d01a325e14_109", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_110.json b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_110.json
deleted file mode 100644
index 78baae38875..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious PDF Reader Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious PDF Reader Child Process\n\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\n\nThis rule looks for commonly abused built-in utilities spawned by a PDF reader process, which is likely a malicious behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve PDF documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"AcroRd32.exe\",\n \"Acrobat.exe\",\n \"FoxitPhantomPDF.exe\",\n \"FoxitReader.exe\") and\n process.name : (\"arp.exe\", \"dsquery.exe\", \"dsget.exe\", \"gpresult.exe\", \"hostname.exe\", \"ipconfig.exe\", \"nbtstat.exe\",\n \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"ping.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"reg.exe\", \"sc.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\",\n \"whoami.exe\", \"bginfo.exe\", \"cdb.exe\", \"cmstp.exe\", \"csi.exe\", \"dnx.exe\", \"fsi.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"Microsoft.Workflow.Compiler.exe\", \"msbuild.exe\", \"mshta.exe\",\n \"msxsl.exe\", \"odbcconf.exe\", \"rcsi.exe\", \"regsvr32.exe\", \"xwizard.exe\", \"atbroker.exe\",\n \"forfiles.exe\", \"schtasks.exe\", \"regasm.exe\", \"regsvcs.exe\", \"cmd.exe\", \"cscript.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"wmic.exe\", \"wscript.exe\", \"bitsadmin.exe\", \"certutil.exe\", \"ftp.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": 
true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "53a26770-9cbd-40c5-8b57-61d01a325e14_110", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_111.json b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_111.json
deleted file mode 100644
index 39105b5ec9b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious PDF Reader Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious PDF Reader Child Process\n\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\n\nThis rule looks for commonly abused built-in utilities spawned by a PDF reader process, which is likely a malicious behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve PDF documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"AcroRd32.exe\",\n \"Acrobat.exe\",\n \"FoxitPhantomPDF.exe\",\n \"FoxitReader.exe\") and\n process.name : (\"arp.exe\", \"dsquery.exe\", \"dsget.exe\", \"gpresult.exe\", \"hostname.exe\", \"ipconfig.exe\", \"nbtstat.exe\",\n \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"ping.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"reg.exe\", \"sc.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\",\n \"whoami.exe\", \"bginfo.exe\", \"cdb.exe\", \"cmstp.exe\", \"csi.exe\", \"dnx.exe\", \"fsi.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"Microsoft.Workflow.Compiler.exe\", \"msbuild.exe\", \"mshta.exe\",\n \"msxsl.exe\", \"odbcconf.exe\", \"rcsi.exe\", \"regsvr32.exe\", \"xwizard.exe\", \"atbroker.exe\",\n \"forfiles.exe\", \"schtasks.exe\", \"regasm.exe\", \"regsvcs.exe\", \"cmd.exe\", \"cscript.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"wmic.exe\", \"wscript.exe\", \"bitsadmin.exe\", \"certutil.exe\", \"ftp.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": 
true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "53a26770-9cbd-40c5-8b57-61d01a325e14_111", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_311.json b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_311.json
deleted file mode 100644
index a91df4388e3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_311.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious PDF Reader Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious PDF Reader Child Process\n\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\n\nThis rule looks for commonly abused built-in utilities spawned by a PDF reader process, which is likely a malicious behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve PDF documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"AcroRd32.exe\",\n \"Acrobat.exe\",\n \"FoxitPhantomPDF.exe\",\n \"FoxitReader.exe\") and\n process.name : (\"arp.exe\", \"dsquery.exe\", \"dsget.exe\", \"gpresult.exe\", \"hostname.exe\", \"ipconfig.exe\", \"nbtstat.exe\",\n \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"ping.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"reg.exe\", \"sc.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\",\n \"whoami.exe\", \"bginfo.exe\", \"cdb.exe\", \"cmstp.exe\", \"csi.exe\", \"dnx.exe\", \"fsi.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"Microsoft.Workflow.Compiler.exe\", \"msbuild.exe\", \"mshta.exe\",\n \"msxsl.exe\", \"odbcconf.exe\", \"rcsi.exe\", \"regsvr32.exe\", \"xwizard.exe\", \"atbroker.exe\",\n \"forfiles.exe\", \"schtasks.exe\", \"regasm.exe\", \"regsvcs.exe\", \"cmd.exe\", \"cscript.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"wmic.exe\", \"wscript.exe\", \"bitsadmin.exe\", \"certutil.exe\", \"ftp.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": 
true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 311}, "id": "53a26770-9cbd-40c5-8b57-61d01a325e14_311", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_312.json b/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_312.json
deleted file mode 100644
index d8b0df6cce5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/53a26770-9cbd-40c5-8b57-61d01a325e14_312.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious PDF Reader Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious PDF Reader Child Process\n\nPDF is a common file type used in corporate environments and most machines have software to handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.\n\nThis rule looks for commonly abused built-in utilities spawned by a PDF reader process, which is likely a malicious behavior.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve PDF documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"AcroRd32.exe\",\n \"Acrobat.exe\",\n \"FoxitPhantomPDF.exe\",\n \"FoxitReader.exe\") and\n process.name : (\"arp.exe\", \"dsquery.exe\", \"dsget.exe\", \"gpresult.exe\", \"hostname.exe\", \"ipconfig.exe\", \"nbtstat.exe\",\n \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"ping.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"reg.exe\", \"sc.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\",\n \"whoami.exe\", \"bginfo.exe\", \"cdb.exe\", \"cmstp.exe\", \"csi.exe\", \"dnx.exe\", \"fsi.exe\", \"ieexec.exe\",\n \"iexpress.exe\", \"installutil.exe\", \"Microsoft.Workflow.Compiler.exe\", \"msbuild.exe\", \"mshta.exe\",\n \"msxsl.exe\", \"odbcconf.exe\", \"rcsi.exe\", \"regsvr32.exe\", \"xwizard.exe\", \"atbroker.exe\",\n \"forfiles.exe\", \"schtasks.exe\", \"regasm.exe\", \"regsvcs.exe\", \"cmd.exe\", \"cscript.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"wmic.exe\", \"wscript.exe\", \"bitsadmin.exe\", \"certutil.exe\", \"ftp.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", 
"version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "53a26770-9cbd-40c5-8b57-61d01a325e14", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 312}, "id": "53a26770-9cbd-40c5-8b57-61d01a325e14_312", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b.json b/packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b.json
deleted file mode 100644
index 85d01a08714..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Binary Content Copy via Cmd.exe", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and (\n (process.args : \"type\" and process.args : (\">\", \">>\")) or\n (process.args : \"copy\" and process.args : \"/b\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "53dedd83-1be7-430f-8026-363256395c8b", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows 
Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "53dedd83-1be7-430f-8026-363256395c8b", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b_1.json b/packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b_1.json
deleted file mode 100644
index 36b92d19ca9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Binary Content Copy via Cmd.exe", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and (\n (process.args : \"type\" and process.args : (\">\", \">>\")) or\n (process.args : \"copy\" and process.args : \"/b\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "53dedd83-1be7-430f-8026-363256395c8b", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "53dedd83-1be7-430f-8026-363256395c8b_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b_2.json b/packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b_2.json deleted file mode 100644 index 1a7996733ab..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Binary Content Copy via Cmd.exe", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and (\n (process.args : \"type\" and process.args : (\">\", \">>\")) or\n (process.args : \"copy\" and process.args : \"/b\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "53dedd83-1be7-430f-8026-363256395c8b", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": 
"53dedd83-1be7-430f-8026-363256395c8b_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b_3.json b/packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b_3.json
deleted file mode 100644
index b0856bf4871..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload.", "from": "now-119m", "index": ["logs-endpoint.events.process-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Binary Content Copy via Cmd.exe", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and (\n (process.args : \"type\" and process.args : (\">\", \">>\")) or\n (process.args : \"copy\" and process.args : \"/b\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "53dedd83-1be7-430f-8026-363256395c8b", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": 
"53dedd83-1be7-430f-8026-363256395c8b_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b_4.json b/packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b_4.json
deleted file mode 100644
index d02c79af95d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Binary Content Copy via Cmd.exe", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and (\n (process.args : \"type\" and process.args : (\">\", \">>\")) or\n (process.args : \"copy\" and process.args : \"/b\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "53dedd83-1be7-430f-8026-363256395c8b", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": 
"https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "53dedd83-1be7-430f-8026-363256395c8b_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b_5.json b/packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b_5.json
deleted file mode 100644
index 656f2dab046..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/53dedd83-1be7-430f-8026-363256395c8b_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Attackers may abuse cmd.exe commands to reassemble binary fragments into a malicious payload.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Binary Content Copy via Cmd.exe", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and (\n (process.args : \"type\" and process.args : (\">\", \">>\")) or\n (process.args : \"copy\" and process.args : \"/b\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "53dedd83-1be7-430f-8026-363256395c8b", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows 
Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "53dedd83-1be7-430f-8026-363256395c8b_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80.json b/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80.json
deleted file mode 100644
index 785ba608603..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Uncommon Registry Persistence Change", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n length(registry.data.strings) > 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n 
\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n 
\"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Control Panel\\\\Desktop\\\\scrnsave.exe\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n\n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\") and\n not 
(process.name : (\"TiWorker.exe\", \"poqexec.exe\") and registry.value : \"SetupExecute\" and\n registry.data.strings : (\n \"C:\\\\windows\\\\System32\\\\poqexec.exe /display_progress \\\\SystemRoot\\\\WinSxS\\\\pending.xml\",\n \"C:\\\\Windows\\\\System32\\\\poqexec.exe /skip_critical_poq /display_progress \\\\SystemRoot\\\\WinSxS\\\\pending.xml\"\n )\n ) and\n not (process.name : \"svchost.exe\" and registry.value : \"SCRNSAVE.EXE\" and\n registry.data.strings : (\n \"%windir%\\\\system32\\\\rundll32.exe user32.dll,LockWorkStation\",\n \"scrnsave.scr\",\n \"%windir%\\\\system32\\\\Ribbons.scr\"\n )\n )\n", "references": ["https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "54902e45-3467-49a4-8abc-529f2c8cfb80", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.002", "name": "Screensaver", "reference": "https://attack.mitre.org/techniques/T1546/002/"}]}, {"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", 
"subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", "timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "54902e45-3467-49a4-8abc-529f2c8cfb80", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_102.json b/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_102.json
deleted file mode 100644
index a6bc89ca6c9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Uncommon Registry Persistence Change", "query": "registry where host.os.type == \"windows\" and\n /* uncomment once stable length(registry.data.strings) > 0 and */\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n 
\"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n 
\"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Control Panel\\\\Desktop\\\\scrnsave.exe\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n\n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\")\n", "references": ["https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"], 
"related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "54902e45-3467-49a4-8abc-529f2c8cfb80", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", "timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "54902e45-3467-49a4-8abc-529f2c8cfb80_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_103.json b/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_103.json
deleted file mode 100644
index 243c9f5182c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Uncommon Registry Persistence Change", "query": "registry where host.os.type == \"windows\" and\n /* uncomment once stable length(registry.data.strings) > 0 and */\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n 
\"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n 
\"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Control Panel\\\\Desktop\\\\scrnsave.exe\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n\n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\")\n", "references": ["https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"], 
"related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "54902e45-3467-49a4-8abc-529f2c8cfb80", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", "timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "54902e45-3467-49a4-8abc-529f2c8cfb80_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_104.json b/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_104.json deleted file mode 100644 index 159136db6a7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Uncommon Registry Persistence Change", "query": "registry where host.os.type == \"windows\" and\n /* uncomment once stable length(registry.data.strings) > 0 and */\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n 
\"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n 
\"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Control Panel\\\\Desktop\\\\scrnsave.exe\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n\n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\")\n", "references": ["https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"], 
"related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "54902e45-3467-49a4-8abc-529f2c8cfb80", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", "timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "54902e45-3467-49a4-8abc-529f2c8cfb80_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_105.json b/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_105.json deleted file mode 100644 index fad4de4112e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Uncommon Registry Persistence Change", "query": "registry where host.os.type == \"windows\" and\n /* uncomment once stable length(registry.data.strings) > 0 and */\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n 
\"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n 
\"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Control Panel\\\\Desktop\\\\scrnsave.exe\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n\n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\")\n", "references": ["https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"], 
"related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "54902e45-3467-49a4-8abc-529f2c8cfb80", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}, {"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.002", "name": "Screensaver", "reference": "https://attack.mitre.org/techniques/T1546/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", "timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "54902e45-3467-49a4-8abc-529f2c8cfb80_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_106.json b/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_106.json
deleted file mode 100644
index dcfaefda2d6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.", "from": "now-9m", "index": ["logs-endpoint.events.registry*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Uncommon Registry Persistence Change", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n length(registry.data.strings) > 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n 
\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n 
\"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Control Panel\\\\Desktop\\\\scrnsave.exe\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n\n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\")\n", 
"references": ["https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "54902e45-3467-49a4-8abc-529f2c8cfb80", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}, {"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.002", "name": "Screensaver", "reference": "https://attack.mitre.org/techniques/T1546/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", "timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "54902e45-3467-49a4-8abc-529f2c8cfb80_106", "type": "security-rule"} \ No newline at 
end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_107.json b/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_107.json
deleted file mode 100644
index 57ec5194587..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Uncommon Registry Persistence Change", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n length(registry.data.strings) > 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n 
\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n 
\"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Control Panel\\\\Desktop\\\\scrnsave.exe\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n\n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\")\n", 
"references": ["https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "54902e45-3467-49a4-8abc-529f2c8cfb80", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}, {"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.002", "name": "Screensaver", "reference": "https://attack.mitre.org/techniques/T1546/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", "timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "54902e45-3467-49a4-8abc-529f2c8cfb80_107", "type": "security-rule"} \ No newline at 
end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_108.json b/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_108.json
deleted file mode 100644
index 0928ff94b3f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Uncommon Registry Persistence Change", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n length(registry.data.strings) > 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n 
\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n 
\"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Control Panel\\\\Desktop\\\\scrnsave.exe\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n\n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\")\n", 
"references": ["https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "54902e45-3467-49a4-8abc-529f2c8cfb80", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.002", "name": "Screensaver", "reference": "https://attack.mitre.org/techniques/T1546/002/"}]}, {"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", "timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "54902e45-3467-49a4-8abc-529f2c8cfb80_108", "type": "security-rule"} \ No newline at 
end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_109.json b/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_109.json
deleted file mode 100644
index 13e6d4129d6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Uncommon Registry Persistence Change", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n length(registry.data.strings) > 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n 
\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n 
\"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Control Panel\\\\Desktop\\\\scrnsave.exe\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n\n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\") and\n not 
(process.name : (\"TiWorker.exe\", \"poqexec.exe\") and registry.value : \"SetupExecute\" and\n registry.data.strings : (\n \"C:\\\\windows\\\\System32\\\\poqexec.exe /display_progress \\\\SystemRoot\\\\WinSxS\\\\pending.xml\",\n \"C:\\\\Windows\\\\System32\\\\poqexec.exe /skip_critical_poq /display_progress \\\\SystemRoot\\\\WinSxS\\\\pending.xml\"\n )\n ) and\n not (process.name : \"svchost.exe\" and registry.value : \"SCRNSAVE.EXE\" and\n registry.data.strings : (\n \"%windir%\\\\system32\\\\rundll32.exe user32.dll,LockWorkStation\",\n \"scrnsave.scr\",\n \"%windir%\\\\system32\\\\Ribbons.scr\"\n )\n )\n", "references": ["https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "54902e45-3467-49a4-8abc-529f2c8cfb80", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.002", "name": "Screensaver", "reference": "https://attack.mitre.org/techniques/T1546/002/"}]}, {"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", 
"subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", "timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "54902e45-3467-49a4-8abc-529f2c8cfb80_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_110.json b/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_110.json
deleted file mode 100644
index 2fd68f5c842..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Uncommon Registry Persistence Change", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n length(registry.data.strings) > 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n 
\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n 
\"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Control Panel\\\\Desktop\\\\scrnsave.exe\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n\n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\") and\n not 
(process.name : (\"TiWorker.exe\", \"poqexec.exe\") and registry.value : \"SetupExecute\" and\n registry.data.strings : (\n \"C:\\\\windows\\\\System32\\\\poqexec.exe /display_progress \\\\SystemRoot\\\\WinSxS\\\\pending.xml\",\n \"C:\\\\Windows\\\\System32\\\\poqexec.exe /skip_critical_poq /display_progress \\\\SystemRoot\\\\WinSxS\\\\pending.xml\"\n )\n ) and\n not (process.name : \"svchost.exe\" and registry.value : \"SCRNSAVE.EXE\" and\n registry.data.strings : (\n \"%windir%\\\\system32\\\\rundll32.exe user32.dll,LockWorkStation\",\n \"scrnsave.scr\",\n \"%windir%\\\\system32\\\\Ribbons.scr\"\n )\n )\n", "references": ["https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "54902e45-3467-49a4-8abc-529f2c8cfb80", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.002", "name": "Screensaver", "reference": "https://attack.mitre.org/techniques/T1546/002/"}]}, {"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", 
"subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", "timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "54902e45-3467-49a4-8abc-529f2c8cfb80_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_210.json b/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_210.json
deleted file mode 100644
index 6544a580bec..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/54902e45-3467-49a4-8abc-529f2c8cfb80_210.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects changes to registry persistence keys that are not commonly used or modified by legitimate programs. This could be an indication of an adversary's attempt to persist in a stealthy manner.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Uncommon Registry Persistence Change", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n length(registry.data.strings) > 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Terminal Server\\\\Install\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Runonce\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Run\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\IconServiceLib\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\AppSetup\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Taskman\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\VmApplet\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n 
\"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Active Setup\\\\Installed Components\\\\*\\\\ShellComponent\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnConnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows CE Services\\\\AutoStartOnDisconnect\\\\MicrosoftActiveSync\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n 
\"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Control Panel\\\\Desktop\\\\scrnsave.exe\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\VerifierDlls\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\GpExtensions\\\\*\\\\DllName\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\SafeBoot\\\\AlternateShell\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\Wds\\\\rdpwd\\\\StartupPrograms\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\InitialProgram\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\BootExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\SetupExecute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\Execute\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Session Manager\\\\S0InitialCommand\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\ServiceControlManagerExtension\",\n \"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\BootVerificationProgram\\\\ImagePath\",\n \"HKLM\\\\SYSTEM\\\\Setup\\\\CmdLine\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\") and\n\n not registry.data.strings : (\"C:\\\\Windows\\\\system32\\\\userinit.exe\", \"cmd.exe\", \"C:\\\\Program Files (x86)\\\\*.exe\",\n \"C:\\\\Program Files\\\\*.exe\") and\n not (process.name : \"rundll32.exe\" and registry.path : \"*\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\") and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"C:\\\\Program Files\\\\*.exe\",\n \"C:\\\\Program Files (x86)\\\\*.exe\") and\n not 
(process.name : (\"TiWorker.exe\", \"poqexec.exe\") and registry.value : \"SetupExecute\" and\n registry.data.strings : (\n \"C:\\\\windows\\\\System32\\\\poqexec.exe /display_progress \\\\SystemRoot\\\\WinSxS\\\\pending.xml\",\n \"C:\\\\Windows\\\\System32\\\\poqexec.exe /skip_critical_poq /display_progress \\\\SystemRoot\\\\WinSxS\\\\pending.xml\"\n )\n ) and\n not (process.name : \"svchost.exe\" and registry.value : \"SCRNSAVE.EXE\" and\n registry.data.strings : (\n \"%windir%\\\\system32\\\\rundll32.exe user32.dll,LockWorkStation\",\n \"scrnsave.scr\",\n \"%windir%\\\\system32\\\\Ribbons.scr\"\n )\n )\n", "references": ["https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "54902e45-3467-49a4-8abc-529f2c8cfb80", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.002", "name": "Screensaver", "reference": "https://attack.mitre.org/techniques/T1546/002/"}]}, {"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", 
"subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", "timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 210}, "id": "54902e45-3467-49a4-8abc-529f2c8cfb80_210", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712.json b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712.json
deleted file mode 100644
index 1d117648e3f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\TEMP\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Exchange Mailbox Export via PowerShell", "note": "## Triage and analysis\n\n### Investigating Exchange Mailbox Export via PowerShell\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : \"New-MailboxExportRequest\"\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps", "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": 
true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "54a81f68-5f2a-421e-8eed-f888278bb712", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}, {"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", "name": "Local Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/001/"}, {"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "54a81f68-5f2a-421e-8eed-f888278bb712", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_108.json b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_108.json
deleted file mode 100644
index 05a19fee91a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\TEMP\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Exchange Mailbox Export via PowerShell", "note": "## Triage and analysis\n\n### Investigating Exchange Mailbox Export via PowerShell\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : \"New-MailboxExportRequest\"\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps", "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": 
true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "54a81f68-5f2a-421e-8eed-f888278bb712", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}, {"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", "name": "Local Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/001/"}, {"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "54a81f68-5f2a-421e-8eed-f888278bb712_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_109.json b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_109.json
deleted file mode 100644
index 022e1474895..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\TEMP\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Exchange Mailbox Export via PowerShell", "note": "## Triage and analysis\n\n### Investigating Exchange Mailbox Export via PowerShell\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : \"New-MailboxExportRequest\"\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps", "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": 
true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "54a81f68-5f2a-421e-8eed-f888278bb712", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}, {"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", "name": "Local Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/001/"}, {"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 109}, "id": "54a81f68-5f2a-421e-8eed-f888278bb712_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_2.json b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_2.json
deleted file mode 100644
index afaaf6c880e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Exchange Mailbox Export via PowerShell", "note": "## Triage and analysis\n\n### Investigating Exchange Mailbox Export via PowerShell\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. 
Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and powershell.file.script_block_text : \"New-MailboxExportRequest\"\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps", "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "54a81f68-5f2a-421e-8eed-f888278bb712", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "Investigation Guide", "PowerShell"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", "name": "Local Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/001/"}, {"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "54a81f68-5f2a-421e-8eed-f888278bb712_2", "type": 
"security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_3.json b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_3.json
deleted file mode 100644
index 6f109ff01ff..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Exchange Mailbox Export via PowerShell", "note": "## Triage and analysis\n\n### Investigating Exchange Mailbox Export via PowerShell\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. 
Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and powershell.file.script_block_text : \"New-MailboxExportRequest\"\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps", "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "54a81f68-5f2a-421e-8eed-f888278bb712", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", "name": "Local Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/001/"}, {"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": 
"54a81f68-5f2a-421e-8eed-f888278bb712_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_4.json b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_4.json
deleted file mode 100644
index 76b70de0263..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Exchange Mailbox Export via PowerShell", "note": "## Triage and analysis\n\n### Investigating Exchange Mailbox Export via PowerShell\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. 
Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : \"New-MailboxExportRequest\" and\n not (file.path : (*Microsoft* and *Exchange* and *RemotePowerShell* or *AppData* and *Local*) and\n file.name:(*.psd1 or *.psm1))\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps", "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "54a81f68-5f2a-421e-8eed-f888278bb712", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", "name": "Local Email Collection", "reference": 
"https://attack.mitre.org/techniques/T1114/001/"}, {"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "54a81f68-5f2a-421e-8eed-f888278bb712_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_5.json b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_5.json
deleted file mode 100644
index 7d0b4c8f53b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Exchange Mailbox Export via PowerShell", "note": "## Triage and analysis\n\n### Investigating Exchange Mailbox Export via PowerShell\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. 
Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : \"New-MailboxExportRequest\" and\n not (\n file.path : (\n ?\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Exchange\\\\\\\\RemotePowerShell\\\\\\\\*\n ) and file.name:(*.psd1 or *.psm1)\n )\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps", "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "54a81f68-5f2a-421e-8eed-f888278bb712", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", 
"name": "Local Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/001/"}, {"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "54a81f68-5f2a-421e-8eed-f888278bb712_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_6.json b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_6.json
deleted file mode 100644
index a6c3e2145d2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Exchange Mailbox Export via PowerShell", "note": "## Triage and analysis\n\n### Investigating Exchange Mailbox Export via PowerShell\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. 
Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : \"New-MailboxExportRequest\" and\n not (\n file.path : (\n ?\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Exchange\\\\\\\\RemotePowerShell\\\\\\\\*\n ) and file.name:(*.psd1 or *.psm1)\n )\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps", "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "54a81f68-5f2a-421e-8eed-f888278bb712", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}, {"id": "T1114", "name": 
"Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", "name": "Local Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/001/"}, {"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 6}, "id": "54a81f68-5f2a-421e-8eed-f888278bb712_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_7.json b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_7.json
deleted file mode 100644
index e34ed7144aa..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Exchange Mailbox Export via PowerShell", "note": "## Triage and analysis\n\n### Investigating Exchange Mailbox Export via PowerShell\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. 
Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : \"New-MailboxExportRequest\" and\n not (\n file.path : (\n ?\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Exchange\\\\\\\\RemotePowerShell\\\\\\\\* or\n ?\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\tmp_????????.???\\\\\\\\tmp_????????.???.ps?1* or\n ?\\:\\\\\\\\Windows\\\\\\\\TEMP\\\\\\\\tmp_????????.???\\\\\\\\tmp_????????.???.ps?1*\n ) and file.name:(*.psd1 or *.psm1)\n )\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps", "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "54a81f68-5f2a-421e-8eed-f888278bb712", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": 
"Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}, {"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", "name": "Local Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/001/"}, {"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 7}, "id": "54a81f68-5f2a-421e-8eed-f888278bb712_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_8.json b/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_8.json deleted file mode 100644 index 848f8d04e57..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/54a81f68-5f2a-421e-8eed-f888278bb712_8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Exchange Mailbox Export via PowerShell", "note": "## Triage and analysis\n\n### Investigating Exchange Mailbox Export via PowerShell\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. 
Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : \"New-MailboxExportRequest\" and\n not (\n file.path : (\n ?\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Exchange\\\\\\\\RemotePowerShell\\\\\\\\* or\n ?\\:\\\\\\\\Users\\\\\\\\*\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\tmp_????????.???\\\\\\\\tmp_????????.???.ps?1* or\n ?\\:\\\\\\\\Windows\\\\\\\\TEMP\\\\\\\\tmp_????????.???\\\\\\\\tmp_????????.???.ps?1*\n ) and file.name:(*.psd1 or *.psm1)\n )\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps", "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "54a81f68-5f2a-421e-8eed-f888278bb712", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": 
"Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}, {"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", "name": "Local Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/001/"}, {"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 8}, "id": "54a81f68-5f2a-421e-8eed-f888278bb712_8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936.json b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936.json deleted file mode 100644 index a9e49c25e34..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.", "false_positives": ["Authorized third party network logon providers."], "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Logon Provider Registry Modification", "note": "## Triage and analysis\n\n### Investigating Network Logon Provider Registry Modification\n\nNetwork logon providers are components in Windows responsible for handling the authentication process during a network logon.\n\nThis rule identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in plain text during user logon.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Examine the `registry.data.strings` field to identify the DLL registered.\n- Identify the process responsible for the registry operation and the file creation and investigate their process execution chains (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n - Investigate any abnormal behavior by the subject process, such as network connections, DLLs loaded, registry or file modifications, and any spawned child processes.\n- Retrieve the file and examine if it is signed with valid digital signatures from vendors that are supposed to implement this kind of software and approved to use in the environment. Check for prevalence in the environment and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executables of the processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- False Positives can include legitimate software installations or updates that modify the network logon provider registry. 
These modifications may be necessary for the proper functioning of the software and are not indicative of malicious activity.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.data.strings : \"?*\" and registry.value : \"ProviderPath\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\"\n ) and\n /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */\n not (\n user.id : \"S-1-5-18\" and\n registry.data.strings : (\n \"%SystemRoot%\\\\System32\\\\ntlanman.dll\",\n \"%SystemRoot%\\\\System32\\\\drprov.dll\",\n \"%SystemRoot%\\\\System32\\\\davclnt.dll\",\n \"%SystemRoot%\\\\System32\\\\vmhgfs.dll\",\n \"?:\\\\Program Files (x86)\\\\Citrix\\\\ICA Client\\\\x64\\\\pnsson.dll\",\n \"?:\\\\Program Files\\\\Dell\\\\SARemediation\\\\agent\\\\DellMgmtNP.dll\",\n \"?:\\\\Program Files (x86)\\\\CheckPoint\\\\Endpoint Connect\\\\\\\\epcgina.dll\"\n )\n )\n", "references": ["https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": 
"keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "54c3d186-0461-4dc3-9b33-2dc5c7473936", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "54c3d186-0461-4dc3-9b33-2dc5c7473936", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_103.json b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_103.json deleted file mode 100644 index 2d21cf29d75..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.", "false_positives": ["Authorized third party network logon providers."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Logon Provider Registry Modification", "query": "registry where host.os.type == \"windows\" and registry.data.strings != null and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\"\n ) and\n /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */\n not ( user.id : \"S-1-5-18\" and\n registry.data.strings in\n (\"%SystemRoot%\\\\System32\\\\ntlanman.dll\",\n \"%SystemRoot%\\\\System32\\\\drprov.dll\",\n \"%SystemRoot%\\\\System32\\\\davclnt.dll\")\n )\n", "references": ["https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "54c3d186-0461-4dc3-9b33-2dc5c7473936", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Credential Access", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", 
"reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "54c3d186-0461-4dc3-9b33-2dc5c7473936_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_104.json b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_104.json deleted file mode 100644 index 5710d0b813d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.", "false_positives": ["Authorized third party network logon providers."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Logon Provider Registry Modification", "query": "registry where host.os.type == \"windows\" and registry.data.strings != null and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\"\n ) and\n /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */\n not ( user.id : \"S-1-5-18\" and\n registry.data.strings in\n (\"%SystemRoot%\\\\System32\\\\ntlanman.dll\",\n \"%SystemRoot%\\\\System32\\\\drprov.dll\",\n \"%SystemRoot%\\\\System32\\\\davclnt.dll\")\n )\n", "references": ["https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "54c3d186-0461-4dc3-9b33-2dc5c7473936", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "54c3d186-0461-4dc3-9b33-2dc5c7473936_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_105.json b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_105.json deleted file mode 100644 index c27f8452dd6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.", "false_positives": ["Authorized third party network logon providers."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Logon Provider Registry Modification", "query": "registry where host.os.type == \"windows\" and registry.data.strings != null and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\"\n ) and\n /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */\n not ( user.id : \"S-1-5-18\" and\n registry.data.strings in\n (\"%SystemRoot%\\\\System32\\\\ntlanman.dll\",\n \"%SystemRoot%\\\\System32\\\\drprov.dll\",\n \"%SystemRoot%\\\\System32\\\\davclnt.dll\")\n )\n", "references": ["https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "54c3d186-0461-4dc3-9b33-2dc5c7473936", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "54c3d186-0461-4dc3-9b33-2dc5c7473936_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_106.json b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_106.json deleted file mode 100644 index 0d8567f7f0d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_106.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.", "false_positives": ["Authorized third party network logon providers."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Logon Provider Registry Modification", "query": "registry where host.os.type == \"windows\" and registry.data.strings : \"?*\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\"\n ) and\n /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */\n not (\n user.id : \"S-1-5-18\" and\n registry.data.strings : (\n \"%SystemRoot%\\\\System32\\\\ntlanman.dll\",\n \"%SystemRoot%\\\\System32\\\\drprov.dll\",\n \"%SystemRoot%\\\\System32\\\\davclnt.dll\",\n \"%SystemRoot%\\\\System32\\\\vmhgfs.dll\",\n \"?:\\\\Program Files (x86)\\\\Citrix\\\\ICA Client\\\\x64\\\\pnsson.dll\",\n \"?:\\\\Program Files\\\\Dell\\\\SARemediation\\\\agent\\\\DellMgmtNP.dll\",\n \"?:\\\\Program Files (x86)\\\\CheckPoint\\\\Endpoint Connect\\\\\\\\epcgina.dll\"\n )\n )\n", "references": ["https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 
47, "rule_id": "54c3d186-0461-4dc3-9b33-2dc5c7473936", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "54c3d186-0461-4dc3-9b33-2dc5c7473936_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_107.json b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_107.json deleted file mode 100644 index 9d1e837630a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.", "false_positives": ["Authorized third party network logon providers."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Logon Provider Registry Modification", "note": "## Triage and analysis\n\n### Investigating Network Logon Provider Registry Modification\n\nNetwork logon providers are components in Windows responsible for handling the authentication process during a network logon.\n\nThis rule identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in plain text during user logon.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Examine the `registry.data.strings` field to identify the DLL registered.\n- Identify the process responsible for the registry operation and the file creation and investigate their process execution chains (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n - Investigate any abnormal behavior by the subject process, such as network connections, DLLs loaded, registry or file modifications, and any spawned child processes.\n- Retrieve the file and examine if it is signed with valid digital signatures from vendors that are supposed to implement this kind of software and approved to use in the environment. Check for prevalence in the environment and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executables of the processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- False Positives can include legitimate software installations or updates that modify the network logon provider registry. 
These modifications may be necessary for the proper functioning of the software and are not indicative of malicious activity.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and registry.data.strings : \"?*\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\"\n ) and\n /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */\n not (\n user.id : \"S-1-5-18\" and\n registry.data.strings : (\n \"%SystemRoot%\\\\System32\\\\ntlanman.dll\",\n \"%SystemRoot%\\\\System32\\\\drprov.dll\",\n \"%SystemRoot%\\\\System32\\\\davclnt.dll\",\n \"%SystemRoot%\\\\System32\\\\vmhgfs.dll\",\n \"?:\\\\Program Files (x86)\\\\Citrix\\\\ICA Client\\\\x64\\\\pnsson.dll\",\n \"?:\\\\Program Files\\\\Dell\\\\SARemediation\\\\agent\\\\DellMgmtNP.dll\",\n \"?:\\\\Program Files (x86)\\\\CheckPoint\\\\Endpoint Connect\\\\\\\\epcgina.dll\"\n )\n )\n", "references": ["https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "54c3d186-0461-4dc3-9b33-2dc5c7473936", "severity": "medium", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "54c3d186-0461-4dc3-9b33-2dc5c7473936_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_108.json b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_108.json deleted file mode 100644 index d3b39d64ecc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.", "false_positives": ["Authorized third party network logon providers."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Logon Provider Registry Modification", "note": "## Triage and analysis\n\n### Investigating Network Logon Provider Registry Modification\n\nNetwork logon providers are components in Windows responsible for handling the authentication process during a network logon.\n\nThis rule identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in plain text during user logon.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Examine the `registry.data.strings` field to identify the DLL registered.\n- Identify the process responsible for the registry operation and the file creation and investigate their process execution chains (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n - Investigate any abnormal behavior by the subject process, such as network connections, DLLs loaded, registry or file modifications, and any spawned child processes.\n- Retrieve the file and examine if it is signed with valid digital signatures from vendors that are supposed to implement this kind of software and approved to use in the environment. Check for prevalence in the environment and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executables of the processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- False Positives can include legitimate software installations or updates that modify the network logon provider registry. 
These modifications may be necessary for the proper functioning of the software and are not indicative of malicious activity.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and registry.data.strings : \"?*\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\"\n ) and\n /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */\n not (\n user.id : \"S-1-5-18\" and\n registry.data.strings : (\n \"%SystemRoot%\\\\System32\\\\ntlanman.dll\",\n \"%SystemRoot%\\\\System32\\\\drprov.dll\",\n \"%SystemRoot%\\\\System32\\\\davclnt.dll\",\n \"%SystemRoot%\\\\System32\\\\vmhgfs.dll\",\n \"?:\\\\Program Files (x86)\\\\Citrix\\\\ICA Client\\\\x64\\\\pnsson.dll\",\n \"?:\\\\Program Files\\\\Dell\\\\SARemediation\\\\agent\\\\DellMgmtNP.dll\",\n \"?:\\\\Program Files (x86)\\\\CheckPoint\\\\Endpoint Connect\\\\\\\\epcgina.dll\"\n )\n )\n", "references": ["https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "54c3d186-0461-4dc3-9b33-2dc5c7473936", "severity": "medium", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "54c3d186-0461-4dc3-9b33-2dc5c7473936_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_109.json b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_109.json deleted file mode 100644 index 3c8a95f9abc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.", "false_positives": ["Authorized third party network logon providers."], "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Logon Provider Registry Modification", "note": "## Triage and analysis\n\n### Investigating Network Logon Provider Registry Modification\n\nNetwork logon providers are components in Windows responsible for handling the authentication process during a network logon.\n\nThis rule identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in plain text during user logon.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Examine the `registry.data.strings` field to identify the DLL registered.\n- Identify the process responsible for the registry operation and the file creation and investigate their process execution chains (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n - Investigate any abnormal behavior by the subject process, such as network connections, DLLs loaded, registry or file modifications, and any spawned child processes.\n- Retrieve the file and examine if it is signed with valid digital signatures from vendors that are supposed to implement this kind of software and approved to use in the environment. Check for prevalence in the environment and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executables of the processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- False Positives can include legitimate software installations or updates that modify the network logon provider registry. 
These modifications may be necessary for the proper functioning of the software and are not indicative of malicious activity.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and registry.data.strings : \"?*\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\"\n ) and\n /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */\n not (\n user.id : \"S-1-5-18\" and\n registry.data.strings : (\n \"%SystemRoot%\\\\System32\\\\ntlanman.dll\",\n \"%SystemRoot%\\\\System32\\\\drprov.dll\",\n \"%SystemRoot%\\\\System32\\\\davclnt.dll\",\n \"%SystemRoot%\\\\System32\\\\vmhgfs.dll\",\n \"?:\\\\Program Files (x86)\\\\Citrix\\\\ICA Client\\\\x64\\\\pnsson.dll\",\n \"?:\\\\Program Files\\\\Dell\\\\SARemediation\\\\agent\\\\DellMgmtNP.dll\",\n \"?:\\\\Program Files (x86)\\\\CheckPoint\\\\Endpoint Connect\\\\\\\\epcgina.dll\"\n )\n )\n", "references": ["https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "54c3d186-0461-4dc3-9b33-2dc5c7473936", "severity": "medium", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "54c3d186-0461-4dc3-9b33-2dc5c7473936_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_110.json b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_110.json deleted file mode 100644 index 98d5a5a655d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.", "false_positives": ["Authorized third party network logon providers."], "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Logon Provider Registry Modification", "note": "## Triage and analysis\n\n### Investigating Network Logon Provider Registry Modification\n\nNetwork logon providers are components in Windows responsible for handling the authentication process during a network logon.\n\nThis rule identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in plain text during user logon.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Examine the `registry.data.strings` field to identify the DLL registered.\n- Identify the process responsible for the registry operation and the file creation and investigate their process execution chains (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n - Investigate any abnormal behavior by the subject process, such as network connections, DLLs loaded, registry or file modifications, and any spawned child processes.\n- Retrieve the file and examine if it is signed with valid digital signatures from vendors that are supposed to implement this kind of software and approved to use in the environment. Check for prevalence in the environment and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executables of the processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- False Positives can include legitimate software installations or updates that modify the network logon provider registry. 
These modifications may be necessary for the proper functioning of the software and are not indicative of malicious activity.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.data.strings : \"?*\" and registry.value : \"ProviderPath\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\"\n ) and\n /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */\n not (\n user.id : \"S-1-5-18\" and\n registry.data.strings : (\n \"%SystemRoot%\\\\System32\\\\ntlanman.dll\",\n \"%SystemRoot%\\\\System32\\\\drprov.dll\",\n \"%SystemRoot%\\\\System32\\\\davclnt.dll\",\n \"%SystemRoot%\\\\System32\\\\vmhgfs.dll\",\n \"?:\\\\Program Files (x86)\\\\Citrix\\\\ICA Client\\\\x64\\\\pnsson.dll\",\n \"?:\\\\Program Files\\\\Dell\\\\SARemediation\\\\agent\\\\DellMgmtNP.dll\",\n \"?:\\\\Program Files (x86)\\\\CheckPoint\\\\Endpoint Connect\\\\\\\\epcgina.dll\"\n )\n )\n", "references": ["https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": 
"keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "54c3d186-0461-4dc3-9b33-2dc5c7473936", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "54c3d186-0461-4dc3-9b33-2dc5c7473936_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_111.json b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_111.json deleted file mode 100644 index 7184f45ee37..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.", "false_positives": ["Authorized third party network logon providers."], "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Logon Provider Registry Modification", "note": "## Triage and analysis\n\n### Investigating Network Logon Provider Registry Modification\n\nNetwork logon providers are components in Windows responsible for handling the authentication process during a network logon.\n\nThis rule identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in plain text during user logon.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Examine the `registry.data.strings` field to identify the DLL registered.\n- Identify the process responsible for the registry operation and the file creation and investigate their process execution chains (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n - Investigate any abnormal behavior by the subject process, such as network connections, DLLs loaded, registry or file modifications, and any spawned child processes.\n- Retrieve the file and examine if it is signed with valid digital signatures from vendors that are supposed to implement this kind of software and approved to use in the environment. Check for prevalence in the environment and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executables of the processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- False Positives can include legitimate software installations or updates that modify the network logon provider registry. 
These modifications may be necessary for the proper functioning of the software and are not indicative of malicious activity.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.data.strings : \"?*\" and registry.value : \"ProviderPath\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\"\n ) and\n /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */\n not (\n user.id : \"S-1-5-18\" and\n registry.data.strings : (\n \"%SystemRoot%\\\\System32\\\\ntlanman.dll\",\n \"%SystemRoot%\\\\System32\\\\drprov.dll\",\n \"%SystemRoot%\\\\System32\\\\davclnt.dll\",\n \"%SystemRoot%\\\\System32\\\\vmhgfs.dll\",\n \"?:\\\\Program Files (x86)\\\\Citrix\\\\ICA Client\\\\x64\\\\pnsson.dll\",\n \"?:\\\\Program Files\\\\Dell\\\\SARemediation\\\\agent\\\\DellMgmtNP.dll\",\n \"?:\\\\Program Files (x86)\\\\CheckPoint\\\\Endpoint Connect\\\\\\\\epcgina.dll\"\n )\n )\n", "references": ["https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": 
"keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "54c3d186-0461-4dc3-9b33-2dc5c7473936", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "54c3d186-0461-4dc3-9b33-2dc5c7473936_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_212.json b/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_212.json deleted file mode 100644 index 4168fd50aa9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/54c3d186-0461-4dc3-9b33-2dc5c7473936_212.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in clear text during user logon.", "false_positives": ["Authorized third party network logon providers."], "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Logon Provider Registry Modification", "note": "## Triage and analysis\n\n### Investigating Network Logon Provider Registry Modification\n\nNetwork logon providers are components in Windows responsible for handling the authentication process during a network logon.\n\nThis rule identifies the modification of the network logon provider registry. Adversaries may register a rogue network logon provider module for persistence and/or credential access via intercepting the authentication credentials in plain text during user logon.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Examine the `registry.data.strings` field to identify the DLL registered.\n- Identify the process responsible for the registry operation and the file creation and investigate their process execution chains (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n - Investigate any abnormal behavior by the subject process, such as network connections, DLLs loaded, registry or file modifications, and any spawned child processes.\n- Retrieve the file and examine if it is signed with valid digital signatures from vendors that are supposed to implement this kind of software and approved to use in the environment. Check for prevalence in the environment and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executables of the processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- False Positives can include legitimate software installations or updates that modify the network logon provider registry. 
These modifications may be necessary for the proper functioning of the software and are not indicative of malicious activity.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.data.strings : \"?*\" and registry.value : \"ProviderPath\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\NetworkProvider\\\\ProviderPath\"\n ) and\n /* Excluding default NetworkProviders RDPNP, LanmanWorkstation and webclient. */\n not (\n user.id : \"S-1-5-18\" and\n registry.data.strings : (\n \"%SystemRoot%\\\\System32\\\\ntlanman.dll\",\n \"%SystemRoot%\\\\System32\\\\drprov.dll\",\n \"%SystemRoot%\\\\System32\\\\davclnt.dll\",\n \"%SystemRoot%\\\\System32\\\\vmhgfs.dll\",\n \"?:\\\\Program Files (x86)\\\\Citrix\\\\ICA Client\\\\x64\\\\pnsson.dll\",\n \"?:\\\\Program Files\\\\Dell\\\\SARemediation\\\\agent\\\\DellMgmtNP.dll\",\n \"?:\\\\Program Files (x86)\\\\CheckPoint\\\\Endpoint Connect\\\\\\\\epcgina.dll\"\n )\n )\n", "references": ["https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://docs.microsoft.com/en-us/windows/win32/api/npapi/nf-npapi-nplogonnotify"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, 
{"ecs": true, "name": "registry.value", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "54c3d186-0461-4dc3-9b33-2dc5c7473936", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 212}, "id": "54c3d186-0461-4dc3-9b33-2dc5c7473936_212", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2.json b/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2.json deleted file mode 100644 index a3873aee715..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Service Installed via an Unusual Client", "query": "configuration where host.os.type == \"windows\" and\n event.action == \"service-installed\" and\n (winlog.event_data.ClientProcessId == \"0\" or winlog.event_data.ParentProcessId == \"0\") and\n not winlog.event_data.ServiceFileName : (\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"%SystemRoot%\\\\system32\\\\Drivers\\\\Crowdstrike\\\\*-CsInstallerService.exe\",\n \"\\\"%windir%\\\\AdminArsenal\\\\PDQInventory-Scanner\\\\service-1\\\\PDQInventory-Scanner-1.exe\\\" \"\n )\n", "references": ["https://www.x86matthew.com/view_post?id=create_svc_rpc", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ClientProcessId", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ParentProcessId", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ServiceFileName", "type": "unknown"}], "risk_score": 73, "rule_id": "55c2bf58-2a39-4c58-a384-c8b1978153c2", "setup": "## 
Setup\n\nThe 'Audit Security System Extension' logging policy must be configured for (Success)\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nSystem >\nAudit Security System Extension (Success)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "55c2bf58-2a39-4c58-a384-c8b1978153c2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_103.json b/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_103.json deleted file mode 100644 index 63e24f77dcb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Windows Service Installed via an Unusual Client", "note": "", "query": "event.action:\"service-installed\" and host.os.type:windows and\n (winlog.event_data.ClientProcessId:\"0\" or winlog.event_data.ParentProcessId:\"0\")\n", "references": ["https://www.x86matthew.com/view_post?id=create_svc_rpc", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ClientProcessId", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ParentProcessId", "type": "unknown"}], "risk_score": 73, "rule_id": "55c2bf58-2a39-4c58-a384-c8b1978153c2", "setup": "The 'Audit Security System Extension' logging policy must be configured for (Success)\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nSystem >\nAudit Security System Extension (Success)\n```", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "55c2bf58-2a39-4c58-a384-c8b1978153c2_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_104.json b/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_104.json deleted file mode 100644 index 0453e5d4e6d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Windows Service Installed via an Unusual Client", "note": "", "query": "event.action:\"service-installed\" and\n (winlog.event_data.ClientProcessId:\"0\" or winlog.event_data.ParentProcessId:\"0\")\n", "references": ["https://www.x86matthew.com/view_post?id=create_svc_rpc", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ClientProcessId", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ParentProcessId", "type": "unknown"}], "risk_score": 73, "rule_id": "55c2bf58-2a39-4c58-a384-c8b1978153c2", "setup": "The 'Audit Security System Extension' logging policy must be configured for (Success)\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nSystem >\nAudit Security System Extension (Success)\n```", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege 
Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "55c2bf58-2a39-4c58-a384-c8b1978153c2_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_105.json b/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_105.json deleted file mode 100644 index c7445b6fe7d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Windows Service Installed via an Unusual Client", "note": "", "query": "event.action:\"service-installed\" and\n (winlog.event_data.ClientProcessId:\"0\" or winlog.event_data.ParentProcessId:\"0\")\n", "references": ["https://www.x86matthew.com/view_post?id=create_svc_rpc", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ClientProcessId", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ParentProcessId", "type": "unknown"}], "risk_score": 73, "rule_id": "55c2bf58-2a39-4c58-a384-c8b1978153c2", "setup": "The 'Audit Security System Extension' logging policy must be configured for (Success)\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nSystem >\nAudit Security System Extension (Success)\n```", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "55c2bf58-2a39-4c58-a384-c8b1978153c2_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_106.json b/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_106.json deleted file mode 100644 index 935d6a47d86..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Windows Service Installed via an Unusual Client", "query": "event.action:\"service-installed\" and\n (winlog.event_data.ClientProcessId:\"0\" or winlog.event_data.ParentProcessId:\"0\")\n", "references": ["https://www.x86matthew.com/view_post?id=create_svc_rpc", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ClientProcessId", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ParentProcessId", "type": "unknown"}], "risk_score": 73, "rule_id": "55c2bf58-2a39-4c58-a384-c8b1978153c2", "setup": "\nThe 'Audit Security System Extension' logging policy must be configured for (Success)\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nSystem >\nAudit Security System Extension (Success)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", 
"name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "55c2bf58-2a39-4c58-a384-c8b1978153c2_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_107.json b/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_107.json deleted file mode 100644 index 67127838b5f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Windows Service Installed via an Unusual Client", "query": "event.action:\"service-installed\" and\n (winlog.event_data.ClientProcessId:\"0\" or winlog.event_data.ParentProcessId:\"0\") and\n not winlog.event_data.ServiceFileName : (\n \"C:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\" or\n \"%SystemRoot%\\\\system32\\\\Drivers\\\\Crowdstrike\\\\17706-CsInstallerService.exe\"\n )\n", "references": ["https://www.x86matthew.com/view_post?id=create_svc_rpc", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ClientProcessId", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ParentProcessId", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ServiceFileName", "type": "unknown"}], "risk_score": 73, "rule_id": "55c2bf58-2a39-4c58-a384-c8b1978153c2", "setup": "\nThe 'Audit Security System Extension' logging policy must be configured for (Success)\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies 
Configuration >\nAudit Policies >\nSystem >\nAudit Security System Extension (Success)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "55c2bf58-2a39-4c58-a384-c8b1978153c2_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_108.json b/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_108.json deleted file mode 100644 index 6fe96b7ba99..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Windows Service Installed via an Unusual Client", "query": "event.action:\"service-installed\" and\n (winlog.event_data.ClientProcessId:\"0\" or winlog.event_data.ParentProcessId:\"0\") and\n not winlog.event_data.ServiceFileName : (\n \"C:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\" or\n \"%SystemRoot%\\\\system32\\\\Drivers\\\\Crowdstrike\\\\17706-CsInstallerService.exe\"\n )\n", "references": ["https://www.x86matthew.com/view_post?id=create_svc_rpc", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ClientProcessId", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ParentProcessId", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ServiceFileName", "type": "unknown"}], "risk_score": 73, "rule_id": "55c2bf58-2a39-4c58-a384-c8b1978153c2", "setup": "## Setup\n\nThe 'Audit Security System Extension' logging policy must be configured for (Success)\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies 
Configuration >\nAudit Policies >\nSystem >\nAudit Security System Extension (Success)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "55c2bf58-2a39-4c58-a384-c8b1978153c2_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_109.json b/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_109.json deleted file mode 100644 index cab816a9888..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Service Installed via an Unusual Client", "query": "configuration where host.os.type == \"windows\" and\n event.action == \"service-installed\" and\n (winlog.event_data.ClientProcessId == \"0\" or winlog.event_data.ParentProcessId == \"0\") and\n not winlog.event_data.ServiceFileName : (\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"%SystemRoot%\\\\system32\\\\Drivers\\\\Crowdstrike\\\\*-CsInstallerService.exe\",\n \"\\\"%windir%\\\\AdminArsenal\\\\PDQInventory-Scanner\\\\service-1\\\\PDQInventory-Scanner-1.exe\\\" \"\n )\n", "references": ["https://www.x86matthew.com/view_post?id=create_svc_rpc", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ClientProcessId", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ParentProcessId", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ServiceFileName", "type": "unknown"}], "risk_score": 73, "rule_id": "55c2bf58-2a39-4c58-a384-c8b1978153c2", "setup": "## 
Setup\n\nThe 'Audit Security System Extension' logging policy must be configured for (Success)\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nSystem >\nAudit Security System Extension (Success)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "55c2bf58-2a39-4c58-a384-c8b1978153c2_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_110.json b/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_110.json deleted file mode 100644 index 8e950f88cd7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Service Installed via an Unusual Client", "query": "configuration where host.os.type == \"windows\" and\n event.action == \"service-installed\" and\n (winlog.event_data.ClientProcessId == \"0\" or winlog.event_data.ParentProcessId == \"0\") and\n not winlog.event_data.ServiceFileName : (\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"%SystemRoot%\\\\system32\\\\Drivers\\\\Crowdstrike\\\\*-CsInstallerService.exe\",\n \"\\\"%windir%\\\\AdminArsenal\\\\PDQInventory-Scanner\\\\service-1\\\\PDQInventory-Scanner-1.exe\\\" \"\n )\n", "references": ["https://www.x86matthew.com/view_post?id=create_svc_rpc", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ClientProcessId", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ParentProcessId", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ServiceFileName", "type": "unknown"}], "risk_score": 73, "rule_id": "55c2bf58-2a39-4c58-a384-c8b1978153c2", "setup": "## 
Setup\n\nThe 'Audit Security System Extension' logging policy must be configured for (Success)\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nSystem >\nAudit Security System Extension (Success)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "55c2bf58-2a39-4c58-a384-c8b1978153c2_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_111.json b/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_111.json deleted file mode 100644 index c1efc327c22..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/55c2bf58-2a39-4c58-a384-c8b1978153c2_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Windows service by an unusual client process. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Service Installed via an Unusual Client", "query": "configuration where host.os.type == \"windows\" and\n event.action == \"service-installed\" and\n (winlog.event_data.ClientProcessId == \"0\" or winlog.event_data.ParentProcessId == \"0\") and\n not winlog.event_data.ServiceFileName : (\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"%SystemRoot%\\\\system32\\\\Drivers\\\\Crowdstrike\\\\*-CsInstallerService.exe\",\n \"\\\"%windir%\\\\AdminArsenal\\\\PDQInventory-Scanner\\\\service-1\\\\PDQInventory-Scanner-1.exe\\\" \"\n )\n", "references": ["https://www.x86matthew.com/view_post?id=create_svc_rpc", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4697", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0100_windows_audit_security_system_extension.md", "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ClientProcessId", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ParentProcessId", "type": "unknown"}, {"ecs": false, "name": 
"winlog.event_data.ServiceFileName", "type": "unknown"}], "risk_score": 73, "rule_id": "55c2bf58-2a39-4c58-a384-c8b1978153c2", "setup": "## Setup\n\nThe 'Audit Security System Extension' logging policy must be configured for (Success)\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nSystem >\nAudit Security System Extension (Success)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "55c2bf58-2a39-4c58-a384-c8b1978153c2_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce.json b/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce.json deleted file mode 100644 index abdbabdf503..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.", "false_positives": ["PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "PsExec Network Connection", "note": "## Triage and analysis\n\n### Investigating PsExec Network Connection\n\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. Microsoft develops it as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\n\nThis rule identifies PsExec execution by looking for the creation of `PsExec.exe`, the default name for the utility, followed by a network connection done by the process.\n\n#### Possible investigation steps\n\n- Check if the usage of this tool complies with the organization's administration policy.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the target computer and its role in the IT environment.\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"PsExec.exe\" and event.type == \"start\" and\n\n /* This flag suppresses the display of the license dialog and may\n indicate that psexec executed for the first time in the machine */\n process.args : \"-accepteula\" and\n\n not process.executable : (\"?:\\\\ProgramData\\\\Docusnap\\\\Discovery\\\\discovery\\\\plugins\\\\17\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Docusnap 11\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Program Files\\\\Docusnap X\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Program Files\\\\Docusnap X\\\\Tools\\\\dsDNS.exe\") and\n not process.parent.executable : \"?:\\\\Program Files (x86)\\\\Cynet\\\\Cynet Scanner\\\\CynetScanner.exe\"]\n [network where host.os.type == \"windows\" and process.name : \"PsExec.exe\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce", "severity": "low", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}, {"id": "T1570", "name": "Lateral Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1570/"}]}], "type": "eql", "version": 109}, "id": "55d551c6-333b-4665-ab7e-5d14a59715ce", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_104.json b/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_104.json deleted file mode 100644 index 51a138a7b0c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.", "false_positives": ["PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "PsExec Network Connection", "note": "## Triage and analysis\n\n### Investigating PsExec Network Connection\n\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. Microsoft develops it as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\n\nThis rule identifies PsExec execution by looking for the creation of `PsExec.exe`, the default name for the utility, followed by a network connection done by the process.\n\n#### Possible investigation steps\n\n- Check if the usage of this tool complies with the organization's administration policy.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the target computer and its role in the IT environment.\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"PsExec.exe\" and event.type == \"start\" and\n\n /* This flag suppresses the display of the license dialog and may\n indicate that psexec executed for the first time in the machine */\n process.args : \"-accepteula\" and\n\n not process.executable : (\"?:\\\\ProgramData\\\\Docusnap\\\\Discovery\\\\discovery\\\\plugins\\\\17\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Docusnap 11\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Program Files\\\\Docusnap X\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Program Files\\\\Docusnap X\\\\Tools\\\\dsDNS.exe\") and\n not process.parent.executable : \"?:\\\\Program Files (x86)\\\\Cynet\\\\Cynet Scanner\\\\CynetScanner.exe\"]\n [network where host.os.type == \"windows\" and process.name : \"PsExec.exe\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce", "severity": "low", "tags": ["Elastic", "Host", 
"Windows", "Threat Detection", "Execution", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": []}], "type": "eql", "version": 104}, "id": "55d551c6-333b-4665-ab7e-5d14a59715ce_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_105.json b/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_105.json
deleted file mode 100644
index 22e102a7c1a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.", "false_positives": ["PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "PsExec Network Connection", "note": "## Triage and analysis\n\n### Investigating PsExec Network Connection\n\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. Microsoft develops it as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\n\nThis rule identifies PsExec execution by looking for the creation of `PsExec.exe`, the default name for the utility, followed by a network connection done by the process.\n\n#### Possible investigation steps\n\n- Check if the usage of this tool complies with the organization's administration policy.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the target computer and its role in the IT environment.\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"PsExec.exe\" and event.type == \"start\" and\n\n /* This flag suppresses the display of the license dialog and may\n indicate that psexec executed for the first time in the machine */\n process.args : \"-accepteula\" and\n\n not process.executable : (\"?:\\\\ProgramData\\\\Docusnap\\\\Discovery\\\\discovery\\\\plugins\\\\17\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Docusnap 11\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Program Files\\\\Docusnap X\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Program Files\\\\Docusnap X\\\\Tools\\\\dsDNS.exe\") and\n not process.parent.executable : \"?:\\\\Program Files (x86)\\\\Cynet\\\\Cynet Scanner\\\\CynetScanner.exe\"]\n [network where host.os.type == \"windows\" and process.name : \"PsExec.exe\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce", "severity": "low", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": []}], "type": "eql", "version": 105}, "id": "55d551c6-333b-4665-ab7e-5d14a59715ce_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_106.json b/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_106.json
deleted file mode 100644
index 465f6d39ead..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.", "false_positives": ["PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "PsExec Network Connection", "note": "## Triage and analysis\n\n### Investigating PsExec Network Connection\n\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. Microsoft develops it as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\n\nThis rule identifies PsExec execution by looking for the creation of `PsExec.exe`, the default name for the utility, followed by a network connection done by the process.\n\n#### Possible investigation steps\n\n- Check if the usage of this tool complies with the organization's administration policy.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the target computer and its role in the IT environment.\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"PsExec.exe\" and event.type == \"start\" and\n\n /* This flag suppresses the display of the license dialog and may\n indicate that psexec executed for the first time in the machine */\n process.args : \"-accepteula\" and\n\n not process.executable : (\"?:\\\\ProgramData\\\\Docusnap\\\\Discovery\\\\discovery\\\\plugins\\\\17\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Docusnap 11\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Program Files\\\\Docusnap X\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Program Files\\\\Docusnap X\\\\Tools\\\\dsDNS.exe\") and\n not process.parent.executable : \"?:\\\\Program Files (x86)\\\\Cynet\\\\Cynet Scanner\\\\CynetScanner.exe\"]\n [network where host.os.type == \"windows\" and process.name : \"PsExec.exe\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce", "severity": "low", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": []}], "type": "eql", "version": 106}, "id": "55d551c6-333b-4665-ab7e-5d14a59715ce_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_107.json b/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_107.json
deleted file mode 100644
index 6ce439756b6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.", "false_positives": ["PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "PsExec Network Connection", "note": "## Triage and analysis\n\n### Investigating PsExec Network Connection\n\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. Microsoft develops it as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\n\nThis rule identifies PsExec execution by looking for the creation of `PsExec.exe`, the default name for the utility, followed by a network connection done by the process.\n\n#### Possible investigation steps\n\n- Check if the usage of this tool complies with the organization's administration policy.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the target computer and its role in the IT environment.\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"PsExec.exe\" and event.type == \"start\" and\n\n /* This flag suppresses the display of the license dialog and may\n indicate that psexec executed for the first time in the machine */\n process.args : \"-accepteula\" and\n\n not process.executable : (\"?:\\\\ProgramData\\\\Docusnap\\\\Discovery\\\\discovery\\\\plugins\\\\17\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Docusnap 11\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Program Files\\\\Docusnap X\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Program Files\\\\Docusnap X\\\\Tools\\\\dsDNS.exe\") and\n not process.parent.executable : \"?:\\\\Program Files (x86)\\\\Cynet\\\\Cynet Scanner\\\\CynetScanner.exe\"]\n [network where host.os.type == \"windows\" and process.name : \"PsExec.exe\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce", "severity": "low", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}, {"id": "T1570", "name": "Lateral Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1570/"}]}], "type": "eql", "version": 107}, "id": "55d551c6-333b-4665-ab7e-5d14a59715ce_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_108.json b/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_108.json
deleted file mode 100644
index 8d5f7fca9ba..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.", "false_positives": ["PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "PsExec Network Connection", "note": "## Triage and analysis\n\n### Investigating PsExec Network Connection\n\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. Microsoft develops it as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\n\nThis rule identifies PsExec execution by looking for the creation of `PsExec.exe`, the default name for the utility, followed by a network connection done by the process.\n\n#### Possible investigation steps\n\n- Check if the usage of this tool complies with the organization's administration policy.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the target computer and its role in the IT environment.\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"PsExec.exe\" and event.type == \"start\" and\n\n /* This flag suppresses the display of the license dialog and may\n indicate that psexec executed for the first time in the machine */\n process.args : \"-accepteula\" and\n\n not process.executable : (\"?:\\\\ProgramData\\\\Docusnap\\\\Discovery\\\\discovery\\\\plugins\\\\17\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Docusnap 11\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Program Files\\\\Docusnap X\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Program Files\\\\Docusnap X\\\\Tools\\\\dsDNS.exe\") and\n not process.parent.executable : \"?:\\\\Program Files (x86)\\\\Cynet\\\\Cynet Scanner\\\\CynetScanner.exe\"]\n [network where host.os.type == \"windows\" and process.name : \"PsExec.exe\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce", "severity": "low", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}, {"id": "T1570", "name": "Lateral Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1570/"}]}], "type": "eql", "version": 108}, "id": "55d551c6-333b-4665-ab7e-5d14a59715ce_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_109.json b/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_109.json
deleted file mode 100644
index 3828f819ef6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/55d551c6-333b-4665-ab7e-5d14a59715ce_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement.", "false_positives": ["PsExec is a dual-use tool that can be used for benign or malicious activity. It's important to baseline your environment to determine the amount of noise to expect from this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "PsExec Network Connection", "note": "## Triage and analysis\n\n### Investigating PsExec Network Connection\n\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. Microsoft develops it as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\n\nThis rule identifies PsExec execution by looking for the creation of `PsExec.exe`, the default name for the utility, followed by a network connection done by the process.\n\n#### Possible investigation steps\n\n- Check if the usage of this tool complies with the organization's administration policy.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the target computer and its role in the IT environment.\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"PsExec.exe\" and event.type == \"start\" and\n\n /* This flag suppresses the display of the license dialog and may\n indicate that psexec executed for the first time in the machine */\n process.args : \"-accepteula\" and\n\n not process.executable : (\"?:\\\\ProgramData\\\\Docusnap\\\\Discovery\\\\discovery\\\\plugins\\\\17\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Docusnap 11\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Program Files\\\\Docusnap X\\\\Bin\\\\psexec.exe\",\n \"?:\\\\Program Files\\\\Docusnap X\\\\Tools\\\\dsDNS.exe\") and\n not process.parent.executable : \"?:\\\\Program Files (x86)\\\\Cynet\\\\Cynet Scanner\\\\CynetScanner.exe\"]\n [network where host.os.type == \"windows\" and process.name : \"PsExec.exe\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "55d551c6-333b-4665-ab7e-5d14a59715ce", "severity": "low", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}, {"id": "T1570", "name": "Lateral Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1570/"}]}], "type": "eql", "version": 109}, "id": "55d551c6-333b-4665-ab7e-5d14a59715ce_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/55f07d1b-25bc-4a0f-aa0c-05323c1319d0.json b/packages/security_detection_engine/kibana/security_rule/55f07d1b-25bc-4a0f-aa0c-05323c1319d0.json deleted file mode 100644 index 4d9c82184dd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/55f07d1b-25bc-4a0f-aa0c-05323c1319d0.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the execution of an installer from an archive or with suspicious properties. Adversaries may abuse msiexec.exe to launch local or network accessible MSI files in an attempt to bypass application whitelisting.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Windows Installer with Suspicious Properties", "query": "sequence with maxspan=1m\n [registry where host.os.type == \"windows\" and event.type == \"change\" and process.name : \"msiexec.exe\" and\n (\n (registry.value : \"InstallSource\" and\n registry.data.strings : (\"?:\\\\Users\\\\*\\\\Temp\\\\Temp?_*.zip\\\\*\",\n \"?:\\\\Users\\\\*\\\\*.7z\\\\*\",\n \"?:\\\\Users\\\\*\\\\*.rar\\\\*\")) or\n\n (registry.value : (\"DisplayName\", \"ProductName\") and registry.data.strings : \"SetupTest\")\n )]\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n process.parent.name : \"msiexec.exe\" and\n not process.name : \"msiexec.exe\" and\n not (process.executable : (\"?:\\\\Program Files (x86)\\\\*.exe\", \"?:\\\\Program Files\\\\*.exe\") and process.code_signature.trusted == true)]\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msiexec/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.value", 
"type": "keyword"}], "risk_score": 21, "rule_id": "55f07d1b-25bc-4a0f-aa0c-05323c1319d0", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.007", "name": "Msiexec", "reference": "https://attack.mitre.org/techniques/T1218/007/"}]}]}], "type": "eql", "version": 2}, "id": "55f07d1b-25bc-4a0f-aa0c-05323c1319d0", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/55f07d1b-25bc-4a0f-aa0c-05323c1319d0_1.json b/packages/security_detection_engine/kibana/security_rule/55f07d1b-25bc-4a0f-aa0c-05323c1319d0_1.json deleted file mode 100644 index 9468529da8e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/55f07d1b-25bc-4a0f-aa0c-05323c1319d0_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the execution of an installer from an archive or with suspicious properties. Adversaries may abuse msiexec.exe to launch local or network accessible MSI files in an attempt to bypass application whitelisting.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Windows Installer with Suspicious Properties", "query": "sequence with maxspan=1m\n [registry where host.os.type == \"windows\" and process.name : \"msiexec.exe\" and\n (\n (registry.value : \"InstallSource\" and\n registry.data.strings : (\"?:\\\\Users\\\\*\\\\Temp\\\\Temp?_*.zip\\\\*\",\n \"?:\\\\Users\\\\*\\\\*.7z\\\\*\",\n \"?:\\\\Users\\\\*\\\\*.rar\\\\*\")) or\n\n (registry.value : (\"DisplayName\", \"ProductName\") and registry.data.strings : \"SetupTest\")\n )]\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n process.parent.name : \"msiexec.exe\" and\n not process.name : \"msiexec.exe\" and\n not (process.executable : (\"?:\\\\Program Files (x86)\\\\*.exe\", \"?:\\\\Program Files\\\\*.exe\") and process.code_signature.trusted == true)]\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msiexec/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 21, "rule_id": "55f07d1b-25bc-4a0f-aa0c-05323c1319d0", 
"severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.007", "name": "Msiexec", "reference": "https://attack.mitre.org/techniques/T1218/007/"}]}]}], "type": "eql", "version": 1}, "id": "55f07d1b-25bc-4a0f-aa0c-05323c1319d0_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9.json b/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9.json deleted file mode 100644 index 737aaa19139..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected a suspicious Windows process. This process has been classified as suspicious in two ways. It was predicted to be suspicious by the ProblemChild supervised ML model, and it was found to be an unusual process, on a host that does not commonly manifest malicious activity. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_rare_process_by_host", "name": "Unusual Process Spawned by a Host", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "56004189-4e69-4a39-b4a9-195329d226e9", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "type": "machine_learning", "version": 5}, "id": "56004189-4e69-4a39-b4a9-195329d226e9", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_1.json b/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_1.json deleted file mode 100644 index de71ef4a7ad..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected a suspicious Windows process. This process has been classified as suspicious in two ways. It was predicted to be suspicious by the ProblemChild supervised ML model, and it was found to be an unusual process, on a host that does not commonly manifest malicious activity. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_rare_process_by_host", "name": "Unusual Process Spawned by a Host", "note": "", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "56004189-4e69-4a39-b4a9-195329d226e9", "setup": "The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "type": "machine_learning", "version": 1}, "id": "56004189-4e69-4a39-b4a9-195329d226e9_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_2.json b/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_2.json deleted file mode 100644 index b9aa135bacd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected a suspicious Windows process. This process has been classified as suspicious in two ways. It was predicted to be suspicious by the ProblemChild supervised ML model, and it was found to be an unusual process, on a host that does not commonly manifest malicious activity. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_rare_process_by_host", "name": "Unusual Process Spawned by a Host", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "56004189-4e69-4a39-b4a9-195329d226e9", "setup": "The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\nBefore you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "type": "machine_learning", "version": 2}, "id": "56004189-4e69-4a39-b4a9-195329d226e9_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_3.json b/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_3.json deleted file mode 100644 index 052b717c061..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected a suspicious Windows process. This process has been classified as suspicious in two ways. It was predicted to be suspicious by the ProblemChild supervised ML model, and it was found to be an unusual process, on a host that does not commonly manifest malicious activity. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_rare_process_by_host", "name": "Unusual Process Spawned by a Host", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "56004189-4e69-4a39-b4a9-195329d226e9", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\nBefore you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "type": "machine_learning", "version": 3}, "id": "56004189-4e69-4a39-b4a9-195329d226e9_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_4.json b/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_4.json deleted file mode 100644 index 99089db944d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected a suspicious Windows process. This process has been classified as suspicious in two ways. It was predicted to be suspicious by the ProblemChild supervised ML model, and it was found to be an unusual process, on a host that does not commonly manifest malicious activity. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_rare_process_by_host", "name": "Unusual Process Spawned by a Host", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "56004189-4e69-4a39-b4a9-195329d226e9", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\n**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle \"Include hidden indices\"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\n**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. 
Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\". Warning: If the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and check whether any ProblemChild predictions have been generated.\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "type": "machine_learning", "version": 4}, "id": "56004189-4e69-4a39-b4a9-195329d226e9_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_5.json b/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_5.json deleted file mode 100644 index c7dbc5cd5b6..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected a suspicious Windows process. This process has been classified as suspicious in two ways. It was predicted to be suspicious by the ProblemChild supervised ML model, and it was found to be an unusual process, on a host that does not commonly manifest malicious activity. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_rare_process_by_host", "name": "Unusual Process Spawned by a Host", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "56004189-4e69-4a39-b4a9-195329d226e9", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "type": "machine_learning", "version": 5}, "id": "56004189-4e69-4a39-b4a9-195329d226e9_5", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_6.json b/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_6.json
deleted file mode 100644
index 314fe48cdb9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/56004189-4e69-4a39-b4a9-195329d226e9_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected a suspicious Windows process. This process has been classified as suspicious in two ways. It was predicted to be suspicious by the ProblemChild supervised ML model, and it was found to be an unusual process, on a host that does not commonly manifest malicious activity. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_rare_process_by_host", "name": "Unusual Process Spawned by a Host", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "56004189-4e69-4a39-b4a9-195329d226e9", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "type": "machine_learning", "version": 6}, "id": "56004189-4e69-4a39-b4a9-195329d226e9_6", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/5610b192-7f18-11ee-825b-f661ea17fbcd.json b/packages/security_detection_engine/kibana/security_rule/5610b192-7f18-11ee-825b-f661ea17fbcd.json
deleted file mode 100644
index b9e3726395e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5610b192-7f18-11ee-825b-f661ea17fbcd.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects a sequence of suspicious activities on Windows hosts indicative of credential compromise, followed by efforts to undermine multi-factor authentication (MFA) and single sign-on (SSO) mechanisms for an Okta user account.", "false_positives": ["A Windows administrator may have triggered a low-fidelity credential access alert during a legitimate administrative action. Following this, the administrator may have reset the MFA credentials for themselves and then logged into the Okta console for AD directory services integration management."], "from": "now-12h", "index": ["filebeat-*", "logs-okta*", ".alerts-security.*", "logs-endpoint.events.*"], "interval": "6h", "language": "eql", "license": "Elastic License v2", "name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", "note": "## Triage and analysis\n\n### Investigating Stolen Credentials Used to Login to Okta Account After MFA Reset\n\nThis rule detects a sequence of suspicious activities on Windows hosts indicative of credential compromise, followed by efforts to undermine multi-factor authentication (MFA) and single sign-on (SSO) mechanisms for an Okta user account.\n\nTypically, adversaries initially extract credentials from targeted endpoints through various means. Subsequently, leveraging social engineering, they may seek to reset the MFA credentials associated with an Okta account, especially in scenarios where Active Directory (AD) services are integrated with Okta. Successfully resetting MFA allows the unauthorized use of stolen credentials to gain access to the compromised Okta account. The attacker can then register their own device for MFA, paving the way for unfettered access to the user's Okta account and any associated SaaS applications. 
This is particularly alarming if the compromised account has administrative rights, as it could lead to widespread access to organizational resources and configurations.\n\n#### Possible investigation steps:\n- Identify the user account associated with the Okta login attempt by examining the `user.name` field.\n- Identify the endpoint for the Credential Access alert for this user by examining the `host.name` and `host.id` fields from the alert document.\n- Cross-examine the Okta user and endpoint user to confirm that they are the same person.\n- Reach out to the user to confirm if they have intentionally reset their MFA credentials recently or asked for help in doing so.\n- If the user is unaware of the MFA reset, incident response may be required immediately to prevent further compromise.\n\n### False positive analysis:\n- A Windows administrator may have triggered a low-fidelity credential access alert during a legitimate administrative action. Following this, the administrator may have reset the MFA credentials for themselves and then logged into the Okta console for AD directory services integration management.\n\n### Response and remediation:\n- If confirmed that the user did not intentionally have their MFA factor reset, deactivate the user account.\n- After deactivation, reset the user's password and MFA factor to regain control of the account.\n - Ensure that all user sessions are stopped during this process.\n- Immediately reset the user's AD password as well if Okta does not sync back to AD.\n- Forensic analysis on the user's endpoint may be required to determine the root cause of the compromise and identify the scope of the compromise.\n- Review Okta system logs to identify any other suspicious activity associated with the user account, such as creation of a backup account.\n- With the device ID captured from the MFA factor reset, search across all Okta logs for any other activity associated with the device ID.\n\n## Setup", "query": "sequence by 
user.name with maxspan=12h\n [any where host.os.type == \"windows\" and signal.rule.threat.tactic.name == \"Credential Access\"]\n [any where event.dataset == \"okta.system\" and okta.event_type == \"user.mfa.factor.update\"]\n [any where event.dataset == \"okta.system\" and okta.event_type: (\"user.session.start\", \"user.authentication*\")]\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}, {"ecs": false, "name": "signal.rule.threat.tactic.name", "type": "unknown"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": "5610b192-7f18-11ee-825b-f661ea17fbcd", "setup": "The Okta and Elastic Defend fleet integration structured data is required to be compatible with this rule. 
Directory services integration in Okta with AD synced is also required for this rule to be effective as it relies on triaging `user.name` from Okta and Elastic Defend events.", "severity": "high", "tags": ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta", "Data Source: Elastic Defend", "Rule Type: Higher-Order Rule", "Domain: Endpoint", "Domain: Cloud"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/", "subtechnique": [{"id": "T1556.006", "name": "Multi-Factor Authentication", "reference": "https://attack.mitre.org/techniques/T1556/006/"}]}]}], "type": "eql", "version": 1}, "id": "5610b192-7f18-11ee-825b-f661ea17fbcd", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5610b192-7f18-11ee-825b-f661ea17fbcd_1.json b/packages/security_detection_engine/kibana/security_rule/5610b192-7f18-11ee-825b-f661ea17fbcd_1.json deleted file mode 100644 index 34badaba527..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5610b192-7f18-11ee-825b-f661ea17fbcd_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects a sequence of suspicious activities on Windows hosts indicative of credential compromise, followed by efforts to undermine multi-factor authentication (MFA) and single sign-on (SSO) mechanisms for an Okta user account.", "false_positives": ["A Windows administrator may have triggered a low-fidelity credential access alert during a legitimate administrative action. Following this, the administrator may have reset the MFA credentials for themselves and then logged into the Okta console for AD directory services integration management."], "from": "now-12h", "index": ["filebeat-*", "logs-okta*", ".alerts-security.*", "logs-endpoint.events.*"], "interval": "6h", "language": "eql", "license": "Elastic License v2", "name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", "note": "## Triage and analysis\n\n### Investigating Stolen Credentials Used to Login to Okta Account After MFA Reset\n\nThis rule detects a sequence of suspicious activities on Windows hosts indicative of credential compromise, followed by efforts to undermine multi-factor authentication (MFA) and single sign-on (SSO) mechanisms for an Okta user account.\n\nTypically, adversaries initially extract credentials from targeted endpoints through various means. Subsequently, leveraging social engineering, they may seek to reset the MFA credentials associated with an Okta account, especially in scenarios where Active Directory (AD) services are integrated with Okta. Successfully resetting MFA allows the unauthorized use of stolen credentials to gain access to the compromised Okta account. The attacker can then register their own device for MFA, paving the way for unfettered access to the user's Okta account and any associated SaaS applications. 
This is particularly alarming if the compromised account has administrative rights, as it could lead to widespread access to organizational resources and configurations.\n\n#### Possible investigation steps:\n- Identify the user account associated with the Okta login attempt by examining the `user.name` field.\n- Identify the endpoint for the Credential Access alert for this user by examining the `host.name` and `host.id` fields from the alert document.\n- Cross-examine the Okta user and endpoint user to confirm that they are the same person.\n- Reach out to the user to confirm if they have intentionally reset their MFA credentials recently or asked for help in doing so.\n- If the user is unaware of the MFA reset, incident response may be required immediately to prevent further compromise.\n\n### False positive analysis:\n- A Windows administrator may have triggered a low-fidelity credential access alert during a legitimate administrative action. Following this, the administrator may have reset the MFA credentials for themselves and then logged into the Okta console for AD directory services integration management.\n\n### Response and remediation:\n- If confirmed that the user did not intentionally have their MFA factor reset, deactivate the user account.\n- After deactivation, reset the user's password and MFA factor to regain control of the account.\n - Ensure that all user sessions are stopped during this process.\n- Immediately reset the user's AD password as well if Okta does not sync back to AD.\n- Forensic analysis on the user's endpoint may be required to determine the root cause of the compromise and identify the scope of the compromise.\n- Review Okta system logs to identify any other suspicious activity associated with the user account, such as creation of a backup account.\n- With the device ID captured from the MFA factor reset, search across all Okta logs for any other activity associated with the device ID.\n\n## Setup", "query": "sequence by 
user.name with maxspan=12h\n [any where host.os.type == \"windows\" and signal.rule.threat.tactic.name == \"Credential Access\"]\n [any where event.dataset == \"okta.system\" and okta.event_type == \"user.mfa.factor.update\"]\n [any where event.dataset == \"okta.system\" and okta.event_type: (\"user.session.start\", \"user.authentication*\")]\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}, {"ecs": false, "name": "signal.rule.threat.tactic.name", "type": "unknown"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": "5610b192-7f18-11ee-825b-f661ea17fbcd", "setup": "The Okta and Elastic Defend fleet integration structured data is required to be compatible with this rule. 
Directory services integration in Okta with AD synced is also required for this rule to be effective as it relies on triaging `user.name` from Okta and Elastic Defend events.", "severity": "high", "tags": ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta", "Data Source: Elastic Defend", "Rule Type: Higher-Order Rule", "Domain: Endpoint", "Domain: Cloud"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/", "subtechnique": [{"id": "T1556.006", "name": "Multi-Factor Authentication", "reference": "https://attack.mitre.org/techniques/T1556/006/"}]}]}], "type": "eql", "version": 1}, "id": "5610b192-7f18-11ee-825b-f661ea17fbcd_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5610b192-7f18-11ee-825b-f661ea17fbcd_104.json b/packages/security_detection_engine/kibana/security_rule/5610b192-7f18-11ee-825b-f661ea17fbcd_104.json new file mode 100644 index 00000000000..191f3252ec7 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/5610b192-7f18-11ee-825b-f661ea17fbcd_104.json 
@@ -0,0 +1,110 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects a sequence of suspicious activities on Windows hosts indicative of credential compromise, followed by efforts to undermine multi-factor authentication (MFA) and single sign-on (SSO) mechanisms for an Okta user account.",
+ "false_positives": [
+ "A Windows administrator may have triggered a low-fidelity credential access alert during a legitimate administrative action. Following this, the administrator may have reset the MFA credentials for themselves and then logged into the Okta console for AD directory services integration management."
+ ],
+ "from": "now-12h",
+ "index": [
+ "filebeat-*",
+ "logs-okta*",
+ ".alerts-security.*",
+ "logs-endpoint.events.*"
+ ],
+ "interval": "6h",
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Stolen Credentials Used to Login to Okta Account After MFA Reset",
+ "note": "## Triage and analysis\n\n### Investigating Stolen Credentials Used to Login to Okta Account After MFA Reset\n\nThis rule detects a sequence of suspicious activities on Windows hosts indicative of credential compromise, followed by efforts to undermine multi-factor authentication (MFA) and single sign-on (SSO) mechanisms for an Okta user account.\n\nTypically, adversaries initially extract credentials from targeted endpoints through various means. Subsequently, leveraging social engineering, they may seek to reset the MFA credentials associated with an Okta account, especially in scenarios where Active Directory (AD) services are integrated with Okta. Successfully resetting MFA allows the unauthorized use of stolen credentials to gain access to the compromised Okta account. The attacker can then register their own device for MFA, paving the way for unfettered access to the user's Okta account and any associated SaaS applications. 
This is particularly alarming if the compromised account has administrative rights, as it could lead to widespread access to organizational resources and configurations.\n\n#### Possible investigation steps:\n- Identify the user account associated with the Okta login attempt by examining the `user.name` field.\n- Identify the endpoint for the Credential Access alert for this user by examining the `host.name` and `host.id` fields from the alert document.\n- Cross-examine the Okta user and endpoint user to confirm that they are the same person.\n- Reach out to the user to confirm if they have intentionally reset their MFA credentials recently or asked for help in doing so.\n- If the user is unaware of the MFA reset, incident response may be required immediately to prevent further compromise.\n\n### False positive analysis:\n- A Windows administrator may have triggered a low-fidelity credential access alert during a legitimate administrative action. Following this, the administrator may have reset the MFA credentials for themselves and then logged into the Okta console for AD directory services integration management.\n\n### Response and remediation:\n- If confirmed that the user did not intentionally have their MFA factor reset, deactivate the user account.\n- After deactivation, reset the user's password and MFA factor to regain control of the account.\n - Ensure that all user sessions are stopped during this process.\n- Immediately reset the user's AD password as well if Okta does not sync back to AD.\n- Forensic analysis on the user's endpoint may be required to determine the root cause of the compromise and identify the scope of the compromise.\n- Review Okta system logs to identify any other suspicious activity associated with the user account, such as creation of a backup account.\n- With the device ID captured from the MFA factor reset, search across all Okta logs for any other activity associated with the device ID.\n\n## Setup",
+ "query": "sequence by 
user.name with maxspan=12h\n [any where host.os.type == \"windows\" and signal.rule.threat.tactic.name == \"Credential Access\"]\n [any where event.dataset == \"okta.system\" and okta.event_type == \"user.mfa.factor.update\"]\n [any where event.dataset == \"okta.system\" and okta.event_type: (\"user.session.start\", \"user.authentication*\")]\n",
+ "references": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "okta.event_type",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "signal.rule.threat.tactic.name",
+ "type": "unknown"
+ },
+ {
+ "ecs": true,
+ "name": "user.name",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "5610b192-7f18-11ee-825b-f661ea17fbcd",
+ "setup": "The Okta and Elastic Defend fleet integration structured data is required to be compatible with this rule. 
Directory services integration in Okta with AD synced is also required for this rule to be effective as it relies on triaging `user.name` from Okta and Elastic Defend events.",
+ "severity": "high",
+ "tags": [
+ "Tactic: Persistence",
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Data Source: Elastic Defend",
+ "Rule Type: Higher-Order Rule",
+ "Domain: Endpoint",
+ "Domain: Cloud"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1556",
+ "name": "Modify Authentication Process",
+ "reference": "https://attack.mitre.org/techniques/T1556/",
+ "subtechnique": [
+ {
+ "id": "T1556.006",
+ "name": "Multi-Factor Authentication",
+ "reference": "https://attack.mitre.org/techniques/T1556/006/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 104
+ },
+ "id": "5610b192-7f18-11ee-825b-f661ea17fbcd_104",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5610b192-7f18-11ee-825b-f661ea17fbcd_2.json b/packages/security_detection_engine/kibana/security_rule/5610b192-7f18-11ee-825b-f661ea17fbcd_2.json
deleted file mode 100644
index 0f1353455cf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5610b192-7f18-11ee-825b-f661ea17fbcd_2.json
+++ /dev/null
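Review bot: The final sequence step of the added query, `okta.event_type: ("user.session.start", "user.authentication*")`, places no condition on the authentication outcome, so a failed login attempt following the `user.mfa.factor.update` event completes the sequence exactly as a successful one does, which is broader than the rule name and the `"risk_score": 73` / `"severity": "high"` imply. If the intent is to alert only when the credentials actually gained access, consider constraining that step on the Okta outcome field (the Okta integration exposes it as `okta.outcome.result`); if matching failed attempts is deliberate, say so in the note's false-positive analysis so triage expectations are set. Separately, the `required_fields` entry for `signal.rule.threat.tactic.name` is declared with `"type": "unknown"`, which suggests the field type could not be resolved against the alert index at build time; it is worth confirming that alert documents in `.alerts-security.*` still populate the legacy `signal.*` path this step keys on rather than only the `kibana.alert.rule.*` equivalents, since the first sequence step silently matches nothing otherwise.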
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects a sequence of suspicious activities on Windows hosts indicative of credential compromise, followed by efforts to undermine multi-factor authentication (MFA) and single sign-on (SSO) mechanisms for an Okta user account.", "false_positives": ["A Windows administrator may have triggered a low-fidelity credential access alert during a legitimate administrative action. Following this, the administrator may have reset the MFA credentials for themselves and then logged into the Okta console for AD directory services integration management."], "from": "now-12h", "index": ["filebeat-*", "logs-okta*", ".alerts-security.*", "logs-endpoint.events.*"], "interval": "6h", "language": "eql", "license": "Elastic License v2", "name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", "note": "## Triage and analysis\n\n### Investigating Stolen Credentials Used to Login to Okta Account After MFA Reset\n\nThis rule detects a sequence of suspicious activities on Windows hosts indicative of credential compromise, followed by efforts to undermine multi-factor authentication (MFA) and single sign-on (SSO) mechanisms for an Okta user account.\n\nTypically, adversaries initially extract credentials from targeted endpoints through various means. Subsequently, leveraging social engineering, they may seek to reset the MFA credentials associated with an Okta account, especially in scenarios where Active Directory (AD) services are integrated with Okta. Successfully resetting MFA allows the unauthorized use of stolen credentials to gain access to the compromised Okta account. The attacker can then register their own device for MFA, paving the way for unfettered access to the user's Okta account and any associated SaaS applications. 
This is particularly alarming if the compromised account has administrative rights, as it could lead to widespread access to organizational resources and configurations.\n\n#### Possible investigation steps:\n- Identify the user account associated with the Okta login attempt by examining the `user.name` field.\n- Identify the endpoint for the Credential Access alert for this user by examining the `host.name` and `host.id` fields from the alert document.\n- Cross-examine the Okta user and endpoint user to confirm that they are the same person.\n- Reach out to the user to confirm if they have intentionally reset their MFA credentials recently or asked for help in doing so.\n- If the user is unaware of the MFA reset, incident response may be required immediately to prevent further compromise.\n\n### False positive analysis:\n- A Windows administrator may have triggered a low-fidelity credential access alert during a legitimate administrative action. Following this, the administrator may have reset the MFA credentials for themselves and then logged into the Okta console for AD directory services integration management.\n\n### Response and remediation:\n- If confirmed that the user did not intentionally have their MFA factor reset, deactivate the user account.\n- After deactivation, reset the user's password and MFA factor to regain control of the account.\n - Ensure that all user sessions are stopped during this process.\n- Immediately reset the user's AD password as well if Okta does not sync back to AD.\n- Forensic analysis on the user's endpoint may be required to determine the root cause of the compromise and identify the scope of the compromise.\n- Review Okta system logs to identify any other suspicious activity associated with the user account, such as creation of a backup account.\n- With the device ID captured from the MFA factor reset, search across all Okta logs for any other activity associated with the device ID.\n\n## Setup", "query": "sequence by 
user.name with maxspan=12h\n [any where host.os.type == \"windows\" and signal.rule.threat.tactic.name == \"Credential Access\"]\n [any where event.dataset == \"okta.system\" and okta.event_type == \"user.mfa.factor.update\"]\n [any where event.dataset == \"okta.system\" and okta.event_type: (\"user.session.start\", \"user.authentication*\")]\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}, {"ecs": false, "name": "signal.rule.threat.tactic.name", "type": "unknown"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": "5610b192-7f18-11ee-825b-f661ea17fbcd", "setup": "The Okta and Elastic Defend fleet integration structured data is required to be compatible with this rule. 
Directory services integration in Okta with AD synced is also required for this rule to be effective as it relies on triaging `user.name` from Okta and Elastic Defend events.", "severity": "high", "tags": ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta", "Data Source: Elastic Defend", "Rule Type: Higher-Order Rule", "Domain: Endpoint", "Domain: Cloud"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/", "subtechnique": [{"id": "T1556.006", "name": "Multi-Factor Authentication", "reference": "https://attack.mitre.org/techniques/T1556/006/"}]}]}], "type": "eql", "version": 2}, "id": "5610b192-7f18-11ee-825b-f661ea17fbcd_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5610b192-7f18-11ee-825b-f661ea17fbcd_4.json b/packages/security_detection_engine/kibana/security_rule/5610b192-7f18-11ee-825b-f661ea17fbcd_4.json
deleted file mode 100644
index 9195e1991d7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5610b192-7f18-11ee-825b-f661ea17fbcd_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects a sequence of suspicious activities on Windows hosts indicative of credential compromise, followed by efforts to undermine multi-factor authentication (MFA) and single sign-on (SSO) mechanisms for an Okta user account.", "false_positives": ["A Windows administrator may have triggered a low-fidelity credential access alert during a legitimate administrative action. Following this, the administrator may have reset the MFA credentials for themselves and then logged into the Okta console for AD directory services integration management."], "from": "now-12h", "index": ["filebeat-*", "logs-okta*", ".alerts-security.*", "logs-endpoint.events.*"], "interval": "6h", "language": "eql", "license": "Elastic License v2", "name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", "note": "## Triage and analysis\n\n### Investigating Stolen Credentials Used to Login to Okta Account After MFA Reset\n\nThis rule detects a sequence of suspicious activities on Windows hosts indicative of credential compromise, followed by efforts to undermine multi-factor authentication (MFA) and single sign-on (SSO) mechanisms for an Okta user account.\n\nTypically, adversaries initially extract credentials from targeted endpoints through various means. Subsequently, leveraging social engineering, they may seek to reset the MFA credentials associated with an Okta account, especially in scenarios where Active Directory (AD) services are integrated with Okta. Successfully resetting MFA allows the unauthorized use of stolen credentials to gain access to the compromised Okta account. The attacker can then register their own device for MFA, paving the way for unfettered access to the user's Okta account and any associated SaaS applications. 
This is particularly alarming if the compromised account has administrative rights, as it could lead to widespread access to organizational resources and configurations.\n\n#### Possible investigation steps:\n- Identify the user account associated with the Okta login attempt by examining the `user.name` field.\n- Identify the endpoint for the Credential Access alert for this user by examining the `host.name` and `host.id` fields from the alert document.\n- Cross-examine the Okta user and endpoint user to confirm that they are the same person.\n- Reach out to the user to confirm if they have intentionally reset their MFA credentials recently or asked for help in doing so.\n- If the user is unaware of the MFA reset, incident response may be required immediately to prevent further compromise.\n\n### False positive analysis:\n- A Windows administrator may have triggered a low-fidelity credential access alert during a legitimate administrative action. Following this, the administrator may have reset the MFA credentials for themselves and then logged into the Okta console for AD directory services integration management.\n\n### Response and remediation:\n- If confirmed that the user did not intentionally have their MFA factor reset, deactivate the user account.\n- After deactivation, reset the user's password and MFA factor to regain control of the account.\n - Ensure that all user sessions are stopped during this process.\n- Immediately reset the user's AD password as well if Okta does not sync back to AD.\n- Forensic analysis on the user's endpoint may be required to determine the root cause of the compromise and identify the scope of the compromise.\n- Review Okta system logs to identify any other suspicious activity associated with the user account, such as creation of a backup account.\n- With the device ID captured from the MFA factor reset, search across all Okta logs for any other activity associated with the device ID.\n\n## Setup", "query": "sequence by 
user.name with maxspan=12h\n [any where host.os.type == \"windows\" and signal.rule.threat.tactic.name == \"Credential Access\"]\n [any where event.dataset == \"okta.system\" and okta.event_type == \"user.mfa.factor.update\"]\n [any where event.dataset == \"okta.system\" and okta.event_type: (\"user.session.start\", \"user.authentication*\")]\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}, {"ecs": false, "name": "signal.rule.threat.tactic.name", "type": "unknown"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": "5610b192-7f18-11ee-825b-f661ea17fbcd", "setup": "The Okta and Elastic Defend fleet integration structured data is required to be compatible with this rule. 
Directory services integration in Okta with AD synced is also required for this rule to be effective as it relies on triaging `user.name` from Okta and Elastic Defend events.", "severity": "high", "tags": ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta", "Data Source: Elastic Defend", "Rule Type: Higher-Order Rule", "Domain: Endpoint", "Domain: Cloud"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/", "subtechnique": [{"id": "T1556.006", "name": "Multi-Factor Authentication", "reference": "https://attack.mitre.org/techniques/T1556/006/"}]}]}], "type": "eql", "version": 4}, "id": "5610b192-7f18-11ee-825b-f661ea17fbcd_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3.json b/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3.json
deleted file mode 100644
index 51f35c16d41..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.", "index": ["winlogbeat-*", "logs-windows.*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", "query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\" and host.os.type:windows\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}], "risk_score": 21, "rule_id": "56557cde-d923-4b88-adee-c61b3f3b5dc3", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Use Case: Vulnerability", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.002", "name": "Code Signing", "reference": "https://attack.mitre.org/techniques/T1553/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "56557cde-d923-4b88-adee-c61b3f3b5dc3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_102.json b/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_102.json
deleted file mode 100644
index a24048457dd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", "query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\" and host.os.type:windows\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}], "risk_score": 21, "rule_id": "56557cde-d923-4b88-adee-c61b3f3b5dc3", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.002", "name": "Code Signing", "reference": "https://attack.mitre.org/techniques/T1553/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "56557cde-d923-4b88-adee-c61b3f3b5dc3_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_103.json b/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_103.json
deleted file mode 100644
index 70ab3f5e29b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", "query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\" and host.os.type:windows\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}], "risk_score": 21, "rule_id": "56557cde-d923-4b88-adee-c61b3f3b5dc3", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.002", "name": "Code Signing", "reference": "https://attack.mitre.org/techniques/T1553/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "56557cde-d923-4b88-adee-c61b3f3b5dc3_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_104.json b/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_104.json
deleted file mode 100644
index d8767b4ddf6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.", "index": ["winlogbeat-*", "logs-windows.*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", "query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\" and host.os.type:windows\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}], "risk_score": 21, "rule_id": "56557cde-d923-4b88-adee-c61b3f3b5dc3", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.002", "name": "Code Signing", "reference": "https://attack.mitre.org/techniques/T1553/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "56557cde-d923-4b88-adee-c61b3f3b5dc3_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_105.json b/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_105.json
deleted file mode 100644
index 7d48a254baa..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.", "index": ["winlogbeat-*", "logs-windows.*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", "query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\" and host.os.type:windows\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}], "risk_score": 21, "rule_id": "56557cde-d923-4b88-adee-c61b3f3b5dc3", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Use Case: Vulnerability", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.002", "name": "Code Signing", "reference": "https://attack.mitre.org/techniques/T1553/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "56557cde-d923-4b88-adee-c61b3f3b5dc3_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_106.json b/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_106.json
deleted file mode 100644
index f0dcaf35d34..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/56557cde-d923-4b88-adee-c61b3f3b5dc3_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source.", "index": ["winlogbeat-*", "logs-windows.*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)", "query": "event.provider:\"Microsoft-Windows-Audit-CVE\" and message:\"[CVE-2020-0601]\" and host.os.type:windows\n", "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}], "risk_score": 21, "rule_id": "56557cde-d923-4b88-adee-c61b3f3b5dc3", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Use Case: Vulnerability", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.002", "name": "Code Signing", "reference": "https://attack.mitre.org/techniques/T1553/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "56557cde-d923-4b88-adee-c61b3f3b5dc3_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e.json b/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e.json
deleted file mode 100644
index a4f15b22cef..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege escalation activity.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Admin Group Account Addition", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:(dscl or dseditgroup) and process.args:((\"/Groups/admin\" or admin) and (\"-a\" or \"-append\")) and\n not process.Ext.effective_parent.executable : (\"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon\" or\n \"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService\" or\n \"/opt/jc/bin/jumpcloud-agent\" or\n \"/Library/Addigy/go-agent\")\n", "references": ["https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "565c2b44-7a21-4818-955f-8d4737967d2e", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "565c2b44-7a21-4818-955f-8d4737967d2e", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_102.json b/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_102.json
deleted file mode 100644
index 712133511fd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege escalation activity.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Admin Group Account Addition", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:(dscl or dseditgroup) and process.args:((\"/Groups/admin\" or admin) and (\"-a\" or \"-append\"))\n", "references": ["https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "565c2b44-7a21-4818-955f-8d4737967d2e", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "565c2b44-7a21-4818-955f-8d4737967d2e_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_103.json b/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_103.json
deleted file mode 100644
index 689f2f97ffa..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege escalation activity.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Admin Group Account Addition", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:(dscl or dseditgroup) and process.args:((\"/Groups/admin\" or admin) and (\"-a\" or \"-append\"))\n", "references": ["https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "565c2b44-7a21-4818-955f-8d4737967d2e", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "565c2b44-7a21-4818-955f-8d4737967d2e_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_104.json b/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_104.json
deleted file mode 100644
index 093932f8b0f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege escalation activity.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Admin Group Account Addition", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:(dscl or dseditgroup) and process.args:((\"/Groups/admin\" or admin) and (\"-a\" or \"-append\"))\n", "references": ["https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "565c2b44-7a21-4818-955f-8d4737967d2e", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "565c2b44-7a21-4818-955f-8d4737967d2e_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_105.json b/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_105.json
deleted file mode 100644
index eed5713fc8d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege escalation activity.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Admin Group Account Addition", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:(dscl or dseditgroup) and process.args:((\"/Groups/admin\" or admin) and (\"-a\" or \"-append\"))\n", "references": ["https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "565c2b44-7a21-4818-955f-8d4737967d2e", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "565c2b44-7a21-4818-955f-8d4737967d2e_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_106.json b/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_106.json deleted file mode 100644 index 6a93ddc1eaf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/565c2b44-7a21-4818-955f-8d4737967d2e_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege escalation activity.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Admin Group Account Addition", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:(dscl or dseditgroup) and process.args:((\"/Groups/admin\" or admin) and (\"-a\" or \"-append\"))\n", "references": ["https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "565c2b44-7a21-4818-955f-8d4737967d2e", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "565c2b44-7a21-4818-955f-8d4737967d2e_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c.json b/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c.json deleted file mode 100644 index 275e1d1d6cf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Dumping of Keychain Content via Security Command", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.args : \"dump-keychain\" and process.args : \"-d\"\n", "references": ["https://ss64.com/osx/security.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "565d6ca5-75ba-4c82-9b13-add25353471c", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.001", "name": "Keychain", "reference": "https://attack.mitre.org/techniques/T1555/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "565d6ca5-75ba-4c82-9b13-add25353471c", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_102.json b/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_102.json deleted file mode 100644 index 5c37a795555..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Dumping of Keychain Content via Security Command", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.args : \"dump-keychain\" and process.args : \"-d\"\n", "references": ["https://ss64.com/osx/security.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "565d6ca5-75ba-4c82-9b13-add25353471c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.001", "name": "Keychain", "reference": "https://attack.mitre.org/techniques/T1555/001/"}]}]}], "timestamp_override": "event.ingested", "type": 
"eql", "version": 102}, "id": "565d6ca5-75ba-4c82-9b13-add25353471c_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_103.json b/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_103.json
deleted file mode 100644
index f924deda8df..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Dumping of Keychain Content via Security Command", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.args : \"dump-keychain\" and process.args : \"-d\"\n", "references": ["https://ss64.com/osx/security.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "565d6ca5-75ba-4c82-9b13-add25353471c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.001", "name": "Keychain", "reference": "https://attack.mitre.org/techniques/T1555/001/"}]}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 103}, "id": "565d6ca5-75ba-4c82-9b13-add25353471c_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_104.json b/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_104.json
deleted file mode 100644
index ecf0f57f7eb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Dumping of Keychain Content via Security Command", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.args : \"dump-keychain\" and process.args : \"-d\"\n", "references": ["https://ss64.com/osx/security.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "565d6ca5-75ba-4c82-9b13-add25353471c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.001", "name": "Keychain", "reference": 
"https://attack.mitre.org/techniques/T1555/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "565d6ca5-75ba-4c82-9b13-add25353471c_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_105.json b/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_105.json
deleted file mode 100644
index 9abe7c72cd5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Dumping of Keychain Content via Security Command", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.args : \"dump-keychain\" and process.args : \"-d\"\n", "references": ["https://ss64.com/osx/security.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "565d6ca5-75ba-4c82-9b13-add25353471c", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": 
"https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.001", "name": "Keychain", "reference": "https://attack.mitre.org/techniques/T1555/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "565d6ca5-75ba-4c82-9b13-add25353471c_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_106.json b/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_106.json
deleted file mode 100644
index 23070a0e735..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/565d6ca5-75ba-4c82-9b13-add25353471c_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Dumping of Keychain Content via Security Command", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.args : \"dump-keychain\" and process.args : \"-d\"\n", "references": ["https://ss64.com/osx/security.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "565d6ca5-75ba-4c82-9b13-add25353471c", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.001", "name": "Keychain", "reference": "https://attack.mitre.org/techniques/T1555/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "565d6ca5-75ba-4c82-9b13-add25353471c_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e.json b/packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e.json deleted file mode 100644 index b3d8b3bb85d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during that time. To stop routing logs to a deleted bucket, you can delete the log sinks that have the bucket as their destination, or modify the filter for the sinks to stop it from routing logs to the deleted bucket. An adversary may delete a log bucket to evade detection.", "false_positives": ["Logging bucket deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging bucket deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Logging Bucket Deletion", "note": "", "query": "event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success\n", "references": ["https://cloud.google.com/logging/docs/buckets", "https://cloud.google.com/logging/docs/storage"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "5663b693-0dea-4f2e-8275-f1ae5ff2de8e", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Defense Evasion"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "5663b693-0dea-4f2e-8275-f1ae5ff2de8e", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e_103.json b/packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e_103.json deleted file mode 100644 index 8a3caa8675d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5663b693-0dea-4f2e-8275-f1ae5ff2de8e_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a Logging bucket deletion in Google Cloud Platform (GCP). Log buckets are containers that store and organize log data. A deleted bucket stays in a pending state for 7 days, and Logging continues to route logs to the bucket during that time. To stop routing logs to a deleted bucket, you can delete the log sinks that have the bucket as their destination, or modify the filter for the sinks to stop it from routing logs to the deleted bucket. An adversary may delete a log bucket to evade detection.", "false_positives": ["Logging bucket deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Logging bucket deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Logging Bucket Deletion", "note": "", "query": "event.dataset:gcp.audit and event.action:google.logging.v*.ConfigServiceV*.DeleteBucket and event.outcome:success\n", "references": ["https://cloud.google.com/logging/docs/buckets", "https://cloud.google.com/logging/docs/storage"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "5663b693-0dea-4f2e-8275-f1ae5ff2de8e", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Log Auditing"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "5663b693-0dea-4f2e-8275-f1ae5ff2de8e_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe.json b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe.json deleted file mode 100644 index cf664cea835..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions.", "false_positives": ["Legitimate PowerShell scripts that make use of PSReflect to access the win32 API"], "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\ProgramData\\\\MaaS360\\\\Cloud Extender\\\\AR\\\\Scripts\\\\ASModuleCommon.ps1"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell PSReflect Script", "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, 
user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"New-InMemoryModule\" or\n \"Add-Win32Type\" or\n psenum or\n DefineDynamicAssembly or\n DefineDynamicModule or\n \"Reflection.TypeAttributes\" or\n \"Reflection.Emit.OpCodes\" or\n \"Reflection.Emit.CustomAttributeBuilder\" or\n \"Runtime.InteropServices.DllImportAttribute\"\n ) and\n not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 211}, "id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_105.json b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_105.json deleted file mode 100644 index 08b506affe6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions.", "false_positives": ["Legitimate PowerShell scripts that make use of PSReflect to access the win32 API"], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell PSReflect Script", "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. 
The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"New-InMemoryModule\" or\n \"Add-Win32Type\" or\n psenum or\n DefineDynamicAssembly or\n DefineDynamicModule or\n \"Reflection.TypeAttributes\" or\n \"Reflection.Emit.OpCodes\" or\n \"Reflection.Emit.CustomAttributeBuilder\" or\n \"Runtime.InteropServices.DllImportAttribute\"\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe", "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", 
"Threat Detection", "Execution", "Investigation Guide", "PowerShell"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_106.json b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_106.json deleted file mode 100644 index fc9e2bdc97d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions.", "false_positives": ["Legitimate PowerShell scripts that make use of PSReflect to access the win32 API"], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell PSReflect Script", "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. 
The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' 
OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network 
rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"New-InMemoryModule\" or\n \"Add-Win32Type\" or\n psenum or\n DefineDynamicAssembly or\n DefineDynamicModule or\n \"Reflection.TypeAttributes\" or\n \"Reflection.Emit.OpCodes\" or\n \"Reflection.Emit.CustomAttributeBuilder\" or\n \"Runtime.InteropServices.DllImportAttribute\"\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe", "setup": "The 'PowerShell 
Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "PowerShell"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_107.json b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_107.json deleted file mode 100644 index 446b057b93b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions.", "false_positives": ["Legitimate PowerShell scripts that make use of PSReflect to access the win32 API"], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell PSReflect Script", "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. 
The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' 
OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network 
rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"New-InMemoryModule\" or\n \"Add-Win32Type\" or\n psenum or\n DefineDynamicAssembly or\n DefineDynamicModule or\n \"Reflection.TypeAttributes\" or\n \"Reflection.Emit.OpCodes\" or\n \"Reflection.Emit.CustomAttributeBuilder\" or\n \"Runtime.InteropServices.DllImportAttribute\"\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe", "setup": "The 'PowerShell 
Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_108.json b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_108.json deleted file mode 100644 index deb7f127d03..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions.", "false_positives": ["Legitimate PowerShell scripts that make use of PSReflect to access the win32 API"], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell PSReflect Script", "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. 
The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' 
OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network 
rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"New-InMemoryModule\" or\n \"Add-Win32Type\" or\n psenum or\n DefineDynamicAssembly or\n DefineDynamicModule or\n \"Reflection.TypeAttributes\" or\n \"Reflection.Emit.OpCodes\" or\n \"Reflection.Emit.CustomAttributeBuilder\" or\n \"Runtime.InteropServices.DllImportAttribute\"\n ) and\n not user.id : \"S-1-5-18\" and\n not file.path : ?\\:\\\\\\\\ProgramData\\\\\\\\MaaS360\\\\\\\\Cloud?Extender\\\\\\\\AR\\\\\\\\Scripts\\\\\\\\ASModuleCommon.ps1*\n", "references": ["https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": 
"powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe", "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_109.json b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_109.json deleted file mode 100644 index f685475144e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions.", "false_positives": ["Legitimate PowerShell scripts that make use of PSReflect to access the win32 API"], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell PSReflect Script", "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. 
The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' 
OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network 
rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"New-InMemoryModule\" or\n \"Add-Win32Type\" or\n psenum or\n DefineDynamicAssembly or\n DefineDynamicModule or\n \"Reflection.TypeAttributes\" or\n \"Reflection.Emit.OpCodes\" or\n \"Reflection.Emit.CustomAttributeBuilder\" or\n \"Runtime.InteropServices.DllImportAttribute\"\n ) and\n not user.id : \"S-1-5-18\" and\n not file.path : ?\\:\\\\\\\\ProgramData\\\\\\\\MaaS360\\\\\\\\Cloud?Extender\\\\\\\\AR\\\\\\\\Scripts\\\\\\\\ASModuleCommon.ps1*\n", "references": ["https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": 
"powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe", "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 109}, "id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_110.json b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_110.json deleted file mode 100644 index ff96dd41252..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions.", "false_positives": ["Legitimate PowerShell scripts that make use of PSReflect to access the win32 API"], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell PSReflect Script", "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. 
The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' 
OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network 
rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"New-InMemoryModule\" or\n \"Add-Win32Type\" or\n psenum or\n DefineDynamicAssembly or\n DefineDynamicModule or\n \"Reflection.TypeAttributes\" or\n \"Reflection.Emit.OpCodes\" or\n \"Reflection.Emit.CustomAttributeBuilder\" or\n \"Runtime.InteropServices.DllImportAttribute\"\n ) and\n not user.id : \"S-1-5-18\" and\n not file.path : ?\\:\\\\\\\\ProgramData\\\\\\\\MaaS360\\\\\\\\Cloud?Extender\\\\\\\\AR\\\\\\\\Scripts\\\\\\\\ASModuleCommon.ps1*\n", "references": ["https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": 
"powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 110}, "id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_210.json b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_210.json deleted file mode 100644 index d486aca4bef..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_210.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions.", "false_positives": ["Legitimate PowerShell scripts that make use of PSReflect to access the win32 API"], "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\ProgramData\\\\MaaS360\\\\Cloud Extender\\\\AR\\\\Scripts\\\\ASModuleCommon.ps1"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell PSReflect Script", "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, 
user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"New-InMemoryModule\" or\n \"Add-Win32Type\" or\n psenum or\n DefineDynamicAssembly or\n DefineDynamicModule or\n \"Reflection.TypeAttributes\" or\n \"Reflection.Emit.OpCodes\" or\n \"Reflection.Emit.CustomAttributeBuilder\" or\n \"Runtime.InteropServices.DllImportAttribute\"\n ) and\n not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: 
Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 210}, "id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_210", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_211.json b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_211.json deleted file mode 100644 index dfa05c6ba5c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_211.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions.", "false_positives": ["Legitimate PowerShell scripts that make use of PSReflect to access the win32 API"], "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\ProgramData\\\\MaaS360\\\\Cloud Extender\\\\AR\\\\Scripts\\\\ASModuleCommon.ps1"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell PSReflect Script", "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, 
user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"New-InMemoryModule\" or\n \"Add-Win32Type\" or\n psenum or\n DefineDynamicAssembly or\n DefineDynamicModule or\n \"Reflection.TypeAttributes\" or\n \"Reflection.Emit.OpCodes\" or\n \"Reflection.Emit.CustomAttributeBuilder\" or\n \"Runtime.InteropServices.DllImportAttribute\"\n ) and\n not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 211}, "id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_211", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_212.json b/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_212.json deleted file mode 100644 index 595987b07d9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_212.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of PSReflect in PowerShell scripts. Attackers leverage PSReflect as a library that enables PowerShell to access win32 API functions.", "false_positives": ["Legitimate PowerShell scripts that make use of PSReflect to access the win32 API"], "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\ProgramData\\\\MaaS360\\\\Cloud Extender\\\\AR\\\\Scripts\\\\ASModuleCommon.ps1"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell PSReflect Script", "note": "## Triage and analysis\n\n### Investigating PowerShell PSReflect Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nPSReflect is a library that enables PowerShell to access win32 API functions in an uncomplicated way. It also helps to create enums and structs easily\u2014all without touching the disk.\n\nAlthough this is an interesting project for every developer and admin out there, it is mainly used in the red team and malware tooling for its capabilities.\n\nDetecting the core implementation of PSReflect means detecting most of the tooling that uses Windows API through PowerShell, enabling defenders to discover tools being dropped in the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics. The script content that may be split into multiple script blocks (you can use the field `powershell.file.script_block_id` for filtering).\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, 
user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text:(\n \"New-InMemoryModule\" or\n \"Add-Win32Type\" or\n psenum or\n DefineDynamicAssembly or\n DefineDynamicModule or\n \"Reflection.TypeAttributes\" or\n \"Reflection.Emit.OpCodes\" or\n \"Reflection.Emit.CustomAttributeBuilder\" or\n \"Runtime.InteropServices.DllImportAttribute\"\n ) and\n not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/mattifestation/PSReflect/blob/master/PSReflect.psm1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 212}, "id": "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe_212", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404.json b/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404.json deleted file mode 100644 index abbe573602c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of unsigned executables via service control manager (SCM). Adversaries may abuse SCM to execute malware or escalate privileges.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.process-*"], "language": "kuery", "license": "Elastic License v2", "name": "Execution of an Unsigned Service", "new_terms_fields": ["host.id", "process.executable", "user.id"], "query": "host.os.type:windows and event.category:process and event.type:start and \nprocess.parent.executable:\"C:\\\\Windows\\\\System32\\\\services.exe\" and \n(process.code_signature.exists:false or process.code_signature.trusted:false) and\nnot process.code_signature.status : (errorCode_endpoint* or \"errorChaining\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "56fdfcf1-ca7c-4fd9-951d-e215ee26e404", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": 
"Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 105}, "id": "56fdfcf1-ca7c-4fd9-951d-e215ee26e404", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_1.json b/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_1.json
deleted file mode 100644
index e923122301d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of unsigned executables via service control manager (SCM). Adversaries may abuse SCM to execute malware or escalate privileges.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Execution of an Unsigned Service", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n( \n (\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\services.exe\" and\n (process.code_signature.exists == false or process.code_signature.trusted == false)\n )\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "56fdfcf1-ca7c-4fd9-951d-e215ee26e404", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "56fdfcf1-ca7c-4fd9-951d-e215ee26e404_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_102.json b/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_102.json
deleted file mode 100644
index 07dd3815581..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of unsigned executables via service control manager (SCM). Adversaries may abuse SCM to execute malware or escalate privileges.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Execution of an Unsigned Service", "new_terms_fields": ["host.id", "process.executable", "user.id"], "query": "host.os.type:windows and event.category:process and event.type:start and \nprocess.parent.executable:\"C:\\\\Windows\\\\System32\\\\services.exe\" and \n(process.code_signature.exists:false or process.code_signature.trusted:false)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "56fdfcf1-ca7c-4fd9-951d-e215ee26e404", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 102}, "id": 
"56fdfcf1-ca7c-4fd9-951d-e215ee26e404_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_103.json b/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_103.json
deleted file mode 100644
index 7456b0dcfb8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of unsigned executables via service control manager (SCM). Adversaries may abuse SCM to execute malware or escalate privileges.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Execution of an Unsigned Service", "new_terms_fields": ["host.id", "process.executable", "user.id"], "query": "host.os.type:windows and event.category:process and event.type:start and \nprocess.parent.executable:\"C:\\\\Windows\\\\System32\\\\services.exe\" and \n(process.code_signature.exists:false or process.code_signature.trusted:false)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "56fdfcf1-ca7c-4fd9-951d-e215ee26e404", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", 
"reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 103}, "id": "56fdfcf1-ca7c-4fd9-951d-e215ee26e404_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_104.json b/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_104.json
deleted file mode 100644
index bdf19e6368d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of unsigned executables via service control manager (SCM). Adversaries may abuse SCM to execute malware or escalate privileges.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Execution of an Unsigned Service", "new_terms_fields": ["host.id", "process.executable", "user.id"], "query": "host.os.type:windows and event.category:process and event.type:start and \nprocess.parent.executable:\"C:\\\\Windows\\\\System32\\\\services.exe\" and \n(process.code_signature.exists:false or process.code_signature.trusted:false) and\nnot process.code_signature.status : (errorCode_endpoint* or \"errorChaining\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "56fdfcf1-ca7c-4fd9-951d-e215ee26e404", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service 
Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 104}, "id": "56fdfcf1-ca7c-4fd9-951d-e215ee26e404_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_2.json b/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_2.json
deleted file mode 100644
index cd9b3d41170..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/56fdfcf1-ca7c-4fd9-951d-e215ee26e404_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of unsigned executables via service control manager (SCM). Adversaries may abuse SCM to execute malware or escalate privileges.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Execution of an Unsigned Service", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n( \n (\n process.parent.executable : \"C:\\\\Windows\\\\System32\\\\services.exe\" and\n (process.code_signature.exists == false or process.code_signature.trusted == false)\n )\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "56fdfcf1-ca7c-4fd9-951d-e215ee26e404", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "56fdfcf1-ca7c-4fd9-951d-e215ee26e404_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8.json b/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8.json
deleted file mode 100644
index fa864831cc2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", "false_positives": ["VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."], "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "VNC (Virtual Network Computing) from the Internet", "query": "(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], 
"related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 73, "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8", "severity": "high", "tags": ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "5700cb81-df44-46aa-a5d7-337798f53eb8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_101.json b/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_101.json deleted file mode 100644 index bfae7599adf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", "false_positives": ["VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."], "from": "now-9m", "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "VNC (Virtual Network Computing) from the Internet", "query": "event.category:(network or network_traffic) and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": 
"endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 73, "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8", "severity": "high", "tags": ["Elastic", "Host", "Network", "Threat Detection", "Command and Control", "Host"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "5700cb81-df44-46aa-a5d7-337798f53eb8_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_102.json b/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_102.json deleted file mode 100644 index 1ea653644dd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", "false_positives": ["VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."], "from": "now-9m", "index": ["packetbeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "VNC (Virtual Network Computing) from the Internet", "query": "event.dataset: network_traffic.flow and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], 
"required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 73, "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8", "severity": "high", "tags": ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "5700cb81-df44-46aa-a5d7-337798f53eb8_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_103.json b/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_103.json deleted file mode 100644 index 1bd7b6eb8ce..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", "false_positives": ["VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."], "from": "now-9m", "index": ["packetbeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "VNC (Virtual Network Computing) from the Internet", "query": "event.dataset: network_traffic.flow and network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], 
"required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 73, "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8", "severity": "high", "tags": ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "5700cb81-df44-46aa-a5d7-337798f53eb8_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_104.json b/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_104.json deleted file mode 100644 index e9e8658fa00..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5700cb81-df44-46aa-a5d7-337798f53eb8_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of VNC traffic from the Internet. VNC is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", "false_positives": ["VNC connections may be received directly to Linux cloud server instances but such connections are usually made only by engineers. VNC is less common than SSH or RDP but may be required by some work-flows such as remote access and support for specialized software products or servers. Such work-flows are usually known and not unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious."], "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "VNC (Virtual Network Computing) from the Internet", "query": "(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and destination.port >= 5800 and destination.port <= 5810 and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], 
"related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 73, "rule_id": "5700cb81-df44-46aa-a5d7-337798f53eb8", "severity": "high", "tags": ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "5700cb81-df44-46aa-a5d7-337798f53eb8_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e.json b/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e.json deleted file mode 100644 index b4af5942b09..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Credential Dumping - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 73, "rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e", "setup": "## Setup\n\nThis rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.\n\n**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. 
For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.\n\nTo make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.\n\n**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.", "severity": "high", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "571afc56-5ed9-465d-a2a9-045f099f6e7e", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e_100.json b/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e_100.json deleted file mode 100644 index 2703feb6bdb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e_100.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Credential Dumping - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 73, "rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e", "severity": "high", "tags": ["Elastic", "Elastic Endgame", "Threat Detection", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "type": "query", "version": 100}, "id": "571afc56-5ed9-465d-a2a9-045f099f6e7e_100", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e_101.json b/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e_101.json deleted file mode 100644 index e4d7fd79d3d..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e_101.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Credential Dumping - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 73, "rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e", "severity": "high", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "type": "query", "version": 101}, "id": "571afc56-5ed9-465d-a2a9-045f099f6e7e_101", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e_102.json b/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e_102.json
deleted file mode 100644
index 2ef8a977049..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/571afc56-5ed9-465d-a2a9-045f099f6e7e_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Credential Dumping - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 73, "rule_id": "571afc56-5ed9-465d-a2a9-045f099f6e7e", "severity": "high", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "571afc56-5ed9-465d-a2a9-045f099f6e7e_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/573f6e7a-7acf-4bcd-ad42-c4969124d3c0.json b/packages/security_detection_engine/kibana/security_rule/573f6e7a-7acf-4bcd-ad42-c4969124d3c0.json deleted file mode 100644 index a6faa859167..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/573f6e7a-7acf-4bcd-ad42-c4969124d3c0.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a virtual network device is modified or deleted. This can be a network virtual appliance, virtual hub, or virtual router.", "false_positives": ["Virtual Network Device modification or deletion may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Virtual Network Device modification or deletion by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Virtual Network Device Modified or Deleted", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(\"MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE\" or\n\"MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE\" or \"MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE\" or\n\"MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION\" or \"MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE\" or\n\"MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE\" or \"MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE\" or\n\"MICROSOFT.NETWORK/VIRTUALHUBS/DELETE\" or \"MICROSOFT.NETWORK/VIRTUALHUBS/WRITE\" or\n\"MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE\" or \"MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE\") and\nevent.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": 
"573f6e7a-7acf-4bcd-ad42-c4969124d3c0", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Network Security Monitoring", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "573f6e7a-7acf-4bcd-ad42-c4969124d3c0", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/573f6e7a-7acf-4bcd-ad42-c4969124d3c0_101.json b/packages/security_detection_engine/kibana/security_rule/573f6e7a-7acf-4bcd-ad42-c4969124d3c0_101.json deleted file mode 100644 index 3de846f7004..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/573f6e7a-7acf-4bcd-ad42-c4969124d3c0_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a virtual network device is modified or deleted. This can be a network virtual appliance, virtual hub, or virtual router.", "false_positives": ["Virtual Network Device modification or deletion may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Virtual Network Device modification or deletion by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Virtual Network Device Modified or Deleted", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(\"MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE\" or\n\"MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE\" or \"MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE\" or\n\"MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION\" or \"MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE\" or\n\"MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE\" or \"MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE\" or\n\"MICROSOFT.NETWORK/VIRTUALHUBS/DELETE\" or \"MICROSOFT.NETWORK/VIRTUALHUBS/WRITE\" or\n\"MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE\" or \"MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE\") and\nevent.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": 
"573f6e7a-7acf-4bcd-ad42-c4969124d3c0", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Network Security", "Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "573f6e7a-7acf-4bcd-ad42-c4969124d3c0_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77.json b/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77.json deleted file mode 100644 index cfd12e47468..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects PowerShell scripts capable of dumping process memory using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials.", "false_positives": ["PowerShell scripts that use this capability for troubleshooting."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell MiniDump Script", "note": "## Triage and analysis\n\n### Investigating PowerShell MiniDump Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse Process Memory Dump capabilities to extract credentials from LSASS or to obtain other privileged information stored in the process memory.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to dump process memory, making false positives unlikely.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1", "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "577ec21e-56fe-4065-91d8-45eb8224fe77", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: 
PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "577ec21e-56fe-4065-91d8-45eb8224fe77", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_105.json b/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_105.json deleted file mode 100644 index d08d569dbdf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects PowerShell scripts capable of dumping process memory using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials.", "false_positives": ["PowerShell scripts that use this capability for troubleshooting."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell MiniDump Script", "note": "## Triage and analysis\n\n### Investigating PowerShell MiniDump Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse Process Memory Dump capabilities to extract credentials from LSASS or to obtain other privileged information stored in the process memory.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to dump process memory, making false positives unlikely.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1", "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "577ec21e-56fe-4065-91d8-45eb8224fe77", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "PowerShell"], "threat": [{"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "577ec21e-56fe-4065-91d8-45eb8224fe77_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_106.json b/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_106.json deleted file mode 100644 index 62c0d3bcafd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects PowerShell scripts capable of dumping process memory using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials.", "false_positives": ["PowerShell scripts that use this capability for troubleshooting."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell MiniDump Script", "note": "## Triage and analysis\n\n### Investigating PowerShell MiniDump Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse Process Memory Dump capabilities to extract credentials from LSASS or to obtain other privileged information stored in the process memory.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to dump process memory, making false positives unlikely.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1", "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "577ec21e-56fe-4065-91d8-45eb8224fe77", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "577ec21e-56fe-4065-91d8-45eb8224fe77_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_107.json b/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_107.json deleted file mode 100644 index 2f85ffecccf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects PowerShell scripts capable of dumping process memory using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials.", "false_positives": ["PowerShell scripts that use this capability for troubleshooting."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell MiniDump Script", "note": "## Triage and analysis\n\n### Investigating PowerShell MiniDump Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse Process Memory Dump capabilities to extract credentials from LSASS or to obtain other privileged information stored in the process memory.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to dump process memory, making false positives unlikely.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1", "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "577ec21e-56fe-4065-91d8-45eb8224fe77", "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell 
Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "577ec21e-56fe-4065-91d8-45eb8224fe77_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_108.json b/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_108.json deleted file mode 100644 index baae76f4e74..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects PowerShell scripts capable of dumping process memory using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials.", "false_positives": ["PowerShell scripts that use this capability for troubleshooting."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell MiniDump Script", "note": "## Triage and analysis\n\n### Investigating PowerShell MiniDump Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse Process Memory Dump capabilities to extract credentials from LSASS or to obtain other privileged information stored in the process memory.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to dump process memory, making false positives unlikely.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1", "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "577ec21e-56fe-4065-91d8-45eb8224fe77", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: 
PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "577ec21e-56fe-4065-91d8-45eb8224fe77_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_109.json b/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_109.json deleted file mode 100644 index 09981a78b36..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/577ec21e-56fe-4065-91d8-45eb8224fe77_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects PowerShell scripts capable of dumping process memory using WindowsErrorReporting or Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials.", "false_positives": ["PowerShell scripts that use this capability for troubleshooting."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell MiniDump Script", "note": "## Triage and analysis\n\n### Investigating PowerShell MiniDump Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse Process Memory Dump capabilities to extract credentials from LSASS or to obtain other privileged information stored in the process memory.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check if the imported function was executed and which process it targeted.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to dump process memory, making false positives unlikely.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1", "https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-ProcessMiniDump.ps1", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "577ec21e-56fe-4065-91d8-45eb8224fe77", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: 
PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 109}, "id": "577ec21e-56fe-4065-91d8-45eb8224fe77_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704.json b/packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704.json deleted file mode 100644 index 9ebd7695107..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies files written to the root of the Recycle Bin folder instead of subdirectories. Adversaries may place files in the root of the Recycle Bin in preparation for exfiltration or to evade defenses.", "from": "now-119m", "index": ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "winlogbeat-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "File Staged in Root Folder of Recycle Bin", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : \"?:\\\\$RECYCLE.BIN\\\\*\" and\n not file.path : \"?:\\\\$RECYCLE.BIN\\\\*\\\\*\" and\n not file.name : \"desktop.ini\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "57bccf1d-daf5-4e1a-9049-ff79b5254704", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1074", "name": "Data Staged", "reference": "https://attack.mitre.org/techniques/T1074/", "subtechnique": [{"id": "T1074.001", "name": "Local Data Staging", "reference": "https://attack.mitre.org/techniques/T1074/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "57bccf1d-daf5-4e1a-9049-ff79b5254704", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704_1.json b/packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704_1.json
deleted file mode 100644
index 2f59aaca9b2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies files written to the root of the Recycle Bin folder instead of subdirectories. Adversaries may place files in the root of the Recycle Bin in preparation for exfiltration or to evade defenses.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "File Staged in Root Folder of Recycle Bin", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : \"?:\\\\$RECYCLE.BIN\\\\*\" and\n not file.path : \"?:\\\\$RECYCLE.BIN\\\\*\\\\*\" and\n not file.name : \"desktop.ini\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "57bccf1d-daf5-4e1a-9049-ff79b5254704", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1074", "name": "Data Staged", "reference": "https://attack.mitre.org/techniques/T1074/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "57bccf1d-daf5-4e1a-9049-ff79b5254704_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704_2.json b/packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704_2.json deleted file mode 100644 index f2a5ab9e62a..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704_2.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies files written to the root of the Recycle Bin folder instead of subdirectories. Adversaries may place files in the root of the Recycle Bin in preparation for exfiltration or to evade defenses.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "File Staged in Root Folder of Recycle Bin", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : \"?:\\\\$RECYCLE.BIN\\\\*\" and\n not file.path : \"?:\\\\$RECYCLE.BIN\\\\*\\\\*\" and\n not file.name : \"desktop.ini\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "57bccf1d-daf5-4e1a-9049-ff79b5254704", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1074", "name": "Data Staged", "reference": "https://attack.mitre.org/techniques/T1074/", "subtechnique": [{"id": "T1074.001", "name": "Local Data Staging", "reference": "https://attack.mitre.org/techniques/T1074/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "57bccf1d-daf5-4e1a-9049-ff79b5254704_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704_3.json b/packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704_3.json
deleted file mode 100644
index c97ec9a19b9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies files written to the root of the Recycle Bin folder instead of subdirectories. Adversaries may place files in the root of the Recycle Bin in preparation for exfiltration or to evade defenses.", "from": "now-119m", "index": ["logs-endpoint.events.file-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "File Staged in Root Folder of Recycle Bin", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : \"?:\\\\$RECYCLE.BIN\\\\*\" and\n not file.path : \"?:\\\\$RECYCLE.BIN\\\\*\\\\*\" and\n not file.name : \"desktop.ini\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "57bccf1d-daf5-4e1a-9049-ff79b5254704", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1074", "name": "Data Staged", "reference": "https://attack.mitre.org/techniques/T1074/", "subtechnique": [{"id": "T1074.001", "name": "Local Data Staging", "reference": "https://attack.mitre.org/techniques/T1074/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "57bccf1d-daf5-4e1a-9049-ff79b5254704_3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704_4.json b/packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704_4.json
deleted file mode 100644
index f331f7bb8cb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies files written to the root of the Recycle Bin folder instead of subdirectories. Adversaries may place files in the root of the Recycle Bin in preparation for exfiltration or to evade defenses.", "from": "now-119m", "index": ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "File Staged in Root Folder of Recycle Bin", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : \"?:\\\\$RECYCLE.BIN\\\\*\" and\n not file.path : \"?:\\\\$RECYCLE.BIN\\\\*\\\\*\" and\n not file.name : \"desktop.ini\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "57bccf1d-daf5-4e1a-9049-ff79b5254704", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1074", "name": "Data Staged", "reference": "https://attack.mitre.org/techniques/T1074/", "subtechnique": [{"id": "T1074.001", "name": "Local Data Staging", "reference": "https://attack.mitre.org/techniques/T1074/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "57bccf1d-daf5-4e1a-9049-ff79b5254704_4", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704_5.json b/packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704_5.json
deleted file mode 100644
index 8a26480c929..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/57bccf1d-daf5-4e1a-9049-ff79b5254704_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies files written to the root of the Recycle Bin folder instead of subdirectories. Adversaries may place files in the root of the Recycle Bin in preparation for exfiltration or to evade defenses.", "from": "now-119m", "index": ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "winlogbeat-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "File Staged in Root Folder of Recycle Bin", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.path : \"?:\\\\$RECYCLE.BIN\\\\*\" and\n not file.path : \"?:\\\\$RECYCLE.BIN\\\\*\\\\*\" and\n not file.name : \"desktop.ini\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "57bccf1d-daf5-4e1a-9049-ff79b5254704", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1074", "name": "Data Staged", "reference": "https://attack.mitre.org/techniques/T1074/", "subtechnique": [{"id": "T1074.001", "name": "Local Data Staging", "reference": "https://attack.mitre.org/techniques/T1074/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "57bccf1d-daf5-4e1a-9049-ff79b5254704_5", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/57bfa0a9-37c0-44d6-b724-54bf16787492.json b/packages/security_detection_engine/kibana/security_rule/57bfa0a9-37c0-44d6-b724-54bf16787492.json
deleted file mode 100644
index a7805408e24..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/57bfa0a9-37c0-44d6-b724-54bf16787492.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies changes to the DNS Global Query Block List (GQBL), a security feature that prevents the resolution of certain DNS names often exploited in attacks like WPAD spoofing. Attackers with certain privileges, such as DNSAdmins, can modify or disable the GQBL, allowing exploitation of hosts running WPAD with default settings for privilege escalation and lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "DNS Global Query Block List Modified or Disabled", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n(\n (registry.value : \"EnableGlobalQueryBlockList\" and registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.value : \"GlobalQueryBlockList\" and not registry.data.strings : \"wpad\")\n)\n", "references": ["https://cube0x0.github.io/Pocing-Beyond-DA/", "https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing", "https://www.netspi.com/blog/technical-blog/network-penetration-testing/adidns-revisited/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "57bfa0a9-37c0-44d6-b724-54bf16787492", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, 
"technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1557", "name": "Adversary-in-the-Middle", "reference": "https://attack.mitre.org/techniques/T1557/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "57bfa0a9-37c0-44d6-b724-54bf16787492", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/57bfa0a9-37c0-44d6-b724-54bf16787492_1.json b/packages/security_detection_engine/kibana/security_rule/57bfa0a9-37c0-44d6-b724-54bf16787492_1.json deleted file mode 100644 index 61dbf8ec773..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/57bfa0a9-37c0-44d6-b724-54bf16787492_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies changes to the DNS Global Query Block List (GQBL), a security feature that prevents the resolution of certain DNS names often exploited in attacks like WPAD spoofing. Attackers with certain privileges, such as DNSAdmins, can modify or disable the GQBL, allowing exploitation of hosts running WPAD with default settings for privilege escalation and lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "DNS Global Query Block List Modified or Disabled", "query": "registry where host.os.type == \"windows\" and event.type : \"change\" and\n(\n (registry.value : \"EnableGlobalQueryBlockList\" and registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.value : \"GlobalQueryBlockList\" and not registry.data.strings : \"wpad\")\n)\n", "references": ["https://cube0x0.github.io/Pocing-Beyond-DA/", "https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing", "https://www.netspi.com/blog/technical-blog/network-penetration-testing/adidns-revisited/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "57bfa0a9-37c0-44d6-b724-54bf16787492", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": 
"T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1557", "name": "Adversary-in-the-Middle", "reference": "https://attack.mitre.org/techniques/T1557/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "57bfa0a9-37c0-44d6-b724-54bf16787492_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/57bfa0a9-37c0-44d6-b724-54bf16787492_2.json b/packages/security_detection_engine/kibana/security_rule/57bfa0a9-37c0-44d6-b724-54bf16787492_2.json deleted file mode 100644 index 7400f29c27c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/57bfa0a9-37c0-44d6-b724-54bf16787492_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies changes to the DNS Global Query Block List (GQBL), a security feature that prevents the resolution of certain DNS names often exploited in attacks like WPAD spoofing. Attackers with certain privileges, such as DNSAdmins, can modify or disable the GQBL, allowing exploitation of hosts running WPAD with default settings for privilege escalation and lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "DNS Global Query Block List Modified or Disabled", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n(\n (registry.value : \"EnableGlobalQueryBlockList\" and registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.value : \"GlobalQueryBlockList\" and not registry.data.strings : \"wpad\")\n)\n", "references": ["https://cube0x0.github.io/Pocing-Beyond-DA/", "https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing", "https://www.netspi.com/blog/technical-blog/network-penetration-testing/adidns-revisited/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "57bfa0a9-37c0-44d6-b724-54bf16787492", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": 
"T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1557", "name": "Adversary-in-the-Middle", "reference": "https://attack.mitre.org/techniques/T1557/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "57bfa0a9-37c0-44d6-b724-54bf16787492_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/57bfa0a9-37c0-44d6-b724-54bf16787492_3.json b/packages/security_detection_engine/kibana/security_rule/57bfa0a9-37c0-44d6-b724-54bf16787492_3.json deleted file mode 100644 index 80ecdf866bb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/57bfa0a9-37c0-44d6-b724-54bf16787492_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies changes to the DNS Global Query Block List (GQBL), a security feature that prevents the resolution of certain DNS names often exploited in attacks like WPAD spoofing. Attackers with certain privileges, such as DNSAdmins, can modify or disable the GQBL, allowing exploitation of hosts running WPAD with default settings for privilege escalation and lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "DNS Global Query Block List Modified or Disabled", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n(\n (registry.value : \"EnableGlobalQueryBlockList\" and registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.value : \"GlobalQueryBlockList\" and not registry.data.strings : \"wpad\")\n)\n", "references": ["https://cube0x0.github.io/Pocing-Beyond-DA/", "https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing", "https://www.netspi.com/blog/technical-blog/network-penetration-testing/adidns-revisited/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "57bfa0a9-37c0-44d6-b724-54bf16787492", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, 
"technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1557", "name": "Adversary-in-the-Middle", "reference": "https://attack.mitre.org/techniques/T1557/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "57bfa0a9-37c0-44d6-b724-54bf16787492_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59.json b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59.json deleted file mode 100644 index d1edbf3cb3f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Deleting Backup Catalogs with Wbadmin", "note": "## Triage and analysis\n\n### Investigating Deleting Backup Catalogs with Wbadmin\n\nWindows Server Backup stores the details about your backups (what volumes are backed up and where the backups are located) in a file called a backup catalog, which ransomware victims can use to recover corrupted backup files. Deleting these files is a common step in threat actor playbooks.\n\nThis rule identifies the deletion of the backup catalog using the `wbadmin.exe` utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- Administrators can use this command to delete corrupted catalogs, but overall the activity is unlikely to be legitimate.\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wbadmin.exe\" or ?process.pe.original_file_name == \"WBADMIN.EXE\") and\n process.args : \"catalog\" and process.args : \"delete\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}, {"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "581add16-df76-42bb-af8e-c979bfb39a59", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_104.json b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_104.json deleted file mode 100644 index c2043d51926..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Deleting Backup Catalogs with Wbadmin", "note": "## Triage and analysis\n\n### Investigating Deleting Backup Catalogs with Wbadmin\n\nWindows Server Backup stores the details about your backups (what volumes are backed up and where the backups are located) in a file called a backup catalog, which ransomware victims can use to recover corrupted backup files. Deleting these files is a common step in threat actor playbooks.\n\nThis rule identifies the deletion of the backup catalog using the `wbadmin.exe` utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- Administrators can use this command to delete corrupted catalogs, but overall the activity is unlikely to be legitimate.\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wbadmin.exe\" or process.pe.original_file_name == \"WBADMIN.EXE\") and\n process.args : \"catalog\" and process.args : \"delete\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", 
"reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "581add16-df76-42bb-af8e-c979bfb39a59_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_105.json b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_105.json deleted file mode 100644 index 1cfb53a13a4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Deleting Backup Catalogs with Wbadmin", "note": "## Triage and analysis\n\n### Investigating Deleting Backup Catalogs with Wbadmin\n\nWindows Server Backup stores the details about your backups (what volumes are backed up and where the backups are located) in a file called a backup catalog, which ransomware victims can use to recover corrupted backup files. Deleting these files is a common step in threat actor playbooks.\n\nThis rule identifies the deletion of the backup catalog using the `wbadmin.exe` utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- Administrators can use this command to delete corrupted catalogs, but overall the activity is unlikely to be legitimate.\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wbadmin.exe\" or process.pe.original_file_name == \"WBADMIN.EXE\") and\n process.args : \"catalog\" and process.args : \"delete\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "581add16-df76-42bb-af8e-c979bfb39a59_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_106.json b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_106.json deleted file mode 100644 index 5b6302f4502..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_106.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Deleting Backup Catalogs with Wbadmin", "note": "## Triage and analysis\n\n### Investigating Deleting Backup Catalogs with Wbadmin\n\nWindows Server Backup stores the details about your backups (what volumes are backed up and where the backups are located) in a file called a backup catalog, which ransomware victims can use to recover corrupted backup files. Deleting these files is a common step in threat actor playbooks.\n\nThis rule identifies the deletion of the backup catalog using the `wbadmin.exe` utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- Administrators can use this command to delete corrupted catalogs, but overall the activity is unlikely to be legitimate.\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wbadmin.exe\" or process.pe.original_file_name == \"WBADMIN.EXE\") and\n process.args : \"catalog\" and process.args : \"delete\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "581add16-df76-42bb-af8e-c979bfb39a59_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_107.json b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_107.json deleted file mode 100644 index 736405c97d9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_107.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Deleting Backup Catalogs with Wbadmin", "note": "## Triage and analysis\n\n### Investigating Deleting Backup Catalogs with Wbadmin\n\nWindows Server Backup stores the details about your backups (what volumes are backed up and where the backups are located) in a file called a backup catalog, which ransomware victims can use to recover corrupted backup files. Deleting these files is a common step in threat actor playbooks.\n\nThis rule identifies the deletion of the backup catalog using the `wbadmin.exe` utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- Administrators can use this command to delete corrupted catalogs, but overall the activity is unlikely to be legitimate.\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wbadmin.exe\" or process.pe.original_file_name == \"WBADMIN.EXE\") and\n process.args : \"catalog\" and process.args : \"delete\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}, {"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "581add16-df76-42bb-af8e-c979bfb39a59_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_108.json b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_108.json deleted file mode 100644 index f822c5d7090..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_108.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Deleting Backup Catalogs with Wbadmin", "note": "## Triage and analysis\n\n### Investigating Deleting Backup Catalogs with Wbadmin\n\nWindows Server Backup stores the details about your backups (what volumes are backed up and where the backups are located) in a file called a backup catalog, which ransomware victims can use to recover corrupted backup files. Deleting these files is a common step in threat actor playbooks.\n\nThis rule identifies the deletion of the backup catalog using the `wbadmin.exe` utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- Administrators can use this command to delete corrupted catalogs, but overall the activity is unlikely to be legitimate.\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wbadmin.exe\" or process.pe.original_file_name == \"WBADMIN.EXE\") and\n process.args : \"catalog\" and process.args : \"delete\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": 
["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}, {"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "581add16-df76-42bb-af8e-c979bfb39a59_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_109.json b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_109.json deleted file mode 100644 index 6732345ceea..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_109.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Deleting Backup Catalogs with Wbadmin", "note": "## Triage and analysis\n\n### Investigating Deleting Backup Catalogs with Wbadmin\n\nWindows Server Backup stores the details about your backups (what volumes are backed up and where the backups are located) in a file called a backup catalog, which ransomware victims can use to recover corrupted backup files. Deleting these files is a common step in threat actor playbooks.\n\nThis rule identifies the deletion of the backup catalog using the `wbadmin.exe` utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- Administrators can use this command to delete corrupted catalogs, but overall the activity is unlikely to be legitimate.\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wbadmin.exe\" or ?process.pe.original_file_name == \"WBADMIN.EXE\") and\n process.args : \"catalog\" and process.args : \"delete\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}, {"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "581add16-df76-42bb-af8e-c979bfb39a59_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_110.json b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_110.json
deleted file mode 100644
index 9ec343d300b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Deleting Backup Catalogs with Wbadmin", "note": "## Triage and analysis\n\n### Investigating Deleting Backup Catalogs with Wbadmin\n\nWindows Server Backup stores the details about your backups (what volumes are backed up and where the backups are located) in a file called a backup catalog, which ransomware victims can use to recover corrupted backup files. Deleting these files is a common step in threat actor playbooks.\n\nThis rule identifies the deletion of the backup catalog using the `wbadmin.exe` utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- Administrators can use this command to delete corrupted catalogs, but overall the activity is unlikely to be legitimate.\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wbadmin.exe\" or ?process.pe.original_file_name == \"WBADMIN.EXE\") and\n process.args : \"catalog\" and process.args : \"delete\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}, {"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "581add16-df76-42bb-af8e-c979bfb39a59_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_111.json b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_111.json deleted file mode 100644 index 8eee2a9902b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Deleting Backup Catalogs with Wbadmin", "note": "## Triage and analysis\n\n### Investigating Deleting Backup Catalogs with Wbadmin\n\nWindows Server Backup stores the details about your backups (what volumes are backed up and where the backups are located) in a file called a backup catalog, which ransomware victims can use to recover corrupted backup files. Deleting these files is a common step in threat actor playbooks.\n\nThis rule identifies the deletion of the backup catalog using the `wbadmin.exe` utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- Administrators can use this command to delete corrupted catalogs, but overall the activity is unlikely to be legitimate.\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wbadmin.exe\" or ?process.pe.original_file_name == \"WBADMIN.EXE\") and\n process.args : \"catalog\" and process.args : \"delete\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}, {"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "581add16-df76-42bb-af8e-c979bfb39a59_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_112.json b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_112.json deleted file mode 100644 index d364146f07a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_112.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Deleting Backup Catalogs with Wbadmin", "note": "## Triage and analysis\n\n### Investigating Deleting Backup Catalogs with Wbadmin\n\nWindows Server Backup stores the details about your backups (what volumes are backed up and where the backups are located) in a file called a backup catalog, which ransomware victims can use to recover corrupted backup files. Deleting these files is a common step in threat actor playbooks.\n\nThis rule identifies the deletion of the backup catalog using the `wbadmin.exe` utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- Administrators can use this command to delete corrupted catalogs, but overall the activity is unlikely to be legitimate.\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wbadmin.exe\" or ?process.pe.original_file_name == \"WBADMIN.EXE\") and\n process.args : \"catalog\" and process.args : \"delete\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}, {"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "581add16-df76-42bb-af8e-c979bfb39a59_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_113.json b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_113.json deleted file mode 100644 index 04dc18d3372..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_113.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Deleting Backup Catalogs with Wbadmin", "note": "## Triage and analysis\n\n### Investigating Deleting Backup Catalogs with Wbadmin\n\nWindows Server Backup stores the details about your backups (what volumes are backed up and where the backups are located) in a file called a backup catalog, which ransomware victims can use to recover corrupted backup files. Deleting these files is a common step in threat actor playbooks.\n\nThis rule identifies the deletion of the backup catalog using the `wbadmin.exe` utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- Administrators can use this command to delete corrupted catalogs, but overall the activity is unlikely to be legitimate.\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wbadmin.exe\" or ?process.pe.original_file_name == \"WBADMIN.EXE\") and\n process.args : \"catalog\" and process.args : \"delete\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}, {"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "581add16-df76-42bb-af8e-c979bfb39a59_113", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_313.json b/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_313.json deleted file mode 100644 index fc2ea4df340..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/581add16-df76-42bb-af8e-c979bfb39a59_313.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Deleting Backup Catalogs with Wbadmin", "note": "## Triage and analysis\n\n### Investigating Deleting Backup Catalogs with Wbadmin\n\nWindows Server Backup stores the details about your backups (what volumes are backed up and where the backups are located) in a file called a backup catalog, which ransomware victims can use to recover corrupted backup files. Deleting these files is a common step in threat actor playbooks.\n\nThis rule identifies the deletion of the backup catalog using the `wbadmin.exe` utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- Administrators can use this command to delete corrupted catalogs, but overall the activity is unlikely to be legitimate.\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wbadmin.exe\" or ?process.pe.original_file_name == \"WBADMIN.EXE\") and\n process.args : \"catalog\" and process.args : \"delete\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "581add16-df76-42bb-af8e-c979bfb39a59", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}, {"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 313}, "id": "581add16-df76-42bb-af8e-c979bfb39a59_313", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50.json b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50.json deleted file mode 100644 index 2b76874cc82..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "RDP Enabled via Registry", "note": "## Triage and analysis\n\n### Investigating RDP Enabled via Registry\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects modification of the fDenyTSConnections registry key to the value `0`, which specifies that remote desktop connections are enabled. Attackers can abuse remote registry, use psexec, etc., to enable RDP and move laterally.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user should be performing this kind of activity, whether they are aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it using firewall rules:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\" and\n registry.data.strings : (\"0\", \"0x00000000\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\SystemPropertiesRemote.exe\", \n 
\"?:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe\", \n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesAdvanced.exe\", \n \"?:\\\\Windows\\\\System32\\\\SystemSettingsAdminFlows.exe\", \n \"?:\\\\Windows\\\\WinSxS\\\\*\\\\TiWorker.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}, 
{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_104.json b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_104.json deleted file mode 100644 index 516a182f43c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "RDP Enabled via Registry", "note": "## Triage and analysis\n\n### Investigating RDP Enabled via Registry\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects modification of the fDenyTSConnections registry key to the value `0`, which specifies that remote desktop connections are enabled. Attackers can abuse remote registry, use psexec, etc., to enable RDP and move laterally.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user should be performing this kind of activity, whether they are aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it using firewall rules:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\"\n ) and\n registry.data.strings : (\"0\", 
\"0x00000000\") and\n not (process.name : \"svchost.exe\" and user.domain == \"NT AUTHORITY\") and\n not process.executable : \"C:\\\\Windows\\\\System32\\\\SystemPropertiesRemote.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_105.json b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_105.json
deleted file mode 100644
index 69a1c8a9540..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "RDP Enabled via Registry", "note": "## Triage and analysis\n\n### Investigating RDP Enabled via Registry\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects modification of the fDenyTSConnections registry key to the value `0`, which specifies that remote desktop connections are enabled. Attackers can abuse remote registry, use psexec, etc., to enable RDP and move laterally.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user should be performing this kind of activity, whether they are aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it using firewall rules:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\"\n ) and\n registry.data.strings : (\"0\", 
\"0x00000000\") and\n not (process.name : \"svchost.exe\" and user.domain == \"NT AUTHORITY\") and\n not process.executable : \"C:\\\\Windows\\\\System32\\\\SystemPropertiesRemote.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_106.json b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_106.json
deleted file mode 100644
index 93db00da7c1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "RDP Enabled via Registry", "note": "## Triage and analysis\n\n### Investigating RDP Enabled via Registry\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects modification of the fDenyTSConnections registry key to the value `0`, which specifies that remote desktop connections are enabled. Attackers can abuse remote registry, use psexec, etc., to enable RDP and move laterally.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user should be performing this kind of activity, whether they are aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it using firewall rules:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and \n event.type in (\"creation\", \"change\") and\n registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\" and\n registry.data.strings : (\"0\", \"0x00000000\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\SystemPropertiesRemote.exe\", \n 
\"?:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe\", \n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesAdvanced.exe\", \n \"?:\\\\Windows\\\\System32\\\\SystemSettingsAdminFlows.exe\", \n \"?:\\\\Windows\\\\WinSxS\\\\*\\\\TiWorker.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_107.json b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_107.json
deleted file mode 100644
index e3cdce79ae9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "RDP Enabled via Registry", "note": "## Triage and analysis\n\n### Investigating RDP Enabled via Registry\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects modification of the fDenyTSConnections registry key to the value `0`, which specifies that remote desktop connections are enabled. Attackers can abuse remote registry, use psexec, etc., to enable RDP and move laterally.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user should be performing this kind of activity, whether they are aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it using firewall rules:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and \n event.type in (\"creation\", \"change\") and\n registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\" and\n registry.data.strings : (\"0\", \"0x00000000\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\SystemPropertiesRemote.exe\", \n 
\"?:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe\", \n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesAdvanced.exe\", \n \"?:\\\\Windows\\\\System32\\\\SystemSettingsAdminFlows.exe\", \n \"?:\\\\Windows\\\\WinSxS\\\\*\\\\TiWorker.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_108.json b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_108.json
deleted file mode 100644
index 2e27e412aa6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "RDP Enabled via Registry", "note": "## Triage and analysis\n\n### Investigating RDP Enabled via Registry\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects modification of the fDenyTSConnections registry key to the value `0`, which specifies that remote desktop connections are enabled. Attackers can abuse remote registry, use psexec, etc., to enable RDP and move laterally.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user should be performing this kind of activity, whether they are aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it using firewall rules:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and \n event.type in (\"creation\", \"change\") and\n registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\" and\n registry.data.strings : (\"0\", \"0x00000000\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\SystemPropertiesRemote.exe\", \n 
\"?:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe\", \n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesAdvanced.exe\", \n \"?:\\\\Windows\\\\System32\\\\SystemSettingsAdminFlows.exe\", \n \"?:\\\\Windows\\\\WinSxS\\\\*\\\\TiWorker.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": 
"https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_109.json b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_109.json
deleted file mode 100644
index 96b5fba8eee..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "RDP Enabled via Registry", "note": "## Triage and analysis\n\n### Investigating RDP Enabled via Registry\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects modification of the fDenyTSConnections registry key to the value `0`, which specifies that remote desktop connections are enabled. Attackers can abuse remote registry, use psexec, etc., to enable RDP and move laterally.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user should be performing this kind of activity, whether they are aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it using firewall rules:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "registry where host.os.type == \"windows\" and \n event.type in (\"creation\", \"change\") and\n registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\" and\n registry.data.strings : (\"0\", \"0x00000000\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\SystemPropertiesRemote.exe\", \n 
\"?:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe\", \n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesAdvanced.exe\", \n \"?:\\\\Windows\\\\System32\\\\SystemSettingsAdminFlows.exe\", \n \"?:\\\\Windows\\\\WinSxS\\\\*\\\\TiWorker.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}, {"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_110.json b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_110.json
deleted file mode 100644
index 70f43591529..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "RDP Enabled via Registry", "note": "## Triage and analysis\n\n### Investigating RDP Enabled via Registry\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects modification of the fDenyTSConnections registry key to the value `0`, which specifies that remote desktop connections are enabled. Attackers can abuse remote registry, use psexec, etc., to enable RDP and move laterally.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user should be performing this kind of activity, whether they are aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it using firewall rules:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and \n event.type in (\"creation\", \"change\") and\n registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\" and\n registry.data.strings : (\"0\", \"0x00000000\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\SystemPropertiesRemote.exe\", \n 
\"?:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe\", \n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesAdvanced.exe\", \n \"?:\\\\Windows\\\\System32\\\\SystemSettingsAdminFlows.exe\", \n \"?:\\\\Windows\\\\WinSxS\\\\*\\\\TiWorker.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}, 
{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_111.json b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_111.json
deleted file mode 100644
index 8cade5277bc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "RDP Enabled via Registry", "note": "## Triage and analysis\n\n### Investigating RDP Enabled via Registry\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects modification of the fDenyTSConnections registry key to the value `0`, which specifies that remote desktop connections are enabled. Attackers can abuse remote registry, use psexec, etc., to enable RDP and move laterally.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user should be performing this kind of activity, whether they are aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it using firewall rules:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and \n event.type in (\"creation\", \"change\") and\n registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\" and\n registry.data.strings : (\"0\", \"0x00000000\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\SystemPropertiesRemote.exe\", \n 
\"?:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe\", \n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesAdvanced.exe\", \n \"?:\\\\Windows\\\\System32\\\\SystemSettingsAdminFlows.exe\", \n \"?:\\\\Windows\\\\WinSxS\\\\*\\\\TiWorker.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}, 
{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_112.json b/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_112.json
deleted file mode 100644
index 9c74c6d0990..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/58aa72ca-d968-4f34-b9f7-bea51d75eb50_112.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies registry write modifications to enable Remote Desktop Protocol (RDP) access. This could be indicative of adversary lateral movement preparation.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "RDP Enabled via Registry", "note": "## Triage and analysis\n\n### Investigating RDP Enabled via Registry\n\nMicrosoft Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that enables remote connections to other computers, typically over TCP port 3389.\n\nAttackers can use RDP to conduct their actions interactively. Ransomware operators frequently use RDP to access victim servers, often using privileged accounts.\n\nThis rule detects modification of the fDenyTSConnections registry key to the value `0`, which specifies that remote desktop connections are enabled. Attackers can abuse remote registry, use psexec, etc., to enable RDP and move laterally.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user to check if they are aware of the operation.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense to enable RDP to this host, given its role in the environment.\n- Check if the host is directly exposed to the internet.\n- Check whether privileged accounts accessed the host shortly after the modification.\n- Review network events within a short timespan of this alert for incoming RDP connection attempts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user should be performing this kind of activity, whether they are aware of it, whether RDP should be open, and whether the action exposes the environment to unnecessary risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If RDP is needed, make sure to secure it using firewall rules:\n - Allowlist RDP traffic to specific trusted hosts.\n - Restrict RDP logins to authorized non-administrator accounts, where possible.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Terminal Server\\\\fDenyTSConnections\" and\n registry.data.strings : (\"0\", \"0x00000000\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\SystemPropertiesRemote.exe\", \n 
\"?:\\\\Windows\\\\System32\\\\SystemPropertiesComputerName.exe\", \n \"?:\\\\Windows\\\\System32\\\\SystemPropertiesAdvanced.exe\", \n \"?:\\\\Windows\\\\System32\\\\SystemSettingsAdminFlows.exe\", \n \"?:\\\\Windows\\\\WinSxS\\\\*\\\\TiWorker.exe\", \n \"?:\\\\Windows\\\\system32\\\\svchost.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}, 
{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "58aa72ca-d968-4f34-b9f7-bea51d75eb50_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba.json b/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba.json
deleted file mode 100644
index 543dd4ae1e5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode. Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session.", "index": ["filebeat-*"], "language": "kuery", "license": "Elastic License v2", "name": "Zoom Meeting with no Passcode", "query": "event.type:creation and event.module:zoom and event.dataset:zoom.webhook and\n event.action:meeting.created and not zoom.meeting.password:*\n", "references": ["https://blog.zoom.us/a-message-to-our-users/", "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic"], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "zoom.meeting.password", "type": "keyword"}], "risk_score": 47, "rule_id": "58ac2aa5-6718-427c-a845-5f3ac5af00ba", "setup": "## Setup\n\nThe Zoom Filebeat module or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Zoom", "Use Case: Configuration Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", 
"reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "58ac2aa5-6718-427c-a845-5f3ac5af00ba", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_100.json b/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_100.json
deleted file mode 100644
index 587c6855a1d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_100.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode. Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session.", "index": ["filebeat-*"], "language": "kuery", "license": "Elastic License v2", "name": "Zoom Meeting with no Passcode", "note": "", "query": "event.type:creation and event.module:zoom and event.dataset:zoom.webhook and\n event.action:meeting.created and not zoom.meeting.password:*\n", "references": ["https://blog.zoom.us/a-message-to-our-users/", "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic"], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "zoom.meeting.password", "type": "keyword"}], "risk_score": 47, "rule_id": "58ac2aa5-6718-427c-a845-5f3ac5af00ba", "setup": "The Zoom Filebeat module or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Application", "Communication", "Zoom", "Continuous Monitoring", "SecOps", "Configuration Audit"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": 
"Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 100}, "id": "58ac2aa5-6718-427c-a845-5f3ac5af00ba_100", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_101.json b/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_101.json
deleted file mode 100644
index 11f7e30045d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_101.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode. Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session.", "index": ["filebeat-*"], "language": "kuery", "license": "Elastic License v2", "name": "Zoom Meeting with no Passcode", "note": "", "query": "event.type:creation and event.module:zoom and event.dataset:zoom.webhook and\n event.action:meeting.created and not zoom.meeting.password:*\n", "references": ["https://blog.zoom.us/a-message-to-our-users/", "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic"], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "zoom.meeting.password", "type": "keyword"}], "risk_score": 47, "rule_id": "58ac2aa5-6718-427c-a845-5f3ac5af00ba", "setup": "The Zoom Filebeat module or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Zoom", "Use Case: Configuration Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", 
"reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "58ac2aa5-6718-427c-a845-5f3ac5af00ba_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_102.json b/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_102.json
deleted file mode 100644
index 48f38b94bfe..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/58ac2aa5-6718-427c-a845-5f3ac5af00ba_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies Zoom meetings that are created without a passcode. Meetings without a passcode are susceptible to Zoombombing. Zoombombing is carried out by taking advantage of Zoom sessions that are not protected with a passcode. Zoombombing refers to the unwanted, disruptive intrusion, generally by Internet trolls and hackers, into a video conference call. In a typical Zoombombing incident, a teleconferencing session is hijacked by the insertion of material that is lewd, obscene, racist, or antisemitic in nature, typically resulting of the shutdown of the session.", "index": ["filebeat-*"], "language": "kuery", "license": "Elastic License v2", "name": "Zoom Meeting with no Passcode", "query": "event.type:creation and event.module:zoom and event.dataset:zoom.webhook and\n event.action:meeting.created and not zoom.meeting.password:*\n", "references": ["https://blog.zoom.us/a-message-to-our-users/", "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic"], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "zoom.meeting.password", "type": "keyword"}], "risk_score": 47, "rule_id": "58ac2aa5-6718-427c-a845-5f3ac5af00ba", "setup": "\nThe Zoom Filebeat module or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Zoom", "Use Case: Configuration Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", 
"reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "58ac2aa5-6718-427c-a845-5f3ac5af00ba_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b.json b/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b.json
deleted file mode 100644
index da2a79c4f34..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment.", "from": "now-9m", "index": ["logs-endpoint.events.file-*", "logs-endpoint.events.network-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Lateral Tool Transfer via SMB Share", "note": "## Triage and analysis\n\n### Investigating Potential Lateral Tool Transfer via SMB Share\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc. Attackers can also leverage file shares that employees frequently access to host malicious files to gain a foothold in other machines.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the created file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. 
Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=30s\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.pid == 4 and destination.port == 445 and\n network.direction : (\"incoming\", \"ingress\") and\n network.transport == \"tcp\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n /* add more executable extensions here if they are not noisy in your environment */\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and process.pid == 4 and \n (file.Ext.header_bytes : \"4d5a*\" or file.extension : (\"exe\", \"scr\", \"pif\", \"com\", \"dll\"))] by process.entity_id\n", "related_integrations": [{"package": 
"endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "58bc134c-e8d2-4291-a552-b4b3e537c60b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}, {"id": "T1570", "name": "Lateral Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1570/"}]}], "type": "eql", "version": 108}, "id": "58bc134c-e8d2-4291-a552-b4b3e537c60b", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_104.json b/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_104.json deleted file mode 100644 index 7b088ffb617..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Lateral Tool Transfer via SMB Share", "note": "## Triage and analysis\n\n### Investigating Potential Lateral Tool Transfer via SMB Share\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc. Attackers can also leverage file shares that employees frequently access to host malicious files to gain a foothold in other machines.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the created file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, 
Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=30s\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.pid == 4 and destination.port == 445 and\n network.direction : (\"incoming\", \"ingress\") and\n network.transport == \"tcp\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n /* add more executable extensions here if they are not noisy in your environment */\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : (\"exe\", \"dll\", \"bat\", \"cmd\")] by process.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "58bc134c-e8d2-4291-a552-b4b3e537c60b", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral 
Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}, {"id": "T1570", "name": "Lateral Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1570/"}]}], "type": "eql", "version": 104}, "id": "58bc134c-e8d2-4291-a552-b4b3e537c60b_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_105.json b/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_105.json
deleted file mode 100644
index f527737d843..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Lateral Tool Transfer via SMB Share", "note": "## Triage and analysis\n\n### Investigating Potential Lateral Tool Transfer via SMB Share\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc. Attackers can also leverage file shares that employees frequently access to host malicious files to gain a foothold in other machines.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the created file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, 
Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=30s\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.pid == 4 and destination.port == 445 and\n network.direction : (\"incoming\", \"ingress\") and\n network.transport == \"tcp\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n /* add more executable extensions here if they are not noisy in your environment */\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : (\"exe\", \"dll\", \"bat\", \"cmd\")] by process.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "58bc134c-e8d2-4291-a552-b4b3e537c60b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}, {"id": "T1570", "name": "Lateral Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1570/"}]}], "type": "eql", "version": 105}, "id": "58bc134c-e8d2-4291-a552-b4b3e537c60b_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_106.json b/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_106.json
deleted file mode 100644
index 3a78cb43b76..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Lateral Tool Transfer via SMB Share", "note": "## Triage and analysis\n\n### Investigating Potential Lateral Tool Transfer via SMB Share\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc. Attackers can also leverage file shares that employees frequently access to host malicious files to gain a foothold in other machines.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the created file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, 
Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=30s\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.pid == 4 and destination.port == 445 and\n network.direction : (\"incoming\", \"ingress\") and\n network.transport == \"tcp\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n /* add more executable extensions here if they are not noisy in your environment */\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : (\"exe\", \"dll\", \"bat\", \"cmd\")] by process.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "58bc134c-e8d2-4291-a552-b4b3e537c60b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}, {"id": "T1570", "name": "Lateral Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1570/"}]}], "type": "eql", "version": 106}, "id": "58bc134c-e8d2-4291-a552-b4b3e537c60b_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_107.json b/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_107.json
deleted file mode 100644
index 38bd11b573b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Lateral Tool Transfer via SMB Share", "note": "## Triage and analysis\n\n### Investigating Potential Lateral Tool Transfer via SMB Share\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc. Attackers can also leverage file shares that employees frequently access to host malicious files to gain a foothold in other machines.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the created file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, 
Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=30s\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.pid == 4 and destination.port == 445 and\n network.direction : (\"incoming\", \"ingress\") and\n network.transport == \"tcp\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n /* add more executable extensions here if they are not noisy in your environment */\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and process.pid == 4 and \n (file.Ext.header_bytes : \"4d5a*\" or file.extension : (\"exe\", \"scr\", 
\"pif\", \"com\", \"dll\"))] by process.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "58bc134c-e8d2-4291-a552-b4b3e537c60b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}, {"id": "T1570", "name": "Lateral Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1570/"}]}], "type": "eql", "version": 107}, "id": "58bc134c-e8d2-4291-a552-b4b3e537c60b_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_108.json b/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_108.json
deleted file mode 100644
index e0846431cce..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/58bc134c-e8d2-4291-a552-b4b3e537c60b_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or change of a Windows executable file over network shares. Adversaries may transfer tools or other files between systems in a compromised environment.", "from": "now-9m", "index": ["logs-endpoint.events.file-*", "logs-endpoint.events.network-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Lateral Tool Transfer via SMB Share", "note": "## Triage and analysis\n\n### Investigating Potential Lateral Tool Transfer via SMB Share\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc. Attackers can also leverage file shares that employees frequently access to host malicious files to gain a foothold in other machines.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the created file and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. 
Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=30s\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.pid == 4 and destination.port == 445 and\n network.direction : (\"incoming\", \"ingress\") and\n network.transport == \"tcp\" and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n /* add more executable extensions here if they are not noisy in your environment */\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and process.pid == 4 and \n (file.Ext.header_bytes : \"4d5a*\" or file.extension : (\"exe\", \"scr\", \"pif\", \"com\", \"dll\"))] by process.entity_id\n", "related_integrations": [{"package": 
"endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "58bc134c-e8d2-4291-a552-b4b3e537c60b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}, {"id": "T1570", "name": "Lateral Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1570/"}]}], "type": "eql", "version": 108}, "id": "58bc134c-e8d2-4291-a552-b4b3e537c60b_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607.json b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607.json
deleted file mode 100644
index 342162c6c7b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.", "from": "now-9m", "index": ["logs-endpoint.events.process-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via InstallerFileTakeOver", "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Verify whether a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.Ext.token.integrity_level_name : \"System\" and\n (\n (process.name : \"elevation_service.exe\" and\n not process.pe.original_file_name == \"elevation_service.exe\") or\n \n (process.name : \"elevation_service.exe\" and\n not process.code_signature.trusted == true) or\n\n (process.parent.name : \"elevation_service.exe\" and\n process.name : (\"rundll32.exe\", \"cmd.exe\", \"powershell.exe\"))\n ) and\n not\n (\n process.name : \"elevation_service.exe\" and process.code_signature.trusted == true and\n process.pe.original_file_name == null\n )\n", "references": ["https://github.com/klinix5/InstallerFileTakeOver"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "58c6d58b-a0d3-412d-b3b8-0981a9400607", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to 
work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "58c6d58b-a0d3-412d-b3b8-0981a9400607", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_104.json b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_104.json deleted file mode 100644 index feb0acc151a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via InstallerFileTakeOver", "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Verify whether a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "/* This rule is compatible with both Sysmon and Elastic Endpoint */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (\n (process.name : \"elevation_service.exe\" and\n not process.pe.original_file_name == \"elevation_service.exe\") or\n\n (process.parent.name : \"elevation_service.exe\" and\n process.name : (\"rundll32.exe\", \"cmd.exe\", \"powershell.exe\"))\n )\n", "references": ["https://github.com/klinix5/InstallerFileTakeOver"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 73, "rule_id": "58c6d58b-a0d3-412d-b3b8-0981a9400607", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": 
"high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "58c6d58b-a0d3-412d-b3b8-0981a9400607_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_105.json b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_105.json deleted file mode 100644 index 50036cd1673..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via InstallerFileTakeOver", "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Verify whether a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "/* This rule is compatible with both Sysmon and Elastic Endpoint */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (\n (process.name : \"elevation_service.exe\" and\n not process.pe.original_file_name == \"elevation_service.exe\") or\n\n (process.parent.name : \"elevation_service.exe\" and\n process.name : (\"rundll32.exe\", \"cmd.exe\", \"powershell.exe\"))\n )\n", "references": ["https://github.com/klinix5/InstallerFileTakeOver"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 73, "rule_id": "58c6d58b-a0d3-412d-b3b8-0981a9400607", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": 
"high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "58c6d58b-a0d3-412d-b3b8-0981a9400607_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_106.json b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_106.json deleted file mode 100644 index 3cba73281ce..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via InstallerFileTakeOver", "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Verify whether a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "/* This rule is compatible with both Sysmon and Elastic Endpoint */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (\n (process.name : \"elevation_service.exe\" and\n not process.pe.original_file_name == \"elevation_service.exe\") or\n\n (process.parent.name : \"elevation_service.exe\" and\n process.name : (\"rundll32.exe\", \"cmd.exe\", \"powershell.exe\"))\n )\n", "references": ["https://github.com/klinix5/InstallerFileTakeOver"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 73, "rule_id": "58c6d58b-a0d3-412d-b3b8-0981a9400607", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": 
"high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "58c6d58b-a0d3-412d-b3b8-0981a9400607_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_107.json b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_107.json deleted file mode 100644 index 3cfbb123dd5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via InstallerFileTakeOver", "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Verify whether a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "/* This rule is compatible with both Sysmon and Elastic Endpoint */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n (\n (process.name : \"elevation_service.exe\" and\n not process.pe.original_file_name == \"elevation_service.exe\") or\n\n (process.parent.name : \"elevation_service.exe\" and\n process.name : (\"rundll32.exe\", \"cmd.exe\", \"powershell.exe\"))\n )\n", "references": ["https://github.com/klinix5/InstallerFileTakeOver"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 73, "rule_id": "58c6d58b-a0d3-412d-b3b8-0981a9400607", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": 
"high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "58c6d58b-a0d3-412d-b3b8-0981a9400607_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_108.json b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_108.json deleted file mode 100644 index 097f08fa192..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via InstallerFileTakeOver", "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Verify whether a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.Ext.token.integrity_level_name : \"System\" and\n (\n (process.name : \"elevation_service.exe\" and\n not process.pe.original_file_name == \"elevation_service.exe\") or\n \n (process.name : \"elevation_service.exe\" and\n not process.code_signature.trusted == true) or\n\n (process.parent.name : \"elevation_service.exe\" and\n process.name : (\"rundll32.exe\", \"cmd.exe\", \"powershell.exe\"))\n ) and\n not\n (\n process.name : \"elevation_service.exe\" and process.code_signature.trusted == true and\n process.pe.original_file_name == null\n )\n", "references": ["https://github.com/klinix5/InstallerFileTakeOver"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "58c6d58b-a0d3-412d-b3b8-0981a9400607", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to 
populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "58c6d58b-a0d3-412d-b3b8-0981a9400607_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_109.json b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_109.json deleted file mode 100644 index 49968aecbb9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via InstallerFileTakeOver", "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Verify whether a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.Ext.token.integrity_level_name : \"System\" and\n (\n (process.name : \"elevation_service.exe\" and\n not process.pe.original_file_name == \"elevation_service.exe\") or\n \n (process.name : \"elevation_service.exe\" and\n not process.code_signature.trusted == true) or\n\n (process.parent.name : \"elevation_service.exe\" and\n process.name : (\"rundll32.exe\", \"cmd.exe\", \"powershell.exe\"))\n ) and\n not\n (\n process.name : \"elevation_service.exe\" and process.code_signature.trusted == true and\n process.pe.original_file_name == null\n )\n", "references": ["https://github.com/klinix5/InstallerFileTakeOver"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "58c6d58b-a0d3-412d-b3b8-0981a9400607", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work 
effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "58c6d58b-a0d3-412d-b3b8-0981a9400607_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_110.json b/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_110.json deleted file mode 100644 index a89642fa7c1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/58c6d58b-a0d3-412d-b3b8-0981a9400607_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a potential exploitation of InstallerTakeOver (CVE-2021-41379) default PoC execution. Successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via InstallerFileTakeOver", "note": "## Triage and analysis\n\n### Investigating Potential Privilege Escalation via InstallerFileTakeOver\n\nInstallerFileTakeOver is a weaponized escalation of privilege proof of concept (EoP PoC) to the CVE-2021-41379 vulnerability. Upon successful exploitation, an unprivileged user will escalate privileges to SYSTEM/NT AUTHORITY.\n\nThis rule detects the default execution of the PoC, which overwrites the `elevation_service.exe` DACL and copies itself to the location to escalate privileges. An attacker is able to still take over any file that is not in use (locked), which is outside the scope of this rule.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Look for additional processes spawned by the process, command lines, and network communications.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- Verify whether a digital signature exists in the executable, and if it is valid.\n\n### Related rules\n\n- Suspicious DLL Loaded for Persistence or Privilege Escalation - bfeaf89b-a2a7-48a3-817f-e41829dc61ee\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.Ext.token.integrity_level_name : \"System\" and\n (\n (process.name : \"elevation_service.exe\" and\n not process.pe.original_file_name == \"elevation_service.exe\") or\n \n (process.name : \"elevation_service.exe\" and\n not process.code_signature.trusted == true) or\n\n (process.parent.name : \"elevation_service.exe\" and\n process.name : (\"rundll32.exe\", \"cmd.exe\", \"powershell.exe\"))\n ) and\n not\n (\n process.name : \"elevation_service.exe\" and process.code_signature.trusted == true and\n process.pe.original_file_name == null\n )\n", "references": ["https://github.com/klinix5/InstallerFileTakeOver"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "58c6d58b-a0d3-412d-b3b8-0981a9400607", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to 
work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "58c6d58b-a0d3-412d-b3b8-0981a9400607_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5919988c-29e1-4908-83aa-1f087a838f63.json b/packages/security_detection_engine/kibana/security_rule/5919988c-29e1-4908-83aa-1f087a838f63.json deleted file mode 100644 index 5c4e2438729..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5919988c-29e1-4908-83aa-1f087a838f63.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of commands that can be used to delete files and directories. Adversaries may delete files and directories on a host system, such as logs, browser history, or malware.", "from": "now-119m", "index": ["logs-endpoint.events.process-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "File or Directory Deletion Command", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and \n(\n (process.name: \"rundll32.exe\" and process.args: \"*InetCpl.cpl,Clear*\") or \n (process.name: \"reg.exe\" and process.args:\"delete\") or \n (\n process.name: \"cmd.exe\" and process.args: (\"*rmdir*\", \"*rm *\", \"rm\") and\n not process.args : (\n \"*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\",\n \"*\\\\AppData\\\\Local\\\\Temp\\\\DockerDesktop\\\\*\",\n \"*\\\\AppData\\\\Local\\\\Temp\\\\Report.*\",\n \"*\\\\AppData\\\\Local\\\\Temp\\\\*.PackageExtraction\"\n )\n ) or\n (process.name: \"powershell.exe\" and process.args: (\"*rmdir\", \"rm\", \"rd\", \"*Remove-Item*\", \"del\", \"*]::Delete(*\"))\n) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "5919988c-29e1-4908-83aa-1f087a838f63", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "5919988c-29e1-4908-83aa-1f087a838f63", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5919988c-29e1-4908-83aa-1f087a838f63_1.json b/packages/security_detection_engine/kibana/security_rule/5919988c-29e1-4908-83aa-1f087a838f63_1.json deleted file mode 100644 index f4c08173186..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5919988c-29e1-4908-83aa-1f087a838f63_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of commands that can be used to delete files and directories. Adversaries may delete files and directories on a host system, such as logs, browser history, or malware.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "File or Directory Deletion Command", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and \n(\n (process.name: \"rundll32.exe\" and process.args: \"*InetCpl.cpl,Clear*\") or \n (process.name: \"reg.exe\" and process.args:\"delete\") or \n (\n process.name: \"cmd.exe\" and process.args: (\"*rmdir*\", \"*rm *\", \"rm\") and\n not process.args : (\"*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\", \"*\\\\AppData\\\\Local\\\\Temp\\\\DockerDesktop\\\\*\")\n ) or\n (process.name: \"powershell.exe\" and process.args: (\"*rmdir\", \"rm\", \"rd\", \"*Remove-Item*\", \"del\", \"*]::Delete(*\"))\n) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "5919988c-29e1-4908-83aa-1f087a838f63", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": 
"T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "5919988c-29e1-4908-83aa-1f087a838f63_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5919988c-29e1-4908-83aa-1f087a838f63_2.json b/packages/security_detection_engine/kibana/security_rule/5919988c-29e1-4908-83aa-1f087a838f63_2.json deleted file mode 100644 index 6deca827ff7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5919988c-29e1-4908-83aa-1f087a838f63_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of commands that can be used to delete files and directories. Adversaries may delete files and directories on a host system, such as logs, browser history, or malware.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "File or Directory Deletion Command", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and \n(\n (process.name: \"rundll32.exe\" and process.args: \"*InetCpl.cpl,Clear*\") or \n (process.name: \"reg.exe\" and process.args:\"delete\") or \n (\n process.name: \"cmd.exe\" and process.args: (\"*rmdir*\", \"*rm *\", \"rm\") and\n not process.args : (\n \"*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\",\n \"*\\\\AppData\\\\Local\\\\Temp\\\\DockerDesktop\\\\*\",\n \"*\\\\AppData\\\\Local\\\\Temp\\\\Report.*\",\n \"*\\\\AppData\\\\Local\\\\Temp\\\\*.PackageExtraction\"\n )\n ) or\n (process.name: \"powershell.exe\" and process.args: (\"*rmdir\", \"rm\", \"rd\", \"*Remove-Item*\", \"del\", \"*]::Delete(*\"))\n) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "5919988c-29e1-4908-83aa-1f087a838f63", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, 
"technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "5919988c-29e1-4908-83aa-1f087a838f63_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184.json b/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184.json deleted file mode 100644 index bde5c0a2be1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the occurrence of emails reported as Phishing or Malware by Users. Security Awareness training is essential to stay ahead of scammers and threat actors, as security products can be bypassed, and the user can still receive a malicious message. Educating users to report suspicious messages can help identify gaps in security controls and prevent malware infections and Business Email Compromise attacks.", "false_positives": ["Legitimate files reported by the users"], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "O365 Email Reported by User as Malware or Phish", "note": "", "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:\"Email reported by user as malware or phish\"\n", "references": ["https://support.microsoft.com/en-us/office/use-the-report-message-add-in-b5caa9f1-cdf3-4443-af8c-ff724ea719d2?ui=en-us&rs=en-us&ad=us"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": true, "name": "rule.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5930658c-2107-4afc-91af-e0e55b7f7184", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", 
"name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "5930658c-2107-4afc-91af-e0e55b7f7184", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_101.json b/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_101.json deleted file mode 100644 index 0a8ea8dfbd6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the occurrence of emails reported as Phishing or Malware by Users. Security Awareness training is essential to stay ahead of scammers and threat actors, as security products can be bypassed, and the user can still receive a malicious message. Educating users to report suspicious messages can help identify gaps in security controls and prevent malware infections and Business Email Compromise attacks.", "false_positives": ["Legitimate files reported by the users"], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "O365 Email Reported by User as Malware or Phish", "note": "", "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:\"Email reported by user as malware or phish\"\n", "references": ["https://support.microsoft.com/en-us/office/use-the-report-message-add-in-b5caa9f1-cdf3-4443-af8c-ff724ea719d2?ui=en-us&rs=en-us&ad=us"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": true, "name": "rule.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5930658c-2107-4afc-91af-e0e55b7f7184", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": 
"T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "5930658c-2107-4afc-91af-e0e55b7f7184_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_102.json b/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_102.json deleted file mode 100644 index da6f9ae5e73..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the occurrence of emails reported as Phishing or Malware by Users. Security Awareness training is essential to stay ahead of scammers and threat actors, as security products can be bypassed, and the user can still receive a malicious message. Educating users to report suspicious messages can help identify gaps in security controls and prevent malware infections and Business Email Compromise attacks.", "false_positives": ["Legitimate files reported by the users"], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "O365 Email Reported by User as Malware or Phish", "note": "", "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:\"Email reported by user as malware or phish\"\n", "references": ["https://support.microsoft.com/en-us/office/use-the-report-message-add-in-b5caa9f1-cdf3-4443-af8c-ff724ea719d2?ui=en-us&rs=en-us&ad=us"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": true, "name": "rule.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5930658c-2107-4afc-91af-e0e55b7f7184", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", 
"name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "5930658c-2107-4afc-91af-e0e55b7f7184_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_103.json b/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_103.json deleted file mode 100644 index ad253062fda..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the occurrence of emails reported as Phishing or Malware by Users. Security Awareness training is essential to stay ahead of scammers and threat actors, as security products can be bypassed, and the user can still receive a malicious message. Educating users to report suspicious messages can help identify gaps in security controls and prevent malware infections and Business Email Compromise attacks.", "false_positives": ["Legitimate files reported by the users"], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "O365 Email Reported by User as Malware or Phish", "note": "", "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:\"Email reported by user as malware or phish\"\n", "references": ["https://support.microsoft.com/en-us/office/use-the-report-message-add-in-b5caa9f1-cdf3-4443-af8c-ff724ea719d2?ui=en-us&rs=en-us&ad=us"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": true, "name": "rule.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5930658c-2107-4afc-91af-e0e55b7f7184", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", 
"name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "5930658c-2107-4afc-91af-e0e55b7f7184_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_105.json b/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_105.json deleted file mode 100644 index 43daf1cb20a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5930658c-2107-4afc-91af-e0e55b7f7184_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the occurrence of emails reported as Phishing or Malware by Users. Security Awareness training is essential to stay ahead of scammers and threat actors, as security products can be bypassed, and the user can still receive a malicious message. Educating users to report suspicious messages can help identify gaps in security controls and prevent malware infections and Business Email Compromise attacks.", "false_positives": ["Legitimate files reported by the users"], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "O365 Email Reported by User as Malware or Phish", "note": "", "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.action:AlertTriggered and rule.name:\"Email reported by user as malware or phish\"\n", "references": ["https://support.microsoft.com/en-us/office/use-the-report-message-add-in-b5caa9f1-cdf3-4443-af8c-ff724ea719d2?ui=en-us&rs=en-us&ad=us"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": true, "name": "rule.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5930658c-2107-4afc-91af-e0e55b7f7184", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", 
"name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "5930658c-2107-4afc-91af-e0e55b7f7184_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed.json b/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed.json deleted file mode 100644 index c019bd3b522..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of an AWS log trail that specifies the settings for delivery of log data.", "false_positives": ["Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Created", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Tactic: Collection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1530", "name": "Data from Cloud Storage", "reference": 
"https://attack.mitre.org/techniques/T1530/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_103.json b/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_103.json deleted file mode 100644 index 5607450c8a1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of an AWS log trail that specifies the settings for delivery of log data.", "false_positives": ["Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Created", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Log Auditing"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1530", "name": "Data from Cloud Storage", "reference": "https://attack.mitre.org/techniques/T1530/"}]}], 
"timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_104.json b/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_104.json deleted file mode 100644 index 8f8392ecd80..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of an AWS log trail that specifies the settings for delivery of log data.", "false_positives": ["Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Created", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Tactic: Collection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1530", "name": "Data from Cloud Storage", "reference": 
"https://attack.mitre.org/techniques/T1530/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_105.json b/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_105.json deleted file mode 100644 index bc320c8f3a7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of an AWS log trail that specifies the settings for delivery of log data.", "false_positives": ["Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Created", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Tactic: Collection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1530", "name": "Data from Cloud Storage", "reference": 
"https://attack.mitre.org/techniques/T1530/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_206.json b/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_206.json deleted file mode 100644 index f639899a200..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_206.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of an AWS log trail that specifies the settings for delivery of log data.", "false_positives": ["Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Created", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Tactic: Collection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1530", "name": "Data from Cloud Storage", "reference": 
"https://attack.mitre.org/techniques/T1530/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed_206", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10.json b/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10.json
deleted file mode 100644
index f2eb69a1a3c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery in order to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping or privilege elevation activity.", "false_positives": ["Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_system_user_discovery"], "name": "Unusual Linux User Discovery Activity", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "59756272-1998-4b8c-be14-e287035c4d10", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}], "type": "machine_learning", "version": 105}, "id": "59756272-1998-4b8c-be14-e287035c4d10", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_101.json b/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_101.json
deleted file mode 100644
index b3259836ef7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_101.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery in order to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping or privilege elevation activity.", "false_positives": ["Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_system_user_discovery"], "name": "Unusual Linux System Owner or User Discovery Activity", "risk_score": 21, "rule_id": "59756272-1998-4b8c-be14-e287035c4d10", "severity": "low", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}], "type": "machine_learning", "version": 101}, "id": "59756272-1998-4b8c-be14-e287035c4d10_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_102.json b/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_102.json
deleted file mode 100644
index 4a12ce302df..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_102.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery in order to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping or privilege elevation activity.", "false_positives": ["Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_system_user_discovery"], "name": "Unusual Linux User Discovery Activity", "risk_score": 21, "rule_id": "59756272-1998-4b8c-be14-e287035c4d10", "severity": "low", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}], "type": "machine_learning", "version": 102}, "id": "59756272-1998-4b8c-be14-e287035c4d10_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_103.json b/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_103.json
deleted file mode 100644
index e174b311a78..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_103.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery in order to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping or privilege elevation activity.", "false_positives": ["Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_system_user_discovery"], "name": "Unusual Linux User Discovery Activity", "risk_score": 21, "rule_id": "59756272-1998-4b8c-be14-e287035c4d10", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}], "type": "machine_learning", "version": 103}, "id": "59756272-1998-4b8c-be14-e287035c4d10_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_104.json b/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_104.json
deleted file mode 100644
index 173a35aad88..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/59756272-1998-4b8c-be14-e287035c4d10_104.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "Looks for commands related to system user or owner discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system owner or user discovery in order to identify currently active or primary users of a system. This may be a precursor to additional discovery, credential dumping or privilege elevation activity.", "false_positives": ["Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_system_user_discovery"], "name": "Unusual Linux User Discovery Activity", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "59756272-1998-4b8c-be14-e287035c4d10", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}], "type": "machine_learning", "version": 104}, "id": "59756272-1998-4b8c-be14-e287035c4d10_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3.json b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3.json
deleted file mode 100644
index 95a2098503e..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", "query": "file where host.os.type == \"windows\" and event.type : \"change\" and process.name : \"dllhost.exe\" and\n /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */\n file.name : (\"wow64log.dll\", \"comctl32.dll\", \"DismCore.dll\", \"OskSupport.dll\", \"duser.dll\", \"Accessibility.ni.dll\") and\n /* has no impact on rule logic just to avoid OS install related FPs */\n not file.path : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*\", \"C:\\\\Windows\\\\WinSxS\\\\*\")\n", "references": ["https://github.com/hfiref0x/UACME", "https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a 
custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_103.json b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_103.json
deleted file mode 100644
index 38479324fd3..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_103.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", "note": "", "query": "file where host.os.type == \"windows\" and event.type : \"change\" and process.name : \"dllhost.exe\" and\n /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */\n file.name : (\"wow64log.dll\", \"comctl32.dll\", \"DismCore.dll\", \"OskSupport.dll\", \"duser.dll\", \"Accessibility.ni.dll\") and\n /* has no impact on rule logic just to avoid OS install related FPs */\n not file.path : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*\", \"C:\\\\Windows\\\\WinSxS\\\\*\")\n", "references": ["https://github.com/hfiref0x/UACME", "https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to 
work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_104.json b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_104.json
deleted file mode 100644
index 95291e3830b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_104.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", "note": "", "query": "file where host.os.type == \"windows\" and event.type : \"change\" and process.name : \"dllhost.exe\" and\n /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */\n file.name : (\"wow64log.dll\", \"comctl32.dll\", \"DismCore.dll\", \"OskSupport.dll\", \"duser.dll\", \"Accessibility.ni.dll\") and\n /* has no impact on rule logic just to avoid OS install related FPs */\n not file.path : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*\", \"C:\\\\Windows\\\\WinSxS\\\\*\")\n", "references": ["https://github.com/hfiref0x/UACME", "https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to 
work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_105.json b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_105.json
deleted file mode 100644
index fc3269c1fc8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_105.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", "note": "", "query": "file where host.os.type == \"windows\" and event.type : \"change\" and process.name : \"dllhost.exe\" and\n /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */\n file.name : (\"wow64log.dll\", \"comctl32.dll\", \"DismCore.dll\", \"OskSupport.dll\", \"duser.dll\", \"Accessibility.ni.dll\") and\n /* has no impact on rule logic just to avoid OS install related FPs */\n not file.path : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*\", \"C:\\\\Windows\\\\WinSxS\\\\*\")\n", "references": ["https://github.com/hfiref0x/UACME", "https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to 
work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_106.json b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_106.json
deleted file mode 100644
index 57ad6af7917..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_106.json
+++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", "note": "", "query": "file where host.os.type == \"windows\" and event.type : \"change\" and process.name : \"dllhost.exe\" and\n /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */\n file.name : (\"wow64log.dll\", \"comctl32.dll\", \"DismCore.dll\", \"OskSupport.dll\", \"duser.dll\", \"Accessibility.ni.dll\") and\n /* has no impact on rule logic just to avoid OS install related FPs */\n not file.path : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*\", \"C:\\\\Windows\\\\WinSxS\\\\*\")\n", "references": ["https://github.com/hfiref0x/UACME", "https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to 
work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_107.json b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_107.json deleted file mode 100644 index cdcbdc54b9e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", "query": "file where host.os.type == \"windows\" and event.type : \"change\" and process.name : \"dllhost.exe\" and\n /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */\n file.name : (\"wow64log.dll\", \"comctl32.dll\", \"DismCore.dll\", \"OskSupport.dll\", \"duser.dll\", \"Accessibility.ni.dll\") and\n /* has no impact on rule logic just to avoid OS install related FPs */\n not file.path : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*\", \"C:\\\\Windows\\\\WinSxS\\\\*\")\n", "references": ["https://github.com/hfiref0x/UACME", "https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_108.json b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_108.json deleted file mode 100644 index 0d2fcd736be..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", "query": "file where host.os.type == \"windows\" and event.type : \"change\" and process.name : \"dllhost.exe\" and\n /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */\n file.name : (\"wow64log.dll\", \"comctl32.dll\", \"DismCore.dll\", \"OskSupport.dll\", \"duser.dll\", \"Accessibility.ni.dll\") and\n /* has no impact on rule logic just to avoid OS install related FPs */\n not file.path : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*\", \"C:\\\\Windows\\\\WinSxS\\\\*\")\n", "references": ["https://github.com/hfiref0x/UACME", "https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom 
ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_109.json b/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_109.json deleted file mode 100644 index 6341faee7e3..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/5a14d01d-7ac8-4545-914c-b687c2cf66b3_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to bypass User Account Control (UAC) via DLL side-loading. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Privileged IFileOperation COM Interface", "query": "file where host.os.type == \"windows\" and event.type : \"change\" and process.name : \"dllhost.exe\" and\n /* Known modules names side loaded into process running with high or system integrity level for UAC Bypass, update here for new modules */\n file.name : (\"wow64log.dll\", \"comctl32.dll\", \"DismCore.dll\", \"OskSupport.dll\", \"duser.dll\", \"Accessibility.ni.dll\") and\n /* has no impact on rule logic just to avoid OS install related FPs */\n not file.path : (\"C:\\\\Windows\\\\SoftwareDistribution\\\\*\", \"C:\\\\Windows\\\\WinSxS\\\\*\")\n", "references": ["https://github.com/hfiref0x/UACME", "https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a 
custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "5a14d01d-7ac8-4545-914c-b687c2cf66b3_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd.json b/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd.json deleted file mode 100644 index 2a75dad81b8..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies the execution of a Linux shell process from a Java JAR application post an incoming network connection. This behavior may indicate reverse shell activity via a Java application.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Java", "query": "sequence by host.id with maxspan=5s\n [network where host.os.type == \"linux\" and event.action in (\"connection_accepted\", \"connection_attempted\") and \n process.executable : (\"/usr/bin/java\", \"/bin/java\", \"/usr/lib/jvm/*\", \"/usr/java/*\") and \n not (destination.ip == null or destination.ip == \"0.0.0.0\" or cidrmatch(\n destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\",\n \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\"\n )\n )] by process.entity_id\n [process where host.os.type == \"linux\" and event.action == \"exec\" and \n process.parent.executable : (\"/usr/bin/java\", \"/bin/java\", \"/usr/lib/jvm/*\", \"/usr/java/*\") and\n process.parent.args : \"-jar\" and process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n and not process.parent.args in (\n \"/usr/share/java/jenkins.war\", \"/etc/remote-iot/services/remoteiot.jar\",\n \"/usr/lib64/NetExtender.jar\", \"/usr/lib/jenkins/jenkins.war\"\n )] by process.parent.entity_id\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], 
"related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "5a3d5447-31c9-409a-aed1-72f9921594fd", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 8}, "id": "5a3d5447-31c9-409a-aed1-72f9921594fd", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_1.json b/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_1.json
deleted file mode 100644
index 31898887567..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies the execution of a Linux shell process from a Java JAR application post an incoming network connection. This behavior may indicate reverse shell activity via a Java application.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Java", "query": "sequence by host.id with maxspan=5s\n[ network where host.os.type == \"linux\" and event.action in (\"connection_accepted\", \"connection_attempted\") and \n process.executable : (\"/usr/bin/java\", \"/bin/java\", \"/usr/lib/jvm/*\", \"/usr/java/*\") ] by process.entity_id\n[ process where host.os.type == \"linux\" and event.action == \"exec\" and \n process.parent.executable : (\"/usr/bin/java\", \"/bin/java\", \"/usr/lib/jvm/*\", \"/usr/java/*\") and\n process.parent.args : \"-jar\" and process.executable : \"*sh\" ] by process.parent.entity_id\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "5a3d5447-31c9-409a-aed1-72f9921594fd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": 
"Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 1}, "id": "5a3d5447-31c9-409a-aed1-72f9921594fd_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_2.json b/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_2.json deleted file mode 100644 index ab43b954a34..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies the execution of a Linux shell process from a Java JAR application post an incoming network connection. This behavior may indicate reverse shell activity via a Java application.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Java", "query": "sequence by host.id with maxspan=5s\n[ network where host.os.type == \"linux\" and event.action in (\"connection_accepted\", \"connection_attempted\") and \n process.executable : (\"/usr/bin/java\", \"/bin/java\", \"/usr/lib/jvm/*\", \"/usr/java/*\") and\n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ] by process.entity_id\n[ process where host.os.type == \"linux\" and event.action == \"exec\" and \n process.parent.executable : (\"/usr/bin/java\", \"/bin/java\", \"/usr/lib/jvm/*\", \"/usr/java/*\") and\n process.parent.args : \"-jar\" and process.executable : \"*sh\" ] by process.parent.entity_id\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "5a3d5447-31c9-409a-aed1-72f9921594fd", "severity": "medium", "tags": ["Domain: 
Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 2}, "id": "5a3d5447-31c9-409a-aed1-72f9921594fd_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_3.json b/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_3.json deleted file mode 100644 index 4c476fe561a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies the execution of a Linux shell process from a Java JAR application post an incoming network connection. This behavior may indicate reverse shell activity via a Java application.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Java", "query": "sequence by host.id with maxspan=5s\n[ network where host.os.type == \"linux\" and event.action in (\"connection_accepted\", \"connection_attempted\") and \n process.executable : (\"/usr/bin/java\", \"/bin/java\", \"/usr/lib/jvm/*\", \"/usr/java/*\") and\n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ] by process.entity_id\n[ process where host.os.type == \"linux\" and event.action == \"exec\" and \n process.parent.executable : (\"/usr/bin/java\", \"/bin/java\", \"/usr/lib/jvm/*\", \"/usr/java/*\") and\n process.parent.args : \"-jar\" and process.executable : \"*sh\" ] by process.parent.entity_id\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "5a3d5447-31c9-409a-aed1-72f9921594fd", "severity": "medium", "tags": ["Domain: 
Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 3}, "id": "5a3d5447-31c9-409a-aed1-72f9921594fd_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_4.json b/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_4.json deleted file mode 100644 index 22244f4e415..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies the execution of a Linux shell process from a Java JAR application post an incoming network connection. This behavior may indicate reverse shell activity via a Java application.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Java", "query": "sequence by host.id with maxspan=5s\n [network where host.os.type == \"linux\" and event.action in (\"connection_accepted\", \"connection_attempted\") and \n process.executable : (\"/usr/bin/java\", \"/bin/java\", \"/usr/lib/jvm/*\", \"/usr/java/*\") and\n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\"\n ] by process.entity_id\n [process where host.os.type == \"linux\" and event.action == \"exec\" and \n process.parent.executable : (\"/usr/bin/java\", \"/bin/java\", \"/usr/lib/jvm/*\", \"/usr/java/*\") and\n process.parent.args : \"-jar\" and process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n ] by process.parent.entity_id\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": 
"process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "5a3d5447-31c9-409a-aed1-72f9921594fd", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 4}, "id": "5a3d5447-31c9-409a-aed1-72f9921594fd_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_5.json b/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_5.json deleted file mode 100644 index 2d99d6e62fe..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies the execution of a Linux shell process from a Java JAR application post an incoming network connection. This behavior may indicate reverse shell activity via a Java application.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Java", "query": "sequence by host.id with maxspan=5s\n [network where host.os.type == \"linux\" and event.action in (\"connection_accepted\", \"connection_attempted\") and \n process.executable : (\"/usr/bin/java\", \"/bin/java\", \"/usr/lib/jvm/*\", \"/usr/java/*\") and\n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\"\n ] by process.entity_id\n [process where host.os.type == \"linux\" and event.action == \"exec\" and \n process.parent.executable : (\"/usr/bin/java\", \"/bin/java\", \"/usr/lib/jvm/*\", \"/usr/java/*\") and\n process.parent.args : \"-jar\" and process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n ] by process.parent.entity_id\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": 
"process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "5a3d5447-31c9-409a-aed1-72f9921594fd", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 5}, "id": "5a3d5447-31c9-409a-aed1-72f9921594fd_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_6.json b/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_6.json deleted file mode 100644 index 0b421808749..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies the execution of a Linux shell process from a Java JAR application post an incoming network connection. This behavior may indicate reverse shell activity via a Java application.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Java", "query": "sequence by host.id with maxspan=5s\n [network where host.os.type == \"linux\" and event.action in (\"connection_accepted\", \"connection_attempted\") and \n process.executable : (\"/usr/bin/java\", \"/bin/java\", \"/usr/lib/jvm/*\", \"/usr/java/*\") and\n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\"\n ] by process.entity_id\n [process where host.os.type == \"linux\" and event.action == \"exec\" and process.parent.executable : (\n \"/usr/bin/java\", \"/bin/java\", \"/usr/lib/jvm/*\", \"/usr/java/*\"\n ) and process.parent.args : \"-jar\" and process.name in (\n \"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"\n ) and not process.args : (\n \"-xe\", \"/tmp/jenkins*.sh\", \"*/var/lib/jenkins/workspace/*\", \"vmstat*\", \"asterisk*\", \"mpstat*\", \"/usr/bin/ps*\", \"umask\", \"*yum*\", \"uptime -s\",\n \"df -h . 
| awk '{print $2}'\", \"free | awk \\\"/Mem:/\\\" | awk '{print $2}'\"\n )\n ] by process.parent.entity_id\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "5a3d5447-31c9-409a-aed1-72f9921594fd", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 6}, "id": "5a3d5447-31c9-409a-aed1-72f9921594fd_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_7.json b/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_7.json deleted file mode 100644 index 50fcf34564b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5a3d5447-31c9-409a-aed1-72f9921594fd_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies the execution of a Linux shell process from a Java JAR application post an incoming network connection. This behavior may indicate reverse shell activity via a Java application.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Java", "query": "sequence by host.id with maxspan=5s\n [network where host.os.type == \"linux\" and event.action in (\"connection_accepted\", \"connection_attempted\") and \n process.executable : (\"/usr/bin/java\", \"/bin/java\", \"/usr/lib/jvm/*\", \"/usr/java/*\") and \n not (destination.ip == null or destination.ip == \"0.0.0.0\" or cidrmatch(\n destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\",\n \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\"\n )\n )] by process.entity_id\n [process where host.os.type == \"linux\" and event.action == \"exec\" and \n process.parent.executable : (\"/usr/bin/java\", \"/bin/java\", \"/usr/lib/jvm/*\", \"/usr/java/*\") and\n process.parent.args : \"-jar\" and process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n and not process.parent.args in (\n \"/usr/share/java/jenkins.war\", \"/etc/remote-iot/services/remoteiot.jar\",\n \"/usr/lib64/NetExtender.jar\", \"/usr/lib/jenkins/jenkins.war\"\n )] by process.parent.entity_id\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], 
"related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "5a3d5447-31c9-409a-aed1-72f9921594fd", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 7}, "id": "5a3d5447-31c9-409a-aed1-72f9921594fd_7", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/5ae02ebc-a5de-4eac-afe6-c88de696477d.json b/packages/security_detection_engine/kibana/security_rule/5ae02ebc-a5de-4eac-afe6-c88de696477d.json
deleted file mode 100644
index 51667fa788c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5ae02ebc-a5de-4eac-afe6-c88de696477d.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the execution of a file system mount followed by a chroot execution. Given enough permissions, a user within a container is capable of mounting the root file system of the host, and leveraging chroot to escape its containarized environment. This behavior pattern is very uncommon and should be investigated.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Chroot Container Escape via Mount", "query": "sequence by host.id, process.parent.entity_id with maxspan=5m\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.name == \"mount\" and process.args : \"/dev/sd*\" and process.args_count >= 3 and\n process.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.name == \"chroot\"]\n", "references": ["https://book.hacktricks.xyz/v/portugues-ht/linux-hardening/privilege-escalation/escaping-from-limited-bash"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5ae02ebc-a5de-4eac-afe6-c88de696477d", "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend 
Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nSession View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. Session View is available on enterprise subscription for versions 8.3 and above.\n#### To confirm that Session View data is enabled:\n- Go to \u201cManage \u2192 Policies\u201d, and edit one or more of your Elastic Defend integration policies.\n- Select the\u201d Policy settings\u201d tab, then scroll down to the \u201cLinux event collection\u201d section near the bottom.\n- Check the box for \u201cProcess events\u201d, and turn on the \u201cInclude session data\u201d toggle.\n- If you want to include file and network alerts in Session View, check the boxes for \u201cNetwork and File events\u201d.\n- If you want to enable terminal output capture, turn on the \u201cCapture terminal output\u201d toggle.\nFor more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, 
"technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}], "type": "eql", "version": 2}, "id": "5ae02ebc-a5de-4eac-afe6-c88de696477d", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5ae02ebc-a5de-4eac-afe6-c88de696477d_1.json b/packages/security_detection_engine/kibana/security_rule/5ae02ebc-a5de-4eac-afe6-c88de696477d_1.json deleted file mode 100644 index b6bedd9e565..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5ae02ebc-a5de-4eac-afe6-c88de696477d_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the execution of a file system mount followed by a chroot execution. Given enough permissions, a user within a container is capable of mounting the root file system of the host, and leveraging chroot to escape its containarized environment. This behavior pattern is very uncommon and should be investigated.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Chroot Container Escape via Mount", "query": "sequence by host.id, process.parent.entity_id with maxspan=5m\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and\n process.name == \"mount\" and process.args : \"/dev/sd*\" and process.args_count >= 3 and\n process.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and\n process.name == \"chroot\"]\n", "references": ["https://book.hacktricks.xyz/v/portugues-ht/linux-hardening/privilege-escalation/escaping-from-limited-bash"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5ae02ebc-a5de-4eac-afe6-c88de696477d", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration 
Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nSession View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. Session View is available on enterprise subscription for versions 8.3 and above.\n#### To confirm that Session View data is enabled:\n- Go to \u201cManage \u2192 Policies\u201d, and edit one or more of your Elastic Defend integration policies.\n- Select the\u201d Policy settings\u201d tab, then scroll down to the \u201cLinux event collection\u201d section near the bottom.\n- Check the box for \u201cProcess events\u201d, and turn on the \u201cInclude session data\u201d toggle.\n- If you want to include file and network alerts in Session View, check the boxes for \u201cNetwork and File events\u201d.\n- If you want to enable terminal output capture, turn on the \u201cCapture terminal output\u201d toggle.\nFor more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": 
"https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}], "type": "eql", "version": 1}, "id": "5ae02ebc-a5de-4eac-afe6-c88de696477d_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc.json b/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc.json
deleted file mode 100644
index 42115318565..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects use of the systemsetup command to enable remote SSH Login.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Remote SSH Login Enabled via systemsetup Command", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:systemsetup and\n process.args:(\"-setremotelogin\" and on) and\n not process.parent.executable : /usr/local/jamf/bin/jamf\n", "references": ["https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf", "https://ss64.com/osx/systemsetup.html", "https://support.apple.com/guide/remote-desktop/about-systemsetup-apd95406b8d/mac"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_102.json b/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_102.json deleted file mode 100644 index eb157594e72..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects use of the systemsetup command to enable remote SSH Login.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Remote SSH Login Enabled via systemsetup Command", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:systemsetup and\n process.args:(\"-setremotelogin\" and on) and\n not process.parent.executable : /usr/local/jamf/bin/jamf\n", "references": ["https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf", "https://ss64.com/osx/systemsetup.html", "https://support.apple.com/guide/remote-desktop/about-systemsetup-apd95406b8d/mac"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_103.json b/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_103.json
deleted file mode 100644
index 07563bbabea..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects use of the systemsetup command to enable remote SSH Login.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Remote SSH Login Enabled via systemsetup Command", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:systemsetup and\n process.args:(\"-setremotelogin\" and on) and\n not process.parent.executable : /usr/local/jamf/bin/jamf\n", "references": ["https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf", "https://ss64.com/osx/systemsetup.html", "https://support.apple.com/guide/remote-desktop/about-systemsetup-apd95406b8d/mac"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_104.json b/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_104.json
deleted file mode 100644
index 4bba4cfdbf9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects use of the systemsetup command to enable remote SSH Login.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Remote SSH Login Enabled via systemsetup Command", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:systemsetup and\n process.args:(\"-setremotelogin\" and on) and\n not process.parent.executable : /usr/local/jamf/bin/jamf\n", "references": ["https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf", "https://ss64.com/osx/systemsetup.html", "https://support.apple.com/guide/remote-desktop/about-systemsetup-apd95406b8d/mac"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_104", "type": "security-rule"} 
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_105.json b/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_105.json
deleted file mode 100644
index 59a528b8117..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects use of the systemsetup command to enable remote SSH Login.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Remote SSH Login Enabled via systemsetup Command", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:systemsetup and\n process.args:(\"-setremotelogin\" and on) and\n not process.parent.executable : /usr/local/jamf/bin/jamf\n", "references": ["https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf", "https://ss64.com/osx/systemsetup.html", "https://support.apple.com/guide/remote-desktop/about-systemsetup-apd95406b8d/mac"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5.json b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5.json deleted file mode 100644 index e766a7ec2f7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Secure File Deletion via SDelete Utility", "note": "## Triage and analysis\n\n### Investigating Potential Secure File Deletion via SDelete Utility\n\nSDelete is a tool primarily used for securely deleting data from storage devices, making it unrecoverable. Microsoft develops it as part of the Sysinternals Suite. Although commonly used to delete data securely, attackers can abuse it to delete forensic indicators and remove files as a post-action to a destructive action such as ransomware or data theft to hinder recovery efforts.\n\nThis rule identifies file name patterns generated by the use of SDelete utility to securely delete a file via multiple file overwrite and rename operations.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line and identify the files deleted, their importance and whether they could be the target of antiforensics activity.\n\n### False positive analysis\n\n- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and there are justifications for the execution.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If important data was encrypted, deleted, or modified, activate your data recovery plan.\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"change\" and file.name : \"*AAA.AAA\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: 
Defense Evasion", "Tactic: Impact", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_103.json b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_103.json deleted file mode 100644 index 41e024067ca..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Secure File Deletion via SDelete Utility", "note": "## Triage and analysis\n\nVerify process details such as command line and hash to confirm this activity legitimacy.", "query": "file where host.os.type == \"windows\" and event.type == \"change\" and file.name : \"*AAA.AAA\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": 
"5aee924b-6ceb-4633-980e-1bde8cdb40c5_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_104.json b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_104.json
deleted file mode 100644
index d5879805c19..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Secure File Deletion via SDelete Utility", "note": "## Triage and analysis\n\nVerify process details such as command line and hash to confirm this activity legitimacy.", "query": "file where host.os.type == \"windows\" and event.type == \"change\" and file.name : \"*AAA.AAA\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": 
"5aee924b-6ceb-4633-980e-1bde8cdb40c5_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_105.json b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_105.json
deleted file mode 100644
index cb3f716e058..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Secure File Deletion via SDelete Utility", "note": "## Triage and analysis\n\n### Investigating Potential Secure File Deletion via SDelete Utility\n\nSDelete is a tool primarily used for securely deleting data from storage devices, making it unrecoverable. Microsoft develops it as part of the Sysinternals Suite. Although commonly used to delete data securely, attackers can abuse it to delete forensic indicators and remove files as a post-action to a destructive action such as ransomware or data theft to hinder recovery efforts.\n\nThis rule identifies file name patterns generated by the use of SDelete utility to securely delete a file via multiple file overwrite and rename operations.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line and identify the files deleted, their importance and whether they could be the target of antiforensics activity.\n\n### False positive analysis\n\n- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and there are justifications for the execution.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If important data was encrypted, deleted, or modified, activate your data recovery plan.\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"change\" and file.name : \"*AAA.AAA\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: 
Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_106.json b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_106.json deleted file mode 100644 index 0aeb58fc9dc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Secure File Deletion via SDelete Utility", "note": "## Triage and analysis\n\n### Investigating Potential Secure File Deletion via SDelete Utility\n\nSDelete is a tool primarily used for securely deleting data from storage devices, making it unrecoverable. Microsoft develops it as part of the Sysinternals Suite. Although commonly used to delete data securely, attackers can abuse it to delete forensic indicators and remove files as a post-action to a destructive action such as ransomware or data theft to hinder recovery efforts.\n\nThis rule identifies file name patterns generated by the use of SDelete utility to securely delete a file via multiple file overwrite and rename operations.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line and identify the files deleted, their importance and whether they could be the target of antiforensics activity.\n\n### False positive analysis\n\n- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and there are justifications for the execution.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If important data was encrypted, deleted, or modified, activate your data recovery plan.\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"change\" and file.name : \"*AAA.AAA\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: 
Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_107.json b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_107.json deleted file mode 100644 index 38130f55400..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Secure File Deletion via SDelete Utility", "note": "## Triage and analysis\n\n### Investigating Potential Secure File Deletion via SDelete Utility\n\nSDelete is a tool primarily used for securely deleting data from storage devices, making it unrecoverable. Microsoft develops it as part of the Sysinternals Suite. Although commonly used to delete data securely, attackers can abuse it to delete forensic indicators and remove files as a post-action to a destructive action such as ransomware or data theft to hinder recovery efforts.\n\nThis rule identifies file name patterns generated by the use of SDelete utility to securely delete a file via multiple file overwrite and rename operations.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line and identify the files deleted, their importance and whether they could be the target of antiforensics activity.\n\n### False positive analysis\n\n- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and there are justifications for the execution.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If important data was encrypted, deleted, or modified, activate your data recovery plan.\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"change\" and file.name : \"*AAA.AAA\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: 
Defense Evasion", "Tactic: Impact", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_108.json b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_108.json deleted file mode 100644 index d53f4fd2d54..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Secure File Deletion via SDelete Utility", "note": "## Triage and analysis\n\n### Investigating Potential Secure File Deletion via SDelete Utility\n\nSDelete is a tool primarily used for securely deleting data from storage devices, making it unrecoverable. Microsoft develops it as part of the Sysinternals Suite. Although commonly used to delete data securely, attackers can abuse it to delete forensic indicators and remove files as a post-action to a destructive action such as ransomware or data theft to hinder recovery efforts.\n\nThis rule identifies file name patterns generated by the use of SDelete utility to securely delete a file via multiple file overwrite and rename operations.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line and identify the files deleted, their importance and whether they could be the target of antiforensics activity.\n\n### False positive analysis\n\n- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and there are justifications for the execution.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If important data was encrypted, deleted, or modified, activate your data recovery plan.\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"change\" and file.name : \"*AAA.AAA\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: 
Defense Evasion", "Tactic: Impact", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_109.json b/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_109.json deleted file mode 100644 index d6363a47e09..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5aee924b-6ceb-4633-980e-1bde8cdb40c5_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects file name patterns generated by the use of Sysinternals SDelete utility to securely delete a file via multiple file overwrite and rename operations.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Secure File Deletion via SDelete Utility", "note": "## Triage and analysis\n\n### Investigating Potential Secure File Deletion via SDelete Utility\n\nSDelete is a tool primarily used for securely deleting data from storage devices, making it unrecoverable. Microsoft develops it as part of the Sysinternals Suite. Although commonly used to delete data securely, attackers can abuse it to delete forensic indicators and remove files as a post-action to a destructive action such as ransomware or data theft to hinder recovery efforts.\n\nThis rule identifies file name patterns generated by the use of SDelete utility to securely delete a file via multiple file overwrite and rename operations.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line and identify the files deleted, their importance and whether they could be the target of antiforensics activity.\n\n### False positive analysis\n\n- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and there are justifications for the execution.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If important data was encrypted, deleted, or modified, activate your data recovery plan.\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"change\" and file.name : \"*AAA.AAA\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: 
Defense Evasion", "Tactic: Impact", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "5aee924b-6ceb-4633-980e-1bde8cdb40c5_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba.json b/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba.json deleted file mode 100644 index 0ffd466bd9b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.", "false_positives": ["Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Virtual Machine Fingerprinting", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.args:(\"/sys/class/dmi/id/bios_version\" or\n \"/sys/class/dmi/id/product_name\" or\n \"/sys/class/dmi/id/chassis_vendor\" or\n \"/proc/scsi/scsi\" or\n \"/proc/ide/hd0/model\") and\n not user.name:root\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_103.json b/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_103.json deleted file mode 100644 index 287510ad97f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.", "false_positives": ["Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Virtual Machine Fingerprinting", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.args:(\"/sys/class/dmi/id/bios_version\" or\n \"/sys/class/dmi/id/product_name\" or\n \"/sys/class/dmi/id/chassis_vendor\" or\n \"/proc/scsi/scsi\" or\n \"/proc/ide/hd0/model\") and\n not user.name:root\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba", "severity": "high", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Discovery", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba_103", "type": 
"security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_104.json b/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_104.json deleted file mode 100644 index 7997bb11d1d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.", "false_positives": ["Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Virtual Machine Fingerprinting", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.args:(\"/sys/class/dmi/id/bios_version\" or\n \"/sys/class/dmi/id/product_name\" or\n \"/sys/class/dmi/id/chassis_vendor\" or\n \"/proc/scsi/scsi\" or\n \"/proc/ide/hd0/model\") and\n not user.name:root\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": 
"5b03c9fb-9945-4d2f-9568-fd690fee3fba_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_105.json b/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_105.json deleted file mode 100644 index 3df9601ab49..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.", "false_positives": ["Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Virtual Machine Fingerprinting", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.args:(\"/sys/class/dmi/id/bios_version\" or\n \"/sys/class/dmi/id/product_name\" or\n \"/sys/class/dmi/id/chassis_vendor\" or\n \"/proc/scsi/scsi\" or\n \"/proc/ide/hd0/model\") and\n not user.name:root\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, 
"id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_106.json b/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_106.json deleted file mode 100644 index 083c2ed3244..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.", "false_positives": ["Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Virtual Machine Fingerprinting", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.args:(\"/sys/class/dmi/id/bios_version\" or\n \"/sys/class/dmi/id/product_name\" or\n \"/sys/class/dmi/id/chassis_vendor\" or\n \"/proc/scsi/scsi\" or\n \"/proc/ide/hd0/model\") and\n not user.name:root\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba", "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_107.json b/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_107.json deleted file mode 100644 index 9d01e9a2ee7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5b03c9fb-9945-4d2f-9568-fd690fee3fba_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.", "false_positives": ["Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Virtual Machine Fingerprinting", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.args:(\"/sys/class/dmi/id/bios_version\" or\n \"/sys/class/dmi/id/product_name\" or\n \"/sys/class/dmi/id/chassis_vendor\" or\n \"/proc/scsi/scsi\" or\n \"/proc/ide/hd0/model\") and\n not user.name:root\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "5b03c9fb-9945-4d2f-9568-fd690fee3fba_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5.json b/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5.json deleted file mode 100644 index 28393ecf032..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the usage of the \"find\" command in conjunction with SUID and SGUID permission arguments. SUID (Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In case an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "SUID/SGUID Enumeration Detected", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \nprocess.name == \"find\" and process.args : \"-perm\" and process.args : (\n \"/6000\", \"-6000\", \"/4000\", \"-4000\", \"/2000\", \"-2000\", \"/u=s\", \"-u=s\", \"/g=s\", \"-g=s\", \"/u=s,g=s\", \"/g=s,u=s\"\n) and not (\n user.Ext.real.id == \"0\" or group.Ext.real.id == \"0\" or process.args_count >= 12 or \n (process.args : \"/usr/bin/pkexec\" and process.args : \"-xdev\" and process.args_count == 7)\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 21, "rule_id": "5b06a27f-ad72-4499-91db-0c69667bffa5", "setup": "## Setup\n\nThis 
rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1083", "name": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.001", "name": "Setuid and Setgid", "reference": "https://attack.mitre.org/techniques/T1548/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "5b06a27f-ad72-4499-91db-0c69667bffa5", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_1.json b/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_1.json deleted file mode 100644 index de4f00679f2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the usage of the \"find\" command in conjunction with SUID and SGUID permission arguments. SUID (Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In case an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "SUID/SGUID Enumeration Detected", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \nprocess.name == \"find\" and process.args : \"-perm\" and process.args : (\n \"/6000\", \"-6000\", \"/4000\", \"-4000\", \"/2000\", \"-2000\", \"/u=s\", \"-u=s\", \"/g=s\", \"-g=s\", \"/u=s,g=s\", \"/g=s,u=s\"\n) and \nnot user.Ext.real.id == \"0\" and not group.Ext.real.id == \"0\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 21, "rule_id": "5b06a27f-ad72-4499-91db-0c69667bffa5", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", 
"name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1083", "name": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.001", "name": "Setuid and Setgid", "reference": "https://attack.mitre.org/techniques/T1548/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "5b06a27f-ad72-4499-91db-0c69667bffa5_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_2.json b/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_2.json deleted file mode 100644 index c5d8f3154d9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the usage of the \"find\" command in conjunction with SUID and SGUID permission arguments. SUID (Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In case an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "SUID/SGUID Enumeration Detected", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \nprocess.name == \"find\" and process.args : \"-perm\" and process.args : (\n \"/6000\", \"-6000\", \"/4000\", \"-4000\", \"/2000\", \"-2000\", \"/u=s\", \"-u=s\", \"/g=s\", \"-g=s\", \"/u=s,g=s\", \"/g=s,u=s\"\n) and \nnot user.Ext.real.id == \"0\" and not group.Ext.real.id == \"0\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 21, "rule_id": "5b06a27f-ad72-4499-91db-0c69667bffa5", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1083", "name": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.001", "name": "Setuid and Setgid", "reference": "https://attack.mitre.org/techniques/T1548/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "5b06a27f-ad72-4499-91db-0c69667bffa5_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_3.json b/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_3.json deleted file mode 100644 index d02f7db16b7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the usage of the \"find\" command in conjunction with SUID and SGUID permission arguments. SUID (Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In case an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "SUID/SGUID Enumeration Detected", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \nprocess.name == \"find\" and process.args : \"-perm\" and process.args : (\n \"/6000\", \"-6000\", \"/4000\", \"-4000\", \"/2000\", \"-2000\", \"/u=s\", \"-u=s\", \"/g=s\", \"-g=s\", \"/u=s,g=s\", \"/g=s,u=s\"\n) and not (\n user.Ext.real.id == \"0\" or group.Ext.real.id == \"0\" or process.args_count >= 12 or \n (process.args : \"/usr/bin/pkexec\" and process.args : \"-xdev\" and process.args_count == 7)\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 21, "rule_id": "5b06a27f-ad72-4499-91db-0c69667bffa5", "setup": "\nThis rule requires 
data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1083", "name": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.001", "name": "Setuid and Setgid", "reference": "https://attack.mitre.org/techniques/T1548/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "5b06a27f-ad72-4499-91db-0c69667bffa5_3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_4.json b/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_4.json
deleted file mode 100644
index 43cf28decfc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the usage of the \"find\" command in conjunction with SUID and SGUID permission arguments. SUID (Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In case an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "SUID/SGUID Enumeration Detected", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \nprocess.name == \"find\" and process.args : \"-perm\" and process.args : (\n \"/6000\", \"-6000\", \"/4000\", \"-4000\", \"/2000\", \"-2000\", \"/u=s\", \"-u=s\", \"/g=s\", \"-g=s\", \"/u=s,g=s\", \"/g=s,u=s\"\n) and not (\n user.Ext.real.id == \"0\" or group.Ext.real.id == \"0\" or process.args_count >= 12 or \n (process.args : \"/usr/bin/pkexec\" and process.args : \"-xdev\" and process.args_count == 7)\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 21, "rule_id": "5b06a27f-ad72-4499-91db-0c69667bffa5", "setup": "\nThis rule requires 
data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1083", "name": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.001", "name": "Setuid and Setgid", "reference": "https://attack.mitre.org/techniques/T1548/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "5b06a27f-ad72-4499-91db-0c69667bffa5_4", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_5.json b/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_5.json
deleted file mode 100644
index 9bbb9dd1539..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5b06a27f-ad72-4499-91db-0c69667bffa5_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the usage of the \"find\" command in conjunction with SUID and SGUID permission arguments. SUID (Set User ID) and SGID (Set Group ID) are special permissions in Linux that allow a program to execute with the privileges of the file owner or group, respectively, rather than the privileges of the user running the program. In case an attacker is able to enumerate and find a binary that is misconfigured, they might be able to leverage this misconfiguration to escalate privileges by exploiting vulnerabilities or built-in features in the privileged program.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "SUID/SGUID Enumeration Detected", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \nprocess.name == \"find\" and process.args : \"-perm\" and process.args : (\n \"/6000\", \"-6000\", \"/4000\", \"-4000\", \"/2000\", \"-2000\", \"/u=s\", \"-u=s\", \"/g=s\", \"-g=s\", \"/u=s,g=s\", \"/g=s,u=s\"\n) and not (\n user.Ext.real.id == \"0\" or group.Ext.real.id == \"0\" or process.args_count >= 12 or \n (process.args : \"/usr/bin/pkexec\" and process.args : \"-xdev\" and process.args_count == 7)\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 21, "rule_id": "5b06a27f-ad72-4499-91db-0c69667bffa5", "setup": "## Setup\n\nThis 
rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1083", "name": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.001", "name": "Setuid and Setgid", "reference": "https://attack.mitre.org/techniques/T1548/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "5b06a27f-ad72-4499-91db-0c69667bffa5_5", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde.json b/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde.json
deleted file mode 100644
index 343f8d61307..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a system to escalate privileges or move latteraly across the network.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious which Enumeration", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and \nprocess.name == \"which\" and process.args_count >= 10 and not process.parent.name == \"jem\" and \nnot process.args == \"--tty-only\"\n\n/* potential tuning if rule would turn out to be noisy\nand process.args in (\"nmap\", \"nc\", \"ncat\", \"netcat\", nc.traditional\", \"gcc\", \"g++\", \"socat\") and \nprocess.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n*/\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "5b18eef4-842c-4b47-970f-f08d24004bde", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": 
[{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "5b18eef4-842c-4b47-970f-f08d24004bde", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_1.json b/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_1.json
deleted file mode 100644
index dc777864af6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a system to escalate privileges or move latteraly across the network.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Suspicious which Enumeration", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"which\" and process.args_count >= 10\n\n/* potential tuning if rule would turn out to be noisy\nand process.args in (\"nmap\", \"nc\", \"ncat\", \"netcat\", nc.traditional\", \"gcc\", \"g++\", \"socat\") and \nprocess.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n*/ \n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "5b18eef4-842c-4b47-970f-f08d24004bde", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, 
"id": "5b18eef4-842c-4b47-970f-f08d24004bde_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_2.json b/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_2.json
deleted file mode 100644
index ca17efe301d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a system to escalate privileges or move latteraly across the network.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Suspicious which Enumeration", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"which\" and process.args_count >= 10\n\n/* potential tuning if rule would turn out to be noisy\nand process.args in (\"nmap\", \"nc\", \"ncat\", \"netcat\", nc.traditional\", \"gcc\", \"g++\", \"socat\") and \nprocess.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n*/ \n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "5b18eef4-842c-4b47-970f-f08d24004bde", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, 
"id": "5b18eef4-842c-4b47-970f-f08d24004bde_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_3.json b/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_3.json
deleted file mode 100644
index c1e96c9934f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a system to escalate privileges or move latteraly across the network.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Suspicious which Enumeration", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"which\" and process.args_count >= 10 and not process.parent.name == \"jem\"\n\n/* potential tuning if rule would turn out to be noisy\nand process.args in (\"nmap\", \"nc\", \"ncat\", \"netcat\", nc.traditional\", \"gcc\", \"g++\", \"socat\") and \nprocess.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n*/ \n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "5b18eef4-842c-4b47-970f-f08d24004bde", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": 
"https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "5b18eef4-842c-4b47-970f-f08d24004bde_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_4.json b/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_4.json
deleted file mode 100644
index dd0e27d8d14..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a system to escalate privileges or move latteraly across the network.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious which Enumeration", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and \nprocess.name == \"which\" and process.args_count >= 10 and not process.parent.name == \"jem\" and \nnot process.args == \"--tty-only\"\n\n/* potential tuning if rule would turn out to be noisy\nand process.args in (\"nmap\", \"nc\", \"ncat\", \"netcat\", nc.traditional\", \"gcc\", \"g++\", \"socat\") and \nprocess.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n*/ \n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "5b18eef4-842c-4b47-970f-f08d24004bde", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, 
"technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "5b18eef4-842c-4b47-970f-f08d24004bde_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_5.json b/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_5.json
deleted file mode 100644
index 42616e29f2a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a system to escalate privileges or move latteraly across the network.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious which Enumeration", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and \nprocess.name == \"which\" and process.args_count >= 10 and not process.parent.name == \"jem\" and \nnot process.args == \"--tty-only\"\n\n/* potential tuning if rule would turn out to be noisy\nand process.args in (\"nmap\", \"nc\", \"ncat\", \"netcat\", nc.traditional\", \"gcc\", \"g++\", \"socat\") and \nprocess.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n*/ \n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "5b18eef4-842c-4b47-970f-f08d24004bde", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, 
"technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "5b18eef4-842c-4b47-970f-f08d24004bde_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_6.json b/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_6.json
deleted file mode 100644
index f1eb5e7567a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5b18eef4-842c-4b47-970f-f08d24004bde_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the usage of the which command with an unusual amount of process arguments. Attackers may leverage the which command to enumerate the system for useful installed utilities that may be used after compromising a system to escalate privileges or move latteraly across the network.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious which Enumeration", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and \nprocess.name == \"which\" and process.args_count >= 10 and not process.parent.name == \"jem\" and \nnot process.args == \"--tty-only\"\n\n/* potential tuning if rule would turn out to be noisy\nand process.args in (\"nmap\", \"nc\", \"ncat\", \"netcat\", nc.traditional\", \"gcc\", \"g++\", \"socat\") and \nprocess.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n*/\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "5b18eef4-842c-4b47-970f-f08d24004bde", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": 
[{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "5b18eef4-842c-4b47-970f-f08d24004bde_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376.json b/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376.json deleted file mode 100644 index 4ad09a2eebb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies suspicious instances of browser processes, such as unsigned or signed with unusual certificates, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware.", "from": "now-9m", "index": ["logs-endpoint.events.process-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as Browser Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n /* Chrome Related Processes */\n (process.name : (\n \"chrome.exe\", \"GoogleUpdate.exe\", \"GoogleCrashHandler64.exe\", \"GoogleCrashHandler.exe\",\n \"GoogleUpdateComRegisterShell64.exe\", \"GoogleUpdateSetup.exe\", \"GoogleUpdateOnDemand.exe\",\n \"chrome_proxy.exe\", \"remote_assistance_host.exe\", \"remoting_native_messaging_host.exe\",\n \"GoogleUpdateBroker.exe\"\n ) and not\n (process.code_signature.subject_name : (\"Google LLC\", \"Google Inc\") and process.code_signature.trusted == true)\n and not\n (\n process.executable : (\n \"?:\\\\Program Files\\\\HP\\\\Sure Click\\\\servers\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\HP\\\\Sure Click\\\\*\\\\servers\\\\chrome.exe\"\n ) and\n process.code_signature.subject_name : (\"Bromium, Inc.\") and process.code_signature.trusted == true\n ) and not\n (\n process.executable : (\n \"?:\\\\Program Files\\\\dynatrace\\\\synthetic\\\\Chrome-bin\\\\chrome.exe\"\n ) and\n process.code_signature.subject_name : (\"Dynatrace LLC\") and process.code_signature.trusted == true\n ) and\n not (\n process.executable : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\ms-playwright\\\\chromium-*\\\\chrome-win\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\synthetics-recorder\\\\resources\\\\local-browsers\\\\chromium-*\\\\chrome-win\\\\chrome.exe\",\n 
\"*\\\\node_modules\\\\puppeteer\\\\.local-chromium\\\\win64-*\\\\chrome-win\\\\chrome.exe\",\n \"?:\\\\Program Files (x86)\\\\Invicti Professional Edition\\\\chromium\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\End2End, Inc\\\\ARMS Html Engine\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\*BurpSuitePro\\\\burpbrowser\\\\*\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\*BurpSuite\\\\burpbrowser\\\\*\\\\chrome.exe\"\n ) and process.args: (\n \"--enable-features=NetworkService,NetworkServiceInProcess\",\n \"--type=crashpad-handler\", \"--enable-automation\", \"--disable-xss-auditor\"\n )\n )\n ) or\n\n /* MS Edge Related Processes */\n (process.name : (\n \"msedge.exe\", \"MicrosoftEdgeUpdate.exe\", \"identity_helper.exe\", \"msedgewebview2.exe\",\n \"MicrosoftEdgeWebview2Setup.exe\", \"MicrosoftEdge_X*.exe\", \"msedge_proxy.exe\",\n \"MicrosoftEdgeUpdateCore.exe\", \"MicrosoftEdgeUpdateBroker.exe\", \"MicrosoftEdgeUpdateSetup_X*.exe\",\n \"MicrosoftEdgeUpdateComRegisterShell64.exe\", \"msedgerecovery.exe\", \"MicrosoftEdgeUpdateSetup.exe\"\n ) and not\n (process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true)\n and not\n (\n process.name : \"msedgewebview2.exe\" and\n process.code_signature.subject_name : (\"Bromium, Inc.\", \"Amazon.com Services LLC\", \"Code Systems Corporation\") and process.code_signature.trusted == true\n )\n ) or\n\n /* Brave Related Processes */\n (process.name : (\n \"brave.exe\", \"BraveUpdate.exe\", \"BraveCrashHandler64.exe\", \"BraveCrashHandler.exe\",\n \"BraveUpdateOnDemand.exe\", \"brave_vpn_helper.exe\", \"BraveUpdateSetup*.exe\",\n \"BraveUpdateComRegisterShell64.exe\"\n ) and not\n (process.code_signature.subject_name : \"Brave Software, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Firefox Related Processes */\n (process.name : (\n \"firefox.exe\", \"pingsender.exe\", \"default-browser-agent.exe\", \"maintenanceservice.exe\",\n 
\"plugin-container.exe\", \"maintenanceservice_tmp.exe\", \"maintenanceservice_installer.exe\",\n \"minidump-analyzer.exe\"\n ) and not\n (process.code_signature.subject_name : \"Mozilla Corporation\" and process.code_signature.trusted == true)\n and not\n (\n process.name : \"default-browser-agent.exe\" and\n process.code_signature.subject_name : (\"WATERFOX LIMITED\") and process.code_signature.trusted == true\n )\n ) or\n\n /* Island Related Processes */\n (process.name : (\n \"Island.exe\", \"IslandUpdate.exe\", \"IslandCrashHandler.exe\", \"IslandCrashHandler64.exe\",\n \"IslandUpdateBroker.exe\", \"IslandUpdateOnDemand.exe\", \"IslandUpdateComRegisterShell64.exe\",\n \"IslandUpdateSetup.exe\"\n ) and not\n (process.code_signature.subject_name : \"Island Technology Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Opera Related Processes */\n (process.name : (\n \"opera.exe\", \"opera_*.exe\", \"browser_assistant.exe\"\n ) and not\n (process.code_signature.subject_name : (\"Opera Norway AS\", \"Opera Software AS\") and process.code_signature.trusted == true)\n ) or\n\n /* Whale Related Processes */\n (process.name : (\n \"whale.exe\", \"whale_update.exe\", \"wusvc.exe\"\n ) and not\n (process.code_signature.subject_name : \"NAVER Corp.\" and process.code_signature.trusted == true)\n ) or\n\n /* Chromium-based Browsers processes */\n (process.name : (\n \"chrmstp.exe\", \"notification_helper.exe\", \"elevation_service.exe\"\n ) and not\n (process.code_signature.subject_name : (\n \"Island Technology Inc.\",\n \"Citrix Systems, Inc.\",\n \"Brave Software, Inc.\",\n \"Google LLC\",\n \"Google Inc\",\n \"Microsoft Corporation\",\n \"NAVER Corp.\",\n \"AVG Technologies USA, LLC\",\n \"Avast Software s.r.o.\",\n \"PIRIFORM SOFTWARE LIMITED\",\n \"NortonLifeLock Inc.\",\n \"Opera Norway AS\"\n ) and process.code_signature.trusted == true\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": 
true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "5b9eb30f-87d6-45f4-9289-2bf2024f0376", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}, {"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Host Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "5b9eb30f-87d6-45f4-9289-2bf2024f0376", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_1.json b/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_1.json deleted file mode 100644 index 9f0d414f587..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies suspicious instances of browser processes, such as unsigned or signed with unusual certificates, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as Browser Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n /* Chrome Related Processes */\n (process.name : (\n \"chrome.exe\", \"GoogleUpdate.exe\", \"GoogleCrashHandler64.exe\", \"GoogleCrashHandler.exe\",\n \"GoogleUpdateComRegisterShell64.exe\", \"GoogleUpdateSetup.exe\", \"GoogleUpdateOnDemand.exe\",\n \"chrome_proxy.exe\", \"remote_assistance_host.exe\", \"remoting_native_messaging_host.exe\",\n \"GoogleUpdateBroker.exe\"\n ) and not\n (process.code_signature.subject_name : (\"Google LLC\", \"Google Inc\") and process.code_signature.trusted == true)\n and not\n (\n process.executable : \"?:\\\\Program Files\\\\HP\\\\Sure Click\\\\servers\\\\chrome.exe\" and\n process.code_signature.subject_name : (\"Bromium, Inc.\") and process.code_signature.trusted == true\n )\n and not process.hash.sha256 : \"6538d54a236349f880d6793d219f558764629efc85d4d08b56b94717c01fb25a\"\n ) or\n\n /* MS Edge Related Processes */\n (process.name : (\n \"msedge.exe\", \"MicrosoftEdgeUpdate.exe\", \"identity_helper.exe\", \"msedgewebview2.exe\",\n \"MicrosoftEdgeWebview2Setup.exe\", \"MicrosoftEdge_X*.exe\", \"msedge_proxy.exe\",\n \"MicrosoftEdgeUpdateCore.exe\", \"MicrosoftEdgeUpdateBroker.exe\", \"MicrosoftEdgeUpdateSetup_X*.exe\",\n \"MicrosoftEdgeUpdateComRegisterShell64.exe\", \"msedgerecovery.exe\", \"MicrosoftEdgeUpdateSetup.exe\"\n ) and not\n (process.code_signature.subject_name : \"Microsoft Corporation\" and 
process.code_signature.trusted == true)\n ) or\n\n /* Brave Related Processes */\n (process.name : (\n \"brave.exe\", \"BraveUpdate.exe\", \"BraveCrashHandler64.exe\", \"BraveCrashHandler.exe\",\n \"BraveUpdateOnDemand.exe\", \"brave_vpn_helper.exe\", \"BraveUpdateSetup*.exe\",\n \"BraveUpdateComRegisterShell64.exe\"\n ) and not\n (process.code_signature.subject_name : \"Brave Software, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Firefox Related Processes */\n (process.name : (\n \"firefox.exe\", \"pingsender.exe\", \"default-browser-agent.exe\", \"maintenanceservice.exe\",\n \"plugin-container.exe\", \"maintenanceservice_tmp.exe\", \"maintenanceservice_installer.exe\",\n \"minidump-analyzer.exe\", \"crashreporter.exe\"\n ) and not\n (process.code_signature.subject_name : \"Mozilla Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Island Related Processes */\n (process.name : (\n \"Island.exe\", \"IslandUpdate.exe\", \"IslandCrashHandler.exe\", \"IslandCrashHandler64.exe\",\n \"IslandUpdateBroker.exe\", \"IslandUpdateOnDemand.exe\", \"IslandUpdateComRegisterShell64.exe\",\n \"IslandUpdateSetup.exe\"\n ) and not\n (process.code_signature.subject_name : \"Island Technology Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Opera Related Processes */\n (process.name : (\n \"opera.exe\", \"opera_*.exe\", \"browser_assistant.exe\"\n ) and not\n (process.code_signature.subject_name : \"Opera Norway AS\" and process.code_signature.trusted == true)\n ) or\n\n /* Whale Related Processes */\n (process.name : (\n \"whale.exe\", \"whale_update.exe\", \"wusvc.exe\"\n ) and not\n (process.code_signature.subject_name : \"NAVER Corp.\" and process.code_signature.trusted == true)\n ) or\n\n /* Chromium-based Browsers processes */\n (process.name : (\n \"chrmstp.exe\", \"notification_helper.exe\", \"elevation_service.exe\"\n ) and not\n (process.code_signature.subject_name : (\n \"Island Technology Inc.\",\n \"Citrix Systems, 
Inc.\",\n \"Brave Software, Inc.\",\n \"Google LLC\",\n \"Google Inc\",\n \"Microsoft Corporation\",\n \"NAVER Corp.\"\n ) and process.code_signature.trusted == true\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.hash.sha256", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "5b9eb30f-87d6-45f4-9289-2bf2024f0376", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "5b9eb30f-87d6-45f4-9289-2bf2024f0376_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_2.json b/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_2.json deleted file mode 100644 index d8cacc9923f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies suspicious instances of browser processes, such as unsigned or signed with unusual certificates, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as Browser Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n /* Chrome Related Processes */\n (process.name : (\n \"chrome.exe\", \"GoogleUpdate.exe\", \"GoogleCrashHandler64.exe\", \"GoogleCrashHandler.exe\",\n \"GoogleUpdateComRegisterShell64.exe\", \"GoogleUpdateSetup.exe\", \"GoogleUpdateOnDemand.exe\",\n \"chrome_proxy.exe\", \"remote_assistance_host.exe\", \"remoting_native_messaging_host.exe\",\n \"GoogleUpdateBroker.exe\"\n ) and not\n (process.code_signature.subject_name : (\"Google LLC\", \"Google Inc\") and process.code_signature.trusted == true)\n and not\n (\n process.executable : (\n \"?:\\\\Program Files\\\\HP\\\\Sure Click\\\\servers\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\HP\\\\Sure Click\\\\*\\\\servers\\\\chrome.exe\"\n ) and\n process.code_signature.subject_name : (\"Bromium, Inc.\") and process.code_signature.trusted == true\n ) and\n not (\n process.executable : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\ms-playwright\\\\chromium-*\\\\chrome-win\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\synthetics-recorder\\\\resources\\\\local-browsers\\\\chromium-*\\\\chrome-win\\\\chrome.exe\",\n \"*\\\\node_modules\\\\puppeteer\\\\.local-chromium\\\\win64-*\\\\chrome-win\\\\chrome.exe\",\n \"?:\\\\Program Files (x86)\\\\Invicti Professional Edition\\\\chromium\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\End2End, Inc\\\\ARMS Html Engine\\\\chrome.exe\",\n 
\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\*BurpSuitePro\\\\burpbrowser\\\\*\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\*BurpSuite\\\\burpbrowser\\\\*\\\\chrome.exe\"\n ) and process.args: (\n \"--enable-features=NetworkService,NetworkServiceInProcess\",\n \"--type=crashpad-handler\", \"--enable-automation\", \"--disable-xss-auditor\"\n )\n )\n ) or\n\n /* MS Edge Related Processes */\n (process.name : (\n \"msedge.exe\", \"MicrosoftEdgeUpdate.exe\", \"identity_helper.exe\", \"msedgewebview2.exe\",\n \"MicrosoftEdgeWebview2Setup.exe\", \"MicrosoftEdge_X*.exe\", \"msedge_proxy.exe\",\n \"MicrosoftEdgeUpdateCore.exe\", \"MicrosoftEdgeUpdateBroker.exe\", \"MicrosoftEdgeUpdateSetup_X*.exe\",\n \"MicrosoftEdgeUpdateComRegisterShell64.exe\", \"msedgerecovery.exe\", \"MicrosoftEdgeUpdateSetup.exe\"\n ) and not\n (process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true)\n and not\n (\n process.name : \"msedgewebview2.exe\" and\n process.code_signature.subject_name : (\"Bromium, Inc.\") and process.code_signature.trusted == true\n )\n ) or\n\n /* Brave Related Processes */\n (process.name : (\n \"brave.exe\", \"BraveUpdate.exe\", \"BraveCrashHandler64.exe\", \"BraveCrashHandler.exe\",\n \"BraveUpdateOnDemand.exe\", \"brave_vpn_helper.exe\", \"BraveUpdateSetup*.exe\",\n \"BraveUpdateComRegisterShell64.exe\"\n ) and not\n (process.code_signature.subject_name : \"Brave Software, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Firefox Related Processes */\n (process.name : (\n \"firefox.exe\", \"pingsender.exe\", \"default-browser-agent.exe\", \"maintenanceservice.exe\",\n \"plugin-container.exe\", \"maintenanceservice_tmp.exe\", \"maintenanceservice_installer.exe\",\n \"minidump-analyzer.exe\"\n ) and not\n (process.code_signature.subject_name : \"Mozilla Corporation\" and process.code_signature.trusted == true)\n and not\n (\n process.name : \"default-browser-agent.exe\" and\n 
process.code_signature.subject_name : (\"WATERFOX LIMITED\") and process.code_signature.trusted == true\n )\n ) or\n\n /* Island Related Processes */\n (process.name : (\n \"Island.exe\", \"IslandUpdate.exe\", \"IslandCrashHandler.exe\", \"IslandCrashHandler64.exe\",\n \"IslandUpdateBroker.exe\", \"IslandUpdateOnDemand.exe\", \"IslandUpdateComRegisterShell64.exe\",\n \"IslandUpdateSetup.exe\"\n ) and not\n (process.code_signature.subject_name : \"Island Technology Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Opera Related Processes */\n (process.name : (\n \"opera.exe\", \"opera_*.exe\", \"browser_assistant.exe\"\n ) and not\n (process.code_signature.subject_name : \"Opera Norway AS\" and process.code_signature.trusted == true)\n ) or\n\n /* Whale Related Processes */\n (process.name : (\n \"whale.exe\", \"whale_update.exe\", \"wusvc.exe\"\n ) and not\n (process.code_signature.subject_name : \"NAVER Corp.\" and process.code_signature.trusted == true)\n ) or\n\n /* Chromium-based Browsers processes */\n (process.name : (\n \"chrmstp.exe\", \"notification_helper.exe\", \"elevation_service.exe\"\n ) and not\n (process.code_signature.subject_name : (\n \"Island Technology Inc.\",\n \"Citrix Systems, Inc.\",\n \"Brave Software, Inc.\",\n \"Google LLC\",\n \"Google Inc\",\n \"Microsoft Corporation\",\n \"NAVER Corp.\",\n \"AVG Technologies USA, LLC\",\n \"Avast Software s.r.o.\"\n ) and process.code_signature.trusted == true\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "5b9eb30f-87d6-45f4-9289-2bf2024f0376", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}, {"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "5b9eb30f-87d6-45f4-9289-2bf2024f0376_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_3.json b/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_3.json deleted file mode 100644 index 31e7be7fb9b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies suspicious instances of browser processes, such as unsigned or signed with unusual certificates, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as Browser Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n /* Chrome Related Processes */\n (process.name : (\n \"chrome.exe\", \"GoogleUpdate.exe\", \"GoogleCrashHandler64.exe\", \"GoogleCrashHandler.exe\",\n \"GoogleUpdateComRegisterShell64.exe\", \"GoogleUpdateSetup.exe\", \"GoogleUpdateOnDemand.exe\",\n \"chrome_proxy.exe\", \"remote_assistance_host.exe\", \"remoting_native_messaging_host.exe\",\n \"GoogleUpdateBroker.exe\"\n ) and not\n (process.code_signature.subject_name : (\"Google LLC\", \"Google Inc\") and process.code_signature.trusted == true)\n and not\n (\n process.executable : (\n \"?:\\\\Program Files\\\\HP\\\\Sure Click\\\\servers\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\HP\\\\Sure Click\\\\*\\\\servers\\\\chrome.exe\"\n ) and\n process.code_signature.subject_name : (\"Bromium, Inc.\") and process.code_signature.trusted == true\n ) and not\n (\n process.executable : (\n \"?:\\\\Program Files\\\\dynatrace\\\\synthetic\\\\Chrome-bin\\\\chrome.exe\"\n ) and\n process.code_signature.subject_name : (\"Dynatrace LLC\") and process.code_signature.trusted == true\n ) and\n not (\n process.executable : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\ms-playwright\\\\chromium-*\\\\chrome-win\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\synthetics-recorder\\\\resources\\\\local-browsers\\\\chromium-*\\\\chrome-win\\\\chrome.exe\",\n 
\"*\\\\node_modules\\\\puppeteer\\\\.local-chromium\\\\win64-*\\\\chrome-win\\\\chrome.exe\",\n \"?:\\\\Program Files (x86)\\\\Invicti Professional Edition\\\\chromium\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\End2End, Inc\\\\ARMS Html Engine\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\*BurpSuitePro\\\\burpbrowser\\\\*\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\*BurpSuite\\\\burpbrowser\\\\*\\\\chrome.exe\"\n ) and process.args: (\n \"--enable-features=NetworkService,NetworkServiceInProcess\",\n \"--type=crashpad-handler\", \"--enable-automation\", \"--disable-xss-auditor\"\n )\n )\n ) or\n\n /* MS Edge Related Processes */\n (process.name : (\n \"msedge.exe\", \"MicrosoftEdgeUpdate.exe\", \"identity_helper.exe\", \"msedgewebview2.exe\",\n \"MicrosoftEdgeWebview2Setup.exe\", \"MicrosoftEdge_X*.exe\", \"msedge_proxy.exe\",\n \"MicrosoftEdgeUpdateCore.exe\", \"MicrosoftEdgeUpdateBroker.exe\", \"MicrosoftEdgeUpdateSetup_X*.exe\",\n \"MicrosoftEdgeUpdateComRegisterShell64.exe\", \"msedgerecovery.exe\", \"MicrosoftEdgeUpdateSetup.exe\"\n ) and not\n (process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true)\n and not\n (\n process.name : \"msedgewebview2.exe\" and\n process.code_signature.subject_name : (\"Bromium, Inc.\", \"Amazon.com Services LLC\") and process.code_signature.trusted == true\n )\n ) or\n\n /* Brave Related Processes */\n (process.name : (\n \"brave.exe\", \"BraveUpdate.exe\", \"BraveCrashHandler64.exe\", \"BraveCrashHandler.exe\",\n \"BraveUpdateOnDemand.exe\", \"brave_vpn_helper.exe\", \"BraveUpdateSetup*.exe\",\n \"BraveUpdateComRegisterShell64.exe\"\n ) and not\n (process.code_signature.subject_name : \"Brave Software, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Firefox Related Processes */\n (process.name : (\n \"firefox.exe\", \"pingsender.exe\", \"default-browser-agent.exe\", \"maintenanceservice.exe\",\n \"plugin-container.exe\", 
\"maintenanceservice_tmp.exe\", \"maintenanceservice_installer.exe\",\n \"minidump-analyzer.exe\"\n ) and not\n (process.code_signature.subject_name : \"Mozilla Corporation\" and process.code_signature.trusted == true)\n and not\n (\n process.name : \"default-browser-agent.exe\" and\n process.code_signature.subject_name : (\"WATERFOX LIMITED\") and process.code_signature.trusted == true\n )\n ) or\n\n /* Island Related Processes */\n (process.name : (\n \"Island.exe\", \"IslandUpdate.exe\", \"IslandCrashHandler.exe\", \"IslandCrashHandler64.exe\",\n \"IslandUpdateBroker.exe\", \"IslandUpdateOnDemand.exe\", \"IslandUpdateComRegisterShell64.exe\",\n \"IslandUpdateSetup.exe\"\n ) and not\n (process.code_signature.subject_name : \"Island Technology Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Opera Related Processes */\n (process.name : (\n \"opera.exe\", \"opera_*.exe\", \"browser_assistant.exe\"\n ) and not\n (process.code_signature.subject_name : (\"Opera Norway AS\", \"Opera Software AS\") and process.code_signature.trusted == true)\n ) or\n\n /* Whale Related Processes */\n (process.name : (\n \"whale.exe\", \"whale_update.exe\", \"wusvc.exe\"\n ) and not\n (process.code_signature.subject_name : \"NAVER Corp.\" and process.code_signature.trusted == true)\n ) or\n\n /* Chromium-based Browsers processes */\n (process.name : (\n \"chrmstp.exe\", \"notification_helper.exe\", \"elevation_service.exe\"\n ) and not\n (process.code_signature.subject_name : (\n \"Island Technology Inc.\",\n \"Citrix Systems, Inc.\",\n \"Brave Software, Inc.\",\n \"Google LLC\",\n \"Google Inc\",\n \"Microsoft Corporation\",\n \"NAVER Corp.\",\n \"AVG Technologies USA, LLC\",\n \"Avast Software s.r.o.\",\n \"PIRIFORM SOFTWARE LIMITED\",\n \"NortonLifeLock Inc.\"\n ) and process.code_signature.trusted == true\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, 
{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "5b9eb30f-87d6-45f4-9289-2bf2024f0376", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}, {"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "5b9eb30f-87d6-45f4-9289-2bf2024f0376_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_4.json b/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_4.json deleted file mode 100644 index 1be43ab200a..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/5b9eb30f-87d6-45f4-9289-2bf2024f0376_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies suspicious instances of browser processes, such as unsigned or signed with unusual certificates, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware.", "from": "now-9m", "index": ["logs-endpoint.events.process-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as Browser Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n /* Chrome Related Processes */\n (process.name : (\n \"chrome.exe\", \"GoogleUpdate.exe\", \"GoogleCrashHandler64.exe\", \"GoogleCrashHandler.exe\",\n \"GoogleUpdateComRegisterShell64.exe\", \"GoogleUpdateSetup.exe\", \"GoogleUpdateOnDemand.exe\",\n \"chrome_proxy.exe\", \"remote_assistance_host.exe\", \"remoting_native_messaging_host.exe\",\n \"GoogleUpdateBroker.exe\"\n ) and not\n (process.code_signature.subject_name : (\"Google LLC\", \"Google Inc\") and process.code_signature.trusted == true)\n and not\n (\n process.executable : (\n \"?:\\\\Program Files\\\\HP\\\\Sure Click\\\\servers\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\HP\\\\Sure Click\\\\*\\\\servers\\\\chrome.exe\"\n ) and\n process.code_signature.subject_name : (\"Bromium, Inc.\") and process.code_signature.trusted == true\n ) and not\n (\n process.executable : (\n \"?:\\\\Program Files\\\\dynatrace\\\\synthetic\\\\Chrome-bin\\\\chrome.exe\"\n ) and\n process.code_signature.subject_name : (\"Dynatrace LLC\") and process.code_signature.trusted == true\n ) and\n not (\n process.executable : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\ms-playwright\\\\chromium-*\\\\chrome-win\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\synthetics-recorder\\\\resources\\\\local-browsers\\\\chromium-*\\\\chrome-win\\\\chrome.exe\",\n 
\"*\\\\node_modules\\\\puppeteer\\\\.local-chromium\\\\win64-*\\\\chrome-win\\\\chrome.exe\",\n \"?:\\\\Program Files (x86)\\\\Invicti Professional Edition\\\\chromium\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\End2End, Inc\\\\ARMS Html Engine\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\*BurpSuitePro\\\\burpbrowser\\\\*\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\*BurpSuite\\\\burpbrowser\\\\*\\\\chrome.exe\"\n ) and process.args: (\n \"--enable-features=NetworkService,NetworkServiceInProcess\",\n \"--type=crashpad-handler\", \"--enable-automation\", \"--disable-xss-auditor\"\n )\n )\n ) or\n\n /* MS Edge Related Processes */\n (process.name : (\n \"msedge.exe\", \"MicrosoftEdgeUpdate.exe\", \"identity_helper.exe\", \"msedgewebview2.exe\",\n \"MicrosoftEdgeWebview2Setup.exe\", \"MicrosoftEdge_X*.exe\", \"msedge_proxy.exe\",\n \"MicrosoftEdgeUpdateCore.exe\", \"MicrosoftEdgeUpdateBroker.exe\", \"MicrosoftEdgeUpdateSetup_X*.exe\",\n \"MicrosoftEdgeUpdateComRegisterShell64.exe\", \"msedgerecovery.exe\", \"MicrosoftEdgeUpdateSetup.exe\"\n ) and not\n (process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true)\n and not\n (\n process.name : \"msedgewebview2.exe\" and\n process.code_signature.subject_name : (\"Bromium, Inc.\", \"Amazon.com Services LLC\", \"Code Systems Corporation\") and process.code_signature.trusted == true\n )\n ) or\n\n /* Brave Related Processes */\n (process.name : (\n \"brave.exe\", \"BraveUpdate.exe\", \"BraveCrashHandler64.exe\", \"BraveCrashHandler.exe\",\n \"BraveUpdateOnDemand.exe\", \"brave_vpn_helper.exe\", \"BraveUpdateSetup*.exe\",\n \"BraveUpdateComRegisterShell64.exe\"\n ) and not\n (process.code_signature.subject_name : \"Brave Software, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Firefox Related Processes */\n (process.name : (\n \"firefox.exe\", \"pingsender.exe\", \"default-browser-agent.exe\", \"maintenanceservice.exe\",\n 
\"plugin-container.exe\", \"maintenanceservice_tmp.exe\", \"maintenanceservice_installer.exe\",\n \"minidump-analyzer.exe\"\n ) and not\n (process.code_signature.subject_name : \"Mozilla Corporation\" and process.code_signature.trusted == true)\n and not\n (\n process.name : \"default-browser-agent.exe\" and\n process.code_signature.subject_name : (\"WATERFOX LIMITED\") and process.code_signature.trusted == true\n )\n ) or\n\n /* Island Related Processes */\n (process.name : (\n \"Island.exe\", \"IslandUpdate.exe\", \"IslandCrashHandler.exe\", \"IslandCrashHandler64.exe\",\n \"IslandUpdateBroker.exe\", \"IslandUpdateOnDemand.exe\", \"IslandUpdateComRegisterShell64.exe\",\n \"IslandUpdateSetup.exe\"\n ) and not\n (process.code_signature.subject_name : \"Island Technology Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Opera Related Processes */\n (process.name : (\n \"opera.exe\", \"opera_*.exe\", \"browser_assistant.exe\"\n ) and not\n (process.code_signature.subject_name : (\"Opera Norway AS\", \"Opera Software AS\") and process.code_signature.trusted == true)\n ) or\n\n /* Whale Related Processes */\n (process.name : (\n \"whale.exe\", \"whale_update.exe\", \"wusvc.exe\"\n ) and not\n (process.code_signature.subject_name : \"NAVER Corp.\" and process.code_signature.trusted == true)\n ) or\n\n /* Chromium-based Browsers processes */\n (process.name : (\n \"chrmstp.exe\", \"notification_helper.exe\", \"elevation_service.exe\"\n ) and not\n (process.code_signature.subject_name : (\n \"Island Technology Inc.\",\n \"Citrix Systems, Inc.\",\n \"Brave Software, Inc.\",\n \"Google LLC\",\n \"Google Inc\",\n \"Microsoft Corporation\",\n \"NAVER Corp.\",\n \"AVG Technologies USA, LLC\",\n \"Avast Software s.r.o.\",\n \"PIRIFORM SOFTWARE LIMITED\",\n \"NortonLifeLock Inc.\",\n \"Opera Norway AS\"\n ) and process.code_signature.trusted == true\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": 
true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "5b9eb30f-87d6-45f4-9289-2bf2024f0376", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}, {"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "5b9eb30f-87d6-45f4-9289-2bf2024f0376_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8.json b/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8.json deleted file mode 100644 index 52f07213fd7..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.", "filters": [{"meta": {"negate": false}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\Sys?????\\\\*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\Sys?????\\\\PrintConfig.dll"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\Sys?????\\\\x5lrs.dll"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\x64\\\\*.dll"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\W32X86\\\\*.dll"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\system32\\\\spool\\\\PRTPROCS\\\\x64\\\\*.dll"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\system32\\\\spool\\\\{????????-????-????-????-????????????}\\\\*.dll"}}}}], "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious PrintSpooler Service Executable File Creation", "new_terms_fields": ["host.id", "file.path"], "query": "event.category : \"file\" and host.os.type : \"windows\" and event.type : \"creation\" and\n process.name : \"spoolsv.exe\" and file.extension : \"dll\"\n", "references": 
["https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/", "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 109}, "id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_102.json b/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_102.json deleted file mode 100644 index e8a355c5469..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious PrintSpooler Service Executable File Creation", "note": "", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : \"spoolsv.exe\" and file.extension : \"dll\" and\n file.path : (\"?:\\\\Windows\\\\System32\\\\*\", \"?:\\\\Windows\\\\SysWOW64\\\\*\") and\n not file.path :\n (\"?:\\\\WINDOWS\\\\SysWOW64\\\\PrintConfig.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\x5lrs.dll\",\n \"?:\\\\WINDOWS\\\\sysWOW64\\\\x5lrs.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\PrintConfig.dll\")\n", "references": ["https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/", "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp 
for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_103.json b/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_103.json deleted file mode 100644 index 67ef5950cb6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious PrintSpooler Service Executable File Creation", "note": "", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : \"spoolsv.exe\" and file.extension : \"dll\" and\n file.path : (\"?:\\\\Windows\\\\System32\\\\*\", \"?:\\\\Windows\\\\SysWOW64\\\\*\") and\n not file.path :\n (\"?:\\\\WINDOWS\\\\SysWOW64\\\\PrintConfig.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\x5lrs.dll\",\n \"?:\\\\WINDOWS\\\\sysWOW64\\\\x5lrs.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\PrintConfig.dll\")\n", "references": ["https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/", "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp 
for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_104.json b/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_104.json deleted file mode 100644 index 1a53e9da2b5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious PrintSpooler Service Executable File Creation", "note": "", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : \"spoolsv.exe\" and file.extension : \"dll\" and\n file.path : (\"?:\\\\Windows\\\\System32\\\\*\", \"?:\\\\Windows\\\\SysWOW64\\\\*\") and\n not file.path :\n (\"?:\\\\WINDOWS\\\\SysWOW64\\\\PrintConfig.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\x5lrs.dll\",\n \"?:\\\\WINDOWS\\\\sysWOW64\\\\x5lrs.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\PrintConfig.dll\")\n", "references": ["https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/", "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp 
for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_105.json b/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_105.json deleted file mode 100644 index b8e29b6ee8e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious PrintSpooler Service Executable File Creation", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : \"spoolsv.exe\" and file.extension : \"dll\" and\n file.path : (\"?:\\\\Windows\\\\System32\\\\*\", \"?:\\\\Windows\\\\SysWOW64\\\\*\") and\n not file.path :\n (\"?:\\\\WINDOWS\\\\SysWOW64\\\\PrintConfig.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\x5lrs.dll\",\n \"?:\\\\WINDOWS\\\\sysWOW64\\\\x5lrs.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\PrintConfig.dll\")\n", "references": ["https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/", "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest 
pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_106.json b/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_106.json deleted file mode 100644 index fd83ad41c11..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious PrintSpooler Service Executable File Creation", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : \"spoolsv.exe\" and file.extension : \"dll\" and\n file.path : (\"?:\\\\Windows\\\\System32\\\\*\", \"?:\\\\Windows\\\\SysWOW64\\\\*\") and\n not file.path : (\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\PrintConfig.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\x5lrs.dll\",\n \"?:\\\\WINDOWS\\\\sysWOW64\\\\x5lrs.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\PrintConfig.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS\\\\x64\\\\*.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS\\\\W32X86\\\\*.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\spool\\\\PRTPROCS\\\\x64\\\\*.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\spool\\\\{????????-????-????-????-????????????}\\\\*.dll\"\n )\n", "references": ["https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/", "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": 
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_107.json b/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_107.json deleted file mode 100644 index 8074977a25c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious PrintSpooler Service Executable File Creation", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : \"spoolsv.exe\" and file.extension : \"dll\" and\n file.path : (\"?:\\\\Windows\\\\System32\\\\*\", \"?:\\\\Windows\\\\SysWOW64\\\\*\") and\n not file.path : (\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\PrintConfig.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\x5lrs.dll\",\n \"?:\\\\WINDOWS\\\\sysWOW64\\\\x5lrs.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\PrintConfig.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS\\\\x64\\\\*.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS\\\\W32X86\\\\*.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\spool\\\\PRTPROCS\\\\x64\\\\*.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\spool\\\\{????????-????-????-????-????????????}\\\\*.dll\"\n )\n", "references": ["https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/", "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": 
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_108.json b/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_108.json deleted file mode 100644 index 9732399a594..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_108.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious PrintSpooler Service Executable File Creation", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : \"spoolsv.exe\" and file.extension : \"dll\" and\n file.path : (\"?:\\\\Windows\\\\System32\\\\*\", \"?:\\\\Windows\\\\SysWOW64\\\\*\") and\n not file.path : (\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\PrintConfig.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\x5lrs.dll\",\n \"?:\\\\WINDOWS\\\\sysWOW64\\\\x5lrs.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\PrintConfig.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS\\\\x64\\\\*.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS\\\\W32X86\\\\*.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\spool\\\\PRTPROCS\\\\x64\\\\*.dll\",\n \"?:\\\\WINDOWS\\\\system32\\\\spool\\\\{????????-????-????-????-????????????}\\\\*.dll\"\n )\n", "references": ["https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/", "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": 
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_109.json b/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_109.json
deleted file mode 100644
index 6f358b527fd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.", "filters": [{"meta": {"negate": false}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\Sys?????\\\\*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\Sys?????\\\\PrintConfig.dll"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\Sys?????\\\\x5lrs.dll"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\x64\\\\*.dll"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\W32X86\\\\*.dll"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\system32\\\\spool\\\\PRTPROCS\\\\x64\\\\*.dll"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\system32\\\\spool\\\\{????????-????-????-????-????????????}\\\\*.dll"}}}}], "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious PrintSpooler Service Executable File Creation", "new_terms_fields": ["host.id", "file.path"], "query": "event.category : \"file\" and host.os.type : \"windows\" and event.type : \"creation\" and\n process.name : \"spoolsv.exe\" and file.extension : \"dll\"\n", "references": 
["https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/", "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 109}, "id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_112.json b/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_112.json
deleted file mode 100644
index 0b0e5c1ce8b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_112.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.", "filters": [{"meta": {"negate": false}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\Sys?????\\\\*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\Sys?????\\\\PrintConfig.dll"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\Sys?????\\\\x5lrs.dll"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\x64\\\\*.dll"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\W32X86\\\\*.dll"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\system32\\\\spool\\\\PRTPROCS\\\\x64\\\\*.dll"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\system32\\\\spool\\\\{????????-????-????-????-????????????}\\\\*.dll"}}}}], "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious PrintSpooler Service Executable File Creation", "new_terms_fields": ["host.id", "file.path"], "query": "event.category : \"file\" and host.os.type : \"windows\" and event.type : \"creation\" and\n process.name : \"spoolsv.exe\" 
and file.extension : \"dll\"\n", "references": ["https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/", "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 112}, "id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_214.json b/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_214.json
deleted file mode 100644
index aac85f65c50..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_214.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted system is patched.", "filters": [{"meta": {"negate": false}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\Sys?????\\\\*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\Sys?????\\\\PrintConfig.dll"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\Sys?????\\\\x5lrs.dll"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\x64\\\\*.dll"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\system32\\\\spool\\\\DRIVERS\\\\W32X86\\\\*.dll"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\system32\\\\spool\\\\PRTPROCS\\\\x64\\\\*.dll"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\system32\\\\spool\\\\{????????-????-????-????-????????????}\\\\*.dll"}}}}], "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious PrintSpooler Service Executable File Creation", "new_terms_fields": ["host.id", "file.path"], "query": "event.category : \"file\" and host.os.type : \"windows\" and event.type : \"creation\" and\n process.name : \"spoolsv.exe\" 
and file.extension : \"dll\"\n", "references": ["https://voidsec.com/cve-2020-1337-printdemon-is-dead-long-live-printdemon/", "https://www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 214}, "id": "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8_214", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318.json b/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318.json
deleted file mode 100644
index 596e7264bee..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group.", "false_positives": ["WAF rules or rule groups may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Rule deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS WAF Rule or Rule Group Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html", "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_102.json b/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_102.json
deleted file mode 100644
index 2a8148a775d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group.", "false_positives": ["WAF rules or rule groups may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Rule deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS WAF Rule or Rule Group Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html", "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Network Security"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": 
"Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_103.json b/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_103.json
deleted file mode 100644
index 7bc5f3142d9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group.", "false_positives": ["WAF rules or rule groups may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Rule deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS WAF Rule or Rule Group Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html", "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, 
"technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_104.json b/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_104.json
deleted file mode 100644
index c14350bb043..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group.", "false_positives": ["WAF rules or rule groups may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Rule deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS WAF Rule or Rule Group Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html", "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, 
"technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_205.json b/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_205.json
deleted file mode 100644
index 78fce08d023..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5beaebc1-cc13-4bfc-9949-776f9e0dc318_205.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group.", "false_positives": ["WAF rules or rule groups may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Rule deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS WAF Rule or Rule Group Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:(waf.amazonaws.com or waf-regional.amazonaws.com or wafv2.amazonaws.com) and event.action:(DeleteRule or DeleteRuleGroup) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html", "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, 
"technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "5beaebc1-cc13-4bfc-9949-776f9e0dc318_205", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5c351f54-4187-4ad8-abc8-29b0cfbef8b1.json b/packages/security_detection_engine/kibana/security_rule/5c351f54-4187-4ad8-abc8-29b0cfbef8b1.json
deleted file mode 100644
index 4ac9a839cf7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5c351f54-4187-4ad8-abc8-29b0cfbef8b1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies recursive process capability enumeration of the entire filesystem through the getcap command. Malicious users may manipulate identified capabilities to gain root privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Capability Enumeration", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.name == \"getcap\" and process.args == \"-r\" and process.args == \"/\" and process.args_count == 3 and\nuser.id != \"0\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "5c351f54-4187-4ad8-abc8-29b0cfbef8b1", "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "5c351f54-4187-4ad8-abc8-29b0cfbef8b1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5c351f54-4187-4ad8-abc8-29b0cfbef8b1_1.json b/packages/security_detection_engine/kibana/security_rule/5c351f54-4187-4ad8-abc8-29b0cfbef8b1_1.json
deleted file mode 100644
index 680dc770044..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5c351f54-4187-4ad8-abc8-29b0cfbef8b1_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies recursive process capability enumeration of the entire filesystem through the getcap command. Malicious users may manipulate identified capabilities to gain root privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Process Capability Enumeration", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and\nprocess.name == \"getcap\" and process.args == \"-r\" and process.args == \"/\" and process.args_count == 3 and\nuser.id != \"0\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "5c351f54-4187-4ad8-abc8-29b0cfbef8b1", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "5c351f54-4187-4ad8-abc8-29b0cfbef8b1_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5c602cba-ae00-4488-845d-24de2b6d8055.json b/packages/security_detection_engine/kibana/security_rule/5c602cba-ae00-4488-845d-24de2b6d8055.json
deleted file mode 100644
index db7f8b941c7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5c602cba-ae00-4488-845d-24de2b6d8055.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies PowerShell scripts that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Veeam Credential Access Capabilities", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"[dbo].[Credentials]\" and\n (\"Veeam\" or \"VeeamBackup\")\n ) or\n \"ProtectedStorage]::GetLocalString\"\n )\n", "references": ["https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html", "https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "5c602cba-ae00-4488-845d-24de2b6d8055", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", 
"name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "5c602cba-ae00-4488-845d-24de2b6d8055", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5c602cba-ae00-4488-845d-24de2b6d8055_1.json b/packages/security_detection_engine/kibana/security_rule/5c602cba-ae00-4488-845d-24de2b6d8055_1.json
deleted file mode 100644
index 4d501860ae9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5c602cba-ae00-4488-845d-24de2b6d8055_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies PowerShell scripts that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Veeam Credential Access Capabilities", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"[dbo].[Credentials]\" and\n (\"Veeam\" or \"VeeamBackup\")\n ) or\n \"ProtectedStorage]::GetLocalString\"\n )\n", "references": ["https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html", "https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "5c602cba-ae00-4488-845d-24de2b6d8055", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", 
"name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "5c602cba-ae00-4488-845d-24de2b6d8055_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5c602cba-ae00-4488-845d-24de2b6d8055_2.json b/packages/security_detection_engine/kibana/security_rule/5c602cba-ae00-4488-845d-24de2b6d8055_2.json
deleted file mode 100644
index 2c37d4b3504..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5c602cba-ae00-4488-845d-24de2b6d8055_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies PowerShell scripts that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Veeam Credential Access Capabilities", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"[dbo].[Credentials]\" and\n (\"Veeam\" or \"VeeamBackup\")\n ) or\n \"ProtectedStorage]::GetLocalString\"\n )\n", "references": ["https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html", "https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "5c602cba-ae00-4488-845d-24de2b6d8055", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", 
"name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "5c602cba-ae00-4488-845d-24de2b6d8055_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def.json b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def.json
deleted file mode 100644
index b18be34b7da..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", "from": "now-9m", "history_window_start": "now-15d", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "FirstTime Seen Account Performing DCSync", "new_terms_fields": ["winlog.event_data.SubjectUserName"], "note": "## Triage and analysis\n\n### Investigating FirstTime Seen Account Performing DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys that are used legitimately for creating tickets, but also for forging tickets by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. 
Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for when a Windows Event ID 4662 (Operation was performed on an Active Directory object) with the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set) is seen in the environment for the first time in the last 15 days.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect; investigate if this is part of a new Azure AD account setup, and ensure it is properly secured. 
If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. Investigate if this is part of a new product setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:(\"Directory Service Access\" or \"object-operation-performed\") and event.code:\"4662\" and\n winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or\n *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and\n not winlog.event_data.SubjectUserName:(*$ or MSOL_*)\n", "references": ["https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def", "setup": "## Setup\n\nThe 'Audit Directory Service Access' 
logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Resources: Investigation Guide", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.006", "name": "DCSync", "reference": "https://attack.mitre.org/techniques/T1003/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 11}, "id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_10.json b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_10.json
deleted file mode 100644
index f5c1936911b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_10.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", "from": "now-9m", "history_window_start": "now-15d", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "FirstTime Seen Account Performing DCSync", "new_terms_fields": ["winlog.event_data.SubjectUserName"], "note": "## Triage and analysis\n\n### Investigating FirstTime Seen Account Performing DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys that are used legitimately for creating tickets, but also for forging tickets by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. 
Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for when a Windows Event ID 4662 (Operation was performed on an Active Directory object) with the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set) is seen in the environment for the first time in the last 15 days.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect; investigate if this is part of a new Azure AD account setup, and ensure it is properly secured. 
If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. Investigate if this is part of a new product setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:(\"Directory Service Access\" or \"object-operation-performed\") and event.code:\"4662\" and\n winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or\n *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and\n not winlog.event_data.SubjectUserName:(*$ or MSOL_*)\n", "references": ["https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def", "setup": "## Setup\n\nThe 'Audit Directory Service Access' 
logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.006", "name": "DCSync", "reference": "https://attack.mitre.org/techniques/T1003/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 10}, "id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def_10", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_11.json b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_11.json
deleted file mode 100644
index 789857a3149..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_11.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", "from": "now-9m", "history_window_start": "now-15d", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "FirstTime Seen Account Performing DCSync", "new_terms_fields": ["winlog.event_data.SubjectUserName"], "note": "## Triage and analysis\n\n### Investigating FirstTime Seen Account Performing DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys that are used legitimately for creating tickets, but also for forging tickets by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. 
Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for when a Windows Event ID 4662 (Operation was performed on an Active Directory object) with the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set) is seen in the environment for the first time in the last 15 days.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect; investigate if this is part of a new Azure AD account setup, and ensure it is properly secured. 
If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. Investigate if this is part of a new product setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:(\"Directory Service Access\" or \"object-operation-performed\") and event.code:\"4662\" and\n winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or\n *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and\n not winlog.event_data.SubjectUserName:(*$ or MSOL_*)\n", "references": ["https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def", "setup": "## Setup\n\nThe 'Audit Directory Service Access' 
logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Resources: Investigation Guide", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.006", "name": "DCSync", "reference": "https://attack.mitre.org/techniques/T1003/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 11}, "id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def_11", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_12.json b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_12.json deleted file mode 100644 index 9f76474f677..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_12.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", "from": "now-9m", "history_window_start": "now-15d", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "FirstTime Seen Account Performing DCSync", "new_terms_fields": ["winlog.event_data.SubjectUserName"], "note": "## Triage and analysis\n\n### Investigating FirstTime Seen Account Performing DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys that are used legitimately for creating tickets, but also for forging tickets by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. 
Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for when a Windows Event ID 4662 (Operation was performed on an Active Directory object) with the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set) is seen in the environment for the first time in the last 15 days.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect; investigate if this is part of a new Azure AD account setup, and ensure it is properly secured. 
If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. Investigate if this is part of a new product setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:(\"Directory Service Access\" or \"object-operation-performed\") and event.code:\"4662\" and\n winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or\n *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and\n not winlog.event_data.SubjectUserName:(*$ or MSOL_*)\n", "references": ["https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def", "setup": "## Setup\n\nThe 'Audit Directory Service Access' 
logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Resources: Investigation Guide", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.006", "name": "DCSync", "reference": "https://attack.mitre.org/techniques/T1003/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 12}, "id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def_12", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_2.json b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_2.json deleted file mode 100644 index 505446e3f9f..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", "from": "now-9m", "history_window_start": "now-15d", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "FirstTime Seen Account Performing DCSync", "new_terms_fields": ["winlog.event_data.SubjectUserName"], "note": "", "query": "event.action:\"Directory Service Access\" and host.os.type:windows and event.code:\"4662\" and\n winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or\n *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and\n not winlog.event_data.SubjectUserName:(*$ or MSOL_*)\n", "references": ["https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", 
"type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def", "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.006", "name": "DCSync", "reference": "https://attack.mitre.org/techniques/T1003/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_3.json b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_3.json deleted file mode 100644 index 65f32763bee..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", "from": "now-9m", "history_window_start": "now-15d", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "FirstTime Seen Account Performing DCSync", "new_terms_fields": ["winlog.event_data.SubjectUserName"], "note": "", "query": "event.action:\"Directory Service Access\" and event.code:\"4662\" and\n winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or\n *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and\n not winlog.event_data.SubjectUserName:(*$ or MSOL_*)\n", "references": ["https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": 
"unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def", "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.006", "name": "DCSync", "reference": "https://attack.mitre.org/techniques/T1003/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 3}, "id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_4.json b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_4.json deleted file mode 100644 index 00529f94872..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", "from": "now-9m", "history_window_start": "now-15d", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "FirstTime Seen Account Performing DCSync", "new_terms_fields": ["winlog.event_data.SubjectUserName"], "note": "", "query": "event.action:\"Directory Service Access\" and event.code:\"4662\" and\n winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or\n *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and\n not winlog.event_data.SubjectUserName:(*$ or MSOL_*)\n", "references": ["https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": 
"unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def", "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.006", "name": "DCSync", "reference": "https://attack.mitre.org/techniques/T1003/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 4}, "id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_5.json b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_5.json deleted file mode 100644 index 2bb99eda84e..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", "from": "now-9m", "history_window_start": "now-15d", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "FirstTime Seen Account Performing DCSync", "new_terms_fields": ["winlog.event_data.SubjectUserName"], "note": "## Triage and analysis\n\n### Investigating FirstTime Seen Account Performing DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys that are used legitimately for creating tickets, but also for forging tickets by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. 
Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for when a Windows Event ID 4662 (Operation was performed on an Active Directory object) with the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set) is seen in the environment for the first time in the last 15 days.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect; investigate if this is part of a new Azure AD account setup, and ensure it is properly secured. 
If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. Investigate if this is part of a new product setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.action:\"Directory Service Access\" and event.code:\"4662\" and\n winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or\n *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and\n not winlog.event_data.SubjectUserName:(*$ or MSOL_*)\n", "references": ["https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def", "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, 
Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.006", "name": "DCSync", "reference": "https://attack.mitre.org/techniques/T1003/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 5}, "id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_6.json b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_6.json
deleted file mode 100644
index eba7f8b73d7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", "from": "now-9m", "history_window_start": "now-15d", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "FirstTime Seen Account Performing DCSync", "new_terms_fields": ["winlog.event_data.SubjectUserName"], "note": "## Triage and analysis\n\n### Investigating FirstTime Seen Account Performing DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys that are used legitimately for creating tickets, but also for forging tickets by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. 
Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for when a Windows Event ID 4662 (Operation was performed on an Active Directory object) with the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set) is seen in the environment for the first time in the last 15 days.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect; investigate if this is part of a new Azure AD account setup, and ensure it is properly secured. 
If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. Investigate if this is part of a new product setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.action:\"Directory Service Access\" and event.code:\"4662\" and\n winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or\n *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and\n not winlog.event_data.SubjectUserName:(*$ or MSOL_*)\n", "references": ["https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def", "setup": "The 'Audit Directory Service Access' logging policy must be configured for (Success, 
Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.006", "name": "DCSync", "reference": "https://attack.mitre.org/techniques/T1003/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 6}, "id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_7.json b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_7.json
deleted file mode 100644
index f4adc5d414a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", "from": "now-9m", "history_window_start": "now-15d", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "FirstTime Seen Account Performing DCSync", "new_terms_fields": ["winlog.event_data.SubjectUserName"], "note": "## Triage and analysis\n\n### Investigating FirstTime Seen Account Performing DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys that are used legitimately for creating tickets, but also for forging tickets by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. 
Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for when a Windows Event ID 4662 (Operation was performed on an Active Directory object) with the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set) is seen in the environment for the first time in the last 15 days.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect; investigate if this is part of a new Azure AD account setup, and ensure it is properly secured. 
If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. Investigate if this is part of a new product setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.action:\"Directory Service Access\" and event.code:\"4662\" and\n winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or\n *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and\n not winlog.event_data.SubjectUserName:(*$ or MSOL_*)\n", "references": ["https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def", "setup": "The 'Audit Directory Service Access' logging policy must be configured for (Success, 
Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.006", "name": "DCSync", "reference": "https://attack.mitre.org/techniques/T1003/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 7}, "id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_8.json b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_8.json
deleted file mode 100644
index 81c2edf0c07..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_8.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", "from": "now-9m", "history_window_start": "now-15d", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "FirstTime Seen Account Performing DCSync", "new_terms_fields": ["winlog.event_data.SubjectUserName"], "note": "## Triage and analysis\n\n### Investigating FirstTime Seen Account Performing DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys that are used legitimately for creating tickets, but also for forging tickets by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. 
Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for when a Windows Event ID 4662 (Operation was performed on an Active Directory object) with the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set) is seen in the environment for the first time in the last 15 days.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect; investigate if this is part of a new Azure AD account setup, and ensure it is properly secured. 
If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. Investigate if this is part of a new product setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.action:\"Directory Service Access\" and event.code:\"4662\" and\n winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or\n *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and\n not winlog.event_data.SubjectUserName:(*$ or MSOL_*)\n", "references": ["https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def", "setup": "\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, 
Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.006", "name": "DCSync", "reference": "https://attack.mitre.org/techniques/T1003/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 8}, "id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def_8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_9.json b/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_9.json
deleted file mode 100644
index bb5cb917e48..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5c6f4c58-b381-452a-8976-f1b1c6aa0def_9.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies when a User Account starts the Active Directory Replication Process for the first time. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", "from": "now-9m", "history_window_start": "now-15d", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "FirstTime Seen Account Performing DCSync", "new_terms_fields": ["winlog.event_data.SubjectUserName"], "note": "## Triage and analysis\n\n### Investigating FirstTime Seen Account Performing DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys that are used legitimately for creating tickets, but also for forging tickets by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. 
Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for when a Windows Event ID 4662 (Operation was performed on an Active Directory object) with the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set) is seen in the environment for the first time in the last 15 days.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect; investigate if this is part of a new Azure AD account setup, and ensure it is properly secured. 
If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. Investigate if this is part of a new product setup, and ensure it is properly secured. If the activity was expected and there is no other suspicious activity involving the host or user, the analyst can dismiss the alert.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.action:(\"Directory Service Access\" or \"object-operation-performed\") and event.code:\"4662\" and\n winlog.event_data.Properties:(*DS-Replication-Get-Changes* or *DS-Replication-Get-Changes-All* or\n *DS-Replication-Get-Changes-In-Filtered-Set* or *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2* or\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2* or *89e95b76-444d-4c62-991a-0facbeda640c*) and\n not winlog.event_data.SubjectUserName:(*$ or MSOL_*)\n", "references": ["https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def", "setup": "\nThe 'Audit Directory Service Access' logging 
policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.006", "name": "DCSync", "reference": "https://attack.mitre.org/techniques/T1003/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 9}, "id": "5c6f4c58-b381-452a-8976-f1b1c6aa0def_9", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5c81fc9d-1eae-437f-ba07-268472967013.json b/packages/security_detection_engine/kibana/security_rule/5c81fc9d-1eae-437f-ba07-268472967013.json
deleted file mode 100644
index fba5fd134da..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5c81fc9d-1eae-437f-ba07-268472967013.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Monitors kernel logs for segfault messages. A segfault, or segmentation fault, is an error that occurs when a program tries to access a memory location that it's not allowed to access, typically leading to program termination. A segfault can be an indication of malicious behavior if it results from attempts to exploit buffer overflows or other vulnerabilities in software to execute arbitrary code or disrupt its normal operation.", "from": "now-9m", "index": ["logs-system.syslog-*"], "language": "kuery", "license": "Elastic License v2", "name": "Segfault Detected", "query": "host.os.type:linux and event.dataset:\"system.syslog\" and process.name:kernel and message:segfault\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "5c81fc9d-1eae-437f-ba07-268472967013", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Filebeat\n\n### Filebeat Setup\n\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat for the Linux System:\n\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n\n- This rule requires the Filebeat System Module to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "5c81fc9d-1eae-437f-ba07-268472967013", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c.json b/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c.json
deleted file mode 100644
index 622acaa6cc2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting this pattern is indicative of a successful meterpreter shell connection.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Meterpreter Reverse Shell", "query": "sample by host.id, process.pid, user.id\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"open\" and auditd.data.a2 == \"1b6\" and file.path == \"/etc/machine-id\"]\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"open\" and auditd.data.a2 == \"1b6\" and file.path == \"/etc/passwd\"]\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"open\" and auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/route\"]\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"open\" and auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/ipv6_route\"]\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"open\" and auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/if_inet6\"]\n", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a2", "type": "unknown"}, {"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "5c895b4f-9133-4e68-9e23-59902175355c", "setup": "## Setup\n\nThis rule requires data coming in from one of the following 
integrations:\n- Auditbeat\n- Auditd Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -w /proc/net/ -p r -k audit_proc\n -w /etc/machine-id -p wa -k machineid\n -w /etc/passwd -p wa -k passwd\n", "severity": "medium", "tags": ["Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting 
Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "5c895b4f-9133-4e68-9e23-59902175355c", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_1.json b/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_1.json
deleted file mode 100644
index e1533a7bb02..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting this pattern is indicative of a successful meterpreter shell connection.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Meterpreter Reverse Shell", "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. 
\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /proc/net/ -p r -k audit_proc\n-w /etc/machine-id -p wa -k machineid\n-w /etc/passwd -p wa -k passwd\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "sample by host.id, process.pid, user.id\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and \n auditd.data.a2 == \"1b6\" and file.path == \"/etc/machine-id\"]\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and\n auditd.data.a2 == \"1b6\" and file.path == \"/etc/passwd\"]\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and \n auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/route\"]\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and\n auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/ipv6_route\"]\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and\n auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/if_inet6\"]\n", "related_integrations": [{"integration": "auditd", "package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a2", "type": "unknown"}, {"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], 
"risk_score": 47, "rule_id": "5c895b4f-9133-4e68-9e23-59902175355c", "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /proc/net/ -p r -k audit_proc\n-w /etc/machine-id -p wa -k machineid\n-w /etc/passwd -p wa -k passwd\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix 
Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "5c895b4f-9133-4e68-9e23-59902175355c_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_2.json b/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_2.json
deleted file mode 100644
index caab9d7a194..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting this pattern is indicative of a successful meterpreter shell connection.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Meterpreter Reverse Shell", "query": "sample by host.id, process.pid, user.id\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and \n auditd.data.a2 == \"1b6\" and file.path == \"/etc/machine-id\"]\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and\n auditd.data.a2 == \"1b6\" and file.path == \"/etc/passwd\"]\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and \n auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/route\"]\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and\n auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/ipv6_route\"]\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and\n auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/if_inet6\"]\n", "related_integrations": [{"integration": "auditd", "package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a2", "type": "unknown"}, {"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, 
{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "5c895b4f-9133-4e68-9e23-59902175355c", "setup": "\nThis rule requires data coming in either from Auditbeat integration, or Auditd Manager integration.\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Auditd Manager and select the integration to see more details about it.\n- Click Add Auditd Manager.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed `auditd manager` to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click Save and Continue.\n- For more details on the integeration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -w /proc/net/ -p r -k audit_proc\n -w /etc/machine-id -p wa -k machineid\n -w /etc/passwd -p wa -k passwd\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": 
[{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "5c895b4f-9133-4e68-9e23-59902175355c_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_3.json b/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_3.json
deleted file mode 100644
index d056b3b51a5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting this pattern is indicative of a successful meterpreter shell connection.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Meterpreter Reverse Shell", "query": "sample by host.id, process.pid, user.id\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and \n auditd.data.a2 == \"1b6\" and file.path == \"/etc/machine-id\"]\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and\n auditd.data.a2 == \"1b6\" and file.path == \"/etc/passwd\"]\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and \n auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/route\"]\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and\n auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/ipv6_route\"]\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and\n auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/if_inet6\"]\n", "related_integrations": [{"integration": "auditd", "package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a2", "type": "unknown"}, {"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, 
{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "5c895b4f-9133-4e68-9e23-59902175355c", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Auditd Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the 
auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -w /proc/net/ -p r -k audit_proc\n -w /etc/machine-id -p wa -k machineid\n -w /etc/passwd -p wa -k passwd\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", 
"reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "5c895b4f-9133-4e68-9e23-59902175355c_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_4.json b/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_4.json deleted file mode 100644 index 28686a1c6d4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting this pattern is indicative of a successful meterpreter shell connection.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Meterpreter Reverse Shell", "query": "sample by host.id, process.pid, user.id\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and \n auditd.data.a2 == \"1b6\" and file.path == \"/etc/machine-id\"]\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and\n auditd.data.a2 == \"1b6\" and file.path == \"/etc/passwd\"]\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and \n auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/route\"]\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and\n auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/ipv6_route\"]\n[file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and auditd.data.syscall == \"open\" and\n auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/if_inet6\"]\n", "related_integrations": [{"integration": "auditd", "package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a2", "type": "unknown"}, {"ecs": false, "name": "auditd.data.syscall", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, 
{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "5c895b4f-9133-4e68-9e23-59902175355c", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Auditd Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the 
auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -w /proc/net/ -p r -k audit_proc\n -w /etc/machine-id -p wa -k machineid\n -w /etc/passwd -p wa -k passwd\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", 
"reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "5c895b4f-9133-4e68-9e23-59902175355c_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_5.json b/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_5.json deleted file mode 100644 index 9b653dbf1ae..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting this pattern is indicative of a successful meterpreter shell connection.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Meterpreter Reverse Shell", "query": "sample by host.id, process.pid, user.id\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"open\" and auditd.data.a2 == \"1b6\" and file.path == \"/etc/machine-id\"]\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"open\" and auditd.data.a2 == \"1b6\" and file.path == \"/etc/passwd\"]\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"open\" and auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/route\"]\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"open\" and auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/ipv6_route\"]\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"open\" and auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/if_inet6\"]\n", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a2", "type": "unknown"}, {"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "5c895b4f-9133-4e68-9e23-59902175355c", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- 
Auditbeat\n- Auditd Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -w /proc/net/ -p r -k audit_proc\n -w /etc/machine-id -p wa -k machineid\n -w /etc/passwd -p wa -k passwd\n\n", "severity": "medium", "tags": ["Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting 
Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "5c895b4f-9133-4e68-9e23-59902175355c_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_6.json b/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_6.json deleted file mode 100644 index 67dcdcca345..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5c895b4f-9133-4e68-9e23-59902175355c_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies a sample of suspicious Linux system file reads used for system fingerprinting, leveraged by the Metasploit Meterpreter shell to gather information about the target that it is executing its shell on. Detecting this pattern is indicative of a successful meterpreter shell connection.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Meterpreter Reverse Shell", "query": "sample by host.id, process.pid, user.id\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"open\" and auditd.data.a2 == \"1b6\" and file.path == \"/etc/machine-id\"]\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"open\" and auditd.data.a2 == \"1b6\" and file.path == \"/etc/passwd\"]\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"open\" and auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/route\"]\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"open\" and auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/ipv6_route\"]\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"open\" and auditd.data.a2 == \"1b6\" and file.path == \"/proc/net/if_inet6\"]\n", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a2", "type": "unknown"}, {"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "5c895b4f-9133-4e68-9e23-59902175355c", "setup": "## Setup\n\nThis rule requires data coming in from one of the following 
integrations:\n- Auditbeat\n- Auditd Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -w /proc/net/ -p r -k audit_proc\n -w /etc/machine-id -p wa -k machineid\n -w /etc/passwd -p wa -k passwd\n", "severity": "medium", "tags": ["Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting 
Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "5c895b4f-9133-4e68-9e23-59902175355c_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b.json b/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b.json deleted file mode 100644 index 92985aad160..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system process discovery in order to increase their understanding of software applications running on a target host or network. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.", "false_positives": ["Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_system_process_discovery"], "name": "Unusual Linux Process Discovery Activity", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "5c983105-4681-46c3-9890-0c66d05e776b", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], "type": "machine_learning", "version": 104}, "id": "5c983105-4681-46c3-9890-0c66d05e776b", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_101.json b/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_101.json deleted file mode 100644 index 6dd1d77e07c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_101.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system process discovery in order to increase their understanding of software applications running on a target host or network. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.", "false_positives": ["Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_system_process_discovery"], "name": "Unusual Linux Process Discovery Activity", "risk_score": 21, "rule_id": "5c983105-4681-46c3-9890-0c66d05e776b", "severity": "low", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], "type": "machine_learning", "version": 101}, "id": "5c983105-4681-46c3-9890-0c66d05e776b_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_102.json b/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_102.json
deleted file mode 100644
index 6d0f761f86d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system process discovery in order to increase their understanding of software applications running on a target host or network. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.", "false_positives": ["Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_system_process_discovery"], "name": "Unusual Linux Process Discovery Activity", "risk_score": 21, "rule_id": "5c983105-4681-46c3-9890-0c66d05e776b", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], "type": "machine_learning", "version": 102}, "id": "5c983105-4681-46c3-9890-0c66d05e776b_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_103.json b/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_103.json
deleted file mode 100644
index 6c70631782b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5c983105-4681-46c3-9890-0c66d05e776b_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Looks for commands related to system process discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system process discovery in order to increase their understanding of software applications running on a target host or network. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.", "false_positives": ["Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_system_process_discovery"], "name": "Unusual Linux Process Discovery Activity", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "5c983105-4681-46c3-9890-0c66d05e776b", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], "type": "machine_learning", "version": 103}, "id": "5c983105-4681-46c3-9890-0c66d05e776b_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0.json b/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0.json
deleted file mode 100644
index c708b826b1d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of chroot, mount --bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot to expand the scope of their operations to multiple Linux distributions and simplify their necessary efforts. In a normal threat scenario, the scope of an attack is limited by the varying configurations of each Linux distribution. With PRoot, it provides an attacker with a consistent operational environment across different Linux distributions, such as Ubuntu, Fedora, and Alpine. PRoot also provides emulation capabilities that allow for malware built on other architectures, such as ARM, to be run.The post-exploitation technique called bring your own filesystem (BYOF), can be used by the threat actors to execute malicious payload or elevate privileges or perform network scans or orchestrate another attack on the environment. Although PRoot was originally not developed with malicious intent it can be easily tuned to work for one.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Defense Evasion via PRoot", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.parent.name == \"proot\"\n", "references": ["https://proot-me.github.io/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration 
Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1211", "name": "Exploitation for Defense Evasion", "reference": "https://attack.mitre.org/techniques/T1211/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_1.json b/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_1.json
deleted file mode 100644
index e161533682e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of chroot, mount --bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot to expand the scope of their operations to multiple Linux distributions and simplify their necessary efforts. In a normal threat scenario, the scope of an attack is limited by the varying configurations of each Linux distribution. With PRoot, it provides an attacker with a consistent operational environment across different Linux distributions, such as Ubuntu, Fedora, and Alpine. PRoot also provides emulation capabilities that allow for malware built on other architectures, such as ARM, to be run.The post-exploitation technique called bring your own filesystem (BYOF), can be used by the threat actors to execute malicious payload or elevate privileges or perform network scans or orchestrate another attack on the environment. Although PRoot was originally not developed with malicious intent it can be easily tuned to work for one.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Defense Evasion via PRoot", "query": "process where event.action == \"exec\" and process.parent.name ==\"proot\" and host.os.type == \"linux\"\n", "references": ["https://proot-me.github.io/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1211", "name": "Exploitation for Defense Evasion", "reference": "https://attack.mitre.org/techniques/T1211/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_2.json b/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_2.json
deleted file mode 100644
index 1b88c909ae0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of chroot, mount --bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot to expand the scope of their operations to multiple Linux distributions and simplify their necessary efforts. In a normal threat scenario, the scope of an attack is limited by the varying configurations of each Linux distribution. With PRoot, it provides an attacker with a consistent operational environment across different Linux distributions, such as Ubuntu, Fedora, and Alpine. PRoot also provides emulation capabilities that allow for malware built on other architectures, such as ARM, to be run.The post-exploitation technique called bring your own filesystem (BYOF), can be used by the threat actors to execute malicious payload or elevate privileges or perform network scans or orchestrate another attack on the environment. Although PRoot was originally not developed with malicious intent it can be easily tuned to work for one.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Defense Evasion via PRoot", "query": "process where event.action == \"exec\" and process.parent.name ==\"proot\" and host.os.type == \"linux\"\n", "references": ["https://proot-me.github.io/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1211", "name": "Exploitation for Defense Evasion", "reference": "https://attack.mitre.org/techniques/T1211/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_3.json b/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_3.json
deleted file mode 100644
index f4ca7c09870..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of chroot, mount --bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot to expand the scope of their operations to multiple Linux distributions and simplify their necessary efforts. In a normal threat scenario, the scope of an attack is limited by the varying configurations of each Linux distribution. With PRoot, it provides an attacker with a consistent operational environment across different Linux distributions, such as Ubuntu, Fedora, and Alpine. PRoot also provides emulation capabilities that allow for malware built on other architectures, such as ARM, to be run.The post-exploitation technique called bring your own filesystem (BYOF), can be used by the threat actors to execute malicious payload or elevate privileges or perform network scans or orchestrate another attack on the environment. Although PRoot was originally not developed with malicious intent it can be easily tuned to work for one.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Defense Evasion via PRoot", "query": "process where event.action == \"exec\" and process.parent.name ==\"proot\" and host.os.type == \"linux\"\n", "references": ["https://proot-me.github.io/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": 
"Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1211", "name": "Exploitation for Defense Evasion", "reference": "https://attack.mitre.org/techniques/T1211/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_4.json b/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_4.json
deleted file mode 100644
index e46bab49cc0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of chroot, mount --bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot to expand the scope of their operations to multiple Linux distributions and simplify their necessary efforts. In a normal threat scenario, the scope of an attack is limited by the varying configurations of each Linux distribution. With PRoot, it provides an attacker with a consistent operational environment across different Linux distributions, such as Ubuntu, Fedora, and Alpine. PRoot also provides emulation capabilities that allow for malware built on other architectures, such as ARM, to be run.The post-exploitation technique called bring your own filesystem (BYOF), can be used by the threat actors to execute malicious payload or elevate privileges or perform network scans or orchestrate another attack on the environment. Although PRoot was originally not developed with malicious intent it can be easily tuned to work for one.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Defense Evasion via PRoot", "query": "process where event.action == \"exec\" and process.parent.name ==\"proot\" and host.os.type == \"linux\"\n", "references": ["https://proot-me.github.io/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1211", "name": "Exploitation for Defense Evasion", "reference": "https://attack.mitre.org/techniques/T1211/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_5.json b/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_5.json
deleted file mode 100644
index 7d0a83e4fac..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of chroot, mount --bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot to expand the scope of their operations to multiple Linux distributions and simplify their necessary efforts. In a normal threat scenario, the scope of an attack is limited by the varying configurations of each Linux distribution. With PRoot, it provides an attacker with a consistent operational environment across different Linux distributions, such as Ubuntu, Fedora, and Alpine. PRoot also provides emulation capabilities that allow for malware built on other architectures, such as ARM, to be run.The post-exploitation technique called bring your own filesystem (BYOF), can be used by the threat actors to execute malicious payload or elevate privileges or perform network scans or orchestrate another attack on the environment. Although PRoot was originally not developed with malicious intent it can be easily tuned to work for one.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Defense Evasion via PRoot", "query": "process where event.action == \"exec\" and process.parent.name ==\"proot\" and host.os.type == \"linux\"\n", "references": ["https://proot-me.github.io/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1211", "name": "Exploitation for Defense Evasion", "reference": "https://attack.mitre.org/techniques/T1211/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_6.json b/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_6.json
deleted file mode 100644
index 18d238588e3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the PRoot utility, an open-source tool for user-space implementation of chroot, mount --bind, and binfmt_misc. Adversaries can leverage an open-source tool PRoot to expand the scope of their operations to multiple Linux distributions and simplify their necessary efforts. In a normal threat scenario, the scope of an attack is limited by the varying configurations of each Linux distribution. With PRoot, it provides an attacker with a consistent operational environment across different Linux distributions, such as Ubuntu, Fedora, and Alpine. PRoot also provides emulation capabilities that allow for malware built on other architectures, such as ARM, to be run.The post-exploitation technique called bring your own filesystem (BYOF), can be used by the threat actors to execute malicious payload or elevate privileges or perform network scans or orchestrate another attack on the environment. Although PRoot was originally not developed with malicious intent it can be easily tuned to work for one.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Defense Evasion via PRoot", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and process.parent.name == \"proot\"\n", "references": ["https://proot-me.github.io/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1211", "name": "Exploitation for Defense Evasion", "reference": "https://attack.mitre.org/techniques/T1211/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded.json b/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded.json
deleted file mode 100644
index bc51bbed9a6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.library-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Outbound Scheduled Task Activity via PowerShell", "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [network where host.os.type == \"windows\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and destination.port == 135 and not destination.address in (\"127.0.0.1\", \"::1\")]\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.address", "type": "keyword"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5cd55388-a19c-47c7-8ec4-f41656c2fded", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "type": "eql", "version": 108}, "id": "5cd55388-a19c-47c7-8ec4-f41656c2fded", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_102.json b/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_102.json deleted file mode 100644 index 3c3bd8a3963..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_102.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Outbound Scheduled Task Activity via PowerShell", "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [network where host.os.type == \"windows\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and destination.port == 135 and not destination.address in (\"127.0.0.1\", \"::1\")]\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.address", "type": "keyword"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}], "risk_score": 47, "rule_id": "5cd55388-a19c-47c7-8ec4-f41656c2fded", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 102}, "id": "5cd55388-a19c-47c7-8ec4-f41656c2fded_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_103.json b/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_103.json deleted file mode 100644 index 720c7bbeb1d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_103.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Outbound Scheduled Task Activity via PowerShell", "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [network where host.os.type == \"windows\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and destination.port == 135 and not destination.address in (\"127.0.0.1\", \"::1\")]\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.address", "type": "keyword"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}], "risk_score": 47, "rule_id": "5cd55388-a19c-47c7-8ec4-f41656c2fded", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 103}, "id": "5cd55388-a19c-47c7-8ec4-f41656c2fded_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_104.json b/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_104.json deleted file mode 100644 index 6924682c3f4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Outbound Scheduled Task Activity via PowerShell", "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [network where host.os.type == \"windows\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and destination.port == 135 and not destination.address in (\"127.0.0.1\", \"::1\")]\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.address", "type": "keyword"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}], "risk_score": 47, "rule_id": "5cd55388-a19c-47c7-8ec4-f41656c2fded", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 104}, "id": "5cd55388-a19c-47c7-8ec4-f41656c2fded_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_105.json b/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_105.json deleted file mode 100644 index 082a7271ddf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Outbound Scheduled Task Activity via PowerShell", "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [network where host.os.type == \"windows\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and destination.port == 135 and not destination.address in (\"127.0.0.1\", \"::1\")]\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.address", "type": "keyword"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}], "risk_score": 47, "rule_id": "5cd55388-a19c-47c7-8ec4-f41656c2fded", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "type": "eql", "version": 105}, "id": "5cd55388-a19c-47c7-8ec4-f41656c2fded_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_106.json b/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_106.json deleted file mode 100644 index 8b6d3c1de7f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_106.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Outbound Scheduled Task Activity via PowerShell", "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [network where host.os.type == \"windows\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and destination.port == 135 and not destination.ip in (\"127.0.0.1\", \"::1\")]\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5cd55388-a19c-47c7-8ec4-f41656c2fded", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "type": "eql", "version": 106}, "id": "5cd55388-a19c-47c7-8ec4-f41656c2fded_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_107.json b/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_107.json deleted file mode 100644 index ee8bcccc360..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_107.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Outbound Scheduled Task Activity via PowerShell", "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [network where host.os.type == \"windows\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and destination.port == 135 and not destination.address in (\"127.0.0.1\", \"::1\")]\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.address", "type": "keyword"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, 
"name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5cd55388-a19c-47c7-8ec4-f41656c2fded", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "type": "eql", "version": 107}, "id": "5cd55388-a19c-47c7-8ec4-f41656c2fded_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_108.json b/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_108.json deleted file mode 100644 index 0581cc224b5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_108.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.library-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Outbound Scheduled Task Activity via PowerShell", "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [network where host.os.type == \"windows\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and destination.port == 135 and not destination.address in (\"127.0.0.1\", \"::1\")]\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.address", "type": "keyword"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5cd55388-a19c-47c7-8ec4-f41656c2fded", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "type": "eql", "version": 108}, "id": "5cd55388-a19c-47c7-8ec4-f41656c2fded_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_109.json b/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_109.json deleted file mode 100644 index bfb198ef96a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5cd55388-a19c-47c7-8ec4-f41656c2fded_109.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the PowerShell process loading the Task Scheduler COM DLL followed by an outbound RPC network connection within a short time period. This may indicate lateral movement or remote discovery via scheduled tasks.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.library-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Outbound Scheduled Task Activity via PowerShell", "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [network where host.os.type == \"windows\" and process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and destination.port == 135 and not destination.address in (\"127.0.0.1\", \"::1\")]\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.address", "type": "keyword"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, 
{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5cd55388-a19c-47c7-8ec4-f41656c2fded", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "type": "eql", "version": 109}, "id": "5cd55388-a19c-47c7-8ec4-f41656c2fded_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae.json b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae.json deleted file mode 100644 index 4a609857f37..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Skoetting"], "description": "Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "User Added to Privileged Group", "note": "## Triage and analysis\n\n### Investigating User Added to Privileged Group in Active Directory\n\nPrivileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.\n\nAttackers can add users to privileged groups to maintain a level of access if their other privileged accounts are uncovered by the security team. 
This allows them to keep operating after the security team discovers abused accounts.\n\nThis rule monitors events related to a user being added to a privileged group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should manage members of this group.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This attack abuses a legitimate Active Directory mechanism, so it is important to determine whether the activity is legitimate, if the administrator is authorized to perform this operation, and if there is a need to grant the account this level of privilege.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the admin is not aware of the operation, activate your Active Directory incident response plan.\n- If the user does not need the administrator privileges, remove the account from the privileged group.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "iam where winlog.api == \"wineventlog\" and event.action == \"added-member-to-group\" and\n(\n (\n group.name : (\n \"Admin*\",\n \"Local Administrators\",\n \"Domain Admins\",\n \"Enterprise Admins\",\n \"Backup Admins\",\n \"Schema Admins\",\n \"DnsAdmins\",\n \"Exchange Organization Administrators\",\n \"Print Operators\",\n \"Server Operators\",\n \"Account Operators\"\n )\n ) or\n (\n group.id : (\n \"S-1-5-32-544\",\n \"S-1-5-21-*-544\",\n \"S-1-5-21-*-512\",\n \"S-1-5-21-*-519\",\n \"S-1-5-21-*-551\",\n \"S-1-5-21-*-518\",\n 
\"S-1-5-21-*-1101\",\n \"S-1-5-21-*-1102\",\n \"S-1-5-21-*-550\",\n \"S-1-5-21-*-549\",\n \"S-1-5-21-*-548\"\n )\n )\n)\n", "references": ["https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "group.id", "type": "keyword"}, {"ecs": true, "name": "group.name", "type": "keyword"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}], "risk_score": 47, "rule_id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_105.json b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_105.json
deleted file mode 100644
index 20cdbfbe5aa..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_105.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Skoetting"], "description": "Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "User Added to Privileged Group", "note": "## Triage and analysis\n\n### Investigating User Added to Privileged Group in Active Directory\n\nPrivileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.\n\nAttackers can add users to privileged groups to maintain a level of access if their other privileged accounts are uncovered by the security team. 
This allows them to keep operating after the security team discovers abused accounts.\n\nThis rule monitors events related to a user being added to a privileged group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should manage members of this group.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This attack abuses a legitimate Active Directory mechanism, so it is important to determine whether the activity is legitimate, if the administrator is authorized to perform this operation, and if there is a need to grant the account this level of privilege.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the admin is not aware of the operation, activate your Active Directory incident response plan.\n- If the user does not need the administrator privileges, remove the account from the privileged group.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "iam where host.os.type == \"windows\" and event.action == \"added-member-to-group\" and\n group.name : (\"Admin*\",\n \"Local Administrators\",\n \"Domain Admins\",\n \"Enterprise Admins\",\n \"Backup Admins\",\n \"Schema Admins\",\n \"DnsAdmins\",\n \"Exchange Organization Administrators\")\n", "references": ["https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, 
{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "group.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_106.json b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_106.json deleted file mode 100644 index e34c416bfbd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_106.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Skoetting"], "description": "Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "User Added to Privileged Group", "note": "## Triage and analysis\n\n### Investigating User Added to Privileged Group in Active Directory\n\nPrivileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.\n\nAttackers can add users to privileged groups to maintain a level of access if their other privileged accounts are uncovered by the security team. 
This allows them to keep operating after the security team discovers abused accounts.\n\nThis rule monitors events related to a user being added to a privileged group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should manage members of this group.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This attack abuses a legitimate Active Directory mechanism, so it is important to determine whether the activity is legitimate, if the administrator is authorized to perform this operation, and if there is a need to grant the account this level of privilege.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the admin is not aware of the operation, activate your Active Directory incident response plan.\n- If the user does not need the administrator privileges, remove the account from the privileged group.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "iam where winlog.api:\"wineventlog\" and event.action == \"added-member-to-group\" and\n group.name : (\"Admin*\",\n \"Local Administrators\",\n \"Domain Admins\",\n \"Enterprise Admins\",\n \"Backup Admins\",\n \"Schema Admins\",\n \"DnsAdmins\",\n \"Exchange Organization Administrators\")\n", "references": ["https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, 
{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "group.name", "type": "keyword"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}], "risk_score": 47, "rule_id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_107.json b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_107.json deleted file mode 100644 index 9970ad26db7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_107.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Skoetting"], "description": "Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "User Added to Privileged Group", "note": "## Triage and analysis\n\n### Investigating User Added to Privileged Group in Active Directory\n\nPrivileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.\n\nAttackers can add users to privileged groups to maintain a level of access if their other privileged accounts are uncovered by the security team. 
This allows them to keep operating after the security team discovers abused accounts.\n\nThis rule monitors events related to a user being added to a privileged group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should manage members of this group.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This attack abuses a legitimate Active Directory mechanism, so it is important to determine whether the activity is legitimate, if the administrator is authorized to perform this operation, and if there is a need to grant the account this level of privilege.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the admin is not aware of the operation, activate your Active Directory incident response plan.\n- If the user does not need the administrator privileges, remove the account from the privileged group.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "iam where winlog.api:\"wineventlog\" and event.action == \"added-member-to-group\" and\n group.name : (\"Admin*\",\n \"Local Administrators\",\n \"Domain Admins\",\n \"Enterprise Admins\",\n \"Backup Admins\",\n \"Schema Admins\",\n \"DnsAdmins\",\n \"Exchange Organization Administrators\")\n", "references": ["https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, 
{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "group.name", "type": "keyword"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}], "risk_score": 47, "rule_id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_108.json b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_108.json deleted file mode 100644 index 93d13ac45da..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_108.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Skoetting"], "description": "Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "User Added to Privileged Group", "note": "## Triage and analysis\n\n### Investigating User Added to Privileged Group in Active Directory\n\nPrivileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.\n\nAttackers can add users to privileged groups to maintain a level of access if their other privileged accounts are uncovered by the security team. 
This allows them to keep operating after the security team discovers abused accounts.\n\nThis rule monitors events related to a user being added to a privileged group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should manage members of this group.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This attack abuses a legitimate Active Directory mechanism, so it is important to determine whether the activity is legitimate, if the administrator is authorized to perform this operation, and if there is a need to grant the account this level of privilege.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the admin is not aware of the operation, activate your Active Directory incident response plan.\n- If the user does not need the administrator privileges, remove the account from the privileged group.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "iam where winlog.api:\"wineventlog\" and event.action == \"added-member-to-group\" and\n group.name : (\"Admin*\",\n \"Local Administrators\",\n \"Domain Admins\",\n \"Enterprise Admins\",\n \"Backup Admins\",\n \"Schema Admins\",\n \"DnsAdmins\",\n \"Exchange Organization Administrators\")\n", "references": ["https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, 
{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "group.name", "type": "keyword"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}], "risk_score": 47, "rule_id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_109.json b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_109.json deleted file mode 100644 index cef44c40022..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_109.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Skoetting"], "description": "Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "User Added to Privileged Group", "note": "## Triage and analysis\n\n### Investigating User Added to Privileged Group in Active Directory\n\nPrivileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.\n\nAttackers can add users to privileged groups to maintain a level of access if their other privileged accounts are uncovered by the security team. 
This allows them to keep operating after the security team discovers abused accounts.\n\nThis rule monitors events related to a user being added to a privileged group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should manage members of this group.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This attack abuses a legitimate Active Directory mechanism, so it is important to determine whether the activity is legitimate, if the administrator is authorized to perform this operation, and if there is a need to grant the account this level of privilege.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the admin is not aware of the operation, activate your Active Directory incident response plan.\n- If the user does not need the administrator privileges, remove the account from the privileged group.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "iam where winlog.api:\"wineventlog\" and event.action == \"added-member-to-group\" and\n group.name : (\"Admin*\",\n \"Local Administrators\",\n \"Domain Admins\",\n \"Enterprise Admins\",\n \"Backup Admins\",\n \"Schema Admins\",\n \"DnsAdmins\",\n \"Exchange Organization Administrators\")\n", "references": ["https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, 
{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "group.name", "type": "keyword"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}], "risk_score": 47, "rule_id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_110.json b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_110.json deleted file mode 100644 index 07ea7b70392..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Skoetting"], "description": "Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "User Added to Privileged Group", "note": "## Triage and analysis\n\n### Investigating User Added to Privileged Group in Active Directory\n\nPrivileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.\n\nAttackers can add users to privileged groups to maintain a level of access if their other privileged accounts are uncovered by the security team. 
This allows them to keep operating after the security team discovers abused accounts.\n\nThis rule monitors events related to a user being added to a privileged group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should manage members of this group.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This attack abuses a legitimate Active Directory mechanism, so it is important to determine whether the activity is legitimate, if the administrator is authorized to perform this operation, and if there is a need to grant the account this level of privilege.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the admin is not aware of the operation, activate your Active Directory incident response plan.\n- If the user does not need the administrator privileges, remove the account from the privileged group.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "iam where winlog.api == \"wineventlog\" and event.action == \"added-member-to-group\" and\n(\n (\n group.name : (\n \"Admin*\",\n \"Local Administrators\",\n \"Domain Admins\",\n \"Enterprise Admins\",\n \"Backup Admins\",\n \"Schema Admins\",\n \"DnsAdmins\",\n \"Exchange Organization Administrators\",\n \"Print Operators\",\n \"Server Operators\",\n \"Account Operators\"\n )\n ) or\n (\n group.id : (\n \"S-1-5-32-544\",\n \"S-1-5-21-*-544\",\n \"S-1-5-21-*-512\",\n \"S-1-5-21-*-519\",\n \"S-1-5-21-*-551\",\n \"S-1-5-21-*-518\",\n 
\"S-1-5-21-*-1101\",\n \"S-1-5-21-*-1102\",\n \"S-1-5-21-*-550\",\n \"S-1-5-21-*-549\",\n \"S-1-5-21-*-548\"\n )\n )\n)\n", "references": ["https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "group.id", "type": "keyword"}, {"ecs": true, "name": "group.name", "type": "keyword"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}], "risk_score": 47, "rule_id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_110", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_111.json b/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_111.json
deleted file mode 100644
index 6a4a1bc3d9d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Skoetting"], "description": "Identifies a user being added to a privileged group in Active Directory. Privileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "User Added to Privileged Group", "note": "## Triage and analysis\n\n### Investigating User Added to Privileged Group in Active Directory\n\nPrivileged accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.\n\nAttackers can add users to privileged groups to maintain a level of access if their other privileged accounts are uncovered by the security team. 
This allows them to keep operating after the security team discovers abused accounts.\n\nThis rule monitors events related to a user being added to a privileged group.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should manage members of this group.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This attack abuses a legitimate Active Directory mechanism, so it is important to determine whether the activity is legitimate, if the administrator is authorized to perform this operation, and if there is a need to grant the account this level of privilege.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the admin is not aware of the operation, activate your Active Directory incident response plan.\n- If the user does not need the administrator privileges, remove the account from the privileged group.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "iam where winlog.api == \"wineventlog\" and event.action == \"added-member-to-group\" and\n(\n (\n group.name : (\n \"Admin*\",\n \"Local Administrators\",\n \"Domain Admins\",\n \"Enterprise Admins\",\n \"Backup Admins\",\n \"Schema Admins\",\n \"DnsAdmins\",\n \"Exchange Organization Administrators\",\n \"Print Operators\",\n \"Server Operators\",\n \"Account Operators\"\n )\n ) or\n (\n group.id : (\n \"S-1-5-32-544\",\n \"S-1-5-21-*-544\",\n \"S-1-5-21-*-512\",\n \"S-1-5-21-*-519\",\n \"S-1-5-21-*-551\",\n \"S-1-5-21-*-518\",\n 
\"S-1-5-21-*-1101\",\n \"S-1-5-21-*-1102\",\n \"S-1-5-21-*-550\",\n \"S-1-5-21-*-549\",\n \"S-1-5-21-*-548\"\n )\n )\n)\n", "references": ["https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "group.id", "type": "keyword"}, {"ecs": true, "name": "group.name", "type": "keyword"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}], "risk_score": 47, "rule_id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae_111", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31.json b/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31.json
deleted file mode 100644
index 1412d4d6c85..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a PowerShell profile. PowerShell profile is a script that is executed when PowerShell starts to customize the user environment, which can be abused by attackers to persist in a environment where PowerShell is common.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via PowerShell profile", "note": "## Triage and analysis\n\n### Investigating Persistence via PowerShell profile\n\nPowerShell profiles are scripts executed when PowerShell starts, customizing the user environment. They are commonly used in Windows environments for legitimate purposes, such as setting variables or loading modules. However, adversaries can abuse PowerShell profiles to establish persistence by inserting malicious code that executes each time PowerShell is launched.\n\nThis rule identifies the creation or modification of a PowerShell profile. It does this by monitoring file events on Windows systems, specifically targeting profile-related file paths and names, such as `profile.ps1` and `Microsoft.Powershell_profile.ps1`. By detecting these activities, security analysts can investigate potential abuse of PowerShell profiles for malicious persistence.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Retrive and inspect the PowerShell profile content; look for suspicious DLL imports, collection or persistence capabilities, suspicious functions, encoded or compressed data, suspicious commands, and other potentially malicious characteristics.\n- Identify the process responsible for the PowerShell profile creation/modification. Use the Elastic Defend events to examine all the activity of the subject process by filtering by the process's `process.entity_id`.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command-line logs that indicate that any suspicious command or function were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account 
FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This is a dual-use mechanism, meaning its usage is not inherently malicious. Analysts can dismiss the alert if the script doesn't contain malicious functions or potential for abuse, no other suspicious activity was identified, and the user has business justifications to use PowerShell.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or 
similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n - Consider enabling and collecting PowerShell logs such as transcription, module, and script block logging, to improve visibility into PowerShell activities.\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : (\"?:\\\\Users\\\\*\\\\Documents\\\\WindowsPowerShell\\\\*\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\PowerShell\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\*\") and\n file.name : (\"profile.ps1\", \"Microsoft.Powershell_profile.ps1\")\n", "references": ["https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles", "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "5cf6397e-eb91-4f31-8951-9f0eaa755a31", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic 
Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.013", "name": "PowerShell Profile", "reference": "https://attack.mitre.org/techniques/T1546/013/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.013", "name": "PowerShell Profile", "reference": "https://attack.mitre.org/techniques/T1546/013/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 9}, "id": "5cf6397e-eb91-4f31-8951-9f0eaa755a31", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_3.json b/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_3.json
deleted file mode 100644
index 1412065adfc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a PowerShell profile. PowerShell profile is a script that is executed when PowerShell starts to customize the user environment, which can be abused by attackers to persist in a environment where PowerShell is common.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via PowerShell profile", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : (\"?:\\\\Users\\\\*\\\\Documents\\\\WindowsPowerShell\\\\*\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\PowerShell\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\*\") and\n file.name : (\"profile.ps1\", \"Microsoft.Powershell_profile.ps1\")\n", "references": ["https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles", "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "5cf6397e-eb91-4f31-8951-9f0eaa755a31", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.013", "name": "PowerShell Profile", "reference": 
"https://attack.mitre.org/techniques/T1546/013/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "5cf6397e-eb91-4f31-8951-9f0eaa755a31_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_4.json b/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_4.json
deleted file mode 100644
index df10724e08f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a PowerShell profile. PowerShell profile is a script that is executed when PowerShell starts to customize the user environment, which can be abused by attackers to persist in a environment where PowerShell is common.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via PowerShell profile", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : (\"?:\\\\Users\\\\*\\\\Documents\\\\WindowsPowerShell\\\\*\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\PowerShell\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\*\") and\n file.name : (\"profile.ps1\", \"Microsoft.Powershell_profile.ps1\")\n", "references": ["https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles", "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "5cf6397e-eb91-4f31-8951-9f0eaa755a31", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.013", "name": "PowerShell Profile", 
"reference": "https://attack.mitre.org/techniques/T1546/013/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "5cf6397e-eb91-4f31-8951-9f0eaa755a31_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_5.json b/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_5.json
deleted file mode 100644
index ddccb5a9133..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a PowerShell profile. PowerShell profile is a script that is executed when PowerShell starts to customize the user environment, which can be abused by attackers to persist in a environment where PowerShell is common.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via PowerShell profile", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : (\"?:\\\\Users\\\\*\\\\Documents\\\\WindowsPowerShell\\\\*\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\PowerShell\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\*\") and\n file.name : (\"profile.ps1\", \"Microsoft.Powershell_profile.ps1\")\n", "references": ["https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles", "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "5cf6397e-eb91-4f31-8951-9f0eaa755a31", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.013", 
"name": "PowerShell Profile", "reference": "https://attack.mitre.org/techniques/T1546/013/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "5cf6397e-eb91-4f31-8951-9f0eaa755a31_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_6.json b/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_6.json
deleted file mode 100644
index 9cb7a959d77..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a PowerShell profile. PowerShell profile is a script that is executed when PowerShell starts to customize the user environment, which can be abused by attackers to persist in a environment where PowerShell is common.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via PowerShell profile", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : (\"?:\\\\Users\\\\*\\\\Documents\\\\WindowsPowerShell\\\\*\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\PowerShell\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\*\") and\n file.name : (\"profile.ps1\", \"Microsoft.Powershell_profile.ps1\")\n", "references": ["https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles", "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "5cf6397e-eb91-4f31-8951-9f0eaa755a31", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", 
"subtechnique": [{"id": "T1546.013", "name": "PowerShell Profile", "reference": "https://attack.mitre.org/techniques/T1546/013/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.013", "name": "PowerShell Profile", "reference": "https://attack.mitre.org/techniques/T1546/013/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "5cf6397e-eb91-4f31-8951-9f0eaa755a31_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_7.json b/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_7.json
deleted file mode 100644
index 88cd7c9c7e6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a PowerShell profile. PowerShell profile is a script that is executed when PowerShell starts to customize the user environment, which can be abused by attackers to persist in a environment where PowerShell is common.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via PowerShell profile", "note": "## Triage and analysis\n\n### Investigating Persistence via PowerShell profile\n\nPowerShell profiles are scripts executed when PowerShell starts, customizing the user environment. They are commonly used in Windows environments for legitimate purposes, such as setting variables or loading modules. However, adversaries can abuse PowerShell profiles to establish persistence by inserting malicious code that executes each time PowerShell is launched.\n\nThis rule identifies the creation or modification of a PowerShell profile. It does this by monitoring file events on Windows systems, specifically targeting profile-related file paths and names, such as `profile.ps1` and `Microsoft.Powershell_profile.ps1`. By detecting these activities, security analysts can investigate potential abuse of PowerShell profiles for malicious persistence.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Retrive and inspect the PowerShell profile content; look for suspicious DLL imports, collection or persistence capabilities, suspicious functions, encoded or compressed data, suspicious commands, and other potentially malicious characteristics.\n- Identify the process responsible for the PowerShell profile creation/modification. Use the Elastic Defend events to examine all the activity of the subject process by filtering by the process's `process.entity_id`.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command-line logs that indicate that any suspicious command or function were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account 
FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This is a dual-use mechanism, meaning its usage is not inherently malicious. Analysts can dismiss the alert if the script doesn't contain malicious functions or potential for abuse, no other suspicious activity was identified, and the user has business justifications to use PowerShell.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or 
similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n - Consider enabling and collecting PowerShell logs such as transcription, module, and script block logging, to improve visibility into PowerShell activities.\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : (\"?:\\\\Users\\\\*\\\\Documents\\\\WindowsPowerShell\\\\*\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\PowerShell\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\*\") and\n file.name : (\"profile.ps1\", \"Microsoft.Powershell_profile.ps1\")\n", "references": ["https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles", "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "5cf6397e-eb91-4f31-8951-9f0eaa755a31", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic 
Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.013", "name": "PowerShell Profile", "reference": "https://attack.mitre.org/techniques/T1546/013/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.013", "name": "PowerShell Profile", "reference": "https://attack.mitre.org/techniques/T1546/013/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "5cf6397e-eb91-4f31-8951-9f0eaa755a31_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_8.json b/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_8.json
deleted file mode 100644
index 474d80c6f50..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_8.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a PowerShell profile. PowerShell profile is a script that is executed when PowerShell starts to customize the user environment, which can be abused by attackers to persist in a environment where PowerShell is common.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via PowerShell profile", "note": "## Triage and analysis\n\n### Investigating Persistence via PowerShell profile\n\nPowerShell profiles are scripts executed when PowerShell starts, customizing the user environment. They are commonly used in Windows environments for legitimate purposes, such as setting variables or loading modules. However, adversaries can abuse PowerShell profiles to establish persistence by inserting malicious code that executes each time PowerShell is launched.\n\nThis rule identifies the creation or modification of a PowerShell profile. It does this by monitoring file events on Windows systems, specifically targeting profile-related file paths and names, such as `profile.ps1` and `Microsoft.Powershell_profile.ps1`. By detecting these activities, security analysts can investigate potential abuse of PowerShell profiles for malicious persistence.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Retrive and inspect the PowerShell profile content; look for suspicious DLL imports, collection or persistence capabilities, suspicious functions, encoded or compressed data, suspicious commands, and other potentially malicious characteristics.\n- Identify the process responsible for the PowerShell profile creation/modification. Use the Elastic Defend events to examine all the activity of the subject process by filtering by the process's `process.entity_id`.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command-line logs that indicate that any suspicious command or function were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account 
FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This is a dual-use mechanism, meaning its usage is not inherently malicious. Analysts can dismiss the alert if the script doesn't contain malicious functions or potential for abuse, no other suspicious activity was identified, and the user has business justifications to use PowerShell.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or 
similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n - Consider enabling and collecting PowerShell logs such as transcription, module, and script block logging, to improve visibility into PowerShell activities.\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : (\"?:\\\\Users\\\\*\\\\Documents\\\\WindowsPowerShell\\\\*\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\PowerShell\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\*\") and\n file.name : (\"profile.ps1\", \"Microsoft.Powershell_profile.ps1\")\n", "references": ["https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles", "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "5cf6397e-eb91-4f31-8951-9f0eaa755a31", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic 
Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.013", "name": "PowerShell Profile", "reference": "https://attack.mitre.org/techniques/T1546/013/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.013", "name": "PowerShell Profile", "reference": "https://attack.mitre.org/techniques/T1546/013/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "5cf6397e-eb91-4f31-8951-9f0eaa755a31_8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_9.json b/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_9.json
deleted file mode 100644
index 81b298571b9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5cf6397e-eb91-4f31-8951-9f0eaa755a31_9.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a PowerShell profile. PowerShell profile is a script that is executed when PowerShell starts to customize the user environment, which can be abused by attackers to persist in a environment where PowerShell is common.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via PowerShell profile", "note": "## Triage and analysis\n\n### Investigating Persistence via PowerShell profile\n\nPowerShell profiles are scripts executed when PowerShell starts, customizing the user environment. They are commonly used in Windows environments for legitimate purposes, such as setting variables or loading modules. However, adversaries can abuse PowerShell profiles to establish persistence by inserting malicious code that executes each time PowerShell is launched.\n\nThis rule identifies the creation or modification of a PowerShell profile. It does this by monitoring file events on Windows systems, specifically targeting profile-related file paths and names, such as `profile.ps1` and `Microsoft.Powershell_profile.ps1`. By detecting these activities, security analysts can investigate potential abuse of PowerShell profiles for malicious persistence.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Retrive and inspect the PowerShell profile content; look for suspicious DLL imports, collection or persistence capabilities, suspicious functions, encoded or compressed data, suspicious commands, and other potentially malicious characteristics.\n- Identify the process responsible for the PowerShell profile creation/modification. Use the Elastic Defend events to examine all the activity of the subject process by filtering by the process's `process.entity_id`.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command-line logs that indicate that any suspicious command or function were run.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account 
FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This is a dual-use mechanism, meaning its usage is not inherently malicious. Analysts can dismiss the alert if the script doesn't contain malicious functions or potential for abuse, no other suspicious activity was identified, and the user has business justifications to use PowerShell.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or 
similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n - Consider enabling and collecting PowerShell logs such as transcription, module, and script block logging, to improve visibility into PowerShell activities.\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : (\"?:\\\\Users\\\\*\\\\Documents\\\\WindowsPowerShell\\\\*\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\PowerShell\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\*\") and\n file.name : (\"profile.ps1\", \"Microsoft.Powershell_profile.ps1\")\n", "references": ["https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles", "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "5cf6397e-eb91-4f31-8951-9f0eaa755a31", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic 
Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.013", "name": "PowerShell Profile", "reference": "https://attack.mitre.org/techniques/T1546/013/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.013", "name": "PowerShell Profile", "reference": "https://attack.mitre.org/techniques/T1546/013/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 9}, "id": "5cf6397e-eb91-4f31-8951-9f0eaa755a31_9", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080.json b/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080.json
deleted file mode 100644
index 3b79d5dda54..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Defaults command to install a login or logoff hook in MacOS. An adversary may abuse this capability to establish persistence in an environment by inserting code to be executed at login or logout.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Login or Logout Hook", "query": "process where host.os.type == \"macos\" and event.type == \"start\" and\n process.name == \"defaults\" and process.args == \"write\" and process.args : (\"LoginHook\", \"LogoutHook\") and\n not process.args :\n (\n \"Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n \"Support/JAMF/ManagementFrameworkScripts/loginhook.sh\",\n \"/Library/Application Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n \"/Library/Application Support/JAMF/ManagementFrameworkScripts/loginhook.sh\"\n )\n", "references": ["https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/Wardle-VB2014.pdf", "https://www.manpagez.com/man/1/defaults/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_102.json b/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_102.json
deleted file mode 100644
index dfaf912bdb5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Defaults command to install a login or logoff hook in MacOS. An adversary may abuse this capability to establish persistence in an environment by inserting code to be executed at login or logout.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Login or Logout Hook", "note": "", "query": "process where host.os.type == \"macos\" and event.type == \"start\" and\n process.name == \"defaults\" and process.args == \"write\" and process.args : (\"LoginHook\", \"LogoutHook\") and\n not process.args :\n (\n \"Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n \"Support/JAMF/ManagementFrameworkScripts/loginhook.sh\",\n \"/Library/Application Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n \"/Library/Application Support/JAMF/ManagementFrameworkScripts/loginhook.sh\"\n )\n", "references": ["https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/Wardle-VB2014.pdf", "https://www.manpagez.com/man/1/defaults/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", 
"name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_103.json b/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_103.json deleted file mode 100644 index 2f322425d94..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Defaults command to install a login or logoff hook in MacOS. An adversary may abuse this capability to establish persistence in an environment by inserting code to be executed at login or logout.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Login or Logout Hook", "note": "", "query": "process where host.os.type == \"macos\" and event.type == \"start\" and\n process.name == \"defaults\" and process.args == \"write\" and process.args : (\"LoginHook\", \"LogoutHook\") and\n not process.args :\n (\n \"Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n \"Support/JAMF/ManagementFrameworkScripts/loginhook.sh\",\n \"/Library/Application Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n \"/Library/Application Support/JAMF/ManagementFrameworkScripts/loginhook.sh\"\n )\n", "references": ["https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/Wardle-VB2014.pdf", "https://www.manpagez.com/man/1/defaults/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_104.json b/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_104.json deleted file mode 100644 index 2a707fc1bf1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Defaults command to install a login or logoff hook in MacOS. An adversary may abuse this capability to establish persistence in an environment by inserting code to be executed at login or logout.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Login or Logout Hook", "note": "", "query": "process where host.os.type == \"macos\" and event.type == \"start\" and\n process.name == \"defaults\" and process.args == \"write\" and process.args : (\"LoginHook\", \"LogoutHook\") and\n not process.args :\n (\n \"Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n \"Support/JAMF/ManagementFrameworkScripts/loginhook.sh\",\n \"/Library/Application Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n \"/Library/Application Support/JAMF/ManagementFrameworkScripts/loginhook.sh\"\n )\n", "references": ["https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/Wardle-VB2014.pdf", "https://www.manpagez.com/man/1/defaults/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_105.json b/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_105.json deleted file mode 100644 index 207f1867ba9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Defaults command to install a login or logoff hook in MacOS. An adversary may abuse this capability to establish persistence in an environment by inserting code to be executed at login or logout.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Login or Logout Hook", "query": "process where host.os.type == \"macos\" and event.type == \"start\" and\n process.name == \"defaults\" and process.args == \"write\" and process.args : (\"LoginHook\", \"LogoutHook\") and\n not process.args :\n (\n \"Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n \"Support/JAMF/ManagementFrameworkScripts/loginhook.sh\",\n \"/Library/Application Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n \"/Library/Application Support/JAMF/ManagementFrameworkScripts/loginhook.sh\"\n )\n", "references": ["https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/Wardle-VB2014.pdf", "https://www.manpagez.com/man/1/defaults/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_106.json b/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_106.json deleted file mode 100644 index a99af1a05ea..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5d0265bf-dea9-41a9-92ad-48a8dcd05080_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Defaults command to install a login or logoff hook in MacOS. An adversary may abuse this capability to establish persistence in an environment by inserting code to be executed at login or logout.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Login or Logout Hook", "query": "process where host.os.type == \"macos\" and event.type == \"start\" and\n process.name == \"defaults\" and process.args == \"write\" and process.args : (\"LoginHook\", \"LogoutHook\") and\n not process.args :\n (\n \"Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n \"Support/JAMF/ManagementFrameworkScripts/loginhook.sh\",\n \"/Library/Application Support/JAMF/ManagementFrameworkScripts/logouthook.sh\",\n \"/Library/Application Support/JAMF/ManagementFrameworkScripts/loginhook.sh\"\n )\n", "references": ["https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/Wardle-VB2014.pdf", "https://www.manpagez.com/man/1/defaults/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "5d0265bf-dea9-41a9-92ad-48a8dcd05080_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a.json b/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a.json deleted file mode 100644 index 8a8b6e6e80c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.", "false_positives": ["Legitimate scheduled tasks running third party software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution via Scheduled Task", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* Schedule service cmdline on Win10+ */\n process.parent.name : \"svchost.exe\" and process.parent.args : \"Schedule\" and\n /* add suspicious programs here */\n process.pe.original_file_name in\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) and\n /* add suspicious paths here */\n process.args : (\n \"C:\\\\Users\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"C:\\\\Windows\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\Windows\\\\Debug\\\\*\",\n \"C:\\\\HP\\\\*\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\*.bat\" and process.working_directory : \"?:\\\\Windows\\\\System32\\\\\") and\n not (process.name : \"cscript.exe\" and process.args : \"?:\\\\Windows\\\\system32\\\\calluxxprovider.vbs\") and\n not (process.name : \"powershell.exe\" and process.args : (\"-File\", \"-PSConsoleFile\") and user.id : \"S-1-5-18\") and\n not (process.name : \"msiexec.exe\" and user.id : \"S-1-5-18\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": 
"event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", 
"reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_102.json b/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_102.json deleted file mode 100644 index 62a6df52129..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.", "false_positives": ["Legitimate scheduled tasks running third party software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution via Scheduled Task", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* Schedule service cmdline on Win10+ */\n process.parent.name : \"svchost.exe\" and process.parent.args : \"Schedule\" and\n /* add suspicious programs here */\n process.pe.original_file_name in\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) and\n /* add suspicious paths here */\n process.args : (\n \"C:\\\\Users\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"C:\\\\Windows\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\Windows\\\\Debug\\\\*\",\n \"C:\\\\HP\\\\*\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\*.bat\" and process.working_directory : \"?:\\\\Windows\\\\System32\\\\\") and\n not (process.name : \"cscript.exe\" and process.args : \"?:\\\\Windows\\\\system32\\\\calluxxprovider.vbs\") and\n not (process.name : \"powershell.exe\" and process.args : (\"-File\", \"-PSConsoleFile\") and user.id : \"S-1-5-18\") and\n not (process.name : \"msiexec.exe\" and user.id : \"S-1-5-18\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": 
"event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_103.json b/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_103.json deleted file mode 100644 index c135d0d59c2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.", "false_positives": ["Legitimate scheduled tasks running third party software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution via Scheduled Task", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* Schedule service cmdline on Win10+ */\n process.parent.name : \"svchost.exe\" and process.parent.args : \"Schedule\" and\n /* add suspicious programs here */\n process.pe.original_file_name in\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) and\n /* add suspicious paths here */\n process.args : (\n \"C:\\\\Users\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"C:\\\\Windows\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\Windows\\\\Debug\\\\*\",\n \"C:\\\\HP\\\\*\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\*.bat\" and process.working_directory : \"?:\\\\Windows\\\\System32\\\\\") and\n not (process.name : \"cscript.exe\" and process.args : \"?:\\\\Windows\\\\system32\\\\calluxxprovider.vbs\") and\n not (process.name : \"powershell.exe\" and process.args : (\"-File\", \"-PSConsoleFile\") and user.id : \"S-1-5-18\") and\n not (process.name : \"msiexec.exe\" and user.id : \"S-1-5-18\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": 
"event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_104.json b/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_104.json deleted file mode 100644 index de360aa11b0..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.", "false_positives": ["Legitimate scheduled tasks running third party software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution via Scheduled Task", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* Schedule service cmdline on Win10+ */\n process.parent.name : \"svchost.exe\" and process.parent.args : \"Schedule\" and\n /* add suspicious programs here */\n process.pe.original_file_name in\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) and\n /* add suspicious paths here */\n process.args : (\n \"C:\\\\Users\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"C:\\\\Windows\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\Windows\\\\Debug\\\\*\",\n \"C:\\\\HP\\\\*\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\*.bat\" and process.working_directory : \"?:\\\\Windows\\\\System32\\\\\") and\n not (process.name : \"cscript.exe\" and process.args : \"?:\\\\Windows\\\\system32\\\\calluxxprovider.vbs\") and\n not (process.name : \"powershell.exe\" and process.args : (\"-File\", \"-PSConsoleFile\") and user.id : \"S-1-5-18\") and\n not (process.name : \"msiexec.exe\" and user.id : \"S-1-5-18\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": 
"event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_105.json b/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_105.json deleted file mode 100644 index bc11b4fa035..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.", "false_positives": ["Legitimate scheduled tasks running third party software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution via Scheduled Task", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* Schedule service cmdline on Win10+ */\n process.parent.name : \"svchost.exe\" and process.parent.args : \"Schedule\" and\n /* add suspicious programs here */\n process.pe.original_file_name in\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) and\n /* add suspicious paths here */\n process.args : (\n \"C:\\\\Users\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"C:\\\\Windows\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\Windows\\\\Debug\\\\*\",\n \"C:\\\\HP\\\\*\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\*.bat\" and process.working_directory : \"?:\\\\Windows\\\\System32\\\\\") and\n not (process.name : \"cscript.exe\" and process.args : \"?:\\\\Windows\\\\system32\\\\calluxxprovider.vbs\") and\n not (process.name : \"powershell.exe\" and process.args : (\"-File\", \"-PSConsoleFile\") and user.id : \"S-1-5-18\") and\n not (process.name : \"msiexec.exe\" and user.id : \"S-1-5-18\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": 
"event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a_105", 
"type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_106.json b/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_106.json deleted file mode 100644 index 4ceb4d64940..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_106.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.", "false_positives": ["Legitimate scheduled tasks running third party software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution via Scheduled Task", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* Schedule service cmdline on Win10+ */\n process.parent.name : \"svchost.exe\" and process.parent.args : \"Schedule\" and\n /* add suspicious programs here */\n process.pe.original_file_name in\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) and\n /* add suspicious paths here */\n process.args : (\n \"C:\\\\Users\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"C:\\\\Windows\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\Windows\\\\Debug\\\\*\",\n \"C:\\\\HP\\\\*\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\*.bat\" and process.working_directory : \"?:\\\\Windows\\\\System32\\\\\") and\n not (process.name : \"cscript.exe\" and process.args : \"?:\\\\Windows\\\\system32\\\\calluxxprovider.vbs\") and\n not (process.name : \"powershell.exe\" and process.args : (\"-File\", \"-PSConsoleFile\") and user.id : \"S-1-5-18\") and\n not (process.name : \"msiexec.exe\" and user.id : \"S-1-5-18\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", 
"type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": 
"https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_107.json b/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_107.json deleted file mode 100644 index 1d48213ea45..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_107.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.", "false_positives": ["Legitimate scheduled tasks running third party software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution via Scheduled Task", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* Schedule service cmdline on Win10+ */\n process.parent.name : \"svchost.exe\" and process.parent.args : \"Schedule\" and\n /* add suspicious programs here */\n process.pe.original_file_name in\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) and\n /* add suspicious paths here */\n process.args : (\n \"C:\\\\Users\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"C:\\\\Windows\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\Windows\\\\Debug\\\\*\",\n \"C:\\\\HP\\\\*\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\*.bat\" and process.working_directory : \"?:\\\\Windows\\\\System32\\\\\") and\n not (process.name : \"cscript.exe\" and process.args : \"?:\\\\Windows\\\\system32\\\\calluxxprovider.vbs\") and\n not (process.name : \"powershell.exe\" and process.args : (\"-File\", \"-PSConsoleFile\") and user.id : \"S-1-5-18\") and\n not (process.name : \"msiexec.exe\" and user.id : \"S-1-5-18\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", 
"type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": 
"https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_108.json b/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_108.json deleted file mode 100644 index 6e6759a9893..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_108.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.", "false_positives": ["Legitimate scheduled tasks running third party software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution via Scheduled Task", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* Schedule service cmdline on Win10+ */\n process.parent.name : \"svchost.exe\" and process.parent.args : \"Schedule\" and\n /* add suspicious programs here */\n process.pe.original_file_name in\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) and\n /* add suspicious paths here */\n process.args : (\n \"C:\\\\Users\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"C:\\\\Windows\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\Windows\\\\Debug\\\\*\",\n \"C:\\\\HP\\\\*\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\*.bat\" and process.working_directory : \"?:\\\\Windows\\\\System32\\\\\") and\n not (process.name : \"cscript.exe\" and process.args : \"?:\\\\Windows\\\\system32\\\\calluxxprovider.vbs\") and\n not (process.name : \"powershell.exe\" and process.args : (\"-File\", \"-PSConsoleFile\") and user.id : \"S-1-5-18\") and\n not (process.name : \"msiexec.exe\" and user.id : \"S-1-5-18\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": 
"event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", 
"reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_109.json b/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_109.json deleted file mode 100644 index f6a646cbd79..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5d1d6907-0747-4d5d-9b24-e4a18853dc0a_109.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.", "false_positives": ["Legitimate scheduled tasks running third party software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution via Scheduled Task", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* Schedule service cmdline on Win10+ */\n process.parent.name : \"svchost.exe\" and process.parent.args : \"Schedule\" and\n /* add suspicious programs here */\n process.pe.original_file_name in\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) and\n /* add suspicious paths here */\n process.args : (\n \"C:\\\\Users\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"C:\\\\Windows\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\Windows\\\\Debug\\\\*\",\n \"C:\\\\HP\\\\*\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\*.bat\" and process.working_directory : \"?:\\\\Windows\\\\System32\\\\\") and\n not (process.name : \"cscript.exe\" and process.args : \"?:\\\\Windows\\\\system32\\\\calluxxprovider.vbs\") and\n not (process.name : \"powershell.exe\" and process.args : (\"-File\", \"-PSConsoleFile\") and user.id : \"S-1-5-18\") and\n not (process.name : \"msiexec.exe\" and user.id : \"S-1-5-18\")\n", "references": ["https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper"], "related_integrations": [{"package": 
"endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", 
"reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "5d1d6907-0747-4d5d-9b24-e4a18853dc0a_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d676480-9655-4507-adc6-4eec311efff8.json b/packages/security_detection_engine/kibana/security_rule/5d676480-9655-4507-adc6-4eec311efff8.json deleted file mode 100644 index e4992fcdd29..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5d676480-9655-4507-adc6-4eec311efff8.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies unusual DLLs loaded by the DNS Server process, potentially indicating the abuse of the ServerLevelPluginDll functionality. This can lead to privilege escalation and remote code execution with SYSTEM privileges.", "from": "now-9m", "index": ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Unsigned DLL loaded by DNS Service", "query": "any where host.os.type == \"windows\" and event.category : (\"library\", \"process\") and\n event.type : (\"start\", \"change\") and event.action : (\"load\", \"Image loaded*\") and\n process.executable : \"?:\\\\windows\\\\system32\\\\dns.exe\" and \n not ?dll.code_signature.trusted == true and\n not file.code_signature.status == \"Valid\"\n", "references": ["https://cube0x0.github.io/Pocing-Beyond-DA/", "https://adsecurity.org/?p=4064", "https://github.com/gtworek/PSBits/tree/master/ServerLevelPluginDll"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "5d676480-9655-4507-adc6-4eec311efff8", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": 
"T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "5d676480-9655-4507-adc6-4eec311efff8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d676480-9655-4507-adc6-4eec311efff8_1.json b/packages/security_detection_engine/kibana/security_rule/5d676480-9655-4507-adc6-4eec311efff8_1.json deleted file mode 100644 index 6a611d8f6c7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5d676480-9655-4507-adc6-4eec311efff8_1.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies unusual DLLs loaded by the DNS Server process, potentially indicating the abuse of the ServerLevelPluginDll functionality. This can lead to privilege escalation and remote code execution with SYSTEM privileges.", "from": "now-9m", "index": ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Unsigned DLL loaded by DNS Service", "query": "any where host.os.type == \"windows\" and event.category : (\"library\", \"process\") and\n event.type : (\"start\", \"change\") and event.action : (\"load\", \"Image loaded*\") and\n process.executable : \"?:\\\\windows\\\\system32\\\\dns.exe\" and \n not ?dll.code_signature.trusted == true and\n not file.code_signature.status == \"Valid\"\n", "references": ["https://cube0x0.github.io/Pocing-Beyond-DA/", "https://adsecurity.org/?p=4064", "https://github.com/gtworek/PSBits/tree/master/ServerLevelPluginDll"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "5d676480-9655-4507-adc6-4eec311efff8", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": 
"Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "5d676480-9655-4507-adc6-4eec311efff8_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d676480-9655-4507-adc6-4eec311efff8_102.json b/packages/security_detection_engine/kibana/security_rule/5d676480-9655-4507-adc6-4eec311efff8_102.json deleted file mode 100644 index c9db726c522..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5d676480-9655-4507-adc6-4eec311efff8_102.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies unusual DLLs loaded by the DNS Server process, potentially indicating the abuse of the ServerLevelPluginDll functionality. This can lead to privilege escalation and remote code execution with SYSTEM privileges.", "from": "now-9m", "index": ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Unsigned DLL loaded by DNS Service", "query": "any where host.os.type == \"windows\" and event.category : (\"library\", \"process\") and\n event.type : (\"start\", \"change\") and event.action : (\"load\", \"Image loaded*\") and\n process.executable : \"?:\\\\windows\\\\system32\\\\dns.exe\" and \n not ?dll.code_signature.trusted == true and\n not file.code_signature.status == \"Valid\"\n", "references": ["https://cube0x0.github.io/Pocing-Beyond-DA/", "https://adsecurity.org/?p=4064", "https://github.com/gtworek/PSBits/tree/master/ServerLevelPluginDll"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "5d676480-9655-4507-adc6-4eec311efff8", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": 
"T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "5d676480-9655-4507-adc6-4eec311efff8_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d676480-9655-4507-adc6-4eec311efff8_2.json b/packages/security_detection_engine/kibana/security_rule/5d676480-9655-4507-adc6-4eec311efff8_2.json deleted file mode 100644 index 7717782ca29..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5d676480-9655-4507-adc6-4eec311efff8_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unusual DLLs loaded by the DNS Server process, potentially indicating the abuse of the ServerLevelPluginDll functionality. This can lead to privilege escalation and remote code execution with SYSTEM privileges.", "from": "now-9m", "index": ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Unsigned DLL loaded by DNS Service", "query": "any where host.os.type == \"windows\" and event.category : (\"library\", \"process\") and\n event.type : (\"start\", \"change\") and event.action : (\"load\", \"Image loaded*\") and\n process.executable : \"?:\\\\windows\\\\system32\\\\dns.exe\" and \n not ?dll.code_signature.trusted == true and\n not file.code_signature.status == \"Valid\"\n", "references": ["https://cube0x0.github.io/Pocing-Beyond-DA/", "https://adsecurity.org/?p=4064", "https://github.com/gtworek/PSBits/tree/master/ServerLevelPluginDll"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "5d676480-9655-4507-adc6-4eec311efff8", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": 
"T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "5d676480-9655-4507-adc6-4eec311efff8_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965.json b/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965.json deleted file mode 100644 index fb2572b7a07..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service. Adversaries may drop a custom workflow template that hosts malicious JavaScript for Automation (JXA) code as an alternative to using osascript.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Automator Workflows Execution", "query": "sequence by host.id with maxspan=30s\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"automator\"]\n [network where host.os.type == \"macos\" and process.name:\"com.apple.automator.runner\"]\n", "references": ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5d9f8cfc-0d03-443e-a167-2b0597ce0965", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "type": "eql", "version": 106}, "id": "5d9f8cfc-0d03-443e-a167-2b0597ce0965", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_102.json b/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_102.json deleted file mode 100644 index 644ade1e78d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service. Adversaries may drop a custom workflow template that hosts malicious JavaScript for Automation (JXA) code as an alternative to using osascript.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Automator Workflows Execution", "query": "sequence by host.id with maxspan=30s\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"automator\"]\n [network where host.os.type == \"macos\" and process.name:\"com.apple.automator.runner\"]\n", "references": ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5d9f8cfc-0d03-443e-a167-2b0597ce0965", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "type": "eql", "version": 102}, "id": "5d9f8cfc-0d03-443e-a167-2b0597ce0965_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_103.json b/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_103.json deleted file mode 100644 index e42bbf8150f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service. Adversaries may drop a custom workflow template that hosts malicious JavaScript for Automation (JXA) code as an alternative to using osascript.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Automator Workflows Execution", "query": "sequence by host.id with maxspan=30s\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"automator\"]\n [network where host.os.type == \"macos\" and process.name:\"com.apple.automator.runner\"]\n", "references": ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5d9f8cfc-0d03-443e-a167-2b0597ce0965", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "type": "eql", "version": 103}, "id": "5d9f8cfc-0d03-443e-a167-2b0597ce0965_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_104.json b/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_104.json deleted file mode 100644 index 1f5490f9ef8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service. Adversaries may drop a custom workflow template that hosts malicious JavaScript for Automation (JXA) code as an alternative to using osascript.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Automator Workflows Execution", "query": "sequence by host.id with maxspan=30s\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"automator\"]\n [network where host.os.type == \"macos\" and process.name:\"com.apple.automator.runner\"]\n", "references": ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5d9f8cfc-0d03-443e-a167-2b0597ce0965", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "type": "eql", "version": 104}, "id": "5d9f8cfc-0d03-443e-a167-2b0597ce0965_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_105.json b/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_105.json deleted file mode 100644 index 6a34d42fbd2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5d9f8cfc-0d03-443e-a167-2b0597ce0965_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service. Adversaries may drop a custom workflow template that hosts malicious JavaScript for Automation (JXA) code as an alternative to using osascript.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Automator Workflows Execution", "query": "sequence by host.id with maxspan=30s\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"automator\"]\n [network where host.os.type == \"macos\" and process.name:\"com.apple.automator.runner\"]\n", "references": ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "5d9f8cfc-0d03-443e-a167-2b0597ce0965", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "type": "eql", "version": 105}, "id": "5d9f8cfc-0d03-443e-a167-2b0597ce0965_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce.json deleted file mode 100644 index 3c840ee4401..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Google Workspace admins may setup 2-step verification (2SV) to add an extra layer of security to user accounts by asking users to verify their identity when they use login credentials. Admins have the ability to enforce 2SV from the admin console as well as the methods acceptable for verification and enrollment period. 2SV requires enablement on admin accounts prior to it being enabled for users within organization units. Adversaries may disable 2SV to lower the security requirements to access a valid account.", "false_positives": ["Administrators may remove 2-step verification (2SV) temporarily for testing or during maintenance. If 2SV was previously enabled, it is not common to disable this policy for extended periods of time."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace 2SV Policy Disabled", "note": "## Triage and analysis\n\n### Investigating Google Workspace 2SV Policy Disabled\n\nGoogle Workspace administrators manage password policies to enforce password requirements for an organization's compliance needs. Administrators have the capability to set restrictions on password length, reset frequencies, reuse capability, expiration, and much more. Google Workspace also allows multi-factor authentication (MFA) and 2-step verification (2SV) for authentication. 2SV allows users to verify their identity using security keys, Google prompt, authentication codes, text messages, and more.\n\n2SV adds an extra authentication layer for Google Workspace users to verify their identity. If 2SV or MFA aren't implemented, users only authenticate with their user name and password credentials. 
This authentication method has often been compromised and can be susceptible to credential access techniques when weak password policies are used.\n\nThis rule detects when a 2SV policy is disabled in Google Workspace.\n\n#### Possible investigation steps\n\n- Identify the associated user account(s) by reviewing `user.name` or `source.user.email` in the alert.\n- Identify what password setting was created or adjusted by reviewing `google_workspace.admin.setting.name`.\n- Review if a password setting was enabled or disabled by reviewing `google_workspace.admin.new_value` and `google_workspace.admin.old_value`.\n- After identifying the involved user account, verify administrative privileges are scoped properly.\n- Filter `event.dataset` for `google_workspace.login` and aggregate by `user.name`, `event.action`.\n - The `google_workspace.login.challenge_method` field can be used to identify the challenge method that was used for failed and successful logins.\n\n### False positive analysis\n\n- After finding the user account that updated the password policy, verify whether the action was intentional.\n- Verify whether the user should have Google Workspace administrative privileges that allow them to modify password policies.\n- Review organizational units or groups the role may have been added to and ensure its privileges are properly aligned.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal 
ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.login\" and event.action:\"2sv_disable\"\n", "references": ["https://support.google.com/a/answer/9176657?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "5e161522-2545-11ed-ac47-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "5e161522-2545-11ed-ac47-f661ea17fbce", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_104.json b/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_104.json deleted file mode 100644 index d543dc2b83d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Google Workspace admins may setup 2-step verification (2SV) to add an extra layer of security to user accounts by asking users to verify their identity when they use login credentials. Admins have the ability to enforce 2SV from the admin console as well as the methods acceptable for verification and enrollment period. 2SV requires enablement on admin accounts prior to it being enabled for users within organization units. Adversaries may disable 2SV to lower the security requirements to access a valid account.", "false_positives": ["Administrators may remove 2-step verification (2SV) temporarily for testing or during maintenance. If 2SV was previously enabled, it is not common to disable this policy for extended periods of time."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace 2SV Policy Disabled", "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:\"2sv_disable\"\n", "references": ["https://support.google.com/a/answer/9176657?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "5e161522-2545-11ed-ac47-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Configuration Audit", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "5e161522-2545-11ed-ac47-f661ea17fbce_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_105.json deleted file mode 100644 index 40a29b26bbf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Google Workspace admins may setup 2-step verification (2SV) to add an extra layer of security to user accounts by asking users to verify their identity when they use login credentials. Admins have the ability to enforce 2SV from the admin console as well as the methods acceptable for verification and enrollment period. 2SV requires enablement on admin accounts prior to it being enabled for users within organization units. Adversaries may disable 2SV to lower the security requirements to access a valid account.", "false_positives": ["Administrators may remove 2-step verification (2SV) temporarily for testing or during maintenance. If 2SV was previously enabled, it is not common to disable this policy for extended periods of time."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace 2SV Policy Disabled", "note": "## Triage and analysis\n\n### Investigating Google Workspace 2SV Policy Disabled\n\nGoogle Workspace administrators manage password policies to enforce password requirements for an organization's compliance needs. Administrators have the capability to set restrictions on password length, reset frequencies, reuse capability, expiration, and much more. Google Workspace also allows multi-factor authentication (MFA) and 2-step verification (2SV) for authentication. 2SV allows users to verify their identity using security keys, Google prompt, authentication codes, text messages, and more.\n\n2SV adds an extra authentication layer for Google Workspace users to verify their identity. If 2SV or MFA aren't implemented, users only authenticate with their user name and password credentials. 
This authentication method has often been compromised and can be susceptible to credential access techniques when weak password policies are used.\n\nThis rule detects when a 2SV policy is disabled in Google Workspace.\n\n#### Possible investigation steps\n\n- Identify the associated user account(s) by reviewing `user.name` or `source.user.email` in the alert.\n- Identify what password setting was created or adjusted by reviewing `google_workspace.admin.setting.name`.\n- Review if a password setting was enabled or disabled by reviewing `google_workspace.admin.new_value` and `google_workspace.admin.old_value`.\n- After identifying the involved user account, verify administrative privileges are scoped properly.\n- Filter `event.dataset` for `google_workspace.login` and aggregate by `user.name`, `event.action`.\n - The `google_workspace.login.challenge_method` field can be used to identify the challenge method that was used for failed and successful logins.\n\n### False positive analysis\n\n- After finding the user account that updated the password policy, verify whether the action was intentional.\n- Verify whether the user should have Google Workspace administrative privileges that allow them to modify password policies.\n- Review organizational units or groups the role may have been added to and ensure its privileges are properly aligned.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal 
ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.login\" and event.action:\"2sv_disable\"\n", "references": ["https://support.google.com/a/answer/9176657?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "5e161522-2545-11ed-ac47-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Configuration Audit", "Persistence", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "5e161522-2545-11ed-ac47-f661ea17fbce_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_106.json b/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_106.json deleted file mode 100644 index bf2b318ffef..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5e161522-2545-11ed-ac47-f661ea17fbce_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Google Workspace admins may setup 2-step verification (2SV) to add an extra layer of security to user accounts by asking users to verify their identity when they use login credentials. Admins have the ability to enforce 2SV from the admin console as well as the methods acceptable for verification and enrollment period. 2SV requires enablement on admin accounts prior to it being enabled for users within organization units. Adversaries may disable 2SV to lower the security requirements to access a valid account.", "false_positives": ["Administrators may remove 2-step verification (2SV) temporarily for testing or during maintenance. If 2SV was previously enabled, it is not common to disable this policy for extended periods of time."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace 2SV Policy Disabled", "note": "## Triage and analysis\n\n### Investigating Google Workspace 2SV Policy Disabled\n\nGoogle Workspace administrators manage password policies to enforce password requirements for an organization's compliance needs. Administrators have the capability to set restrictions on password length, reset frequencies, reuse capability, expiration, and much more. Google Workspace also allows multi-factor authentication (MFA) and 2-step verification (2SV) for authentication. 2SV allows users to verify their identity using security keys, Google prompt, authentication codes, text messages, and more.\n\n2SV adds an extra authentication layer for Google Workspace users to verify their identity. If 2SV or MFA aren't implemented, users only authenticate with their user name and password credentials. 
This authentication method has often been compromised and can be susceptible to credential access techniques when weak password policies are used.\n\nThis rule detects when a 2SV policy is disabled in Google Workspace.\n\n#### Possible investigation steps\n\n- Identify the associated user account(s) by reviewing `user.name` or `source.user.email` in the alert.\n- Identify what password setting was created or adjusted by reviewing `google_workspace.admin.setting.name`.\n- Review if a password setting was enabled or disabled by reviewing `google_workspace.admin.new_value` and `google_workspace.admin.old_value`.\n- After identifying the involved user account, verify administrative privileges are scoped properly.\n- Filter `event.dataset` for `google_workspace.login` and aggregate by `user.name`, `event.action`.\n - The `google_workspace.login.challenge_method` field can be used to identify the challenge method that was used for failed and successful logins.\n\n### False positive analysis\n\n- After finding the user account that updated the password policy, verify whether the action was intentional.\n- Verify whether the user should have Google Workspace administrative privileges that allow them to modify password policies.\n- Review organizational units or groups the role may have been added to and ensure its privileges are properly aligned.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal 
ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.login\" and event.action:\"2sv_disable\"\n", "references": ["https://support.google.com/a/answer/9176657?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "5e161522-2545-11ed-ac47-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "5e161522-2545-11ed-ac47-f661ea17fbce_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388.json b/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388.json deleted file mode 100644 index a1e7faf47a8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when guest access is enabled in Microsoft Teams. Guest access in Teams allows people outside the organization to access teams and channels. An adversary may enable guest access to maintain persistence in an environment.", "false_positives": ["Teams guest access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Teams Guest Access Enabled", "note": "", "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTeamsClientConfiguration\" and\no365.audit.Parameters.AllowGuestUser:True and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Parameters.AllowGuestUser", "type": "unknown"}], "risk_score": 47, "rule_id": "5e552599-ddec-4e14-bad1-28aa42404388", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "5e552599-ddec-4e14-bad1-28aa42404388", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_101.json b/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_101.json deleted file mode 100644 index cbc0d4cc14e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when guest access is enabled in Microsoft Teams. Guest access in Teams allows people outside the organization to access teams and channels. An adversary may enable guest access to maintain persistence in an environment.", "false_positives": ["Teams guest access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Teams Guest Access Enabled", "note": "", "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTeamsClientConfiguration\" and\no365.audit.Parameters.AllowGuestUser:True and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Parameters.AllowGuestUser", "type": "unknown"}], "risk_score": 47, "rule_id": "5e552599-ddec-4e14-bad1-28aa42404388", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "5e552599-ddec-4e14-bad1-28aa42404388_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_102.json b/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_102.json deleted file mode 100644 index c0afdf94ecd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when guest access is enabled in Microsoft Teams. Guest access in Teams allows people outside the organization to access teams and channels. An adversary may enable guest access to maintain persistence in an environment.", "false_positives": ["Teams guest access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Teams Guest Access Enabled", "note": "", "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTeamsClientConfiguration\" and\no365.audit.Parameters.AllowGuestUser:True and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Parameters.AllowGuestUser", "type": "unknown"}], "risk_score": 47, "rule_id": "5e552599-ddec-4e14-bad1-28aa42404388", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "5e552599-ddec-4e14-bad1-28aa42404388_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_103.json b/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_103.json deleted file mode 100644 index 7eb1a08f5a6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when guest access is enabled in Microsoft Teams. Guest access in Teams allows people outside the organization to access teams and channels. An adversary may enable guest access to maintain persistence in an environment.", "false_positives": ["Teams guest access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Teams Guest Access Enabled", "note": "", "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTeamsClientConfiguration\" and\no365.audit.Parameters.AllowGuestUser:True and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Parameters.AllowGuestUser", "type": "unknown"}], "risk_score": 47, "rule_id": "5e552599-ddec-4e14-bad1-28aa42404388", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "5e552599-ddec-4e14-bad1-28aa42404388_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_105.json b/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_105.json deleted file mode 100644 index 745d163965d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5e552599-ddec-4e14-bad1-28aa42404388_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when guest access is enabled in Microsoft Teams. Guest access in Teams allows people outside the organization to access teams and channels. An adversary may enable guest access to maintain persistence in an environment.", "false_positives": ["Teams guest access may be enabled by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Teams Guest Access Enabled", "note": "", "query": "event.dataset:o365.audit and event.provider:(SkypeForBusiness or MicrosoftTeams) and\nevent.category:web and event.action:\"Set-CsTeamsClientConfiguration\" and\no365.audit.Parameters.AllowGuestUser:True and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Parameters.AllowGuestUser", "type": "unknown"}], "risk_score": 47, "rule_id": "5e552599-ddec-4e14-bad1-28aa42404388", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "5e552599-ddec-4e14-bad1-28aa42404388_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5f0234fd-7f21-42af-8391-511d5fd11d5c.json b/packages/security_detection_engine/kibana/security_rule/5f0234fd-7f21-42af-8391-511d5fd11d5c.json deleted file mode 100644 index 6e769597b4c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5f0234fd-7f21-42af-8391-511d5fd11d5c.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a high number of failed S3 operations from a single source and account (or anonymous account) within a short timeframe. This activity can be indicative of attempting to cause an increase in billing to an account for excessive random operations, cause resource exhaustion, or enumerating bucket names for discovery.", "false_positives": ["Known or internal account IDs or automation"], "from": "now-6m", "language": "esql", "license": "Elastic License v2", "name": "AWS S3 Bucket Enumeration or Brute Force", "note": "## Triage and analysis\n\n### Investigating AWS S3 Bucket Enumeration or Brute Force\n\nAWS S3 buckets can be be brute forced to cause financial impact against the resource owner. What makes this even riskier is that even private, locked down buckets can still trigger a potential cost, even with an \"Access Denied\", while also being accessible from unauthenticated, anonymous accounts. This also appears to work on several or all [operations](https://docs.aws.amazon.com/cli/latest/reference/s3api/) (GET, PUT, list-objects, etc.). 
Additionally, buckets are trivially discoverable by default as long as the bucket name is known, making it vulnerable to enumeration for discovery.\n\nAttackers may attempt to enumerate names until a valid bucket is discovered and then pivot to cause financial impact, enumerate for more information, or brute force in other ways to attempt to exfil data.\n\n#### Possible investigation steps\n\n- Examine the history of the operation requests from the same `source.address` and `cloud.account.id` to determine if there is other suspicious activity.\n- Review similar requests and look at the `user.agent` info to ascertain the source of the requests (though do not overly rely on this since it is controlled by the requestor).\n- Review other requests to the same `aws.s3.object.key` as well as other `aws.s3.object.key` accessed by the same `cloud.account.id` or `source.address`.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These may indicate the source of the program or the nature of the task being performed when the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. 
If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Verify the `source.address` and `cloud.account.id` - there are some valid operations from within AWS directly that can cause failures and false positives. Additionally, failed automation can also caeuse false positives, but should be identifiable by reviewing the `source.address` and `cloud.account.id`.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n- Check for PutBucketPolicy event actions as well to see if they have been tampered with. 
While we monitor for denied, a single successful action to add a backdoor into the bucket via policy updates (however they got permissions) may be critical to identify during TDIR.\n\n", "query": "from logs-aws.cloudtrail*\n| where event.provider == \"s3.amazonaws.com\" and aws.cloudtrail.error_code == \"AccessDenied\"\n| stats failed_requests = count(*) by tls.client.server_name, source.address, cloud.account.id\n // can modify the failed request count or tweak time window to fit environment\n // can add `not cloud.account.id in (KNOWN)` or specify in exceptions\n| where failed_requests > 40\n", "references": ["https://medium.com/@maciej.pocwierz/how-an-empty-s3-bucket-can-make-your-aws-bill-explode-934a383cb8b1", "https://docs.aws.amazon.com/cli/latest/reference/s3api/"], "risk_score": 21, "rule_id": "5f0234fd-7f21-42af-8391-511d5fd11d5c", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS S3", "Resources: Investigation Guide", "Use Case: Log Auditing", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1657", "name": "Financial Theft", "reference": "https://attack.mitre.org/techniques/T1657/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1580", "name": "Cloud Infrastructure Discovery", "reference": "https://attack.mitre.org/techniques/T1580/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1530", "name": "Data from Cloud Storage", "reference": "https://attack.mitre.org/techniques/T1530/"}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 2}, "id": "5f0234fd-7f21-42af-8391-511d5fd11d5c", "type": "security-rule"} \ 
No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5f0234fd-7f21-42af-8391-511d5fd11d5c_1.json b/packages/security_detection_engine/kibana/security_rule/5f0234fd-7f21-42af-8391-511d5fd11d5c_1.json
deleted file mode 100644
index 1ffb9076b8a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5f0234fd-7f21-42af-8391-511d5fd11d5c_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a high number of failed S3 operations from a single source and account (or anonymous account) within a short timeframe. This activity can be indicative of attempting to cause an increase in billing to an account for excessive random operations, cause resource exhaustion, or enumerating bucket names for discovery.", "false_positives": ["Known or internal account IDs or automation"], "from": "now-10m", "language": "esql", "license": "Elastic License v2", "name": "AWS S3 Bucket Enumeration or Brute Force", "note": "## Triage and analysis\n\n### Investigating AWS S3 Bucket Enumeration or Brute Force\n\nAWS S3 buckets can be be brute forced to cause financial impact against the resource owner. What makes this even riskier is that even private, locked down buckets can still trigger a potential cost, even with an \"Access Denied\", while also being accessible from unauthenticated, anonymous accounts. This also appears to work on several or all [operations](https://docs.aws.amazon.com/cli/latest/reference/s3api/) (GET, PUT, list-objects, etc.). 
Additionally, buckets are trivially discoverable by default as long as the bucket name is known, making it vulnerable to enumeration for discovery.\n\nAttackers may attempt to enumerate names until a valid bucket is discovered and then pivot to cause financial impact, enumerate for more information, or brute force in other ways to attempt to exfil data.\n\n#### Possible investigation steps\n\n- Examine the history of the operation requests from the same `source.address` and `cloud.account.id` to determine if there is other suspicious activity.\n- Review similar requests and look at the `user.agent` info to ascertain the source of the requests (though do not overly rely on this since it is controlled by the requestor).\n- Review other requests to the same `aws.s3.object.key` as well as other `aws.s3.object.key` accessed by the same `cloud.account.id` or `source.address`.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These may indicate the source of the program or the nature of the task being performed when the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. 
If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Verify the `source.address` and `cloud.account.id` - there are some valid operations from within AWS directly that can cause failures and false positives. Additionally, failed automation can also caeuse false positives, but should be identifiable by reviewing the `source.address` and `cloud.account.id`.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n- Check for PutBucketPolicy event actions as well to see if they have been tampered with. 
While we monitor for denied, a single successful action to add a backdoor into the bucket via policy updates (however they got permissions) may be critical to identify during TDIR.\n\n", "query": "from logs-aws.cloudtrail*\n| where event.provider == \"s3.amazonaws.com\" and aws.cloudtrail.error_code == \"AccessDenied\"\n| stats failed_requests = count(*) by tls.client.server_name, source.address, cloud.account.id\n // can modify the failed request count or tweak time window to fit environment\n // can add `not cloud.account.id in (KNOWN)` or specify in exceptions\n| where failed_requests > 40\n", "references": ["https://medium.com/@maciej.pocwierz/how-an-empty-s3-bucket-can-make-your-aws-bill-explode-934a383cb8b1", "https://docs.aws.amazon.com/cli/latest/reference/s3api/"], "risk_score": 21, "rule_id": "5f0234fd-7f21-42af-8391-511d5fd11d5c", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS S3", "Resources: Investigation Guide", "Use Case: Log Auditing", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1657", "name": "Financial Theft", "reference": "https://attack.mitre.org/techniques/T1657/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1580", "name": "Cloud Infrastructure Discovery", "reference": "https://attack.mitre.org/techniques/T1580/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1530", "name": "Data from Cloud Storage", "reference": "https://attack.mitre.org/techniques/T1530/"}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "5f0234fd-7f21-42af-8391-511d5fd11d5c_1", "type": "security-rule"} 
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5f0234fd-7f21-42af-8391-511d5fd11d5c_2.json b/packages/security_detection_engine/kibana/security_rule/5f0234fd-7f21-42af-8391-511d5fd11d5c_2.json
deleted file mode 100644
index 64d95a3dde7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5f0234fd-7f21-42af-8391-511d5fd11d5c_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a high number of failed S3 operations from a single source and account (or anonymous account) within a short timeframe. This activity can be indicative of attempting to cause an increase in billing to an account for excessive random operations, cause resource exhaustion, or enumerating bucket names for discovery.", "false_positives": ["Known or internal account IDs or automation"], "from": "now-6m", "language": "esql", "license": "Elastic License v2", "name": "AWS S3 Bucket Enumeration or Brute Force", "note": "## Triage and analysis\n\n### Investigating AWS S3 Bucket Enumeration or Brute Force\n\nAWS S3 buckets can be be brute forced to cause financial impact against the resource owner. What makes this even riskier is that even private, locked down buckets can still trigger a potential cost, even with an \"Access Denied\", while also being accessible from unauthenticated, anonymous accounts. This also appears to work on several or all [operations](https://docs.aws.amazon.com/cli/latest/reference/s3api/) (GET, PUT, list-objects, etc.). 
Additionally, buckets are trivially discoverable by default as long as the bucket name is known, making it vulnerable to enumeration for discovery.\n\nAttackers may attempt to enumerate names until a valid bucket is discovered and then pivot to cause financial impact, enumerate for more information, or brute force in other ways to attempt to exfil data.\n\n#### Possible investigation steps\n\n- Examine the history of the operation requests from the same `source.address` and `cloud.account.id` to determine if there is other suspicious activity.\n- Review similar requests and look at the `user.agent` info to ascertain the source of the requests (though do not overly rely on this since it is controlled by the requestor).\n- Review other requests to the same `aws.s3.object.key` as well as other `aws.s3.object.key` accessed by the same `cloud.account.id` or `source.address`.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These may indicate the source of the program or the nature of the task being performed when the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. 
If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Verify the `source.address` and `cloud.account.id` - there are some valid operations from within AWS directly that can cause failures and false positives. Additionally, failed automation can also caeuse false positives, but should be identifiable by reviewing the `source.address` and `cloud.account.id`.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n- Check for PutBucketPolicy event actions as well to see if they have been tampered with. 
While we monitor for denied, a single successful action to add a backdoor into the bucket via policy updates (however they got permissions) may be critical to identify during TDIR.\n\n", "query": "from logs-aws.cloudtrail*\n| where event.provider == \"s3.amazonaws.com\" and aws.cloudtrail.error_code == \"AccessDenied\"\n| stats failed_requests = count(*) by tls.client.server_name, source.address, cloud.account.id\n // can modify the failed request count or tweak time window to fit environment\n // can add `not cloud.account.id in (KNOWN)` or specify in exceptions\n| where failed_requests > 40\n", "references": ["https://medium.com/@maciej.pocwierz/how-an-empty-s3-bucket-can-make-your-aws-bill-explode-934a383cb8b1", "https://docs.aws.amazon.com/cli/latest/reference/s3api/"], "risk_score": 21, "rule_id": "5f0234fd-7f21-42af-8391-511d5fd11d5c", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS S3", "Resources: Investigation Guide", "Use Case: Log Auditing", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1657", "name": "Financial Theft", "reference": "https://attack.mitre.org/techniques/T1657/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1580", "name": "Cloud Infrastructure Discovery", "reference": "https://attack.mitre.org/techniques/T1580/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1530", "name": "Data from Cloud Storage", "reference": "https://attack.mitre.org/techniques/T1530/"}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 2}, "id": "5f0234fd-7f21-42af-8391-511d5fd11d5c_2", "type": "security-rule"} 
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5f0234fd-7f21-42af-8391-511d5fd11d5c_3.json b/packages/security_detection_engine/kibana/security_rule/5f0234fd-7f21-42af-8391-511d5fd11d5c_3.json
deleted file mode 100644
index 221ecc8d727..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5f0234fd-7f21-42af-8391-511d5fd11d5c_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a high number of failed S3 operations from a single source and account (or anonymous account) within a short timeframe. This activity can be indicative of attempting to cause an increase in billing to an account for excessive random operations, cause resource exhaustion, or enumerating bucket names for discovery.", "false_positives": ["Known or internal account IDs or automation"], "from": "now-6m", "language": "esql", "license": "Elastic License v2", "name": "AWS S3 Bucket Enumeration or Brute Force", "note": "## Triage and analysis\n\n### Investigating AWS S3 Bucket Enumeration or Brute Force\n\nAWS S3 buckets can be be brute forced to cause financial impact against the resource owner. What makes this even riskier is that even private, locked down buckets can still trigger a potential cost, even with an \"Access Denied\", while also being accessible from unauthenticated, anonymous accounts. This also appears to work on several or all [operations](https://docs.aws.amazon.com/cli/latest/reference/s3api/) (GET, PUT, list-objects, etc.). 
Additionally, buckets are trivially discoverable by default as long as the bucket name is known, making it vulnerable to enumeration for discovery.\n\nAttackers may attempt to enumerate names until a valid bucket is discovered and then pivot to cause financial impact, enumerate for more information, or brute force in other ways to attempt to exfil data.\n\n#### Possible investigation steps\n\n- Examine the history of the operation requests from the same `source.address` and `cloud.account.id` to determine if there is other suspicious activity.\n- Review similar requests and look at the `user.agent` info to ascertain the source of the requests (though do not overly rely on this since it is controlled by the requestor).\n- Review other requests to the same `aws.s3.object.key` as well as other `aws.s3.object.key` accessed by the same `cloud.account.id` or `source.address`.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These may indicate the source of the program or the nature of the task being performed when the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. 
If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Verify the `source.address` and `cloud.account.id` - there are some valid operations from within AWS directly that can cause failures and false positives. Additionally, failed automation can also caeuse false positives, but should be identifiable by reviewing the `source.address` and `cloud.account.id`.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n- Check for PutBucketPolicy event actions as well to see if they have been tampered with. 
While we monitor for denied, a single successful action to add a backdoor into the bucket via policy updates (however they got permissions) may be critical to identify during TDIR.\n\n", "query": "from logs-aws.cloudtrail*\n| where event.provider == \"s3.amazonaws.com\" and aws.cloudtrail.error_code == \"AccessDenied\"\n// keep only relevant fields\n| keep tls.client.server_name, source.address, cloud.account.id\n| stats failed_requests = count(*) by tls.client.server_name, source.address, cloud.account.id\n // can modify the failed request count or tweak time window to fit environment\n // can add `not cloud.account.id in (KNOWN)` or specify in exceptions\n| where failed_requests > 40\n", "references": ["https://medium.com/@maciej.pocwierz/how-an-empty-s3-bucket-can-make-your-aws-bill-explode-934a383cb8b1", "https://docs.aws.amazon.com/cli/latest/reference/s3api/"], "risk_score": 21, "rule_id": "5f0234fd-7f21-42af-8391-511d5fd11d5c", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS S3", "Resources: Investigation Guide", "Use Case: Log Auditing", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1657", "name": "Financial Theft", "reference": "https://attack.mitre.org/techniques/T1657/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1580", "name": "Cloud Infrastructure Discovery", "reference": "https://attack.mitre.org/techniques/T1580/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1530", "name": "Data from Cloud Storage", "reference": "https://attack.mitre.org/techniques/T1530/"}]}], "timestamp_override": "event.ingested", "type": 
"esql", "version": 3}, "id": "5f0234fd-7f21-42af-8391-511d5fd11d5c_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/5f2f463e-6997-478c-8405-fb41cc283281.json b/packages/security_detection_engine/kibana/security_rule/5f2f463e-6997-478c-8405-fb41cc283281.json deleted file mode 100644 index ed8528b349f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/5f2f463e-6997-478c-8405-fb41cc283281.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of a browser to download a file from a remote URL and from a suspicious parent process. Adversaries may use browsers to avoid ingress tool transfer restrictions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential File Download via a Headless Browser", "note": "## Triage and analysis\n\n### Investigating Potential File Download via a Headless Browser\n\n- Investigate the process execution chain (parent process tree).\n- Investigate the process network and file events.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"chrome.exe\", \"msedge.exe\", \"brave.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\") and\n (process.args : \"--headless*\" or process.args : \"data:text/html;base64,*\") and\n process.parent.name :\n (\"cmd.exe\", \"powershell.exe\", \"wscript.exe\", \"cscript.exe\", \"mshta.exe\", \"conhost.exe\", \"msiexec.exe\",\n \"explorer.exe\", \"rundll32.exe\", \"winword.exe\", \"excel.exe\", \"onenote.exe\", \"hh.exe\", \"powerpnt.exe\", \"forfiles.exe\",\n \"pcalua.exe\", \"wmiprvse.exe\")\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msedge/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "5f2f463e-6997-478c-8405-fb41cc283281", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Windows", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": 
"https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "5f2f463e-6997-478c-8405-fb41cc283281", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5f2f463e-6997-478c-8405-fb41cc283281_1.json b/packages/security_detection_engine/kibana/security_rule/5f2f463e-6997-478c-8405-fb41cc283281_1.json
deleted file mode 100644
index 34643aa8a8f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5f2f463e-6997-478c-8405-fb41cc283281_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of a browser to download a file from a remote URL and from a suspicious parent process. Adversaries may use browsers to avoid ingress tool transfer restrictions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential File Download via a Headless Browser", "note": "## Triage and analysis\n\n### Investigating Potential File Download via a Headless Browser\n\n- Investigate the process execution chain (parent process tree).\n- Investigate the process network and file events.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"chrome.exe\", \"msedge.exe\", \"brave.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\") and\n (process.args : \"--headless*\" or process.args : \"data:text/html;base64,*\") and\n process.parent.name :\n (\"cmd.exe\", \"powershell.exe\", \"wscript.exe\", \"cscript.exe\", \"mshta.exe\", \"conhost.exe\", \"msiexec.exe\",\n \"explorer.exe\", \"rundll32.exe\", \"winword.exe\", \"excel.exe\", \"onenote.exe\", \"hh.exe\", \"powerpnt.exe\", \"forfiles.exe\",\n \"pcalua.exe\", \"wmiprvse.exe\")\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msedge/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "5f2f463e-6997-478c-8405-fb41cc283281", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Windows", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": 
"https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "5f2f463e-6997-478c-8405-fb41cc283281_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5f2f463e-6997-478c-8405-fb41cc283281_2.json b/packages/security_detection_engine/kibana/security_rule/5f2f463e-6997-478c-8405-fb41cc283281_2.json
deleted file mode 100644
index 7c96020a84d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5f2f463e-6997-478c-8405-fb41cc283281_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of a browser to download a file from a remote URL and from a suspicious parent process. Adversaries may use browsers to avoid ingress tool transfer restrictions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential File Download via a Headless Browser", "note": "## Triage and analysis\n\n### Investigating Potential File Download via a Headless Browser\n\n- Investigate the process execution chain (parent process tree).\n- Investigate the process network and file events.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"chrome.exe\", \"msedge.exe\", \"brave.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\") and\n (process.args : \"--headless*\" or process.args : \"data:text/html;base64,*\") and\n process.parent.name :\n (\"cmd.exe\", \"powershell.exe\", \"wscript.exe\", \"cscript.exe\", \"mshta.exe\", \"conhost.exe\", \"msiexec.exe\",\n \"explorer.exe\", \"rundll32.exe\", \"winword.exe\", \"excel.exe\", \"onenote.exe\", \"hh.exe\", \"powerpnt.exe\", \"forfiles.exe\",\n \"pcalua.exe\", \"wmiprvse.exe\")\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msedge/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "5f2f463e-6997-478c-8405-fb41cc283281", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Windows", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": 
"https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "5f2f463e-6997-478c-8405-fb41cc283281_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5f2f463e-6997-478c-8405-fb41cc283281_202.json b/packages/security_detection_engine/kibana/security_rule/5f2f463e-6997-478c-8405-fb41cc283281_202.json
deleted file mode 100644
index 51fdc41b591..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5f2f463e-6997-478c-8405-fb41cc283281_202.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of a browser to download a file from a remote URL and from a suspicious parent process. Adversaries may use browsers to avoid ingress tool transfer restrictions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential File Download via a Headless Browser", "note": "## Triage and analysis\n\n### Investigating Potential File Download via a Headless Browser\n\n- Investigate the process execution chain (parent process tree).\n- Investigate the process network and file events.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"chrome.exe\", \"msedge.exe\", \"brave.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\") and\n (process.args : \"--headless*\" or process.args : \"data:text/html;base64,*\") and\n process.parent.name :\n (\"cmd.exe\", \"powershell.exe\", \"wscript.exe\", \"cscript.exe\", \"mshta.exe\", \"conhost.exe\", \"msiexec.exe\",\n \"explorer.exe\", \"rundll32.exe\", \"winword.exe\", \"excel.exe\", \"onenote.exe\", \"hh.exe\", \"powerpnt.exe\", \"forfiles.exe\",\n \"pcalua.exe\", \"wmiprvse.exe\")\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msedge/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "5f2f463e-6997-478c-8405-fb41cc283281", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and 
Control", "Resources: Investigation Guide", "Data Source: Windows", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 202}, "id": "5f2f463e-6997-478c-8405-fb41cc283281_202", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/5f3ab3ce-7b41-4168-a06a-68d2af8ebc88.json b/packages/security_detection_engine/kibana/security_rule/5f3ab3ce-7b41-4168-a06a-68d2af8ebc88.json
deleted file mode 100644
index 333325e6ff9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/5f3ab3ce-7b41-4168-a06a-68d2af8ebc88.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a UID change event via `nsenter`. The `nsenter` command is used to enter a namespace, which is a way to isolate processes and resources. Attackers can use `nsenter` to escape from a container to the host, which can lead to privilege escalation and lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.process*"], "language": "eql", "license": "Elastic License v2", "name": "Docker Escape via Nsenter", "query": "process where host.os.type == \"linux\" and event.type == \"change\" and event.action == \"uid_change\" and\nprocess.entry_leader.entry_meta.type == \"container\" and process.args == \"nsenter\" and\nprocess.args in (\"-t\", \"--target\") and process.args_count >= 4\n", "references": ["https://www.cyberark.com/resources/threat-research-blog/the-route-to-root-container-escape-using-kernel-exploitation"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entry_leader.entry_meta.type", "type": "keyword"}], "risk_score": 47, "rule_id": "5f3ab3ce-7b41-4168-a06a-68d2af8ebc88", "severity": "medium", "tags": ["Domain: Endpoint", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": 
"5f3ab3ce-7b41-4168-a06a-68d2af8ebc88", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491.json b/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491.json
deleted file mode 100644
index bc3eaf7c6d5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines, but not access them, nor access the virtual network or storage account they\u2019re connected to. However, commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles may be able to execute commands on a VM as well.", "false_positives": ["Command execution on a virtual machine may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Command execution from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Command Execution on Virtual Machine", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\" and event.outcome:(Success or success)\n", "references": ["https://adsecurity.org/?p=4277", "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "60884af6-f553-4a6c-af13-300047455491", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", 
"severity": "medium", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "60884af6-f553-4a6c-af13-300047455491", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491_101.json b/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491_101.json
deleted file mode 100644
index 97c73036e0b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/60884af6-f553-4a6c-af13-300047455491_101.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage virtual machines, but not access them, nor access the virtual network or storage account they\u2019re connected to. However, commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles may be able to execute commands on a VM as well.", "false_positives": ["Command execution on a virtual machine may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Command execution from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Command Execution on Virtual Machine", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION\" and event.outcome:(Success or success)\n", "references": ["https://adsecurity.org/?p=4277", "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", "https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#virtual-machine-contributor"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "60884af6-f553-4a6c-af13-300047455491", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", 
"severity": "medium", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Log Auditing"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "60884af6-f553-4a6c-af13-300047455491_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50.json b/packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50.json
deleted file mode 100644
index 727f7cdee35..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a new service principal is added in Azure. An application, hosted service, or automated tool that accesses or modifies resources needs an identity created. This identity is known as a service principal. For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.", "false_positives": ["A service principal may be created by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Service principal additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Service Principal Addition", "note": "## Triage and analysis\n\n### Investigating Azure Service Principal Addition\n\nService Principals are identities used by applications, services, and automation tools to access specific resources. They grant specific access based on the assigned API permissions. Most organizations that work a lot with Azure AD make use of service principals. Whenever an application is registered, it automatically creates an application object and a service principal in an Azure AD tenant.\n\nThis rule looks for the addition of service principals. This behavior may enable attackers to impersonate legitimate service principals to camouflage their activities among noisy automations/apps.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Consider the source IP address and geolocation for the user who issued the command. 
Do they look normal for the user?\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the account's commands, API calls, and data management actions in the last 24 hours.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\nIf this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and device conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add service principal\" and event.outcome:(success or Success)\n", "references": ["https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", "https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal"], "related_integrations": [{"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "60b6b72f-0fbc-47e7-9895-9ba7627a8b50", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": 
"https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "60b6b72f-0fbc-47e7-9895-9ba7627a8b50", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50_104.json b/packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50_104.json
deleted file mode 100644
index b66a23fe437..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/60b6b72f-0fbc-47e7-9895-9ba7627a8b50_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a new service principal is added in Azure. An application, hosted service, or automated tool that accesses or modifies resources needs an identity created. This identity is known as a service principal. For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.", "false_positives": ["A service principal may be created by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Service principal additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Service Principal Addition", "note": "## Triage and analysis\n\n### Investigating Azure Service Principal Addition\n\nService Principals are identities used by applications, services, and automation tools to access specific resources. They grant specific access based on the assigned API permissions. Most organizations that work a lot with Azure AD make use of service principals. Whenever an application is registered, it automatically creates an application object and a service principal in an Azure AD tenant.\n\nThis rule looks for the addition of service principals. This behavior may enable attackers to impersonate legitimate service principals to camouflage their activities among noisy automations/apps.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Consider the source IP address and geolocation for the user who issued the command. 
Do they look normal for the user?\n- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the account's commands, API calls, and data management actions in the last 24 hours.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\nIf this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and device conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add service principal\" and event.outcome:(success or Success)\n", "references": ["https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", "https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal"], "related_integrations": [{"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "60b6b72f-0fbc-47e7-9895-9ba7627a8b50", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", 
"subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "60b6b72f-0fbc-47e7-9895-9ba7627a8b50_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25.json b/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25.json
deleted file mode 100644
index bda8b4426a3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a Data Loss Prevention (DLP) policy is removed in Microsoft 365. An adversary may remove a DLP policy to evade existing DLP monitoring.", "false_positives": ["A DLP policy may be removed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange DLP Policy Removed", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-DlpPolicy\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "60f3adec-1df9-4104-9c75-b97d9f078b25", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], 
"timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "60f3adec-1df9-4104-9c75-b97d9f078b25", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_101.json b/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_101.json
deleted file mode 100644
index b7df396ff4f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_101.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a Data Loss Prevention (DLP) policy is removed in Microsoft 365. An adversary may remove a DLP policy to evade existing DLP monitoring.", "false_positives": ["A DLP policy may be removed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange DLP Policy Removed", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-DlpPolicy\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "60f3adec-1df9-4104-9c75-b97d9f078b25", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], 
"timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "60f3adec-1df9-4104-9c75-b97d9f078b25_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_102.json b/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_102.json
deleted file mode 100644
index c803e565ad4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a Data Loss Prevention (DLP) policy is removed in Microsoft 365. An adversary may remove a DLP policy to evade existing DLP monitoring.", "false_positives": ["A DLP policy may be removed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange DLP Policy Removed", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-DlpPolicy\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "60f3adec-1df9-4104-9c75-b97d9f078b25", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], 
"timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "60f3adec-1df9-4104-9c75-b97d9f078b25_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_103.json b/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_103.json
deleted file mode 100644
index 160725b5d4e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a Data Loss Prevention (DLP) policy is removed in Microsoft 365. An adversary may remove a DLP policy to evade existing DLP monitoring.", "false_positives": ["A DLP policy may be removed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange DLP Policy Removed", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-DlpPolicy\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "60f3adec-1df9-4104-9c75-b97d9f078b25", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], 
"timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "60f3adec-1df9-4104-9c75-b97d9f078b25_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_105.json b/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_105.json
deleted file mode 100644
index c2950f3c752..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/60f3adec-1df9-4104-9c75-b97d9f078b25_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a Data Loss Prevention (DLP) policy is removed in Microsoft 365. An adversary may remove a DLP policy to evade existing DLP monitoring.", "false_positives": ["A DLP policy may be removed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange DLP Policy Removed", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-DlpPolicy\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "60f3adec-1df9-4104-9c75-b97d9f078b25", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], 
"timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "60f3adec-1df9-4104-9c75-b97d9f078b25_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267.json b/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267.json
deleted file mode 100644
index 50cfc3bfb80..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Process Network Connection", "note": "## Triage and analysis\n\n### Investigating Unusual Process Network Connection\n\nThis rule identifies network activity from unexpected system utilities and applications. These applications are commonly abused by attackers to execute code, evade detections, and bypass security protections.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the target host that the process is communicating with.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"xwizard.exe\") and\n event.type == \"start\"]\n [network where host.os.type == \"windows\" and (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"xwizard.exe\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, 
{"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/"}]}], "type": "eql", "version": 108}, "id": "610949a1-312f-4e04-bb55-3a79b8c95267", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_104.json b/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_104.json
deleted file mode 100644
index 03d64d1afbb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Process Network Connection", "note": "## Triage and analysis\n\n### Investigating Unusual Process Network Connection\n\nThis rule identifies network activity from unexpected system utilities and applications. These applications are commonly abused by attackers to execute code, evade detections, and bypass security protections.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the target host that the process is communicating with.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"xwizard.exe\") and\n event.type == \"start\"]\n [network where host.os.type == \"windows\" and (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"xwizard.exe\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267", "severity": "low", "tags": ["Elastic", 
"Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/"}]}], "type": "eql", "version": 104}, "id": "610949a1-312f-4e04-bb55-3a79b8c95267_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_105.json b/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_105.json
deleted file mode 100644
index d5398a03536..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Process Network Connection", "note": "## Triage and analysis\n\n### Investigating Unusual Process Network Connection\n\nThis rule identifies network activity from unexpected system utilities and applications. These applications are commonly abused by attackers to execute code, evade detections, and bypass security protections.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the target host that the process is communicating with.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"xwizard.exe\") and\n event.type == \"start\"]\n [network where host.os.type == \"windows\" and (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"xwizard.exe\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267", "severity": "low", "tags": ["Domain: 
Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/"}]}], "type": "eql", "version": 105}, "id": "610949a1-312f-4e04-bb55-3a79b8c95267_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_106.json b/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_106.json
deleted file mode 100644
index 629b1dc6de1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Process Network Connection", "note": "## Triage and analysis\n\n### Investigating Unusual Process Network Connection\n\nThis rule identifies network activity from unexpected system utilities and applications. These applications are commonly abused by attackers to execute code, evade detections, and bypass security protections.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the target host that the process is communicating with.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"xwizard.exe\") and\n event.type == \"start\"]\n [network where host.os.type == \"windows\" and (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"xwizard.exe\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267", "severity": "low", "tags": ["Domain: 
Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/"}]}], "type": "eql", "version": 106}, "id": "610949a1-312f-4e04-bb55-3a79b8c95267_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_107.json b/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_107.json
deleted file mode 100644
index 4744c6690ca..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Process Network Connection", "note": "## Triage and analysis\n\n### Investigating Unusual Process Network Connection\n\nThis rule identifies network activity from unexpected system utilities and applications. These applications are commonly abused by attackers to execute code, evade detections, and bypass security protections.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the target host that the process is communicating with.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"xwizard.exe\") and\n event.type == \"start\"]\n [network where host.os.type == \"windows\" and (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"xwizard.exe\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267", "severity": "low", "tags": ["Domain: 
Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/"}]}], "type": "eql", "version": 107}, "id": "610949a1-312f-4e04-bb55-3a79b8c95267_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_108.json b/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_108.json
deleted file mode 100644
index bc1af85f3c9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/610949a1-312f-4e04-bb55-3a79b8c95267_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Process Network Connection", "note": "## Triage and analysis\n\n### Investigating Unusual Process Network Connection\n\nThis rule identifies network activity from unexpected system utilities and applications. These applications are commonly abused by attackers to execute code, evade detections, and bypass security protections.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the target host that the process is communicating with.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"xwizard.exe\") and\n event.type == \"start\"]\n [network where host.os.type == \"windows\" and (process.name : \"Microsoft.Workflow.Compiler.exe\" or\n process.name : \"bginfo.exe\" or\n process.name : \"cdb.exe\" or\n process.name : \"cmstp.exe\" or\n process.name : \"csi.exe\" or\n process.name : \"dnx.exe\" or\n process.name : \"fsi.exe\" or\n process.name : \"ieexec.exe\" or\n process.name : \"iexpress.exe\" or\n process.name : \"odbcconf.exe\" or\n process.name : \"rcsi.exe\" or\n process.name : \"xwizard.exe\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, 
{"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "610949a1-312f-4e04-bb55-3a79b8c95267", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/"}]}], "type": "eql", "version": 108}, "id": "610949a1-312f-4e04-bb55-3a79b8c95267_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/61336fe6-c043-4743-ab6e-41292f439603.json b/packages/security_detection_engine/kibana/security_rule/61336fe6-c043-4743-ab6e-41292f439603.json
deleted file mode 100644
index 5622699f0c0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/61336fe6-c043-4743-ab6e-41292f439603.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "A new user was added to a GitHub organization.", "from": "now-9m", "index": ["logs-github.audit-*"], "language": "eql", "license": "Elastic License v2", "name": "New User Added To GitHub Organization", "query": "configuration where event.dataset == \"github.audit\" and event.action == \"org.add_member\"\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "61336fe6-c043-4743-ab6e-41292f439603", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.001", "name": "Additional Cloud Credentials", "reference": "https://attack.mitre.org/techniques/T1098/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "61336fe6-c043-4743-ab6e-41292f439603", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/61336fe6-c043-4743-ab6e-41292f439603_1.json b/packages/security_detection_engine/kibana/security_rule/61336fe6-c043-4743-ab6e-41292f439603_1.json deleted file mode 100644 index 604e0c39cf3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/61336fe6-c043-4743-ab6e-41292f439603_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "A new user was added to a GitHub organization.", "from": "now-9m", "index": ["logs-github.audit-*"], "language": "eql", "license": "Elastic License v2", "name": "New User Added To GitHub Organization", "query": "configuration where event.dataset == \"github.audit\" and event.action == \"org.add_member\"\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "61336fe6-c043-4743-ab6e-41292f439603", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.001", "name": "Additional Cloud Credentials", "reference": "https://attack.mitre.org/techniques/T1098/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "61336fe6-c043-4743-ab6e-41292f439603_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/61336fe6-c043-4743-ab6e-41292f439603_103.json b/packages/security_detection_engine/kibana/security_rule/61336fe6-c043-4743-ab6e-41292f439603_103.json new file mode 100644 index 00000000000..4cf19680013 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/61336fe6-c043-4743-ab6e-41292f439603_103.json 
@@ -0,0 +1,75 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "building_block_type": "default",
+ "description": "A new user was added to a GitHub organization.",
+ "from": "now-9m",
+ "index": [
+ "logs-github.audit-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "New User Added To GitHub Organization",
+ "query": "configuration where event.dataset == \"github.audit\" and event.action == \"org.add_member\"\n",
+ "related_integrations": [
+ {
+ "package": "github",
+ "version": "^2.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "61336fe6-c043-4743-ab6e-41292f439603",
+ "severity": "low",
+ "tags": [
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Persistence",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1098",
+ "name": "Account Manipulation",
+ "reference": "https://attack.mitre.org/techniques/T1098/",
+ "subtechnique": [
+ {
+ "id": "T1098.001",
+ "name": "Additional Cloud Credentials",
+ "reference": "https://attack.mitre.org/techniques/T1098/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 103
+ },
+ "id": "61336fe6-c043-4743-ab6e-41292f439603_103",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad.json b/packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad.json
deleted file mode 100644
index 4a48f8776b2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies interactive logon attempt with alternate credentials and by an unusual process. Adversaries may create a new token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Interactive Logon by an Unusual Process", "query": "authentication where \n host.os.type : \"windows\" and winlog.event_data.LogonProcessName : \"Advapi*\" and \n winlog.logon.type == \"Interactive\" and winlog.event_data.SubjectUserSid : (\"S-1-5-21*\", \"S-1-12-*\") and \n winlog.event_data.TargetUserSid : (\"S-1-5-21*\", \"S-1-12-*\") and process.executable : \"C:\\\\*\" and \n not startswith~(winlog.event_data.SubjectUserSid, winlog.event_data.TargetUserSid) and \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\winlogon.exe\", \n \"?:\\\\Windows\\\\System32\\\\wininit.exe\", \n \"?:\\\\Program Files\\\\*.exe\", \n \"?:\\\\Program Files (x86)\\\\*.exe\", \n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\w3wp.exe\", \n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\", \n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n", "references": ["https://attack.mitre.org/techniques/T1134/002/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.LogonProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetUserSid", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 73, "rule_id": "61766ef9-48a5-4247-ad74-3349de7eb2ad", "setup": "## Setup\n\nAudit event 4624 is needed to trigger this 
rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.002", "name": "Create Process with Token", "reference": "https://attack.mitre.org/techniques/T1134/002/"}, {"id": "T1134.003", "name": "Make and Impersonate Token", "reference": "https://attack.mitre.org/techniques/T1134/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "61766ef9-48a5-4247-ad74-3349de7eb2ad", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad_1.json b/packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad_1.json
deleted file mode 100644
index a10a8752c7c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies interactive logon attempt with alternate credentials and by an unusual process. Adversaries may create a new token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Interactive Logon by an Unusual Process", "query": "authentication where \n host.os.type : \"windows\" and winlog.event_data.LogonProcessName : \"Advapi*\" and \n winlog.logon.type == \"Interactive\" and winlog.event_data.SubjectUserSid : (\"S-1-5-21*\", \"S-1-12-*\") and \n winlog.event_data.TargetUserSid : (\"S-1-5-21*\", \"S-1-12-*\") and \n not startswith~(winlog.event_data.SubjectUserSid, winlog.event_data.TargetUserSid) and \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\winlogon.exe\", \n \"?:\\\\Windows\\\\System32\\\\wininit.exe\", \n \"?:\\\\Program Files\\\\Okta\\\\Okta Verify\\\\OktaVerify.exe\", \n \"?:\\\\Program Files (x86)\\\\Okta\\\\Okta Verify\\\\OktaVerify.exe\")\n", "references": ["https://attack.mitre.org/techniques/T1134/002/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.LogonProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetUserSid", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 73, "rule_id": "61766ef9-48a5-4247-ad74-3349de7eb2ad", "setup": "\nAudit event 4624 is needed to trigger this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default 
fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.002", "name": "Create Process with Token", "reference": "https://attack.mitre.org/techniques/T1134/002/"}, {"id": "T1134.003", "name": "Make and Impersonate Token", "reference": "https://attack.mitre.org/techniques/T1134/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "61766ef9-48a5-4247-ad74-3349de7eb2ad_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad_2.json b/packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad_2.json
deleted file mode 100644
index 5b2370fdbef..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies interactive logon attempt with alternate credentials and by an unusual process. Adversaries may create a new token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Interactive Logon by an Unusual Process", "query": "authentication where \n host.os.type : \"windows\" and winlog.event_data.LogonProcessName : \"Advapi*\" and \n winlog.logon.type == \"Interactive\" and winlog.event_data.SubjectUserSid : (\"S-1-5-21*\", \"S-1-12-*\") and \n winlog.event_data.TargetUserSid : (\"S-1-5-21*\", \"S-1-12-*\") and process.executable : \"C:\\\\*\" and \n not startswith~(winlog.event_data.SubjectUserSid, winlog.event_data.TargetUserSid) and \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\winlogon.exe\", \n \"?:\\\\Windows\\\\System32\\\\wininit.exe\", \n \"?:\\\\Program Files\\\\*.exe\", \n \"?:\\\\Program Files (x86)\\\\*.exe\", \n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\w3wp.exe\", \n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\", \n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n", "references": ["https://attack.mitre.org/techniques/T1134/002/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.LogonProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetUserSid", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 73, "rule_id": "61766ef9-48a5-4247-ad74-3349de7eb2ad", "setup": "\nAudit event 4624 is needed to trigger this rule.\n\nIf 
enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.002", "name": "Create Process with Token", "reference": "https://attack.mitre.org/techniques/T1134/002/"}, {"id": "T1134.003", "name": "Make and Impersonate Token", "reference": "https://attack.mitre.org/techniques/T1134/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "61766ef9-48a5-4247-ad74-3349de7eb2ad_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad_3.json b/packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad_3.json
deleted file mode 100644
index 683d87e517d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies interactive logon attempt with alternate credentials and by an unusual process. Adversaries may create a new token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Interactive Logon by an Unusual Process", "query": "authentication where \n host.os.type : \"windows\" and winlog.event_data.LogonProcessName : \"Advapi*\" and \n winlog.logon.type == \"Interactive\" and winlog.event_data.SubjectUserSid : (\"S-1-5-21*\", \"S-1-12-*\") and \n winlog.event_data.TargetUserSid : (\"S-1-5-21*\", \"S-1-12-*\") and process.executable : \"C:\\\\*\" and \n not startswith~(winlog.event_data.SubjectUserSid, winlog.event_data.TargetUserSid) and \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\winlogon.exe\", \n \"?:\\\\Windows\\\\System32\\\\wininit.exe\", \n \"?:\\\\Program Files\\\\*.exe\", \n \"?:\\\\Program Files (x86)\\\\*.exe\", \n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\w3wp.exe\", \n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\", \n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n", "references": ["https://attack.mitre.org/techniques/T1134/002/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.LogonProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetUserSid", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 73, "rule_id": "61766ef9-48a5-4247-ad74-3349de7eb2ad", "setup": "## Setup\n\nAudit event 4624 is needed to trigger this 
rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.002", "name": "Create Process with Token", "reference": "https://attack.mitre.org/techniques/T1134/002/"}, {"id": "T1134.003", "name": "Make and Impersonate Token", "reference": "https://attack.mitre.org/techniques/T1134/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "61766ef9-48a5-4247-ad74-3349de7eb2ad_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad_4.json b/packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad_4.json deleted file mode 100644 index e6989367273..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/61766ef9-48a5-4247-ad74-3349de7eb2ad_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies interactive logon attempt with alternate credentials and by an unusual process. Adversaries may create a new token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Interactive Logon by an Unusual Process", "query": "authentication where \n host.os.type : \"windows\" and winlog.event_data.LogonProcessName : \"Advapi*\" and \n winlog.logon.type == \"Interactive\" and winlog.event_data.SubjectUserSid : (\"S-1-5-21*\", \"S-1-12-*\") and \n winlog.event_data.TargetUserSid : (\"S-1-5-21*\", \"S-1-12-*\") and process.executable : \"C:\\\\*\" and \n not startswith~(winlog.event_data.SubjectUserSid, winlog.event_data.TargetUserSid) and \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\winlogon.exe\", \n \"?:\\\\Windows\\\\System32\\\\wininit.exe\", \n \"?:\\\\Program Files\\\\*.exe\", \n \"?:\\\\Program Files (x86)\\\\*.exe\", \n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\w3wp.exe\", \n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\", \n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n", "references": ["https://attack.mitre.org/techniques/T1134/002/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.LogonProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetUserSid", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 73, "rule_id": "61766ef9-48a5-4247-ad74-3349de7eb2ad", "setup": "## Setup\n\nAudit event 4624 is needed to trigger this 
rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.002", "name": "Create Process with Token", "reference": "https://attack.mitre.org/techniques/T1134/002/"}, {"id": "T1134.003", "name": "Make and Impersonate Token", "reference": "https://attack.mitre.org/techniques/T1134/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "61766ef9-48a5-4247-ad74-3349de7eb2ad_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e.json b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e.json deleted file mode 100644 index 4a696d6f114..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", "false_positives": ["Legitimate PowerShell scripts that make use of these functions."], "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Discovery Related Windows API Functions", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Discovery Related Windows API Functions\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries like PSReflect or Get-ProcAddress Cmdlet.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n\n### False positive analysis\n\n- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not contain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed. However, analysts should keep in mind that this is not a common way of getting information, making it suspicious.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n NetShareEnum or\n NetWkstaUserEnum or\n NetSessionEnum or\n NetLocalGroupEnum or\n NetLocalGroupGetMembers or\n DsGetSiteName or\n DsEnumerateDomainTrusts or\n WTSEnumerateSessionsEx or\n WTSQuerySessionInformation or\n LsaGetLogonSessionData or\n QueryServiceObjectSecurity or\n GetComputerNameEx or\n NetWkstaGetInfo or\n GetUserNameEx or\n NetUserEnum or\n NetUserGetInfo or\n NetGroupEnum or\n NetGroupGetInfo or\n NetGroupGetUsers or\n NetWkstaTransportEnum or\n NetServerGetInfo or\n LsaEnumerateTrustedDomains or\n NetScheduleJobEnum or\n NetUserModalsGet\n ) and\n not powershell.file.script_block_text : (\n (\"DsGetSiteName\" and (\"DiscoverWindowsComputerProperties.ps1\" and \"param($SourceType, $SourceId, $ManagedEntityId, $ComputerIdentity)\")) or\n (\"# Copyright: (c) 2018, Ansible Project\" and \"#Requires -Module Ansible.ModuleUtils.AddType\" and \"#AnsibleRequires -CSharpUtil Ansible.Basic\") or\n (\"Ansible.Windows.Setup\" and \"Ansible.Windows.Setup\" and \"NativeMethods.NetWkstaGetInfo(null, 100, out netBuffer);\")\n )\n", "references": ["https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": 
"unknown"}], "risk_score": 21, "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": 
"PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1039", "name": "Data from Network Shared Drive", "reference": "https://attack.mitre.org/techniques/T1039/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 214}, "id": "61ac3638-40a3-44b2-855a-985636ca985e", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_106.json b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_106.json deleted file mode 100644 index 814ad9b2289..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", "false_positives": ["Legitimate PowerShell scripts that make use of these functions."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Discovery Related Windows API Functions", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Discovery Related Windows API Functions\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries like PSReflect or Get-ProcAddress Cmdlet.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n\n### False positive analysis\n\n- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not contain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed. However, analysts should keep in mind that this is not a common way of getting information, making it suspicious.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n NetShareEnum or\n NetWkstaUserEnum or\n NetSessionEnum or\n NetLocalGroupEnum or\n NetLocalGroupGetMembers or\n DsGetSiteName or\n DsEnumerateDomainTrusts or\n WTSEnumerateSessionsEx or\n WTSQuerySessionInformation or\n LsaGetLogonSessionData or\n QueryServiceObjectSecurity or\n GetComputerNameEx or\n NetWkstaGetInfo or\n GetUserNameEx or\n NetUserEnum or\n NetUserGetInfo or\n NetGroupEnum or\n NetGroupGetInfo or\n NetGroupGetUsers or\n NetWkstaTransportEnum or\n NetServerGetInfo or\n LsaEnumerateTrustedDomains or\n NetScheduleJobEnum or\n NetUserModalsGet\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the 
logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "PowerShell"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "61ac3638-40a3-44b2-855a-985636ca985e_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_107.json b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_107.json
deleted file mode 100644
index edaed0d0930..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", "false_positives": ["Legitimate PowerShell scripts that make use of these functions."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Discovery Related Windows API Functions", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Discovery Related Windows API Functions\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries like PSReflect or Get-ProcAddress Cmdlet.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n\n### False positive analysis\n\n- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not contain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed. However, analysts should keep in mind that this is not a common way of getting information, making it suspicious.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n NetShareEnum or\n NetWkstaUserEnum or\n NetSessionEnum or\n NetLocalGroupEnum or\n NetLocalGroupGetMembers or\n DsGetSiteName or\n DsEnumerateDomainTrusts or\n WTSEnumerateSessionsEx or\n WTSQuerySessionInformation or\n LsaGetLogonSessionData or\n QueryServiceObjectSecurity or\n GetComputerNameEx or\n NetWkstaGetInfo or\n GetUserNameEx or\n NetUserEnum or\n NetUserGetInfo or\n NetGroupEnum or\n NetGroupGetInfo or\n NetGroupGetUsers or\n NetWkstaTransportEnum or\n NetServerGetInfo or\n LsaEnumerateTrustedDomains or\n NetScheduleJobEnum or\n NetUserModalsGet\n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\")\n", "references": ["https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with 
with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "PowerShell"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "61ac3638-40a3-44b2-855a-985636ca985e_107", "type": 
"security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_108.json b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_108.json
deleted file mode 100644
index 2ad62dc3ff9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", "false_positives": ["Legitimate PowerShell scripts that make use of these functions."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Discovery Related Windows API Functions", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Discovery Related Windows API Functions\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries like PSReflect or Get-ProcAddress Cmdlet.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n\n### False positive analysis\n\n- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not contain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed. However, analysts should keep in mind that this is not a common way of getting information, making it suspicious.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n NetShareEnum or\n NetWkstaUserEnum or\n NetSessionEnum or\n NetLocalGroupEnum or\n NetLocalGroupGetMembers or\n DsGetSiteName or\n DsEnumerateDomainTrusts or\n WTSEnumerateSessionsEx or\n WTSQuerySessionInformation or\n LsaGetLogonSessionData or\n QueryServiceObjectSecurity or\n GetComputerNameEx or\n NetWkstaGetInfo or\n GetUserNameEx or\n NetUserEnum or\n NetUserGetInfo or\n NetGroupEnum or\n NetGroupGetInfo or\n NetGroupGetUsers or\n NetWkstaTransportEnum or\n NetServerGetInfo or\n LsaEnumerateTrustedDomains or\n NetScheduleJobEnum or\n NetUserModalsGet\n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\")\n", "references": ["https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with 
with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": 
"61ac3638-40a3-44b2-855a-985636ca985e_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_109.json b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_109.json
deleted file mode 100644
index 64f583b8b7e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", "false_positives": ["Legitimate PowerShell scripts that make use of these functions."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Discovery Related Windows API Functions", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Discovery Related Windows API Functions\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries like PSReflect or Get-ProcAddress Cmdlet.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n\n### False positive analysis\n\n- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not contain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed. However, analysts should keep in mind that this is not a common way of getting information, making it suspicious.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n NetShareEnum or\n NetWkstaUserEnum or\n NetSessionEnum or\n NetLocalGroupEnum or\n NetLocalGroupGetMembers or\n DsGetSiteName or\n DsEnumerateDomainTrusts or\n WTSEnumerateSessionsEx or\n WTSQuerySessionInformation or\n LsaGetLogonSessionData or\n QueryServiceObjectSecurity or\n GetComputerNameEx or\n NetWkstaGetInfo or\n GetUserNameEx or\n NetUserEnum or\n NetUserGetInfo or\n NetGroupEnum or\n NetGroupGetInfo or\n NetGroupGetUsers or\n NetWkstaTransportEnum or\n NetServerGetInfo or\n LsaEnumerateTrustedDomains or\n NetScheduleJobEnum or\n NetUserModalsGet\n )\n and not user.id : (\"S-1-5-18\" or \"S-1-5-19\")\n", "references": ["https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps 
to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 109}, "id": "61ac3638-40a3-44b2-855a-985636ca985e_109", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_110.json b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_110.json
deleted file mode 100644
index 36ddd7db626..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", "false_positives": ["Legitimate PowerShell scripts that make use of these functions."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Discovery Related Windows API Functions", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Discovery Related Windows API Functions\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries like PSReflect or Get-ProcAddress Cmdlet.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n\n### False positive analysis\n\n- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not contain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed. However, analysts should keep in mind that this is not a common way of getting information, making it suspicious.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n NetShareEnum or\n NetWkstaUserEnum or\n NetSessionEnum or\n NetLocalGroupEnum or\n NetLocalGroupGetMembers or\n DsGetSiteName or\n DsEnumerateDomainTrusts or\n WTSEnumerateSessionsEx or\n WTSQuerySessionInformation or\n LsaGetLogonSessionData or\n QueryServiceObjectSecurity or\n GetComputerNameEx or\n NetWkstaGetInfo or\n GetUserNameEx or\n NetUserEnum or\n NetUserGetInfo or\n NetGroupEnum or\n NetGroupGetInfo or\n NetGroupGetUsers or\n NetWkstaTransportEnum or\n NetServerGetInfo or\n LsaEnumerateTrustedDomains or\n NetScheduleJobEnum or\n NetUserModalsGet\n )\n and not user.id : (\"S-1-5-18\" or \"S-1-5-19\")\n", "references": ["https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps 
to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1039", "name": "Data from Network Shared Drive", "reference": 
"https://attack.mitre.org/techniques/T1039/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 110}, "id": "61ac3638-40a3-44b2-855a-985636ca985e_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_111.json b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_111.json
deleted file mode 100644
index 76b454f7e60..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", "false_positives": ["Legitimate PowerShell scripts that make use of these functions."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Discovery Related Windows API Functions", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Discovery Related Windows API Functions\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries like PSReflect or Get-ProcAddress Cmdlet.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n\n### False positive analysis\n\n- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not contain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed. However, analysts should keep in mind that this is not a common way of getting information, making it suspicious.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n NetShareEnum or\n NetWkstaUserEnum or\n NetSessionEnum or\n NetLocalGroupEnum or\n NetLocalGroupGetMembers or\n DsGetSiteName or\n DsEnumerateDomainTrusts or\n WTSEnumerateSessionsEx or\n WTSQuerySessionInformation or\n LsaGetLogonSessionData or\n QueryServiceObjectSecurity or\n GetComputerNameEx or\n NetWkstaGetInfo or\n GetUserNameEx or\n NetUserEnum or\n NetUserGetInfo or\n NetGroupEnum or\n NetGroupGetInfo or\n NetGroupGetUsers or\n NetWkstaTransportEnum or\n NetServerGetInfo or\n LsaEnumerateTrustedDomains or\n NetScheduleJobEnum or\n NetUserModalsGet\n )\n and not user.id : (\"S-1-5-18\" or \"S-1-5-19\")\n", "references": ["https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e", "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging 
(Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1039", "name": "Data from Network 
Shared Drive", "reference": "https://attack.mitre.org/techniques/T1039/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 111}, "id": "61ac3638-40a3-44b2-855a-985636ca985e_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_112.json b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_112.json
deleted file mode 100644
index 3ee803b87ac..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_112.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", "false_positives": ["Legitimate PowerShell scripts that make use of these functions."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Discovery Related Windows API Functions", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Discovery Related Windows API Functions\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries like PSReflect or Get-ProcAddress Cmdlet.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n\n### False positive analysis\n\n- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not contain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed. However, analysts should keep in mind that this is not a common way of getting information, making it suspicious.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n NetShareEnum or\n NetWkstaUserEnum or\n NetSessionEnum or\n NetLocalGroupEnum or\n NetLocalGroupGetMembers or\n DsGetSiteName or\n DsEnumerateDomainTrusts or\n WTSEnumerateSessionsEx or\n WTSQuerySessionInformation or\n LsaGetLogonSessionData or\n QueryServiceObjectSecurity or\n GetComputerNameEx or\n NetWkstaGetInfo or\n GetUserNameEx or\n NetUserEnum or\n NetUserGetInfo or\n NetGroupEnum or\n NetGroupGetInfo or\n NetGroupGetUsers or\n NetWkstaTransportEnum or\n NetServerGetInfo or\n LsaEnumerateTrustedDomains or\n NetScheduleJobEnum or\n NetUserModalsGet\n )\n and not file.path : ?\\:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows?Defender?Advanced?Threat?Protection\\\\\\\\DataCollection\\\\\\\\*\n", "references": ["https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e", "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration 
>\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": 
"https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1039", "name": "Data from Network Shared Drive", "reference": "https://attack.mitre.org/techniques/T1039/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 112}, "id": "61ac3638-40a3-44b2-855a-985636ca985e_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_113.json b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_113.json
deleted file mode 100644
index 0a60a6b175b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_113.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", "false_positives": ["Legitimate PowerShell scripts that make use of these functions."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Discovery Related Windows API Functions", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Discovery Related Windows API Functions\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries like PSReflect or Get-ProcAddress Cmdlet.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n\n### False positive analysis\n\n- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not contain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed. However, analysts should keep in mind that this is not a common way of getting information, making it suspicious.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n NetShareEnum or\n NetWkstaUserEnum or\n NetSessionEnum or\n NetLocalGroupEnum or\n NetLocalGroupGetMembers or\n DsGetSiteName or\n DsEnumerateDomainTrusts or\n WTSEnumerateSessionsEx or\n WTSQuerySessionInformation or\n LsaGetLogonSessionData or\n QueryServiceObjectSecurity or\n GetComputerNameEx or\n NetWkstaGetInfo or\n GetUserNameEx or\n NetUserEnum or\n NetUserGetInfo or\n NetGroupEnum or\n NetGroupGetInfo or\n NetGroupGetUsers or\n NetWkstaTransportEnum or\n NetServerGetInfo or\n LsaEnumerateTrustedDomains or\n NetScheduleJobEnum or\n NetUserModalsGet\n )\n and not file.path : ?\\:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows?Defender?Advanced?Threat?Protection\\\\\\\\DataCollection\\\\\\\\*\n", "references": ["https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration 
>\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": 
"https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1039", "name": "Data from Network Shared Drive", "reference": "https://attack.mitre.org/techniques/T1039/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 113}, "id": "61ac3638-40a3-44b2-855a-985636ca985e_113", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_213.json b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_213.json
deleted file mode 100644
index b5493bc0907..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_213.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", "false_positives": ["Legitimate PowerShell scripts that make use of these functions."], "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Discovery Related Windows API Functions", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Discovery Related Windows API Functions\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries like PSReflect or Get-ProcAddress Cmdlet.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n\n### False positive analysis\n\n- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not contain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed. However, analysts should keep in mind that this is not a common way of getting information, making it suspicious.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n NetShareEnum or\n NetWkstaUserEnum or\n NetSessionEnum or\n NetLocalGroupEnum or\n NetLocalGroupGetMembers or\n DsGetSiteName or\n DsEnumerateDomainTrusts or\n WTSEnumerateSessionsEx or\n WTSQuerySessionInformation or\n LsaGetLogonSessionData or\n QueryServiceObjectSecurity or\n GetComputerNameEx or\n NetWkstaGetInfo or\n GetUserNameEx or\n NetUserEnum or\n NetUserGetInfo or\n NetGroupEnum or\n NetGroupGetInfo or\n NetGroupGetUsers or\n NetWkstaTransportEnum or\n NetServerGetInfo or\n LsaEnumerateTrustedDomains or\n NetScheduleJobEnum or\n NetUserModalsGet\n )\n", "references": ["https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1039", "name": "Data from Network Shared Drive", "reference": "https://attack.mitre.org/techniques/T1039/"}]}], 
"timestamp_override": "event.ingested", "type": "query", "version": 213}, "id": "61ac3638-40a3-44b2-855a-985636ca985e_213", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_214.json b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_214.json
deleted file mode 100644
index 8762edde10a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_214.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", "false_positives": ["Legitimate PowerShell scripts that make use of these functions."], "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Discovery Related Windows API Functions", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Discovery Related Windows API Functions\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries like PSReflect or Get-ProcAddress Cmdlet.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n\n### False positive analysis\n\n- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not contain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed. However, analysts should keep in mind that this is not a common way of getting information, making it suspicious.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n NetShareEnum or\n NetWkstaUserEnum or\n NetSessionEnum or\n NetLocalGroupEnum or\n NetLocalGroupGetMembers or\n DsGetSiteName or\n DsEnumerateDomainTrusts or\n WTSEnumerateSessionsEx or\n WTSQuerySessionInformation or\n LsaGetLogonSessionData or\n QueryServiceObjectSecurity or\n GetComputerNameEx or\n NetWkstaGetInfo or\n GetUserNameEx or\n NetUserEnum or\n NetUserGetInfo or\n NetGroupEnum or\n NetGroupGetInfo or\n NetGroupGetUsers or\n NetWkstaTransportEnum or\n NetServerGetInfo or\n LsaEnumerateTrustedDomains or\n NetScheduleJobEnum or\n NetUserModalsGet\n ) and\n not powershell.file.script_block_text : (\n (\"DsGetSiteName\" and (\"DiscoverWindowsComputerProperties.ps1\" and \"param($SourceType, $SourceId, $ManagedEntityId, $ComputerIdentity)\")) or\n (\"# Copyright: (c) 2018, Ansible Project\" and \"#Requires -Module Ansible.ModuleUtils.AddType\" and \"#AnsibleRequires -CSharpUtil Ansible.Basic\") or\n (\"Ansible.Windows.Setup\" and \"Ansible.Windows.Setup\" and \"NativeMethods.NetWkstaGetInfo(null, 100, out netBuffer);\")\n )\n", "references": ["https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": 
"unknown"}], "risk_score": 21, "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": 
"PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1039", "name": "Data from Network Shared Drive", "reference": "https://attack.mitre.org/techniques/T1039/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 214}, "id": "61ac3638-40a3-44b2-855a-985636ca985e_214", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_215.json b/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_215.json deleted file mode 100644 index 137b5f2b75a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/61ac3638-40a3-44b2-855a-985636ca985e_215.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.", "false_positives": ["Legitimate PowerShell scripts that make use of these functions."], "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Discovery Related Windows API Functions", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Discovery Related Windows API Functions\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell to interact with the Win32 API to bypass command line based detections, using libraries like PSReflect or Get-ProcAddress Cmdlet.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Check for additional PowerShell and command-line logs that indicate that imported functions were run.\n\n### False positive analysis\n\n- Discovery activities themselves are not inherently malicious if occurring in isolation, as long as the script does not contain other capabilities, and there are no other alerts related to the user or host; such alerts can be dismissed. However, analysts should keep in mind that this is not a common way of getting information, making it suspicious.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n NetShareEnum or\n NetWkstaUserEnum or\n NetSessionEnum or\n NetLocalGroupEnum or\n NetLocalGroupGetMembers or\n DsGetSiteName or\n DsEnumerateDomainTrusts or\n WTSEnumerateSessionsEx or\n WTSQuerySessionInformation or\n LsaGetLogonSessionData or\n QueryServiceObjectSecurity or\n GetComputerNameEx or\n NetWkstaGetInfo or\n GetUserNameEx or\n NetUserEnum or\n NetUserGetInfo or\n NetGroupEnum or\n NetGroupGetInfo or\n NetGroupGetUsers or\n NetWkstaTransportEnum or\n NetServerGetInfo or\n LsaEnumerateTrustedDomains or\n NetScheduleJobEnum or\n NetUserModalsGet\n ) and\n not powershell.file.script_block_text : (\n (\"DsGetSiteName\" and (\"DiscoverWindowsComputerProperties.ps1\" and \"param($SourceType, $SourceId, $ManagedEntityId, $ComputerIdentity)\")) or\n (\"# Copyright: (c) 2018, Ansible Project\" and \"#Requires -Module Ansible.ModuleUtils.AddType\" and \"#AnsibleRequires -CSharpUtil Ansible.Basic\") or\n (\"Ansible.Windows.Setup\" and \"Ansible.Windows.Setup\" and \"NativeMethods.NetWkstaGetInfo(null, 100, out netBuffer);\")\n )\n", "references": ["https://github.com/BC-SECURITY/Empire/blob/9259e5106986847d2bb770c4289c0c0f1adf2344/data/module_source/situational_awareness/network/powerview.ps1#L21413", "https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": 
"unknown"}], "risk_score": 21, "rule_id": "61ac3638-40a3-44b2-855a-985636ca985e", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": 
"PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1039", "name": "Data from Network Shared Drive", "reference": "https://attack.mitre.org/techniques/T1039/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 215}, "id": "61ac3638-40a3-44b2-855a-985636ca985e_215", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7.json b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7.json
deleted file mode 100644
index 3326fa6d02b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "AdminSDHolder SDProp Exclusion Added", "note": "## Triage and analysis\n\n### Investigating AdminSDHolder SDProp Exclusion Added\n\nThe SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. 
If the permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected accounts and groups to match those defined in the domain AdminSDHolder object.\n\nThe dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is used to determine the behavior of Active Directory.\n\nAdministrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the 16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s):\n\n- For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character is set to 1 (i.e., 0000000001000001).\n\nThe usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high privileges.\n\nThis rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field:\n - Account Operators eq 1\n - Server Operators eq 2\n - Print Operators eq 4\n - Backup Operators eq 8\n The field value can range from 0 to f (15). If more than one group is specified, the values will be summed together; for example, Backup Operators and Print Operators will set the `c` value on the bit.\n\n### False positive analysis\n\n- While this modification can be done legitimately, it is not a best practice. 
Any potential benign true positive (B-TP) should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.\n\n### Response and remediation\n\n- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where event.action in (\"Directory Service Changes\", \"directory-service-object-modified\") and\n event.code == \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName : \"dSHeuristics\" and\n length(winlog.event_data.AttributeValue) > 15 and\n winlog.event_data.AttributeValue regex~ \"[0-9]{15}([1-9a-f]).*\"\n", "references": ["https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad", "https://petri.com/active-directory-security-understanding-adminsdholder-object"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}], "risk_score": 73, "rule_id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not 
added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}, {"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_105.json b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_105.json
deleted file mode 100644
index 4434d71a0ef..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "AdminSDHolder SDProp Exclusion Added", "note": "## Triage and analysis\n\n### Investigating AdminSDHolder SDProp Exclusion Added\n\nThe SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. 
If the permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected accounts and groups to match those defined in the domain AdminSDHolder object.\n\nThe dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is used to determine the behavior of Active Directory.\n\nAdministrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the 16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s):\n\n- For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character is set to 1 (i.e., 0000000001000001).\n\nThe usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high privileges.\n\nThis rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field:\n - Account Operators eq 1\n - Server Operators eq 2\n - Print Operators eq 4\n - Backup Operators eq 8\n The field value can range from 0 to f (15). If more than one group is specified, the values will be summed together; for example, Backup Operators and Print Operators will set the `c` value on the bit.\n\n### False positive analysis\n\n- While this modification can be done legitimately, it is not a best practice. 
Any potential benign true positive (B-TP) should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.\n\n### Response and remediation\n\n- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "any where host.os.type == \"windows\" and event.action == \"Directory Service Changes\" and\n event.code == \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName : \"dSHeuristics\" and\n length(winlog.event_data.AttributeValue) > 15 and\n winlog.event_data.AttributeValue regex~ \"[0-9]{15}([1-9a-f]).*\"\n", "references": ["https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad", "https://petri.com/active-directory-security-understanding-adminsdholder-object"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}], "risk_score": 73, "rule_id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7", "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and 
default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Active Directory", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_106.json b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_106.json
deleted file mode 100644
index 9ef250aa330..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "AdminSDHolder SDProp Exclusion Added", "note": "## Triage and analysis\n\n### Investigating AdminSDHolder SDProp Exclusion Added\n\nThe SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. 
If the permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected accounts and groups to match those defined in the domain AdminSDHolder object.\n\nThe dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is used to determine the behavior of Active Directory.\n\nAdministrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the 16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s):\n\n- For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character is set to 1 (i.e., 0000000001000001).\n\nThe usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high privileges.\n\nThis rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field:\n - Account Operators eq 1\n - Server Operators eq 2\n - Print Operators eq 4\n - Backup Operators eq 8\n The field value can range from 0 to f (15). If more than one group is specified, the values will be summed together; for example, Backup Operators and Print Operators will set the `c` value on the bit.\n\n### False positive analysis\n\n- While this modification can be done legitimately, it is not a best practice. 
Any potential benign true positive (B-TP) should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.\n\n### Response and remediation\n\n- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "any where event.action == \"Directory Service Changes\" and\n event.code == \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName : \"dSHeuristics\" and\n length(winlog.event_data.AttributeValue) > 15 and\n winlog.event_data.AttributeValue regex~ \"[0-9]{15}([1-9a-f]).*\"\n", "references": ["https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad", "https://petri.com/active-directory-security-understanding-adminsdholder-object"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}], "risk_score": 73, "rule_id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7", "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom 
pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Active Directory", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_107.json b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_107.json
deleted file mode 100644
index 36de3e1d299..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "AdminSDHolder SDProp Exclusion Added", "note": "## Triage and analysis\n\n### Investigating AdminSDHolder SDProp Exclusion Added\n\nThe SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. 
If the permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected accounts and groups to match those defined in the domain AdminSDHolder object.\n\nThe dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is used to determine the behavior of Active Directory.\n\nAdministrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the 16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s):\n\n- For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character is set to 1 (i.e., 0000000001000001).\n\nThe usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high privileges.\n\nThis rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field:\n - Account Operators eq 1\n - Server Operators eq 2\n - Print Operators eq 4\n - Backup Operators eq 8\n The field value can range from 0 to f (15). If more than one group is specified, the values will be summed together; for example, Backup Operators and Print Operators will set the `c` value on the bit.\n\n### False positive analysis\n\n- While this modification can be done legitimately, it is not a best practice. 
Any potential benign true positive (B-TP) should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.\n\n### Response and remediation\n\n- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "any where event.action == \"Directory Service Changes\" and\n event.code == \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName : \"dSHeuristics\" and\n length(winlog.event_data.AttributeValue) > 15 and\n winlog.event_data.AttributeValue regex~ \"[0-9]{15}([1-9a-f]).*\"\n", "references": ["https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad", "https://petri.com/active-directory-security-understanding-adminsdholder-object"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}], "risk_score": 73, "rule_id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7", "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom 
pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_108.json b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_108.json
deleted file mode 100644
index 9a51b33b975..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "AdminSDHolder SDProp Exclusion Added", "note": "## Triage and analysis\n\n### Investigating AdminSDHolder SDProp Exclusion Added\n\nThe SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. 
If the permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected accounts and groups to match those defined in the domain AdminSDHolder object.\n\nThe dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is used to determine the behavior of Active Directory.\n\nAdministrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the 16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s):\n\n- For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character is set to 1 (i.e., 0000000001000001).\n\nThe usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high privileges.\n\nThis rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field:\n - Account Operators eq 1\n - Server Operators eq 2\n - Print Operators eq 4\n - Backup Operators eq 8\n The field value can range from 0 to f (15). If more than one group is specified, the values will be summed together; for example, Backup Operators and Print Operators will set the `c` value on the bit.\n\n### False positive analysis\n\n- While this modification can be done legitimately, it is not a best practice. 
Any potential benign true positive (B-TP) should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.\n\n### Response and remediation\n\n- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "any where event.action == \"Directory Service Changes\" and\n event.code == \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName : \"dSHeuristics\" and\n length(winlog.event_data.AttributeValue) > 15 and\n winlog.event_data.AttributeValue regex~ \"[0-9]{15}([1-9a-f]).*\"\n", "references": ["https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad", "https://petri.com/active-directory-security-understanding-adminsdholder-object"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}], "risk_score": 73, "rule_id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7", "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom 
pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}, {"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_109.json b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_109.json deleted file mode 100644 index 5f451f291b2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "AdminSDHolder SDProp Exclusion Added", "note": "## Triage and analysis\n\n### Investigating AdminSDHolder SDProp Exclusion Added\n\nThe SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. 
If the permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected accounts and groups to match those defined in the domain AdminSDHolder object.\n\nThe dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is used to determine the behavior of Active Directory.\n\nAdministrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the 16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s):\n\n- For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character is set to 1 (i.e., 0000000001000001).\n\nThe usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high privileges.\n\nThis rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field:\n - Account Operators eq 1\n - Server Operators eq 2\n - Print Operators eq 4\n - Backup Operators eq 8\n The field value can range from 0 to f (15). If more than one group is specified, the values will be summed together; for example, Backup Operators and Print Operators will set the `c` value on the bit.\n\n### False positive analysis\n\n- While this modification can be done legitimately, it is not a best practice. 
Any potential benign true positive (B-TP) should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.\n\n### Response and remediation\n\n- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "any where event.action == \"Directory Service Changes\" and\n event.code == \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName : \"dSHeuristics\" and\n length(winlog.event_data.AttributeValue) > 15 and\n winlog.event_data.AttributeValue regex~ \"[0-9]{15}([1-9a-f]).*\"\n", "references": ["https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad", "https://petri.com/active-directory-security-understanding-adminsdholder-object"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}], "risk_score": 73, "rule_id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7", "setup": "\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to 
work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}, {"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_110.json b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_110.json deleted file mode 100644 index ade5f071bd3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "AdminSDHolder SDProp Exclusion Added", "note": "## Triage and analysis\n\n### Investigating AdminSDHolder SDProp Exclusion Added\n\nThe SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. 
If the permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected accounts and groups to match those defined in the domain AdminSDHolder object.\n\nThe dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is used to determine the behavior of Active Directory.\n\nAdministrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the 16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s):\n\n- For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character is set to 1 (i.e., 0000000001000001).\n\nThe usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high privileges.\n\nThis rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field:\n - Account Operators eq 1\n - Server Operators eq 2\n - Print Operators eq 4\n - Backup Operators eq 8\n The field value can range from 0 to f (15). If more than one group is specified, the values will be summed together; for example, Backup Operators and Print Operators will set the `c` value on the bit.\n\n### False positive analysis\n\n- While this modification can be done legitimately, it is not a best practice. 
Any potential benign true positive (B-TP) should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.\n\n### Response and remediation\n\n- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where event.action == \"Directory Service Changes\" and\n event.code == \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName : \"dSHeuristics\" and\n length(winlog.event_data.AttributeValue) > 15 and\n winlog.event_data.AttributeValue regex~ \"[0-9]{15}([1-9a-f]).*\"\n", "references": ["https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad", "https://petri.com/active-directory-security-understanding-adminsdholder-object"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}], "risk_score": 73, "rule_id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this 
rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}, {"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_111.json b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_111.json deleted file mode 100644 index 7c83f4a3f9b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "AdminSDHolder SDProp Exclusion Added", "note": "## Triage and analysis\n\n### Investigating AdminSDHolder SDProp Exclusion Added\n\nThe SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. 
If the permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected accounts and groups to match those defined in the domain AdminSDHolder object.\n\nThe dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is used to determine the behavior of Active Directory.\n\nAdministrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the 16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s):\n\n- For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character is set to 1 (i.e., 0000000001000001).\n\nThe usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high privileges.\n\nThis rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field:\n - Account Operators eq 1\n - Server Operators eq 2\n - Print Operators eq 4\n - Backup Operators eq 8\n The field value can range from 0 to f (15). If more than one group is specified, the values will be summed together; for example, Backup Operators and Print Operators will set the `c` value on the bit.\n\n### False positive analysis\n\n- While this modification can be done legitimately, it is not a best practice. 
Any potential benign true positive (B-TP) should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.\n\n### Response and remediation\n\n- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where event.action in (\"Directory Service Changes\", \"directory-service-object-modified\") and\n event.code == \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName : \"dSHeuristics\" and\n length(winlog.event_data.AttributeValue) > 15 and\n winlog.event_data.AttributeValue regex~ \"[0-9]{15}([1-9a-f]).*\"\n", "references": ["https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad", "https://petri.com/active-directory-security-understanding-adminsdholder-object"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}], "risk_score": 73, "rule_id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not 
added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}, {"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_112.json b/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_112.json deleted file mode 100644 index 957162d2337..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_112.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these groups.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "AdminSDHolder SDProp Exclusion Added", "note": "## Triage and analysis\n\n### Investigating AdminSDHolder SDProp Exclusion Added\n\nThe SDProp process compares the permissions on protected objects with those defined on the AdminSDHolder object. 
If the permissions on any of the protected accounts and groups do not match, it resets the permissions on the protected accounts and groups to match those defined in the domain AdminSDHolder object.\n\nThe dSHeuristics is a Unicode string attribute, in which each character in the string represents a heuristic that is used to determine the behavior of Active Directory.\n\nAdministrators can use the dSHeuristics attribute to exclude privilege groups from the SDProp process by setting the 16th bit (dwAdminSDExMask) of the string to a certain value, which represents the group(s):\n\n- For example, to exclude the Account Operators group, an administrator would modify the string, so the 16th character is set to 1 (i.e., 0000000001000001).\n\nThe usage of this exclusion can leave the accounts unprotected and facilitate the misconfiguration of privileges for the excluded groups, enabling attackers to add accounts to these groups to maintain long-term persistence with high privileges.\n\nThis rule matches changes of the dsHeuristics object where the 16th bit is set to a value other than zero.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the value assigned to the 16th bit of the string on the `winlog.event_data.AttributeValue` field:\n - Account Operators eq 1\n - Server Operators eq 2\n - Print Operators eq 4\n - Backup Operators eq 8\n The field value can range from 0 to f (15). If more than one group is specified, the values will be summed together; for example, Backup Operators and Print Operators will set the `c` value on the bit.\n\n### False positive analysis\n\n- While this modification can be done legitimately, it is not a best practice. 
Any potential benign true positive (B-TP) should be mapped and reviewed by the security team for alternatives as this weakens the security of the privileged group.\n\n### Response and remediation\n\n- The change can be reverted by setting the dwAdminSDExMask (16th bit) to 0 in dSHeuristics.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where event.action in (\"Directory Service Changes\", \"directory-service-object-modified\") and\n event.code == \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName : \"dSHeuristics\" and\n length(winlog.event_data.AttributeValue) > 15 and\n winlog.event_data.AttributeValue regex~ \"[0-9]{15}([1-9a-f]).*\"\n", "references": ["https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dsheuristics_bad", "https://petri.com/active-directory-security-understanding-adminsdholder-object"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}], "risk_score": 73, "rule_id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not 
added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}, {"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/621e92b6-7e54-11ee-bdc0-f661ea17fbcd.json b/packages/security_detection_engine/kibana/security_rule/621e92b6-7e54-11ee-bdc0-f661ea17fbcd.json deleted file mode 100644 index c60ba86cd2c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/621e92b6-7e54-11ee-bdc0-f661ea17fbcd.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a different location.", "false_positives": ["A user may have multiple sessions open at the same time, such as on a mobile device and a laptop."], "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Multiple Okta Sessions Detected for a Single User", "note": "", "query": "event.dataset:okta.system and okta.event_type:user.session.start and okta.authentication_context.external_session_id:*\n and not (okta.actor.id: okta* or okta.actor.display_name: okta*)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.actor.display_name", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.authentication_context.external_session_id", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}], "risk_score": 47, "rule_id": "621e92b6-7e54-11ee-bdc0-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": 
"Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.004", "name": "Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1550/004/"}]}]}], "threshold": {"cardinality": [{"field": "okta.authentication_context.external_session_id", "value": 3}], "field": ["okta.actor.id"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 2}, "id": "621e92b6-7e54-11ee-bdc0-f661ea17fbcd", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/621e92b6-7e54-11ee-bdc0-f661ea17fbcd_1.json b/packages/security_detection_engine/kibana/security_rule/621e92b6-7e54-11ee-bdc0-f661ea17fbcd_1.json deleted file mode 100644 index 4b8f8f4e171..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/621e92b6-7e54-11ee-bdc0-f661ea17fbcd_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a different location.", "false_positives": ["A user may have multiple sessions open at the same time, such as on a mobile device and a laptop."], "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Multiple Okta Sessions Detected for a Single User", "note": "", "query": "event.dataset:okta.system and okta.event_type:user.session.start and okta.authentication_context.external_session_id:*\n and not (okta.actor.id: okta* or okta.actor.display_name: okta*) \n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.actor.display_name", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.authentication_context.external_session_id", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}], "risk_score": 47, "rule_id": "621e92b6-7e54-11ee-bdc0-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": 
"Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.004", "name": "Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1550/004/"}]}]}], "threshold": {"cardinality": [{"field": "okta.authentication_context.external_session_id", "value": 3}], "field": ["okta.actor.id"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 1}, "id": "621e92b6-7e54-11ee-bdc0-f661ea17fbcd_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/621e92b6-7e54-11ee-bdc0-f661ea17fbcd_105.json b/packages/security_detection_engine/kibana/security_rule/621e92b6-7e54-11ee-bdc0-f661ea17fbcd_105.json new file mode 100644 index 00000000000..76c2a9a988a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/621e92b6-7e54-11ee-bdc0-f661ea17fbcd_105.json 
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a different location.", + "false_positives": [ + "A user may have multiple sessions open at the same time, such as on a mobile device and a laptop." + ], + "from": "now-30m", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "interval": "60m", + "language": "kuery", + "license": "Elastic License v2", + "name": "Multiple Okta Sessions Detected for a Single User", + "note": "", + "query": "event.dataset:okta.system and okta.event_type:user.session.start and okta.authentication_context.external_session_id:*\n and not (okta.actor.id: okta* or okta.actor.display_name: okta*)\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", + "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.actor.display_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.actor.id", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.authentication_context.external_session_id", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.event_type", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "621e92b6-7e54-11ee-bdc0-f661ea17fbcd", + "setup": 
"The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Tactic: Lateral Movement" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0008", + "name": "Lateral Movement", + "reference": "https://attack.mitre.org/tactics/TA0008/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.004", + "name": "Web Session Cookie", + "reference": "https://attack.mitre.org/techniques/T1550/004/" + } + ] + } + ] + } + ], + "threshold": { + "cardinality": [ + { + "field": "okta.authentication_context.external_session_id", + "value": 3 + } + ], + "field": [ + "okta.actor.id" + ], + "value": 1 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 105 + }, + "id": "621e92b6-7e54-11ee-bdc0-f661ea17fbcd_105", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/621e92b6-7e54-11ee-bdc0-f661ea17fbcd_2.json b/packages/security_detection_engine/kibana/security_rule/621e92b6-7e54-11ee-bdc0-f661ea17fbcd_2.json deleted file mode 100644 index ebf6e69207d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/621e92b6-7e54-11ee-bdc0-f661ea17fbcd_2.json +++ /dev/null 
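Review bot: The scheduling in this new rule version leaves a coverage gap: `"from": "now-30m"` combined with `"interval": "60m"` means each run only evaluates the most recent 30 minutes, so `user.session.start` events landing in the other 30 minutes of every hour are never counted toward the three-session cardinality threshold, unless some scheduler padding outside this file compensates. A lookback that covers the interval plus a small margin, e.g. `"from": "now-65m"`, or an interval no longer than the window, would close the gap, and since `timestamp_override` is `event.ingested` the margin should also absorb ingestion delay. The `"note": ""` field ships the rule without an investigation guide; a short triage note telling the analyst to compare the source address, client details and MFA status of the distinct `external_session_id` values for the flagged `okta.actor.id`, and to treat a mobile-plus-laptop pair as the documented benign case, would make the alert actionable.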
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a different location.", "false_positives": ["A user may have multiple sessions open at the same time, such as on a mobile device and a laptop."], "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Multiple Okta Sessions Detected for a Single User", "note": "", "query": "event.dataset:okta.system and okta.event_type:user.session.start and okta.authentication_context.external_session_id:*\n and not (okta.actor.id: okta* or okta.actor.display_name: okta*)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.actor.display_name", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.authentication_context.external_session_id", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}], "risk_score": 47, "rule_id": "621e92b6-7e54-11ee-bdc0-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": 
"Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.004", "name": "Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1550/004/"}]}]}], "threshold": {"cardinality": [{"field": "okta.authentication_context.external_session_id", "value": 3}], "field": ["okta.actor.id"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 2}, "id": "621e92b6-7e54-11ee-bdc0-f661ea17fbcd_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/621e92b6-7e54-11ee-bdc0-f661ea17fbcd_3.json b/packages/security_detection_engine/kibana/security_rule/621e92b6-7e54-11ee-bdc0-f661ea17fbcd_3.json deleted file mode 100644 index 356e9c21f3f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/621e92b6-7e54-11ee-bdc0-f661ea17fbcd_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a different location.", "false_positives": ["A user may have multiple sessions open at the same time, such as on a mobile device and a laptop."], "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Multiple Okta Sessions Detected for a Single User", "note": "", "query": "event.dataset:okta.system and okta.event_type:user.session.start and okta.authentication_context.external_session_id:*\n and not (okta.actor.id: okta* or okta.actor.display_name: okta*)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.actor.display_name", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.authentication_context.external_session_id", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}], "risk_score": 47, "rule_id": "621e92b6-7e54-11ee-bdc0-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": 
["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.004", "name": "Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1550/004/"}]}]}], "threshold": {"cardinality": [{"field": "okta.authentication_context.external_session_id", "value": 3}], "field": ["okta.actor.id"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 3}, "id": "621e92b6-7e54-11ee-bdc0-f661ea17fbcd_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/621e92b6-7e54-11ee-bdc0-f661ea17fbcd_5.json b/packages/security_detection_engine/kibana/security_rule/621e92b6-7e54-11ee-bdc0-f661ea17fbcd_5.json deleted file mode 100644 index 35f2f369707..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/621e92b6-7e54-11ee-bdc0-f661ea17fbcd_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a different location.", "false_positives": ["A user may have multiple sessions open at the same time, such as on a mobile device and a laptop."], "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Multiple Okta Sessions Detected for a Single User", "note": "", "query": "event.dataset:okta.system and okta.event_type:user.session.start and okta.authentication_context.external_session_id:*\n and not (okta.actor.id: okta* or okta.actor.display_name: okta*)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.actor.display_name", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.authentication_context.external_session_id", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}], "risk_score": 47, "rule_id": "621e92b6-7e54-11ee-bdc0-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": 
["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.004", "name": "Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1550/004/"}]}]}], "threshold": {"cardinality": [{"field": "okta.authentication_context.external_session_id", "value": 3}], "field": ["okta.actor.id"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 5}, "id": "621e92b6-7e54-11ee-bdc0-f661ea17fbcd_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520.json b/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520.json deleted file mode 100644 index 7db2385203f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming DCOM Lateral Movement via MSHTA", "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"mshta.exe\" and process.args : \"-Embedding\"\n ] by host.id, process.entity_id\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mshta.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port > 49151 and destination.port > 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n", "references": ["https://codewhitesec.blogspot.com/2018/07/lethalhta.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": 
"long"}], "risk_score": 73, "rule_id": "622ecb68-fa81-4601-90b5-f8cd661e4520", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.003", "name": "Distributed Component Object Model", "reference": "https://attack.mitre.org/techniques/T1021/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}]}]}], "type": "eql", "version": 107}, "id": "622ecb68-fa81-4601-90b5-f8cd661e4520", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_103.json b/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_103.json deleted file mode 100644 index 9b2ab9b849b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming DCOM Lateral Movement via MSHTA", "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"mshta.exe\" and process.args : \"-Embedding\"\n ] by host.id, process.entity_id\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mshta.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port > 49151 and destination.port > 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n", "references": ["https://codewhitesec.blogspot.com/2018/07/lethalhta.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 73, "rule_id": 
"622ecb68-fa81-4601-90b5-f8cd661e4520", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.003", "name": "Distributed Component Object Model", "reference": "https://attack.mitre.org/techniques/T1021/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}]}]}], "type": "eql", "version": 103}, "id": "622ecb68-fa81-4601-90b5-f8cd661e4520_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_104.json b/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_104.json deleted file mode 100644 index a47a555fe86..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming DCOM Lateral Movement via MSHTA", "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"mshta.exe\" and process.args : \"-Embedding\"\n ] by host.id, process.entity_id\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mshta.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port > 49151 and destination.port > 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n", "references": ["https://codewhitesec.blogspot.com/2018/07/lethalhta.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 73, "rule_id": 
"622ecb68-fa81-4601-90b5-f8cd661e4520", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.003", "name": "Distributed Component Object Model", "reference": "https://attack.mitre.org/techniques/T1021/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}]}]}], "type": "eql", "version": 104}, "id": "622ecb68-fa81-4601-90b5-f8cd661e4520_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_105.json b/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_105.json deleted file mode 100644 index 47793ed7de1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming DCOM Lateral Movement via MSHTA", "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"mshta.exe\" and process.args : \"-Embedding\"\n ] by host.id, process.entity_id\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mshta.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port > 49151 and destination.port > 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n", "references": ["https://codewhitesec.blogspot.com/2018/07/lethalhta.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 73, "rule_id": 
"622ecb68-fa81-4601-90b5-f8cd661e4520", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.003", "name": "Distributed Component Object Model", "reference": "https://attack.mitre.org/techniques/T1021/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}]}]}], "type": "eql", "version": 105}, "id": "622ecb68-fa81-4601-90b5-f8cd661e4520_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_106.json b/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_106.json deleted file mode 100644 index cf8250082c2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_106.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming DCOM Lateral Movement via MSHTA", "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"mshta.exe\" and process.args : \"-Embedding\"\n ] by host.id, process.entity_id\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mshta.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port > 49151 and destination.port > 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n", "references": ["https://codewhitesec.blogspot.com/2018/07/lethalhta.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 73, "rule_id": 
"622ecb68-fa81-4601-90b5-f8cd661e4520", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.003", "name": "Distributed Component Object Model", "reference": "https://attack.mitre.org/techniques/T1021/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}]}]}], "type": "eql", "version": 106}, "id": "622ecb68-fa81-4601-90b5-f8cd661e4520_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_107.json b/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_107.json
deleted file mode 100644
index 923bb284246..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/622ecb68-fa81-4601-90b5-f8cd661e4520_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of Distributed Component Object Model (DCOM) to execute commands from a remote host, which are launched via the HTA Application COM Object. This behavior may indicate an attacker abusing a DCOM application to move laterally while attempting to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming DCOM Lateral Movement via MSHTA", "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"mshta.exe\" and process.args : \"-Embedding\"\n ] by host.id, process.entity_id\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mshta.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port > 49151 and destination.port > 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n", "references": ["https://codewhitesec.blogspot.com/2018/07/lethalhta.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": 
"long"}], "risk_score": 73, "rule_id": "622ecb68-fa81-4601-90b5-f8cd661e4520", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.003", "name": "Distributed Component Object Model", "reference": "https://attack.mitre.org/techniques/T1021/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}]}]}], "type": "eql", "version": 107}, "id": "622ecb68-fa81-4601-90b5-f8cd661e4520_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2.json b/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2.json
deleted file mode 100644
index c066521ab20..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the creation and modification of an account with the \"Don't Expire Password\" option Enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property.", "false_positives": ["User accounts can be used as service accounts and have their password set never to expire. This is a bad security practice that exposes the account to Credential Access attacks. For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Account Configured with Never-Expiring Password", "note": "## Triage and analysis\n\n### Investigating Account Configured with Never-Expiring Password\n\nActive Directory provides a setting that prevents users' passwords from expiring. Enabling this setting is bad practice and can expose environments to vulnerabilities that weaken security posture, especially when these accounts are privileged.\n\nThe setting is usually configured so a user account can act as a service account. Attackers can abuse these accounts to persist in the domain and maintain long-term access using compromised accounts with a never-expiring password set.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Inspect the account for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n- Using user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor potential benign true positives (B-TPs), especially if the account is privileged. For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Reset the password of the account and update its password settings.\n- Search for other occurrences on the domain.\n - Using the [Active Directory PowerShell module](https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser):\n - `get-aduser -filter { passwordNeverExpires -eq $true -and enabled -eq $true } | ft`\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:\"modified-user-account\" and winlog.api:\"wineventlog\" and event.code:\"4738\" and\n message:\"'Don't Expire Password' - Enabled\" and not user.id:\"S-1-5-18\"\n", "references": ["https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire", "http://web.archive.org/web/20230329171952/https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}], "risk_score": 47, "rule_id": "62a70f6f-3c37-43df-a556-f64fa475fba2", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 109}, "id": "62a70f6f-3c37-43df-a556-f64fa475fba2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_105.json b/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_105.json
deleted file mode 100644
index b907ada9937..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the creation and modification of an account with the \"Don't Expire Password\" option Enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property.", "false_positives": ["User accounts can be used as service accounts and have their password set never to expire. This is a bad security practice that exposes the account to Credential Access attacks. For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Account Configured with Never-Expiring Password", "note": "## Triage and analysis\n\n### Investigating Account Configured with Never-Expiring Password\n\nActive Directory provides a setting that prevents users' passwords from expiring. Enabling this setting is bad practice and can expose environments to vulnerabilities that weaken security posture, especially when these accounts are privileged.\n\nThe setting is usually configured so a user account can act as a service account. Attackers can abuse these accounts to persist in the domain and maintain long-term access using compromised accounts with a never-expiring password set.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Inspect the account for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n- Using user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor potential benign true positives (B-TPs), especially if the account is privileged. For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Reset the password of the account and update its password settings.\n- Search for other occurrences on the domain.\n - Using the [Active Directory PowerShell module](https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser):\n - `get-aduser -filter { passwordNeverExpires -eq $true -and enabled -eq $true } | ft`\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:\"modified-user-account\" and host.os.type:windows and event.code:\"4738\" and\n message:\"'Don't Expire Password' - Enabled\" and not user.id:\"S-1-5-18\"\n", "references": ["https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire", "https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "62a70f6f-3c37-43df-a556-f64fa475fba2", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Active Directory", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "62a70f6f-3c37-43df-a556-f64fa475fba2_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_106.json b/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_106.json
deleted file mode 100644
index 486233a76b9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the creation and modification of an account with the \"Don't Expire Password\" option Enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property.", "false_positives": ["User accounts can be used as service accounts and have their password set never to expire. This is a bad security practice that exposes the account to Credential Access attacks. For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Account Configured with Never-Expiring Password", "note": "## Triage and analysis\n\n### Investigating Account Configured with Never-Expiring Password\n\nActive Directory provides a setting that prevents users' passwords from expiring. Enabling this setting is bad practice and can expose environments to vulnerabilities that weaken security posture, especially when these accounts are privileged.\n\nThe setting is usually configured so a user account can act as a service account. Attackers can abuse these accounts to persist in the domain and maintain long-term access using compromised accounts with a never-expiring password set.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Inspect the account for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n- Using user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor potential benign true positives (B-TPs), especially if the account is privileged. For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Reset the password of the account and update its password settings.\n- Search for other occurrences on the domain.\n - Using the [Active Directory PowerShell module](https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser):\n - `get-aduser -filter { passwordNeverExpires -eq $true -and enabled -eq $true } | ft`\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:\"modified-user-account\" and winlog.api:\"wineventlog\" and event.code:\"4738\" and\n message:\"'Don't Expire Password' - Enabled\" and not user.id:\"S-1-5-18\"\n", "references": ["https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire", "https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}], "risk_score": 47, "rule_id": "62a70f6f-3c37-43df-a556-f64fa475fba2", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Active Directory", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "62a70f6f-3c37-43df-a556-f64fa475fba2_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_107.json b/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_107.json
deleted file mode 100644
index 5cfd0861df9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the creation and modification of an account with the \"Don't Expire Password\" option Enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property.", "false_positives": ["User accounts can be used as service accounts and have their password set never to expire. This is a bad security practice that exposes the account to Credential Access attacks. For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Account Configured with Never-Expiring Password", "note": "## Triage and analysis\n\n### Investigating Account Configured with Never-Expiring Password\n\nActive Directory provides a setting that prevents users' passwords from expiring. Enabling this setting is bad practice and can expose environments to vulnerabilities that weaken security posture, especially when these accounts are privileged.\n\nThe setting is usually configured so a user account can act as a service account. Attackers can abuse these accounts to persist in the domain and maintain long-term access using compromised accounts with a never-expiring password set.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Inspect the account for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n- Using user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor potential benign true positives (B-TPs), especially if the account is privileged. For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Reset the password of the account and update its password settings.\n- Search for other occurrences on the domain.\n - Using the [Active Directory PowerShell module](https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser):\n - `get-aduser -filter { passwordNeverExpires -eq $true -and enabled -eq $true } | ft`\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:\"modified-user-account\" and winlog.api:\"wineventlog\" and event.code:\"4738\" and\n message:\"'Don't Expire Password' - Enabled\" and not user.id:\"S-1-5-18\"\n", "references": ["https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire", "https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}], "risk_score": 47, "rule_id": "62a70f6f-3c37-43df-a556-f64fa475fba2", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "62a70f6f-3c37-43df-a556-f64fa475fba2_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_108.json b/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_108.json
deleted file mode 100644
index 83f6159f493..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation and modification of an account with the \"Don't Expire Password\" option Enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property.", "false_positives": ["User accounts can be used as service accounts and have their password set never to expire. This is a bad security practice that exposes the account to Credential Access attacks. For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Account Configured with Never-Expiring Password", "note": "## Triage and analysis\n\n### Investigating Account Configured with Never-Expiring Password\n\nActive Directory provides a setting that prevents users' passwords from expiring. Enabling this setting is bad practice and can expose environments to vulnerabilities that weaken security posture, especially when these accounts are privileged.\n\nThe setting is usually configured so a user account can act as a service account. Attackers can abuse these accounts to persist in the domain and maintain long-term access using compromised accounts with a never-expiring password set.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Inspect the account for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n- Using user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor potential benign true positives (B-TPs), especially if the account is privileged. For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Reset the password of the account and update its password settings.\n- Search for other occurrences on the domain.\n - Using the [Active Directory PowerShell module](https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser):\n - `get-aduser -filter { passwordNeverExpires -eq $true -and enabled -eq $true } | ft`\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:\"modified-user-account\" and winlog.api:\"wineventlog\" and event.code:\"4738\" and\n message:\"'Don't Expire Password' - Enabled\" and not user.id:\"S-1-5-18\"\n", "references": ["https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire", "http://web.archive.org/web/20230329171952/https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}], "risk_score": 47, "rule_id": "62a70f6f-3c37-43df-a556-f64fa475fba2", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "62a70f6f-3c37-43df-a556-f64fa475fba2_108", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_109.json b/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_109.json
deleted file mode 100644
index 01361027ac3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation and modification of an account with the \"Don't Expire Password\" option Enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property.", "false_positives": ["User accounts can be used as service accounts and have their password set never to expire. This is a bad security practice that exposes the account to Credential Access attacks. For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Account Configured with Never-Expiring Password", "note": "## Triage and analysis\n\n### Investigating Account Configured with Never-Expiring Password\n\nActive Directory provides a setting that prevents users' passwords from expiring. Enabling this setting is bad practice and can expose environments to vulnerabilities that weaken security posture, especially when these accounts are privileged.\n\nThe setting is usually configured so a user account can act as a service account. Attackers can abuse these accounts to persist in the domain and maintain long-term access using compromised accounts with a never-expiring password set.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Inspect the account for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n- Using user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor potential benign true positives (B-TPs), especially if the account is privileged. For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Reset the password of the account and update its password settings.\n- Search for other occurrences on the domain.\n - Using the [Active Directory PowerShell module](https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser):\n - `get-aduser -filter { passwordNeverExpires -eq $true -and enabled -eq $true } | ft`\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:\"modified-user-account\" and winlog.api:\"wineventlog\" and event.code:\"4738\" and\n message:\"'Don't Expire Password' - Enabled\" and not user.id:\"S-1-5-18\"\n", "references": ["https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire", "http://web.archive.org/web/20230329171952/https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}], "risk_score": 47, "rule_id": "62a70f6f-3c37-43df-a556-f64fa475fba2", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 109}, "id": "62a70f6f-3c37-43df-a556-f64fa475fba2_109", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_110.json b/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_110.json
deleted file mode 100644
index e8f75a673cc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/62a70f6f-3c37-43df-a556-f64fa475fba2_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation and modification of an account with the \"Don't Expire Password\" option Enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property.", "false_positives": ["User accounts can be used as service accounts and have their password set never to expire. This is a bad security practice that exposes the account to Credential Access attacks. For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Account Configured with Never-Expiring Password", "note": "## Triage and analysis\n\n### Investigating Account Configured with Never-Expiring Password\n\nActive Directory provides a setting that prevents users' passwords from expiring. Enabling this setting is bad practice and can expose environments to vulnerabilities that weaken security posture, especially when these accounts are privileged.\n\nThe setting is usually configured so a user account can act as a service account. Attackers can abuse these accounts to persist in the domain and maintain long-term access using compromised accounts with a never-expiring password set.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Inspect the account for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n- Using user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor potential benign true positives (B-TPs), especially if the account is privileged. For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Reset the password of the account and update its password settings.\n- Search for other occurrences on the domain.\n - Using the [Active Directory PowerShell module](https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser):\n - `get-aduser -filter { passwordNeverExpires -eq $true -and enabled -eq $true } | ft`\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:\"modified-user-account\" and winlog.api:\"wineventlog\" and event.code:\"4738\" and\n message:\"'Don't Expire Password' - Enabled\" and not user.id:\"S-1-5-18\"\n", "references": ["https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire", "http://web.archive.org/web/20230329171952/https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}], "risk_score": 47, "rule_id": "62a70f6f-3c37-43df-a556-f64fa475fba2", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 110}, "id": "62a70f6f-3c37-43df-a556-f64fa475fba2_110", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272.json b/packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272.json
deleted file mode 100644
index d80bde057bb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies potentially malicious processes communicating via a port paring typically not associated with HTTP/HTTPS. For example, HTTP over port 8443 or port 440 as opposed to the traditional port 80 , 443. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.", "from": "now-119m", "index": ["logs-endpoint.events.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Non-Standard Port HTTP/HTTPS connection", "note": "## Triage and analysis\n\n### Investigating Potential Non-Standard Port HTTP/HTTPS connection\n\nAttackers may alter standard protocol ports, like using HTTP on port 8443 instead of 80, to bypass network filtering and complicate network data analysis. \n\nThis rule looks for HTTP/HTTPS processes where the destination port is not any of the default 80/443 HTTP/HTTPS ports. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate command and control activity or data exfiltration. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential suspicious network traffic, reverse shells or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Suspicious Network Activity to the Internet by Previously Unknown Executable - 53617418-17b4-4e9c-8a2c-8deb8086ca4b\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where process.name : (\"http\", \"https\") and destination.port not in (80, 443) and event.action in (\n \"connection_attempted\", \"ipv4_connection_attempt_event\", \"connection_accepted\", \"ipv4_connection_accept_event\"\n) and destination.ip != \"127.0.0.1\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "62b68eb2-1e47-4da7-85b6-8f478db5b272", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}, {"id": "T1571", "name": "Non-Standard Port", "reference": "https://attack.mitre.org/techniques/T1571/"}, {"id": "T1573", "name": "Encrypted Channel", "reference": "https://attack.mitre.org/techniques/T1573/", "subtechnique": [{"id": "T1573.001", "name": "Symmetric Cryptography", "reference": 
"https://attack.mitre.org/techniques/T1573/001/"}, {"id": "T1573.002", "name": "Asymmetric Cryptography", "reference": "https://attack.mitre.org/techniques/T1573/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "62b68eb2-1e47-4da7-85b6-8f478db5b272", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272_1.json b/packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272_1.json
deleted file mode 100644
index a6e33de0c72..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies potentially malicious processes communicating via a port paring typically not associated with HTTP/HTTPS. For example, HTTP over port 8443 or port 440 as opposed to the traditional port 80 , 443. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Non-Standard Port HTTP/HTTPS connection", "query": "network where process.name : (\"http\", \"https\")\n and destination.port not in (80, 443)\n and event.action in (\"connection_attempted\", \"connection_accepted\")\n and destination.ip != \"127.0.0.1\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "62b68eb2-1e47-4da7-85b6-8f478db5b272", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1571", "name": "Non-Standard Port", "reference": "https://attack.mitre.org/techniques/T1571/"}, {"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}, {"id": "T1573", "name": "Encrypted Channel", "reference": 
"https://attack.mitre.org/techniques/T1573/", "subtechnique": [{"id": "T1573.001", "name": "Symmetric Cryptography", "reference": "https://attack.mitre.org/techniques/T1573/001/"}, {"id": "T1573.002", "name": "Asymmetric Cryptography", "reference": "https://attack.mitre.org/techniques/T1573/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "62b68eb2-1e47-4da7-85b6-8f478db5b272_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272_2.json b/packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272_2.json
deleted file mode 100644
index 1132490c4da..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies potentially malicious processes communicating via a port paring typically not associated with HTTP/HTTPS. For example, HTTP over port 8443 or port 440 as opposed to the traditional port 80 , 443. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Non-Standard Port HTTP/HTTPS connection", "query": "network where process.name : (\"http\", \"https\")\n and destination.port not in (80, 443)\n and event.action in (\"connection_attempted\", \"connection_accepted\")\n and destination.ip != \"127.0.0.1\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "62b68eb2-1e47-4da7-85b6-8f478db5b272", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1571", "name": "Non-Standard Port", "reference": "https://attack.mitre.org/techniques/T1571/"}, {"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}, {"id": "T1573", "name": "Encrypted Channel", 
"reference": "https://attack.mitre.org/techniques/T1573/", "subtechnique": [{"id": "T1573.001", "name": "Symmetric Cryptography", "reference": "https://attack.mitre.org/techniques/T1573/001/"}, {"id": "T1573.002", "name": "Asymmetric Cryptography", "reference": "https://attack.mitre.org/techniques/T1573/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "62b68eb2-1e47-4da7-85b6-8f478db5b272_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272_3.json b/packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272_3.json
deleted file mode 100644
index c841a3bdea6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies potentially malicious processes communicating via a port paring typically not associated with HTTP/HTTPS. For example, HTTP over port 8443 or port 440 as opposed to the traditional port 80 , 443. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Non-Standard Port HTTP/HTTPS connection", "note": "## Triage and analysis\n\n### Investigating Potential Non-Standard Port HTTP/HTTPS connection\n\nAttackers may alter standard protocol ports, like using HTTP on port 8443 instead of 80, to bypass network filtering and complicate network data analysis. \n\nThis rule looks for HTTP/HTTPS processes where the destination port is not any of the default 80/443 HTTP/HTTPS ports. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate command and control activity or data exfiltration. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential suspicious network traffic, reverse shells or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Suspicious Network Activity to the Internet by Previously Unknown Executable - 53617418-17b4-4e9c-8a2c-8deb8086ca4b\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where process.name : (\"http\", \"https\")\n and destination.port not in (80, 443)\n and event.action in (\"connection_attempted\", \"connection_accepted\")\n and destination.ip != \"127.0.0.1\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "62b68eb2-1e47-4da7-85b6-8f478db5b272", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1571", "name": "Non-Standard Port", "reference": "https://attack.mitre.org/techniques/T1571/"}, {"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}, {"id": "T1573", "name": "Encrypted Channel", "reference": "https://attack.mitre.org/techniques/T1573/", "subtechnique": [{"id": "T1573.001", "name": "Symmetric Cryptography", "reference": "https://attack.mitre.org/techniques/T1573/001/"}, {"id": "T1573.002", "name": "Asymmetric Cryptography", "reference": 
"https://attack.mitre.org/techniques/T1573/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "62b68eb2-1e47-4da7-85b6-8f478db5b272_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272_4.json b/packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272_4.json
deleted file mode 100644
index b8b749da518..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/62b68eb2-1e47-4da7-85b6-8f478db5b272_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies potentially malicious processes communicating via a port paring typically not associated with HTTP/HTTPS. For example, HTTP over port 8443 or port 440 as opposed to the traditional port 80 , 443. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.", "from": "now-119m", "index": ["logs-endpoint.events.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Non-Standard Port HTTP/HTTPS connection", "note": "## Triage and analysis\n\n### Investigating Potential Non-Standard Port HTTP/HTTPS connection\n\nAttackers may alter standard protocol ports, like using HTTP on port 8443 instead of 80, to bypass network filtering and complicate network data analysis. \n\nThis rule looks for HTTP/HTTPS processes where the destination port is not any of the default 80/443 HTTP/HTTPS ports. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate command and control activity or data exfiltration. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential suspicious network traffic, reverse shells or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Suspicious Network Activity to the Internet by Previously Unknown Executable - 53617418-17b4-4e9c-8a2c-8deb8086ca4b\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where process.name : (\"http\", \"https\") and destination.port not in (80, 443) and event.action in (\n \"connection_attempted\", \"ipv4_connection_attempt_event\", \"connection_accepted\", \"ipv4_connection_accept_event\"\n) and destination.ip != \"127.0.0.1\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "62b68eb2-1e47-4da7-85b6-8f478db5b272", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1571", "name": "Non-Standard Port", "reference": "https://attack.mitre.org/techniques/T1571/"}, {"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}, {"id": "T1573", "name": "Encrypted Channel", "reference": "https://attack.mitre.org/techniques/T1573/", "subtechnique": [{"id": "T1573.001", "name": "Symmetric Cryptography", "reference": 
"https://attack.mitre.org/techniques/T1573/001/"}, {"id": "T1573.002", "name": "Asymmetric Cryptography", "reference": "https://attack.mitre.org/techniques/T1573/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "62b68eb2-1e47-4da7-85b6-8f478db5b272_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/63431796-f813-43af-820b-492ee2efec8e.json b/packages/security_detection_engine/kibana/security_rule/63431796-f813-43af-820b-492ee2efec8e.json
deleted file mode 100644
index 3acf5974acb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/63431796-f813-43af-820b-492ee2efec8e.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies an egress internet connection initiated by an SSH Daemon child process. This behavior is indicative of the alteration of a shell configuration file or other mechanism that launches a process when a new SSH login occurs. Attackers can also backdoor the SSH daemon to allow for persistence, call out to a C2 or to steal credentials.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection Initiated by SSHD Child Process", "query": "sequence by host.id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.parent.executable == \"/usr/sbin/sshd\"] by process.entity_id\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and not (\n destination.ip == null or destination.ip == \"0.0.0.0\" or cidrmatch(\n destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\",\n \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\", \"172.31.0.0/16\"\n )\n ) and not process.executable in (\"/bin/yum\", \"/usr/bin/yum\")\n ] by process.parent.entity_id\n", "references": ["https://hadess.io/the-art-of-linux-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", 
"type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "63431796-f813-43af-820b-492ee2efec8e", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.004", "name": "Unix Shell Configuration Modification", "reference": "https://attack.mitre.org/techniques/T1546/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}, {"id": "T1563", "name": "Remote Service Session Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}], "type": "eql", "version": 2}, "id": "63431796-f813-43af-820b-492ee2efec8e", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/63431796-f813-43af-820b-492ee2efec8e_1.json b/packages/security_detection_engine/kibana/security_rule/63431796-f813-43af-820b-492ee2efec8e_1.json
deleted file mode 100644
index 476866b5f97..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/63431796-f813-43af-820b-492ee2efec8e_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies an egress internet connection initiated by an SSH Daemon child process. This behavior is indicative of the alteration of a shell configuration file or other mechanism that launches a process when a new SSH login occurs. Attackers can also backdoor the SSH daemon to allow for persistence, call out to a C2 or to steal credentials.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection Initiated by SSHD Child Process", "query": "sequence by host.id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.parent.executable == \"/usr/sbin/sshd\"] by process.entity_id\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and not (\n destination.ip == null or destination.ip == \"0.0.0.0\" or cidrmatch(\n destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\",\n \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\", \"172.31.0.0/16\"\n )\n )\n ] by process.parent.entity_id\n", "references": ["https://hadess.io/the-art-of-linux-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", 
"type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "63431796-f813-43af-820b-492ee2efec8e", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.004", "name": "Unix Shell Configuration Modification", "reference": "https://attack.mitre.org/techniques/T1546/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}, {"id": "T1563", "name": "Remote Service Session Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}], "type": "eql", "version": 1}, "id": "63431796-f813-43af-820b-492ee2efec8e_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/63431796-f813-43af-820b-492ee2efec8e_2.json b/packages/security_detection_engine/kibana/security_rule/63431796-f813-43af-820b-492ee2efec8e_2.json
deleted file mode 100644
index f316ce10b1f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/63431796-f813-43af-820b-492ee2efec8e_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies an egress internet connection initiated by an SSH Daemon child process. This behavior is indicative of the alteration of a shell configuration file or other mechanism that launches a process when a new SSH login occurs. Attackers can also backdoor the SSH daemon to allow for persistence, call out to a C2 or to steal credentials.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection Initiated by SSHD Child Process", "query": "sequence by host.id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.parent.executable == \"/usr/sbin/sshd\"] by process.entity_id\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and not (\n destination.ip == null or destination.ip == \"0.0.0.0\" or cidrmatch(\n destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\",\n \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\", \"172.31.0.0/16\"\n )\n ) and not process.executable in (\"/bin/yum\", \"/usr/bin/yum\")\n ] by process.parent.entity_id\n", "references": ["https://hadess.io/the-art-of-linux-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", 
"type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "63431796-f813-43af-820b-492ee2efec8e", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.004", "name": "Unix Shell Configuration Modification", "reference": "https://attack.mitre.org/techniques/T1546/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}, {"id": "T1563", "name": "Remote Service Session Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}], "type": "eql", "version": 2}, "id": "63431796-f813-43af-820b-492ee2efec8e_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002.json b/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002.json
deleted file mode 100644
index 53f197441c3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects a request to attach a controller service account to an existing or new pod running in the kube-system namespace. By default, controllers running as part of the API Server utilize admin-equivalent service accounts hosted in the kube-system namespace. Controller service accounts aren't normally assigned to running pods and could indicate adversary behavior within the cluster. An attacker that can create or modify pods or pod controllers in the kube-system namespace, can assign one of these admin-equivalent service accounts to a pod and abuse their powerful token to escalate privileges and gain complete cluster control.", "false_positives": ["Controller service accounts aren't normally assigned to running pods, this is abnormal behavior with very few legitimate use-cases and should result in very few false positives."], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Suspicious Assignment of Controller Service Account", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb : \"create\"\n and kubernetes.audit.objectRef.resource : \"pods\"\n and kubernetes.audit.objectRef.namespace : \"kube-system\"\n and kubernetes.audit.requestObject.spec.serviceAccountName:*controller\n", "references": ["https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.objectRef.namespace", "type": "keyword"}, 
{"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.serviceAccountName", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "keyword"}], "risk_score": 47, "rule_id": "63c05204-339a-11ed-a261-0242ac120002", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.001", "name": "Default Accounts", "reference": "https://attack.mitre.org/techniques/T1078/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 6}, "id": "63c05204-339a-11ed-a261-0242ac120002", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_4.json b/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_4.json
deleted file mode 100644
index a4cd0d6de45..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects a request to attach a controller service account to an existing or new pod running in the kube-system namespace. By default, controllers running as part of the API Server utilize admin-equivalent service accounts hosted in the kube-system namespace. Controller service accounts aren't normally assigned to running pods and could indicate adversary behavior within the cluster. An attacker that can create or modify pods or pod controllers in the kube-system namespace, can assign one of these admin-equivalent service accounts to a pod and abuse their powerful token to escalate privileges and gain complete cluster control.", "false_positives": ["Controller service accounts aren't normally assigned to running pods, this is abnormal behavior with very few legitimate use-cases and should result in very few false positives."], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Suspicious Assignment of Controller Service Account", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb : \"create\"\n and kubernetes.audit.objectRef.resource : \"pods\"\n and kubernetes.audit.objectRef.namespace : \"kube-system\"\n and kubernetes.audit.requestObject.spec.serviceAccountName:*controller\n", "references": ["https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.objectRef.namespace", "type": "unknown"}, 
{"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.serviceAccountName", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "unknown"}], "risk_score": 47, "rule_id": "63c05204-339a-11ed-a261-0242ac120002", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.001", "name": "Default Accounts", "reference": "https://attack.mitre.org/techniques/T1078/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "63c05204-339a-11ed-a261-0242ac120002_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_5.json b/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_5.json deleted file mode 100644 index b3354de9095..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/63c05204-339a-11ed-a261-0242ac120002_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects a request to attach a controller service account to an existing or new pod running in the kube-system namespace. By default, controllers running as part of the API Server utilize admin-equivalent service accounts hosted in the kube-system namespace. Controller service accounts aren't normally assigned to running pods and could indicate adversary behavior within the cluster. An attacker that can create or modify pods or pod controllers in the kube-system namespace, can assign one of these admin-equivalent service accounts to a pod and abuse their powerful token to escalate privileges and gain complete cluster control.", "false_positives": ["Controller service accounts aren't normally assigned to running pods, this is abnormal behavior with very few legitimate use-cases and should result in very few false positives."], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Suspicious Assignment of Controller Service Account", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb : \"create\"\n and kubernetes.audit.objectRef.resource : \"pods\"\n and kubernetes.audit.objectRef.namespace : \"kube-system\"\n and kubernetes.audit.requestObject.spec.serviceAccountName:*controller\n", "references": ["https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/kubernetes-privilege-escalation-excessive-permissions-in-popular-platforms"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.objectRef.namespace", "type": "unknown"}, 
{"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.serviceAccountName", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "unknown"}], "risk_score": 47, "rule_id": "63c05204-339a-11ed-a261-0242ac120002", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.001", "name": "Default Accounts", "reference": "https://attack.mitre.org/techniques/T1078/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "63c05204-339a-11ed-a261-0242ac120002_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002.json b/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002.json deleted file mode 100644 index 69cec648c29..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects when a service account makes an unauthorized request for resources from the API server. Service accounts follow a very predictable pattern of behavior. A service account should never send an unauthorized request to the API server. This behavior is likely an indicator of compromise or of a problem within the cluster. An adversary may have gained access to credentials/tokens and this could be an attempt to access or create resources to facilitate further movement or execution within the cluster.", "false_positives": ["Unauthorized requests from service accounts are highly abnormal and more indicative of human behavior or a serious problem within the cluster. This behavior should be investigated further."], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Denied Service Account Request", "note": "", "query": "event.dataset: \"kubernetes.audit_logs\"\n and kubernetes.audit.user.username: system\\:serviceaccount\\:*\n and kubernetes.audit.annotations.authorization_k8s_io/decision: \"forbid\"\n", "references": ["https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", "https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.user.username", "type": "keyword"}], "risk_score": 47, "rule_id": "63c056a0-339a-11ed-a261-0242ac120002", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: 
Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1613", "name": "Container and Resource Discovery", "reference": "https://attack.mitre.org/techniques/T1613/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "63c056a0-339a-11ed-a261-0242ac120002", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_3.json b/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_3.json deleted file mode 100644 index da94c270e9b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects when a service account makes an unauthorized request for resources from the API server. Service accounts follow a very predictable pattern of behavior. A service account should never send an unauthorized request to the API server. This behavior is likely an indicator of compromise or of a problem within the cluster. An adversary may have gained access to credentials/tokens and this could be an attempt to access or create resources to facilitate further movement or execution within the cluster.", "false_positives": ["Unauthorized requests from service accounts are highly abnormal and more indicative of human behavior or a serious problem within the cluster. This behavior should be investigated further."], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Denied Service Account Request", "note": "", "query": "event.dataset: \"kubernetes.audit_logs\"\n and kubernetes.audit.user.username: system\\:serviceaccount\\:*\n and kubernetes.audit.annotations.authorization_k8s_io/decision: \"forbid\"\n", "references": ["https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", "https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.user.username", "type": "unknown"}], "risk_score": 47, "rule_id": "63c056a0-339a-11ed-a261-0242ac120002", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Kubernetes", "Continuous 
Monitoring", "Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1613", "name": "Container and Resource Discovery", "reference": "https://attack.mitre.org/techniques/T1613/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "63c056a0-339a-11ed-a261-0242ac120002_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_4.json b/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_4.json deleted file mode 100644 index 8df7ab16a59..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/63c056a0-339a-11ed-a261-0242ac120002_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects when a service account makes an unauthorized request for resources from the API server. Service accounts follow a very predictable pattern of behavior. A service account should never send an unauthorized request to the API server. This behavior is likely an indicator of compromise or of a problem within the cluster. An adversary may have gained access to credentials/tokens and this could be an attempt to access or create resources to facilitate further movement or execution within the cluster.", "false_positives": ["Unauthorized requests from service accounts are highly abnormal and more indicative of human behavior or a serious problem within the cluster. This behavior should be investigated further."], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Denied Service Account Request", "note": "", "query": "event.dataset: \"kubernetes.audit_logs\"\n and kubernetes.audit.user.username: system\\:serviceaccount\\:*\n and kubernetes.audit.annotations.authorization_k8s_io/decision: \"forbid\"\n", "references": ["https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", "https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.user.username", "type": "unknown"}], "risk_score": 47, "rule_id": "63c056a0-339a-11ed-a261-0242ac120002", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: 
Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1613", "name": "Container and Resource Discovery", "reference": "https://attack.mitre.org/techniques/T1613/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "63c056a0-339a-11ed-a261-0242ac120002_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002.json b/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002.json deleted file mode 100644 index 1328a5acee8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects when an unauthenticated user request is authorized within the cluster. Attackers may attempt to use anonymous accounts to gain initial access to the cluster or to avoid attribution of their activities within the cluster. This rule excludes the /healthz, /livez and /readyz endpoints which are commonly accessed anonymously.", "false_positives": ["Anonymous access to the API server is a dangerous setting enabled by default. Common anonymous connections (e.g., health checks) have been excluded from this rule. All other instances of authorized anonymous requests should be investigated."], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Anonymous Request Authorized", "note": "", "query": "event.dataset:kubernetes.audit_logs\n and kubernetes.audit.annotations.authorization_k8s_io/decision:allow\n and kubernetes.audit.user.username:(\"system:anonymous\" or \"system:unauthenticated\" or not *)\n and not kubernetes.audit.requestURI:(/healthz* or /livez* or /readyz*)\n", "references": ["https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.requestURI", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.user.username", "type": "keyword"}], "risk_score": 47, "rule_id": "63c057cc-339a-11ed-a261-0242ac120002", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Initial Access", "Tactic: Defense 
Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.001", "name": "Default Accounts", "reference": "https://attack.mitre.org/techniques/T1078/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 6}, "id": "63c057cc-339a-11ed-a261-0242ac120002", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_3.json b/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_3.json deleted file mode 100644 index 756cec32a92..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects when an unauthenticated user request is authorized within the cluster. Attackers may attempt to use anonymous accounts to gain initial access to the cluster or to avoid attribution of their activities within the cluster. This rule excludes the /healthz, /livez and /readyz endpoints which are commonly accessed anonymously.", "false_positives": ["Anonymous access to the API server is a dangerous setting enabled by default. Common anonymous connections (e.g., health checks) have been excluded from this rule. All other instances of authorized anonymous requests should be investigated."], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Anonymous Request Authorized", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and (kubernetes.audit.user.username:(\"system:anonymous\" or \"system:unauthenticated\") or not kubernetes.audit.user.username:*)\n and not kubernetes.audit.objectRef.resource:(\"healthz\" or \"livez\" or \"readyz\")\n", "references": ["https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.user.username", "type": "unknown"}], "risk_score": 47, "rule_id": "63c057cc-339a-11ed-a261-0242ac120002", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Kubernetes", 
"Continuous Monitoring", "Execution", "Initial Access", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.001", "name": "Default Accounts", "reference": "https://attack.mitre.org/techniques/T1078/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "63c057cc-339a-11ed-a261-0242ac120002_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_4.json b/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_4.json deleted file mode 100644 index 3fede05205b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects when an unauthenticated user request is authorized within the cluster. Attackers may attempt to use anonymous accounts to gain initial access to the cluster or to avoid attribution of their activities within the cluster. This rule excludes the /healthz, /livez and /readyz endpoints which are commonly accessed anonymously.", "false_positives": ["Anonymous access to the API server is a dangerous setting enabled by default. Common anonymous connections (e.g., health checks) have been excluded from this rule. All other instances of authorized anonymous requests should be investigated."], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Anonymous Request Authorized", "note": "", "query": "event.dataset:kubernetes.audit_logs\n and kubernetes.audit.annotations.authorization_k8s_io/decision:allow\n and kubernetes.audit.user.username:(\"system:anonymous\" or \"system:unauthenticated\" or not *)\n and not kubernetes.audit.objectRef.resource:(healthz or livez or readyz)\n", "references": ["https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.user.username", "type": "unknown"}], "risk_score": 47, "rule_id": "63c057cc-339a-11ed-a261-0242ac120002", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Initial Access", "Tactic: 
Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.001", "name": "Default Accounts", "reference": "https://attack.mitre.org/techniques/T1078/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "63c057cc-339a-11ed-a261-0242ac120002_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_5.json b/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_5.json deleted file mode 100644 index 6ec02f234d0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/63c057cc-339a-11ed-a261-0242ac120002_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects when an unauthenticated user request is authorized within the cluster. Attackers may attempt to use anonymous accounts to gain initial access to the cluster or to avoid attribution of their activities within the cluster. This rule excludes the /healthz, /livez and /readyz endpoints which are commonly accessed anonymously.", "false_positives": ["Anonymous access to the API server is a dangerous setting enabled by default. Common anonymous connections (e.g., health checks) have been excluded from this rule. All other instances of authorized anonymous requests should be investigated."], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Anonymous Request Authorized", "note": "", "query": "event.dataset:kubernetes.audit_logs\n and kubernetes.audit.annotations.authorization_k8s_io/decision:allow\n and kubernetes.audit.user.username:(\"system:anonymous\" or \"system:unauthenticated\" or not *)\n and not kubernetes.audit.requestURI:(/healthz* or /livez* or /readyz*)\n", "references": ["https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestURI", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.user.username", "type": "unknown"}], "risk_score": 47, "rule_id": "63c057cc-339a-11ed-a261-0242ac120002", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Initial Access", "Tactic: Defense 
Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.001", "name": "Default Accounts", "reference": "https://attack.mitre.org/techniques/T1078/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "63c057cc-339a-11ed-a261-0242ac120002_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63e381a6-0ffe-4afb-9a26-72a59ad16d7b.json b/packages/security_detection_engine/kibana/security_rule/63e381a6-0ffe-4afb-9a26-72a59ad16d7b.json deleted file mode 100644 index b38327953ea..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/63e381a6-0ffe-4afb-9a26-72a59ad16d7b.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to access sensitive registry hives which contain credentials from the registry backup folder.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Sensitive Registry Hive Access via RegBack", "note": "## Triage and analysis\n\n### Investigating Sensitive Registry Hive Access via RegBack\n\nCollecting registry hives is a common way to access credential information as some hives store credential material.\n\nFor example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached credentials (LSA secrets).\n\nDumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the credential material was exfiltrated or processed locally by other tools.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes. 
Check whether the user is legitamitely performing this kind of activity.\n\n### Related rules\n\n- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and \n event.action == \"open\" and event.outcome == \"success\" and process.executable != null and \n file.path :\n (\"?:\\\\Windows\\\\System32\\\\config\\\\RegBack\\\\SAM\",\n \"?:\\\\Windows\\\\System32\\\\config\\\\RegBack\\\\SECURITY\",\n \"?:\\\\Windows\\\\System32\\\\config\\\\RegBack\\\\SYSTEM\") and \n not (\n user.id == \"S-1-5-18\" and process.executable : (\n \"?:\\\\Windows\\\\system32\\\\taskhostw.exe\", \"?:\\\\Windows\\\\system32\\\\taskhost.exe\"\n ))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"process.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "63e381a6-0ffe-4afb-9a26-72a59ad16d7b", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.004", "name": "LSA Secrets", "reference": "https://attack.mitre.org/techniques/T1003/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "63e381a6-0ffe-4afb-9a26-72a59ad16d7b", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63e381a6-0ffe-4afb-9a26-72a59ad16d7b_1.json b/packages/security_detection_engine/kibana/security_rule/63e381a6-0ffe-4afb-9a26-72a59ad16d7b_1.json deleted file mode 100644 index 22b4c954af5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/63e381a6-0ffe-4afb-9a26-72a59ad16d7b_1.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to access sensitive registry hives which contain credentials from the registry backup folder.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Sensitive Registry Hive Access via RegBack", "note": "## Triage and analysis\n\n### Investigating Sensitive Registry Hive Access via RegBack\n\nCollecting registry hives is a common way to access credential information as some hives store credential material.\n\nFor example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached credentials (LSA secrets).\n\nDumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the credential material was exfiltrated or processed locally by other tools.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes. 
Check whether the user is legitamitely performing this kind of activity.\n\n### Related rules\n\n- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and \n event.action == \"open\" and event.outcome == \"success\" and process.executable != null and \n file.path :\n (\"?:\\\\Windows\\\\System32\\\\config\\\\RegBack\\\\SAM\",\n \"?:\\\\Windows\\\\System32\\\\config\\\\RegBack\\\\SECURITY\",\n \"?:\\\\Windows\\\\System32\\\\config\\\\RegBack\\\\SYSTEM\") and \n not (user.id == \"S-1-5-18\" and process.executable : \"?:\\\\Windows\\\\system32\\\\taskhostw.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": 
"user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "63e381a6-0ffe-4afb-9a26-72a59ad16d7b", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.004", "name": "LSA Secrets", "reference": "https://attack.mitre.org/techniques/T1003/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "63e381a6-0ffe-4afb-9a26-72a59ad16d7b_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44.json b/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44.json
deleted file mode 100644
index e127daf1463..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Signed Binary", "note": "## Triage and analysis\n\n### Investigating Network Connection via Signed Binary\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule looks for the execution of `expand.exe`, `extrac32.exe`, `ieexec.exe`, or `makecab.exe` utilities, followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n event.type == \"start\"]\n [network where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44", "severity": "low", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "type": "eql", "version": 108}, "id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_102.json b/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_102.json
deleted file mode 100644
index 7e6f7ae8248..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Signed Binary", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n event.type == \"start\"]\n [network where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, 
"name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "type": "eql", "version": 102}, "id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_103.json b/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_103.json
deleted file mode 100644
index 767b8b34d96..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Signed Binary", "note": "## Triage and analysis\n\n### Investigating Network Connection via Signed Binary\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule looks for the execution of `expand.exe`, `extrac32.exe`, `ieexec.exe`, or `makecab.exe` utilities, followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n event.type == \"start\"]\n [network where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44", "severity": "low", "tags": ["Elastic", "Host", 
"Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "type": "eql", "version": 103}, "id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_104.json b/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_104.json
deleted file mode 100644
index 1e534b93d04..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Signed Binary", "note": "## Triage and analysis\n\n### Investigating Network Connection via Signed Binary\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule looks for the execution of `expand.exe`, `extrac32.exe`, `ieexec.exe`, or `makecab.exe` utilities, followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n event.type == \"start\"]\n [network where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44", "severity": "low", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "type": "eql", "version": 104}, "id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_105.json b/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_105.json
deleted file mode 100644
index 1de2f21a394..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Signed Binary", "note": "## Triage and analysis\n\n### Investigating Network Connection via Signed Binary\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule looks for the execution of `expand.exe`, `extrac32.exe`, `ieexec.exe`, or `makecab.exe` utilities, followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n event.type == \"start\"]\n [network where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44", "severity": "low", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "type": "eql", "version": 105}, "id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_106.json b/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_106.json deleted file mode 100644 index 144280f3104..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Signed Binary", "note": "## Triage and analysis\n\n### Investigating Network Connection via Signed Binary\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule looks for the execution of `expand.exe`, `extrac32.exe`, `ieexec.exe`, or `makecab.exe` utilities, followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n event.type == \"start\"]\n [network where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44", "severity": "low", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "type": "eql", "version": 106}, "id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_107.json b/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_107.json deleted file mode 100644 index 1d278f16bf9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Signed Binary", "note": "## Triage and analysis\n\n### Investigating Network Connection via Signed Binary\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule looks for the execution of `expand.exe`, `extrac32.exe`, `ieexec.exe`, or `makecab.exe` utilities, followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n event.type == \"start\"]\n [network where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44", "severity": "low", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "type": "eql", "version": 107}, "id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_108.json b/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_108.json deleted file mode 100644 index a2a04df14d8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/63e65ec3-43b1-45b0-8f2d-45b34291dc44_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Signed Binary", "note": "## Triage and analysis\n\n### Investigating Network Connection via Signed Binary\n\nBy examining the specific traits of Windows binaries (such as process trees, command lines, network connections, registry modifications, and so on) it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule looks for the execution of `expand.exe`, `extrac32.exe`, `ieexec.exe`, or `makecab.exe` utilities, followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n event.type == \"start\"]\n [network where host.os.type == \"windows\" and (process.name : \"expand.exe\" or process.name : \"extrac32.exe\" or\n process.name : \"ieexec.exe\" or process.name : \"makecab.exe\") and\n not cidrmatch(destination.ip,\n \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\",\n \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\",\n \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44", "severity": "low", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "type": "eql", "version": 108}, "id": "63e65ec3-43b1-45b0-8f2d-45b34291dc44_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/640f79d1-571d-4f96-a9af-1194fc8cf763.json b/packages/security_detection_engine/kibana/security_rule/640f79d1-571d-4f96-a9af-1194fc8cf763.json deleted file mode 100644 index a8caaedcdc6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/640f79d1-571d-4f96-a9af-1194fc8cf763.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation or modification of files related to the dynamic linker on Linux systems. The dynamic linker is a shared library that is used by the Linux kernel to load and execute programs. Attackers may attempt to hijack the execution flow of a program by modifying the dynamic linker configuration files.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Dynamic Linker Creation or Modification", "query": "file where host.os.type == \"linux\" and event.action in (\"creation\", \"rename\") and\nfile.path : (\"/etc/ld.so.preload\", \"/etc/ld.so.conf.d/*\", \"/etc/ld.so.conf\") and\nnot (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/libexec/platform-python\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\"\n ) or\n process.executable == null or\n 
(process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "640f79d1-571d-4f96-a9af-1194fc8cf763", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": 
"640f79d1-571d-4f96-a9af-1194fc8cf763", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/640f79d1-571d-4f96-a9af-1194fc8cf763_1.json b/packages/security_detection_engine/kibana/security_rule/640f79d1-571d-4f96-a9af-1194fc8cf763_1.json
deleted file mode 100644
index ee3b772eb41..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/640f79d1-571d-4f96-a9af-1194fc8cf763_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation or modification of files related to the dynamic linker on Linux systems. The dynamic linker is a shared library that is used by the Linux kernel to load and execute programs. Attackers may attempt to hijack the execution flow of a program by modifying the dynamic linker configuration files.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Dynamic Linker Creation or Modification", "query": "file where host.os.type == \"linux\" and event.action in (\"creation\", \"rename\") and\nfile.path : (\"/etc/ld.so.preload\", \"/etc/ld.so.conf.d/*\", \"/etc/ld.so.conf\") and\nnot (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/libexec/platform-python\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\"\n ) or\n process.executable == null or\n 
(process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "640f79d1-571d-4f96-a9af-1194fc8cf763", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": 
"640f79d1-571d-4f96-a9af-1194fc8cf763_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88.json b/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88.json
deleted file mode 100644
index c52dc919bfc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_anomalous_process_all_hosts"], "name": "Anomalous Process For a Linux Population", "note": "## Triage and analysis\n\n### Investigating Anomalous Process For a Linux Population\n\nSearching for abnormal Linux processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Linux process that is rare and unusual for all of the monitored Linux hosts in your fleet.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "647fc812-7996-4795-8869-9c4ea595fe88", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "type": "machine_learning", "version": 105}, "id": "647fc812-7996-4795-8869-9c4ea595fe88", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_102.json b/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_102.json
deleted file mode 100644
index bd6c5d76e07..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_anomalous_process_all_hosts"], "name": "Anomalous Process For a Linux Population", "note": "## Triage and analysis\n\n### Investigating Anomalous Process For a Linux Population\n\nSearching for abnormal Linux processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Linux process that is rare and unusual for all of the monitored Linux hosts in your fleet.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "647fc812-7996-4795-8869-9c4ea595fe88", "severity": "low", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "type": "machine_learning", "version": 102}, "id": "647fc812-7996-4795-8869-9c4ea595fe88_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_103.json b/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_103.json
deleted file mode 100644
index 8ccc5b6d718..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_anomalous_process_all_hosts"], "name": "Anomalous Process For a Linux Population", "note": "## Triage and analysis\n\n### Investigating Anomalous Process For a Linux Population\n\nSearching for abnormal Linux processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Linux process that is rare and unusual for all of the monitored Linux hosts in your fleet.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "647fc812-7996-4795-8869-9c4ea595fe88", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "type": "machine_learning", "version": 103}, "id": "647fc812-7996-4795-8869-9c4ea595fe88_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_104.json b/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_104.json
deleted file mode 100644
index 3fba909d877..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/647fc812-7996-4795-8869-9c4ea595fe88_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Searches for rare processes running on multiple Linux hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_anomalous_process_all_hosts"], "name": "Anomalous Process For a Linux Population", "note": "## Triage and analysis\n\n### Investigating Anomalous Process For a Linux Population\n\nSearching for abnormal Linux processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Linux process that is rare and unusual for all of the monitored Linux hosts in your fleet.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. 
Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "647fc812-7996-4795-8869-9c4ea595fe88", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "type": "machine_learning", "version": 104}, "id": "647fc812-7996-4795-8869-9c4ea595fe88_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae.json b/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae.json deleted file mode 100644 index be42bf2a248..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies changes to the Safari configuration using the built-in defaults command. Adversaries may attempt to enable or disable certain Safari settings, such as enabling JavaScript from Apple Events to ease in the hijacking of the users browser.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of Safari Settings via Defaults Command", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name:defaults and process.args:\n (com.apple.Safari and write and not\n (\n UniversalSearchEnabled or\n SuppressSearchSuggestions or\n WebKitTabToLinksPreferenceKey or\n ShowFullURLInSmartSearchField or\n com.apple.Safari.ContentPageGroupIdentifier.WebKit2TabsToLinks\n )\n )\n", "references": ["https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6482255d-f468-45ea-a5b3-d3a7de1331ae", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "6482255d-f468-45ea-a5b3-d3a7de1331ae", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_102.json b/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_102.json deleted file mode 100644 index e17166301c0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies changes to the Safari configuration using the built-in defaults command. Adversaries may attempt to enable or disable certain Safari settings, such as enabling JavaScript from Apple Events to ease in the hijacking of the users browser.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of Safari Settings via Defaults Command", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name:defaults and process.args:\n (com.apple.Safari and write and not\n (\n UniversalSearchEnabled or\n SuppressSearchSuggestions or\n WebKitTabToLinksPreferenceKey or\n ShowFullURLInSmartSearchField or\n com.apple.Safari.ContentPageGroupIdentifier.WebKit2TabsToLinks\n )\n )\n", "references": ["https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6482255d-f468-45ea-a5b3-d3a7de1331ae", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": 
"6482255d-f468-45ea-a5b3-d3a7de1331ae_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_103.json b/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_103.json
deleted file mode 100644
index 4552cf95fd3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies changes to the Safari configuration using the built-in defaults command. Adversaries may attempt to enable or disable certain Safari settings, such as enabling JavaScript from Apple Events to ease in the hijacking of the users browser.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of Safari Settings via Defaults Command", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name:defaults and process.args:\n (com.apple.Safari and write and not\n (\n UniversalSearchEnabled or\n SuppressSearchSuggestions or\n WebKitTabToLinksPreferenceKey or\n ShowFullURLInSmartSearchField or\n com.apple.Safari.ContentPageGroupIdentifier.WebKit2TabsToLinks\n )\n )\n", "references": ["https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6482255d-f468-45ea-a5b3-d3a7de1331ae", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", 
"version": 103}, "id": "6482255d-f468-45ea-a5b3-d3a7de1331ae_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_104.json b/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_104.json
deleted file mode 100644
index 2fb7d16c71c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies changes to the Safari configuration using the built-in defaults command. Adversaries may attempt to enable or disable certain Safari settings, such as enabling JavaScript from Apple Events to ease in the hijacking of the users browser.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of Safari Settings via Defaults Command", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name:defaults and process.args:\n (com.apple.Safari and write and not\n (\n UniversalSearchEnabled or\n SuppressSearchSuggestions or\n WebKitTabToLinksPreferenceKey or\n ShowFullURLInSmartSearchField or\n com.apple.Safari.ContentPageGroupIdentifier.WebKit2TabsToLinks\n )\n )\n", "references": ["https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6482255d-f468-45ea-a5b3-d3a7de1331ae", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": 
"event.ingested", "type": "query", "version": 104}, "id": "6482255d-f468-45ea-a5b3-d3a7de1331ae_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_105.json b/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_105.json
deleted file mode 100644
index 21a15f59def..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6482255d-f468-45ea-a5b3-d3a7de1331ae_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies changes to the Safari configuration using the built-in defaults command. Adversaries may attempt to enable or disable certain Safari settings, such as enabling JavaScript from Apple Events to ease in the hijacking of the users browser.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of Safari Settings via Defaults Command", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name:defaults and process.args:\n (com.apple.Safari and write and not\n (\n UniversalSearchEnabled or\n SuppressSearchSuggestions or\n WebKitTabToLinksPreferenceKey or\n ShowFullURLInSmartSearchField or\n com.apple.Safari.ContentPageGroupIdentifier.WebKit2TabsToLinks\n )\n )\n", "references": ["https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6482255d-f468-45ea-a5b3-d3a7de1331ae", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "6482255d-f468-45ea-a5b3-d3a7de1331ae_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e.json b/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e.json deleted file mode 100644 index 9be4e5ae55b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server. Attackers may spawn reverse shells to establish persistence onto a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Recently Compiled Executable", "query": "sequence by host.id with maxspan=1m\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.name in (\"gcc\", \"g++\", \"cc\")] by process.args\n [file where host.os.type == \"linux\" and event.action == \"creation\" and process.name == \"ld\"] by file.name\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\"] by process.name\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and destination.ip != null and \n not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")] by process.name\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "64cfca9e-0f6f-4048-8251-9ec56a055e9e", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated 
into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 5}, "id": "64cfca9e-0f6f-4048-8251-9ec56a055e9e", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_1.json b/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_1.json deleted file mode 100644 index 06e59c2b8d5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server. Attackers may spawn reverse shells to establish persistence onto a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Recently Compiled Executable", "query": "sequence by host.id with maxspan=1m\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name in (\"gcc\", \"g++\", \"cc\")] by process.args\n [file where host.os.type == \"linux\" and event.action == \"creation\" and process.name == \"ld\"] by file.name\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\"] by process.name\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\"] by process.name\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "64cfca9e-0f6f-4048-8251-9ec56a055e9e", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", 
"name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 1}, "id": "64cfca9e-0f6f-4048-8251-9ec56a055e9e_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_2.json b/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_2.json
deleted file mode 100644
index 96fa3793ab8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server. Attackers may spawn reverse shells to establish persistence onto a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Recently Compiled Executable", "query": "sequence by host.id with maxspan=1m\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name in (\"gcc\", \"g++\", \"cc\")] by process.args\n [file where host.os.type == \"linux\" and event.action == \"creation\" and process.name == \"ld\"] by file.name\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\"] by process.name\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\"] by process.name\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "64cfca9e-0f6f-4048-8251-9ec56a055e9e", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 2}, "id": "64cfca9e-0f6f-4048-8251-9ec56a055e9e_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_3.json b/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_3.json deleted file mode 100644 index 58c1c5b8533..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server. Attackers may spawn reverse shells to establish persistence onto a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Recently Compiled Executable", "query": "sequence by host.id with maxspan=1m\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name in (\"gcc\", \"g++\", \"cc\")] by process.args\n [file where host.os.type == \"linux\" and event.action == \"creation\" and process.name == \"ld\"] by file.name\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\"] by process.name\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\"] by process.name\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "64cfca9e-0f6f-4048-8251-9ec56a055e9e", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 3}, "id": "64cfca9e-0f6f-4048-8251-9ec56a055e9e_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_4.json b/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_4.json deleted file mode 100644 index 9a6dcc76ece..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server. Attackers may spawn reverse shells to establish persistence onto a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Recently Compiled Executable", "query": "sequence by host.id with maxspan=1m\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name in (\"gcc\", \"g++\", \"cc\")] by process.args\n [file where host.os.type == \"linux\" and event.action == \"creation\" and process.name == \"ld\"] by file.name\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\"] by process.name\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and destination.ip != null and \n not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")] by process.name\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "64cfca9e-0f6f-4048-8251-9ec56a055e9e", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the 
Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 4}, "id": "64cfca9e-0f6f-4048-8251-9ec56a055e9e_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_5.json b/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_5.json deleted file mode 100644 index 3a7de188323..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/64cfca9e-0f6f-4048-8251-9ec56a055e9e_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors a sequence involving a program compilation event followed by its execution and a subsequent network connection event. This behavior can indicate the set up of a reverse tcp connection to a command-and-control server. Attackers may spawn reverse shells to establish persistence onto a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Recently Compiled Executable", "query": "sequence by host.id with maxspan=1m\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.name in (\"gcc\", \"g++\", \"cc\")] by process.args\n [file where host.os.type == \"linux\" and event.action == \"creation\" and process.name == \"ld\"] by file.name\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\"] by process.name\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and destination.ip != null and \n not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")] by process.name\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "64cfca9e-0f6f-4048-8251-9ec56a055e9e", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated 
into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 5}, "id": "64cfca9e-0f6f-4048-8251-9ec56a055e9e_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/65432f4a-e716-4cc1-ab11-931c4966da2d_101.json b/packages/security_detection_engine/kibana/security_rule/65432f4a-e716-4cc1-ab11-931c4966da2d_101.json deleted file mode 100644 index 5a3a1ae23e8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/65432f4a-e716-4cc1-ab11-931c4966da2d_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of an MsiExec service child process followed by network or dns lookup activity. Adversaries may abuse Windows Installers for initial access and delivery of malware.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "MsiExec Service Child Process With Network Connection", "query": "sequence by process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.type : \"start\" and\n process.parent.name : \"msiexec.exe\" and process.parent.args : \"/v\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\sysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\system32\\\\srtasks.exe\",\n \"?:\\\\Windows\\\\syswow64\\\\srtasks.exe\",\n \"?:\\\\Windows\\\\sys*\\\\taskkill.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\Installer\\\\MSI*.tmp\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\RegSvcs.exe\") and\n not (process.name : (\"rundll32.exe\", \"regsvr32.exe\") and process.args : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\"))]\n[any where host.os.type == \"windows\" and event.category in (\"network\", \"dns\") and process.name != null]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": 
"process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "65432f4a-e716-4cc1-ab11-931c4966da2d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.007", "name": "Msiexec", "reference": "https://attack.mitre.org/techniques/T1218/007/"}]}]}], "type": "eql", "version": 101}, "id": "65432f4a-e716-4cc1-ab11-931c4966da2d_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed.json b/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed.json deleted file mode 100644 index 0e9f0758ccd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects an attempt to create or modify a service as type NodePort. The NodePort service allows a user to externally expose a set of labeled pods to the internet. This creates an open port on every worker node in the cluster that has a pod for that service. When external traffic is received on that open port, it directs it to the specific pod through the service representing it. A malicious user can configure a service as type Nodeport in order to intercept traffic from other pods or nodes, bypassing firewalls and other network security measures configured for load balancers within a cluster. This creates a direct method of communication between the cluster and the outside world, which could be used for more malicious behavior and certainly widens the attack surface of your cluster.", "false_positives": ["Developers may have a legitimate use for NodePorts. For frontend parts of an application you may want to expose a Service onto an external IP address without using cloud specific Loadbalancers. NodePort can be used to expose the Service on each Node's IP at a static port (the NodePort). You'll be able to contact the NodePort Service from outside the cluster, by requesting :. 
NodePort unlike Loadbalancers, allow the freedom to set up your own load balancing solution, configure environments that aren't fully supported by Kubernetes, or even to expose one or more node's IPs directly."], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Exposed Service Created With Type NodePort", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"services\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.type:\"NodePort\"\n", "references": ["https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types", "https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport", "https://www.tigera.io/blog/new-vulnerability-exposes-kubernetes-to-man-in-the-middle-attacks-heres-how-to-mitigate/"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.type", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "keyword"}], "risk_score": 47, "rule_id": "65f9bccd-510b-40df-8263-334f03174fed", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1133", 
"name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 203}, "id": "65f9bccd-510b-40df-8263-334f03174fed", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_201.json b/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_201.json deleted file mode 100644 index b78f7af7a6b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_201.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects an attempt to create or modify a service as type NodePort. The NodePort service allows a user to externally expose a set of labeled pods to the internet. This creates an open port on every worker node in the cluster that has a pod for that service. When external traffic is received on that open port, it directs it to the specific pod through the service representing it. A malicious user can configure a service as type Nodeport in order to intercept traffic from other pods or nodes, bypassing firewalls and other network security measures configured for load balancers within a cluster. This creates a direct method of communication between the cluster and the outside world, which could be used for more malicious behavior and certainly widens the attack surface of your cluster.", "false_positives": ["Developers may have a legitimate use for NodePorts. For frontend parts of an application you may want to expose a Service onto an external IP address without using cloud specific Loadbalancers. NodePort can be used to expose the Service on each Node's IP at a static port (the NodePort). You'll be able to contact the NodePort Service from outside the cluster, by requesting :. 
NodePort unlike Loadbalancers, allow the freedom to set up your own load balancing solution, configure environments that aren't fully supported by Kubernetes, or even to expose one or more node's IPs directly."], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Exposed Service Created With Type NodePort", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"services\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.type:\"NodePort\"\n", "references": ["https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types", "https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport", "https://www.tigera.io/blog/new-vulnerability-exposes-kubernetes-to-man-in-the-middle-attacks-heres-how-to-mitigate/"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.type", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "unknown"}], "risk_score": 47, "rule_id": "65f9bccd-510b-40df-8263-334f03174fed", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": 
"T1133", "name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 201}, "id": "65f9bccd-510b-40df-8263-334f03174fed_201", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_202.json b/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_202.json deleted file mode 100644 index c388735de62..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/65f9bccd-510b-40df-8263-334f03174fed_202.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects an attempt to create or modify a service as type NodePort. The NodePort service allows a user to externally expose a set of labeled pods to the internet. This creates an open port on every worker node in the cluster that has a pod for that service. When external traffic is received on that open port, it directs it to the specific pod through the service representing it. A malicious user can configure a service as type Nodeport in order to intercept traffic from other pods or nodes, bypassing firewalls and other network security measures configured for load balancers within a cluster. This creates a direct method of communication between the cluster and the outside world, which could be used for more malicious behavior and certainly widens the attack surface of your cluster.", "false_positives": ["Developers may have a legitimate use for NodePorts. For frontend parts of an application you may want to expose a Service onto an external IP address without using cloud specific Loadbalancers. NodePort can be used to expose the Service on each Node's IP at a static port (the NodePort). You'll be able to contact the NodePort Service from outside the cluster, by requesting :. 
NodePort unlike Loadbalancers, allow the freedom to set up your own load balancing solution, configure environments that aren't fully supported by Kubernetes, or even to expose one or more node's IPs directly."], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Exposed Service Created With Type NodePort", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"services\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.type:\"NodePort\"\n", "references": ["https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types", "https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport", "https://www.tigera.io/blog/new-vulnerability-exposes-kubernetes-to-man-in-the-middle-attacks-heres-how-to-mitigate/"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.type", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "unknown"}], "risk_score": 47, "rule_id": "65f9bccd-510b-40df-8263-334f03174fed", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1133", 
"name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 202}, "id": "65f9bccd-510b-40df-8263-334f03174fed_202", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0.json b/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0.json
deleted file mode 100644
index 1fc0102ae35..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Mount SMB Share via Command Line", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n process.name : \"mount_smbfs\" or\n (process.name : \"open\" and process.args : \"smb://*\") or\n (process.name : \"mount\" and process.args : \"smbfs\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*mount volume*smb://*\")\n ) and\n not process.parent.executable : \"/Applications/Google Drive.app/Contents/MacOS/Google Drive\"\n", "references": ["https://www.freebsd.org/cgi/man.cgi?mount_smbfs", "https://ss64.com/osx/mount.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_102.json b/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_102.json
deleted file mode 100644
index 2fec801c1a4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Mount SMB Share via Command Line", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n process.name : \"mount_smbfs\" or\n (process.name : \"open\" and process.args : \"smb://*\") or\n (process.name : \"mount\" and process.args : \"smbfs\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*mount volume*smb://*\")\n ) and\n not process.parent.executable : \"/Applications/Google Drive.app/Contents/MacOS/Google Drive\"\n", "references": ["https://www.freebsd.org/cgi/man.cgi?mount_smbfs", "https://ss64.com/osx/mount.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Lateral Movement"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_103.json b/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_103.json
deleted file mode 100644
index 2a8a87ce3fd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Mount SMB Share via Command Line", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n process.name : \"mount_smbfs\" or\n (process.name : \"open\" and process.args : \"smb://*\") or\n (process.name : \"mount\" and process.args : \"smbfs\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*mount volume*smb://*\")\n ) and\n not process.parent.executable : \"/Applications/Google Drive.app/Contents/MacOS/Google Drive\"\n", "references": ["https://www.freebsd.org/cgi/man.cgi?mount_smbfs", "https://ss64.com/osx/mount.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_104.json b/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_104.json
deleted file mode 100644
index 60c2808c693..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Mount SMB Share via Command Line", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n process.name : \"mount_smbfs\" or\n (process.name : \"open\" and process.args : \"smb://*\") or\n (process.name : \"mount\" and process.args : \"smbfs\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*mount volume*smb://*\")\n ) and\n not process.parent.executable : \"/Applications/Google Drive.app/Contents/MacOS/Google Drive\"\n", "references": ["https://www.freebsd.org/cgi/man.cgi?mount_smbfs", "https://ss64.com/osx/mount.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: 
Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_105.json b/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_105.json
deleted file mode 100644
index 2e1d2224891..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Mount SMB Share via Command Line", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n process.name : \"mount_smbfs\" or\n (process.name : \"open\" and process.args : \"smb://*\") or\n (process.name : \"mount\" and process.args : \"smbfs\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*mount volume*smb://*\")\n ) and\n not process.parent.executable : \"/Applications/Google Drive.app/Contents/MacOS/Google Drive\"\n", "references": ["https://www.freebsd.org/cgi/man.cgi?mount_smbfs", "https://ss64.com/osx/mount.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_106.json b/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_106.json
deleted file mode 100644
index 076f78d5f59..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/661545b4-1a90-4f45-85ce-2ebd7c6a15d0_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Mount SMB Share via Command Line", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n process.name : \"mount_smbfs\" or\n (process.name : \"open\" and process.args : \"smb://*\") or\n (process.name : \"mount\" and process.args : \"smbfs\") or\n (process.name : \"osascript\" and process.command_line : \"osascript*mount volume*smb://*\")\n ) and\n not process.parent.executable : \"/Applications/Google Drive.app/Contents/MacOS/Google Drive\"\n", "references": ["https://www.freebsd.org/cgi/man.cgi?mount_smbfs", "https://ss64.com/osx/mount.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "661545b4-1a90-4f45-85ce-2ebd7c6a15d0_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318.json b/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318.json
deleted file mode 100644
index c366c1228e2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies instances where VMware processes, such as \"vmware-vmx\" or \"vmx,\" are terminated on a Linux system by a \"kill\" command. The rule monitors for the \"end\" event type, which signifies the termination of a process. The presence of a \"kill\" command as the parent process for terminating VMware processes may indicate that a threat actor is attempting to interfere with the virtualized environment on the targeted system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Termination of ESXI Process", "query": "process where host.os.type == \"linux\" and event.type == \"end\" and process.name in (\"vmware-vmx\", \"vmx\")\nand process.parent.name == \"kill\"\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6641a5af-fb7e-487a-adc4-9e6503365318", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "6641a5af-fb7e-487a-adc4-9e6503365318", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_1.json b/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_1.json
deleted file mode 100644
index d1740c44c19..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where VMware processes, such as \"vmware-vmx\" or \"vmx,\" are terminated on a Linux system by a \"kill\" command. The rule monitors for the \"end\" event type, which signifies the termination of a process. The presence of a \"kill\" command as the parent process for terminating VMware processes may indicate that a threat actor is attempting to interfere with the virtualized environment on the targeted system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Termination of ESXI Process", "query": "process where host.os.type == \"linux\" and event.type == \"end\" and process.name : (\"vmware-vmx\", \"vmx\")\nand process.parent.name : \"kill\"\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6641a5af-fb7e-487a-adc4-9e6503365318", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "6641a5af-fb7e-487a-adc4-9e6503365318_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_2.json b/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_2.json deleted file mode 100644 index 55dd3d4d60f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where VMware processes, such as \"vmware-vmx\" or \"vmx,\" are terminated on a Linux system by a \"kill\" command. The rule monitors for the \"end\" event type, which signifies the termination of a process. The presence of a \"kill\" command as the parent process for terminating VMware processes may indicate that a threat actor is attempting to interfere with the virtualized environment on the targeted system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Termination of ESXI Process", "query": "process where host.os.type == \"linux\" and event.type == \"end\" and process.name : (\"vmware-vmx\", \"vmx\")\nand process.parent.name : \"kill\"\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6641a5af-fb7e-487a-adc4-9e6503365318", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "6641a5af-fb7e-487a-adc4-9e6503365318_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_3.json b/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_3.json deleted file mode 100644 index 46c13facc6d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where VMware processes, such as \"vmware-vmx\" or \"vmx,\" are terminated on a Linux system by a \"kill\" command. The rule monitors for the \"end\" event type, which signifies the termination of a process. The presence of a \"kill\" command as the parent process for terminating VMware processes may indicate that a threat actor is attempting to interfere with the virtualized environment on the targeted system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Termination of ESXI Process", "query": "process where host.os.type == \"linux\" and event.type == \"end\" and process.name : (\"vmware-vmx\", \"vmx\")\nand process.parent.name : \"kill\"\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6641a5af-fb7e-487a-adc4-9e6503365318", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "6641a5af-fb7e-487a-adc4-9e6503365318_3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_4.json b/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_4.json deleted file mode 100644 index d3468d5726c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where VMware processes, such as \"vmware-vmx\" or \"vmx,\" are terminated on a Linux system by a \"kill\" command. The rule monitors for the \"end\" event type, which signifies the termination of a process. The presence of a \"kill\" command as the parent process for terminating VMware processes may indicate that a threat actor is attempting to interfere with the virtualized environment on the targeted system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Termination of ESXI Process", "query": "process where host.os.type == \"linux\" and event.type == \"end\" and process.name : (\"vmware-vmx\", \"vmx\")\nand process.parent.name : \"kill\"\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6641a5af-fb7e-487a-adc4-9e6503365318", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "6641a5af-fb7e-487a-adc4-9e6503365318_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_5.json b/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_5.json deleted file mode 100644 index 15741500d91..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6641a5af-fb7e-487a-adc4-9e6503365318_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where VMware processes, such as \"vmware-vmx\" or \"vmx,\" are terminated on a Linux system by a \"kill\" command. The rule monitors for the \"end\" event type, which signifies the termination of a process. The presence of a \"kill\" command as the parent process for terminating VMware processes may indicate that a threat actor is attempting to interfere with the virtualized environment on the targeted system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Termination of ESXI Process", "query": "process where host.os.type == \"linux\" and event.type == \"end\" and process.name : (\"vmware-vmx\", \"vmx\")\nand process.parent.name : \"kill\"\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6641a5af-fb7e-487a-adc4-9e6503365318", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "6641a5af-fb7e-487a-adc4-9e6503365318_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6649e656-6f85-11ef-8876-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/6649e656-6f85-11ef-8876-f661ea17fbcc_1.json deleted file mode 100644 index acd31c104fd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6649e656-6f85-11ef-8876-f661ea17fbcc_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a failed OAuth 2.0 token grant attempt for a public client app using client credentials. This event is generated when a public client app attempts to exchange a client credentials grant for an OAuth 2.0 access token, but the request is denied due to the lack of required scopes. This could indicate compromised client credentials in which an adversary is attempting to obtain an access token for unauthorized scopes. This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule where the `okta.actor.display_name` field value has not been seen in the last 14 days regarding this event.", "from": "now-9m", "history_window_start": "now-14d", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", "new_terms_fields": ["okta.actor.display_name"], "query": "event.dataset: okta.system\n and event.action: \"app.oauth2.as.token.grant\"\n and okta.actor.type: \"PublicClientApp\"\n and okta.debug_context.debug_data.flattened.grantType: \"client_credentials\"\n and okta.outcome.result: \"FAILURE\"\n and not okta.client.user_agent.raw_user_agent: \"Okta-Integrations\"\n and not okta.actor.display_name: (Okta* or Datadog)\n and not okta.debug_context.debug_data.flattened.requestedScopes: (\"okta.logs.read\" or \"okta.eventHooks.read\" or \"okta.inlineHooks.read\")\n and okta.outcome.reason: \"no_matching_scope\"\n", "references": ["https://github.blog/news-insights/company-news/security-alert-stolen-oauth-user-tokens/", "https://developer.okta.com/docs/reference/api/event-types/"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": 
"okta.actor.display_name", "type": "keyword"}, {"ecs": false, "name": "okta.actor.type", "type": "keyword"}, {"ecs": false, "name": "okta.client.user_agent.raw_user_agent", "type": "keyword"}, {"ecs": false, "name": "okta.debug_context.debug_data.flattened.grantType", "type": "unknown"}, {"ecs": false, "name": "okta.debug_context.debug_data.flattened.requestedScopes", "type": "unknown"}, {"ecs": false, "name": "okta.outcome.reason", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.result", "type": "keyword"}], "risk_score": 47, "rule_id": "6649e656-6f85-11ef-8876-f661ea17fbcc", "severity": "medium", "tags": ["Domain: SaaS", "Data Source: Okta", "Use Case: Threat Detection", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "6649e656-6f85-11ef-8876-f661ea17fbcc_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6649e656-6f85-11ef-8876-f661ea17fbcc_104.json b/packages/security_detection_engine/kibana/security_rule/6649e656-6f85-11ef-8876-f661ea17fbcc_104.json new file mode 100644 index 00000000000..857ebb6dd2f --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6649e656-6f85-11ef-8876-f661ea17fbcc_104.json 
@@ -0,0 +1,119 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies a failed OAuth 2.0 token grant attempt for a public client app using client credentials. This event is generated when a public client app attempts to exchange a client credentials grant for an OAuth 2.0 access token, but the request is denied due to the lack of required scopes. This could indicate compromised client credentials in which an adversary is attempting to obtain an access token for unauthorized scopes. This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule where the `okta.actor.display_name` field value has not been seen in the last 14 days regarding this event.", + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", + "new_terms_fields": [ + "okta.actor.display_name" + ], + "query": "event.dataset: okta.system\n and event.action: \"app.oauth2.as.token.grant\"\n and okta.actor.type: \"PublicClientApp\"\n and okta.debug_context.debug_data.flattened.grantType: \"client_credentials\"\n and okta.outcome.result: \"FAILURE\"\n and not okta.client.user_agent.raw_user_agent: \"Okta-Integrations\"\n and not okta.actor.display_name: (Okta* or Datadog)\n and not okta.debug_context.debug_data.flattened.requestedScopes: (\"okta.logs.read\" or \"okta.eventHooks.read\" or \"okta.inlineHooks.read\")\n and okta.outcome.reason: \"no_matching_scope\"\n", + "references": [ + "https://github.blog/news-insights/company-news/security-alert-stolen-oauth-user-tokens/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", + "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta" + ], + 
"related_integrations": [ + { + "package": "okta", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.actor.display_name", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.actor.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.client.user_agent.raw_user_agent", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.debug_context.debug_data.flattened.grantType", + "type": "unknown" + }, + { + "ecs": false, + "name": "okta.debug_context.debug_data.flattened.requestedScopes", + "type": "unknown" + }, + { + "ecs": false, + "name": "okta.outcome.reason", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.outcome.result", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6649e656-6f85-11ef-8876-f661ea17fbcc", + "severity": "medium", + "tags": [ + "Domain: SaaS", + "Data Source: Okta", + "Use Case: Threat Detection", + "Use Case: Identity and Access Audit", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1550", + "name": "Use Alternate Authentication Material", + "reference": "https://attack.mitre.org/techniques/T1550/", + "subtechnique": [ + { + "id": "T1550.001", + "name": "Application Access Token", + "reference": "https://attack.mitre.org/techniques/T1550/001/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 104 + }, + "id": "6649e656-6f85-11ef-8876-f661ea17fbcc_104", + "type": "security-rule" +} \ No newline at end of file 
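Review bot: The exclusion `and not okta.client.user_agent.raw_user_agent: "Okta-Integrations"` in the `query` string filters on a value the token requester supplies, so an actor holding stolen client credentials can suppress this rule by sending that User-Agent, and the `not okta.actor.display_name: (Okta* or Datadog)` prefix wildcard likewise excludes any public client app whose display name happens to start with "Okta". The intent of the exclusion is presumably to drop Okta's own integration traffic, which the hunk does not state; if so, tie the two conditions together so the User-Agent alone is not enough, e.g. `and not (okta.client.user_agent.raw_user_agent: "Okta-Integrations" and okta.actor.display_name: Okta*)`. The `description` would benefit from a sentence recording that the User-Agent and display-name exclusions are client-influenced and should be reviewed against the tenant's actual integrations before tuning. The query itself is identical to the removed `_2` and `_4` versions, so this applies to the rule as shipped, not only to this repackaging.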
diff --git a/packages/security_detection_engine/kibana/security_rule/6649e656-6f85-11ef-8876-f661ea17fbcc_2.json b/packages/security_detection_engine/kibana/security_rule/6649e656-6f85-11ef-8876-f661ea17fbcc_2.json deleted file mode 100644 index b7a05ec6208..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6649e656-6f85-11ef-8876-f661ea17fbcc_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a failed OAuth 2.0 token grant attempt for a public client app using client credentials. This event is generated when a public client app attempts to exchange a client credentials grant for an OAuth 2.0 access token, but the request is denied due to the lack of required scopes. This could indicate compromised client credentials in which an adversary is attempting to obtain an access token for unauthorized scopes. This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule where the `okta.actor.display_name` field value has not been seen in the last 14 days regarding this event.", "from": "now-9m", "history_window_start": "now-14d", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", "new_terms_fields": ["okta.actor.display_name"], "query": "event.dataset: okta.system\n and event.action: \"app.oauth2.as.token.grant\"\n and okta.actor.type: \"PublicClientApp\"\n and okta.debug_context.debug_data.flattened.grantType: \"client_credentials\"\n and okta.outcome.result: \"FAILURE\"\n and not okta.client.user_agent.raw_user_agent: \"Okta-Integrations\"\n and not okta.actor.display_name: (Okta* or Datadog)\n and not okta.debug_context.debug_data.flattened.requestedScopes: (\"okta.logs.read\" or \"okta.eventHooks.read\" or \"okta.inlineHooks.read\")\n and okta.outcome.reason: \"no_matching_scope\"\n", "references": ["https://github.blog/news-insights/company-news/security-alert-stolen-oauth-user-tokens/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": 
[{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.actor.display_name", "type": "keyword"}, {"ecs": false, "name": "okta.actor.type", "type": "keyword"}, {"ecs": false, "name": "okta.client.user_agent.raw_user_agent", "type": "keyword"}, {"ecs": false, "name": "okta.debug_context.debug_data.flattened.grantType", "type": "unknown"}, {"ecs": false, "name": "okta.debug_context.debug_data.flattened.requestedScopes", "type": "unknown"}, {"ecs": false, "name": "okta.outcome.reason", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.result", "type": "keyword"}], "risk_score": 47, "rule_id": "6649e656-6f85-11ef-8876-f661ea17fbcc", "severity": "medium", "tags": ["Domain: SaaS", "Data Source: Okta", "Use Case: Threat Detection", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "6649e656-6f85-11ef-8876-f661ea17fbcc_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6649e656-6f85-11ef-8876-f661ea17fbcc_4.json b/packages/security_detection_engine/kibana/security_rule/6649e656-6f85-11ef-8876-f661ea17fbcc_4.json deleted file mode 100644 index bdc8c581c58..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6649e656-6f85-11ef-8876-f661ea17fbcc_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a failed OAuth 2.0 token grant attempt for a public client app using client credentials. This event is generated when a public client app attempts to exchange a client credentials grant for an OAuth 2.0 access token, but the request is denied due to the lack of required scopes. This could indicate compromised client credentials in which an adversary is attempting to obtain an access token for unauthorized scopes. This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule where the `okta.actor.display_name` field value has not been seen in the last 14 days regarding this event.", "from": "now-9m", "history_window_start": "now-14d", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", "new_terms_fields": ["okta.actor.display_name"], "query": "event.dataset: okta.system\n and event.action: \"app.oauth2.as.token.grant\"\n and okta.actor.type: \"PublicClientApp\"\n and okta.debug_context.debug_data.flattened.grantType: \"client_credentials\"\n and okta.outcome.result: \"FAILURE\"\n and not okta.client.user_agent.raw_user_agent: \"Okta-Integrations\"\n and not okta.actor.display_name: (Okta* or Datadog)\n and not okta.debug_context.debug_data.flattened.requestedScopes: (\"okta.logs.read\" or \"okta.eventHooks.read\" or \"okta.inlineHooks.read\")\n and okta.outcome.reason: \"no_matching_scope\"\n", "references": ["https://github.blog/news-insights/company-news/security-alert-stolen-oauth-user-tokens/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": 
[{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.actor.display_name", "type": "keyword"}, {"ecs": false, "name": "okta.actor.type", "type": "keyword"}, {"ecs": false, "name": "okta.client.user_agent.raw_user_agent", "type": "keyword"}, {"ecs": false, "name": "okta.debug_context.debug_data.flattened.grantType", "type": "unknown"}, {"ecs": false, "name": "okta.debug_context.debug_data.flattened.requestedScopes", "type": "unknown"}, {"ecs": false, "name": "okta.outcome.reason", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.result", "type": "keyword"}], "risk_score": 47, "rule_id": "6649e656-6f85-11ef-8876-f661ea17fbcc", "severity": "medium", "tags": ["Domain: SaaS", "Data Source: Okta", "Use Case: Threat Detection", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 4}, "id": "6649e656-6f85-11ef-8876-f661ea17fbcc_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac.json b/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac.json deleted file mode 100644 index 02f2cf7d228..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of WebServer access logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "WebServer Access Logs Deleted", "query": "file where event.type == \"deletion\" and\n file.path : (\"C:\\\\inetpub\\\\logs\\\\LogFiles\\\\*.log\",\n \"/var/log/apache*/access.log\",\n \"/etc/httpd/logs/access_log\",\n \"/var/log/httpd/access_log\",\n \"/var/www/*/logs/access.log\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}], "risk_score": 47, "rule_id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/"}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_101.json b/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_101.json deleted file mode 100644 index d24cbb5b40a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of WebServer access logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "WebServer Access Logs Deleted", "note": "", "query": "file where event.type == \"deletion\" and\n file.path : (\"C:\\\\inetpub\\\\logs\\\\LogFiles\\\\*.log\",\n \"/var/log/apache*/access.log\",\n \"/etc/httpd/logs/access_log\",\n \"/var/log/httpd/access_log\",\n \"/var/www/*/logs/access.log\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}], "risk_score": 47, "rule_id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 101}, "id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac_101", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_102.json b/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_102.json deleted file mode 100644 index 3a01cebc857..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of WebServer access logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "WebServer Access Logs Deleted", "note": "", "query": "file where event.type == \"deletion\" and\n file.path : (\"C:\\\\inetpub\\\\logs\\\\LogFiles\\\\*.log\",\n \"/var/log/apache*/access.log\",\n \"/etc/httpd/logs/access_log\",\n \"/var/log/httpd/access_log\",\n \"/var/www/*/logs/access.log\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}], "risk_score": 47, "rule_id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_103.json b/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_103.json deleted file mode 100644 index 7ce5f682f3b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of WebServer access logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "WebServer Access Logs Deleted", "note": "", "query": "file where event.type == \"deletion\" and\n file.path : (\"C:\\\\inetpub\\\\logs\\\\LogFiles\\\\*.log\",\n \"/var/log/apache*/access.log\",\n \"/etc/httpd/logs/access_log\",\n \"/var/log/httpd/access_log\",\n \"/var/www/*/logs/access.log\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}], "risk_score": 47, "rule_id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_104.json b/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_104.json deleted file mode 100644 index 7ce2f7b7c85..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of WebServer access logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "WebServer Access Logs Deleted", "query": "file where event.type == \"deletion\" and\n file.path : (\"C:\\\\inetpub\\\\logs\\\\LogFiles\\\\*.log\",\n \"/var/log/apache*/access.log\",\n \"/etc/httpd/logs/access_log\",\n \"/var/log/httpd/access_log\",\n \"/var/www/*/logs/access.log\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}], "risk_score": 47, "rule_id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 
104}, "id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_105.json b/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_105.json deleted file mode 100644 index 2bb9d941740..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of WebServer access logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "WebServer Access Logs Deleted", "query": "file where event.type == \"deletion\" and\n file.path : (\"C:\\\\inetpub\\\\logs\\\\LogFiles\\\\*.log\",\n \"/var/log/apache*/access.log\",\n \"/etc/httpd/logs/access_log\",\n \"/var/log/httpd/access_log\",\n \"/var/www/*/logs/access.log\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}], "risk_score": 47, "rule_id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/"}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_106.json b/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_106.json deleted file mode 100644 index dabaa366c41..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/665e7a4f-c58e-4fc6-bc83-87a7572670ac_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of WebServer access logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "WebServer Access Logs Deleted", "query": "file where event.type == \"deletion\" and\n file.path : (\"C:\\\\inetpub\\\\logs\\\\LogFiles\\\\*.log\",\n \"/var/log/apache*/access.log\",\n \"/etc/httpd/logs/access_log\",\n \"/var/log/httpd/access_log\",\n \"/var/www/*/logs/access.log\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}], "risk_score": 47, "rule_id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/"}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "665e7a4f-c58e-4fc6-bc83-87a7572670ac_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d.json b/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d.json deleted file mode 100644 index d5110f8389f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting a specific user account from the same source address and within a short time interval, followed by a successful authentication.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Successful Linux FTP Brute Force Attack Detected", "query": "sequence by host.id, auditd.data.addr, related.user with maxspan=5s\n [authentication where host.os.type == \"linux\" and event.action == \"authenticated\" and\n auditd.data.terminal == \"ftp\" and event.outcome == \"failure\" and auditd.data.addr != null and\n auditd.data.addr != \"0.0.0.0\" and auditd.data.addr != \"::\"] with runs=10\n [authentication where host.os.type == \"linux\" and event.action == \"authenticated\" and\n auditd.data.terminal == \"ftp\" and event.outcome == \"success\" and auditd.data.addr != null and\n auditd.data.addr != \"0.0.0.0\" and auditd.data.addr != \"::\"] | tail 1\n", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.addr", "type": "unknown"}, {"ecs": false, "name": "auditd.data.terminal", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "related.user", "type": 
"keyword"}], "risk_score": 47, "rule_id": "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Auditd Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required to be added to the integration.\n", "severity": "medium", "tags": ["Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password 
Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 7}, "id": "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_1.json b/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_1.json deleted file mode 100644 index 1f5772fec70..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting a specific user account from the same source address and within a short time interval, followed by a successful authentication.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Successful Linux FTP Brute Force Attack Detected", "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. 
\n```\nFor this detection rule no additional audit rules are required to be added to the integration. \n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "sequence by host.id, auditd.data.addr, related.user with maxspan=5s\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal == \"ftp\" and event.outcome == \"failure\" and \n auditd.data.addr != null and auditd.data.addr != \"0.0.0.0\" and auditd.data.addr != \"::\"] with runs=10\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal == \"ftp\" and event.outcome == \"success\" and \n auditd.data.addr != null and auditd.data.addr != \"0.0.0.0\" and auditd.data.addr != \"::\"] | tail 1\n", "related_integrations": [{"integration": "auditd", "package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.addr", "type": "unknown"}, {"ecs": false, "name": "auditd.data.terminal", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "related.user", "type": "keyword"}], "risk_score": 47, "rule_id": "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d", "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n```\nFor this detection rule no additional audit rules are required to be added to the integration.\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 1}, "id": "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_2.json b/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_2.json deleted file mode 100644 index c8da74c489f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting a specific user account from the same source address and within a short time interval, followed by a successful authentication.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Successful Linux FTP Brute Force Attack Detected", "note": "### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Auditd Manager and select the integration to see more details about it.\n- Click Add Auditd Manager.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed `auditd manager` to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click Save and Continue.\n- For more details on the integeration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required to be added to the integration.", "query": "sequence by host.id, auditd.data.addr, related.user with maxspan=5s\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal == \"ftp\" and event.outcome == \"failure\" and \n auditd.data.addr != null and auditd.data.addr != \"0.0.0.0\" and auditd.data.addr != \"::\"] with runs=10\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and 
auditd.data.terminal == \"ftp\" and event.outcome == \"success\" and \n auditd.data.addr != null and auditd.data.addr != \"0.0.0.0\" and auditd.data.addr != \"::\"] | tail 1\n", "related_integrations": [{"integration": "auditd", "package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.addr", "type": "unknown"}, {"ecs": false, "name": "auditd.data.terminal", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "related.user", "type": "keyword"}], "risk_score": 47, "rule_id": "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d", "setup": "This rule requires data coming in either from Auditbeat integration, or Auditd Manager integration.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 2}, "id": "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_3.json b/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_3.json deleted file mode 100644 index 0b3f4fb3416..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting a specific user account from the same source address and within a short time interval, followed by a successful authentication.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Successful Linux FTP Brute Force Attack Detected", "query": "sequence by host.id, auditd.data.addr, related.user with maxspan=5s\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal == \"ftp\" and event.outcome == \"failure\" and \n auditd.data.addr != null and auditd.data.addr != \"0.0.0.0\" and auditd.data.addr != \"::\"] with runs=10\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal == \"ftp\" and event.outcome == \"success\" and \n auditd.data.addr != null and auditd.data.addr != \"0.0.0.0\" and auditd.data.addr != \"::\"] | tail 1\n", "related_integrations": [{"integration": "auditd", "package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.addr", "type": "unknown"}, {"ecs": false, "name": "auditd.data.terminal", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", 
"type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "related.user", "type": "keyword"}], "risk_score": 47, "rule_id": "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d", "setup": "\nThis rule requires data coming in either from Auditbeat integration, or Auditd Manager integration.\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing 
through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Auditd Manager and select the integration to see more details about it.\n- Click Add Auditd Manager.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed `auditd manager` to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click Save and Continue.\n- For more details on the integeration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required to be added to the integration.\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": 
"https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 3}, "id": "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_4.json b/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_4.json deleted file mode 100644 index 77718bffbe4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting a specific user account from the same source address and within a short time interval, followed by a successful authentication.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Successful Linux FTP Brute Force Attack Detected", "query": "sequence by host.id, auditd.data.addr, related.user with maxspan=5s\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal == \"ftp\" and event.outcome == \"failure\" and \n auditd.data.addr != null and auditd.data.addr != \"0.0.0.0\" and auditd.data.addr != \"::\"] with runs=10\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal == \"ftp\" and event.outcome == \"success\" and \n auditd.data.addr != null and auditd.data.addr != \"0.0.0.0\" and auditd.data.addr != \"::\"] | tail 1\n", "related_integrations": [{"integration": "auditd", "package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.addr", "type": "unknown"}, {"ecs": false, "name": "auditd.data.terminal", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", 
"type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "related.user", "type": "keyword"}], "risk_score": 47, "rule_id": "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Auditd Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring 
system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required to be added to the integration.\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": 
"Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 4}, "id": "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_5.json b/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_5.json deleted file mode 100644 index a199bb49f3e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting a specific user account from the same source address and within a short time interval, followed by a successful authentication.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Successful Linux FTP Brute Force Attack Detected", "query": "sequence by host.id, auditd.data.addr, related.user with maxspan=5s\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal == \"ftp\" and event.outcome == \"failure\" and \n auditd.data.addr != null and auditd.data.addr != \"0.0.0.0\" and auditd.data.addr != \"::\"] with runs=10\n [authentication where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n event.action == \"authenticated\" and auditd.data.terminal == \"ftp\" and event.outcome == \"success\" and \n auditd.data.addr != null and auditd.data.addr != \"0.0.0.0\" and auditd.data.addr != \"::\"] | tail 1\n", "related_integrations": [{"integration": "auditd", "package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.addr", "type": "keyword"}, {"ecs": false, "name": "auditd.data.terminal", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", 
"type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "related.user", "type": "keyword"}], "risk_score": 47, "rule_id": "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Auditd Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring 
system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required to be added to the integration.\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": 
"Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 5}, "id": "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_6.json b/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_6.json deleted file mode 100644 index 8668772d713..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An FTP (file transfer protocol) brute force attack is a method where an attacker systematically tries different combinations of usernames and passwords to gain unauthorized access to an FTP server, and if successful, the impact can include unauthorized data access, manipulation, or theft, compromising the security and integrity of the server and potentially exposing sensitive information. This rule identifies multiple consecutive authentication failures targeting a specific user account from the same source address and within a short time interval, followed by a successful authentication.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Successful Linux FTP Brute Force Attack Detected", "query": "sequence by host.id, auditd.data.addr, related.user with maxspan=5s\n [authentication where host.os.type == \"linux\" and event.action == \"authenticated\" and\n auditd.data.terminal == \"ftp\" and event.outcome == \"failure\" and auditd.data.addr != null and\n auditd.data.addr != \"0.0.0.0\" and auditd.data.addr != \"::\"] with runs=10\n [authentication where host.os.type == \"linux\" and event.action == \"authenticated\" and\n auditd.data.terminal == \"ftp\" and event.outcome == \"success\" and auditd.data.addr != null and\n auditd.data.addr != \"0.0.0.0\" and auditd.data.addr != \"::\"] | tail 1\n", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.addr", "type": "unknown"}, {"ecs": false, "name": "auditd.data.terminal", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "related.user", "type": 
"keyword"}], "risk_score": 47, "rule_id": "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Auditd Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required to be added to the integration.\n\n", "severity": "medium", "tags": ["Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password 
Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 6}, "id": "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32.json b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32.json
deleted file mode 100644
index 4798159c48c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.", "from": "now-9m", "index": ["logs-endpoint.events.network-*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Web Services", "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network 
Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with 
legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"pastebin.*\",\n \"paste4btc.com\",\n \"paste.ee\",\n \"ghostbin.com\",\n \"drive.google.com\",\n \"?.docs.live.net\",\n \"api.dropboxapi.*\",\n \"content.dropboxapi.*\",\n \"dl.dropboxusercontent.*\",\n \"api.onedrive.com\",\n \"*.onedrive.org\",\n \"onedrive.live.com\",\n \"filebin.net\",\n \"*.ngrok.io\",\n \"ngrok.com\",\n \"*.portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n 
\"requestbin.net\",\n \"slack.com\",\n \"api.slack.com\",\n \"slack-redir.net\",\n \"slack-files.com\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\",\n \"apis.azureedge.net\",\n \"cdn.sql.gg\",\n \"?.top4top.io\",\n \"top4top.io\",\n \"www.uplooder.net\",\n \"*.cdnmegafiles.com\",\n \"transfer.sh\",\n \"gofile.io\",\n \"updates.peer2profit.com\",\n \"api.telegram.org\",\n \"t.me\",\n \"meacz.gq\",\n \"rwrd.org\",\n \"*.publicvm.com\",\n \"*.blogspot.com\",\n \"api.mylnikov.org\",\n \"file.io\",\n \"stackoverflow.com\",\n \"*files.1drv.com\",\n \"api.anonfile.com\",\n \"*hosting-profi.de\",\n \"ipbase.com\",\n \"ipfs.io\",\n \"*up.freeo*.space\",\n \"api.mylnikov.org\",\n \"script.google.com\",\n \"script.googleusercontent.com\",\n \"api.notion.com\",\n \"graph.microsoft.com\",\n \"*.sharepoint.com\",\n \"mbasic.facebook.com\",\n \"login.live.com\",\n \"api.gofile.io\",\n \"api.anonfiles.com\",\n \"api.notion.com\",\n \"api.trello.com\",\n \"gist.githubusercontent.com\",\n \"files.pythonhosted.org\",\n \"g.live.com\",\n \"*.zulipchat.com\",\n \"webhook.site\",\n \"run.mocky.io\",\n \"mockbin.org\", \n \"www.googleapis.com\", \n \"googleapis.com\") and\n \n /* Insert noisy false positives here */\n not (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\BraveSoftware\\\\*\\\\Application\\\\brave.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Vivaldi\\\\Application\\\\vivaldi.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera*\\\\opera.exe\",\n 
\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\"\n )\n ) or\n \n /* Discord App */\n (process.name : \"Discord.exe\" and (process.code_signature.subject_name : \"Discord Inc.\" and\n process.code_signature.trusted == true) and dns.question.name : (\"discord.com\", \"cdn.discordapp.com\", \"discordapp.com\")\n ) or \n\n /* MS Sharepoint */\n (process.name : \"Microsoft.SharePoint.exe\" and (process.code_signature.subject_name : \"Microsoft Corporation\" and\n process.code_signature.trusted == true) and dns.question.name : \"onedrive.live.com\"\n ) or \n\n /* Firefox */\n (process.name : \"firefox.exe\" and (process.code_signature.subject_name : \"Mozilla Corporation\" and\n process.code_signature.trusted == true)\n ) or \n\n /* Dropbox */\n (process.name : \"Dropbox.exe\" and (process.code_signature.subject_name : \"Dropbox, Inc\" and\n process.code_signature.trusted == true) and dns.question.name : (\"api.dropboxapi.com\", \"*.dropboxusercontent.com\")\n ) or \n\n /* Obsidian - Plugins are stored on raw.githubusercontent.com */\n (process.name : \"Obsidian.exe\" and (process.code_signature.subject_name : \"Dynalist Inc\" and\n process.code_signature.trusted == true) and dns.question.name : \"raw.githubusercontent.com\"\n ) or \n\n /* WebExperienceHostApp */\n (process.name : \"WebExperienceHostApp.exe\" and (process.code_signature.subject_name : \"Microsoft Windows\" and\n process.code_signature.trusted == true) and dns.question.name : (\"onedrive.live.com\", \"skyapi.onedrive.live.com\")\n ) or\n\n (process.code_signature.subject_name : \"Microsoft *\" and process.code_signature.trusted == true and\n dns.question.name : (\"*.sharepoint.com\", \"graph.microsoft.com\", 
\"g.live.com\", \"login.live.com\", \"login.live.com\")) or\n\n (process.code_signature.trusted == true and\n process.code_signature.subject_name :\n (\"Johannes Schindelin\",\n \"Redis Inc.\",\n \"Slack Technologies, LLC\",\n \"Cisco Systems, Inc.\",\n \"Dropbox, Inc\",\n \"Amazon.com Services LLC\"))\n ) \n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1102", "name": "Web Service", "reference": "https://attack.mitre.org/techniques/T1102/"}, {"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1567", "name": "Exfiltration Over Web Service", "reference": "https://attack.mitre.org/techniques/T1567/", "subtechnique": [{"id": 
"T1567.001", "name": "Exfiltration to Code Repository", "reference": "https://attack.mitre.org/techniques/T1567/001/"}, {"id": "T1567.002", "name": "Exfiltration to Cloud Storage", "reference": "https://attack.mitre.org/techniques/T1567/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 114}, "id": "66883649-f908-4a5b-a1e0-54090a1d3a32", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_104.json b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_104.json deleted file mode 100644 index 237dc5165a7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Web Services", "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. 
Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n \"requestbin.net\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\",\n 
\"script.google.com\",\n \"script.googleusercontent.com\"\n ) and\n /* Insert noisy false positives here */\n not process.executable :\n (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Discord\\\\app-*\\\\Discord.exe\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1102", "name": "Web Service", "reference": "https://attack.mitre.org/techniques/T1102/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", 
"reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1567", "name": "Exfiltration Over Web Service", "reference": "https://attack.mitre.org/techniques/T1567/", "subtechnique": [{"id": "T1567.001", "name": "Exfiltration to Code Repository", "reference": "https://attack.mitre.org/techniques/T1567/001/"}, {"id": "T1567.002", "name": "Exfiltration to Cloud Storage", "reference": "https://attack.mitre.org/techniques/T1567/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "66883649-f908-4a5b-a1e0-54090a1d3a32_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_105.json b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_105.json deleted file mode 100644 index 38705267c3b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Web Services", "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n \"requestbin.net\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\",\n \"script.google.com\",\n \"script.googleusercontent.com\"\n ) and\n /* Insert noisy false positives here */\n not (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n 
\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\"\n ) or\n \n /* Discord App */\n (process.name : \"Discord.exe\" and (process.code_signature.subject_name : \"Discord Inc.\" and\n process.code_signature.trusted == true) and dns.question.name : (\"discord.com\", \"cdn.discordapp.com\", \"discordapp.com\")\n ) or \n\n /* MS Sharepoint */\n (process.name : \"Microsoft.SharePoint.exe\" and (process.code_signature.subject_name : \"Microsoft Corporation\" and\n process.code_signature.trusted == true) and dns.question.name : \"onedrive.live.com\"\n ) or \n\n /* Firefox */\n (process.name : \"firefox.exe\" and (process.code_signature.subject_name : \"Mozilla Corporation\" and\n process.code_signature.trusted == true)\n )\n ) \n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1102", "name": "Web Service", "reference": "https://attack.mitre.org/techniques/T1102/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": 
"Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1567", "name": "Exfiltration Over Web Service", "reference": "https://attack.mitre.org/techniques/T1567/", "subtechnique": [{"id": "T1567.001", "name": "Exfiltration to Code Repository", "reference": "https://attack.mitre.org/techniques/T1567/001/"}, {"id": "T1567.002", "name": "Exfiltration to Cloud Storage", "reference": "https://attack.mitre.org/techniques/T1567/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "66883649-f908-4a5b-a1e0-54090a1d3a32_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_106.json b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_106.json deleted file mode 100644 index 2cd3b1277d6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_106.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Web Services", "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n \"requestbin.net\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\",\n \"script.google.com\",\n \"script.googleusercontent.com\"\n ) and\n /* Insert noisy false positives here */\n not (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n 
\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\"\n ) or\n \n /* Discord App */\n (process.name : \"Discord.exe\" and (process.code_signature.subject_name : \"Discord Inc.\" and\n process.code_signature.trusted == true) and dns.question.name : (\"discord.com\", \"cdn.discordapp.com\", \"discordapp.com\")\n ) or \n\n /* MS Sharepoint */\n (process.name : \"Microsoft.SharePoint.exe\" and (process.code_signature.subject_name : \"Microsoft Corporation\" and\n process.code_signature.trusted == true) and dns.question.name : \"onedrive.live.com\"\n ) or \n\n /* Firefox */\n (process.name : \"firefox.exe\" and (process.code_signature.subject_name : \"Mozilla Corporation\" and\n process.code_signature.trusted == true)\n )\n ) \n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1102", "name": "Web Service", "reference": "https://attack.mitre.org/techniques/T1102/"}]}, {"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1567", "name": "Exfiltration Over Web Service", "reference": "https://attack.mitre.org/techniques/T1567/", "subtechnique": [{"id": "T1567.001", "name": "Exfiltration to Code Repository", "reference": "https://attack.mitre.org/techniques/T1567/001/"}, {"id": "T1567.002", "name": "Exfiltration to Cloud Storage", "reference": "https://attack.mitre.org/techniques/T1567/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "66883649-f908-4a5b-a1e0-54090a1d3a32_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_107.json b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_107.json
deleted file mode 100644
index 72f67a286fb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Web Services", "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n \"requestbin.net\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\",\n \"script.google.com\",\n \"script.googleusercontent.com\"\n ) and\n /* Insert noisy false positives here */\n not (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n 
\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\"\n ) or\n \n /* Discord App */\n (process.name : \"Discord.exe\" and (process.code_signature.subject_name : \"Discord Inc.\" and\n process.code_signature.trusted == true) and dns.question.name : (\"discord.com\", \"cdn.discordapp.com\", \"discordapp.com\")\n ) or \n\n /* MS Sharepoint */\n (process.name : \"Microsoft.SharePoint.exe\" and (process.code_signature.subject_name : \"Microsoft Corporation\" and\n process.code_signature.trusted == true) and dns.question.name : \"onedrive.live.com\"\n ) or \n\n /* Firefox */\n (process.name : \"firefox.exe\" and (process.code_signature.subject_name : \"Mozilla Corporation\" and\n process.code_signature.trusted == true)\n )\n ) \n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1102", "name": "Web Service", "reference": "https://attack.mitre.org/techniques/T1102/"}]}, 
{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1567", "name": "Exfiltration Over Web Service", "reference": "https://attack.mitre.org/techniques/T1567/", "subtechnique": [{"id": "T1567.001", "name": "Exfiltration to Code Repository", "reference": "https://attack.mitre.org/techniques/T1567/001/"}, {"id": "T1567.002", "name": "Exfiltration to Cloud Storage", "reference": "https://attack.mitre.org/techniques/T1567/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "66883649-f908-4a5b-a1e0-54090a1d3a32_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_108.json b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_108.json
deleted file mode 100644
index 143f55b7002..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Web Services", "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n \"requestbin.net\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\",\n \"script.google.com\",\n \"script.googleusercontent.com\"\n ) and\n /* Insert noisy false positives here */\n not (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n 
\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\"\n ) or\n \n /* Discord App */\n (process.name : \"Discord.exe\" and (process.code_signature.subject_name : \"Discord Inc.\" and\n process.code_signature.trusted == true) and dns.question.name : (\"discord.com\", \"cdn.discordapp.com\", \"discordapp.com\")\n ) or \n\n /* MS Sharepoint */\n (process.name : \"Microsoft.SharePoint.exe\" and (process.code_signature.subject_name : \"Microsoft Corporation\" and\n process.code_signature.trusted == true) and dns.question.name : \"onedrive.live.com\"\n ) or \n\n /* Firefox */\n (process.name : \"firefox.exe\" and (process.code_signature.subject_name : \"Mozilla Corporation\" and\n process.code_signature.trusted == true)\n )\n ) \n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1102", "name": "Web Service", "reference": "https://attack.mitre.org/techniques/T1102/"}, 
{"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1567", "name": "Exfiltration Over Web Service", "reference": "https://attack.mitre.org/techniques/T1567/", "subtechnique": [{"id": "T1567.001", "name": "Exfiltration to Code Repository", "reference": "https://attack.mitre.org/techniques/T1567/001/"}, {"id": "T1567.002", "name": "Exfiltration to Cloud Storage", "reference": "https://attack.mitre.org/techniques/T1567/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "66883649-f908-4a5b-a1e0-54090a1d3a32_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_109.json b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_109.json
deleted file mode 100644
index 07bbdd0fa45..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Web Services", "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n \"requestbin.net\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\",\n \"script.google.com\",\n \"script.googleusercontent.com\"\n ) and\n /* Insert noisy false positives here */\n not (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\BraveSoftware\\\\*\\\\Application\\\\brave.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Vivaldi\\\\Application\\\\vivaldi.exe\",\n 
\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera*\\\\opera.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\"\n ) and process.code_signature.trusted == true\n ) or\n \n /* Discord App */\n (process.name : \"Discord.exe\" and (process.code_signature.subject_name : \"Discord Inc.\" and\n process.code_signature.trusted == true) and dns.question.name : (\"discord.com\", \"cdn.discordapp.com\", \"discordapp.com\")\n ) or \n\n /* MS Sharepoint */\n (process.name : \"Microsoft.SharePoint.exe\" and (process.code_signature.subject_name : \"Microsoft Corporation\" and\n process.code_signature.trusted == true) and dns.question.name : \"onedrive.live.com\"\n ) or \n\n /* Firefox */\n (process.name : \"firefox.exe\" and (process.code_signature.subject_name : \"Mozilla Corporation\" and\n process.code_signature.trusted == true)\n ) or \n\n /* Dropbox */\n (process.name : \"Dropbox.exe\" and (process.code_signature.subject_name : \"Dropbox, Inc\" and\n process.code_signature.trusted == true) and dns.question.name : (\"api.dropboxapi.com\", \"*.dropboxusercontent.com\")\n ) or \n\n /* Obsidian - Plugins are stored on raw.githubusercontent.com */\n (process.name : \"Obsidian.exe\" and (process.code_signature.subject_name : \"Dynalist Inc\" and\n process.code_signature.trusted == true) and dns.question.name : \"raw.githubusercontent.com\"\n ) or \n\n /* WebExperienceHostApp */\n (process.name : \"WebExperienceHostApp.exe\" and (process.code_signature.subject_name : \"Microsoft Windows\" and\n process.code_signature.trusted == true) and dns.question.name : (\"onedrive.live.com\", \"skyapi.onedrive.live.com\")\n )\n ) \n", "related_integrations": [{"package": "endpoint", 
"version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1102", "name": "Web Service", "reference": "https://attack.mitre.org/techniques/T1102/"}, {"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1567", "name": "Exfiltration Over Web Service", "reference": "https://attack.mitre.org/techniques/T1567/", "subtechnique": [{"id": "T1567.001", "name": "Exfiltration to Code Repository", "reference": "https://attack.mitre.org/techniques/T1567/001/"}, {"id": "T1567.002", "name": "Exfiltration to Cloud Storage", "reference": "https://attack.mitre.org/techniques/T1567/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": 
"66883649-f908-4a5b-a1e0-54090a1d3a32_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_110.json b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_110.json
deleted file mode 100644
index f4af87e31ea..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Web Services", "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network 
Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with 
legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"*.pastebin.*\",\n \"*drive.google.*\",\n \"*docs.live.*\",\n \"*api.dropboxapi.*\",\n \"*dropboxusercontent.*\",\n \"*onedrive.*\",\n \"*4shared.*\",\n \"*.file.io\",\n \"*filebin.net\",\n \"*slack-files.com\",\n \"*ghostbin.*\",\n \"*ngrok.*\",\n \"*portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n \"requestbin.net\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n 
\"discord.com\",\n \"script.google.com\",\n \"script.googleusercontent.com\"\n ) and\n /* Insert noisy false positives here */\n not (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\BraveSoftware\\\\*\\\\Application\\\\brave.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Vivaldi\\\\Application\\\\vivaldi.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera*\\\\opera.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\"\n ) and process.code_signature.trusted == true\n ) or\n \n /* Discord App */\n (process.name : \"Discord.exe\" and (process.code_signature.subject_name : \"Discord Inc.\" and\n process.code_signature.trusted == true) and dns.question.name : (\"discord.com\", \"cdn.discordapp.com\", \"discordapp.com\")\n ) or \n\n /* MS Sharepoint */\n (process.name : \"Microsoft.SharePoint.exe\" and (process.code_signature.subject_name : \"Microsoft Corporation\" and\n process.code_signature.trusted == true) and dns.question.name : \"onedrive.live.com\"\n ) or \n\n /* Firefox */\n (process.name : \"firefox.exe\" and (process.code_signature.subject_name : \"Mozilla Corporation\" and\n process.code_signature.trusted == true)\n ) or \n\n /* Dropbox */\n (process.name : \"Dropbox.exe\" and 
(process.code_signature.subject_name : \"Dropbox, Inc\" and\n process.code_signature.trusted == true) and dns.question.name : (\"api.dropboxapi.com\", \"*.dropboxusercontent.com\")\n ) or \n\n /* Obsidian - Plugins are stored on raw.githubusercontent.com */\n (process.name : \"Obsidian.exe\" and (process.code_signature.subject_name : \"Dynalist Inc\" and\n process.code_signature.trusted == true) and dns.question.name : \"raw.githubusercontent.com\"\n ) or \n\n /* WebExperienceHostApp */\n (process.name : \"WebExperienceHostApp.exe\" and (process.code_signature.subject_name : \"Microsoft Windows\" and\n process.code_signature.trusted == true) and dns.question.name : (\"onedrive.live.com\", \"skyapi.onedrive.live.com\")\n )\n ) \n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1102", "name": "Web Service", "reference": "https://attack.mitre.org/techniques/T1102/"}, {"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": 
[{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1567", "name": "Exfiltration Over Web Service", "reference": "https://attack.mitre.org/techniques/T1567/", "subtechnique": [{"id": "T1567.001", "name": "Exfiltration to Code Repository", "reference": "https://attack.mitre.org/techniques/T1567/001/"}, {"id": "T1567.002", "name": "Exfiltration to Cloud Storage", "reference": "https://attack.mitre.org/techniques/T1567/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "66883649-f908-4a5b-a1e0-54090a1d3a32_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_111.json b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_111.json
deleted file mode 100644
index 78c8d19c944..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.", "from": "now-9m", "index": ["logs-endpoint.events.network-*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Web Services", "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network 
Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with 
legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"github.com\",\n \"pastebin.*\",\n \"paste4btc.com\",\n \"paste.ee\",\n \"ghostbin.com\",\n \"drive.google.com\",\n \"?.docs.live.net\",\n \"api.dropboxapi.*\",\n \"content.dropboxapi.*\",\n \"dl.dropboxusercontent.*\",\n \"api.onedrive.com\",\n \"*.onedrive.org\",\n \"onedrive.live.com\",\n \"filebin.net\",\n \"*.ngrok.io\",\n \"ngrok.com\",\n \"*.portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n 
\"controlc.com\",\n \"requestbin.net\",\n \"slack.com\",\n \"api.slack.com\",\n \"slack-redir.net\",\n \"slack-files.com\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\",\n \"apis.azureedge.net\",\n \"cdn.sql.gg\",\n \"?.top4top.io\",\n \"top4top.io\",\n \"www.uplooder.net\",\n \"*.cdnmegafiles.com\",\n \"transfer.sh\",\n \"gofile.io\",\n \"updates.peer2profit.com\",\n \"api.telegram.org\",\n \"t.me\",\n \"meacz.gq\",\n \"rwrd.org\",\n \"*.publicvm.com\",\n \"*.blogspot.com\",\n \"api.mylnikov.org\",\n \"file.io\",\n \"stackoverflow.com\",\n \"*files.1drv.com\",\n \"api.anonfile.com\",\n \"*hosting-profi.de\",\n \"ipbase.com\",\n \"ipfs.io\",\n \"*up.freeo*.space\",\n \"api.mylnikov.org\",\n \"script.google.com\",\n \"script.googleusercontent.com\",\n \"api.notion.com\",\n \"graph.microsoft.com\",\n \"*.sharepoint.com\",\n \"mbasic.facebook.com\",\n \"login.live.com\",\n \"api.gofile.io\",\n \"api.anonfiles.com\",\n \"api.notion.com\",\n \"api.trello.com\",\n \"gist.githubusercontent.com\",\n \"files.pythonhosted.org\",\n \"g.live.com\",\n \"*.zulipchat.com\",\n \"graph.microsoft.com\") and \n \n /* Insert noisy false positives here */\n not (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\BraveSoftware\\\\*\\\\Application\\\\brave.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Vivaldi\\\\Application\\\\vivaldi.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera*\\\\opera.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n 
\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\"\n ) and process.code_signature.trusted == true\n ) or\n \n /* Discord App */\n (process.name : \"Discord.exe\" and (process.code_signature.subject_name : \"Discord Inc.\" and\n process.code_signature.trusted == true) and dns.question.name : (\"discord.com\", \"cdn.discordapp.com\", \"discordapp.com\")\n ) or \n\n /* MS Sharepoint */\n (process.name : \"Microsoft.SharePoint.exe\" and (process.code_signature.subject_name : \"Microsoft Corporation\" and\n process.code_signature.trusted == true) and dns.question.name : \"onedrive.live.com\"\n ) or \n\n /* Firefox */\n (process.name : \"firefox.exe\" and (process.code_signature.subject_name : \"Mozilla Corporation\" and\n process.code_signature.trusted == true)\n ) or \n\n /* Dropbox */\n (process.name : \"Dropbox.exe\" and (process.code_signature.subject_name : \"Dropbox, Inc\" and\n process.code_signature.trusted == true) and dns.question.name : (\"api.dropboxapi.com\", \"*.dropboxusercontent.com\")\n ) or \n\n /* Obsidian - Plugins are stored on raw.githubusercontent.com */\n (process.name : \"Obsidian.exe\" and (process.code_signature.subject_name : \"Dynalist Inc\" and\n process.code_signature.trusted == true) and dns.question.name : \"raw.githubusercontent.com\"\n ) or \n\n /* WebExperienceHostApp */\n (process.name : \"WebExperienceHostApp.exe\" and (process.code_signature.subject_name : \"Microsoft Windows\" and\n process.code_signature.trusted == true) and dns.question.name : (\"onedrive.live.com\", \"skyapi.onedrive.live.com\")\n )\n ) \n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": 
"keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1102", "name": "Web Service", "reference": "https://attack.mitre.org/techniques/T1102/"}, {"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1567", "name": "Exfiltration Over Web Service", "reference": "https://attack.mitre.org/techniques/T1567/", "subtechnique": [{"id": "T1567.001", "name": "Exfiltration to Code Repository", "reference": "https://attack.mitre.org/techniques/T1567/001/"}, {"id": "T1567.002", "name": "Exfiltration to Cloud Storage", "reference": "https://attack.mitre.org/techniques/T1567/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "66883649-f908-4a5b-a1e0-54090a1d3a32_111", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_112.json b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_112.json
deleted file mode 100644
index a65b9ac7192..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_112.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.", "from": "now-9m", "index": ["logs-endpoint.events.network-*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Web Services", "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network 
Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with 
legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"pastebin.*\",\n \"paste4btc.com\",\n \"paste.ee\",\n \"ghostbin.com\",\n \"drive.google.com\",\n \"?.docs.live.net\",\n \"api.dropboxapi.*\",\n \"content.dropboxapi.*\",\n \"dl.dropboxusercontent.*\",\n \"api.onedrive.com\",\n \"*.onedrive.org\",\n \"onedrive.live.com\",\n \"filebin.net\",\n \"*.ngrok.io\",\n \"ngrok.com\",\n \"*.portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n 
\"requestbin.net\",\n \"slack.com\",\n \"api.slack.com\",\n \"slack-redir.net\",\n \"slack-files.com\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\",\n \"apis.azureedge.net\",\n \"cdn.sql.gg\",\n \"?.top4top.io\",\n \"top4top.io\",\n \"www.uplooder.net\",\n \"*.cdnmegafiles.com\",\n \"transfer.sh\",\n \"gofile.io\",\n \"updates.peer2profit.com\",\n \"api.telegram.org\",\n \"t.me\",\n \"meacz.gq\",\n \"rwrd.org\",\n \"*.publicvm.com\",\n \"*.blogspot.com\",\n \"api.mylnikov.org\",\n \"file.io\",\n \"stackoverflow.com\",\n \"*files.1drv.com\",\n \"api.anonfile.com\",\n \"*hosting-profi.de\",\n \"ipbase.com\",\n \"ipfs.io\",\n \"*up.freeo*.space\",\n \"api.mylnikov.org\",\n \"script.google.com\",\n \"script.googleusercontent.com\",\n \"api.notion.com\",\n \"graph.microsoft.com\",\n \"*.sharepoint.com\",\n \"mbasic.facebook.com\",\n \"login.live.com\",\n \"api.gofile.io\",\n \"api.anonfiles.com\",\n \"api.notion.com\",\n \"api.trello.com\",\n \"gist.githubusercontent.com\",\n \"files.pythonhosted.org\",\n \"g.live.com\",\n \"*.zulipchat.com\") and\n \n /* Insert noisy false positives here */\n not (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\BraveSoftware\\\\*\\\\Application\\\\brave.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Vivaldi\\\\Application\\\\vivaldi.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera*\\\\opera.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS 
Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\"\n )\n ) or\n \n /* Discord App */\n (process.name : \"Discord.exe\" and (process.code_signature.subject_name : \"Discord Inc.\" and\n process.code_signature.trusted == true) and dns.question.name : (\"discord.com\", \"cdn.discordapp.com\", \"discordapp.com\")\n ) or \n\n /* MS Sharepoint */\n (process.name : \"Microsoft.SharePoint.exe\" and (process.code_signature.subject_name : \"Microsoft Corporation\" and\n process.code_signature.trusted == true) and dns.question.name : \"onedrive.live.com\"\n ) or \n\n /* Firefox */\n (process.name : \"firefox.exe\" and (process.code_signature.subject_name : \"Mozilla Corporation\" and\n process.code_signature.trusted == true)\n ) or \n\n /* Dropbox */\n (process.name : \"Dropbox.exe\" and (process.code_signature.subject_name : \"Dropbox, Inc\" and\n process.code_signature.trusted == true) and dns.question.name : (\"api.dropboxapi.com\", \"*.dropboxusercontent.com\")\n ) or \n\n /* Obsidian - Plugins are stored on raw.githubusercontent.com */\n (process.name : \"Obsidian.exe\" and (process.code_signature.subject_name : \"Dynalist Inc\" and\n process.code_signature.trusted == true) and dns.question.name : \"raw.githubusercontent.com\"\n ) or \n\n /* WebExperienceHostApp */\n (process.name : \"WebExperienceHostApp.exe\" and (process.code_signature.subject_name : \"Microsoft Windows\" and\n process.code_signature.trusted == true) and dns.question.name : (\"onedrive.live.com\", \"skyapi.onedrive.live.com\")\n ) or\n\n (process.code_signature.subject_name : \"Microsoft *\" and process.code_signature.trusted == true and\n dns.question.name : (\"*.sharepoint.com\", \"graph.microsoft.com\", \"g.live.com\", \"login.live.com\", \"login.live.com\")) or\n\n (process.code_signature.trusted == true and\n process.code_signature.subject_name :\n 
(\"Johannes Schindelin\",\n \"Redis Inc.\",\n \"Slack Technologies, LLC\",\n \"Cisco Systems, Inc.\",\n \"Dropbox, Inc\",\n \"Amazon.com Services LLC\"))\n ) \n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1102", "name": "Web Service", "reference": "https://attack.mitre.org/techniques/T1102/"}, {"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1567", "name": "Exfiltration Over Web Service", "reference": "https://attack.mitre.org/techniques/T1567/", "subtechnique": [{"id": "T1567.001", "name": "Exfiltration to Code Repository", "reference": "https://attack.mitre.org/techniques/T1567/001/"}, {"id": "T1567.002", "name": 
"Exfiltration to Cloud Storage", "reference": "https://attack.mitre.org/techniques/T1567/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "66883649-f908-4a5b-a1e0-54090a1d3a32_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_113.json b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_113.json deleted file mode 100644 index cd0009d7159..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_113.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.", "from": "now-9m", "index": ["logs-endpoint.events.network-*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Web Services", "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network 
Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with 
legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"pastebin.*\",\n \"paste4btc.com\",\n \"paste.ee\",\n \"ghostbin.com\",\n \"drive.google.com\",\n \"?.docs.live.net\",\n \"api.dropboxapi.*\",\n \"content.dropboxapi.*\",\n \"dl.dropboxusercontent.*\",\n \"api.onedrive.com\",\n \"*.onedrive.org\",\n \"onedrive.live.com\",\n \"filebin.net\",\n \"*.ngrok.io\",\n \"ngrok.com\",\n \"*.portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n 
\"requestbin.net\",\n \"slack.com\",\n \"api.slack.com\",\n \"slack-redir.net\",\n \"slack-files.com\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\",\n \"apis.azureedge.net\",\n \"cdn.sql.gg\",\n \"?.top4top.io\",\n \"top4top.io\",\n \"www.uplooder.net\",\n \"*.cdnmegafiles.com\",\n \"transfer.sh\",\n \"gofile.io\",\n \"updates.peer2profit.com\",\n \"api.telegram.org\",\n \"t.me\",\n \"meacz.gq\",\n \"rwrd.org\",\n \"*.publicvm.com\",\n \"*.blogspot.com\",\n \"api.mylnikov.org\",\n \"file.io\",\n \"stackoverflow.com\",\n \"*files.1drv.com\",\n \"api.anonfile.com\",\n \"*hosting-profi.de\",\n \"ipbase.com\",\n \"ipfs.io\",\n \"*up.freeo*.space\",\n \"api.mylnikov.org\",\n \"script.google.com\",\n \"script.googleusercontent.com\",\n \"api.notion.com\",\n \"graph.microsoft.com\",\n \"*.sharepoint.com\",\n \"mbasic.facebook.com\",\n \"login.live.com\",\n \"api.gofile.io\",\n \"api.anonfiles.com\",\n \"api.notion.com\",\n \"api.trello.com\",\n \"gist.githubusercontent.com\",\n \"files.pythonhosted.org\",\n \"g.live.com\",\n \"*.zulipchat.com\",\n \"webhook.site\",\n \"run.mocky.io\",\n \"mockbin.org\") and\n \n /* Insert noisy false positives here */\n not (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\BraveSoftware\\\\*\\\\Application\\\\brave.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Vivaldi\\\\Application\\\\vivaldi.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera*\\\\opera.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n 
\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\"\n )\n ) or\n \n /* Discord App */\n (process.name : \"Discord.exe\" and (process.code_signature.subject_name : \"Discord Inc.\" and\n process.code_signature.trusted == true) and dns.question.name : (\"discord.com\", \"cdn.discordapp.com\", \"discordapp.com\")\n ) or \n\n /* MS Sharepoint */\n (process.name : \"Microsoft.SharePoint.exe\" and (process.code_signature.subject_name : \"Microsoft Corporation\" and\n process.code_signature.trusted == true) and dns.question.name : \"onedrive.live.com\"\n ) or \n\n /* Firefox */\n (process.name : \"firefox.exe\" and (process.code_signature.subject_name : \"Mozilla Corporation\" and\n process.code_signature.trusted == true)\n ) or \n\n /* Dropbox */\n (process.name : \"Dropbox.exe\" and (process.code_signature.subject_name : \"Dropbox, Inc\" and\n process.code_signature.trusted == true) and dns.question.name : (\"api.dropboxapi.com\", \"*.dropboxusercontent.com\")\n ) or \n\n /* Obsidian - Plugins are stored on raw.githubusercontent.com */\n (process.name : \"Obsidian.exe\" and (process.code_signature.subject_name : \"Dynalist Inc\" and\n process.code_signature.trusted == true) and dns.question.name : \"raw.githubusercontent.com\"\n ) or \n\n /* WebExperienceHostApp */\n (process.name : \"WebExperienceHostApp.exe\" and (process.code_signature.subject_name : \"Microsoft Windows\" and\n process.code_signature.trusted == true) and dns.question.name : (\"onedrive.live.com\", \"skyapi.onedrive.live.com\")\n ) or\n\n (process.code_signature.subject_name : \"Microsoft *\" and process.code_signature.trusted == true and\n dns.question.name : (\"*.sharepoint.com\", \"graph.microsoft.com\", \"g.live.com\", \"login.live.com\", \"login.live.com\")) or\n\n 
(process.code_signature.trusted == true and\n process.code_signature.subject_name :\n (\"Johannes Schindelin\",\n \"Redis Inc.\",\n \"Slack Technologies, LLC\",\n \"Cisco Systems, Inc.\",\n \"Dropbox, Inc\",\n \"Amazon.com Services LLC\"))\n ) \n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1102", "name": "Web Service", "reference": "https://attack.mitre.org/techniques/T1102/"}, {"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1567", "name": "Exfiltration Over Web Service", "reference": "https://attack.mitre.org/techniques/T1567/", "subtechnique": [{"id": "T1567.001", "name": "Exfiltration to Code Repository", "reference": 
"https://attack.mitre.org/techniques/T1567/001/"}, {"id": "T1567.002", "name": "Exfiltration to Cloud Storage", "reference": "https://attack.mitre.org/techniques/T1567/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "66883649-f908-4a5b-a1e0-54090a1d3a32_113", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_114.json b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_114.json
deleted file mode 100644
index 092f12e2971..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_114.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.", "from": "now-9m", "index": ["logs-endpoint.events.network-*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Web Services", "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network 
Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with 
legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"pastebin.*\",\n \"paste4btc.com\",\n \"paste.ee\",\n \"ghostbin.com\",\n \"drive.google.com\",\n \"?.docs.live.net\",\n \"api.dropboxapi.*\",\n \"content.dropboxapi.*\",\n \"dl.dropboxusercontent.*\",\n \"api.onedrive.com\",\n \"*.onedrive.org\",\n \"onedrive.live.com\",\n \"filebin.net\",\n \"*.ngrok.io\",\n \"ngrok.com\",\n \"*.portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n 
\"requestbin.net\",\n \"slack.com\",\n \"api.slack.com\",\n \"slack-redir.net\",\n \"slack-files.com\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\",\n \"apis.azureedge.net\",\n \"cdn.sql.gg\",\n \"?.top4top.io\",\n \"top4top.io\",\n \"www.uplooder.net\",\n \"*.cdnmegafiles.com\",\n \"transfer.sh\",\n \"gofile.io\",\n \"updates.peer2profit.com\",\n \"api.telegram.org\",\n \"t.me\",\n \"meacz.gq\",\n \"rwrd.org\",\n \"*.publicvm.com\",\n \"*.blogspot.com\",\n \"api.mylnikov.org\",\n \"file.io\",\n \"stackoverflow.com\",\n \"*files.1drv.com\",\n \"api.anonfile.com\",\n \"*hosting-profi.de\",\n \"ipbase.com\",\n \"ipfs.io\",\n \"*up.freeo*.space\",\n \"api.mylnikov.org\",\n \"script.google.com\",\n \"script.googleusercontent.com\",\n \"api.notion.com\",\n \"graph.microsoft.com\",\n \"*.sharepoint.com\",\n \"mbasic.facebook.com\",\n \"login.live.com\",\n \"api.gofile.io\",\n \"api.anonfiles.com\",\n \"api.notion.com\",\n \"api.trello.com\",\n \"gist.githubusercontent.com\",\n \"files.pythonhosted.org\",\n \"g.live.com\",\n \"*.zulipchat.com\",\n \"webhook.site\",\n \"run.mocky.io\",\n \"mockbin.org\", \n \"www.googleapis.com\", \n \"googleapis.com\") and\n \n /* Insert noisy false positives here */\n not (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\BraveSoftware\\\\*\\\\Application\\\\brave.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Vivaldi\\\\Application\\\\vivaldi.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera*\\\\opera.exe\",\n 
\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\"\n )\n ) or\n \n /* Discord App */\n (process.name : \"Discord.exe\" and (process.code_signature.subject_name : \"Discord Inc.\" and\n process.code_signature.trusted == true) and dns.question.name : (\"discord.com\", \"cdn.discordapp.com\", \"discordapp.com\")\n ) or \n\n /* MS Sharepoint */\n (process.name : \"Microsoft.SharePoint.exe\" and (process.code_signature.subject_name : \"Microsoft Corporation\" and\n process.code_signature.trusted == true) and dns.question.name : \"onedrive.live.com\"\n ) or \n\n /* Firefox */\n (process.name : \"firefox.exe\" and (process.code_signature.subject_name : \"Mozilla Corporation\" and\n process.code_signature.trusted == true)\n ) or \n\n /* Dropbox */\n (process.name : \"Dropbox.exe\" and (process.code_signature.subject_name : \"Dropbox, Inc\" and\n process.code_signature.trusted == true) and dns.question.name : (\"api.dropboxapi.com\", \"*.dropboxusercontent.com\")\n ) or \n\n /* Obsidian - Plugins are stored on raw.githubusercontent.com */\n (process.name : \"Obsidian.exe\" and (process.code_signature.subject_name : \"Dynalist Inc\" and\n process.code_signature.trusted == true) and dns.question.name : \"raw.githubusercontent.com\"\n ) or \n\n /* WebExperienceHostApp */\n (process.name : \"WebExperienceHostApp.exe\" and (process.code_signature.subject_name : \"Microsoft Windows\" and\n process.code_signature.trusted == true) and dns.question.name : (\"onedrive.live.com\", \"skyapi.onedrive.live.com\")\n ) or\n\n (process.code_signature.subject_name : \"Microsoft *\" and process.code_signature.trusted == true and\n dns.question.name : (\"*.sharepoint.com\", \"graph.microsoft.com\", 
\"g.live.com\", \"login.live.com\", \"login.live.com\")) or\n\n (process.code_signature.trusted == true and\n process.code_signature.subject_name :\n (\"Johannes Schindelin\",\n \"Redis Inc.\",\n \"Slack Technologies, LLC\",\n \"Cisco Systems, Inc.\",\n \"Dropbox, Inc\",\n \"Amazon.com Services LLC\"))\n ) \n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1102", "name": "Web Service", "reference": "https://attack.mitre.org/techniques/T1102/"}, {"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1567", "name": "Exfiltration Over Web Service", "reference": "https://attack.mitre.org/techniques/T1567/", "subtechnique": [{"id": 
"T1567.001", "name": "Exfiltration to Code Repository", "reference": "https://attack.mitre.org/techniques/T1567/001/"}, {"id": "T1567.002", "name": "Exfiltration to Cloud Storage", "reference": "https://attack.mitre.org/techniques/T1567/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 114}, "id": "66883649-f908-4a5b-a1e0-54090a1d3a32_114", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_115.json b/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_115.json
deleted file mode 100644
index f0a8e17dc9c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/66883649-f908-4a5b-a1e0-54090a1d3a32_115.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may implement command and control (C2) communications that use common web services to hide their activity. This attack technique is typically targeted at an organization and uses web services common to the victim network, which allows the adversary to blend into legitimate traffic activity. These popular services are typically targeted since they have most likely been used before compromise, which helps malicious traffic blend in.", "from": "now-9m", "index": ["logs-endpoint.events.network-*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Web Services", "note": "## Triage and analysis\n\n### Investigating Connection to Commonly Abused Web Services\n\nAdversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise.\n\nThis rule looks for processes outside known legitimate program locations communicating with a list of services that can be abused for exfiltration or command and control.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Verify whether the digital signature exists in the executable.\n- Identify the operation type (upload, download, tunneling, etc.).\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network 
Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives because it detects communication with 
legitimate services. Noisy false positives can be added as exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n process.name != null and user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n /* Add new WebSvc domains here */\n dns.question.name :\n (\n \"raw.githubusercontent.*\",\n \"pastebin.*\",\n \"paste4btc.com\",\n \"paste.ee\",\n \"ghostbin.com\",\n \"drive.google.com\",\n \"?.docs.live.net\",\n \"api.dropboxapi.*\",\n \"content.dropboxapi.*\",\n \"dl.dropboxusercontent.*\",\n \"api.onedrive.com\",\n \"*.onedrive.org\",\n \"onedrive.live.com\",\n \"filebin.net\",\n \"*.ngrok.io\",\n \"ngrok.com\",\n \"*.portmap.*\",\n \"*serveo.net\",\n \"*localtunnel.me\",\n \"*pagekite.me\",\n \"*localxpose.io\",\n \"*notabug.org\",\n \"rawcdn.githack.*\",\n \"paste.nrecom.net\",\n \"zerobin.net\",\n \"controlc.com\",\n 
\"requestbin.net\",\n \"slack.com\",\n \"api.slack.com\",\n \"slack-redir.net\",\n \"slack-files.com\",\n \"cdn.discordapp.com\",\n \"discordapp.com\",\n \"discord.com\",\n \"apis.azureedge.net\",\n \"cdn.sql.gg\",\n \"?.top4top.io\",\n \"top4top.io\",\n \"www.uplooder.net\",\n \"*.cdnmegafiles.com\",\n \"transfer.sh\",\n \"gofile.io\",\n \"updates.peer2profit.com\",\n \"api.telegram.org\",\n \"t.me\",\n \"meacz.gq\",\n \"rwrd.org\",\n \"*.publicvm.com\",\n \"*.blogspot.com\",\n \"api.mylnikov.org\",\n \"file.io\",\n \"stackoverflow.com\",\n \"*files.1drv.com\",\n \"api.anonfile.com\",\n \"*hosting-profi.de\",\n \"ipbase.com\",\n \"ipfs.io\",\n \"*up.freeo*.space\",\n \"api.mylnikov.org\",\n \"script.google.com\",\n \"script.googleusercontent.com\",\n \"api.notion.com\",\n \"graph.microsoft.com\",\n \"*.sharepoint.com\",\n \"mbasic.facebook.com\",\n \"login.live.com\",\n \"api.gofile.io\",\n \"api.anonfiles.com\",\n \"api.notion.com\",\n \"api.trello.com\",\n \"gist.githubusercontent.com\",\n \"files.pythonhosted.org\",\n \"g.live.com\",\n \"*.zulipchat.com\",\n \"webhook.site\",\n \"run.mocky.io\",\n \"mockbin.org\", \n \"www.googleapis.com\", \n \"googleapis.com\",\n \"global.rel.tunnels.api.visualstudio.com\",\n \"*.devtunnels.ms\") and\n \n /* Insert noisy false positives here */\n not (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\WWAHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\BraveSoftware\\\\*\\\\Application\\\\brave.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Vivaldi\\\\Application\\\\vivaldi.exe\",\n 
\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera*\\\\opera.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Fiddler\\\\Fiddler.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\",\n \"?:\\\\Windows\\\\system32\\\\mobsync.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mobsync.exe\"\n )\n ) or\n \n /* Discord App */\n (process.name : \"Discord.exe\" and (process.code_signature.subject_name : \"Discord Inc.\" and\n process.code_signature.trusted == true) and dns.question.name : (\"discord.com\", \"cdn.discordapp.com\", \"discordapp.com\")\n ) or \n\n /* MS Sharepoint */\n (process.name : \"Microsoft.SharePoint.exe\" and (process.code_signature.subject_name : \"Microsoft Corporation\" and\n process.code_signature.trusted == true) and dns.question.name : \"onedrive.live.com\"\n ) or \n\n /* Firefox */\n (process.name : \"firefox.exe\" and (process.code_signature.subject_name : \"Mozilla Corporation\" and\n process.code_signature.trusted == true)\n ) or \n\n /* Dropbox */\n (process.name : \"Dropbox.exe\" and (process.code_signature.subject_name : \"Dropbox, Inc\" and\n process.code_signature.trusted == true) and dns.question.name : (\"api.dropboxapi.com\", \"*.dropboxusercontent.com\")\n ) or \n\n /* Obsidian - Plugins are stored on raw.githubusercontent.com */\n (process.name : \"Obsidian.exe\" and (process.code_signature.subject_name : \"Dynalist Inc\" and\n process.code_signature.trusted == true) and dns.question.name : \"raw.githubusercontent.com\"\n ) or \n\n /* WebExperienceHostApp */\n (process.name : \"WebExperienceHostApp.exe\" and (process.code_signature.subject_name : \"Microsoft Windows\" and\n process.code_signature.trusted == true) and dns.question.name : (\"onedrive.live.com\", \"skyapi.onedrive.live.com\")\n ) or\n\n (process.code_signature.subject_name : \"Microsoft *\" and process.code_signature.trusted == 
true and\n dns.question.name : (\"*.sharepoint.com\", \"graph.microsoft.com\", \"g.live.com\", \"login.live.com\", \"login.live.com\")) or\n\n (process.code_signature.trusted == true and\n process.code_signature.subject_name :\n (\"Johannes Schindelin\",\n \"Redis Inc.\",\n \"Slack Technologies, LLC\",\n \"Cisco Systems, Inc.\",\n \"Dropbox, Inc\",\n \"Amazon.com Services LLC\"))\n ) \n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "66883649-f908-4a5b-a1e0-54090a1d3a32", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1102", "name": "Web Service", "reference": "https://attack.mitre.org/techniques/T1102/"}, {"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1567", "name": "Exfiltration Over Web Service", 
"reference": "https://attack.mitre.org/techniques/T1567/", "subtechnique": [{"id": "T1567.001", "name": "Exfiltration to Code Repository", "reference": "https://attack.mitre.org/techniques/T1567/001/"}, {"id": "T1567.002", "name": "Exfiltration to Cloud Storage", "reference": "https://attack.mitre.org/techniques/T1567/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 115}, "id": "66883649-f908-4a5b-a1e0-54090a1d3a32_115", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/66c058f3-99f4-4d18-952b-43348f2577a0.json b/packages/security_detection_engine/kibana/security_rule/66c058f3-99f4-4d18-952b-43348f2577a0.json
deleted file mode 100644
index e3c706ea017..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/66c058f3-99f4-4d18-952b-43348f2577a0.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for potential memory dumping through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include \"truffleproc\" and \"bash-memory-dump\". This behavior should not happen by default, and should be investigated thoroughly.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Linux Process Hooking via GDB", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"gdb\" and process.args in (\"--pid\", \"-p\") and \n/* Covered by d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f */\nprocess.args != \"1\"\n", "references": ["https://github.com/controlplaneio/truffleproc", "https://github.com/hajzer/bash-memory-dump"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "66c058f3-99f4-4d18-952b-43348f2577a0", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": 
"https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.007", "name": "Proc Filesystem", "reference": "https://attack.mitre.org/techniques/T1003/007/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "66c058f3-99f4-4d18-952b-43348f2577a0", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/66c058f3-99f4-4d18-952b-43348f2577a0_1.json b/packages/security_detection_engine/kibana/security_rule/66c058f3-99f4-4d18-952b-43348f2577a0_1.json
deleted file mode 100644
index f973ee35288..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/66c058f3-99f4-4d18-952b-43348f2577a0_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors for potential memory dumping through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include \"truffleproc\" and \"bash-memory-dump\". This behavior should not happen by default, and should be investigated thoroughly.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Linux Secret Dumping via GDB", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"gdb\" and process.args in (\"--pid\", \"-p\") and \n/* Covered by d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f */\nprocess.args != \"1\"\n", "references": ["https://github.com/controlplaneio/truffleproc", "https://github.com/hajzer/bash-memory-dump"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "66c058f3-99f4-4d18-952b-43348f2577a0", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.007", "name": "Proc Filesystem", "reference": "https://attack.mitre.org/techniques/T1003/007/"}]}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "66c058f3-99f4-4d18-952b-43348f2577a0_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/66c058f3-99f4-4d18-952b-43348f2577a0_2.json b/packages/security_detection_engine/kibana/security_rule/66c058f3-99f4-4d18-952b-43348f2577a0_2.json
deleted file mode 100644
index 7432e464e52..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/66c058f3-99f4-4d18-952b-43348f2577a0_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for potential memory dumping through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include \"truffleproc\" and \"bash-memory-dump\". This behavior should not happen by default, and should be investigated thoroughly.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Linux Process Hooking via GDB", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nevent.type == \"start\" and process.name == \"gdb\" and process.args in (\"--pid\", \"-p\") and \n/* Covered by d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f */\nprocess.args != \"1\"\n", "references": ["https://github.com/controlplaneio/truffleproc", "https://github.com/hajzer/bash-memory-dump"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "66c058f3-99f4-4d18-952b-43348f2577a0", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": 
"https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.007", "name": "Proc Filesystem", "reference": "https://attack.mitre.org/techniques/T1003/007/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "66c058f3-99f4-4d18-952b-43348f2577a0_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9.json b/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9.json
deleted file mode 100644
index 6e6b87132f1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious macOS MS Office Child Process", "query": "process where event.action == \"exec\" and host.os.type == \"macos\" and\n process.parent.name: (\n \"Microsoft Word\",\n \"Microsoft Outlook\",\n \"Microsoft Excel\",\n \"Microsoft PowerPoint\",\n \"Microsoft OneNote\"\n ) and\n process.name : (\n \"curl\",\n \"nscurl\",\n \"bash\",\n \"sh\",\n \"osascript\",\n \"python*\",\n \"perl*\",\n \"mktemp\",\n \"chmod\",\n \"php\",\n \"nohup\",\n \"openssl\",\n \"plutil\",\n \"PlistBuddy\",\n \"xattr\",\n \"mktemp\",\n \"sqlite3\",\n \"funzip\",\n \"popen\"\n ) and\n\n // Filter FPs related to product version discovery and Office error reporting behavior\n not process.args:\n (\n \"ProductVersion\",\n \"hw.model\",\n \"ioreg\",\n \"ProductName\",\n \"ProductUserVisibleVersion\",\n \"ProductBuildVersion\",\n \"/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting\",\n \"open -a Safari *\",\n \"defaults read *\",\n \"sysctl hw.model*\",\n \"ioreg -d2 -c IOPlatformExpertDevice *\",\n \"ps aux | grep 'ToDesk_Desktop' | grep -v grep\",\n \"PIPE=\\\"$CFFIXED_USER_HOME/.zoteroIntegrationPipe*\"\n ) and\n\n not process.parent.executable :\n (\n \"/Applications/ToDesk.app/Contents/MacOS/ToDesk_Service\",\n \"/usr/local/Privacy-i/PISupervisor\",\n \"/Library/Addigy/lan-cache\",\n \"/Library/Elastic/Agent/*\",\n \"/opt/jc/bin/jumpcloud-agent\",\n \"/usr/sbin/networksetup\"\n ) and\n not (process.name : \"sh\" and process.command_line : \"*$CFFIXED_USER_HOME/.zoteroIntegrationPipe*\") and\n\n not 
process.Ext.effective_parent.executable : (\n \"/Applications/ToDesk.app/Contents/MacOS/ToDesk_Service\",\n \"/usr/local/Privacy-i/PISupervisor\",\n \"/Library/Addigy/auditor\",\n \"/Library/Elastic/Agent/*\",\n \"/opt/jc/bin/jumpcloud-agent\",\n \"/usr/sbin/networksetup\"\n )\n", "references": ["https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 207}, "id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_102.json b/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_102.json
deleted file mode 100644
index d8f060e5275..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious macOS MS Office Child Process", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name:(\"Microsoft Word\", \"Microsoft PowerPoint\", \"Microsoft Excel\") and\n process.name:\n (\n \"bash\",\n \"dash\",\n \"sh\",\n \"tcsh\",\n \"csh\",\n \"zsh\",\n \"ksh\",\n \"fish\",\n \"python*\",\n \"perl*\",\n \"php*\",\n \"osascript\",\n \"pwsh\",\n \"curl\",\n \"wget\",\n \"cp\",\n \"mv\",\n \"base64\",\n \"launchctl\"\n ) and\n /* noisy false positives related to product version discovery and office errors reporting */\n not process.args:\n (\n \"ProductVersion\",\n \"hw.model\",\n \"ioreg\",\n \"ProductName\",\n \"ProductUserVisibleVersion\",\n \"ProductBuildVersion\",\n \"/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting\"\n )\n", "references": ["https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Initial Access"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_103.json b/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_103.json
deleted file mode 100644
index 805261195d7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious macOS MS Office Child Process", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name:(\"Microsoft Word\", \"Microsoft PowerPoint\", \"Microsoft Excel\") and\n process.name:\n (\n \"bash\",\n \"dash\",\n \"sh\",\n \"tcsh\",\n \"csh\",\n \"zsh\",\n \"ksh\",\n \"fish\",\n \"python*\",\n \"perl*\",\n \"php*\",\n \"osascript\",\n \"pwsh\",\n \"curl\",\n \"wget\",\n \"cp\",\n \"mv\",\n \"base64\",\n \"launchctl\"\n ) and\n /* noisy false positives related to product version discovery and office errors reporting */\n not process.args:\n (\n \"ProductVersion\",\n \"hw.model\",\n \"ioreg\",\n \"ProductName\",\n \"ProductUserVisibleVersion\",\n \"ProductBuildVersion\",\n \"/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting\"\n )\n", "references": ["https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial 
Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_104.json b/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_104.json
deleted file mode 100644
index f8f90c50b2a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious macOS MS Office Child Process", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name:(\"Microsoft Word\", \"Microsoft PowerPoint\", \"Microsoft Excel\") and\n process.name:\n (\n \"bash\",\n \"dash\",\n \"sh\",\n \"tcsh\",\n \"csh\",\n \"zsh\",\n \"ksh\",\n \"fish\",\n \"python*\",\n \"perl*\",\n \"php*\",\n \"osascript\",\n \"pwsh\",\n \"curl\",\n \"wget\",\n \"cp\",\n \"mv\",\n \"base64\",\n \"launchctl\"\n ) and\n /* noisy false positives related to product version discovery and office errors reporting */\n not process.args:\n (\n \"ProductVersion\",\n \"hw.model\",\n \"ioreg\",\n \"ProductName\",\n \"ProductUserVisibleVersion\",\n \"ProductBuildVersion\",\n \"/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting\"\n )\n", "references": ["https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial 
Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_105.json b/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_105.json
deleted file mode 100644
index 575b6195d85..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious macOS MS Office Child Process", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name:(\"Microsoft Word\", \"Microsoft PowerPoint\", \"Microsoft Excel\") and\n process.name:\n (\n \"bash\",\n \"dash\",\n \"sh\",\n \"tcsh\",\n \"csh\",\n \"zsh\",\n \"ksh\",\n \"fish\",\n \"python*\",\n \"perl*\",\n \"php*\",\n \"osascript\",\n \"pwsh\",\n \"curl\",\n \"wget\",\n \"cp\",\n \"mv\",\n \"base64\",\n \"launchctl\"\n ) and\n /* noisy false positives related to product version discovery and office errors reporting */\n not process.args:\n (\n \"ProductVersion\",\n \"hw.model\",\n \"ioreg\",\n \"ProductName\",\n \"ProductUserVisibleVersion\",\n \"ProductBuildVersion\",\n \"/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting\"\n )\n", "references": ["https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration 
Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_106.json b/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_106.json
deleted file mode 100644
index dd1c1d35d60..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious macOS MS Office Child Process", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.parent.name:(\"Microsoft Word\", \"Microsoft PowerPoint\", \"Microsoft Excel\") and\n process.name:\n (\n \"bash\",\n \"dash\",\n \"sh\",\n \"tcsh\",\n \"csh\",\n \"zsh\",\n \"ksh\",\n \"fish\",\n \"python*\",\n \"perl*\",\n \"php*\",\n \"osascript\",\n \"pwsh\",\n \"curl\",\n \"wget\",\n \"cp\",\n \"mv\",\n \"base64\",\n \"launchctl\"\n ) and\n /* noisy false positives related to product version discovery and office errors reporting */\n not process.args:\n (\n \"ProductVersion\",\n \"hw.model\",\n \"ioreg\",\n \"ProductName\",\n \"ProductUserVisibleVersion\",\n \"ProductBuildVersion\",\n \"/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting\"\n )\n", "references": ["https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration 
Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_206.json b/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_206.json
deleted file mode 100644
index 2c75880466f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/66da12b1-ac83-40eb-814c-07ed1d82b7b9_206.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious macOS MS Office Child Process", "query": "process where event.action == \"exec\" and\n process.parent.name: (\n \"Microsoft Word\",\n \"Microsoft Outlook\",\n \"Microsoft Excel\",\n \"Microsoft PowerPoint\",\n \"Microsoft OneNote\"\n ) and\n process.name : (\n \"curl\",\n \"nscurl\",\n \"bash\",\n \"sh\",\n \"osascript\",\n \"python*\",\n \"perl*\",\n \"mktemp\",\n \"chmod\",\n \"php\",\n \"nohup\",\n \"openssl\",\n \"plutil\",\n \"PlistBuddy\",\n \"xattr\",\n \"mktemp\",\n \"sqlite3\",\n \"funzip\",\n \"popen\"\n ) and\n\n // Filter FPs related to product version discovery and Office error reporting behavior\n not process.args:\n (\n \"ProductVersion\",\n \"hw.model\",\n \"ioreg\",\n \"ProductName\",\n \"ProductUserVisibleVersion\",\n \"ProductBuildVersion\",\n \"/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting\",\n \"open -a Safari *\",\n \"defaults read *\",\n \"sysctl hw.model*\",\n \"ioreg -d2 -c IOPlatformExpertDevice *\",\n \"ps aux | grep 'ToDesk_Desktop' | grep -v grep\",\n \"PIPE=\\\"$CFFIXED_USER_HOME/.zoteroIntegrationPipe*\"\n ) and\n\n not process.parent.executable :\n (\n \"/Applications/ToDesk.app/Contents/MacOS/ToDesk_Service\",\n \"/usr/local/Privacy-i/PISupervisor\",\n \"/Library/Addigy/lan-cache\",\n \"/Library/Elastic/Agent/*\",\n \"/opt/jc/bin/jumpcloud-agent\",\n \"/usr/sbin/networksetup\"\n ) and\n not (process.name : \"sh\" and process.command_line : \"*$CFFIXED_USER_HOME/.zoteroIntegrationPipe*\") and\n\n not 
process.Ext.effective_parent.executable : (\n \"/Applications/ToDesk.app/Contents/MacOS/ToDesk_Service\",\n \"/usr/local/Privacy-i/PISupervisor\",\n \"/Library/Addigy/auditor\",\n \"/Library/Elastic/Agent/*\",\n \"/opt/jc/bin/jumpcloud-agent\",\n \"/usr/sbin/networksetup\"\n )\n", "references": ["https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 206}, "id": "66da12b1-ac83-40eb-814c-07ed1d82b7b9_206", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313.json b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313.json
deleted file mode 100644
index f532fabee5c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of the msPKIAccountCredentials", "query": "event.action:(\"Directory Service Changes\" or \"directory-service-object-modified\") and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msPKIAccountCredentials\" and winlog.event_data.OperationType:\"%%14674\" and\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\"\n", "references": ["https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.OperationType", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 47, "rule_id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit 
Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Data Source: Active Directory", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 11}, "id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_10.json b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_10.json
deleted file mode 100644
index 21b4111a3a2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_10.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of the msPKIAccountCredentials", "query": "event.action:(\"Directory Service Changes\" or \"directory-service-object-modified\") and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msPKIAccountCredentials\" and winlog.event_data.OperationType:\"%%14674\" and\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\"\n", "references": ["https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.OperationType", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 47, "rule_id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit 
Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Data Source: Active Directory", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 10}, "id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313_10", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_11.json b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_11.json
deleted file mode 100644
index c28ec1dd876..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_11.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of the msPKIAccountCredentials", "query": "event.action:(\"Directory Service Changes\" or \"directory-service-object-modified\") and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msPKIAccountCredentials\" and winlog.event_data.OperationType:\"%%14674\" and\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\"\n", "references": ["https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.OperationType", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 47, "rule_id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit 
Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Data Source: Active Directory", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 11}, "id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313_11", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_12.json b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_12.json
deleted file mode 100644
index 3214b5feab1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_12.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of the msPKIAccountCredentials", "query": "event.action:(\"Directory Service Changes\" or \"directory-service-object-modified\") and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msPKIAccountCredentials\" and winlog.event_data.OperationType:\"%%14674\" and\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\"\n", "references": ["https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.OperationType", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 47, "rule_id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit 
Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Data Source: Active Directory", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 12}, "id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313_12", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_4.json b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_4.json deleted file mode 100644 index c9da2497ea6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of the msPKIAccountCredentials", "note": "", "query": "event.action:\"Directory Service Changes\" and host.os.type:windows and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msPKIAccountCredentials\" and winlog.event_data.OperationType:\"%%14674\" and\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\"\n", "references": ["https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.OperationType", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 47, "rule_id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313", "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the 
logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Active Directory", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_5.json b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_5.json deleted file mode 100644 index fb0ebdad4a3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of the msPKIAccountCredentials", "note": "", "query": "event.action:\"Directory Service Changes\" and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msPKIAccountCredentials\" and winlog.event_data.OperationType:\"%%14674\" and\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\"\n", "references": ["https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.OperationType", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 47, "rule_id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313", "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration 
>\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Active Directory", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_6.json b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_6.json deleted file mode 100644 index 55ce431718a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of the msPKIAccountCredentials", "note": "", "query": "event.action:\"Directory Service Changes\" and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msPKIAccountCredentials\" and winlog.event_data.OperationType:\"%%14674\" and\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\"\n", "references": ["https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.OperationType", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 47, "rule_id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313", "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration 
>\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Data Source: Active Directory", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 6}, "id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_7.json b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_7.json deleted file mode 100644 index 434eab8dd26..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of the msPKIAccountCredentials", "note": "", "query": "event.action:\"Directory Service Changes\" and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msPKIAccountCredentials\" and winlog.event_data.OperationType:\"%%14674\" and\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\"\n", "references": ["https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.OperationType", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 47, "rule_id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313", "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration 
>\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Data Source: Active Directory", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 7}, "id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_8.json b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_8.json deleted file mode 100644 index bc9b70fe541..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of the msPKIAccountCredentials", "query": "event.action:\"Directory Service Changes\" and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msPKIAccountCredentials\" and winlog.event_data.OperationType:\"%%14674\" and\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\"\n", "references": ["https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.OperationType", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 47, "rule_id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313", "setup": "\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies 
>\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Data Source: Active Directory", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 8}, "id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313_8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_9.json b/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_9.json deleted file mode 100644 index f69f2b2b641..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/670b3b5a-35e5-42db-bd36-6c5b9b4b7313_9.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identify the modification of the msPKIAccountCredentials attribute in an Active Directory User Object. Attackers can abuse the credentials roaming feature to overwrite an arbitrary file for privilege escalation. ms-PKI-AccountCredentials contains binary large objects (BLOBs) of encrypted credential objects from the credential manager store, private keys, certificates, and certificate requests.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of the msPKIAccountCredentials", "query": "event.action:\"Directory Service Changes\" and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msPKIAccountCredentials\" and winlog.event_data.OperationType:\"%%14674\" and\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\"\n", "references": ["https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.OperationType", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 47, "rule_id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration 
>\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Data Source: Active Directory", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 9}, "id": "670b3b5a-35e5-42db-bd36-6c5b9b4b7313_9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45.json b/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45.json deleted file mode 100644 index 83ab7445918..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Policy", "note": "## Triage and analysis\n\n### Investigating Attempt to Modify an Okta Policy\n\nModifications to Okta policies may indicate attempts to weaken an organization's security controls. If such an attempt is detected, consider the following steps for investigation.\n\n#### Possible investigation steps:\n- Identify the actor associated with the event. Check the fields `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name`.\n- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`.\n- Check the nature of the policy modification. 
You can review the `okta.target` field, especially `okta.target.display_name` and `okta.target.id`.\n- Examine the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the modification attempt.\n- Check if there have been other similar modification attempts in a short time span from the same actor or IP address.\n\n### False positive analysis:\n- This alert might be a false positive if Okta policies are regularly updated in your organization as a part of normal operations.\n- Check if the actor associated with the event has legitimate rights to modify the Okta policies.\n- Verify the actor's geographical location and the time of the modification attempt. If these align with the actor's regular behavior, it could be a false positive.\n\n### Response and remediation:\n- If unauthorized modification is confirmed, initiate the incident response process.\n- Lock the actor's account and enforce password change as an immediate response.\n- Reset MFA tokens for the actor and enforce re-enrollment, if applicable.\n- Review any other actions taken by the actor to assess the overall impact.\n- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques.\n- Consider a security review of your Okta policies and rules to ensure they follow security best practices.", "query": "event.dataset:okta.system and event.action:policy.lifecycle.update\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45", "setup": "The Okta Fleet integration, 
Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_102.json b/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_102.json deleted file mode 100644 index 833619b8612..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Policy", "note": "", "query": "event.dataset:okta.system and event.action:policy.lifecycle.update\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": 
"query", "version": 102}, "id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_103.json b/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_103.json deleted file mode 100644 index 1e07d3bd309..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Policy", "note": "", "query": "event.dataset:okta.system and event.action:policy.lifecycle.update\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", 
"version": 103}, "id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_104.json b/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_104.json deleted file mode 100644 index 1fcbbef71d7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Policy", "note": "## Triage and analysis\n\n### Investigating Attempt to Modify an Okta Policy\n\nModifications to Okta policies may indicate attempts to weaken an organization's security controls. If such an attempt is detected, consider the following steps for investigation.\n\n#### Possible investigation steps:\n- Identify the actor associated with the event. Check the fields `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name`.\n- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`.\n- Check the nature of the policy modification. 
You can review the `okta.target` field, especially `okta.target.display_name` and `okta.target.id`.\n- Examine the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the modification attempt.\n- Check if there have been other similar modification attempts in a short time span from the same actor or IP address.\n\n### False positive analysis:\n- This alert might be a false positive if Okta policies are regularly updated in your organization as a part of normal operations.\n- Check if the actor associated with the event has legitimate rights to modify the Okta policies.\n- Verify the actor's geographical location and the time of the modification attempt. If these align with the actor's regular behavior, it could be a false positive.\n\n### Response and remediation:\n- If unauthorized modification is confirmed, initiate the incident response process.\n- Lock the actor's account and enforce password change as an immediate response.\n- Reset MFA tokens for the actor and enforce re-enrollment, if applicable.\n- Review any other actions taken by the actor to assess the overall impact.\n- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques.\n- Consider a security review of your Okta policies and rules to ensure they follow security best practices.", "query": "event.dataset:okta.system and event.action:policy.lifecycle.update\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45", "setup": "The Okta Fleet integration, 
Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_105.json b/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_105.json
deleted file mode 100644
index 6a0663166e6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Policy", "note": "## Triage and analysis\n\n### Investigating Attempt to Modify an Okta Policy\n\nModifications to Okta policies may indicate attempts to weaken an organization's security controls. If such an attempt is detected, consider the following steps for investigation.\n\n#### Possible investigation steps:\n- Identify the actor associated with the event. Check the fields `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name`.\n- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`.\n- Check the nature of the policy modification. 
You can review the `okta.target` field, especially `okta.target.display_name` and `okta.target.id`.\n- Examine the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the modification attempt.\n- Check if there have been other similar modification attempts in a short time span from the same actor or IP address.\n\n### False positive analysis:\n- This alert might be a false positive if Okta policies are regularly updated in your organization as a part of normal operations.\n- Check if the actor associated with the event has legitimate rights to modify the Okta policies.\n- Verify the actor's geographical location and the time of the modification attempt. If these align with the actor's regular behavior, it could be a false positive.\n\n### Response and remediation:\n- If unauthorized modification is confirmed, initiate the incident response process.\n- Lock the actor's account and enforce password change as an immediate response.\n- Reset MFA tokens for the actor and enforce re-enrollment, if applicable.\n- Review any other actions taken by the actor to assess the overall impact.\n- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques.\n- Consider a security review of your Okta policies and rules to ensure they follow security best practices.", "query": "event.dataset:okta.system and event.action:policy.lifecycle.update\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45", "setup": "The Okta Fleet integration, 
Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_206.json b/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_206.json
deleted file mode 100644
index 7867343544c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_206.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Policy", "note": "## Triage and analysis\n\n### Investigating Attempt to Modify an Okta Policy\n\nModifications to Okta policies may indicate attempts to weaken an organization's security controls. If such an attempt is detected, consider the following steps for investigation.\n\n#### Possible investigation steps:\n- Identify the actor associated with the event. Check the fields `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name`.\n- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`.\n- Check the nature of the policy modification. 
You can review the `okta.target` field, especially `okta.target.display_name` and `okta.target.id`.\n- Examine the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the modification attempt.\n- Check if there have been other similar modification attempts in a short time span from the same actor or IP address.\n\n### False positive analysis:\n- This alert might be a false positive if Okta policies are regularly updated in your organization as a part of normal operations.\n- Check if the actor associated with the event has legitimate rights to modify the Okta policies.\n- Verify the actor's geographical location and the time of the modification attempt. If these align with the actor's regular behavior, it could be a false positive.\n\n### Response and remediation:\n- If unauthorized modification is confirmed, initiate the incident response process.\n- Lock the actor's account and enforce password change as an immediate response.\n- Reset MFA tokens for the actor and enforce re-enrollment, if applicable.\n- Review any other actions taken by the actor to assess the overall impact.\n- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques.\n- Consider a security review of your Okta policies and rules to ensure they follow security best practices.", "query": "event.dataset:okta.system and event.action:policy.lifecycle.update\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45", "setup": "The Okta Fleet integration, 
Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_206", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_207.json b/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_207.json
deleted file mode 100644
index 2671e3b8a6e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_207.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Policy", "note": "## Triage and analysis\n\n### Investigating Attempt to Modify an Okta Policy\n\nModifications to Okta policies may indicate attempts to weaken an organization's security controls. If such an attempt is detected, consider the following steps for investigation.\n\n#### Possible investigation steps:\n- Identify the actor associated with the event. Check the fields `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name`.\n- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`.\n- Check the nature of the policy modification. 
You can review the `okta.target` field, especially `okta.target.display_name` and `okta.target.id`.\n- Examine the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the modification attempt.\n- Check if there have been other similar modification attempts in a short time span from the same actor or IP address.\n\n### False positive analysis:\n- This alert might be a false positive if Okta policies are regularly updated in your organization as a part of normal operations.\n- Check if the actor associated with the event has legitimate rights to modify the Okta policies.\n- Verify the actor's geographical location and the time of the modification attempt. If these align with the actor's regular behavior, it could be a false positive.\n\n### Response and remediation:\n- If unauthorized modification is confirmed, initiate the incident response process.\n- Lock the actor's account and enforce password change as an immediate response.\n- Reset MFA tokens for the actor and enforce re-enrollment, if applicable.\n- Review any other actions taken by the actor to assess the overall impact.\n- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques.\n- Consider a security review of your Okta policies and rules to ensure they follow security best practices.", "query": "event.dataset:okta.system and event.action:policy.lifecycle.update\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": 
true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_207", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_209.json b/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_209.json deleted file mode 100644 index 8f7ffdb735d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_209.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Policy", "note": "## Triage and analysis\n\n### Investigating Attempt to Modify an Okta Policy\n\nModifications to Okta policies may indicate attempts to weaken an organization's security controls. If such an attempt is detected, consider the following steps for investigation.\n\n#### Possible investigation steps:\n- Identify the actor associated with the event. Check the fields `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name`.\n- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`.\n- Check the nature of the policy modification. 
You can review the `okta.target` field, especially `okta.target.display_name` and `okta.target.id`.\n- Examine the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the modification attempt.\n- Check if there have been other similar modification attempts in a short time span from the same actor or IP address.\n\n### False positive analysis:\n- This alert might be a false positive if Okta policies are regularly updated in your organization as a part of normal operations.\n- Check if the actor associated with the event has legitimate rights to modify the Okta policies.\n- Verify the actor's geographical location and the time of the modification attempt. If these align with the actor's regular behavior, it could be a false positive.\n\n### Response and remediation:\n- If unauthorized modification is confirmed, initiate the incident response process.\n- Lock the actor's account and enforce password change as an immediate response.\n- Reset MFA tokens for the actor and enforce re-enrollment, if applicable.\n- Review any other actions taken by the actor to assess the overall impact.\n- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques.\n- Consider a security review of your Okta policies and rules to ensure they follow security best practices.", "query": "event.dataset:okta.system and event.action:policy.lifecycle.update\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": 
true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_209", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_309.json b/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_309.json new file mode 100644 index 00000000000..bc211705d49 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_309.json 
@@ -0,0 +1,83 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects attempts to modify an Okta policy. An adversary may attempt to modify an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to modify an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", + "false_positives": [ + "Consider adding exceptions to this rule to filter false positives if Okta policies are regularly modified in your organization." + ], + "index": [ + "filebeat-*", + "logs-okta*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Attempt to Modify an Okta Policy", + "note": "## Triage and analysis\n\n### Investigating Attempt to Modify an Okta Policy\n\nModifications to Okta policies may indicate attempts to weaken an organization's security controls. If such an attempt is detected, consider the following steps for investigation.\n\n#### Possible investigation steps:\n- Identify the actor associated with the event. Check the fields `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name`.\n- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`.\n- Check the nature of the policy modification. 
You can review the `okta.target` field, especially `okta.target.display_name` and `okta.target.id`.\n- Examine the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the modification attempt.\n- Check if there have been other similar modification attempts in a short time span from the same actor or IP address.\n\n### False positive analysis:\n- This alert might be a false positive if Okta policies are regularly updated in your organization as a part of normal operations.\n- Check if the actor associated with the event has legitimate rights to modify the Okta policies.\n- Verify the actor's geographical location and the time of the modification attempt. If these align with the actor's regular behavior, it could be a false positive.\n\n### Response and remediation:\n- If unauthorized modification is confirmed, initiate the incident response process.\n- Lock the actor's account and enforce password change as an immediate response.\n- Reset MFA tokens for the actor and enforce re-enrollment, if applicable.\n- Review any other actions taken by the actor to assess the overall impact.\n- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques.\n- Consider a security review of your Okta policies and rules to ensure they follow security best practices.", + "query": "event.dataset:okta.system and event.action:policy.lifecycle.update\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", + "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": 
"event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "low", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Tactic: Defense Evasion" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 309 + }, + "id": "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45_309", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d.json b/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d.json deleted file mode 100644 index f3594261513..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the occurrence of mailbox audit bypass associations. The mailbox audit is responsible for logging specified mailbox events (like accessing a folder or a message or permanently deleting a message). However, actions taken by some authorized accounts, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a large number of mailbox audit log entries and may not be of interest to your organization. Because of this, administrators can create bypass associations, allowing certain accounts to perform their tasks without being logged. Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by the account.", "false_positives": ["Legitimate allowlisting of noisy accounts"], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "O365 Mailbox Audit Logging Bypass", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success\n", "references": ["https://twitter.com/misconfig/status/1476144066807140355"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "675239ea-c1bc-4467-a6d3-b9e2cc7f676d", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Initial Access", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense 
Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "675239ea-c1bc-4467-a6d3-b9e2cc7f676d", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_101.json b/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_101.json deleted file mode 100644 index 869783db81e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the occurrence of mailbox audit bypass associations. The mailbox audit is responsible for logging specified mailbox events (like accessing a folder or a message or permanently deleting a message). However, actions taken by some authorized accounts, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a large number of mailbox audit log entries and may not be of interest to your organization. Because of this, administrators can create bypass associations, allowing certain accounts to perform their tasks without being logged. Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by the account.", "false_positives": ["Legitimate allowlisting of noisy accounts"], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "O365 Mailbox Audit Logging Bypass", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success\n", "references": ["https://twitter.com/misconfig/status/1476144066807140355"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "675239ea-c1bc-4467-a6d3-b9e2cc7f676d", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", 
"reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "675239ea-c1bc-4467-a6d3-b9e2cc7f676d_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_102.json b/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_102.json deleted file mode 100644 index 006140992ed..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the occurrence of mailbox audit bypass associations. The mailbox audit is responsible for logging specified mailbox events (like accessing a folder or a message or permanently deleting a message). However, actions taken by some authorized accounts, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a large number of mailbox audit log entries and may not be of interest to your organization. Because of this, administrators can create bypass associations, allowing certain accounts to perform their tasks without being logged. Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by the account.", "false_positives": ["Legitimate allowlisting of noisy accounts"], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "O365 Mailbox Audit Logging Bypass", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success\n", "references": ["https://twitter.com/misconfig/status/1476144066807140355"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "675239ea-c1bc-4467-a6d3-b9e2cc7f676d", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Initial Access", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense 
Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "675239ea-c1bc-4467-a6d3-b9e2cc7f676d_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_103.json b/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_103.json deleted file mode 100644 index 71c4696a457..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the occurrence of mailbox audit bypass associations. The mailbox audit is responsible for logging specified mailbox events (like accessing a folder or a message or permanently deleting a message). However, actions taken by some authorized accounts, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a large number of mailbox audit log entries and may not be of interest to your organization. Because of this, administrators can create bypass associations, allowing certain accounts to perform their tasks without being logged. Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by the account.", "false_positives": ["Legitimate allowlisting of noisy accounts"], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "O365 Mailbox Audit Logging Bypass", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success\n", "references": ["https://twitter.com/misconfig/status/1476144066807140355"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "675239ea-c1bc-4467-a6d3-b9e2cc7f676d", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Initial Access", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense 
Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "675239ea-c1bc-4467-a6d3-b9e2cc7f676d_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_105.json b/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_105.json deleted file mode 100644 index b531795cc6d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/675239ea-c1bc-4467-a6d3-b9e2cc7f676d_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the occurrence of mailbox audit bypass associations. The mailbox audit is responsible for logging specified mailbox events (like accessing a folder or a message or permanently deleting a message). However, actions taken by some authorized accounts, such as accounts used by third-party tools or accounts used for lawful monitoring, can create a large number of mailbox audit log entries and may not be of interest to your organization. Because of this, administrators can create bypass associations, allowing certain accounts to perform their tasks without being logged. Attackers can abuse this allowlist mechanism to conceal actions taken, as the mailbox audit will log no activity done by the account.", "false_positives": ["Legitimate allowlisting of noisy accounts"], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "O365 Mailbox Audit Logging Bypass", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.action:Set-MailboxAuditBypassAssociation and event.outcome:success\n", "references": ["https://twitter.com/misconfig/status/1476144066807140355"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "675239ea-c1bc-4467-a6d3-b9e2cc7f676d", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Initial Access", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense 
Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "675239ea-c1bc-4467-a6d3-b9e2cc7f676d_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7.json b/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7.json deleted file mode 100644 index 27d06699821..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations.", "false_positives": ["If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Revoke Okta API Token", "note": "## Triage and analysis\n\n### Investigating Attempt to Revoke Okta API Token\n\nThe rule alerts when attempts are made to revoke an Okta API token. The API tokens are critical for integration services, and revoking them may lead to disruption in services. Therefore, it's important to validate these activities.\n\n#### Possible investigation steps:\n- Identify the actor associated with the API token revocation attempt. You can use the `okta.actor.alternate_id` field for this purpose.\n- Determine the client used by the actor. Review the `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context` fields.\n- Verify if the API token revocation was authorized or part of some planned activity.\n- Check the `okta.outcome.result` and `okta.outcome.reason` fields to see if the attempt was successful or failed.\n- Analyze the past activities of the actor involved in this action. An actor who usually performs such activities may indicate a legitimate reason.\n- Evaluate the actions that happened just before and after this event. 
It can help understand the full context of the activity.\n\n### False positive analysis:\n- It might be a false positive if the action was part of a planned activity or was performed by an authorized person.\n\n### Response and remediation:\n- If unauthorized revocation attempts are confirmed, initiate the incident response process.\n- Block the IP address or device used in the attempts, if they appear suspicious.\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- If the revoked token was used for critical integrations, coordinate with the relevant team to minimize the impact.", "query": "event.dataset:okta.system and event.action:system.api_token.revoke\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_102.json b/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_102.json
deleted file mode 100644
index 2b4f788b152..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations.", "false_positives": ["If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Revoke Okta API Token", "note": "", "query": "event.dataset:okta.system and event.action:system.api_token.revoke\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_103.json b/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_103.json
deleted file mode 100644
index 5d8fc479d49..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations.", "false_positives": ["If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Revoke Okta API Token", "note": "", "query": "event.dataset:okta.system and event.action:system.api_token.revoke\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_104.json b/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_104.json
deleted file mode 100644
index bb887641863..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations.", "false_positives": ["If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Revoke Okta API Token", "note": "## Triage and analysis\n\n### Investigating Attempt to Revoke Okta API Token\n\nThe rule alerts when attempts are made to revoke an Okta API token. The API tokens are critical for integration services, and revoking them may lead to disruption in services. Therefore, it's important to validate these activities.\n\n#### Possible investigation steps:\n- Identify the actor associated with the API token revocation attempt. You can use the `okta.actor.alternate_id` field for this purpose.\n- Determine the client used by the actor. Review the `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context` fields.\n- Verify if the API token revocation was authorized or part of some planned activity.\n- Check the `okta.outcome.result` and `okta.outcome.reason` fields to see if the attempt was successful or failed.\n- Analyze the past activities of the actor involved in this action. An actor who usually performs such activities may indicate a legitimate reason.\n- Evaluate the actions that happened just before and after this event. 
It can help understand the full context of the activity.\n\n### False positive analysis:\n- It might be a false positive if the action was part of a planned activity or was performed by an authorized person.\n\n### Response and remediation:\n- If unauthorized revocation attempts are confirmed, initiate the incident response process.\n- Block the IP address or device used in the attempts, if they appear suspicious.\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- If the revoked token was used for critical integrations, coordinate with the relevant team to minimize the impact.", "query": "event.dataset:okta.system and event.action:system.api_token.revoke\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_105.json b/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_105.json
deleted file mode 100644
index 637d4c07644..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations.", "false_positives": ["If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Revoke Okta API Token", "note": "## Triage and analysis\n\n### Investigating Attempt to Revoke Okta API Token\n\nThe rule alerts when attempts are made to revoke an Okta API token. The API tokens are critical for integration services, and revoking them may lead to disruption in services. Therefore, it's important to validate these activities.\n\n#### Possible investigation steps:\n- Identify the actor associated with the API token revocation attempt. You can use the `okta.actor.alternate_id` field for this purpose.\n- Determine the client used by the actor. Review the `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context` fields.\n- Verify if the API token revocation was authorized or part of some planned activity.\n- Check the `okta.outcome.result` and `okta.outcome.reason` fields to see if the attempt was successful or failed.\n- Analyze the past activities of the actor involved in this action. An actor who usually performs such activities may indicate a legitimate reason.\n- Evaluate the actions that happened just before and after this event. 
It can help understand the full context of the activity.\n\n### False positive analysis:\n- It might be a false positive if the action was part of a planned activity or was performed by an authorized person.\n\n### Response and remediation:\n- If unauthorized revocation attempts are confirmed, initiate the incident response process.\n- Block the IP address or device used in the attempts, if they appear suspicious.\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- If the revoked token was used for critical integrations, coordinate with the relevant team to minimize the impact.", "query": "event.dataset:okta.system and event.action:system.api_token.revoke\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_206.json b/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_206.json
deleted file mode 100644
index 8423f35142e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_206.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations.", "false_positives": ["If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Revoke Okta API Token", "note": "## Triage and analysis\n\n### Investigating Attempt to Revoke Okta API Token\n\nThe rule alerts when attempts are made to revoke an Okta API token. The API tokens are critical for integration services, and revoking them may lead to disruption in services. Therefore, it's important to validate these activities.\n\n#### Possible investigation steps:\n- Identify the actor associated with the API token revocation attempt. You can use the `okta.actor.alternate_id` field for this purpose.\n- Determine the client used by the actor. Review the `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context` fields.\n- Verify if the API token revocation was authorized or part of some planned activity.\n- Check the `okta.outcome.result` and `okta.outcome.reason` fields to see if the attempt was successful or failed.\n- Analyze the past activities of the actor involved in this action. An actor who usually performs such activities may indicate a legitimate reason.\n- Evaluate the actions that happened just before and after this event. 
It can help understand the full context of the activity.\n\n### False positive analysis:\n- It might be a false positive if the action was part of a planned activity or was performed by an authorized person.\n\n### Response and remediation:\n- If unauthorized revocation attempts are confirmed, initiate the incident response process.\n- Block the IP address or device used in the attempts, if they appear suspicious.\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- If the revoked token was used for critical integrations, coordinate with the relevant team to minimize the impact.", "query": "event.dataset:okta.system and event.action:system.api_token.revoke\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_206", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_207.json b/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_207.json
deleted file mode 100644
index 9c25224df52..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_207.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations.", "false_positives": ["If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Revoke Okta API Token", "note": "## Triage and analysis\n\n### Investigating Attempt to Revoke Okta API Token\n\nThe rule alerts when attempts are made to revoke an Okta API token. The API tokens are critical for integration services, and revoking them may lead to disruption in services. Therefore, it's important to validate these activities.\n\n#### Possible investigation steps:\n- Identify the actor associated with the API token revocation attempt. You can use the `okta.actor.alternate_id` field for this purpose.\n- Determine the client used by the actor. Review the `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context` fields.\n- Verify if the API token revocation was authorized or part of some planned activity.\n- Check the `okta.outcome.result` and `okta.outcome.reason` fields to see if the attempt was successful or failed.\n- Analyze the past activities of the actor involved in this action. An actor who usually performs such activities may indicate a legitimate reason.\n- Evaluate the actions that happened just before and after this event. 
It can help understand the full context of the activity.\n\n### False positive analysis:\n- It might be a false positive if the action was part of a planned activity or was performed by an authorized person.\n\n### Response and remediation:\n- If unauthorized revocation attempts are confirmed, initiate the incident response process.\n- Block the IP address or device used in the attempts, if they appear suspicious.\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- If the revoked token was used for critical integrations, coordinate with the relevant team to minimize the impact.", "query": "event.dataset:okta.system and event.action:system.api_token.revoke\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": 
"event.ingested", "type": "query", "version": 207}, "id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_207", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_209.json b/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_209.json
deleted file mode 100644
index fa1113630c4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_209.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations.", "false_positives": ["If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Revoke Okta API Token", "note": "## Triage and analysis\n\n### Investigating Attempt to Revoke Okta API Token\n\nThe rule alerts when attempts are made to revoke an Okta API token. The API tokens are critical for integration services, and revoking them may lead to disruption in services. Therefore, it's important to validate these activities.\n\n#### Possible investigation steps:\n- Identify the actor associated with the API token revocation attempt. You can use the `okta.actor.alternate_id` field for this purpose.\n- Determine the client used by the actor. Review the `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context` fields.\n- Verify if the API token revocation was authorized or part of some planned activity.\n- Check the `okta.outcome.result` and `okta.outcome.reason` fields to see if the attempt was successful or failed.\n- Analyze the past activities of the actor involved in this action. An actor who usually performs such activities may indicate a legitimate reason.\n- Evaluate the actions that happened just before and after this event. 
It can help understand the full context of the activity.\n\n### False positive analysis:\n- It might be a false positive if the action was part of a planned activity or was performed by an authorized person.\n\n### Response and remediation:\n- If unauthorized revocation attempts are confirmed, initiate the incident response process.\n- Block the IP address or device used in the attempts, if they appear suspicious.\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- If the revoked token was used for critical integrations, coordinate with the relevant team to minimize the impact.", "query": "event.dataset:okta.system and event.action:system.api_token.revoke\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": 
"event.ingested", "type": "query", "version": 209}, "id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_209", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_309.json b/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_309.json
new file mode 100644
index 00000000000..a6ec532cf16
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_309.json
@@ -0,0 +1,76 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations.",
+ "false_positives": [
+ "If the behavior of revoking Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempt to Revoke Okta API Token",
+ "note": "## Triage and analysis\n\n### Investigating Attempt to Revoke Okta API Token\n\nThe rule alerts when attempts are made to revoke an Okta API token. The API tokens are critical for integration services, and revoking them may lead to disruption in services. Therefore, it's important to validate these activities.\n\n#### Possible investigation steps:\n- Identify the actor associated with the API token revocation attempt. You can use the `okta.actor.alternate_id` field for this purpose.\n- Determine the client used by the actor. Review the `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context` fields.\n- Verify if the API token revocation was authorized or part of some planned activity.\n- Check the `okta.outcome.result` and `okta.outcome.reason` fields to see if the attempt was successful or failed.\n- Analyze the past activities of the actor involved in this action. An actor who usually performs such activities may indicate a legitimate reason.\n- Evaluate the actions that happened just before and after this event. 
It can help understand the full context of the activity.\n\n### False positive analysis:\n- It might be a false positive if the action was part of a planned activity or was performed by an authorized person.\n\n### Response and remediation:\n- If unauthorized revocation attempts are confirmed, initiate the incident response process.\n- Block the IP address or device used in the attempts, if they appear suspicious.\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- If the revoked token was used for critical integrations, coordinate with the relevant team to minimize the impact.",
+ "query": "event.dataset:okta.system and event.action:system.api_token.revoke\n",
+ "references": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "low",
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Impact"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0040",
+ "name": "Impact",
+ "reference": "https://attack.mitre.org/tactics/TA0040/"
+ },
+ "technique": [
+ {
+ "id": "T1531",
+ "name": "Account 
Access Removal",
+ "reference": "https://attack.mitre.org/techniques/T1531/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 309
+ },
+ "id": "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7_309",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b.json b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b.json
deleted file mode 100644
index da8b1b3685c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b.json
+++ /dev/null
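Review bot: The only substantive difference between this new `_309` copy and the deleted `_209` copy is `related_integrations` moving from `"^2.0.0"` to `"^3.0.0"`, while the query `event.dataset:okta.system and event.action:system.api_token.revoke` and the `required_fields` list are carried over unchanged; it is worth confirming that the okta 3.x integration still emits the same `event.dataset` value and `system.api_token.revoke` action string, because a renamed field or action would make the rule go quiet rather than fail loudly. The `setup` string still reads only "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", so an operator reading the rule cannot see the new minimum integration version; consider `"setup": "The Okta Fleet integration (3.0.0 or later), Filebeat module, or similarly structured data is required to be compatible with this rule."`. The query does not constrain `okta.outcome.result`, so failed revocation attempts alert as well as successful ones — appropriate for an attempt-detection rule, but the `false_positives` entry could say so explicitly so analysts do not tune it out as noise.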
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Process Terminations", "note": "## Triage and analysis\n\n### Investigating High Number of Process Terminations\n\nAttackers can kill processes for a variety of purposes. For example, they can kill process associated with business applications and databases to release the lock on files used by these applications so they may be encrypted,or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user.\n- Examine the contents of session leading to the process termination(s) via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities.\n- Examine the process killed during the malicious execution\n - Identify imment threat to the system from the process killed.\n - Take necessary incident response actions to respawn necessary process.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:linux and event.type:start and process.name:\"pkill\" and process.args:\"-f\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "threshold": {"field": ["host.id", "process.executable", "user.name"], "value": 10}, "timestamp_override": "event.ingested", "type": "threshold", "version": 112}, "id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_105.json b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_105.json deleted file mode 100644 index 0cf9b2b5aa2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Process Terminations", "note": "## Triage and analysis\n\n### Investigating High Number of Process Terminations\n\nAttackers can kill processes for a variety of purposes. For example, they can kill process associated with business applications and databases to release the lock on files used by these applications so they may be encrypted,or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user.\n- Examine the contents of session leading to the process termination(s) via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities.\n- Examine the process killed during the malicious execution\n - Identify imment threat to the system from the process killed.\n - Take necessary incident response actions to respawn necessary process.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:linux and event.type:start and process.name:\"pkill\" and process.args:\"-f\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Impact", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "threshold": {"field": ["host.id"], "value": 10}, "type": "threshold", "version": 105}, "id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_106.json b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_106.json
deleted file mode 100644
index 028301fc040..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Process Terminations", "note": "## Triage and analysis\n\n### Investigating High Number of Process Terminations\n\nAttackers can kill processes for a variety of purposes. For example, they can kill process associated with business applications and databases to release the lock on files used by these applications so they may be encrypted,or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user.\n- Examine the contents of session leading to the process termination(s) via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities.\n- Examine the process killed during the malicious execution\n - Identify imment threat to the system from the process killed.\n - Take necessary incident response actions to respawn necessary process.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:linux and event.type:start and process.name:\"pkill\" and process.args:\"-f\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "threshold": {"field": ["host.id"], "value": 10}, "type": "threshold", "version": 106}, "id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_106", "type": "security-rule"} \ No newline at 
end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_107.json b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_107.json
deleted file mode 100644
index df7f4b305c4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Process Terminations", "note": "## Triage and analysis\n\n### Investigating High Number of Process Terminations\n\nAttackers can kill processes for a variety of purposes. For example, they can kill process associated with business applications and databases to release the lock on files used by these applications so they may be encrypted,or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user.\n- Examine the contents of session leading to the process termination(s) via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities.\n- Examine the process killed during the malicious execution\n - Identify imment threat to the system from the process killed.\n - Take necessary incident response actions to respawn necessary process.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:linux and event.type:start and process.name:\"pkill\" and process.args:\"-f\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "threshold": {"field": ["host.id", "process.executable", "user.name"], "value": 10}, "type": "threshold", "version": 107}, "id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_107", "type": 
"security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_108.json b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_108.json deleted file mode 100644 index 8e90fe300a4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_108.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Process Terminations", "note": "## Triage and analysis\n\n### Investigating High Number of Process Terminations\n\nAttackers can kill processes for a variety of purposes. For example, they can kill process associated with business applications and databases to release the lock on files used by these applications so they may be encrypted,or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user.\n- Examine the contents of session leading to the process termination(s) via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities.\n- Examine the process killed during the malicious execution\n - Identify imment threat to the system from the process killed.\n - Take necessary incident response actions to respawn necessary process.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:linux and event.type:start and process.name:\"pkill\" and process.args:\"-f\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "threshold": {"field": ["host.id", "process.executable", "user.name"], "value": 10}, "type": "threshold", "version": 108}, "id": 
"67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_109.json b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_109.json deleted file mode 100644 index 5010224b3d4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_109.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Process Terminations", "note": "## Triage and analysis\n\n### Investigating High Number of Process Terminations\n\nAttackers can kill processes for a variety of purposes. For example, they can kill process associated with business applications and databases to release the lock on files used by these applications so they may be encrypted,or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user.\n- Examine the contents of session leading to the process termination(s) via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities.\n- Examine the process killed during the malicious execution\n - Identify imment threat to the system from the process killed.\n - Take necessary incident response actions to respawn necessary process.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.category:process and host.os.type:linux and event.type:start and process.name:\"pkill\" and process.args:\"-f\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "threshold": {"field": ["host.id", "process.executable", "user.name"], "value": 10}, "type": "threshold", "version": 109}, "id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_109", "type": "security-rule"} 
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_110.json b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_110.json
deleted file mode 100644
index f9d3d1fb6ec..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Process Terminations", "note": "## Triage and analysis\n\n### Investigating High Number of Process Terminations\n\nAttackers can kill processes for a variety of purposes. For example, they can kill process associated with business applications and databases to release the lock on files used by these applications so they may be encrypted,or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user.\n- Examine the contents of session leading to the process termination(s) via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities.\n- Examine the process killed during the malicious execution\n - Identify imment threat to the system from the process killed.\n - Take necessary incident response actions to respawn necessary process.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.category:process and host.os.type:linux and event.type:start and process.name:\"pkill\" and process.args:\"-f\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "threshold": {"field": ["host.id", "process.executable", "user.name"], "value": 10}, "type": "threshold", "version": 110}, "id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_110", "type": "security-rule"} 
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_111.json b/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_111.json
deleted file mode 100644
index f35ecd06722..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Process Terminations", "note": "## Triage and analysis\n\n### Investigating High Number of Process Terminations\n\nAttackers can kill processes for a variety of purposes. For example, they can kill process associated with business applications and databases to release the lock on files used by these applications so they may be encrypted,or stop security and backup solutions, etc.\n\nThis rule identifies a high number (10) of process terminations via pkill from the same host within a short time period.\n\n#### Possible investigation steps\n\n- Examine the entry point to the host and user in action via the Analyse View.\n - Identify the session entry leader and session user.\n- Examine the contents of session leading to the process termination(s) via the Session View.\n - Examine the command execution pattern in the session, which may lead to suspricous activities.\n- Examine the process killed during the malicious execution\n - Identify imment threat to the system from the process killed.\n - Take necessary incident response actions to respawn necessary process.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore it to the operational state.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.category:process and host.os.type:linux and event.type:start and process.name:\"pkill\" and process.args:\"-f\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "threshold": {"field": ["host.id", "process.executable", "user.name"], "value": 10}, "timestamp_override": "event.ingested", "type": "threshold", "version": 111}, "id": "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b_111", "type": "security-rule"} 
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226.json b/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226.json
deleted file mode 100644
index 04b76c27a6c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Image File Execution Options Injection", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.value : (\"Debugger\", \"MonitorProcess\") and length(registry.data.strings) > 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\"\n ) and\n /* add FPs here */\n not registry.data.strings regex~ (\"\"\"C:\\\\Program Files( \\(x86\\))?\\\\ThinKiosk\\\\thinkiosk\\.exe\"\"\", \"\"\".*\\\\PSAppDeployToolkit\\\\.*\"\"\")\n", 
"references": ["https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "6839c821-011d-43bd-bd5b-acff00257226", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.012", "name": "Image File Execution Options Injection", "reference": "https://attack.mitre.org/techniques/T1546/012/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "6839c821-011d-43bd-bd5b-acff00257226", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_102.json b/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_102.json deleted file mode 100644 index 8d0d015cb5d..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Image File Execution Options Injection", "query": "registry where host.os.type == \"windows\" and length(registry.data.strings) > 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\"\n ) and\n /* add FPs here */\n not registry.data.strings regex~ (\"\"\"C:\\\\Program Files( \\(x86\\))?\\\\ThinKiosk\\\\thinkiosk\\.exe\"\"\", \"\"\".*\\\\PSAppDeployToolkit\\\\.*\"\"\")\n", "references": ["https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/"], 
"related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "6839c821-011d-43bd-bd5b-acff00257226", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.012", "name": "Image File Execution Options Injection", "reference": "https://attack.mitre.org/techniques/T1546/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "6839c821-011d-43bd-bd5b-acff00257226_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_103.json b/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_103.json deleted file mode 100644 index 612a4733e69..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Image File Execution Options Injection", "query": "registry where host.os.type == \"windows\" and length(registry.data.strings) > 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\"\n ) and\n /* add FPs here */\n not registry.data.strings regex~ (\"\"\"C:\\\\Program Files( \\(x86\\))?\\\\ThinKiosk\\\\thinkiosk\\.exe\"\"\", \"\"\".*\\\\PSAppDeployToolkit\\\\.*\"\"\")\n", "references": ["https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/"], 
"related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "6839c821-011d-43bd-bd5b-acff00257226", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.012", "name": "Image File Execution Options Injection", "reference": "https://attack.mitre.org/techniques/T1546/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "6839c821-011d-43bd-bd5b-acff00257226_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_104.json b/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_104.json deleted file mode 100644 index 67e072f5b97..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Image File Execution Options Injection", "query": "registry where host.os.type == \"windows\" and length(registry.data.strings) > 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\"\n ) and\n /* add FPs here */\n not registry.data.strings regex~ (\"\"\"C:\\\\Program Files( \\(x86\\))?\\\\ThinKiosk\\\\thinkiosk\\.exe\"\"\", \"\"\".*\\\\PSAppDeployToolkit\\\\.*\"\"\")\n", "references": ["https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/"], 
"related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "6839c821-011d-43bd-bd5b-acff00257226", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.012", "name": "Image File Execution Options Injection", "reference": "https://attack.mitre.org/techniques/T1546/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "6839c821-011d-43bd-bd5b-acff00257226_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_105.json b/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_105.json deleted file mode 100644 index be84adb3754..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Image File Execution Options Injection", "query": "registry where host.os.type == \"windows\" and length(registry.data.strings) > 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\"\n ) and\n /* add FPs here */\n not registry.data.strings regex~ (\"\"\"C:\\\\Program Files( \\(x86\\))?\\\\ThinKiosk\\\\thinkiosk\\.exe\"\"\", \"\"\".*\\\\PSAppDeployToolkit\\\\.*\"\"\")\n", "references": ["https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/"], 
"related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "6839c821-011d-43bd-bd5b-acff00257226", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.012", "name": "Image File Execution Options Injection", "reference": "https://attack.mitre.org/techniques/T1546/012/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "6839c821-011d-43bd-bd5b-acff00257226_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_106.json b/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_106.json deleted file mode 100644 index 84458fdf876..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Image File Execution Options Injection", "query": "registry where host.os.type == \"windows\" and length(registry.data.strings) > 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\"\n ) and\n /* add FPs here */\n not registry.data.strings regex~ (\"\"\"C:\\\\Program Files( \\(x86\\))?\\\\ThinKiosk\\\\thinkiosk\\.exe\"\"\", \"\"\".*\\\\PSAppDeployToolkit\\\\.*\"\"\")\n", "references": 
["https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "6839c821-011d-43bd-bd5b-acff00257226", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.012", "name": "Image File Execution Options Injection", "reference": "https://attack.mitre.org/techniques/T1546/012/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "6839c821-011d-43bd-bd5b-acff00257226_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_107.json b/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_107.json deleted file mode 100644 index 523eb873c4b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Image File Execution Options Injection", "query": "registry where host.os.type == \"windows\" and length(registry.data.strings) > 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\"\n ) and\n /* add FPs here */\n not registry.data.strings regex~ (\"\"\"C:\\\\Program Files( \\(x86\\))?\\\\ThinKiosk\\\\thinkiosk\\.exe\"\"\", \"\"\".*\\\\PSAppDeployToolkit\\\\.*\"\"\")\n", "references": 
["https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "6839c821-011d-43bd-bd5b-acff00257226", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.012", "name": "Image File Execution Options Injection", "reference": "https://attack.mitre.org/techniques/T1546/012/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "6839c821-011d-43bd-bd5b-acff00257226_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_108.json b/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_108.json deleted file mode 100644 index 82896c4605c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Image File Execution Options Injection", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.value : (\"Debugger\", \"MonitorProcess\") and length(registry.data.strings) > 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\"\n ) and\n /* add FPs here */\n not registry.data.strings regex~ (\"\"\"C:\\\\Program Files( \\(x86\\))?\\\\ThinKiosk\\\\thinkiosk\\.exe\"\"\", \"\"\".*\\\\PSAppDeployToolkit\\\\.*\"\"\")\n", "references": 
["https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "6839c821-011d-43bd-bd5b-acff00257226", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.012", "name": "Image File Execution Options Injection", "reference": "https://attack.mitre.org/techniques/T1546/012/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "6839c821-011d-43bd-bd5b-acff00257226_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_109.json b/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_109.json deleted file mode 100644 index 8de0b58479c..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/6839c821-011d-43bd-bd5b-acff00257226_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The Debugger and SilentProcessExit registry keys can allow an adversary to intercept the execution of files, causing a different process to be executed. This functionality can be abused by an adversary to establish persistence.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Image File Execution Options Injection", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.value : (\"Debugger\", \"MonitorProcess\") and length(registry.data.strings) > 0 and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"HKLM\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*.exe\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\*\\\\Debugger\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\SilentProcessExit\\\\*\\\\MonitorProcess\"\n ) and\n /* add FPs here */\n not registry.data.strings regex~ (\"\"\"C:\\\\Program Files( \\(x86\\))?\\\\ThinKiosk\\\\thinkiosk\\.exe\"\"\", \"\"\".*\\\\PSAppDeployToolkit\\\\.*\"\"\")\n", 
"references": ["https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "6839c821-011d-43bd-bd5b-acff00257226", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.012", "name": "Image File Execution Options Injection", "reference": "https://attack.mitre.org/techniques/T1546/012/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "6839c821-011d-43bd-bd5b-acff00257226_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8.json b/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8.json deleted file mode 100644 index 4679b0b492e..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider.", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "New or Modified Federation Domain", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Set-AcceptedDomain\" or\n\"Set-MsolDomainFederationSettings\" or \"Add-FederatedDomain\" or \"New-AcceptedDomain\" or \"Remove-AcceptedDomain\" or \"Remove-FederatedDomain\") and\nevent.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-accepteddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-federateddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-accepteddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/add-federateddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/set-accepteddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "684554fc-0777-47ce-8c9b-3d01f198d7f8", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity 
and Access Audit", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1484", "name": "Domain or Tenant Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.002", "name": "Trust Modification", "reference": "https://attack.mitre.org/techniques/T1484/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "684554fc-0777-47ce-8c9b-3d01f198d7f8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_101.json b/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_101.json deleted file mode 100644 index 2b46c7d84e0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider.", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "New or Modified Federation Domain", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Set-AcceptedDomain\" or\n\"Set-MsolDomainFederationSettings\" or \"Add-FederatedDomain\" or \"New-AcceptedDomain\" or \"Remove-AcceptedDomain\" or \"Remove-FederatedDomain\") and\nevent.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-accepteddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-federateddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-accepteddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/add-federateddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/set-accepteddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "684554fc-0777-47ce-8c9b-3d01f198d7f8", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", 
"SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.002", "name": "Domain Trust Modification", "reference": "https://attack.mitre.org/techniques/T1484/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "684554fc-0777-47ce-8c9b-3d01f198d7f8_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_102.json b/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_102.json deleted file mode 100644 index 1886f4a6169..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider.", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "New or Modified Federation Domain", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Set-AcceptedDomain\" or\n\"Set-MsolDomainFederationSettings\" or \"Add-FederatedDomain\" or \"New-AcceptedDomain\" or \"Remove-AcceptedDomain\" or \"Remove-FederatedDomain\") and\nevent.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-accepteddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-federateddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-accepteddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/add-federateddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/set-accepteddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "684554fc-0777-47ce-8c9b-3d01f198d7f8", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity 
and Access Audit", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.002", "name": "Domain Trust Modification", "reference": "https://attack.mitre.org/techniques/T1484/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "684554fc-0777-47ce-8c9b-3d01f198d7f8_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_103.json b/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_103.json deleted file mode 100644 index 185bf733180..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider.", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "New or Modified Federation Domain", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Set-AcceptedDomain\" or\n\"Set-MsolDomainFederationSettings\" or \"Add-FederatedDomain\" or \"New-AcceptedDomain\" or \"Remove-AcceptedDomain\" or \"Remove-FederatedDomain\") and\nevent.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-accepteddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-federateddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-accepteddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/add-federateddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/set-accepteddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "684554fc-0777-47ce-8c9b-3d01f198d7f8", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity 
and Access Audit", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.002", "name": "Domain Trust Modification", "reference": "https://attack.mitre.org/techniques/T1484/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "684554fc-0777-47ce-8c9b-3d01f198d7f8_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_105.json b/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_105.json deleted file mode 100644 index 4c161b8e2df..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider.", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "New or Modified Federation Domain", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Set-AcceptedDomain\" or\n\"Set-MsolDomainFederationSettings\" or \"Add-FederatedDomain\" or \"New-AcceptedDomain\" or \"Remove-AcceptedDomain\" or \"Remove-FederatedDomain\") and\nevent.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-accepteddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-federateddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-accepteddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/add-federateddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/set-accepteddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "684554fc-0777-47ce-8c9b-3d01f198d7f8", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity 
and Access Audit", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.002", "name": "Domain Trust Modification", "reference": "https://attack.mitre.org/techniques/T1484/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "684554fc-0777-47ce-8c9b-3d01f198d7f8_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_206.json b/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_206.json deleted file mode 100644 index a21938dbc64..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/684554fc-0777-47ce-8c9b-3d01f198d7f8_206.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies a new or modified federation domain, which can be used to create a trust between O365 and an external identity provider.", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "New or Modified Federation Domain", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Set-AcceptedDomain\" or\n\"Set-MsolDomainFederationSettings\" or \"Add-FederatedDomain\" or \"New-AcceptedDomain\" or \"Remove-AcceptedDomain\" or \"Remove-FederatedDomain\") and\nevent.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-accepteddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-federateddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-accepteddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/add-federateddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/set-accepteddomain?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "684554fc-0777-47ce-8c9b-3d01f198d7f8", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity 
and Access Audit", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.002", "name": "Domain Trust Modification", "reference": "https://attack.mitre.org/techniques/T1484/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "684554fc-0777-47ce-8c9b-3d01f198d7f8_206", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9.json b/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9.json deleted file mode 100644 index cf20aa0f4e7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes, which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents Okta's internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and other similar threats.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Okta ThreatInsight Threat Suspected Promotion", "note": "## Triage and analysis\n\nThis is a promotion rule for Okta ThreatInsight suspected threat events, which are alertable events per the vendor.\nConsult vendor documentation on interpreting specific events.", "query": "event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.debug_context.debug_data.threat_suspected", "type": "keyword"}], "risk_score": 47, "rule_id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9", "rule_name_override": "okta.display_message", "setup": "", "severity": "medium", "severity_mapping": [{"field": "okta.debug_context.debug_data.risk_level", "operator": "equals", "severity": "low", "value": "LOW"}, 
{"field": "okta.debug_context.debug_data.risk_level", "operator": "equals", "severity": "medium", "value": "MEDIUM"}, {"field": "okta.debug_context.debug_data.risk_level", "operator": "equals", "severity": "high", "value": "HIGH"}], "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta"], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_102.json b/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_102.json deleted file mode 100644 index 40205092039..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when Okta ThreatInsight identifies a request from a malicious IP address. Investigating requests from IP addresses identified as malicious by Okta ThreatInsight can help security teams monitor for and respond to credential based attacks against their organization, such as brute force and password spraying attacks.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Threat Detected by Okta ThreatInsight", "note": "", "query": "event.dataset:okta.system and event.action:security.threat.detected\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_103.json b/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_103.json deleted file mode 100644 index 94bcbd426cf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes, which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents Okta's internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and other similar threats.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Okta ThreatInsight Threat Suspected Promotion", "note": "## Triage and analysis\n\nThis is a promotion rule for Okta ThreatInsight suspected threat events, which are alertable events per the vendor.\nConsult vendor documentation on interpreting specific events.", "query": "event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.debug_context.debug_data.threat_suspected", "type": "keyword"}], "risk_score": 47, "rule_id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9", "rule_name_override": "okta.display_message", "setup": "", "severity": "medium", "severity_mapping": [{"field": "okta.debug_context.debug_data.risk_level", "operator": "equals", "severity": "low", "value": "LOW"}, 
{"field": "okta.debug_context.debug_data.risk_level", "operator": "equals", "severity": "medium", "value": "MEDIUM"}, {"field": "okta.debug_context.debug_data.risk_level", "operator": "equals", "severity": "high", "value": "HIGH"}], "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta"], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_104.json b/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_104.json deleted file mode 100644 index 9c774e3aa6b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes, which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents Okta's internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and other similar threats.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Okta ThreatInsight Threat Suspected Promotion", "note": "## Triage and analysis\n\nThis is a promotion rule for Okta ThreatInsight suspected threat events, which are alertable events per the vendor.\nConsult vendor documentation on interpreting specific events.", "query": "event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.debug_context.debug_data.threat_suspected", "type": "keyword"}], "risk_score": 47, "rule_id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9", "rule_name_override": "okta.display_message", "setup": "", "severity": "medium", "severity_mapping": [{"field": "okta.debug_context.debug_data.risk_level", "operator": "equals", "severity": "low", "value": "LOW"}, 
{"field": "okta.debug_context.debug_data.risk_level", "operator": "equals", "severity": "medium", "value": "MEDIUM"}, {"field": "okta.debug_context.debug_data.risk_level", "operator": "equals", "severity": "high", "value": "HIGH"}], "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta"], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_205.json b/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_205.json deleted file mode 100644 index f59e48e3870..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes, which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents Okta's internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and other similar threats.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Okta ThreatInsight Threat Suspected Promotion", "note": "## Triage and analysis\n\nThis is a promotion rule for Okta ThreatInsight suspected threat events, which are alertable events per the vendor.\nConsult vendor documentation on interpreting specific events.", "query": "event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.debug_context.debug_data.threat_suspected", "type": "keyword"}], "risk_score": 47, "rule_id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9", "rule_name_override": "okta.display_message", "setup": "", "severity": "medium", "severity_mapping": [{"field": "okta.debug_context.debug_data.risk_level", "operator": "equals", "severity": "low", "value": "LOW"}, 
{"field": "okta.debug_context.debug_data.risk_level", "operator": "equals", "severity": "medium", "value": "MEDIUM"}, {"field": "okta.debug_context.debug_data.risk_level", "operator": "equals", "severity": "high", "value": "HIGH"}], "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta"], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9_205", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_206.json b/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_206.json deleted file mode 100644 index 2576c0f133b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_206.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes, which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents Okta's internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and other similar threats.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Okta ThreatInsight Threat Suspected Promotion", "note": "## Triage and analysis\n\nThis is a promotion rule for Okta ThreatInsight suspected threat events, which are alertable events per the vendor.\nConsult vendor documentation on interpreting specific events.", "query": "event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.debug_context.debug_data.threat_suspected", "type": "keyword"}], "risk_score": 47, "rule_id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9", "rule_name_override": "okta.display_message", "setup": "", "severity": "medium", "severity_mapping": [{"field": "okta.debug_context.debug_data.risk_level", "operator": "equals", "severity": "low", "value": "LOW"}, {"field": "okta.debug_context.debug_data.risk_level", "operator": "equals", "severity": "medium", "value": "MEDIUM"}, {"field": "okta.debug_context.debug_data.risk_level", "operator": "equals", "severity": "high", "value": "HIGH"}], "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta"], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9_206", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_208.json b/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_208.json
deleted file mode 100644
index f50ed205bb1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_208.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes, which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents Okta's internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and other similar threats.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Okta ThreatInsight Threat Suspected Promotion", "note": "## Triage and analysis\n\nThis is a promotion rule for Okta ThreatInsight suspected threat events, which are alertable events per the vendor.\nConsult vendor documentation on interpreting specific events.", "query": "event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.debug_context.debug_data.threat_suspected", "type": "keyword"}], "risk_score": 47, "rule_id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9", "rule_name_override": "okta.display_message", "setup": "", "severity": "medium", "severity_mapping": [{"field": "okta.debug_context.debug_data.risk_level", "operator": "equals", "severity": "low", "value": "LOW"}, {"field": "okta.debug_context.debug_data.risk_level", "operator": "equals", "severity": "medium", "value": "MEDIUM"}, {"field": "okta.debug_context.debug_data.risk_level", "operator": "equals", "severity": "high", "value": "HIGH"}], "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta"], "timestamp_override": "event.ingested", "type": "query", "version": 208}, "id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_308.json b/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_308.json
new file mode 100644
index 00000000000..5613b7faf09
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/6885d2ae-e008-4762-b98a-e8e1cd3a81e9_308.json
@@ -0,0 +1,82 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Okta ThreatInsight is a feature that provides valuable debug data regarding authentication and authorization processes, which is logged in the system. Within this data, there is a specific field called threat_suspected, which represents Okta's internal evaluation of the authentication or authorization workflow. When this field is set to True, it suggests the presence of potential credential access techniques, such as password-spraying, brute-forcing, replay attacks, and other similar threats.",
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Okta ThreatInsight Threat Suspected Promotion",
+ "note": "## Triage and analysis\n\nThis is a promotion rule for Okta ThreatInsight suspected threat events, which are alertable events per the vendor.\nConsult vendor documentation on interpreting specific events.",
+ "query": "event.dataset:okta.system and (event.action:security.threat.detected or okta.debug_context.debug_data.threat_suspected: true)\n",
+ "references": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://help.okta.com/en-us/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.html",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "okta.debug_context.debug_data.threat_suspected",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9",
+ "rule_name_override": "okta.display_message",
+ "setup": "",
+ "severity": "medium",
+ "severity_mapping": [
+ {
+ "field": "okta.debug_context.debug_data.risk_level",
+ "operator": "equals",
+ "severity": "low",
+ "value": "LOW"
+ },
+ {
+ "field": "okta.debug_context.debug_data.risk_level",
+ "operator": "equals",
+ "severity": "medium",
+ "value": "MEDIUM"
+ },
+ {
+ "field": "okta.debug_context.debug_data.risk_level",
+ "operator": "equals",
+ "severity": "high",
+ "value": "HIGH"
+ }
+ ],
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta"
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 308
+ },
+ "id": "6885d2ae-e008-4762-b98a-e8e1cd3a81e9_308",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2.json b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2.json
deleted file mode 100644
index 2b3c5aec08e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via TelemetryController Scheduled Task Hijack", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"CompatTelRunner.exe\" and process.args : \"-cv*\" and\n not process.name : (\"conhost.exe\",\n \"DeviceCensus.exe\",\n \"CompatTelRunner.exe\",\n \"DismHost.exe\",\n \"rundll32.exe\",\n \"powershell.exe\")\n", "references": ["https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "68921d85-d0dc-48b3-865f-43291ca2c4f2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_103.json b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_103.json
deleted file mode 100644
index fb297f7e31b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via TelemetryController Scheduled Task Hijack", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"CompatTelRunner.exe\" and process.args : \"-cv*\" and\n not process.name : (\"conhost.exe\",\n \"DeviceCensus.exe\",\n \"CompatTelRunner.exe\",\n \"DismHost.exe\",\n \"rundll32.exe\",\n \"powershell.exe\")\n", "references": ["https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "68921d85-d0dc-48b3-865f-43291ca2c4f2_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_104.json b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_104.json
deleted file mode 100644
index eef88b15950..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via TelemetryController Scheduled Task Hijack", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"CompatTelRunner.exe\" and process.args : \"-cv*\" and\n not process.name : (\"conhost.exe\",\n \"DeviceCensus.exe\",\n \"CompatTelRunner.exe\",\n \"DismHost.exe\",\n \"rundll32.exe\",\n \"powershell.exe\")\n", "references": ["https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "68921d85-d0dc-48b3-865f-43291ca2c4f2_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_105.json b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_105.json
deleted file mode 100644
index d94ecfa4d63..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via TelemetryController Scheduled Task Hijack", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"CompatTelRunner.exe\" and process.args : \"-cv*\" and\n not process.name : (\"conhost.exe\",\n \"DeviceCensus.exe\",\n \"CompatTelRunner.exe\",\n \"DismHost.exe\",\n \"rundll32.exe\",\n \"powershell.exe\")\n", "references": ["https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "68921d85-d0dc-48b3-865f-43291ca2c4f2_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_106.json b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_106.json
deleted file mode 100644
index 0f905e58a4d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via TelemetryController Scheduled Task Hijack", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"CompatTelRunner.exe\" and process.args : \"-cv*\" and\n not process.name : (\"conhost.exe\",\n \"DeviceCensus.exe\",\n \"CompatTelRunner.exe\",\n \"DismHost.exe\",\n \"rundll32.exe\",\n \"powershell.exe\")\n", "references": ["https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "68921d85-d0dc-48b3-865f-43291ca2c4f2_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_107.json b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_107.json
deleted file mode 100644
index 3e22df4c946..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via TelemetryController Scheduled Task Hijack", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"CompatTelRunner.exe\" and process.args : \"-cv*\" and\n not process.name : (\"conhost.exe\",\n \"DeviceCensus.exe\",\n \"CompatTelRunner.exe\",\n \"DismHost.exe\",\n \"rundll32.exe\",\n \"powershell.exe\")\n", "references": ["https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "68921d85-d0dc-48b3-865f-43291ca2c4f2_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_108.json b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_108.json
deleted file mode 100644
index c5bbe0b292e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via TelemetryController Scheduled Task Hijack", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"CompatTelRunner.exe\" and process.args : \"-cv*\" and\n not process.name : (\"conhost.exe\",\n \"DeviceCensus.exe\",\n \"CompatTelRunner.exe\",\n \"DismHost.exe\",\n \"rundll32.exe\",\n \"powershell.exe\")\n", "references": ["https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "68921d85-d0dc-48b3-865f-43291ca2c4f2_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_109.json b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_109.json
deleted file mode 100644
index 0188c50ccc9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via TelemetryController Scheduled Task Hijack", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"CompatTelRunner.exe\" and process.args : \"-cv*\" and\n not process.name : (\"conhost.exe\",\n \"DeviceCensus.exe\",\n \"CompatTelRunner.exe\",\n \"DismHost.exe\",\n \"rundll32.exe\",\n \"powershell.exe\")\n", "references": ["https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: 
Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "68921d85-d0dc-48b3-865f-43291ca2c4f2_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_110.json b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_110.json deleted file mode 100644 index df3ac252e6d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via TelemetryController Scheduled Task Hijack", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"CompatTelRunner.exe\" and process.args : \"-cv*\" and\n not process.name : (\"conhost.exe\",\n \"DeviceCensus.exe\",\n \"CompatTelRunner.exe\",\n \"DismHost.exe\",\n \"rundll32.exe\",\n \"powershell.exe\")\n", "references": ["https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use 
Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "68921d85-d0dc-48b3-865f-43291ca2c4f2_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_111.json b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_111.json deleted file mode 100644 index 4e700cb4a03..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via TelemetryController Scheduled Task Hijack", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"CompatTelRunner.exe\" and process.args : \"-cv*\" and\n not process.name : (\"conhost.exe\",\n \"DeviceCensus.exe\",\n \"CompatTelRunner.exe\",\n \"DismHost.exe\",\n \"rundll32.exe\",\n \"powershell.exe\")\n", "references": ["https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use 
Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "68921d85-d0dc-48b3-865f-43291ca2c4f2_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_311.json b/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_311.json deleted file mode 100644 index a7885f70606..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/68921d85-d0dc-48b3-865f-43291ca2c4f2_311.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an integrity level of system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via TelemetryController Scheduled Task Hijack", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"CompatTelRunner.exe\" and process.args : \"-cv*\" and\n not process.name : (\"conhost.exe\",\n \"DeviceCensus.exe\",\n \"CompatTelRunner.exe\",\n \"DismHost.exe\",\n \"rundll32.exe\",\n \"powershell.exe\")\n", "references": ["https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "68921d85-d0dc-48b3-865f-43291ca2c4f2", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 311}, "id": "68921d85-d0dc-48b3-865f-43291ca2c4f2_311", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6.json b/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6.json deleted file mode 100644 index 21a1f048971..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Assigning the administrative role to a user will grant them access to the Google Admin console and grant them administrator privileges which allow them to access and manage various resources and applications. An adversary may create a new administrator account for persistence or apply the admin role to an existing user to carry out further intrusion efforts. Users with super-admin privileges can bypass single-sign on if enabled in Google Workspace.", "false_positives": ["Google Workspace admin role assignments may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Admin Role Assigned to a User", "note": "## Triage and analysis\n\n### Investigating Google Workspace Admin Role Assigned to a User\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups. These assignments should follow the principle of least privilege (PoLP). Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created when prebuilt roles are not sufficient.\n\nAdministrator roles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Administrative roles also give users access to the admin console, where domain-wide settings can be adjusted. Threat actors might rely on these new privileges to advance their intrusion efforts and laterally move throughout the organization. 
Users with unexpected administrative privileges may also cause operational dysfunction if unfamiliar settings are adjusted without warning.\n\nThis rule identifies when a Google Workspace administrative role is assigned to a user.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n - The `user.target.email` field contains the user who received the admin role.\n- Identify the role given to the user by reviewing the `google_workspace.admin.role.name` field in the alert.\n- After identifying the involved user, verify their administrative privileges are scoped properly.\n- To identify other users with this role, search the alert for `event.action: ASSIGN_ROLE`.\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\n - Adjust the relative time accordingly to identify all users that were assigned this admin role.\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\n - Add `user.email` with the target user account that recently received this new admin role.\n- After identifying the involved user, create a filter with their `user.name` or `user.target.email`. 
Review the last 48 hours of their activity for anything that may indicate a compromise.\n\n### False positive analysis\n\n- After identifying user account that added the admin role, verify the action was intentional.\n- Verify that the target user who was assigned the admin role should have administrative privileges in Google Workspace.\n- Review organizational units or groups the target user might have been added to and ensure the admin role permissions align.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.category:\"iam\" and event.action:\"ASSIGN_ROLE\"\n and google_workspace.event.type:\"DELEGATED_ADMIN_SETTINGS\" and google_workspace.admin.role.name : *_ADMIN_ROLE\n", "references": ["https://support.google.com/a/answer/172176?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.role.name", "type": "keyword"}, {"ecs": false, "name": "google_workspace.event.type", "type": "keyword"}], "risk_score": 73, "rule_id": "68994a6c-c7ba-4e82-b476-26a26877adf6", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "68994a6c-c7ba-4e82-b476-26a26877adf6", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_204.json b/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_204.json deleted file mode 100644 index 81d02c490d9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_204.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Assigning the administrative role to a user will grant them access to the Google Admin console and grant them administrator privileges which allow them to access and manage various resources and applications. An adversary may create a new administrator account for persistence or apply the admin role to an existing user to carry out further intrusion efforts. Users with super-admin privileges can bypass single-sign on if enabled in Google Workspace.", "false_positives": ["Google Workspace admin role assignments may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Admin Role Assigned to a User", "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.category:\"iam\" and event.action:\"ASSIGN_ROLE\"\n and google_workspace.event.type:\"DELEGATED_ADMIN_SETTINGS\" and google_workspace.admin.role.name : *_ADMIN_ROLE\n", "references": ["https://support.google.com/a/answer/172176?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.role.name", "type": "keyword"}, {"ecs": false, "name": "google_workspace.event.type", "type": "keyword"}], "risk_score": 73, "rule_id": "68994a6c-c7ba-4e82-b476-26a26877adf6", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Identity and Access", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 204}, "id": "68994a6c-c7ba-4e82-b476-26a26877adf6_204", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_205.json b/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_205.json deleted file mode 100644 index 78287a64afd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Assigning the administrative role to a user will grant them access to the Google Admin console and grant them administrator privileges which allow them to access and manage various resources and applications. An adversary may create a new administrator account for persistence or apply the admin role to an existing user to carry out further intrusion efforts. Users with super-admin privileges can bypass single-sign on if enabled in Google Workspace.", "false_positives": ["Google Workspace admin role assignments may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Admin Role Assigned to a User", "note": "## Triage and analysis\n\n### Investigating Google Workspace Admin Role Assigned to a User\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups. These assignments should follow the principle of least privilege (PoLP). Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created when prebuilt roles are not sufficient.\n\nAdministrator roles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Administrative roles also give users access to the admin console, where domain-wide settings can be adjusted. Threat actors might rely on these new privileges to advance their intrusion efforts and laterally move throughout the organization. 
Users with unexpected administrative privileges may also cause operational dysfunction if unfamiliar settings are adjusted without warning.\n\nThis rule identifies when a Google Workspace administrative role is assigned to a user.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n - The `user.target.email` field contains the user who received the admin role.\n- Identify the role given to the user by reviewing the `google_workspace.admin.role.name` field in the alert.\n- After identifying the involved user, verify their administrative privileges are scoped properly.\n- To identify other users with this role, search the alert for `event.action: ASSIGN_ROLE`.\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\n - Adjust the relative time accordingly to identify all users that were assigned this admin role.\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\n - Add `user.email` with the target user account that recently received this new admin role.\n- After identifying the involved user, create a filter with their `user.name` or `user.target.email`. 
Review the last 48 hours of their activity for anything that may indicate a compromise.\n\n### False positive analysis\n\n- After identifying user account that added the admin role, verify the action was intentional.\n- Verify that the target user who was assigned the admin role should have administrative privileges in Google Workspace.\n- Review organizational units or groups the target user might have been added to and ensure the admin role permissions align.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.category:\"iam\" and event.action:\"ASSIGN_ROLE\"\n and google_workspace.event.type:\"DELEGATED_ADMIN_SETTINGS\" and google_workspace.admin.role.name : *_ADMIN_ROLE\n", "references": ["https://support.google.com/a/answer/172176?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.role.name", "type": "keyword"}, {"ecs": false, "name": "google_workspace.event.type", "type": "keyword"}], "risk_score": 73, "rule_id": "68994a6c-c7ba-4e82-b476-26a26877adf6", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Identity and Access", "Persistence", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "68994a6c-c7ba-4e82-b476-26a26877adf6_205", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_206.json b/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_206.json deleted file mode 100644 index bcb3bff9d9e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/68994a6c-c7ba-4e82-b476-26a26877adf6_206.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Assigning the administrative role to a user will grant them access to the Google Admin console and grant them administrator privileges which allow them to access and manage various resources and applications. An adversary may create a new administrator account for persistence or apply the admin role to an existing user to carry out further intrusion efforts. Users with super-admin privileges can bypass single-sign on if enabled in Google Workspace.", "false_positives": ["Google Workspace admin role assignments may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Admin Role Assigned to a User", "note": "## Triage and analysis\n\n### Investigating Google Workspace Admin Role Assigned to a User\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups. These assignments should follow the principle of least privilege (PoLP). Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created when prebuilt roles are not sufficient.\n\nAdministrator roles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Administrative roles also give users access to the admin console, where domain-wide settings can be adjusted. Threat actors might rely on these new privileges to advance their intrusion efforts and laterally move throughout the organization. 
Users with unexpected administrative privileges may also cause operational dysfunction if unfamiliar settings are adjusted without warning.\n\nThis rule identifies when a Google Workspace administrative role is assigned to a user.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n - The `user.target.email` field contains the user who received the admin role.\n- Identify the role given to the user by reviewing the `google_workspace.admin.role.name` field in the alert.\n- After identifying the involved user, verify their administrative privileges are scoped properly.\n- To identify other users with this role, search the alert for `event.action: ASSIGN_ROLE`.\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\n - Adjust the relative time accordingly to identify all users that were assigned this admin role.\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\n - Add `user.email` with the target user account that recently received this new admin role.\n- After identifying the involved user, create a filter with their `user.name` or `user.target.email`. 
Review the last 48 hours of their activity for anything that may indicate a compromise.\n\n### False positive analysis\n\n- After identifying user account that added the admin role, verify the action was intentional.\n- Verify that the target user who was assigned the admin role should have administrative privileges in Google Workspace.\n- Review organizational units or groups the target user might have been added to and ensure the admin role permissions align.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.category:\"iam\" and event.action:\"ASSIGN_ROLE\"\n and google_workspace.event.type:\"DELEGATED_ADMIN_SETTINGS\" and google_workspace.admin.role.name : *_ADMIN_ROLE\n", "references": ["https://support.google.com/a/answer/172176?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.role.name", "type": "keyword"}, {"ecs": false, "name": "google_workspace.event.type", "type": "keyword"}], "risk_score": 73, "rule_id": "68994a6c-c7ba-4e82-b476-26a26877adf6", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "68994a6c-c7ba-4e82-b476-26a26877adf6_206", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a.json b/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a.json
deleted file mode 100644
index eb2db4d14e7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Scheduled Task Created by a Windows Script", "note": "## Triage and analysis\n\nDecode the base64 encoded Tasks Actions registry value to investigate the task's configured action.", "query": "sequence by host.id with maxspan = 30s\n [any where host.os.type == \"windows\" and \n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [registry where host.os.type == \"windows\" and event.type == \"change\" and registry.value : \"Actions\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"\n )]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": 
"keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "689b9d57-e4d5-4357-ad17-9c334609d79a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "type": "eql", "version": 108}, "id": "689b9d57-e4d5-4357-ad17-9c334609d79a", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_102.json b/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_102.json
deleted file mode 100644
index 0e1e02f6de6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Scheduled Task Created by a Windows Script", "note": "## Triage and analysis\n\nDecode the base64 encoded Tasks Actions registry value to investigate the task's configured action.", "query": "sequence by host.id with maxspan = 30s\n [any where host.os.type == \"windows\" and \n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], 
"risk_score": 47, "rule_id": "689b9d57-e4d5-4357-ad17-9c334609d79a", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 102}, "id": "689b9d57-e4d5-4357-ad17-9c334609d79a_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_103.json b/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_103.json
deleted file mode 100644
index b3cad4ff367..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Scheduled Task Created by a Windows Script", "note": "## Triage and analysis\n\nDecode the base64 encoded Tasks Actions registry value to investigate the task's configured action.", "query": "sequence by host.id with maxspan = 30s\n [any where host.os.type == \"windows\" and \n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], 
"risk_score": 47, "rule_id": "689b9d57-e4d5-4357-ad17-9c334609d79a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 103}, "id": "689b9d57-e4d5-4357-ad17-9c334609d79a_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_104.json b/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_104.json
deleted file mode 100644
index 3bc154af3e6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Scheduled Task Created by a Windows Script", "note": "## Triage and analysis\n\nDecode the base64 encoded Tasks Actions registry value to investigate the task's configured action.", "query": "sequence by host.id with maxspan = 30s\n [any where host.os.type == \"windows\" and \n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], 
"risk_score": 47, "rule_id": "689b9d57-e4d5-4357-ad17-9c334609d79a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 104}, "id": "689b9d57-e4d5-4357-ad17-9c334609d79a_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_105.json b/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_105.json
deleted file mode 100644
index 5fb93c2faa6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Scheduled Task Created by a Windows Script", "note": "## Triage and analysis\n\nDecode the base64 encoded Tasks Actions registry value to investigate the task's configured action.", "query": "sequence by host.id with maxspan = 30s\n [any where host.os.type == \"windows\" and \n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], 
"risk_score": 47, "rule_id": "689b9d57-e4d5-4357-ad17-9c334609d79a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "type": "eql", "version": 105}, "id": "689b9d57-e4d5-4357-ad17-9c334609d79a_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_106.json b/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_106.json
deleted file mode 100644
index 890d7f1de27..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Scheduled Task Created by a Windows Script", "note": "## Triage and analysis\n\nDecode the base64 encoded Tasks Actions registry value to investigate the task's configured action.", "query": "sequence by host.id with maxspan = 30s\n [any where host.os.type == \"windows\" and \n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.path", 
"type": "keyword"}], "risk_score": 47, "rule_id": "689b9d57-e4d5-4357-ad17-9c334609d79a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "type": "eql", "version": 106}, "id": "689b9d57-e4d5-4357-ad17-9c334609d79a_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_107.json b/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_107.json
deleted file mode 100644
index 8251a46b9e5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Scheduled Task Created by a Windows Script", "note": "## Triage and analysis\n\nDecode the base64 encoded Tasks Actions registry value to investigate the task's configured action.", "query": "sequence by host.id with maxspan = 30s\n [any where host.os.type == \"windows\" and \n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": 
"keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "689b9d57-e4d5-4357-ad17-9c334609d79a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "type": "eql", "version": 107}, "id": "689b9d57-e4d5-4357-ad17-9c334609d79a_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_108.json b/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_108.json
deleted file mode 100644
index 6954f0f7238..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/689b9d57-e4d5-4357-ad17-9c334609d79a_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A scheduled task was created by a Windows script via cscript.exe, wscript.exe or powershell.exe. This can be abused by an adversary to establish persistence.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Scheduled Task Created by a Windows Script", "note": "## Triage and analysis\n\nDecode the base64 encoded Tasks Actions registry value to investigate the task's configured action.", "query": "sequence by host.id with maxspan = 30s\n [any where host.os.type == \"windows\" and \n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\") and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")]\n [registry where host.os.type == \"windows\" and event.type == \"change\" and registry.value : \"Actions\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"\n )]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": 
"keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "689b9d57-e4d5-4357-ad17-9c334609d79a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "type": "eql", "version": 108}, "id": "689b9d57-e4d5-4357-ad17-9c334609d79a_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4.json b/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4.json deleted file mode 100644 index 44e2cdb9fa3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudWatch Log Group Deletion", "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Log Group Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of logs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly.\n\nA log group is a group of log streams that share the same retention, monitoring, and access control settings. You can define log groups and specify which streams to put into each group. There is no limit on the number of log streams that can belong to one log group.\n\nThis rule looks for the deletion of a log group using the API `DeleteLogGroup` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log group's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to 
identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html", "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": 
"keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS CloudWatch", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_105.json b/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_105.json deleted file mode 100644 index 57f8a60139d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudWatch Log Group Deletion", "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Log Group Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of logs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly.\n\nA log group is a group of log streams that share the same retention, monitoring, and access control settings. You can define log groups and specify which streams to put into each group. There is no limit on the number of log streams that can belong to one log group.\n\nThis rule looks for the deletion of a log group using the API `DeleteLogGroup` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log group's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to 
identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html", "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": 
"keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Log Auditing", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_106.json b/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_106.json deleted file mode 100644 index 391e3c9f6b4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudWatch Log Group Deletion", "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Log Group Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of logs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly.\n\nA log group is a group of log streams that share the same retention, monitoring, and access control settings. You can define log groups and specify which streams to put into each group. There is no limit on the number of log streams that can belong to one log group.\n\nThis rule looks for the deletion of a log group using the API `DeleteLogGroup` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log group's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to 
identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html", "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": 
"keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_107.json b/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_107.json deleted file mode 100644 index 94d93d2d722..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudWatch Log Group Deletion", "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Log Group Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of logs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly.\n\nA log group is a group of log streams that share the same retention, monitoring, and access control settings. You can define log groups and specify which streams to put into each group. There is no limit on the number of log streams that can belong to one log group.\n\nThis rule looks for the deletion of a log group using the API `DeleteLogGroup` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log group's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to 
identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html", "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": 
"keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_208.json b/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_208.json deleted file mode 100644 index d6921180a4d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/68a7a5a5-a2fc-4a76-ba9f-26849de881b4_208.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudWatch Log Group Deletion", "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Log Group Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of logs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly.\n\nA log group is a group of log streams that share the same retention, monitoring, and access control settings. You can define log groups and specify which streams to put into each group. There is no limit on the number of log streams that can belong to one log group.\n\nThis rule looks for the deletion of a log group using the API `DeleteLogGroup` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log group's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to 
identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogGroup and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html", "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": 
"keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 208}, "id": "68a7a5a5-a2fc-4a76-ba9f-26849de881b4_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68ad737b-f90a-4fe5-bda6-a68fa460044e.json b/packages/security_detection_engine/kibana/security_rule/68ad737b-f90a-4fe5-bda6-a68fa460044e.json deleted file mode 100644 index 0d2479fcf48..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/68ad737b-f90a-4fe5-bda6-a68fa460044e.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identify read access to a high number of Active Directory object attributes. The knowledge of objects properties can help adversaries find vulnerabilities, elevate privileges or collect sensitive information.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Access to LDAP Attributes", "query": "any where event.action in (\"Directory Service Access\", \"object-operation-performed\") and\n event.code == \"4662\" and not winlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n winlog.event_data.AccessMaskDescription == \"Read Property\" and length(winlog.event_data.Properties) >= 2000\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMaskDescription", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 73, "rule_id": "68ad737b-f90a-4fe5-bda6-a68fa460044e", "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: System", "Data Source: Active Directory", "Data Source: Windows"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", 
"name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "68ad737b-f90a-4fe5-bda6-a68fa460044e", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68ad737b-f90a-4fe5-bda6-a68fa460044e_1.json b/packages/security_detection_engine/kibana/security_rule/68ad737b-f90a-4fe5-bda6-a68fa460044e_1.json deleted file mode 100644 index 66f8aa8d4cf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/68ad737b-f90a-4fe5-bda6-a68fa460044e_1.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identify read access to a high number of Active Directory object attributes. The knowledge of objects properties can help adversaries find vulnerabilities, elevate privileges or collect sensitive information.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Access to LDAP Attributes", "query": "any where event.action == \"Directory Service Access\" and\n event.code == \"4662\" and not winlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n winlog.event_data.AccessMaskDescription == \"Read Property\" and length(winlog.event_data.Properties) >= 2000\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMaskDescription", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 73, "rule_id": "68ad737b-f90a-4fe5-bda6-a68fa460044e", "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: System", "Data Source: Active Directory", "Data Source: Windows"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": 
"https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "68ad737b-f90a-4fe5-bda6-a68fa460044e_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68ad737b-f90a-4fe5-bda6-a68fa460044e_2.json b/packages/security_detection_engine/kibana/security_rule/68ad737b-f90a-4fe5-bda6-a68fa460044e_2.json deleted file mode 100644 index f861db6b0eb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/68ad737b-f90a-4fe5-bda6-a68fa460044e_2.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identify read access to a high number of Active Directory object attributes. The knowledge of objects properties can help adversaries find vulnerabilities, elevate privileges or collect sensitive information.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Access to LDAP Attributes", "query": "any where event.action in (\"Directory Service Access\", \"object-operation-performed\") and\n event.code == \"4662\" and not winlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n winlog.event_data.AccessMaskDescription == \"Read Property\" and length(winlog.event_data.Properties) >= 2000\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMaskDescription", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 73, "rule_id": "68ad737b-f90a-4fe5-bda6-a68fa460044e", "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: System", "Data Source: Active Directory", "Data Source: Windows"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", 
"name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "68ad737b-f90a-4fe5-bda6-a68fa460044e_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68c5c9d1-38e5-48bb-b1b2-8b5951d39738.json b/packages/security_detection_engine/kibana/security_rule/68c5c9d1-38e5-48bb-b1b2-8b5951d39738.json deleted file mode 100644 index a1e5abd03c5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/68c5c9d1-38e5-48bb-b1b2-8b5951d39738.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies when an AWS RDS DB Snapshot is created. This can be used to evade defenses by allowing an attacker to bypass access controls or cover their tracks by reverting an instance to a previous state. This is a [building block rule](https://www.elastic.co/guide/en/security/current/building-block-rule.html) and does not generate alerts on its own. It is meant to be used for correlation with other rules to detect suspicious activity. To generate alerts, create a rule that uses this signal as a building block.", "false_positives": ["Legitimate manual or automated snapshots created for backups can trigger this rule. Ensure that the snapshots are authorized and align with your organization's policies."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS DB Snapshot Created", "query": "event.dataset: \"aws.cloudtrail\" and event.provider: \"rds.amazonaws.com\" \n and event.action: (\"CreateDBSnapshot\" or \"CreateDBClusterSnapshot\") and event.outcome: \"success\" \n", "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "68c5c9d1-38e5-48bb-b1b2-8b5951d39738", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Defense Evasion", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1578", 
"name": "Modify Cloud Compute Infrastructure", "reference": "https://attack.mitre.org/techniques/T1578/", "subtechnique": [{"id": "T1578.001", "name": "Create Snapshot", "reference": "https://attack.mitre.org/techniques/T1578/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "68c5c9d1-38e5-48bb-b1b2-8b5951d39738", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845.json b/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845.json deleted file mode 100644 index 8f9e3522e63..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"dllhost.exe\" and\n process.parent.args in (\"/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\", \"/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}\") and\n process.pe.original_file_name != \"WerFault.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "68d56fdc-7ffa-4419-8e95-81641bd6f845", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense 
Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "68d56fdc-7ffa-4419-8e95-81641bd6f845", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_103.json b/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_103.json deleted file mode 100644 index 1930cf8fbd7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_103.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"dllhost.exe\" and\n process.parent.args in (\"/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\", \"/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}\") and\n process.pe.original_file_name != \"WerFault.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "68d56fdc-7ffa-4419-8e95-81641bd6f845", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", 
"reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "68d56fdc-7ffa-4419-8e95-81641bd6f845_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_104.json b/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_104.json deleted file mode 100644 index 5b881e7304d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"dllhost.exe\" and\n process.parent.args in (\"/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\", \"/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}\") and\n process.pe.original_file_name != \"WerFault.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "68d56fdc-7ffa-4419-8e95-81641bd6f845", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": 
"Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "68d56fdc-7ffa-4419-8e95-81641bd6f845_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_105.json b/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_105.json deleted file mode 100644 index 5266228dbf2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"dllhost.exe\" and\n process.parent.args in (\"/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\", \"/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}\") and\n process.pe.original_file_name != \"WerFault.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "68d56fdc-7ffa-4419-8e95-81641bd6f845", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, 
"technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "68d56fdc-7ffa-4419-8e95-81641bd6f845_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_106.json b/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_106.json deleted file mode 100644 index 390ebe077cd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"dllhost.exe\" and\n process.parent.args in (\"/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\", \"/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}\") and\n process.pe.original_file_name != \"WerFault.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "68d56fdc-7ffa-4419-8e95-81641bd6f845", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": 
"https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "68d56fdc-7ffa-4419-8e95-81641bd6f845_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_107.json b/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_107.json deleted file mode 100644 index a524658fdb9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"dllhost.exe\" and\n process.parent.args in (\"/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\", \"/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}\") and\n process.pe.original_file_name != \"WerFault.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "68d56fdc-7ffa-4419-8e95-81641bd6f845", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data 
Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "68d56fdc-7ffa-4419-8e95-81641bd6f845_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_108.json b/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_108.json deleted file mode 100644 index 49320cdfb3f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"dllhost.exe\" and\n process.parent.args in (\"/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\", \"/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}\") and\n process.pe.original_file_name != \"WerFault.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "68d56fdc-7ffa-4419-8e95-81641bd6f845", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", 
"Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "68d56fdc-7ffa-4419-8e95-81641bd6f845_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_109.json b/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_109.json deleted file mode 100644 index c723fa734b6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/68d56fdc-7ffa-4419-8e95-81641bd6f845_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass via ICMLuaUtil Elevated COM Interface", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name == \"dllhost.exe\" and\n process.parent.args in (\"/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\", \"/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}\") and\n process.pe.original_file_name != \"WerFault.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "68d56fdc-7ffa-4419-8e95-81641bd6f845", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense 
Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "68d56fdc-7ffa-4419-8e95-81641bd6f845_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b.json b/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b.json deleted file mode 100644 index 57ad7896104..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Xavier Pich"], "description": "Identifies attempts to disable or schedule the deletion of an AWS KMS Customer Managed Key (CMK). Deleting an AWS KMS key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key and is irreversible. After a KMS key is deleted, the data that was encrypted under that KMS key can no longer be decrypted, which means that data becomes unrecoverable.", "false_positives": ["A KMS customer managed key may be disabled or scheduled for deletion by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Key deletions by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:(\"DisableKey\" or \"ScheduleKeyDeletion\") and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/cli/latest/reference/kms/disable-key.html", "https://docs.aws.amazon.com/cli/latest/reference/kms/schedule-key-deletion.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "6951f15e-533c-4a60-8014-a3c3ab851a1b", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": 
["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS KMS", "Use Case: Log Auditing", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "6951f15e-533c-4a60-8014-a3c3ab851a1b", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_105.json b/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_105.json deleted file mode 100644 index f04b6185674..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Xavier Pich"], "description": "Identifies attempts to disable or schedule the deletion of an AWS KMS Customer Managed Key (CMK). Deleting an AWS KMS key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key and is irreversible. After a KMS key is deleted, the data that was encrypted under that KMS key can no longer be decrypted, which means that data becomes unrecoverable.", "false_positives": ["A KMS customer managed key may be disabled or scheduled for deletion by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Key deletions by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:(\"DisableKey\" or \"ScheduleKeyDeletion\") and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/cli/latest/reference/kms/disable-key.html", "https://docs.aws.amazon.com/cli/latest/reference/kms/schedule-key-deletion.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "6951f15e-533c-4a60-8014-a3c3ab851a1b", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: 
Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "6951f15e-533c-4a60-8014-a3c3ab851a1b_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_2.json b/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_2.json deleted file mode 100644 index 2104ac35003..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Xavier Pich"], "description": "Identifies attempts to disable or schedule the deletion of an AWS KMS Customer Managed Key (CMK). Deleting an AWS KMS key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key and is irreversible. After a KMS key is deleted, the data that was encrypted under that KMS key can no longer be decrypted, which means that data becomes unrecoverable.", "false_positives": ["A KMS customer managed key may be disabled or scheduled for deletion by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Key deletions by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:(\"DisableKey\" or \"ScheduleKeyDeletion\") and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/cli/latest/reference/kms/disable-key.html", "https://docs.aws.amazon.com/cli/latest/reference/kms/schedule-key-deletion.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "6951f15e-533c-4a60-8014-a3c3ab851a1b", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", 
"Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Log Auditing", "Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "6951f15e-533c-4a60-8014-a3c3ab851a1b_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_3.json b/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_3.json deleted file mode 100644 index d9263199f37..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Xavier Pich"], "description": "Identifies attempts to disable or schedule the deletion of an AWS KMS Customer Managed Key (CMK). Deleting an AWS KMS key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key and is irreversible. After a KMS key is deleted, the data that was encrypted under that KMS key can no longer be decrypted, which means that data becomes unrecoverable.", "false_positives": ["A KMS customer managed key may be disabled or scheduled for deletion by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Key deletions by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:(\"DisableKey\" or \"ScheduleKeyDeletion\") and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/cli/latest/reference/kms/disable-key.html", "https://docs.aws.amazon.com/cli/latest/reference/kms/schedule-key-deletion.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "6951f15e-533c-4a60-8014-a3c3ab851a1b", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: 
Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "6951f15e-533c-4a60-8014-a3c3ab851a1b_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_4.json b/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_4.json deleted file mode 100644 index 65f9c87c6ac..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6951f15e-533c-4a60-8014-a3c3ab851a1b_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Xavier Pich"], "description": "Identifies attempts to disable or schedule the deletion of an AWS KMS Customer Managed Key (CMK). Deleting an AWS KMS key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key and is irreversible. After a KMS key is deleted, the data that was encrypted under that KMS key can no longer be decrypted, which means that data becomes unrecoverable.", "false_positives": ["A KMS customer managed key may be disabled or scheduled for deletion by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Key deletions by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS KMS Customer Managed Key Disabled or Scheduled for Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:kms.amazonaws.com and event.action:(\"DisableKey\" or \"ScheduleKeyDeletion\") and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/cli/latest/reference/kms/disable-key.html", "https://docs.aws.amazon.com/cli/latest/reference/kms/schedule-key-deletion.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "6951f15e-533c-4a60-8014-a3c3ab851a1b", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: 
Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "6951f15e-533c-4a60-8014-a3c3ab851a1b_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb.json b/packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb.json deleted file mode 100644 index 8d169cdd749..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by creating a new set of credentials for an existing user. This rule looks for use of the IAM `CreateAccessKey` API operation to create new programatic access keys for another IAM user.", "false_positives": ["While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `CreateAccessKey` for the targeted user."], "from": "now-6m", "language": "esql", "license": "Elastic License v2", "name": "AWS IAM User Created Access Keys For Another User", "note": "## Triage and analysis\n\n### Investigating AWS IAM User Created Access Keys For Another User\n\nAWS access keys created for IAM users or root user are long-term credentials that provide programatic access to AWS. \nWith access to the `iam:CreateAccessKey` permission, a set of compromised credentials could be used to create a new \nset of credentials for another user for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\nto look for use of the `CreateAccessKey` operation where the user.name is different from the user.target.name.\n\n\n#### Possible investigation steps\n\n- Identify both related accounts and their role in the environment.\n- Review IAM permission policies for the user identities.\n- Identify the applications or users that should use these accounts.\n- Investigate other alerts associated with the accounts during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Contact the account owners and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n - Determine what other API calls were made by the user.\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the IAM `CreateAccessKey` operation. 
Verify the `aws.cloudtrail.user_identity.arn` should use this operation against the `user.target.name` account.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n - Rotate user credentials\n - Remove the newly created credentials from the affected user(s)\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\n - Work with your IT teams to minimize the impact on business operations during these actions.\n- Remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "from logs-aws.cloudtrail-*\n| where event.provider == \"iam.amazonaws.com\" and event.action == \"CreateAccessKey\" and event.outcome == \"success\" and user.name != user.target.name\n", "references": ["https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/#iamcreateaccesskey", "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence", "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccessKey.html"], "risk_score": 47, "rule_id": "696015ef-718e-40ff-ac4a-cc2ba88dbeeb", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": 
"https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.001", "name": "Additional Cloud Credentials", "reference": "https://attack.mitre.org/techniques/T1098/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.001", "name": "Additional Cloud Credentials", "reference": "https://attack.mitre.org/techniques/T1098/001/"}]}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 2}, "id": "696015ef-718e-40ff-ac4a-cc2ba88dbeeb", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_1.json b/packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_1.json deleted file mode 100644 index 6554524f684..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_1.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by creating a new set of credentials for an existing user. This rule looks for use of the IAM `CreateAccessKey` API operation to create new programatic access keys for another IAM user.", "false_positives": ["While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `CreateAccessKey` for the targeted user."], "from": "now-10m", "language": "esql", "license": "Elastic License v2", "name": "AWS IAM User Created Access Keys For Another User", "note": "## Triage and analysis\n\n### Investigating AWS IAM User Created Access Keys For Another User\n\nAWS access keys created for IAM users or root user are long-term credentials that provide programatic access to AWS. \nWith access to the `iam:CreateAccessKey` permission, a set of compromised credentials could be used to create a new \nset of credentials for another user for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\nto look for use of the `CreateAccessKey` operation where the user.name is different from the user.target.name.\n\n\n#### Possible investigation steps\n\n- Identify both related accounts and their role in the environment.\n- Review IAM permission policies for the user identities.\n- Identify the applications or users that should use these accounts.\n- Investigate other alerts associated with the accounts during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Contact the account owners and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n - Determine what other API calls were made by the user.\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the IAM `CreateAccessKey` operation. 
Verify the `aws.cloudtrail.user_identity.arn` should use this operation against the `user.target.name` account.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n - Rotate user credentials\n - Remove the newly created credentials from the affected user(s)\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\n - Work with your IT teams to minimize the impact on business operations during these actions.\n- Remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "from logs-aws.cloudtrail-*\n| where event.provider == \"iam.amazonaws.com\" and event.action == \"CreateAccessKey\" and event.outcome == \"success\" and user.name != user.target.name\n", "references": ["https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/#iamcreateaccesskey", "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence", "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccessKey.html"], "risk_score": 47, "rule_id": "696015ef-718e-40ff-ac4a-cc2ba88dbeeb", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": 
"https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.001", "name": "Additional Cloud Credentials", "reference": "https://attack.mitre.org/techniques/T1098/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.001", "name": "Additional Cloud Credentials", "reference": "https://attack.mitre.org/techniques/T1098/001/"}]}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "696015ef-718e-40ff-ac4a-cc2ba88dbeeb_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_2.json b/packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_2.json deleted file mode 100644 index 448b08af323..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_2.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by creating a new set of credentials for an existing user. This rule looks for use of the IAM `CreateAccessKey` API operation to create new programatic access keys for another IAM user.", "false_positives": ["While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `CreateAccessKey` for the targeted user."], "from": "now-6m", "language": "esql", "license": "Elastic License v2", "name": "AWS IAM User Created Access Keys For Another User", "note": "## Triage and analysis\n\n### Investigating AWS IAM User Created Access Keys For Another User\n\nAWS access keys created for IAM users or root user are long-term credentials that provide programatic access to AWS. \nWith access to the `iam:CreateAccessKey` permission, a set of compromised credentials could be used to create a new \nset of credentials for another user for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\nto look for use of the `CreateAccessKey` operation where the user.name is different from the user.target.name.\n\n\n#### Possible investigation steps\n\n- Identify both related accounts and their role in the environment.\n- Review IAM permission policies for the user identities.\n- Identify the applications or users that should use these accounts.\n- Investigate other alerts associated with the accounts during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Contact the account owners and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n - Determine what other API calls were made by the user.\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the IAM `CreateAccessKey` operation. 
Verify the `aws.cloudtrail.user_identity.arn` should use this operation against the `user.target.name` account.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n - Rotate user credentials\n - Remove the newly created credentials from the affected user(s)\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\n - Work with your IT teams to minimize the impact on business operations during these actions.\n- Remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "from logs-aws.cloudtrail-*\n| where event.provider == \"iam.amazonaws.com\" and event.action == \"CreateAccessKey\" and event.outcome == \"success\" and user.name != user.target.name\n", "references": ["https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/#iamcreateaccesskey", "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence", "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccessKey.html"], "risk_score": 47, "rule_id": "696015ef-718e-40ff-ac4a-cc2ba88dbeeb", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": 
"https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.001", "name": "Additional Cloud Credentials", "reference": "https://attack.mitre.org/techniques/T1098/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.001", "name": "Additional Cloud Credentials", "reference": "https://attack.mitre.org/techniques/T1098/001/"}]}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 2}, "id": "696015ef-718e-40ff-ac4a-cc2ba88dbeeb_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_3.json b/packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_3.json deleted file mode 100644 index 72e3dd8e05e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/696015ef-718e-40ff-ac4a-cc2ba88dbeeb_3.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by creating a new set of credentials for an existing user. This rule looks for use of the IAM `CreateAccessKey` API operation to create new programmatic access keys for another IAM user.", "false_positives": ["While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `CreateAccessKey` for the targeted user."], "from": "now-6m", "language": "esql", "license": "Elastic License v2", "name": "AWS IAM User Created Access Keys For Another User", "note": "## Triage and analysis\n\n### Investigating AWS IAM User Created Access Keys For Another User\n\nAWS access keys created for IAM users or root user are long-term credentials that provide programmatic access to AWS.\nWith access to the `iam:CreateAccessKey` permission, a set of compromised credentials could be used to create a new\nset of credentials for another user for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\nto look for use of the `CreateAccessKey` operation where the user.name is different from the user.target.name.\n\n\n#### Possible investigation steps\n\n- Identify both related accounts and their role in the environment.\n- Review IAM permission policies for the user identities.\n- Identify the applications or users that should use these accounts.\n- Investigate other alerts associated with the accounts during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Contact the account owners and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n - Determine what other API calls were made by the user.\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the IAM `CreateAccessKey` operation. 
Verify the `aws.cloudtrail.user_identity.arn` should use this operation against the `user.target.name` account.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n - Rotate user credentials\n - Remove the newly created credentials from the affected user(s)\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment.\n - Work with your IT teams to minimize the impact on business operations during these actions.\n- Remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", 
"query": "from logs-aws.cloudtrail-* metadata _id, _version, _index\n| where event.provider == \"iam.amazonaws.com\"\n and event.action == \"CreateAccessKey\"\n and event.outcome == \"success\"\n and user.name != user.target.name\n| keep @timestamp, event.provider, event.action, event.outcome, user.name, user.target.name\n", "references": ["https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/#iamcreateaccesskey", "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-iam-persistence", "https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccessKey.html"], "risk_score": 47, "rule_id": "696015ef-718e-40ff-ac4a-cc2ba88dbeeb", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.001", "name": "Additional Cloud Credentials", "reference": "https://attack.mitre.org/techniques/T1098/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.001", "name": "Additional Cloud Credentials", "reference": "https://attack.mitre.org/techniques/T1098/001/"}]}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 3}, "id": "696015ef-718e-40ff-ac4a-cc2ba88dbeeb_3", "type": "security-rule"} \ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/69c116bb-d86f-48b0-857d-3648511a6cac.json b/packages/security_detection_engine/kibana/security_rule/69c116bb-d86f-48b0-857d-3648511a6cac.json
deleted file mode 100644
index 3b7ebe07178..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/69c116bb-d86f-48b0-857d-3648511a6cac.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors the syslog log file for error messages related to the rc.local process. The rc.local file is a script that is executed during the boot process on Linux systems. Attackers may attempt to modify the rc.local file to execute malicious commands or scripts during system startup. This rule detects error messages such as \"Connection refused,\" \"No such file or directory,\" or \"command not found\" in the syslog log file, which may indicate that the rc.local file has been tampered with.", "from": "now-9m", "index": ["logs-system.syslog-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious rc.local Error Message", "query": "host.os.type:linux and event.dataset:system.syslog and process.name:rc.local and\nmessage:(\"Connection refused\" or \"No such file or directory\" or \"command not found\")\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "69c116bb-d86f-48b0-857d-3648511a6cac", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Filebeat\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. 
Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat for the Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the Filebeat System Module to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon 
Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "69c116bb-d86f-48b0-857d-3648511a6cac", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/69c116bb-d86f-48b0-857d-3648511a6cac_1.json b/packages/security_detection_engine/kibana/security_rule/69c116bb-d86f-48b0-857d-3648511a6cac_1.json
deleted file mode 100644
index d4ee3d14f85..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/69c116bb-d86f-48b0-857d-3648511a6cac_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors the syslog log file for error messages related to the rc.local process. The rc.local file is a script that is executed during the boot process on Linux systems. Attackers may attempt to modify the rc.local file to execute malicious commands or scripts during system startup. This rule detects error messages such as \"Connection refused,\" \"No such file or directory,\" or \"command not found\" in the syslog log file, which may indicate that the rc.local file has been tampered with.", "from": "now-9m", "index": ["logs-system.syslog-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious rc.local Error Message", "query": "host.os.type:linux and event.dataset:system.syslog and process.name:rc.local and\nmessage:(\"Connection refused\" or \"No such file or directory\" or \"command not found\")\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "69c116bb-d86f-48b0-857d-3648511a6cac", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Filebeat\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. 
Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat for the Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the Filebeat System Module to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon 
Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "69c116bb-d86f-48b0-857d-3648511a6cac_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff.json b/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff.json
deleted file mode 100644
index 19d287b7d18..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Modification of Boot Configuration", "note": "## Triage and analysis\n\n### Investigating Modification of Boot Configuration\n\nBoot entry parameters, or boot parameters, are optional, system-specific settings that represent configuration options. These are stored in a boot configuration data (BCD) store, and administrators can use utilities like `bcdedit.exe` to configure these.\n\nThis rule identifies the usage of `bcdedit.exe` to:\n\n- Disable Windows Error Recovery (recoveryenabled).\n- Ignore errors if there is a failed boot, failed shutdown, or failed checkpoint (bootstatuspolicy ignoreallfailures).\n\nThese are common steps in destructive attacks by adversaries leveraging ransomware.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- The usage of these options is not inherently malicious. 
Administrators can modify these configurations to force a machine to boot for troubleshooting or data recovery purposes.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"bcdedit.exe\" or ?process.pe.original_file_name == \"bcdedit.exe\") and\n (\n (process.args : \"/set\" and process.args : \"bootstatuspolicy\" and process.args : \"ignoreallfailures\") or\n (process.args : \"no\" and process.args : \"recoveryenabled\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, 
"rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_104.json b/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_104.json deleted file mode 100644 index f09dadaacd6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Modification of Boot Configuration", "note": "## Triage and analysis\n\n### Investigating Modification of Boot Configuration\n\nBoot entry parameters, or boot parameters, are optional, system-specific settings that represent configuration options. These are stored in a boot configuration data (BCD) store, and administrators can use utilities like `bcdedit.exe` to configure these.\n\nThis rule identifies the usage of `bcdedit.exe` to:\n\n- Disable Windows Error Recovery (recoveryenabled).\n- Ignore errors if there is a failed boot, failed shutdown, or failed checkpoint (bootstatuspolicy ignoreallfailures).\n\nThese are common steps in destructive attacks by adversaries leveraging ransomware.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- The usage of these options is not inherently malicious. 
Administrators can modify these configurations to force a machine to boot for troubleshooting or data recovery purposes.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"bcdedit.exe\" or process.pe.original_file_name == \"bcdedit.exe\") and\n (\n (process.args : \"/set\" and process.args : \"bootstatuspolicy\" and process.args : \"ignoreallfailures\") or\n (process.args : \"no\" and process.args : \"recoveryenabled\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, 
"rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "69c251fb-a5d6-4035-b5ec-40438bd829ff_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_105.json b/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_105.json deleted file mode 100644 index 43dc7375ba4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Modification of Boot Configuration", "note": "## Triage and analysis\n\n### Investigating Modification of Boot Configuration\n\nBoot entry parameters, or boot parameters, are optional, system-specific settings that represent configuration options. These are stored in a boot configuration data (BCD) store, and administrators can use utilities like `bcdedit.exe` to configure these.\n\nThis rule identifies the usage of `bcdedit.exe` to:\n\n- Disable Windows Error Recovery (recoveryenabled).\n- Ignore errors if there is a failed boot, failed shutdown, or failed checkpoint (bootstatuspolicy ignoreallfailures).\n\nThese are common steps in destructive attacks by adversaries leveraging ransomware.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- The usage of these options is not inherently malicious. 
Administrators can modify these configurations to force a machine to boot for troubleshooting or data recovery purposes.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"bcdedit.exe\" or process.pe.original_file_name == \"bcdedit.exe\") and\n (\n (process.args : \"/set\" and process.args : \"bootstatuspolicy\" and process.args : \"ignoreallfailures\") or\n (process.args : \"no\" and process.args : \"recoveryenabled\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, 
"rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "69c251fb-a5d6-4035-b5ec-40438bd829ff_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_106.json b/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_106.json deleted file mode 100644 index 166dbce1389..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Modification of Boot Configuration", "note": "## Triage and analysis\n\n### Investigating Modification of Boot Configuration\n\nBoot entry parameters, or boot parameters, are optional, system-specific settings that represent configuration options. These are stored in a boot configuration data (BCD) store, and administrators can use utilities like `bcdedit.exe` to configure these.\n\nThis rule identifies the usage of `bcdedit.exe` to:\n\n- Disable Windows Error Recovery (recoveryenabled).\n- Ignore errors if there is a failed boot, failed shutdown, or failed checkpoint (bootstatuspolicy ignoreallfailures).\n\nThese are common steps in destructive attacks by adversaries leveraging ransomware.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- The usage of these options is not inherently malicious. 
Administrators can modify these configurations to force a machine to boot for troubleshooting or data recovery purposes.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"bcdedit.exe\" or process.pe.original_file_name == \"bcdedit.exe\") and\n (\n (process.args : \"/set\" and process.args : \"bootstatuspolicy\" and process.args : \"ignoreallfailures\") or\n (process.args : \"no\" and process.args : \"recoveryenabled\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, 
"rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "69c251fb-a5d6-4035-b5ec-40438bd829ff_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_107.json b/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_107.json deleted file mode 100644 index 67555f7b722..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Modification of Boot Configuration", "note": "## Triage and analysis\n\n### Investigating Modification of Boot Configuration\n\nBoot entry parameters, or boot parameters, are optional, system-specific settings that represent configuration options. These are stored in a boot configuration data (BCD) store, and administrators can use utilities like `bcdedit.exe` to configure these.\n\nThis rule identifies the usage of `bcdedit.exe` to:\n\n- Disable Windows Error Recovery (recoveryenabled).\n- Ignore errors if there is a failed boot, failed shutdown, or failed checkpoint (bootstatuspolicy ignoreallfailures).\n\nThese are common steps in destructive attacks by adversaries leveraging ransomware.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- The usage of these options is not inherently malicious. 
Administrators can modify these configurations to force a machine to boot for troubleshooting or data recovery purposes.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"bcdedit.exe\" or process.pe.original_file_name == \"bcdedit.exe\") and\n (\n (process.args : \"/set\" and process.args : \"bootstatuspolicy\" and process.args : \"ignoreallfailures\") or\n (process.args : \"no\" and process.args : \"recoveryenabled\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, 
"rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "69c251fb-a5d6-4035-b5ec-40438bd829ff_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_108.json b/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_108.json deleted file mode 100644 index 0e4b638e4e1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Modification of Boot Configuration", "note": "## Triage and analysis\n\n### Investigating Modification of Boot Configuration\n\nBoot entry parameters, or boot parameters, are optional, system-specific settings that represent configuration options. These are stored in a boot configuration data (BCD) store, and administrators can use utilities like `bcdedit.exe` to configure these.\n\nThis rule identifies the usage of `bcdedit.exe` to:\n\n- Disable Windows Error Recovery (recoveryenabled).\n- Ignore errors if there is a failed boot, failed shutdown, or failed checkpoint (bootstatuspolicy ignoreallfailures).\n\nThese are common steps in destructive attacks by adversaries leveraging ransomware.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- The usage of these options is not inherently malicious. 
Administrators can modify these configurations to force a machine to boot for troubleshooting or data recovery purposes.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"bcdedit.exe\" or ?process.pe.original_file_name == \"bcdedit.exe\") and\n (\n (process.args : \"/set\" and process.args : \"bootstatuspolicy\" and process.args : \"ignoreallfailures\") or\n (process.args : \"no\" and process.args : \"recoveryenabled\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, 
"rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "69c251fb-a5d6-4035-b5ec-40438bd829ff_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_109.json b/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_109.json deleted file mode 100644 index de083044d75..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Modification of Boot Configuration", "note": "## Triage and analysis\n\n### Investigating Modification of Boot Configuration\n\nBoot entry parameters, or boot parameters, are optional, system-specific settings that represent configuration options. These are stored in a boot configuration data (BCD) store, and administrators can use utilities like `bcdedit.exe` to configure these.\n\nThis rule identifies the usage of `bcdedit.exe` to:\n\n- Disable Windows Error Recovery (recoveryenabled).\n- Ignore errors if there is a failed boot, failed shutdown, or failed checkpoint (bootstatuspolicy ignoreallfailures).\n\nThese are common steps in destructive attacks by adversaries leveraging ransomware.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- The usage of these options is not inherently malicious. 
Administrators can modify these configurations to force a machine to boot for troubleshooting or data recovery purposes.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"bcdedit.exe\" or ?process.pe.original_file_name == \"bcdedit.exe\") and\n (\n (process.args : \"/set\" and process.args : \"bootstatuspolicy\" and process.args : \"ignoreallfailures\") or\n (process.args : \"no\" and process.args : \"recoveryenabled\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, 
"rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "69c251fb-a5d6-4035-b5ec-40438bd829ff_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_110.json b/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_110.json deleted file mode 100644 index 571a6a5e7d0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Modification of Boot Configuration", "note": "## Triage and analysis\n\n### Investigating Modification of Boot Configuration\n\nBoot entry parameters, or boot parameters, are optional, system-specific settings that represent configuration options. These are stored in a boot configuration data (BCD) store, and administrators can use utilities like `bcdedit.exe` to configure these.\n\nThis rule identifies the usage of `bcdedit.exe` to:\n\n- Disable Windows Error Recovery (recoveryenabled).\n- Ignore errors if there is a failed boot, failed shutdown, or failed checkpoint (bootstatuspolicy ignoreallfailures).\n\nThese are common steps in destructive attacks by adversaries leveraging ransomware.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- The usage of these options is not inherently malicious. 
Administrators can modify these configurations to force a machine to boot for troubleshooting or data recovery purposes.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"bcdedit.exe\" or ?process.pe.original_file_name == \"bcdedit.exe\") and\n (\n (process.args : \"/set\" and process.args : \"bootstatuspolicy\" and process.args : \"ignoreallfailures\") or\n (process.args : \"no\" and process.args : \"recoveryenabled\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, 
"rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "69c251fb-a5d6-4035-b5ec-40438bd829ff_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_310.json b/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_310.json deleted file mode 100644 index 468f8c44b01..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/69c251fb-a5d6-4035-b5ec-40438bd829ff_310.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Modification of Boot Configuration", "note": "## Triage and analysis\n\n### Investigating Modification of Boot Configuration\n\nBoot entry parameters, or boot parameters, are optional, system-specific settings that represent configuration options. These are stored in a boot configuration data (BCD) store, and administrators can use utilities like `bcdedit.exe` to configure these.\n\nThis rule identifies the usage of `bcdedit.exe` to:\n\n- Disable Windows Error Recovery (recoveryenabled).\n- Ignore errors if there is a failed boot, failed shutdown, or failed checkpoint (bootstatuspolicy ignoreallfailures).\n\nThese are common steps in destructive attacks by adversaries leveraging ransomware.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Check if any files on the host machine have been encrypted.\n\n### False positive analysis\n\n- The usage of these options is not inherently malicious. Administrators can modify these configurations to force a machine to boot for troubleshooting or data recovery purposes.\n\n### Related rules\n\n- Deleting Backup Catalogs with Wbadmin - 581add16-df76-42bb-af8e-c979bfb39a59\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"bcdedit.exe\" or ?process.pe.original_file_name == \"bcdedit.exe\") and\n (\n (process.args : \"/set\" and process.args : \"bootstatuspolicy\" and process.args : \"ignoreallfailures\") or\n (process.args : \"no\" and process.args : \"recoveryenabled\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "69c251fb-a5d6-4035-b5ec-40438bd829ff", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 310}, "id": "69c251fb-a5d6-4035-b5ec-40438bd829ff_310", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c.json b/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c.json deleted file mode 100644 index 6ba966f7d11..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment. Password reset attempts from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Password Recovery Requested", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success\n", "references": ["https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Signin", "Use Case: Identity and Access Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", 
"type": "query", "version": 206}, "id": "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_102.json b/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_102.json deleted file mode 100644 index 82271d8787e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment. Password reset attempts from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Password Recovery Requested", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success\n", "references": ["https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": 
"69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_103.json b/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_103.json deleted file mode 100644 index bca6a1d5273..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment. Password reset attempts from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Password Recovery Requested", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success\n", "references": ["https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": 
"69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_104.json b/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_104.json deleted file mode 100644 index 45f6150a469..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment. Password reset attempts from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Password Recovery Requested", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success\n", "references": ["https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": 
"69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_205.json b/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_205.json deleted file mode 100644 index 60669f824ca..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be requesting changes in your environment. Password reset attempts from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Password Recovery Requested", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:PasswordRecoveryRequested and event.outcome:success\n", "references": ["https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": 
"69c420e8-6c9e-4d28-86c0-8a2be2d1e78c_205", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6a309864-fc3f-11ee-b8cc-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/6a309864-fc3f-11ee-b8cc-f661ea17fbce.json
deleted file mode 100644
index df5c1b13506..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6a309864-fc3f-11ee-b8cc-f661ea17fbce.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made publicly available accidentally as well.", "false_positives": ["AMI sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "EC2 AMI Shared with Another Account", "note": "## Triage and Analysis\n\n### Investigating EC2 AMI Shared with Another Account\n\nThis rule identifies when an Amazon Machine Image (AMI) is shared with another AWS account. While sharing AMIs is a common practice, adversaries may exploit this feature to exfiltrate data by sharing AMIs with external accounts under their control.\n\n#### Possible Investigation Steps\n\n- **Review the Sharing Event**: Identify the AMI involved and review the event details in AWS CloudTrail. Look for `ModifyImageAttribute` actions where the AMI attributes were changed to include additional user accounts.\n - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` and `aws.response.response_elements` fields in the CloudTrail event to identify the AMI ID and the user ID of the account with which the AMI was shared.\n- **Verify the Shared AMI**: Check the AMI that was shared and its contents to determine the sensitivity of the data stored within it.\n- **Contextualize with Recent Changes**: Compare this sharing event against recent changes in AMI configurations and deployments. 
Look for any other recent permissions changes or unusual administrative actions.\n- **Validate External Account**: Examine the AWS account to which the AMI was shared. Determine whether this account is known and previously authorized to access such resources.\n- **Interview Relevant Personnel**: If the share was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing AMI deployments.\n- **Audit Related Security Policies**: Check the security policies governing AMI sharing within your organization to ensure they are being followed and are adequate to prevent unauthorized sharing.\n\n### False Positive Analysis\n\n- **Legitimate Sharing Practices**: AMI sharing is a common and legitimate practice for collaboration and resource management in AWS. Always verify that the sharing activity was unauthorized before escalating.\n- **Automation Tools**: Some organizations use automation tools for AMI management which might programmatically share AMIs. Verify if such tools are in operation and whether their actions are responsible for the observed behavior.\n\n### Response and Remediation\n\n- **Review and Revoke Unauthorized Shares**: If the share is found to be unauthorized, immediately revoke the shared permissions from the AMI.\n- **Enhance Monitoring of Shared AMIs**: Implement monitoring to track changes to shared AMIs and alert on unauthorized access patterns.\n- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. 
This includes further investigation, containment, and recovery.\n- **Policy Update**: Review and possibly update your organization\u2019s policies on AMI sharing to tighten control and prevent unauthorized access.\n- **Educate Users**: Conduct training sessions for users involved in managing AMIs to reinforce best practices and organizational policies regarding AMI sharing.\n\n### Additional Information\n\nFor more information on managing and sharing AMIs, refer to the [Amazon EC2 User Guide on AMIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html) and [Sharing AMIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html). Additionally, explore adversarial techniques related to data exfiltration via AMI sharing as documented by Stratus Red Team [here](https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/).\n\n", "query": "event.dataset: \"aws.cloudtrail\" and event.provider: \"ec2.amazonaws.com\"\n and event.action: ModifyImageAttribute and event.outcome: success\n and aws.cloudtrail.request_parameters: (*imageId* and *add* and *userId*)\n", "references": ["https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html", "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.request_parameters", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "6a309864-fc3f-11ee-b8cc-f661ea17fbce", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS 
EC2", "Use Case: Threat Detection", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "6a309864-fc3f-11ee-b8cc-f661ea17fbce", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6a309864-fc3f-11ee-b8cc-f661ea17fbce_1.json b/packages/security_detection_engine/kibana/security_rule/6a309864-fc3f-11ee-b8cc-f661ea17fbce_1.json
deleted file mode 100644
index 247c54cae90..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6a309864-fc3f-11ee-b8cc-f661ea17fbce_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an AWS Amazon Machine Image (AMI) being shared with another AWS account. Adversaries with access may share an AMI with an external AWS account as a means of data exfiltration. AMIs can contain secrets, bash histories, code artifacts, and other sensitive data that adversaries may abuse if shared with unauthorized accounts. AMIs can be made publicly available accidentally as well.", "false_positives": ["AMI sharing is a common practice in AWS environments. Ensure that the sharing is authorized before taking action."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "EC2 AMI Shared with Another Account", "note": "\n## Triage and Analysis\n\n### Investigating EC2 AMI Shared with Another Account\n\nThis rule identifies when an Amazon Machine Image (AMI) is shared with another AWS account. While sharing AMIs is a common practice, adversaries may exploit this feature to exfiltrate data by sharing AMIs with external accounts under their control.\n\n#### Possible Investigation Steps\n\n- **Review the Sharing Event**: Identify the AMI involved and review the event details in AWS CloudTrail. Look for `ModifyImageAttribute` actions where the AMI attributes were changed to include additional user accounts.\n - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` and `aws.response.response_elements` fields in the CloudTrail event to identify the AMI ID and the user ID of the account with which the AMI was shared.\n- **Verify the Shared AMI**: Check the AMI that was shared and its contents to determine the sensitivity of the data stored within it.\n- **Contextualize with Recent Changes**: Compare this sharing event against recent changes in AMI configurations and deployments. 
Look for any other recent permissions changes or unusual administrative actions.\n- **Validate External Account**: Examine the AWS account to which the AMI was shared. Determine whether this account is known and previously authorized to access such resources.\n- **Interview Relevant Personnel**: If the share was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing AMI deployments.\n- **Audit Related Security Policies**: Check the security policies governing AMI sharing within your organization to ensure they are being followed and are adequate to prevent unauthorized sharing.\n\n### False Positive Analysis\n\n- **Legitimate Sharing Practices**: AMI sharing is a common and legitimate practice for collaboration and resource management in AWS. Always verify that the sharing activity was unauthorized before escalating.\n- **Automation Tools**: Some organizations use automation tools for AMI management which might programmatically share AMIs. Verify if such tools are in operation and whether their actions are responsible for the observed behavior.\n\n### Response and Remediation\n\n- **Review and Revoke Unauthorized Shares**: If the share is found to be unauthorized, immediately revoke the shared permissions from the AMI.\n- **Enhance Monitoring of Shared AMIs**: Implement monitoring to track changes to shared AMIs and alert on unauthorized access patterns.\n- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. 
This includes further investigation, containment, and recovery.\n- **Policy Update**: Review and possibly update your organization\u2019s policies on AMI sharing to tighten control and prevent unauthorized access.\n- **Educate Users**: Conduct training sessions for users involved in managing AMIs to reinforce best practices and organizational policies regarding AMI sharing.\n\n### Additional Information\n\nFor more information on managing and sharing AMIs, refer to the [Amazon EC2 User Guide on AMIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html) and [Sharing AMIs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html). Additionally, explore adversarial techniques related to data exfiltration via AMI sharing as documented by Stratus Red Team [here](https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/).\n\n", "query": "event.dataset: \"aws.cloudtrail\" and event.provider: \"ec2.amazonaws.com\"\n and event.action: ModifyImageAttribute and event.outcome: success\n and aws.cloudtrail.request_parameters: (*imageId* and *add* and *userId*)\n", "references": ["https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html", "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.ec2-share-ami/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.request_parameters", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "6a309864-fc3f-11ee-b8cc-f661ea17fbce", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS 
EC2", "Use Case: Threat Detection", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "6a309864-fc3f-11ee-b8cc-f661ea17fbce_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7.json b/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7.json
deleted file mode 100644
index 640e58a6e7c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate a code injection or an equivalent form of exploitation.", "false_positives": ["Changes to Windows services or a rarely executed child process."], "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Service Host Child Process - Childless Service", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and\n\n /* based on svchost service arguments -s svcname where the service is known to be childless */\n process.parent.args : (\n \"WdiSystemHost\", \"LicenseManager\", \"StorSvc\", \"CDPSvc\", \"cdbhsvc\", \"BthAvctpSvc\", \"SstpSvc\", \"WdiServiceHost\",\n \"imgsvc\", \"TrkWks\", \"WpnService\", \"IKEEXT\", \"PolicyAgent\", \"CryptSvc\", \"netprofm\", \"ProfSvc\", \"StateRepository\",\n \"camsvc\", \"LanmanWorkstation\", \"NlaSvc\", \"EventLog\", \"hidserv\", \"DisplayEnhancementService\", \"ShellHWDetection\",\n \"AppHostSvc\", \"fhsvc\", \"CscService\", \"PushToInstall\"\n ) and\n\n /* unknown FPs can be added here */\n not process.name : (\"WerFault.exe\", \"WerFaultSecure.exe\", \"wermgr.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\RelPost.exe\" and process.parent.args : \"WdiSystemHost\") and\n not (\n process.name : \"rundll32.exe\" and\n process.args : \"?:\\\\WINDOWS\\\\System32\\\\winethc.dll,ForceProxyDetectionOnNextRun\" and\n process.parent.args : \"WdiServiceHost\"\n ) and\n not (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\Kodak\\\\kds_?????\\\\lib\\\\lexexe.exe\"\n ) and process.parent.args : \"imgsvc\"\n )\n", 
"related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.012", "name": "Process Hollowing", "reference": "https://attack.mitre.org/techniques/T1055/012/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": 
"https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.012", "name": "Process Hollowing", "reference": "https://attack.mitre.org/techniques/T1055/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_103.json b/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_103.json
deleted file mode 100644
index 5ff56457ba3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate a code injection or an equivalent form of exploitation.", "false_positives": ["Changes to Windows services or a rarely executed child process."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Service Host Child Process - Childless Service", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and\n\n /* based on svchost service arguments -s svcname where the service is known to be childless */\n\n process.parent.args : (\"WdiSystemHost\",\"LicenseManager\",\n \"StorSvc\",\"CDPSvc\",\"cdbhsvc\",\"BthAvctpSvc\",\"SstpSvc\",\"WdiServiceHost\",\n \"imgsvc\",\"TrkWks\",\"WpnService\",\"IKEEXT\",\"PolicyAgent\",\"CryptSvc\",\n \"netprofm\",\"ProfSvc\",\"StateRepository\",\"camsvc\",\"LanmanWorkstation\",\n \"NlaSvc\",\"EventLog\",\"hidserv\",\"DisplayEnhancementService\",\"ShellHWDetection\",\n \"AppHostSvc\",\"fhsvc\",\"CscService\",\"PushToInstall\") and\n\n /* unknown FPs can be added here */\n\n not process.name : (\"WerFault.exe\",\"WerFaultSecure.exe\",\"wermgr.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\RelPost.exe\" and process.parent.args : \"WdiSystemHost\") and\n not (process.name : \"rundll32.exe\" and\n process.args : \"?:\\\\WINDOWS\\\\System32\\\\winethc.dll,ForceProxyDetectionOnNextRun\" and process.parent.args : \"WdiServiceHost\") and\n not (process.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\System32\\\\Kodak\\\\kds_i4x50\\\\lib\\\\lexexe.exe\") and\n process.parent.args : \"imgsvc\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, 
{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Privilege Escalation", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.012", "name": "Process Hollowing", "reference": "https://attack.mitre.org/techniques/T1055/012/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_104.json b/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_104.json
deleted file mode 100644
index eeb70b1ea44..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate a code injection or an equivalent form of exploitation.", "false_positives": ["Changes to Windows services or a rarely executed child process."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Service Host Child Process - Childless Service", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and\n\n /* based on svchost service arguments -s svcname where the service is known to be childless */\n\n process.parent.args : (\"WdiSystemHost\",\"LicenseManager\",\n \"StorSvc\",\"CDPSvc\",\"cdbhsvc\",\"BthAvctpSvc\",\"SstpSvc\",\"WdiServiceHost\",\n \"imgsvc\",\"TrkWks\",\"WpnService\",\"IKEEXT\",\"PolicyAgent\",\"CryptSvc\",\n \"netprofm\",\"ProfSvc\",\"StateRepository\",\"camsvc\",\"LanmanWorkstation\",\n \"NlaSvc\",\"EventLog\",\"hidserv\",\"DisplayEnhancementService\",\"ShellHWDetection\",\n \"AppHostSvc\",\"fhsvc\",\"CscService\",\"PushToInstall\") and\n\n /* unknown FPs can be added here */\n\n not process.name : (\"WerFault.exe\",\"WerFaultSecure.exe\",\"wermgr.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\RelPost.exe\" and process.parent.args : \"WdiSystemHost\") and\n not (process.name : \"rundll32.exe\" and\n process.args : \"?:\\\\WINDOWS\\\\System32\\\\winethc.dll,ForceProxyDetectionOnNextRun\" and process.parent.args : \"WdiServiceHost\") and\n not (process.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\System32\\\\Kodak\\\\kds_i4x50\\\\lib\\\\lexexe.exe\") and\n process.parent.args : \"imgsvc\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, 
{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.012", "name": "Process Hollowing", "reference": "https://attack.mitre.org/techniques/T1055/012/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_105.json b/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_105.json
deleted file mode 100644
index 97a99b2e4e7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate a code injection or an equivalent form of exploitation.", "false_positives": ["Changes to Windows services or a rarely executed child process."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Service Host Child Process - Childless Service", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and\n\n /* based on svchost service arguments -s svcname where the service is known to be childless */\n\n process.parent.args : (\"WdiSystemHost\",\"LicenseManager\",\n \"StorSvc\",\"CDPSvc\",\"cdbhsvc\",\"BthAvctpSvc\",\"SstpSvc\",\"WdiServiceHost\",\n \"imgsvc\",\"TrkWks\",\"WpnService\",\"IKEEXT\",\"PolicyAgent\",\"CryptSvc\",\n \"netprofm\",\"ProfSvc\",\"StateRepository\",\"camsvc\",\"LanmanWorkstation\",\n \"NlaSvc\",\"EventLog\",\"hidserv\",\"DisplayEnhancementService\",\"ShellHWDetection\",\n \"AppHostSvc\",\"fhsvc\",\"CscService\",\"PushToInstall\") and\n\n /* unknown FPs can be added here */\n\n not process.name : (\"WerFault.exe\",\"WerFaultSecure.exe\",\"wermgr.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\RelPost.exe\" and process.parent.args : \"WdiSystemHost\") and\n not (process.name : \"rundll32.exe\" and\n process.args : \"?:\\\\WINDOWS\\\\System32\\\\winethc.dll,ForceProxyDetectionOnNextRun\" and process.parent.args : \"WdiServiceHost\") and\n not (process.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\System32\\\\Kodak\\\\kds_i4x50\\\\lib\\\\lexexe.exe\") and\n process.parent.args : \"imgsvc\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, 
{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.012", "name": "Process Hollowing", "reference": "https://attack.mitre.org/techniques/T1055/012/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_106.json b/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_106.json
deleted file mode 100644
index 2ddc10dca47..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate a code injection or an equivalent form of exploitation.", "false_positives": ["Changes to Windows services or a rarely executed child process."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Service Host Child Process - Childless Service", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and\n\n /* based on svchost service arguments -s svcname where the service is known to be childless */\n\n process.parent.args : (\"WdiSystemHost\",\"LicenseManager\",\n \"StorSvc\",\"CDPSvc\",\"cdbhsvc\",\"BthAvctpSvc\",\"SstpSvc\",\"WdiServiceHost\",\n \"imgsvc\",\"TrkWks\",\"WpnService\",\"IKEEXT\",\"PolicyAgent\",\"CryptSvc\",\n \"netprofm\",\"ProfSvc\",\"StateRepository\",\"camsvc\",\"LanmanWorkstation\",\n \"NlaSvc\",\"EventLog\",\"hidserv\",\"DisplayEnhancementService\",\"ShellHWDetection\",\n \"AppHostSvc\",\"fhsvc\",\"CscService\",\"PushToInstall\") and\n\n /* unknown FPs can be added here */\n\n not process.name : (\"WerFault.exe\",\"WerFaultSecure.exe\",\"wermgr.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\RelPost.exe\" and process.parent.args : \"WdiSystemHost\") and\n not (process.name : \"rundll32.exe\" and\n process.args : \"?:\\\\WINDOWS\\\\System32\\\\winethc.dll,ForceProxyDetectionOnNextRun\" and process.parent.args : \"WdiServiceHost\") and\n not (process.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\System32\\\\Kodak\\\\kds_i4x50\\\\lib\\\\lexexe.exe\") and\n process.parent.args : \"imgsvc\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"},
{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.012", "name": "Process Hollowing", "reference": "https://attack.mitre.org/techniques/T1055/012/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.012", "name": "Process Hollowing", "reference": "https://attack.mitre.org/techniques/T1055/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": 
"6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_107.json b/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_107.json deleted file mode 100644 index 51fe966e9c4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_107.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate a code injection or an equivalent form of exploitation.", "false_positives": ["Changes to Windows services or a rarely executed child process."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Service Host Child Process - Childless Service", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and\n\n /* based on svchost service arguments -s svcname where the service is known to be childless */\n\n process.parent.args : (\"WdiSystemHost\",\"LicenseManager\",\n \"StorSvc\",\"CDPSvc\",\"cdbhsvc\",\"BthAvctpSvc\",\"SstpSvc\",\"WdiServiceHost\",\n \"imgsvc\",\"TrkWks\",\"WpnService\",\"IKEEXT\",\"PolicyAgent\",\"CryptSvc\",\n \"netprofm\",\"ProfSvc\",\"StateRepository\",\"camsvc\",\"LanmanWorkstation\",\n \"NlaSvc\",\"EventLog\",\"hidserv\",\"DisplayEnhancementService\",\"ShellHWDetection\",\n \"AppHostSvc\",\"fhsvc\",\"CscService\",\"PushToInstall\") and\n\n /* unknown FPs can be added here */\n\n not process.name : (\"WerFault.exe\",\"WerFaultSecure.exe\",\"wermgr.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\RelPost.exe\" and process.parent.args : \"WdiSystemHost\") and\n not (process.name : \"rundll32.exe\" and\n process.args : \"?:\\\\WINDOWS\\\\System32\\\\winethc.dll,ForceProxyDetectionOnNextRun\" and process.parent.args : \"WdiServiceHost\") and\n not (process.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\System32\\\\Kodak\\\\kds_i4x50\\\\lib\\\\lexexe.exe\") and\n process.parent.args : \"imgsvc\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package":
"windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.012", "name": "Process Hollowing", "reference": "https://attack.mitre.org/techniques/T1055/012/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.012", "name": "Process Hollowing", 
"reference": "https://attack.mitre.org/techniques/T1055/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_108.json b/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_108.json deleted file mode 100644 index 263b87a8941..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_108.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate a code injection or an equivalent form of exploitation.", "false_positives": ["Changes to Windows services or a rarely executed child process."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Service Host Child Process - Childless Service", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and\n\n /* based on svchost service arguments -s svcname where the service is known to be childless */\n process.parent.args : (\n \"WdiSystemHost\", \"LicenseManager\", \"StorSvc\", \"CDPSvc\", \"cdbhsvc\", \"BthAvctpSvc\", \"SstpSvc\", \"WdiServiceHost\",\n \"imgsvc\", \"TrkWks\", \"WpnService\", \"IKEEXT\", \"PolicyAgent\", \"CryptSvc\", \"netprofm\", \"ProfSvc\", \"StateRepository\",\n \"camsvc\", \"LanmanWorkstation\", \"NlaSvc\", \"EventLog\", \"hidserv\", \"DisplayEnhancementService\", \"ShellHWDetection\",\n \"AppHostSvc\", \"fhsvc\", \"CscService\", \"PushToInstall\"\n ) and\n\n /* unknown FPs can be added here */\n not process.name : (\"WerFault.exe\", \"WerFaultSecure.exe\", \"wermgr.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\RelPost.exe\" and process.parent.args : \"WdiSystemHost\") and\n not (\n process.name : \"rundll32.exe\" and\n process.args : \"?:\\\\WINDOWS\\\\System32\\\\winethc.dll,ForceProxyDetectionOnNextRun\" and\n process.parent.args : \"WdiServiceHost\"\n ) and\n not (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\Kodak\\\\kds_?????\\\\lib\\\\lexexe.exe\"\n ) and process.parent.args : \"imgsvc\"\n )\n", "related_integrations": [{"package":
"endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.012", "name": "Process Hollowing", "reference": "https://attack.mitre.org/techniques/T1055/012/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": 
"T1055.012", "name": "Process Hollowing", "reference": "https://attack.mitre.org/techniques/T1055/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_109.json b/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_109.json deleted file mode 100644 index ffc062e18f8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_109.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate a code injection or an equivalent form of exploitation.", "false_positives": ["Changes to Windows services or a rarely executed child process."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Service Host Child Process - Childless Service", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and\n\n /* based on svchost service arguments -s svcname where the service is known to be childless */\n process.parent.args : (\n \"WdiSystemHost\", \"LicenseManager\", \"StorSvc\", \"CDPSvc\", \"cdbhsvc\", \"BthAvctpSvc\", \"SstpSvc\", \"WdiServiceHost\",\n \"imgsvc\", \"TrkWks\", \"WpnService\", \"IKEEXT\", \"PolicyAgent\", \"CryptSvc\", \"netprofm\", \"ProfSvc\", \"StateRepository\",\n \"camsvc\", \"LanmanWorkstation\", \"NlaSvc\", \"EventLog\", \"hidserv\", \"DisplayEnhancementService\", \"ShellHWDetection\",\n \"AppHostSvc\", \"fhsvc\", \"CscService\", \"PushToInstall\"\n ) and\n\n /* unknown FPs can be added here */\n not process.name : (\"WerFault.exe\", \"WerFaultSecure.exe\", \"wermgr.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\RelPost.exe\" and process.parent.args : \"WdiSystemHost\") and\n not (\n process.name : \"rundll32.exe\" and\n process.args : \"?:\\\\WINDOWS\\\\System32\\\\winethc.dll,ForceProxyDetectionOnNextRun\" and\n process.parent.args : \"WdiServiceHost\"\n ) and\n not (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\Kodak\\\\kds_?????\\\\lib\\\\lexexe.exe\"\n ) and process.parent.args : \"imgsvc\"\n )\n", "related_integrations":
[{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.012", "name": "Process Hollowing", "reference": "https://attack.mitre.org/techniques/T1055/012/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": 
"https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.012", "name": "Process Hollowing", "reference": "https://attack.mitre.org/techniques/T1055/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_110.json b/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_110.json deleted file mode 100644 index 8b0a96e8e04..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_110.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate a code injection or an equivalent form of exploitation.", "false_positives": ["Changes to Windows services or a rarely executed child process."], "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Service Host Child Process - Childless Service", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and\n\n /* based on svchost service arguments -s svcname where the service is known to be childless */\n process.parent.args : (\n \"WdiSystemHost\", \"LicenseManager\", \"StorSvc\", \"CDPSvc\", \"cdbhsvc\", \"BthAvctpSvc\", \"SstpSvc\", \"WdiServiceHost\",\n \"imgsvc\", \"TrkWks\", \"WpnService\", \"IKEEXT\", \"PolicyAgent\", \"CryptSvc\", \"netprofm\", \"ProfSvc\", \"StateRepository\",\n \"camsvc\", \"LanmanWorkstation\", \"NlaSvc\", \"EventLog\", \"hidserv\", \"DisplayEnhancementService\", \"ShellHWDetection\",\n \"AppHostSvc\", \"fhsvc\", \"CscService\", \"PushToInstall\"\n ) and\n\n /* unknown FPs can be added here */\n not process.name : (\"WerFault.exe\", \"WerFaultSecure.exe\", \"wermgr.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\RelPost.exe\" and process.parent.args : \"WdiSystemHost\") and\n not (\n process.name : \"rundll32.exe\" and\n process.args : \"?:\\\\WINDOWS\\\\System32\\\\winethc.dll,ForceProxyDetectionOnNextRun\" and\n process.parent.args : \"WdiServiceHost\"\n ) and\n not (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\Kodak\\\\kds_?????\\\\lib\\\\lexexe.exe\"\n ) and process.parent.args : \"imgsvc\"\n )\n",
"related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.012", "name": "Process Hollowing", "reference": "https://attack.mitre.org/techniques/T1055/012/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": 
"https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.012", "name": "Process Hollowing", "reference": "https://attack.mitre.org/techniques/T1055/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db.json b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db.json deleted file mode 100644 index 64fb6ef77be..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Exporting Exchange Mailbox via PowerShell", "note": "## Triage and analysis\n\n### Investigating Exporting Exchange Mailbox via PowerShell\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\n\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.command_line : (\"*MailboxExportRequest*\", \"*-Mailbox*-ContentFilter*\")\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": 
"^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}, {"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and 
Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 315}, "id": "6aace640-e631-4870-ba8e-5fdda09325db", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_105.json b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_105.json
deleted file mode 100644
index da5642fc0f5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Exporting Exchange Mailbox via PowerShell", "note": "## Triage and analysis\n\n### Investigating Exporting Exchange Mailbox via PowerShell\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\n\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and \n process.command_line : (\"*MailboxExportRequest*\", \"*-Mailbox*-ContentFilter*\")\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, 
"name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}, {"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "6aace640-e631-4870-ba8e-5fdda09325db_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_106.json b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_106.json deleted file mode 100644 index 2ed84697e1b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Exporting Exchange Mailbox via PowerShell", "note": "## Triage and analysis\n\n### Investigating Exporting Exchange Mailbox via PowerShell\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\n\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and \n process.command_line : (\"*MailboxExportRequest*\", \"*-Mailbox*-ContentFilter*\")\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, 
"name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}, {"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "6aace640-e631-4870-ba8e-5fdda09325db_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_107.json b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_107.json deleted file mode 100644 index f4957e7730a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Exporting Exchange Mailbox via PowerShell", "note": "## Triage and analysis\n\n### Investigating Exporting Exchange Mailbox via PowerShell\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\n\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and \n process.command_line : (\"*MailboxExportRequest*\", \"*-Mailbox*-ContentFilter*\")\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, 
"name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}, {"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "6aace640-e631-4870-ba8e-5fdda09325db_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_108.json b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_108.json deleted file mode 100644 index b6bca63334c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Exporting Exchange Mailbox via PowerShell", "note": "## Triage and analysis\n\n### Investigating Exporting Exchange Mailbox via PowerShell\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\n\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and \n process.command_line : (\"*MailboxExportRequest*\", \"*-Mailbox*-ContentFilter*\")\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, 
"name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}, {"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "6aace640-e631-4870-ba8e-5fdda09325db_108", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_109.json b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_109.json
deleted file mode 100644
index e965e9322b8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Exporting Exchange Mailbox via PowerShell", "note": "## Triage and analysis\n\n### Investigating Exporting Exchange Mailbox via PowerShell\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\n\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and \n process.command_line : (\"*MailboxExportRequest*\", \"*-Mailbox*-ContentFilter*\")\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": 
true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}, {"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", 
"version": 109}, "id": "6aace640-e631-4870-ba8e-5fdda09325db_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_110.json b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_110.json
deleted file mode 100644
index ce58b8eda06..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Exporting Exchange Mailbox via PowerShell", "note": "## Triage and analysis\n\n### Investigating Exporting Exchange Mailbox via PowerShell\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\n\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and \n process.command_line : (\"*MailboxExportRequest*\", \"*-Mailbox*-ContentFilter*\")\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": 
"^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}, {"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "6aace640-e631-4870-ba8e-5fdda09325db_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_111.json b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_111.json
deleted file mode 100644
index ca706f8a306..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Exporting Exchange Mailbox via PowerShell", "note": "## Triage and analysis\n\n### Investigating Exporting Exchange Mailbox via PowerShell\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\n\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and \n process.command_line : (\"*MailboxExportRequest*\", \"*-Mailbox*-ContentFilter*\")\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": 
"^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}, {"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "6aace640-e631-4870-ba8e-5fdda09325db_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_212.json b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_212.json
deleted file mode 100644
index c9813788272..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_212.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Exporting Exchange Mailbox via PowerShell", "note": "## Triage and analysis\n\n### Investigating Exporting Exchange Mailbox via PowerShell\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\n\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.command_line : (\"*MailboxExportRequest*\", \"*-Mailbox*-ContentFilter*\")\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": 
"^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}, {"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": 
"PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 212}, "id": "6aace640-e631-4870-ba8e-5fdda09325db_212", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_313.json b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_313.json
deleted file mode 100644
index 29adbb74608..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_313.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Exporting Exchange Mailbox via PowerShell", "note": "## Triage and analysis\n\n### Investigating Exporting Exchange Mailbox via PowerShell\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\n\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.command_line : (\"*MailboxExportRequest*\", \"*-Mailbox*-ContentFilter*\")\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": 
"^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}, {"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": 
"PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 313}, "id": "6aace640-e631-4870-ba8e-5fdda09325db_313", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_314.json b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_314.json
deleted file mode 100644
index 6634bf07a8d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_314.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Exporting Exchange Mailbox via PowerShell", "note": "## Triage and analysis\n\n### Investigating Exporting Exchange Mailbox via PowerShell\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\n\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.command_line : (\"*MailboxExportRequest*\", \"*-Mailbox*-ContentFilter*\")\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": 
"^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}, {"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", 
"reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 314}, "id": "6aace640-e631-4870-ba8e-5fdda09325db_314", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_315.json b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_315.json
deleted file mode 100644
index b5066f4a60d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_315.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Exporting Exchange Mailbox via PowerShell", "note": "## Triage and analysis\n\n### Investigating Exporting Exchange Mailbox via PowerShell\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\n\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.command_line : (\"*MailboxExportRequest*\", \"*-Mailbox*-ContentFilter*\")\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": 
"^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}, {"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and 
Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 315}, "id": "6aace640-e631-4870-ba8e-5fdda09325db_315", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_316.json b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_316.json
deleted file mode 100644
index 79932799845..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_316.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Exporting Exchange Mailbox via PowerShell", "note": "## Triage and analysis\n\n### Investigating Exporting Exchange Mailbox via PowerShell\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\n\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.command_line : (\"*MailboxExportRequest*\", \"*-Mailbox*-ContentFilter*\")\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps", "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"], "related_integrations": [{"package": 
"endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}, {"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", 
"reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 316}, "id": "6aace640-e631-4870-ba8e-5fdda09325db_316", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_416.json b/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_416.json
deleted file mode 100644
index 868eb0a91eb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6aace640-e631-4870-ba8e-5fdda09325db_416.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Exporting Exchange Mailbox via PowerShell", "note": "## Triage and analysis\n\n### Investigating Exporting Exchange Mailbox via PowerShell\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThe `New-MailBoxExportRequest` cmdlet is used to begin the process of exporting contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange.\n\nAttackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the export operation:\n - Identify the user account that performed the action and whether it should perform this kind of action.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Check if this operation was approved and performed according to the organization's change management policy.\n - Retrieve the operation status and use the `Get-MailboxExportRequest` cmdlet to review previous requests.\n - By default, no group in Exchange has the privilege to import or export mailboxes. Investigate administrators that assigned the \"Mailbox Import Export\" privilege for abnormal activity.\n- Investigate if there is a significant quantity of export requests in the alert timeframe. This operation is done on a per-mailbox basis and can be part of a mass export.\n- If the operation was completed successfully:\n - Check if the file is on the path specified in the command.\n - Investigate if the file was compressed, archived, or retrieved by the attacker for exfiltration.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Use the `Remove-MailboxExportRequest` cmdlet to remove fully or partially completed export requests.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of users with the \"Mailbox Import Export\" privilege to ensure that the least privilege principle is being followed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.command_line : (\"*MailboxExportRequest*\", \"*-Mailbox*-ContentFilter*\")\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps", "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"], "related_integrations": [{"package": 
"endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6aace640-e631-4870-ba8e-5fdda09325db", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}, {"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", 
"reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 416}, "id": "6aace640-e631-4870-ba8e-5fdda09325db_416", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4.json b/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4.json
deleted file mode 100644
index 7405198b1e8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Utility Launched via ProxyChains", "note": "## Triage and analysis\n\n### Investigating Suspicious Utility Launched via ProxyChains\n\nAttackers can leverage `proxychains` to obfuscate their origin and bypass network defenses by routing their malicious traffic through multiple intermediary servers.\n\nThis rule looks for a list of suspicious processes spawned through `proxychains` by analyzing process command line arguments. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate network obfuscation. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- ProxyChains Activity - 4b868f1f-15ff-4ba3-8c11-d5a7a6356d37\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses this utility for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"proxychains\" and process.args : (\n \"ssh\", \"sshd\", \"sshuttle\", \"socat\", \"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\",\n \"ssf\", \"3proxy\", \"ngrok\", \"gost\", \"pivotnacci\", \"chisel*\", \"nmap\", \"ping\", \"python*\", \"php*\", \"perl\", \"ruby\",\n \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\", \"ftp\", \"curl\", \"wget\"\n)\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "6ace94ba-f02c-4d55-9f53-87d99b6f9af4", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "6ace94ba-f02c-4d55-9f53-87d99b6f9af4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_1.json b/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_1.json deleted file mode 100644 index 05e85343260..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Utility Launched via ProxyChains", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"proxychains\" and process.args : (\n \"ssh\", \"sshd\", \"sshuttle\", \"socat\", \"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\",\n \"ssf\", \"3proxy\", \"ngrok\", \"gost\", \"pivotnacci\", \"chisel*\", \"nmap\", \"ping\", \"python*\", \"php*\", \"perl\", \"ruby\",\n \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\", \"ftp\", \"curl\", \"wget\")\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "6ace94ba-f02c-4d55-9f53-87d99b6f9af4", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "6ace94ba-f02c-4d55-9f53-87d99b6f9af4_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_2.json b/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_2.json deleted file mode 100644 index 33270304e54..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Utility Launched via ProxyChains", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"proxychains\" and process.args : (\n \"ssh\", \"sshd\", \"sshuttle\", \"socat\", \"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\",\n \"ssf\", \"3proxy\", \"ngrok\", \"gost\", \"pivotnacci\", \"chisel*\", \"nmap\", \"ping\", \"python*\", \"php*\", \"perl\", \"ruby\",\n \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\", \"ftp\", \"curl\", \"wget\")\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "6ace94ba-f02c-4d55-9f53-87d99b6f9af4", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using 
Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "6ace94ba-f02c-4d55-9f53-87d99b6f9af4_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_3.json b/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_3.json deleted file mode 100644 index 9413667f6fd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Utility Launched via ProxyChains", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"proxychains\" and process.args : (\n \"ssh\", \"sshd\", \"sshuttle\", \"socat\", \"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\",\n \"ssf\", \"3proxy\", \"ngrok\", \"gost\", \"pivotnacci\", \"chisel*\", \"nmap\", \"ping\", \"python*\", \"php*\", \"perl\", \"ruby\",\n \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\", \"ftp\", \"curl\", \"wget\")\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "6ace94ba-f02c-4d55-9f53-87d99b6f9af4", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using 
Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "6ace94ba-f02c-4d55-9f53-87d99b6f9af4_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_4.json b/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_4.json deleted file mode 100644 index 88aef2f08aa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Utility Launched via ProxyChains", "note": "## Triage and analysis\n\n### Investigating Suspicious Utility Launched via ProxyChains\n\nAttackers can leverage `proxychains` to obfuscate their origin and bypass network defenses by routing their malicious traffic through multiple intermediary servers.\n\nThis rule looks for a list of suspicious processes spawned through `proxychains` by analyzing process command line arguments. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate network obfuscation. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- ProxyChains Activity - 4b868f1f-15ff-4ba3-8c11-d5a7a6356d37\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses this utility for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"proxychains\" and process.args : (\n \"ssh\", \"sshd\", \"sshuttle\", \"socat\", \"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\",\n \"ssf\", \"3proxy\", \"ngrok\", \"gost\", \"pivotnacci\", \"chisel*\", \"nmap\", \"ping\", \"python*\", \"php*\", \"perl\", \"ruby\",\n \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\", \"ftp\", \"curl\", \"wget\")\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "6ace94ba-f02c-4d55-9f53-87d99b6f9af4", "setup": "This rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "6ace94ba-f02c-4d55-9f53-87d99b6f9af4_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_5.json b/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_5.json deleted file mode 100644 index f5c47007037..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_5.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Utility Launched via ProxyChains", "note": "## Triage and analysis\n\n### Investigating Suspicious Utility Launched via ProxyChains\n\nAttackers can leverage `proxychains` to obfuscate their origin and bypass network defenses by routing their malicious traffic through multiple intermediary servers.\n\nThis rule looks for a list of suspicious processes spawned through `proxychains` by analyzing process command line arguments. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate network obfuscation. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- ProxyChains Activity - 4b868f1f-15ff-4ba3-8c11-d5a7a6356d37\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses this utility for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\") and\nevent.type == \"start\" and process.name == \"proxychains\" and process.args : (\n \"ssh\", \"sshd\", \"sshuttle\", \"socat\", \"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\",\n \"ssf\", \"3proxy\", \"ngrok\", \"gost\", \"pivotnacci\", \"chisel*\", \"nmap\", \"ping\", \"python*\", \"php*\", \"perl\", \"ruby\",\n \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\", \"ftp\", \"curl\", \"wget\"\n)\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "6ace94ba-f02c-4d55-9f53-87d99b6f9af4", "setup": "This rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "6ace94ba-f02c-4d55-9f53-87d99b6f9af4_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_6.json b/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_6.json
deleted file mode 100644
index aebc2e1f8d5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6ace94ba-f02c-4d55-9f53-87d99b6f9af4_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of suspicious linux tools through ProxyChains. ProxyChains is a command-line tool that enables the routing of network connections through intermediary proxies, enhancing anonymity and enabling access to restricted resources. Attackers can exploit the ProxyChains utility to hide their true source IP address, evade detection, and perform malicious activities through a chain of proxy servers, potentially masking their identity and intentions.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Utility Launched via ProxyChains", "note": "## Triage and analysis\n\n### Investigating Suspicious Utility Launched via ProxyChains\n\nAttackers can leverage `proxychains` to obfuscate their origin and bypass network defenses by routing their malicious traffic through multiple intermediary servers.\n\nThis rule looks for a list of suspicious processes spawned through `proxychains` by analyzing process command line arguments. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate network obfuscation. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- ProxyChains Activity - 4b868f1f-15ff-4ba3-8c11-d5a7a6356d37\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses this utility for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nevent.type == \"start\" and process.name == \"proxychains\" and process.args : (\n \"ssh\", \"sshd\", \"sshuttle\", \"socat\", \"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\",\n \"ssf\", \"3proxy\", \"ngrok\", \"gost\", \"pivotnacci\", \"chisel*\", \"nmap\", \"ping\", \"python*\", \"php*\", \"perl\", \"ruby\",\n \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\", \"ftp\", \"curl\", \"wget\"\n)\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "6ace94ba-f02c-4d55-9f53-87d99b6f9af4", "setup": "This rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "6ace94ba-f02c-4d55-9f53-87d99b6f9af4_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab.json b/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab.json
deleted file mode 100644
index b8d5ea0cf8b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations.", "from": "now-9m", "history_window_start": "now-10d", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Sensitive Files Compression", "new_terms_fields": ["host.id", "process.command_line", "process.parent.executable"], "query": "event.category:process and host.os.type:linux and event.type:start and\n process.name:(zip or tar or gzip or hdiutil or 7z) and\n process.args:\n (\n /root/.ssh/id_rsa or\n /root/.ssh/id_rsa.pub or\n /root/.ssh/id_ed25519 or\n /root/.ssh/id_ed25519.pub or\n /root/.ssh/authorized_keys or\n /root/.ssh/authorized_keys2 or\n /root/.ssh/known_hosts or\n /root/.bash_history or\n /etc/hosts or\n /home/*/.ssh/id_rsa or\n /home/*/.ssh/id_rsa.pub or\n /home/*/.ssh/id_ed25519 or\n /home/*/.ssh/id_ed25519.pub or\n /home/*/.ssh/authorized_keys or\n /home/*/.ssh/authorized_keys2 or\n /home/*/.ssh/known_hosts or\n /home/*/.bash_history or\n /root/.aws/credentials or\n /root/.aws/config or\n /home/*/.aws/credentials or\n /home/*/.aws/config or\n /root/.docker/config.json or\n /home/*/.docker/config.json or\n /etc/group or\n /etc/passwd or\n /etc/shadow or\n /etc/gshadow\n )\n", "references": ["https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab", "setup": "## 
Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.001", "name": "Credentials In Files", "reference": "https://attack.mitre.org/techniques/T1552/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/", "subtechnique": [{"id": "T1560.001", "name": "Archive via Utility", "reference": "https://attack.mitre.org/techniques/T1560/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 208}, "id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_103.json b/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_103.json
deleted file mode 100644
index 595d86e494f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Sensitive Files Compression", "query": "event.category:process and host.os.type:linux and event.type:start and\n process.name:(zip or tar or gzip or hdiutil or 7z) and\n process.args:\n (\n /root/.ssh/id_rsa or\n /root/.ssh/id_rsa.pub or\n /root/.ssh/id_ed25519 or\n /root/.ssh/id_ed25519.pub or\n /root/.ssh/authorized_keys or\n /root/.ssh/authorized_keys2 or\n /root/.ssh/known_hosts or\n /root/.bash_history or\n /etc/hosts or\n /home/*/.ssh/id_rsa or\n /home/*/.ssh/id_rsa.pub or\n /home/*/.ssh/id_ed25519 or\n /home/*/.ssh/id_ed25519.pub or\n /home/*/.ssh/authorized_keys or\n /home/*/.ssh/authorized_keys2 or\n /home/*/.ssh/known_hosts or\n /home/*/.bash_history or\n /root/.aws/credentials or\n /root/.aws/config or\n /home/*/.aws/credentials or\n /home/*/.aws/config or\n /root/.docker/config.json or\n /home/*/.docker/config.json or\n /etc/group or\n /etc/passwd or\n /etc/shadow or\n /etc/gshadow\n )\n", "references": ["https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Collection", "Credential Access", "Elastic Endgame"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.001", "name": "Credentials In Files", "reference": "https://attack.mitre.org/techniques/T1552/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/", "subtechnique": [{"id": "T1560.001", "name": "Archive via Utility", "reference": "https://attack.mitre.org/techniques/T1560/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_104.json b/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_104.json
deleted file mode 100644
index dcfd23e4e30..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Sensitive Files Compression", "query": "event.category:process and host.os.type:linux and event.type:start and\n process.name:(zip or tar or gzip or hdiutil or 7z) and\n process.args:\n (\n /root/.ssh/id_rsa or\n /root/.ssh/id_rsa.pub or\n /root/.ssh/id_ed25519 or\n /root/.ssh/id_ed25519.pub or\n /root/.ssh/authorized_keys or\n /root/.ssh/authorized_keys2 or\n /root/.ssh/known_hosts or\n /root/.bash_history or\n /etc/hosts or\n /home/*/.ssh/id_rsa or\n /home/*/.ssh/id_rsa.pub or\n /home/*/.ssh/id_ed25519 or\n /home/*/.ssh/id_ed25519.pub or\n /home/*/.ssh/authorized_keys or\n /home/*/.ssh/authorized_keys2 or\n /home/*/.ssh/known_hosts or\n /home/*/.bash_history or\n /root/.aws/credentials or\n /root/.aws/config or\n /home/*/.aws/credentials or\n /home/*/.aws/config or\n /root/.docker/config.json or\n /home/*/.docker/config.json or\n /etc/group or\n /etc/passwd or\n /etc/shadow or\n /etc/gshadow\n )\n", "references": ["https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.001", "name": "Credentials In Files", "reference": "https://attack.mitre.org/techniques/T1552/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/", "subtechnique": [{"id": "T1560.001", "name": "Archive via Utility", "reference": "https://attack.mitre.org/techniques/T1560/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_105.json b/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_105.json
deleted file mode 100644
index 4e7640c6ebb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Sensitive Files Compression", "query": "event.category:process and host.os.type:linux and event.type:start and\n process.name:(zip or tar or gzip or hdiutil or 7z) and\n process.args:\n (\n /root/.ssh/id_rsa or\n /root/.ssh/id_rsa.pub or\n /root/.ssh/id_ed25519 or\n /root/.ssh/id_ed25519.pub or\n /root/.ssh/authorized_keys or\n /root/.ssh/authorized_keys2 or\n /root/.ssh/known_hosts or\n /root/.bash_history or\n /etc/hosts or\n /home/*/.ssh/id_rsa or\n /home/*/.ssh/id_rsa.pub or\n /home/*/.ssh/id_ed25519 or\n /home/*/.ssh/id_ed25519.pub or\n /home/*/.ssh/authorized_keys or\n /home/*/.ssh/authorized_keys2 or\n /home/*/.ssh/known_hosts or\n /home/*/.bash_history or\n /root/.aws/credentials or\n /root/.aws/config or\n /home/*/.aws/credentials or\n /home/*/.aws/config or\n /root/.docker/config.json or\n /home/*/.docker/config.json or\n /etc/group or\n /etc/passwd or\n /etc/shadow or\n /etc/gshadow\n )\n", "references": ["https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.001", "name": "Credentials In Files", "reference": "https://attack.mitre.org/techniques/T1552/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/", "subtechnique": [{"id": "T1560.001", "name": "Archive via Utility", "reference": "https://attack.mitre.org/techniques/T1560/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_206.json b/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_206.json
deleted file mode 100644
index 676a9d91899..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_206.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations.", "from": "now-9m", "history_window_start": "now-10d", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Sensitive Files Compression", "new_terms_fields": ["host.id", "process.command_line", "process.parent.executable"], "query": "event.category:process and host.os.type:linux and event.type:start and\n process.name:(zip or tar or gzip or hdiutil or 7z) and\n process.args:\n (\n /root/.ssh/id_rsa or\n /root/.ssh/id_rsa.pub or\n /root/.ssh/id_ed25519 or\n /root/.ssh/id_ed25519.pub or\n /root/.ssh/authorized_keys or\n /root/.ssh/authorized_keys2 or\n /root/.ssh/known_hosts or\n /root/.bash_history or\n /etc/hosts or\n /home/*/.ssh/id_rsa or\n /home/*/.ssh/id_rsa.pub or\n /home/*/.ssh/id_ed25519 or\n /home/*/.ssh/id_ed25519.pub or\n /home/*/.ssh/authorized_keys or\n /home/*/.ssh/authorized_keys2 or\n /home/*/.ssh/known_hosts or\n /home/*/.bash_history or\n /root/.aws/credentials or\n /root/.aws/config or\n /home/*/.aws/credentials or\n /home/*/.aws/config or\n /root/.docker/config.json or\n /home/*/.docker/config.json or\n /etc/group or\n /etc/passwd or\n /etc/shadow or\n /etc/gshadow\n )\n", "references": ["https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab", "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.001", "name": "Credentials In Files", "reference": "https://attack.mitre.org/techniques/T1552/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/", "subtechnique": [{"id": "T1560.001", "name": "Archive via Utility", "reference": "https://attack.mitre.org/techniques/T1560/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 206}, "id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab_206", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_207.json b/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_207.json
deleted file mode 100644
index c0430ac57fa..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6b84d470-9036-4cc0-a27c-6d90bbfe81ab_207.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of a compression utility to collect known files containing sensitive information, such as credentials and system configurations.", "from": "now-9m", "history_window_start": "now-10d", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Sensitive Files Compression", "new_terms_fields": ["host.id", "process.command_line", "process.parent.executable"], "query": "event.category:process and host.os.type:linux and event.type:start and\n process.name:(zip or tar or gzip or hdiutil or 7z) and\n process.args:\n (\n /root/.ssh/id_rsa or\n /root/.ssh/id_rsa.pub or\n /root/.ssh/id_ed25519 or\n /root/.ssh/id_ed25519.pub or\n /root/.ssh/authorized_keys or\n /root/.ssh/authorized_keys2 or\n /root/.ssh/known_hosts or\n /root/.bash_history or\n /etc/hosts or\n /home/*/.ssh/id_rsa or\n /home/*/.ssh/id_rsa.pub or\n /home/*/.ssh/id_ed25519 or\n /home/*/.ssh/id_ed25519.pub or\n /home/*/.ssh/authorized_keys or\n /home/*/.ssh/authorized_keys2 or\n /home/*/.ssh/known_hosts or\n /home/*/.bash_history or\n /root/.aws/credentials or\n /root/.aws/config or\n /home/*/.aws/credentials or\n /home/*/.aws/config or\n /root/.docker/config.json or\n /home/*/.docker/config.json or\n /etc/group or\n /etc/passwd or\n /etc/shadow or\n /etc/gshadow\n )\n", "references": ["https://www.trendmicro.com/en_ca/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.001", "name": "Credentials In Files", "reference": "https://attack.mitre.org/techniques/T1552/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/", "subtechnique": [{"id": "T1560.001", "name": "Archive via Utility", "reference": "https://attack.mitre.org/techniques/T1560/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 207}, "id": "6b84d470-9036-4cc0-a27c-6d90bbfe81ab_207", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3.json b/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3.json
deleted file mode 100644
index bbe4831080a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the remote update to a computer account's DnsHostName attribute. If the new value set is a valid domain controller DNS hostname and the subject computer name is not a domain controller, then it's highly likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Computer Account DnsHostName Update", "query": "iam where event.action == \"changed-computer-account\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and\n\n /* if DnsHostName value equal a DC DNS hostname then it's highly suspicious */\n winlog.event_data.DnsHostName : \"??*\" and\n\n /* exclude FPs where DnsHostName starts with the ComputerName that was changed */\n not startswith~(winlog.event_data.DnsHostName, substring(winlog.event_data.TargetUserName, 0, length(winlog.event_data.TargetUserName) - 1))\n", "references": ["https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26923"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.DnsHostName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.TargetUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "6bed021a-0afb-461c-acbe-ffdb9574d3f3", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Use Case: Vulnerability", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}, {"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "6bed021a-0afb-461c-acbe-ffdb9574d3f3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_104.json b/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_104.json
deleted file mode 100644
index 6fcd35d4dc9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the remote update to a computer account's DnsHostName attribute. If the new value set is a valid domain controller DNS hostname and the subject computer name is not a domain controller, then it's highly likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Computer Account DnsHostName Update", "query": "sequence by winlog.computer_name with maxspan=5m\n\n [authentication where host.os.type == \"windows\" and event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and event.outcome == \"success\" and\n not user.name == \"ANONYMOUS LOGON\" and not winlog.event_data.SubjectUserName : \"*$\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"] by winlog.event_data.TargetLogonId\n\n [iam where host.os.type == \"windows\" and event.action == \"changed-computer-account\" and\n\n /* if DnsHostName value equal a DC DNS hostname then it's highly suspicious */\n winlog.event_data.DnsHostName : \"??*\" and\n\n /* exclude FPs where host.os.type == \"windows\" and DnsHostName starts with the ComputerName that was changed */\n not startswith~(winlog.event_data.DnsHostName, substring(winlog.event_data.TargetUserName, 0, length(winlog.event_data.TargetUserName) - 1))\n ] by winlog.event_data.SubjectLogonId\n", "references": ["https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26923"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.DnsHostName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 73, "rule_id": "6bed021a-0afb-461c-acbe-ffdb9574d3f3", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}, {"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], "type": "eql", "version": 104}, "id": "6bed021a-0afb-461c-acbe-ffdb9574d3f3_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_105.json b/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_105.json
deleted file mode 100644
index f2ef328fd7c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the remote update to a computer account's DnsHostName attribute. If the new value set is a valid domain controller DNS hostname and the subject computer name is not a domain controller, then it's highly likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Computer Account DnsHostName Update", "query": "sequence by winlog.computer_name with maxspan=5m\n\n [authentication where event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and event.outcome == \"success\" and\n not user.name == \"ANONYMOUS LOGON\" and not winlog.event_data.SubjectUserName : \"*$\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"] by winlog.event_data.TargetLogonId\n\n [iam where event.action == \"changed-computer-account\" and\n\n /* if DnsHostName value equal a DC DNS hostname then it's highly suspicious */\n winlog.event_data.DnsHostName : \"??*\" and\n\n /* exclude FPs where DnsHostName starts with the ComputerName that was changed */\n not startswith~(winlog.event_data.DnsHostName, substring(winlog.event_data.TargetUserName, 0, length(winlog.event_data.TargetUserName) - 1))\n ] by winlog.event_data.SubjectLogonId\n", "references": ["https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26923"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.DnsHostName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 73, "rule_id": "6bed021a-0afb-461c-acbe-ffdb9574d3f3", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}, {"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], "type": "eql", "version": 105}, "id": "6bed021a-0afb-461c-acbe-ffdb9574d3f3_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_106.json b/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_106.json
deleted file mode 100644
index d7cb57dbe40..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the remote update to a computer account's DnsHostName attribute. If the new value set is a valid domain controller DNS hostname and the subject computer name is not a domain controller, then it's highly likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Computer Account DnsHostName Update", "query": "sequence by winlog.computer_name with maxspan=5m\n\n [authentication where event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and event.outcome == \"success\" and\n not user.name == \"ANONYMOUS LOGON\" and not winlog.event_data.SubjectUserName : \"*$\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"] by winlog.event_data.TargetLogonId\n\n [iam where event.action == \"changed-computer-account\" and\n\n /* if DnsHostName value equal a DC DNS hostname then it's highly suspicious */\n winlog.event_data.DnsHostName : \"??*\" and\n\n /* exclude FPs where DnsHostName starts with the ComputerName that was changed */\n not startswith~(winlog.event_data.DnsHostName, substring(winlog.event_data.TargetUserName, 0, length(winlog.event_data.TargetUserName) - 1))\n ] by winlog.event_data.SubjectLogonId\n", "references": ["https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26923"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "source.ip", 
"type": "ip"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.DnsHostName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 73, "rule_id": "6bed021a-0afb-461c-acbe-ffdb9574d3f3", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}, {"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], "type": "eql", "version": 106}, "id": "6bed021a-0afb-461c-acbe-ffdb9574d3f3_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_107.json b/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_107.json deleted file mode 100644 index 7c4daaf4485..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the remote update to a computer account's DnsHostName attribute. If the new value set is a valid domain controller DNS hostname and the subject computer name is not a domain controller, then it's highly likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Computer Account DnsHostName Update", "query": "iam where event.action == \"changed-computer-account\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and\n\n /* if DnsHostName value equal a DC DNS hostname then it's highly suspicious */\n winlog.event_data.DnsHostName : \"??*\" and\n\n /* exclude FPs where DnsHostName starts with the ComputerName that was changed */\n not startswith~(winlog.event_data.DnsHostName, substring(winlog.event_data.TargetUserName, 0, length(winlog.event_data.TargetUserName) - 1))\n", "references": ["https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26923"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.DnsHostName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.TargetUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "6bed021a-0afb-461c-acbe-ffdb9574d3f3", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Use Case: 
Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}, {"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "6bed021a-0afb-461c-acbe-ffdb9574d3f3_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_108.json b/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_108.json deleted file mode 100644 index 60a88579c55..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6bed021a-0afb-461c-acbe-ffdb9574d3f3_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the remote update to a computer account's DnsHostName attribute. If the new value set is a valid domain controller DNS hostname and the subject computer name is not a domain controller, then it's highly likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Computer Account DnsHostName Update", "query": "iam where event.action == \"changed-computer-account\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and\n\n /* if DnsHostName value equal a DC DNS hostname then it's highly suspicious */\n winlog.event_data.DnsHostName : \"??*\" and\n\n /* exclude FPs where DnsHostName starts with the ComputerName that was changed */\n not startswith~(winlog.event_data.DnsHostName, substring(winlog.event_data.TargetUserName, 0, length(winlog.event_data.TargetUserName) - 1))\n", "references": ["https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4", "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-26923"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.DnsHostName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.TargetUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "6bed021a-0afb-461c-acbe-ffdb9574d3f3", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Use Case: 
Vulnerability", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}, {"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "6bed021a-0afb-461c-acbe-ffdb9574d3f3_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6c6bb7ea-0636-44ca-b541-201478ef6b50.json b/packages/security_detection_engine/kibana/security_rule/6c6bb7ea-0636-44ca-b541-201478ef6b50.json deleted file mode 100644 index c8af5aa2587..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6c6bb7ea-0636-44ca-b541-201478ef6b50.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects when a container management binary is run from inside a container. These binaries are critical components of many containerized environments, and their presence and execution in unauthorized containers could indicate compromise or a misconfiguration.", "false_positives": ["There is a potential for false positives if the container is used for legitimate administrative tasks that require the use of container management utilities, such as deploying, scaling, or updating containerized applications. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity."], "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic Licence v2", "name": "Container Management Utility Run Inside A Container", "query": "process where container.id: \"*\" and event.type== \"start\" \n and process.name: (\"dockerd\", \"docker\", \"kubelet\", \"kube-proxy\", \"kubectl\", \"containerd\", \"runc\", \"systemd\", \"crictl\")\n", "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "container.id", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "6c6bb7ea-0636-44ca-b541-201478ef6b50", "severity": "low", "tags": ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1609", "name": "Container Administration Command", "reference": "https://attack.mitre.org/techniques/T1609/"}]}], "timestamp_override": "event.ingested", "type": "eql", 
"version": 2}, "id": "6c6bb7ea-0636-44ca-b541-201478ef6b50", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6c6bb7ea-0636-44ca-b541-201478ef6b50_1.json b/packages/security_detection_engine/kibana/security_rule/6c6bb7ea-0636-44ca-b541-201478ef6b50_1.json deleted file mode 100644 index c4c3502f9fe..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6c6bb7ea-0636-44ca-b541-201478ef6b50_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects when a container management binary is run from inside a container. These binaries are critical components of many containerized environments, and their presence and execution in unauthorized containers could indicate compromise or a misconfiguration.", "false_positives": ["There is a potential for false positives if the container is used for legitimate administrative tasks that require the use of container management utilities, such as deploying, scaling, or updating containerized applications. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity."], "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic Licence v2", "name": "Container Management Utility Run Inside A Container", "query": "process where container.id: \"*\" and event.type== \"start\" \n and process.name: (\"dockerd\", \"docker\", \"kubelet\", \"kube-proxy\", \"kubectl\", \"containerd\", \"runc\", \"systemd\", \"crictl\")\n", "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "container.id", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "6c6bb7ea-0636-44ca-b541-201478ef6b50", "severity": "low", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Container"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1609", "name": "Container Administration Command", "reference": "https://attack.mitre.org/techniques/T1609/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "6c6bb7ea-0636-44ca-b541-201478ef6b50_1", 
"type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63.json b/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63.json deleted file mode 100644 index 6e06afd691d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.", "false_positives": ["Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.", "This rule was tuned using the following baseline: https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/Baselines/baseline_15.2.792.5.csv from Microsoft. Depending on version, consult https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines to help determine normalcy."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Server UM Writing Suspicious Files", "note": "## Triage and analysis\n\nPositive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).\n\nMicrosoft highly recommends that the best course of action is patching, but this may not protect already compromised systems\nfrom existing intrusions. 
Other tools for detecting and mitigating can be found within their Exchange support\n[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : (\"UMWorkerProcess.exe\", \"umservice.exe\") and\n file.extension : (\"php\", \"jsp\", \"js\", \"aspx\", \"asmx\", \"asax\", \"cfm\", \"shtml\") and\n (\n file.path : \"?:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\" or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\*\" and\n not (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\version\\\\*\" or\n file.name : (\"errorFE.aspx\", \"expiredpassword.aspx\", \"frowny.aspx\", \"GetIdToken.htm\", \"logoff.aspx\",\n \"logon.aspx\", \"OutlookCN.aspx\", \"RedirSuiteServiceProxy.aspx\", \"signout.aspx\"))) or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\ecp\\\\auth\\\\*\" and\n not file.name : \"TimeoutLogoff.aspx\")\n )\n", "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6cd1779c-560f-4b68-a8f1-11009b27fe63", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define 
`event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "6cd1779c-560f-4b68-a8f1-11009b27fe63", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_102.json b/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_102.json deleted file mode 100644 index fed88608378..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.", "false_positives": ["Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.", "This rule was tuned using the following baseline: https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/Baselines/baseline_15.2.792.5.csv from Microsoft. Depending on version, consult https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines to help determine normalcy."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Server UM Writing Suspicious Files", "note": "## Triage and analysis\n\nPositive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).\n\nMicrosoft highly recommends that the best course of action is patching, but this may not protect already compromised systems\nfrom existing intrusions. 
Other tools for detecting and mitigating can be found within their Exchange support\n[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : (\"UMWorkerProcess.exe\", \"umservice.exe\") and\n file.extension : (\"php\", \"jsp\", \"js\", \"aspx\", \"asmx\", \"asax\", \"cfm\", \"shtml\") and\n (\n file.path : \"?:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\" or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\*\" and\n not (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\version\\\\*\" or\n file.name : (\"errorFE.aspx\", \"expiredpassword.aspx\", \"frowny.aspx\", \"GetIdToken.htm\", \"logoff.aspx\",\n \"logon.aspx\", \"OutlookCN.aspx\", \"RedirSuiteServiceProxy.aspx\", \"signout.aspx\"))) or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\ecp\\\\auth\\\\*\" and\n not file.name : \"TimeoutLogoff.aspx\")\n )\n", "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6cd1779c-560f-4b68-a8f1-11009b27fe63", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and 
default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "6cd1779c-560f-4b68-a8f1-11009b27fe63_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_103.json b/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_103.json deleted file mode 100644 index da3f5914897..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.", "false_positives": ["Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.", "This rule was tuned using the following baseline: https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/Baselines/baseline_15.2.792.5.csv from Microsoft. Depending on version, consult https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines to help determine normalcy."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Server UM Writing Suspicious Files", "note": "## Triage and analysis\n\nPositive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).\n\nMicrosoft highly recommends that the best course of action is patching, but this may not protect already compromised systems\nfrom existing intrusions. 
Other tools for detecting and mitigating can be found within their Exchange support\n[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : (\"UMWorkerProcess.exe\", \"umservice.exe\") and\n file.extension : (\"php\", \"jsp\", \"js\", \"aspx\", \"asmx\", \"asax\", \"cfm\", \"shtml\") and\n (\n file.path : \"?:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\" or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\*\" and\n not (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\version\\\\*\" or\n file.name : (\"errorFE.aspx\", \"expiredpassword.aspx\", \"frowny.aspx\", \"GetIdToken.htm\", \"logoff.aspx\",\n \"logon.aspx\", \"OutlookCN.aspx\", \"RedirSuiteServiceProxy.aspx\", \"signout.aspx\"))) or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\ecp\\\\auth\\\\*\" and\n not file.name : \"TimeoutLogoff.aspx\")\n )\n", "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6cd1779c-560f-4b68-a8f1-11009b27fe63", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and 
default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "6cd1779c-560f-4b68-a8f1-11009b27fe63_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_104.json b/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_104.json deleted file mode 100644 index 86bfd16239f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.", "false_positives": ["Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.", "This rule was tuned using the following baseline: https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/Baselines/baseline_15.2.792.5.csv from Microsoft. Depending on version, consult https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines to help determine normalcy."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Server UM Writing Suspicious Files", "note": "## Triage and analysis\n\nPositive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).\n\nMicrosoft highly recommends that the best course of action is patching, but this may not protect already compromised systems\nfrom existing intrusions. 
Other tools for detecting and mitigating can be found within their Exchange support\n[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : (\"UMWorkerProcess.exe\", \"umservice.exe\") and\n file.extension : (\"php\", \"jsp\", \"js\", \"aspx\", \"asmx\", \"asax\", \"cfm\", \"shtml\") and\n (\n file.path : \"?:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\" or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\*\" and\n not (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\version\\\\*\" or\n file.name : (\"errorFE.aspx\", \"expiredpassword.aspx\", \"frowny.aspx\", \"GetIdToken.htm\", \"logoff.aspx\",\n \"logon.aspx\", \"OutlookCN.aspx\", \"RedirSuiteServiceProxy.aspx\", \"signout.aspx\"))) or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\ecp\\\\auth\\\\*\" and\n not file.name : \"TimeoutLogoff.aspx\")\n )\n", "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6cd1779c-560f-4b68-a8f1-11009b27fe63", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and 
default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "6cd1779c-560f-4b68-a8f1-11009b27fe63_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_105.json b/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_105.json deleted file mode 100644 index f2efd4c983d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.", "false_positives": ["Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.", "This rule was tuned using the following baseline: https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/Baselines/baseline_15.2.792.5.csv from Microsoft. Depending on version, consult https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines to help determine normalcy."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Server UM Writing Suspicious Files", "note": "## Triage and analysis\n\nPositive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).\n\nMicrosoft highly recommends that the best course of action is patching, but this may not protect already compromised systems\nfrom existing intrusions.
Other tools for detecting and mitigating can be found within their Exchange support\n[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : (\"UMWorkerProcess.exe\", \"umservice.exe\") and\n file.extension : (\"php\", \"jsp\", \"js\", \"aspx\", \"asmx\", \"asax\", \"cfm\", \"shtml\") and\n (\n file.path : \"?:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\" or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\*\" and\n not (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\version\\\\*\" or\n file.name : (\"errorFE.aspx\", \"expiredpassword.aspx\", \"frowny.aspx\", \"GetIdToken.htm\", \"logoff.aspx\",\n \"logon.aspx\", \"OutlookCN.aspx\", \"RedirSuiteServiceProxy.aspx\", \"signout.aspx\"))) or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\ecp\\\\auth\\\\*\" and\n not file.name : \"TimeoutLogoff.aspx\")\n )\n", "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6cd1779c-560f-4b68-a8f1-11009b27fe63", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and 
default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "6cd1779c-560f-4b68-a8f1-11009b27fe63_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_106.json b/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_106.json
deleted file mode 100644
index 568732f9977..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.", "false_positives": ["Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.", "This rule was tuned using the following baseline: https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/Baselines/baseline_15.2.792.5.csv from Microsoft. Depending on version, consult https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines to help determine normalcy."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Server UM Writing Suspicious Files", "note": "## Triage and analysis\n\nPositive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).\n\nMicrosoft highly recommends that the best course of action is patching, but this may not protect already compromised systems\nfrom existing intrusions.
Other tools for detecting and mitigating can be found within their Exchange support\n[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)\n\n\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : (\"UMWorkerProcess.exe\", \"umservice.exe\") and\n file.extension : (\"php\", \"jsp\", \"js\", \"aspx\", \"asmx\", \"asax\", \"cfm\", \"shtml\") and\n (\n file.path : \"?:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\" or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\*\" and\n not (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\version\\\\*\" or\n file.name : (\"errorFE.aspx\", \"expiredpassword.aspx\", \"frowny.aspx\", \"GetIdToken.htm\", \"logoff.aspx\",\n \"logon.aspx\", \"OutlookCN.aspx\", \"RedirSuiteServiceProxy.aspx\", \"signout.aspx\"))) or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\ecp\\\\auth\\\\*\" and\n not file.name : \"TimeoutLogoff.aspx\")\n )\n", "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6cd1779c-560f-4b68-a8f1-11009b27fe63", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` 
and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "6cd1779c-560f-4b68-a8f1-11009b27fe63_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_107.json b/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_107.json
deleted file mode 100644
index ab95f39aceb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.", "false_positives": ["Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.", "This rule was tuned using the following baseline: https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/Baselines/baseline_15.2.792.5.csv from Microsoft. Depending on version, consult https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines to help determine normalcy."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Server UM Writing Suspicious Files", "note": "## Triage and analysis\n\nPositive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).\n\nMicrosoft highly recommends that the best course of action is patching, but this may not protect already compromised systems\nfrom existing intrusions.
Other tools for detecting and mitigating can be found within their Exchange support\n[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : (\"UMWorkerProcess.exe\", \"umservice.exe\") and\n file.extension : (\"php\", \"jsp\", \"js\", \"aspx\", \"asmx\", \"asax\", \"cfm\", \"shtml\") and\n (\n file.path : \"?:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\" or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\*\" and\n not (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\version\\\\*\" or\n file.name : (\"errorFE.aspx\", \"expiredpassword.aspx\", \"frowny.aspx\", \"GetIdToken.htm\", \"logoff.aspx\",\n \"logon.aspx\", \"OutlookCN.aspx\", \"RedirSuiteServiceProxy.aspx\", \"signout.aspx\"))) or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\ecp\\\\auth\\\\*\" and\n not file.name : \"TimeoutLogoff.aspx\")\n )\n", "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6cd1779c-560f-4b68-a8f1-11009b27fe63", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define 
`event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "6cd1779c-560f-4b68-a8f1-11009b27fe63_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_108.json b/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_108.json
deleted file mode 100644
index d0ab360310e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6cd1779c-560f-4b68-a8f1-11009b27fe63_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.", "false_positives": ["Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.", "This rule was tuned using the following baseline: https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/Baselines/baseline_15.2.792.5.csv from Microsoft. Depending on version, consult https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines to help determine normalcy."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Server UM Writing Suspicious Files", "note": "## Triage and analysis\n\nPositive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).\n\nMicrosoft highly recommends that the best course of action is patching, but this may not protect already compromised systems\nfrom existing intrusions.
Other tools for detecting and mitigating can be found within their Exchange support\n[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n process.name : (\"UMWorkerProcess.exe\", \"umservice.exe\") and\n file.extension : (\"php\", \"jsp\", \"js\", \"aspx\", \"asmx\", \"asax\", \"cfm\", \"shtml\") and\n (\n file.path : \"?:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\*\" or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\*\" and\n not (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\\\\version\\\\*\" or\n file.name : (\"errorFE.aspx\", \"expiredpassword.aspx\", \"frowny.aspx\", \"GetIdToken.htm\", \"logoff.aspx\",\n \"logon.aspx\", \"OutlookCN.aspx\", \"RedirSuiteServiceProxy.aspx\", \"signout.aspx\"))) or\n\n (file.path : \"?:\\\\*\\\\Microsoft\\\\Exchange Server*\\\\FrontEnd\\\\HttpProxy\\\\ecp\\\\auth\\\\*\" and\n not file.name : \"TimeoutLogoff.aspx\")\n )\n", "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6cd1779c-560f-4b68-a8f1-11009b27fe63", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define 
`event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "6cd1779c-560f-4b68-a8f1-11009b27fe63_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6cea88e4-6ce2-4238-9981-a54c140d6336.json b/packages/security_detection_engine/kibana/security_rule/6cea88e4-6ce2-4238-9981-a54c140d6336.json
deleted file mode 100644
index 46dcdf6f5e6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6cea88e4-6ce2-4238-9981-a54c140d6336.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "A new GitHub repository was created.", "from": "now-9m", "index": ["logs-github.audit-*"], "language": "eql", "license": "Elastic License v2", "name": "GitHub Repo Created", "query": "configuration where event.dataset == \"github.audit\" and event.action == \"repo.create\"\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "6cea88e4-6ce2-4238-9981-a54c140d6336", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Execution", "Rule Type: BBR", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1648", "name": "Serverless Execution", "reference": "https://attack.mitre.org/techniques/T1648/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "6cea88e4-6ce2-4238-9981-a54c140d6336", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6cea88e4-6ce2-4238-9981-a54c140d6336_1.json b/packages/security_detection_engine/kibana/security_rule/6cea88e4-6ce2-4238-9981-a54c140d6336_1.json
deleted file mode 100644
index bda9c13fbcf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6cea88e4-6ce2-4238-9981-a54c140d6336_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "A new GitHub repository was created.", "from": "now-9m", "index": ["logs-github.audit-*"], "language": "eql", "license": "Elastic License v2", "name": "GitHub Repo Created", "query": "configuration where event.dataset == \"github.audit\" and event.action == \"repo.create\"\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "6cea88e4-6ce2-4238-9981-a54c140d6336", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Execution", "Rule Type: BBR", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1648", "name": "Serverless Execution", "reference": "https://attack.mitre.org/techniques/T1648/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "6cea88e4-6ce2-4238-9981-a54c140d6336_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6cea88e4-6ce2-4238-9981-a54c140d6336_103.json b/packages/security_detection_engine/kibana/security_rule/6cea88e4-6ce2-4238-9981-a54c140d6336_103.json
new file mode 100644
index 00000000000..35942519ee1
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/6cea88e4-6ce2-4238-9981-a54c140d6336_103.json
@@ -0,0 +1,68 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "building_block_type": "default",
+ "description": "A new GitHub repository was created.",
+ "from": "now-9m",
+ "index": [
+ "logs-github.audit-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "GitHub Repo Created",
+ "query": "configuration where event.dataset == \"github.audit\" and event.action == \"repo.create\"\n",
+ "related_integrations": [
+ {
+ "package": "github",
+ "version": "^2.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "6cea88e4-6ce2-4238-9981-a54c140d6336",
+ "severity": "low",
+ "tags": [
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Execution",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1648",
+ "name": "Serverless Execution",
+ "reference": "https://attack.mitre.org/techniques/T1648/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 103
+ },
+ "id": "6cea88e4-6ce2-4238-9981-a54c140d6336_103",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76.json b/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76.json
deleted file mode 100644
index a9442edbc23..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_rare_process_by_host_windows"], "name": "Unusual Process For a Windows Host", "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Windows Host\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for an individual Windows host in your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management.
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", 
"subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "type": "machine_learning", "version": 109}, "id": "6d448b96-c922-4adb-b51c-b767f1ea5b76", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_104.json b/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_104.json
deleted file mode 100644
index cd989076197..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_rare_process_by_host_windows"], "name": "Unusual Process For a Windows Host", "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Windows Host\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for an individual Windows host in your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and 
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Persistence", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "type": "machine_learning", "version": 104}, "id": "6d448b96-c922-4adb-b51c-b767f1ea5b76_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_105.json b/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_105.json
deleted file mode 100644
index 4e5ea9e43d9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_rare_process_by_host_windows"], "name": "Unusual Process For a Windows Host", "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Windows Host\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for an individual Windows host in your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Persistence", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "type": "machine_learning", "version": 105}, "id": "6d448b96-c922-4adb-b51c-b767f1ea5b76_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_106.json b/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_106.json
deleted file mode 100644
index 50b61829621..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_rare_process_by_host_windows"], "name": "Unusual Process For a Windows Host", "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Windows Host\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for an individual Windows host in your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "type": "machine_learning", "version": 106}, "id": "6d448b96-c922-4adb-b51c-b767f1ea5b76_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_107.json b/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_107.json
deleted file mode 100644
index 978ca565f26..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_rare_process_by_host_windows"], "name": "Unusual Process For a Windows Host", "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Windows Host\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for an individual Windows host in your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE NOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR user_account == null)\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid, services.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path = authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "type": "machine_learning", "version": 107}, "id": "6d448b96-c922-4adb-b51c-b767f1ea5b76_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_108.json b/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_108.json
deleted file mode 100644
index 00a9fe5a883..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_rare_process_by_host_windows"], "name": "Unusual Process For a Windows Host", "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Windows Host\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for an individual Windows host in your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "type": "machine_learning", "version": 108}, "id": "6d448b96-c922-4adb-b51c-b767f1ea5b76_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_109.json b/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_109.json
deleted file mode 100644
index 91166c81db7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_rare_process_by_host_windows"], "name": "Unusual Process For a Windows Host", "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Windows Host\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for an individual Windows host in your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", 
"subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "type": "machine_learning", "version": 109}, "id": "6d448b96-c922-4adb-b51c-b767f1ea5b76_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_110.json b/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_110.json
deleted file mode 100644
index 9e732ae0c65..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6d448b96-c922-4adb-b51c-b767f1ea5b76_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_rare_process_by_host_windows"], "name": "Unusual Process For a Windows Host", "note": "## Triage and analysis\n\n### Investigating Unusual Process For a Windows Host\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for an individual Windows host in your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "6d448b96-c922-4adb-b51c-b767f1ea5b76", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", 
"subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "type": "machine_learning", "version": 110}, "id": "6d448b96-c922-4adb-b51c-b767f1ea5b76_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8.json b/packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8.json
deleted file mode 100644
index 98491cb601b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects potential privilege escalation attempts through Looney Tunables (CVE-2023-4911). Looney Tunables is a buffer overflow vulnerability in GNU C Library's dynamic loader's processing of the GLIBC_TUNABLES environment variable.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via CVE-2023-4911", "query": "sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.env_vars : \"*GLIBC_TUNABLES=glibc.*=glibc.*=*\"] with runs=5\n", "references": ["https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.env_vars", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}], "risk_score": 73, "rule_id": "6d8685a1-94fa-4ef7-83de-59302e7c4ca8", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nElastic Defend integration does not collect environment variable logging by default.\nIn order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the Elastic Defend integration.\n #### To set up environment variable capture for an Elastic Agent policy:\n- Go to \u201cSecurity \u2192 Manage \u2192 Policies\u201d.\n- Select an \u201cElastic Agent policy\u201d.\n- Click \u201cShow advanced settings\u201d.\n- Scroll down or search for \u201clinux.advanced.capture_env_vars\u201d.\n- Enter the names of environment variables you want to capture, separated by commas.\n- For this rule the linux.advanced.capture_env_vars variable should be set to \"GLIBC_TUNABLES\".\n- Click \u201cSave\u201d.\nAfter saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.\nFor more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, 
"technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 4}, "id": "6d8685a1-94fa-4ef7-83de-59302e7c4ca8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8_1.json b/packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8_1.json
deleted file mode 100644
index f5517f962fb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects potential privilege escalation attempts through Looney Tunables (CVE-2023-4911). Looney Tunables is a buffer overflow vulnerability in GNU C Library's dynamic loader's processing of the GLIBC_TUNABLES environment variable.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via CVE-2023-4911", "note": "## Setup\nElastic Defend integration does not collect environment variable logging by default.\nIn order to capture this behavior, this rule requires a specific configuration option set within the advanced settings\nof the Elastic Defend integration.\nTo set up environment variable capture for an Elastic Agent policy:\n- Go to Security \u2192 Manage \u2192 Policies.\n- Select an Elastic Agent policy.\n- Click Show advanced settings.\n- Scroll down or search for linux.advanced.capture_env_vars.\n- Enter the names of env vars you want to capture, separated by commas.\n- For this rule the linux.advanced.capture_env_vars variable should be set to \"GLIBC_TUNABLES\".\n- Click Save.\nAfter saving the integration change, the Elastic Agents running this policy will be updated and\nthe rule will function properly.\nFor more information on capturing environment variables refer - https://www.elastic.co/guide/en/security/current/environment-variable-capture.html", "query": "sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.env_vars : \"*GLIBC_TUNABLES=glibc.*=glibc.*=*\"] with runs=5\n", "references": ["https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, 
"name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.env_vars", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}], "risk_score": 73, "rule_id": "6d8685a1-94fa-4ef7-83de-59302e7c4ca8", "setup": "Elastic Defend integration does not collect environment variable logging by default.\nIn order to capture this behavior, this rule requires a specific configuration option set within the advanced settings\nof the Elastic Defend integration.\nTo set up environment variable capture for an Elastic Agent policy:\nGo to Security \u2192 Manage \u2192 Policies.Select an Elastic Agent policy.Click Show advanced settings.Scroll down or search for linux.advanced.capture_env_vars.Enter the names of env vars you want to capture, separated by commas.For this rule the linux.advanced.capture_env_vars variable should be set to \"GLIBC_TUNABLES\".Click Save.\nAfter saving the integration change, the Elastic Agents running this policy will be updated and\nthe rule will function properly.\nFor more information on capturing environment variables refer - https://www.elastic.co/guide/en/security/current/environment-variable-capture.html", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 1}, "id": "6d8685a1-94fa-4ef7-83de-59302e7c4ca8_1", "type": 
"security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8_2.json b/packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8_2.json
deleted file mode 100644
index 7859e997a0b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects potential privilege escalation attempts through Looney Tunables (CVE-2023-4911). Looney Tunables is a buffer overflow vulnerability in GNU C Library's dynamic loader's processing of the GLIBC_TUNABLES environment variable.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via CVE-2023-4911", "query": "sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.env_vars : \"*GLIBC_TUNABLES=glibc.*=glibc.*=*\"] with runs=5\n", "references": ["https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.env_vars", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}], "risk_score": 73, "rule_id": "6d8685a1-94fa-4ef7-83de-59302e7c4ca8", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nElastic Defend integration does not collect environment variable logging by default.\nIn order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the Elastic Defend integration.\n #### To set up environment variable capture for an Elastic Agent policy:\n- Go to Security \u2192 Manage \u2192 Policies.\n- Select an Elastic Agent policy.\n- Click Show advanced settings.\n- Scroll down or search for linux.advanced.capture_env_vars.\n- Enter the names of env vars you want to capture, separated by commas.\n- For this rule the linux.advanced.capture_env_vars variable should be set to \"GLIBC_TUNABLES\".\n- Click Save.\nAfter saving the integration change, the Elastic Agents running this policy will be updated and\nthe rule will function properly.\nFor more information on capturing environment variables refer the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": 
"https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 2}, "id": "6d8685a1-94fa-4ef7-83de-59302e7c4ca8_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8_3.json b/packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8_3.json
deleted file mode 100644
index 0bd3267699b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6d8685a1-94fa-4ef7-83de-59302e7c4ca8_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects potential privilege escalation attempts through Looney Tunables (CVE-2023-4911). Looney Tunables is a buffer overflow vulnerability in GNU C Library's dynamic loader's processing of the GLIBC_TUNABLES environment variable.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via CVE-2023-4911", "query": "sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.env_vars : \"*GLIBC_TUNABLES=glibc.*=glibc.*=*\"] with runs=5\n", "references": ["https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.env_vars", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}], "risk_score": 73, "rule_id": "6d8685a1-94fa-4ef7-83de-59302e7c4ca8", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nElastic Defend integration does not collect environment variable logging by default.\nIn order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the Elastic Defend integration.\n #### To set up environment variable capture for an Elastic Agent policy:\n- Go to \u201cSecurity \u2192 Manage \u2192 Policies\u201d.\n- Select an \u201cElastic Agent policy\u201d.\n- Click \u201cShow advanced settings\u201d.\n- Scroll down or search for \u201clinux.advanced.capture_env_vars\u201d.\n- Enter the names of environment variables you want to capture, separated by commas.\n- For this rule the linux.advanced.capture_env_vars variable should be set to \"GLIBC_TUNABLES\".\n- Click \u201cSave\u201d.\nAfter saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.\nFor more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, 
"technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 3}, "id": "6d8685a1-94fa-4ef7-83de-59302e7c4ca8_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6ded0996-7d4b-40f2-bf4a-6913e7591795_1.json b/packages/security_detection_engine/kibana/security_rule/6ded0996-7d4b-40f2-bf4a-6913e7591795_1.json
deleted file mode 100644
index d4a8f171c50..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6ded0996-7d4b-40f2-bf4a-6913e7591795_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the installation of root certificates on a Linux system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.", "from": "now-9m", "index": ["logs-endpoint.events.process*"], "language": "eql", "license": "Elastic License v2", "name": "Root Certificate Installation", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.name in (\"update-ca-trust\", \"update-ca-certificates\") and not (\n process.parent.name : (\n \"ca-certificates.postinst\", \"ca-certificates-*.trigger\", \"pacman\", \"pamac-daemon\", \"autofirma.postinst\"\n ) or\n process.parent.args : \"/var/tmp/rpm*\" or\n (process.parent.name in (\"sh\", \"bash\", \"zsh\") and process.args == \"-e\")\n)\n", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6ded0996-7d4b-40f2-bf4a-6913e7591795", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend 
Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.004", "name": "Install Root Certificate", "reference": "https://attack.mitre.org/techniques/T1553/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "6ded0996-7d4b-40f2-bf4a-6913e7591795_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc.json b/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc.json deleted file mode 100644 index 30e40dd6766..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may install legitimate remote access tools (RAT) to compromised endpoints for further command-and-control (C2). Adversaries can rely on installed RATs for persistence, execution of native commands and more. This rule detects when a process is started whose name or code signature resembles commonly abused RATs. This is a New Terms rule type indicating the host has not seen this RAT process started before within the last 30 days.", "from": "now-9m", "history_window_start": "now-15d", "index": ["logs-endpoint.events.process-*", "endgame-*", "winlogbeat-*", "logs-windows.*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Commonly Abused Remote Access Tool Execution", "new_terms_fields": ["host.id"], "note": "## Triage and analysis\n\n### Investigating First Time Seen Commonly Abused Remote Access Tool Execution\n\nRemote access software is a class of tools commonly used by IT departments to provide support by connecting securely to users' computers. Remote access is an ever-growing market where new companies constantly offer new ways of quickly accessing remote systems.\n\nAt the same pace as IT departments adopt these tools, the attackers also adopt them as part of their workflow to connect into an interactive session, maintain access with legitimate software as a persistence mechanism, drop malicious software, etc.\n\nThis rule detects when a remote access tool is seen in the environment for the first time in the last 15 days, enabling analysts to investigate and enforce the correct usage of such tools.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check if the execution of the remote access tool is approved by the organization's IT department.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n - If the tool is not approved for use in the organization, the employee could have been tricked into installing it and providing access to a malicious third party. Investigate whether this third party could be attempting to scam the end-user or gain access to the environment through social engineering.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- If an authorized support person or administrator used the tool to conduct legitimate support or remote access, consider reinforcing that only tooling approved by the IT policy should be used. The analyst can dismiss the alert if no other suspicious behavior is observed involving the host or users.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If an unauthorized third party did the access via social engineering, consider improvements to the security awareness program.\n- Enforce that only tooling approved by the IT policy should be used for remote access purposes and only by authorized staff.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type: \"windows\" and\n\n event.category: \"process\" and event.type : \"start\" and\n\n (\n process.code_signature.subject_name : (\n \"Action1 Corporation\" or\n \"AeroAdmin LLC\" or\n \"Ammyy LLC\" or\n \"Atera Networks Ltd\" or\n \"AWERAY PTE. LTD.\" or\n \"BeamYourScreen GmbH\" or\n \"Bomgar Corporation\" or\n \"DUC FABULOUS CO.,LTD\" or\n \"DOMOTZ INC.\" or\n \"DWSNET O\u00dc\" or\n \"FleetDeck Inc\" or\n \"GlavSoft LLC\" or\n \"GlavSoft LLC.\" or\n \"Hefei Pingbo Network Technology Co. 
Ltd\" or\n \"IDrive, Inc.\" or\n \"IMPERO SOLUTIONS LIMITED\" or\n \"Instant Housecall\" or\n \"ISL Online Ltd.\" or\n \"LogMeIn, Inc.\" or\n \"Monitoring Client\" or\n \"MMSOFT Design Ltd.\" or\n \"Nanosystems S.r.l.\" or\n \"NetSupport Ltd\" or\n \"NinjaRMM, LLC\" or\n \"Parallels International GmbH\" or\n \"philandro Software GmbH\" or\n \"Pro Softnet Corporation\" or\n \"RealVNC\" or\n \"RealVNC Limited\" or\n \"BreakingSecurity.net\" or\n \"Remote Utilities LLC\" or\n \"Rocket Software, Inc.\" or\n \"SAFIB\" or\n \"Servably, Inc.\" or\n \"ShowMyPC INC\" or\n \"Splashtop Inc.\" or\n \"Superops Inc.\" or\n \"TeamViewer\" or\n \"TeamViewer GmbH\" or\n \"TeamViewer Germany GmbH\" or\n \"Techinline Limited\" or\n \"uvnc bvba\" or\n \"Yakhnovets Denis Aleksandrovich IP\" or\n \"Zhou Huabing\"\n ) or\n\n process.name.caseless : (\n AA_v*.exe or\n \"AeroAdmin.exe\" or\n \"AnyDesk.exe\" or\n \"apc_Admin.exe\" or\n \"apc_host.exe\" or\n \"AteraAgent.exe\" or\n aweray_remote*.exe or\n \"AweSun.exe\" or\n \"B4-Service.exe\" or\n \"BASupSrvc.exe\" or\n \"bomgar-scc.exe\" or\n \"domotzagent.exe\" or\n \"domotz-windows-x64-10.exe\" or\n \"dwagsvc.exe\" or\n \"DWRCC.exe\" or\n \"ImperoClientSVC.exe\" or\n \"ImperoServerSVC.exe\" or\n \"ISLLight.exe\" or\n \"ISLLightClient.exe\" or\n fleetdeck_commander*.exe or\n \"getscreen.exe\" or\n \"LMIIgnition.exe\" or\n \"LogMeIn.exe\" or\n \"ManageEngine_Remote_Access_Plus.exe\" or\n \"Mikogo-Service.exe\" or\n \"NinjaRMMAgent.exe\" or\n \"NinjaRMMAgenPatcher.exe\" or\n \"ninjarmm-cli.exe\" or\n \"r_server.exe\" or\n \"radmin.exe\" or\n \"radmin3.exe\" or\n \"RCClient.exe\" or\n \"RCService.exe\" or\n \"RemoteDesktopManager.exe\" or\n \"RemotePC.exe\" or\n \"RemotePCDesktop.exe\" or\n \"RemotePCService.exe\" or\n \"rfusclient.exe\" or\n \"ROMServer.exe\" or\n \"ROMViewer.exe\" or\n \"RPCSuite.exe\" or\n \"rserver3.exe\" or\n \"rustdesk.exe\" or\n \"rutserv.exe\" or\n \"rutview.exe\" or\n \"saazapsc.exe\" or\n ScreenConnect*.exe or\n 
\"smpcview.exe\" or\n \"spclink.exe\" or\n \"Splashtop-streamer.exe\" or\n \"SRService.exe\" or\n \"strwinclt.exe\" or\n \"Supremo.exe\" or\n \"SupremoService.exe\" or\n \"teamviewer.exe\" or\n \"TiClientCore.exe\" or\n \"TSClient.exe\" or\n \"tvn.exe\" or\n \"tvnserver.exe\" or\n \"tvnviewer.exe\" or\n UltraVNC*.exe or\n UltraViewer*.exe or\n \"vncserver.exe\" or\n \"vncviewer.exe\" or\n \"winvnc.exe\" or\n \"winwvc.exe\" or\n \"Zaservice.exe\" or\n \"ZohoURS.exe\"\n ) or\n process.name : (\n AA_v*.exe or\n \"AeroAdmin.exe\" or\n \"AnyDesk.exe\" or\n \"apc_Admin.exe\" or\n \"apc_host.exe\" or\n \"AteraAgent.exe\" or\n aweray_remote*.exe or\n \"AweSun.exe\" or\n \"B4-Service.exe\" or\n \"BASupSrvc.exe\" or\n \"bomgar-scc.exe\" or\n \"domotzagent.exe\" or\n \"domotz-windows-x64-10.exe\" or\n \"dwagsvc.exe\" or\n \"DWRCC.exe\" or\n \"ImperoClientSVC.exe\" or\n \"ImperoServerSVC.exe\" or\n \"ISLLight.exe\" or\n \"ISLLightClient.exe\" or\n fleetdeck_commander*.exe or\n \"getscreen.exe\" or\n \"LMIIgnition.exe\" or\n \"LogMeIn.exe\" or\n \"ManageEngine_Remote_Access_Plus.exe\" or\n \"Mikogo-Service.exe\" or\n \"NinjaRMMAgent.exe\" or\n \"NinjaRMMAgenPatcher.exe\" or\n \"ninjarmm-cli.exe\" or\n \"r_server.exe\" or\n \"radmin.exe\" or\n \"radmin3.exe\" or\n \"RCClient.exe\" or\n \"RCService.exe\" or\n \"RemoteDesktopManager.exe\" or\n \"RemotePC.exe\" or\n \"RemotePCDesktop.exe\" or\n \"RemotePCService.exe\" or\n \"rfusclient.exe\" or\n \"ROMServer.exe\" or\n \"ROMViewer.exe\" or\n \"RPCSuite.exe\" or\n \"rserver3.exe\" or\n \"rustdesk.exe\" or\n \"rutserv.exe\" or\n \"rutview.exe\" or\n \"saazapsc.exe\" or\n ScreenConnect*.exe or\n \"smpcview.exe\" or\n \"spclink.exe\" or\n \"Splashtop-streamer.exe\" or\n \"SRService.exe\" or\n \"strwinclt.exe\" or\n \"Supremo.exe\" or\n \"SupremoService.exe\" or\n \"teamviewer.exe\" or\n \"TiClientCore.exe\" or\n \"TSClient.exe\" or\n \"tvn.exe\" or\n \"tvnserver.exe\" or\n \"tvnviewer.exe\" or\n UltraVNC*.exe or\n UltraViewer*.exe or\n 
\"vncserver.exe\" or\n \"vncviewer.exe\" or\n \"winvnc.exe\" or\n \"winwvc.exe\" or\n \"Zaservice.exe\" or\n \"ZohoURS.exe\"\n )\n\t) and\n\n\tnot (process.pe.original_file_name : (\"G2M.exe\" or \"Updater.exe\" or \"powershell.exe\") and process.code_signature.subject_name : \"LogMeIn, Inc.\")\n", "references": ["https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", "https://attack.mitre.org/techniques/T1219/", "https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "process.name.caseless", "type": "unknown"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 6}, "id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_1.json
deleted file mode 100644
index 27fb7ddae48..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may install legitimate remote access tools (RAT) to compromised endpoints for further command-and-control (C2). Adversaries can rely on installed RATs for persistence, execution of native commands and more. This rule detects when a process is started whose name or code signature resembles commonly abused RATs. This is a New Terms rule type indicating the host has not seen this RAT process started before within the last 30 days.", "from": "now-9m", "history_window_start": "now-15d", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Commonly Abused Remote Access Tool Execution", "new_terms_fields": ["host.id"], "query": "host.os.type: \"windows\" and\n\n event.category: \"process\" and event.type : \"start\" and\n\n (\n process.code_signature.subject_name : (\n TeamViewer* or \"NetSupport Ltd\" or \"GlavSoft\" or \"LogMeIn, Inc.\" or \"Ammyy LLC\" or\n \"Nanosystems S.r.l.\" or \"Remote Utilities LLC\" or \"ShowMyPC\" or \"Splashtop Inc.\" or\n \"Yakhnovets Denis Aleksandrovich IP\" or \"Pro Softnet Corporation\" or \"BeamYourScreen GmbH\" or\n \"RealVNC\" or \"uvnc\" or \"SAFIB\") or\n\n process.name.caseless : (\n \"teamviewer.exe\" or \"apc_Admin.exe\" or \"apc_host.exe\" or \"SupremoHelper.exe\" or \"rfusclient.exe\" or\n \"spclink.exe\" or \"smpcview.exe\" or \"ROMServer.exe\" or \"strwinclt.exe\" or \"RPCSuite.exe\" or \"RemotePCDesktop.exe\" or\n \"RemotePCService.exe\" or \"tvn.exe\" or \"LMIIgnition.exe\" or \"B4-Service.exe\" or \"Mikogo-Service.exe\" or \"AnyDesk.exe\" or\n \"Splashtop-streamer.exe\" or AA_v*.exe, or \"rutserv.exe\" or \"rutview.exe\" or \"vncserver.exe\" or \"vncviewer.exe\" or\n \"tvnserver.exe\" or \"tvnviewer.exe\" or \"winvnc.exe\" or \"RemoteDesktopManager.exe\" or \"LogMeIn.exe\" or ScreenConnect*.exe or\n \"RemotePC.exe\" or \"r_server.exe\" or 
\"radmin.exe\" or \"ROMServer.exe\" or \"ROMViewer.exe\" or \"DWRCC.exe\" or \"AeroAdmin.exe\" or\n \"ISLLightClient.exe\" or \"ISLLight.exe\" or \"AteraAgent.exe\" or \"SRService.exe\")\n\t) and\n\n\tnot (process.pe.original_file_name : (\"G2M.exe\" or \"Updater.exe\" or \"powershell.exe\") and process.code_signature.subject_name : \"LogMeIn, Inc.\")\n", "references": ["https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", "https://attack.mitre.org/techniques/T1219/"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": false, "name": "process.name.caseless", "type": "unknown"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_2.json b/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_2.json deleted file mode 100644 index a5a67246180..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may install legitimate remote access tools (RAT) to compromised endpoints for further command-and-control (C2). Adversaries can rely on installed RATs for persistence, execution of native commands and more. This rule detects when a process is started whose name or code signature resembles commonly abused RATs. This is a New Terms rule type indicating the host has not seen this RAT process started before within the last 30 days.", "from": "now-9m", "history_window_start": "now-15d", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Commonly Abused Remote Access Tool Execution", "new_terms_fields": ["host.id"], "query": "host.os.type: \"windows\" and\n\n event.category: \"process\" and event.type : \"start\" and\n\n (\n process.code_signature.subject_name : (\n TeamViewer* or \"NetSupport Ltd\" or \"GlavSoft\" or \"LogMeIn, Inc.\" or \"Ammyy LLC\" or\n \"Nanosystems S.r.l.\" or \"Remote Utilities LLC\" or \"ShowMyPC\" or \"Splashtop Inc.\" or\n \"Yakhnovets Denis Aleksandrovich IP\" or \"Pro Softnet Corporation\" or \"BeamYourScreen GmbH\" or\n \"RealVNC\" or \"uvnc\" or \"SAFIB\") or\n\n process.name.caseless : (\n \"teamviewer.exe\" or \"apc_Admin.exe\" or \"apc_host.exe\" or \"SupremoHelper.exe\" or \"rfusclient.exe\" or\n \"spclink.exe\" or \"smpcview.exe\" or \"ROMServer.exe\" or \"strwinclt.exe\" or \"RPCSuite.exe\" or \"RemotePCDesktop.exe\" or\n \"RemotePCService.exe\" or \"tvn.exe\" or \"LMIIgnition.exe\" or \"B4-Service.exe\" or \"Mikogo-Service.exe\" or \"AnyDesk.exe\" or\n \"Splashtop-streamer.exe\" or AA_v*.exe, or \"rutserv.exe\" or \"rutview.exe\" or \"vncserver.exe\" or \"vncviewer.exe\" or\n \"tvnserver.exe\" or \"tvnviewer.exe\" or \"winvnc.exe\" or \"RemoteDesktopManager.exe\" or \"LogMeIn.exe\" or ScreenConnect*.exe or\n \"RemotePC.exe\" or \"r_server.exe\" or 
\"radmin.exe\" or \"ROMServer.exe\" or \"ROMViewer.exe\" or \"DWRCC.exe\" or \"AeroAdmin.exe\" or\n \"ISLLightClient.exe\" or \"ISLLight.exe\" or \"AteraAgent.exe\" or \"SRService.exe\")\n\t) and\n\n\tnot (process.pe.original_file_name : (\"G2M.exe\" or \"Updater.exe\" or \"powershell.exe\") and process.code_signature.subject_name : \"LogMeIn, Inc.\")\n", "references": ["https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", "https://attack.mitre.org/techniques/T1219/"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": false, "name": "process.name.caseless", "type": "unknown"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_3.json b/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_3.json deleted file mode 100644 index 72fd23e5812..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may install legitimate remote access tools (RAT) to compromised endpoints for further command-and-control (C2). Adversaries can rely on installed RATs for persistence, execution of native commands and more. This rule detects when a process is started whose name or code signature resembles commonly abused RATs. This is a New Terms rule type indicating the host has not seen this RAT process started before within the last 30 days.", "from": "now-9m", "history_window_start": "now-15d", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Commonly Abused Remote Access Tool Execution", "new_terms_fields": ["host.id"], "note": "## Triage and analysis\n\n### Investigating First Time Seen Commonly Abused Remote Access Tool Execution\n\nRemote access software is a class of tools commonly used by IT departments to provide support by connecting securely to users' computers. Remote access is an ever-growing market where new companies constantly offer new ways of quickly accessing remote systems.\n\nAt the same pace as IT departments adopt these tools, the attackers also adopt them as part of their workflow to connect into an interactive session, maintain access with legitimate software as a persistence mechanism, drop malicious software, etc.\n\nThis rule detects when a remote access tool is seen in the environment for the first time in the last 15 days, enabling analysts to investigate and enforce the correct usage of such tools.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check if the execution of the remote access tool is approved by the organization's IT department.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n - If the tool is not approved for use in the organization, the employee could have been tricked into installing it and providing access to a malicious third party. Investigate whether this third party could be attempting to scam the end-user or gain access to the environment through social engineering.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- If an authorized support person or administrator used the tool to conduct legitimate support or remote access, consider reinforcing that only tooling approved by the IT policy should be used. The analyst can dismiss the alert if no other suspicious behavior is observed involving the host or users.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If an unauthorized third party did the access via social engineering, consider improvements to the security awareness program.\n- Enforce that only tooling approved by the IT policy should be used for remote access purposes and only by authorized staff.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type: \"windows\" and\n\n event.category: \"process\" and event.type : \"start\" and\n\n (\n process.code_signature.subject_name : (\n TeamViewer* or \"NetSupport Ltd\" or \"GlavSoft\" or \"LogMeIn, Inc.\" or \"Ammyy LLC\" or\n \"Nanosystems S.r.l.\" or \"Remote Utilities LLC\" or \"ShowMyPC\" or \"Splashtop Inc.\" or\n \"Yakhnovets Denis Aleksandrovich IP\" or \"Pro Softnet Corporation\" or \"BeamYourScreen GmbH\" or\n \"RealVNC\" or \"uvnc\" or \"SAFIB\") or\n\n process.name.caseless : (\n \"teamviewer.exe\" or \"apc_Admin.exe\" or \"apc_host.exe\" or \"SupremoHelper.exe\" or \"rfusclient.exe\" or\n \"spclink.exe\" or \"smpcview.exe\" or \"ROMServer.exe\" or \"strwinclt.exe\" or \"RPCSuite.exe\" or \"RemotePCDesktop.exe\" or\n \"RemotePCService.exe\" or \"tvn.exe\" or \"LMIIgnition.exe\" or \"B4-Service.exe\" or \"Mikogo-Service.exe\" or \"AnyDesk.exe\" or\n \"Splashtop-streamer.exe\" or AA_v*.exe, or \"rutserv.exe\" or \"rutview.exe\" or \"vncserver.exe\" or \"vncviewer.exe\" or\n \"tvnserver.exe\" or \"tvnviewer.exe\" or \"winvnc.exe\" or \"RemoteDesktopManager.exe\" or \"LogMeIn.exe\" or ScreenConnect*.exe or\n \"RemotePC.exe\" or \"r_server.exe\" or \"radmin.exe\" or \"ROMServer.exe\" or \"ROMViewer.exe\" or \"DWRCC.exe\" or \"AeroAdmin.exe\" or\n \"ISLLightClient.exe\" or \"ISLLight.exe\" or \"AteraAgent.exe\" or \"SRService.exe\")\n\t) and\n\n\tnot (process.pe.original_file_name : (\"G2M.exe\" or 
\"Updater.exe\" or \"powershell.exe\") and process.code_signature.subject_name : \"LogMeIn, Inc.\")\n", "references": ["https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", "https://attack.mitre.org/techniques/T1219/"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": false, "name": "process.name.caseless", "type": "unknown"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 3}, "id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_4.json b/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_4.json deleted file mode 100644 index f04ba6a675b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_4.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may install legitimate remote access tools (RAT) to compromised endpoints for further command-and-control (C2). Adversaries can rely on installed RATs for persistence, execution of native commands and more. This rule detects when a process is started whose name or code signature resembles commonly abused RATs. This is a New Terms rule type indicating the host has not seen this RAT process started before within the last 30 days.", "from": "now-9m", "history_window_start": "now-15d", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Commonly Abused Remote Access Tool Execution", "new_terms_fields": ["host.id"], "note": "## Triage and analysis\n\n### Investigating First Time Seen Commonly Abused Remote Access Tool Execution\n\nRemote access software is a class of tools commonly used by IT departments to provide support by connecting securely to users' computers. Remote access is an ever-growing market where new companies constantly offer new ways of quickly accessing remote systems.\n\nAt the same pace as IT departments adopt these tools, the attackers also adopt them as part of their workflow to connect into an interactive session, maintain access with legitimate software as a persistence mechanism, drop malicious software, etc.\n\nThis rule detects when a remote access tool is seen in the environment for the first time in the last 15 days, enabling analysts to investigate and enforce the correct usage of such tools.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check if the execution of the remote access tool is approved by the organization's IT department.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n - If the tool is not approved for use in the organization, the employee could have been tricked into installing it and providing access to a malicious third party. Investigate whether this third party could be attempting to scam the end-user or gain access to the environment through social engineering.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- If an authorized support person or administrator used the tool to conduct legitimate support or remote access, consider reinforcing that only tooling approved by the IT policy should be used. The analyst can dismiss the alert if no other suspicious behavior is observed involving the host or users.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If an unauthorized third party did the access via social engineering, consider improvements to the security awareness program.\n- Enforce that only tooling approved by the IT policy should be used for remote access purposes and only by authorized staff.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type: \"windows\" and\n\n event.category: \"process\" and event.type : \"start\" and\n\n (\n process.code_signature.subject_name : (\n TeamViewer* or \"NetSupport Ltd\" or \"GlavSoft\" or \"LogMeIn, Inc.\" or \"Ammyy LLC\" or\n \"Nanosystems S.r.l.\" or \"Remote Utilities LLC\" or \"ShowMyPC\" or \"Splashtop Inc.\" or\n \"Yakhnovets Denis Aleksandrovich IP\" or \"Pro Softnet Corporation\" or \"BeamYourScreen GmbH\" or\n \"RealVNC\" or \"uvnc\" or \"SAFIB\") or\n\n process.name.caseless : (\n \"teamviewer.exe\" or \"apc_Admin.exe\" or \"apc_host.exe\" or \"SupremoHelper.exe\" or \"rfusclient.exe\" or\n \"spclink.exe\" or \"smpcview.exe\" or \"ROMServer.exe\" or \"strwinclt.exe\" or \"RPCSuite.exe\" or \"RemotePCDesktop.exe\" or\n \"RemotePCService.exe\" or \"tvn.exe\" or \"LMIIgnition.exe\" or \"B4-Service.exe\" or \"Mikogo-Service.exe\" or \"AnyDesk.exe\" or\n \"Splashtop-streamer.exe\" or AA_v*.exe, or \"rutserv.exe\" or \"rutview.exe\" or \"vncserver.exe\" or \"vncviewer.exe\" or\n \"tvnserver.exe\" or \"tvnviewer.exe\" or \"winvnc.exe\" or \"RemoteDesktopManager.exe\" or \"LogMeIn.exe\" or ScreenConnect*.exe or\n \"RemotePC.exe\" or \"r_server.exe\" or \"radmin.exe\" or \"ROMServer.exe\" or \"ROMViewer.exe\" or \"DWRCC.exe\" or \"AeroAdmin.exe\" or\n \"ISLLightClient.exe\" or \"ISLLight.exe\" or \"AteraAgent.exe\" or \"SRService.exe\")\n\t) and\n\n\tnot (process.pe.original_file_name : (\"G2M.exe\" or 
\"Updater.exe\" or \"powershell.exe\") and process.code_signature.subject_name : \"LogMeIn, Inc.\")\n", "references": ["https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", "https://attack.mitre.org/techniques/T1219/"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": false, "name": "process.name.caseless", "type": "unknown"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 4}, "id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_5.json b/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_5.json
deleted file mode 100644
index fcf46b7c9cb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may install legitimate remote access tools (RAT) to compromised endpoints for further command-and-control (C2). Adversaries can rely on installed RATs for persistence, execution of native commands and more. This rule detects when a process is started whose name or code signature resembles commonly abused RATs. This is a New Terms rule type indicating the host has not seen this RAT process started before within the last 30 days.", "from": "now-9m", "history_window_start": "now-15d", "index": ["logs-endpoint.events.process-*", "endgame-*", "winlogbeat-*", "logs-windows.*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Commonly Abused Remote Access Tool Execution", "new_terms_fields": ["host.id"], "note": "## Triage and analysis\n\n### Investigating First Time Seen Commonly Abused Remote Access Tool Execution\n\nRemote access software is a class of tools commonly used by IT departments to provide support by connecting securely to users' computers. Remote access is an ever-growing market where new companies constantly offer new ways of quickly accessing remote systems.\n\nAt the same pace as IT departments adopt these tools, the attackers also adopt them as part of their workflow to connect into an interactive session, maintain access with legitimate software as a persistence mechanism, drop malicious software, etc.\n\nThis rule detects when a remote access tool is seen in the environment for the first time in the last 15 days, enabling analysts to investigate and enforce the correct usage of such tools.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check if the execution of the remote access tool is approved by the organization's IT department.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n - If the tool is not approved for use in the organization, the employee could have been tricked into installing it and providing access to a malicious third party. Investigate whether this third party could be attempting to scam the end-user or gain access to the environment through social engineering.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- If an authorized support person or administrator used the tool to conduct legitimate support or remote access, consider reinforcing that only tooling approved by the IT policy should be used. The analyst can dismiss the alert if no other suspicious behavior is observed involving the host or users.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If an unauthorized third party did the access via social engineering, consider improvements to the security awareness program.\n- Enforce that only tooling approved by the IT policy should be used for remote access purposes and only by authorized staff.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type: \"windows\" and\n\n event.category: \"process\" and event.type : \"start\" and\n\n (\n process.code_signature.subject_name : (\n \"Action1 Corporation\" or\n \"AeroAdmin LLC\" or\n \"Ammyy LLC\" or\n \"Atera Networks Ltd\" or\n \"AWERAY PTE. LTD.\" or\n \"BeamYourScreen GmbH\" or\n \"Bomgar Corporation\" or\n \"DUC FABULOUS CO.,LTD\" or\n \"DOMOTZ INC.\" or\n \"DWSNET O\u00dc\" or\n \"FleetDeck Inc\" or\n \"GlavSoft LLC\" or\n \"GlavSoft LLC.\" or\n \"Hefei Pingbo Network Technology Co. 
Ltd\" or\n \"IDrive, Inc.\" or\n \"IMPERO SOLUTIONS LIMITED\" or\n \"Instant Housecall\" or\n \"ISL Online Ltd.\" or\n \"LogMeIn, Inc.\" or\n \"Monitoring Client\" or\n \"MMSOFT Design Ltd.\" or\n \"Nanosystems S.r.l.\" or\n \"NetSupport Ltd\" or\n \"NinjaRMM, LLC\" or\n \"Parallels International GmbH\" or\n \"philandro Software GmbH\" or\n \"Pro Softnet Corporation\" or\n \"RealVNC\" or\n \"RealVNC Limited\" or\n \"BreakingSecurity.net\" or\n \"Remote Utilities LLC\" or\n \"Rocket Software, Inc.\" or\n \"SAFIB\" or\n \"Servably, Inc.\" or\n \"ShowMyPC INC\" or\n \"Splashtop Inc.\" or\n \"Superops Inc.\" or\n \"TeamViewer\" or\n \"TeamViewer GmbH\" or\n \"TeamViewer Germany GmbH\" or\n \"Techinline Limited\" or\n \"uvnc bvba\" or\n \"Yakhnovets Denis Aleksandrovich IP\" or\n \"Zhou Huabing\"\n ) or\n\n process.name.caseless : (\n AA_v*.exe or\n \"AeroAdmin.exe\" or\n \"AnyDesk.exe\" or\n \"apc_Admin.exe\" or\n \"apc_host.exe\" or\n \"AteraAgent.exe\" or\n aweray_remote*.exe or\n \"AweSun.exe\" or\n \"B4-Service.exe\" or\n \"BASupSrvc.exe\" or\n \"bomgar-scc.exe\" or\n \"domotzagent.exe\" or\n \"domotz-windows-x64-10.exe\" or\n \"dwagsvc.exe\" or\n \"DWRCC.exe\" or\n \"ImperoClientSVC.exe\" or\n \"ImperoServerSVC.exe\" or\n \"ISLLight.exe\" or\n \"ISLLightClient.exe\" or\n fleetdeck_commander*.exe or\n \"getscreen.exe\" or\n \"LMIIgnition.exe\" or\n \"LogMeIn.exe\" or\n \"ManageEngine_Remote_Access_Plus.exe\" or\n \"Mikogo-Service.exe\" or\n \"NinjaRMMAgent.exe\" or\n \"NinjaRMMAgenPatcher.exe\" or\n \"ninjarmm-cli.exe\" or\n \"r_server.exe\" or\n \"radmin.exe\" or\n \"radmin3.exe\" or\n \"RCClient.exe\" or\n \"RCService.exe\" or\n \"RemoteDesktopManager.exe\" or\n \"RemotePC.exe\" or\n \"RemotePCDesktop.exe\" or\n \"RemotePCService.exe\" or\n \"rfusclient.exe\" or\n \"ROMServer.exe\" or\n \"ROMViewer.exe\" or\n \"RPCSuite.exe\" or\n \"rserver3.exe\" or\n \"rustdesk.exe\" or\n \"rutserv.exe\" or\n \"rutview.exe\" or\n \"saazapsc.exe\" or\n ScreenConnect*.exe or\n 
\"smpcview.exe\" or\n \"spclink.exe\" or\n \"Splashtop-streamer.exe\" or\n \"SRService.exe\" or\n \"strwinclt.exe\" or\n \"Supremo.exe\" or\n \"SupremoService.exe\" or\n \"teamviewer.exe\" or\n \"TiClientCore.exe\" or\n \"TSClient.exe\" or\n \"tvn.exe\" or\n \"tvnserver.exe\" or\n \"tvnviewer.exe\" or\n UltraVNC*.exe or\n UltraViewer*.exe or\n \"vncserver.exe\" or\n \"vncviewer.exe\" or\n \"winvnc.exe\" or\n \"winwvc.exe\" or\n \"Zaservice.exe\" or\n \"ZohoURS.exe\"\n ) or\n process.name : (\n AA_v*.exe or\n \"AeroAdmin.exe\" or\n \"AnyDesk.exe\" or\n \"apc_Admin.exe\" or\n \"apc_host.exe\" or\n \"AteraAgent.exe\" or\n aweray_remote*.exe or\n \"AweSun.exe\" or\n \"B4-Service.exe\" or\n \"BASupSrvc.exe\" or\n \"bomgar-scc.exe\" or\n \"domotzagent.exe\" or\n \"domotz-windows-x64-10.exe\" or\n \"dwagsvc.exe\" or\n \"DWRCC.exe\" or\n \"ImperoClientSVC.exe\" or\n \"ImperoServerSVC.exe\" or\n \"ISLLight.exe\" or\n \"ISLLightClient.exe\" or\n fleetdeck_commander*.exe or\n \"getscreen.exe\" or\n \"LMIIgnition.exe\" or\n \"LogMeIn.exe\" or\n \"ManageEngine_Remote_Access_Plus.exe\" or\n \"Mikogo-Service.exe\" or\n \"NinjaRMMAgent.exe\" or\n \"NinjaRMMAgenPatcher.exe\" or\n \"ninjarmm-cli.exe\" or\n \"r_server.exe\" or\n \"radmin.exe\" or\n \"radmin3.exe\" or\n \"RCClient.exe\" or\n \"RCService.exe\" or\n \"RemoteDesktopManager.exe\" or\n \"RemotePC.exe\" or\n \"RemotePCDesktop.exe\" or\n \"RemotePCService.exe\" or\n \"rfusclient.exe\" or\n \"ROMServer.exe\" or\n \"ROMViewer.exe\" or\n \"RPCSuite.exe\" or\n \"rserver3.exe\" or\n \"rustdesk.exe\" or\n \"rutserv.exe\" or\n \"rutview.exe\" or\n \"saazapsc.exe\" or\n ScreenConnect*.exe or\n \"smpcview.exe\" or\n \"spclink.exe\" or\n \"Splashtop-streamer.exe\" or\n \"SRService.exe\" or\n \"strwinclt.exe\" or\n \"Supremo.exe\" or\n \"SupremoService.exe\" or\n \"teamviewer.exe\" or\n \"TiClientCore.exe\" or\n \"TSClient.exe\" or\n \"tvn.exe\" or\n \"tvnserver.exe\" or\n \"tvnviewer.exe\" or\n UltraVNC*.exe or\n UltraViewer*.exe or\n 
\"vncserver.exe\" or\n \"vncviewer.exe\" or\n \"winvnc.exe\" or\n \"winwvc.exe\" or\n \"Zaservice.exe\" or\n \"ZohoURS.exe\"\n )\n\t) and\n\n\tnot (process.pe.original_file_name : (\"G2M.exe\" or \"Updater.exe\" or \"powershell.exe\") and process.code_signature.subject_name : \"LogMeIn, Inc.\")\n", "references": ["https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", "https://attack.mitre.org/techniques/T1219/", "https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "process.name.caseless", "type": "unknown"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 5}, "id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_6.json b/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_6.json
deleted file mode 100644
index b9a1a97de67..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may install legitimate remote access tools (RAT) to compromised endpoints for further command-and-control (C2). Adversaries can rely on installed RATs for persistence, execution of native commands and more. This rule detects when a process is started whose name or code signature resembles commonly abused RATs. This is a New Terms rule type indicating the host has not seen this RAT process started before within the last 30 days.", "from": "now-9m", "history_window_start": "now-15d", "index": ["logs-endpoint.events.process-*", "endgame-*", "winlogbeat-*", "logs-windows.*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Commonly Abused Remote Access Tool Execution", "new_terms_fields": ["host.id"], "note": "## Triage and analysis\n\n### Investigating First Time Seen Commonly Abused Remote Access Tool Execution\n\nRemote access software is a class of tools commonly used by IT departments to provide support by connecting securely to users' computers. Remote access is an ever-growing market where new companies constantly offer new ways of quickly accessing remote systems.\n\nAt the same pace as IT departments adopt these tools, the attackers also adopt them as part of their workflow to connect into an interactive session, maintain access with legitimate software as a persistence mechanism, drop malicious software, etc.\n\nThis rule detects when a remote access tool is seen in the environment for the first time in the last 15 days, enabling analysts to investigate and enforce the correct usage of such tools.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check if the execution of the remote access tool is approved by the organization's IT department.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n - If the tool is not approved for use in the organization, the employee could have been tricked into installing it and providing access to a malicious third party. Investigate whether this third party could be attempting to scam the end-user or gain access to the environment through social engineering.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- If an authorized support person or administrator used the tool to conduct legitimate support or remote access, consider reinforcing that only tooling approved by the IT policy should be used. The analyst can dismiss the alert if no other suspicious behavior is observed involving the host or users.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If an unauthorized third party did the access via social engineering, consider improvements to the security awareness program.\n- Enforce that only tooling approved by the IT policy should be used for remote access purposes and only by authorized staff.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type: \"windows\" and\n\n event.category: \"process\" and event.type : \"start\" and\n\n (\n process.code_signature.subject_name : (\n \"Action1 Corporation\" or\n \"AeroAdmin LLC\" or\n \"Ammyy LLC\" or\n \"Atera Networks Ltd\" or\n \"AWERAY PTE. LTD.\" or\n \"BeamYourScreen GmbH\" or\n \"Bomgar Corporation\" or\n \"DUC FABULOUS CO.,LTD\" or\n \"DOMOTZ INC.\" or\n \"DWSNET O\u00dc\" or\n \"FleetDeck Inc\" or\n \"GlavSoft LLC\" or\n \"GlavSoft LLC.\" or\n \"Hefei Pingbo Network Technology Co. 
Ltd\" or\n \"IDrive, Inc.\" or\n \"IMPERO SOLUTIONS LIMITED\" or\n \"Instant Housecall\" or\n \"ISL Online Ltd.\" or\n \"LogMeIn, Inc.\" or\n \"Monitoring Client\" or\n \"MMSOFT Design Ltd.\" or\n \"Nanosystems S.r.l.\" or\n \"NetSupport Ltd\" or\n \"NinjaRMM, LLC\" or\n \"Parallels International GmbH\" or\n \"philandro Software GmbH\" or\n \"Pro Softnet Corporation\" or\n \"RealVNC\" or\n \"RealVNC Limited\" or\n \"BreakingSecurity.net\" or\n \"Remote Utilities LLC\" or\n \"Rocket Software, Inc.\" or\n \"SAFIB\" or\n \"Servably, Inc.\" or\n \"ShowMyPC INC\" or\n \"Splashtop Inc.\" or\n \"Superops Inc.\" or\n \"TeamViewer\" or\n \"TeamViewer GmbH\" or\n \"TeamViewer Germany GmbH\" or\n \"Techinline Limited\" or\n \"uvnc bvba\" or\n \"Yakhnovets Denis Aleksandrovich IP\" or\n \"Zhou Huabing\"\n ) or\n\n process.name.caseless : (\n AA_v*.exe or\n \"AeroAdmin.exe\" or\n \"AnyDesk.exe\" or\n \"apc_Admin.exe\" or\n \"apc_host.exe\" or\n \"AteraAgent.exe\" or\n aweray_remote*.exe or\n \"AweSun.exe\" or\n \"B4-Service.exe\" or\n \"BASupSrvc.exe\" or\n \"bomgar-scc.exe\" or\n \"domotzagent.exe\" or\n \"domotz-windows-x64-10.exe\" or\n \"dwagsvc.exe\" or\n \"DWRCC.exe\" or\n \"ImperoClientSVC.exe\" or\n \"ImperoServerSVC.exe\" or\n \"ISLLight.exe\" or\n \"ISLLightClient.exe\" or\n fleetdeck_commander*.exe or\n \"getscreen.exe\" or\n \"LMIIgnition.exe\" or\n \"LogMeIn.exe\" or\n \"ManageEngine_Remote_Access_Plus.exe\" or\n \"Mikogo-Service.exe\" or\n \"NinjaRMMAgent.exe\" or\n \"NinjaRMMAgenPatcher.exe\" or\n \"ninjarmm-cli.exe\" or\n \"r_server.exe\" or\n \"radmin.exe\" or\n \"radmin3.exe\" or\n \"RCClient.exe\" or\n \"RCService.exe\" or\n \"RemoteDesktopManager.exe\" or\n \"RemotePC.exe\" or\n \"RemotePCDesktop.exe\" or\n \"RemotePCService.exe\" or\n \"rfusclient.exe\" or\n \"ROMServer.exe\" or\n \"ROMViewer.exe\" or\n \"RPCSuite.exe\" or\n \"rserver3.exe\" or\n \"rustdesk.exe\" or\n \"rutserv.exe\" or\n \"rutview.exe\" or\n \"saazapsc.exe\" or\n ScreenConnect*.exe or\n 
\"smpcview.exe\" or\n \"spclink.exe\" or\n \"Splashtop-streamer.exe\" or\n \"SRService.exe\" or\n \"strwinclt.exe\" or\n \"Supremo.exe\" or\n \"SupremoService.exe\" or\n \"teamviewer.exe\" or\n \"TiClientCore.exe\" or\n \"TSClient.exe\" or\n \"tvn.exe\" or\n \"tvnserver.exe\" or\n \"tvnviewer.exe\" or\n UltraVNC*.exe or\n UltraViewer*.exe or\n \"vncserver.exe\" or\n \"vncviewer.exe\" or\n \"winvnc.exe\" or\n \"winwvc.exe\" or\n \"Zaservice.exe\" or\n \"ZohoURS.exe\"\n ) or\n process.name : (\n AA_v*.exe or\n \"AeroAdmin.exe\" or\n \"AnyDesk.exe\" or\n \"apc_Admin.exe\" or\n \"apc_host.exe\" or\n \"AteraAgent.exe\" or\n aweray_remote*.exe or\n \"AweSun.exe\" or\n \"B4-Service.exe\" or\n \"BASupSrvc.exe\" or\n \"bomgar-scc.exe\" or\n \"domotzagent.exe\" or\n \"domotz-windows-x64-10.exe\" or\n \"dwagsvc.exe\" or\n \"DWRCC.exe\" or\n \"ImperoClientSVC.exe\" or\n \"ImperoServerSVC.exe\" or\n \"ISLLight.exe\" or\n \"ISLLightClient.exe\" or\n fleetdeck_commander*.exe or\n \"getscreen.exe\" or\n \"LMIIgnition.exe\" or\n \"LogMeIn.exe\" or\n \"ManageEngine_Remote_Access_Plus.exe\" or\n \"Mikogo-Service.exe\" or\n \"NinjaRMMAgent.exe\" or\n \"NinjaRMMAgenPatcher.exe\" or\n \"ninjarmm-cli.exe\" or\n \"r_server.exe\" or\n \"radmin.exe\" or\n \"radmin3.exe\" or\n \"RCClient.exe\" or\n \"RCService.exe\" or\n \"RemoteDesktopManager.exe\" or\n \"RemotePC.exe\" or\n \"RemotePCDesktop.exe\" or\n \"RemotePCService.exe\" or\n \"rfusclient.exe\" or\n \"ROMServer.exe\" or\n \"ROMViewer.exe\" or\n \"RPCSuite.exe\" or\n \"rserver3.exe\" or\n \"rustdesk.exe\" or\n \"rutserv.exe\" or\n \"rutview.exe\" or\n \"saazapsc.exe\" or\n ScreenConnect*.exe or\n \"smpcview.exe\" or\n \"spclink.exe\" or\n \"Splashtop-streamer.exe\" or\n \"SRService.exe\" or\n \"strwinclt.exe\" or\n \"Supremo.exe\" or\n \"SupremoService.exe\" or\n \"teamviewer.exe\" or\n \"TiClientCore.exe\" or\n \"TSClient.exe\" or\n \"tvn.exe\" or\n \"tvnserver.exe\" or\n \"tvnviewer.exe\" or\n UltraVNC*.exe or\n UltraViewer*.exe or\n 
\"vncserver.exe\" or\n \"vncviewer.exe\" or\n \"winvnc.exe\" or\n \"winwvc.exe\" or\n \"Zaservice.exe\" or\n \"ZohoURS.exe\"\n )\n\t) and\n\n\tnot (process.pe.original_file_name : (\"G2M.exe\" or \"Updater.exe\" or \"powershell.exe\") and process.code_signature.subject_name : \"LogMeIn, Inc.\")\n", "references": ["https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", "https://attack.mitre.org/techniques/T1219/", "https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "process.name.caseless", "type": "unknown"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 6}, "id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_7.json b/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_7.json
deleted file mode 100644
index 45de7f3cebd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6e1a2cc4-d260-11ed-8829-f661ea17fbcc_7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may install legitimate remote access tools (RAT) to compromised endpoints for further command-and-control (C2). Adversaries can rely on installed RATs for persistence, execution of native commands and more. This rule detects when a process is started whose name or code signature resembles commonly abused RATs. This is a New Terms rule type indicating the host has not seen this RAT process started before within the last 30 days.", "from": "now-9m", "history_window_start": "now-15d", "index": ["logs-endpoint.events.process-*", "endgame-*", "winlogbeat-*", "logs-windows.*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Commonly Abused Remote Access Tool Execution", "new_terms_fields": ["host.id"], "note": "## Triage and analysis\n\n### Investigating First Time Seen Commonly Abused Remote Access Tool Execution\n\nRemote access software is a class of tools commonly used by IT departments to provide support by connecting securely to users' computers. Remote access is an ever-growing market where new companies constantly offer new ways of quickly accessing remote systems.\n\nAt the same pace as IT departments adopt these tools, the attackers also adopt them as part of their workflow to connect into an interactive session, maintain access with legitimate software as a persistence mechanism, drop malicious software, etc.\n\nThis rule detects when a remote access tool is seen in the environment for the first time in the last 15 days, enabling analysts to investigate and enforce the correct usage of such tools.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Check if the execution of the remote access tool is approved by the organization's IT department.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n - If the tool is not approved for use in the organization, the employee could have been tricked into installing it and providing access to a malicious third party. Investigate whether this third party could be attempting to scam the end-user or gain access to the environment through social engineering.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- If an authorized support person or administrator used the tool to conduct legitimate support or remote access, consider reinforcing that only tooling approved by the IT policy should be used. The analyst can dismiss the alert if no other suspicious behavior is observed involving the host or users.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If an unauthorized third party did the access via social engineering, consider improvements to the security awareness program.\n- Enforce that only tooling approved by the IT policy should be used for remote access purposes and only by authorized staff.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type: \"windows\" and\n\n event.category: \"process\" and event.type : \"start\" and\n\n (\n process.code_signature.subject_name : (\n \"Action1 Corporation\" or\n \"AeroAdmin LLC\" or\n \"Ammyy LLC\" or\n \"Atera Networks Ltd\" or\n \"AWERAY PTE. LTD.\" or\n \"BeamYourScreen GmbH\" or\n \"Bomgar Corporation\" or\n \"DUC FABULOUS CO.,LTD\" or\n \"DOMOTZ INC.\" or\n \"DWSNET O\u00dc\" or\n \"FleetDeck Inc\" or\n \"GlavSoft LLC\" or\n \"GlavSoft LLC.\" or\n \"Hefei Pingbo Network Technology Co. 
Ltd\" or\n \"IDrive, Inc.\" or\n \"IMPERO SOLUTIONS LIMITED\" or\n \"Instant Housecall\" or\n \"ISL Online Ltd.\" or\n \"LogMeIn, Inc.\" or\n \"Monitoring Client\" or\n \"MMSOFT Design Ltd.\" or\n \"Nanosystems S.r.l.\" or\n \"NetSupport Ltd\" or\n \"NinjaRMM, LLC\" or\n \"Parallels International GmbH\" or\n \"philandro Software GmbH\" or\n \"Pro Softnet Corporation\" or\n \"RealVNC\" or\n \"RealVNC Limited\" or\n \"BreakingSecurity.net\" or\n \"Remote Utilities LLC\" or\n \"Rocket Software, Inc.\" or\n \"SAFIB\" or\n \"Servably, Inc.\" or\n \"ShowMyPC INC\" or\n \"Splashtop Inc.\" or\n \"Superops Inc.\" or\n \"TeamViewer\" or\n \"TeamViewer GmbH\" or\n \"TeamViewer Germany GmbH\" or\n \"Techinline Limited\" or\n \"uvnc bvba\" or\n \"Yakhnovets Denis Aleksandrovich IP\" or\n \"Zhou Huabing\"\n ) or\n\n process.name.caseless : (\n AA_v*.exe or\n \"AeroAdmin.exe\" or\n \"AnyDesk.exe\" or\n \"apc_Admin.exe\" or\n \"apc_host.exe\" or\n \"AteraAgent.exe\" or\n aweray_remote*.exe or\n \"AweSun.exe\" or\n \"B4-Service.exe\" or\n \"BASupSrvc.exe\" or\n \"bomgar-scc.exe\" or\n \"domotzagent.exe\" or\n \"domotz-windows-x64-10.exe\" or\n \"dwagsvc.exe\" or\n \"DWRCC.exe\" or\n \"ImperoClientSVC.exe\" or\n \"ImperoServerSVC.exe\" or\n \"ISLLight.exe\" or\n \"ISLLightClient.exe\" or\n fleetdeck_commander*.exe or\n \"getscreen.exe\" or\n \"LMIIgnition.exe\" or\n \"LogMeIn.exe\" or\n \"ManageEngine_Remote_Access_Plus.exe\" or\n \"Mikogo-Service.exe\" or\n \"NinjaRMMAgent.exe\" or\n \"NinjaRMMAgenPatcher.exe\" or\n \"ninjarmm-cli.exe\" or\n \"r_server.exe\" or\n \"radmin.exe\" or\n \"radmin3.exe\" or\n \"RCClient.exe\" or\n \"RCService.exe\" or\n \"RemoteDesktopManager.exe\" or\n \"RemotePC.exe\" or\n \"RemotePCDesktop.exe\" or\n \"RemotePCService.exe\" or\n \"rfusclient.exe\" or\n \"ROMServer.exe\" or\n \"ROMViewer.exe\" or\n \"RPCSuite.exe\" or\n \"rserver3.exe\" or\n \"rustdesk.exe\" or\n \"rutserv.exe\" or\n \"rutview.exe\" or\n \"saazapsc.exe\" or\n ScreenConnect*.exe or\n 
\"smpcview.exe\" or\n \"spclink.exe\" or\n \"Splashtop-streamer.exe\" or\n \"SRService.exe\" or\n \"strwinclt.exe\" or\n \"Supremo.exe\" or\n \"SupremoService.exe\" or\n \"teamviewer.exe\" or\n \"TiClientCore.exe\" or\n \"TSClient.exe\" or\n \"tvn.exe\" or\n \"tvnserver.exe\" or\n \"tvnviewer.exe\" or\n UltraVNC*.exe or\n UltraViewer*.exe or\n \"vncserver.exe\" or\n \"vncviewer.exe\" or\n \"winvnc.exe\" or\n \"winwvc.exe\" or\n \"Zaservice.exe\" or\n \"ZohoURS.exe\"\n ) or\n process.name : (\n AA_v*.exe or\n \"AeroAdmin.exe\" or\n \"AnyDesk.exe\" or\n \"apc_Admin.exe\" or\n \"apc_host.exe\" or\n \"AteraAgent.exe\" or\n aweray_remote*.exe or\n \"AweSun.exe\" or\n \"B4-Service.exe\" or\n \"BASupSrvc.exe\" or\n \"bomgar-scc.exe\" or\n \"domotzagent.exe\" or\n \"domotz-windows-x64-10.exe\" or\n \"dwagsvc.exe\" or\n \"DWRCC.exe\" or\n \"ImperoClientSVC.exe\" or\n \"ImperoServerSVC.exe\" or\n \"ISLLight.exe\" or\n \"ISLLightClient.exe\" or\n fleetdeck_commander*.exe or\n \"getscreen.exe\" or\n \"LMIIgnition.exe\" or\n \"LogMeIn.exe\" or\n \"ManageEngine_Remote_Access_Plus.exe\" or\n \"Mikogo-Service.exe\" or\n \"NinjaRMMAgent.exe\" or\n \"NinjaRMMAgenPatcher.exe\" or\n \"ninjarmm-cli.exe\" or\n \"r_server.exe\" or\n \"radmin.exe\" or\n \"radmin3.exe\" or\n \"RCClient.exe\" or\n \"RCService.exe\" or\n \"RemoteDesktopManager.exe\" or\n \"RemotePC.exe\" or\n \"RemotePCDesktop.exe\" or\n \"RemotePCService.exe\" or\n \"rfusclient.exe\" or\n \"ROMServer.exe\" or\n \"ROMViewer.exe\" or\n \"RPCSuite.exe\" or\n \"rserver3.exe\" or\n \"rustdesk.exe\" or\n \"rutserv.exe\" or\n \"rutview.exe\" or\n \"saazapsc.exe\" or\n ScreenConnect*.exe or\n \"smpcview.exe\" or\n \"spclink.exe\" or\n \"Splashtop-streamer.exe\" or\n \"SRService.exe\" or\n \"strwinclt.exe\" or\n \"Supremo.exe\" or\n \"SupremoService.exe\" or\n \"teamviewer.exe\" or\n \"TiClientCore.exe\" or\n \"TSClient.exe\" or\n \"tvn.exe\" or\n \"tvnserver.exe\" or\n \"tvnviewer.exe\" or\n UltraVNC*.exe or\n UltraViewer*.exe or\n 
\"vncserver.exe\" or\n \"vncviewer.exe\" or\n \"winvnc.exe\" or\n \"winwvc.exe\" or\n \"Zaservice.exe\" or\n \"ZohoURS.exe\"\n )\n\t) and\n\n\tnot (process.pe.original_file_name : (\"G2M.exe\" or \"Updater.exe\" or \"powershell.exe\") and process.code_signature.subject_name : \"LogMeIn, Inc.\")\n", "references": ["https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/", "https://attack.mitre.org/techniques/T1219/", "https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "process.name.caseless", "type": "unknown"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 7}, "id": "6e1a2cc4-d260-11ed-8829-f661ea17fbcc_7", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172.json b/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172.json
deleted file mode 100644
index a2cd5d8558a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_process_all_hosts"], "name": "Anomalous Process For a Windows Population", "note": "## Triage and analysis\n\n### Investigating Anomalous Process For a Windows Population\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for all of the monitored Windows hosts in your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSyste' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}, {"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "type": "machine_learning", "version": 106}, "id": "6e40d56f-5c0e-4ac6-aece-bee96645b172", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_102.json b/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_102.json deleted file mode 100644 index bbaf0f77d07..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_process_all_hosts"], "name": "Anomalous Process For a Windows Population", "note": "## Triage and analysis\n\n### Investigating Anomalous Process For a Windows Population\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for all of the monitored Windows hosts in your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and 
reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Persistence", "Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "type": "machine_learning", "version": 102}, "id": "6e40d56f-5c0e-4ac6-aece-bee96645b172_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_103.json b/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_103.json deleted file mode 100644 index 9ed6609ea4e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_process_all_hosts"], "name": "Anomalous Process For a Windows Population", "note": "## Triage and analysis\n\n### Investigating Anomalous Process For a Windows Population\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for all of the monitored Windows hosts in your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSyste' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Persistence", "Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "type": "machine_learning", "version": 103}, "id": "6e40d56f-5c0e-4ac6-aece-bee96645b172_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_104.json b/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_104.json deleted file mode 100644 index 8c5a99a4388..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_process_all_hosts"], "name": "Anomalous Process For a Windows Population", "note": "## Triage and analysis\n\n### Investigating Anomalous Process For a Windows Population\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for all of the monitored Windows hosts in your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSyste' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "type": "machine_learning", "version": 104}, "id": "6e40d56f-5c0e-4ac6-aece-bee96645b172_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_105.json b/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_105.json deleted file mode 100644 index a8b2e2bf92a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_process_all_hosts"], "name": "Anomalous Process For a Windows Population", "note": "## Triage and analysis\n\n### Investigating Anomalous Process For a Windows Population\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for all of the monitored Windows hosts in your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSyste' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "type": "machine_learning", "version": 105}, "id": "6e40d56f-5c0e-4ac6-aece-bee96645b172_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_106.json b/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_106.json deleted file mode 100644 index 2ac642bbc84..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_process_all_hosts"], "name": "Anomalous Process For a Windows Population", "note": "## Triage and analysis\n\n### Investigating Anomalous Process For a Windows Population\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for all of the monitored Windows hosts in your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSyste' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}, {"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "type": "machine_learning", "version": 106}, "id": "6e40d56f-5c0e-4ac6-aece-bee96645b172_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_107.json b/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_107.json
deleted file mode 100644
index badc98196b2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6e40d56f-5c0e-4ac6-aece-bee96645b172_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Searches for rare processes running on multiple hosts in an entire fleet or network. This reduces the detection of false positives since automated maintenance processes usually only run occasionally on a single machine but are common to all or many hosts in a fleet.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_process_all_hosts"], "name": "Anomalous Process For a Windows Population", "note": "## Triage and analysis\n\n### Investigating Anomalous Process For a Windows Population\n\nSearching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors.\n\nThis rule uses a machine learning job to detect a Windows process that is rare and unusual for all of the monitored Windows hosts in your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - If the parent process is a legitimate system utility or service, this could be related to software updates or system management. 
If the parent process is something user-facing like an Office application, this process could be more suspicious.\n - Investigate the process metadata \u2014 such as the digital signature, directory, etc. \u2014 to obtain more context that can indicate whether the executable is associated with an expected software vendor or package.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host?\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Validate if the activity has a consistent cadence (for example, if it runs monthly or quarterly), as it could be part of a monthly or quarterly business process.\n- Examine the arguments and working directory of the process. These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, 
display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSyste' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Retrieve Service Unisgned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Unusual Process For a Windows Host - 6d448b96-c922-4adb-b51c-b767f1ea5b76\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Unusual Windows Process Calling the Metadata Service - abae61a8-c560-4dbd-acca-1e1438bff36b\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "6e40d56f-5c0e-4ac6-aece-bee96645b172", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}, {"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "type": "machine_learning", "version": 107}, "id": "6e40d56f-5c0e-4ac6-aece-bee96645b172_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18.json b/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18.json
deleted file mode 100644
index 72b4ece4e21..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "AdminSDHolder Backdoor", "query": "event.action:(\"Directory Service Changes\" or \"directory-service-object-modified\") and event.code:5136 and\n winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System*\n", "references": ["https://adsecurity.org/?p=1906", "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory#adminsdholder"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ObjectDN", "type": "unknown"}], "risk_score": 73, "rule_id": "6e9130a5-9be6-48e5-943a-9628bfc74b18", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", 
"subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}, {"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "6e9130a5-9be6-48e5-943a-9628bfc74b18", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_103.json b/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_103.json
deleted file mode 100644
index 955db3525b1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "AdminSDHolder Backdoor", "query": "event.action:\"Directory Service Changes\" and host.os.type:windows and event.code:5136 and\n winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System*\n", "references": ["https://adsecurity.org/?p=1906", "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory#adminsdholder"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ObjectDN", "type": "unknown"}], "risk_score": 73, "rule_id": "6e9130a5-9be6-48e5-943a-9628bfc74b18", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "6e9130a5-9be6-48e5-943a-9628bfc74b18_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_104.json b/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_104.json
deleted file mode 100644
index cc8549d8e42..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "AdminSDHolder Backdoor", "query": "event.action:\"Directory Service Changes\" and event.code:5136 and\n winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System*\n", "references": ["https://adsecurity.org/?p=1906", "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory#adminsdholder"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ObjectDN", "type": "unknown"}], "risk_score": 73, "rule_id": "6e9130a5-9be6-48e5-943a-9628bfc74b18", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "6e9130a5-9be6-48e5-943a-9628bfc74b18_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_105.json b/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_105.json
deleted file mode 100644
index b105cb64c75..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "AdminSDHolder Backdoor", "query": "event.action:\"Directory Service Changes\" and event.code:5136 and\n winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System*\n", "references": ["https://adsecurity.org/?p=1906", "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory#adminsdholder"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ObjectDN", "type": "unknown"}], "risk_score": 73, "rule_id": "6e9130a5-9be6-48e5-943a-9628bfc74b18", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "6e9130a5-9be6-48e5-943a-9628bfc74b18_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_106.json b/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_106.json
deleted file mode 100644
index 0a3e49c1a9a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "AdminSDHolder Backdoor", "query": "event.action:\"Directory Service Changes\" and event.code:5136 and\n winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System*\n", "references": ["https://adsecurity.org/?p=1906", "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory#adminsdholder"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ObjectDN", "type": "unknown"}], "risk_score": 73, "rule_id": "6e9130a5-9be6-48e5-943a-9628bfc74b18", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}, {"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "6e9130a5-9be6-48e5-943a-9628bfc74b18_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_107.json b/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_107.json
deleted file mode 100644
index b6e330b1d45..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "AdminSDHolder Backdoor", "query": "event.action:(\"Directory Service Changes\" or \"directory-service-object-modified\") and event.code:5136 and\n winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System*\n", "references": ["https://adsecurity.org/?p=1906", "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory#adminsdholder"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ObjectDN", "type": "unknown"}], "risk_score": 73, "rule_id": "6e9130a5-9be6-48e5-943a-9628bfc74b18", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}, {"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "6e9130a5-9be6-48e5-943a-9628bfc74b18_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_108.json b/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_108.json
deleted file mode 100644
index b8ee69df34c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "AdminSDHolder Backdoor", "query": "event.action:(\"Directory Service Changes\" or \"directory-service-object-modified\") and event.code:5136 and\n winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System*\n", "references": ["https://adsecurity.org/?p=1906", "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory#adminsdholder"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ObjectDN", "type": "unknown"}], "risk_score": 73, "rule_id": "6e9130a5-9be6-48e5-943a-9628bfc74b18", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}, {"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "6e9130a5-9be6-48e5-943a-9628bfc74b18_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_109.json b/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_109.json
deleted file mode 100644
index e17e702c535..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6e9130a5-9be6-48e5-943a-9628bfc74b18_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their Administrative Privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "AdminSDHolder Backdoor", "query": "event.action:(\"Directory Service Changes\" or \"directory-service-object-modified\") and event.code:5136 and\n winlog.event_data.ObjectDN:CN=AdminSDHolder,CN=System*\n", "references": ["https://adsecurity.org/?p=1906", "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory#adminsdholder"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ObjectDN", "type": "unknown"}], "risk_score": 73, "rule_id": "6e9130a5-9be6-48e5-943a-9628bfc74b18", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}, {"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 109}, "id": "6e9130a5-9be6-48e5-943a-9628bfc74b18_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff.json b/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff.json
deleted file mode 100644
index 5107963b30f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Users or Groups via Built-in Commands", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n process.name : (\"ldapsearch\", \"dsmemberutil\") or\n (process.name : \"dscl\" and\n process.args : (\"read\", \"-read\", \"list\", \"-list\", \"ls\", \"search\", \"-search\") and\n process.args : (\"/Active Directory/*\", \"/Users*\", \"/Groups*\"))\n\t) and\n ((process.Ext.effective_parent.executable : (\"/Volumes/*\", \"/Applications/*\") or process.parent.executable : (\"/Volumes/*\", \"/Applications/*\")) or\n (process.Ext.effective_parent.name : \".*\" or process.parent.name : \".*\")) and\n not process.Ext.effective_parent.executable : (\"/Applications/QualysCloudAgent.app/Contents/MacOS/qualys-cloud-agent\",\n \"/Applications/Kaspersky Anti-Virus For Mac.app/Contents/MacOS/kavd.app/Contents/MacOS/kavd\",\n \"/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_ctl\",\n \"/Applications/NordVPN.app/Contents/MacOS/NordVPN\",\n \"/Applications/Xcode.app/Contents/MacOS/Xcode\",\n \"/Applications/ESET Endpoint Security.app/Contents/Helpers/Uninstaller.app/Contents/MacOS/Uninstaller\",\n \"/Applications/Parallels Desktop.app/Contents/MacOS/prl_client_app\",\n \"/Applications/Zscaler/Zscaler.app/Contents/MacOS/Zscaler\",\n \"/Applications/com.avast.av.uninstaller.app/Contents/MacOS/com.avast.av.uninstaller\",\n \"/Applications/NoMAD.app/Contents/MacOS/NoMAD\",\n \"/Applications/ESET Management Agent.app/Contents/MacOS/ERAAgent\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown"}, {"ecs": false, "name": "process.Ext.effective_parent.name", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 207}, "id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_102.json b/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_102.json
deleted file mode 100644
index 64a2fbcbd94..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Users or Groups via Built-in Commands", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n process.name : (\"ldapsearch\", \"dsmemberutil\") or\n (process.name : \"dscl\" and\n process.args : (\"read\", \"-read\", \"list\", \"-list\", \"ls\", \"search\", \"-search\") and\n process.args : (\"/Active Directory/*\", \"/Users*\", \"/Groups*\"))\n\t) and\n not process.parent.executable : (\"/Applications/NoMAD.app/Contents/MacOS/NoMAD\",\n \"/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence\",\n \"/Applications/Sourcetree.app/Contents/MacOS/Sourcetree\",\n \"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon\",\n \"/Applications/Jamf Connect.app/Contents/MacOS/Jamf Connect\",\n \"/usr/local/jamf/bin/jamf\",\n \"/Library/Application Support/AirWatch/hubd\",\n \"/opt/jc/bin/jumpcloud-agent\",\n \"/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon\",\n \"/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon\",\n \"/Library/PrivilegedHelperTools/com.fortinet.forticlient.uninstall_helper\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_103.json b/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_103.json
deleted file mode 100644
index e92cb5a2547..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Users or Groups via Built-in Commands", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n process.name : (\"ldapsearch\", \"dsmemberutil\") or\n (process.name : \"dscl\" and\n process.args : (\"read\", \"-read\", \"list\", \"-list\", \"ls\", \"search\", \"-search\") and\n process.args : (\"/Active Directory/*\", \"/Users*\", \"/Groups*\"))\n\t) and\n not process.parent.executable : (\"/Applications/NoMAD.app/Contents/MacOS/NoMAD\",\n \"/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence\",\n \"/Applications/Sourcetree.app/Contents/MacOS/Sourcetree\",\n \"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon\",\n \"/Applications/Jamf Connect.app/Contents/MacOS/Jamf Connect\",\n \"/usr/local/jamf/bin/jamf\",\n \"/Library/Application Support/AirWatch/hubd\",\n \"/opt/jc/bin/jumpcloud-agent\",\n \"/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon\",\n \"/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon\",\n \"/Library/PrivilegedHelperTools/com.fortinet.forticlient.uninstall_helper\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_104.json b/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_104.json
deleted file mode 100644
index e055c3e5b3c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Users or Groups via Built-in Commands", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n process.name : (\"ldapsearch\", \"dsmemberutil\") or\n (process.name : \"dscl\" and\n process.args : (\"read\", \"-read\", \"list\", \"-list\", \"ls\", \"search\", \"-search\") and\n process.args : (\"/Active Directory/*\", \"/Users*\", \"/Groups*\"))\n\t) and\n not process.parent.executable : (\"/Applications/NoMAD.app/Contents/MacOS/NoMAD\",\n \"/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence\",\n \"/Applications/Sourcetree.app/Contents/MacOS/Sourcetree\",\n \"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon\",\n \"/Applications/Jamf Connect.app/Contents/MacOS/Jamf Connect\",\n \"/usr/local/jamf/bin/jamf\",\n \"/Library/Application Support/AirWatch/hubd\",\n \"/opt/jc/bin/jumpcloud-agent\",\n \"/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon\",\n \"/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon\",\n \"/Library/PrivilegedHelperTools/com.fortinet.forticlient.uninstall_helper\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_105.json b/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_105.json
deleted file mode 100644
index 036ab645960..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Users or Groups via Built-in Commands", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n process.name : (\"ldapsearch\", \"dsmemberutil\") or\n (process.name : \"dscl\" and\n process.args : (\"read\", \"-read\", \"list\", \"-list\", \"ls\", \"search\", \"-search\") and\n process.args : (\"/Active Directory/*\", \"/Users*\", \"/Groups*\"))\n\t) and\n not process.parent.executable : (\"/Applications/NoMAD.app/Contents/MacOS/NoMAD\",\n \"/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence\",\n \"/Applications/Sourcetree.app/Contents/MacOS/Sourcetree\",\n \"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon\",\n \"/Applications/Jamf Connect.app/Contents/MacOS/Jamf Connect\",\n \"/usr/local/jamf/bin/jamf\",\n \"/Library/Application Support/AirWatch/hubd\",\n \"/opt/jc/bin/jumpcloud-agent\",\n \"/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon\",\n \"/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon\",\n \"/Library/PrivilegedHelperTools/com.fortinet.forticlient.uninstall_helper\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": 
"6e9b351e-a531-4bdc-b73e-7034d6eed7ff", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_106.json b/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_106.json deleted file mode 100644 index 823697e4a43..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Users or Groups via Built-in Commands", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n process.name : (\"ldapsearch\", \"dsmemberutil\") or\n (process.name : \"dscl\" and\n process.args : (\"read\", \"-read\", \"list\", \"-list\", \"ls\", \"search\", \"-search\") and\n process.args : (\"/Active Directory/*\", \"/Users*\", \"/Groups*\"))\n\t) and\n not process.parent.executable : (\"/Applications/NoMAD.app/Contents/MacOS/NoMAD\",\n \"/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence\",\n \"/Applications/Sourcetree.app/Contents/MacOS/Sourcetree\",\n \"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon\",\n \"/Applications/Jamf Connect.app/Contents/MacOS/Jamf Connect\",\n \"/usr/local/jamf/bin/jamf\",\n \"/Library/Application Support/AirWatch/hubd\",\n \"/opt/jc/bin/jumpcloud-agent\",\n \"/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon\",\n \"/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon\",\n \"/Library/PrivilegedHelperTools/com.fortinet.forticlient.uninstall_helper\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": 
"6e9b351e-a531-4bdc-b73e-7034d6eed7ff", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_107.json b/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_107.json deleted file mode 100644 index c32c99935be..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6e9b351e-a531-4bdc-b73e-7034d6eed7ff_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Users or Groups via Built-in Commands", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n (\n process.name : (\"ldapsearch\", \"dsmemberutil\") or\n (process.name : \"dscl\" and\n process.args : (\"read\", \"-read\", \"list\", \"-list\", \"ls\", \"search\", \"-search\") and\n process.args : (\"/Active Directory/*\", \"/Users*\", \"/Groups*\"))\n\t) and\n not process.parent.executable : (\"/Applications/NoMAD.app/Contents/MacOS/NoMAD\",\n \"/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence\",\n \"/Applications/Sourcetree.app/Contents/MacOS/Sourcetree\",\n \"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon\",\n \"/Applications/Jamf Connect.app/Contents/MacOS/Jamf Connect\",\n \"/usr/local/jamf/bin/jamf\",\n \"/Library/Application Support/AirWatch/hubd\",\n \"/opt/jc/bin/jumpcloud-agent\",\n \"/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon\",\n \"/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon\",\n \"/Library/PrivilegedHelperTools/com.fortinet.forticlient.uninstall_helper\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": 
"6e9b351e-a531-4bdc-b73e-7034d6eed7ff", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "6e9b351e-a531-4bdc-b73e-7034d6eed7ff_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8.json b/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8.json deleted file mode 100644 index a0efff32bec..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.", "false_positives": ["Legit Application Crash with rare Werfault commandline value"], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Windows Error Manager Masquerading", "note": "## Triage and analysis\n\n### Investigating Potential Windows Error Manager Masquerading\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [process where host.os.type == \"windows\" and event.type:\"start\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and destination.ip !=\"::1\" and destination.ip !=\"127.0.0.1\"\n ]\n", "references": ["https://twitter.com/SBousseaden/status/1235533224337641473", "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", "https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic 
Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "type": "eql", "version": 108}, "id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_102.json b/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_102.json deleted file mode 100644 index 137394fe2df..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.", "false_positives": ["Legit Application Crash with rare Werfault commandline value"], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Windows Error Manager Masquerading", "note": "## Triage and analysis\n\n### Investigating Potential Windows Error Manager Masquerading\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [process where host.os.type == \"windows\" and event.type:\"start\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and destination.ip !=\"::1\" and destination.ip !=\"127.0.0.1\"\n ]\n", "references": ["https://twitter.com/SBousseaden/status/1235533224337641473", "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", "https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": 
"^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "eql", "version": 102}, "id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_103.json b/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_103.json deleted file mode 100644 index 9e628af9dec..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.", "false_positives": ["Legit Application Crash with rare Werfault commandline value"], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Windows Error Manager Masquerading", "note": "## Triage and analysis\n\n### Investigating Potential Windows Error Manager Masquerading\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [process where host.os.type == \"windows\" and event.type:\"start\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and destination.ip !=\"::1\" and destination.ip !=\"127.0.0.1\"\n ]\n", "references": ["https://twitter.com/SBousseaden/status/1235533224337641473", "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", "https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "eql", "version": 103}, "id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_104.json b/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_104.json
deleted file mode 100644
index 5f06a1cb33a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.", "false_positives": ["Legit Application Crash with rare Werfault commandline value"], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Windows Error Manager Masquerading", "note": "## Triage and analysis\n\n### Investigating Potential Windows Error Manager Masquerading\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [process where host.os.type == \"windows\" and event.type:\"start\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and destination.ip !=\"::1\" and destination.ip !=\"127.0.0.1\"\n ]\n", "references": ["https://twitter.com/SBousseaden/status/1235533224337641473", "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", "https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"], "threat": [{"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "eql", "version": 104}, "id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_105.json b/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_105.json
deleted file mode 100644
index 6270490ed29..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.", "false_positives": ["Legit Application Crash with rare Werfault commandline value"], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Windows Error Manager Masquerading", "note": "## Triage and analysis\n\n### Investigating Potential Windows Error Manager Masquerading\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [process where host.os.type == \"windows\" and event.type:\"start\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and destination.ip !=\"::1\" and destination.ip !=\"127.0.0.1\"\n ]\n", "references": ["https://twitter.com/SBousseaden/status/1235533224337641473", "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", "https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic 
Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "eql", "version": 105}, "id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_106.json b/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_106.json
deleted file mode 100644
index 9d7753dbfc5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.", "false_positives": ["Legit Application Crash with rare Werfault commandline value"], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Windows Error Manager Masquerading", "note": "## Triage and analysis\n\n### Investigating Potential Windows Error Manager Masquerading\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [process where host.os.type == \"windows\" and event.type:\"start\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and destination.ip !=\"::1\" and destination.ip !=\"127.0.0.1\"\n ]\n", "references": ["https://twitter.com/SBousseaden/status/1235533224337641473", "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", "https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic 
Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "type": "eql", "version": 106}, "id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_107.json b/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_107.json
deleted file mode 100644
index 7a46980499c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.", "false_positives": ["Legit Application Crash with rare Werfault commandline value"], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Windows Error Manager Masquerading", "note": "## Triage and analysis\n\n### Investigating Potential Windows Error Manager Masquerading\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [process where host.os.type == \"windows\" and event.type:\"start\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and destination.ip !=\"::1\" and destination.ip !=\"127.0.0.1\"\n ]\n", "references": ["https://twitter.com/SBousseaden/status/1235533224337641473", "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", "https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic 
Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "type": "eql", "version": 107}, "id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_108.json b/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_108.json
deleted file mode 100644
index b7011fd9914..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.", "false_positives": ["Legit Application Crash with rare Werfault commandline value"], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Windows Error Manager Masquerading", "note": "## Triage and analysis\n\n### Investigating Potential Windows Error Manager Masquerading\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [process where host.os.type == \"windows\" and event.type:\"start\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and destination.ip !=\"::1\" and destination.ip !=\"127.0.0.1\"\n ]\n", "references": ["https://twitter.com/SBousseaden/status/1235533224337641473", "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", "https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic 
Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "type": "eql", "version": 108}, "id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_109.json b/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_109.json
deleted file mode 100644
index 06a4f9eab95..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6ea41894-66c3-4df7-ad6b-2c5074eb3df8_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious instances of the Windows Error Reporting process (WerFault.exe or Wermgr.exe) with matching command-line and process executable values performing outgoing network connections. This may be indicative of a masquerading attempt to evade suspicious child process behavior detections.", "false_positives": ["Legit Application Crash with rare Werfault commandline value"], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Windows Error Manager Masquerading", "note": "## Triage and analysis\n\n### Investigating Potential Windows Error Manager Masquerading\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `wermgr.exe` or `WerFault.exe`, by looking for a process creation with no arguments followed by a network connection.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan = 5s\n [process where host.os.type == \"windows\" and event.type:\"start\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : (\"wermgr.exe\", \"WerFault.exe\") and network.protocol != \"dns\" and\n network.direction : (\"outgoing\", \"egress\") and destination.ip !=\"::1\" and destination.ip !=\"127.0.0.1\"\n ]\n", "references": ["https://twitter.com/SBousseaden/status/1235533224337641473", "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", "https://app.any.run/tasks/26051d84-b68e-4afb-8a9a-76921a271b81/", "https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat 
Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "type": "eql", "version": 109}, "id": "6ea41894-66c3-4df7-ad6b-2c5074eb3df8_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922.json b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922.json
deleted file mode 100644
index 09ade02c101..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Security Software Discovery using WMIC", "note": "## Triage and analysis\n\n### Investigating Security Software Discovery using WMIC\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `wmic` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(process.name : \"wmic.exe\" or ?process.pe.original_file_name : \"wmic.exe\") and\nprocess.args : \"/namespace:\\\\\\\\root\\\\SecurityCenter2\" and process.args : \"Get\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "6ea55c81-e2ba-42f2-a134-bccf857ba922", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to 
work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "6ea55c81-e2ba-42f2-a134-bccf857ba922", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_104.json b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_104.json
deleted file mode 100644
index df320e9eab5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Security Software Discovery using WMIC", "note": "## Triage and analysis\n\n### Investigating Security Software Discovery using WMIC\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `wmic` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name:\"wmic.exe\" or process.pe.original_file_name:\"wmic.exe\") and\n process.args:\"/namespace:\\\\\\\\root\\\\SecurityCenter2\" and process.args:\"Get\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "6ea55c81-e2ba-42f2-a134-bccf857ba922", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate 
`event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "6ea55c81-e2ba-42f2-a134-bccf857ba922_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_105.json b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_105.json deleted file mode 100644 index 6cabe732921..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Security Software Discovery using WMIC", "note": "## Triage and analysis\n\n### Investigating Security Software Discovery using WMIC\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `wmic` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name:\"wmic.exe\" or process.pe.original_file_name:\"wmic.exe\") and\n process.args:\"/namespace:\\\\\\\\root\\\\SecurityCenter2\" and process.args:\"Get\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "6ea55c81-e2ba-42f2-a134-bccf857ba922", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate 
`event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "6ea55c81-e2ba-42f2-a134-bccf857ba922_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_106.json b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_106.json deleted file mode 100644 index edeb3a6d0e6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Security Software Discovery using WMIC", "note": "## Triage and analysis\n\n### Investigating Security Software Discovery using WMIC\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `wmic` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name:\"wmic.exe\" or process.pe.original_file_name:\"wmic.exe\") and\n process.args:\"/namespace:\\\\\\\\root\\\\SecurityCenter2\" and process.args:\"Get\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "6ea55c81-e2ba-42f2-a134-bccf857ba922", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate 
`event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "6ea55c81-e2ba-42f2-a134-bccf857ba922_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_107.json b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_107.json deleted file mode 100644 index 8444d986253..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Security Software Discovery using WMIC", "note": "## Triage and analysis\n\n### Investigating Security Software Discovery using WMIC\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `wmic` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(process.name : \"wmic.exe\" or process.pe.original_file_name : \"wmic.exe\") and\nprocess.args : \"/namespace:\\\\\\\\root\\\\SecurityCenter2\" and process.args : \"Get\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "6ea55c81-e2ba-42f2-a134-bccf857ba922", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to 
populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "6ea55c81-e2ba-42f2-a134-bccf857ba922_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_108.json b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_108.json deleted file mode 100644 index f420eeff2aa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Security Software Discovery using WMIC", "note": "## Triage and analysis\n\n### Investigating Security Software Discovery using WMIC\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `wmic` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(process.name : \"wmic.exe\" or process.pe.original_file_name : \"wmic.exe\") and\nprocess.args : \"/namespace:\\\\\\\\root\\\\SecurityCenter2\" and process.args : \"Get\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "6ea55c81-e2ba-42f2-a134-bccf857ba922", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to 
populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "6ea55c81-e2ba-42f2-a134-bccf857ba922_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_109.json b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_109.json deleted file mode 100644 index 752052c574b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Security Software Discovery using WMIC", "note": "## Triage and analysis\n\n### Investigating Security Software Discovery using WMIC\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `wmic` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(process.name : \"wmic.exe\" or process.pe.original_file_name : \"wmic.exe\") and\nprocess.args : \"/namespace:\\\\\\\\root\\\\SecurityCenter2\" and process.args : \"Get\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "6ea55c81-e2ba-42f2-a134-bccf857ba922", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work 
effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "6ea55c81-e2ba-42f2-a134-bccf857ba922_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_110.json b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_110.json deleted file mode 100644 index 8c813db02ef..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Security Software Discovery using WMIC", "note": "## Triage and analysis\n\n### Investigating Security Software Discovery using WMIC\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `wmic` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(process.name : \"wmic.exe\" or process.pe.original_file_name : \"wmic.exe\") and\nprocess.args : \"/namespace:\\\\\\\\root\\\\SecurityCenter2\" and process.args : \"Get\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "6ea55c81-e2ba-42f2-a134-bccf857ba922", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to 
work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "6ea55c81-e2ba-42f2-a134-bccf857ba922_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_111.json b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_111.json deleted file mode 100644 index 2ec4e158a5a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Security Software Discovery using WMIC", "note": "## Triage and analysis\n\n### Investigating Security Software Discovery using WMIC\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `wmic` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(process.name : \"wmic.exe\" or ?process.pe.original_file_name : \"wmic.exe\") and\nprocess.args : \"/namespace:\\\\\\\\root\\\\SecurityCenter2\" and process.args : \"Get\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "6ea55c81-e2ba-42f2-a134-bccf857ba922", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to 
work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "6ea55c81-e2ba-42f2-a134-bccf857ba922_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_112.json b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_112.json deleted file mode 100644 index 0a27961e4e3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_112.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Security Software Discovery using WMIC", "note": "## Triage and analysis\n\n### Investigating Security Software Discovery using WMIC\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `wmic` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(process.name : \"wmic.exe\" or ?process.pe.original_file_name : \"wmic.exe\") and\nprocess.args : \"/namespace:\\\\\\\\root\\\\SecurityCenter2\" and process.args : \"Get\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "6ea55c81-e2ba-42f2-a134-bccf857ba922", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to 
work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "6ea55c81-e2ba-42f2-a134-bccf857ba922_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_113.json b/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_113.json deleted file mode 100644 index ee4ed09865f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6ea55c81-e2ba-42f2-a134-bccf857ba922_113.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Windows Management Instrumentation Command (WMIC) to discover certain System Security Settings such as AntiVirus or Host Firewall details.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Security Software Discovery using WMIC", "note": "## Triage and analysis\n\n### Investigating Security Software Discovery using WMIC\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `wmic` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(process.name : \"wmic.exe\" or ?process.pe.original_file_name : \"wmic.exe\") and\nprocess.args : \"/namespace:\\\\\\\\root\\\\SecurityCenter2\" and process.args : \"Get\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "6ea55c81-e2ba-42f2-a134-bccf857ba922", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to 
work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "6ea55c81-e2ba-42f2-a134-bccf857ba922_113", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e.json b/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e.json deleted file mode 100644 index 784bf211692..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Tunneling and/or Port Forwarding", "note": "## Triage and analysis\n\n### Investigating Potential Linux Tunneling and/or Port Forwarding\n\nAttackers can leverage many utilities to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems.\n\nThis rule looks for several utilities that are capable of setting up tunnel network communications by analyzing process names or command line arguments. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n- Suspicious Utility Launched via ProxyChains - 6ace94ba-f02c-4d55-9f53-87d99b6f9af4\n- ProxyChains Activity - 4b868f1f-15ff-4ba3-8c11-d5a7a6356d37\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses port tunneling/forwarding for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and (\n (\n // gost & pivotnacci - spawned without process.parent.name\n (process.name == \"gost\" and process.args : (\"-L*\", \"-C*\", \"-R*\")) or (process.name == \"pivotnacci\")) or (\n // ssh\n (process.name in (\"ssh\", \"sshd\") and (process.args in (\"-R\", \"-L\", \"-D\", \"-w\") and process.args_count >= 4 and \n not process.args : \"chmod\")) or\n // sshuttle\n (process.name == \"sshuttle\" and process.args in (\"-r\", \"--remote\", \"-l\", \"--listen\") and process.args_count >= 4) or\n // socat\n (process.name == \"socat\" and process.args : (\"TCP4-LISTEN:*\", \"SOCKS*\") and process.args_count >= 3) or\n // chisel\n (process.name : \"chisel*\" and process.args in (\"client\", \"server\")) or\n // iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy & ngrok \n (process.name in (\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"))\n ) and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n)\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, 
"name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6ee947e9-de7e-4281-a55d-09289bdf947e", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "6ee947e9-de7e-4281-a55d-09289bdf947e", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_1.json b/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_1.json deleted file mode 100644 index b29a82013da..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Tunneling and/or Port Forwarding", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and ((\n// gost & pivotnacci - spawned without process.parent.name\n(process.name == \"gost\" and process.args : (\"-L*\", \"-C*\", \"-R*\")) or (process.name == \"pivotnacci\")) or (\n// ssh\n(process.name in (\"ssh\", \"sshd\") and (process.args in (\"-R\", \"-L\", \"D\", \"-w\") and process.args_count >= 4)) or\n// sshuttle\n(process.name == \"sshuttle\" and process.args in (\"-r\", \"--remote\", \"-l\", \"--listen\") and process.args_count >= 4) or\n// socat\n(process.name == \"socat\" and process.args : (\"TCP4-LISTEN:*\", \"SOCKS*\") and process.args_count >= 3) or\n// chisel\n(process.name : \"chisel*\" and process.args in (\"client\", \"server\")) or\n// iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy & ngrok \n(process.name in (\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"))\n) and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"))\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": 
"event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6ee947e9-de7e-4281-a55d-09289bdf947e", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "6ee947e9-de7e-4281-a55d-09289bdf947e_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_2.json b/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_2.json deleted file mode 100644 index 5557213fab5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Tunneling and/or Port Forwarding", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and ((\n // gost & pivotnacci - spawned without process.parent.name\n (process.name == \"gost\" and process.args : (\"-L*\", \"-C*\", \"-R*\")) or (process.name == \"pivotnacci\")) or (\n // ssh\n (process.name in (\"ssh\", \"sshd\") and (process.args in (\"-R\", \"-L\", \"D\", \"-w\") and process.args_count >= 4 and \n not process.args : \"chmod\")) or\n // sshuttle\n (process.name == \"sshuttle\" and process.args in (\"-r\", \"--remote\", \"-l\", \"--listen\") and process.args_count >= 4) or\n // socat\n (process.name == \"socat\" and process.args : (\"TCP4-LISTEN:*\", \"SOCKS*\") and process.args_count >= 3) or\n // chisel\n (process.name : \"chisel*\" and process.args in (\"client\", \"server\")) or\n // iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy & ngrok \n (process.name in (\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"))\n ) and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n)\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"], "related_integrations": [{"package": "endpoint", "version": 
"^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6ee947e9-de7e-4281-a55d-09289bdf947e", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "6ee947e9-de7e-4281-a55d-09289bdf947e_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_3.json b/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_3.json deleted file mode 100644 index 9e0035f07fa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Tunneling and/or Port Forwarding", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and ((\n // gost & pivotnacci - spawned without process.parent.name\n (process.name == \"gost\" and process.args : (\"-L*\", \"-C*\", \"-R*\")) or (process.name == \"pivotnacci\")) or (\n // ssh\n (process.name in (\"ssh\", \"sshd\") and (process.args in (\"-R\", \"-L\", \"D\", \"-w\") and process.args_count >= 4 and \n not process.args : \"chmod\")) or\n // sshuttle\n (process.name == \"sshuttle\" and process.args in (\"-r\", \"--remote\", \"-l\", \"--listen\") and process.args_count >= 4) or\n // socat\n (process.name == \"socat\" and process.args : (\"TCP4-LISTEN:*\", \"SOCKS*\") and process.args_count >= 3) or\n // chisel\n (process.name : \"chisel*\" and process.args in (\"client\", \"server\")) or\n // iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy & ngrok \n (process.name in (\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"))\n ) and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n)\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"], "related_integrations": [{"package": "endpoint", "version": 
"^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6ee947e9-de7e-4281-a55d-09289bdf947e", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "6ee947e9-de7e-4281-a55d-09289bdf947e_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_4.json b/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_4.json deleted file mode 100644 index 9f2c06b23ce..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Tunneling and/or Port Forwarding", "note": "## Triage and analysis\n\n### Investigating Potential Linux Tunneling and/or Port Forwarding\n\nAttackers can leverage many utilities to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems.\n\nThis rule looks for several utilities that are capable of setting up tunnel network communications by analyzing process names or command line arguments. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n- Suspicious Utility Launched via ProxyChains - 6ace94ba-f02c-4d55-9f53-87d99b6f9af4\n- ProxyChains Activity - 4b868f1f-15ff-4ba3-8c11-d5a7a6356d37\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses port tunneling/forwarding for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and ((\n // gost & pivotnacci - spawned without process.parent.name\n (process.name == \"gost\" and process.args : (\"-L*\", \"-C*\", \"-R*\")) or (process.name == \"pivotnacci\")) or (\n // ssh\n (process.name in (\"ssh\", \"sshd\") and (process.args in (\"-R\", \"-L\", \"D\", \"-w\") and process.args_count >= 4 and \n not process.args : \"chmod\")) or\n // sshuttle\n (process.name == \"sshuttle\" and process.args in (\"-r\", \"--remote\", \"-l\", \"--listen\") and process.args_count >= 4) or\n // socat\n (process.name == \"socat\" and process.args : (\"TCP4-LISTEN:*\", \"SOCKS*\") and process.args_count >= 3) or\n // chisel\n (process.name : \"chisel*\" and process.args in (\"client\", \"server\")) or\n // iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy & ngrok \n (process.name in (\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"))\n ) and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n)\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", 
"type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6ee947e9-de7e-4281-a55d-09289bdf947e", "setup": "This rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "6ee947e9-de7e-4281-a55d-09289bdf947e_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_5.json b/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_5.json deleted file mode 100644 index 2120adca1ff..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Tunneling and/or Port Forwarding", "note": "## Triage and analysis\n\n### Investigating Potential Linux Tunneling and/or Port Forwarding\n\nAttackers can leverage many utilities to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems.\n\nThis rule looks for several utilities that are capable of setting up tunnel network communications by analyzing process names or command line arguments. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n- Suspicious Utility Launched via ProxyChains - 6ace94ba-f02c-4d55-9f53-87d99b6f9af4\n- ProxyChains Activity - 4b868f1f-15ff-4ba3-8c11-d5a7a6356d37\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses port tunneling/forwarding for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\nevent.type == \"start\" and (\n (\n // gost & pivotnacci - spawned without process.parent.name\n (process.name == \"gost\" and process.args : (\"-L*\", \"-C*\", \"-R*\")) or (process.name == \"pivotnacci\")) or (\n // ssh\n (process.name in (\"ssh\", \"sshd\") and (process.args in (\"-R\", \"-L\", \"D\", \"-w\") and process.args_count >= 4 and \n not process.args : \"chmod\")) or\n // sshuttle\n (process.name == \"sshuttle\" and process.args in (\"-r\", \"--remote\", \"-l\", \"--listen\") and process.args_count >= 4) or\n // socat\n (process.name == \"socat\" and process.args : (\"TCP4-LISTEN:*\", \"SOCKS*\") and process.args_count >= 3) or\n // chisel\n (process.name : \"chisel*\" and process.args in (\"client\", \"server\")) or\n // iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy & ngrok \n (process.name in (\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"))\n ) and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n)\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, 
"name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6ee947e9-de7e-4281-a55d-09289bdf947e", "setup": "This rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "6ee947e9-de7e-4281-a55d-09289bdf947e_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_6.json b/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_6.json deleted file mode 100644 index 9bccdf9d7a0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Tunneling and/or Port Forwarding", "note": "## Triage and analysis\n\n### Investigating Potential Linux Tunneling and/or Port Forwarding\n\nAttackers can leverage many utilities to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems.\n\nThis rule looks for several utilities that are capable of setting up tunnel network communications by analyzing process names or command line arguments. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n- Suspicious Utility Launched via ProxyChains - 6ace94ba-f02c-4d55-9f53-87d99b6f9af4\n- ProxyChains Activity - 4b868f1f-15ff-4ba3-8c11-d5a7a6356d37\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses port tunneling/forwarding for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and (\n (\n // gost & pivotnacci - spawned without process.parent.name\n (process.name == \"gost\" and process.args : (\"-L*\", \"-C*\", \"-R*\")) or (process.name == \"pivotnacci\")) or (\n // ssh\n (process.name in (\"ssh\", \"sshd\") and (process.args in (\"-R\", \"-L\", \"D\", \"-w\") and process.args_count >= 4 and \n not process.args : \"chmod\")) or\n // sshuttle\n (process.name == \"sshuttle\" and process.args in (\"-r\", \"--remote\", \"-l\", \"--listen\") and process.args_count >= 4) or\n // socat\n (process.name == \"socat\" and process.args : (\"TCP4-LISTEN:*\", \"SOCKS*\") and process.args_count >= 3) or\n // chisel\n (process.name : \"chisel*\" and process.args in (\"client\", \"server\")) or\n // iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy & ngrok \n (process.name in (\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"))\n ) and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n)\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, 
"name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "6ee947e9-de7e-4281-a55d-09289bdf947e", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "6ee947e9-de7e-4281-a55d-09289bdf947e_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6f024bde-7085-489b-8250-5957efdf1caf.json b/packages/security_detection_engine/kibana/security_rule/6f024bde-7085-489b-8250-5957efdf1caf.json deleted file mode 100644 index a1fd71705da..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6f024bde-7085-489b-8250-5957efdf1caf.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a user being added to an active directory group by the SYSTEM (S-1-5-18) user. This behavior can indicate that the attacker has achieved SYSTEM privileges in a domain controller, which attackers can obtain by exploiting vulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain account.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "eql", "license": "Elastic License v2", "name": "Active Directory Group Modification by SYSTEM", "query": "iam where winlog.api == \"wineventlog\" and event.code == \"4728\" and\nwinlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n\n/* DOMAIN_USERS and local groups */\nnot group.id : \"S-1-5-21-*-513\"\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "group.id", "type": "keyword"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 47, "rule_id": "6f024bde-7085-489b-8250-5957efdf1caf", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", 
"reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "6f024bde-7085-489b-8250-5957efdf1caf", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6f024bde-7085-489b-8250-5957efdf1caf_1.json b/packages/security_detection_engine/kibana/security_rule/6f024bde-7085-489b-8250-5957efdf1caf_1.json deleted file mode 100644 index 0f30299ba26..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6f024bde-7085-489b-8250-5957efdf1caf_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a user being added to an active directory group by the SYSTEM (S-1-5-18) user. This behavior can indicate that the attacker has achieved SYSTEM privileges in a domain controller, which attackers can obtain by exploiting vulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain account.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "eql", "license": "Elastic License v2", "name": "Active Directory Group Modification by SYSTEM", "query": "iam where winlog.api == \"wineventlog\" and event.code == \"4728\" and\nwinlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n\n/* DOMAIN_USERS and local groups */\nnot group.id : \"S-1-5-21-*-513\"\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "group.id", "type": "keyword"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 47, "rule_id": "6f024bde-7085-489b-8250-5957efdf1caf", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": 
"https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "6f024bde-7085-489b-8250-5957efdf1caf_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6f024bde-7085-489b-8250-5957efdf1caf_2.json b/packages/security_detection_engine/kibana/security_rule/6f024bde-7085-489b-8250-5957efdf1caf_2.json deleted file mode 100644 index cc83bc07ddf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6f024bde-7085-489b-8250-5957efdf1caf_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a user being added to an active directory group by the SYSTEM (S-1-5-18) user. This behavior can indicate that the attacker has achieved SYSTEM privileges in a domain controller, which attackers can obtain by exploiting vulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain account.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "eql", "license": "Elastic License v2", "name": "Active Directory Group Modification by SYSTEM", "query": "iam where winlog.api == \"wineventlog\" and event.code == \"4728\" and\nwinlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n\n/* DOMAIN_USERS and local groups */\nnot group.id : \"S-1-5-21-*-513\"\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "group.id", "type": "keyword"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 47, "rule_id": "6f024bde-7085-489b-8250-5957efdf1caf", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", 
"reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "6f024bde-7085-489b-8250-5957efdf1caf_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd.json b/packages/security_detection_engine/kibana/security_rule/6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd.json deleted file mode 100644 index 0ce81032821..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the first occurrence of an Okta user session started via a proxy.", "history_window_start": "now-7d", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "First Occurrence of Okta User Session Started via Proxy", "new_terms_fields": ["okta.actor.id", "cloud.account.id"], "note": "## Triage and analysis\n\n### Investigating First Occurrence of Okta User Session Started via Proxy\n\nThis rule detects the first occurrence of an Okta user session started via a proxy. This rule is designed to help identify suspicious authentication behavior that may be indicative of an attacker attempting to gain access to an Okta account while remaining anonymous. This rule leverages the New Terms rule type feature where the `okta.actor.id` value is checked against the previous 7 days of data to determine if the value has been seen before for this activity.\n\n#### Possible investigation steps:\n- Identify the user involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the client used by the actor. 
Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- Examine the `okta.debug_context.debug_data.flattened` field for more information about the proxy used.\n- Review the `okta.request.ip_chain` field for more information about the geographic location of the proxy.\n- Review the past activities of the actor involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n\n### Response and remediation:\n- Review the profile of the user involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting the user's password and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the user.\n- If the user is not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n\n## Setup", "query": "event.dataset:okta.system and okta.event_type: (user.session.start or user.authentication.verify) and okta.security_context.is_proxy:true and not okta.actor.id: okta*\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/#issuer-object", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"], "related_integrations": 
[{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}, {"ecs": false, "name": "okta.security_context.is_proxy", "type": "boolean"}], "risk_score": 47, "rule_id": "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1133", "name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_1.json b/packages/security_detection_engine/kibana/security_rule/6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_1.json deleted file mode 100644 index 69290067e42..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the first occurrence of an Okta user session started via a proxy.", "history_window_start": "now-7d", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "First Occurrence of Okta User Session Started via Proxy", "new_terms_fields": ["okta.actor.id", "cloud.account.id"], "note": "## Triage and analysis\n\n### Investigating First Occurrence of Okta User Session Started via Proxy\n\nThis rule detects the first occurrence of an Okta user session started via a proxy. This rule is designed to help identify suspicious authentication behavior that may be indicative of an attacker attempting to gain access to an Okta account while remaining anonymous. This rule leverages the New Terms rule type feature where the `okta.actor.id` value is checked against the previous 7 days of data to determine if the value has been seen before for this activity.\n\n#### Possible investigation steps:\n- Identify the user involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the client used by the actor. 
Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- Examine the `okta.debug_context.debug_data.flattened` field for more information about the proxy used.\n- Review the `okta.request.ip_chain` field for more information about the geographic location of the proxy.\n- Review the past activities of the actor involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n\n### Response and remediation:\n- Review the profile of the user involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting the user's password and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the user.\n- If the user is not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n\n## Setup", "query": "event.dataset:okta.system and okta.event_type: (user.session.start or user.authentication.verify) and okta.security_context.is_proxy:true and not okta.actor.id: okta*\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/#issuer-object", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"], "related_integrations": 
[{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}, {"ecs": false, "name": "okta.security_context.is_proxy", "type": "boolean"}], "risk_score": 47, "rule_id": "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1133", "name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_104.json b/packages/security_detection_engine/kibana/security_rule/6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_104.json new file mode 100644 index 00000000000..e0f81d97639 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_104.json 
@@ -0,0 +1,90 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies the first occurrence of an Okta user session started via a proxy.",
+ "history_window_start": "now-7d",
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "First Occurrence of Okta User Session Started via Proxy",
+ "new_terms_fields": [
+ "okta.actor.id",
+ "cloud.account.id"
+ ],
+ "note": "## Triage and analysis\n\n### Investigating First Occurrence of Okta User Session Started via Proxy\n\nThis rule detects the first occurrence of an Okta user session started via a proxy. This rule is designed to help identify suspicious authentication behavior that may be indicative of an attacker attempting to gain access to an Okta account while remaining anonymous. This rule leverages the New Terms rule type feature where the `okta.actor.id` value is checked against the previous 7 days of data to determine if the value has been seen before for this activity.\n\n#### Possible investigation steps:\n- Identify the user involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- Examine the `okta.debug_context.debug_data.flattened` field for more information about the proxy used.\n- Review the `okta.request.ip_chain` field for more information about the geographic location of the proxy.\n- Review the past activities of the actor involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n\n### Response and remediation:\n- Review the profile of the user involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting the user's password and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the user.\n- If the user is not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n\n## Setup",
+ "query": "event.dataset:okta.system and okta.event_type: (user.session.start or user.authentication.verify) and okta.security_context.is_proxy:true and not okta.actor.id: okta*\n",
+ "references": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://developer.okta.com/docs/reference/api/system-log/#issuer-object",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "okta.actor.id",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "okta.event_type",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "okta.security_context.is_proxy",
+ "type": "boolean"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Tactic: Initial Access",
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1133",
+ "name": "External Remote Services",
+ "reference": "https://attack.mitre.org/techniques/T1133/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "new_terms",
+ "version": 104
+ },
+ "id": "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_104",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_2.json b/packages/security_detection_engine/kibana/security_rule/6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_2.json
deleted file mode 100644
index 2d97c5b9d9c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_2.json
+++ /dev/null
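Review bot: The `note` text in this hunk says the New Terms check is keyed on the `okta.actor.id` value alone, but `new_terms_fields` pairs it with `cloud.account.id`, so an analyst reading the guide would misjudge what "first occurrence" means when several Okta tenants feed the same index; the sentence should read "where the combination of `okta.actor.id` and `cloud.account.id` is checked against the previous 7 days of data". The same `note` also ends with a bare `## Setup` heading that has no body, while the setup text lives in the separate `setup` field, so either drop the heading or move the text under it. The rule ships a full triage guide yet its `tags` array lacks the `Resources: Investigation Guide` tag that the Google Workspace rule versions further down in this diff carry for the same purpose. `required_fields` also omits `cloud.account.id` although the new-terms key depends on it; it is worth confirming whether the rule generator is expected to list new-terms fields there or only fields referenced in `query`.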
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the first occurrence of an Okta user session started via a proxy.", "history_window_start": "now-7d", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "First Occurrence of Okta User Session Started via Proxy", "new_terms_fields": ["okta.actor.id", "cloud.account.id"], "note": "## Triage and analysis\n\n### Investigating First Occurrence of Okta User Session Started via Proxy\n\nThis rule detects the first occurrence of an Okta user session started via a proxy. This rule is designed to help identify suspicious authentication behavior that may be indicative of an attacker attempting to gain access to an Okta account while remaining anonymous. This rule leverages the New Terms rule type feature where the `okta.actor.id` value is checked against the previous 7 days of data to determine if the value has been seen before for this activity.\n\n#### Possible investigation steps:\n- Identify the user involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the client used by the actor. 
Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- Examine the `okta.debug_context.debug_data.flattened` field for more information about the proxy used.\n- Review the `okta.request.ip_chain` field for more information about the geographic location of the proxy.\n- Review the past activities of the actor involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n\n### Response and remediation:\n- Review the profile of the user involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting the user's password and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the user.\n- If the user is not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n\n## Setup", "query": "event.dataset:okta.system and okta.event_type: (user.session.start or user.authentication.verify) and okta.security_context.is_proxy:true and not okta.actor.id: okta*\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/#issuer-object", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", 
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}, {"ecs": false, "name": "okta.security_context.is_proxy", "type": "boolean"}], "risk_score": 47, "rule_id": "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1133", "name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_4.json b/packages/security_detection_engine/kibana/security_rule/6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_4.json deleted file mode 100644 index 2e678b5d550..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the first occurrence of an Okta user session started via a proxy.", "history_window_start": "now-7d", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "First Occurrence of Okta User Session Started via Proxy", "new_terms_fields": ["okta.actor.id", "cloud.account.id"], "note": "## Triage and analysis\n\n### Investigating First Occurrence of Okta User Session Started via Proxy\n\nThis rule detects the first occurrence of an Okta user session started via a proxy. This rule is designed to help identify suspicious authentication behavior that may be indicative of an attacker attempting to gain access to an Okta account while remaining anonymous. This rule leverages the New Terms rule type feature where the `okta.actor.id` value is checked against the previous 7 days of data to determine if the value has been seen before for this activity.\n\n#### Possible investigation steps:\n- Identify the user involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the client used by the actor. 
Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- Examine the `okta.debug_context.debug_data.flattened` field for more information about the proxy used.\n- Review the `okta.request.ip_chain` field for more information about the geographic location of the proxy.\n- Review the past activities of the actor involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n\n### Response and remediation:\n- Review the profile of the user involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting the user's password and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the user.\n- If the user is not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n\n## Setup", "query": "event.dataset:okta.system and okta.event_type: (user.session.start or user.authentication.verify) and okta.security_context.is_proxy:true and not okta.actor.id: okta*\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/#issuer-object", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", 
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}, {"ecs": false, "name": "okta.security_context.is_proxy", "type": "boolean"}], "risk_score": 47, "rule_id": "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1133", "name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 4}, "id": "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5.json b/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5.json deleted file mode 100644 index e6421ae9ce3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.", "false_positives": ["Google Workspace admin roles may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Role Modified", "note": "## Triage and analysis\n\n### Investigating Google Workspace Role Modified\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt admin roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred. Each Google Workspace service has a set of custodial privileges that can be added to custom roles.\n\nRoles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Threat actors might modify existing roles with new privileges to advance their intrusion efforts and laterally move throughout the organization. 
Users with unexpected privileges might also cause operational dysfunction if unfamiliar settings are adjusted without warning.\n\nThis rule identifies when a Google Workspace role is modified.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- Identify the role modified by reviewing the `google_workspace.admin.role.name` field in the alert.\n- Identify the privilege that was added or removed by reviewing the `google_workspace.admin.privilege.name` field in the alert.\n- After identifying the involved user, verify administrative privileges are scoped properly.\n- To identify other users with this role, search for `event.action: ASSIGN_ROLE`\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\n - Adjust the relative time accordingly to identify all users that were assigned this role.\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\n- If a privilege was added, monitor users assigned this role for the next 24 hours and look for attempts to use the new privilege.\n - The `event.provider` field will help filter for specific services in Google Workspace such as Drive or Admin.\n - The `event.action` field will help trace actions that are being taken by users.\n\n### False positive analysis\n\n- After identifying the user account that modified the role, verify the action was intentional.\n- Verify that the user is expected to have administrative privileges in Google Workspace to modify roles.\n- Review organizational units or groups the role might have been added to and ensure the new privileges align properly.\n- Use the `user.name` to filter for `event.action` where `ADD_PRIVILEGE` or `UPDATE_ROLE` has been seen before to check if these actions are new or historical.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or 
limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)\n", "references": ["https://support.google.com/a/answer/2406043?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "6f435062-b7fc-4af9-acea-5b1ead65c5a5", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "6f435062-b7fc-4af9-acea-5b1ead65c5a5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_203.json b/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_203.json deleted file mode 100644 index 0372f4f48da..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_203.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.", "false_positives": ["Google Workspace admin roles may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Role Modified", "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)\n", "references": ["https://support.google.com/a/answer/2406043?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "6f435062-b7fc-4af9-acea-5b1ead65c5a5", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 203}, "id": "6f435062-b7fc-4af9-acea-5b1ead65c5a5_203", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_204.json b/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_204.json deleted file mode 100644 index 2f6f4f31041..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_204.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.", "false_positives": ["Google Workspace admin roles may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Role Modified", "note": "## Triage and analysis\n\n### Investigating Google Workspace Role Modified\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt admin roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred. Each Google Workspace service has a set of custodial privileges that can be added to custom roles.\n\nRoles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Threat actors might modify existing roles with new privileges to advance their intrusion efforts and laterally move throughout the organization. 
Users with unexpected privileges might also cause operational dysfunction if unfamiliar settings are adjusted without warning.\n\nThis rule identifies when a Google Workspace role is modified.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- Identify the role modified by reviewing the `google_workspace.admin.role.name` field in the alert.\n- Identify the privilege that was added or removed by reviewing the `google_workspace.admin.privilege.name` field in the alert.\n- After identifying the involved user, verify administrative privileges are scoped properly.\n- To identify other users with this role, search for `event.action: ASSIGN_ROLE`\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\n - Adjust the relative time accordingly to identify all users that were assigned this role.\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\n- If a privilege was added, monitor users assigned this role for the next 24 hours and look for attempts to use the new privilege.\n - The `event.provider` field will help filter for specific services in Google Workspace such as Drive or Admin.\n - The `event.action` field will help trace actions that are being taken by users.\n\n### False positive analysis\n\n- After identifying the user account that modified the role, verify the action was intentional.\n- Verify that the user is expected to have administrative privileges in Google Workspace to modify roles.\n- Review organizational units or groups the role might have been added to and ensure the new privileges align properly.\n- Use the `user.name` to filter for `event.action` where `ADD_PRIVILEGE` or `UPDATE_ROLE` has been seen before to check if these actions are new or historical.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or 
limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)\n", "references": ["https://support.google.com/a/answer/2406043?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "6f435062-b7fc-4af9-acea-5b1ead65c5a5", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 204}, "id": "6f435062-b7fc-4af9-acea-5b1ead65c5a5_204", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_205.json b/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_205.json deleted file mode 100644 index 264a7c81769..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/6f435062-b7fc-4af9-acea-5b1ead65c5a5_205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.", "false_positives": ["Google Workspace admin roles may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Role Modified", "note": "## Triage and analysis\n\n### Investigating Google Workspace Role Modified\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt admin roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred. Each Google Workspace service has a set of custodial privileges that can be added to custom roles.\n\nRoles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Threat actors might modify existing roles with new privileges to advance their intrusion efforts and laterally move throughout the organization. 
Users with unexpected privileges might also cause operational dysfunction if unfamiliar settings are adjusted without warning.\n\nThis rule identifies when a Google Workspace role is modified.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- Identify the role modified by reviewing the `google_workspace.admin.role.name` field in the alert.\n- Identify the privilege that was added or removed by reviewing the `google_workspace.admin.privilege.name` field in the alert.\n- After identifying the involved user, verify administrative privileges are scoped properly.\n- To identify other users with this role, search for `event.action: ASSIGN_ROLE`\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\n - Adjust the relative time accordingly to identify all users that were assigned this role.\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\n- If a privilege was added, monitor users assigned this role for the next 24 hours and look for attempts to use the new privilege.\n - The `event.provider` field will help filter for specific services in Google Workspace such as Drive or Admin.\n - The `event.action` field will help trace actions that are being taken by users.\n\n### False positive analysis\n\n- After identifying the user account that modified the role, verify the action was intentional.\n- Verify that the user is expected to have administrative privileges in Google Workspace to modify roles.\n- Review organizational units or groups the role might have been added to and ensure the new privileges align properly.\n- Use the `user.name` to filter for `event.action` where `ADD_PRIVILEGE` or `UPDATE_ROLE` has been seen before to check if these actions are new or historical.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or 
limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ADD_PRIVILEGE or UPDATE_ROLE)\n", "references": ["https://support.google.com/a/answer/2406043?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "6f435062-b7fc-4af9-acea-5b1ead65c5a5", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "6f435062-b7fc-4af9-acea-5b1ead65c5a5_205", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab.json b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab.json deleted file mode 100644 index 14e2c8b948a..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses.", "false_positives": ["Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Deleted", "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Deleted\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\n\nThis rule identifies the deletion of an AWS log trail using the API `DeleteTrail` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to 
identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": 
"keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "7024e2a0-315d-4334-bb1a-441c593e16ab", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "7024e2a0-315d-4334-bb1a-441c593e16ab", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_105.json b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_105.json deleted file mode 100644 index 76989e8d6c9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses.", "false_positives": ["Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Deleted", "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Deleted\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\n\nThis rule identifies the deletion of an AWS log trail using the API `DeleteTrail` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to 
identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": 
"keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "7024e2a0-315d-4334-bb1a-441c593e16ab", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Log Auditing", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "7024e2a0-315d-4334-bb1a-441c593e16ab_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_106.json b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_106.json deleted file mode 100644 index 15c75324918..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses.", "false_positives": ["Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Deleted", "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Deleted\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\n\nThis rule identifies the deletion of an AWS log trail using the API `DeleteTrail` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to 
identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": 
"keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "7024e2a0-315d-4334-bb1a-441c593e16ab", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "7024e2a0-315d-4334-bb1a-441c593e16ab_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_107.json b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_107.json deleted file mode 100644 index 51b5ce2efb1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses.", "false_positives": ["Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Deleted", "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Deleted\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\n\nThis rule identifies the deletion of an AWS log trail using the API `DeleteTrail` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to 
identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": 
"keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "7024e2a0-315d-4334-bb1a-441c593e16ab", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "7024e2a0-315d-4334-bb1a-441c593e16ab_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_208.json b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_208.json deleted file mode 100644 index 2744d07bfca..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_208.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses.", "false_positives": ["Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Deleted", "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Deleted\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\n\nThis rule identifies the deletion of an AWS log trail using the API `DeleteTrail` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to 
identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": 
"keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "7024e2a0-315d-4334-bb1a-441c593e16ab", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 208}, "id": "7024e2a0-315d-4334-bb1a-441c593e16ab_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_209.json b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_209.json deleted file mode 100644 index e2ec25c08c0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-441c593e16ab_209.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses.", "false_positives": ["Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudTrail Log Deleted", "note": "## Triage and analysis\n\n### Investigating AWS CloudTrail Log Deleted\n\nAmazon CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your Amazon Web Services account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your Amazon Web Services infrastructure. CloudTrail provides event history of your Amazon Web Services account activity, including actions taken through the Amazon Management Console, Amazon SDKs, command line tools, and other Amazon Web Services services. This event history simplifies security analysis, resource change tracking, and troubleshooting.\n\nThis rule identifies the deletion of an AWS log trail using the API `DeleteTrail` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log trail's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to 
identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:DeleteTrail and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": 
"keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "7024e2a0-315d-4334-bb1a-441c593e16ab", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "7024e2a0-315d-4334-bb1a-441c593e16ab_209", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc.json b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc.json deleted file mode 100644 index 33effc13165..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances.", "false_positives": ["Privileged IAM users with security responsibilities may be expected to make changes to the Config service in order to align with local security policies and requirements. Automation, orchestration, and security tools may also make changes to the Config service, where they are used to automate setup or configuration of AWS accounts. Other kinds of user or service contexts do not commonly make changes to this service."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Config Resource Deletion", "note": "## Triage and analysis\n\n### Investigating AWS Config Resource Deletion\n\nAWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.\n\nThis rule looks for the deletion of AWS Config resources using various API actions. Attackers can do this to cover their tracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the AWS resource that was involved and its criticality, ownership, and role in the environment. 
Also investigate if the resource is security-related.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the 
attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and\n event.action:(DeleteConfigRule or DeleteOrganizationConfigRule or DeleteConfigurationAggregator or\n DeleteConfigurationRecorder or DeleteConformancePack or DeleteOrganizationConformancePack or\n DeleteDeliveryChannel or DeleteRemediationConfiguration or DeleteRetentionConfiguration)\n", "references": ["https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html", "https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "7024e2a0-315d-4334-bb1a-552d604f27bc", 
"setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Resources: Investigation Guide", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "7024e2a0-315d-4334-bb1a-552d604f27bc", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_105.json b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_105.json deleted file mode 100644 index aed19b2f7e9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances.", "false_positives": ["Privileged IAM users with security responsibilities may be expected to make changes to the Config service in order to align with local security policies and requirements. Automation, orchestration, and security tools may also make changes to the Config service, where they are used to automate setup or configuration of AWS accounts. Other kinds of user or service contexts do not commonly make changes to this service."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Config Resource Deletion", "note": "## Triage and analysis\n\n### Investigating AWS Config Resource Deletion\n\nAWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.\n\nThis rule looks for the deletion of AWS Config resources using various API actions. Attackers can do this to cover their tracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the AWS resource that was involved and its criticality, ownership, and role in the environment. 
Also investigate if the resource is security-related.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the 
attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and\n event.action:(DeleteConfigRule or DeleteOrganizationConfigRule or DeleteConfigurationAggregator or\n DeleteConfigurationRecorder or DeleteConformancePack or DeleteOrganizationConformancePack or\n DeleteDeliveryChannel or DeleteRemediationConfiguration or DeleteRetentionConfiguration)\n", "references": ["https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html", "https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "7024e2a0-315d-4334-bb1a-552d604f27bc", 
"setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "7024e2a0-315d-4334-bb1a-552d604f27bc_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_106.json b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_106.json deleted file mode 100644 index 04f0d70a305..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_106.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances.", "false_positives": ["Privileged IAM users with security responsibilities may be expected to make changes to the Config service in order to align with local security policies and requirements. Automation, orchestration, and security tools may also make changes to the Config service, where they are used to automate setup or configuration of AWS accounts. Other kinds of user or service contexts do not commonly make changes to this service."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Config Resource Deletion", "note": "## Triage and analysis\n\n### Investigating AWS Config Resource Deletion\n\nAWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.\n\nThis rule looks for the deletion of AWS Config resources using various API actions. Attackers can do this to cover their tracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the AWS resource that was involved and its criticality, ownership, and role in the environment. 
Also investigate if the resource is security-related.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the 
attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and\n event.action:(DeleteConfigRule or DeleteOrganizationConfigRule or DeleteConfigurationAggregator or\n DeleteConfigurationRecorder or DeleteConformancePack or DeleteOrganizationConformancePack or\n DeleteDeliveryChannel or DeleteRemediationConfiguration or DeleteRetentionConfiguration)\n", "references": ["https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html", "https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "7024e2a0-315d-4334-bb1a-552d604f27bc", 
"setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Resources: Investigation Guide", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "7024e2a0-315d-4334-bb1a-552d604f27bc_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_107.json b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_107.json deleted file mode 100644 index 0b503747b34..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances.", "false_positives": ["Privileged IAM users with security responsibilities may be expected to make changes to the Config service in order to align with local security policies and requirements. Automation, orchestration, and security tools may also make changes to the Config service, where they are used to automate setup or configuration of AWS accounts. Other kinds of user or service contexts do not commonly make changes to this service."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Config Resource Deletion", "note": "## Triage and analysis\n\n### Investigating AWS Config Resource Deletion\n\nAWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.\n\nThis rule looks for the deletion of AWS Config resources using various API actions. Attackers can do this to cover their tracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the AWS resource that was involved and its criticality, ownership, and role in the environment. 
Also investigate if the resource is security-related.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the 
attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and\n event.action:(DeleteConfigRule or DeleteOrganizationConfigRule or DeleteConfigurationAggregator or\n DeleteConfigurationRecorder or DeleteConformancePack or DeleteOrganizationConformancePack or\n DeleteDeliveryChannel or DeleteRemediationConfiguration or DeleteRetentionConfiguration)\n", "references": ["https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html", "https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "7024e2a0-315d-4334-bb1a-552d604f27bc", 
"setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Resources: Investigation Guide", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "7024e2a0-315d-4334-bb1a-552d604f27bc_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_208.json b/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_208.json
deleted file mode 100644
index fe997c1dd6c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7024e2a0-315d-4334-bb1a-552d604f27bc_208.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances.", "false_positives": ["Privileged IAM users with security responsibilities may be expected to make changes to the Config service in order to align with local security policies and requirements. Automation, orchestration, and security tools may also make changes to the Config service, where they are used to automate setup or configuration of AWS accounts. Other kinds of user or service contexts do not commonly make changes to this service."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Config Resource Deletion", "note": "## Triage and analysis\n\n### Investigating AWS Config Resource Deletion\n\nAWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.\n\nThis rule looks for the deletion of AWS Config resources using various API actions. Attackers can do this to cover their tracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the AWS resource that was involved and its criticality, ownership, and role in the environment. 
Also investigate if the resource is security-related.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the 
attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and\n event.action:(DeleteConfigRule or DeleteOrganizationConfigRule or DeleteConfigurationAggregator or\n DeleteConfigurationRecorder or DeleteConformancePack or DeleteOrganizationConformancePack or\n DeleteDeliveryChannel or DeleteRemediationConfiguration or DeleteRetentionConfiguration)\n", "references": ["https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html", "https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "7024e2a0-315d-4334-bb1a-552d604f27bc", 
"setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Resources: Investigation Guide", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 208}, "id": "7024e2a0-315d-4334-bb1a-552d604f27bc_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/708c9d92-22a3-4fe0-b6b9-1f861c55502d.json b/packages/security_detection_engine/kibana/security_rule/708c9d92-22a3-4fe0-b6b9-1f861c55502d.json
deleted file mode 100644
index 9358622ee04..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/708c9d92-22a3-4fe0-b6b9-1f861c55502d.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies suspicious execution of the built-in Windows Installer, msiexec.exe, to install a package from usual paths or parent process. Adversaries may abuse msiexec.exe to launch malicious local MSI files.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution via MSIEXEC", "query": "process where host.os.type == \"windows\" and event.action == \"start\" and\n process.name : \"msiexec.exe\" and user.id : (\"S-1-5-21*\", \"S-1-12-*\") and process.parent.executable != null and\n (\n (process.args : \"/i\" and process.args : (\"/q\", \"/quiet\") and process.args_count == 4 and\n process.args : (\"?:\\\\Users\\\\*\", \"?:\\\\ProgramData\\\\*\") and\n not process.parent.executable : (\"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Users\\\\*\\\\Desktop\\\\*\",\n \"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\programdata\\\\*\")) or\n\n (process.args_count == 1 and not process.parent.executable : (\"?:\\\\Windows\\\\explorer.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\explorer.exe\")) or\n\n (process.args : \"/i\" and process.args : (\"/q\", \"/quiet\") and process.args_count == 4 and\n (process.parent.args : \"Schedule\" or process.parent.name : \"wmiprvse.exe\" or\n process.parent.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\*\" or\n (process.parent.name : (\"powershell.exe\", \"cmd.exe\") and length(process.parent.command_line) >= 200))) or\n\n (process.args : \"/i\" and process.args : (\"/q\", \"/quiet\") and process.args_count == 4 and\n ?process.working_directory : \"?:\\\\\" and process.parent.name : (\"cmd.exe\", \"powershell.exe\"))\n ) and\n\n /* noisy pattern */\n not (process.parent.executable : 
\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\" and ?process.parent.args_count >= 2 and\n process.args : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\\\\*.msi\") and\n\n not process.args : (\"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Program Files\\\\*\")\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msiexec/", "https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.args_count", "type": "long"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "708c9d92-22a3-4fe0-b6b9-1f861c55502d", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.007", "name": "Msiexec", "reference": "https://attack.mitre.org/techniques/T1218/007/"}]}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 2}, "id": "708c9d92-22a3-4fe0-b6b9-1f861c55502d", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/708c9d92-22a3-4fe0-b6b9-1f861c55502d_1.json b/packages/security_detection_engine/kibana/security_rule/708c9d92-22a3-4fe0-b6b9-1f861c55502d_1.json
deleted file mode 100644
index 42b5f26214d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/708c9d92-22a3-4fe0-b6b9-1f861c55502d_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies suspicious execution of the built-in Windows Installer, msiexec.exe, to install a package from usual paths or parent process. Adversaries may abuse msiexec.exe to launch malicious local MSI files.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution via MSIEXEC", "query": "process where host.os.type == \"windows\" and event.action == \"start\" and\n process.name : \"msiexec.exe\" and user.id : (\"S-1-5-21*\", \"S-1-12-*\") and process.parent.executable != null and\n (\n (process.args : \"/i\" and process.args : (\"/q\", \"/quiet\") and process.args_count == 4 and\n process.args : (\"?:\\\\Users\\\\*\", \"?:\\\\ProgramData\\\\*\") and\n not process.parent.executable : (\"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Users\\\\*\\\\Desktop\\\\*\",\n \"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\programdata\\\\*\")) or\n\n (process.args_count == 1 and not process.parent.executable : (\"?:\\\\Windows\\\\explorer.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\explorer.exe\")) or\n\n (process.args : \"/i\" and process.args : (\"/q\", \"/quiet\") and process.args_count == 4 and\n (process.parent.args : \"Schedule\" or process.parent.name : \"wmiprvse.exe\" or\n process.parent.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\*\" or\n (process.parent.name : (\"powershell.exe\", \"cmd.exe\") and length(process.parent.command_line) >= 200))) or\n\n (process.args : \"/i\" and process.args : (\"/q\", \"/quiet\") and process.args_count == 4 and\n process.working_directory : \"?:\\\\\" and process.parent.name : (\"cmd.exe\", \"powershell.exe\"))\n ) and\n\n /* noisy pattern */\n not (process.parent.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\" and process.parent.args_count >= 
2 and\n process.args : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\\\\*.msi\") and\n\n not process.args : (\"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Program Files\\\\*\")\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msiexec/", "https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.args_count", "type": "long"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "708c9d92-22a3-4fe0-b6b9-1f861c55502d", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.007", "name": "Msiexec", "reference": "https://attack.mitre.org/techniques/T1218/007/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "708c9d92-22a3-4fe0-b6b9-1f861c55502d_1", "type": "security-rule"} \ No newline 
at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/708c9d92-22a3-4fe0-b6b9-1f861c55502d_2.json b/packages/security_detection_engine/kibana/security_rule/708c9d92-22a3-4fe0-b6b9-1f861c55502d_2.json
deleted file mode 100644
index 2064e436eff..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/708c9d92-22a3-4fe0-b6b9-1f861c55502d_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies suspicious execution of the built-in Windows Installer, msiexec.exe, to install a package from usual paths or parent process. Adversaries may abuse msiexec.exe to launch malicious local MSI files.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution via MSIEXEC", "query": "process where host.os.type == \"windows\" and event.action == \"start\" and\n process.name : \"msiexec.exe\" and user.id : (\"S-1-5-21*\", \"S-1-12-*\") and process.parent.executable != null and\n (\n (process.args : \"/i\" and process.args : (\"/q\", \"/quiet\") and process.args_count == 4 and\n process.args : (\"?:\\\\Users\\\\*\", \"?:\\\\ProgramData\\\\*\") and\n not process.parent.executable : (\"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Users\\\\*\\\\Desktop\\\\*\",\n \"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\programdata\\\\*\")) or\n\n (process.args_count == 1 and not process.parent.executable : (\"?:\\\\Windows\\\\explorer.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\explorer.exe\")) or\n\n (process.args : \"/i\" and process.args : (\"/q\", \"/quiet\") and process.args_count == 4 and\n (process.parent.args : \"Schedule\" or process.parent.name : \"wmiprvse.exe\" or\n process.parent.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\*\" or\n (process.parent.name : (\"powershell.exe\", \"cmd.exe\") and length(process.parent.command_line) >= 200))) or\n\n (process.args : \"/i\" and process.args : (\"/q\", \"/quiet\") and process.args_count == 4 and\n ?process.working_directory : \"?:\\\\\" and process.parent.name : (\"cmd.exe\", \"powershell.exe\"))\n ) and\n\n /* noisy pattern */\n not (process.parent.executable : 
\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\" and ?process.parent.args_count >= 2 and\n process.args : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\\\\*.msi\") and\n\n not process.args : (\"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Program Files\\\\*\")\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Msiexec/", "https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.args_count", "type": "long"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "708c9d92-22a3-4fe0-b6b9-1f861c55502d", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.007", "name": "Msiexec", "reference": "https://attack.mitre.org/techniques/T1218/007/"}]}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 2}, "id": "708c9d92-22a3-4fe0-b6b9-1f861c55502d_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6.json b/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6.json
deleted file mode 100644
index 6c72da0b178..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via WMI Standard Registry Provider", "note": "## Triage and analysis\n\n### Investigating Persistence via WMI Standard Registry Provider\n\nThe Windows Management Instrumentation (WMI) StdRegProv is a registry provider that allows users to manage registry keys and values on Windows systems. Adversaries may abuse this functionality to modify registry locations commonly used for persistence, enabling them to maintain unauthorized access to a system.\n\nThis rule identifies instances where the WMI StdRegProv is used to modify specific registry paths associated with persistence mechanisms.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify which process triggered this behavior.\n- Verify whether the file specified in the run key is signed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Examine the file specified in the run key using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' 
OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.data.strings != null and process.name : \"WmiPrvSe.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n 
\"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\UserInitMprLogonScript\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\"\n )\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": 
"registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}, {"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_103.json b/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_103.json
deleted file mode 100644
index 762e2dac6f1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via WMI Standard Registry Provider", "query": "registry where host.os.type == \"windows\" and\n registry.data.strings != null and process.name : \"WmiPrvSe.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n 
\"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n 
\"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\UserInitMprLogonScript\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\"\n )\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": 
"70d12c9c-0dbd-4a1a-bc44-1467502c9cf6", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}, {"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_104.json b/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_104.json
deleted file mode 100644
index 865aacdb479..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via WMI Standard Registry Provider", "query": "registry where host.os.type == \"windows\" and\n registry.data.strings != null and process.name : \"WmiPrvSe.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n 
\"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n 
\"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\UserInitMprLogonScript\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\"\n )\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": 
"70d12c9c-0dbd-4a1a-bc44-1467502c9cf6", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}, {"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_105.json b/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_105.json
deleted file mode 100644
index 68d2b56a52d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via WMI Standard Registry Provider", "query": "registry where host.os.type == \"windows\" and\n registry.data.strings != null and process.name : \"WmiPrvSe.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n 
\"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n 
\"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\UserInitMprLogonScript\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\"\n )\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": 
"70d12c9c-0dbd-4a1a-bc44-1467502c9cf6", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}, {"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_106.json b/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_106.json deleted file mode 100644 index 5f317092ec5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via WMI Standard Registry Provider", "note": "## Triage and analysis\n\n### Investigating Persistence via WMI Standard Registry Provider\n\nThe Windows Management Instrumentation (WMI) StdRegProv is a registry provider that allows users to manage registry keys and values on Windows systems. Adversaries may abuse this functionality to modify registry locations commonly used for persistence, enabling them to maintain unauthorized access to a system.\n\nThis rule identifies instances where the WMI StdRegProv is used to modify specific registry paths associated with persistence mechanisms.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify which process triggered this behavior.\n- Verify whether the file specified in the run key is signed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Examine the file specified in the run key using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' 
OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and\n registry.data.strings != null and process.name : \"WmiPrvSe.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n 
\"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n 
\"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\UserInitMprLogonScript\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\"\n )\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": 
true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}, {"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_107.json b/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_107.json deleted file mode 100644 index 7dd391daf45..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via WMI Standard Registry Provider", "note": "## Triage and analysis\n\n### Investigating Persistence via WMI Standard Registry Provider\n\nThe Windows Management Instrumentation (WMI) StdRegProv is a registry provider that allows users to manage registry keys and values on Windows systems. Adversaries may abuse this functionality to modify registry locations commonly used for persistence, enabling them to maintain unauthorized access to a system.\n\nThis rule identifies instances where the WMI StdRegProv is used to modify specific registry paths associated with persistence mechanisms.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify which process triggered this behavior.\n- Verify whether the file specified in the run key is signed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Examine the file specified in the run key using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' 
OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and\n registry.data.strings != null and process.name : \"WmiPrvSe.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n 
\"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n 
\"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\UserInitMprLogonScript\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\"\n )\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": 
"70d12c9c-0dbd-4a1a-bc44-1467502c9cf6", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}, {"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_108.json b/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_108.json deleted file mode 100644 index 0361b5853d1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_108.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via WMI Standard Registry Provider", "note": "## Triage and analysis\n\n### Investigating Persistence via WMI Standard Registry Provider\n\nThe Windows Management Instrumentation (WMI) StdRegProv is a registry provider that allows users to manage registry keys and values on Windows systems. Adversaries may abuse this functionality to modify registry locations commonly used for persistence, enabling them to maintain unauthorized access to a system.\n\nThis rule identifies instances where the WMI StdRegProv is used to modify specific registry paths associated with persistence mechanisms.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Identify which process triggered this behavior.\n- Verify whether the file specified in the run key is signed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Examine the file specified in the run key using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' 
OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and\n registry.data.strings != null and process.name : \"WmiPrvSe.exe\" and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\UserInitMprLogonScript\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n 
\"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Command Processor\\\\Autorun\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ServiceDLL\",\n 
\"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\UserInitMprLogonScript\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\Load\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\Shell\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logoff\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Logon\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Shutdown\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\System\\\\Scripts\\\\Startup\\\\Script\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Ctf\\\\LangBarAddin\\\\*\\\\FilePath\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Exec\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Extensions\\\\*\\\\Script\"\n )\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": 
"70d12c9c-0dbd-4a1a-bc44-1467502c9cf6", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}, {"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24.json b/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24.json
deleted file mode 100644
index 37c3340f786..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:kextunload and process.args:(\"/System/Library/Extensions/EndpointSecurity.kext\" or \"EndpointSecurity.kext\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "70fa1af4-27fd-4f26-bd03-50b6af6b9e24", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "70fa1af4-27fd-4f26-bd03-50b6af6b9e24", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_102.json b/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_102.json
deleted file mode 100644
index 6c36756b006..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:kextunload and process.args:(\"/System/Library/Extensions/EndpointSecurity.kext\" or \"EndpointSecurity.kext\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "70fa1af4-27fd-4f26-bd03-50b6af6b9e24", "severity": "high", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}], 
"timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "70fa1af4-27fd-4f26-bd03-50b6af6b9e24_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_103.json b/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_103.json
deleted file mode 100644
index c754a5a9908..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:kextunload and process.args:(\"/System/Library/Extensions/EndpointSecurity.kext\" or \"EndpointSecurity.kext\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "70fa1af4-27fd-4f26-bd03-50b6af6b9e24", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": 
"https://attack.mitre.org/techniques/T1547/006/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "70fa1af4-27fd-4f26-bd03-50b6af6b9e24_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_104.json b/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_104.json
deleted file mode 100644
index 11f7a9b0a44..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:kextunload and process.args:(\"/System/Library/Extensions/EndpointSecurity.kext\" or \"EndpointSecurity.kext\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "70fa1af4-27fd-4f26-bd03-50b6af6b9e24", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": 
"https://attack.mitre.org/techniques/T1547/006/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "70fa1af4-27fd-4f26-bd03-50b6af6b9e24_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_105.json b/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_105.json
deleted file mode 100644
index 2654551947a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/70fa1af4-27fd-4f26-bd03-50b6af6b9e24_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Unload Elastic Endpoint Security Kernel Extension", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:kextunload and process.args:(\"/System/Library/Extensions/EndpointSecurity.kext\" or \"EndpointSecurity.kext\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "70fa1af4-27fd-4f26-bd03-50b6af6b9e24", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "70fa1af4-27fd-4f26-bd03-50b6af6b9e24_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002.json b/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002.json
deleted file mode 100644
index a842c2d9824..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects a container deployed with one or more dangerously permissive Linux capabilities. An attacker with the ability to deploy a container with added capabilities could use this for further execution, lateral movement, or privilege escalation within a cluster. The capabilities detected in this rule have been used in container escapes to the host machine.", "false_positives": ["Some container images require the addition of privileged capabilities. This rule leaves space for the exception of trusted container images. To add an exception, add the trusted container image name to the query field, kubernetes.audit.requestObject.spec.containers.image."], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Container Created with Excessive Linux Capabilities", "note": "## Triage and analysis\n\n### Investigating Kubernetes Container Created with Excessive Linux Capabilities\n\nLinux capabilities were designed to divide root privileges into smaller units. Each capability grants a thread just enough power to perform specific privileged tasks. In Kubernetes, containers are given a set of default capabilities that can be dropped or added to at the time of creation. Added capabilities entitle containers in a pod with additional privileges that can be used to change\ncore processes, change network settings of a cluster, or directly access the underlying host. 
The following have been used in container escape techniques:\n\nBPF - Allow creating BPF maps, loading BPF Type Format (BTF) data, retrieve JITed code of BPF programs, and more.\nDAC_READ_SEARCH - Bypass file read permission checks and directory read and execute permission checks.\nNET_ADMIN - Perform various network-related operations.\nSYS_ADMIN - Perform a range of system administration operations.\nSYS_BOOT - Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution.\nSYS_MODULE - Load and unload kernel modules.\nSYS_PTRACE - Trace arbitrary processes using ptrace(2).\nSYS_RAWIO - Perform I/O port operations (iopl(2) and ioperm(2)).\nSYSLOG - Perform privileged syslog(2) operations.\n\n### False positive analysis\n\n- While these capabilities are not included by default in containers, some legitimate images may need to add them. This rule leaves space for the exception of trusted container images. To add an exception, add the trusted container image name to the query field, kubernetes.audit.requestObject.spec.containers.image.", "query": "event.dataset: kubernetes.audit_logs\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb: create\n and kubernetes.audit.objectRef.resource: pods\n and kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add: (\"BPF\" or \"DAC_READ_SEARCH\" or \"NET_ADMIN\" or \"SYS_ADMIN\" or \"SYS_BOOT\" or \"SYS_MODULE\" or \"SYS_PTRACE\" or \"SYS_RAWIO\" or \"SYSLOG\")\n and not kubernetes.audit.requestObject.spec.containers.image : (\"docker.elastic.co/beats/elastic-agent:8.4.0\" or \"rancher/klipper-lb:v0.3.5\" or \"\")\n", "references": ["https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container", "https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities", "https://man7.org/linux/man-pages/man7/capabilities.7.html", 
"https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.image", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "keyword"}], "risk_score": 47, "rule_id": "7164081a-3930-11ed-a261-0242ac120002", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1610", "name": "Deploy Container", "reference": "https://attack.mitre.org/techniques/T1610/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "7164081a-3930-11ed-a261-0242ac120002", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_2.json b/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_2.json
deleted file mode 100644
index a049702c31e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects a container deployed with one or more dangerously permissive Linux capabilities. An attacker with the ability to deploy a container with added capabilities could use this for further execution, lateral movement, or privilege escalation within a cluster. The capabilities detected in this rule have been used in container escapes to the host machine.", "false_positives": ["Some container images require the addition of privileged capabilities. This rule leaves space for the exception of trusted container images. To add an exception, add the trusted container image name to the query field, kubernetes.audit.requestObject.spec.containers.image."], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Container Created with Excessive Linux Capabilities", "note": "## Triage and analysis\n\n### Investigating Kubernetes Container Created with Excessive Linux Capabilities\n\nLinux capabilities were designed to divide root privileges into smaller units. Each capability grants a thread just enough power to perform specific privileged tasks. In Kubernetes, containers are given a set of default capabilities that can be dropped or added to at the time of creation. Added capabilities entitle containers in a pod with additional privileges that can be used to change\ncore processes, change network settings of a cluster, or directly access the underlying host. 
The following have been used in container escape techniques:\n\nBPF - Allow creating BPF maps, loading BPF Type Format (BTF) data, retrieve JITed code of BPF programs, and more.\nDAC_READ_SEARCH - Bypass file read permission checks and directory read and execute permission checks.\nNET_ADMIN - Perform various network-related operations.\nSYS_ADMIN - Perform a range of system administration operations.\nSYS_BOOT - Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution.\nSYS_MODULE - Load and unload kernel modules.\nSYS_PTRACE - Trace arbitrary processes using ptrace(2).\nSYS_RAWIO - Perform I/O port operations (iopl(2) and ioperm(2)).\nSYSLOG - Perform privileged syslog(2) operations.\n\n### False positive analysis\n\n- While these capabilities are not included by default in containers, some legitimate images may need to add them. This rule leaves space for the exception of trusted container images. To add an exception, add the trusted container image name to the query field, kubernetes.audit.requestObject.spec.containers.image.", "query": "event.dataset: kubernetes.audit_logs\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb: create\n and kubernetes.audit.objectRef.resource: pods\n and kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add: (\"BPF\" or \"DAC_READ_SEARCH\" or \"NET_ADMIN\" or \"SYS_ADMIN\" or \"SYS_BOOT\" or \"SYS_MODULE\" or \"SYS_PTRACE\" or \"SYS_RAWIO\" or \"SYSLOG\")\n and not kubernetes.audit.requestObject.spec.containers.image : (\"docker.elastic.co/beats/elastic-agent:8.4.0\" or \"rancher/klipper-lb:v0.3.5\" or \"\")\n", "references": ["https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container", "https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities", "https://man7.org/linux/man-pages/man7/capabilities.7.html", 
"https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.image", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "unknown"}], "risk_score": 47, "rule_id": "7164081a-3930-11ed-a261-0242ac120002", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1610", "name": "Deploy Container", "reference": "https://attack.mitre.org/techniques/T1610/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "7164081a-3930-11ed-a261-0242ac120002_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_3.json b/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_3.json
deleted file mode 100644
index 14af3dbdb04..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects a container deployed with one or more dangerously permissive Linux capabilities. An attacker with the ability to deploy a container with added capabilities could use this for further execution, lateral movement, or privilege escalation within a cluster. The capabilities detected in this rule have been used in container escapes to the host machine.", "false_positives": ["Some container images require the addition of privileged capabilities. This rule leaves space for the exception of trusted container images. To add an exception, add the trusted container image name to the query field, kubernetes.audit.requestObject.spec.containers.image."], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Container Created with Excessive Linux Capabilities", "note": "## Triage and analysis\n\n### Investigating Kubernetes Container Created with Excessive Linux Capabilities\n\nLinux capabilities were designed to divide root privileges into smaller units. Each capability grants a thread just enough power to perform specific privileged tasks. In Kubernetes, containers are given a set of default capabilities that can be dropped or added to at the time of creation. Added capabilities entitle containers in a pod with additional privileges that can be used to change\ncore processes, change network settings of a cluster, or directly access the underlying host. 
The following have been used in container escape techniques:\n\nBPF - Allow creating BPF maps, loading BPF Type Format (BTF) data, retrieve JITed code of BPF programs, and more.\nDAC_READ_SEARCH - Bypass file read permission checks and directory read and execute permission checks.\nNET_ADMIN - Perform various network-related operations.\nSYS_ADMIN - Perform a range of system administration operations.\nSYS_BOOT - Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution.\nSYS_MODULE - Load and unload kernel modules.\nSYS_PTRACE - Trace arbitrary processes using ptrace(2).\nSYS_RAWIO - Perform I/O port operations (iopl(2) and ioperm(2)).\nSYSLOG - Perform privileged syslog(2) operations.\n\n### False positive analysis\n\n- While these capabilities are not included by default in containers, some legitimate images may need to add them. This rule leaves space for the exception of trusted container images. To add an exception, add the trusted container image name to the query field, kubernetes.audit.requestObject.spec.containers.image.", "query": "event.dataset: kubernetes.audit_logs\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb: create\n and kubernetes.audit.objectRef.resource: pods\n and kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add: (\"BPF\" or \"DAC_READ_SEARCH\" or \"NET_ADMIN\" or \"SYS_ADMIN\" or \"SYS_BOOT\" or \"SYS_MODULE\" or \"SYS_PTRACE\" or \"SYS_RAWIO\" or \"SYSLOG\")\n and not kubernetes.audit.requestObject.spec.containers.image : (\"docker.elastic.co/beats/elastic-agent:8.4.0\" or \"rancher/klipper-lb:v0.3.5\" or \"\")\n", "references": ["https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container", "https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities", "https://man7.org/linux/man-pages/man7/capabilities.7.html", 
"https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.image", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "unknown"}], "risk_score": 47, "rule_id": "7164081a-3930-11ed-a261-0242ac120002", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1610", "name": "Deploy Container", "reference": "https://attack.mitre.org/techniques/T1610/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "7164081a-3930-11ed-a261-0242ac120002_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_4.json b/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_4.json
deleted file mode 100644
index f6f7d659614..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7164081a-3930-11ed-a261-0242ac120002_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects a container deployed with one or more dangerously permissive Linux capabilities. An attacker with the ability to deploy a container with added capabilities could use this for further execution, lateral movement, or privilege escalation within a cluster. The capabilities detected in this rule have been used in container escapes to the host machine.", "false_positives": ["Some container images require the addition of privileged capabilities. This rule leaves space for the exception of trusted container images. To add an exception, add the trusted container image name to the query field, kubernetes.audit.requestObject.spec.containers.image."], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Container Created with Excessive Linux Capabilities", "note": "## Triage and analysis\n\n### Investigating Kubernetes Container Created with Excessive Linux Capabilities\n\nLinux capabilities were designed to divide root privileges into smaller units. Each capability grants a thread just enough power to perform specific privileged tasks. In Kubernetes, containers are given a set of default capabilities that can be dropped or added to at the time of creation. Added capabilities entitle containers in a pod with additional privileges that can be used to change\ncore processes, change network settings of a cluster, or directly access the underlying host. 
The following have been used in container escape techniques:\n\nBPF - Allow creating BPF maps, loading BPF Type Format (BTF) data, retrieve JITed code of BPF programs, and more.\nDAC_READ_SEARCH - Bypass file read permission checks and directory read and execute permission checks.\nNET_ADMIN - Perform various network-related operations.\nSYS_ADMIN - Perform a range of system administration operations.\nSYS_BOOT - Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution.\nSYS_MODULE - Load and unload kernel modules.\nSYS_PTRACE - Trace arbitrary processes using ptrace(2).\nSYS_RAWIO - Perform I/O port operations (iopl(2) and ioperm(2)).\nSYSLOG - Perform privileged syslog(2) operations.\n\n### False positive analysis\n\n- While these capabilities are not included by default in containers, some legitimate images may need to add them. This rule leaves space for the exception of trusted container images. To add an exception, add the trusted container image name to the query field, kubernetes.audit.requestObject.spec.containers.image.", "query": "event.dataset: kubernetes.audit_logs\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.verb: create\n and kubernetes.audit.objectRef.resource: pods\n and kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add: (\"BPF\" or \"DAC_READ_SEARCH\" or \"NET_ADMIN\" or \"SYS_ADMIN\" or \"SYS_BOOT\" or \"SYS_MODULE\" or \"SYS_PTRACE\" or \"SYS_RAWIO\" or \"SYSLOG\")\n and not kubernetes.audit.requestObject.spec.containers.image : (\"docker.elastic.co/beats/elastic-agent:8.4.0\" or \"rancher/klipper-lb:v0.3.5\" or \"\")\n", "references": ["https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container", "https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities", "https://man7.org/linux/man-pages/man7/capabilities.7.html", 
"https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.image", "type": "text"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "keyword"}], "risk_score": 47, "rule_id": "7164081a-3930-11ed-a261-0242ac120002", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1610", "name": "Deploy Container", "reference": "https://attack.mitre.org/techniques/T1610/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "7164081a-3930-11ed-a261-0242ac120002_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f.json b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f.json
deleted file mode 100644
index c5829747c03..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries.", "from": "now-9m", "history_window_start": "now-10d", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of Dynamic Linker Preload Shared Object", "new_terms_fields": ["host.id", "user.id", "process.executable"], "query": "host.os.type:linux and event.category:file and event.action:(updated or renamed or rename or file_rename_event) and \nnot event.type:deletion and file.path:/etc/ld.so.preload and not process.name:(wine or oneagentinstallaction)\n", "references": ["https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 209}, "id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_103.json b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_103.json
deleted file mode 100644
index c32ddd4830a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of Dynamic Linker Preload Shared Object", "query": "event.category:file and host.os.type:linux and not event.type:deletion and file.path:/etc/ld.so.preload\n", "references": ["https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_104.json b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_104.json
deleted file mode 100644
index 5918a402d62..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of Dynamic Linker Preload Shared Object", "query": "event.category:file and host.os.type:linux and not event.type:deletion and file.path:/etc/ld.so.preload\n", "references": ["https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_105.json b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_105.json
deleted file mode 100644
index a967e1073fb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of Dynamic Linker Preload Shared Object", "query": "event.category:file and host.os.type:linux and not event.type:deletion and file.path:/etc/ld.so.preload and\nevent.action:(updated or renamed or rename)\n", "references": ["https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_106.json b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_106.json
deleted file mode 100644
index b5c6a616a9e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of Dynamic Linker Preload Shared Object", "query": "event.category:file and host.os.type:linux and not event.type:deletion and file.path:/etc/ld.so.preload and\nevent.action:(updated or renamed or rename)\n", "references": ["https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_207.json b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_207.json
deleted file mode 100644
index 2fc9b2c6bf7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_207.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries.", "from": "now-9m", "history_window_start": "now-10d", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of Dynamic Linker Preload Shared Object", "new_terms_fields": ["host.id", "user.id", "process.executable"], "query": "host.os.type:linux and event.category:file and event.action:(updated or renamed or rename) and \nnot event.type:deletion and file.path:/etc/ld.so.preload\n", "references": ["https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f", "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 207}, "id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f_207", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_208.json b/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_208.json
deleted file mode 100644
index 82554911d96..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/717f82c2-7741-4f9b-85b8-d06aeb853f4f_208.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modification of the dynamic linker preload shared object (ld.so.preload). Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries.", "from": "now-9m", "history_window_start": "now-10d", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of Dynamic Linker Preload Shared Object", "new_terms_fields": ["host.id", "user.id", "process.executable"], "query": "host.os.type:linux and event.category:file and event.action:(updated or renamed or rename) and \nnot event.type:deletion and file.path:/etc/ld.so.preload\n", "references": ["https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 208}, "id": "717f82c2-7741-4f9b-85b8-d06aeb853f4f_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95.json
deleted file mode 100644
index 6670a5019e7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual File Creation - Alternate Data Stream", "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \n (\"C:\\\\*:zone.identifier*\",\n \"C:\\\\users\\\\*\\\\appdata\\\\roaming\\\\microsoft\\\\teams\\\\old_weblogs_*:$DATA\",\n \"C:\\\\Windows\\\\CSC\\\\*:CscBitmapStream\") and\n\n not process.executable : (\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\DataExchangeHost.exe\",\n 
\"?:\\\\Windows\\\\System32\\\\drivers\\\\Intel\\\\ICPS\\\\IntelConnectivityNetworkService.exe\",\n \"?:\\\\Windows\\\\System32\\\\drivers\\\\RivetNetworks\\\\Killer\\\\KillerNetworkService.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\RuntimeBroker.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\windows\\\\System32\\\\svchost.exe\"\n ) and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: 
Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.004", "name": "NTFS File Attributes", "reference": "https://attack.mitre.org/techniques/T1564/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 115}, "id": "71bccb61-e19b-452f-b104-79a60e546a95", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_105.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_105.json
deleted file mode 100644
index 8688fc2ea5a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual File Creation - Alternate Data Stream", "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \"C:\\\\*:zone.identifier*\" and\n\n not process.executable :\n (\"?:\\\\windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\") and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": 
"file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.004", "name": "NTFS File Attributes", "reference": "https://attack.mitre.org/techniques/T1564/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "71bccb61-e19b-452f-b104-79a60e546a95_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_106.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_106.json
deleted file mode 100644
index e754c3e4d0e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual File Creation - Alternate Data Stream", "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \"C:\\\\*:zone.identifier*\" and\n\n not process.executable :\n (\"?:\\\\windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\") and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": 
"file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.004", "name": "NTFS File Attributes", "reference": "https://attack.mitre.org/techniques/T1564/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "71bccb61-e19b-452f-b104-79a60e546a95_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_107.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_107.json
deleted file mode 100644
index 51454e3afff..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual File Creation - Alternate Data Stream", "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \"C:\\\\*:zone.identifier*\" and\n\n not process.executable :\n (\"?:\\\\windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\") and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, 
{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.004", "name": "NTFS File Attributes", "reference": "https://attack.mitre.org/techniques/T1564/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "71bccb61-e19b-452f-b104-79a60e546a95_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_108.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_108.json
deleted file mode 100644
index bc709775233..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual File Creation - Alternate Data Stream", "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \"C:\\\\*:zone.identifier*\" and\n\n not process.executable :\n (\"?:\\\\windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\") and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, 
{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.004", "name": "NTFS File Attributes", "reference": "https://attack.mitre.org/techniques/T1564/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "71bccb61-e19b-452f-b104-79a60e546a95_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_109.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_109.json deleted file mode 100644 index 8e5496d48e1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual File Creation - Alternate Data Stream", "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \"C:\\\\*:zone.identifier*\" and\n\n not process.executable :\n (\"?:\\\\windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files(x86)\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files\\\\Microsoft 
Office\\\\root\\\\*\\\\WINWORD.EXE\") and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.004", "name": "NTFS File Attributes", "reference": "https://attack.mitre.org/techniques/T1564/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "71bccb61-e19b-452f-b104-79a60e546a95_109", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_110.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_110.json
deleted file mode 100644
index 41618562b75..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual File Creation - Alternate Data Stream", "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \n (\"C:\\\\*:zone.identifier*\",\n \"C:\\\\users\\\\*\\\\appdata\\\\roaming\\\\microsoft\\\\teams\\\\old_weblogs_*:$DATA\") and\n\n not process.executable :\n (\"?:\\\\windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files(x86)\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program Files 
(x86)\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\") and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.004", "name": "NTFS File Attributes", "reference": "https://attack.mitre.org/techniques/T1564/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "71bccb61-e19b-452f-b104-79a60e546a95_110", "type": 
"security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_111.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_111.json deleted file mode 100644 index e964d593bff..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual File Creation - Alternate Data Stream", "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \n (\"C:\\\\*:zone.identifier*\",\n \"C:\\\\users\\\\*\\\\appdata\\\\roaming\\\\microsoft\\\\teams\\\\old_weblogs_*:$DATA\") and\n\n not process.executable :\n (\"?:\\\\windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files(x86)\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program Files 
(x86)\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\") and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.004", "name": "NTFS File Attributes", "reference": "https://attack.mitre.org/techniques/T1564/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": 
"71bccb61-e19b-452f-b104-79a60e546a95_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_112.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_112.json deleted file mode 100644 index 3d180f0c8c7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_112.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual File Creation - Alternate Data Stream", "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \n (\"C:\\\\*:zone.identifier*\",\n \"C:\\\\users\\\\*\\\\appdata\\\\roaming\\\\microsoft\\\\teams\\\\old_weblogs_*:$DATA\") and\n\n not process.executable :\n (\"?:\\\\windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files(x86)\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program 
Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\") and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.004", "name": "NTFS File 
Attributes", "reference": "https://attack.mitre.org/techniques/T1564/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "71bccb61-e19b-452f-b104-79a60e546a95_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_113.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_113.json
deleted file mode 100644
index 03ca35000f1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_113.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual File Creation - Alternate Data Stream", "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \n (\"C:\\\\*:zone.identifier*\",\n \"C:\\\\users\\\\*\\\\appdata\\\\roaming\\\\microsoft\\\\teams\\\\old_weblogs_*:$DATA\") and\n\n not process.executable :\n (\"?:\\\\windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files(x86)\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program 
Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\") and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": 
"T1564.004", "name": "NTFS File Attributes", "reference": "https://attack.mitre.org/techniques/T1564/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "71bccb61-e19b-452f-b104-79a60e546a95_113", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_114.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_114.json
deleted file mode 100644
index fc21859145d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_114.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual File Creation - Alternate Data Stream", "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \n (\"C:\\\\*:zone.identifier*\",\n \"C:\\\\users\\\\*\\\\appdata\\\\roaming\\\\microsoft\\\\teams\\\\old_weblogs_*:$DATA\") and\n\n not process.executable :\n (\"?:\\\\windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files(x86)\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program 
Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\") and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"png\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": 
"T1564.004", "name": "NTFS File Attributes", "reference": "https://attack.mitre.org/techniques/T1564/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 114}, "id": "71bccb61-e19b-452f-b104-79a60e546a95_114", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_115.json b/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_115.json
deleted file mode 100644
index 995bb7d9db1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/71bccb61-e19b-452f-b104-79a60e546a95_115.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious creation of Alternate Data Streams on highly targeted files. This is uncommon for legitimate files and sometimes done by adversaries to hide malware.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual File Creation - Alternate Data Stream", "note": "## Triage and analysis\n\n### Investigating Unusual File Creation - Alternate Data Stream\n\nAlternate Data Streams (ADS) are file attributes only found on the NTFS file system. In this file system, files are built up from a couple of attributes; one of them is $Data, also known as the data attribute.\n\nThe regular data stream, also referred to as the unnamed data stream since the name string of this attribute is empty, contains the data inside the file. So any data stream that has a name is considered an alternate data stream.\n\nAttackers can abuse these alternate data streams to hide malicious files, string payloads, etc. This rule detects the creation of alternate data streams on highly targeted file types.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Retrieve the contents of the alternate data stream, and analyze it for potential maliciousness. Analysts can use the following PowerShell cmdlet to accomplish this:\n - `Get-Content C:\\Path\\To\\file.exe -stream SampleAlternateDataStreamName`\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n file.path : \"C:\\\\*:*\" and\n not file.path : \n (\"C:\\\\*:zone.identifier*\",\n \"C:\\\\users\\\\*\\\\appdata\\\\roaming\\\\microsoft\\\\teams\\\\old_weblogs_*:$DATA\",\n \"C:\\\\Windows\\\\CSC\\\\*:CscBitmapStream\") and\n\n not process.executable : (\n \"?:\\\\Program Files (x86)\\\\Dropbox\\\\Client\\\\Dropbox.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files\\\\ExpressConnect\\\\ExpressConnectNetworkService.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\EXCEL.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\OUTLOOK.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\POWERPNT.EXE\",\n \"?:\\\\Program Files\\\\Microsoft Office\\\\root\\\\*\\\\WINWORD.EXE\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files\\\\Rivet Networks\\\\SmartByte\\\\SmartByteNetworkService.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\System32\\\\DataExchangeHost.exe\",\n 
\"?:\\\\Windows\\\\System32\\\\drivers\\\\Intel\\\\ICPS\\\\IntelConnectivityNetworkService.exe\",\n \"?:\\\\Windows\\\\System32\\\\drivers\\\\RivetNetworks\\\\Killer\\\\KillerNetworkService.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\System32\\\\PickerHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\RuntimeBroker.exe\",\n \"?:\\\\Windows\\\\System32\\\\SearchProtocolHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\sihost.exe\",\n \"?:\\\\windows\\\\System32\\\\svchost.exe\"\n ) and\n\n file.extension :\n (\n \"pdf\",\n \"dll\",\n \"exe\",\n \"dat\",\n \"com\",\n \"bat\",\n \"cmd\",\n \"sys\",\n \"vbs\",\n \"ps1\",\n \"hta\",\n \"txt\",\n \"vbe\",\n \"js\",\n \"wsh\",\n \"docx\",\n \"doc\",\n \"xlsx\",\n \"xls\",\n \"pptx\",\n \"ppt\",\n \"rtf\",\n \"gif\",\n \"jpg\",\n \"png\",\n \"bmp\",\n \"img\",\n \"iso\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "71bccb61-e19b-452f-b104-79a60e546a95", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: 
Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.004", "name": "NTFS File Attributes", "reference": "https://attack.mitre.org/techniques/T1564/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 115}, "id": "71bccb61-e19b-452f-b104-79a60e546a95_115", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270.json b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270.json
deleted file mode 100644
index 341a052fa46..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability.", "from": "now-9m", "index": ["logs-endpoint.events.library-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious RDP ActiveX Client Loaded", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : \"mstscax.dll\" or file.name : \"mstscax.dll\") and\n /* depending on noise in your env add here extra paths */\n process.executable : (\n \"C:\\\\Windows\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Users\\\\Default\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"\\\\Device\\\\Mup\\\\*\",\n \"\\\\\\\\*\"\n ) and\n /* add here FPs */\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\vmconnect.exe\",\n \"?:\\\\Windows\\\\System32\\\\WindowsSandboxClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\hvsirdpclient.exe\"\n )\n", "references": ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "71c5cb27-eca5-4151-bb47-64bc3f883270", "setup": 
"## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "71c5cb27-eca5-4151-bb47-64bc3f883270", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_102.json b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_102.json
deleted file mode 100644
index 5a63995636f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious RDP ActiveX Client Loaded", "note": "", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"mstscax.dll\" or file.name : \"mstscax.dll\") and\n /* depending on noise in your env add here extra paths */\n process.executable :\n (\n \"C:\\\\Windows\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Users\\\\Default\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"\\\\Device\\\\Mup\\\\*\",\n \"\\\\\\\\*\"\n ) and\n /* add here FPs */\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\mstsc.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\mstsc.exe\")\n", "references": ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "71c5cb27-eca5-4151-bb47-64bc3f883270", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 
8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "71c5cb27-eca5-4151-bb47-64bc3f883270_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_103.json b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_103.json
deleted file mode 100644
index 67336132932..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious RDP ActiveX Client Loaded", "note": "", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"mstscax.dll\" or file.name : \"mstscax.dll\") and\n /* depending on noise in your env add here extra paths */\n process.executable :\n (\n \"C:\\\\Windows\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Users\\\\Default\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"\\\\Device\\\\Mup\\\\*\",\n \"\\\\\\\\*\"\n ) and\n /* add here FPs */\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\mstsc.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\mstsc.exe\")\n", "references": ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "71c5cb27-eca5-4151-bb47-64bc3f883270", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 
8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "71c5cb27-eca5-4151-bb47-64bc3f883270_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_104.json b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_104.json
deleted file mode 100644
index f51f56023cd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious RDP ActiveX Client Loaded", "note": "", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"mstscax.dll\" or file.name : \"mstscax.dll\") and\n /* depending on noise in your env add here extra paths */\n process.executable :\n (\n \"C:\\\\Windows\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Users\\\\Default\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"\\\\Device\\\\Mup\\\\*\",\n \"\\\\\\\\*\"\n ) and\n /* add here FPs */\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\mstsc.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\mstsc.exe\")\n", "references": ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "71c5cb27-eca5-4151-bb47-64bc3f883270", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 
8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "71c5cb27-eca5-4151-bb47-64bc3f883270_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_105.json b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_105.json
deleted file mode 100644
index f88c04fabb0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious RDP ActiveX Client Loaded", "note": "", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"mstscax.dll\" or file.name : \"mstscax.dll\") and\n /* depending on noise in your env add here extra paths */\n process.executable :\n (\n \"C:\\\\Windows\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Users\\\\Default\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"\\\\Device\\\\Mup\\\\*\",\n \"\\\\\\\\*\"\n ) and\n /* add here FPs */\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\mstsc.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\mstsc.exe\")\n", "references": ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "71c5cb27-eca5-4151-bb47-64bc3f883270", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 
8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "71c5cb27-eca5-4151-bb47-64bc3f883270_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_106.json b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_106.json
deleted file mode 100644
index 679ce644bcf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious RDP ActiveX Client Loaded", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"mstscax.dll\" or file.name : \"mstscax.dll\") and\n /* depending on noise in your env add here extra paths */\n process.executable :\n (\n \"C:\\\\Windows\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Users\\\\Default\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"\\\\Device\\\\Mup\\\\*\",\n \"\\\\\\\\*\"\n ) and\n /* add here FPs */\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\mstsc.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\mstsc.exe\")\n", "references": ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "71c5cb27-eca5-4151-bb47-64bc3f883270", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 
8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "71c5cb27-eca5-4151-bb47-64bc3f883270_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_107.json b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_107.json
deleted file mode 100644
index a9eb9f35ee1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious RDP ActiveX Client Loaded", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"mstscax.dll\" or file.name : \"mstscax.dll\") and\n /* depending on noise in your env add here extra paths */\n process.executable : (\n \"C:\\\\Windows\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Users\\\\Default\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"\\\\Device\\\\Mup\\\\*\",\n \"\\\\\\\\*\"\n ) and\n /* add here FPs */\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\vmconnect.exe\",\n \"?:\\\\Windows\\\\System32\\\\WindowsSandboxClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\hvsirdpclient.exe\"\n )\n", "references": ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "71c5cb27-eca5-4151-bb47-64bc3f883270", "setup": "\nIf enabling an EQL rule 
on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "71c5cb27-eca5-4151-bb47-64bc3f883270_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_108.json b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_108.json deleted file mode 100644 index d2945ae43d1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious RDP ActiveX Client Loaded", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : \"mstscax.dll\" or file.name : \"mstscax.dll\") and\n /* depending on noise in your env add here extra paths */\n process.executable : (\n \"C:\\\\Windows\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Users\\\\Default\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"\\\\Device\\\\Mup\\\\*\",\n \"\\\\\\\\*\"\n ) and\n /* add here FPs */\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\vmconnect.exe\",\n \"?:\\\\Windows\\\\System32\\\\WindowsSandboxClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\hvsirdpclient.exe\"\n )\n", "references": ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "71c5cb27-eca5-4151-bb47-64bc3f883270", "setup": "## 
Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "71c5cb27-eca5-4151-bb47-64bc3f883270_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_109.json b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_109.json deleted file mode 100644 index 56cad5ed109..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability.", "from": "now-9m", "index": ["logs-endpoint.events.library-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious RDP ActiveX Client Loaded", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : \"mstscax.dll\" or file.name : \"mstscax.dll\") and\n /* depending on noise in your env add here extra paths */\n process.executable : (\n \"C:\\\\Windows\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Users\\\\Default\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"\\\\Device\\\\Mup\\\\*\",\n \"\\\\\\\\*\"\n ) and\n /* add here FPs */\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\vmconnect.exe\",\n \"?:\\\\Windows\\\\System32\\\\WindowsSandboxClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\hvsirdpclient.exe\"\n )\n", "references": ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "71c5cb27-eca5-4151-bb47-64bc3f883270", "setup": 
"## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "71c5cb27-eca5-4151-bb47-64bc3f883270_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_110.json b/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_110.json deleted file mode 100644 index ebd32b52fae..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/71c5cb27-eca5-4151-bb47-64bc3f883270_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious Image Loading of the Remote Desktop Services ActiveX Client (mstscax), this may indicate the presence of RDP lateral movement capability.", "from": "now-9m", "index": ["logs-endpoint.events.library-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious RDP ActiveX Client Loaded", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : \"mstscax.dll\" or file.name : \"mstscax.dll\") and\n /* depending on noise in your env add here extra paths */\n process.executable : (\n \"C:\\\\Windows\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Users\\\\Default\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\ProgramData\\\\*\",\n \"\\\\Device\\\\Mup\\\\*\",\n \"\\\\\\\\*\"\n ) and\n /* add here FPs */\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\vmconnect.exe\",\n \"?:\\\\Windows\\\\System32\\\\WindowsSandboxClient.exe\",\n \"?:\\\\Windows\\\\System32\\\\hvsirdpclient.exe\"\n )\n", "references": ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3", "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", 
"type": "keyword"}], "risk_score": 47, "rule_id": "71c5cb27-eca5-4151-bb47-64bc3f883270", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "71c5cb27-eca5-4151-bb47-64bc3f883270_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71d6a53d-abbd-40df-afee-c21fff6aafb0.json b/packages/security_detection_engine/kibana/security_rule/71d6a53d-abbd-40df-afee-c21fff6aafb0.json deleted file mode 100644 index eb8943e4ed9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/71d6a53d-abbd-40df-afee-c21fff6aafb0.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the generation of a passwd password entry via openssl, followed by a file write activity on the \"/etc/passwd\" file. The \"/etc/passwd\" file in Linux stores user account information, including usernames, user IDs, group IDs, home directories, and default shell paths. Attackers may exploit a misconfiguration in the \"/etc/passwd\" file permissions or other privileges to add a new entry to the \"/etc/passwd\" file with root permissions, and leverage this new user account to login as root.", "from": "now-9m", "index": ["logs-endpoint.events.*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Passwd File Event Action", "query": "sequence by host.id, process.parent.pid with maxspan=1m\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.name == \"openssl\" and process.args == \"passwd\" and user.id != \"0\"]\n [file where host.os.type == \"linux\" and file.path == \"/etc/passwd\" and process.parent.pid != 1 and\n not auditd.data.a2 == \"80000\" and event.outcome == \"success\" and user.id != \"0\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a2", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], 
"risk_score": 47, "rule_id": "71d6a53d-abbd-40df-afee-c21fff6aafb0", "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend and Auditd Manager.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -- \"-w /etc/passwd -p wa -k etcpasswd\"\n", "severity": "medium", "tags": ["Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 3}, "id": "71d6a53d-abbd-40df-afee-c21fff6aafb0", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71d6a53d-abbd-40df-afee-c21fff6aafb0_1.json b/packages/security_detection_engine/kibana/security_rule/71d6a53d-abbd-40df-afee-c21fff6aafb0_1.json deleted file mode 100644 index 0a939b962ab..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/71d6a53d-abbd-40df-afee-c21fff6aafb0_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the generation of a passwd password entry via openssl, followed by a file write activity on the \"/etc/passwd\" file. The \"/etc/passwd\" file in Linux stores user account information, including usernames, user IDs, group IDs, home directories, and default shell paths. Attackers may exploit a misconfiguration in the \"/etc/passwd\" file permissions or other privileges to add a new entry to the \"/etc/passwd\" file with root permissions, and leverage this new user account to login as root.", "from": "now-9m", "index": ["logs-endpoint.events.*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Passwd File Event Action", "query": "sequence by host.id, process.parent.pid with maxspan=1m\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.name == \"openssl\" and process.args == \"passwd\" and user.id != \"0\"]\n [file where event.dataset == \"auditd_manager.auditd\" and host.os.type == \"linux\" and file.path == \"/etc/passwd\" and\n process.parent.pid != 1 and not auditd.data.a2 == \"80000\" and event.outcome == \"success\" and user.id != \"0\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"integration": "auditd", "package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a2", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": 
"keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "71d6a53d-abbd-40df-afee-c21fff6aafb0", "setup": "\nThis rule requires data coming in from Elastic Defend and Auditd Manager.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -- \"-w /etc/passwd -p wa -k etcpasswd\"\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 1}, "id": "71d6a53d-abbd-40df-afee-c21fff6aafb0_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71d6a53d-abbd-40df-afee-c21fff6aafb0_2.json b/packages/security_detection_engine/kibana/security_rule/71d6a53d-abbd-40df-afee-c21fff6aafb0_2.json deleted file mode 100644 index 0dde3b2b4d1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/71d6a53d-abbd-40df-afee-c21fff6aafb0_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the generation of a passwd password entry via openssl, followed by a file write activity on the \"/etc/passwd\" file. The \"/etc/passwd\" file in Linux stores user account information, including usernames, user IDs, group IDs, home directories, and default shell paths. Attackers may exploit a misconfiguration in the \"/etc/passwd\" file permissions or other privileges to add a new entry to the \"/etc/passwd\" file with root permissions, and leverage this new user account to login as root.", "from": "now-9m", "index": ["logs-endpoint.events.*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Passwd File Event Action", "query": "sequence by host.id, process.parent.pid with maxspan=1m\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.name == \"openssl\" and process.args == \"passwd\" and user.id != \"0\"]\n [file where host.os.type == \"linux\" and file.path == \"/etc/passwd\" and process.parent.pid != 1 and\n not auditd.data.a2 == \"80000\" and event.outcome == \"success\" and user.id != \"0\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a2", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], 
"risk_score": 47, "rule_id": "71d6a53d-abbd-40df-afee-c21fff6aafb0", "setup": "\nThis rule requires data coming in from Elastic Defend and Auditd Manager.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -- \"-w /etc/passwd -p wa -k etcpasswd\"\n\n", "severity": "medium", "tags": ["Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 2}, "id": "71d6a53d-abbd-40df-afee-c21fff6aafb0_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71de53ea-ff3b-11ee-b572-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/71de53ea-ff3b-11ee-b572-f661ea17fbce.json deleted file mode 100644 index 07cbde61b43..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/71de53ea-ff3b-11ee-b572-f661ea17fbce.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when an AWS IAM Roles Anywhere Trust Anchor with an external certificate authority is created. AWS Roles Anywhere profiles are legitimate profiles that can be created by administrators to allow access from any location. This rule detects when a trust anchor is created with an external certificate authority that is not managed by AWS Certificate Manager Private Certificate Authority (ACM PCA). Adversaries may accomplish this to maintain persistence in the environment.", "false_positives": ["AWS IAM Roles Anywhere Trust Anchors are legitimate profiles that can be created by administrators to allow access from any location. Ensure that the trust anchor is created by a legitimate administrator and that the external certificate authority is authorized."], "from": "now-30m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA", "note": "## Triage and Analysis\n\n### Investigating AWS IAM Roles Anywhere Trust Anchor Created with External CA\n\nThis rule detects when an AWS IAM Roles Anywhere Trust Anchor with an external certificate authority is created. AWS Roles Anywhere profiles are legitimate profiles that can be created by administrators to allow access from any location. This rule identifies when a trust anchor is created with an external certificate authority that is not managed by AWS Certificate Manager Private Certificate Authority (ACM PCA). Adversaries may accomplish this to maintain persistence in the environment.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. 
Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the trust anchor creation. Look for any unusual parameters that could suggest unauthorized or malicious modifications.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the trust anchor was created. Changes during non-business hours or outside regular maintenance windows might require further scrutiny.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.\n- **Verify the Certificate Authority**: Ensure that the external certificate authority used is authorized and recognized. Unauthorized external CAs can be a red flag for malicious activity.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the trust anchor creation aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the creation was successful and intended according to policy.\n\n### Response and Remediation:\n\n- **Immediate Review and Reversal if Necessary**: If the creation was unauthorized, remove the trust anchor and revoke any associated permissions.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving the creation of trust anchors with external certificate authorities.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning IAM Roles Anywhere and the use of certificate authorities.\n- **Audit IAM Roles and Policies**: Conduct a comprehensive audit of all IAM roles and associated policies to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing IAM Roles Anywhere and securing AWS environments, refer to the [AWS IAM Roles Anywhere documentation](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on IAM roles and trust anchors:\n- [AWS IAM Roles Anywhere Introduction](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html)\n- [Ermetic Blog on IAM Users and Third Parties](https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/)\n", "query": "event.dataset: aws.cloudtrail\n and event.provider: rolesanywhere.amazonaws.com\n and event.action: CreateTrustAnchor\n and event.outcome: success\n and not aws.cloudtrail.request_parameters: *sourceType=AWS_ACM_PCA*\n", "references": ["https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html", "https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/", "https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateTrustAnchor.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.request_parameters", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "71de53ea-ff3b-11ee-b572-f661ea17fbce", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], 
"timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "71de53ea-ff3b-11ee-b572-f661ea17fbce", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/71de53ea-ff3b-11ee-b572-f661ea17fbce_1.json b/packages/security_detection_engine/kibana/security_rule/71de53ea-ff3b-11ee-b572-f661ea17fbce_1.json deleted file mode 100644 index 702aa059b49..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/71de53ea-ff3b-11ee-b572-f661ea17fbce_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when an AWS IAM Roles Anywhere Trust Anchor with an external certificate authority is created. AWS Roles Anywhere profiles are legitimate profiles that can be created by administrators to allow access from any location. This rule detects when a trust anchor is created with an external certificate authority that is not managed by AWS Certificate Manager Private Certificate Authority (ACM PCA). Adversaries may accomplish this to maintain persistence in the environment.", "false_positives": ["AWS IAM Roles Anywhere Trust Anchors are legitimate profiles that can be created by administrators to allow access from any location. Ensure that the trust anchor is created by a legitimate administrator and that the external certificate authority is authorized."], "from": "now-30m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA", "note": "\n## Triage and Analysis\n\n### Investigating AWS IAM Roles Anywhere Trust Anchor Created with External CA\n\nThis rule detects when an AWS IAM Roles Anywhere Trust Anchor with an external certificate authority is created. AWS Roles Anywhere profiles are legitimate profiles that can be created by administrators to allow access from any location. This rule identifies when a trust anchor is created with an external certificate authority that is not managed by AWS Certificate Manager Private Certificate Authority (ACM PCA). Adversaries may accomplish this to maintain persistence in the environment.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. 
Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the trust anchor creation. Look for any unusual parameters that could suggest unauthorized or malicious modifications.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the trust anchor was created. Changes during non-business hours or outside regular maintenance windows might require further scrutiny.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.\n- **Verify the Certificate Authority**: Ensure that the external certificate authority used is authorized and recognized. Unauthorized external CAs can be a red flag for malicious activity.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the trust anchor creation aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the creation was successful and intended according to policy.\n\n### Response and Remediation:\n\n- **Immediate Review and Reversal if Necessary**: If the creation was unauthorized, remove the trust anchor and revoke any associated permissions.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving the creation of trust anchors with external certificate authorities.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning IAM Roles Anywhere and the use of certificate authorities.\n- **Audit IAM Roles and Policies**: Conduct a comprehensive audit of all IAM roles and associated policies to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing IAM Roles Anywhere and securing AWS environments, refer to the [AWS IAM Roles Anywhere documentation](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on IAM roles and trust anchors:\n- [AWS IAM Roles Anywhere Introduction](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html)\n- [Ermetic Blog on IAM Users and Third Parties](https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/)\n", "query": "event.dataset: aws.cloudtrail\n and event.provider: rolesanywhere.amazonaws.com\n and event.action: CreateTrustAnchor\n and event.outcome: success\n and not aws.cloudtrail.request_parameters: *sourceType=AWS_ACM_PCA*\n", "references": ["https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html", "https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/", "https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateTrustAnchor.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.request_parameters", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "71de53ea-ff3b-11ee-b572-f661ea17fbce", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], 
"timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "71de53ea-ff3b-11ee-b572-f661ea17fbce_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29.json b/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29.json deleted file mode 100644 index 72de38a7b4b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware.", "false_positives": ["If Cloud App Security identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Potential ransomware activity", "note": "", "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Potential ransomware activity\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "721999d0-7ab2-44bf-b328-6e63367b9b29", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 
206}, "id": "721999d0-7ab2-44bf-b328-6e63367b9b29", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_101.json b/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_101.json deleted file mode 100644 index 54f32d210c6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware.", "false_positives": ["If Cloud App Security identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Potential ransomware activity", "note": "", "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Potential ransomware activity\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "721999d0-7ab2-44bf-b328-6e63367b9b29", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, 
"id": "721999d0-7ab2-44bf-b328-6e63367b9b29_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_102.json b/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_102.json deleted file mode 100644 index c3785de4939..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware.", "false_positives": ["If Cloud App Security identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Potential ransomware activity", "note": "", "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Potential ransomware activity\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "721999d0-7ab2-44bf-b328-6e63367b9b29", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 
102}, "id": "721999d0-7ab2-44bf-b328-6e63367b9b29_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_103.json b/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_103.json deleted file mode 100644 index e72f81cfdbc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware.", "false_positives": ["If Cloud App Security identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Potential ransomware activity", "note": "", "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Potential ransomware activity\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "721999d0-7ab2-44bf-b328-6e63367b9b29", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 
103}, "id": "721999d0-7ab2-44bf-b328-6e63367b9b29_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_105.json b/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_105.json deleted file mode 100644 index ad1af938300..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/721999d0-7ab2-44bf-b328-6e63367b9b29_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware.", "false_positives": ["If Cloud App Security identifies, for example, a high rate of file uploads or file deletion activities it may represent an adverse encryption process."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Potential ransomware activity", "note": "", "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Potential ransomware activity\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "721999d0-7ab2-44bf-b328-6e63367b9b29", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 
105}, "id": "721999d0-7ab2-44bf-b328-6e63367b9b29_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/725a048a-88c5-4fc7-8677-a44fc0031822_1.json b/packages/security_detection_engine/kibana/security_rule/725a048a-88c5-4fc7-8677-a44fc0031822_1.json
deleted file mode 100644
index a4d2589f036..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/725a048a-88c5-4fc7-8677-a44fc0031822_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple validation exeception errors within AWS Bedrock. Validation errors occur when you run the InvokeModel or InvokeModelWithResponseStream APIs on a foundation model that uses an incorrect inference parameter or corresponding value. These errors also occur when you use an inference parameter for one model with a model that doesn't have the same API parameter. This could indicate attempts to bypass limitations of other approved models, or to force an impact on the environment by incurring exhorbitant costs.", "false_positives": ["Legitimate misunderstanding by users or overly strict policies"], "from": "now-60m", "interval": "10m", "language": "esql", "license": "Elastic License v2", "name": "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User", "query": "from logs-aws_bedrock.invocation-*\n// truncate the timestamp to a 1-minute window\n| eval target_time_window = DATE_TRUNC(1 minutes, @timestamp)\n| where gen_ai.response.error_code == \"ValidationException\"\n// count the number of users causing validation errors within a 1 minute window\n| stats total_denials = count(*) by target_time_window, user.id, cloud.account.id\n| where total_denials > 3\n", "references": ["https://atlas.mitre.org/techniques/AML.T0015", "https://atlas.mitre.org/techniques/AML.T0034", "https://atlas.mitre.org/techniques/AML.T0046", "https://www.elastic.co/security-labs/elastic-advances-llm-security"], "risk_score": 73, "rule_id": "725a048a-88c5-4fc7-8677-a44fc0031822", "setup": "## Setup\n\nThis rule requires that AWS Bedrock Integration be configured. 
For more information, see the AWS Bedrock integration documentation:\n\nhttps://www.elastic.co/docs/current/integrations/aws_bedrock\n", "severity": "high", "tags": ["Domain: LLM", "Data Source: AWS", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Use Case: Policy Violation", "Mitre Atlas: T0015", "Mitre Atlas: T0034", "Mitre Atlas: T0046"], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "725a048a-88c5-4fc7-8677-a44fc0031822_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/725a048a-88c5-4fc7-8677-a44fc0031822_2.json b/packages/security_detection_engine/kibana/security_rule/725a048a-88c5-4fc7-8677-a44fc0031822_2.json
deleted file mode 100644
index dbb6af8419e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/725a048a-88c5-4fc7-8677-a44fc0031822_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple validation exeception errors within AWS Bedrock. Validation errors occur when you run the InvokeModel or InvokeModelWithResponseStream APIs on a foundation model that uses an incorrect inference parameter or corresponding value. These errors also occur when you use an inference parameter for one model with a model that doesn't have the same API parameter. This could indicate attempts to bypass limitations of other approved models, or to force an impact on the environment by incurring exhorbitant costs.", "false_positives": ["Legitimate misunderstanding by users or overly strict policies"], "from": "now-60m", "interval": "10m", "language": "esql", "license": "Elastic License v2", "name": "AWS Bedrock Detected Multiple Validation Exception Errors by a Single User", "query": "from logs-aws_bedrock.invocation-*\n// truncate the timestamp to a 1-minute window\n| eval target_time_window = DATE_TRUNC(1 minutes, @timestamp)\n| where gen_ai.response.error_code == \"ValidationException\"\n| keep user.id, gen_ai.request.model.id, cloud.account.id, gen_ai.response.error_code, target_time_window\n// count the number of users causing validation errors within a 1 minute window\n| stats total_denials = count(*) by target_time_window, user.id, cloud.account.id\n| where total_denials > 3\n", "references": ["https://atlas.mitre.org/techniques/AML.T0015", "https://atlas.mitre.org/techniques/AML.T0034", "https://atlas.mitre.org/techniques/AML.T0046", "https://www.elastic.co/security-labs/elastic-advances-llm-security"], "risk_score": 73, "rule_id": "725a048a-88c5-4fc7-8677-a44fc0031822", "setup": "## Setup\n\nThis rule requires that AWS Bedrock Integration be configured. 
For more information, see the AWS Bedrock integration documentation:\n\nhttps://www.elastic.co/docs/current/integrations/aws_bedrock\n", "severity": "high", "tags": ["Domain: LLM", "Data Source: AWS", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Use Case: Policy Violation", "Mitre Atlas: T0015", "Mitre Atlas: T0034", "Mitre Atlas: T0046"], "timestamp_override": "event.ingested", "type": "esql", "version": 2}, "id": "725a048a-88c5-4fc7-8677-a44fc0031822_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181.json b/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181.json
deleted file mode 100644
index 12a563a1356..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if the MFA factors for Okta user accounts are regularly reset in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Reset MFA Factors for an Okta User Account", "note": "", "query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "729aa18d-06a6-41c7-b175-b65b739b1181", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "729aa18d-06a6-41c7-b175-b65b739b1181", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_102.json b/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_102.json
deleted file mode 100644
index 596b08d8e01..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if the MFA factors for Okta user accounts are regularly reset in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Reset MFA Factors for an Okta User Account", "note": "", "query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "729aa18d-06a6-41c7-b175-b65b739b1181", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "729aa18d-06a6-41c7-b175-b65b739b1181_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_103.json b/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_103.json
deleted file mode 100644
index 7db8c7368ce..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if the MFA factors for Okta user accounts are regularly reset in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Reset MFA Factors for an Okta User Account", "note": "", "query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "729aa18d-06a6-41c7-b175-b65b739b1181", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "729aa18d-06a6-41c7-b175-b65b739b1181_103", "type": "security-rule"} \ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_104.json b/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_104.json
deleted file mode 100644
index c0347d6c916..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if the MFA factors for Okta user accounts are regularly reset in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Reset MFA Factors for an Okta User Account", "note": "", "query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "729aa18d-06a6-41c7-b175-b65b739b1181", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "729aa18d-06a6-41c7-b175-b65b739b1181_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_105.json b/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_105.json
deleted file mode 100644
index 4bacbbe72bf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if the MFA factors for Okta user accounts are regularly reset in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Reset MFA Factors for an Okta User Account", "note": "", "query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "729aa18d-06a6-41c7-b175-b65b739b1181", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "729aa18d-06a6-41c7-b175-b65b739b1181_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_206.json b/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_206.json
deleted file mode 100644
index 8695b8b8de9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_206.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if the MFA factors for Okta user accounts are regularly reset in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Reset MFA Factors for an Okta User Account", "note": "", "query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "729aa18d-06a6-41c7-b175-b65b739b1181", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "729aa18d-06a6-41c7-b175-b65b739b1181_206", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_207.json b/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_207.json
deleted file mode 100644
index 924b4d63dcb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_207.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if the MFA factors for Okta user accounts are regularly reset in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Reset MFA Factors for an Okta User Account", "note": "", "query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta", "https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "729aa18d-06a6-41c7-b175-b65b739b1181", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": 
"https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "729aa18d-06a6-41c7-b175-b65b739b1181_207", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_209.json b/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_209.json
deleted file mode 100644
index 07a00bc3b9c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_209.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if the MFA factors for Okta user accounts are regularly reset in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Reset MFA Factors for an Okta User Account", "note": "", "query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta", "https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "729aa18d-06a6-41c7-b175-b65b739b1181", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": 
"https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "729aa18d-06a6-41c7-b175-b65b739b1181_209", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_309.json b/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_309.json
new file mode 100644
index 00000000000..ac3d697ecb6
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/729aa18d-06a6-41c7-b175-b65b739b1181_309.json
@@ -0,0 +1,77 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment.",
+ "false_positives": [
+ "Consider adding exceptions to this rule to filter false positives if the MFA factors for Okta user accounts are regularly reset in your organization."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempt to Reset MFA Factors for an Okta User Account",
+ "note": "",
+ "query": "event.dataset:okta.system and event.action:user.mfa.factor.reset_all\n",
+ "references": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
+ "https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "729aa18d-06a6-41c7-b175-b65b739b1181",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "low",
+ "tags": [
+ "Tactic: Persistence",
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": 
"Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1098",
+ "name": "Account Manipulation",
+ "reference": "https://attack.mitre.org/techniques/T1098/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 309
+ },
+ "id": "729aa18d-06a6-41c7-b175-b65b739b1181_309",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/72ed9140-fe9d-4a34-a026-75b50e484b17.json b/packages/security_detection_engine/kibana/security_rule/72ed9140-fe9d-4a34-a026-75b50e484b17.json
deleted file mode 100644
index 11586b2fa52..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/72ed9140-fe9d-4a34-a026-75b50e484b17.json
+++ /dev/null
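Review bot: The `"note": ""` field of the new `_309` revision is still empty, so the rule ships without an investigation guide for an action its own description ties to adversary re-enrollment of MFA factors, and the only substantive change on the new side over the removed `_209` revision is the `okta` integration bump to `^3.0.0`. A short triage note would give an analyst a starting point; for example `Confirm the actor of the user.mfa.factor.reset_all event is an authorized administrator or help-desk role, check whether the target account enrolled new factors shortly afterward, and compare the actor's source IP and session with their usual activity.` The rule document is complete within this hunk.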
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule leverages Discovery building block rule alert data to alert on signals with unusual unique host.id, user.id and process.executable entries.", "from": "now-9m", "history_window_start": "now-14d", "index": [".alerts-security.*"], "language": "kuery", "license": "Elastic License v2", "name": "Unusual Discovery Signal Alert with Unusual Process Executable", "new_terms_fields": ["host.id", "user.id", "process.executable"], "query": "host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:\"1d72d014-e2ab-4707-b056-9b96abe7b511\"\n", "required_fields": [{"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "kibana.alert.rule.rule_id", "type": "unknown"}], "risk_score": 21, "rule_id": "72ed9140-fe9d-4a34-a026-75b50e484b17", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: Higher-Order Rule"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "72ed9140-fe9d-4a34-a026-75b50e484b17", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/72ed9140-fe9d-4a34-a026-75b50e484b17_1.json b/packages/security_detection_engine/kibana/security_rule/72ed9140-fe9d-4a34-a026-75b50e484b17_1.json deleted file mode 100644 index bb87f17243d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/72ed9140-fe9d-4a34-a026-75b50e484b17_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique host.id, user.id and process.executable entries.", "from": "now-9m", "history_window_start": "now-14d", "index": [".alerts-security.*"], "language": "kuery", "license": "Elastic License v2", "name": "Unusual Discovery Signal Alert with Unusual Process Executable", "new_terms_fields": ["host.id", "user.id", "process.executable"], "query": "host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:\"1d72d014-e2ab-4707-b056-9b96abe7b511\"\n", "required_fields": [{"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "kibana.alert.rule.rule_id", "type": "unknown"}], "risk_score": 21, "rule_id": "72ed9140-fe9d-4a34-a026-75b50e484b17", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: Higher-Order Rule"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "72ed9140-fe9d-4a34-a026-75b50e484b17_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/730ed57d-ae0f-444f-af50-78708b57edd5.json b/packages/security_detection_engine/kibana/security_rule/730ed57d-ae0f-444f-af50-78708b57edd5.json deleted file mode 100644 index a3436fedb12..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/730ed57d-ae0f-444f-af50-78708b57edd5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious processes being spawned by the JetBrain TeamCity process. This activity could be related to JetBrains remote code execution vulnerabilities.", "false_positives": ["Powershell and Windows Command Shell are often observed as legit child processes of the Jetbrains TeamCity service and may require further tuning."], "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious JetBrains TeamCity Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable :\n (\"?:\\\\TeamCity\\\\jre\\\\bin\\\\java.exe\",\n \"?:\\\\Program Files\\\\TeamCity\\\\jre\\\\bin\\\\java.exe\",\n \"?:\\\\Program Files (x86)\\\\TeamCity\\\\jre\\\\bin\\\\java.exe\",\n \"?:\\\\TeamCity\\\\BuildAgent\\\\jre\\\\bin\\\\java.exe\") and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"msiexec.exe\", \"certutil.exe\", \"bitsadmin.exe\", \"wmic.exe\", \"curl.exe\", \"ssh.exe\",\n \"rundll32.exe\", \"regsvr32.exe\", \"mshta.exe\", \"certreq.exe\", \"net.exe\", \"nltest.exe\", \"whoami.exe\", \"hostname.exe\",\n \"tasklist.exe\", \"arp.exe\", \"nbtstat.exe\", \"netstat.exe\", \"reg.exe\", \"tasklist.exe\", \"Microsoft.Workflow.Compiler.exe\",\n \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\", \"cmstp.exe\", \"control.exe\", \"cscript.exe\", \"csi.exe\",\n \"dnx.exe\", \"dsget.exe\", \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"ieexec.exe\", \"iexpress.exe\",\n \"installutil.exe\", \"ipconfig.exe\",\"msxsl.exe\", \"netsh.exe\", \"odbcconf.exe\", \"ping.exe\", \"pwsh.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"regasm.exe\", \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", 
\"schtasks.exe\",\n \"systeminfo.exe\", \"tracert.exe\", \"wmic.exe\", \"wscript.exe\",\"xwizard.exe\", \"explorer.exe\", \"msdt.exe\") and\n not (process.name : \"powershell.exe\" and process.args : \"-ExecutionPolicy\" and process.args : \"?:\\\\TeamCity\\\\buildAgent\\\\work\\\\*.ps1\") and\n not (process.name : \"cmd.exe\" and process.args : \"dir\" and process.args : \"/-c\")\n", "references": ["https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "730ed57d-ae0f-444f-af50-78708b57edd5", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", 
"name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "730ed57d-ae0f-444f-af50-78708b57edd5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/730ed57d-ae0f-444f-af50-78708b57edd5_1.json b/packages/security_detection_engine/kibana/security_rule/730ed57d-ae0f-444f-af50-78708b57edd5_1.json deleted file mode 100644 index dc89c95ff02..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/730ed57d-ae0f-444f-af50-78708b57edd5_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious processes being spawned by the JetBrain TeamCity process. This activity could be related to JetBrains remote code execution vulnerabilities.", "false_positives": ["Powershell and Windows Command Shell are often observed as legit child processes of the Jetbrains TeamCity service and may require further tuning."], "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious JetBrains TeamCity Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable :\n (\"?:\\\\TeamCity\\\\jre\\\\bin\\\\java.exe\",\n \"?:\\\\Program Files\\\\TeamCity\\\\jre\\\\bin\\\\java.exe\",\n \"?:\\\\Program Files (x86)\\\\TeamCity\\\\jre\\\\bin\\\\java.exe\",\n \"?:\\\\TeamCity\\\\BuildAgent\\\\jre\\\\bin\\\\java.exe\") and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"msiexec.exe\", \"certutil.exe\", \"bitsadmin.exe\", \"wmic.exe\", \"curl.exe\", \"ssh.exe\",\n \"rundll32.exe\", \"regsvr32.exe\", \"mshta.exe\", \"certreq.exe\", \"net.exe\", \"nltest.exe\", \"whoami.exe\", \"hostname.exe\",\n \"tasklist.exe\", \"arp.exe\", \"nbtstat.exe\", \"netstat.exe\", \"reg.exe\", \"tasklist.exe\", \"Microsoft.Workflow.Compiler.exe\",\n \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\", \"cmstp.exe\", \"control.exe\", \"cscript.exe\", \"csi.exe\",\n \"dnx.exe\", \"dsget.exe\", \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"ieexec.exe\", \"iexpress.exe\",\n \"installutil.exe\", \"ipconfig.exe\",\"msxsl.exe\", \"netsh.exe\", \"odbcconf.exe\", \"ping.exe\", \"pwsh.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"regasm.exe\", \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\",\n \"systeminfo.exe\", 
\"tracert.exe\", \"wmic.exe\", \"wscript.exe\",\"xwizard.exe\", \"explorer.exe\", \"msdt.exe\") and\n not (process.name : \"powershell.exe\" and process.args : \"-ExecutionPolicy\" and process.args : \"?:\\\\TeamCity\\\\buildAgent\\\\work\\\\*.ps1\") and\n not (process.name : \"cmd.exe\" and process.args : \"dir\" and process.args : \"/-c\")\n", "references": ["https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "730ed57d-ae0f-444f-af50-78708b57edd5", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": 
"https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "730ed57d-ae0f-444f-af50-78708b57edd5_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/730ed57d-ae0f-444f-af50-78708b57edd5_2.json b/packages/security_detection_engine/kibana/security_rule/730ed57d-ae0f-444f-af50-78708b57edd5_2.json deleted file mode 100644 index e4a7c6272c6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/730ed57d-ae0f-444f-af50-78708b57edd5_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious processes being spawned by the JetBrain TeamCity process. This activity could be related to JetBrains remote code execution vulnerabilities.", "false_positives": ["Powershell and Windows Command Shell are often observed as legit child processes of the Jetbrains TeamCity service and may require further tuning."], "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious JetBrains TeamCity Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable :\n (\"?:\\\\TeamCity\\\\jre\\\\bin\\\\java.exe\",\n \"?:\\\\Program Files\\\\TeamCity\\\\jre\\\\bin\\\\java.exe\",\n \"?:\\\\Program Files (x86)\\\\TeamCity\\\\jre\\\\bin\\\\java.exe\",\n \"?:\\\\TeamCity\\\\BuildAgent\\\\jre\\\\bin\\\\java.exe\") and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"msiexec.exe\", \"certutil.exe\", \"bitsadmin.exe\", \"wmic.exe\", \"curl.exe\", \"ssh.exe\",\n \"rundll32.exe\", \"regsvr32.exe\", \"mshta.exe\", \"certreq.exe\", \"net.exe\", \"nltest.exe\", \"whoami.exe\", \"hostname.exe\",\n \"tasklist.exe\", \"arp.exe\", \"nbtstat.exe\", \"netstat.exe\", \"reg.exe\", \"tasklist.exe\", \"Microsoft.Workflow.Compiler.exe\",\n \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\", \"cmstp.exe\", \"control.exe\", \"cscript.exe\", \"csi.exe\",\n \"dnx.exe\", \"dsget.exe\", \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"ieexec.exe\", \"iexpress.exe\",\n \"installutil.exe\", \"ipconfig.exe\",\"msxsl.exe\", \"netsh.exe\", \"odbcconf.exe\", \"ping.exe\", \"pwsh.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"regasm.exe\", \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", 
\"schtasks.exe\",\n \"systeminfo.exe\", \"tracert.exe\", \"wmic.exe\", \"wscript.exe\",\"xwizard.exe\", \"explorer.exe\", \"msdt.exe\") and\n not (process.name : \"powershell.exe\" and process.args : \"-ExecutionPolicy\" and process.args : \"?:\\\\TeamCity\\\\buildAgent\\\\work\\\\*.ps1\") and\n not (process.name : \"cmd.exe\" and process.args : \"dir\" and process.args : \"/-c\")\n", "references": ["https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "730ed57d-ae0f-444f-af50-78708b57edd5", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", 
"reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "730ed57d-ae0f-444f-af50-78708b57edd5_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/730ed57d-ae0f-444f-af50-78708b57edd5_3.json b/packages/security_detection_engine/kibana/security_rule/730ed57d-ae0f-444f-af50-78708b57edd5_3.json deleted file mode 100644 index 162c473ab0f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/730ed57d-ae0f-444f-af50-78708b57edd5_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious processes being spawned by the JetBrain TeamCity process. This activity could be related to JetBrains remote code execution vulnerabilities.", "false_positives": ["Powershell and Windows Command Shell are often observed as legit child processes of the Jetbrains TeamCity service and may require further tuning."], "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious JetBrains TeamCity Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable :\n (\"?:\\\\TeamCity\\\\jre\\\\bin\\\\java.exe\",\n \"?:\\\\Program Files\\\\TeamCity\\\\jre\\\\bin\\\\java.exe\",\n \"?:\\\\Program Files (x86)\\\\TeamCity\\\\jre\\\\bin\\\\java.exe\",\n \"?:\\\\TeamCity\\\\BuildAgent\\\\jre\\\\bin\\\\java.exe\") and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"msiexec.exe\", \"certutil.exe\", \"bitsadmin.exe\", \"wmic.exe\", \"curl.exe\", \"ssh.exe\",\n \"rundll32.exe\", \"regsvr32.exe\", \"mshta.exe\", \"certreq.exe\", \"net.exe\", \"nltest.exe\", \"whoami.exe\", \"hostname.exe\",\n \"tasklist.exe\", \"arp.exe\", \"nbtstat.exe\", \"netstat.exe\", \"reg.exe\", \"tasklist.exe\", \"Microsoft.Workflow.Compiler.exe\",\n \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\", \"cmstp.exe\", \"control.exe\", \"cscript.exe\", \"csi.exe\",\n \"dnx.exe\", \"dsget.exe\", \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"ieexec.exe\", \"iexpress.exe\",\n \"installutil.exe\", \"ipconfig.exe\",\"msxsl.exe\", \"netsh.exe\", \"odbcconf.exe\", \"ping.exe\", \"pwsh.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"regasm.exe\", \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", 
\"schtasks.exe\",\n \"systeminfo.exe\", \"tracert.exe\", \"wmic.exe\", \"wscript.exe\",\"xwizard.exe\", \"explorer.exe\", \"msdt.exe\") and\n not (process.name : \"powershell.exe\" and process.args : \"-ExecutionPolicy\" and process.args : \"?:\\\\TeamCity\\\\buildAgent\\\\work\\\\*.ps1\") and\n not (process.name : \"cmd.exe\" and process.args : \"dir\" and process.args : \"/-c\")\n", "references": ["https://www.trendmicro.com/en_us/research/24/c/teamcity-vulnerability-exploits-lead-to-jasmin-ransomware.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "730ed57d-ae0f-444f-af50-78708b57edd5", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", 
"name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "730ed57d-ae0f-444f-af50-78708b57edd5_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7318affb-bfe8-4d50-a425-f617833be160.json b/packages/security_detection_engine/kibana/security_rule/7318affb-bfe8-4d50-a425-f617833be160.json deleted file mode 100644 index cfca7e8cc4d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7318affb-bfe8-4d50-a425-f617833be160.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the potential execution of the `/etc/rc.local` script through the `already_running` event action created by the `rc-local.service` systemd service. The `/etc/rc.local` script is a legacy initialization script that is executed at the end of the boot process. The `/etc/rc.local` script is not enabled by default on most Linux distributions. The `/etc/rc.local` script can be used by attackers to persistently execute malicious commands or scripts on a compromised system at reboot. As the rc.local file is executed prior to the initialization of Elastic Defend, the execution event is not ingested, and therefore the `already_running` event is leveraged to provide insight into the potential execution of `rc.local`.", "from": "now-9m", "index": ["logs-endpoint.events.process*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Execution of rc.local Script", "query": "process where host.os.type == \"linux\" and event.type == \"info\" and event.action == \"already_running\" and \nprocess.parent.args == \"/etc/rc.local\" and process.parent.args == \"start\"\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}], "risk_score": 47, "rule_id": "7318affb-bfe8-4d50-a425-f617833be160", "setup": "## 
Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "7318affb-bfe8-4d50-a425-f617833be160", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7318affb-bfe8-4d50-a425-f617833be160_1.json b/packages/security_detection_engine/kibana/security_rule/7318affb-bfe8-4d50-a425-f617833be160_1.json deleted file mode 100644 index 4be6f2d8f6d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7318affb-bfe8-4d50-a425-f617833be160_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the potential execution of the `/etc/rc.local` script through the `already_running` event action created by the `rc-local.service` systemd service. The `/etc/rc.local` script is a legacy initialization script that is executed at the end of the boot process. The `/etc/rc.local` script is not enabled by default on most Linux distributions. The `/etc/rc.local` script can be used by attackers to persistently execute malicious commands or scripts on a compromised system at reboot. As the rc.local file is executed prior to the initialization of Elastic Defend, the execution event is not ingested, and therefore the `already_running` event is leveraged to provide insight into the potential execution of `rc.local`.", "from": "now-9m", "index": ["logs-endpoint.events.process*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Execution of rc.local Script", "query": "process where host.os.type == \"linux\" and event.type == \"info\" and event.action == \"already_running\" and \nprocess.parent.args == \"/etc/rc.local\" and process.parent.args == \"start\"\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}], "risk_score": 47, "rule_id": "7318affb-bfe8-4d50-a425-f617833be160", "setup": "## 
Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "7318affb-bfe8-4d50-a425-f617833be160_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8.json b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8.json deleted file mode 100644 index 89566cfc5ae..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Modification of Accessibility Binaries", "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service 
Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.pe.original_file_name : \"?*\" and\n process.args :\n (\n \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n \"utilman.exe\",\n \"ATBroker.exe\",\n \"DisplaySwitch.exe\",\n \"sethc.exe\"\n )\n and not process.pe.original_file_name in\n (\n \"osk.exe\",\n \"sethc.exe\",\n \"utilman2.exe\",\n \"DisplaySwitch.exe\",\n \"ATBroker.exe\",\n \"ScreenMagnifier.exe\",\n \"SR.exe\",\n \"Narrator.exe\",\n \"magnify.exe\",\n \"MAGNIFY.EXE\"\n )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n", "references": ["https://www.elastic.co/blog/practical-security-engineering-stateful-detection"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": 
"keyword"}], "risk_score": 73, "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.008", "name": "Accessibility Features", "reference": "https://attack.mitre.org/techniques/T1546/008/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.008", "name": "Accessibility Features", "reference": "https://attack.mitre.org/techniques/T1546/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_104.json b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_104.json
deleted file mode 100644
index 6e7d34c0871..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Modification of Accessibility Binaries", "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.args :\n (\n \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n \"utilman.exe\",\n \"ATBroker.exe\",\n \"DisplaySwitch.exe\",\n \"sethc.exe\"\n )\n and not process.pe.original_file_name in\n (\n \"osk.exe\",\n \"sethc.exe\",\n \"utilman2.exe\",\n \"DisplaySwitch.exe\",\n \"ATBroker.exe\",\n \"ScreenMagnifier.exe\",\n \"SR.exe\",\n \"Narrator.exe\",\n \"magnify.exe\",\n \"MAGNIFY.EXE\"\n )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n", "references": ["https://www.elastic.co/blog/practical-security-engineering-stateful-detection"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": 
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.008", "name": "Accessibility Features", "reference": "https://attack.mitre.org/techniques/T1546/008/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.008", "name": "Accessibility Features", "reference": "https://attack.mitre.org/techniques/T1546/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_105.json b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_105.json
deleted file mode 100644
index db3e6ac1486..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Modification of Accessibility Binaries", "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service 
Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.args :\n (\n \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n \"utilman.exe\",\n \"ATBroker.exe\",\n \"DisplaySwitch.exe\",\n \"sethc.exe\"\n )\n and not process.pe.original_file_name in\n (\n \"osk.exe\",\n \"sethc.exe\",\n \"utilman2.exe\",\n \"DisplaySwitch.exe\",\n \"ATBroker.exe\",\n \"ScreenMagnifier.exe\",\n \"SR.exe\",\n \"Narrator.exe\",\n \"magnify.exe\",\n \"MAGNIFY.EXE\"\n )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n", "references": ["https://www.elastic.co/blog/practical-security-engineering-stateful-detection"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": 
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.008", "name": "Accessibility Features", "reference": "https://attack.mitre.org/techniques/T1546/008/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.008", "name": "Accessibility Features", "reference": "https://attack.mitre.org/techniques/T1546/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_106.json b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_106.json
deleted file mode 100644
index b6d119659b0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Modification of Accessibility Binaries", "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service 
Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.args :\n (\n \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n \"utilman.exe\",\n \"ATBroker.exe\",\n \"DisplaySwitch.exe\",\n \"sethc.exe\"\n )\n and not process.pe.original_file_name in\n (\n \"osk.exe\",\n \"sethc.exe\",\n \"utilman2.exe\",\n \"DisplaySwitch.exe\",\n \"ATBroker.exe\",\n \"ScreenMagnifier.exe\",\n \"SR.exe\",\n \"Narrator.exe\",\n \"magnify.exe\",\n \"MAGNIFY.EXE\"\n )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n", "references": ["https://www.elastic.co/blog/practical-security-engineering-stateful-detection"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": 
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.008", "name": "Accessibility Features", "reference": "https://attack.mitre.org/techniques/T1546/008/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.008", "name": "Accessibility Features", "reference": "https://attack.mitre.org/techniques/T1546/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_107.json b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_107.json deleted file mode 100644 index e30ce2de0b7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Modification of Accessibility Binaries", "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service 
Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.args :\n (\n \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n \"utilman.exe\",\n \"ATBroker.exe\",\n \"DisplaySwitch.exe\",\n \"sethc.exe\"\n )\n and not process.pe.original_file_name in\n (\n \"osk.exe\",\n \"sethc.exe\",\n \"utilman2.exe\",\n \"DisplaySwitch.exe\",\n \"ATBroker.exe\",\n \"ScreenMagnifier.exe\",\n \"SR.exe\",\n \"Narrator.exe\",\n \"magnify.exe\",\n \"MAGNIFY.EXE\"\n )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n", "references": ["https://www.elastic.co/blog/practical-security-engineering-stateful-detection"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": 
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.008", "name": "Accessibility Features", "reference": "https://attack.mitre.org/techniques/T1546/008/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.008", "name": "Accessibility Features", "reference": "https://attack.mitre.org/techniques/T1546/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_108.json b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_108.json deleted file mode 100644 index 30e361bd5c5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Modification of Accessibility Binaries", "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service 
Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.args :\n (\n \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n \"utilman.exe\",\n \"ATBroker.exe\",\n \"DisplaySwitch.exe\",\n \"sethc.exe\"\n )\n and not process.pe.original_file_name in\n (\n \"osk.exe\",\n \"sethc.exe\",\n \"utilman2.exe\",\n \"DisplaySwitch.exe\",\n \"ATBroker.exe\",\n \"ScreenMagnifier.exe\",\n \"SR.exe\",\n \"Narrator.exe\",\n \"magnify.exe\",\n \"MAGNIFY.EXE\"\n )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n", "references": ["https://www.elastic.co/blog/practical-security-engineering-stateful-detection"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": 
"7405ddf1-6c8e-41ce-818f-48bea6bcaed8", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.008", "name": "Accessibility Features", "reference": "https://attack.mitre.org/techniques/T1546/008/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.008", "name": "Accessibility Features", "reference": "https://attack.mitre.org/techniques/T1546/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8_108", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_109.json b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_109.json
deleted file mode 100644
index d602e5e9457..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Modification of Accessibility Binaries", "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service 
Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.pe.original_file_name : \"?*\" and\n process.args :\n (\n \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n \"utilman.exe\",\n \"ATBroker.exe\",\n \"DisplaySwitch.exe\",\n \"sethc.exe\"\n )\n and not process.pe.original_file_name in\n (\n \"osk.exe\",\n \"sethc.exe\",\n \"utilman2.exe\",\n \"DisplaySwitch.exe\",\n \"ATBroker.exe\",\n \"ScreenMagnifier.exe\",\n \"SR.exe\",\n \"Narrator.exe\",\n \"magnify.exe\",\n \"MAGNIFY.EXE\"\n )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n", "references": ["https://www.elastic.co/blog/practical-security-engineering-stateful-detection"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": 
"keyword"}], "risk_score": 73, "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.008", "name": "Accessibility Features", "reference": "https://attack.mitre.org/techniques/T1546/008/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.008", "name": "Accessibility Features", "reference": "https://attack.mitre.org/techniques/T1546/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8_109", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_110.json b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_110.json
deleted file mode 100644
index 2ac07f90843..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Modification of Accessibility Binaries", "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service 
Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.pe.original_file_name : \"?*\" and\n process.args :\n (\n \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n \"utilman.exe\",\n \"ATBroker.exe\",\n \"DisplaySwitch.exe\",\n \"sethc.exe\"\n )\n and not process.pe.original_file_name in\n (\n \"osk.exe\",\n \"sethc.exe\",\n \"utilman2.exe\",\n \"DisplaySwitch.exe\",\n \"ATBroker.exe\",\n \"ScreenMagnifier.exe\",\n \"SR.exe\",\n \"Narrator.exe\",\n \"magnify.exe\",\n \"MAGNIFY.EXE\"\n )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n", "references": ["https://www.elastic.co/blog/practical-security-engineering-stateful-detection"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": 
"keyword"}], "risk_score": 73, "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.008", "name": "Accessibility Features", "reference": "https://attack.mitre.org/techniques/T1546/008/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.008", "name": "Accessibility Features", "reference": "https://attack.mitre.org/techniques/T1546/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8_110", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_111.json b/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_111.json
deleted file mode 100644
index d00e5222c5c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7405ddf1-6c8e-41ce-818f-48bea6bcaed8_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows contains accessibility features that may be launched with a key combination before a user has logged in. An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Modification of Accessibility Binaries", "note": "## Triage and analysis\n\n### Investigating Potential Modification of Accessibility Binaries\n\nAdversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.\n\nMore details can be found [here](https://attack.mitre.org/techniques/T1546/008/).\n\nThis rule looks for the execution of supposed accessibility binaries that don't match any of the accessibility features binaries' original file names, which is likely a custom binary deployed by the attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service 
Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"Utilman.exe\", \"winlogon.exe\") and user.name == \"SYSTEM\" and\n process.pe.original_file_name : \"?*\" and\n process.args :\n (\n \"C:\\\\Windows\\\\System32\\\\osk.exe\",\n \"C:\\\\Windows\\\\System32\\\\Magnify.exe\",\n \"C:\\\\Windows\\\\System32\\\\Narrator.exe\",\n \"C:\\\\Windows\\\\System32\\\\Sethc.exe\",\n \"utilman.exe\",\n \"ATBroker.exe\",\n \"DisplaySwitch.exe\",\n \"sethc.exe\"\n )\n and not process.pe.original_file_name in\n (\n \"osk.exe\",\n \"sethc.exe\",\n \"utilman2.exe\",\n \"DisplaySwitch.exe\",\n \"ATBroker.exe\",\n \"ScreenMagnifier.exe\",\n \"SR.exe\",\n \"Narrator.exe\",\n \"magnify.exe\",\n \"MAGNIFY.EXE\"\n )\n\n/* uncomment once in winlogbeat to avoid bypass with rogue process with matching pe original file name */\n/* and process.code_signature.subject_name == \"Microsoft Windows\" and process.code_signature.status == \"trusted\" */\n", "references": ["https://www.elastic.co/blog/practical-security-engineering-stateful-detection"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": 
"keyword"}], "risk_score": 73, "rule_id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.008", "name": "Accessibility Features", "reference": "https://attack.mitre.org/techniques/T1546/008/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.008", "name": "Accessibility Features", "reference": "https://attack.mitre.org/techniques/T1546/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "7405ddf1-6c8e-41ce-818f-48bea6bcaed8_111", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1.json b/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1.json
deleted file mode 100644
index 9a52259089b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of Environment Variable via Unsigned or Untrusted Parent", "query": "event.category:process and host.os.type:macos and event.type:start and \n process.name:launchctl and \n (process.parent.code_signature.exists : false or process.parent.code_signature.trusted : false) and\n process.args:(setenv and not (ANT_HOME or \n DBUS_LAUNCHD_SESSION_BUS_SOCKET or \n EDEN_ENV or \n LG_WEBOS_TV_SDK_HOME or \n RUNTIME_JAVA_HOME or \n WEBOS_CLI_TV or \n JAVA*_HOME) and \n not *.vmoptions) and \n not process.parent.executable:(\"/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper\" or \n /Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin or \n /Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin or \n /usr/local/bin/kr)\n", "references": ["https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.parent.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": 
"7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.007", "name": "Path Interception by PATH Environment Variable", "reference": "https://attack.mitre.org/techniques/T1574/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_102.json b/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_102.json deleted file mode 100644 index dfef0c484dc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of Environment Variable via Launchctl", "query": "event.category:process and host.os.type:macos and event.type:start and\n process.name:launchctl and\n process.args:(setenv and not (JAVA*_HOME or\n RUNTIME_JAVA_HOME or\n DBUS_LAUNCHD_SESSION_BUS_SOCKET or\n ANT_HOME or\n LG_WEBOS_TV_SDK_HOME or\n WEBOS_CLI_TV or\n EDEN_ENV)\n ) and\n not process.parent.executable:(\"/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin\" or\n \"/usr/local/bin/kr\" or\n \"/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin\" or\n \"/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper\") and\n not process.args : \"*.vmoptions\"\n", "references": ["https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.007", "name": "Path Interception by PATH Environment Variable", "reference": "https://attack.mitre.org/techniques/T1574/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_103.json b/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_103.json deleted file mode 100644 index a73d1200008..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of Environment Variable via Launchctl", "query": "event.category:process and host.os.type:macos and event.type:start and \n process.name:launchctl and \n process.args:(setenv and not (ANT_HOME or \n DBUS_LAUNCHD_SESSION_BUS_SOCKET or \n EDEN_ENV or \n LG_WEBOS_TV_SDK_HOME or \n RUNTIME_JAVA_HOME or \n WEBOS_CLI_TV or \n JAVA*_HOME) and \n not *.vmoptions) and \n not process.parent.executable:(\"/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper\" or \n /Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin or \n /Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin or \n /usr/local/bin/kr)\n", "references": ["https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.007", "name": "Path Interception by PATH Environment Variable", "reference": "https://attack.mitre.org/techniques/T1574/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_104.json b/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_104.json deleted file mode 100644 index 03a899904c0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of Environment Variable via Launchctl", "query": "event.category:process and host.os.type:macos and event.type:start and \n process.name:launchctl and \n process.args:(setenv and not (ANT_HOME or \n DBUS_LAUNCHD_SESSION_BUS_SOCKET or \n EDEN_ENV or \n LG_WEBOS_TV_SDK_HOME or \n RUNTIME_JAVA_HOME or \n WEBOS_CLI_TV or \n JAVA*_HOME) and \n not *.vmoptions) and \n not process.parent.executable:(\"/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper\" or \n /Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin or \n /Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin or \n /usr/local/bin/kr)\n", "references": ["https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense 
Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.007", "name": "Path Interception by PATH Environment Variable", "reference": "https://attack.mitre.org/techniques/T1574/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_105.json b/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_105.json deleted file mode 100644 index f403b3b5150..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of Environment Variable via Launchctl", "query": "event.category:process and host.os.type:macos and event.type:start and \n process.name:launchctl and \n process.args:(setenv and not (ANT_HOME or \n DBUS_LAUNCHD_SESSION_BUS_SOCKET or \n EDEN_ENV or \n LG_WEBOS_TV_SDK_HOME or \n RUNTIME_JAVA_HOME or \n WEBOS_CLI_TV or \n JAVA*_HOME) and \n not *.vmoptions) and \n not process.parent.executable:(\"/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper\" or \n /Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin or \n /Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin or \n /usr/local/bin/kr)\n", "references": ["https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.007", "name": "Path Interception by PATH Environment Variable", "reference": "https://attack.mitre.org/techniques/T1574/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_106.json b/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_106.json deleted file mode 100644 index bdffcb46d5d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of Environment Variable via Launchctl", "query": "event.category:process and host.os.type:macos and event.type:start and \n process.name:launchctl and \n process.args:(setenv and not (ANT_HOME or \n DBUS_LAUNCHD_SESSION_BUS_SOCKET or \n EDEN_ENV or \n LG_WEBOS_TV_SDK_HOME or \n RUNTIME_JAVA_HOME or \n WEBOS_CLI_TV or \n JAVA*_HOME) and \n not *.vmoptions) and \n not process.parent.executable:(\"/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper\" or \n /Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin or \n /Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin or \n /usr/local/bin/kr)\n", "references": ["https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.007", "name": "Path Interception by PATH Environment Variable", "reference": "https://attack.mitre.org/techniques/T1574/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d.json b/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d.json deleted file mode 100644 index bf075c5bd21..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected a user logging in at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. In addition, unauthorized user activity often takes place during non-business hours.", "false_positives": ["Users working late, or logging in from unusual time zones while traveling, may trigger this rule."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "auth_rare_hour_for_a_user", "name": "Unusual Hour for a User to Logon", "note": "## Triage and analysis\n\n### Investigating Unusual Hour for a User to Logon\n\nThis rule uses a machine learning job to detect a user logging in at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. It can also indicate unauthorized user activity, as it often occurs during non-business hours.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, network connections, data access, and logon events.\n- Investigate other alerts associated with the involved users during the past 48 hours.\n\n### False positive analysis\n\n- Users may need to log in during non-business hours to perform work-related tasks. 
Examine whether the company policies authorize this or if the activity is done under change management.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}], "risk_score": 21, "rule_id": "745b0119-0560-43ba-860a-7235dd8cee8d", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n- System\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n\n### System Integration Setup\nThe System integration allows you to collect system logs and metrics from your servers with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"system\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cSystem\u201d and select the integration to see more details about it.\n- Click \u201cAdd System\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201csystem\u201d to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).\n", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "type": "machine_learning", "version": 105}, "id": "745b0119-0560-43ba-860a-7235dd8cee8d", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_102.json b/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_102.json deleted file mode 100644 index 6d0fd8ebf15..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected a user logging in at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. In addition, unauthorized user activity often takes place during non-business hours.", "false_positives": ["Users working late, or logging in from unusual time zones while traveling, may trigger this rule."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "auth_rare_hour_for_a_user", "name": "Unusual Hour for a User to Logon", "note": "## Triage and analysis\n\n### Investigating Unusual Hour for a User to Logon\n\nThis rule uses a machine learning job to detect a user logging in at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. It can also indicate unauthorized user activity, as it often occurs during non-business hours.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, network connections, data access, and logon events.\n- Investigate other alerts associated with the involved users during the past 48 hours.\n\n### False positive analysis\n\n- Users may need to log in during non-business hours to perform work-related tasks. 
Examine whether the company policies authorize this or if the activity is done under change management.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "745b0119-0560-43ba-860a-7235dd8cee8d", "severity": "low", "tags": ["Elastic", "Authentication", "Threat Detection", "ML", "Machine Learning", "Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "type": "machine_learning", "version": 102}, "id": "745b0119-0560-43ba-860a-7235dd8cee8d_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_103.json b/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_103.json deleted file mode 100644 index b08d1262d75..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected a user logging in at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. In addition, unauthorized user activity often takes place during non-business hours.", "false_positives": ["Users working late, or logging in from unusual time zones while traveling, may trigger this rule."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "auth_rare_hour_for_a_user", "name": "Unusual Hour for a User to Logon", "note": "## Triage and analysis\n\n### Investigating Unusual Hour for a User to Logon\n\nThis rule uses a machine learning job to detect a user logging in at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. It can also indicate unauthorized user activity, as it often occurs during non-business hours.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, network connections, data access, and logon events.\n- Investigate other alerts associated with the involved users during the past 48 hours.\n\n### False positive analysis\n\n- Users may need to log in during non-business hours to perform work-related tasks. 
Examine whether the company policies authorize this or if the activity is done under change management.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "745b0119-0560-43ba-860a-7235dd8cee8d", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "type": "machine_learning", "version": 103}, "id": "745b0119-0560-43ba-860a-7235dd8cee8d_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_104.json b/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_104.json deleted file mode 100644 index d0c8a5011c1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/745b0119-0560-43ba-860a-7235dd8cee8d_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected a user logging in at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. In addition, unauthorized user activity often takes place during non-business hours.", "false_positives": ["Users working late, or logging in from unusual time zones while traveling, may trigger this rule."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "auth_rare_hour_for_a_user", "name": "Unusual Hour for a User to Logon", "note": "## Triage and analysis\n\n### Investigating Unusual Hour for a User to Logon\n\nThis rule uses a machine learning job to detect a user logging in at a time of day that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different time zones. It can also indicate unauthorized user activity, as it often occurs during non-business hours.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, network connections, data access, and logon events.\n- Investigate other alerts associated with the involved users during the past 48 hours.\n\n### False positive analysis\n\n- Users may need to log in during non-business hours to perform work-related tasks. 
Examine whether the company policies authorize this or if the activity is done under change management.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}], "risk_score": 21, "rule_id": "745b0119-0560-43ba-860a-7235dd8cee8d", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "type": "machine_learning", "version": 104}, "id": "745b0119-0560-43ba-860a-7235dd8cee8d_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448.json b/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448.json deleted file mode 100644 index 362f69bb111..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert. Network activity that occurs rarely, in small quantities, can trigger this alert. Possible examples are browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "packetbeat_rare_dns_question", "name": "Unusual DNS Activity", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "746edc4c-c54c-49c6-97a1-651223819448", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Network Packet Capture\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Network Packet Capture Integration Setup\nThe Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment \u2014 ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"network_traffic\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cNetwork Packet Capture\u201d and select the integration to see more details about it.\n- Click \u201cAdd Network Packet Capture\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cnetwork_traffic\u201d to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).\n", "severity": "low", "tags": ["Use Case: Threat Detection", 
"Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.004", "name": "DNS", "reference": "https://attack.mitre.org/techniques/T1071/004/"}]}]}], "type": "machine_learning", "version": 104}, "id": "746edc4c-c54c-49c6-97a1-651223819448", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_101.json b/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_101.json deleted file mode 100644 index 4add53ce1b2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert. Network activity that occurs rarely, in small quantities, can trigger this alert. Possible examples are browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "packetbeat_rare_dns_question", "name": "Unusual DNS Activity", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "746edc4c-c54c-49c6-97a1-651223819448", "severity": "low", "tags": ["Elastic", "Network", "Threat Detection", "ML", "Machine Learning", "Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.004", "name": "DNS", "reference": "https://attack.mitre.org/techniques/T1071/004/"}]}]}], "type": "machine_learning", "version": 101}, "id": "746edc4c-c54c-49c6-97a1-651223819448_101", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_102.json b/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_102.json
deleted file mode 100644
index c28a2d165fe..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert. Network activity that occurs rarely, in small quantities, can trigger this alert. Possible examples are browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "packetbeat_rare_dns_question", "name": "Unusual DNS Activity", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "746edc4c-c54c-49c6-97a1-651223819448", "severity": "low", "tags": ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.004", "name": "DNS", "reference": "https://attack.mitre.org/techniques/T1071/004/"}]}]}], "type": "machine_learning", "version": 102}, "id": "746edc4c-c54c-49c6-97a1-651223819448_102", "type": "security-rule"} \ No newline at end of 
file
diff --git a/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_103.json b/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_103.json
deleted file mode 100644
index 7257f834154..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/746edc4c-c54c-49c6-97a1-651223819448_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected a rare and unusual DNS query that indicate network activity with unusual DNS domains. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, when a user clicks on a link in a phishing email or opens a malicious document, a request may be sent to download and run a payload from an uncommon domain. When malware is already running, it may send requests to an uncommon DNS domain the malware uses for command-and-control communication.", "false_positives": ["A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert. Network activity that occurs rarely, in small quantities, can trigger this alert. Possible examples are browsing technical support or vendor networks sparsely. A user who visits a new or unique web destination may trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "packetbeat_rare_dns_question", "name": "Unusual DNS Activity", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "746edc4c-c54c-49c6-97a1-651223819448", "severity": "low", "tags": ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.004", "name": "DNS", "reference": "https://attack.mitre.org/techniques/T1071/004/"}]}]}], "type": 
"machine_learning", "version": 103}, "id": "746edc4c-c54c-49c6-97a1-651223819448_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02.json b/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02.json
deleted file mode 100644
index 6ed446cad5b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security.", "from": "now-119m", "history_window_start": "now-14d", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Sysctl File Event", "new_terms_fields": ["host.id", "process.executable"], "query": "host.os.type:linux and event.category:file and event.action:(\"opened-file\" or \"read-file\" or \"wrote-to-file\") and\nfile.path : (\"/etc/sysctl.conf\" or \"/etc/sysctl.d\" or /etc/sysctl.d/*) and not process.name:(\n dpkg or dockerd or unattended-upg or systemd-sysctl or python* or auditbeat or dpkg or grep or pool*\n)\n", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "7592c127-89fb-4209-a8f6-f9944dfd7e02", "setup": "## Setup\n\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "low", "tags": ["Data Source: Auditd Manager", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 107}, "id": "7592c127-89fb-4209-a8f6-f9944dfd7e02", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_1.json b/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_1.json deleted file mode 100644 index d9546c22055..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Sysctl File Event", "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. 
\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "file where host.os.type == \"linux\" and event.action in (\"opened-file\", \"read-file\", \"wrote-to-file\") and\nfile.path : (\"/etc/sysctl.conf\", \"/etc/sysctl.d\", \"/etc/sysctl.d/*\") and not process.name == \"auditbeat\"\n", "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "7592c127-89fb-4209-a8f6-f9944dfd7e02", "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "low", "tags": ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "7592c127-89fb-4209-a8f6-f9944dfd7e02_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_103.json b/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_103.json deleted file mode 100644 index a17c8e7ca63..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security.", "from": "now-119m", "history_window_start": "now-7d", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Sysctl File Event", "new_terms_fields": ["host.id", "process.executable", "file.path"], "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. 
\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "host.os.type:linux and event.category:file and event.action:(\"opened-file\" or \"read-file\" or \"wrote-to-file\") and\nfile.path : (\"/etc/sysctl.conf\" or \"/etc/sysctl.d\" or /etc/sysctl.d/*)\n", "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "7592c127-89fb-4209-a8f6-f9944dfd7e02", "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "low", "tags": ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 103}, "id": "7592c127-89fb-4209-a8f6-f9944dfd7e02_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_104.json b/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_104.json deleted file mode 100644 index 25f310f722b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security.", "from": "now-119m", "history_window_start": "now-7d", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Sysctl File Event", "new_terms_fields": ["host.id", "process.executable", "file.path"], "query": "host.os.type:linux and event.category:file and event.action:(\"opened-file\" or \"read-file\" or \"wrote-to-file\") and\nfile.path : (\"/etc/sysctl.conf\" or \"/etc/sysctl.d\" or /etc/sysctl.d/*)\n", "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "7592c127-89fb-4209-a8f6-f9944dfd7e02", "setup": "\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. 
The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "low", "tags": ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 104}, "id": "7592c127-89fb-4209-a8f6-f9944dfd7e02_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_105.json b/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_105.json deleted file mode 100644 index c7cc282e7a6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security.", "from": "now-119m", "history_window_start": "now-7d", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Sysctl File Event", "new_terms_fields": ["host.id", "process.executable", "file.path"], "query": "host.os.type:linux and event.category:file and event.action:(\"opened-file\" or \"read-file\" or \"wrote-to-file\") and\nfile.path : (\"/etc/sysctl.conf\" or \"/etc/sysctl.d\" or /etc/sysctl.d/*) and\nnot process.name:(dpkg or dockerd or unattended-upg)\n", "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "7592c127-89fb-4209-a8f6-f9944dfd7e02", "setup": "\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. 
The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "low", "tags": ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 105}, "id": "7592c127-89fb-4209-a8f6-f9944dfd7e02_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_106.json b/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_106.json
deleted file mode 100644
index 77ce0e24d64..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security.", "from": "now-119m", "history_window_start": "now-7d", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Sysctl File Event", "new_terms_fields": ["host.id", "process.executable", "file.path"], "query": "host.os.type:linux and event.category:file and event.action:(\"opened-file\" or \"read-file\" or \"wrote-to-file\") and\nfile.path : (\"/etc/sysctl.conf\" or \"/etc/sysctl.d\" or /etc/sysctl.d/*) and\nnot process.name:(dpkg or dockerd or unattended-upg)\n", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "7592c127-89fb-4209-a8f6-f9944dfd7e02", "setup": "\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. 
The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "low", "tags": ["Data Source: Auditd Manager", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 106}, "id": "7592c127-89fb-4209-a8f6-f9944dfd7e02_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_107.json b/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_107.json
deleted file mode 100644
index 03b3ddf9bb7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security.", "from": "now-119m", "history_window_start": "now-14d", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Sysctl File Event", "new_terms_fields": ["host.id", "process.executable"], "query": "host.os.type:linux and event.category:file and event.action:(\"opened-file\" or \"read-file\" or \"wrote-to-file\") and\nfile.path : (\"/etc/sysctl.conf\" or \"/etc/sysctl.d\" or /etc/sysctl.d/*) and not process.name:(\n dpkg or dockerd or unattended-upg or systemd-sysctl or python* or auditbeat or dpkg or grep or pool*\n)\n", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "7592c127-89fb-4209-a8f6-f9944dfd7e02", "setup": "## Setup\n\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "low", "tags": ["Data Source: Auditd Manager", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 107}, "id": "7592c127-89fb-4209-a8f6-f9944dfd7e02_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_2.json b/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_2.json
deleted file mode 100644
index a24e2e3b623..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Sysctl File Event", "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. 
\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "file where host.os.type == \"linux\" and event.action in (\"opened-file\", \"read-file\", \"wrote-to-file\") and\nfile.path : (\"/etc/sysctl.conf\", \"/etc/sysctl.d\", \"/etc/sysctl.d/*\") and \nnot process.name in (\"auditbeat\", \"systemd-sysctl\")\n", "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "7592c127-89fb-4209-a8f6-f9944dfd7e02", "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "low", "tags": ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "7592c127-89fb-4209-a8f6-f9944dfd7e02_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_3.json b/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_3.json
deleted file mode 100644
index d4846cb8928..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7592c127-89fb-4209-a8f6-f9944dfd7e02_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Monitors file events on sysctl configuration files (e.g., /etc/sysctl.conf, /etc/sysctl.d/*.conf) to identify potential unauthorized access or manipulation of system-level configuration settings. Attackers may tamper with the sysctl configuration files to modify kernel parameters, potentially compromising system stability, performance, or security.", "from": "now-119m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Suspicious Sysctl File Event", "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. 
\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "file where host.os.type == \"linux\" and event.action in (\"opened-file\", \"read-file\", \"wrote-to-file\") and\nfile.path : (\"/etc/sysctl.conf\", \"/etc/sysctl.d\", \"/etc/sysctl.d/*\") and \nnot process.name in (\"auditbeat\", \"systemd-sysctl\", \"dpkg\", \"dnf\", \"yum\", \"rpm\", \"apt\")\n", "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "7592c127-89fb-4209-a8f6-f9944dfd7e02", "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n\n```\n-w /etc/sysctl.conf -p wa -k sysctl\n-w /etc/sysctl.d -p wa -k sysctl\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "low", "tags": ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "7592c127-89fb-4209-a8f6-f9944dfd7e02_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/75dcb176-a575-4e33-a020-4a52aaa1b593.json b/packages/security_detection_engine/kibana/security_rule/75dcb176-a575-4e33-a020-4a52aaa1b593.json
deleted file mode 100644
index 564ef624f76..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/75dcb176-a575-4e33-a020-4a52aaa1b593.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies attempts to modify services start settings using processes other than services.exe. Attackers may attempt to modify security and monitoring services to avoid detection or delay response.", "from": "now-119m", "index": ["logs-endpoint.events.registry-*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Service Disabled via Registry Modification", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\"\n ) and registry.data.strings : (\"3\", \"4\") and\n not \n (\n process.name : \"services.exe\" and user.id : \"S-1-5-18\"\n )\n and not registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\MrxSmb10\\\\Start\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "75dcb176-a575-4e33-a020-4a52aaa1b593", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}, {"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "75dcb176-a575-4e33-a020-4a52aaa1b593", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/75dcb176-a575-4e33-a020-4a52aaa1b593_1.json b/packages/security_detection_engine/kibana/security_rule/75dcb176-a575-4e33-a020-4a52aaa1b593_1.json
deleted file mode 100644
index 4d27c68cdf0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/75dcb176-a575-4e33-a020-4a52aaa1b593_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies attempts to modify services start settings using processes other than services.exe. Attackers may attempt to modify security and monitoring services to avoid detection or delay response.", "from": "now-119m", "index": ["logs-endpoint.events.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Service Disabled via Registry Modification", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\"\n ) and registry.data.strings : (\"3\", \"4\") and\n not \n (\n process.name : \"services.exe\" and user.id : \"S-1-5-18\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "75dcb176-a575-4e33-a020-4a52aaa1b593", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": 
"https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "75dcb176-a575-4e33-a020-4a52aaa1b593_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/75dcb176-a575-4e33-a020-4a52aaa1b593_2.json b/packages/security_detection_engine/kibana/security_rule/75dcb176-a575-4e33-a020-4a52aaa1b593_2.json
deleted file mode 100644
index 4717e4fc1b7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/75dcb176-a575-4e33-a020-4a52aaa1b593_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies attempts to modify services start settings using processes other than services.exe. Attackers may attempt to modify security and monitoring services to avoid detection or delay response.", "from": "now-119m", "index": ["logs-endpoint.events.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Service Disabled via Registry Modification", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\"\n ) and registry.data.strings : (\"3\", \"4\") and\n not \n (\n process.name : \"services.exe\" and user.id : \"S-1-5-18\"\n )\n and not registry.path : \"HKLM\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\MrxSmb10\\\\Start\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "75dcb176-a575-4e33-a020-4a52aaa1b593", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}, {"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "75dcb176-a575-4e33-a020-4a52aaa1b593_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/75ee75d8-c180-481c-ba88-ee50129a6aef.json b/packages/security_detection_engine/kibana/security_rule/75ee75d8-c180-481c-ba88-ee50129a6aef.json
deleted file mode 100644
index 7026e442ded..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/75ee75d8-c180-481c-ba88-ee50129a6aef.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A request to a web application returned a 405 response, which indicates the web application declined to process the request because the HTTP method is not allowed for the resource.", "false_positives": ["Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."], "index": ["apm-*-transaction*", "traces-apm*"], "language": "kuery", "license": "Elastic License v2", "name": "Web Application Suspicious Activity: Unauthorized Method", "query": "http.response.status_code:405\n", "references": ["https://en.wikipedia.org/wiki/HTTP_405"], "related_integrations": [{"package": "apm", "version": "^8.0.0"}], "required_fields": [{"ecs": true, "name": "http.response.status_code", "type": "long"}], "risk_score": 47, "rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef", "severity": "medium", "tags": ["Data Source: APM"], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "75ee75d8-c180-481c-ba88-ee50129a6aef", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/75ee75d8-c180-481c-ba88-ee50129a6aef_101.json b/packages/security_detection_engine/kibana/security_rule/75ee75d8-c180-481c-ba88-ee50129a6aef_101.json
deleted file mode 100644
index 916fab88b35..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/75ee75d8-c180-481c-ba88-ee50129a6aef_101.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A request to a web application returned a 405 response, which indicates the web application declined to process the request because the HTTP method is not allowed for the resource.", "false_positives": ["Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."], "index": ["apm-*-transaction*", "traces-apm*"], "language": "kuery", "license": "Elastic License v2", "name": "Web Application Suspicious Activity: Unauthorized Method", "query": "http.response.status_code:405\n", "references": ["https://en.wikipedia.org/wiki/HTTP_405"], "related_integrations": [{"package": "apm", "version": "^8.0.0"}], "required_fields": [{"ecs": true, "name": "http.response.status_code", "type": "long"}], "risk_score": 47, "rule_id": "75ee75d8-c180-481c-ba88-ee50129a6aef", "severity": "medium", "tags": ["Elastic", "APM"], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "75ee75d8-c180-481c-ba88-ee50129a6aef_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da.json b/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da.json
deleted file mode 100644
index ea3288f23bc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A sudoers file specifies the commands users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Privilege Escalation via Sudoers File Modification", "query": "event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "76152ca1-71d0-4003-9e37-0983e12832da", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "76152ca1-71d0-4003-9e37-0983e12832da", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_101.json b/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_101.json deleted file mode 100644 index 2cbebf43f67..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_101.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A sudoers file specifies the commands users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Privilege Escalation via Sudoers File Modification", "query": "event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "76152ca1-71d0-4003-9e37-0983e12832da", "severity": "high", "tags": ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "76152ca1-71d0-4003-9e37-0983e12832da_101", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_102.json b/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_102.json deleted file mode 100644 index b0c4d562a72..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A sudoers file specifies the commands users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Privilege Escalation via Sudoers File Modification", "query": "event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "76152ca1-71d0-4003-9e37-0983e12832da", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "76152ca1-71d0-4003-9e37-0983e12832da_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_103.json b/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_103.json deleted file mode 100644 index 178a28d2a66..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/76152ca1-71d0-4003-9e37-0983e12832da_103.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A sudoers file specifies the commands users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Privilege Escalation via Sudoers File Modification", "query": "event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "76152ca1-71d0-4003-9e37-0983e12832da", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "76152ca1-71d0-4003-9e37-0983e12832da_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d.json b/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d.json deleted file mode 100644 index ecb9713b375..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects an attempt to create or modify a pod using the host IPC namespace. This gives access to data used by any pod that also use the hosts IPC namespace. If any process on the host or any processes in a pod uses the hosts inter-process communication mechanisms (shared memory, semaphore arrays, message queues, etc.), an attacker can read/write to those same mechanisms. They may look for files in /dev/shm or use ipcs to check for any IPC facilities being used.", "false_positives": ["An administrator or developer may want to use a pod that runs as root and shares the host's IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\""], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Pod Created With HostIPC", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.hostIPC:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", "references": ["https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces", "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation"], "related_integrations": [{"package": "kubernetes", "version": 
"^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.image", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.hostIPC", "type": "boolean"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "keyword"}], "risk_score": 47, "rule_id": "764c8437-a581-4537-8060-1fdb0e92c92d", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1610", "name": "Deploy Container", "reference": "https://attack.mitre.org/techniques/T1610/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 204}, "id": "764c8437-a581-4537-8060-1fdb0e92c92d", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_201.json b/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_201.json deleted file mode 100644 index eaefa771469..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_201.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects an attempt to create or modify a pod using the host IPC namespace. This gives access to data used by any pod that also use the hosts IPC namespace. If any process on the host or any processes in a pod uses the hosts inter-process communication mechanisms (shared memory, semaphore arrays, message queues, etc.), an attacker can read/write to those same mechanisms. They may look for files in /dev/shm or use ipcs to check for any IPC facilities being used.", "false_positives": ["An administrator or developer may want to use a pod that runs as root and shares the host's IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\""], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Pod Created With HostIPC", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.hostIPC:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", "references": ["https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces", "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation"], "related_integrations": [{"package": "kubernetes", "version": 
"^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.image", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.hostIPC", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "unknown"}], "risk_score": 47, "rule_id": "764c8437-a581-4537-8060-1fdb0e92c92d", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1610", "name": "Deploy Container", "reference": "https://attack.mitre.org/techniques/T1610/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 201}, "id": "764c8437-a581-4537-8060-1fdb0e92c92d_201", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_202.json b/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_202.json deleted file mode 100644 index 0294abfa522..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_202.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects an attempt to create or modify a pod using the host IPC namespace. This gives access to data used by any pod that also use the hosts IPC namespace. If any process on the host or any processes in a pod uses the hosts inter-process communication mechanisms (shared memory, semaphore arrays, message queues, etc.), an attacker can read/write to those same mechanisms. They may look for files in /dev/shm or use ipcs to check for any IPC facilities being used.", "false_positives": ["An administrator or developer may want to use a pod that runs as root and shares the host's IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\""], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Pod Created With HostIPC", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.hostIPC:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", "references": ["https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces", "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation"], "related_integrations": [{"package": "kubernetes", "version": 
"^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.image", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.hostIPC", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "unknown"}], "risk_score": 47, "rule_id": "764c8437-a581-4537-8060-1fdb0e92c92d", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1610", "name": "Deploy Container", "reference": "https://attack.mitre.org/techniques/T1610/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 202}, "id": "764c8437-a581-4537-8060-1fdb0e92c92d_202", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_203.json b/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_203.json deleted file mode 100644 index d7854e1b777..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/764c8437-a581-4537-8060-1fdb0e92c92d_203.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects an attempt to create or modify a pod using the host IPC namespace. This gives access to data used by any pod that also use the hosts IPC namespace. If any process on the host or any processes in a pod uses the hosts inter-process communication mechanisms (shared memory, semaphore arrays, message queues, etc.), an attacker can read/write to those same mechanisms. They may look for files in /dev/shm or use ipcs to check for any IPC facilities being used.", "false_positives": ["An administrator or developer may want to use a pod that runs as root and shares the host's IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\""], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Pod Created With HostIPC", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.hostIPC:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", "references": ["https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces", "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation"], "related_integrations": [{"package": "kubernetes", "version": 
"^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.image", "type": "text"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.hostIPC", "type": "boolean"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "keyword"}], "risk_score": 47, "rule_id": "764c8437-a581-4537-8060-1fdb0e92c92d", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1610", "name": "Deploy Container", "reference": "https://attack.mitre.org/techniques/T1610/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 203}, "id": "764c8437-a581-4537-8060-1fdb0e92c92d_203", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66.json b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66.json deleted file mode 100644 index 59de795710f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Access to a Sensitive LDAP Attribute", "query": "any where event.action in (\"Directory Service Access\", \"object-operation-performed\") and event.code == \"4662\" and\n\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n\n winlog.event_data.Properties : (\n /* unixUserPassword */\n \"*612cb747-c0e8-4f92-9221-fdd5f15b550d*\",\n\n /* ms-PKI-AccountCredentials */\n \"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*\",\n\n /* ms-PKI-DPAPIMasterKeys */\n \"*b3f93023-9239-4f7c-b99c-6745d87adbc2*\",\n\n /* msPKI-CredentialRoamingTokens */\n \"*b7ff5a38-0818-42b0-8110-d3d154c97f24*\"\n ) and\n\n /*\n Excluding noisy AccessMasks\n 0x0 undefined and 0x100 Control Access\n https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\n */\n not winlog.event_data.AccessMask in (\"0x0\", \"0x100\")\n", "references": ["https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": 
"keyword"}], "risk_score": 47, "rule_id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66", "setup": "## Setup\n\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.004", "name": "Private Keys", "reference": "https://attack.mitre.org/techniques/T1552/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 12}, "id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_10.json b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_10.json deleted file mode 100644 index ac3db4fd32d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_10.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Access to a Sensitive LDAP Attribute", "query": "any where event.action == \"Directory Service Access\" and event.code == \"4662\" and\n\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n\n winlog.event_data.Properties : (\n /* unixUserPassword */\n \"*612cb747-c0e8-4f92-9221-fdd5f15b550d*\",\n\n /* ms-PKI-AccountCredentials */\n \"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*\",\n\n /* ms-PKI-DPAPIMasterKeys */\n \"*b3f93023-9239-4f7c-b99c-6745d87adbc2*\",\n\n /* msPKI-CredentialRoamingTokens */\n \"*b7ff5a38-0818-42b0-8110-d3d154c97f24*\"\n ) and\n\n /*\n Excluding noisy AccessMasks\n 0x0 undefined and 0x100 Control Access\n https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\n */\n not winlog.event_data.AccessMask in (\"0x0\", \"0x100\")\n", "references": ["https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 47, "rule_id": 
"764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66", "setup": "## Setup\n\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.004", "name": "Private Keys", "reference": "https://attack.mitre.org/techniques/T1552/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 10}, "id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_10", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_11.json b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_11.json deleted file mode 100644 index 063c026b5a1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_11.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Access to a Sensitive LDAP Attribute", "query": "any where event.action in (\"Directory Service Access\", \"object-operation-performed\") and event.code == \"4662\" and\n\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n\n winlog.event_data.Properties : (\n /* unixUserPassword */\n \"*612cb747-c0e8-4f92-9221-fdd5f15b550d*\",\n\n /* ms-PKI-AccountCredentials */\n \"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*\",\n\n /* ms-PKI-DPAPIMasterKeys */\n \"*b3f93023-9239-4f7c-b99c-6745d87adbc2*\",\n\n /* msPKI-CredentialRoamingTokens */\n \"*b7ff5a38-0818-42b0-8110-d3d154c97f24*\"\n ) and\n\n /*\n Excluding noisy AccessMasks\n 0x0 undefined and 0x100 Control Access\n https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\n */\n not winlog.event_data.AccessMask in (\"0x0\", \"0x100\")\n", "references": ["https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": 
"keyword"}], "risk_score": 47, "rule_id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66", "setup": "## Setup\n\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.004", "name": "Private Keys", "reference": "https://attack.mitre.org/techniques/T1552/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 11}, "id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_11", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_12.json b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_12.json
deleted file mode 100644
index 77819953a8c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_12.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Access to a Sensitive LDAP Attribute", "query": "any where event.action in (\"Directory Service Access\", \"object-operation-performed\") and event.code == \"4662\" and\n\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n\n winlog.event_data.Properties : (\n /* unixUserPassword */\n \"*612cb747-c0e8-4f92-9221-fdd5f15b550d*\",\n\n /* ms-PKI-AccountCredentials */\n \"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*\",\n\n /* ms-PKI-DPAPIMasterKeys */\n \"*b3f93023-9239-4f7c-b99c-6745d87adbc2*\",\n\n /* msPKI-CredentialRoamingTokens */\n \"*b7ff5a38-0818-42b0-8110-d3d154c97f24*\"\n ) and\n\n /*\n Excluding noisy AccessMasks\n 0x0 undefined and 0x100 Control Access\n https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\n */\n not winlog.event_data.AccessMask in (\"0x0\", \"0x100\")\n", "references": ["https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": 
"keyword"}], "risk_score": 47, "rule_id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66", "setup": "## Setup\n\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.004", "name": "Private Keys", "reference": "https://attack.mitre.org/techniques/T1552/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 12}, "id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_12", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_4.json b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_4.json
deleted file mode 100644
index d01fc6340fa..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Access to a Sensitive LDAP Attribute", "note": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "query": "any where host.os.type == \"windows\" and event.action == \"Directory Service Access\" and event.code == \"4662\" and\n\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n\n winlog.event_data.Properties : (\n /* unixUserPassword */\n \"*612cb747-c0e8-4f92-9221-fdd5f15b550d*\",\n\n /* ms-PKI-AccountCredentials */\n \"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*\",\n\n /* ms-PKI-DPAPIMasterKeys */\n \"*b3f93023-9239-4f7c-b99c-6745d87adbc2*\",\n\n /* msPKI-CredentialRoamingTokens */\n \"*b7ff5a38-0818-42b0-8110-d3d154c97f24*\"\n ) and\n\n /*\n Excluding noisy AccessMasks\n 0x0 undefined and 0x100 Control Access\n https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\n */\n not winlog.event_data.AccessMask in (\"0x0\", \"0x100\")\n", "references": ["https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": 
"windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 47, "rule_id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66", "setup": "", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_5.json b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_5.json
deleted file mode 100644
index c25c5eaeb3d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Access to a Sensitive LDAP Attribute", "note": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "query": "any where event.action == \"Directory Service Access\" and event.code == \"4662\" and\n\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n\n winlog.event_data.Properties : (\n /* unixUserPassword */\n \"*612cb747-c0e8-4f92-9221-fdd5f15b550d*\",\n\n /* ms-PKI-AccountCredentials */\n \"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*\",\n\n /* ms-PKI-DPAPIMasterKeys */\n \"*b3f93023-9239-4f7c-b99c-6745d87adbc2*\",\n\n /* msPKI-CredentialRoamingTokens */\n \"*b7ff5a38-0818-42b0-8110-d3d154c97f24*\"\n ) and\n\n /*\n Excluding noisy AccessMasks\n 0x0 undefined and 0x100 Control Access\n https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\n */\n not winlog.event_data.AccessMask in (\"0x0\", \"0x100\")\n", "references": ["https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], 
"required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 47, "rule_id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66", "setup": "", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_6.json b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_6.json
deleted file mode 100644
index b35fcf0f566..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Access to a Sensitive LDAP Attribute", "note": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "query": "any where event.action == \"Directory Service Access\" and event.code == \"4662\" and\n\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n\n winlog.event_data.Properties : (\n /* unixUserPassword */\n \"*612cb747-c0e8-4f92-9221-fdd5f15b550d*\",\n\n /* ms-PKI-AccountCredentials */\n \"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*\",\n\n /* ms-PKI-DPAPIMasterKeys */\n \"*b3f93023-9239-4f7c-b99c-6745d87adbc2*\",\n\n /* msPKI-CredentialRoamingTokens */\n \"*b7ff5a38-0818-42b0-8110-d3d154c97f24*\"\n ) and\n\n /*\n Excluding noisy AccessMasks\n 0x0 undefined and 0x100 Control Access\n https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\n */\n not winlog.event_data.AccessMask in (\"0x0\", \"0x100\")\n", "references": ["https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], 
"required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 47, "rule_id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66", "setup": "", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_7.json b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_7.json
deleted file mode 100644
index d9f0320b9f2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Access to a Sensitive LDAP Attribute", "note": "The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```", "query": "any where event.action == \"Directory Service Access\" and event.code == \"4662\" and\n\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n\n winlog.event_data.Properties : (\n /* unixUserPassword */\n \"*612cb747-c0e8-4f92-9221-fdd5f15b550d*\",\n\n /* ms-PKI-AccountCredentials */\n \"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*\",\n\n /* ms-PKI-DPAPIMasterKeys */\n \"*b3f93023-9239-4f7c-b99c-6745d87adbc2*\",\n\n /* msPKI-CredentialRoamingTokens */\n \"*b7ff5a38-0818-42b0-8110-d3d154c97f24*\"\n ) and\n\n /*\n Excluding noisy AccessMasks\n 0x0 undefined and 0x100 Control Access\n https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\n */\n not winlog.event_data.AccessMask in (\"0x0\", \"0x100\")\n", "references": ["https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], 
"required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 47, "rule_id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66", "setup": "", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_8.json b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_8.json
deleted file mode 100644
index 6af4739b178..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Access to a Sensitive LDAP Attribute", "note": "The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```", "query": "any where event.action == \"Directory Service Access\" and event.code == \"4662\" and\n\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n\n winlog.event_data.Properties : (\n /* unixUserPassword */\n \"*612cb747-c0e8-4f92-9221-fdd5f15b550d*\",\n\n /* ms-PKI-AccountCredentials */\n \"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*\",\n\n /* ms-PKI-DPAPIMasterKeys */\n \"*b3f93023-9239-4f7c-b99c-6745d87adbc2*\",\n\n /* msPKI-CredentialRoamingTokens */\n \"*b7ff5a38-0818-42b0-8110-d3d154c97f24*\"\n ) and\n\n /*\n Excluding noisy AccessMasks\n 0x0 undefined and 0x100 Control Access\n https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\n */\n not winlog.event_data.AccessMask in (\"0x0\", \"0x100\")\n", "references": ["https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], 
"required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 47, "rule_id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66", "setup": "", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.004", "name": "Private Keys", "reference": "https://attack.mitre.org/techniques/T1552/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_8", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_9.json b/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_9.json
deleted file mode 100644
index b52b300d199..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_9.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Access to a Sensitive LDAP Attribute", "query": "any where event.action == \"Directory Service Access\" and event.code == \"4662\" and\n\n not winlog.event_data.SubjectUserSid : \"S-1-5-18\" and\n\n winlog.event_data.Properties : (\n /* unixUserPassword */\n \"*612cb747-c0e8-4f92-9221-fdd5f15b550d*\",\n\n /* ms-PKI-AccountCredentials */\n \"*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*\",\n\n /* ms-PKI-DPAPIMasterKeys */\n \"*b3f93023-9239-4f7c-b99c-6745d87adbc2*\",\n\n /* msPKI-CredentialRoamingTokens */\n \"*b7ff5a38-0818-42b0-8110-d3d154c97f24*\"\n ) and\n\n /*\n Excluding noisy AccessMasks\n 0x0 undefined and 0x100 Control Access\n https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662\n */\n not winlog.event_data.AccessMask in (\"0x0\", \"0x100\")\n", "references": ["https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming", "https://social.technet.microsoft.com/wiki/contents/articles/11483.windows-credential-roaming.aspx", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5136"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 47, "rule_id": 
"764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66", "setup": "\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.004", "name": "Private Keys", "reference": "https://attack.mitre.org/techniques/T1552/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 9}, "id": "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66_9", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c.json b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c.json
deleted file mode 100644
index 1a7c315f81e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Creation of Hidden Shared Object File", "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and file.extension == \"so\" and file.name : \".*.so\" and\nnot process.name == \"dockerd\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "766d3f91-3f12-448c-b65f-20123e9e9e8c", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "766d3f91-3f12-448c-b65f-20123e9e9e8c", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_103.json b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_103.json
deleted file mode 100644
index b6749297b21..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Creation of Hidden Shared Object File", "note": "", "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and file.extension == \"so\" and file.name : \".*.so\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "766d3f91-3f12-448c-b65f-20123e9e9e8c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}], "timestamp_override": "event.ingested", 
"type": "eql", "version": 103}, "id": "766d3f91-3f12-448c-b65f-20123e9e9e8c_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_104.json b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_104.json
deleted file mode 100644
index ea56bc073a4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Creation of Hidden Shared Object File", "note": "", "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and file.extension == \"so\" and file.name : \".*.so\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "766d3f91-3f12-448c-b65f-20123e9e9e8c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "766d3f91-3f12-448c-b65f-20123e9e9e8c_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_105.json b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_105.json
deleted file mode 100644
index 661def7aa7a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Creation of Hidden Shared Object File", "note": "", "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and file.extension == \"so\" and file.name : \".*.so\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "766d3f91-3f12-448c-b65f-20123e9e9e8c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": 
"https://attack.mitre.org/techniques/T1564/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "766d3f91-3f12-448c-b65f-20123e9e9e8c_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_106.json b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_106.json
deleted file mode 100644
index 8e36e097dba..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Creation of Hidden Shared Object File", "note": "### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).", "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and file.extension == \"so\" and file.name : \".*.so\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "766d3f91-3f12-448c-b65f-20123e9e9e8c", "setup": "This rule requires data coming in either from Elastic Defend, or Auditbeat integration.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": 
"Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "766d3f91-3f12-448c-b65f-20123e9e9e8c_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_107.json b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_107.json
deleted file mode 100644
index 9109d9ce802..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Creation of Hidden Shared Object File", "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and file.extension == \"so\" and file.name : \".*.so\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "766d3f91-3f12-448c-b65f-20123e9e9e8c", "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "766d3f91-3f12-448c-b65f-20123e9e9e8c_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_108.json b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_108.json
deleted file mode 100644
index 5e6ebda7290..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Creation of Hidden Shared Object File", "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and file.extension == \"so\" and file.name : \".*.so\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "766d3f91-3f12-448c-b65f-20123e9e9e8c", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "766d3f91-3f12-448c-b65f-20123e9e9e8c_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_109.json b/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_109.json
deleted file mode 100644
index 2bcd8405814..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/766d3f91-3f12-448c-b65f-20123e9e9e8c_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a hidden shared object (.so) file. Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Creation of Hidden Shared Object File", "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and file.extension == \"so\" and file.name : \".*.so\" and\nnot process.name == \"dockerd\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "766d3f91-3f12-448c-b65f-20123e9e9e8c", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "766d3f91-3f12-448c-b65f-20123e9e9e8c_109", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241.json b/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241.json
deleted file mode 100644
index 186bdb4a7d3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via Rogue Named Pipe Impersonation", "query": "file where host.os.type == \"windows\" and event.action : \"Pipe Created*\" and\n /* normal sysmon named pipe creation events truncate the pipe keyword */\n file.name : \"\\\\*\\\\Pipe\\\\*\"\n", "references": ["https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/", "https://github.com/zcgonvh/EfsPotato", "https://twitter.com/SBousseaden/status/1429530155291193354"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "76ddb638-abf7-42d5-be22-4a70b0bf7241", "setup": "## Setup\n\nNamed Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal \"contains\" and keyword equal \"pipe\"`\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: 
Privilege Escalation", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "76ddb638-abf7-42d5-be22-4a70b0bf7241", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_103.json b/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_103.json
deleted file mode 100644
index 504df7b779e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via Rogue Named Pipe Impersonation", "note": "Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal \"contains\" and keyword equal \"pipe\"`\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "file where host.os.type == \"windows\" and event.action : \"Pipe Created*\" and\n /* normal sysmon named pipe creation events truncate the pipe keyword */\n file.name : \"\\\\*\\\\Pipe\\\\*\"\n", "references": ["https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/", "https://github.com/zcgonvh/EfsPotato", "https://twitter.com/SBousseaden/status/1429530155291193354"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "76ddb638-abf7-42d5-be22-4a70b0bf7241", "setup": "Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal "contains" and keyword equal "pipe"`\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default 
fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "76ddb638-abf7-42d5-be22-4a70b0bf7241_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_104.json b/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_104.json
deleted file mode 100644
index f0a42d3270c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via Rogue Named Pipe Impersonation", "note": "Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal \"contains\" and keyword equal \"pipe\"`\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "file where host.os.type == \"windows\" and event.action : \"Pipe Created*\" and\n /* normal sysmon named pipe creation events truncate the pipe keyword */\n file.name : \"\\\\*\\\\Pipe\\\\*\"\n", "references": ["https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/", "https://github.com/zcgonvh/EfsPotato", "https://twitter.com/SBousseaden/status/1429530155291193354"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "76ddb638-abf7-42d5-be22-4a70b0bf7241", "setup": "Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal "contains" and keyword equal "pipe"`\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default 
fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "76ddb638-abf7-42d5-be22-4a70b0bf7241_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_105.json b/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_105.json
deleted file mode 100644
index cf156e024eb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via Rogue Named Pipe Impersonation", "query": "file where host.os.type == \"windows\" and event.action : \"Pipe Created*\" and\n /* normal sysmon named pipe creation events truncate the pipe keyword */\n file.name : \"\\\\*\\\\Pipe\\\\*\"\n", "references": ["https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/", "https://github.com/zcgonvh/EfsPotato", "https://twitter.com/SBousseaden/status/1429530155291193354"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "76ddb638-abf7-42d5-be22-4a70b0bf7241", "setup": "\nNamed Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal \"contains\" and keyword equal \"pipe\"`\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: 
Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "76ddb638-abf7-42d5-be22-4a70b0bf7241_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_106.json b/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_106.json
deleted file mode 100644
index 699e9a5f9a7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/76ddb638-abf7-42d5-be22-4a70b0bf7241_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by masquerading as a known named pipe and manipulating a privileged process to connect to it.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via Rogue Named Pipe Impersonation", "query": "file where host.os.type == \"windows\" and event.action : \"Pipe Created*\" and\n /* normal sysmon named pipe creation events truncate the pipe keyword */\n file.name : \"\\\\*\\\\Pipe\\\\*\"\n", "references": ["https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/", "https://github.com/zcgonvh/EfsPotato", "https://twitter.com/SBousseaden/status/1429530155291193354"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "76ddb638-abf7-42d5-be22-4a70b0bf7241", "setup": "## Setup\n\nNamed Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:\n`condition equal \"contains\" and keyword equal \"pipe\"`\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: 
Privilege Escalation", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "76ddb638-abf7-42d5-be22-4a70b0bf7241_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee.json b/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee.json
deleted file mode 100644
index b58a701e207..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by the specified utilities that are initialized from a single process followed by a network connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Suspicious Child Process", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"fork\") and (\n (process.name : \"python*\" and process.args : \"-c\" and process.args : (\n \"*import*pty*spawn*\", \"*import*subprocess*call*\"\n )) or\n (process.name : \"perl*\" and process.args : \"-e\" and process.args : \"*socket*\" and process.args : (\n \"*exec*\", \"*system*\"\n )) or\n (process.name : \"ruby*\" and process.args : (\"-e\", \"-rsocket\") and process.args : (\n \"*TCPSocket.new*\", \"*TCPSocket.open*\"\n )) or\n (process.name : \"lua*\" and process.args : \"-e\" and process.args : \"*socket.tcp*\" and process.args : (\n \"*io.popen*\", \"*os.execute*\"\n )) or\n (process.name : \"php*\" and process.args : \"-r\" and process.args : \"*fsockopen*\" and process.args : \"*/bin/*sh*\") or \n (process.name : (\"awk\", \"gawk\", \"mawk\", \"nawk\") and process.args : \"*/inet/tcp/*\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args == \"-e\" and process.args_count >= 3 and \n not process.args == \"-z\") or\n (process.name : \"telnet\" and process.args_count >= 3)\n ) and process.parent.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", \"php*\", \"perl\", \"ruby\", 
\"lua*\",\n \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\")]\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and \n destination.ip != null and not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")]\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "76e4d92b-61c1-4a95-ab61-5fd94179a1ee", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 9}, "id": "76e4d92b-61c1-4a95-ab61-5fd94179a1ee", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_1.json b/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_1.json deleted file mode 100644 index fb25ec571c1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by the specified utilities that are initialized from a single process followed by a network connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Suspicious Child Process", "query": "sequence by host.id, process.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.name : \"python*\" and process.args : \"-c\") or\n (process.name : \"php*\" and process.args : \"-r\") or\n (process.name : \"perl\" and process.args : \"-e\") or\n (process.name : \"ruby\" and process.args : (\"-e\", \"-rsocket\")) or\n (process.name : \"lua*\" and process.args : \"-e\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count >= 3) or\n (process.name : \"telnet\" and process.args_count >= 3) or\n (process.name : \"awk\")) and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") ]\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", 
"type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "76e4d92b-61c1-4a95-ab61-5fd94179a1ee", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 1}, "id": "76e4d92b-61c1-4a95-ab61-5fd94179a1ee_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_2.json b/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_2.json deleted file mode 100644 index 67211c8068c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by the specified utilities that are initialized from a single process followed by a network connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Suspicious Child Process", "query": "sequence by host.id, process.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.name : \"python*\" and process.args : \"-c\") or\n (process.name : \"php*\" and process.args : \"-r\") or\n (process.name : \"perl\" and process.args : \"-e\") or\n (process.name : \"ruby\" and process.args : (\"-e\", \"-rsocket\")) or\n (process.name : \"lua*\" and process.args : \"-e\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count >= 3) or\n (process.name : \"telnet\" and process.args_count >= 3) or\n (process.name : \"awk\")) and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and\n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ]\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": 
[{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "76e4d92b-61c1-4a95-ab61-5fd94179a1ee", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 2}, "id": "76e4d92b-61c1-4a95-ab61-5fd94179a1ee_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_3.json b/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_3.json deleted file mode 100644 index 493bd75d738..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by the specified utilities that are initialized from a single process followed by a network connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Suspicious Child Process", "query": "sequence by host.id, process.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.name : \"python*\" and process.args : \"-c\") or\n (process.name : \"php*\" and process.args : \"-r\") or\n (process.name : \"perl\" and process.args : \"-e\") or\n (process.name : \"ruby\" and process.args : (\"-e\", \"-rsocket\")) or\n (process.name : \"lua*\" and process.args : \"-e\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count >= 3) or\n (process.name : \"telnet\" and process.args_count >= 3) or\n (process.name : \"awk\")) and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and\n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ]\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": 
"^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "76e4d92b-61c1-4a95-ab61-5fd94179a1ee", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 3}, "id": "76e4d92b-61c1-4a95-ab61-5fd94179a1ee_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_4.json b/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_4.json deleted file mode 100644 index 10103e7abc3..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by the specified utilities that are initialized from a single process followed by a network connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Suspicious Child Process", "query": "sequence by host.id, process.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.name : \"python*\" and process.args : \"-c\") or\n (process.name : \"php*\" and process.args : \"-r\") or\n (process.name : \"perl\" and process.args : \"-e\") or\n (process.name : \"ruby\" and process.args : (\"-e\", \"-rsocket\")) or\n (process.name : \"lua*\" and process.args : \"-e\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count >= 3) or\n (process.name : \"telnet\" and process.args_count >= 3) or\n (process.name : \"awk\")) and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and\n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ]\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": 
"^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "76e4d92b-61c1-4a95-ab61-5fd94179a1ee", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 4}, "id": "76e4d92b-61c1-4a95-ab61-5fd94179a1ee_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_5.json b/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_5.json deleted file mode 100644 index e8919500317..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by the specified utilities that are initialized from a single process followed by a network connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Suspicious Child Process", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"fork\") and (\n (process.name : \"python*\" and process.args : \"-c\" and process.args : (\n \"*import*pty*spawn*\", \"*import*subprocess*call*\"\n )) or\n (process.name : \"perl*\" and process.args : \"-e\" and process.args : \"*socket*\" and process.args : (\n \"*exec*\", \"*system*\"\n )) or\n (process.name : \"ruby*\" and process.args : (\"-e\", \"-rsocket\") and process.args : (\n \"*TCPSocket.new*\", \"*TCPSocket.open*\"\n )) or\n (process.name : \"lua*\" and process.args : \"-e\" and process.args : \"*socket.tcp*\" and process.args : (\n \"*io.popen*\", \"*os.execute*\"\n )) or\n (process.name : \"php*\" and process.args : \"-r\" and process.args : \"*fsockopen*\" and process.args : \"*/bin/*sh*\") or \n (process.name : (\"awk\", \"gawk\", \"mawk\", \"nawk\") and process.args : \"*/inet/tcp/*\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count >= 3 and not process.args == \"-z\") or\n (process.name : \"telnet\" and process.args_count >= 3)\n ) and process.parent.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\",\n \"openssl\", \"nc\", 
\"netcat\", \"ncat\", \"telnet\", \"awk\")]\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and \n destination.ip != null and not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")]\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "76e4d92b-61c1-4a95-ab61-5fd94179a1ee", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 5}, "id": "76e4d92b-61c1-4a95-ab61-5fd94179a1ee_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_6.json b/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_6.json deleted file mode 100644 index e3b456c8093..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by the specified utilities that are initialized from a single process followed by a network connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Suspicious Child Process", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"fork\") and (\n (process.name : \"python*\" and process.args : \"-c\" and process.args : (\n \"*import*pty*spawn*\", \"*import*subprocess*call*\"\n )) or\n (process.name : \"perl*\" and process.args : \"-e\" and process.args : \"*socket*\" and process.args : (\n \"*exec*\", \"*system*\"\n )) or\n (process.name : \"ruby*\" and process.args : (\"-e\", \"-rsocket\") and process.args : (\n \"*TCPSocket.new*\", \"*TCPSocket.open*\"\n )) or\n (process.name : \"lua*\" and process.args : \"-e\" and process.args : \"*socket.tcp*\" and process.args : (\n \"*io.popen*\", \"*os.execute*\"\n )) or\n (process.name : \"php*\" and process.args : \"-r\" and process.args : \"*fsockopen*\" and process.args : \"*/bin/*sh*\") or \n (process.name : (\"awk\", \"gawk\", \"mawk\", \"nawk\") and process.args : \"*/inet/tcp/*\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count >= 3 and not process.args == \"-z\") or\n (process.name : \"telnet\" and process.args_count >= 3)\n ) and process.parent.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\",\n \"openssl\", \"nc\", 
\"netcat\", \"ncat\", \"telnet\", \"awk\")]\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and \n destination.ip != null and not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")]\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "76e4d92b-61c1-4a95-ab61-5fd94179a1ee", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 6}, "id": "76e4d92b-61c1-4a95-ab61-5fd94179a1ee_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_7.json b/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_7.json deleted file mode 100644 index 8591a5c4116..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by the specified utilities that are initialized from a single process followed by a network connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Suspicious Child Process", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"fork\") and (\n (process.name : \"python*\" and process.args : \"-c\" and process.args : (\n \"*import*pty*spawn*\", \"*import*subprocess*call*\"\n )) or\n (process.name : \"perl*\" and process.args : \"-e\" and process.args : \"*socket*\" and process.args : (\n \"*exec*\", \"*system*\"\n )) or\n (process.name : \"ruby*\" and process.args : (\"-e\", \"-rsocket\") and process.args : (\n \"*TCPSocket.new*\", \"*TCPSocket.open*\"\n )) or\n (process.name : \"lua*\" and process.args : \"-e\" and process.args : \"*socket.tcp*\" and process.args : (\n \"*io.popen*\", \"*os.execute*\"\n )) or\n (process.name : \"php*\" and process.args : \"-r\" and process.args : \"*fsockopen*\" and process.args : \"*/bin/*sh*\") or \n (process.name : (\"awk\", \"gawk\", \"mawk\", \"nawk\") and process.args : \"*/inet/tcp/*\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args_count >= 3 and not process.args in (\n \"-z\", \"-zv\", \"-vz\", \"-v\"\n )) or\n (process.name : \"telnet\" and process.args_count >= 3)\n ) and process.parent.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", \"php*\", \"perl\", \"ruby\", 
\"lua*\",\n \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\")]\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and \n destination.ip != null and not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")]\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "76e4d92b-61c1-4a95-ab61-5fd94179a1ee", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 7}, "id": "76e4d92b-61c1-4a95-ab61-5fd94179a1ee_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_8.json b/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_8.json deleted file mode 100644 index cc18f52227e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/76e4d92b-61c1-4a95-ab61-5fd94179a1ee_8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by the specified utilities that are initialized from a single process followed by a network connection attempt will be captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Suspicious Child Process", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"fork\") and (\n (process.name : \"python*\" and process.args : \"-c\" and process.args : (\n \"*import*pty*spawn*\", \"*import*subprocess*call*\"\n )) or\n (process.name : \"perl*\" and process.args : \"-e\" and process.args : \"*socket*\" and process.args : (\n \"*exec*\", \"*system*\"\n )) or\n (process.name : \"ruby*\" and process.args : (\"-e\", \"-rsocket\") and process.args : (\n \"*TCPSocket.new*\", \"*TCPSocket.open*\"\n )) or\n (process.name : \"lua*\" and process.args : \"-e\" and process.args : \"*socket.tcp*\" and process.args : (\n \"*io.popen*\", \"*os.execute*\"\n )) or\n (process.name : \"php*\" and process.args : \"-r\" and process.args : \"*fsockopen*\" and process.args : \"*/bin/*sh*\") or \n (process.name : (\"awk\", \"gawk\", \"mawk\", \"nawk\") and process.args : \"*/inet/tcp/*\") or\n (process.name : \"openssl\" and process.args : \"-connect\") or\n (process.name : (\"nc\", \"ncat\", \"netcat\") and process.args == \"-e\" and process.args_count >= 3 and \n not process.args == \"-z\") or\n (process.name : \"telnet\" and process.args_count >= 3)\n ) and process.parent.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", \"php*\", \"perl\", \"ruby\", 
\"lua*\",\n \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\")]\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n process.name : (\"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\") and \n destination.ip != null and not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")]\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "76e4d92b-61c1-4a95-ab61-5fd94179a1ee", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 8}, "id": "76e4d92b-61c1-4a95-ab61-5fd94179a1ee_8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f.json b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f.json
deleted file mode 100644
index 0be5aaa6153..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Desktop Tunneling Detected", "note": "## Triage and analysis\n\n### Investigating Potential Remote Desktop Tunneling Detected\n\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would filter to reach their destination.\n\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols.\n\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated with tools that perform tunneling.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine network data to determine if the host communicated with external servers using the tunnel.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key modification, etc. Inspect the host to learn which method was used and to determine a response for the case.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* RDP port and usual SSH tunneling related switches in command line */\n process.args : \"*:3389\" and\n process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n", "references": ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data 
Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 314}, "id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_104.json b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_104.json
deleted file mode 100644
index 6eb07f476ce..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Desktop Tunneling Detected", "note": "## Triage and analysis\n\n### Investigating Potential Remote Desktop Tunneling Detected\n\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would filter to reach their destination.\n\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols.\n\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated with tools that perform tunneling.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine network data to determine if the host communicated with external servers using the tunnel.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key modification, etc. Inspect the host to learn which method was used and to determine a response for the case.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* RDP port and usual SSH tunneling related switches in command line */\n process.args : \"*:3389\" and\n process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n", "references": ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_104", "type": "security-rule"} \ No newline at end 
of file
diff --git a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_105.json b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_105.json
deleted file mode 100644
index 69727028eae..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Desktop Tunneling Detected", "note": "## Triage and analysis\n\n### Investigating Potential Remote Desktop Tunneling Detected\n\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would filter to reach their destination.\n\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols.\n\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated with tools that perform tunneling.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine network data to determine if the host communicated with external servers using the tunnel.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key modification, etc. Inspect the host to learn which method was used and to determine a response for the case.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* RDP port and usual SSH tunneling related switches in command line */\n process.args : \"*:3389\" and\n process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n", "references": ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_105", 
"type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_106.json b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_106.json
deleted file mode 100644
index 94a76179736..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Desktop Tunneling Detected", "note": "## Triage and analysis\n\n### Investigating Potential Remote Desktop Tunneling Detected\n\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would filter to reach their destination.\n\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols.\n\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated with tools that perform tunneling.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine network data to determine if the host communicated with external servers using the tunnel.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key modification, etc. Inspect the host to learn which method was used and to determine a response for the case.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* RDP port and usual SSH tunneling related switches in command line */\n process.args : \"*:3389\" and\n process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n", "references": ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": 
"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_107.json b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_107.json
deleted file mode 100644
index 90f3bab4e6f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Desktop Tunneling Detected", "note": "## Triage and analysis\n\n### Investigating Potential Remote Desktop Tunneling Detected\n\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would filter to reach their destination.\n\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols.\n\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated with tools that perform tunneling.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine network data to determine if the host communicated with external servers using the tunnel.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key modification, etc. Inspect the host to learn which method was used and to determine a response for the case.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* RDP port and usual SSH tunneling related switches in command line */\n process.args : \"*:3389\" and\n process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n", "references": ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", 
"name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_108.json b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_108.json
deleted file mode 100644
index 9d24f7a35ae..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Desktop Tunneling Detected", "note": "## Triage and analysis\n\n### Investigating Potential Remote Desktop Tunneling Detected\n\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would filter to reach their destination.\n\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols.\n\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated with tools that perform tunneling.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine network data to determine if the host communicated with external servers using the tunnel.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key modification, etc. Inspect the host to learn which method was used and to determine a response for the case.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* RDP port and usual SSH tunneling related switches in command line */\n process.args : \"*:3389\" and\n process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n", "references": ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": 
"https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_109.json b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_109.json
deleted file mode 100644
index 1aae8c1a522..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Desktop Tunneling Detected", "note": "## Triage and analysis\n\n### Investigating Potential Remote Desktop Tunneling Detected\n\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would filter to reach their destination.\n\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols.\n\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated with tools that perform tunneling.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine network data to determine if the host communicated with external servers using the tunnel.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key modification, etc. Inspect the host to learn which method was used and to determine a response for the case.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* RDP port and usual SSH tunneling related switches in command line */\n process.args : \"*:3389\" and\n process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n", "references": ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": 
"https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_110.json b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_110.json
deleted file mode 100644
index 89c5976ca19..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Desktop Tunneling Detected", "note": "## Triage and analysis\n\n### Investigating Potential Remote Desktop Tunneling Detected\n\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would filter to reach their destination.\n\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols.\n\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated with tools that perform tunneling.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine network data to determine if the host communicated with external servers using the tunnel.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key modification, etc. Inspect the host to learn which method was used and to determine a response for the case.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* RDP port and usual SSH tunneling related switches in command line */\n process.args : \"*:3389\" and\n process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n", "references": ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": 
"https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_211.json b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_211.json
deleted file mode 100644
index 2bb0e6f5a2c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_211.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Desktop Tunneling Detected", "note": "## Triage and analysis\n\n### Investigating Potential Remote Desktop Tunneling Detected\n\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would filter to reach their destination.\n\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols.\n\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated with tools that perform tunneling.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine network data to determine if the host communicated with external servers using the tunnel.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key modification, etc. Inspect the host to learn which method was used and to determine a response for the case.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* RDP port and usual SSH tunneling related switches in command line */\n process.args : \"*:3389\" and\n process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n", "references": ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 211}, "id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_211", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_312.json b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_312.json
deleted file mode 100644
index 4ce1151a833..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_312.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Desktop Tunneling Detected", "note": "## Triage and analysis\n\n### Investigating Potential Remote Desktop Tunneling Detected\n\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would filter to reach their destination.\n\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols.\n\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated with tools that perform tunneling.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine network data to determine if the host communicated with external servers using the tunnel.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key modification, etc. Inspect the host to learn which method was used and to determine a response for the case.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* RDP port and usual SSH tunneling related switches in command line */\n process.args : \"*:3389\" and\n process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n", "references": ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 312}, "id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_312", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_313.json b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_313.json
deleted file mode 100644
index 141a1ccd201..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_313.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Desktop Tunneling Detected", "note": "## Triage and analysis\n\n### Investigating Potential Remote Desktop Tunneling Detected\n\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would filter to reach their destination.\n\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols.\n\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated with tools that perform tunneling.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine network data to determine if the host communicated with external servers using the tunnel.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key modification, etc. Inspect the host to learn which method was used and to determine a response for the case.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* RDP port and usual SSH tunneling related switches in command line */\n process.args : \"*:3389\" and\n process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n", "references": ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data 
Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 313}, "id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_313", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_314.json b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_314.json
deleted file mode 100644
index 233a7e50e64..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_314.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Desktop Tunneling Detected", "note": "## Triage and analysis\n\n### Investigating Potential Remote Desktop Tunneling Detected\n\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would filter to reach their destination.\n\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols.\n\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated with tools that perform tunneling.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine network data to determine if the host communicated with external servers using the tunnel.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key modification, etc. Inspect the host to learn which method was used and to determine a response for the case.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* RDP port and usual SSH tunneling related switches in command line */\n process.args : \"*:3389\" and\n process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n", "references": ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data 
Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 314}, "id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_314", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_414.json b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_414.json
deleted file mode 100644
index 106655d3626..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_414.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Desktop Tunneling Detected", "note": "## Triage and analysis\n\n### Investigating Potential Remote Desktop Tunneling Detected\n\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would filter to reach their destination.\n\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols.\n\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated with tools that perform tunneling.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine network data to determine if the host communicated with external servers using the tunnel.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key modification, etc. Inspect the host to learn which method was used and to determine a response for the case.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* RDP port and usual SSH tunneling related switches in command line */\n process.args : \"*:3389\" and\n process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n", "references": ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data 
Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 414}, "id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_414", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_415.json b/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_415.json
deleted file mode 100644
index de53f264d4c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_415.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Desktop Tunneling Detected", "note": "## Triage and analysis\n\n### Investigating Potential Remote Desktop Tunneling Detected\n\nProtocol Tunneling is a mechanism that involves explicitly encapsulating a protocol within another for various use cases, ranging from providing an outer layer of encryption (similar to a VPN) to enabling traffic that network appliances would filter to reach their destination.\n\nAttackers may tunnel Remote Desktop Protocol (RDP) traffic through other protocols like Secure Shell (SSH) to bypass network restrictions that block incoming RDP connections but may be more permissive to other protocols.\n\nThis rule looks for command lines involving the `3389` port, which RDP uses by default and options commonly associated with tools that perform tunneling.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine network data to determine if the host communicated with external servers using the tunnel.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Investigate the command line for the execution of programs that are unrelated to tunneling, like Remote Desktop clients.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Take the necessary actions to disable the tunneling, which can be a process kill, service deletion, registry key modification, etc. Inspect the host to learn which method was used and to determine a response for the case.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* RDP port and usual SSH tunneling related switches in command line */\n process.args : \"*:3389\" and\n process.args : (\"-L\", \"-P\", \"-R\", \"-pw\", \"-ssh\")\n", "references": ["https://blog.netspi.com/how-to-access-rdp-over-a-reverse-ssh-tunnel/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic 
Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 415}, "id": "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f_415", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470.json b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470.json
deleted file mode 100644
index ebd9f86f1e0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration Command Spawned via WMIPrvSE", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.command_line != null and \n process.name:\n (\n \"arp.exe\",\n \"dsquery.exe\",\n \"dsget.exe\",\n \"gpresult.exe\",\n \"hostname.exe\",\n \"ipconfig.exe\",\n \"nbtstat.exe\",\n \"net.exe\",\n \"net1.exe\",\n \"netsh.exe\",\n \"netstat.exe\",\n \"nltest.exe\",\n \"ping.exe\",\n \"qprocess.exe\",\n \"quser.exe\",\n \"qwinsta.exe\",\n \"reg.exe\",\n \"sc.exe\",\n \"systeminfo.exe\",\n \"tasklist.exe\",\n \"tracert.exe\",\n \"whoami.exe\"\n ) and\n process.parent.name:\"wmiprvse.exe\" and \n not (\n process.name : \"sc.exe\" and process.args : \"RemoteRegistry\" and process.args : \"start=\" and \n process.args : (\"demand\", \"disabled\")\n ) and\n not process.args : \"tenable_mw_scan\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "770e0c4d-b998-41e5-a62e-c7901fd7f470", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define 
`event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/", "subtechnique": [{"id": "T1016.001", "name": "Internet Connection Discovery", "reference": "https://attack.mitre.org/techniques/T1016/001/"}]}, {"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/"}, {"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "770e0c4d-b998-41e5-a62e-c7901fd7f470", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_104.json b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_104.json
deleted file mode 100644
index fa01787c2eb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration Command Spawned via WMIPrvSE", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name:\n (\n \"arp.exe\",\n \"dsquery.exe\",\n \"dsget.exe\",\n \"gpresult.exe\",\n \"hostname.exe\",\n \"ipconfig.exe\",\n \"nbtstat.exe\",\n \"net.exe\",\n \"net1.exe\",\n \"netsh.exe\",\n \"netstat.exe\",\n \"nltest.exe\",\n \"ping.exe\",\n \"qprocess.exe\",\n \"quser.exe\",\n \"qwinsta.exe\",\n \"reg.exe\",\n \"sc.exe\",\n \"systeminfo.exe\",\n \"tasklist.exe\",\n \"tracert.exe\",\n \"whoami.exe\"\n ) and\n process.parent.name:\"wmiprvse.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "770e0c4d-b998-41e5-a62e-c7901fd7f470", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, 
"technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/"}, {"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/"}, {"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/", "subtechnique": [{"id": "T1016.001", "name": "Internet Connection Discovery", "reference": "https://attack.mitre.org/techniques/T1016/001/"}]}, {"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "770e0c4d-b998-41e5-a62e-c7901fd7f470_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_105.json b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_105.json
deleted file mode 100644
index e5c67434400..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration Command Spawned via WMIPrvSE", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name:\n (\n \"arp.exe\",\n \"dsquery.exe\",\n \"dsget.exe\",\n \"gpresult.exe\",\n \"hostname.exe\",\n \"ipconfig.exe\",\n \"nbtstat.exe\",\n \"net.exe\",\n \"net1.exe\",\n \"netsh.exe\",\n \"netstat.exe\",\n \"nltest.exe\",\n \"ping.exe\",\n \"qprocess.exe\",\n \"quser.exe\",\n \"qwinsta.exe\",\n \"reg.exe\",\n \"sc.exe\",\n \"systeminfo.exe\",\n \"tasklist.exe\",\n \"tracert.exe\",\n \"whoami.exe\"\n ) and\n process.parent.name:\"wmiprvse.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "770e0c4d-b998-41e5-a62e-c7901fd7f470", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": 
"https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/"}, {"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/"}, {"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/", "subtechnique": [{"id": "T1016.001", "name": "Internet Connection Discovery", "reference": "https://attack.mitre.org/techniques/T1016/001/"}]}, {"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "770e0c4d-b998-41e5-a62e-c7901fd7f470_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_106.json b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_106.json
deleted file mode 100644
index 57adecc4151..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration Command Spawned via WMIPrvSE", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name:\n (\n \"arp.exe\",\n \"dsquery.exe\",\n \"dsget.exe\",\n \"gpresult.exe\",\n \"hostname.exe\",\n \"ipconfig.exe\",\n \"nbtstat.exe\",\n \"net.exe\",\n \"net1.exe\",\n \"netsh.exe\",\n \"netstat.exe\",\n \"nltest.exe\",\n \"ping.exe\",\n \"qprocess.exe\",\n \"quser.exe\",\n \"qwinsta.exe\",\n \"reg.exe\",\n \"sc.exe\",\n \"systeminfo.exe\",\n \"tasklist.exe\",\n \"tracert.exe\",\n \"whoami.exe\"\n ) and\n process.parent.name:\"wmiprvse.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "770e0c4d-b998-41e5-a62e-c7901fd7f470", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": 
"Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/"}, {"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/"}, {"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/", "subtechnique": [{"id": "T1016.001", "name": "Internet Connection Discovery", "reference": "https://attack.mitre.org/techniques/T1016/001/"}]}, {"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "770e0c4d-b998-41e5-a62e-c7901fd7f470_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_107.json b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_107.json
deleted file mode 100644
index 1a8003035d6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration Command Spawned via WMIPrvSE", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name:\n (\n \"arp.exe\",\n \"dsquery.exe\",\n \"dsget.exe\",\n \"gpresult.exe\",\n \"hostname.exe\",\n \"ipconfig.exe\",\n \"nbtstat.exe\",\n \"net.exe\",\n \"net1.exe\",\n \"netsh.exe\",\n \"netstat.exe\",\n \"nltest.exe\",\n \"ping.exe\",\n \"qprocess.exe\",\n \"quser.exe\",\n \"qwinsta.exe\",\n \"reg.exe\",\n \"sc.exe\",\n \"systeminfo.exe\",\n \"tasklist.exe\",\n \"tracert.exe\",\n \"whoami.exe\"\n ) and\n process.parent.name:\"wmiprvse.exe\" and \n not (\n process.name : \"sc.exe\" and process.args : \"RemoteRegistry\" and process.args : \"start=\" and \n process.args : (\"demand\", \"disabled\")\n ) and\n not process.args : \"tenable_mw_scan\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "770e0c4d-b998-41e5-a62e-c7901fd7f470", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", 
"severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/"}, {"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/"}, {"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/", "subtechnique": [{"id": "T1016.001", "name": "Internet Connection Discovery", "reference": "https://attack.mitre.org/techniques/T1016/001/"}]}, {"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "770e0c4d-b998-41e5-a62e-c7901fd7f470_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_108.json b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_108.json
deleted file mode 100644
index 1d472cb4abd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration Command Spawned via WMIPrvSE", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name:\n (\n \"arp.exe\",\n \"dsquery.exe\",\n \"dsget.exe\",\n \"gpresult.exe\",\n \"hostname.exe\",\n \"ipconfig.exe\",\n \"nbtstat.exe\",\n \"net.exe\",\n \"net1.exe\",\n \"netsh.exe\",\n \"netstat.exe\",\n \"nltest.exe\",\n \"ping.exe\",\n \"qprocess.exe\",\n \"quser.exe\",\n \"qwinsta.exe\",\n \"reg.exe\",\n \"sc.exe\",\n \"systeminfo.exe\",\n \"tasklist.exe\",\n \"tracert.exe\",\n \"whoami.exe\"\n ) and\n process.parent.name:\"wmiprvse.exe\" and \n not (\n process.name : \"sc.exe\" and process.args : \"RemoteRegistry\" and process.args : \"start=\" and \n process.args : (\"demand\", \"disabled\")\n ) and\n not process.args : \"tenable_mw_scan\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "770e0c4d-b998-41e5-a62e-c7901fd7f470", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/"}, {"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/"}, {"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/", "subtechnique": [{"id": "T1016.001", "name": "Internet Connection Discovery", "reference": "https://attack.mitre.org/techniques/T1016/001/"}]}, {"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "770e0c4d-b998-41e5-a62e-c7901fd7f470_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_109.json b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_109.json
deleted file mode 100644
index d9c2372aa44..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration Command Spawned via WMIPrvSE", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.command_line != null and \n process.name:\n (\n \"arp.exe\",\n \"dsquery.exe\",\n \"dsget.exe\",\n \"gpresult.exe\",\n \"hostname.exe\",\n \"ipconfig.exe\",\n \"nbtstat.exe\",\n \"net.exe\",\n \"net1.exe\",\n \"netsh.exe\",\n \"netstat.exe\",\n \"nltest.exe\",\n \"ping.exe\",\n \"qprocess.exe\",\n \"quser.exe\",\n \"qwinsta.exe\",\n \"reg.exe\",\n \"sc.exe\",\n \"systeminfo.exe\",\n \"tasklist.exe\",\n \"tracert.exe\",\n \"whoami.exe\"\n ) and\n process.parent.name:\"wmiprvse.exe\" and \n not (\n process.name : \"sc.exe\" and process.args : \"RemoteRegistry\" and process.args : \"start=\" and \n process.args : (\"demand\", \"disabled\")\n ) and\n not process.args : \"tenable_mw_scan\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "770e0c4d-b998-41e5-a62e-c7901fd7f470", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and 
default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/"}, {"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/"}, {"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/", "subtechnique": [{"id": "T1016.001", "name": "Internet Connection Discovery", "reference": "https://attack.mitre.org/techniques/T1016/001/"}]}, {"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "770e0c4d-b998-41e5-a62e-c7901fd7f470_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_110.json b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_110.json
deleted file mode 100644
index 75adfbda2c0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration Command Spawned via WMIPrvSE", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.command_line != null and \n process.name:\n (\n \"arp.exe\",\n \"dsquery.exe\",\n \"dsget.exe\",\n \"gpresult.exe\",\n \"hostname.exe\",\n \"ipconfig.exe\",\n \"nbtstat.exe\",\n \"net.exe\",\n \"net1.exe\",\n \"netsh.exe\",\n \"netstat.exe\",\n \"nltest.exe\",\n \"ping.exe\",\n \"qprocess.exe\",\n \"quser.exe\",\n \"qwinsta.exe\",\n \"reg.exe\",\n \"sc.exe\",\n \"systeminfo.exe\",\n \"tasklist.exe\",\n \"tracert.exe\",\n \"whoami.exe\"\n ) and\n process.parent.name:\"wmiprvse.exe\" and \n not (\n process.name : \"sc.exe\" and process.args : \"RemoteRegistry\" and process.args : \"start=\" and \n process.args : (\"demand\", \"disabled\")\n ) and\n not process.args : \"tenable_mw_scan\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "770e0c4d-b998-41e5-a62e-c7901fd7f470", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` 
and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/"}, {"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/"}, {"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/", "subtechnique": [{"id": "T1016.001", "name": "Internet Connection Discovery", "reference": "https://attack.mitre.org/techniques/T1016/001/"}]}, {"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "770e0c4d-b998-41e5-a62e-c7901fd7f470_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_111.json b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_111.json
deleted file mode 100644
index 183c82b7a7b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration Command Spawned via WMIPrvSE", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.command_line != null and \n process.name:\n (\n \"arp.exe\",\n \"dsquery.exe\",\n \"dsget.exe\",\n \"gpresult.exe\",\n \"hostname.exe\",\n \"ipconfig.exe\",\n \"nbtstat.exe\",\n \"net.exe\",\n \"net1.exe\",\n \"netsh.exe\",\n \"netstat.exe\",\n \"nltest.exe\",\n \"ping.exe\",\n \"qprocess.exe\",\n \"quser.exe\",\n \"qwinsta.exe\",\n \"reg.exe\",\n \"sc.exe\",\n \"systeminfo.exe\",\n \"tasklist.exe\",\n \"tracert.exe\",\n \"whoami.exe\"\n ) and\n process.parent.name:\"wmiprvse.exe\" and \n not (\n process.name : \"sc.exe\" and process.args : \"RemoteRegistry\" and process.args : \"start=\" and \n process.args : (\"demand\", \"disabled\")\n ) and\n not process.args : \"tenable_mw_scan\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "770e0c4d-b998-41e5-a62e-c7901fd7f470", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define 
`event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/"}, {"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/"}, {"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/", "subtechnique": [{"id": "T1016.001", "name": "Internet Connection Discovery", "reference": "https://attack.mitre.org/techniques/T1016/001/"}]}, {"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "770e0c4d-b998-41e5-a62e-c7901fd7f470_111", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_112.json b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_112.json
deleted file mode 100644
index 05fdacade86..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_112.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration Command Spawned via WMIPrvSE", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.command_line != null and \n process.name:\n (\n \"arp.exe\",\n \"dsquery.exe\",\n \"dsget.exe\",\n \"gpresult.exe\",\n \"hostname.exe\",\n \"ipconfig.exe\",\n \"nbtstat.exe\",\n \"net.exe\",\n \"net1.exe\",\n \"netsh.exe\",\n \"netstat.exe\",\n \"nltest.exe\",\n \"ping.exe\",\n \"qprocess.exe\",\n \"quser.exe\",\n \"qwinsta.exe\",\n \"reg.exe\",\n \"sc.exe\",\n \"systeminfo.exe\",\n \"tasklist.exe\",\n \"tracert.exe\",\n \"whoami.exe\"\n ) and\n process.parent.name:\"wmiprvse.exe\" and \n not (\n process.name : \"sc.exe\" and process.args : \"RemoteRegistry\" and process.args : \"start=\" and \n process.args : (\"demand\", \"disabled\")\n ) and\n not process.args : \"tenable_mw_scan\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "770e0c4d-b998-41e5-a62e-c7901fd7f470", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define 
`event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/", "subtechnique": [{"id": "T1016.001", "name": "Internet Connection Discovery", "reference": "https://attack.mitre.org/techniques/T1016/001/"}]}, {"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/"}, {"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "770e0c4d-b998-41e5-a62e-c7901fd7f470_112", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_113.json b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_113.json
deleted file mode 100644
index fbb0f43b551..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_113.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration Command Spawned via WMIPrvSE", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.command_line != null and \n process.name:\n (\n \"arp.exe\",\n \"dsquery.exe\",\n \"dsget.exe\",\n \"gpresult.exe\",\n \"hostname.exe\",\n \"ipconfig.exe\",\n \"nbtstat.exe\",\n \"net.exe\",\n \"net1.exe\",\n \"netsh.exe\",\n \"netstat.exe\",\n \"nltest.exe\",\n \"ping.exe\",\n \"qprocess.exe\",\n \"quser.exe\",\n \"qwinsta.exe\",\n \"reg.exe\",\n \"sc.exe\",\n \"systeminfo.exe\",\n \"tasklist.exe\",\n \"tracert.exe\",\n \"whoami.exe\"\n ) and\n process.parent.name:\"wmiprvse.exe\" and \n not (\n process.name : \"sc.exe\" and process.args : \"RemoteRegistry\" and process.args : \"start=\" and \n process.args : (\"demand\", \"disabled\")\n ) and\n not process.args : \"tenable_mw_scan\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "770e0c4d-b998-41e5-a62e-c7901fd7f470", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define 
`event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/", "subtechnique": [{"id": "T1016.001", "name": "Internet Connection Discovery", "reference": "https://attack.mitre.org/techniques/T1016/001/"}]}, {"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/"}, {"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "770e0c4d-b998-41e5-a62e-c7901fd7f470_113", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_313.json b/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_313.json
deleted file mode 100644
index e8a3d63f011..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/770e0c4d-b998-41e5-a62e-c7901fd7f470_313.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies native Windows host and network enumeration commands spawned by the Windows Management Instrumentation Provider Service (WMIPrvSE).", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration Command Spawned via WMIPrvSE", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.command_line != null and \n process.name:\n (\n \"arp.exe\", \"dsquery.exe\", \"dsget.exe\", \"gpresult.exe\", \"hostname.exe\", \"ipconfig.exe\", \"nbtstat.exe\",\n \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"ping.exe\", \"qprocess.exe\", \"quser.exe\",\n \"qwinsta.exe\", \"reg.exe\", \"sc.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\"\n ) and\n process.parent.name:\"wmiprvse.exe\" and \n not (\n process.name : \"sc.exe\" and process.args : \"RemoteRegistry\" and process.args : \"start=\" and \n process.args : (\"demand\", \"disabled\")\n ) and\n not process.args : \"tenable_mw_scan\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, 
"rule_id": "770e0c4d-b998-41e5-a62e-c7901fd7f470", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/", "subtechnique": [{"id": "T1016.001", "name": "Internet Connection Discovery", "reference": "https://attack.mitre.org/techniques/T1016/001/"}]}, {"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/"}, {"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 313}, "id": "770e0c4d-b998-41e5-a62e-c7901fd7f470_313", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/774f5e28-7b75-4a58-b94e-41bf060fdd86.json b/packages/security_detection_engine/kibana/security_rule/774f5e28-7b75-4a58-b94e-41bf060fdd86.json deleted file mode 100644 index 9572ab1da7d..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/774f5e28-7b75-4a58-b94e-41bf060fdd86.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a user is added as an owner for an Azure application. An adversary may add a user account as an owner for an Azure application in order to grant additional permissions and modify the application's configuration using another account.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "User Added as Owner for Azure Application", "note": "", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to application\" and event.outcome:(Success or success)\n", "related_integrations": [{"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "774f5e28-7b75-4a58-b94e-41bf060fdd86", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "774f5e28-7b75-4a58-b94e-41bf060fdd86", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/774f5e28-7b75-4a58-b94e-41bf060fdd86_101.json b/packages/security_detection_engine/kibana/security_rule/774f5e28-7b75-4a58-b94e-41bf060fdd86_101.json
deleted file mode 100644
index f8a76b6dbd5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/774f5e28-7b75-4a58-b94e-41bf060fdd86_101.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a user is added as an owner for an Azure application. An adversary may add a user account as an owner for an Azure application in order to grant additional permissions and modify the application's configuration using another account.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "User Added as Owner for Azure Application", "note": "", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add owner to application\" and event.outcome:(Success or success)\n", "related_integrations": [{"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "774f5e28-7b75-4a58-b94e-41bf060fdd86", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "774f5e28-7b75-4a58-b94e-41bf060fdd86_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7787362c-90ff-4b1a-b313-8808b1020e64.json b/packages/security_detection_engine/kibana/security_rule/7787362c-90ff-4b1a-b313-8808b1020e64.json deleted file mode 100644 index 779e6488e02..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/7787362c-90ff-4b1a-b313-8808b1020e64.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the elevation of regular user permissions to root permissions through a previously unknown executable. Attackers may attempt to evade detection by hijacking the execution flow and hooking certain functions/syscalls through a rootkit in order to provide easy access to root via a special modified command.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "UID Elevation from Previously Unknown Executable", "new_terms_fields": ["process.executable"], "query": "host.os.type:\"linux\" and event.category:\"process\" and event.action:\"uid_change\" and event.type:\"change\" and user.id:\"0\"\nand process.parent.name:(\"bash\" or \"dash\" or \"sh\" or \"tcsh\" or \"csh\" or \"zsh\" or \"ksh\" or \"fish\") and not (\n process.executable:(\n /bin/* or /usr/bin/* or /sbin/* or /usr/sbin/* or /snap/* or /tmp/newroot/* or /var/lib/docker/* or /usr/local/* or\n /opt/psa/admin/* or /usr/lib/snapd/snap-confine or /opt/dynatrace/* or /opt/microsoft/* or\n /var/lib/snapd/snap/bin/node or /opt/gitlab/embedded/sbin/logrotate or /etc/apt/universal-hooks/* or\n /opt/puppetlabs/puppet/bin/puppet or /opt/cisco/* or /run/k3s/containerd/* or /usr/lib/postfix/sbin/master or\n /usr/libexec/postfix/local\n ) or\n process.name:(\n \"bash\" or \"dash\" or \"sh\" or \"tcsh\" or \"csh\" or \"zsh\" or \"ksh\" or \"fish\" or \"sudo\" or \"su\" or \"apt\" or \"apt-get\" or\n \"aptitude\" or \"squid\" or \"snap\" or \"fusermount\" or \"pkexec\" or \"umount\" or \"master\" or \"omsbaseline\" or \"dzdo\" or\n \"sandfly\" or \"logrotate\"\n ) or\n process.args:/usr/bin/python*\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": 
"event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "7787362c-90ff-4b1a-b313-8808b1020e64", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.013", "name": "KernelCallbackTable", "reference": "https://attack.mitre.org/techniques/T1574/013/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 3}, "id": "7787362c-90ff-4b1a-b313-8808b1020e64", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7787362c-90ff-4b1a-b313-8808b1020e64_1.json b/packages/security_detection_engine/kibana/security_rule/7787362c-90ff-4b1a-b313-8808b1020e64_1.json deleted file mode 100644 index a894134ab10..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/7787362c-90ff-4b1a-b313-8808b1020e64_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the elevation of regular user permissions to root permissions through a previously unknown executable. Attackers may attempt to evade detection by hijacking the execution flow and hooking certain functions/syscalls through a rootkit in order to provide easy access to root via a special modified command.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "UID Elevation from Previously Unknown Executable", "new_terms_fields": ["host.id", "process.executable", "process.command_line"], "query": "host.os.type:\"linux\" and event.category:\"process\" and event.action:\"uid_change\" and event.type:\"change\" and user.id:\"0\"\nand process.parent.name:(\"bash\" or \"dash\" or \"sh\" or \"tcsh\" or \"csh\" or \"zsh\" or \"ksh\" or \"fish\") and not (\n process.executable:(\n /bin/* or /usr/bin/* or /sbin/* or /usr/sbin/* or /snap/* or /tmp/newroot/* or /var/lib/docker/* or /usr/local/*\n ) or\n process.name:(\n \"bash\" or \"dash\" or \"sh\" or \"tcsh\" or \"csh\" or \"zsh\" or \"ksh\" or \"fish\" or \"sudo\" or \"su\" or \"apt\" or \"apt-get\" or\n \"aptitude\" or \"squid\" or \"snap\" or \"fusermount\" or \"pkexec\" or \"umount\"\n ) or\n process.args:/usr/bin/python*\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], 
"risk_score": 47, "rule_id": "7787362c-90ff-4b1a-b313-8808b1020e64", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.013", "name": "KernelCallbackTable", "reference": "https://attack.mitre.org/techniques/T1574/013/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "7787362c-90ff-4b1a-b313-8808b1020e64_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7787362c-90ff-4b1a-b313-8808b1020e64_2.json b/packages/security_detection_engine/kibana/security_rule/7787362c-90ff-4b1a-b313-8808b1020e64_2.json deleted file mode 100644 index d12fdce6cdf..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/7787362c-90ff-4b1a-b313-8808b1020e64_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Monitors for the elevation of regular user permissions to root permissions through a previously unknown executable. Attackers may attempt to evade detection by hijacking the execution flow and hooking certain functions/syscalls through a rootkit in order to provide easy access to root via a special modified command.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "UID Elevation from Previously Unknown Executable", "new_terms_fields": ["host.id", "process.executable", "process.command_line"], "query": "host.os.type:\"linux\" and event.category:\"process\" and event.action:\"uid_change\" and event.type:\"change\" and user.id:\"0\"\nand process.parent.name:(\"bash\" or \"dash\" or \"sh\" or \"tcsh\" or \"csh\" or \"zsh\" or \"ksh\" or \"fish\") and not (\n process.executable:(\n /bin/* or /usr/bin/* or /sbin/* or /usr/sbin/* or /snap/* or /tmp/newroot/* or /var/lib/docker/* or /usr/local/*\n ) or\n process.name:(\n \"bash\" or \"dash\" or \"sh\" or \"tcsh\" or \"csh\" or \"zsh\" or \"ksh\" or \"fish\" or \"sudo\" or \"su\" or \"apt\" or \"apt-get\" or\n \"aptitude\" or \"squid\" or \"snap\" or \"fusermount\" or \"pkexec\" or \"umount\" or \"master\" or \"omsbaseline\" or \"dzdo\" or\n \"sandfly\" or \"logrotate\"\n ) or\n process.args:/usr/bin/python*\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": 
"process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "7787362c-90ff-4b1a-b313-8808b1020e64", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.013", "name": "KernelCallbackTable", "reference": "https://attack.mitre.org/techniques/T1574/013/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "7787362c-90ff-4b1a-b313-8808b1020e64_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7787362c-90ff-4b1a-b313-8808b1020e64_3.json b/packages/security_detection_engine/kibana/security_rule/7787362c-90ff-4b1a-b313-8808b1020e64_3.json
deleted file mode 100644
index 9139d2cdd49..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7787362c-90ff-4b1a-b313-8808b1020e64_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Monitors for the elevation of regular user permissions to root permissions through a previously unknown executable. Attackers may attempt to evade detection by hijacking the execution flow and hooking certain functions/syscalls through a rootkit in order to provide easy access to root via a special modified command.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "UID Elevation from Previously Unknown Executable", "new_terms_fields": ["process.executable"], "query": "host.os.type:\"linux\" and event.category:\"process\" and event.action:\"uid_change\" and event.type:\"change\" and user.id:\"0\"\nand process.parent.name:(\"bash\" or \"dash\" or \"sh\" or \"tcsh\" or \"csh\" or \"zsh\" or \"ksh\" or \"fish\") and not (\n process.executable:(\n /bin/* or /usr/bin/* or /sbin/* or /usr/sbin/* or /snap/* or /tmp/newroot/* or /var/lib/docker/* or /usr/local/* or\n /opt/psa/admin/* or /usr/lib/snapd/snap-confine or /opt/dynatrace/* or /opt/microsoft/* or\n /var/lib/snapd/snap/bin/node or /opt/gitlab/embedded/sbin/logrotate or /etc/apt/universal-hooks/* or\n /opt/puppetlabs/puppet/bin/puppet or /opt/cisco/* or /run/k3s/containerd/* or /usr/lib/postfix/sbin/master or\n /usr/libexec/postfix/local\n ) or\n process.name:(\n \"bash\" or \"dash\" or \"sh\" or \"tcsh\" or \"csh\" or \"zsh\" or \"ksh\" or \"fish\" or \"sudo\" or \"su\" or \"apt\" or \"apt-get\" or\n \"aptitude\" or \"squid\" or \"snap\" or \"fusermount\" or \"pkexec\" or \"umount\" or \"master\" or \"omsbaseline\" or \"dzdo\" or\n \"sandfly\" or \"logrotate\"\n ) or\n process.args:/usr/bin/python*\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": 
"event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "7787362c-90ff-4b1a-b313-8808b1020e64", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.013", "name": "KernelCallbackTable", "reference": "https://attack.mitre.org/techniques/T1574/013/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 3}, "id": "7787362c-90ff-4b1a-b313-8808b1020e64_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69.json b/packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69.json
deleted file mode 100644
index 372048f5917..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Adversary Behavior - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69", "setup": "## Setup\n\nThis rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.\n\n**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. 
For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.\n\nTo make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.\n\n**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.", "severity": "medium", "tags": ["Data Source: Elastic Endgame"], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "77a3c3df-8ec4-4da4-b758-878f551dee69", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69_101.json b/packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69_101.json
deleted file mode 100644
index 4caf92c0198..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69_101.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Adversary Behavior - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69", "severity": "medium", "tags": ["Elastic", "Elastic Endgame"], "type": "query", "version": 101}, "id": "77a3c3df-8ec4-4da4-b758-878f551dee69_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69_102.json b/packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69_102.json
deleted file mode 100644
index 445d64add82..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Adversary Behavior - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69", "severity": "medium", "tags": ["Data Source: Elastic Endgame"], "type": "query", "version": 102}, "id": "77a3c3df-8ec4-4da4-b758-878f551dee69_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69_103.json b/packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69_103.json
deleted file mode 100644
index 0c13c864528..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/77a3c3df-8ec4-4da4-b758-878f551dee69_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected an Adversary Behavior. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Adversary Behavior - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69", "severity": "medium", "tags": ["Data Source: Elastic Endgame"], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "77a3c3df-8ec4-4da4-b758-878f551dee69_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d.json b/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d.json
deleted file mode 100644
index 924a3f3106d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination hosts on commonly used network services.", "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*"], "language": "kuery", "license": "Elastic License v2", "max_signals": 5, "name": "Potential Network Sweep Detected", "query": "destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and\nsource.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "781f8746-2180-4691-890c-4c96d11ca91d", "severity": "low", "tags": ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0043", "name": "Reconnaissance", "reference": "https://attack.mitre.org/tactics/TA0043/"}, "technique": [{"id": "T1595", "name": "Active Scanning", 
"reference": "https://attack.mitre.org/techniques/T1595/", "subtechnique": [{"id": "T1595.001", "name": "Scanning IP Blocks", "reference": "https://attack.mitre.org/techniques/T1595/001/"}]}]}], "threshold": {"cardinality": [{"field": "destination.ip", "value": 100}], "field": ["source.ip"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 7}, "id": "781f8746-2180-4691-890c-4c96d11ca91d", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_1.json b/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_1.json
deleted file mode 100644
index c0dc02e7743..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination hosts on commonly used network services.", "from": "now-9m", "index": ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Network Sweep Detected", "query": "destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}], "risk_score": 47, "rule_id": "781f8746-2180-4691-890c-4c96d11ca91d", "severity": "medium", "tags": ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0043", "name": "Reconnaissance", "reference": "https://attack.mitre.org/tactics/TA0043/"}, "technique": [{"id": "T1595", "name": "Active Scanning", "reference": "https://attack.mitre.org/techniques/T1595/", "subtechnique": [{"id": "T1595.001", "name": "Scanning IP Blocks", "reference": 
"https://attack.mitre.org/techniques/T1595/001/"}]}]}], "threshold": {"cardinality": [{"field": "destination.ip", "value": 10}], "field": ["source.ip"], "value": 1}, "type": "threshold", "version": 1}, "id": "781f8746-2180-4691-890c-4c96d11ca91d_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_2.json b/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_2.json
deleted file mode 100644
index 2896e9e8610..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination hosts on commonly used network services.", "from": "now-9m", "index": ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Network Sweep Detected", "query": "destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and \nsource.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "781f8746-2180-4691-890c-4c96d11ca91d", "severity": "low", "tags": ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0043", "name": "Reconnaissance", "reference": "https://attack.mitre.org/tactics/TA0043/"}, "technique": [{"id": "T1595", "name": "Active Scanning", "reference": "https://attack.mitre.org/techniques/T1595/", "subtechnique": 
[{"id": "T1595.001", "name": "Scanning IP Blocks", "reference": "https://attack.mitre.org/techniques/T1595/001/"}]}]}], "threshold": {"cardinality": [{"field": "destination.ip", "value": 100}], "field": ["source.ip"], "value": 1}, "type": "threshold", "version": 2}, "id": "781f8746-2180-4691-890c-4c96d11ca91d_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_3.json b/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_3.json
deleted file mode 100644
index 11a01860217..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination hosts on commonly used network services.", "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Network Sweep Detected", "query": "destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and \nsource.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "781f8746-2180-4691-890c-4c96d11ca91d", "severity": "low", "tags": ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0043", "name": "Reconnaissance", "reference": "https://attack.mitre.org/tactics/TA0043/"}, "technique": [{"id": "T1595", "name": "Active Scanning", "reference": 
"https://attack.mitre.org/techniques/T1595/", "subtechnique": [{"id": "T1595.001", "name": "Scanning IP Blocks", "reference": "https://attack.mitre.org/techniques/T1595/001/"}]}]}], "threshold": {"cardinality": [{"field": "destination.ip", "value": 100}], "field": ["source.ip"], "value": 1}, "type": "threshold", "version": 3}, "id": "781f8746-2180-4691-890c-4c96d11ca91d_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_4.json b/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_4.json
deleted file mode 100644
index 949dcf4e793..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination hosts on commonly used network services.", "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*"], "language": "kuery", "license": "Elastic License v2", "max_signals": 5, "name": "Potential Network Sweep Detected", "query": "destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and \nsource.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "781f8746-2180-4691-890c-4c96d11ca91d", "severity": "low", "tags": ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0043", "name": "Reconnaissance", "reference": "https://attack.mitre.org/tactics/TA0043/"}, "technique": [{"id": "T1595", "name": "Active Scanning", "reference": 
"https://attack.mitre.org/techniques/T1595/", "subtechnique": [{"id": "T1595.001", "name": "Scanning IP Blocks", "reference": "https://attack.mitre.org/techniques/T1595/001/"}]}]}], "threshold": {"cardinality": [{"field": "destination.ip", "value": 100}], "field": ["source.ip"], "value": 1}, "type": "threshold", "version": 4}, "id": "781f8746-2180-4691-890c-4c96d11ca91d_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_5.json b/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_5.json
deleted file mode 100644
index 57f728d7e64..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination hosts on commonly used network services.", "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*"], "language": "kuery", "license": "Elastic License v2", "max_signals": 5, "name": "Potential Network Sweep Detected", "query": "destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and\nsource.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "781f8746-2180-4691-890c-4c96d11ca91d", "severity": "low", "tags": ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0043", "name": "Reconnaissance", "reference": "https://attack.mitre.org/tactics/TA0043/"}, "technique": [{"id": "T1595", "name": "Active Scanning", "reference": 
"https://attack.mitre.org/techniques/T1595/", "subtechnique": [{"id": "T1595.001", "name": "Scanning IP Blocks", "reference": "https://attack.mitre.org/techniques/T1595/001/"}]}]}], "threshold": {"cardinality": [{"field": "destination.ip", "value": 100}], "field": ["source.ip"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 5}, "id": "781f8746-2180-4691-890c-4c96d11ca91d_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_6.json b/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_6.json
deleted file mode 100644
index 0a07f0fda24..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination hosts on commonly used network services.", "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*"], "language": "kuery", "license": "Elastic License v2", "max_signals": 5, "name": "Potential Network Sweep Detected", "query": "destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and\nsource.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "781f8746-2180-4691-890c-4c96d11ca91d", "severity": "low", "tags": ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0043", "name": "Reconnaissance", "reference": "https://attack.mitre.org/tactics/TA0043/"}, "technique": [{"id": "T1595", "name": "Active Scanning", "reference": 
"https://attack.mitre.org/techniques/T1595/", "subtechnique": [{"id": "T1595.001", "name": "Scanning IP Blocks", "reference": "https://attack.mitre.org/techniques/T1595/001/"}]}]}], "threshold": {"cardinality": [{"field": "destination.ip", "value": 100}], "field": ["source.ip"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 6}, "id": "781f8746-2180-4691-890c-4c96d11ca91d_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_7.json b/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_7.json
deleted file mode 100644
index 46b5a1d8f9c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/781f8746-2180-4691-890c-4c96d11ca91d_7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies a potential network sweep. A network sweep is a method used by attackers to scan a target network, identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination hosts on commonly used network services.", "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*"], "language": "kuery", "license": "Elastic License v2", "max_signals": 5, "name": "Potential Network Sweep Detected", "query": "destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and\nsource.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "781f8746-2180-4691-890c-4c96d11ca91d", "severity": "low", "tags": ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0043", "name": "Reconnaissance", "reference": "https://attack.mitre.org/tactics/TA0043/"}, "technique": [{"id": "T1595", "name": "Active Scanning", 
"reference": "https://attack.mitre.org/techniques/T1595/", "subtechnique": [{"id": "T1595.001", "name": "Scanning IP Blocks", "reference": "https://attack.mitre.org/techniques/T1595/001/"}]}]}], "threshold": {"cardinality": [{"field": "destination.ip", "value": 100}], "field": ["source.ip"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 7}, "id": "781f8746-2180-4691-890c-4c96d11ca91d_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/78390eb5-c838-4c1d-8240-69dd7397cfb7.json b/packages/security_detection_engine/kibana/security_rule/78390eb5-c838-4c1d-8240-69dd7397cfb7.json
deleted file mode 100644
index 87933c12829..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/78390eb5-c838-4c1d-8240-69dd7397cfb7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the execution of the `grep` command with the `plugins` argument on Linux systems. This command is used to search for YUM/DNF configurations and/or plugins with an enabled state. This behavior may indicate an attacker is attempting to establish persistence in a YUM or DNF plugin.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Yum/DNF Plugin Status Discovery", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.name == \"grep\" and process.args : \"plugins*\" and process.args : (\n \"/etc/yum.conf\", \"/usr/lib/yum-plugins/*\", \"/etc/yum/pluginconf.d/*\",\n \"/usr/lib/python*/site-packages/dnf-plugins/*\", \"/etc/dnf/plugins/*\", \"/etc/dnf/dnf.conf\"\n)\n", "references": ["https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb", "https://pwnshift.github.io/2020/10/01/persistence.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "78390eb5-c838-4c1d-8240-69dd7397cfb7", "setup": "## Setup\nThis rule requires data coming in from Elastic Defend.\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "78390eb5-c838-4c1d-8240-69dd7397cfb7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/78390eb5-c838-4c1d-8240-69dd7397cfb7_1.json b/packages/security_detection_engine/kibana/security_rule/78390eb5-c838-4c1d-8240-69dd7397cfb7_1.json
deleted file mode 100644
index 7e2c09dc378..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/78390eb5-c838-4c1d-8240-69dd7397cfb7_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the execution of the `grep` command with the `plugins` argument on Linux systems. This command is used to search for YUM/DNF configurations and/or plugins with an enabled state. This behavior may indicate an attacker is attempting to establish persistence in a YUM or DNF plugin.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Yum/DNF Plugin Status Discovery", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.name == \"grep\" and process.args : \"plugins*\" and process.args : (\n \"/etc/yum.conf\", \"/usr/lib/yum-plugins/*\", \"/etc/yum/pluginconf.d/*\",\n \"/usr/lib/python*/site-packages/dnf-plugins/*\", \"/etc/dnf/plugins/*\", \"/etc/dnf/dnf.conf\"\n)\n", "references": ["https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/yum_package_manager_persistence.rb", "https://pwnshift.github.io/2020/10/01/persistence.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "78390eb5-c838-4c1d-8240-69dd7397cfb7", "setup": "## Setup\nThis rule requires data coming in from Elastic Defend.\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "78390eb5-c838-4c1d-8240-69dd7397cfb7_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd.json b/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd.json
deleted file mode 100644
index d1c597efc03..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization\u2019s Google Workspace domain in order to maintain a presence in their target\u2019s organization and steal data.", "false_positives": ["Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Application Added to Google Workspace Domain", "note": "## Triage and analysis\n\n### Investigating Application Added to Google Workspace Domain\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or on Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. 
As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\n\nThis rule checks for applications that were manually added to the Marketplace by a Google Workspace account.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- With access to the Google Workspace admin console, visit the `Security > Investigation tool` with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\n- With the user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the 
incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\n", "references": ["https://support.google.com/a/answer/6328701?hl=en#"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "785a404b-75aa-4ffd-8be5-3334a5a544dd", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "785a404b-75aa-4ffd-8be5-3334a5a544dd", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_203.json b/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_203.json
deleted file mode 100644
index 38bafd890c7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_203.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization\u2019s Google Workspace domain in order to maintain a presence in their target\u2019s organization and steal data.", "false_positives": ["Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Application Added to Google Workspace Domain", "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\n", "references": ["https://support.google.com/a/answer/6328701?hl=en#"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "785a404b-75aa-4ffd-8be5-3334a5a544dd", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Configuration Audit", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 203}, "id": "785a404b-75aa-4ffd-8be5-3334a5a544dd_203", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_204.json b/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_204.json
deleted file mode 100644
index ecb722e50f0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_204.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization\u2019s Google Workspace domain in order to maintain a presence in their target\u2019s organization and steal data.", "false_positives": ["Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Application Added to Google Workspace Domain", "note": "## Triage and analysis\n\n### Investigating Application Added to Google Workspace Domain\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or on Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. 
As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\n\nThis rule checks for applications that were manually added to the Marketplace by a Google Workspace account.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- With access to the Google Workspace admin console, visit the `Security > Investigation tool` with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\n- With the user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the 
incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\n", "references": ["https://support.google.com/a/answer/6328701?hl=en#"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "785a404b-75aa-4ffd-8be5-3334a5a544dd", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Configuration Audit", "Persistence", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 204}, "id": "785a404b-75aa-4ffd-8be5-3334a5a544dd_204", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_205.json b/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_205.json deleted file mode 100644 index e9a5eadafdd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/785a404b-75aa-4ffd-8be5-3334a5a544dd_205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a Google marketplace application is added to the Google Workspace domain. An adversary may add a malicious application to an organization\u2019s Google Workspace domain in order to maintain a presence in their target\u2019s organization and steal data.", "false_positives": ["Applications can be added to a Google Workspace domain by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Application Added to Google Workspace Domain", "note": "## Triage and analysis\n\n### Investigating Application Added to Google Workspace Domain\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or on Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. 
As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\n\nThis rule checks for applications that were manually added to the Marketplace by a Google Workspace account.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- With access to the Google Workspace admin console, visit the `Security > Investigation tool` with filters for the user email and event is `Assign Role` or `Update Role` to determine if new cloud roles were recently updated.\n- With the user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Google Workspace administrators might intentionally remove an application from the blocklist due to a re-assessment or a domain-wide required need for the application.\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Contact the user to verify that they intentionally removed the application from the blocklist and their reasoning.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the 
incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_APPLICATION\n", "references": ["https://support.google.com/a/answer/6328701?hl=en#"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "785a404b-75aa-4ffd-8be5-3334a5a544dd", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "785a404b-75aa-4ffd-8be5-3334a5a544dd_205", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80.json b/packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80.json deleted file mode 100644 index b26e618b453..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to maintain persistence in their target's environment or modify a PIM role to weaken their target's security controls.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Privilege Identity Management Role Modified", "note": "## Triage and analysis\n\n### Investigating Azure Privilege Identity Management Role Modified\n\nAzure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator.\n\nThis rule identifies the update of PIM role settings, which can indicate that an attacker has already gained enough access to modify role assignment settings.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Consider the source IP address and geolocation for the user who issued the command. Do they look normal for the user?\n- Consider the time of day. 
If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the account's commands, API calls, and data management actions in the last 24 hours.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this activity didn't follow your organization's change management policies, it should be reviewed by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Restore the PIM roles to the desired state.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update role setting in PIM\" and event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles", "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure"], "related_integrations": [{"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "7882cebf-6cf1-4de3-9662-213aa13e8b80", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid 
Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "7882cebf-6cf1-4de3-9662-213aa13e8b80", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80_104.json b/packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80_104.json deleted file mode 100644 index 7c90091ca3c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7882cebf-6cf1-4de3-9662-213aa13e8b80_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to maintain persistence in their target's environment or modify a PIM role to weaken their target's security controls.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Privilege Identity Management Role Modified", "note": "## Triage and analysis\n\n### Investigating Azure Privilege Identity Management Role Modified\n\nAzure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator.\n\nThis rule identifies the update of PIM role settings, which can indicate that an attacker has already gained enough access to modify role assignment settings.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Consider the source IP address and geolocation for the user who issued the command. Do they look normal for the user?\n- Consider the time of day. 
If the user is a human, not a program or script, did the activity take place during a normal time of day?\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Examine the account's commands, API calls, and data management actions in the last 24 hours.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this activity didn't follow your organization's change management policies, it should be reviewed by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Restore the PIM roles to the desired state.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Update role setting in PIM\" and event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles", "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure"], "related_integrations": [{"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "7882cebf-6cf1-4de3-9662-213aa13e8b80", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": 
"https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "7882cebf-6cf1-4de3-9662-213aa13e8b80_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670.json b/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670.json deleted file mode 100644 index 94cee76dbeb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.", "false_positives": ["Spikes in error message activity can also be due to bugs in cloud automation scripts or workflows; changes to cloud automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to IAM privileges."], "from": "now-60m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "high_distinct_count_error_message", "name": "Spike in AWS Error Messages", "note": "## Triage and analysis\n\n### Investigating Spike in AWS Error Messages\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.\n\n#### Possible investigation steps\n\n- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an automation module or script. You can find the error in the `aws.cloudtrail.error_code field` field.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. 
These may indicate the source of the program or the nature of the task being performed when the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. 
You can find the command in the `event.action field` field.\n- The adoption of new services or the addition of new functionality to scripts may generate false positives.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "aws", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "78d3d8d9-b476-451d-a9e0-7a5addd70670", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS.\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### AWS Integration Setup\nThe AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"aws\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAWS\u201d and select the integration to see more details about it.\n- Click \u201cAdd AWS\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201caws\u201d to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws).\n", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"], "type": "machine_learning", "version": 209}, "id": "78d3d8d9-b476-451d-a9e0-7a5addd70670", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_104.json b/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_104.json deleted file mode 100644 index 07ba035eb75..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.", "false_positives": ["Spikes in error message activity can also be due to bugs in cloud automation scripts or workflows; changes to cloud automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to IAM privileges."], "from": "now-60m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "high_distinct_count_error_message", "name": "Spike in AWS Error Messages", "note": "## Triage and analysis\n\n### Investigating Spike in AWS Error Messages\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.\n\n#### Possible investigation steps\n\n- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an automation module or script. You can find the error in the `aws.cloudtrail.error_code field` field.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. 
These may indicate the source of the program or the nature of the task being performed when the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. 
You can find the command in the `event.action field` field.\n- The adoption of new services or the addition of new functionality to scripts may generate false positives.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [], "risk_score": 21, "rule_id": "78d3d8d9-b476-451d-a9e0-7a5addd70670", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "ML", "Machine Learning", "Investigation Guide"], "type": "machine_learning", "version": 104}, "id": "78d3d8d9-b476-451d-a9e0-7a5addd70670_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_105.json b/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_105.json
deleted file mode 100644
index 7c86de1dc88..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.", "false_positives": ["Spikes in error message activity can also be due to bugs in cloud automation scripts or workflows; changes to cloud automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to IAM privileges."], "from": "now-60m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "high_distinct_count_error_message", "name": "Spike in AWS Error Messages", "note": "## Triage and analysis\n\n### Investigating Spike in AWS Error Messages\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.\n\n#### Possible investigation steps\n\n- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an automation module or script. You can find the error in the `aws.cloudtrail.error_code field` field.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. 
These may indicate the source of the program or the nature of the task being performed when the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. 
You can find the command in the `event.action field` field.\n- The adoption of new services or the addition of new functionality to scripts may generate false positives.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [], "risk_score": 21, "rule_id": "78d3d8d9-b476-451d-a9e0-7a5addd70670", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"], "type": "machine_learning", "version": 105}, "id": "78d3d8d9-b476-451d-a9e0-7a5addd70670_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_106.json b/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_106.json
deleted file mode 100644
index 4dcf587cd3a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.", "false_positives": ["Spikes in error message activity can also be due to bugs in cloud automation scripts or workflows; changes to cloud automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to IAM privileges."], "from": "now-60m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "high_distinct_count_error_message", "name": "Spike in AWS Error Messages", "note": "## Triage and analysis\n\n### Investigating Spike in AWS Error Messages\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.\n\n#### Possible investigation steps\n\n- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an automation module or script. You can find the error in the `aws.cloudtrail.error_code field` field.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. 
These may indicate the source of the program or the nature of the task being performed when the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. 
You can find the command in the `event.action field` field.\n- The adoption of new services or the addition of new functionality to scripts may generate false positives.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "aws", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "78d3d8d9-b476-451d-a9e0-7a5addd70670", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"], "type": "machine_learning", "version": 106}, "id": "78d3d8d9-b476-451d-a9e0-7a5addd70670_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_107.json b/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_107.json
deleted file mode 100644
index a2fa08f36a3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.", "false_positives": ["Spikes in error message activity can also be due to bugs in cloud automation scripts or workflows; changes to cloud automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to IAM privileges."], "from": "now-60m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "high_distinct_count_error_message", "name": "Spike in AWS Error Messages", "note": "## Triage and analysis\n\n### Investigating Spike in AWS Error Messages\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.\n\n#### Possible investigation steps\n\n- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an automation module or script. You can find the error in the `aws.cloudtrail.error_code field` field.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. 
These may indicate the source of the program or the nature of the task being performed when the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. 
You can find the command in the `event.action field` field.\n- The adoption of new services or the addition of new functionality to scripts may generate false positives.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "aws", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "78d3d8d9-b476-451d-a9e0-7a5addd70670", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"], "type": "machine_learning", "version": 107}, "id": "78d3d8d9-b476-451d-a9e0-7a5addd70670_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_208.json b/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_208.json
deleted file mode 100644
index 9f27c22333e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/78d3d8d9-b476-451d-a9e0-7a5addd70670_208.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.", "false_positives": ["Spikes in error message activity can also be due to bugs in cloud automation scripts or workflows; changes to cloud automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to IAM privileges."], "from": "now-60m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "high_distinct_count_error_message", "name": "Spike in AWS Error Messages", "note": "## Triage and analysis\n\n### Investigating Spike in AWS Error Messages\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect a significant spike in the rate of a particular error in the CloudTrail messages. Spikes in error messages may accompany attempts at privilege escalation, lateral movement, or discovery.\n\n#### Possible investigation steps\n\n- Examine the history of the error. If the error only manifested recently, it might be related to recent changes in an automation module or script. You can find the error in the `aws.cloudtrail.error_code field` field.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. 
These may indicate the source of the program or the nature of the task being performed when the error occurred.\n - Check whether the error is related to unsuccessful attempts to enumerate or access objects, data, or secrets.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. 
You can find the command in the `event.action field` field.\n- The adoption of new services or the addition of new functionality to scripts may generate false positives.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "aws", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "78d3d8d9-b476-451d-a9e0-7a5addd70670", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"], "type": "machine_learning", "version": 208}, "id": "78d3d8d9-b476-451d-a9e0-7a5addd70670_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546.json b/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546.json
deleted file mode 100644
index 8118f1138aa..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate execution abusing unauthorized access to the ScreenConnect remote access software.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious ScreenConnect Client Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name :\n (\"ScreenConnect.ClientService.exe\",\n \"ScreenConnect.WindowsClient.exe\",\n \"ScreenConnect.WindowsBackstageShell.exe\",\n \"ScreenConnect.WindowsFileManager.exe\") and\n (\n (process.name : \"powershell.exe\" and\n process.args : (\"-enc\", \"-ec\", \"-e\", \"*downloadstring*\", \"*Reflection.Assembly*\", \"*http*\")) or\n (process.name : \"cmd.exe\" and process.args : \"/c\") or\n (process.name : \"net.exe\" and process.args : \"/add\") or\n (process.name : \"schtasks.exe\" and process.args : (\"/create\", \"-create\")) or\n (process.name : \"sc.exe\" and process.args : \"create\") or\n (process.name : \"rundll32.exe\" and not process.args : \"url.dll,FileProtocolHandler\") or\n (process.name : \"msiexec.exe\" and process.args : (\"/i\", \"-i\") and\n process.args : (\"/q\", \"/quiet\", \"/qn\", \"-q\", \"-quiet\", \"-qn\", \"-Q+\")) or\n process.name : (\"mshta.exe\", \"certutil.exe\", \"bistadmin.exe\", \"certreq.exe\", \"wscript.exe\", \"cscript.exe\", \"curl.exe\",\n \"ssh.exe\", \"scp.exe\", \"wevtutil.exe\", \"wget.exe\", \"wmic.exe\")\n )\n", "references": ["https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": 
"windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "78de1aeb-5225-4067-b8cc-f4a1de8a8546", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 205}, "id": "78de1aeb-5225-4067-b8cc-f4a1de8a8546", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_1.json b/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_1.json deleted file mode 100644 index ede0d937011..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate execution abusing unauthorized access to the ScreenConnect remote access software.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious ScreenConnect Client Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name :\n (\"ScreenConnect.ClientService.exe\",\n \"ScreenConnect.WindowsClient.exe\",\n \"ScreenConnect.WindowsBackstageShell.exe\",\n \"ScreenConnect.WindowsFileManager.exe\") and\n (\n (process.name : \"powershell.exe\" and\n process.args : (\"-enc\", \"-ec\", \"-e\", \"*downloadstring*\", \"*Reflection.Assembly*\", \"*http*\")) or\n (process.name : \"cmd.exe\" and process.args : \"/c\") or\n (process.name : \"net.exe\" and process.args : \"/add\") or\n (process.name : \"schtasks.exe\" and process.args : (\"/create\", \"-create\")) or\n (process.name : \"sc.exe\" and process.args : \"create\") or\n (process.name : \"rundll32.exe\" and not process.args : \"url.dll,FileProtocolHandler\") or\n (process.name : \"msiexec.exe\" and process.args : (\"/i\", \"-i\") and\n process.args : (\"/q\", \"/quiet\", \"/qn\", \"-q\", \"-quiet\", \"-qn\", \"-Q+\")) or\n process.name : (\"mshta.exe\", \"certutil.exe\", \"bistadmin.exe\", \"certreq.exe\", \"wscript.exe\", \"cscript.exe\", \"curl.exe\", \n \"ssh.exe\", \"scp.exe\", \"wevtutil.exe\", \"wget.exe\", \"wmic.exe\")\n )\n", "references": ["https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, 
"name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "78de1aeb-5225-4067-b8cc-f4a1de8a8546", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "78de1aeb-5225-4067-b8cc-f4a1de8a8546_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_102.json b/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_102.json deleted file mode 100644 index 48db59e06c2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate execution abusing unauthorized access to the ScreenConnect remote access software.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious ScreenConnect Client Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name :\n (\"ScreenConnect.ClientService.exe\",\n \"ScreenConnect.WindowsClient.exe\",\n \"ScreenConnect.WindowsBackstageShell.exe\",\n \"ScreenConnect.WindowsFileManager.exe\") and\n (\n (process.name : \"powershell.exe\" and\n process.args : (\"-enc\", \"-ec\", \"-e\", \"*downloadstring*\", \"*Reflection.Assembly*\", \"*http*\")) or\n (process.name : \"cmd.exe\" and process.args : \"/c\") or\n (process.name : \"net.exe\" and process.args : \"/add\") or\n (process.name : \"schtasks.exe\" and process.args : (\"/create\", \"-create\")) or\n (process.name : \"sc.exe\" and process.args : \"create\") or\n (process.name : \"rundll32.exe\" and not process.args : \"url.dll,FileProtocolHandler\") or\n (process.name : \"msiexec.exe\" and process.args : (\"/i\", \"-i\") and\n process.args : (\"/q\", \"/quiet\", \"/qn\", \"-q\", \"-quiet\", \"-qn\", \"-Q+\")) or\n process.name : (\"mshta.exe\", \"certutil.exe\", \"bistadmin.exe\", \"certreq.exe\", \"wscript.exe\", \"cscript.exe\", \"curl.exe\",\n \"ssh.exe\", \"scp.exe\", \"wevtutil.exe\", \"wget.exe\", \"wmic.exe\")\n )\n", "references": ["https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, 
{"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "78de1aeb-5225-4067-b8cc-f4a1de8a8546", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "78de1aeb-5225-4067-b8cc-f4a1de8a8546_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_203.json b/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_203.json deleted file mode 100644 index 73b64ed9d2f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_203.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate execution abusing unauthorized access to the ScreenConnect remote access software.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious ScreenConnect Client Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name :\n (\"ScreenConnect.ClientService.exe\",\n \"ScreenConnect.WindowsClient.exe\",\n \"ScreenConnect.WindowsBackstageShell.exe\",\n \"ScreenConnect.WindowsFileManager.exe\") and\n (\n (process.name : \"powershell.exe\" and\n process.args : (\"-enc\", \"-ec\", \"-e\", \"*downloadstring*\", \"*Reflection.Assembly*\", \"*http*\")) or\n (process.name : \"cmd.exe\" and process.args : \"/c\") or\n (process.name : \"net.exe\" and process.args : \"/add\") or\n (process.name : \"schtasks.exe\" and process.args : (\"/create\", \"-create\")) or\n (process.name : \"sc.exe\" and process.args : \"create\") or\n (process.name : \"rundll32.exe\" and not process.args : \"url.dll,FileProtocolHandler\") or\n (process.name : \"msiexec.exe\" and process.args : (\"/i\", \"-i\") and\n process.args : (\"/q\", \"/quiet\", \"/qn\", \"-q\", \"-quiet\", \"-qn\", \"-Q+\")) or\n process.name : (\"mshta.exe\", \"certutil.exe\", \"bistadmin.exe\", \"certreq.exe\", \"wscript.exe\", \"cscript.exe\", \"curl.exe\",\n \"ssh.exe\", \"scp.exe\", \"wevtutil.exe\", \"wget.exe\", \"wmic.exe\")\n )\n", "references": ["https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, 
{"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "78de1aeb-5225-4067-b8cc-f4a1de8a8546", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 203}, "id": "78de1aeb-5225-4067-b8cc-f4a1de8a8546_203", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_204.json b/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_204.json deleted file mode 100644 index 647ae4e1615..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_204.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate execution abusing unauthorized access to the ScreenConnect remote access software.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious ScreenConnect Client Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name :\n (\"ScreenConnect.ClientService.exe\",\n \"ScreenConnect.WindowsClient.exe\",\n \"ScreenConnect.WindowsBackstageShell.exe\",\n \"ScreenConnect.WindowsFileManager.exe\") and\n (\n (process.name : \"powershell.exe\" and\n process.args : (\"-enc\", \"-ec\", \"-e\", \"*downloadstring*\", \"*Reflection.Assembly*\", \"*http*\")) or\n (process.name : \"cmd.exe\" and process.args : \"/c\") or\n (process.name : \"net.exe\" and process.args : \"/add\") or\n (process.name : \"schtasks.exe\" and process.args : (\"/create\", \"-create\")) or\n (process.name : \"sc.exe\" and process.args : \"create\") or\n (process.name : \"rundll32.exe\" and not process.args : \"url.dll,FileProtocolHandler\") or\n (process.name : \"msiexec.exe\" and process.args : (\"/i\", \"-i\") and\n process.args : (\"/q\", \"/quiet\", \"/qn\", \"-q\", \"-quiet\", \"-qn\", \"-Q+\")) or\n process.name : (\"mshta.exe\", \"certutil.exe\", \"bistadmin.exe\", \"certreq.exe\", \"wscript.exe\", \"cscript.exe\", \"curl.exe\",\n \"ssh.exe\", \"scp.exe\", \"wevtutil.exe\", \"wget.exe\", \"wmic.exe\")\n )\n", "references": ["https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": 
"windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "78de1aeb-5225-4067-b8cc-f4a1de8a8546", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 204}, "id": "78de1aeb-5225-4067-b8cc-f4a1de8a8546_204", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_205.json b/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_205.json deleted file mode 100644 index 2a31634d203..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate execution abusing unauthorized access to the ScreenConnect remote access software.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious ScreenConnect Client Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name :\n (\"ScreenConnect.ClientService.exe\",\n \"ScreenConnect.WindowsClient.exe\",\n \"ScreenConnect.WindowsBackstageShell.exe\",\n \"ScreenConnect.WindowsFileManager.exe\") and\n (\n (process.name : \"powershell.exe\" and\n process.args : (\"-enc\", \"-ec\", \"-e\", \"*downloadstring*\", \"*Reflection.Assembly*\", \"*http*\")) or\n (process.name : \"cmd.exe\" and process.args : \"/c\") or\n (process.name : \"net.exe\" and process.args : \"/add\") or\n (process.name : \"schtasks.exe\" and process.args : (\"/create\", \"-create\")) or\n (process.name : \"sc.exe\" and process.args : \"create\") or\n (process.name : \"rundll32.exe\" and not process.args : \"url.dll,FileProtocolHandler\") or\n (process.name : \"msiexec.exe\" and process.args : (\"/i\", \"-i\") and\n process.args : (\"/q\", \"/quiet\", \"/qn\", \"-q\", \"-quiet\", \"-qn\", \"-Q+\")) or\n process.name : (\"mshta.exe\", \"certutil.exe\", \"bistadmin.exe\", \"certreq.exe\", \"wscript.exe\", \"cscript.exe\", \"curl.exe\",\n \"ssh.exe\", \"scp.exe\", \"wevtutil.exe\", \"wget.exe\", \"wmic.exe\")\n )\n", "references": ["https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": 
"windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "78de1aeb-5225-4067-b8cc-f4a1de8a8546", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 205}, "id": "78de1aeb-5225-4067-b8cc-f4a1de8a8546_205", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_305.json b/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_305.json deleted file mode 100644 index 674621c1a3b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_305.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate execution abusing unauthorized access to the ScreenConnect remote access software.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious ScreenConnect Client Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name :\n (\"ScreenConnect.ClientService.exe\",\n \"ScreenConnect.WindowsClient.exe\",\n \"ScreenConnect.WindowsBackstageShell.exe\",\n \"ScreenConnect.WindowsFileManager.exe\") and\n (\n (process.name : \"powershell.exe\" and\n process.args : (\"-enc\", \"-ec\", \"-e\", \"*downloadstring*\", \"*Reflection.Assembly*\", \"*http*\")) or\n (process.name : \"cmd.exe\" and process.args : \"/c\") or\n (process.name : \"net.exe\" and process.args : \"/add\") or\n (process.name : \"schtasks.exe\" and process.args : (\"/create\", \"-create\")) or\n (process.name : \"sc.exe\" and process.args : \"create\") or\n (process.name : \"rundll32.exe\" and not process.args : \"url.dll,FileProtocolHandler\") or\n (process.name : \"msiexec.exe\" and process.args : (\"/i\", \"-i\") and\n process.args : (\"/q\", \"/quiet\", \"/qn\", \"-q\", \"-quiet\", \"-qn\", \"-Q+\")) or\n process.name : (\"mshta.exe\", \"certutil.exe\", \"bistadmin.exe\", \"certreq.exe\", \"wscript.exe\", \"cscript.exe\", \"curl.exe\",\n \"ssh.exe\", \"scp.exe\", \"wevtutil.exe\", \"wget.exe\", \"wmic.exe\")\n )\n", "references": ["https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": 
"windows", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "78de1aeb-5225-4067-b8cc-f4a1de8a8546", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 305}, "id": "78de1aeb-5225-4067-b8cc-f4a1de8a8546_305", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_306.json b/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_306.json deleted file mode 100644 index 6b1a943206d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/78de1aeb-5225-4067-b8cc-f4a1de8a8546_306.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate execution abusing unauthorized access to the ScreenConnect remote access software.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious ScreenConnect Client Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name :\n (\"ScreenConnect.ClientService.exe\",\n \"ScreenConnect.WindowsClient.exe\",\n \"ScreenConnect.WindowsBackstageShell.exe\",\n \"ScreenConnect.WindowsFileManager.exe\") and\n (\n (process.name : \"powershell.exe\" and\n process.args : (\"-enc\", \"-ec\", \"-e\", \"*downloadstring*\", \"*Reflection.Assembly*\", \"*http*\")) or\n (process.name : \"cmd.exe\" and process.args : \"/c\") or\n (process.name : \"net.exe\" and process.args : \"/add\") or\n (process.name : \"schtasks.exe\" and process.args : (\"/create\", \"-create\")) or\n (process.name : \"sc.exe\" and process.args : \"create\") or\n (process.name : \"rundll32.exe\" and not process.args : \"url.dll,FileProtocolHandler\") or\n (process.name : \"msiexec.exe\" and process.args : (\"/i\", \"-i\") and\n process.args : (\"/q\", \"/quiet\", \"/qn\", \"-q\", \"-quiet\", \"-qn\", \"-Q+\")) or\n process.name : (\"mshta.exe\", \"certutil.exe\", \"bistadmin.exe\", \"certreq.exe\", \"wscript.exe\", \"cscript.exe\", \"curl.exe\",\n \"ssh.exe\", \"scp.exe\", \"wevtutil.exe\", \"wget.exe\", \"wmic.exe\")\n )\n", "references": ["https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": 
"windows", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "78de1aeb-5225-4067-b8cc-f4a1de8a8546", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 306}, "id": "78de1aeb-5225-4067-b8cc-f4a1de8a8546_306", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/78e9b5d5-7c07-40a7-a591-3dbbf464c386.json b/packages/security_detection_engine/kibana/security_rule/78e9b5d5-7c07-40a7-a591-3dbbf464c386.json deleted file mode 100644 index bd925c4da4b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/78e9b5d5-7c07-40a7-a591-3dbbf464c386.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an incoming SMB connection followed by a suspicious file rename operation. This may indicate a remote ransomware attack via the SMB protocol.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Renamed via SMB", "note": "## Triage and analysis\n\n## Performance\n\n- This rule may cause medium to high performance impact due to logic scoping all icoming SMB network events.\n\n#### Possible investigation steps\n\n- Investigate the source.ip address connecting to port 445 on this host.\n- Identify the user account that performed the file creation via SMB.\n- If the number of files is too high and source.ip connecting over SMB is unusual isolate the host and block the used credentials.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Remote file rename over SMB.\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n- Potential Ransomware Note File Dropped via SMB - 02bab13d-fb14-4d7c-b6fe-4a28874d37c5\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=1s\n [network where host.os.type == \"windows\" and\n event.action == \"connection_accepted\" and destination.port == 445 and source.port >= 49152 and process.pid == 4 and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and\n network.type == \"ipv4\" and not endswith(source.address, destination.address)]\n [file where host.os.type == \"windows\" and\n event.action == \"rename\" and process.pid == 4 and user.id : (\"S-1-5-21*\", \"S-1-12-*\") and\n file.extension != null and file.Ext.entropy >= 6 and file.path : \"C:\\\\Users\\\\*\" and\n file.Ext.original.name : (\"*.jpg\", \"*.bmp\", \"*.png\", \"*.pdf\", \"*.doc\", \"*.docx\", \"*.xls\", \"*.xlsx\", \"*.ppt\", \"*.pptx\", \"*.lnk\") and\n not file.extension : (\"jpg\", \"bmp\", \"png\", \"pdf\", \"doc\", \"docx\", \"xls\", \"xlsx\", \"ppt\", \"pptx\", \"*.lnk\")] with runs=3\n", "references": ["https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.address", "type": "keyword"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, 
{"ecs": false, "name": "file.Ext.entropy", "type": "unknown"}, {"ecs": false, "name": "file.Ext.original.name", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.address", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "78e9b5d5-7c07-40a7-a591-3dbbf464c386", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}, {"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "78e9b5d5-7c07-40a7-a591-3dbbf464c386", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/78e9b5d5-7c07-40a7-a591-3dbbf464c386_1.json b/packages/security_detection_engine/kibana/security_rule/78e9b5d5-7c07-40a7-a591-3dbbf464c386_1.json
deleted file mode 100644
index 0aa660d63f2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/78e9b5d5-7c07-40a7-a591-3dbbf464c386_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an incoming SMB connection followed by a suspicious file rename operation. This may indicate a remote ransomware attack via the SMB protocol.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Renamed via SMB", "note": "## Triage and analysis\n\n## Performance\n\n- This rule may cause medium to high performance impact due to logic scoping all icoming SMB network events.\n\n#### Possible investigation steps\n\n- Investigate the source.ip address connecting to port 445 on this host.\n- Identify the user account that performed the file creation via SMB.\n- If the number of files is too high and source.ip connecting over SMB is unusual isolate the host and block the used credentials.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Remote file rename over SMB.\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n- Potential Ransomware Note File Dropped via SMB - 02bab13d-fb14-4d7c-b6fe-4a28874d37c5\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=1s\n [network where host.os.type == \"windows\" and\n event.action == \"connection_accepted\" and destination.port == 445 and source.port >= 49152 and process.pid == 4 and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n [file where host.os.type == \"windows\" and\n event.action == \"rename\" and process.pid == 4 and user.id : (\"S-1-5-21*\", \"S-1-12-*\") and\n file.extension != null and file.Ext.entropy >= 6 and\n file.Ext.original.name : (\"*.jpg\", \"*.bmp\", \"*.png\", \"*.pdf\", \"*.doc\", \"*.docx\", \"*.xls\", \"*.xlsx\", \"*.ppt\", \"*.pptx\", \"*.lnk\") and\n not file.extension : (\"jpg\", \"bmp\", \"png\", \"pdf\", \"doc\", \"docx\", \"xls\", \"xlsx\", \"ppt\", \"pptx\", \"*.lnk\")] with runs=3\n", "references": ["https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.entropy", "type": "unknown"}, {"ecs": false, "name": "file.Ext.original.name", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": 
"keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "78e9b5d5-7c07-40a7-a591-3dbbf464c386", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}, {"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "78e9b5d5-7c07-40a7-a591-3dbbf464c386_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/78e9b5d5-7c07-40a7-a591-3dbbf464c386_2.json b/packages/security_detection_engine/kibana/security_rule/78e9b5d5-7c07-40a7-a591-3dbbf464c386_2.json deleted file mode 100644 index 85ca746d2e6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/78e9b5d5-7c07-40a7-a591-3dbbf464c386_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an incoming SMB connection followed by a suspicious file rename operation. This may indicate a remote ransomware attack via the SMB protocol.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Renamed via SMB", "note": "## Triage and analysis\n\n## Performance\n\n- This rule may cause medium to high performance impact due to logic scoping all icoming SMB network events.\n\n#### Possible investigation steps\n\n- Investigate the source.ip address connecting to port 445 on this host.\n- Identify the user account that performed the file creation via SMB.\n- If the number of files is too high and source.ip connecting over SMB is unusual isolate the host and block the used credentials.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Remote file rename over SMB.\n\n### Related rules\n\n- Third-party Backup Files Deleted via Unexpected Process - 11ea6bec-ebde-4d71-a8e9-784948f8e3e9\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n- Volume Shadow Copy Deletion via WMIC - dc9c1f74-dac3-48e3-b47f-eb79db358f57\n- Potential Ransomware Note File Dropped via SMB - 02bab13d-fb14-4d7c-b6fe-4a28874d37c5\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If any other destructive action was identified on the host, it is recommended to prioritize the investigation and look for ransomware preparation and execution activities.\n- If any backups were affected:\n - Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id with maxspan=1s\n [network where host.os.type == \"windows\" and\n event.action == \"connection_accepted\" and destination.port == 445 and source.port >= 49152 and process.pid == 4 and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n [file where host.os.type == \"windows\" and\n event.action == \"rename\" and process.pid == 4 and user.id : (\"S-1-5-21*\", \"S-1-12-*\") and\n file.extension != null and file.Ext.entropy >= 6 and\n file.Ext.original.name : (\"*.jpg\", \"*.bmp\", \"*.png\", \"*.pdf\", \"*.doc\", \"*.docx\", \"*.xls\", \"*.xlsx\", \"*.ppt\", \"*.pptx\", \"*.lnk\") and\n not file.extension : (\"jpg\", \"bmp\", \"png\", \"pdf\", \"doc\", \"docx\", \"xls\", \"xlsx\", \"ppt\", \"pptx\", \"*.lnk\")] with runs=3\n", "references": ["https://news.sophos.com/en-us/2023/12/21/akira-again-the-ransomware-that-keeps-on-taking/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.entropy", "type": "unknown"}, {"ecs": false, "name": "file.Ext.original.name", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": 
"keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "78e9b5d5-7c07-40a7-a591-3dbbf464c386", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}, {"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "78e9b5d5-7c07-40a7-a591-3dbbf464c386_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e.json b/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e.json deleted file mode 100644 index f0ffb216e39..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service (svchost). Adversaries may use this technique to maintain persistence or run with System privileges.", "from": "now-9m", "index": ["logs-endpoint.events.library-*"], "language": "eql", "license": "Elastic License v2", "name": "Unsigned DLL Loaded by Svchost", "query": "library where host.os.type == \"windows\" and\n\n process.executable : \n (\"?:\\\\Windows\\\\System32\\\\svchost.exe\", \"?:\\\\Windows\\\\Syswow64\\\\svchost.exe\") and \n \n dll.code_signature.trusted != true and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and \n \n dll.hash.sha256 != null and \n \n (\n /* DLL created within 5 minutes of the library load event - compatible with Elastic Endpoint 8.4+ */\n dll.Ext.relative_file_creation_time <= 300 or \n \n /* unusual paths */\n dll.path :(\"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Users\\\\*\",\n \"?:\\\\PerfLogs\\\\*\",\n \"?:\\\\Windows\\\\Tasks\\\\*\",\n \"?:\\\\Intel\\\\*\",\n \"?:\\\\AMD\\\\Temp\\\\*\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*\",\n \"?:\\\\Windows\\\\ServiceState\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"?:\\\\Windows\\\\Branding\\\\*\",\n \"?:\\\\Windows\\\\csc\\\\*\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"?:\\\\Windows\\\\en-US\\\\*\",\n \"?:\\\\Windows\\\\wlansvc\\\\*\",\n \"?:\\\\Windows\\\\Prefetch\\\\*\",\n \"?:\\\\Windows\\\\Fonts\\\\*\",\n \"?:\\\\Windows\\\\diagnostics\\\\*\",\n \"?:\\\\Windows\\\\TAPI\\\\*\",\n \"?:\\\\Windows\\\\INF\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"?:\\\\windows\\\\tracing\\\\*\",\n \"?:\\\\windows\\\\IME\\\\*\",\n \"?:\\\\Windows\\\\Performance\\\\*\",\n \"?:\\\\windows\\\\intel\\\\*\",\n \"?:\\\\windows\\\\ms\\\\*\",\n \"?:\\\\Windows\\\\dot3svc\\\\*\",\n \"?:\\\\Windows\\\\panther\\\\*\",\n 
\"?:\\\\Windows\\\\RemotePackages\\\\*\",\n \"?:\\\\Windows\\\\OCR\\\\*\",\n \"?:\\\\Windows\\\\appcompat\\\\*\",\n \"?:\\\\Windows\\\\apppatch\\\\*\",\n \"?:\\\\Windows\\\\addins\\\\*\",\n \"?:\\\\Windows\\\\Setup\\\\*\",\n \"?:\\\\Windows\\\\Help\\\\*\",\n \"?:\\\\Windows\\\\SKB\\\\*\",\n \"?:\\\\Windows\\\\Vss\\\\*\",\n \"?:\\\\Windows\\\\servicing\\\\*\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*\",\n \"?:\\\\Windows\\\\Logs\\\\*\",\n \"?:\\\\Windows\\\\WaaS\\\\*\",\n \"?:\\\\Windows\\\\twain_32\\\\*\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*\",\n \"?:\\\\Windows\\\\PLA\\\\*\",\n \"?:\\\\Windows\\\\Migration\\\\*\",\n \"?:\\\\Windows\\\\debug\\\\*\",\n \"?:\\\\Windows\\\\Cursors\\\\*\",\n \"?:\\\\Windows\\\\Containers\\\\*\",\n \"?:\\\\Windows\\\\Boot\\\\*\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*\",\n \"?:\\\\Windows\\\\TextInput\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\schemas\\\\*\",\n \"?:\\\\Windows\\\\SchCache\\\\*\",\n \"?:\\\\Windows\\\\Resources\\\\*\",\n \"?:\\\\Windows\\\\rescache\\\\*\",\n \"?:\\\\Windows\\\\Provisioning\\\\*\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"?:\\\\Windows\\\\media\\\\*\",\n \"?:\\\\Windows\\\\Globalization\\\\*\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"?:\\\\$Recycle.Bin\\\\*\")\n ) and \n \n not dll.hash.sha256 : \n (\"3ed33e71641645367442e65dca6dab0d326b22b48ef9a4c2a2488e67383aa9a6\", \n \"b4db053f6032964df1b254ac44cb995ffaeb4f3ade09597670aba4f172cf65e4\", \n \"214c75f678bc596bbe667a3b520aaaf09a0e50c364a28ac738a02f867a085eba\", \n \"23aa95b637a1bf6188b386c21c4e87967ede80242327c55447a5bb70d9439244\", \n \"5050b025909e81ae5481db37beb807a80c52fc6dd30c8aa47c9f7841e2a31be7\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": 
[{"ecs": false, "name": "dll.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "dll.hash.sha256", "type": "keyword"}, {"ecs": true, "name": "dll.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "78ef0c95-9dc2-40ac-a8da-5deb6293a14e", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, 
"id": "78ef0c95-9dc2-40ac-a8da-5deb6293a14e", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_2.json b/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_2.json deleted file mode 100644 index 94249065de6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service (svchost). Adversaries may use this technique to maintain persistence or run with System privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Unsigned DLL Loaded by Svchost", "query": "library where host.os.type == \"windows\" and\n\n process.executable : \n (\"?:\\\\Windows\\\\System32\\\\svchost.exe\", \"?:\\\\Windows\\\\Syswow64\\\\svchost.exe\") and \n \n dll.code_signature.trusted != true and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and \n \n dll.hash.sha256 != null and \n \n (\n /* DLL created within 5 minutes of the library load event - compatible with Elastic Endpoint 8.4+ */\n dll.Ext.relative_file_creation_time <= 300 or \n \n /* unusual paths */\n dll.path :(\"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Users\\\\*\",\n \"?:\\\\PerfLogs\\\\*\",\n \"?:\\\\Windows\\\\Tasks\\\\*\",\n \"?:\\\\Intel\\\\*\",\n \"?:\\\\AMD\\\\Temp\\\\*\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*\",\n \"?:\\\\Windows\\\\ServiceState\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"?:\\\\Windows\\\\Branding\\\\*\",\n \"?:\\\\Windows\\\\csc\\\\*\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"?:\\\\Windows\\\\en-US\\\\*\",\n \"?:\\\\Windows\\\\wlansvc\\\\*\",\n \"?:\\\\Windows\\\\Prefetch\\\\*\",\n \"?:\\\\Windows\\\\Fonts\\\\*\",\n \"?:\\\\Windows\\\\diagnostics\\\\*\",\n \"?:\\\\Windows\\\\TAPI\\\\*\",\n \"?:\\\\Windows\\\\INF\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"?:\\\\windows\\\\tracing\\\\*\",\n \"?:\\\\windows\\\\IME\\\\*\",\n \"?:\\\\Windows\\\\Performance\\\\*\",\n \"?:\\\\windows\\\\intel\\\\*\",\n \"?:\\\\windows\\\\ms\\\\*\",\n \"?:\\\\Windows\\\\dot3svc\\\\*\",\n \"?:\\\\Windows\\\\panther\\\\*\",\n 
\"?:\\\\Windows\\\\RemotePackages\\\\*\",\n \"?:\\\\Windows\\\\OCR\\\\*\",\n \"?:\\\\Windows\\\\appcompat\\\\*\",\n \"?:\\\\Windows\\\\apppatch\\\\*\",\n \"?:\\\\Windows\\\\addins\\\\*\",\n \"?:\\\\Windows\\\\Setup\\\\*\",\n \"?:\\\\Windows\\\\Help\\\\*\",\n \"?:\\\\Windows\\\\SKB\\\\*\",\n \"?:\\\\Windows\\\\Vss\\\\*\",\n \"?:\\\\Windows\\\\servicing\\\\*\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*\",\n \"?:\\\\Windows\\\\Logs\\\\*\",\n \"?:\\\\Windows\\\\WaaS\\\\*\",\n \"?:\\\\Windows\\\\twain_32\\\\*\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*\",\n \"?:\\\\Windows\\\\PLA\\\\*\",\n \"?:\\\\Windows\\\\Migration\\\\*\",\n \"?:\\\\Windows\\\\debug\\\\*\",\n \"?:\\\\Windows\\\\Cursors\\\\*\",\n \"?:\\\\Windows\\\\Containers\\\\*\",\n \"?:\\\\Windows\\\\Boot\\\\*\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*\",\n \"?:\\\\Windows\\\\TextInput\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\schemas\\\\*\",\n \"?:\\\\Windows\\\\SchCache\\\\*\",\n \"?:\\\\Windows\\\\Resources\\\\*\",\n \"?:\\\\Windows\\\\rescache\\\\*\",\n \"?:\\\\Windows\\\\Provisioning\\\\*\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"?:\\\\Windows\\\\media\\\\*\",\n \"?:\\\\Windows\\\\Globalization\\\\*\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"?:\\\\$Recycle.Bin\\\\*\")\n ) and \n \n not dll.hash.sha256 : \n (\"3ed33e71641645367442e65dca6dab0d326b22b48ef9a4c2a2488e67383aa9a6\", \n \"b4db053f6032964df1b254ac44cb995ffaeb4f3ade09597670aba4f172cf65e4\", \n \"214c75f678bc596bbe667a3b520aaaf09a0e50c364a28ac738a02f867a085eba\", \n \"23aa95b637a1bf6188b386c21c4e87967ede80242327c55447a5bb70d9439244\", \n \"5050b025909e81ae5481db37beb807a80c52fc6dd30c8aa47c9f7841e2a31be7\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": 
[{"ecs": false, "name": "dll.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "dll.hash.sha256", "type": "keyword"}, {"ecs": true, "name": "dll.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "78ef0c95-9dc2-40ac-a8da-5deb6293a14e", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "78ef0c95-9dc2-40ac-a8da-5deb6293a14e_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_3.json b/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_3.json deleted file mode 100644 index 7e90db99e52..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service (svchost). Adversaries may use this technique to maintain persistence or run with System privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Unsigned DLL Loaded by Svchost", "query": "library where host.os.type == \"windows\" and\n\n process.executable : \n (\"?:\\\\Windows\\\\System32\\\\svchost.exe\", \"?:\\\\Windows\\\\Syswow64\\\\svchost.exe\") and \n \n dll.code_signature.trusted != true and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and \n \n dll.hash.sha256 != null and \n \n (\n /* DLL created within 5 minutes of the library load event - compatible with Elastic Endpoint 8.4+ */\n dll.Ext.relative_file_creation_time <= 300 or \n \n /* unusual paths */\n dll.path :(\"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Users\\\\*\",\n \"?:\\\\PerfLogs\\\\*\",\n \"?:\\\\Windows\\\\Tasks\\\\*\",\n \"?:\\\\Intel\\\\*\",\n \"?:\\\\AMD\\\\Temp\\\\*\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*\",\n \"?:\\\\Windows\\\\ServiceState\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"?:\\\\Windows\\\\Branding\\\\*\",\n \"?:\\\\Windows\\\\csc\\\\*\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"?:\\\\Windows\\\\en-US\\\\*\",\n \"?:\\\\Windows\\\\wlansvc\\\\*\",\n \"?:\\\\Windows\\\\Prefetch\\\\*\",\n \"?:\\\\Windows\\\\Fonts\\\\*\",\n \"?:\\\\Windows\\\\diagnostics\\\\*\",\n \"?:\\\\Windows\\\\TAPI\\\\*\",\n \"?:\\\\Windows\\\\INF\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"?:\\\\windows\\\\tracing\\\\*\",\n \"?:\\\\windows\\\\IME\\\\*\",\n \"?:\\\\Windows\\\\Performance\\\\*\",\n \"?:\\\\windows\\\\intel\\\\*\",\n \"?:\\\\windows\\\\ms\\\\*\",\n \"?:\\\\Windows\\\\dot3svc\\\\*\",\n \"?:\\\\Windows\\\\panther\\\\*\",\n 
\"?:\\\\Windows\\\\RemotePackages\\\\*\",\n \"?:\\\\Windows\\\\OCR\\\\*\",\n \"?:\\\\Windows\\\\appcompat\\\\*\",\n \"?:\\\\Windows\\\\apppatch\\\\*\",\n \"?:\\\\Windows\\\\addins\\\\*\",\n \"?:\\\\Windows\\\\Setup\\\\*\",\n \"?:\\\\Windows\\\\Help\\\\*\",\n \"?:\\\\Windows\\\\SKB\\\\*\",\n \"?:\\\\Windows\\\\Vss\\\\*\",\n \"?:\\\\Windows\\\\servicing\\\\*\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*\",\n \"?:\\\\Windows\\\\Logs\\\\*\",\n \"?:\\\\Windows\\\\WaaS\\\\*\",\n \"?:\\\\Windows\\\\twain_32\\\\*\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*\",\n \"?:\\\\Windows\\\\PLA\\\\*\",\n \"?:\\\\Windows\\\\Migration\\\\*\",\n \"?:\\\\Windows\\\\debug\\\\*\",\n \"?:\\\\Windows\\\\Cursors\\\\*\",\n \"?:\\\\Windows\\\\Containers\\\\*\",\n \"?:\\\\Windows\\\\Boot\\\\*\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*\",\n \"?:\\\\Windows\\\\TextInput\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\schemas\\\\*\",\n \"?:\\\\Windows\\\\SchCache\\\\*\",\n \"?:\\\\Windows\\\\Resources\\\\*\",\n \"?:\\\\Windows\\\\rescache\\\\*\",\n \"?:\\\\Windows\\\\Provisioning\\\\*\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"?:\\\\Windows\\\\media\\\\*\",\n \"?:\\\\Windows\\\\Globalization\\\\*\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"?:\\\\$Recycle.Bin\\\\*\")\n ) and \n \n not dll.hash.sha256 : \n (\"3ed33e71641645367442e65dca6dab0d326b22b48ef9a4c2a2488e67383aa9a6\", \n \"b4db053f6032964df1b254ac44cb995ffaeb4f3ade09597670aba4f172cf65e4\", \n \"214c75f678bc596bbe667a3b520aaaf09a0e50c364a28ac738a02f867a085eba\", \n \"23aa95b637a1bf6188b386c21c4e87967ede80242327c55447a5bb70d9439244\", \n \"5050b025909e81ae5481db37beb807a80c52fc6dd30c8aa47c9f7841e2a31be7\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": 
[{"ecs": false, "name": "dll.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "dll.hash.sha256", "type": "keyword"}, {"ecs": true, "name": "dll.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "78ef0c95-9dc2-40ac-a8da-5deb6293a14e", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "78ef0c95-9dc2-40ac-a8da-5deb6293a14e_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_4.json b/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_4.json deleted file mode 100644 index fc048159f8a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_4.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service (svchost). Adversaries may use this technique to maintain persistence or run with System privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Unsigned DLL Loaded by Svchost", "query": "library where host.os.type == \"windows\" and\n\n process.executable : \n (\"?:\\\\Windows\\\\System32\\\\svchost.exe\", \"?:\\\\Windows\\\\Syswow64\\\\svchost.exe\") and \n \n dll.code_signature.trusted != true and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and \n \n dll.hash.sha256 != null and \n \n (\n /* DLL created within 5 minutes of the library load event - compatible with Elastic Endpoint 8.4+ */\n dll.Ext.relative_file_creation_time <= 300 or \n \n /* unusual paths */\n dll.path :(\"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Users\\\\*\",\n \"?:\\\\PerfLogs\\\\*\",\n \"?:\\\\Windows\\\\Tasks\\\\*\",\n \"?:\\\\Intel\\\\*\",\n \"?:\\\\AMD\\\\Temp\\\\*\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*\",\n \"?:\\\\Windows\\\\ServiceState\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"?:\\\\Windows\\\\Branding\\\\*\",\n \"?:\\\\Windows\\\\csc\\\\*\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"?:\\\\Windows\\\\en-US\\\\*\",\n \"?:\\\\Windows\\\\wlansvc\\\\*\",\n \"?:\\\\Windows\\\\Prefetch\\\\*\",\n \"?:\\\\Windows\\\\Fonts\\\\*\",\n \"?:\\\\Windows\\\\diagnostics\\\\*\",\n \"?:\\\\Windows\\\\TAPI\\\\*\",\n \"?:\\\\Windows\\\\INF\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"?:\\\\windows\\\\tracing\\\\*\",\n \"?:\\\\windows\\\\IME\\\\*\",\n \"?:\\\\Windows\\\\Performance\\\\*\",\n \"?:\\\\windows\\\\intel\\\\*\",\n \"?:\\\\windows\\\\ms\\\\*\",\n \"?:\\\\Windows\\\\dot3svc\\\\*\",\n \"?:\\\\Windows\\\\panther\\\\*\",\n 
\"?:\\\\Windows\\\\RemotePackages\\\\*\",\n \"?:\\\\Windows\\\\OCR\\\\*\",\n \"?:\\\\Windows\\\\appcompat\\\\*\",\n \"?:\\\\Windows\\\\apppatch\\\\*\",\n \"?:\\\\Windows\\\\addins\\\\*\",\n \"?:\\\\Windows\\\\Setup\\\\*\",\n \"?:\\\\Windows\\\\Help\\\\*\",\n \"?:\\\\Windows\\\\SKB\\\\*\",\n \"?:\\\\Windows\\\\Vss\\\\*\",\n \"?:\\\\Windows\\\\servicing\\\\*\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*\",\n \"?:\\\\Windows\\\\Logs\\\\*\",\n \"?:\\\\Windows\\\\WaaS\\\\*\",\n \"?:\\\\Windows\\\\twain_32\\\\*\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*\",\n \"?:\\\\Windows\\\\PLA\\\\*\",\n \"?:\\\\Windows\\\\Migration\\\\*\",\n \"?:\\\\Windows\\\\debug\\\\*\",\n \"?:\\\\Windows\\\\Cursors\\\\*\",\n \"?:\\\\Windows\\\\Containers\\\\*\",\n \"?:\\\\Windows\\\\Boot\\\\*\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*\",\n \"?:\\\\Windows\\\\TextInput\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\schemas\\\\*\",\n \"?:\\\\Windows\\\\SchCache\\\\*\",\n \"?:\\\\Windows\\\\Resources\\\\*\",\n \"?:\\\\Windows\\\\rescache\\\\*\",\n \"?:\\\\Windows\\\\Provisioning\\\\*\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"?:\\\\Windows\\\\media\\\\*\",\n \"?:\\\\Windows\\\\Globalization\\\\*\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"?:\\\\$Recycle.Bin\\\\*\")\n ) and \n \n not dll.hash.sha256 : \n (\"3ed33e71641645367442e65dca6dab0d326b22b48ef9a4c2a2488e67383aa9a6\", \n \"b4db053f6032964df1b254ac44cb995ffaeb4f3ade09597670aba4f172cf65e4\", \n \"214c75f678bc596bbe667a3b520aaaf09a0e50c364a28ac738a02f867a085eba\", \n \"23aa95b637a1bf6188b386c21c4e87967ede80242327c55447a5bb70d9439244\", \n \"5050b025909e81ae5481db37beb807a80c52fc6dd30c8aa47c9f7841e2a31be7\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": 
[{"ecs": false, "name": "dll.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "dll.hash.sha256", "type": "keyword"}, {"ecs": true, "name": "dll.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "78ef0c95-9dc2-40ac-a8da-5deb6293a14e", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "78ef0c95-9dc2-40ac-a8da-5deb6293a14e_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_5.json b/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_5.json
deleted file mode 100644
index a4c327c3bf3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service (svchost). Adversaries may use this technique to maintain persistence or run with System privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Unsigned DLL Loaded by Svchost", "query": "library where host.os.type == \"windows\" and\n\n process.executable : \n (\"?:\\\\Windows\\\\System32\\\\svchost.exe\", \"?:\\\\Windows\\\\Syswow64\\\\svchost.exe\") and \n \n dll.code_signature.trusted != true and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and \n \n dll.hash.sha256 != null and \n \n (\n /* DLL created within 5 minutes of the library load event - compatible with Elastic Endpoint 8.4+ */\n dll.Ext.relative_file_creation_time <= 300 or \n \n /* unusual paths */\n dll.path :(\"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Users\\\\*\",\n \"?:\\\\PerfLogs\\\\*\",\n \"?:\\\\Windows\\\\Tasks\\\\*\",\n \"?:\\\\Intel\\\\*\",\n \"?:\\\\AMD\\\\Temp\\\\*\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*\",\n \"?:\\\\Windows\\\\ServiceState\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"?:\\\\Windows\\\\Branding\\\\*\",\n \"?:\\\\Windows\\\\csc\\\\*\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"?:\\\\Windows\\\\en-US\\\\*\",\n \"?:\\\\Windows\\\\wlansvc\\\\*\",\n \"?:\\\\Windows\\\\Prefetch\\\\*\",\n \"?:\\\\Windows\\\\Fonts\\\\*\",\n \"?:\\\\Windows\\\\diagnostics\\\\*\",\n \"?:\\\\Windows\\\\TAPI\\\\*\",\n \"?:\\\\Windows\\\\INF\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"?:\\\\windows\\\\tracing\\\\*\",\n \"?:\\\\windows\\\\IME\\\\*\",\n \"?:\\\\Windows\\\\Performance\\\\*\",\n \"?:\\\\windows\\\\intel\\\\*\",\n \"?:\\\\windows\\\\ms\\\\*\",\n \"?:\\\\Windows\\\\dot3svc\\\\*\",\n \"?:\\\\Windows\\\\panther\\\\*\",\n 
\"?:\\\\Windows\\\\RemotePackages\\\\*\",\n \"?:\\\\Windows\\\\OCR\\\\*\",\n \"?:\\\\Windows\\\\appcompat\\\\*\",\n \"?:\\\\Windows\\\\apppatch\\\\*\",\n \"?:\\\\Windows\\\\addins\\\\*\",\n \"?:\\\\Windows\\\\Setup\\\\*\",\n \"?:\\\\Windows\\\\Help\\\\*\",\n \"?:\\\\Windows\\\\SKB\\\\*\",\n \"?:\\\\Windows\\\\Vss\\\\*\",\n \"?:\\\\Windows\\\\servicing\\\\*\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*\",\n \"?:\\\\Windows\\\\Logs\\\\*\",\n \"?:\\\\Windows\\\\WaaS\\\\*\",\n \"?:\\\\Windows\\\\twain_32\\\\*\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*\",\n \"?:\\\\Windows\\\\PLA\\\\*\",\n \"?:\\\\Windows\\\\Migration\\\\*\",\n \"?:\\\\Windows\\\\debug\\\\*\",\n \"?:\\\\Windows\\\\Cursors\\\\*\",\n \"?:\\\\Windows\\\\Containers\\\\*\",\n \"?:\\\\Windows\\\\Boot\\\\*\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*\",\n \"?:\\\\Windows\\\\TextInput\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\schemas\\\\*\",\n \"?:\\\\Windows\\\\SchCache\\\\*\",\n \"?:\\\\Windows\\\\Resources\\\\*\",\n \"?:\\\\Windows\\\\rescache\\\\*\",\n \"?:\\\\Windows\\\\Provisioning\\\\*\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"?:\\\\Windows\\\\media\\\\*\",\n \"?:\\\\Windows\\\\Globalization\\\\*\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"?:\\\\$Recycle.Bin\\\\*\")\n ) and \n \n not dll.hash.sha256 : \n (\"3ed33e71641645367442e65dca6dab0d326b22b48ef9a4c2a2488e67383aa9a6\", \n \"b4db053f6032964df1b254ac44cb995ffaeb4f3ade09597670aba4f172cf65e4\", \n \"214c75f678bc596bbe667a3b520aaaf09a0e50c364a28ac738a02f867a085eba\", \n \"23aa95b637a1bf6188b386c21c4e87967ede80242327c55447a5bb70d9439244\", \n \"5050b025909e81ae5481db37beb807a80c52fc6dd30c8aa47c9f7841e2a31be7\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": 
[{"ecs": false, "name": "dll.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "dll.hash.sha256", "type": "keyword"}, {"ecs": true, "name": "dll.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "78ef0c95-9dc2-40ac-a8da-5deb6293a14e", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, 
"id": "78ef0c95-9dc2-40ac-a8da-5deb6293a14e_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_6.json b/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_6.json
deleted file mode 100644
index 0f594a62a74..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/78ef0c95-9dc2-40ac-a8da-5deb6293a14e_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an unsigned library created in the last 5 minutes and subsequently loaded by a shared windows service (svchost). Adversaries may use this technique to maintain persistence or run with System privileges.", "from": "now-9m", "index": ["logs-endpoint.events.library-*"], "language": "eql", "license": "Elastic License v2", "name": "Unsigned DLL Loaded by Svchost", "query": "library where host.os.type == \"windows\" and\n\n process.executable : \n (\"?:\\\\Windows\\\\System32\\\\svchost.exe\", \"?:\\\\Windows\\\\Syswow64\\\\svchost.exe\") and \n \n dll.code_signature.trusted != true and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and \n \n dll.hash.sha256 != null and \n \n (\n /* DLL created within 5 minutes of the library load event - compatible with Elastic Endpoint 8.4+ */\n dll.Ext.relative_file_creation_time <= 300 or \n \n /* unusual paths */\n dll.path :(\"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Users\\\\*\",\n \"?:\\\\PerfLogs\\\\*\",\n \"?:\\\\Windows\\\\Tasks\\\\*\",\n \"?:\\\\Intel\\\\*\",\n \"?:\\\\AMD\\\\Temp\\\\*\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*\",\n \"?:\\\\Windows\\\\ServiceState\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"?:\\\\Windows\\\\Branding\\\\*\",\n \"?:\\\\Windows\\\\csc\\\\*\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"?:\\\\Windows\\\\en-US\\\\*\",\n \"?:\\\\Windows\\\\wlansvc\\\\*\",\n \"?:\\\\Windows\\\\Prefetch\\\\*\",\n \"?:\\\\Windows\\\\Fonts\\\\*\",\n \"?:\\\\Windows\\\\diagnostics\\\\*\",\n \"?:\\\\Windows\\\\TAPI\\\\*\",\n \"?:\\\\Windows\\\\INF\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"?:\\\\windows\\\\tracing\\\\*\",\n \"?:\\\\windows\\\\IME\\\\*\",\n \"?:\\\\Windows\\\\Performance\\\\*\",\n \"?:\\\\windows\\\\intel\\\\*\",\n \"?:\\\\windows\\\\ms\\\\*\",\n \"?:\\\\Windows\\\\dot3svc\\\\*\",\n \"?:\\\\Windows\\\\panther\\\\*\",\n 
\"?:\\\\Windows\\\\RemotePackages\\\\*\",\n \"?:\\\\Windows\\\\OCR\\\\*\",\n \"?:\\\\Windows\\\\appcompat\\\\*\",\n \"?:\\\\Windows\\\\apppatch\\\\*\",\n \"?:\\\\Windows\\\\addins\\\\*\",\n \"?:\\\\Windows\\\\Setup\\\\*\",\n \"?:\\\\Windows\\\\Help\\\\*\",\n \"?:\\\\Windows\\\\SKB\\\\*\",\n \"?:\\\\Windows\\\\Vss\\\\*\",\n \"?:\\\\Windows\\\\servicing\\\\*\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*\",\n \"?:\\\\Windows\\\\Logs\\\\*\",\n \"?:\\\\Windows\\\\WaaS\\\\*\",\n \"?:\\\\Windows\\\\twain_32\\\\*\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*\",\n \"?:\\\\Windows\\\\PLA\\\\*\",\n \"?:\\\\Windows\\\\Migration\\\\*\",\n \"?:\\\\Windows\\\\debug\\\\*\",\n \"?:\\\\Windows\\\\Cursors\\\\*\",\n \"?:\\\\Windows\\\\Containers\\\\*\",\n \"?:\\\\Windows\\\\Boot\\\\*\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*\",\n \"?:\\\\Windows\\\\TextInput\\\\*\",\n \"?:\\\\Windows\\\\security\\\\*\",\n \"?:\\\\Windows\\\\schemas\\\\*\",\n \"?:\\\\Windows\\\\SchCache\\\\*\",\n \"?:\\\\Windows\\\\Resources\\\\*\",\n \"?:\\\\Windows\\\\rescache\\\\*\",\n \"?:\\\\Windows\\\\Provisioning\\\\*\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"?:\\\\Windows\\\\media\\\\*\",\n \"?:\\\\Windows\\\\Globalization\\\\*\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"?:\\\\$Recycle.Bin\\\\*\")\n ) and \n \n not dll.hash.sha256 : \n (\"3ed33e71641645367442e65dca6dab0d326b22b48ef9a4c2a2488e67383aa9a6\", \n \"b4db053f6032964df1b254ac44cb995ffaeb4f3ade09597670aba4f172cf65e4\", \n \"214c75f678bc596bbe667a3b520aaaf09a0e50c364a28ac738a02f867a085eba\", \n \"23aa95b637a1bf6188b386c21c4e87967ede80242327c55447a5bb70d9439244\", \n \"5050b025909e81ae5481db37beb807a80c52fc6dd30c8aa47c9f7841e2a31be7\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": 
[{"ecs": false, "name": "dll.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "dll.hash.sha256", "type": "keyword"}, {"ecs": true, "name": "dll.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "78ef0c95-9dc2-40ac-a8da-5deb6293a14e", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, 
"id": "78ef0c95-9dc2-40ac-a8da-5deb6293a14e_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1.json b/packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1.json
deleted file mode 100644
index 168f35c0481..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects files being compressed or archived into common formats. This is a common technique used to obfuscate files to evade detection or to staging data for exfiltration.", "from": "now-9m", "index": ["logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 1000, "name": "File Compressed or Archived into Common Format", "query": "file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and process.executable != null and not user.id : (\"S-1-5-18\", \"S-1-5-17\") and\n file.Ext.header_bytes : (\n /* compression formats */\n \"1F9D*\", /* tar zip, tar.z (Lempel-Ziv-Welch algorithm) */\n \"1FA0*\", /* tar zip, tar.z (LZH algorithm) */\n \"425A68*\", /* Bzip2 */\n \"524E4301*\", /* Rob Northen Compression */\n \"524E4302*\", /* Rob Northen Compression */\n \"4C5A4950*\", /* LZIP */\n \"504B0*\", /* ZIP */\n \"526172211A07*\", /* RAR compressed */\n \"44434D0150413330*\", /* Windows Update Binary Delta Compression file */\n \"50413330*\", /* Windows Update Binary Delta Compression file */\n \"377ABCAF271C*\", /* 7-Zip */\n \"1F8B*\", /* GZIP */\n \"FD377A585A00*\", /* XZ, tar.xz */\n \"7801*\",\t /* zlib: No Compression (no preset dictionary) */\n \"785E*\",\t /* zlib: Best speed (no preset dictionary) */\n \"789C*\",\t /* zlib: Default Compression (no preset dictionary) */\n \"78DA*\", \t /* zlib: Best Compression (no preset dictionary) */\n \"7820*\",\t /* zlib: No Compression (with preset dictionary) */\n \"787D*\",\t /* zlib: Best speed (with preset dictionary) */\n \"78BB*\",\t /* zlib: Default Compression (with preset dictionary) */\n \"78F9*\",\t /* zlib: Best Compression (with preset dictionary) */\n \"62767832*\", /* LZFSE */\n \"28B52FFD*\", /* Zstandard, zst */\n \"5253564B44415441*\", /* QuickZip rs compressed archive */\n \"2A2A4143452A2A*\", /* ACE */\n\n /* archive formats */\n 
\"2D686C302D*\", /* lzh */\n \"2D686C352D*\", /* lzh */\n \"303730373037*\", /* cpio */\n \"78617221*\", /* xar */\n \"4F4152*\", /* oar */\n \"49536328*\" /* cab archive */\n ) and\n not (\n (\n process.name : \"firefox.exe\" and\n process.code_signature.subject_name : \"Mozilla Corporation\" and process.code_signature.trusted == true\n ) or\n (\n process.name : \"wazuh-agent.exe\" and\n process.code_signature.subject_name : \"Wazuh, Inc\" and process.code_signature.trusted == true and\n file.name : (\"ossec-*.log.gz\", \"tmp-entry.gz\", \"tmp-entry\", \"last-entry.gz\")\n ) or\n (\n process.name : (\"excel.exe\", \"winword.exe\", \"powerpnt.exe\") and\n process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true\n ) or\n (\n process.name : \"OneDrive.exe\" and\n process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true and\n (\n file.extension : (\"xlsx\", \"docx\", \"pptx\", \"xlsm\") or\n file.path : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\logs\\\\*\"\n )\n ) or\n (\n process.name : \"Dropbox.exe\" and\n process.code_signature.subject_name : \"Dropbox, Inc\" and process.code_signature.trusted == true and\n file.name : \"store.bin\"\n ) or\n (\n process.name : \"DellSupportAssistRemedationService.exe\" and\n process.code_signature.subject_name : \"Dell Inc\" and process.code_signature.trusted == true and\n file.extension : \"manifest\"\n ) or\n (\n process.name : \"w3wp.exe\" and\n process.code_signature.subject_name : \"Microsoft Windows\" and process.code_signature.trusted == true and\n file.path : \"?:\\\\inetpub\\\\temp\\\\IIS Temporary Compressed Files\\\\*\"\n )\n )\n", "references": ["https://en.wikipedia.org/wiki/List_of_file_signatures"], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": 
"keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "79124edf-30a8-4d48-95c4-11522cad94b1", "severity": "low", "tags": ["Data Source: Elastic Defend", "Domain: Endpoint", "OS: macOS", "OS: Windows", "Tactic: Collection", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1074", "name": "Data Staged", "reference": "https://attack.mitre.org/techniques/T1074/", "subtechnique": [{"id": "T1074.001", "name": "Local Data Staging", "reference": "https://attack.mitre.org/techniques/T1074/001/"}]}, {"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/", "subtechnique": [{"id": "T1560.001", "name": "Archive via Utility", "reference": "https://attack.mitre.org/techniques/T1560/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1132", "name": "Data Encoding", "reference": "https://attack.mitre.org/techniques/T1132/", "subtechnique": [{"id": "T1132.001", "name": "Standard Encoding", "reference": "https://attack.mitre.org/techniques/T1132/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": 
"https://attack.mitre.org/techniques/T1027/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "79124edf-30a8-4d48-95c4-11522cad94b1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1_1.json b/packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1_1.json
deleted file mode 100644
index 78a1735d005..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects files being compressed or archived into common formats. This is a common technique used to obfuscate files to evade detection or to staging data for exfiltration.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 1000, "name": "File Compressed or Archived into Common Format", "query": "file where event.type in (\"creation\", \"change\") and\n file.Ext.header_bytes : (\n /* compression formats */\n \"1F9D*\", /* tar zip, tar.z (Lempel-Ziv-Welch algorithm) */\n \"1FA0*\", /* tar zip, tar.z (LZH algorithm) */\n \"425A68*\", /* Bzip2 */\n \"524E4301*\", /* Rob Northen Compression */\n \"524E4302*\", /* Rob Northen Compression */\n \"4C5A4950*\", /* LZIP */\n \"504B0*\", /* ZIP */\n \"526172211A07*\", /* RAR compressed */\n \"44434D0150413330*\", /* Windows Update Binary Delta Compression file */\n \"50413330*\", /* Windows Update Binary Delta Compression file */\n \"377ABCAF271C*\", /* 7-Zip */\n \"1F8B*\", /* GZIP */\n \"FD377A585A00*\", /* XZ, tar.xz */\n \"7801*\",\t /* zlib: No Compression (no preset dictionary) */\n \"785E*\",\t /* zlib: Best speed (no preset dictionary) */\n \"789C*\",\t /* zlib: Default Compression (no preset dictionary) */\n \"78DA*\", \t /* zlib: Best Compression (no preset dictionary) */\n \"7820*\",\t /* zlib: No Compression (with preset dictionary) */\n \"787D*\",\t /* zlib: Best speed (with preset dictionary) */\n \"78BB*\",\t /* zlib: Default Compression (with preset dictionary) */\n \"78F9*\",\t /* zlib: Best Compression (with preset dictionary) */\n \"62767832*\", /* LZFSE */\n \"28B52FFD*\", /* Zstandard, zst */\n \"5253564B44415441*\", /* QuickZip rs compressed archive */\n \"2A2A4143452A2A*\", /* ACE */\n\n /* archive formats */\n \"2D686C302D*\", /* lzh */\n \"2D686C352D*\", /* lzh */\n \"303730373037*\", /* cpio */\n \"78617221*\", /* xar */\n 
\"4F4152*\", /* oar */\n \"49536328*\" /* cab archive */\n )\n", "references": ["https://en.wikipedia.org/wiki/List_of_file_signatures"], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}], "risk_score": 21, "rule_id": "79124edf-30a8-4d48-95c4-11522cad94b1", "severity": "low", "tags": ["Data Source: Elastic Defend", "Domain: Endpoint", "OS: Linux", "OS: macOS", "OS: Windows", "Tactic: Collection", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/", "subtechnique": [{"id": "T1560.001", "name": "Archive via Utility", "reference": "https://attack.mitre.org/techniques/T1560/001/"}]}, {"id": "T1074", "name": "Data Staged", "reference": "https://attack.mitre.org/techniques/T1074/", "subtechnique": [{"id": "T1074.001", "name": "Local Data Staging", "reference": "https://attack.mitre.org/techniques/T1074/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1132", "name": "Data Encoding", "reference": "https://attack.mitre.org/techniques/T1132/", "subtechnique": [{"id": "T1132.001", "name": "Standard Encoding", "reference": "https://attack.mitre.org/techniques/T1132/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "79124edf-30a8-4d48-95c4-11522cad94b1_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1_2.json b/packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1_2.json
deleted file mode 100644
index 23ca8dc0d25..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects files being compressed or archived into common formats. This is a common technique used to obfuscate files to evade detection or to staging data for exfiltration.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 1000, "name": "File Compressed or Archived into Common Format", "query": "file where event.type in (\"creation\", \"change\") and process.executable != null and not user.id : \"S-1-5-18\" and\n file.Ext.header_bytes : (\n /* compression formats */\n \"1F9D*\", /* tar zip, tar.z (Lempel-Ziv-Welch algorithm) */\n \"1FA0*\", /* tar zip, tar.z (LZH algorithm) */\n \"425A68*\", /* Bzip2 */\n \"524E4301*\", /* Rob Northen Compression */\n \"524E4302*\", /* Rob Northen Compression */\n \"4C5A4950*\", /* LZIP */\n \"504B0*\", /* ZIP */\n \"526172211A07*\", /* RAR compressed */\n \"44434D0150413330*\", /* Windows Update Binary Delta Compression file */\n \"50413330*\", /* Windows Update Binary Delta Compression file */\n \"377ABCAF271C*\", /* 7-Zip */\n \"1F8B*\", /* GZIP */\n \"FD377A585A00*\", /* XZ, tar.xz */\n \"7801*\",\t /* zlib: No Compression (no preset dictionary) */\n \"785E*\",\t /* zlib: Best speed (no preset dictionary) */\n \"789C*\",\t /* zlib: Default Compression (no preset dictionary) */\n \"78DA*\", \t /* zlib: Best Compression (no preset dictionary) */\n \"7820*\",\t /* zlib: No Compression (with preset dictionary) */\n \"787D*\",\t /* zlib: Best speed (with preset dictionary) */\n \"78BB*\",\t /* zlib: Default Compression (with preset dictionary) */\n \"78F9*\",\t /* zlib: Best Compression (with preset dictionary) */\n \"62767832*\", /* LZFSE */\n \"28B52FFD*\", /* Zstandard, zst */\n \"5253564B44415441*\", /* QuickZip rs compressed archive */\n \"2A2A4143452A2A*\", /* ACE */\n\n /* archive formats */\n \"2D686C302D*\", /* lzh */\n \"2D686C352D*\", /* lzh */\n 
\"303730373037*\", /* cpio */\n \"78617221*\", /* xar */\n \"4F4152*\", /* oar */\n \"49536328*\" /* cab archive */\n ) and\n not (\n (\n process.name : \"firefox.exe\" and\n process.code_signature.subject_name : \"Mozilla Corporation\" and process.code_signature.trusted == true\n ) or\n (\n process.name : \"wazuh-agent.exe\" and\n process.code_signature.subject_name : \"Wazuh, Inc\" and process.code_signature.trusted == true and\n file.name : (\"ossec-*.log.gz\", \"tmp-entry.gz\", \"tmp-entry\", \"last-entry.gz\")\n ) or\n (\n process.name : \"excel.exe\" and\n process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true and\n file.extension : (\"tmp\", \"xlsx\", \"gz\", \"xlsb\", \"xar\", \"xslm\")\n ) or\n (\n process.name : \"Dropbox.exe\" and\n process.code_signature.subject_name : \"Dropbox, Inc\" and process.code_signature.trusted == true and\n file.name : \"store.bin\"\n ) or\n (\n process.name : \"DellSupportAssistRemedationService.exe\" and\n process.code_signature.subject_name : \"Dell Inc\" and process.code_signature.trusted == true and\n file.extension : \"manifest\"\n )\n )\n", "references": ["https://en.wikipedia.org/wiki/List_of_file_signatures"], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "79124edf-30a8-4d48-95c4-11522cad94b1", "severity": "low", "tags": ["Data Source: Elastic Defend", "Domain: Endpoint", "OS: Linux", "OS: macOS", "OS: 
Windows", "Tactic: Collection", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/", "subtechnique": [{"id": "T1560.001", "name": "Archive via Utility", "reference": "https://attack.mitre.org/techniques/T1560/001/"}]}, {"id": "T1074", "name": "Data Staged", "reference": "https://attack.mitre.org/techniques/T1074/", "subtechnique": [{"id": "T1074.001", "name": "Local Data Staging", "reference": "https://attack.mitre.org/techniques/T1074/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1132", "name": "Data Encoding", "reference": "https://attack.mitre.org/techniques/T1132/", "subtechnique": [{"id": "T1132.001", "name": "Standard Encoding", "reference": "https://attack.mitre.org/techniques/T1132/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "79124edf-30a8-4d48-95c4-11522cad94b1_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1_3.json b/packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1_3.json
deleted file mode 100644
index bd7976acb5f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects files being compressed or archived into common formats. This is a common technique used to obfuscate files to evade detection or to staging data for exfiltration.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 1000, "name": "File Compressed or Archived into Common Format", "query": "file where event.type in (\"creation\", \"change\") and process.executable != null and not user.id : \"S-1-5-18\" and\n file.Ext.header_bytes : (\n /* compression formats */\n \"1F9D*\", /* tar zip, tar.z (Lempel-Ziv-Welch algorithm) */\n \"1FA0*\", /* tar zip, tar.z (LZH algorithm) */\n \"425A68*\", /* Bzip2 */\n \"524E4301*\", /* Rob Northen Compression */\n \"524E4302*\", /* Rob Northen Compression */\n \"4C5A4950*\", /* LZIP */\n \"504B0*\", /* ZIP */\n \"526172211A07*\", /* RAR compressed */\n \"44434D0150413330*\", /* Windows Update Binary Delta Compression file */\n \"50413330*\", /* Windows Update Binary Delta Compression file */\n \"377ABCAF271C*\", /* 7-Zip */\n \"1F8B*\", /* GZIP */\n \"FD377A585A00*\", /* XZ, tar.xz */\n \"7801*\",\t /* zlib: No Compression (no preset dictionary) */\n \"785E*\",\t /* zlib: Best speed (no preset dictionary) */\n \"789C*\",\t /* zlib: Default Compression (no preset dictionary) */\n \"78DA*\", \t /* zlib: Best Compression (no preset dictionary) */\n \"7820*\",\t /* zlib: No Compression (with preset dictionary) */\n \"787D*\",\t /* zlib: Best speed (with preset dictionary) */\n \"78BB*\",\t /* zlib: Default Compression (with preset dictionary) */\n \"78F9*\",\t /* zlib: Best Compression (with preset dictionary) */\n \"62767832*\", /* LZFSE */\n \"28B52FFD*\", /* Zstandard, zst */\n \"5253564B44415441*\", /* QuickZip rs compressed archive */\n \"2A2A4143452A2A*\", /* ACE */\n\n /* archive formats */\n \"2D686C302D*\", /* lzh */\n \"2D686C352D*\", /* lzh */\n 
\"303730373037*\", /* cpio */\n \"78617221*\", /* xar */\n \"4F4152*\", /* oar */\n \"49536328*\" /* cab archive */\n ) and\n not (\n (\n process.name : \"firefox.exe\" and\n process.code_signature.subject_name : \"Mozilla Corporation\" and process.code_signature.trusted == true\n ) or\n (\n process.name : \"wazuh-agent.exe\" and\n process.code_signature.subject_name : \"Wazuh, Inc\" and process.code_signature.trusted == true and\n file.name : (\"ossec-*.log.gz\", \"tmp-entry.gz\", \"tmp-entry\", \"last-entry.gz\")\n ) or\n (\n process.name : \"excel.exe\" and\n process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true and\n file.extension : (\"tmp\", \"xlsx\", \"gz\", \"xlsb\", \"xar\", \"xslm\")\n ) or\n (\n process.name : \"Dropbox.exe\" and\n process.code_signature.subject_name : \"Dropbox, Inc\" and process.code_signature.trusted == true and\n file.name : \"store.bin\"\n ) or\n (\n process.name : \"DellSupportAssistRemedationService.exe\" and\n process.code_signature.subject_name : \"Dell Inc\" and process.code_signature.trusted == true and\n file.extension : \"manifest\"\n )\n )\n", "references": ["https://en.wikipedia.org/wiki/List_of_file_signatures"], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "79124edf-30a8-4d48-95c4-11522cad94b1", "severity": "low", "tags": ["Data Source: Elastic Defend", "Domain: Endpoint", "OS: macOS", "OS: Windows", 
"Tactic: Collection", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/", "subtechnique": [{"id": "T1560.001", "name": "Archive via Utility", "reference": "https://attack.mitre.org/techniques/T1560/001/"}]}, {"id": "T1074", "name": "Data Staged", "reference": "https://attack.mitre.org/techniques/T1074/", "subtechnique": [{"id": "T1074.001", "name": "Local Data Staging", "reference": "https://attack.mitre.org/techniques/T1074/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1132", "name": "Data Encoding", "reference": "https://attack.mitre.org/techniques/T1132/", "subtechnique": [{"id": "T1132.001", "name": "Standard Encoding", "reference": "https://attack.mitre.org/techniques/T1132/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "79124edf-30a8-4d48-95c4-11522cad94b1_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1_4.json b/packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1_4.json
deleted file mode 100644
index a6834d99668..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/79124edf-30a8-4d48-95c4-11522cad94b1_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects files being compressed or archived into common formats. This is a common technique used to obfuscate files to evade detection or to staging data for exfiltration.", "from": "now-9m", "index": ["logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 1000, "name": "File Compressed or Archived into Common Format", "query": "file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and process.executable != null and not user.id : (\"S-1-5-18\", \"S-1-5-17\") and\n file.Ext.header_bytes : (\n /* compression formats */\n \"1F9D*\", /* tar zip, tar.z (Lempel-Ziv-Welch algorithm) */\n \"1FA0*\", /* tar zip, tar.z (LZH algorithm) */\n \"425A68*\", /* Bzip2 */\n \"524E4301*\", /* Rob Northen Compression */\n \"524E4302*\", /* Rob Northen Compression */\n \"4C5A4950*\", /* LZIP */\n \"504B0*\", /* ZIP */\n \"526172211A07*\", /* RAR compressed */\n \"44434D0150413330*\", /* Windows Update Binary Delta Compression file */\n \"50413330*\", /* Windows Update Binary Delta Compression file */\n \"377ABCAF271C*\", /* 7-Zip */\n \"1F8B*\", /* GZIP */\n \"FD377A585A00*\", /* XZ, tar.xz */\n \"7801*\",\t /* zlib: No Compression (no preset dictionary) */\n \"785E*\",\t /* zlib: Best speed (no preset dictionary) */\n \"789C*\",\t /* zlib: Default Compression (no preset dictionary) */\n \"78DA*\", \t /* zlib: Best Compression (no preset dictionary) */\n \"7820*\",\t /* zlib: No Compression (with preset dictionary) */\n \"787D*\",\t /* zlib: Best speed (with preset dictionary) */\n \"78BB*\",\t /* zlib: Default Compression (with preset dictionary) */\n \"78F9*\",\t /* zlib: Best Compression (with preset dictionary) */\n \"62767832*\", /* LZFSE */\n \"28B52FFD*\", /* Zstandard, zst */\n \"5253564B44415441*\", /* QuickZip rs compressed archive */\n \"2A2A4143452A2A*\", /* ACE */\n\n /* archive formats */\n 
\"2D686C302D*\", /* lzh */\n \"2D686C352D*\", /* lzh */\n \"303730373037*\", /* cpio */\n \"78617221*\", /* xar */\n \"4F4152*\", /* oar */\n \"49536328*\" /* cab archive */\n ) and\n not (\n (\n process.name : \"firefox.exe\" and\n process.code_signature.subject_name : \"Mozilla Corporation\" and process.code_signature.trusted == true\n ) or\n (\n process.name : \"wazuh-agent.exe\" and\n process.code_signature.subject_name : \"Wazuh, Inc\" and process.code_signature.trusted == true and\n file.name : (\"ossec-*.log.gz\", \"tmp-entry.gz\", \"tmp-entry\", \"last-entry.gz\")\n ) or\n (\n process.name : (\"excel.exe\", \"winword.exe\", \"powerpnt.exe\") and\n process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true\n ) or\n (\n process.name : \"OneDrive.exe\" and\n process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true and\n (\n file.extension : (\"xlsx\", \"docx\", \"pptx\", \"xlsm\") or\n file.path : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\logs\\\\*\"\n )\n ) or\n (\n process.name : \"Dropbox.exe\" and\n process.code_signature.subject_name : \"Dropbox, Inc\" and process.code_signature.trusted == true and\n file.name : \"store.bin\"\n ) or\n (\n process.name : \"DellSupportAssistRemedationService.exe\" and\n process.code_signature.subject_name : \"Dell Inc\" and process.code_signature.trusted == true and\n file.extension : \"manifest\"\n ) or\n (\n process.name : \"w3wp.exe\" and\n process.code_signature.subject_name : \"Microsoft Windows\" and process.code_signature.trusted == true and\n file.path : \"?:\\\\inetpub\\\\temp\\\\IIS Temporary Compressed Files\\\\*\"\n )\n )\n", "references": ["https://en.wikipedia.org/wiki/List_of_file_signatures"], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": 
"keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "79124edf-30a8-4d48-95c4-11522cad94b1", "severity": "low", "tags": ["Data Source: Elastic Defend", "Domain: Endpoint", "OS: macOS", "OS: Windows", "Tactic: Collection", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/", "subtechnique": [{"id": "T1560.001", "name": "Archive via Utility", "reference": "https://attack.mitre.org/techniques/T1560/001/"}]}, {"id": "T1074", "name": "Data Staged", "reference": "https://attack.mitre.org/techniques/T1074/", "subtechnique": [{"id": "T1074.001", "name": "Local Data Staging", "reference": "https://attack.mitre.org/techniques/T1074/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1132", "name": "Data Encoding", "reference": "https://attack.mitre.org/techniques/T1132/", "subtechnique": [{"id": "T1132.001", "name": "Standard Encoding", "reference": "https://attack.mitre.org/techniques/T1132/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": 
"https://attack.mitre.org/techniques/T1027/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "79124edf-30a8-4d48-95c4-11522cad94b1_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec.json b/packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec.json
deleted file mode 100644
index 044cbba6c60..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users.", "false_positives": ["Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Key Vault Modified", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KEYVAULT/VAULTS/WRITE\" and event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts", "https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Azure", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", 
"name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.001", "name": "Credentials In Files", "reference": "https://attack.mitre.org/techniques/T1552/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec_102.json b/packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec_102.json
deleted file mode 100644
index 21618daf623..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to key vaults should be secured to allow only authorized applications and users.", "false_positives": ["Key vault modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Key vault modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Key Vault Modified", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KEYVAULT/VAULTS/WRITE\" and event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts", "https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Data Protection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.001", "name": "Credentials In Files", "reference": "https://attack.mitre.org/techniques/T1552/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47.json b/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47.json
deleted file mode 100644
index 7c2334246f1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies suspicious instances of default system32 executables, either unsigned or signed with non-MS certificates. This could indicate the attempt to masquerade as system executables or backdoored and resigned legitimate executables.", "from": "now-9m", "index": ["logs-endpoint.events.process-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as System32 Executable", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and \n (process.code_signature.status : \"?*\" or process.code_signature.exists != null) and\n process.name: (\n \"agentactivationruntimestarter.exe\", \"agentservice.exe\", \"aitstatic.exe\", \"alg.exe\", \"apphostregistrationverifier.exe\", \"appidcertstorecheck.exe\", \"appidpolicyconverter.exe\", \"appidtel.exe\", \"applicationframehost.exe\", \"applysettingstemplatecatalog.exe\", \"applytrustoffline.exe\", \"approvechildrequest.exe\", \"appvclient.exe\", \"appvdllsurrogate.exe\", \"appvnice.exe\", \"appvshnotify.exe\", \"arp.exe\", \"assignedaccessguard.exe\", \"at.exe\", \"atbroker.exe\", \"attrib.exe\", \"audiodg.exe\", \"auditpol.exe\", \"authhost.exe\", \"autochk.exe\", \"autoconv.exe\", \"autofmt.exe\", \"axinstui.exe\", \"baaupdate.exe\", \"backgroundtaskhost.exe\", \"backgroundtransferhost.exe\", \"bcdboot.exe\", \"bcdedit.exe\", \"bdechangepin.exe\", \"bdehdcfg.exe\", \"bdeuisrv.exe\", \"bdeunlock.exe\", \"bioiso.exe\", \"bitlockerdeviceencryption.exe\", \"bitlockerwizard.exe\", \"bitlockerwizardelev.exe\", \"bitsadmin.exe\", \"bootcfg.exe\", \"bootim.exe\", \"bootsect.exe\", \"bridgeunattend.exe\", \"browserexport.exe\", \"browser_broker.exe\", \"bthudtask.exe\", \"bytecodegenerator.exe\", \"cacls.exe\", \"calc.exe\", \"camerasettingsuihost.exe\", \"castsrv.exe\", \"certenrollctrl.exe\", \"certreq.exe\", \"certutil.exe\", \"change.exe\", \"changepk.exe\", 
\"charmap.exe\", \"checknetisolation.exe\", \"chglogon.exe\", \"chgport.exe\", \"chgusr.exe\", \"chkdsk.exe\", \"chkntfs.exe\", \"choice.exe\", \"cidiag.exe\", \"cipher.exe\", \"cleanmgr.exe\", \"cliconfg.exe\", \"clip.exe\", \"clipup.exe\", \"cloudexperiencehostbroker.exe\", \"cloudnotifications.exe\", \"cmd.exe\", \"cmdkey.exe\", \"cmdl32.exe\", \"cmmon32.exe\", \"cmstp.exe\", \"cofire.exe\", \"colorcpl.exe\", \"comp.exe\", \"compact.exe\", \"compattelrunner.exe\", \"compmgmtlauncher.exe\", \"comppkgsrv.exe\", \"computerdefaults.exe\", \"conhost.exe\", \"consent.exe\", \"control.exe\", \"convert.exe\", \"convertvhd.exe\", \"coredpussvr.exe\", \"credentialenrollmentmanager.exe\", \"credentialuibroker.exe\", \"credwiz.exe\", \"cscript.exe\", \"csrss.exe\", \"ctfmon.exe\", \"cttune.exe\", \"cttunesvr.exe\", \"custominstallexec.exe\", \"customshellhost.exe\", \"dashost.exe\", \"dataexchangehost.exe\", \"datastorecachedumptool.exe\", \"dccw.exe\", \"dcomcnfg.exe\", \"ddodiag.exe\", \"defrag.exe\", \"deploymentcsphelper.exe\", \"desktopimgdownldr.exe\", \"devicecensus.exe\", \"devicecredentialdeployment.exe\", \"deviceeject.exe\", \"deviceenroller.exe\", \"devicepairingwizard.exe\", \"deviceproperties.exe\", \"dfdwiz.exe\", \"dfrgui.exe\", \"dialer.exe\", \"directxdatabaseupdater.exe\", \"diskpart.exe\", \"diskperf.exe\", \"diskraid.exe\", \"disksnapshot.exe\", \"dism.exe\", \"dispdiag.exe\", \"displayswitch.exe\", \"djoin.exe\", \"dllhost.exe\", \"dllhst3g.exe\", \"dmcertinst.exe\", \"dmcfghost.exe\", \"dmclient.exe\", \"dmnotificationbroker.exe\", \"dmomacpmo.exe\", \"dnscacheugc.exe\", \"doskey.exe\", \"dpapimig.exe\", \"dpiscaling.exe\", \"dpnsvr.exe\", \"driverquery.exe\", \"drvinst.exe\", \"dsmusertask.exe\", \"dsregcmd.exe\", \"dstokenclean.exe\", \"dusmtask.exe\", \"dvdplay.exe\", \"dwm.exe\", \"dwwin.exe\", \"dxdiag.exe\", \"dxgiadaptercache.exe\", \"dxpserver.exe\", \"eap3host.exe\", \"easeofaccessdialog.exe\", \"easinvoker.exe\", 
\"easpolicymanagerbrokerhost.exe\", \"edpcleanup.exe\", \"edpnotify.exe\", \"eduprintprov.exe\", \"efsui.exe\", \"ehstorauthn.exe\", \"eoaexperiences.exe\", \"esentutl.exe\", \"eudcedit.exe\", \"eventcreate.exe\", \"eventvwr.exe\", \"expand.exe\", \"extrac32.exe\", \"fc.exe\", \"fclip.exe\", \"fhmanagew.exe\", \"filehistory.exe\", \"find.exe\", \"findstr.exe\", \"finger.exe\", \"fixmapi.exe\", \"fltmc.exe\", \"fodhelper.exe\", \"fondue.exe\", \"fontdrvhost.exe\", \"fontview.exe\", \"forfiles.exe\", \"fsavailux.exe\", \"fsiso.exe\", \"fsquirt.exe\", \"fsutil.exe\", \"ftp.exe\", \"fvenotify.exe\", \"fveprompt.exe\", \"gamebarpresencewriter.exe\", \"gamepanel.exe\", \"genvalobj.exe\", \"getmac.exe\", \"gpresult.exe\", \"gpscript.exe\", \"gpupdate.exe\", \"grpconv.exe\", \"hdwwiz.exe\", \"help.exe\", \"hostname.exe\", \"hvax64.exe\", \"hvix64.exe\", \"hvsievaluator.exe\", \"icacls.exe\", \"icsentitlementhost.exe\", \"icsunattend.exe\", \"ie4uinit.exe\", \"ie4ushowie.exe\", \"iesettingsync.exe\", \"ieunatt.exe\", \"iexpress.exe\", \"immersivetpmvscmgrsvr.exe\", \"infdefaultinstall.exe\", \"inputswitchtoasthandler.exe\", \"iotstartup.exe\", \"ipconfig.exe\", \"iscsicli.exe\", \"iscsicpl.exe\", \"isoburn.exe\", \"klist.exe\", \"ksetup.exe\", \"ktmutil.exe\", \"label.exe\", \"languagecomponentsinstallercomhandler.exe\", \"launchtm.exe\", \"launchwinapp.exe\", \"legacynetuxhost.exe\", \"licensemanagershellext.exe\", \"licensingdiag.exe\", \"licensingui.exe\", \"locationnotificationwindows.exe\", \"locator.exe\", \"lockapphost.exe\", \"lockscreencontentserver.exe\", \"lodctr.exe\", \"logagent.exe\", \"logman.exe\", \"logoff.exe\", \"logonui.exe\", \"lpkinstall.exe\", \"lpksetup.exe\", \"lpremove.exe\", \"lsaiso.exe\", \"lsass.exe\", \"magnify.exe\", \"makecab.exe\", \"manage-bde.exe\", \"mavinject.exe\", \"mbaeparsertask.exe\", \"mblctr.exe\", \"mbr2gpt.exe\", \"mcbuilder.exe\", \"mdeserver.exe\", \"mdmagent.exe\", \"mdmappinstaller.exe\", \"mdmdiagnosticstool.exe\", 
\"mdres.exe\", \"mdsched.exe\", \"mfpmp.exe\", \"microsoft.uev.cscunpintool.exe\", \"microsoft.uev.synccontroller.exe\", \"microsoftedgebchost.exe\", \"microsoftedgecp.exe\", \"microsoftedgedevtools.exe\", \"microsoftedgesh.exe\", \"mmc.exe\", \"mmgaserver.exe\", \"mobsync.exe\", \"mountvol.exe\", \"mousocoreworker.exe\", \"mpnotify.exe\", \"mpsigstub.exe\", \"mrinfo.exe\", \"mschedexe.exe\", \"msconfig.exe\", \"msdt.exe\", \"msdtc.exe\", \"msfeedssync.exe\", \"msg.exe\", \"mshta.exe\", \"msiexec.exe\", \"msinfo32.exe\", \"mspaint.exe\", \"msra.exe\", \"msspellcheckinghost.exe\", \"mstsc.exe\", \"mtstocom.exe\", \"muiunattend.exe\", \"multidigimon.exe\", \"musnotification.exe\", \"musnotificationux.exe\", \"musnotifyicon.exe\", \"narrator.exe\", \"nbtstat.exe\", \"ndadmin.exe\", \"ndkping.exe\", \"net.exe\", \"net1.exe\", \"netbtugc.exe\", \"netcfg.exe\", \"netcfgnotifyobjecthost.exe\", \"netevtfwdr.exe\", \"nethost.exe\", \"netiougc.exe\", \"netplwiz.exe\", \"netsh.exe\", \"netstat.exe\", \"newdev.exe\", \"ngciso.exe\", \"nltest.exe\", \"notepad.exe\", \"nslookup.exe\", \"ntoskrnl.exe\", \"ntprint.exe\", \"odbcad32.exe\", \"odbcconf.exe\", \"ofdeploy.exe\", \"omadmclient.exe\", \"omadmprc.exe\", \"openfiles.exe\", \"openwith.exe\", \"optionalfeatures.exe\", \"osk.exe\", \"pacjsworker.exe\", \"packagedcwalauncher.exe\", \"packageinspector.exe\", \"passwordonwakesettingflyout.exe\", \"pathping.exe\", \"pcalua.exe\", \"pcaui.exe\", \"pcwrun.exe\", \"perfmon.exe\", \"phoneactivate.exe\", \"pickerhost.exe\", \"pinenrollmentbroker.exe\", \"ping.exe\", \"pkgmgr.exe\", \"pktmon.exe\", \"plasrv.exe\", \"pnpunattend.exe\", \"pnputil.exe\", \"poqexec.exe\", \"pospaymentsworker.exe\", \"powercfg.exe\", \"presentationhost.exe\", \"presentationsettings.exe\", \"prevhost.exe\", \"printbrmui.exe\", \"printfilterpipelinesvc.exe\", \"printisolationhost.exe\", \"printui.exe\", \"proquota.exe\", \"provlaunch.exe\", \"provtool.exe\", \"proximityuxhost.exe\", \"prproc.exe\", 
\"psr.exe\", \"pwlauncher.exe\", \"qappsrv.exe\", \"qprocess.exe\", \"query.exe\", \"quser.exe\", \"qwinsta.exe\", \"rasautou.exe\", \"rasdial.exe\", \"raserver.exe\", \"rasphone.exe\", \"rdpclip.exe\", \"rdpinit.exe\", \"rdpinput.exe\", \"rdpsa.exe\", \"rdpsaproxy.exe\", \"rdpsauachelper.exe\", \"rdpshell.exe\", \"rdpsign.exe\", \"rdrleakdiag.exe\", \"reagentc.exe\", \"recdisc.exe\", \"recover.exe\", \"recoverydrive.exe\", \"refsutil.exe\", \"reg.exe\", \"regedt32.exe\", \"regini.exe\", \"register-cimprovider.exe\", \"regsvr32.exe\", \"rekeywiz.exe\", \"relog.exe\", \"relpost.exe\", \"remoteapplifetimemanager.exe\", \"remoteposworker.exe\", \"repair-bde.exe\", \"replace.exe\", \"reset.exe\", \"resetengine.exe\", \"resmon.exe\", \"rmactivate.exe\", \"rmactivate_isv.exe\", \"rmactivate_ssp.exe\", \"rmactivate_ssp_isv.exe\", \"rmclient.exe\", \"rmttpmvscmgrsvr.exe\", \"robocopy.exe\", \"route.exe\", \"rpcping.exe\", \"rrinstaller.exe\", \"rstrui.exe\", \"runas.exe\", \"rundll32.exe\", \"runexehelper.exe\", \"runlegacycplelevated.exe\", \"runonce.exe\", \"runtimebroker.exe\", \"rwinsta.exe\", \"sc.exe\", \"schtasks.exe\", \"scriptrunner.exe\", \"sdbinst.exe\", \"sdchange.exe\", \"sdclt.exe\", \"sdiagnhost.exe\", \"searchfilterhost.exe\", \"searchindexer.exe\", \"searchprotocolhost.exe\", \"secedit.exe\", \"secinit.exe\", \"securekernel.exe\", \"securityhealthhost.exe\", \"securityhealthservice.exe\", \"securityhealthsystray.exe\", \"sensordataservice.exe\", \"services.exe\", \"sessionmsg.exe\", \"sethc.exe\", \"setspn.exe\", \"settingsynchost.exe\", \"setupcl.exe\", \"setupugc.exe\", \"setx.exe\", \"sfc.exe\", \"sgrmbroker.exe\", \"sgrmlpac.exe\", \"shellappruntime.exe\", \"shrpubw.exe\", \"shutdown.exe\", \"sigverif.exe\", \"sihclient.exe\", \"sihost.exe\", \"slidetoshutdown.exe\", \"slui.exe\", \"smartscreen.exe\", \"smss.exe\", \"sndvol.exe\", \"snippingtool.exe\", \"snmptrap.exe\", \"sort.exe\", \"spaceagent.exe\", \"spaceman.exe\", \"spatialaudiolicensesrv.exe\", 
\"spectrum.exe\", \"spoolsv.exe\", \"sppextcomobj.exe\", \"sppsvc.exe\", \"srdelayed.exe\", \"srtasks.exe\", \"stordiag.exe\", \"subst.exe\", \"svchost.exe\", \"sxstrace.exe\", \"syncappvpublishingserver.exe\", \"synchost.exe\", \"sysreseterr.exe\", \"systeminfo.exe\", \"systempropertiesadvanced.exe\", \"systempropertiescomputername.exe\", \"systempropertiesdataexecutionprevention.exe\", \"systempropertieshardware.exe\", \"systempropertiesperformance.exe\", \"systempropertiesprotection.exe\", \"systempropertiesremote.exe\", \"systemreset.exe\", \"systemsettingsadminflows.exe\", \"systemsettingsbroker.exe\", \"systemsettingsremovedevice.exe\", \"systemuwplauncher.exe\", \"systray.exe\", \"tabcal.exe\", \"takeown.exe\", \"tapiunattend.exe\", \"tar.exe\", \"taskhostw.exe\", \"taskkill.exe\", \"tasklist.exe\", \"taskmgr.exe\", \"tcblaunch.exe\", \"tcmsetup.exe\", \"tcpsvcs.exe\", \"thumbnailextractionhost.exe\", \"tieringengineservice.exe\", \"timeout.exe\", \"tokenbrokercookies.exe\", \"tpminit.exe\", \"tpmtool.exe\", \"tpmvscmgr.exe\", \"tpmvscmgrsvr.exe\", \"tracerpt.exe\", \"tracert.exe\", \"tscon.exe\", \"tsdiscon.exe\", \"tskill.exe\", \"tstheme.exe\", \"tswbprxy.exe\", \"ttdinject.exe\", \"tttracer.exe\", \"typeperf.exe\", \"tzsync.exe\", \"tzutil.exe\", \"ucsvc.exe\", \"uevagentpolicygenerator.exe\", \"uevappmonitor.exe\", \"uevtemplatebaselinegenerator.exe\", \"uevtemplateconfigitemgenerator.exe\", \"uimgrbroker.exe\", \"unlodctr.exe\", \"unregmp2.exe\", \"upfc.exe\", \"upgraderesultsui.exe\", \"upnpcont.exe\", \"upprinterinstaller.exe\", \"useraccountbroker.exe\", \"useraccountcontrolsettings.exe\", \"userinit.exe\", \"usoclient.exe\", \"utcdecoderhost.exe\", \"utilman.exe\", \"vaultcmd.exe\", \"vds.exe\", \"vdsldr.exe\", \"verclsid.exe\", \"verifier.exe\", \"verifiergui.exe\", \"vssadmin.exe\", \"vssvc.exe\", \"w32tm.exe\", \"waasmedicagent.exe\", \"waitfor.exe\", \"wallpaperhost.exe\", \"wbadmin.exe\", \"wbengine.exe\", \"wecutil.exe\", \"werfault.exe\", 
\"werfaultsecure.exe\", \"wermgr.exe\", \"wevtutil.exe\", \"wextract.exe\", \"where.exe\", \"whoami.exe\", \"wiaacmgr.exe\", \"wiawow64.exe\", \"wifitask.exe\", \"wimserv.exe\", \"winbiodatamodeloobe.exe\", \"windows.media.backgroundplayback.exe\", \"windows.warp.jitservice.exe\", \"windowsactiondialog.exe\", \"windowsupdateelevatedinstaller.exe\", \"wininit.exe\", \"winload.exe\", \"winlogon.exe\", \"winresume.exe\", \"winrs.exe\", \"winrshost.exe\", \"winrtnetmuahostserver.exe\", \"winsat.exe\", \"winver.exe\", \"wkspbroker.exe\", \"wksprt.exe\", \"wlanext.exe\", \"wlrmdr.exe\", \"wmpdmc.exe\", \"workfolders.exe\", \"wowreg32.exe\", \"wpcmon.exe\", \"wpctok.exe\", \"wpdshextautoplay.exe\", \"wpnpinst.exe\", \"wpr.exe\", \"write.exe\", \"wscadminui.exe\", \"wscollect.exe\", \"wscript.exe\", \"wsl.exe\", \"wsmanhttpconfig.exe\", \"wsmprovhost.exe\", \"wsqmcons.exe\", \"wsreset.exe\", \"wuapihost.exe\", \"wuauclt.exe\", \"wudfcompanionhost.exe\", \"wudfhost.exe\", \"wusa.exe\", \"wwahost.exe\", \"xblgamesavetask.exe\", \"xcopy.exe\", \"xwizard.exe\", \"aggregatorhost.exe\", \"diskusage.exe\", \"dtdump.exe\", \"ism.exe\", \"ndkperfcmd.exe\", \"ntkrla57.exe\", \"securekernella57.exe\", \"spaceutil.exe\", \"configure-smremoting.exe\", \"dcgpofix.exe\", \"dcpromo.exe\", \"dimc.exe\", \"diskshadow.exe\", \"drvcfg.exe\", \"escunattend.exe\", \"iashost.exe\", \"ktpass.exe\", \"lbfoadmin.exe\", \"netdom.exe\", \"rdspnf.exe\", \"rsopprov.exe\", \"sacsess.exe\", \"servermanager.exe\", \"servermanagerlauncher.exe\", \"setres.exe\", \"tsecimp.exe\", \"vssuirun.exe\", \"webcache.exe\", \"win32calc.exe\", \"certoc.exe\", \"sdndiagnosticstask.exe\", \"xpsrchvw.exe\"\n ) and\n not (\n process.code_signature.subject_name in (\n \"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Publisher\"\n ) and process.code_signature.trusted == true\n ) and not process.code_signature.status: (\"errorCode_endpoint*\", \"errorUntrustedRoot\", \"errorChaining\") and\n not\n 
(\n process.executable: (\n \"?:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\hostname.exe\",\n \"?:\\\\Windows\\\\Temp\\\\{*}\\\\taskkill.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\{*}\\\\taskkill.exe\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\System32\\\\ie4ushowIE.exe\",\n \"?:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\find.exe\",\n \"?:\\\\Program Files (x86)\\\\Axence\\\\nVision Agent 2\\\\nss\\\\certutil.exe\"\n )\n ) and\n not\n (\n (process.name: \"ucsvc.exe\" and process.code_signature.subject_name == \"Wellbia.com Co., Ltd.\" and process.code_signature.status: \"trusted\") or\n (process.name: \"pnputil.exe\" and process.code_signature.subject_name: (\"Lenovo\", \"HP Inc.\", \"Dell Inc\") and process.code_signature.status: \"trusted\") or\n (process.name: \"convert.exe\" and process.code_signature.subject_name: \"ImageMagick Studio LLC\" and process.code_signature.status: \"trusted\") or\n (process.name: \"systeminfo.exe\" and process.code_signature.subject_name: \"Arctic Wolf Networks, Inc.\" and process.code_signature.status: \"trusted\") or\n (\n process.name: \"certutil.exe\" and\n process.code_signature.subject_name: (\n \"Intel(R) Online Connect Access\",\n \"Fortinet Technologies (Canada) ULC\"\n ) and process.code_signature.status: \"trusted\"\n ) or\n (\n process.name: \"sfc.exe\" and\n process.code_signature.subject_name: (\n \"Cisco Systems, Inc.\",\n \"CISCO SYSTEMS CANADA CO\"\n ) and process.code_signature.status: \"trusted\"\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", 
"type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47", "severity": "low", "tags": ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}, {"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Host Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_1.json b/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_1.json deleted file mode 100644 index 36cbba9b938..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_1.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies suspicious instances of default system32 executables, either unsigned or signed with non-MS certificates. This could indicate the attempt to masquerade as system executables or backdoored and resigned legitimate executables.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as System32 Executable", "query": "process where event.type == \"start\" and process.code_signature.status : \"*\" and\n process.name: (\n \"agentactivationruntimestarter.exe\", \"agentservice.exe\", \"aitstatic.exe\", \"alg.exe\", \"apphostregistrationverifier.exe\", \"appidcertstorecheck.exe\", \"appidpolicyconverter.exe\", \"appidtel.exe\", \"applicationframehost.exe\", \"applysettingstemplatecatalog.exe\", \"applytrustoffline.exe\", \"approvechildrequest.exe\", \"appvclient.exe\", \"appvdllsurrogate.exe\", \"appvnice.exe\", \"appvshnotify.exe\", \"arp.exe\", \"assignedaccessguard.exe\", \"at.exe\", \"atbroker.exe\", \"attrib.exe\", \"audiodg.exe\", \"auditpol.exe\", \"authhost.exe\", \"autochk.exe\", \"autoconv.exe\", \"autofmt.exe\", \"axinstui.exe\", \"baaupdate.exe\", \"backgroundtaskhost.exe\", \"backgroundtransferhost.exe\", \"bcdboot.exe\", \"bcdedit.exe\", \"bdechangepin.exe\", \"bdehdcfg.exe\", \"bdeuisrv.exe\", \"bdeunlock.exe\", \"bioiso.exe\", \"bitlockerdeviceencryption.exe\", \"bitlockerwizard.exe\", \"bitlockerwizardelev.exe\", \"bitsadmin.exe\", \"bootcfg.exe\", \"bootim.exe\", \"bootsect.exe\", \"bridgeunattend.exe\", \"browserexport.exe\", \"browser_broker.exe\", \"bthudtask.exe\", \"bytecodegenerator.exe\", \"cacls.exe\", \"calc.exe\", \"camerasettingsuihost.exe\", \"castsrv.exe\", \"certenrollctrl.exe\", \"certreq.exe\", \"certutil.exe\", \"change.exe\", \"changepk.exe\", \"charmap.exe\", \"checknetisolation.exe\", \"chglogon.exe\", \"chgport.exe\", \"chgusr.exe\", 
\"chkdsk.exe\", \"chkntfs.exe\", \"choice.exe\", \"cidiag.exe\", \"cipher.exe\", \"cleanmgr.exe\", \"cliconfg.exe\", \"clip.exe\", \"clipup.exe\", \"cloudexperiencehostbroker.exe\", \"cloudnotifications.exe\", \"cmd.exe\", \"cmdkey.exe\", \"cmdl32.exe\", \"cmmon32.exe\", \"cmstp.exe\", \"cofire.exe\", \"colorcpl.exe\", \"comp.exe\", \"compact.exe\", \"compattelrunner.exe\", \"compmgmtlauncher.exe\", \"comppkgsrv.exe\", \"computerdefaults.exe\", \"conhost.exe\", \"consent.exe\", \"control.exe\", \"convert.exe\", \"convertvhd.exe\", \"coredpussvr.exe\", \"credentialenrollmentmanager.exe\", \"credentialuibroker.exe\", \"credwiz.exe\", \"cscript.exe\", \"csrss.exe\", \"ctfmon.exe\", \"cttune.exe\", \"cttunesvr.exe\", \"custominstallexec.exe\", \"customshellhost.exe\", \"dashost.exe\", \"dataexchangehost.exe\", \"datastorecachedumptool.exe\", \"dccw.exe\", \"dcomcnfg.exe\", \"ddodiag.exe\", \"defrag.exe\", \"deploymentcsphelper.exe\", \"desktopimgdownldr.exe\", \"devicecensus.exe\", \"devicecredentialdeployment.exe\", \"deviceeject.exe\", \"deviceenroller.exe\", \"devicepairingwizard.exe\", \"deviceproperties.exe\", \"dfdwiz.exe\", \"dfrgui.exe\", \"dialer.exe\", \"directxdatabaseupdater.exe\", \"diskpart.exe\", \"diskperf.exe\", \"diskraid.exe\", \"disksnapshot.exe\", \"dism.exe\", \"dispdiag.exe\", \"displayswitch.exe\", \"djoin.exe\", \"dllhost.exe\", \"dllhst3g.exe\", \"dmcertinst.exe\", \"dmcfghost.exe\", \"dmclient.exe\", \"dmnotificationbroker.exe\", \"dmomacpmo.exe\", \"dnscacheugc.exe\", \"doskey.exe\", \"dpapimig.exe\", \"dpiscaling.exe\", \"dpnsvr.exe\", \"driverquery.exe\", \"drvinst.exe\", \"dsmusertask.exe\", \"dsregcmd.exe\", \"dstokenclean.exe\", \"dusmtask.exe\", \"dvdplay.exe\", \"dwm.exe\", \"dwwin.exe\", \"dxdiag.exe\", \"dxgiadaptercache.exe\", \"dxpserver.exe\", \"eap3host.exe\", \"easeofaccessdialog.exe\", \"easinvoker.exe\", \"easpolicymanagerbrokerhost.exe\", \"edpcleanup.exe\", \"edpnotify.exe\", \"eduprintprov.exe\", \"efsui.exe\", 
\"ehstorauthn.exe\", \"eoaexperiences.exe\", \"esentutl.exe\", \"eudcedit.exe\", \"eventcreate.exe\", \"eventvwr.exe\", \"expand.exe\", \"extrac32.exe\", \"fc.exe\", \"fclip.exe\", \"fhmanagew.exe\", \"filehistory.exe\", \"find.exe\", \"findstr.exe\", \"finger.exe\", \"fixmapi.exe\", \"fltmc.exe\", \"fodhelper.exe\", \"fondue.exe\", \"fontdrvhost.exe\", \"fontview.exe\", \"forfiles.exe\", \"fsavailux.exe\", \"fsiso.exe\", \"fsquirt.exe\", \"fsutil.exe\", \"ftp.exe\", \"fvenotify.exe\", \"fveprompt.exe\", \"gamebarpresencewriter.exe\", \"gamepanel.exe\", \"genvalobj.exe\", \"getmac.exe\", \"gpresult.exe\", \"gpscript.exe\", \"gpupdate.exe\", \"grpconv.exe\", \"hdwwiz.exe\", \"help.exe\", \"hostname.exe\", \"hvax64.exe\", \"hvix64.exe\", \"hvsievaluator.exe\", \"icacls.exe\", \"icsentitlementhost.exe\", \"icsunattend.exe\", \"ie4uinit.exe\", \"ie4ushowie.exe\", \"iesettingsync.exe\", \"ieunatt.exe\", \"iexpress.exe\", \"immersivetpmvscmgrsvr.exe\", \"infdefaultinstall.exe\", \"inputswitchtoasthandler.exe\", \"iotstartup.exe\", \"ipconfig.exe\", \"iscsicli.exe\", \"iscsicpl.exe\", \"isoburn.exe\", \"klist.exe\", \"ksetup.exe\", \"ktmutil.exe\", \"label.exe\", \"languagecomponentsinstallercomhandler.exe\", \"launchtm.exe\", \"launchwinapp.exe\", \"legacynetuxhost.exe\", \"licensemanagershellext.exe\", \"licensingdiag.exe\", \"licensingui.exe\", \"locationnotificationwindows.exe\", \"locator.exe\", \"lockapphost.exe\", \"lockscreencontentserver.exe\", \"lodctr.exe\", \"logagent.exe\", \"logman.exe\", \"logoff.exe\", \"logonui.exe\", \"lpkinstall.exe\", \"lpksetup.exe\", \"lpremove.exe\", \"lsaiso.exe\", \"lsass.exe\", \"magnify.exe\", \"makecab.exe\", \"manage-bde.exe\", \"mavinject.exe\", \"mbaeparsertask.exe\", \"mblctr.exe\", \"mbr2gpt.exe\", \"mcbuilder.exe\", \"mdeserver.exe\", \"mdmagent.exe\", \"mdmappinstaller.exe\", \"mdmdiagnosticstool.exe\", \"mdres.exe\", \"mdsched.exe\", \"mfpmp.exe\", \"microsoft.uev.cscunpintool.exe\", 
\"microsoft.uev.synccontroller.exe\", \"microsoftedgebchost.exe\", \"microsoftedgecp.exe\", \"microsoftedgedevtools.exe\", \"microsoftedgesh.exe\", \"mmc.exe\", \"mmgaserver.exe\", \"mobsync.exe\", \"mountvol.exe\", \"mousocoreworker.exe\", \"mpnotify.exe\", \"mpsigstub.exe\", \"mrinfo.exe\", \"mschedexe.exe\", \"msconfig.exe\", \"msdt.exe\", \"msdtc.exe\", \"msfeedssync.exe\", \"msg.exe\", \"mshta.exe\", \"msiexec.exe\", \"msinfo32.exe\", \"mspaint.exe\", \"msra.exe\", \"msspellcheckinghost.exe\", \"mstsc.exe\", \"mtstocom.exe\", \"muiunattend.exe\", \"multidigimon.exe\", \"musnotification.exe\", \"musnotificationux.exe\", \"musnotifyicon.exe\", \"narrator.exe\", \"nbtstat.exe\", \"ndadmin.exe\", \"ndkping.exe\", \"net.exe\", \"net1.exe\", \"netbtugc.exe\", \"netcfg.exe\", \"netcfgnotifyobjecthost.exe\", \"netevtfwdr.exe\", \"nethost.exe\", \"netiougc.exe\", \"netplwiz.exe\", \"netsh.exe\", \"netstat.exe\", \"newdev.exe\", \"ngciso.exe\", \"nltest.exe\", \"notepad.exe\", \"nslookup.exe\", \"ntoskrnl.exe\", \"ntprint.exe\", \"odbcad32.exe\", \"odbcconf.exe\", \"ofdeploy.exe\", \"omadmclient.exe\", \"omadmprc.exe\", \"openfiles.exe\", \"openwith.exe\", \"optionalfeatures.exe\", \"osk.exe\", \"pacjsworker.exe\", \"packagedcwalauncher.exe\", \"packageinspector.exe\", \"passwordonwakesettingflyout.exe\", \"pathping.exe\", \"pcalua.exe\", \"pcaui.exe\", \"pcwrun.exe\", \"perfmon.exe\", \"phoneactivate.exe\", \"pickerhost.exe\", \"pinenrollmentbroker.exe\", \"ping.exe\", \"pkgmgr.exe\", \"pktmon.exe\", \"plasrv.exe\", \"pnpunattend.exe\", \"pnputil.exe\", \"poqexec.exe\", \"pospaymentsworker.exe\", \"powercfg.exe\", \"presentationhost.exe\", \"presentationsettings.exe\", \"prevhost.exe\", \"printbrmui.exe\", \"printfilterpipelinesvc.exe\", \"printisolationhost.exe\", \"printui.exe\", \"proquota.exe\", \"provlaunch.exe\", \"provtool.exe\", \"proximityuxhost.exe\", \"prproc.exe\", \"psr.exe\", \"pwlauncher.exe\", \"qappsrv.exe\", \"qprocess.exe\", \"query.exe\", 
\"quser.exe\", \"qwinsta.exe\", \"rasautou.exe\", \"rasdial.exe\", \"raserver.exe\", \"rasphone.exe\", \"rdpclip.exe\", \"rdpinit.exe\", \"rdpinput.exe\", \"rdpsa.exe\", \"rdpsaproxy.exe\", \"rdpsauachelper.exe\", \"rdpshell.exe\", \"rdpsign.exe\", \"rdrleakdiag.exe\", \"reagentc.exe\", \"recdisc.exe\", \"recover.exe\", \"recoverydrive.exe\", \"refsutil.exe\", \"reg.exe\", \"regedt32.exe\", \"regini.exe\", \"register-cimprovider.exe\", \"regsvr32.exe\", \"rekeywiz.exe\", \"relog.exe\", \"relpost.exe\", \"remoteapplifetimemanager.exe\", \"remoteposworker.exe\", \"repair-bde.exe\", \"replace.exe\", \"reset.exe\", \"resetengine.exe\", \"resmon.exe\", \"rmactivate.exe\", \"rmactivate_isv.exe\", \"rmactivate_ssp.exe\", \"rmactivate_ssp_isv.exe\", \"rmclient.exe\", \"rmttpmvscmgrsvr.exe\", \"robocopy.exe\", \"route.exe\", \"rpcping.exe\", \"rrinstaller.exe\", \"rstrui.exe\", \"runas.exe\", \"rundll32.exe\", \"runexehelper.exe\", \"runlegacycplelevated.exe\", \"runonce.exe\", \"runtimebroker.exe\", \"rwinsta.exe\", \"sc.exe\", \"schtasks.exe\", \"scriptrunner.exe\", \"sdbinst.exe\", \"sdchange.exe\", \"sdclt.exe\", \"sdiagnhost.exe\", \"searchfilterhost.exe\", \"searchindexer.exe\", \"searchprotocolhost.exe\", \"secedit.exe\", \"secinit.exe\", \"securekernel.exe\", \"securityhealthhost.exe\", \"securityhealthservice.exe\", \"securityhealthsystray.exe\", \"sensordataservice.exe\", \"services.exe\", \"sessionmsg.exe\", \"sethc.exe\", \"setspn.exe\", \"settingsynchost.exe\", \"setupcl.exe\", \"setupugc.exe\", \"setx.exe\", \"sfc.exe\", \"sgrmbroker.exe\", \"sgrmlpac.exe\", \"shellappruntime.exe\", \"shrpubw.exe\", \"shutdown.exe\", \"sigverif.exe\", \"sihclient.exe\", \"sihost.exe\", \"slidetoshutdown.exe\", \"slui.exe\", \"smartscreen.exe\", \"smss.exe\", \"sndvol.exe\", \"snippingtool.exe\", \"snmptrap.exe\", \"sort.exe\", \"spaceagent.exe\", \"spaceman.exe\", \"spatialaudiolicensesrv.exe\", \"spectrum.exe\", \"spoolsv.exe\", \"sppextcomobj.exe\", \"sppsvc.exe\", 
\"srdelayed.exe\", \"srtasks.exe\", \"stordiag.exe\", \"subst.exe\", \"svchost.exe\", \"sxstrace.exe\", \"syncappvpublishingserver.exe\", \"synchost.exe\", \"sysreseterr.exe\", \"systeminfo.exe\", \"systempropertiesadvanced.exe\", \"systempropertiescomputername.exe\", \"systempropertiesdataexecutionprevention.exe\", \"systempropertieshardware.exe\", \"systempropertiesperformance.exe\", \"systempropertiesprotection.exe\", \"systempropertiesremote.exe\", \"systemreset.exe\", \"systemsettingsadminflows.exe\", \"systemsettingsbroker.exe\", \"systemsettingsremovedevice.exe\", \"systemuwplauncher.exe\", \"systray.exe\", \"tabcal.exe\", \"takeown.exe\", \"tapiunattend.exe\", \"tar.exe\", \"taskhostw.exe\", \"taskkill.exe\", \"tasklist.exe\", \"taskmgr.exe\", \"tcblaunch.exe\", \"tcmsetup.exe\", \"tcpsvcs.exe\", \"thumbnailextractionhost.exe\", \"tieringengineservice.exe\", \"timeout.exe\", \"tokenbrokercookies.exe\", \"tpminit.exe\", \"tpmtool.exe\", \"tpmvscmgr.exe\", \"tpmvscmgrsvr.exe\", \"tracerpt.exe\", \"tracert.exe\", \"tscon.exe\", \"tsdiscon.exe\", \"tskill.exe\", \"tstheme.exe\", \"tswbprxy.exe\", \"ttdinject.exe\", \"tttracer.exe\", \"typeperf.exe\", \"tzsync.exe\", \"tzutil.exe\", \"ucsvc.exe\", \"uevagentpolicygenerator.exe\", \"uevappmonitor.exe\", \"uevtemplatebaselinegenerator.exe\", \"uevtemplateconfigitemgenerator.exe\", \"uimgrbroker.exe\", \"unlodctr.exe\", \"unregmp2.exe\", \"upfc.exe\", \"upgraderesultsui.exe\", \"upnpcont.exe\", \"upprinterinstaller.exe\", \"useraccountbroker.exe\", \"useraccountcontrolsettings.exe\", \"userinit.exe\", \"usoclient.exe\", \"utcdecoderhost.exe\", \"utilman.exe\", \"vaultcmd.exe\", \"vds.exe\", \"vdsldr.exe\", \"verclsid.exe\", \"verifier.exe\", \"verifiergui.exe\", \"vssadmin.exe\", \"vssvc.exe\", \"w32tm.exe\", \"waasmedicagent.exe\", \"waitfor.exe\", \"wallpaperhost.exe\", \"wbadmin.exe\", \"wbengine.exe\", \"wecutil.exe\", \"werfault.exe\", \"werfaultsecure.exe\", \"wermgr.exe\", \"wevtutil.exe\", \"wextract.exe\", 
\"where.exe\", \"whoami.exe\", \"wiaacmgr.exe\", \"wiawow64.exe\", \"wifitask.exe\", \"wimserv.exe\", \"winbiodatamodeloobe.exe\", \"windows.media.backgroundplayback.exe\", \"windows.warp.jitservice.exe\", \"windowsactiondialog.exe\", \"windowsupdateelevatedinstaller.exe\", \"wininit.exe\", \"winload.exe\", \"winlogon.exe\", \"winresume.exe\", \"winrs.exe\", \"winrshost.exe\", \"winrtnetmuahostserver.exe\", \"winsat.exe\", \"winver.exe\", \"wkspbroker.exe\", \"wksprt.exe\", \"wlanext.exe\", \"wlrmdr.exe\", \"wmpdmc.exe\", \"workfolders.exe\", \"wowreg32.exe\", \"wpcmon.exe\", \"wpctok.exe\", \"wpdshextautoplay.exe\", \"wpnpinst.exe\", \"wpr.exe\", \"write.exe\", \"wscadminui.exe\", \"wscollect.exe\", \"wscript.exe\", \"wsl.exe\", \"wsmanhttpconfig.exe\", \"wsmprovhost.exe\", \"wsqmcons.exe\", \"wsreset.exe\", \"wuapihost.exe\", \"wuauclt.exe\", \"wudfcompanionhost.exe\", \"wudfhost.exe\", \"wusa.exe\", \"wwahost.exe\", \"xblgamesavetask.exe\", \"xcopy.exe\", \"xwizard.exe\", \"aggregatorhost.exe\", \"diskusage.exe\", \"dtdump.exe\", \"ism.exe\", \"ndkperfcmd.exe\", \"ntkrla57.exe\", \"securekernella57.exe\", \"spaceutil.exe\", \"configure-smremoting.exe\", \"dcgpofix.exe\", \"dcpromo.exe\", \"dimc.exe\", \"diskshadow.exe\", \"drvcfg.exe\", \"escunattend.exe\", \"iashost.exe\", \"ktpass.exe\", \"lbfoadmin.exe\", \"netdom.exe\", \"rdspnf.exe\", \"rsopprov.exe\", \"sacsess.exe\", \"servermanager.exe\", \"servermanagerlauncher.exe\", \"setres.exe\", \"tsecimp.exe\", \"vssuirun.exe\", \"webcache.exe\", \"win32calc.exe\", \"certoc.exe\", \"sdndiagnosticstask.exe\", \"xpsrchvw.exe\"\n ) and\n not (\n process.code_signature.subject_name in (\n \"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Publisher\"\n ) and process.code_signature.trusted == true\n ) and not process.code_signature.status: (\"errorCode_endpoint*\", \"errorUntrustedRoot\", \"errorChaining\") and\n not\n (\n process.executable: (\n \"?:\\\\Program 
Files\\\\Git\\\\usr\\\\bin\\\\hostname.exe\",\n \"?:\\\\Windows\\\\Temp\\\\{*}\\\\taskkill.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\{*}\\\\taskkill.exe\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\System32\\\\ie4ushowIE.exe\",\n \"?:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\find.exe\"\n )\n ) and\n not\n (\n (process.name: \"ucsvc.exe\" and process.code_signature.subject_name == \"Wellbia.com Co., Ltd.\" and process.code_signature.status: \"trusted\") or\n (process.name: \"pnputil.exe\" and process.code_signature.subject_name: \"Lenovo\" and process.code_signature.status: \"trusted\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47", "severity": "low", "tags": ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_2.json b/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_2.json
deleted file mode 100644
index 836fe645e2d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies suspicious instances of default system32 executables, either unsigned or signed with non-MS certificates. This could indicate the attempt to masquerade as system executables or backdoored and resigned legitimate executables.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as System32 Executable", "query": "process where event.type == \"start\" and process.code_signature.status : \"*\" and\n process.name: (\n \"agentactivationruntimestarter.exe\", \"agentservice.exe\", \"aitstatic.exe\", \"alg.exe\", \"apphostregistrationverifier.exe\", \"appidcertstorecheck.exe\", \"appidpolicyconverter.exe\", \"appidtel.exe\", \"applicationframehost.exe\", \"applysettingstemplatecatalog.exe\", \"applytrustoffline.exe\", \"approvechildrequest.exe\", \"appvclient.exe\", \"appvdllsurrogate.exe\", \"appvnice.exe\", \"appvshnotify.exe\", \"arp.exe\", \"assignedaccessguard.exe\", \"at.exe\", \"atbroker.exe\", \"attrib.exe\", \"audiodg.exe\", \"auditpol.exe\", \"authhost.exe\", \"autochk.exe\", \"autoconv.exe\", \"autofmt.exe\", \"axinstui.exe\", \"baaupdate.exe\", \"backgroundtaskhost.exe\", \"backgroundtransferhost.exe\", \"bcdboot.exe\", \"bcdedit.exe\", \"bdechangepin.exe\", \"bdehdcfg.exe\", \"bdeuisrv.exe\", \"bdeunlock.exe\", \"bioiso.exe\", \"bitlockerdeviceencryption.exe\", \"bitlockerwizard.exe\", \"bitlockerwizardelev.exe\", \"bitsadmin.exe\", \"bootcfg.exe\", \"bootim.exe\", \"bootsect.exe\", \"bridgeunattend.exe\", \"browserexport.exe\", \"browser_broker.exe\", \"bthudtask.exe\", \"bytecodegenerator.exe\", \"cacls.exe\", \"calc.exe\", \"camerasettingsuihost.exe\", \"castsrv.exe\", \"certenrollctrl.exe\", \"certreq.exe\", \"certutil.exe\", \"change.exe\", \"changepk.exe\", \"charmap.exe\", \"checknetisolation.exe\", \"chglogon.exe\", \"chgport.exe\", \"chgusr.exe\", 
\"chkdsk.exe\", \"chkntfs.exe\", \"choice.exe\", \"cidiag.exe\", \"cipher.exe\", \"cleanmgr.exe\", \"cliconfg.exe\", \"clip.exe\", \"clipup.exe\", \"cloudexperiencehostbroker.exe\", \"cloudnotifications.exe\", \"cmd.exe\", \"cmdkey.exe\", \"cmdl32.exe\", \"cmmon32.exe\", \"cmstp.exe\", \"cofire.exe\", \"colorcpl.exe\", \"comp.exe\", \"compact.exe\", \"compattelrunner.exe\", \"compmgmtlauncher.exe\", \"comppkgsrv.exe\", \"computerdefaults.exe\", \"conhost.exe\", \"consent.exe\", \"control.exe\", \"convert.exe\", \"convertvhd.exe\", \"coredpussvr.exe\", \"credentialenrollmentmanager.exe\", \"credentialuibroker.exe\", \"credwiz.exe\", \"cscript.exe\", \"csrss.exe\", \"ctfmon.exe\", \"cttune.exe\", \"cttunesvr.exe\", \"custominstallexec.exe\", \"customshellhost.exe\", \"dashost.exe\", \"dataexchangehost.exe\", \"datastorecachedumptool.exe\", \"dccw.exe\", \"dcomcnfg.exe\", \"ddodiag.exe\", \"defrag.exe\", \"deploymentcsphelper.exe\", \"desktopimgdownldr.exe\", \"devicecensus.exe\", \"devicecredentialdeployment.exe\", \"deviceeject.exe\", \"deviceenroller.exe\", \"devicepairingwizard.exe\", \"deviceproperties.exe\", \"dfdwiz.exe\", \"dfrgui.exe\", \"dialer.exe\", \"directxdatabaseupdater.exe\", \"diskpart.exe\", \"diskperf.exe\", \"diskraid.exe\", \"disksnapshot.exe\", \"dism.exe\", \"dispdiag.exe\", \"displayswitch.exe\", \"djoin.exe\", \"dllhost.exe\", \"dllhst3g.exe\", \"dmcertinst.exe\", \"dmcfghost.exe\", \"dmclient.exe\", \"dmnotificationbroker.exe\", \"dmomacpmo.exe\", \"dnscacheugc.exe\", \"doskey.exe\", \"dpapimig.exe\", \"dpiscaling.exe\", \"dpnsvr.exe\", \"driverquery.exe\", \"drvinst.exe\", \"dsmusertask.exe\", \"dsregcmd.exe\", \"dstokenclean.exe\", \"dusmtask.exe\", \"dvdplay.exe\", \"dwm.exe\", \"dwwin.exe\", \"dxdiag.exe\", \"dxgiadaptercache.exe\", \"dxpserver.exe\", \"eap3host.exe\", \"easeofaccessdialog.exe\", \"easinvoker.exe\", \"easpolicymanagerbrokerhost.exe\", \"edpcleanup.exe\", \"edpnotify.exe\", \"eduprintprov.exe\", \"efsui.exe\", 
\"ehstorauthn.exe\", \"eoaexperiences.exe\", \"esentutl.exe\", \"eudcedit.exe\", \"eventcreate.exe\", \"eventvwr.exe\", \"expand.exe\", \"extrac32.exe\", \"fc.exe\", \"fclip.exe\", \"fhmanagew.exe\", \"filehistory.exe\", \"find.exe\", \"findstr.exe\", \"finger.exe\", \"fixmapi.exe\", \"fltmc.exe\", \"fodhelper.exe\", \"fondue.exe\", \"fontdrvhost.exe\", \"fontview.exe\", \"forfiles.exe\", \"fsavailux.exe\", \"fsiso.exe\", \"fsquirt.exe\", \"fsutil.exe\", \"ftp.exe\", \"fvenotify.exe\", \"fveprompt.exe\", \"gamebarpresencewriter.exe\", \"gamepanel.exe\", \"genvalobj.exe\", \"getmac.exe\", \"gpresult.exe\", \"gpscript.exe\", \"gpupdate.exe\", \"grpconv.exe\", \"hdwwiz.exe\", \"help.exe\", \"hostname.exe\", \"hvax64.exe\", \"hvix64.exe\", \"hvsievaluator.exe\", \"icacls.exe\", \"icsentitlementhost.exe\", \"icsunattend.exe\", \"ie4uinit.exe\", \"ie4ushowie.exe\", \"iesettingsync.exe\", \"ieunatt.exe\", \"iexpress.exe\", \"immersivetpmvscmgrsvr.exe\", \"infdefaultinstall.exe\", \"inputswitchtoasthandler.exe\", \"iotstartup.exe\", \"ipconfig.exe\", \"iscsicli.exe\", \"iscsicpl.exe\", \"isoburn.exe\", \"klist.exe\", \"ksetup.exe\", \"ktmutil.exe\", \"label.exe\", \"languagecomponentsinstallercomhandler.exe\", \"launchtm.exe\", \"launchwinapp.exe\", \"legacynetuxhost.exe\", \"licensemanagershellext.exe\", \"licensingdiag.exe\", \"licensingui.exe\", \"locationnotificationwindows.exe\", \"locator.exe\", \"lockapphost.exe\", \"lockscreencontentserver.exe\", \"lodctr.exe\", \"logagent.exe\", \"logman.exe\", \"logoff.exe\", \"logonui.exe\", \"lpkinstall.exe\", \"lpksetup.exe\", \"lpremove.exe\", \"lsaiso.exe\", \"lsass.exe\", \"magnify.exe\", \"makecab.exe\", \"manage-bde.exe\", \"mavinject.exe\", \"mbaeparsertask.exe\", \"mblctr.exe\", \"mbr2gpt.exe\", \"mcbuilder.exe\", \"mdeserver.exe\", \"mdmagent.exe\", \"mdmappinstaller.exe\", \"mdmdiagnosticstool.exe\", \"mdres.exe\", \"mdsched.exe\", \"mfpmp.exe\", \"microsoft.uev.cscunpintool.exe\", 
\"microsoft.uev.synccontroller.exe\", \"microsoftedgebchost.exe\", \"microsoftedgecp.exe\", \"microsoftedgedevtools.exe\", \"microsoftedgesh.exe\", \"mmc.exe\", \"mmgaserver.exe\", \"mobsync.exe\", \"mountvol.exe\", \"mousocoreworker.exe\", \"mpnotify.exe\", \"mpsigstub.exe\", \"mrinfo.exe\", \"mschedexe.exe\", \"msconfig.exe\", \"msdt.exe\", \"msdtc.exe\", \"msfeedssync.exe\", \"msg.exe\", \"mshta.exe\", \"msiexec.exe\", \"msinfo32.exe\", \"mspaint.exe\", \"msra.exe\", \"msspellcheckinghost.exe\", \"mstsc.exe\", \"mtstocom.exe\", \"muiunattend.exe\", \"multidigimon.exe\", \"musnotification.exe\", \"musnotificationux.exe\", \"musnotifyicon.exe\", \"narrator.exe\", \"nbtstat.exe\", \"ndadmin.exe\", \"ndkping.exe\", \"net.exe\", \"net1.exe\", \"netbtugc.exe\", \"netcfg.exe\", \"netcfgnotifyobjecthost.exe\", \"netevtfwdr.exe\", \"nethost.exe\", \"netiougc.exe\", \"netplwiz.exe\", \"netsh.exe\", \"netstat.exe\", \"newdev.exe\", \"ngciso.exe\", \"nltest.exe\", \"notepad.exe\", \"nslookup.exe\", \"ntoskrnl.exe\", \"ntprint.exe\", \"odbcad32.exe\", \"odbcconf.exe\", \"ofdeploy.exe\", \"omadmclient.exe\", \"omadmprc.exe\", \"openfiles.exe\", \"openwith.exe\", \"optionalfeatures.exe\", \"osk.exe\", \"pacjsworker.exe\", \"packagedcwalauncher.exe\", \"packageinspector.exe\", \"passwordonwakesettingflyout.exe\", \"pathping.exe\", \"pcalua.exe\", \"pcaui.exe\", \"pcwrun.exe\", \"perfmon.exe\", \"phoneactivate.exe\", \"pickerhost.exe\", \"pinenrollmentbroker.exe\", \"ping.exe\", \"pkgmgr.exe\", \"pktmon.exe\", \"plasrv.exe\", \"pnpunattend.exe\", \"pnputil.exe\", \"poqexec.exe\", \"pospaymentsworker.exe\", \"powercfg.exe\", \"presentationhost.exe\", \"presentationsettings.exe\", \"prevhost.exe\", \"printbrmui.exe\", \"printfilterpipelinesvc.exe\", \"printisolationhost.exe\", \"printui.exe\", \"proquota.exe\", \"provlaunch.exe\", \"provtool.exe\", \"proximityuxhost.exe\", \"prproc.exe\", \"psr.exe\", \"pwlauncher.exe\", \"qappsrv.exe\", \"qprocess.exe\", \"query.exe\", 
\"quser.exe\", \"qwinsta.exe\", \"rasautou.exe\", \"rasdial.exe\", \"raserver.exe\", \"rasphone.exe\", \"rdpclip.exe\", \"rdpinit.exe\", \"rdpinput.exe\", \"rdpsa.exe\", \"rdpsaproxy.exe\", \"rdpsauachelper.exe\", \"rdpshell.exe\", \"rdpsign.exe\", \"rdrleakdiag.exe\", \"reagentc.exe\", \"recdisc.exe\", \"recover.exe\", \"recoverydrive.exe\", \"refsutil.exe\", \"reg.exe\", \"regedt32.exe\", \"regini.exe\", \"register-cimprovider.exe\", \"regsvr32.exe\", \"rekeywiz.exe\", \"relog.exe\", \"relpost.exe\", \"remoteapplifetimemanager.exe\", \"remoteposworker.exe\", \"repair-bde.exe\", \"replace.exe\", \"reset.exe\", \"resetengine.exe\", \"resmon.exe\", \"rmactivate.exe\", \"rmactivate_isv.exe\", \"rmactivate_ssp.exe\", \"rmactivate_ssp_isv.exe\", \"rmclient.exe\", \"rmttpmvscmgrsvr.exe\", \"robocopy.exe\", \"route.exe\", \"rpcping.exe\", \"rrinstaller.exe\", \"rstrui.exe\", \"runas.exe\", \"rundll32.exe\", \"runexehelper.exe\", \"runlegacycplelevated.exe\", \"runonce.exe\", \"runtimebroker.exe\", \"rwinsta.exe\", \"sc.exe\", \"schtasks.exe\", \"scriptrunner.exe\", \"sdbinst.exe\", \"sdchange.exe\", \"sdclt.exe\", \"sdiagnhost.exe\", \"searchfilterhost.exe\", \"searchindexer.exe\", \"searchprotocolhost.exe\", \"secedit.exe\", \"secinit.exe\", \"securekernel.exe\", \"securityhealthhost.exe\", \"securityhealthservice.exe\", \"securityhealthsystray.exe\", \"sensordataservice.exe\", \"services.exe\", \"sessionmsg.exe\", \"sethc.exe\", \"setspn.exe\", \"settingsynchost.exe\", \"setupcl.exe\", \"setupugc.exe\", \"setx.exe\", \"sfc.exe\", \"sgrmbroker.exe\", \"sgrmlpac.exe\", \"shellappruntime.exe\", \"shrpubw.exe\", \"shutdown.exe\", \"sigverif.exe\", \"sihclient.exe\", \"sihost.exe\", \"slidetoshutdown.exe\", \"slui.exe\", \"smartscreen.exe\", \"smss.exe\", \"sndvol.exe\", \"snippingtool.exe\", \"snmptrap.exe\", \"sort.exe\", \"spaceagent.exe\", \"spaceman.exe\", \"spatialaudiolicensesrv.exe\", \"spectrum.exe\", \"spoolsv.exe\", \"sppextcomobj.exe\", \"sppsvc.exe\", 
\"srdelayed.exe\", \"srtasks.exe\", \"stordiag.exe\", \"subst.exe\", \"svchost.exe\", \"sxstrace.exe\", \"syncappvpublishingserver.exe\", \"synchost.exe\", \"sysreseterr.exe\", \"systeminfo.exe\", \"systempropertiesadvanced.exe\", \"systempropertiescomputername.exe\", \"systempropertiesdataexecutionprevention.exe\", \"systempropertieshardware.exe\", \"systempropertiesperformance.exe\", \"systempropertiesprotection.exe\", \"systempropertiesremote.exe\", \"systemreset.exe\", \"systemsettingsadminflows.exe\", \"systemsettingsbroker.exe\", \"systemsettingsremovedevice.exe\", \"systemuwplauncher.exe\", \"systray.exe\", \"tabcal.exe\", \"takeown.exe\", \"tapiunattend.exe\", \"tar.exe\", \"taskhostw.exe\", \"taskkill.exe\", \"tasklist.exe\", \"taskmgr.exe\", \"tcblaunch.exe\", \"tcmsetup.exe\", \"tcpsvcs.exe\", \"thumbnailextractionhost.exe\", \"tieringengineservice.exe\", \"timeout.exe\", \"tokenbrokercookies.exe\", \"tpminit.exe\", \"tpmtool.exe\", \"tpmvscmgr.exe\", \"tpmvscmgrsvr.exe\", \"tracerpt.exe\", \"tracert.exe\", \"tscon.exe\", \"tsdiscon.exe\", \"tskill.exe\", \"tstheme.exe\", \"tswbprxy.exe\", \"ttdinject.exe\", \"tttracer.exe\", \"typeperf.exe\", \"tzsync.exe\", \"tzutil.exe\", \"ucsvc.exe\", \"uevagentpolicygenerator.exe\", \"uevappmonitor.exe\", \"uevtemplatebaselinegenerator.exe\", \"uevtemplateconfigitemgenerator.exe\", \"uimgrbroker.exe\", \"unlodctr.exe\", \"unregmp2.exe\", \"upfc.exe\", \"upgraderesultsui.exe\", \"upnpcont.exe\", \"upprinterinstaller.exe\", \"useraccountbroker.exe\", \"useraccountcontrolsettings.exe\", \"userinit.exe\", \"usoclient.exe\", \"utcdecoderhost.exe\", \"utilman.exe\", \"vaultcmd.exe\", \"vds.exe\", \"vdsldr.exe\", \"verclsid.exe\", \"verifier.exe\", \"verifiergui.exe\", \"vssadmin.exe\", \"vssvc.exe\", \"w32tm.exe\", \"waasmedicagent.exe\", \"waitfor.exe\", \"wallpaperhost.exe\", \"wbadmin.exe\", \"wbengine.exe\", \"wecutil.exe\", \"werfault.exe\", \"werfaultsecure.exe\", \"wermgr.exe\", \"wevtutil.exe\", \"wextract.exe\", 
\"where.exe\", \"whoami.exe\", \"wiaacmgr.exe\", \"wiawow64.exe\", \"wifitask.exe\", \"wimserv.exe\", \"winbiodatamodeloobe.exe\", \"windows.media.backgroundplayback.exe\", \"windows.warp.jitservice.exe\", \"windowsactiondialog.exe\", \"windowsupdateelevatedinstaller.exe\", \"wininit.exe\", \"winload.exe\", \"winlogon.exe\", \"winresume.exe\", \"winrs.exe\", \"winrshost.exe\", \"winrtnetmuahostserver.exe\", \"winsat.exe\", \"winver.exe\", \"wkspbroker.exe\", \"wksprt.exe\", \"wlanext.exe\", \"wlrmdr.exe\", \"wmpdmc.exe\", \"workfolders.exe\", \"wowreg32.exe\", \"wpcmon.exe\", \"wpctok.exe\", \"wpdshextautoplay.exe\", \"wpnpinst.exe\", \"wpr.exe\", \"write.exe\", \"wscadminui.exe\", \"wscollect.exe\", \"wscript.exe\", \"wsl.exe\", \"wsmanhttpconfig.exe\", \"wsmprovhost.exe\", \"wsqmcons.exe\", \"wsreset.exe\", \"wuapihost.exe\", \"wuauclt.exe\", \"wudfcompanionhost.exe\", \"wudfhost.exe\", \"wusa.exe\", \"wwahost.exe\", \"xblgamesavetask.exe\", \"xcopy.exe\", \"xwizard.exe\", \"aggregatorhost.exe\", \"diskusage.exe\", \"dtdump.exe\", \"ism.exe\", \"ndkperfcmd.exe\", \"ntkrla57.exe\", \"securekernella57.exe\", \"spaceutil.exe\", \"configure-smremoting.exe\", \"dcgpofix.exe\", \"dcpromo.exe\", \"dimc.exe\", \"diskshadow.exe\", \"drvcfg.exe\", \"escunattend.exe\", \"iashost.exe\", \"ktpass.exe\", \"lbfoadmin.exe\", \"netdom.exe\", \"rdspnf.exe\", \"rsopprov.exe\", \"sacsess.exe\", \"servermanager.exe\", \"servermanagerlauncher.exe\", \"setres.exe\", \"tsecimp.exe\", \"vssuirun.exe\", \"webcache.exe\", \"win32calc.exe\", \"certoc.exe\", \"sdndiagnosticstask.exe\", \"xpsrchvw.exe\"\n ) and\n not (\n process.code_signature.subject_name in (\n \"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Publisher\"\n ) and process.code_signature.trusted == true\n ) and not process.code_signature.status: (\"errorCode_endpoint*\", \"errorUntrustedRoot\", \"errorChaining\") and\n not\n (\n process.executable: (\n \"?:\\\\Program 
Files\\\\Git\\\\usr\\\\bin\\\\hostname.exe\",\n \"?:\\\\Windows\\\\Temp\\\\{*}\\\\taskkill.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\{*}\\\\taskkill.exe\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\System32\\\\ie4ushowIE.exe\",\n \"?:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\find.exe\"\n )\n ) and\n not\n (\n (process.name: \"ucsvc.exe\" and process.code_signature.subject_name == \"Wellbia.com Co., Ltd.\" and process.code_signature.status: \"trusted\") or\n (process.name: \"pnputil.exe\" and process.code_signature.subject_name: \"Lenovo\" and process.code_signature.status: \"trusted\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47", "severity": "low", "tags": ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}, {"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": 
"Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_3.json b/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_3.json
deleted file mode 100644
index b9b14f6fd0a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies suspicious instances of default system32 executables, either unsigned or signed with non-MS certificates. This could indicate the attempt to masquerade as system executables or backdoored and resigned legitimate executables.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as System32 Executable", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and \n (process.code_signature.status : \"?*\" or process.code_signature.exists != null) and\n process.name: (\n \"agentactivationruntimestarter.exe\", \"agentservice.exe\", \"aitstatic.exe\", \"alg.exe\", \"apphostregistrationverifier.exe\", \"appidcertstorecheck.exe\", \"appidpolicyconverter.exe\", \"appidtel.exe\", \"applicationframehost.exe\", \"applysettingstemplatecatalog.exe\", \"applytrustoffline.exe\", \"approvechildrequest.exe\", \"appvclient.exe\", \"appvdllsurrogate.exe\", \"appvnice.exe\", \"appvshnotify.exe\", \"arp.exe\", \"assignedaccessguard.exe\", \"at.exe\", \"atbroker.exe\", \"attrib.exe\", \"audiodg.exe\", \"auditpol.exe\", \"authhost.exe\", \"autochk.exe\", \"autoconv.exe\", \"autofmt.exe\", \"axinstui.exe\", \"baaupdate.exe\", \"backgroundtaskhost.exe\", \"backgroundtransferhost.exe\", \"bcdboot.exe\", \"bcdedit.exe\", \"bdechangepin.exe\", \"bdehdcfg.exe\", \"bdeuisrv.exe\", \"bdeunlock.exe\", \"bioiso.exe\", \"bitlockerdeviceencryption.exe\", \"bitlockerwizard.exe\", \"bitlockerwizardelev.exe\", \"bitsadmin.exe\", \"bootcfg.exe\", \"bootim.exe\", \"bootsect.exe\", \"bridgeunattend.exe\", \"browserexport.exe\", \"browser_broker.exe\", \"bthudtask.exe\", \"bytecodegenerator.exe\", \"cacls.exe\", \"calc.exe\", \"camerasettingsuihost.exe\", \"castsrv.exe\", \"certenrollctrl.exe\", \"certreq.exe\", \"certutil.exe\", \"change.exe\", \"changepk.exe\", \"charmap.exe\", 
\"checknetisolation.exe\", \"chglogon.exe\", \"chgport.exe\", \"chgusr.exe\", \"chkdsk.exe\", \"chkntfs.exe\", \"choice.exe\", \"cidiag.exe\", \"cipher.exe\", \"cleanmgr.exe\", \"cliconfg.exe\", \"clip.exe\", \"clipup.exe\", \"cloudexperiencehostbroker.exe\", \"cloudnotifications.exe\", \"cmd.exe\", \"cmdkey.exe\", \"cmdl32.exe\", \"cmmon32.exe\", \"cmstp.exe\", \"cofire.exe\", \"colorcpl.exe\", \"comp.exe\", \"compact.exe\", \"compattelrunner.exe\", \"compmgmtlauncher.exe\", \"comppkgsrv.exe\", \"computerdefaults.exe\", \"conhost.exe\", \"consent.exe\", \"control.exe\", \"convert.exe\", \"convertvhd.exe\", \"coredpussvr.exe\", \"credentialenrollmentmanager.exe\", \"credentialuibroker.exe\", \"credwiz.exe\", \"cscript.exe\", \"csrss.exe\", \"ctfmon.exe\", \"cttune.exe\", \"cttunesvr.exe\", \"custominstallexec.exe\", \"customshellhost.exe\", \"dashost.exe\", \"dataexchangehost.exe\", \"datastorecachedumptool.exe\", \"dccw.exe\", \"dcomcnfg.exe\", \"ddodiag.exe\", \"defrag.exe\", \"deploymentcsphelper.exe\", \"desktopimgdownldr.exe\", \"devicecensus.exe\", \"devicecredentialdeployment.exe\", \"deviceeject.exe\", \"deviceenroller.exe\", \"devicepairingwizard.exe\", \"deviceproperties.exe\", \"dfdwiz.exe\", \"dfrgui.exe\", \"dialer.exe\", \"directxdatabaseupdater.exe\", \"diskpart.exe\", \"diskperf.exe\", \"diskraid.exe\", \"disksnapshot.exe\", \"dism.exe\", \"dispdiag.exe\", \"displayswitch.exe\", \"djoin.exe\", \"dllhost.exe\", \"dllhst3g.exe\", \"dmcertinst.exe\", \"dmcfghost.exe\", \"dmclient.exe\", \"dmnotificationbroker.exe\", \"dmomacpmo.exe\", \"dnscacheugc.exe\", \"doskey.exe\", \"dpapimig.exe\", \"dpiscaling.exe\", \"dpnsvr.exe\", \"driverquery.exe\", \"drvinst.exe\", \"dsmusertask.exe\", \"dsregcmd.exe\", \"dstokenclean.exe\", \"dusmtask.exe\", \"dvdplay.exe\", \"dwm.exe\", \"dwwin.exe\", \"dxdiag.exe\", \"dxgiadaptercache.exe\", \"dxpserver.exe\", \"eap3host.exe\", \"easeofaccessdialog.exe\", \"easinvoker.exe\", \"easpolicymanagerbrokerhost.exe\", 
\"edpcleanup.exe\", \"edpnotify.exe\", \"eduprintprov.exe\", \"efsui.exe\", \"ehstorauthn.exe\", \"eoaexperiences.exe\", \"esentutl.exe\", \"eudcedit.exe\", \"eventcreate.exe\", \"eventvwr.exe\", \"expand.exe\", \"extrac32.exe\", \"fc.exe\", \"fclip.exe\", \"fhmanagew.exe\", \"filehistory.exe\", \"find.exe\", \"findstr.exe\", \"finger.exe\", \"fixmapi.exe\", \"fltmc.exe\", \"fodhelper.exe\", \"fondue.exe\", \"fontdrvhost.exe\", \"fontview.exe\", \"forfiles.exe\", \"fsavailux.exe\", \"fsiso.exe\", \"fsquirt.exe\", \"fsutil.exe\", \"ftp.exe\", \"fvenotify.exe\", \"fveprompt.exe\", \"gamebarpresencewriter.exe\", \"gamepanel.exe\", \"genvalobj.exe\", \"getmac.exe\", \"gpresult.exe\", \"gpscript.exe\", \"gpupdate.exe\", \"grpconv.exe\", \"hdwwiz.exe\", \"help.exe\", \"hostname.exe\", \"hvax64.exe\", \"hvix64.exe\", \"hvsievaluator.exe\", \"icacls.exe\", \"icsentitlementhost.exe\", \"icsunattend.exe\", \"ie4uinit.exe\", \"ie4ushowie.exe\", \"iesettingsync.exe\", \"ieunatt.exe\", \"iexpress.exe\", \"immersivetpmvscmgrsvr.exe\", \"infdefaultinstall.exe\", \"inputswitchtoasthandler.exe\", \"iotstartup.exe\", \"ipconfig.exe\", \"iscsicli.exe\", \"iscsicpl.exe\", \"isoburn.exe\", \"klist.exe\", \"ksetup.exe\", \"ktmutil.exe\", \"label.exe\", \"languagecomponentsinstallercomhandler.exe\", \"launchtm.exe\", \"launchwinapp.exe\", \"legacynetuxhost.exe\", \"licensemanagershellext.exe\", \"licensingdiag.exe\", \"licensingui.exe\", \"locationnotificationwindows.exe\", \"locator.exe\", \"lockapphost.exe\", \"lockscreencontentserver.exe\", \"lodctr.exe\", \"logagent.exe\", \"logman.exe\", \"logoff.exe\", \"logonui.exe\", \"lpkinstall.exe\", \"lpksetup.exe\", \"lpremove.exe\", \"lsaiso.exe\", \"lsass.exe\", \"magnify.exe\", \"makecab.exe\", \"manage-bde.exe\", \"mavinject.exe\", \"mbaeparsertask.exe\", \"mblctr.exe\", \"mbr2gpt.exe\", \"mcbuilder.exe\", \"mdeserver.exe\", \"mdmagent.exe\", \"mdmappinstaller.exe\", \"mdmdiagnosticstool.exe\", \"mdres.exe\", \"mdsched.exe\", 
\"mfpmp.exe\", \"microsoft.uev.cscunpintool.exe\", \"microsoft.uev.synccontroller.exe\", \"microsoftedgebchost.exe\", \"microsoftedgecp.exe\", \"microsoftedgedevtools.exe\", \"microsoftedgesh.exe\", \"mmc.exe\", \"mmgaserver.exe\", \"mobsync.exe\", \"mountvol.exe\", \"mousocoreworker.exe\", \"mpnotify.exe\", \"mpsigstub.exe\", \"mrinfo.exe\", \"mschedexe.exe\", \"msconfig.exe\", \"msdt.exe\", \"msdtc.exe\", \"msfeedssync.exe\", \"msg.exe\", \"mshta.exe\", \"msiexec.exe\", \"msinfo32.exe\", \"mspaint.exe\", \"msra.exe\", \"msspellcheckinghost.exe\", \"mstsc.exe\", \"mtstocom.exe\", \"muiunattend.exe\", \"multidigimon.exe\", \"musnotification.exe\", \"musnotificationux.exe\", \"musnotifyicon.exe\", \"narrator.exe\", \"nbtstat.exe\", \"ndadmin.exe\", \"ndkping.exe\", \"net.exe\", \"net1.exe\", \"netbtugc.exe\", \"netcfg.exe\", \"netcfgnotifyobjecthost.exe\", \"netevtfwdr.exe\", \"nethost.exe\", \"netiougc.exe\", \"netplwiz.exe\", \"netsh.exe\", \"netstat.exe\", \"newdev.exe\", \"ngciso.exe\", \"nltest.exe\", \"notepad.exe\", \"nslookup.exe\", \"ntoskrnl.exe\", \"ntprint.exe\", \"odbcad32.exe\", \"odbcconf.exe\", \"ofdeploy.exe\", \"omadmclient.exe\", \"omadmprc.exe\", \"openfiles.exe\", \"openwith.exe\", \"optionalfeatures.exe\", \"osk.exe\", \"pacjsworker.exe\", \"packagedcwalauncher.exe\", \"packageinspector.exe\", \"passwordonwakesettingflyout.exe\", \"pathping.exe\", \"pcalua.exe\", \"pcaui.exe\", \"pcwrun.exe\", \"perfmon.exe\", \"phoneactivate.exe\", \"pickerhost.exe\", \"pinenrollmentbroker.exe\", \"ping.exe\", \"pkgmgr.exe\", \"pktmon.exe\", \"plasrv.exe\", \"pnpunattend.exe\", \"pnputil.exe\", \"poqexec.exe\", \"pospaymentsworker.exe\", \"powercfg.exe\", \"presentationhost.exe\", \"presentationsettings.exe\", \"prevhost.exe\", \"printbrmui.exe\", \"printfilterpipelinesvc.exe\", \"printisolationhost.exe\", \"printui.exe\", \"proquota.exe\", \"provlaunch.exe\", \"provtool.exe\", \"proximityuxhost.exe\", \"prproc.exe\", \"psr.exe\", \"pwlauncher.exe\", 
\"qappsrv.exe\", \"qprocess.exe\", \"query.exe\", \"quser.exe\", \"qwinsta.exe\", \"rasautou.exe\", \"rasdial.exe\", \"raserver.exe\", \"rasphone.exe\", \"rdpclip.exe\", \"rdpinit.exe\", \"rdpinput.exe\", \"rdpsa.exe\", \"rdpsaproxy.exe\", \"rdpsauachelper.exe\", \"rdpshell.exe\", \"rdpsign.exe\", \"rdrleakdiag.exe\", \"reagentc.exe\", \"recdisc.exe\", \"recover.exe\", \"recoverydrive.exe\", \"refsutil.exe\", \"reg.exe\", \"regedt32.exe\", \"regini.exe\", \"register-cimprovider.exe\", \"regsvr32.exe\", \"rekeywiz.exe\", \"relog.exe\", \"relpost.exe\", \"remoteapplifetimemanager.exe\", \"remoteposworker.exe\", \"repair-bde.exe\", \"replace.exe\", \"reset.exe\", \"resetengine.exe\", \"resmon.exe\", \"rmactivate.exe\", \"rmactivate_isv.exe\", \"rmactivate_ssp.exe\", \"rmactivate_ssp_isv.exe\", \"rmclient.exe\", \"rmttpmvscmgrsvr.exe\", \"robocopy.exe\", \"route.exe\", \"rpcping.exe\", \"rrinstaller.exe\", \"rstrui.exe\", \"runas.exe\", \"rundll32.exe\", \"runexehelper.exe\", \"runlegacycplelevated.exe\", \"runonce.exe\", \"runtimebroker.exe\", \"rwinsta.exe\", \"sc.exe\", \"schtasks.exe\", \"scriptrunner.exe\", \"sdbinst.exe\", \"sdchange.exe\", \"sdclt.exe\", \"sdiagnhost.exe\", \"searchfilterhost.exe\", \"searchindexer.exe\", \"searchprotocolhost.exe\", \"secedit.exe\", \"secinit.exe\", \"securekernel.exe\", \"securityhealthhost.exe\", \"securityhealthservice.exe\", \"securityhealthsystray.exe\", \"sensordataservice.exe\", \"services.exe\", \"sessionmsg.exe\", \"sethc.exe\", \"setspn.exe\", \"settingsynchost.exe\", \"setupcl.exe\", \"setupugc.exe\", \"setx.exe\", \"sfc.exe\", \"sgrmbroker.exe\", \"sgrmlpac.exe\", \"shellappruntime.exe\", \"shrpubw.exe\", \"shutdown.exe\", \"sigverif.exe\", \"sihclient.exe\", \"sihost.exe\", \"slidetoshutdown.exe\", \"slui.exe\", \"smartscreen.exe\", \"smss.exe\", \"sndvol.exe\", \"snippingtool.exe\", \"snmptrap.exe\", \"sort.exe\", \"spaceagent.exe\", \"spaceman.exe\", \"spatialaudiolicensesrv.exe\", \"spectrum.exe\", 
\"spoolsv.exe\", \"sppextcomobj.exe\", \"sppsvc.exe\", \"srdelayed.exe\", \"srtasks.exe\", \"stordiag.exe\", \"subst.exe\", \"svchost.exe\", \"sxstrace.exe\", \"syncappvpublishingserver.exe\", \"synchost.exe\", \"sysreseterr.exe\", \"systeminfo.exe\", \"systempropertiesadvanced.exe\", \"systempropertiescomputername.exe\", \"systempropertiesdataexecutionprevention.exe\", \"systempropertieshardware.exe\", \"systempropertiesperformance.exe\", \"systempropertiesprotection.exe\", \"systempropertiesremote.exe\", \"systemreset.exe\", \"systemsettingsadminflows.exe\", \"systemsettingsbroker.exe\", \"systemsettingsremovedevice.exe\", \"systemuwplauncher.exe\", \"systray.exe\", \"tabcal.exe\", \"takeown.exe\", \"tapiunattend.exe\", \"tar.exe\", \"taskhostw.exe\", \"taskkill.exe\", \"tasklist.exe\", \"taskmgr.exe\", \"tcblaunch.exe\", \"tcmsetup.exe\", \"tcpsvcs.exe\", \"thumbnailextractionhost.exe\", \"tieringengineservice.exe\", \"timeout.exe\", \"tokenbrokercookies.exe\", \"tpminit.exe\", \"tpmtool.exe\", \"tpmvscmgr.exe\", \"tpmvscmgrsvr.exe\", \"tracerpt.exe\", \"tracert.exe\", \"tscon.exe\", \"tsdiscon.exe\", \"tskill.exe\", \"tstheme.exe\", \"tswbprxy.exe\", \"ttdinject.exe\", \"tttracer.exe\", \"typeperf.exe\", \"tzsync.exe\", \"tzutil.exe\", \"ucsvc.exe\", \"uevagentpolicygenerator.exe\", \"uevappmonitor.exe\", \"uevtemplatebaselinegenerator.exe\", \"uevtemplateconfigitemgenerator.exe\", \"uimgrbroker.exe\", \"unlodctr.exe\", \"unregmp2.exe\", \"upfc.exe\", \"upgraderesultsui.exe\", \"upnpcont.exe\", \"upprinterinstaller.exe\", \"useraccountbroker.exe\", \"useraccountcontrolsettings.exe\", \"userinit.exe\", \"usoclient.exe\", \"utcdecoderhost.exe\", \"utilman.exe\", \"vaultcmd.exe\", \"vds.exe\", \"vdsldr.exe\", \"verclsid.exe\", \"verifier.exe\", \"verifiergui.exe\", \"vssadmin.exe\", \"vssvc.exe\", \"w32tm.exe\", \"waasmedicagent.exe\", \"waitfor.exe\", \"wallpaperhost.exe\", \"wbadmin.exe\", \"wbengine.exe\", \"wecutil.exe\", \"werfault.exe\", 
\"werfaultsecure.exe\", \"wermgr.exe\", \"wevtutil.exe\", \"wextract.exe\", \"where.exe\", \"whoami.exe\", \"wiaacmgr.exe\", \"wiawow64.exe\", \"wifitask.exe\", \"wimserv.exe\", \"winbiodatamodeloobe.exe\", \"windows.media.backgroundplayback.exe\", \"windows.warp.jitservice.exe\", \"windowsactiondialog.exe\", \"windowsupdateelevatedinstaller.exe\", \"wininit.exe\", \"winload.exe\", \"winlogon.exe\", \"winresume.exe\", \"winrs.exe\", \"winrshost.exe\", \"winrtnetmuahostserver.exe\", \"winsat.exe\", \"winver.exe\", \"wkspbroker.exe\", \"wksprt.exe\", \"wlanext.exe\", \"wlrmdr.exe\", \"wmpdmc.exe\", \"workfolders.exe\", \"wowreg32.exe\", \"wpcmon.exe\", \"wpctok.exe\", \"wpdshextautoplay.exe\", \"wpnpinst.exe\", \"wpr.exe\", \"write.exe\", \"wscadminui.exe\", \"wscollect.exe\", \"wscript.exe\", \"wsl.exe\", \"wsmanhttpconfig.exe\", \"wsmprovhost.exe\", \"wsqmcons.exe\", \"wsreset.exe\", \"wuapihost.exe\", \"wuauclt.exe\", \"wudfcompanionhost.exe\", \"wudfhost.exe\", \"wusa.exe\", \"wwahost.exe\", \"xblgamesavetask.exe\", \"xcopy.exe\", \"xwizard.exe\", \"aggregatorhost.exe\", \"diskusage.exe\", \"dtdump.exe\", \"ism.exe\", \"ndkperfcmd.exe\", \"ntkrla57.exe\", \"securekernella57.exe\", \"spaceutil.exe\", \"configure-smremoting.exe\", \"dcgpofix.exe\", \"dcpromo.exe\", \"dimc.exe\", \"diskshadow.exe\", \"drvcfg.exe\", \"escunattend.exe\", \"iashost.exe\", \"ktpass.exe\", \"lbfoadmin.exe\", \"netdom.exe\", \"rdspnf.exe\", \"rsopprov.exe\", \"sacsess.exe\", \"servermanager.exe\", \"servermanagerlauncher.exe\", \"setres.exe\", \"tsecimp.exe\", \"vssuirun.exe\", \"webcache.exe\", \"win32calc.exe\", \"certoc.exe\", \"sdndiagnosticstask.exe\", \"xpsrchvw.exe\"\n ) and\n not (\n process.code_signature.subject_name in (\n \"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Publisher\"\n ) and process.code_signature.trusted == true\n ) and not process.code_signature.status: (\"errorCode_endpoint*\", \"errorUntrustedRoot\", \"errorChaining\") and\n not\n 
(\n process.executable: (\n \"?:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\hostname.exe\",\n \"?:\\\\Windows\\\\Temp\\\\{*}\\\\taskkill.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\{*}\\\\taskkill.exe\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\System32\\\\ie4ushowIE.exe\",\n \"?:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\find.exe\"\n )\n ) and\n not\n (\n (process.name: \"ucsvc.exe\" and process.code_signature.subject_name == \"Wellbia.com Co., Ltd.\" and process.code_signature.status: \"trusted\") or\n (process.name: \"pnputil.exe\" and process.code_signature.subject_name: \"Lenovo\" and process.code_signature.status: \"trusted\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47", "severity": "low", "tags": ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}, {"id": "T1036.005", "name": "Match 
Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_4.json b/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_4.json
deleted file mode 100644
index 942a6c94c30..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies suspicious instances of default system32 executables, either unsigned or signed with non-MS certificates. This could indicate the attempt to masquerade as system executables or backdoored and resigned legitimate executables.", "from": "now-9m", "index": ["logs-endpoint.events.process-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as System32 Executable", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and \n (process.code_signature.status : \"?*\" or process.code_signature.exists != null) and\n process.name: (\n \"agentactivationruntimestarter.exe\", \"agentservice.exe\", \"aitstatic.exe\", \"alg.exe\", \"apphostregistrationverifier.exe\", \"appidcertstorecheck.exe\", \"appidpolicyconverter.exe\", \"appidtel.exe\", \"applicationframehost.exe\", \"applysettingstemplatecatalog.exe\", \"applytrustoffline.exe\", \"approvechildrequest.exe\", \"appvclient.exe\", \"appvdllsurrogate.exe\", \"appvnice.exe\", \"appvshnotify.exe\", \"arp.exe\", \"assignedaccessguard.exe\", \"at.exe\", \"atbroker.exe\", \"attrib.exe\", \"audiodg.exe\", \"auditpol.exe\", \"authhost.exe\", \"autochk.exe\", \"autoconv.exe\", \"autofmt.exe\", \"axinstui.exe\", \"baaupdate.exe\", \"backgroundtaskhost.exe\", \"backgroundtransferhost.exe\", \"bcdboot.exe\", \"bcdedit.exe\", \"bdechangepin.exe\", \"bdehdcfg.exe\", \"bdeuisrv.exe\", \"bdeunlock.exe\", \"bioiso.exe\", \"bitlockerdeviceencryption.exe\", \"bitlockerwizard.exe\", \"bitlockerwizardelev.exe\", \"bitsadmin.exe\", \"bootcfg.exe\", \"bootim.exe\", \"bootsect.exe\", \"bridgeunattend.exe\", \"browserexport.exe\", \"browser_broker.exe\", \"bthudtask.exe\", \"bytecodegenerator.exe\", \"cacls.exe\", \"calc.exe\", \"camerasettingsuihost.exe\", \"castsrv.exe\", \"certenrollctrl.exe\", \"certreq.exe\", \"certutil.exe\", \"change.exe\", \"changepk.exe\", 
\"charmap.exe\", \"checknetisolation.exe\", \"chglogon.exe\", \"chgport.exe\", \"chgusr.exe\", \"chkdsk.exe\", \"chkntfs.exe\", \"choice.exe\", \"cidiag.exe\", \"cipher.exe\", \"cleanmgr.exe\", \"cliconfg.exe\", \"clip.exe\", \"clipup.exe\", \"cloudexperiencehostbroker.exe\", \"cloudnotifications.exe\", \"cmd.exe\", \"cmdkey.exe\", \"cmdl32.exe\", \"cmmon32.exe\", \"cmstp.exe\", \"cofire.exe\", \"colorcpl.exe\", \"comp.exe\", \"compact.exe\", \"compattelrunner.exe\", \"compmgmtlauncher.exe\", \"comppkgsrv.exe\", \"computerdefaults.exe\", \"conhost.exe\", \"consent.exe\", \"control.exe\", \"convert.exe\", \"convertvhd.exe\", \"coredpussvr.exe\", \"credentialenrollmentmanager.exe\", \"credentialuibroker.exe\", \"credwiz.exe\", \"cscript.exe\", \"csrss.exe\", \"ctfmon.exe\", \"cttune.exe\", \"cttunesvr.exe\", \"custominstallexec.exe\", \"customshellhost.exe\", \"dashost.exe\", \"dataexchangehost.exe\", \"datastorecachedumptool.exe\", \"dccw.exe\", \"dcomcnfg.exe\", \"ddodiag.exe\", \"defrag.exe\", \"deploymentcsphelper.exe\", \"desktopimgdownldr.exe\", \"devicecensus.exe\", \"devicecredentialdeployment.exe\", \"deviceeject.exe\", \"deviceenroller.exe\", \"devicepairingwizard.exe\", \"deviceproperties.exe\", \"dfdwiz.exe\", \"dfrgui.exe\", \"dialer.exe\", \"directxdatabaseupdater.exe\", \"diskpart.exe\", \"diskperf.exe\", \"diskraid.exe\", \"disksnapshot.exe\", \"dism.exe\", \"dispdiag.exe\", \"displayswitch.exe\", \"djoin.exe\", \"dllhost.exe\", \"dllhst3g.exe\", \"dmcertinst.exe\", \"dmcfghost.exe\", \"dmclient.exe\", \"dmnotificationbroker.exe\", \"dmomacpmo.exe\", \"dnscacheugc.exe\", \"doskey.exe\", \"dpapimig.exe\", \"dpiscaling.exe\", \"dpnsvr.exe\", \"driverquery.exe\", \"drvinst.exe\", \"dsmusertask.exe\", \"dsregcmd.exe\", \"dstokenclean.exe\", \"dusmtask.exe\", \"dvdplay.exe\", \"dwm.exe\", \"dwwin.exe\", \"dxdiag.exe\", \"dxgiadaptercache.exe\", \"dxpserver.exe\", \"eap3host.exe\", \"easeofaccessdialog.exe\", \"easinvoker.exe\", 
\"easpolicymanagerbrokerhost.exe\", \"edpcleanup.exe\", \"edpnotify.exe\", \"eduprintprov.exe\", \"efsui.exe\", \"ehstorauthn.exe\", \"eoaexperiences.exe\", \"esentutl.exe\", \"eudcedit.exe\", \"eventcreate.exe\", \"eventvwr.exe\", \"expand.exe\", \"extrac32.exe\", \"fc.exe\", \"fclip.exe\", \"fhmanagew.exe\", \"filehistory.exe\", \"find.exe\", \"findstr.exe\", \"finger.exe\", \"fixmapi.exe\", \"fltmc.exe\", \"fodhelper.exe\", \"fondue.exe\", \"fontdrvhost.exe\", \"fontview.exe\", \"forfiles.exe\", \"fsavailux.exe\", \"fsiso.exe\", \"fsquirt.exe\", \"fsutil.exe\", \"ftp.exe\", \"fvenotify.exe\", \"fveprompt.exe\", \"gamebarpresencewriter.exe\", \"gamepanel.exe\", \"genvalobj.exe\", \"getmac.exe\", \"gpresult.exe\", \"gpscript.exe\", \"gpupdate.exe\", \"grpconv.exe\", \"hdwwiz.exe\", \"help.exe\", \"hostname.exe\", \"hvax64.exe\", \"hvix64.exe\", \"hvsievaluator.exe\", \"icacls.exe\", \"icsentitlementhost.exe\", \"icsunattend.exe\", \"ie4uinit.exe\", \"ie4ushowie.exe\", \"iesettingsync.exe\", \"ieunatt.exe\", \"iexpress.exe\", \"immersivetpmvscmgrsvr.exe\", \"infdefaultinstall.exe\", \"inputswitchtoasthandler.exe\", \"iotstartup.exe\", \"ipconfig.exe\", \"iscsicli.exe\", \"iscsicpl.exe\", \"isoburn.exe\", \"klist.exe\", \"ksetup.exe\", \"ktmutil.exe\", \"label.exe\", \"languagecomponentsinstallercomhandler.exe\", \"launchtm.exe\", \"launchwinapp.exe\", \"legacynetuxhost.exe\", \"licensemanagershellext.exe\", \"licensingdiag.exe\", \"licensingui.exe\", \"locationnotificationwindows.exe\", \"locator.exe\", \"lockapphost.exe\", \"lockscreencontentserver.exe\", \"lodctr.exe\", \"logagent.exe\", \"logman.exe\", \"logoff.exe\", \"logonui.exe\", \"lpkinstall.exe\", \"lpksetup.exe\", \"lpremove.exe\", \"lsaiso.exe\", \"lsass.exe\", \"magnify.exe\", \"makecab.exe\", \"manage-bde.exe\", \"mavinject.exe\", \"mbaeparsertask.exe\", \"mblctr.exe\", \"mbr2gpt.exe\", \"mcbuilder.exe\", \"mdeserver.exe\", \"mdmagent.exe\", \"mdmappinstaller.exe\", \"mdmdiagnosticstool.exe\", 
\"mdres.exe\", \"mdsched.exe\", \"mfpmp.exe\", \"microsoft.uev.cscunpintool.exe\", \"microsoft.uev.synccontroller.exe\", \"microsoftedgebchost.exe\", \"microsoftedgecp.exe\", \"microsoftedgedevtools.exe\", \"microsoftedgesh.exe\", \"mmc.exe\", \"mmgaserver.exe\", \"mobsync.exe\", \"mountvol.exe\", \"mousocoreworker.exe\", \"mpnotify.exe\", \"mpsigstub.exe\", \"mrinfo.exe\", \"mschedexe.exe\", \"msconfig.exe\", \"msdt.exe\", \"msdtc.exe\", \"msfeedssync.exe\", \"msg.exe\", \"mshta.exe\", \"msiexec.exe\", \"msinfo32.exe\", \"mspaint.exe\", \"msra.exe\", \"msspellcheckinghost.exe\", \"mstsc.exe\", \"mtstocom.exe\", \"muiunattend.exe\", \"multidigimon.exe\", \"musnotification.exe\", \"musnotificationux.exe\", \"musnotifyicon.exe\", \"narrator.exe\", \"nbtstat.exe\", \"ndadmin.exe\", \"ndkping.exe\", \"net.exe\", \"net1.exe\", \"netbtugc.exe\", \"netcfg.exe\", \"netcfgnotifyobjecthost.exe\", \"netevtfwdr.exe\", \"nethost.exe\", \"netiougc.exe\", \"netplwiz.exe\", \"netsh.exe\", \"netstat.exe\", \"newdev.exe\", \"ngciso.exe\", \"nltest.exe\", \"notepad.exe\", \"nslookup.exe\", \"ntoskrnl.exe\", \"ntprint.exe\", \"odbcad32.exe\", \"odbcconf.exe\", \"ofdeploy.exe\", \"omadmclient.exe\", \"omadmprc.exe\", \"openfiles.exe\", \"openwith.exe\", \"optionalfeatures.exe\", \"osk.exe\", \"pacjsworker.exe\", \"packagedcwalauncher.exe\", \"packageinspector.exe\", \"passwordonwakesettingflyout.exe\", \"pathping.exe\", \"pcalua.exe\", \"pcaui.exe\", \"pcwrun.exe\", \"perfmon.exe\", \"phoneactivate.exe\", \"pickerhost.exe\", \"pinenrollmentbroker.exe\", \"ping.exe\", \"pkgmgr.exe\", \"pktmon.exe\", \"plasrv.exe\", \"pnpunattend.exe\", \"pnputil.exe\", \"poqexec.exe\", \"pospaymentsworker.exe\", \"powercfg.exe\", \"presentationhost.exe\", \"presentationsettings.exe\", \"prevhost.exe\", \"printbrmui.exe\", \"printfilterpipelinesvc.exe\", \"printisolationhost.exe\", \"printui.exe\", \"proquota.exe\", \"provlaunch.exe\", \"provtool.exe\", \"proximityuxhost.exe\", \"prproc.exe\", 
\"psr.exe\", \"pwlauncher.exe\", \"qappsrv.exe\", \"qprocess.exe\", \"query.exe\", \"quser.exe\", \"qwinsta.exe\", \"rasautou.exe\", \"rasdial.exe\", \"raserver.exe\", \"rasphone.exe\", \"rdpclip.exe\", \"rdpinit.exe\", \"rdpinput.exe\", \"rdpsa.exe\", \"rdpsaproxy.exe\", \"rdpsauachelper.exe\", \"rdpshell.exe\", \"rdpsign.exe\", \"rdrleakdiag.exe\", \"reagentc.exe\", \"recdisc.exe\", \"recover.exe\", \"recoverydrive.exe\", \"refsutil.exe\", \"reg.exe\", \"regedt32.exe\", \"regini.exe\", \"register-cimprovider.exe\", \"regsvr32.exe\", \"rekeywiz.exe\", \"relog.exe\", \"relpost.exe\", \"remoteapplifetimemanager.exe\", \"remoteposworker.exe\", \"repair-bde.exe\", \"replace.exe\", \"reset.exe\", \"resetengine.exe\", \"resmon.exe\", \"rmactivate.exe\", \"rmactivate_isv.exe\", \"rmactivate_ssp.exe\", \"rmactivate_ssp_isv.exe\", \"rmclient.exe\", \"rmttpmvscmgrsvr.exe\", \"robocopy.exe\", \"route.exe\", \"rpcping.exe\", \"rrinstaller.exe\", \"rstrui.exe\", \"runas.exe\", \"rundll32.exe\", \"runexehelper.exe\", \"runlegacycplelevated.exe\", \"runonce.exe\", \"runtimebroker.exe\", \"rwinsta.exe\", \"sc.exe\", \"schtasks.exe\", \"scriptrunner.exe\", \"sdbinst.exe\", \"sdchange.exe\", \"sdclt.exe\", \"sdiagnhost.exe\", \"searchfilterhost.exe\", \"searchindexer.exe\", \"searchprotocolhost.exe\", \"secedit.exe\", \"secinit.exe\", \"securekernel.exe\", \"securityhealthhost.exe\", \"securityhealthservice.exe\", \"securityhealthsystray.exe\", \"sensordataservice.exe\", \"services.exe\", \"sessionmsg.exe\", \"sethc.exe\", \"setspn.exe\", \"settingsynchost.exe\", \"setupcl.exe\", \"setupugc.exe\", \"setx.exe\", \"sfc.exe\", \"sgrmbroker.exe\", \"sgrmlpac.exe\", \"shellappruntime.exe\", \"shrpubw.exe\", \"shutdown.exe\", \"sigverif.exe\", \"sihclient.exe\", \"sihost.exe\", \"slidetoshutdown.exe\", \"slui.exe\", \"smartscreen.exe\", \"smss.exe\", \"sndvol.exe\", \"snippingtool.exe\", \"snmptrap.exe\", \"sort.exe\", \"spaceagent.exe\", \"spaceman.exe\", \"spatialaudiolicensesrv.exe\", 
\"spectrum.exe\", \"spoolsv.exe\", \"sppextcomobj.exe\", \"sppsvc.exe\", \"srdelayed.exe\", \"srtasks.exe\", \"stordiag.exe\", \"subst.exe\", \"svchost.exe\", \"sxstrace.exe\", \"syncappvpublishingserver.exe\", \"synchost.exe\", \"sysreseterr.exe\", \"systeminfo.exe\", \"systempropertiesadvanced.exe\", \"systempropertiescomputername.exe\", \"systempropertiesdataexecutionprevention.exe\", \"systempropertieshardware.exe\", \"systempropertiesperformance.exe\", \"systempropertiesprotection.exe\", \"systempropertiesremote.exe\", \"systemreset.exe\", \"systemsettingsadminflows.exe\", \"systemsettingsbroker.exe\", \"systemsettingsremovedevice.exe\", \"systemuwplauncher.exe\", \"systray.exe\", \"tabcal.exe\", \"takeown.exe\", \"tapiunattend.exe\", \"tar.exe\", \"taskhostw.exe\", \"taskkill.exe\", \"tasklist.exe\", \"taskmgr.exe\", \"tcblaunch.exe\", \"tcmsetup.exe\", \"tcpsvcs.exe\", \"thumbnailextractionhost.exe\", \"tieringengineservice.exe\", \"timeout.exe\", \"tokenbrokercookies.exe\", \"tpminit.exe\", \"tpmtool.exe\", \"tpmvscmgr.exe\", \"tpmvscmgrsvr.exe\", \"tracerpt.exe\", \"tracert.exe\", \"tscon.exe\", \"tsdiscon.exe\", \"tskill.exe\", \"tstheme.exe\", \"tswbprxy.exe\", \"ttdinject.exe\", \"tttracer.exe\", \"typeperf.exe\", \"tzsync.exe\", \"tzutil.exe\", \"ucsvc.exe\", \"uevagentpolicygenerator.exe\", \"uevappmonitor.exe\", \"uevtemplatebaselinegenerator.exe\", \"uevtemplateconfigitemgenerator.exe\", \"uimgrbroker.exe\", \"unlodctr.exe\", \"unregmp2.exe\", \"upfc.exe\", \"upgraderesultsui.exe\", \"upnpcont.exe\", \"upprinterinstaller.exe\", \"useraccountbroker.exe\", \"useraccountcontrolsettings.exe\", \"userinit.exe\", \"usoclient.exe\", \"utcdecoderhost.exe\", \"utilman.exe\", \"vaultcmd.exe\", \"vds.exe\", \"vdsldr.exe\", \"verclsid.exe\", \"verifier.exe\", \"verifiergui.exe\", \"vssadmin.exe\", \"vssvc.exe\", \"w32tm.exe\", \"waasmedicagent.exe\", \"waitfor.exe\", \"wallpaperhost.exe\", \"wbadmin.exe\", \"wbengine.exe\", \"wecutil.exe\", \"werfault.exe\", 
\"werfaultsecure.exe\", \"wermgr.exe\", \"wevtutil.exe\", \"wextract.exe\", \"where.exe\", \"whoami.exe\", \"wiaacmgr.exe\", \"wiawow64.exe\", \"wifitask.exe\", \"wimserv.exe\", \"winbiodatamodeloobe.exe\", \"windows.media.backgroundplayback.exe\", \"windows.warp.jitservice.exe\", \"windowsactiondialog.exe\", \"windowsupdateelevatedinstaller.exe\", \"wininit.exe\", \"winload.exe\", \"winlogon.exe\", \"winresume.exe\", \"winrs.exe\", \"winrshost.exe\", \"winrtnetmuahostserver.exe\", \"winsat.exe\", \"winver.exe\", \"wkspbroker.exe\", \"wksprt.exe\", \"wlanext.exe\", \"wlrmdr.exe\", \"wmpdmc.exe\", \"workfolders.exe\", \"wowreg32.exe\", \"wpcmon.exe\", \"wpctok.exe\", \"wpdshextautoplay.exe\", \"wpnpinst.exe\", \"wpr.exe\", \"write.exe\", \"wscadminui.exe\", \"wscollect.exe\", \"wscript.exe\", \"wsl.exe\", \"wsmanhttpconfig.exe\", \"wsmprovhost.exe\", \"wsqmcons.exe\", \"wsreset.exe\", \"wuapihost.exe\", \"wuauclt.exe\", \"wudfcompanionhost.exe\", \"wudfhost.exe\", \"wusa.exe\", \"wwahost.exe\", \"xblgamesavetask.exe\", \"xcopy.exe\", \"xwizard.exe\", \"aggregatorhost.exe\", \"diskusage.exe\", \"dtdump.exe\", \"ism.exe\", \"ndkperfcmd.exe\", \"ntkrla57.exe\", \"securekernella57.exe\", \"spaceutil.exe\", \"configure-smremoting.exe\", \"dcgpofix.exe\", \"dcpromo.exe\", \"dimc.exe\", \"diskshadow.exe\", \"drvcfg.exe\", \"escunattend.exe\", \"iashost.exe\", \"ktpass.exe\", \"lbfoadmin.exe\", \"netdom.exe\", \"rdspnf.exe\", \"rsopprov.exe\", \"sacsess.exe\", \"servermanager.exe\", \"servermanagerlauncher.exe\", \"setres.exe\", \"tsecimp.exe\", \"vssuirun.exe\", \"webcache.exe\", \"win32calc.exe\", \"certoc.exe\", \"sdndiagnosticstask.exe\", \"xpsrchvw.exe\"\n ) and\n not (\n process.code_signature.subject_name in (\n \"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Publisher\"\n ) and process.code_signature.trusted == true\n ) and not process.code_signature.status: (\"errorCode_endpoint*\", \"errorUntrustedRoot\", \"errorChaining\") and\n not\n 
(\n process.executable: (\n \"?:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\hostname.exe\",\n \"?:\\\\Windows\\\\Temp\\\\{*}\\\\taskkill.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\{*}\\\\taskkill.exe\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\System32\\\\ie4ushowIE.exe\",\n \"?:\\\\Program Files\\\\Git\\\\usr\\\\bin\\\\find.exe\",\n \"?:\\\\Program Files (x86)\\\\Axence\\\\nVision Agent 2\\\\nss\\\\certutil.exe\"\n )\n ) and\n not\n (\n (process.name: \"ucsvc.exe\" and process.code_signature.subject_name == \"Wellbia.com Co., Ltd.\" and process.code_signature.status: \"trusted\") or\n (process.name: \"pnputil.exe\" and process.code_signature.subject_name: (\"Lenovo\", \"HP Inc.\", \"Dell Inc\") and process.code_signature.status: \"trusted\") or\n (process.name: \"convert.exe\" and process.code_signature.subject_name: \"ImageMagick Studio LLC\" and process.code_signature.status: \"trusted\") or\n (process.name: \"systeminfo.exe\" and process.code_signature.subject_name: \"Arctic Wolf Networks, Inc.\" and process.code_signature.status: \"trusted\") or\n (\n process.name: \"certutil.exe\" and\n process.code_signature.subject_name: (\n \"Intel(R) Online Connect Access\",\n \"Fortinet Technologies (Canada) ULC\"\n ) and process.code_signature.status: \"trusted\"\n ) or\n (\n process.name: \"sfc.exe\" and\n process.code_signature.subject_name: (\n \"Cisco Systems, Inc.\",\n \"CISCO SYSTEMS CANADA CO\"\n ) and process.code_signature.status: \"trusted\"\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", 
"type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47", "severity": "low", "tags": ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}, {"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c.json b/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c.json deleted file mode 100644 index f72897a4fd9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a remote URL.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential File Transfer via Certreq", "note": "## Triage and analysis\n\n### Investigating Potential File Transfer via Certreq\n\nCertreq is a command-line utility in Windows operating systems that allows users to request and manage certificates from certificate authorities. It is primarily used for generating certificate signing requests (CSRs) and installing certificates. However, adversaries may abuse Certreq's functionality to download files or upload data to a remote URL by making an HTTP POST request.\n\nThis rule identifies the potential abuse of Certreq to download files or upload data to a remote URL.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the details of the dropped file, and whether it was executed.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services 
WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"CertReq.exe\" or ?process.pe.original_file_name == \"CertReq.exe\") and process.args : \"-Post\"\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Certreq/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": 
"https://attack.mitre.org/techniques/T1218/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1567", "name": "Exfiltration Over Web Service", "reference": "https://attack.mitre.org/techniques/T1567/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 9}, "id": "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_2.json b/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_2.json deleted file mode 100644 index dac267e9c41..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to exfiltrate data to a remote URL.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Exfiltration via Certreq", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"CertReq.exe\" or process.pe.original_file_name == \"CertReq.exe\") and process.args : \"-Post\"\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Certreq/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Command and Control", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_2", 
"type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_209.json b/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_209.json deleted file mode 100644 index 241456e7469..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_209.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a remote URL.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential File Transfer via Certreq", "note": "## Triage and analysis\n\n### Investigating Potential File Transfer via Certreq\n\nCertreq is a command-line utility in Windows operating systems that allows users to request and manage certificates from certificate authorities. It is primarily used for generating certificate signing requests (CSRs) and installing certificates. However, adversaries may abuse Certreq's functionality to download files or upload data to a remote URL by making an HTTP POST request.\n\nThis rule identifies the potential abuse of Certreq to download files or upload data to a remote URL.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the details of the dropped file, and whether it was executed.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services 
WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"CertReq.exe\" or ?process.pe.original_file_name == \"CertReq.exe\") and process.args : \"-Post\"\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Certreq/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1567", "name": "Exfiltration Over Web Service", "reference": "https://attack.mitre.org/techniques/T1567/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 209}, "id": "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_209", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_3.json b/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_3.json deleted file mode 100644 index 90ca019d892..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to exfiltrate data to a remote URL.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Exfiltration via Certreq", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"CertReq.exe\" or process.pe.original_file_name == \"CertReq.exe\") and process.args : \"-Post\"\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Certreq/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, 
"id": "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_4.json b/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_4.json deleted file mode 100644 index 5e7ce13147b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to exfiltrate data to a remote URL.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Exfiltration via Certreq", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"CertReq.exe\" or process.pe.original_file_name == \"CertReq.exe\") and process.args : \"-Post\"\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Certreq/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", 
"type": "eql", "version": 4}, "id": "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_5.json b/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_5.json deleted file mode 100644 index 67bf359e842..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a remote URL.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential File Transfer via Certreq", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"CertReq.exe\" or process.pe.original_file_name == \"CertReq.exe\") and process.args : \"-Post\"\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Certreq/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}, 
{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1567", "name": "Exfiltration Over Web Service", "reference": "https://attack.mitre.org/techniques/T1567/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_6.json b/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_6.json deleted file mode 100644 index 8c78cc586df..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_6.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a remote URL.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential File Transfer via Certreq", "note": "## Triage and analysis\n\n### Investigating Potential File Transfer via Certreq\n\nCertreq is a command-line utility in Windows operating systems that allows users to request and manage certificates from certificate authorities. It is primarily used for generating certificate signing requests (CSRs) and installing certificates. However, adversaries may abuse Certreq's functionality to download files or upload data to a remote URL by making an HTTP POST request.\n\nThis rule identifies the potential abuse of Certreq to download files or upload data to a remote URL.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the details of the dropped file, and whether it was executed.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services 
WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"CertReq.exe\" or process.pe.original_file_name == \"CertReq.exe\") and process.args : \"-Post\"\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Certreq/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}, {"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1567", "name": "Exfiltration Over Web Service", "reference": "https://attack.mitre.org/techniques/T1567/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_7.json b/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_7.json deleted file mode 100644 index ce41a308986..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_7.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a remote URL.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential File Transfer via Certreq", "note": "## Triage and analysis\n\n### Investigating Potential File Transfer via Certreq\n\nCertreq is a command-line utility in Windows operating systems that allows users to request and manage certificates from certificate authorities. It is primarily used for generating certificate signing requests (CSRs) and installing certificates. However, adversaries may abuse Certreq's functionality to download files or upload data to a remote URL by making an HTTP POST request.\n\nThis rule identifies the potential abuse of Certreq to download files or upload data to a remote URL.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the details of the dropped file, and whether it was executed.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services 
WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"CertReq.exe\" or ?process.pe.original_file_name == \"CertReq.exe\") and process.args : \"-Post\"\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Certreq/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": 
"https://attack.mitre.org/techniques/T1218/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1567", "name": "Exfiltration Over Web Service", "reference": "https://attack.mitre.org/techniques/T1567/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_8.json b/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_8.json deleted file mode 100644 index 55c14b4d1d8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_8.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a remote URL.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential File Transfer via Certreq", "note": "## Triage and analysis\n\n### Investigating Potential File Transfer via Certreq\n\nCertreq is a command-line utility in Windows operating systems that allows users to request and manage certificates from certificate authorities. It is primarily used for generating certificate signing requests (CSRs) and installing certificates. However, adversaries may abuse Certreq's functionality to download files or upload data to a remote URL by making an HTTP POST request.\n\nThis rule identifies the potential abuse of Certreq to download files or upload data to a remote URL.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the details of the dropped file, and whether it was executed.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services 
WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"CertReq.exe\" or ?process.pe.original_file_name == \"CertReq.exe\") and process.args : \"-Post\"\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Certreq/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": 
"https://attack.mitre.org/techniques/T1218/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1567", "name": "Exfiltration Over Web Service", "reference": "https://attack.mitre.org/techniques/T1567/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_9.json b/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_9.json deleted file mode 100644 index 81940474c8d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_9.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies Certreq making an HTTP Post request. Adversaries could abuse Certreq to download files or upload data to a remote URL.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential File Transfer via Certreq", "note": "## Triage and analysis\n\n### Investigating Potential File Transfer via Certreq\n\nCertreq is a command-line utility in Windows operating systems that allows users to request and manage certificates from certificate authorities. It is primarily used for generating certificate signing requests (CSRs) and installing certificates. However, adversaries may abuse Certreq's functionality to download files or upload data to a remote URL by making an HTTP POST request.\n\nThis rule identifies the potential abuse of Certreq to download files or upload data to a remote URL.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the details of the dropped file, and whether it was executed.\n- Check the reputation of the domain or IP address used to host the downloaded file or if the user downloaded the file from an internal system.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services 
WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unusual but can be done by administrators. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"CertReq.exe\" or ?process.pe.original_file_name == \"CertReq.exe\") and process.args : \"-Post\"\n", "references": ["https://lolbas-project.github.io/lolbas/Binaries/Certreq/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": 
"https://attack.mitre.org/techniques/T1218/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1567", "name": "Exfiltration Over Web Service", "reference": "https://attack.mitre.org/techniques/T1567/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 9}, "id": "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c_9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de.json b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de.json deleted file mode 100644 index 197fc8a3b67..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object.", "false_positives": ["Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Shadow Credentials added to AD Object", "note": "## Triage and analysis\n\n### Investigating Potential Shadow Credentials added to AD Object\n\nThe msDS-KeyCredentialLink is an Active Directory (AD) attribute that links cryptographic certificates to a user or computer for domain authentication.\n\nAttackers with write privileges on this attribute over an object can abuse it to gain access to the object or maintain persistence.
This means they can authenticate and perform actions on behalf of the exploited identity, and they can use Shadow Credentials to request Ticket Granting Tickets (TGTs) on behalf of the identity.\n\n#### Possible investigation steps\n\n- Identify whether Windows Hello for Business (WHfB) and/or Azure AD is used in the environment.\n - Review the event ID 4624 for logon events involving the subject identity (`winlog.event_data.SubjectUserName`).\n - Check whether the `source.ip` is the server running Azure AD Connect.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review the event IDs 4768 and 4769 for suspicious ticket requests involving the modified identity (`winlog.event_data.ObjectDN`).\n - Extract the source IP addresses from these events and use them as indicators of compromise (IoCs) to investigate whether the host is compromised and to scope the attacker's access to the environment.\n\n### False positive analysis\n\n- Administrators might use custom accounts on Azure AD Connect. If this is the case, make sure the account is properly secured. You can also create an exception for the account if expected activity makes too much noise in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Remove the Shadow Credentials from the object.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:(\"Directory Service Changes\" or \"directory-service-object-modified\") and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msDS-KeyCredentialLink\" and winlog.event_data.AttributeValue :B\\:828* and\n not winlog.event_data.SubjectUserName: MSOL_*\n", "references": ["https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab", "https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials", "https://github.com/OTRF/Set-AuditRule", "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so 
we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 110}, "id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_104.json b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_104.json
deleted file mode 100644
index 5139fcd4e8e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object.", "false_positives": ["Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Shadow Credentials added to AD Object", "note": "## Triage and analysis\n\n### Investigating Potential Shadow Credentials added to AD Object\n\nThe msDS-KeyCredentialLink is an Active Directory (AD) attribute that links cryptographic certificates to a user or computer for domain authentication.\n\nAttackers with write privileges on this attribute over an object can abuse it to gain access to the object or maintain persistence.
This means they can authenticate and perform actions on behalf of the exploited identity, and they can use Shadow Credentials to request Ticket Granting Tickets (TGTs) on behalf of the identity.\n\n#### Possible investigation steps\n\n- Identify whether Windows Hello for Business (WHfB) and/or Azure AD is used in the environment.\n - Review the event ID 4624 for logon events involving the subject identity (`winlog.event_data.SubjectUserName`).\n - Check whether the `source.ip` is the server running Azure AD Connect.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review the event IDs 4768 and 4769 for suspicious ticket requests involving the modified identity (`winlog.event_data.ObjectDN`).\n - Extract the source IP addresses from these events and use them as indicators of compromise (IoCs) to investigate whether the host is compromised and to scope the attacker's access to the environment.\n\n### False positive analysis\n\n- Administrators might use custom accounts on Azure AD Connect. If this is the case, make sure the account is properly secured. You can also create an exception for the account if expected activity makes too much noise in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Remove the Shadow Credentials from the object.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.action:\"Directory Service Changes\" and host.os.type:windows and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msDS-KeyCredentialLink\" and winlog.event_data.AttributeValue :B\\:828* and\n not winlog.event_data.SubjectUserName: MSOL_*\n", "references": ["https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab", "https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials", "https://github.com/OTRF/Set-AuditRule", "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de", "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does 
not cover User objects, so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_105.json b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_105.json
deleted file mode 100644
index d9170f217b9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object.", "false_positives": ["Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Shadow Credentials added to AD Object", "note": "## Triage and analysis\n\n### Investigating Potential Shadow Credentials added to AD Object\n\nThe msDS-KeyCredentialLink is an Active Directory (AD) attribute that links cryptographic certificates to a user or computer for domain authentication.\n\nAttackers with write privileges on this attribute over an object can abuse it to gain access to the object or maintain persistence.
This means they can authenticate and perform actions on behalf of the exploited identity, and they can use Shadow Credentials to request Ticket Granting Tickets (TGTs) on behalf of the identity.\n\n#### Possible investigation steps\n\n- Identify whether Windows Hello for Business (WHfB) and/or Azure AD is used in the environment.\n - Review the event ID 4624 for logon events involving the subject identity (`winlog.event_data.SubjectUserName`).\n - Check whether the `source.ip` is the server running Azure AD Connect.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review the event IDs 4768 and 4769 for suspicious ticket requests involving the modified identity (`winlog.event_data.ObjectDN`).\n - Extract the source IP addresses from these events and use them as indicators of compromise (IoCs) to investigate whether the host is compromised and to scope the attacker's access to the environment.\n\n### False positive analysis\n\n- Administrators might use custom accounts on Azure AD Connect. If this is the case, make sure the account is properly secured. You can also create an exception for the account if expected activity makes too much noise in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Remove the Shadow Credentials from the object.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.action:\"Directory Service Changes\" and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msDS-KeyCredentialLink\" and winlog.event_data.AttributeValue :B\\:828* and\n not winlog.event_data.SubjectUserName: MSOL_*\n", "references": ["https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab", "https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials", "https://github.com/OTRF/Set-AuditRule", "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de", "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using 
https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_106.json b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_106.json
deleted file mode 100644
index 4aebf1f18ca..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object.", "false_positives": ["Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Shadow Credentials added to AD Object", "note": "## Triage and analysis\n\n### Investigating Potential Shadow Credentials added to AD Object\n\nThe msDS-KeyCredentialLink is an Active Directory (AD) attribute that links cryptographic certificates to a user or computer for domain authentication.\n\nAttackers with write privileges on this attribute over an object can abuse it to gain access to the object or maintain persistence.
This means they can authenticate and perform actions on behalf of the exploited identity, and they can use Shadow Credentials to request Ticket Granting Tickets (TGTs) on behalf of the identity.\n\n#### Possible investigation steps\n\n- Identify whether Windows Hello for Business (WHfB) and/or Azure AD is used in the environment.\n - Review the event ID 4624 for logon events involving the subject identity (`winlog.event_data.SubjectUserName`).\n - Check whether the `source.ip` is the server running Azure AD Connect.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review the event IDs 4768 and 4769 for suspicious ticket requests involving the modified identity (`winlog.event_data.ObjectDN`).\n - Extract the source IP addresses from these events and use them as indicators of compromise (IoCs) to investigate whether the host is compromised and to scope the attacker's access to the environment.\n\n### False positive analysis\n\n- Administrators might use custom accounts on Azure AD Connect. If this is the case, make sure the account is properly secured. You can also create an exception for the account if expected activity makes too much noise in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Remove the Shadow Credentials from the object.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.action:\"Directory Service Changes\" and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msDS-KeyCredentialLink\" and winlog.event_data.AttributeValue :B\\:828* and\n not winlog.event_data.SubjectUserName: MSOL_*\n", "references": ["https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab", "https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials", "https://github.com/OTRF/Set-AuditRule", "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de", "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using 
https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_107.json b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_107.json
deleted file mode 100644
index 1b7f61ede91..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object.", "false_positives": ["Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Shadow Credentials added to AD Object", "note": "## Triage and analysis\n\n### Investigating Potential Shadow Credentials added to AD Object\n\nThe msDS-KeyCredentialLink is an Active Directory (AD) attribute that links cryptographic certificates to a user or computer for domain authentication.\n\nAttackers with write privileges on this attribute over an object can abuse it to gain access to the object or maintain persistence.
This means they can authenticate and perform actions on behalf of the exploited identity, and they can use Shadow Credentials to request Ticket Granting Tickets (TGTs) on behalf of the identity.\n\n#### Possible investigation steps\n\n- Identify whether Windows Hello for Business (WHfB) and/or Azure AD is used in the environment.\n - Review the event ID 4624 for logon events involving the subject identity (`winlog.event_data.SubjectUserName`).\n - Check whether the `source.ip` is the server running Azure AD Connect.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review the event IDs 4768 and 4769 for suspicious ticket requests involving the modified identity (`winlog.event_data.ObjectDN`).\n - Extract the source IP addresses from these events and use them as indicators of compromise (IoCs) to investigate whether the host is compromised and to scope the attacker's access to the environment.\n\n### False positive analysis\n\n- Administrators might use custom accounts on Azure AD Connect. If this is the case, make sure the account is properly secured. You can also create an exception for the account if expected activity makes too much noise in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Remove the Shadow Credentials from the object.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.action:\"Directory Service Changes\" and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msDS-KeyCredentialLink\" and winlog.event_data.AttributeValue :B\\:828* and\n not winlog.event_data.SubjectUserName: MSOL_*\n", "references": ["https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab", "https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials", "https://github.com/OTRF/Set-AuditRule", "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de", "setup": "\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using 
https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_108.json b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_108.json
deleted file mode 100644
index 7389d625fdd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object.", "false_positives": ["Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Shadow Credentials added to AD Object", "note": "## Triage and analysis\n\n### Investigating Potential Shadow Credentials added to AD Object\n\nThe msDS-KeyCredentialLink is an Active Directory (AD) attribute that links cryptographic certificates to a user or computer for domain authentication.\n\nAttackers with write privileges on this attribute over an object can abuse it to gain access to the object or maintain persistence. 
This means they can authenticate and perform actions on behalf of the exploited identity, and they can use Shadow Credentials to request Ticket Granting Tickets (TGTs) on behalf of the identity.\n\n#### Possible investigation steps\n\n- Identify whether Windows Hello for Business (WHfB) and/or Azure AD is used in the environment.\n - Review the event ID 4624 for logon events involving the subject identity (`winlog.event_data.SubjectUserName`).\n - Check whether the `source.ip` is the server running Azure AD Connect.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review the event IDs 4768 and 4769 for suspicious ticket requests involving the modified identity (`winlog.event_data.ObjectDN`).\n - Extract the source IP addresses from these events and use them as indicators of compromise (IoCs) to investigate whether the host is compromised and to scope the attacker's access to the environment.\n\n### False positive analysis\n\n- Administrators might use custom accounts on Azure AD Connect. If this is the case, make sure the account is properly secured. You can also create an exception for the account if expected activity makes too much noise in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Remove the Shadow Credentials from the object.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:\"Directory Service Changes\" and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msDS-KeyCredentialLink\" and winlog.event_data.AttributeValue :B\\:828* and\n not winlog.event_data.SubjectUserName: MSOL_*\n", "references": ["https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab", "https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials", "https://github.com/OTRF/Set-AuditRule", "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so we need to set up an AuditRule using 
https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_109.json b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_109.json deleted file mode 100644 index 9e930ea34e4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object.", "false_positives": ["Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Shadow Credentials added to AD Object", "note": "## Triage and analysis\n\n### Investigating Potential Shadow Credentials added to AD Object\n\nThe msDS-KeyCredentialLink is an Active Directory (AD) attribute that links cryptographic certificates to a user or computer for domain authentication.\n\nAttackers with write privileges on this attribute over an object can abuse it to gain access to the object or maintain persistence. 
This means they can authenticate and perform actions on behalf of the exploited identity, and they can use Shadow Credentials to request Ticket Granting Tickets (TGTs) on behalf of the identity.\n\n#### Possible investigation steps\n\n- Identify whether Windows Hello for Business (WHfB) and/or Azure AD is used in the environment.\n - Review the event ID 4624 for logon events involving the subject identity (`winlog.event_data.SubjectUserName`).\n - Check whether the `source.ip` is the server running Azure AD Connect.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review the event IDs 4768 and 4769 for suspicious ticket requests involving the modified identity (`winlog.event_data.ObjectDN`).\n - Extract the source IP addresses from these events and use them as indicators of compromise (IoCs) to investigate whether the host is compromised and to scope the attacker's access to the environment.\n\n### False positive analysis\n\n- Administrators might use custom accounts on Azure AD Connect. If this is the case, make sure the account is properly secured. You can also create an exception for the account if expected activity makes too much noise in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Remove the Shadow Credentials from the object.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:(\"Directory Service Changes\" or \"directory-service-object-modified\") and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msDS-KeyCredentialLink\" and winlog.event_data.AttributeValue :B\\:828* and\n not winlog.event_data.SubjectUserName: MSOL_*\n", "references": ["https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab", "https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials", "https://github.com/OTRF/Set-AuditRule", "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so 
we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 109}, "id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_110.json b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_110.json deleted file mode 100644 index 7c41a20f26b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object.", "false_positives": ["Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Shadow Credentials added to AD Object", "note": "## Triage and analysis\n\n### Investigating Potential Shadow Credentials added to AD Object\n\nThe msDS-KeyCredentialLink is an Active Directory (AD) attribute that links cryptographic certificates to a user or computer for domain authentication.\n\nAttackers with write privileges on this attribute over an object can abuse it to gain access to the object or maintain persistence. 
This means they can authenticate and perform actions on behalf of the exploited identity, and they can use Shadow Credentials to request Ticket Granting Tickets (TGTs) on behalf of the identity.\n\n#### Possible investigation steps\n\n- Identify whether Windows Hello for Business (WHfB) and/or Azure AD is used in the environment.\n - Review the event ID 4624 for logon events involving the subject identity (`winlog.event_data.SubjectUserName`).\n - Check whether the `source.ip` is the server running Azure AD Connect.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review the event IDs 4768 and 4769 for suspicious ticket requests involving the modified identity (`winlog.event_data.ObjectDN`).\n - Extract the source IP addresses from these events and use them as indicators of compromise (IoCs) to investigate whether the host is compromised and to scope the attacker's access to the environment.\n\n### False positive analysis\n\n- Administrators might use custom accounts on Azure AD Connect. If this is the case, make sure the account is properly secured. You can also create an exception for the account if expected activity makes too much noise in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Remove the Shadow Credentials from the object.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:(\"Directory Service Changes\" or \"directory-service-object-modified\") and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msDS-KeyCredentialLink\" and winlog.event_data.AttributeValue :B\\:828* and\n not winlog.event_data.SubjectUserName: MSOL_*\n", "references": ["https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab", "https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials", "https://github.com/OTRF/Set-AuditRule", "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so 
we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 110}, "id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_111.json b/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_111.json deleted file mode 100644 index ceff312d498..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/79f97b31-480e-4e63-a7f4-ede42bf2c6de_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identify the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object. Attackers can abuse control over the object and create a key pair, append to raw public key in the attribute, and obtain persistent and stealthy access to the target user or computer object.", "false_positives": ["Modifications in the msDS-KeyCredentialLink attribute can be done legitimately by the Azure AD Connect synchronization account or the ADFS service account. These accounts can be added as Exceptions."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Shadow Credentials added to AD Object", "note": "## Triage and analysis\n\n### Investigating Potential Shadow Credentials added to AD Object\n\nThe msDS-KeyCredentialLink is an Active Directory (AD) attribute that links cryptographic certificates to a user or computer for domain authentication.\n\nAttackers with write privileges on this attribute over an object can abuse it to gain access to the object or maintain persistence. 
This means they can authenticate and perform actions on behalf of the exploited identity, and they can use Shadow Credentials to request Ticket Granting Tickets (TGTs) on behalf of the identity.\n\n#### Possible investigation steps\n\n- Identify whether Windows Hello for Business (WHfB) and/or Azure AD is used in the environment.\n - Review the event ID 4624 for logon events involving the subject identity (`winlog.event_data.SubjectUserName`).\n - Check whether the `source.ip` is the server running Azure AD Connect.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review the event IDs 4768 and 4769 for suspicious ticket requests involving the modified identity (`winlog.event_data.ObjectDN`).\n - Extract the source IP addresses from these events and use them as indicators of compromise (IoCs) to investigate whether the host is compromised and to scope the attacker's access to the environment.\n\n### False positive analysis\n\n- Administrators might use custom accounts on Azure AD Connect. If this is the case, make sure the account is properly secured. You can also create an exception for the account if expected activity makes too much noise in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Remove the Shadow Credentials from the object.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:(\"Directory Service Changes\" or \"directory-service-object-modified\") and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"msDS-KeyCredentialLink\" and winlog.event_data.AttributeValue :B\\:828* and\n not winlog.event_data.SubjectUserName: MSOL_*\n", "references": ["https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab", "https://www.thehacker.recipes/ad/movement/kerberos/shadow-credentials", "https://github.com/OTRF/Set-AuditRule", "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover User objects, so 
we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\nAs this specifies the msDS-KeyCredentialLink Attribute GUID, it is expected to be low noise.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=Users,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights WriteProperty -InheritanceFlags Children -AttributeGUID 5b47d60f-6090-40b2-9f37-2a4de88f3063 -AuditFlags Success\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 111}, "id": "79f97b31-480e-4e63-a7f4-ede42bf2c6de_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8.json b/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8.json deleted file mode 100644 index b4e3ecae7e6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the usage of Docker runtime sockets to escalate privileges on Linux systems. Docker sockets by default are only be writable by the root user and docker group. Attackers that have permissions to write to these sockets may be able to create and run a container that allows them to escalate privileges and gain further access onto the host file system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation through Writable Docker Socket", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n(\n (process.name == \"docker\" and process.args : \"run\" and process.args : \"-it\" and \n process.args : (\"unix://*/docker.sock\", \"unix://*/dockershim.sock\")) or \n (process.name == \"socat\" and process.args : (\"UNIX-CONNECT:*/docker.sock\", \"UNIX-CONNECT:*/dockershim.sock\"))\n) and not user.Ext.real.id : \"0\" and not group.Ext.real.id : \"0\"\n", "references": ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#automatic-enumeration-and-escape"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 47, "rule_id": "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into 
the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_1.json b/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_1.json deleted file mode 100644 index b18e7baffc3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_1.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the usage of Docker runtime sockets to escalate privileges on Linux systems. Docker sockets by default are only be writable by the root user and docker group. Attackers that have permissions to write to these sockets may be able to create and run a container that allows them to escalate privileges and gain further access onto the host file system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation through Writable Docker Socket", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n(\n (process.name == \"docker\" and process.args : \"run\" and process.args : \"-it\" and \n process.args : (\"unix://*/docker.sock\", \"unix://*/dockershim.sock\")) or \n (process.name == \"socat\" and process.args : (\"UNIX-CONNECT:*/docker.sock\", \"UNIX-CONNECT:*/dockershim.sock\"))\n) and not user.Ext.real.id : \"0\" and not group.Ext.real.id : \"0\"\n", "references": ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#automatic-enumeration-and-escape"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 47, "rule_id": "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_2.json b/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_2.json deleted file mode 100644 index 2366da31ac4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_2.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the usage of Docker runtime sockets to escalate privileges on Linux systems. Docker sockets by default are only be writable by the root user and docker group. Attackers that have permissions to write to these sockets may be able to create and run a container that allows them to escalate privileges and gain further access onto the host file system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation through Writable Docker Socket", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n(\n (process.name == \"docker\" and process.args : \"run\" and process.args : \"-it\" and \n process.args : (\"unix://*/docker.sock\", \"unix://*/dockershim.sock\")) or \n (process.name == \"socat\" and process.args : (\"UNIX-CONNECT:*/docker.sock\", \"UNIX-CONNECT:*/dockershim.sock\"))\n) and not user.Ext.real.id : \"0\" and not group.Ext.real.id : \"0\"\n", "references": ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#automatic-enumeration-and-escape"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 47, "rule_id": "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data 
Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_3.json b/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_3.json
deleted file mode 100644
index 5a0aa0d9328..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the usage of Docker runtime sockets to escalate privileges on Linux systems. Docker sockets by default are only be writable by the root user and docker group. Attackers that have permissions to write to these sockets may be able to create and run a container that allows them to escalate privileges and gain further access onto the host file system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation through Writable Docker Socket", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n(\n (process.name == \"docker\" and process.args : \"run\" and process.args : \"-it\" and \n process.args : (\"unix://*/docker.sock\", \"unix://*/dockershim.sock\")) or \n (process.name == \"socat\" and process.args : (\"UNIX-CONNECT:*/docker.sock\", \"UNIX-CONNECT:*/dockershim.sock\"))\n) and not user.Ext.real.id : \"0\" and not group.Ext.real.id : \"0\"\n", "references": ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#automatic-enumeration-and-escape"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 47, "rule_id": "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the 
Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_4.json b/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_4.json
deleted file mode 100644
index 2efc67a1acd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the usage of Docker runtime sockets to escalate privileges on Linux systems. Docker sockets by default are only be writable by the root user and docker group. Attackers that have permissions to write to these sockets may be able to create and run a container that allows them to escalate privileges and gain further access onto the host file system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation through Writable Docker Socket", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n(\n (process.name == \"docker\" and process.args : \"run\" and process.args : \"-it\" and \n process.args : (\"unix://*/docker.sock\", \"unix://*/dockershim.sock\")) or \n (process.name == \"socat\" and process.args : (\"UNIX-CONNECT:*/docker.sock\", \"UNIX-CONNECT:*/dockershim.sock\"))\n) and not user.Ext.real.id : \"0\" and not group.Ext.real.id : \"0\"\n", "references": ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#automatic-enumeration-and-escape"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 47, "rule_id": "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the 
Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "7acb2de3-8465-472a-8d9c-ccd7b73d0ed8_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7afc6cc9-8800-4c7f-be6b-b688d2dea248.json b/packages/security_detection_engine/kibana/security_rule/7afc6cc9-8800-4c7f-be6b-b688d2dea248.json
deleted file mode 100644
index 45545911873..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7afc6cc9-8800-4c7f-be6b-b688d2dea248.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "It identifies potential malicious shell executions through remote SSH and detects cases where the sshd service suddenly terminates soon after successful execution, suggesting suspicious behavior similar to the XZ backdoor.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Execution via XZBackdoor", "query": "sequence by host.id, user.id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name == \"sshd\" and\n process.args == \"-D\" and process.args == \"-R\"] by process.pid, process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.parent.name == \"sshd\" and \n process.executable != \"/usr/sbin/sshd\"] by process.parent.pid, process.parent.entity_id\n [process where host.os.type == \"linux\" and event.action == \"end\" and process.name == \"sshd\" and process.exit_code != 0] by process.pid, process.entity_id\n [network where host.os.type == \"linux\" and event.type == \"end\" and event.action == \"disconnect_received\" and process.name == \"sshd\"] by process.pid, process.entity_id\n", "references": ["https://github.com/amlweems/xzbot", "https://access.redhat.com/security/cve/CVE-2024-3094"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.exit_code", "type": "long"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "7afc6cc9-8800-4c7f-be6b-b688d2dea248", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}, {"id": "T1563", "name": "Remote Service Session Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "7afc6cc9-8800-4c7f-be6b-b688d2dea248", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/7afc6cc9-8800-4c7f-be6b-b688d2dea248_1.json b/packages/security_detection_engine/kibana/security_rule/7afc6cc9-8800-4c7f-be6b-b688d2dea248_1.json
deleted file mode 100644
index 0fb90f44dfa..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7afc6cc9-8800-4c7f-be6b-b688d2dea248_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "It identifies potential malicious shell executions through remote SSH and detects cases where the sshd service suddenly terminates soon after successful execution, suggesting suspicious behavior similar to the XZ backdoor.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Execution via XZBackdoor", "query": "sequence by host.id, user.id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name == \"sshd\" and\n process.args == \"-D\" and process.args == \"-R\"] by process.pid, process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.parent.name == \"sshd\" and \n process.executable != \"/usr/sbin/sshd\"] by process.parent.pid, process.parent.entity_id\n [process where host.os.type == \"linux\" and event.action == \"end\" and process.name == \"sshd\" and process.exit_code != 0] by process.pid, process.entity_id\n [network where host.os.type == \"linux\" and event.type == \"end\" and event.action == \"disconnect_received\" and process.name == \"sshd\"] by process.pid, process.entity_id\n", "references": ["https://github.com/amlweems/xzbot", "https://access.redhat.com/security/cve/CVE-2024-3094"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.exit_code", "type": "long"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "7afc6cc9-8800-4c7f-be6b-b688d2dea248", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}, {"id": "T1563", "name": "Remote Service Session Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "7afc6cc9-8800-4c7f-be6b-b688d2dea248_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/7afc6cc9-8800-4c7f-be6b-b688d2dea248_2.json b/packages/security_detection_engine/kibana/security_rule/7afc6cc9-8800-4c7f-be6b-b688d2dea248_2.json
deleted file mode 100644
index 68b4b00f06b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7afc6cc9-8800-4c7f-be6b-b688d2dea248_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "It identifies potential malicious shell executions through remote SSH and detects cases where the sshd service suddenly terminates soon after successful execution, suggesting suspicious behavior similar to the XZ backdoor.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Execution via XZBackdoor", "query": "sequence by host.id, user.id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name == \"sshd\" and\n process.args == \"-D\" and process.args == \"-R\"] by process.pid, process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.parent.name == \"sshd\" and \n process.executable != null and \n not process.executable in (\"/usr/sbin/sshd\", \"/usr/sbin/unix_chkpwd\", \"/usr/bin/google_authorized_keys\", \"/usr/bin/fipscheck\") and \n process.command_line != \"sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new\"] by process.parent.pid, process.parent.entity_id\n [process where host.os.type == \"linux\" and event.action == \"end\" and process.name == \"sshd\" and process.exit_code != 0] by process.pid, process.entity_id\n [network where host.os.type == \"linux\" and event.type == \"end\" and event.action == \"disconnect_received\" and process.name == \"sshd\"] by process.pid, process.entity_id\n", "references": ["https://github.com/amlweems/xzbot", "https://access.redhat.com/security/cve/CVE-2024-3094"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, 
"name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.exit_code", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "7afc6cc9-8800-4c7f-be6b-b688d2dea248", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}, {"id": "T1563", "name": "Remote Service Session Hijacking", 
"reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "7afc6cc9-8800-4c7f-be6b-b688d2dea248_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7afc6cc9-8800-4c7f-be6b-b688d2dea248_3.json b/packages/security_detection_engine/kibana/security_rule/7afc6cc9-8800-4c7f-be6b-b688d2dea248_3.json deleted file mode 100644 index 288fc8fd983..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7afc6cc9-8800-4c7f-be6b-b688d2dea248_3.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "It identifies potential malicious shell executions through remote SSH and detects cases where the sshd service suddenly terminates soon after successful execution, suggesting suspicious behavior similar to the XZ backdoor.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Execution via XZBackdoor", "query": "sequence by host.id, user.id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name == \"sshd\" and\n process.args == \"-D\" and process.args == \"-R\"] by process.pid, process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.parent.name == \"sshd\" and \n process.executable != null and \n not process.executable in (\"/usr/sbin/sshd\", \"/usr/sbin/unix_chkpwd\", \"/usr/bin/google_authorized_keys\", \"/usr/bin/fipscheck\") and \n process.command_line != \"sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new\"] by process.parent.pid, process.parent.entity_id\n [process where host.os.type == \"linux\" and event.action == \"end\" and process.name == \"sshd\" and process.exit_code != 0] by process.pid, process.entity_id\n [network where host.os.type == \"linux\" and event.type == \"end\" and event.action == \"disconnect_received\" and process.name == \"sshd\"] by process.pid, process.entity_id\n", "references": ["https://github.com/amlweems/xzbot", "https://access.redhat.com/security/cve/CVE-2024-3094", "https://www.elastic.co/security-labs/500ms-to-midnight"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": 
true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.exit_code", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "7afc6cc9-8800-4c7f-be6b-b688d2dea248", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}, {"id": 
"T1563", "name": "Remote Service Session Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "7afc6cc9-8800-4c7f-be6b-b688d2dea248_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47.json b/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47.json deleted file mode 100644 index d5648d7ec0f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies when an ElastiCache security group has been created.", "false_positives": ["A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS ElastiCache Security Group Created", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:\"Create Cache Security Group\" and\nevent.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateCacheSecurityGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "7b3da11a-60a2-412e-8aa7-011e1eb9ed47", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": 
"Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "7b3da11a-60a2-412e-8aa7-011e1eb9ed47", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_102.json b/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_102.json
deleted file mode 100644
index 00fd255e78b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies when an ElastiCache security group has been created.", "false_positives": ["A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS ElastiCache Security Group Created", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:\"Create Cache Security Group\" and\nevent.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateCacheSecurityGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "7b3da11a-60a2-412e-8aa7-011e1eb9ed47", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or 
Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "7b3da11a-60a2-412e-8aa7-011e1eb9ed47_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_103.json b/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_103.json
deleted file mode 100644
index 259ea05c59d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies when an ElastiCache security group has been created.", "false_positives": ["A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS ElastiCache Security Group Created", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:\"Create Cache Security Group\" and\nevent.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateCacheSecurityGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "7b3da11a-60a2-412e-8aa7-011e1eb9ed47", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or 
Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "7b3da11a-60a2-412e-8aa7-011e1eb9ed47_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_104.json b/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_104.json
deleted file mode 100644
index 3fdbf7f1ef6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies when an ElastiCache security group has been created.", "false_positives": ["A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS ElastiCache Security Group Created", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:\"Create Cache Security Group\" and\nevent.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateCacheSecurityGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "7b3da11a-60a2-412e-8aa7-011e1eb9ed47", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or 
Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "7b3da11a-60a2-412e-8aa7-011e1eb9ed47_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_205.json b/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_205.json
deleted file mode 100644
index 007f0aab580..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7b3da11a-60a2-412e-8aa7-011e1eb9ed47_205.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies when an ElastiCache security group has been created.", "false_positives": ["A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS ElastiCache Security Group Created", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:\"Create Cache Security Group\" and\nevent.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateCacheSecurityGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "7b3da11a-60a2-412e-8aa7-011e1eb9ed47", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or 
Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "7b3da11a-60a2-412e-8aa7-011e1eb9ed47_205", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1.json b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1.json
deleted file mode 100644
index 2d7755402df..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Network Enumeration", "note": "## Triage and analysis\n\n### Investigating Windows Network Enumeration\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` utility to enumerate servers in the environment that hosts shared drives or printers. This information is useful to attackers as they can identify targets for lateral movements and search for valuable shared data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n (process.args : \"view\" or (process.args : \"time\" and process.args : \"\\\\\\\\*\")) and\n not process.command_line : \"net view \\\\\\\\localhost \"\n\n\n /* expand when ancestry is available\n and not descendant of [process where event.type == \"start\" and process.name : \"cmd.exe\" and\n ((process.parent.name : \"userinit.exe\") or\n (process.parent.name : \"gpscript.exe\") or\n (process.parent.name : \"explorer.exe\" and\n process.args : \"C:\\\\*\\\\Start Menu\\\\Programs\\\\Startup\\\\*.bat*\"))]\n */\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, 
{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1039", "name": "Data from Network Shared Drive", "reference": "https://attack.mitre.org/techniques/T1039/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "7b8bfc26-81d2-435e-965c-d722ee397ef1", "type": 
"security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_104.json b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_104.json
deleted file mode 100644
index 95a5efc510e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Network Enumeration", "note": "## Triage and analysis\n\n### Investigating Windows Network Enumeration\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` utility to enumerate servers in the environment that hosts shared drives or printers. This information is useful to attackers as they can identify targets for lateral movements and search for valuable shared data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n (process.args : \"view\" or (process.args : \"time\" and process.args : \"\\\\\\\\*\"))\n\n\n /* expand when ancestry is available\n and not descendant of [process where event.type == \"start\" and process.name : \"cmd.exe\" and\n ((process.parent.name : \"userinit.exe\") or\n (process.parent.name : \"gpscript.exe\") or\n (process.parent.name : \"explorer.exe\" and\n process.args : \"C:\\\\*\\\\Start Menu\\\\Programs\\\\Startup\\\\*.bat*\"))]\n */\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": 
true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "7b8bfc26-81d2-435e-965c-d722ee397ef1_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_105.json b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_105.json
deleted file mode 100644
index cf880f2e00b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Network Enumeration", "note": "## Triage and analysis\n\n### Investigating Windows Network Enumeration\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` utility to enumerate servers in the environment that hosts shared drives or printers. This information is useful to attackers as they can identify targets for lateral movements and search for valuable shared data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n (process.args : \"view\" or (process.args : \"time\" and process.args : \"\\\\\\\\*\"))\n\n\n /* expand when ancestry is available\n and not descendant of [process where event.type == \"start\" and process.name : \"cmd.exe\" and\n ((process.parent.name : \"userinit.exe\") or\n (process.parent.name : \"gpscript.exe\") or\n (process.parent.name : \"explorer.exe\" and\n process.args : \"C:\\\\*\\\\Start Menu\\\\Programs\\\\Startup\\\\*.bat*\"))]\n */\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": 
true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "7b8bfc26-81d2-435e-965c-d722ee397ef1_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_106.json b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_106.json
deleted file mode 100644
index 99380a48b41..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Network Enumeration", "note": "## Triage and analysis\n\n### Investigating Windows Network Enumeration\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` utility to enumerate servers in the environment that hosts shared drives or printers. This information is useful to attackers as they can identify targets for lateral movements and search for valuable shared data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n (process.args : \"view\" or (process.args : \"time\" and process.args : \"\\\\\\\\*\"))\n\n\n /* expand when ancestry is available\n and not descendant of [process where event.type == \"start\" and process.name : \"cmd.exe\" and\n ((process.parent.name : \"userinit.exe\") or\n (process.parent.name : \"gpscript.exe\") or\n (process.parent.name : \"explorer.exe\" and\n process.args : \"C:\\\\*\\\\Start Menu\\\\Programs\\\\Startup\\\\*.bat*\"))]\n */\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": 
true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "7b8bfc26-81d2-435e-965c-d722ee397ef1_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_107.json b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_107.json
deleted file mode 100644
index 233b78dd448..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Network Enumeration", "note": "## Triage and analysis\n\n### Investigating Windows Network Enumeration\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` utility to enumerate servers in the environment that hosts shared drives or printers. This information is useful to attackers as they can identify targets for lateral movements and search for valuable shared data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n (process.args : \"view\" or (process.args : \"time\" and process.args : \"\\\\\\\\*\"))\n\n\n /* expand when ancestry is available\n and not descendant of [process where event.type == \"start\" and process.name : \"cmd.exe\" and\n ((process.parent.name : \"userinit.exe\") or\n (process.parent.name : \"gpscript.exe\") or\n (process.parent.name : \"explorer.exe\" and\n process.args : \"C:\\\\*\\\\Start Menu\\\\Programs\\\\Startup\\\\*.bat*\"))]\n */\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": 
true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "7b8bfc26-81d2-435e-965c-d722ee397ef1_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_108.json b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_108.json deleted file mode 100644 index d65b518c11f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Network Enumeration", "note": "## Triage and analysis\n\n### Investigating Windows Network Enumeration\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` utility to enumerate servers in the environment that hosts shared drives or printers. This information is useful to attackers as they can identify targets for lateral movements and search for valuable shared data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n (process.args : \"view\" or (process.args : \"time\" and process.args : \"\\\\\\\\*\"))\n\n\n /* expand when ancestry is available\n and not descendant of [process where event.type == \"start\" and process.name : \"cmd.exe\" and\n ((process.parent.name : \"userinit.exe\") or\n (process.parent.name : \"gpscript.exe\") or\n (process.parent.name : \"explorer.exe\" and\n process.args : \"C:\\\\*\\\\Start Menu\\\\Programs\\\\Startup\\\\*.bat*\"))]\n */\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": 
true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1039", "name": "Data from Network Shared Drive", "reference": "https://attack.mitre.org/techniques/T1039/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "7b8bfc26-81d2-435e-965c-d722ee397ef1_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_109.json b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_109.json deleted file mode 100644 index 9ff9ee75065..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Network Enumeration", "note": "## Triage and analysis\n\n### Investigating Windows Network Enumeration\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` utility to enumerate servers in the environment that hosts shared drives or printers. This information is useful to attackers as they can identify targets for lateral movements and search for valuable shared data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n (process.args : \"view\" or (process.args : \"time\" and process.args : \"\\\\\\\\*\"))\n\n\n /* expand when ancestry is available\n and not descendant of [process where event.type == \"start\" and process.name : \"cmd.exe\" and\n ((process.parent.name : \"userinit.exe\") or\n (process.parent.name : \"gpscript.exe\") or\n (process.parent.name : \"explorer.exe\" and\n process.args : \"C:\\\\*\\\\Start Menu\\\\Programs\\\\Startup\\\\*.bat*\"))]\n */\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": 
true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1039", "name": "Data from Network Shared Drive", "reference": "https://attack.mitre.org/techniques/T1039/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "7b8bfc26-81d2-435e-965c-d722ee397ef1_109", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_110.json b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_110.json deleted file mode 100644 index c1fc52914aa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Network Enumeration", "note": "## Triage and analysis\n\n### Investigating Windows Network Enumeration\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` utility to enumerate servers in the environment that hosts shared drives or printers. This information is useful to attackers as they can identify targets for lateral movements and search for valuable shared data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n (process.args : \"view\" or (process.args : \"time\" and process.args : \"\\\\\\\\*\"))\n\n\n /* expand when ancestry is available\n and not descendant of [process where event.type == \"start\" and process.name : \"cmd.exe\" and\n ((process.parent.name : \"userinit.exe\") or\n (process.parent.name : \"gpscript.exe\") or\n (process.parent.name : \"explorer.exe\" and\n process.args : \"C:\\\\*\\\\Start Menu\\\\Programs\\\\Startup\\\\*.bat*\"))]\n */\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": 
true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1039", "name": "Data from Network Shared Drive", "reference": "https://attack.mitre.org/techniques/T1039/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "7b8bfc26-81d2-435e-965c-d722ee397ef1_110", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_111.json b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_111.json deleted file mode 100644 index 6ef79ddc0fe..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Network Enumeration", "note": "## Triage and analysis\n\n### Investigating Windows Network Enumeration\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` utility to enumerate servers in the environment that hosts shared drives or printers. This information is useful to attackers as they can identify targets for lateral movements and search for valuable shared data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n (process.args : \"view\" or (process.args : \"time\" and process.args : \"\\\\\\\\*\")) and\n not process.command_line : \"net view \\\\\\\\localhost \"\n\n\n /* expand when ancestry is available\n and not descendant of [process where event.type == \"start\" and process.name : \"cmd.exe\" and\n ((process.parent.name : \"userinit.exe\") or\n (process.parent.name : \"gpscript.exe\") or\n (process.parent.name : \"explorer.exe\" and\n process.args : \"C:\\\\*\\\\Start Menu\\\\Programs\\\\Startup\\\\*.bat*\"))]\n */\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, 
{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1039", "name": "Data from Network Shared Drive", "reference": "https://attack.mitre.org/techniques/T1039/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "7b8bfc26-81d2-435e-965c-d722ee397ef1_111", "type": 
"security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_112.json b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_112.json deleted file mode 100644 index ea5a3d7a0af..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_112.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Network Enumeration", "note": "## Triage and analysis\n\n### Investigating Windows Network Enumeration\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` utility to enumerate servers in the environment that hosts shared drives or printers. This information is useful to attackers as they can identify targets for lateral movements and search for valuable shared data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n (process.args : \"view\" or (process.args : \"time\" and process.args : \"\\\\\\\\*\")) and\n not process.command_line : \"net view \\\\\\\\localhost \"\n\n\n /* expand when ancestry is available\n and not descendant of [process where event.type == \"start\" and process.name : \"cmd.exe\" and\n ((process.parent.name : \"userinit.exe\") or\n (process.parent.name : \"gpscript.exe\") or\n (process.parent.name : \"explorer.exe\" and\n process.args : \"C:\\\\*\\\\Start Menu\\\\Programs\\\\Startup\\\\*.bat*\"))]\n */\n", "references": ["https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, 
{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1039", "name": "Data from Network Shared Drive", "reference": "https://attack.mitre.org/techniques/T1039/"}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "7b8bfc26-81d2-435e-965c-d722ee397ef1_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_113.json b/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_113.json
deleted file mode 100644
index 817e1fd59a7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7b8bfc26-81d2-435e-965c-d722ee397ef1_113.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Network Enumeration", "note": "## Triage and analysis\n\n### Investigating Windows Network Enumeration\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` utility to enumerate servers in the environment that hosts shared drives or printers. This information is useful to attackers as they can identify targets for lateral movements and search for valuable shared data.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n (process.args : \"view\" or (process.args : \"time\" and process.args : \"\\\\\\\\*\")) and\n not process.command_line : \"net view \\\\\\\\localhost \"\n\n\n /* expand when ancestry is available\n and not descendant of [process where event.type == \"start\" and process.name : \"cmd.exe\" and\n ((process.parent.name : \"userinit.exe\") or\n (process.parent.name : \"gpscript.exe\") or\n (process.parent.name : \"explorer.exe\" and\n process.args : \"C:\\\\*\\\\Start Menu\\\\Programs\\\\Startup\\\\*.bat*\"))]\n */\n", "references": ["https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, 
{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "7b8bfc26-81d2-435e-965c-d722ee397ef1", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1039", "name": "Data from Network Shared Drive", "reference": "https://attack.mitre.org/techniques/T1039/"}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "7b8bfc26-81d2-435e-965c-d722ee397ef1_113", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7.json b/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7.json
deleted file mode 100644
index b14eaaa5160..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious LSASS Access via MalSecLogon", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* seclogon service accessing lsass */\n winlog.event_data.CallTrace : \"*seclogon.dll*\" and process.name : \"svchost.exe\" and\n\n /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */\n winlog.event_data.GrantedAccess == \"0x14c0\"\n", "references": ["https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 73, "rule_id": "7ba58110-ae13-439b-8192-357b0fcfa9d7", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom 
ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 208}, "id": "7ba58110-ae13-439b-8192-357b0fcfa9d7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_103.json b/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_103.json
deleted file mode 100644
index 0287d6633b8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious LSASS Access via MalSecLogon", "note": "", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* seclogon service accessing lsass */\n winlog.event_data.CallTrace : \"*seclogon.dll*\" and process.name : \"svchost.exe\" and\n\n /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */\n winlog.event_data.GrantedAccess == \"0x14c0\"\n", "references": ["https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "unknown"}], "risk_score": 73, "rule_id": "7ba58110-ae13-439b-8192-357b0fcfa9d7", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential 
Access", "Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "7ba58110-ae13-439b-8192-357b0fcfa9d7_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_104.json b/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_104.json
deleted file mode 100644
index 37534c1ced5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious LSASS Access via MalSecLogon", "note": "", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* seclogon service accessing lsass */\n winlog.event_data.CallTrace : \"*seclogon.dll*\" and process.name : \"svchost.exe\" and\n\n /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */\n winlog.event_data.GrantedAccess == \"0x14c0\"\n", "references": ["https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "unknown"}], "risk_score": 73, "rule_id": "7ba58110-ae13-439b-8192-357b0fcfa9d7", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", 
"Tactic: Credential Access", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "7ba58110-ae13-439b-8192-357b0fcfa9d7_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_105.json b/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_105.json
deleted file mode 100644
index 52b74cb91a0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious LSASS Access via MalSecLogon", "note": "", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* seclogon service accessing lsass */\n winlog.event_data.CallTrace : \"*seclogon.dll*\" and process.name : \"svchost.exe\" and\n\n /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */\n winlog.event_data.GrantedAccess == \"0x14c0\"\n", "references": ["https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 73, "rule_id": "7ba58110-ae13-439b-8192-357b0fcfa9d7", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", 
"Tactic: Credential Access", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "7ba58110-ae13-439b-8192-357b0fcfa9d7_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_206.json b/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_206.json
deleted file mode 100644
index 6f57d2e31cb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_206.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious LSASS Access via MalSecLogon", "note": "", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* seclogon service accessing lsass */\n winlog.event_data.CallTrace : \"*seclogon.dll*\" and process.name : \"svchost.exe\" and\n\n /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */\n winlog.event_data.GrantedAccess == \"0x14c0\"\n", "references": ["https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 73, "rule_id": "7ba58110-ae13-439b-8192-357b0fcfa9d7", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", 
"Tactic: Credential Access", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 206}, "id": "7ba58110-ae13-439b-8192-357b0fcfa9d7_206", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_207.json b/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_207.json
deleted file mode 100644
index 9ccbbba61e7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_207.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious LSASS Access via MalSecLogon", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* seclogon service accessing lsass */\n winlog.event_data.CallTrace : \"*seclogon.dll*\" and process.name : \"svchost.exe\" and\n\n /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */\n winlog.event_data.GrantedAccess == \"0x14c0\"\n", "references": ["https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 73, "rule_id": "7ba58110-ae13-439b-8192-357b0fcfa9d7", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 207}, "id": "7ba58110-ae13-439b-8192-357b0fcfa9d7_207", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_208.json b/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_208.json
deleted file mode 100644
index d00c3ca3240..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7ba58110-ae13-439b-8192-357b0fcfa9d7_208.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value. This may indicate an attempt to leak an LSASS handle via abusing the Secondary Logon service in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious LSASS Access via MalSecLogon", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* seclogon service accessing lsass */\n winlog.event_data.CallTrace : \"*seclogon.dll*\" and process.name : \"svchost.exe\" and\n\n /* PROCESS_CREATE_PROCESS & PROCESS_DUP_HANDLE & PROCESS_QUERY_INFORMATION */\n winlog.event_data.GrantedAccess == \"0x14c0\"\n", "references": ["https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.GrantedAccess", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 73, "rule_id": "7ba58110-ae13-439b-8192-357b0fcfa9d7", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom 
ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 208}, "id": "7ba58110-ae13-439b-8192-357b0fcfa9d7_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba.json b/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba.json deleted file mode 100644 index 757e2b48113..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Tampering of Shell Command-Line History", "query": "process where event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and event.type == \"start\" and\n (\n ((process.args : (\"rm\", \"echo\") or\n (process.args : \"ln\" and process.args : \"-sf\" and process.args : \"/dev/null\") or\n (process.args : \"truncate\" and process.args : \"-s0\"))\n and process.args : (\".bash_history\", \"/root/.bash_history\", \"/home/*/.bash_history\",\"/Users/.bash_history\", \"/Users/*/.bash_history\",\n \".zsh_history\", \"/root/.zsh_history\", \"/home/*/.zsh_history\", \"/Users/.zsh_history\", \"/Users/*/.zsh_history\")) or\n (process.args : \"history\" and process.args : \"-c\") or\n (process.args : \"export\" and process.args : (\"HISTFILE=/dev/null\", \"HISTFILESIZE=0\")) or\n (process.args : \"unset\" and process.args : \"HISTFILE\") or\n (process.args : \"set\" and process.args : \"history\" and process.args : \"+o\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 47, "rule_id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will 
need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.003", "name": "Clear Command History", "reference": "https://attack.mitre.org/techniques/T1070/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_101.json b/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_101.json deleted file mode 100644 index 7021c1f806a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Tampering of Bash Command-Line History", "note": "", "query": "process where event.type in (\"start\", \"process_started\") and\n (\n ((process.args : (\"rm\", \"echo\") or\n (process.args : \"ln\" and process.args : \"-sf\" and process.args : \"/dev/null\") or\n (process.args : \"truncate\" and process.args : \"-s0\"))\n and process.args : (\".bash_history\", \"/root/.bash_history\", \"/home/*/.bash_history\",\"/Users/.bash_history\", \"/Users/*/.bash_history\",\n \".zsh_history\", \"/root/.zsh_history\", \"/home/*/.zsh_history\", \"/Users/.zsh_history\", \"/Users/*/.zsh_history\")) or\n (process.name : \"history\" and process.args : \"-c\") or\n (process.args : \"export\" and process.args : (\"HISTFILE=/dev/null\", \"HISTFILESIZE=0\")) or\n (process.args : \"unset\" and process.args : \"HISTFILE\") or\n (process.args : \"set\" and process.args : \"history\" and process.args : \"+o\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Defense Evasion"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.003", "name": "Clear Command History", "reference": "https://attack.mitre.org/techniques/T1070/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 101}, "id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_102.json b/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_102.json deleted file mode 100644 index b3c509c9d5a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Tampering of Bash Command-Line History", "note": "", "query": "process where event.type in (\"start\", \"process_started\") and\n (\n ((process.args : (\"rm\", \"echo\") or\n (process.args : \"ln\" and process.args : \"-sf\" and process.args : \"/dev/null\") or\n (process.args : \"truncate\" and process.args : \"-s0\"))\n and process.args : (\".bash_history\", \"/root/.bash_history\", \"/home/*/.bash_history\",\"/Users/.bash_history\", \"/Users/*/.bash_history\",\n \".zsh_history\", \"/root/.zsh_history\", \"/home/*/.zsh_history\", \"/Users/.zsh_history\", \"/Users/*/.zsh_history\")) or\n (process.name : \"history\" and process.args : \"-c\") or\n (process.args : \"export\" and process.args : (\"HISTFILE=/dev/null\", \"HISTFILESIZE=0\")) or\n (process.args : \"unset\" and process.args : \"HISTFILE\") or\n (process.args : \"set\" and process.args : \"history\" and process.args : \"+o\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", 
"Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.003", "name": "Clear Command History", "reference": "https://attack.mitre.org/techniques/T1070/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_103.json b/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_103.json deleted file mode 100644 index 698b18a940f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Tampering of Bash Command-Line History", "note": "", "query": "process where event.type in (\"start\", \"process_started\") and\n (\n ((process.args : (\"rm\", \"echo\") or\n (process.args : \"ln\" and process.args : \"-sf\" and process.args : \"/dev/null\") or\n (process.args : \"truncate\" and process.args : \"-s0\"))\n and process.args : (\".bash_history\", \"/root/.bash_history\", \"/home/*/.bash_history\",\"/Users/.bash_history\", \"/Users/*/.bash_history\",\n \".zsh_history\", \"/root/.zsh_history\", \"/home/*/.zsh_history\", \"/Users/.zsh_history\", \"/Users/*/.zsh_history\")) or\n (process.name : \"history\" and process.args : \"-c\") or\n (process.args : \"export\" and process.args : (\"HISTFILE=/dev/null\", \"HISTFILESIZE=0\")) or\n (process.args : \"unset\" and process.args : \"HISTFILE\") or\n (process.args : \"set\" and process.args : \"history\" and process.args : \"+o\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", 
"Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.003", "name": "Clear Command History", "reference": "https://attack.mitre.org/techniques/T1070/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_104.json b/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_104.json deleted file mode 100644 index 9c2aa8ba3a4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Tampering of Bash Command-Line History", "query": "process where event.type in (\"start\", \"process_started\") and\n (\n ((process.args : (\"rm\", \"echo\") or\n (process.args : \"ln\" and process.args : \"-sf\" and process.args : \"/dev/null\") or\n (process.args : \"truncate\" and process.args : \"-s0\"))\n and process.args : (\".bash_history\", \"/root/.bash_history\", \"/home/*/.bash_history\",\"/Users/.bash_history\", \"/Users/*/.bash_history\",\n \".zsh_history\", \"/root/.zsh_history\", \"/home/*/.zsh_history\", \"/Users/.zsh_history\", \"/Users/*/.zsh_history\")) or\n (process.name : \"history\" and process.args : \"-c\") or\n (process.args : \"export\" and process.args : (\"HISTFILE=/dev/null\", \"HISTFILESIZE=0\")) or\n (process.args : \"unset\" and process.args : \"HISTFILE\") or\n (process.args : \"set\" and process.args : \"history\" and process.args : \"+o\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.003", "name": "Clear Command History", "reference": "https://attack.mitre.org/techniques/T1070/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_105.json b/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_105.json deleted file mode 100644 index d69c7e939a9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Tampering of Shell Command-Line History", "query": "process where event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and event.type == \"start\" and\n (\n ((process.args : (\"rm\", \"echo\") or\n (process.args : \"ln\" and process.args : \"-sf\" and process.args : \"/dev/null\") or\n (process.args : \"truncate\" and process.args : \"-s0\"))\n and process.args : (\".bash_history\", \"/root/.bash_history\", \"/home/*/.bash_history\",\"/Users/.bash_history\", \"/Users/*/.bash_history\",\n \".zsh_history\", \"/root/.zsh_history\", \"/home/*/.zsh_history\", \"/Users/.zsh_history\", \"/Users/*/.zsh_history\")) or\n (process.name : \"history\" and process.args : \"-c\") or\n (process.args : \"export\" and process.args : (\"HISTFILE=/dev/null\", \"HISTFILESIZE=0\")) or\n (process.args : \"unset\" and process.args : \"HISTFILE\") or\n (process.args : \"set\" and process.args : \"history\" and process.args : \"+o\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 
8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.003", "name": "Clear Command History", "reference": "https://attack.mitre.org/techniques/T1070/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_106.json b/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_106.json deleted file mode 100644 index 415cf2cffbd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7bcbb3ac-e533-41ad-a612-d6c3bf666aba_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may attempt to clear or disable the Bash command-line history in an attempt to evade detection or forensic investigations.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Tampering of Shell Command-Line History", "query": "process where event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and event.type == \"start\" and\n (\n ((process.args : (\"rm\", \"echo\") or\n (process.args : \"ln\" and process.args : \"-sf\" and process.args : \"/dev/null\") or\n (process.args : \"truncate\" and process.args : \"-s0\"))\n and process.args : (\".bash_history\", \"/root/.bash_history\", \"/home/*/.bash_history\",\"/Users/.bash_history\", \"/Users/*/.bash_history\",\n \".zsh_history\", \"/root/.zsh_history\", \"/home/*/.zsh_history\", \"/Users/.zsh_history\", \"/Users/*/.zsh_history\")) or\n (process.args : \"history\" and process.args : \"-c\") or\n (process.args : \"export\" and process.args : (\"HISTFILE=/dev/null\", \"HISTFILESIZE=0\")) or\n (process.args : \"unset\" and process.args : \"HISTFILE\") or\n (process.args : \"set\" and process.args : \"history\" and process.args : \"+o\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 47, "rule_id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will 
need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.003", "name": "Clear Command History", "reference": "https://attack.mitre.org/techniques/T1070/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "7bcbb3ac-e533-41ad-a612-d6c3bf666aba_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7c2e1297-7664-42bc-af11-6d5d35220b6b.json b/packages/security_detection_engine/kibana/security_rule/7c2e1297-7664-42bc-af11-6d5d35220b6b.json deleted file mode 100644 index f1abece5b61..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7c2e1297-7664-42bc-af11-6d5d35220b6b.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects file creation events in the configuration directory for the APT package manager. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on (by default) Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "APT Package Manager Configuration File Creation", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and\nfile.path : \"/etc/apt/apt.conf.d/*\" and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/libexec/netplan/generate\",\n \"/usr/local/bin/apt-get\", \"/usr/bin/apt-get\"\n ) or\n file.path 
:(\"/etc/apt/apt.conf.d/*.tmp*\") or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/*\", \"/usr/libexec/*\",\n \"/etc/kernel/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://packetstormsecurity.com/files/152668/APT-Package-Manager-Persistence.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "7c2e1297-7664-42bc-af11-6d5d35220b6b", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.016", "name": "Installer Packages", "reference": "https://attack.mitre.org/techniques/T1546/016/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "7c2e1297-7664-42bc-af11-6d5d35220b6b", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/7c2e1297-7664-42bc-af11-6d5d35220b6b_1.json b/packages/security_detection_engine/kibana/security_rule/7c2e1297-7664-42bc-af11-6d5d35220b6b_1.json
deleted file mode 100644
index b6406b310fd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7c2e1297-7664-42bc-af11-6d5d35220b6b_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects file creation events in the configuration directory for the APT package manager. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on (by default) Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "APT Package Manager Configuration File Creation", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and\nfile.path : \"/etc/apt/apt.conf.d/*\" and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/libexec/netplan/generate\",\n \"/usr/local/bin/apt-get\", \"/usr/bin/apt-get\"\n ) or\n file.path 
:(\"/etc/apt/apt.conf.d/*.tmp*\") or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/*\", \"/usr/libexec/*\",\n \"/etc/kernel/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://packetstormsecurity.com/files/152668/APT-Package-Manager-Persistence.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "7c2e1297-7664-42bc-af11-6d5d35220b6b", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "7c2e1297-7664-42bc-af11-6d5d35220b6b_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7c2e1297-7664-42bc-af11-6d5d35220b6b_2.json b/packages/security_detection_engine/kibana/security_rule/7c2e1297-7664-42bc-af11-6d5d35220b6b_2.json
deleted file mode 100644
index 88c2c1650c3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7c2e1297-7664-42bc-af11-6d5d35220b6b_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects file creation events in the configuration directory for the APT package manager. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on (by default) Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "APT Package Manager Configuration File Creation", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and\nfile.path : \"/etc/apt/apt.conf.d/*\" and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/libexec/netplan/generate\",\n \"/usr/local/bin/apt-get\", \"/usr/bin/apt-get\"\n ) or\n file.path 
:(\"/etc/apt/apt.conf.d/*.tmp*\") or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/*\", \"/usr/libexec/*\",\n \"/etc/kernel/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://packetstormsecurity.com/files/152668/APT-Package-Manager-Persistence.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "7c2e1297-7664-42bc-af11-6d5d35220b6b", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.016", "name": "Installer Packages", "reference": "https://attack.mitre.org/techniques/T1546/016/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "7c2e1297-7664-42bc-af11-6d5d35220b6b_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/7c2e1297-7664-42bc-af11-6d5d35220b6b_3.json b/packages/security_detection_engine/kibana/security_rule/7c2e1297-7664-42bc-af11-6d5d35220b6b_3.json
deleted file mode 100644
index ba2b60ebc4c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7c2e1297-7664-42bc-af11-6d5d35220b6b_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects file creation events in the configuration directory for the APT package manager. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on (by default) Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "APT Package Manager Configuration File Creation", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and\nfile.path : \"/etc/apt/apt.conf.d/*\" and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/libexec/netplan/generate\",\n \"/usr/local/bin/apt-get\", \"/usr/bin/apt-get\"\n ) or\n file.path 
:(\"/etc/apt/apt.conf.d/*.tmp*\") or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/*\", \"/usr/libexec/*\",\n \"/etc/kernel/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://packetstormsecurity.com/files/152668/APT-Package-Manager-Persistence.html", "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "7c2e1297-7664-42bc-af11-6d5d35220b6b", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.016", "name": "Installer Packages", "reference": "https://attack.mitre.org/techniques/T1546/016/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "7c2e1297-7664-42bc-af11-6d5d35220b6b_3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce.json
deleted file mode 100644
index 3cbd7189305..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Google Workspace administrators whom manage Windows devices and have Windows device management enabled may also enable BitLocker drive encryption to mitigate unauthorized data access on lost or stolen computers. Adversaries with valid account access may disable BitLocker to access sensitive data on an endpoint added to Google Workspace device management.", "false_positives": ["Administrators may temporarily disabled Bitlocker on managed devices for maintenance, testing or to resolve potential endpoint conflicts."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Bitlocker Setting Disabled", "note": "## Triage and analysis\n\n### Investigating Google Workspace Bitlocker Setting Disabled\n\nBitLocker Drive Encryption is a data protection feature that integrates with the Windows operating system to address the data theft or exposure threats from lost, stolen, or inappropriately decommissioned computers. BitLocker helps mitigate unauthorized data access by enhancing file and system protections, such as data encryption and rendering data inaccessible. 
Google Workspace can sync with Windows endpoints that are registered in inventory, where BitLocker can be enabled and disabled.\n\nDisabling Bitlocker on an endpoint decrypts data at rest and makes it accessible, which raises the risk of exposing sensitive endpoint data.\n\nThis rule identifies a user with administrative privileges and access to the admin console, disabling BitLocker for Windows endpoints.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- After identifying the user, verify if the user should have administrative privileges to disable BitLocker on Windows endpoints.\n- From the Google Workspace admin console, review `Reporting > Audit` and `Investigation > Device` logs, filtering on the user email identified from the alert.\n - If a Google Workspace user logged into their account using a potentially compromised account, this will create an `Device sync event` event.\n\n### False positive analysis\n\n- An administrator may have intentionally disabled BitLocker for routine maintenance or endpoint updates.\n - Verify with the user that they intended to disable BitLocker on Windows endpoints.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all 
compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CHANGE_APPLICATION_SETTING\" and event.category:(iam or configuration)\n and google_workspace.admin.new_value:\"Disabled\" and google_workspace.admin.setting.name:BitLocker*\n", "references": ["https://support.google.com/a/answer/9176657?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.new_value", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.setting.name", "type": "keyword"}], "risk_score": 47, "rule_id": "7caa8e60-2df0-11ed-b814-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Configuration Audit", "Tactic: Defense Evasion", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "7caa8e60-2df0-11ed-b814-f661ea17fbce", "type": "security-rule"} \ No newline at end 
of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_104.json b/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_104.json
deleted file mode 100644
index 907df1fa18c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Google Workspace administrators whom manage Windows devices and have Windows device management enabled may also enable BitLocker drive encryption to mitigate unauthorized data access on lost or stolen computers. Adversaries with valid account access may disable BitLocker to access sensitive data on an endpoint added to Google Workspace device management.", "false_positives": ["Administrators may temporarily disabled Bitlocker on managed devices for maintenance, testing or to resolve potential endpoint conflicts."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Bitlocker Setting Disabled", "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CHANGE_APPLICATION_SETTING\" and event.category:(iam or configuration)\n and google_workspace.admin.new_value:\"Disabled\" and google_workspace.admin.setting.name:BitLocker*\n", "references": ["https://support.google.com/a/answer/9176657?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.new_value", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.setting.name", "type": "keyword"}], "risk_score": 47, "rule_id": "7caa8e60-2df0-11ed-b814-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Configuration Audit", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "7caa8e60-2df0-11ed-b814-f661ea17fbce_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_105.json
deleted file mode 100644
index 3538f4a68ed..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Google Workspace administrators whom manage Windows devices and have Windows device management enabled may also enable BitLocker drive encryption to mitigate unauthorized data access on lost or stolen computers. Adversaries with valid account access may disable BitLocker to access sensitive data on an endpoint added to Google Workspace device management.", "false_positives": ["Administrators may temporarily disabled Bitlocker on managed devices for maintenance, testing or to resolve potential endpoint conflicts."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Bitlocker Setting Disabled", "note": "## Triage and analysis\n\n### Investigating Google Workspace Bitlocker Setting Disabled\n\nBitLocker Drive Encryption is a data protection feature that integrates with the Windows operating system to address the data theft or exposure threats from lost, stolen, or inappropriately decommissioned computers. BitLocker helps mitigate unauthorized data access by enhancing file and system protections, such as data encryption and rendering data inaccessible. 
Google Workspace can sync with Windows endpoints that are registered in inventory, where BitLocker can be enabled and disabled.\n\nDisabling Bitlocker on an endpoint decrypts data at rest and makes it accessible, which raises the risk of exposing sensitive endpoint data.\n\nThis rule identifies a user with administrative privileges and access to the admin console, disabling BitLocker for Windows endpoints.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- After identifying the user, verify if the user should have administrative privileges to disable BitLocker on Windows endpoints.\n- From the Google Workspace admin console, review `Reporting > Audit` and `Investigation > Device` logs, filtering on the user email identified from the alert.\n - If a Google Workspace user logged into their account using a potentially compromised account, this will create an `Device sync event` event.\n\n### False positive analysis\n\n- An administrator may have intentionally disabled BitLocker for routine maintenance or endpoint updates.\n - Verify with the user that they intended to disable BitLocker on Windows endpoints.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all 
compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CHANGE_APPLICATION_SETTING\" and event.category:(iam or configuration)\n and google_workspace.admin.new_value:\"Disabled\" and google_workspace.admin.setting.name:BitLocker*\n", "references": ["https://support.google.com/a/answer/9176657?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.new_value", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.setting.name", "type": "keyword"}], "risk_score": 47, "rule_id": "7caa8e60-2df0-11ed-b814-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Configuration Audit", "Defense Evasion", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "7caa8e60-2df0-11ed-b814-f661ea17fbce_105", "type": "security-rule"} \ No newline at end 
of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_106.json b/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_106.json
deleted file mode 100644
index b642a32a18b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7caa8e60-2df0-11ed-b814-f661ea17fbce_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Google Workspace administrators whom manage Windows devices and have Windows device management enabled may also enable BitLocker drive encryption to mitigate unauthorized data access on lost or stolen computers. Adversaries with valid account access may disable BitLocker to access sensitive data on an endpoint added to Google Workspace device management.", "false_positives": ["Administrators may temporarily disabled Bitlocker on managed devices for maintenance, testing or to resolve potential endpoint conflicts."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Bitlocker Setting Disabled", "note": "## Triage and analysis\n\n### Investigating Google Workspace Bitlocker Setting Disabled\n\nBitLocker Drive Encryption is a data protection feature that integrates with the Windows operating system to address the data theft or exposure threats from lost, stolen, or inappropriately decommissioned computers. BitLocker helps mitigate unauthorized data access by enhancing file and system protections, such as data encryption and rendering data inaccessible. 
Google Workspace can sync with Windows endpoints that are registered in inventory, where BitLocker can be enabled and disabled.\n\nDisabling Bitlocker on an endpoint decrypts data at rest and makes it accessible, which raises the risk of exposing sensitive endpoint data.\n\nThis rule identifies a user with administrative privileges and access to the admin console, disabling BitLocker for Windows endpoints.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- After identifying the user, verify if the user should have administrative privileges to disable BitLocker on Windows endpoints.\n- From the Google Workspace admin console, review `Reporting > Audit` and `Investigation > Device` logs, filtering on the user email identified from the alert.\n - If a Google Workspace user logged into their account using a potentially compromised account, this will create an `Device sync event` event.\n\n### False positive analysis\n\n- An administrator may have intentionally disabled BitLocker for routine maintenance or endpoint updates.\n - Verify with the user that they intended to disable BitLocker on Windows endpoints.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all 
compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CHANGE_APPLICATION_SETTING\" and event.category:(iam or configuration)\n and google_workspace.admin.new_value:\"Disabled\" and google_workspace.admin.setting.name:BitLocker*\n", "references": ["https://support.google.com/a/answer/9176657?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.new_value", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.setting.name", "type": "keyword"}], "risk_score": 47, "rule_id": "7caa8e60-2df0-11ed-b814-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Configuration Audit", "Tactic: Defense Evasion", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "7caa8e60-2df0-11ed-b814-f661ea17fbce_106", "type": "security-rule"} \ No newline at 
end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7ce5e1c7-6a49-45e6-a101-0720d185667f.json b/packages/security_detection_engine/kibana/security_rule/7ce5e1c7-6a49-45e6-a101-0720d185667f.json
deleted file mode 100644
index 9f8396b5e08..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7ce5e1c7-6a49-45e6-a101-0720d185667f.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects child processes spawned by Git hooks. Git hooks are scripts that Git executes before or after events such as commit, push, and receive. The rule identifies child processes spawned by Git hooks that are not typically spawned by the Git process itself. This behavior may indicate an attacker attempting to hide malicious activity by leveraging the legitimate Git process to execute unauthorized commands.", "from": "now-9m", "index": ["logs-endpoint.events.process*"], "language": "eql", "license": "Elastic License v2", "name": "Git Hook Child Process", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.parent.name in (\n \"applypatch-msg\", \"commit-msg\", \"fsmonitor-watchman\", \"post-update\", \"post-checkout\", \"post-commit\",\n \"pre-applypatch\", \"pre-commit\", \"pre-merge-commit\", \"prepare-commit-msg\", \"pre-push\", \"pre-rebase\", \"pre-receive\",\n \"push-to-checkout\", \"update\", \"post-receive\", \"pre-auto-gc\", \"post-rewrite\", \"sendemail-validate\", \"p4-pre-submit\",\n \"post-index-change\", \"post-merge\", \"post-applypatch\"\n) and (\n process.name in (\"nohup\", \"setsid\", \"disown\", \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") or \n process.name : (\"php*\", \"perl*\", \"ruby*\", \"lua*\") or \n process.executable : (\n \"/boot/*\", \"/dev/shm/*\", \"/etc/cron.*/*\", \"/etc/init.d/*\", \"/etc/update-motd.d/*\",\n \"/run/*\", \"/srv/*\", \"/tmp/*\", \"/var/tmp/*\", \"/var/log/*\"\n )\n) and not process.name in (\"git\", \"dirname\")\n", "references": ["https://git-scm.com/docs/githooks/2.26.0"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, 
{"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "7ce5e1c7-6a49-45e6-a101-0720d185667f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "7ce5e1c7-6a49-45e6-a101-0720d185667f", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/7ce5e1c7-6a49-45e6-a101-0720d185667f_1.json b/packages/security_detection_engine/kibana/security_rule/7ce5e1c7-6a49-45e6-a101-0720d185667f_1.json
deleted file mode 100644
index d776c391a6a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7ce5e1c7-6a49-45e6-a101-0720d185667f_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects child processes spawned by Git hooks. Git hooks are scripts that Git executes before or after events such as commit, push, and receive. The rule identifies child processes spawned by Git hooks that are not typically spawned by the Git process itself. This behavior may indicate an attacker attempting to hide malicious activity by leveraging the legitimate Git process to execute unauthorized commands.", "from": "now-9m", "index": ["logs-endpoint.events.process*"], "language": "eql", "license": "Elastic License v2", "name": "Git Hook Child Process", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.parent.name in (\n \"applypatch-msg\", \"commit-msg\", \"fsmonitor-watchman\", \"post-update\", \"post-checkout\", \"post-commit\",\n \"pre-applypatch\", \"pre-commit\", \"pre-merge-commit\", \"prepare-commit-msg\", \"pre-push\", \"pre-rebase\", \"pre-receive\",\n \"push-to-checkout\", \"update\", \"post-receive\", \"pre-auto-gc\", \"post-rewrite\", \"sendemail-validate\", \"p4-pre-submit\",\n \"post-index-change\", \"post-merge\", \"post-applypatch\"\n) and (\n process.name in (\"nohup\", \"setsid\", \"disown\", \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") or \n process.name : (\"php*\", \"perl*\", \"ruby*\", \"lua*\") or \n process.executable : (\n \"/boot/*\", \"/dev/shm/*\", \"/etc/cron.*/*\", \"/etc/init.d/*\", \"/etc/update-motd.d/*\",\n \"/run/*\", \"/srv/*\", \"/tmp/*\", \"/var/tmp/*\", \"/var/log/*\"\n )\n) and not process.name in (\"git\", \"dirname\")\n", "references": ["https://git-scm.com/docs/githooks/2.26.0"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, 
{"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "7ce5e1c7-6a49-45e6-a101-0720d185667f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "7ce5e1c7-6a49-45e6-a101-0720d185667f_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623.json b/packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623.json
deleted file mode 100644
index 9d9b331f96c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a new service account is created in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If service accounts are not tracked and managed properly, they can present a security risk. An adversary may create a new service account to use during their operations in order to avoid using a standard user account and attempt to evade detection.", "false_positives": ["Service accounts can be created by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Service Account Creation", "note": "", "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success\n", "references": ["https://cloud.google.com/iam/docs/service-accounts"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "7ceb2216-47dd-4e64-9433-cddc99727623", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "7ceb2216-47dd-4e64-9433-cddc99727623", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623_103.json b/packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623_103.json
deleted file mode 100644
index ac3fb4b1368..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7ceb2216-47dd-4e64-9433-cddc99727623_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a new service account is created in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. If service accounts are not tracked and managed properly, they can present a security risk. An adversary may create a new service account to use during their operations in order to avoid using a standard user account and attempt to evade detection.", "false_positives": ["Service accounts can be created by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Service Account Creation", "note": "", "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateServiceAccount and event.outcome:success\n", "references": ["https://cloud.google.com/iam/docs/service-accounts"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "7ceb2216-47dd-4e64-9433-cddc99727623", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "7ceb2216-47dd-4e64-9433-cddc99727623_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7d091a76-0737-11ef-8469-f661ea17fbcc.json b/packages/security_detection_engine/kibana/security_rule/7d091a76-0737-11ef-8469-f661ea17fbcc.json
deleted file mode 100644
index a432e41a436..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7d091a76-0737-11ef-8469-f661ea17fbcc.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when an Lambda Layer is added to an existing Lambda function. AWS layers are a way to share code and data across multiple functions. By adding a layer to an existing function, an attacker can persist or execute code in the context of the function.", "false_positives": ["Lambda function owners may add layers to their functions for legitimate purposes."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Lambda Layer Added to Existing Function", "note": "## Triage and Analysis\n\n### Investigating AWS Lambda Layer Added to Existing Function\n\nThis rule detects when a Lambda layer is added to an existing Lambda function. AWS Lambda layers are a mechanism for sharing code and data across multiple functions. By adding a layer to an existing function, an attacker can persist or execute code in the context of the function. Understanding the context and legitimacy of such changes is crucial to determine if the action is benign or malicious.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific layer added to the Lambda function. Look for any unusual parameters that could suggest unauthorized or malicious modifications.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. 
An external or unexpected location might indicate compromised credentials or unauthorized access.\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the change occurred. Modifications during non-business hours or outside regular maintenance windows might require further scrutiny.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the addition of the Lambda layer aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the change was successful and intended according to policy.\n\n### Response and Remediation:\n\n- **Immediate Review and Reversal if Necessary**: If the change was unauthorized, remove the added layer from the Lambda function to mitigate any unintended code execution or persistence.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive functions or layers.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning Lambda function management and the use of layers.\n- **Audit Lambda Functions and Policies**: Conduct a comprehensive audit of all Lambda functions and associated policies to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security 
breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing Lambda functions and securing AWS environments, refer to the [AWS Lambda documentation](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) and AWS best practices for security. Additionally, consult the following resources for specific details on Lambda layers and persistence techniques:\n- [AWS Lambda Layers Persistence](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence)\n- [AWS API PublishLayerVersion](https://docs.aws.amazon.com/lambda/latest/api/API_PublishLayerVersion.html)\n- [AWS API UpdateFunctionConfiguration](https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionConfiguration.html)\n\n", "query": "event.dataset: aws.cloudtrail\n and event.provider: lambda.amazonaws.com\n and event.outcome: success\n and event.action: (PublishLayerVersion* or UpdateFunctionConfiguration)\n", "references": ["https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence", "https://docs.aws.amazon.com/lambda/latest/api/API_PublishLayerVersion.html", "https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionConfiguration.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "7d091a76-0737-11ef-8469-f661ea17fbcc", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Lambda", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1648", "name": "Serverless Execution", "reference": "https://attack.mitre.org/techniques/T1648/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "7d091a76-0737-11ef-8469-f661ea17fbcc", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7d091a76-0737-11ef-8469-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/7d091a76-0737-11ef-8469-f661ea17fbcc_1.json deleted file mode 100644 index cf166bdfc3d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7d091a76-0737-11ef-8469-f661ea17fbcc_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when an Lambda Layer is added to an existing Lambda function. AWS layers are a way to share code and data across multiple functions. By adding a layer to an existing function, an attacker can persist or execute code in the context of the function.", "false_positives": ["Lambda function owners may add layers to their functions for legitimate purposes."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Lambda Layer Added to Existing Function", "note": "\n## Triage and Analysis\n\n### Investigating AWS Lambda Layer Added to Existing Function\n\nThis rule detects when a Lambda layer is added to an existing Lambda function. AWS Lambda layers are a mechanism for sharing code and data across multiple functions. By adding a layer to an existing function, an attacker can persist or execute code in the context of the function. Understanding the context and legitimacy of such changes is crucial to determine if the action is benign or malicious.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific layer added to the Lambda function. Look for any unusual parameters that could suggest unauthorized or malicious modifications.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. 
An external or unexpected location might indicate compromised credentials or unauthorized access.\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the change occurred. Modifications during non-business hours or outside regular maintenance windows might require further scrutiny.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the addition of the Lambda layer aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the change was successful and intended according to policy.\n\n### Response and Remediation:\n\n- **Immediate Review and Reversal if Necessary**: If the change was unauthorized, remove the added layer from the Lambda function to mitigate any unintended code execution or persistence.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive functions or layers.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning Lambda function management and the use of layers.\n- **Audit Lambda Functions and Policies**: Conduct a comprehensive audit of all Lambda functions and associated policies to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security 
breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing Lambda functions and securing AWS environments, refer to the [AWS Lambda documentation](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) and AWS best practices for security. Additionally, consult the following resources for specific details on Lambda layers and persistence techniques:\n- [AWS Lambda Layers Persistence](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence)\n- [AWS API PublishLayerVersion](https://docs.aws.amazon.com/lambda/latest/api/API_PublishLayerVersion.html)\n- [AWS API UpdateFunctionConfiguration](https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionConfiguration.html)\n\n", "query": "event.dataset: aws.cloudtrail\n and event.provider: lambda.amazonaws.com\n and event.outcome: success\n and event.action: (PublishLayerVersion* or UpdateFunctionConfiguration)\n", "references": ["https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence", "https://docs.aws.amazon.com/lambda/latest/api/API_PublishLayerVersion.html", "https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionConfiguration.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "7d091a76-0737-11ef-8469-f661ea17fbcc", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Lambda", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1648", "name": "Serverless Execution", "reference": "https://attack.mitre.org/techniques/T1648/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "7d091a76-0737-11ef-8469-f661ea17fbcc_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7df3cb8b-5c0c-4228-b772-bb6cd619053c.json b/packages/security_detection_engine/kibana/security_rule/7df3cb8b-5c0c-4228-b772-bb6cd619053c.json deleted file mode 100644 index b28c1e08527..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7df3cb8b-5c0c-4228-b772-bb6cd619053c.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies the creation of SSH keys using the ssh-keygen tool, which is the standard utility for generating SSH keys. Users often create SSH keys for authentication with remote services. However, threat actors can exploit this tool to move laterally across a network or maintain persistence by generating unauthorized SSH keys, granting them SSH access to systems.", "from": "now-9m", "index": ["logs-endpoint.events.file*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "SSH Key Generated via ssh-keygen", "query": "file where host.os.type == \"linux\" and event.action in (\"creation\", \"file_create_event\") and\nprocess.executable == \"/usr/bin/ssh-keygen\" and file.path : (\"/home/*/.ssh/*\", \"/root/.ssh/*\", \"/etc/ssh/*\") and\nnot file.name : \"known_hosts.*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "7df3cb8b-5c0c-4228-b772-bb6cd619053c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.004", "name": "SSH Authorized Keys", "reference": "https://attack.mitre.org/techniques/T1098/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}, {"id": "T1563", "name": "Remote Service Session Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "7df3cb8b-5c0c-4228-b772-bb6cd619053c", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7df3cb8b-5c0c-4228-b772-bb6cd619053c_1.json b/packages/security_detection_engine/kibana/security_rule/7df3cb8b-5c0c-4228-b772-bb6cd619053c_1.json deleted file mode 100644 index 0db66bb01ea..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7df3cb8b-5c0c-4228-b772-bb6cd619053c_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies the creation of SSH keys using the ssh-keygen tool, which is the standard utility for generating SSH keys. Users often create SSH keys for authentication with remote services. However, threat actors can exploit this tool to move laterally across a network or maintain persistence by generating unauthorized SSH keys, granting them SSH access to systems.", "from": "now-9m", "index": ["logs-endpoint.events.process*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "SSH Key Generated via ssh-keygen", "query": "file where host.os.type == \"linux\" and event.action in (\"creation\", \"file_create_event\") and\nprocess.executable == \"/usr/bin/ssh-keygen\" and file.path : (\"/home/*/.ssh/*\", \"/root/.ssh/*\", \"/etc/ssh/*\") and\nnot file.name : \"known_hosts.*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "7df3cb8b-5c0c-4228-b772-bb6cd619053c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.004", "name": "SSH Authorized Keys", "reference": "https://attack.mitre.org/techniques/T1098/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}, {"id": "T1563", "name": "Remote Service Session Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "7df3cb8b-5c0c-4228-b772-bb6cd619053c_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7df3cb8b-5c0c-4228-b772-bb6cd619053c_2.json b/packages/security_detection_engine/kibana/security_rule/7df3cb8b-5c0c-4228-b772-bb6cd619053c_2.json deleted file mode 100644 index 52e67fca562..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7df3cb8b-5c0c-4228-b772-bb6cd619053c_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies the creation of SSH keys using the ssh-keygen tool, which is the standard utility for generating SSH keys. Users often create SSH keys for authentication with remote services. However, threat actors can exploit this tool to move laterally across a network or maintain persistence by generating unauthorized SSH keys, granting them SSH access to systems.", "from": "now-9m", "index": ["logs-endpoint.events.file*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "SSH Key Generated via ssh-keygen", "query": "file where host.os.type == \"linux\" and event.action in (\"creation\", \"file_create_event\") and\nprocess.executable == \"/usr/bin/ssh-keygen\" and file.path : (\"/home/*/.ssh/*\", \"/root/.ssh/*\", \"/etc/ssh/*\") and\nnot file.name : \"known_hosts.*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "7df3cb8b-5c0c-4228-b772-bb6cd619053c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.004", "name": "SSH Authorized Keys", "reference": "https://attack.mitre.org/techniques/T1098/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}, {"id": "T1563", "name": "Remote Service Session Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "7df3cb8b-5c0c-4228-b772-bb6cd619053c_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7dfaaa17-425c-4fe7-bd36-83705fde7c2b.json b/packages/security_detection_engine/kibana/security_rule/7dfaaa17-425c-4fe7-bd36-83705fde7c2b.json deleted file mode 100644 index d17463059c0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7dfaaa17-425c-4fe7-bd36-83705fde7c2b.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the elevation of regular user permissions to root permissions through the kworker process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process, and hijack the execution flow by hooking certain functions/syscalls through a rootkit in order to provide easy access to root via a special modified command.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Kworker UID Elevation", "query": "process where host.os.type == \"linux\" and event.action == \"session_id_change\" and process.name : \"kworker*\" and\nuser.id == \"0\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "7dfaaa17-425c-4fe7-bd36-83705fde7c2b", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.013", "name": "KernelCallbackTable", "reference": "https://attack.mitre.org/techniques/T1574/013/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "7dfaaa17-425c-4fe7-bd36-83705fde7c2b", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7dfaaa17-425c-4fe7-bd36-83705fde7c2b_1.json b/packages/security_detection_engine/kibana/security_rule/7dfaaa17-425c-4fe7-bd36-83705fde7c2b_1.json
deleted file mode 100644
index d845eb699e8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7dfaaa17-425c-4fe7-bd36-83705fde7c2b_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Monitors for the elevation of regular user permissions to root permissions through the kworker process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process, and hijack the execution flow by hooking certain functions/syscalls through a rootkit in order to provide easy access to root via a special modified command.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Kworker UID Elevation", "query": "process where host.os.type == \"linux\" and event.action == \"session_id_change\" and event.type == \"change\" and\nprocess.name : \"kworker*\" and user.id == \"0\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "7dfaaa17-425c-4fe7-bd36-83705fde7c2b", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.013", "name": "KernelCallbackTable", "reference": "https://attack.mitre.org/techniques/T1574/013/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "7dfaaa17-425c-4fe7-bd36-83705fde7c2b_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7e23dfef-da2c-4d64-b11d-5f285b638853.json b/packages/security_detection_engine/kibana/security_rule/7e23dfef-da2c-4d64-b11d-5f285b638853.json
deleted file mode 100644
index 54e49a8dfba..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7e23dfef-da2c-4d64-b11d-5f285b638853.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to open a Microsoft Management Console File from untrusted paths. Adversaries may use MSC files for initial access and execution.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Management Console File from Unusual Path", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"?:\\\\Windows\\\\System32\\\\mmc.exe\" and process.args : \"*.msc\" and\n not process.args : (\"?:\\\\Windows\\\\System32\\\\*.msc\", \"?:\\\\Windows\\\\SysWOW64\\\\*.msc\", \"?:\\\\Program files\\\\*.msc\", \"?:\\\\Program Files (x86)\\\\*.msc\")\n", "references": ["https://www.elastic.co/security-labs/grimresource"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "7e23dfef-da2c-4d64-b11d-5f285b638853", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command 
and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}, {"id": "T1059.007", "name": "JavaScript", "reference": "https://attack.mitre.org/techniques/T1059/007/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.014", "name": "MMC", "reference": "https://attack.mitre.org/techniques/T1218/014/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 205}, "id": "7e23dfef-da2c-4d64-b11d-5f285b638853", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7e23dfef-da2c-4d64-b11d-5f285b638853_103.json b/packages/security_detection_engine/kibana/security_rule/7e23dfef-da2c-4d64-b11d-5f285b638853_103.json
deleted file mode 100644
index 6c755d19e81..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7e23dfef-da2c-4d64-b11d-5f285b638853_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to open a Microsoft Management Console File from untrusted paths. Adversaries may use MSC files for initial access and execution.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Management Console File from Unusual Path", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"?:\\\\Windows\\\\System32\\\\mmc.exe\" and process.args : \"*.msc\" and\n not process.args : (\"?:\\\\Windows\\\\System32\\\\*.msc\", \"?:\\\\Windows\\\\SysWOW64\\\\*.msc\", \"?:\\\\Program files\\\\*.msc\", \"?:\\\\Program Files (x86)\\\\*.msc\")\n", "references": ["https://www.elastic.co/security-labs/grimresource"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "7e23dfef-da2c-4d64-b11d-5f285b638853", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting 
Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}, {"id": "T1059.007", "name": "JavaScript", "reference": "https://attack.mitre.org/techniques/T1059/007/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.014", "name": "MMC", "reference": "https://attack.mitre.org/techniques/T1218/014/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "7e23dfef-da2c-4d64-b11d-5f285b638853_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7e23dfef-da2c-4d64-b11d-5f285b638853_2.json b/packages/security_detection_engine/kibana/security_rule/7e23dfef-da2c-4d64-b11d-5f285b638853_2.json
deleted file mode 100644
index 5d3bc1cd6d0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7e23dfef-da2c-4d64-b11d-5f285b638853_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to open a Microsoft Management Console File from untrusted paths. Adversaries may use MSC files for initial access and execution.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Management Console File from Unusual Path", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"?:\\\\Windows\\\\System32\\\\mmc.exe\" and process.args : \"*.msc\" and\n not process.args : (\"?:\\\\Windows\\\\System32\\\\*.msc\", \"?:\\\\Windows\\\\SysWOW64\\\\*.msc\", \"?:\\\\Program files\\\\*.msc\", \"?:\\\\Program Files (x86)\\\\*.msc\")\n", "references": ["https://www.elastic.co/security-labs/grimresource"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "7e23dfef-da2c-4d64-b11d-5f285b638853", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting 
Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}, {"id": "T1059.007", "name": "JavaScript", "reference": "https://attack.mitre.org/techniques/T1059/007/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.014", "name": "MMC", "reference": "https://attack.mitre.org/techniques/T1218/014/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "7e23dfef-da2c-4d64-b11d-5f285b638853_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7e23dfef-da2c-4d64-b11d-5f285b638853_204.json b/packages/security_detection_engine/kibana/security_rule/7e23dfef-da2c-4d64-b11d-5f285b638853_204.json
deleted file mode 100644
index e624f9a2747..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7e23dfef-da2c-4d64-b11d-5f285b638853_204.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to open a Microsoft Management Console File from untrusted paths. Adversaries may use MSC files for initial access and execution.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Management Console File from Unusual Path", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"?:\\\\Windows\\\\System32\\\\mmc.exe\" and process.args : \"*.msc\" and\n not process.args : (\"?:\\\\Windows\\\\System32\\\\*.msc\", \"?:\\\\Windows\\\\SysWOW64\\\\*.msc\", \"?:\\\\Program files\\\\*.msc\", \"?:\\\\Program Files (x86)\\\\*.msc\")\n", "references": ["https://www.elastic.co/security-labs/grimresource"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "7e23dfef-da2c-4d64-b11d-5f285b638853", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting 
Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}, {"id": "T1059.007", "name": "JavaScript", "reference": "https://attack.mitre.org/techniques/T1059/007/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.014", "name": "MMC", "reference": "https://attack.mitre.org/techniques/T1218/014/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 204}, "id": "7e23dfef-da2c-4d64-b11d-5f285b638853_204", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7e23dfef-da2c-4d64-b11d-5f285b638853_205.json b/packages/security_detection_engine/kibana/security_rule/7e23dfef-da2c-4d64-b11d-5f285b638853_205.json
deleted file mode 100644
index 653c3031d57..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7e23dfef-da2c-4d64-b11d-5f285b638853_205.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to open a Microsoft Management Console File from untrusted paths. Adversaries may use MSC files for initial access and execution.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Management Console File from Unusual Path", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"?:\\\\Windows\\\\System32\\\\mmc.exe\" and process.args : \"*.msc\" and\n not process.args : (\"?:\\\\Windows\\\\System32\\\\*.msc\", \"?:\\\\Windows\\\\SysWOW64\\\\*.msc\", \"?:\\\\Program files\\\\*.msc\", \"?:\\\\Program Files (x86)\\\\*.msc\")\n", "references": ["https://www.elastic.co/security-labs/grimresource"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "7e23dfef-da2c-4d64-b11d-5f285b638853", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command 
and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}, {"id": "T1059.007", "name": "JavaScript", "reference": "https://attack.mitre.org/techniques/T1059/007/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.014", "name": "MMC", "reference": "https://attack.mitre.org/techniques/T1218/014/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 205}, "id": "7e23dfef-da2c-4d64-b11d-5f285b638853_205", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7e23dfef-da2c-4d64-b11d-5f285b638853_305.json b/packages/security_detection_engine/kibana/security_rule/7e23dfef-da2c-4d64-b11d-5f285b638853_305.json
deleted file mode 100644
index b1aca6ea7a1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7e23dfef-da2c-4d64-b11d-5f285b638853_305.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to open a Microsoft Management Console File from untrusted paths. Adversaries may use MSC files for initial access and execution.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Management Console File from Unusual Path", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"?:\\\\Windows\\\\System32\\\\mmc.exe\" and process.args : \"*.msc\" and\n not process.args : (\"?:\\\\Windows\\\\System32\\\\*.msc\", \"?:\\\\Windows\\\\SysWOW64\\\\*.msc\", \"?:\\\\Program files\\\\*.msc\", \"?:\\\\Program Files (x86)\\\\*.msc\")\n", "references": ["https://www.elastic.co/security-labs/grimresource"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "7e23dfef-da2c-4d64-b11d-5f285b638853", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command 
and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}, {"id": "T1059.007", "name": "JavaScript", "reference": "https://attack.mitre.org/techniques/T1059/007/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.014", "name": "MMC", "reference": "https://attack.mitre.org/techniques/T1218/014/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 305}, "id": "7e23dfef-da2c-4d64-b11d-5f285b638853_305", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7e23dfef-da2c-4d64-b11d-5f285b638853_306.json b/packages/security_detection_engine/kibana/security_rule/7e23dfef-da2c-4d64-b11d-5f285b638853_306.json
deleted file mode 100644
index f4811b67514..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7e23dfef-da2c-4d64-b11d-5f285b638853_306.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to open a Microsoft Management Console File from untrusted paths. Adversaries may use MSC files for initial access and execution.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Management Console File from Unusual Path", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"?:\\\\Windows\\\\System32\\\\mmc.exe\" and process.args : \"*.msc\" and\n not process.args : (\"?:\\\\Windows\\\\System32\\\\*.msc\", \"?:\\\\Windows\\\\SysWOW64\\\\*.msc\", \"?:\\\\Program files\\\\*.msc\", \"?:\\\\Program Files (x86)\\\\*.msc\")\n", "references": ["https://www.elastic.co/security-labs/grimresource"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "7e23dfef-da2c-4d64-b11d-5f285b638853", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, 
"technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}, {"id": "T1059.007", "name": "JavaScript", "reference": "https://attack.mitre.org/techniques/T1059/007/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.014", "name": "MMC", "reference": "https://attack.mitre.org/techniques/T1218/014/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 306}, "id": "7e23dfef-da2c-4d64-b11d-5f285b638853_306", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6.json b/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6.json
deleted file mode 100644
index 7b00afb6036..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of an allowlist bypass.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WMIC XSL Script Execution", "query": "sequence by process.entity_id with maxspan = 2m\n[process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"WMIC.exe\" or process.pe.original_file_name : \"wmic.exe\") and\n process.args : (\"format*:*\", \"/format*:*\", \"*-format*:*\") and\n not process.command_line : (\"* /format:table *\", \"* /format:table\")]\n[any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : (\"jscript.dll\", \"vbscript.dll\") or file.name : (\"jscript.dll\", \"vbscript.dll\"))]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6", "severity": 
"medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1220", "name": "XSL Script Processing", "reference": "https://attack.mitre.org/techniques/T1220/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "type": "eql", "version": 109}, "id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_103.json b/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_103.json
deleted file mode 100644
index fc63afacc71..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of an allowlist bypass.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WMIC XSL Script Execution", "query": "sequence by process.entity_id with maxspan = 2m\n[process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"WMIC.exe\" or process.pe.original_file_name : \"wmic.exe\") and\n process.args : (\"format*:*\", \"/format*:*\", \"*-format*:*\") and\n not process.command_line : \"* /format:table *\"]\n[any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"jscript.dll\", \"vbscript.dll\") or file.name : (\"jscript.dll\", \"vbscript.dll\"))]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense 
Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1220", "name": "XSL Script Processing", "reference": "https://attack.mitre.org/techniques/T1220/"}]}], "type": "eql", "version": 103}, "id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_104.json b/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_104.json
deleted file mode 100644
index bed8f555a33..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of an allowlist bypass.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WMIC XSL Script Execution", "query": "sequence by process.entity_id with maxspan = 2m\n[process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"WMIC.exe\" or process.pe.original_file_name : \"wmic.exe\") and\n process.args : (\"format*:*\", \"/format*:*\", \"*-format*:*\") and\n not process.command_line : \"* /format:table *\"]\n[any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"jscript.dll\", \"vbscript.dll\") or file.name : (\"jscript.dll\", \"vbscript.dll\"))]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", 
"Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1220", "name": "XSL Script Processing", "reference": "https://attack.mitre.org/techniques/T1220/"}]}], "type": "eql", "version": 104}, "id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_105.json b/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_105.json
deleted file mode 100644
index 8fa01e2d33e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of an allowlist bypass.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WMIC XSL Script Execution", "query": "sequence by process.entity_id with maxspan = 2m\n[process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"WMIC.exe\" or process.pe.original_file_name : \"wmic.exe\") and\n process.args : (\"format*:*\", \"/format*:*\", \"*-format*:*\") and\n not process.command_line : \"* /format:table *\"]\n[any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"jscript.dll\", \"vbscript.dll\") or file.name : (\"jscript.dll\", \"vbscript.dll\"))]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", 
"Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1220", "name": "XSL Script Processing", "reference": "https://attack.mitre.org/techniques/T1220/"}]}], "type": "eql", "version": 105}, "id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_106.json b/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_106.json deleted file mode 100644 index 62dfbc0df46..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of an allowlist bypass.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WMIC XSL Script Execution", "query": "sequence by process.entity_id with maxspan = 2m\n[process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"WMIC.exe\" or process.pe.original_file_name : \"wmic.exe\") and\n process.args : (\"format*:*\", \"/format*:*\", \"*-format*:*\") and\n not process.command_line : \"* /format:table *\"]\n[any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"jscript.dll\", \"vbscript.dll\") or file.name : (\"jscript.dll\", \"vbscript.dll\"))]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", 
"Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1220", "name": "XSL Script Processing", "reference": "https://attack.mitre.org/techniques/T1220/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "type": "eql", "version": 106}, "id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_107.json b/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_107.json deleted file mode 100644 index 77b4be94ddc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of an allowlist bypass.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WMIC XSL Script Execution", "query": "sequence by process.entity_id with maxspan = 2m\n[process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"WMIC.exe\" or process.pe.original_file_name : \"wmic.exe\") and\n process.args : (\"format*:*\", \"/format*:*\", \"*-format*:*\") and\n not process.command_line : (\"* /format:table *\", \"* /format:table\")]\n[any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"jscript.dll\", \"vbscript.dll\") or file.name : (\"jscript.dll\", \"vbscript.dll\"))]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use 
Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1220", "name": "XSL Script Processing", "reference": "https://attack.mitre.org/techniques/T1220/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "type": "eql", "version": 107}, "id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_108.json b/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_108.json deleted file mode 100644 index b55c52e4011..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of an allowlist bypass.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WMIC XSL Script Execution", "query": "sequence by process.entity_id with maxspan = 2m\n[process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"WMIC.exe\" or process.pe.original_file_name : \"wmic.exe\") and\n process.args : (\"format*:*\", \"/format*:*\", \"*-format*:*\") and\n not process.command_line : (\"* /format:table *\", \"* /format:table\")]\n[any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : (\"jscript.dll\", \"vbscript.dll\") or file.name : (\"jscript.dll\", \"vbscript.dll\"))]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6", "severity": "medium", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1220", "name": "XSL Script Processing", "reference": "https://attack.mitre.org/techniques/T1220/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "type": "eql", "version": 108}, "id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_109.json b/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_109.json deleted file mode 100644 index ca04ebfbb6d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7f370d54-c0eb-4270-ac5a-9a6020585dc6_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting libraries it may be indicative of an allowlist bypass.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WMIC XSL Script Execution", "query": "sequence by process.entity_id with maxspan = 2m\n[process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"WMIC.exe\" or process.pe.original_file_name : \"wmic.exe\") and\n process.args : (\"format*:*\", \"/format*:*\", \"*-format*:*\") and\n not process.command_line : (\"* /format:table *\", \"* /format:table\")]\n[any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : (\"jscript.dll\", \"vbscript.dll\") or file.name : (\"jscript.dll\", \"vbscript.dll\"))]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6", "severity": 
"medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1220", "name": "XSL Script Processing", "reference": "https://attack.mitre.org/techniques/T1220/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "type": "eql", "version": 109}, "id": "7f370d54-c0eb-4270-ac5a-9a6020585dc6_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7f89afef-9fc5-4e7b-bf16-75ffdf27f8db.json b/packages/security_detection_engine/kibana/security_rule/7f89afef-9fc5-4e7b-bf16-75ffdf27f8db.json deleted file mode 100644 index 11b327f135d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7f89afef-9fc5-4e7b-bf16-75ffdf27f8db.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of built-in tools attackers can use to check for Internet connectivity on compromised systems. These results may be used to determine communication capabilities with C2 servers, or to identify routes, redirectors, and proxy servers.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Discovery of Internet Capabilities via Built-in Tools", "new_terms_fields": ["host.id", "user.id", "process.command_line"], "query": "host.os.type:windows and event.category:process and event.type:start and \nprocess.name.caseless:(\"ping.exe\" or \"tracert.exe\" or \"pathping.exe\") and\nnot process.args:(\"127.0.0.1\" or \"0.0.0.0\" or \"localhost\" or \"::1\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": false, "name": "process.name.caseless", "type": "unknown"}], "risk_score": 21, "rule_id": "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/", "subtechnique": [{"id": "T1016.001", "name": "Internet Connection Discovery", "reference": "https://attack.mitre.org/techniques/T1016/001/"}]}]}], "timestamp_override": "event.ingested", "type": 
"new_terms", "version": 102}, "id": "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7f89afef-9fc5-4e7b-bf16-75ffdf27f8db_1.json b/packages/security_detection_engine/kibana/security_rule/7f89afef-9fc5-4e7b-bf16-75ffdf27f8db_1.json
deleted file mode 100644
index 9776c1833c2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7f89afef-9fc5-4e7b-bf16-75ffdf27f8db_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of built-in tools attackers can use to check for Internet connectivity on compromised systems. These results may be used to determine communication capabilities with C2 servers, or to identify routes, redirectors, and proxy servers.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Discovery of Internet Capabilities via Built-in Tools", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"ping.exe\", \"tracert.exe\", \"pathping.exe\") and\n not process.args : (\"127.0.0.1\", \"::1\", \"0.0.0.0\", \"192.168.*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/", "subtechnique": [{"id": "T1016.001", "name": "Internet Connection Discovery", "reference": "https://attack.mitre.org/techniques/T1016/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/7f89afef-9fc5-4e7b-bf16-75ffdf27f8db_101.json b/packages/security_detection_engine/kibana/security_rule/7f89afef-9fc5-4e7b-bf16-75ffdf27f8db_101.json
deleted file mode 100644
index 91fd2e86294..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7f89afef-9fc5-4e7b-bf16-75ffdf27f8db_101.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of built-in tools attackers can use to check for Internet connectivity on compromised systems. These results may be used to determine communication capabilities with C2 servers, or to identify routes, redirectors, and proxy servers.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Discovery of Internet Capabilities via Built-in Tools", "new_terms_fields": ["host.id", "user.id", "process.command_line"], "query": "host.os.type:windows and event.category:process and event.type:start and \nprocess.name.caseless:(\"ping.exe\" or \"tracert.exe\" or \"pathping.exe\") and\nnot process.args:(\"127.0.0.1\" or \"0.0.0.0\" or \"localhost\" or \"1.1.1.1\" or \"1.2.3.4\" or \"::1\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": false, "name": "process.name.caseless", "type": "unknown"}], "risk_score": 21, "rule_id": "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/", "subtechnique": [{"id": "T1016.001", "name": "Internet Connection Discovery", "reference": "https://attack.mitre.org/techniques/T1016/001/"}]}]}], "timestamp_override": 
"event.ingested", "type": "new_terms", "version": 101}, "id": "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c.json b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c.json
deleted file mode 100644
index 603460cf402..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Systemd Timer Created", "note": "## Triage and analysis\n\n### Investigating Systemd Timer Created\n\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \n\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. \n\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the timer file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\n- Search for the systemd service file named similarly to the timer that was created.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%'\\nOR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%'\\nOR path LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE\\n'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%')\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\nLIKE 
'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE\\n'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user 
account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and file.path : (\n \"/etc/systemd/system/*\", \"/etc/systemd/user/*\", \"/usr/local/lib/systemd/system/*\",\n \"/lib/systemd/system/*\", \"/usr/lib/systemd/system/*\", \"/usr/lib/systemd/user/*\",\n \"/home/*/.config/systemd/user/*\", \"/home/*/.local/share/systemd/user/*\",\n \"/root/.config/systemd/user/*\", \"/root/.local/share/systemd/user/*\"\n) and file.extension == \"timer\" and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/bin/crio\", \"/usr/sbin/crond\",\n \"/opt/puppetlabs/puppet/bin/ruby\", \"/usr/libexec/platform-python\", \"/kaniko/kaniko-executor\",\n \"/usr/local/bin/dockerd\", \"/usr/bin/podman\", 
\"/bin/install\", \"/proc/self/exe\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "7fb500fa-8e24-4bd1-9480-2a819352602c", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.006", "name": "Systemd Timers", "reference": "https://attack.mitre.org/techniques/T1053/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 13}, "id": "7fb500fa-8e24-4bd1-9480-2a819352602c", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_1.json b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_1.json
deleted file mode 100644
index 765c14aaea8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "New Systemd Timer Created", "new_terms_fields": ["file.path", "process.name"], "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and file.extension : \"timer\" and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not \nprocess.executable : (\"/usr/bin/dpkg\" or \"/usr/bin/dockerd\" or \"/bin/rpm\")\n", "references": ["https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "7fb500fa-8e24-4bd1-9480-2a819352602c", "severity": "low", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.006", "name": "Systemd Timers", "reference": "https://attack.mitre.org/techniques/T1053/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "7fb500fa-8e24-4bd1-9480-2a819352602c_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_10.json b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_10.json
deleted file mode 100644
index 086581bebe0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_10.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "New Systemd Timer Created", "new_terms_fields": ["host.id", "file.path", "process.executable"], "note": "## Triage and analysis\n\n### Investigating New Systemd Timer Created\n\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \n\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. \n\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the timer file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\n- Search for the systemd service file named similarly to the timer that was created.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE\\n'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE '/home/user/.config/systemd/user/%' )\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\nLIKE '/home/{{user.name}}/.config/systemd/user/%' )\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and file.extension : \"timer\" and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not (\n (process.name : (\n \"docker\" or \"dockerd\" or \"dnf\" or \"yum\" or \"rpm\" or \"dpkg\" or \"executor\" or \"cloudflared\" or \"pacman\" or \"podman\" or \n \"pamac-daemon\"\n ))\n or (file.name:apt-*.timer)\n)\n", "references": ["https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "7fb500fa-8e24-4bd1-9480-2a819352602c", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.006", "name": "Systemd Timers", "reference": "https://attack.mitre.org/techniques/T1053/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 10}, "id": "7fb500fa-8e24-4bd1-9480-2a819352602c_10", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_11.json b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_11.json
deleted file mode 100644
index 7252aa7f78b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_11.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Systemd Timer Created", "note": "## Triage and analysis\n\n### Investigating Systemd Timer Created\n\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \n\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. \n\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the timer file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\n- Search for the systemd service file named similarly to the timer that was created.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%'\\nOR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%'\\nOR path LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%')\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\nLIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\nOR path 
LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and file.path : (\n \"/etc/systemd/system/*\", \"/usr/local/lib/systemd/system/*\", \"/lib/systemd/system/*\",\n \"/usr/lib/systemd/system/*\", \"/home/*/.config/systemd/user/*\", \"/home/*/.local/share/systemd/user/*\",\n \"/root/.config/systemd/user/*\", \"/root/.local/share/systemd/user/*\"\n) and file.extension == \"timer\" and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\"\n ) 
or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "7fb500fa-8e24-4bd1-9480-2a819352602c", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.006", "name": "Systemd Timers", "reference": "https://attack.mitre.org/techniques/T1053/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 11}, "id": "7fb500fa-8e24-4bd1-9480-2a819352602c_11", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_12.json b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_12.json
deleted file mode 100644
index 61904749e88..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_12.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Systemd Timer Created", "note": "## Triage and analysis\n\n### Investigating Systemd Timer Created\n\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \n\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. \n\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the timer file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\n- Search for the systemd service file named similarly to the timer that was created.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%'\\nOR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%'\\nOR path LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE\\n'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%')\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\nLIKE 
'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE\\n'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user 
account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and file.path : (\n \"/etc/systemd/system/*\", \"/etc/systemd/user/*\", \"/usr/local/lib/systemd/system/*\",\n \"/lib/systemd/system/*\", \"/usr/lib/systemd/system/*\", \"/usr/lib/systemd/user/*\",\n \"/home/*/.config/systemd/user/*\", \"/home/*/.local/share/systemd/user/*\",\n \"/root/.config/systemd/user/*\", \"/root/.local/share/systemd/user/*\"\n) and file.extension == \"timer\" and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", 
\"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "7fb500fa-8e24-4bd1-9480-2a819352602c", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.006", "name": "Systemd Timers", "reference": "https://attack.mitre.org/techniques/T1053/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 12}, "id": "7fb500fa-8e24-4bd1-9480-2a819352602c_12", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_13.json b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_13.json
deleted file mode 100644
index eaaf0ef21e2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_13.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Systemd Timer Created", "note": "## Triage and analysis\n\n### Investigating Systemd Timer Created\n\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \n\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. \n\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the timer file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\n- Search for the systemd service file named similarly to the timer that was created.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%'\\nOR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%'\\nOR path LIKE '/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE\\n'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%')\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\nLIKE 
'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%'\\nOR path LIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE\\n'/etc/systemd/user/%' OR path LIKE '/usr/lib/systemd/user/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user 
account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and file.path : (\n \"/etc/systemd/system/*\", \"/etc/systemd/user/*\", \"/usr/local/lib/systemd/system/*\",\n \"/lib/systemd/system/*\", \"/usr/lib/systemd/system/*\", \"/usr/lib/systemd/user/*\",\n \"/home/*/.config/systemd/user/*\", \"/home/*/.local/share/systemd/user/*\",\n \"/root/.config/systemd/user/*\", \"/root/.local/share/systemd/user/*\"\n) and file.extension == \"timer\" and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/bin/crio\", \"/usr/sbin/crond\",\n \"/opt/puppetlabs/puppet/bin/ruby\", \"/usr/libexec/platform-python\", \"/kaniko/kaniko-executor\",\n \"/usr/local/bin/dockerd\", \"/usr/bin/podman\", 
\"/bin/install\", \"/proc/self/exe\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "7fb500fa-8e24-4bd1-9480-2a819352602c", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.006", "name": "Systemd Timers", "reference": "https://attack.mitre.org/techniques/T1053/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 13}, "id": "7fb500fa-8e24-4bd1-9480-2a819352602c_13", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_14.json b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_14.json
deleted file mode 100644
index b713269fe5a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_14.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Systemd Timer Created", "note": "## Triage and analysis\n\n### Investigating Systemd Timer Created\n\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \n\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. \n\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the timer file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\n- Search for the systemd service file named similarly to the timer that was created.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE\\n'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE\\n'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path LIKE\\n'/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%' OR\\npath LIKE '/usr/lib/systemd/user/%')\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\nLIKE 
'/home/{{user.name}}/.config/systemd/user/%' OR path LIKE '/home/{{user.name}}/.local/share/systemd/user/%' OR path\\nLIKE '/root/.config/systemd/user/%' OR path LIKE '/root/.local/share/systemd/user/%' OR path LIKE '/etc/systemd/user/%'\\nOR path LIKE '/usr/lib/systemd/user/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user 
account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and file.path : (\n \"/etc/systemd/system/*\", \"/etc/systemd/user/*\", \"/usr/local/lib/systemd/system/*\",\n \"/lib/systemd/system/*\", \"/usr/lib/systemd/system/*\", \"/usr/lib/systemd/user/*\",\n \"/home/*/.config/systemd/user/*\", \"/home/*/.local/share/systemd/user/*\",\n \"/root/.config/systemd/user/*\", \"/root/.local/share/systemd/user/*\"\n) and file.extension == \"timer\" and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/bin/crio\", \"/usr/sbin/crond\",\n \"/opt/puppetlabs/puppet/bin/ruby\", \"/usr/libexec/platform-python\", \"/kaniko/kaniko-executor\",\n \"/usr/local/bin/dockerd\", \"/usr/bin/podman\", 
\"/bin/install\", \"/proc/self/exe\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/", "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "7fb500fa-8e24-4bd1-9480-2a819352602c", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.006", "name": "Systemd Timers", "reference": "https://attack.mitre.org/techniques/T1053/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 14}, "id": "7fb500fa-8e24-4bd1-9480-2a819352602c_14", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_2.json b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_2.json deleted file mode 100644 index 3ff092b44cc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "New Systemd Timer Created", "new_terms_fields": ["file.path", "process.name"], "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and file.extension : \"timer\" and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not \nprocess.executable : (\"/usr/bin/dpkg\" or \"/usr/bin/dockerd\" or \"/bin/rpm\")\n", "references": ["https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "7fb500fa-8e24-4bd1-9480-2a819352602c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.006", "name": "Systemd Timers", "reference": "https://attack.mitre.org/techniques/T1053/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "7fb500fa-8e24-4bd1-9480-2a819352602c_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_3.json b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_3.json deleted file mode 100644 index 8962a8ebe2c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "New Systemd Timer Created", "new_terms_fields": ["file.path", "process.name"], "note": "## Triage and analysis\n\n### Investigating New Systemd Timer Created\n\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \n\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. \n\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the timer file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\n- Search for the systemd service file named similarly to the timer that was created.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/user/.config/systemd/user/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and file.extension : \"timer\" and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not \nprocess.executable : (\"/usr/bin/dpkg\" or \"/usr/bin/dockerd\" or \"/bin/rpm\")\n", "references": ["https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "7fb500fa-8e24-4bd1-9480-2a819352602c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.006", "name": "Systemd Timers", "reference": "https://attack.mitre.org/techniques/T1053/006/"}]}]}], "timestamp_override": "event.ingested", 
"type": "new_terms", "version": 3}, "id": "7fb500fa-8e24-4bd1-9480-2a819352602c_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_4.json b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_4.json deleted file mode 100644 index b4ae9829840..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "New Systemd Timer Created", "new_terms_fields": ["file.path", "process.name"], "note": "## Triage and analysis\n\n### Investigating New Systemd Timer Created\n\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \n\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. \n\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the timer file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\n- Search for the systemd service file named similarly to the timer that was created.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/user/.config/systemd/user/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and file.extension : \"timer\" and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not \nprocess.executable : (\"/usr/bin/dpkg\" or \"/usr/bin/dockerd\" or \"/bin/rpm\" or \"/proc/self/exe\" or \"/usr/sbin/dockerd\")\n", "references": ["https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "7fb500fa-8e24-4bd1-9480-2a819352602c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.006", "name": "Systemd Timers", "reference": 
"https://attack.mitre.org/techniques/T1053/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 4}, "id": "7fb500fa-8e24-4bd1-9480-2a819352602c_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_5.json b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_5.json deleted file mode 100644 index fbbbb23f7f4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "New Systemd Timer Created", "new_terms_fields": ["file.path", "process.name"], "note": "## Triage and analysis\n\n### Investigating New Systemd Timer Created\n\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \n\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. \n\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the timer file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\n- Search for the systemd service file named similarly to the timer that was created.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/user/.config/systemd/user/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and file.extension : \"timer\" and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not process.name : (\"docker\" or \"dockerd\" or \"dnf\" or \"yum\" or \"rpm\" or \"dpkg\" or \"executor\")\n", "references": ["https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "7fb500fa-8e24-4bd1-9480-2a819352602c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.006", "name": "Systemd Timers", "reference": 
"https://attack.mitre.org/techniques/T1053/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 5}, "id": "7fb500fa-8e24-4bd1-9480-2a819352602c_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_6.json b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_6.json
deleted file mode 100644
index 5e3729e2862..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "New Systemd Timer Created", "new_terms_fields": ["host.id", "file.path", "process.executable"], "note": "## Triage and analysis\n\n### Investigating New Systemd Timer Created\n\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \n\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. \n\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the timer file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\n- Search for the systemd service file named similarly to the timer that was created.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/user/.config/systemd/user/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and file.extension : \"timer\" and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not process.name : (\n \"docker\" or \"dockerd\" or \"dnf\" or \"yum\" or \"rpm\" or \"dpkg\" or \"executor\" or \"cloudflared\"\n)\n", "references": ["https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "7fb500fa-8e24-4bd1-9480-2a819352602c", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.006", "name": "Systemd Timers", "reference": "https://attack.mitre.org/techniques/T1053/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 6}, "id": "7fb500fa-8e24-4bd1-9480-2a819352602c_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_7.json b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_7.json
deleted file mode 100644
index f52a95eb525..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "New Systemd Timer Created", "new_terms_fields": ["host.id", "file.path", "process.executable"], "note": "## Triage and analysis\n\n### Investigating New Systemd Timer Created\n\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \n\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. \n\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the timer file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\n- Search for the systemd service file named similarly to the timer that was created.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/user/.config/systemd/user/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and file.extension : \"timer\" and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not process.name : (\n \"docker\" or \"dockerd\" or \"dnf\" or \"yum\" or \"rpm\" or \"dpkg\" or \"executor\" or \"cloudflared\"\n)\n", "references": ["https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "7fb500fa-8e24-4bd1-9480-2a819352602c", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.006", "name": "Systemd Timers", "reference": "https://attack.mitre.org/techniques/T1053/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 7}, "id": "7fb500fa-8e24-4bd1-9480-2a819352602c_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_8.json b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_8.json
deleted file mode 100644
index 87bff05387f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "New Systemd Timer Created", "new_terms_fields": ["host.id", "file.path", "process.executable"], "note": "## Triage and analysis\n\n### Investigating New Systemd Timer Created\n\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \n\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. \n\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the timer file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\n- Search for the systemd service file named similarly to the timer that was created.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/user/.config/systemd/user/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and file.extension : \"timer\" and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not (\n (process.name : (\n \"docker\" or \"dockerd\" or \"dnf\" or \"yum\" or \"rpm\" or \"dpkg\" or \"executor\" or \"cloudflared\" or \"pacman\" or \"podman\" or \n \"pamac-daemon\"\n ))\n or (file.name:apt-*.timer)\n)\n", "references": ["https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "7fb500fa-8e24-4bd1-9480-2a819352602c", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.006", "name": "Systemd Timers", "reference": "https://attack.mitre.org/techniques/T1053/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 8}, "id": "7fb500fa-8e24-4bd1-9480-2a819352602c_8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_9.json b/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_9.json
deleted file mode 100644
index 79d0e80555d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7fb500fa-8e24-4bd1-9480-2a819352602c_9.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation of a systemd timer within any of the default systemd timer directories. Systemd timers can be used by an attacker to gain persistence, by scheduling the execution of a command or script. Similarly to cron/at, systemd timers can be set up to execute on boot time, or on a specific point in time, which allows attackers to regain access in case the connection to the infected asset was lost.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "New Systemd Timer Created", "new_terms_fields": ["host.id", "file.path", "process.executable"], "note": "## Triage and analysis\n\n### Investigating New Systemd Timer Created\n\nSystemd timers are used for scheduling and automating recurring tasks or services on Linux systems. \n\nAttackers can leverage systemd timers to run scripts, commands, or malicious software at system boot or on a set time interval by creating a systemd timer and a corresponding systemd service file. \n\nThis rule monitors the creation of new systemd timer files, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the timer file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate the currently enabled systemd timers through the following command `sudo systemctl list-timers`.\n- Search for the systemd service file named similarly to the timer that was created.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/user/.config/systemd/user/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd timers for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type : \"linux\" and event.action : (\"creation\" or \"file_create_event\") and file.extension : \"timer\" and\nfile.path : (/etc/systemd/system/* or /usr/local/lib/systemd/system/* or /lib/systemd/system/* or \n/usr/lib/systemd/system/* or /home/*/.config/systemd/user/*) and not (\n (process.name : (\n \"docker\" or \"dockerd\" or \"dnf\" or \"yum\" or \"rpm\" or \"dpkg\" or \"executor\" or \"cloudflared\" or \"pacman\" or \"podman\" or \n \"pamac-daemon\"\n ))\n or (file.name:apt-*.timer)\n)\n", "references": ["https://opensource.com/article/20/7/systemd-timers", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "7fb500fa-8e24-4bd1-9480-2a819352602c", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.006", "name": "Systemd Timers", "reference": "https://attack.mitre.org/techniques/T1053/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 9}, "id": "7fb500fa-8e24-4bd1-9480-2a819352602c_9", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7fda9bb2-fd28-11ee-85f9-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/7fda9bb2-fd28-11ee-85f9-f661ea17fbce.json
deleted file mode 100644
index cc94a04ee9f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7fda9bb2-fd28-11ee-85f9-f661ea17fbce.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential ransomware note being uploaded to an AWS S3 bucket. This rule detects the `PutObject` S3 API call with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.", "false_positives": ["Administrators may legitimately access, delete, and replace objects in S3 buckets. Ensure that the sequence of events is not part of a legitimate operation before taking action."], "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "Potential AWS S3 Bucket Ransomware Note Uploaded", "note": "\n## Triage and Analysis\n\n### Investigating Potential AWS S3 Bucket Ransomware Note Uploaded\n\nThis rule detects the `PutObject` S3 API call with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the `PutObject` action. Look for any unusual parameters that could suggest unauthorized or malicious modifications.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the ransom note was uploaded. 
Changes during non-business hours or outside regular maintenance windows might require further scrutiny.\n- **Inspect the Ransom Note**: Review the `aws.cloudtrail.request_parameters` for the `PutObject` action to identify the characteristics of the uploaded ransom note. Look for common ransomware file extensions such as `.txt`, `.note`, `.ransom`, or `.html`.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.\n- **Check for Object Deletion or Access**: Look for `DeleteObject`, `DeleteObjects`, or `GetObject` API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects before placing the ransom note.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the `PutObject` action aligns with scheduled updates, maintenance activities, or legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar activities performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the upload was successful and intended according to policy.\n\n### Response and Remediation:\n\n- **Immediate Review and Reversal if Necessary**: If the activity was unauthorized, remove the uploaded ransom notes from the S3 bucket and review the bucket's access logs for any suspicious activity.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar `PutObject` actions, especially those involving sensitive data or unusual file extensions.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware.\n- **Audit S3 Bucket Policies and Permissions**: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing S3 bucket security and protecting against ransomware, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on S3 ransomware protection:\n- [ERMETIC REPORT - AWS S3 Ransomware Exposure in the Wild](https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf)\n- [AWS S3 Ransomware Batch Deletion](https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion/)\n- [S3 Ransomware Part 1: Attack Vector](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)\n", "query": "from logs-aws.cloudtrail-*\n\n// any successful uploads via S3 API requests\n| where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"s3.amazonaws.com\"\n and event.action == \"PutObject\"\n and event.outcome == \"success\"\n\n// abstract object name from API request parameters\n| dissect aws.cloudtrail.request_parameters \"%{?ignore_values}key=%{object_name}}\"\n\n// regex on common ransomware note extensions\n| where object_name rlike \"(.*)(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)(.*)\"\n and not object_name rlike \"(.*)(AWSLogs|CloudTrail|access-logs)(.*)\"\n\n// aggregate by S3 bucket, resource and object name\n| stats note_upload_count = count(*) by tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name\n\n// filter for single occurrence to eliminate common upload operations\n| where note_upload_count == 1\n", "references": ["https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion/", "https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/"], "risk_score": 47, "rule_id": "7fda9bb2-fd28-11ee-85f9-f661ea17fbce", "setup": "AWS S3 data types need to be enabled in the CloudTrail trail configuration.", "severity": "medium", "tags": ["Domain: Cloud", 
"Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS S3", "Use Case: Threat Detection", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 2}, "id": "7fda9bb2-fd28-11ee-85f9-f661ea17fbce", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7fda9bb2-fd28-11ee-85f9-f661ea17fbce_1.json b/packages/security_detection_engine/kibana/security_rule/7fda9bb2-fd28-11ee-85f9-f661ea17fbce_1.json
deleted file mode 100644
index 8f2fcd4445d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7fda9bb2-fd28-11ee-85f9-f661ea17fbce_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potential ransomware note being uploaded to an AWS S3 bucket. This rule detects the `PutObject` S3 API call with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.", "false_positives": ["Administrators may legitimately access, delete, and replace objects in S3 buckets. Ensure that the sequence of events is not part of a legitimate operation before taking action."], "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "Potential AWS S3 Bucket Ransomware Note Uploaded", "note": "\n## Triage and Analysis\n\n### Investigating Potential AWS S3 Bucket Ransomware Note Uploaded\n\nThis rule detects the `PutObject` S3 API call with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the `PutObject` action. Look for any unusual parameters that could suggest unauthorized or malicious modifications.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the ransom note was uploaded. 
Changes during non-business hours or outside regular maintenance windows might require further scrutiny.\n- **Inspect the Ransom Note**: Review the `aws.cloudtrail.request_parameters` for the `PutObject` action to identify the characteristics of the uploaded ransom note. Look for common ransomware file extensions such as `.txt`, `.note`, `.ransom`, or `.html`.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.\n- **Check for Object Deletion or Access**: Look for `DeleteObject`, `DeleteObjects`, or `GetObject` API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects before placing the ransom note.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the `PutObject` action aligns with scheduled updates, maintenance activities, or legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar activities performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the upload was successful and intended according to policy.\n\n### Response and Remediation:\n\n- **Immediate Review and Reversal if Necessary**: If the activity was unauthorized, remove the uploaded ransom notes from the S3 bucket and review the bucket's access logs for any suspicious activity.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar `PutObject` actions, especially those involving sensitive data or unusual file extensions.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware.\n- **Audit S3 Bucket Policies and Permissions**: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing S3 bucket security and protecting against ransomware, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on S3 ransomware protection:\n- [ERMETIC REPORT - AWS S3 Ransomware Exposure in the Wild](https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf)\n- [AWS S3 Ransomware Batch Deletion](https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion/)\n- [S3 Ransomware Part 1: Attack Vector](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)\n", "query": "from logs-aws.cloudtrail-*\n\n// any successful uploads via S3 API requests\n| where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"s3.amazonaws.com\"\n and event.action == \"PutObject\"\n and event.outcome == \"success\"\n\n// abstract object name from API request parameters\n| dissect aws.cloudtrail.request_parameters \"%{?ignore_values}key=%{object_name}}\"\n\n// regex on common ransomware note extensions\n| where object_name rlike \"(.*).(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)\"\n\n// aggregate by S3 bucket, resource and object name\n| stats note_upload_count = count(*) by tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name\n\n// filter for single occurrence to eliminate common upload operations\n| where note_upload_count == 1\n", "references": ["https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion/", "https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/"], "risk_score": 47, "rule_id": "7fda9bb2-fd28-11ee-85f9-f661ea17fbce", "setup": "AWS S3 data types need to be enabled in the CloudTrail trail configuration.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS 
S3", "Use Case: Threat Detection", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "7fda9bb2-fd28-11ee-85f9-f661ea17fbce_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/7fda9bb2-fd28-11ee-85f9-f661ea17fbce_2.json b/packages/security_detection_engine/kibana/security_rule/7fda9bb2-fd28-11ee-85f9-f661ea17fbce_2.json
deleted file mode 100644
index 4bc472df965..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/7fda9bb2-fd28-11ee-85f9-f661ea17fbce_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potential ransomware note being uploaded to an AWS S3 bucket. This rule detects the `PutObject` S3 API call with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.", "false_positives": ["Administrators may legitimately access, delete, and replace objects in S3 buckets. Ensure that the sequence of events is not part of a legitimate operation before taking action."], "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "Potential AWS S3 Bucket Ransomware Note Uploaded", "note": "\n## Triage and Analysis\n\n### Investigating Potential AWS S3 Bucket Ransomware Note Uploaded\n\nThis rule detects the `PutObject` S3 API call with a common ransomware note file extension such as `.ransom`, or `.lock`. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the `PutObject` action. Look for any unusual parameters that could suggest unauthorized or malicious modifications.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the ransom note was uploaded. 
Changes during non-business hours or outside regular maintenance windows might require further scrutiny.\n- **Inspect the Ransom Note**: Review the `aws.cloudtrail.request_parameters` for the `PutObject` action to identify the characteristics of the uploaded ransom note. Look for common ransomware file extensions such as `.txt`, `.note`, `.ransom`, or `.html`.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.\n- **Check for Object Deletion or Access**: Look for `DeleteObject`, `DeleteObjects`, or `GetObject` API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects before placing the ransom note.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the `PutObject` action aligns with scheduled updates, maintenance activities, or legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar activities performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the upload was successful and intended according to policy.\n\n### Response and Remediation:\n\n- **Immediate Review and Reversal if Necessary**: If the activity was unauthorized, remove the uploaded ransom notes from the S3 bucket and review the bucket's access logs for any suspicious activity.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar `PutObject` actions, especially those involving sensitive data or unusual file extensions.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware.\n- **Audit S3 Bucket Policies and Permissions**: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing S3 bucket security and protecting against ransomware, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on S3 ransomware protection:\n- [ERMETIC REPORT - AWS S3 Ransomware Exposure in the Wild](https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf)\n- [AWS S3 Ransomware Batch Deletion](https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion/)\n- [S3 Ransomware Part 1: Attack Vector](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)\n", "query": "from logs-aws.cloudtrail-*\n\n// any successful uploads via S3 API requests\n| where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"s3.amazonaws.com\"\n and event.action == \"PutObject\"\n and event.outcome == \"success\"\n\n// abstract object name from API request parameters\n| dissect aws.cloudtrail.request_parameters \"%{?ignore_values}key=%{object_name}}\"\n\n// regex on common ransomware note extensions\n| where object_name rlike \"(.*)(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue)(.*)\"\n and not object_name rlike \"(.*)(AWSLogs|CloudTrail|access-logs)(.*)\"\n\n// aggregate by S3 bucket, resource and object name\n| stats note_upload_count = count(*) by tls.client.server_name, aws.cloudtrail.user_identity.arn, object_name\n\n// filter for single occurrence to eliminate common upload operations\n| where note_upload_count == 1\n", "references": ["https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf", "https://stratus-red-team.cloud/attack-techniques/AWS/aws.impact.s3-ransomware-batch-deletion/", "https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/"], "risk_score": 47, "rule_id": "7fda9bb2-fd28-11ee-85f9-f661ea17fbce", "setup": "AWS S3 data types need to be enabled in the CloudTrail trail configuration.", "severity": "medium", "tags": ["Domain: Cloud", 
"Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS S3", "Use Case: Threat Detection", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 2}, "id": "7fda9bb2-fd28-11ee-85f9-f661ea17fbce_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778.json b/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778.json
deleted file mode 100644
index ee36e4e1f9a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module using the /proc/modules filesystem. This filesystem is used by utilities such as lsmod and kmod to list the available kernel modules.", "false_positives": ["Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."], "from": "now-119m", "history_window_start": "now-7d", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Enumeration of Kernel Modules via Proc", "new_terms_fields": ["host.id", "process.executable"], "query": "host.os.type:linux and event.category:file and event.action:\"opened-file\" and file.path:\"/proc/modules\" and\nnot process.name:(grep or python* or chef-client)\n", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "80084fa9-8677-4453-8680-b891d3c0c778", "setup": "## Setup\n\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "low", "tags": ["Data Source: Auditd Manager", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 106}, "id": "80084fa9-8677-4453-8680-b891d3c0c778", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_1.json b/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_1.json
deleted file mode 100644
index 9778da1cb94..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module using the /proc/modules filesystem. This filesystem is used by utilities such as lsmod and kmod to list the available kernel modules.", "false_positives": ["Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."], "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Kernel Modules via Proc", "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. 
\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "file where host.os.type == \"linux\" and event.action == \"opened-file\" and \nfile.path == \"/proc/modules\" and not process.parent.pid == 1\n", "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}], "risk_score": 47, "rule_id": "80084fa9-8677-4453-8680-b891d3c0c778", "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "80084fa9-8677-4453-8680-b891d3c0c778_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_103.json b/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_103.json
deleted file mode 100644
index da5bf49db40..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module using the /proc/modules filesystem. This filesystem is used by utilities such as lsmod and kmod to list the available kernel modules.", "false_positives": ["Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."], "from": "now-119m", "history_window_start": "now-7d", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Enumeration of Kernel Modules via Proc", "new_terms_fields": ["host.id", "process.executable"], "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "host.os.type:linux and event.category:file and event.action:\"opened-file\" and file.path:\"/proc/modules\"\n", "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "80084fa9-8677-4453-8680-b891d3c0c778", "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "low", "tags": ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 103}, "id": "80084fa9-8677-4453-8680-b891d3c0c778_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_104.json b/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_104.json
deleted file mode 100644
index 551ef4f30e2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module using the /proc/modules filesystem. This filesystem is used by utilities such as lsmod and kmod to list the available kernel modules.", "false_positives": ["Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."], "from": "now-119m", "history_window_start": "now-7d", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Enumeration of Kernel Modules via Proc", "new_terms_fields": ["host.id", "process.executable"], "query": "host.os.type:linux and event.category:file and event.action:\"opened-file\" and file.path:\"/proc/modules\"\n", "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "80084fa9-8677-4453-8680-b891d3c0c778", "setup": "\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. 
The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "low", "tags": ["OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 104}, "id": "80084fa9-8677-4453-8680-b891d3c0c778_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_105.json b/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_105.json
deleted file mode 100644
index 1c82881ed03..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module using the /proc/modules filesystem. This filesystem is used by utilities such as lsmod and kmod to list the available kernel modules.", "false_positives": ["Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."], "from": "now-119m", "history_window_start": "now-7d", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Enumeration of Kernel Modules via Proc", "new_terms_fields": ["host.id", "process.executable"], "query": "host.os.type:linux and event.category:file and event.action:\"opened-file\" and file.path:\"/proc/modules\"\n", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "80084fa9-8677-4453-8680-b891d3c0c778", "setup": "\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "low", "tags": ["Data Source: Auditd Manager", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 105}, "id": "80084fa9-8677-4453-8680-b891d3c0c778_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_106.json b/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_106.json deleted file mode 100644 index 6f950dfdf01..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module using the /proc/modules filesystem. This filesystem is used by utilities such as lsmod and kmod to list the available kernel modules.", "false_positives": ["Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."], "from": "now-119m", "history_window_start": "now-7d", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Enumeration of Kernel Modules via Proc", "new_terms_fields": ["host.id", "process.executable"], "query": "host.os.type:linux and event.category:file and event.action:\"opened-file\" and file.path:\"/proc/modules\" and\nnot process.name:(grep or python* or chef-client)\n", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "80084fa9-8677-4453-8680-b891d3c0c778", "setup": "## Setup\n\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n", "severity": "low", "tags": ["Data Source: Auditd Manager", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 106}, "id": "80084fa9-8677-4453-8680-b891d3c0c778_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_2.json b/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_2.json deleted file mode 100644 index 09c28c21963..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module using the /proc/modules filesystem. This filesystem is used by utilities such as lsmod and kmod to list the available kernel modules.", "false_positives": ["Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."], "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Kernel Modules via Proc", "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. 
\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "file where host.os.type == \"linux\" and event.action == \"opened-file\" and file.path == \"/proc/modules\" and not \n(\n process.name in (\"auditbeat\", \"kmod\", \"modprobe\", \"lsmod\", \"insmod\", \"modinfo\", \"rmmod\", \"SchedulerRunner\", \"grep\") or \n process.parent.pid == 1 or process.title : \"*grep*\"\n)\n", "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "process.title", "type": "keyword"}], "risk_score": 21, "rule_id": "80084fa9-8677-4453-8680-b891d3c0c778", "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "80084fa9-8677-4453-8680-b891d3c0c778_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_3.json b/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_3.json deleted file mode 100644 index 5b1adb66fde..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/80084fa9-8677-4453-8680-b891d3c0c778_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module using the /proc/modules filesystem. This filesystem is used by utilities such as lsmod and kmod to list the available kernel modules.", "false_positives": ["Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username."], "from": "now-119m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Kernel Modules via Proc", "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "file where host.os.type == \"linux\" and event.action == \"opened-file\" and file.path == \"/proc/modules\" and not \n(\n process.name in (\"auditbeat\", \"kmod\", \"modprobe\", \"lsmod\", \"insmod\", \"modinfo\", \"rmmod\", \"SchedulerRunner\", \"grep\") or \n process.parent.pid == 1 or process.title : \"*grep*\"\n)\n", "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "process.title", "type": "keyword"}], "risk_score": 21, "rule_id": "80084fa9-8677-4453-8680-b891d3c0c778", "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. 
The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "80084fa9-8677-4453-8680-b891d3c0c778_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/800e01be-a7a4-46d0-8de9-69f3c9582b44.json b/packages/security_detection_engine/kibana/security_rule/800e01be-a7a4-46d0-8de9-69f3c9582b44.json deleted file mode 100644 index c5f5e71b549..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/800e01be-a7a4-46d0-8de9-69f3c9582b44.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies processes running with unusual extensions that are not typically valid for Windows executables.", "from": "now-119m", "index": ["logs-endpoint.events.process-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Unusual Process Extension", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"?*\" and \n not process.name : (\"*.exe\", \"*.com\", \"*.scr\", \"*.tmp\", \"*.dat\") and\n not process.executable : \n (\n \"MemCompression\",\n \"Registry\",\n \"vmmem\",\n \"vmmemWSL\",\n \"?:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\*.p5x\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\com.docker.service\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Intel\\\\AGS\\\\Libs\\\\AGSRunner.bin\",\n \"\\\\Device\\\\Mup\\\\*\\\\Software Management\\\\Select.Html.dep\",\n \"?:\\\\DJJApplications\\\\MedicalRecords\\\\bin\\\\Select.Html.dep\",\n \"?:\\\\ProgramData\\\\Software Management\\\\Select.Html.dep\",\n \"?:\\\\Program Files (x86)\\\\EnCase Applications\\\\Examiner Service\\\\EnCase64\\\\enhkey.dll\",\n \"?:\\\\Program Files (x86)\\\\Panda Security\\\\WAC\\\\PSNAEInj64.dll\",\n \"?:\\\\Program Files (x86)\\\\Johnson Controls\\\\LicenseActivator\\\\crp32002.ngn\"\n ) and\n not (\n (process.name : \"C9632CF058AE4321B6B0B5EA39B710FE\" and process.code_signature.subject_name == \"Dell Inc\") or\n (process.name : \"*.upd\" and process.code_signature.subject_name == \"Bloomberg LP\") or\n (process.name: \"FD552E21-686E-413C-931D-3B82A9D29F3B\" and process.code_signature.subject_name: \"Adobe Inc.\") or\n (process.name: \"3B91051C-AE82-43C9-BCEF-0309CD2DD9EB\" and process.code_signature.subject_name: \"McAfee, LLC\") or\n (process.name: \"soffice.bin\" and process.code_signature.subject_name: \"The Document Foundation\") or\n (process.name: (\"VeeamVixProxy_*\", 
\"{????????-????-????-????-????????????}\") and process.code_signature.subject_name: \"Veeam Software Group GmbH\") or\n (process.name: \"1cv8p64.bin\" and process.code_signature.subject_name: \"LLC 1C-Soft\") or\n (process.name: \"AGSRunner.bin\" and process.code_signature.subject_name: \"Intel Corporation\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "800e01be-a7a4-46d0-8de9-69f3c9582b44", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.008", "name": "Masquerade File Type", "reference": "https://attack.mitre.org/techniques/T1036/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "800e01be-a7a4-46d0-8de9-69f3c9582b44", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/800e01be-a7a4-46d0-8de9-69f3c9582b44_1.json b/packages/security_detection_engine/kibana/security_rule/800e01be-a7a4-46d0-8de9-69f3c9582b44_1.json deleted file mode 100644 index 8cf8e6bcdcf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/800e01be-a7a4-46d0-8de9-69f3c9582b44_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies processes running with unusual extensions that are not typically valid for Windows executables.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Unusual Process Extension", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"?*\" and \n not process.name : (\"*.exe\", \"*.com\", \"*.scr\", \"*.tmp\", \"*.dat\") and\n not process.executable : \n (\n \"MemCompression\",\n \"Registry\",\n \"vmmem\",\n \"vmmemWSL\",\n \"?:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\*.p5x\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\com.docker.service\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Intel\\\\AGS\\\\Libs\\\\AGSRunner.bin\"\n ) and\n not (\n (process.name : \"C9632CF058AE4321B6B0B5EA39B710FE\" and process.code_signature.subject_name == \"Dell Inc\") or\n (process.name : \"*.upd\" and process.code_signature.subject_name == \"Bloomberg LP\") or\n (process.name: \"FD552E21-686E-413C-931D-3B82A9D29F3B\" and process.code_signature.subject_name: \"Adobe Inc.\") or\n (process.name: \"3B91051C-AE82-43C9-BCEF-0309CD2DD9EB\" and process.code_signature.subject_name: \"McAfee, LLC\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "800e01be-a7a4-46d0-8de9-69f3c9582b44", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule 
Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "800e01be-a7a4-46d0-8de9-69f3c9582b44_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/800e01be-a7a4-46d0-8de9-69f3c9582b44_2.json b/packages/security_detection_engine/kibana/security_rule/800e01be-a7a4-46d0-8de9-69f3c9582b44_2.json deleted file mode 100644 index c0a8a9925b0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/800e01be-a7a4-46d0-8de9-69f3c9582b44_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies processes running with unusual extensions that are not typically valid for Windows executables.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Unusual Process Extension", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"?*\" and \n not process.name : (\"*.exe\", \"*.com\", \"*.scr\", \"*.tmp\", \"*.dat\") and\n not process.executable : \n (\n \"MemCompression\",\n \"Registry\",\n \"vmmem\",\n \"vmmemWSL\",\n \"?:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\*.p5x\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\com.docker.service\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Intel\\\\AGS\\\\Libs\\\\AGSRunner.bin\"\n ) and\n not (\n (process.name : \"C9632CF058AE4321B6B0B5EA39B710FE\" and process.code_signature.subject_name == \"Dell Inc\") or\n (process.name : \"*.upd\" and process.code_signature.subject_name == \"Bloomberg LP\") or\n (process.name: \"FD552E21-686E-413C-931D-3B82A9D29F3B\" and process.code_signature.subject_name: \"Adobe Inc.\") or\n (process.name: \"3B91051C-AE82-43C9-BCEF-0309CD2DD9EB\" and process.code_signature.subject_name: \"McAfee, LLC\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "800e01be-a7a4-46d0-8de9-69f3c9582b44", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule 
Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.008", "name": "Masquerade File Type", "reference": "https://attack.mitre.org/techniques/T1036/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "800e01be-a7a4-46d0-8de9-69f3c9582b44_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/800e01be-a7a4-46d0-8de9-69f3c9582b44_3.json b/packages/security_detection_engine/kibana/security_rule/800e01be-a7a4-46d0-8de9-69f3c9582b44_3.json deleted file mode 100644 index 2988da08d4d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/800e01be-a7a4-46d0-8de9-69f3c9582b44_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies processes running with unusual extensions that are not typically valid for Windows executables.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Unusual Process Extension", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"?*\" and \n not process.name : (\"*.exe\", \"*.com\", \"*.scr\", \"*.tmp\", \"*.dat\") and\n not process.executable : \n (\n \"MemCompression\",\n \"Registry\",\n \"vmmem\",\n \"vmmemWSL\",\n \"?:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\*.p5x\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\com.docker.service\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Intel\\\\AGS\\\\Libs\\\\AGSRunner.bin\"\n ) and\n not (\n (process.name : \"C9632CF058AE4321B6B0B5EA39B710FE\" and process.code_signature.subject_name == \"Dell Inc\") or\n (process.name : \"*.upd\" and process.code_signature.subject_name == \"Bloomberg LP\") or\n (process.name: \"FD552E21-686E-413C-931D-3B82A9D29F3B\" and process.code_signature.subject_name: \"Adobe Inc.\") or\n (process.name: \"3B91051C-AE82-43C9-BCEF-0309CD2DD9EB\" and process.code_signature.subject_name: \"McAfee, LLC\") or\n (process.name: \"soffice.bin\" and process.code_signature.subject_name: \"The Document Foundation\") or\n (process.name: (\"VeeamVixProxy_*\", \"{????????-????-????-????-????????????}\") and process.code_signature.subject_name: \"Veeam Software Group GmbH\") or\n (process.name: \"1cv8p64.bin\" and process.code_signature.subject_name: \"LLC 1C-Soft\") or\n (process.name: \"AGSRunner.bin\" and process.code_signature.subject_name: \"Intel Corporation\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": 
"host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "800e01be-a7a4-46d0-8de9-69f3c9582b44", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.008", "name": "Masquerade File Type", "reference": "https://attack.mitre.org/techniques/T1036/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "800e01be-a7a4-46d0-8de9-69f3c9582b44_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8025db49-c57c-4fc0-bd86-7ccd6d10a35a.json b/packages/security_detection_engine/kibana/security_rule/8025db49-c57c-4fc0-bd86-7ccd6d10a35a.json deleted file mode 100644 index 75194f81a5d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8025db49-c57c-4fc0-bd86-7ccd6d10a35a.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies scripts that contain patterns and known methods that obfuscate PowerShell code. Attackers can use obfuscation techniques to bypass PowerShell security protections such as Antimalware Scan Interface (AMSI).", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential PowerShell Obfuscated Script", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[string]::join\" or\n \"-Join\" or\n \"[convert]::toint16\" or\n \"[char][int]$_\" or\n (\"ConvertTo-SecureString\" and \"PtrToStringAuto\") or\n \".GetNetworkCredential().password\" or\n \"-BXor\" or\n (\"replace\" and \"char\") or\n \"[array]::reverse\"\n ) and\n powershell.file.script_block_text : (\n (\"$pSHoMe[\" and \"+$pSHoMe[\") or\n (\"$ShellId[\" and \"+$ShellId[\") or\n (\"$env:ComSpec[4\" and \"25]-Join\") or\n ((\"Set-Variable\" or \"SV\" or \"Set-Item\") and \"OFS\") or\n (\"*MDR*\" and \"Name[3,11,2]\") or\n (\"$VerbosePreference\" and \"[1,3]+'X'-Join''\") or\n (\"rahc\" or \"ekovin\" or \"gnirts\" or \"ecnereferpesobrev\" or \"ecalper\" or \"cepsmoc\" or \"dillehs\")\n )\n", "references": ["https://github.com/danielbohannon/Invoke-Obfuscation"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "8025db49-c57c-4fc0-bd86-7ccd6d10a35a", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging 
(Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "8025db49-c57c-4fc0-bd86-7ccd6d10a35a", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8025db49-c57c-4fc0-bd86-7ccd6d10a35a_1.json b/packages/security_detection_engine/kibana/security_rule/8025db49-c57c-4fc0-bd86-7ccd6d10a35a_1.json deleted file mode 100644 index d3b259dd806..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8025db49-c57c-4fc0-bd86-7ccd6d10a35a_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies scripts that contain patterns and known methods that obfuscate PowerShell code. Attackers can use obfuscation techniques to bypass PowerShell security protections such as Antimalware Scan Interface (AMSI).", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential PowerShell Obfuscated Script", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[string]::join\" or\n \"-Join\" or\n \"[convert]::toint16\" or\n \"[char][int]$_\" or\n (\"ConvertTo-SecureString\" and \"PtrToStringAuto\") or\n \".GetNetworkCredential().password\" or\n \"-BXor\" or\n (\"replace\" and \"char\") or\n \"[array]::reverse\"\n ) and\n powershell.file.script_block_text : (\n (\"$pSHoMe[\" and \"+$pSHoMe[\") or\n (\"$ShellId[\" and \"+$ShellId[\") or\n (\"$env:ComSpec[4\" and \"25]-Join\") or\n ((\"Set-Variable\" or \"SV\" or \"Set-Item\") and \"OFS\") or\n (\"*MDR*\" and \"Name[3,11,2]\") or\n (\"$VerbosePreference\" and \"[1,3]+'X'-Join''\") or\n (\"rahc\" or \"ekovin\" or \"gnirts\" or \"ecnereferpesobrev\" or \"ecalper\" or \"cepsmoc\" or \"dillehs\")\n )\n", "references": ["https://github.com/danielbohannon/Invoke-Obfuscation"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "8025db49-c57c-4fc0-bd86-7ccd6d10a35a", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging 
(Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "8025db49-c57c-4fc0-bd86-7ccd6d10a35a_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8025db49-c57c-4fc0-bd86-7ccd6d10a35a_2.json b/packages/security_detection_engine/kibana/security_rule/8025db49-c57c-4fc0-bd86-7ccd6d10a35a_2.json deleted file mode 100644 index f32f07abed6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8025db49-c57c-4fc0-bd86-7ccd6d10a35a_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies scripts that contain patterns and known methods that obfuscate PowerShell code. Attackers can use obfuscation techniques to bypass PowerShell security protections such as Antimalware Scan Interface (AMSI).", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential PowerShell Obfuscated Script", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[string]::join\" or\n \"-Join\" or\n \"[convert]::toint16\" or\n \"[char][int]$_\" or\n (\"ConvertTo-SecureString\" and \"PtrToStringAuto\") or\n \".GetNetworkCredential().password\" or\n \"-BXor\" or\n (\"replace\" and \"char\") or\n \"[array]::reverse\"\n ) and\n powershell.file.script_block_text : (\n (\"$pSHoMe[\" and \"+$pSHoMe[\") or\n (\"$ShellId[\" and \"+$ShellId[\") or\n (\"$env:ComSpec[4\" and \"25]-Join\") or\n ((\"Set-Variable\" or \"SV\" or \"Set-Item\") and \"OFS\") or\n (\"*MDR*\" and \"Name[3,11,2]\") or\n (\"$VerbosePreference\" and \"[1,3]+'X'-Join''\") or\n (\"rahc\" or \"ekovin\" or \"gnirts\" or \"ecnereferpesobrev\" or \"ecalper\" or \"cepsmoc\" or \"dillehs\")\n )\n", "references": ["https://github.com/danielbohannon/Invoke-Obfuscation"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "8025db49-c57c-4fc0-bd86-7ccd6d10a35a", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging 
(Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "8025db49-c57c-4fc0-bd86-7ccd6d10a35a_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/804a7ac8-fc00-11ee-924b-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/804a7ac8-fc00-11ee-924b-f661ea17fbce.json deleted file mode 100644 index 6ed3e4bceeb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/804a7ac8-fc00-11ee-924b-f661ea17fbce.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the first occurrence of an AWS resource establishing a session via SSM to an EC2 instance. Adversaries may use AWS Systems Manager to establish a session to an EC2 instance to execute commands on the instance. This can be used to gain access to the instance and perform actions such as privilege escalation. This rule helps detect the first occurrence of this activity for a given AWS resource.", "false_positives": ["Legitimate use of AWS Systems Manager to establish a session to an EC2 instance."], "from": "now-60m", "history_window_start": "now-10d", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "SSM Session Started to EC2 Instance", "new_terms_fields": ["aws.cloudtrail.user_identity.arn"], "note": "## Triage and Analysis\n\n### Investigating SSM Session Started to EC2 Instance\n\nThis rule detects the first instance of an AWS resource initiating an SSM session to an EC2 instance, which could be indicative of legitimate administrative activities or potential malicious actions like command execution or lateral movement.\n\n#### Possible Investigation Steps\n\n- **Examine the Session Start Event**: Review the AWS CloudTrail log for the event.\n - Look for the `StartSession` action and verify details such as the `user_identity.arn`, `event.action`, and the target EC2 instance (`aws.cloudtrail.flattened.request_parameters`).\n- **Verify User Identity and Role**: Check the user\u2019s ARN and access key ID (`aws.cloudtrail.user_identity.access_key_id`).\n - Cross-reference this with IAM to verify if the user had the necessary permissions and if their role typically requires initiating SSM sessions.\n- **Assess Geographic and IP Context**: Analyze the source IP (`source.ip`) and geographic location (`source.geo`) from which the session was initiated.\n - Determine if these are consistent with typical user 
locations or if they raise suspicions of compromise or misuse.\n- **Review Session Details**: Examine details like the session ID and stream URL (`aws.cloudtrail.flattened.response_elements`) to understand the scope and nature of the session.\n - Check if any commands executed during the session were unauthorized or out of ordinary practices.\n- **Correlate with Other Security Events**: Look for other related security events around the time of the session start to identify any pattern or broader attack vector that may involve this user or EC2 instance.\n\n### False Positive Analysis\n\n- **Legitimate Administrative Activities**: Confirm whether the SSM session was initiated for valid administrative purposes such as system maintenance, patching, or configuration updates. Verify with the respective teams or personnel.\n\n### Response and Remediation\n\n- **Immediate Session Review**: If the session initiation seems suspicious, review all actions taken during the session.\n - If possible, terminate the session to prevent any potential harm.\n- **Validate and Reinforce Security Policies**: Ensure that policies around SSM session initiation are strict and adhere to the principle of least privilege.\n - Update IAM policies if necessary to tighten controls.\n- **Incident Response Activation**: If malicious intent or actions are confirmed, activate the incident response protocol.\n - This includes containment of the threat, eradication of the adversary\u2019s presence, recovery of affected systems, and a thorough investigation.\n- **Enhance Monitoring and Alerts**: Improve monitoring of SSM sessions, particularly focusing on sessions that involve sensitive or critical EC2 instances.\n - Adjust alerting mechanisms to flag unusual session initiations promptly.\n\n### Additional Information\n\nFor more in-depth understanding of managing SSM sessions and security best practices, refer to the [AWS Systems Manager 
documentation](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_StartSession.html). Additionally, consider the security implications and best practices outlined in [AWS SSM privilege escalation techniques](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc).\n\n", "query": "event.dataset:\"aws.cloudtrail\" and event.provider:\"ssm.amazonaws.com\"\n and event.action:\"StartSession\" and event.outcome:\"success\"\n", "references": ["https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_StartSession.html", "https://hackingthe.cloud/aws/post_exploitation/intercept_ssm_communications/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "804a7ac8-fc00-11ee-924b-f661ea17fbce", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS SSM", "Use Case: Threat Detection", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.007", "name": "Cloud Services", "reference": "https://attack.mitre.org/techniques/T1021/007/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "804a7ac8-fc00-11ee-924b-f661ea17fbce", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/808291d3-e918-4a3a-86cd-73052a0c9bdc.json b/packages/security_detection_engine/kibana/security_rule/808291d3-e918-4a3a-86cd-73052a0c9bdc.json deleted file mode 100644 index ef242ece036..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/808291d3-e918-4a3a-86cd-73052a0c9bdc.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the execution of the Microsoft Diagnostic Wizard to open a diagcab file from a suspicious path and with an unusual parent process. This may indicate an attempt to execute malicious Troubleshooting Pack Cabinet files.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Suspicious Troubleshooting Pack Cabinet Execution", "query": "process where host.os.type == \"windows\" and event.action == \"start\" and\n (process.name : \"msdt.exe\" or ?process.pe.original_file_name == \"msdt.exe\") and process.args : \"/cab\" and\n process.parent.name : (\n \"firefox.exe\", \"chrome.exe\", \"msedge.exe\", \"explorer.exe\", \"brave.exe\", \"whale.exe\", \"browser.exe\",\n \"dragon.exe\", \"vivaldi.exe\", \"opera.exe\", \"iexplore\", \"firefox.exe\", \"waterfox.exe\", \"iexplore.exe\",\n \"winrar.exe\", \"winrar.exe\", \"7zFM.exe\", \"outlook.exe\", \"winword.exe\", \"excel.exe\"\n ) and\n process.args : (\n \"?:\\\\Users\\\\*\",\n \"\\\\\\\\*\",\n \"http*\",\n \"ftp://*\"\n )\n", "references": ["https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "808291d3-e918-4a3a-86cd-73052a0c9bdc", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: 
Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "808291d3-e918-4a3a-86cd-73052a0c9bdc", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/808291d3-e918-4a3a-86cd-73052a0c9bdc_1.json b/packages/security_detection_engine/kibana/security_rule/808291d3-e918-4a3a-86cd-73052a0c9bdc_1.json deleted file mode 100644 index 771a50bf9f3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/808291d3-e918-4a3a-86cd-73052a0c9bdc_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the execution of the Microsoft Diagnostic Wizard to open a diagcab file from a suspicious path and with an unusual parent process. This may indicate an attempt to execute malicious Troubleshooting Pack Cabinet files.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Suspicious Troubleshooting Pack Cabinet Execution", "query": "process where host.os.type == \"windows\" and event.action == \"start\" and\n (process.name : \"msdt.exe\" or process.pe.original_file_name == \"msdt.exe\") and process.args : \"/cab\" and\n process.parent.name : (\n \"firefox.exe\", \"chrome.exe\", \"msedge.exe\", \"explorer.exe\", \"brave.exe\", \"whale.exe\", \"browser.exe\",\n \"dragon.exe\", \"vivaldi.exe\", \"opera.exe\", \"iexplore\", \"firefox.exe\", \"waterfox.exe\", \"iexplore.exe\",\n \"winrar.exe\", \"winrar.exe\", \"7zFM.exe\", \"outlook.exe\", \"winword.exe\", \"excel.exe\"\n ) and\n process.args : (\n \"?:\\\\Users\\\\*\",\n \"\\\\\\\\*\",\n \"http*\",\n \"ftp://*\"\n )\n", "references": ["https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "808291d3-e918-4a3a-86cd-73052a0c9bdc", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "808291d3-e918-4a3a-86cd-73052a0c9bdc_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/808291d3-e918-4a3a-86cd-73052a0c9bdc_2.json b/packages/security_detection_engine/kibana/security_rule/808291d3-e918-4a3a-86cd-73052a0c9bdc_2.json deleted file mode 100644 index c595889165c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/808291d3-e918-4a3a-86cd-73052a0c9bdc_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the execution of the Microsoft Diagnostic Wizard to open a diagcab file from a suspicious path and with an unusual parent process. This may indicate an attempt to execute malicious Troubleshooting Pack Cabinet files.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Suspicious Troubleshooting Pack Cabinet Execution", "query": "process where host.os.type == \"windows\" and event.action == \"start\" and\n (process.name : \"msdt.exe\" or ?process.pe.original_file_name == \"msdt.exe\") and process.args : \"/cab\" and\n process.parent.name : (\n \"firefox.exe\", \"chrome.exe\", \"msedge.exe\", \"explorer.exe\", \"brave.exe\", \"whale.exe\", \"browser.exe\",\n \"dragon.exe\", \"vivaldi.exe\", \"opera.exe\", \"iexplore\", \"firefox.exe\", \"waterfox.exe\", \"iexplore.exe\",\n \"winrar.exe\", \"winrar.exe\", \"7zFM.exe\", \"outlook.exe\", \"winword.exe\", \"excel.exe\"\n ) and\n process.args : (\n \"?:\\\\Users\\\\*\",\n \"\\\\\\\\*\",\n \"http*\",\n \"ftp://*\"\n )\n", "references": ["https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "808291d3-e918-4a3a-86cd-73052a0c9bdc", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: 
Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "808291d3-e918-4a3a-86cd-73052a0c9bdc_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/808291d3-e918-4a3a-86cd-73052a0c9bdc_3.json b/packages/security_detection_engine/kibana/security_rule/808291d3-e918-4a3a-86cd-73052a0c9bdc_3.json deleted file mode 100644 index 1c3a29d911b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/808291d3-e918-4a3a-86cd-73052a0c9bdc_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the execution of the Microsoft Diagnostic Wizard to open a diagcab file from a suspicious path and with an unusual parent process. This may indicate an attempt to execute malicious Troubleshooting Pack Cabinet files.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Suspicious Troubleshooting Pack Cabinet Execution", "query": "process where host.os.type == \"windows\" and event.action == \"start\" and\n (process.name : \"msdt.exe\" or ?process.pe.original_file_name == \"msdt.exe\") and process.args : \"/cab\" and\n process.parent.name : (\n \"firefox.exe\", \"chrome.exe\", \"msedge.exe\", \"explorer.exe\", \"brave.exe\", \"whale.exe\", \"browser.exe\",\n \"dragon.exe\", \"vivaldi.exe\", \"opera.exe\", \"iexplore\", \"firefox.exe\", \"waterfox.exe\", \"iexplore.exe\",\n \"winrar.exe\", \"winrar.exe\", \"7zFM.exe\", \"outlook.exe\", \"winword.exe\", \"excel.exe\"\n ) and\n process.args : (\n \"?:\\\\Users\\\\*\",\n \"\\\\\\\\*\",\n \"http*\",\n \"ftp://*\"\n )\n", "references": ["https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "808291d3-e918-4a3a-86cd-73052a0c9bdc", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: 
Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "808291d3-e918-4a3a-86cd-73052a0c9bdc_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276.json b/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276.json deleted file mode 100644 index 288507293ff..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).", "false_positives": ["New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."], "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_method_for_a_city", "name": "Unusual City For an AWS Command", "note": "## Triage and analysis\n\n### Investigating Unusual City For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys used by a threat actor in a different geography than the authorized user(s).\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. 
Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives can occur if activity is coming from new employees based in a city with no previous history in AWS.\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. 
If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "aws", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "809b70d3-e2c3-455e-af1b-2626a5a1a276", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS.\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### AWS Integration Setup\nThe AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"aws\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAWS\u201d and select the integration to see more details about it.\n- Click \u201cAdd AWS\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201caws\u201d to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws).\n", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"], "type": "machine_learning", "version": 209}, "id": "809b70d3-e2c3-455e-af1b-2626a5a1a276", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_104.json b/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_104.json deleted file mode 100644 index 40e3588b8b2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).", "false_positives": ["New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."], "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_method_for_a_city", "name": "Unusual City For an AWS Command", "note": "## Triage and analysis\n\n### Investigating Unusual City For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys used by a threat actor in a different geography than the authorized user(s).\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. 
Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives can occur if activity is coming from new employees based in a city with no previous history in AWS.\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. 
If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [], "risk_score": 21, "rule_id": "809b70d3-e2c3-455e-af1b-2626a5a1a276", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "ML", "Machine Learning", "Investigation Guide"], "type": "machine_learning", "version": 104}, "id": "809b70d3-e2c3-455e-af1b-2626a5a1a276_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_105.json b/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_105.json deleted file mode 100644 index f0804bf9c3b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).", "false_positives": ["New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."], "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_method_for_a_city", "name": "Unusual City For an AWS Command", "note": "## Triage and analysis\n\n### Investigating Unusual City For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys used by a threat actor in a different geography than the authorized user(s).\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. 
Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives can occur if activity is coming from new employees based in a city with no previous history in AWS.\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. 
If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [], "risk_score": 21, "rule_id": "809b70d3-e2c3-455e-af1b-2626a5a1a276", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"], "type": "machine_learning", "version": 105}, "id": "809b70d3-e2c3-455e-af1b-2626a5a1a276_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_106.json b/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_106.json deleted file mode 100644 index ccfca6299f6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).", "false_positives": ["New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."], "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_method_for_a_city", "name": "Unusual City For an AWS Command", "note": "## Triage and analysis\n\n### Investigating Unusual City For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys used by a threat actor in a different geography than the authorized user(s).\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. 
Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives can occur if activity is coming from new employees based in a city with no previous history in AWS.\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. 
If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "aws", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "809b70d3-e2c3-455e-af1b-2626a5a1a276", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"], "type": "machine_learning", "version": 106}, "id": "809b70d3-e2c3-455e-af1b-2626a5a1a276_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_107.json b/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_107.json deleted file mode 100644 index f9a49d9dd01..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_107.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).", "false_positives": ["New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."], "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_method_for_a_city", "name": "Unusual City For an AWS Command", "note": "## Triage and analysis\n\n### Investigating Unusual City For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys used by a threat actor in a different geography than the authorized user(s).\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. 
Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives can occur if activity is coming from new employees based in a city with no previous history in AWS.\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. 
If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "aws", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "809b70d3-e2c3-455e-af1b-2626a5a1a276", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"], "type": "machine_learning", "version": 107}, "id": "809b70d3-e2c3-455e-af1b-2626a5a1a276_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_208.json b/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_208.json
deleted file mode 100644
index 46da888d664..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/809b70d3-e2c3-455e-af1b-2626a5a1a276_208.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).", "false_positives": ["New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."], "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_method_for_a_city", "name": "Unusual City For an AWS Command", "note": "## Triage and analysis\n\n### Investigating Unusual City For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the command. This can be the result of compromised credentials or keys used by a threat actor in a different geography than the authorized user(s).\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. 
Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives can occur if activity is coming from new employees based in a city with no previous history in AWS.\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. 
If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "aws", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "809b70d3-e2c3-455e-af1b-2626a5a1a276", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"], "type": "machine_learning", "version": 208}, "id": "809b70d3-e2c3-455e-af1b-2626a5a1a276_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1.json b/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1.json
deleted file mode 100644
index 1e0580b610b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Process Injection - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 73, "rule_id": "80c52164-c82a-402c-9964-852533d58be1", "setup": "## Setup\n\nThis rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.\n\n**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. 
For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.\n\nTo make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.\n\n**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.", "severity": "high", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "80c52164-c82a-402c-9964-852533d58be1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1_100.json b/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1_100.json
deleted file mode 100644
index 788923c6947..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1_100.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Process Injection - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 73, "rule_id": "80c52164-c82a-402c-9964-852533d58be1", "severity": "high", "tags": ["Elastic", "Elastic Endgame", "Threat Detection", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "type": "query", "version": 100}, "id": "80c52164-c82a-402c-9964-852533d58be1_100", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1_101.json b/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1_101.json
deleted file mode 100644
index 2061c0c4fac..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1_101.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Process Injection - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 73, "rule_id": "80c52164-c82a-402c-9964-852533d58be1", "severity": "high", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "type": "query", "version": 101}, "id": "80c52164-c82a-402c-9964-852533d58be1_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1_102.json b/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1_102.json
deleted file mode 100644
index be63eacee60..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/80c52164-c82a-402c-9964-852533d58be1_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Process Injection - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 73, "rule_id": "80c52164-c82a-402c-9964-852533d58be1", "severity": "high", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "80c52164-c82a-402c-9964-852533d58be1_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/814d96c7-2068-42aa-ba8e-fe0ddd565e2e.json b/packages/security_detection_engine/kibana/security_rule/814d96c7-2068-42aa-ba8e-fe0ddd565e2e.json
deleted file mode 100644
index 69821065299..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/814d96c7-2068-42aa-ba8e-fe0ddd565e2e.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "An anomaly detection job has detected a remote file transfer with a rare extension, which could indicate potential lateral movement activity on the host.", "from": "now-90m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_rare_file_extension_remote_transfer", "name": "Unusual Remote File Extension", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "814d96c7-2068-42aa-ba8e-fe0ddd565e2e", "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- File events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 4}, "id": "814d96c7-2068-42aa-ba8e-fe0ddd565e2e", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/814d96c7-2068-42aa-ba8e-fe0ddd565e2e_1.json b/packages/security_detection_engine/kibana/security_rule/814d96c7-2068-42aa-ba8e-fe0ddd565e2e_1.json
deleted file mode 100644
index 495c46610a2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/814d96c7-2068-42aa-ba8e-fe0ddd565e2e_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "An anomaly detection job has detected a remote file transfer with a rare extension, which could indicate potential lateral movement activity on the host.", "from": "now-90m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_rare_file_extension_remote_transfer", "name": "Unusual Remote File Extension", "note": "", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "814d96c7-2068-42aa-ba8e-fe0ddd565e2e", "setup": "The Lateral Movement Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 1}, "id": "814d96c7-2068-42aa-ba8e-fe0ddd565e2e_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/814d96c7-2068-42aa-ba8e-fe0ddd565e2e_2.json b/packages/security_detection_engine/kibana/security_rule/814d96c7-2068-42aa-ba8e-fe0ddd565e2e_2.json
deleted file mode 100644
index 08ec83b3b7d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/814d96c7-2068-42aa-ba8e-fe0ddd565e2e_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "An anomaly detection job has detected a remote file transfer with a rare extension, which could indicate potential lateral movement activity on the host.", "from": "now-90m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_rare_file_extension_remote_transfer", "name": "Unusual Remote File Extension", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "814d96c7-2068-42aa-ba8e-fe0ddd565e2e", "setup": "The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- File events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your file events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 2}, "id": "814d96c7-2068-42aa-ba8e-fe0ddd565e2e_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/814d96c7-2068-42aa-ba8e-fe0ddd565e2e_3.json b/packages/security_detection_engine/kibana/security_rule/814d96c7-2068-42aa-ba8e-fe0ddd565e2e_3.json
deleted file mode 100644
index adcb37e03f4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/814d96c7-2068-42aa-ba8e-fe0ddd565e2e_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "An anomaly detection job has detected a remote file transfer with a rare extension, which could indicate potential lateral movement activity on the host.", "from": "now-90m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_rare_file_extension_remote_transfer", "name": "Unusual Remote File Extension", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "814d96c7-2068-42aa-ba8e-fe0ddd565e2e", "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- File events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your file events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 3}, "id": "814d96c7-2068-42aa-ba8e-fe0ddd565e2e_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6.json b/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6.json deleted file mode 100644 index a30edc5e5d6..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable PowerShell Script Block Logging via registry modification. Attackers may disable this logging to conceal their activities in the host and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "PowerShell Script Block Logging Disabled", "note": "## Triage and analysis\n\n### Investigating PowerShell Script Block Logging Disabled\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available in various environments and creating an attractive way for attackers to execute code.\n\nPowerShell Script Block Logging is a feature of PowerShell that records the content of all script blocks that it processes, giving defenders visibility of PowerShell scripts and sequences of executed commands.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense for the user to use PowerShell to complete tasks.\n- Investigate if PowerShell scripts were run after logging was disabled.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\"\n ) and registry.data.strings : (\"0\", \"0x00000000\")\n", "references": ["https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "818e23e6-2094-4f0e-8c01-22d30f3506c6", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", 
"subtechnique": [{"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "818e23e6-2094-4f0e-8c01-22d30f3506c6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_104.json b/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_104.json
deleted file mode 100644
index ee1e96956a9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable PowerShell Script Block Logging via registry modification. Attackers may disable this logging to conceal their activities in the host and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "PowerShell Script Block Logging Disabled", "note": "## Triage and analysis\n\n### Investigating PowerShell Script Block Logging Disabled\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available in various environments and creating an attractive way for attackers to execute code.\n\nPowerShell Script Block Logging is a feature of PowerShell that records the content of all script blocks that it processes, giving defenders visibility of PowerShell scripts and sequences of executed commands.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense for the user to use PowerShell to complete tasks.\n- Investigate if PowerShell scripts were run after logging was disabled.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\"\n ) and registry.data.strings : (\"0\", \"0x00000000\")\n", "references": ["https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "818e23e6-2094-4f0e-8c01-22d30f3506c6", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", 
"version": 104}, "id": "818e23e6-2094-4f0e-8c01-22d30f3506c6_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_105.json b/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_105.json
deleted file mode 100644
index 968e872f469..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable PowerShell Script Block Logging via registry modification. Attackers may disable this logging to conceal their activities in the host and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "PowerShell Script Block Logging Disabled", "note": "## Triage and analysis\n\n### Investigating PowerShell Script Block Logging Disabled\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available in various environments and creating an attractive way for attackers to execute code.\n\nPowerShell Script Block Logging is a feature of PowerShell that records the content of all script blocks that it processes, giving defenders visibility of PowerShell scripts and sequences of executed commands.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense for the user to use PowerShell to complete tasks.\n- Investigate if PowerShell scripts were run after logging was disabled.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\"\n ) and registry.data.strings : (\"0\", \"0x00000000\")\n", "references": ["https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "818e23e6-2094-4f0e-8c01-22d30f3506c6", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}]}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "818e23e6-2094-4f0e-8c01-22d30f3506c6_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_106.json b/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_106.json
deleted file mode 100644
index e114ca5b030..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable PowerShell Script Block Logging via registry modification. Attackers may disable this logging to conceal their activities in the host and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "PowerShell Script Block Logging Disabled", "note": "## Triage and analysis\n\n### Investigating PowerShell Script Block Logging Disabled\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available in various environments and creating an attractive way for attackers to execute code.\n\nPowerShell Script Block Logging is a feature of PowerShell that records the content of all script blocks that it processes, giving defenders visibility of PowerShell scripts and sequences of executed commands.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense for the user to use PowerShell to complete tasks.\n- Investigate if PowerShell scripts were run after logging was disabled.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\"\n ) and registry.data.strings : (\"0\", \"0x00000000\")\n", "references": ["https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "818e23e6-2094-4f0e-8c01-22d30f3506c6", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": 
"https://attack.mitre.org/techniques/T1562/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "818e23e6-2094-4f0e-8c01-22d30f3506c6_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_107.json b/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_107.json
deleted file mode 100644
index 6278cbe2c1f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable PowerShell Script Block Logging via registry modification. Attackers may disable this logging to conceal their activities in the host and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "PowerShell Script Block Logging Disabled", "note": "## Triage and analysis\n\n### Investigating PowerShell Script Block Logging Disabled\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available in various environments and creating an attractive way for attackers to execute code.\n\nPowerShell Script Block Logging is a feature of PowerShell that records the content of all script blocks that it processes, giving defenders visibility of PowerShell scripts and sequences of executed commands.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense for the user to use PowerShell to complete tasks.\n- Investigate if PowerShell scripts were run after logging was disabled.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\"\n ) and registry.data.strings : (\"0\", \"0x00000000\")\n", "references": ["https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "818e23e6-2094-4f0e-8c01-22d30f3506c6", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": 
"https://attack.mitre.org/techniques/T1562/002/"}]}, {"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "818e23e6-2094-4f0e-8c01-22d30f3506c6_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_108.json b/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_108.json
deleted file mode 100644
index 74c327ccb57..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable PowerShell Script Block Logging via registry modification. Attackers may disable this logging to conceal their activities in the host and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "PowerShell Script Block Logging Disabled", "note": "## Triage and analysis\n\n### Investigating PowerShell Script Block Logging Disabled\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available in various environments and creating an attractive way for attackers to execute code.\n\nPowerShell Script Block Logging is a feature of PowerShell that records the content of all script blocks that it processes, giving defenders visibility of PowerShell scripts and sequences of executed commands.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense for the user to use PowerShell to complete tasks.\n- Investigate if PowerShell scripts were run after logging was disabled.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\"\n ) and registry.data.strings : (\"0\", \"0x00000000\")\n", "references": ["https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "818e23e6-2094-4f0e-8c01-22d30f3506c6", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": 
"https://attack.mitre.org/techniques/T1562/002/"}]}, {"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "818e23e6-2094-4f0e-8c01-22d30f3506c6_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_109.json b/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_109.json deleted file mode 100644 index f275bf66ba2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable PowerShell Script Block Logging via registry modification. Attackers may disable this logging to conceal their activities in the host and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "PowerShell Script Block Logging Disabled", "note": "## Triage and analysis\n\n### Investigating PowerShell Script Block Logging Disabled\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available in various environments and creating an attractive way for attackers to execute code.\n\nPowerShell Script Block Logging is a feature of PowerShell that records the content of all script blocks that it processes, giving defenders visibility of PowerShell scripts and sequences of executed commands.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense for the user to use PowerShell to complete tasks.\n- Investigate if PowerShell scripts were run after logging was disabled.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\"\n ) and registry.data.strings : (\"0\", \"0x00000000\")\n", "references": ["https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "818e23e6-2094-4f0e-8c01-22d30f3506c6", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": 
"https://attack.mitre.org/techniques/T1562/002/"}]}, {"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "818e23e6-2094-4f0e-8c01-22d30f3506c6_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_110.json b/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_110.json deleted file mode 100644 index 0882500de6c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/818e23e6-2094-4f0e-8c01-22d30f3506c6_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable PowerShell Script Block Logging via registry modification. Attackers may disable this logging to conceal their activities in the host and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "PowerShell Script Block Logging Disabled", "note": "## Triage and analysis\n\n### Investigating PowerShell Script Block Logging Disabled\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available in various environments and creating an attractive way for attackers to execute code.\n\nPowerShell Script Block Logging is a feature of PowerShell that records the content of all script blocks that it processes, giving defenders visibility of PowerShell scripts and sequences of executed commands.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether it makes sense for the user to use PowerShell to complete tasks.\n- Investigate if PowerShell scripts were run after logging was disabled.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n- PowerShell Suspicious Script with Audio Capture Capabilities - 2f2f4939-0b34-40c2-a0a3-844eb7889f43\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell Suspicious Script with Screenshot Capabilities - 959a7353-1129-4aa7-9084-30746b256a70\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows\\\\PowerShell\\\\ScriptBlockLogging\\\\EnableScriptBlockLogging\"\n ) and registry.data.strings : (\"0\", \"0x00000000\")\n", "references": ["https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableScriptBlockLogging"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "818e23e6-2094-4f0e-8c01-22d30f3506c6", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", 
"subtechnique": [{"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "818e23e6-2094-4f0e-8c01-22d30f3506c6_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a.json b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a.json deleted file mode 100644 index d46fbc13bf4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.", "false_positives": ["Legitimate PowerShell Scripts which makes use of compression and encoding."], "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\\*"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Payload Encoded and Compressed", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"System.IO.Compression.DeflateStream\" or\n \"System.IO.Compression.GzipStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GzipStream\"\n ) and\n FromBase64String\n ) and\n not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: 
Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 212}, "id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_105.json b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_105.json deleted file mode 100644 index 2ec0db6f30d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.", "false_positives": ["Legitimate PowerShell Scripts which makes use of compression and encoding."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Payload Encoded and Compressed", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. 
As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"System.IO.Compression.DeflateStream\" or\n \"System.IO.Compression.GzipStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GzipStream\"\n ) and\n FromBase64String\n ) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "PowerShell"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": 
"https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_106.json b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_106.json deleted file mode 100644 index 27e386cb1b7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.", "false_positives": ["Legitimate PowerShell Scripts which makes use of compression and encoding."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Payload Encoded and Compressed", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"System.IO.Compression.DeflateStream\" or\n \"System.IO.Compression.GzipStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GzipStream\"\n ) and\n FromBase64String\n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "PowerShell"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_107.json b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_107.json deleted file mode 100644 index edd8cf9c644..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.", "false_positives": ["Legitimate PowerShell Scripts which makes use of compression and encoding."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Payload Encoded and Compressed", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"System.IO.Compression.DeflateStream\" or\n \"System.IO.Compression.GzipStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GzipStream\"\n ) and\n FromBase64String\n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_108.json b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_108.json deleted file mode 100644 index 0f6c6187659..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.", "false_positives": ["Legitimate PowerShell Scripts which makes use of compression and encoding."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Payload Encoded and Compressed", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"System.IO.Compression.DeflateStream\" or\n \"System.IO.Compression.GzipStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GzipStream\"\n ) and\n FromBase64String\n ) and not \n (user.id:(\"S-1-5-18\" or \"S-1-5-19\") and\n file.directory: \"C:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\")\n and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via 
registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_109.json b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_109.json deleted file mode 100644 index d82d98d54af..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.", "false_positives": ["Legitimate PowerShell Scripts which makes use of compression and encoding."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Payload Encoded and Compressed", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"System.IO.Compression.DeflateStream\" or\n \"System.IO.Compression.GzipStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GzipStream\"\n ) and\n FromBase64String\n ) and\n not file.path: ?\\:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows?Defender?Advanced?Threat?Protection\\\\\\\\Downloads\\\\\\\\* and\n not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 109}, "id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_110.json b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_110.json deleted file mode 100644 index 9a2d061c8f0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.", "false_positives": ["Legitimate PowerShell Scripts which makes use of compression and encoding."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Payload Encoded and Compressed", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"System.IO.Compression.DeflateStream\" or\n \"System.IO.Compression.GzipStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GzipStream\"\n ) and\n FromBase64String\n ) and\n not file.path: ?\\:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows?Defender?Advanced?Threat?Protection\\\\\\\\Downloads\\\\\\\\* and\n not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a", "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 110}, "id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_111.json b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_111.json deleted file mode 100644 index 5795bb29a49..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.", "false_positives": ["Legitimate PowerShell Scripts which makes use of compression and encoding."], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Payload Encoded and Compressed", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"System.IO.Compression.DeflateStream\" or\n \"System.IO.Compression.GzipStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GzipStream\"\n ) and\n FromBase64String\n ) and\n not file.path: ?\\:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows?Defender?Advanced?Threat?Protection\\\\\\\\Downloads\\\\\\\\* and\n not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 111}, "id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_211.json b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_211.json deleted file mode 100644 index d4d31c1fdf2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_211.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.", "false_positives": ["Legitimate PowerShell Scripts which makes use of compression and encoding."], "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\\*"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Payload Encoded and Compressed", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"System.IO.Compression.DeflateStream\" or\n \"System.IO.Compression.GzipStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GzipStream\"\n ) and\n FromBase64String\n ) and\n not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: 
Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 211}, "id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a_211", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_212.json b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_212.json
deleted file mode 100644
index 5bb59373b04..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_212.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.", "false_positives": ["Legitimate PowerShell Scripts which makes use of compression and encoding."], "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\\*"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Payload Encoded and Compressed", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"System.IO.Compression.DeflateStream\" or\n \"System.IO.Compression.GzipStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GzipStream\"\n ) and\n FromBase64String\n ) and\n not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: 
Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 212}, "id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a_212", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_213.json b/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_213.json
deleted file mode 100644
index 970fd583665..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/81fe9dc6-a2d7-4192-a2d8-eed98afc766a_213.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses.", "false_positives": ["Legitimate PowerShell Scripts which makes use of compression and encoding."], "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\\*"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Payload Encoded and Compressed", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Payload Encoded and Compressed\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can embed compressed and encoded payloads in scripts to load directly into the memory without touching the disk. This strategy can circumvent string and file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"System.IO.Compression.DeflateStream\" or\n \"System.IO.Compression.GzipStream\" or\n \"IO.Compression.DeflateStream\" or\n \"IO.Compression.GzipStream\"\n ) and\n FromBase64String\n ) and\n not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: 
Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 213}, "id": "81fe9dc6-a2d7-4192-a2d8-eed98afc766a_213", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe.json b/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe.json
deleted file mode 100644
index 1a0d1239340..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the creation and deletion of a scheduled task within a short time interval. Adversaries can use these to proxy malicious execution via the schedule service and perform clean up.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Temporarily Scheduled Task Creation", "query": "sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m\n [iam where event.action == \"scheduled-task-created\" and not user.name : \"*$\"]\n [iam where event.action == \"scheduled-task-deleted\" and not user.name : \"*$\"]\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TaskName", "type": "unknown"}], "risk_score": 47, "rule_id": "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": 
"Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 8}, "id": "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_4.json b/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_4.json deleted file mode 100644 index be4212377c8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the creation and deletion of a scheduled task within a short time interval. Adversaries can use these to proxy malicious execution via the schedule service and perform clean up.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Temporarily Scheduled Task Creation", "query": "sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m\n [iam where host.os.type == \"windows\" and event.action == \"scheduled-task-created\" and not user.name : \"*$\"]\n [iam where host.os.type == \"windows\" and event.action == \"scheduled-task-deleted\" and not user.name : \"*$\"]\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TaskName", "type": "unknown"}], "risk_score": 47, "rule_id": "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", 
"version": 4}, "id": "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_5.json b/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_5.json deleted file mode 100644 index a094993d8b2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the creation and deletion of a scheduled task within a short time interval. Adversaries can use these to proxy malicious execution via the schedule service and perform clean up.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Temporarily Scheduled Task Creation", "query": "sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m\n [iam where event.action == \"scheduled-task-created\" and not user.name : \"*$\"]\n [iam where event.action == \"scheduled-task-deleted\" and not user.name : \"*$\"]\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TaskName", "type": "unknown"}], "risk_score": 47, "rule_id": "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 5}, "id": "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_5", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_6.json b/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_6.json
deleted file mode 100644
index 4c4bc8ce756..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the creation and deletion of a scheduled task within a short time interval. Adversaries can use these to proxy malicious execution via the schedule service and perform clean up.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Temporarily Scheduled Task Creation", "query": "sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m\n [iam where event.action == \"scheduled-task-created\" and not user.name : \"*$\"]\n [iam where event.action == \"scheduled-task-deleted\" and not user.name : \"*$\"]\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TaskName", "type": "unknown"}], "risk_score": 47, "rule_id": "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 6}, "id": "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_6", "type": "security-rule"} \ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_7.json b/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_7.json
deleted file mode 100644
index e8797b367e2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the creation and deletion of a scheduled task within a short time interval. Adversaries can use these to proxy malicious execution via the schedule service and perform clean up.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Temporarily Scheduled Task Creation", "query": "sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m\n [iam where event.action == \"scheduled-task-created\" and not user.name : \"*$\"]\n [iam where event.action == \"scheduled-task-deleted\" and not user.name : \"*$\"]\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TaskName", "type": "unknown"}], "risk_score": 47, "rule_id": "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": 
"https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 7}, "id": "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_8.json b/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_8.json deleted file mode 100644 index eb79205ac82..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the creation and deletion of a scheduled task within a short time interval. Adversaries can use these to proxy malicious execution via the schedule service and perform clean up.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Temporarily Scheduled Task Creation", "query": "sequence by winlog.computer_name, winlog.event_data.TaskName with maxspan=5m\n [iam where event.action == \"scheduled-task-created\" and not user.name : \"*$\"]\n [iam where event.action == \"scheduled-task-deleted\" and not user.name : \"*$\"]\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TaskName", "type": "unknown"}], "risk_score": 47, "rule_id": "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": 
"Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 8}, "id": "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe_8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b.json b/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b.json deleted file mode 100644 index 51d5dc0d8ef..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Apple Scripting Execution with Administrator Privileges", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*with administrator privileges\" and\n not process.parent.name : \"Electron\" and\n not process.Ext.effective_parent.executable : (\"/Applications/Visual Studio Code.app/Contents/MacOS/Electron\",\n \"/Applications/OpenVPN Connect/Uninstall OpenVPN Connect.app/Contents/MacOS/uninstaller\")\n", "references": ["https://discussions.apple.com/thread/2266150"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 207}, "id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_102.json b/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_102.json deleted file mode 100644 index 01e385c7893..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Apple Scripting Execution with Administrator Privileges", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*with administrator privileges\"\n", "references": ["https://discussions.apple.com/thread/2266150"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Execution", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": 
"https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_103.json b/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_103.json deleted file mode 100644 index e61a9e6ffa6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Apple Scripting Execution with Administrator Privileges", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*with administrator privileges\"\n", "references": ["https://discussions.apple.com/thread/2266150"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and 
Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_104.json b/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_104.json deleted file mode 100644 index fb2595cc417..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Apple Scripting Execution with Administrator Privileges", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*with administrator privileges\"\n", "references": ["https://discussions.apple.com/thread/2266150"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": 
"T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_105.json b/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_105.json deleted file mode 100644 index 4cdab5d2d81..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Apple Scripting Execution with Administrator Privileges", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*with administrator privileges\"\n", "references": ["https://discussions.apple.com/thread/2266150"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": 
"https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_106.json b/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_106.json deleted file mode 100644 index 310fc9b193c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Apple Scripting Execution with Administrator Privileges", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*with administrator privileges\"\n", "references": ["https://discussions.apple.com/thread/2266150"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_107.json b/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_107.json deleted file mode 100644 index f297a5b0bf5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/827f8d8f-4117-4ae4-b551-f56d54b9da6b_107.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Apple Scripting Execution with Administrator Privileges", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*with administrator privileges\"\n", "references": ["https://discussions.apple.com/thread/2266150"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "827f8d8f-4117-4ae4-b551-f56d54b9da6b_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1.json b/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1.json
deleted file mode 100644
index bdb41bd7d18..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a set of customly crafted passwords in an attempt to gain access to these accounts.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Local Account Brute Force Detected", "query": "sequence by host.id, process.parent.executable, user.id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name == \"su\" and \n not process.parent.name in (\n \"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"clickhouse-server\", \"ma\", \"gitlab-runner\",\n \"updatedb.findutils\", \"cron\"\n )\n ] with runs=10\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "835c0622-114e-40b5-a346-f843ea5d01f1", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}]}]}], "type": "eql", "version": 6}, "id": "835c0622-114e-40b5-a346-f843ea5d01f1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_1.json b/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_1.json
deleted file mode 100644
index 41ac4a11ad0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a set of customly crafted passwords in an attempt to gain access to these accounts.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Local Account Brute Force Detected", "query": "sequence by host.id, process.parent.executable, user.name with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and \n event.action == \"exec\" and process.name == \"su\" ] with runs=10\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "835c0622-114e-40b5-a346-f843ea5d01f1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}]}]}], "type": "eql", "version": 1}, "id": "835c0622-114e-40b5-a346-f843ea5d01f1_1", "type": "security-rule"}
\ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_2.json b/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_2.json
deleted file mode 100644
index a5e9ea75c38..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a set of customly crafted passwords in an attempt to gain access to these accounts.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Local Account Brute Force Detected", "query": "sequence by host.id, process.parent.executable, user.id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name == \"su\" and \n not process.parent.name in (\n \"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"clickhouse-server\"\n )] with runs=10\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "835c0622-114e-40b5-a346-f843ea5d01f1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", 
"subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}]}]}], "type": "eql", "version": 2}, "id": "835c0622-114e-40b5-a346-f843ea5d01f1_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_3.json b/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_3.json deleted file mode 100644 index fbe6797f230..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_3.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a set of customly crafted passwords in an attempt to gain access to these accounts.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Local Account Brute Force Detected", "query": "sequence by host.id, process.parent.executable, user.id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name == \"su\" and \n not process.parent.name in (\n \"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"clickhouse-server\"\n )] with runs=10\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "835c0622-114e-40b5-a346-f843ea5d01f1", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}]}]}], "type": "eql", "version": 3}, "id": "835c0622-114e-40b5-a346-f843ea5d01f1_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_4.json b/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_4.json
deleted file mode 100644
index 9737d780e86..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a set of customly crafted passwords in an attempt to gain access to these accounts.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Local Account Brute Force Detected", "query": "sequence by host.id, process.parent.executable, user.id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name == \"su\" and \n not process.parent.name in (\n \"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"clickhouse-server\"\n )] with runs=10\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "835c0622-114e-40b5-a346-f843ea5d01f1", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}]}]}], "type": "eql", "version": 4}, "id": "835c0622-114e-40b5-a346-f843ea5d01f1_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_5.json b/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_5.json
deleted file mode 100644
index 589624bbc58..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a set of customly crafted passwords in an attempt to gain access to these accounts.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Local Account Brute Force Detected", "query": "sequence by host.id, process.parent.executable, user.id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name == \"su\" and \n not process.parent.name in (\n \"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"clickhouse-server\", \"ma\", \"gitlab-runner\",\n \"updatedb.findutils\", \"cron\"\n )\n ] with runs=10\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "835c0622-114e-40b5-a346-f843ea5d01f1", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}]}]}], "type": "eql", "version": 5}, "id": "835c0622-114e-40b5-a346-f843ea5d01f1_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_6.json b/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_6.json
deleted file mode 100644
index 740bd250b65..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/835c0622-114e-40b5-a346-f843ea5d01f1_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies multiple consecutive login attempts executed by one process targeting a local linux user account within a short time interval. Adversaries might brute force login attempts across different users with a default wordlist or a set of customly crafted passwords in an attempt to gain access to these accounts.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Local Account Brute Force Detected", "query": "sequence by host.id, process.parent.executable, user.id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name == \"su\" and \n not process.parent.name in (\n \"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"clickhouse-server\", \"ma\", \"gitlab-runner\",\n \"updatedb.findutils\", \"cron\"\n )\n ] with runs=10\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "835c0622-114e-40b5-a346-f843ea5d01f1", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}]}]}], "type": "eql", "version": 6}, "id": "835c0622-114e-40b5-a346-f843ea5d01f1_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/83a1931d-8136-46fc-b7b9-2db4f639e014.json b/packages/security_detection_engine/kibana/security_rule/83a1931d-8136-46fc-b7b9-2db4f639e014.json
deleted file mode 100644
index 3c8a842e94c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/83a1931d-8136-46fc-b7b9-2db4f639e014.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies the deletion of Azure Kubernetes Pods. Adversaries may delete a Kubernetes pod to disrupt the normal behavior of the environment.", "false_positives": ["Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Pods deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Kubernetes Pods Deleted", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE\" and\nevent.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "83a1931d-8136-46fc-b7b9-2db4f639e014", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Asset Visibility", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "83a1931d-8136-46fc-b7b9-2db4f639e014", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/83a1931d-8136-46fc-b7b9-2db4f639e014_101.json b/packages/security_detection_engine/kibana/security_rule/83a1931d-8136-46fc-b7b9-2db4f639e014_101.json
deleted file mode 100644
index e051dbedc1f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/83a1931d-8136-46fc-b7b9-2db4f639e014_101.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies the deletion of Azure Kubernetes Pods. Adversaries may delete a Kubernetes pod to disrupt the normal behavior of the environment.", "false_positives": ["Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Pods deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Kubernetes Pods Deleted", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE\" and\nevent.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "83a1931d-8136-46fc-b7b9-2db4f639e014", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Asset Visibility"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "83a1931d-8136-46fc-b7b9-2db4f639e014_101", "type": "security-rule"} \ No newline at end of 
file
diff --git a/packages/security_detection_engine/kibana/security_rule/83bf249e-4348-47ba-9741-1202a09556ad_101.json b/packages/security_detection_engine/kibana/security_rule/83bf249e-4348-47ba-9741-1202a09556ad_101.json
deleted file mode 100644
index c5b754dbdf2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/83bf249e-4348-47ba-9741-1202a09556ad_101.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of PowerShell with suspicious argument values. This behavior is often observed during malware installation leveraging PowerShell.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "logs-system.security*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Windows Powershell Arguments", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"powershell.exe\" and \n (\n process.command_line :\n (\n \"*^*^*^*^*^*^*^*^*^*\",\n \"*`*`*`*`*\",\n \"*+*+*+*+*+*+*\",\n \"*[char[]](*)*-join*\",\n \"*Base64String*\",\n \"*[*Convert]*\",\n \"*.Compression.*\",\n \"*-join($*\",\n \"*.replace*\",\n \"*MemoryStream*\",\n \"*WriteAllBytes*\",\n \"* -enc *\",\n \"* -ec *\",\n \"* /e *\",\n \"* /enc *\",\n \"* /ec *\",\n \"*WebClient*\",\n \"*DownloadFile*\",\n \"*DownloadString*\",\n \"* iex*\",\n \"* iwr*\",\n \"*Reflection.Assembly*\",\n \"*Assembly.GetType*\",\n \"*$env:temp\\\\*start*\",\n \"*powercat*\",\n \"*nslookup -q=txt*\",\n \"*$host.UI.PromptForCredential*\",\n \"*Net.Sockets.TCPClient*\",\n \"*curl *;Start*\",\n \"powershell.exe \\\"<#*\",\n \"*ssh -p *\",\n \"*http*|iex*\",\n \"*@SSL\\\\DavWWWRoot\\\\*.ps1*\",\n \"*.lnk*.Seek(0x*\",\n \"*[string]::join(*\",\n \"*[Array]::Reverse($*\",\n \"* hidden $(gc *\",\n \"*=wscri& set*\",\n \"*http'+'s://*\",\n \"*.content|i''Ex*\",\n \"*//:sptth*\",\n \"*//:ptth*\",\n \"*$*=Get-Content*AppData*.SubString(*$*\",\n \"*=cat *AppData*.substring(*);*$*\"\n ) or\n\n (process.args : \"-c\" and process.args : \"&{'*\") or\n\n (process.args : \"-Outfile\" and process.args : \"Start*\") or\n\n (process.args : \"-bxor\" and process.args : \"0x*\") or\n\n process.args : \"$*$*;set-alias\" or\n\n (process.parent.name : (\"explorer.exe\", \"cmd.exe\") and \n 
process.command_line : (\"*-encodedCommand*\", \"*Invoke-webrequest*\", \"*WebClient*\", \"*Reflection.Assembly*\"))\n )\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "83bf249e-4348-47ba-9741-1202a09556ad", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: System", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 101}, "id": "83bf249e-4348-47ba-9741-1202a09556ad_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/83bf249e-4348-47ba-9741-1202a09556ad_201.json b/packages/security_detection_engine/kibana/security_rule/83bf249e-4348-47ba-9741-1202a09556ad_201.json deleted file mode 100644 index adcf8b7880e..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/83bf249e-4348-47ba-9741-1202a09556ad_201.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of PowerShell with suspicious argument values. This behavior is often observed during malware installation leveraging PowerShell.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "logs-system.security*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Windows Powershell Arguments", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"powershell.exe\" and \n (\n process.command_line :\n (\n \"*^*^*^*^*^*^*^*^*^*\",\n \"*`*`*`*`*\",\n \"*+*+*+*+*+*+*\",\n \"*[char[]](*)*-join*\",\n \"*Base64String*\",\n \"*[*Convert]*\",\n \"*.Compression.*\",\n \"*-join($*\",\n \"*.replace*\",\n \"*MemoryStream*\",\n \"*WriteAllBytes*\",\n \"* -enc *\",\n \"* -ec *\",\n \"* /e *\",\n \"* /enc *\",\n \"* /ec *\",\n \"*WebClient*\",\n \"*DownloadFile*\",\n \"*DownloadString*\",\n \"* iex*\",\n \"* iwr*\",\n \"*Reflection.Assembly*\",\n \"*Assembly.GetType*\",\n \"*$env:temp\\\\*start*\",\n \"*powercat*\",\n \"*nslookup -q=txt*\",\n \"*$host.UI.PromptForCredential*\",\n \"*Net.Sockets.TCPClient*\",\n \"*curl *;Start*\",\n \"powershell.exe \\\"<#*\",\n \"*ssh -p *\",\n \"*http*|iex*\",\n \"*@SSL\\\\DavWWWRoot\\\\*.ps1*\",\n \"*.lnk*.Seek(0x*\",\n \"*[string]::join(*\",\n \"*[Array]::Reverse($*\",\n \"* hidden $(gc *\",\n \"*=wscri& set*\",\n \"*http'+'s://*\",\n \"*.content|i''Ex*\",\n \"*//:sptth*\",\n \"*//:ptth*\",\n \"*$*=Get-Content*AppData*.SubString(*$*\",\n \"*=cat *AppData*.substring(*);*$*\"\n ) or\n\n (process.args : \"-c\" and process.args : \"&{'*\") or\n\n (process.args : \"-Outfile\" and process.args : \"Start*\") or\n\n (process.args : \"-bxor\" and process.args : \"0x*\") or\n\n process.args : \"$*$*;set-alias\" or\n\n (process.parent.name : (\"explorer.exe\", \"cmd.exe\") and \n 
process.command_line : (\"*-encodedCommand*\", \"*Invoke-webrequest*\", \"*WebClient*\", \"*Reflection.Assembly*\"))\n )\n", "related_integrations": [{"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "83bf249e-4348-47ba-9741-1202a09556ad", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: System", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 201}, "id": "83bf249e-4348-47ba-9741-1202a09556ad_201", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f.json b/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f.json deleted file mode 100644 index 77a3a1070b2..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Disable IPTables or Firewall", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\n (\n /* disable FW */\n (\n (process.name == \"ufw\" and process.args == \"disable\") or\n (process.name == \"iptables\" and process.args in (\"-F\", \"--flush\", \"-X\", \"--delete-chain\") and process.args_count == 2) or\n (process.name in (\"iptables\", \"ip6tables\") and process.parent.args == \"force-stop\")\n ) or\n\n /* stop FW service */\n (\n ((process.name == \"service\" and process.args == \"stop\") or\n (process.name == \"chkconfig\" and process.args == \"off\") or\n (process.name == \"systemctl\" and process.args in (\"disable\", \"stop\", \"kill\"))) and\n process.args in (\"firewalld\", \"ip6tables\", \"iptables\", \"firewalld.service\", \"ip6tables.service\", \"iptables.service\")\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}], "risk_score": 21, "rule_id": "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_1.json b/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_1.json deleted file mode 100644 index 7acc71927a0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Disable IPTables or Firewall", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n (\n /* disable FW */\n (\n (process.name == \"ufw\" and process.args == \"disable\") or\n (process.name == \"iptables\" and process.args == \"-F\" and process.args_count == 2)\n ) or\n\n /* stop FW service */\n (\n ((process.name == \"service\" and process.args == \"stop\") or\n (process.name == \"chkconfig\" and process.args == \"off\") or\n (process.name == \"systemctl\" and process.args in (\"disable\", \"stop\", \"kill\"))) and\n process.args in (\"firewalld\", \"ip6tables\", \"iptables\")\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f", "severity": "low", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": 
"https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_2.json b/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_2.json deleted file mode 100644 index 6ebdd14648a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Disable IPTables or Firewall", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n (\n /* disable FW */\n (\n (process.name == \"ufw\" and process.args == \"disable\") or\n (process.name == \"iptables\" and process.args == \"-F\" and process.args_count == 2)\n ) or\n\n /* stop FW service */\n (\n ((process.name == \"service\" and process.args == \"stop\") or\n (process.name == \"chkconfig\" and process.args == \"off\") or\n (process.name == \"systemctl\" and process.args in (\"disable\", \"stop\", \"kill\"))) and\n process.args in (\"firewalld\", \"ip6tables\", \"iptables\")\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": 
"https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_3.json b/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_3.json deleted file mode 100644 index 95e55d39685..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Disable IPTables or Firewall", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n (\n /* disable FW */\n (\n (process.name == \"ufw\" and process.args == \"disable\") or\n (process.name == \"iptables\" and process.args == \"-F\" and process.args_count == 2)\n ) or\n\n /* stop FW service */\n (\n ((process.name == \"service\" and process.args == \"stop\") or\n (process.name == \"chkconfig\" and process.args == \"off\") or\n (process.name == \"systemctl\" and process.args in (\"disable\", \"stop\", \"kill\"))) and\n process.args in (\"firewalld\", \"ip6tables\", \"iptables\")\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify 
Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_4.json b/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_4.json deleted file mode 100644 index 584fed72c39..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Disable IPTables or Firewall", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n (\n /* disable FW */\n (\n (process.name == \"ufw\" and process.args == \"disable\") or\n (process.name == \"iptables\" and process.args == \"-F\" and process.args_count == 2)\n ) or\n\n /* stop FW service */\n (\n ((process.name == \"service\" and process.args == \"stop\") or\n (process.name == \"chkconfig\" and process.args == \"off\") or\n (process.name == \"systemctl\" and process.args in (\"disable\", \"stop\", \"kill\"))) and\n process.args in (\"firewalld\", \"ip6tables\", \"iptables\")\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_5.json b/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_5.json deleted file mode 100644 index fbfa6fc63de..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_5.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Disable IPTables or Firewall", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n (\n /* disable FW */\n (\n (process.name == \"ufw\" and process.args == \"disable\") or\n (process.name == \"iptables\" and process.args == \"-F\" and process.args_count == 2)\n ) or\n\n /* stop FW service */\n (\n ((process.name == \"service\" and process.args == \"stop\") or\n (process.name == \"chkconfig\" and process.args == \"off\") or\n (process.name == \"systemctl\" and process.args in (\"disable\", \"stop\", \"kill\"))) and\n process.args in (\"firewalld\", \"ip6tables\", \"iptables\")\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_6.json b/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_6.json
deleted file mode 100644
index 1c659532707..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Disable IPTables or Firewall", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\n (\n /* disable FW */\n (\n (process.name == \"ufw\" and process.args == \"disable\") or\n (process.name == \"iptables\" and process.args == \"-F\" and process.args_count == 2)\n ) or\n\n /* stop FW service */\n (\n ((process.name == \"service\" and process.args == \"stop\") or\n (process.name == \"chkconfig\" and process.args == \"off\") or\n (process.name == \"systemctl\" and process.args in (\"disable\", \"stop\", \"kill\"))) and\n process.args in (\"firewalld\", \"ip6tables\", \"iptables\")\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_7.json b/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_7.json
deleted file mode 100644
index 7deb1ab382a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Disable IPTables or Firewall", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\n (\n /* disable FW */\n (\n (process.name == \"ufw\" and process.args == \"disable\") or\n (process.name == \"iptables\" and process.args == \"-F\" and process.args_count == 2)\n ) or\n\n /* stop FW service */\n (\n ((process.name == \"service\" and process.args == \"stop\") or\n (process.name == \"chkconfig\" and process.args == \"off\") or\n (process.name == \"systemctl\" and process.args in (\"disable\", \"stop\", \"kill\"))) and\n process.args in (\"firewalld\", \"ip6tables\", \"iptables\")\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_8.json b/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_8.json
deleted file mode 100644
index 89f263367be..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_8.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Disable IPTables or Firewall", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\n (\n /* disable FW */\n (\n (process.name == \"ufw\" and process.args == \"disable\") or\n (process.name == \"iptables\" and process.args in (\"-F\", \"--flush\", \"-X\", \"--delete-chain\") and process.args_count == 2) or\n (process.name in (\"iptables\", \"ip6tables\") and process.parent.args == \"force-stop\")\n ) or\n\n /* stop FW service */\n (\n ((process.name == \"service\" and process.args == \"stop\") or\n (process.name == \"chkconfig\" and process.args == \"off\") or\n (process.name == \"systemctl\" and process.args in (\"disable\", \"stop\", \"kill\"))) and\n process.args in (\"firewalld\", \"ip6tables\", \"iptables\", \"firewalld.service\", \"ip6tables.service\", \"iptables.service\")\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}], "risk_score": 21, "rule_id": "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f_8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8446517c-f789-11ee-8ad0-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/8446517c-f789-11ee-8ad0-f661ea17fbce.json
deleted file mode 100644
index e6572223203..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8446517c-f789-11ee-8ad0-f661ea17fbce.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the first occurrence of a user identity in AWS using `GetPassword` for the administrator password of an EC2 instance with an assumed role. Adversaries may use this API call to escalate privileges or move laterally within EC2 instances.", "from": "now-9m", "history_window_start": "now-7d", "index": ["filebeat-*", "logs-aws.cloudtrail*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Admin Credential Fetch via Assumed Role", "new_terms_fields": ["aws.cloudtrail.user_identity.session_context.session_issuer.arn"], "note": "## Triage and Analysis\n\n### Investigating AWS EC2 Admin Credential Fetch via Assumed Role\n\nThis rule detects the first occurrence of a user identity using the `GetPasswordData` API call in AWS, which retrieves the administrator password of an EC2 instance. This can be an indicator of an adversary attempting to escalate privileges or move laterally within EC2 instances.\n\nThis is a New Terms rule, which means it will only trigger once for each unique value of the `aws.cloudtrail.user_identity.session_context.session_issuer.arn` field that has not been seen making this API request within the last 7 days. This field contains the Amazon Resource Name (ARN) of the assumed role that triggered the API call.\n\n#### Possible Investigation Steps\n\n- **Identify the User Identity and Role**: Examine the AWS CloudTrail logs to determine the user identity that made the `GetPasswordData` request. Pay special attention to the role and permissions associated with the user.\n- **Review Request and Response Parameters**: Analyze the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` fields to understand the context of the API call and the retrieved password.\n- **Contextualize with User Behavior**: Compare this activity against the user's typical behavior patterns. 
Look for unusual login times, IP addresses, or other anomalous actions taken by the user or role prior to and following the incident.\n- **Review EC2 Instance Details**: Check the details of the EC2 instance from which the password was retrieved. Assess the criticality and sensitivity of the applications running on this instance.\n- **Examine Related CloudTrail Events**: Search for other API calls made by the same user identity, especially those modifying security groups, network access controls, or instance metadata.\n- **Check for Lateral Movement**: Look for evidence that the obtained credentials have been used to access other resources or services within AWS.\n- **Investigate the Origin of the API Call**: Analyze the IP address and geographical location from which the request originated. Determine if it aligns with expected locations for legitimate administrative activity.\n\n### False Positive Analysis\n\n- **Legitimate Administrative Actions**: Ensure that the activity was not part of legitimate administrative tasks such as system maintenance or updates.\n- **Automation Scripts**: Verify if the activity was generated by automation or deployment scripts that are authorized to use `GetPasswordData` for legitimate purposes.\n\n### Response and Remediation\n\n- **Immediate Isolation**: If suspicious, isolate the affected instance to prevent any potential lateral movement or further unauthorized actions.\n- **Credential Rotation**: Rotate credentials of the affected instance or assumed role and any other potentially compromised credentials.\n- **User Account Review**: Review the permissions of the implicated user identity. Apply the principle of least privilege by adjusting permissions to prevent misuse.\n- **Enhanced Monitoring**: Increase monitoring on the user identity that triggered the rule and similar EC2 instances.\n- **Incident Response**: If malicious intent is confirmed, initiate the incident response protocol. 
This includes further investigation, containment of the threat, eradication of any threat actor presence, and recovery of affected systems.\n- **Preventative Measures**: Implement or enhance security measures such as multi-factor authentication and continuous audits of sensitive operations like `GetPasswordData`.\n\n### Additional Information\n\nRefer to resources like [AWS privilege escalation methods](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc) and the MITRE ATT&CK technique [T1552.005 - Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005/) for more details on potential vulnerabilities and mitigation strategies.\n\n", "query": "event.dataset:\"aws.cloudtrail\"\n and event.provider:\"ec2.amazonaws.com\" and event.action:\"GetPasswordData\"\n and aws.cloudtrail.user_identity.type:\"AssumedRole\" and aws.cloudtrail.error_code:\"Client.UnauthorizedOperation\"\n", "references": ["https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.error_code", "type": "keyword"}, {"ecs": false, "name": "aws.cloudtrail.user_identity.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "8446517c-f789-11ee-8ad0-f661ea17fbce", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: Amazon EC2", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": 
"T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.005", "name": "Cloud Instance Metadata API", "reference": "https://attack.mitre.org/techniques/T1552/005/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 3}, "id": "8446517c-f789-11ee-8ad0-f661ea17fbce", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8446517c-f789-11ee-8ad0-f661ea17fbce_2.json b/packages/security_detection_engine/kibana/security_rule/8446517c-f789-11ee-8ad0-f661ea17fbce_2.json
deleted file mode 100644
index 9585cb21b6a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8446517c-f789-11ee-8ad0-f661ea17fbce_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the first occurrence of a user identity in AWS using `GetPassword` for the administrator password of an EC2 instance with an assumed role. Adversaries may use this API call to escalate privileges or move laterally within EC2 instances.", "from": "now-9m", "history_window_start": "now-7d", "index": ["filebeat-*", "logs-aws.cloudtrail*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Admin Credential Fetch via Assumed Role", "new_terms_fields": ["aws.cloudtrail.user_identity.session_context.session_issuer.arn"], "note": "\n## Triage and Analysis\n\n### Investigating AWS EC2 Admin Credential Fetch via Assumed Role\n\nThis rule detects the first occurrence of a user identity using the `GetPasswordData` API call in AWS, which retrieves the administrator password of an EC2 instance. This can be an indicator of an adversary attempting to escalate privileges or move laterally within EC2 instances.\n\nThis is a New Terms rule, which means it will only trigger once for each unique value of the `aws.cloudtrail.user_identity.session_context.session_issuer.arn` field that has not been seen making this API request within the last 7 days. This field contains the Amazon Resource Name (ARN) of the assumed role that triggered the API call.\n\n#### Possible Investigation Steps\n\n- **Identify the User Identity and Role**: Examine the AWS CloudTrail logs to determine the user identity that made the `GetPasswordData` request. Pay special attention to the role and permissions associated with the user.\n- **Review Request and Response Parameters**: Analyze the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` fields to understand the context of the API call and the retrieved password.\n- **Contextualize with User Behavior**: Compare this activity against the user's typical behavior patterns. 
Look for unusual login times, IP addresses, or other anomalous actions taken by the user or role prior to and following the incident.\n- **Review EC2 Instance Details**: Check the details of the EC2 instance from which the password was retrieved. Assess the criticality and sensitivity of the applications running on this instance.\n- **Examine Related CloudTrail Events**: Search for other API calls made by the same user identity, especially those modifying security groups, network access controls, or instance metadata.\n- **Check for Lateral Movement**: Look for evidence that the obtained credentials have been used to access other resources or services within AWS.\n- **Investigate the Origin of the API Call**: Analyze the IP address and geographical location from which the request originated. Determine if it aligns with expected locations for legitimate administrative activity.\n\n### False Positive Analysis\n\n- **Legitimate Administrative Actions**: Ensure that the activity was not part of legitimate administrative tasks such as system maintenance or updates.\n- **Automation Scripts**: Verify if the activity was generated by automation or deployment scripts that are authorized to use `GetPasswordData` for legitimate purposes.\n\n### Response and Remediation\n\n- **Immediate Isolation**: If suspicious, isolate the affected instance to prevent any potential lateral movement or further unauthorized actions.\n- **Credential Rotation**: Rotate credentials of the affected instance or assumed role and any other potentially compromised credentials.\n- **User Account Review**: Review the permissions of the implicated user identity. Apply the principle of least privilege by adjusting permissions to prevent misuse.\n- **Enhanced Monitoring**: Increase monitoring on the user identity that triggered the rule and similar EC2 instances.\n- **Incident Response**: If malicious intent is confirmed, initiate the incident response protocol. 
This includes further investigation, containment of the threat, eradication of any threat actor presence, and recovery of affected systems.\n- **Preventative Measures**: Implement or enhance security measures such as multi-factor authentication and continuous audits of sensitive operations like `GetPasswordData`.\n\n### Additional Information\n\nRefer to resources like [AWS privilege escalation methods](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc) and the MITRE ATT&CK technique [T1552.005 - Cloud Instance Metadata API](https://attack.mitre.org/techniques/T1552/005/) for more details on potential vulnerabilities and mitigation strategies.\n\n", "query": "event.dataset:\"aws.cloudtrail\"\n and event.provider:\"ec2.amazonaws.com\" and event.action:\"GetPasswordData\"\n and aws.cloudtrail.user_identity.type:\"AssumedRole\" and aws.cloudtrail.error_code:\"Client.UnauthorizedOperation\"\n", "references": ["https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.error_code", "type": "keyword"}, {"ecs": false, "name": "aws.cloudtrail.user_identity.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "8446517c-f789-11ee-8ad0-f661ea17fbce", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: Amazon EC2", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": 
"T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.005", "name": "Cloud Instance Metadata API", "reference": "https://attack.mitre.org/techniques/T1552/005/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "8446517c-f789-11ee-8ad0-f661ea17fbce_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81.json b/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81.json
deleted file mode 100644
index 79ba2e41b68..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to Microsoft Exchange Transport Agents install. Adversaries may leverage malicious Microsoft Exchange Transport Agents to execute tasks in response to adversary-defined criteria, establishing persistence.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\TEMP\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"}}}}], "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Microsoft Exchange Transport Agent Install Script", "query": "event.category: \"process\" and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"Install-TransportAgent\" or\n \"Enable-TransportAgent\"\n )\n ) and\n not user.id : \"S-1-5-18\" and\n not powershell.file.script_block_text : (\n \"'Install-TransportAgent', 'Invoke-MonitoringProbe', 'Mount-Database', 'Move-ActiveMailboxDatabase',\" or\n \"'Enable-TransportAgent', 'Enable-TransportRule', 'Export-ActiveSyncLog', 'Export-AutoDiscoverConfig',\" or\n (\"scriptCmd.GetSteppablePipeline\" and \"ForwardHelpTargetName Install-TransportAgent\")\n )\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], 
"required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "846fe13f-6772-4c83-bd39-9d16d4ad1a81", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\nSteps to implement the logging policy via registry:\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.002", "name": "Transport Agent", "reference": "https://attack.mitre.org/techniques/T1505/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "846fe13f-6772-4c83-bd39-9d16d4ad1a81", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_1.json b/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_1.json
deleted file mode 100644
index 696e25afc3d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to Microsoft Exchange Transport Agents install. Adversaries may leverage malicious Microsoft Exchange Transport Agents to execute tasks in response to adversary-defined criteria, establishing persistence.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Microsoft Exchange Transport Agent Install Script", "note": "## Setup", "query": "event.category: \"process\" and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"Install-TransportAgent\" or\n \"Enable-TransportAgent\"\n )\n ) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "846fe13f-6772-4c83-bd39-9d16d4ad1a81", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\nSteps to implement the logging policy via registry:\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.002", "name": "Transport Agent", "reference": "https://attack.mitre.org/techniques/T1505/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "846fe13f-6772-4c83-bd39-9d16d4ad1a81_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_2.json b/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_2.json deleted file mode 100644 index c0b2083dcaf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to Microsoft Exchange Transport Agents install. Adversaries may leverage malicious Microsoft Exchange Transport Agents to execute tasks in response to adversary-defined criteria, establishing persistence.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Microsoft Exchange Transport Agent Install Script", "query": "event.category: \"process\" and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"Install-TransportAgent\" or\n \"Enable-TransportAgent\"\n )\n ) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "846fe13f-6772-4c83-bd39-9d16d4ad1a81", "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\nSteps to implement the logging policy via registry:\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, 
"technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.002", "name": "Transport Agent", "reference": "https://attack.mitre.org/techniques/T1505/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "846fe13f-6772-4c83-bd39-9d16d4ad1a81_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_3.json b/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_3.json deleted file mode 100644 index b3a5d3bbf39..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to Microsoft Exchange Transport Agents install. Adversaries may leverage malicious Microsoft Exchange Transport Agents to execute tasks in response to adversary-defined criteria, establishing persistence.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Microsoft Exchange Transport Agent Install Script", "query": "event.category: \"process\" and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"Install-TransportAgent\" or\n \"Enable-TransportAgent\"\n )\n ) and\n not user.id : \"S-1-5-18\" and\n not powershell.file.script_block_text : (\n \"'Install-TransportAgent', 'Invoke-MonitoringProbe', 'Mount-Database', 'Move-ActiveMailboxDatabase',\" or\n \"'Enable-TransportAgent', 'Enable-TransportRule', 'Export-ActiveSyncLog', 'Export-AutoDiscoverConfig',\" or\n (\"scriptCmd.GetSteppablePipeline\" and \"ForwardHelpTargetName Install-TransportAgent\")\n )\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "846fe13f-6772-4c83-bd39-9d16d4ad1a81", "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\nSteps to implement the logging policy via registry:\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v 
EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.002", "name": "Transport Agent", "reference": "https://attack.mitre.org/techniques/T1505/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "846fe13f-6772-4c83-bd39-9d16d4ad1a81_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_4.json b/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_4.json deleted file mode 100644 index 379e4c576e8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to Microsoft Exchange Transport Agents install. Adversaries may leverage malicious Microsoft Exchange Transport Agents to execute tasks in response to adversary-defined criteria, establishing persistence.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Microsoft Exchange Transport Agent Install Script", "query": "event.category: \"process\" and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"Install-TransportAgent\" or\n \"Enable-TransportAgent\"\n )\n ) and\n not user.id : \"S-1-5-18\" and\n not powershell.file.script_block_text : (\n \"'Install-TransportAgent', 'Invoke-MonitoringProbe', 'Mount-Database', 'Move-ActiveMailboxDatabase',\" or\n \"'Enable-TransportAgent', 'Enable-TransportRule', 'Export-ActiveSyncLog', 'Export-AutoDiscoverConfig',\" or\n (\"scriptCmd.GetSteppablePipeline\" and \"ForwardHelpTargetName Install-TransportAgent\")\n )\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "846fe13f-6772-4c83-bd39-9d16d4ad1a81", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\nSteps to implement the logging policy via registry:\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.002", "name": "Transport Agent", "reference": "https://attack.mitre.org/techniques/T1505/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "846fe13f-6772-4c83-bd39-9d16d4ad1a81_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_5.json b/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_5.json deleted file mode 100644 index 1be63da9922..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to Microsoft Exchange Transport Agents install. Adversaries may leverage malicious Microsoft Exchange Transport Agents to execute tasks in response to adversary-defined criteria, establishing persistence.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\TEMP\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"}}}}], "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Microsoft Exchange Transport Agent Install Script", "query": "event.category: \"process\" and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"Install-TransportAgent\" or\n \"Enable-TransportAgent\"\n )\n ) and\n not user.id : \"S-1-5-18\" and\n not powershell.file.script_block_text : (\n \"'Install-TransportAgent', 'Invoke-MonitoringProbe', 'Mount-Database', 'Move-ActiveMailboxDatabase',\" or\n \"'Enable-TransportAgent', 'Enable-TransportRule', 'Export-ActiveSyncLog', 'Export-AutoDiscoverConfig',\" or\n (\"scriptCmd.GetSteppablePipeline\" and \"ForwardHelpTargetName Install-TransportAgent\")\n )\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], 
"required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "846fe13f-6772-4c83-bd39-9d16d4ad1a81", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\nSteps to implement the logging policy via registry:\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.002", "name": "Transport Agent", "reference": "https://attack.mitre.org/techniques/T1505/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "846fe13f-6772-4c83-bd39-9d16d4ad1a81_5", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_6.json b/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_6.json
deleted file mode 100644
index dc0e451ea22..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/846fe13f-6772-4c83-bd39-9d16d4ad1a81_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to Microsoft Exchange Transport Agents install. Adversaries may leverage malicious Microsoft Exchange Transport Agents to execute tasks in response to adversary-defined criteria, establishing persistence.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\TEMP\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\\\\tmp_????????.???\\\\tmp_????????.???.ps?1"}}}}], "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Microsoft Exchange Transport Agent Install Script", "query": "event.category: \"process\" and host.os.type:windows and\n powershell.file.script_block_text : (\n (\n \"Install-TransportAgent\" or\n \"Enable-TransportAgent\"\n )\n ) and\n not user.id : \"S-1-5-18\" and\n not powershell.file.script_block_text : (\n \"'Install-TransportAgent', 'Invoke-MonitoringProbe', 'Mount-Database', 'Move-ActiveMailboxDatabase',\" or\n \"'Enable-TransportAgent', 'Enable-TransportRule', 'Export-ActiveSyncLog', 'Export-AutoDiscoverConfig',\" or\n (\"scriptCmd.GetSteppablePipeline\" and \"ForwardHelpTargetName Install-TransportAgent\")\n )\n", "related_integrations": [{"package": "windows", "version": "^2.0.0"}], 
"required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "846fe13f-6772-4c83-bd39-9d16d4ad1a81", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\nSteps to implement the logging policy via registry:\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.002", "name": "Transport Agent", "reference": "https://attack.mitre.org/techniques/T1505/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 6}, "id": "846fe13f-6772-4c83-bd39-9d16d4ad1a81_6", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/84755a05-78c8-4430-8681-89cd6c857d71.json b/packages/security_detection_engine/kibana/security_rule/84755a05-78c8-4430-8681-89cd6c857d71.json
deleted file mode 100644
index d8019e7e951..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/84755a05-78c8-4430-8681-89cd6c857d71.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for at jobs being created or renamed. Linux at jobs are scheduled tasks that can be leveraged by system administrators to set up scheduled tasks, but may be abused by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "At Job Created or Modified", "query": "file where host.os.type == \"linux\" and\nevent.action in (\"rename\", \"creation\") and file.path : \"/var/spool/cron/atjobs/*\" and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/local/bin/dockerd\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\") or\n 
process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "84755a05-78c8-4430-8681-89cd6c857d71", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.002", "name": "At", "reference": "https://attack.mitre.org/techniques/T1053/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.002", "name": "At", "reference": 
"https://attack.mitre.org/techniques/T1053/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.002", "name": "At", "reference": "https://attack.mitre.org/techniques/T1053/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "84755a05-78c8-4430-8681-89cd6c857d71", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/84755a05-78c8-4430-8681-89cd6c857d71_1.json b/packages/security_detection_engine/kibana/security_rule/84755a05-78c8-4430-8681-89cd6c857d71_1.json deleted file mode 100644 index 20770e752a6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/84755a05-78c8-4430-8681-89cd6c857d71_1.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for at jobs being created or renamed. Linux at jobs are scheduled tasks that can be leveraged by system administrators to set up scheduled tasks, but may be abused by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "At Job Created or Modified", "query": "file where host.os.type == \"linux\" and\nevent.action in (\"rename\", \"creation\") and file.path : \"/var/spool/cron/atjobs/*\" and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/local/bin/dockerd\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\") or\n 
process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "84755a05-78c8-4430-8681-89cd6c857d71", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.002", "name": "At", "reference": "https://attack.mitre.org/techniques/T1053/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.002", "name": "At", "reference": 
"https://attack.mitre.org/techniques/T1053/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.002", "name": "At", "reference": "https://attack.mitre.org/techniques/T1053/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "84755a05-78c8-4430-8681-89cd6c857d71_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/84d1f8db-207f-45ab-a578-921d91c23eb2.json b/packages/security_detection_engine/kibana/security_rule/84d1f8db-207f-45ab-a578-921d91c23eb2.json
deleted file mode 100644
index b8f45d29f9d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/84d1f8db-207f-45ab-a578-921d91c23eb2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a non-interactive terminal (tty) is being upgraded to a fully interactive shell. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host, in order to obtain a more stable connection.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Upgrade of Non-interactive Shell", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and (\n (process.name == \"stty\" and process.args == \"raw\" and process.args == \"-echo\" and process.args_count >= 3) or\n (process.name == \"script\" and process.args in (\"-qc\", \"-c\") and process.args == \"/dev/null\" and \n process.args_count == 4)\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "84d1f8db-207f-45ab-a578-921d91c23eb2", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "84d1f8db-207f-45ab-a578-921d91c23eb2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/84d1f8db-207f-45ab-a578-921d91c23eb2_1.json b/packages/security_detection_engine/kibana/security_rule/84d1f8db-207f-45ab-a578-921d91c23eb2_1.json
deleted file mode 100644
index 4b180fbf1bf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/84d1f8db-207f-45ab-a578-921d91c23eb2_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a non-interactive terminal (tty) is being upgraded to a fully interactive shell. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host, in order to obtain a more stable connection.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Upgrade of Non-interactive Shell", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and (\n (process.name == \"stty\" and process.args == \"raw\" and process.args == \"-echo\" and process.args_count >= 3) or\n (process.name == \"script\" and process.args in (\"-qc\", \"-c\") and process.args == \"/dev/null\" and \n process.args_count == 4)\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "84d1f8db-207f-45ab-a578-921d91c23eb2", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "84d1f8db-207f-45ab-a578-921d91c23eb2_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/84d1f8db-207f-45ab-a578-921d91c23eb2_2.json b/packages/security_detection_engine/kibana/security_rule/84d1f8db-207f-45ab-a578-921d91c23eb2_2.json
deleted file mode 100644
index 231930d7675..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/84d1f8db-207f-45ab-a578-921d91c23eb2_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a non-interactive terminal (tty) is being upgraded to a fully interactive shell. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host, in order to obtain a more stable connection.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Upgrade of Non-interactive Shell", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and (\n (process.name == \"stty\" and process.args == \"raw\" and process.args == \"-echo\" and process.args_count >= 3) or\n (process.name == \"script\" and process.args in (\"-qc\", \"-c\") and process.args == \"/dev/null\" and \n process.args_count == 4)\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "84d1f8db-207f-45ab-a578-921d91c23eb2", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "84d1f8db-207f-45ab-a578-921d91c23eb2_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd.json b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd.json
deleted file mode 100644
index 0d08bddb935..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of nltest.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC) replication in a Microsoft Windows NT Domain.", "false_positives": ["Domain administrators may use this command-line utility for legitimate information gathering purposes, but it is not common for environments with Windows Server 2012 and newer."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Enumerating Domain Trusts via NLTEST.EXE", "note": "## Triage and analysis\n\n### Investigating Enumerating Domain Trusts via NLTEST.EXE\n\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a \"trusting\" domain permits users from a \"trusted\" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\n\nThis rule identifies the usage of the `nltest.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Enumerating Domain Trusts via DSQUERY.EXE - 06a7a03c-c735-47a6-a313-51c354aef6c3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"nltest.exe\" and process.args : (\n \"/DCLIST:*\", \"/DCNAME:*\", \"/DSGET*\",\n \"/LSAQUERYFTI:*\", \"/PARENTDOMAIN\",\n \"/DOMAIN_TRUSTS\", \"/BDC_QUERY:*\"\n ) and \nnot process.parent.name : \"PDQInventoryScanner.exe\" and \nnot user.id in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "84da2554-e12a-11ec-b896-f661ea17fbcd", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1482", 
"name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "84da2554-e12a-11ec-b896-f661ea17fbcd", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_104.json b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_104.json
deleted file mode 100644
index 044c79a9c94..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of nltest.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC) replication in a Microsoft Windows NT Domain.", "false_positives": ["Domain administrators may use this command-line utility for legitimate information gathering purposes, but it is not common for environments with Windows Server 2012 and newer."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Enumerating Domain Trusts via NLTEST.EXE", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"nltest.exe\" and process.args : (\n \"/DCLIST:*\", \"/DCNAME:*\", \"/DSGET*\",\n \"/LSAQUERYFTI:*\", \"/PARENTDOMAIN\",\n \"/DOMAIN_TRUSTS\", \"/BDC_QUERY:*\")\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "84da2554-e12a-11ec-b896-f661ea17fbcd", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to 
work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "84da2554-e12a-11ec-b896-f661ea17fbcd_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_105.json b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_105.json
deleted file mode 100644
index 021ec3a9c40..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of nltest.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC) replication in a Microsoft Windows NT Domain.", "false_positives": ["Domain administrators may use this command-line utility for legitimate information gathering purposes, but it is not common for environments with Windows Server 2012 and newer."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Enumerating Domain Trusts via NLTEST.EXE", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"nltest.exe\" and process.args : (\n \"/DCLIST:*\", \"/DCNAME:*\", \"/DSGET*\",\n \"/LSAQUERYFTI:*\", \"/PARENTDOMAIN\",\n \"/DOMAIN_TRUSTS\", \"/BDC_QUERY:*\")\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "84da2554-e12a-11ec-b896-f661ea17fbcd", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to 
work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "84da2554-e12a-11ec-b896-f661ea17fbcd_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_106.json b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_106.json
deleted file mode 100644
index b63128f88ce..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of nltest.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC) replication in a Microsoft Windows NT Domain.", "false_positives": ["Domain administrators may use this command-line utility for legitimate information gathering purposes, but it is not common for environments with Windows Server 2012 and newer."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Enumerating Domain Trusts via NLTEST.EXE", "note": "## Triage and analysis\n\n### Investigating Enumerating Domain Trusts via NLTEST.EXE\n\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a \"trusting\" domain permits users from a \"trusted\" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\n\nThis rule identifies the usage of the `nltest.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Enumerating Domain Trusts via DSQUERY.EXE - 06a7a03c-c735-47a6-a313-51c354aef6c3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"nltest.exe\" and process.args : (\n \"/DCLIST:*\", \"/DCNAME:*\", \"/DSGET*\",\n \"/LSAQUERYFTI:*\", \"/PARENTDOMAIN\",\n \"/DOMAIN_TRUSTS\", \"/BDC_QUERY:*\")\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "84da2554-e12a-11ec-b896-f661ea17fbcd", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "84da2554-e12a-11ec-b896-f661ea17fbcd_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_107.json b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_107.json
deleted file mode 100644
index a0b306cbb09..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of nltest.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC) replication in a Microsoft Windows NT Domain.", "false_positives": ["Domain administrators may use this command-line utility for legitimate information gathering purposes, but it is not common for environments with Windows Server 2012 and newer."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Enumerating Domain Trusts via NLTEST.EXE", "note": "## Triage and analysis\n\n### Investigating Enumerating Domain Trusts via NLTEST.EXE\n\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a \"trusting\" domain permits users from a \"trusted\" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\n\nThis rule identifies the usage of the `nltest.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Enumerating Domain Trusts via DSQUERY.EXE - 06a7a03c-c735-47a6-a313-51c354aef6c3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"nltest.exe\" and process.args : (\n \"/DCLIST:*\", \"/DCNAME:*\", \"/DSGET*\",\n \"/LSAQUERYFTI:*\", \"/PARENTDOMAIN\",\n \"/DOMAIN_TRUSTS\", \"/BDC_QUERY:*\")\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "84da2554-e12a-11ec-b896-f661ea17fbcd", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "84da2554-e12a-11ec-b896-f661ea17fbcd_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_108.json b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_108.json
deleted file mode 100644
index 2693a86f08e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of nltest.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC) replication in a Microsoft Windows NT Domain.", "false_positives": ["Domain administrators may use this command-line utility for legitimate information gathering purposes, but it is not common for environments with Windows Server 2012 and newer."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Enumerating Domain Trusts via NLTEST.EXE", "note": "## Triage and analysis\n\n### Investigating Enumerating Domain Trusts via NLTEST.EXE\n\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a \"trusting\" domain permits users from a \"trusted\" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\n\nThis rule identifies the usage of the `nltest.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Enumerating Domain Trusts via DSQUERY.EXE - 06a7a03c-c735-47a6-a313-51c354aef6c3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"nltest.exe\" and process.args : (\n \"/DCLIST:*\", \"/DCNAME:*\", \"/DSGET*\",\n \"/LSAQUERYFTI:*\", \"/PARENTDOMAIN\",\n \"/DOMAIN_TRUSTS\", \"/BDC_QUERY:*\"\n ) and \nnot process.parent.name : \"PDQInventoryScanner.exe\" and \nnot user.id in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "84da2554-e12a-11ec-b896-f661ea17fbcd", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1018", "name": "Remote System Discovery", "reference": 
"https://attack.mitre.org/techniques/T1018/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "84da2554-e12a-11ec-b896-f661ea17fbcd_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_109.json b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_109.json
deleted file mode 100644
index 360d507941e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of nltest.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC) replication in a Microsoft Windows NT Domain.", "false_positives": ["Domain administrators may use this command-line utility for legitimate information gathering purposes, but it is not common for environments with Windows Server 2012 and newer."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Enumerating Domain Trusts via NLTEST.EXE", "note": "## Triage and analysis\n\n### Investigating Enumerating Domain Trusts via NLTEST.EXE\n\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a \"trusting\" domain permits users from a \"trusted\" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\n\nThis rule identifies the usage of the `nltest.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Enumerating Domain Trusts via DSQUERY.EXE - 06a7a03c-c735-47a6-a313-51c354aef6c3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"nltest.exe\" and process.args : (\n \"/DCLIST:*\", \"/DCNAME:*\", \"/DSGET*\",\n \"/LSAQUERYFTI:*\", \"/PARENTDOMAIN\",\n \"/DOMAIN_TRUSTS\", \"/BDC_QUERY:*\"\n ) and \nnot process.parent.name : \"PDQInventoryScanner.exe\" and \nnot user.id in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "84da2554-e12a-11ec-b896-f661ea17fbcd", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1018", "name": "Remote System 
Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "84da2554-e12a-11ec-b896-f661ea17fbcd_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_110.json b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_110.json
deleted file mode 100644
index db9ad89707e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of nltest.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC) replication in a Microsoft Windows NT Domain.", "false_positives": ["Domain administrators may use this command-line utility for legitimate information gathering purposes, but it is not common for environments with Windows Server 2012 and newer."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Enumerating Domain Trusts via NLTEST.EXE", "note": "## Triage and analysis\n\n### Investigating Enumerating Domain Trusts via NLTEST.EXE\n\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a \"trusting\" domain permits users from a \"trusted\" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\n\nThis rule identifies the usage of the `nltest.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Enumerating Domain Trusts via DSQUERY.EXE - 06a7a03c-c735-47a6-a313-51c354aef6c3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"nltest.exe\" and process.args : (\n \"/DCLIST:*\", \"/DCNAME:*\", \"/DSGET*\",\n \"/LSAQUERYFTI:*\", \"/PARENTDOMAIN\",\n \"/DOMAIN_TRUSTS\", \"/BDC_QUERY:*\"\n ) and \nnot process.parent.name : \"PDQInventoryScanner.exe\" and \nnot user.id in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "84da2554-e12a-11ec-b896-f661ea17fbcd", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1018", "name": "Remote System 
Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "84da2554-e12a-11ec-b896-f661ea17fbcd_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_111.json b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_111.json
deleted file mode 100644
index da58c4f2f18..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of nltest.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC) replication in a Microsoft Windows NT Domain.", "false_positives": ["Domain administrators may use this command-line utility for legitimate information gathering purposes, but it is not common for environments with Windows Server 2012 and newer."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Enumerating Domain Trusts via NLTEST.EXE", "note": "## Triage and analysis\n\n### Investigating Enumerating Domain Trusts via NLTEST.EXE\n\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a \"trusting\" domain permits users from a \"trusted\" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\n\nThis rule identifies the usage of the `nltest.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Enumerating Domain Trusts via DSQUERY.EXE - 06a7a03c-c735-47a6-a313-51c354aef6c3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"nltest.exe\" and process.args : (\n \"/DCLIST:*\", \"/DCNAME:*\", \"/DSGET*\",\n \"/LSAQUERYFTI:*\", \"/PARENTDOMAIN\",\n \"/DOMAIN_TRUSTS\", \"/BDC_QUERY:*\"\n ) and \nnot process.parent.name : \"PDQInventoryScanner.exe\" and \nnot user.id in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "84da2554-e12a-11ec-b896-f661ea17fbcd", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1482", "name": "Domain Trust 
Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "84da2554-e12a-11ec-b896-f661ea17fbcd_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_112.json b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_112.json
deleted file mode 100644
index 4979398f001..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_112.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of nltest.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC) replication in a Microsoft Windows NT Domain.", "false_positives": ["Domain administrators may use this command-line utility for legitimate information gathering purposes, but it is not common for environments with Windows Server 2012 and newer."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Enumerating Domain Trusts via NLTEST.EXE", "note": "## Triage and analysis\n\n### Investigating Enumerating Domain Trusts via NLTEST.EXE\n\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a \"trusting\" domain permits users from a \"trusted\" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\n\nThis rule identifies the usage of the `nltest.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Enumerating Domain Trusts via DSQUERY.EXE - 06a7a03c-c735-47a6-a313-51c354aef6c3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"nltest.exe\" and process.args : (\n \"/DCLIST:*\", \"/DCNAME:*\", \"/DSGET*\",\n \"/LSAQUERYFTI:*\", \"/PARENTDOMAIN\",\n \"/DOMAIN_TRUSTS\", \"/BDC_QUERY:*\"\n ) and \nnot process.parent.name : \"PDQInventoryScanner.exe\" and \nnot user.id in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "84da2554-e12a-11ec-b896-f661ea17fbcd", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1482", 
"name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "84da2554-e12a-11ec-b896-f661ea17fbcd_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_213.json b/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_213.json deleted file mode 100644 index 89db3842c95..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/84da2554-e12a-11ec-b896-f661ea17fbcd_213.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of nltest.exe for domain trust discovery purposes. Adversaries may use this command-line utility to enumerate domain trusts and gain insight into trust relationships, as well as the state of Domain Controller (DC) replication in a Microsoft Windows NT Domain.", "false_positives": ["Domain administrators may use this command-line utility for legitimate information gathering purposes, but it is not common for environments with Windows Server 2012 and newer."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Enumerating Domain Trusts via NLTEST.EXE", "note": "## Triage and analysis\n\n### Investigating Enumerating Domain Trusts via NLTEST.EXE\n\nActive Directory (AD) domain trusts define relationships between domains within a Windows AD environment. In this setup, a \"trusting\" domain permits users from a \"trusted\" domain to access resources. These trust relationships can be configurable as one-way, two-way, transitive, or non-transitive, enabling controlled access and resource sharing across domains.\n\nThis rule identifies the usage of the `nltest.exe` utility to enumerate domain trusts. Attackers can use this information to enable the next actions in a target environment, such as lateral movement.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation and are done within the user business context (e.g., an administrator in this context). As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Enumerating Domain Trusts via DSQUERY.EXE - 06a7a03c-c735-47a6-a313-51c354aef6c3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"nltest.exe\" and process.args : (\n \"/DCLIST:*\", \"/DCNAME:*\", \"/DSGET*\",\n \"/LSAQUERYFTI:*\", \"/PARENTDOMAIN\",\n \"/DOMAIN_TRUSTS\", \"/BDC_QUERY:*\"\n ) and \nnot process.parent.name : \"PDQInventoryScanner.exe\" and \nnot user.id in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "84da2554-e12a-11ec-b896-f661ea17fbcd", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": 
"T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 213}, "id": "84da2554-e12a-11ec-b896-f661ea17fbcd_213", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8.json b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8.json deleted file mode 100644 index 6b264fd594e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies remote access to the registry to potentially dump credential data from the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.", "from": "now-9m", "index": ["logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Credential Access via Registry", "note": "## Triage and analysis\n\n### Investigating Potential Remote Credential Access via Registry\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, such as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can use tools like secretsdump.py or CrackMapExec to dump the registry hives remotely, and use dumped credentials to access other systems in the domain.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as their role, criticality, and associated users.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Determine the privileges of the compromised accounts.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine if other hosts were compromised.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Ensure that the machine has the latest security updates and is not running unsupported Windows versions.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and\n event.action == \"creation\" and process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and file.size >= 30000 and\n file.path : (\"?:\\\\Windows\\\\system32\\\\*.tmp\", \"?:\\\\WINDOWS\\\\Temp\\\\*.tmp\")\n", "references": ["https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, 
"name": "file.size", "type": "long"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "850d901a-2a3c-46c6-8b22-55398a01aad8", "setup": "## Setup\n\nThis rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "850d901a-2a3c-46c6-8b22-55398a01aad8", "type": "security-rule"} \ No newline 
at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_105.json b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_105.json
deleted file mode 100644
index 51fb4402a08..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies remote access to the registry to potentially dump credential data from the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Credential Access via Registry", "note": "## Triage and analysis\n\n### Investigating Potential Remote Credential Access via Registry\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, such as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can use tools like secretsdump.py or CrackMapExec to dump the registry hives remotely, and use dumped credentials to access other systems in the domain.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as their role, criticality, and associated users.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Determine the privileges of the compromised accounts.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine if other hosts were compromised.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Ensure that the machine has the latest security updates and is not running unsupported Windows versions.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "sequence by host.id, user.id with maxspan=1m\n [authentication where\n event.outcome == \"success\" and event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and not user.name == \"ANONYMOUS LOGON\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"]\n [file where host.os.type == \"windows\" and event.action == \"creation\" and process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and file.size >= 30000 and\n not file.path :\n (\"?:\\\\Windows\\\\system32\\\\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_*.registry\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat.LOG?\",\n 
\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat\",\n \"?:\\\\Users\\\\*\\\\ntuser.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\NTUSER.DAT\")]\n", "references": ["https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "file.size", "type": "long"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 73, "rule_id": "850d901a-2a3c-46c6-8b22-55398a01aad8", "setup": "This rule uses Elastic Endpoint file creation and system integration events for correlation. 
Both data should be collected from the host for this detection to work.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 105}, "id": "850d901a-2a3c-46c6-8b22-55398a01aad8_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_106.json b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_106.json
deleted file mode 100644
index 48d41df0458..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies remote access to the registry to potentially dump credential data from the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Credential Access via Registry", "note": "## Triage and analysis\n\n### Investigating Potential Remote Credential Access via Registry\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, such as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can use tools like secretsdump.py or CrackMapExec to dump the registry hives remotely, and use dumped credentials to access other systems in the domain.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as their role, criticality, and associated users.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Determine the privileges of the compromised accounts.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine if other hosts were compromised.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Ensure that the machine has the latest security updates and is not running unsupported Windows versions.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "sequence by host.id, user.id with maxspan=1m\n [authentication where\n event.outcome == \"success\" and event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and not user.name == \"ANONYMOUS LOGON\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"]\n [file where event.action == \"creation\" and process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and file.size >= 30000 and\n not file.path :\n (\"?:\\\\Windows\\\\system32\\\\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_*.registry\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat.LOG?\",\n 
\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat\",\n \"?:\\\\Users\\\\*\\\\ntuser.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\NTUSER.DAT\")]\n", "references": ["https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "file.size", "type": "long"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 73, "rule_id": "850d901a-2a3c-46c6-8b22-55398a01aad8", "setup": "This rule uses Elastic Endpoint file creation and system integration events for correlation. 
Both data should be collected from the host for this detection to work.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 106}, "id": "850d901a-2a3c-46c6-8b22-55398a01aad8_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_107.json b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_107.json
deleted file mode 100644
index 63fb40dea4c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote access to the registry to potentially dump credential data from the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Credential Access via Registry", "note": "## Triage and analysis\n\n### Investigating Potential Remote Credential Access via Registry\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, such as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can use tools like secretsdump.py or CrackMapExec to dump the registry hives remotely, and use dumped credentials to access other systems in the domain.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as their role, criticality, and associated users.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Determine the privileges of the compromised accounts.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine if other hosts were compromised.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Ensure that the machine has the latest security updates and is not running unsupported Windows versions.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "sequence by host.id, user.id with maxspan=1m\n [authentication where\n event.outcome == \"success\" and event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and not user.name == \"ANONYMOUS LOGON\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"]\n [file where event.action == \"creation\" and process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and file.size >= 30000 and\n not file.path :\n (\"?:\\\\Windows\\\\system32\\\\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_*.registry\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat.LOG?\",\n 
\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat\",\n \"?:\\\\Users\\\\*\\\\ntuser.dat.LOG?\",\n \"?:\\\\Users\\\\*\\\\NTUSER.DAT\")]\n", "references": ["https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "file.size", "type": "long"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 73, "rule_id": "850d901a-2a3c-46c6-8b22-55398a01aad8", "setup": "This rule uses Elastic Endpoint file creation and system integration events for correlation. 
Both data should be collected from the host for this detection to work.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 107}, "id": "850d901a-2a3c-46c6-8b22-55398a01aad8_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_108.json b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_108.json deleted file mode 100644 index fd221797fe5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote access to the registry to potentially dump credential data from the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Credential Access via Registry", "note": "## Triage and analysis\n\n### Investigating Potential Remote Credential Access via Registry\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, such as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can use tools like secretsdump.py or CrackMapExec to dump the registry hives remotely, and use dumped credentials to access other systems in the domain.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as their role, criticality, and associated users.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Determine the privileges of the compromised accounts.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine if other hosts were compromised.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Ensure that the machine has the latest security updates and is not running unsupported Windows versions.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and\n event.action == \"creation\" and process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and file.size >= 30000 and\n file.path : (\"?:\\\\Windows\\\\system32\\\\*.tmp\", \"?:\\\\WINDOWS\\\\Temp\\\\*.tmp\")\n", "references": ["https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": 
"unknown"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "file.size", "type": "long"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "850d901a-2a3c-46c6-8b22-55398a01aad8", "setup": "This rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "850d901a-2a3c-46c6-8b22-55398a01aad8_108", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_109.json b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_109.json
deleted file mode 100644
index a07a6966aa1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote access to the registry to potentially dump credential data from the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Credential Access via Registry", "note": "## Triage and analysis\n\n### Investigating Potential Remote Credential Access via Registry\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, such as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can use tools like secretsdump.py or CrackMapExec to dump the registry hives remotely, and use dumped credentials to access other systems in the domain.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as their role, criticality, and associated users.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Determine the privileges of the compromised accounts.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine if other hosts were compromised.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Ensure that the machine has the latest security updates and is not running unsupported Windows versions.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "file where host.os.type == \"windows\" and\n event.action == \"creation\" and process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and file.size >= 30000 and\n file.path : (\"?:\\\\Windows\\\\system32\\\\*.tmp\", \"?:\\\\WINDOWS\\\\Temp\\\\*.tmp\")\n", "references": ["https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, 
"name": "file.size", "type": "long"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "850d901a-2a3c-46c6-8b22-55398a01aad8", "setup": "\nThis rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "850d901a-2a3c-46c6-8b22-55398a01aad8_109", "type": "security-rule"} \ No newline at 
end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_110.json b/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_110.json
deleted file mode 100644
index 42dfd54dede..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/850d901a-2a3c-46c6-8b22-55398a01aad8_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote access to the registry to potentially dump credential data from the Security Account Manager (SAM) registry hive in preparation for credential access and privileges elevation.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Credential Access via Registry", "note": "## Triage and analysis\n\n### Investigating Potential Remote Credential Access via Registry\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, such as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can use tools like secretsdump.py or CrackMapExec to dump the registry hives remotely, and use dumped credentials to access other systems in the domain.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as their role, criticality, and associated users.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Determine the privileges of the compromised accounts.\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine if other hosts were compromised.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Ensure that the machine has the latest security updates and is not running unsupported Windows versions.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and\n event.action == \"creation\" and process.name : \"svchost.exe\" and\n file.Ext.header_bytes : \"72656766*\" and user.id : (\"S-1-5-21-*\", \"S-1-12-1-*\") and file.size >= 30000 and\n file.path : (\"?:\\\\Windows\\\\system32\\\\*.tmp\", \"?:\\\\WINDOWS\\\\Temp\\\\*.tmp\")\n", "references": ["https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, 
"name": "file.size", "type": "long"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "850d901a-2a3c-46c6-8b22-55398a01aad8", "setup": "## Setup\n\nThis rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "850d901a-2a3c-46c6-8b22-55398a01aad8_110", "type": "security-rule"} \ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3.json b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3.json
deleted file mode 100644
index f3b6679defb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.library-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious PowerShell Engine ImageLoad", "new_terms_fields": ["host.id", "process.executable", "user.id"], "note": "## Triage and analysis\n\n### Investigating Suspicious PowerShell Engine ImageLoad\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called \"PowerShell without PowerShell,\" works by using the underlying System.Management.Automation namespace and can bypass application allowlisting and PowerShell security features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the implementation (DLL, executable, etc.) 
and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with some products. These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:windows and event.category:library and \n dll.name:(\"System.Management.Automation.dll\" or \"System.Management.Automation.ni.dll\") and \n not (\n process.code_signature.subject_name:(\"Microsoft Corporation\" or \"Microsoft Dynamic Code Publisher\" or \"Microsoft Windows\") and process.code_signature.trusted:true and not process.name.caseless:(\"regsvr32.exe\" or \"rundll32.exe\")\n ) and \n not (\n process.executable.caseless:(C\\:\\\\Program*Files*\\(x86\\)\\\\*.exe or C\\:\\\\Program*Files\\\\*.exe) and\n process.code_signature.trusted:true\n ) and \n not (\n process.executable.caseless: C\\:\\\\Windows\\\\Lenovo\\\\*.exe and process.code_signature.subject_name:\"Lenovo\" and \n process.code_signature.trusted:true\n ) and \n not (\n process.executable.caseless: \"C:\\\\ProgramData\\\\chocolatey\\\\choco.exe\" and\n process.code_signature.subject_name:\"Chocolatey Software, Inc.\" and process.code_signature.trusted:true\n ) and not process.executable.caseless : \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": false, "name": "process.executable.caseless", "type": "unknown"}, {"ecs": false, "name": 
"process.name.caseless", "type": "unknown"}], "risk_score": 47, "rule_id": "852c1f19-68e8-43a6-9dce-340771fe1be3", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 210}, "id": "852c1f19-68e8-43a6-9dce-340771fe1be3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_104.json b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_104.json deleted file mode 100644 index 24ea12c691c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious PowerShell Engine ImageLoad", "note": "## Triage and analysis\n\n### Investigating Suspicious PowerShell Engine ImageLoad\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called \"PowerShell without PowerShell,\" works by using the underlying System.Management.Automation namespace and can bypass application allowlisting and PowerShell security features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the implementation (DLL, executable, etc.) 
and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with some products. These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "any where host.os.type == \"windows\" and (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") or\n file.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\")) and\n\n/* add false positives relevant to your environment here */\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\RemoteFXvGPUDisablement.exe\", \"C:\\\\Windows\\\\System32\\\\sdiagnhost.exe\") and\nnot process.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\*\\.exe\"\"\" and\n not process.name :\n (\n \"Altaro.SubAgent.exe\",\n \"AppV_Manage.exe\",\n \"azureadconnect.exe\",\n \"CcmExec.exe\",\n \"configsyncrun.exe\",\n \"choco.exe\",\n \"ctxappvservice.exe\",\n \"DVLS.Console.exe\",\n \"edgetransport.exe\",\n \"exsetup.exe\",\n \"forefrontactivedirectoryconnector.exe\",\n \"InstallUtil.exe\",\n \"JenkinsOnDesktop.exe\",\n \"Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe\",\n \"mmc.exe\",\n \"mscorsvw.exe\",\n \"msexchangedelivery.exe\",\n \"msexchangefrontendtransport.exe\",\n \"msexchangehmworker.exe\",\n \"msexchangesubmission.exe\",\n \"msiexec.exe\",\n \"MsiExec.exe\",\n \"noderunner.exe\",\n 
\"NServiceBus.Host.exe\",\n \"NServiceBus.Host32.exe\",\n \"NServiceBus.Hosting.Azure.HostProcess.exe\",\n \"OuiGui.WPF.exe\",\n \"powershell.exe\",\n \"powershell_ise.exe\",\n \"pwsh.exe\",\n \"SCCMCliCtrWPF.exe\",\n \"ScriptEditor.exe\",\n \"ScriptRunner.exe\",\n \"sdiagnhost.exe\",\n \"servermanager.exe\",\n \"setup100.exe\",\n \"ServiceHub.VSDetouredHost.exe\",\n \"SPCAF.Client.exe\",\n \"SPCAF.SettingsEditor.exe\",\n \"SQLPS.exe\",\n \"telemetryservice.exe\",\n \"UMWorkerProcess.exe\",\n \"w3wp.exe\",\n \"wsmprovhost.exe\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "852c1f19-68e8-43a6-9dce-340771fe1be3", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and 
Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "852c1f19-68e8-43a6-9dce-340771fe1be3_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_105.json b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_105.json
deleted file mode 100644
index 0bd8565e6ba..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious PowerShell Engine ImageLoad", "note": "## Triage and analysis\n\n### Investigating Suspicious PowerShell Engine ImageLoad\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called \"PowerShell without PowerShell,\" works by using the underlying System.Management.Automation namespace and can bypass application allowlisting and PowerShell security features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the implementation (DLL, executable, etc.) 
and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with some products. These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "any where host.os.type == \"windows\" and (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") or\n file.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\")) and\n\n/* add false positives relevant to your environment here */\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\RemoteFXvGPUDisablement.exe\", \"C:\\\\Windows\\\\System32\\\\sdiagnhost.exe\") and\nnot process.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\*\\.exe\"\"\" and\n not process.name :\n (\n \"Altaro.SubAgent.exe\",\n \"AppV_Manage.exe\",\n \"azureadconnect.exe\",\n \"CcmExec.exe\",\n \"configsyncrun.exe\",\n \"choco.exe\",\n \"ctxappvservice.exe\",\n \"DVLS.Console.exe\",\n \"edgetransport.exe\",\n \"exsetup.exe\",\n \"forefrontactivedirectoryconnector.exe\",\n \"InstallUtil.exe\",\n \"JenkinsOnDesktop.exe\",\n \"Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe\",\n \"mmc.exe\",\n \"mscorsvw.exe\",\n \"msexchangedelivery.exe\",\n \"msexchangefrontendtransport.exe\",\n \"msexchangehmworker.exe\",\n \"msexchangesubmission.exe\",\n \"msiexec.exe\",\n \"MsiExec.exe\",\n \"noderunner.exe\",\n 
\"NServiceBus.Host.exe\",\n \"NServiceBus.Host32.exe\",\n \"NServiceBus.Hosting.Azure.HostProcess.exe\",\n \"OuiGui.WPF.exe\",\n \"powershell.exe\",\n \"powershell_ise.exe\",\n \"pwsh.exe\",\n \"SCCMCliCtrWPF.exe\",\n \"ScriptEditor.exe\",\n \"ScriptRunner.exe\",\n \"sdiagnhost.exe\",\n \"servermanager.exe\",\n \"setup100.exe\",\n \"ServiceHub.VSDetouredHost.exe\",\n \"SPCAF.Client.exe\",\n \"SPCAF.SettingsEditor.exe\",\n \"SQLPS.exe\",\n \"Ssms.exe\",\n \"telemetryservice.exe\",\n \"UMWorkerProcess.exe\",\n \"w3wp.exe\",\n \"wsmprovhost.exe\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "852c1f19-68e8-43a6-9dce-340771fe1be3", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": 
"Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "852c1f19-68e8-43a6-9dce-340771fe1be3_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_106.json b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_106.json
deleted file mode 100644
index cb8f27abbcf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious PowerShell Engine ImageLoad", "note": "## Triage and analysis\n\n### Investigating Suspicious PowerShell Engine ImageLoad\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called \"PowerShell without PowerShell,\" works by using the underlying System.Management.Automation namespace and can bypass application allowlisting and PowerShell security features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the implementation (DLL, executable, etc.) 
and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with some products. These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "any where host.os.type == \"windows\" and (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") or\n file.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\")) and\n\n/* add false positives relevant to your environment here */\nnot process.executable : (\"C:\\\\Windows\\\\System32\\\\RemoteFXvGPUDisablement.exe\", \"C:\\\\Windows\\\\System32\\\\sdiagnhost.exe\") and\nnot process.executable regex~ \"\"\"C:\\\\Program Files( \\(x86\\))?\\\\*\\.exe\"\"\" and\n not process.name :\n (\n \"Altaro.SubAgent.exe\",\n \"AppV_Manage.exe\",\n \"azureadconnect.exe\",\n \"CcmExec.exe\",\n \"configsyncrun.exe\",\n \"choco.exe\",\n \"ctxappvservice.exe\",\n \"DVLS.Console.exe\",\n \"edgetransport.exe\",\n \"exsetup.exe\",\n \"forefrontactivedirectoryconnector.exe\",\n \"InstallUtil.exe\",\n \"JenkinsOnDesktop.exe\",\n \"Microsoft.EnterpriseManagement.ServiceManager.UI.Console.exe\",\n \"mmc.exe\",\n \"mscorsvw.exe\",\n \"msexchangedelivery.exe\",\n \"msexchangefrontendtransport.exe\",\n \"msexchangehmworker.exe\",\n \"msexchangesubmission.exe\",\n \"msiexec.exe\",\n \"MsiExec.exe\",\n \"noderunner.exe\",\n 
\"NServiceBus.Host.exe\",\n \"NServiceBus.Host32.exe\",\n \"NServiceBus.Hosting.Azure.HostProcess.exe\",\n \"OuiGui.WPF.exe\",\n \"powershell.exe\",\n \"powershell_ise.exe\",\n \"pwsh.exe\",\n \"SCCMCliCtrWPF.exe\",\n \"ScriptEditor.exe\",\n \"ScriptRunner.exe\",\n \"sdiagnhost.exe\",\n \"servermanager.exe\",\n \"setup100.exe\",\n \"ServiceHub.VSDetouredHost.exe\",\n \"SPCAF.Client.exe\",\n \"SPCAF.SettingsEditor.exe\",\n \"SQLPS.exe\",\n \"Ssms.exe\",\n \"telemetryservice.exe\",\n \"UMWorkerProcess.exe\",\n \"w3wp.exe\",\n \"wsmprovhost.exe\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "852c1f19-68e8-43a6-9dce-340771fe1be3", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": 
"https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "852c1f19-68e8-43a6-9dce-340771fe1be3_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_107.json b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_107.json
deleted file mode 100644
index bdb8a27da5f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious PowerShell Engine ImageLoad", "note": "## Triage and analysis\n\n### Investigating Suspicious PowerShell Engine ImageLoad\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called \"PowerShell without PowerShell,\" works by using the underlying System.Management.Automation namespace and can bypass application allowlisting and PowerShell security features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the implementation (DLL, executable, etc.) 
and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with some products. These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "library where host.os.type == \"windows\" and\n dll.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") and\n not \n (\n /* MS Signed Binaries */\n (\n process.code_signature.subject_name : (\n \"Microsoft Windows\",\n \"Microsoft Dynamic Code Publisher\",\n \"Microsoft Corporation\"\n ) and process.code_signature.trusted == true and not process.name : (\"rundll32.exe\", \"regsvr32.exe\")\n ) or\n\n /* Signed Executables from the Program Files folder */\n (\n process.executable : (\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\"\n ) and process.code_signature.trusted == true\n ) or\n\n /* Lenovo */\n (\n process.executable : (\n \"?:\\\\Windows\\\\Lenovo\\\\*.exe\"\n ) and (process.code_signature.subject_name : \"Lenovo\" and process.code_signature.trusted == true) \n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "852c1f19-68e8-43a6-9dce-340771fe1be3", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "852c1f19-68e8-43a6-9dce-340771fe1be3_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_108.json b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_108.json
deleted file mode 100644
index f81c02428fe..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious PowerShell Engine ImageLoad", "note": "## Triage and analysis\n\n### Investigating Suspicious PowerShell Engine ImageLoad\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called \"PowerShell without PowerShell,\" works by using the underlying System.Management.Automation namespace and can bypass application allowlisting and PowerShell security features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the implementation (DLL, executable, etc.) 
and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with some products. These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "library where host.os.type == \"windows\" and\n dll.name : (\"System.Management.Automation.ni.dll\", \"System.Management.Automation.dll\") and\n not \n (\n /* MS Signed Binaries */\n (\n process.code_signature.subject_name : (\n \"Microsoft Windows\",\n \"Microsoft Dynamic Code Publisher\",\n \"Microsoft Corporation\"\n ) and process.code_signature.trusted == true and not process.name : (\"rundll32.exe\", \"regsvr32.exe\")\n ) or\n\n /* Signed Executables from the Program Files folder */\n (\n process.executable : (\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\"\n ) and process.code_signature.trusted == true\n ) or\n\n /* Lenovo */\n (\n process.executable : (\n \"?:\\\\Windows\\\\Lenovo\\\\*.exe\"\n ) and (process.code_signature.subject_name : \"Lenovo\" and process.code_signature.trusted == true) \n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "852c1f19-68e8-43a6-9dce-340771fe1be3", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic 
Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "852c1f19-68e8-43a6-9dce-340771fe1be3_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_208.json b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_208.json deleted file mode 100644 index 0bb2af788f6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_208.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious PowerShell Engine ImageLoad", "new_terms_fields": ["host.id", "process.executable", "user.id"], "note": "## Triage and analysis\n\n### Investigating Suspicious PowerShell Engine ImageLoad\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called \"PowerShell without PowerShell,\" works by using the underlying System.Management.Automation namespace and can bypass application allowlisting and PowerShell security features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the implementation (DLL, executable, etc.) 
and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with some products. These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:windows and event.category:library and \n dll.name:(\"System.Management.Automation.dll\" or \"System.Management.Automation.ni.dll\") and \n not (process.code_signature.subject_name:(\"Microsoft Corporation\" or \"Microsoft Dynamic Code Publisher\" or \"Microsoft Windows\") and process.code_signature.trusted:true and not process.name.caseless:(\"regsvr32.exe\" or \"rundll32.exe\")) and \n not (process.executable.caseless:(?\\:\\\\\\\\Program?Files?\\(x86\\)\\\\\\\\*.exe or ?\\:\\\\\\\\Program?Files\\\\\\\\*.exe) and process.code_signature.trusted:true) and \n not (process.executable.caseless:?\\:\\\\\\\\Windows\\\\\\\\Lenovo\\\\\\\\*.exe and process.code_signature.subject_name:\"Lenovo\" and \n process.code_signature.trusted:true) and not process.executable.caseless : \"C:\\\\Windows\\\\System32\\\\powershell.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": false, "name": "process.executable.caseless", "type": "unknown"}, {"ecs": false, "name": "process.name.caseless", "type": "unknown"}], "risk_score": 47, "rule_id": "852c1f19-68e8-43a6-9dce-340771fe1be3", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: 
Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 208}, "id": "852c1f19-68e8-43a6-9dce-340771fe1be3_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_209.json b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_209.json deleted file mode 100644 index 01305e0c6d8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_209.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious PowerShell Engine ImageLoad", "new_terms_fields": ["host.id", "process.executable", "user.id"], "note": "## Triage and analysis\n\n### Investigating Suspicious PowerShell Engine ImageLoad\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called \"PowerShell without PowerShell,\" works by using the underlying System.Management.Automation namespace and can bypass application allowlisting and PowerShell security features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the implementation (DLL, executable, etc.) 
and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with some products. These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:windows and event.category:library and \n dll.name:(\"System.Management.Automation.dll\" or \"System.Management.Automation.ni.dll\") and \n not (\n process.code_signature.subject_name:(\"Microsoft Corporation\" or \"Microsoft Dynamic Code Publisher\" or \"Microsoft Windows\") and process.code_signature.trusted:true and not process.name.caseless:(\"regsvr32.exe\" or \"rundll32.exe\")\n ) and \n not (\n process.executable.caseless:(?\\:\\\\\\\\Program?Files?\\(x86\\)\\\\\\\\*.exe or ?\\:\\\\\\\\Program?Files\\\\\\\\*.exe) and\n process.code_signature.trusted:true\n ) and \n not (\n process.executable.caseless:?\\:\\\\\\\\Windows\\\\\\\\Lenovo\\\\\\\\*.exe and process.code_signature.subject_name:\"Lenovo\" and \n process.code_signature.trusted:true\n ) and \n not (\n process.executable.caseless:?\\:\\\\\\\\ProgramData\\\\\\\\chocolatey\\\\\\\\choco.exe* and\n process.code_signature.subject_name:\"Chocolatey Software, Inc.\" and process.code_signature.trusted:true\n ) and not process.executable.caseless : \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": false, "name": "process.executable.caseless", "type": "unknown"}, 
{"ecs": false, "name": "process.name.caseless", "type": "unknown"}], "risk_score": 47, "rule_id": "852c1f19-68e8-43a6-9dce-340771fe1be3", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 209}, "id": "852c1f19-68e8-43a6-9dce-340771fe1be3_209", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_210.json b/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_210.json deleted file mode 100644 index 9fad4a85cdb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/852c1f19-68e8-43a6-9dce-340771fe1be3_210.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the PowerShell engine being invoked by unexpected processes. Rather than executing PowerShell functionality with powershell.exe, some attackers do this to operate more stealthily.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.library-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious PowerShell Engine ImageLoad", "new_terms_fields": ["host.id", "process.executable", "user.id"], "note": "## Triage and analysis\n\n### Investigating Suspicious PowerShell Engine ImageLoad\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use PowerShell without having to execute `PowerShell.exe` directly. This technique, often called \"PowerShell without PowerShell,\" works by using the underlying System.Management.Automation namespace and can bypass application allowlisting and PowerShell security features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Retrieve the implementation (DLL, executable, etc.) 
and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity can happen legitimately. Some vendors have their own PowerShell implementations that are shipped with some products. These benign true positives (B-TPs) can be added as exceptions if necessary after analysis.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:windows and event.category:library and \n dll.name:(\"System.Management.Automation.dll\" or \"System.Management.Automation.ni.dll\") and \n not (\n process.code_signature.subject_name:(\"Microsoft Corporation\" or \"Microsoft Dynamic Code Publisher\" or \"Microsoft Windows\") and process.code_signature.trusted:true and not process.name.caseless:(\"regsvr32.exe\" or \"rundll32.exe\")\n ) and \n not (\n process.executable.caseless:(C\\:\\\\Program*Files*\\(x86\\)\\\\*.exe or C\\:\\\\Program*Files\\\\*.exe) and\n process.code_signature.trusted:true\n ) and \n not (\n process.executable.caseless: C\\:\\\\Windows\\\\Lenovo\\\\*.exe and process.code_signature.subject_name:\"Lenovo\" and \n process.code_signature.trusted:true\n ) and \n not (\n process.executable.caseless: \"C:\\\\ProgramData\\\\chocolatey\\\\choco.exe\" and\n process.code_signature.subject_name:\"Chocolatey Software, Inc.\" and process.code_signature.trusted:true\n ) and not process.executable.caseless : \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": false, "name": "process.executable.caseless", "type": "unknown"}, {"ecs": false, "name": 
"process.name.caseless", "type": "unknown"}], "risk_score": 47, "rule_id": "852c1f19-68e8-43a6-9dce-340771fe1be3", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 210}, "id": "852c1f19-68e8-43a6-9dce-340771fe1be3_210", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d.json b/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d.json deleted file mode 100644 index fd4a8389d78..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries.", "false_positives": ["Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Network Access Control List Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl-entry.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "8623535c-1e17-44e1-aa97-7a0699c3037d", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network 
Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "8623535c-1e17-44e1-aa97-7a0699c3037d", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_102.json b/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_102.json deleted file mode 100644 index f50c2e446f9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_102.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries.", "false_positives": ["Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Network Access Control List Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl-entry.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "8623535c-1e17-44e1-aa97-7a0699c3037d", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Network Security"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "8623535c-1e17-44e1-aa97-7a0699c3037d_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_103.json b/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_103.json
deleted file mode 100644
index 01333d445af..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries.", "false_positives": ["Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Network Access Control List Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl-entry.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "8623535c-1e17-44e1-aa97-7a0699c3037d", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security 
Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "8623535c-1e17-44e1-aa97-7a0699c3037d_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_104.json b/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_104.json
deleted file mode 100644
index a26f045c3ce..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries.", "false_positives": ["Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Network Access Control List Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl-entry.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "8623535c-1e17-44e1-aa97-7a0699c3037d", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security 
Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "8623535c-1e17-44e1-aa97-7a0699c3037d_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_205.json b/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_205.json
deleted file mode 100644
index 4d7a76d7263..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8623535c-1e17-44e1-aa97-7a0699c3037d_205.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries.", "false_positives": ["Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Network ACL deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Network Access Control List Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(DeleteNetworkAcl or DeleteNetworkAclEntry) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl-entry.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAclEntry.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "8623535c-1e17-44e1-aa97-7a0699c3037d", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security 
Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "8623535c-1e17-44e1-aa97-7a0699c3037d_205", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b.json b/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b.json
deleted file mode 100644
index 53c2aabf452..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Security group.", "false_positives": ["An RDS security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Security Group Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBSecurityGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "863cdf31-7fd3-41cf-a185-681237ea277b", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": 
"event.ingested", "type": "query", "version": 206}, "id": "863cdf31-7fd3-41cf-a185-681237ea277b", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_102.json b/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_102.json
deleted file mode 100644
index ed76908d0d3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Security group.", "false_positives": ["An RDS security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Security Group Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBSecurityGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "863cdf31-7fd3-41cf-a185-681237ea277b", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", 
"version": 102}, "id": "863cdf31-7fd3-41cf-a185-681237ea277b_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_103.json b/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_103.json
deleted file mode 100644
index 92ab9738240..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Security group.", "false_positives": ["An RDS security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Security Group Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBSecurityGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "863cdf31-7fd3-41cf-a185-681237ea277b", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 
103}, "id": "863cdf31-7fd3-41cf-a185-681237ea277b_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_104.json b/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_104.json
deleted file mode 100644
index 9f41ba71cf0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Security group.", "false_positives": ["An RDS security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Security Group Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBSecurityGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "863cdf31-7fd3-41cf-a185-681237ea277b", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 
104}, "id": "863cdf31-7fd3-41cf-a185-681237ea277b_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_205.json b/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_205.json
deleted file mode 100644
index 5803e5ecac3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/863cdf31-7fd3-41cf-a185-681237ea277b_205.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Security group.", "false_positives": ["An RDS security group deletion may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Security group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Security Group Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:DeleteDBSecurityGroup and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBSecurityGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "863cdf31-7fd3-41cf-a185-681237ea277b", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 
205}, "id": "863cdf31-7fd3-41cf-a185-681237ea277b_205", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a.json b/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a.json
deleted file mode 100644
index 3283038b598..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure.", "false_positives": ["A resource group may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Resource group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Group Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "867616ec-41e5-4edc-ada2-ab13ab45de8a", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": 
[{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "867616ec-41e5-4edc-ada2-ab13ab45de8a", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_102.json b/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_102.json
deleted file mode 100644
index b1a764afadc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure.", "false_positives": ["A resource group may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Resource group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Group Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "867616ec-41e5-4edc-ada2-ab13ab45de8a", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": 
"Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "867616ec-41e5-4edc-ada2-ab13ab45de8a_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_103.json b/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_103.json
deleted file mode 100644
index 3fa4bcece00..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure.", "false_positives": ["A resource group may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Resource group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Group Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "867616ec-41e5-4edc-ada2-ab13ab45de8a", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account 
Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "867616ec-41e5-4edc-ada2-ab13ab45de8a_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_104.json b/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_104.json
deleted file mode 100644
index 24bbb3479ba..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure.", "false_positives": ["A resource group may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Resource group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Group Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "867616ec-41e5-4edc-ada2-ab13ab45de8a", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account 
Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "867616ec-41e5-4edc-ada2-ab13ab45de8a_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_205.json b/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_205.json
deleted file mode 100644
index a5453ecf7c0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/867616ec-41e5-4edc-ada2-ab13ab45de8a_205.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure.", "false_positives": ["A resource group may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Resource group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Group Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:DeleteGroup and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "867616ec-41e5-4edc-ada2-ab13ab45de8a", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account 
Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "867616ec-41e5-4edc-ada2-ab13ab45de8a_205", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655.json b/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655.json
deleted file mode 100644
index 8df11e4807f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.", "false_positives": ["Endpoint Security installers, updaters and post installation verification scripts."], "from": "now-9m", "index": ["logs-endpoint.events.*", "auditbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Security Software Discovery via Grep", "note": "## Triage and analysis\n\n### Investigating Security Software Discovery via Grep\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `grep` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where event.type == \"start\" and\nprocess.name : \"grep\" and user.id != \"0\" and\n not process.parent.executable : (\"/Library/Application Support/*\", \"/opt/McAfee/agent/scripts/ma\") and\n process.args :\n (\"Little Snitch*\",\n \"Avast*\",\n \"Avira*\",\n \"ESET*\",\n \"BlockBlock*\",\n \"360Sec*\",\n \"LuLu*\",\n \"KnockKnock*\",\n \"kav\",\n \"KIS\",\n \"RTProtectionDaemon*\",\n \"Malware*\",\n \"VShieldScanner*\",\n \"WebProtection*\",\n \"webinspectord*\",\n \"McAfee*\",\n \"isecespd*\",\n \"macmnsvc*\",\n \"masvc*\",\n \"kesl*\",\n \"avscan*\",\n \"guard*\",\n \"rtvscand*\",\n \"symcfgd*\",\n \"scmdaemon*\",\n \"symantec*\",\n \"sophos*\",\n \"osquery*\",\n \"elastic-endpoint*\"\n ) and\n not (\n (process.args : \"Avast\" and process.args : \"Passwords\") or\n (process.parent.args : \"/opt/McAfee/agent/scripts/ma\" and process.parent.args : \"checkhealth\") or\n (process.command_line : (\n \"grep ESET Command-line scanner, version %s -A2\",\n \"grep -i McAfee Web Gateway Core version:\",\n \"grep --color=auto ESET Command-line scanner, version %s -A2\"\n )\n ) or\n (process.parent.command_line : (\n \"\"\"sh -c printf \"command_start_%s\"*; perl -pe 's/[^ -~]/\\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1; printf \"command_done_%s*\"\"\",\n \"\"\"bash -c perl -pe 's/[^ -~]/\\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1\"\"\"\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": 
"event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "870aecc0-cea4-4110-af3f-e02e9b373655", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "870aecc0-cea4-4110-af3f-e02e9b373655", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_103.json b/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_103.json
deleted file mode 100644
index bb5bcdbe9c8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.", "false_positives": ["Endpoint Security installers, updaters and post installation verification scripts."], "from": "now-9m", "index": ["logs-endpoint.events.*", "auditbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Security Software Discovery via Grep", "note": "## Triage and analysis\n\n### Investigating Security Software Discovery via Grep\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `grep` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where event.type == \"start\" and\nprocess.name : \"grep\" and user.id != \"0\" and\n not process.parent.executable : \"/Library/Application Support/*\" and\n process.args :\n (\"Little Snitch*\",\n \"Avast*\",\n \"Avira*\",\n \"ESET*\",\n \"BlockBlock*\",\n \"360Sec*\",\n \"LuLu*\",\n \"KnockKnock*\",\n \"kav\",\n \"KIS\",\n \"RTProtectionDaemon*\",\n \"Malware*\",\n \"VShieldScanner*\",\n \"WebProtection*\",\n \"webinspectord*\",\n \"McAfee*\",\n \"isecespd*\",\n \"macmnsvc*\",\n \"masvc*\",\n \"kesl*\",\n \"avscan*\",\n \"guard*\",\n \"rtvscand*\",\n \"symcfgd*\",\n \"scmdaemon*\",\n \"symantec*\",\n \"sophos*\",\n \"osquery*\",\n \"elastic-endpoint*\"\n ) and\n not (process.args : \"Avast\" and process.args : \"Passwords\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "870aecc0-cea4-4110-af3f-e02e9b373655", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Discovery", 
"Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "870aecc0-cea4-4110-af3f-e02e9b373655_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_104.json b/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_104.json
deleted file mode 100644
index 3cc0dc442bd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.", "false_positives": ["Endpoint Security installers, updaters and post installation verification scripts."], "from": "now-9m", "index": ["logs-endpoint.events.*", "auditbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Security Software Discovery via Grep", "note": "## Triage and analysis\n\n### Investigating Security Software Discovery via Grep\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `grep` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where event.type == \"start\" and\nprocess.name : \"grep\" and user.id != \"0\" and\n not process.parent.executable : \"/Library/Application Support/*\" and\n process.args :\n (\"Little Snitch*\",\n \"Avast*\",\n \"Avira*\",\n \"ESET*\",\n \"BlockBlock*\",\n \"360Sec*\",\n \"LuLu*\",\n \"KnockKnock*\",\n \"kav\",\n \"KIS\",\n \"RTProtectionDaemon*\",\n \"Malware*\",\n \"VShieldScanner*\",\n \"WebProtection*\",\n \"webinspectord*\",\n \"McAfee*\",\n \"isecespd*\",\n \"macmnsvc*\",\n \"masvc*\",\n \"kesl*\",\n \"avscan*\",\n \"guard*\",\n \"rtvscand*\",\n \"symcfgd*\",\n \"scmdaemon*\",\n \"symantec*\",\n \"sophos*\",\n \"osquery*\",\n \"elastic-endpoint*\"\n ) and\n not (process.args : \"Avast\" and process.args : \"Passwords\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "870aecc0-cea4-4110-af3f-e02e9b373655", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat 
Detection", "Tactic: Discovery", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "870aecc0-cea4-4110-af3f-e02e9b373655_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_105.json b/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_105.json
deleted file mode 100644
index 25f67055385..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.", "false_positives": ["Endpoint Security installers, updaters and post installation verification scripts."], "from": "now-9m", "index": ["logs-endpoint.events.*", "auditbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Security Software Discovery via Grep", "note": "## Triage and analysis\n\n### Investigating Security Software Discovery via Grep\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `grep` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where event.type == \"start\" and\nprocess.name : \"grep\" and user.id != \"0\" and\n not process.parent.executable : \"/Library/Application Support/*\" and\n process.args :\n (\"Little Snitch*\",\n \"Avast*\",\n \"Avira*\",\n \"ESET*\",\n \"BlockBlock*\",\n \"360Sec*\",\n \"LuLu*\",\n \"KnockKnock*\",\n \"kav\",\n \"KIS\",\n \"RTProtectionDaemon*\",\n \"Malware*\",\n \"VShieldScanner*\",\n \"WebProtection*\",\n \"webinspectord*\",\n \"McAfee*\",\n \"isecespd*\",\n \"macmnsvc*\",\n \"masvc*\",\n \"kesl*\",\n \"avscan*\",\n \"guard*\",\n \"rtvscand*\",\n \"symcfgd*\",\n \"scmdaemon*\",\n \"symantec*\",\n \"sophos*\",\n \"osquery*\",\n \"elastic-endpoint*\"\n ) and\n not (process.args : \"Avast\" and process.args : \"Passwords\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "870aecc0-cea4-4110-af3f-e02e9b373655", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat 
Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "870aecc0-cea4-4110-af3f-e02e9b373655_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_106.json b/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_106.json
deleted file mode 100644
index bdba75ddec4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.", "false_positives": ["Endpoint Security installers, updaters and post installation verification scripts."], "from": "now-9m", "index": ["logs-endpoint.events.*", "auditbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Security Software Discovery via Grep", "note": "## Triage and analysis\n\n### Investigating Security Software Discovery via Grep\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `grep` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where event.type == \"start\" and\nprocess.name : \"grep\" and user.id != \"0\" and\n not process.parent.executable : \"/Library/Application Support/*\" and\n process.args :\n (\"Little Snitch*\",\n \"Avast*\",\n \"Avira*\",\n \"ESET*\",\n \"BlockBlock*\",\n \"360Sec*\",\n \"LuLu*\",\n \"KnockKnock*\",\n \"kav\",\n \"KIS\",\n \"RTProtectionDaemon*\",\n \"Malware*\",\n \"VShieldScanner*\",\n \"WebProtection*\",\n \"webinspectord*\",\n \"McAfee*\",\n \"isecespd*\",\n \"macmnsvc*\",\n \"masvc*\",\n \"kesl*\",\n \"avscan*\",\n \"guard*\",\n \"rtvscand*\",\n \"symcfgd*\",\n \"scmdaemon*\",\n \"symantec*\",\n \"sophos*\",\n \"osquery*\",\n \"elastic-endpoint*\"\n ) and\n not (\n (process.args : \"Avast\" and process.args : \"Passwords\") or\n (process.parent.args : \"/opt/McAfee/agent/scripts/ma\" and process.parent.args : \"checkhealth\") or\n (process.command_line : (\n \"grep ESET Command-line scanner, version %s -A2\",\n \"grep -i McAfee Web Gateway Core version:\",\n \"grep --color=auto ESET Command-line scanner, version %s -A2\"\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, 
"rule_id": "870aecc0-cea4-4110-af3f-e02e9b373655", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "870aecc0-cea4-4110-af3f-e02e9b373655_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_107.json b/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_107.json
deleted file mode 100644
index 52bb24ca98c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.", "false_positives": ["Endpoint Security installers, updaters and post installation verification scripts."], "from": "now-9m", "index": ["logs-endpoint.events.*", "auditbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Security Software Discovery via Grep", "note": "## Triage and analysis\n\n### Investigating Security Software Discovery via Grep\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `grep` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where event.type == \"start\" and\nprocess.name : \"grep\" and user.id != \"0\" and\n not process.parent.executable : \"/Library/Application Support/*\" and\n process.args :\n (\"Little Snitch*\",\n \"Avast*\",\n \"Avira*\",\n \"ESET*\",\n \"BlockBlock*\",\n \"360Sec*\",\n \"LuLu*\",\n \"KnockKnock*\",\n \"kav\",\n \"KIS\",\n \"RTProtectionDaemon*\",\n \"Malware*\",\n \"VShieldScanner*\",\n \"WebProtection*\",\n \"webinspectord*\",\n \"McAfee*\",\n \"isecespd*\",\n \"macmnsvc*\",\n \"masvc*\",\n \"kesl*\",\n \"avscan*\",\n \"guard*\",\n \"rtvscand*\",\n \"symcfgd*\",\n \"scmdaemon*\",\n \"symantec*\",\n \"sophos*\",\n \"osquery*\",\n \"elastic-endpoint*\"\n ) and\n not (\n (process.args : \"Avast\" and process.args : \"Passwords\") or\n (process.parent.args : \"/opt/McAfee/agent/scripts/ma\" and process.parent.args : \"checkhealth\") or\n (process.command_line : (\n \"grep ESET Command-line scanner, version %s -A2\",\n \"grep -i McAfee Web Gateway Core version:\",\n \"grep --color=auto ESET Command-line scanner, version %s -A2\"\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, 
"rule_id": "870aecc0-cea4-4110-af3f-e02e9b373655", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "870aecc0-cea4-4110-af3f-e02e9b373655_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_108.json b/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_108.json
deleted file mode 100644
index 1613f5b78c0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.", "false_positives": ["Endpoint Security installers, updaters and post installation verification scripts."], "from": "now-9m", "index": ["logs-endpoint.events.*", "auditbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Security Software Discovery via Grep", "note": "## Triage and analysis\n\n### Investigating Security Software Discovery via Grep\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `grep` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where event.type == \"start\" and\nprocess.name : \"grep\" and user.id != \"0\" and\n not process.parent.executable : (\"/Library/Application Support/*\", \"/opt/McAfee/agent/scripts/ma\") and\n process.args :\n (\"Little Snitch*\",\n \"Avast*\",\n \"Avira*\",\n \"ESET*\",\n \"BlockBlock*\",\n \"360Sec*\",\n \"LuLu*\",\n \"KnockKnock*\",\n \"kav\",\n \"KIS\",\n \"RTProtectionDaemon*\",\n \"Malware*\",\n \"VShieldScanner*\",\n \"WebProtection*\",\n \"webinspectord*\",\n \"McAfee*\",\n \"isecespd*\",\n \"macmnsvc*\",\n \"masvc*\",\n \"kesl*\",\n \"avscan*\",\n \"guard*\",\n \"rtvscand*\",\n \"symcfgd*\",\n \"scmdaemon*\",\n \"symantec*\",\n \"sophos*\",\n \"osquery*\",\n \"elastic-endpoint*\"\n ) and\n not (\n (process.args : \"Avast\" and process.args : \"Passwords\") or\n (process.parent.args : \"/opt/McAfee/agent/scripts/ma\" and process.parent.args : \"checkhealth\") or\n (process.command_line : (\n \"grep ESET Command-line scanner, version %s -A2\",\n \"grep -i McAfee Web Gateway Core version:\",\n \"grep --color=auto ESET Command-line scanner, version %s -A2\"\n )\n ) or\n (process.parent.command_line : (\n \"\"\"sh -c printf \"command_start_%s\"*; perl -pe 's/[^ -~]/\\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1; printf \"command_done_%s*\"\"\",\n \"\"\"bash -c perl -pe 's/[^ -~]/\\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1\"\"\"\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": 
"event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "870aecc0-cea4-4110-af3f-e02e9b373655", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "870aecc0-cea4-4110-af3f-e02e9b373655_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_109.json b/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_109.json
deleted file mode 100644
index 24e09fcc0a1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/870aecc0-cea4-4110-af3f-e02e9b373655_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the grep command to discover known third-party macOS and Linux security tools, such as Antivirus or Host Firewall details.", "false_positives": ["Endpoint Security installers, updaters and post installation verification scripts."], "from": "now-9m", "index": ["logs-endpoint.events.*", "auditbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Security Software Discovery via Grep", "note": "## Triage and analysis\n\n### Investigating Security Software Discovery via Grep\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `grep` utility with arguments compatible to the enumeration of the security software installed on the host. Attackers can use this information to decide whether or not to infect a system, disable protections, use bypasses, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where event.type == \"start\" and\nprocess.name : \"grep\" and user.id != \"0\" and\n not process.parent.executable : (\"/Library/Application Support/*\", \"/opt/McAfee/agent/scripts/ma\") and\n process.args :\n (\"Little Snitch*\",\n \"Avast*\",\n \"Avira*\",\n \"ESET*\",\n \"BlockBlock*\",\n \"360Sec*\",\n \"LuLu*\",\n \"KnockKnock*\",\n \"kav\",\n \"KIS\",\n \"RTProtectionDaemon*\",\n \"Malware*\",\n \"VShieldScanner*\",\n \"WebProtection*\",\n \"webinspectord*\",\n \"McAfee*\",\n \"isecespd*\",\n \"macmnsvc*\",\n \"masvc*\",\n \"kesl*\",\n \"avscan*\",\n \"guard*\",\n \"rtvscand*\",\n \"symcfgd*\",\n \"scmdaemon*\",\n \"symantec*\",\n \"sophos*\",\n \"osquery*\",\n \"elastic-endpoint*\"\n ) and\n not (\n (process.args : \"Avast\" and process.args : \"Passwords\") or\n (process.parent.args : \"/opt/McAfee/agent/scripts/ma\" and process.parent.args : \"checkhealth\") or\n (process.command_line : (\n \"grep ESET Command-line scanner, version %s -A2\",\n \"grep -i McAfee Web Gateway Core version:\",\n \"grep --color=auto ESET Command-line scanner, version %s -A2\"\n )\n ) or\n (process.parent.command_line : (\n \"\"\"sh -c printf \"command_start_%s\"*; perl -pe 's/[^ -~]/\\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1; printf \"command_done_%s*\"\"\",\n \"\"\"bash -c perl -pe 's/[^ -~]/\\n/g' < /opt/eset/esets/sbin/esets_scan | grep 'ESET Command-line scanner, version %s' -A2 | tail -1\"\"\"\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": 
"event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "870aecc0-cea4-4110-af3f-e02e9b373655", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1518", "name": "Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/", "subtechnique": [{"id": "T1518.001", "name": "Security Software Discovery", "reference": "https://attack.mitre.org/techniques/T1518/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "870aecc0-cea4-4110-af3f-e02e9b373655_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d.json b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d.json
deleted file mode 100644
index 18702a7db74..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Administrator Accounts", "note": "## Triage and analysis\n\n### Investigating Enumeration of Administrator Accounts\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups in the domain and local machine scope. Attackers can use this information to plan their next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- AdFind Command Activity - eda499b8-a073-4e35-9733-22ec71f57f3a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (\n (process.name : \"net.exe\" or ?process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or ?process.pe.original_file_name == \"net1.exe\") and not process.parent.name : \"net.exe\")\n ) and\n process.args : (\"group\", \"user\", \"localgroup\") and\n process.args : (\"*admin*\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\")\n and not process.args : (\"/add\", \"/delete\")\n ) or\n (\n (process.name : \"wmic.exe\" or ?process.pe.original_file_name == \"wmic.exe\") and\n process.args : (\"group\", \"useraccount\")\n )\n) and not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], 
"required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "871ea072-1b71-4def-b016-6278b505138d", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}, {"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": 
"T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "871ea072-1b71-4def-b016-6278b505138d", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_105.json b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_105.json
deleted file mode 100644
index f932dfab603..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Administrator Accounts", "note": "## Triage and analysis\n\n### Investigating Enumeration of Administrator Accounts\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups in the domain and local machine scope. Attackers can use this information to plan their next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- AdFind Command Activity - eda499b8-a073-4e35-9733-22ec71f57f3a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : (\"group\", \"user\", \"localgroup\") and\n process.args : (\"*admin*\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\") and\n not process.args : \"/add\")\n\n or\n\n ((process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : (\"group\", \"useraccount\"))\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, 
{"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "871ea072-1b71-4def-b016-6278b505138d", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}, {"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "871ea072-1b71-4def-b016-6278b505138d_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_106.json b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_106.json
deleted file mode 100644
index f4f45ca0350..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Administrator Accounts", "note": "## Triage and analysis\n\n### Investigating Enumeration of Administrator Accounts\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups in the domain and local machine scope. Attackers can use this information to plan their next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- AdFind Command Activity - eda499b8-a073-4e35-9733-22ec71f57f3a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : (\"group\", \"user\", \"localgroup\") and\n process.args : (\"*admin*\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\") and\n not process.args : \"/add\")\n\n or\n\n ((process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : (\"group\", \"useraccount\"))\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, 
{"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "871ea072-1b71-4def-b016-6278b505138d", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}, {"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "871ea072-1b71-4def-b016-6278b505138d_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_107.json b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_107.json
deleted file mode 100644
index 16b3f0ca128..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Administrator Accounts", "note": "## Triage and analysis\n\n### Investigating Enumeration of Administrator Accounts\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups in the domain and local machine scope. Attackers can use this information to plan their next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- AdFind Command Activity - eda499b8-a073-4e35-9733-22ec71f57f3a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : (\"group\", \"user\", \"localgroup\") and\n process.args : (\"*admin*\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\") and\n not process.args : \"/add\")\n\n or\n\n ((process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : (\"group\", \"useraccount\"))\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, 
{"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "871ea072-1b71-4def-b016-6278b505138d", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}, {"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "871ea072-1b71-4def-b016-6278b505138d_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_108.json b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_108.json
deleted file mode 100644
index 4ff576bc92a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Administrator Accounts", "note": "## Triage and analysis\n\n### Investigating Enumeration of Administrator Accounts\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups in the domain and local machine scope. Attackers can use this information to plan their next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- AdFind Command Activity - eda499b8-a073-4e35-9733-22ec71f57f3a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : (\"group\", \"user\", \"localgroup\") and\n process.args : (\"*admin*\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\") and\n not process.args : \"/add\")\n\n or\n\n ((process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : (\"group\", \"useraccount\"))\n) and not user.id in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, 
{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "871ea072-1b71-4def-b016-6278b505138d", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}, {"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "871ea072-1b71-4def-b016-6278b505138d_108", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_109.json b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_109.json
deleted file mode 100644
index d80e67374e7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Administrator Accounts", "note": "## Triage and analysis\n\n### Investigating Enumeration of Administrator Accounts\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups in the domain and local machine scope. Attackers can use this information to plan their next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- AdFind Command Activity - eda499b8-a073-4e35-9733-22ec71f57f3a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : (\"group\", \"user\", \"localgroup\") and\n process.args : (\"*admin*\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\") and\n not process.args : \"/add\")\n\n or\n\n ((process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : (\"group\", \"useraccount\"))\n) and not user.id in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": 
"keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "871ea072-1b71-4def-b016-6278b505138d", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}, {"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": 
"https://attack.mitre.org/techniques/T1087/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "871ea072-1b71-4def-b016-6278b505138d_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_110.json b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_110.json deleted file mode 100644 index 081b792dddc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_110.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Administrator Accounts", "note": "## Triage and analysis\n\n### Investigating Enumeration of Administrator Accounts\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups in the domain and local machine scope. Attackers can use this information to plan their next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- AdFind Command Activity - eda499b8-a073-4e35-9733-22ec71f57f3a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (\n (process.name : \"net.exe\" or ?process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or ?process.pe.original_file_name == \"net1.exe\") and not process.parent.name : \"net.exe\")\n ) and\n process.args : (\"group\", \"user\", \"localgroup\") and\n process.args : (\"*admin*\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\")\n and not process.args : (\"/add\", \"/delete\")\n ) or\n (\n (process.name : \"wmic.exe\" or ?process.pe.original_file_name == \"wmic.exe\") and\n process.args : (\"group\", \"useraccount\")\n )\n) and not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], 
"required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "871ea072-1b71-4def-b016-6278b505138d", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}, {"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain 
Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "871ea072-1b71-4def-b016-6278b505138d_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_111.json b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_111.json deleted file mode 100644 index eff0911e38c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Administrator Accounts", "note": "## Triage and analysis\n\n### Investigating Enumeration of Administrator Accounts\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups in the domain and local machine scope. Attackers can use this information to plan their next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- AdFind Command Activity - eda499b8-a073-4e35-9733-22ec71f57f3a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (\n (process.name : \"net.exe\" or ?process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or ?process.pe.original_file_name == \"net1.exe\") and not process.parent.name : \"net.exe\")\n ) and\n process.args : (\"group\", \"user\", \"localgroup\") and\n process.args : (\"*admin*\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\")\n and not process.args : (\"/add\", \"/delete\")\n ) or\n (\n (process.name : \"wmic.exe\" or ?process.pe.original_file_name == \"wmic.exe\") and\n process.args : (\"group\", \"useraccount\")\n )\n) and not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], 
"required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "871ea072-1b71-4def-b016-6278b505138d", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}, {"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": 
"Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "871ea072-1b71-4def-b016-6278b505138d_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_112.json b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_112.json deleted file mode 100644 index 009c4d1d228..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_112.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Administrator Accounts", "note": "## Triage and analysis\n\n### Investigating Enumeration of Administrator Accounts\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups in the domain and local machine scope. Attackers can use this information to plan their next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- AdFind Command Activity - eda499b8-a073-4e35-9733-22ec71f57f3a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (\n (process.name : \"net.exe\" or ?process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or ?process.pe.original_file_name == \"net1.exe\") and not process.parent.name : \"net.exe\")\n ) and\n process.args : (\"group\", \"user\", \"localgroup\") and\n process.args : (\"*admin*\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\")\n and not process.args : (\"/add\", \"/delete\")\n ) or\n (\n (process.name : \"wmic.exe\" or ?process.pe.original_file_name == \"wmic.exe\") and\n process.args : (\"group\", \"useraccount\")\n )\n) and not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], 
"required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "871ea072-1b71-4def-b016-6278b505138d", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}, {"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": 
"Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "871ea072-1b71-4def-b016-6278b505138d_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_113.json b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_113.json deleted file mode 100644 index 10cef3d631d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_113.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Administrator Accounts", "note": "## Triage and analysis\n\n### Investigating Enumeration of Administrator Accounts\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups in the domain and local machine scope. Attackers can use this information to plan their next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- AdFind Command Activity - eda499b8-a073-4e35-9733-22ec71f57f3a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (\n (process.name : \"net.exe\" or ?process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or ?process.pe.original_file_name == \"net1.exe\") and not process.parent.name : \"net.exe\")\n ) and\n process.args : (\"group\", \"user\", \"localgroup\") and\n process.args : (\"*admin*\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\")\n and not process.args : (\"/add\", \"/delete\")\n ) or\n (\n (process.name : \"wmic.exe\" or ?process.pe.original_file_name == \"wmic.exe\") and\n process.args : (\"group\", \"useraccount\")\n )\n) and not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], 
"required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "871ea072-1b71-4def-b016-6278b505138d", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}, {"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": 
"T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "871ea072-1b71-4def-b016-6278b505138d_113", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_214.json b/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_214.json deleted file mode 100644 index dbf306a4f72..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/871ea072-1b71-4def-b016-6278b505138d_214.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances of lower privilege accounts enumerating Administrator accounts or groups using built-in Windows tools.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.forwarded*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Enumeration of Administrator Accounts", "note": "## Triage and analysis\n\n### Investigating Enumeration of Administrator Accounts\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups in the domain and local machine scope. Attackers can use this information to plan their next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- AdFind Command Activity - eda499b8-a073-4e35-9733-22ec71f57f3a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (\n (process.name : \"net.exe\" or ?process.pe.original_file_name == \"net.exe\") or\n ((process.name : \"net1.exe\" or ?process.pe.original_file_name == \"net1.exe\") and not process.parent.name : \"net.exe\")\n ) and\n process.args : (\"group\", \"user\", \"localgroup\") and\n process.args : (\"*admin*\", \"Domain Admins\", \"Remote Desktop Users\", \"Enterprise Admins\", \"Organization Management\")\n and not process.args : (\"/add\", \"/delete\")\n ) or\n (\n (process.name : \"wmic.exe\" or ?process.pe.original_file_name == \"wmic.exe\") and\n process.args : (\"group\", \"useraccount\")\n )\n) and not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, 
{"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "871ea072-1b71-4def-b016-6278b505138d", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}, {"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 214}, "id": "871ea072-1b71-4def-b016-6278b505138d_214", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/873b5452-074e-11ef-852e-f661ea17fbcc.json b/packages/security_detection_engine/kibana/security_rule/873b5452-074e-11ef-852e-f661ea17fbcc.json
deleted file mode 100644
index 5e29b4675f5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/873b5452-074e-11ef-852e-f661ea17fbcc.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a new SSH public key is uploaded to an AWS EC2 instance using the EC2 Instance Connect service. This action could indicate an adversary attempting to maintain access to the instance. The rule also detects the `SendSerialConsoleSSHPublicKey` API action, which could be used for privilege escalation if the serial console is enabled. Monitoring these activities helps ensure unauthorized access attempts are detected and mitigated promptly.", "false_positives": ["Administrators may upload SSH public keys to EC2 instances for legitimate purposes."], "from": "now-9m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Instance Connect SSH Public Key Uploaded", "note": "## Triage and Analysis\n\n### Investigating AWS EC2 Instance Connect SSH Public Key Uploaded\n\nThis rule detects when a new SSH public key is uploaded to an AWS EC2 instance using the EC2 Instance Connect service. Adversaries may upload SSH public keys to EC2 instances to maintain access to the instance. The rule also covers cases where the `SendSerialConsoleSSHPublicKey` API action is used to upload an SSH public key to a serial connection, which can be exploited for privilege escalation.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the SSH public key upload. 
Look for any unusual parameters that could suggest unauthorized or malicious modifications.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the SSH public key was uploaded. Changes during non-business hours or outside regular maintenance windows might require further scrutiny.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.\n- **Check for Serial Console Access**: If the `SendSerialConsoleSSHPublicKey` action was used, verify if the `ec2:EnableSerialConsoleAccess` permission was also used, which might indicate an attempt to enable and exploit the serial console.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the SSH public key upload aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the upload was successful and intended according to policy.\n\n### Response and Remediation:\n\n- **Immediate Review and Reversal if Necessary**: If the upload was unauthorized, remove the uploaded SSH public key from the EC2 instance and review the instance's access logs for any suspicious activity.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive instances or unusual file extensions.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning SSH key management and the risks of unauthorized key uploads.\n- **Audit EC2 Instance Policies and Permissions**: Conduct a comprehensive audit of all EC2 instance policies and associated permissions to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing EC2 instances and securing AWS environments, refer to the [AWS EC2 Instance Connect documentation](https://docs.aws.amazon.com/ec2-instance-connect/latest/APIReference/API_SendSSHPublicKey.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on SSH key management and privilege escalation techniques:\n- [Stratus Red Team - AWS EC2 Instance Connect](https://stratus-red-team.cloud/attack-techniques/AWS/aws.lateral-movement.ec2-instance-connect/)\n- [HackTricks - AWS EC2 Privilege Escalation](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc)\n- [AWS EC2 Instance Connect API Reference](https://docs.aws.amazon.com/ec2-instance-connect/latest/APIReference/API_SendSSHPublicKey.html)\n", "query": "event.dataset: aws.cloudtrail\n and event.provider: ec2-instance-connect.amazonaws.com\n and event.action: (SendSSHPublicKey or SendSerialConsoleSSHPublicKey)\n and event.outcome: success\n", "references": ["https://stratus-red-team.cloud/attack-techniques/AWS/aws.lateral-movement.ec2-instance-connect/", "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc", "https://medium.parttimepolymath.net/aws-ec2-instance-connect-a-very-neat-trick-4d2fc0c28010", "https://docs.aws.amazon.com/ec2-instance-connect/latest/APIReference/API_SendSSHPublicKey.html", "https://docs.aws.amazon.com/ec2-instance-connect/latest/APIReference/API_SendSerialConsoleSSHPublicKey.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "873b5452-074e-11ef-852e-f661ea17fbcc", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege 
Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.004", "name": "SSH Authorized Keys", "reference": "https://attack.mitre.org/techniques/T1098/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "873b5452-074e-11ef-852e-f661ea17fbcc", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4.json b/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4.json
deleted file mode 100644
index 677c1bce2e7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services.", "false_positives": ["EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. EventBridge Rules being deleted or disabled by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-20m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS EventBridge Rule Disabled or Deleted", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and\nevent.outcome:success\n", "references": ["https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html", "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "87594192-4539-4bc4-8543-23bc3d5bd2b4", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, 
"technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "87594192-4539-4bc4-8543-23bc3d5bd2b4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_102.json b/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_102.json deleted file mode 100644 index 5c3002bf026..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services.", "false_positives": ["EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. EventBridge Rules being deleted or disabled by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-20m", "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS EventBridge Rule Disabled or Deleted", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and\nevent.outcome:success\n", "references": ["https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html", "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "87594192-4539-4bc4-8543-23bc3d5bd2b4", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring", "Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, 
"technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "87594192-4539-4bc4-8543-23bc3d5bd2b4_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_103.json b/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_103.json deleted file mode 100644 index e6bd430ffa2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services.", "false_positives": ["EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. EventBridge Rules being deleted or disabled by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-20m", "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS EventBridge Rule Disabled or Deleted", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and\nevent.outcome:success\n", "references": ["https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html", "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "87594192-4539-4bc4-8543-23bc3d5bd2b4", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": 
"T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "87594192-4539-4bc4-8543-23bc3d5bd2b4_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_104.json b/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_104.json deleted file mode 100644 index aa1198319b7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services.", "false_positives": ["EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. EventBridge Rules being deleted or disabled by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-20m", "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS EventBridge Rule Disabled or Deleted", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and\nevent.outcome:success\n", "references": ["https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html", "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "87594192-4539-4bc4-8543-23bc3d5bd2b4", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": 
"T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "87594192-4539-4bc4-8543-23bc3d5bd2b4_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_205.json b/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_205.json deleted file mode 100644 index c5ff4141f22..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/87594192-4539-4bc4-8543-23bc3d5bd2b4_205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services.", "false_positives": ["EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. EventBridge Rules being deleted or disabled by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-20m", "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS EventBridge Rule Disabled or Deleted", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and\nevent.outcome:success\n", "references": ["https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DeleteRule.html", "https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "87594192-4539-4bc4-8543-23bc3d5bd2b4", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": 
"T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "87594192-4539-4bc4-8543-23bc3d5bd2b4_205", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82.json b/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82.json deleted file mode 100644 index ec825f03de4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process group leader. Adversaries may collect data stored in the clipboard from users copying information within or between applications.", "from": "now-119m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Potential Suspicious Clipboard Activity Detected", "new_terms_fields": ["host.id", "process.group_leader.executable"], "query": "event.category:process and host.os.type:\"linux\" and\nevent.type:\"start\" and event.action:(\"exec\" or \"exec_event\" or \"executed\" or \"process_started\") and\nprocess.name:(\"xclip\" or \"xsel\" or \"wl-clipboard\" or \"clipman\" or \"copyq\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "884e87cc-c67b-4c90-a4ed-e1e24a940c82", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1115", "name": "Clipboard Data", "reference": "https://attack.mitre.org/techniques/T1115/"}]}], "timestamp_override": 
"event.ingested", "type": "new_terms", "version": 4}, "id": "884e87cc-c67b-4c90-a4ed-e1e24a940c82", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_1.json b/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_1.json deleted file mode 100644 index 19a91515ab0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process group leader. Adversaries may collect data stored in the clipboard from users copying information within or between applications.", "from": "now-119m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Potential Suspicious Clipboard Activity Detected", "new_terms_fields": ["host.id", "process.group_leader.executable"], "query": "event.category:process and host.os.type:\"linux\" and event.action:\"exec\" and event.type:\"start\" and \nprocess.name:(\"xclip\" or \"xsel\" or \"wl-clipboard\" or \"clipman\" or \"copyq\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "884e87cc-c67b-4c90-a4ed-e1e24a940c82", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1115", "name": "Clipboard Data", "reference": "https://attack.mitre.org/techniques/T1115/"}]}], "type": "new_terms", "version": 1}, "id": "884e87cc-c67b-4c90-a4ed-e1e24a940c82_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_2.json b/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_2.json
deleted file mode 100644
index 179d20f0bde..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process group leader. Adversaries may collect data stored in the clipboard from users copying information within or between applications.", "from": "now-119m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Potential Suspicious Clipboard Activity Detected", "new_terms_fields": ["host.id", "process.group_leader.executable"], "query": "event.category:process and host.os.type:\"linux\" and event.action:\"exec\" and event.type:\"start\" and \nprocess.name:(\"xclip\" or \"xsel\" or \"wl-clipboard\" or \"clipman\" or \"copyq\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "884e87cc-c67b-4c90-a4ed-e1e24a940c82", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1115", "name": "Clipboard Data", "reference": "https://attack.mitre.org/techniques/T1115/"}]}], "type": "new_terms", "version": 2}, "id": "884e87cc-c67b-4c90-a4ed-e1e24a940c82_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_3.json b/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_3.json
deleted file mode 100644
index b0538fd7d1b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process group leader. Adversaries may collect data stored in the clipboard from users copying information within or between applications.", "from": "now-119m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Potential Suspicious Clipboard Activity Detected", "new_terms_fields": ["host.id", "process.group_leader.executable"], "query": "event.category:process and host.os.type:\"linux\" and event.action:\"exec\" and event.type:\"start\" and\nprocess.name:(\"xclip\" or \"xsel\" or \"wl-clipboard\" or \"clipman\" or \"copyq\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "884e87cc-c67b-4c90-a4ed-e1e24a940c82", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1115", "name": "Clipboard Data", "reference": "https://attack.mitre.org/techniques/T1115/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 3}, "id": "884e87cc-c67b-4c90-a4ed-e1e24a940c82_3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_4.json b/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_4.json
deleted file mode 100644
index 4c30f46fa86..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/884e87cc-c67b-4c90-a4ed-e1e24a940c82_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process group leader. Adversaries may collect data stored in the clipboard from users copying information within or between applications.", "from": "now-119m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Potential Suspicious Clipboard Activity Detected", "new_terms_fields": ["host.id", "process.group_leader.executable"], "query": "event.category:process and host.os.type:\"linux\" and\nevent.type:\"start\" and event.action:(\"exec\" or \"exec_event\" or \"executed\" or \"process_started\") and\nprocess.name:(\"xclip\" or \"xsel\" or \"wl-clipboard\" or \"clipman\" or \"copyq\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "884e87cc-c67b-4c90-a4ed-e1e24a940c82", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1115", "name": "Clipboard Data", "reference": "https://attack.mitre.org/techniques/T1115/"}]}], "timestamp_override": 
"event.ingested", "type": "new_terms", "version": 4}, "id": "884e87cc-c67b-4c90-a4ed-e1e24a940c82_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb.json b/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb.json deleted file mode 100644 index 33a0273de36..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.", "from": "now-25m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Global Administrator Role Assigned", "note": "", "query": "event.dataset:o365.audit and event.code:\"AzureActiveDirectory\" and event.action:\"Add member to role.\" and\no365.audit.ModifiedProperties.Role_DisplayName.NewValue:\"Global Administrator\"\n", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "o365.audit.ModifiedProperties.Role_DisplayName.NewValue", "type": "unknown"}], "risk_score": 47, "rule_id": "88671231-6626-4e1b-abb7-6e361a171fbb", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", 
"name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "88671231-6626-4e1b-abb7-6e361a171fbb", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_101.json b/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_101.json deleted file mode 100644 index 88f34876ea8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.", "from": "now-25m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Global Administrator Role Assigned", "note": "", "query": "event.dataset:o365.audit and event.code:\"AzureActiveDirectory\" and event.action:\"Add member to role.\" and\no365.audit.ModifiedProperties.Role_DisplayName.NewValue:\"Global Administrator\"\n", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "o365.audit.ModifiedProperties.Role_DisplayName.NewValue", "type": "unknown"}], "risk_score": 47, "rule_id": "88671231-6626-4e1b-abb7-6e361a171fbb", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": 
"Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "88671231-6626-4e1b-abb7-6e361a171fbb_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_102.json b/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_102.json deleted file mode 100644 index b590cbeaac6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.", "from": "now-25m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Global Administrator Role Assigned", "note": "", "query": "event.dataset:o365.audit and event.code:\"AzureActiveDirectory\" and event.action:\"Add member to role.\" and\no365.audit.ModifiedProperties.Role_DisplayName.NewValue:\"Global Administrator\"\n", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "o365.audit.ModifiedProperties.Role_DisplayName.NewValue", "type": "unknown"}], "risk_score": 47, "rule_id": "88671231-6626-4e1b-abb7-6e361a171fbb", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", 
"name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "88671231-6626-4e1b-abb7-6e361a171fbb_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_103.json b/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_103.json
deleted file mode 100644
index 2374ac85b32..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.", "from": "now-25m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Global Administrator Role Assigned", "note": "", "query": "event.dataset:o365.audit and event.code:\"AzureActiveDirectory\" and event.action:\"Add member to role.\" and\no365.audit.ModifiedProperties.Role_DisplayName.NewValue:\"Global Administrator\"\n", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "o365.audit.ModifiedProperties.Role_DisplayName.NewValue", "type": "unknown"}], "risk_score": 47, "rule_id": "88671231-6626-4e1b-abb7-6e361a171fbb", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", 
"name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "88671231-6626-4e1b-abb7-6e361a171fbb_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_105.json b/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_105.json
deleted file mode 100644
index 6058b3f8b06..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/88671231-6626-4e1b-abb7-6e361a171fbb_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources.", "from": "now-25m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Global Administrator Role Assigned", "note": "", "query": "event.dataset:o365.audit and event.code:\"AzureActiveDirectory\" and event.action:\"Add member to role.\" and\no365.audit.ModifiedProperties.Role_DisplayName.NewValue:\"Global Administrator\"\n", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "o365.audit.ModifiedProperties.Role_DisplayName.NewValue", "type": "unknown"}], "risk_score": 47, "rule_id": "88671231-6626-4e1b-abb7-6e361a171fbb", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", 
"name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "88671231-6626-4e1b-abb7-6e361a171fbb_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a.json b/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a.json
deleted file mode 100644
index 8c3816192b7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Sublime Plugin or Application Script Modification", "query": "file where host.os.type == \"macos\" and event.type in (\"change\", \"creation\") and file.extension : \"py\" and\n file.path :\n (\n \"/Users/*/Library/Application Support/Sublime Text*/Packages/*.py\",\n \"/Applications/Sublime Text.app/Contents/MacOS/sublime.py\"\n ) and\n not process.executable :\n (\n \"/Applications/Sublime Text*.app/Contents/*\",\n \"/usr/local/Cellar/git/*/bin/git\",\n \"/Library/Developer/CommandLineTools/usr/bin/git\",\n \"/usr/libexec/xpcproxy\",\n \"/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper\"\n )\n", "references": ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "88817a33-60d3-411f-ba79-7c905d865b2a", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Host Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "88817a33-60d3-411f-ba79-7c905d865b2a", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_102.json b/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_102.json
deleted file mode 100644
index 252a430a34c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Sublime Plugin or Application Script Modification", "note": "", "query": "file where host.os.type == \"macos\" and event.type in (\"change\", \"creation\") and file.extension : \"py\" and\n file.path :\n (\n \"/Users/*/Library/Application Support/Sublime Text*/Packages/*.py\",\n \"/Applications/Sublime Text.app/Contents/MacOS/sublime.py\"\n ) and\n not process.executable :\n (\n \"/Applications/Sublime Text*.app/Contents/*\",\n \"/usr/local/Cellar/git/*/bin/git\",\n \"/Library/Developer/CommandLineTools/usr/bin/git\",\n \"/usr/libexec/xpcproxy\",\n \"/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper\"\n )\n", "references": ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "88817a33-60d3-411f-ba79-7c905d865b2a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "88817a33-60d3-411f-ba79-7c905d865b2a_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_103.json b/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_103.json
deleted file mode 100644
index 06a0a231ed3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Sublime Plugin or Application Script Modification", "note": "", "query": "file where host.os.type == \"macos\" and event.type in (\"change\", \"creation\") and file.extension : \"py\" and\n file.path :\n (\n \"/Users/*/Library/Application Support/Sublime Text*/Packages/*.py\",\n \"/Applications/Sublime Text.app/Contents/MacOS/sublime.py\"\n ) and\n not process.executable :\n (\n \"/Applications/Sublime Text*.app/Contents/*\",\n \"/usr/local/Cellar/git/*/bin/git\",\n \"/Library/Developer/CommandLineTools/usr/bin/git\",\n \"/usr/libexec/xpcproxy\",\n \"/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper\"\n )\n", "references": ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "88817a33-60d3-411f-ba79-7c905d865b2a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "88817a33-60d3-411f-ba79-7c905d865b2a_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_104.json b/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_104.json
deleted file mode 100644
index 0bb135a116d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Sublime Plugin or Application Script Modification", "note": "", "query": "file where host.os.type == \"macos\" and event.type in (\"change\", \"creation\") and file.extension : \"py\" and\n file.path :\n (\n \"/Users/*/Library/Application Support/Sublime Text*/Packages/*.py\",\n \"/Applications/Sublime Text.app/Contents/MacOS/sublime.py\"\n ) and\n not process.executable :\n (\n \"/Applications/Sublime Text*.app/Contents/*\",\n \"/usr/local/Cellar/git/*/bin/git\",\n \"/Library/Developer/CommandLineTools/usr/bin/git\",\n \"/usr/libexec/xpcproxy\",\n \"/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper\"\n )\n", "references": ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "88817a33-60d3-411f-ba79-7c905d865b2a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: 
Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "88817a33-60d3-411f-ba79-7c905d865b2a_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_105.json b/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_105.json
deleted file mode 100644
index e062760c712..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Sublime Plugin or Application Script Modification", "query": "file where host.os.type == \"macos\" and event.type in (\"change\", \"creation\") and file.extension : \"py\" and\n file.path :\n (\n \"/Users/*/Library/Application Support/Sublime Text*/Packages/*.py\",\n \"/Applications/Sublime Text.app/Contents/MacOS/sublime.py\"\n ) and\n not process.executable :\n (\n \"/Applications/Sublime Text*.app/Contents/*\",\n \"/usr/local/Cellar/git/*/bin/git\",\n \"/Library/Developer/CommandLineTools/usr/bin/git\",\n \"/usr/libexec/xpcproxy\",\n \"/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper\"\n )\n", "references": ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "88817a33-60d3-411f-ba79-7c905d865b2a", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "88817a33-60d3-411f-ba79-7c905d865b2a_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_106.json b/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_106.json
deleted file mode 100644
index dfca6acc5ce..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Sublime Plugin or Application Script Modification", "query": "file where host.os.type == \"macos\" and event.type in (\"change\", \"creation\") and file.extension : \"py\" and\n file.path :\n (\n \"/Users/*/Library/Application Support/Sublime Text*/Packages/*.py\",\n \"/Applications/Sublime Text.app/Contents/MacOS/sublime.py\"\n ) and\n not process.executable :\n (\n \"/Applications/Sublime Text*.app/Contents/*\",\n \"/usr/local/Cellar/git/*/bin/git\",\n \"/Library/Developer/CommandLineTools/usr/bin/git\",\n \"/usr/libexec/xpcproxy\",\n \"/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper\"\n )\n", "references": ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "88817a33-60d3-411f-ba79-7c905d865b2a", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "88817a33-60d3-411f-ba79-7c905d865b2a_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_107.json b/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_107.json
deleted file mode 100644
index 245b1b840c3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/88817a33-60d3-411f-ba79-7c905d865b2a_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Sublime Plugin or Application Script Modification", "query": "file where host.os.type == \"macos\" and event.type in (\"change\", \"creation\") and file.extension : \"py\" and\n file.path :\n (\n \"/Users/*/Library/Application Support/Sublime Text*/Packages/*.py\",\n \"/Applications/Sublime Text.app/Contents/MacOS/sublime.py\"\n ) and\n not process.executable :\n (\n \"/Applications/Sublime Text*.app/Contents/*\",\n \"/usr/local/Cellar/git/*/bin/git\",\n \"/Library/Developer/CommandLineTools/usr/bin/git\",\n \"/usr/libexec/xpcproxy\",\n \"/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper\"\n )\n", "references": ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "88817a33-60d3-411f-ba79-7c905d865b2a", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "88817a33-60d3-411f-ba79-7c905d865b2a_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce.json b/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce.json
deleted file mode 100644
index 4703f5cb62a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or enable persistence onto the system every time the sudo binary is executed.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Sudo Hijacking", "query": "file where host.os.type == \"linux\" and event.action in (\"creation\", \"rename\") and\nfile.path in (\"/usr/bin/sudo\", \"/bin/sudo\") and not (\n file.Ext.original.path in (\"/usr/bin/sudo\", \"/bin/sudo\") or\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\", \"/bin/dnf\", \"/usr/bin/dnf\",\n \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\", \"/bin/pacman\", \"/usr/bin/pacman\",\n \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\", \"/usr/local/sbin/apk\", \"/usr/bin/apt\",\n \"/usr/sbin/pacman\", \"/usr/bin/microdnf\", \"/usr/local/bin/dockerd\", \"/usr/local/bin/podman\", \"/usr/local/bin/dnf\",\n \"/kaniko/executor\", \"/proc/self/exe\", \"/usr/bin/apt-get\", \"/usr/bin/apt-cache\", \"/usr/bin/apt-mark\"\n ) or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/var/lib/docker/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\")\n)\n", "references": ["https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": 
"event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": false, "name": "file.Ext.original.path", "type": "unknown"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "88fdcb8c-60e5-46ee-9206-2663adf1b1ce", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "88fdcb8c-60e5-46ee-9206-2663adf1b1ce", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_1.json b/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_1.json
deleted file mode 100644
index 58e01a097c8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or enable persistence onto the system every time the sudo binary is executed.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Sudo Hijacking Detected", "query": "file where event.type in (\"creation\", \"file_create_event\") and file.path == \"/usr/bin/sudo\"\n", "references": ["https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}], "risk_score": 47, "rule_id": "88fdcb8c-60e5-46ee-9206-2663adf1b1ce", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "88fdcb8c-60e5-46ee-9206-2663adf1b1ce_1", 
"type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_103.json b/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_103.json
deleted file mode 100644
index 818596ab0f5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or enable persistence onto the system every time the sudo binary is executed.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Sudo Hijacking Detected", "new_terms_fields": ["host.id", "user.id", "process.executable"], "query": "host.os.type:linux and event.category:file and event.type:(\"creation\" or \"file_create_event\") and\nfile.path:(\"/usr/bin/sudo\" or \"/bin/sudo\") and not process.name:(docker or dockerd)\n", "references": ["https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "88fdcb8c-60e5-46ee-9206-2663adf1b1ce", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 103}, "id": "88fdcb8c-60e5-46ee-9206-2663adf1b1ce_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_104.json b/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_104.json
deleted file mode 100644
index fffc279034e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or enable persistence onto the system every time the sudo binary is executed.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Sudo Hijacking Detected", "new_terms_fields": ["host.id", "user.id", "process.executable"], "query": "host.os.type:linux and event.category:file and event.type:(\"creation\" or \"file_create_event\") and\nfile.path:(\"/usr/bin/sudo\" or \"/bin/sudo\") and not process.name:(docker or dockerd)\n", "references": ["https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "88fdcb8c-60e5-46ee-9206-2663adf1b1ce", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 104}, "id": "88fdcb8c-60e5-46ee-9206-2663adf1b1ce_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_105.json b/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_105.json
deleted file mode 100644
index 99e259ae7d5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or enable persistence onto the system every time the sudo binary is executed.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Sudo Hijacking Detected", "new_terms_fields": ["host.id", "user.id", "process.executable"], "query": "host.os.type:linux and event.category:file and event.type:(\"creation\" or \"file_create_event\") and\nfile.path:(\"/usr/bin/sudo\" or \"/bin/sudo\") and not process.name:(docker or dockerd or pacman)\n", "references": ["https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "88fdcb8c-60e5-46ee-9206-2663adf1b1ce", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 105}, "id": "88fdcb8c-60e5-46ee-9206-2663adf1b1ce_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_106.json b/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_106.json
deleted file mode 100644
index a6c5da3c112..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or enable persistence onto the system every time the sudo binary is executed.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Sudo Hijacking", "query": "file where host.os.type == \"linux\" and event.action in (\"creation\", \"rename\") and\nfile.path in (\"/usr/bin/sudo\", \"/bin/sudo\") and not (\n file.Ext.original.path in (\"/usr/bin/sudo\", \"/bin/sudo\") or\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\", \"/bin/dnf\", \"/usr/bin/dnf\",\n \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\", \"/bin/pacman\", \"/usr/bin/pacman\",\n \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\", \"/usr/local/sbin/apk\", \"/usr/bin/apt\",\n \"/usr/sbin/pacman\", \"/usr/bin/microdnf\", \"/usr/local/bin/dockerd\", \"/usr/local/bin/podman\", \"/usr/local/bin/dnf\",\n \"/kaniko/executor\", \"/proc/self/exe\", \"/usr/bin/apt-get\", \"/usr/bin/apt-cache\", \"/usr/bin/apt-mark\"\n ) or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/var/lib/docker/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\")\n)\n", "references": ["https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": 
"event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": false, "name": "file.Ext.original.path", "type": "unknown"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "88fdcb8c-60e5-46ee-9206-2663adf1b1ce", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "88fdcb8c-60e5-46ee-9206-2663adf1b1ce_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_2.json b/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_2.json
deleted file mode 100644
index 72773fce1e7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/88fdcb8c-60e5-46ee-9206-2663adf1b1ce_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a sudo binary located at /usr/bin/sudo. Attackers may hijack the default sudo binary and replace it with a custom binary or script that can read the user's password in clear text to escalate privileges or enable persistence onto the system every time the sudo binary is executed.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Sudo Hijacking Detected", "query": "file where event.type in (\"creation\", \"file_create_event\") and file.path == \"/usr/bin/sudo\"\n", "references": ["https://eapolsniper.github.io/2020/08/17/Sudo-Hijacking/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}], "risk_score": 47, "rule_id": "88fdcb8c-60e5-46ee-9206-2663adf1b1ce", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": 
"88fdcb8c-60e5-46ee-9206-2663adf1b1ce_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d.json b/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d.json
deleted file mode 100644
index 861caf8da1f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WMI Image Load from MS Office", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (?dll.name : \"wmiutils.dll\" or file.name : \"wmiutils.dll\")\n", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_103.json b/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_103.json deleted file mode 100644 index a6c8b3e1114..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WMI Image Load from MS Office", "note": "", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (dll.name : \"wmiutils.dll\" or file.name : \"wmiutils.dll\")\n", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": 
["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_104.json b/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_104.json deleted file mode 100644 index cd41fa7f2bd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WMI Image Load from MS Office", "note": "", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (dll.name : \"wmiutils.dll\" or file.name : \"wmiutils.dll\")\n", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": 
["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_105.json b/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_105.json deleted file mode 100644 index 40fcaa566fe..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WMI Image Load from MS Office", "note": "", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (dll.name : \"wmiutils.dll\" or file.name : \"wmiutils.dll\")\n", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": 
["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_106.json b/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_106.json deleted file mode 100644 index cf8a3968998..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WMI Image Load from MS Office", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (dll.name : \"wmiutils.dll\" or file.name : \"wmiutils.dll\")\n", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor 
more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_107.json b/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_107.json deleted file mode 100644 index e5b1f78b556..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WMI Image Load from MS Office", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (?dll.name : \"wmiutils.dll\" or file.name : \"wmiutils.dll\")\n", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_108.json b/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_108.json deleted file mode 100644 index ded214b87c5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/891cb88e-441a-4c3e-be2d-120d99fe7b0d_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from Microsoft Office products.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WMI Image Load from MS Office", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (?dll.name : \"wmiutils.dll\" or file.name : \"wmiutils.dll\")\n", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "891cb88e-441a-4c3e-be2d-120d99fe7b0d_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/894326d2-56c0-4342-b553-4abfaf421b5b.json b/packages/security_detection_engine/kibana/security_rule/894326d2-56c0-4342-b553-4abfaf421b5b.json deleted file mode 100644 index 6996f0e3807..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/894326d2-56c0-4342-b553-4abfaf421b5b.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a DNS record that is potentially meant to enable WPAD spoofing. Attackers can disable the Global Query Block List (GQBL) and create a \"wpad\" record to exploit hosts running WPAD with default settings for privilege escalation and lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential WPAD Spoofing via DNS Record Creation", "query": "any where host.os.type == \"windows\" and event.action in (\"Directory Service Changes\", \"directory-service-object-modified\") and\n event.code == \"5137\" and winlog.event_data.ObjectDN : \"DC=wpad,*\"\n", "references": ["https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing#through-adidns-spoofing", "https://cube0x0.github.io/Pocing-Beyond-DA/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ObjectDN", "type": "unknown"}], "risk_score": 47, "rule_id": "894326d2-56c0-4342-b553-4abfaf421b5b", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using 
https://github.com/OTRF/Set-AuditRule.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1557", "name": "Adversary-in-the-Middle", "reference": "https://attack.mitre.org/techniques/T1557/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "894326d2-56c0-4342-b553-4abfaf421b5b", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/894326d2-56c0-4342-b553-4abfaf421b5b_1.json b/packages/security_detection_engine/kibana/security_rule/894326d2-56c0-4342-b553-4abfaf421b5b_1.json deleted file mode 100644 index 2d44b92bc28..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/894326d2-56c0-4342-b553-4abfaf421b5b_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a DNS record that is potentially meant to enable WPAD spoofing. Attackers can disable the Global Query Block List (GQBL) and create a \"wpad\" record to exploit hosts running WPAD with default settings for privilege escalation and lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential WPAD Spoofing via DNS Record Creation", "query": "any where host.os.type == \"windows\" and event.action == \"Directory Service Changes\" and\n event.code == \"5137\" and winlog.event_data.ObjectDN : \"DC=wpad,*\"\n", "references": ["https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing#through-adidns-spoofing", "https://cube0x0.github.io/Pocing-Beyond-DA/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ObjectDN", "type": "unknown"}], "risk_score": 47, "rule_id": "894326d2-56c0-4342-b553-4abfaf421b5b", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\n\n```\nSet-AuditRule -AdObjectPath 
'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1557", "name": "Adversary-in-the-Middle", "reference": "https://attack.mitre.org/techniques/T1557/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "894326d2-56c0-4342-b553-4abfaf421b5b_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/894326d2-56c0-4342-b553-4abfaf421b5b_2.json b/packages/security_detection_engine/kibana/security_rule/894326d2-56c0-4342-b553-4abfaf421b5b_2.json deleted file mode 100644 index a96cdec0d8e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/894326d2-56c0-4342-b553-4abfaf421b5b_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a DNS record that is potentially meant to enable WPAD spoofing. Attackers can disable the Global Query Block List (GQBL) and create a \"wpad\" record to exploit hosts running WPAD with default settings for privilege escalation and lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential WPAD Spoofing via DNS Record Creation", "query": "any where host.os.type == \"windows\" and event.action in (\"Directory Service Changes\", \"directory-service-object-modified\") and\n event.code == \"5137\" and winlog.event_data.ObjectDN : \"DC=wpad,*\"\n", "references": ["https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing#through-adidns-spoofing", "https://cube0x0.github.io/Pocing-Beyond-DA/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ObjectDN", "type": "unknown"}], "risk_score": 47, "rule_id": "894326d2-56c0-4342-b553-4abfaf421b5b", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using 
https://github.com/OTRF/Set-AuditRule.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1557", "name": "Adversary-in-the-Middle", "reference": "https://attack.mitre.org/techniques/T1557/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "894326d2-56c0-4342-b553-4abfaf421b5b_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/894326d2-56c0-4342-b553-4abfaf421b5b_3.json b/packages/security_detection_engine/kibana/security_rule/894326d2-56c0-4342-b553-4abfaf421b5b_3.json deleted file mode 100644 index 86e192d0033..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/894326d2-56c0-4342-b553-4abfaf421b5b_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a DNS record that is potentially meant to enable WPAD spoofing. Attackers can disable the Global Query Block List (GQBL) and create a \"wpad\" record to exploit hosts running WPAD with default settings for privilege escalation and lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential WPAD Spoofing via DNS Record Creation", "query": "any where host.os.type == \"windows\" and event.action in (\"Directory Service Changes\", \"directory-service-object-modified\") and\n event.code == \"5137\" and winlog.event_data.ObjectDN : \"DC=wpad,*\"\n", "references": ["https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing#through-adidns-spoofing", "https://cube0x0.github.io/Pocing-Beyond-DA/"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ObjectDN", "type": "unknown"}], "risk_score": 47, "rule_id": "894326d2-56c0-4342-b553-4abfaf421b5b", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using 
https://github.com/OTRF/Set-AuditRule.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1557", "name": "Adversary-in-the-Middle", "reference": "https://attack.mitre.org/techniques/T1557/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "894326d2-56c0-4342-b553-4abfaf421b5b_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782.json b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782.json
deleted file mode 100644
index 7ab96b5c1dd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.", "false_positives": ["HTTP traffic on a non standard port. Verify that the destination IP address is not related to a Domain Controller."], "from": "now-9m", "index": ["logs-endpoint.events.network-*"], "language": "eql", "license": "Elastic License v2", "name": "Kerberos Traffic from Unusual Process", "note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for client/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and event.type == \"start\" and network.direction == \"egress\" and\n destination.port == 88 and source.port >= 49152 and process.pid != 4 and destination.address : \"*\" and\n not \n (\n process.executable : (\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap\\\\nmap.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap oem\\\\nmap.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\windows\\\\system32\\\\lsass.exe\",\n \"?:\\\\Program Files\\\\Amazon Corretto\\\\jdk1*\\\\bin\\\\java.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Proxy Server\\\\bin\\\\prunsrv.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Core\\\\tomcat-core\\\\bin\\\\tomcat9.exe\",\n \"?:\\\\Program Files\\\\DBeaver\\\\dbeaver.exe\",\n \"?:\\\\Program 
Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.backend.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.vpnkit.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\vpnkit.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files\\\\JetBrains\\\\PyCharm Community Edition*\\\\bin\\\\pycharm64.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files\\\\Oracle\\\\VirtualBox\\\\VirtualBoxVM.exe\",\n \"?:\\\\Program Files\\\\Puppet Labs\\\\Puppet\\\\puppet\\\\bin\\\\ruby.exe\",\n \"?:\\\\Program Files\\\\rapid7\\\\nexpose\\\\nse\\\\.DLLCACHE\\\\nseserv.exe\",\n \"?:\\\\Program Files\\\\Silverfort\\\\Silverfort AD Adapter\\\\SilverfortServer.exe\",\n \"?:\\\\Program Files\\\\Tenable\\\\Nessus\\\\nessusd.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware View\\\\Server\\\\bin\\\\ws_TomcatService.exe\",\n \"?:\\\\Program Files (x86)\\\\Advanced Port Scanner\\\\advanced_port_scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcpatchscan.exe\",\n \"?:\\\\Program Files (x86)\\\\GFI\\\\LanGuard 12 Agent\\\\lnsscomm.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\sllauncher.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap OEM\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\nwps\\\\NetScanTools Pro\\\\NSTPRO.exe\",\n \"?:\\\\Program Files (x86)\\\\SAP BusinessObjects\\\\tomcat\\\\bin\\\\tomcat9.exe\",\n \"?:\\\\Program Files (x86)\\\\SuperScan\\\\scanner.exe\",\n \"?:\\\\Program 
Files (x86)\\\\Zscaler\\\\ZSATunnel\\\\ZSATunnel.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\vmnat.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\",\n \"System\"\n ) and process.code_signature.trusted == true\n ) and\n destination.address != \"127.0.0.1\" and destination.address != \"::1\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.address", "type": "keyword"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": 
"https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "897dc6b5-b39f-432a-8d75-d3730d50c782", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_104.json b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_104.json deleted file mode 100644 index 22952fc2c2a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.", "false_positives": ["HTTP traffic on a non standard port. Verify that the destination IP address is not related to a Domain Controller."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Kerberos Traffic from Unusual Process", "note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for client/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. 
HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "network where host.os.type == \"windows\" and event.type == \"start\" and network.direction : (\"outgoing\", \"egress\") and\n destination.port == 88 and source.port >= 49152 and process.pid != 4 and \n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"System\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files\\\\Puppet Labs\\\\Puppet\\\\puppet\\\\bin\\\\ruby.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\windows\\\\system32\\\\lsass.exe\",\n \"?:\\\\Program Files\\\\rapid7\\\\nexpose\\\\nse\\\\.DLLCACHE\\\\nseserv.exe\",\n \"?:\\\\Program Files (x86)\\\\GFI\\\\LanGuard 12 Agent\\\\lnsscomm.exe\",\n \"?:\\\\Program Files (x86)\\\\SuperScan\\\\scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Tenable\\\\Nessus\\\\nessusd.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\vpnkit.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.vpnkit.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware View\\\\Server\\\\bin\\\\ws_TomcatService.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcpatchscan.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap oem\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap OEM\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Zscaler\\\\ZSATunnel\\\\ZSATunnel.exe\",\n \"?:\\\\Program Files\\\\JetBrains\\\\PyCharm Community Edition*\\\\bin\\\\pycharm64.exe\",\n \"?:\\\\Program Files (x86)\\\\Advanced Port 
Scanner\\\\advanced_port_scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\nwps\\\\NetScanTools Pro\\\\NSTPRO.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Proxy Server\\\\bin\\\\prunsrv.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\sllauncher.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\", \n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\", \n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\"\n ) and\n destination.address != \"127.0.0.1\" and destination.address != \"::1\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.address", "type": "keyword"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for 
this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "897dc6b5-b39f-432a-8d75-d3730d50c782_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_105.json b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_105.json
deleted file mode 100644
index 0b030972e7b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.", "false_positives": ["HTTP traffic on a non standard port. Verify that the destination IP address is not related to a Domain Controller."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Kerberos Traffic from Unusual Process", "note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for client/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "network where host.os.type == \"windows\" and event.type == \"start\" and network.direction : (\"outgoing\", \"egress\") and\n destination.port == 88 and source.port >= 49152 and process.pid != 4 and \n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"System\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files\\\\Puppet Labs\\\\Puppet\\\\puppet\\\\bin\\\\ruby.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\windows\\\\system32\\\\lsass.exe\",\n \"?:\\\\Program Files\\\\rapid7\\\\nexpose\\\\nse\\\\.DLLCACHE\\\\nseserv.exe\",\n \"?:\\\\Program Files (x86)\\\\GFI\\\\LanGuard 12 Agent\\\\lnsscomm.exe\",\n \"?:\\\\Program Files (x86)\\\\SuperScan\\\\scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Tenable\\\\Nessus\\\\nessusd.exe\",\n 
\"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\vpnkit.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.vpnkit.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware View\\\\Server\\\\bin\\\\ws_TomcatService.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcpatchscan.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap oem\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap OEM\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Zscaler\\\\ZSATunnel\\\\ZSATunnel.exe\",\n \"?:\\\\Program Files\\\\JetBrains\\\\PyCharm Community Edition*\\\\bin\\\\pycharm64.exe\",\n \"?:\\\\Program Files (x86)\\\\Advanced Port Scanner\\\\advanced_port_scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\nwps\\\\NetScanTools Pro\\\\NSTPRO.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Proxy Server\\\\bin\\\\prunsrv.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\sllauncher.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\", \n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\", \n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\"\n ) and\n destination.address != \"127.0.0.1\" and destination.address != \"::1\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.address", "type": 
"keyword"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "897dc6b5-b39f-432a-8d75-d3730d50c782_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_106.json b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_106.json deleted file mode 100644 index d058f12fc5f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.", "false_positives": ["HTTP traffic on a non standard port. Verify that the destination IP address is not related to a Domain Controller."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Kerberos Traffic from Unusual Process", "note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for client/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "network where host.os.type == \"windows\" and event.type == \"start\" and network.direction : (\"outgoing\", \"egress\") and\n destination.port == 88 and source.port >= 49152 and process.pid != 4 and \n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"System\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files\\\\Puppet Labs\\\\Puppet\\\\puppet\\\\bin\\\\ruby.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\windows\\\\system32\\\\lsass.exe\",\n \"?:\\\\Program Files\\\\rapid7\\\\nexpose\\\\nse\\\\.DLLCACHE\\\\nseserv.exe\",\n \"?:\\\\Program Files (x86)\\\\GFI\\\\LanGuard 12 Agent\\\\lnsscomm.exe\",\n \"?:\\\\Program Files (x86)\\\\SuperScan\\\\scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Tenable\\\\Nessus\\\\nessusd.exe\",\n 
\"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\vpnkit.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.vpnkit.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware View\\\\Server\\\\bin\\\\ws_TomcatService.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcpatchscan.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap oem\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap OEM\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Zscaler\\\\ZSATunnel\\\\ZSATunnel.exe\",\n \"?:\\\\Program Files\\\\JetBrains\\\\PyCharm Community Edition*\\\\bin\\\\pycharm64.exe\",\n \"?:\\\\Program Files (x86)\\\\Advanced Port Scanner\\\\advanced_port_scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\nwps\\\\NetScanTools Pro\\\\NSTPRO.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Proxy Server\\\\bin\\\\prunsrv.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\sllauncher.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\", \n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\", \n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\"\n ) and\n destination.address != \"127.0.0.1\" and destination.address != \"::1\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.address", "type": 
"keyword"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "897dc6b5-b39f-432a-8d75-d3730d50c782_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_107.json b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_107.json deleted file mode 100644 index bb8571a7c95..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.", "false_positives": ["HTTP traffic on a non standard port. Verify that the destination IP address is not related to a Domain Controller."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Kerberos Traffic from Unusual Process", "note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for client/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "network where host.os.type == \"windows\" and event.type == \"start\" and network.direction : (\"outgoing\", \"egress\") and\n destination.port == 88 and source.port >= 49152 and process.pid != 4 and \n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"System\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files\\\\Puppet Labs\\\\Puppet\\\\puppet\\\\bin\\\\ruby.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\windows\\\\system32\\\\lsass.exe\",\n \"?:\\\\Program Files\\\\rapid7\\\\nexpose\\\\nse\\\\.DLLCACHE\\\\nseserv.exe\",\n \"?:\\\\Program Files (x86)\\\\GFI\\\\LanGuard 12 Agent\\\\lnsscomm.exe\",\n \"?:\\\\Program Files (x86)\\\\SuperScan\\\\scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Tenable\\\\Nessus\\\\nessusd.exe\",\n 
\"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\vpnkit.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.vpnkit.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware View\\\\Server\\\\bin\\\\ws_TomcatService.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcpatchscan.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap oem\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap OEM\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Zscaler\\\\ZSATunnel\\\\ZSATunnel.exe\",\n \"?:\\\\Program Files\\\\JetBrains\\\\PyCharm Community Edition*\\\\bin\\\\pycharm64.exe\",\n \"?:\\\\Program Files (x86)\\\\Advanced Port Scanner\\\\advanced_port_scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\nwps\\\\NetScanTools Pro\\\\NSTPRO.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Proxy Server\\\\bin\\\\prunsrv.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\sllauncher.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\", \n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\", \n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\"\n ) and\n destination.address != \"127.0.0.1\" and destination.address != \"::1\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.address", "type": 
"keyword"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "897dc6b5-b39f-432a-8d75-d3730d50c782_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_108.json b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_108.json deleted file mode 100644 index 38aa00bdf8c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.", "false_positives": ["HTTP traffic on a non standard port. Verify that the destination IP address is not related to a Domain Controller."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Kerberos Traffic from Unusual Process", "note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for client/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "network where host.os.type == \"windows\" and event.type == \"start\" and network.direction == \"egress\" and\n destination.port == 88 and source.port >= 49152 and process.pid != 4 and destination.address : \"*\" and\n not \n (\n process.executable : (\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap\\\\nmap.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap oem\\\\nmap.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\windows\\\\system32\\\\lsass.exe\",\n \"?:\\\\Program Files\\\\Amazon Corretto\\\\jdk1*\\\\bin\\\\java.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Proxy Server\\\\bin\\\\prunsrv.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Core\\\\tomcat-core\\\\bin\\\\tomcat9.exe\",\n \"?:\\\\Program Files\\\\DBeaver\\\\dbeaver.exe\",\n \"?:\\\\Program 
Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.backend.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.vpnkit.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\vpnkit.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files\\\\JetBrains\\\\PyCharm Community Edition*\\\\bin\\\\pycharm64.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files\\\\Oracle\\\\VirtualBox\\\\VirtualBoxVM.exe\",\n \"?:\\\\Program Files\\\\Puppet Labs\\\\Puppet\\\\puppet\\\\bin\\\\ruby.exe\",\n \"?:\\\\Program Files\\\\rapid7\\\\nexpose\\\\nse\\\\.DLLCACHE\\\\nseserv.exe\",\n \"?:\\\\Program Files\\\\Silverfort\\\\Silverfort AD Adapter\\\\SilverfortServer.exe\",\n \"?:\\\\Program Files\\\\Tenable\\\\Nessus\\\\nessusd.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware View\\\\Server\\\\bin\\\\ws_TomcatService.exe\",\n \"?:\\\\Program Files (x86)\\\\Advanced Port Scanner\\\\advanced_port_scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcpatchscan.exe\",\n \"?:\\\\Program Files (x86)\\\\GFI\\\\LanGuard 12 Agent\\\\lnsscomm.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\sllauncher.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap OEM\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\nwps\\\\NetScanTools Pro\\\\NSTPRO.exe\",\n \"?:\\\\Program Files (x86)\\\\SAP BusinessObjects\\\\tomcat\\\\bin\\\\tomcat9.exe\",\n \"?:\\\\Program Files (x86)\\\\SuperScan\\\\scanner.exe\",\n \"?:\\\\Program 
Files (x86)\\\\Zscaler\\\\ZSATunnel\\\\ZSATunnel.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\vmnat.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\",\n \"System\"\n ) and process.code_signature.trusted == true\n ) and\n destination.address != \"127.0.0.1\" and destination.address != \"::1\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.address", "type": "keyword"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": 
"https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "897dc6b5-b39f-432a-8d75-d3730d50c782_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_109.json b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_109.json deleted file mode 100644 index 97d20e6bf80..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_109.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.", "false_positives": ["HTTP traffic on a non standard port. Verify that the destination IP address is not related to a Domain Controller."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Kerberos Traffic from Unusual Process", "note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for client/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and event.type == \"start\" and network.direction == \"egress\" and\n destination.port == 88 and source.port >= 49152 and process.pid != 4 and destination.address : \"*\" and\n not \n (\n process.executable : (\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap\\\\nmap.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap oem\\\\nmap.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\windows\\\\system32\\\\lsass.exe\",\n \"?:\\\\Program Files\\\\Amazon Corretto\\\\jdk1*\\\\bin\\\\java.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Proxy Server\\\\bin\\\\prunsrv.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Core\\\\tomcat-core\\\\bin\\\\tomcat9.exe\",\n \"?:\\\\Program Files\\\\DBeaver\\\\dbeaver.exe\",\n \"?:\\\\Program 
Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.backend.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.vpnkit.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\vpnkit.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files\\\\JetBrains\\\\PyCharm Community Edition*\\\\bin\\\\pycharm64.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files\\\\Oracle\\\\VirtualBox\\\\VirtualBoxVM.exe\",\n \"?:\\\\Program Files\\\\Puppet Labs\\\\Puppet\\\\puppet\\\\bin\\\\ruby.exe\",\n \"?:\\\\Program Files\\\\rapid7\\\\nexpose\\\\nse\\\\.DLLCACHE\\\\nseserv.exe\",\n \"?:\\\\Program Files\\\\Silverfort\\\\Silverfort AD Adapter\\\\SilverfortServer.exe\",\n \"?:\\\\Program Files\\\\Tenable\\\\Nessus\\\\nessusd.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware View\\\\Server\\\\bin\\\\ws_TomcatService.exe\",\n \"?:\\\\Program Files (x86)\\\\Advanced Port Scanner\\\\advanced_port_scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcpatchscan.exe\",\n \"?:\\\\Program Files (x86)\\\\GFI\\\\LanGuard 12 Agent\\\\lnsscomm.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\sllauncher.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap OEM\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\nwps\\\\NetScanTools Pro\\\\NSTPRO.exe\",\n \"?:\\\\Program Files (x86)\\\\SAP BusinessObjects\\\\tomcat\\\\bin\\\\tomcat9.exe\",\n \"?:\\\\Program Files (x86)\\\\SuperScan\\\\scanner.exe\",\n \"?:\\\\Program 
Files (x86)\\\\Zscaler\\\\ZSATunnel\\\\ZSATunnel.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\vmnat.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\",\n \"System\"\n ) and process.code_signature.trusted == true\n ) and\n destination.address != \"127.0.0.1\" and destination.address != \"::1\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.address", "type": "keyword"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": 
"https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "897dc6b5-b39f-432a-8d75-d3730d50c782_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_110.json b/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_110.json deleted file mode 100644 index 876d9cc8773..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/897dc6b5-b39f-432a-8d75-d3730d50c782_110.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies network connections to the standard Kerberos port from an unusual process. On Windows, the only process that normally performs Kerberos traffic from a domain joined host is lsass.exe.", "false_positives": ["HTTP traffic on a non standard port. Verify that the destination IP address is not related to a Domain Controller."], "from": "now-9m", "index": ["logs-endpoint.events.network-*"], "language": "eql", "license": "Elastic License v2", "name": "Kerberos Traffic from Unusual Process", "note": "## Triage and analysis\n\n### Investigating Kerberos Traffic from Unusual Process\n\nKerberos is the default authentication protocol in Active Directory, designed to provide strong authentication for client/server applications by using secret-key cryptography.\n\nDomain-joined hosts usually perform Kerberos traffic using the `lsass.exe` process. This rule detects the occurrence of traffic on the Kerberos port (88) by processes other than `lsass.exe` to detect the unusual request and usage of Kerberos tickets.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check if the Destination IP is related to a Domain Controller.\n- Review event ID 4769 for suspicious ticket requests.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This rule uses a Kerberos-related port but does not identify the protocol used on that port. HTTP traffic on a non-standard port or destination IP address unrelated to Domain controllers can create false positives.\n- Exceptions can be added for noisy/frequent connections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n - Ticket requests can be used to investigate potentially compromised accounts.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "network where host.os.type == \"windows\" and event.type == \"start\" and network.direction == \"egress\" and\n destination.port == 88 and source.port >= 49152 and process.pid != 4 and destination.address : \"*\" and\n not \n (\n process.executable : (\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap\\\\nmap.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\program files (x86)\\\\nmap oem\\\\nmap.exe\",\n \"\\\\device\\\\harddiskvolume?\\\\windows\\\\system32\\\\lsass.exe\",\n \"?:\\\\Program Files\\\\Amazon Corretto\\\\jdk1*\\\\bin\\\\java.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Proxy Server\\\\bin\\\\prunsrv.exe\",\n \"?:\\\\Program Files\\\\BlackBerry\\\\UEM\\\\Core\\\\tomcat-core\\\\bin\\\\tomcat9.exe\",\n \"?:\\\\Program Files\\\\DBeaver\\\\dbeaver.exe\",\n \"?:\\\\Program 
Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.backend.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\com.docker.vpnkit.exe\",\n \"?:\\\\Program Files\\\\Docker\\\\Docker\\\\resources\\\\vpnkit.exe\",\n \"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files\\\\JetBrains\\\\PyCharm Community Edition*\\\\bin\\\\pycharm64.exe\",\n \"?:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Program Files\\\\Oracle\\\\VirtualBox\\\\VirtualBoxVM.exe\",\n \"?:\\\\Program Files\\\\Puppet Labs\\\\Puppet\\\\puppet\\\\bin\\\\ruby.exe\",\n \"?:\\\\Program Files\\\\rapid7\\\\nexpose\\\\nse\\\\.DLLCACHE\\\\nseserv.exe\",\n \"?:\\\\Program Files\\\\Silverfort\\\\Silverfort AD Adapter\\\\SilverfortServer.exe\",\n \"?:\\\\Program Files\\\\Tenable\\\\Nessus\\\\nessusd.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware View\\\\Server\\\\bin\\\\ws_TomcatService.exe\",\n \"?:\\\\Program Files (x86)\\\\Advanced Port Scanner\\\\advanced_port_scanner.exe\",\n \"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\bin\\\\dcpatchscan.exe\",\n \"?:\\\\Program Files (x86)\\\\GFI\\\\LanGuard 12 Agent\\\\lnsscomm.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeUpdate\\\\MicrosoftEdgeUpdate.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft Silverlight\\\\sllauncher.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap OEM\\\\nmap.exe\",\n \"?:\\\\Program Files (x86)\\\\nwps\\\\NetScanTools Pro\\\\NSTPRO.exe\",\n \"?:\\\\Program Files (x86)\\\\SAP BusinessObjects\\\\tomcat\\\\bin\\\\tomcat9.exe\",\n \"?:\\\\Program Files (x86)\\\\SuperScan\\\\scanner.exe\",\n \"?:\\\\Program 
Files (x86)\\\\Zscaler\\\\ZSATunnel\\\\ZSATunnel.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\System32\\\\MicrosoftEdgeCP.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\vmnat.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\Microsoft.MicrosoftEdge_*\\\\MicrosoftEdge.exe\",\n \"System\"\n ) and process.code_signature.trusted == true\n ) and\n destination.address != \"127.0.0.1\" and destination.address != \"::1\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.address", "type": "keyword"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "897dc6b5-b39f-432a-8d75-d3730d50c782", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": 
"https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "897dc6b5-b39f-432a-8d75-d3730d50c782_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696.json b/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696.json deleted file mode 100644 index d580095b5a0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.", "false_positives": ["Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Command Prompt Network Connection", "note": "## Triage and analysis\n\n### Investigating Command Prompt Network Connection\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using a command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThis rule looks for a network connection to an external address from the `cmd.exe` utility, which can indicate the abuse of the utility to download malicious files and tools.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine if any file was downloaded and check if it is an executable or script.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, 
service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and file name conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"cmd.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"cmd.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and\n not dns.question.name : (\n \"wpad\", \"localhost\", \"ocsp.comodoca.com\", \"ocsp.digicert.com\", \"ocsp.sectigo.com\", \"crl.comodoca.com\"\n )]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696", "severity": "low", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "type": "eql", "version": 108}, "id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_102.json b/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_102.json deleted file mode 100644 index 299ed17896b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.", "false_positives": ["Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Command Prompt Network Connection", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"cmd.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"cmd.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696", 
"severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "type": "eql", "version": 102}, "id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_103.json b/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_103.json deleted file mode 100644 index c71ea8563f8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.", "false_positives": ["Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Command Prompt Network Connection", "note": "## Triage and analysis\n\n### Investigating Command Prompt Network Connection\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using a command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThis rule looks for a network connection to an external address from the `cmd.exe` utility, which can indicate the abuse of the utility to download malicious files and tools.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine if any file was downloaded and check if it is an executable or script.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, 
service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and file name conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"cmd.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"cmd.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, 
"technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "type": "eql", "version": 103}, "id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_104.json b/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_104.json deleted file mode 100644 index 7b1b3871735..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.", "false_positives": ["Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Command Prompt Network Connection", "note": "## Triage and analysis\n\n### Investigating Command Prompt Network Connection\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using a command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThis rule looks for a network connection to an external address from the `cmd.exe` utility, which can indicate the abuse of the utility to download malicious files and tools.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine if any file was downloaded and check if it is an executable or script.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, 
service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and file name conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"cmd.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"cmd.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": 
"https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "type": "eql", "version": 104}, "id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_105.json b/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_105.json deleted file mode 100644 index c87ec90d8e2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.", "false_positives": ["Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Command Prompt Network Connection", "note": "## Triage and analysis\n\n### Investigating Command Prompt Network Connection\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using a command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThis rule looks for a network connection to an external address from the `cmd.exe` utility, which can indicate the abuse of the utility to download malicious files and tools.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine if any file was downloaded and check if it is an executable or script.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, 
service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and file name conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"cmd.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"cmd.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": 
"Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "type": "eql", "version": 105}, "id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_106.json b/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_106.json deleted file mode 100644 index 396118f1832..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.", "false_positives": ["Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Command Prompt Network Connection", "note": "## Triage and analysis\n\n### Investigating Command Prompt Network Connection\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using a command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThis rule looks for a network connection to an external address from the `cmd.exe` utility, which can indicate the abuse of the utility to download malicious files and tools.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine if any file was downloaded and check if it is an executable or script.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, 
service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and file name conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"cmd.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"cmd.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and\n not dns.question.name : (\n \"wpad\", \"localhost\", \"ocsp.comodoca.com\", \"ocsp.digicert.com\", \"ocsp.sectigo.com\", \"crl.comodoca.com\"\n )]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696", "severity": "low", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "type": "eql", "version": 106}, "id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_107.json b/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_107.json deleted file mode 100644 index b5a7088d110..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_107.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.", "false_positives": ["Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Command Prompt Network Connection", "note": "## Triage and analysis\n\n### Investigating Command Prompt Network Connection\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using a command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThis rule looks for a network connection to an external address from the `cmd.exe` utility, which can indicate the abuse of the utility to download malicious files and tools.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine if any file was downloaded and check if it is an executable or script.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, 
service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and file name conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"cmd.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"cmd.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and\n not dns.question.name : (\n \"wpad\", \"localhost\", \"ocsp.comodoca.com\", \"ocsp.digicert.com\", \"ocsp.sectigo.com\", \"crl.comodoca.com\"\n )]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696", "severity": "low", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "type": "eql", "version": 107}, "id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_108.json b/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_108.json deleted file mode 100644 index de5261d7988..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_108.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a remote URL.", "false_positives": ["Administrators may use the command prompt for regular administrative tasks. It's important to baseline your environment for network connections being made from the command prompt to determine any abnormal use of this tool."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Command Prompt Network Connection", "note": "## Triage and analysis\n\n### Investigating Command Prompt Network Connection\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using a command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThis rule looks for a network connection to an external address from the `cmd.exe` utility, which can indicate the abuse of the utility to download malicious files and tools.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine if any file was downloaded and check if it is an executable or script.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the downloaded file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, 
service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and file name conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"cmd.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"cmd.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and\n not dns.question.name : (\n \"wpad\", \"localhost\", \"ocsp.comodoca.com\", \"ocsp.digicert.com\", \"ocsp.sectigo.com\", \"crl.comodoca.com\"\n )]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696", "severity": "low", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "type": "eql", "version": 108}, "id": "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8.json b/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8.json deleted file mode 100644 index 8f4db09a30f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a DirectoryService PlugIns (dsplug) file. The DirectoryService daemon launches on each system boot and automatically reloads after crash. It scans and executes bundles that are located in the DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Persistence via DirectoryService Plugin Modification", "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:/Library/DirectoryServices/PlugIns/*.dsplug\n", "references": ["https://blog.chichou.me/2019/11/21/two-macos-persistence-tricks-abusing-plugins/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "89fa6cb7-6b53-4de2-b604-648488841ab8", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet.
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "89fa6cb7-6b53-4de2-b604-648488841ab8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_102.json b/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_102.json
deleted file mode 100644
index 3abd1bc6830..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a DirectoryService PlugIns (dsplug) file. The DirectoryService daemon launches on each system boot and automatically reloads after crash. It scans and executes bundles that are located in the DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Persistence via DirectoryService Plugin Modification", "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:/Library/DirectoryServices/PlugIns/*.dsplug\n", "references": ["https://blog.chichou.me/2019/11/21/two-macos-persistence-tricks-abusing-plugins/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "89fa6cb7-6b53-4de2-b604-648488841ab8", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "89fa6cb7-6b53-4de2-b604-648488841ab8_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_103.json b/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_103.json
deleted file mode 100644
index fcb97fca992..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a DirectoryService PlugIns (dsplug) file. The DirectoryService daemon launches on each system boot and automatically reloads after crash. It scans and executes bundles that are located in the DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Persistence via DirectoryService Plugin Modification", "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:/Library/DirectoryServices/PlugIns/*.dsplug\n", "references": ["https://blog.chichou.me/2019/11/21/two-macos-persistence-tricks-abusing-plugins/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "89fa6cb7-6b53-4de2-b604-648488841ab8", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "89fa6cb7-6b53-4de2-b604-648488841ab8_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_104.json b/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_104.json
deleted file mode 100644
index 7715310406c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a DirectoryService PlugIns (dsplug) file. The DirectoryService daemon launches on each system boot and automatically reloads after crash. It scans and executes bundles that are located in the DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Persistence via DirectoryService Plugin Modification", "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:/Library/DirectoryServices/PlugIns/*.dsplug\n", "references": ["https://blog.chichou.me/2019/11/21/two-macos-persistence-tricks-abusing-plugins/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "89fa6cb7-6b53-4de2-b604-648488841ab8", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "89fa6cb7-6b53-4de2-b604-648488841ab8_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_105.json b/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_105.json
deleted file mode 100644
index b3d450d8260..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/89fa6cb7-6b53-4de2-b604-648488841ab8_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a DirectoryService PlugIns (dsplug) file. The DirectoryService daemon launches on each system boot and automatically reloads after crash. It scans and executes bundles that are located in the DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Persistence via DirectoryService Plugin Modification", "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:/Library/DirectoryServices/PlugIns/*.dsplug\n", "references": ["https://blog.chichou.me/2019/11/21/two-macos-persistence-tricks-abusing-plugins/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "89fa6cb7-6b53-4de2-b604-648488841ab8", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "89fa6cb7-6b53-4de2-b604-648488841ab8_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6.json b/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6.json deleted file mode 100644 index 20bb5cce167..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a symbolic link to a suspicious file or location. A symbolic link is a reference to a file or directory that acts as a pointer or shortcut, allowing users to access the target file or directory from a different location in the file system. An attacker can potentially leverage symbolic links for privilege escalation by tricking a privileged process into following the symbolic link to a sensitive file, giving the attacker access to data or capabilities they would not normally have.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Symbolic Link Created", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.name == \"ln\" and process.args in (\"-s\", \"-sf\") and \n (\n /* suspicious files */\n (process.args in (\"/etc/shadow\", \"/etc/shadow-\", \"/etc/shadow~\", \"/etc/gshadow\", \"/etc/gshadow-\") or \n (process.working_directory == \"/etc\" and process.args in (\"shadow\", \"shadow-\", \"shadow~\", \"gshadow\", \"gshadow-\"))) or \n \n /* suspicious bins */\n (process.args in (\"/bin/bash\", \"/bin/dash\", \"/bin/sh\", \"/bin/tcsh\", \"/bin/csh\", \"/bin/zsh\", \"/bin/ksh\", \"/bin/fish\") or \n (process.working_directory == \"/bin\" and process.args : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"))) or \n (process.args in (\"/usr/bin/bash\", \"/usr/bin/dash\", \"/usr/bin/sh\", \"/usr/bin/tcsh\", \"/usr/bin/csh\", \"/usr/bin/zsh\", \"/usr/bin/ksh\", \"/usr/bin/fish\") or \n (process.working_directory == \"/usr/bin\" and process.args in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"))) or\n \n /* suspicious locations */\n (process.args : (\"/etc/cron.d/*\", \"/etc/cron.daily/*\", \"/etc/cron.hourly/*\", \"/etc/cron.weekly/*\", \"/etc/cron.monthly/*\")) or\n (process.args 
: (\"/home/*/.ssh/*\", \"/root/.ssh/*\",\"/etc/sudoers.d/*\", \"/dev/shm/*\"))\n ) and \n process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \n not user.Ext.real.id == \"0\" and not group.Ext.real.id == \"0\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 21, "rule_id": "8a024633-c444-45c0-a4fe-78128d8c1ab6", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "reference": "https://attack.mitre.org/techniques/T1003/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "8a024633-c444-45c0-a4fe-78128d8c1ab6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_1.json b/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_1.json deleted file mode 100644 index e92f57e86a5..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a symbolic link to a suspicious file or location. A symbolic link is a reference to a file or directory that acts as a pointer or shortcut, allowing users to access the target file or directory from a different location in the file system. An attacker can potentially leverage symbolic links for privilege escalation by tricking a privileged process into following the symbolic link to a sensitive file, giving the attacker access to data or capabilities they would not normally have.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Symbolic Link Created", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and \nevent.type == \"start\" and process.name == \"ln\" and \n (\n /* suspicious files */\n (process.args in (\"/etc/shadow\", \"/etc/shadow-\", \"/etc/shadow~\", \"/etc/gshadow\", \"/etc/gshadow-\") or \n (process.working_directory == \"/etc\" and process.args in (\"shadow\", \"shadow-\", \"shadow~\", \"gshadow\", \"gshadow-\"))) or \n \n /* suspicious bins */\n (process.args in (\"/bin/bash\", \"/bin/dash\", \"/bin/sh\", \"/bin/tcsh\", \"/bin/csh\", \"/bin/zsh\", \"/bin/ksh\", \"/bin/fish\") or \n (process.working_directory == \"/bin\" and process.args : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"))) or \n (process.args in (\"/usr/bin/bash\", \"/usr/bin/dash\", \"/usr/bin/sh\", \"/usr/bin/tcsh\", \"/usr/bin/csh\", \"/usr/bin/zsh\", \"/usr/bin/ksh\", \"/usr/bin/fish\") or \n (process.working_directory == \"/usr/bin\" and process.args in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"))) or\n \n /* suspicious locations */\n (process.args : (\"/etc/cron.d/*\", \"/etc/cron.daily/*\", \"/etc/cron.hourly/*\", \"/etc/cron.weekly/*\", \"/etc/cron.monthly/*\")) or\n (process.args : 
(\"/home/*/.ssh/*\", \"/root/.ssh/*\",\"/etc/sudoers.d/*\", \"/dev/shm/*\"))\n ) and \nnot user.Ext.real.id == \"0\" and not group.Ext.real.id == \"0\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 21, "rule_id": "8a024633-c444-45c0-a4fe-78128d8c1ab6", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "reference": "https://attack.mitre.org/techniques/T1003/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "8a024633-c444-45c0-a4fe-78128d8c1ab6_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_2.json b/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_2.json
deleted file mode 100644
index f068bab043b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a symbolic link to a suspicious file or location. A symbolic link is a reference to a file or directory that acts as a pointer or shortcut, allowing users to access the target file or directory from a different location in the file system. An attacker can potentially leverage symbolic links for privilege escalation by tricking a privileged process into following the symbolic link to a sensitive file, giving the attacker access to data or capabilities they would not normally have.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Symbolic Link Created", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and \nevent.type == \"start\" and process.name == \"ln\" and \n (\n /* suspicious files */\n (process.args in (\"/etc/shadow\", \"/etc/shadow-\", \"/etc/shadow~\", \"/etc/gshadow\", \"/etc/gshadow-\") or \n (process.working_directory == \"/etc\" and process.args in (\"shadow\", \"shadow-\", \"shadow~\", \"gshadow\", \"gshadow-\"))) or \n \n /* suspicious bins */\n (process.args in (\"/bin/bash\", \"/bin/dash\", \"/bin/sh\", \"/bin/tcsh\", \"/bin/csh\", \"/bin/zsh\", \"/bin/ksh\", \"/bin/fish\") or \n (process.working_directory == \"/bin\" and process.args : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"))) or \n (process.args in (\"/usr/bin/bash\", \"/usr/bin/dash\", \"/usr/bin/sh\", \"/usr/bin/tcsh\", \"/usr/bin/csh\", \"/usr/bin/zsh\", \"/usr/bin/ksh\", \"/usr/bin/fish\") or \n (process.working_directory == \"/usr/bin\" and process.args in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"))) or\n \n /* suspicious locations */\n (process.args : (\"/etc/cron.d/*\", \"/etc/cron.daily/*\", \"/etc/cron.hourly/*\", \"/etc/cron.weekly/*\", \"/etc/cron.monthly/*\")) or\n (process.args : 
(\"/home/*/.ssh/*\", \"/root/.ssh/*\",\"/etc/sudoers.d/*\", \"/dev/shm/*\"))\n ) and \n process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \n not user.Ext.real.id == \"0\" and not group.Ext.real.id == \"0\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 21, "rule_id": "8a024633-c444-45c0-a4fe-78128d8c1ab6", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "reference": "https://attack.mitre.org/techniques/T1003/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": 
"8a024633-c444-45c0-a4fe-78128d8c1ab6_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_3.json b/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_3.json
deleted file mode 100644
index 64afa1b55a4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a symbolic link to a suspicious file or location. A symbolic link is a reference to a file or directory that acts as a pointer or shortcut, allowing users to access the target file or directory from a different location in the file system. An attacker can potentially leverage symbolic links for privilege escalation by tricking a privileged process into following the symbolic link to a sensitive file, giving the attacker access to data or capabilities they would not normally have.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Symbolic Link Created", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\nevent.type == \"start\" and process.name == \"ln\" and process.args in (\"-s\", \"-sf\") and \n (\n /* suspicious files */\n (process.args in (\"/etc/shadow\", \"/etc/shadow-\", \"/etc/shadow~\", \"/etc/gshadow\", \"/etc/gshadow-\") or \n (process.working_directory == \"/etc\" and process.args in (\"shadow\", \"shadow-\", \"shadow~\", \"gshadow\", \"gshadow-\"))) or \n \n /* suspicious bins */\n (process.args in (\"/bin/bash\", \"/bin/dash\", \"/bin/sh\", \"/bin/tcsh\", \"/bin/csh\", \"/bin/zsh\", \"/bin/ksh\", \"/bin/fish\") or \n (process.working_directory == \"/bin\" and process.args : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"))) or \n (process.args in (\"/usr/bin/bash\", \"/usr/bin/dash\", \"/usr/bin/sh\", \"/usr/bin/tcsh\", \"/usr/bin/csh\", \"/usr/bin/zsh\", \"/usr/bin/ksh\", \"/usr/bin/fish\") or \n (process.working_directory == \"/usr/bin\" and process.args in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"))) or\n \n /* suspicious locations */\n (process.args : (\"/etc/cron.d/*\", \"/etc/cron.daily/*\", \"/etc/cron.hourly/*\", \"/etc/cron.weekly/*\", 
\"/etc/cron.monthly/*\")) or\n (process.args : (\"/home/*/.ssh/*\", \"/root/.ssh/*\",\"/etc/sudoers.d/*\", \"/dev/shm/*\"))\n ) and \n process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \n not user.Ext.real.id == \"0\" and not group.Ext.real.id == \"0\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 21, "rule_id": "8a024633-c444-45c0-a4fe-78128d8c1ab6", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "reference": "https://attack.mitre.org/techniques/T1003/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "8a024633-c444-45c0-a4fe-78128d8c1ab6_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_4.json b/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_4.json deleted file mode 100644 index b87fabf7343..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a symbolic link to a suspicious file or location. A symbolic link is a reference to a file or directory that acts as a pointer or shortcut, allowing users to access the target file or directory from a different location in the file system. An attacker can potentially leverage symbolic links for privilege escalation by tricking a privileged process into following the symbolic link to a sensitive file, giving the attacker access to data or capabilities they would not normally have.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Symbolic Link Created", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\nevent.type == \"start\" and process.name == \"ln\" and process.args in (\"-s\", \"-sf\") and \n (\n /* suspicious files */\n (process.args in (\"/etc/shadow\", \"/etc/shadow-\", \"/etc/shadow~\", \"/etc/gshadow\", \"/etc/gshadow-\") or \n (process.working_directory == \"/etc\" and process.args in (\"shadow\", \"shadow-\", \"shadow~\", \"gshadow\", \"gshadow-\"))) or \n \n /* suspicious bins */\n (process.args in (\"/bin/bash\", \"/bin/dash\", \"/bin/sh\", \"/bin/tcsh\", \"/bin/csh\", \"/bin/zsh\", \"/bin/ksh\", \"/bin/fish\") or \n (process.working_directory == \"/bin\" and process.args : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"))) or \n (process.args in (\"/usr/bin/bash\", \"/usr/bin/dash\", \"/usr/bin/sh\", \"/usr/bin/tcsh\", \"/usr/bin/csh\", \"/usr/bin/zsh\", \"/usr/bin/ksh\", \"/usr/bin/fish\") or \n (process.working_directory == \"/usr/bin\" and process.args in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"))) or\n \n /* suspicious locations */\n (process.args : (\"/etc/cron.d/*\", \"/etc/cron.daily/*\", \"/etc/cron.hourly/*\", \"/etc/cron.weekly/*\", 
\"/etc/cron.monthly/*\")) or\n (process.args : (\"/home/*/.ssh/*\", \"/root/.ssh/*\",\"/etc/sudoers.d/*\", \"/dev/shm/*\"))\n ) and \n process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \n not user.Ext.real.id == \"0\" and not group.Ext.real.id == \"0\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 21, "rule_id": "8a024633-c444-45c0-a4fe-78128d8c1ab6", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "reference": "https://attack.mitre.org/techniques/T1003/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "8a024633-c444-45c0-a4fe-78128d8c1ab6_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_5.json b/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_5.json deleted file mode 100644 index 7061899fa27..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/8a024633-c444-45c0-a4fe-78128d8c1ab6_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a symbolic link to a suspicious file or location. A symbolic link is a reference to a file or directory that acts as a pointer or shortcut, allowing users to access the target file or directory from a different location in the file system. An attacker can potentially leverage symbolic links for privilege escalation by tricking a privileged process into following the symbolic link to a sensitive file, giving the attacker access to data or capabilities they would not normally have.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Symbolic Link Created", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.name == \"ln\" and process.args in (\"-s\", \"-sf\") and \n (\n /* suspicious files */\n (process.args in (\"/etc/shadow\", \"/etc/shadow-\", \"/etc/shadow~\", \"/etc/gshadow\", \"/etc/gshadow-\") or \n (process.working_directory == \"/etc\" and process.args in (\"shadow\", \"shadow-\", \"shadow~\", \"gshadow\", \"gshadow-\"))) or \n \n /* suspicious bins */\n (process.args in (\"/bin/bash\", \"/bin/dash\", \"/bin/sh\", \"/bin/tcsh\", \"/bin/csh\", \"/bin/zsh\", \"/bin/ksh\", \"/bin/fish\") or \n (process.working_directory == \"/bin\" and process.args : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"))) or \n (process.args in (\"/usr/bin/bash\", \"/usr/bin/dash\", \"/usr/bin/sh\", \"/usr/bin/tcsh\", \"/usr/bin/csh\", \"/usr/bin/zsh\", \"/usr/bin/ksh\", \"/usr/bin/fish\") or \n (process.working_directory == \"/usr/bin\" and process.args in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"))) or\n \n /* suspicious locations */\n (process.args : (\"/etc/cron.d/*\", \"/etc/cron.daily/*\", \"/etc/cron.hourly/*\", \"/etc/cron.weekly/*\", 
\"/etc/cron.monthly/*\")) or\n (process.args : (\"/home/*/.ssh/*\", \"/root/.ssh/*\",\"/etc/sudoers.d/*\", \"/dev/shm/*\"))\n ) and \n process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \n not user.Ext.real.id == \"0\" and not group.Ext.real.id == \"0\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 21, "rule_id": "8a024633-c444-45c0-a4fe-78128d8c1ab6", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "reference": "https://attack.mitre.org/techniques/T1003/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "8a024633-c444-45c0-a4fe-78128d8c1ab6_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd.json b/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd.json deleted file mode 100644 index 4320c776c4e..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.", "event_category_override": "event.category", "index": ["filebeat-*", "logs-okta*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Okta MFA Bombing via Push Notifications", "note": "## Triage and analysis\n\n### Investigating Potential Okta MFA Bombing via Push Notifications\n\nMulti-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.\n\nThis rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.\n\n#### Possible investigation steps:\n\n- Identify the user who received the MFA notifications by reviewing the `user.email` field.\n- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.\n- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.\n- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.\n- Check if the MFA requests and the successful login occurred during the user's regular activity hours.\n- Look for any other suspicious activity on the account around the same time.\n- Identify whether the same pattern is repeated for other users in your organization. 
Multiple users receiving push notifications simultaneously might indicate a larger attack.\n\n### False positive analysis:\n\n- Determine if the MFA push notifications were legitimate. Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.\n- Check if there are known issues with the MFA system causing false denials.\n\n### Response and remediation:\n\n- If unauthorized access is confirmed, initiate your incident response process.\n- Alert the user and your IT department immediately.\n- If possible, isolate the user's account until the issue is resolved.\n- Investigate the source of the unauthorized access.\n- If the account was accessed by an unauthorized party, determine the actions they took after logging in.\n- Consider enhancing your MFA policy to prevent such incidents in the future.\n- Encourage users to report any unexpected MFA notifications immediately.\n- Review and update your incident response plans and security policies based on the findings from the incident.\n", "query": "sequence by okta.actor.id with maxspan=10m\n [authentication where event.dataset == \"okta.system\"\n and okta.event_type == \"user.mfa.okta_verify.deny_push\"] with runs=5\n until [authentication where event.dataset == \"okta.system\"\n and (okta.event_type: (\n \"user.authentication.sso\",\n \"user.authentication.auth_via_mfa\",\n \"user.authentication.verify\",\n \"user.session.start\") and okta.outcome.result == \"SUCCESS\")]\n", "references": ["https://www.mandiant.com/resources/russian-targeting-gov-business", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": 
"keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.result", "type": "keyword"}], "risk_score": 73, "rule_id": "8a0fbd26-867f-11ee-947c-f661ea17fbcd", "setup": "## Setup\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n", "severity": "high", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1621", "name": "Multi-Factor Authentication Request Generation", "reference": "https://attack.mitre.org/techniques/T1621/"}]}], "type": "eql", "version": 3}, "id": "8a0fbd26-867f-11ee-947c-f661ea17fbcd", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_1.json b/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_1.json deleted file mode 100644 index 0beb0274f7f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.", "event_category_override": "event.category", "index": ["filebeat-*", "logs-okta*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Okta MFA Bombing via Push Notifications", "note": "## Triage and analysis\n\n### Investigating Potential Okta MFA Bombing via Push Notifications\n\nMulti-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.\n\nThis rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.\n\n#### Possible investigation steps:\n\n- Identify the user who received the MFA notifications by reviewing the `user.email` field.\n- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.\n- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.\n- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.\n- Check if the MFA requests and the successful login occurred during the user's regular activity hours.\n- Look for any other suspicious activity on the account around the same time.\n- Identify whether the same pattern is repeated for other users in your organization. 
Multiple users receiving push notifications simultaneously might indicate a larger attack.\n\n### False positive analysis:\n\n- Determine if the MFA push notifications were legitimate. Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.\n- Check if there are known issues with the MFA system causing false denials.\n\n### Response and remediation:\n\n- If unauthorized access is confirmed, initiate your incident response process.\n- Alert the user and your IT department immediately.\n- If possible, isolate the user's account until the issue is resolved.\n- Investigate the source of the unauthorized access.\n- If the account was accessed by an unauthorized party, determine the actions they took after logging in.\n- Consider enhancing your MFA policy to prevent such incidents in the future.\n- Encourage users to report any unexpected MFA notifications immediately.\n- Review and update your incident response plans and security policies based on the findings from the incident.\n", "query": "sequence by okta.actor.id with maxspan=10m\n [authentication where event.dataset == \"okta.system\"\n and okta.event_type == \"user.mfa.okta_verify.deny_push\"] with runs=5\n until [authentication where event.dataset == \"okta.system\"\n and (okta.event_type: (\n \"user.authentication.sso\",\n \"user.authentication.auth_via_mfa\",\n \"user.authentication.verify\",\n \"user.session.start\") and okta.outcome.result == \"SUCCESS\")]\n", "references": ["https://www.mandiant.com/resources/russian-targeting-gov-business", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": 
"keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "unknown"}, {"ecs": false, "name": "okta.event_type", "type": "unknown"}, {"ecs": false, "name": "okta.outcome.result", "type": "unknown"}], "risk_score": 73, "rule_id": "8a0fbd26-867f-11ee-947c-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n", "severity": "high", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1621", "name": "Multi-Factor Authentication Request Generation", "reference": "https://attack.mitre.org/techniques/T1621/"}]}], "type": "eql", "version": 1}, "id": "8a0fbd26-867f-11ee-947c-f661ea17fbcd_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_106.json b/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_106.json new file mode 100644 index 00000000000..9e362e2186a --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_106.json 
@@ -0,0 +1,84 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.",
+ "event_category_override": "event.category",
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Potential Okta MFA Bombing via Push Notifications",
+ "note": "## Triage and analysis\n\n### Investigating Potential Okta MFA Bombing via Push Notifications\n\nMulti-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.\n\nThis rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.\n\n#### Possible investigation steps:\n\n- Identify the user who received the MFA notifications by reviewing the `user.email` field.\n- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.\n- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.\n- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.\n- Check if the MFA requests and the successful login occurred during the user's regular activity hours.\n- Look for any other suspicious activity on the account around the same time.\n- Identify whether the same pattern is repeated for other users in your organization. 
Multiple users receiving push notifications simultaneously might indicate a larger attack.\n\n### False positive analysis:\n\n- Determine if the MFA push notifications were legitimate. Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.\n- Check if there are known issues with the MFA system causing false denials.\n\n### Response and remediation:\n\n- If unauthorized access is confirmed, initiate your incident response process.\n- Alert the user and your IT department immediately.\n- If possible, isolate the user's account until the issue is resolved.\n- Investigate the source of the unauthorized access.\n- If the account was accessed by an unauthorized party, determine the actions they took after logging in.\n- Consider enhancing your MFA policy to prevent such incidents in the future.\n- Encourage users to report any unexpected MFA notifications immediately.\n- Review and update your incident response plans and security policies based on the findings from the incident.\n",
+ "query": "sequence by okta.actor.id with maxspan=10m\n [authentication where event.dataset == \"okta.system\"\n and okta.event_type == \"user.mfa.okta_verify.deny_push\"] with runs=5\n until [authentication where event.dataset == \"okta.system\"\n and (okta.event_type: (\n \"user.authentication.sso\",\n \"user.authentication.auth_via_mfa\",\n \"user.authentication.verify\",\n \"user.session.start\") and okta.outcome.result == \"SUCCESS\")]\n",
+ "references": [
+ "https://www.mandiant.com/resources/russian-targeting-gov-business",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ 
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "okta.actor.id",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "okta.event_type",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "okta.outcome.result",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "8a0fbd26-867f-11ee-947c-f661ea17fbcd",
+ "setup": "## Setup\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n",
+ "severity": "high",
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Tactic: Credential Access",
+ "Data Source: Okta"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1621",
+ "name": "Multi-Factor Authentication Request Generation",
+ "reference": "https://attack.mitre.org/techniques/T1621/"
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 106
+ },
+ "id": "8a0fbd26-867f-11ee-947c-f661ea17fbcd_106",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_2.json b/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_2.json
deleted file mode 100644
index 0417698b3fa..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_2.json
+++ /dev/null
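Review bot: The triage note in the new `_106` file is out of step with its own query: it says the rule fires when a user denies push notifications `twice` and that the events `should include two user.mfa.okta_verify.deny_push actions and one user.authentication.sso action`, while the query requires `with runs=5` denials and accepts any of four success event types (`user.authentication.sso`, `user.authentication.auth_via_mfa`, `user.authentication.verify`, `user.session.start`) matched on `okta.event_type`, not `event.action`. An analyst following the note will look for the wrong event count and the wrong field and may dismiss or mis-triage a true positive. Suggest rewording the two sentences to `This rule detects when a user denies MFA Okta Verify push notifications five times, followed by a successful authentication event within a 10-minute window.` and `Review the okta.event_type field to understand the nature of the events. It should include five user.mfa.okta_verify.deny_push events followed by one successful authentication event (user.authentication.sso, user.authentication.auth_via_mfa, user.authentication.verify, or user.session.start).` The same wording is carried over unchanged from the deleted `_1` through `_4` copies, so the mismatch is pre-existing rather than introduced by this commit, but the new version is the one that will ship.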
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.", "event_category_override": "event.category", "index": ["filebeat-*", "logs-okta*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Okta MFA Bombing via Push Notifications", "note": "## Triage and analysis\n\n### Investigating Potential Okta MFA Bombing via Push Notifications\n\nMulti-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.\n\nThis rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.\n\n#### Possible investigation steps:\n\n- Identify the user who received the MFA notifications by reviewing the `user.email` field.\n- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.\n- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.\n- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.\n- Check if the MFA requests and the successful login occurred during the user's regular activity hours.\n- Look for any other suspicious activity on the account around the same time.\n- Identify whether the same pattern is repeated for other users in your organization. 
Multiple users receiving push notifications simultaneously might indicate a larger attack.\n\n### False positive analysis:\n\n- Determine if the MFA push notifications were legitimate. Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.\n- Check if there are known issues with the MFA system causing false denials.\n\n### Response and remediation:\n\n- If unauthorized access is confirmed, initiate your incident response process.\n- Alert the user and your IT department immediately.\n- If possible, isolate the user's account until the issue is resolved.\n- Investigate the source of the unauthorized access.\n- If the account was accessed by an unauthorized party, determine the actions they took after logging in.\n- Consider enhancing your MFA policy to prevent such incidents in the future.\n- Encourage users to report any unexpected MFA notifications immediately.\n- Review and update your incident response plans and security policies based on the findings from the incident.\n", "query": "sequence by okta.actor.id with maxspan=10m\n [authentication where event.dataset == \"okta.system\"\n and okta.event_type == \"user.mfa.okta_verify.deny_push\"] with runs=5\n until [authentication where event.dataset == \"okta.system\"\n and (okta.event_type: (\n \"user.authentication.sso\",\n \"user.authentication.auth_via_mfa\",\n \"user.authentication.verify\",\n \"user.session.start\") and okta.outcome.result == \"SUCCESS\")]\n", "references": ["https://www.mandiant.com/resources/russian-targeting-gov-business", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": 
"keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.result", "type": "keyword"}], "risk_score": 73, "rule_id": "8a0fbd26-867f-11ee-947c-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n", "severity": "high", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1621", "name": "Multi-Factor Authentication Request Generation", "reference": "https://attack.mitre.org/techniques/T1621/"}]}], "type": "eql", "version": 2}, "id": "8a0fbd26-867f-11ee-947c-f661ea17fbcd_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_3.json b/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_3.json deleted file mode 100644 index 2d1cff98c8b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.", "event_category_override": "event.category", "index": ["filebeat-*", "logs-okta*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Okta MFA Bombing via Push Notifications", "note": "## Triage and analysis\n\n### Investigating Potential Okta MFA Bombing via Push Notifications\n\nMulti-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.\n\nThis rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.\n\n#### Possible investigation steps:\n\n- Identify the user who received the MFA notifications by reviewing the `user.email` field.\n- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.\n- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.\n- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.\n- Check if the MFA requests and the successful login occurred during the user's regular activity hours.\n- Look for any other suspicious activity on the account around the same time.\n- Identify whether the same pattern is repeated for other users in your organization. 
Multiple users receiving push notifications simultaneously might indicate a larger attack.\n\n### False positive analysis:\n\n- Determine if the MFA push notifications were legitimate. Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.\n- Check if there are known issues with the MFA system causing false denials.\n\n### Response and remediation:\n\n- If unauthorized access is confirmed, initiate your incident response process.\n- Alert the user and your IT department immediately.\n- If possible, isolate the user's account until the issue is resolved.\n- Investigate the source of the unauthorized access.\n- If the account was accessed by an unauthorized party, determine the actions they took after logging in.\n- Consider enhancing your MFA policy to prevent such incidents in the future.\n- Encourage users to report any unexpected MFA notifications immediately.\n- Review and update your incident response plans and security policies based on the findings from the incident.\n", "query": "sequence by okta.actor.id with maxspan=10m\n [authentication where event.dataset == \"okta.system\"\n and okta.event_type == \"user.mfa.okta_verify.deny_push\"] with runs=5\n until [authentication where event.dataset == \"okta.system\"\n and (okta.event_type: (\n \"user.authentication.sso\",\n \"user.authentication.auth_via_mfa\",\n \"user.authentication.verify\",\n \"user.session.start\") and okta.outcome.result == \"SUCCESS\")]\n", "references": ["https://www.mandiant.com/resources/russian-targeting-gov-business", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": 
"keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.result", "type": "keyword"}], "risk_score": 73, "rule_id": "8a0fbd26-867f-11ee-947c-f661ea17fbcd", "setup": "## Setup\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n", "severity": "high", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1621", "name": "Multi-Factor Authentication Request Generation", "reference": "https://attack.mitre.org/techniques/T1621/"}]}], "type": "eql", "version": 3}, "id": "8a0fbd26-867f-11ee-947c-f661ea17fbcd_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_4.json b/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_4.json deleted file mode 100644 index 6bf4bcdfa22..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_4.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.", "event_category_override": "event.category", "index": ["filebeat-*", "logs-okta*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Okta MFA Bombing via Push Notifications", "note": "## Triage and analysis\n\n### Investigating Potential Okta MFA Bombing via Push Notifications\n\nMulti-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.\n\nThis rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.\n\n#### Possible investigation steps:\n\n- Identify the user who received the MFA notifications by reviewing the `user.email` field.\n- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.\n- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.\n- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.\n- Check if the MFA requests and the successful login occurred during the user's regular activity hours.\n- Look for any other suspicious activity on the account around the same time.\n- Identify whether the same pattern is repeated for other users in your organization. 
Multiple users receiving push notifications simultaneously might indicate a larger attack.\n\n### False positive analysis:\n\n- Determine if the MFA push notifications were legitimate. Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.\n- Check if there are known issues with the MFA system causing false denials.\n\n### Response and remediation:\n\n- If unauthorized access is confirmed, initiate your incident response process.\n- Alert the user and your IT department immediately.\n- If possible, isolate the user's account until the issue is resolved.\n- Investigate the source of the unauthorized access.\n- If the account was accessed by an unauthorized party, determine the actions they took after logging in.\n- Consider enhancing your MFA policy to prevent such incidents in the future.\n- Encourage users to report any unexpected MFA notifications immediately.\n- Review and update your incident response plans and security policies based on the findings from the incident.\n", "query": "sequence by okta.actor.id with maxspan=10m\n [authentication where event.dataset == \"okta.system\"\n and okta.event_type == \"user.mfa.okta_verify.deny_push\"] with runs=5\n until [authentication where event.dataset == \"okta.system\"\n and (okta.event_type: (\n \"user.authentication.sso\",\n \"user.authentication.auth_via_mfa\",\n \"user.authentication.verify\",\n \"user.session.start\") and okta.outcome.result == \"SUCCESS\")]\n", "references": ["https://www.mandiant.com/resources/russian-targeting-gov-business", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", 
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.result", "type": "keyword"}], "risk_score": 73, "rule_id": "8a0fbd26-867f-11ee-947c-f661ea17fbcd", "setup": "## Setup\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n", "severity": "high", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1621", "name": "Multi-Factor Authentication Request Generation", "reference": "https://attack.mitre.org/techniques/T1621/"}]}], "type": "eql", "version": 4}, "id": "8a0fbd26-867f-11ee-947c-f661ea17fbcd_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_6.json b/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_6.json deleted file mode 100644 index 524228d4a75..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a0fbd26-867f-11ee-947c-f661ea17fbcd_6.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.", "event_category_override": "event.category", "index": ["filebeat-*", "logs-okta*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Okta MFA Bombing via Push Notifications", "note": "## Triage and analysis\n\n### Investigating Potential Okta MFA Bombing via Push Notifications\n\nMulti-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.\n\nThis rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.\n\n#### Possible investigation steps:\n\n- Identify the user who received the MFA notifications by reviewing the `user.email` field.\n- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.\n- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.\n- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.\n- Check if the MFA requests and the successful login occurred during the user's regular activity hours.\n- Look for any other suspicious activity on the account around the same time.\n- Identify whether the same pattern is repeated for other users in your organization. 
Multiple users receiving push notifications simultaneously might indicate a larger attack.\n\n### False positive analysis:\n\n- Determine if the MFA push notifications were legitimate. Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.\n- Check if there are known issues with the MFA system causing false denials.\n\n### Response and remediation:\n\n- If unauthorized access is confirmed, initiate your incident response process.\n- Alert the user and your IT department immediately.\n- If possible, isolate the user's account until the issue is resolved.\n- Investigate the source of the unauthorized access.\n- If the account was accessed by an unauthorized party, determine the actions they took after logging in.\n- Consider enhancing your MFA policy to prevent such incidents in the future.\n- Encourage users to report any unexpected MFA notifications immediately.\n- Review and update your incident response plans and security policies based on the findings from the incident.\n", "query": "sequence by okta.actor.id with maxspan=10m\n [authentication where event.dataset == \"okta.system\"\n and okta.event_type == \"user.mfa.okta_verify.deny_push\"] with runs=5\n until [authentication where event.dataset == \"okta.system\"\n and (okta.event_type: (\n \"user.authentication.sso\",\n \"user.authentication.auth_via_mfa\",\n \"user.authentication.verify\",\n \"user.session.start\") and okta.outcome.result == \"SUCCESS\")]\n", "references": ["https://www.mandiant.com/resources/russian-targeting-gov-business", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", 
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.result", "type": "keyword"}], "risk_score": 73, "rule_id": "8a0fbd26-867f-11ee-947c-f661ea17fbcd", "setup": "## Setup\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n", "severity": "high", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1621", "name": "Multi-Factor Authentication Request Generation", "reference": "https://attack.mitre.org/techniques/T1621/"}]}], "type": "eql", "version": 6}, "id": "8a0fbd26-867f-11ee-947c-f661ea17fbcd_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a0fd93a-7df8-410d-8808-4cc5e340f2b9.json b/packages/security_detection_engine/kibana/security_rule/8a0fd93a-7df8-410d-8808-4cc5e340f2b9.json deleted file mode 100644 index e81956aa669..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a0fd93a-7df8-410d-8808-4cc5e340f2b9.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Access to private GitHub organization resources was revoked for a PAT.", "from": "now-9m", "index": ["logs-github.audit-*"], "language": "eql", "license": "Elastic License v2", "name": "GitHub PAT Access Revoked", "query": "configuration where event.dataset == \"github.audit\" and event.action == \"personal_access_token.access_revoked\"\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "8a0fd93a-7df8-410d-8808-4cc5e340f2b9", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Impact", "Rule Type: BBR", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "8a0fd93a-7df8-410d-8808-4cc5e340f2b9", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8a0fd93a-7df8-410d-8808-4cc5e340f2b9_1.json b/packages/security_detection_engine/kibana/security_rule/8a0fd93a-7df8-410d-8808-4cc5e340f2b9_1.json
deleted file mode 100644
index 26affc26f10..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8a0fd93a-7df8-410d-8808-4cc5e340f2b9_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Access to private GitHub organization resources was revoked for a PAT.", "from": "now-9m", "index": ["logs-github.audit-*"], "language": "eql", "license": "Elastic License v2", "name": "GitHub PAT Access Revoked", "query": "configuration where event.dataset == \"github.audit\" and event.action == \"personal_access_token.access_revoked\"\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "8a0fd93a-7df8-410d-8808-4cc5e340f2b9", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Impact", "Rule Type: BBR", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "8a0fd93a-7df8-410d-8808-4cc5e340f2b9_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8a0fd93a-7df8-410d-8808-4cc5e340f2b9_103.json b/packages/security_detection_engine/kibana/security_rule/8a0fd93a-7df8-410d-8808-4cc5e340f2b9_103.json
new file mode 100644
index 00000000000..ce376cd2fcf
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/8a0fd93a-7df8-410d-8808-4cc5e340f2b9_103.json
@@ -0,0 +1,68 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "building_block_type": "default",
+ "description": "Access to private GitHub organization resources was revoked for a PAT.",
+ "from": "now-9m",
+ "index": [
+ "logs-github.audit-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "GitHub PAT Access Revoked",
+ "query": "configuration where event.dataset == \"github.audit\" and event.action == \"personal_access_token.access_revoked\"\n",
+ "related_integrations": [
+ {
+ "package": "github",
+ "version": "^2.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "8a0fd93a-7df8-410d-8808-4cc5e340f2b9",
+ "severity": "low",
+ "tags": [
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Impact",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0040",
+ "name": "Impact",
+ "reference": "https://attack.mitre.org/tactics/TA0040/"
+ },
+ "technique": [
+ {
+ "id": "T1531",
+ "name": "Account Access Removal",
+ "reference": "https://attack.mitre.org/techniques/T1531/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 103
+ },
+ "id": "8a0fd93a-7df8-410d-8808-4cc5e340f2b9_103",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a.json b/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a.json
deleted file mode 100644
index 98086088fcd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid or setgid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "SUID/SGID Bit Set", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.name == \"chmod\" and (process.args : (\"+s\", \"u+s\", \"g+s\") or process.args regex \"[24][0-9]{3}\")) or\n (process.name == \"install\" and process.args : \"-m\" and\n (process.args : (\"+s\", \"u+s\", \"g+s\") or process.args regex \"[24][0-9]{3}\"))\n) and not (\n process.parent.executable : (\n \"/usr/NX/*\", \"/var/lib/docker/*\", \"/var/lib/dpkg/info*\", \"/tmp/newroot/*\",\n \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\"\n ) or\n process.args : (\n \"/run/*\", \"/var/run/*\", \"/usr/bin/keybase-redirector\", \"/usr/local/share/fonts\", \"/usr/bin/ssh-agent\"\n )\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], 
"risk_score": 21, "rule_id": "8a1b0278-0f9a-487d-96bd-d4833298e87a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.001", "name": "Setuid and Setgid", "reference": "https://attack.mitre.org/techniques/T1548/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "8a1b0278-0f9a-487d-96bd-d4833298e87a", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_101.json b/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_101.json deleted file mode 100644 index 080e4d1b2e3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_101.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid or setgid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "lucene", "license": "Elastic License v2", "max_signals": 33, "name": "Setuid / Setgid Bit Set via chmod", "query": "event.category:process AND event.type:(start OR process_started) AND\n process.name:chmod AND process.args:(\"+s\" OR \"u+s\" OR /4[0-9]{3}/ OR g+s OR /2[0-9]{3}/) AND\n NOT process.args:\n (\n /.*\\/Applications\\/VirtualBox.app\\/.+/ OR\n /\\/usr\\/local\\/lib\\/python.+/ OR\n /\\/var\\/folders\\/.+\\/FP.*nstallHelper/ OR\n /\\/Library\\/Filesystems\\/.+/ OR\n /\\/usr\\/lib\\/virtualbox\\/.+/ OR\n /\\/Library\\/Application.*/ OR\n \"/run/postgresql\" OR\n \"/var/crash\" OR\n \"/var/run/postgresql\" OR\n /\\/usr\\/bin\\/.+/ OR /\\/usr\\/local\\/share\\/.+/ OR\n /\\/Applications\\/.+/ OR /\\/usr\\/libexec\\/.+/ OR\n \"/var/metrics\" OR /\\/var\\/lib\\/dpkg\\/.+/ OR\n /\\/run\\/log\\/journal\\/.*/ OR\n \\/Users\\/*\\/.minikube\\/bin\\/docker-machine-driver-hyperkit\n ) AND\n NOT process.parent.executable:\n (\n /\\/var\\/lib\\/docker\\/.+/ OR\n \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\" OR\n \"/var/lib/dpkg/info/whoopsie.postinst\"\n )\n", "related_integrations": [], "risk_score": 21, "rule_id": "8a1b0278-0f9a-487d-96bd-d4833298e87a", "severity": "low", "tags": ["Elastic", "Host", "Linux", "macOS", "Threat Detection", 
"Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.001", "name": "Setuid and Setgid", "reference": "https://attack.mitre.org/techniques/T1548/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "8a1b0278-0f9a-487d-96bd-d4833298e87a_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_102.json b/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_102.json deleted file mode 100644 index bb7919dcdd9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_102.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid or setgid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "lucene", "license": "Elastic License v2", "max_signals": 33, "name": "Setuid / Setgid Bit Set via chmod", "query": "event.category:process AND event.type:(start OR process_started) AND\n process.name:chmod AND process.args:(\"+s\" OR \"u+s\" OR /4[0-9]{3}/ OR g+s OR /2[0-9]{3}/) AND\n NOT process.args:\n (\n /.*\\/Applications\\/VirtualBox.app\\/.+/ OR\n /\\/usr\\/local\\/lib\\/python.+/ OR\n /\\/var\\/folders\\/.+\\/FP.*nstallHelper/ OR\n /\\/Library\\/Filesystems\\/.+/ OR\n /\\/usr\\/lib\\/virtualbox\\/.+/ OR\n /\\/Library\\/Application.*/ OR\n \"/run/postgresql\" OR\n \"/var/crash\" OR\n \"/var/run/postgresql\" OR\n /\\/usr\\/bin\\/.+/ OR /\\/usr\\/local\\/share\\/.+/ OR\n /\\/Applications\\/.+/ OR /\\/usr\\/libexec\\/.+/ OR\n \"/var/metrics\" OR /\\/var\\/lib\\/dpkg\\/.+/ OR\n /\\/run\\/log\\/journal\\/.*/ OR\n \\/Users\\/*\\/.minikube\\/bin\\/docker-machine-driver-hyperkit\n ) AND\n NOT process.parent.executable:\n (\n /\\/var\\/lib\\/docker\\/.+/ OR\n \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\" OR\n \"/var/lib/dpkg/info/whoopsie.postinst\"\n )\n", "related_integrations": [], "risk_score": 21, "rule_id": "8a1b0278-0f9a-487d-96bd-d4833298e87a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat 
Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.001", "name": "Setuid and Setgid", "reference": "https://attack.mitre.org/techniques/T1548/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "8a1b0278-0f9a-487d-96bd-d4833298e87a_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_103.json b/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_103.json deleted file mode 100644 index baf39195b78..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_103.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid or setgid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "lucene", "license": "Elastic License v2", "max_signals": 33, "name": "Setuid / Setgid Bit Set via chmod", "query": "event.category:process AND event.type:(start OR process_started) AND\n process.name:chmod AND process.args:(\"+s\" OR \"u+s\" OR /4[0-9]{3}/ OR g+s OR /2[0-9]{3}/) AND\n NOT process.args:\n (\n /.*\\/Applications\\/VirtualBox.app\\/.+/ OR\n /\\/usr\\/local\\/lib\\/python.+/ OR\n /\\/var\\/folders\\/.+\\/FP.*nstallHelper/ OR\n /\\/Library\\/Filesystems\\/.+/ OR\n /\\/usr\\/lib\\/virtualbox\\/.+/ OR\n /\\/Library\\/Application.*/ OR\n \"/run/postgresql\" OR\n \"/var/crash\" OR\n \"/var/run/postgresql\" OR\n /\\/usr\\/bin\\/.+/ OR /\\/usr\\/local\\/share\\/.+/ OR\n /\\/Applications\\/.+/ OR /\\/usr\\/libexec\\/.+/ OR\n \"/var/metrics\" OR /\\/var\\/lib\\/dpkg\\/.+/ OR\n /\\/run\\/log\\/journal\\/.*/ OR\n \\/Users\\/*\\/.minikube\\/bin\\/docker-machine-driver-hyperkit\n ) AND\n NOT process.parent.executable:\n (\n /\\/var\\/lib\\/docker\\/.+/ OR\n \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\" OR\n \"/var/lib/dpkg/info/whoopsie.postinst\"\n )\n", "related_integrations": [], "risk_score": 21, "rule_id": "8a1b0278-0f9a-487d-96bd-d4833298e87a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat 
Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.001", "name": "Setuid and Setgid", "reference": "https://attack.mitre.org/techniques/T1548/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "8a1b0278-0f9a-487d-96bd-d4833298e87a_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_104.json b/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_104.json deleted file mode 100644 index 19e2b68b0c7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a1b0278-0f9a-487d-96bd-d4833298e87a_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An adversary may add the setuid or setgid bit to a file or directory in order to run a file with the privileges of the owning user or group. An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setuid or setgid bit to get code running in a different user\u2019s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "SUID/SGID Bit Set", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.name == \"chmod\" and (process.args : (\"+s\", \"u+s\", \"g+s\") or process.args regex \"[24][0-9]{3}\")) or\n (process.name == \"install\" and process.args : \"-m\" and\n (process.args : (\"+s\", \"u+s\", \"g+s\") or process.args regex \"[24][0-9]{3}\"))\n) and not (\n process.parent.executable : (\n \"/usr/NX/*\", \"/var/lib/docker/*\", \"/var/lib/dpkg/info*\", \"/tmp/newroot/*\",\n \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\"\n ) or\n process.args : (\n \"/run/*\", \"/var/run/*\", \"/usr/bin/keybase-redirector\", \"/usr/local/share/fonts\", \"/usr/bin/ssh-agent\"\n )\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], 
"risk_score": 21, "rule_id": "8a1b0278-0f9a-487d-96bd-d4833298e87a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.001", "name": "Setuid and Setgid", "reference": "https://attack.mitre.org/techniques/T1548/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "8a1b0278-0f9a-487d-96bd-d4833298e87a_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d.json b/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d.json deleted file mode 100644 index a0fd9955904..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may use this technique to evade defenses.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution from a Mounted Device", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"C:\\\\*\" and\n (process.working_directory : \"?:\\\\\" and not process.working_directory: \"C:\\\\\") and\n process.parent.name : \"explorer.exe\" and\n process.name : (\"rundll32.exe\", \"mshta.exe\", \"powershell.exe\", \"pwsh.exe\", \"cmd.exe\", \"regsvr32.exe\",\n \"cscript.exe\", \"wscript.exe\")\n", "references": ["https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 47, "rule_id": "8a1d4831-3ce6-4859-9891-28931fa6101d", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline 
to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}, {"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}, {"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "8a1d4831-3ce6-4859-9891-28931fa6101d", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_102.json b/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_102.json deleted file mode 100644 index e20329e0376..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may use this technique to evade defenses.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution from a Mounted Device", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"C:\\\\*\" and\n (process.working_directory : \"?:\\\\\" and not process.working_directory: \"C:\\\\\") and\n process.parent.name : \"explorer.exe\" and\n process.name : (\"rundll32.exe\", \"mshta.exe\", \"powershell.exe\", \"pwsh.exe\", \"cmd.exe\", \"regsvr32.exe\",\n \"cscript.exe\", \"wscript.exe\")\n", "references": ["https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 47, "rule_id": "8a1d4831-3ce6-4859-9891-28931fa6101d", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": 
"medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}, {"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}, {"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "8a1d4831-3ce6-4859-9891-28931fa6101d_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_103.json b/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_103.json deleted file mode 100644 index cd90726925c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may use this technique to evade defenses.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution from a Mounted Device", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"C:\\\\*\" and\n (process.working_directory : \"?:\\\\\" and not process.working_directory: \"C:\\\\\") and\n process.parent.name : \"explorer.exe\" and\n process.name : (\"rundll32.exe\", \"mshta.exe\", \"powershell.exe\", \"pwsh.exe\", \"cmd.exe\", \"regsvr32.exe\",\n \"cscript.exe\", \"wscript.exe\")\n", "references": ["https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 47, "rule_id": "8a1d4831-3ce6-4859-9891-28931fa6101d", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": 
"medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}, {"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}, {"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "8a1d4831-3ce6-4859-9891-28931fa6101d_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_104.json b/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_104.json deleted file mode 100644 index c32e0574cba..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may use this technique to evade defenses.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution from a Mounted Device", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"C:\\\\*\" and\n (process.working_directory : \"?:\\\\\" and not process.working_directory: \"C:\\\\\") and\n process.parent.name : \"explorer.exe\" and\n process.name : (\"rundll32.exe\", \"mshta.exe\", \"powershell.exe\", \"pwsh.exe\", \"cmd.exe\", \"regsvr32.exe\",\n \"cscript.exe\", \"wscript.exe\")\n", "references": ["https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 47, "rule_id": "8a1d4831-3ce6-4859-9891-28931fa6101d", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": 
"medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}, {"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}, {"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "8a1d4831-3ce6-4859-9891-28931fa6101d_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_105.json b/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_105.json deleted file mode 100644 index 9a8c588e127..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may use this technique to evade defenses.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution from a Mounted Device", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"C:\\\\*\" and\n (process.working_directory : \"?:\\\\\" and not process.working_directory: \"C:\\\\\") and\n process.parent.name : \"explorer.exe\" and\n process.name : (\"rundll32.exe\", \"mshta.exe\", \"powershell.exe\", \"pwsh.exe\", \"cmd.exe\", \"regsvr32.exe\",\n \"cscript.exe\", \"wscript.exe\")\n", "references": ["https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 47, "rule_id": "8a1d4831-3ce6-4859-9891-28931fa6101d", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": 
"medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}, {"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}, {"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "8a1d4831-3ce6-4859-9891-28931fa6101d_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_106.json b/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_106.json deleted file mode 100644 index 0d40bb80e88..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may use this technique to evade defenses.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution from a Mounted Device", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"C:\\\\*\" and\n (process.working_directory : \"?:\\\\\" and not process.working_directory: \"C:\\\\\") and\n process.parent.name : \"explorer.exe\" and\n process.name : (\"rundll32.exe\", \"mshta.exe\", \"powershell.exe\", \"pwsh.exe\", \"cmd.exe\", \"regsvr32.exe\",\n \"cscript.exe\", \"wscript.exe\")\n", "references": ["https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 47, "rule_id": "8a1d4831-3ce6-4859-9891-28931fa6101d", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to 
@timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}, {"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}, {"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "8a1d4831-3ce6-4859-9891-28931fa6101d_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_107.json b/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_107.json deleted file mode 100644 index e1a5ca8e2f7..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may use this technique to evade defenses.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution from a Mounted Device", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"C:\\\\*\" and\n (process.working_directory : \"?:\\\\\" and not process.working_directory: \"C:\\\\\") and\n process.parent.name : \"explorer.exe\" and\n process.name : (\"rundll32.exe\", \"mshta.exe\", \"powershell.exe\", \"pwsh.exe\", \"cmd.exe\", \"regsvr32.exe\",\n \"cscript.exe\", \"wscript.exe\")\n", "references": ["https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 47, "rule_id": "8a1d4831-3ce6-4859-9891-28931fa6101d", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}, {"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}, {"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "8a1d4831-3ce6-4859-9891-28931fa6101d_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_108.json b/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_108.json deleted file mode 100644 index 6d5910cd75e..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/8a1d4831-3ce6-4859-9891-28931fa6101d_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a script interpreter or signed binary is launched via a non-standard working directory. An attacker may use this technique to evade defenses.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution from a Mounted Device", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.executable : \"C:\\\\*\" and\n (process.working_directory : \"?:\\\\\" and not process.working_directory: \"C:\\\\\") and\n process.parent.name : \"explorer.exe\" and\n process.name : (\"rundll32.exe\", \"mshta.exe\", \"powershell.exe\", \"pwsh.exe\", \"cmd.exe\", \"regsvr32.exe\",\n \"cscript.exe\", \"wscript.exe\")\n", "references": ["https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 47, "rule_id": "8a1d4831-3ce6-4859-9891-28931fa6101d", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline 
to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}, {"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}, {"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "8a1d4831-3ce6-4859-9891-28931fa6101d_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1.json b/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1.json deleted file mode 100644 index 89163cb8de0..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly modified."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Network Zone", "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Network Zone\n\nThe Okta network zones can be configured to restrict or limit access to a network based on IP addresses or geolocations. Deactivating a network zone in Okta may remove or weaken the security controls of an organization, which might be an indicator of an adversary's attempt to evade defenses.\n\n#### Possible investigation steps\n\n- Identify the actor related to the alert by reviewing the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\n- Examine the `event.action` field to confirm the deactivation of a network zone.\n- Check the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` to identify the network zone that was deactivated.\n- Investigate the `event.time` field to understand when the event happened.\n- Review the actor's activities before and after the event to understand the context of this event.\n\n### False positive analysis\n\n- Check the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. 
If these match the actor's normal behavior, it might be a false positive.\n- Check if the actor is a known administrator or part of the IT team who might have a legitimate reason to deactivate a network zone.\n- Verify the actor's actions with any known planned changes or maintenance activities.\n\n### Response and remediation\n\n- If unauthorized access or actions are confirmed, immediately lock the affected actor account and require a password change.\n- Re-enable the deactivated network zone if it was deactivated without authorization.\n- Review and update the privileges of the actor who initiated the deactivation.\n- Check the security policies and procedures to identify any gaps and update them as necessary.\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.\n- Communicate and train the employees about the importance of following proper procedures for modifying network zone settings.", "query": "event.dataset:okta.system and event.action:zone.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", 
"reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_102.json b/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_102.json deleted file mode 100644 index 41b3dfce348..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly modified."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Network Zone", "note": "", "query": "event.dataset:okta.system and event.action:zone.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Network Security", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": 
"https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_103.json b/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_103.json deleted file mode 100644 index 7d1d2dd6427..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly modified."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Network Zone", "note": "", "query": "event.dataset:okta.system and event.action:zone.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", 
"reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_104.json b/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_104.json deleted file mode 100644 index 460fd498780..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly modified."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Network Zone", "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Network Zone\n\nThe Okta network zones can be configured to restrict or limit access to a network based on IP addresses or geolocations. Deactivating a network zone in Okta may remove or weaken the security controls of an organization, which might be an indicator of an adversary's attempt to evade defenses.\n\n#### Possible investigation steps\n\n- Identify the actor related to the alert by reviewing the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\n- Examine the `event.action` field to confirm the deactivation of a network zone.\n- Check the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` to identify the network zone that was deactivated.\n- Investigate the `event.time` field to understand when the event happened.\n- Review the actor's activities before and after the event to understand the context of this event.\n\n### False positive analysis\n\n- Check the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. 
If these match the actor's normal behavior, it might be a false positive.\n- Check if the actor is a known administrator or part of the IT team who might have a legitimate reason to deactivate a network zone.\n- Verify the actor's actions with any known planned changes or maintenance activities.\n\n### Response and remediation\n\n- If unauthorized access or actions are confirmed, immediately lock the affected actor account and require a password change.\n- Re-enable the deactivated network zone if it was deactivated without authorization.\n- Review and update the privileges of the actor who initiated the deactivation.\n- Check the security policies and procedures to identify any gaps and update them as necessary.\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.\n- Communicate and train the employees about the importance of following proper procedures for modifying network zone settings.", "query": "event.dataset:okta.system and event.action:zone.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", 
"reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_105.json b/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_105.json deleted file mode 100644 index 630a43489d7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly modified."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Network Zone", "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Network Zone\n\nThe Okta network zones can be configured to restrict or limit access to a network based on IP addresses or geolocations. Deactivating a network zone in Okta may remove or weaken the security controls of an organization, which might be an indicator of an adversary's attempt to evade defenses.\n\n#### Possible investigation steps\n\n- Identify the actor related to the alert by reviewing the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\n- Examine the `event.action` field to confirm the deactivation of a network zone.\n- Check the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` to identify the network zone that was deactivated.\n- Investigate the `event.time` field to understand when the event happened.\n- Review the actor's activities before and after the event to understand the context of this event.\n\n### False positive analysis\n\n- Check the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. 
If these match the actor's normal behavior, it might be a false positive.\n- Check if the actor is a known administrator or part of the IT team who might have a legitimate reason to deactivate a network zone.\n- Verify the actor's actions with any known planned changes or maintenance activities.\n\n### Response and remediation\n\n- If unauthorized access or actions are confirmed, immediately lock the affected actor account and require a password change.\n- Re-enable the deactivated network zone if it was deactivated without authorization.\n- Review and update the privileges of the actor who initiated the deactivation.\n- Check the security policies and procedures to identify any gaps and update them as necessary.\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.\n- Communicate and train the employees about the importance of following proper procedures for modifying network zone settings.", "query": "event.dataset:okta.system and event.action:zone.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", 
"reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_206.json b/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_206.json deleted file mode 100644 index 838167d5caf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_206.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly modified."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Network Zone", "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Network Zone\n\nThe Okta network zones can be configured to restrict or limit access to a network based on IP addresses or geolocations. Deactivating a network zone in Okta may remove or weaken the security controls of an organization, which might be an indicator of an adversary's attempt to evade defenses.\n\n#### Possible investigation steps\n\n- Identify the actor related to the alert by reviewing the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\n- Examine the `event.action` field to confirm the deactivation of a network zone.\n- Check the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` to identify the network zone that was deactivated.\n- Investigate the `event.time` field to understand when the event happened.\n- Review the actor's activities before and after the event to understand the context of this event.\n\n### False positive analysis\n\n- Check the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. 
If these match the actor's normal behavior, it might be a false positive.\n- Check if the actor is a known administrator or part of the IT team who might have a legitimate reason to deactivate a network zone.\n- Verify the actor's actions with any known planned changes or maintenance activities.\n\n### Response and remediation\n\n- If unauthorized access or actions are confirmed, immediately lock the affected actor account and require a password change.\n- Re-enable the deactivated network zone if it was deactivated without authorization.\n- Review and update the privileges of the actor who initiated the deactivation.\n- Check the security policies and procedures to identify any gaps and update them as necessary.\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.\n- Communicate and train the employees about the importance of following proper procedures for modifying network zone settings.", "query": "event.dataset:okta.system and event.action:zone.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", 
"reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1_206", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_207.json b/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_207.json deleted file mode 100644 index 8b6c4dc20a2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_207.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly modified."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Network Zone", "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Network Zone\n\nThe Okta network zones can be configured to restrict or limit access to a network based on IP addresses or geolocations. Deactivating a network zone in Okta may remove or weaken the security controls of an organization, which might be an indicator of an adversary's attempt to evade defenses.\n\n#### Possible investigation steps\n\n- Identify the actor related to the alert by reviewing the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\n- Examine the `event.action` field to confirm the deactivation of a network zone.\n- Check the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` to identify the network zone that was deactivated.\n- Investigate the `event.time` field to understand when the event happened.\n- Review the actor's activities before and after the event to understand the context of this event.\n\n### False positive analysis\n\n- Check the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. 
If these match the actor's normal behavior, it might be a false positive.\n- Check if the actor is a known administrator or part of the IT team who might have a legitimate reason to deactivate a network zone.\n- Verify the actor's actions with any known planned changes or maintenance activities.\n\n### Response and remediation\n\n- If unauthorized access or actions are confirmed, immediately lock the affected actor account and require a password change.\n- Re-enable the deactivated network zone if it was deactivated without authorization.\n- Review and update the privileges of the actor who initiated the deactivation.\n- Check the security policies and procedures to identify any gaps and update them as necessary.\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.\n- Communicate and train the employees about the importance of following proper procedures for modifying network zone settings.", "query": "event.dataset:okta.system and event.action:zone.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use 
Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1_207", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_209.json b/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_209.json deleted file mode 100644 index b5f5d6fdbd4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_209.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly modified."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Network Zone", "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Network Zone\n\nThe Okta network zones can be configured to restrict or limit access to a network based on IP addresses or geolocations. Deactivating a network zone in Okta may remove or weaken the security controls of an organization, which might be an indicator of an adversary's attempt to evade defenses.\n\n#### Possible investigation steps\n\n- Identify the actor related to the alert by reviewing the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\n- Examine the `event.action` field to confirm the deactivation of a network zone.\n- Check the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` to identify the network zone that was deactivated.\n- Investigate the `event.time` field to understand when the event happened.\n- Review the actor's activities before and after the event to understand the context of this event.\n\n### False positive analysis\n\n- Check the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. 
If these match the actor's normal behavior, it might be a false positive.\n- Check if the actor is a known administrator or part of the IT team who might have a legitimate reason to deactivate a network zone.\n- Verify the actor's actions with any known planned changes or maintenance activities.\n\n### Response and remediation\n\n- If unauthorized access or actions are confirmed, immediately lock the affected actor account and require a password change.\n- Re-enable the deactivated network zone if it was deactivated without authorization.\n- Review and update the privileges of the actor who initiated the deactivation.\n- Check the security policies and procedures to identify any gaps and update them as necessary.\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.\n- Communicate and train the employees about the importance of following proper procedures for modifying network zone settings.", "query": "event.dataset:okta.system and event.action:zone.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use 
Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1_209", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_309.json b/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_309.json new file mode 100644 index 00000000000..cf04c9b0794 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/8a5c1e5f-ad63-481e-b53a-ef959230f7f1_309.json 
@@ -0,0 +1,85 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects attempts to deactivate an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.",
+ "false_positives": [
+ "Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly modified."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempt to Deactivate an Okta Network Zone",
+ "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Network Zone\n\nThe Okta network zones can be configured to restrict or limit access to a network based on IP addresses or geolocations. Deactivating a network zone in Okta may remove or weaken the security controls of an organization, which might be an indicator of an adversary's attempt to evade defenses.\n\n#### Possible investigation steps\n\n- Identify the actor related to the alert by reviewing the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\n- Examine the `event.action` field to confirm the deactivation of a network zone.\n- Check the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` to identify the network zone that was deactivated.\n- Investigate the `event.time` field to understand when the event happened.\n- Review the actor's activities before and after the event to understand the context of this event.\n\n### False positive analysis\n\n- Check the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. 
If these match the actor's normal behavior, it might be a false positive.\n- Check if the actor is a known administrator or part of the IT team who might have a legitimate reason to deactivate a network zone.\n- Verify the actor's actions with any known planned changes or maintenance activities.\n\n### Response and remediation\n\n- If unauthorized access or actions are confirmed, immediately lock the affected actor account and require a password change.\n- Re-enable the deactivated network zone if it was deactivated without authorization.\n- Review and update the privileges of the actor who initiated the deactivation.\n- Check the security policies and procedures to identify any gaps and update them as necessary.\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.\n- Communicate and train the employees about the importance of following proper procedures for modifying network zone settings.",
+ "query": "event.dataset:okta.system and event.action:zone.deactivate\n",
+ "references": [
+ "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Use Case: Network Security Monitoring",
+ "Tactic: Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.007",
+ "name": "Disable or Modify Cloud Firewall",
+ "reference": "https://attack.mitre.org/techniques/T1562/007/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 309
+ },
+ "id": "8a5c1e5f-ad63-481e-b53a-ef959230f7f1_309",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150.json b/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150.json
deleted file mode 100644
index 8dbd707a80c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150.json
+++ /dev/null
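Review bot: The `description` in this new `_309` revision says the rule covers attempts to "modify, delete, or deactivate" an Okta network zone, but the `query` only matches `event.action:zone.deactivate`, so the text promises broader coverage than the rule delivers. If modification and deletion are handled by sibling rules, say so in the description; otherwise narrow the first sentence to `"Detects attempts to deactivate an Okta network zone."` and keep the adversary context in the sentences that follow. The investigation guide also directs analysts to `event.time` to establish when the event happened, while the rule itself keys on `event.ingested` through `timestamp_override`; confirm that `event.time` is present in the shipped Okta mapping or point the guide at `@timestamp` instead. Both wordings are carried over from the deleted `_209` revision rather than introduced here, and since this package file looks generated, the fix presumably belongs in the upstream rule source.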
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability.", "from": "now-9m", "history_window_start": "now-14d", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious JAVA Child Process", "new_terms_fields": ["host.id", "process.command_line"], "note": "## Triage and analysis\n\n### Investigating Suspicious Java Child Process\n\nThis rule identifies a suspicious child process of the Java interpreter process. It may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a Java specific vulnerability.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Remove and block malicious 
artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and event.type:(\"start\" or \"process_started\") and process.parent.name:\"java\" and process.name:(\n bash or dash or sh or tcsh or csh or zsh or ksh or fish or python* or php* or perl or ruby or lua* or openssl or\n nc or netcat or ncat or telnet or awk or socat or wget or curl\n) and process.args :(\n whoami or id or uname or cat or hostname or ip or curl or wget or pwd or ls or cd or python* or php* or perl or\n ruby or lua* or openssl or nc or netcat or ncat or telnet or awk or socat\n)\n", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://github.com/christophetd/log4shell-vulnerable-app", "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf", "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security", "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": 
"process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "8acb7614-1d92-4359-bfcf-478b6d9de150", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.007", "name": "JavaScript", "reference": "https://attack.mitre.org/techniques/T1059/007/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 208}, "id": "8acb7614-1d92-4359-bfcf-478b6d9de150", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_103.json b/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_103.json deleted file mode 100644 index 10413c84cb6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious JAVA Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious Java Child Process\n\nThis rule identifies a suspicious child process of the Java interpreter process. It may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a Java specific vulnerability.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or 
used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"java\" and\n process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\")\n", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://github.com/christophetd/log4shell-vulnerable-app", "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf", "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security", "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "8acb7614-1d92-4359-bfcf-478b6d9de150", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution", "Investigation Guide"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.007", "name": "JavaScript", "reference": "https://attack.mitre.org/techniques/T1059/007/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "8acb7614-1d92-4359-bfcf-478b6d9de150_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_104.json b/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_104.json deleted file mode 100644 index ed96f1a41cc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious JAVA Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious Java Child Process\n\nThis rule identifies a suspicious child process of the Java interpreter process. It may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a Java specific vulnerability.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or 
used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"java\" and\n process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\")\n", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://github.com/christophetd/log4shell-vulnerable-app", "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf", "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security", "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "8acb7614-1d92-4359-bfcf-478b6d9de150", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", 
"Resources: Investigation Guide", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.007", "name": "JavaScript", "reference": "https://attack.mitre.org/techniques/T1059/007/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "8acb7614-1d92-4359-bfcf-478b6d9de150_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_105.json b/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_105.json deleted file mode 100644 index 4bbd17a144d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious JAVA Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious Java Child Process\n\nThis rule identifies a suspicious child process of the Java interpreter process. It may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a Java specific vulnerability.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or 
used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\") and\n process.parent.name : \"java\" and\n process.name : (\"sh\", \"bash\", \"dash\", \"ksh\", \"tcsh\", \"zsh\", \"curl\", \"wget\")\n", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://github.com/christophetd/log4shell-vulnerable-app", "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf", "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security", "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "8acb7614-1d92-4359-bfcf-478b6d9de150", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", 
"Resources: Investigation Guide", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.007", "name": "JavaScript", "reference": "https://attack.mitre.org/techniques/T1059/007/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "8acb7614-1d92-4359-bfcf-478b6d9de150_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_205.json b/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_205.json deleted file mode 100644 index 12326f141c5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability.", "from": "now-9m", "history_window_start": "now-7d", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious JAVA Child Process", "new_terms_fields": ["host.id", "process.command_line"], "note": "## Triage and analysis\n\n### Investigating Suspicious Java Child Process\n\nThis rule identifies a suspicious child process of the Java interpreter process. It may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a Java specific vulnerability.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Remove and block malicious 
artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and event.type:(\"start\" or \"process_started\") and process.parent.name:\"java\" and process.name:(\n \"sh\" or \"bash\" or \"dash\" or \"ksh\" or \"tcsh\" or \"zsh\" or \"curl\" or \"wget\"\n)\n", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://github.com/christophetd/log4shell-vulnerable-app", "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf", "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security", "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "8acb7614-1d92-4359-bfcf-478b6d9de150", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate 
`event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.007", "name": "JavaScript", "reference": "https://attack.mitre.org/techniques/T1059/007/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 205}, "id": "8acb7614-1d92-4359-bfcf-478b6d9de150_205", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_206.json b/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_206.json deleted file mode 100644 index 7ed27216bad..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_206.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability.", "from": "now-9m", "history_window_start": "now-7d", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious JAVA Child Process", "new_terms_fields": ["host.id", "process.command_line"], "note": "## Triage and analysis\n\n### Investigating Suspicious Java Child Process\n\nThis rule identifies a suspicious child process of the Java interpreter process. It may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a Java specific vulnerability.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Remove and block malicious 
artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.category:process and event.type:(\"start\" or \"process_started\") and process.parent.name:\"java\" and process.name:(\n \"sh\" or \"bash\" or \"dash\" or \"ksh\" or \"tcsh\" or \"zsh\" or \"curl\" or \"wget\"\n)\n", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://github.com/christophetd/log4shell-vulnerable-app", "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf", "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security", "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "8acb7614-1d92-4359-bfcf-478b6d9de150", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users 
will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.007", "name": "JavaScript", "reference": "https://attack.mitre.org/techniques/T1059/007/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 206}, "id": "8acb7614-1d92-4359-bfcf-478b6d9de150_206", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_207.json b/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_207.json deleted file mode 100644 index 1fab62b5970..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_207.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability.", "from": "now-9m", "history_window_start": "now-14d", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious JAVA Child Process", "new_terms_fields": ["host.id", "process.command_line", "process.parent.command_line"], "note": "## Triage and analysis\n\n### Investigating Suspicious Java Child Process\n\nThis rule identifies a suspicious child process of the Java interpreter process. It may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a Java specific vulnerability.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- 
Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.category:process and event.type:(\"start\" or \"process_started\") and process.parent.name:\"java\" and process.name:(\n \"sh\" or \"bash\" or \"dash\" or \"ksh\" or \"tcsh\" or \"zsh\" or \"curl\" or \"wget\"\n)\n", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://github.com/christophetd/log4shell-vulnerable-app", "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf", "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security", "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "8acb7614-1d92-4359-bfcf-478b6d9de150", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule 
to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.007", "name": "JavaScript", "reference": "https://attack.mitre.org/techniques/T1059/007/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 207}, "id": "8acb7614-1d92-4359-bfcf-478b6d9de150_207", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_208.json b/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_208.json deleted file mode 100644 index 4b75d159517..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8acb7614-1d92-4359-bfcf-478b6d9de150_208.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of the Java interpreter process. This may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a JAVA specific vulnerability.", "from": "now-9m", "history_window_start": "now-14d", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious JAVA Child Process", "new_terms_fields": ["host.id", "process.command_line"], "note": "## Triage and analysis\n\n### Investigating Suspicious Java Child Process\n\nThis rule identifies a suspicious child process of the Java interpreter process. It may indicate an attempt to execute a malicious JAR file or an exploitation attempt via a Java specific vulnerability.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n- Examine the command line to determine if the command executed is potentially harmful or malicious.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Remove and block malicious 
artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and event.type:(\"start\" or \"process_started\") and process.parent.name:\"java\" and process.name:(\n bash or dash or sh or tcsh or csh or zsh or ksh or fish or python* or php* or perl or ruby or lua* or openssl or\n nc or netcat or ncat or telnet or awk or socat or wget or curl\n) and process.args :(\n whoami or id or uname or cat or hostname or ip or curl or wget or pwd or ls or cd or python* or php* or perl or\n ruby or lua* or openssl or nc or netcat or ncat or telnet or awk or socat\n)\n", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://github.com/christophetd/log4shell-vulnerable-app", "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf", "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security", "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": 
"process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "8acb7614-1d92-4359-bfcf-478b6d9de150", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.007", "name": "JavaScript", "reference": "https://attack.mitre.org/techniques/T1059/007/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 208}, "id": "8acb7614-1d92-4359-bfcf-478b6d9de150_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288.json b/packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288.json deleted file mode 100644 index fc2dcb51b74..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of a suspicious sudo command that is leveraged in CVE-2019-14287 to escalate privileges to root. Sudo does not verify the presence of the designated user ID and proceeds to execute using a user ID that can be chosen arbitrarily. By using the sudo privileges, the command \"sudo -u#-1\" translates to an ID of 0, representing the root user. This exploit may work for sudo versions prior to v1.28.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Sudo Privilege Escalation via CVE-2019-14287", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"sudo\" and process.args == \"-u#-1\"\n", "references": ["https://www.exploit-db.com/exploits/47502"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "8af5b42f-8d74-48c8-a8d0-6d14b4197288", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Use Case: Vulnerability", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "8af5b42f-8d74-48c8-a8d0-6d14b4197288", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288_1.json b/packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288_1.json deleted file mode 100644 index 168c8dad9c7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of a suspicious sudo command that is leveraged in CVE-2019-14287 to escalate privileges to root. Sudo does not verify the presence of the designated user ID and proceeds to execute using a user ID that can be chosen arbitrarily. By using the sudo privileges, the command \"sudo -u#-1\" translates to an ID of 0, representing the root user. This exploit may work for sudo versions prior to v1.28.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Sudo Privilege Escalation via CVE-2019-14287", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"sudo\" and process.args == \"-u#-1\"\n", "references": ["https://www.exploit-db.com/exploits/47502"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "8af5b42f-8d74-48c8-a8d0-6d14b4197288", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "8af5b42f-8d74-48c8-a8d0-6d14b4197288_1", "type": "security-rule"} \ No 
newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288_2.json b/packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288_2.json deleted file mode 100644 index 27127c3c762..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of a suspicious sudo command that is leveraged in CVE-2019-14287 to escalate privileges to root. Sudo does not verify the presence of the designated user ID and proceeds to execute using a user ID that can be chosen arbitrarily. By using the sudo privileges, the command \"sudo -u#-1\" translates to an ID of 0, representing the root user. This exploit may work for sudo versions prior to v1.28.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Sudo Privilege Escalation via CVE-2019-14287", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"sudo\" and process.args == \"-u#-1\"\n", "references": ["https://www.exploit-db.com/exploits/47502"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "8af5b42f-8d74-48c8-a8d0-6d14b4197288", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "8af5b42f-8d74-48c8-a8d0-6d14b4197288_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288_3.json b/packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288_3.json deleted file mode 100644 index 8de2d2b7875..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8af5b42f-8d74-48c8-a8d0-6d14b4197288_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of a suspicious sudo command that is leveraged in CVE-2019-14287 to escalate privileges to root. Sudo does not verify the presence of the designated user ID and proceeds to execute using a user ID that can be chosen arbitrarily. By using the sudo privileges, the command \"sudo -u#-1\" translates to an ID of 0, representing the root user. This exploit may work for sudo versions prior to v1.28.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Sudo Privilege Escalation via CVE-2019-14287", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"sudo\" and process.args == \"-u#-1\"\n", "references": ["https://www.exploit-db.com/exploits/47502"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "8af5b42f-8d74-48c8-a8d0-6d14b4197288", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "8af5b42f-8d74-48c8-a8d0-6d14b4197288_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f.json b/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f.json deleted file mode 100644 index 258f49432d7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Executable File Creation with Multiple Extensions", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"exe\" and\n file.name regex~ \"\"\".*\\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\\.exe\"\"\" and\n not (process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Users\\\\*\\\\QGIS_SCCM\\\\Files\\\\QGIS-OSGeo4W-*-Setup-x86_64.exe\") and\n file.path : \"?:\\\\Program Files\\\\QGIS *\\\\apps\\\\grass\\\\*.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to 
add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.007", "name": "Double File Extension", "reference": "https://attack.mitre.org/techniques/T1036/007/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_103.json b/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_103.json deleted file mode 100644 index cc7ab9ed53a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Executable File Creation with Multiple Extensions", "note": "", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"exe\" and\n file.name regex~ \"\"\".*\\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\\.exe\"\"\" and\n not (process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Users\\\\*\\\\QGIS_SCCM\\\\Files\\\\QGIS-OSGeo4W-*-Setup-x86_64.exe\") and\n file.path : \"?:\\\\Program Files\\\\QGIS *\\\\apps\\\\grass\\\\*.exe\") and\n not process.executable : (\"/bin/sh\", \"/usr/sbin/MailScanner\", \"/usr/bin/perl\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp 
for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.007", "name": "Double File Extension", "reference": "https://attack.mitre.org/techniques/T1036/007/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_104.json b/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_104.json deleted file mode 100644 index 415a3233f14..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Executable File Creation with Multiple Extensions", "note": "", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"exe\" and\n file.name regex~ \"\"\".*\\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\\.exe\"\"\" and\n not (process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Users\\\\*\\\\QGIS_SCCM\\\\Files\\\\QGIS-OSGeo4W-*-Setup-x86_64.exe\") and\n file.path : \"?:\\\\Program Files\\\\QGIS *\\\\apps\\\\grass\\\\*.exe\") and\n not process.executable : (\"/bin/sh\", \"/usr/sbin/MailScanner\", \"/usr/bin/perl\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp 
for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.007", "name": "Double File Extension", "reference": "https://attack.mitre.org/techniques/T1036/007/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_105.json b/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_105.json deleted file mode 100644 index 7f33ac81d77..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Executable File Creation with Multiple Extensions", "note": "", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"exe\" and\n file.name regex~ \"\"\".*\\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\\.exe\"\"\" and\n not (process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Users\\\\*\\\\QGIS_SCCM\\\\Files\\\\QGIS-OSGeo4W-*-Setup-x86_64.exe\") and\n file.path : \"?:\\\\Program Files\\\\QGIS *\\\\apps\\\\grass\\\\*.exe\") and\n not process.executable : (\"/bin/sh\", \"/usr/sbin/MailScanner\", \"/usr/bin/perl\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp 
for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.007", "name": "Double File Extension", "reference": "https://attack.mitre.org/techniques/T1036/007/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_106.json b/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_106.json deleted file mode 100644 index 7f305638585..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Executable File Creation with Multiple Extensions", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"exe\" and\n file.name regex~ \"\"\".*\\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\\.exe\"\"\" and\n not (process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Users\\\\*\\\\QGIS_SCCM\\\\Files\\\\QGIS-OSGeo4W-*-Setup-x86_64.exe\") and\n file.path : \"?:\\\\Program Files\\\\QGIS *\\\\apps\\\\grass\\\\*.exe\") and\n not process.executable : (\"/bin/sh\", \"/usr/sbin/MailScanner\", \"/usr/bin/perl\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest 
pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.007", "name": "Double File Extension", "reference": "https://attack.mitre.org/techniques/T1036/007/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_107.json b/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_107.json deleted file mode 100644 index 1fc7b0a427c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Executable File Creation with Multiple Extensions", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"exe\" and\n file.name regex~ \"\"\".*\\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\\.exe\"\"\" and\n not (process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Users\\\\*\\\\QGIS_SCCM\\\\Files\\\\QGIS-OSGeo4W-*-Setup-x86_64.exe\") and\n file.path : \"?:\\\\Program Files\\\\QGIS *\\\\apps\\\\grass\\\\*.exe\") and\n not process.executable : (\"/bin/sh\", \"/usr/sbin/MailScanner\", \"/usr/bin/perl\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need 
to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.007", "name": "Double File Extension", "reference": "https://attack.mitre.org/techniques/T1036/007/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_108.json b/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_108.json deleted file mode 100644 index 99b653f15fb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Executable File Creation with Multiple Extensions", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"exe\" and\n file.name regex~ \"\"\".*\\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\\.exe\"\"\" and\n not (process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Users\\\\*\\\\QGIS_SCCM\\\\Files\\\\QGIS-OSGeo4W-*-Setup-x86_64.exe\") and\n file.path : \"?:\\\\Program Files\\\\QGIS *\\\\apps\\\\grass\\\\*.exe\") and\n not process.executable : (\"/bin/sh\", \"/usr/sbin/MailScanner\", \"/usr/bin/perl\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will 
need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.007", "name": "Double File Extension", "reference": "https://attack.mitre.org/techniques/T1036/007/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_109.json b/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_109.json deleted file mode 100644 index 9f7eefe5b79..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8b2b3a62-a598-4293-bc14-3d5fa22bb98f_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Masquerading can allow an adversary to evade defenses and better blend in with the environment. One way it occurs is when the name or location of a file is manipulated as a means of tricking a user into executing what they think is a benign file type but is actually executable code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Executable File Creation with Multiple Extensions", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"exe\" and\n file.name regex~ \"\"\".*\\.(vbs|vbe|bat|js|cmd|wsh|ps1|pdf|docx?|xlsx?|pptx?|txt|rtf|gif|jpg|png|bmp|hta|txt|img|iso)\\.exe\"\"\" and\n not (process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Users\\\\*\\\\QGIS_SCCM\\\\Files\\\\QGIS-OSGeo4W-*-Setup-x86_64.exe\") and\n file.path : \"?:\\\\Program Files\\\\QGIS *\\\\apps\\\\grass\\\\*.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to 
add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.007", "name": "Double File Extension", "reference": "https://attack.mitre.org/techniques/T1036/007/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "8b2b3a62-a598-4293-bc14-3d5fa22bb98f_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09.json b/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09.json deleted file mode 100644 index c55c1685624..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.", "false_positives": ["Host Windows Firewall planned system administration changes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Enable Host Network Discovery via Netsh", "note": "## Triage and analysis\n\n### Investigating Enable Host Network Discovery via Netsh\n\nThe Windows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can enable Network Discovery on the Windows firewall to find other systems present in the same network. Systems with this setting enabled will communicate with other systems using broadcast messages, which can be used to identify targets for lateral movement. This rule looks for the setup of this setting using the netsh utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Disable Network Discovery:\n - Using netsh: `netsh advfirewall firewall set rule group=\"Network Discovery\" new enable=No`\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.name : \"netsh.exe\" and\nprocess.args : (\"firewall\", \"advfirewall\") and process.args : \"group=Network Discovery\" and process.args : \"enable=Yes\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "8b4f0816-6a65-4630-86a6-c21c179c0d09", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until 
version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "8b4f0816-6a65-4630-86a6-c21c179c0d09", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_104.json b/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_104.json deleted file mode 100644 index 6d66aae4106..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.", "false_positives": ["Host Windows Firewall planned system administration changes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Enable Host Network Discovery via Netsh", "note": "## Triage and analysis\n\n### Investigating Enable Host Network Discovery via Netsh\n\nThe Windows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can enable Network Discovery on the Windows firewall to find other systems present in the same network. Systems with this setting enabled will communicate with other systems using broadcast messages, which can be used to identify targets for lateral movement. This rule looks for the setup of this setting using the netsh utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Disable Network Discovery:\n - Using netsh: `netsh advfirewall firewall set rule group=\"Network Discovery\" new enable=No`\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.name : \"netsh.exe\" and\nprocess.args : (\"firewall\", \"advfirewall\") and process.args : \"group=Network Discovery\" and process.args : \"enable=Yes\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "8b4f0816-6a65-4630-86a6-c21c179c0d09", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will 
need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "8b4f0816-6a65-4630-86a6-c21c179c0d09_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_105.json b/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_105.json
deleted file mode 100644
index 618c652f28a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.", "false_positives": ["Host Windows Firewall planned system administration changes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Enable Host Network Discovery via Netsh", "note": "## Triage and analysis\n\n### Investigating Enable Host Network Discovery via Netsh\n\nThe Windows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can enable Network Discovery on the Windows firewall to find other systems present in the same network. Systems with this setting enabled will communicate with other systems using broadcast messages, which can be used to identify targets for lateral movement. This rule looks for the setup of this setting using the netsh utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Disable Network Discovery:\n - Using netsh: `netsh advfirewall firewall set rule group=\"Network Discovery\" new enable=No`\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.name : \"netsh.exe\" and\nprocess.args : (\"firewall\", \"advfirewall\") and process.args : \"group=Network Discovery\" and process.args : \"enable=Yes\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "8b4f0816-6a65-4630-86a6-c21c179c0d09", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will 
need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "8b4f0816-6a65-4630-86a6-c21c179c0d09_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_106.json b/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_106.json
deleted file mode 100644
index 9abd1859571..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.", "false_positives": ["Host Windows Firewall planned system administration changes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Enable Host Network Discovery via Netsh", "note": "## Triage and analysis\n\n### Investigating Enable Host Network Discovery via Netsh\n\nThe Windows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can enable Network Discovery on the Windows firewall to find other systems present in the same network. Systems with this setting enabled will communicate with other systems using broadcast messages, which can be used to identify targets for lateral movement. This rule looks for the setup of this setting using the netsh utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Disable Network Discovery:\n - Using netsh: `netsh advfirewall firewall set rule group=\"Network Discovery\" new enable=No`\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.name : \"netsh.exe\" and\nprocess.args : (\"firewall\", \"advfirewall\") and process.args : \"group=Network Discovery\" and process.args : \"enable=Yes\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "8b4f0816-6a65-4630-86a6-c21c179c0d09", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will 
need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "8b4f0816-6a65-4630-86a6-c21c179c0d09_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_107.json b/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_107.json
deleted file mode 100644
index 9f8d55ffe62..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.", "false_positives": ["Host Windows Firewall planned system administration changes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Enable Host Network Discovery via Netsh", "note": "## Triage and analysis\n\n### Investigating Enable Host Network Discovery via Netsh\n\nThe Windows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can enable Network Discovery on the Windows firewall to find other systems present in the same network. Systems with this setting enabled will communicate with other systems using broadcast messages, which can be used to identify targets for lateral movement. This rule looks for the setup of this setting using the netsh utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Disable Network Discovery:\n - Using netsh: `netsh advfirewall firewall set rule group=\"Network Discovery\" new enable=No`\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.name : \"netsh.exe\" and\nprocess.args : (\"firewall\", \"advfirewall\") and process.args : \"group=Network Discovery\" and process.args : \"enable=Yes\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "8b4f0816-6a65-4630-86a6-c21c179c0d09", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 
8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "8b4f0816-6a65-4630-86a6-c21c179c0d09_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_108.json b/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_108.json
deleted file mode 100644
index 0b4c15a5189..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.", "false_positives": ["Host Windows Firewall planned system administration changes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Enable Host Network Discovery via Netsh", "note": "## Triage and analysis\n\n### Investigating Enable Host Network Discovery via Netsh\n\nThe Windows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can enable Network Discovery on the Windows firewall to find other systems present in the same network. Systems with this setting enabled will communicate with other systems using broadcast messages, which can be used to identify targets for lateral movement. This rule looks for the setup of this setting using the netsh utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Disable Network Discovery:\n - Using netsh: `netsh advfirewall firewall set rule group=\"Network Discovery\" new enable=No`\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.name : \"netsh.exe\" and\nprocess.args : (\"firewall\", \"advfirewall\") and process.args : \"group=Network Discovery\" and process.args : \"enable=Yes\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "8b4f0816-6a65-4630-86a6-c21c179c0d09", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until 
version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "8b4f0816-6a65-4630-86a6-c21c179c0d09_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_109.json b/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_109.json
deleted file mode 100644
index effdbda4e18..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.", "false_positives": ["Host Windows Firewall planned system administration changes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Enable Host Network Discovery via Netsh", "note": "## Triage and analysis\n\n### Investigating Enable Host Network Discovery via Netsh\n\nThe Windows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can enable Network Discovery on the Windows firewall to find other systems present in the same network. Systems with this setting enabled will communicate with other systems using broadcast messages, which can be used to identify targets for lateral movement. This rule looks for the setup of this setting using the netsh utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Disable Network Discovery:\n - Using netsh: `netsh advfirewall firewall set rule group=\"Network Discovery\" new enable=No`\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.name : \"netsh.exe\" and\nprocess.args : (\"firewall\", \"advfirewall\") and process.args : \"group=Network Discovery\" and process.args : \"enable=Yes\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "8b4f0816-6a65-4630-86a6-c21c179c0d09", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until 
version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "8b4f0816-6a65-4630-86a6-c21c179c0d09_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_110.json b/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_110.json
deleted file mode 100644
index d57f712c865..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.", "false_positives": ["Host Windows Firewall planned system administration changes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Enable Host Network Discovery via Netsh", "note": "## Triage and analysis\n\n### Investigating Enable Host Network Discovery via Netsh\n\nThe Windows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can enable Network Discovery on the Windows firewall to find other systems present in the same network. Systems with this setting enabled will communicate with other systems using broadcast messages, which can be used to identify targets for lateral movement. This rule looks for the setup of this setting using the netsh utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Disable Network Discovery:\n - Using netsh: `netsh advfirewall firewall set rule group=\"Network Discovery\" new enable=No`\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.name : \"netsh.exe\" and\nprocess.args : (\"firewall\", \"advfirewall\") and process.args : \"group=Network Discovery\" and process.args : \"enable=Yes\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "8b4f0816-6a65-4630-86a6-c21c179c0d09", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until 
version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "8b4f0816-6a65-4630-86a6-c21c179c0d09_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_310.json b/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_310.json
deleted file mode 100644
index 0a5c58a31db..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8b4f0816-6a65-4630-86a6-c21c179c0d09_310.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the netsh.exe program to enable host discovery via the network. Attackers can use this command-line tool to weaken the host firewall settings.", "false_positives": ["Host Windows Firewall planned system administration changes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Enable Host Network Discovery via Netsh", "note": "## Triage and analysis\n\n### Investigating Enable Host Network Discovery via Netsh\n\nThe Windows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can enable Network Discovery on the Windows firewall to find other systems present in the same network. Systems with this setting enabled will communicate with other systems using broadcast messages, which can be used to identify targets for lateral movement. This rule looks for the setup of this setting using the netsh utility.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the Administrator is aware of the activity and there are justifications for this configuration.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Disable Network Discovery:\n - Using netsh: `netsh advfirewall firewall set rule group=\"Network Discovery\" new enable=No`\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\nprocess.name : \"netsh.exe\" and\nprocess.args : (\"firewall\", \"advfirewall\") and process.args : \"group=Network Discovery\" and process.args : \"enable=Yes\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "8b4f0816-6a65-4630-86a6-c21c179c0d09", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": 
[{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 310}, "id": "8b4f0816-6a65-4630-86a6-c21c179c0d09_310", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8b64d36a-1307-4b2e-a77b-a0027e4d27c8.json b/packages/security_detection_engine/kibana/security_rule/8b64d36a-1307-4b2e-a77b-a0027e4d27c8.json
deleted file mode 100644
index 8475bbb9386..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8b64d36a-1307-4b2e-a77b-a0027e4d27c8.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies when events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes. Example events are a container creation, an image pull, or a pod scheduling on a node. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.", "false_positives": ["Events deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Kubernetes Events Deleted", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE\" and\nevent.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "8b64d36a-1307-4b2e-a77b-a0027e4d27c8", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "8b64d36a-1307-4b2e-a77b-a0027e4d27c8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8b64d36a-1307-4b2e-a77b-a0027e4d27c8_101.json b/packages/security_detection_engine/kibana/security_rule/8b64d36a-1307-4b2e-a77b-a0027e4d27c8_101.json
deleted file mode 100644
index dc2764f7b28..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8b64d36a-1307-4b2e-a77b-a0027e4d27c8_101.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies when events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes. Example events are a container creation, an image pull, or a pod scheduling on a node. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.", "false_positives": ["Events deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Kubernetes Events Deleted", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE\" and\nevent.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "8b64d36a-1307-4b2e-a77b-a0027e4d27c8", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Log Auditing"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, 
"technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "8b64d36a-1307-4b2e-a77b-a0027e4d27c8_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488.json b/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488.json
deleted file mode 100644
index cc719d54553..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", "false_positives": ["Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected."], "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "RDP (Remote Desktop Protocol) from the Internet", "query": "(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 
172.16.0.0/12 or\n 192.168.0.0/16\n )\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488", "severity": "medium", "tags": ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timeline_id": "300afc76-072d-4261-864d-4149714bf3f1", "timeline_title": "Comprehensive Network Timeline", "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_100.json b/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_100.json
deleted file mode 100644
index 7a566777c57..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_100.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", "false_positives": ["Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected."], "from": "now-9m", "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "RDP (Remote Desktop Protocol) from the Internet", "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", 
"references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488", "severity": "medium", "tags": ["Elastic", "Host", "Network", "Threat Detection", "Command and Control", "Host"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timeline_id": "300afc76-072d-4261-864d-4149714bf3f1", "timeline_title": "Comprehensive Network Timeline", "timestamp_override": "event.ingested", "type": "query", "version": 100}, "id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488_100", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_101.json b/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_101.json
deleted file mode 100644
index 91dd700300c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_101.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", "false_positives": ["Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected."], "from": "now-9m", "index": ["packetbeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "RDP (Remote Desktop Protocol) from the Internet", "query": "event.dataset: network_traffic.flow and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", "references": 
["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488", "severity": "medium", "tags": ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timeline_id": "300afc76-072d-4261-864d-4149714bf3f1", "timeline_title": "Comprehensive Network Timeline", "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_102.json b/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_102.json
deleted file mode 100644
index bc2d5da8569..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", "false_positives": ["Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected."], "from": "now-9m", "index": ["packetbeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "RDP (Remote Desktop Protocol) from the Internet", "query": "event.dataset: network_traffic.flow and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", "references": 
["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488", "severity": "medium", "tags": ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timeline_id": "300afc76-072d-4261-864d-4149714bf3f1", "timeline_title": "Comprehensive Network Timeline", "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_103.json b/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_103.json
deleted file mode 100644
index 8c7041ac0f5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8c1bdde8-4204-45c0-9e0c-c85ca3902488_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of RDP traffic from the Internet. RDP is commonly used by system administrators to remotely control a system for maintenance or to use shared resources. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector.", "false_positives": ["Some network security policies allow RDP directly from the Internet but usage that is unfamiliar to server or network owners can be unexpected and suspicious. RDP services may be exposed directly to the Internet in some networks such as cloud environments. In such cases, only RDP gateways, bastions or jump servers may be expected expose RDP directly to the Internet and can be exempted from this rule. RDP may be required by some work-flows such as remote access and support for specialized software products and servers. Such work-flows are usually known and not unexpected."], "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "RDP (Remote Desktop Protocol) from the Internet", "query": "(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and\n not source.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n destination.ip:(\n 10.0.0.0/8 or\n 
172.16.0.0/12 or\n 192.168.0.0/16\n )\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488", "severity": "medium", "tags": ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timeline_id": "300afc76-072d-4261-864d-4149714bf3f1", "timeline_title": "Comprehensive Network Timeline", "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "8c1bdde8-4204-45c0-9e0c-c85ca3902488_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45.json b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45.json
deleted file mode 100644
index 372117a0b61..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.", "false_positives": ["Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Process of dns.exe", "note": "## Triage and analysis\n\n### Investigating Unusual Child Process of dns.exe\n\nSIGRed (CVE-2020-1350) is a wormable, critical vulnerability in the Windows DNS server that affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response. Because the service is running in elevated privileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights. This can effectively compromise the entire corporate infrastructure.\n\nThis rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a similar remote code execution vulnerability in the DNS server.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.\n - Any suspicious or abnormal child process spawned from dns.exe should be carefully reviewed and investigated. 
It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (`whoami.exe`, `netstat.exe`, `systeminfo.exe`, `tasklist.exe`).\n - Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: `mshta.exe`, `powershell.exe`, `regsvr32.exe`, `rundll32.exe`, `wscript.exe`, `wmic.exe`.\n - If a denial-of-service (DoS) exploit is successful and DNS Server service crashes, be mindful of potential child processes related to `werfault.exe` occurring.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the host during the past 48 hours.\n- Check whether the server is vulnerable to CVE-2020-1350.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore the compromised server to a clean state.\n- Install the latest patches on systems that run Microsoft DNS Server.\n- Consider the implementation of a patch management system, such as the Windows Server Update Services (WSUS).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"dns.exe\" and\n not process.name : \"conhost.exe\"\n", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://github.com/maxpl0it/CVE-2020-1350-DoS", "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45", "setup": "## Setup\n\nIf enabling an EQL rule on 
a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_104.json b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_104.json deleted file mode 100644 index f5a5e7f9b4b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.", "false_positives": ["Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Process of dns.exe", "note": "## Triage and analysis\n\n### Investigating Unusual Child Process of dns.exe\n\nSIGRed (CVE-2020-1350) is a wormable, critical vulnerability in the Windows DNS server that affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response. Because the service is running in elevated privileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights. This can effectively compromise the entire corporate infrastructure.\n\nThis rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a similar remote code execution vulnerability in the DNS server.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.\n - Any suspicious or abnormal child process spawned from dns.exe should be carefully reviewed and investigated. 
It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (`whoami.exe`, `netstat.exe`, `systeminfo.exe`, `tasklist.exe`).\n - Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: `mshta.exe`, `powershell.exe`, `regsvr32.exe`, `rundll32.exe`, `wscript.exe`, `wmic.exe`.\n - If a denial-of-service (DoS) exploit is successful and DNS Server service crashes, be mindful of potential child processes related to `werfault.exe` occurring.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the host during the past 48 hours.\n- Check whether the server is vulnerable to CVE-2020-1350.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore the compromised server to a clean state.\n- Install the latest patches on systems that run Microsoft DNS Server.\n- Consider the implementation of a patch management system, such as the Windows Server Update Services (WSUS).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"dns.exe\" and\n not process.name : \"conhost.exe\"\n", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://github.com/maxpl0it/CVE-2020-1350-DoS", "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45", "setup": "If enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1133", "name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_105.json b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_105.json deleted file mode 100644 index 33c27accdc8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.", "false_positives": ["Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Process of dns.exe", "note": "## Triage and analysis\n\n### Investigating Unusual Child Process of dns.exe\n\nSIGRed (CVE-2020-1350) is a wormable, critical vulnerability in the Windows DNS server that affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response. Because the service is running in elevated privileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights. This can effectively compromise the entire corporate infrastructure.\n\nThis rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a similar remote code execution vulnerability in the DNS server.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.\n - Any suspicious or abnormal child process spawned from dns.exe should be carefully reviewed and investigated. 
It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (`whoami.exe`, `netstat.exe`, `systeminfo.exe`, `tasklist.exe`).\n - Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: `mshta.exe`, `powershell.exe`, `regsvr32.exe`, `rundll32.exe`, `wscript.exe`, `wmic.exe`.\n - If a denial-of-service (DoS) exploit is successful and DNS Server service crashes, be mindful of potential child processes related to `werfault.exe` occurring.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the host during the past 48 hours.\n- Check whether the server is vulnerable to CVE-2020-1350.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore the compromised server to a clean state.\n- Install the latest patches on systems that run Microsoft DNS Server.\n- Consider the implementation of a patch management system, such as the Windows Server Update Services (WSUS).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"dns.exe\" and\n not process.name : \"conhost.exe\"\n", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://github.com/maxpl0it/CVE-2020-1350-DoS", "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45", "setup": "If enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1133", "name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_106.json b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_106.json deleted file mode 100644 index 4fae275bf8f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.", "false_positives": ["Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Process of dns.exe", "note": "## Triage and analysis\n\n### Investigating Unusual Child Process of dns.exe\n\nSIGRed (CVE-2020-1350) is a wormable, critical vulnerability in the Windows DNS server that affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response. Because the service is running in elevated privileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights. This can effectively compromise the entire corporate infrastructure.\n\nThis rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a similar remote code execution vulnerability in the DNS server.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.\n - Any suspicious or abnormal child process spawned from dns.exe should be carefully reviewed and investigated. 
It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (`whoami.exe`, `netstat.exe`, `systeminfo.exe`, `tasklist.exe`).\n - Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: `mshta.exe`, `powershell.exe`, `regsvr32.exe`, `rundll32.exe`, `wscript.exe`, `wmic.exe`.\n - If a denial-of-service (DoS) exploit is successful and DNS Server service crashes, be mindful of potential child processes related to `werfault.exe` occurring.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the host during the past 48 hours.\n- Check whether the server is vulnerable to CVE-2020-1350.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore the compromised server to a clean state.\n- Install the latest patches on systems that run Microsoft DNS Server.\n- Consider the implementation of a patch management system, such as the Windows Server Update Services (WSUS).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"dns.exe\" and\n not process.name : \"conhost.exe\"\n", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://github.com/maxpl0it/CVE-2020-1350-DoS", "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45", "setup": "If enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1133", "name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_107.json b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_107.json deleted file mode 100644 index 444af79a522..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.", "false_positives": ["Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Process of dns.exe", "note": "## Triage and analysis\n\n### Investigating Unusual Child Process of dns.exe\n\nSIGRed (CVE-2020-1350) is a wormable, critical vulnerability in the Windows DNS server that affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response. Because the service is running in elevated privileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights. This can effectively compromise the entire corporate infrastructure.\n\nThis rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a similar remote code execution vulnerability in the DNS server.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.\n - Any suspicious or abnormal child process spawned from dns.exe should be carefully reviewed and investigated. 
It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (`whoami.exe`, `netstat.exe`, `systeminfo.exe`, `tasklist.exe`).\n - Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: `mshta.exe`, `powershell.exe`, `regsvr32.exe`, `rundll32.exe`, `wscript.exe`, `wmic.exe`.\n - If a denial-of-service (DoS) exploit is successful and DNS Server service crashes, be mindful of potential child processes related to `werfault.exe` occurring.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the host during the past 48 hours.\n- Check whether the server is vulnerable to CVE-2020-1350.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore the compromised server to a clean state.\n- Install the latest patches on systems that run Microsoft DNS Server.\n- Consider the implementation of a patch management system, such as the Windows Server Update Services (WSUS).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"dns.exe\" and\n not process.name : \"conhost.exe\"\n", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://github.com/maxpl0it/CVE-2020-1350-DoS", "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45", "setup": "If enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_108.json b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_108.json deleted file mode 100644 index 8eef6a30ffe..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.", "false_positives": ["Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Process of dns.exe", "note": "## Triage and analysis\n\n### Investigating Unusual Child Process of dns.exe\n\nSIGRed (CVE-2020-1350) is a wormable, critical vulnerability in the Windows DNS server that affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response. Because the service is running in elevated privileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights. This can effectively compromise the entire corporate infrastructure.\n\nThis rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a similar remote code execution vulnerability in the DNS server.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.\n - Any suspicious or abnormal child process spawned from dns.exe should be carefully reviewed and investigated. 
It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (`whoami.exe`, `netstat.exe`, `systeminfo.exe`, `tasklist.exe`).\n - Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: `mshta.exe`, `powershell.exe`, `regsvr32.exe`, `rundll32.exe`, `wscript.exe`, `wmic.exe`.\n - If a denial-of-service (DoS) exploit is successful and DNS Server service crashes, be mindful of potential child processes related to `werfault.exe` occurring.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the host during the past 48 hours.\n- Check whether the server is vulnerable to CVE-2020-1350.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore the compromised server to a clean state.\n- Install the latest patches on systems that run Microsoft DNS Server.\n- Consider the implementation of a patch management system, such as the Windows Server Update Services (WSUS).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"dns.exe\" and\n not process.name : \"conhost.exe\"\n", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://github.com/maxpl0it/CVE-2020-1350-DoS", "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45", "setup": "\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_109.json b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_109.json deleted file mode 100644 index 30a84d3d166..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.", "false_positives": ["Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Process of dns.exe", "note": "## Triage and analysis\n\n### Investigating Unusual Child Process of dns.exe\n\nSIGRed (CVE-2020-1350) is a wormable, critical vulnerability in the Windows DNS server that affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response. Because the service is running in elevated privileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights. This can effectively compromise the entire corporate infrastructure.\n\nThis rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a similar remote code execution vulnerability in the DNS server.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.\n - Any suspicious or abnormal child process spawned from dns.exe should be carefully reviewed and investigated. 
It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (`whoami.exe`, `netstat.exe`, `systeminfo.exe`, `tasklist.exe`).\n - Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: `mshta.exe`, `powershell.exe`, `regsvr32.exe`, `rundll32.exe`, `wscript.exe`, `wmic.exe`.\n - If a denial-of-service (DoS) exploit is successful and DNS Server service crashes, be mindful of potential child processes related to `werfault.exe` occurring.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the host during the past 48 hours.\n- Check whether the server is vulnerable to CVE-2020-1350.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore the compromised server to a clean state.\n- Install the latest patches on systems that run Microsoft DNS Server.\n- Consider the implementation of a patch management system, such as the Windows Server Update Services (WSUS).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"dns.exe\" and\n not process.name : \"conhost.exe\"\n", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://github.com/maxpl0it/CVE-2020-1350-DoS", "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45", "setup": "## Setup\n\nIf enabling an EQL rule on 
a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_110.json b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_110.json deleted file mode 100644 index 9e2181c2155..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.", "false_positives": ["Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Process of dns.exe", "note": "## Triage and analysis\n\n### Investigating Unusual Child Process of dns.exe\n\nSIGRed (CVE-2020-1350) is a wormable, critical vulnerability in the Windows DNS server that affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response. Because the service is running in elevated privileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights. This can effectively compromise the entire corporate infrastructure.\n\nThis rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a similar remote code execution vulnerability in the DNS server.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.\n - Any suspicious or abnormal child process spawned from dns.exe should be carefully reviewed and investigated. 
It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (`whoami.exe`, `netstat.exe`, `systeminfo.exe`, `tasklist.exe`).\n - Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: `mshta.exe`, `powershell.exe`, `regsvr32.exe`, `rundll32.exe`, `wscript.exe`, `wmic.exe`.\n - If a denial-of-service (DoS) exploit is successful and DNS Server service crashes, be mindful of potential child processes related to `werfault.exe` occurring.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the host during the past 48 hours.\n- Check whether the server is vulnerable to CVE-2020-1350.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore the compromised server to a clean state.\n- Install the latest patches on systems that run Microsoft DNS Server.\n- Consider the implementation of a patch management system, such as the Windows Server Update Services (WSUS).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"dns.exe\" and\n not process.name : \"conhost.exe\"\n", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://github.com/maxpl0it/CVE-2020-1350-DoS", "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45", "setup": "## Setup\n\nIf enabling an EQL rule on 
a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_111.json b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_111.json deleted file mode 100644 index 981fbbd6df4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.", "false_positives": ["Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Process of dns.exe", "note": "## Triage and analysis\n\n### Investigating Unusual Child Process of dns.exe\n\nSIGRed (CVE-2020-1350) is a wormable, critical vulnerability in the Windows DNS server that affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response. Because the service is running in elevated privileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights. This can effectively compromise the entire corporate infrastructure.\n\nThis rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a similar remote code execution vulnerability in the DNS server.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.\n - Any suspicious or abnormal child process spawned from dns.exe should be carefully reviewed and investigated. 
It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (`whoami.exe`, `netstat.exe`, `systeminfo.exe`, `tasklist.exe`).\n - Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: `mshta.exe`, `powershell.exe`, `regsvr32.exe`, `rundll32.exe`, `wscript.exe`, `wmic.exe`.\n - If a denial-of-service (DoS) exploit is successful and DNS Server service crashes, be mindful of potential child processes related to `werfault.exe` occurring.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the host during the past 48 hours.\n- Check whether the server is vulnerable to CVE-2020-1350.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore the compromised server to a clean state.\n- Install the latest patches on systems that run Microsoft DNS Server.\n- Consider the implementation of a patch management system, such as the Windows Server Update Services (WSUS).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"dns.exe\" and\n not process.name : \"conhost.exe\"\n", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://github.com/maxpl0it/CVE-2020-1350-DoS", "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45", "setup": "## Setup\n\nIf enabling an EQL rule on 
a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_311.json b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_311.json deleted file mode 100644 index 43760f97370..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_311.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.", "false_positives": ["Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Process of dns.exe", "note": "## Triage and analysis\n\n### Investigating Unusual Child Process of dns.exe\n\nSIGRed (CVE-2020-1350) is a wormable, critical vulnerability in the Windows DNS server that affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response. Because the service is running in elevated privileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights. This can effectively compromise the entire corporate infrastructure.\n\nThis rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a similar remote code execution vulnerability in the DNS server.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.\n - Any suspicious or abnormal child process spawned from dns.exe should be carefully reviewed and investigated. 
It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (`whoami.exe`, `netstat.exe`, `systeminfo.exe`, `tasklist.exe`).\n - Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: `mshta.exe`, `powershell.exe`, `regsvr32.exe`, `rundll32.exe`, `wscript.exe`, `wmic.exe`.\n - If a denial-of-service (DoS) exploit is successful and DNS Server service crashes, be mindful of potential child processes related to `werfault.exe` occurring.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the host during the past 48 hours.\n- Check whether the server is vulnerable to CVE-2020-1350.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore the compromised server to a clean state.\n- Install the latest patches on systems that run Microsoft DNS Server.\n- Consider the implementation of a patch management system, such as the Windows Server Update Services (WSUS).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"dns.exe\" and\n not process.name : \"conhost.exe\"\n", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://github.com/maxpl0it/CVE-2020-1350-DoS", "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], 
"risk_score": 73, "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 311}, "id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_311", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_312.json b/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_312.json deleted file mode 100644 index 01aceee3e67..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_312.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which may indicate activity related to remote code execution or other forms of exploitation.", "false_positives": ["Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe to spawn."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Process of dns.exe", "note": "## Triage and analysis\n\n### Investigating Unusual Child Process of dns.exe\n\nSIGRed (CVE-2020-1350) is a wormable, critical vulnerability in the Windows DNS server that affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response. Because the service is running in elevated privileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights. This can effectively compromise the entire corporate infrastructure.\n\nThis rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a similar remote code execution vulnerability in the DNS server.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes.\n - Any suspicious or abnormal child process spawned from dns.exe should be carefully reviewed and investigated. 
It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (`whoami.exe`, `netstat.exe`, `systeminfo.exe`, `tasklist.exe`).\n - Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: `mshta.exe`, `powershell.exe`, `regsvr32.exe`, `rundll32.exe`, `wscript.exe`, `wmic.exe`.\n - If a denial-of-service (DoS) exploit is successful and DNS Server service crashes, be mindful of potential child processes related to `werfault.exe` occurring.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the host during the past 48 hours.\n- Check whether the server is vulnerable to CVE-2020-1350.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore the compromised server to a clean state.\n- Install the latest patches on systems that run Microsoft DNS Server.\n- Consider the implementation of a patch management system, such as the Windows Server Update Services (WSUS).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"dns.exe\" and\n not process.name : \"conhost.exe\"\n", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://github.com/maxpl0it/CVE-2020-1350-DoS", "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": 
"process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 312}, "id": "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45_312", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967.json b/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967.json deleted file mode 100644 index 0e470e539f4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.network-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential SharpRDP Behavior", "query": "/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */\n\nsequence by host.id with maxspan=1m\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"svchost.exe\" and destination.port == 3389 and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n\n [registry where host.os.type == \"windows\" and event.type == \"change\" and process.name : \"explorer.exe\" and\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU\\\\*\") and\n registry.data.strings : (\"cmd.exe*\", \"powershell.exe*\", \"taskmgr*\", \"\\\\\\\\tsclient\\\\*.exe\\\\*\")\n ]\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"taskmgr.exe\") or process.args : (\"\\\\\\\\tsclient\\\\*.exe\")) and\n not process.name : \"conhost.exe\"\n ]\n", "references": ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": 
"event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 73, "rule_id": "8c81e506-6e82-4884-9b9a-75d3d252f967", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "type": "eql", "version": 107}, "id": "8c81e506-6e82-4884-9b9a-75d3d252f967", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_103.json b/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_103.json deleted file mode 100644 index 757985d5137..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential SharpRDP Behavior", "query": "/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */\n\nsequence by host.id with maxspan=1m\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"svchost.exe\" and destination.port == 3389 and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n\n [registry where host.os.type == \"windows\" and process.name : \"explorer.exe\" and\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU\\\\*\") and\n registry.data.strings : (\"cmd.exe*\", \"powershell.exe*\", \"taskmgr*\", \"\\\\\\\\tsclient\\\\*.exe\\\\*\")\n ]\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"taskmgr.exe\") or process.args : (\"\\\\\\\\tsclient\\\\*.exe\")) and\n not process.name : \"conhost.exe\"\n ]\n", "references": ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": 
"host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 73, "rule_id": "8c81e506-6e82-4884-9b9a-75d3d252f967", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "type": "eql", "version": 103}, "id": "8c81e506-6e82-4884-9b9a-75d3d252f967_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_104.json b/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_104.json deleted file mode 100644 index 7b46daf5c46..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential SharpRDP Behavior", "query": "/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */\n\nsequence by host.id with maxspan=1m\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"svchost.exe\" and destination.port == 3389 and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n\n [registry where host.os.type == \"windows\" and process.name : \"explorer.exe\" and\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU\\\\*\") and\n registry.data.strings : (\"cmd.exe*\", \"powershell.exe*\", \"taskmgr*\", \"\\\\\\\\tsclient\\\\*.exe\\\\*\")\n ]\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"taskmgr.exe\") or process.args : (\"\\\\\\\\tsclient\\\\*.exe\")) and\n not process.name : \"conhost.exe\"\n ]\n", "references": ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": 
"host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 73, "rule_id": "8c81e506-6e82-4884-9b9a-75d3d252f967", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "type": "eql", "version": 104}, "id": "8c81e506-6e82-4884-9b9a-75d3d252f967_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_105.json b/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_105.json deleted file mode 100644 index 3811a868340..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential SharpRDP Behavior", "query": "/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */\n\nsequence by host.id with maxspan=1m\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"svchost.exe\" and destination.port == 3389 and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n\n [registry where host.os.type == \"windows\" and process.name : \"explorer.exe\" and\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU\\\\*\") and\n registry.data.strings : (\"cmd.exe*\", \"powershell.exe*\", \"taskmgr*\", \"\\\\\\\\tsclient\\\\*.exe\\\\*\")\n ]\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"taskmgr.exe\") or process.args : (\"\\\\\\\\tsclient\\\\*.exe\")) and\n not process.name : \"conhost.exe\"\n ]\n", "references": ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": 
"host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 73, "rule_id": "8c81e506-6e82-4884-9b9a-75d3d252f967", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "type": "eql", "version": 105}, "id": "8c81e506-6e82-4884-9b9a-75d3d252f967_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_106.json b/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_106.json deleted file mode 100644 index 64761936ce4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.network-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential SharpRDP Behavior", "query": "/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */\n\nsequence by host.id with maxspan=1m\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"svchost.exe\" and destination.port == 3389 and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n\n [registry where host.os.type == \"windows\" and process.name : \"explorer.exe\" and\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU\\\\*\") and\n registry.data.strings : (\"cmd.exe*\", \"powershell.exe*\", \"taskmgr*\", \"\\\\\\\\tsclient\\\\*.exe\\\\*\")\n ]\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"taskmgr.exe\") or process.args : (\"\\\\\\\\tsclient\\\\*.exe\")) and\n not process.name : \"conhost.exe\"\n ]\n", "references": ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, 
{"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 73, "rule_id": "8c81e506-6e82-4884-9b9a-75d3d252f967", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "type": "eql", "version": 106}, "id": "8c81e506-6e82-4884-9b9a-75d3d252f967_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_107.json b/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_107.json deleted file mode 100644 index bb5002ffe96..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8c81e506-6e82-4884-9b9a-75d3d252f967_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.network-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential SharpRDP Behavior", "query": "/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */\n\nsequence by host.id with maxspan=1m\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"svchost.exe\" and destination.port == 3389 and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n\n [registry where host.os.type == \"windows\" and event.type == \"change\" and process.name : \"explorer.exe\" and\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\RunMRU\\\\*\") and\n registry.data.strings : (\"cmd.exe*\", \"powershell.exe*\", \"taskmgr*\", \"\\\\\\\\tsclient\\\\*.exe\\\\*\")\n ]\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"taskmgr.exe\") or process.args : (\"\\\\\\\\tsclient\\\\*.exe\")) and\n not process.name : \"conhost.exe\"\n ]\n", "references": ["https://posts.specterops.io/revisiting-remote-desktop-lateral-movement-8fb905cb46c3", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral%20Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": 
"event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 73, "rule_id": "8c81e506-6e82-4884-9b9a-75d3d252f967", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "type": "eql", "version": 107}, "id": "8c81e506-6e82-4884-9b9a-75d3d252f967_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8cb4f625-7743-4dfb-ae1b-ad92be9df7bd.json b/packages/security_detection_engine/kibana/security_rule/8cb4f625-7743-4dfb-ae1b-ad92be9df7bd.json deleted file mode 100644 index 33cb821f9b2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8cb4f625-7743-4dfb-ae1b-ad92be9df7bd.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Ransomware - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 99, "rule_id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd", "setup": "## Setup\n\nThis rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.\n\n**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. 
For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.\n\nTo make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.\n\n**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.", "severity": "critical", "tags": ["Data Source: Elastic Endgame"], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8cb4f625-7743-4dfb-ae1b-ad92be9df7bd_100.json b/packages/security_detection_engine/kibana/security_rule/8cb4f625-7743-4dfb-ae1b-ad92be9df7bd_100.json deleted file mode 100644 index 19c2ff96b1a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8cb4f625-7743-4dfb-ae1b-ad92be9df7bd_100.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Ransomware - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 99, "rule_id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd", "severity": "critical", "tags": ["Elastic", "Elastic Endgame"], "type": "query", "version": 100}, "id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd_100", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8cb4f625-7743-4dfb-ae1b-ad92be9df7bd_101.json b/packages/security_detection_engine/kibana/security_rule/8cb4f625-7743-4dfb-ae1b-ad92be9df7bd_101.json deleted file mode 100644 index fd207ffc41e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8cb4f625-7743-4dfb-ae1b-ad92be9df7bd_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Ransomware - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 99, "rule_id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd", "severity": "critical", "tags": ["Data Source: Elastic Endgame"], "type": "query", "version": 101}, "id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8cb4f625-7743-4dfb-ae1b-ad92be9df7bd_102.json b/packages/security_detection_engine/kibana/security_rule/8cb4f625-7743-4dfb-ae1b-ad92be9df7bd_102.json deleted file mode 100644 index caba91a2415..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8cb4f625-7743-4dfb-ae1b-ad92be9df7bd_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Ransomware - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 99, "rule_id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd", "severity": "critical", "tags": ["Data Source: Elastic Endgame"], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28.json b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28.json deleted file mode 100644 index e1652179145..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt to login into multiple users with a common or known password to gain access to accounts.", "from": "now-9m", "index": ["auditbeat-*", "filebeat-*", "logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Successful SSH Brute Force Attack", "note": "## Triage and analysis\n\n### Investigating Potential Successful SSH Brute Force Attack\n\nThe rule identifies consecutive SSH login failures followed by a successful login from the same source IP address to the same target host indicating a successful attempt of brute force password guessing.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure active session(s) on the host(s) are terminated as the attacker could have gained initial access to the system(s).\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, source.ip, user.name with maxspan=15s\n [authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"failure\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ] with runs=10\n\n [authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"success\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ]\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": "8cb84371-d053-4f4f-bce0-c74990e28f28", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Filebeat\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. 
You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the \u201cFilebeat System Module\u201d to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 
11}, "id": "8cb84371-d053-4f4f-bce0-c74990e28f28", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_10.json b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_10.json deleted file mode 100644 index 88f544124b0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_10.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt to login into multiple users with a common or known password to gain access to accounts.", "from": "now-9m", "index": ["auditbeat-*", "logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Successful SSH Brute Force Attack", "note": "## Triage and analysis\n\n### Investigating Potential Successful SSH Brute Force Attack\n\nThe rule identifies consecutive SSH login failures followed by a successful login from the same source IP address to the same target host indicating a successful attempt of brute force password guessing.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure active session(s) on the host(s) are terminated as the attacker could have gained initial access to the system(s).\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, source.ip, user.name with maxspan=15s\n [authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"failure\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ] with runs=10\n\n [authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"success\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ]\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": "8cb84371-d053-4f4f-bce0-c74990e28f28", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Filebeat\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. 
You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the \u201cFilebeat System Module\u201d to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 
10}, "id": "8cb84371-d053-4f4f-bce0-c74990e28f28_10", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_4.json b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_4.json deleted file mode 100644 index 9cfbe81c0df..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt to login into multiple users with a common or known password to gain access to accounts.", "from": "now-9m", "index": ["auditbeat-*", "logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential SSH Password Guessing", "note": "## Triage and analysis\n\n### Investigating Potential SSH Password Guessing Attack\n\nThe rule identifies consecutive SSH login failures followed by a successful login from the same source IP address to the same target host indicating a successful attempt of brute force password guessing.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure active session(s) on the host(s) are terminated as the attacker could have gained initial access to the system(s).\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "sequence by host.id, source.ip, user.name with maxspan=3s\n [authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"failure\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ] with runs=2\n\n [authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"success\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ]\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "8cb84371-d053-4f4f-bce0-c74990e28f28", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": 
"https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 4}, "id": "8cb84371-d053-4f4f-bce0-c74990e28f28_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_5.json b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_5.json deleted file mode 100644 index b2c9f038d10..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt to login into multiple users with a common or known password to gain access to accounts.", "from": "now-9m", "index": ["auditbeat-*", "logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential SSH Password Guessing", "note": "## Triage and analysis\n\n### Investigating Potential SSH Password Guessing Attack\n\nThe rule identifies consecutive SSH login failures followed by a successful login from the same source IP address to the same target host indicating a successful attempt of brute force password guessing.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure active session(s) on the host(s) are terminated as the attacker could have gained initial access to the system(s).\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "sequence by host.id, source.ip, user.name with maxspan=3s\n [authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"failure\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ] with runs=2\n\n [authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"success\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ]\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "8cb84371-d053-4f4f-bce0-c74990e28f28", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": 
"https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 5}, "id": "8cb84371-d053-4f4f-bce0-c74990e28f28_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_6.json b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_6.json deleted file mode 100644 index fc8b1e8049f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt to login into multiple users with a common or known password to gain access to accounts.", "from": "now-9m", "index": ["auditbeat-*", "logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential SSH Password Guessing", "note": "## Triage and analysis\n\n### Investigating Potential SSH Password Guessing Attack\n\nThe rule identifies consecutive SSH login failures followed by a successful login from the same source IP address to the same target host indicating a successful attempt of brute force password guessing.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure active session(s) on the host(s) are terminated as the attacker could have gained initial access to the system(s).\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "sequence by host.id, source.ip, user.name with maxspan=3s\n [authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"failure\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ] with runs=10\n\n [authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"success\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ]\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "8cb84371-d053-4f4f-bce0-c74990e28f28", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": 
"https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 6}, "id": "8cb84371-d053-4f4f-bce0-c74990e28f28_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_7.json b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_7.json deleted file mode 100644 index d3dbfe3a5a1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt to login into multiple users with a common or known password to gain access to accounts.", "from": "now-9m", "index": ["auditbeat-*", "logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Successful SSH Brute Force Attack", "note": "## Triage and analysis\n\n### Investigating Potential Successful SSH Brute Force Attack\n\nThe rule identifies consecutive SSH login failures followed by a successful login from the same source IP address to the same target host indicating a successful attempt of brute force password guessing.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure active session(s) on the host(s) are terminated as the attacker could have gained initial access to the system(s).\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "sequence by host.id, source.ip, user.name with maxspan=3s\n [authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"failure\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ] with runs=10\n\n [authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"success\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ]\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": "8cb84371-d053-4f4f-bce0-c74990e28f28", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": 
"https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 7}, "id": "8cb84371-d053-4f4f-bce0-c74990e28f28_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_8.json b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_8.json deleted file mode 100644 index f2b4f397b63..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt to login into multiple users with a common or known password to gain access to accounts.", "from": "now-9m", "index": ["auditbeat-*", "logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Successful SSH Brute Force Attack", "note": "## Triage and analysis\n\n### Investigating Potential Successful SSH Brute Force Attack\n\nThe rule identifies consecutive SSH login failures followed by a successful login from the same source IP address to the same target host indicating a successful attempt of brute force password guessing.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure active session(s) on the host(s) are terminated as the attacker could have gained initial access to the system(s).\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "sequence by host.id, source.ip, user.name with maxspan=15s\n [authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"failure\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ] with runs=10\n\n [authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"success\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ]\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": "8cb84371-d053-4f4f-bce0-c74990e28f28", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": 
"https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 8}, "id": "8cb84371-d053-4f4f-bce0-c74990e28f28_8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_9.json b/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_9.json deleted file mode 100644 index eb41367b9fa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8cb84371-d053-4f4f-bce0-c74990e28f28_9.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can attempt to login into multiple users with a common or known password to gain access to accounts.", "from": "now-9m", "index": ["auditbeat-*", "logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Successful SSH Brute Force Attack", "note": "## Triage and analysis\n\n### Investigating Potential Successful SSH Brute Force Attack\n\nThe rule identifies consecutive SSH login failures followed by a successful login from the same source IP address to the same target host indicating a successful attempt of brute force password guessing.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Ensure active session(s) on the host(s) are terminated as the attacker could have gained initial access to the system(s).\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "sequence by host.id, source.ip, user.name with maxspan=15s\n [authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"failure\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ] with runs=10\n\n [authentication where host.os.type == \"linux\" and event.action in (\"ssh_login\", \"user_login\") and\n event.outcome == \"success\" and source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::\" ]\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": "8cb84371-d053-4f4f-bce0-c74990e28f28", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Filebeat\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. 
You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the \u201cFilebeat System Module\u201d to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", 
"version": 9}, "id": "8cb84371-d053-4f4f-bce0-c74990e28f28_9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf.json b/packages/security_detection_engine/kibana/security_rule/8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf.json deleted file mode 100644 index 45d7a4ad8c7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule leverages the new_terms rule type to identify the installation of RPM packages by an unusual parent process. RPM is a package management system used in Linux systems such as Red Hat, CentOS and Fedora. Attacks may backdoor RPM packages to gain initial access or install malicious RPM packages to maintain persistence.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "RPM Package Installed by Unusual Parent Process", "new_terms_fields": ["process.parent.executable"], "query": "host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:rpm and\nprocess.args:(\"-i\" or \"--install\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf", "setup": "## Setup\nThis rule requires data coming in from Elastic Defend.\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.016", "name": "Installer Packages", "reference": "https://attack.mitre.org/techniques/T1546/016/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf_1.json b/packages/security_detection_engine/kibana/security_rule/8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf_1.json
deleted file mode 100644
index 8c749f846c8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule leverages the new_terms rule type to identify the installation of RPM packages by an unusual parent process. RPM is a package management system used in Linux systems such as Red Hat, CentOS and Fedora. Attacks may backdoor RPM packages to gain initial access or install malicious RPM packages to maintain persistence.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "RPM Package Installed by Unusual Parent Process", "new_terms_fields": ["process.parent.executable"], "query": "host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:rpm and\nprocess.args:(\"-i\" or \"--install\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf", "setup": "## Setup\nThis rule requires data coming in from Elastic Defend.\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.016", "name": "Installer Packages", "reference": "https://attack.mitre.org/techniques/T1546/016/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "8cc72fa3-70ae-4ea1-bee2-8e6aaf3c1fcf_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/8d366588-cbd6-43ba-95b4-0971c3f906e5.json b/packages/security_detection_engine/kibana/security_rule/8d366588-cbd6-43ba-95b4-0971c3f906e5.json
deleted file mode 100644
index a6e406f773f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8d366588-cbd6-43ba-95b4-0971c3f906e5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies unusual files downloaded from outside the local network that have the potential to be abused for code execution.", "from": "now-119m", "index": ["logs-endpoint.events.file-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "File with Suspicious Extension Downloaded", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.extension : (\n \"appinstaller\", \"application\", \"appx\", \"appxbundle\", \"cpl\", \"diagcab\", \"diagpkg\", \"diagcfg\", \"manifest\",\n \"msix\", \"pif\", \"search-ms\", \"searchConnector-ms\", \"settingcontent-ms\", \"symlink\", \"theme\", \"themepack\" \n ) and file.Ext.windows.zone_identifier > 1 and\n not\n (\n (\n file.extension : \"msix\" and \n file.path : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\Microsoft.Winget.Source*\",\n \"?:\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Microsoft\\\\WinGet\\\\State\\\\defaultState\\\\Microsoft.PreIndexed.Package\\\\Microsoft.Winget.Source*\"\n )\n ) or\n (\n process.name : \"Teams.exe\" and process.code_signature.trusted == true and\n file.extension : \"msix\" and \n file.path : \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Teams\\\\tmp\\\\*\"\n )\n )\n", "references": ["https://x.com/Laughing_Mantis/status/1518766501385318406", "https://wikileaks.org/ciav7p1/cms/page_13763375.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.windows.zone_identifier", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, 
{"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "8d366588-cbd6-43ba-95b4-0971c3f906e5", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "8d366588-cbd6-43ba-95b4-0971c3f906e5", "type": "security-rule"} \ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8d366588-cbd6-43ba-95b4-0971c3f906e5_1.json b/packages/security_detection_engine/kibana/security_rule/8d366588-cbd6-43ba-95b4-0971c3f906e5_1.json
deleted file mode 100644
index febc8875b40..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8d366588-cbd6-43ba-95b4-0971c3f906e5_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies unusual files downloaded from outside the local network that have the potential to be abused for code execution.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "File with Suspicious Extension Downloaded", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.extension : (\n \"appinstaller\", \"application\", \"appx\", \"appxbundle\", \"cpl\", \"diagcab\", \"diagpkg\", \"diagcfg\", \"manifest\",\n \"msix\", \"pif\", \"search-ms\", \"searchConnector-ms\", \"settingcontent-ms\", \"symlink\", \"theme\", \"themepack\" \n ) and file.Ext.windows.zone_identifier > 1 and\n not\n (\n file.extension : \"msix\" and file.path : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\Microsoft.Winget.Source*\"\n )\n", "references": ["https://x.com/Laughing_Mantis/status/1518766501385318406", "https://wikileaks.org/ciav7p1/cms/page_13763375.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.windows.zone_identifier", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "8d366588-cbd6-43ba-95b4-0971c3f906e5", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": 
"https://attack.mitre.org/techniques/T1218/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "8d366588-cbd6-43ba-95b4-0971c3f906e5_1", "type": "security-rule"} \ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8d366588-cbd6-43ba-95b4-0971c3f906e5_2.json b/packages/security_detection_engine/kibana/security_rule/8d366588-cbd6-43ba-95b4-0971c3f906e5_2.json
deleted file mode 100644
index 7004b48fee3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8d366588-cbd6-43ba-95b4-0971c3f906e5_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies unusual files downloaded from outside the local network that have the potential to be abused for code execution.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "File with Suspicious Extension Downloaded", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n file.extension : (\n \"appinstaller\", \"application\", \"appx\", \"appxbundle\", \"cpl\", \"diagcab\", \"diagpkg\", \"diagcfg\", \"manifest\",\n \"msix\", \"pif\", \"search-ms\", \"searchConnector-ms\", \"settingcontent-ms\", \"symlink\", \"theme\", \"themepack\" \n ) and file.Ext.windows.zone_identifier > 1 and\n not\n (\n file.extension : \"msix\" and \n file.path : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\WinGet\\\\Microsoft.Winget.Source*\",\n \"?:\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\Microsoft\\\\WinGet\\\\State\\\\defaultState\\\\Microsoft.PreIndexed.Package\\\\Microsoft.Winget.Source*\"\n )\n )\n", "references": ["https://x.com/Laughing_Mantis/status/1518766501385318406", "https://wikileaks.org/ciav7p1/cms/page_13763375.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.windows.zone_identifier", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "8d366588-cbd6-43ba-95b4-0971c3f906e5", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", 
"name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "8d366588-cbd6-43ba-95b4-0971c3f906e5_2", "type": "security-rule"} \ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8d3d0794-c776-476b-8674-ee2e685f6470.json b/packages/security_detection_engine/kibana/security_rule/8d3d0794-c776-476b-8674-ee2e685f6470.json
deleted file mode 100644
index 11d7b0c0432..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8d3d0794-c776-476b-8674-ee2e685f6470.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects when an interactive shell is spawned inside a running container. This could indicate a potential container breakout attempt or an attacker's attempt to gain unauthorized access to the underlying host.", "false_positives": ["Legitimate users and processes, such as system administration tools, may utilize shell utilities inside a container resulting in false positives."], "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "Suspicious Interactive Shell Spawned From Inside A Container", "query": "process where container.id: \"*\" and\nevent.type== \"start\" and \n\n/*D4C consolidates closely spawned event.actions, this excludes end actions to only capture ongoing processes*/\nevent.action in (\"fork\", \"exec\") and event.action != \"end\"\n and process.entry_leader.same_as_process== false and\n(\n(process.executable: \"*/*sh\" and process.args: (\"-i\", \"-it\")) or\nprocess.args: \"*/*sh\"\n)\n", "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "container.id", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entry_leader.same_as_process", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "8d3d0794-c776-476b-8674-ee2e685f6470", "severity": "high", "tags": ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", 
"reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "8d3d0794-c776-476b-8674-ee2e685f6470", "type": "security-rule"} \ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8d3d0794-c776-476b-8674-ee2e685f6470_1.json b/packages/security_detection_engine/kibana/security_rule/8d3d0794-c776-476b-8674-ee2e685f6470_1.json
deleted file mode 100644
index 152f5ab0f45..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8d3d0794-c776-476b-8674-ee2e685f6470_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects when an interactive shell is spawned inside a running container. This could indicate a potential container breakout attempt or an attacker's attempt to gain unauthorized access to the underlying host.", "false_positives": ["Legitimate users and processes, such as system administration tools, may utilize shell utilities inside a container resulting in false positives."], "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "Suspicious Interactive Shell Spawned From Inside A Container", "query": "process where container.id: \"*\" and\nevent.type== \"start\" and \n\n/*D4C consolidates closely spawned event.actions, this excludes end actions to only capture ongoing processes*/\nevent.action in (\"fork\", \"exec\") and event.action != \"end\"\n and process.entry_leader.same_as_process== false and\n(\n(process.executable: \"*/*sh\" and process.args: (\"-i\", \"-it\")) or\nprocess.args: \"*/*sh\"\n)\n", "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "container.id", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entry_leader.same_as_process", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "8d3d0794-c776-476b-8674-ee2e685f6470", "severity": "high", "tags": ["Elastic", "Host", "Linux", "Container", "Threat Detection", "Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": 
"https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "8d3d0794-c776-476b-8674-ee2e685f6470_1", "type": "security-rule"} \ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9.json b/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9.json
deleted file mode 100644
index 8292dc93bec..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment variable injection. Successful exploitation allows an unprivileged user to escalate to the root user.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via PKEXEC", "query": "file where host.os.type == \"linux\" and file.path : \"/*GCONV_PATH*\"\n", "references": ["https://seclists.org/oss-sec/2022/q1/80", "https://haxx.in/files/blasty-vs-pkexec.c"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.007", "name": "Path Interception by PATH Environment Variable", "reference": 
"https://attack.mitre.org/techniques/T1574/007/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9", "type": "security-rule"} \ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_103.json b/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_103.json
deleted file mode 100644
index e77afafb85e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment variable injection. Successful exploitation allows an unprivileged user to escalate to the root user.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via PKEXEC", "query": "file where host.os.type == \"linux\" and file.path : \"/*GCONV_PATH*\"\n", "references": ["https://seclists.org/oss-sec/2022/q1/80", "https://haxx.in/files/blasty-vs-pkexec.c"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9", "severity": "high", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.007", "name": "Path Interception by PATH Environment Variable", "reference": "https://attack.mitre.org/techniques/T1574/007/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_104.json b/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_104.json
deleted file mode 100644
index 73b571f21cb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment variable injection. Successful exploitation allows an unprivileged user to escalate to the root user.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via PKEXEC", "query": "file where host.os.type == \"linux\" and file.path : \"/*GCONV_PATH*\"\n", "references": ["https://seclists.org/oss-sec/2022/q1/80", "https://haxx.in/files/blasty-vs-pkexec.c"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.007", "name": "Path Interception by PATH Environment Variable", "reference": "https://attack.mitre.org/techniques/T1574/007/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_104", "type": "security-rule"} \ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_105.json b/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_105.json
deleted file mode 100644
index bdc42acd191..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment variable injection. Successful exploitation allows an unprivileged user to escalate to the root user.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via PKEXEC", "query": "file where host.os.type == \"linux\" and file.path : \"/*GCONV_PATH*\"\n", "references": ["https://seclists.org/oss-sec/2022/q1/80", "https://haxx.in/files/blasty-vs-pkexec.c"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.007", "name": "Path Interception by PATH Environment Variable", "reference": "https://attack.mitre.org/techniques/T1574/007/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_105", 
"type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_106.json b/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_106.json
deleted file mode 100644
index 77b200576fa..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment variable injection. Successful exploitation allows an unprivileged user to escalate to the root user.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via PKEXEC", "query": "file where host.os.type == \"linux\" and file.path : \"/*GCONV_PATH*\"\n", "references": ["https://seclists.org/oss-sec/2022/q1/80", "https://haxx.in/files/blasty-vs-pkexec.c"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.007", "name": "Path Interception by PATH Environment Variable", "reference": 
"https://attack.mitre.org/techniques/T1574/007/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_107.json b/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_107.json
deleted file mode 100644
index 860e5aa2998..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment variable injection. Successful exploitation allows an unprivileged user to escalate to the root user.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via PKEXEC", "query": "file where host.os.type == \"linux\" and file.path : \"/*GCONV_PATH*\"\n", "references": ["https://seclists.org/oss-sec/2022/q1/80", "https://haxx.in/files/blasty-vs-pkexec.c"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.007", "name": "Path Interception by PATH Environment Variable", "reference": 
"https://attack.mitre.org/techniques/T1574/007/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8ddab73b-3d15-4e5d-9413-47f05553c1d7.json b/packages/security_detection_engine/kibana/security_rule/8ddab73b-3d15-4e5d-9413-47f05553c1d7.json
deleted file mode 100644
index 949e4fc591a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8ddab73b-3d15-4e5d-9413-47f05553c1d7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target's automated business operations or to remove a malicious runbook for defense evasion.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Automation Runbook Deleted", "note": "", "query": "event.dataset:azure.activitylogs and\n azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE\" and\n event.outcome:(Success or success)\n", "references": ["https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor", "https://github.com/hausec/PowerZure", "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "8ddab73b-3d15-4e5d-9413-47f05553c1d7", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "8ddab73b-3d15-4e5d-9413-47f05553c1d7", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/8ddab73b-3d15-4e5d-9413-47f05553c1d7_101.json b/packages/security_detection_engine/kibana/security_rule/8ddab73b-3d15-4e5d-9413-47f05553c1d7_101.json
deleted file mode 100644
index 95edc68b575..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8ddab73b-3d15-4e5d-9413-47f05553c1d7_101.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to disrupt their target's automated business operations or to remove a malicious runbook for defense evasion.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Automation Runbook Deleted", "note": "", "query": "event.dataset:azure.activitylogs and\n azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE\" and\n event.outcome:(Success or success)\n", "references": ["https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor", "https://github.com/hausec/PowerZure", "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "8ddab73b-3d15-4e5d-9413-47f05553c1d7", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "8ddab73b-3d15-4e5d-9413-47f05553c1d7_101", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/8e2485b6-a74f-411b-bf7f-38b819f3a846.json b/packages/security_detection_engine/kibana/security_rule/8e2485b6-a74f-411b-bf7f-38b819f3a846.json
deleted file mode 100644
index dc8b917eb8d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8e2485b6-a74f-411b-bf7f-38b819f3a846.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a potential Windows Server Update Services (WSUS) abuse to execute psexec to enable for lateral movement. WSUS is limited to executing Microsoft signed binaries, which limits the executables that can be used to tools published by Microsoft.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-system.security-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential WSUS Abuse for Lateral Movement", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"wuauclt.exe\" and\nprocess.executable : \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\*\" and\n(process.name : \"psexec64.exe\" or ?process.pe.original_file_name : \"psexec.c\")\n", "references": ["https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wsus-spoofing"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "8e2485b6-a74f-411b-bf7f-38b819f3a846", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", 
"Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "8e2485b6-a74f-411b-bf7f-38b819f3a846", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8e2485b6-a74f-411b-bf7f-38b819f3a846_103.json b/packages/security_detection_engine/kibana/security_rule/8e2485b6-a74f-411b-bf7f-38b819f3a846_103.json
deleted file mode 100644
index 3b3d8a660ad..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8e2485b6-a74f-411b-bf7f-38b819f3a846_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a potential Windows Server Update Services (WSUS) abuse to execute psexec to enable for lateral movement. WSUS is limited to executing Microsoft signed binaries, which limits the executables that can be used to tools published by Microsoft.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-system.security-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential WSUS Abuse for Lateral Movement", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"wuauclt.exe\" and\nprocess.executable : \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\*\" and\n(process.name : \"psexec64.exe\" or ?process.pe.original_file_name : \"psexec.c\")\n", "references": ["https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wsus-spoofing"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "8e2485b6-a74f-411b-bf7f-38b819f3a846", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: 
Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "8e2485b6-a74f-411b-bf7f-38b819f3a846_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8e2485b6-a74f-411b-bf7f-38b819f3a846_104.json b/packages/security_detection_engine/kibana/security_rule/8e2485b6-a74f-411b-bf7f-38b819f3a846_104.json
deleted file mode 100644
index e7ca95becf2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8e2485b6-a74f-411b-bf7f-38b819f3a846_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a potential Windows Server Update Services (WSUS) abuse to execute psexec to enable for lateral movement. WSUS is limited to executing Microsoft signed binaries, which limits the executables that can be used to tools published by Microsoft.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-system.security-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential WSUS Abuse for Lateral Movement", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"wuauclt.exe\" and\nprocess.executable : \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\*\" and\n(process.name : \"psexec64.exe\" or ?process.pe.original_file_name : \"psexec.c\")\n", "references": ["https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wsus-spoofing"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "8e2485b6-a74f-411b-bf7f-38b819f3a846", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", 
"Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "8e2485b6-a74f-411b-bf7f-38b819f3a846_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8e2485b6-a74f-411b-bf7f-38b819f3a846_2.json b/packages/security_detection_engine/kibana/security_rule/8e2485b6-a74f-411b-bf7f-38b819f3a846_2.json
deleted file mode 100644
index c432f6229c9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8e2485b6-a74f-411b-bf7f-38b819f3a846_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a potential Windows Server Update Services (WSUS) abuse to execute psexec to enable for lateral movement. WSUS is limited to executing Microsoft signed binaries, which limits the executables that can be used to tools published by Microsoft.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-system.security-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential WSUS Abuse for Lateral Movement", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"wuauclt.exe\" and\nprocess.executable : \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\*\" and\n(process.name : \"psexec64.exe\" or ?process.pe.original_file_name : \"psexec.c\")\n", "references": ["https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wsus-spoofing"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "8e2485b6-a74f-411b-bf7f-38b819f3a846", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: 
Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "8e2485b6-a74f-411b-bf7f-38b819f3a846_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8e2485b6-a74f-411b-bf7f-38b819f3a846_204.json b/packages/security_detection_engine/kibana/security_rule/8e2485b6-a74f-411b-bf7f-38b819f3a846_204.json
deleted file mode 100644
index 41ee9670644..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8e2485b6-a74f-411b-bf7f-38b819f3a846_204.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a potential Windows Server Update Services (WSUS) abuse to execute psexec to enable for lateral movement. WSUS is limited to executing Microsoft signed binaries, which limits the executables that can be used to tools published by Microsoft.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-system.security-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential WSUS Abuse for Lateral Movement", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"wuauclt.exe\" and\nprocess.executable : \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\Install\\\\*\" and\n(process.name : \"psexec64.exe\" or ?process.pe.original_file_name : \"psexec.c\")\n", "references": ["https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/wsus-spoofing"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "8e2485b6-a74f-411b-bf7f-38b819f3a846", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", 
"Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 204}, "id": "8e2485b6-a74f-411b-bf7f-38b819f3a846_204", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8e39f54e-910b-4adb-a87e-494fbba5fb65.json b/packages/security_detection_engine/kibana/security_rule/8e39f54e-910b-4adb-a87e-494fbba5fb65.json
deleted file mode 100644
index 076bb2f42e6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8e39f54e-910b-4adb-a87e-494fbba5fb65.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Adversaries may attempt to connect to a remote system over Windows Remote Desktop Protocol (RDP) to achieve lateral movement. Adversaries may avoid using the Microsoft Terminal Services Client (mstsc.exe) binary to establish an RDP connection to evade detection.", "from": "now-119m", "index": ["logs-endpoint.events.network-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Outgoing RDP Connection by Unusual Process", "query": "network where host.os.type == \"windows\" and\n event.action == \"connection_attempted\" and destination.port == 3389 and\n destination.ip != \"::1\" and destination.ip != \"127.0.0.1\" and\n not (\n process.executable : (\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Program Files (x86)\\\\mRemoteNG\\\\mRemoteNG.exe\",\n \"?:\\\\Program Files (x86)\\\\PRTG Network Monitor\\\\PRTG Probe.exe\",\n \"?:\\\\Program Files\\\\Azure Advanced Threat Protection Sensor\\\\*\\\\Microsoft.Tri.Sensor.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Remote Desktop Connection Manager\\\\RDCMan.exe\",\n \"?:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent*\\\\Ranger\\\\SentinelRanger.exe\",\n \"?:\\\\Program Files\\\\Devolutions\\\\Remote Desktop Manager\\\\RemoteDesktopManager.exe\",\n \"?:\\\\Program Files (x86)\\\\Devolutions\\\\Remote Desktop Manager\\\\RemoteDesktopManager.exe\"\n ) and process.code_signature.trusted == true\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], 
"risk_score": 21, "rule_id": "8e39f54e-910b-4adb-a87e-494fbba5fb65", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "8e39f54e-910b-4adb-a87e-494fbba5fb65", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8e39f54e-910b-4adb-a87e-494fbba5fb65_1.json b/packages/security_detection_engine/kibana/security_rule/8e39f54e-910b-4adb-a87e-494fbba5fb65_1.json
deleted file mode 100644
index 2712d5f5e96..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8e39f54e-910b-4adb-a87e-494fbba5fb65_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Adversaries may attempt to connect to a remote system over Windows Remote Desktop Protocol (RDP) to achieve lateral movement. Adversaries may avoid using the Microsoft Terminal Services Client (mstsc.exe) binary to establish an RDP connection to evade detection.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Outgoing RDP Connection by Unusual Process", "query": "network where host.os.type == \"windows\" and\n event.action == \"connection_attempted\" and destination.port == 3389 and\n not process.executable : \"?:\\\\Windows\\\\System32\\\\mstsc.exe\" and\n destination.ip != \"::1\" and destination.ip != \"127.0.0.1\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "8e39f54e-910b-4adb-a87e-494fbba5fb65", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "8e39f54e-910b-4adb-a87e-494fbba5fb65_1", "type": "security-rule"}
\ 
No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8e39f54e-910b-4adb-a87e-494fbba5fb65_2.json b/packages/security_detection_engine/kibana/security_rule/8e39f54e-910b-4adb-a87e-494fbba5fb65_2.json
deleted file mode 100644
index 2dc645ea542..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8e39f54e-910b-4adb-a87e-494fbba5fb65_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Adversaries may attempt to connect to a remote system over Windows Remote Desktop Protocol (RDP) to achieve lateral movement. Adversaries may avoid using the Microsoft Terminal Services Client (mstsc.exe) binary to establish an RDP connection to evade detection.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Outgoing RDP Connection by Unusual Process", "query": "network where host.os.type == \"windows\" and\n event.action == \"connection_attempted\" and destination.port == 3389 and\n destination.ip != \"::1\" and destination.ip != \"127.0.0.1\" and\n not (\n process.executable : (\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Program Files (x86)\\\\mRemoteNG\\\\mRemoteNG.exe\",\n \"?:\\\\Program Files (x86)\\\\PRTG Network Monitor\\\\PRTG Probe.exe\",\n \"?:\\\\Program Files\\\\Azure Advanced Threat Protection Sensor\\\\*\\\\Microsoft.Tri.Sensor.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Remote Desktop Connection Manager\\\\RDCMan.exe\"\n ) and process.code_signature.trusted == true\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "8e39f54e-910b-4adb-a87e-494fbba5fb65", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": 
"Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "8e39f54e-910b-4adb-a87e-494fbba5fb65_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8e39f54e-910b-4adb-a87e-494fbba5fb65_3.json b/packages/security_detection_engine/kibana/security_rule/8e39f54e-910b-4adb-a87e-494fbba5fb65_3.json
deleted file mode 100644
index c9933c5ee9b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8e39f54e-910b-4adb-a87e-494fbba5fb65_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Adversaries may attempt to connect to a remote system over Windows Remote Desktop Protocol (RDP) to achieve lateral movement. Adversaries may avoid using the Microsoft Terminal Services Client (mstsc.exe) binary to establish an RDP connection to evade detection.", "from": "now-119m", "index": ["logs-endpoint.events.network-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Outgoing RDP Connection by Unusual Process", "query": "network where host.os.type == \"windows\" and\n event.action == \"connection_attempted\" and destination.port == 3389 and\n destination.ip != \"::1\" and destination.ip != \"127.0.0.1\" and\n not (\n process.executable : (\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Program Files (x86)\\\\mRemoteNG\\\\mRemoteNG.exe\",\n \"?:\\\\Program Files (x86)\\\\PRTG Network Monitor\\\\PRTG Probe.exe\",\n \"?:\\\\Program Files\\\\Azure Advanced Threat Protection Sensor\\\\*\\\\Microsoft.Tri.Sensor.exe\",\n \"?:\\\\Program Files (x86)\\\\Microsoft\\\\Remote Desktop Connection Manager\\\\RDCMan.exe\",\n \"?:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent*\\\\Ranger\\\\SentinelRanger.exe\",\n \"?:\\\\Program Files\\\\Devolutions\\\\Remote Desktop Manager\\\\RemoteDesktopManager.exe\",\n \"?:\\\\Program Files (x86)\\\\Devolutions\\\\Remote Desktop Manager\\\\RemoteDesktopManager.exe\"\n ) and process.code_signature.trusted == true\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], 
"risk_score": 21, "rule_id": "8e39f54e-910b-4adb-a87e-494fbba5fb65", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "8e39f54e-910b-4adb-a87e-494fbba5fb65_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8eec4df1-4b4b-4502-b6c3-c788714604c9.json b/packages/security_detection_engine/kibana/security_rule/8eec4df1-4b4b-4502-b6c3-c788714604c9.json
deleted file mode 100644
index 6d96d69bee1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8eec4df1-4b4b-4502-b6c3-c788714604c9.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism. Adversaries may abuse BITS to persist, download, execute, and even clean up after running malicious code.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Bitsadmin Activity", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (process.name : \"bitsadmin.exe\" and process.args : (\n \"*Transfer*\", \"*Create*\", \"AddFile\", \"*SetNotifyFlags*\", \"*SetNotifyCmdLine*\",\n \"*SetMinRetryDelay*\", \"*SetCustomHeaders*\", \"*Resume*\")\n ) or\n (process.name : \"powershell.exe\" and process.args : (\n \"*Start-BitsTransfer*\", \"*Add-BitsFile*\",\n \"*Resume-BitsTransfer*\", \"*Set-BitsTransfer*\", \"*BITS.Manager*\")\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "8eec4df1-4b4b-4502-b6c3-c788714604c9", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": 
"https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": "https://attack.mitre.org/techniques/T1197/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": "https://attack.mitre.org/techniques/T1197/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "8eec4df1-4b4b-4502-b6c3-c788714604c9", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8eec4df1-4b4b-4502-b6c3-c788714604c9_1.json b/packages/security_detection_engine/kibana/security_rule/8eec4df1-4b4b-4502-b6c3-c788714604c9_1.json
deleted file mode 100644
index 37beb4b1e9f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8eec4df1-4b4b-4502-b6c3-c788714604c9_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism. Adversaries may abuse BITS to persist, download, execute, and even clean up after running malicious code.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Bitsadmin Activity", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (process.name : \"bitsadmin.exe\" and process.args : (\n \"*Transfer*\", \"*Create*\", \"AddFile\", \"*SetNotifyFlags*\", \"*SetNotifyCmdLine*\",\n \"*SetMinRetryDelay*\", \"*SetCustomHeaders*\", \"*Resume*\")\n ) or\n (process.name : \"powershell.exe\" and process.args : (\n \"*Start-BitsTransfer*\", \"*Add-BitsFile*\",\n \"*Resume-BitsTransfer*\", \"*Set-BitsTransfer*\", \"*BITS.Manager*\")\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "8eec4df1-4b4b-4502-b6c3-c788714604c9", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": 
"T1197", "name": "BITS Jobs", "reference": "https://attack.mitre.org/techniques/T1197/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": "https://attack.mitre.org/techniques/T1197/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "8eec4df1-4b4b-4502-b6c3-c788714604c9_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8eec4df1-4b4b-4502-b6c3-c788714604c9_2.json b/packages/security_detection_engine/kibana/security_rule/8eec4df1-4b4b-4502-b6c3-c788714604c9_2.json
deleted file mode 100644
index efae3aa7c00..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8eec4df1-4b4b-4502-b6c3-c788714604c9_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism. Adversaries may abuse BITS to persist, download, execute, and even clean up after running malicious code.", "from": "now-119m", "index": ["logs-endpoint.events.process-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Bitsadmin Activity", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (process.name : \"bitsadmin.exe\" and process.args : (\n \"*Transfer*\", \"*Create*\", \"AddFile\", \"*SetNotifyFlags*\", \"*SetNotifyCmdLine*\",\n \"*SetMinRetryDelay*\", \"*SetCustomHeaders*\", \"*Resume*\")\n ) or\n (process.name : \"powershell.exe\" and process.args : (\n \"*Start-BitsTransfer*\", \"*Add-BitsFile*\",\n \"*Resume-BitsTransfer*\", \"*Set-BitsTransfer*\", \"*BITS.Manager*\")\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "8eec4df1-4b4b-4502-b6c3-c788714604c9", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": 
"T1197", "name": "BITS Jobs", "reference": "https://attack.mitre.org/techniques/T1197/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": "https://attack.mitre.org/techniques/T1197/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "8eec4df1-4b4b-4502-b6c3-c788714604c9_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8eec4df1-4b4b-4502-b6c3-c788714604c9_3.json b/packages/security_detection_engine/kibana/security_rule/8eec4df1-4b4b-4502-b6c3-c788714604c9_3.json
deleted file mode 100644
index e59eac604ac..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8eec4df1-4b4b-4502-b6c3-c788714604c9_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism. Adversaries may abuse BITS to persist, download, execute, and even clean up after running malicious code.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Bitsadmin Activity", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (process.name : \"bitsadmin.exe\" and process.args : (\n \"*Transfer*\", \"*Create*\", \"AddFile\", \"*SetNotifyFlags*\", \"*SetNotifyCmdLine*\",\n \"*SetMinRetryDelay*\", \"*SetCustomHeaders*\", \"*Resume*\")\n ) or\n (process.name : \"powershell.exe\" and process.args : (\n \"*Start-BitsTransfer*\", \"*Add-BitsFile*\",\n \"*Resume-BitsTransfer*\", \"*Set-BitsTransfer*\", \"*BITS.Manager*\")\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "8eec4df1-4b4b-4502-b6c3-c788714604c9", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": "https://attack.mitre.org/techniques/T1197/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": "https://attack.mitre.org/techniques/T1197/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "8eec4df1-4b4b-4502-b6c3-c788714604c9_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8eec4df1-4b4b-4502-b6c3-c788714604c9_4.json b/packages/security_detection_engine/kibana/security_rule/8eec4df1-4b4b-4502-b6c3-c788714604c9_4.json
deleted file mode 100644
index 1d4f791fb05..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8eec4df1-4b4b-4502-b6c3-c788714604c9_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism. Adversaries may abuse BITS to persist, download, execute, and even clean up after running malicious code.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Bitsadmin Activity", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (process.name : \"bitsadmin.exe\" and process.args : (\n \"*Transfer*\", \"*Create*\", \"AddFile\", \"*SetNotifyFlags*\", \"*SetNotifyCmdLine*\",\n \"*SetMinRetryDelay*\", \"*SetCustomHeaders*\", \"*Resume*\")\n ) or\n (process.name : \"powershell.exe\" and process.args : (\n \"*Start-BitsTransfer*\", \"*Add-BitsFile*\",\n \"*Resume-BitsTransfer*\", \"*Set-BitsTransfer*\", \"*BITS.Manager*\")\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "8eec4df1-4b4b-4502-b6c3-c788714604c9", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": 
"https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": "https://attack.mitre.org/techniques/T1197/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": "https://attack.mitre.org/techniques/T1197/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "8eec4df1-4b4b-4502-b6c3-c788714604c9_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8f242ffb-b191-4803-90ec-0f19942e17fd.json b/packages/security_detection_engine/kibana/security_rule/8f242ffb-b191-4803-90ec-0f19942e17fd.json
deleted file mode 100644
index 6e9808ee47e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8f242ffb-b191-4803-90ec-0f19942e17fd.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues, such as wildcard records, mainly because of the default permission (Any authenticated users) to create DNS-named records. Attackers can create wildcard records to redirect traffic that doesn't explicitly match records contained in the zone, becoming the Man-in-the-Middle and being able to abuse DNS similarly to LLMNR/NBNS spoofing.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential ADIDNS Poisoning via Wildcard Record Creation", "query": "any where host.os.type == \"windows\" and event.action in (\"Directory Service Changes\", \"directory-service-object-modified\") and\n event.code == \"5137\" and startsWith(winlog.event_data.ObjectDN, \"DC=*,\")\n", "references": ["https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/", "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/adidns-spoofing"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ObjectDN", "type": "unknown"}], "risk_score": 73, "rule_id": "8f242ffb-b191-4803-90ec-0f19942e17fd", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings 
>\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1557", "name": "Adversary-in-the-Middle", "reference": "https://attack.mitre.org/techniques/T1557/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "8f242ffb-b191-4803-90ec-0f19942e17fd", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/8f242ffb-b191-4803-90ec-0f19942e17fd_1.json b/packages/security_detection_engine/kibana/security_rule/8f242ffb-b191-4803-90ec-0f19942e17fd_1.json
deleted file mode 100644
index f60074d7362..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/8f242ffb-b191-4803-90ec-0f19942e17fd_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues, such as wildcard records, mainly because of the default permission (Any authenticated users) to create DNS-named records. Attackers can create wildcard records to redirect traffic that doesn't explicitly match records contained in the zone, becoming the Man-in-the-Middle and being able to abuse DNS similarly to LLMNR/NBNS spoofing.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential ADIDNS Poisoning via Wildcard Record Creation", "query": "any where host.os.type == \"windows\" and event.action == \"Directory Service Changes\" and\n event.code == \"5137\" and startsWith(winlog.event_data.ObjectDN, \"DC=*,\")\n", "references": ["https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/", "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/adidns-spoofing"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ObjectDN", "type": "unknown"}], "risk_score": 73, "rule_id": "8f242ffb-b191-4803-90ec-0f19942e17fd", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies 
Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1557", "name": "Adversary-in-the-Middle", "reference": "https://attack.mitre.org/techniques/T1557/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "8f242ffb-b191-4803-90ec-0f19942e17fd_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8f242ffb-b191-4803-90ec-0f19942e17fd_2.json b/packages/security_detection_engine/kibana/security_rule/8f242ffb-b191-4803-90ec-0f19942e17fd_2.json deleted file mode 100644 index 6a93bb7b241..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8f242ffb-b191-4803-90ec-0f19942e17fd_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues, such as wildcard records, mainly because of the default permission (Any authenticated users) to create DNS-named records. Attackers can create wildcard records to redirect traffic that doesn't explicitly match records contained in the zone, becoming the Man-in-the-Middle and being able to abuse DNS similarly to LLMNR/NBNS spoofing.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential ADIDNS Poisoning via Wildcard Record Creation", "query": "any where host.os.type == \"windows\" and event.action in (\"Directory Service Changes\", \"directory-service-object-modified\") and\n event.code == \"5137\" and startsWith(winlog.event_data.ObjectDN, \"DC=*,\")\n", "references": ["https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/", "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/adidns-spoofing"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ObjectDN", "type": "unknown"}], "risk_score": 73, "rule_id": "8f242ffb-b191-4803-90ec-0f19942e17fd", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings 
>\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1557", "name": "Adversary-in-the-Middle", "reference": "https://attack.mitre.org/techniques/T1557/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "8f242ffb-b191-4803-90ec-0f19942e17fd_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8f242ffb-b191-4803-90ec-0f19942e17fd_3.json b/packages/security_detection_engine/kibana/security_rule/8f242ffb-b191-4803-90ec-0f19942e17fd_3.json deleted file mode 100644 index 10b889fa3d0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8f242ffb-b191-4803-90ec-0f19942e17fd_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues, such as wildcard records, mainly because of the default permission (Any authenticated users) to create DNS-named records. Attackers can create wildcard records to redirect traffic that doesn't explicitly match records contained in the zone, becoming the Man-in-the-Middle and being able to abuse DNS similarly to LLMNR/NBNS spoofing.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential ADIDNS Poisoning via Wildcard Record Creation", "query": "any where host.os.type == \"windows\" and event.action in (\"Directory Service Changes\", \"directory-service-object-modified\") and\n event.code == \"5137\" and startsWith(winlog.event_data.ObjectDN, \"DC=*,\")\n", "references": ["https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/", "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/adidns-spoofing"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ObjectDN", "type": "unknown"}], "risk_score": 73, "rule_id": "8f242ffb-b191-4803-90ec-0f19942e17fd", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings 
>\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nThe above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.\n\n```\nSet-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1557", "name": "Adversary-in-the-Middle", "reference": "https://attack.mitre.org/techniques/T1557/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "8f242ffb-b191-4803-90ec-0f19942e17fd_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27.json b/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27.json deleted file mode 100644 index 5a070c4d9fe..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Port Monitor or Print Processor Registration Abuse", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\"\n ) and registry.data.strings : \"*.dll\" and\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", "references": ["https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "8f3e91c7-d791-4704-80a1-42c160d7aa27", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.010", "name": "Port Monitors", "reference": "https://attack.mitre.org/techniques/T1547/010/"}, {"id": "T1547.012", "name": "Print Processors", "reference": "https://attack.mitre.org/techniques/T1547/012/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.010", "name": "Port Monitors", "reference": "https://attack.mitre.org/techniques/T1547/010/"}, {"id": "T1547.012", "name": "Print Processors", "reference": "https://attack.mitre.org/techniques/T1547/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "8f3e91c7-d791-4704-80a1-42c160d7aa27", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_102.json b/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_102.json deleted file mode 100644 index b92ab472cb5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Port Monitor or Print Processor Registration Abuse", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\"\n ) and registry.data.strings : \"*.dll\" and\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", "references": ["https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "8f3e91c7-d791-4704-80a1-42c160d7aa27", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": 
"Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.010", "name": "Port Monitors", "reference": "https://attack.mitre.org/techniques/T1547/010/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.010", "name": "Port Monitors", "reference": "https://attack.mitre.org/techniques/T1547/010/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "8f3e91c7-d791-4704-80a1-42c160d7aa27_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_103.json b/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_103.json deleted file mode 100644 index c116823bed6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Port Monitor or Print Processor Registration Abuse", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\"\n ) and registry.data.strings : \"*.dll\" and\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", "references": ["https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "8f3e91c7-d791-4704-80a1-42c160d7aa27", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.010", "name": "Port Monitors", "reference": "https://attack.mitre.org/techniques/T1547/010/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.010", "name": "Port Monitors", "reference": "https://attack.mitre.org/techniques/T1547/010/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "8f3e91c7-d791-4704-80a1-42c160d7aa27_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_104.json b/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_104.json deleted file mode 100644 index c83b065b904..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Port Monitor or Print Processor Registration Abuse", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\"\n ) and registry.data.strings : \"*.dll\" and\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", "references": ["https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "8f3e91c7-d791-4704-80a1-42c160d7aa27", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.010", "name": "Port Monitors", "reference": "https://attack.mitre.org/techniques/T1547/010/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.010", "name": "Port Monitors", "reference": "https://attack.mitre.org/techniques/T1547/010/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "8f3e91c7-d791-4704-80a1-42c160d7aa27_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_105.json b/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_105.json deleted file mode 100644 index 165958a846e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Port Monitor or Print Processor Registration Abuse", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\"\n ) and registry.data.strings : \"*.dll\" and\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", "references": ["https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "8f3e91c7-d791-4704-80a1-42c160d7aa27", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.010", "name": "Port Monitors", "reference": "https://attack.mitre.org/techniques/T1547/010/"}, {"id": "T1547.012", "name": "Print Processors", "reference": "https://attack.mitre.org/techniques/T1547/012/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.010", "name": "Port Monitors", "reference": "https://attack.mitre.org/techniques/T1547/010/"}, {"id": "T1547.012", "name": "Print Processors", "reference": "https://attack.mitre.org/techniques/T1547/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "8f3e91c7-d791-4704-80a1-42c160d7aa27_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_106.json b/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_106.json deleted file mode 100644 index 82efa292315..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Port Monitor or Print Processor Registration Abuse", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\"\n ) and registry.data.strings : \"*.dll\" and\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", "references": ["https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "8f3e91c7-d791-4704-80a1-42c160d7aa27", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.010", "name": "Port Monitors", "reference": "https://attack.mitre.org/techniques/T1547/010/"}, {"id": "T1547.012", "name": "Print Processors", "reference": "https://attack.mitre.org/techniques/T1547/012/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.010", "name": "Port Monitors", "reference": "https://attack.mitre.org/techniques/T1547/010/"}, {"id": "T1547.012", "name": "Print Processors", "reference": "https://attack.mitre.org/techniques/T1547/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "8f3e91c7-d791-4704-80a1-42c160d7aa27_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_107.json b/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_107.json deleted file mode 100644 index 077aa1c99bc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8f3e91c7-d791-4704-80a1-42c160d7aa27_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies port monitor and print processor registry modifications. Adversaries may abuse port monitor and print processors to run malicious DLLs during system boot that will be executed as SYSTEM for privilege escalation and/or persistence, if permissions allow writing a fully-qualified pathname for that DLL.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Port Monitor or Print Processor Registration Abuse", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Monitors\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Print\\\\Environments\\\\Windows*\\\\Print Processors\\\\*\"\n ) and registry.data.strings : \"*.dll\" and\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", "references": ["https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "8f3e91c7-d791-4704-80a1-42c160d7aa27", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.010", "name": "Port Monitors", "reference": "https://attack.mitre.org/techniques/T1547/010/"}, {"id": "T1547.012", "name": "Print Processors", "reference": "https://attack.mitre.org/techniques/T1547/012/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.010", "name": "Port Monitors", "reference": "https://attack.mitre.org/techniques/T1547/010/"}, {"id": "T1547.012", "name": "Print Processors", "reference": "https://attack.mitre.org/techniques/T1547/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "8f3e91c7-d791-4704-80a1-42c160d7aa27_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4.json b/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4.json deleted file mode 100644 index 8588ac4bc78..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", "query": "sequence by host.id with maxspan=5s\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"explorer.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port > 49151 and destination.port > 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"explorer.exe\"\n ] by process.parent.entity_id\n", "references": ["https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, 
{"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "8f919d4b-a5af-47ca-a594-6be59cd924a4", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.003", "name": "Distributed Component Object Model", "reference": "https://attack.mitre.org/techniques/T1021/003/"}]}]}], "type": "eql", "version": 107}, "id": "8f919d4b-a5af-47ca-a594-6be59cd924a4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_103.json b/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_103.json deleted file mode 100644 index b930f6d4489..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", "query": "sequence by host.id with maxspan=5s\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"explorer.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port > 49151 and destination.port > 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"explorer.exe\"\n ] by process.parent.entity_id\n", "references": ["https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": 
true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "8f919d4b-a5af-47ca-a594-6be59cd924a4", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.003", "name": "Distributed Component Object Model", "reference": "https://attack.mitre.org/techniques/T1021/003/"}]}]}], "type": "eql", "version": 103}, "id": "8f919d4b-a5af-47ca-a594-6be59cd924a4_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_104.json b/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_104.json deleted file mode 100644 index 26322e38388..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", "query": "sequence by host.id with maxspan=5s\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"explorer.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port > 49151 and destination.port > 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"explorer.exe\"\n ] by process.parent.entity_id\n", "references": ["https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": 
true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "8f919d4b-a5af-47ca-a594-6be59cd924a4", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.003", "name": "Distributed Component Object Model", "reference": "https://attack.mitre.org/techniques/T1021/003/"}]}]}], "type": "eql", "version": 104}, "id": "8f919d4b-a5af-47ca-a594-6be59cd924a4_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_105.json b/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_105.json deleted file mode 100644 index 144f38c4ec9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", "query": "sequence by host.id with maxspan=5s\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"explorer.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port > 49151 and destination.port > 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"explorer.exe\"\n ] by process.parent.entity_id\n", "references": ["https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": 
true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "8f919d4b-a5af-47ca-a594-6be59cd924a4", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.003", "name": "Distributed Component Object Model", "reference": "https://attack.mitre.org/techniques/T1021/003/"}]}]}], "type": "eql", "version": 105}, "id": "8f919d4b-a5af-47ca-a594-6be59cd924a4_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_106.json b/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_106.json deleted file mode 100644 index cb962f1f85b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", "query": "sequence by host.id with maxspan=5s\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"explorer.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port > 49151 and destination.port > 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"explorer.exe\"\n ] by process.parent.entity_id\n", "references": ["https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": 
"ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "8f919d4b-a5af-47ca-a594-6be59cd924a4", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.003", "name": "Distributed Component Object Model", "reference": "https://attack.mitre.org/techniques/T1021/003/"}]}]}], "type": "eql", "version": 106}, "id": "8f919d4b-a5af-47ca-a594-6be59cd924a4_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_107.json b/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_107.json deleted file mode 100644 index a516cbdca4c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8f919d4b-a5af-47ca-a594-6be59cd924a4_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of Distributed Component Object Model (DCOM) to run commands from a remote host, which are launched via the ShellBrowserWindow or ShellWindows Application COM Object. This behavior may indicate an attacker abusing a DCOM application to stealthily move laterally.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows", "query": "sequence by host.id with maxspan=5s\n [network where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"explorer.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port > 49151 and destination.port > 49151 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"explorer.exe\"\n ] by process.parent.entity_id\n", "references": ["https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, 
{"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "8f919d4b-a5af-47ca-a594-6be59cd924a4", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.003", "name": "Distributed Component Object Model", "reference": "https://attack.mitre.org/techniques/T1021/003/"}]}]}], "type": "eql", "version": 107}, "id": "8f919d4b-a5af-47ca-a594-6be59cd924a4_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13.json b/packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13.json deleted file mode 100644 index 7087cf1eccf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a service account is deleted in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may delete a service account in order to disrupt their target's business operations.", "false_positives": ["Service accounts may be deleted by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Service Account Deletion", "note": "", "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success\n", "references": ["https://cloud.google.com/iam/docs/service-accounts"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "8fb75dda-c47a-4e34-8ecd-34facf7aad13", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], 
"timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "8fb75dda-c47a-4e34-8ecd-34facf7aad13", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13_103.json b/packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13_103.json deleted file mode 100644 index 47e41fff56f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/8fb75dda-c47a-4e34-8ecd-34facf7aad13_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a service account is deleted in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may delete a service account in order to disrupt their target's business operations.", "false_positives": ["Service accounts may be deleted by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Service Account Deletion", "note": "", "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccount and event.outcome:success\n", "references": ["https://cloud.google.com/iam/docs/service-accounts"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "8fb75dda-c47a-4e34-8ecd-34facf7aad13", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": 
"event.ingested", "type": "query", "version": 103}, "id": "8fb75dda-c47a-4e34-8ecd-34facf7aad13_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52.json b/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52.json deleted file mode 100644 index 0af482a06b2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing.", "false_positives": ["Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Hping Process Activity", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name in (\"hping\", \"hping2\", \"hping3\")\n", "references": ["https://en.wikipedia.org/wiki/Hping"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "90169566-2260-4824-b8e4-8615c3b4ed52", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_103.json b/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_103.json deleted file mode 100644 index 22400939807..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing.", "false_positives": ["Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Hping Process Activity", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(hping or hping2 or hping3)\n", "references": ["https://en.wikipedia.org/wiki/Hping"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52", "severity": "high", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Discovery", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "90169566-2260-4824-b8e4-8615c3b4ed52_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_104.json b/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_104.json
deleted file mode 100644
index b65afe45365..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing.", "false_positives": ["Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Hping Process Activity", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(hping or hping2 or hping3)\n", "references": ["https://en.wikipedia.org/wiki/Hping"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "90169566-2260-4824-b8e4-8615c3b4ed52_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_105.json b/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_105.json
deleted file mode 100644
index 9420514d928..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing.", "false_positives": ["Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Hping Process Activity", "query": "process where host.os.type == \"linux\" and event.type == \"start\"\nand process.name in (\"hping\", \"hping2\", \"hping3\")\n", "references": ["https://en.wikipedia.org/wiki/Hping"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "90169566-2260-4824-b8e4-8615c3b4ed52_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_106.json b/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_106.json
deleted file mode 100644
index c0c678ba909..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing.", "false_positives": ["Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Hping Process Activity", "query": "process where host.os.type == \"linux\" and event.type == \"start\"\nand process.name in (\"hping\", \"hping2\", \"hping3\")\n", "references": ["https://en.wikipedia.org/wiki/Hping"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52", "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "90169566-2260-4824-b8e4-8615c3b4ed52_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_107.json b/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_107.json deleted file mode 100644 index 530ff9db108..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/90169566-2260-4824-b8e4-8615c3b4ed52_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Hping ran on a Linux host. Hping is a FOSS command-line packet analyzer and has the ability to construct network packets for a wide variety of network security testing applications, including scanning and firewall auditing.", "false_positives": ["Normal use of hping is uncommon apart from security testing and research. Use by non-security engineers is very uncommon."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Hping Process Activity", "query": "process where host.os.type == \"linux\" and event.type == \"start\"\nand process.name in (\"hping\", \"hping2\", \"hping3\")\n", "references": ["https://en.wikipedia.org/wiki/Hping"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "90169566-2260-4824-b8e4-8615c3b4ed52", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "90169566-2260-4824-b8e4-8615c3b4ed52_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad.json b/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad.json deleted file mode 100644 index 6840d802f8d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, or database instance.", "false_positives": ["Clusters or instances may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster or instance deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Deletion of RDS Instance or Cluster", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance)\nand event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-global-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-instance.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBInstance.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "9055ece6-2689-4224-a0e0-b04881e1f8ad", "setup": "The AWS Fleet integration, 
Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "9055ece6-2689-4224-a0e0-b04881e1f8ad", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_102.json b/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_102.json deleted file mode 100644 index 618b6a01581..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, or database instance.", "false_positives": ["Clusters or instances may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster or instance deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Deletion of RDS Instance or Cluster", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance)\nand event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-global-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-instance.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBInstance.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "9055ece6-2689-4224-a0e0-b04881e1f8ad", "setup": "The AWS Fleet integration, Filebeat 
module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "9055ece6-2689-4224-a0e0-b04881e1f8ad_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_103.json b/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_103.json deleted file mode 100644 index e1fe9c90d1c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, or database instance.", "false_positives": ["Clusters or instances may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster or instance deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Deletion of RDS Instance or Cluster", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance)\nand event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-global-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-instance.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBInstance.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "9055ece6-2689-4224-a0e0-b04881e1f8ad", "setup": "The AWS Fleet integration, Filebeat 
module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "9055ece6-2689-4224-a0e0-b04881e1f8ad_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_104.json b/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_104.json deleted file mode 100644 index 52b5412b228..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, or database instance.", "false_positives": ["Clusters or instances may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster or instance deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Deletion of RDS Instance or Cluster", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance)\nand event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-global-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-instance.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBInstance.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "9055ece6-2689-4224-a0e0-b04881e1f8ad", "setup": "The AWS Fleet integration, Filebeat 
module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "9055ece6-2689-4224-a0e0-b04881e1f8ad_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_205.json b/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_205.json deleted file mode 100644 index eecb57e3a2c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9055ece6-2689-4224-a0e0-b04881e1f8ad_205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, or database instance.", "false_positives": ["Clusters or instances may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster or instance deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Deletion of RDS Instance or Cluster", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance)\nand event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-global-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteGlobalCluster.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-instance.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBInstance.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "9055ece6-2689-4224-a0e0-b04881e1f8ad", "setup": "The AWS Fleet integration, Filebeat 
module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "9055ece6-2689-4224-a0e0-b04881e1f8ad_205", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9.json b/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9.json deleted file mode 100644 index 847f293ce87..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.", "false_positives": ["Applications for password management."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Keychain Password Retrieval via Command Line", "query": "process where host.os.type == \"macos\" and event.action == \"exec\" and\n process.name : \"security\" and\n process.args : (\"-wa\", \"-ga\") and process.args : (\"find-generic-password\", \"find-internet-password\") and\n process.command_line : (\"*Chrome*\", \"*Chromium*\", \"*Opera*\", \"*Safari*\", \"*Brave*\", \"*Microsoft Edge*\", \"*Firefox*\") and\n not process.parent.executable : \"/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*\"\n", "references": ["https://www.netmeister.org/blog/keychain-passwords.html", "https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py", "https://ss64.com/osx/security.html", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9", 
"setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.001", "name": "Keychain", "reference": "https://attack.mitre.org/techniques/T1555/001/"}]}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.003", "name": "Credentials from Web Browsers", "reference": "https://attack.mitre.org/techniques/T1555/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_102.json b/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_102.json deleted file mode 100644 index 6fb6d41eec1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.", "false_positives": ["Applications for password management."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Keychain Password Retrieval via Command Line", "note": "", "query": "process where host.os.type == \"macos\" and event.type == \"start\" and\n process.name : \"security\" and process.args : \"-wa\" and process.args : (\"find-generic-password\", \"find-internet-password\") and\n process.args : (\"Chrome*\", \"Chromium\", \"Opera\", \"Safari*\", \"Brave\", \"Microsoft Edge\", \"Edge\", \"Firefox*\") and\n not process.parent.executable : \"/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*\"\n", "references": ["https://www.netmeister.org/blog/keychain-passwords.html", "https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py", "https://ss64.com/osx/security.html", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9", "setup": "If enabling an EQL rule on a non-elastic-agent index 
(such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.001", "name": "Keychain", "reference": "https://attack.mitre.org/techniques/T1555/001/"}]}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.003", "name": "Credentials from Web Browsers", "reference": "https://attack.mitre.org/techniques/T1555/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_103.json b/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_103.json deleted file mode 100644 index 7f81a718349..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.", "false_positives": ["Applications for password management."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Keychain Password Retrieval via Command Line", "note": "", "query": "process where host.os.type == \"macos\" and event.type == \"start\" and\n process.name : \"security\" and process.args : \"-wa\" and process.args : (\"find-generic-password\", \"find-internet-password\") and\n process.args : (\"Chrome*\", \"Chromium\", \"Opera\", \"Safari*\", \"Brave\", \"Microsoft Edge\", \"Edge\", \"Firefox*\") and\n not process.parent.executable : \"/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*\"\n", "references": ["https://www.netmeister.org/blog/keychain-passwords.html", "https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py", "https://ss64.com/osx/security.html", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9", "setup": "If enabling an EQL rule on a non-elastic-agent index 
(such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.001", "name": "Keychain", "reference": "https://attack.mitre.org/techniques/T1555/001/"}]}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.003", "name": "Credentials from Web Browsers", "reference": "https://attack.mitre.org/techniques/T1555/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_104.json b/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_104.json deleted file mode 100644 index 9357fa6e3f2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.", "false_positives": ["Applications for password management."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Keychain Password Retrieval via Command Line", "note": "", "query": "process where host.os.type == \"macos\" and event.type == \"start\" and\n process.name : \"security\" and process.args : \"-wa\" and process.args : (\"find-generic-password\", \"find-internet-password\") and\n process.args : (\"Chrome*\", \"Chromium\", \"Opera\", \"Safari*\", \"Brave\", \"Microsoft Edge\", \"Edge\", \"Firefox*\") and\n not process.parent.executable : \"/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*\"\n", "references": ["https://www.netmeister.org/blog/keychain-passwords.html", "https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py", "https://ss64.com/osx/security.html", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9", "setup": "If enabling an EQL rule on a non-elastic-agent index 
(such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.001", "name": "Keychain", "reference": "https://attack.mitre.org/techniques/T1555/001/"}]}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.003", "name": "Credentials from Web Browsers", "reference": "https://attack.mitre.org/techniques/T1555/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_105.json b/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_105.json deleted file mode 100644 index 61e949cb142..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.", "false_positives": ["Applications for password management."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Keychain Password Retrieval via Command Line", "query": "process where host.os.type == \"macos\" and event.type == \"start\" and\n process.name : \"security\" and process.args : \"-wa\" and process.args : (\"find-generic-password\", \"find-internet-password\") and\n process.args : (\"Chrome*\", \"Chromium\", \"Opera\", \"Safari*\", \"Brave\", \"Microsoft Edge\", \"Edge\", \"Firefox*\") and\n not process.parent.executable : \"/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*\"\n", "references": ["https://www.netmeister.org/blog/keychain-passwords.html", "https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py", "https://ss64.com/osx/security.html", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as 
beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.001", "name": "Keychain", "reference": "https://attack.mitre.org/techniques/T1555/001/"}]}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.003", "name": "Credentials from Web Browsers", "reference": "https://attack.mitre.org/techniques/T1555/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_106.json b/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_106.json deleted file mode 100644 index efc5c5b7fd7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.", "false_positives": ["Applications for password management."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Keychain Password Retrieval via Command Line", "query": "process where host.os.type == \"macos\" and event.type == \"start\" and\n process.name : \"security\" and process.args : \"-wa\" and process.args : (\"find-generic-password\", \"find-internet-password\") and\n process.args : (\"Chrome*\", \"Chromium\", \"Opera\", \"Safari*\", \"Brave\", \"Microsoft Edge\", \"Edge\", \"Firefox*\") and\n not process.parent.executable : \"/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*\"\n", "references": ["https://www.netmeister.org/blog/keychain-passwords.html", "https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py", "https://ss64.com/osx/security.html", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend 
Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.001", "name": "Keychain", "reference": "https://attack.mitre.org/techniques/T1555/001/"}]}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.003", "name": "Credentials from Web Browsers", "reference": "https://attack.mitre.org/techniques/T1555/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_107.json b/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_107.json deleted file mode 100644 index e0d4ac9b7a2..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/9092cd6c-650f-4fa3-8a8a-28256c7489c9_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.", "false_positives": ["Applications for password management."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Keychain Password Retrieval via Command Line", "query": "process where host.os.type == \"macos\" and event.type == \"start\" and\n process.name : \"security\" and process.args : \"-wa\" and process.args : (\"find-generic-password\", \"find-internet-password\") and\n process.args : (\"Chrome*\", \"Chromium\", \"Opera\", \"Safari*\", \"Brave\", \"Microsoft Edge\", \"Edge\", \"Firefox*\") and\n not process.parent.executable : \"/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*\"\n", "references": ["https://www.netmeister.org/blog/keychain-passwords.html", "https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py", "https://ss64.com/osx/security.html", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic 
Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.001", "name": "Keychain", "reference": "https://attack.mitre.org/techniques/T1555/001/"}]}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.003", "name": "Credentials from Web Browsers", "reference": "https://attack.mitre.org/techniques/T1555/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "9092cd6c-650f-4fa3-8a8a-28256c7489c9_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/90babaa8-5216-4568-992d-d4a01a105d98.json b/packages/security_detection_engine/kibana/security_rule/90babaa8-5216-4568-992d-d4a01a105d98.json deleted file mode 100644 index 7db4c82cc71..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/90babaa8-5216-4568-992d-d4a01a105d98.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. Adversaries may use InstallUtil to proxy the execution of code through a trusted Windows utility.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "InstallUtil Activity", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"installutil.exe\" and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "90babaa8-5216-4568-992d-d4a01a105d98", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.004", "name": "InstallUtil", "reference": "https://attack.mitre.org/techniques/T1218/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "90babaa8-5216-4568-992d-d4a01a105d98", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/90babaa8-5216-4568-992d-d4a01a105d98_1.json b/packages/security_detection_engine/kibana/security_rule/90babaa8-5216-4568-992d-d4a01a105d98_1.json
deleted file mode 100644
index e9af31612c9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/90babaa8-5216-4568-992d-d4a01a105d98_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. Adversaries may use InstallUtil to proxy the execution of code through a trusted Windows utility.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "InstallUtil Activity", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"installutil.exe\" and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "90babaa8-5216-4568-992d-d4a01a105d98", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.004", "name": "InstallUtil", "reference": "https://attack.mitre.org/techniques/T1218/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "90babaa8-5216-4568-992d-d4a01a105d98_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/90babaa8-5216-4568-992d-d4a01a105d98_2.json b/packages/security_detection_engine/kibana/security_rule/90babaa8-5216-4568-992d-d4a01a105d98_2.json
deleted file mode 100644
index 08a5f65fb3f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/90babaa8-5216-4568-992d-d4a01a105d98_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. Adversaries may use InstallUtil to proxy the execution of code through a trusted Windows utility.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "InstallUtil Activity", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"installutil.exe\" and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "90babaa8-5216-4568-992d-d4a01a105d98", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.004", "name": "InstallUtil", "reference": "https://attack.mitre.org/techniques/T1218/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "90babaa8-5216-4568-992d-d4a01a105d98_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/90babaa8-5216-4568-992d-d4a01a105d98_3.json b/packages/security_detection_engine/kibana/security_rule/90babaa8-5216-4568-992d-d4a01a105d98_3.json
deleted file mode 100644
index 312fac72141..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/90babaa8-5216-4568-992d-d4a01a105d98_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. Adversaries may use InstallUtil to proxy the execution of code through a trusted Windows utility.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "InstallUtil Activity", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"installutil.exe\" and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "90babaa8-5216-4568-992d-d4a01a105d98", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.004", "name": "InstallUtil", "reference": "https://attack.mitre.org/techniques/T1218/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "90babaa8-5216-4568-992d-d4a01a105d98_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8.json b/packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8.json
deleted file mode 100644
index 44c2d6e2d6c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment.", "false_positives": ["Virtual Private Cloud routes may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Virtual Private Cloud Route Creation", "note": "", "query": "event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or \"beta.compute.routes.insert\")\n", "references": ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.com/vpc/docs/using-routes"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud 
Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8_103.json b/packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8_103.json
deleted file mode 100644
index 99a9114b9df..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9180ffdf-f3d0-4db3-bf66-7a14bcff71b8_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the flow of network traffic in their target's cloud environment.", "false_positives": ["Virtual Private Cloud routes may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Virtual Private Cloud Route Creation", "note": "", "query": "event.dataset:gcp.audit and event.action:(v*.compute.routes.insert or \"beta.compute.routes.insert\")\n", "references": ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.com/vpc/docs/using-routes"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Configuration Audit", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud 
Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49.json b/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49.json
deleted file mode 100644
index 85f56b6048b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list.", "false_positives": ["Firewall ACL's may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Web ACL deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS WAF Access Control List Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html", "https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "91d04cd4-47a9-4334-ab14-084abe274d49", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", 
"name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "91d04cd4-47a9-4334-ab14-084abe274d49", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_102.json b/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_102.json
deleted file mode 100644
index 817f73f5a1b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list.", "false_positives": ["Firewall ACL's may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Web ACL deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS WAF Access Control List Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html", "https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "91d04cd4-47a9-4334-ab14-084abe274d49", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Network Security"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": 
"https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "91d04cd4-47a9-4334-ab14-084abe274d49_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_103.json b/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_103.json
deleted file mode 100644
index 696e97b62c7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list.", "false_positives": ["Firewall ACL's may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Web ACL deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS WAF Access Control List Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html", "https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "91d04cd4-47a9-4334-ab14-084abe274d49", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": 
"Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "91d04cd4-47a9-4334-ab14-084abe274d49_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_104.json b/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_104.json
deleted file mode 100644
index eb5c8cf8efb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list.", "false_positives": ["Firewall ACL's may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Web ACL deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS WAF Access Control List Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html", "https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "91d04cd4-47a9-4334-ab14-084abe274d49", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": 
"Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "91d04cd4-47a9-4334-ab14-084abe274d49_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_205.json b/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_205.json
deleted file mode 100644
index 3d50ab1a454..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/91d04cd4-47a9-4334-ab14-084abe274d49_205.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list.", "false_positives": ["Firewall ACL's may be deleted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Web ACL deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS WAF Access Control List Deletion", "note": "", "query": "event.dataset:aws.cloudtrail and event.action:DeleteWebACL and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html", "https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "91d04cd4-47a9-4334-ab14-084abe274d49", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": 
"Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "91d04cd4-47a9-4334-ab14-084abe274d49_205", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0.json
deleted file mode 100644
index 4c39e2a158f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning activity.", "false_positives": ["Web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. A new or rarely used program that calls web services may trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "packetbeat_rare_user_agent", "name": "Unusual Web User Agent", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "91f02f01-969f-4167-8d77-07827ac4cee0", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Network Packet Capture\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. 
You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Network Packet Capture Integration Setup\nThe Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment \u2014 ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"network_traffic\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cNetwork Packet Capture\u201d and select the integration to see more details about it.\n- Click \u201cAdd Network Packet Capture\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cnetwork_traffic\u201d to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).\n", "severity": "low", "tags": ["Use Case: Threat Detection", 
"Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}]}], "type": "machine_learning", "version": 104}, "id": "91f02f01-969f-4167-8d77-07827ac4cee0", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_101.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_101.json
deleted file mode 100644
index 72449c54d46..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_101.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning activity.", "false_positives": ["Web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. 
A new or rarely used program that calls web services may trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "packetbeat_rare_user_agent", "name": "Unusual Web User Agent", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "91f02f01-969f-4167-8d77-07827ac4cee0", "severity": "low", "tags": ["Elastic", "Network", "Threat Detection", "ML", "Machine Learning", "Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}]}], "type": "machine_learning", "version": 101}, "id": "91f02f01-969f-4167-8d77-07827ac4cee0_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_102.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_102.json deleted file mode 100644 index 47ba93cd0af..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning activity.", "false_positives": ["Web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. 
A new or rarely used program that calls web services may trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "packetbeat_rare_user_agent", "name": "Unusual Web User Agent", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "91f02f01-969f-4167-8d77-07827ac4cee0", "severity": "low", "tags": ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}]}], "type": "machine_learning", "version": 102}, "id": "91f02f01-969f-4167-8d77-07827ac4cee0_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_103.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_103.json deleted file mode 100644 index 1571219a482..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8d77-07827ac4cee0_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected a rare and unusual user agent indicating web browsing activity by an unusual process other than a web browser. This can be due to persistence, command-and-control, or exfiltration activity. Uncommon user agents coming from remote sources to local destinations are often the result of scanners, bots, and web scrapers, which are part of common Internet background traffic. Much of this is noise, but more targeted attacks on websites using tools like Burp or SQLmap can sometimes be discovered by spotting uncommon user agents. Uncommon user agents in traffic from local sources to remote destinations can be any number of things, including harmless programs like weather monitoring or stock-trading programs. However, uncommon user agents from local sources can also be due to malware or scanning activity.", "false_positives": ["Web activity that is uncommon, like security scans, may trigger this alert and may need to be excluded. 
A new or rarely used program that calls web services may trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "packetbeat_rare_user_agent", "name": "Unusual Web User Agent", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "91f02f01-969f-4167-8d77-07827ac4cee0", "severity": "low", "tags": ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}]}], "type": "machine_learning", "version": 103}, "id": "91f02f01-969f-4167-8d77-07827ac4cee0_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9.json deleted file mode 100644 index 4ffec8c6521..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic.", "false_positives": ["Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. 
Web domains can be excluded in cases such as these."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "packetbeat_rare_urls", "name": "Unusual Web Request", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "91f02f01-969f-4167-8f55-07827ac3acc9", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Network Packet Capture\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Network Packet Capture Integration Setup\nThe Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment \u2014 ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"network_traffic\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cNetwork Packet Capture\u201d and select the integration to see more details about it.\n- Click \u201cAdd Network Packet Capture\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cnetwork_traffic\u201d to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).\n", "severity": "low", "tags": ["Use Case: Threat Detection", 
"Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}]}], "type": "machine_learning", "version": 104}, "id": "91f02f01-969f-4167-8f55-07827ac3acc9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_101.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_101.json deleted file mode 100644 index b36947859af..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic.", "false_positives": ["Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. 
Web domains can be excluded in cases such as these."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "packetbeat_rare_urls", "name": "Unusual Web Request", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "91f02f01-969f-4167-8f55-07827ac3acc9", "severity": "low", "tags": ["Elastic", "Network", "Threat Detection", "ML", "Machine Learning", "Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}]}], "type": "machine_learning", "version": 101}, "id": "91f02f01-969f-4167-8f55-07827ac3acc9_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_102.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_102.json deleted file mode 100644 index 22e54566cde..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic.", "false_positives": ["Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. 
Web domains can be excluded in cases such as these."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "packetbeat_rare_urls", "name": "Unusual Web Request", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "91f02f01-969f-4167-8f55-07827ac3acc9", "severity": "low", "tags": ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}]}], "type": "machine_learning", "version": 102}, "id": "91f02f01-969f-4167-8f55-07827ac3acc9_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_103.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_103.json deleted file mode 100644 index 70fbb65850f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f55-07827ac3acc9_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic.", "false_positives": ["Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this when they are used sparsely. 
Web domains can be excluded in cases such as these."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "packetbeat_rare_urls", "name": "Unusual Web Request", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "91f02f01-969f-4167-8f55-07827ac3acc9", "severity": "low", "tags": ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}]}], "type": "machine_learning", "version": 103}, "id": "91f02f01-969f-4167-8f55-07827ac3acc9_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9.json deleted file mode 100644 index db1e7a92ad4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.", "false_positives": ["DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "packetbeat_dns_tunneling", "name": "DNS Tunneling", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "91f02f01-969f-4167-8f66-07827ac3bdd9", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Network Packet Capture\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Network Packet Capture Integration Setup\nThe Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment \u2014 ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"network_traffic\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cNetwork Packet Capture\u201d and select the integration to see more details about it.\n- Click \u201cAdd Network Packet Capture\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cnetwork_traffic\u201d to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).\n", "severity": "low", "tags": ["Use Case: Threat Detection", 
"Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "type": "machine_learning", "version": 104}, "id": "91f02f01-969f-4167-8f66-07827ac3bdd9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_101.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_101.json deleted file mode 100644 index dbeabff1620..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.", "false_positives": ["DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "packetbeat_dns_tunneling", "name": "DNS Tunneling", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "91f02f01-969f-4167-8f66-07827ac3bdd9", "severity": "low", "tags": ["Elastic", "Network", "Threat Detection", "ML", "Machine Learning", "Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "type": "machine_learning", "version": 101}, "id": "91f02f01-969f-4167-8f66-07827ac3bdd9_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_102.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_102.json deleted file mode 100644 index 9e36d12df83..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.", "false_positives": ["DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "packetbeat_dns_tunneling", "name": "DNS Tunneling", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "91f02f01-969f-4167-8f66-07827ac3bdd9", "severity": "low", "tags": ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "type": "machine_learning", "version": 102}, "id": "91f02f01-969f-4167-8f66-07827ac3bdd9_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_103.json b/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_103.json deleted file mode 100644 index 0bfe4393e79..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/91f02f01-969f-4167-8f66-07827ac3bdd9_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.", "false_positives": ["DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "packetbeat_dns_tunneling", "name": "DNS Tunneling", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "91f02f01-969f-4167-8f66-07827ac3bdd9", "severity": "low", "tags": ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "type": "machine_learning", "version": 103}, "id": "91f02f01-969f-4167-8f66-07827ac3bdd9_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/929223b4-fba3-4a1c-a943-ec4716ad23ec.json b/packages/security_detection_engine/kibana/security_rule/929223b4-fba3-4a1c-a943-ec4716ad23ec.json deleted file mode 100644 index 13effcb11cf..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/929223b4-fba3-4a1c-a943-ec4716ad23ec.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule is part of the \"GitHub UEBA - Unusual Activity from Account Pack\", and leverages alert data to determine when multiple alerts are executed by the same user in a timespan of one hour. Analysts can use this to prioritize triage and response, as these alerts are a higher indicator of compromised user accounts or PATs.", "from": "now-60m", "index": [".alerts-security.*"], "language": "kuery", "license": "Elastic License v2", "name": "GitHub UEBA - Multiple Alerts from a GitHub Account", "query": "signal.rule.tags:(\"Use Case: UEBA\" and \"Data Source: Github\") and kibana.alert.workflow_status:\"open\"\n", "required_fields": [{"ecs": false, "name": "kibana.alert.workflow_status", "type": "unknown"}, {"ecs": false, "name": "signal.rule.tags", "type": "unknown"}], "risk_score": 47, "rule_id": "929223b4-fba3-4a1c-a943-ec4716ad23ec", "severity": "medium", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Execution", "Rule Type: Higher-Order Rule", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "threshold": {"cardinality": [{"field": "signal.rule.name", "value": 5}], "field": ["user.name"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 1}, "id": "929223b4-fba3-4a1c-a943-ec4716ad23ec", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba.json b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba.json deleted file mode 100644 index c5753b2fd6a..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can get the contents of the clipboard, which attackers can abuse to retrieve sensitive information like credentials, messages, etc.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\program?files\\\\powershell\\\\?\\\\Modules\\\\*.psd1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\*.psd1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\*.ps?1"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Clipboard Retrieval Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to get the contents of the clipboard with the goal of stealing credentials and other valuable information, such as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users are unlikely to use scripting utilities to capture contents of the clipboard, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n (powershell.file.script_block_text : (\n \"Windows.Clipboard\" or\n \"Windows.Forms.Clipboard\" or\n \"Windows.Forms.TextBox\"\n ) and\n powershell.file.script_block_text : (\n \"]::GetText\" or\n \".Paste()\"\n )) or powershell.file.script_block_text : \"Get-Clipboard\" and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n ) and\n not user.id : \"S-1-5-18\" and\n not (\n file.path : C\\:\\\\Program?Files\\\\WindowsPowerShell\\\\*Modules*.ps1 and\n file.name : (\"Convert-ExcelRangeToImage.ps1\" or \"Read-Clipboard.ps1\")\n )\n", "references": ["https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ClipboardContents.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "92984446-aefb-4d5e-ad12-598042ca80ba", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer 
Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1115", "name": "Clipboard Data", "reference": "https://attack.mitre.org/techniques/T1115/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "92984446-aefb-4d5e-ad12-598042ca80ba", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_108.json b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_108.json deleted file mode 100644 index 0cd28d204a4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can get the contents of the clipboard, which attackers can abuse to retrieve sensitive information like credentials, messages, etc.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\program?files\\\\powershell\\\\?\\\\Modules\\\\*.psd1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\*.psd1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\*.ps?1"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Clipboard Retrieval Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to get the contents of the clipboard with the goal of stealing credentials and other valuable information, such as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users are unlikely to use scripting utilities to capture contents of the clipboard, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n (powershell.file.script_block_text : (\n \"Windows.Clipboard\" or\n \"Windows.Forms.Clipboard\" or\n \"Windows.Forms.TextBox\"\n ) and\n powershell.file.script_block_text : (\n \"]::GetText\" or\n \".Paste()\"\n )) or powershell.file.script_block_text : \"Get-Clipboard\" and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n ) and\n not user.id : \"S-1-5-18\" and\n not (\n file.path : C\\:\\\\Program?Files\\\\WindowsPowerShell\\\\*Modules*.ps1 and\n file.name : (\"Convert-ExcelRangeToImage.ps1\" or \"Read-Clipboard.ps1\")\n )\n", "references": ["https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ClipboardContents.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "92984446-aefb-4d5e-ad12-598042ca80ba", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer 
Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1115", "name": "Clipboard Data", "reference": "https://attack.mitre.org/techniques/T1115/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "92984446-aefb-4d5e-ad12-598042ca80ba_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_109.json b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_109.json deleted file mode 100644 index 3e9bdbb1a4d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can get the contents of the clipboard, which attackers can abuse to retrieve sensitive information like credentials, messages, etc.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\program?files\\\\powershell\\\\?\\\\Modules\\\\*.psd1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\Modules\\\\*.psd1"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\*.ps?1"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Clipboard Retrieval Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to get the contents of the clipboard with the goal of stealing credentials and other valuable information, such as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users are unlikely to use scripting utilities to capture contents of the clipboard, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n (powershell.file.script_block_text : (\n \"Windows.Clipboard\" or\n \"Windows.Forms.Clipboard\" or\n \"Windows.Forms.TextBox\"\n ) and\n powershell.file.script_block_text : (\n \"]::GetText\" or\n \".Paste()\"\n )) or powershell.file.script_block_text : \"Get-Clipboard\" and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n ) and\n not user.id : \"S-1-5-18\" and\n not (\n file.path : C\\:\\\\Program?Files\\\\WindowsPowerShell\\\\*Modules*.ps1 and\n file.name : (\"Convert-ExcelRangeToImage.ps1\" or \"Read-Clipboard.ps1\")\n )\n", "references": ["https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ClipboardContents.ps1"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "92984446-aefb-4d5e-ad12-598042ca80ba", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer 
Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1115", "name": "Clipboard Data", "reference": "https://attack.mitre.org/techniques/T1115/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 109}, "id": "92984446-aefb-4d5e-ad12-598042ca80ba_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_2.json b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_2.json deleted file mode 100644 index 47839831b1a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can get the contents of the clipboard, which attackers can abuse to retrieve sensitive information like credentials, messages, etc.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Clipboard Retrieval Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to get the contents of the clipboard with the goal of stealing credentials and other valuable information, such as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users are unlikely to use scripting utilities to capture contents of the clipboard, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n (powershell.file.script_block_text : (\n \"Windows.Clipboard\" or\n \"Windows.Forms.Clipboard\" or\n \"Windows.Forms.TextBox\"\n ) and\n powershell.file.script_block_text : (\n \"]::GetText\" or\n \".Paste()\"\n )) or powershell.file.script_block_text : \"Get-Clipboard\"\n and not user.id : \"S-1-5-18\"\n", "references": ["https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ClipboardContents.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "92984446-aefb-4d5e-ad12-598042ca80ba", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "PowerShell", 
"Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1115", "name": "Clipboard Data", "reference": "https://attack.mitre.org/techniques/T1115/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "92984446-aefb-4d5e-ad12-598042ca80ba_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_3.json b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_3.json deleted file mode 100644 index d6696f23685..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_3.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can get the contents of the clipboard, which attackers can abuse to retrieve sensitive information like credentials, messages, etc.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Clipboard Retrieval Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to get the contents of the clipboard with the goal of stealing credentials and other valuable information, such as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users are unlikely to use scripting utilities to capture contents of the clipboard, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and \n powershell.file.script_block_text:((Windows.Clipboard or \n Windows.Forms.Clipboard or \n Windows.Forms.TextBox) and \n (\".Paste()\" or \n \"]::GetText\")) or \n powershell.file.script_block_text:Get-Clipboard and \n not user.id:S-1-5-18\n", "references": ["https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ClipboardContents.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "92984446-aefb-4d5e-ad12-598042ca80ba", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Resources: 
Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1115", "name": "Clipboard Data", "reference": "https://attack.mitre.org/techniques/T1115/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "92984446-aefb-4d5e-ad12-598042ca80ba_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_4.json b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_4.json
deleted file mode 100644
index 6fdb617322b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can get the contents of the clipboard, which attackers can abuse to retrieve sensitive information like credentials, messages, etc.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Clipboard Retrieval Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to get the contents of the clipboard with the goal of stealing credentials and other valuable information, such as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users are unlikely to use scripting utilities to capture contents of the clipboard, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n (powershell.file.script_block_text : (\n \"Windows.Clipboard\" or\n \"Windows.Forms.Clipboard\" or\n \"Windows.Forms.TextBox\"\n ) and\n powershell.file.script_block_text : (\n \"]::GetText\" or\n \".Paste()\"\n )) or powershell.file.script_block_text : \"Get-Clipboard\"\n and not user.id : \"S-1-5-18\"\n", "references": ["https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ClipboardContents.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "92984446-aefb-4d5e-ad12-598042ca80ba", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: 
Collection", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1115", "name": "Clipboard Data", "reference": "https://attack.mitre.org/techniques/T1115/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "92984446-aefb-4d5e-ad12-598042ca80ba_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_5.json b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_5.json
deleted file mode 100644
index fbf9e96f7b1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can get the contents of the clipboard, which attackers can abuse to retrieve sensitive information like credentials, messages, etc.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Clipboard Retrieval Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to get the contents of the clipboard with the goal of stealing credentials and other valuable information, such as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users are unlikely to use scripting utilities to capture contents of the clipboard, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n (powershell.file.script_block_text : (\n \"Windows.Clipboard\" or\n \"Windows.Forms.Clipboard\" or\n \"Windows.Forms.TextBox\"\n ) and\n powershell.file.script_block_text : (\n \"]::GetText\" or\n \".Paste()\"\n )) or powershell.file.script_block_text : \"Get-Clipboard\"\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n and not user.id : \"S-1-5-18\"\n and not file.path : (*WindowsPowerShell*Modules*.psd1 or *WindowsPowerShell*Modules*.psm1)\n and not (\n file.path : *WindowsPowerShell*Modules*.ps1 and\n file.name : (\"Convert-ExcelRangeToImage.ps1\" or \"Read-Clipboard.ps1\")\n )\n", "references": ["https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ClipboardContents.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "92984446-aefb-4d5e-ad12-598042ca80ba", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with 
Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1115", "name": "Clipboard Data", "reference": "https://attack.mitre.org/techniques/T1115/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "92984446-aefb-4d5e-ad12-598042ca80ba_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_6.json b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_6.json
deleted file mode 100644
index d944d5c9e5a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can get the contents of the clipboard, which attackers can abuse to retrieve sensitive information like credentials, messages, etc.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Clipboard Retrieval Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to get the contents of the clipboard with the goal of stealing credentials and other valuable information, such as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users are unlikely to use scripting utilities to capture contents of the clipboard, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n (powershell.file.script_block_text : (\n \"Windows.Clipboard\" or\n \"Windows.Forms.Clipboard\" or\n \"Windows.Forms.TextBox\"\n ) and\n powershell.file.script_block_text : (\n \"]::GetText\" or\n \".Paste()\"\n )) or powershell.file.script_block_text : \"Get-Clipboard\" and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n ) and\n not user.id : \"S-1-5-18\" and\n not file.path : (\n ?\\:\\\\\\\\program?files\\\\\\\\powershell\\\\\\\\?\\\\\\\\Modules\\\\\\\\*.psd1 or\n ?\\:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\Modules\\\\\\\\*.psd1 or\n ?\\:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\Modules\\\\\\\\*.psd1 or\n ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\*.psd1 or\n ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\*.psm1\n ) and \n not (\n file.path : ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\*Modules*.ps1 and\n file.name : (\"Convert-ExcelRangeToImage.ps1\" or \"Read-Clipboard.ps1\")\n )\n", "references": ["https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ClipboardContents.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, 
{"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "92984446-aefb-4d5e-ad12-598042ca80ba", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1115", "name": "Clipboard Data", "reference": "https://attack.mitre.org/techniques/T1115/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 6}, "id": "92984446-aefb-4d5e-ad12-598042ca80ba_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_7.json b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_7.json
deleted file mode 100644
index aa3556a764f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can get the contents of the clipboard, which attackers can abuse to retrieve sensitive information like credentials, messages, etc.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Clipboard Retrieval Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to get the contents of the clipboard with the goal of stealing credentials and other valuable information, such as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users are unlikely to use scripting utilities to capture contents of the clipboard, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.category:process and host.os.type:windows and\n (powershell.file.script_block_text : (\n \"Windows.Clipboard\" or\n \"Windows.Forms.Clipboard\" or\n \"Windows.Forms.TextBox\"\n ) and\n powershell.file.script_block_text : (\n \"]::GetText\" or\n \".Paste()\"\n )) or powershell.file.script_block_text : \"Get-Clipboard\" and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n ) and\n not user.id : \"S-1-5-18\" and\n not file.path : (\n ?\\:\\\\\\\\program?files\\\\\\\\powershell\\\\\\\\?\\\\\\\\Modules\\\\\\\\*.psd1 or\n ?\\:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\Modules\\\\\\\\*.psd1 or\n ?\\:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\Modules\\\\\\\\*.psd1 or\n ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\*.psd1 or\n ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\*.psm1\n ) and \n not (\n file.path : ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\*Modules*.ps1 and\n file.name : (\"Convert-ExcelRangeToImage.ps1\" or \"Read-Clipboard.ps1\")\n )\n", "references": ["https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ClipboardContents.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, 
{"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "92984446-aefb-4d5e-ad12-598042ca80ba", "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1115", "name": "Clipboard Data", "reference": "https://attack.mitre.org/techniques/T1115/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 7}, "id": "92984446-aefb-4d5e-ad12-598042ca80ba_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_8.json b/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_8.json
deleted file mode 100644
index b9c81bbe5bd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/92984446-aefb-4d5e-ad12-598042ca80ba_8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can get the contents of the clipboard, which attackers can abuse to retrieve sensitive information like credentials, messages, etc.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Clipboard Retrieval Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to get the contents of the clipboard with the goal of stealing credentials and other valuable information, such as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users are unlikely to use scripting utilities to capture contents of the clipboard, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n (powershell.file.script_block_text : (\n \"Windows.Clipboard\" or\n \"Windows.Forms.Clipboard\" or\n \"Windows.Forms.TextBox\"\n ) and\n powershell.file.script_block_text : (\n \"]::GetText\" or\n \".Paste()\"\n )) or powershell.file.script_block_text : \"Get-Clipboard\" and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n ) and\n not user.id : \"S-1-5-18\" and\n not file.path : (\n ?\\:\\\\\\\\program?files\\\\\\\\powershell\\\\\\\\?\\\\\\\\Modules\\\\\\\\*.psd1 or\n ?\\:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\Modules\\\\\\\\*.psd1 or\n ?\\:\\\\\\\\WINDOWS\\\\\\\\system32\\\\\\\\WindowsPowerShell\\\\\\\\v1.0\\\\\\\\Modules\\\\\\\\*.psd1 or\n ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\*.psd1 or\n ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\Modules\\\\\\\\*.psm1\n ) and \n not (\n file.path : ?\\:\\\\\\\\Program?Files\\\\\\\\WindowsPowerShell\\\\\\\\*Modules*.ps1 and\n file.name : (\"Convert-ExcelRangeToImage.ps1\" or \"Read-Clipboard.ps1\")\n )\n", "references": ["https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-ClipboardContents.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, 
{"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "92984446-aefb-4d5e-ad12-598042ca80ba", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1115", "name": "Clipboard Data", "reference": "https://attack.mitre.org/techniques/T1115/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 8}, "id": "92984446-aefb-4d5e-ad12-598042ca80ba_8", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9.json b/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9.json
deleted file mode 100644
index 87339a6e3f6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "A scheduled task was created", "query": "iam where event.action == \"scheduled-task-created\" and\n\n /* excluding tasks created by the computer account */\n not user.name : \"*$\" and\n\n /* TaskContent is not parsed, exclude by full taskname noisy ones */\n not winlog.event_data.TaskName : (\n \"\\\\CreateExplorerShellUnelevatedTask\",\n \"\\\\Hewlett-Packard\\\\HPDeviceCheck\",\n \"\\\\Hewlett-Packard\\\\HP Support Assistant\\\\WarrantyChecker\",\n \"\\\\Hewlett-Packard\\\\HP Support Assistant\\\\WarrantyChecker_backup\",\n \"\\\\Hewlett-Packard\\\\HP Web Products Detection\",\n \"\\\\Microsoft\\\\VisualStudio\\\\Updates\\\\BackgroundDownload\",\n \"\\\\OneDrive Standalone Update Task-S-1-5-21*\",\n \"\\\\OneDrive Standalone Update Task-S-1-12-1-*\"\n )\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TaskName", "type": "unknown"}], "risk_score": 21, "rule_id": "92a6faf5-78ec-4e25-bea1-73bacc9b59d9", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 9}, "id": "92a6faf5-78ec-4e25-bea1-73bacc9b59d9", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_5.json b/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_5.json
deleted file mode 100644
index 98bc2674314..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "A scheduled task was created", "query": "iam where host.os.type == \"windows\" and event.action == \"scheduled-task-created\" and\n\n /* excluding tasks created by the computer account */\n not user.name : \"*$\" and\n\n /* TaskContent is not parsed, exclude by full taskname noisy ones */\n not winlog.event_data.TaskName :\n (\"\\\\OneDrive Standalone Update Task-S-1-5-21*\",\n \"\\\\OneDrive Standalone Update Task-S-1-12-1-*\",\n \"\\\\Hewlett-Packard\\\\HP Web Products Detection\",\n \"\\\\Hewlett-Packard\\\\HPDeviceCheck\")\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TaskName", "type": "unknown"}], "risk_score": 21, "rule_id": "92a6faf5-78ec-4e25-bea1-73bacc9b59d9", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", 
"reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "92a6faf5-78ec-4e25-bea1-73bacc9b59d9_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_6.json b/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_6.json
deleted file mode 100644
index 8a7a3b14589..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "A scheduled task was created", "query": "iam where event.action == \"scheduled-task-created\" and\n\n /* excluding tasks created by the computer account */\n not user.name : \"*$\" and\n\n /* TaskContent is not parsed, exclude by full taskname noisy ones */\n not winlog.event_data.TaskName :\n (\"\\\\OneDrive Standalone Update Task-S-1-5-21*\",\n \"\\\\OneDrive Standalone Update Task-S-1-12-1-*\",\n \"\\\\Hewlett-Packard\\\\HP Web Products Detection\",\n \"\\\\Hewlett-Packard\\\\HPDeviceCheck\")\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TaskName", "type": "unknown"}], "risk_score": 21, "rule_id": "92a6faf5-78ec-4e25-bea1-73bacc9b59d9", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 6}, "id": "92a6faf5-78ec-4e25-bea1-73bacc9b59d9_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_7.json b/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_7.json
deleted file mode 100644
index eb86e367349..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "A scheduled task was created", "query": "iam where event.action == \"scheduled-task-created\" and\n\n /* excluding tasks created by the computer account */\n not user.name : \"*$\" and\n\n /* TaskContent is not parsed, exclude by full taskname noisy ones */\n not winlog.event_data.TaskName :\n (\"\\\\OneDrive Standalone Update Task-S-1-5-21*\",\n \"\\\\OneDrive Standalone Update Task-S-1-12-1-*\",\n \"\\\\Hewlett-Packard\\\\HP Web Products Detection\",\n \"\\\\Hewlett-Packard\\\\HPDeviceCheck\")\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TaskName", "type": "unknown"}], "risk_score": 21, "rule_id": "92a6faf5-78ec-4e25-bea1-73bacc9b59d9", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": 
"https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "92a6faf5-78ec-4e25-bea1-73bacc9b59d9_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_8.json b/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_8.json
deleted file mode 100644
index e37017f711c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "A scheduled task was created", "query": "iam where event.action == \"scheduled-task-created\" and\n\n /* excluding tasks created by the computer account */\n not user.name : \"*$\" and\n\n /* TaskContent is not parsed, exclude by full taskname noisy ones */\n not winlog.event_data.TaskName : (\n \"\\\\CreateExplorerShellUnelevatedTask\",\n \"\\\\Hewlett-Packard\\\\HPDeviceCheck\",\n \"\\\\Hewlett-Packard\\\\HP Support Assistant\\\\WarrantyChecker\",\n \"\\\\Hewlett-Packard\\\\HP Support Assistant\\\\WarrantyChecker_backup\",\n \"\\\\Hewlett-Packard\\\\HP Web Products Detection\",\n \"\\\\Microsoft\\\\VisualStudio\\\\Updates\\\\BackgroundDownload\",\n \"\\\\OneDrive Standalone Update Task-S-1-5-21*\",\n \"\\\\OneDrive Standalone Update Task-S-1-12-1-*\"\n )\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TaskName", "type": "unknown"}], "risk_score": 21, "rule_id": "92a6faf5-78ec-4e25-bea1-73bacc9b59d9", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "92a6faf5-78ec-4e25-bea1-73bacc9b59d9_8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_9.json b/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_9.json
deleted file mode 100644
index 5335d18883c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/92a6faf5-78ec-4e25-bea1-73bacc9b59d9_9.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "A scheduled task was created", "query": "iam where event.action == \"scheduled-task-created\" and\n\n /* excluding tasks created by the computer account */\n not user.name : \"*$\" and\n\n /* TaskContent is not parsed, exclude by full taskname noisy ones */\n not winlog.event_data.TaskName : (\n \"\\\\CreateExplorerShellUnelevatedTask\",\n \"\\\\Hewlett-Packard\\\\HPDeviceCheck\",\n \"\\\\Hewlett-Packard\\\\HP Support Assistant\\\\WarrantyChecker\",\n \"\\\\Hewlett-Packard\\\\HP Support Assistant\\\\WarrantyChecker_backup\",\n \"\\\\Hewlett-Packard\\\\HP Web Products Detection\",\n \"\\\\Microsoft\\\\VisualStudio\\\\Updates\\\\BackgroundDownload\",\n \"\\\\OneDrive Standalone Update Task-S-1-5-21*\",\n \"\\\\OneDrive Standalone Update Task-S-1-12-1-*\"\n )\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TaskName", "type": "unknown"}], "risk_score": 21, "rule_id": "92a6faf5-78ec-4e25-bea1-73bacc9b59d9", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 9}, "id": "92a6faf5-78ec-4e25-bea1-73bacc9b59d9_9", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/92d3a04e-6487-4b62-892d-70e640a590dc.json b/packages/security_detection_engine/kibana/security_rule/92d3a04e-6487-4b62-892d-70e640a590dc.json
deleted file mode 100644
index 3e849f13e2b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/92d3a04e-6487-4b62-892d-70e640a590dc.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple Windows Filtering Platform block events and where the process name is related to an endpoint security software. Adversaries may add malicious WFP rules to prevent Endpoint security from sending telemetry.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.network-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Evasion via Windows Filtering Platform", "query": "sequence by winlog.computer_name with maxspan=1m\n [network where host.os.type == \"windows\" and \n event.action : (\"windows-firewall-packet-block\", \"windows-firewall-packet-drop\") and \n process.name : (\n \"bdagent.exe\", \"bdreinit.exe\", \"pdscan.exe\", \"pdiface.exe\", \"BDSubWiz.exe\", \"ProductAgentService.exe\",\n \"ProductAgentUI.exe\", \"WatchDog.exe\", \"CarbonBlackClientSetup.exe\", \"TrGUI.exe\", \"TracCAPI.exe\", \"cpmsi_tool.exe\",\n \"trac.exe\", \"vna_install64.exe\", \"vna_utils.exe\", \"TracSrvWrapper.exe\", \"vsmon.exe\", \"p95tray.exe\",\n \"CybereasonRansomFreeServiceHost.exe\", \"CrAmTray.exe\", \"minionhost.exe\", \"CybereasonSensor.exe\", \"CylanceUI.exe\",\n \"CylanceProtectSetup.exe\", \"cylancesvc.exe\", \"cyupdate.exe\", \"elastic-agent.exe\", \"elastic-endpoint.exe\",\n \"egui.exe\", \"minodlogin.exe\", \"emu-rep.exe\", \"emu_install.exe\", \"emu-cci.exe\", \"emu-gui.exe\", \"emu-uninstall.exe\",\n \"ndep.exe\", \"spike.exe\", \"ecls.exe\", \"ecmd.exe\", \"ecomserver.exe\", \"eeclnt.exe\", \"eh64.exe\", \"EHttpSrv.exe\",\n \"xagt.exe\", \"collectoragent.exe\", \"FSAEConfig.exe\", \"uninstalldcagent.exe\", \"rmon.exe\", \"fccomint.exe\",\n \"fclanguageselector.exe\", \"fortifw.exe\", \"fcreg.exe\", \"fortitray.exe\", \"fcappdb.exe\", \"fcwizard.exe\", \"submitv.exe\",\n \"av_task.exe\", \"fortiwf.exe\", \"fortiwadbd.exe\", \"fcauth.exe\", \"fcdblog.exe\", \"fcmgr.exe\", \"fortiwad.exe\",\n \"fortiproxy.exe\", 
\"fortiscand.exe\", \"fortivpnst.exe\", \"ipsec.exe\", \"fcwscd7.exe\", \"fcasc.exe\", \"fchelper.exe\",\n \"forticlient.exe\",\"fcwsc.exe\", \"FortiClient.exe\", \"fmon.exe\", \"FSSOMA.exe\", \"FCVbltScan.exe\", \"FortiESNAC.exe\",\n \"EPCUserAvatar.exe\", \"FortiAvatar.exe\", \"FortiClient_Diagnostic_Tool.exe\", \"FortiSSLVPNdaemon.exe\", \"avp.exe\",\n \"FCConfig.exe\", \"avpsus.exe\", \"klnagent.exe\", \"klnsacwsrv.exe\", \"kl_platf.exe\", \"stpass.exe\", \"klnagwds.exe\",\n \"mbae.exe\", \"mbae64.exe\", \"mbae-svc.exe\", \"mbae-uninstaller.exe\", \"mbaeLoader32.exe\", \"mbaeloader64.exe\",\n \"mbam-dor.exe\", \"mbamgui.exe\", \"mbamservice.exe\", \"mbamtrayctrl.exe\", \"mbampt.exe\", \"mbamscheduler.exe\",\n \"Coreinst.exe\", \"mbae-setup.exe\", \"mcupdate.exe\", \"ProtectedModuleHost.exe\", \"ESConfigTool.exe\", \"FWInstCheck.exe\",\n \"FwWindowsFirewallHandler.exe\", \"mfeesp.exe\", \"mfefw.exe\", \"mfeProvisionModeUtility.exe\", \"mfetp.exe\", \"avpui.exe\", \n \"WscAVExe.exe\", \"mcshield.exe\", \"McChHost.exe\", \"mfewc.exe\", \"mfewch.exe\", \"mfewcui.exe\", \"fwinfo.exe\",\n \"mfecanary.exe\", \"mfefire.exe\", \"mfehidin.exe\", \"mfemms.exe\", \"mfevtps.exe\", \"mmsinfo.exe\", \"vtpinfo.exe\",\n \"MarSetup.exe\", \"mctray.exe\", \"masvc.exe\", \"macmnsvc.exe\", \"McAPExe.exe\", \"McPvTray.exe\", \"mcods.exe\",\n \"mcuicnt.exe\", \"mcuihost.exe\", \"xtray.exe\", \"McpService.exe\", \"epefprtrainer.exe\", \"mfeffcoreservice.exe\",\n \"MfeEpeSvc.exe\", \"qualysagent.exe\", \"QualysProxy.exe\", \"QualysAgentUI.exe\", \"SVRTgui.exe\", \"SVRTcli.exe\",\n \"SVRTcli.exe\", \"SVRTgui.exe\", \"SCTCleanupService.exe\", \"SVRTservice.exe\", \"native.exe\", \"SCTBootTasks.exe\",\n \"ALMon.exe\", \"SAA.exe\", \"SUMService.exe\", \"ssp.exe\", \"SCFService.exe\", \"SCFManager.exe\", \"spa.exe\", \"cabarc.exe\",\n \"sargui.exe\", \"sntpservice.exe\", \"McsClient.exe\", \"McsAgent.exe\", \"McsHeartbeat.exe\", \"SAVAdminService.exe\",\n \"sav32cli.exe\", 
\"ForceUpdateAlongSideSGN.exe\", \"SAVCleanupService.exe\", \"SavMain.exe\", \"SavProgress.exe\", \n \"SavProxy.exe\", \"SavService.exe\", \"swc_service.exe\", \"swi_di.exe\", \"swi_service.exe\", \"swi_filter.exe\",\n \"ALUpdate.exe\", \"SophosUpdate.exe\", \"ALsvc.exe\", \"SophosAlert.exe\", \"osCheck.exe\", \"N360Downloader.exe\",\n \"InstWrap.exe\", \"symbos.exe\", \"nss.exe\", \"symcorpui.exe\", \"isPwdSvc.exe\", \"ccsvchst.exe\", \"ntrmv.exe\",\n \"pccntmon.exe\", \"AosUImanager.exe\", \"NTRTScan.exe\", \"TMAS_OL.exe\", \"TMAS_OLImp.exe\", \"TMAS_OLSentry.exe\",\n \"ufnavi.exe\", \"Clnrbin.exe\", \"vizorhtmldialog.exe\", \"pwmConsole.exe\", \"PwmSvc.exe\", \"coreServiceShell.exe\",\n \"ds_agent.exe\", \"SfCtlCom.exe\", \"MBAMHelper.exe\", \"cb.exe\", \"smc.exe\", \"tda.exe\", \"xagtnotif.exe\", \"ekrn.exe\",\n \"dsa.exe\", \"Notifier.exe\", \"rphcp.exe\", \"lc_sensor.exe\", \"CSFalconService.exe\", \"CSFalconController.exe\",\n \"SenseSampleUploader.exe\", \"windefend.exe\", \"MSASCui.exe\", \"MSASCuiL.exe\", \"msmpeng.exe\", \"msmpsvc.exe\",\n \"MsSense.exe\", \"esensor.exe\", \"sentinelone.exe\", \"tmccsf.exe\", \"csfalconcontainer.exe\", \"sensecncproxy.exe\",\n \"splunk.exe\", \"sysmon.exe\", \"sysmon64.exe\", \"taniumclient.exe\"\n )] with runs=5\n", "references": ["https://github.com/dsnezhkov/shutter/tree/main", "https://github.com/netero1010/EDRSilencer/tree/main", "https://www.mdsec.co.uk/2023/09/nighthawk-0-2-6-three-wise-monkeys/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5157", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": 
"winlog.computer_name", "type": "keyword"}], "risk_score": 47, "rule_id": "92d3a04e-6487-4b62-892d-70e640a590dc", "setup": "## Setup\n\nThe 'Filtering Platform Connection' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nFiltering Platform Connection (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "type": "eql", "version": 4}, "id": "92d3a04e-6487-4b62-892d-70e640a590dc", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/92d3a04e-6487-4b62-892d-70e640a590dc_1.json b/packages/security_detection_engine/kibana/security_rule/92d3a04e-6487-4b62-892d-70e640a590dc_1.json
deleted file mode 100644
index 68149ed3aa7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/92d3a04e-6487-4b62-892d-70e640a590dc_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies multiple Windows Filtering Platform block events and where the process name is related to an endpoint security software. Adversaries may add malicious WFP rules to prevent Endpoint security from sending telemetry.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "logs-system.security-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Evasion via Windows Filtering Platform", "query": "sequence by winlog.computer_name with maxspan=1m\n [network where host.os.type == \"windows\" and \n event.action : (\"windows-firewall-packet-block\", \"windows-firewall-packet-drop\") and \n process.name : (\n \"bdagent.exe\", \"bdreinit.exe\", \"pdscan.exe\", \"pdiface.exe\", \"BDSubWiz.exe\", \"ProductAgentService.exe\",\n \"ProductAgentUI.exe\", \"WatchDog.exe\", \"CarbonBlackClientSetup.exe\", \"TrGUI.exe\", \"TracCAPI.exe\", \"cpmsi_tool.exe\",\n \"trac.exe\", \"vna_install64.exe\", \"vna_utils.exe\", \"TracSrvWrapper.exe\", \"vsmon.exe\", \"p95tray.exe\",\n \"CybereasonRansomFreeServiceHost.exe\", \"CrAmTray.exe\", \"minionhost.exe\", \"CybereasonSensor.exe\", \"CylanceUI.exe\",\n \"CylanceProtectSetup.exe\", \"cylancesvc.exe\", \"cyupdate.exe\", \"elastic-agent.exe\", \"elastic-endpoint.exe\",\n \"egui.exe\", \"minodlogin.exe\", \"emu-rep.exe\", \"emu_install.exe\", \"emu-cci.exe\", \"emu-gui.exe\", \"emu-uninstall.exe\",\n \"ndep.exe\", \"spike.exe\", \"ecls.exe\", \"ecmd.exe\", \"ecomserver.exe\", \"eeclnt.exe\", \"eh64.exe\", \"EHttpSrv.exe\",\n \"xagt.exe\", \"collectoragent.exe\", \"FSAEConfig.exe\", \"uninstalldcagent.exe\", \"rmon.exe\", \"fccomint.exe\",\n \"fclanguageselector.exe\", \"fortifw.exe\", \"fcreg.exe\", \"fortitray.exe\", \"fcappdb.exe\", \"fcwizard.exe\", \"submitv.exe\",\n \"av_task.exe\", \"fortiwf.exe\", \"fortiwadbd.exe\", \"fcauth.exe\", \"fcdblog.exe\", \"fcmgr.exe\", \"fortiwad.exe\",\n \"fortiproxy.exe\", \"fortiscand.exe\", 
\"fortivpnst.exe\", \"ipsec.exe\", \"fcwscd7.exe\", \"fcasc.exe\", \"fchelper.exe\",\n \"forticlient.exe\",\"fcwsc.exe\", \"FortiClient.exe\", \"fmon.exe\", \"FSSOMA.exe\", \"FCVbltScan.exe\", \"FortiESNAC.exe\",\n \"EPCUserAvatar.exe\", \"FortiAvatar.exe\", \"FortiClient_Diagnostic_Tool.exe\", \"FortiSSLVPNdaemon.exe\", \"avp.exe\",\n \"FCConfig.exe\", \"avpsus.exe\", \"klnagent.exe\", \"klnsacwsrv.exe\", \"kl_platf.exe\", \"stpass.exe\", \"klnagwds.exe\",\n \"mbae.exe\", \"mbae64.exe\", \"mbae-svc.exe\", \"mbae-uninstaller.exe\", \"mbaeLoader32.exe\", \"mbaeloader64.exe\",\n \"mbam-dor.exe\", \"mbamgui.exe\", \"mbamservice.exe\", \"mbamtrayctrl.exe\", \"mbampt.exe\", \"mbamscheduler.exe\",\n \"Coreinst.exe\", \"mbae-setup.exe\", \"mcupdate.exe\", \"ProtectedModuleHost.exe\", \"ESConfigTool.exe\", \"FWInstCheck.exe\",\n \"FwWindowsFirewallHandler.exe\", \"mfeesp.exe\", \"mfefw.exe\", \"mfeProvisionModeUtility.exe\", \"mfetp.exe\", \"avpui.exe\", \n \"WscAVExe.exe\", \"mcshield.exe\", \"McChHost.exe\", \"mfewc.exe\", \"mfewch.exe\", \"mfewcui.exe\", \"fwinfo.exe\",\n \"mfecanary.exe\", \"mfefire.exe\", \"mfehidin.exe\", \"mfemms.exe\", \"mfevtps.exe\", \"mmsinfo.exe\", \"vtpinfo.exe\",\n \"MarSetup.exe\", \"mctray.exe\", \"masvc.exe\", \"macmnsvc.exe\", \"McAPExe.exe\", \"McPvTray.exe\", \"mcods.exe\",\n \"mcuicnt.exe\", \"mcuihost.exe\", \"xtray.exe\", \"McpService.exe\", \"epefprtrainer.exe\", \"mfeffcoreservice.exe\",\n \"MfeEpeSvc.exe\", \"qualysagent.exe\", \"QualysProxy.exe\", \"QualysAgentUI.exe\", \"SVRTgui.exe\", \"SVRTcli.exe\",\n \"SVRTcli.exe\", \"SVRTgui.exe\", \"SCTCleanupService.exe\", \"SVRTservice.exe\", \"native.exe\", \"SCTBootTasks.exe\",\n \"ALMon.exe\", \"SAA.exe\", \"SUMService.exe\", \"ssp.exe\", \"SCFService.exe\", \"SCFManager.exe\", \"spa.exe\", \"cabarc.exe\",\n \"sargui.exe\", \"sntpservice.exe\", \"McsClient.exe\", \"McsAgent.exe\", \"McsHeartbeat.exe\", \"SAVAdminService.exe\",\n \"sav32cli.exe\", \"ForceUpdateAlongSideSGN.exe\", 
\"SAVCleanupService.exe\", \"SavMain.exe\", \"SavProgress.exe\", \n \"SavProxy.exe\", \"SavService.exe\", \"swc_service.exe\", \"swi_di.exe\", \"swi_service.exe\", \"swi_filter.exe\",\n \"ALUpdate.exe\", \"SophosUpdate.exe\", \"ALsvc.exe\", \"SophosAlert.exe\", \"osCheck.exe\", \"N360Downloader.exe\",\n \"InstWrap.exe\", \"symbos.exe\", \"nss.exe\", \"symcorpui.exe\", \"isPwdSvc.exe\", \"ccsvchst.exe\", \"ntrmv.exe\",\n \"pccntmon.exe\", \"AosUImanager.exe\", \"NTRTScan.exe\", \"TMAS_OL.exe\", \"TMAS_OLImp.exe\", \"TMAS_OLSentry.exe\",\n \"ufnavi.exe\", \"Clnrbin.exe\", \"vizorhtmldialog.exe\", \"pwmConsole.exe\", \"PwmSvc.exe\", \"coreServiceShell.exe\",\n \"ds_agent.exe\", \"SfCtlCom.exe\", \"MBAMHelper.exe\", \"cb.exe\", \"smc.exe\", \"tda.exe\", \"xagtnotif.exe\", \"ekrn.exe\",\n \"dsa.exe\", \"Notifier.exe\", \"rphcp.exe\", \"lc_sensor.exe\", \"CSFalconService.exe\", \"CSFalconController.exe\",\n \"SenseSampleUploader.exe\", \"windefend.exe\", \"MSASCui.exe\", \"MSASCuiL.exe\", \"msmpeng.exe\", \"msmpsvc.exe\",\n \"MsSense.exe\", \"esensor.exe\", \"sentinelone.exe\", \"tmccsf.exe\", \"csfalconcontainer.exe\", \"sensecncproxy.exe\",\n \"splunk.exe\", \"sysmon.exe\", \"sysmon64.exe\", \"taniumclient.exe\"\n )] with runs=5\n", "references": ["https://github.com/dsnezhkov/shutter/tree/main", "https://github.com/netero1010/EDRSilencer/tree/main", "https://www.mdsec.co.uk/2023/09/nighthawk-0-2-6-three-wise-monkeys/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5157", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": 
"keyword"}], "risk_score": 47, "rule_id": "92d3a04e-6487-4b62-892d-70e640a590dc", "setup": "\nThe 'Filtering Platform Connection' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nFiltering Platform Connection (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "type": "eql", "version": 1}, "id": "92d3a04e-6487-4b62-892d-70e640a590dc_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/92d3a04e-6487-4b62-892d-70e640a590dc_2.json b/packages/security_detection_engine/kibana/security_rule/92d3a04e-6487-4b62-892d-70e640a590dc_2.json
deleted file mode 100644
index 8b0559a2ab7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/92d3a04e-6487-4b62-892d-70e640a590dc_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies multiple Windows Filtering Platform block events and where the process name is related to an endpoint security software. Adversaries may add malicious WFP rules to prevent Endpoint security from sending telemetry.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "logs-system.security-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Evasion via Windows Filtering Platform", "query": "sequence by winlog.computer_name with maxspan=1m\n [network where host.os.type == \"windows\" and \n event.action : (\"windows-firewall-packet-block\", \"windows-firewall-packet-drop\") and \n process.name : (\n \"bdagent.exe\", \"bdreinit.exe\", \"pdscan.exe\", \"pdiface.exe\", \"BDSubWiz.exe\", \"ProductAgentService.exe\",\n \"ProductAgentUI.exe\", \"WatchDog.exe\", \"CarbonBlackClientSetup.exe\", \"TrGUI.exe\", \"TracCAPI.exe\", \"cpmsi_tool.exe\",\n \"trac.exe\", \"vna_install64.exe\", \"vna_utils.exe\", \"TracSrvWrapper.exe\", \"vsmon.exe\", \"p95tray.exe\",\n \"CybereasonRansomFreeServiceHost.exe\", \"CrAmTray.exe\", \"minionhost.exe\", \"CybereasonSensor.exe\", \"CylanceUI.exe\",\n \"CylanceProtectSetup.exe\", \"cylancesvc.exe\", \"cyupdate.exe\", \"elastic-agent.exe\", \"elastic-endpoint.exe\",\n \"egui.exe\", \"minodlogin.exe\", \"emu-rep.exe\", \"emu_install.exe\", \"emu-cci.exe\", \"emu-gui.exe\", \"emu-uninstall.exe\",\n \"ndep.exe\", \"spike.exe\", \"ecls.exe\", \"ecmd.exe\", \"ecomserver.exe\", \"eeclnt.exe\", \"eh64.exe\", \"EHttpSrv.exe\",\n \"xagt.exe\", \"collectoragent.exe\", \"FSAEConfig.exe\", \"uninstalldcagent.exe\", \"rmon.exe\", \"fccomint.exe\",\n \"fclanguageselector.exe\", \"fortifw.exe\", \"fcreg.exe\", \"fortitray.exe\", \"fcappdb.exe\", \"fcwizard.exe\", \"submitv.exe\",\n \"av_task.exe\", \"fortiwf.exe\", \"fortiwadbd.exe\", \"fcauth.exe\", \"fcdblog.exe\", \"fcmgr.exe\", \"fortiwad.exe\",\n \"fortiproxy.exe\", \"fortiscand.exe\", 
\"fortivpnst.exe\", \"ipsec.exe\", \"fcwscd7.exe\", \"fcasc.exe\", \"fchelper.exe\",\n \"forticlient.exe\",\"fcwsc.exe\", \"FortiClient.exe\", \"fmon.exe\", \"FSSOMA.exe\", \"FCVbltScan.exe\", \"FortiESNAC.exe\",\n \"EPCUserAvatar.exe\", \"FortiAvatar.exe\", \"FortiClient_Diagnostic_Tool.exe\", \"FortiSSLVPNdaemon.exe\", \"avp.exe\",\n \"FCConfig.exe\", \"avpsus.exe\", \"klnagent.exe\", \"klnsacwsrv.exe\", \"kl_platf.exe\", \"stpass.exe\", \"klnagwds.exe\",\n \"mbae.exe\", \"mbae64.exe\", \"mbae-svc.exe\", \"mbae-uninstaller.exe\", \"mbaeLoader32.exe\", \"mbaeloader64.exe\",\n \"mbam-dor.exe\", \"mbamgui.exe\", \"mbamservice.exe\", \"mbamtrayctrl.exe\", \"mbampt.exe\", \"mbamscheduler.exe\",\n \"Coreinst.exe\", \"mbae-setup.exe\", \"mcupdate.exe\", \"ProtectedModuleHost.exe\", \"ESConfigTool.exe\", \"FWInstCheck.exe\",\n \"FwWindowsFirewallHandler.exe\", \"mfeesp.exe\", \"mfefw.exe\", \"mfeProvisionModeUtility.exe\", \"mfetp.exe\", \"avpui.exe\", \n \"WscAVExe.exe\", \"mcshield.exe\", \"McChHost.exe\", \"mfewc.exe\", \"mfewch.exe\", \"mfewcui.exe\", \"fwinfo.exe\",\n \"mfecanary.exe\", \"mfefire.exe\", \"mfehidin.exe\", \"mfemms.exe\", \"mfevtps.exe\", \"mmsinfo.exe\", \"vtpinfo.exe\",\n \"MarSetup.exe\", \"mctray.exe\", \"masvc.exe\", \"macmnsvc.exe\", \"McAPExe.exe\", \"McPvTray.exe\", \"mcods.exe\",\n \"mcuicnt.exe\", \"mcuihost.exe\", \"xtray.exe\", \"McpService.exe\", \"epefprtrainer.exe\", \"mfeffcoreservice.exe\",\n \"MfeEpeSvc.exe\", \"qualysagent.exe\", \"QualysProxy.exe\", \"QualysAgentUI.exe\", \"SVRTgui.exe\", \"SVRTcli.exe\",\n \"SVRTcli.exe\", \"SVRTgui.exe\", \"SCTCleanupService.exe\", \"SVRTservice.exe\", \"native.exe\", \"SCTBootTasks.exe\",\n \"ALMon.exe\", \"SAA.exe\", \"SUMService.exe\", \"ssp.exe\", \"SCFService.exe\", \"SCFManager.exe\", \"spa.exe\", \"cabarc.exe\",\n \"sargui.exe\", \"sntpservice.exe\", \"McsClient.exe\", \"McsAgent.exe\", \"McsHeartbeat.exe\", \"SAVAdminService.exe\",\n \"sav32cli.exe\", \"ForceUpdateAlongSideSGN.exe\", 
\"SAVCleanupService.exe\", \"SavMain.exe\", \"SavProgress.exe\", \n \"SavProxy.exe\", \"SavService.exe\", \"swc_service.exe\", \"swi_di.exe\", \"swi_service.exe\", \"swi_filter.exe\",\n \"ALUpdate.exe\", \"SophosUpdate.exe\", \"ALsvc.exe\", \"SophosAlert.exe\", \"osCheck.exe\", \"N360Downloader.exe\",\n \"InstWrap.exe\", \"symbos.exe\", \"nss.exe\", \"symcorpui.exe\", \"isPwdSvc.exe\", \"ccsvchst.exe\", \"ntrmv.exe\",\n \"pccntmon.exe\", \"AosUImanager.exe\", \"NTRTScan.exe\", \"TMAS_OL.exe\", \"TMAS_OLImp.exe\", \"TMAS_OLSentry.exe\",\n \"ufnavi.exe\", \"Clnrbin.exe\", \"vizorhtmldialog.exe\", \"pwmConsole.exe\", \"PwmSvc.exe\", \"coreServiceShell.exe\",\n \"ds_agent.exe\", \"SfCtlCom.exe\", \"MBAMHelper.exe\", \"cb.exe\", \"smc.exe\", \"tda.exe\", \"xagtnotif.exe\", \"ekrn.exe\",\n \"dsa.exe\", \"Notifier.exe\", \"rphcp.exe\", \"lc_sensor.exe\", \"CSFalconService.exe\", \"CSFalconController.exe\",\n \"SenseSampleUploader.exe\", \"windefend.exe\", \"MSASCui.exe\", \"MSASCuiL.exe\", \"msmpeng.exe\", \"msmpsvc.exe\",\n \"MsSense.exe\", \"esensor.exe\", \"sentinelone.exe\", \"tmccsf.exe\", \"csfalconcontainer.exe\", \"sensecncproxy.exe\",\n \"splunk.exe\", \"sysmon.exe\", \"sysmon64.exe\", \"taniumclient.exe\"\n )] with runs=5\n", "references": ["https://github.com/dsnezhkov/shutter/tree/main", "https://github.com/netero1010/EDRSilencer/tree/main", "https://www.mdsec.co.uk/2023/09/nighthawk-0-2-6-three-wise-monkeys/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5157", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": 
"keyword"}], "risk_score": 47, "rule_id": "92d3a04e-6487-4b62-892d-70e640a590dc", "setup": "## Setup\n\nThe 'Filtering Platform Connection' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nFiltering Platform Connection (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "type": "eql", "version": 2}, "id": "92d3a04e-6487-4b62-892d-70e640a590dc_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/92d3a04e-6487-4b62-892d-70e640a590dc_3.json b/packages/security_detection_engine/kibana/security_rule/92d3a04e-6487-4b62-892d-70e640a590dc_3.json
deleted file mode 100644
index ff32804e963..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/92d3a04e-6487-4b62-892d-70e640a590dc_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies multiple Windows Filtering Platform block events and where the process name is related to an endpoint security software. Adversaries may add malicious WFP rules to prevent Endpoint security from sending telemetry.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.network-*", "logs-system.security-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Evasion via Windows Filtering Platform", "query": "sequence by winlog.computer_name with maxspan=1m\n [network where host.os.type == \"windows\" and \n event.action : (\"windows-firewall-packet-block\", \"windows-firewall-packet-drop\") and \n process.name : (\n \"bdagent.exe\", \"bdreinit.exe\", \"pdscan.exe\", \"pdiface.exe\", \"BDSubWiz.exe\", \"ProductAgentService.exe\",\n \"ProductAgentUI.exe\", \"WatchDog.exe\", \"CarbonBlackClientSetup.exe\", \"TrGUI.exe\", \"TracCAPI.exe\", \"cpmsi_tool.exe\",\n \"trac.exe\", \"vna_install64.exe\", \"vna_utils.exe\", \"TracSrvWrapper.exe\", \"vsmon.exe\", \"p95tray.exe\",\n \"CybereasonRansomFreeServiceHost.exe\", \"CrAmTray.exe\", \"minionhost.exe\", \"CybereasonSensor.exe\", \"CylanceUI.exe\",\n \"CylanceProtectSetup.exe\", \"cylancesvc.exe\", \"cyupdate.exe\", \"elastic-agent.exe\", \"elastic-endpoint.exe\",\n \"egui.exe\", \"minodlogin.exe\", \"emu-rep.exe\", \"emu_install.exe\", \"emu-cci.exe\", \"emu-gui.exe\", \"emu-uninstall.exe\",\n \"ndep.exe\", \"spike.exe\", \"ecls.exe\", \"ecmd.exe\", \"ecomserver.exe\", \"eeclnt.exe\", \"eh64.exe\", \"EHttpSrv.exe\",\n \"xagt.exe\", \"collectoragent.exe\", \"FSAEConfig.exe\", \"uninstalldcagent.exe\", \"rmon.exe\", \"fccomint.exe\",\n \"fclanguageselector.exe\", \"fortifw.exe\", \"fcreg.exe\", \"fortitray.exe\", \"fcappdb.exe\", \"fcwizard.exe\", \"submitv.exe\",\n \"av_task.exe\", \"fortiwf.exe\", \"fortiwadbd.exe\", \"fcauth.exe\", \"fcdblog.exe\", \"fcmgr.exe\", \"fortiwad.exe\",\n \"fortiproxy.exe\", 
\"fortiscand.exe\", \"fortivpnst.exe\", \"ipsec.exe\", \"fcwscd7.exe\", \"fcasc.exe\", \"fchelper.exe\",\n \"forticlient.exe\",\"fcwsc.exe\", \"FortiClient.exe\", \"fmon.exe\", \"FSSOMA.exe\", \"FCVbltScan.exe\", \"FortiESNAC.exe\",\n \"EPCUserAvatar.exe\", \"FortiAvatar.exe\", \"FortiClient_Diagnostic_Tool.exe\", \"FortiSSLVPNdaemon.exe\", \"avp.exe\",\n \"FCConfig.exe\", \"avpsus.exe\", \"klnagent.exe\", \"klnsacwsrv.exe\", \"kl_platf.exe\", \"stpass.exe\", \"klnagwds.exe\",\n \"mbae.exe\", \"mbae64.exe\", \"mbae-svc.exe\", \"mbae-uninstaller.exe\", \"mbaeLoader32.exe\", \"mbaeloader64.exe\",\n \"mbam-dor.exe\", \"mbamgui.exe\", \"mbamservice.exe\", \"mbamtrayctrl.exe\", \"mbampt.exe\", \"mbamscheduler.exe\",\n \"Coreinst.exe\", \"mbae-setup.exe\", \"mcupdate.exe\", \"ProtectedModuleHost.exe\", \"ESConfigTool.exe\", \"FWInstCheck.exe\",\n \"FwWindowsFirewallHandler.exe\", \"mfeesp.exe\", \"mfefw.exe\", \"mfeProvisionModeUtility.exe\", \"mfetp.exe\", \"avpui.exe\", \n \"WscAVExe.exe\", \"mcshield.exe\", \"McChHost.exe\", \"mfewc.exe\", \"mfewch.exe\", \"mfewcui.exe\", \"fwinfo.exe\",\n \"mfecanary.exe\", \"mfefire.exe\", \"mfehidin.exe\", \"mfemms.exe\", \"mfevtps.exe\", \"mmsinfo.exe\", \"vtpinfo.exe\",\n \"MarSetup.exe\", \"mctray.exe\", \"masvc.exe\", \"macmnsvc.exe\", \"McAPExe.exe\", \"McPvTray.exe\", \"mcods.exe\",\n \"mcuicnt.exe\", \"mcuihost.exe\", \"xtray.exe\", \"McpService.exe\", \"epefprtrainer.exe\", \"mfeffcoreservice.exe\",\n \"MfeEpeSvc.exe\", \"qualysagent.exe\", \"QualysProxy.exe\", \"QualysAgentUI.exe\", \"SVRTgui.exe\", \"SVRTcli.exe\",\n \"SVRTcli.exe\", \"SVRTgui.exe\", \"SCTCleanupService.exe\", \"SVRTservice.exe\", \"native.exe\", \"SCTBootTasks.exe\",\n \"ALMon.exe\", \"SAA.exe\", \"SUMService.exe\", \"ssp.exe\", \"SCFService.exe\", \"SCFManager.exe\", \"spa.exe\", \"cabarc.exe\",\n \"sargui.exe\", \"sntpservice.exe\", \"McsClient.exe\", \"McsAgent.exe\", \"McsHeartbeat.exe\", \"SAVAdminService.exe\",\n \"sav32cli.exe\", 
\"ForceUpdateAlongSideSGN.exe\", \"SAVCleanupService.exe\", \"SavMain.exe\", \"SavProgress.exe\", \n \"SavProxy.exe\", \"SavService.exe\", \"swc_service.exe\", \"swi_di.exe\", \"swi_service.exe\", \"swi_filter.exe\",\n \"ALUpdate.exe\", \"SophosUpdate.exe\", \"ALsvc.exe\", \"SophosAlert.exe\", \"osCheck.exe\", \"N360Downloader.exe\",\n \"InstWrap.exe\", \"symbos.exe\", \"nss.exe\", \"symcorpui.exe\", \"isPwdSvc.exe\", \"ccsvchst.exe\", \"ntrmv.exe\",\n \"pccntmon.exe\", \"AosUImanager.exe\", \"NTRTScan.exe\", \"TMAS_OL.exe\", \"TMAS_OLImp.exe\", \"TMAS_OLSentry.exe\",\n \"ufnavi.exe\", \"Clnrbin.exe\", \"vizorhtmldialog.exe\", \"pwmConsole.exe\", \"PwmSvc.exe\", \"coreServiceShell.exe\",\n \"ds_agent.exe\", \"SfCtlCom.exe\", \"MBAMHelper.exe\", \"cb.exe\", \"smc.exe\", \"tda.exe\", \"xagtnotif.exe\", \"ekrn.exe\",\n \"dsa.exe\", \"Notifier.exe\", \"rphcp.exe\", \"lc_sensor.exe\", \"CSFalconService.exe\", \"CSFalconController.exe\",\n \"SenseSampleUploader.exe\", \"windefend.exe\", \"MSASCui.exe\", \"MSASCuiL.exe\", \"msmpeng.exe\", \"msmpsvc.exe\",\n \"MsSense.exe\", \"esensor.exe\", \"sentinelone.exe\", \"tmccsf.exe\", \"csfalconcontainer.exe\", \"sensecncproxy.exe\",\n \"splunk.exe\", \"sysmon.exe\", \"sysmon64.exe\", \"taniumclient.exe\"\n )] with runs=5\n", "references": ["https://github.com/dsnezhkov/shutter/tree/main", "https://github.com/netero1010/EDRSilencer/tree/main", "https://www.mdsec.co.uk/2023/09/nighthawk-0-2-6-three-wise-monkeys/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5157", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": 
"winlog.computer_name", "type": "keyword"}], "risk_score": 47, "rule_id": "92d3a04e-6487-4b62-892d-70e640a590dc", "setup": "## Setup\n\nThe 'Filtering Platform Connection' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nFiltering Platform Connection (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "type": "eql", "version": 3}, "id": "92d3a04e-6487-4b62-892d-70e640a590dc_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/92d3a04e-6487-4b62-892d-70e640a590dc_4.json b/packages/security_detection_engine/kibana/security_rule/92d3a04e-6487-4b62-892d-70e640a590dc_4.json
deleted file mode 100644
index 39a2dedb6f1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/92d3a04e-6487-4b62-892d-70e640a590dc_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies multiple Windows Filtering Platform block events and where the process name is related to an endpoint security software. Adversaries may add malicious WFP rules to prevent Endpoint security from sending telemetry.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.network-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Evasion via Windows Filtering Platform", "query": "sequence by winlog.computer_name with maxspan=1m\n [network where host.os.type == \"windows\" and \n event.action : (\"windows-firewall-packet-block\", \"windows-firewall-packet-drop\") and \n process.name : (\n \"bdagent.exe\", \"bdreinit.exe\", \"pdscan.exe\", \"pdiface.exe\", \"BDSubWiz.exe\", \"ProductAgentService.exe\",\n \"ProductAgentUI.exe\", \"WatchDog.exe\", \"CarbonBlackClientSetup.exe\", \"TrGUI.exe\", \"TracCAPI.exe\", \"cpmsi_tool.exe\",\n \"trac.exe\", \"vna_install64.exe\", \"vna_utils.exe\", \"TracSrvWrapper.exe\", \"vsmon.exe\", \"p95tray.exe\",\n \"CybereasonRansomFreeServiceHost.exe\", \"CrAmTray.exe\", \"minionhost.exe\", \"CybereasonSensor.exe\", \"CylanceUI.exe\",\n \"CylanceProtectSetup.exe\", \"cylancesvc.exe\", \"cyupdate.exe\", \"elastic-agent.exe\", \"elastic-endpoint.exe\",\n \"egui.exe\", \"minodlogin.exe\", \"emu-rep.exe\", \"emu_install.exe\", \"emu-cci.exe\", \"emu-gui.exe\", \"emu-uninstall.exe\",\n \"ndep.exe\", \"spike.exe\", \"ecls.exe\", \"ecmd.exe\", \"ecomserver.exe\", \"eeclnt.exe\", \"eh64.exe\", \"EHttpSrv.exe\",\n \"xagt.exe\", \"collectoragent.exe\", \"FSAEConfig.exe\", \"uninstalldcagent.exe\", \"rmon.exe\", \"fccomint.exe\",\n \"fclanguageselector.exe\", \"fortifw.exe\", \"fcreg.exe\", \"fortitray.exe\", \"fcappdb.exe\", \"fcwizard.exe\", \"submitv.exe\",\n \"av_task.exe\", \"fortiwf.exe\", \"fortiwadbd.exe\", \"fcauth.exe\", \"fcdblog.exe\", \"fcmgr.exe\", \"fortiwad.exe\",\n \"fortiproxy.exe\", 
\"fortiscand.exe\", \"fortivpnst.exe\", \"ipsec.exe\", \"fcwscd7.exe\", \"fcasc.exe\", \"fchelper.exe\",\n \"forticlient.exe\",\"fcwsc.exe\", \"FortiClient.exe\", \"fmon.exe\", \"FSSOMA.exe\", \"FCVbltScan.exe\", \"FortiESNAC.exe\",\n \"EPCUserAvatar.exe\", \"FortiAvatar.exe\", \"FortiClient_Diagnostic_Tool.exe\", \"FortiSSLVPNdaemon.exe\", \"avp.exe\",\n \"FCConfig.exe\", \"avpsus.exe\", \"klnagent.exe\", \"klnsacwsrv.exe\", \"kl_platf.exe\", \"stpass.exe\", \"klnagwds.exe\",\n \"mbae.exe\", \"mbae64.exe\", \"mbae-svc.exe\", \"mbae-uninstaller.exe\", \"mbaeLoader32.exe\", \"mbaeloader64.exe\",\n \"mbam-dor.exe\", \"mbamgui.exe\", \"mbamservice.exe\", \"mbamtrayctrl.exe\", \"mbampt.exe\", \"mbamscheduler.exe\",\n \"Coreinst.exe\", \"mbae-setup.exe\", \"mcupdate.exe\", \"ProtectedModuleHost.exe\", \"ESConfigTool.exe\", \"FWInstCheck.exe\",\n \"FwWindowsFirewallHandler.exe\", \"mfeesp.exe\", \"mfefw.exe\", \"mfeProvisionModeUtility.exe\", \"mfetp.exe\", \"avpui.exe\", \n \"WscAVExe.exe\", \"mcshield.exe\", \"McChHost.exe\", \"mfewc.exe\", \"mfewch.exe\", \"mfewcui.exe\", \"fwinfo.exe\",\n \"mfecanary.exe\", \"mfefire.exe\", \"mfehidin.exe\", \"mfemms.exe\", \"mfevtps.exe\", \"mmsinfo.exe\", \"vtpinfo.exe\",\n \"MarSetup.exe\", \"mctray.exe\", \"masvc.exe\", \"macmnsvc.exe\", \"McAPExe.exe\", \"McPvTray.exe\", \"mcods.exe\",\n \"mcuicnt.exe\", \"mcuihost.exe\", \"xtray.exe\", \"McpService.exe\", \"epefprtrainer.exe\", \"mfeffcoreservice.exe\",\n \"MfeEpeSvc.exe\", \"qualysagent.exe\", \"QualysProxy.exe\", \"QualysAgentUI.exe\", \"SVRTgui.exe\", \"SVRTcli.exe\",\n \"SVRTcli.exe\", \"SVRTgui.exe\", \"SCTCleanupService.exe\", \"SVRTservice.exe\", \"native.exe\", \"SCTBootTasks.exe\",\n \"ALMon.exe\", \"SAA.exe\", \"SUMService.exe\", \"ssp.exe\", \"SCFService.exe\", \"SCFManager.exe\", \"spa.exe\", \"cabarc.exe\",\n \"sargui.exe\", \"sntpservice.exe\", \"McsClient.exe\", \"McsAgent.exe\", \"McsHeartbeat.exe\", \"SAVAdminService.exe\",\n \"sav32cli.exe\", 
\"ForceUpdateAlongSideSGN.exe\", \"SAVCleanupService.exe\", \"SavMain.exe\", \"SavProgress.exe\", \n \"SavProxy.exe\", \"SavService.exe\", \"swc_service.exe\", \"swi_di.exe\", \"swi_service.exe\", \"swi_filter.exe\",\n \"ALUpdate.exe\", \"SophosUpdate.exe\", \"ALsvc.exe\", \"SophosAlert.exe\", \"osCheck.exe\", \"N360Downloader.exe\",\n \"InstWrap.exe\", \"symbos.exe\", \"nss.exe\", \"symcorpui.exe\", \"isPwdSvc.exe\", \"ccsvchst.exe\", \"ntrmv.exe\",\n \"pccntmon.exe\", \"AosUImanager.exe\", \"NTRTScan.exe\", \"TMAS_OL.exe\", \"TMAS_OLImp.exe\", \"TMAS_OLSentry.exe\",\n \"ufnavi.exe\", \"Clnrbin.exe\", \"vizorhtmldialog.exe\", \"pwmConsole.exe\", \"PwmSvc.exe\", \"coreServiceShell.exe\",\n \"ds_agent.exe\", \"SfCtlCom.exe\", \"MBAMHelper.exe\", \"cb.exe\", \"smc.exe\", \"tda.exe\", \"xagtnotif.exe\", \"ekrn.exe\",\n \"dsa.exe\", \"Notifier.exe\", \"rphcp.exe\", \"lc_sensor.exe\", \"CSFalconService.exe\", \"CSFalconController.exe\",\n \"SenseSampleUploader.exe\", \"windefend.exe\", \"MSASCui.exe\", \"MSASCuiL.exe\", \"msmpeng.exe\", \"msmpsvc.exe\",\n \"MsSense.exe\", \"esensor.exe\", \"sentinelone.exe\", \"tmccsf.exe\", \"csfalconcontainer.exe\", \"sensecncproxy.exe\",\n \"splunk.exe\", \"sysmon.exe\", \"sysmon64.exe\", \"taniumclient.exe\"\n )] with runs=5\n", "references": ["https://github.com/dsnezhkov/shutter/tree/main", "https://github.com/netero1010/EDRSilencer/tree/main", "https://www.mdsec.co.uk/2023/09/nighthawk-0-2-6-three-wise-monkeys/", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5157", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5152"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": 
"winlog.computer_name", "type": "keyword"}], "risk_score": 47, "rule_id": "92d3a04e-6487-4b62-892d-70e640a590dc", "setup": "## Setup\n\nThe 'Filtering Platform Connection' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nFiltering Platform Connection (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "type": "eql", "version": 4}, "id": "92d3a04e-6487-4b62-892d-70e640a590dc_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726.json b/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726.json
deleted file mode 100644
index 650f953e56f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies when a user has assumed a role in AWS Security Token Service (STS). Users can assume a role to obtain temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege escalation.", "false_positives": ["AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes.", "Applications integrated with AWS might assume roles to access AWS resources.", "Automated workflows might assume roles to perform periodic tasks such as data backups, updates, or deployments."], "history_window_start": "now-10d", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS STS Temporary Credentials via AssumeRole", "new_terms_fields": ["user.id", "aws.cloudtrail.flattened.request_parameters.roleArn"], "note": "", "query": "event.dataset:aws.cloudtrail\n and event.provider:sts.amazonaws.com\n and event.action:AssumeRole*\n and event.outcome:success\n and user.id:*\n", "references": ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "93075852-b0f5-4b8b-89c3-a226efae5726", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Use Case: Identity and Access Audit", "Tactic: Privilege 
Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 208}, "id": "93075852-b0f5-4b8b-89c3-a226efae5726", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_102.json b/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_102.json deleted file mode 100644 index 14fb5942222..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.", "false_positives": ["Automated processes that use Terraform may lead to false positives."], "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS Security Token Service (STS) AssumeRole Usage", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and\naws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.user_identity.session_context.session_issuer.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "93075852-b0f5-4b8b-89c3-a226efae5726", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "93075852-b0f5-4b8b-89c3-a226efae5726_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_103.json b/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_103.json deleted file mode 100644 index f380a509747..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.", "false_positives": ["Automated processes that use Terraform may lead to false positives."], "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS Security Token Service (STS) AssumeRole Usage", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and\naws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.user_identity.session_context.session_issuer.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "93075852-b0f5-4b8b-89c3-a226efae5726", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}, {"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "93075852-b0f5-4b8b-89c3-a226efae5726_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_104.json b/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_104.json deleted file mode 100644 index b1ecad673c5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.", "false_positives": ["Automated processes that use Terraform may lead to false positives."], "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS Security Token Service (STS) AssumeRole Usage", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and\naws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.user_identity.session_context.session_issuer.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "93075852-b0f5-4b8b-89c3-a226efae5726", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}, {"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "93075852-b0f5-4b8b-89c3-a226efae5726_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_205.json b/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_205.json deleted file mode 100644 index 8fd2da4e728..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.", "false_positives": ["Automated processes that use Terraform may lead to false positives."], "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS Security Token Service (STS) AssumeRole Usage", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and\naws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.user_identity.session_context.session_issuer.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "93075852-b0f5-4b8b-89c3-a226efae5726", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}, {"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "93075852-b0f5-4b8b-89c3-a226efae5726_205", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_206.json b/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_206.json deleted file mode 100644 index 03ffa02af48..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_206.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.", "false_positives": ["Automated processes that use Terraform may lead to false positives."], "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS Security Token Service (STS) AssumeRole Usage", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and\naws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.user_identity.session_context.session_issuer.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "93075852-b0f5-4b8b-89c3-a226efae5726", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": 
"https://attack.mitre.org/techniques/T1548/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "93075852-b0f5-4b8b-89c3-a226efae5726_206", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_207.json b/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_207.json deleted file mode 100644 index 63a38f85400..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_207.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges.", "false_positives": ["Automated processes that use Terraform may lead to false positives."], "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS Security Token Service (STS) AssumeRole Usage", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumeRole and\naws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.user_identity.session_context.session_issuer.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "93075852-b0f5-4b8b-89c3-a226efae5726", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": 
"https://attack.mitre.org/techniques/T1548/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "93075852-b0f5-4b8b-89c3-a226efae5726_207", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_208.json b/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_208.json deleted file mode 100644 index 39ec2e367b4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/93075852-b0f5-4b8b-89c3-a226efae5726_208.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies when a user has assumed a role in AWS Security Token Service (STS). Users can assume a role to obtain temporary credentials and access AWS resources. Adversaries can use this technique for credential access and privilege escalation.", "false_positives": ["AWS administrators or automated processes might regularly assume roles for legitimate administrative purposes.", "Applications integrated with AWS might assume roles to access AWS resources.", "Automated workflows might assume roles to perform periodic tasks such as data backups, updates, or deployments."], "history_window_start": "now-10d", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS STS Temporary Credentials via AssumeRole", "new_terms_fields": ["user.id", "aws.cloudtrail.flattened.request_parameters.roleArn"], "note": "", "query": "event.dataset:aws.cloudtrail\n and event.provider:sts.amazonaws.com\n and event.action:AssumeRole*\n and event.outcome:success\n and user.id:*\n", "references": ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "93075852-b0f5-4b8b-89c3-a226efae5726", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Use Case: Identity and Access Audit", "Tactic: Privilege 
Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 208}, "id": "93075852-b0f5-4b8b-89c3-a226efae5726_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4.json b/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4.json deleted file mode 100644 index 813d8a22fa4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.", "from": "now-9m", "history_window_start": "now-7d", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Sudoers File Modification", "new_terms_fields": ["host.id", "process.executable", "file.path"], "query": "event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*) and\nnot process.name:(dpkg or platform-python or puppet or yum or dnf) and \nnot process.executable:(/opt/chef/embedded/bin/ruby or /opt/puppetlabs/puppet/bin/ruby or /usr/bin/dockerd)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 204}, "id": 
"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_101.json b/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_101.json deleted file mode 100644 index 2e9d26927ab..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Sudoers File Modification", "query": "event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}], "risk_score": 47, "rule_id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_102.json b/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_102.json deleted file mode 100644 index db5ebcef035..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_102.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Sudoers File Modification", "query": "event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}], "risk_score": 47, "rule_id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_103.json b/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_103.json deleted file mode 100644 index 58839a61ff8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_103.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Sudoers File Modification", "query": "event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}], "risk_score": 47, "rule_id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_203.json b/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_203.json
deleted file mode 100644
index 3a8e469736b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_203.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.", "from": "now-9m", "history_window_start": "now-7d", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Sudoers File Modification", "new_terms_fields": ["host.id", "process.executable", "file.path"], "query": "event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}], "risk_score": 47, "rule_id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 203}, "id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_203", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_204.json b/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_204.json
deleted file mode 100644
index 52c04f91111..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_204.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.", "from": "now-9m", "history_window_start": "now-7d", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Sudoers File Modification", "new_terms_fields": ["host.id", "process.executable", "file.path"], "query": "event.category:file and event.type:change and file.path:(/etc/sudoers* or /private/etc/sudoers*) and\nnot process.name:(dpkg or platform-python or puppet or yum or dnf) and \nnot process.executable:(/opt/chef/embedded/bin/ruby or /opt/puppetlabs/puppet/bin/ruby or /usr/bin/dockerd)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 204}, "id": 
"931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4_204", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872.json b/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872.json
deleted file mode 100644
index 9fc4c814fd1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Flow log deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS VPC Flow Logs Deletion", "note": "## Triage and analysis\n\n### Investigating AWS VPC Flow Logs Deletion\n\nVPC Flow Logs is an AWS feature that enables you to capture information about the IP traffic going to and from network interfaces in your virtual private cloud (VPC). Flow log data can be published to Amazon CloudWatch Logs or Amazon S3.\n\nThis rule identifies the deletion of VPC flow logs using the API `DeleteFlowLogs` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n- Administrators may rotate these logs after a certain period as part of their retention policy or after importing them to a SIEM.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with 
your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": 
"keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "9395fd2c-9947-4472-86ef-4aceb2f7e872", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "9395fd2c-9947-4472-86ef-4aceb2f7e872", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_105.json b/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_105.json
deleted file mode 100644
index 3cd9d1b5a88..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Flow log deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS VPC Flow Logs Deletion", "note": "## Triage and analysis\n\n### Investigating AWS VPC Flow Logs Deletion\n\nVPC Flow Logs is an AWS feature that enables you to capture information about the IP traffic going to and from network interfaces in your virtual private cloud (VPC). Flow log data can be published to Amazon CloudWatch Logs or Amazon S3.\n\nThis rule identifies the deletion of VPC flow logs using the API `DeleteFlowLogs` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n- Administrators may rotate these logs after a certain period as part of their retention policy or after importing them to a SIEM.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with 
your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": 
"keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "9395fd2c-9947-4472-86ef-4aceb2f7e872", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Log Auditing", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "9395fd2c-9947-4472-86ef-4aceb2f7e872_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_106.json b/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_106.json
deleted file mode 100644
index 36b3b6a24dc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Flow log deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS VPC Flow Logs Deletion", "note": "## Triage and analysis\n\n### Investigating AWS VPC Flow Logs Deletion\n\nVPC Flow Logs is an AWS feature that enables you to capture information about the IP traffic going to and from network interfaces in your virtual private cloud (VPC). Flow log data can be published to Amazon CloudWatch Logs or Amazon S3.\n\nThis rule identifies the deletion of VPC flow logs using the API `DeleteFlowLogs` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n- Administrators may rotate these logs after a certain period as part of their retention policy or after importing them to a SIEM.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with 
your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": 
"keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "9395fd2c-9947-4472-86ef-4aceb2f7e872", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "9395fd2c-9947-4472-86ef-4aceb2f7e872_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_107.json b/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_107.json
deleted file mode 100644
index f72e8939299..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Flow log deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS VPC Flow Logs Deletion", "note": "## Triage and analysis\n\n### Investigating AWS VPC Flow Logs Deletion\n\nVPC Flow Logs is an AWS feature that enables you to capture information about the IP traffic going to and from network interfaces in your virtual private cloud (VPC). Flow log data can be published to Amazon CloudWatch Logs or Amazon S3.\n\nThis rule identifies the deletion of VPC flow logs using the API `DeleteFlowLogs` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n- Administrators may rotate these logs after a certain period as part of their retention policy or after importing them to a SIEM.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with 
your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": 
"keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "9395fd2c-9947-4472-86ef-4aceb2f7e872", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "9395fd2c-9947-4472-86ef-4aceb2f7e872_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_208.json b/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_208.json
deleted file mode 100644
index c9687187dd4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9395fd2c-9947-4472-86ef-4aceb2f7e872_208.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Flow log deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS VPC Flow Logs Deletion", "note": "## Triage and analysis\n\n### Investigating AWS VPC Flow Logs Deletion\n\nVPC Flow Logs is an AWS feature that enables you to capture information about the IP traffic going to and from network interfaces in your virtual private cloud (VPC). Flow log data can be published to Amazon CloudWatch Logs or Amazon S3.\n\nThis rule identifies the deletion of VPC flow logs using the API `DeleteFlowLogs` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on this source.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n- Administrators may rotate these logs after a certain period as part of their retention policy or after importing them to a SIEM.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with 
your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DeleteFlowLogs and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": 
"keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "9395fd2c-9947-4472-86ef-4aceb2f7e872", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 208}, "id": "9395fd2c-9947-4472-86ef-4aceb2f7e872_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4.json b/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4.json deleted file mode 100644 index ded75153bec..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs.", "false_positives": ["Trusted SolarWinds child processes, verify process details such as network connections and file writes."], "from": "now-9m", "index": ["logs-endpoint.events.process-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious SolarWinds Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name: (\"SolarWinds.BusinessLayerHost.exe\", \"SolarWinds.BusinessLayerHostx64.exe\") and\n not (\n process.name : (\n \"APMServiceControl*.exe\",\n \"ExportToPDFCmd*.Exe\",\n \"SolarWinds.Credentials.Orion.WebApi*.exe\",\n \"SolarWinds.Orion.Topology.Calculator*.exe\",\n \"Database-Maint.exe\",\n \"SolarWinds.Orion.ApiPoller.Service.exe\",\n \"WerFault.exe\",\n \"WerMgr.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\",\n \"SolarWinds.Topology.Calculator.exe\",\n \"SolarWinds.Topology.Calculatorx64.exe\",\n \"SolarWinds.APM.RealTimeProcessPoller.exe\") and\n process.code_signature.trusted == true\n ) and\n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\ARP.EXE\", \"?:\\\\Windows\\\\SysWOW64\\\\lodctr.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\unlodctr.exe\")\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": 
"boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "93b22c0a-06a0-4131-b830-b10d5e166ff4", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "93b22c0a-06a0-4131-b830-b10d5e166ff4", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_104.json b/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_104.json
deleted file mode 100644
index 00025e97d92..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs.", "false_positives": ["Trusted SolarWinds child processes, verify process details such as network connections and file writes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious SolarWinds Child Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name: (\"SolarWinds.BusinessLayerHost.exe\", \"SolarWinds.BusinessLayerHostx64.exe\") and\n not process.name : (\n \"APMServiceControl*.exe\",\n \"ExportToPDFCmd*.Exe\",\n \"SolarWinds.Credentials.Orion.WebApi*.exe\",\n \"SolarWinds.Orion.Topology.Calculator*.exe\",\n \"Database-Maint.exe\",\n \"SolarWinds.Orion.ApiPoller.Service.exe\",\n \"WerFault.exe\",\n \"WerMgr.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\ARP.EXE\", \"?:\\\\Windows\\\\SysWOW64\\\\lodctr.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\unlodctr.exe\")\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": 
"keyword"}], "risk_score": 47, "rule_id": "93b22c0a-06a0-4131-b830-b10d5e166ff4", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "93b22c0a-06a0-4131-b830-b10d5e166ff4_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_105.json b/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_105.json deleted file mode 100644 index b3763350f34..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs.", "false_positives": ["Trusted SolarWinds child processes, verify process details such as network connections and file writes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious SolarWinds Child Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name: (\"SolarWinds.BusinessLayerHost.exe\", \"SolarWinds.BusinessLayerHostx64.exe\") and\n not process.name : (\n \"APMServiceControl*.exe\",\n \"ExportToPDFCmd*.Exe\",\n \"SolarWinds.Credentials.Orion.WebApi*.exe\",\n \"SolarWinds.Orion.Topology.Calculator*.exe\",\n \"Database-Maint.exe\",\n \"SolarWinds.Orion.ApiPoller.Service.exe\",\n \"WerFault.exe\",\n \"WerMgr.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\ARP.EXE\", \"?:\\\\Windows\\\\SysWOW64\\\\lodctr.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\unlodctr.exe\")\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": 
"keyword"}], "risk_score": 47, "rule_id": "93b22c0a-06a0-4131-b830-b10d5e166ff4", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "93b22c0a-06a0-4131-b830-b10d5e166ff4_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_106.json b/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_106.json deleted file mode 100644 index 16383a24ed8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs.", "false_positives": ["Trusted SolarWinds child processes, verify process details such as network connections and file writes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious SolarWinds Child Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name: (\"SolarWinds.BusinessLayerHost.exe\", \"SolarWinds.BusinessLayerHostx64.exe\") and\n not process.name : (\n \"APMServiceControl*.exe\",\n \"ExportToPDFCmd*.Exe\",\n \"SolarWinds.Credentials.Orion.WebApi*.exe\",\n \"SolarWinds.Orion.Topology.Calculator*.exe\",\n \"Database-Maint.exe\",\n \"SolarWinds.Orion.ApiPoller.Service.exe\",\n \"WerFault.exe\",\n \"WerMgr.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\ARP.EXE\", \"?:\\\\Windows\\\\SysWOW64\\\\lodctr.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\unlodctr.exe\")\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": 
"keyword"}], "risk_score": 47, "rule_id": "93b22c0a-06a0-4131-b830-b10d5e166ff4", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "93b22c0a-06a0-4131-b830-b10d5e166ff4_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_107.json b/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_107.json deleted file mode 100644 index 6481175500f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs.", "false_positives": ["Trusted SolarWinds child processes, verify process details such as network connections and file writes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious SolarWinds Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name: (\"SolarWinds.BusinessLayerHost.exe\", \"SolarWinds.BusinessLayerHostx64.exe\") and\n not process.name : (\n \"APMServiceControl*.exe\",\n \"ExportToPDFCmd*.Exe\",\n \"SolarWinds.Credentials.Orion.WebApi*.exe\",\n \"SolarWinds.Orion.Topology.Calculator*.exe\",\n \"Database-Maint.exe\",\n \"SolarWinds.Orion.ApiPoller.Service.exe\",\n \"WerFault.exe\",\n \"WerMgr.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\ARP.EXE\", \"?:\\\\Windows\\\\SysWOW64\\\\lodctr.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\unlodctr.exe\")\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], 
"risk_score": 47, "rule_id": "93b22c0a-06a0-4131-b830-b10d5e166ff4", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "93b22c0a-06a0-4131-b830-b10d5e166ff4_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_108.json b/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_108.json deleted file mode 100644 index 3fd57014cbc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs.", "false_positives": ["Trusted SolarWinds child processes, verify process details such as network connections and file writes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious SolarWinds Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name: (\"SolarWinds.BusinessLayerHost.exe\", \"SolarWinds.BusinessLayerHostx64.exe\") and\n not (\n process.name : (\n \"APMServiceControl*.exe\",\n \"ExportToPDFCmd*.Exe\",\n \"SolarWinds.Credentials.Orion.WebApi*.exe\",\n \"SolarWinds.Orion.Topology.Calculator*.exe\",\n \"Database-Maint.exe\",\n \"SolarWinds.Orion.ApiPoller.Service.exe\",\n \"WerFault.exe\",\n \"WerMgr.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\",\n \"SolarWinds.Topology.Calculator.exe\",\n \"SolarWinds.Topology.Calculatorx64.exe\",\n \"SolarWinds.APM.RealTimeProcessPoller.exe\") and\n process.code_signature.trusted == true\n ) and\n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\ARP.EXE\", \"?:\\\\Windows\\\\SysWOW64\\\\lodctr.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\unlodctr.exe\")\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, 
{"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "93b22c0a-06a0-4131-b830-b10d5e166ff4", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "93b22c0a-06a0-4131-b830-b10d5e166ff4_108", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_109.json b/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_109.json
deleted file mode 100644
index f2b9499b349..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs.", "false_positives": ["Trusted SolarWinds child processes, verify process details such as network connections and file writes."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious SolarWinds Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name: (\"SolarWinds.BusinessLayerHost.exe\", \"SolarWinds.BusinessLayerHostx64.exe\") and\n not (\n process.name : (\n \"APMServiceControl*.exe\",\n \"ExportToPDFCmd*.Exe\",\n \"SolarWinds.Credentials.Orion.WebApi*.exe\",\n \"SolarWinds.Orion.Topology.Calculator*.exe\",\n \"Database-Maint.exe\",\n \"SolarWinds.Orion.ApiPoller.Service.exe\",\n \"WerFault.exe\",\n \"WerMgr.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\",\n \"SolarWinds.Topology.Calculator.exe\",\n \"SolarWinds.Topology.Calculatorx64.exe\",\n \"SolarWinds.APM.RealTimeProcessPoller.exe\") and\n process.code_signature.trusted == true\n ) and\n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\ARP.EXE\", \"?:\\\\Windows\\\\SysWOW64\\\\lodctr.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\unlodctr.exe\")\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, 
{"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "93b22c0a-06a0-4131-b830-b10d5e166ff4", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "93b22c0a-06a0-4131-b830-b10d5e166ff4_109", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_110.json b/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_110.json
deleted file mode 100644
index 798ade2ec05..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/93b22c0a-06a0-4131-b830-b10d5e166ff4_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs.", "false_positives": ["Trusted SolarWinds child processes, verify process details such as network connections and file writes."], "from": "now-9m", "index": ["logs-endpoint.events.process-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious SolarWinds Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name: (\"SolarWinds.BusinessLayerHost.exe\", \"SolarWinds.BusinessLayerHostx64.exe\") and\n not (\n process.name : (\n \"APMServiceControl*.exe\",\n \"ExportToPDFCmd*.Exe\",\n \"SolarWinds.Credentials.Orion.WebApi*.exe\",\n \"SolarWinds.Orion.Topology.Calculator*.exe\",\n \"Database-Maint.exe\",\n \"SolarWinds.Orion.ApiPoller.Service.exe\",\n \"WerFault.exe\",\n \"WerMgr.exe\",\n \"SolarWinds.BusinessLayerHost.exe\",\n \"SolarWinds.BusinessLayerHostx64.exe\",\n \"SolarWinds.Topology.Calculator.exe\",\n \"SolarWinds.Topology.Calculatorx64.exe\",\n \"SolarWinds.APM.RealTimeProcessPoller.exe\") and\n process.code_signature.trusted == true\n ) and\n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\ARP.EXE\", \"?:\\\\Windows\\\\SysWOW64\\\\lodctr.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\unlodctr.exe\")\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": 
"boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "93b22c0a-06a0-4131-b830-b10d5e166ff4", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "93b22c0a-06a0-4131-b830-b10d5e166ff4_110", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1.json b/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1.json
deleted file mode 100644
index 30c9bc66747..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry write modifications to hide an encoded portable executable. This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Encoded Executable Stored in the Registry", "query": "registry where host.os.type == \"windows\" and\n/* update here with encoding combinations */\n registry.data.strings : \"TVqQAAMAAAAEAAAA*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}], "risk_score": 47, "rule_id": "93c1ce76-494c-4f01-8167-35edfb52f7b1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 310}, "id": "93c1ce76-494c-4f01-8167-35edfb52f7b1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_103.json b/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_103.json deleted file mode 100644 index b243e7709b8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_103.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry write modifications to hide an encoded portable executable. This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Encoded Executable Stored in the Registry", "query": "registry where host.os.type == \"windows\" and\n/* update here with encoding combinations */\n registry.data.strings : \"TVqQAAMAAAAEAAAA*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}], "risk_score": 47, "rule_id": "93c1ce76-494c-4f01-8167-35edfb52f7b1", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "93c1ce76-494c-4f01-8167-35edfb52f7b1_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_104.json b/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_104.json
deleted file mode 100644
index c29a08dd947..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry write modifications to hide an encoded portable executable. This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Encoded Executable Stored in the Registry", "query": "registry where host.os.type == \"windows\" and\n/* update here with encoding combinations */\n registry.data.strings : \"TVqQAAMAAAAEAAAA*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}], "risk_score": 47, "rule_id": "93c1ce76-494c-4f01-8167-35edfb52f7b1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "93c1ce76-494c-4f01-8167-35edfb52f7b1_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_105.json b/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_105.json deleted file mode 100644 index 95794d5732e..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_105.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry write modifications to hide an encoded portable executable. This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Encoded Executable Stored in the Registry", "query": "registry where host.os.type == \"windows\" and\n/* update here with encoding combinations */\n registry.data.strings : \"TVqQAAMAAAAEAAAA*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}], "risk_score": 47, "rule_id": "93c1ce76-494c-4f01-8167-35edfb52f7b1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "93c1ce76-494c-4f01-8167-35edfb52f7b1_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_106.json b/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_106.json
deleted file mode 100644
index f77dc845c64..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry write modifications to hide an encoded portable executable. This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Encoded Executable Stored in the Registry", "query": "registry where host.os.type == \"windows\" and\n/* update here with encoding combinations */\n registry.data.strings : \"TVqQAAMAAAAEAAAA*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}], "risk_score": 47, "rule_id": "93c1ce76-494c-4f01-8167-35edfb52f7b1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "93c1ce76-494c-4f01-8167-35edfb52f7b1_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_107.json b/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_107.json deleted file mode 100644 index 0d1087cedae..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_107.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry write modifications to hide an encoded portable executable. This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Encoded Executable Stored in the Registry", "query": "registry where host.os.type == \"windows\" and\n/* update here with encoding combinations */\n registry.data.strings : \"TVqQAAMAAAAEAAAA*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}], "risk_score": 47, "rule_id": "93c1ce76-494c-4f01-8167-35edfb52f7b1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "93c1ce76-494c-4f01-8167-35edfb52f7b1_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_208.json b/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_208.json
deleted file mode 100644
index 74620a6dbec..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_208.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry write modifications to hide an encoded portable executable. This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Encoded Executable Stored in the Registry", "query": "registry where host.os.type == \"windows\" and\n/* update here with encoding combinations */\n registry.data.strings : \"TVqQAAMAAAAEAAAA*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}], "risk_score": 47, "rule_id": "93c1ce76-494c-4f01-8167-35edfb52f7b1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 208}, "id": "93c1ce76-494c-4f01-8167-35edfb52f7b1_208", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_309.json b/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_309.json
deleted file mode 100644
index 860e9eea54a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_309.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry write modifications to hide an encoded portable executable. This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Encoded Executable Stored in the Registry", "query": "registry where host.os.type == \"windows\" and\n/* update here with encoding combinations */\n registry.data.strings : \"TVqQAAMAAAAEAAAA*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}], "risk_score": 47, "rule_id": "93c1ce76-494c-4f01-8167-35edfb52f7b1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 309}, "id": "93c1ce76-494c-4f01-8167-35edfb52f7b1_309", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_310.json b/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_310.json
deleted file mode 100644
index e27c1bba0ad..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/93c1ce76-494c-4f01-8167-35edfb52f7b1_310.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry write modifications to hide an encoded portable executable. This could be indicative of adversary defense evasion by avoiding the storing of malicious content directly on disk.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Encoded Executable Stored in the Registry", "query": "registry where host.os.type == \"windows\" and\n/* update here with encoding combinations */\n registry.data.strings : \"TVqQAAMAAAAEAAAA*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}], "risk_score": 47, "rule_id": "93c1ce76-494c-4f01-8167-35edfb52f7b1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 310}, "id": "93c1ce76-494c-4f01-8167-35edfb52f7b1_310", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf.json b/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf.json
deleted file mode 100644
index 74d62195724..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a custom admin role is deleted. An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators.", "false_positives": ["Google Workspace admin roles may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Admin Role Deletion", "note": "## Triage and analysis\n\n### Investigating Google Workspace Admin Role Deletion\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where further domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred.\n\nDeleted administrator roles may render some user accounts inaccessible or cause operational failure where these roles are relied upon to perform daily administrative tasks. The deletion of roles may also hinder the response and remediation actions of administrators responding to security-related alerts and events. 
Without specific roles assigned, users will inherit the permissions and privileges of the root organizational unit.\n\nThis rule identifies when a Google Workspace administrative role is deleted within the Google Admin console.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- Identify the role deleted by reviewing `google_workspace.admin.role.name` in the alert.\n- With the user identified, verify if he has administrative privileges to disable or delete administrative roles.\n- To identify other users affected by this role removed, search for `event.action: ASSIGN_ROLE`.\n - Add `google_workspace.admin.role.name` with the role deleted as an additional filter.\n - Adjust the relative time accordingly to identify all users that were assigned this admin role.\n\n### False positive analysis\n\n- After identifying the user account that disabled the admin role, verify the action was intentional.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Discuss with the user the affected users as a result of this action to mitigate operational discrepencies.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE\n", "references": ["https://support.google.com/a/answer/2406043?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Tactic: Impact", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_203.json b/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_203.json deleted file mode 100644 index a82bf943002..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_203.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when a custom admin role is deleted. An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators.", "false_positives": ["Google Workspace admin roles may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Admin Role Deletion", "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE\n", "references": ["https://support.google.com/a/answer/2406043?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Identity and Access", "Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 203}, "id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf_203", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_204.json b/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_204.json
deleted file mode 100644
index 09e45399e7c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_204.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when a custom admin role is deleted. An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators.", "false_positives": ["Google Workspace admin roles may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Admin Role Deletion", "note": "## Triage and analysis\n\n### Investigating Google Workspace Admin Role Deletion\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where further domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred.\n\nDeleted administrator roles may render some user accounts inaccessible or cause operational failure where these roles are relied upon to perform daily administrative tasks. The deletion of roles may also hinder the response and remediation actions of administrators responding to security-related alerts and events. 
Without specific roles assigned, users will inherit the permissions and privileges of the root organizational unit.\n\nThis rule identifies when a Google Workspace administrative role is deleted within the Google Admin console.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- Identify the role deleted by reviewing `google_workspace.admin.role.name` in the alert.\n- With the user identified, verify if he has administrative privileges to disable or delete administrative roles.\n- To identify other users affected by this role removed, search for `event.action: ASSIGN_ROLE`.\n - Add `google_workspace.admin.role.name` with the role deleted as an additional filter.\n - Adjust the relative time accordingly to identify all users that were assigned this admin role.\n\n### False positive analysis\n\n- After identifying the user account that disabled the admin role, verify the action was intentional.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Discuss with the user the affected users as a result of this action to mitigate operational discrepencies.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE\n", "references": ["https://support.google.com/a/answer/2406043?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Identity and Access", "Impact", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 204}, "id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf_204", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_205.json b/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_205.json
deleted file mode 100644
index 5c752b9f414..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/93e63c3e-4154-4fc6-9f86-b411e0987bbf_205.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when a custom admin role is deleted. An adversary may delete a custom admin role in order to impact the permissions or capabilities of system administrators.", "false_positives": ["Google Workspace admin roles may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Admin Role Deletion", "note": "## Triage and analysis\n\n### Investigating Google Workspace Admin Role Deletion\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where further domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred.\n\nDeleted administrator roles may render some user accounts inaccessible or cause operational failure where these roles are relied upon to perform daily administrative tasks. The deletion of roles may also hinder the response and remediation actions of administrators responding to security-related alerts and events. 
Without specific roles assigned, users will inherit the permissions and privileges of the root organizational unit.\n\nThis rule identifies when a Google Workspace administrative role is deleted within the Google Admin console.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- Identify the role deleted by reviewing `google_workspace.admin.role.name` in the alert.\n- With the user identified, verify if he has administrative privileges to disable or delete administrative roles.\n- To identify other users affected by this role removed, search for `event.action: ASSIGN_ROLE`.\n - Add `google_workspace.admin.role.name` with the role deleted as an additional filter.\n - Adjust the relative time accordingly to identify all users that were assigned this admin role.\n\n### False positive analysis\n\n- After identifying the user account that disabled the admin role, verify the action was intentional.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Discuss with the user the affected users as a result of this action to mitigate operational discrepencies.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:DELETE_ROLE\n", "references": ["https://support.google.com/a/answer/2406043?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Tactic: Impact", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "93e63c3e-4154-4fc6-9f86-b411e0987bbf_205", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0.json b/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0.json
deleted file mode 100644
index 87aee5c367a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges.", "false_positives": ["Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes."], "from": "now-9m", "history_window_start": "now-7d", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of Standard Authentication Module or Configuration", "new_terms_fields": ["host.id", "process.executable", "file.path"], "query": "event.category:file and event.type:change and\n (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/* or /usr/lib64/security/*)) and\n process.executable:\n (* and\n not\n (\n /usr/libexec/packagekitd or\n /usr/bin/vim or\n /usr/libexec/xpcproxy or\n /usr/bin/bsdtar or\n /usr/local/bin/brew or\n \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\"\n )\n ) and\n not file.path:\n (\n /tmp/snap.rootfs_*/pam_*.so or\n /tmp/newroot/lib/*/pam_*.so or\n /private/var/folders/*/T/com.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*.so or\n /tmp/newroot/usr/lib64/security/pam_*.so\n ) and\n not process.name:\n (\n yum or dnf or rsync or platform-python or authconfig or rpm or pdkg or apk or dnf-automatic or btrfs or\n dpkg or pam-auth-update or steam or platform-python3.6 or pam-config or microdnf or yum_install or yum-cron or\n systemd or containerd or pacman\n )\n", "references": ["https://github.com/zephrax/linux-pam-backdoor", "https://github.com/eurialo/pambd", "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html", 
"https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "93f47b6f-5728-4004-ba00-625083b3dcb0", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 204}, "id": "93f47b6f-5728-4004-ba00-625083b3dcb0", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_101.json b/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_101.json
deleted file mode 100644
index 6264ec84b08..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_101.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges.", "false_positives": ["Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of Standard Authentication Module or Configuration", "query": "event.category:file and event.type:change and\n (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/*)) and\n process.executable:\n (* and\n not\n (\n /bin/yum or\n \"/usr/sbin/pam-auth-update\" or\n /usr/libexec/packagekitd or\n /usr/bin/dpkg or\n /usr/bin/vim or\n /usr/libexec/xpcproxy or\n /usr/bin/bsdtar or\n /usr/local/bin/brew or\n /usr/bin/rsync or\n /usr/bin/yum or\n /var/lib/docker/*/bin/yum or\n /var/lib/docker/*/bin/dpkg or\n ./merged/var/lib/docker/*/bin/dpkg or\n \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\"\n )\n ) and\n not file.path:\n (\n /tmp/snap.rootfs_*/pam_*.so or\n /tmp/newroot/lib/*/pam_*.so or\n /private/var/folders/*/T/com.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*.so or\n /tmp/newroot/usr/lib64/security/pam_*.so\n )\n", "references": ["https://github.com/zephrax/linux-pam-backdoor", "https://github.com/eurialo/pambd", "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html", "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": 
"keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "93f47b6f-5728-4004-ba00-625083b3dcb0", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Credential Access", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "93f47b6f-5728-4004-ba00-625083b3dcb0_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_102.json b/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_102.json
deleted file mode 100644
index 96aec1cd0b6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges.", "false_positives": ["Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of Standard Authentication Module or Configuration", "query": "event.category:file and event.type:change and\n (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/* or /usr/lib64/security/*)) and\n process.executable:\n (* and\n not\n (\n /bin/yum or\n \"/usr/sbin/pam-auth-update\" or\n /usr/libexec/packagekitd or\n /usr/bin/dpkg or\n /usr/bin/vim or\n /usr/libexec/xpcproxy or\n /usr/bin/bsdtar or\n /usr/local/bin/brew or\n /usr/bin/rsync or\n /usr/bin/yum or\n /var/lib/docker/*/bin/yum or\n /var/lib/docker/*/bin/dpkg or\n ./merged/var/lib/docker/*/bin/dpkg or\n \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\"\n )\n ) and\n not file.path:\n (\n /tmp/snap.rootfs_*/pam_*.so or\n /tmp/newroot/lib/*/pam_*.so or\n /private/var/folders/*/T/com.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*.so or\n /tmp/newroot/usr/lib64/security/pam_*.so\n )\n", "references": ["https://github.com/zephrax/linux-pam-backdoor", "https://github.com/eurialo/pambd", "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html", "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": 
"event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "93f47b6f-5728-4004-ba00-625083b3dcb0", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Credential Access", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "93f47b6f-5728-4004-ba00-625083b3dcb0_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_103.json b/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_103.json
deleted file mode 100644
index 45150caff15..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges.", "false_positives": ["Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of Standard Authentication Module or Configuration", "query": "event.category:file and event.type:change and\n (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/* or /usr/lib64/security/*)) and\n process.executable:\n (* and\n not\n (\n /bin/yum or\n \"/usr/sbin/pam-auth-update\" or\n /usr/libexec/packagekitd or\n /usr/bin/dpkg or\n /usr/bin/vim or\n /usr/libexec/xpcproxy or\n /usr/bin/bsdtar or\n /usr/local/bin/brew or\n /usr/bin/rsync or\n /usr/bin/yum or\n /var/lib/docker/*/bin/yum or\n /var/lib/docker/*/bin/dpkg or\n ./merged/var/lib/docker/*/bin/dpkg or\n \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\"\n )\n ) and\n not file.path:\n (\n /tmp/snap.rootfs_*/pam_*.so or\n /tmp/newroot/lib/*/pam_*.so or\n /private/var/folders/*/T/com.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*.so or\n /tmp/newroot/usr/lib64/security/pam_*.so\n )\n", "references": ["https://github.com/zephrax/linux-pam-backdoor", "https://github.com/eurialo/pambd", "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html", "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": 
"event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "93f47b6f-5728-4004-ba00-625083b3dcb0", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "93f47b6f-5728-4004-ba00-625083b3dcb0_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_104.json b/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_104.json
deleted file mode 100644
index 09297725e2b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/93f47b6f-5728-4004-ba00-625083b3dcb0_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may modify the standard authentication module for persistence via patching the normal authorization process or modifying the login configuration to allow unauthorized access or elevate privileges.", "false_positives": ["Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification of Standard Authentication Module or Configuration", "query": "event.category:file and event.type:change and\n (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/* or /usr/lib64/security/*)) and\n process.executable:\n (* and\n not\n (\n /bin/yum or\n \"/usr/sbin/pam-auth-update\" or\n /usr/libexec/packagekitd or\n /usr/bin/dpkg or\n /usr/bin/vim or\n /usr/libexec/xpcproxy or\n /usr/bin/bsdtar or\n /usr/local/bin/brew or\n /usr/bin/rsync or\n /usr/bin/yum or\n /var/lib/docker/*/bin/yum or\n /var/lib/docker/*/bin/dpkg or\n ./merged/var/lib/docker/*/bin/dpkg or\n \"/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service\"\n )\n ) and\n not file.path:\n (\n /tmp/snap.rootfs_*/pam_*.so or\n /tmp/newroot/lib/*/pam_*.so or\n /private/var/folders/*/T/com.apple.fileprovider.ArchiveService/TemporaryItems/*/lib/security/pam_*.so or\n /tmp/newroot/usr/lib64/security/pam_*.so\n )\n", "references": ["https://github.com/zephrax/linux-pam-backdoor", "https://github.com/eurialo/pambd", "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html", "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": 
"event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "93f47b6f-5728-4004-ba00-625083b3dcb0", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "93f47b6f-5728-4004-ba00-625083b3dcb0_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/94418745-529f-4259-8d25-a713a6feb6ae.json b/packages/security_detection_engine/kibana/security_rule/94418745-529f-4259-8d25-a713a6feb6ae.json deleted file mode 100644 index 7044af8b0e9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/94418745-529f-4259-8d25-a713a6feb6ae.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the addition of an executable bit for scripts that are located in directories which are commonly abused for persistence. An alert of this rule is an indicator that a persistence mechanism is being set up within your environment. Adversaries may create these scripts to execute malicious code at start-up, or at a set interval to gain persistence onto the system.", "from": "now-9m", "index": ["logs-endpoint.events.process*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Executable Bit Set for Potential Persistence Script", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.args : (\n // Misc.\n \"/etc/rc.local\", \"/etc/rc.common\", \"/etc/rc.d/rc.local\", \"/etc/init.d/*\", \"/etc/update-motd.d/*\",\n \"/etc/apt/apt.conf.d/*\", \"/etc/cron*\", \"/etc/init/*\",\n\n // XDG\n \"/etc/xdg/autostart/*\", \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\", \"/home/*/.config/autostart-scripts/*\",\n \"/root/.config/autostart-scripts/*\", \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\",\n \n // udev\n \"/lib/udev/*\", \"/etc/udev/rules.d/*\", \"/usr/lib/udev/rules.d/*\", \"/run/udev/rules.d/*\"\n\n) and (\n (process.name == \"chmod\" and process.args : (\"+x*\", \"1*\", \"3*\", \"5*\", \"7*\")) or\n (process.name == \"install\" and process.args : \"-m*\" and process.args : (\"7*\", \"5*\", \"3*\", \"1*\"))\n) and not process.parent.executable : \"/var/lib/dpkg/*\"\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", 
"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "94418745-529f-4259-8d25-a713a6feb6ae", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}, {"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}, {"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.013", "name": "XDG Autostart Entries", "reference": "https://attack.mitre.org/techniques/T1547/013/"}]}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "94418745-529f-4259-8d25-a713a6feb6ae", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/94418745-529f-4259-8d25-a713a6feb6ae_1.json b/packages/security_detection_engine/kibana/security_rule/94418745-529f-4259-8d25-a713a6feb6ae_1.json deleted file mode 100644 index 64f891b65bc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/94418745-529f-4259-8d25-a713a6feb6ae_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the addition of an executable bit of the `/etc/rc.local` or `/etc/rc.common` files. These files are used to start custom applications, services, scripts or commands during start-up. They require executable permissions to be executed on boot. An alert of this rule is an indicator that this method is being set up within your environment. This method has mostly been replaced by Systemd. However, through the `systemd-rc-local-generator`, these files can be converted to services that run at boot. Adversaries may alter these files to execute malicious code at start-up, and gain persistence onto the system.", "from": "now-9m", "index": ["logs-endpoint.events.process*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Executable Bit Set for rc.local/rc.common", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.args in (\"/etc/rc.local\", \"/etc/rc.common\") and (\n (process.name == \"chmod\" and process.args : (\"*+x*\", \"1*\", \"3*\", \"5*\", \"7*\")) or\n (process.name == \"install\" and process.args : \"-m*\" and process.args : (\"*7*\", \"*5*\", \"*3*\", \"*1*\"))\n)\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", "https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", 
"type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "94418745-529f-4259-8d25-a713a6feb6ae", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "94418745-529f-4259-8d25-a713a6feb6ae_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/94418745-529f-4259-8d25-a713a6feb6ae_2.json b/packages/security_detection_engine/kibana/security_rule/94418745-529f-4259-8d25-a713a6feb6ae_2.json deleted file mode 100644 index efdd4041e81..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/94418745-529f-4259-8d25-a713a6feb6ae_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the addition of an executable bit for scripts that are located in directories which are commonly abused for persistence. An alert of this rule is an indicator that a persistence mechanism is being set up within your environment. Adversaries may create these scripts to execute malicious code at start-up, or at a set interval to gain persistence onto the system.", "from": "now-9m", "index": ["logs-endpoint.events.process*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Executable Bit Set for Potential Persistence Script", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.args : (\n // Misc.\n \"/etc/rc.local\", \"/etc/rc.common\", \"/etc/init.d/*\", \"/etc/update-motd.d/*\", \"/etc/apt/apt.conf.d/*\", \"/etc/cron*\",\n \"/etc/init/*\",\n\n // XDG\n \"/etc/xdg/autostart/*\", \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\", \"/home/*/.config/autostart-scripts/*\",\n \"/root/.config/autostart-scripts/*\", \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\",\n \n // udev\n \"/lib/udev/*\", \"/etc/udev/rules.d/*\", \"/usr/lib/udev/rules.d/*\", \"/run/udev/rules.d/*\"\n\n) and (\n (process.name == \"chmod\" and process.args : (\"+x*\", \"1*\", \"3*\", \"5*\", \"7*\")) or\n (process.name == \"install\" and process.args : \"-m*\" and process.args : (\"7*\", \"5*\", \"3*\", \"1*\"))\n) and not process.parent.executable : \"/var/lib/dpkg/*\"\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", 
"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "94418745-529f-4259-8d25-a713a6feb6ae", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}, {"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}, {"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.013", "name": "XDG Autostart Entries", "reference": "https://attack.mitre.org/techniques/T1547/013/"}]}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "94418745-529f-4259-8d25-a713a6feb6ae_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/94418745-529f-4259-8d25-a713a6feb6ae_3.json b/packages/security_detection_engine/kibana/security_rule/94418745-529f-4259-8d25-a713a6feb6ae_3.json deleted file mode 100644 index 6a91ff42748..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/94418745-529f-4259-8d25-a713a6feb6ae_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the addition of an executable bit for scripts that are located in directories which are commonly abused for persistence. An alert of this rule is an indicator that a persistence mechanism is being set up within your environment. Adversaries may create these scripts to execute malicious code at start-up, or at a set interval to gain persistence onto the system.", "from": "now-9m", "index": ["logs-endpoint.events.process*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Executable Bit Set for Potential Persistence Script", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.args : (\n // Misc.\n \"/etc/rc.local\", \"/etc/rc.common\", \"/etc/rc.d/rc.local\", \"/etc/init.d/*\", \"/etc/update-motd.d/*\",\n \"/etc/apt/apt.conf.d/*\", \"/etc/cron*\", \"/etc/init/*\",\n\n // XDG\n \"/etc/xdg/autostart/*\", \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\", \"/home/*/.config/autostart-scripts/*\",\n \"/root/.config/autostart-scripts/*\", \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\",\n \n // udev\n \"/lib/udev/*\", \"/etc/udev/rules.d/*\", \"/usr/lib/udev/rules.d/*\", \"/run/udev/rules.d/*\"\n\n) and (\n (process.name == \"chmod\" and process.args : (\"+x*\", \"1*\", \"3*\", \"5*\", \"7*\")) or\n (process.name == \"install\" and process.args : \"-m*\" and process.args : (\"7*\", \"5*\", \"3*\", \"1*\"))\n) and not process.parent.executable : \"/var/lib/dpkg/*\"\n", "references": ["https://www.intezer.com/blog/malware-analysis/hiddenwasp-malware-targeting-linux-systems/", "https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#8-boot-or-logon-initialization-scripts-rc-scripts", 
"https://www.cyberciti.biz/faq/how-to-enable-rc-local-shell-script-on-systemd-while-booting-linux-system/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "94418745-529f-4259-8d25-a713a6feb6ae", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}, {"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}, {"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.013", "name": "XDG Autostart Entries", "reference": "https://attack.mitre.org/techniques/T1547/013/"}]}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "94418745-529f-4259-8d25-a713a6feb6ae_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/947827c6-9ed6-4dec-903e-c856c86e72f3.json b/packages/security_detection_engine/kibana/security_rule/947827c6-9ed6-4dec-903e-c856c86e72f3.json deleted file mode 100644 index e87527124d8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/947827c6-9ed6-4dec-903e-c856c86e72f3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies activity related to loading kernel modules on Linux via creation of new ko files in the LKM directory.", "from": "now-119m", "index": ["logs-endpoint.events.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Creation of Kernel Module", "query": "file where host.os.type == \"linux\" and event.type in (\"change\", \"creation\") and file.path : \"/lib/modules/*\" and\nfile.extension == \"ko\" and not process.name : (\n \"dpkg\", \"systemd\", \"falcon-sensor*\", \"dnf\", \"yum\", \"rpm\", \"cp\"\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "947827c6-9ed6-4dec-903e-c856c86e72f3", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "947827c6-9ed6-4dec-903e-c856c86e72f3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/947827c6-9ed6-4dec-903e-c856c86e72f3_1.json b/packages/security_detection_engine/kibana/security_rule/947827c6-9ed6-4dec-903e-c856c86e72f3_1.json
deleted file mode 100644
index 9ebd16ec83c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/947827c6-9ed6-4dec-903e-c856c86e72f3_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies activity related to loading kernel modules on Linux via creation of new ko files in the LKM directory.", "from": "now-119m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Creation of Kernel Module", "query": "file where event.type in (\"change\", \"creation\") and host.os.type == \"linux\" and\nfile.path : \"/lib/modules/*\" and file.name : \"*.ko\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "947827c6-9ed6-4dec-903e-c856c86e72f3", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "947827c6-9ed6-4dec-903e-c856c86e72f3_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/947827c6-9ed6-4dec-903e-c856c86e72f3_2.json b/packages/security_detection_engine/kibana/security_rule/947827c6-9ed6-4dec-903e-c856c86e72f3_2.json
deleted file mode 100644
index e53c2c76214..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/947827c6-9ed6-4dec-903e-c856c86e72f3_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies activity related to loading kernel modules on Linux via creation of new ko files in the LKM directory.", "from": "now-119m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Creation of Kernel Module", "query": "file where event.type in (\"change\", \"creation\") and host.os.type == \"linux\" and\nfile.path : \"/lib/modules/*\" and file.name : \"*.ko\" and \nnot process.name : (\"dpkg\", \"systemd\", \"falcon-sensor*\", \"dnf\", \"yum\", \"rpm\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "947827c6-9ed6-4dec-903e-c856c86e72f3", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "947827c6-9ed6-4dec-903e-c856c86e72f3_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7.json b/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7.json
deleted file mode 100644
index 1de1bc597eb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and possible methods to escalate privileges or move laterally.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Group Policy Discovery via Microsoft GPResult Utility", "note": "## Triage and analysis\n\n### Investigating Group Policy Discovery via Microsoft GPResult Utility\n\nGroup Policy is a Windows feature that allows administrators to manage and configure settings for users and computers in an Active Directory environment. The Microsoft GPResult utility (gpresult.exe) is a command-line tool used to query and display Group Policy Objects (GPOs) applied to a system. Attackers may abuse this utility to gain insights into the active directory environment and identify potential privilege escalation or lateral movement opportunities.\n\nThe detection rule 'Group Policy Discovery via Microsoft GPResult Utility' is designed to identify the usage of gpresult.exe with specific arguments (\"/z\", \"/v\", \"/r\", \"/x\") that are commonly used by adversaries during the reconnaissance phase to perform group policy discovery.\n\n#### Possible investigation steps\n\n- Review the alert details to understand the context of the gpresult.exe usage, such as the user account, system, and time of execution.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate any abnormal behavior by the parent process, such as network connections, registry or file modifications, and any other spawned child processes.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(process.name: \"gpresult.exe\" or ?process.pe.original_file_name == \"gprslt.exe\") and process.args: (\"/z\", \"/v\", \"/r\", \"/x\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1615", "name": "Group Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1615/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 9}, "id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_2.json b/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_2.json
deleted file mode 100644
index f83be33695a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and possible methods to escalate privileges or move laterally.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Group Policy Discovery via Microsoft GPResult Utility", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(process.name: \"gpresult.exe\" or process.pe.original_file_name == \"gprslt.exe\") and process.args: (\"/z\", \"/v\", \"/r\", \"/x\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1615", "name": "Group Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1615/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_209.json b/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_209.json
deleted file mode 100644
index 0b4baae2758..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_209.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and possible methods to escalate privileges or move laterally.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Group Policy Discovery via Microsoft GPResult Utility", "note": "## Triage and analysis\n\n### Investigating Group Policy Discovery via Microsoft GPResult Utility\n\nGroup Policy is a Windows feature that allows administrators to manage and configure settings for users and computers in an Active Directory environment. The Microsoft GPResult utility (gpresult.exe) is a command-line tool used to query and display Group Policy Objects (GPOs) applied to a system. Attackers may abuse this utility to gain insights into the active directory environment and identify potential privilege escalation or lateral movement opportunities.\n\nThe detection rule 'Group Policy Discovery via Microsoft GPResult Utility' is designed to identify the usage of gpresult.exe with specific arguments (\"/z\", \"/v\", \"/r\", \"/x\") that are commonly used by adversaries during the reconnaissance phase to perform group policy discovery.\n\n#### Possible investigation steps\n\n- Review the alert details to understand the context of the gpresult.exe usage, such as the user account, system, and time of execution.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate any abnormal behavior by the parent process, such as network connections, registry or file modifications, and any other spawned child processes.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(process.name: \"gpresult.exe\" or ?process.pe.original_file_name == \"gprslt.exe\") and process.args: (\"/z\", \"/v\", \"/r\", \"/x\")\n", "related_integrations": [{"package": "windows", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1615", "name": "Group Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1615/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 209}, "id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7_209", "type": "security-rule"} \ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_3.json b/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_3.json
deleted file mode 100644
index 65a7eb411e7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and possible methods to escalate privileges or move laterally.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Group Policy Discovery via Microsoft GPResult Utility", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(process.name: \"gpresult.exe\" or process.pe.original_file_name == \"gprslt.exe\") and process.args: (\"/z\", \"/v\", \"/r\", \"/x\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1615", "name": "Group Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1615/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_4.json b/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_4.json
deleted file mode 100644
index bf5a078b782..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and possible methods to escalate privileges or move laterally.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Group Policy Discovery via Microsoft GPResult Utility", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(process.name: \"gpresult.exe\" or process.pe.original_file_name == \"gprslt.exe\") and process.args: (\"/z\", \"/v\", \"/r\", \"/x\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1615", "name": "Group Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1615/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_5.json b/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_5.json
deleted file mode 100644
index c18813ab99e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and possible methods to escalate privileges or move laterally.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Group Policy Discovery via Microsoft GPResult Utility", "note": "## Triage and analysis\n\n### Investigating Group Policy Discovery via Microsoft GPResult Utility\n\nGroup Policy is a Windows feature that allows administrators to manage and configure settings for users and computers in an Active Directory environment. The Microsoft GPResult utility (`gpresult.exe`) is a command-line tool used to query and display Group Policy Objects (GPOs) applied to a system.\n\nThis rule identifies the execution of `gpresult.exe` or renamed instances with specific arguments, which can be abused by attackers to gain insights into the active directory environment and identify potential privilege escalation or lateral movement opportunities.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate any abnormal behavior by the parent process, such as network connections, registry or file modifications, and any other spawned child
processes.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(process.name: \"gpresult.exe\" or process.pe.original_file_name == \"gprslt.exe\") and process.args: (\"/z\", \"/v\", \"/r\", \"/x\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data 
Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1615", "name": "Group Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1615/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_6.json b/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_6.json
deleted file mode 100644
index b037b7c237d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and possible methods to escalate privileges or move laterally.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Group Policy Discovery via Microsoft GPResult Utility", "note": "## Triage and analysis\n\n### Investigating Group Policy Discovery via Microsoft GPResult Utility\n\nGroup Policy is a Windows feature that allows administrators to manage and configure settings for users and computers in an Active Directory environment. The Microsoft GPResult utility (gpresult.exe) is a command-line tool used to query and display Group Policy Objects (GPOs) applied to a system. Attackers may abuse this utility to gain insights into the active directory environment and identify potential privilege escalation or lateral movement opportunities.\n\nThe detection rule 'Group Policy Discovery via Microsoft GPResult Utility' is designed to identify the usage of gpresult.exe with specific arguments (\"/z\", \"/v\", \"/r\", \"/x\") that are commonly used by adversaries during the reconnaissance phase to perform group policy discovery.\n\n#### Possible investigation steps\n\n- Review the alert details to understand the context of the gpresult.exe usage, such as the user account, system, and time of execution.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate any abnormal behavior by the parent process, such as network connections, registry or file modifications, and any other spawned child processes.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(process.name: \"gpresult.exe\" or process.pe.original_file_name == \"gprslt.exe\") and process.args: (\"/z\", \"/v\", \"/r\", \"/x\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1615", "name": "Group Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1615/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_7.json b/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_7.json
deleted file mode 100644
index 9588b34c209..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and possible methods to escalate privileges or move laterally.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Group Policy Discovery via Microsoft GPResult Utility", "note": "## Triage and analysis\n\n### Investigating Group Policy Discovery via Microsoft GPResult Utility\n\nGroup Policy is a Windows feature that allows administrators to manage and configure settings for users and computers in an Active Directory environment. The Microsoft GPResult utility (gpresult.exe) is a command-line tool used to query and display Group Policy Objects (GPOs) applied to a system. Attackers may abuse this utility to gain insights into the active directory environment and identify potential privilege escalation or lateral movement opportunities.\n\nThe detection rule 'Group Policy Discovery via Microsoft GPResult Utility' is designed to identify the usage of gpresult.exe with specific arguments (\"/z\", \"/v\", \"/r\", \"/x\") that are commonly used by adversaries during the reconnaissance phase to perform group policy discovery.\n\n#### Possible investigation steps\n\n- Review the alert details to understand the context of the gpresult.exe usage, such as the user account, system, and time of execution.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate any abnormal behavior by the parent process, such as network connections, registry or file modifications, and any other spawned child processes.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(process.name: \"gpresult.exe\" or ?process.pe.original_file_name == \"gprslt.exe\") and process.args: (\"/z\", \"/v\", \"/r\", \"/x\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1615", "name": "Group Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1615/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_8.json b/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_8.json
deleted file mode 100644
index 347914590e5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_8.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and possible methods to escalate privileges or move laterally.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Group Policy Discovery via Microsoft GPResult Utility", "note": "## Triage and analysis\n\n### Investigating Group Policy Discovery via Microsoft GPResult Utility\n\nGroup Policy is a Windows feature that allows administrators to manage and configure settings for users and computers in an Active Directory environment. The Microsoft GPResult utility (gpresult.exe) is a command-line tool used to query and display Group Policy Objects (GPOs) applied to a system. Attackers may abuse this utility to gain insights into the active directory environment and identify potential privilege escalation or lateral movement opportunities.\n\nThe detection rule 'Group Policy Discovery via Microsoft GPResult Utility' is designed to identify the usage of gpresult.exe with specific arguments (\"/z\", \"/v\", \"/r\", \"/x\") that are commonly used by adversaries during the reconnaissance phase to perform group policy discovery.\n\n#### Possible investigation steps\n\n- Review the alert details to understand the context of the gpresult.exe usage, such as the user account, system, and time of execution.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate any abnormal behavior by the parent process, such as network connections, registry or file modifications, and any other spawned child processes.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(process.name: \"gpresult.exe\" or ?process.pe.original_file_name == \"gprslt.exe\") and process.args: (\"/z\", \"/v\", \"/r\", \"/x\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1615", "name": "Group Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1615/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7_8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_9.json b/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_9.json
deleted file mode 100644
index 0f39931f877..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/94a401ba-4fa2-455c-b7ae-b6e037afc0b7_9.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the usage of gpresult.exe to query group policy objects. Attackers may query group policy objects during the reconnaissance phase after compromising a system to gain a better understanding of the active directory environment and possible methods to escalate privileges or move laterally.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Group Policy Discovery via Microsoft GPResult Utility", "note": "## Triage and analysis\n\n### Investigating Group Policy Discovery via Microsoft GPResult Utility\n\nGroup Policy is a Windows feature that allows administrators to manage and configure settings for users and computers in an Active Directory environment. The Microsoft GPResult utility (gpresult.exe) is a command-line tool used to query and display Group Policy Objects (GPOs) applied to a system. Attackers may abuse this utility to gain insights into the active directory environment and identify potential privilege escalation or lateral movement opportunities.\n\nThe detection rule 'Group Policy Discovery via Microsoft GPResult Utility' is designed to identify the usage of gpresult.exe with specific arguments (\"/z\", \"/v\", \"/r\", \"/x\") that are commonly used by adversaries during the reconnaissance phase to perform group policy discovery.\n\n#### Possible investigation steps\n\n- Review the alert details to understand the context of the gpresult.exe usage, such as the user account, system, and time of execution.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate any abnormal behavior by the parent process, such as network connections, registry or file modifications, and any other spawned child processes.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(process.name: \"gpresult.exe\" or ?process.pe.original_file_name == \"gprslt.exe\") and process.args: (\"/z\", \"/v\", \"/r\", \"/x\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1615", "name": "Group Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1615/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 9}, "id": "94a401ba-4fa2-455c-b7ae-b6e037afc0b7_9", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/94e734c0-2cda-11ef-84e1-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/94e734c0-2cda-11ef-84e1-f661ea17fbce.json
deleted file mode 100644
index c4186487528..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/94e734c0-2cda-11ef-84e1-f661ea17fbce.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.", "false_positives": ["Users may share an endpoint related to work or personal use in which separate Okta accounts are used.", "Shared systems such as Kiosks and conference room computers may be used by multiple users."], "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "Multiple Okta User Authentication Events with Client Address", "note": "## Triage and analysis\n\n### Investigating Multiple Okta User Authentication Events with Client Address\n\nThis rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. 
Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\n\n#### Possible investigation steps:\nSince this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.\n - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\n- Examine the `okta.outcome.result` 
field to determine if the authentication was successful.\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\n - Shared working spaces may have a single endpoint that is used by multiple users.\n\n### Response and remediation:\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for the user.\n- If this is 
a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\n - This will prevent future occurrences of this event for this device from triggering the rule.\n - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\n - This should be done with caution as it may prevent legitimate alerts from being generated.\n", "query": "FROM logs-okta*\n| WHERE\n event.dataset == \"okta.system\"\n AND (event.action == \"user.session.start\" OR event.action RLIKE \"user\\\\.authentication(.*)\")\n AND okta.outcome.reason == \"INVALID_CREDENTIALS\"\n| STATS\n source_auth_count = COUNT_DISTINCT(okta.actor.id)\n BY okta.client.ip, okta.actor.alternate_id\n| WHERE\n source_auth_count > 5\n| SORT\n source_auth_count DESC\n", "references": ["https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/"], "risk_score": 21, "rule_id": "94e734c0-2cda-11ef-84e1-f661ea17fbce", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.003", "name": "Password Spraying", "reference": 
"https://attack.mitre.org/techniques/T1110/003/"}]}, {"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.004", "name": "Credential Stuffing", "reference": "https://attack.mitre.org/techniques/T1110/004/"}]}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "94e734c0-2cda-11ef-84e1-f661ea17fbce", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/94e734c0-2cda-11ef-84e1-f661ea17fbce_1.json b/packages/security_detection_engine/kibana/security_rule/94e734c0-2cda-11ef-84e1-f661ea17fbce_1.json
deleted file mode 100644
index 1097148921b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/94e734c0-2cda-11ef-84e1-f661ea17fbce_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.", "false_positives": ["Users may share an endpoint related to work or personal use in which separate Okta accounts are used.", "Shared systems such as Kiosks and conference room computers may be used by multiple users."], "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "Multiple Okta User Authentication Events with Client Address", "note": "## Triage and analysis\n\n### Investigating Multiple Okta User Authentication Events with Client Address\n\nThis rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. 
Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\n\n#### Possible investigation steps:\nSince this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.\n - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\n- Examine the `okta.outcome.result` 
field to determine if the authentication was successful.\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\n - Shared working spaces may have a single endpoint that is used by multiple users.\n\n### Response and remediation:\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for the user.\n- If this is 
a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\n - This will prevent future occurrences of this event for this device from triggering the rule.\n - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\n - This should be done with caution as it may prevent legitimate alerts from being generated.\n", "query": "FROM logs-okta*\n| WHERE\n event.dataset == \"okta.system\"\n AND (event.action == \"user.session.start\" OR event.action RLIKE \"user\\\\.authentication(.*)\")\n AND okta.outcome.reason == \"INVALID_CREDENTIALS\"\n| STATS\n source_auth_count = COUNT_DISTINCT(okta.actor.id)\n BY okta.client.ip, okta.actor.alternate_id\n| WHERE\n source_auth_count > 5\n| SORT\n source_auth_count DESC\n", "references": ["https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/"], "risk_score": 21, "rule_id": "94e734c0-2cda-11ef-84e1-f661ea17fbce", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.003", "name": "Password Spraying", "reference": 
"https://attack.mitre.org/techniques/T1110/003/"}]}, {"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.004", "name": "Credential Stuffing", "reference": "https://attack.mitre.org/techniques/T1110/004/"}]}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "94e734c0-2cda-11ef-84e1-f661ea17fbce_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/94e734c0-2cda-11ef-84e1-f661ea17fbce_103.json b/packages/security_detection_engine/kibana/security_rule/94e734c0-2cda-11ef-84e1-f661ea17fbce_103.json
new file mode 100644
index 00000000000..d2035820753
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/94e734c0-2cda-11ef-84e1-f661ea17fbce_103.json
@@ -0,0 +1,77 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.", + "false_positives": [ + "Users may share an endpoint related to work or personal use in which separate Okta accounts are used.", + "Shared systems such as Kiosks and conference room computers may be used by multiple users." + ], + "from": "now-9m", + "language": "esql", + "license": "Elastic License v2", + "name": "Multiple Okta User Authentication Events with Client Address", + "note": "## Triage and analysis\n\n### Investigating Multiple Okta User Authentication Events with Client Address\n\nThis rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. 
Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\n\n#### Possible investigation steps:\nSince this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.\n - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\n- Examine the `okta.outcome.result` 
field to determine if the authentication was successful.\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\n - Shared working spaces may have a single endpoint that is used by multiple users.\n\n### Response and remediation:\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for the user.\n- If this is 
a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\n - This will prevent future occurrences of this event for this device from triggering the rule.\n - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\n - This should be done with caution as it may prevent legitimate alerts from being generated.\n",
+ "query": "FROM logs-okta*\n| WHERE\n event.dataset == \"okta.system\"\n AND (event.action == \"user.session.start\" OR event.action RLIKE \"user\\\\.authentication(.*)\")\n AND okta.outcome.reason == \"INVALID_CREDENTIALS\"\n| KEEP okta.client.ip, okta.actor.alternate_id, okta.actor.id, event.action, okta.outcome.reason\n| STATS\n source_auth_count = COUNT_DISTINCT(okta.actor.id)\n BY okta.client.ip, okta.actor.alternate_id\n| WHERE\n source_auth_count > 5\n| SORT\n source_auth_count DESC\n",
+ "references": [
+ "https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "risk_score": 21,
+ "rule_id": "94e734c0-2cda-11ef-84e1-f661ea17fbce",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "low",
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Credential Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1110",
+ "name": "Brute Force",
+ "reference": "https://attack.mitre.org/techniques/T1110/",
+ "subtechnique": [
+ {
+ "id": "T1110.003",
+ "name": "Password Spraying",
+ "reference": "https://attack.mitre.org/techniques/T1110/003/"
+ }
+ ]
+ },
+ {
+ "id": "T1110",
+ "name": "Brute Force",
+ "reference": "https://attack.mitre.org/techniques/T1110/",
+ "subtechnique": [
+ {
+ "id": "T1110.004",
+ "name": "Credential Stuffing",
+ "reference": "https://attack.mitre.org/techniques/T1110/004/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "esql",
+ "version": 103
+ },
+ "id": "94e734c0-2cda-11ef-84e1-f661ea17fbce_103",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/94e734c0-2cda-11ef-84e1-f661ea17fbce_2.json b/packages/security_detection_engine/kibana/security_rule/94e734c0-2cda-11ef-84e1-f661ea17fbce_2.json
deleted file mode 100644
index 110833a2f52..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/94e734c0-2cda-11ef-84e1-f661ea17fbce_2.json
+++ /dev/null
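Review bot: The `| STATS source_auth_count = COUNT_DISTINCT(okta.actor.id) BY okta.client.ip, okta.actor.alternate_id` grouping in the `query` appears to work against the rule's stated purpose of flagging many users from one client address: if `okta.actor.alternate_id` identifies a single user, as the triage note treats it, each (ip, alternate_id) bucket holds one actor, the distinct count cannot exceed 1, and `source_auth_count > 5` would rarely fire. If per-source-IP counting is the intent, consider `| STATS source_auth_count = COUNT_DISTINCT(okta.actor.id), users = VALUES(okta.actor.alternate_id) BY okta.client.ip` so the affected usernames stay visible in the alert; if the current grouping is deliberate, a one-line explanation in the `note` would spare the next maintainer the same question. The `KEEP` line added in this version already retains every field either form needs. Unrelated nit in the same hunk: the triage note reads "the users involves" where "involved" is meant.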
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.", "false_positives": ["Users may share an endpoint related to work or personal use in which separate Okta accounts are used.", "Shared systems such as Kiosks and conference room computers may be used by multiple users."], "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "Multiple Okta User Authentication Events with Client Address", "note": "## Triage and analysis\n\n### Investigating Multiple Okta User Authentication Events with Client Address\n\nThis rule detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. 
Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\n\n#### Possible investigation steps:\nSince this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.client.ip` values can be used to pivot into the raw authentication events related to this activity.\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.\n - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\n - If the event type is `user.session.start`, the source may have attempted to establish a session via the Okta authentication API.\n- Examine the `okta.outcome.result` 
field to determine if the authentication was successful.\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\n - Shared working spaces may have a single endpoint that is used by multiple users.\n\n### Response and remediation:\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for the user.\n- If this is 
a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` list in the rule.\n - This will prevent future occurrences of this event for this device from triggering the rule.\n - Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\n - This should be done with caution as it may prevent legitimate alerts from being generated.\n", "query": "FROM logs-okta*\n| WHERE\n event.dataset == \"okta.system\"\n AND (event.action == \"user.session.start\" OR event.action RLIKE \"user\\\\.authentication(.*)\")\n AND okta.outcome.reason == \"INVALID_CREDENTIALS\"\n| STATS\n source_auth_count = COUNT_DISTINCT(okta.actor.id)\n BY okta.client.ip, okta.actor.alternate_id\n| WHERE\n source_auth_count > 5\n| SORT\n source_auth_count DESC\n", "references": ["https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "risk_score": 21, "rule_id": "94e734c0-2cda-11ef-84e1-f661ea17fbce", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": 
"Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}, {"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.004", "name": "Credential Stuffing", "reference": "https://attack.mitre.org/techniques/T1110/004/"}]}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 2}, "id": "94e734c0-2cda-11ef-84e1-f661ea17fbce_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce.json
deleted file mode 100644
index 934859d8f8a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a custom Gmail route is added or modified in Google Workspace. Adversaries can add a custom e-mail route for outbound mail to route these e-mails to their own inbox of choice for data gathering. This allows adversaries to capture sensitive information from e-mail and potential attachments, such as invoices or payment documents. By default, all email from current Google Workspace users with accounts are routed through a domain's mail server for inbound and outbound mail.", "false_positives": ["Administrators may create custom email routes in Google Workspace based on organizational policies, administrative preference or for security purposes regarding spam."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Custom Gmail Route Created or Modified", "note": "## Triage and analysis\n\n### Investigating Google Workspace Custom Gmail Route Created or Modified\n\nGmail is a popular cloud-based email service developed and managed by Google. Gmail is one of many services available for users with Google Workspace accounts.\n\nThreat actors often send phishing emails containing malicious URL links or attachments to corporate Gmail accounts. Google Workspace identity relies on the corporate user Gmail account and if stolen, allows threat actors to further their intrusion efforts from valid user accounts.\n\nThis rule identifies the creation of a custom global Gmail route by an administrator from the Google Workspace admin console. 
Custom email routes could indicate an attempt to secretly forward sensitive emails to unintentional recipients.\n\n#### Possible investigation steps\n\n- Identify the user account that created the custom email route and verify that they should have administrative privileges.\n- Review the added recipients from the custom email route and confidentiality of potential email contents.\n- Identify the user account, then review `event.action` values for related activity within the last 48 hours.\n- If the Google Workspace license is Enterprise Plus or Education Plus, search for emails matching the route filters. To find the Gmail event logs, go to `Reporting > Audit and investigation > Gmail log events`.\n- If existing emails have been sent and match the custom route criteria, review the sender and contents for malicious URL links and attachments.\n- Identified URLs or attachments can be submitted to VirusTotal for reputational services.\n\n### False positive analysis\n\n- This rule searches for domain-wide custom email routes created in the admin console of Google Workspace. Administrators might create custom email routes to fulfill organizational requirements.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:(\"CREATE_GMAIL_SETTING\" or \"CHANGE_GMAIL_SETTING\")\n and google_workspace.event.type:\"EMAIL_SETTINGS\" and google_workspace.admin.setting.name:(\"EMAIL_ROUTE\" or \"MESSAGE_SECURITY_RULE\")\n", "references": ["https://support.google.com/a/answer/2685650?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.setting.name", "type": "keyword"}, {"ecs": false, "name": "google_workspace.event.type", "type": "keyword"}], "risk_score": 47, "rule_id": "9510add4-3392-11ed-bd01-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Collection", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.003", "name": "Email Forwarding Rule", "reference": "https://attack.mitre.org/techniques/T1114/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "9510add4-3392-11ed-bd01-f661ea17fbce", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_104.json b/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_104.json
deleted file mode 100644
index f1a6b25cf34..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a custom Gmail route is added or modified in Google Workspace. Adversaries can add a custom e-mail route for outbound mail to route these e-mails to their own inbox of choice for data gathering. This allows adversaries to capture sensitive information from e-mail and potential attachments, such as invoices or payment documents. By default, all email from current Google Workspace users with accounts are routed through a domain's mail server for inbound and outbound mail.", "false_positives": ["Administrators may create custom email routes in Google Workspace based on organizational policies, administrative preference or for security purposes regarding spam."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Custom Gmail Route Created or Modified", "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:(\"CREATE_GMAIL_SETTING\" or \"CHANGE_GMAIL_SETTING\")\n and google_workspace.event.type:\"EMAIL_SETTINGS\" and google_workspace.admin.setting.name:(\"EMAIL_ROUTE\" or \"MESSAGE_SECURITY_RULE\")\n", "references": ["https://support.google.com/a/answer/2685650?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.setting.name", "type": "keyword"}, {"ecs": false, "name": "google_workspace.event.type", "type": "keyword"}], "risk_score": 47, "rule_id": "9510add4-3392-11ed-bd01-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Collection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.003", "name": "Email Forwarding Rule", "reference": "https://attack.mitre.org/techniques/T1114/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "9510add4-3392-11ed-bd01-f661ea17fbce_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_105.json
deleted file mode 100644
index 6e080b9cf99..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a custom Gmail route is added or modified in Google Workspace. Adversaries can add a custom e-mail route for outbound mail to route these e-mails to their own inbox of choice for data gathering. This allows adversaries to capture sensitive information from e-mail and potential attachments, such as invoices or payment documents. By default, all email from current Google Workspace users with accounts are routed through a domain's mail server for inbound and outbound mail.", "false_positives": ["Administrators may create custom email routes in Google Workspace based on organizational policies, administrative preference or for security purposes regarding spam."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Custom Gmail Route Created or Modified", "note": "## Triage and analysis\n\n### Investigating Google Workspace Custom Gmail Route Created or Modified\n\nGmail is a popular cloud-based email service developed and managed by Google. Gmail is one of many services available for users with Google Workspace accounts.\n\nThreat actors often send phishing emails containing malicious URL links or attachments to corporate Gmail accounts. Google Workspace identity relies on the corporate user Gmail account and if stolen, allows threat actors to further their intrusion efforts from valid user accounts.\n\nThis rule identifies the creation of a custom global Gmail route by an administrator from the Google Workspace admin console. 
Custom email routes could indicate an attempt to secretly forward sensitive emails to unintentional recipients.\n\n#### Possible investigation steps\n\n- Identify the user account that created the custom email route and verify that they should have administrative privileges.\n- Review the added recipients from the custom email route and confidentiality of potential email contents.\n- Identify the user account, then review `event.action` values for related activity within the last 48 hours.\n- If the Google Workspace license is Enterprise Plus or Education Plus, search for emails matching the route filters. To find the Gmail event logs, go to `Reporting > Audit and investigation > Gmail log events`.\n- If existing emails have been sent and match the custom route criteria, review the sender and contents for malicious URL links and attachments.\n- Identified URLs or attachments can be submitted to VirusTotal for reputational services.\n\n### False positive analysis\n\n- This rule searches for domain-wide custom email routes created in the admin console of Google Workspace. Administrators might create custom email routes to fulfill organizational requirements.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:(\"CREATE_GMAIL_SETTING\" or \"CHANGE_GMAIL_SETTING\")\n and google_workspace.event.type:\"EMAIL_SETTINGS\" and google_workspace.admin.setting.name:(\"EMAIL_ROUTE\" or \"MESSAGE_SECURITY_RULE\")\n", "references": ["https://support.google.com/a/answer/2685650?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.setting.name", "type": "keyword"}, {"ecs": false, "name": "google_workspace.event.type", "type": "keyword"}], "risk_score": 47, "rule_id": "9510add4-3392-11ed-bd01-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Collection", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.003", "name": "Email Forwarding Rule", "reference": "https://attack.mitre.org/techniques/T1114/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "9510add4-3392-11ed-bd01-f661ea17fbce_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_106.json b/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_106.json
deleted file mode 100644
index 86f683009ba..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9510add4-3392-11ed-bd01-f661ea17fbce_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a custom Gmail route is added or modified in Google Workspace. Adversaries can add a custom e-mail route for outbound mail to route these e-mails to their own inbox of choice for data gathering. This allows adversaries to capture sensitive information from e-mail and potential attachments, such as invoices or payment documents. By default, all email from current Google Workspace users with accounts are routed through a domain's mail server for inbound and outbound mail.", "false_positives": ["Administrators may create custom email routes in Google Workspace based on organizational policies, administrative preference or for security purposes regarding spam."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Custom Gmail Route Created or Modified", "note": "## Triage and analysis\n\n### Investigating Google Workspace Custom Gmail Route Created or Modified\n\nGmail is a popular cloud-based email service developed and managed by Google. Gmail is one of many services available for users with Google Workspace accounts.\n\nThreat actors often send phishing emails containing malicious URL links or attachments to corporate Gmail accounts. Google Workspace identity relies on the corporate user Gmail account and if stolen, allows threat actors to further their intrusion efforts from valid user accounts.\n\nThis rule identifies the creation of a custom global Gmail route by an administrator from the Google Workspace admin console. 
Custom email routes could indicate an attempt to secretly forward sensitive emails to unintentional recipients.\n\n#### Possible investigation steps\n\n- Identify the user account that created the custom email route and verify that they should have administrative privileges.\n- Review the added recipients from the custom email route and confidentiality of potential email contents.\n- Identify the user account, then review `event.action` values for related activity within the last 48 hours.\n- If the Google Workspace license is Enterprise Plus or Education Plus, search for emails matching the route filters. To find the Gmail event logs, go to `Reporting > Audit and investigation > Gmail log events`.\n- If existing emails have been sent and match the custom route criteria, review the sender and contents for malicious URL links and attachments.\n- Identified URLs or attachments can be submitted to VirusTotal for reputational services.\n\n### False positive analysis\n\n- This rule searches for domain-wide custom email routes created in the admin console of Google Workspace. Administrators might create custom email routes to fulfill organizational requirements.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:(\"CREATE_GMAIL_SETTING\" or \"CHANGE_GMAIL_SETTING\")\n and google_workspace.event.type:\"EMAIL_SETTINGS\" and google_workspace.admin.setting.name:(\"EMAIL_ROUTE\" or \"MESSAGE_SECURITY_RULE\")\n", "references": ["https://support.google.com/a/answer/2685650?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.setting.name", "type": "keyword"}, {"ecs": false, "name": "google_workspace.event.type", "type": "keyword"}], "risk_score": 47, "rule_id": "9510add4-3392-11ed-bd01-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Collection", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.003", "name": "Email Forwarding Rule", "reference": "https://attack.mitre.org/techniques/T1114/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "9510add4-3392-11ed-bd01-f661ea17fbce_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/951779c2-82ad-4a6c-82b8-296c1f691449.json b/packages/security_detection_engine/kibana/security_rule/951779c2-82ad-4a6c-82b8-296c1f691449.json
deleted file mode 100644
index a182007e6f0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/951779c2-82ad-4a6c-82b8-296c1f691449.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can execute pass-the-hash (PtH) attacks, intercept and relay NTLM challenges, and carry out other man-in-the-middle (MitM) attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential PowerShell Pass-the-Hash/Relay Script", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\"NTLMSSPNegotiate\" and (\"NegotiateSMB\" or \"NegotiateSMB2\")) or\n \"4E544C4D53535000\" or\n \"0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50\" or\n \"0x4e,0x54,0x20,0x4c,0x4d\" or\n \"0x53,0x4d,0x42,0x20,0x32\" or\n \"0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38\"\n ) and\n not file.directory : \"C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\"\n", "references": ["https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1", "https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBExec.ps1", "https://github.com/dafthack/Check-LocalAdminHash/blob/master/Check-LocalAdminHash.ps1", "https://github.com/nettitude/PoshC2/blob/master/resources/modules/Invoke-Tater.ps1", "https://github.com/Kevin-Robertson/Inveigh/blob/master/Inveigh.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 73, "rule_id": "951779c2-82ad-4a6c-82b8-296c1f691449", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates 
>\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1557", "name": "Adversary-in-the-Middle", "reference": "https://attack.mitre.org/techniques/T1557/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.002", "name": "Pass the Hash", "reference": "https://attack.mitre.org/techniques/T1550/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "951779c2-82ad-4a6c-82b8-296c1f691449", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/951779c2-82ad-4a6c-82b8-296c1f691449_1.json b/packages/security_detection_engine/kibana/security_rule/951779c2-82ad-4a6c-82b8-296c1f691449_1.json
deleted file mode 100644
index 1e22ee7bef1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/951779c2-82ad-4a6c-82b8-296c1f691449_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can execute pass-the-hash (PtH) attacks, intercept and relay NTLM challenges, and carry out other man-in-the-middle (MitM) attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential PowerShell Pass-the-Hash/Relay Script", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\"NTLMSSPNegotiate\" and (\"NegotiateSMB\" or \"NegotiateSMB2\")) or\n \"4E544C4D53535000\" or\n \"0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50\" or\n \"0x4e,0x54,0x20,0x4c,0x4d\" or\n \"0x53,0x4d,0x42,0x20,0x32\" or\n \"0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38\"\n )\n", "references": ["https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1", "https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBExec.ps1", "https://github.com/dafthack/Check-LocalAdminHash/blob/master/Check-LocalAdminHash.ps1", "https://github.com/nettitude/PoshC2/blob/master/resources/modules/Invoke-Tater.ps1", "https://github.com/Kevin-Robertson/Inveigh/blob/master/Inveigh.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "951779c2-82ad-4a6c-82b8-296c1f691449", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1557", "name": "Adversary-in-the-Middle", "reference": "https://attack.mitre.org/techniques/T1557/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.002", "name": "Pass the Hash", "reference": "https://attack.mitre.org/techniques/T1550/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "951779c2-82ad-4a6c-82b8-296c1f691449_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/951779c2-82ad-4a6c-82b8-296c1f691449_2.json b/packages/security_detection_engine/kibana/security_rule/951779c2-82ad-4a6c-82b8-296c1f691449_2.json deleted file mode 100644 index 319765931e4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/951779c2-82ad-4a6c-82b8-296c1f691449_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can execute pass-the-hash (PtH) attacks, intercept and relay NTLM challenges, and carry out other man-in-the-middle (MitM) attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential PowerShell Pass-the-Hash/Relay Script", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\"NTLMSSPNegotiate\" and (\"NegotiateSMB\" or \"NegotiateSMB2\")) or\n \"4E544C4D53535000\" or\n \"0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50\" or\n \"0x4e,0x54,0x20,0x4c,0x4d\" or\n \"0x53,0x4d,0x42,0x20,0x32\" or\n \"0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38\"\n ) and\n not file.directory : \"C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\"\n", "references": ["https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1", "https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBExec.ps1", "https://github.com/dafthack/Check-LocalAdminHash/blob/master/Check-LocalAdminHash.ps1", "https://github.com/nettitude/PoshC2/blob/master/resources/modules/Invoke-Tater.ps1", "https://github.com/Kevin-Robertson/Inveigh/blob/master/Inveigh.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 73, "rule_id": "951779c2-82ad-4a6c-82b8-296c1f691449", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates 
>\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1557", "name": "Adversary-in-the-Middle", "reference": "https://attack.mitre.org/techniques/T1557/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.002", "name": "Pass the Hash", "reference": "https://attack.mitre.org/techniques/T1550/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "951779c2-82ad-4a6c-82b8-296c1f691449_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/951779c2-82ad-4a6c-82b8-296c1f691449_3.json b/packages/security_detection_engine/kibana/security_rule/951779c2-82ad-4a6c-82b8-296c1f691449_3.json
deleted file mode 100644
index b00e14e9c9e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/951779c2-82ad-4a6c-82b8-296c1f691449_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can execute pass-the-hash (PtH) attacks, intercept and relay NTLM challenges, and carry out other man-in-the-middle (MitM) attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential PowerShell Pass-the-Hash/Relay Script", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n (\"NTLMSSPNegotiate\" and (\"NegotiateSMB\" or \"NegotiateSMB2\")) or\n \"4E544C4D53535000\" or\n \"0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50\" or\n \"0x4e,0x54,0x20,0x4c,0x4d\" or\n \"0x53,0x4d,0x42,0x20,0x32\" or\n \"0x81,0xbb,0x7a,0x36,0x44,0x98,0xf1,0x35,0xad,0x32,0x98,0xf0,0x38\"\n ) and\n not file.directory : \"C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Downloads\"\n", "references": ["https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-WMIExec.ps1", "https://github.com/Kevin-Robertson/Invoke-TheHash/blob/master/Invoke-SMBExec.ps1", "https://github.com/dafthack/Check-LocalAdminHash/blob/master/Check-LocalAdminHash.ps1", "https://github.com/nettitude/PoshC2/blob/master/resources/modules/Invoke-Tater.ps1", "https://github.com/Kevin-Robertson/Inveigh/blob/master/Inveigh.ps1"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.directory", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 73, "rule_id": "951779c2-82ad-4a6c-82b8-296c1f691449", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates 
>\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1557", "name": "Adversary-in-the-Middle", "reference": "https://attack.mitre.org/techniques/T1557/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.002", "name": "Pass the Hash", "reference": "https://attack.mitre.org/techniques/T1550/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "951779c2-82ad-4a6c-82b8-296c1f691449_3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9.json b/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9.json
deleted file mode 100644
index 93a8d66787d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Scheduled Task Creation", "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the base64 encoded tasks actions registry value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. 
Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", "query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and\n network.direction : (\"incoming\", \"ingress\") and source.port >= 49152 and destination.port >= 49152 and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n [registry where host.os.type == \"windows\" and event.type == \"change\" and registry.value : \"Actions\" and\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, 
"name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "954ee7c8-5437-49ae-b2d6-2960883898e9", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 109}, "id": "954ee7c8-5437-49ae-b2d6-2960883898e9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_104.json b/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_104.json deleted file mode 100644 index 1c5ac9a430e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Scheduled Task Creation", "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the base64 encoded tasks actions registry value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. 
Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", "query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and\n network.direction : (\"incoming\", \"ingress\") and source.port >= 49152 and destination.port >= 49152 and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n [registry where host.os.type == \"windows\" and registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": 
"source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "954ee7c8-5437-49ae-b2d6-2960883898e9", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 104}, "id": "954ee7c8-5437-49ae-b2d6-2960883898e9_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_105.json b/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_105.json deleted file mode 100644 index eae55d5cf75..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Scheduled Task Creation", "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the base64 encoded tasks actions registry value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. 
Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", "query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and\n network.direction : (\"incoming\", \"ingress\") and source.port >= 49152 and destination.port >= 49152 and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n [registry where host.os.type == \"windows\" and registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": 
"source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "954ee7c8-5437-49ae-b2d6-2960883898e9", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 105}, "id": "954ee7c8-5437-49ae-b2d6-2960883898e9_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_106.json b/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_106.json deleted file mode 100644 index e0100e42aeb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_106.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Scheduled Task Creation", "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the base64 encoded tasks actions registry value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. 
Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", "query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and\n network.direction : (\"incoming\", \"ingress\") and source.port >= 49152 and destination.port >= 49152 and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n [registry where host.os.type == \"windows\" and registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": 
"source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "954ee7c8-5437-49ae-b2d6-2960883898e9", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 106}, "id": "954ee7c8-5437-49ae-b2d6-2960883898e9_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_107.json b/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_107.json deleted file mode 100644 index c51a504b933..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_107.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Scheduled Task Creation", "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the base64 encoded tasks actions registry value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. 
Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", "query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and\n network.direction : (\"incoming\", \"ingress\") and source.port >= 49152 and destination.port >= 49152 and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n [registry where host.os.type == \"windows\" and registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": 
"source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "954ee7c8-5437-49ae-b2d6-2960883898e9", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 107}, "id": "954ee7c8-5437-49ae-b2d6-2960883898e9_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_108.json b/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_108.json deleted file mode 100644 index 322549d8df7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_108.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Scheduled Task Creation", "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the base64 encoded tasks actions registry value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. 
Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", "query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and\n network.direction : (\"incoming\", \"ingress\") and source.port >= 49152 and destination.port >= 49152 and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n [registry where host.os.type == \"windows\" and registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": 
"source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "954ee7c8-5437-49ae-b2d6-2960883898e9", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 108}, "id": "954ee7c8-5437-49ae-b2d6-2960883898e9_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_109.json b/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_109.json deleted file mode 100644 index 79196154ff5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_109.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Scheduled Task Creation", "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the base64 encoded tasks actions registry value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. 
Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", "query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and\n network.direction : (\"incoming\", \"ingress\") and source.port >= 49152 and destination.port >= 49152 and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n [registry where host.os.type == \"windows\" and event.type == \"change\" and registry.value : \"Actions\" and\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, 
"name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "954ee7c8-5437-49ae-b2d6-2960883898e9", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 109}, "id": "954ee7c8-5437-49ae-b2d6-2960883898e9_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_110.json b/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_110.json deleted file mode 100644 index cbdbb454c36..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/954ee7c8-5437-49ae-b2d6-2960883898e9_110.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies remote scheduled task creations on a target host. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Scheduled Task Creation", "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the base64 encoded tasks actions registry value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. 
Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", "query": "/* Task Scheduler service incoming connection followed by TaskCache registry modification */\n\nsequence by host.id, process.entity_id with maxspan = 1m\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and\n network.direction : (\"incoming\", \"ingress\") and source.port >= 49152 and destination.port >= 49152 and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ]\n [registry where host.os.type == \"windows\" and event.type == \"change\" and registry.value : \"Actions\" and\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\TaskCache\\\\Tasks\\\\*\\\\Actions\"]\n", "references": ["https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"network.direction", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "954ee7c8-5437-49ae-b2d6-2960883898e9", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 110}, "id": "954ee7c8-5437-49ae-b2d6-2960883898e9_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70.json b/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70.json deleted file mode 100644 index 4dde7c21bf8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can take screenshots, which is a common feature in post-exploitation kits and remote access tools (RATs).", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Script with Screenshot Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Screenshot Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, which makes it available for use in various environments and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities and take screen captures of desktops to gather information over the course of an operation.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to take screenshots, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n CopyFromScreen and\n (\"System.Drawing.Bitmap\" or \"Drawing.Bitmap\")\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "959a7353-1129-4aa7-9084-30746b256a70", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1113", "name": "Screen 
Capture", "reference": "https://attack.mitre.org/techniques/T1113/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "959a7353-1129-4aa7-9084-30746b256a70", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_105.json b/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_105.json
deleted file mode 100644
index 1eff91009c0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can take screenshots, which is a common feature in post-exploitation kits and remote access tools (RATs).", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Script with Screenshot Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Screenshot Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, which makes it available for use in various environments and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities and take screen captures of desktops to gather information over the course of an operation.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to take screenshots, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n CopyFromScreen and\n (\"System.Drawing.Bitmap\" or \"Drawing.Bitmap\")\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "959a7353-1129-4aa7-9084-30746b256a70", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "Investigation Guide", "PowerShell"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1113", "name": "Screen Capture", "reference": 
"https://attack.mitre.org/techniques/T1113/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "959a7353-1129-4aa7-9084-30746b256a70_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_106.json b/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_106.json
deleted file mode 100644
index 643dc7dc3b4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can take screenshots, which is a common feature in post-exploitation kits and remote access tools (RATs).", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Script with Screenshot Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Screenshot Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, which makes it available for use in various environments and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities and take screen captures of desktops to gather information over the course of an operation.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to take screenshots, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n CopyFromScreen and\n (\"System.Drawing.Bitmap\" or \"Drawing.Bitmap\")\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "959a7353-1129-4aa7-9084-30746b256a70", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1113", "name": "Screen Capture", 
"reference": "https://attack.mitre.org/techniques/T1113/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "959a7353-1129-4aa7-9084-30746b256a70_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_107.json b/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_107.json
deleted file mode 100644
index cfa33b5fd0a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can take screenshots, which is a common feature in post-exploitation kits and remote access tools (RATs).", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Script with Screenshot Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Screenshot Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, which makes it available for use in various environments and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities and take screen captures of desktops to gather information over the course of an operation.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to take screenshots, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n CopyFromScreen and\n (\"System.Drawing.Bitmap\" or \"Drawing.Bitmap\")\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "959a7353-1129-4aa7-9084-30746b256a70", "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1113", "name": "Screen 
Capture", "reference": "https://attack.mitre.org/techniques/T1113/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "959a7353-1129-4aa7-9084-30746b256a70_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_108.json b/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_108.json
deleted file mode 100644
index 9cc85bbf3e9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can take screenshots, which is a common feature in post-exploitation kits and remote access tools (RATs).", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Script with Screenshot Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Screenshot Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, which makes it available for use in various environments and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities and take screen captures of desktops to gather information over the course of an operation.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to take screenshots, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n CopyFromScreen and\n (\"System.Drawing.Bitmap\" or \"Drawing.Bitmap\")\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "959a7353-1129-4aa7-9084-30746b256a70", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1113", "name": "Screen 
Capture", "reference": "https://attack.mitre.org/techniques/T1113/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "959a7353-1129-4aa7-9084-30746b256a70_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_109.json b/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_109.json
deleted file mode 100644
index b8d09dfa8fb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/959a7353-1129-4aa7-9084-30746b256a70_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can take screenshots, which is a common feature in post-exploitation kits and remote access tools (RATs).", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Suspicious Script with Screenshot Capabilities", "note": "## Triage and analysis\n\n### Investigating PowerShell Suspicious Script with Screenshot Capabilities\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, which makes it available for use in various environments and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities and take screen captures of desktops to gather information over the course of an operation.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to take screenshots, which makes false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n CopyFromScreen and\n (\"System.Drawing.Bitmap\" or \"Drawing.Bitmap\")\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "959a7353-1129-4aa7-9084-30746b256a70", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1113", "name": "Screen 
Capture", "reference": "https://attack.mitre.org/techniques/T1113/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 109}, "id": "959a7353-1129-4aa7-9084-30746b256a70_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/95b99adc-2cda-11ef-84e1-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/95b99adc-2cda-11ef-84e1-f661ea17fbce.json
deleted file mode 100644
index 21e69c01a13..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/95b99adc-2cda-11ef-84e1-f661ea17fbce.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.", "false_positives": ["Users may share an endpoint related to work or personal use in which separate Okta accounts are used.", "Shared systems such as Kiosks and conference room computers may be used by multiple users."], "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "Multiple Okta User Authentication Events with Same Device Token Hash", "note": "## Triage and analysis\n\n### Investigating Multiple Okta User Authentication Events with Same Device Token Hash\n\nThis rule detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. 
Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\n\n#### Possible investigation steps:\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.debug_context.debug_data.dt_hash` values can be used to pivot into the raw authentication events related to this activity.\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.\n - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\n- Examine the `okta.outcome.result` field to determine if the authentication was successful.\n- Review the past activities of the actor(s) 
involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\n - Shared working spaces may have a single endpoint that is used by multiple users.\n\n### Response and remediation:\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for the user.\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` 
list in the rule.\n - This will prevent future occurrences of this event for this device from triggering the rule.\n", "query": "FROM logs-okta*\n| WHERE\n event.dataset == \"okta.system\"\n AND (event.action RLIKE \"user\\\\.authentication(.*)\" OR event.action == \"user.session.start\")\n AND okta.debug_context.debug_data.dt_hash != \"-\"\n AND okta.outcome.reason == \"INVALID_CREDENTIALS\"\n| STATS\n target_auth_count = COUNT_DISTINCT(okta.actor.id)\n BY okta.debug_context.debug_data.dt_hash, okta.actor.alternate_id\n| WHERE\n target_auth_count > 20\n| SORT\n target_auth_count DESC\n", "references": ["https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/"], "risk_score": 21, "rule_id": "95b99adc-2cda-11ef-84e1-f661ea17fbce", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}, {"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.004", "name": "Credential Stuffing", "reference": "https://attack.mitre.org/techniques/T1110/004/"}]}]}], 
"timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "95b99adc-2cda-11ef-84e1-f661ea17fbce", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/95b99adc-2cda-11ef-84e1-f661ea17fbce_1.json b/packages/security_detection_engine/kibana/security_rule/95b99adc-2cda-11ef-84e1-f661ea17fbce_1.json
deleted file mode 100644
index 204f2ad2a40..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/95b99adc-2cda-11ef-84e1-f661ea17fbce_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.", "false_positives": ["Users may share an endpoint related to work or personal use in which separate Okta accounts are used.", "Shared systems such as Kiosks and conference room computers may be used by multiple users."], "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "Multiple Okta User Authentication Events with Same Device Token Hash", "note": "## Triage and analysis\n\n### Investigating Multiple Okta User Authentication Events with Same Device Token Hash\n\nThis rule detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. 
Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\n\n#### Possible investigation steps:\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.debug_context.debug_data.dt_hash` values can be used to pivot into the raw authentication events related to this activity.\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.\n - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\n- Examine the `okta.outcome.result` field to determine if the authentication was successful.\n- Review the past activities of the actor(s) 
involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\n - Shared working spaces may have a single endpoint that is used by multiple users.\n\n### Response and remediation:\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for the user.\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` 
list in the rule.\n - This will prevent future occurrences of this event for this device from triggering the rule.\n", "query": "FROM logs-okta*\n| WHERE\n event.dataset == \"okta.system\"\n AND (event.action RLIKE \"user\\\\.authentication(.*)\" OR event.action == \"user.session.start\")\n AND okta.debug_context.debug_data.dt_hash != \"-\"\n AND okta.outcome.reason == \"INVALID_CREDENTIALS\"\n| STATS\n target_auth_count = COUNT_DISTINCT(okta.actor.id)\n BY okta.debug_context.debug_data.dt_hash, okta.actor.alternate_id\n| WHERE\n target_auth_count > 20\n| SORT\n target_auth_count DESC\n", "references": ["https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/"], "risk_score": 21, "rule_id": "95b99adc-2cda-11ef-84e1-f661ea17fbce", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}, {"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.004", "name": "Credential Stuffing", "reference": "https://attack.mitre.org/techniques/T1110/004/"}]}]}], 
"timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "95b99adc-2cda-11ef-84e1-f661ea17fbce_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/95b99adc-2cda-11ef-84e1-f661ea17fbce_103.json b/packages/security_detection_engine/kibana/security_rule/95b99adc-2cda-11ef-84e1-f661ea17fbce_103.json
new file mode 100644
index 00000000000..e1d09196585
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/95b99adc-2cda-11ef-84e1-f661ea17fbce_103.json
@@ -0,0 +1,77 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.",
+ "false_positives": [
+ "Users may share an endpoint related to work or personal use in which separate Okta accounts are used.",
+ "Shared systems such as Kiosks and conference room computers may be used by multiple users."
+ ],
+ "from": "now-9m",
+ "language": "esql",
+ "license": "Elastic License v2",
+ "name": "Multiple Okta User Authentication Events with Same Device Token Hash",
+ "note": "## Triage and analysis\n\n### Investigating Multiple Okta User Authentication Events with Same Device Token Hash\n\nThis rule detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. 
Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\n\n#### Possible investigation steps:\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.debug_context.debug_data.dt_hash` values can be used to pivot into the raw authentication events related to this activity.\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.\n - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\n- Examine the `okta.outcome.result` field to determine if the authentication was successful.\n- Review the past activities of the actor(s) 
involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\n - Shared working spaces may have a single endpoint that is used by multiple users.\n\n### Response and remediation:\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for the user.\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` 
list in the rule.\n - This will prevent future occurrences of this event for this device from triggering the rule.\n",
+ "query": "FROM logs-okta*\n| WHERE\n event.dataset == \"okta.system\"\n AND (event.action RLIKE \"user\\\\.authentication(.*)\" OR event.action == \"user.session.start\")\n AND okta.debug_context.debug_data.dt_hash != \"-\"\n AND okta.outcome.reason == \"INVALID_CREDENTIALS\"\n| KEEP event.action, okta.debug_context.debug_data.dt_hash, okta.actor.id, okta.actor.alternate_id, okta.outcome.reason\n| STATS\n target_auth_count = COUNT_DISTINCT(okta.actor.id)\n BY okta.debug_context.debug_data.dt_hash, okta.actor.alternate_id\n| WHERE\n target_auth_count > 20\n| SORT\n target_auth_count DESC\n",
+ "references": [
+ "https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "risk_score": 21,
+ "rule_id": "95b99adc-2cda-11ef-84e1-f661ea17fbce",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "low",
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Credential Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1110",
+ "name": "Brute Force",
+ "reference": "https://attack.mitre.org/techniques/T1110/",
+ 
"subtechnique": [
+ {
+ "id": "T1110.003",
+ "name": "Password Spraying",
+ "reference": "https://attack.mitre.org/techniques/T1110/003/"
+ }
+ ]
+ },
+ {
+ "id": "T1110",
+ "name": "Brute Force",
+ "reference": "https://attack.mitre.org/techniques/T1110/",
+ "subtechnique": [
+ {
+ "id": "T1110.004",
+ "name": "Credential Stuffing",
+ "reference": "https://attack.mitre.org/techniques/T1110/004/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "esql",
+ "version": 103
+ },
+ "id": "95b99adc-2cda-11ef-84e1-f661ea17fbce_103",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/95b99adc-2cda-11ef-84e1-f661ea17fbce_2.json b/packages/security_detection_engine/kibana/security_rule/95b99adc-2cda-11ef-84e1-f661ea17fbce_2.json
deleted file mode 100644
index fda2cbc67c7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/95b99adc-2cda-11ef-84e1-f661ea17fbce_2.json
+++ /dev/null
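Review bot: The `STATS` in the new `query` groups `BY okta.debug_context.debug_data.dt_hash, okta.actor.alternate_id`, so `target_auth_count = COUNT_DISTINCT(okta.actor.id)` is computed per (device token, username) pair rather than per device token; if each alternate_id resolves to a single actor.id, that count stays at 1 and the `target_auth_count > 20` threshold would never be met, leaving the rule silent against the many-users-from-one-device pattern its name and description describe. This depends on how Okta populates `okta.actor.id` on INVALID_CREDENTIALS events, so it should be confirmed against sample data before relying on the rule; if confirmed, grouping `BY okta.debug_context.debug_data.dt_hash` alone, with the usernames collected as a separate aggregation (for example `VALUES(okta.actor.alternate_id)`) for pivoting, restores the per-device count the investigation guide assumes. The added `KEEP` is a good change for the version bump, but note it must retain every field the `STATS` uses, so it should be kept in sync if the grouping key changes. Minor wording in the `note` string: "resetting passwords for the users involves" should read "for the users involved".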
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.", "false_positives": ["Users may share an endpoint related to work or personal use in which separate Okta accounts are used.", "Shared systems such as Kiosks and conference room computers may be used by multiple users."], "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "Multiple Okta User Authentication Events with Same Device Token Hash", "note": "## Triage and analysis\n\n### Investigating Multiple Okta User Authentication Events with Same Device Token Hash\n\nThis rule detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts. 
Note that Okta does not log unrecognized usernames supplied during authentication attempts, so this rule may not detect all credential stuffing attempts or may indicate a targeted attack.\n\n#### Possible investigation steps:\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.debug_context.debug_data.dt_hash` values can be used to pivot into the raw authentication events related to this activity.\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- Review the `okta.security_context.is_proxy` field to determine if the device is a proxy.\n - If the device is a proxy, this may indicate that a user is using a proxy to access multiple accounts for password spraying.\n- With the list of `okta.actor.alternate_id` values, review `event.outcome` results to determine if the authentication was successful.\n - If the authentication was successful for any user, pivoting to `event.action` values for those users may provide additional context.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - If the event type is `user.authentication.sso`, the user may have legitimately started a session via a proxy for security or privacy reasons.\n - If the event type is `user.authentication.password`, the user may be using a proxy to access multiple accounts for password spraying.\n- Examine the `okta.outcome.result` field to determine if the authentication was successful.\n- Review the past activities of the actor(s) 
involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n\n### False positive analysis:\n- A user may have legitimately started a session via a proxy for security or privacy reasons.\n- Users may share an endpoint related to work or personal use in which separate Okta accounts are used.\n - Architecturally, this shared endpoint may leverage a proxy for security or privacy reasons.\n - Shared systems such as Kiosks and conference room computers may be used by multiple users.\n - Shared working spaces may have a single endpoint that is used by multiple users.\n\n### Response and remediation:\n- Review the profile of the users involved in this action to determine if proxy usage may be expected.\n- If the user is legitimate and the authentication behavior is not suspicious based on device analysis, no action is required.\n- If the user is legitimate but the authentication behavior is suspicious, consider resetting passwords for the users involves and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for the user.\n- If this is a false positive, consider adding the `okta.debug_context.debug_data.dt_hash` field to the `exceptions` 
list in the rule.\n - This will prevent future occurrences of this event for this device from triggering the rule.\n", "query": "FROM logs-okta*\n| WHERE\n event.dataset == \"okta.system\"\n AND (event.action RLIKE \"user\\\\.authentication(.*)\" OR event.action == \"user.session.start\")\n AND okta.debug_context.debug_data.dt_hash != \"-\"\n AND okta.outcome.reason == \"INVALID_CREDENTIALS\"\n| STATS\n target_auth_count = COUNT_DISTINCT(okta.actor.id)\n BY okta.debug_context.debug_data.dt_hash, okta.actor.alternate_id\n| WHERE\n target_auth_count > 20\n| SORT\n target_auth_count DESC\n", "references": ["https://support.okta.com/help/s/article/How-does-the-Device-Token-work?language=en_US", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.okta.com/resources/whitepaper-how-adaptive-mfa-can-help-in-mitigating-brute-force-attacks/", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "risk_score": 21, "rule_id": "95b99adc-2cda-11ef-84e1-f661ea17fbce", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}, {"id": "T1110", "name": "Brute Force", "reference": 
"https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.004", "name": "Credential Stuffing", "reference": "https://attack.mitre.org/techniques/T1110/004/"}]}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 2}, "id": "95b99adc-2cda-11ef-84e1-f661ea17fbce_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/962a71ae-aac9-11ef-9348-f661ea17fbce_1.json b/packages/security_detection_engine/kibana/security_rule/962a71ae-aac9-11ef-9348-f661ea17fbce_1.json
new file mode 100644
index 00000000000..5a7c25e644a
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/962a71ae-aac9-11ef-9348-f661ea17fbce_1.json
@@ -0,0 +1,141 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Identifies when the STS `AssumeRoot` action is performed by a rare user in AWS. The AssumeRoot action allows users to assume the root member account role, granting elevated but specific permissions based on the task policy specified. Adversaries whom may have compromised user credentials, such as access and secret keys, can use this technique to escalate privileges and gain unauthorized access to AWS resources. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that identifies when the STS `AssumeRoot` action is performed by a user that rarely assumes this role and specific member account.", + "false_positives": [ + "AWS administrators or automated processes might regularly assume root for legitimate administrative purposes.", + "AWS services might assume root to access AWS resources as part of their standard operations.", + "Automated workflows might assume root to perform periodic administrative tasks." 
+ ], + "from": "now-9m", + "history_window_start": "now-10d", + "index": [ + "filebeat-*", + "logs-aws.cloudtrail-*" + ], + "investigation_fields": { + "field_names": [ + "@timestamp", + "aws.cloudtrail.user_identity.type", + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.user_identity.access_key_id", + "source.address", + "aws.cloudtrail.resources.account_id", + "aws.cloudtrail.recipient_account_id", + "aws.cloudtrail.flattened.request_parameters", + "event.action", + "event.outcome", + "aws.cloudtrail.flattened.request_parameters.taskPolicyArn", + "cloud.region", + "aws.cloudtrail.request_parameters", + "aws.cloudtrail.response_elements" + ] + }, + "language": "kuery", + "license": "Elastic License v2", + "name": "AWS STS AssumeRoot by Rare User and Member Account", + "new_terms_fields": [ + "aws.cloudtrail.user_identity.arn", + "aws.cloudtrail.resources.account_id" + ], + "note": "## Triage and Analysis\n\n### Investigating AWS STS AssumeRoot by Rare User and Member Account\n\nThis rule identifies instances where AWS STS (Security Token Service) is used to assume a root role, granting temporary credentials for AWS resource access. While this action is often legitimate, it can be exploited by adversaries to obtain unauthorized access, escalate privileges, or move laterally within an AWS environment.\n\n#### Possible Investigation Steps\n\n- **Identify the Actor and Assumed Role**:\n - **User Identity**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type` fields to determine who initiated the `AssumeRoot` action.\n - **Account Context**: Check the `aws.cloudtrail.recipient_account_id` field for the account affected by the action. This is likely the management account.\n - **Authentication**: If available, review the `aws.cloudtrail.user_identity.access_key_id` to identify the access key used for the action. 
This key may be compromised in the case of unauthorized activity.\n - **Resources**: Inspect `aws.cloudtrail.resources.type` and `aws.cloudtrail.resources.arn` to determine the resource or role assumed. This is the member account where the root role was assumed.\n\n- **Analyze Request Parameters**:\n - **Session Details**: Check `aws.cloudtrail.flattened.request_parameters.durationSeconds` for session duration.\n - **Permissions**: Review `aws.cloudtrail.flattened.request_parameters.taskPolicyArn` for the associated policy. These policies are predefined and grant specific permissions to the assumed root account.\n - **Target Entity**: Inspect the `aws.cloudtrail.flattened.request_parameters.targetPrincipal` field for the entity being accessed. This is typically the member account.\n - **Target Policy**: Inspect the `aws.cloudtrail.flattened.request_parameters.targetPolicyArn` field for the policy applied to temporary root credentials. This can help determine the scope of the permissions granted.\n\n- **Examine Response Details**:\n - **Credentials Issued**: Review `aws.cloudtrail.flattened.response_elements.credentials` to confirm credentials were issued and note their expiration (`expiration` field). The temporary access key can be used to pivot into other actions done by the assumed root account by searching for the value in `aws.cloudtrail.user_identity.access_key_id`.\n\n- **Inspect Source Details**:\n - **Source IP and Location**: Evaluate `source.address` and `source.geo` fields to confirm the request's origin. 
Unusual locations might indicate unauthorized activity.\n - **User Agent**: Analyze `user_agent.original` to determine the tool or application used (e.g., AWS CLI, SDK, or custom tooling).\n\n- **Correlate with Related Events**:\n - **Concurrent Events**: Look for surrounding CloudTrail events that indicate follow-up actions, such as access to sensitive resources or privilege escalation attempts.\n - **Historical Activity**: Review historical activity for the `aws.cloudtrail.user_identity.arn` to determine if this action is anomalous.\n\n- **Evaluate Privilege Escalation Risk**:\n - **Role Privileges**: Inspect the privileges granted by the assumed role or task policy (`aws.cloudtrail.flattened.request_parameters.taskPolicyArn`).\n - **Operational Context**: Confirm whether the action aligns with routine operations or is unusual.\n\n### False Positive Analysis\n\n- **Authorized Administrative Activity**:\n - Verify if the activity was initiated by an AWS administrator for legitimate purposes.\n- **Automated Workflows**:\n - Identify if the action was part of an automated process or workflow.\n\n### Response and Remediation\n\n1. **Revoke Unauthorized Credentials**:\n - If malicious activity is identified, immediately revoke the session tokens and access keys associated with the `AssumeRoot` action.\n - It may be worth removing the compromised access key from the affected user or service account.\n2. **Enhance Monitoring**:\n - Increase the monitoring frequency for sensitive roles and actions, especially `AssumeRoot`.\n3. **Review IAM Policies**:\n - Limit permissions for accounts or roles to assume root and enforce multi-factor authentication (MFA) where applicable.\n4. 
**Contain and Investigate**:\n - Isolate affected accounts or roles and follow incident response procedures to determine the scope and impact of the activity.\n\n### Additional Information\n\nFor more information on AssumeRoot, refer to the [AWS STS documentation](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoot.html).\n", + "query": "event.dataset: \"aws.cloudtrail\"\n and event.provider: \"sts.amazonaws.com\"\n and event.action: \"AssumeRoot\"\n and event.outcome: \"success\"\n", + "references": [ + "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoot.html" + ], + "related_integrations": [ + { + "integration": "cloudtrail", + "package": "aws", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.outcome", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.provider", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "962a71ae-aac9-11ef-9348-f661ea17fbce", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Data Source: AWS STS", + "Resources: Investigation Guide", + "Use Case: Identity and Access Audit", + "Tactic: Privilege Escalation" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0004", + "name": "Privilege Escalation", + "reference": "https://attack.mitre.org/tactics/TA0004/" + }, + "technique": [ + { + "id": "T1548", + "name": "Abuse Elevation Control Mechanism", + "reference": "https://attack.mitre.org/techniques/T1548/", + "subtechnique": [ + { + "id": "T1548.005", + "name": "Temporary Elevated Cloud Access", + "reference": "https://attack.mitre.org/techniques/T1548/005/" + } + ] + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": 
"https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1098",
+ "name": "Account Manipulation",
+ "reference": "https://attack.mitre.org/techniques/T1098/",
+ "subtechnique": [
+ {
+ "id": "T1098.003",
+ "name": "Additional Cloud Roles",
+ "reference": "https://attack.mitre.org/techniques/T1098/003/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "new_terms",
+ "version": 1
+ },
+ "id": "962a71ae-aac9-11ef-9348-f661ea17fbce_1",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9661ed8b-001c-40dc-a777-0983b7b0c91a.json b/packages/security_detection_engine/kibana/security_rule/9661ed8b-001c-40dc-a777-0983b7b0c91a.json
deleted file mode 100644
index 3e55bcfad68..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9661ed8b-001c-40dc-a777-0983b7b0c91a.json
+++ /dev/null
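Review bot: The new rule carries no `setup` entry, unlike the Okta rule earlier in this patch, so nothing in the rule tells an operator that the CloudTrail integration listed under `related_integrations` must be shipping `logs-aws.cloudtrail-*` before it can fire; a `"setup": "The AWS CloudTrail integration, Filebeat module, or similarly structured data is required to be compatible with this rule."` between `rule_id` and `severity` would follow the package's existing style. The query also keys only on `event.outcome: "success"`, so denied `AssumeRoot` calls are never evaluated; if that is deliberate, a sentence in the `note` saying that failed attempts need separate coverage would stop an analyst from assuming this rule sees them. The `new_terms_fields` pair `aws.cloudtrail.user_identity.arn` with `aws.cloudtrail.resources.account_id`, while the investigation guide points at `aws.cloudtrail.resources.arn` for the member account — worth confirming `resources.account_id` is actually populated on these events, since I cannot tell from the rule alone. Separately, the description reads "Adversaries whom may have compromised user credentials"; it should be "who".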
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the use of system search utilities like grep and find to search for private SSH keys or passwords inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying host machine.", "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "Sensitive Keys Or Passwords Searched For Inside A Container", "query": "process where container.id: \"*\" and event.type== \"start\" and\n((\n/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/ \n (process.name in (\"grep\", \"egrep\", \"fgrep\") or process.args in (\"grep\", \"egrep\", \"fgrep\")) \n and process.args : (\"*BEGIN PRIVATE*\", \"*BEGIN OPENSSH PRIVATE*\", \"*BEGIN RSA PRIVATE*\", \n\"*BEGIN DSA PRIVATE*\", \"*BEGIN EC PRIVATE*\", \"*pass*\", \"*ssh*\", \"*user*\")\n) \nor \n(\n/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/\n (process.name in (\"find\", \"locate\", \"mlocate\") or process.args in (\"find\", \"locate\", \"mlocate\")) \n and process.args : (\"*id_rsa*\", \"*id_dsa*\")\n))\n", "references": ["https://sysdig.com/blog/cve-2021-25741-kubelet-falco/"], "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "container.id", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "9661ed8b-001c-40dc-a777-0983b7b0c91a", "severity": "medium", "tags": ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", 
"Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.001", "name": "Credentials In Files", "reference": "https://attack.mitre.org/techniques/T1552/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "9661ed8b-001c-40dc-a777-0983b7b0c91a", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9661ed8b-001c-40dc-a777-0983b7b0c91a_1.json b/packages/security_detection_engine/kibana/security_rule/9661ed8b-001c-40dc-a777-0983b7b0c91a_1.json
deleted file mode 100644
index fb61a84fe38..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9661ed8b-001c-40dc-a777-0983b7b0c91a_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the use of system search utilities like grep and find to search for private SSH keys or passwords inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying host machine.", "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "Sensitive Keys Or Passwords Searched For Inside A Container", "query": "process where container.id: \"*\" and event.type== \"start\" and\n((\n/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/ \n (process.name in (\"grep\", \"egrep\", \"fgrep\") or process.args in (\"grep\", \"egrep\", \"fgrep\")) \n and process.args : (\"*BEGIN PRIVATE*\", \"*BEGIN OPENSSH PRIVATE*\", \"*BEGIN RSA PRIVATE*\", \n\"*BEGIN DSA PRIVATE*\", \"*BEGIN EC PRIVATE*\", \"*pass*\", \"*ssh*\", \"*user*\")\n) \nor \n(\n/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/\n (process.name in (\"find\", \"locate\", \"mlocate\") or process.args in (\"find\", \"locate\", \"mlocate\")) \n and process.args : (\"*id_rsa*\", \"*id_dsa*\")\n))\n", "references": ["https://sysdig.com/blog/cve-2021-25741-kubelet-falco/"], "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "container.id", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "9661ed8b-001c-40dc-a777-0983b7b0c91a", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Container", "Threat Detection", "Credential Access"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.001", "name": "Credentials In Files", "reference": "https://attack.mitre.org/techniques/T1552/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "9661ed8b-001c-40dc-a777-0983b7b0c91a_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759.json b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759.json
deleted file mode 100644
index db0bd8a396b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.).", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "File made Immutable by Chattr", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and user.id == \"0\" and\n process.executable : \"/usr/bin/chattr\" and process.args : (\"-*i*\", \"+*i*\") and\n not process.parent.executable: (\"/lib/systemd/systemd\", \"/usr/local/uems_agent/bin/*\", \"/usr/lib/systemd/systemd\") and\n not process.parent.name in (\"systemd\", \"cf-agent\", \"ntpdate\", \"xargs\", \"px\", \"preinst\", \"auth\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "968ccab9-da51-4a87-9ce2-d3c9782fd759", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/", "subtechnique": [{"id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "968ccab9-da51-4a87-9ce2-d3c9782fd759", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_103.json b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_103.json
deleted file mode 100644
index 8975426e379..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.).", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "File made Immutable by Chattr", "note": "", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and user.name == \"root\" and\n process.executable : \"/usr/bin/chattr\" and process.args : (\"-*i*\", \"+*i*\") and\n not process.parent.executable: \"/lib/systemd/systemd\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "968ccab9-da51-4a87-9ce2-d3c9782fd759", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/", "subtechnique": [{"id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "968ccab9-da51-4a87-9ce2-d3c9782fd759_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_104.json b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_104.json
deleted file mode 100644
index af48efffad7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.).", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "File made Immutable by Chattr", "note": "", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and user.name == \"root\" and\n process.executable : \"/usr/bin/chattr\" and process.args : (\"-*i*\", \"+*i*\") and\n not process.parent.executable: (\"/lib/systemd/systemd\", \"/usr/local/uems_agent/bin/*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "968ccab9-da51-4a87-9ce2-d3c9782fd759", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/", "subtechnique": [{"id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "968ccab9-da51-4a87-9ce2-d3c9782fd759_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_105.json b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_105.json deleted file mode 100644 index a80e6ce2639..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.).", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "File made Immutable by Chattr", "note": "", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and user.name == \"root\" and\n process.executable : \"/usr/bin/chattr\" and process.args : (\"-*i*\", \"+*i*\") and\n not process.parent.executable: (\"/lib/systemd/systemd\", \"/usr/local/uems_agent/bin/*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "968ccab9-da51-4a87-9ce2-d3c9782fd759", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: 
Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/", "subtechnique": [{"id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "968ccab9-da51-4a87-9ce2-d3c9782fd759_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_106.json b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_106.json deleted file mode 100644 index a85444ec20a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.).", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "File made Immutable by Chattr", "note": "", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and user.name == \"root\" and\n process.executable : \"/usr/bin/chattr\" and process.args : (\"-*i*\", \"+*i*\") and\n not process.parent.executable: (\"/lib/systemd/systemd\", \"/usr/local/uems_agent/bin/*\", \"/usr/lib/systemd/systemd\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "968ccab9-da51-4a87-9ce2-d3c9782fd759", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: 
Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/", "subtechnique": [{"id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "968ccab9-da51-4a87-9ce2-d3c9782fd759_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_107.json b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_107.json deleted file mode 100644 index 409663dc6ab..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.).", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "File made Immutable by Chattr", "note": "### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and user.name == \"root\" and\n process.executable : \"/usr/bin/chattr\" and process.args : (\"-*i*\", \"+*i*\") and\n not process.parent.executable: (\"/lib/systemd/systemd\", \"/usr/local/uems_agent/bin/*\", \"/usr/lib/systemd/systemd\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "968ccab9-da51-4a87-9ce2-d3c9782fd759", "setup": "This rule requires data coming in 
either from Elastic Defend, or Auditbeat integration.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/", "subtechnique": [{"id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "968ccab9-da51-4a87-9ce2-d3c9782fd759_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_108.json b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_108.json deleted file mode 100644 index 6da8056aeea..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.).", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "File made Immutable by Chattr", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and user.name == \"root\" and\n process.executable : \"/usr/bin/chattr\" and process.args : (\"-*i*\", \"+*i*\") and\n not process.parent.executable: (\"/lib/systemd/systemd\", \"/usr/local/uems_agent/bin/*\", \"/usr/lib/systemd/systemd\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "968ccab9-da51-4a87-9ce2-d3c9782fd759", "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/", "subtechnique": [{"id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "968ccab9-da51-4a87-9ce2-d3c9782fd759_108", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_109.json b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_109.json
deleted file mode 100644
index b33c1ed03b8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.).", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "File made Immutable by Chattr", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and user.name == \"root\" and\n process.executable : \"/usr/bin/chattr\" and process.args : (\"-*i*\", \"+*i*\") and\n not process.parent.executable: (\"/lib/systemd/systemd\", \"/usr/local/uems_agent/bin/*\", \"/usr/lib/systemd/systemd\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "968ccab9-da51-4a87-9ce2-d3c9782fd759", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/", "subtechnique": [{"id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "968ccab9-da51-4a87-9ce2-d3c9782fd759_109", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_110.json b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_110.json
deleted file mode 100644
index bca2d63b0c0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.).", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "File made Immutable by Chattr", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and user.id == \"0\" and\n process.executable : \"/usr/bin/chattr\" and process.args : (\"-*i*\", \"+*i*\") and\n not process.parent.executable: (\"/lib/systemd/systemd\", \"/usr/local/uems_agent/bin/*\", \"/usr/lib/systemd/systemd\") and\n not process.parent.name in (\"systemd\", \"cf-agent\", \"ntpdate\", \"xargs\", \"px\", \"preinst\", \"auth\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "968ccab9-da51-4a87-9ce2-d3c9782fd759", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/", "subtechnique": [{"id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "968ccab9-da51-4a87-9ce2-d3c9782fd759_110", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_111.json b/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_111.json
deleted file mode 100644
index 4925d26be1f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/968ccab9-da51-4a87-9ce2-d3c9782fd759_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects a file being made immutable using the chattr binary. Making a file immutable means it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata can not be modified, and the file can not be opened in write mode. Threat actors will commonly utilize this to prevent tampering or modification of their malicious files or any system files they have modified for purposes of persistence (e.g .ssh, /etc/passwd, etc.).", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "File made Immutable by Chattr", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and user.id == \"0\" and\n process.executable : \"/usr/bin/chattr\" and process.args : (\"-*i*\", \"+*i*\") and\n not process.parent.executable: (\"/lib/systemd/systemd\", \"/usr/local/uems_agent/bin/*\", \"/usr/lib/systemd/systemd\") and\n not process.parent.name in (\"systemd\", \"cf-agent\", \"ntpdate\", \"xargs\", \"px\", \"preinst\", \"auth\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "968ccab9-da51-4a87-9ce2-d3c9782fd759", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/", "subtechnique": [{"id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "968ccab9-da51-4a87-9ce2-d3c9782fd759_111", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5.json b/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5.json
deleted file mode 100644
index ae5b76e3b3e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to create an Okta API token. An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies.", "false_positives": ["If the behavior of creating Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Create Okta API Token", "note": "", "query": "event.dataset:okta.system and event.action:system.api_token.create\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_102.json b/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_102.json
deleted file mode 100644
index 43a5c1ff9ec..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to create an Okta API token. An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies.", "false_positives": ["If the behavior of creating Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Create Okta API Token", "note": "", "query": "event.dataset:okta.system and event.action:system.api_token.create\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_103.json b/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_103.json
deleted file mode 100644
index 794013d0598..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to create an Okta API token. An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies.", "false_positives": ["If the behavior of creating Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Create Okta API Token", "note": "", "query": "event.dataset:okta.system and event.action:system.api_token.create\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_104.json b/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_104.json
deleted file mode 100644
index 7eda98b5954..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to create an Okta API token. An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies.", "false_positives": ["If the behavior of creating Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Create Okta API Token", "note": "", "query": "event.dataset:okta.system and event.action:system.api_token.create\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_205.json b/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_205.json
deleted file mode 100644
index 2886f18da3e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_205.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to create an Okta API token. An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies.", "false_positives": ["If the behavior of creating Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Create Okta API Token", "note": "", "query": "event.dataset:okta.system and event.action:system.api_token.create\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5_205", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_206.json b/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_206.json
deleted file mode 100644
index af3db9599f9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_206.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to create an Okta API token. An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies.", "false_positives": ["If the behavior of creating Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Create Okta API Token", "note": "", "query": "event.dataset:okta.system and event.action:system.api_token.create\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/"}]}], "timestamp_override": "event.ingested", "type": "query", 
"version": 206}, "id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5_206", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_208.json b/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_208.json
deleted file mode 100644
index cf599050565..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_208.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to create an Okta API token. An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies.", "false_positives": ["If the behavior of creating Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Create Okta API Token", "note": "", "query": "event.dataset:okta.system and event.action:system.api_token.create\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/"}]}], "timestamp_override": "event.ingested", "type": "query", 
"version": 208}, "id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_308.json b/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_308.json
new file mode 100644
index 00000000000..7f7ddad91d2
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/96b9f4ea-0e8c-435b-8d53-2096e75fcac5_308.json
@@ -0,0 +1,76 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects attempts to create an Okta API token. An adversary may create an Okta API token to maintain access to an organization's network while they work to achieve their objectives. An attacker may abuse an API token to execute techniques such as creating user accounts or disabling security rules or policies.",
+ "false_positives": [
+ "If the behavior of creating Okta API tokens is expected, consider adding exceptions to this rule to filter false positives."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempt to Create Okta API Token",
+ "note": "",
+ "query": "event.dataset:okta.system and event.action:system.api_token.create\n",
+ "references": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Persistence"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": 
"T1136", + "name": "Create Account", + "reference": "https://attack.mitre.org/techniques/T1136/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 308 + }, + "id": "96b9f4ea-0e8c-435b-8d53-2096e75fcac5_308", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f.json b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f.json deleted file mode 100644 index 4e0d70b7a66..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the creation of potentially malicious files within the default MOTD file directories. Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" directory. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Message-of-the-Day (MOTD) File Creation", "note": "## Triage and analysis\n\n### Investigating Message-of-the-Day (MOTD) File Creation\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` directory. Executable files in these directories automatically run with root privileges.\n\nThis rule identifies the creation of new files within the `/etc/update-motd.d/` directory.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. 
Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` directory have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE path LIKE '/etc/update-motd.d/%'\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path LIKE '/etc/update-motd.d/%'\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Process Spawned from Message-of-the-Day (MOTD) - 4ec47004-b34a-42e6-8003-376a123ea447\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and\nfile.path : \"/etc/update-motd.d/*\" and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": 
["https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "96d11d31-9a79-480f-8401-da28b194608f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 11}, "id": "96d11d31-9a79-480f-8401-da28b194608f", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_1.json b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_1.json deleted file mode 100644 index 5ffbebe50d8..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" and \"/usr/lib/update-notifier/\" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the creation of potentially malicious files within the default MOTD file directories.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through MOTD File Creation Detected", "new_terms_fields": ["file.path", "process.name"], "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not \nprocess.executable : (\"/usr/bin/dpkg\" or \"/usr/bin/dockerd\" or \"/bin/rpm\") and not \nfile.extension : \"swp\"\n", "references": ["https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "96d11d31-9a79-480f-8401-da28b194608f", "severity": "medium", 
"tags": ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "type": "new_terms", "version": 1}, "id": "96d11d31-9a79-480f-8401-da28b194608f_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_10.json b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_10.json deleted file mode 100644 index ff34e4d7572..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_10.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" and \"/usr/lib/update-notifier/\" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the creation of potentially malicious files within the default MOTD file directories.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through MOTD File Creation Detected", "new_terms_fields": ["host.id", "file.path", "process.executable"], "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through MOTD File Creation Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Executable files in these directories automatically run with root privileges.\n\nThis rule identifies the creation of new files within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE\\n'/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Suspicious Process Spawned from MOTD Detected - 4ec47004-b34a-42e6-8003-376a123ea447\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type :linux and event.action:(creation or file_create_event or rename or file_rename_event) and\nfile.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process.name : (\n dpkg or dockerd or rpm or executor or dnf or podman or ln or yum \n) and not (\n (process.name:mv and file.extension:dpkg-remove) or\n (file.extension:(swp or swpx))\n)\n", "references": ["https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "96d11d31-9a79-480f-8401-da28b194608f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 10}, "id": "96d11d31-9a79-480f-8401-da28b194608f_10", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_11.json b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_11.json deleted file mode 100644 index 012c330fe52..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_11.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the creation of potentially malicious files within the default MOTD file directories. Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" directory. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Message-of-the-Day (MOTD) File Creation", "note": "## Triage and analysis\n\n### Investigating Message-of-the-Day (MOTD) File Creation\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` directory. Executable files in these directories automatically run with root privileges.\n\nThis rule identifies the creation of new files within the `/etc/update-motd.d/` directory.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. 
Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` directory have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE path LIKE '/etc/update-motd.d/%'\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path LIKE '/etc/update-motd.d/%'\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Process Spawned from Message-of-the-Day (MOTD) - 4ec47004-b34a-42e6-8003-376a123ea447\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and\nfile.path : \"/etc/update-motd.d/*\" and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\"\n ) or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": 
["https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "96d11d31-9a79-480f-8401-da28b194608f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 11}, "id": "96d11d31-9a79-480f-8401-da28b194608f_11", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_2.json b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_2.json deleted file mode 100644 index 2e88be89082..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" and \"/usr/lib/update-notifier/\" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the creation of potentially malicious files within the default MOTD file directories.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through MOTD File Creation Detected", "new_terms_fields": ["file.path", "process.name"], "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not \nprocess.executable : (\"/usr/bin/dpkg\" or \"/usr/bin/dockerd\" or \"/bin/rpm\") and not \nfile.extension : \"swp\"\n", "references": ["https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "96d11d31-9a79-480f-8401-da28b194608f", "severity": "medium", 
"tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "type": "new_terms", "version": 2}, "id": "96d11d31-9a79-480f-8401-da28b194608f_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_3.json b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_3.json deleted file mode 100644 index 0c1446bc4b7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" and \"/usr/lib/update-notifier/\" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the creation of potentially malicious files within the default MOTD file directories.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through MOTD File Creation Detected", "new_terms_fields": ["file.path", "process.name"], "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through MOTD File Creation Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Executable files in these directories automatically run with root privileges.\n\nThis rule identifies the creation of new files within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Suspicious Process Spawned from MOTD Detected - 4ec47004-b34a-42e6-8003-376a123ea447\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not \nprocess.executable : (\"/usr/bin/dpkg\" or \"/usr/bin/dockerd\" or \"/bin/rpm\") and not file.extension : \"swp\"\n", "references": ["https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "96d11d31-9a79-480f-8401-da28b194608f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "type": "new_terms", "version": 3}, "id": "96d11d31-9a79-480f-8401-da28b194608f_3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_4.json b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_4.json
deleted file mode 100644
index 40651a7c324..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" and \"/usr/lib/update-notifier/\" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the creation of potentially malicious files within the default MOTD file directories.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through MOTD File Creation Detected", "new_terms_fields": ["file.path", "process.name"], "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through MOTD File Creation Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Executable files in these directories automatically run with root privileges.\n\nThis rule identifies the creation of new files within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Suspicious Process Spawned from MOTD Detected - 4ec47004-b34a-42e6-8003-376a123ea447\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not \nprocess.executable : (\"/usr/bin/dpkg\" or \"/usr/bin/dockerd\" or \"/bin/rpm\" or \"/kaniko/executor\") and not \nfile.extension : (\"swp\" or \"swx\")\n", "references": ["https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "96d11d31-9a79-480f-8401-da28b194608f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "type": "new_terms", "version": 4}, "id": "96d11d31-9a79-480f-8401-da28b194608f_4", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_5.json b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_5.json
deleted file mode 100644
index c6b4972d706..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" and \"/usr/lib/update-notifier/\" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the creation of potentially malicious files within the default MOTD file directories.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through MOTD File Creation Detected", "new_terms_fields": ["file.path", "process.name"], "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through MOTD File Creation Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Executable files in these directories automatically run with root privileges.\n\nThis rule identifies the creation of new files within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Suspicious Process Spawned from MOTD Detected - 4ec47004-b34a-42e6-8003-376a123ea447\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not \nprocess.executable : (\"/usr/bin/dpkg\" or \"/usr/bin/dockerd\" or \"/bin/rpm\" or \"/kaniko/executor\") and not \nfile.extension : (\"swp\" or \"swx\")\n", "references": ["https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "96d11d31-9a79-480f-8401-da28b194608f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "type": "new_terms", "version": 5}, "id": "96d11d31-9a79-480f-8401-da28b194608f_5", "type": "security-rule"} \ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_6.json b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_6.json
deleted file mode 100644
index 6aef06c8823..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" and \"/usr/lib/update-notifier/\" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the creation of potentially malicious files within the default MOTD file directories.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through MOTD File Creation Detected", "new_terms_fields": ["host.id", "file.path", "process.executable"], "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through MOTD File Creation Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Executable files in these directories automatically run with root privileges.\n\nThis rule identifies the creation of new files within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Suspicious Process Spawned from MOTD Detected - 4ec47004-b34a-42e6-8003-376a123ea447\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process.name : (\n dpkg or dockerd or rpm or executor or dnf\n) and not file.extension : (\"swp\" or \"swpx\")\n", "references": ["https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "96d11d31-9a79-480f-8401-da28b194608f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "type": "new_terms", "version": 6}, "id": "96d11d31-9a79-480f-8401-da28b194608f_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_7.json b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_7.json
deleted file mode 100644
index 9f4b8a468e8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" and \"/usr/lib/update-notifier/\" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the creation of potentially malicious files within the default MOTD file directories.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through MOTD File Creation Detected", "new_terms_fields": ["host.id", "file.path", "process.executable"], "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through MOTD File Creation Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Executable files in these directories automatically run with root privileges.\n\nThis rule identifies the creation of new files within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Suspicious Process Spawned from MOTD Detected - 4ec47004-b34a-42e6-8003-376a123ea447\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and \nfile.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process.name : (\n dpkg or dockerd or rpm or executor or dnf\n) and not file.extension : (\"swp\" or \"swpx\")\n", "references": ["https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "96d11d31-9a79-480f-8401-da28b194608f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "type": "new_terms", "version": 7}, "id": "96d11d31-9a79-480f-8401-da28b194608f_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_8.json b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_8.json
deleted file mode 100644
index 94260920155..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" and \"/usr/lib/update-notifier/\" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the creation of potentially malicious files within the default MOTD file directories.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through MOTD File Creation Detected", "new_terms_fields": ["host.id", "file.path", "process.executable"], "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through MOTD File Creation Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Executable files in these directories automatically run with root privileges.\n\nThis rule identifies the creation of new files within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Suspicious Process Spawned from MOTD Detected - 4ec47004-b34a-42e6-8003-376a123ea447\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "host.os.type :\"linux\" and event.action:(\"creation\" or \"file_create_event\" or \"rename\" or \"file_rename_event\") and\nfile.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process.name : (\n dpkg or dockerd or rpm or executor or dnf or podman or ln\n) and not file.extension : (\"swp\" or \"swpx\")\n", "references": ["https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "96d11d31-9a79-480f-8401-da28b194608f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 8}, "id": "96d11d31-9a79-480f-8401-da28b194608f_8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_9.json b/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_9.json deleted file mode 100644 index ef3ba181e1f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/96d11d31-9a79-480f-8401-da28b194608f_9.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or a serial connection. Linux systems contain several default MOTD files located in the \"/etc/update-motd.d/\" and \"/usr/lib/update-notifier/\" directories. These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a backdoor script or command. This rule detects the creation of potentially malicious files within the default MOTD file directories.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence Through MOTD File Creation Detected", "new_terms_fields": ["host.id", "file.path", "process.executable"], "note": "## Triage and analysis\n\n### Investigating Potential Persistence Through MOTD File Creation Detected\n\nThe message-of-the-day (MOTD) is used to display a customizable system-wide message or information to users upon login in Linux.\n\nAttackers can abuse message-of-the-day (motd) files to run scripts, commands or malicious software every time a user connects to a system over SSH or a serial connection, by creating a new file within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directory. Executable files in these directories automatically run with root privileges.\n\nThis rule identifies the creation of new files within the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\"}}\n- Investigate whether any other files in the `/etc/update-motd.d/` or `/usr/lib/update-notifier/` directories have been altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/update-motd.d/%' OR path LIKE '/usr/lib/update-notifier/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### Related Rules\n\n- Suspicious Process Spawned from MOTD Detected - 4ec47004-b34a-42e6-8003-376a123ea447\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the MOTD files or restore their original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type :linux and event.action:(creation or file_create_event or rename or file_rename_event) and\nfile.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process.name : (\n dpkg or dockerd or rpm or executor or dnf or podman or ln or yum \n) and not (\n (process.name:mv and file.extension:dpkg-remove) or\n (file.extension:(swp or swpx))\n)\n", "references": ["https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/#10-boot-or-logon-initialization-scripts-motd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "96d11d31-9a79-480f-8401-da28b194608f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 9}, "id": "96d11d31-9a79-480f-8401-da28b194608f_9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8.json b/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8.json deleted file mode 100644 index 63290c50672..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Access to Keychain Credentials Directories", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Keychains/*\",\n \"/Library/Keychains/*\",\n \"/Network/Library/Keychains/*\",\n \"System.keychain\",\n \"login.keychain-db\",\n \"login.keychain\"\n ) and\n not process.args : (\"find-certificate\",\n \"add-trusted-cert\",\n \"set-keychain-settings\",\n \"delete-certificate\",\n \"/Users/*/Library/Keychains/openvpn.keychain-db\",\n \"show-keychain-info\",\n \"lock-keychain\",\n \"set-key-partition-list\",\n \"import\",\n \"find-identity\") and\n not process.parent.executable :\n (\n \"/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect\",\n \"/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise\",\n \"/opt/jc/bin/jumpcloud-agent\"\n ) and\n not process.executable : (\"/opt/jc/bin/jumpcloud-agent\", \"/usr/bin/basename\") and\n not process.Ext.effective_parent.executable : (\"/opt/rapid7/ir_agent/ir_agent\",\n \"/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint\",\n \"/Applications/QualysCloudAgent.app/Contents/MacOS/qualys-cloud-agent\",\n \"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon\",\n \"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService\",\n \"/usr/local/jamf/bin/jamf\",\n 
\"/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon\")\n", "references": ["https://objective-see.com/blog/blog_0x25.html", "https://securelist.com/calisto-trojan-for-macos/86543/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.001", "name": "Keychain", "reference": "https://attack.mitre.org/techniques/T1555/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 207}, "id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_102.json b/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_102.json deleted file mode 100644 index 07d4bac279d..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Access to Keychain Credentials Directories", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Keychains/*\",\n \"/Library/Keychains/*\",\n \"/Network/Library/Keychains/*\",\n \"System.keychain\",\n \"login.keychain-db\",\n \"login.keychain\"\n ) and\n not process.args : (\"find-certificate\",\n \"add-trusted-cert\",\n \"set-keychain-settings\",\n \"delete-certificate\",\n \"/Users/*/Library/Keychains/openvpn.keychain-db\",\n \"show-keychain-info\",\n \"lock-keychain\",\n \"set-key-partition-list\",\n \"import\",\n \"find-identity\") and\n not process.parent.executable :\n (\n \"/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect\",\n \"/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise\",\n \"/opt/jc/bin/jumpcloud-agent\"\n ) and\n not process.executable : \"/opt/jc/bin/jumpcloud-agent\"\n", "references": ["https://objective-see.com/blog/blog_0x25.html", "https://securelist.com/calisto-trojan-for-macos/86543/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": 
"keyword"}], "risk_score": 73, "rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.001", "name": "Keychain", "reference": "https://attack.mitre.org/techniques/T1555/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_103.json b/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_103.json deleted file mode 100644 index 80e7c1d5f34..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Access to Keychain Credentials Directories", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Keychains/*\",\n \"/Library/Keychains/*\",\n \"/Network/Library/Keychains/*\",\n \"System.keychain\",\n \"login.keychain-db\",\n \"login.keychain\"\n ) and\n not process.args : (\"find-certificate\",\n \"add-trusted-cert\",\n \"set-keychain-settings\",\n \"delete-certificate\",\n \"/Users/*/Library/Keychains/openvpn.keychain-db\",\n \"show-keychain-info\",\n \"lock-keychain\",\n \"set-key-partition-list\",\n \"import\",\n \"find-identity\") and\n not process.parent.executable :\n (\n \"/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect\",\n \"/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise\",\n \"/opt/jc/bin/jumpcloud-agent\"\n ) and\n not process.executable : \"/opt/jc/bin/jumpcloud-agent\"\n", "references": ["https://objective-see.com/blog/blog_0x25.html", "https://securelist.com/calisto-trojan-for-macos/86543/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": 
"keyword"}], "risk_score": 73, "rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.001", "name": "Keychain", "reference": "https://attack.mitre.org/techniques/T1555/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_104.json b/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_104.json deleted file mode 100644 index 4f8446ba7ef..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Access to Keychain Credentials Directories", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Keychains/*\",\n \"/Library/Keychains/*\",\n \"/Network/Library/Keychains/*\",\n \"System.keychain\",\n \"login.keychain-db\",\n \"login.keychain\"\n ) and\n not process.args : (\"find-certificate\",\n \"add-trusted-cert\",\n \"set-keychain-settings\",\n \"delete-certificate\",\n \"/Users/*/Library/Keychains/openvpn.keychain-db\",\n \"show-keychain-info\",\n \"lock-keychain\",\n \"set-key-partition-list\",\n \"import\",\n \"find-identity\") and\n not process.parent.executable :\n (\n \"/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect\",\n \"/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise\",\n \"/opt/jc/bin/jumpcloud-agent\"\n ) and\n not process.executable : \"/opt/jc/bin/jumpcloud-agent\"\n", "references": ["https://objective-see.com/blog/blog_0x25.html", "https://securelist.com/calisto-trojan-for-macos/86543/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": 
"keyword"}], "risk_score": 73, "rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.001", "name": "Keychain", "reference": "https://attack.mitre.org/techniques/T1555/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_105.json b/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_105.json deleted file mode 100644 index 5bc53584764..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Access to Keychain Credentials Directories", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Keychains/*\",\n \"/Library/Keychains/*\",\n \"/Network/Library/Keychains/*\",\n \"System.keychain\",\n \"login.keychain-db\",\n \"login.keychain\"\n ) and\n not process.args : (\"find-certificate\",\n \"add-trusted-cert\",\n \"set-keychain-settings\",\n \"delete-certificate\",\n \"/Users/*/Library/Keychains/openvpn.keychain-db\",\n \"show-keychain-info\",\n \"lock-keychain\",\n \"set-key-partition-list\",\n \"import\",\n \"find-identity\") and\n not process.parent.executable :\n (\n \"/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect\",\n \"/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise\",\n \"/opt/jc/bin/jumpcloud-agent\"\n ) and\n not process.executable : \"/opt/jc/bin/jumpcloud-agent\"\n", "references": ["https://objective-see.com/blog/blog_0x25.html", "https://securelist.com/calisto-trojan-for-macos/86543/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], 
"risk_score": 73, "rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.001", "name": "Keychain", "reference": "https://attack.mitre.org/techniques/T1555/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_106.json b/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_106.json deleted file mode 100644 index b388da39781..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Access to Keychain Credentials Directories", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Keychains/*\",\n \"/Library/Keychains/*\",\n \"/Network/Library/Keychains/*\",\n \"System.keychain\",\n \"login.keychain-db\",\n \"login.keychain\"\n ) and\n not process.args : (\"find-certificate\",\n \"add-trusted-cert\",\n \"set-keychain-settings\",\n \"delete-certificate\",\n \"/Users/*/Library/Keychains/openvpn.keychain-db\",\n \"show-keychain-info\",\n \"lock-keychain\",\n \"set-key-partition-list\",\n \"import\",\n \"find-identity\") and\n not process.parent.executable :\n (\n \"/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect\",\n \"/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise\",\n \"/opt/jc/bin/jumpcloud-agent\"\n ) and\n not process.executable : \"/opt/jc/bin/jumpcloud-agent\"\n", "references": ["https://objective-see.com/blog/blog_0x25.html", "https://securelist.com/calisto-trojan-for-macos/86543/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, 
"rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.001", "name": "Keychain", "reference": "https://attack.mitre.org/techniques/T1555/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_107.json b/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_107.json deleted file mode 100644 index 8d75d8e3151..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/96e90768-c3b7-4df6-b5d9-6237f8bc36a8_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Access to Keychain Credentials Directories", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.args :\n (\n \"/Users/*/Library/Keychains/*\",\n \"/Library/Keychains/*\",\n \"/Network/Library/Keychains/*\",\n \"System.keychain\",\n \"login.keychain-db\",\n \"login.keychain\"\n ) and\n not process.args : (\"find-certificate\",\n \"add-trusted-cert\",\n \"set-keychain-settings\",\n \"delete-certificate\",\n \"/Users/*/Library/Keychains/openvpn.keychain-db\",\n \"show-keychain-info\",\n \"lock-keychain\",\n \"set-key-partition-list\",\n \"import\",\n \"find-identity\") and\n not process.parent.executable :\n (\n \"/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect\",\n \"/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise\",\n \"/opt/jc/bin/jumpcloud-agent\"\n ) and\n not process.executable : \"/opt/jc/bin/jumpcloud-agent\"\n", "references": ["https://objective-see.com/blog/blog_0x25.html", "https://securelist.com/calisto-trojan-for-macos/86543/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, 
"rule_id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.001", "name": "Keychain", "reference": "https://attack.mitre.org/techniques/T1555/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "96e90768-c3b7-4df6-b5d9-6237f8bc36a8_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd.json b/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd.json deleted file mode 100644 index 4d047321fa5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "SeDebugPrivilege Enabled by a Suspicious Process", "query": "any where host.os.type == \"windows\" and event.provider: \"Microsoft-Windows-Security-Auditing\" and\n event.action : \"Token Right Adjusted Events\" and\n\n winlog.event_data.EnabledPrivilegeList : \"SeDebugPrivilege\" and\n\n /* exclude processes with System Integrity */\n not winlog.event_data.SubjectUserSid : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n\n not winlog.event_data.ProcessName :\n (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\MRT.exe\",\n \"?:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostw.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*-*\\\\DismHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\auditpol.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSe.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wbem\\\\WmiPrvSe.exe\")\n", "references": ["https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703", "https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, 
"name": "event.provider", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.EnabledPrivilegeList", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 47, "rule_id": "97020e61-e591-4191-8a3b-2861a2b887cd", "setup": "## Setup\n\nWindows Event 4703 logs Token Privileges changes and need to be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDetailed Tracking >\nToken Right Adjusted Events (Success)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "97020e61-e591-4191-8a3b-2861a2b887cd", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_3.json b/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_3.json deleted file mode 100644 index 2c24a9c5e5c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "SeDebugPrivilege Enabled by a Suspicious Process", "note": "", "query": "any where host.os.type == \"windows\" and event.provider: \"Microsoft-Windows-Security-Auditing\" and\n event.action : \"Token Right Adjusted Events\" and\n\n winlog.event_data.EnabledPrivilegeList : \"SeDebugPrivilege\" and\n\n /* exclude processes with System Integrity */\n not winlog.event_data.SubjectUserSid : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n\n not winlog.event_data.ProcessName :\n (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\MRT.exe\",\n \"?:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostw.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*-*\\\\DismHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\auditpol.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSe.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wbem\\\\WmiPrvSe.exe\")\n", "references": ["https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703", "https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": true, 
"name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.EnabledPrivilegeList", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 47, "rule_id": "97020e61-e591-4191-8a3b-2861a2b887cd", "setup": "Windows Event 4703 logs Token Privileges changes and need to be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDetailed Tracking >\nToken Right Adjusted Events (Success)\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "97020e61-e591-4191-8a3b-2861a2b887cd_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_4.json b/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_4.json deleted file mode 100644 index 9a424a8c7f1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "SeDebugPrivilege Enabled by a Suspicious Process", "note": "", "query": "any where host.os.type == \"windows\" and event.provider: \"Microsoft-Windows-Security-Auditing\" and\n event.action : \"Token Right Adjusted Events\" and\n\n winlog.event_data.EnabledPrivilegeList : \"SeDebugPrivilege\" and\n\n /* exclude processes with System Integrity */\n not winlog.event_data.SubjectUserSid : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n\n not winlog.event_data.ProcessName :\n (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\MRT.exe\",\n \"?:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostw.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*-*\\\\DismHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\auditpol.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSe.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wbem\\\\WmiPrvSe.exe\")\n", "references": ["https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703", "https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": true, 
"name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.EnabledPrivilegeList", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 47, "rule_id": "97020e61-e591-4191-8a3b-2861a2b887cd", "setup": "Windows Event 4703 logs Token Privileges changes and need to be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDetailed Tracking >\nToken Right Adjusted Events (Success)\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "97020e61-e591-4191-8a3b-2861a2b887cd_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_5.json b/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_5.json deleted file mode 100644 index fb1a2b73392..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "SeDebugPrivilege Enabled by a Suspicious Process", "query": "any where host.os.type == \"windows\" and event.provider: \"Microsoft-Windows-Security-Auditing\" and\n event.action : \"Token Right Adjusted Events\" and\n\n winlog.event_data.EnabledPrivilegeList : \"SeDebugPrivilege\" and\n\n /* exclude processes with System Integrity */\n not winlog.event_data.SubjectUserSid : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n\n not winlog.event_data.ProcessName :\n (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\MRT.exe\",\n \"?:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostw.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*-*\\\\DismHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\auditpol.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSe.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wbem\\\\WmiPrvSe.exe\")\n", "references": ["https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703", "https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": true, "name": 
"host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.EnabledPrivilegeList", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 47, "rule_id": "97020e61-e591-4191-8a3b-2861a2b887cd", "setup": "\nWindows Event 4703 logs Token Privileges changes and need to be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDetailed Tracking >\nToken Right Adjusted Events (Success)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "97020e61-e591-4191-8a3b-2861a2b887cd_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_6.json b/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_6.json deleted file mode 100644 index 407d9d4dad9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "SeDebugPrivilege Enabled by a Suspicious Process", "query": "any where host.os.type == \"windows\" and event.provider: \"Microsoft-Windows-Security-Auditing\" and\n event.action : \"Token Right Adjusted Events\" and\n\n winlog.event_data.EnabledPrivilegeList : \"SeDebugPrivilege\" and\n\n /* exclude processes with System Integrity */\n not winlog.event_data.SubjectUserSid : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n\n not winlog.event_data.ProcessName :\n (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\MRT.exe\",\n \"?:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostw.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*-*\\\\DismHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\auditpol.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSe.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wbem\\\\WmiPrvSe.exe\")\n", "references": ["https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703", "https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, 
"name": "event.provider", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.EnabledPrivilegeList", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 47, "rule_id": "97020e61-e591-4191-8a3b-2861a2b887cd", "setup": "\nWindows Event 4703 logs Token Privileges changes and need to be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDetailed Tracking >\nToken Right Adjusted Events (Success)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "97020e61-e591-4191-8a3b-2861a2b887cd_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_7.json b/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_7.json deleted file mode 100644 index a1727ac7fab..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "SeDebugPrivilege Enabled by a Suspicious Process", "query": "any where host.os.type == \"windows\" and event.provider: \"Microsoft-Windows-Security-Auditing\" and\n event.action : \"Token Right Adjusted Events\" and\n\n winlog.event_data.EnabledPrivilegeList : \"SeDebugPrivilege\" and\n\n /* exclude processes with System Integrity */\n not winlog.event_data.SubjectUserSid : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n\n not winlog.event_data.ProcessName :\n (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\MRT.exe\",\n \"?:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostw.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*-*\\\\DismHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\auditpol.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSe.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wbem\\\\WmiPrvSe.exe\")\n", "references": ["https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703", "https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, 
"name": "event.provider", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.EnabledPrivilegeList", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 47, "rule_id": "97020e61-e591-4191-8a3b-2861a2b887cd", "setup": "## Setup\n\nWindows Event 4703 logs Token Privileges changes and need to be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDetailed Tracking >\nToken Right Adjusted Events (Success)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "97020e61-e591-4191-8a3b-2861a2b887cd_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_8.json b/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_8.json deleted file mode 100644 index 435003295c8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/97020e61-e591-4191-8a3b-2861a2b887cd_8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a process running as SYSTEM and impersonating a Windows core binary privileges. Adversaries may create a new process with a different token to escalate privileges and bypass access controls.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "SeDebugPrivilege Enabled by a Suspicious Process", "query": "any where host.os.type == \"windows\" and event.provider: \"Microsoft-Windows-Security-Auditing\" and\n event.action : \"Token Right Adjusted Events\" and\n\n winlog.event_data.EnabledPrivilegeList : \"SeDebugPrivilege\" and\n\n /* exclude processes with System Integrity */\n not winlog.event_data.SubjectUserSid : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n\n not winlog.event_data.ProcessName :\n (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\lsass.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\MRT.exe\",\n \"?:\\\\Windows\\\\System32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostw.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*-*\\\\DismHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\auditpol.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSe.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wbem\\\\WmiPrvSe.exe\")\n", "references": ["https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4703", "https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, 
"name": "event.provider", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.EnabledPrivilegeList", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}], "risk_score": 47, "rule_id": "97020e61-e591-4191-8a3b-2861a2b887cd", "setup": "## Setup\n\nWindows Event 4703 logs Token Privileges changes and need to be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDetailed Tracking >\nToken Right Adjusted Events (Success)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "97020e61-e591-4191-8a3b-2861a2b887cd_8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695.json b/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695.json deleted file mode 100644 index eab703aa83c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining settings to better detect and prevent attacks.", "false_positives": ["An anti-phishing rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Anti-Phish Rule Modification", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-AntiPhishRule\" or \"Disable-AntiPhishRule\") and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "97314185-2568-4561-ae81-f3e480e5e695", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": 
"https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "97314185-2568-4561-ae81-f3e480e5e695", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_101.json b/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_101.json deleted file mode 100644 index eecf650efa3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining settings to better detect and prevent attacks.", "false_positives": ["An anti-phishing rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Anti-Phish Rule Modification", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-AntiPhishRule\" or \"Disable-AntiPhishRule\") and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "97314185-2568-4561-ae81-f3e480e5e695", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": 
"https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "97314185-2568-4561-ae81-f3e480e5e695_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_102.json b/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_102.json deleted file mode 100644 index 16493d17453..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining settings to better detect and prevent attacks.", "false_positives": ["An anti-phishing rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Anti-Phish Rule Modification", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-AntiPhishRule\" or \"Disable-AntiPhishRule\") and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "97314185-2568-4561-ae81-f3e480e5e695", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": 
"https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "97314185-2568-4561-ae81-f3e480e5e695_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_103.json b/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_103.json deleted file mode 100644 index 5dca3669e02..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining settings to better detect and prevent attacks.", "false_positives": ["An anti-phishing rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Anti-Phish Rule Modification", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-AntiPhishRule\" or \"Disable-AntiPhishRule\") and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "97314185-2568-4561-ae81-f3e480e5e695", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": 
"https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "97314185-2568-4561-ae81-f3e480e5e695_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_105.json b/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_105.json deleted file mode 100644 index 330731e0b70..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/97314185-2568-4561-ae81-f3e480e5e695_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of an anti-phishing rule in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing rules increase this protection by refining settings to better detect and prevent attacks.", "false_positives": ["An anti-phishing rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Anti-Phish Rule Modification", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-AntiPhishRule\" or \"Disable-AntiPhishRule\") and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "97314185-2568-4561-ae81-f3e480e5e695", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": 
"https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "97314185-2568-4561-ae81-f3e480e5e695_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e.json b/packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e.json deleted file mode 100644 index 0671d9f7df3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when the configuration is modified for a storage bucket in Google Cloud Platform (GCP). An adversary may modify the configuration of a storage bucket in order to weaken the security controls of their target's environment.", "false_positives": ["Storage bucket configuration may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Storage Bucket Configuration Modification", "note": "", "query": "event.dataset:gcp.audit and event.action:\"storage.buckets.update\" and event.outcome:success\n", "references": ["https://cloud.google.com/storage/docs/key-terms#buckets"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "97359fd8-757d-4b1d-9af1-ef29e4a8680e", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1578", "name": "Modify Cloud Compute Infrastructure", "reference": "https://attack.mitre.org/techniques/T1578/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "97359fd8-757d-4b1d-9af1-ef29e4a8680e", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e_103.json b/packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e_103.json
deleted file mode 100644
index ad0baca52b9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/97359fd8-757d-4b1d-9af1-ef29e4a8680e_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when the configuration is modified for a storage bucket in Google Cloud Platform (GCP). An adversary may modify the configuration of a storage bucket in order to weaken the security controls of their target's environment.", "false_positives": ["Storage bucket configuration may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Storage Bucket Configuration Modification", "note": "", "query": "event.dataset:gcp.audit and event.action:\"storage.buckets.update\" and event.outcome:success\n", "references": ["https://cloud.google.com/storage/docs/key-terms#buckets"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "97359fd8-757d-4b1d-9af1-ef29e4a8680e", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Identity and Access", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1578", "name": "Modify Cloud Compute Infrastructure", "reference": "https://attack.mitre.org/techniques/T1578/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "97359fd8-757d-4b1d-9af1-ef29e4a8680e_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/97697a52-4a76-4f0a-aa4f-25c178aae6eb.json b/packages/security_detection_engine/kibana/security_rule/97697a52-4a76-4f0a-aa4f-25c178aae6eb.json
deleted file mode 100644
index 0838b5c98da..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/97697a52-4a76-4f0a-aa4f-25c178aae6eb.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the use of the built-in Linux DebugFS utility from inside a privileged container. DebugFS is a special file system debugging utility which supports reading and writing directly from a hard drive device. When launched inside a privileged container, a container deployed with all the capabilities of the host machine, an attacker can access sensitive host level files which could be used for further privilege escalation and container escapes to the host machine.", "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "File System Debugger Launched Inside a Privileged Container", "query": "process where event.module == \"cloud_defend\" and \n event.type == \"start\" and process.name == \"debugfs\" and \n process.args : \"/dev/sd*\" and not process.args == \"-R\" and\n container.security_context.privileged == true\n", "references": ["https://cyberark.wistia.com/medias/ygbzkzx93q?wvideo=ygbzkzx93q", "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation#privileged"], "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "container.security_context.privileged", "type": "boolean"}, {"ecs": true, "name": "event.module", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "97697a52-4a76-4f0a-aa4f-25c178aae6eb", "severity": "medium", "tags": ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": 
"https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "97697a52-4a76-4f0a-aa4f-25c178aae6eb", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f.json b/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f.json
deleted file mode 100644
index 5f9209a798a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies when a user has updated a SAML provider in AWS. SAML providers are used to enable federated access to the AWS Management Console. This activity could be an indication of an attacker attempting to escalate privileges.", "false_positives": ["SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. SAML Provider updates by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-9m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM SAML Provider Updated", "note": "", "query": "event.dataset:aws.cloudtrail\n and event.provider: iam.amazonaws.com\n and event.action: UpdateSAMLProvider\n and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "979729e7-0c52-4c4c-b71e-88103304a79f", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": 
[{"id": "T1484", "name": "Domain or Tenant Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.002", "name": "Trust Modification", "reference": "https://attack.mitre.org/techniques/T1484/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "979729e7-0c52-4c4c-b71e-88103304a79f", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_102.json b/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_102.json
deleted file mode 100644
index b447a56b25c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target.", "false_positives": ["SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. SAML Provider updates by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS SAML Activity", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or\nUpdateSAMLProvider) and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html", "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "979729e7-0c52-4c4c-b71e-88103304a79f", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": 
"https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "979729e7-0c52-4c4c-b71e-88103304a79f_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_103.json b/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_103.json
deleted file mode 100644
index d291a444541..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target.", "false_positives": ["SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. SAML Provider updates by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS SAML Activity", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or\nUpdateSAMLProvider) and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html", "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "979729e7-0c52-4c4c-b71e-88103304a79f", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication 
Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "979729e7-0c52-4c4c-b71e-88103304a79f_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_104.json b/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_104.json
deleted file mode 100644
index d20a614e278..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target.", "false_positives": ["SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. SAML Provider updates by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS SAML Activity", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or\nUpdateSAMLProvider) and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html", "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "979729e7-0c52-4c4c-b71e-88103304a79f", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication 
Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "979729e7-0c52-4c4c-b71e-88103304a79f_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_205.json b/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_205.json
deleted file mode 100644
index 2165f19b5ec..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_205.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target.", "false_positives": ["SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. SAML Provider updates by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS SAML Activity", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or\nUpdateSAMLProvider) and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html", "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "979729e7-0c52-4c4c-b71e-88103304a79f", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication 
Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "979729e7-0c52-4c4c-b71e-88103304a79f_205", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_206.json b/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_206.json
deleted file mode 100644
index 09e76a0fb0d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/979729e7-0c52-4c4c-b71e-88103304a79f_206.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target.", "false_positives": ["SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. SAML Provider updates by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS SAML Activity", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or\nUpdateSAMLProvider) and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html", "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "979729e7-0c52-4c4c-b71e-88103304a79f", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1550", "name": "Use Alternate 
Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "979729e7-0c52-4c4c-b71e-88103304a79f_206", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7.json b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7.json
deleted file mode 100644
index 5fe3975c14e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.", "event_category_override": "event.category", "index": ["filebeat-*", "logs-okta*"], "language": "eql", "license": "Elastic License v2", "name": "Potentially Successful MFA Bombing via Push Notifications", "note": "## Triage and analysis\n\n### Investigating Potential Abuse of Repeated MFA Push Notifications\n\nMulti-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.\n\nThis rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.\n\n#### Possible investigation steps:\n\n- Identify the user who received the MFA notifications by reviewing the `user.email` field.\n- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.\n- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.\n- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.\n- Check if the MFA requests and the successful login occurred during the user's regular activity hours.\n- Look for any other suspicious activity on the account around the same time.\n- Identify whether the same pattern is repeated for other users in your organization. 
Multiple users receiving push notifications simultaneously might indicate a larger attack.\n\n### False positive analysis:\n\n- Determine if the MFA push notifications were legitimate. Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.\n- Check if there are known issues with the MFA system causing false denials.\n\n### Response and remediation:\n\n- If unauthorized access is confirmed, initiate your incident response process.\n- Alert the user and your IT department immediately.\n- If possible, isolate the user's account until the issue is resolved.\n- Investigate the source of the unauthorized access.\n- If the account was accessed by an unauthorized party, determine the actions they took after logging in.\n- Consider enhancing your MFA policy to prevent such incidents in the future.\n- Encourage users to report any unexpected MFA notifications immediately.\n- Review and update your incident response plans and security policies based on the findings from the incident.", "query": "sequence by okta.actor.id with maxspan=10m\n [authentication where event.dataset == \"okta.system\" and event.module == \"okta\"\n and event.action == \"user.mfa.okta_verify.deny_push\"] with runs=3\n [authentication where event.dataset == \"okta.system\" and event.module == \"okta\"\n and (event.action : (\n \"user.authentication.sso\",\n \"user.authentication.auth_via_mfa\",\n \"user.authentication.verify\",\n \"user.session.start\") and okta.outcome.result == \"SUCCESS\")]\n", "references": ["https://www.mandiant.com/resources/russian-targeting-gov-business", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": 
true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.result", "type": "keyword"}], "risk_score": 73, "rule_id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1621", "name": "Multi-Factor Authentication Request Generation", "reference": "https://attack.mitre.org/techniques/T1621/"}]}], "type": "eql", "version": 209}, "id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_102.json b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_102.json
deleted file mode 100644
index 06833ec7e49..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.", "index": ["filebeat-*", "logs-okta*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Abuse of Repeated MFA Push Notifications", "note": "", "query": "sequence by user.email with maxspan=10m\n [any where event.dataset == \"okta.system\" and event.module == \"okta\" and event.action == \"user.mfa.okta_verify.deny_push\"]\n [any where event.dataset == \"okta.system\" and event.module == \"okta\" and event.action == \"user.mfa.okta_verify.deny_push\"]\n [any where event.dataset == \"okta.system\" and event.module == \"okta\" and event.action == \"user.authentication.sso\"]\n", "references": ["https://www.mandiant.com/resources/russian-targeting-gov-business", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}, {"ecs": true, "name": "user.email", "type": "keyword"}], "risk_score": 73, "rule_id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": 
"https://attack.mitre.org/techniques/T1110/"}]}], "type": "eql", "version": 102}, "id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_103.json b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_103.json
deleted file mode 100644
index eaee1c06a23..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.", "index": ["filebeat-*", "logs-okta*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Abuse of Repeated MFA Push Notifications", "note": "", "query": "sequence by user.email with maxspan=10m\n [any where event.dataset == \"okta.system\" and event.module == \"okta\" and event.action == \"user.mfa.okta_verify.deny_push\"]\n [any where event.dataset == \"okta.system\" and event.module == \"okta\" and event.action == \"user.mfa.okta_verify.deny_push\"]\n [any where event.dataset == \"okta.system\" and event.module == \"okta\" and event.action == \"user.authentication.sso\"]\n", "references": ["https://www.mandiant.com/resources/russian-targeting-gov-business", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}, {"ecs": true, "name": "user.email", "type": "keyword"}], "risk_score": 73, "rule_id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": 
"T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "type": "eql", "version": 103}, "id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_104.json b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_104.json
deleted file mode 100644
index db02c85a983..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.", "index": ["filebeat-*", "logs-okta*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Abuse of Repeated MFA Push Notifications", "note": "## Triage and analysis\n\n### Investigating Potential Abuse of Repeated MFA Push Notifications\n\nMulti-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.\n\nThis rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.\n\n#### Possible investigation steps:\n\n- Identify the user who received the MFA notifications by reviewing the `user.email` field.\n- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.\n- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.\n- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.\n- Check if the MFA requests and the successful login occurred during the user's regular activity hours.\n- Look for any other suspicious activity on the account around the same time.\n- Identify whether the same pattern is repeated for other users in your organization. 
Multiple users receiving push notifications simultaneously might indicate a larger attack.\n\n### False positive analysis:\n\n- Determine if the MFA push notifications were legitimate. Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.\n- Check if there are known issues with the MFA system causing false denials.\n\n### Response and remediation:\n\n- If unauthorized access is confirmed, initiate your incident response process.\n- Alert the user and your IT department immediately.\n- If possible, isolate the user's account until the issue is resolved.\n- Investigate the source of the unauthorized access.\n- If the account was accessed by an unauthorized party, determine the actions they took after logging in.\n- Consider enhancing your MFA policy to prevent such incidents in the future.\n- Encourage users to report any unexpected MFA notifications immediately.\n- Review and update your incident response plans and security policies based on the findings from the incident.", "query": "sequence by user.email with maxspan=10m\n [any where event.dataset == \"okta.system\" and event.module == \"okta\" and event.action == \"user.mfa.okta_verify.deny_push\"]\n [any where event.dataset == \"okta.system\" and event.module == \"okta\" and event.action == \"user.mfa.okta_verify.deny_push\"]\n [any where event.dataset == \"okta.system\" and event.module == \"okta\" and event.action == \"user.authentication.sso\"]\n", "references": ["https://www.mandiant.com/resources/russian-targeting-gov-business", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}, {"ecs": true, "name": "user.email", "type": "keyword"}], "risk_score": 73, "rule_id": 
"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "type": "eql", "version": 104}, "id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_105.json b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_105.json
deleted file mode 100644
index b06c711de04..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.", "index": ["filebeat-*", "logs-okta*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Abuse of Repeated MFA Push Notifications", "note": "## Triage and analysis\n\n### Investigating Potential Abuse of Repeated MFA Push Notifications\n\nMulti-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.\n\nThis rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.\n\n#### Possible investigation steps:\n\n- Identify the user who received the MFA notifications by reviewing the `user.email` field.\n- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.\n- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.\n- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.\n- Check if the MFA requests and the successful login occurred during the user's regular activity hours.\n- Look for any other suspicious activity on the account around the same time.\n- Identify whether the same pattern is repeated for other users in your organization. 
Multiple users receiving push notifications simultaneously might indicate a larger attack.\n\n### False positive analysis:\n\n- Determine if the MFA push notifications were legitimate. Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.\n- Check if there are known issues with the MFA system causing false denials.\n\n### Response and remediation:\n\n- If unauthorized access is confirmed, initiate your incident response process.\n- Alert the user and your IT department immediately.\n- If possible, isolate the user's account until the issue is resolved.\n- Investigate the source of the unauthorized access.\n- If the account was accessed by an unauthorized party, determine the actions they took after logging in.\n- Consider enhancing your MFA policy to prevent such incidents in the future.\n- Encourage users to report any unexpected MFA notifications immediately.\n- Review and update your incident response plans and security policies based on the findings from the incident.", "query": "sequence by user.email with maxspan=10m\n [any where event.dataset == \"okta.system\" and event.module == \"okta\" and event.action == \"user.mfa.okta_verify.deny_push\"]\n [any where event.dataset == \"okta.system\" and event.module == \"okta\" and event.action == \"user.mfa.okta_verify.deny_push\"]\n [any where event.dataset == \"okta.system\" and event.module == \"okta\" and event.action == \"user.authentication.sso\"]\n", "references": ["https://www.mandiant.com/resources/russian-targeting-gov-business", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}, {"ecs": true, "name": "user.email", "type": "keyword"}], "risk_score": 73, "rule_id": 
"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "type": "eql", "version": 105}, "id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_106.json b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_106.json
deleted file mode 100644
index 22c8442d8ef..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.", "index": ["filebeat-*", "logs-okta*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Abuse of Repeated MFA Push Notifications", "note": "## Triage and analysis\n\n### Investigating Potential Abuse of Repeated MFA Push Notifications\n\nMulti-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.\n\nThis rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.\n\n#### Possible investigation steps:\n\n- Identify the user who received the MFA notifications by reviewing the `user.email` field.\n- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.\n- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.\n- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.\n- Check if the MFA requests and the successful login occurred during the user's regular activity hours.\n- Look for any other suspicious activity on the account around the same time.\n- Identify whether the same pattern is repeated for other users in your organization. 
Multiple users receiving push notifications simultaneously might indicate a larger attack.\n\n### False positive analysis:\n\n- Determine if the MFA push notifications were legitimate. Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.\n- Check if there are known issues with the MFA system causing false denials.\n\n### Response and remediation:\n\n- If unauthorized access is confirmed, initiate your incident response process.\n- Alert the user and your IT department immediately.\n- If possible, isolate the user's account until the issue is resolved.\n- Investigate the source of the unauthorized access.\n- If the account was accessed by an unauthorized party, determine the actions they took after logging in.\n- Consider enhancing your MFA policy to prevent such incidents in the future.\n- Encourage users to report any unexpected MFA notifications immediately.\n- Review and update your incident response plans and security policies based on the findings from the incident.", "query": "sequence by user.email with maxspan=10m\n [any where event.dataset == \"okta.system\" and event.module == \"okta\" and event.action == \"user.mfa.okta_verify.deny_push\"]\n [any where event.dataset == \"okta.system\" and event.module == \"okta\" and event.action == \"user.mfa.okta_verify.deny_push\"]\n [any where event.dataset == \"okta.system\" and event.module == \"okta\" and event.action == \"user.authentication.sso\"]\n", "references": ["https://www.mandiant.com/resources/russian-targeting-gov-business", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}, {"ecs": true, "name": "user.email", "type": "keyword"}], "risk_score": 73, "rule_id": 
"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "type": "eql", "version": 106}, "id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_207.json b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_207.json
deleted file mode 100644
index 05dbdc7b975..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_207.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.", "index": ["filebeat-*", "logs-okta*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Abuse of Repeated MFA Push Notifications", "note": "## Triage and analysis\n\n### Investigating Potential Abuse of Repeated MFA Push Notifications\n\nMulti-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.\n\nThis rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.\n\n#### Possible investigation steps:\n\n- Identify the user who received the MFA notifications by reviewing the `user.email` field.\n- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.\n- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.\n- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.\n- Check if the MFA requests and the successful login occurred during the user's regular activity hours.\n- Look for any other suspicious activity on the account around the same time.\n- Identify whether the same pattern is repeated for other users in your organization. 
Multiple users receiving push notifications simultaneously might indicate a larger attack.\n\n### False positive analysis:\n\n- Determine if the MFA push notifications were legitimate. Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.\n- Check if there are known issues with the MFA system causing false denials.\n\n### Response and remediation:\n\n- If unauthorized access is confirmed, initiate your incident response process.\n- Alert the user and your IT department immediately.\n- If possible, isolate the user's account until the issue is resolved.\n- Investigate the source of the unauthorized access.\n- If the account was accessed by an unauthorized party, determine the actions they took after logging in.\n- Consider enhancing your MFA policy to prevent such incidents in the future.\n- Encourage users to report any unexpected MFA notifications immediately.\n- Review and update your incident response plans and security policies based on the findings from the incident.", "query": "sequence by user.email with maxspan=10m\n [any where event.dataset == \"okta.system\" and event.module == \"okta\" and event.action == \"user.mfa.okta_verify.deny_push\"]\n [any where event.dataset == \"okta.system\" and event.module == \"okta\" and event.action == \"user.mfa.okta_verify.deny_push\"]\n [any where event.dataset == \"okta.system\" and event.module == \"okta\" and event.action == \"user.authentication.sso\"]\n", "references": ["https://www.mandiant.com/resources/russian-targeting-gov-business", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}, {"ecs": true, "name": "user.email", "type": "keyword"}], "risk_score": 73, "rule_id": 
"97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "type": "eql", "version": 207}, "id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_207", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_208.json b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_208.json
deleted file mode 100644
index 82ca8c83919..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_208.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.", "event_category_override": "event.category", "index": ["filebeat-*", "logs-okta*"], "language": "eql", "license": "Elastic License v2", "name": "Potentially Successful MFA Bombing via Push Notifications", "note": "## Triage and analysis\n\n### Investigating Potential Abuse of Repeated MFA Push Notifications\n\nMulti-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.\n\nThis rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.\n\n#### Possible investigation steps:\n\n- Identify the user who received the MFA notifications by reviewing the `user.email` field.\n- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.\n- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.\n- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.\n- Check if the MFA requests and the successful login occurred during the user's regular activity hours.\n- Look for any other suspicious activity on the account around the same time.\n- Identify whether the same pattern is repeated for other users in your organization. 
Multiple users receiving push notifications simultaneously might indicate a larger attack.\n\n### False positive analysis:\n\n- Determine if the MFA push notifications were legitimate. Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.\n- Check if there are known issues with the MFA system causing false denials.\n\n### Response and remediation:\n\n- If unauthorized access is confirmed, initiate your incident response process.\n- Alert the user and your IT department immediately.\n- If possible, isolate the user's account until the issue is resolved.\n- Investigate the source of the unauthorized access.\n- If the account was accessed by an unauthorized party, determine the actions they took after logging in.\n- Consider enhancing your MFA policy to prevent such incidents in the future.\n- Encourage users to report any unexpected MFA notifications immediately.\n- Review and update your incident response plans and security policies based on the findings from the incident.", "query": "sequence by okta.actor.id with maxspan=10m\n [authentication where event.dataset == \"okta.system\" and event.module == \"okta\"\n and event.action == \"user.mfa.okta_verify.deny_push\"] with runs=3\n [authentication where event.dataset == \"okta.system\" and event.module == \"okta\"\n and (event.action : (\n \"user.authentication.sso\",\n \"user.authentication.auth_via_mfa\",\n \"user.authentication.verify\",\n \"user.session.start\") and okta.outcome.result == \"SUCCESS\")]\n", "references": ["https://www.mandiant.com/resources/russian-targeting-gov-business", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": 
true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "unknown"}, {"ecs": false, "name": "okta.outcome.result", "type": "unknown"}], "risk_score": 73, "rule_id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1621", "name": "Multi-Factor Authentication Request Generation", "reference": "https://attack.mitre.org/techniques/T1621/"}]}], "type": "eql", "version": 208}, "id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_209.json b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_209.json
deleted file mode 100644
index 42f5ed8797b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_209.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.", "event_category_override": "event.category", "index": ["filebeat-*", "logs-okta*"], "language": "eql", "license": "Elastic License v2", "name": "Potentially Successful MFA Bombing via Push Notifications", "note": "## Triage and analysis\n\n### Investigating Potential Abuse of Repeated MFA Push Notifications\n\nMulti-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.\n\nThis rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.\n\n#### Possible investigation steps:\n\n- Identify the user who received the MFA notifications by reviewing the `user.email` field.\n- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.\n- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.\n- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.\n- Check if the MFA requests and the successful login occurred during the user's regular activity hours.\n- Look for any other suspicious activity on the account around the same time.\n- Identify whether the same pattern is repeated for other users in your organization. 
Multiple users receiving push notifications simultaneously might indicate a larger attack.\n\n### False positive analysis:\n\n- Determine if the MFA push notifications were legitimate. Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.\n- Check if there are known issues with the MFA system causing false denials.\n\n### Response and remediation:\n\n- If unauthorized access is confirmed, initiate your incident response process.\n- Alert the user and your IT department immediately.\n- If possible, isolate the user's account until the issue is resolved.\n- Investigate the source of the unauthorized access.\n- If the account was accessed by an unauthorized party, determine the actions they took after logging in.\n- Consider enhancing your MFA policy to prevent such incidents in the future.\n- Encourage users to report any unexpected MFA notifications immediately.\n- Review and update your incident response plans and security policies based on the findings from the incident.", "query": "sequence by okta.actor.id with maxspan=10m\n [authentication where event.dataset == \"okta.system\" and event.module == \"okta\"\n and event.action == \"user.mfa.okta_verify.deny_push\"] with runs=3\n [authentication where event.dataset == \"okta.system\" and event.module == \"okta\"\n and (event.action : (\n \"user.authentication.sso\",\n \"user.authentication.auth_via_mfa\",\n \"user.authentication.verify\",\n \"user.session.start\") and okta.outcome.result == \"SUCCESS\")]\n", "references": ["https://www.mandiant.com/resources/russian-targeting-gov-business", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": 
true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.result", "type": "keyword"}], "risk_score": 73, "rule_id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1621", "name": "Multi-Factor Authentication Request Generation", "reference": "https://attack.mitre.org/techniques/T1621/"}]}], "type": "eql", "version": 209}, "id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_209", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_210.json b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_210.json
deleted file mode 100644
index 5514d7bbfe9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_210.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.", "event_category_override": "event.category", "index": ["filebeat-*", "logs-okta*"], "language": "eql", "license": "Elastic License v2", "name": "Potentially Successful MFA Bombing via Push Notifications", "note": "## Triage and analysis\n\n### Investigating Potential Abuse of Repeated MFA Push Notifications\n\nMulti-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.\n\nThis rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.\n\n#### Possible investigation steps:\n\n- Identify the user who received the MFA notifications by reviewing the `user.email` field.\n- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.\n- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.\n- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.\n- Check if the MFA requests and the successful login occurred during the user's regular activity hours.\n- Look for any other suspicious activity on the account around the same time.\n- Identify whether the same pattern is repeated for other users in your organization. 
Multiple users receiving push notifications simultaneously might indicate a larger attack.\n\n### False positive analysis:\n\n- Determine if the MFA push notifications were legitimate. Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.\n- Check if there are known issues with the MFA system causing false denials.\n\n### Response and remediation:\n\n- If unauthorized access is confirmed, initiate your incident response process.\n- Alert the user and your IT department immediately.\n- If possible, isolate the user's account until the issue is resolved.\n- Investigate the source of the unauthorized access.\n- If the account was accessed by an unauthorized party, determine the actions they took after logging in.\n- Consider enhancing your MFA policy to prevent such incidents in the future.\n- Encourage users to report any unexpected MFA notifications immediately.\n- Review and update your incident response plans and security policies based on the findings from the incident.", "query": "sequence by okta.actor.id with maxspan=10m\n [authentication where event.dataset == \"okta.system\" and event.module == \"okta\"\n and event.action == \"user.mfa.okta_verify.deny_push\"] with runs=3\n [authentication where event.dataset == \"okta.system\" and event.module == \"okta\"\n and (event.action : (\n \"user.authentication.sso\",\n \"user.authentication.auth_via_mfa\",\n \"user.authentication.verify\",\n \"user.session.start\") and okta.outcome.result == \"SUCCESS\")]\n", "references": ["https://www.mandiant.com/resources/russian-targeting-gov-business", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", 
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.result", "type": "keyword"}], "risk_score": 73, "rule_id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1621", "name": "Multi-Factor Authentication Request Generation", "reference": "https://attack.mitre.org/techniques/T1621/"}]}], "type": "eql", "version": 210}, "id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_210", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_212.json b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_212.json deleted file mode 100644 index 4dd94e1dcc2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_212.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.", "event_category_override": "event.category", "index": ["filebeat-*", "logs-okta*"], "language": "eql", "license": "Elastic License v2", "name": "Potentially Successful MFA Bombing via Push Notifications", "note": "## Triage and analysis\n\n### Investigating Potential Abuse of Repeated MFA Push Notifications\n\nMulti-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.\n\nThis rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.\n\n#### Possible investigation steps:\n\n- Identify the user who received the MFA notifications by reviewing the `user.email` field.\n- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.\n- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.\n- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.\n- Check if the MFA requests and the successful login occurred during the user's regular activity hours.\n- Look for any other suspicious activity on the account around the same time.\n- Identify whether the same pattern is repeated for other users in your organization. 
Multiple users receiving push notifications simultaneously might indicate a larger attack.\n\n### False positive analysis:\n\n- Determine if the MFA push notifications were legitimate. Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.\n- Check if there are known issues with the MFA system causing false denials.\n\n### Response and remediation:\n\n- If unauthorized access is confirmed, initiate your incident response process.\n- Alert the user and your IT department immediately.\n- If possible, isolate the user's account until the issue is resolved.\n- Investigate the source of the unauthorized access.\n- If the account was accessed by an unauthorized party, determine the actions they took after logging in.\n- Consider enhancing your MFA policy to prevent such incidents in the future.\n- Encourage users to report any unexpected MFA notifications immediately.\n- Review and update your incident response plans and security policies based on the findings from the incident.", "query": "sequence by okta.actor.id with maxspan=10m\n [authentication where event.dataset == \"okta.system\" and event.module == \"okta\"\n and event.action == \"user.mfa.okta_verify.deny_push\"] with runs=3\n [authentication where event.dataset == \"okta.system\" and event.module == \"okta\"\n and (event.action : (\n \"user.authentication.sso\",\n \"user.authentication.auth_via_mfa\",\n \"user.authentication.verify\",\n \"user.session.start\") and okta.outcome.result == \"SUCCESS\")]\n", "references": ["https://www.mandiant.com/resources/russian-targeting-gov-business", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", 
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.result", "type": "keyword"}], "risk_score": 73, "rule_id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1621", "name": "Multi-Factor Authentication Request Generation", "reference": "https://attack.mitre.org/techniques/T1621/"}]}], "type": "eql", "version": 212}, "id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_212", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_312.json b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_312.json new file mode 100644 index 00000000000..a09d14af6ea --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_312.json 
@@ -0,0 +1,89 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.",
+ "event_category_override": "event.category",
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Potentially Successful MFA Bombing via Push Notifications",
+ "note": "## Triage and analysis\n\n### Investigating Potential Abuse of Repeated MFA Push Notifications\n\nMulti-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.\n\nThis rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.\n\n#### Possible investigation steps:\n\n- Identify the user who received the MFA notifications by reviewing the `user.email` field.\n- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.\n- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.\n- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.\n- Check if the MFA requests and the successful login occurred during the user's regular activity hours.\n- Look for any other suspicious activity on the account around the same time.\n- Identify whether the same pattern is repeated for other users in your organization. 
Multiple users receiving push notifications simultaneously might indicate a larger attack.\n\n### False positive analysis:\n\n- Determine if the MFA push notifications were legitimate. Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.\n- Check if there are known issues with the MFA system causing false denials.\n\n### Response and remediation:\n\n- If unauthorized access is confirmed, initiate your incident response process.\n- Alert the user and your IT department immediately.\n- If possible, isolate the user's account until the issue is resolved.\n- Investigate the source of the unauthorized access.\n- If the account was accessed by an unauthorized party, determine the actions they took after logging in.\n- Consider enhancing your MFA policy to prevent such incidents in the future.\n- Encourage users to report any unexpected MFA notifications immediately.\n- Review and update your incident response plans and security policies based on the findings from the incident.",
+ "query": "sequence by okta.actor.id with maxspan=10m\n [authentication where event.dataset == \"okta.system\" and event.module == \"okta\"\n and event.action == \"user.mfa.okta_verify.deny_push\"] with runs=3\n [authentication where event.dataset == \"okta.system\" and event.module == \"okta\"\n and (event.action : (\n \"user.authentication.sso\",\n \"user.authentication.auth_via_mfa\",\n \"user.authentication.verify\",\n \"user.session.start\") and okta.outcome.result == \"SUCCESS\")]\n",
+ "references": [
+ "https://www.mandiant.com/resources/russian-targeting-gov-business",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta" + ], + "related_integrations": [ + { + "package": "okta", + "version": "^3.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.module", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.actor.id", + "type": "keyword" + }, + { + "ecs": false, + "name": "okta.outcome.result", + "type": "keyword" + } + ], + "risk_score": 73, + "rule_id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "high", + "tags": [ + "Use Case: Identity and Access Audit", + "Tactic: Credential Access", + "Data Source: Okta" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1621", + "name": "Multi-Factor Authentication Request Generation", + "reference": "https://attack.mitre.org/techniques/T1621/" + } + ] + } + ], + "type": "eql", + "version": 312 + }, + "id": "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7_312", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa.json b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa.json deleted file mode 100644 index 971c390cfa0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Zoom Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious Zoom Child Process\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `Zoom.exe` or exploiting a vulnerability in the application causing it to execute code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line of the child process to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}, {"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": 
"https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 314}, "id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_104.json b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_104.json deleted file mode 100644 index bb087cfcd28..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Zoom Child Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}, {"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 104}, "id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_105.json b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_105.json deleted file mode 100644 index c2567f3b6c1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Zoom Child Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}, {"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_106.json b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_106.json deleted file mode 100644 index 5dd4dcea188..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Zoom Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious Zoom Child Process\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `Zoom.exe` or exploiting a vulnerability in the application causing it to execute code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line of the child process to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}, {"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_107.json b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_107.json
deleted file mode 100644
index f49687e79d3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Zoom Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious Zoom Child Process\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `Zoom.exe` or exploiting a vulnerability in the application causing it to execute code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line of the child process to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}, {"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_108.json b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_108.json
deleted file mode 100644
index 66214fa7410..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Zoom Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious Zoom Child Process\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `Zoom.exe` or exploiting a vulnerability in the application causing it to execute code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line of the child process to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}, {"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, 
"id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_109.json b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_109.json
deleted file mode 100644
index 172995ba1a4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Zoom Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious Zoom Child Process\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `Zoom.exe` or exploiting a vulnerability in the application causing it to execute code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line of the child process to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}, {"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, 
"id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_110.json b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_110.json
deleted file mode 100644
index 385a6949c7f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Zoom Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious Zoom Child Process\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `Zoom.exe` or exploiting a vulnerability in the application causing it to execute code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line of the child process to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}, {"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, 
"id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_211.json b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_211.json
deleted file mode 100644
index 3b1822f0e8d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_211.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Zoom Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious Zoom Child Process\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `Zoom.exe` or exploiting a vulnerability in the application causing it to execute code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line of the child process to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}, {"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": 
"https://attack.mitre.org/techniques/T1203/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 211}, "id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa_211", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_312.json b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_312.json
deleted file mode 100644
index 1c1bc1e3c05..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_312.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Zoom Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious Zoom Child Process\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `Zoom.exe` or exploiting a vulnerability in the application causing it to execute code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line of the child process to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}, {"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": 
"https://attack.mitre.org/techniques/T1203/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 312}, "id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa_312", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_313.json b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_313.json
deleted file mode 100644
index f11cddf393e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_313.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Zoom Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious Zoom Child Process\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `Zoom.exe` or exploiting a vulnerability in the application causing it to execute code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line of the child process to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}, {"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": 
[{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 313}, "id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa_313", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_314.json b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_314.json
deleted file mode 100644
index 24361f570fb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_314.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Zoom Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious Zoom Child Process\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `Zoom.exe` or exploiting a vulnerability in the application causing it to execute code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line of the child process to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}, {"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": 
"https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 314}, "id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa_314", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_414.json b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_414.json
deleted file mode 100644
index a59ff899c42..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_414.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Zoom Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious Zoom Child Process\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `Zoom.exe` or exploiting a vulnerability in the application causing it to execute code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line of the child process to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}, {"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": 
"https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 414}, "id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa_414", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_415.json b/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_415.json
deleted file mode 100644
index 5d59f21e81b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/97aba1ef-6034-4bd3-8c1a-1e0996b27afa_415.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious Zoom child process was detected, which may indicate an attempt to run unnoticed. Verify process details such as command line, network connections, file writes and associated file signature details as well.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Zoom Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious Zoom Child Process\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading, and deserve further investigation.\n\nThis rule identifies a potential malicious process masquerading as `Zoom.exe` or exploiting a vulnerability in the application causing it to execute code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line of the child process to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"Zoom.exe\" and process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}, {"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", 
"reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 415}, "id": "97aba1ef-6034-4bd3-8c1a-1e0996b27afa_415", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68.json b/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68.json
deleted file mode 100644
index 9afc97e4019..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where VMware-related files, such as those with extensions like \".vmdk\", \".vmx\", \".vmxf\", \".vmsd\", \".vmsn\", \".vswp\", \".vmss\", \".nvram\", and \".vmem\", are renamed on a Linux system. The rule monitors for the \"rename\" event action associated with these file types, which could indicate malicious activity.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Renaming of ESXI Files", "query": "file where host.os.type == \"linux\" and event.action == \"rename\" and\nfile.Ext.original.name : (\"*.vmdk\", \"*.vmx\", \"*.vmxf\", \"*.vmsd\", \"*.vmsn\", \"*.vswp\", \"*.vmss\", \"*.nvram\", \"*.vmem\")\nand not file.name : (\"*.vmdk\", \"*.vmx\", \"*.vmxf\", \"*.vmsd\", \"*.vmsn\", \"*.vswp\", \"*.vmss\", \"*.nvram\", \"*.vmem\")\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.name", "type": "unknown"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "97db8b42-69d8-4bf3-9fd4-c69a1d895d68", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "97db8b42-69d8-4bf3-9fd4-c69a1d895d68", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_1.json b/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_1.json
deleted file mode 100644
index 10c45a38b2d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where VMware-related files, such as those with extensions like \".vmdk\", \".vmx\", \".vmxf\", \".vmsd\", \".vmsn\", \".vswp\", \".vmss\", \".nvram\", and \".vmem\", are renamed on a Linux system. The rule monitors for the \"rename\" event action associated with these file types, which could indicate malicious activity.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Renaming of ESXI Files", "query": "file where host.os.type == \"linux\" and event.action == \"rename\" and\nfile.Ext.original.name : (\"*.vmdk\", \"*.vmx\", \"*.vmxf\", \"*.vmsd\", \"*.vmsn\", \"*.vswp\", \"*.vmss\", \"*.nvram\", \"*.vmem\")\nand not file.name : (\"*.vmdk\", \"*.vmx\", \"*.vmxf\", \"*.vmsd\", \"*.vmsn\", \"*.vswp\", \"*.vmss\", \"*.nvram\", \"*.vmem\")\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.name", "type": "unknown"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "97db8b42-69d8-4bf3-9fd4-c69a1d895d68", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 1}, "id": "97db8b42-69d8-4bf3-9fd4-c69a1d895d68_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_2.json b/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_2.json
deleted file mode 100644
index 60f9ba1285d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where VMware-related files, such as those with extensions like \".vmdk\", \".vmx\", \".vmxf\", \".vmsd\", \".vmsn\", \".vswp\", \".vmss\", \".nvram\", and \".vmem\", are renamed on a Linux system. The rule monitors for the \"rename\" event action associated with these file types, which could indicate malicious activity.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Renaming of ESXI Files", "query": "file where host.os.type == \"linux\" and event.action == \"rename\" and\nfile.Ext.original.name : (\"*.vmdk\", \"*.vmx\", \"*.vmxf\", \"*.vmsd\", \"*.vmsn\", \"*.vswp\", \"*.vmss\", \"*.nvram\", \"*.vmem\")\nand not file.name : (\"*.vmdk\", \"*.vmx\", \"*.vmxf\", \"*.vmsd\", \"*.vmsn\", \"*.vswp\", \"*.vmss\", \"*.nvram\", \"*.vmem\")\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.name", "type": "unknown"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "97db8b42-69d8-4bf3-9fd4-c69a1d895d68", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "97db8b42-69d8-4bf3-9fd4-c69a1d895d68_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_3.json b/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_3.json deleted file mode 100644 index 7ef8470fcf1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where VMware-related files, such as those with extensions like \".vmdk\", \".vmx\", \".vmxf\", \".vmsd\", \".vmsn\", \".vswp\", \".vmss\", \".nvram\", and \".vmem\", are renamed on a Linux system. The rule monitors for the \"rename\" event action associated with these file types, which could indicate malicious activity.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Renaming of ESXI Files", "query": "file where host.os.type == \"linux\" and event.action == \"rename\" and\nfile.Ext.original.name : (\"*.vmdk\", \"*.vmx\", \"*.vmxf\", \"*.vmsd\", \"*.vmsn\", \"*.vswp\", \"*.vmss\", \"*.nvram\", \"*.vmem\")\nand not file.name : (\"*.vmdk\", \"*.vmx\", \"*.vmxf\", \"*.vmsd\", \"*.vmsn\", \"*.vswp\", \"*.vmss\", \"*.nvram\", \"*.vmem\")\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.name", "type": "unknown"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "97db8b42-69d8-4bf3-9fd4-c69a1d895d68", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": 
"https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "97db8b42-69d8-4bf3-9fd4-c69a1d895d68_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_4.json b/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_4.json deleted file mode 100644 index 1ba324475f9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where VMware-related files, such as those with extensions like \".vmdk\", \".vmx\", \".vmxf\", \".vmsd\", \".vmsn\", \".vswp\", \".vmss\", \".nvram\", and \".vmem\", are renamed on a Linux system. The rule monitors for the \"rename\" event action associated with these file types, which could indicate malicious activity.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Renaming of ESXI Files", "query": "file where host.os.type == \"linux\" and event.action == \"rename\" and\nfile.Ext.original.name : (\"*.vmdk\", \"*.vmx\", \"*.vmxf\", \"*.vmsd\", \"*.vmsn\", \"*.vswp\", \"*.vmss\", \"*.nvram\", \"*.vmem\")\nand not file.name : (\"*.vmdk\", \"*.vmx\", \"*.vmxf\", \"*.vmsd\", \"*.vmsn\", \"*.vswp\", \"*.vmss\", \"*.nvram\", \"*.vmem\")\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.name", "type": "unknown"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "97db8b42-69d8-4bf3-9fd4-c69a1d895d68", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "97db8b42-69d8-4bf3-9fd4-c69a1d895d68_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_5.json b/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_5.json deleted file mode 100644 index e797edd4675..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/97db8b42-69d8-4bf3-9fd4-c69a1d895d68_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where VMware-related files, such as those with extensions like \".vmdk\", \".vmx\", \".vmxf\", \".vmsd\", \".vmsn\", \".vswp\", \".vmss\", \".nvram\", and \".vmem\", are renamed on a Linux system. The rule monitors for the \"rename\" event action associated with these file types, which could indicate malicious activity.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Renaming of ESXI Files", "query": "file where host.os.type == \"linux\" and event.action == \"rename\" and\nfile.Ext.original.name : (\"*.vmdk\", \"*.vmx\", \"*.vmxf\", \"*.vmsd\", \"*.vmsn\", \"*.vswp\", \"*.vmss\", \"*.nvram\", \"*.vmem\")\nand not file.name : (\"*.vmdk\", \"*.vmx\", \"*.vmxf\", \"*.vmsd\", \"*.vmsn\", \"*.vswp\", \"*.vmss\", \"*.nvram\", \"*.vmem\")\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.name", "type": "unknown"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "97db8b42-69d8-4bf3-9fd4-c69a1d895d68", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "97db8b42-69d8-4bf3-9fd4-c69a1d895d68_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f.json b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f.json deleted file mode 100644 index 48ac7a6dd51..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*"], "language": "eql", "license": "Elastic License v2", "name": "Startup or Run Key Registry Modification", "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like 
reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and \n registry.data.strings != null and registry.hive : (\"HKEY_USERS\", \"HKLM\") and\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n /* Users Hive */\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add common legitimate changes without being too restrictive as this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n not (\n /* Logitech G Hub */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Logitech Inc\" and\n (\n process.name : \"lghub_agent.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\LGHUB\\\\lghub.exe\\\" --background\",\n \"\\\"?:\\\\Program Files\\\\LGHUB\\\\system_tray\\\\lghub_system_tray.exe\\\" --minimized\"\n )\n ) or\n (\n process.name : \"LogiBolt.exe\" and registry.data.strings : (\n \"?:\\\\Program Files\\\\Logi\\\\LogiBolt\\\\LogiBolt.exe --startup\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Logi\\\\LogiBolt\\\\LogiBolt.exe --startup\"\n )\n )\n ) or\n\n /* Google Drive File Stream, Chrome, and Google Update */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Google LLC\" and\n (\n process.name : \"GoogleDriveFS.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\*\\\\GoogleDriveFS.exe\\\" --startup_mode\"\n ) or\n\n process.name : \"chrome.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\",\n \"\\\"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\"\n ) or\n\n process.name : \"GoogleUpdate.exe\" and registry.data.strings : (\n 
\"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Update\\\\*\\\\GoogleUpdateCore.exe\\\"\"\n )\n )\n ) or\n\n /* MS Programs */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name in (\"Microsoft Windows\", \"Microsoft Corporation\") and\n (\n process.name : \"msedge.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --no-startup-window --win-session-start /prefetch:5\",\n \"\\\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --win-session-start\",\n \"\\\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --no-startup-window --win-session-start\"\n ) or\n\n process.name : (\"Update.exe\", \"Teams.exe\") and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe --processStart \\\"Teams.exe\\\" --process-start-args \\\"--system-initiated\\\"\",\n \"?:\\\\ProgramData\\\\*\\\\Microsoft\\\\Teams\\\\Update.exe --processStart \\\"Teams.exe\\\" --process-start-args \\\"--system-initiated\\\"\"\n ) or\n\n process.name : \"OneDriveStandaloneUpdater.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\Microsoft.SharePoint.exe\"\n ) or\n\n process.name : \"OneDriveSetup.exe\" and\n registry.data.strings : (\n \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\",\n \"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe /background*\",\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" /background*\",\n \"?:\\\\Program Files\\\\Microsoft OneDrive\\\\OneDrive.exe /background *\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\??.???.????.????\\\\Microsoft.SharePoint.exe\"\n ) or\n \n process.name : \"OneDrive.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program 
Files\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" /background\",\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" /background\",\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\\\" /background\"\n ) or\n \n process.name : \"Microsoft.SharePoint.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\??.???.????.????\\\\Microsoft.SharePoint.exe\"\n ) or\n \n process.name : \"MicrosoftEdgeUpdate.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\Expedient\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\*\\\\MicrosoftEdgeUpdateCore.exe\\\"\"\n ) or\n \n process.executable : \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\Installer\\\\setup.exe\" and\n registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\Installer\\\\setup.exe\\\" --msedgewebview --delete-old-versions --system-level --verbose-logging --on-logon\"\n )\n )\n ) or\n\n /* Slack */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name in (\n \"Slack Technologies, Inc.\", \"Slack Technologies, LLC\"\n ) and process.name : \"slack.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\slack\\\\slack.exe\\\" --process-start-args --startup\",\n \"\\\"?:\\\\ProgramData\\\\*\\\\slack\\\\slack.exe\\\" --process-start-args --startup\",\n \"\\\"?:\\\\Program Files\\\\Slack\\\\slack.exe\\\" --process-start-args --startup\"\n )\n ) or\n\n /* Cisco */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name in (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and\n (\n process.name : \"WebexHost.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe\\\" /daemon /runFrom=autorun\"\n )\n ) or\n (\n process.name : \"CiscoJabber.exe\" and registry.data.strings : (\n 
\"\\\"?:\\\\Program Files (x86)\\\\Cisco Systems\\\\Cisco Jabber\\\\CiscoJabber.exe\\\" /min\"\n )\n )\n ) or\n\n /* Loom */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Loom, Inc.\" and\n process.name : \"Loom.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Loom\\\\Loom.exe --process-start-args \\\"--loomHidden\\\"\"\n )\n ) or\n\n /* Adobe */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Adobe Inc.\" and\n process.name : (\"Acrobat.exe\", \"FlashUtil32_*_Plugin.exe\") and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\AdobeCollabSync.exe\\\"\",\n \"\\\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\AdobeCollabSync.exe\\\"\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\Macromed\\\\Flash\\\\FlashUtil32_*_Plugin.exe -update plugin\"\n )\n ) or\n\n /* CCleaner */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"PIRIFORM SOFTWARE LIMITED\" and\n process.name : (\"CCleanerBrowser.exe\", \"CCleaner64.exe\") and registry.data.strings : (\n \"\\\"C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe\\\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\\\"Default\\\"\",\n \"\\\"C:\\\\Program Files\\\\CCleaner\\\\CCleaner64.exe\\\" /MONITOR\"\n )\n ) or\n\n /* Opera */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Opera Norway AS\" and\n process.name : \"opera.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\launcher.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera GX\\\\launcher.exe\"\n )\n ) or\n\n /* Avast */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Avast Software s.r.o.\" and\n process.name : \"AvastBrowser.exe\" and registry.data.strings : 
(\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\AVAST Software\\\\Browser\\\\Application\\\\AvastBrowser.exe\\\" --check-run=src=logon --auto-launch-at-startup*\",\n \"\\\"?:\\\\Program Files (x86)\\\\AVAST Software\\\\Browser\\\\Application\\\\AvastBrowser.exe\\\" --check-run=src=logon --auto-launch-at-startup*\",\n \"\"\n )\n ) or\n\n /* Grammarly */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Grammarly, Inc.\" and\n process.name : \"GrammarlyInstaller.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Grammarly\\\\DesktopIntegrations\\\\Grammarly.Desktop.exe\"\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.hive", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "97fc44d3-8dae-4019-ae83-298c3015600f", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": 
"https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", "timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "97fc44d3-8dae-4019-ae83-298c3015600f", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_104.json b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_104.json deleted file mode 100644 index ea09d88d3b7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Startup or Run Key Registry Modification", "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. 
Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and registry.data.strings != null and\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n /* Users Hive */\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add common legitimate changes without being too restrictive as this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n not (process.name : \"OneDriveSetup.exe\" and\n registry.value : (\"Delete Cached Standalone Update Binary\", \"Delete Cached Update Binary\", \"amd64\", \"Uninstall *\") and\n registry.data.strings : \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], 
"risk_score": 21, "rule_id": "97fc44d3-8dae-4019-ae83-298c3015600f", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", "timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "97fc44d3-8dae-4019-ae83-298c3015600f_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_105.json b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_105.json deleted file mode 100644 index d5b47e4e9d8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Startup or Run Key Registry Modification", "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like 
reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and registry.data.strings != null and\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n /* Users Hive */\n 
\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add common legitimate changes without being too restrictive as this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n user.id not in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n not (process.name : \"OneDriveSetup.exe\" and\n registry.value : (\"Delete Cached Standalone Update Binary\", \"Delete Cached Update Binary\", \"amd64\", \"Uninstall *\") and\n registry.data.strings : \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], 
"required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "97fc44d3-8dae-4019-ae83-298c3015600f", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", "timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "97fc44d3-8dae-4019-ae83-298c3015600f_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_106.json b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_106.json deleted file mode 100644 index d65611b84b7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Startup or Run Key Registry Modification", "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like 
reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and registry.data.strings != null and\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n /* Users Hive */\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add common legitimate changes without being too restrictive as 
this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n not (\n /* Logitech G Hub */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : \"Logitech Inc\" and\n process.name : \"lghub_agent.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\LGHUB\\\\lghub.exe\\\" --background\"\n )\n ) or\n\n /* Google Drive File Stream, Chrome, and Google Update */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : \"Google LLC\" and\n (\n process.name : \"GoogleDriveFS.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\*\\\\GoogleDriveFS.exe\\\" --startup_mode\"\n ) or\n\n process.name : \"chrome.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\",\n \"\\\"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\"\n ) or\n\n process.name : \"GoogleUpdate.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Update\\\\*\\\\GoogleUpdateCore.exe\\\"\"\n )\n )\n ) or\n\n /* MS Programs */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : (\"Microsoft Windows\", \"Microsoft Corporation\") and\n (\n process.name : \"msedge.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --no-startup-window --win-session-start /prefetch:5\"\n ) or\n\n 
process.name : (\"Update.exe\", \"Teams.exe\") and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe --processStart \\\"Teams.exe\\\" --process-start-args \\\"--system-initiated\\\"\"\n ) or\n\n process.name : \"OneDriveStandaloneUpdater.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\Microsoft.SharePoint.exe\"\n ) or\n\n process.name : \"OneDriveSetup.exe\" and\n registry.value : (\n \"Delete Cached Standalone Update Binary\", \"Delete Cached Update Binary\", \"amd64\", \"Uninstall *\", \"i386\", \"OneDrive\"\n ) and\n registry.data.strings : (\n \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\",\n \"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe /background *\",\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" /background *\",\n \"?:\\\\Program Files\\\\Microsoft OneDrive\\\\OneDrive.exe /background *\"\n )\n )\n ) or\n\n /* Slack */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : \"Slack Technologies, Inc.\" and\n process.name : \"slack.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\slack\\\\slack.exe\\\" --process-start-args --startup\"\n )\n ) or\n\n /* WebEx */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and\n process.name : \"WebexHost.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe\\\" /daemon /runFrom=autorun\"\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": 
"process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "97fc44d3-8dae-4019-ae83-298c3015600f", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", "timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "97fc44d3-8dae-4019-ae83-298c3015600f_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_107.json b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_107.json deleted file mode 100644 index 99cd3b89cfc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Startup or Run Key Registry Modification", "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like 
reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and registry.data.strings != null and\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n /* Users Hive */\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add common legitimate changes without being too restrictive as 
this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n not (\n /* Logitech G Hub */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : \"Logitech Inc\" and\n process.name : \"lghub_agent.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\LGHUB\\\\lghub.exe\\\" --background\"\n )\n ) or\n\n /* Google Drive File Stream, Chrome, and Google Update */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : \"Google LLC\" and\n (\n process.name : \"GoogleDriveFS.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\*\\\\GoogleDriveFS.exe\\\" --startup_mode\"\n ) or\n\n process.name : \"chrome.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\",\n \"\\\"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\"\n ) or\n\n process.name : \"GoogleUpdate.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Update\\\\*\\\\GoogleUpdateCore.exe\\\"\"\n )\n )\n ) or\n\n /* MS Programs */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : (\"Microsoft Windows\", \"Microsoft Corporation\") and\n (\n process.name : \"msedge.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --no-startup-window --win-session-start /prefetch:5\"\n ) or\n\n 
process.name : (\"Update.exe\", \"Teams.exe\") and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe --processStart \\\"Teams.exe\\\" --process-start-args \\\"--system-initiated\\\"\"\n ) or\n\n process.name : \"OneDriveStandaloneUpdater.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\Microsoft.SharePoint.exe\"\n ) or\n\n process.name : \"OneDriveSetup.exe\" and\n registry.value : (\n \"Delete Cached Standalone Update Binary\", \"Delete Cached Update Binary\", \"amd64\", \"Uninstall *\", \"i386\", \"OneDrive\"\n ) and\n registry.data.strings : (\n \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\",\n \"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe /background *\",\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" /background *\",\n \"?:\\\\Program Files\\\\Microsoft OneDrive\\\\OneDrive.exe /background *\"\n )\n )\n ) or\n\n /* Slack */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : \"Slack Technologies, Inc.\" and\n process.name : \"slack.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\slack\\\\slack.exe\\\" --process-start-args --startup\"\n )\n ) or\n\n /* WebEx */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name : (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and\n process.name : \"WebexHost.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe\\\" /daemon /runFrom=autorun\"\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": 
"process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "97fc44d3-8dae-4019-ae83-298c3015600f", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", "timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "97fc44d3-8dae-4019-ae83-298c3015600f_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_108.json b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_108.json deleted file mode 100644 index c76f34f2653..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Startup or Run Key Registry Modification", "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like 
reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and registry.data.strings != null and\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n /* Users Hive */\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add common legitimate changes without being too restrictive as 
this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n not (\n /* Logitech G Hub */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Logitech Inc\" and\n process.name : \"lghub_agent.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\LGHUB\\\\lghub.exe\\\" --background\"\n )\n ) or\n\n /* Google Drive File Stream, Chrome, and Google Update */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Google LLC\" and\n (\n process.name : \"GoogleDriveFS.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\*\\\\GoogleDriveFS.exe\\\" --startup_mode\"\n ) or\n\n process.name : \"chrome.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\",\n \"\\\"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\"\n ) or\n\n process.name : \"GoogleUpdate.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Update\\\\*\\\\GoogleUpdateCore.exe\\\"\"\n )\n )\n ) or\n\n /* MS Programs */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name in (\"Microsoft Windows\", \"Microsoft Corporation\") and\n (\n process.name : \"msedge.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --no-startup-window --win-session-start /prefetch:5\"\n ) or\n\n 
process.name : (\"Update.exe\", \"Teams.exe\") and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe --processStart \\\"Teams.exe\\\" --process-start-args \\\"--system-initiated\\\"\"\n ) or\n\n process.name : \"OneDriveStandaloneUpdater.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\Microsoft.SharePoint.exe\"\n ) or\n\n process.name : \"OneDriveSetup.exe\" and\n registry.value : (\n \"Delete Cached Standalone Update Binary\", \"Delete Cached Update Binary\", \"amd64\", \"Uninstall *\", \"i386\", \"OneDrive\"\n ) and\n registry.data.strings : (\n \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\",\n \"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe /background *\",\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" /background *\",\n \"?:\\\\Program Files\\\\Microsoft OneDrive\\\\OneDrive.exe /background *\"\n )\n )\n ) or\n\n /* Slack */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name in (\n \"Slack Technologies, Inc.\", \"Slack Technologies, LLC\"\n ) and process.name : \"slack.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\slack\\\\slack.exe\\\" --process-start-args --startup\"\n )\n ) or\n\n /* WebEx */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name in (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and\n process.name : \"WebexHost.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe\\\" /daemon /runFrom=autorun\"\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, 
"name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "97fc44d3-8dae-4019-ae83-298c3015600f", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", "timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "97fc44d3-8dae-4019-ae83-298c3015600f_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_109.json b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_109.json deleted file mode 100644 index 1544268642c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Startup or Run Key Registry Modification", "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like 
reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and registry.data.strings != null and\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n /* Users Hive */\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add common legitimate changes without being too restrictive as 
this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n not (\n /* Logitech G Hub */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Logitech Inc\" and\n process.name : \"lghub_agent.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\LGHUB\\\\lghub.exe\\\" --background\"\n )\n ) or\n\n /* Google Drive File Stream, Chrome, and Google Update */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Google LLC\" and\n (\n process.name : \"GoogleDriveFS.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\*\\\\GoogleDriveFS.exe\\\" --startup_mode\"\n ) or\n\n process.name : \"chrome.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\",\n \"\\\"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\"\n ) or\n\n process.name : \"GoogleUpdate.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Update\\\\*\\\\GoogleUpdateCore.exe\\\"\"\n )\n )\n ) or\n\n /* MS Programs */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name in (\"Microsoft Windows\", \"Microsoft Corporation\") and\n (\n process.name : \"msedge.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --no-startup-window --win-session-start /prefetch:5\"\n ) or\n\n 
process.name : (\"Update.exe\", \"Teams.exe\") and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe --processStart \\\"Teams.exe\\\" --process-start-args \\\"--system-initiated\\\"\"\n ) or\n\n process.name : \"OneDriveStandaloneUpdater.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\Microsoft.SharePoint.exe\"\n ) or\n\n process.name : \"OneDriveSetup.exe\" and\n registry.value : (\n \"Delete Cached Standalone Update Binary\", \"Delete Cached Update Binary\", \"amd64\", \"Uninstall *\", \"i386\", \"OneDrive\"\n ) and\n registry.data.strings : (\n \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\",\n \"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe /background *\",\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" /background *\",\n \"?:\\\\Program Files\\\\Microsoft OneDrive\\\\OneDrive.exe /background *\"\n )\n )\n ) or\n\n /* Slack */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name in (\n \"Slack Technologies, Inc.\", \"Slack Technologies, LLC\"\n ) and process.name : \"slack.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\slack\\\\slack.exe\\\" --process-start-args --startup\"\n )\n ) or\n\n /* WebEx */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name in (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and\n process.name : \"WebexHost.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe\\\" /daemon /runFrom=autorun\"\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, 
"name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "97fc44d3-8dae-4019-ae83-298c3015600f", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", "timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "97fc44d3-8dae-4019-ae83-298c3015600f_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_110.json b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_110.json
deleted file mode 100644
index fa252047651..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Startup or Run Key Registry Modification", "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like 
reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and registry.data.strings != null and\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n /* Users Hive */\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add common legitimate changes without being too restrictive as 
this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n not (\n /* Logitech G Hub */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Logitech Inc\" and\n (\n process.name : \"lghub_agent.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\LGHUB\\\\lghub.exe\\\" --background\",\n \"\\\"?:\\\\Program Files\\\\LGHUB\\\\system_tray\\\\lghub_system_tray.exe\\\" --minimized\"\n )\n ) or\n (\n process.name : \"LogiBolt.exe\" and registry.data.strings : (\n \"?:\\\\Program Files\\\\Logi\\\\LogiBolt\\\\LogiBolt.exe --startup\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Logi\\\\LogiBolt\\\\LogiBolt.exe --startup\"\n )\n )\n ) or\n\n /* Google Drive File Stream, Chrome, and Google Update */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Google LLC\" and\n (\n process.name : \"GoogleDriveFS.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\*\\\\GoogleDriveFS.exe\\\" --startup_mode\"\n ) or\n\n process.name : \"chrome.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\",\n \"\\\"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\"\n ) or\n\n process.name : \"GoogleUpdate.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Update\\\\*\\\\GoogleUpdateCore.exe\\\"\"\n )\n )\n ) or\n\n /* MS Programs */\n (\n 
process.code_signature.trusted == true and process.code_signature.subject_name in (\"Microsoft Windows\", \"Microsoft Corporation\") and\n (\n process.name : \"msedge.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --no-startup-window --win-session-start /prefetch:5\",\n \"\\\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --win-session-start\",\n \"\\\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --no-startup-window --win-session-start\"\n ) or\n\n process.name : (\"Update.exe\", \"Teams.exe\") and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe --processStart \\\"Teams.exe\\\" --process-start-args \\\"--system-initiated\\\"\",\n \"?:\\\\ProgramData\\\\*\\\\Microsoft\\\\Teams\\\\Update.exe --processStart \\\"Teams.exe\\\" --process-start-args \\\"--system-initiated\\\"\"\n ) or\n\n process.name : \"OneDriveStandaloneUpdater.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\Microsoft.SharePoint.exe\"\n ) or\n\n process.name : \"OneDriveSetup.exe\" and\n registry.data.strings : (\n \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\",\n \"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe /background*\",\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" /background*\",\n \"?:\\\\Program Files\\\\Microsoft OneDrive\\\\OneDrive.exe /background *\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\??.???.????.????\\\\Microsoft.SharePoint.exe\"\n ) or\n \n process.name : \"OneDrive.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" /background\",\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" 
/background\",\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\\\" /background\"\n ) or\n \n process.name : \"Microsoft.SharePoint.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\??.???.????.????\\\\Microsoft.SharePoint.exe\"\n ) or\n \n process.name : \"MicrosoftEdgeUpdate.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\Expedient\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\*\\\\MicrosoftEdgeUpdateCore.exe\\\"\"\n ) or\n \n process.executable : \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\Installer\\\\setup.exe\" and\n registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\Installer\\\\setup.exe\\\" --msedgewebview --delete-old-versions --system-level --verbose-logging --on-logon\"\n )\n )\n ) or\n\n /* Slack */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name in (\n \"Slack Technologies, Inc.\", \"Slack Technologies, LLC\"\n ) and process.name : \"slack.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\slack\\\\slack.exe\\\" --process-start-args --startup\",\n \"\\\"?:\\\\ProgramData\\\\*\\\\slack\\\\slack.exe\\\" --process-start-args --startup\",\n \"\\\"?:\\\\Program Files\\\\Slack\\\\slack.exe\\\" --process-start-args --startup\"\n )\n ) or\n\n /* Cisco */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name in (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and\n (\n process.name : \"WebexHost.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe\\\" /daemon /runFrom=autorun\"\n )\n ) or\n (\n process.name : \"CiscoJabber.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Cisco Systems\\\\Cisco Jabber\\\\CiscoJabber.exe\\\" /min\"\n )\n )\n ) or\n\n /* Loom */\n (\n 
process.code_signature.trusted == true and process.code_signature.subject_name == \"Loom, Inc.\" and\n process.name : \"Loom.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Loom\\\\Loom.exe --process-start-args \\\"--loomHidden\\\"\"\n )\n ) or\n\n /* Adobe */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Adobe Inc.\" and\n process.name : (\"Acrobat.exe\", \"FlashUtil32_*_Plugin.exe\") and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\AdobeCollabSync.exe\\\"\",\n \"\\\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\AdobeCollabSync.exe\\\"\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\Macromed\\\\Flash\\\\FlashUtil32_*_Plugin.exe -update plugin\"\n )\n ) or\n\n /* CCleaner */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"PIRIFORM SOFTWARE LIMITED\" and\n process.name : (\"CCleanerBrowser.exe\", \"CCleaner64.exe\") and registry.data.strings : (\n \"\\\"C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe\\\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\\\"Default\\\"\",\n \"\\\"C:\\\\Program Files\\\\CCleaner\\\\CCleaner64.exe\\\" /MONITOR\"\n )\n ) or\n\n /* Opera */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Opera Norway AS\" and\n process.name : \"opera.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\launcher.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera GX\\\\launcher.exe\"\n )\n ) or\n\n /* Avast */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Avast Software s.r.o.\" and\n process.name : \"AvastBrowser.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\AVAST Software\\\\Browser\\\\Application\\\\AvastBrowser.exe\\\" 
--check-run=src=logon --auto-launch-at-startup*\",\n \"\\\"?:\\\\Program Files (x86)\\\\AVAST Software\\\\Browser\\\\Application\\\\AvastBrowser.exe\\\" --check-run=src=logon --auto-launch-at-startup*\",\n \"\"\n )\n ) or\n\n /* Grammarly */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Grammarly, Inc.\" and\n process.name : \"GrammarlyInstaller.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Grammarly\\\\DesktopIntegrations\\\\Grammarly.Desktop.exe\"\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "97fc44d3-8dae-4019-ae83-298c3015600f", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", 
"timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "97fc44d3-8dae-4019-ae83-298c3015600f_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_111.json b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_111.json
deleted file mode 100644
index c50f0d8a32f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*"], "language": "eql", "license": "Elastic License v2", "name": "Startup or Run Key Registry Modification", "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like 
reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and registry.data.strings != null and\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n /* Users Hive */\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add common legitimate changes without being too restrictive as 
this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n not (\n /* Logitech G Hub */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Logitech Inc\" and\n (\n process.name : \"lghub_agent.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\LGHUB\\\\lghub.exe\\\" --background\",\n \"\\\"?:\\\\Program Files\\\\LGHUB\\\\system_tray\\\\lghub_system_tray.exe\\\" --minimized\"\n )\n ) or\n (\n process.name : \"LogiBolt.exe\" and registry.data.strings : (\n \"?:\\\\Program Files\\\\Logi\\\\LogiBolt\\\\LogiBolt.exe --startup\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Logi\\\\LogiBolt\\\\LogiBolt.exe --startup\"\n )\n )\n ) or\n\n /* Google Drive File Stream, Chrome, and Google Update */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Google LLC\" and\n (\n process.name : \"GoogleDriveFS.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\*\\\\GoogleDriveFS.exe\\\" --startup_mode\"\n ) or\n\n process.name : \"chrome.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\",\n \"\\\"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\"\n ) or\n\n process.name : \"GoogleUpdate.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Update\\\\*\\\\GoogleUpdateCore.exe\\\"\"\n )\n )\n ) or\n\n /* MS Programs */\n (\n 
process.code_signature.trusted == true and process.code_signature.subject_name in (\"Microsoft Windows\", \"Microsoft Corporation\") and\n (\n process.name : \"msedge.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --no-startup-window --win-session-start /prefetch:5\",\n \"\\\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --win-session-start\",\n \"\\\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --no-startup-window --win-session-start\"\n ) or\n\n process.name : (\"Update.exe\", \"Teams.exe\") and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe --processStart \\\"Teams.exe\\\" --process-start-args \\\"--system-initiated\\\"\",\n \"?:\\\\ProgramData\\\\*\\\\Microsoft\\\\Teams\\\\Update.exe --processStart \\\"Teams.exe\\\" --process-start-args \\\"--system-initiated\\\"\"\n ) or\n\n process.name : \"OneDriveStandaloneUpdater.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\Microsoft.SharePoint.exe\"\n ) or\n\n process.name : \"OneDriveSetup.exe\" and\n registry.data.strings : (\n \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\",\n \"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe /background*\",\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" /background*\",\n \"?:\\\\Program Files\\\\Microsoft OneDrive\\\\OneDrive.exe /background *\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\??.???.????.????\\\\Microsoft.SharePoint.exe\"\n ) or\n \n process.name : \"OneDrive.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" /background\",\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" 
/background\",\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\\\" /background\"\n ) or\n \n process.name : \"Microsoft.SharePoint.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\??.???.????.????\\\\Microsoft.SharePoint.exe\"\n ) or\n \n process.name : \"MicrosoftEdgeUpdate.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\Expedient\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\*\\\\MicrosoftEdgeUpdateCore.exe\\\"\"\n ) or\n \n process.executable : \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\Installer\\\\setup.exe\" and\n registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\Installer\\\\setup.exe\\\" --msedgewebview --delete-old-versions --system-level --verbose-logging --on-logon\"\n )\n )\n ) or\n\n /* Slack */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name in (\n \"Slack Technologies, Inc.\", \"Slack Technologies, LLC\"\n ) and process.name : \"slack.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\slack\\\\slack.exe\\\" --process-start-args --startup\",\n \"\\\"?:\\\\ProgramData\\\\*\\\\slack\\\\slack.exe\\\" --process-start-args --startup\",\n \"\\\"?:\\\\Program Files\\\\Slack\\\\slack.exe\\\" --process-start-args --startup\"\n )\n ) or\n\n /* Cisco */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name in (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and\n (\n process.name : \"WebexHost.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe\\\" /daemon /runFrom=autorun\"\n )\n ) or\n (\n process.name : \"CiscoJabber.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Cisco Systems\\\\Cisco Jabber\\\\CiscoJabber.exe\\\" /min\"\n )\n )\n ) or\n\n /* Loom */\n (\n 
process.code_signature.trusted == true and process.code_signature.subject_name == \"Loom, Inc.\" and\n process.name : \"Loom.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Loom\\\\Loom.exe --process-start-args \\\"--loomHidden\\\"\"\n )\n ) or\n\n /* Adobe */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Adobe Inc.\" and\n process.name : (\"Acrobat.exe\", \"FlashUtil32_*_Plugin.exe\") and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\AdobeCollabSync.exe\\\"\",\n \"\\\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\AdobeCollabSync.exe\\\"\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\Macromed\\\\Flash\\\\FlashUtil32_*_Plugin.exe -update plugin\"\n )\n ) or\n\n /* CCleaner */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"PIRIFORM SOFTWARE LIMITED\" and\n process.name : (\"CCleanerBrowser.exe\", \"CCleaner64.exe\") and registry.data.strings : (\n \"\\\"C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe\\\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\\\"Default\\\"\",\n \"\\\"C:\\\\Program Files\\\\CCleaner\\\\CCleaner64.exe\\\" /MONITOR\"\n )\n ) or\n\n /* Opera */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Opera Norway AS\" and\n process.name : \"opera.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\launcher.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera GX\\\\launcher.exe\"\n )\n ) or\n\n /* Avast */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Avast Software s.r.o.\" and\n process.name : \"AvastBrowser.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\AVAST Software\\\\Browser\\\\Application\\\\AvastBrowser.exe\\\" 
--check-run=src=logon --auto-launch-at-startup*\",\n \"\\\"?:\\\\Program Files (x86)\\\\AVAST Software\\\\Browser\\\\Application\\\\AvastBrowser.exe\\\" --check-run=src=logon --auto-launch-at-startup*\",\n \"\"\n )\n ) or\n\n /* Grammarly */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Grammarly, Inc.\" and\n process.name : \"GrammarlyInstaller.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Grammarly\\\\DesktopIntegrations\\\\Grammarly.Desktop.exe\"\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "97fc44d3-8dae-4019-ae83-298c3015600f", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", 
"timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "97fc44d3-8dae-4019-ae83-298c3015600f_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_112.json b/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_112.json
deleted file mode 100644
index c5278ab7064..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/97fc44d3-8dae-4019-ae83-298c3015600f_112.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies run key or startup key registry modifications. In order to survive reboots and other system interrupts, attackers will modify run keys within the registry or leverage startup folder items as a form of persistence.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*"], "language": "eql", "license": "Elastic License v2", "name": "Startup or Run Key Registry Modification", "note": "## Triage and analysis\n\n### Investigating Startup or Run Key Registry Modification\n\nAdversaries may achieve persistence by referencing a program with a registry run key. Adding an entry to the run keys in the registry will cause the program referenced to be executed when a user logs in. These programs will executed under the context of the user and will have the account's permissions. This rule looks for this behavior by monitoring a range of registry run keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to registry run keys. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before undertaking further investigation, verify that this activity is not benign.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n- Startup Persistence by a Suspicious Process - 440e2db4-bc7f-4c96-a068-65b78da59bde\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like 
reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and \n registry.data.strings != null and registry.hive : (\"HKEY_USERS\", \"HKLM\") and\n registry.path : (\n /* Machine Hive */\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\",\n /* Users Hive */\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\*\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\Winlogon\\\\Shell\\\\*\"\n ) and\n /* add common legitimate changes without being too restrictive as this is one of the most abused AESPs */\n not registry.data.strings : \"ctfmon.exe /n\" and\n not (registry.value : \"Application Restart #*\" and process.name : \"csrss.exe\") and\n not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not registry.data.strings : (\"?:\\\\Program Files\\\\*.exe\", \"?:\\\\Program Files (x86)\\\\*.exe\") and\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\") and\n not (\n /* Logitech G Hub */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Logitech Inc\" and\n (\n process.name : \"lghub_agent.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\LGHUB\\\\lghub.exe\\\" --background\",\n \"\\\"?:\\\\Program Files\\\\LGHUB\\\\system_tray\\\\lghub_system_tray.exe\\\" --minimized\"\n )\n ) or\n (\n process.name : \"LogiBolt.exe\" and registry.data.strings : (\n \"?:\\\\Program Files\\\\Logi\\\\LogiBolt\\\\LogiBolt.exe --startup\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Logi\\\\LogiBolt\\\\LogiBolt.exe --startup\"\n )\n )\n ) or\n\n /* Google Drive File Stream, Chrome, and Google Update */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Google LLC\" and\n (\n process.name : \"GoogleDriveFS.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Drive File Stream\\\\*\\\\GoogleDriveFS.exe\\\" --startup_mode\"\n ) or\n\n process.name : \"chrome.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\",\n \"\\\"?:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\\\" --no-startup-window /prefetch:5\"\n ) or\n\n process.name : \"GoogleUpdate.exe\" and registry.data.strings : (\n 
\"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Update\\\\*\\\\GoogleUpdateCore.exe\\\"\"\n )\n )\n ) or\n\n /* MS Programs */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name in (\"Microsoft Windows\", \"Microsoft Corporation\") and\n (\n process.name : \"msedge.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --no-startup-window --win-session-start /prefetch:5\",\n \"\\\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --win-session-start\",\n \"\\\"C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe\\\" --no-startup-window --win-session-start\"\n ) or\n\n process.name : (\"Update.exe\", \"Teams.exe\") and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\Update.exe --processStart \\\"Teams.exe\\\" --process-start-args \\\"--system-initiated\\\"\",\n \"?:\\\\ProgramData\\\\*\\\\Microsoft\\\\Teams\\\\Update.exe --processStart \\\"Teams.exe\\\" --process-start-args \\\"--system-initiated\\\"\"\n ) or\n\n process.name : \"OneDriveStandaloneUpdater.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\\Microsoft.SharePoint.exe\"\n ) or\n\n process.name : \"OneDriveSetup.exe\" and\n registry.data.strings : (\n \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /c * \\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\*\\\"\",\n \"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe /background*\",\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" /background*\",\n \"?:\\\\Program Files\\\\Microsoft OneDrive\\\\OneDrive.exe /background *\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\??.???.????.????\\\\Microsoft.SharePoint.exe\"\n ) or\n \n process.name : \"OneDrive.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Program 
Files\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" /background\",\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft OneDrive\\\\OneDrive.exe\\\" /background\",\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\\\" /background\"\n ) or\n \n process.name : \"Microsoft.SharePoint.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\??.???.????.????\\\\Microsoft.SharePoint.exe\"\n ) or\n \n process.name : \"MicrosoftEdgeUpdate.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\Expedient\\\\AppData\\\\Local\\\\Microsoft\\\\EdgeUpdate\\\\*\\\\MicrosoftEdgeUpdateCore.exe\\\"\"\n ) or\n \n process.executable : \"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\Installer\\\\setup.exe\" and\n registry.data.strings : (\n \"\\\"?:\\\\Program Files (x86)\\\\Microsoft\\\\EdgeWebView\\\\Application\\\\*\\\\Installer\\\\setup.exe\\\" --msedgewebview --delete-old-versions --system-level --verbose-logging --on-logon\"\n )\n )\n ) or\n\n /* Slack */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name in (\n \"Slack Technologies, Inc.\", \"Slack Technologies, LLC\"\n ) and process.name : \"slack.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\slack\\\\slack.exe\\\" --process-start-args --startup\",\n \"\\\"?:\\\\ProgramData\\\\*\\\\slack\\\\slack.exe\\\" --process-start-args --startup\",\n \"\\\"?:\\\\Program Files\\\\Slack\\\\slack.exe\\\" --process-start-args --startup\"\n )\n ) or\n\n /* Cisco */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name in (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and\n (\n process.name : \"WebexHost.exe\" and registry.data.strings : (\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\WebEx\\\\WebexHost.exe\\\" /daemon /runFrom=autorun\"\n )\n ) or\n (\n process.name : \"CiscoJabber.exe\" and registry.data.strings : (\n 
\"\\\"?:\\\\Program Files (x86)\\\\Cisco Systems\\\\Cisco Jabber\\\\CiscoJabber.exe\\\" /min\"\n )\n )\n ) or\n\n /* Loom */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Loom, Inc.\" and\n process.name : \"Loom.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Loom\\\\Loom.exe --process-start-args \\\"--loomHidden\\\"\"\n )\n ) or\n\n /* Adobe */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Adobe Inc.\" and\n process.name : (\"Acrobat.exe\", \"FlashUtil32_*_Plugin.exe\") and registry.data.strings : (\n \"\\\"?:\\\\Program Files\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\AdobeCollabSync.exe\\\"\",\n \"\\\"?:\\\\Program Files (x86)\\\\Adobe\\\\Acrobat DC\\\\Acrobat\\\\AdobeCollabSync.exe\\\"\",\n \"?:\\\\WINDOWS\\\\SysWOW64\\\\Macromed\\\\Flash\\\\FlashUtil32_*_Plugin.exe -update plugin\"\n )\n ) or\n\n /* CCleaner */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"PIRIFORM SOFTWARE LIMITED\" and\n process.name : (\"CCleanerBrowser.exe\", \"CCleaner64.exe\") and registry.data.strings : (\n \"\\\"C:\\\\Program Files (x86)\\\\CCleaner Browser\\\\Application\\\\CCleanerBrowser.exe\\\" --check-run=src=logon --auto-launch-at-startup --profile-directory=\\\"Default\\\"\",\n \"\\\"C:\\\\Program Files\\\\CCleaner\\\\CCleaner64.exe\\\" /MONITOR\"\n )\n ) or\n\n /* Opera */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Opera Norway AS\" and\n process.name : \"opera.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\launcher.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera GX\\\\launcher.exe\"\n )\n ) or\n\n /* Avast */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Avast Software s.r.o.\" and\n process.name : \"AvastBrowser.exe\" and registry.data.strings : 
(\n \"\\\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\AVAST Software\\\\Browser\\\\Application\\\\AvastBrowser.exe\\\" --check-run=src=logon --auto-launch-at-startup*\",\n \"\\\"?:\\\\Program Files (x86)\\\\AVAST Software\\\\Browser\\\\Application\\\\AvastBrowser.exe\\\" --check-run=src=logon --auto-launch-at-startup*\",\n \"\"\n )\n ) or\n\n /* Grammarly */\n (\n process.code_signature.trusted == true and process.code_signature.subject_name == \"Grammarly, Inc.\" and\n process.name : \"GrammarlyInstaller.exe\" and registry.data.strings : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Grammarly\\\\DesktopIntegrations\\\\Grammarly.Desktop.exe\"\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.hive", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "97fc44d3-8dae-4019-ae83-298c3015600f", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": 
"https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", "timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "97fc44d3-8dae-4019-ae83-298c3015600f_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc.json b/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc.json
deleted file mode 100644
index b8afcb35f49..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when an external (anonymous) user has viewed, copied or downloaded an encryption key file from a Google Workspace drive. Adversaries may gain access to encryption keys stored in private drives from rogue access links that do not have an expiration. Access to encryption keys may allow adversaries to access sensitive data or authenticate on behalf of users.", "false_positives": ["A user may generate a shared access link to encryption key files to share with others. It is unlikely that the intended recipient is an external or anonymous user."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "eql", "license": "Elastic License v2", "name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User", "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "file where event.dataset == \"google_workspace.drive\" and event.action : (\"copy\", \"view\", \"download\") and\n google_workspace.drive.visibility: \"people_with_link\" and source.user.email == \"\" and\n file.extension: (\n \"token\",\"assig\", \"pssc\", \"keystore\", \"pub\", \"pgp.asc\", \"ps1xml\", \"pem\", \"gpg.sig\", \"der\", \"key\",\n \"p7r\", \"p12\", \"asc\", \"jks\", \"p7b\", \"signature\", \"gpg\", \"pgp.sig\", \"sst\", \"pgp\", \"gpgz\", \"pfx\", \"crt\",\n \"p8\", \"sig\", \"pkcs7\", \"jceks\", \"pkcs8\", \"psc1\", \"p7c\", \"csr\", \"cer\", \"spc\", \"ps2xml\")\n", "references": ["https://support.google.com/drive/answer/2494822"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": false, "name": "google_workspace.drive.visibility", "type": "keyword"}, {"ecs": true, "name": "source.user.email", "type": "keyword"}], "risk_score": 73, "rule_id": "980b70a0-c820-11ed-8799-f661ea17fbcc", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Configuration Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", 
"subtechnique": [{"id": "T1552.004", "name": "Private Keys", "reference": "https://attack.mitre.org/techniques/T1552/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "980b70a0-c820-11ed-8799-f661ea17fbcc", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_1.json
deleted file mode 100644
index 00f156aeb48..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when an external (anonymous) user has viewed, copied or downloaded an encryption key file from a Google Workspace drive. Adversaries may gain access to encryption keys stored in private drives from rogue access links that do not have an expiration. Access to encryption keys may allow adversaries to access sensitive data or authenticate on behalf of users.", "false_positives": ["A user may generate a shared access link to encryption key files to share with others. It is unlikely that the intended recipient is an external or anonymous user."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "eql", "license": "Elastic License v2", "name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User", "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "file where event.dataset == \"google_workspace.drive\" and event.action : (\"copy\", \"view\", \"download\") and\n google_workspace.drive.visibility: \"people_with_link\" and source.user.email == \"\" and\n file.extension: (\n \"token\",\"assig\", \"pssc\", \"keystore\", \"pub\", \"pgp.asc\", \"ps1xml\", \"pem\", \"gpg.sig\", \"der\", \"key\",\n \"p7r\", \"p12\", \"asc\", \"jks\", \"p7b\", \"signature\", \"gpg\", \"pgp.sig\", \"sst\", \"pgp\", \"gpgz\", \"pfx\", \"crt\",\n \"p8\", \"sig\", \"pkcs7\", \"jceks\", \"pkcs8\", \"psc1\", \"p7c\", \"csr\", \"cer\", \"spc\", \"ps2xml\")\n", "references": ["https://support.google.com/drive/answer/2494822"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": false, "name": "google_workspace.drive.visibility", "type": "unknown"}, {"ecs": true, "name": "source.user.email", "type": "keyword"}], "risk_score": 73, "rule_id": "980b70a0-c820-11ed-8799-f661ea17fbcc", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Configuration Audit", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": 
"https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.004", "name": "Private Keys", "reference": "https://attack.mitre.org/techniques/T1552/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "980b70a0-c820-11ed-8799-f661ea17fbcc_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_2.json b/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_2.json
deleted file mode 100644
index 15d2fbc15f4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_2.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when an external (anonymous) user has viewed, copied or downloaded an encryption key file from a Google Workspace drive. Adversaries may gain access to encryption keys stored in private drives from rogue access links that do not have an expiration. Access to encryption keys may allow adversaries to access sensitive data or authenticate on behalf of users.", "false_positives": ["A user may generate a shared access link to encryption key files to share with others. It is unlikely that the intended recipient is an external or anonymous user."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "eql", "license": "Elastic License v2", "name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User", "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "file where event.dataset == \"google_workspace.drive\" and event.action : (\"copy\", \"view\", \"download\") and\n google_workspace.drive.visibility: \"people_with_link\" and source.user.email == \"\" and\n file.extension: (\n \"token\",\"assig\", \"pssc\", \"keystore\", \"pub\", \"pgp.asc\", \"ps1xml\", \"pem\", \"gpg.sig\", \"der\", \"key\",\n \"p7r\", \"p12\", \"asc\", \"jks\", \"p7b\", \"signature\", \"gpg\", \"pgp.sig\", \"sst\", \"pgp\", \"gpgz\", \"pfx\", \"crt\",\n \"p8\", \"sig\", \"pkcs7\", \"jceks\", \"pkcs8\", \"psc1\", \"p7c\", \"csr\", \"cer\", \"spc\", \"ps2xml\")\n", "references": ["https://support.google.com/drive/answer/2494822"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": false, "name": "google_workspace.drive.visibility", "type": "unknown"}, {"ecs": true, "name": "source.user.email", "type": "keyword"}], "risk_score": 73, "rule_id": "980b70a0-c820-11ed-8799-f661ea17fbcc", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Configuration Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", 
"subtechnique": [{"id": "T1552.004", "name": "Private Keys", "reference": "https://attack.mitre.org/techniques/T1552/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "980b70a0-c820-11ed-8799-f661ea17fbcc_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_3.json b/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_3.json
deleted file mode 100644
index 4793220a236..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/980b70a0-c820-11ed-8799-f661ea17fbcc_3.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when an external (anonymous) user has viewed, copied or downloaded an encryption key file from a Google Workspace drive. Adversaries may gain access to encryption keys stored in private drives from rogue access links that do not have an expiration. Access to encryption keys may allow adversaries to access sensitive data or authenticate on behalf of users.", "false_positives": ["A user may generate a shared access link to encryption key files to share with others. It is unlikely that the intended recipient is an external or anonymous user."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "eql", "license": "Elastic License v2", "name": "Google Workspace Drive Encryption Key(s) Accessed from Anonymous User", "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "file where event.dataset == \"google_workspace.drive\" and event.action : (\"copy\", \"view\", \"download\") and\n google_workspace.drive.visibility: \"people_with_link\" and source.user.email == \"\" and\n file.extension: (\n \"token\",\"assig\", \"pssc\", \"keystore\", \"pub\", \"pgp.asc\", \"ps1xml\", \"pem\", \"gpg.sig\", \"der\", \"key\",\n \"p7r\", \"p12\", \"asc\", \"jks\", \"p7b\", \"signature\", \"gpg\", \"pgp.sig\", \"sst\", \"pgp\", \"gpgz\", \"pfx\", \"crt\",\n \"p8\", \"sig\", \"pkcs7\", \"jceks\", \"pkcs8\", \"psc1\", \"p7c\", \"csr\", \"cer\", \"spc\", \"ps2xml\")\n", "references": ["https://support.google.com/drive/answer/2494822"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": false, "name": "google_workspace.drive.visibility", "type": "keyword"}, {"ecs": true, "name": "source.user.email", "type": "keyword"}], "risk_score": 73, "rule_id": "980b70a0-c820-11ed-8799-f661ea17fbcc", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Configuration Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", 
"subtechnique": [{"id": "T1552.004", "name": "Private Keys", "reference": "https://attack.mitre.org/techniques/T1552/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "980b70a0-c820-11ed-8799-f661ea17fbcc_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9822c5a1-1494-42de-b197-487197bb540c.json b/packages/security_detection_engine/kibana/security_rule/9822c5a1-1494-42de-b197-487197bb540c.json
deleted file mode 100644
index d3e12775c96..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9822c5a1-1494-42de-b197-487197bb540c.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects a suspicious egress network connection attempt from a Git hook script. Git hooks are scripts that Git executes before or after events such as: commit, push, and receive. An attacker can abuse these features to execute arbitrary commands on the system, establish persistence or to initialize a network connection to a remote server and exfiltrate data or download additional payloads.", "from": "now-9m", "index": ["logs-endpoint.events.process*", "logs-endpoint.events.network*"], "language": "eql", "license": "Elastic License v2", "name": "Git Hook Egress Network Connection", "query": "sequence by host.id with maxspan=3s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.parent.name == \"git\" and process.args : \".git/hooks/*\" and\n process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")] by process.entity_id\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and not (\n destination.ip == null or destination.ip == \"0.0.0.0\" or cidrmatch(\n destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\",\n \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\", \"172.31.0.0/16\"\n )\n )\n ] by process.parent.entity_id\n", "references": ["https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, 
"name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "9822c5a1-1494-42de-b197-487197bb540c", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", 
"reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "type": "eql", "version": 1}, "id": "9822c5a1-1494-42de-b197-487197bb540c", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9822c5a1-1494-42de-b197-487197bb540c_1.json b/packages/security_detection_engine/kibana/security_rule/9822c5a1-1494-42de-b197-487197bb540c_1.json
deleted file mode 100644
index ae02723e96c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9822c5a1-1494-42de-b197-487197bb540c_1.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects a suspicious egress network connection attempt from a Git hook script. Git hooks are scripts that Git executes before or after events such as: commit, push, and receive. An attacker can abuse these features to execute arbitrary commands on the system, establish persistence or to initialize a network connection to a remote server and exfiltrate data or download additional payloads.", "from": "now-9m", "index": ["logs-endpoint.events.process*", "logs-endpoint.events.network*"], "language": "eql", "license": "Elastic License v2", "name": "Git Hook Egress Network Connection", "query": "sequence by host.id with maxspan=3s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.parent.name == \"git\" and process.args : \".git/hooks/*\" and\n process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")] by process.entity_id\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and not (\n destination.ip == null or destination.ip == \"0.0.0.0\" or cidrmatch(\n destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\",\n \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\", \"172.31.0.0/16\"\n )\n )\n ] by process.parent.entity_id\n", "references": ["https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, 
"name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "9822c5a1-1494-42de-b197-487197bb540c", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", 
"reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "type": "eql", "version": 1}, "id": "9822c5a1-1494-42de-b197-487197bb540c_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/986361cd-3dac-47fe-afa1-5c5dd89f2fb4_1.json b/packages/security_detection_engine/kibana/security_rule/986361cd-3dac-47fe-afa1-5c5dd89f2fb4_1.json
deleted file mode 100644
index 5b087698926..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/986361cd-3dac-47fe-afa1-5c5dd89f2fb4_1.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This detection rule addresses multiple vulnerabilities in the CUPS printing system, including CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. Specifically, this rule detects suspicious process command lines executed by child processes of foomatic-rip and cupsd. These flaws impact components like cups-browsed, libcupsfilters, libppd, and foomatic-rip, allowing remote unauthenticated attackers to manipulate IPP URLs or inject malicious data through crafted UDP packets or network spoofing. This can result in arbitrary command execution when a print job is initiated.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution from Foomatic-rip or Cupsd Parent", "note": "## Triage and analysis\n\n### Investigating Suspicious Execution from Foomatic-rip or Cupsd Parent\n\nThis rule identifies potential exploitation attempts of several vulnerabilities in the CUPS printing system (CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177). These vulnerabilities allow attackers to send crafted IPP requests or manipulate UDP packets to execute arbitrary commands or modify printer configurations. Attackers can exploit these flaws to inject malicious data, leading to Remote Code Execution (RCE) on affected systems.\n\n#### Possible Investigation Steps\n\n- Investigate the incoming IPP requests or UDP packets targeting port 631.\n- Examine the printer configurations on the system to determine if any unauthorized printers or URLs have been added.\n- Investigate the process tree to check if any unexpected processes were triggered as a result of IPP activity. 
Review the executable files for legitimacy.\n- Check for additional alerts related to the compromised system or user within the last 48 hours.\n- Investigate network traffic logs for suspicious outbound connections to unrecognized domains or IP addresses.\n- Check if any of the contacted domains or addresses are newly registered or have a suspicious reputation.\n- Retrieve any scripts or executables dropped by the attack for further analysis in a private sandbox environment:\n- Analyze potential malicious activity, including:\n - Attempts to communicate with external servers.\n - File access or creation of unauthorized executables.\n - Cron jobs, services, or other persistence mechanisms.\n\n### Related Rules\n- Cupsd or Foomatic-rip Shell Execution - 476267ff-e44f-476e-99c1-04c78cb3769d\n- Printer User (lp) Shell Execution - f86cd31c-5c7e-4481-99d7-6875a3e31309\n- Network Connection by Cups or Foomatic-rip Child - e80ee207-9505-49ab-8ca8-bc57d80e2cab\n- File Creation by Cups or Foomatic-rip Child - b9b14be7-b7f4-4367-9934-81f07d2f63c4\n\n### False Positive Analysis\n\n- This activity is rarely legitimate. 
However, verify the context to rule out non-malicious printer configuration changes or legitimate IPP requests.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the triage outcome.\n- Isolate the compromised host to prevent further exploitation.\n- If the investigation confirms malicious activity, search the environment for additional compromised hosts.\n- Implement network segmentation or restrictions to contain the attack.\n- Stop suspicious processes or services tied to CUPS exploitation.\n- Block identified Indicators of Compromise (IoCs), including IP addresses, domains, or hashes of involved files.\n- Review compromised systems for backdoors, such as reverse shells or persistence mechanisms like cron jobs.\n- Investigate potential credential exposure on compromised systems and reset passwords for any affected accounts.\n- Restore the original printer configurations or uninstall unauthorized printer entries.\n- Perform a thorough antimalware scan to identify any lingering threats or artifacts from the attack.\n- Investigate how the attacker gained initial access and address any weaknesses to prevent future exploitation.\n- Use insights from the incident to improve detection and response times in future incidents (MTTD and MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.parent.name in (\"foomatic-rip\", \"cupsd\") and process.command_line like (\n // persistence\n \"*cron*\", \"*/etc/rc.local*\", \"*/dev/tcp/*\", \"*/etc/init.d*\", \"*/etc/update-motd.d*\", \"*/etc/sudoers*\",\n \"*/etc/profile*\", \"*autostart*\", \"*/etc/ssh*\", \"*/home/*/.ssh/*\", \"*/root/.ssh*\", \"*~/.ssh/*\", \"*udev*\",\n \"*/etc/shadow*\", \"*/etc/passwd*\",\n\n // Downloads\n \"*curl*\", \"*wget*\",\n\n // encoding and decoding\n \"*base64 *\", \"*base32 *\", \"*xxd *\", \"*openssl*\",\n\n // reverse connections\n \"*GS_ARGS=*\", \"*/dev/tcp*\", \"*/dev/udp/*\", 
\"*import*pty*spawn*\", \"*import*subprocess*call*\", \"*TCPSocket.new*\",\n \"*TCPSocket.open*\", \"*io.popen*\", \"*os.execute*\", \"*fsockopen*\", \"*disown*\", \"*nohup*\",\n\n // SO loads\n \"*openssl*-engine*.so*\", \"*cdll.LoadLibrary*.so*\", \"*ruby*-e**Fiddle.dlopen*.so*\", \"*Fiddle.dlopen*.so*\",\n \"*cdll.LoadLibrary*.so*\",\n\n // misc. suspicious command lines\n \"*/etc/ld.so*\", \"*/dev/shm/*\", \"*/var/tmp*\", \"*echo*\", \"*>>*\", \"*|*\"\n)\n", "references": ["https://www.elastic.co/security-labs/cups-overflow", "https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/", "https://gist.github.com/stong/c8847ef27910ae344a7b5408d9840ee1", "https://github.com/RickdeJager/cupshax/blob/main/cupshax.py"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "986361cd-3dac-47fe-afa1-5c5dd89f2fb4", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Use Case: Vulnerability", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "986361cd-3dac-47fe-afa1-5c5dd89f2fb4_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/98843d35-645e-4e66-9d6a-5049acd96ce1.json b/packages/security_detection_engine/kibana/security_rule/98843d35-645e-4e66-9d6a-5049acd96ce1.json
deleted file mode 100644
index b31476c45aa..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/98843d35-645e-4e66-9d6a-5049acd96ce1.json
+++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies indirect command execution via Program Compatibility Assistant (pcalua.exe) or forfiles.exe.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Indirect Command Execution via Forfiles/Pcalua", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"pcalua.exe\", \"forfiles.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "98843d35-645e-4e66-9d6a-5049acd96ce1", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "98843d35-645e-4e66-9d6a-5049acd96ce1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/98843d35-645e-4e66-9d6a-5049acd96ce1_1.json b/packages/security_detection_engine/kibana/security_rule/98843d35-645e-4e66-9d6a-5049acd96ce1_1.json deleted file mode 100644 index ef4cb9dc7de..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/98843d35-645e-4e66-9d6a-5049acd96ce1_1.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies indirect command execution via Program Compatibility Assistant (pcalua.exe) or forfiles.exe.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Indirect Command Execution via Forfiles/Pcalua", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"pcalua.exe\", \"forfiles.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "98843d35-645e-4e66-9d6a-5049acd96ce1", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "98843d35-645e-4e66-9d6a-5049acd96ce1_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/98843d35-645e-4e66-9d6a-5049acd96ce1_2.json b/packages/security_detection_engine/kibana/security_rule/98843d35-645e-4e66-9d6a-5049acd96ce1_2.json deleted file mode 100644 index 331bce1c82d..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/98843d35-645e-4e66-9d6a-5049acd96ce1_2.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies indirect command execution via Program Compatibility Assistant (pcalua.exe) or forfiles.exe.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Indirect Command Execution via Forfiles/Pcalua", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"pcalua.exe\", \"forfiles.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "98843d35-645e-4e66-9d6a-5049acd96ce1", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "98843d35-645e-4e66-9d6a-5049acd96ce1_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/98843d35-645e-4e66-9d6a-5049acd96ce1_3.json b/packages/security_detection_engine/kibana/security_rule/98843d35-645e-4e66-9d6a-5049acd96ce1_3.json
deleted file mode 100644
index 26a90439f37..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/98843d35-645e-4e66-9d6a-5049acd96ce1_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies indirect command execution via Program Compatibility Assistant (pcalua.exe) or forfiles.exe.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Indirect Command Execution via Forfiles/Pcalua", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"pcalua.exe\", \"forfiles.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "98843d35-645e-4e66-9d6a-5049acd96ce1", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "98843d35-645e-4e66-9d6a-5049acd96ce1_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638.json b/packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638.json deleted file mode 100644 index 25b92dec082..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP). Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate. If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly.", "false_positives": ["Service account key deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Key deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP IAM Service Account Key Deletion", "note": "", "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success\n", "references": ["https://cloud.google.com/iam/docs/service-accounts", "https://cloud.google.com/iam/docs/creating-managing-service-account-keys"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "9890ee61-d061-403d-9bf6-64934c51f638", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": 
"Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "9890ee61-d061-403d-9bf6-64934c51f638", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638_103.json b/packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638_103.json deleted file mode 100644 index abe3f11a441..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9890ee61-d061-403d-9bf6-64934c51f638_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP). Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate. If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly.", "false_positives": ["Service account key deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Key deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP IAM Service Account Key Deletion", "note": "", "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success\n", "references": ["https://cloud.google.com/iam/docs/service-accounts", "https://cloud.google.com/iam/docs/creating-managing-service-account-keys"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "9890ee61-d061-403d-9bf6-64934c51f638", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "9890ee61-d061-403d-9bf6-64934c51f638_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7.json b/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7.json deleted file mode 100644 index 863ebba3b41..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a new role is assigned to a management group in Microsoft 365. An adversary may attempt to add a role in order to maintain persistence in an environment.", "false_positives": ["A new role may be assigned to a management group by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Management Group Role Assignment", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-ManagementRoleAssignment\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "98995807-5b09-4e37-8a54-5cae5dc932d7", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account 
Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "98995807-5b09-4e37-8a54-5cae5dc932d7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_101.json b/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_101.json deleted file mode 100644 index 57ade41bfe8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a new role is assigned to a management group in Microsoft 365. An adversary may attempt to add a role in order to maintain persistence in an environment.", "false_positives": ["A new role may be assigned to a management group by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Management Group Role Assignment", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-ManagementRoleAssignment\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "98995807-5b09-4e37-8a54-5cae5dc932d7", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", 
"reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "98995807-5b09-4e37-8a54-5cae5dc932d7_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_102.json b/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_102.json deleted file mode 100644 index 7745c676b96..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a new role is assigned to a management group in Microsoft 365. An adversary may attempt to add a role in order to maintain persistence in an environment.", "false_positives": ["A new role may be assigned to a management group by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Management Group Role Assignment", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-ManagementRoleAssignment\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "98995807-5b09-4e37-8a54-5cae5dc932d7", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account 
Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "98995807-5b09-4e37-8a54-5cae5dc932d7_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_103.json b/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_103.json deleted file mode 100644 index 994ebf21c4f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a new role is assigned to a management group in Microsoft 365. An adversary may attempt to add a role in order to maintain persistence in an environment.", "false_positives": ["A new role may be assigned to a management group by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Management Group Role Assignment", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-ManagementRoleAssignment\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "98995807-5b09-4e37-8a54-5cae5dc932d7", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account 
Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "98995807-5b09-4e37-8a54-5cae5dc932d7_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_105.json b/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_105.json deleted file mode 100644 index bcc00dbdb1d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/98995807-5b09-4e37-8a54-5cae5dc932d7_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a new role is assigned to a management group in Microsoft 365. An adversary may attempt to add a role in order to maintain persistence in an environment.", "false_positives": ["A new role may be assigned to a management group by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Management Group Role Assignment", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-ManagementRoleAssignment\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "98995807-5b09-4e37-8a54-5cae5dc932d7", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account 
Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "98995807-5b09-4e37-8a54-5cae5dc932d7_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56.json b/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56.json deleted file mode 100644 index 05df59d8229..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account.", "false_positives": ["IAM users may occasionally share EC2 snapshots with another AWS account belonging to the same organization. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Snapshot Activity", "note": "## Triage and analysis\n\n### Investigating AWS EC2 Snapshot Activity\n\nAmazon EC2 snapshots are a mechanism to create point-in-time references to data that reside in storage volumes. System administrators commonly use this for backup operations and data recovery.\n\nThis rule looks for the modification of snapshot attributes using the API `ModifySnapshotAttribute` action. 
This can be used to share snapshots with unauthorized third parties, giving others access to all the data on the snapshot.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Search for dry run attempts against the resource ID of the snapshot from other user accounts within CloudTrail.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Check if the shared permissions of the snapshot were modified to `Public` or include unknown account IDs.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "98fd7407-0bd5-5817-cda0-3fcc33113a56", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Exfiltration", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "98fd7407-0bd5-5817-cda0-3fcc33113a56", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_105.json b/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_105.json deleted file mode 100644 index b08c9a89387..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account.", "false_positives": ["IAM users may occasionally share EC2 snapshots with another AWS account belonging to the same organization. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Snapshot Activity", "note": "## Triage and analysis\n\n### Investigating AWS EC2 Snapshot Activity\n\nAmazon EC2 snapshots are a mechanism to create point-in-time references to data that reside in storage volumes. System administrators commonly use this for backup operations and data recovery.\n\nThis rule looks for the modification of snapshot attributes using the API `ModifySnapshotAttribute` action. 
This can be used to share snapshots with unauthorized third parties, giving others access to all the data on the snapshot.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Search for dry run attempts against the resource ID of the snapshot from other user accounts within CloudTrail.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Check if the shared permissions of the snapshot were modified to `Public` or include unknown account IDs.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "98fd7407-0bd5-5817-cda0-3fcc33113a56", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility", "Exfiltration", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": 
"Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "98fd7407-0bd5-5817-cda0-3fcc33113a56_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_106.json b/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_106.json deleted file mode 100644 index ce058042948..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account.", "false_positives": ["IAM users may occasionally share EC2 snapshots with another AWS account belonging to the same organization. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Snapshot Activity", "note": "## Triage and analysis\n\n### Investigating AWS EC2 Snapshot Activity\n\nAmazon EC2 snapshots are a mechanism to create point-in-time references to data that reside in storage volumes. System administrators commonly use this for backup operations and data recovery.\n\nThis rule looks for the modification of snapshot attributes using the API `ModifySnapshotAttribute` action. 
This can be used to share snapshots with unauthorized third parties, giving others access to all the data on the snapshot.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Search for dry run attempts against the resource ID of the snapshot from other user accounts within CloudTrail.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Check if the shared permissions of the snapshot were modified to `Public` or include unknown account IDs.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "98fd7407-0bd5-5817-cda0-3fcc33113a56", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Exfiltration", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "98fd7407-0bd5-5817-cda0-3fcc33113a56_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_107.json b/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_107.json deleted file mode 100644 index 62dfb9cd637..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account.", "false_positives": ["IAM users may occasionally share EC2 snapshots with another AWS account belonging to the same organization. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Snapshot Activity", "note": "## Triage and analysis\n\n### Investigating AWS EC2 Snapshot Activity\n\nAmazon EC2 snapshots are a mechanism to create point-in-time references to data that reside in storage volumes. System administrators commonly use this for backup operations and data recovery.\n\nThis rule looks for the modification of snapshot attributes using the API `ModifySnapshotAttribute` action. 
This can be used to share snapshots with unauthorized third parties, giving others access to all the data on the snapshot.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Search for dry run attempts against the resource ID of the snapshot from other user accounts within CloudTrail.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Check if the shared permissions of the snapshot were modified to `Public` or include unknown account IDs.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "98fd7407-0bd5-5817-cda0-3fcc33113a56", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Exfiltration", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "98fd7407-0bd5-5817-cda0-3fcc33113a56_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_208.json b/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_208.json deleted file mode 100644 index 885205653cd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/98fd7407-0bd5-5817-cda0-3fcc33113a56_208.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account.", "false_positives": ["IAM users may occasionally share EC2 snapshots with another AWS account belonging to the same organization. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Snapshot Activity", "note": "## Triage and analysis\n\n### Investigating AWS EC2 Snapshot Activity\n\nAmazon EC2 snapshots are a mechanism to create point-in-time references to data that reside in storage volumes. System administrators commonly use this for backup operations and data recovery.\n\nThis rule looks for the modification of snapshot attributes using the API `ModifySnapshotAttribute` action. 
This can be used to share snapshots with unauthorized third parties, giving others access to all the data on the snapshot.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Search for dry run attempts against the resource ID of the snapshot from other user accounts within CloudTrail.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? 
Are there any other alerts or signs of suspicious activity involving this instance?\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Check if the shared permissions of the snapshot were modified to `Public` or include unknown account IDs.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:ModifySnapshotAttribute\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "98fd7407-0bd5-5817-cda0-3fcc33113a56", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Exfiltration", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 208}, "id": "98fd7407-0bd5-5817-cda0-3fcc33113a56_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e.json b/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e.json deleted file mode 100644 index a9615349115..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Process Injection - Prevented - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e", "setup": "## Setup\n\nThis rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.\n\n**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. 
For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.\n\nTo make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.\n\n**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.", "severity": "medium", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e_100.json b/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e_100.json deleted file mode 100644 index 9819f4eb988..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e_100.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Process Injection - Prevented - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e", "severity": "medium", "tags": ["Elastic", "Elastic Endgame", "Threat Detection", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "type": "query", "version": 100}, "id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e_100", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e_101.json b/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e_101.json deleted file mode 100644 index bbec93e1e01..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Process Injection - Prevented - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e", "severity": "medium", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "type": "query", "version": 101}, "id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e_102.json b/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e_102.json deleted file mode 100644 index 98fe06d621a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/990838aa-a953-4f3e-b3cb-6ddf7584de9e_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame prevented Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Process Injection - Prevented - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e", "severity": "medium", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "990838aa-a953-4f3e-b3cb-6ddf7584de9e_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c.json b/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c.json deleted file mode 100644 index e9853a17239..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package.", "false_positives": ["Custom organization-specific macOS packages that use .pkg files to run cURL could trigger this rule. If known behavior is causing false positives, it can be excluded from the rule."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "MacOS Installer Package Spawns Network Event", "query": "sequence by host.id with maxspan=15s\n[process where host.os.type == \"macos\" and event.type == \"start\" and event.action == \"exec\" and process.parent.name : (\"installer\", \"package_script_service\") and process.name : (\"bash\", \"sh\", \"zsh\", \"python\", \"osascript\", \"tclsh*\")] by process.entity_id\n[network where host.os.type == \"macos\" and event.type == \"start\" and process.name : (\"curl\", \"osascript\", \"wget\", \"python\", \"java\", \"ruby\", \"node\")] by process.parent.entity_id\n", "references": ["https://redcanary.com/blog/clipping-silver-sparrows-wings", "https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520", "https://github.com/D00MFist/Mystikal"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": 
"host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "99239e7d-b0d4-46e3-8609-acafcf99f68c", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.007", "name": "JavaScript", "reference": "https://attack.mitre.org/techniques/T1059/007/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}]}], "type": "eql", "version": 107}, "id": "99239e7d-b0d4-46e3-8609-acafcf99f68c", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_102.json b/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_102.json deleted file mode 100644 index 323ba11be84..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package.", "false_positives": ["Custom organization-specific macOS packages that use .pkg files to run cURL could trigger this rule. If known behavior is causing false positives, it can be excluded from the rule."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "MacOS Installer Package Spawns Network Event", "query": "sequence by host.id, user.id with maxspan=30s\n[process where host.os.type == \"macos\" and event.type == \"start\" and event.action == \"exec\" and process.parent.name : (\"installer\", \"package_script_service\") and process.name : (\"bash\", \"sh\", \"zsh\", \"python\", \"osascript\", \"tclsh*\")]\n[network where host.os.type == \"macos\" and event.type == \"start\" and process.name : (\"curl\", \"osascript\", \"wget\", \"python\")]\n", "references": ["https://redcanary.com/blog/clipping-silver-sparrows-wings", "https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520", "https://github.com/D00MFist/Mystikal"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "99239e7d-b0d4-46e3-8609-acafcf99f68c", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Execution", "Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.007", "name": "JavaScript", "reference": "https://attack.mitre.org/techniques/T1059/007/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}]}], "type": "eql", "version": 102}, "id": "99239e7d-b0d4-46e3-8609-acafcf99f68c_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_103.json b/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_103.json deleted file mode 100644 index 5ff15d7e3ac..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package.", "false_positives": ["Custom organization-specific macOS packages that use .pkg files to run cURL could trigger this rule. If known behavior is causing false positives, it can be excluded from the rule."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "MacOS Installer Package Spawns Network Event", "query": "sequence by host.id, user.id with maxspan=30s\n[process where host.os.type == \"macos\" and event.type == \"start\" and event.action == \"exec\" and process.parent.name : (\"installer\", \"package_script_service\") and process.name : (\"bash\", \"sh\", \"zsh\", \"python\", \"osascript\", \"tclsh*\")]\n[network where host.os.type == \"macos\" and event.type == \"start\" and process.name : (\"curl\", \"osascript\", \"wget\", \"python\")]\n", "references": ["https://redcanary.com/blog/clipping-silver-sparrows-wings", "https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520", "https://github.com/D00MFist/Mystikal"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "99239e7d-b0d4-46e3-8609-acafcf99f68c", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.007", "name": "JavaScript", "reference": "https://attack.mitre.org/techniques/T1059/007/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}]}], "type": "eql", "version": 103}, "id": "99239e7d-b0d4-46e3-8609-acafcf99f68c_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_104.json b/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_104.json deleted file mode 100644 index 4500e64468f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package.", "false_positives": ["Custom organization-specific macOS packages that use .pkg files to run cURL could trigger this rule. If known behavior is causing false positives, it can be excluded from the rule."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "MacOS Installer Package Spawns Network Event", "query": "sequence by host.id, user.id with maxspan=30s\n[process where host.os.type == \"macos\" and event.type == \"start\" and event.action == \"exec\" and process.parent.name : (\"installer\", \"package_script_service\") and process.name : (\"bash\", \"sh\", \"zsh\", \"python\", \"osascript\", \"tclsh*\")]\n[network where host.os.type == \"macos\" and event.type == \"start\" and process.name : (\"curl\", \"osascript\", \"wget\", \"python\")]\n", "references": ["https://redcanary.com/blog/clipping-silver-sparrows-wings", "https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520", "https://github.com/D00MFist/Mystikal"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "99239e7d-b0d4-46e3-8609-acafcf99f68c", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.007", "name": "JavaScript", "reference": "https://attack.mitre.org/techniques/T1059/007/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}]}], "type": "eql", "version": 104}, "id": "99239e7d-b0d4-46e3-8609-acafcf99f68c_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_105.json b/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_105.json deleted file mode 100644 index f22fac8fc5d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package.", "false_positives": ["Custom organization-specific macOS packages that use .pkg files to run cURL could trigger this rule. If known behavior is causing false positives, it can be excluded from the rule."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "MacOS Installer Package Spawns Network Event", "query": "sequence by host.id, user.id with maxspan=30s\n[process where host.os.type == \"macos\" and event.type == \"start\" and event.action == \"exec\" and process.parent.name : (\"installer\", \"package_script_service\") and process.name : (\"bash\", \"sh\", \"zsh\", \"python\", \"osascript\", \"tclsh*\")]\n[network where host.os.type == \"macos\" and event.type == \"start\" and process.name : (\"curl\", \"osascript\", \"wget\", \"python\")]\n", "references": ["https://redcanary.com/blog/clipping-silver-sparrows-wings", "https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520", "https://github.com/D00MFist/Mystikal"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "99239e7d-b0d4-46e3-8609-acafcf99f68c", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.007", "name": "JavaScript", "reference": "https://attack.mitre.org/techniques/T1059/007/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}]}], "type": "eql", "version": 105}, "id": "99239e7d-b0d4-46e3-8609-acafcf99f68c_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_106.json b/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_106.json deleted file mode 100644 index 74096c87052..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/99239e7d-b0d4-46e3-8609-acafcf99f68c_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package.", "false_positives": ["Custom organization-specific macOS packages that use .pkg files to run cURL could trigger this rule. If known behavior is causing false positives, it can be excluded from the rule."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "MacOS Installer Package Spawns Network Event", "query": "sequence by host.id, user.id with maxspan=30s\n[process where host.os.type == \"macos\" and event.type == \"start\" and event.action == \"exec\" and process.parent.name : (\"installer\", \"package_script_service\") and process.name : (\"bash\", \"sh\", \"zsh\", \"python\", \"osascript\", \"tclsh*\")]\n[network where host.os.type == \"macos\" and event.type == \"start\" and process.name : (\"curl\", \"osascript\", \"wget\", \"python\")]\n", "references": ["https://redcanary.com/blog/clipping-silver-sparrows-wings", "https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520", "https://github.com/D00MFist/Mystikal"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "99239e7d-b0d4-46e3-8609-acafcf99f68c", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.007", "name": "JavaScript", "reference": "https://attack.mitre.org/techniques/T1059/007/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}]}], "type": "eql", "version": 106}, "id": "99239e7d-b0d4-46e3-8609-acafcf99f68c_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8.json b/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8.json deleted file mode 100644 index cf5a5aec58a..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.", "from": "now-10m", "index": ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", "query": "process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or\nblocklist_label == 1) and not process.args : (\"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*\", \"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*\")\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": false, "name": "blocklist_label", "type": "unknown"}, {"ecs": false, "name": "problemchild.prediction", "type": "unknown"}, {"ecs": false, "name": "problemchild.prediction_probability", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 21, "rule_id": "994e40aa-8c85-43de-825e-15f665375ee8", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\n", "severity": "low", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.004", "name": "Masquerade Task or Service", "reference": "https://attack.mitre.org/techniques/T1036/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "994e40aa-8c85-43de-825e-15f665375ee8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_1.json b/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_1.json deleted file mode 100644 index c2415c47b08..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.", "from": "now-10m", "index": ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", "note": "", "query": "process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or\nblocklist_label == 1) and not process.args : (\"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*\", \"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*\")\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "blocklist_label", "type": "unknown"}, {"ecs": false, "name": "problemchild.prediction", "type": "unknown"}, {"ecs": false, "name": "problemchild.prediction_probability", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 21, "rule_id": "994e40aa-8c85-43de-825e-15f665375ee8", "setup": "The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. 
Please refer to this rule's references for more information.", "severity": "low", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.004", "name": "Masquerade Task or Service", "reference": "https://attack.mitre.org/techniques/T1036/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "994e40aa-8c85-43de-825e-15f665375ee8_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_2.json b/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_2.json deleted file mode 100644 index d60f07d41ea..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.", "from": "now-10m", "index": ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", "query": "process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or\nblocklist_label == 1) and not process.args : (\"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*\", \"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*\")\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": false, "name": "blocklist_label", "type": "unknown"}, {"ecs": false, "name": "problemchild.prediction", "type": "unknown"}, {"ecs": false, "name": "problemchild.prediction_probability", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 21, "rule_id": "994e40aa-8c85-43de-825e-15f665375ee8", "setup": "The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n", "severity": "low", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.004", "name": "Masquerade Task or Service", "reference": "https://attack.mitre.org/techniques/T1036/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "994e40aa-8c85-43de-825e-15f665375ee8_2", "type": 
"security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_3.json b/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_3.json
deleted file mode 100644
index 95fba186e53..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.", "from": "now-10m", "index": ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", "query": "process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or\nblocklist_label == 1) and not process.args : (\"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*\", \"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*\")\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": false, "name": "blocklist_label", "type": "unknown"}, {"ecs": false, "name": "problemchild.prediction", "type": "unknown"}, {"ecs": false, "name": "problemchild.prediction_probability", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 21, "rule_id": "994e40aa-8c85-43de-825e-15f665375ee8", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n", "severity": "low", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.004", "name": "Masquerade Task or Service", "reference": "https://attack.mitre.org/techniques/T1036/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "994e40aa-8c85-43de-825e-15f665375ee8_3", "type": 
"security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_4.json b/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_4.json
deleted file mode 100644
index ab276fa19c4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.", "from": "now-10m", "index": ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", "query": "process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or\nblocklist_label == 1) and not process.args : (\"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*\", \"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*\")\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": false, "name": "blocklist_label", "type": "unknown"}, {"ecs": false, "name": "problemchild.prediction", "type": "unknown"}, {"ecs": false, "name": "problemchild.prediction_probability", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 21, "rule_id": "994e40aa-8c85-43de-825e-15f665375ee8", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\n**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle \"Include hidden indices\"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. 
Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n", "severity": "low", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.004", "name": "Masquerade Task or Service", "reference": "https://attack.mitre.org/techniques/T1036/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "994e40aa-8c85-43de-825e-15f665375ee8_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_5.json b/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_5.json deleted file mode 100644 index e3b62494e44..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.", "from": "now-10m", "index": ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", "query": "process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or\nblocklist_label == 1) and not process.args : (\"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*\", \"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*\")\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": false, "name": "blocklist_label", "type": "unknown"}, {"ecs": false, "name": "problemchild.prediction", "type": "unknown"}, {"ecs": false, "name": "problemchild.prediction_probability", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 21, "rule_id": "994e40aa-8c85-43de-825e-15f665375ee8", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\n```\n", "severity": "low", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.004", "name": "Masquerade Task or Service", "reference": "https://attack.mitre.org/techniques/T1036/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "994e40aa-8c85-43de-825e-15f665375ee8_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_6.json b/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_6.json deleted file mode 100644 index 3144394bd83..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.", "from": "now-10m", "index": ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", "query": "process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or\nblocklist_label == 1) and not process.args : (\"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*\", \"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*\")\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": false, "name": "blocklist_label", "type": "unknown"}, {"ecs": false, "name": "problemchild.prediction", "type": "unknown"}, {"ecs": false, "name": "problemchild.prediction_probability", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 21, "rule_id": "994e40aa-8c85-43de-825e-15f665375ee8", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\n", "severity": "low", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.004", "name": "Masquerade Task or Service", "reference": "https://attack.mitre.org/techniques/T1036/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "994e40aa-8c85-43de-825e-15f665375ee8_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_7.json b/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_7.json deleted file mode 100644 index 705354cfaa2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.", "from": "now-10m", "index": ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", "query": "process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or\nblocklist_label == 1) and not process.args : (\"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*\", \"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*\")\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": false, "name": "blocklist_label", "type": "unknown"}, {"ecs": false, "name": "problemchild.prediction", "type": "unknown"}, {"ecs": false, "name": "problemchild.prediction_probability", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 21, "rule_id": "994e40aa-8c85-43de-825e-15f665375ee8", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\n", "severity": "low", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.004", "name": "Masquerade Task or Service", "reference": "https://attack.mitre.org/techniques/T1036/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "994e40aa-8c85-43de-825e-15f665375ee8_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_8.json b/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_8.json deleted file mode 100644 index c2686ebe3b7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.", "from": "now-10m", "index": ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", "query": "process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or\nblocklist_label == 1) and not process.args : (\"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*\", \"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*\")\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": false, "name": "blocklist_label", "type": "unknown"}, {"ecs": false, "name": "problemchild.prediction", "type": "unknown"}, {"ecs": false, "name": "problemchild.prediction_probability", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "994e40aa-8c85-43de-825e-15f665375ee8", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\n", "severity": "high", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.004", "name": "Masquerade Task or Service", "reference": "https://attack.mitre.org/techniques/T1036/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "994e40aa-8c85-43de-825e-15f665375ee8_8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_9.json b/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_9.json deleted file mode 100644 index 156ffc77687..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/994e40aa-8c85-43de-825e-15f665375ee8_9.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.", "from": "now-10m", "index": ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score", "query": "process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or\nblocklist_label == 1) and not process.args : (\"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*\", \"*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*\")\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "blocklist_label", "type": "unknown"}, {"ecs": false, "name": "problemchild.prediction", "type": "unknown"}, {"ecs": false, "name": "problemchild.prediction_probability", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "994e40aa-8c85-43de-825e-15f665375ee8", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\n", "severity": "high", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.004", "name": "Masquerade Task or Service", "reference": "https://attack.mitre.org/techniques/T1036/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 9}, "id": "994e40aa-8c85-43de-825e-15f665375ee8_9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2.json b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2.json deleted file mode 100644 index 0dce6ce1399..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via LSASS Memory Dump", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/\n winlog.event_data.CallTrace : (\"*dbghelp*\", \"*dbgcore*\") and\n\n /* case of lsass crashing */\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\"\n )\n", "references": ["https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 73, "rule_id": "9960432d-9b26-409f-972b-839a959e79e2", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users 
will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic:Execution", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 209}, "id": "9960432d-9b26-409f-972b-839a959e79e2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_103.json b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_103.json deleted file mode 100644 index 13a6befcd2f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via LSASS Memory Dump", "note": "", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/\n winlog.event_data.CallTrace : (\"*dbghelp*\", \"*dbgcore*\") and\n\n /* case of lsass crashing */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\", \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\")\n", "references": ["https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "unknown"}], "risk_score": 73, "rule_id": "9960432d-9b26-409f-972b-839a959e79e2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", 
"tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "9960432d-9b26-409f-972b-839a959e79e2_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_104.json b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_104.json deleted file mode 100644 index 7c5411c2d61..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via LSASS Memory Dump", "note": "", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/\n winlog.event_data.CallTrace : (\"*dbghelp*\", \"*dbgcore*\") and\n\n /* case of lsass crashing */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\", \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\")\n", "references": ["https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "unknown"}], "risk_score": 73, "rule_id": "9960432d-9b26-409f-972b-839a959e79e2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", 
"tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "9960432d-9b26-409f-972b-839a959e79e2_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_105.json b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_105.json deleted file mode 100644 index 6b693a18936..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via LSASS Memory Dump", "note": "", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/\n winlog.event_data.CallTrace : (\"*dbghelp*\", \"*dbgcore*\") and\n\n /* case of lsass crashing */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\", \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\")\n", "references": ["https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 73, "rule_id": "9960432d-9b26-409f-972b-839a959e79e2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", 
"tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "9960432d-9b26-409f-972b-839a959e79e2_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_206.json b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_206.json deleted file mode 100644 index 15aa39a1b62..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_206.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via LSASS Memory Dump", "note": "", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/\n winlog.event_data.CallTrace : (\"*dbghelp*\", \"*dbgcore*\") and\n\n /* case of lsass crashing */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\", \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\")\n", "references": ["https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 73, "rule_id": "9960432d-9b26-409f-972b-839a959e79e2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", 
"tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 206}, "id": "9960432d-9b26-409f-972b-839a959e79e2_206", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_207.json b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_207.json deleted file mode 100644 index 16ac7b0d2fa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_207.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via LSASS Memory Dump", "note": "", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/\n winlog.event_data.CallTrace : (\"*dbghelp*\", \"*dbgcore*\") and\n\n /* case of lsass crashing */\n not process.executable : (\"?:\\\\Windows\\\\System32\\\\WerFault.exe\", \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\")\n", "references": ["https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 73, "rule_id": "9960432d-9b26-409f-972b-839a959e79e2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", 
"tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic:Execution", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 207}, "id": "9960432d-9b26-409f-972b-839a959e79e2_207", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_208.json b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_208.json deleted file mode 100644 index cf79d7663bd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_208.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via LSASS Memory Dump", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/\n winlog.event_data.CallTrace : (\"*dbghelp*\", \"*dbgcore*\") and\n\n /* case of lsass crashing */\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\"\n )\n", "references": ["https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 73, "rule_id": "9960432d-9b26-409f-972b-839a959e79e2", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom 
ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic:Execution", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 208}, "id": "9960432d-9b26-409f-972b-839a959e79e2_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_209.json b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_209.json deleted file mode 100644 index 0e7bf5ffc59..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_209.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via LSASS Memory Dump", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/\n winlog.event_data.CallTrace : (\"*dbghelp*\", \"*dbgcore*\") and\n\n /* case of lsass crashing */\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\"\n )\n", "references": ["https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 73, "rule_id": "9960432d-9b26-409f-972b-839a959e79e2", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users 
will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic:Execution", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 209}, "id": "9960432d-9b26-409f-972b-839a959e79e2_209", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_210.json b/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_210.json deleted file mode 100644 index e09a0a6dc81..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9960432d-9b26-409f-972b-839a959e79e2_210.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious access to LSASS handle from a call trace pointing to DBGHelp.dll or DBGCore.dll, which both export the MiniDumpWriteDump method that can be used to dump LSASS memory content in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via LSASS Memory Dump", "query": "process where host.os.type == \"windows\" and event.code == \"10\" and\n winlog.event_data.TargetImage : \"?:\\\\WINDOWS\\\\system32\\\\lsass.exe\" and\n\n /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/\n winlog.event_data.CallTrace : (\"*dbghelp*\", \"*dbgcore*\") and\n\n /* case of lsass crashing */\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\"\n )\n", "references": ["https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", "https://www.elastic.co/security-labs/detect-credential-access", "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.CallTrace", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetImage", "type": "keyword"}], "risk_score": 73, "rule_id": "9960432d-9b26-409f-972b-839a959e79e2", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` 
and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic:Execution", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 210}, "id": "9960432d-9b26-409f-972b-839a959e79e2_210", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/999565a2-fc52-4d72-91e4-ba6712c0377e_1.json b/packages/security_detection_engine/kibana/security_rule/999565a2-fc52-4d72-91e4-ba6712c0377e_1.json deleted file mode 100644 index dfb1851dd33..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/999565a2-fc52-4d72-91e4-ba6712c0377e_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This building block rule (BBR) detects Linux Access Control List (ACL) modification via the setfacl command.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Access Control List Modification via setfacl", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nprocess.name == \"setfacl\"\n", "references": ["https://www.uptycs.com/blog/threat-research-report-team/evasive-techniques-used-by-malicious-linux-shell-scripts"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "999565a2-fc52-4d72-91e4-ba6712c0377e", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/", "subtechnique": [{"id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": 
"999565a2-fc52-4d72-91e4-ba6712c0377e_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c.json b/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c.json deleted file mode 100644 index ef12cb8cf75..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job found an unusually large spike in authentication failure events. This can be due to password spraying, user enumeration or brute force activity and may be a precursor to account takeover or credentialed access.", "false_positives": ["A misconfigured service account can trigger this alert. A password change on an account used by an email client can trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "auth_high_count_logon_fails", "name": "Spike in Failed Logon Events", "note": "## Triage and analysis\n\n### Investigating Spike in Failed Logon Events\n\nThis rule uses a machine learning job to detect a substantial spike in failed authentication events. This could indicate attempts to enumerate users, password spraying, brute force, etc.\n\n#### Possible investigation steps\n\n- Identify the users involved and if the activity targets a specific user or a set of users.\n- Check if the authentication comes from different sources.\n- Investigate if the host where the failed authentication events occur is exposed to the internet.\n - If the host is exposed to the internet, and the source of these attempts is external, the activity can be related to bot activity and possibly not directed at your organization.\n - If the host is not exposed to the internet, investigate the hosts where the authentication attempts are coming from, as this can indicate that they are compromised and the attacker is trying to move laterally.\n- Investigate other alerts associated with the involved users and hosts during the past 48 hours.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are 
aware of it.\n- Investigate whether there are successful authentication events from the involved sources. This could indicate a successful brute force or password spraying attack.\n\n### False positive analysis\n\n- If the account is used in automation tasks, it is possible that they are using expired credentials, causing a spike in authentication failures.\n- Authentication failures can be related to permission issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Assess whether the asset should be exposed to the internet, and take action to reduce your attack surface.\n - If the asset needs to be exposed to the internet, restrict access to remote login services to specific IPs.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}], "risk_score": 21, "rule_id": "99dcf974-6587-4f65-9252-d866a3fdfd9c", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n- System\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. 
If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n\n### System Integration Setup\nThe System integration allows you to collect system logs and metrics from your servers with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"system\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cSystem\u201d and select the integration to see more details about it.\n- Click \u201cAdd System\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201csystem\u201d to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).\n", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "type": "machine_learning", "version": 105}, "id": "99dcf974-6587-4f65-9252-d866a3fdfd9c", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_102.json b/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_102.json
deleted file mode 100644
index 1fb6108c946..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job found an unusually large spike in authentication failure events. This can be due to password spraying, user enumeration or brute force activity and may be a precursor to account takeover or credentialed access.", "false_positives": ["A misconfigured service account can trigger this alert. A password change on an account used by an email client can trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "auth_high_count_logon_fails", "name": "Spike in Failed Logon Events", "note": "## Triage and analysis\n\n### Investigating Spike in Failed Logon Events\n\nThis rule uses a machine learning job to detect a substantial spike in failed authentication events. This could indicate attempts to enumerate users, password spraying, brute force, etc.\n\n#### Possible investigation steps\n\n- Identify the users involved and if the activity targets a specific user or a set of users.\n- Check if the authentication comes from different sources.\n- Investigate if the host where the failed authentication events occur is exposed to the internet.\n - If the host is exposed to the internet, and the source of these attempts is external, the activity can be related to bot activity and possibly not directed at your organization.\n - If the host is not exposed to the internet, investigate the hosts where the authentication attempts are coming from, as this can indicate that they are compromised and the attacker is trying to move laterally.\n- Investigate other alerts associated with the involved users and hosts during the past 48 hours.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are 
aware of it.\n- Investigate whether there are successful authentication events from the involved sources. This could indicate a successful brute force or password spraying attack.\n\n### False positive analysis\n\n- If the account is used in automation tasks, it is possible that they are using expired credentials, causing a spike in authentication failures.\n- Authentication failures can be related to permission issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Assess whether the asset should be exposed to the internet, and take action to reduce your attack surface.\n - If the asset needs to be exposed to the internet, restrict access to remote login services to specific IPs.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "99dcf974-6587-4f65-9252-d866a3fdfd9c", "severity": "low", "tags": ["Elastic", "Authentication", "Threat Detection", "ML", "Machine Learning", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "type": "machine_learning", "version": 102}, "id": "99dcf974-6587-4f65-9252-d866a3fdfd9c_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_103.json b/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_103.json
deleted file mode 100644
index 2569535e1b1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job found an unusually large spike in authentication failure events. This can be due to password spraying, user enumeration or brute force activity and may be a precursor to account takeover or credentialed access.", "false_positives": ["A misconfigured service account can trigger this alert. A password change on an account used by an email client can trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "auth_high_count_logon_fails", "name": "Spike in Failed Logon Events", "note": "## Triage and analysis\n\n### Investigating Spike in Failed Logon Events\n\nThis rule uses a machine learning job to detect a substantial spike in failed authentication events. This could indicate attempts to enumerate users, password spraying, brute force, etc.\n\n#### Possible investigation steps\n\n- Identify the users involved and if the activity targets a specific user or a set of users.\n- Check if the authentication comes from different sources.\n- Investigate if the host where the failed authentication events occur is exposed to the internet.\n - If the host is exposed to the internet, and the source of these attempts is external, the activity can be related to bot activity and possibly not directed at your organization.\n - If the host is not exposed to the internet, investigate the hosts where the authentication attempts are coming from, as this can indicate that they are compromised and the attacker is trying to move laterally.\n- Investigate other alerts associated with the involved users and hosts during the past 48 hours.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are 
aware of it.\n- Investigate whether there are successful authentication events from the involved sources. This could indicate a successful brute force or password spraying attack.\n\n### False positive analysis\n\n- If the account is used in automation tasks, it is possible that they are using expired credentials, causing a spike in authentication failures.\n- Authentication failures can be related to permission issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Assess whether the asset should be exposed to the internet, and take action to reduce your attack surface.\n - If the asset needs to be exposed to the internet, restrict access to remote login services to specific IPs.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "99dcf974-6587-4f65-9252-d866a3fdfd9c", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "type": "machine_learning", "version": 103}, "id": "99dcf974-6587-4f65-9252-d866a3fdfd9c_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_104.json b/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_104.json
deleted file mode 100644
index eb737b61a40..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/99dcf974-6587-4f65-9252-d866a3fdfd9c_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job found an unusually large spike in authentication failure events. This can be due to password spraying, user enumeration or brute force activity and may be a precursor to account takeover or credentialed access.", "false_positives": ["A misconfigured service account can trigger this alert. A password change on an account used by an email client can trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "auth_high_count_logon_fails", "name": "Spike in Failed Logon Events", "note": "## Triage and analysis\n\n### Investigating Spike in Failed Logon Events\n\nThis rule uses a machine learning job to detect a substantial spike in failed authentication events. This could indicate attempts to enumerate users, password spraying, brute force, etc.\n\n#### Possible investigation steps\n\n- Identify the users involved and if the activity targets a specific user or a set of users.\n- Check if the authentication comes from different sources.\n- Investigate if the host where the failed authentication events occur is exposed to the internet.\n - If the host is exposed to the internet, and the source of these attempts is external, the activity can be related to bot activity and possibly not directed at your organization.\n - If the host is not exposed to the internet, investigate the hosts where the authentication attempts are coming from, as this can indicate that they are compromised and the attacker is trying to move laterally.\n- Investigate other alerts associated with the involved users and hosts during the past 48 hours.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are 
aware of it.\n- Investigate whether there are successful authentication events from the involved sources. This could indicate a successful brute force or password spraying attack.\n\n### False positive analysis\n\n- If the account is used in automation tasks, it is possible that they are using expired credentials, causing a spike in authentication failures.\n- Authentication failures can be related to permission issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Assess whether the asset should be exposed to the internet, and take action to reduce your attack surface.\n - If the asset needs to be exposed to the internet, restrict access to remote login services to specific IPs.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}], "risk_score": 21, "rule_id": "99dcf974-6587-4f65-9252-d866a3fdfd9c", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "type": 
"machine_learning", "version": 104}, "id": "99dcf974-6587-4f65-9252-d866a3fdfd9c_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9a1a2dae-0b5f-4c3d-8305-a268d404c306.json b/packages/security_detection_engine/kibana/security_rule/9a1a2dae-0b5f-4c3d-8305-a268d404c306.json
deleted file mode 100644
index 84980163f1f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9a1a2dae-0b5f-4c3d-8305-a268d404c306.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.", "enabled": true, "exceptions_list": [{"id": "endpoint_list", "list_id": "endpoint_list", "namespace_type": "agnostic", "type": "endpoint"}], "from": "now-10m", "index": ["logs-endpoint.alerts-*"], "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Endpoint Security", "query": "event.kind:alert and event.module:(endpoint and not endgame)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "risk_score_mapping": [{"field": "event.risk_score", "operator": "equals", "value": ""}], "rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306", "rule_name_override": "message", "setup": "## Setup\n\nThis rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.\n\n**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. 
For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.\n\nTo make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.\n\n**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.", "severity": "medium", "severity_mapping": [{"field": "event.severity", "operator": "equals", "severity": "low", "value": "21"}, {"field": "event.severity", "operator": "equals", "severity": "medium", "value": "47"}, {"field": "event.severity", "operator": "equals", "severity": "high", "value": "73"}, {"field": "event.severity", "operator": "equals", "severity": "critical", "value": "99"}], "tags": ["Data Source: Elastic Defend"], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9a1a2dae-0b5f-4c3d-8305-a268d404c306_101.json b/packages/security_detection_engine/kibana/security_rule/9a1a2dae-0b5f-4c3d-8305-a268d404c306_101.json deleted file mode 100644 index 1da74bd9a4f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9a1a2dae-0b5f-4c3d-8305-a268d404c306_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.", "enabled": true, "exceptions_list": [{"id": "endpoint_list", "list_id": "endpoint_list", "namespace_type": "agnostic", "type": "endpoint"}], "from": "now-10m", "index": ["logs-endpoint.alerts-*"], "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Endpoint Security", "query": "event.kind:alert and event.module:(endpoint and not endgame)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "risk_score_mapping": [{"field": "event.risk_score", "operator": "equals", "value": ""}], "rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306", "rule_name_override": "message", "severity": "medium", "severity_mapping": [{"field": "event.severity", "operator": "equals", "severity": "low", "value": "21"}, {"field": "event.severity", "operator": "equals", "severity": "medium", "value": "47"}, {"field": "event.severity", "operator": "equals", "severity": "high", "value": "73"}, {"field": "event.severity", "operator": "equals", "severity": "critical", "value": "99"}], "tags": ["Elastic", "Endpoint Security"], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9a1a2dae-0b5f-4c3d-8305-a268d404c306_102.json b/packages/security_detection_engine/kibana/security_rule/9a1a2dae-0b5f-4c3d-8305-a268d404c306_102.json deleted file mode 100644 index 1543dd28ca4..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/9a1a2dae-0b5f-4c3d-8305-a268d404c306_102.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.", "enabled": true, "exceptions_list": [{"id": "endpoint_list", "list_id": "endpoint_list", "namespace_type": "agnostic", "type": "endpoint"}], "from": "now-10m", "index": ["logs-endpoint.alerts-*"], "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Endpoint Security", "query": "event.kind:alert and event.module:(endpoint and not endgame)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "risk_score_mapping": [{"field": "event.risk_score", "operator": "equals", "value": ""}], "rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306", "rule_name_override": "message", "severity": "medium", "severity_mapping": [{"field": "event.severity", "operator": "equals", "severity": "low", "value": "21"}, {"field": "event.severity", "operator": "equals", "severity": "medium", "value": "47"}, {"field": "event.severity", "operator": "equals", "severity": "high", "value": "73"}, {"field": "event.severity", "operator": "equals", "severity": "critical", "value": "99"}], "tags": ["Data Source: Elastic Defend"], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/9a3884d0-282d-45ea-86ce-b9c81100f026.json b/packages/security_detection_engine/kibana/security_rule/9a3884d0-282d-45ea-86ce-b9c81100f026.json
deleted file mode 100644
index 61a5234fd61..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9a3884d0-282d-45ea-86ce-b9c81100f026.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies an unsigned Windows Background Intelligent Transfer Service (BITS) client process. Attackers may abuse BITS functionality to download or upload data using the BITS service.", "from": "now-119m", "index": ["logs-endpoint.events.library-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Unsigned BITS Service Client Process", "query": "library where dll.name : \"Bitsproxy.dll\" and process.executable != null and\nnot process.code_signature.trusted == true and\nnot process.code_signature.status : (\"errorExpired\", \"errorCode_endpoint*\")\n", "references": ["https://web.archive.org/web/20230531215706/https://blog.menasec.net/2021/05/hunting-for-suspicious-usage-of.html", "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "9a3884d0-282d-45ea-86ce-b9c81100f026", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}, {"id": "T1197", "name": "BITS Jobs", "reference": 
"https://attack.mitre.org/techniques/T1197/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "9a3884d0-282d-45ea-86ce-b9c81100f026", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9a3884d0-282d-45ea-86ce-b9c81100f026_1.json b/packages/security_detection_engine/kibana/security_rule/9a3884d0-282d-45ea-86ce-b9c81100f026_1.json
deleted file mode 100644
index ce8699c4c2d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9a3884d0-282d-45ea-86ce-b9c81100f026_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies an unsigned Windows Background Intelligent Transfer Service (BITS) client process. Attackers may abuse BITS functionality to download or upload data using the BITS service.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Unsigned BITS Service Client Process", "query": "library where dll.name : \"Bitsproxy.dll\" and process.executable != null and\nnot process.code_signature.trusted == true\n", "references": ["https://web.archive.org/web/20230531215706/https://blog.menasec.net/2021/05/hunting-for-suspicious-usage-of.html", "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "9a3884d0-282d-45ea-86ce-b9c81100f026", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": "https://attack.mitre.org/techniques/T1197/"}, {"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "9a3884d0-282d-45ea-86ce-b9c81100f026_1", "type": "security-rule"} \ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9a3884d0-282d-45ea-86ce-b9c81100f026_2.json b/packages/security_detection_engine/kibana/security_rule/9a3884d0-282d-45ea-86ce-b9c81100f026_2.json
deleted file mode 100644
index 2c7006c48cf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9a3884d0-282d-45ea-86ce-b9c81100f026_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies an unsigned Windows Background Intelligent Transfer Service (BITS) client process. Attackers may abuse BITS functionality to download or upload data using the BITS service.", "from": "now-119m", "index": ["logs-endpoint.events.library-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Unsigned BITS Service Client Process", "query": "library where dll.name : \"Bitsproxy.dll\" and process.executable != null and\nnot process.code_signature.trusted == true and\nnot process.code_signature.status : (\"errorExpired\", \"errorCode_endpoint*\")\n", "references": ["https://web.archive.org/web/20230531215706/https://blog.menasec.net/2021/05/hunting-for-suspicious-usage-of.html", "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "9a3884d0-282d-45ea-86ce-b9c81100f026", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": "https://attack.mitre.org/techniques/T1197/"}, {"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": 
"https://attack.mitre.org/techniques/T1036/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "9a3884d0-282d-45ea-86ce-b9c81100f026_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f.json b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f.json
deleted file mode 100644
index ea39ed9d91b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. They may utilize these to move laterally undetected and access additional resources.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Shadow File Read via Command Line Utilities", "new_terms_fields": ["process.command_line", "host.id", "process.executable"], "query": "host.os.type : \"linux\" and event.category : \"process\" and event.action : (\"exec\" or \"exec_event\") and\n(process.args : \"/etc/shadow\" or (process.working_directory: \"/etc\" and process.args: \"shadow\")) and not \n(process.executable : (\"/bin/chown\" or \"/usr/bin/chown\") and process.args : \"root:shadow\") and not \n(process.executable : (\"/bin/chmod\" or \"/usr/bin/chmod\") and process.args : \"640\")\n", "references": ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 47, "rule_id": "9a3a3689-8ed1-4cdb-83fb-9506db54c61f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "reference": "https://attack.mitre.org/techniques/T1003/008/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 208}, "id": "9a3a3689-8ed1-4cdb-83fb-9506db54c61f", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_105.json b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_105.json deleted file mode 100644 index b1bc070b7dc..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. They may utilize these to move laterally undetected and access additional resources.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Shadow File Read via Command Line Utilities", "new_terms_fields": ["process.command_line"], "query": "host.os.type : \"linux\" and event.category : \"process\" and event.action : (\"exec\" or \"exec_event\") and\n(process.args : \"/etc/shadow\" or (process.working_directory: \"/etc\" and process.args: \"shadow\")) and not \n(process.executable : (\"/bin/chown\" or \"/usr/bin/chown\") and process.args : \"root:shadow\") and not \n(process.executable : (\"/bin/chmod\" or \"/usr/bin/chmod\") and process.args : \"640\")\n", "references": ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 47, "rule_id": "9a3a3689-8ed1-4cdb-83fb-9506db54c61f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", 
"reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "reference": "https://attack.mitre.org/techniques/T1003/008/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 105}, "id": "9a3a3689-8ed1-4cdb-83fb-9506db54c61f_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_106.json b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_106.json
deleted file mode 100644
index 69e5e4bd326..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. They may utilize these to move laterally undetected and access additional resources.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Shadow File Read via Command Line Utilities", "new_terms_fields": ["process.command_line"], "query": "host.os.type : \"linux\" and event.category : \"process\" and event.action : (\"exec\" or \"exec_event\") and\n(process.args : \"/etc/shadow\" or (process.working_directory: \"/etc\" and process.args: \"shadow\")) and not \n(process.executable : (\"/bin/chown\" or \"/usr/bin/chown\") and process.args : \"root:shadow\") and not \n(process.executable : (\"/bin/chmod\" or \"/usr/bin/chmod\") and process.args : \"640\")\n", "references": ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 47, "rule_id": "9a3a3689-8ed1-4cdb-83fb-9506db54c61f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": 
"Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "reference": "https://attack.mitre.org/techniques/T1003/008/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 106}, "id": "9a3a3689-8ed1-4cdb-83fb-9506db54c61f_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_107.json b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_107.json
deleted file mode 100644
index 5f78bc98082..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. They may utilize these to move laterally undetected and access additional resources.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Shadow File Read via Command Line Utilities", "new_terms_fields": ["process.command_line"], "query": "host.os.type : \"linux\" and event.category : \"process\" and event.action : (\"exec\" or \"exec_event\") and\n(process.args : \"/etc/shadow\" or (process.working_directory: \"/etc\" and process.args: \"shadow\")) and not \n(process.executable : (\"/bin/chown\" or \"/usr/bin/chown\") and process.args : \"root:shadow\") and not \n(process.executable : (\"/bin/chmod\" or \"/usr/bin/chmod\") and process.args : \"640\")\n", "references": ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 47, "rule_id": "9a3a3689-8ed1-4cdb-83fb-9506db54c61f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "reference": "https://attack.mitre.org/techniques/T1003/008/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 107}, "id": "9a3a3689-8ed1-4cdb-83fb-9506db54c61f_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_108.json b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_108.json deleted file mode 100644 index 64f052df9c1..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. They may utilize these to move laterally undetected and access additional resources.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Shadow File Read via Command Line Utilities", "new_terms_fields": ["process.command_line"], "query": "host.os.type : \"linux\" and event.category : \"process\" and event.action : (\"exec\" or \"exec_event\") and\n(process.args : \"/etc/shadow\" or (process.working_directory: \"/etc\" and process.args: \"shadow\")) and not \n(process.executable : (\"/bin/chown\" or \"/usr/bin/chown\") and process.args : \"root:shadow\") and not \n(process.executable : (\"/bin/chmod\" or \"/usr/bin/chmod\") and process.args : \"640\")\n", "references": ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 47, "rule_id": "9a3a3689-8ed1-4cdb-83fb-9506db54c61f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "reference": "https://attack.mitre.org/techniques/T1003/008/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 108}, "id": "9a3a3689-8ed1-4cdb-83fb-9506db54c61f_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_208.json b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_208.json deleted file mode 100644 index 3065254ee78..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_208.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. They may utilize these to move laterally undetected and access additional resources.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Shadow File Read via Command Line Utilities", "new_terms_fields": ["process.command_line", "host.id", "process.executable"], "query": "host.os.type : \"linux\" and event.category : \"process\" and event.action : (\"exec\" or \"exec_event\") and\n(process.args : \"/etc/shadow\" or (process.working_directory: \"/etc\" and process.args: \"shadow\")) and not \n(process.executable : (\"/bin/chown\" or \"/usr/bin/chown\") and process.args : \"root:shadow\") and not \n(process.executable : (\"/bin/chmod\" or \"/usr/bin/chmod\") and process.args : \"640\")\n", "references": ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 47, "rule_id": "9a3a3689-8ed1-4cdb-83fb-9506db54c61f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "reference": "https://attack.mitre.org/techniques/T1003/008/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 208}, "id": "9a3a3689-8ed1-4cdb-83fb-9506db54c61f_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_4.json b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_4.json deleted file mode 100644 index ca2fa1c8d72..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. They may utilize these to move laterally undetected and access additional resources.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Shadow File Read via Command Line Utilities", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and user.name == \"root\"\n and (process.args : \"/etc/shadow\" or (process.working_directory: \"/etc\" and process.args: \"shadow\"))\n and not process.executable:\n (\"/usr/bin/tar\",\n \"/bin/tar\",\n \"/usr/bin/gzip\",\n \"/bin/gzip\",\n \"/usr/bin/zip\",\n \"/bin/zip\",\n \"/usr/bin/stat\",\n \"/bin/stat\",\n \"/usr/bin/cmp\",\n \"/bin/cmp\",\n \"/usr/bin/sudo\",\n \"/bin/sudo\",\n \"/usr/bin/find\",\n \"/bin/find\",\n \"/usr/bin/ls\",\n \"/bin/ls\",\n \"/usr/bin/uniq\",\n \"/bin/uniq\",\n \"/usr/bin/unzip\",\n \"/bin/unzip\",\n \"/usr/sbin/restorecon\",\n \"/sbin/restorecon\")\n and not process.parent.executable: \"/bin/dracut\" and\n not (process.executable : (\"/bin/chown\", \"/usr/bin/chown\") and process.args : \"root:shadow\") and\n not (process.executable : (\"/bin/chmod\", \"/usr/bin/chmod\") and process.args : \"640\")\n", "references": ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, 
{"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "9a3a3689-8ed1-4cdb-83fb-9506db54c61f", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "reference": "https://attack.mitre.org/techniques/T1003/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "9a3a3689-8ed1-4cdb-83fb-9506db54c61f_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_5.json b/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_5.json deleted file mode 100644 index 5c4719823ee..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9a3a3689-8ed1-4cdb-83fb-9506db54c61f_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies access to the /etc/shadow file via the commandline using standard system utilities. After elevating privileges to root, threat actors may attempt to read or dump this file in order to gain valid credentials. They may utilize these to move laterally undetected and access additional resources.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Shadow File Read via Command Line Utilities", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and user.name == \"root\"\n and (process.args : \"/etc/shadow\" or (process.working_directory: \"/etc\" and process.args: \"shadow\"))\n and not process.executable:\n (\"/usr/bin/tar\",\n \"/bin/tar\",\n \"/usr/bin/gzip\",\n \"/bin/gzip\",\n \"/usr/bin/zip\",\n \"/bin/zip\",\n \"/usr/bin/stat\",\n \"/bin/stat\",\n \"/usr/bin/cmp\",\n \"/bin/cmp\",\n \"/usr/bin/sudo\",\n \"/bin/sudo\",\n \"/usr/bin/find\",\n \"/bin/find\",\n \"/usr/bin/ls\",\n \"/bin/ls\",\n \"/usr/bin/uniq\",\n \"/bin/uniq\",\n \"/usr/bin/unzip\",\n \"/bin/unzip\",\n \"/usr/sbin/restorecon\",\n \"/sbin/restorecon\")\n and not process.parent.executable: \"/bin/dracut\" and\n not (process.executable : (\"/bin/chown\", \"/usr/bin/chown\") and process.args : \"root:shadow\") and\n not (process.executable : (\"/bin/chmod\", \"/usr/bin/chmod\") and process.args : \"640\")\n", "references": ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, 
{"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "9a3a3689-8ed1-4cdb-83fb-9506db54c61f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "reference": "https://attack.mitre.org/techniques/T1003/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "9a3a3689-8ed1-4cdb-83fb-9506db54c61f_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b.json b/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b.json deleted file mode 100644 index 0d7f606ffd1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Explorer Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"rundll32.exe\", \"cmd.exe\", \"mshta.exe\", \"regsvr32.exe\") or\n process.pe.original_file_name in (\"cscript.exe\", \"wscript.exe\", \"PowerShell.EXE\", \"RUNDLL32.EXE\", \"Cmd.Exe\", \"MSHTA.EXE\", \"REGSVR32.EXE\")\n ) and\n /* Explorer started via DCOM */\n process.parent.name : \"explorer.exe\" and process.parent.args : \"-Embedding\" and\n not process.parent.args:\n (\n /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */\n \"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\",\n \"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence 
for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": 
"eql", "version": 109}, "id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_103.json b/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_103.json deleted file mode 100644 index 2509a0a57de..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Explorer Child Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"rundll32.exe\", \"cmd.exe\", \"mshta.exe\", \"regsvr32.exe\") or\n process.pe.original_file_name in (\"cscript.exe\", \"wscript.exe\", \"PowerShell.EXE\", \"RUNDLL32.EXE\", \"Cmd.Exe\", \"MSHTA.EXE\", \"REGSVR32.EXE\")\n ) and\n /* Explorer started via DCOM */\n process.parent.name : \"explorer.exe\" and process.parent.args : \"-Embedding\" and\n not process.parent.args:\n (\n /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */\n \"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\",\n \"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline 
to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_104.json b/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_104.json deleted file mode 100644 index 213f1f62ba4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Explorer Child Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"rundll32.exe\", \"cmd.exe\", \"mshta.exe\", \"regsvr32.exe\") or\n process.pe.original_file_name in (\"cscript.exe\", \"wscript.exe\", \"PowerShell.EXE\", \"RUNDLL32.EXE\", \"Cmd.Exe\", \"MSHTA.EXE\", \"REGSVR32.EXE\")\n ) and\n /* Explorer started via DCOM */\n process.parent.name : \"explorer.exe\" and process.parent.args : \"-Embedding\" and\n not process.parent.args:\n (\n /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */\n \"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\",\n \"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline 
to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_105.json b/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_105.json deleted file mode 100644 index 1a169601778..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Explorer Child Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"rundll32.exe\", \"cmd.exe\", \"mshta.exe\", \"regsvr32.exe\") or\n process.pe.original_file_name in (\"cscript.exe\", \"wscript.exe\", \"PowerShell.EXE\", \"RUNDLL32.EXE\", \"Cmd.Exe\", \"MSHTA.EXE\", \"REGSVR32.EXE\")\n ) and\n /* Explorer started via DCOM */\n process.parent.name : \"explorer.exe\" and process.parent.args : \"-Embedding\" and\n not process.parent.args:\n (\n /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */\n \"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\",\n \"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline 
to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_106.json b/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_106.json deleted file mode 100644 index 7e3c19b646d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Explorer Child Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"rundll32.exe\", \"cmd.exe\", \"mshta.exe\", \"regsvr32.exe\") or\n process.pe.original_file_name in (\"cscript.exe\", \"wscript.exe\", \"PowerShell.EXE\", \"RUNDLL32.EXE\", \"Cmd.Exe\", \"MSHTA.EXE\", \"REGSVR32.EXE\")\n ) and\n /* Explorer started via DCOM */\n process.parent.name : \"explorer.exe\" and process.parent.args : \"-Embedding\" and\n not process.parent.args:\n (\n /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */\n \"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\",\n \"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline 
to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_107.json b/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_107.json deleted file mode 100644 index 3fc984153fc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Explorer Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"rundll32.exe\", \"cmd.exe\", \"mshta.exe\", \"regsvr32.exe\") or\n process.pe.original_file_name in (\"cscript.exe\", \"wscript.exe\", \"PowerShell.EXE\", \"RUNDLL32.EXE\", \"Cmd.Exe\", \"MSHTA.EXE\", \"REGSVR32.EXE\")\n ) and\n /* Explorer started via DCOM */\n process.parent.name : \"explorer.exe\" and process.parent.args : \"-Embedding\" and\n not process.parent.args:\n (\n /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */\n \"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\",\n \"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, 
users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": 
"9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_108.json b/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_108.json deleted file mode 100644 index f158d58d045..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Explorer Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"rundll32.exe\", \"cmd.exe\", \"mshta.exe\", \"regsvr32.exe\") or\n process.pe.original_file_name in (\"cscript.exe\", \"wscript.exe\", \"PowerShell.EXE\", \"RUNDLL32.EXE\", \"Cmd.Exe\", \"MSHTA.EXE\", \"REGSVR32.EXE\")\n ) and\n /* Explorer started via DCOM */\n process.parent.name : \"explorer.exe\" and process.parent.args : \"-Embedding\" and\n not process.parent.args:\n (\n /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */\n \"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\",\n \"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this 
rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", 
"version": 108}, "id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_109.json b/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_109.json deleted file mode 100644 index 82f24b31b62..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Explorer Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"cscript.exe\", \"wscript.exe\", \"powershell.exe\", \"rundll32.exe\", \"cmd.exe\", \"mshta.exe\", \"regsvr32.exe\") or\n process.pe.original_file_name in (\"cscript.exe\", \"wscript.exe\", \"PowerShell.EXE\", \"RUNDLL32.EXE\", \"Cmd.Exe\", \"MSHTA.EXE\", \"REGSVR32.EXE\")\n ) and\n /* Explorer started via DCOM */\n process.parent.name : \"explorer.exe\" and process.parent.args : \"-Embedding\" and\n not process.parent.args:\n (\n /* Noisy CLSID_SeparateSingleProcessExplorerHost Explorer COM Class IDs */\n \"/factory,{5BD95610-9434-43C2-886C-57852CC8A120}\",\n \"/factory,{ceff45ee-c862-41de-aee2-a022c81eda92}\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence 
for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": 
"eql", "version": 109}, "id": "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698.json b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698.json deleted file mode 100644 index 77a61375436..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Scheduled Tasks AT Command Enabled", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\"\n ) and registry.data.strings : (\"1\", \"0x00000001\")\n", "references": ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.002", "name": "At", "reference": "https://attack.mitre.org/techniques/T1053/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_103.json b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_103.json deleted file mode 100644 index 666cef209ca..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Scheduled Tasks AT Command Enabled", "note": "", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\"\n ) and registry.data.strings : (\"1\", \"0x00000001\")\n", "references": ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_104.json b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_104.json deleted file mode 100644 index 5e0c06b7d6c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Scheduled Tasks AT Command Enabled", "note": "", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\"\n ) and registry.data.strings : (\"1\", \"0x00000001\")\n", "references": ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_105.json b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_105.json deleted file mode 100644 index 8499f39a02a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Scheduled Tasks AT Command Enabled", "note": "", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\"\n ) and registry.data.strings : (\"1\", \"0x00000001\")\n", "references": ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": 
"Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_106.json b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_106.json deleted file mode 100644 index 6e70756a999..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Scheduled Tasks AT Command Enabled", "note": "", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\"\n ) and registry.data.strings : (\"1\", \"0x00000001\")\n", "references": ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.002", "name": "At", "reference": "https://attack.mitre.org/techniques/T1053/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_107.json b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_107.json deleted file mode 100644 index 73b522ce04f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Scheduled Tasks AT Command Enabled", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\"\n ) and registry.data.strings : (\"1\", \"0x00000001\")\n", "references": ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat 
Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.002", "name": "At", "reference": "https://attack.mitre.org/techniques/T1053/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_108.json b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_108.json deleted file mode 100644 index 10cd2a49b30..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Scheduled Tasks AT Command Enabled", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\"\n ) and registry.data.strings : (\"1\", \"0x00000001\")\n", "references": ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", 
"Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.002", "name": "At", "reference": "https://attack.mitre.org/techniques/T1053/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_109.json b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_109.json deleted file mode 100644 index 96ad5a7ae82..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Scheduled Tasks AT Command Enabled", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\"\n ) and registry.data.strings : (\"1\", \"0x00000001\")\n", "references": ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: 
Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.002", "name": "At", "reference": "https://attack.mitre.org/techniques/T1053/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_110.json b/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_110.json deleted file mode 100644 index 19d585a37d5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9aa0e1f6-52ce-42e1-abb3-09657cee2698_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to enable the Windows scheduled tasks AT command via the registry. Attackers may use this method to move laterally or persist locally. The AT command has been deprecated since Windows 8 and Windows Server 2012, but still exists for backwards compatibility.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Scheduled Tasks AT Command Enabled", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Schedule\\\\Configuration\\\\EnableAt\"\n ) and registry.data.strings : (\"1\", \"0x00000001\")\n", "references": ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-scheduledjob"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.002", "name": "At", "reference": "https://attack.mitre.org/techniques/T1053/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "9aa0e1f6-52ce-42e1-abb3-09657cee2698_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9aa4be8d-5828-417d-9f54-7cd304571b24.json b/packages/security_detection_engine/kibana/security_rule/9aa4be8d-5828-417d-9f54-7cd304571b24.json deleted file mode 100644 index d3d84000734..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9aa4be8d-5828-417d-9f54-7cd304571b24.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised user accounts. This rule looks for use of the IAM `AttachUserPolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM user.", "false_positives": ["While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `AttachUserPolicy` API operation to attach the `AdministratorAccess` policy to the target user."], "from": "now-6m", "language": "esql", "license": "Elastic License v2", "name": "AWS IAM AdministratorAccess Policy Attached to User", "note": "## Triage and analysis\n\n### Investigating AWS IAM AdministratorAccess Policy Attached to User\n\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources. \nWith access to the `iam:AttachUserPolicy` permission, a set of compromised credentials could be used to attach\nthis policy to the current user for privilege escalation or another user as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\nto look for use of the `AttachUserPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\n\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment.\n- Review IAM permission policies for the user identity.\n- Identify the applications or users that should use this account.\n- Investigate other alerts associated with the account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n - Determine what other API calls were made by the user.\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n - Rotate user credentials\n - Remove the `AdministratorAccess` policy from the affected user(s)\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\n - Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "from logs-aws.cloudtrail-*\n| where event.provider == \"iam.amazonaws.com\" and event.action == \"AttachUserPolicy\" and event.outcome == \"success\"\n| dissect aws.cloudtrail.request_parameters \"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?userName}=%{target.userName}}\"\n| where policyName == \"AdministratorAccess\"\n", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html", "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html", "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"], "risk_score": 47, "rule_id": "9aa4be8d-5828-417d-9f54-7cd304571b24", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": 
"https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 2}, "id": "9aa4be8d-5828-417d-9f54-7cd304571b24", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9aa4be8d-5828-417d-9f54-7cd304571b24_1.json b/packages/security_detection_engine/kibana/security_rule/9aa4be8d-5828-417d-9f54-7cd304571b24_1.json deleted file mode 100644 index f6e07caa3ad..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9aa4be8d-5828-417d-9f54-7cd304571b24_1.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised user accounts. This rule looks for use of the IAM `AttachUserPolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM user.", "false_positives": ["While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `AttachUserPolicy` API operation to attach the `AdministratorAccess` policy to the target user."], "from": "now-10m", "language": "esql", "license": "Elastic License v2", "name": "AWS IAM AdministratorAccess Policy Attached to User", "note": "## Triage and analysis\n\n### Investigating AWS IAM AdministratorAccess Policy Attached to User\n\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources. \nWith access to the `iam:AttachUserPolicy` permission, a set of compromised credentials could be used to attach\nthis policy to the current user for privilege escalation or another user as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\nto look for use of the `AttachUserPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\n\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment.\n- Review IAM permission policies for the user identity.\n- Identify the applications or users that should use this account.\n- Investigate other alerts associated with the account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n - Determine what other API calls were made by the user.\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n - Rotate user credentials\n - Remove the `AdministratorAccess` policy from the affected user(s)\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\n - Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "from logs-aws.cloudtrail-*\n| where event.provider == \"iam.amazonaws.com\" and event.action == \"AttachUserPolicy\" and event.outcome == \"success\"\n| dissect aws.cloudtrail.request_parameters \"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?userName}=%{target.userName}}\"\n| where policyName == \"AdministratorAccess\"\n| keep @timestamp, aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id, event.action, policyName, target.userName, user_agent.original, source.address, source.geo.location\n| sort aws.cloudtrail.user_identity.arn\n", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html", "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html", "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"], "risk_score": 47, "rule_id": "9aa4be8d-5828-417d-9f54-7cd304571b24", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: 
Identity and Access Audit", "Tactic: Privilege Escalation", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "9aa4be8d-5828-417d-9f54-7cd304571b24_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9aa4be8d-5828-417d-9f54-7cd304571b24_2.json b/packages/security_detection_engine/kibana/security_rule/9aa4be8d-5828-417d-9f54-7cd304571b24_2.json
deleted file mode 100644
index f368617018b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9aa4be8d-5828-417d-9f54-7cd304571b24_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised user accounts. This rule looks for use of the IAM `AttachUserPolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM user.", "false_positives": ["While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `AttachUserPolicy` API operation to attach the `AdministratorAccess` policy to the target user."], "from": "now-6m", "language": "esql", "license": "Elastic License v2", "name": "AWS IAM AdministratorAccess Policy Attached to User", "note": "## Triage and analysis\n\n### Investigating AWS IAM AdministratorAccess Policy Attached to User\n\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources. \nWith access to the `iam:AttachUserPolicy` permission, a set of compromised credentials could be used to attach\nthis policy to the current user for privilege escalation or another user as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\nto look for use of the `AttachUserPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\n\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment.\n- Review IAM permission policies for the user identity.\n- Identify the applications or users that should use this account.\n- Investigate other alerts associated with the account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n - Determine what other API calls were made by the user.\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n - Rotate user credentials\n - Remove the `AdministratorAccess` policy from the affected user(s)\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\n - Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "from logs-aws.cloudtrail-*\n| where event.provider == \"iam.amazonaws.com\" and event.action == \"AttachUserPolicy\" and event.outcome == \"success\"\n| dissect aws.cloudtrail.request_parameters \"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?userName}=%{target.userName}}\"\n| where policyName == \"AdministratorAccess\"\n", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html", "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html", "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"], "risk_score": 47, "rule_id": "9aa4be8d-5828-417d-9f54-7cd304571b24", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": 
"https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 2}, "id": "9aa4be8d-5828-417d-9f54-7cd304571b24_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9aa4be8d-5828-417d-9f54-7cd304571b24_3.json b/packages/security_detection_engine/kibana/security_rule/9aa4be8d-5828-417d-9f54-7cd304571b24_3.json deleted file mode 100644 index 5c8d85b59a4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9aa4be8d-5828-417d-9f54-7cd304571b24_3.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised user accounts. This rule looks for use of the IAM `AttachUserPolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM user.", "false_positives": ["While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `AttachUserPolicy` API operation to attach the `AdministratorAccess` policy to the target user."], "from": "now-6m", "language": "esql", "license": "Elastic License v2", "name": "AWS IAM AdministratorAccess Policy Attached to User", "note": "## Triage and analysis\n\n### Investigating AWS IAM AdministratorAccess Policy Attached to User\n\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources.\nWith access to the `iam:AttachUserPolicy` permission, a set of compromised credentials could be used to attach\nthis policy to the current user for privilege escalation or another user as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\nto look for use of the `AttachUserPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\n\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment.\n- Review IAM permission policies for the user identity.\n- Identify the applications or users that should use this account.\n- Investigate other alerts associated with the account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n - Determine what other API calls were made by the user.\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n - Rotate user credentials\n - Remove the `AdministratorAccess` policy from the affected user(s)\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified.\n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment.\n - Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update 
logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "from logs-aws.cloudtrail-* metadata _id, _version, _index\n| where event.provider == \"iam.amazonaws.com\" and event.action == \"AttachUserPolicy\" and event.outcome == \"success\"\n| dissect aws.cloudtrail.request_parameters \"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?userName}=%{target.userName}}\"\n| where policyName == \"AdministratorAccess\"\n| keep @timestamp, event.provider, event.action, event.outcome, policyName, target.userName\n", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html", "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html", "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"], "risk_score": 47, "rule_id": "9aa4be8d-5828-417d-9f54-7cd304571b24", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": 
"https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 3}, "id": "9aa4be8d-5828-417d-9f54-7cd304571b24_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9b343b62-d173-4cfd-bd8b-e6379f964ca4.json b/packages/security_detection_engine/kibana/security_rule/9b343b62-d173-4cfd-bd8b-e6379f964ca4.json deleted file mode 100644 index 6cec7187589..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9b343b62-d173-4cfd-bd8b-e6379f964ca4.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects when a member is granted the organization owner role of a GitHub organization. This role provides admin level privileges. Any new owner role should be investigated to determine its validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.", "from": "now-9m", "index": ["logs-github.audit-*"], "language": "eql", "license": "Elastic License v2", "name": "GitHub Owner Role Granted To User", "query": "iam where event.dataset == \"github.audit\" and event.action == \"org.update_member\" and github.permission == \"admin\"\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "github.permission", "type": "keyword"}], "risk_score": 47, "rule_id": "9b343b62-d173-4cfd-bd8b-e6379f964ca4", "severity": "medium", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Persistence", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "9b343b62-d173-4cfd-bd8b-e6379f964ca4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9b343b62-d173-4cfd-bd8b-e6379f964ca4_1.json b/packages/security_detection_engine/kibana/security_rule/9b343b62-d173-4cfd-bd8b-e6379f964ca4_1.json
deleted file mode 100644
index f4fb3d3214e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9b343b62-d173-4cfd-bd8b-e6379f964ca4_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects when a member is granted the organization owner role of a GitHub organization. This role provides admin level privileges. Any new owner role should be investigated to determine its validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.", "from": "now-9m", "index": ["logs-github.audit-*"], "language": "eql", "license": "Elastic License v2", "name": "GitHub Owner Role Granted To User", "query": "iam where event.dataset == \"github.audit\" and event.action == \"org.update_member\" and github.permission == \"admin\"\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "github.permission", "type": "unknown"}], "risk_score": 47, "rule_id": "9b343b62-d173-4cfd-bd8b-e6379f964ca4", "severity": "medium", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "9b343b62-d173-4cfd-bd8b-e6379f964ca4_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9b343b62-d173-4cfd-bd8b-e6379f964ca4_105.json b/packages/security_detection_engine/kibana/security_rule/9b343b62-d173-4cfd-bd8b-e6379f964ca4_105.json
new file mode 100644
index 00000000000..c6775e0f728
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/9b343b62-d173-4cfd-bd8b-e6379f964ca4_105.json
@@ -0,0 +1,78 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule detects when a member is granted the organization owner role of a GitHub organization. This role provides admin level privileges. Any new owner role should be investigated to determine its validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.",
+ "from": "now-9m",
+ "index": [
+ "logs-github.audit-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "GitHub Owner Role Granted To User",
+ "query": "iam where event.dataset == \"github.audit\" and event.action == \"org.update_member\" and github.permission == \"admin\"\n",
+ "related_integrations": [
+ {
+ "package": "github",
+ "version": "^2.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "github.permission",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "9b343b62-d173-4cfd-bd8b-e6379f964ca4",
+ "severity": "medium",
+ "tags": [
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Persistence",
+ "Data Source: Github"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1098",
+ "name": "Account Manipulation",
+ "reference": "https://attack.mitre.org/techniques/T1098/",
+ "subtechnique": [
+ {
+ "id": "T1098.003",
+ "name": "Additional Cloud Roles",
+ "reference": "https://attack.mitre.org/techniques/T1098/003/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 105
+ },
+ "id": "9b343b62-d173-4cfd-bd8b-e6379f964ca4_105",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9b343b62-d173-4cfd-bd8b-e6379f964ca4_2.json b/packages/security_detection_engine/kibana/security_rule/9b343b62-d173-4cfd-bd8b-e6379f964ca4_2.json
deleted file mode 100644
index 5ec94413334..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9b343b62-d173-4cfd-bd8b-e6379f964ca4_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects when a member is granted the organization owner role of a GitHub organization. This role provides admin level privileges. Any new owner role should be investigated to determine its validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.", "from": "now-9m", "index": ["logs-github.audit-*"], "language": "eql", "license": "Elastic License v2", "name": "GitHub Owner Role Granted To User", "query": "iam where event.dataset == \"github.audit\" and event.action == \"org.update_member\" and github.permission == \"admin\"\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "github.permission", "type": "keyword"}], "risk_score": 47, "rule_id": "9b343b62-d173-4cfd-bd8b-e6379f964ca4", "severity": "medium", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "9b343b62-d173-4cfd-bd8b-e6379f964ca4_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9b343b62-d173-4cfd-bd8b-e6379f964ca4_3.json b/packages/security_detection_engine/kibana/security_rule/9b343b62-d173-4cfd-bd8b-e6379f964ca4_3.json
deleted file mode 100644
index d1e688b50b3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9b343b62-d173-4cfd-bd8b-e6379f964ca4_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects when a member is granted the organization owner role of a GitHub organization. This role provides admin level privileges. Any new owner role should be investigated to determine its validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.", "from": "now-9m", "index": ["logs-github.audit-*"], "language": "eql", "license": "Elastic License v2", "name": "GitHub Owner Role Granted To User", "query": "iam where event.dataset == \"github.audit\" and event.action == \"org.update_member\" and github.permission == \"admin\"\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "github.permission", "type": "keyword"}], "risk_score": 47, "rule_id": "9b343b62-d173-4cfd-bd8b-e6379f964ca4", "severity": "medium", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Persistence", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "9b343b62-d173-4cfd-bd8b-e6379f964ca4_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c.json b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c.json
deleted file mode 100644
index 37cfccd5df5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via WMI Event Subscription", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wmic.exe\" or ?process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"create\" and\n process.args : (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\")\n", "references": ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.003", "name": "Windows Management Instrumentation Event Subscription", "reference": "https://attack.mitre.org/techniques/T1546/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_104.json b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_104.json
deleted file mode 100644
index 2468c4cf168..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via WMI Event Subscription", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"create\" and\n process.args : (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\")\n", "references": ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.003", "name": "Windows Management Instrumentation Event Subscription", "reference": "https://attack.mitre.org/techniques/T1546/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_105.json b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_105.json deleted file mode 100644 index f8a626ec12e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via WMI Event Subscription", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"create\" and\n process.args : (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\")\n", "references": ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.003", "name": "Windows Management Instrumentation Event Subscription", "reference": "https://attack.mitre.org/techniques/T1546/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_106.json b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_106.json deleted file mode 100644 index 5ac3626ddd7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via WMI Event Subscription", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"create\" and\n process.args : (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\")\n", "references": ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic 
Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.003", "name": "Windows Management Instrumentation Event Subscription", "reference": "https://attack.mitre.org/techniques/T1546/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_107.json b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_107.json deleted file mode 100644 index c5b0f791f4e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via WMI Event Subscription", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"create\" and\n process.args : (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\")\n", "references": ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", 
"Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.003", "name": "Windows Management Instrumentation Event Subscription", "reference": "https://attack.mitre.org/techniques/T1546/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_108.json b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_108.json deleted file mode 100644 index 4c173a489c4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via WMI Event Subscription", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wmic.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"create\" and\n process.args : (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\")\n", "references": ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", 
"severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.003", "name": "Windows Management Instrumentation Event Subscription", "reference": "https://attack.mitre.org/techniques/T1546/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_109.json b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_109.json deleted file mode 100644 index 7f6e0e7f6c4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via WMI Event Subscription", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wmic.exe\" or ?process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"create\" and\n process.args : (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\")\n", "references": ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.003", "name": "Windows Management Instrumentation Event Subscription", "reference": "https://attack.mitre.org/techniques/T1546/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_110.json b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_110.json
deleted file mode 100644
index cb4098ad200..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via WMI Event Subscription", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wmic.exe\" or ?process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"create\" and\n process.args : (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\")\n", "references": ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.003", "name": "Windows Management Instrumentation Event Subscription", "reference": "https://attack.mitre.org/techniques/T1546/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_111.json b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_111.json
deleted file mode 100644
index 6f3bdde3843..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via WMI Event Subscription", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wmic.exe\" or ?process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"create\" and\n process.args : (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\")\n", "references": ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.003", "name": "Windows Management Instrumentation Event Subscription", "reference": "https://attack.mitre.org/techniques/T1546/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_112.json b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_112.json
deleted file mode 100644
index 752f6c9c3a6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_112.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via WMI Event Subscription", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wmic.exe\" or ?process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"create\" and\n process.args : (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\")\n", "references": ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.003", "name": "Windows Management Instrumentation Event Subscription", "reference": "https://attack.mitre.org/techniques/T1546/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_312.json b/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_312.json
deleted file mode 100644
index 6a22b2ef0b8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_312.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via WMI Event Subscription", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wmic.exe\" or ?process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"create\" and\n process.args : (\"ActiveScriptEventConsumer\", \"CommandLineEventConsumer\")\n", "references": ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: 
Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.003", "name": "Windows Management Instrumentation Event Subscription", "reference": "https://attack.mitre.org/techniques/T1546/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 312}, "id": "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c_312", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9b80cb26-9966-44b5-abbf-764fbdbc3586.json b/packages/security_detection_engine/kibana/security_rule/9b80cb26-9966-44b5-abbf-764fbdbc3586.json
deleted file mode 100644
index 8b3a137ec09..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9b80cb26-9966-44b5-abbf-764fbdbc3586.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where a process (granted CAP_SETUID and/or CAP_SETGID capabilities) is executed, after which the user's access is elevated to UID/GID 0 (root). In Linux, the CAP_SETUID and CAP_SETGID capabilities allow a process to change its UID and GID, respectively, providing control over user and group identity management. Attackers may leverage a misconfiguration for exploitation in order to escalate their privileges to root.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name != null and\n (process.thread.capabilities.effective : \"CAP_SET?ID\" or process.thread.capabilities.permitted : \"CAP_SET?ID\") and \n user.id != \"0\" and not (\n process.parent.executable : (\"/tmp/newroot/*\", \"/opt/carbonblack*\") or\n process.parent.executable in (\n \"/opt/SolarWinds/Agent/bin/Plugins/JobEngine/SolarWinds.Agent.JobEngine.Plugin\", \"/usr/bin/vmware-toolbox-cmd\",\n \"/usr/bin/dbus-daemon\", \"/usr/bin/update-notifier\", \"/usr/share/language-tools/language-options\"\n ) or\n process.executable : (\"/opt/dynatrace/*\", \"/tmp/newroot/*\") or\n process.executable in (\n \"/bin/fgrep\", \"/usr/bin/sudo\", \"/usr/bin/pkexec\", \"/usr/lib/cockpit/cockpit-session\", \"/usr/sbin/suexec\"\n )\n )]\n [process where host.os.type == \"linux\" and event.action == \"uid_change\" and event.type == \"change\" and \n (process.thread.capabilities.effective : \"CAP_SET?ID\" or process.thread.capabilities.permitted : \"CAP_SET?ID\")\n and user.id == \"0\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, 
{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.effective", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.permitted", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "9b80cb26-9966-44b5-abbf-764fbdbc3586", "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.001", "name": "Setuid and Setgid", "reference": "https://attack.mitre.org/techniques/T1548/001/"}]}]}], "type": "eql", "version": 3}, "id": "9b80cb26-9966-44b5-abbf-764fbdbc3586", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/9b80cb26-9966-44b5-abbf-764fbdbc3586_1.json b/packages/security_detection_engine/kibana/security_rule/9b80cb26-9966-44b5-abbf-764fbdbc3586_1.json
deleted file mode 100644
index abb372d15da..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9b80cb26-9966-44b5-abbf-764fbdbc3586_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where a process (granted CAP_SETUID and/or CAP_SETGID capabilities) is executed, after which the user's access is elevated to UID/GID 0 (root). In Linux, the CAP_SETUID and CAP_SETGID capabilities allow a process to change its UID and GID, respectively, providing control over user and group identity management. Attackers may leverage a misconfiguration for exploitation in order to escalate their privileges to root.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and process.name != null and\n (process.thread.capabilities.effective : \"CAP_SET?ID\" or process.thread.capabilities.permitted : \"CAP_SET?ID\") and \n user.id != \"0\"]\n [process where host.os.type == \"linux\" and event.action == \"uid_change\" and event.type == \"change\" and \n (process.thread.capabilities.effective : \"CAP_SET?ID\" or process.thread.capabilities.permitted : \"CAP_SET?ID\")\n and user.id == \"0\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.effective", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.permitted", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": 
"9b80cb26-9966-44b5-abbf-764fbdbc3586", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.001", "name": "Setuid and Setgid", "reference": "https://attack.mitre.org/techniques/T1548/001/"}]}]}], "type": "eql", "version": 1}, "id": "9b80cb26-9966-44b5-abbf-764fbdbc3586_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9b80cb26-9966-44b5-abbf-764fbdbc3586_2.json b/packages/security_detection_engine/kibana/security_rule/9b80cb26-9966-44b5-abbf-764fbdbc3586_2.json
deleted file mode 100644
index 2fd2fd7c802..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9b80cb26-9966-44b5-abbf-764fbdbc3586_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where a process (granted CAP_SETUID and/or CAP_SETGID capabilities) is executed, after which the user's access is elevated to UID/GID 0 (root). In Linux, the CAP_SETUID and CAP_SETGID capabilities allow a process to change its UID and GID, respectively, providing control over user and group identity management. Attackers may leverage a misconfiguration for exploitation in order to escalate their privileges to root.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name != null and\n (process.thread.capabilities.effective : \"CAP_SET?ID\" or process.thread.capabilities.permitted : \"CAP_SET?ID\") and \n user.id != \"0\"]\n [process where host.os.type == \"linux\" and event.action == \"uid_change\" and event.type == \"change\" and \n (process.thread.capabilities.effective : \"CAP_SET?ID\" or process.thread.capabilities.permitted : \"CAP_SET?ID\")\n and user.id == \"0\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.effective", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.permitted", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": 
"9b80cb26-9966-44b5-abbf-764fbdbc3586", "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.001", "name": "Setuid and Setgid", "reference": "https://attack.mitre.org/techniques/T1548/001/"}]}]}], "type": "eql", "version": 2}, "id": "9b80cb26-9966-44b5-abbf-764fbdbc3586_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9b80cb26-9966-44b5-abbf-764fbdbc3586_3.json b/packages/security_detection_engine/kibana/security_rule/9b80cb26-9966-44b5-abbf-764fbdbc3586_3.json
deleted file mode 100644
index 0a5460285fe..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9b80cb26-9966-44b5-abbf-764fbdbc3586_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where a process (granted CAP_SETUID and/or CAP_SETGID capabilities) is executed, after which the user's access is elevated to UID/GID 0 (root). In Linux, the CAP_SETUID and CAP_SETGID capabilities allow a process to change its UID and GID, respectively, providing control over user and group identity management. Attackers may leverage a misconfiguration for exploitation in order to escalate their privileges to root.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via CAP_SETUID/SETGID Capabilities", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name != null and\n (process.thread.capabilities.effective : \"CAP_SET?ID\" or process.thread.capabilities.permitted : \"CAP_SET?ID\") and \n user.id != \"0\" and not (\n process.parent.executable : (\"/tmp/newroot/*\", \"/opt/carbonblack*\") or\n process.parent.executable in (\n \"/opt/SolarWinds/Agent/bin/Plugins/JobEngine/SolarWinds.Agent.JobEngine.Plugin\", \"/usr/bin/vmware-toolbox-cmd\",\n \"/usr/bin/dbus-daemon\", \"/usr/bin/update-notifier\", \"/usr/share/language-tools/language-options\"\n ) or\n process.executable : (\"/opt/dynatrace/*\", \"/tmp/newroot/*\") or\n process.executable in (\n \"/bin/fgrep\", \"/usr/bin/sudo\", \"/usr/bin/pkexec\", \"/usr/lib/cockpit/cockpit-session\", \"/usr/sbin/suexec\"\n )\n )]\n [process where host.os.type == \"linux\" and event.action == \"uid_change\" and event.type == \"change\" and \n (process.thread.capabilities.effective : \"CAP_SET?ID\" or process.thread.capabilities.permitted : \"CAP_SET?ID\")\n and user.id == \"0\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, 
{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.effective", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.permitted", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "9b80cb26-9966-44b5-abbf-764fbdbc3586", "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.001", "name": "Setuid and Setgid", "reference": "https://attack.mitre.org/techniques/T1548/001/"}]}]}], "type": "eql", "version": 3}, "id": "9b80cb26-9966-44b5-abbf-764fbdbc3586_3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c.json b/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c.json
deleted file mode 100644
index 0b55e5bac6d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.", "from": "now-9m", "index": ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Hosts File Modified", "note": "## Triage and analysis\n\n### Investigating Hosts File Modified\n\nOperating systems use the hosts file to map a connection between an IP address and domain names before going to domain name servers. Attackers can abuse this mechanism to route traffic to malicious infrastructure or disrupt security that depends on server communications. For example, Russian threat actors modified this file on a domain controller to redirect Duo MFA calls to localhost instead of the Duo server, which prevented the MFA service from contacting its server to validate MFA login. This effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to \"Fail open\" if the MFA server is unreachable. This can happen in any MFA implementation and is not exclusive to Duo. Find more details in this [CISA Alert](https://www.cisa.gov/uscert/ncas/alerts/aa22-074a).\n\nThis rule identifies modifications in the hosts file across multiple operating systems using process creation events for Linux and file events in Windows and macOS.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the changes to the hosts file by comparing it against file backups, volume shadow copies, and other restoration mechanisms.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and the configuration was justified.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of the administrator account that performed the action.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where\n\n /* file events for creation; file change events are not captured by some of the included sources for linux and so may\n miss this, which is the purpose of the process + command line args logic below */\n (\n event.category == \"file\" and event.type in (\"change\", \"creation\") and\n file.path : (\"/private/etc/hosts\", \"/etc/hosts\", \"?:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts\") and \n not process.name in (\"dockerd\", \"rootlesskit\", \"podman\", \"crio\")\n )\n or\n\n /* process events for change targeting linux only */\n (\n event.category == \"process\" and event.type in (\"start\") and\n process.name in (\"nano\", \"vim\", \"vi\", \"emacs\", \"echo\", \"sed\") and\n process.args : (\"/etc/hosts\") and \n not process.parent.name in (\"dhclient-script\", \"google_set_hostname\")\n )\n", "references": ["https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c", "setup": "## Setup\n\nFor Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` 
as an additional path in the 'file_integrity' module of auditbeat.yml.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1565", "name": "Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/", "subtechnique": [{"id": "T1565.001", "name": "Stored Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/001/"}]}]}], "timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", "timeline_title": "Comprehensive File Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "9c260313-c811-4ec8-ab89-8f6530e0246c", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_103.json b/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_103.json deleted file mode 100644 index d9f74600717..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.", "from": "now-9m", "index": ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Hosts File Modified", "note": "## Triage and analysis\n\n### Investigating Hosts File Modified\n\nOperating systems use the hosts file to map a connection between an IP address and domain names before going to domain name servers. Attackers can abuse this mechanism to route traffic to malicious infrastructure or disrupt security that depends on server communications. For example, Russian threat actors modified this file on a domain controller to redirect Duo MFA calls to localhost instead of the Duo server, which prevented the MFA service from contacting its server to validate MFA login. This effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to \"Fail open\" if the MFA server is unreachable. This can happen in any MFA implementation and is not exclusive to Duo. Find more details in this [CISA Alert](https://www.cisa.gov/uscert/ncas/alerts/aa22-074a).\n\nThis rule identifies modifications in the hosts file across multiple operating systems using process creation events for Linux and file events in Windows and macOS.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the changes to the hosts file by comparing it against file backups, volume shadow copies, and other restoration mechanisms.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and the configuration was justified.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of the administrator account that performed the action.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "any where\n\n /* file events for creation; file change events are not captured by some of the included sources for linux and so may\n miss this, which is the purpose of the process + command line args logic below */\n (\n event.category == \"file\" and event.type in (\"change\", \"creation\") and\n file.path : (\"/private/etc/hosts\", \"/etc/hosts\", \"?:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts\")\n )\n or\n\n /* process events for change targeting linux only */\n (\n event.category == \"process\" and event.type in (\"start\") and\n process.name in (\"nano\", \"vim\", \"vi\", \"emacs\", \"echo\", \"sed\") and\n process.args : (\"/etc/hosts\")\n )\n", "references": ["https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c", "setup": "For Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules 
was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Impact", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1565", "name": "Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/", "subtechnique": [{"id": "T1565.001", "name": "Stored Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/001/"}]}]}], "timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", "timeline_title": "Comprehensive File Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "9c260313-c811-4ec8-ab89-8f6530e0246c_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_104.json b/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_104.json deleted file mode 100644 index d8770075cd8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.", "from": "now-9m", "index": ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Hosts File Modified", "note": "## Triage and analysis\n\n### Investigating Hosts File Modified\n\nOperating systems use the hosts file to map a connection between an IP address and domain names before going to domain name servers. Attackers can abuse this mechanism to route traffic to malicious infrastructure or disrupt security that depends on server communications. For example, Russian threat actors modified this file on a domain controller to redirect Duo MFA calls to localhost instead of the Duo server, which prevented the MFA service from contacting its server to validate MFA login. This effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to \"Fail open\" if the MFA server is unreachable. This can happen in any MFA implementation and is not exclusive to Duo. Find more details in this [CISA Alert](https://www.cisa.gov/uscert/ncas/alerts/aa22-074a).\n\nThis rule identifies modifications in the hosts file across multiple operating systems using process creation events for Linux and file events in Windows and macOS.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the changes to the hosts file by comparing it against file backups, volume shadow copies, and other restoration mechanisms.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and the configuration was justified.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of the administrator account that performed the action.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "any where\n\n /* file events for creation; file change events are not captured by some of the included sources for linux and so may\n miss this, which is the purpose of the process + command line args logic below */\n (\n event.category == \"file\" and event.type in (\"change\", \"creation\") and\n file.path : (\"/private/etc/hosts\", \"/etc/hosts\", \"?:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts\")\n )\n or\n\n /* process events for change targeting linux only */\n (\n event.category == \"process\" and event.type in (\"start\") and\n process.name in (\"nano\", \"vim\", \"vi\", \"emacs\", \"echo\", \"sed\") and\n process.args : (\"/etc/hosts\")\n )\n", "references": ["https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c", "setup": "For Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules 
was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1565", "name": "Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/", "subtechnique": [{"id": "T1565.001", "name": "Stored Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/001/"}]}]}], "timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", "timeline_title": "Comprehensive File Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "9c260313-c811-4ec8-ab89-8f6530e0246c_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_105.json b/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_105.json deleted file mode 100644 index 3e294eefe7a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.", "from": "now-9m", "index": ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Hosts File Modified", "note": "## Triage and analysis\n\n### Investigating Hosts File Modified\n\nOperating systems use the hosts file to map a connection between an IP address and domain names before going to domain name servers. Attackers can abuse this mechanism to route traffic to malicious infrastructure or disrupt security that depends on server communications. For example, Russian threat actors modified this file on a domain controller to redirect Duo MFA calls to localhost instead of the Duo server, which prevented the MFA service from contacting its server to validate MFA login. This effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to \"Fail open\" if the MFA server is unreachable. This can happen in any MFA implementation and is not exclusive to Duo. Find more details in this [CISA Alert](https://www.cisa.gov/uscert/ncas/alerts/aa22-074a).\n\nThis rule identifies modifications in the hosts file across multiple operating systems using process creation events for Linux and file events in Windows and macOS.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the changes to the hosts file by comparing it against file backups, volume shadow copies, and other restoration mechanisms.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and the configuration was justified.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of the administrator account that performed the action.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "any where\n\n /* file events for creation; file change events are not captured by some of the included sources for linux and so may\n miss this, which is the purpose of the process + command line args logic below */\n (\n event.category == \"file\" and event.type in (\"change\", \"creation\") and\n file.path : (\"/private/etc/hosts\", \"/etc/hosts\", \"?:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts\")\n )\n or\n\n /* process events for change targeting linux only */\n (\n event.category == \"process\" and event.type in (\"start\") and\n process.name in (\"nano\", \"vim\", \"vi\", \"emacs\", \"echo\", \"sed\") and\n process.args : (\"/etc/hosts\")\n )\n", "references": ["https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c", "setup": "For Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an additional path in the 'file_integrity' module of auditbeat.yml.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules 
was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1565", "name": "Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/", "subtechnique": [{"id": "T1565.001", "name": "Stored Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/001/"}]}]}], "timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", "timeline_title": "Comprehensive File Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "9c260313-c811-4ec8-ab89-8f6530e0246c_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_106.json b/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_106.json deleted file mode 100644 index 0ddfa80c182..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.", "from": "now-9m", "index": ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Hosts File Modified", "note": "## Triage and analysis\n\n### Investigating Hosts File Modified\n\nOperating systems use the hosts file to map a connection between an IP address and domain names before going to domain name servers. Attackers can abuse this mechanism to route traffic to malicious infrastructure or disrupt security that depends on server communications. For example, Russian threat actors modified this file on a domain controller to redirect Duo MFA calls to localhost instead of the Duo server, which prevented the MFA service from contacting its server to validate MFA login. This effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to \"Fail open\" if the MFA server is unreachable. This can happen in any MFA implementation and is not exclusive to Duo. Find more details in this [CISA Alert](https://www.cisa.gov/uscert/ncas/alerts/aa22-074a).\n\nThis rule identifies modifications in the hosts file across multiple operating systems using process creation events for Linux and file events in Windows and macOS.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the changes to the hosts file by comparing it against file backups, volume shadow copies, and other restoration mechanisms.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and the configuration was justified.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of the administrator account that performed the action.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "any where\n\n /* file events for creation; file change events are not captured by some of the included sources for linux and so may\n miss this, which is the purpose of the process + command line args logic below */\n (\n event.category == \"file\" and event.type in (\"change\", \"creation\") and\n file.path : (\"/private/etc/hosts\", \"/etc/hosts\", \"?:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts\") and \n not process.name in (\"dockerd\", \"rootlesskit\", \"podman\", \"crio\")\n )\n or\n\n /* process events for change targeting linux only */\n (\n event.category == \"process\" and event.type in (\"start\") and\n process.name in (\"nano\", \"vim\", \"vi\", \"emacs\", \"echo\", \"sed\") and\n process.args : (\"/etc/hosts\") and \n not process.parent.name in (\"dhclient-script\", \"google_set_hostname\")\n )\n", "references": ["https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c", "setup": "For Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an 
additional path in the 'file_integrity' module of auditbeat.yml.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1565", "name": "Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/", "subtechnique": [{"id": "T1565.001", "name": "Stored Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/001/"}]}]}], "timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", "timeline_title": "Comprehensive File Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "9c260313-c811-4ec8-ab89-8f6530e0246c_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_107.json b/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_107.json deleted file mode 100644 index 94cbbeec3fc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.", "from": "now-9m", "index": ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Hosts File Modified", "note": "## Triage and analysis\n\n### Investigating Hosts File Modified\n\nOperating systems use the hosts file to map a connection between an IP address and domain names before going to domain name servers. Attackers can abuse this mechanism to route traffic to malicious infrastructure or disrupt security that depends on server communications. For example, Russian threat actors modified this file on a domain controller to redirect Duo MFA calls to localhost instead of the Duo server, which prevented the MFA service from contacting its server to validate MFA login. This effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to \"Fail open\" if the MFA server is unreachable. This can happen in any MFA implementation and is not exclusive to Duo. Find more details in this [CISA Alert](https://www.cisa.gov/uscert/ncas/alerts/aa22-074a).\n\nThis rule identifies modifications in the hosts file across multiple operating systems using process creation events for Linux and file events in Windows and macOS.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the changes to the hosts file by comparing it against file backups, volume shadow copies, and other restoration mechanisms.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and the configuration was justified.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of the administrator account that performed the action.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "any where\n\n /* file events for creation; file change events are not captured by some of the included sources for linux and so may\n miss this, which is the purpose of the process + command line args logic below */\n (\n event.category == \"file\" and event.type in (\"change\", \"creation\") and\n file.path : (\"/private/etc/hosts\", \"/etc/hosts\", \"?:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts\") and \n not process.name in (\"dockerd\", \"rootlesskit\", \"podman\", \"crio\")\n )\n or\n\n /* process events for change targeting linux only */\n (\n event.category == \"process\" and event.type in (\"start\") and\n process.name in (\"nano\", \"vim\", \"vi\", \"emacs\", \"echo\", \"sed\") and\n process.args : (\"/etc/hosts\") and \n not process.parent.name in (\"dhclient-script\", \"google_set_hostname\")\n )\n", "references": ["https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c", "setup": "\nFor Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` as an 
additional path in the 'file_integrity' module of auditbeat.yml.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1565", "name": "Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/", "subtechnique": [{"id": "T1565.001", "name": "Stored Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/001/"}]}]}], "timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", "timeline_title": "Comprehensive File Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "9c260313-c811-4ec8-ab89-8f6530e0246c_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_108.json b/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_108.json deleted file mode 100644 index fbf4de884ce..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.", "from": "now-9m", "index": ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Hosts File Modified", "note": "## Triage and analysis\n\n### Investigating Hosts File Modified\n\nOperating systems use the hosts file to map a connection between an IP address and domain names before going to domain name servers. Attackers can abuse this mechanism to route traffic to malicious infrastructure or disrupt security that depends on server communications. For example, Russian threat actors modified this file on a domain controller to redirect Duo MFA calls to localhost instead of the Duo server, which prevented the MFA service from contacting its server to validate MFA login. This effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to \"Fail open\" if the MFA server is unreachable. This can happen in any MFA implementation and is not exclusive to Duo. Find more details in this [CISA Alert](https://www.cisa.gov/uscert/ncas/alerts/aa22-074a).\n\nThis rule identifies modifications in the hosts file across multiple operating systems using process creation events for Linux and file events in Windows and macOS.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the changes to the hosts file by comparing it against file backups, volume shadow copies, and other restoration mechanisms.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and the configuration was justified.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of the administrator account that performed the action.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where\n\n /* file events for creation; file change events are not captured by some of the included sources for linux and so may\n miss this, which is the purpose of the process + command line args logic below */\n (\n event.category == \"file\" and event.type in (\"change\", \"creation\") and\n file.path : (\"/private/etc/hosts\", \"/etc/hosts\", \"?:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts\") and \n not process.name in (\"dockerd\", \"rootlesskit\", \"podman\", \"crio\")\n )\n or\n\n /* process events for change targeting linux only */\n (\n event.category == \"process\" and event.type in (\"start\") and\n process.name in (\"nano\", \"vim\", \"vi\", \"emacs\", \"echo\", \"sed\") and\n process.args : (\"/etc/hosts\") and \n not process.parent.name in (\"dhclient-script\", \"google_set_hostname\")\n )\n", "references": ["https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c", "setup": "## Setup\n\nFor Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` 
as an additional path in the 'file_integrity' module of auditbeat.yml.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1565", "name": "Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/", "subtechnique": [{"id": "T1565.001", "name": "Stored Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/001/"}]}]}], "timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", "timeline_title": "Comprehensive File Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "9c260313-c811-4ec8-ab89-8f6530e0246c_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_109.json b/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_109.json deleted file mode 100644 index 70a065ba488..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9c260313-c811-4ec8-ab89-8f6530e0246c_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "The hosts file on endpoints is used to control manual IP address to hostname resolutions. The hosts file is the first point of lookup for DNS hostname resolution so if adversaries can modify the endpoint hosts file, they can route traffic to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or RHEL) and macOS systems.", "from": "now-9m", "index": ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Hosts File Modified", "note": "## Triage and analysis\n\n### Investigating Hosts File Modified\n\nOperating systems use the hosts file to map a connection between an IP address and domain names before going to domain name servers. Attackers can abuse this mechanism to route traffic to malicious infrastructure or disrupt security that depends on server communications. For example, Russian threat actors modified this file on a domain controller to redirect Duo MFA calls to localhost instead of the Duo server, which prevented the MFA service from contacting its server to validate MFA login. This effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to \"Fail open\" if the MFA server is unreachable. This can happen in any MFA implementation and is not exclusive to Duo. Find more details in this [CISA Alert](https://www.cisa.gov/uscert/ncas/alerts/aa22-074a).\n\nThis rule identifies modifications in the hosts file across multiple operating systems using process creation events for Linux and file events in Windows and macOS.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the changes to the hosts file by comparing it against file backups, volume shadow copies, and other restoration mechanisms.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and the configuration was justified.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges of the administrator account that performed the action.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where\n\n /* file events for creation; file change events are not captured by some of the included sources for linux and so may\n miss this, which is the purpose of the process + command line args logic below */\n (\n event.category == \"file\" and event.type in (\"change\", \"creation\") and\n file.path : (\"/private/etc/hosts\", \"/etc/hosts\", \"?:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts\") and \n not process.name in (\"dockerd\", \"rootlesskit\", \"podman\", \"crio\")\n )\n or\n\n /* process events for change targeting linux only */\n (\n event.category == \"process\" and event.type in (\"start\") and\n process.name in (\"nano\", \"vim\", \"vi\", \"emacs\", \"echo\", \"sed\") and\n process.args : (\"/etc/hosts\") and \n not process.parent.name in (\"dhclient-script\", \"google_set_hostname\")\n )\n", "references": ["https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "9c260313-c811-4ec8-ab89-8f6530e0246c", "setup": "## Setup\n\nFor Windows systems using Auditbeat, this rule requires adding `C:/Windows/System32/drivers/etc` 
as an additional path in the 'file_integrity' module of auditbeat.yml.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1565", "name": "Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/", "subtechnique": [{"id": "T1565.001", "name": "Stored Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/001/"}]}]}], "timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", "timeline_title": "Comprehensive File Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "9c260313-c811-4ec8-ab89-8f6530e0246c_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d.json b/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d.json deleted file mode 100644 index 4d68fc6fe39..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies scheduled task creation from a remote source. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Scheduled Task Creation via RPC", "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the TaskContent value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. 
Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n- Remote Scheduled Task Creation - 954ee7c8-5437-49ae-b2d6-2960883898e9\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", "query": "iam where event.action == \"scheduled-task-created\" and \n winlog.event_data.RpcCallClientLocality : \"0\" and winlog.event_data.ClientProcessId : \"0\"\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ClientProcessId", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.RpcCallClientLocality", "type": "unknown"}], "risk_score": 47, "rule_id": "9c865691-5599-447a-bac9-b3f2df5f9a9d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", 
"reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 9}, "id": "9c865691-5599-447a-bac9-b3f2df5f9a9d", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_4.json b/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_4.json deleted file mode 100644 index 43be95dbced..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a remote logon followed by a scheduled task creation on the target host. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Logon followed by Scheduled Task Creation", "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the TaskContent value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. 
Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n- Remote Scheduled Task Creation - 954ee7c8-5437-49ae-b2d6-2960883898e9\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", "query": "/* Network Logon followed by Scheduled Task creation */\n\nsequence by winlog.computer_name with maxspan=1m\n [authentication where host.os.type == \"windows\" and event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and event.outcome == \"success\" and\n not user.name == \"ANONYMOUS LOGON\" and not winlog.event_data.SubjectUserName : \"*$\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"] by winlog.event_data.TargetLogonId\n\n [iam where host.os.type == \"windows\" and event.action == \"scheduled-task-created\"] by winlog.event_data.SubjectLogonId\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": 
"keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "9c865691-5599-447a-bac9-b3f2df5f9a9d", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 4}, "id": "9c865691-5599-447a-bac9-b3f2df5f9a9d_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_5.json b/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_5.json deleted file mode 100644 index 92c72936293..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a remote logon followed by a scheduled task creation on the target host. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Logon followed by Scheduled Task Creation", "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the TaskContent value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. 
Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n- Remote Scheduled Task Creation - 954ee7c8-5437-49ae-b2d6-2960883898e9\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", "query": "/* Network Logon followed by Scheduled Task creation */\n\nsequence by winlog.computer_name with maxspan=1m\n [authentication where event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and event.outcome == \"success\" and\n not user.name == \"ANONYMOUS LOGON\" and not winlog.event_data.SubjectUserName : \"*$\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"] by winlog.event_data.TargetLogonId\n\n [iam where event.action == \"scheduled-task-created\"] by winlog.event_data.SubjectLogonId\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": 
"winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "9c865691-5599-447a-bac9-b3f2df5f9a9d", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 5}, "id": "9c865691-5599-447a-bac9-b3f2df5f9a9d_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_6.json b/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_6.json deleted file mode 100644 index fdf225fbe5b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a remote logon followed by a scheduled task creation on the target host. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Logon followed by Scheduled Task Creation", "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the TaskContent value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. 
Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n- Remote Scheduled Task Creation - 954ee7c8-5437-49ae-b2d6-2960883898e9\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", "query": "/* Network Logon followed by Scheduled Task creation */\n\nsequence by winlog.computer_name with maxspan=1m\n [authentication where event.action == \"logged-in\" and\n winlog.logon.type == \"Network\" and event.outcome == \"success\" and\n not user.name == \"ANONYMOUS LOGON\" and not winlog.event_data.SubjectUserName : \"*$\" and\n not user.domain == \"NT AUTHORITY\" and source.ip != \"127.0.0.1\" and source.ip !=\"::1\"] by winlog.event_data.TargetLogonId\n\n [iam where event.action == \"scheduled-task-created\"] by winlog.event_data.SubjectLogonId\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": 
"winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "9c865691-5599-447a-bac9-b3f2df5f9a9d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 6}, "id": "9c865691-5599-447a-bac9-b3f2df5f9a9d_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_7.json b/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_7.json deleted file mode 100644 index 385669bf5e0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies scheduled task creation from a remote source. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Scheduled Task Creation via RPC", "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the TaskContent value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. 
Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n- Remote Scheduled Task Creation - 954ee7c8-5437-49ae-b2d6-2960883898e9\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", "query": "iam where event.action == \"scheduled-task-created\" and winlog.event_data.RpcCallClientLocality : \"0\"\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.RpcCallClientLocality", "type": "unknown"}], "risk_score": 47, "rule_id": "9c865691-5599-447a-bac9-b3f2df5f9a9d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": 
"https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "9c865691-5599-447a-bac9-b3f2df5f9a9d_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_8.json b/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_8.json deleted file mode 100644 index fd1c16d7aa3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies scheduled task creation from a remote source. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Scheduled Task Creation via RPC", "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the TaskContent value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. 
Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n- Remote Scheduled Task Creation - 954ee7c8-5437-49ae-b2d6-2960883898e9\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", "query": "iam where event.action == \"scheduled-task-created\" and \n winlog.event_data.RpcCallClientLocality : \"0\" and winlog.event_data.ClientProcessId : \"0\"\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ClientProcessId", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.RpcCallClientLocality", "type": "unknown"}], "risk_score": 47, "rule_id": "9c865691-5599-447a-bac9-b3f2df5f9a9d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": 
"https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "9c865691-5599-447a-bac9-b3f2df5f9a9d_8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_9.json b/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_9.json deleted file mode 100644 index e1d9ed3a3d0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9c865691-5599-447a-bac9-b3f2df5f9a9d_9.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies scheduled task creation from a remote source. This could be indicative of adversary lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Scheduled Task Creation via RPC", "note": "## Triage and analysis\n\n### Investigating Remote Scheduled Task Creation\n\n[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism for persistence and program execution. These features can be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries. When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind of network administrator work. One objective for these alerts is to understand the configured action within the scheduled task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.\n\n#### Possible investigation steps\n\n- Review the TaskContent value to investigate the task configured action.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Further examination should include review of host-based artifacts and network logs from around when the scheduled task was created, on both the source and target machines.\n\n### False positive analysis\n\n- There is a high possibility of benign activity tied to the creation of remote scheduled tasks as it is a general feature within Windows and used for legitimate purposes for a wide range of activity. 
Any kind of context should be found to further understand the source of the activity and determine the intent based on the scheduled task's contents.\n\n### Related rules\n\n- Service Command Lateral Movement - d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc\n- Remotely Started Services via RPC - aa9a274d-6b53-424d-ac5e-cb8ca4251650\n- Remote Scheduled Task Creation - 954ee7c8-5437-49ae-b2d6-2960883898e9\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Remove scheduled task and any other related artifacts.\n- Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.\n", "query": "iam where event.action == \"scheduled-task-created\" and \n winlog.event_data.RpcCallClientLocality : \"0\" and winlog.event_data.ClientProcessId : \"0\"\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ClientProcessId", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.RpcCallClientLocality", "type": "unknown"}], "risk_score": 47, "rule_id": "9c865691-5599-447a-bac9-b3f2df5f9a9d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", 
"reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 9}, "id": "9c865691-5599-447a-bac9-b3f2df5f9a9d_9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9c951837-7d13-4b0c-be7a-f346623c8795.json b/packages/security_detection_engine/kibana/security_rule/9c951837-7d13-4b0c-be7a-f346623c8795.json deleted file mode 100644 index b2e3ad336e3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9c951837-7d13-4b0c-be7a-f346623c8795.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies processes loading Active Directory related modules followed by a network connection to the ADWS dedicated TCP port. Adversaries may abuse the ADWS Windows service that allows Active Directory to be queried via this web service.", "from": "now-9m", "index": ["logs-endpoint.events.library-*", "logs-endpoint.events.network-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Enumeration via Active Directory Web Service", "query": "sequence by process.entity_id with maxspan=3m\n [library where host.os.type == \"windows\" and \n dll.name : (\"System.DirectoryServices*.dll\", \"System.IdentityModel*.dll\") and \n not user.id in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and \n not process.executable : \n (\"?:\\\\windows\\\\system32\\\\dsac.exe\", \n \"?:\\\\program files\\\\powershell\\\\?\\\\pwsh.exe\", \n \"?:\\\\windows\\\\system32\\\\windowspowershell\\\\*.exe\", \n \"?:\\\\windows\\\\syswow64\\\\windowspowershell\\\\*.exe\", \n \"?:\\\\program files\\\\microsoft monitoring agent\\\\*.exe\", \n \"?:\\\\windows\\\\adws\\\\microsoft.activedirectory.webservices.exe\")]\n [network where host.os.type == \"windows\" and destination.port == 9389 and source.port >= 49152 and\n network.direction == \"egress\" and network.transport == \"tcp\" and not cidrmatch(destination.ip, \"127.0.0.0/8\", \"::1/128\")]\n", "references": ["https://github.com/FalconForceTeam/SOAPHound"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, 
{"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "source.port", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "9c951837-7d13-4b0c-be7a-f346623c8795", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "9c951837-7d13-4b0c-be7a-f346623c8795", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9c951837-7d13-4b0c-be7a-f346623c8795_1.json b/packages/security_detection_engine/kibana/security_rule/9c951837-7d13-4b0c-be7a-f346623c8795_1.json deleted file mode 100644 index b24255996bf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9c951837-7d13-4b0c-be7a-f346623c8795_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies processes loading Active Directory related modules followed by a network connection to the ADWS dedicated TCP port. Adversaries may abuse the ADWS Windows service that allows Active Directory to be queried via this web service.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Enumeration via Active Directory Web Service", "query": "sequence by process.entity_id with maxspan=3m\n [library where host.os.type == \"windows\" and \n dll.name : (\"System.DirectoryServices*.dll\", \"System.IdentityModel*.dll\") and \n not user.id in (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and \n not process.executable : \n (\"?:\\\\windows\\\\system32\\\\dsac.exe\", \n \"?:\\\\program files\\\\powershell\\\\?\\\\pwsh.exe\", \n \"?:\\\\windows\\\\system32\\\\windowspowershell\\\\*.exe\", \n \"?:\\\\windows\\\\syswow64\\\\windowspowershell\\\\*.exe\", \n \"?:\\\\program files\\\\microsoft monitoring agent\\\\*.exe\", \n \"?:\\\\windows\\\\adws\\\\microsoft.activedirectory.webservices.exe\")]\n [network where host.os.type == \"windows\" and destination.port == 9389 and source.port >= 49152 and\n network.direction == \"egress\" and network.transport == \"tcp\" and not cidrmatch(destination.ip, \"127.0.0.0/8\", \"::1/128\")]\n", "references": ["https://github.com/FalconForceTeam/SOAPHound"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", 
"type": "keyword"}, {"ecs": true, "name": "source.port", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "9c951837-7d13-4b0c-be7a-f346623c8795", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "9c951837-7d13-4b0c-be7a-f346623c8795_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093.json b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093.json deleted file mode 100644 index ad304e2c448..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.", "false_positives": ["Microsoft Windows installers leveraging RunDLL32 for installation."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Command Shell Activity Started via RunDLL32", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n process.parent.name : \"rundll32.exe\" and process.parent.command_line != null and\n /* common FPs can be added here */\n not process.parent.args : (\"C:\\\\Windows\\\\System32\\\\SHELL32.dll,RunAsNewUser_RunDLL\",\n \"C:\\\\WINDOWS\\\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9ccf3ce0-0057-440a-91f5-870c6ad39093", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "9ccf3ce0-0057-440a-91f5-870c6ad39093", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_104.json b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_104.json
deleted file mode 100644
index 32beea18326..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.", "false_positives": ["Microsoft Windows installers leveraging RunDLL32 for installation."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Command Shell Activity Started via RunDLL32", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n process.parent.name : \"rundll32.exe\" and process.parent.command_line != null and\n /* common FPs can be added here */\n not process.parent.args : (\"C:\\\\Windows\\\\System32\\\\SHELL32.dll,RunAsNewUser_RunDLL\",\n \"C:\\\\WINDOWS\\\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9ccf3ce0-0057-440a-91f5-870c6ad39093", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Credential Access", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "9ccf3ce0-0057-440a-91f5-870c6ad39093_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_105.json b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_105.json
deleted file mode 100644
index 68b6a48db4a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.", "false_positives": ["Microsoft Windows installers leveraging RunDLL32 for installation."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Command Shell Activity Started via RunDLL32", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n process.parent.name : \"rundll32.exe\" and process.parent.command_line != null and\n /* common FPs can be added here */\n not process.parent.args : (\"C:\\\\Windows\\\\System32\\\\SHELL32.dll,RunAsNewUser_RunDLL\",\n \"C:\\\\WINDOWS\\\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9ccf3ce0-0057-440a-91f5-870c6ad39093", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Credential Access", "Data Source: Elastic Endgame"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "9ccf3ce0-0057-440a-91f5-870c6ad39093_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_106.json b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_106.json
deleted file mode 100644
index 4fe7efc4e11..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.", "false_positives": ["Microsoft Windows installers leveraging RunDLL32 for installation."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Command Shell Activity Started via RunDLL32", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n process.parent.name : \"rundll32.exe\" and process.parent.command_line != null and\n /* common FPs can be added here */\n not process.parent.args : (\"C:\\\\Windows\\\\System32\\\\SHELL32.dll,RunAsNewUser_RunDLL\",\n \"C:\\\\WINDOWS\\\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9ccf3ce0-0057-440a-91f5-870c6ad39093", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Credential Access", "Data Source: Elastic Endgame", 
"Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "9ccf3ce0-0057-440a-91f5-870c6ad39093_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_107.json b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_107.json
deleted file mode 100644
index 6d71d4edde2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.", "false_positives": ["Microsoft Windows installers leveraging RunDLL32 for installation."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Command Shell Activity Started via RunDLL32", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n process.parent.name : \"rundll32.exe\" and process.parent.command_line != null and\n /* common FPs can be added here */\n not process.parent.args : (\"C:\\\\Windows\\\\System32\\\\SHELL32.dll,RunAsNewUser_RunDLL\",\n \"C:\\\\WINDOWS\\\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9ccf3ce0-0057-440a-91f5-870c6ad39093", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data 
Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "9ccf3ce0-0057-440a-91f5-870c6ad39093_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_108.json b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_108.json
deleted file mode 100644
index 6733e2588c6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.", "false_positives": ["Microsoft Windows installers leveraging RunDLL32 for installation."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Command Shell Activity Started via RunDLL32", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n process.parent.name : \"rundll32.exe\" and process.parent.command_line != null and\n /* common FPs can be added here */\n not process.parent.args : (\"C:\\\\Windows\\\\System32\\\\SHELL32.dll,RunAsNewUser_RunDLL\",\n \"C:\\\\WINDOWS\\\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9ccf3ce0-0057-440a-91f5-870c6ad39093", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", 
"severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "9ccf3ce0-0057-440a-91f5-870c6ad39093_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_109.json b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_109.json
deleted file mode 100644
index 7230b1cc8ec..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.", "false_positives": ["Microsoft Windows installers leveraging RunDLL32 for installation."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Command Shell Activity Started via RunDLL32", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n process.parent.name : \"rundll32.exe\" and process.parent.command_line != null and\n /* common FPs can be added here */\n not process.parent.args : (\"C:\\\\Windows\\\\System32\\\\SHELL32.dll,RunAsNewUser_RunDLL\",\n \"C:\\\\WINDOWS\\\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9ccf3ce0-0057-440a-91f5-870c6ad39093", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "9ccf3ce0-0057-440a-91f5-870c6ad39093_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_110.json b/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_110.json
deleted file mode 100644
index be9e6776fcd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9ccf3ce0-0057-440a-91f5-870c6ad39093_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies command shell activity started via RunDLL32, which is commonly abused by attackers to host malicious code.", "false_positives": ["Microsoft Windows installers leveraging RunDLL32 for installation."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Command Shell Activity Started via RunDLL32", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n process.parent.name : \"rundll32.exe\" and process.parent.command_line != null and\n /* common FPs can be added here */\n not process.parent.args : (\"C:\\\\Windows\\\\System32\\\\SHELL32.dll,RunAsNewUser_RunDLL\",\n \"C:\\\\WINDOWS\\\\*.tmp,zzzzInvokeManagedCustomActionOutOfProc\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9ccf3ce0-0057-440a-91f5-870c6ad39093", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "9ccf3ce0-0057-440a-91f5-870c6ad39093_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2.json
deleted file mode 100644
index 1dab18f63ba..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by a Script Process", "new_terms_fields": ["host.id", "user.name", "process.command_line"], "query": "host.os.type:windows and event.category:process and event.type:start and (\n process.name.caseless:\"msbuild.exe\" or process.pe.original_file_name:\"MSBuild.exe\") and \n process.parent.name:(\"cmd.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"powershell_ise.exe\" or \"cscript.exe\" or\n \"wscript.exe\" or \"mshta.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.name.caseless", "type": "unknown"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on 
adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 209}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_103.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_103.json
deleted file mode 100644
index fb1fc5d6596..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by a Script Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\") and\n process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_104.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_104.json
deleted file mode 100644
index b7659e81147..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by a Script Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\") and\n process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", 
"reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_105.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_105.json
deleted file mode 100644
index 02f6241eef8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by a Script Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\") and\n process.parent.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\", \"mshta.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_205.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_205.json
deleted file mode 100644
index 4e53e269e3a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_205.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by a Script Process", "new_terms_fields": ["host.id", "user.name", "process.command_line"], "query": "host.os.type:windows and event.category:process and event.type:start and (\n process.name.caseless:\"msbuild.exe\" or process.pe.original_file_name:\"MSBuild.exe\") and \n process.parent.name:(\"cmd.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"powershell_ise.exe\" or \"cscript.exe\" or\n \"wscript.exe\" or \"mshta.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.name.caseless", "type": "unknown"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer 
Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 205}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_205", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_206.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_206.json
deleted file mode 100644
index 8892d56bdc7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_206.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by a Script Process", "new_terms_fields": ["host.id", "user.name", "process.command_line"], "query": "host.os.type:windows and event.category:process and event.type:start and (\n process.name.caseless:\"msbuild.exe\" or process.pe.original_file_name:\"MSBuild.exe\") and \n process.parent.name:(\"cmd.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"powershell_ise.exe\" or \"cscript.exe\" or\n \"wscript.exe\" or \"mshta.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.name.caseless", "type": "unknown"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer 
Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 206}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_206", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_207.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_207.json
deleted file mode 100644
index 6913ed113f2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_207.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by a Script Process", "new_terms_fields": ["host.id", "user.name", "process.command_line"], "query": "host.os.type:windows and event.category:process and event.type:start and (\n process.name.caseless:\"msbuild.exe\" or process.pe.original_file_name:\"MSBuild.exe\") and \n process.parent.name:(\"cmd.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"powershell_ise.exe\" or \"cscript.exe\" or\n \"wscript.exe\" or \"mshta.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.name.caseless", "type": "unknown"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest 
pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 207}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_207", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_208.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_208.json
deleted file mode 100644
index 112a70a64c1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_208.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by a Script Process", "new_terms_fields": ["host.id", "user.name", "process.command_line"], "query": "host.os.type:windows and event.category:process and event.type:start and (\n process.name.caseless:\"msbuild.exe\" or process.pe.original_file_name:\"MSBuild.exe\") and \n process.parent.name:(\"cmd.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"powershell_ise.exe\" or \"cscript.exe\" or\n \"wscript.exe\" or \"mshta.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.name.caseless", "type": "unknown"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a 
custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 208}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_209.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_209.json
deleted file mode 100644
index 052752e5538..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_209.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by a Script Process", "new_terms_fields": ["host.id", "user.name", "process.command_line"], "query": "host.os.type:windows and event.category:process and event.type:start and (\n process.name.caseless:\"msbuild.exe\" or process.pe.original_file_name:\"MSBuild.exe\") and \n process.parent.name:(\"cmd.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"powershell_ise.exe\" or \"cscript.exe\" or\n \"wscript.exe\" or \"mshta.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.name.caseless", "type": "unknown"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on 
adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 209}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_209", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_210.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_210.json
deleted file mode 100644
index d51adbc7f68..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_210.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by a script or the Windows command interpreter. This behavior is unusual and is sometimes used by malicious payloads.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by a Script Process", "new_terms_fields": ["host.id", "user.name", "process.command_line"], "query": "host.os.type:windows and event.category:process and event.type:start and (\n process.name.caseless:\"msbuild.exe\" or process.pe.original_file_name:\"MSBuild.exe\") and \n process.parent.name:(\"cmd.exe\" or \"powershell.exe\" or \"pwsh.exe\" or \"powershell_ise.exe\" or \"cscript.exe\" or\n \"wscript.exe\" or \"mshta.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.name.caseless", "type": "unknown"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on 
adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 210}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2_210", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3.json deleted file mode 100644 index 8d29f652c9e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by a System Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"explorer.exe\", \"wmiprvse.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: 
System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_104.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_104.json deleted file mode 100644 index c5133bbcbd1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by a System Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"explorer.exe\", \"wmiprvse.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": 
[{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_105.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_105.json deleted file mode 100644 index 53ba2ba5ddf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by a System Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"explorer.exe\", \"wmiprvse.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": 
"https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_106.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_106.json deleted file mode 100644 index 353b3037e98..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by a System Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"explorer.exe\", \"wmiprvse.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": 
"https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_107.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_107.json deleted file mode 100644 index e7668893032..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by a System Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"explorer.exe\", \"wmiprvse.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy 
Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_108.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_108.json deleted file mode 100644 index e15ed7f976e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by a System Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"explorer.exe\", \"wmiprvse.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_109.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_109.json deleted file mode 100644 index 4859e16177c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by a System Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"explorer.exe\", \"wmiprvse.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_110.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_110.json deleted file mode 100644 index 971cd6b5369..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by a System Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"explorer.exe\", \"wmiprvse.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_111.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_111.json deleted file mode 100644 index 23aae282fcd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by a System Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"explorer.exe\", \"wmiprvse.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: 
System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_311.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_311.json deleted file mode 100644 index b83d2ad17c0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_311.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or the WMI (Windows Management Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by a System Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"explorer.exe\", \"wmiprvse.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 311}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3_311", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4.json deleted file mode 100644 index eec7852933d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Using an Alternate Name", "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"MSBuild.exe\" and\n not process.name : \"MSBuild.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": 
"https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}, {"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_104.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_104.json deleted file mode 100644 index f1c1edf1c9e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Using an Alternate Name", "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"MSBuild.exe\" and\n not process.name : \"MSBuild.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not 
added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_105.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_105.json
deleted file mode 100644
index 4b1c57614af..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Using an Alternate Name", "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"MSBuild.exe\" and\n not process.name : \"MSBuild.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_105", "type": 
"security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_106.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_106.json deleted file mode 100644 index 131148203bb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_106.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Using an Alternate Name", "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"MSBuild.exe\" and\n not process.name : \"MSBuild.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": 
"9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_107.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_107.json deleted file mode 100644 index 65cffcb9c46..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_107.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Using an Alternate Name", "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"MSBuild.exe\" and\n not process.name : \"MSBuild.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", 
"version": 107}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_108.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_108.json
deleted file mode 100644
index 0b9c20034e8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Using an Alternate Name", "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"MSBuild.exe\" and\n not process.name : \"MSBuild.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 108}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_109.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_109.json
deleted file mode 100644
index 22bf6f99077..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Using an Alternate Name", "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"MSBuild.exe\" and\n not process.name : \"MSBuild.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}, {"id": "T1127", "name": "Trusted 
Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_110.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_110.json
deleted file mode 100644
index 3d3456293e2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Using an Alternate Name", "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"MSBuild.exe\" and\n not process.name : \"MSBuild.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": 
"https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}, {"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_111.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_111.json
deleted file mode 100644
index 1f479877bc5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Using an Alternate Name", "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"MSBuild.exe\" and\n not process.name : \"MSBuild.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": 
"https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}, {"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_112.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_112.json
deleted file mode 100644
index be29ae39d9e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_112.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started after being renamed. This is uncommon behavior and may indicate an attempt to run unnoticed or undetected.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Using an Alternate Name", "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Using an Alternate Name\n\nThe OriginalFileName attribute of a PE (Portable Executable) file is a metadata field that contains the original name of the executable file when compiled or linked. By using this attribute, analysts can identify renamed instances that attackers can use with the intent of evading detections, application allowlists, and other security protections.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule checks for renamed instances of MSBuild, which can indicate an attempt of evading detections, application allowlists, and other security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"MSBuild.exe\" and\n not process.name : \"MSBuild.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": 
"https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}, {"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5.json
deleted file mode 100644
index 257a0f6314f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Trusted Developer Utility", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Trusted Developer Utility\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software.\n\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass application control defenses that are configured to allow `MSBuild.exe` execution.\n\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of credential access activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the `.csproj` file location.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\")]\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : (\"vaultcli.dll\", \"SAMLib.DLL\") or file.name : (\"vaultcli.dll\", \"SAMLib.DLL\"))]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": 
"T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}]}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.004", "name": "Windows Credential Manager", "reference": "https://attack.mitre.org/techniques/T1555/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}], "type": "eql", "version": 110}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_104.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_104.json
deleted file mode 100644
index 03586391ea0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Trusted Developer Utility", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Trusted Developer Utility\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software.\n\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass application control defenses that are configured to allow `MSBuild.exe` execution.\n\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of credential access activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the `.csproj` file location.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\")]\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"vaultcli.dll\", \"SAMLib.DLL\") or file.name : (\"vaultcli.dll\", \"SAMLib.DLL\"))]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "type": 
"eql", "version": 104}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_105.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_105.json
deleted file mode 100644
index 765ca4362f9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Trusted Developer Utility", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Trusted Developer Utility\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software.\n\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass application control defenses that are configured to allow `MSBuild.exe` execution.\n\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of credential access activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the `.csproj` file location.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\")]\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"vaultcli.dll\", \"SAMLib.DLL\") or file.name : (\"vaultcli.dll\", \"SAMLib.DLL\"))]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "type": 
"eql", "version": 105}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_106.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_106.json
deleted file mode 100644
index ed0615f56ce..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Trusted Developer Utility", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Trusted Developer Utility\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software.\n\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass application control defenses that are configured to allow `MSBuild.exe` execution.\n\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of credential access activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the `.csproj` file location.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\")]\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"vaultcli.dll\", \"SAMLib.DLL\") or file.name : (\"vaultcli.dll\", \"SAMLib.DLL\"))]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": 
"https://attack.mitre.org/techniques/T1003/"}]}], "type": "eql", "version": 106}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_107.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_107.json
deleted file mode 100644
index 0e0f853055c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Trusted Developer Utility", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Trusted Developer Utility\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software.\n\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass application control defenses that are configured to allow `MSBuild.exe` execution.\n\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of credential access activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the `.csproj` file location.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\")]\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"vaultcli.dll\", \"SAMLib.DLL\") or file.name : (\"vaultcli.dll\", \"SAMLib.DLL\"))]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", 
"reference": "https://attack.mitre.org/techniques/T1003/"}]}], "type": "eql", "version": 107}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_108.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_108.json
deleted file mode 100644
index 9dceaf876b1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Trusted Developer Utility", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Trusted Developer Utility\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software.\n\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass application control defenses that are configured to allow `MSBuild.exe` execution.\n\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of credential access activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the `.csproj` file location.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\")]\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : (\"vaultcli.dll\", \"SAMLib.DLL\") or file.name : (\"vaultcli.dll\", \"SAMLib.DLL\"))]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS 
Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}]}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.004", "name": "Windows Credential Manager", "reference": "https://attack.mitre.org/techniques/T1555/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}], "type": "eql", "version": 108}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_109.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_109.json
deleted file mode 100644
index e691b202668..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Trusted Developer Utility", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Trusted Developer Utility\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software.\n\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass application control defenses that are configured to allow `MSBuild.exe` execution.\n\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of credential access activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the `.csproj` file location.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\")]\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : (\"vaultcli.dll\", \"SAMLib.DLL\") or file.name : (\"vaultcli.dll\", \"SAMLib.DLL\"))]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": 
"T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}]}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.004", "name": "Windows Credential Manager", "reference": "https://attack.mitre.org/techniques/T1555/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}], "type": "eql", "version": 109}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_110.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_110.json deleted file mode 100644 index 0fdbc5f19ae..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_110.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically linked libraries) responsible for Windows credential management. This technique is sometimes used for credential dumping.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Trusted Developer Utility", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Trusted Developer Utility\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software.\n\nAdversaries can abuse MSBuild to proxy the execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file. MSBuild will compile and execute the inline task. `MSBuild.exe` is a signed Microsoft binary, and the execution of code using it can bypass application control defenses that are configured to allow `MSBuild.exe` execution.\n\nThis rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`, which indicates the execution of credential access activities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to identify the `.csproj` file location.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and (process.name : \"MSBuild.exe\" or process.pe.original_file_name == \"MSBuild.exe\")]\n [any where host.os.type == \"windows\" and (event.category == \"library\" or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : (\"vaultcli.dll\", \"SAMLib.DLL\") or file.name : (\"vaultcli.dll\", \"SAMLib.DLL\"))]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": 
"T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}]}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.004", "name": "Windows Credential Manager", "reference": "https://attack.mitre.org/techniques/T1555/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}], "type": "eql", "version": 110}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6.json deleted file mode 100644 index 76087a25371..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name."], "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft Build Engine Started an Unusual Process", "new_terms_fields": ["host.id", "user.name"], "query": "host.os.type:windows and event.category:process and event.type:start and process.parent.name:(\"MSBuild.exe\" or \"msbuild.exe\") and\nprocess.name:(\"csc.exe\" or \"iexplore.exe\" or \"powershell.exe\")\n", "references": ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/", "subtechnique": [{"id": "T1027.004", "name": "Compile After Delivery", "reference": "https://attack.mitre.org/techniques/T1027/004/"}]}, {"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 212}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_104.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_104.json
deleted file mode 100644
index fc762faca90..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started an Unusual Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"MSBuild.exe\" and\n process.name : (\"csc.exe\", \"iexplore.exe\", \"powershell.exe\")\n", "references": ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/", "subtechnique": [{"id": "T1027.004", "name": "Compile After Delivery", "reference": "https://attack.mitre.org/techniques/T1027/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_105.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_105.json deleted file mode 100644 index c83037aa150..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started an Unusual Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"MSBuild.exe\" and\n process.name : (\"csc.exe\", \"iexplore.exe\", \"powershell.exe\")\n", "references": ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense 
Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/", "subtechnique": [{"id": "T1027.004", "name": "Compile After Delivery", "reference": "https://attack.mitre.org/techniques/T1027/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_106.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_106.json deleted file mode 100644 index a71a75a2ecd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_106.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started an Unusual Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"MSBuild.exe\" and\n process.name : (\"csc.exe\", \"iexplore.exe\", \"powershell.exe\")\n", "references": ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/", "subtechnique": [{"id": "T1027.004", "name": "Compile After Delivery", "reference": "https://attack.mitre.org/techniques/T1027/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_206.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_206.json deleted file mode 100644 index fb050763d4b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_206.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name."], "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft Build Engine Started an Unusual Process", "new_terms_fields": ["host.id", "user.name", "process.parent.command_line"], "note": "", "query": "host.os.type:windows and event.category:process and event.type:start and process.parent.name:\"MSBuild.exe\" and\nprocess.name.caseless:(\"csc.exe\" or \"iexplore.exe\" or \"powershell.exe\")\n", "references": ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.name.caseless", "type": "unknown"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", 
"Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/", "subtechnique": [{"id": "T1027.004", "name": "Compile After Delivery", "reference": "https://attack.mitre.org/techniques/T1027/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 206}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_206", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_207.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_207.json deleted file mode 100644 index 76bf5487122..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_207.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name."], "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft Build Engine Started an Unusual Process", "new_terms_fields": ["host.id", "user.name", "process.parent.command_line"], "note": "", "query": "host.os.type:windows and event.category:process and event.type:start and process.parent.name:\"MSBuild.exe\" and\nprocess.name.caseless:(\"csc.exe\" or \"iexplore.exe\" or \"powershell.exe\")\n", "references": ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.name.caseless", "type": "unknown"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", 
"Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/", "subtechnique": [{"id": "T1027.004", "name": "Compile After Delivery", "reference": "https://attack.mitre.org/techniques/T1027/004/"}]}, {"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 207}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_207", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_208.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_208.json deleted file mode 100644 index 74a4ab1d105..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_208.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name."], "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft Build Engine Started an Unusual Process", "new_terms_fields": ["host.id", "user.name", "process.parent.command_line"], "query": "host.os.type:windows and event.category:process and event.type:start and process.parent.name:\"MSBuild.exe\" and\nprocess.name.caseless:(\"csc.exe\" or \"iexplore.exe\" or \"powershell.exe\")\n", "references": ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.name.caseless", "type": "unknown"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom 
ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/", "subtechnique": [{"id": "T1027.004", "name": "Compile After Delivery", "reference": "https://attack.mitre.org/techniques/T1027/004/"}]}, {"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 208}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_209.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_209.json
deleted file mode 100644
index 90a7ecd4dab..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_209.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name."], "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft Build Engine Started an Unusual Process", "new_terms_fields": ["host.id", "user.name"], "query": "host.os.type:windows and event.category:process and event.type:start and process.parent.name:(\"MSBuild.exe\" or \"msbuild.exe\") and\nprocess.name:(\"csc.exe\" or \"iexplore.exe\" or \"powershell.exe\")\n", "references": ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to 
@timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/", "subtechnique": [{"id": "T1027.004", "name": "Compile After Delivery", "reference": "https://attack.mitre.org/techniques/T1027/004/"}]}, {"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 209}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_209", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_210.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_210.json
deleted file mode 100644
index a8137b0232d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_210.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name."], "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft Build Engine Started an Unusual Process", "new_terms_fields": ["host.id", "user.name"], "query": "host.os.type:windows and event.category:process and event.type:start and process.parent.name:(\"MSBuild.exe\" or \"msbuild.exe\") and\nprocess.name:(\"csc.exe\" or \"iexplore.exe\" or \"powershell.exe\")\n", "references": ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to 
@timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/", "subtechnique": [{"id": "T1027.004", "name": "Compile After Delivery", "reference": "https://attack.mitre.org/techniques/T1027/004/"}]}, {"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 210}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_210", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_211.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_211.json
deleted file mode 100644
index 26c6d0b9822..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_211.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name."], "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft Build Engine Started an Unusual Process", "new_terms_fields": ["host.id", "user.name"], "query": "host.os.type:windows and event.category:process and event.type:start and process.parent.name:(\"MSBuild.exe\" or \"msbuild.exe\") and\nprocess.name:(\"csc.exe\" or \"iexplore.exe\" or \"powershell.exe\")\n", "references": ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/", "subtechnique": [{"id": "T1027.004", "name": "Compile After Delivery", "reference": "https://attack.mitre.org/techniques/T1027/004/"}]}, {"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 211}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_211", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_212.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_212.json
deleted file mode 100644
index 7af2b6bbe88..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_212.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name."], "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft Build Engine Started an Unusual Process", "new_terms_fields": ["host.id", "user.name"], "query": "host.os.type:windows and event.category:process and event.type:start and process.parent.name:(\"MSBuild.exe\" or \"msbuild.exe\") and\nprocess.name:(\"csc.exe\" or \"iexplore.exe\" or \"powershell.exe\")\n", "references": ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/", "subtechnique": [{"id": "T1027.004", "name": "Compile After Delivery", "reference": "https://attack.mitre.org/techniques/T1027/004/"}]}, {"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 212}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_212", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_213.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_213.json
deleted file mode 100644
index bbd7a97429e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_213.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, started a PowerShell script or the Visual C# Command Line Compiler. This technique is sometimes used to deploy a malicious payload using the Build Engine.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. If a build system triggers this rule it can be exempted by process, user or host name."], "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft Build Engine Started an Unusual Process", "new_terms_fields": ["host.id", "user.name"], "query": "host.os.type:windows and event.category:process and event.type:start and process.parent.name:(\"MSBuild.exe\" or \"msbuild.exe\") and\nprocess.name:(\"csc.exe\" or \"iexplore.exe\" or \"powershell.exe\")\n", "references": ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/", "subtechnique": [{"id": "T1027.004", "name": "Compile After Delivery", "reference": "https://attack.mitre.org/techniques/T1027/004/"}]}, {"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 213}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6_213", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9.json
deleted file mode 100644
index 7b3f11d531a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Injection by the Microsoft Build Engine", "query": "process where host.os.type == \"windows\" and process.name: \"MSBuild.exe\" and\n event.action:(\"CreateRemoteThread detected (rule: CreateRemoteThread)\", \"CreateRemoteThread\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}, {"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": 
"https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_103.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_103.json deleted file mode 100644 index 8447ebe53ac..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Process Injection by the Microsoft Build Engine", "query": "process.name:MSBuild.exe and host.os.type:windows and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_104.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_104.json deleted file mode 100644 index fdfc1897226..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Process Injection by the Microsoft Build Engine", "query": "process.name:MSBuild.exe and host.os.type:windows and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_105.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_105.json deleted file mode 100644 index 35869b97968..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Process Injection by the Microsoft Build Engine", "query": "process.name:MSBuild.exe and host.os.type:windows and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}, {"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": 
"event.ingested", "type": "query", "version": 105}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_106.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_106.json deleted file mode 100644 index e7e03855d02..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "kuery", "license": "Elastic License v2", "name": "Process Injection by the Microsoft Build Engine", "query": "process.name:MSBuild.exe and host.os.type:windows and event.action:\"CreateRemoteThread detected (rule: CreateRemoteThread)\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}, {"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": 
"event.ingested", "type": "query", "version": 106}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_107.json b/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_107.json deleted file mode 100644 index 4f9c168170a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, created a thread in another process. This technique is sometimes used to evade detection or elevate privileges.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."], "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Injection by the Microsoft Build Engine", "query": "process where host.os.type == \"windows\" and process.name: \"MSBuild.exe\" and\n event.action:(\"CreateRemoteThread detected (rule: CreateRemoteThread)\", \"CreateRemoteThread\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}, {"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": 
"https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de.json b/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de.json deleted file mode 100644 index 3760c599df4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the creation or modification of a launch daemon, which adversaries may use to repeatedly execute malicious payloads as part of persistence.", "false_positives": ["Trusted applications persisting via LaunchDaemons"], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "LaunchDaemon Creation or Modification and Immediate Loading", "query": "sequence by host.id with maxspan=1m\n [file where host.os.type == \"macos\" and event.type != \"deletion\" and file.path : (\"/System/Library/LaunchDaemons/*\", \"/Library/LaunchDaemons/*\")]\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n", "references": ["https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d19ece6-c20e-481a-90c5-ccca596537de", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "type": "eql", "version": 106}, "id": "9d19ece6-c20e-481a-90c5-ccca596537de", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_102.json b/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_102.json deleted file mode 100644 index da6dc2bc41a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the creation or modification of a launch daemon, which adversaries may use to repeatedly execute malicious payloads as part of persistence.", "false_positives": ["Trusted applications persisting via LaunchDaemons"], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "LaunchDaemon Creation or Modification and Immediate Loading", "query": "sequence by host.id with maxspan=1m\n [file where host.os.type == \"macos\" and event.type != \"deletion\" and file.path : (\"/System/Library/LaunchDaemons/*\", \"/Library/LaunchDaemons/*\")]\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n", "references": ["https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d19ece6-c20e-481a-90c5-ccca596537de", "severity": "low", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "type": "eql", "version": 102}, "id": "9d19ece6-c20e-481a-90c5-ccca596537de_102", "type": "security-rule"} \ No newline at 
end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_103.json b/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_103.json deleted file mode 100644 index c20bab8378a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the creation or modification of a launch daemon, which adversaries may use to repeatedly execute malicious payloads as part of persistence.", "false_positives": ["Trusted applications persisting via LaunchDaemons"], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "LaunchDaemon Creation or Modification and Immediate Loading", "query": "sequence by host.id with maxspan=1m\n [file where host.os.type == \"macos\" and event.type != \"deletion\" and file.path : (\"/System/Library/LaunchDaemons/*\", \"/Library/LaunchDaemons/*\")]\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n", "references": ["https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d19ece6-c20e-481a-90c5-ccca596537de", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "type": "eql", "version": 103}, "id": "9d19ece6-c20e-481a-90c5-ccca596537de_103", "type": 
"security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_104.json b/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_104.json deleted file mode 100644 index 8d3cc8aa5c9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the creation or modification of a launch daemon, which adversaries may use to repeatedly execute malicious payloads as part of persistence.", "false_positives": ["Trusted applications persisting via LaunchDaemons"], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "LaunchDaemon Creation or Modification and Immediate Loading", "query": "sequence by host.id with maxspan=1m\n [file where host.os.type == \"macos\" and event.type != \"deletion\" and file.path : (\"/System/Library/LaunchDaemons/*\", \"/Library/LaunchDaemons/*\")]\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n", "references": ["https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d19ece6-c20e-481a-90c5-ccca596537de", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "type": "eql", "version": 104}, "id": 
"9d19ece6-c20e-481a-90c5-ccca596537de_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_105.json b/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_105.json deleted file mode 100644 index 84550c4ab92..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d19ece6-c20e-481a-90c5-ccca596537de_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the creation or modification of a launch daemon, which adversaries may use to repeatedly execute malicious payloads as part of persistence.", "false_positives": ["Trusted applications persisting via LaunchDaemons"], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "LaunchDaemon Creation or Modification and Immediate Loading", "query": "sequence by host.id with maxspan=1m\n [file where host.os.type == \"macos\" and event.type != \"deletion\" and file.path : (\"/System/Library/LaunchDaemons/*\", \"/Library/LaunchDaemons/*\")]\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"launchctl\" and process.args == \"load\"]\n", "references": ["https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9d19ece6-c20e-481a-90c5-ccca596537de", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "type": "eql", "version": 105}, "id": "9d19ece6-c20e-481a-90c5-ccca596537de_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6.json b/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6.json deleted file mode 100644 index 81264a260fe..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", "false_positives": ["A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_rare_metadata_process"], "name": "Unusual Linux Process Calling the Metadata Service", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "9d302377-d226-4e12-b54c-1906b5aec4f6", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.005", "name": "Cloud Instance Metadata API", "reference": "https://attack.mitre.org/techniques/T1552/005/"}]}]}], "type": "machine_learning", "version": 104}, "id": "9d302377-d226-4e12-b54c-1906b5aec4f6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_101.json b/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_101.json deleted file mode 100644 index 8c20e3831f9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_101.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", "false_positives": ["A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_rare_metadata_process"], "name": "Unusual Linux Process Calling the Metadata Service", "risk_score": 21, "rule_id": "9d302377-d226-4e12-b54c-1906b5aec4f6", "severity": "low", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.005", "name": "Cloud Instance Metadata API", "reference": "https://attack.mitre.org/techniques/T1552/005/"}]}]}], "type": "machine_learning", "version": 101}, "id": "9d302377-d226-4e12-b54c-1906b5aec4f6_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_102.json b/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_102.json
deleted file mode 100644
index 67e686fe931..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", "false_positives": ["A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_rare_metadata_process"], "name": "Unusual Linux Process Calling the Metadata Service", "risk_score": 21, "rule_id": "9d302377-d226-4e12-b54c-1906b5aec4f6", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.005", "name": "Cloud Instance Metadata API", "reference": "https://attack.mitre.org/techniques/T1552/005/"}]}]}], "type": "machine_learning", "version": 102}, "id": "9d302377-d226-4e12-b54c-1906b5aec4f6_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_103.json b/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_103.json
deleted file mode 100644
index ee6b653ef59..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9d302377-d226-4e12-b54c-1906b5aec4f6_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", "false_positives": ["A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_rare_metadata_process"], "name": "Unusual Linux Process Calling the Metadata Service", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "9d302377-d226-4e12-b54c-1906b5aec4f6", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.005", "name": "Cloud Instance Metadata API", "reference": "https://attack.mitre.org/techniques/T1552/005/"}]}]}], "type": "machine_learning", "version": 103}, "id": "9d302377-d226-4e12-b54c-1906b5aec4f6_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9efb3f79-b77b-466a-9fa0-3645d22d1e7f.json b/packages/security_detection_engine/kibana/security_rule/9efb3f79-b77b-466a-9fa0-3645d22d1e7f.json
deleted file mode 100644
index bbd627931ed..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9efb3f79-b77b-466a-9fa0-3645d22d1e7f.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of an AWS RDS DB instance to enable public access. DB instances may contain sensitive data that can be abused if shared with unauthorized accounts or made public. Adversaries may enable public access on a DB instance to maintain persistence or evade defenses by bypassing access controls.", "false_positives": ["Public access is a common configuration used to enable access from outside a private VPC. Ensure that the instance should not be modified in this way before taking action."], "from": "now-6m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "eql", "license": "Elastic License v2", "name": "AWS RDS DB Instance Made Public", "note": "## Triage and Analysis\n\n### Investigating AWS RDS DB Instance Made Public\n\nThis rule identifies when an RDS DB instance is created or modified to enable public access. While publicly accessible DB instances are a common practice, adversaries may exploit this feature to maintain persistence or evade defenses in a compromised environment.\n\n#### Possible Investigation Steps\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Creation/Modification Event**: Identify the DB instance involved and review the event details. 
Look for `ModifyDBInstance`, `CreateDBInstance` or `CreateDBCluster` actions where the publiclyAccessible parameter was set to true.\n - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` field in the CloudTrail event to identify the DB Instance Identifier and any other modifications made to the instance.\n- **Verify the Created/Modified Instance**: Check the DB instance that was created or modified and its contents to determine the sensitivity of the data stored within it.\n- **Contextualize with Recent Changes**: Compare this event against recent changes in RDS DB or Cluster configurations and deployments. Look for any other recent permissions changes or unusual administrative actions.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this event to see if the same actor or IP address engaged in other potentially suspicious activities.\n- **Interview Relevant Personnel**: If the modification was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing DB instances.\n### False Positive Analysis\n\n- **Legitimate Instance Configuration**: Confirm if the DB instance creation or modification aligns with legitimate tasks.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.\n\n### Response and Remediation\n\n- **Immediate Review and Reversal**: If the change was unauthorized, update the instance attributes to remove public access and restore it to its previous state. Determine whether attached security groups have been modified to allow additional access and revert any unauthorized changes. 
\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.\n- **Audit Instances and Policies**: Conduct a comprehensive audit of all instances and associated policies to ensure they adhere to the principle of least privilege.\n- **Policy Update**: Review and possibly update your organization\u2019s policies on DB instance access to tighten control and prevent unauthorized access.\n- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery.\n\n### Additional Information:\n\nFor further guidance on managing DB instances and securing AWS environments, refer to the [AWS RDS documentation](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDS_Managing.html) and AWS best practices for security. Additionally, consult the following resources for specific details on DB instance security:\n- [AWS RDS ModifyDBInstance](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html)\n", "query": "any where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"rds.amazonaws.com\"\n and event.outcome == \"success\"\n and (\n (event.action == \"ModifyDBInstance\" and stringContains(aws.cloudtrail.request_parameters, \"publiclyAccessible=true\"))\n or \n (event.action in (\"CreateDBInstance\", \"CreateDBCluster\") and stringContains(aws.cloudtrail.request_parameters, \"publiclyAccessible=true\"))\n )\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html", "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html", "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence#make-instance-publicly-accessible-rds-modifydbinstance", 
"https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-createdbinstance"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.request_parameters", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "9efb3f79-b77b-466a-9fa0-3645d22d1e7f", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Resources: Investigation Guide", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/", "subtechnique": [{"id": "T1556.009", "name": "Conditional Access Policies", "reference": "https://attack.mitre.org/techniques/T1556/009/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "9efb3f79-b77b-466a-9fa0-3645d22d1e7f", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9efb3f79-b77b-466a-9fa0-3645d22d1e7f_1.json b/packages/security_detection_engine/kibana/security_rule/9efb3f79-b77b-466a-9fa0-3645d22d1e7f_1.json
deleted file mode 100644
index 80510f83a12..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9efb3f79-b77b-466a-9fa0-3645d22d1e7f_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of an AWS RDS DB instance to enable public access. DB instances may contain sensitive data that can be abused if shared with unauthorized accounts or made public. Adversaries may enable public access on a DB instance to maintain persistence or evade defenses by bypassing access controls.", "false_positives": ["Public access is a common configuration used to enable access from outside a private VPC. Ensure that the instance should not be modified in this way before taking action."], "from": "now-10m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "eql", "license": "Elastic License v2", "name": "AWS RDS DB Instance Made Public", "note": "## Triage and Analysis\n\n### Investigating AWS RDS DB Instance Made Public\n\nThis rule identifies when an RDS DB instance is created or modified to enable public access. While publicly accessible DB instances are a common practice, adversaries may exploit this feature to maintain persistence or evade defenses in a compromised environment.\n\n#### Possible Investigation Steps\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Creation/Modification Event**: Identify the DB instance involved and review the event details. 
Look for `ModifyDBInstance`, `CreateDBInstance` or `CreateDBCluster` actions where the publiclyAccessible parameter was set to true.\n - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` field in the CloudTrail event to identify the DB Instance Identifier and any other modifications made to the instance.\n- **Verify the Created/Modified Instance**: Check the DB instance that was created or modified and its contents to determine the sensitivity of the data stored within it.\n- **Contextualize with Recent Changes**: Compare this event against recent changes in RDS DB or Cluster configurations and deployments. Look for any other recent permissions changes or unusual administrative actions.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this event to see if the same actor or IP address engaged in other potentially suspicious activities.\n- **Interview Relevant Personnel**: If the modification was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing DB instances.\n### False Positive Analysis\n\n- **Legitimate Instance Configuration**: Confirm if the DB instance creation or modification aligns with legitimate tasks.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.\n\n### Response and Remediation\n\n- **Immediate Review and Reversal**: If the change was unauthorized, update the instance attributes to remove public access and restore it to its previous state. Determine whether attached security groups have been modified to allow additional access and revert any unauthorized changes. 
\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.\n- **Audit Instances and Policies**: Conduct a comprehensive audit of all instances and associated policies to ensure they adhere to the principle of least privilege.\n- **Policy Update**: Review and possibly update your organization\u2019s policies on DB instance access to tighten control and prevent unauthorized access.\n- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery.\n\n### Additional Information:\n\nFor further guidance on managing DB instances and securing AWS environments, refer to the [AWS RDS documentation](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDS_Managing.html) and AWS best practices for security. Additionally, consult the following resources for specific details on DB instance security:\n- [AWS RDS ModifyDBInstance](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html)\n", "query": "any where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"rds.amazonaws.com\"\n and event.outcome == \"success\"\n and (\n (event.action == \"ModifyDBInstance\" and stringContains(aws.cloudtrail.request_parameters, \"publiclyAccessible=true\"))\n or \n (event.action in (\"CreateDBInstance\", \"CreateDBCluster\") and stringContains(aws.cloudtrail.request_parameters, \"publiclyAccessible=true\"))\n )\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html", "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html", "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-rds-persistence#make-instance-publicly-accessible-rds-modifydbinstance", 
"https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-createdbinstance"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.request_parameters", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "9efb3f79-b77b-466a-9fa0-3645d22d1e7f", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Resources: Investigation Guide", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/", "subtechnique": [{"id": "T1556.009", "name": "Conditional Access Policies", "reference": "https://attack.mitre.org/techniques/T1556/009/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "9efb3f79-b77b-466a-9fa0-3645d22d1e7f_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769.json b/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769.json
deleted file mode 100644
index 605055cf5ca..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Protocol Tunneling via EarthWorm", "note": "## Triage and analysis\n\n### Investigating Potential Protocol Tunneling via EarthWorm\n\nAttackers can leverage `earthworm` to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems.\n\nThis rule looks for several command line arguments that are consistent with `earthworm` tunneling behavior. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses port tunneling for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n process.args : \"-s\" and process.args : \"-d\" and process.args : \"rssocks\"\n", "references": ["http://rootkiter.com/EarthWorm/", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 47, "rule_id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769", "setup": "## Setup\n\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_103.json b/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_103.json
deleted file mode 100644
index b5b4e6a37ce..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Protocol Tunneling via EarthWorm", "note": "", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n process.args : \"-s\" and process.args : \"-d\" and process.args : \"rssocks\"\n", "references": ["http://rootkiter.com/EarthWorm/", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 47, "rule_id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Command and Control", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": 
"9f1c4ca3-44b5-481d-ba42-32dc215a2769_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_104.json b/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_104.json
deleted file mode 100644
index 8368f2752a9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Protocol Tunneling via EarthWorm", "note": "", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n process.args : \"-s\" and process.args : \"-d\" and process.args : \"rssocks\"\n", "references": ["http://rootkiter.com/EarthWorm/", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 47, "rule_id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": 
"9f1c4ca3-44b5-481d-ba42-32dc215a2769_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_105.json b/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_105.json
deleted file mode 100644
index 0f5991c14e9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Protocol Tunneling via EarthWorm", "note": "", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n process.args : \"-s\" and process.args : \"-d\" and process.args : \"rssocks\"\n", "references": ["http://rootkiter.com/EarthWorm/", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 47, "rule_id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": 
"eql", "version": 105}, "id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_106.json b/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_106.json
deleted file mode 100644
index 025698a617b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Protocol Tunneling via EarthWorm", "note": "### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n process.args : \"-s\" and process.args : \"-d\" and process.args : \"rssocks\"\n", "references": ["http://rootkiter.com/EarthWorm/", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 47, "rule_id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769", "setup": "This rule requires data coming in either from Elastic Defend, or Auditbeat integration.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: 
Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_107.json b/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_107.json
deleted file mode 100644
index 397bd28dc52..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Protocol Tunneling via EarthWorm", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n process.args : \"-s\" and process.args : \"-d\" and process.args : \"rssocks\"\n", "references": ["http://rootkiter.com/EarthWorm/", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 47, "rule_id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769", "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_108.json b/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_108.json
deleted file mode 100644
index 86110312dd4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Protocol Tunneling via EarthWorm", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n process.args : \"-s\" and process.args : \"-d\" and process.args : \"rssocks\"\n", "references": ["http://rootkiter.com/EarthWorm/", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 47, "rule_id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769_108", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_109.json b/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_109.json
deleted file mode 100644
index 52bc4ab47c8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9f1c4ca3-44b5-481d-ba42-32dc215a2769_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the EarthWorm tunneler. Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection and network filtering, or to enable access to otherwise unreachable systems.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Protocol Tunneling via EarthWorm", "note": "## Triage and analysis\n\n### Investigating Potential Protocol Tunneling via EarthWorm\n\nAttackers can leverage `earthworm` to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems.\n\nThis rule looks for several command line arguments that are consistent with `earthworm` tunneling behavior. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses port tunneling for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n process.args : \"-s\" and process.args : \"-d\" and process.args : \"rssocks\"\n", "references": ["http://rootkiter.com/EarthWorm/", "https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 47, "rule_id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769", "setup": "This rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "9f1c4ca3-44b5-481d-ba42-32dc215a2769_109", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1.json b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1.json
deleted file mode 100644
index 9be8c5b4dc7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via DCSync", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used legitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. 
Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect, investigate if it is the case, and if it is properly secured. 
If noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. If this rule is noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where event.action : (\"Directory Service Access\", \"object-operation-performed\") and\n event.code == \"4662\" and winlog.event_data.Properties : (\n\n /* Control Access Rights/Permissions Symbol */\n\n \"*DS-Replication-Get-Changes*\",\n \"*DS-Replication-Get-Changes-All*\",\n \"*DS-Replication-Get-Changes-In-Filtered-Set*\",\n\n /* Identifying GUID used in ACE */\n\n \"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*89e95b76-444d-4c62-991a-0facbeda640c*\")\n\n /* The right to perform an operation controlled by an extended access right. */\n\n and winlog.event_data.AccessMask : \"0x100\" and\n not winlog.event_data.SubjectUserName : (\n \"*$\", \"MSOL_*\", \"OpenDNS_Connector\", \"adconnect\", \"SyncADConnect\",\n \"SyncADConnectCM\", \"aadsync\", \"svcAzureADSync\", \"-\"\n )\n\n /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */\n", "references": ["https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync"], 
"related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "9f962927-1a4f-45f3-a57b-287f2c7029c1", "setup": "## Setup\n\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.006", "name": "DCSync", "reference": "https://attack.mitre.org/techniques/T1003/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": 
"https://attack.mitre.org/techniques/T1078/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 114}, "id": "9f962927-1a4f-45f3-a57b-287f2c7029c1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_105.json b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_105.json
deleted file mode 100644
index 3626335e15e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via DCSync", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used legitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. 
Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent: Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect, investigate if it is the case, and if it is properly secured. 
If noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. If this rule is noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If specific credentials were compromised:\n - Reset the password for these accounts and other potentially compromised credentials, like email, business systems, and web services.\n- If the entire domain or the `krbtgt` user were compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "any where host.os.type == \"windows\" and event.action == \"Directory Service Access\" and\n event.code == \"4662\" and winlog.event_data.Properties : (\n\n /* Control Access Rights/Permissions Symbol */\n\n \"*DS-Replication-Get-Changes*\",\n \"*DS-Replication-Get-Changes-All*\",\n \"*DS-Replication-Get-Changes-In-Filtered-Set*\",\n\n /* Identifying GUID used in ACE */\n\n \"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*89e95b76-444d-4c62-991a-0facbeda640c*\")\n\n /* The right to perform an operation controlled by an extended access right. */\n\n and winlog.event_data.AccessMask : \"0x100\" and\n not winlog.event_data.SubjectUserName : (\"*$\", \"MSOL_*\", \"OpenDNS_Connector\")\n\n /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */\n", "references": ["https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": 
"^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "9f962927-1a4f-45f3-a57b-287f2c7029c1", "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.006", "name": "DCSync", "reference": "https://attack.mitre.org/techniques/T1003/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "9f962927-1a4f-45f3-a57b-287f2c7029c1_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_106.json b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_106.json
deleted file mode 100644
index 3d748eb2679..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via DCSync", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used legitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. 
Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent: Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect, investigate if it is the case, and if it is properly secured. 
If noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. If this rule is noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If specific credentials were compromised:\n - Reset the password for these accounts and other potentially compromised credentials, like email, business systems, and web services.\n- If the entire domain or the `krbtgt` user were compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "any where event.action == \"Directory Service Access\" and\n event.code == \"4662\" and winlog.event_data.Properties : (\n\n /* Control Access Rights/Permissions Symbol */\n\n \"*DS-Replication-Get-Changes*\",\n \"*DS-Replication-Get-Changes-All*\",\n \"*DS-Replication-Get-Changes-In-Filtered-Set*\",\n\n /* Identifying GUID used in ACE */\n\n \"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*89e95b76-444d-4c62-991a-0facbeda640c*\")\n\n /* The right to perform an operation controlled by an extended access right. */\n\n and winlog.event_data.AccessMask : \"0x100\" and\n not winlog.event_data.SubjectUserName : (\"*$\", \"MSOL_*\", \"OpenDNS_Connector\")\n\n /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */\n", "references": ["https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": 
[{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "9f962927-1a4f-45f3-a57b-287f2c7029c1", "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.006", "name": "DCSync", "reference": "https://attack.mitre.org/techniques/T1003/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "9f962927-1a4f-45f3-a57b-287f2c7029c1_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_107.json b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_107.json
deleted file mode 100644
index 8bea403fdc5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via DCSync", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used legitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. 
Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent: Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect, investigate if it is the case, and if it is properly secured. 
If noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. If this rule is noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If specific credentials were compromised:\n - Reset the password for these accounts and other potentially compromised credentials, like email, business systems, and web services.\n- If the entire domain or the `krbtgt` user were compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "any where event.action == \"Directory Service Access\" and\n event.code == \"4662\" and winlog.event_data.Properties : (\n\n /* Control Access Rights/Permissions Symbol */\n\n \"*DS-Replication-Get-Changes*\",\n \"*DS-Replication-Get-Changes-All*\",\n \"*DS-Replication-Get-Changes-In-Filtered-Set*\",\n\n /* Identifying GUID used in ACE */\n\n \"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*89e95b76-444d-4c62-991a-0facbeda640c*\")\n\n /* The right to perform an operation controlled by an extended access right. */\n\n and winlog.event_data.AccessMask : \"0x100\" and\n not winlog.event_data.SubjectUserName : (\"*$\", \"MSOL_*\", \"OpenDNS_Connector\")\n\n /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */\n", "references": ["https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": 
[{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "9f962927-1a4f-45f3-a57b-287f2c7029c1", "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.006", "name": "DCSync", "reference": "https://attack.mitre.org/techniques/T1003/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "9f962927-1a4f-45f3-a57b-287f2c7029c1_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_108.json b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_108.json
deleted file mode 100644
index b82edffa9d9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via DCSync", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used legitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. 
Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect, investigate if it is the case, and if it is properly secured. 
If noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. If this rule is noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "any where event.action == \"Directory Service Access\" and\n event.code == \"4662\" and winlog.event_data.Properties : (\n\n /* Control Access Rights/Permissions Symbol */\n\n \"*DS-Replication-Get-Changes*\",\n \"*DS-Replication-Get-Changes-All*\",\n \"*DS-Replication-Get-Changes-In-Filtered-Set*\",\n\n /* Identifying GUID used in ACE */\n\n \"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*89e95b76-444d-4c62-991a-0facbeda640c*\")\n\n /* The right to perform an operation controlled by an extended access right. */\n\n and winlog.event_data.AccessMask : \"0x100\" and\n not winlog.event_data.SubjectUserName : (\"*$\", \"MSOL_*\", \"OpenDNS_Connector\")\n\n /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */\n", "references": ["https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": 
[{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "9f962927-1a4f-45f3-a57b-287f2c7029c1", "setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.006", "name": "DCSync", "reference": "https://attack.mitre.org/techniques/T1003/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "9f962927-1a4f-45f3-a57b-287f2c7029c1_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_109.json b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_109.json deleted file mode 100644 index 3aa359db17c..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via DCSync", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used legitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. 
Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect, investigate if it is the case, and if it is properly secured. 
If noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. If this rule is noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "any where event.action == \"Directory Service Access\" and\n event.code == \"4662\" and winlog.event_data.Properties : (\n\n /* Control Access Rights/Permissions Symbol */\n\n \"*DS-Replication-Get-Changes*\",\n \"*DS-Replication-Get-Changes-All*\",\n \"*DS-Replication-Get-Changes-In-Filtered-Set*\",\n\n /* Identifying GUID used in ACE */\n\n \"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*89e95b76-444d-4c62-991a-0facbeda640c*\")\n\n /* The right to perform an operation controlled by an extended access right. */\n\n and winlog.event_data.AccessMask : \"0x100\" and\n not winlog.event_data.SubjectUserName : (\"*$\", \"MSOL_*\", \"OpenDNS_Connector\")\n\n /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */\n", "references": ["https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": 
[{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "9f962927-1a4f-45f3-a57b-287f2c7029c1", "setup": "The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.006", "name": "DCSync", "reference": "https://attack.mitre.org/techniques/T1003/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "9f962927-1a4f-45f3-a57b-287f2c7029c1_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_110.json b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_110.json deleted file mode 100644 index 8dd68e9c35c..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via DCSync", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used legitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. 
Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect, investigate if it is the case, and if it is properly secured. 
If noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. If this rule is noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "any where event.action == \"Directory Service Access\" and\n event.code == \"4662\" and winlog.event_data.Properties : (\n\n /* Control Access Rights/Permissions Symbol */\n\n \"*DS-Replication-Get-Changes*\",\n \"*DS-Replication-Get-Changes-All*\",\n \"*DS-Replication-Get-Changes-In-Filtered-Set*\",\n\n /* Identifying GUID used in ACE */\n\n \"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*89e95b76-444d-4c62-991a-0facbeda640c*\")\n\n /* The right to perform an operation controlled by an extended access right. */\n\n and winlog.event_data.AccessMask : \"0x100\" and\n not winlog.event_data.SubjectUserName : (\"*$\", \"MSOL_*\", \"OpenDNS_Connector\")\n\n /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */\n", "references": ["https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": 
[{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "9f962927-1a4f-45f3-a57b-287f2c7029c1", "setup": "The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.006", "name": "DCSync", "reference": "https://attack.mitre.org/techniques/T1003/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "9f962927-1a4f-45f3-a57b-287f2c7029c1_110", "type": 
"security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_111.json b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_111.json
deleted file mode 100644
index ccf9fba895e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via DCSync", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used legitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. 
Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect, investigate if it is the case, and if it is properly secured. 
If noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. If this rule is noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "any where event.action == \"Directory Service Access\" and\n event.code == \"4662\" and winlog.event_data.Properties : (\n\n /* Control Access Rights/Permissions Symbol */\n\n \"*DS-Replication-Get-Changes*\",\n \"*DS-Replication-Get-Changes-All*\",\n \"*DS-Replication-Get-Changes-In-Filtered-Set*\",\n\n /* Identifying GUID used in ACE */\n\n \"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*89e95b76-444d-4c62-991a-0facbeda640c*\")\n\n /* The right to perform an operation controlled by an extended access right. */\n\n and winlog.event_data.AccessMask : \"0x100\" and\n not winlog.event_data.SubjectUserName : (\n \"*$\", \"MSOL_*\", \"OpenDNS_Connector\", \"adconnect\", \"SyncADConnect\",\n \"SyncADConnectCM\", \"aadsync\", \"svcAzureADSync\", \"-\"\n )\n\n /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */\n", "references": ["https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync"], "related_integrations": 
[{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "9f962927-1a4f-45f3-a57b-287f2c7029c1", "setup": "\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.006", "name": "DCSync", "reference": "https://attack.mitre.org/techniques/T1003/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "9f962927-1a4f-45f3-a57b-287f2c7029c1_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_112.json b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_112.json
deleted file mode 100644
index b0dfd016362..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_112.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via DCSync", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used legitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. 
Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect, investigate if it is the case, and if it is properly secured. 
If noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. If this rule is noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "any where event.action : (\"Directory Service Access\", \"object-operation-performed\") and\n event.code == \"4662\" and winlog.event_data.Properties : (\n\n /* Control Access Rights/Permissions Symbol */\n\n \"*DS-Replication-Get-Changes*\",\n \"*DS-Replication-Get-Changes-All*\",\n \"*DS-Replication-Get-Changes-In-Filtered-Set*\",\n\n /* Identifying GUID used in ACE */\n\n \"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*89e95b76-444d-4c62-991a-0facbeda640c*\")\n\n /* The right to perform an operation controlled by an extended access right. */\n\n and winlog.event_data.AccessMask : \"0x100\" and\n not winlog.event_data.SubjectUserName : (\n \"*$\", \"MSOL_*\", \"OpenDNS_Connector\", \"adconnect\", \"SyncADConnect\",\n \"SyncADConnectCM\", \"aadsync\", \"svcAzureADSync\", \"-\"\n )\n\n /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */\n", "references": ["https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", 
"https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "9f962927-1a4f-45f3-a57b-287f2c7029c1", "setup": "\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.006", "name": "DCSync", "reference": "https://attack.mitre.org/techniques/T1003/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain 
Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "9f962927-1a4f-45f3-a57b-287f2c7029c1_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_113.json b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_113.json
deleted file mode 100644
index 0bc46bd6d10..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_113.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via DCSync", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used legitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. 
Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect, investigate if it is the case, and if it is properly secured. 
If noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. If this rule is noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where event.action : (\"Directory Service Access\", \"object-operation-performed\") and\n event.code == \"4662\" and winlog.event_data.Properties : (\n\n /* Control Access Rights/Permissions Symbol */\n\n \"*DS-Replication-Get-Changes*\",\n \"*DS-Replication-Get-Changes-All*\",\n \"*DS-Replication-Get-Changes-In-Filtered-Set*\",\n\n /* Identifying GUID used in ACE */\n\n \"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*89e95b76-444d-4c62-991a-0facbeda640c*\")\n\n /* The right to perform an operation controlled by an extended access right. */\n\n and winlog.event_data.AccessMask : \"0x100\" and\n not winlog.event_data.SubjectUserName : (\n \"*$\", \"MSOL_*\", \"OpenDNS_Connector\", \"adconnect\", \"SyncADConnect\",\n \"SyncADConnectCM\", \"aadsync\", \"svcAzureADSync\", \"-\"\n )\n\n /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */\n", "references": ["https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync"], 
"related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "9f962927-1a4f-45f3-a57b-287f2c7029c1", "setup": "## Setup\n\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.006", "name": "DCSync", "reference": "https://attack.mitre.org/techniques/T1003/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": 
"https://attack.mitre.org/techniques/T1078/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "9f962927-1a4f-45f3-a57b-287f2c7029c1_113", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_114.json b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_114.json
deleted file mode 100644
index 2fce15ff318..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_114.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via DCSync", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used legitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. 
Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect, investigate if it is the case, and if it is properly secured. 
If noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. If this rule is noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where event.action : (\"Directory Service Access\", \"object-operation-performed\") and\n event.code == \"4662\" and winlog.event_data.Properties : (\n\n /* Control Access Rights/Permissions Symbol */\n\n \"*DS-Replication-Get-Changes*\",\n \"*DS-Replication-Get-Changes-All*\",\n \"*DS-Replication-Get-Changes-In-Filtered-Set*\",\n\n /* Identifying GUID used in ACE */\n\n \"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*89e95b76-444d-4c62-991a-0facbeda640c*\")\n\n /* The right to perform an operation controlled by an extended access right. */\n\n and winlog.event_data.AccessMask : \"0x100\" and\n not winlog.event_data.SubjectUserName : (\n \"*$\", \"MSOL_*\", \"OpenDNS_Connector\", \"adconnect\", \"SyncADConnect\",\n \"SyncADConnectCM\", \"aadsync\", \"svcAzureADSync\", \"-\"\n )\n\n /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */\n", "references": ["https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync"], 
"related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "9f962927-1a4f-45f3-a57b-287f2c7029c1", "setup": "## Setup\n\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.006", "name": "DCSync", "reference": "https://attack.mitre.org/techniques/T1003/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": 
"https://attack.mitre.org/techniques/T1078/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 114}, "id": "9f962927-1a4f-45f3-a57b-287f2c7029c1_114", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_115.json b/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_115.json
deleted file mode 100644
index c72e42b1bdf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9f962927-1a4f-45f3-a57b-287f2c7029c1_115.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies when a User Account starts the Active Directory Replication Process. Attackers can use the DCSync technique to get credential information of individual accounts or the entire domain, thus compromising the entire domain.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via DCSync", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via DCSync\n\nActive Directory replication is the process by which the changes that originate on one domain controller are automatically transferred to other domain controllers that store the same data.\n\nActive Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain controller on which they occur to every other domain controller that stores a replica of an affected object.\n\nAdversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used legitimately for tickets creation, but also tickets forging by attackers. This attack requires some extended privileges to succeed (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which are granted by default to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. 
Privileged accounts can be abused to grant controlled objects the right to DCsync/Replicate.\n\nMore details can be found on [Threat Hunter Playbook](https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing) and [The Hacker Recipes](https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync).\n\nThis rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)).\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account and system owners and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Correlate security events 4662 and 4624 (Logon Type 3) by their Logon ID (`winlog.logon.id`) on the Domain Controller (DC) that received the replication request. This will tell you where the AD replication request came from, and if it came from another DC or not.\n- Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones).\n\n### False positive analysis\n\n- Administrators may use custom accounts on Azure AD Connect, investigate if it is the case, and if it is properly secured. 
If noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n- Although replicating Active Directory (AD) data to non-Domain Controllers is not a common practice and is generally not recommended from a security perspective, some software vendors may require it for their products to function correctly. If this rule is noisy in your environment due to expected activity, consider adding the corresponding account as a exception.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Investigate how the attacker escalated privileges and identify systems they used to conduct lateral movement. 
Use this information to determine ways the attacker could regain access to the environment.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where event.action : (\"Directory Service Access\", \"object-operation-performed\") and\n event.code == \"4662\" and winlog.event_data.Properties : (\n\n /* Control Access Rights/Permissions Symbol */\n\n \"*DS-Replication-Get-Changes*\",\n \"*DS-Replication-Get-Changes-All*\",\n \"*DS-Replication-Get-Changes-In-Filtered-Set*\",\n\n /* Identifying GUID used in ACE */\n\n \"*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*\",\n \"*89e95b76-444d-4c62-991a-0facbeda640c*\")\n\n /* The right to perform an operation controlled by an extended access right. */\n\n and winlog.event_data.AccessMask : \"0x100\" and\n not winlog.event_data.SubjectUserName : (\n \"*$\", \"MSOL_*\", \"OpenDNS_Connector\", \"adconnect\", \"SyncADConnect\",\n \"SyncADConnectCM\", \"aadsync\", \"svcAzureADSync\", \"-\"\n )\n\n /* The Umbrella AD Connector uses the OpenDNS_Connector account to perform replication */\n", "references": ["https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html", "https://threathunterplaybook.com/library/windows/active_directory_replication.html?highlight=dcsync#directory-replication-services-auditing", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_ad_replication_non_machine_account.yml", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0027_windows_audit_directory_service_access.md", "https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync", "https://www.thehacker.recipes/ad/movement/credentials/dumping/dcsync", 
"https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Properties", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 73, "rule_id": "9f962927-1a4f-45f3-a57b-287f2c7029c1", "setup": "## Setup\n\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.006", "name": "DCSync", "reference": "https://attack.mitre.org/techniques/T1003/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": 
"https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 115}, "id": "9f962927-1a4f-45f3-a57b-287f2c7029c1_115", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4.json b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4.json
deleted file mode 100644
index ff2c8cf2d12..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.", "false_positives": ["Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username."], "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "File Permission Modification in Writable Directory", "new_terms_fields": ["host.id", "process.parent.executable", "process.command_line"], "query": "host.os.type:linux and event.category:process and event.type:start and\nprocess.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and\nnot process.parent.name:(apt-key or update-motd-updates-available)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 21, "rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 210}, "id": "9f9a2a82-93a8-4b1a-8778-1780895626d4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_102.json b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_102.json
deleted file mode 100644
index d0a4fd0c5f1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.", "false_positives": ["Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "File Permission Modification in Writable Directory", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.name:(chmod or chown or chattr or chgrp) and\n process.working_directory:(/tmp or /var/tmp or /dev/shm) and\n not user.name:root\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4", "severity": "low", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "9f9a2a82-93a8-4b1a-8778-1780895626d4_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_103.json b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_103.json
deleted file mode 100644
index e5f3294b9ba..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.", "false_positives": ["Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "File Permission Modification in Writable Directory", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.name:(chmod or chown or chattr or chgrp) and\n process.working_directory:(/tmp or /var/tmp or /dev/shm) and\n not user.name:root\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "9f9a2a82-93a8-4b1a-8778-1780895626d4_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_104.json b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_104.json
deleted file mode 100644
index 855b39641e7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.", "false_positives": ["Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "File Permission Modification in Writable Directory", "query": "process where host.os.type == \"linux\" and event.type == \"start\"and\n process.name in (\"chmod\", \"chown\", \"chattr\", \"chgrp\") and\n process.working_directory in (\"/tmp\", \"/var/tmp\", \"/dev/shm\") and\n not process.parent.name in (\"update-motd-updates-available\") and\n not user.name == \"root\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": 
"9f9a2a82-93a8-4b1a-8778-1780895626d4_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_105.json b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_105.json
deleted file mode 100644
index df0ac6bc6e1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.", "false_positives": ["Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "File Permission Modification in Writable Directory", "query": "process where host.os.type == \"linux\" and event.type == \"start\"and\n process.name in (\"chmod\", \"chown\", \"chattr\", \"chgrp\") and\n process.working_directory in (\"/tmp\", \"/var/tmp\", \"/dev/shm\") and\n not process.parent.name in (\"update-motd-updates-available\") and\n not user.name == \"root\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": 
"9f9a2a82-93a8-4b1a-8778-1780895626d4_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_206.json b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_206.json deleted file mode 100644 index b7041849a49..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_206.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.", "false_positives": ["Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username."], "from": "now-9m", "history_window_start": "now-14d", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "File Permission Modification in Writable Directory", "new_terms_fields": ["host.id", "process.parent.executable", "process.command_line"], "query": "host.os.type:linux and event.category:process and event.type:start and\nprocess.name:(chmod or chown or chattr or chgrp) and \nprocess.working_directory:(\"/tmp\" or \"/var/tmp\" or \"/dev/shm\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 21, "rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4", "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 206}, "id": "9f9a2a82-93a8-4b1a-8778-1780895626d4_206", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_207.json b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_207.json deleted file mode 100644 index ac333f0beac..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_207.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.", "false_positives": ["Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username."], "from": "now-9m", "history_window_start": "now-14d", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "File Permission Modification in Writable Directory", "new_terms_fields": ["host.id", "process.parent.executable", "process.command_line"], "query": "host.os.type:linux and event.category:process and event.type:start and\nprocess.name:(chmod or chown or chattr or chgrp) and \nprocess.working_directory:(\"/tmp\" or \"/var/tmp\" or \"/dev/shm\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 21, "rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 207}, "id": "9f9a2a82-93a8-4b1a-8778-1780895626d4_207", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_208.json b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_208.json deleted file mode 100644 index f2bc492968d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_208.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.", "false_positives": ["Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username."], "from": "now-9m", "history_window_start": "now-14d", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "File Permission Modification in Writable Directory", "new_terms_fields": ["host.id", "process.parent.executable", "process.command_line"], "query": "host.os.type:linux and event.category:process and event.type:start and\nprocess.name:((chattr or chgrp or chmod or chown) and\nnot (apt-key or update-motd-updates-available)) and\nprocess.working_directory:(/dev/shm or /tmp or /var/tmp)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 21, "rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 208}, "id": "9f9a2a82-93a8-4b1a-8778-1780895626d4_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_209.json b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_209.json deleted file mode 100644 index 13551b1114d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_209.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.", "false_positives": ["Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username."], "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "File Permission Modification in Writable Directory", "new_terms_fields": ["host.id", "process.parent.executable", "process.command_line"], "query": "host.os.type:linux and event.category:process and event.type:start and\nprocess.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and\nnot process.parent.name:(apt-key or update-motd-updates-available)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 21, "rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 209}, "id": "9f9a2a82-93a8-4b1a-8778-1780895626d4_209", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_210.json b/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_210.json deleted file mode 100644 index 69041fb1cd5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/9f9a2a82-93a8-4b1a-8778-1780895626d4_210.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.", "false_positives": ["Certain programs or applications may modify files or change ownership in writable directories. These can be exempted by username."], "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "File Permission Modification in Writable Directory", "new_terms_fields": ["host.id", "process.parent.executable", "process.command_line"], "query": "host.os.type:linux and event.category:process and event.type:start and\nprocess.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and\nnot process.parent.name:(apt-key or update-motd-updates-available)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 21, "rule_id": "9f9a2a82-93a8-4b1a-8778-1780895626d4", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 210}, "id": "9f9a2a82-93a8-4b1a-8778-1780895626d4_210", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622.json b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622.json deleted file mode 100644 index 42e2016fc23..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Nick Jones", "Elastic"], "description": "An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time a specific user identity has programmatically retrieved a secret value from Secrets Manager using the `GetSecretValue` or `BatchGetSecretValue` actions. This rule assumes that AWS services such as Lambda functions and EC2 instances are setup with IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service would rely on the compromised service's IAM role to access the secrets in Secrets Manager.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be using GetSecretString API for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "history_window_start": "now-10d", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", "new_terms_fields": ["user.id"], "note": "## Triage and analysis\n\n### Investigating First Time Seen AWS Secret Value Accessed in Secrets Manager\n\nAWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.\n\nThis rule looks for the retrieval of credentials using `GetSecretValue` action in Secrets Manager programmatically.
This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has successfuly retrieved a specific secret value from Secrets Manager within the last 15 days.\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment, and inspect the related policy.\n- Identify the applications that should use this account.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Review IAM permission policies for the user identity and specific secrets accessed.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. 
Tuning is needed in order to have higher confidence. Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and\n event.action: (GetSecretValue or BatchGetSecretValue) and event.outcome:success and\n not user_agent.name: (\"Chrome\" or \"Firefox\" or \"Safari\" or \"Edge\" or \"Brave\" or \"Opera\")\n", "references": ["https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html", "https://detectioninthe.cloud/ttps/credential_access/access_secret_in_secrets_manager/", "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_BatchGetSecretValue.html", "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": true, "name": "user_agent.name", "type": 
"keyword"}], "risk_score": 47, "rule_id": "a00681e3-9ed6-447c-ab2c-be648821c622", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Secrets Manager", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.006", "name": "Cloud Secrets Management Stores", "reference": "https://attack.mitre.org/techniques/T1555/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 312}, "id": "a00681e3-9ed6-447c-ab2c-be648821c622", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_105.json b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_105.json
deleted file mode 100644
index 872dd8cd287..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Nick Jones", "Elastic"], "description": "An adversary may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive material", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be using GetSecretString API for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Access Secret in Secrets Manager", "note": "## Triage and analysis\n\n### Investigating AWS Access Secret in Secrets Manager\n\nAWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.\n\nThis rule looks for the retrieval of credentials using the API `GetSecretValue` action.\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment, and inspect the related policy.\n- Identify the applications that should use this account.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data.
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Review IAM permission policies for the user identity and specific secrets accessed.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. 
Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and event.action:GetSecretValue\n", "references": ["https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html", "http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "a00681e3-9ed6-447c-ab2c-be648821c622", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Data Protection", "Credential Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", 
"reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1528", "name": "Steal Application Access Token", "reference": "https://attack.mitre.org/techniques/T1528/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "a00681e3-9ed6-447c-ab2c-be648821c622_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_205.json b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_205.json
deleted file mode 100644
index 95ad60cb3a5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_205.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Nick Jones", "Elastic"], "description": "An adversary equipped with compromised credentials may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive material.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be using GetSecretString API for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "history_window_start": "now-15d", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", "new_terms_fields": ["aws.cloudtrail.user_identity.access_key_id", "aws.cloudtrail.request_parameters"], "note": "## Triage and analysis\n\n### Investigating First Time Seen AWS Secret Value Accessed in Secrets Manager\n\nAWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.\n\nThis rule looks for the retrieval of credentials using `GetSecretValue` action in Secrets Manager programmatically. This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has successfuly retrieved a secret value from Secrets Manager.\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment, and inspect the related policy.\n- Identify the applications that should use this account.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data.
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Review IAM permission policies for the user identity and specific secrets accessed.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. 
Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and\n event.action:GetSecretValue and event.outcome:success and\n not user_agent.name: (\"Chrome\" or \"Firefox\" or \"Safari\" or \"Edge\" or \"Brave\" or \"Opera\" or \"aws-cli\")\n", "references": ["https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html", "http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": true, "name": "user_agent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a00681e3-9ed6-447c-ab2c-be648821c622", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", 
"severity": "medium", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Data Protection", "Credential Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1528", "name": "Steal Application Access Token", "reference": "https://attack.mitre.org/techniques/T1528/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 205}, "id": "a00681e3-9ed6-447c-ab2c-be648821c622_205", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_206.json b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_206.json
deleted file mode 100644
index 4742aeefbb6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_206.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Nick Jones", "Elastic"], "description": "An adversary equipped with compromised credentials may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive material.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be using GetSecretString API for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "history_window_start": "now-15d", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", "new_terms_fields": ["aws.cloudtrail.user_identity.access_key_id", "aws.cloudtrail.request_parameters"], "note": "## Triage and analysis\n\n### Investigating First Time Seen AWS Secret Value Accessed in Secrets Manager\n\nAWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.\n\nThis rule looks for the retrieval of credentials using `GetSecretValue` action in Secrets Manager programmatically. This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has successfuly retrieved a secret value from Secrets Manager.\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment, and inspect the related policy.\n- Identify the applications that should use this account.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data.
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Review IAM permission policies for the user identity and specific secrets accessed.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. 
Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and\n event.action:GetSecretValue and event.outcome:success and\n not user_agent.name: (\"Chrome\" or \"Firefox\" or \"Safari\" or \"Edge\" or \"Brave\" or \"Opera\" or \"aws-cli\")\n", "references": ["https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html", "http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": true, "name": "user_agent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a00681e3-9ed6-447c-ab2c-be648821c622", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", 
"severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1528", "name": "Steal Application Access Token", "reference": "https://attack.mitre.org/techniques/T1528/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 206}, "id": "a00681e3-9ed6-447c-ab2c-be648821c622_206", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_207.json b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_207.json
deleted file mode 100644
index 87d90872a7c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_207.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Nick Jones", "Elastic"], "description": "An adversary equipped with compromised credentials may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive material.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be using GetSecretString API for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "history_window_start": "now-15d", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", "new_terms_fields": ["aws.cloudtrail.user_identity.access_key_id", "aws.cloudtrail.request_parameters"], "note": "## Triage and analysis\n\n### Investigating First Time Seen AWS Secret Value Accessed in Secrets Manager\n\nAWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.\n\nThis rule looks for the retrieval of credentials using `GetSecretValue` action in Secrets Manager programmatically. This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has successfuly retrieved a secret value from Secrets Manager.\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment, and inspect the related policy.\n- Identify the applications that should use this account.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Review IAM permission policies for the user identity and specific secrets accessed.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. 
Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and\n event.action:GetSecretValue and event.outcome:success and\n not user_agent.name: (\"Chrome\" or \"Firefox\" or \"Safari\" or \"Edge\" or \"Brave\" or \"Opera\" or \"aws-cli\")\n", "references": ["https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html", "http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": true, "name": "user_agent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a00681e3-9ed6-447c-ab2c-be648821c622", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", 
"severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1528", "name": "Steal Application Access Token", "reference": "https://attack.mitre.org/techniques/T1528/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 207}, "id": "a00681e3-9ed6-447c-ab2c-be648821c622_207", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_308.json b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_308.json
deleted file mode 100644
index 599f5268c27..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_308.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Nick Jones", "Elastic"], "description": "An adversary equipped with compromised credentials may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive material.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be using GetSecretString API for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "history_window_start": "now-15d", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", "new_terms_fields": ["aws.cloudtrail.user_identity.access_key_id", "aws.cloudtrail.request_parameters"], "note": "## Triage and analysis\n\n### Investigating First Time Seen AWS Secret Value Accessed in Secrets Manager\n\nAWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.\n\nThis rule looks for the retrieval of credentials using `GetSecretValue` action in Secrets Manager programmatically. This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has successfuly retrieved a secret value from Secrets Manager.\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment, and inspect the related policy.\n- Identify the applications that should use this account.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Review IAM permission policies for the user identity and specific secrets accessed.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. 
Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and\n event.action:GetSecretValue and event.outcome:success and\n not user_agent.name: (\"Chrome\" or \"Firefox\" or \"Safari\" or \"Edge\" or \"Brave\" or \"Opera\" or \"aws-cli\")\n", "references": ["https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html", "http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": true, "name": "user_agent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a00681e3-9ed6-447c-ab2c-be648821c622", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", 
"severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1528", "name": "Steal Application Access Token", "reference": "https://attack.mitre.org/techniques/T1528/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 308}, "id": "a00681e3-9ed6-447c-ab2c-be648821c622_308", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_309.json b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_309.json
deleted file mode 100644
index 09cb65bd6af..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_309.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Nick Jones", "Elastic"], "description": "An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time a specific user identity has programmatically retrieved a specific secret value from Secrets Manager using the `GetSecretValue` action. This rule assumes that AWS services such as Lambda functions and EC2 instances are setup with IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service would rely on the compromised service's IAM role to access the secrets in Secrets Manager.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be using GetSecretString API for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "history_window_start": "now-15d", "index": ["filebeat-*", "logs-aws.cloudtrail*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", "new_terms_fields": ["user.id", "aws.cloudtrail.request_parameters"], "note": "## Triage and analysis\n\n### Investigating First Time Seen AWS Secret Value Accessed in Secrets Manager\n\nAWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.\n\nThis rule looks for the retrieval of credentials using `GetSecretValue` action in Secrets Manager programmatically. 
This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has successfuly retrieved a specific secret value from Secrets Manager within the last 15 days.\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment, and inspect the related policy.\n- Identify the applications that should use this account.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Review IAM permission policies for the user identity and specific secrets accessed.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. 
Tuning is needed in order to have higher confidence. Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and\n event.action:GetSecretValue and event.outcome:success and aws.cloudtrail.user_identity.session_context.session_issuer.type: Role and\n not user_agent.name: (\"Chrome\" or \"Firefox\" or \"Safari\" or \"Edge\" or \"Brave\" or \"Opera\")\n", "references": ["https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html", "https://detectioninthe.cloud/ttps/credential_access/access_secret_in_secrets_manager/", "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.user_identity.session_context.session_issuer.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": 
"keyword"}, {"ecs": true, "name": "user_agent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a00681e3-9ed6-447c-ab2c-be648821c622", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1528", "name": "Steal Application Access Token", "reference": "https://attack.mitre.org/techniques/T1528/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 309}, "id": "a00681e3-9ed6-447c-ab2c-be648821c622_309", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_310.json b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_310.json
deleted file mode 100644
index 7f8b9250895..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_310.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Nick Jones", "Elastic"], "description": "An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time a specific user identity has programmatically retrieved a specific secret value from Secrets Manager using the `GetSecretValue` action. This rule assumes that AWS services such as Lambda functions and EC2 instances are setup with IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service would rely on the compromised service's IAM role to access the secrets in Secrets Manager.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be using GetSecretString API for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "history_window_start": "now-15d", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", "new_terms_fields": ["user.id", "aws.cloudtrail.request_parameters"], "note": "## Triage and analysis\n\n### Investigating First Time Seen AWS Secret Value Accessed in Secrets Manager\n\nAWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.\n\nThis rule looks for the retrieval of credentials using `GetSecretValue` action in Secrets Manager programmatically. 
This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has successfuly retrieved a specific secret value from Secrets Manager within the last 15 days.\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment, and inspect the related policy.\n- Identify the applications that should use this account.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Review IAM permission policies for the user identity and specific secrets accessed.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. 
Tuning is needed in order to have higher confidence. Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and\n event.action:GetSecretValue and event.outcome:success and aws.cloudtrail.user_identity.session_context.session_issuer.type: Role and\n not user_agent.name: (\"Chrome\" or \"Firefox\" or \"Safari\" or \"Edge\" or \"Brave\" or \"Opera\")\n", "references": ["https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html", "https://detectioninthe.cloud/ttps/credential_access/access_secret_in_secrets_manager/", "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.user_identity.session_context.session_issuer.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": 
"keyword"}, {"ecs": true, "name": "user_agent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a00681e3-9ed6-447c-ab2c-be648821c622", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1528", "name": "Steal Application Access Token", "reference": "https://attack.mitre.org/techniques/T1528/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 310}, "id": "a00681e3-9ed6-447c-ab2c-be648821c622_310", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_311.json b/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_311.json
deleted file mode 100644
index d7b711d61c8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a00681e3-9ed6-447c-ab2c-be648821c622_311.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Nick Jones", "Elastic"], "description": "An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time a specific user identity has programmatically retrieved a specific secret value from Secrets Manager using the `GetSecretValue` action. This rule assumes that AWS services such as Lambda functions and EC2 instances are setup with IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service would rely on the compromised service's IAM role to access the secrets in Secrets Manager.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be using GetSecretString API for the specified SecretId. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "history_window_start": "now-15d", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", "new_terms_fields": ["user.id", "aws.cloudtrail.request_parameters"], "note": "## Triage and analysis\n\n### Investigating First Time Seen AWS Secret Value Accessed in Secrets Manager\n\nAWS Secrets Manager is a service that enables the replacement of hardcoded credentials in code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically.\n\nThis rule looks for the retrieval of credentials using `GetSecretValue` action in Secrets Manager programmatically. 
This is a [New Terms](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-new-terms-rule) rule indicating this is the first time a specific user identity has successfuly retrieved a specific secret value from Secrets Manager within the last 15 days.\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment, and inspect the related policy.\n- Identify the applications that should use this account.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Review IAM permission policies for the user identity and specific secrets accessed.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. 
Tuning is needed in order to have higher confidence. Consider adding exceptions \u2014 preferably with a combination of user agent and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:secretsmanager.amazonaws.com and\n event.action:GetSecretValue and event.outcome:success and aws.cloudtrail.user_identity.session_context.session_issuer.type: Role and\n not user_agent.name: (\"Chrome\" or \"Firefox\" or \"Safari\" or \"Edge\" or \"Brave\" or \"Opera\")\n", "references": ["https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html", "https://detectioninthe.cloud/ttps/credential_access/access_secret_in_secrets_manager/", "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.user_identity.session_context.session_issuer.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": 
"keyword"}, {"ecs": true, "name": "user_agent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a00681e3-9ed6-447c-ab2c-be648821c622", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1528", "name": "Steal Application Access Token", "reference": "https://attack.mitre.org/techniques/T1528/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 311}, "id": "a00681e3-9ed6-447c-ab2c-be648821c622_311", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb.json b/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb.json deleted file mode 100644 index cbe13c95ef5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "A scheduled task was updated", "query": "iam where event.action == \"scheduled-task-updated\" and\n\n /* excluding tasks created by the computer account */\n not user.name : \"*$\" and \n not winlog.event_data.TaskName : \"*Microsoft*\" and \n not winlog.event_data.TaskName :\n (\"\\\\User_Feed_Synchronization-*\",\n \"\\\\OneDrive Reporting Task-S-1-5-21*\",\n \"\\\\OneDrive Reporting Task-S-1-12-1-*\",\n \"\\\\Hewlett-Packard\\\\HP Web Products Detection\",\n \"\\\\Hewlett-Packard\\\\HPDeviceCheck\", \n \"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\UpdateAssistant\", \n \"\\\\IpamDnsProvisioning\", \n \"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\UpdateAssistantAllUsersRun\", \n \"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\UpdateAssistantCalendarRun\", \n \"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\UpdateAssistantWakeupRun\", \n \"\\\\Microsoft\\\\Windows\\\\.NET Framework\\\\.NET Framework NGEN v*\", \n \"\\\\Microsoft\\\\VisualStudio\\\\Updates\\\\BackgroundDownload\") and \n not winlog.event_data.SubjectUserSid : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, 
{"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TaskName", "type": "unknown"}], "risk_score": 47, "rule_id": "a02cb68e-7c93-48d1-93b2-2c39023308eb", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 9}, "id": "a02cb68e-7c93-48d1-93b2-2c39023308eb", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_5.json b/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_5.json deleted file mode 100644 index 61dae1f6526..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "A scheduled task was updated", "query": "iam where host.os.type == \"windows\" and event.action == \"scheduled-task-updated\" and\n\n /* excluding tasks created by the computer account */\n not user.name : \"*$\" and\n not winlog.event_data.TaskName :\n (\"\\\\User_Feed_Synchronization-*\",\n \"\\\\OneDrive Reporting Task-S-1-5-21*\",\n \"\\\\OneDrive Reporting Task-S-1-12-1-*\",\n \"\\\\Hewlett-Packard\\\\HP Web Products Detection\",\n \"\\\\Hewlett-Packard\\\\HPDeviceCheck\")\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TaskName", "type": "unknown"}], "risk_score": 21, "rule_id": "a02cb68e-7c93-48d1-93b2-2c39023308eb", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", 
"subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "a02cb68e-7c93-48d1-93b2-2c39023308eb_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_6.json b/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_6.json deleted file mode 100644 index 3610fb5cb4e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "A scheduled task was updated", "query": "iam where event.action == \"scheduled-task-updated\" and\n\n /* excluding tasks created by the computer account */\n not user.name : \"*$\" and\n not winlog.event_data.TaskName :\n (\"\\\\User_Feed_Synchronization-*\",\n \"\\\\OneDrive Reporting Task-S-1-5-21*\",\n \"\\\\OneDrive Reporting Task-S-1-12-1-*\",\n \"\\\\Hewlett-Packard\\\\HP Web Products Detection\",\n \"\\\\Hewlett-Packard\\\\HPDeviceCheck\")\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TaskName", "type": "unknown"}], "risk_score": 21, "rule_id": "a02cb68e-7c93-48d1-93b2-2c39023308eb", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": 
"https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "a02cb68e-7c93-48d1-93b2-2c39023308eb_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_7.json b/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_7.json deleted file mode 100644 index e8dbed3c0e7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "A scheduled task was updated", "query": "iam where event.action == \"scheduled-task-updated\" and\n\n /* excluding tasks created by the computer account */\n not user.name : \"*$\" and\n not winlog.event_data.TaskName :\n (\"\\\\User_Feed_Synchronization-*\",\n \"\\\\OneDrive Reporting Task-S-1-5-21*\",\n \"\\\\OneDrive Reporting Task-S-1-12-1-*\",\n \"\\\\Hewlett-Packard\\\\HP Web Products Detection\",\n \"\\\\Hewlett-Packard\\\\HPDeviceCheck\")\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TaskName", "type": "unknown"}], "risk_score": 21, "rule_id": "a02cb68e-7c93-48d1-93b2-2c39023308eb", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", 
"reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "a02cb68e-7c93-48d1-93b2-2c39023308eb_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_8.json b/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_8.json deleted file mode 100644 index 6b08fd3701a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "A scheduled task was updated", "query": "iam where event.action == \"scheduled-task-updated\" and\n\n /* excluding tasks created by the computer account */\n not user.name : \"*$\" and \n not winlog.event_data.TaskName : \"*Microsoft*\" and \n not winlog.event_data.TaskName :\n (\"\\\\User_Feed_Synchronization-*\",\n \"\\\\OneDrive Reporting Task-S-1-5-21*\",\n \"\\\\OneDrive Reporting Task-S-1-12-1-*\",\n \"\\\\Hewlett-Packard\\\\HP Web Products Detection\",\n \"\\\\Hewlett-Packard\\\\HPDeviceCheck\", \n \"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\UpdateAssistant\", \n \"\\\\IpamDnsProvisioning\", \n \"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\UpdateAssistantAllUsersRun\", \n \"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\UpdateAssistantCalendarRun\", \n \"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\UpdateAssistantWakeupRun\", \n \"\\\\Microsoft\\\\Windows\\\\.NET Framework\\\\.NET Framework NGEN v*\", \n \"\\\\Microsoft\\\\VisualStudio\\\\Updates\\\\BackgroundDownload\") and \n not winlog.event_data.SubjectUserSid : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, 
{"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TaskName", "type": "unknown"}], "risk_score": 47, "rule_id": "a02cb68e-7c93-48d1-93b2-2c39023308eb", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "a02cb68e-7c93-48d1-93b2-2c39023308eb_8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_9.json b/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_9.json deleted file mode 100644 index 6b218e948fe..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a02cb68e-7c93-48d1-93b2-2c39023308eb_9.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "A scheduled task was updated", "query": "iam where event.action == \"scheduled-task-updated\" and\n\n /* excluding tasks created by the computer account */\n not user.name : \"*$\" and \n not winlog.event_data.TaskName : \"*Microsoft*\" and \n not winlog.event_data.TaskName :\n (\"\\\\User_Feed_Synchronization-*\",\n \"\\\\OneDrive Reporting Task-S-1-5-21*\",\n \"\\\\OneDrive Reporting Task-S-1-12-1-*\",\n \"\\\\Hewlett-Packard\\\\HP Web Products Detection\",\n \"\\\\Hewlett-Packard\\\\HPDeviceCheck\", \n \"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\UpdateAssistant\", \n \"\\\\IpamDnsProvisioning\", \n \"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\UpdateAssistantAllUsersRun\", \n \"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\UpdateAssistantCalendarRun\", \n \"\\\\Microsoft\\\\Windows\\\\UpdateOrchestrator\\\\UpdateAssistantWakeupRun\", \n \"\\\\Microsoft\\\\Windows\\\\.NET Framework\\\\.NET Framework NGEN v*\", \n \"\\\\Microsoft\\\\VisualStudio\\\\Updates\\\\BackgroundDownload\") and \n not winlog.event_data.SubjectUserSid : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, 
{"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserSid", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TaskName", "type": "unknown"}], "risk_score": 47, "rule_id": "a02cb68e-7c93-48d1-93b2-2c39023308eb", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 9}, "id": "a02cb68e-7c93-48d1-93b2-2c39023308eb_9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a0ddb77b-0318-41f0-91e4-8c1b5528834f.json b/packages/security_detection_engine/kibana/security_rule/a0ddb77b-0318-41f0-91e4-8c1b5528834f.json deleted file mode 100644 index dc02e0ff0f4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a0ddb77b-0318-41f0-91e4-8c1b5528834f.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule monitors for the execution of a system command with setuid or setgid capabilities via Python, followed by a uid or gid change to the root user. This sequence of events may indicate successful privilege escalation. Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. Threat actors can exploit these attributes to escalate privileges to the privileges that are set on the binary that is being executed.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via Python cap_setuid", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.args : \"import os;os.set?id(0);os.system(*)\" and process.args : \"*python*\" and user.id != \"0\"]\n [process where host.os.type == \"linux\" and event.action in (\"uid_change\", \"gid_change\") and event.type == \"change\" and \n (user.id == \"0\" or group.id == \"0\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "group.id", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "a0ddb77b-0318-41f0-91e4-8c1b5528834f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into 
the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.001", "name": "Setuid and Setgid", "reference": "https://attack.mitre.org/techniques/T1548/001/"}]}]}], "type": "eql", "version": 3}, "id": "a0ddb77b-0318-41f0-91e4-8c1b5528834f", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a0ddb77b-0318-41f0-91e4-8c1b5528834f_1.json b/packages/security_detection_engine/kibana/security_rule/a0ddb77b-0318-41f0-91e4-8c1b5528834f_1.json deleted file mode 100644 index 2c940f6723d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a0ddb77b-0318-41f0-91e4-8c1b5528834f_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule monitors for the execution of a system command with setuid or setgid capabilities via Python, followed by a uid or gid change to the root user. This sequence of events may indicate successful privilege escalation. Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. Threat actors can exploit these attributes to escalate privileges to the privileges that are set on the binary that is being executed.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via Python cap_setuid", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.args : \"import os;os.set?id(0);os.system(*)\" and process.args : \"*python*\" and user.id != \"0\"]\n [process where host.os.type == \"linux\" and event.action in (\"uid_change\", \"gid_change\") and event.type == \"change\" and \n (user.id == \"0\" or group.id == \"0\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "group.id", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "a0ddb77b-0318-41f0-91e4-8c1b5528834f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic 
Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.001", "name": "Setuid and Setgid", "reference": "https://attack.mitre.org/techniques/T1548/001/"}]}]}], "type": "eql", "version": 1}, "id": "a0ddb77b-0318-41f0-91e4-8c1b5528834f_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a0ddb77b-0318-41f0-91e4-8c1b5528834f_2.json b/packages/security_detection_engine/kibana/security_rule/a0ddb77b-0318-41f0-91e4-8c1b5528834f_2.json deleted file mode 100644 index 401303289a3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a0ddb77b-0318-41f0-91e4-8c1b5528834f_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule monitors for the execution of a system command with setuid or setgid capabilities via Python, followed by a uid or gid change to the root user. This sequence of events may indicate successful privilege escalation. Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. Threat actors can exploit these attributes to escalate privileges to the privileges that are set on the binary that is being executed.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via Python cap_setuid", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.args : \"import os;os.set?id(0);os.system(*)\" and process.args : \"*python*\" and user.id != \"0\"]\n [process where host.os.type == \"linux\" and event.action in (\"uid_change\", \"gid_change\") and event.type == \"change\" and \n (user.id == \"0\" or group.id == \"0\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "group.id", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "a0ddb77b-0318-41f0-91e4-8c1b5528834f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the 
Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.001", "name": "Setuid and Setgid", "reference": "https://attack.mitre.org/techniques/T1548/001/"}]}]}], "type": "eql", "version": 2}, "id": "a0ddb77b-0318-41f0-91e4-8c1b5528834f_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5.json b/packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5.json deleted file mode 100644 index 0aa38f4af09..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A topic is used to forward messages from publishers to subscribers.", "false_positives": ["Topic creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Pub/Sub Topic Creation", "note": "", "query": "event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success\n", "references": ["https://cloud.google.com/pubsub/docs/admin"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "a10d3d9d-0f65-48f1-8b25-af175e2594f5", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Collection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1530", "name": "Data from Cloud Storage", "reference": "https://attack.mitre.org/techniques/T1530/"}]}], "timestamp_override": "event.ingested", "type": 
"query", "version": 105}, "id": "a10d3d9d-0f65-48f1-8b25-af175e2594f5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5_104.json b/packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5_104.json
deleted file mode 100644
index bdd4be6f910..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a10d3d9d-0f65-48f1-8b25-af175e2594f5_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a topic in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A topic is used to forward messages from publishers to subscribers.", "false_positives": ["Topic creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Topic creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Pub/Sub Topic Creation", "note": "", "query": "event.dataset:gcp.audit and event.action:google.pubsub.v*.Publisher.CreateTopic and event.outcome:success\n", "references": ["https://cloud.google.com/pubsub/docs/admin"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "a10d3d9d-0f65-48f1-8b25-af175e2594f5", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Log Auditing"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1530", "name": "Data from Cloud Storage", "reference": "https://attack.mitre.org/techniques/T1530/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 
104}, "id": "a10d3d9d-0f65-48f1-8b25-af175e2594f5_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf.json b/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf.json
deleted file mode 100644
index 871c956a151..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "InstallUtil Process Making Network Connections", "query": "/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\n\nsequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"installutil.exe\"]\n [network where host.os.type == \"windows\" and process.name : \"installutil.exe\" and network.direction : (\"outgoing\", \"egress\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a13167f1-eec2-4015-9631-1fee60406dcf", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.004", "name": "InstallUtil", "reference": 
"https://attack.mitre.org/techniques/T1218/004/"}]}]}], "type": "eql", "version": 107}, "id": "a13167f1-eec2-4015-9631-1fee60406dcf", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_103.json b/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_103.json
deleted file mode 100644
index 9d68013141d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "InstallUtil Process Making Network Connections", "query": "/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\n\nsequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"installutil.exe\"]\n [network where host.os.type == \"windows\" and process.name : \"installutil.exe\" and network.direction : (\"outgoing\", \"egress\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a13167f1-eec2-4015-9631-1fee60406dcf", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.004", "name": "InstallUtil", "reference": "https://attack.mitre.org/techniques/T1218/004/"}]}]}], "type": "eql", "version": 103}, "id": "a13167f1-eec2-4015-9631-1fee60406dcf_103", "type": 
"security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_104.json b/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_104.json
deleted file mode 100644
index 0f977309e51..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "InstallUtil Process Making Network Connections", "query": "/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\n\nsequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"installutil.exe\"]\n [network where host.os.type == \"windows\" and process.name : \"installutil.exe\" and network.direction : (\"outgoing\", \"egress\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a13167f1-eec2-4015-9631-1fee60406dcf", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.004", "name": "InstallUtil", "reference": "https://attack.mitre.org/techniques/T1218/004/"}]}]}], "type": "eql", "version": 104}, "id": 
"a13167f1-eec2-4015-9631-1fee60406dcf_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_105.json b/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_105.json
deleted file mode 100644
index 3578bda6c88..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "InstallUtil Process Making Network Connections", "query": "/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\n\nsequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"installutil.exe\"]\n [network where host.os.type == \"windows\" and process.name : \"installutil.exe\" and network.direction : (\"outgoing\", \"egress\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a13167f1-eec2-4015-9631-1fee60406dcf", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.004", "name": "InstallUtil", "reference": "https://attack.mitre.org/techniques/T1218/004/"}]}]}], "type": "eql", "version": 105}, "id": 
"a13167f1-eec2-4015-9631-1fee60406dcf_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_106.json b/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_106.json
deleted file mode 100644
index 50e462e99c9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "InstallUtil Process Making Network Connections", "query": "/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\n\nsequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"installutil.exe\"]\n [network where host.os.type == \"windows\" and process.name : \"installutil.exe\" and network.direction : (\"outgoing\", \"egress\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a13167f1-eec2-4015-9631-1fee60406dcf", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.004", "name": "InstallUtil", "reference": "https://attack.mitre.org/techniques/T1218/004/"}]}]}], 
"type": "eql", "version": 106}, "id": "a13167f1-eec2-4015-9631-1fee60406dcf_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_107.json b/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_107.json
deleted file mode 100644
index ea418f431e0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a13167f1-eec2-4015-9631-1fee60406dcf_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies InstallUtil.exe making outbound network connections. This may indicate adversarial activity as InstallUtil is often leveraged by adversaries to execute code and evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "InstallUtil Process Making Network Connections", "query": "/* the benefit of doing this as an eql sequence vs kql is this will limit to alerting only on the first network connection */\n\nsequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"installutil.exe\"]\n [network where host.os.type == \"windows\" and process.name : \"installutil.exe\" and network.direction : (\"outgoing\", \"egress\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a13167f1-eec2-4015-9631-1fee60406dcf", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.004", "name": "InstallUtil", "reference": 
"https://attack.mitre.org/techniques/T1218/004/"}]}]}], "type": "eql", "version": 107}, "id": "a13167f1-eec2-4015-9631-1fee60406dcf_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4.json b/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4.json
deleted file mode 100644
index b4e96cf5d9d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "File Deletion via Shred", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.name == \"shred\" and process.args in (\n \"-u\", \"--remove\", \"-z\", \"--zero\"\n) and not process.parent.name == \"logrotate\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "a1329140-8de3-4445-9f87-908fb6d824f4", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "a1329140-8de3-4445-9f87-908fb6d824f4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_103.json b/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_103.json deleted file mode 100644 index 0f2bcc7bb41..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "File Deletion via Shred", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:shred and\n process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "a1329140-8de3-4445-9f87-908fb6d824f4", "severity": "low", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "a1329140-8de3-4445-9f87-908fb6d824f4_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_104.json b/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_104.json
deleted file mode 100644
index 4f0f9a3eff2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "File Deletion via Shred", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:shred and\n process.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "a1329140-8de3-4445-9f87-908fb6d824f4", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "a1329140-8de3-4445-9f87-908fb6d824f4_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_105.json b/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_105.json
deleted file mode 100644
index fdc28316062..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "File Deletion via Shred", "query": "event.category:process and host.os.type:linux and event.type:start and process.name:shred and\nprocess.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\") and not process.parent.name:logrotate\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "a1329140-8de3-4445-9f87-908fb6d824f4", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "a1329140-8de3-4445-9f87-908fb6d824f4_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_106.json b/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_106.json
deleted file mode 100644
index f34b6057e75..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "File Deletion via Shred", "query": "event.category:process and host.os.type:linux and event.type:start and process.name:shred and\nprocess.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\") and not process.parent.name:logrotate\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "a1329140-8de3-4445-9f87-908fb6d824f4", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "a1329140-8de3-4445-9f87-908fb6d824f4_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_107.json b/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_107.json
deleted file mode 100644
index 4b8db3cfc93..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "File Deletion via Shred", "query": "event.category:process and host.os.type:linux and event.type:start and process.name:shred and\nprocess.args:(\"-u\" or \"--remove\" or \"-z\" or \"--zero\") and not process.parent.name:logrotate\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "a1329140-8de3-4445-9f87-908fb6d824f4", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "a1329140-8de3-4445-9f87-908fb6d824f4_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_108.json b/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_108.json
deleted file mode 100644
index 34c94c90762..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a1329140-8de3-4445-9f87-908fb6d824f4_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Malware or other files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "File Deletion via Shred", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and process.name == \"shred\" and process.args in (\n \"-u\", \"--remove\", \"-z\", \"--zero\"\n) and not process.parent.name == \"logrotate\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "a1329140-8de3-4445-9f87-908fb6d824f4", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "a1329140-8de3-4445-9f87-908fb6d824f4_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00.json b/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00.json
deleted file mode 100644
index b6df6247cb3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential LSASS Clone Creation via PssCaptureSnapShot", "query": "process where host.os.type == \"windows\" and event.code:\"4688\" and\n process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n process.parent.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\"\n", "references": ["https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "a16612dd-b30e-4d41-86a0-ebe70974ec00", "setup": "## Setup\n\nThis is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use 
Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "a16612dd-b30e-4d41-86a0-ebe70974ec00", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_103.json b/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_103.json
deleted file mode 100644
index 352a0cf22a1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential LSASS Clone Creation via PssCaptureSnapShot", "note": "", "query": "process where host.os.type == \"windows\" and event.code:\"4688\" and\n process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n process.parent.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\"\n", "references": ["https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "a16612dd-b30e-4d41-86a0-ebe70974ec00", "setup": "This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": 
"https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "a16612dd-b30e-4d41-86a0-ebe70974ec00_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_104.json b/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_104.json
deleted file mode 100644
index 0ab22343afa..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential LSASS Clone Creation via PssCaptureSnapShot", "note": "", "query": "process where host.os.type == \"windows\" and event.code:\"4688\" and\n process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n process.parent.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\"\n", "references": ["https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "a16612dd-b30e-4d41-86a0-ebe70974ec00", "setup": "This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", 
"reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "a16612dd-b30e-4d41-86a0-ebe70974ec00_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_105.json b/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_105.json
deleted file mode 100644
index 783dba82653..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential LSASS Clone Creation via PssCaptureSnapShot", "query": "process where host.os.type == \"windows\" and event.code:\"4688\" and\n process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n process.parent.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\"\n", "references": ["https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "a16612dd-b30e-4d41-86a0-ebe70974ec00", "setup": "\nThis is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: 
Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "a16612dd-b30e-4d41-86a0-ebe70974ec00_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_106.json b/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_106.json
deleted file mode 100644
index 72199349b09..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential LSASS Clone Creation via PssCaptureSnapShot", "query": "process where host.os.type == \"windows\" and event.code:\"4688\" and\n process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n process.parent.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\"\n", "references": ["https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "a16612dd-b30e-4d41-86a0-ebe70974ec00", "setup": "## Setup\n\nThis is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use 
Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "a16612dd-b30e-4d41-86a0-ebe70974ec00_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_107.json b/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_107.json deleted file mode 100644 index bdf3f54e2f0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential LSASS Clone Creation via PssCaptureSnapShot", "query": "process where host.os.type == \"windows\" and event.code:\"4688\" and\n process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n process.parent.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\"\n", "references": ["https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "a16612dd-b30e-4d41-86a0-ebe70974ec00", "setup": "## Setup\n\nThis is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use 
Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "a16612dd-b30e-4d41-86a0-ebe70974ec00_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_207.json b/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_207.json deleted file mode 100644 index 5ff7f64c8c4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a16612dd-b30e-4d41-86a0-ebe70974ec00_207.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of an LSASS process clone via PssCaptureSnapShot where the parent process is the initial LSASS process instance. This may indicate an attempt to evade detection and dump LSASS memory for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential LSASS Clone Creation via PssCaptureSnapShot", "query": "process where host.os.type == \"windows\" and event.code:\"4688\" and\n process.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\" and\n process.parent.executable : \"?:\\\\Windows\\\\System32\\\\lsass.exe\"\n", "references": ["https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://medium.com/@Achilles8284/the-birth-of-a-process-part-2-97c6fb9c42a2"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "a16612dd-b30e-4d41-86a0-ebe70974ec00", "setup": "## Setup\n\nThis is meant to run only on datasources using Windows security event 4688 that captures the process clone creation.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use 
Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 207}, "id": "a16612dd-b30e-4d41-86a0-ebe70974ec00_207", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061.json b/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061.json deleted file mode 100644 index 4944fda3413..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux distribution by name. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Subsystem for Linux Distribution Installed", "note": "## Triage and analysis\n\n### Investigating Windows Subsystem for Linux Distribution Installed\n\nThe Windows Subsystem for Linux (WSL) lets developers install a Linux distribution (such as Ubuntu, OpenSUSE, Kali, Debian, Arch Linux, etc) and use Linux applications, utilities, and Bash command-line tools directly on Windows, unmodified, without the overhead of a traditional virtual machine or dualboot setup. Attackers may abuse WSL to avoid security protections on a Windows host and perform a wide range of attacks.\n\nThis rule identifies the installation of a new Windows Subsystem for Linux distribution via registry events.\n\n### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine which distribution was installed. Some distributions such as Kali Linux can facilitate the compromise of the environment.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and the WSL distribution is homologated and approved in the environment.\n\n### Related Rules\n\n- Host Files System Changes via Windows Subsystem for Linux - e88d1fe9-b2f4-48d4-bace-a026dc745d4b\n- Execution via Windows Subsystem for Linux - db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\n- Suspicious Execution via Windows Subsystem for Linux - 3e0eeb75-16e8-4f2f-9826-62461ca128b7\n- Windows Subsystem for Linux Enabled via Dism Utility - e2e0537d-7d8f-4910-a11d-559bcf61295a\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and registry.value : \"PackageFamilyName\" and\n registry.path : \n (\"HK*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\*\\\\PackageFamilyName\",\n \"\\\\REGISTRY\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\*\\\\PackageFamilyName\")\n", "references": ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "a1699af0-8e1e-4ed0-8ec1-89783538a061", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", "timeline_title": "Comprehensive Registry Timeline", 
"timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "a1699af0-8e1e-4ed0-8ec1-89783538a061", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_2.json b/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_2.json deleted file mode 100644 index cd85ea9c822..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux distribution by name. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Subsystem for Linux Distribution Installed", "query": "registry where host.os.type == \"windows\" and\n registry.path : \n (\"HK*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\*\\\\PackageFamilyName\",\n \"\\\\REGISTRY\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\*\\\\PackageFamilyName\")\n", "references": ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "a1699af0-8e1e-4ed0-8ec1-89783538a061", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", "timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "a1699af0-8e1e-4ed0-8ec1-89783538a061_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_3.json b/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_3.json
deleted file mode 100644
index 1e88827a8b7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux distribution by name. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Subsystem for Linux Distribution Installed", "query": "registry where host.os.type == \"windows\" and\n registry.path : \n (\"HK*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\*\\\\PackageFamilyName\",\n \"\\\\REGISTRY\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\*\\\\PackageFamilyName\")\n", "references": ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "a1699af0-8e1e-4ed0-8ec1-89783538a061", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", "timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "a1699af0-8e1e-4ed0-8ec1-89783538a061_3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_4.json b/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_4.json
deleted file mode 100644
index 9a0a183057b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux distribution by name. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Subsystem for Linux Distribution Installed", "query": "registry where host.os.type == \"windows\" and\n registry.path : \n (\"HK*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\*\\\\PackageFamilyName\",\n \"\\\\REGISTRY\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\*\\\\PackageFamilyName\")\n", "references": ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "a1699af0-8e1e-4ed0-8ec1-89783538a061", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", "timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "a1699af0-8e1e-4ed0-8ec1-89783538a061_4", "type": "security-rule"} \ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_5.json b/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_5.json
deleted file mode 100644
index ec65d07ea80..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux distribution by name. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Subsystem for Linux Distribution Installed", "note": "## Triage and analysis\n\n### Investigating Windows Subsystem for Linux Distribution Installed\n\nThe Windows Subsystem for Linux (WSL) lets developers install a Linux distribution (such as Ubuntu, OpenSUSE, Kali, Debian, Arch Linux, etc) and use Linux applications, utilities, and Bash command-line tools directly on Windows, unmodified, without the overhead of a traditional virtual machine or dualboot setup. Attackers may abuse WSL to avoid security protections on a Windows host and perform a wide range of attacks.\n\nThis rule identifies the installation of a new Windows Subsystem for Linux distribution via registry events.\n\n### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine which distribution was installed. Some distributions such as Kali Linux can facilitate the compromise of the environment.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and the WSL distribution is homologated and approved in the environment.\n\n### Related Rules\n\n- Host Files System Changes via Windows Subsystem for Linux - e88d1fe9-b2f4-48d4-bace-a026dc745d4b\n- Execution via Windows Subsystem for Linux - db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\n- Suspicious Execution via Windows Subsystem for Linux - 3e0eeb75-16e8-4f2f-9826-62461ca128b7\n- Windows Subsystem for Linux Enabled via Dism Utility - e2e0537d-7d8f-4910-a11d-559bcf61295a\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and\n registry.path : \n (\"HK*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\*\\\\PackageFamilyName\",\n \"\\\\REGISTRY\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\*\\\\PackageFamilyName\")\n", "references": ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "a1699af0-8e1e-4ed0-8ec1-89783538a061", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", "timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "a1699af0-8e1e-4ed0-8ec1-89783538a061_5", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_6.json b/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_6.json
deleted file mode 100644
index 6e9e8952c33..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux distribution by name. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Subsystem for Linux Distribution Installed", "note": "## Triage and analysis\n\n### Investigating Windows Subsystem for Linux Distribution Installed\n\nThe Windows Subsystem for Linux (WSL) lets developers install a Linux distribution (such as Ubuntu, OpenSUSE, Kali, Debian, Arch Linux, etc) and use Linux applications, utilities, and Bash command-line tools directly on Windows, unmodified, without the overhead of a traditional virtual machine or dualboot setup. Attackers may abuse WSL to avoid security protections on a Windows host and perform a wide range of attacks.\n\nThis rule identifies the installation of a new Windows Subsystem for Linux distribution via registry events.\n\n### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine which distribution was installed. Some distributions such as Kali Linux can facilitate the compromise of the environment.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and the WSL distribution is homologated and approved in the environment.\n\n### Related Rules\n\n- Host Files System Changes via Windows Subsystem for Linux - e88d1fe9-b2f4-48d4-bace-a026dc745d4b\n- Execution via Windows Subsystem for Linux - db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\n- Suspicious Execution via Windows Subsystem for Linux - 3e0eeb75-16e8-4f2f-9826-62461ca128b7\n- Windows Subsystem for Linux Enabled via Dism Utility - e2e0537d-7d8f-4910-a11d-559bcf61295a\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and\n registry.path : \n (\"HK*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\*\\\\PackageFamilyName\",\n \"\\\\REGISTRY\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\*\\\\PackageFamilyName\")\n", "references": ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "a1699af0-8e1e-4ed0-8ec1-89783538a061", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", "timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "a1699af0-8e1e-4ed0-8ec1-89783538a061_6", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_7.json b/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_7.json
deleted file mode 100644
index ce648ffa138..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux distribution by name. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Subsystem for Linux Distribution Installed", "note": "## Triage and analysis\n\n### Investigating Windows Subsystem for Linux Distribution Installed\n\nThe Windows Subsystem for Linux (WSL) lets developers install a Linux distribution (such as Ubuntu, OpenSUSE, Kali, Debian, Arch Linux, etc) and use Linux applications, utilities, and Bash command-line tools directly on Windows, unmodified, without the overhead of a traditional virtual machine or dualboot setup. Attackers may abuse WSL to avoid security protections on a Windows host and perform a wide range of attacks.\n\nThis rule identifies the installation of a new Windows Subsystem for Linux distribution via registry events.\n\n### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine which distribution was installed. Some distributions such as Kali Linux can facilitate the compromise of the environment.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and the WSL distribution is homologated and approved in the environment.\n\n### Related Rules\n\n- Host Files System Changes via Windows Subsystem for Linux - e88d1fe9-b2f4-48d4-bace-a026dc745d4b\n- Execution via Windows Subsystem for Linux - db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\n- Suspicious Execution via Windows Subsystem for Linux - 3e0eeb75-16e8-4f2f-9826-62461ca128b7\n- Windows Subsystem for Linux Enabled via Dism Utility - e2e0537d-7d8f-4910-a11d-559bcf61295a\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and\n registry.path : \n (\"HK*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\*\\\\PackageFamilyName\",\n \"\\\\REGISTRY\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\*\\\\PackageFamilyName\")\n", "references": ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "a1699af0-8e1e-4ed0-8ec1-89783538a061", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", "timeline_title": "Comprehensive Registry Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "a1699af0-8e1e-4ed0-8ec1-89783538a061_7", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_8.json b/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_8.json
deleted file mode 100644
index 8d3842a22b5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a1699af0-8e1e-4ed0-8ec1-89783538a061_8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects changes to the registry that indicates the install of a new Windows Subsystem for Linux distribution by name. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Subsystem for Linux Distribution Installed", "note": "## Triage and analysis\n\n### Investigating Windows Subsystem for Linux Distribution Installed\n\nThe Windows Subsystem for Linux (WSL) lets developers install a Linux distribution (such as Ubuntu, OpenSUSE, Kali, Debian, Arch Linux, etc) and use Linux applications, utilities, and Bash command-line tools directly on Windows, unmodified, without the overhead of a traditional virtual machine or dualboot setup. Attackers may abuse WSL to avoid security protections on a Windows host and perform a wide range of attacks.\n\nThis rule identifies the installation of a new Windows Subsystem for Linux distribution via registry events.\n\n### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine which distribution was installed. Some distributions such as Kali Linux can facilitate the compromise of the environment.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate that the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and the WSL distribution is homologated and approved in the environment.\n\n### Related Rules\n\n- Host Files System Changes via Windows Subsystem for Linux - e88d1fe9-b2f4-48d4-bace-a026dc745d4b\n- Execution via Windows Subsystem for Linux - db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\n- Suspicious Execution via Windows Subsystem for Linux - 3e0eeb75-16e8-4f2f-9826-62461ca128b7\n- Windows Subsystem for Linux Enabled via Dism Utility - e2e0537d-7d8f-4910-a11d-559bcf61295a\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and registry.value : \"PackageFamilyName\" and\n registry.path : \n (\"HK*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\*\\\\PackageFamilyName\",\n \"\\\\REGISTRY\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Lxss\\\\*\\\\PackageFamilyName\")\n", "references": ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "a1699af0-8e1e-4ed0-8ec1-89783538a061", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timeline_id": "3e47ef71-ebfc-4520-975c-cb27fc090799", "timeline_title": "Comprehensive Registry Timeline", 
"timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "a1699af0-8e1e-4ed0-8ec1-89783538a061_8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a.json b/packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a.json deleted file mode 100644 index 0a539a116d6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a Virtual Private Cloud (VPC) route is deleted in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may delete a route in order to impact the flow of network traffic in their target's cloud environment.", "false_positives": ["Virtual Private Cloud routes may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Virtual Private Cloud Route Deletion", "note": "", "query": "event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success\n", "references": ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.com/vpc/docs/using-routes"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "a17bcc91-297b-459b-b5ce-bc7460d8f82a", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": 
[{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "a17bcc91-297b-459b-b5ce-bc7460d8f82a", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a_103.json b/packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a_103.json deleted file mode 100644 index 6c1dfae940c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a17bcc91-297b-459b-b5ce-bc7460d8f82a_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a Virtual Private Cloud (VPC) route is deleted in Google Cloud Platform (GCP). Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These destinations can be inside a Google VPC network or outside it. An adversary may delete a route in order to impact the flow of network traffic in their target's cloud environment.", "false_positives": ["Virtual Private Cloud routes may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Virtual Private Cloud Route Deletion", "note": "", "query": "event.dataset:gcp.audit and event.action:v*.compute.routes.delete and event.outcome:success\n", "references": ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.com/vpc/docs/using-routes"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "a17bcc91-297b-459b-b5ce-bc7460d8f82a", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Configuration Audit", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": 
"T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "a17bcc91-297b-459b-b5ce-bc7460d8f82a_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a198fbbd-9413-45ec-a269-47ae4ccf59ce.json b/packages/security_detection_engine/kibana/security_rule/a198fbbd-9413-45ec-a269-47ae4ccf59ce.json deleted file mode 100644 index d3de1aee4dd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a198fbbd-9413-45ec-a269-47ae4ccf59ce.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule helps you test and practice using alerts with Elastic Security as you get set up. It\u2019s not a sign of threat activity.", "enabled": false, "false_positives": ["This rule is not looking for threat activity. Disable the rule if you're already familiar with alerts."], "from": "now-30m", "index": ["auditbeat-*", "filebeat-*", "logs-*", "winlogbeat-*"], "interval": "24h", "language": "kuery", "license": "Elastic License v2", "max_signals": 1, "name": "My First Rule", "note": "This is a test alert.\n\nThis alert does not show threat activity. Elastic created this alert to help you understand how alerts work.\n\nFor normal rules, the Investigation Guide will help analysts investigate alerts.\n\nThis alert will show once every 24 hours for each host. It is safe to disable this rule.\n", "query": "event.kind:event\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-rules.html"], "required_fields": [{"ecs": true, "name": "event.kind", "type": "keyword"}], "risk_score": 21, "rule_id": "a198fbbd-9413-45ec-a269-47ae4ccf59ce", "severity": "low", "tags": ["Use Case: Guided Onboarding"], "threshold": {"field": ["host.name"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 3}, "id": "a198fbbd-9413-45ec-a269-47ae4ccf59ce", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a198fbbd-9413-45ec-a269-47ae4ccf59ce_1.json b/packages/security_detection_engine/kibana/security_rule/a198fbbd-9413-45ec-a269-47ae4ccf59ce_1.json deleted file mode 100644 index 8991ba97c83..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a198fbbd-9413-45ec-a269-47ae4ccf59ce_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule helps you test and practice using alerts with Elastic Security as you get set up. It\u2019s not a sign of threat activity.", "enabled": false, "false_positives": ["This rule is not looking for threat activity. Disable the rule if you're already familiar with alerts."], "from": "now-24h", "index": ["apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "traces-apm*", "winlogbeat-*", "-*elastic-cloud-logs-*"], "interval": "24h", "language": "kuery", "license": "Elastic License v2", "max_signals": 1, "name": "My First Rule", "note": "This is a test alert.\n\nThis alert does not show threat activity. Elastic created this alert to help you understand how alerts work.\n\nFor normal rules, the Investigation Guide will help analysts investigate alerts.\n\nThis alert will show once every 24 hours for each host. It is safe to disable this rule.\n", "query": "event.kind:\"event\"\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-rules.html"], "required_fields": [{"ecs": true, "name": "event.kind", "type": "keyword"}], "risk_score": 21, "rule_id": "a198fbbd-9413-45ec-a269-47ae4ccf59ce", "severity": "low", "tags": ["Elastic", "Example", "Guided Onboarding", "Network", "APM", "Windows", "Elastic Endgame"], "threshold": {"field": ["host.name"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 1}, "id": "a198fbbd-9413-45ec-a269-47ae4ccf59ce_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a198fbbd-9413-45ec-a269-47ae4ccf59ce_2.json b/packages/security_detection_engine/kibana/security_rule/a198fbbd-9413-45ec-a269-47ae4ccf59ce_2.json deleted file mode 100644 index bc553ff2328..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a198fbbd-9413-45ec-a269-47ae4ccf59ce_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule helps you test and practice using alerts with Elastic Security as you get set up. It\u2019s not a sign of threat activity.", "enabled": false, "false_positives": ["This rule is not looking for threat activity. Disable the rule if you're already familiar with alerts."], "from": "now-24h", "index": ["apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "traces-apm*", "winlogbeat-*", "-*elastic-cloud-logs-*"], "interval": "24h", "language": "kuery", "license": "Elastic License v2", "max_signals": 1, "name": "My First Rule", "note": "This is a test alert.\n\nThis alert does not show threat activity. Elastic created this alert to help you understand how alerts work.\n\nFor normal rules, the Investigation Guide will help analysts investigate alerts.\n\nThis alert will show once every 24 hours for each host. It is safe to disable this rule.\n", "query": "event.kind:event\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-rules.html"], "required_fields": [{"ecs": true, "name": "event.kind", "type": "keyword"}], "risk_score": 21, "rule_id": "a198fbbd-9413-45ec-a269-47ae4ccf59ce", "severity": "low", "tags": ["Use Case: Guided Onboarding", "Data Source: APM", "OS: Windows", "Data Source: Elastic Endgame"], "threshold": {"field": ["host.name"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 2}, "id": "a198fbbd-9413-45ec-a269-47ae4ccf59ce_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856.json b/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856.json deleted file mode 100644 index 693d701c888..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell Activity via Terminal", "note": "## Triage and analysis\n\n### Investigating Potential Reverse Shell Activity via Terminal\n\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing. This activity is typically the result of vulnerability exploitation, malware infection, or penetration testing.\n\nThis rule identifies commands that are potentially related to reverse shell activities using shell applications.\n\n#### Possible investigation steps\n\n- Examine the command line and extract the target domain or IP address information.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where event.type in (\"start\", \"process_started\") and\n process.name in (\"sh\", \"bash\", \"zsh\", \"dash\", \"zmodload\") and\n process.args : (\"*/dev/tcp/*\", \"*/dev/udp/*\", \"*zsh/net/tcp*\", \"*zsh/net/udp*\") and\n\n /* noisy FPs */\n not (process.parent.name : \"timeout\" and process.executable : \"/var/lib/docker/overlay*\") and\n not process.command_line : (\n \"*/dev/tcp/sirh_db/*\", \"*/dev/tcp/remoteiot.com/*\", \"*dev/tcp/elk.stag.one/*\", \"*dev/tcp/kafka/*\",\n \"*/dev/tcp/$0/$1*\", \"*/dev/tcp/127.*\", \"*/dev/udp/127.*\", \"*/dev/tcp/localhost/*\", \"*/dev/tcp/itom-vault/*\") and\n not process.parent.command_line : \"runc init\"\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", "https://github.com/WangYihang/Reverse-Shell-Manager", 
"https://www.netsparker.com/blog/web-security/understanding-reverse-shells/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_103.json b/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_103.json
deleted file mode 100644
index 50cbba0729e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell Activity via Terminal", "note": "## Triage and analysis\n\n### Investigating Potential Reverse Shell Activity via Terminal\n\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing. This activity is typically the result of vulnerability exploitation, malware infection, or penetration testing.\n\nThis rule identifies commands that are potentially related to reverse shell activities using shell applications.\n\n#### Possible investigation steps\n\n- Examine the command line and extract the target domain or IP address information.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\") and\n process.name in (\"sh\", \"bash\", \"zsh\", \"dash\", \"zmodload\") and\n process.args : (\"*/dev/tcp/*\", \"*/dev/udp/*\", \"*zsh/net/tcp*\", \"*zsh/net/udp*\") and\n\n /* noisy FPs */\n not (process.parent.name : \"timeout\" and process.executable : \"/var/lib/docker/overlay*\") and\n not process.command_line : (\"*/dev/tcp/sirh_db/*\", \"*/dev/tcp/remoteiot.com/*\", \"*dev/tcp/elk.stag.one/*\", \"*dev/tcp/kafka/*\", \"*/dev/tcp/$0/$1*\", \"*/dev/tcp/127.*\", \"*/dev/udp/127.*\", \"*/dev/tcp/localhost/*\") and\n not process.parent.command_line : \"runc init\"\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", "https://github.com/WangYihang/Reverse-Shell-Manager", "https://www.netsparker.com/blog/web-security/understanding-reverse-shells/"], "related_integrations": 
[{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_104.json b/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_104.json deleted file mode 100644 index c28a4b6f922..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell Activity via Terminal", "note": "## Triage and analysis\n\n### Investigating Potential Reverse Shell Activity via Terminal\n\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing. This activity is typically the result of vulnerability exploitation, malware infection, or penetration testing.\n\nThis rule identifies commands that are potentially related to reverse shell activities using shell applications.\n\n#### Possible investigation steps\n\n- Examine the command line and extract the target domain or IP address information.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\") and\n process.name in (\"sh\", \"bash\", \"zsh\", \"dash\", \"zmodload\") and\n process.args : (\"*/dev/tcp/*\", \"*/dev/udp/*\", \"*zsh/net/tcp*\", \"*zsh/net/udp*\") and\n\n /* noisy FPs */\n not (process.parent.name : \"timeout\" and process.executable : \"/var/lib/docker/overlay*\") and\n not process.command_line : (\"*/dev/tcp/sirh_db/*\", \"*/dev/tcp/remoteiot.com/*\", \"*dev/tcp/elk.stag.one/*\", \"*dev/tcp/kafka/*\", \"*/dev/tcp/$0/$1*\", \"*/dev/tcp/127.*\", \"*/dev/udp/127.*\", \"*/dev/tcp/localhost/*\") and\n not process.parent.command_line : \"runc init\"\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", "https://github.com/WangYihang/Reverse-Shell-Manager", "https://www.netsparker.com/blog/web-security/understanding-reverse-shells/"], "related_integrations": 
[{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_105.json b/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_105.json deleted file mode 100644 index 00b6c1215d7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell Activity via Terminal", "note": "## Triage and analysis\n\n### Investigating Potential Reverse Shell Activity via Terminal\n\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing. This activity is typically the result of vulnerability exploitation, malware infection, or penetration testing.\n\nThis rule identifies commands that are potentially related to reverse shell activities using shell applications.\n\n#### Possible investigation steps\n\n- Examine the command line and extract the target domain or IP address information.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\") and\n process.name in (\"sh\", \"bash\", \"zsh\", \"dash\", \"zmodload\") and\n process.args : (\"*/dev/tcp/*\", \"*/dev/udp/*\", \"*zsh/net/tcp*\", \"*zsh/net/udp*\") and\n\n /* noisy FPs */\n not (process.parent.name : \"timeout\" and process.executable : \"/var/lib/docker/overlay*\") and\n not process.command_line : (\"*/dev/tcp/sirh_db/*\", \"*/dev/tcp/remoteiot.com/*\", \"*dev/tcp/elk.stag.one/*\", \"*dev/tcp/kafka/*\", \"*/dev/tcp/$0/$1*\", \"*/dev/tcp/127.*\", \"*/dev/udp/127.*\", \"*/dev/tcp/localhost/*\") and\n not process.parent.command_line : \"runc init\"\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", "https://github.com/WangYihang/Reverse-Shell-Manager", "https://www.netsparker.com/blog/web-security/understanding-reverse-shells/"], "related_integrations": 
[{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_106.json b/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_106.json deleted file mode 100644 index dfa2de6af91..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell Activity via Terminal", "note": "## Triage and analysis\n\n### Investigating Potential Reverse Shell Activity via Terminal\n\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing. This activity is typically the result of vulnerability exploitation, malware infection, or penetration testing.\n\nThis rule identifies commands that are potentially related to reverse shell activities using shell applications.\n\n#### Possible investigation steps\n\n- Examine the command line and extract the target domain or IP address information.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where event.type in (\"start\", \"process_started\") and\n process.name in (\"sh\", \"bash\", \"zsh\", \"dash\", \"zmodload\") and\n process.args : (\"*/dev/tcp/*\", \"*/dev/udp/*\", \"*zsh/net/tcp*\", \"*zsh/net/udp*\") and\n\n /* noisy FPs */\n not (process.parent.name : \"timeout\" and process.executable : \"/var/lib/docker/overlay*\") and\n not process.command_line : (\n \"*/dev/tcp/sirh_db/*\", \"*/dev/tcp/remoteiot.com/*\", \"*dev/tcp/elk.stag.one/*\", \"*dev/tcp/kafka/*\",\n \"*/dev/tcp/$0/$1*\", \"*/dev/tcp/127.*\", \"*/dev/udp/127.*\", \"*/dev/tcp/localhost/*\", \"*/dev/tcp/itom-vault/*\") and\n not process.parent.command_line : \"runc init\"\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", "https://github.com/WangYihang/Reverse-Shell-Manager", 
"https://www.netsparker.com/blog/web-security/understanding-reverse-shells/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_107.json b/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_107.json deleted file mode 100644 index e1fc2d42534..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell Activity via Terminal", "note": "## Triage and analysis\n\n### Investigating Potential Reverse Shell Activity via Terminal\n\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing. This activity is typically the result of vulnerability exploitation, malware infection, or penetration testing.\n\nThis rule identifies commands that are potentially related to reverse shell activities using shell applications.\n\n#### Possible investigation steps\n\n- Examine the command line and extract the target domain or IP address information.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where event.type in (\"start\", \"process_started\") and\n process.name in (\"sh\", \"bash\", \"zsh\", \"dash\", \"zmodload\") and\n process.args : (\"*/dev/tcp/*\", \"*/dev/udp/*\", \"*zsh/net/tcp*\", \"*zsh/net/udp*\") and\n\n /* noisy FPs */\n not (process.parent.name : \"timeout\" and process.executable : \"/var/lib/docker/overlay*\") and\n not process.command_line : (\n \"*/dev/tcp/sirh_db/*\", \"*/dev/tcp/remoteiot.com/*\", \"*dev/tcp/elk.stag.one/*\", \"*dev/tcp/kafka/*\",\n \"*/dev/tcp/$0/$1*\", \"*/dev/tcp/127.*\", \"*/dev/udp/127.*\", \"*/dev/tcp/localhost/*\", \"*/dev/tcp/itom-vault/*\") and\n not process.parent.command_line : \"runc init\"\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", "https://github.com/WangYihang/Reverse-Shell-Manager", 
"https://www.netsparker.com/blog/web-security/understanding-reverse-shells/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_108.json b/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_108.json
deleted file mode 100644
index 9ae5123f46b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a1a0375f-22c2-48c0-81a4-7c2d11cc6856_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell Activity via Terminal", "note": "## Triage and analysis\n\n### Investigating Potential Reverse Shell Activity via Terminal\n\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. Even private systems are vulnerable since the connection is outgoing. This activity is typically the result of vulnerability exploitation, malware infection, or penetration testing.\n\nThis rule identifies commands that are potentially related to reverse shell activities using shell applications.\n\n#### Possible investigation steps\n\n- Examine the command line and extract the target domain or IP address information.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where event.type in (\"start\", \"process_started\") and\n process.name in (\"sh\", \"bash\", \"zsh\", \"dash\", \"zmodload\") and\n process.args : (\"*/dev/tcp/*\", \"*/dev/udp/*\", \"*zsh/net/tcp*\", \"*zsh/net/udp*\") and\n\n /* noisy FPs */\n not (process.parent.name : \"timeout\" and process.executable : \"/var/lib/docker/overlay*\") and\n not process.command_line : (\n \"*/dev/tcp/sirh_db/*\", \"*/dev/tcp/remoteiot.com/*\", \"*dev/tcp/elk.stag.one/*\", \"*dev/tcp/kafka/*\",\n \"*/dev/tcp/$0/$1*\", \"*/dev/tcp/127.*\", \"*/dev/udp/127.*\", \"*/dev/tcp/localhost/*\", \"*/dev/tcp/itom-vault/*\") and\n not process.parent.command_line : \"runc init\"\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md", "https://github.com/WangYihang/Reverse-Shell-Manager", 
"https://www.netsparker.com/blog/web-security/understanding-reverse-shells/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "a1a0375f-22c2-48c0-81a4-7c2d11cc6856_108", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f.json b/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f.json
deleted file mode 100644
index 7af5023da4b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system.", "from": "now-9m", "index": ["filebeat-*", "logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "name": "Linux Group Creation", "note": "## Triage and analysis\n\n### Investigating Linux Group Creation\n\nThe `groupadd` and `addgroup` commands are used to create new user groups in Linux-based operating systems.\n\nAttackers may create new groups to maintain access to victim systems or escalate privileges by assigning a compromised account to a privileged group.\n\nThis rule identifies the usages of `groupadd` and `addgroup` to create new groups.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the group was created succesfully.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Identify if a user account was added to this group after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Group creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created group and, in case an account was added to this group, delete the account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "iam where host.os.type == \"linux\" and (event.type == \"group\" and event.type == \"creation\") and\nprocess.name in (\"groupadd\", \"addgroup\") and group.name != null\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "group.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f", "setup": "## Setup\n\nThis rule requires data coming in from Filebeat.\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the \u201cFilebeat System Module\u201d to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f", 
"type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_1.json b/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_1.json
deleted file mode 100644
index 4ffffb2123b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system.", "from": "now-9m", "index": ["logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "name": "Linux Group Creation", "query": "iam where host.os.type == \"linux\" and (event.type == \"group\" and event.type == \"creation\") and\nprocess.name in (\"groupadd\", \"addgroup\") and group.name != null\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "group.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_2.json b/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_2.json
deleted file mode 100644
index a9e4828a62f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system.", "from": "now-9m", "index": ["logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "name": "Linux Group Creation", "note": "## Triage and analysis\n\n### Investigating Linux Group Creation\n\nThe `groupadd` and `addgroup` commands are used to create new user groups in Linux-based operating systems.\n\nAttackers may create new groups to maintain access to victim systems or escalate privileges by assigning a compromised account to a privileged group.\n\nThis rule identifies the usages of `groupadd` and `addgroup` to create new groups.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the group was created succesfully.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Identify if a user account was added to this group after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Group creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created group and, in case an account was added to this group, delete the account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "iam where host.os.type == \"linux\" and (event.type == \"group\" and event.type == \"creation\") and\nprocess.name in (\"groupadd\", \"addgroup\") and group.name != null\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "group.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_3.json b/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_3.json
deleted file mode 100644
index 8bce734bdae..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system.", "from": "now-9m", "index": ["logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "name": "Linux Group Creation", "note": "## Triage and analysis\n\n### Investigating Linux Group Creation\n\nThe `groupadd` and `addgroup` commands are used to create new user groups in Linux-based operating systems.\n\nAttackers may create new groups to maintain access to victim systems or escalate privileges by assigning a compromised account to a privileged group.\n\nThis rule identifies the usages of `groupadd` and `addgroup` to create new groups.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the group was created succesfully.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Identify if a user account was added to this group after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Group creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created group and, in case an account was added to this group, delete the account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "iam where host.os.type == \"linux\" and (event.type == \"group\" and event.type == \"creation\") and\nprocess.name in (\"groupadd\", \"addgroup\") and group.name != null\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "group.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f", "setup": "\nThis rule requires data coming in from Filebeat.\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the \u201cFilebeat System Module\u201d to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": 
"a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_4.json b/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_4.json
deleted file mode 100644
index ab97d00f990..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system.", "from": "now-9m", "index": ["logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "name": "Linux Group Creation", "note": "## Triage and analysis\n\n### Investigating Linux Group Creation\n\nThe `groupadd` and `addgroup` commands are used to create new user groups in Linux-based operating systems.\n\nAttackers may create new groups to maintain access to victim systems or escalate privileges by assigning a compromised account to a privileged group.\n\nThis rule identifies the usages of `groupadd` and `addgroup` to create new groups.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the group was created succesfully.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Identify if a user account was added to this group after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Group creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created group and, in case an account was added to this group, delete the account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "iam where host.os.type == \"linux\" and (event.type == \"group\" and event.type == \"creation\") and\nprocess.name in (\"groupadd\", \"addgroup\") and group.name != null\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "group.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f", "setup": "## Setup\n\nThis rule requires data coming in from Filebeat.\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the \u201cFilebeat System Module\u201d to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_4", 
"type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_5.json b/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_5.json
deleted file mode 100644
index e0123c72167..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system.", "from": "now-9m", "index": ["filebeat-*", "logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "name": "Linux Group Creation", "note": "## Triage and analysis\n\n### Investigating Linux Group Creation\n\nThe `groupadd` and `addgroup` commands are used to create new user groups in Linux-based operating systems.\n\nAttackers may create new groups to maintain access to victim systems or escalate privileges by assigning a compromised account to a privileged group.\n\nThis rule identifies the usages of `groupadd` and `addgroup` to create new groups.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the group was created succesfully.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Identify if a user account was added to this group after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Group creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created group and, in case an account was added to this group, delete the account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "iam where host.os.type == \"linux\" and (event.type == \"group\" and event.type == \"creation\") and\nprocess.name in (\"groupadd\", \"addgroup\") and group.name != null\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "group.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f", "setup": "## Setup\n\nThis rule requires data coming in from Filebeat.\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the \u201cFilebeat System Module\u201d to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f_5", 
"type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04.json b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04.json
deleted file mode 100644
index 541e561a2c0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "DNS-over-HTTPS Enabled via Registry", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled\" and\n registry.data.strings : \"1\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode\" and\n registry.data.strings : \"secure\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\" and\n registry.data.strings : \"1\")\n", "references": ["https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "a22a09c2-2162-4df0-a356-9aacbeb56a04", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest 
pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "a22a09c2-2162-4df0-a356-9aacbeb56a04", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_103.json b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_103.json
deleted file mode 100644
index b099fe024f7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "DNS-over-HTTPS Enabled via Registry", "note": "", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled\" and\n registry.data.strings : \"1\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode\" and\n registry.data.strings : \"secure\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\" and\n registry.data.strings : \"1\")\n", "references": ["https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "a22a09c2-2162-4df0-a356-9aacbeb56a04", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to 
work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "a22a09c2-2162-4df0-a356-9aacbeb56a04_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_104.json b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_104.json
deleted file mode 100644
index d67f84f6367..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "DNS-over-HTTPS Enabled via Registry", "note": "", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled\" and\n registry.data.strings : \"1\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode\" and\n registry.data.strings : \"secure\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\" and\n registry.data.strings : \"1\")\n", "references": ["https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "a22a09c2-2162-4df0-a356-9aacbeb56a04", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to 
work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "a22a09c2-2162-4df0-a356-9aacbeb56a04_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_105.json b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_105.json
deleted file mode 100644
index 3f16dd6b2d6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "DNS-over-HTTPS Enabled via Registry", "note": "", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled\" and\n registry.data.strings : \"1\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode\" and\n registry.data.strings : \"secure\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\" and\n registry.data.strings : \"1\")\n", "references": ["https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "a22a09c2-2162-4df0-a356-9aacbeb56a04", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to 
work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "a22a09c2-2162-4df0-a356-9aacbeb56a04_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_106.json b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_106.json
deleted file mode 100644
index 00a7db78331..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "DNS-over-HTTPS Enabled via Registry", "note": "", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled\" and\n registry.data.strings : \"1\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode\" and\n registry.data.strings : \"secure\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\" and\n registry.data.strings : \"1\")\n", "references": ["https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "a22a09c2-2162-4df0-a356-9aacbeb56a04", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to 
work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}, {"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "a22a09c2-2162-4df0-a356-9aacbeb56a04_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_107.json b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_107.json
deleted file mode 100644
index 8fe365c94b6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "DNS-over-HTTPS Enabled via Registry", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled\" and\n registry.data.strings : \"1\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode\" and\n registry.data.strings : \"secure\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\" and\n registry.data.strings : \"1\")\n", "references": ["https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "a22a09c2-2162-4df0-a356-9aacbeb56a04", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}, {"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "a22a09c2-2162-4df0-a356-9aacbeb56a04_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_108.json b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_108.json
deleted file mode 100644
index 55b3db71c45..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "DNS-over-HTTPS Enabled via Registry", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled\" and\n registry.data.strings : \"1\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode\" and\n registry.data.strings : \"secure\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\" and\n registry.data.strings : \"1\")\n", "references": ["https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "a22a09c2-2162-4df0-a356-9aacbeb56a04", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom 
ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}, {"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "a22a09c2-2162-4df0-a356-9aacbeb56a04_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_109.json b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_109.json
deleted file mode 100644
index 0ce229521d8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "DNS-over-HTTPS Enabled via Registry", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled\" and\n registry.data.strings : \"1\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode\" and\n registry.data.strings : \"secure\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\" and\n registry.data.strings : \"1\")\n", "references": ["https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "a22a09c2-2162-4df0-a356-9aacbeb56a04", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add 
a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}, {"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "a22a09c2-2162-4df0-a356-9aacbeb56a04_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_110.json b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_110.json deleted file mode 100644 index 430594c7033..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "DNS-over-HTTPS Enabled via Registry", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled\" and\n registry.data.strings : \"1\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode\" and\n registry.data.strings : \"secure\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\" and\n registry.data.strings : \"1\")\n", "references": ["https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "a22a09c2-2162-4df0-a356-9aacbeb56a04", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add 
a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "a22a09c2-2162-4df0-a356-9aacbeb56a04_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_111.json b/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_111.json deleted file mode 100644 index 70b4f00b78d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a22a09c2-2162-4df0-a356-9aacbeb56a04_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type, response, and originating IP, which are used to determine bad actors.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "DNS-over-HTTPS Enabled via Registry", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Edge\\\\BuiltInDnsClientEnabled\" and\n registry.data.strings : \"1\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Google\\\\Chrome\\\\DnsOverHttpsMode\" and\n registry.data.strings : \"secure\") or\n (registry.path : \"*\\\\SOFTWARE\\\\Policies\\\\Mozilla\\\\Firefox\\\\DNSOverHTTPS\" and\n registry.data.strings : \"1\")\n", "references": ["https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "a22a09c2-2162-4df0-a356-9aacbeb56a04", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest 
pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "a22a09c2-2162-4df0-a356-9aacbeb56a04_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce.json deleted file mode 100644 index 5212cbd0413..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when the Google Marketplace restrictions are changed to allow any application for users in Google Workspace. Malicious APKs created by adversaries may be uploaded to the Google marketplace but not installed on devices managed within Google Workspace. Administrators should set restrictions to not allow any application from the marketplace for security reasons. Adversaries may enable any app to be installed and executed on mobile devices within a Google Workspace environment prior to distributing the malicious APK to the end user.", "false_positives": ["Applications can be added and removed from blocklists by Google Workspace administrators, but they can all be explicitly allowed for users. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-9m", "index": ["filebeat-*", "logs-google_workspace*"], "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Restrictions for Marketplace Modified to Allow Any App", "note": "## Triage and analysis\n\n### Investigating Google Workspace Restrictions for Marketplace Modified to Allow Any App\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. 
As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\n\nThis rule identifies when the global allow-all setting is enabled for Google Workspace Marketplace applications.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- Search for `event.action` is `ADD_APPLICATION` to identify applications installed after these changes were made.\n - The `google_workspace.admin.application.name` field will help identify what applications were added.\n- With the user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Google Workspace administrators may intentionally add an application from the marketplace based on organizational needs.\n - Follow up with the user who added the application to ensure this was intended.\n- Verify the application identified has been assessed thoroughly by an administrator.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the 
incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CHANGE_APPLICATION_SETTING\" and event.category:(iam or configuration)\n and google_workspace.event.type:\"APPLICATION_SETTINGS\" and google_workspace.admin.application.name:\"Google Workspace Marketplace\"\n and google_workspace.admin.setting.name:\"Apps Access Setting Allowlist access\" and google_workspace.admin.new_value:\"ALLOW_ALL\"\n", "references": ["https://support.google.com/a/answer/6089179?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.application.name", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.new_value", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.setting.name", "type": "keyword"}, {"ecs": false, "name": "google_workspace.event.type", "type": "keyword"}], "risk_score": 47, "rule_id": "a2795334-2499-11ed-9e1a-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Configuration Audit", "Tactic: Defense Evasion", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": 
"https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "a2795334-2499-11ed-9e1a-f661ea17fbce", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_104.json b/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_104.json deleted file mode 100644 index aab106c592b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when the Google Marketplace restrictions are changed to allow any application for users in Google Workspace. Malicious APKs created by adversaries may be uploaded to the Google marketplace but not installed on devices managed within Google Workspace. Administrators should set restrictions to not allow any application from the marketplace for security reasons. Adversaries may enable any app to be installed and executed on mobile devices within a Google Workspace environment prior to distributing the malicious APK to the end user.", "false_positives": ["Applications can be added and removed from blocklists by Google Workspace administrators, but they can all be explicitly allowed for users. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App", "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CHANGE_APPLICATION_SETTING\" and event.category:(iam or configuration)\n and google_workspace.event.type:\"APPLICATION_SETTINGS\" and google_workspace.admin.application.name:\"Google Workspace Marketplace\"\n and google_workspace.admin.setting.name:\"Apps Access Setting Allowlist access\" and google_workspace.admin.new_value:\"ALLOW_ALL\"\n", "references": ["https://support.google.com/a/answer/6089179?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.application.name", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.new_value", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.setting.name", "type": "keyword"}, {"ecs": false, "name": "google_workspace.event.type", "type": "keyword"}], "risk_score": 47, "rule_id": "a2795334-2499-11ed-9e1a-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Configuration Audit", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", 
"subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "a2795334-2499-11ed-9e1a-f661ea17fbce_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_105.json deleted file mode 100644 index 51afb3e6c28..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when the Google Marketplace restrictions are changed to allow any application for users in Google Workspace. Malicious APKs created by adversaries may be uploaded to the Google marketplace but not installed on devices managed within Google Workspace. Administrators should set restrictions to not allow any application from the marketplace for security reasons. Adversaries may enable any app to be installed and executed on mobile devices within a Google Workspace environment prior to distributing the malicious APK to the end user.", "false_positives": ["Applications can be added and removed from blocklists by Google Workspace administrators, but they can all be explicitly allowed for users. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App", "note": "## Triage and analysis\n\n### Investigating Google Workspace Restrictions for Google Marketplace Modified to Allow Any App\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. 
As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\n\nThis rule identifies when the global allow-all setting is enabled for Google Workspace Marketplace applications.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- Search for `event.action` is `ADD_APPLICATION` to identify applications installed after these changes were made.\n - The `google_workspace.admin.application.name` field will help identify what applications were added.\n- With the user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Google Workspace administrators may intentionally add an application from the marketplace based on organizational needs.\n - Follow up with the user who added the application to ensure this was intended.\n- Verify the application identified has been assessed thoroughly by an administrator.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the 
incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CHANGE_APPLICATION_SETTING\" and event.category:(iam or configuration)\n and google_workspace.event.type:\"APPLICATION_SETTINGS\" and google_workspace.admin.application.name:\"Google Workspace Marketplace\"\n and google_workspace.admin.setting.name:\"Apps Access Setting Allowlist access\" and google_workspace.admin.new_value:\"ALLOW_ALL\"\n", "references": ["https://support.google.com/a/answer/6089179?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.application.name", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.new_value", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.setting.name", "type": "keyword"}, {"ecs": false, "name": "google_workspace.event.type", "type": "keyword"}], "risk_score": 47, "rule_id": "a2795334-2499-11ed-9e1a-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Configuration Audit", "Defense Evasion", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": 
"https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "a2795334-2499-11ed-9e1a-f661ea17fbce_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_106.json b/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_106.json deleted file mode 100644 index b0c62ed817b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when the Google Marketplace restrictions are changed to allow any application for users in Google Workspace. Malicious APKs created by adversaries may be uploaded to the Google marketplace but not installed on devices managed within Google Workspace. Administrators should set restrictions to not allow any application from the marketplace for security reasons. Adversaries may enable any app to be installed and executed on mobile devices within a Google Workspace environment prior to distributing the malicious APK to the end user.", "false_positives": ["Applications can be added and removed from blocklists by Google Workspace administrators, but they can all be explicitly allowed for users. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Restrictions for Google Marketplace Modified to Allow Any App", "note": "## Triage and analysis\n\n### Investigating Google Workspace Restrictions for Google Marketplace Modified to Allow Any App\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. 
As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\n\nThis rule identifies when the global allow-all setting is enabled for Google Workspace Marketplace applications.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- Search for `event.action` is `ADD_APPLICATION` to identify applications installed after these changes were made.\n - The `google_workspace.admin.application.name` field will help identify what applications were added.\n- With the user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Google Workspace administrators may intentionally add an application from the marketplace based on organizational needs.\n - Follow up with the user who added the application to ensure this was intended.\n- Verify the application identified has been assessed thoroughly by an administrator.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the 
incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CHANGE_APPLICATION_SETTING\" and event.category:(iam or configuration)\n and google_workspace.event.type:\"APPLICATION_SETTINGS\" and google_workspace.admin.application.name:\"Google Workspace Marketplace\"\n and google_workspace.admin.setting.name:\"Apps Access Setting Allowlist access\" and google_workspace.admin.new_value:\"ALLOW_ALL\"\n", "references": ["https://support.google.com/a/answer/6089179?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.application.name", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.new_value", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.setting.name", "type": "keyword"}, {"ecs": false, "name": "google_workspace.event.type", "type": "keyword"}], "risk_score": 47, "rule_id": "a2795334-2499-11ed-9e1a-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Configuration Audit", "Tactic: Defense Evasion", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": 
"https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "a2795334-2499-11ed-9e1a-f661ea17fbce_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_107.json b/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_107.json deleted file mode 100644 index 6dce4182481..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a2795334-2499-11ed-9e1a-f661ea17fbce_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when the Google Marketplace restrictions are changed to allow any application for users in Google Workspace. Malicious APKs created by adversaries may be uploaded to the Google marketplace but not installed on devices managed within Google Workspace. Administrators should set restrictions to not allow any application from the marketplace for security reasons. Adversaries may enable any app to be installed and executed on mobile devices within a Google Workspace environment prior to distributing the malicious APK to the end user.", "false_positives": ["Applications can be added and removed from blocklists by Google Workspace administrators, but they can all be explicitly allowed for users. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-9m", "index": ["filebeat-*", "logs-google_workspace*"], "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Restrictions for Marketplace Modified to Allow Any App", "note": "## Triage and analysis\n\n### Investigating Google Workspace Restrictions for Marketplace Modified to Allow Any App\n\nGoogle Workspace Marketplace is an online store for free and paid web applications that work with Google Workspace services and third-party software. Listed applications are based on Google APIs or Google Apps Script and created by both Google and third-party developers.\n\nMarketplace applications require access to specific Google Workspace resources. Applications can be installed by individual users, if they have permission, or can be installed for an entire Google Workspace domain by administrators. Consent screens typically display what permissions and privileges the application requires during installation. 
As a result, malicious Marketplace applications may require more permissions than necessary or have malicious intent.\n\nGoogle clearly states that they are not responsible for any product on the Marketplace that originates from a source other than Google.\n\nThis rule identifies when the global allow-all setting is enabled for Google Workspace Marketplace applications.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- This rule relies on data from `google_workspace.admin`, thus indicating the associated user has administrative privileges to the Marketplace.\n- Search for `event.action` is `ADD_APPLICATION` to identify applications installed after these changes were made.\n - The `google_workspace.admin.application.name` field will help identify what applications were added.\n- With the user account, review other potentially related events within the last 48 hours.\n- Re-assess the permissions and reviews of the Marketplace applications to determine if they violate organizational policies or introduce unexpected risks.\n- With access to the Google Workspace admin console, determine if the application was installed domain-wide or individually by visiting `Apps > Google Workspace Marketplace Apps`.\n\n### False positive analysis\n\n- Identify the user account associated with this action and assess their administrative privileges with Google Workspace Marketplace.\n- Google Workspace administrators may intentionally add an application from the marketplace based on organizational needs.\n - Follow up with the user who added the application to ensure this was intended.\n- Verify the application identified has been assessed thoroughly by an administrator.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the 
incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CHANGE_APPLICATION_SETTING\" and event.category:(iam or configuration)\n and google_workspace.event.type:\"APPLICATION_SETTINGS\" and google_workspace.admin.application.name:\"Google Workspace Marketplace\"\n and google_workspace.admin.setting.name:\"Apps Access Setting Allowlist access\" and google_workspace.admin.new_value:\"ALLOW_ALL\"\n", "references": ["https://support.google.com/a/answer/6089179?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.application.name", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.new_value", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.setting.name", "type": "keyword"}, {"ecs": false, "name": "google_workspace.event.type", "type": "keyword"}], "risk_score": 47, "rule_id": "a2795334-2499-11ed-9e1a-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Configuration Audit", "Tactic: Defense Evasion", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": 
"https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "a2795334-2499-11ed-9e1a-f661ea17fbce_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a.json b/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a.json deleted file mode 100644 index c4ac74d4e3d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can be used to collect data from mailboxes. Adversaries may target user email to collect sensitive information.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Mailbox Collection Script", "note": "## Triage and analysis\n\n### Investigating PowerShell Mailbox Collection Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThis rule identifies scripts that contains methods and classes that can be abused to collect emails from local and remote mailboxes.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n - Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Related rules\n\n- Exporting Exchange Mailbox via PowerShell - 6aace640-e631-4870-ba8e-5fdda09325db\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n (\n powershell.file.script_block_text : (\n \"Microsoft.Office.Interop.Outlook\" or\n \"Interop.Outlook.olDefaultFolders\" or\n \"::olFolderInBox\"\n ) or\n powershell.file.script_block_text : (\n \"Microsoft.Exchange.WebServices.Data.Folder\" or\n \"Microsoft.Exchange.WebServices.Data.FileAttachment\"\n )\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/dafthack/MailSniper/blob/master/MailSniper.ps1", "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: 
Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", "name": "Local Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/001/"}, {"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 7}, "id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_2.json b/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_2.json deleted file mode 100644 index 965d78d44a5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can be used to collect data from mailboxes. Adversaries may target user email to collect sensitive information.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Mailbox Collection Script", "note": "## Triage and analysis\n\n### Investigating PowerShell Mailbox Collection Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThis rule identifies scripts that contains methods and classes that can be abused to collect emails from local and remote mailboxes.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n - Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Related rules\n\n- Exporting Exchange Mailbox via PowerShell - 6aace640-e631-4870-ba8e-5fdda09325db\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n (\n powershell.file.script_block_text : (\n \"Microsoft.Office.Interop.Outlook\" or\n \"Interop.Outlook.olDefaultFolders\" or\n \"::olFolderInBox\"\n ) or\n powershell.file.script_block_text : (\n \"Microsoft.Exchange.WebServices.Data.Folder\" or\n \"Microsoft.Exchange.WebServices.Data.FileAttachment\"\n )\n )\n", "references": ["https://github.com/dafthack/MailSniper/blob/master/MailSniper.ps1", "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "PowerShell", "Investigation Guide"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", "name": "Local Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/001/"}, {"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_3.json b/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_3.json deleted file mode 100644 index 58d7c047cb1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can be used to collect data from mailboxes. Adversaries may target user email to collect sensitive information.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Mailbox Collection Script", "note": "## Triage and analysis\n\n### Investigating PowerShell Mailbox Collection Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThis rule identifies scripts that contains methods and classes that can be abused to collect emails from local and remote mailboxes.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n - Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Related rules\n\n- Exporting Exchange Mailbox via PowerShell - 6aace640-e631-4870-ba8e-5fdda09325db\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and \npowershell.file.script_block_text : ( \n \"::olFolderInBox\" or \n Interop.Outlook.olDefaultFolders or \n Microsoft.Exchange.WebServices.Data.FileAttachment or \n Microsoft.Exchange.WebServices.Data.Folder or \n Microsoft.Office.Interop.Outlook)\n", "references": ["https://github.com/dafthack/MailSniper/blob/master/MailSniper.ps1", "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", "name": "Local Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/001/"}, {"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_4.json b/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_4.json deleted file mode 100644 index 12060fcc183..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can be used to collect data from mailboxes. Adversaries may target user email to collect sensitive information.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Mailbox Collection Script", "note": "## Triage and analysis\n\n### Investigating PowerShell Mailbox Collection Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThis rule identifies scripts that contains methods and classes that can be abused to collect emails from local and remote mailboxes.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n - Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Related rules\n\n- Exporting Exchange Mailbox via PowerShell - 6aace640-e631-4870-ba8e-5fdda09325db\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n (\n powershell.file.script_block_text : (\n \"Microsoft.Office.Interop.Outlook\" or\n \"Interop.Outlook.olDefaultFolders\" or\n \"::olFolderInBox\"\n ) or\n powershell.file.script_block_text : (\n \"Microsoft.Exchange.WebServices.Data.Folder\" or\n \"Microsoft.Exchange.WebServices.Data.FileAttachment\"\n )\n )\n", "references": ["https://github.com/dafthack/MailSniper/blob/master/MailSniper.ps1", "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: 
PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", "name": "Local Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/001/"}, {"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_5.json b/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_5.json deleted file mode 100644 index 588c1af50e8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can be used to collect data from mailboxes. Adversaries may target user email to collect sensitive information.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Mailbox Collection Script", "note": "## Triage and analysis\n\n### Investigating PowerShell Mailbox Collection Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThis rule identifies scripts that contains methods and classes that can be abused to collect emails from local and remote mailboxes.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n - Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Related rules\n\n- Exporting Exchange Mailbox via PowerShell - 6aace640-e631-4870-ba8e-5fdda09325db\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n (\n powershell.file.script_block_text : (\n \"Microsoft.Office.Interop.Outlook\" or\n \"Interop.Outlook.olDefaultFolders\" or\n \"::olFolderInBox\"\n ) or\n powershell.file.script_block_text : (\n \"Microsoft.Exchange.WebServices.Data.Folder\" or\n \"Microsoft.Exchange.WebServices.Data.FileAttachment\"\n )\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/dafthack/MailSniper/blob/master/MailSniper.ps1", "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", "name": "Local Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/001/"}, {"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_6.json b/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_6.json deleted file mode 100644 index f2a02f6cb0e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can be used to collect data from mailboxes. Adversaries may target user email to collect sensitive information.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Mailbox Collection Script", "note": "## Triage and analysis\n\n### Investigating PowerShell Mailbox Collection Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThis rule identifies scripts that contains methods and classes that can be abused to collect emails from local and remote mailboxes.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n - Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Related rules\n\n- Exporting Exchange Mailbox via PowerShell - 6aace640-e631-4870-ba8e-5fdda09325db\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.category:process and host.os.type:windows and\n (\n powershell.file.script_block_text : (\n \"Microsoft.Office.Interop.Outlook\" or\n \"Interop.Outlook.olDefaultFolders\" or\n \"::olFolderInBox\"\n ) or\n powershell.file.script_block_text : (\n \"Microsoft.Exchange.WebServices.Data.Folder\" or\n \"Microsoft.Exchange.WebServices.Data.FileAttachment\"\n )\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/dafthack/MailSniper/blob/master/MailSniper.ps1", "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a", "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: 
Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", "name": "Local Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/001/"}, {"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 6}, "id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_7.json b/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_7.json deleted file mode 100644 index 443992d6815..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can be used to collect data from mailboxes. Adversaries may target user email to collect sensitive information.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Mailbox Collection Script", "note": "## Triage and analysis\n\n### Investigating PowerShell Mailbox Collection Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThis rule identifies scripts that contains methods and classes that can be abused to collect emails from local and remote mailboxes.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n - Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Related rules\n\n- Exporting Exchange Mailbox via PowerShell - 6aace640-e631-4870-ba8e-5fdda09325db\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n (\n powershell.file.script_block_text : (\n \"Microsoft.Office.Interop.Outlook\" or\n \"Interop.Outlook.olDefaultFolders\" or\n \"::olFolderInBox\"\n ) or\n powershell.file.script_block_text : (\n \"Microsoft.Exchange.WebServices.Data.Folder\" or\n \"Microsoft.Exchange.WebServices.Data.FileAttachment\"\n )\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/dafthack/MailSniper/blob/master/MailSniper.ps1", "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: 
Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", "name": "Local Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/001/"}, {"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 7}, "id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_8.json b/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_8.json deleted file mode 100644 index c7a40cb6f77..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a2d04374-187c-4fd9-b513-3ad4e7fdd67a_8.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can be used to collect data from mailboxes. Adversaries may target user email to collect sensitive information.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Mailbox Collection Script", "note": "## Triage and analysis\n\n### Investigating PowerShell Mailbox Collection Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nEmail mailboxes and their information can be valuable assets for attackers. Company mailboxes often contain sensitive information such as login credentials, intellectual property, financial data, and personal information, making them high-value targets for malicious actors.\n\nThis rule identifies scripts that contains methods and classes that can be abused to collect emails from local and remote mailboxes.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Determine whether the script was executed and capture relevant information, such as arguments that reveal intent or are indicators of compromise (IoCs).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n - Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and it is done with proper approval.\n\n### Related rules\n\n- Exporting Exchange Mailbox via PowerShell - 6aace640-e631-4870-ba8e-5fdda09325db\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- If the involved host is not the Exchange server, isolate the host to prevent further post-compromise behavior.\n- Prioritize cases that involve personally identifiable information (PII) or other classified data.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n (\n powershell.file.script_block_text : (\n \"Microsoft.Office.Interop.Outlook\" or\n \"Interop.Outlook.olDefaultFolders\" or\n \"::olFolderInBox\"\n ) or\n powershell.file.script_block_text : (\n \"Microsoft.Exchange.WebServices.Data.Folder\" or\n \"Microsoft.Exchange.WebServices.Data.FileAttachment\"\n )\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/dafthack/MailSniper/blob/master/MailSniper.ps1", "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: 
Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.001", "name": "Local Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/001/"}, {"id": "T1114.002", "name": "Remote Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 8}, "id": "a2d04374-187c-4fd9-b513-3ad4e7fdd67a_8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75.json b/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75.json
deleted file mode 100644
index f24025c8283..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via local SxS Shared Module", "note": "## Triage and analysis\n\nThe SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.\n", "query": "file where host.os.type == \"windows\" and file.extension : \"dll\" and file.path : \"C:\\\\*\\\\*.exe.local\\\\*.dll\"\n", "references": ["https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", 
"Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1129", "name": "Shared Modules", "reference": "https://attack.mitre.org/techniques/T1129/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_103.json b/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_103.json deleted file mode 100644 index 0d8ea6e342f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_103.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via local SxS Shared Module", "note": "## Triage and analysis\n\nThe SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.", "query": "file where host.os.type == \"windows\" and file.extension : \"dll\" and file.path : \"C:\\\\*\\\\*.exe.local\\\\*.dll\"\n", "references": ["https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": 
"T1129", "name": "Shared Modules", "reference": "https://attack.mitre.org/techniques/T1129/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_104.json b/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_104.json deleted file mode 100644 index d73a2fb0a42..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via local SxS Shared Module", "note": "## Triage and analysis\n\nThe SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.", "query": "file where host.os.type == \"windows\" and file.extension : \"dll\" and file.path : \"C:\\\\*\\\\*.exe.local\\\\*.dll\"\n", "references": ["https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": 
"https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1129", "name": "Shared Modules", "reference": "https://attack.mitre.org/techniques/T1129/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_105.json b/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_105.json deleted file mode 100644 index 7aa7540012a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via local SxS Shared Module", "note": "## Triage and analysis\n\nThe SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.", "query": "file where host.os.type == \"windows\" and file.extension : \"dll\" and file.path : \"C:\\\\*\\\\*.exe.local\\\\*.dll\"\n", "references": ["https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": 
"https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1129", "name": "Shared Modules", "reference": "https://attack.mitre.org/techniques/T1129/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_106.json b/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_106.json deleted file mode 100644 index 3ec34d89bfc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_106.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via local SxS Shared Module", "note": "## Triage and analysis\n\nThe SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.\n\n", "query": "file where host.os.type == \"windows\" and file.extension : \"dll\" and file.path : \"C:\\\\*\\\\*.exe.local\\\\*.dll\"\n", "references": ["https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", 
"Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1129", "name": "Shared Modules", "reference": "https://attack.mitre.org/techniques/T1129/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_107.json b/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_107.json deleted file mode 100644 index 781c937a03a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_107.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via local SxS Shared Module", "note": "## Triage and analysis\n\nThe SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.\n", "query": "file where host.os.type == \"windows\" and file.extension : \"dll\" and file.path : \"C:\\\\*\\\\*.exe.local\\\\*.dll\"\n", "references": ["https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use 
Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1129", "name": "Shared Modules", "reference": "https://attack.mitre.org/techniques/T1129/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_108.json b/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_108.json
deleted file mode 100644
index d2bf055632a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a3ea12f3-0d4e-4667-8b44-4230c63f3c75_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation, change, or deletion of a DLL module within a Windows SxS local folder. Adversaries may abuse shared modules to execute malicious payloads by instructing the Windows module loader to load DLLs from arbitrary local paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via local SxS Shared Module", "note": "## Triage and analysis\n\nThe SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory.\n", "query": "file where host.os.type == \"windows\" and file.extension : \"dll\" and file.path : \"C:\\\\*\\\\*.exe.local\\\\*.dll\"\n", "references": ["https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", 
"Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1129", "name": "Shared Modules", "reference": "https://attack.mitre.org/techniques/T1129/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "a3ea12f3-0d4e-4667-8b44-4230c63f3c75_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a44bcb58-5109-4870-a7c6-11f5fe7dd4b1.json b/packages/security_detection_engine/kibana/security_rule/a44bcb58-5109-4870-a7c6-11f5fe7dd4b1.json deleted file mode 100644 index 21b44af4a95..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a44bcb58-5109-4870-a7c6-11f5fe7dd4b1.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when an EC2 instance interacts with the AWS IAM service via an assumed role. This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. For example, an assumed role could be used to create new users for persistence or add permissions for privilege escalation. An EC2 instance assumes a role using their EC2 ID as the session name. This rule looks for the pattern \"i-\" which is the beginning pattern for assumed role sessions started by an EC2 instance.", "false_positives": ["Administrators may use EC2 instances to interact with IAM services as part of an automation workflow, ensure validity of the triggered event and include exceptions where necessary."], "from": "now-6m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "eql", "license": "Elastic License v2", "name": "AWS EC2 Instance Interaction with IAM Service", "query": "any where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"iam.amazonaws.com\"\n and aws.cloudtrail.user_identity.type == \"AssumedRole\"\n and stringContains (user.id, \":i-\")\n", "references": ["https://redcanary.com/blog/aws-sts/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.user_identity.type", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "a44bcb58-5109-4870-a7c6-11f5fe7dd4b1", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", 
"name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.001", "name": "Additional Cloud Credentials", "reference": "https://attack.mitre.org/techniques/T1098/001/"}, {"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}, {"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "a44bcb58-5109-4870-a7c6-11f5fe7dd4b1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a44bcb58-5109-4870-a7c6-11f5fe7dd4b1_1.json b/packages/security_detection_engine/kibana/security_rule/a44bcb58-5109-4870-a7c6-11f5fe7dd4b1_1.json deleted file mode 100644 index 950368a49ad..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a44bcb58-5109-4870-a7c6-11f5fe7dd4b1_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when an EC2 instance interacts with the AWS IAM service via an assumed role. This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. For example, an assumed role could be used to create new users for persistence or add permissions for privilege escalation. An EC2 instance assumes a role using their EC2 ID as the session name. This rule looks for the pattern \"i-\" which is the beginning pattern for assumed role sessions started by an EC2 instance.", "false_positives": ["Administrators may use EC2 instances to interact with IAM services as part of an automation workflow, ensure validity of the triggered event and include exceptions where necessary."], "from": "now-6m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "eql", "license": "Elastic License v2", "name": "AWS EC2 Instance Interaction with IAM Service", "query": "any where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"iam.amazonaws.com\"\n and aws.cloudtrail.user_identity.type == \"AssumedRole\"\n and stringContains (user.id, \":i-\")\n", "references": ["https://redcanary.com/blog/aws-sts/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.user_identity.type", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "a44bcb58-5109-4870-a7c6-11f5fe7dd4b1", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", 
"name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.001", "name": "Additional Cloud Credentials", "reference": "https://attack.mitre.org/techniques/T1098/001/"}, {"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}, {"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "a44bcb58-5109-4870-a7c6-11f5fe7dd4b1_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494.json b/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494.json deleted file mode 100644 index 27899cfac4c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a medium-size registry hive file on a Server Message Block (SMB) share, which may indicate an exfiltration attempt of a previously dumped Security Account Manager (SAM) registry hive for credential extraction on an attacker-controlled system.", "from": "now-9m", "index": ["logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Registry File Creation in SMB Share", "note": "## Triage and analysis\n\n### Investigating Windows Registry File Creation in SMB Share\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, as is the case for the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can try to evade detection on the host by transferring this data to a system that is not monitored to be parsed and decrypted. This rule identifies the creation or modification of a medium-size registry hive file on an SMB share, which may indicate this kind of exfiltration attempt.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Inspect the source host for suspicious or abnormal behaviors in the alert timeframe.\n- Capture the registry file(s) to determine the extent of the credential compromise in an eventual incident response.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes. 
Check whether the user should be performing this kind of activity and is aware of it.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n /* regf file header */\n file.Ext.header_bytes : \"72656766*\" and file.size >= 30000 and\n process.pid == 4 and user.id : (\"S-1-5-21*\", \"S-1-12-1-*\") and\n not file.path : (\n \"?:\\\\*\\\\UPM_Profile\\\\NTUSER.DAT\",\n \"?:\\\\*\\\\UPM_Profile\\\\NTUSER.DAT.LASTGOOD.LOAD\",\n \"?:\\\\*\\\\UPM_Profile\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\UsrClass.dat*\",\n \"?:\\\\Windows\\\\Netwrix\\\\Temp\\\\????????.???.offreg\",\n \"?:\\\\*\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.*\\\\Settings\\\\settings.dat*\"\n )\n", "references": ["https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, 
{"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "file.size", "type": "long"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_104.json b/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_104.json deleted file mode 100644 index 623e57dd542..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a medium-size registry hive file on a Server Message Block (SMB) share, which may indicate an exfiltration attempt of a previously dumped Security Account Manager (SAM) registry hive for credential extraction on an attacker-controlled system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Registry File Creation in SMB Share", "note": "## Triage and analysis\n\n### Investigating Windows Registry File Creation in SMB Share\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, as is the case for the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can try to evade detection on the host by transferring this data to a system that is not monitored to be parsed and decrypted. This rule identifies the creation or modification of a medium-size registry hive file on an SMB share, which may indicate this kind of exfiltration attempt.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Inspect the source host for suspicious or abnormal behaviors in the alert timeframe.\n- Capture the registry file(s) to determine the extent of the credential compromise in an eventual incident response.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes. 
Check whether the user should be performing this kind of activity and is aware of it.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n /* regf file header */\n file.Ext.header_bytes : \"72656766*\" and file.size >= 30000 and\n process.pid == 4 and user.id : (\"S-1-5-21*\", \"S-1-12-1-*\")\n", "references": ["https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.size", "type": "long"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494", "severity": "medium", 
"tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_105.json b/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_105.json deleted file mode 100644 index 2165052fb77..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a medium-size registry hive file on a Server Message Block (SMB) share, which may indicate an exfiltration attempt of a previously dumped Security Account Manager (SAM) registry hive for credential extraction on an attacker-controlled system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Registry File Creation in SMB Share", "note": "## Triage and analysis\n\n### Investigating Windows Registry File Creation in SMB Share\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, as is the case for the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can try to evade detection on the host by transferring this data to a system that is not monitored to be parsed and decrypted. This rule identifies the creation or modification of a medium-size registry hive file on an SMB share, which may indicate this kind of exfiltration attempt.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Inspect the source host for suspicious or abnormal behaviors in the alert timeframe.\n- Capture the registry file(s) to determine the extent of the credential compromise in an eventual incident response.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes. 
Check whether the user should be performing this kind of activity and is aware of it.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n /* regf file header */\n file.Ext.header_bytes : \"72656766*\" and file.size >= 30000 and\n process.pid == 4 and user.id : (\"S-1-5-21*\", \"S-1-12-1-*\")\n", "references": ["https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.size", "type": "long"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494", "severity": "medium", 
"tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_106.json b/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_106.json deleted file mode 100644 index 78a4cd57fc4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a medium-size registry hive file on a Server Message Block (SMB) share, which may indicate an exfiltration attempt of a previously dumped Security Account Manager (SAM) registry hive for credential extraction on an attacker-controlled system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Registry File Creation in SMB Share", "note": "## Triage and analysis\n\n### Investigating Windows Registry File Creation in SMB Share\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, as is the case for the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can try to evade detection on the host by transferring this data to a system that is not monitored to be parsed and decrypted. This rule identifies the creation or modification of a medium-size registry hive file on an SMB share, which may indicate this kind of exfiltration attempt.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Inspect the source host for suspicious or abnormal behaviors in the alert timeframe.\n- Capture the registry file(s) to determine the extent of the credential compromise in an eventual incident response.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes. 
Check whether the user should be performing this kind of activity and is aware of it.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n /* regf file header */\n file.Ext.header_bytes : \"72656766*\" and file.size >= 30000 and\n process.pid == 4 and user.id : (\"S-1-5-21*\", \"S-1-12-1-*\")\n", "references": ["https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.size", "type": "long"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494", "severity": "medium", 
"tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_107.json b/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_107.json deleted file mode 100644 index 83b127029ae..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a medium-size registry hive file on a Server Message Block (SMB) share, which may indicate an exfiltration attempt of a previously dumped Security Account Manager (SAM) registry hive for credential extraction on an attacker-controlled system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Registry File Creation in SMB Share", "note": "## Triage and analysis\n\n### Investigating Windows Registry File Creation in SMB Share\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, as is the case for the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can try to evade detection on the host by transferring this data to a system that is not monitored to be parsed and decrypted. This rule identifies the creation or modification of a medium-size registry hive file on an SMB share, which may indicate this kind of exfiltration attempt.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Inspect the source host for suspicious or abnormal behaviors in the alert timeframe.\n- Capture the registry file(s) to determine the extent of the credential compromise in an eventual incident response.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes. 
Check whether the user should be performing this kind of activity and is aware of it.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n /* regf file header */\n file.Ext.header_bytes : \"72656766*\" and file.size >= 30000 and\n process.pid == 4 and user.id : (\"S-1-5-21*\", \"S-1-12-1-*\") and\n not file.path : (\n \"?:\\\\*\\\\UPM_Profile\\\\NTUSER.DAT\",\n \"?:\\\\*\\\\UPM_Profile\\\\NTUSER.DAT.LASTGOOD.LOAD\",\n \"?:\\\\Windows\\\\Netwrix\\\\Temp\\\\????????.???.offreg\",\n \"?:\\\\*\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.*\\\\Settings\\\\settings.dat*\"\n )\n", "references": ["https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": 
"file.path", "type": "keyword"}, {"ecs": true, "name": "file.size", "type": "long"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_108.json b/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_108.json deleted file mode 100644 index 64da51ff618..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_108.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a medium-size registry hive file on a Server Message Block (SMB) share, which may indicate an exfiltration attempt of a previously dumped Security Account Manager (SAM) registry hive for credential extraction on an attacker-controlled system.", "from": "now-9m", "index": ["logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Registry File Creation in SMB Share", "note": "## Triage and analysis\n\n### Investigating Windows Registry File Creation in SMB Share\n\nDumping registry hives is a common way to access credential information. Some hives store credential material, as is the case for the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nAttackers can try to evade detection on the host by transferring this data to a system that is not monitored to be parsed and decrypted. This rule identifies the creation or modification of a medium-size registry hive file on an SMB share, which may indicate this kind of exfiltration attempt.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/source host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Inspect the source host for suspicious or abnormal behaviors in the alert timeframe.\n- Capture the registry file(s) to determine the extent of the credential compromise in an eventual incident response.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes. 
Check whether the user should be performing this kind of activity and is aware of it.\n\n### Related rules\n\n- Credential Acquisition via Registry Hive Dumping - a7e7bfa3-088e-4f13-b29e-3986e0e756b8\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n /* regf file header */\n file.Ext.header_bytes : \"72656766*\" and file.size >= 30000 and\n process.pid == 4 and user.id : (\"S-1-5-21*\", \"S-1-12-1-*\") and\n not file.path : (\n \"?:\\\\*\\\\UPM_Profile\\\\NTUSER.DAT\",\n \"?:\\\\*\\\\UPM_Profile\\\\NTUSER.DAT.LASTGOOD.LOAD\",\n \"?:\\\\Windows\\\\Netwrix\\\\Temp\\\\????????.???.offreg\",\n \"?:\\\\*\\\\AppData\\\\Local\\\\Packages\\\\Microsoft.*\\\\Settings\\\\settings.dat*\"\n )\n", "references": ["https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": 
"file.path", "type": "keyword"}, {"ecs": true, "name": "file.size", "type": "long"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a52a9439-d52c-401c-be37-2785235c6547.json b/packages/security_detection_engine/kibana/security_rule/a52a9439-d52c-401c-be37-2785235c6547.json
deleted file mode 100644
index 3df41e3ac4c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a52a9439-d52c-401c-be37-2785235c6547.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects an established netcat listener running inside a container. Netcat is a utility used for reading and writing data across network connections, and it can be used for malicious purposes such as establishing a backdoor for persistence or exfiltrating data.", "false_positives": ["There is a potential for false positives if the container is used for legitimate tasks that require the use of netcat, such as network troubleshooting, testing or system monitoring. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity."], "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "Netcat Listener Established Inside A Container", "query": "process where container.id: \"*\" and event.type== \"start\" \nand event.action in (\"fork\", \"exec\") and \n(\nprocess.name:(\"nc\",\"ncat\",\"netcat\",\"netcat.openbsd\",\"netcat.traditional\") or\n/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/\nprocess.args: (\"nc\",\"ncat\",\"netcat\",\"netcat.openbsd\",\"netcat.traditional\")\n) and (\n /* bind shell to echo for command execution */\n (process.args:(\"-*l*\", \"--listen\", \"-*p*\", \"--source-port\") and process.args:(\"-c\", \"--sh-exec\", \"-e\", \"--exec\", \"echo\",\"$*\"))\n /* bind shell to specific port */\n or process.args:(\"-*l*\", \"--listen\", \"-*p*\", \"--source-port\")\n )\n", "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "container.id", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "a52a9439-d52c-401c-be37-2785235c6547", "severity": "high", "tags": ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "a52a9439-d52c-401c-be37-2785235c6547", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a52a9439-d52c-401c-be37-2785235c6547_1.json b/packages/security_detection_engine/kibana/security_rule/a52a9439-d52c-401c-be37-2785235c6547_1.json
deleted file mode 100644
index e030184efc4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a52a9439-d52c-401c-be37-2785235c6547_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects an established netcat listener running inside a container. Netcat is a utility used for reading and writing data across network connections, and it can be used for malicious purposes such as establishing a backdoor for persistence or exfiltrating data.", "false_positives": ["There is a potential for false positives if the container is used for legitimate tasks that require the use of netcat, such as network troubleshooting, testing or system monitoring. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity."], "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "Netcat Listener Established Inside A Container", "query": "process where container.id: \"*\" and event.type== \"start\" \nand event.action in (\"fork\", \"exec\") and \n(\nprocess.name:(\"nc\",\"ncat\",\"netcat\",\"netcat.openbsd\",\"netcat.traditional\") or\n/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/\nprocess.args: (\"nc\",\"ncat\",\"netcat\",\"netcat.openbsd\",\"netcat.traditional\")\n) and (\n /* bind shell to echo for command execution */\n (process.args:(\"-*l*\", \"--listen\", \"-*p*\", \"--source-port\") and process.args:(\"-c\", \"--sh-exec\", \"-e\", \"--exec\", \"echo\",\"$*\"))\n /* bind shell to specific port */\n or process.args:(\"-*l*\", \"--listen\", \"-*p*\", \"--source-port\")\n )\n", "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "container.id", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "a52a9439-d52c-401c-be37-2785235c6547", "severity": "high", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Container"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "a52a9439-d52c-401c-be37-2785235c6547_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a577e524-c2ee-47bd-9c5b-e917d01d3276.json b/packages/security_detection_engine/kibana/security_rule/a577e524-c2ee-47bd-9c5b-e917d01d3276.json
deleted file mode 100644
index 7c2f084f068..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a577e524-c2ee-47bd-9c5b-e917d01d3276.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies instances where a binary is granted the CAP_SYS_ADMIN capability. In Linux, the CAP_SYS_ADMIN capability is a powerful and broad capability that allows a process to perform a range of system administration operations, such as mounting and unmounting filesystems, configuring network interfaces, and accessing hardware devices. Attackers may leverage a misconfiguration for exploitation in order to escalate their privileges to root. The rule identifies previously unknown processes executing with CAP_SYS_ADMIN capabilities through the use of the new terms rule type.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "CAP_SYS_ADMIN Assigned to Binary", "new_terms_fields": ["host.id", "user.id", "process.executable"], "query": "event.category:\"process\" and host.os.type:\"linux\" and event.type:\"start\" and event.action:\"exec\" and process.name:* and\n(process.thread.capabilities.effective:\"CAP_SYS_ADMIN\" or process.thread.capabilities.permitted:\"CAP_SYS_ADMIN\") and\nnot user.id:\"0\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.effective", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.permitted", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "a577e524-c2ee-47bd-9c5b-e917d01d3276", "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend 
Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "a577e524-c2ee-47bd-9c5b-e917d01d3276", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a577e524-c2ee-47bd-9c5b-e917d01d3276_1.json b/packages/security_detection_engine/kibana/security_rule/a577e524-c2ee-47bd-9c5b-e917d01d3276_1.json
deleted file mode 100644
index a04b97095a4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a577e524-c2ee-47bd-9c5b-e917d01d3276_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies instances where a binary is granted the CAP_SYS_ADMIN capability. In Linux, the CAP_SYS_ADMIN capability is a powerful and broad capability that allows a process to perform a range of system administration operations, such as mounting and unmounting filesystems, configuring network interfaces, and accessing hardware devices. Attackers may leverage a misconfiguration for exploitation in order to escalate their privileges to root. The rule identifies previously unknown processes executing with CAP_SYS_ADMIN capabilities through the use of the new terms rule type.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "CAP_SYS_ADMIN Assigned to Binary", "new_terms_fields": ["host.id", "user.id", "process.executable"], "query": "event.category:\"process\" and host.os.type:\"linux\" and event.action:\"exec\" and event.type:\"start\" and process.name:* and\n(process.thread.capabilities.effective:\"CAP_SYS_ADMIN\" or process.thread.capabilities.permitted:\"CAP_SYS_ADMIN\") and\nnot user.id:\"0\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.effective", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.permitted", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "a577e524-c2ee-47bd-9c5b-e917d01d3276", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration 
Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "a577e524-c2ee-47bd-9c5b-e917d01d3276_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037.json b/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037.json
deleted file mode 100644
index e96a21874a2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via UDP", "query": "sample by host.id, process.pid, process.parent.pid\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"executed\" and process.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\",\n \"ruby\", \"openssl\", \"awk\", \"telnet\", \"lua*\", \"socat\"\n )]\n [process where host.os.type == \"linux\" and auditd.data.syscall == \"socket\" and process.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\",\n \"ruby\", \"openssl\", \"awk\", \"telnet\", \"lua*\", \"socat\"\n ) and auditd.data.a1 == \"2\"]\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connected-to\" and\n process.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\",\n \"ruby\", \"openssl\", \"awk\", \"telnet\", \"lua*\", \"socat\"\n ) and network.direction == \"egress\" and destination.ip != null and\n not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")]\n", "references": 
["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a1", "type": "unknown"}, {"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "a5eb21b7-13cc-4b94-9fe2-29bb2914e037", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Auditd Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required to be added to the integration.\n", "severity": "medium", "tags": ["Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix 
Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "a5eb21b7-13cc-4b94-9fe2-29bb2914e037", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_1.json b/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_1.json
deleted file mode 100644
index a9ec8578cb6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via UDP", "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. \n```\nFor this detection rule no additional audit rules are required to be added to the integration. 
\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "sample by host.id, process.pid, process.parent.pid\n[process where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n auditd.data.syscall == \"execve\" and process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\",\n \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\", \"ruby\",\n \"openssl\", \"awk\", \"telnet\", \"lua*\", \"socat\")]\n[process where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n auditd.data.syscall == \"socket\" and process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\",\n \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\", \"ruby\", \"openssl\",\n \"awk\", \"telnet\", \"lua*\", \"socat\") and auditd.data.a0 == \"2\" and auditd.data.a1 : (\"2\", \"802\")]\n[network where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n auditd.data.syscall == \"connect\" and process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\",\n \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\", \"ruby\", \"openssl\",\n \"awk\", \"telnet\", \"lua*\", \"socat\") and network.direction == \"egress\" and destination.ip != null and \n destination.ip != \"127.0.0.1\" and destination.ip != \"127.0.0.53\" and destination.ip != \"::1\"]\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"integration": "auditd", "package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a0", "type": "unknown"}, {"ecs": false, "name": "auditd.data.a1", "type": "unknown"}, {"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, 
"name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "a5eb21b7-13cc-4b94-9fe2-29bb2914e037", "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n```\nFor this detection rule no additional audit rules are required to be added to the integration.\n```\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "medium", "tags": ["OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "a5eb21b7-13cc-4b94-9fe2-29bb2914e037_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_2.json b/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_2.json
deleted file mode 100644
index 92967f26fdc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via UDP", "query": "sample by host.id, process.pid, process.parent.pid\n[process where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n auditd.data.syscall == \"execve\" and process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\",\n \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\", \"ruby\",\n \"openssl\", \"awk\", \"telnet\", \"lua*\", \"socat\")]\n[process where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n auditd.data.syscall == \"socket\" and process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\",\n \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\", \"ruby\", \"openssl\",\n \"awk\", \"telnet\", \"lua*\", \"socat\") and auditd.data.a0 == \"2\" and auditd.data.a1 : (\"2\", \"802\")]\n[network where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n auditd.data.syscall == \"connect\" and process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\",\n \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\", \"ruby\", \"openssl\",\n \"awk\", \"telnet\", \"lua*\", \"socat\") and network.direction == \"egress\" and destination.ip != null and \n destination.ip != 
\"127.0.0.1\" and destination.ip != \"127.0.0.53\" and destination.ip != \"::1\"]\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"integration": "auditd", "package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a0", "type": "unknown"}, {"ecs": false, "name": "auditd.data.a1", "type": "unknown"}, {"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "a5eb21b7-13cc-4b94-9fe2-29bb2914e037", "setup": "\nThis rule requires data coming in either from Auditbeat integration, or Auditd Manager integration.\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Auditd Manager and select the integration to see more details about it.\n- Click Add Auditd Manager.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed `auditd manager` to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click Save and Continue.\n- For more details on the integeration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required to be added to the integration.\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "a5eb21b7-13cc-4b94-9fe2-29bb2914e037_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_3.json b/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_3.json
deleted file mode 100644
index d7473ca55f2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via UDP", "query": "sample by host.id, process.pid, process.parent.pid\n[process where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n auditd.data.syscall == \"execve\" and process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\",\n \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\", \"ruby\",\n \"openssl\", \"awk\", \"telnet\", \"lua*\", \"socat\")]\n[process where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n auditd.data.syscall == \"socket\" and process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\",\n \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\", \"ruby\", \"openssl\",\n \"awk\", \"telnet\", \"lua*\", \"socat\") and auditd.data.a0 == \"2\" and auditd.data.a1 : (\"2\", \"802\")]\n[network where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n auditd.data.syscall == \"connect\" and process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\",\n \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\", \"ruby\", \"openssl\",\n \"awk\", \"telnet\", \"lua*\", \"socat\") and network.direction == \"egress\" and destination.ip != null and \n destination.ip != 
\"127.0.0.1\" and destination.ip != \"127.0.0.53\" and destination.ip != \"::1\"]\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"integration": "auditd", "package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a0", "type": "unknown"}, {"ecs": false, "name": "auditd.data.a1", "type": "unknown"}, {"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "a5eb21b7-13cc-4b94-9fe2-29bb2914e037", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Auditd Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required to be added to the integration.\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": 
"https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "a5eb21b7-13cc-4b94-9fe2-29bb2914e037_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_4.json b/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_4.json
deleted file mode 100644
index 2177ee3bd21..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via UDP", "query": "sample by host.id, process.pid, process.parent.pid\n[process where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n auditd.data.syscall == \"execve\" and process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\",\n \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\", \"ruby\",\n \"openssl\", \"awk\", \"telnet\", \"lua*\", \"socat\")]\n[process where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n auditd.data.syscall == \"socket\" and process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\",\n \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\", \"ruby\", \"openssl\",\n \"awk\", \"telnet\", \"lua*\", \"socat\") and auditd.data.a0 == \"2\" and auditd.data.a1 : (\"2\", \"802\")]\n[network where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n auditd.data.syscall == \"connect\" and process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\",\n \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\", \"ruby\", \"openssl\",\n \"awk\", \"telnet\", \"lua*\", \"socat\") and network.direction == \"egress\" and destination.ip != null and \n destination.ip != 
\"127.0.0.1\" and destination.ip != \"127.0.0.53\" and destination.ip != \"::1\"]\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"integration": "auditd", "package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a0", "type": "unknown"}, {"ecs": false, "name": "auditd.data.a1", "type": "unknown"}, {"ecs": false, "name": "auditd.data.syscall", "type": "keyword"}, {"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "a5eb21b7-13cc-4b94-9fe2-29bb2914e037", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Auditd Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required to be added to the integration.\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": 
"https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "a5eb21b7-13cc-4b94-9fe2-29bb2914e037_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_5.json b/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_5.json
deleted file mode 100644
index ff728651827..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via UDP", "query": "sample by host.id, process.pid, process.parent.pid\n [process where host.os.type == \"linux\" and auditd.data.syscall == \"execve\" and process.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\",\n \"ruby\", \"openssl\", \"awk\", \"telnet\", \"lua*\", \"socat\"\n )\n ]\n [process where host.os.type == \"linux\" and auditd.data.syscall == \"socket\" and process.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\",\n \"ruby\", \"openssl\", \"awk\", \"telnet\", \"lua*\", \"socat\"\n ) and\n auditd.data.a0 == \"2\" and auditd.data.a1 : (\"2\", \"802\")]\n[network where host.os.type == \"linux\" and auditd.data.syscall == \"connect\" and process.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\",\n \"ruby\", \"openssl\", \"awk\", \"telnet\", \"lua*\", \"socat\"\n ) and\n network.direction == \"egress\" and destination.ip != null and destination.ip != \"127.0.0.1\" and\n destination.ip != \"127.0.0.53\" and destination.ip != \"::1\"]\n", "references": 
["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a0", "type": "unknown"}, {"ecs": false, "name": "auditd.data.a1", "type": "unknown"}, {"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "a5eb21b7-13cc-4b94-9fe2-29bb2914e037", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Auditd Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required to be added to the integration.\n\n", "severity": "medium", "tags": ["Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix 
Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "a5eb21b7-13cc-4b94-9fe2-29bb2914e037_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_6.json b/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_6.json
deleted file mode 100644
index 5abbf018058..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a5eb21b7-13cc-4b94-9fe2-29bb2914e037_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies suspicious network traffic patterns associated with UDP reverse shell activity. This activity consists of a sample of an execve, socket and connect syscall executed by the same process, where the auditd.data.a0-1 indicate a UDP connection, ending with an egress connection event. An attacker may establish a Linux UDP reverse shell to bypass traditional firewall restrictions and gain remote access to a target system covertly.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via UDP", "query": "sample by host.id, process.pid, process.parent.pid\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"executed\" and process.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\",\n \"ruby\", \"openssl\", \"awk\", \"telnet\", \"lua*\", \"socat\"\n )]\n [process where host.os.type == \"linux\" and auditd.data.syscall == \"socket\" and process.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\",\n \"ruby\", \"openssl\", \"awk\", \"telnet\", \"lua*\", \"socat\"\n ) and auditd.data.a1 == \"2\"]\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connected-to\" and\n process.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl\", \"python*\", \"nc\", \"ncat\", \"netcat\", \"php*\",\n \"ruby\", \"openssl\", \"awk\", \"telnet\", \"lua*\", \"socat\"\n ) and network.direction == \"egress\" and destination.ip != null and\n not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")]\n", "references": 
["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a1", "type": "unknown"}, {"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "a5eb21b7-13cc-4b94-9fe2-29bb2914e037", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Auditbeat\n- Auditd Manager\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required to be added to the integration.\n", "severity": "medium", "tags": ["Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix 
Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "a5eb21b7-13cc-4b94-9fe2-29bb2914e037_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd.json b/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd.json
deleted file mode 100644
index 8f8db431ccf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Policy updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Assume Role Policy Update", "note": "## Triage and analysis\n\n### Investigating AWS IAM Assume Role Policy Update\n\nAn IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.\n\nThe role trust policy is a JSON document in which you define the principals you trust to assume the role. This policy is a required resource-based policy that is attached to a role in IAM. 
An attacker may attempt to modify this policy by using the `UpdateAssumeRolePolicy` API action to gain the privileges of that role.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions \u2014 preferably with a combination of the user agent and user ID conditions \u2014 to cover administrator activities and infrastructure as code tooling.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Use AWS [policy versioning](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-versioning.html) to restore the trust policy to the desired state.\n- Investigate credential exposure on systems compromised or 
used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success\n", "references": ["https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Privilege Escalation"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_105.json b/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_105.json
deleted file mode 100644
index 3bc94a59b99..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Policy updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Assume Role Policy Update", "note": "## Triage and analysis\n\n### Investigating AWS IAM Assume Role Policy Update\n\nAn IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.\n\nThe role trust policy is a JSON document in which you define the principals you trust to assume the role. This policy is a required resource-based policy that is attached to a role in IAM. 
An attacker may attempt to modify this policy by using the `UpdateAssumeRolePolicy` API action to gain the privileges of that role.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions \u2014 preferably with a combination of the user agent and user ID conditions \u2014 to cover administrator activities and infrastructure as code tooling.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Use AWS [policy versioning](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-versioning.html) to restore the trust policy to the desired state.\n- Investigate credential exposure on systems compromised or 
used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success\n", "references": ["https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", 
"name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_106.json b/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_106.json
deleted file mode 100644
index e541b0ca76e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Policy updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Assume Role Policy Update", "note": "## Triage and analysis\n\n### Investigating AWS IAM Assume Role Policy Update\n\nAn IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.\n\nThe role trust policy is a JSON document in which you define the principals you trust to assume the role. This policy is a required resource-based policy that is attached to a role in IAM. 
An attacker may attempt to modify this policy by using the `UpdateAssumeRolePolicy` API action to gain the privileges of that role.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions \u2014 preferably with a combination of the user agent and user ID conditions \u2014 to cover administrator activities and infrastructure as code tooling.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Use AWS [policy versioning](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-versioning.html) to restore the trust policy to the desired state.\n- Investigate credential exposure on systems compromised or 
used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success\n", "references": ["https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Privilege Escalation"], "threat": [{"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_107.json b/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_107.json
deleted file mode 100644
index 18e19061d7a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Policy updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Assume Role Policy Update", "note": "## Triage and analysis\n\n### Investigating AWS IAM Assume Role Policy Update\n\nAn IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.\n\nThe role trust policy is a JSON document in which you define the principals you trust to assume the role. This policy is a required resource-based policy that is attached to a role in IAM. 
An attacker may attempt to modify this policy by using the `UpdateAssumeRolePolicy` API action to gain the privileges of that role.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions \u2014 preferably with a combination of the user agent and user ID conditions \u2014 to cover administrator activities and infrastructure as code tooling.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Use AWS [policy versioning](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-versioning.html) to restore the trust policy to the desired state.\n- Investigate credential exposure on systems compromised or 
used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success\n", "references": ["https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Privilege Escalation"], "threat": [{"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_208.json b/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_208.json deleted file mode 100644 index b51e4c29856..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a60326d7-dca7-4fb7-93eb-1ca03a1febbd_208.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Policy updates from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Assume Role Policy Update", "note": "## Triage and analysis\n\n### Investigating AWS IAM Assume Role Policy Update\n\nAn IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.\n\nThe role trust policy is a JSON document in which you define the principals you trust to assume the role. This policy is a required resource-based policy that is attached to a role in IAM. 
An attacker may attempt to modify this policy by using the `UpdateAssumeRolePolicy` API action to gain the privileges of that role.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the service. Tuning is needed in order to have higher confidence. Consider adding exceptions \u2014 preferably with a combination of the user agent and user ID conditions \u2014 to cover administrator activities and infrastructure as code tooling.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Use AWS [policy versioning](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-versioning.html) to restore the trust policy to the desired state.\n- Investigate credential exposure on systems compromised or 
used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and event.outcome:success\n", "references": ["https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Privilege Escalation"], "threat": [{"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 208}, "id": "a60326d7-dca7-4fb7-93eb-1ca03a1febbd_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97.json b/packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97.json deleted file mode 100644 index aecccec266b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a sign-in using the Azure Active Directory PowerShell module. PowerShell for Azure Active Directory allows for managing settings from the command line, which is intended for users who are members of an admin role.", "false_positives": ["Sign-ins using PowerShell may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be signing into your environment. Sign-ins from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Active Directory PowerShell Sign-in", "note": "## Triage and analysis\n\n### Investigating Azure Active Directory PowerShell Sign-in\n\nAzure Active Directory PowerShell for Graph (Azure AD PowerShell) is a module IT professionals commonly use to manage their Azure Active Directory. The cmdlets in the Azure AD PowerShell module enable you to retrieve data from the directory, create new objects in the directory, update existing objects, remove objects, as well as configure the directory and its features.\n\nThis rule identifies sign-ins that use the Azure Active Directory PowerShell module, which can indicate unauthorized access if done outside of IT or engineering.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to access Azure AD using PowerShell to complete its tasks.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Consider the source IP address and geolocation for the involved user account. 
Do they look normal?\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate suspicious actions taken by the user using the module, for example, modifications in security settings that weakens the security policy, persistence-related tasks, and data access.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding IT, Engineering, and other authorized users as exceptions \u2014 preferably with a combination of user and device conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:azure.signinlogs and\n azure.signinlogs.properties.app_display_name:\"Azure Active Directory PowerShell\" and\n azure.signinlogs.properties.token_issuer_type:AzureAD and event.outcome:(success or Success)\n", "references": ["https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", "https://docs.microsoft.com/en-us/microsoft-365/enterprise/connect-to-microsoft-365-powershell?view=o365-worldwide"], "related_integrations": [{"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.signinlogs.properties.app_display_name", "type": "keyword"}, {"ecs": false, "name": "azure.signinlogs.properties.token_issuer_type", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "a605c51a-73ad-406d-bf3a-f24cc41d5c97", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "a605c51a-73ad-406d-bf3a-f24cc41d5c97", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97_104.json b/packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97_104.json deleted file mode 100644 index 72c5d561899..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a605c51a-73ad-406d-bf3a-f24cc41d5c97_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a sign-in using the Azure Active Directory PowerShell module. PowerShell for Azure Active Directory allows for managing settings from the command line, which is intended for users who are members of an admin role.", "false_positives": ["Sign-ins using PowerShell may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be signing into your environment. Sign-ins from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Active Directory PowerShell Sign-in", "note": "## Triage and analysis\n\n### Investigating Azure Active Directory PowerShell Sign-in\n\nAzure Active Directory PowerShell for Graph (Azure AD PowerShell) is a module IT professionals commonly use to manage their Azure Active Directory. The cmdlets in the Azure AD PowerShell module enable you to retrieve data from the directory, create new objects in the directory, update existing objects, remove objects, as well as configure the directory and its features.\n\nThis rule identifies sign-ins that use the Azure Active Directory PowerShell module, which can indicate unauthorized access if done outside of IT or engineering.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Evaluate whether the user needs to access Azure AD using PowerShell to complete its tasks.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Consider the source IP address and geolocation for the involved user account. 
Do they look normal?\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate suspicious actions taken by the user using the module, for example, modifications in security settings that weakens the security policy, persistence-related tasks, and data access.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding IT, Engineering, and other authorized users as exceptions \u2014 preferably with a combination of user and device conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:azure.signinlogs and\n azure.signinlogs.properties.app_display_name:\"Azure Active Directory PowerShell\" and\n azure.signinlogs.properties.token_issuer_type:AzureAD and event.outcome:(success or Success)\n", "references": ["https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/", "https://docs.microsoft.com/en-us/microsoft-365/enterprise/connect-to-microsoft-365-powershell?view=o365-worldwide"], "related_integrations": [{"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.signinlogs.properties.app_display_name", "type": "keyword"}, {"ecs": false, "name": "azure.signinlogs.properties.token_issuer_type", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "a605c51a-73ad-406d-bf3a-f24cc41d5c97", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", 
"reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "a605c51a-73ad-406d-bf3a-f24cc41d5c97_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60.json b/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60.json deleted file mode 100644 index a57534295f9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains registry data.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel Windows Registry Indicator Match", "note": "## Triage and Analysis\n\n### Investigating Threat Intel Windows Registry Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index.\n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains registry data.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Check related threat reports to gain context about the registry indicator of compromise (IoC) and to understand if it's a system-native mechanism abused for persistence, to store data, to disable security mechanisms, etc. 
Use this information to define the appropriate triage and respond steps.\n- Identify the process responsible for the registry operation and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS 
VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries can leverage dual-use registry mechanisms that are commonly used by normal applications. These registry keys can be added into indicator lists creating the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry.path:*\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 99, "rule_id": "a61809f3-fb5b-465c-8bff-23a8a068ac60", "setup": "## Setup\n\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Threat Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": 
"enrichment"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, "params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "registry.path", "type": "mapping", "value": "threat.indicator.registry.path"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "timestamp_override": "event.ingested", "type": "threat_match", "version": 7}, "id": "a61809f3-fb5b-465c-8bff-23a8a068ac60", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_1.json b/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_1.json deleted file mode 100644 index 09d562f7d19..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains registry data.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel Windows Registry Indicator Match", "query": "registry.path:*\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 99, "rule_id": "a61809f3-fb5b-465c-8bff-23a8a068ac60", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": "enrichment"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, "params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "registry.path", "type": "mapping", "value": "threat.indicator.registry.path"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and 
threat.indicator.registry.path:* and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", "version": 1}, "id": "a61809f3-fb5b-465c-8bff-23a8a068ac60_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_2.json b/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_2.json deleted file mode 100644 index b8a45ae5fb6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains registry data.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel Windows Registry Indicator Match", "note": "## Triage and Analysis\n\n### Investigating Threat Intel Windows Registry Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains registry data.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Check related threat reports to gain context about the registry indicator of compromise (IoC) and to understand if it's a system-native mechanism abused for persistence, to store data, to disable security mechanisms, etc. 
Use this information to define the appropriate triage and respond steps.\n- Identify the process responsible for the registry operation and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries can leverage dual-use registry mechanisms that are commonly used by normal applications. 
These registry keys can be added into indicator lists creating the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThis rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).", "query": "registry.path:*\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 99, "rule_id": "a61809f3-fb5b-465c-8bff-23a8a068ac60", "setup": "This rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an Elastic Agent integration, the Threat Intel module, or a custom integration.\n\nMore information can be found here.", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": "enrichment"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, "params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "registry.path", "type": "mapping", "value": "threat.indicator.registry.path"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", "version": 2}, "id": "a61809f3-fb5b-465c-8bff-23a8a068ac60_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_3.json b/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_3.json deleted file mode 100644 index 90682071f1f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains registry data.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel Windows Registry Indicator Match", "note": "## Triage and Analysis\n\n### Investigating Threat Intel Windows Registry Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains registry data.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Check related threat reports to gain context about the registry indicator of compromise (IoC) and to understand if it's a system-native mechanism abused for persistence, to store data, to disable security mechanisms, etc. 
Use this information to define the appropriate triage and respond steps.\n- Identify the process responsible for the registry operation and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS 
VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries can leverage dual-use registry mechanisms that are commonly used by normal applications. These registry keys can be added into indicator lists creating the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThis rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).", "query": "registry.path:*\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 99, "rule_id": "a61809f3-fb5b-465c-8bff-23a8a068ac60", "setup": "This rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an Elastic Agent integration, the Threat Intel module, or a custom integration.\n\nMore information can be found here.", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": "enrichment"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, "params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "registry.path", "type": "mapping", "value": "threat.indicator.registry.path"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", "version": 3}, "id": "a61809f3-fb5b-465c-8bff-23a8a068ac60_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_4.json b/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_4.json deleted file mode 100644 index e3b1828db2f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains registry data.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel Windows Registry Indicator Match", "note": "## Triage and Analysis\n\n### Investigating Threat Intel Windows Registry Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains registry data.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Check related threat reports to gain context about the registry indicator of compromise (IoC) and to understand if it's a system-native mechanism abused for persistence, to store data, to disable security mechanisms, etc. 
Use this information to define the appropriate triage and respond steps.\n- Identify the process responsible for the registry operation and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS 
VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries can leverage dual-use registry mechanisms that are commonly used by normal applications. These registry keys can be added into indicator lists creating the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "registry.path:*\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 99, "rule_id": "a61809f3-fb5b-465c-8bff-23a8a068ac60", "setup": "\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": "enrichment"}}}, 
{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, "params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "registry.path", "type": "mapping", "value": "threat.indicator.registry.path"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", "version": 4}, "id": "a61809f3-fb5b-465c-8bff-23a8a068ac60_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_5.json b/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_5.json deleted file mode 100644 index 64478756d31..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains registry data.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel Windows Registry Indicator Match", "note": "## Triage and Analysis\n\n### Investigating Threat Intel Windows Registry Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index.\n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains registry data.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Check related threat reports to gain context about the registry indicator of compromise (IoC) and to understand if it's a system-native mechanism abused for persistence, to store data, to disable security mechanisms, etc. 
Use this information to define the appropriate triage and respond steps.\n- Identify the process responsible for the registry operation and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS 
VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries can leverage dual-use registry mechanisms that are commonly used by normal applications. These registry keys can be added into indicator lists creating the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "registry.path:*\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 99, "rule_id": "a61809f3-fb5b-465c-8bff-23a8a068ac60", "setup": "\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": "enrichment"}}}, 
{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, "params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "registry.path", "type": "mapping", "value": "threat.indicator.registry.path"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "timestamp_override": "event.ingested", "type": "threat_match", "version": 5}, "id": "a61809f3-fb5b-465c-8bff-23a8a068ac60_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_6.json b/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_6.json
deleted file mode 100644
index 1310cbcfee3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a61809f3-fb5b-465c-8bff-23a8a068ac60_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains registry data.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel Windows Registry Indicator Match", "note": "## Triage and Analysis\n\n### Investigating Threat Intel Windows Registry Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index.\n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a Windows registry indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains registry data.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Check related threat reports to gain context about the registry indicator of compromise (IoC) and to understand if it's a system-native mechanism abused for persistence, to store data, to disable security mechanisms, etc.
Use this information to define the appropriate triage and respond steps.\n- Identify the process responsible for the registry operation and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS 
VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries can leverage dual-use registry mechanisms that are commonly used by normal applications. These registry keys can be added into indicator lists creating the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry.path:*\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 99, "rule_id": "a61809f3-fb5b-465c-8bff-23a8a068ac60", "setup": "## Setup\n\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": 
"enrichment"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, "params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "registry.path", "type": "mapping", "value": "threat.indicator.registry.path"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.registry.path:* and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "timestamp_override": "event.ingested", "type": "threat_match", "version": 6}, "id": "a61809f3-fb5b-465c-8bff-23a8a068ac60_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f.json b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f.json
deleted file mode 100644
index 13f604f9a1b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious MS Office Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious MS Office Child Process\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule looks for suspicious processes spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior.
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\n \"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\",\n \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\", \"outlook.exe\"\n ) and\n process.name : (\n \"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\",\n \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"control.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\",\n \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\",\n \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\", \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\",\n \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\",\n \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\", \"msdt.exe\"\n ) and\n not (\n process.parent.name : \"outlook.exe\" and\n process.name : \"rundll32.exe\" and\n process.args : 
\"shell32.dll,Control_RunDLL\" and\n process.args : \"srchadmin.dll\"\n )\n", "references": ["https://www.elastic.co/blog/vulnerability-summary-follina"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": 
"https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "a624863f-a70d-417f-a7d2-7a404638d47f", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_105.json b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_105.json
deleted file mode 100644
index ae135a0b4f1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious MS Office Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious MS Office Child Process\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule looks for suspicious processes spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior.
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\", \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\", \"outlook.exe\") and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\", \"certutil.exe\",\n \"cmd.exe\", \"cmstp.exe\", \"control.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\", \"dsquery.exe\", \"forfiles.exe\",\n \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\",\n \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\",\n \"ping.exe\", \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\",\n \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\", \"msdt.exe\")\n", "references": ["https://www.elastic.co/blog/vulnerability-summary-follina"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, 
{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Investigation Guide", "Execution", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "a624863f-a70d-417f-a7d2-7a404638d47f_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_106.json b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_106.json
deleted file mode 100644
index 333c06d2835..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious MS Office Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious MS Office Child Process\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule looks for suspicious processes spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\", \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\", \"outlook.exe\") and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\", \"certutil.exe\",\n \"cmd.exe\", \"cmstp.exe\", \"control.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\", \"dsquery.exe\", \"forfiles.exe\",\n \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\",\n \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\",\n \"ping.exe\", \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\",\n \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\", \"msdt.exe\")\n", "references": ["https://www.elastic.co/blog/vulnerability-summary-follina"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, 
{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", "Tactic: Execution", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "a624863f-a70d-417f-a7d2-7a404638d47f_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_107.json b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_107.json
deleted file mode 100644
index 39df00a76c6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious MS Office Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious MS Office Child Process\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule looks for suspicious processes spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\", \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\", \"outlook.exe\") and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\", \"certutil.exe\",\n \"cmd.exe\", \"cmstp.exe\", \"control.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\", \"dsquery.exe\", \"forfiles.exe\",\n \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\",\n \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\",\n \"ping.exe\", \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\",\n \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\", \"msdt.exe\")\n", "references": ["https://www.elastic.co/blog/vulnerability-summary-follina"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, 
{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "a624863f-a70d-417f-a7d2-7a404638d47f_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_108.json b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_108.json
deleted file mode 100644
index 89075c18500..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious MS Office Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious MS Office Child Process\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule looks for suspicious processes spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\", \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\", \"outlook.exe\") and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\", \"certutil.exe\",\n \"cmd.exe\", \"cmstp.exe\", \"control.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\", \"dsquery.exe\", \"forfiles.exe\",\n \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\",\n \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\",\n \"ping.exe\", \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\",\n \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\", \"msdt.exe\")\n", "references": ["https://www.elastic.co/blog/vulnerability-summary-follina"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, 
{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "a624863f-a70d-417f-a7d2-7a404638d47f_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_109.json b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_109.json
deleted file mode 100644
index d577e162220..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious MS Office Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious MS Office Child Process\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule looks for suspicious processes spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\", \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\", \"outlook.exe\") and\n process.name : (\"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\", \"certutil.exe\",\n \"cmd.exe\", \"cmstp.exe\", \"control.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\", \"dsquery.exe\", \"forfiles.exe\",\n \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\", \"installutil.exe\", \"ipconfig.exe\",\n \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\", \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\",\n \"ping.exe\", \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\", \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\",\n \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\", \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\",\n \"wmic.exe\", \"wscript.exe\", \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\", \"msdt.exe\")\n", "references": ["https://www.elastic.co/blog/vulnerability-summary-follina"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, 
{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": 
"https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "a624863f-a70d-417f-a7d2-7a404638d47f_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_110.json b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_110.json
deleted file mode 100644
index d05020913e5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious MS Office Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious MS Office Child Process\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule looks for suspicious processes spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\n \"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\",\n \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\", \"outlook.exe\"\n ) and\n process.name : (\n \"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\",\n \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"control.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\",\n \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\",\n \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\", \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\",\n \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\",\n \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\", \"msdt.exe\"\n ) and\n not (\n process.parent.name : \"outlook.exe\" and\n process.name : \"rundll32.exe\" and\n process.args : 
\"shell32.dll,Control_RunDLL\" and\n process.args : \"srchadmin.dll\"\n )\n", "references": ["https://www.elastic.co/blog/vulnerability-summary-follina"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, 
"technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "a624863f-a70d-417f-a7d2-7a404638d47f_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_111.json b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_111.json
deleted file mode 100644
index 4b659659c65..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious MS Office Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious MS Office Child Process\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule looks for suspicious processes spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\n \"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\",\n \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\", \"outlook.exe\"\n ) and\n process.name : (\n \"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\",\n \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"control.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\",\n \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\",\n \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\", \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\",\n \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\",\n \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\", \"msdt.exe\"\n ) and\n not (\n process.parent.name : \"outlook.exe\" and\n process.name : \"rundll32.exe\" and\n process.args : 
\"shell32.dll,Control_RunDLL\" and\n process.args : \"srchadmin.dll\"\n )\n", "references": ["https://www.elastic.co/blog/vulnerability-summary-follina"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": 
"https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "a624863f-a70d-417f-a7d2-7a404638d47f_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_112.json b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_112.json
deleted file mode 100644
index 32f896004c3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_112.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious MS Office Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious MS Office Child Process\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule looks for suspicious processes spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\n \"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\",\n \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\", \"outlook.exe\"\n ) and\n process.name : (\n \"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\",\n \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"control.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\",\n \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\",\n \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\", \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\",\n \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\",\n \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\", \"msdt.exe\"\n ) and\n not (\n process.parent.name : \"outlook.exe\" and\n process.name : \"rundll32.exe\" and\n process.args : 
\"shell32.dll,Control_RunDLL\" and\n process.args : \"srchadmin.dll\"\n )\n", "references": ["https://www.elastic.co/blog/vulnerability-summary-follina"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": 
"https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "a624863f-a70d-417f-a7d2-7a404638d47f_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_113.json b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_113.json
deleted file mode 100644
index 5384da9504e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_113.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious MS Office Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious MS Office Child Process\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule looks for suspicious processes spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\n \"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\",\n \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\", \"outlook.exe\"\n ) and\n process.name : (\n \"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\",\n \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"control.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\",\n \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\",\n \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\", \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\",\n \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\",\n \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\", \"msdt.exe\"\n ) and\n not (\n process.parent.name : \"outlook.exe\" and\n process.name : \"rundll32.exe\" and\n process.args : 
\"shell32.dll,Control_RunDLL\" and\n process.args : \"srchadmin.dll\"\n )\n", "references": ["https://www.elastic.co/blog/vulnerability-summary-follina"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": 
"https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "a624863f-a70d-417f-a7d2-7a404638d47f_113", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_313.json b/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_313.json
deleted file mode 100644
index 567e659f321..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a624863f-a70d-417f-a7d2-7a404638d47f_313.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious MS Office Child Process", "note": "## Triage and analysis\n\n### Investigating Suspicious MS Office Child Process\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThis rule looks for suspicious processes spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. 
Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\n \"eqnedt32.exe\", \"excel.exe\", \"fltldr.exe\", \"msaccess.exe\",\n \"mspub.exe\", \"powerpnt.exe\", \"winword.exe\", \"outlook.exe\"\n ) and\n process.name : (\n \"Microsoft.Workflow.Compiler.exe\", \"arp.exe\", \"atbroker.exe\", \"bginfo.exe\", \"bitsadmin.exe\", \"cdb.exe\",\n \"certutil.exe\", \"cmd.exe\", \"cmstp.exe\", \"control.exe\", \"cscript.exe\", \"csi.exe\", \"dnx.exe\", \"dsget.exe\",\n \"dsquery.exe\", \"forfiles.exe\", \"fsi.exe\", \"ftp.exe\", \"gpresult.exe\", \"hostname.exe\", \"ieexec.exe\", \"iexpress.exe\",\n \"installutil.exe\", \"ipconfig.exe\", \"mshta.exe\", \"msxsl.exe\", \"nbtstat.exe\", \"net.exe\", \"net1.exe\", \"netsh.exe\",\n \"netstat.exe\", \"nltest.exe\", \"odbcconf.exe\", \"ping.exe\", \"powershell.exe\", \"pwsh.exe\", \"qprocess.exe\",\n \"quser.exe\", \"qwinsta.exe\", \"rcsi.exe\", \"reg.exe\", \"regasm.exe\", \"regsvcs.exe\", \"regsvr32.exe\", \"sc.exe\",\n \"schtasks.exe\", \"systeminfo.exe\", \"tasklist.exe\", \"tracert.exe\", \"whoami.exe\", \"wmic.exe\", \"wscript.exe\",\n \"xwizard.exe\", \"explorer.exe\", \"rundll32.exe\", \"hh.exe\", \"msdt.exe\"\n ) and\n not (\n process.parent.name : \"outlook.exe\" and\n process.name : \"rundll32.exe\" and\n process.args : 
\"shell32.dll,Control_RunDLL\" and\n process.args : \"srchadmin.dll\"\n )\n", "references": ["https://www.elastic.co/blog/vulnerability-summary-follina"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a624863f-a70d-417f-a7d2-7a404638d47f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, 
{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 313}, "id": "a624863f-a70d-417f-a7d2-7a404638d47f_313", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a6788d4b-b241-4bf0-8986-a3b4315c5b70.json b/packages/security_detection_engine/kibana/security_rule/a6788d4b-b241-4bf0-8986-a3b4315c5b70.json
deleted file mode 100644
index 10a5dd88f93..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a6788d4b-b241-4bf0-8986-a3b4315c5b70.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when server access logging is disabled for an Amazon S3 bucket. Server access logs provide a detailed record of requests made to an S3 bucket. When server access logging is disabled for a bucket, it could indicate an adversary's attempt to impair defenses by disabling logs that contain evidence of malicious activity.", "false_positives": ["Bucket logging may be disabled by a system or network administrator. Verify whether the user identity and/or user agent should be making changes in your environment. Bucket component deletions by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-6m", "index": ["filebeat-*", "logs-aws.cloudtrail*"], "language": "eql", "license": "Elastic License v2", "name": "AWS S3 Bucket Server Access Logging Disabled", "note": "\n## Triage and Analysis\n\n### Investigating AWS S3 Bucket Server Access Logging Disabled\n\nThis rule detects when server access logging is disabled for an S3 bucket in AWS. Such configurations could potentially hide evidence of unauthorized access or malicious activity by preventing the recording of those requests.\n\n#### Detailed Investigation Steps\n\n- **Review the Affected S3 Bucket**: Check the bucket details (`bucketName`) where server access logging has been disabled.\n - Determine the contents and importance of the data stored in this bucket to assess the impact of disabled logging.\n- **Review User Identity and Activity**:\n - Investigate the user (`user_identity.arn`) who made the change. 
Determine whether this user's role typically involves managing S3 bucket configurations.\n - Examine the authentication method and whether the access key used (`access_key_id`) is routinely used for such configurations or if it has deviated from normal usage patterns.\n - Contact the account owner and confirm whether they are aware of this activity.\n - Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- **Contextualize with Recent Changes**: Compare this event against recent changes in S3 configurations. Look for any other recent permissions changes or unusual administrative actions.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n\n### False Positive Analysis\n\n- Verify the operational requirements that might necessitate disabling access logging, especially in environments where data retention policies are strictly governed for compliance and cost-saving reasons.\n\n### Response and Remediation\n\n- **Immediate Review**: If the change was unauthorized, consider reverting the change immediately to prevent potential data loss.\n- **Enhance Monitoring**: Implement monitoring to alert on changes to logging configurations across your S3 environments.\n- **User Education**: Ensure that users with access to critical resources like S3 buckets are 
aware of the best practices and company policies regarding data retention and security.\n\n### Additional Information\n\nFor further guidance on monitoring Amazon S3 and ensuring compliance with organizational data retention and security policies, refer to the AWS official documentation on [Monitoring Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/monitoring-overview.html).\n", "query": "any where event.dataset == \"aws.cloudtrail\" \n and event.action == \"PutBucketLogging\" \n and event.outcome == \"success\" \n and not stringContains(aws.cloudtrail.request_parameters, \"LoggingEnabled\")\n", "references": ["https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", "https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.request_parameters", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "a6788d4b-b241-4bf0-8986-a3b4315c5b70", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: Amazon S3", "Use Case: Asset Visibility", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.008", "name": "Disable or Modify Cloud Logs", "reference": "https://attack.mitre.org/techniques/T1562/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "a6788d4b-b241-4bf0-8986-a3b4315c5b70", "type": "security-rule"} \ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90.json b/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90.json
deleted file mode 100644
index 0b79b7f9653..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of the Event Monitor Daemon (emond) rules. Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Emond Rules Creation or Modification", "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path : (\"/private/etc/emond.d/rules/*.plist\", \"/etc/emon.d/rules/*.plist\", \"/private/var/db/emondClients/*\")\n", "references": ["https://www.xorrior.com/emond-persistence/", "https://www.sentinelone.com/blog/how-malware-persists-on-macos/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.014", "name": "Emond", "reference": "https://attack.mitre.org/techniques/T1546/014/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_102.json b/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_102.json
deleted file mode 100644
index 961ec6085cc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of the Event Monitor Daemon (emond) rules. Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Emond Rules Creation or Modification", "note": "", "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path : (\"/private/etc/emond.d/rules/*.plist\", \"/etc/emon.d/rules/*.plist\", \"/private/var/db/emondClients/*\")\n", "references": ["https://www.xorrior.com/emond-persistence/", "https://www.sentinelone.com/blog/how-malware-persists-on-macos/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.014", "name": "Emond", "reference": "https://attack.mitre.org/techniques/T1546/014/"}]}]}], "timestamp_override": "event.ingested", 
"type": "eql", "version": 102}, "id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_103.json b/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_103.json
deleted file mode 100644
index fdf77696d28..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of the Event Monitor Daemon (emond) rules. Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Emond Rules Creation or Modification", "note": "", "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path : (\"/private/etc/emond.d/rules/*.plist\", \"/etc/emon.d/rules/*.plist\", \"/private/var/db/emondClients/*\")\n", "references": ["https://www.xorrior.com/emond-persistence/", "https://www.sentinelone.com/blog/how-malware-persists-on-macos/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.014", "name": "Emond", "reference": "https://attack.mitre.org/techniques/T1546/014/"}]}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_104.json b/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_104.json
deleted file mode 100644
index 9923d76a1e8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of the Event Monitor Daemon (emond) rules. Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Emond Rules Creation or Modification", "note": "", "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path : (\"/private/etc/emond.d/rules/*.plist\", \"/etc/emon.d/rules/*.plist\", \"/private/var/db/emondClients/*\")\n", "references": ["https://www.xorrior.com/emond-persistence/", "https://www.sentinelone.com/blog/how-malware-persists-on-macos/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.014", "name": "Emond", "reference": 
"https://attack.mitre.org/techniques/T1546/014/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_105.json b/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_105.json
deleted file mode 100644
index 0bb9627a8eb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of the Event Monitor Daemon (emond) rules. Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Emond Rules Creation or Modification", "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path : (\"/private/etc/emond.d/rules/*.plist\", \"/etc/emon.d/rules/*.plist\", \"/private/var/db/emondClients/*\")\n", "references": ["https://www.xorrior.com/emond-persistence/", "https://www.sentinelone.com/blog/how-malware-persists-on-macos/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", 
"reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.014", "name": "Emond", "reference": "https://attack.mitre.org/techniques/T1546/014/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_106.json b/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_106.json
deleted file mode 100644
index 241df92adea..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of the Event Monitor Daemon (emond) rules. Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Emond Rules Creation or Modification", "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.path : (\"/private/etc/emond.d/rules/*.plist\", \"/etc/emon.d/rules/*.plist\", \"/private/var/db/emondClients/*\")\n", "references": ["https://www.xorrior.com/emond-persistence/", "https://www.sentinelone.com/blog/how-malware-persists-on-macos/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.014", "name": "Emond", "reference": "https://attack.mitre.org/techniques/T1546/014/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a74c60cb-70ee-4629-a127-608ead14ebf1.json b/packages/security_detection_engine/kibana/security_rule/a74c60cb-70ee-4629-a127-608ead14ebf1.json
deleted file mode 100644
index ec25b09aef2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a74c60cb-70ee-4629-a127-608ead14ebf1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected unusually high mean of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might require uninterrupted access to a compromised machine.", "from": "now-12h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_mean_rdp_session_duration", "name": "High Mean of RDP Session Duration", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "a74c60cb-70ee-4629-a127-608ead14ebf1", "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 4}, "id": "a74c60cb-70ee-4629-a127-608ead14ebf1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a74c60cb-70ee-4629-a127-608ead14ebf1_1.json b/packages/security_detection_engine/kibana/security_rule/a74c60cb-70ee-4629-a127-608ead14ebf1_1.json deleted file mode 100644 index 08411ea0f1e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a74c60cb-70ee-4629-a127-608ead14ebf1_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected unusually high mean of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might require uninterrupted access to a compromised machine.", "from": "now-12h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_mean_rdp_session_duration", "name": "High Mean of RDP Session Duration", "note": "", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "a74c60cb-70ee-4629-a127-608ead14ebf1", "setup": "The Lateral Movement Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 1}, "id": "a74c60cb-70ee-4629-a127-608ead14ebf1_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a74c60cb-70ee-4629-a127-608ead14ebf1_2.json b/packages/security_detection_engine/kibana/security_rule/a74c60cb-70ee-4629-a127-608ead14ebf1_2.json deleted file mode 100644 index 48bb0f0ca45..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/a74c60cb-70ee-4629-a127-608ead14ebf1_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected unusually high mean of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might require uninterrupted access to a compromised machine.", "from": "now-12h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_mean_rdp_session_duration", "name": "High Mean of RDP Session Duration", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "a74c60cb-70ee-4629-a127-608ead14ebf1", "setup": "The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". 
Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 2}, "id": "a74c60cb-70ee-4629-a127-608ead14ebf1_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a74c60cb-70ee-4629-a127-608ead14ebf1_3.json b/packages/security_detection_engine/kibana/security_rule/a74c60cb-70ee-4629-a127-608ead14ebf1_3.json deleted file mode 100644 index 5f917905552..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a74c60cb-70ee-4629-a127-608ead14ebf1_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected unusually high mean of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might require uninterrupted access to a compromised machine.", "from": "now-12h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_mean_rdp_session_duration", "name": "High Mean of RDP Session Duration", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "a74c60cb-70ee-4629-a127-608ead14ebf1", "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". 
Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 3}, "id": "a74c60cb-70ee-4629-a127-608ead14ebf1_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa.json b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa.json deleted file mode 100644 index c6f83553fc2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337.", "from": "now-9m", "index": ["logs-endpoint.events.file-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler SPL File Created", "note": "## Triage and analysis\n\n### Investigating Suspicious Print Spooler SPL File Created\n\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\n\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : \"spl\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n not process.name : (\"spoolsv.exe\",\n \"printfilterpipelinesvc.exe\",\n \"PrintIsolationHost.exe\",\n \"splwow64.exe\",\n \"msiexec.exe\",\n \"poqexec.exe\",\n \"System\") and\n not user.id : \"S-1-5-18\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"\\\\Device\\\\Mup\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\printui.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\PROGRA~1\\\\*.exe\",\n \"?:\\\\PROGRA~2\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\rundll32.exe\")\n", "references": ["https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, 
{"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_104.json b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_104.json deleted file mode 100644 index d767e2d2a48..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler SPL File Created", "note": "## Triage and analysis\n\n### Investigating Suspicious Print Spooler SPL File Created\n\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\n\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : \"spl\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n not process.name : (\"spoolsv.exe\",\n \"printfilterpipelinesvc.exe\",\n \"PrintIsolationHost.exe\",\n \"splwow64.exe\",\n \"msiexec.exe\",\n \"poqexec.exe\") and\n not user.id : \"S-1-5-18\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"\\\\Device\\\\Mup\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\printui.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\PROGRA~1\\\\*.exe\",\n \"?:\\\\PROGRA~2\\\\*.exe\")\n", "references": ["https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": 
"user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_105.json b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_105.json deleted file mode 100644 index f56f0699dc4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler SPL File Created", "note": "## Triage and analysis\n\n### Investigating Suspicious Print Spooler SPL File Created\n\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\n\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : \"spl\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n not process.name : (\"spoolsv.exe\",\n \"printfilterpipelinesvc.exe\",\n \"PrintIsolationHost.exe\",\n \"splwow64.exe\",\n \"msiexec.exe\",\n \"poqexec.exe\") and\n not user.id : \"S-1-5-18\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"\\\\Device\\\\Mup\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\printui.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\PROGRA~1\\\\*.exe\",\n \"?:\\\\PROGRA~2\\\\*.exe\")\n", "references": ["https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": 
"user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_106.json b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_106.json
deleted file mode 100644
index cde6aa11ddf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler SPL File Created", "note": "## Triage and analysis\n\n### Investigating Suspicious Print Spooler SPL File Created\n\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\n\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : \"spl\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n not process.name : (\"spoolsv.exe\",\n \"printfilterpipelinesvc.exe\",\n \"PrintIsolationHost.exe\",\n \"splwow64.exe\",\n \"msiexec.exe\",\n \"poqexec.exe\") and\n not user.id : \"S-1-5-18\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"\\\\Device\\\\Mup\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\printui.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\PROGRA~1\\\\*.exe\",\n \"?:\\\\PROGRA~2\\\\*.exe\")\n", "references": ["https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": 
"user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_107.json b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_107.json
deleted file mode 100644
index c2ebb6e4a2d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler SPL File Created", "note": "## Triage and analysis\n\n### Investigating Suspicious Print Spooler SPL File Created\n\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\n\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : \"spl\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n not process.name : (\"spoolsv.exe\",\n \"printfilterpipelinesvc.exe\",\n \"PrintIsolationHost.exe\",\n \"splwow64.exe\",\n \"msiexec.exe\",\n \"poqexec.exe\") and\n not user.id : \"S-1-5-18\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"\\\\Device\\\\Mup\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\printui.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\PROGRA~1\\\\*.exe\",\n \"?:\\\\PROGRA~2\\\\*.exe\")\n", "references": ["https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": 
"user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_108.json b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_108.json
deleted file mode 100644
index 4e9cba5a4af..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler SPL File Created", "note": "## Triage and analysis\n\n### Investigating Suspicious Print Spooler SPL File Created\n\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\n\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : \"spl\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n not process.name : (\"spoolsv.exe\",\n \"printfilterpipelinesvc.exe\",\n \"PrintIsolationHost.exe\",\n \"splwow64.exe\",\n \"msiexec.exe\",\n \"poqexec.exe\") and\n not user.id : \"S-1-5-18\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"\\\\Device\\\\Mup\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\printui.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\PROGRA~1\\\\*.exe\",\n \"?:\\\\PROGRA~2\\\\*.exe\")\n", "references": ["https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": 
"user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_109.json b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_109.json
deleted file mode 100644
index 778f883bbf5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler SPL File Created", "note": "## Triage and analysis\n\n### Investigating Suspicious Print Spooler SPL File Created\n\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\n\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : \"spl\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n not process.name : (\"spoolsv.exe\",\n \"printfilterpipelinesvc.exe\",\n \"PrintIsolationHost.exe\",\n \"splwow64.exe\",\n \"msiexec.exe\",\n \"poqexec.exe\",\n \"System\") and\n not user.id : \"S-1-5-18\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"\\\\Device\\\\Mup\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\printui.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\PROGRA~1\\\\*.exe\",\n \"?:\\\\PROGRA~2\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\rundll32.exe\")\n", "references": ["https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, 
"name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_110.json b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_110.json deleted file mode 100644 index b4f9bee5f23..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler SPL File Created", "note": "## Triage and analysis\n\n### Investigating Suspicious Print Spooler SPL File Created\n\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\n\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : \"spl\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n not process.name : (\"spoolsv.exe\",\n \"printfilterpipelinesvc.exe\",\n \"PrintIsolationHost.exe\",\n \"splwow64.exe\",\n \"msiexec.exe\",\n \"poqexec.exe\",\n \"System\") and\n not user.id : \"S-1-5-18\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"\\\\Device\\\\Mup\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\printui.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\PROGRA~1\\\\*.exe\",\n \"?:\\\\PROGRA~2\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\rundll32.exe\")\n", "references": ["https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, 
{"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_111.json b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_111.json deleted file mode 100644 index 073e1f271e4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337.", "from": "now-9m", "index": ["logs-endpoint.events.file-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler SPL File Created", "note": "## Triage and analysis\n\n### Investigating Suspicious Print Spooler SPL File Created\n\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\n\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : \"spl\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n not process.name : (\"spoolsv.exe\",\n \"printfilterpipelinesvc.exe\",\n \"PrintIsolationHost.exe\",\n \"splwow64.exe\",\n \"msiexec.exe\",\n \"poqexec.exe\",\n \"System\") and\n not user.id : \"S-1-5-18\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"\\\\Device\\\\Mup\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\printui.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\PROGRA~1\\\\*.exe\",\n \"?:\\\\PROGRA~2\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\rundll32.exe\")\n", "references": ["https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, 
{"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_112.json b/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_112.json deleted file mode 100644 index 56213d8e56f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a7ccae7b-9d2c-44b2-a061-98e5946971fa_112.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including CVE-2020-1048 and CVE-2020-1337.", "from": "now-9m", "index": ["logs-endpoint.events.file-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler SPL File Created", "note": "## Triage and analysis\n\n### Investigating Suspicious Print Spooler SPL File Created\n\nPrint Spooler is a Windows service enabled by default in all Windows clients and servers. The service manages print jobs by loading printer drivers, receiving files to be printed, queuing them, scheduling, etc.\n\nThe Print Spooler service has some known vulnerabilities that attackers can abuse to escalate privileges to SYSTEM, like CVE-2020-1048 and CVE-2020-1337. This rule looks for unusual processes writing SPL files to the location `?:\\Windows\\System32\\spool\\PRINTERS\\`, which is an essential step in exploiting these vulnerabilities.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of process executable and file conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Ensure that the machine has the latest security updates and is not running legacy Windows versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : \"spl\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\PRINTERS\\\\*\" and\n not process.name : (\"spoolsv.exe\",\n \"printfilterpipelinesvc.exe\",\n \"PrintIsolationHost.exe\",\n \"splwow64.exe\",\n \"msiexec.exe\",\n \"poqexec.exe\",\n \"System\") and\n not user.id : \"S-1-5-18\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"\\\\Device\\\\Mup\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\mmc.exe\",\n \"?:\\\\Windows\\\\System32\\\\printui.exe\",\n \"?:\\\\Windows\\\\System32\\\\mstsc.exe\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\PROGRA~1\\\\*.exe\",\n \"?:\\\\PROGRA~2\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\rundll32.exe\")\n", "references": ["https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, 
{"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "a7ccae7b-9d2c-44b2-a061-98e5946971fa_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8.json b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8.json deleted file mode 100644 index 860f2f6fc7d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Credential Acquisition via Registry Hive Dumping", "note": "## Triage and analysis\n\n### Investigating Credential Acquisition via Registry Hive Dumping\n\nDumping registry hives is a common way to access credential information as some hives store credential material.\n\nFor example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached credentials (LSA secrets).\n\nDumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nThis rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, which potentially indicates the compromise of the credentials stored in the host.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the credential material was exfiltrated or processed locally by other tools.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes using command line tools like `reg.exe`. 
Check whether the user is legitamitely performing this kind of activity.\n\n### Related rules\n\n- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.pe.original_file_name == \"reg.exe\" or process.name : \"reg.exe\") and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\")\n", "references": ["https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": 
true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.004", "name": "LSA Secrets", "reference": "https://attack.mitre.org/techniques/T1003/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_104.json b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_104.json
deleted file mode 100644
index c88c0c24f09..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Credential Acquisition via Registry Hive Dumping", "note": "## Triage and analysis\n\n### Investigating Credential Acquisition via Registry Hive Dumping\n\nDumping registry hives is a common way to access credential information as some hives store credential material.\n\nFor example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached credentials (LSA secrets).\n\nDumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nThis rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, which potentially indicates the compromise of the credentials stored in the host.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the credential material was exfiltrated or processed locally by other tools.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes using command line tools like `reg.exe`. 
Check whether the user is legitamitely performing this kind of activity.\n\n### Related rules\n\n- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"reg.exe\" and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\")\n", "references": ["https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8", 
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.004", "name": "LSA Secrets", "reference": "https://attack.mitre.org/techniques/T1003/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_105.json b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_105.json
deleted file mode 100644
index 8737aedcacf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Credential Acquisition via Registry Hive Dumping", "note": "## Triage and analysis\n\n### Investigating Credential Acquisition via Registry Hive Dumping\n\nDumping registry hives is a common way to access credential information as some hives store credential material.\n\nFor example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached credentials (LSA secrets).\n\nDumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nThis rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, which potentially indicates the compromise of the credentials stored in the host.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the credential material was exfiltrated or processed locally by other tools.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes using command line tools like `reg.exe`. 
Check whether the user is legitamitely performing this kind of activity.\n\n### Related rules\n\n- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"reg.exe\" and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\")\n", "references": ["https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8", 
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.004", "name": "LSA Secrets", "reference": "https://attack.mitre.org/techniques/T1003/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_106.json b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_106.json
deleted file mode 100644
index c5df59a4a68..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Credential Acquisition via Registry Hive Dumping", "note": "## Triage and analysis\n\n### Investigating Credential Acquisition via Registry Hive Dumping\n\nDumping registry hives is a common way to access credential information as some hives store credential material.\n\nFor example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached credentials (LSA secrets).\n\nDumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nThis rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, which potentially indicates the compromise of the credentials stored in the host.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the credential material was exfiltrated or processed locally by other tools.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes using command line tools like `reg.exe`. 
Check whether the user is legitamitely performing this kind of activity.\n\n### Related rules\n\n- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"reg.exe\" and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\")\n", "references": ["https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8", 
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.004", "name": "LSA Secrets", "reference": "https://attack.mitre.org/techniques/T1003/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_107.json b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_107.json
deleted file mode 100644
index e0263f303dc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Credential Acquisition via Registry Hive Dumping", "note": "## Triage and analysis\n\n### Investigating Credential Acquisition via Registry Hive Dumping\n\nDumping registry hives is a common way to access credential information as some hives store credential material.\n\nFor example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached credentials (LSA secrets).\n\nDumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nThis rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, which potentially indicates the compromise of the credentials stored in the host.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the credential material was exfiltrated or processed locally by other tools.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes using command line tools like `reg.exe`. 
Check whether the user is legitamitely performing this kind of activity.\n\n### Related rules\n\n- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name == \"reg.exe\" and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\")\n", "references": ["https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": 
"a7e7bfa3-088e-4f13-b29e-3986e0e756b8", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.004", "name": "LSA Secrets", "reference": "https://attack.mitre.org/techniques/T1003/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_108.json b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_108.json
deleted file mode 100644
index 1bd8f3aa7bc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Credential Acquisition via Registry Hive Dumping", "note": "## Triage and analysis\n\n### Investigating Credential Acquisition via Registry Hive Dumping\n\nDumping registry hives is a common way to access credential information as some hives store credential material.\n\nFor example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached credentials (LSA secrets).\n\nDumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nThis rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, which potentially indicates the compromise of the credentials stored in the host.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the credential material was exfiltrated or processed locally by other tools.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes using command line tools like `reg.exe`. 
Check whether the user is legitamitely performing this kind of activity.\n\n### Related rules\n\n- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.pe.original_file_name == \"reg.exe\" or process.name : \"reg.exe\") and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\")\n", "references": ["https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, 
{"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.004", "name": "LSA Secrets", "reference": "https://attack.mitre.org/techniques/T1003/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_109.json b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_109.json
deleted file mode 100644
index ed6b1902e3d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Credential Acquisition via Registry Hive Dumping", "note": "## Triage and analysis\n\n### Investigating Credential Acquisition via Registry Hive Dumping\n\nDumping registry hives is a common way to access credential information as some hives store credential material.\n\nFor example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached credentials (LSA secrets).\n\nDumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nThis rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, which potentially indicates the compromise of the credentials stored in the host.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the credential material was exfiltrated or processed locally by other tools.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes using command line tools like `reg.exe`. 
Check whether the user is legitamitely performing this kind of activity.\n\n### Related rules\n\n- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.pe.original_file_name == \"reg.exe\" or process.name : \"reg.exe\") and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\")\n", "references": ["https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": 
true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.004", "name": "LSA Secrets", "reference": "https://attack.mitre.org/techniques/T1003/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_110.json b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_110.json deleted file mode 100644 index 6b59df1a148..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Credential Acquisition via Registry Hive Dumping", "note": "## Triage and analysis\n\n### Investigating Credential Acquisition via Registry Hive Dumping\n\nDumping registry hives is a common way to access credential information as some hives store credential material.\n\nFor example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached credentials (LSA secrets).\n\nDumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nThis rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, which potentially indicates the compromise of the credentials stored in the host.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the credential material was exfiltrated or processed locally by other tools.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes using command line tools like `reg.exe`. 
Check whether the user is legitamitely performing this kind of activity.\n\n### Related rules\n\n- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.pe.original_file_name == \"reg.exe\" or process.name : \"reg.exe\") and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\")\n", "references": ["https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": 
true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.004", "name": "LSA Secrets", "reference": "https://attack.mitre.org/techniques/T1003/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_111.json b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_111.json deleted file mode 100644 index 111106ac2a3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Credential Acquisition via Registry Hive Dumping", "note": "## Triage and analysis\n\n### Investigating Credential Acquisition via Registry Hive Dumping\n\nDumping registry hives is a common way to access credential information as some hives store credential material.\n\nFor example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached credentials (LSA secrets).\n\nDumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nThis rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, which potentially indicates the compromise of the credentials stored in the host.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the credential material was exfiltrated or processed locally by other tools.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes using command line tools like `reg.exe`. 
Check whether the user is legitamitely performing this kind of activity.\n\n### Related rules\n\n- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.pe.original_file_name == \"reg.exe\" or process.name : \"reg.exe\") and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\")\n", "references": ["https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": 
true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.004", "name": "LSA Secrets", "reference": "https://attack.mitre.org/techniques/T1003/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_311.json b/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_311.json deleted file mode 100644 index 875100d77fa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a7e7bfa3-088e-4f13-b29e-3986e0e756b8_311.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Credential Acquisition via Registry Hive Dumping", "note": "## Triage and analysis\n\n### Investigating Credential Acquisition via Registry Hive Dumping\n\nDumping registry hives is a common way to access credential information as some hives store credential material.\n\nFor example, the SAM hive stores locally cached credentials (SAM Secrets), and the SECURITY hive stores domain cached credentials (LSA secrets).\n\nDumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets.\n\nThis rule identifies the usage of `reg.exe` to dump SECURITY and/or SAM hives, which potentially indicates the compromise of the credentials stored in the host.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate if the credential material was exfiltrated or processed locally by other tools.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target host.\n\n### False positive analysis\n\n- Administrators can export registry hives for backup purposes using command line tools like `reg.exe`. Check whether the user is legitamitely performing this kind of activity.\n\n### Related rules\n\n- Registry Hive File Creation via SMB - a4c7473a-5cb4-4bc1-9d06-e4a75adbc494\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.pe.original_file_name == \"reg.exe\" or process.name : \"reg.exe\") and\n process.args : (\"save\", \"export\") and\n process.args : (\"hklm\\\\sam\", \"hklm\\\\security\")\n", "references": ["https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", 
"version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.004", "name": "LSA Secrets", "reference": "https://attack.mitre.org/techniques/T1003/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 311}, "id": "a7e7bfa3-088e-4f13-b29e-3986e0e756b8_311", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a80d96cd-1164-41b3-9852-ef58724be496.json b/packages/security_detection_engine/kibana/security_rule/a80d96cd-1164-41b3-9852-ef58724be496.json deleted file mode 100644 index de29953b129..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a80d96cd-1164-41b3-9852-ef58724be496.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule leverages the new_terms rule type to identify the creation of a potentially unsafe docker container from an unusual parent process. Attackers can use the `--privileged` flag to create containers with escalated privileges, which can lead to trivial privilege escalation, docker escaping and persistence. access.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.process*"], "language": "kuery", "license": "Elastic License v2", "name": "Privileged Docker Container Creation", "new_terms_fields": ["process.parent.executable"], "query": "host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:docker and\nprocess.args:(run and --privileged)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "a80d96cd-1164-41b3-9852-ef58724be496", "setup": "## Setup\nThis rule requires data coming in from Elastic Defend.\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1609", "name": "Container Administration Command", "reference": "https://attack.mitre.org/techniques/T1609/"}, {"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "a80d96cd-1164-41b3-9852-ef58724be496", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a80d96cd-1164-41b3-9852-ef58724be496_1.json b/packages/security_detection_engine/kibana/security_rule/a80d96cd-1164-41b3-9852-ef58724be496_1.json deleted file mode 100644 index 0d3e24ffd80..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/a80d96cd-1164-41b3-9852-ef58724be496_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule leverages the new_terms rule type to identify the creation of a potentially unsafe docker container from an unusual parent process. Attackers can use the `--privileged` flag to create containers with escalated privileges, which can lead to trivial privilege escalation, docker escaping and persistence. access.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.process*"], "language": "kuery", "license": "Elastic License v2", "name": "Privileged Docker Container Creation", "new_terms_fields": ["process.parent.executable"], "query": "host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:docker and\nprocess.args:(run and --privileged)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "a80d96cd-1164-41b3-9852-ef58724be496", "setup": "## Setup\nThis rule requires data coming in from Elastic Defend.\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1609", "name": "Container Administration Command", "reference": "https://attack.mitre.org/techniques/T1609/"}, {"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "a80d96cd-1164-41b3-9852-ef58724be496_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a83b3dac-325a-11ef-b3e6-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/a83b3dac-325a-11ef-b3e6-f661ea17fbce.json deleted file mode 100644 index c2740f8af2a..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/a83b3dac-325a-11ef-b3e6-f661ea17fbce.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies device code authentication with an Azure broker client for Entra ID. Adversaries abuse Primary Refresh Tokens (PRTs) to bypass multi-factor authentication (MFA) and gain unauthorized access to Azure resources. PRTs are used in Conditional Access policies to enforce device-based controls. Compromising PRTs allows attackers to bypass these policies and gain unauthorized access. This rule detects successful sign-ins using device code authentication with the Entra ID broker client application ID (29d9ed98-a469-4536-ade2-f981bc1d605e).", "from": "now-9m", "index": ["filebeat-*", "logs-azure.signinlogs-*", "logs-azure.activitylogs-*"], "language": "kuery", "license": "Elastic License v2", "name": "Entra ID Device Code Auth with Broker Client", "query": " event.dataset:(azure.activitylogs or azure.signinlogs)\n and azure.signinlogs.properties.authentication_protocol:deviceCode\n and azure.signinlogs.properties.conditional_access_audiences.application_id:29d9ed98-a469-4536-ade2-f981bc1d605e\n and event.outcome:success or (\n azure.activitylogs.properties.appId:29d9ed98-a469-4536-ade2-f981bc1d605e\n and azure.activitylogs.properties.authentication_protocol:deviceCode)\n", "references": ["https://dirkjanm.io/assets/raw/Phishing%20the%20Phishing%20Resistant.pdf", "https://learn.microsoft.com/en-us/troubleshoot/azure/entra/entra-id/governance/verify-first-party-apps-sign-in", "https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/signinlogs"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}, {"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.properties.appId", "type": "unknown"}, {"ecs": false, "name": "azure.activitylogs.properties.authentication_protocol", "type": "unknown"}, {"ecs": false, "name": "azure.signinlogs.properties.authentication_protocol", "type": "keyword"}, 
{"ecs": false, "name": "azure.signinlogs.properties.conditional_access_audiences.application_id", "type": "unknown"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "a83b3dac-325a-11ef-b3e6-f661ea17fbce", "setup": "This rule optionally requires Azure Sign-In logs from the Azure integration. Ensure that the Azure integration is correctly set up and that the required data is being collected.\n", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Azure", "Data Source: Microsoft Entra ID", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1528", "name": "Steal Application Access Token", "reference": "https://attack.mitre.org/techniques/T1528/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "a83b3dac-325a-11ef-b3e6-f661ea17fbce", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e.json b/packages/security_detection_engine/kibana/security_rule/a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e.json deleted file mode 100644 index e093240d0a3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A POST request to a web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed.", "false_positives": ["Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."], "index": ["apm-*-transaction*", "traces-apm*"], "language": "kuery", "license": "Elastic License v2", "name": "Web Application Suspicious Activity: POST Request Declined", "query": "http.response.status_code:403 and http.request.method:post\n", "references": ["https://en.wikipedia.org/wiki/HTTP_403"], "related_integrations": [{"package": "apm", "version": "^8.0.0"}], "required_fields": [{"ecs": true, "name": "http.request.method", "type": "keyword"}, {"ecs": true, "name": "http.response.status_code", "type": "long"}], "risk_score": 47, "rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e", "severity": "medium", "tags": ["Data Source: APM"], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e_101.json b/packages/security_detection_engine/kibana/security_rule/a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e_101.json deleted file mode 100644 index 9b7b22e71c2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A POST request to a web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed.", "false_positives": ["Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."], "index": ["apm-*-transaction*", "traces-apm*"], "language": "kuery", "license": "Elastic License v2", "name": "Web Application Suspicious Activity: POST Request Declined", "query": "http.response.status_code:403 and http.request.method:post\n", "references": ["https://en.wikipedia.org/wiki/HTTP_403"], "related_integrations": [{"package": "apm", "version": "^8.0.0"}], "required_fields": [{"ecs": true, "name": "http.request.method", "type": "keyword"}, {"ecs": true, "name": "http.response.status_code", "type": "long"}], "risk_score": 47, "rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e", "severity": "medium", "tags": ["Elastic", "APM"], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a8aaa49d-9834-462d-bf8f-b1255cebc004.json b/packages/security_detection_engine/kibana/security_rule/a8aaa49d-9834-462d-bf8f-b1255cebc004.json deleted file mode 100644 index d2766538de2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a8aaa49d-9834-462d-bf8f-b1255cebc004.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects successful authentications via PAM grantors that are not commonly used. This could indicate an attacker is attempting to escalate privileges or maintain persistence on the system by modifying the default PAM configuration.", "from": "now-9m", "history_window_start": "now-14d", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "kuery", "license": "Elastic License v2", "name": "Authentication via Unusual PAM Grantor", "new_terms_fields": ["auditd.data.grantors", "agent.id"], "query": "event.category:authentication and host.os.type:linux and event.action:authenticated and event.outcome:success and\nauditd.data.grantors:(* and not (pam_rootok or *pam_cap* or *pam_permit*))\n", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.grantors", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "a8aaa49d-9834-462d-bf8f-b1255cebc004", "setup": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. 
The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, no additional configuration is required.\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "a8aaa49d-9834-462d-bf8f-b1255cebc004", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd.json b/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd.json deleted file mode 100644 index eda44c71925..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing payloads via a trusted webservice.", "false_positives": ["Approved third-party applications that use Google Drive download URLs.", "Legitimate publicly shared files from Google Drive."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint*", "logs-system.security*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Downloaded from Google Drive", "query": "process where\n\n /* common browser processes */\n event.action in (\"exec\", \"fork\", \"start\") and \n\n process.name : (\"Microsoft Edge\", \"chrome.exe\", \"Google Chrome\", \"google-chrome-stable\", \n \"google-chrome-beta\", \"google-chrome\", \"msedge.exe\", \"firefox.exe\", \"brave.exe\", \n \"whale.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\", \"opera.exe\", \"firefox\", \n \"powershell.exe\", \"curl\", \"curl.exe\", \"wget\", \"wget.exe\") and \n\n /* Look for Google Drive download URL with AV flag skipping */\n (process.command_line : \"*drive.google.com*\" and process.command_line : \"*export=download*\" and process.command_line : \"*confirm=no_antivirus*\")\n", "references": ["https://intelligence.abnormalsecurity.com/blog/google-drive-matanbuchus-malware"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a8afdce2-0ec1-11ee-b843-f661ea17fbcd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "a8afdce2-0ec1-11ee-b843-f661ea17fbcd", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd_1.json b/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd_1.json deleted file mode 100644 index e82799ae57a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential malicious file download and execution from Google Drive. The rule checks for download activity from Google Drive URL, followed by the creation of files commonly leveraged by or for malware. This could indicate an attempt to run malicious scripts, executables or payloads.", "false_positives": ["Approved third-party applications that use Google Drive download URLs.", "Legitimate publicly shared files from Google Drive."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Malicious File Downloaded from Google Drive", "query": "sequence by host.id, process.entity_id with maxspan=30s\n[any where\n\n /* Look for processes started or libraries loaded from untrusted or unsigned Windows, Linux or macOS binaries */\n (event.action in (\"exec\", \"fork\", \"start\", \"load\")) or\n\n /* Look for Google Drive download URL with AV flag skipping */\n (process.args : \"*drive.google.com*\" and process.args : \"*export=download*\" and process.args : \"*confirm=no_antivirus*\")\n]\n\n[network where\n /* Look for DNS requests for Google Drive */\n (dns.question.name : \"drive.google.com\" and dns.question.type : \"A\") or\n\n /* Look for connection attempts to address that resolves to Google */\n (destination.as.organization.name : \"GOOGLE\" and event.action == \"connection_attempted\")\n\n /* NOTE: Add LoLBins if tuning is required\n process.name : (\n \"cmd.exe\", \"bitsadmin.exe\", \"certutil.exe\", \"esentutl.exe\", \"wmic.exe\", \"PowerShell.exe\",\n \"homedrive.exe\",\"regsvr32.exe\", \"mshta.exe\", \"rundll32.exe\", \"cscript.exe\", \"wscript.exe\",\n \"curl\", \"wget\", \"scp\", \"ftp\", \"python\", \"perl\", \"ruby\"))] */\n]\n\n/* Identify the creation of files following Google Drive connection with extensions commonly used for executables or libraries */\n[file where event.action == \"creation\" and 
file.extension : (\n \"exe\", \"dll\", \"scr\", \"jar\", \"pif\", \"app\", \"dmg\", \"pkg\", \"elf\", \"so\", \"bin\", \"deb\", \"rpm\",\"sh\",\"hta\",\"lnk\"\n )\n]\n", "references": ["https://intelligence.abnormalsecurity.com/blog/google-drive-matanbuchus-malware"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.as.organization.name", "type": "keyword"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "dns.question.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}], "risk_score": 73, "rule_id": "a8afdce2-0ec1-11ee-b843-f661ea17fbcd", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "type": "eql", "version": 1}, "id": "a8afdce2-0ec1-11ee-b843-f661ea17fbcd_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd_2.json b/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd_2.json deleted file mode 100644 index 2c1a122a7e4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential malicious file download and execution from Google Drive. The rule checks for download activity from Google Drive URL, followed by the creation of files commonly leveraged by or for malware. This could indicate an attempt to run malicious scripts, executables or payloads.", "false_positives": ["Approved third-party applications that use Google Drive download URLs.", "Legitimate publicly shared files from Google Drive."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Malicious File Downloaded from Google Drive", "query": "sequence by host.id, process.entity_id with maxspan=30s\n[any where\n\n /* Look for processes started or libraries loaded from untrusted or unsigned Windows, Linux or macOS binaries */\n (event.action in (\"exec\", \"fork\", \"start\", \"load\")) or\n\n /* Look for Google Drive download URL with AV flag skipping */\n (process.args : \"*drive.google.com*\" and process.args : \"*export=download*\" and process.args : \"*confirm=no_antivirus*\")\n\n /* ignore trusted processes */\n and not (\n process.code_signature.trusted == true and\n process.code_signature.subject_name:\n (\"Mozilla Corporation\",\n \"Google LLC\",\n \"Google Inc\",\n \"Bitdefender SRL\",\n \"Microsoft Corporation\",\n \"Netskope, Inc.\",\n \"Avast Software s.r.o.\",\n \"Microsoft Windows\",\n \"AVG Technologies USA, LLC\",\n \"Symantec Corporation\",\n \"Trend Micro, Inc.\",\n \"Palo Alto Networks (Netherlands) B.V.\",\n \"Docker Inc\"))\n\n /* ignore common benign processes */\n and not process.executable:\n (\"/bin/terraform\",\n \"*/bin/dockerd\",\n \"/usr/local/bin/docker-init\",\n \"*/bin/go\",\n \"?:\\\\Program Files*\\\\Mozilla Firefox\\firefox.exe\",\n \"?:\\\\Program Files*\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\")\n\n /* ignore shellscripts + go install from legitimate repository*/\n and 
not (process.executable == \"/bin/sh\" and process.args : \"go install google.golang.org*\")]\n\n[network where\n /* Look for DNS requests for Google Drive */\n (dns.question.name : \"drive.google.com\" and dns.question.type : \"A\") or\n\n /* Look for connection attempts to address that resolves to Google */\n (destination.as.organization.name : \"GOOGLE\" and event.action == \"connection_attempted\")]\n\n/* Identify the creation of files following Google Drive connection with extensions commonly used for executables or libraries */\n[file where event.action == \"creation\" and\n file.extension :\n (\"exe\", \"dll\", \"scr\", \"jar\", \"pif\", \"app\", \"dmg\",\n \"pkg\", \"elf\", \"so\", \"bin\", \"deb\", \"rpm\",\"sh\",\"hta\",\"lnk\")]\n", "references": ["https://intelligence.abnormalsecurity.com/blog/google-drive-matanbuchus-malware"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.as.organization.name", "type": "keyword"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "dns.question.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "a8afdce2-0ec1-11ee-b843-f661ea17fbcd", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": 
"https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "type": "eql", "version": 2}, "id": "a8afdce2-0ec1-11ee-b843-f661ea17fbcd_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd_3.json b/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd_3.json deleted file mode 100644 index 5a6a7b35b4f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a8afdce2-0ec1-11ee-b843-f661ea17fbcd_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing payloads via a trusted webservice.", "false_positives": ["Approved third-party applications that use Google Drive download URLs.", "Legitimate publicly shared files from Google Drive."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Downloaded from Google Drive", "query": "process where\n\n /* common browser processes */\n event.action in (\"exec\", \"fork\", \"start\") and \n\n process.name : (\"Microsoft Edge\", \"chrome.exe\", \"Google Chrome\", \"google-chrome-stable\", \n \"google-chrome-beta\", \"google-chrome\", \"msedge.exe\", \"firefox.exe\", \"brave.exe\", \n \"whale.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\", \"opera.exe\", \"firefox\", \n \"powershell.exe\", \"curl\", \"curl.exe\", \"wget\", \"wget.exe\") and \n\n /* Look for Google Drive download URL with AV flag skipping */\n (process.command_line : \"*drive.google.com*\" and process.command_line : \"*export=download*\" and process.command_line : \"*confirm=no_antivirus*\")\n", "references": ["https://intelligence.abnormalsecurity.com/blog/google-drive-matanbuchus-malware"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a8afdce2-0ec1-11ee-b843-f661ea17fbcd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": 
"Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "a8afdce2-0ec1-11ee-b843-f661ea17fbcd_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a8d35ca0-ad8d-48a9-9f6c-553622dca61a.json b/packages/security_detection_engine/kibana/security_rule/a8d35ca0-ad8d-48a9-9f6c-553622dca61a.json deleted file mode 100644 index bacc4480f2f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a8d35ca0-ad8d-48a9-9f6c-553622dca61a.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected unusually high variance of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might require uninterrupted access to a compromised machine.", "from": "now-12h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_var_rdp_session_duration", "name": "High Variance in RDP Session Duration", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "a8d35ca0-ad8d-48a9-9f6c-553622dca61a", "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 4}, "id": "a8d35ca0-ad8d-48a9-9f6c-553622dca61a", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a8d35ca0-ad8d-48a9-9f6c-553622dca61a_1.json b/packages/security_detection_engine/kibana/security_rule/a8d35ca0-ad8d-48a9-9f6c-553622dca61a_1.json deleted file mode 100644 index 2788c35056d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a8d35ca0-ad8d-48a9-9f6c-553622dca61a_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected unusually high variance of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might require uninterrupted access to a compromised machine.", "from": "now-12h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_var_rdp_session_duration", "name": "High Variance in RDP Session Duration", "note": "", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "a8d35ca0-ad8d-48a9-9f6c-553622dca61a", "setup": "The Lateral Movement Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 1}, "id": "a8d35ca0-ad8d-48a9-9f6c-553622dca61a_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a8d35ca0-ad8d-48a9-9f6c-553622dca61a_2.json b/packages/security_detection_engine/kibana/security_rule/a8d35ca0-ad8d-48a9-9f6c-553622dca61a_2.json deleted file mode 100644 index d3f6bd31a6c..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/a8d35ca0-ad8d-48a9-9f6c-553622dca61a_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected unusually high variance of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might require uninterrupted access to a compromised machine.", "from": "now-12h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_var_rdp_session_duration", "name": "High Variance in RDP Session Duration", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "a8d35ca0-ad8d-48a9-9f6c-553622dca61a", "setup": "The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". 
Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 2}, "id": "a8d35ca0-ad8d-48a9-9f6c-553622dca61a_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/a8d35ca0-ad8d-48a9-9f6c-553622dca61a_3.json b/packages/security_detection_engine/kibana/security_rule/a8d35ca0-ad8d-48a9-9f6c-553622dca61a_3.json deleted file mode 100644 index a957b2499f2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/a8d35ca0-ad8d-48a9-9f6c-553622dca61a_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected unusually high variance of RDP session duration. Long RDP sessions can be used to evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that might require uninterrupted access to a compromised machine.", "from": "now-12h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_var_rdp_session_duration", "name": "High Variance in RDP Session Duration", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "a8d35ca0-ad8d-48a9-9f6c-553622dca61a", "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". 
Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 3}, "id": "a8d35ca0-ad8d-48a9-9f6c-553622dca61a_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2.json b/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2.json
deleted file mode 100644
index c2c4a690784..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a Safe Link policy is disabled in Microsoft 365. Safe Link policies for Office applications extend phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.", "false_positives": ["Disabling safe links may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Safe Link Policy Disabled", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeLinksRule\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safelinksrule?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": 
"T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_101.json b/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_101.json
deleted file mode 100644
index b7a894301a5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_101.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a Safe Link policy is disabled in Microsoft 365. Safe Link policies for Office applications extend phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.", "false_positives": ["Disabling safe links may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Safe Link Policy Disabled", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeLinksRule\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safelinksrule?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": 
"Phishing", "reference": "https://attack.mitre.org/techniques/T1566/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_102.json b/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_102.json
deleted file mode 100644
index dbb158c5f0d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a Safe Link policy is disabled in Microsoft 365. Safe Link policies for Office applications extend phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.", "false_positives": ["Disabling safe links may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Safe Link Policy Disabled", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeLinksRule\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safelinksrule?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": 
"T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_103.json b/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_103.json
deleted file mode 100644
index 0b45cae8a6f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a Safe Link policy is disabled in Microsoft 365. Safe Link policies for Office applications extend phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.", "false_positives": ["Disabling safe links may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Safe Link Policy Disabled", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeLinksRule\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safelinksrule?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": 
"T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_105.json b/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_105.json
deleted file mode 100644
index 17a42f897ce..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a Safe Link policy is disabled in Microsoft 365. Safe Link policies for Office applications extend phishing protection to documents that contain hyperlinks, even after they have been delivered to a user.", "false_positives": ["Disabling safe links may be done by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Safe Link Policy Disabled", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Disable-SafeLinksRule\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safelinksrule?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": 
"T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73.json b/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73.json
deleted file mode 100644
index 5d511f7ac7e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.", "false_positives": ["Password policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Password Policy Modified", "note": "## Triage and analysis\n\n### Investigating Google Workspace Password Policy Modified\n\nGoogle Workspace administrators manage password policies to enforce password requirements for an organization's compliance needs. Administrators have the capability to set restrictions on password length, reset frequency, reuse capability, expiration, and much more. Google Workspace also allows multi-factor authentication (MFA) and 2-step verification (2SV) for authentication.\n\nThreat actors might rely on weak password policies or restrictions to attempt credential access by using password stuffing or spraying techniques for cloud-based user accounts. 
Administrators might introduce increased risk to credential access from a third-party by weakening the password restrictions for an organization.\n\nThis rule detects when a Google Workspace password policy is modified to decrease password complexity or to adjust the reuse and reset frequency.\n\n#### Possible investigation steps\n\n- Identify associated user account(s) by reviewing the `user.name` or `source.user.email` fields in the alert.\n- Identify the password setting that was created or adjusted by reviewing `google_workspace.admin.setting.name` field.\n- Check if a password setting was enabled or disabled by reviewing the `google_workspace.admin.new_value` and `google_workspace.admin.old_value` fields.\n- After identifying the involved user, verify administrative privileges are scoped properly to change.\n- Filter `event.dataset` for `google_workspace.login` and aggregate by `user.name`, `event.action`.\n - The `google_workspace.login.challenge_method` field can be used to identify the challenge method used for failed and successful logins.\n\n### False positive analysis\n\n- After identifying the user account that updated the password policy, verify whether the action was intentional.\n- Verify whether the user should have administrative privileges in Google Workspace to modify password policies.\n- Review organizational units or groups the role may have been added to and ensure the new privileges align properly.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider resetting passwords for potentially affected users.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact 
on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators might observe lag times ranging from several minutes to 3 days between the event occurrence time and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and\n event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and\n google_workspace.admin.setting.name:(\n \"Password Management - Enforce strong password\" or\n \"Password Management - Password reset frequency\" or\n \"Password Management - Enable password reuse\" or\n \"Password Management - Enforce password policy at next login\" or\n \"Password Management - Minimum password length\" or\n \"Password Management - Maximum password length\"\n )\n", "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.setting.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73", "setup": "The Google Workspace Fleet integration, the Filebeat module, or data that's similarly structured is required for this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, 
"id": "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_203.json b/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_203.json
deleted file mode 100644
index 365cd574158..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_203.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.", "false_positives": ["Password policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Password Policy Modified", "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and\n event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and\n google_workspace.admin.setting.name:(\n \"Password Management - Enforce strong password\" or\n \"Password Management - Password reset frequency\" or\n \"Password Management - Enable password reuse\" or\n \"Password Management - Enforce password policy at next login\" or\n \"Password Management - Minimum password length\" or\n \"Password Management - Maximum password length\"\n )\n", "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.setting.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Identity and Access", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 203}, "id": 
"a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_203", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_204.json b/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_204.json
deleted file mode 100644
index 1546bb538f4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_204.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.", "false_positives": ["Password policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Password Policy Modified", "note": "## Triage and analysis\n\n### Investigating Google Workspace Password Policy Modified\n\nGoogle Workspace administrators manage password policies to enforce password requirements for an organization's compliance needs. Administrators have the capability to set restrictions on password length, reset frequency, reuse capability, expiration, and much more. Google Workspace also allows multi-factor authentication (MFA) and 2-step verification (2SV) for authentication.\n\nThreat actors might rely on weak password policies or restrictions to attempt credential access by using password stuffing or spraying techniques for cloud-based user accounts. 
Administrators might introduce increased risk to credential access from a third-party by weakening the password restrictions for an organization.\n\nThis rule detects when a Google Workspace password policy is modified to decrease password complexity or to adjust the reuse and reset frequency.\n\n#### Possible investigation steps\n\n- Identify associated user account(s) by reviewing the `user.name` or `source.user.email` fields in the alert.\n- Identify the password setting that was created or adjusted by reviewing `google_workspace.admin.setting.name` field.\n- Check if a password setting was enabled or disabled by reviewing the `google_workspace.admin.new_value` and `google_workspace.admin.old_value` fields.\n- After identifying the involved user, verify administrative privileges are scoped properly to change.\n- Filter `event.dataset` for `google_workspace.login` and aggregate by `user.name`, `event.action`.\n - The `google_workspace.login.challenge_method` field can be used to identify the challenge method used for failed and successful logins.\n\n### False positive analysis\n\n- After identifying the user account that updated the password policy, verify whether the action was intentional.\n- Verify whether the user should have administrative privileges in Google Workspace to modify password policies.\n- Review organizational units or groups the role may have been added to and ensure the new privileges align properly.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider resetting passwords for potentially affected users.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact 
on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators might observe lag times ranging from several minutes to 3 days between the event occurrence time and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and\n event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and\n google_workspace.admin.setting.name:(\n \"Password Management - Enforce strong password\" or\n \"Password Management - Password reset frequency\" or\n \"Password Management - Enable password reuse\" or\n \"Password Management - Enforce password policy at next login\" or\n \"Password Management - Minimum password length\" or\n \"Password Management - Maximum password length\"\n )\n", "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.setting.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73", "setup": "The Google Workspace Fleet integration, the Filebeat module, or data that's similarly structured is required for this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Identity and Access", "Persistence", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 204}, "id": 
"a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_204", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_205.json b/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_205.json
deleted file mode 100644
index 28e4f3fbaa3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_205.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when a Google Workspace password policy is modified. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.", "false_positives": ["Password policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Password Policy Modified", "note": "## Triage and analysis\n\n### Investigating Google Workspace Password Policy Modified\n\nGoogle Workspace administrators manage password policies to enforce password requirements for an organization's compliance needs. Administrators have the capability to set restrictions on password length, reset frequency, reuse capability, expiration, and much more. Google Workspace also allows multi-factor authentication (MFA) and 2-step verification (2SV) for authentication.\n\nThreat actors might rely on weak password policies or restrictions to attempt credential access by using password stuffing or spraying techniques for cloud-based user accounts. 
Administrators might introduce increased risk to credential access from a third-party by weakening the password restrictions for an organization.\n\nThis rule detects when a Google Workspace password policy is modified to decrease password complexity or to adjust the reuse and reset frequency.\n\n#### Possible investigation steps\n\n- Identify associated user account(s) by reviewing the `user.name` or `source.user.email` fields in the alert.\n- Identify the password setting that was created or adjusted by reviewing `google_workspace.admin.setting.name` field.\n- Check if a password setting was enabled or disabled by reviewing the `google_workspace.admin.new_value` and `google_workspace.admin.old_value` fields.\n- After identifying the involved user, verify administrative privileges are scoped properly to change.\n- Filter `event.dataset` for `google_workspace.login` and aggregate by `user.name`, `event.action`.\n - The `google_workspace.login.challenge_method` field can be used to identify the challenge method used for failed and successful logins.\n\n### False positive analysis\n\n- After identifying the user account that updated the password policy, verify whether the action was intentional.\n- Verify whether the user should have administrative privileges in Google Workspace to modify password policies.\n- Review organizational units or groups the role may have been added to and ensure the new privileges align properly.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider resetting passwords for potentially affected users.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact 
on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators might observe lag times ranging from several minutes to 3 days between the event occurrence time and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and\n event.action:(CHANGE_APPLICATION_SETTING or CREATE_APPLICATION_SETTING) and\n google_workspace.admin.setting.name:(\n \"Password Management - Enforce strong password\" or\n \"Password Management - Password reset frequency\" or\n \"Password Management - Enable password reuse\" or\n \"Password Management - Enforce password policy at next login\" or\n \"Password Management - Minimum password length\" or\n \"Password Management - Maximum password length\"\n )\n", "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.setting.name", "type": "keyword"}], "risk_score": 47, "rule_id": "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73", "setup": "The Google Workspace Fleet integration, the Filebeat module, or data that's similarly structured is required for this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, 
"id": "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73_205", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c.json b/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c.json
deleted file mode 100644
index ee77e48a029..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Hidden Run Key Detected", "query": "/* Registry Path ends with backslash */\nregistry where host.os.type == \"windows\" and event.type == \"change\" and length(registry.data.strings) > 0 and\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n", "references": 
["https://github.com/outflanknl/SharpHide", "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": 
"https://attack.mitre.org/techniques/T1106/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_102.json b/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_102.json
deleted file mode 100644
index 7b192947485..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Hidden Run Key Detected", "note": "", "query": "/* Registry Path ends with backslash */\nregistry where host.os.type == \"windows\" and /* length(registry.data.strings) > 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n", "references": ["https://github.com/outflanknl/SharpHide", 
"https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_103.json b/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_103.json
deleted file mode 100644
index e8dc38bbaea..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Hidden Run Key Detected", "note": "", "query": "/* Registry Path ends with backslash */\nregistry where host.os.type == \"windows\" and /* length(registry.data.strings) > 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n", "references": ["https://github.com/outflanknl/SharpHide", 
"https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_104.json b/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_104.json
deleted file mode 100644
index 69a25ec9a83..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Hidden Run Key Detected", "note": "", "query": "/* Registry Path ends with backslash */\nregistry where host.os.type == \"windows\" and /* length(registry.data.strings) > 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n", "references": ["https://github.com/outflanknl/SharpHide", 
"https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_105.json b/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_105.json
deleted file mode 100644
index 29ec6f27a54..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Hidden Run Key Detected", "note": "", "query": "/* Registry Path ends with backslash */\nregistry where host.os.type == \"windows\" and /* length(registry.data.strings) > 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n", "references": ["https://github.com/outflanknl/SharpHide", 
"https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": 
"a9b05c3b-b304-4bf9-970d-acdfaef2944c_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_106.json b/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_106.json
deleted file mode 100644
index 50259ee0303..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Hidden Run Key Detected", "query": "/* Registry Path ends with backslash */\nregistry where host.os.type == \"windows\" and /* length(registry.data.strings) > 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n", "references": ["https://github.com/outflanknl/SharpHide", 
"https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": 
"T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_107.json b/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_107.json
deleted file mode 100644
index 0cc18b28960..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Hidden Run Key Detected", "query": "/* Registry Path ends with backslash */\nregistry where host.os.type == \"windows\" and /* length(registry.data.strings) > 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n", "references": ["https://github.com/outflanknl/SharpHide", 
"https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_108.json b/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_108.json
deleted file mode 100644
index ded5f33c990..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Hidden Run Key Detected", "query": "/* Registry Path ends with backslash */\nregistry where host.os.type == \"windows\" and /* length(registry.data.strings) > 0 and */\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n", "references": ["https://github.com/outflanknl/SharpHide", 
"https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_109.json b/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_109.json
deleted file mode 100644
index f63b04718de..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a9b05c3b-b304-4bf9-970d-acdfaef2944c_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key. An adversary may use this method to hide from system utilities such as the Registry Editor (regedit).", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Hidden Run Key Detected", "query": "/* Registry Path ends with backslash */\nregistry where host.os.type == \"windows\" and event.type == \"change\" and length(registry.data.strings) > 0 and\n registry.path : (\"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKLM\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\WOW6432Node\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run\\\\\")\n", "references": 
["https://github.com/outflanknl/SharpHide", "https://github.com/ewhitehats/InvisiblePersistence/blob/master/InvisibleRegValues_Whitepaper.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": 
"https://attack.mitre.org/techniques/T1106/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "a9b05c3b-b304-4bf9-970d-acdfaef2944c_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7.json b/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7.json
deleted file mode 100644
index f2978a0f50b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.", "false_positives": ["Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded."], "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "IPSEC NAT Traversal Port Activity", "query": "(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and network.transport:udp and destination.port:4500\n", "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}], "risk_score": 21, "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7", "severity": "low", "tags": ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}], "timestamp_override": "event.ingested", 
"type": "query", "version": 104}, "id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_101.json b/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_101.json
deleted file mode 100644
index 0f5c63c09b3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_101.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.", "false_positives": ["Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded."], "from": "now-9m", "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "IPSEC NAT Traversal Port Activity", "query": "event.category:(network or network_traffic) and network.transport:udp and destination.port:4500\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}], "risk_score": 21, "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7", "severity": "low", "tags": ["Elastic", "Host", "Network", "Threat Detection", "Command and Control", "Host"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_102.json b/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_102.json
deleted file mode 100644
index 879ff77ab51..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.", "false_positives": ["Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded."], "from": "now-9m", "index": ["packetbeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "IPSEC NAT Traversal Port Activity", "query": "event.dataset: network_traffic.flow and network.transport:udp and destination.port:4500\n", "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}], "risk_score": 21, "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7", "severity": "low", "tags": ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_102", "type": "security-rule"}
\ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_103.json b/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_103.json
deleted file mode 100644
index 586c37041f6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.", "false_positives": ["Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded."], "from": "now-9m", "index": ["packetbeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "IPSEC NAT Traversal Port Activity", "query": "event.dataset: network_traffic.flow and network.transport:udp and destination.port:4500\n", "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}], "risk_score": 21, "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7", "severity": "low", "tags": ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_104.json b/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_104.json
deleted file mode 100644
index 839961f76e7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects events that could be describing IPSEC NAT Traversal traffic. IPSEC is a VPN technology that allows one system to talk to another using encrypted tunnels. NAT Traversal enables these tunnels to communicate over the Internet where one of the sides is behind a NAT router gateway. This may be common on your network, but this technique is also used by threat actors to avoid detection.", "false_positives": ["Some networks may utilize these protocols but usage that is unfamiliar to local network administrators can be unexpected and suspicious. Because this port is in the ephemeral range, this rule may false under certain conditions, such as when an application server with a public IP address replies to a client which has used a UDP port in the range by coincidence. This is uncommon but such servers can be excluded."], "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "IPSEC NAT Traversal Port Activity", "query": "(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and network.transport:udp and destination.port:4500\n", "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}], "risk_score": 21, "rule_id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7", "severity": "low", "tags": ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}], "timestamp_override": "event.ingested", 
"type": "query", "version": 104}, "id": "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827.json b/packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827.json deleted file mode 100644 index 1393e7d235f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.", "false_positives": ["Custom role creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP IAM Custom Role Creation", "note": "", "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success\n", "references": ["https://cloud.google.com/iam/docs/understanding-custom-roles"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "aa8007f0-d1df-49ef-8520-407857594827", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": 
"https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "aa8007f0-d1df-49ef-8520-407857594827", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827_103.json b/packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827_103.json deleted file mode 100644 index 7699f153899..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/aa8007f0-d1df-49ef-8520-407857594827_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP). Custom roles are user-defined, and allow for the bundling of one or more supported permissions to meet specific needs. Custom roles will not be updated automatically and could lead to privilege creep if not carefully scrutinized.", "false_positives": ["Custom role creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP IAM Custom Role Creation", "note": "", "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.CreateRole and event.outcome:success\n", "references": ["https://cloud.google.com/iam/docs/understanding-custom-roles"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "aa8007f0-d1df-49ef-8520-407857594827", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, 
{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "aa8007f0-d1df-49ef-8520-407857594827_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30.json b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30.json deleted file mode 100644 index 72b4dab975b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "System Log File Deletion", "query": "file where host.os.type == \"linux\" and event.type == \"deletion\" and\n file.path :\n (\n \"/var/run/utmp\",\n \"/var/log/wtmp\",\n \"/var/log/btmp\",\n \"/var/log/lastlog\",\n \"/var/log/faillog\",\n \"/var/log/syslog\",\n \"/var/log/messages\",\n \"/var/log/secure\",\n \"/var/log/auth.log\",\n \"/var/log/boot.log\",\n \"/var/log/kern.log\",\n \"/var/log/dmesg\"\n ) and\n not process.name in (\"gzip\", \"executor\", \"dockerd\")\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "aa895aea-b69c-4411-b110-8d7599634b30", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.002", "name": "Clear Linux or Mac System Logs", "reference": "https://attack.mitre.org/techniques/T1070/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "aa895aea-b69c-4411-b110-8d7599634b30", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_104.json b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_104.json
deleted file mode 100644
index a4f6d157a99..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "System Log File Deletion", "note": "", "query": "file where host.os.type == \"linux\" and event.type == \"deletion\" and\n file.path :\n (\n \"/var/run/utmp\",\n \"/var/log/wtmp\",\n \"/var/log/btmp\",\n \"/var/log/lastlog\",\n \"/var/log/faillog\",\n \"/var/log/syslog\",\n \"/var/log/messages\",\n \"/var/log/secure\",\n \"/var/log/auth.log\",\n \"/var/log/boot.log\",\n \"/var/log/kern.log\"\n ) and\n not process.name : (\"gzip\")\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "aa895aea-b69c-4411-b110-8d7599634b30", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": 
"https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.002", "name": "Clear Linux or Mac System Logs", "reference": "https://attack.mitre.org/techniques/T1070/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "aa895aea-b69c-4411-b110-8d7599634b30_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_105.json b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_105.json deleted file mode 100644 index 053548c07d4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "System Log File Deletion", "note": "", "query": "file where host.os.type == \"linux\" and event.type == \"deletion\" and\n file.path :\n (\n \"/var/run/utmp\",\n \"/var/log/wtmp\",\n \"/var/log/btmp\",\n \"/var/log/lastlog\",\n \"/var/log/faillog\",\n \"/var/log/syslog\",\n \"/var/log/messages\",\n \"/var/log/secure\",\n \"/var/log/auth.log\",\n \"/var/log/boot.log\",\n \"/var/log/kern.log\"\n ) and\n not process.name : (\"gzip\")\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "aa895aea-b69c-4411-b110-8d7599634b30", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": 
"https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.002", "name": "Clear Linux or Mac System Logs", "reference": "https://attack.mitre.org/techniques/T1070/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "aa895aea-b69c-4411-b110-8d7599634b30_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_106.json b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_106.json deleted file mode 100644 index 3f06c3450a4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "System Log File Deletion", "note": "", "query": "file where host.os.type == \"linux\" and event.type == \"deletion\" and\n file.path :\n (\n \"/var/run/utmp\",\n \"/var/log/wtmp\",\n \"/var/log/btmp\",\n \"/var/log/lastlog\",\n \"/var/log/faillog\",\n \"/var/log/syslog\",\n \"/var/log/messages\",\n \"/var/log/secure\",\n \"/var/log/auth.log\",\n \"/var/log/boot.log\",\n \"/var/log/kern.log\"\n ) and\n not process.name : (\"gzip\")\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "aa895aea-b69c-4411-b110-8d7599634b30", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": 
"Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.002", "name": "Clear Linux or Mac System Logs", "reference": "https://attack.mitre.org/techniques/T1070/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "aa895aea-b69c-4411-b110-8d7599634b30_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_107.json b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_107.json deleted file mode 100644 index 7c0c0e6854a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "System Log File Deletion", "note": "### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).", "query": "file where host.os.type == \"linux\" and event.type == \"deletion\" and\n file.path :\n (\n \"/var/run/utmp\",\n \"/var/log/wtmp\",\n \"/var/log/btmp\",\n \"/var/log/lastlog\",\n \"/var/log/faillog\",\n \"/var/log/syslog\",\n \"/var/log/messages\",\n \"/var/log/secure\",\n \"/var/log/auth.log\",\n \"/var/log/boot.log\",\n \"/var/log/kern.log\"\n ) and\n not process.name : (\"gzip\")\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": 
"aa895aea-b69c-4411-b110-8d7599634b30", "setup": "This rule requires data coming in either from Elastic Defend, or Auditbeat integration.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.002", "name": "Clear Linux or Mac System Logs", "reference": "https://attack.mitre.org/techniques/T1070/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "aa895aea-b69c-4411-b110-8d7599634b30_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_108.json b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_108.json deleted file mode 100644 index 7e7dd96f1cf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "System Log File Deletion", "query": "file where host.os.type == \"linux\" and event.type == \"deletion\" and\n file.path :\n (\n \"/var/run/utmp\",\n \"/var/log/wtmp\",\n \"/var/log/btmp\",\n \"/var/log/lastlog\",\n \"/var/log/faillog\",\n \"/var/log/syslog\",\n \"/var/log/messages\",\n \"/var/log/secure\",\n \"/var/log/auth.log\",\n \"/var/log/boot.log\",\n \"/var/log/kern.log\"\n ) and\n not process.name in (\"gzip\", \"executor\", \"dockerd\")\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "aa895aea-b69c-4411-b110-8d7599634b30", "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.002", "name": "Clear Linux or Mac System Logs", "reference": "https://attack.mitre.org/techniques/T1070/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "aa895aea-b69c-4411-b110-8d7599634b30_108", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_109.json b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_109.json
deleted file mode 100644
index 98cb3af9bf7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "System Log File Deletion", "query": "file where host.os.type == \"linux\" and event.type == \"deletion\" and\n file.path :\n (\n \"/var/run/utmp\",\n \"/var/log/wtmp\",\n \"/var/log/btmp\",\n \"/var/log/lastlog\",\n \"/var/log/faillog\",\n \"/var/log/syslog\",\n \"/var/log/messages\",\n \"/var/log/secure\",\n \"/var/log/auth.log\",\n \"/var/log/boot.log\",\n \"/var/log/kern.log\"\n ) and\n not process.name in (\"gzip\", \"executor\", \"dockerd\")\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "aa895aea-b69c-4411-b110-8d7599634b30", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.002", "name": "Clear Linux or Mac System Logs", "reference": "https://attack.mitre.org/techniques/T1070/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "aa895aea-b69c-4411-b110-8d7599634b30_109", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_110.json b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_110.json
deleted file mode 100644
index 1b79858167e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "System Log File Deletion", "query": "file where host.os.type == \"linux\" and event.type == \"deletion\" and\n file.path :\n (\n \"/var/run/utmp\",\n \"/var/log/wtmp\",\n \"/var/log/btmp\",\n \"/var/log/lastlog\",\n \"/var/log/faillog\",\n \"/var/log/syslog\",\n \"/var/log/messages\",\n \"/var/log/secure\",\n \"/var/log/auth.log\",\n \"/var/log/boot.log\",\n \"/var/log/kern.log\"\n ) and\n not process.name in (\"gzip\", \"executor\", \"dockerd\")\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "aa895aea-b69c-4411-b110-8d7599634b30", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.002", "name": "Clear Linux or Mac System Logs", "reference": "https://attack.mitre.org/techniques/T1070/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "aa895aea-b69c-4411-b110-8d7599634b30_110", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_111.json b/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_111.json
deleted file mode 100644
index ca70a836e7a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/aa895aea-b69c-4411-b110-8d7599634b30_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of sensitive Linux system logs. This may indicate an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "System Log File Deletion", "query": "file where host.os.type == \"linux\" and event.type == \"deletion\" and\n file.path :\n (\n \"/var/run/utmp\",\n \"/var/log/wtmp\",\n \"/var/log/btmp\",\n \"/var/log/lastlog\",\n \"/var/log/faillog\",\n \"/var/log/syslog\",\n \"/var/log/messages\",\n \"/var/log/secure\",\n \"/var/log/auth.log\",\n \"/var/log/boot.log\",\n \"/var/log/kern.log\",\n \"/var/log/dmesg\"\n ) and\n not process.name in (\"gzip\", \"executor\", \"dockerd\")\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "aa895aea-b69c-4411-b110-8d7599634b30", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.002", "name": "Clear Linux or Mac System Logs", "reference": "https://attack.mitre.org/techniques/T1070/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "aa895aea-b69c-4411-b110-8d7599634b30_111", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650.json b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650.json
deleted file mode 100644
index ea4677947c0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Remotely Started Services via RPC", "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned 
Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1s\n [network where host.os.type == \"windows\" and process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port >= 49152 and destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"services.exe\" and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and process.args : \"/V\") and\n not process.executable : (\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\ccmsetup\\\\ccmsetup.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\srmhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\",\n 
\"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\"\n )] by host.id, process.parent.entity_id\n", "references": ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": 
"https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 112}, "id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_104.json b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_104.json deleted file mode 100644 index eb5d8dfd344..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remotely Started Services via RPC", "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. 
If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1s\n [network where host.os.type == \"windows\" and process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port >= 49152 and destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"services.exe\" and\n not (process.name : \"svchost.exe\" and process.args : \"tiledatamodelsvc\") and\n not (process.name : \"msiexec.exe\" and process.args : \"/V\") and\n not process.executable :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n 
\"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")\n ] by host.id, process.parent.entity_id\n", "references": ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": 
"https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 104}, "id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_105.json b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_105.json
deleted file mode 100644
index 4d8869ade1e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remotely Started Services via RPC", "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned 
Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1s\n [network where host.os.type == \"windows\" and process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port >= 49152 and destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"services.exe\" and\n not (process.name : \"svchost.exe\" and process.args : \"tiledatamodelsvc\") and\n not (process.name : \"msiexec.exe\" and process.args : \"/V\") and\n not process.executable :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n 
\"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")\n ] by host.id, process.parent.entity_id\n", "references": ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": 
"https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 105}, "id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_106.json b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_106.json
deleted file mode 100644
index 24d22afca86..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remotely Started Services via RPC", "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned 
Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1s\n [network where host.os.type == \"windows\" and process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port >= 49152 and destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"services.exe\" and\n not (process.name : \"svchost.exe\" and process.args : \"tiledatamodelsvc\") and\n not (process.name : \"msiexec.exe\" and process.args : \"/V\") and\n not process.executable :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n 
\"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")\n ] by host.id, process.parent.entity_id\n", "references": ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": 
"https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 106}, "id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_107.json b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_107.json
deleted file mode 100644
index 9a40a9a4584..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remotely Started Services via RPC", "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned 
Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1s\n [network where host.os.type == \"windows\" and process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port >= 49152 and destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"services.exe\" and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\" and process.args : \"tiledatamodelsvc\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and process.args : \"/V\") and\n not process.executable :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n 
\"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")\n ] by host.id, process.parent.entity_id\n", "references": ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": 
"https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 107}, "id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_108.json b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_108.json
deleted file mode 100644
index 51148bdc0dd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remotely Started Services via RPC", "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned 
Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1s\n [network where host.os.type == \"windows\" and process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port >= 49152 and destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"services.exe\" and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\" and process.args : \"tiledatamodelsvc\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and process.args : \"/V\") and\n not process.executable :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n 
\"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")\n ] by host.id, process.parent.entity_id\n", "references": ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral 
Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 108}, "id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_109.json b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_109.json
deleted file mode 100644
index 5dea07c19e9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remotely Started Services via RPC", "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned 
Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1s\n [network where host.os.type == \"windows\" and process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port >= 49152 and destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"services.exe\" and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and process.args : \"/V\") and\n not process.executable : (\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\ccmsetup\\\\ccmsetup.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\srmhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\",\n 
\"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\"\n )] by host.id, process.parent.entity_id\n", "references": ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": 
"https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 109}, "id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_110.json b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_110.json
deleted file mode 100644
index eac48dc6d51..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Remotely Started Services via RPC", "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned 
Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1s\n [network where host.os.type == \"windows\" and process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port >= 49152 and destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"services.exe\" and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and process.args : \"/V\") and\n not process.executable : (\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\ccmsetup\\\\ccmsetup.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\srmhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\",\n 
\"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\"\n )] by host.id, process.parent.entity_id\n", "references": ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": 
"https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 110}, "id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_111.json b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_111.json
deleted file mode 100644
index 6c0a388ba3d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Remotely Started Services via RPC", "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned 
Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1s\n [network where host.os.type == \"windows\" and process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port >= 49152 and destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"services.exe\" and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and process.args : \"/V\") and\n not process.executable : (\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\ccmsetup\\\\ccmsetup.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\srmhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\",\n 
\"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\"\n )] by host.id, process.parent.entity_id\n", "references": ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": 
"https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 111}, "id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_112.json b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_112.json
deleted file mode 100644
index 1bbec84bd2d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_112.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Remotely Started Services via RPC", "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned 
Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1s\n [network where host.os.type == \"windows\" and process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port >= 49152 and destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"services.exe\" and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and process.args : \"/V\") and\n not process.executable : (\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\ccmsetup\\\\ccmsetup.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\srmhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\",\n 
\"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\"\n )] by host.id, process.parent.entity_id\n", "references": ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": 
"https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 112}, "id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_113.json b/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_113.json
deleted file mode 100644
index 523b6be7df7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/aa9a274d-6b53-424d-ac5e-cb8ca4251650_113.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies remote execution of Windows services over remote procedure call (RPC). This could be indicative of lateral movement, but will be noisy if commonly done by administrators.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Remotely Started Services via RPC", "note": "## Triage and analysis\n\n### Investigating Remotely Started Services via RPC\n\nThe Service Control Manager Remote Protocol is a client/server protocol used for configuring and controlling service programs running on a remote computer. A remote service management session begins with the client initiating the connection request to the server. If the server grants the request, the connection is established. The client can then make multiple requests to modify, query the configuration, or start and stop services on the server by using the same session until the session is terminated.\n\nThis rule detects the remote creation or start of a service by correlating a `services.exe` network connection and the spawn of a child process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Review login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. Use the `source.address` field to help identify the source system.\n- Review network events from the source system using the source port identified on the alert and try to identify the program used to initiate the action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned 
Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- Remote management software like SCCM may trigger this rule. If noisy on your environment, consider adding exceptions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1s\n [network where host.os.type == \"windows\" and process.name : \"services.exe\" and\n network.direction : (\"incoming\", \"ingress\") and network.transport == \"tcp\" and\n source.port >= 49152 and destination.port >= 49152 and source.ip != \"127.0.0.1\" and source.ip != \"::1\"\n ] by host.id, process.entity_id\n [process where host.os.type == \"windows\" and \n event.type == \"start\" and process.parent.name : \"services.exe\" and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and process.args : \"/V\") and\n not process.executable : (\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\ccmsetup\\\\ccmsetup.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\srmhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\",\n 
\"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\"\n )] by host.id, process.parent.entity_id\n", "references": ["https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/705b624a-13de-43cc-b8a2-99573da3635f", "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 113}, "id": "aa9a274d-6b53-424d-ac5e-cb8ca4251650_113", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/aaab30ec-b004-4191-95e1-4a14387ef6a6.json b/packages/security_detection_engine/kibana/security_rule/aaab30ec-b004-4191-95e1-4a14387ef6a6.json
deleted file mode 100644
index 68176f9fc93..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/aaab30ec-b004-4191-95e1-4a14387ef6a6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential credential decrypt operations by PowerShell or unsigned processes using the Veeam.Backup.Common.dll library. Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.", "from": "now-9m", "index": ["logs-endpoint.events.library-*"], "language": "eql", "license": "Elastic License v2", "name": "Veeam Backup Library Loaded by Unusual Process", "query": "library where host.os.type == \"windows\" and event.action == \"load\" and\n (dll.name : \"Veeam.Backup.Common.dll\" or dll.pe.original_file_name : \"Veeam.Backup.Common.dll\") and\n (\n process.code_signature.trusted == false or\n process.code_signature.exists == false or\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "dll.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "aaab30ec-b004-4191-95e1-4a14387ef6a6", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": 
"https://attack.mitre.org/techniques/T1555/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "aaab30ec-b004-4191-95e1-4a14387ef6a6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aaab30ec-b004-4191-95e1-4a14387ef6a6_1.json b/packages/security_detection_engine/kibana/security_rule/aaab30ec-b004-4191-95e1-4a14387ef6a6_1.json deleted file mode 100644 index 3e762a9e2ce..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/aaab30ec-b004-4191-95e1-4a14387ef6a6_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential credential decrypt operations by PowerShell or unsigned processes using the Veeam.Backup.Common.dll library. Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.", "from": "now-9m", "index": ["logs-endpoint.events.library*"], "language": "eql", "license": "Elastic License v2", "name": "Veeam Backup Library Loaded by Unusual Process", "query": "library where host.os.type == \"windows\" and event.action == \"load\" and\n (dll.name : \"Veeam.Backup.Common.dll\" or dll.pe.original_file_name : \"Veeam.Backup.Common.dll\") and\n (\n process.code_signature.trusted == false or\n process.code_signature.exists == false or\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "dll.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "aaab30ec-b004-4191-95e1-4a14387ef6a6", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": 
"https://attack.mitre.org/techniques/T1555/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "aaab30ec-b004-4191-95e1-4a14387ef6a6_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca.json b/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca.json deleted file mode 100644 index 7f4bbff66da..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel Hash Indicator Match", "note": "## Triage and Analysis\n\n### Investigating Threat Intel Hash Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index.\n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a hash indicator from the Threat Intel Filebeat module or an indicator ingested from a threat intelligence integration matches against an event that contains file hashes, such as antivirus alerts, file operation events, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation. 
This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the hash , which can be found in the `threat.indicator.matched.atomic` field:\n - Search for the existence and reputation of the hash in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Scope other potentially compromised hosts in your environment by mapping hosts with file operations involving the same hash.\n- Identify the process that created the file.\n - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Enrich the information that you have right now by determining how the file was dropped, where it was downloaded from, etc. This can help you determine if the event is part of an ongoing campaign against the organization.\n- Retrieve the involved file and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account 
FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries often use legitimate tools as network administrators, such as `PsExec` or `AdFind`. These tools are often included in indicator lists, which creates the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file.hash.*:* or process.hash.*:* or dll.hash.*:*\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": false, "name": "dll.hash.*", "type": "unknown"}, {"ecs": false, "name": "file.hash.*", "type": "unknown"}, {"ecs": false, "name": "process.hash.*", "type": "unknown"}], "risk_score": 99, "rule_id": "aab184d3-72b3-4639-b242-6597c99d8bca", "setup": "## Setup\n\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Threat Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": 
false, "key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": "enrichment"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, "params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "file.hash.md5", "type": "mapping", "value": "threat.indicator.file.hash.md5"}]}, {"entries": [{"field": "file.hash.sha1", "type": "mapping", "value": "threat.indicator.file.hash.sha1"}]}, {"entries": [{"field": "file.hash.sha256", "type": "mapping", "value": "threat.indicator.file.hash.sha256"}]}, {"entries": [{"field": "dll.hash.md5", "type": "mapping", "value": "threat.indicator.file.hash.md5"}]}, {"entries": [{"field": "dll.hash.sha1", "type": "mapping", "value": "threat.indicator.file.hash.sha1"}]}, {"entries": [{"field": "dll.hash.sha256", "type": "mapping", "value": "threat.indicator.file.hash.sha256"}]}, {"entries": [{"field": "process.hash.md5", "type": "mapping", "value": "threat.indicator.file.hash.md5"}]}, {"entries": [{"field": "process.hash.sha1", "type": "mapping", "value": "threat.indicator.file.hash.sha1"}]}, {"entries": [{"field": "process.hash.sha256", "type": "mapping", "value": "threat.indicator.file.hash.sha256"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "timestamp_override": "event.ingested", "type": "threat_match", "version": 8}, "id": "aab184d3-72b3-4639-b242-6597c99d8bca", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_1.json b/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_1.json
deleted file mode 100644
index 3e71062202c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel Hash Indicator Match", "query": "file.hash.*:* or file.pe.imphash:* or process.hash.*:* or process.pe.imphash:* or dll.hash.*:* or dll.pe.imphash:* \n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": false, "name": "dll.hash.*", "type": "unknown"}, {"ecs": true, "name": "dll.pe.imphash", "type": "keyword"}, {"ecs": false, "name": "file.hash.*", "type": "unknown"}, {"ecs": true, "name": "file.pe.imphash", "type": "keyword"}, {"ecs": false, "name": "process.hash.*", "type": "unknown"}, {"ecs": true, "name": "process.pe.imphash", "type": "keyword"}], "risk_score": 99, "rule_id": "aab184d3-72b3-4639-b242-6597c99d8bca", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": "enrichment"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, 
"params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "file.hash.md5", "type": "mapping", "value": "threat.indicator.file.hash.md5"}]}, {"entries": [{"field": "file.hash.sha1", "type": "mapping", "value": "threat.indicator.file.hash.sha1"}]}, {"entries": [{"field": "file.hash.sha256", "type": "mapping", "value": "threat.indicator.file.hash.sha256"}]}, {"entries": [{"field": "file.pe.imphash", "type": "mapping", "value": "threat.indicator.file.pe.imphash"}]}, {"entries": [{"field": "dll.hash.md5", "type": "mapping", "value": "threat.indicator.file.hash.md5"}]}, {"entries": [{"field": "dll.hash.sha1", "type": "mapping", "value": "threat.indicator.file.hash.sha1"}]}, {"entries": [{"field": "dll.hash.sha256", "type": "mapping", "value": "threat.indicator.file.hash.sha256"}]}, {"entries": [{"field": "process.hash.md5", "type": "mapping", "value": "threat.indicator.file.hash.md5"}]}, {"entries": [{"field": "process.hash.sha1", "type": "mapping", "value": "threat.indicator.file.hash.sha1"}]}, {"entries": [{"field": "process.hash.sha256", "type": "mapping", "value": "threat.indicator.file.hash.sha256"}]}, {"entries": [{"field": "dll.pe.imphash", "type": "mapping", "value": "threat.indicator.file.pe.imphash"}]}, {"entries": [{"field": "process.pe.imphash", "type": "mapping", "value": "threat.indicator.file.pe.imphash"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", "version": 1}, "id": "aab184d3-72b3-4639-b242-6597c99d8bca_1", "type": "security-rule"} \ No newline at end 
of file
diff --git a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_2.json b/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_2.json
deleted file mode 100644
index 3bbe3884f23..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel Hash Indicator Match", "note": "## Triage and Analysis\n\n### Investigating Threat Intel Hash Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a hash indicator from the Threat Intel Filebeat module or an indicator ingested from a threat intelligence integration matches against an event that contains file hashes, such as antivirus alerts, file operation events, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation. 
This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the hash , which can be found in the `threat.indicator.matched.atomic` field:\n - Search for the existence and reputation of the hash in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Scope other potentially compromised hosts in your environment by mapping hosts with file operations involving the same hash.\n- Identify the process that created the file.\n - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Enrich the information that you have right now by determining how the file was dropped, where it was downloaded from, etc. This can help you determine if the event is part of an ongoing campaign against the organization.\n- Retrieve the involved file and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries often use legitimate tools as network 
administrators, such as `PsExec` or `AdFind`. These tools are often included in indicator lists, which creates the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThis rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).", "query": "file.hash.*:* or file.pe.imphash:* or process.hash.*:* or process.pe.imphash:* or dll.hash.*:*\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": false, "name": "dll.hash.*", "type": "unknown"}, {"ecs": false, "name": "file.hash.*", "type": "unknown"}, {"ecs": true, "name": "file.pe.imphash", "type": "keyword"}, {"ecs": false, "name": "process.hash.*", "type": "unknown"}, {"ecs": true, "name": "process.pe.imphash", "type": "keyword"}], "risk_score": 99, "rule_id": "aab184d3-72b3-4639-b242-6597c99d8bca", "setup": "This rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an Elastic Agent integration, the Threat Intel module, or a custom integration.\n\nMore information can be found here.", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": "enrichment"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, "params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "file.hash.md5", "type": "mapping", "value": "threat.indicator.file.hash.md5"}]}, {"entries": [{"field": "file.hash.sha1", "type": "mapping", "value": "threat.indicator.file.hash.sha1"}]}, {"entries": [{"field": "file.hash.sha256", "type": "mapping", "value": "threat.indicator.file.hash.sha256"}]}, {"entries": [{"field": "file.pe.imphash", "type": "mapping", "value": "threat.indicator.file.pe.imphash"}]}, {"entries": [{"field": "dll.hash.md5", "type": "mapping", "value": "threat.indicator.file.hash.md5"}]}, {"entries": [{"field": "dll.hash.sha1", "type": "mapping", "value": "threat.indicator.file.hash.sha1"}]}, {"entries": [{"field": "dll.hash.sha256", "type": "mapping", "value": "threat.indicator.file.hash.sha256"}]}, {"entries": [{"field": "process.hash.md5", "type": "mapping", "value": "threat.indicator.file.hash.md5"}]}, {"entries": [{"field": "process.hash.sha1", "type": "mapping", 
"value": "threat.indicator.file.hash.sha1"}]}, {"entries": [{"field": "process.hash.sha256", "type": "mapping", "value": "threat.indicator.file.hash.sha256"}]}, {"entries": [{"field": "process.pe.imphash", "type": "mapping", "value": "threat.indicator.file.pe.imphash"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", "version": 2}, "id": "aab184d3-72b3-4639-b242-6597c99d8bca_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_3.json b/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_3.json deleted file mode 100644 index 783fab49025..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_3.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel Hash Indicator Match", "note": "## Triage and Analysis\n\n### Investigating Threat Intel Hash Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a hash indicator from the Threat Intel Filebeat module or an indicator ingested from a threat intelligence integration matches against an event that contains file hashes, such as antivirus alerts, file operation events, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation. 
This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the hash , which can be found in the `threat.indicator.matched.atomic` field:\n - Search for the existence and reputation of the hash in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Scope other potentially compromised hosts in your environment by mapping hosts with file operations involving the same hash.\n- Identify the process that created the file.\n - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Enrich the information that you have right now by determining how the file was dropped, where it was downloaded from, etc. This can help you determine if the event is part of an ongoing campaign against the organization.\n- Retrieve the involved file and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries often use legitimate tools as network 
administrators, such as `PsExec` or `AdFind`. These tools are often included in indicator lists, which creates the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThis rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).", "query": "file.hash.*:* or process.hash.*:* or dll.hash.*:*\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": false, "name": "dll.hash.*", "type": "unknown"}, {"ecs": false, "name": "file.hash.*", "type": "unknown"}, {"ecs": false, "name": "process.hash.*", "type": "unknown"}], "risk_score": 99, "rule_id": "aab184d3-72b3-4639-b242-6597c99d8bca", "setup": "This rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an Elastic Agent integration, the Threat Intel module, or a custom integration.\n\nMore information can be found here.", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": "enrichment"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, "params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "file.hash.md5", "type": "mapping", "value": "threat.indicator.file.hash.md5"}]}, {"entries": [{"field": "file.hash.sha1", "type": "mapping", "value": "threat.indicator.file.hash.sha1"}]}, {"entries": [{"field": "file.hash.sha256", "type": "mapping", "value": "threat.indicator.file.hash.sha256"}]}, {"entries": [{"field": "dll.hash.md5", "type": "mapping", "value": "threat.indicator.file.hash.md5"}]}, {"entries": [{"field": "dll.hash.sha1", "type": "mapping", "value": "threat.indicator.file.hash.sha1"}]}, {"entries": [{"field": "dll.hash.sha256", "type": "mapping", "value": "threat.indicator.file.hash.sha256"}]}, {"entries": [{"field": "process.hash.md5", "type": "mapping", "value": "threat.indicator.file.hash.md5"}]}, {"entries": [{"field": "process.hash.sha1", "type": "mapping", "value": "threat.indicator.file.hash.sha1"}]}, {"entries": [{"field": "process.hash.sha256", "type": 
"mapping", "value": "threat.indicator.file.hash.sha256"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", "version": 3}, "id": "aab184d3-72b3-4639-b242-6597c99d8bca_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_4.json b/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_4.json deleted file mode 100644 index 8928153e013..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_4.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel Hash Indicator Match", "note": "## Triage and Analysis\n\n### Investigating Threat Intel Hash Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a hash indicator from the Threat Intel Filebeat module or an indicator ingested from a threat intelligence integration matches against an event that contains file hashes, such as antivirus alerts, file operation events, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation. 
This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the hash , which can be found in the `threat.indicator.matched.atomic` field:\n - Search for the existence and reputation of the hash in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Scope other potentially compromised hosts in your environment by mapping hosts with file operations involving the same hash.\n- Identify the process that created the file.\n - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Enrich the information that you have right now by determining how the file was dropped, where it was downloaded from, etc. This can help you determine if the event is part of an ongoing campaign against the organization.\n- Retrieve the involved file and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account 
FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries often use legitimate tools as network administrators, such as `PsExec` or `AdFind`. These tools are often included in indicator lists, which creates the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThis rule needs threat intelligence indicators to work. Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).", "query": "file.hash.*:* or process.hash.*:* or dll.hash.*:*\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": false, "name": "dll.hash.*", "type": "unknown"}, {"ecs": false, "name": "file.hash.*", "type": "unknown"}, {"ecs": false, "name": "process.hash.*", "type": "unknown"}], "risk_score": 99, "rule_id": "aab184d3-72b3-4639-b242-6597c99d8bca", "setup": "This rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an Elastic Agent integration, the Threat Intel module, or a custom integration.\n\nMore information can be found here.", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": "enrichment"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, "params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "file.hash.md5", "type": "mapping", "value": "threat.indicator.file.hash.md5"}]}, {"entries": [{"field": "file.hash.sha1", "type": "mapping", "value": "threat.indicator.file.hash.sha1"}]}, {"entries": [{"field": "file.hash.sha256", "type": "mapping", "value": "threat.indicator.file.hash.sha256"}]}, {"entries": [{"field": "dll.hash.md5", "type": "mapping", "value": "threat.indicator.file.hash.md5"}]}, {"entries": [{"field": "dll.hash.sha1", "type": "mapping", "value": "threat.indicator.file.hash.sha1"}]}, {"entries": [{"field": "dll.hash.sha256", "type": "mapping", "value": "threat.indicator.file.hash.sha256"}]}, {"entries": [{"field": "process.hash.md5", "type": "mapping", "value": "threat.indicator.file.hash.md5"}]}, {"entries": [{"field": "process.hash.sha1", "type": "mapping", "value": "threat.indicator.file.hash.sha1"}]}, {"entries": [{"field": "process.hash.sha256", "type": 
"mapping", "value": "threat.indicator.file.hash.sha256"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", "version": 4}, "id": "aab184d3-72b3-4639-b242-6597c99d8bca_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_5.json b/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_5.json deleted file mode 100644 index 5df22c8393c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel Hash Indicator Match", "note": "## Triage and Analysis\n\n### Investigating Threat Intel Hash Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a hash indicator from the Threat Intel Filebeat module or an indicator ingested from a threat intelligence integration matches against an event that contains file hashes, such as antivirus alerts, file operation events, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation. 
This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the hash , which can be found in the `threat.indicator.matched.atomic` field:\n - Search for the existence and reputation of the hash in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Scope other potentially compromised hosts in your environment by mapping hosts with file operations involving the same hash.\n- Identify the process that created the file.\n - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Enrich the information that you have right now by determining how the file was dropped, where it was downloaded from, etc. This can help you determine if the event is part of an ongoing campaign against the organization.\n- Retrieve the involved file and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account 
FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries often use legitimate tools as network administrators, such as `PsExec` or `AdFind`. These tools are often included in indicator lists, which creates the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "file.hash.*:* or process.hash.*:* or dll.hash.*:*\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": false, "name": "dll.hash.*", "type": "unknown"}, {"ecs": false, "name": "file.hash.*", "type": "unknown"}, {"ecs": false, "name": "process.hash.*", "type": "unknown"}], "risk_score": 99, "rule_id": "aab184d3-72b3-4639-b242-6597c99d8bca", "setup": "\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, 
"key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": "enrichment"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, "params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "file.hash.md5", "type": "mapping", "value": "threat.indicator.file.hash.md5"}]}, {"entries": [{"field": "file.hash.sha1", "type": "mapping", "value": "threat.indicator.file.hash.sha1"}]}, {"entries": [{"field": "file.hash.sha256", "type": "mapping", "value": "threat.indicator.file.hash.sha256"}]}, {"entries": [{"field": "dll.hash.md5", "type": "mapping", "value": "threat.indicator.file.hash.md5"}]}, {"entries": [{"field": "dll.hash.sha1", "type": "mapping", "value": "threat.indicator.file.hash.sha1"}]}, {"entries": [{"field": "dll.hash.sha256", "type": "mapping", "value": "threat.indicator.file.hash.sha256"}]}, {"entries": [{"field": "process.hash.md5", "type": "mapping", "value": "threat.indicator.file.hash.md5"}]}, {"entries": [{"field": "process.hash.sha1", "type": "mapping", "value": "threat.indicator.file.hash.sha1"}]}, {"entries": [{"field": "process.hash.sha256", "type": "mapping", "value": "threat.indicator.file.hash.sha256"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", "version": 5}, "id": "aab184d3-72b3-4639-b242-6597c99d8bca_5", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_6.json b/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_6.json
deleted file mode 100644
index cec0bfc7370..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel Hash Indicator Match", "note": "## Triage and Analysis\n\n### Investigating Threat Intel Hash Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index.\n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a hash indicator from the Threat Intel Filebeat module or an indicator ingested from a threat intelligence integration matches against an event that contains file hashes, such as antivirus alerts, file operation events, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation. 
This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the hash , which can be found in the `threat.indicator.matched.atomic` field:\n - Search for the existence and reputation of the hash in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Scope other potentially compromised hosts in your environment by mapping hosts with file operations involving the same hash.\n- Identify the process that created the file.\n - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Enrich the information that you have right now by determining how the file was dropped, where it was downloaded from, etc. This can help you determine if the event is part of an ongoing campaign against the organization.\n- Retrieve the involved file and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account 
FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries often use legitimate tools as network administrators, such as `PsExec` or `AdFind`. These tools are often included in indicator lists, which creates the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "file.hash.*:* or process.hash.*:* or dll.hash.*:*\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": false, "name": "dll.hash.*", "type": "unknown"}, {"ecs": false, "name": "file.hash.*", "type": "unknown"}, {"ecs": false, "name": "process.hash.*", "type": "unknown"}], "risk_score": 99, "rule_id": "aab184d3-72b3-4639-b242-6597c99d8bca", "setup": "\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, 
"key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": "enrichment"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, "params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "file.hash.md5", "type": "mapping", "value": "threat.indicator.file.hash.md5"}]}, {"entries": [{"field": "file.hash.sha1", "type": "mapping", "value": "threat.indicator.file.hash.sha1"}]}, {"entries": [{"field": "file.hash.sha256", "type": "mapping", "value": "threat.indicator.file.hash.sha256"}]}, {"entries": [{"field": "dll.hash.md5", "type": "mapping", "value": "threat.indicator.file.hash.md5"}]}, {"entries": [{"field": "dll.hash.sha1", "type": "mapping", "value": "threat.indicator.file.hash.sha1"}]}, {"entries": [{"field": "dll.hash.sha256", "type": "mapping", "value": "threat.indicator.file.hash.sha256"}]}, {"entries": [{"field": "process.hash.md5", "type": "mapping", "value": "threat.indicator.file.hash.md5"}]}, {"entries": [{"field": "process.hash.sha1", "type": "mapping", "value": "threat.indicator.file.hash.sha1"}]}, {"entries": [{"field": "process.hash.sha256", "type": "mapping", "value": "threat.indicator.file.hash.sha256"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "timestamp_override": "event.ingested", "type": "threat_match", "version": 6}, "id": "aab184d3-72b3-4639-b242-6597c99d8bca_6", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_7.json b/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_7.json
deleted file mode 100644
index 618617be6bb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/aab184d3-72b3-4639-b242-6597c99d8bca_7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when a hash indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains file hashes, such as antivirus alerts, process creation, library load, and file operation events.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel Hash Indicator Match", "note": "## Triage and Analysis\n\n### Investigating Threat Intel Hash Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index.\n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a hash indicator from the Threat Intel Filebeat module or an indicator ingested from a threat intelligence integration matches against an event that contains file hashes, such as antivirus alerts, file operation events, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Gain context about the field that matched the local observation. 
This information can be found in the `threat.indicator.matched.field` field.\n- Investigate the hash , which can be found in the `threat.indicator.matched.atomic` field:\n - Search for the existence and reputation of the hash in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Scope other potentially compromised hosts in your environment by mapping hosts with file operations involving the same hash.\n- Identify the process that created the file.\n - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Enrich the information that you have right now by determining how the file was dropped, where it was downloaded from, etc. This can help you determine if the event is part of an ongoing campaign against the organization.\n- Retrieve the involved file and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account 
FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- Adversaries often use legitimate tools as network administrators, such as `PsExec` or `AdFind`. These tools are often included in indicator lists, which creates the potential for false positives.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file.hash.*:* or process.hash.*:* or dll.hash.*:*\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": false, "name": "dll.hash.*", "type": "unknown"}, {"ecs": false, "name": "file.hash.*", "type": "unknown"}, {"ecs": false, "name": "process.hash.*", "type": "unknown"}], "risk_score": 99, "rule_id": "aab184d3-72b3-4639-b242-6597c99d8bca", "setup": "## Setup\n\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": 
false, "key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": "enrichment"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, "params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "file.hash.md5", "type": "mapping", "value": "threat.indicator.file.hash.md5"}]}, {"entries": [{"field": "file.hash.sha1", "type": "mapping", "value": "threat.indicator.file.hash.sha1"}]}, {"entries": [{"field": "file.hash.sha256", "type": "mapping", "value": "threat.indicator.file.hash.sha256"}]}, {"entries": [{"field": "dll.hash.md5", "type": "mapping", "value": "threat.indicator.file.hash.md5"}]}, {"entries": [{"field": "dll.hash.sha1", "type": "mapping", "value": "threat.indicator.file.hash.sha1"}]}, {"entries": [{"field": "dll.hash.sha256", "type": "mapping", "value": "threat.indicator.file.hash.sha256"}]}, {"entries": [{"field": "process.hash.md5", "type": "mapping", "value": "threat.indicator.file.hash.md5"}]}, {"entries": [{"field": "process.hash.sha1", "type": "mapping", "value": "threat.indicator.file.hash.sha1"}]}, {"entries": [{"field": "process.hash.sha256", "type": "mapping", "value": "threat.indicator.file.hash.sha256"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "timestamp_override": "event.ingested", "type": "threat_match", "version": 7}, "id": "aab184d3-72b3-4639-b242-6597c99d8bca_7", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e.json b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e.json
deleted file mode 100644
index e2bb575e9c9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Execution via File Shares", "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1m\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and \n process.pid == 4 and (file.extension : \"exe\" or file.Ext.header_bytes : \"4d5a*\")] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n not (\n /* Veeam related processes */\n (\n process.name : (\n \"VeeamGuestHelper.exe\", \"VeeamGuestIndexer.exe\", \"VeeamAgent.exe\", \"VeeamLogShipper.exe\", \"Veeam.VSS.Sharepoint2010.exe\"\n ) and process.code_signature.trusted == true and process.code_signature.subject_name : \"Veeam Software Group GmbH\"\n ) or\n /* PDQ related processes */\n (\n process.name : (\n \"PDQInventoryScanner.exe\", \"PDQInventoryMonitor.exe\", \"PDQInventory-Scanner-?.exe\",\n \"PDQInventoryWakeCommand-?.exe\", \"PDQDeployRunner-?.exe\"\n ) and process.code_signature.trusted == true and process.code_signature.subject_name : \"PDQ.com Corporation\"\n ) or\n /* CrowdStrike related processes */\n (\n (process.executable : \"?:\\\\Windows\\\\System32\\\\drivers\\\\CrowdStrike\\\\*-WindowsSensor.*.exe\" and \n process.code_signature.trusted == true and process.code_signature.subject_name : \"CrowdStrike, Inc.\") or\n (process.executable : \"?:\\\\Windows\\\\System32\\\\drivers\\\\CrowdStrike\\\\*-CsInstallerService.exe\" and \n process.code_signature.trusted == true and process.code_signature.subject_name : \"Microsoft Windows Hardware Compatibility Publisher\")\n )\n )\n ] by host.id, process.executable\n", "references": 
["http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "ab75c24b-2502-43a0-bf7c-e60e662c811e", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "type": "eql", "version": 112}, "id": "ab75c24b-2502-43a0-bf7c-e60e662c811e", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_104.json b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_104.json
deleted file mode 100644
index 13f881baa5b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Execution via File Shares", "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity can happen legitimately. 
Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1m\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : \"exe\"] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", "references": ["https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, 
{"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "ab75c24b-2502-43a0-bf7c-e60e662c811e", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "type": "eql", "version": 104}, "id": "ab75c24b-2502-43a0-bf7c-e60e662c811e_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_105.json b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_105.json
deleted file mode 100644
index b5d0de645e1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Execution via File Shares", "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1m\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : \"exe\"] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", "references": ["https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "ab75c24b-2502-43a0-bf7c-e60e662c811e", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "type": "eql", "version": 105}, "id": 
"ab75c24b-2502-43a0-bf7c-e60e662c811e_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_106.json b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_106.json
deleted file mode 100644
index eac37086769..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Execution via File Shares", "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1m\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : \"exe\"] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", "references": ["https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "ab75c24b-2502-43a0-bf7c-e60e662c811e", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "type": 
"eql", "version": 106}, "id": "ab75c24b-2502-43a0-bf7c-e60e662c811e_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_107.json b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_107.json
deleted file mode 100644
index 58afab01f9e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Execution via File Shares", "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1m\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and process.pid == 4 and file.extension : \"exe\"] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", "references": ["https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "ab75c24b-2502-43a0-bf7c-e60e662c811e", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": 
"https://attack.mitre.org/techniques/T1021/002/"}]}]}], "type": "eql", "version": 107}, "id": "ab75c24b-2502-43a0-bf7c-e60e662c811e_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_108.json b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_108.json
deleted file mode 100644
index 55f958cf787..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Execution via File Shares", "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1m\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and \n process.pid == 4 and (file.extension : \"exe\" or file.Ext.header_bytes : \"4d5a*\")] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", "references": ["https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "ab75c24b-2502-43a0-bf7c-e60e662c811e", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows 
Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "type": "eql", "version": 108}, "id": "ab75c24b-2502-43a0-bf7c-e60e662c811e_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_109.json b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_109.json
deleted file mode 100644
index 511eb0c7b89..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Execution via File Shares", "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1m\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and \n process.pid == 4 and (file.extension : \"exe\" or file.Ext.header_bytes : \"4d5a*\")] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\"] by host.id, process.executable\n", "references": ["http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "ab75c24b-2502-43a0-bf7c-e60e662c811e", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": 
[{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "type": "eql", "version": 109}, "id": "ab75c24b-2502-43a0-bf7c-e60e662c811e_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_110.json b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_110.json
deleted file mode 100644
index cda2f5e1768..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Execution via File Shares", "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1m\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and \n process.pid == 4 and (file.extension : \"exe\" or file.Ext.header_bytes : \"4d5a*\")] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n not (\n /* Veeam related processes */\n (\n process.name : (\n \"VeeamGuestHelper.exe\", \"VeeamGuestIndexer.exe\", \"VeeamAgent.exe\", \"VeeamLogShipper.exe\", \"Veeam.VSS.Sharepoint2010.exe\"\n ) and process.code_signature.trusted == true and process.code_signature.subject_name : \"Veeam Software Group GmbH\"\n ) or\n /* PDQ related processes */\n (\n process.name : (\n \"PDQInventoryScanner.exe\", \"PDQInventoryMonitor.exe\", \"PDQInventory-Scanner-?.exe\", \"PDQInventoryWakeCommand-?.exe\"\n ) and process.code_signature.trusted == true and process.code_signature.subject_name : \"PDQ.com Corporation\"\n )\n )\n ] by host.id, process.executable\n", "references": ["http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": 
"keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "ab75c24b-2502-43a0-bf7c-e60e662c811e", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "type": "eql", "version": 110}, "id": "ab75c24b-2502-43a0-bf7c-e60e662c811e_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_111.json b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_111.json
deleted file mode 100644
index 807b29d0f5b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Execution via File Shares", "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1m\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and \n process.pid == 4 and (file.extension : \"exe\" or file.Ext.header_bytes : \"4d5a*\")] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n not (\n /* Veeam related processes */\n (\n process.name : (\n \"VeeamGuestHelper.exe\", \"VeeamGuestIndexer.exe\", \"VeeamAgent.exe\", \"VeeamLogShipper.exe\", \"Veeam.VSS.Sharepoint2010.exe\"\n ) and process.code_signature.trusted == true and process.code_signature.subject_name : \"Veeam Software Group GmbH\"\n ) or\n /* PDQ related processes */\n (\n process.name : (\n \"PDQInventoryScanner.exe\", \"PDQInventoryMonitor.exe\", \"PDQInventory-Scanner-?.exe\", \"PDQInventoryWakeCommand-?.exe\"\n ) and process.code_signature.trusted == true and process.code_signature.subject_name : \"PDQ.com Corporation\"\n )\n )\n ] by host.id, process.executable\n", "references": ["http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": 
"keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "ab75c24b-2502-43a0-bf7c-e60e662c811e", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "type": "eql", "version": 111}, "id": "ab75c24b-2502-43a0-bf7c-e60e662c811e_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_112.json b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_112.json deleted file mode 100644 index c93dedac9e0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_112.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Execution via File Shares", "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1m\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and \n process.pid == 4 and (file.extension : \"exe\" or file.Ext.header_bytes : \"4d5a*\")] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n not (\n /* Veeam related processes */\n (\n process.name : (\n \"VeeamGuestHelper.exe\", \"VeeamGuestIndexer.exe\", \"VeeamAgent.exe\", \"VeeamLogShipper.exe\", \"Veeam.VSS.Sharepoint2010.exe\"\n ) and process.code_signature.trusted == true and process.code_signature.subject_name : \"Veeam Software Group GmbH\"\n ) or\n /* PDQ related processes */\n (\n process.name : (\n \"PDQInventoryScanner.exe\", \"PDQInventoryMonitor.exe\", \"PDQInventory-Scanner-?.exe\",\n \"PDQInventoryWakeCommand-?.exe\", \"PDQDeployRunner-?.exe\"\n ) and process.code_signature.trusted == true and process.code_signature.subject_name : \"PDQ.com Corporation\"\n ) or\n /* CrowdStrike related processes */\n (\n (process.executable : \"?:\\\\Windows\\\\System32\\\\drivers\\\\CrowdStrike\\\\*-WindowsSensor.*.exe\" and \n process.code_signature.trusted == true and process.code_signature.subject_name : \"CrowdStrike, Inc.\") or\n (process.executable : \"?:\\\\Windows\\\\System32\\\\drivers\\\\CrowdStrike\\\\*-CsInstallerService.exe\" and \n process.code_signature.trusted == true and process.code_signature.subject_name : \"Microsoft Windows Hardware Compatibility Publisher\")\n )\n )\n ] by host.id, process.executable\n", "references": 
["http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "ab75c24b-2502-43a0-bf7c-e60e662c811e", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "type": "eql", "version": 112}, "id": "ab75c24b-2502-43a0-bf7c-e60e662c811e_112", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_113.json b/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_113.json
deleted file mode 100644
index 8ddd9b022cd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ab75c24b-2502-43a0-bf7c-e60e662c811e_113.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Execution via File Shares", "note": "## Triage and analysis\n\n### Investigating Remote Execution via File Shares\n\nAdversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Review the privileges needed to write to the network share and restrict write access as needed.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1m\n [file where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and \n process.pid == 4 and (file.extension : \"exe\" or file.Ext.header_bytes : \"4d5a*\")] by host.id, file.path\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n not (\n /* Veeam related processes */\n (\n process.name : (\n \"VeeamGuestHelper.exe\", \"VeeamGuestIndexer.exe\", \"VeeamAgent.exe\", \"VeeamLogShipper.exe\", \"Veeam.VSS.Sharepoint20??.exe\"\n ) and process.code_signature.trusted == true and process.code_signature.subject_name : \"Veeam Software Group GmbH\"\n ) or\n /* PDQ related processes */\n (\n process.name : (\n \"PDQInventoryScanner.exe\", \"PDQInventoryMonitor.exe\", \"PDQInventory-Scanner-?.exe\",\n \"PDQInventoryWakeCommand-?.exe\", \"PDQDeployRunner-?.exe\"\n ) and process.code_signature.trusted == true and process.code_signature.subject_name : \"PDQ.com Corporation\"\n ) or\n /* CrowdStrike related processes */\n (\n (process.executable : \"?:\\\\Windows\\\\System32\\\\drivers\\\\CrowdStrike\\\\*-WindowsSensor.*.exe\" and \n process.code_signature.trusted == true and process.code_signature.subject_name : \"CrowdStrike, Inc.\") or\n (process.executable : \"?:\\\\Windows\\\\System32\\\\drivers\\\\CrowdStrike\\\\*-CsInstallerService.exe\" and \n process.code_signature.trusted == true and process.code_signature.subject_name : \"Microsoft Windows Hardware Compatibility Publisher\")\n ) or\n /* MS related processes */\n (\n process.executable == \"System\" or\n (process.executable : 
\"?:\\\\Windows\\\\ccmsetup\\\\ccmsetup.exe\" and \n process.code_signature.trusted == true and process.code_signature.subject_name : \"Microsoft Corporation\")\n ) or\n /* CyberArk processes */\n (\n process.executable : \"?:\\\\Windows\\\\CAInvokerService.exe\" and \n process.code_signature.trusted == true and process.code_signature.subject_name : \"CyberArk Software Ltd.\"\n ) or\n /* Sophos processes */\n (\n process.executable : \"?:\\\\ProgramData\\\\Sophos\\\\AutoUpdate\\\\Cache\\\\sophos_autoupdate1.dir\\\\SophosUpdate.exe\" and \n process.code_signature.trusted == true and process.code_signature.subject_name : \"Sophos Ltd\"\n ) \n )\n ] by host.id, process.executable\n", "references": ["http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "ab75c24b-2502-43a0-bf7c-e60e662c811e", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", 
"reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "type": "eql", "version": 113}, "id": "ab75c24b-2502-43a0-bf7c-e60e662c811e_113", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ab8f074c-5565-4bc4-991c-d49770e19fc9.json b/packages/security_detection_engine/kibana/security_rule/ab8f074c-5565-4bc4-991c-d49770e19fc9.json deleted file mode 100644 index f4523ffdbac..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ab8f074c-5565-4bc4-991c-d49770e19fc9.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies `CopyObject` events within an S3 bucket using an AWS KMS key from an external account for encryption. Adversaries with access to a misconfigured S3 bucket and the proper permissions may encrypt objects with an external KMS key to deny their victims access to their own data.", "false_positives": ["Administrators within an AWS Organization structure may legitimately encrypt bucket objects with a key from an account different from the target bucket. Ensure that this behavior is not part of a legitimate operation before taking action."], "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "AWS S3 Object Encryption Using External KMS Key", "note": "\n## Triage and Analysis\n\n### Investigating AWS S3 Object Encryption Using External KMS Key\n\nThis rule detects the use of an external AWS KMS key to encrypt objects within an S3 bucket. Adversaries with access to a misconfigured S3 bucket may use an external key to copy objects within a bucket and deny victims the ability to access their own data.\nThis rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule) to look for use of the `CopyObject` operation where the target bucket's `cloud.account.id` is different from the `key.account.id` dissected from the AWS KMS key used for encryption.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the `CopyObject` action. 
Look for any unusual parameters that could suggest unauthorized or malicious modifications or usage of an unknown KMS keyId.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the object was copied. Changes during non-business hours or outside regular maintenance windows might require further scrutiny.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.\n- **Check for Object Deletion or Access**: Look for `DeleteObject`, `DeleteObjects`, or `GetObject` API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects including older object versions.\n- **Interview Relevant Personnel**: If the copy event was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing S3 buckets.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the `CopyObject` action aligns with scheduled updates, maintenance activities, or legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar activities performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\n\n### Response and Remediation:\n\n- **Immediate Review**: If the activity was unauthorized, search for potential ransom note placed in S3 bucket and review the bucket's access logs for any suspicious activity.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar `CopyObject` actions, especially those involving sensitive data or unusual file extensions.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware.\n- **Audit S3 Bucket Policies and Permissions**: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing S3 bucket security and protecting against ransomware, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on S3 ransomware protection:\n- [ERMETIC REPORT - AWS S3 Ransomware Exposure in the Wild](https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf)\n- [S3 Ransomware Part 1: Attack Vector](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)\n", "query": "from logs-aws.cloudtrail-*\n\n// any successful copy event\n| where event.dataset == \"aws.cloudtrail\" \n and event.provider == \"s3.amazonaws.com\" \n and event.action == \"CopyObject\" \n and event.outcome == \"success\"\n\n// abstract key account id, key id, encrypted object bucket name and object name\n| dissect aws.cloudtrail.request_parameters \"{%{?bucketName}=%{target.bucketName},%{?x-amz-server-side-encryption-aws-kms-key-id}=%{?arn}:%{?aws}:%{?kms}:%{?region}:%{key.account.id}:%{?key}/%{keyId},%{?Host}=%{?tls.client.server_name},%{?x-amz-server-side-encryption}=%{?server-side-encryption},%{?x-amz-copy-source}=%{?bucket.objectName},%{?key}=%{target.objectName}}\"\n\n// filter for s3 objects whose account id is different from the encryption key's account id\n// add exceptions based on key.account.id or keyId for known external accounts or encryption keys\n| where cloud.account.id != key.account.id \n", "references": ["https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html/", "https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html/", "https://www.gem.security/post/cloud-ransomware-a-new-take-on-an-old-attack-pattern/", "https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/"], "risk_score": 47, "rule_id": "ab8f074c-5565-4bc4-991c-d49770e19fc9", "setup": "AWS S3 data event types need to be enabled in the CloudTrail trail configuration.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS S3", "Data Source: AWS 
KMS", "Use Case: Threat Detection", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "ab8f074c-5565-4bc4-991c-d49770e19fc9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ab8f074c-5565-4bc4-991c-d49770e19fc9_1.json b/packages/security_detection_engine/kibana/security_rule/ab8f074c-5565-4bc4-991c-d49770e19fc9_1.json deleted file mode 100644 index 24b7e73a5bd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ab8f074c-5565-4bc4-991c-d49770e19fc9_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies `CopyObject` events within an S3 bucket using an AWS KMS key from an external account for encryption. Adversaries with access to a misconfigured S3 bucket and the proper permissions may encrypt objects with an external KMS key to deny their victims access to their own data.", "false_positives": ["Administrators within an AWS Organization structure may legitimately encrypt bucket objects with a key from an account different from the target bucket. Ensure that this behavior is not part of a legitimate operation before taking action."], "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "AWS S3 Object Encryption Using External KMS Key", "note": "\n## Triage and Analysis\n\n### Investigating AWS S3 Object Encryption Using External KMS Key\n\nThis rule detects the use of an external AWS KMS key to encrypt objects within an S3 bucket. Adversaries with access to a misconfigured S3 bucket may use an external key to copy objects within a bucket and deny victims the ability to access their own data.\nThis rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule) to look for use of the `CopyObject` operation where the target bucket's `cloud.account.id` is different from the `key.account.id` dissected from the AWS KMS key used for encryption.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who performed the action. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific details of the `CopyObject` action. 
Look for any unusual parameters that could suggest unauthorized or malicious modifications or usage of an unknown KMS keyId.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the object was copied. Changes during non-business hours or outside regular maintenance windows might require further scrutiny.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this action to see if the same actor or IP address engaged in other potentially suspicious activities.\n- **Check for Object Deletion or Access**: Look for `DeleteObject`, `DeleteObjects`, or `GetObject` API calls to the same S3 bucket that may indicate the adversary accessing and destroying objects including older object versions.\n- **Interview Relevant Personnel**: If the copy event was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing S3 buckets.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the `CopyObject` action aligns with scheduled updates, maintenance activities, or legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar activities performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\n\n### Response and Remediation:\n\n- **Immediate Review**: If the activity was unauthorized, search for potential ransom note placed in S3 bucket and review the bucket's access logs for any suspicious activity.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar `CopyObject` actions, especially those involving sensitive data or unusual file extensions.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning S3 bucket management and the risks of ransomware.\n- **Audit S3 Bucket Policies and Permissions**: Conduct a comprehensive audit of all S3 bucket policies and associated permissions to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing S3 bucket security and protecting against ransomware, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on S3 ransomware protection:\n- [ERMETIC REPORT - AWS S3 Ransomware Exposure in the Wild](https://s3.amazonaws.com/bizzabo.file.upload/PtZzA0eFQwV2RA5ysNeo_ERMETIC%20REPORT%20-%20AWS%20S3%20Ransomware%20Exposure%20in%20the%20Wild.pdf)\n- [S3 Ransomware Part 1: Attack Vector](https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/)\n", "query": "from logs-aws.cloudtrail-*\n\n// any successful copy event\n| where event.dataset == \"aws.cloudtrail\" \n and event.provider == \"s3.amazonaws.com\" \n and event.action == \"CopyObject\" \n and event.outcome == \"success\"\n\n// abstract key account id, key id, encrypted object bucket name and object name\n| dissect aws.cloudtrail.request_parameters \"{%{?bucketName}=%{target.bucketName},%{?x-amz-server-side-encryption-aws-kms-key-id}=%{?arn}:%{?aws}:%{?kms}:%{?region}:%{key.account.id}:%{?key}/%{keyId},%{?Host}=%{?tls.client.server_name},%{?x-amz-server-side-encryption}=%{?server-side-encryption},%{?x-amz-copy-source}=%{?bucket.objectName},%{?key}=%{target.objectName}}\"\n\n// filter for s3 objects whose account id is different from the encryption key's account id\n// add exceptions based on key.account.id or keyId for known external accounts or encryption keys\n| where cloud.account.id != key.account.id \n", "references": ["https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html/", "https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html/", "https://www.gem.security/post/cloud-ransomware-a-new-take-on-an-old-attack-pattern/", "https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/"], "risk_score": 47, "rule_id": "ab8f074c-5565-4bc4-991c-d49770e19fc9", "setup": "AWS S3 data event types need to be enabled in the CloudTrail trail configuration.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS S3", "Data Source: AWS 
KMS", "Use Case: Threat Detection", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "ab8f074c-5565-4bc4-991c-d49770e19fc9_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b.json b/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b.json
deleted file mode 100644
index a7503b5b535..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", "false_positives": ["A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_rare_metadata_process"], "name": "Unusual Windows Process Calling the Metadata Service", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "abae61a8-c560-4dbd-acca-1e1438bff36b", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.005", 
"name": "Cloud Instance Metadata API", "reference": "https://attack.mitre.org/techniques/T1552/005/"}]}]}], "type": "machine_learning", "version": 104}, "id": "abae61a8-c560-4dbd-acca-1e1438bff36b", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_101.json b/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_101.json
deleted file mode 100644
index 183d850ffa3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_101.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", "false_positives": ["A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_rare_metadata_process"], "name": "Unusual Windows Process Calling the Metadata Service", "risk_score": 21, "rule_id": "abae61a8-c560-4dbd-acca-1e1438bff36b", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.005", "name": "Cloud Instance Metadata API", "reference": "https://attack.mitre.org/techniques/T1552/005/"}]}]}], "type": "machine_learning", "version": 101}, "id": "abae61a8-c560-4dbd-acca-1e1438bff36b_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_102.json b/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_102.json deleted file mode 100644 index 2ece5e31866..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", "false_positives": ["A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_rare_metadata_process"], "name": "Unusual Windows Process Calling the Metadata Service", "risk_score": 21, "rule_id": "abae61a8-c560-4dbd-acca-1e1438bff36b", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.005", "name": "Cloud Instance Metadata API", "reference": "https://attack.mitre.org/techniques/T1552/005/"}]}]}], "type": "machine_learning", "version": 102}, "id": "abae61a8-c560-4dbd-acca-1e1438bff36b_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_103.json b/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_103.json deleted file mode 100644 index 25929b46d8c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", "false_positives": ["A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_rare_metadata_process"], "name": "Unusual Windows Process Calling the Metadata Service", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "abae61a8-c560-4dbd-acca-1e1438bff36b", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.005", "name": "Cloud Instance Metadata API", "reference": "https://attack.mitre.org/techniques/T1552/005/"}]}]}], "type": "machine_learning", "version": 103}, "id": "abae61a8-c560-4dbd-acca-1e1438bff36b_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_104.json b/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_104.json deleted file mode 100644 index f8f043665ab..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", "false_positives": ["A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_rare_metadata_process"], "name": "Unusual Windows Process Calling the Metadata Service", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "abae61a8-c560-4dbd-acca-1e1438bff36b", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.005", 
"name": "Cloud Instance Metadata API", "reference": "https://attack.mitre.org/techniques/T1552/005/"}]}]}], "type": "machine_learning", "version": 104}, "id": "abae61a8-c560-4dbd-acca-1e1438bff36b_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_105.json b/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_105.json
deleted file mode 100644
index c03bad0f8c9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/abae61a8-c560-4dbd-acca-1e1438bff36b_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", "false_positives": ["A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this detection rule."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_rare_metadata_process"], "name": "Unusual Windows Process Calling the Metadata Service", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "abae61a8-c560-4dbd-acca-1e1438bff36b", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.005", 
"name": "Cloud Instance Metadata API", "reference": "https://attack.mitre.org/techniques/T1552/005/"}]}]}], "type": "machine_learning", "version": 105}, "id": "abae61a8-c560-4dbd-acca-1e1438bff36b_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8.json b/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8.json
deleted file mode 100644
index 6f0e2cccbb3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence via Login Hook", "note": "## Triage and analysis\n\nStarting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system.", "query": "event.category:file and host.os.type:macos and not event.type:\"deletion\" and\n file.name:\"com.apple.loginwindow.plist\" and\n not process.name: (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor or backupd or \"iMazing Profile Editor\" or storagekitd or CloneKitService)\n", "references": ["https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ac412404-57a5-476f-858f-4e8fbb4f48d8", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1647", "name": "Plist File Modification", "reference": "https://attack.mitre.org/techniques/T1647/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "ac412404-57a5-476f-858f-4e8fbb4f48d8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_103.json b/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_103.json deleted file mode 100644 index d1f0852003c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence via Login Hook", "note": "## Triage and analysis\n\nStarting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system.", "query": "event.category:file and host.os.type:macos and not event.type:\"deletion\" and\n file.name:\"com.apple.loginwindow.plist\" and\n process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor or backupd or \"iMazing Profile Editor\"\n))\n", "references": ["https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ac412404-57a5-476f-858f-4e8fbb4f48d8", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", 
"name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1647", "name": "Plist File Modification", "reference": "https://attack.mitre.org/techniques/T1647/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "ac412404-57a5-476f-858f-4e8fbb4f48d8_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_104.json b/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_104.json deleted file mode 100644 index 003a23df0b4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence via Login Hook", "note": "## Triage and analysis\n\nStarting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system.", "query": "event.category:file and host.os.type:macos and not event.type:\"deletion\" and\n file.name:\"com.apple.loginwindow.plist\" and\n process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor or backupd or \"iMazing Profile Editor\"\n))\n", "references": ["https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ac412404-57a5-476f-858f-4e8fbb4f48d8", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}, {"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1647", "name": "Plist File Modification", "reference": "https://attack.mitre.org/techniques/T1647/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "ac412404-57a5-476f-858f-4e8fbb4f48d8_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_105.json b/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_105.json deleted file mode 100644 index fe313745511..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence via Login Hook", "note": "## Triage and analysis\n\nStarting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system.", "query": "event.category:file and host.os.type:macos and not event.type:\"deletion\" and\n file.name:\"com.apple.loginwindow.plist\" and\n process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor or backupd or \"iMazing Profile Editor\"\n))\n", "references": ["https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ac412404-57a5-476f-858f-4e8fbb4f48d8", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}, 
{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1647", "name": "Plist File Modification", "reference": "https://attack.mitre.org/techniques/T1647/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "ac412404-57a5-476f-858f-4e8fbb4f48d8_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_106.json b/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_106.json deleted file mode 100644 index 904bf457f29..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence via Login Hook", "note": "## Triage and analysis\n\nStarting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system.", "query": "event.category:file and host.os.type:macos and not event.type:\"deletion\" and\n file.name:\"com.apple.loginwindow.plist\" and\n process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor or backupd or \"iMazing Profile Editor\"\n))\n", "references": ["https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ac412404-57a5-476f-858f-4e8fbb4f48d8", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1647", "name": "Plist File Modification", "reference": "https://attack.mitre.org/techniques/T1647/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "ac412404-57a5-476f-858f-4e8fbb4f48d8_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_107.json b/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_107.json deleted file mode 100644 index c67427dd186..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac412404-57a5-476f-858f-4e8fbb4f48d8_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence via Login Hook", "note": "## Triage and analysis\n\nStarting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system.", "query": "event.category:file and host.os.type:macos and not event.type:\"deletion\" and\n file.name:\"com.apple.loginwindow.plist\" and\n process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor or backupd or \"iMazing Profile Editor\"\n))\n", "references": ["https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ac412404-57a5-476f-858f-4e8fbb4f48d8", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1647", "name": "Plist File Modification", "reference": "https://attack.mitre.org/techniques/T1647/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "ac412404-57a5-476f-858f-4e8fbb4f48d8_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff.json b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff.json deleted file mode 100644 index 3530dbd3001..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes.", "false_positives": ["Custom Windows error reporting debugger or applications restarted by WerFault after a crash."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WerFault Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"WerFault.exe\" and\n\n /* args -s and -t used to execute a process via SilentProcessExit mechanism */\n (process.parent.args : \"-s\" and process.parent.args : \"-t\" and process.parent.args : \"-c\") and\n\n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\Initcrypt.exe\", \"?:\\\\Program Files (x86)\\\\Heimdal\\\\Heimdal.Guard.exe\")\n", "references": ["https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/", "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx", "http://web.archive.org/web/20230530011556/https://blog.menasec.net/2021/01/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": 
"process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.012", "name": "Image File Execution Options Injection", "reference": "https://attack.mitre.org/techniques/T1546/012/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.012", "name": "Image File Execution Options Injection", "reference": 
"https://attack.mitre.org/techniques/T1546/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 314}, "id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_105.json b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_105.json deleted file mode 100644 index 198329353b2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes.", "false_positives": ["Custom Windows error reporting debugger or applications restarted by WerFault after a crash."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WerFault Child Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"WerFault.exe\" and \n \n /* args -s and -t used to execute a process via SilentProcessExit mechanism */\n (process.parent.args : \"-s\" and process.parent.args : \"-t\" and process.parent.args : \"-c\") and \n \n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\Initcrypt.exe\", \"?:\\\\Program Files (x86)\\\\Heimdal\\\\Heimdal.Guard.exe\")\n", "references": ["https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/", "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx", "https://blog.menasec.net/2021/01/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff", "setup": "If enabling an EQL rule on 
a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_106.json b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_106.json deleted file mode 100644 index ddd063b3062..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes.", "false_positives": ["Custom Windows error reporting debugger or applications restarted by WerFault after a crash."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WerFault Child Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"WerFault.exe\" and \n \n /* args -s and -t used to execute a process via SilentProcessExit mechanism */\n (process.parent.args : \"-s\" and process.parent.args : \"-t\" and process.parent.args : \"-c\") and \n \n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\Initcrypt.exe\", \"?:\\\\Program Files (x86)\\\\Heimdal\\\\Heimdal.Guard.exe\")\n", "references": ["https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/", "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx", "https://blog.menasec.net/2021/01/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff", "setup": "If enabling an EQL rule on 
a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_107.json b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_107.json deleted file mode 100644 index 72610d93484..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes.", "false_positives": ["Custom Windows error reporting debugger or applications restarted by WerFault after a crash."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WerFault Child Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"WerFault.exe\" and \n \n /* args -s and -t used to execute a process via SilentProcessExit mechanism */\n (process.parent.args : \"-s\" and process.parent.args : \"-t\" and process.parent.args : \"-c\") and \n \n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\Initcrypt.exe\", \"?:\\\\Program Files (x86)\\\\Heimdal\\\\Heimdal.Guard.exe\")\n", "references": ["https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/", "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx", "https://blog.menasec.net/2021/01/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff", "setup": "If enabling an EQL rule on 
a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_108.json b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_108.json deleted file mode 100644 index 67a30257560..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_108.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes.", "false_positives": ["Custom Windows error reporting debugger or applications restarted by WerFault after a crash."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WerFault Child Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"WerFault.exe\" and \n \n /* args -s and -t used to execute a process via SilentProcessExit mechanism */\n (process.parent.args : \"-s\" and process.parent.args : \"-t\" and process.parent.args : \"-c\") and \n \n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\Initcrypt.exe\", \"?:\\\\Program Files (x86)\\\\Heimdal\\\\Heimdal.Guard.exe\")\n", "references": ["https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/", "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx", "https://blog.menasec.net/2021/01/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff", "setup": "If enabling an EQL rule on 
a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.012", "name": "Image File Execution Options Injection", "reference": "https://attack.mitre.org/techniques/T1546/012/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.012", "name": "Image File Execution Options Injection", "reference": "https://attack.mitre.org/techniques/T1546/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_109.json b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_109.json
deleted file mode 100644
index 5f552a41d16..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes.", "false_positives": ["Custom Windows error reporting debugger or applications restarted by WerFault after a crash."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WerFault Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"WerFault.exe\" and \n \n /* args -s and -t used to execute a process via SilentProcessExit mechanism */\n (process.parent.args : \"-s\" and process.parent.args : \"-t\" and process.parent.args : \"-c\") and \n \n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\Initcrypt.exe\", \"?:\\\\Program Files (x86)\\\\Heimdal\\\\Heimdal.Guard.exe\")\n", "references": ["https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/", "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx", "https://blog.menasec.net/2021/01/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff", "setup": "\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.012", "name": "Image File Execution Options Injection", "reference": "https://attack.mitre.org/techniques/T1546/012/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.012", "name": "Image File Execution Options Injection", "reference": "https://attack.mitre.org/techniques/T1546/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_110.json b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_110.json
deleted file mode 100644
index 8ae668ab6bf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes.", "false_positives": ["Custom Windows error reporting debugger or applications restarted by WerFault after a crash."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WerFault Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"WerFault.exe\" and \n \n /* args -s and -t used to execute a process via SilentProcessExit mechanism */\n (process.parent.args : \"-s\" and process.parent.args : \"-t\" and process.parent.args : \"-c\") and \n \n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\Initcrypt.exe\", \"?:\\\\Program Files (x86)\\\\Heimdal\\\\Heimdal.Guard.exe\")\n", "references": ["https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/", "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx", "http://web.archive.org/web/20230530011556/https://blog.menasec.net/2021/01/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff", 
"setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.012", "name": "Image File Execution Options Injection", "reference": "https://attack.mitre.org/techniques/T1546/012/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.012", "name": "Image File Execution Options Injection", "reference": "https://attack.mitre.org/techniques/T1546/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff_110", "type": "security-rule"} \ 
No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_111.json b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_111.json
deleted file mode 100644
index 95793cc0acc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes.", "false_positives": ["Custom Windows error reporting debugger or applications restarted by WerFault after a crash."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WerFault Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"WerFault.exe\" and \n \n /* args -s and -t used to execute a process via SilentProcessExit mechanism */\n (process.parent.args : \"-s\" and process.parent.args : \"-t\" and process.parent.args : \"-c\") and \n \n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\Initcrypt.exe\", \"?:\\\\Program Files (x86)\\\\Heimdal\\\\Heimdal.Guard.exe\")\n", "references": ["https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/", "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx", "http://web.archive.org/web/20230530011556/https://blog.menasec.net/2021/01/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff", 
"setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.012", "name": "Image File Execution Options Injection", "reference": "https://attack.mitre.org/techniques/T1546/012/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.012", "name": "Image File Execution Options Injection", "reference": "https://attack.mitre.org/techniques/T1546/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff_111", "type": 
"security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_112.json b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_112.json deleted file mode 100644 index f51c5aef1e1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_112.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes.", "false_positives": ["Custom Windows error reporting debugger or applications restarted by WerFault after a crash."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WerFault Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"WerFault.exe\" and \n \n /* args -s and -t used to execute a process via SilentProcessExit mechanism */\n (process.parent.args : \"-s\" and process.parent.args : \"-t\" and process.parent.args : \"-c\") and \n \n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\Initcrypt.exe\", \"?:\\\\Program Files (x86)\\\\Heimdal\\\\Heimdal.Guard.exe\")\n", "references": ["https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/", "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx", "http://web.archive.org/web/20230530011556/https://blog.menasec.net/2021/01/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": 
"ac5012b8-8da8-440b-aaaf-aedafdea2dff", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.012", "name": "Image File Execution Options Injection", "reference": "https://attack.mitre.org/techniques/T1546/012/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.012", "name": "Image File Execution Options Injection", "reference": "https://attack.mitre.org/techniques/T1546/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": 
"ac5012b8-8da8-440b-aaaf-aedafdea2dff_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_213.json b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_213.json deleted file mode 100644 index 937075784ee..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_213.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes.", "false_positives": ["Custom Windows error reporting debugger or applications restarted by WerFault after a crash."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WerFault Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"WerFault.exe\" and\n\n /* args -s and -t used to execute a process via SilentProcessExit mechanism */\n (process.parent.args : \"-s\" and process.parent.args : \"-t\" and process.parent.args : \"-c\") and\n\n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\Initcrypt.exe\", \"?:\\\\Program Files (x86)\\\\Heimdal\\\\Heimdal.Guard.exe\")\n", "references": ["https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/", "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx", "http://web.archive.org/web/20230530011556/https://blog.menasec.net/2021/01/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": 
"process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.012", "name": "Image File Execution Options Injection", "reference": "https://attack.mitre.org/techniques/T1546/012/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.012", "name": "Image File Execution Options Injection", "reference": 
"https://attack.mitre.org/techniques/T1546/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 213}, "id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff_213", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_314.json b/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_314.json deleted file mode 100644 index b0cd27e4ace..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac5012b8-8da8-440b-aaaf-aedafdea2dff_314.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes.", "false_positives": ["Custom Windows error reporting debugger or applications restarted by WerFault after a crash."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WerFault Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"WerFault.exe\" and\n\n /* args -s and -t used to execute a process via SilentProcessExit mechanism */\n (process.parent.args : \"-s\" and process.parent.args : \"-t\" and process.parent.args : \"-c\") and\n\n not process.executable : (\"?:\\\\Windows\\\\SysWOW64\\\\Initcrypt.exe\", \"?:\\\\Program Files (x86)\\\\Heimdal\\\\Heimdal.Guard.exe\")\n", "references": ["https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/", "https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx", "http://web.archive.org/web/20230530011556/https://blog.menasec.net/2021/01/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": 
"process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.012", "name": "Image File Execution Options Injection", "reference": "https://attack.mitre.org/techniques/T1546/012/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.012", "name": "Image File Execution Options Injection", "reference": 
"https://attack.mitre.org/techniques/T1546/012/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 314}, "id": "ac5012b8-8da8-440b-aaaf-aedafdea2dff_314", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac531fcc-1d3b-476d-bbb5-1357728c9a37.json b/packages/security_detection_engine/kibana/security_rule/ac531fcc-1d3b-476d-bbb5-1357728c9a37.json deleted file mode 100644 index 7ea2058a2c8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac531fcc-1d3b-476d-bbb5-1357728c9a37.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the creation or modification of a Git hook file on a Linux system. Git hooks are scripts that Git executes before or after events such as commit, push, and receive. They are used to automate tasks, enforce policies, and customize Git's behavior. Attackers can abuse Git hooks to maintain persistence on a system by executing malicious code whenever a specific Git event occurs.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Git Hook Created or Modified", "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and file.path : \"*.git/hooks/*\" and\nfile.extension == null and process.executable != null and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/usr/bin/pamac-daemon\", \"/bin/pamac-daemon\",\n \"/usr/local/bin/dockerd\", \"/sbin/dockerd\"\n ) or\n process.executable : (\"/nix/store/*\", \"/var/lib/dpkg/*\", \"/snap/*\", \"/dev/fd/*\") or\n process.name in (\"git\", \"dirname\") or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", 
"references": ["https://git-scm.com/docs/githooks/2.26.0"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "ac531fcc-1d3b-476d-bbb5-1357728c9a37", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "ac531fcc-1d3b-476d-bbb5-1357728c9a37", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac531fcc-1d3b-476d-bbb5-1357728c9a37_1.json b/packages/security_detection_engine/kibana/security_rule/ac531fcc-1d3b-476d-bbb5-1357728c9a37_1.json deleted file mode 100644 index 9efc73dc203..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac531fcc-1d3b-476d-bbb5-1357728c9a37_1.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the creation or modification of a Git hook file on a Linux system. Git hooks are scripts that Git executes before or after events such as commit, push, and receive. They are used to automate tasks, enforce policies, and customize Git's behavior. Attackers can abuse Git hooks to maintain persistence on a system by executing malicious code whenever a specific Git event occurs.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Git Hook Created or Modified", "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and file.path : \"*.git/hooks/*\" and\nfile.extension == null and process.executable != null and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/usr/bin/pamac-daemon\", \"/bin/pamac-daemon\",\n \"/usr/local/bin/dockerd\", \"/sbin/dockerd\"\n ) or\n process.executable : (\"/nix/store/*\", \"/var/lib/dpkg/*\", \"/snap/*\", \"/dev/fd/*\") or\n process.name in (\"git\", \"dirname\") or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", 
"references": ["https://git-scm.com/docs/githooks/2.26.0"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "ac531fcc-1d3b-476d-bbb5-1357728c9a37", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "ac531fcc-1d3b-476d-bbb5-1357728c9a37_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac531fcc-1d3b-476d-bbb5-1357728c9a37_2.json b/packages/security_detection_engine/kibana/security_rule/ac531fcc-1d3b-476d-bbb5-1357728c9a37_2.json deleted file mode 100644 index e2035132062..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac531fcc-1d3b-476d-bbb5-1357728c9a37_2.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the creation or modification of a Git hook file on a Linux system. Git hooks are scripts that Git executes before or after events such as commit, push, and receive. They are used to automate tasks, enforce policies, and customize Git's behavior. Attackers can abuse Git hooks to maintain persistence on a system by executing malicious code whenever a specific Git event occurs.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Git Hook Created or Modified", "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and file.path : \"*.git/hooks/*\" and\nfile.extension == null and process.executable != null and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/usr/bin/pamac-daemon\", \"/bin/pamac-daemon\",\n \"/usr/local/bin/dockerd\", \"/sbin/dockerd\"\n ) or\n process.executable : (\"/nix/store/*\", \"/var/lib/dpkg/*\", \"/snap/*\", \"/dev/fd/*\") or\n process.name in (\"git\", \"dirname\") or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", 
"references": ["https://git-scm.com/docs/githooks/2.26.0", "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "ac531fcc-1d3b-476d-bbb5-1357728c9a37", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "ac531fcc-1d3b-476d-bbb5-1357728c9a37_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac5a2759-5c34-440a-b0c4-51fe674611d6.json b/packages/security_detection_engine/kibana/security_rule/ac5a2759-5c34-440a-b0c4-51fe674611d6.json deleted file mode 100644 index 32d8908f36e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac5a2759-5c34-440a-b0c4-51fe674611d6.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications in registry keys associated with abuse of the Outlook Home Page functionality for command and control or persistence.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Outlook Home Page Registry Modification", "query": "registry where host.os.type == \"windows\" and event.action != \"deletion\" and registry.value : \"URL\" and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Outlook\\\\Webview\\\\Inbox\\\\URL\",\n \"HKU\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Outlook\\\\Webview\\\\Inbox\\\\URL\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Outlook\\\\Webview\\\\Inbox\\\\URL\"\n ) and registry.data.strings : \"*http*\"\n", "references": ["https://cloud.google.com/blog/topics/threat-intelligence/breaking-the-rules-tough-outlook-for-home-page-attacks/", "https://github.com/trustedsec/specula"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "ac5a2759-5c34-440a-b0c4-51fe674611d6", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": 
"https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1137", "name": "Office Application Startup", "reference": "https://attack.mitre.org/techniques/T1137/", "subtechnique": [{"id": "T1137.004", "name": "Outlook Home Page", "reference": "https://attack.mitre.org/techniques/T1137/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "ac5a2759-5c34-440a-b0c4-51fe674611d6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac5a2759-5c34-440a-b0c4-51fe674611d6_1.json b/packages/security_detection_engine/kibana/security_rule/ac5a2759-5c34-440a-b0c4-51fe674611d6_1.json deleted file mode 100644 index d97a636d92a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac5a2759-5c34-440a-b0c4-51fe674611d6_1.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications in registry keys associated with abuse of the Outlook Home Page functionality for command and control or persistence.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Outlook Home Page Registry Modification", "query": "registry where host.os.type == \"windows\" and event.action != \"deletion\" and registry.value : \"URL\" and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Outlook\\\\Webview\\\\Inbox\\\\URL\",\n \"HKU\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Outlook\\\\Webview\\\\Inbox\\\\URL\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Outlook\\\\Webview\\\\Inbox\\\\URL\"\n ) and registry.data.strings : \"*http*\"\n", "references": ["https://cloud.google.com/blog/topics/threat-intelligence/breaking-the-rules-tough-outlook-for-home-page-attacks/", "https://github.com/trustedsec/specula"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "ac5a2759-5c34-440a-b0c4-51fe674611d6", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": 
"https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1137", "name": "Office Application Startup", "reference": "https://attack.mitre.org/techniques/T1137/", "subtechnique": [{"id": "T1137.004", "name": "Outlook Home Page", "reference": "https://attack.mitre.org/techniques/T1137/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "ac5a2759-5c34-440a-b0c4-51fe674611d6_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac6bc744-e82b-41ad-b58d-90654fa4ebfb_1.json b/packages/security_detection_engine/kibana/security_rule/ac6bc744-e82b-41ad-b58d-90654fa4ebfb_1.json deleted file mode 100644 index 7620047b33b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac6bc744-e82b-41ad-b58d-90654fa4ebfb_1.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the load of a remote library by the WPS Office promecefpluginhost.exe executable. This may indicate the successful exploitation of CVE-2024-7262 or CVE-2024-7263 via DLL hijack abusing the ksoqing custom protocol handler.", "from": "now-9m", "index": ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "WPS Office Exploitation via DLL Hijack", "query": "any where host.os.type == \"windows\" and process.name : \"promecefpluginhost.exe\" and \n(\n (event.category == \"library\" and \n ?dll.path : \n (\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\wps\\\\INetCache\\\\*\", \n \"\\\\Device\\\\Mup\\\\**\", \"\\\\\\\\*\")) or \n\n ((event.category == \"process\" and event.action : \"Image loaded*\") and \n ?file.path : \n (\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\wps\\\\INetCache\\\\*\", \n \"\\\\Device\\\\Mup\\\\**\", \"\\\\\\\\*\"))\n)\n", "references": ["https://www.welivesecurity.com/en/eset-research/analysis-of-two-arbitrary-code-execution-vulnerabilities-affecting-wps-office/", "https://mp.weixin.qq.com/s/F8hNyESBdKhwXkQPgtGpew"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.path", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "ac6bc744-e82b-41ad-b58d-90654fa4ebfb", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1189", "name": "Drive-by Compromise", "reference": "https://attack.mitre.org/techniques/T1189/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "ac6bc744-e82b-41ad-b58d-90654fa4ebfb_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1.json b/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1.json deleted file mode 100644 index 06283d3d589..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.", "false_positives": ["New or unusual user command activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used."], "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_method_for_a_username", "name": "Unusual AWS Command for a User", "note": "## Triage and analysis\n\n### Investigating Unusual AWS Command for a User\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. 
Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. 
You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "aws", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS.\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### AWS Integration Setup\nThe AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"aws\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAWS\u201d and select the integration to see more details about it.\n- Click \u201cAdd AWS\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201caws\u201d to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws).\n", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"], "type": "machine_learning", "version": 209}, "id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_104.json b/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_104.json deleted file mode 100644 index 1017be12474..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.", "false_positives": ["New or unusual user command activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used."], "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_method_for_a_username", "name": "Unusual AWS Command for a User", "note": "## Triage and analysis\n\n### Investigating Unusual AWS Command for a User\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. 
Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. 
You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [], "risk_score": 21, "rule_id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "ML", "Machine Learning", "Investigation Guide"], "type": "machine_learning", "version": 104}, "id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_105.json b/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_105.json deleted file mode 100644 index 41071c8072c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.", "false_positives": ["New or unusual user command activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used."], "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_method_for_a_username", "name": "Unusual AWS Command for a User", "note": "## Triage and analysis\n\n### Investigating Unusual AWS Command for a User\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. 
Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. 
You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [], "risk_score": 21, "rule_id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"], "type": "machine_learning", "version": 105}, "id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_106.json b/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_106.json deleted file mode 100644 index a971b5597f7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.", "false_positives": ["New or unusual user command activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used."], "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_method_for_a_username", "name": "Unusual AWS Command for a User", "note": "## Triage and analysis\n\n### Investigating Unusual AWS Command for a User\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. 
Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. 
You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "aws", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"], "type": "machine_learning", "version": 106}, "id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_107.json b/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_107.json deleted file mode 100644 index 61f4e1db895..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.", "false_positives": ["New or unusual user command activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used."], "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_method_for_a_username", "name": "Unusual AWS Command for a User", "note": "## Triage and analysis\n\n### Investigating Unusual AWS Command for a User\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. 
Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. 
You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "aws", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"], "type": "machine_learning", "version": 107}, "id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_208.json b/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_208.json deleted file mode 100644 index 4d7cefc6d51..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_208.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected an AWS API command that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.", "false_positives": ["New or unusual user command activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used."], "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_method_for_a_username", "name": "Unusual AWS Command for a User", "note": "## Triage and analysis\n\n### Investigating Unusual AWS Command for a User\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is being made by a user context that does not normally use the command. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. 
Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. 
You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual Country For an AWS Command - dca28dee-c999-400f-b640-50a081cc0fd1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "aws", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"], "type": "machine_learning", "version": 208}, "id": "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f.json b/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f.json deleted file mode 100644 index 2e3d6c76014..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Protocol Tunneling via Chisel Server", "note": "## Triage and analysis\n\n### Investigating Potential Protocol Tunneling via Chisel Server\n\nAttackers can leverage `chisel` to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems.\n\nThis rule looks for a sequence of command line arguments that are consistent with `chisel` server tunneling behavior, followed by a network event by an uncommon process. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses port tunneling for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.args == \"server\" and process.args in (\"--port\", \"-p\", \"--reverse\", \"--backend\", \"--socks5\") and \n process.args_count >= 3 and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_accepted\" and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" and \n not process.name : (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\",\n \"ftp\", \"socat\", \"curl\", \"wget\", \"dpkg\", \"docker\", \"dockerd\", \"yum\", \"apt\", \"rpm\", \"dnf\", \"ssh\", \"sshd\", \"hugo\")]\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": 
"long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ac8805f6-1e08-406c-962e-3937057fa86f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "type": "eql", "version": 6}, "id": "ac8805f6-1e08-406c-962e-3937057fa86f", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_1.json b/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_1.json deleted file mode 100644 index 9b9faa7564a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Protocol Tunneling via Chisel Server", "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.args == \"server\" and process.args in (\"--port\", \"-p\", \"--reverse\", \"--backend\", \"--socks5\") and \n process.args_count >= 3 and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action == \"connection_accepted\" and event.type == \"start\" and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" and \n not process.name : (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\",\n \"ftp\", \"socat\", \"curl\", \"wget\", \"dpkg\", \"docker\", \"dockerd\", \"yum\", \"apt\", \"rpm\", \"dnf\", \"ssh\", \"sshd\", \"hugo\")]\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], 
"required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ac8805f6-1e08-406c-962e-3937057fa86f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "type": "eql", "version": 1}, "id": "ac8805f6-1e08-406c-962e-3937057fa86f_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_2.json b/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_2.json deleted file mode 100644 index fce7345aef8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Protocol Tunneling via Chisel Server", "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.args == \"server\" and process.args in (\"--port\", \"-p\", \"--reverse\", \"--backend\", \"--socks5\") and \n process.args_count >= 3 and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action == \"connection_accepted\" and event.type == \"start\" and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" and \n not process.name : (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\",\n \"ftp\", \"socat\", \"curl\", \"wget\", \"dpkg\", \"docker\", \"dockerd\", \"yum\", \"apt\", \"rpm\", \"dnf\", \"ssh\", \"sshd\", \"hugo\")]\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], 
"required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ac8805f6-1e08-406c-962e-3937057fa86f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "type": "eql", "version": 2}, "id": "ac8805f6-1e08-406c-962e-3937057fa86f_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_3.json b/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_3.json deleted file mode 100644 index 50fd21ecc14..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Protocol Tunneling via Chisel Server", "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.args == \"server\" and process.args in (\"--port\", \"-p\", \"--reverse\", \"--backend\", \"--socks5\") and \n process.args_count >= 3 and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action == \"connection_accepted\" and event.type == \"start\" and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" and \n not process.name : (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\",\n \"ftp\", \"socat\", \"curl\", \"wget\", \"dpkg\", \"docker\", \"dockerd\", \"yum\", \"apt\", \"rpm\", \"dnf\", \"ssh\", \"sshd\", \"hugo\")]\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], 
"required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ac8805f6-1e08-406c-962e-3937057fa86f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "type": "eql", "version": 3}, "id": "ac8805f6-1e08-406c-962e-3937057fa86f_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_4.json b/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_4.json deleted file mode 100644 index 7dcbed8c637..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Protocol Tunneling via Chisel Server", "note": "## Triage and analysis\n\n### Investigating Potential Protocol Tunneling via Chisel Server\n\nAttackers can leverage `chisel` to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems.\n\nThis rule looks for a sequence of command line arguments that are consistent with `chisel` server tunneling behavior, followed by a network event by an uncommon process. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses port tunneling for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.args == \"server\" and process.args in (\"--port\", \"-p\", \"--reverse\", \"--backend\", \"--socks5\") and \n process.args_count >= 3 and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action == \"connection_accepted\" and event.type == \"start\" and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" and \n not process.name : (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\",\n \"ftp\", \"socat\", \"curl\", \"wget\", \"dpkg\", \"docker\", \"dockerd\", \"yum\", \"apt\", \"rpm\", \"dnf\", \"ssh\", \"sshd\", \"hugo\")]\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": 
"keyword"}], "risk_score": 47, "rule_id": "ac8805f6-1e08-406c-962e-3937057fa86f", "setup": "This rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "type": "eql", "version": 4}, "id": "ac8805f6-1e08-406c-962e-3937057fa86f_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_5.json b/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_5.json deleted file mode 100644 index 1c5d33b8ad1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac8805f6-1e08-406c-962e-3937057fa86f_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for common command line flags leveraged by the Chisel server utility followed by a received connection within a timespan of 1 minute. Chisel is a command-line utility used for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse the Chisel utility to establish covert communication channels, bypass network restrictions, and carry out malicious activities by creating tunnels that allow unauthorized access to internal systems.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Protocol Tunneling via Chisel Server", "note": "## Triage and analysis\n\n### Investigating Potential Protocol Tunneling via Chisel Server\n\nAttackers can leverage `chisel` to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems.\n\nThis rule looks for a sequence of command line arguments that are consistent with `chisel` server tunneling behavior, followed by a network event by an uncommon process. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Linux Tunneling and/or Port Forwarding - 6ee947e9-de7e-4281-a55d-09289bdf947e\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses port tunneling for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.args == \"server\" and process.args in (\"--port\", \"-p\", \"--reverse\", \"--backend\", \"--socks5\") and \n process.args_count >= 3 and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action == \"connection_accepted\" and event.type == \"start\" and \n destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" and \n not process.name : (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"java\", \"telnet\",\n \"ftp\", \"socat\", \"curl\", \"wget\", \"dpkg\", \"docker\", \"dockerd\", \"yum\", \"apt\", \"rpm\", \"dnf\", \"ssh\", \"sshd\", \"hugo\")]\n", "references": ["https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": 
"long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ac8805f6-1e08-406c-962e-3937057fa86f", "setup": "This rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1572", "name": "Protocol Tunneling", "reference": "https://attack.mitre.org/techniques/T1572/"}]}], "type": "eql", "version": 5}, "id": "ac8805f6-1e08-406c-962e-3937057fa86f_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46.json b/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46.json deleted file mode 100644 index e0b9e1ac210..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. This rule detects Invoke-Mimikatz PowerShell script and alike.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Invoke-Mimikatz PowerShell Script", "note": "## Triage and analysis\n\n### Investigating Mimikatz PowerShell Activity\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to move laterally and pivot across a network.\n\nThis rule looks for PowerShell scripts that load mimikatz in memory, like Invoke-Mimikataz, which are used to dump credentials from the Local Security Authority Subsystem Service (LSASS). Any activity triggered from this rule should be treated with high priority as it typically represents an active adversary.\n\nMore information about Mimikatz components and how to detect/prevent them can be found on [ADSecurity](https://adsecurity.org/?page_id=1821).\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Invoke-Mimitakz and alike scripts heavily use other capabilities covered by other detections described in the \"Related Rules\" section.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host.\n - Examine network and security events in the environment to identify potential lateral movement using compromised credentials.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Mimikatz Memssp Log File Detected - ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6\n- Modification of WDigest Security Provider - d703a5af-d5b0-43bd-8ddb-7a5d500b7da5\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Validate that cleartext passwords are disabled in memory for use with `WDigest`.\n- Look into preventing access to `LSASS` using capabilities such as LSA protection or antivirus/EDR tools that provide this capability.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\npowershell.file.script_block_text:(\n (DumpCreds and\n DumpCerts) or\n \"sekurlsa::logonpasswords\" or\n (\"crypto::certificates\" and\n \"CERT_SYSTEM_STORE_LOCAL_MACHINE\")\n)\n", "references": ["https://attack.mitre.org/software/S0002/", "https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 73, "rule_id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell 
>\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_105.json b/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_105.json deleted file mode 100644 index 4bbbaef686f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. This rule detects Invoke-Mimikatz PowerShell script and alike.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Invoke-Mimikatz PowerShell Script", "note": "## Triage and analysis\n\n### Investigating Mimikatz PowerShell Activity\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to move laterally and pivot across a network.\n\nThis rule looks for PowerShell scripts that load mimikatz in memory, like Invoke-Mimikataz, which are used to dump credentials from the Local Security Authority Subsystem Service (LSASS). Any activity triggered from this rule should be treated with high priority as it typically represents an active adversary.\n\nMore information about Mimikatz components and how to detect/prevent them can be found on [ADSecurity](https://adsecurity.org/?page_id=1821).\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Invoke-Mimitakz and alike scripts heavily use other capabilities covered by other detections described in the \"Related Rules\" section.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host.\n - Examine network and security events in the environment to identify potential lateral movement using compromised credentials.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Mimikatz Memssp Log File Detected - ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6\n- Modification of WDigest Security Provider - d703a5af-d5b0-43bd-8ddb-7a5d500b7da5\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Validate that cleartext passwords are disabled in memory for use with `WDigest`.\n- Look into preventing access to `LSASS` using capabilities such as LSA protection or antivirus/EDR tools that provide this capability.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\npowershell.file.script_block_text:(\n (DumpCreds and\n DumpCerts) or\n \"sekurlsa::logonpasswords\" or\n (\"crypto::certificates\" and\n \"CERT_SYSTEM_STORE_LOCAL_MACHINE\")\n)\n", "references": ["https://attack.mitre.org/software/S0002/", "https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 73, "rule_id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46", "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on 
PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "PowerShell"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_106.json b/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_106.json
deleted file mode 100644
index 90c879a7fa2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. This rule detects Invoke-Mimikatz PowerShell script and alike.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Invoke-Mimikatz PowerShell Script", "note": "## Triage and analysis\n\n### Investigating Mimikatz PowerShell Activity\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to move laterally and pivot across a network.\n\nThis rule looks for PowerShell scripts that load mimikatz in memory, like Invoke-Mimikataz, which are used to dump credentials from the Local Security Authority Subsystem Service (LSASS). Any activity triggered from this rule should be treated with high priority as it typically represents an active adversary.\n\nMore information about Mimikatz components and how to detect/prevent them can be found on [ADSecurity](https://adsecurity.org/?page_id=1821).\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Invoke-Mimitakz and alike scripts heavily use other capabilities covered by other detections described in the \"Related Rules\" section.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host.\n - Examine network and security events in the environment to identify potential lateral movement using compromised credentials.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Mimikatz Memssp Log File Detected - ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6\n- Modification of WDigest Security Provider - d703a5af-d5b0-43bd-8ddb-7a5d500b7da5\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Validate that cleartext passwords are disabled in memory for use with `WDigest`.\n- Look into preventing access to `LSASS` using capabilities such as LSA protection or antivirus/EDR tools that provide this capability.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\npowershell.file.script_block_text:(\n (DumpCreds and\n DumpCerts) or\n \"sekurlsa::logonpasswords\" or\n (\"crypto::certificates\" and\n \"CERT_SYSTEM_STORE_LOCAL_MACHINE\")\n)\n", "references": ["https://attack.mitre.org/software/S0002/", "https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 73, "rule_id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46", "setup": "The 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on 
PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_107.json b/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_107.json
deleted file mode 100644
index fa081c68fc6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. This rule detects Invoke-Mimikatz PowerShell script and alike.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Invoke-Mimikatz PowerShell Script", "note": "## Triage and analysis\n\n### Investigating Mimikatz PowerShell Activity\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to move laterally and pivot across a network.\n\nThis rule looks for PowerShell scripts that load mimikatz in memory, like Invoke-Mimikataz, which are used to dump credentials from the Local Security Authority Subsystem Service (LSASS). Any activity triggered from this rule should be treated with high priority as it typically represents an active adversary.\n\nMore information about Mimikatz components and how to detect/prevent them can be found on [ADSecurity](https://adsecurity.org/?page_id=1821).\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Invoke-Mimitakz and alike scripts heavily use other capabilities covered by other detections described in the \"Related Rules\" section.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host.\n - Examine network and security events in the environment to identify potential lateral movement using compromised credentials.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Mimikatz Memssp Log File Detected - ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6\n- Modification of WDigest Security Provider - d703a5af-d5b0-43bd-8ddb-7a5d500b7da5\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Validate that cleartext passwords are disabled in memory for use with `WDigest`.\n- Look into preventing access to `LSASS` using capabilities such as LSA protection or antivirus/EDR tools that provide this capability.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.category:process and host.os.type:windows and\npowershell.file.script_block_text:(\n (DumpCreds and\n DumpCerts) or\n \"sekurlsa::logonpasswords\" or\n (\"crypto::certificates\" and\n \"CERT_SYSTEM_STORE_LOCAL_MACHINE\")\n)\n", "references": ["https://attack.mitre.org/software/S0002/", "https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 73, "rule_id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46", "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn 
on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json b/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json
deleted file mode 100644
index d94897e5543..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. This rule detects Invoke-Mimikatz PowerShell script and alike.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Invoke-Mimikatz PowerShell Script", "note": "## Triage and analysis\n\n### Investigating Mimikatz PowerShell Activity\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to move laterally and pivot across a network.\n\nThis rule looks for PowerShell scripts that load mimikatz in memory, like Invoke-Mimikataz, which are used to dump credentials from the Local Security Authority Subsystem Service (LSASS). Any activity triggered from this rule should be treated with high priority as it typically represents an active adversary.\n\nMore information about Mimikatz components and how to detect/prevent them can be found on [ADSecurity](https://adsecurity.org/?page_id=1821).\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Invoke-Mimitakz and alike scripts heavily use other capabilities covered by other detections described in the \"Related Rules\" section.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host.\n - Examine network and security events in the environment to identify potential lateral movement using compromised credentials.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Mimikatz Memssp Log File Detected - ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6\n- Modification of WDigest Security Provider - d703a5af-d5b0-43bd-8ddb-7a5d500b7da5\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Validate that cleartext passwords are disabled in memory for use with `WDigest`.\n- Look into preventing access to `LSASS` using capabilities such as LSA protection or antivirus/EDR tools that provide this capability.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\npowershell.file.script_block_text:(\n (DumpCreds and\n DumpCerts) or\n \"sekurlsa::logonpasswords\" or\n (\"crypto::certificates\" and\n \"CERT_SYSTEM_STORE_LOCAL_MACHINE\")\n)\n", "references": ["https://attack.mitre.org/software/S0002/", "https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 73, "rule_id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell 
>\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_109.json b/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_109.json
deleted file mode 100644
index 87a81aaab12..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ac96ceb8-4399-4191-af1d-4feeac1f1f46_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. This rule detects Invoke-Mimikatz PowerShell script and alike.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Invoke-Mimikatz PowerShell Script", "note": "## Triage and analysis\n\n### Investigating Mimikatz PowerShell Activity\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to move laterally and pivot across a network.\n\nThis rule looks for PowerShell scripts that load mimikatz in memory, like Invoke-Mimikataz, which are used to dump credentials from the Local Security Authority Subsystem Service (LSASS). Any activity triggered from this rule should be treated with high priority as it typically represents an active adversary.\n\nMore information about Mimikatz components and how to detect/prevent them can be found on [ADSecurity](https://adsecurity.org/?page_id=1821).\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Invoke-Mimitakz and alike scripts heavily use other capabilities covered by other detections described in the \"Related Rules\" section.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host.\n - Examine network and security events in the environment to identify potential lateral movement using compromised credentials.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- Mimikatz Memssp Log File Detected - ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6\n- Modification of WDigest Security Provider - d703a5af-d5b0-43bd-8ddb-7a5d500b7da5\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Validate that cleartext passwords are disabled in memory for use with `WDigest`.\n- Look into preventing access to `LSASS` using capabilities such as LSA protection or antivirus/EDR tools that provide this capability.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\npowershell.file.script_block_text:(\n (DumpCreds and\n DumpCerts) or\n \"sekurlsa::logonpasswords\" or\n (\"crypto::certificates\" and\n \"CERT_SYSTEM_STORE_LOCAL_MACHINE\")\n)\n", "references": ["https://attack.mitre.org/software/S0002/", "https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 73, "rule_id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be configured (Enable).\n\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell 
>\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 109}, "id": "ac96ceb8-4399-4191-af1d-4feeac1f1f46_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee.json b/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee.json
deleted file mode 100644
index 799a1fd3a60..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target\u2019s data.", "false_positives": ["Domain-wide delegation of authority may be granted to service accounts by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-9m", "index": ["filebeat-*", "logs-google_workspace*"], "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace API Access Granted via Domain-Wide Delegation", "note": "## Triage and analysis\n\n### Investigating Google Workspace API Access Granted via Domain-Wide Delegation\n\nDomain-wide delegation is a feature that allows apps to access users' data across an organization's Google Workspace environment. Only super admins can manage domain-wide delegation, and they must specify each API scope that the application can access. Google Workspace services all have APIs that can be interacted with after domain-wide delegation is established with an OAuth2 client ID of the application. Typically, GCP service accounts and applications are created where the Google Workspace APIs are enabled, thus allowing the application to access resources and services in Google Workspace.\n\nApplications authorized to interact with Google Workspace resources and services through APIs have a wide range of capabilities depending on the scopes applied. If the principle of least privilege (PoLP) is not practiced when setting API scopes, threat actors could abuse additional privileges if the application is compromised. 
New applications created and given API access could indicate an attempt by a threat actor to register their malicious application with the Google Workspace domain in an attempt to establish a command and control foothold.\n\nThis rule identifies when an application is authorized API client access.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n - Only users with super admin privileges can authorize API client access.\n- Identify the API client name by reviewing the `google_workspace.admin.api.client.name` field in the alert.\n - If GCP audit logs are ingested, pivot to reviewing the last 48 hours of activity related to the service account ID.\n - Search for the `google_workspace.admin.api.client.name` value with wildcards in the `gcp.audit.resource_name` field.\n - Search for API client name and aggregated results on `event.action` to determine what the service account is being used for in GWS.\n- After identifying the involved user, verify super administrative privileges to access domain-wide delegation settings.\n\n### False positive analysis\n\n- Changes to domain-wide delegation require super admin privileges. 
Check with the user to ensure these changes were expected.\n- Review scheduled maintenance notes related to expected API access changes.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Review the scope of the authorized API client access in Google Workspace.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin\n and event.provider:admin\n and event.category:iam\n and event.action:AUTHORIZE_API_CLIENT_ACCESS\n and event.outcome:success\n", "references": ["https://developers.google.com/admin-sdk/directory/v1/guides/delegation"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_203.json b/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_203.json
deleted file mode 100644
index cb33367a3cd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_203.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target\u2019s data.", "false_positives": ["Domain-wide delegation of authority may be granted to service accounts by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS\n", "references": ["https://developers.google.com/admin-sdk/directory/v1/guides/delegation"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 203}, "id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee_203", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_204.json b/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_204.json
deleted file mode 100644
index 208a38363ce..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_204.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target\u2019s data.", "false_positives": ["Domain-wide delegation of authority may be granted to service accounts by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", "note": "## Triage and analysis\n\n### Investigating API Access Granted via Domain-Wide Delegation of Authority\n\nDomain-wide delegation is a feature that allows apps to access users' data across an organization's Google Workspace environment. Only super admins can manage domain-wide delegation, and they must specify each API scope that the application can access. Google Workspace services all have APIs that can be interacted with after domain-wide delegation is established with an OAuth2 client ID of the application. Typically, GCP service accounts and applications are created where the Google Workspace APIs are enabled, thus allowing the application to access resources and services in Google Workspace.\n\nApplications authorized to interact with Google Workspace resources and services through APIs have a wide range of capabilities depending on the scopes applied. If the principle of least privilege (PoLP) is not practiced when setting API scopes, threat actors could abuse additional privileges if the application is compromised. 
New applications created and given API access could indicate an attempt by a threat actor to register their malicious application with the Google Workspace domain in an attempt to establish a command and control foothold.\n\nThis rule identifies when an application is authorized API client access.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n - Only users with super admin privileges can authorize API client access.\n- Identify the API client name by reviewing the `google_workspace.admin.api.client.name` field in the alert.\n - If GCP audit logs are ingested, pivot to reviewing the last 48 hours of activity related to the service account ID.\n - Search for the `google_workspace.admin.api.client.name` value with wildcards in the `gcp.audit.resource_name` field.\n - Search for API client name and aggregated results on `event.action` to determine what the service account is being used for in GWS.\n- After identifying the involved user, verify super administrative privileges to access domain-wide delegation settings.\n\n### False positive analysis\n\n- Changes to domain-wide delegation require super admin privileges. 
Check with the user to ensure these changes were expected.\n- Review scheduled maintenance notes related to expected API access changes.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Review the scope of the authorized API client access in Google Workspace.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS\n", "references": ["https://developers.google.com/admin-sdk/directory/v1/guides/delegation"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 204}, "id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee_204", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_205.json b/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_205.json
deleted file mode 100644
index 541c44c1826..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_205.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target\u2019s data.", "false_positives": ["Domain-wide delegation of authority may be granted to service accounts by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace API Access Granted via Domain-Wide Delegation of Authority", "note": "## Triage and analysis\n\n### Investigating API Access Granted via Domain-Wide Delegation of Authority\n\nDomain-wide delegation is a feature that allows apps to access users' data across an organization's Google Workspace environment. Only super admins can manage domain-wide delegation, and they must specify each API scope that the application can access. Google Workspace services all have APIs that can be interacted with after domain-wide delegation is established with an OAuth2 client ID of the application. Typically, GCP service accounts and applications are created where the Google Workspace APIs are enabled, thus allowing the application to access resources and services in Google Workspace.\n\nApplications authorized to interact with Google Workspace resources and services through APIs have a wide range of capabilities depending on the scopes applied. If the principle of least privilege (PoLP) is not practiced when setting API scopes, threat actors could abuse additional privileges if the application is compromised. 
New applications created and given API access could indicate an attempt by a threat actor to register their malicious application with the Google Workspace domain in an attempt to establish a command and control foothold.\n\nThis rule identifies when an application is authorized API client access.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n - Only users with super admin privileges can authorize API client access.\n- Identify the API client name by reviewing the `google_workspace.admin.api.client.name` field in the alert.\n - If GCP audit logs are ingested, pivot to reviewing the last 48 hours of activity related to the service account ID.\n - Search for the `google_workspace.admin.api.client.name` value with wildcards in the `gcp.audit.resource_name` field.\n - Search for API client name and aggregated results on `event.action` to determine what the service account is being used for in GWS.\n- After identifying the involved user, verify super administrative privileges to access domain-wide delegation settings.\n\n### False positive analysis\n\n- Changes to domain-wide delegation require super admin privileges. 
Check with the user to ensure these changes were expected.\n- Review scheduled maintenance notes related to expected API access changes.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Review the scope of the authorized API client access in Google Workspace.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:AUTHORIZE_API_CLIENT_ACCESS\n", "references": ["https://developers.google.com/admin-sdk/directory/v1/guides/delegation"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee_205", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_206.json b/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_206.json
deleted file mode 100644
index 5b8eabd2083..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/acbc8bb9-2486-49a8-8779-45fb5f9a93ee_206.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may configure domain-wide delegation to maintain access to their target\u2019s data.", "false_positives": ["Domain-wide delegation of authority may be granted to service accounts by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-9m", "index": ["filebeat-*", "logs-google_workspace*"], "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace API Access Granted via Domain-Wide Delegation", "note": "## Triage and analysis\n\n### Investigating Google Workspace API Access Granted via Domain-Wide Delegation\n\nDomain-wide delegation is a feature that allows apps to access users' data across an organization's Google Workspace environment. Only super admins can manage domain-wide delegation, and they must specify each API scope that the application can access. Google Workspace services all have APIs that can be interacted with after domain-wide delegation is established with an OAuth2 client ID of the application. Typically, GCP service accounts and applications are created where the Google Workspace APIs are enabled, thus allowing the application to access resources and services in Google Workspace.\n\nApplications authorized to interact with Google Workspace resources and services through APIs have a wide range of capabilities depending on the scopes applied. If the principle of least privilege (PoLP) is not practiced when setting API scopes, threat actors could abuse additional privileges if the application is compromised. 
New applications created and given API access could indicate an attempt by a threat actor to register their malicious application with the Google Workspace domain in an attempt to establish a command and control foothold.\n\nThis rule identifies when an application is authorized API client access.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n - Only users with super admin privileges can authorize API client access.\n- Identify the API client name by reviewing the `google_workspace.admin.api.client.name` field in the alert.\n - If GCP audit logs are ingested, pivot to reviewing the last 48 hours of activity related to the service account ID.\n - Search for the `google_workspace.admin.api.client.name` value with wildcards in the `gcp.audit.resource_name` field.\n - Search for API client name and aggregated results on `event.action` to determine what the service account is being used for in GWS.\n- After identifying the involved user, verify super administrative privileges to access domain-wide delegation settings.\n\n### False positive analysis\n\n- Changes to domain-wide delegation require super admin privileges. 
Check with the user to ensure these changes were expected.\n- Review scheduled maintenance notes related to expected API access changes.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Review the scope of the authorized API client access in Google Workspace.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin\n and event.provider:admin\n and event.category:iam\n and event.action:AUTHORIZE_API_CLIENT_ACCESS\n and event.outcome:success\n", "references": ["https://developers.google.com/admin-sdk/directory/v1/guides/delegation"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "acbc8bb9-2486-49a8-8779-45fb5f9a93ee_206", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d.json b/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d.json
deleted file mode 100644
index 596a2285bc8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making unusual network connections. Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making network connections and bypass host-based firewall restrictions.", "false_positives": ["Processes such as MS Office using IEproxy to render HTML content."], "from": "now-9m", "index": ["logs-endpoint.events.library-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Command and Control via Internet Explorer", "query": "sequence by host.id, user.name with maxspan = 5s\n [library where host.os.type == \"windows\" and dll.name : \"IEProxy.dll\" and process.name : (\"rundll32.exe\", \"regsvr32.exe\")]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"iexplore.exe\" and process.parent.args : \"-Embedding\"]\n /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n [network where host.os.type == \"windows\" and network.protocol == \"dns\" and process.name : \"iexplore.exe\" and\n not dns.question.name :\n (\n \"*.microsoft.com\",\n \"*.digicert.com\",\n \"*.msocsp.com\",\n \"*.windowsupdate.com\",\n \"*.bing.com\",\n \"*.identrust.com\",\n \"*.sharepoint.com\",\n \"*.office365.com\",\n \"*.office.com\"\n )\n ] /* with runs=5 */\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, 
{"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "type": "eql", "version": 106}, "id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_102.json b/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_102.json deleted file mode 100644 index d856efc40ad..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making unusual network connections. Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making network connections and bypass host-based firewall restrictions.", "false_positives": ["Processes such as MS Office using IEproxy to render HTML content."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Command and Control via Internet Explorer", "query": "sequence by host.id, user.name with maxspan = 5s\n [library where host.os.type == \"windows\" and dll.name : \"IEProxy.dll\" and process.name : (\"rundll32.exe\", \"regsvr32.exe\")]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"iexplore.exe\" and process.parent.args : \"-Embedding\"]\n /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n [network where host.os.type == \"windows\" and network.protocol == \"dns\" and process.name : \"iexplore.exe\" and\n not dns.question.name :\n (\n \"*.microsoft.com\",\n \"*.digicert.com\",\n \"*.msocsp.com\",\n \"*.windowsupdate.com\",\n \"*.bing.com\",\n \"*.identrust.com\",\n \"*.sharepoint.com\",\n \"*.office365.com\",\n \"*.office.com\"\n )\n ] /* with runs=5 */\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": 
"keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "type": "eql", "version": 102}, "id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_103.json b/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_103.json deleted file mode 100644 index 5423537aceb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making unusual network connections. Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making network connections and bypass host-based firewall restrictions.", "false_positives": ["Processes such as MS Office using IEproxy to render HTML content."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Command and Control via Internet Explorer", "query": "sequence by host.id, user.name with maxspan = 5s\n [library where host.os.type == \"windows\" and dll.name : \"IEProxy.dll\" and process.name : (\"rundll32.exe\", \"regsvr32.exe\")]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"iexplore.exe\" and process.parent.args : \"-Embedding\"]\n /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n [network where host.os.type == \"windows\" and network.protocol == \"dns\" and process.name : \"iexplore.exe\" and\n not dns.question.name :\n (\n \"*.microsoft.com\",\n \"*.digicert.com\",\n \"*.msocsp.com\",\n \"*.windowsupdate.com\",\n \"*.bing.com\",\n \"*.identrust.com\",\n \"*.sharepoint.com\",\n \"*.office365.com\",\n \"*.office.com\"\n )\n ] /* with runs=5 */\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": 
"keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "type": "eql", "version": 103}, "id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_104.json b/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_104.json deleted file mode 100644 index e045e4f0b74..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making unusual network connections. Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making network connections and bypass host-based firewall restrictions.", "false_positives": ["Processes such as MS Office using IEproxy to render HTML content."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Command and Control via Internet Explorer", "query": "sequence by host.id, user.name with maxspan = 5s\n [library where host.os.type == \"windows\" and dll.name : \"IEProxy.dll\" and process.name : (\"rundll32.exe\", \"regsvr32.exe\")]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"iexplore.exe\" and process.parent.args : \"-Embedding\"]\n /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n [network where host.os.type == \"windows\" and network.protocol == \"dns\" and process.name : \"iexplore.exe\" and\n not dns.question.name :\n (\n \"*.microsoft.com\",\n \"*.digicert.com\",\n \"*.msocsp.com\",\n \"*.windowsupdate.com\",\n \"*.bing.com\",\n \"*.identrust.com\",\n \"*.sharepoint.com\",\n \"*.office365.com\",\n \"*.office.com\"\n )\n ] /* with runs=5 */\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": 
"keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "type": "eql", "version": 104}, "id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_105.json b/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_105.json deleted file mode 100644 index 5d79d9ea27d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/acd611f3-2b93-47b3-a0a3-7723bcc46f6d_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances of Internet Explorer (iexplore.exe) being started via the Component Object Model (COM) making unusual network connections. Adversaries could abuse Internet Explorer via COM to avoid suspicious processes making network connections and bypass host-based firewall restrictions.", "false_positives": ["Processes such as MS Office using IEproxy to render HTML content."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Command and Control via Internet Explorer", "query": "sequence by host.id, user.name with maxspan = 5s\n [library where host.os.type == \"windows\" and dll.name : \"IEProxy.dll\" and process.name : (\"rundll32.exe\", \"regsvr32.exe\")]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"iexplore.exe\" and process.parent.args : \"-Embedding\"]\n /* IE started via COM in normal conditions makes few connections, mainly to Microsoft and OCSP related domains, add FPs here */\n [network where host.os.type == \"windows\" and network.protocol == \"dns\" and process.name : \"iexplore.exe\" and\n not dns.question.name :\n (\n \"*.microsoft.com\",\n \"*.digicert.com\",\n \"*.msocsp.com\",\n \"*.windowsupdate.com\",\n \"*.bing.com\",\n \"*.identrust.com\",\n \"*.sharepoint.com\",\n \"*.office365.com\",\n \"*.office.com\"\n )\n ] /* with runs=5 */\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, 
"name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "type": "eql", "version": 105}, "id": "acd611f3-2b93-47b3-a0a3-7723bcc46f6d_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0.json b/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0.json deleted file mode 100644 index 8a86b3f64c6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential macOS SSH Brute Force Detected", "query": "event.category:process and host.os.type:macos and event.type:start and process.name:\"sshd-keygen-wrapper\" and process.parent.name:launchd\n", "references": ["https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ace1e989-a541-44df-93a8-a8b0591b63c0", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["host.id"], "value": 20}, "timestamp_override": "event.ingested", "type": "threshold", "version": 108}, "id": "ace1e989-a541-44df-93a8-a8b0591b63c0", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_103.json b/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_103.json deleted file mode 100644 index e269896a8d9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential macOS SSH Brute Force Detected", "query": "event.category:process and host.os.type:macos and event.type:start and process.name:\"sshd-keygen-wrapper\" and process.parent.name:launchd\n", "references": ["https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ace1e989-a541-44df-93a8-a8b0591b63c0", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["host.id"], "value": 20}, "type": "threshold", "version": 103}, "id": "ace1e989-a541-44df-93a8-a8b0591b63c0_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_104.json b/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_104.json deleted file mode 100644 index a5865999172..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_104.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential macOS SSH Brute Force Detected", "query": "event.category:process and host.os.type:macos and event.type:start and process.name:\"sshd-keygen-wrapper\" and process.parent.name:launchd\n", "references": ["https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ace1e989-a541-44df-93a8-a8b0591b63c0", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["host.id"], "value": 20}, "type": "threshold", "version": 104}, "id": "ace1e989-a541-44df-93a8-a8b0591b63c0_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_105.json b/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_105.json
deleted file mode 100644
index d33714aa61a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential macOS SSH Brute Force Detected", "query": "event.category:process and host.os.type:macos and event.type:start and process.name:\"sshd-keygen-wrapper\" and process.parent.name:launchd\n", "references": ["https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ace1e989-a541-44df-93a8-a8b0591b63c0", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["host.id"], "value": 20}, "type": "threshold", "version": 105}, "id": "ace1e989-a541-44df-93a8-a8b0591b63c0_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_106.json b/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_106.json
deleted file mode 100644
index 0e9364d57fa..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential macOS SSH Brute Force Detected", "query": "event.category:process and host.os.type:macos and event.type:start and process.name:\"sshd-keygen-wrapper\" and process.parent.name:launchd\n", "references": ["https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ace1e989-a541-44df-93a8-a8b0591b63c0", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["host.id"], "value": 20}, "type": "threshold", "version": 106}, "id": "ace1e989-a541-44df-93a8-a8b0591b63c0_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_107.json b/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_107.json deleted file mode 100644 index 3c35fa33884..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ace1e989-a541-44df-93a8-a8b0591b63c0_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential macOS SSH Brute Force Detected", "query": "event.category:process and host.os.type:macos and event.type:start and process.name:\"sshd-keygen-wrapper\" and process.parent.name:launchd\n", "references": ["https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ace1e989-a541-44df-93a8-a8b0591b63c0", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["host.id"], "value": 20}, "timestamp_override": "event.ingested", "type": "threshold", "version": 107}, "id": "ace1e989-a541-44df-93a8-a8b0591b63c0_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40.json b/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40.json deleted file mode 100644 index 2dbe06e344b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Managed Code Hosting Process", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.name : (\"wscript.exe.log\",\n \"cscript.exe.log\",\n \"mshta.exe.log\",\n \"wmic.exe.log\",\n \"svchost.exe.log\",\n \"dllhost.exe.log\",\n \"cmstp.exe.log\",\n \"regsvr32.exe.log\")\n", "references": ["http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_102.json b/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_102.json
deleted file mode 100644
index 9c0d09787f8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Managed Code Hosting Process", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\", \"cscript.exe\", \"mshta.exe\", \"wmic.exe\", \"regsvr32.exe\", \"svchost.exe\", \"dllhost.exe\", \"cmstp.exe\")]\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.name : (\"wscript.exe.log\",\n \"cscript.exe\",\n \"mshta.exe.log\",\n \"wmic.exe.log\",\n \"svchost.exe.log\",\n \"dllhost.exe.log\",\n \"cmstp.exe.log\",\n \"regsvr32.exe.log\")]\n", "references": ["https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "type": "eql", "version": 102}, "id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40_102", 
"type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_103.json b/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_103.json
deleted file mode 100644
index 6a4667c6734..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Managed Code Hosting Process", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\", \"cscript.exe\", \"mshta.exe\", \"wmic.exe\", \"regsvr32.exe\", \"svchost.exe\", \"dllhost.exe\", \"cmstp.exe\")]\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.name : (\"wscript.exe.log\",\n \"cscript.exe\",\n \"mshta.exe.log\",\n \"wmic.exe.log\",\n \"svchost.exe.log\",\n \"dllhost.exe.log\",\n \"cmstp.exe.log\",\n \"regsvr32.exe.log\")]\n", "references": ["https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "type": "eql", "version": 103}, "id": 
"acf738b5-b5b2-4acc-bad9-1e18ee234f40_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_104.json b/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_104.json
deleted file mode 100644
index 66c3853437f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Managed Code Hosting Process", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\", \"cscript.exe\", \"mshta.exe\", \"wmic.exe\", \"regsvr32.exe\", \"svchost.exe\", \"dllhost.exe\", \"cmstp.exe\")]\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.name : (\"wscript.exe.log\",\n \"cscript.exe\",\n \"mshta.exe.log\",\n \"wmic.exe.log\",\n \"svchost.exe.log\",\n \"dllhost.exe.log\",\n \"cmstp.exe.log\",\n \"regsvr32.exe.log\")]\n", "references": ["https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "type": "eql", "version": 104}, 
"id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_105.json b/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_105.json
deleted file mode 100644
index e82169e2417..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Managed Code Hosting Process", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\", \"cscript.exe\", \"mshta.exe\", \"wmic.exe\", \"regsvr32.exe\", \"svchost.exe\", \"dllhost.exe\", \"cmstp.exe\")]\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.name : (\"wscript.exe.log\",\n \"cscript.exe.log\",\n \"mshta.exe.log\",\n \"wmic.exe.log\",\n \"svchost.exe.log\",\n \"dllhost.exe.log\",\n \"cmstp.exe.log\",\n \"regsvr32.exe.log\")]\n", "references": ["https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "type": "eql", "version": 
105}, "id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_106.json b/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_106.json
deleted file mode 100644
index 73c5c99769a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Managed Code Hosting Process", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\", \"cscript.exe\", \"mshta.exe\", \"wmic.exe\", \"regsvr32.exe\", \"svchost.exe\", \"dllhost.exe\", \"cmstp.exe\")]\n [file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.name : (\"wscript.exe.log\",\n \"cscript.exe.log\",\n \"mshta.exe.log\",\n \"wmic.exe.log\",\n \"svchost.exe.log\",\n \"dllhost.exe.log\",\n \"cmstp.exe.log\",\n \"regsvr32.exe.log\")]\n", "references": ["http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": 
"https://attack.mitre.org/techniques/T1055/"}]}], "type": "eql", "version": 106}, "id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_107.json b/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_107.json
deleted file mode 100644
index 1c8573d417b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Managed Code Hosting Process", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.name : (\"wscript.exe.log\",\n \"cscript.exe.log\",\n \"mshta.exe.log\",\n \"wmic.exe.log\",\n \"svchost.exe.log\",\n \"dllhost.exe.log\",\n \"cmstp.exe.log\",\n \"regsvr32.exe.log\")\n", "references": ["http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_108.json b/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_108.json
deleted file mode 100644
index 30569369e64..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Managed Code Hosting Process", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.name : (\"wscript.exe.log\",\n \"cscript.exe.log\",\n \"mshta.exe.log\",\n \"wmic.exe.log\",\n \"svchost.exe.log\",\n \"dllhost.exe.log\",\n \"cmstp.exe.log\",\n \"regsvr32.exe.log\")\n", "references": ["http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_308.json b/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_308.json
deleted file mode 100644
index 28551b7d7f4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/acf738b5-b5b2-4acc-bad9-1e18ee234f40_308.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Managed Code Hosting Process", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.name : (\"wscript.exe.log\",\n \"cscript.exe.log\",\n \"mshta.exe.log\",\n \"wmic.exe.log\",\n \"svchost.exe.log\",\n \"dllhost.exe.log\",\n \"cmstp.exe.log\",\n \"regsvr32.exe.log\")\n", "references": ["http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 308}, "id": "acf738b5-b5b2-4acc-bad9-1e18ee234f40_308", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122.json b/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122.json
deleted file mode 100644
index 2f8af3105dc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the use of Windows Work Folders to execute a potentially masqueraded control.exe file in the current working directory. Misuse of Windows Work Folders could indicate malicious activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Signed Proxy Execution via MS Work Folders", "note": "## Triage and analysis\n\n### Investigating Signed Proxy Execution via MS Work Folders\n\nWork Folders is a role service for file servers running Windows Server that provides a consistent way for users to access their work files from their PCs and devices. This allows users to store work files and access them from anywhere. When called, Work Folders will automatically execute any Portable Executable (PE) named control.exe as an argument before accessing the synced share.\n\nUsing Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and increase privileges.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the location of the WorkFolders.exe binary to determine if it was copied to the location of the control.exe binary. 
It resides in the System32 directory by default.\n- Trace the activity related to the control.exe binary to identify any continuing intrusion activity on the host.\n- Review the control.exe binary executed with Work Folders to determine maliciousness such as additional host activity or network traffic.\n- Determine if control.exe was synced to sync share, indicating potential lateral movement.\n- Review how control.exe was originally delivered on the host, such as emailed, downloaded from the web, or written to\ndisk from a separate binary.\n\n### False positive analysis\n\n- Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the instance where a suspicious control.exe is passed as an argument.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Review the Work Folders synced share to determine if the control.exe was shared and if so remove it.\n- If no lateral movement was identified during investigation, take the affected host offline if possible and remove the control.exe binary as well as any additional artifacts identified during investigation.\n- Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using Work Folders.\n- Confirm with the user whether this was expected or not, and reset their password.\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\"\n and process.name : \"control.exe\" and process.parent.name : \"WorkFolders.exe\"\n and not process.executable : (\"?:\\\\Windows\\\\System32\\\\control.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\control.exe\")\n", "references": ["https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview", "https://twitter.com/ElliotKillick/status/1449812843772227588", 
"https://lolbas-project.github.io/lolbas/Binaries/WorkFolders/"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ad0d2742-9a49-11ec-8d6b-acde48001122", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "ad0d2742-9a49-11ec-8d6b-acde48001122", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_104.json b/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_104.json
deleted file mode 100644
index 7659b81cc5a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the use of Windows Work Folders to execute a potentially masqueraded control.exe file in the current working directory. Misuse of Windows Work Folders could indicate malicious activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Signed Proxy Execution via MS Work Folders", "note": "## Triage and analysis\n\n### Investigating Signed Proxy Execution via MS Work Folders\n\nWork Folders is a role service for file servers running Windows Server that provides a consistent way for users to access their work files from their PCs and devices. This allows users to store work files and access them from anywhere. When called, Work Folders will automatically execute any Portable Executable (PE) named control.exe as an argument before accessing the synced share.\n\nUsing Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and increase privileges.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the location of the WorkFolders.exe binary to determine if it was copied to the location of the control.exe binary. 
It resides in the System32 directory by default.\n- Trace the activity related to the control.exe binary to identify any continuing intrusion activity on the host.\n- Review the control.exe binary executed with Work Folders to determine maliciousness such as additional host activity or network traffic.\n- Determine if control.exe was synced to sync share, indicating potential lateral movement.\n- Review how control.exe was originally delivered on the host, such as emailed, downloaded from the web, or written to\ndisk from a separate binary.\n\n### False positive analysis\n\n- Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the instance where a suspicious control.exe is passed as an argument.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Review the Work Folders synced share to determine if the control.exe was shared and if so remove it.\n- If no lateral movement was identified during investigation, take the affected host offline if possible and remove the control.exe binary as well as any additional artifacts identified during investigation.\n- Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using Work Folders.\n- Confirm with the user whether this was expected or not, and reset their password.", "query": "process where host.os.type == \"windows\" and event.type == \"start\"\n and process.name : \"control.exe\" and process.parent.name : \"WorkFolders.exe\"\n and not process.executable : (\"?:\\\\Windows\\\\System32\\\\control.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\control.exe\")\n", "references": ["https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview", "https://twitter.com/ElliotKillick/status/1449812843772227588", 
"https://lolbas-project.github.io/lolbas/Binaries/WorkFolders/"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ad0d2742-9a49-11ec-8d6b-acde48001122", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "ad0d2742-9a49-11ec-8d6b-acde48001122_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_105.json b/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_105.json
deleted file mode 100644
index 79a385e19b2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the use of Windows Work Folders to execute a potentially masqueraded control.exe file in the current working directory. Misuse of Windows Work Folders could indicate malicious activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Signed Proxy Execution via MS Work Folders", "note": "## Triage and analysis\n\n### Investigating Signed Proxy Execution via MS Work Folders\n\nWork Folders is a role service for file servers running Windows Server that provides a consistent way for users to access their work files from their PCs and devices. This allows users to store work files and access them from anywhere. When called, Work Folders will automatically execute any Portable Executable (PE) named control.exe as an argument before accessing the synced share.\n\nUsing Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and increase privileges.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the location of the WorkFolders.exe binary to determine if it was copied to the location of the control.exe binary. 
It resides in the System32 directory by default.\n- Trace the activity related to the control.exe binary to identify any continuing intrusion activity on the host.\n- Review the control.exe binary executed with Work Folders to determine maliciousness such as additional host activity or network traffic.\n- Determine if control.exe was synced to sync share, indicating potential lateral movement.\n- Review how control.exe was originally delivered on the host, such as emailed, downloaded from the web, or written to\ndisk from a separate binary.\n\n### False positive analysis\n\n- Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the instance where a suspicious control.exe is passed as an argument.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Review the Work Folders synced share to determine if the control.exe was shared and if so remove it.\n- If no lateral movement was identified during investigation, take the affected host offline if possible and remove the control.exe binary as well as any additional artifacts identified during investigation.\n- Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using Work Folders.\n- Confirm with the user whether this was expected or not, and reset their password.", "query": "process where host.os.type == \"windows\" and event.type == \"start\"\n and process.name : \"control.exe\" and process.parent.name : \"WorkFolders.exe\"\n and not process.executable : (\"?:\\\\Windows\\\\System32\\\\control.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\control.exe\")\n", "references": ["https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview", "https://twitter.com/ElliotKillick/status/1449812843772227588", 
"https://lolbas-project.github.io/lolbas/Binaries/WorkFolders/"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ad0d2742-9a49-11ec-8d6b-acde48001122", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "ad0d2742-9a49-11ec-8d6b-acde48001122_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_106.json b/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_106.json
deleted file mode 100644
index 94296e22b4c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the use of Windows Work Folders to execute a potentially masqueraded control.exe file in the current working directory. Misuse of Windows Work Folders could indicate malicious activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Signed Proxy Execution via MS Work Folders", "note": "## Triage and analysis\n\n### Investigating Signed Proxy Execution via MS Work Folders\n\nWork Folders is a role service for file servers running Windows Server that provides a consistent way for users to access their work files from their PCs and devices. This allows users to store work files and access them from anywhere. When called, Work Folders will automatically execute any Portable Executable (PE) named control.exe as an argument before accessing the synced share.\n\nUsing Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and increase privileges.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the location of the WorkFolders.exe binary to determine if it was copied to the location of the control.exe binary. 
It resides in the System32 directory by default.\n- Trace the activity related to the control.exe binary to identify any continuing intrusion activity on the host.\n- Review the control.exe binary executed with Work Folders to determine maliciousness such as additional host activity or network traffic.\n- Determine if control.exe was synced to sync share, indicating potential lateral movement.\n- Review how control.exe was originally delivered on the host, such as emailed, downloaded from the web, or written to\ndisk from a separate binary.\n\n### False positive analysis\n\n- Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the instance where a suspicious control.exe is passed as an argument.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Review the Work Folders synced share to determine if the control.exe was shared and if so remove it.\n- If no lateral movement was identified during investigation, take the affected host offline if possible and remove the control.exe binary as well as any additional artifacts identified during investigation.\n- Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using Work Folders.\n- Confirm with the user whether this was expected or not, and reset their password.\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\"\n and process.name : \"control.exe\" and process.parent.name : \"WorkFolders.exe\"\n and not process.executable : (\"?:\\\\Windows\\\\System32\\\\control.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\control.exe\")\n", "references": ["https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview", "https://twitter.com/ElliotKillick/status/1449812843772227588", 
"https://lolbas-project.github.io/lolbas/Binaries/WorkFolders/"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ad0d2742-9a49-11ec-8d6b-acde48001122", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "ad0d2742-9a49-11ec-8d6b-acde48001122_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_107.json b/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_107.json
deleted file mode 100644
index 2c8fe24d634..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the use of Windows Work Folders to execute a potentially masqueraded control.exe file in the current working directory. Misuse of Windows Work Folders could indicate malicious activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Signed Proxy Execution via MS Work Folders", "note": "## Triage and analysis\n\n### Investigating Signed Proxy Execution via MS Work Folders\n\nWork Folders is a role service for file servers running Windows Server that provides a consistent way for users to access their work files from their PCs and devices. This allows users to store work files and access them from anywhere. When called, Work Folders will automatically execute any Portable Executable (PE) named control.exe as an argument before accessing the synced share.\n\nUsing Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and increase privileges.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the location of the WorkFolders.exe binary to determine if it was copied to the location of the control.exe binary. 
It resides in the System32 directory by default.\n- Trace the activity related to the control.exe binary to identify any continuing intrusion activity on the host.\n- Review the control.exe binary executed with Work Folders to determine maliciousness such as additional host activity or network traffic.\n- Determine if control.exe was synced to sync share, indicating potential lateral movement.\n- Review how control.exe was originally delivered on the host, such as emailed, downloaded from the web, or written to\ndisk from a separate binary.\n\n### False positive analysis\n\n- Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the instance where a suspicious control.exe is passed as an argument.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Review the Work Folders synced share to determine if the control.exe was shared and if so remove it.\n- If no lateral movement was identified during investigation, take the affected host offline if possible and remove the control.exe binary as well as any additional artifacts identified during investigation.\n- Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using Work Folders.\n- Confirm with the user whether this was expected or not, and reset their password.\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\"\n and process.name : \"control.exe\" and process.parent.name : \"WorkFolders.exe\"\n and not process.executable : (\"?:\\\\Windows\\\\System32\\\\control.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\control.exe\")\n", "references": ["https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview", "https://twitter.com/ElliotKillick/status/1449812843772227588", 
"https://lolbas-project.github.io/lolbas/Binaries/WorkFolders/"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ad0d2742-9a49-11ec-8d6b-acde48001122", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "ad0d2742-9a49-11ec-8d6b-acde48001122_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_108.json b/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_108.json
deleted file mode 100644
index 47f7461c4f5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the use of Windows Work Folders to execute a potentially masqueraded control.exe file in the current working directory. Misuse of Windows Work Folders could indicate malicious activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Signed Proxy Execution via MS Work Folders", "note": "## Triage and analysis\n\n### Investigating Signed Proxy Execution via MS Work Folders\n\nWork Folders is a role service for file servers running Windows Server that provides a consistent way for users to access their work files from their PCs and devices. This allows users to store work files and access them from anywhere. When called, Work Folders will automatically execute any Portable Executable (PE) named control.exe as an argument before accessing the synced share.\n\nUsing Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and increase privileges.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the location of the WorkFolders.exe binary to determine if it was copied to the location of the control.exe binary. 
It resides in the System32 directory by default.\n- Trace the activity related to the control.exe binary to identify any continuing intrusion activity on the host.\n- Review the control.exe binary executed with Work Folders to determine maliciousness such as additional host activity or network traffic.\n- Determine if control.exe was synced to sync share, indicating potential lateral movement.\n- Review how control.exe was originally delivered on the host, such as emailed, downloaded from the web, or written to\ndisk from a separate binary.\n\n### False positive analysis\n\n- Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the instance where a suspicious control.exe is passed as an argument.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Review the Work Folders synced share to determine if the control.exe was shared and if so remove it.\n- If no lateral movement was identified during investigation, take the affected host offline if possible and remove the control.exe binary as well as any additional artifacts identified during investigation.\n- Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using Work Folders.\n- Confirm with the user whether this was expected or not, and reset their password.\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\"\n and process.name : \"control.exe\" and process.parent.name : \"WorkFolders.exe\"\n and not process.executable : (\"?:\\\\Windows\\\\System32\\\\control.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\control.exe\")\n", "references": ["https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview", "https://twitter.com/ElliotKillick/status/1449812843772227588", 
"https://lolbas-project.github.io/lolbas/Binaries/WorkFolders/"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ad0d2742-9a49-11ec-8d6b-acde48001122", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "ad0d2742-9a49-11ec-8d6b-acde48001122_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_109.json b/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_109.json deleted file mode 100644 index ef875131274..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the use of Windows Work Folders to execute a potentially masqueraded control.exe file in the current working directory. Misuse of Windows Work Folders could indicate malicious activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Signed Proxy Execution via MS Work Folders", "note": "## Triage and analysis\n\n### Investigating Signed Proxy Execution via MS Work Folders\n\nWork Folders is a role service for file servers running Windows Server that provides a consistent way for users to access their work files from their PCs and devices. This allows users to store work files and access them from anywhere. When called, Work Folders will automatically execute any Portable Executable (PE) named control.exe as an argument before accessing the synced share.\n\nUsing Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and increase privileges.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the location of the WorkFolders.exe binary to determine if it was copied to the location of the control.exe binary. 
It resides in the System32 directory by default.\n- Trace the activity related to the control.exe binary to identify any continuing intrusion activity on the host.\n- Review the control.exe binary executed with Work Folders to determine maliciousness such as additional host activity or network traffic.\n- Determine if control.exe was synced to sync share, indicating potential lateral movement.\n- Review how control.exe was originally delivered on the host, such as emailed, downloaded from the web, or written to\ndisk from a separate binary.\n\n### False positive analysis\n\n- Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the instance where a suspicious control.exe is passed as an argument.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Review the Work Folders synced share to determine if the control.exe was shared and if so remove it.\n- If no lateral movement was identified during investigation, take the affected host offline if possible and remove the control.exe binary as well as any additional artifacts identified during investigation.\n- Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using Work Folders.\n- Confirm with the user whether this was expected or not, and reset their password.\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\"\n and process.name : \"control.exe\" and process.parent.name : \"WorkFolders.exe\"\n and not process.executable : (\"?:\\\\Windows\\\\System32\\\\control.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\control.exe\")\n", "references": ["https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview", "https://twitter.com/ElliotKillick/status/1449812843772227588", 
"https://lolbas-project.github.io/lolbas/Binaries/WorkFolders/"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ad0d2742-9a49-11ec-8d6b-acde48001122", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "ad0d2742-9a49-11ec-8d6b-acde48001122_109", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_309.json b/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_309.json
deleted file mode 100644
index 1d31177031e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ad0d2742-9a49-11ec-8d6b-acde48001122_309.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the use of Windows Work Folders to execute a potentially masqueraded control.exe file in the current working directory. Misuse of Windows Work Folders could indicate malicious activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Signed Proxy Execution via MS Work Folders", "note": "## Triage and analysis\n\n### Investigating Signed Proxy Execution via MS Work Folders\n\nWork Folders is a role service for file servers running Windows Server that provides a consistent way for users to access their work files from their PCs and devices. This allows users to store work files and access them from anywhere. When called, Work Folders will automatically execute any Portable Executable (PE) named control.exe as an argument before accessing the synced share.\n\nUsing Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and increase privileges.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the location of the WorkFolders.exe binary to determine if it was copied to the location of the control.exe binary. 
It resides in the System32 directory by default.\n- Trace the activity related to the control.exe binary to identify any continuing intrusion activity on the host.\n- Review the control.exe binary executed with Work Folders to determine maliciousness such as additional host activity or network traffic.\n- Determine if control.exe was synced to sync share, indicating potential lateral movement.\n- Review how control.exe was originally delivered on the host, such as emailed, downloaded from the web, or written to\ndisk from a separate binary.\n\n### False positive analysis\n\n- Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the instance where a suspicious control.exe is passed as an argument.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Review the Work Folders synced share to determine if the control.exe was shared and if so remove it.\n- If no lateral movement was identified during investigation, take the affected host offline if possible and remove the control.exe binary as well as any additional artifacts identified during investigation.\n- Review integrating Windows Information Protection (WIP) to enforce data protection by encrypting the data on PCs using Work Folders.\n- Confirm with the user whether this was expected or not, and reset their password.\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\"\n and process.name : \"control.exe\" and process.parent.name : \"WorkFolders.exe\"\n and not process.executable : (\"?:\\\\Windows\\\\System32\\\\control.exe\", \"?:\\\\Windows\\\\SysWOW64\\\\control.exe\")\n", "references": ["https://docs.microsoft.com/en-us/windows-server/storage/work-folders/work-folders-overview", "https://twitter.com/ElliotKillick/status/1449812843772227588", 
"https://lolbas-project.github.io/lolbas/Binaries/WorkFolders/"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ad0d2742-9a49-11ec-8d6b-acde48001122", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 309}, "id": "ad0d2742-9a49-11ec-8d6b-acde48001122_309", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be.json b/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be.json deleted file mode 100644 index 2f94276a547..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a custom admin role is created in Google Workspace. An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.", "false_positives": ["Custom Google Workspace admin roles may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Custom Admin Role Created", "note": "## Triage and analysis\n\n### Investigating Google Workspace Custom Admin Role Created\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred.\n\nRoles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Threat actors might create new admin roles with privileges to advance their intrusion efforts and laterally move throughout the organization if existing roles or users do not have privileges aligned with their modus operandi. Users with unexpected privileges from new admin roles may also cause operational dysfunction if unfamiliar settings are adjusted without warning. 
Instead of modifying existing roles, administrators might create new roles to accomplish short-term goals and unintentionally introduce additional risk exposure.\n\nThis rule identifies when a Google Workspace administrative role is added within the Google Workspace admin console.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- Identify the role added by reviewing the `google_workspace.admin.role.name` field in the alert.\n- After identifying the involved user, verify if they should have administrative privileges to add administrative roles.\n- To identify if users have been assigned this role, search for `event.action: ASSIGN_ROLE`.\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\n - Adjust the relative time accordingly to identify all users that were possibly assigned this admin role.\n- Monitor users assigned the admin role for the next 24 hours and look for attempts to use related privileges.\n - The `event.provider` field will help filter for specific services in Google Workspace such as Drive or Admin.\n - The `event.action` field will help trace what actions are being taken by users.\n\n### False positive analysis\n\n- After identifying the user account that created the role, verify whether the action was intentional.\n- Verify that the user who created the role should have administrative privileges in Google Workspace to create custom roles.\n- Review organizational units or groups the role may have been added to and ensure the new privileges align properly.\n- Create a filter with the user's `user.name` and filter for `event.action`. 
In the results, check if there are multiple `CREATE_ROLE` actions and note whether they are new or historical.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE\n", "references": ["https://support.google.com/a/answer/2406043?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "ad3f2807-2b3e-47d7-b282-f84acbbe14be", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "ad3f2807-2b3e-47d7-b282-f84acbbe14be", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_203.json b/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_203.json deleted file mode 100644 index fc6db301bd4..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_203.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a custom admin role is created in Google Workspace. An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.", "false_positives": ["Custom Google Workspace admin roles may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Custom Admin Role Created", "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE\n", "references": ["https://support.google.com/a/answer/2406043?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "ad3f2807-2b3e-47d7-b282-f84acbbe14be", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 203}, "id": "ad3f2807-2b3e-47d7-b282-f84acbbe14be_203", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_204.json b/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_204.json deleted file mode 100644 index bdd3e9ca1e6..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_204.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when a custom admin role is created in Google Workspace. An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.", "false_positives": ["Custom Google Workspace admin roles may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Custom Admin Role Created", "note": "## Triage and analysis\n\n### Investigating Google Workspace Custom Admin Role Created\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred.\n\nRoles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Threat actors might create new admin roles with privileges to advance their intrusion efforts and laterally move throughout the organization if existing roles or users do not have privileges aligned with their modus operandi. Users with unexpected privileges from new admin roles may also cause operational dysfunction if unfamiliar settings are adjusted without warning. 
Instead of modifying existing roles, administrators might create new roles to accomplish short-term goals and unintentionally introduce additional risk exposure.\n\nThis rule identifies when a Google Workspace administrative role is added within the Google Workspace admin console.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- Identify the role added by reviewing the `google_workspace.admin.role.name` field in the alert.\n- After identifying the involved user, verify if they should have administrative privileges to add administrative roles.\n- To identify if users have been assigned this role, search for `event.action: ASSIGN_ROLE`.\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\n - Adjust the relative time accordingly to identify all users that were possibly assigned this admin role.\n- Monitor users assigned the admin role for the next 24 hours and look for attempts to use related privileges.\n - The `event.provider` field will help filter for specific services in Google Workspace such as Drive or Admin.\n - The `event.action` field will help trace what actions are being taken by users.\n\n### False positive analysis\n\n- After identifying the user account that created the role, verify whether the action was intentional.\n- Verify that the user who created the role should have administrative privileges in Google Workspace to create custom roles.\n- Review organizational units or groups the role may have been added to and ensure the new privileges align properly.\n- Create a filter with the user's `user.name` and filter for `event.action`. 
In the results, check if there are multiple `CREATE_ROLE` actions and note whether they are new or historical.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE\n", "references": ["https://support.google.com/a/answer/2406043?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "ad3f2807-2b3e-47d7-b282-f84acbbe14be", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 204}, "id": "ad3f2807-2b3e-47d7-b282-f84acbbe14be_204", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_205.json b/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_205.json
deleted file mode 100644
index f2fe32d9f66..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ad3f2807-2b3e-47d7-b282-f84acbbe14be_205.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when a custom admin role is created in Google Workspace. An adversary may create a custom admin role in order to elevate the permissions of other user accounts and persist in their target\u2019s environment.", "false_positives": ["Custom Google Workspace admin roles may be created by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace Custom Admin Role Created", "note": "## Triage and analysis\n\n### Investigating Google Workspace Custom Admin Role Created\n\nGoogle Workspace roles allow administrators to assign specific permissions to users or groups where the principle of least privilege (PoLP) is recommended. Admin roles in Google Workspace grant users access to the Google Admin console, where more domain-wide settings are accessible. Google Workspace contains prebuilt administrator roles for performing business functions related to users, groups, and services. Custom administrator roles can be created where prebuilt roles are not preferred.\n\nRoles assigned to users will grant them additional permissions and privileges within the Google Workspace domain. Threat actors might create new admin roles with privileges to advance their intrusion efforts and laterally move throughout the organization if existing roles or users do not have privileges aligned with their modus operandi. Users with unexpected privileges from new admin roles may also cause operational dysfunction if unfamiliar settings are adjusted without warning. 
Instead of modifying existing roles, administrators might create new roles to accomplish short-term goals and unintentionally introduce additional risk exposure.\n\nThis rule identifies when a Google Workspace administrative role is added within the Google Workspace admin console.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- Identify the role added by reviewing the `google_workspace.admin.role.name` field in the alert.\n- After identifying the involved user, verify if they should have administrative privileges to add administrative roles.\n- To identify if users have been assigned this role, search for `event.action: ASSIGN_ROLE`.\n - Add `google_workspace.admin.role.name` with the role added as an additional filter.\n - Adjust the relative time accordingly to identify all users that were possibly assigned this admin role.\n- Monitor users assigned the admin role for the next 24 hours and look for attempts to use related privileges.\n - The `event.provider` field will help filter for specific services in Google Workspace such as Drive or Admin.\n - The `event.action` field will help trace what actions are being taken by users.\n\n### False positive analysis\n\n- After identifying the user account that created the role, verify whether the action was intentional.\n- Verify that the user who created the role should have administrative privileges in Google Workspace to create custom roles.\n- Review organizational units or groups the role may have been added to and ensure the new privileges align properly.\n- Create a filter with the user's `user.name` and filter for `event.action`. 
In the results, check if there are multiple `CREATE_ROLE` actions and note whether they are new or historical.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:CREATE_ROLE\n", "references": ["https://support.google.com/a/answer/2406043?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "ad3f2807-2b3e-47d7-b282-f84acbbe14be", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "ad3f2807-2b3e-47d7-b282-f84acbbe14be_205", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ad5a3757-c872-4719-8c72-12d3f08db655_1.json b/packages/security_detection_engine/kibana/security_rule/ad5a3757-c872-4719-8c72-12d3f08db655_1.json
deleted file mode 100644
index bea1b0dc76b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ad5a3757-c872-4719-8c72-12d3f08db655_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies when the openssl client or server is used to establish a connection. Attackers may use openssl to establish a secure connection to a remote server or to create a secure server to receive connections. This activity may be used to exfiltrate data or establish a command and control channel.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Openssl Client or Server Activity", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.name == \"openssl\" and (\n (process.args == \"s_client\" and process.args : (\"-connect\", \"*:*\") and not process.args == \"-showcerts\") or\n (process.args == \"s_server\" and process.args == \"-port\")\n)\n", "references": ["https://gtfobins.github.io/gtfobins/openssl/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "ad5a3757-c872-4719-8c72-12d3f08db655", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "ad5a3757-c872-4719-8c72-12d3f08db655_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a.json b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a.json
deleted file mode 100644
index 450318fe295..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the presence of a portable executable (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts to inject them into memory, avoiding defences by not writing to disk.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Portable Executable Encoded in Powershell Script", "note": "## Triage and analysis\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = 
authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n TVqQAAMAAAAEAAAA\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": 
"Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 110}, "id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_105.json b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_105.json
deleted file mode 100644
index e47a223629f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the presence of a portable executable (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts to inject them into memory, avoiding defences by not writing to disk.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Portable Executable Encoded in Powershell Script", "note": "## Triage and analysis\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n TVqQAAMAAAAEAAAA\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "PowerShell"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": 
"https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_106.json b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_106.json deleted file mode 100644 index bbc207f4c52..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the presence of a portable executable (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts to inject them into memory, avoiding defences by not writing to disk.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Portable Executable Encoded in Powershell Script", "note": "## Triage and analysis\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = 
authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n TVqQAAMAAAAEAAAA\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "PowerShell"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": 
"https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_107.json b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_107.json deleted file mode 100644 index c8c96aba4dc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the presence of a portable executable (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts to inject them into memory, avoiding defences by not writing to disk.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Portable Executable Encoded in Powershell Script", "note": "## Triage and analysis\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = 
authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n TVqQAAMAAAAEAAAA\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", 
"reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_108.json b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_108.json deleted file mode 100644 index d61742ea8e8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the presence of a portable executable (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts to inject them into memory, avoiding defences by not writing to disk.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Portable Executable Encoded in Powershell Script", "note": "## Triage and analysis\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = 
authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n TVqQAAMAAAAEAAAA\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and 
Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_109.json b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_109.json deleted file mode 100644 index ad26cf8f765..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_109.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the presence of a portable executable (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts to inject them into memory, avoiding defences by not writing to disk.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Portable Executable Encoded in Powershell Script", "note": "## Triage and analysis\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = 
authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n TVqQAAMAAAAEAAAA\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a", "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": 
"Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 109}, "id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_110.json b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_110.json
deleted file mode 100644
index 1b16db7daf8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the presence of a portable executable (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts to inject them into memory, avoiding defences by not writing to disk.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Portable Executable Encoded in Powershell Script", "note": "## Triage and analysis\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = 
authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n TVqQAAMAAAAEAAAA\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": 
"Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 110}, "id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_111.json b/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_111.json
deleted file mode 100644
index 1708d597259..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ad84d445-b1ce-4377-82d9-7c633f28bf9a_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the presence of a portable executable (PE) in a PowerShell script by looking for its encoded header. Attackers embed PEs into PowerShell scripts to inject them into memory, avoiding defences by not writing to disk.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Portable Executable Encoded in Powershell Script", "note": "## Triage and analysis\n\n### Investigating Suspicious Portable Executable Encoded in Powershell Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell in-memory capabilities to inject executables into memory without touching the disk, bypassing file-based security protections. These executables are generally base64 encoded.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = 
authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious .NET Reflection via PowerShell - e26f042e-c590-4e82-8e05-41e81bd822ad\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n TVqQAAMAAAAEAAAA\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": 
"Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 111}, "id": "ad84d445-b1ce-4377-82d9-7c633f28bf9a_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe.json b/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe.json
deleted file mode 100644
index d999286af3c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets. Adversaries may attempt to dump credential material in the form of tickets that can be leveraged for lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kerberos Cached Credentials Dumping", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:kcc and\n process.args:copy_cred_cache\n", "references": ["https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py", "https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "ad88231f-e2ab-491c-8fc6-64746da26cfe", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "ad88231f-e2ab-491c-8fc6-64746da26cfe", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_102.json b/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_102.json
deleted file mode 100644
index 930f6b16cc2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets. Adversaries may attempt to dump credential material in the form of tickets that can be leveraged for lateral movement.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kerberos Cached Credentials Dumping", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:kcc and\n process.args:copy_cred_cache\n", "references": ["https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py", "https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "ad88231f-e2ab-491c-8fc6-64746da26cfe", "severity": "high", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": 
"ad88231f-e2ab-491c-8fc6-64746da26cfe_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_103.json b/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_103.json deleted file mode 100644 index 473dc5be83f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets. Adversaries may attempt to dump credential material in the form of tickets that can be leveraged for lateral movement.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kerberos Cached Credentials Dumping", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:kcc and\n process.args:copy_cred_cache\n", "references": ["https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py", "https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "ad88231f-e2ab-491c-8fc6-64746da26cfe", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", 
"version": 103}, "id": "ad88231f-e2ab-491c-8fc6-64746da26cfe_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_104.json b/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_104.json deleted file mode 100644 index e8b84572b92..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets. Adversaries may attempt to dump credential material in the form of tickets that can be leveraged for lateral movement.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kerberos Cached Credentials Dumping", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:kcc and\n process.args:copy_cred_cache\n", "references": ["https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py", "https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "ad88231f-e2ab-491c-8fc6-64746da26cfe", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/"}]}]}], "timestamp_override": 
"event.ingested", "type": "query", "version": 104}, "id": "ad88231f-e2ab-491c-8fc6-64746da26cfe_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_105.json b/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_105.json deleted file mode 100644 index f58118cdd65..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ad88231f-e2ab-491c-8fc6-64746da26cfe_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets. Adversaries may attempt to dump credential material in the form of tickets that can be leveraged for lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kerberos Cached Credentials Dumping", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:kcc and\n process.args:copy_cred_cache\n", "references": ["https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py", "https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "ad88231f-e2ab-491c-8fc6-64746da26cfe", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "ad88231f-e2ab-491c-8fc6-64746da26cfe_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad959eeb-2b7b-4722-ba08-a45f6622f005.json b/packages/security_detection_engine/kibana/security_rule/ad959eeb-2b7b-4722-ba08-a45f6622f005.json deleted file mode 100644 index 45b9a1d0835..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ad959eeb-2b7b-4722-ba08-a45f6622f005.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects suspicious process events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious APT Package Manager Execution", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.parent.name == \"apt\" and process.args == \"-c\" and process.name in (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"\n )\n ] by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", \"php*\",\n \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\"\n )\n ] by process.parent.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, 
{"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ad959eeb-2b7b-4722-ba08-a45f6622f005", "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.016", "name": "Installer Packages", "reference": "https://attack.mitre.org/techniques/T1546/016/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "type": 
"eql", "version": 3}, "id": "ad959eeb-2b7b-4722-ba08-a45f6622f005", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ad959eeb-2b7b-4722-ba08-a45f6622f005_1.json b/packages/security_detection_engine/kibana/security_rule/ad959eeb-2b7b-4722-ba08-a45f6622f005_1.json deleted file mode 100644 index 7952b6b1e27..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ad959eeb-2b7b-4722-ba08-a45f6622f005_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects suspicious process events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious APT Package Manager Execution", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and\n process.parent.name == \"apt\" and process.args == \"-c\" and process.name in (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"\n )\n ] by process.entity_id\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and process.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", \"php*\",\n \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\"\n )\n ] by process.parent.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, 
{"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ad959eeb-2b7b-4722-ba08-a45f6622f005", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "type": "eql", "version": 1}, "id": "ad959eeb-2b7b-4722-ba08-a45f6622f005_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ad959eeb-2b7b-4722-ba08-a45f6622f005_2.json b/packages/security_detection_engine/kibana/security_rule/ad959eeb-2b7b-4722-ba08-a45f6622f005_2.json
deleted file mode 100644
index af2c3151a08..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ad959eeb-2b7b-4722-ba08-a45f6622f005_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects suspicious process events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious APT Package Manager Execution", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.parent.name == \"apt\" and process.args == \"-c\" and process.name in (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"\n )\n ] by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", \"php*\",\n \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\"\n )\n ] by process.parent.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, 
{"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ad959eeb-2b7b-4722-ba08-a45f6622f005", "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "type": "eql", "version": 2}, "id": "ad959eeb-2b7b-4722-ba08-a45f6622f005_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ad959eeb-2b7b-4722-ba08-a45f6622f005_3.json b/packages/security_detection_engine/kibana/security_rule/ad959eeb-2b7b-4722-ba08-a45f6622f005_3.json
deleted file mode 100644
index 30655994dd5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ad959eeb-2b7b-4722-ba08-a45f6622f005_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects suspicious process events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious APT Package Manager Execution", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.parent.name == \"apt\" and process.args == \"-c\" and process.name in (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"\n )\n ] by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", \"php*\",\n \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\"\n )\n ] by process.parent.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, 
{"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ad959eeb-2b7b-4722-ba08-a45f6622f005", "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.016", "name": "Installer Packages", "reference": "https://attack.mitre.org/techniques/T1546/016/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "type": 
"eql", "version": 3}, "id": "ad959eeb-2b7b-4722-ba08-a45f6622f005_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f.json b/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f.json
deleted file mode 100644
index 21ae3a0f54c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration.", "false_positives": ["Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "File Transfer or Listener Established via Netcat", "note": "## Triage and analysis\n\n### Investigating Netcat Network Activity\n\nNetcat is a dual-use command line tool that can be used for various purposes, such as port scanning, file transfers, and connection tests. Attackers can abuse its functionality for malicious purposes such creating bind shells or reverse shells to gain access to the target system.\n\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. 
Even private systems are vulnerable since the connection is outgoing.\n\nA bind shell is a type of backdoor that attackers set up on the target host and binds to a specific port to listen for an incoming connection from the attacker.\n\nThis rule identifies potential reverse shell or bind shell activity using Netcat by checking for the execution of Netcat followed by a network connection.\n\n#### Possible investigation steps\n\n- Examine the command line to identify if the command is suspicious.\n- Extract and examine the target domain or IP address.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- Netcat is a dual-use tool that can be used for benign or malicious activity. It is included in some Linux distributions, so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and\n process.name:(\"nc\",\"ncat\",\"netcat\",\"netcat.openbsd\",\"netcat.traditional\") and (\n /* bind shell to echo for command execution */\n (process.args:(\"-l\",\"-p\") and process.args:(\"-c\",\"echo\",\"$*\"))\n /* bind shell to specific port */\n or process.args:(\"-l\",\"-p\",\"-lp\")\n /* reverse shell to command-line interpreter used for command execution */\n or (process.args:(\"-e\") and process.args:(\"/bin/bash\",\"/bin/sh\"))\n /* file transfer via stdout */\n or process.args:(\">\",\"<\")\n /* file transfer via pipe */\n or (process.args:(\"|\") and process.args:(\"nc\",\"ncat\"))\n )]\n [network where host.os.type == \"linux\" and (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n", "references": ["http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf", "https://en.wikipedia.org/wiki/Netcat", "https://www.hackers-arise.com/hacking-fundamentals", "https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-netcat-swiss-army-knife-hacking-tools-0148657/", 
"https://levelup.gitconnected.com/ethical-hacking-part-15-netcat-nc-and-netcat-f6a8f7df43fd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "type": "eql", "version": 110}, "id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_105.json b/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_105.json
deleted file mode 100644
index e1d13c0e638..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration.", "false_positives": ["Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "File Transfer or Listener Established via Netcat", "note": "## Triage and analysis\n\n### Investigating Netcat Network Activity\n\nNetcat is a dual-use command line tool that can be used for various purposes, such as port scanning, file transfers, and connection tests. Attackers can abuse its functionality for malicious purposes such creating bind shells or reverse shells to gain access to the target system.\n\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. 
Even private systems are vulnerable since the connection is outgoing.\n\nA bind shell is a type of backdoor that attackers set up on the target host and binds to a specific port to listen for an incoming connection from the attacker.\n\nThis rule identifies potential reverse shell or bind shell activity using Netcat by checking for the execution of Netcat followed by a network connection.\n\n#### Possible investigation steps\n\n- Examine the command line to identify if the command is suspicious.\n- Extract and examine the target domain or IP address.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- Netcat is a dual-use tool that can be used for benign or malicious activity. It is included in some Linux distributions, so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and\n process.name:(\"nc\",\"ncat\",\"netcat\",\"netcat.openbsd\",\"netcat.traditional\") and (\n /* bind shell to echo for command execution */\n (process.args:(\"-l\",\"-p\") and process.args:(\"-c\",\"echo\",\"$*\"))\n /* bind shell to specific port */\n or process.args:(\"-l\",\"-p\",\"-lp\")\n /* reverse shell to command-line interpreter used for command execution */\n or (process.args:(\"-e\") and process.args:(\"/bin/bash\",\"/bin/sh\"))\n /* file transfer via stdout */\n or process.args:(\">\",\"<\")\n /* file transfer via pipe */\n or (process.args:(\"|\") and process.args:(\"nc\",\"ncat\"))\n )]\n [network where host.os.type == \"linux\" and (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n", "references": ["http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf", "https://en.wikipedia.org/wiki/Netcat", "https://www.hackers-arise.com/hacking-fundamentals", "https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-netcat-swiss-army-knife-hacking-tools-0148657/", 
"https://levelup.gitconnected.com/ethical-hacking-part-15-netcat-nc-and-netcat-f6a8f7df43fd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "type": "eql", "version": 105}, "id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_106.json b/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_106.json
deleted file mode 100644
index 47723cd3e62..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration.", "false_positives": ["Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "File Transfer or Listener Established via Netcat", "note": "## Triage and analysis\n\n### Investigating Netcat Network Activity\n\nNetcat is a dual-use command line tool that can be used for various purposes, such as port scanning, file transfers, and connection tests. Attackers can abuse its functionality for malicious purposes such creating bind shells or reverse shells to gain access to the target system.\n\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. 
Even private systems are vulnerable since the connection is outgoing.\n\nA bind shell is a type of backdoor that attackers set up on the target host and binds to a specific port to listen for an incoming connection from the attacker.\n\nThis rule identifies potential reverse shell or bind shell activity using Netcat by checking for the execution of Netcat followed by a network connection.\n\n#### Possible investigation steps\n\n- Examine the command line to identify if the command is suspicious.\n- Extract and examine the target domain or IP address.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- Netcat is a dual-use tool that can be used for benign or malicious activity. It is included in some Linux distributions, so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and\n process.name:(\"nc\",\"ncat\",\"netcat\",\"netcat.openbsd\",\"netcat.traditional\") and (\n /* bind shell to echo for command execution */\n (process.args:(\"-l\",\"-p\") and process.args:(\"-c\",\"echo\",\"$*\"))\n /* bind shell to specific port */\n or process.args:(\"-l\",\"-p\",\"-lp\")\n /* reverse shell to command-line interpreter used for command execution */\n or (process.args:(\"-e\") and process.args:(\"/bin/bash\",\"/bin/sh\"))\n /* file transfer via stdout */\n or process.args:(\">\",\"<\")\n /* file transfer via pipe */\n or (process.args:(\"|\") and process.args:(\"nc\",\"ncat\"))\n )]\n [network where host.os.type == \"linux\" and (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n", "references": ["http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf", "https://en.wikipedia.org/wiki/Netcat", "https://www.hackers-arise.com/hacking-fundamentals", "https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-netcat-swiss-army-knife-hacking-tools-0148657/", 
"https://levelup.gitconnected.com/ethical-hacking-part-15-netcat-nc-and-netcat-f6a8f7df43fd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "type": "eql", "version": 106}, "id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_107.json b/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_107.json
deleted file mode 100644
index b7080997bef..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration.", "false_positives": ["Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "File Transfer or Listener Established via Netcat", "note": "## Triage and analysis\n\n### Investigating Netcat Network Activity\n\nNetcat is a dual-use command line tool that can be used for various purposes, such as port scanning, file transfers, and connection tests. Attackers can abuse its functionality for malicious purposes such creating bind shells or reverse shells to gain access to the target system.\n\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. 
Even private systems are vulnerable since the connection is outgoing.\n\nA bind shell is a type of backdoor that attackers set up on the target host and binds to a specific port to listen for an incoming connection from the attacker.\n\nThis rule identifies potential reverse shell or bind shell activity using Netcat by checking for the execution of Netcat followed by a network connection.\n\n#### Possible investigation steps\n\n- Examine the command line to identify if the command is suspicious.\n- Extract and examine the target domain or IP address.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- Netcat is a dual-use tool that can be used for benign or malicious activity. It is included in some Linux distributions, so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and\n process.name:(\"nc\",\"ncat\",\"netcat\",\"netcat.openbsd\",\"netcat.traditional\") and (\n /* bind shell to echo for command execution */\n (process.args:(\"-l\",\"-p\") and process.args:(\"-c\",\"echo\",\"$*\"))\n /* bind shell to specific port */\n or process.args:(\"-l\",\"-p\",\"-lp\")\n /* reverse shell to command-line interpreter used for command execution */\n or (process.args:(\"-e\") and process.args:(\"/bin/bash\",\"/bin/sh\"))\n /* file transfer via stdout */\n or process.args:(\">\",\"<\")\n /* file transfer via pipe */\n or (process.args:(\"|\") and process.args:(\"nc\",\"ncat\"))\n )]\n [network where host.os.type == \"linux\" and (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n", "references": ["http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf", "https://en.wikipedia.org/wiki/Netcat", "https://www.hackers-arise.com/hacking-fundamentals", "https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-netcat-swiss-army-knife-hacking-tools-0148657/", 
"https://levelup.gitconnected.com/ethical-hacking-part-15-netcat-nc-and-netcat-f6a8f7df43fd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "type": "eql", "version": 107}, "id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_108.json b/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_108.json deleted file mode 100644 index a11d41386af..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration.", "false_positives": ["Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "File Transfer or Listener Established via Netcat", "note": "## Triage and analysis\n\n### Investigating Netcat Network Activity\n\nNetcat is a dual-use command line tool that can be used for various purposes, such as port scanning, file transfers, and connection tests. Attackers can abuse its functionality for malicious purposes such creating bind shells or reverse shells to gain access to the target system.\n\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. 
Even private systems are vulnerable since the connection is outgoing.\n\nA bind shell is a type of backdoor that attackers set up on the target host and binds to a specific port to listen for an incoming connection from the attacker.\n\nThis rule identifies potential reverse shell or bind shell activity using Netcat by checking for the execution of Netcat followed by a network connection.\n\n#### Possible investigation steps\n\n- Examine the command line to identify if the command is suspicious.\n- Extract and examine the target domain or IP address.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- Netcat is a dual-use tool that can be used for benign or malicious activity. It is included in some Linux distributions, so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and\n process.name:(\"nc\",\"ncat\",\"netcat\",\"netcat.openbsd\",\"netcat.traditional\") and (\n /* bind shell to echo for command execution */\n (process.args:(\"-l\",\"-p\") and process.args:(\"-c\",\"echo\",\"$*\"))\n /* bind shell to specific port */\n or process.args:(\"-l\",\"-p\",\"-lp\")\n /* reverse shell to command-line interpreter used for command execution */\n or (process.args:(\"-e\") and process.args:(\"/bin/bash\",\"/bin/sh\"))\n /* file transfer via stdout */\n or process.args:(\">\",\"<\")\n /* file transfer via pipe */\n or (process.args:(\"|\") and process.args:(\"nc\",\"ncat\"))\n )]\n [network where host.os.type == \"linux\" and (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n", "references": ["http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf", "https://en.wikipedia.org/wiki/Netcat", "https://www.hackers-arise.com/hacking-fundamentals", "https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-netcat-swiss-army-knife-hacking-tools-0148657/", 
"https://levelup.gitconnected.com/ethical-hacking-part-15-netcat-nc-and-netcat-f6a8f7df43fd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f", "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "type": "eql", "version": 108}, "id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_109.json b/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_109.json deleted file mode 100644 index 500af66b445..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/adb961e0-cb74-42a0-af9e-29fc41f88f5f_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A netcat process is engaging in network activity on a Linux host. Netcat is often used as a persistence mechanism by exporting a reverse shell or by serving a shell on a listening port. Netcat is also sometimes used for data exfiltration.", "false_positives": ["Netcat is a dual-use tool that can be used for benign or malicious activity. Netcat is included in some Linux distributions so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "File Transfer or Listener Established via Netcat", "note": "## Triage and analysis\n\n### Investigating Netcat Network Activity\n\nNetcat is a dual-use command line tool that can be used for various purposes, such as port scanning, file transfers, and connection tests. Attackers can abuse its functionality for malicious purposes such creating bind shells or reverse shells to gain access to the target system.\n\nA reverse shell is a mechanism that's abused to connect back to an attacker-controlled system. It effectively redirects the system's input and output and delivers a fully functional remote shell to the attacker. 
Even private systems are vulnerable since the connection is outgoing.\n\nA bind shell is a type of backdoor that attackers set up on the target host and binds to a specific port to listen for an incoming connection from the attacker.\n\nThis rule identifies potential reverse shell or bind shell activity using Netcat by checking for the execution of Netcat followed by a network connection.\n\n#### Possible investigation steps\n\n- Examine the command line to identify if the command is suspicious.\n- Extract and examine the target domain or IP address.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - Scope other potentially compromised hosts in your environment by mapping hosts that also communicated with the domain or IP address.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- Netcat is a dual-use tool that can be used for benign or malicious activity. It is included in some Linux distributions, so its presence is not necessarily suspicious. Some normal use of this program, while uncommon, may originate from scripts, automation tools, and frameworks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and\n process.name:(\"nc\",\"ncat\",\"netcat\",\"netcat.openbsd\",\"netcat.traditional\") and (\n /* bind shell to echo for command execution */\n (process.args:(\"-l\",\"-p\") and process.args:(\"-c\",\"echo\",\"$*\"))\n /* bind shell to specific port */\n or process.args:(\"-l\",\"-p\",\"-lp\")\n /* reverse shell to command-line interpreter used for command execution */\n or (process.args:(\"-e\") and process.args:(\"/bin/bash\",\"/bin/sh\"))\n /* file transfer via stdout */\n or process.args:(\">\",\"<\")\n /* file transfer via pipe */\n or (process.args:(\"|\") and process.args:(\"nc\",\"ncat\"))\n )]\n [network where host.os.type == \"linux\" and (process.name == \"nc\" or process.name == \"ncat\" or process.name == \"netcat\" or\n process.name == \"netcat.openbsd\" or process.name == \"netcat.traditional\")]\n", "references": ["http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf", "https://en.wikipedia.org/wiki/Netcat", "https://www.hackers-arise.com/hacking-fundamentals", "https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-netcat-swiss-army-knife-hacking-tools-0148657/", 
"https://levelup.gitconnected.com/ethical-hacking-part-15-netcat-nc-and-netcat-f6a8f7df43fd"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "type": "eql", "version": 109}, "id": "adb961e0-cb74-42a0-af9e-29fc41f88f5f_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880.json b/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880.json deleted file mode 100644 index b3e0abf7851..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies suspicious child processes of communications apps, which can indicate a potential masquerading as the communication app or the exploitation of a vulnerability on the application causing it to execute code.", "from": "now-9m", "index": ["logs-endpoint.events.process-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Communication App Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n /* Slack */\n (process.parent.name : \"slack.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Island\\\\Island\\\\Application\\\\Island.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Zoom\\\\bin*\\\\Zoom.exe\",\n \"?:\\\\Windows\\\\System32\\\\rundll32.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Windows\\\\System32\\\\notepad.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\opera.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Slack Technologies, Inc.\",\n \"Slack Technologies, LLC\"\n ) and process.code_signature.trusted == true\n ) or\n (\n (process.name : \"powershell.exe\" and process.command_line : \"powershell.exe -c Invoke-WebRequest -Uri https://slackb.com/*\") or\n (process.name : \"cmd.exe\" and process.command_line : \"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /d /s /c \\\"%windir%\\\\System32\\\\rundll32.exe User32.dll,SetFocus 0\\\"\")\n )\n )\n ) or\n\n /* WebEx */\n (process.parent.name : (\"CiscoCollabHost.exe\", \"WebexHost.exe\") and not\n (\n 
(\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\opera.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Cisco Systems, Inc.\",\n \"Cisco WebEx LLC\",\n \"Cisco Systems Inc.\"\n ) and process.code_signature.trusted == true\n )\n )\n ) or\n\n /* Teams */\n (process.parent.name : \"Teams.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\BrowserCore\\\\BrowserCore.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Microsoft Corporation\",\n \"Microsoft 3rd Party Application Component\"\n ) and process.code_signature.trusted == true\n ) or\n (\n (process.name : \"taskkill.exe\" and process.args : \"Teams.exe\")\n )\n )\n ) or\n\n /* Discord */\n (process.parent.name : \"Discord.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Windows\\\\System32\\\\reg.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\reg.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n 
\"Discord Inc.\"\n ) and process.code_signature.trusted == true\n ) or\n (\n process.name : \"cmd.exe\" and \n (\n process.command_line : (\n \"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /d /s /c \\\"chcp\\\"\",\n \"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /q /d /s /c \\\"C:\\\\Program^ Files\\\\NVIDIA^ Corporation\\\\NVSMI\\\\nvidia-smi.exe\\\"\"\n ) or\n process.args : (\n \"C:\\\\WINDOWS/System32/nvidia-smi.exe\",\n \"C:\\\\WINDOWS\\\\System32\\\\nvidia-smi.exe\",\n \"C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository/*/nvidia-smi.exe*\"\n )\n )\n )\n )\n ) or\n\n /* WhatsApp */\n (process.parent.name : \"Whatsapp.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\reg.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\reg.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"WhatsApp LLC\",\n \"WhatsApp, Inc\",\n \"24803D75-212C-471A-BC57-9EF86AB91435\"\n ) and process.code_signature.trusted == true\n ) or\n (\n (process.name : \"cmd.exe\" and process.command_line : \"C:\\\\Windows\\\\system32\\\\cmd.exe /d /s /c \\\"C:\\\\Windows\\\\system32\\\\wbem\\\\wmic.exe*\")\n )\n )\n ) or\n\n /* Zoom */\n (process.parent.name : \"Zoom.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Island\\\\Island\\\\Application\\\\Island.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Zoom Video Communications, Inc.\"\n ) and process.code_signature.trusted == true\n )\n )\n ) or\n\n /* Outlook */\n 
(process.parent.name : \"outlook.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\system32\\\\wermgr.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\NewOutlookInstall\\\\NewOutlookInstaller.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Island\\\\Island\\\\Application\\\\Island.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Zoom\\\\bin\\\\Zoom.exe\",\n \"?:\\\\Windows\\\\System32\\\\IME\\\\SHARED\\\\IMEWDBLD.EXE\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\prevhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\dwwin.exe\",\n \"?:\\\\Windows\\\\System32\\\\mspaint.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mspaint.exe\",\n \"?:\\\\Windows\\\\System32\\\\notepad.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\notepad.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\splwow64.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.name : \"rundll32.exe\" and\n process.args : \"*hpmsn???.dll,MonitorPrintJobStatus*\"\n )\n )\n ) or\n\n /* Thunderbird */\n (process.parent.name : \"thunderbird.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\splwow64.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Mozilla Corporation\"\n ) and process.code_signature.trusted == true\n )\n )\n )\n )\n", 
"related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "adbfa3ee-777e-4747-b6b0-7bd645f30880", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}, {"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}, {"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Host Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "adbfa3ee-777e-4747-b6b0-7bd645f30880", "type": "security-rule"} \ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_1.json b/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_1.json
deleted file mode 100644
index 434b339668a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies suspicious child processes of communications apps, which can indicate a potential masquerading as the communication app or the exploitation of a vulnerability on the application causing it to execute code.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Communication App Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n /* Slack */\n (process.parent.name : \"slack.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Zoom\\\\bin\\\\Zoom.exe\",\n \"?:\\\\Windows\\\\System32\\\\rundll32.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Windows\\\\System32\\\\notepad.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Slack Technologies, Inc.\",\n \"Slack Technologies, LLC\"\n ) and process.code_signature.trusted == true\n ) or\n (\n (process.name : \"powershell.exe\" and process.command_line : \"powershell.exe -c Invoke-WebRequest -Uri https://slackb.com/*\") or\n (process.name : \"cmd.exe\" and process.command_line : \"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /d /s /c \\\"%windir%\\\\System32\\\\rundll32.exe User32.dll,SetFocus 0\\\"\")\n )\n )\n ) or\n\n /* WebEx */\n (process.parent.name : (\"CiscoCollabHost.exe\", \"WebexHost.exe\") and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n 
process.code_signature.subject_name : (\n \"Cisco Systems, Inc.\",\n \"Cisco WebEx LLC\",\n \"Cisco Systems Inc.\"\n ) and process.code_signature.trusted == true\n )\n )\n ) or\n\n /* Teams */\n (process.parent.name : \"Teams.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Microsoft Corporation\",\n \"Microsoft 3rd Party Application Component\"\n ) and process.code_signature.trusted == true\n ) or\n (\n (process.name : \"taskkill.exe\" and process.args : \"Teams.exe\")\n )\n )\n ) or\n\n /* Discord */\n (process.parent.name : \"Discord.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\reg.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\reg.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Discord Inc.\"\n ) and process.code_signature.trusted == true\n ) or\n (\n process.name : \"cmd.exe\" and process.command_line : (\n \"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /d /s /c \\\"chcp\\\"\",\n \"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /q /d /s /c \\\"C:\\\\Program^ Files\\\\NVIDIA^ Corporation\\\\NVSMI\\\\nvidia-smi.exe\\\"\"\n )\n )\n )\n ) or\n\n /* WhatsApp */\n (process.parent.name : \"Whatsapp.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\reg.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\reg.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"WhatsApp LLC\",\n \"WhatsApp, Inc\",\n \"24803D75-212C-471A-BC57-9EF86AB91435\"\n ) and 
process.code_signature.trusted == true\n ) or\n (\n (process.name : \"cmd.exe\" and process.command_line : \"C:\\\\Windows\\\\system32\\\\cmd.exe /d /s /c \\\"C:\\\\Windows\\\\system32\\\\wbem\\\\wmic.exe*\")\n )\n )\n ) or\n\n /* Zoom */\n (process.parent.name : \"Zoom.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Zoom Video Communications, Inc.\"\n ) and process.code_signature.trusted == true\n )\n )\n ) or\n\n /* Outlook */\n (process.parent.name : \"outlook.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\NewOutlookInstall\\\\NewOutlookInstaller.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Zoom\\\\bin\\\\Zoom.exe\",\n \"?:\\\\Windows\\\\System32\\\\IME\\\\SHARED\\\\IMEWDBLD.EXE\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\prevhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\dwwin.exe\",\n \"?:\\\\Windows\\\\System32\\\\notepad.exe\",\n \"?:\\\\Windows\\\\explorer.exe\"\n ) and process.code_signature.trusted == true \n )\n )\n ) or\n\n /* Thunderbird */\n (process.parent.name : \"thunderbird.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n 
process.code_signature.subject_name : (\n \"Mozilla Corporation\"\n ) and process.code_signature.trusted == true\n )\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "adbfa3ee-777e-4747-b6b0-7bd645f30880", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}, {"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "adbfa3ee-777e-4747-b6b0-7bd645f30880_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_2.json b/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_2.json
deleted file mode 100644
index 638ec632a43..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies suspicious child processes of communications apps, which can indicate a potential masquerading as the communication app or the exploitation of a vulnerability on the application causing it to execute code.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Communication App Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n /* Slack */\n (process.parent.name : \"slack.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Zoom\\\\bin\\\\Zoom.exe\",\n \"?:\\\\Windows\\\\System32\\\\rundll32.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Windows\\\\System32\\\\notepad.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Slack Technologies, Inc.\",\n \"Slack Technologies, LLC\"\n ) and process.code_signature.trusted == true\n ) or\n (\n (process.name : \"powershell.exe\" and process.command_line : \"powershell.exe -c Invoke-WebRequest -Uri https://slackb.com/*\") or\n (process.name : \"cmd.exe\" and process.command_line : \"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /d /s /c \\\"%windir%\\\\System32\\\\rundll32.exe User32.dll,SetFocus 0\\\"\")\n )\n )\n ) or\n\n /* WebEx */\n (process.parent.name : (\"CiscoCollabHost.exe\", \"WebexHost.exe\") and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n 
process.code_signature.subject_name : (\n \"Cisco Systems, Inc.\",\n \"Cisco WebEx LLC\",\n \"Cisco Systems Inc.\"\n ) and process.code_signature.trusted == true\n )\n )\n ) or\n\n /* Teams */\n (process.parent.name : \"Teams.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Microsoft Corporation\",\n \"Microsoft 3rd Party Application Component\"\n ) and process.code_signature.trusted == true\n ) or\n (\n (process.name : \"taskkill.exe\" and process.args : \"Teams.exe\")\n )\n )\n ) or\n\n /* Discord */\n (process.parent.name : \"Discord.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\reg.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\reg.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Discord Inc.\"\n ) and process.code_signature.trusted == true\n ) or\n (\n process.name : \"cmd.exe\" and process.command_line : (\n \"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /d /s /c \\\"chcp\\\"\",\n \"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /q /d /s /c \\\"C:\\\\Program^ Files\\\\NVIDIA^ Corporation\\\\NVSMI\\\\nvidia-smi.exe\\\"\"\n )\n )\n )\n ) or\n\n /* WhatsApp */\n (process.parent.name : \"Whatsapp.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\reg.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\reg.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"WhatsApp LLC\",\n \"WhatsApp, Inc\",\n \"24803D75-212C-471A-BC57-9EF86AB91435\"\n ) and 
process.code_signature.trusted == true\n ) or\n (\n (process.name : \"cmd.exe\" and process.command_line : \"C:\\\\Windows\\\\system32\\\\cmd.exe /d /s /c \\\"C:\\\\Windows\\\\system32\\\\wbem\\\\wmic.exe*\")\n )\n )\n ) or\n\n /* Zoom */\n (process.parent.name : \"Zoom.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Zoom Video Communications, Inc.\"\n ) and process.code_signature.trusted == true\n )\n )\n ) or\n\n /* Outlook */\n (process.parent.name : \"outlook.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\NewOutlookInstall\\\\NewOutlookInstaller.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Zoom\\\\bin\\\\Zoom.exe\",\n \"?:\\\\Windows\\\\System32\\\\IME\\\\SHARED\\\\IMEWDBLD.EXE\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\prevhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\dwwin.exe\",\n \"?:\\\\Windows\\\\System32\\\\notepad.exe\",\n \"?:\\\\Windows\\\\explorer.exe\"\n ) and process.code_signature.trusted == true \n )\n )\n ) or\n\n /* Thunderbird */\n (process.parent.name : \"thunderbird.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n 
process.code_signature.subject_name : (\n \"Mozilla Corporation\"\n ) and process.code_signature.trusted == true\n )\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "adbfa3ee-777e-4747-b6b0-7bd645f30880", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}, {"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}, {"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "adbfa3ee-777e-4747-b6b0-7bd645f30880_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_3.json b/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_3.json
deleted file mode 100644
index 4893681dd2e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies suspicious child processes of communications apps, which can indicate a potential masquerading as the communication app or the exploitation of a vulnerability on the application causing it to execute code.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Communication App Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n /* Slack */\n (process.parent.name : \"slack.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Island\\\\Island\\\\Application\\\\Island.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Zoom\\\\bin*\\\\Zoom.exe\",\n \"?:\\\\Windows\\\\System32\\\\rundll32.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Windows\\\\System32\\\\notepad.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Slack Technologies, Inc.\",\n \"Slack Technologies, LLC\"\n ) and process.code_signature.trusted == true\n ) or\n (\n (process.name : \"powershell.exe\" and process.command_line : \"powershell.exe -c Invoke-WebRequest -Uri https://slackb.com/*\") or\n (process.name : \"cmd.exe\" and process.command_line : \"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /d /s /c \\\"%windir%\\\\System32\\\\rundll32.exe User32.dll,SetFocus 0\\\"\")\n )\n )\n ) or\n\n /* WebEx */\n (process.parent.name : (\"CiscoCollabHost.exe\", \"WebexHost.exe\") and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files 
(x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Cisco Systems, Inc.\",\n \"Cisco WebEx LLC\",\n \"Cisco Systems Inc.\"\n ) and process.code_signature.trusted == true\n )\n )\n ) or\n\n /* Teams */\n (process.parent.name : \"Teams.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\BrowserCore\\\\BrowserCore.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Microsoft Corporation\",\n \"Microsoft 3rd Party Application Component\"\n ) and process.code_signature.trusted == true\n ) or\n (\n (process.name : \"taskkill.exe\" and process.args : \"Teams.exe\")\n )\n )\n ) or\n\n /* Discord */\n (process.parent.name : \"Discord.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Windows\\\\System32\\\\reg.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\reg.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Discord Inc.\"\n ) and process.code_signature.trusted == true\n ) or\n (\n process.name : \"cmd.exe\" and \n (\n process.command_line : (\n \"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /d /s /c \\\"chcp\\\"\",\n \"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /q /d /s /c \\\"C:\\\\Program^ Files\\\\NVIDIA^ 
Corporation\\\\NVSMI\\\\nvidia-smi.exe\\\"\"\n ) or\n process.args : (\n \"C:\\\\WINDOWS/System32/nvidia-smi.exe\",\n \"C:\\\\WINDOWS\\\\System32\\\\nvidia-smi.exe\"\n )\n )\n )\n )\n ) or\n\n /* WhatsApp */\n (process.parent.name : \"Whatsapp.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\reg.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\reg.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"WhatsApp LLC\",\n \"WhatsApp, Inc\",\n \"24803D75-212C-471A-BC57-9EF86AB91435\"\n ) and process.code_signature.trusted == true\n ) or\n (\n (process.name : \"cmd.exe\" and process.command_line : \"C:\\\\Windows\\\\system32\\\\cmd.exe /d /s /c \\\"C:\\\\Windows\\\\system32\\\\wbem\\\\wmic.exe*\")\n )\n )\n ) or\n\n /* Zoom */\n (process.parent.name : \"Zoom.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Island\\\\Island\\\\Application\\\\Island.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Zoom Video Communications, Inc.\"\n ) and process.code_signature.trusted == true\n )\n )\n ) or\n\n /* Outlook */\n (process.parent.name : \"outlook.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\system32\\\\wermgr.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\",\n 
\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\NewOutlookInstall\\\\NewOutlookInstaller.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Island\\\\Island\\\\Application\\\\Island.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Zoom\\\\bin\\\\Zoom.exe\",\n \"?:\\\\Windows\\\\System32\\\\IME\\\\SHARED\\\\IMEWDBLD.EXE\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\prevhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\dwwin.exe\",\n \"?:\\\\Windows\\\\System32\\\\mspaint.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mspaint.exe\",\n \"?:\\\\Windows\\\\System32\\\\notepad.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\notepad.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\splwow64.exe\"\n ) and process.code_signature.trusted == true \n )\n )\n ) or\n\n /* Thunderbird */\n (process.parent.name : \"thunderbird.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\splwow64.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Mozilla Corporation\"\n ) and process.code_signature.trusted == true\n )\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, 
"name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "adbfa3ee-777e-4747-b6b0-7bd645f30880", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}, {"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}, {"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "adbfa3ee-777e-4747-b6b0-7bd645f30880_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_4.json b/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_4.json deleted file mode 100644 index ef854174b1a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/adbfa3ee-777e-4747-b6b0-7bd645f30880_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies suspicious child processes of communications apps, which can indicate a potential masquerading as the communication app or the exploitation of a vulnerability on the application causing it to execute code.", "from": "now-9m", "index": ["logs-endpoint.events.process-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Communication App Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n /* Slack */\n (process.parent.name : \"slack.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Island\\\\Island\\\\Application\\\\Island.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Zoom\\\\bin*\\\\Zoom.exe\",\n \"?:\\\\Windows\\\\System32\\\\rundll32.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Windows\\\\System32\\\\notepad.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\opera.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Slack Technologies, Inc.\",\n \"Slack Technologies, LLC\"\n ) and process.code_signature.trusted == true\n ) or\n (\n (process.name : \"powershell.exe\" and process.command_line : \"powershell.exe -c Invoke-WebRequest -Uri https://slackb.com/*\") or\n (process.name : \"cmd.exe\" and process.command_line : \"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /d /s /c \\\"%windir%\\\\System32\\\\rundll32.exe User32.dll,SetFocus 0\\\"\")\n )\n )\n ) or\n\n /* WebEx */\n (process.parent.name : (\"CiscoCollabHost.exe\", \"WebexHost.exe\") and not\n (\n 
(\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\opera.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Cisco Systems, Inc.\",\n \"Cisco WebEx LLC\",\n \"Cisco Systems Inc.\"\n ) and process.code_signature.trusted == true\n )\n )\n ) or\n\n /* Teams */\n (process.parent.name : \"Teams.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\BrowserCore\\\\BrowserCore.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Microsoft Corporation\",\n \"Microsoft 3rd Party Application Component\"\n ) and process.code_signature.trusted == true\n ) or\n (\n (process.name : \"taskkill.exe\" and process.args : \"Teams.exe\")\n )\n )\n ) or\n\n /* Discord */\n (process.parent.name : \"Discord.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Windows\\\\System32\\\\reg.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\reg.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n 
\"Discord Inc.\"\n ) and process.code_signature.trusted == true\n ) or\n (\n process.name : \"cmd.exe\" and \n (\n process.command_line : (\n \"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /d /s /c \\\"chcp\\\"\",\n \"C:\\\\WINDOWS\\\\system32\\\\cmd.exe /q /d /s /c \\\"C:\\\\Program^ Files\\\\NVIDIA^ Corporation\\\\NVSMI\\\\nvidia-smi.exe\\\"\"\n ) or\n process.args : (\n \"C:\\\\WINDOWS/System32/nvidia-smi.exe\",\n \"C:\\\\WINDOWS\\\\System32\\\\nvidia-smi.exe\",\n \"C:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository/*/nvidia-smi.exe*\"\n )\n )\n )\n )\n ) or\n\n /* WhatsApp */\n (process.parent.name : \"Whatsapp.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\reg.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\reg.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"WhatsApp LLC\",\n \"WhatsApp, Inc\",\n \"24803D75-212C-471A-BC57-9EF86AB91435\"\n ) and process.code_signature.trusted == true\n ) or\n (\n (process.name : \"cmd.exe\" and process.command_line : \"C:\\\\Windows\\\\system32\\\\cmd.exe /d /s /c \\\"C:\\\\Windows\\\\system32\\\\wbem\\\\wmic.exe*\")\n )\n )\n ) or\n\n /* Zoom */\n (process.parent.name : \"Zoom.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Island\\\\Island\\\\Application\\\\Island.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Zoom Video Communications, Inc.\"\n ) and process.code_signature.trusted == true\n )\n )\n ) or\n\n /* Outlook */\n 
(process.parent.name : \"outlook.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\system32\\\\wermgr.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Teams\\\\current\\\\Teams.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\NewOutlookInstall\\\\NewOutlookInstaller.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Island\\\\Island\\\\Application\\\\Island.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Mozilla Firefox\\\\firefox.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Zoom\\\\bin\\\\Zoom.exe\",\n \"?:\\\\Windows\\\\System32\\\\IME\\\\SHARED\\\\IMEWDBLD.EXE\",\n \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\prevhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\dwwin.exe\",\n \"?:\\\\Windows\\\\System32\\\\mspaint.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\mspaint.exe\",\n \"?:\\\\Windows\\\\System32\\\\notepad.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\notepad.exe\",\n \"?:\\\\Windows\\\\System32\\\\smartscreen.exe\",\n \"?:\\\\Windows\\\\explorer.exe\",\n \"?:\\\\Windows\\\\splwow64.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.name : \"rundll32.exe\" and\n process.args : \"*hpmsn???.dll,MonitorPrintJobStatus*\"\n )\n )\n ) or\n\n /* Thunderbird */\n (process.parent.name : \"thunderbird.exe\" and not\n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\splwow64.exe\"\n ) and process.code_signature.trusted == true \n ) or\n (\n process.code_signature.subject_name : (\n \"Mozilla Corporation\"\n ) and process.code_signature.trusted == true\n )\n )\n )\n )\n", 
"related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "adbfa3ee-777e-4747-b6b0-7bd645f30880", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}, {"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}, {"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "adbfa3ee-777e-4747-b6b0-7bd645f30880_4", "type": "security-rule"} \ 
No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ae343298-97bc-47bc-9ea2-5f2ad831c16e.json b/packages/security_detection_engine/kibana/security_rule/ae343298-97bc-47bc-9ea2-5f2ad831c16e.json
deleted file mode 100644
index 30763934471..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ae343298-97bc-47bc-9ea2-5f2ad831c16e.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for a file creation event originating from a kworker parent process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Creation via Kworker", "note": "## Triage and analysis\n\n### Investigating Suspicious File Creation via Kworker\n\nKworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks.\n\nAttackers may attempt to evade detection by masquerading as a kernel worker process.\n\nThis rule monitors for suspicious file creation events through the kworker process. This is not common, and could indicate malicious behaviour.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path = {{file.path}}\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator that performed 
these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious Kworker UID Elevation - 7dfaaa17-425c-4fe7-bd36-83705fde7c2b\n- Network Activity Detected via Kworker - 25d917c4-aa3c-4111-974c-286c0312ff95\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.action in (\"creation\", \"file_create_event\") and\n process.name : \"kworker*\" and not (\n (process.name : \"kworker*kcryptd*\") or\n (file.path : (\n \"/var/log/*\", \"/var/crash/*\", \"/var/run/*\", \"/var/lib/systemd/coredump/*\", \"/var/spool/*\",\n \"/var/lib/nfs/nfsdcltrack/main.sqlite-journal\", \"/proc/*/cwd/core.*\", \"/var/run/apport.lock\",\n \"/var/spool/abrt/ccpp-*\"\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ae343298-97bc-47bc-9ea2-5f2ad831c16e", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "ae343298-97bc-47bc-9ea2-5f2ad831c16e", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ae343298-97bc-47bc-9ea2-5f2ad831c16e_1.json b/packages/security_detection_engine/kibana/security_rule/ae343298-97bc-47bc-9ea2-5f2ad831c16e_1.json deleted file mode 100644 index 38da2290805..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ae343298-97bc-47bc-9ea2-5f2ad831c16e_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for a file creation event originating from a kworker parent process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Creation via Kworker", "query": "file where event.action == \"creation\" and process.name : \"kworker*\" and not (\n process.name : \"kworker*kcryptd*\" or file.path : (\"/var/log/*\", \"/var/crash/*\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ae343298-97bc-47bc-9ea2-5f2ad831c16e", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "ae343298-97bc-47bc-9ea2-5f2ad831c16e_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ae343298-97bc-47bc-9ea2-5f2ad831c16e_2.json b/packages/security_detection_engine/kibana/security_rule/ae343298-97bc-47bc-9ea2-5f2ad831c16e_2.json deleted file mode 100644 index 79d6dc73042..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ae343298-97bc-47bc-9ea2-5f2ad831c16e_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for a file creation event originating from a kworker parent process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Creation via Kworker", "note": "## Triage and analysis\n\n### Investigating Suspicious File Creation via Kworker\n\nKworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks.\n\nAttackers may attempt to evade detection by masquerading as a kernel worker process.\n\nThis rule monitors for suspicious file creation events through the kworker process. This is not common, and could indicate malicious behaviour.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE path = {{file.path}}\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator that performed 
these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious Kworker UID Elevation - 7dfaaa17-425c-4fe7-bd36-83705fde7c2b\n- Network Activity Detected via Kworker - 25d917c4-aa3c-4111-974c-286c0312ff95\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where event.action == \"creation\" and process.name : \"kworker*\" and not (\n process.name : \"kworker*kcryptd*\" or file.path : (\"/var/log/*\", \"/var/crash/*\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ae343298-97bc-47bc-9ea2-5f2ad831c16e", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "ae343298-97bc-47bc-9ea2-5f2ad831c16e_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ae343298-97bc-47bc-9ea2-5f2ad831c16e_3.json b/packages/security_detection_engine/kibana/security_rule/ae343298-97bc-47bc-9ea2-5f2ad831c16e_3.json
deleted file mode 100644
index 3f5cbe6fd0a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ae343298-97bc-47bc-9ea2-5f2ad831c16e_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for a file creation event originating from a kworker parent process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Creation via Kworker", "note": "## Triage and analysis\n\n### Investigating Suspicious File Creation via Kworker\n\nKworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks.\n\nAttackers may attempt to evade detection by masquerading as a kernel worker process.\n\nThis rule monitors for suspicious file creation events through the kworker process. This is not common, and could indicate malicious behaviour.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE path = {{file.path}}\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator that performed 
these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious Kworker UID Elevation - 7dfaaa17-425c-4fe7-bd36-83705fde7c2b\n- Network Activity Detected via Kworker - 25d917c4-aa3c-4111-974c-286c0312ff95\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where event.action in (\"creation\", \"file_create_event\") and process.name : \"kworker*\" and not (\n (process.name : \"kworker*kcryptd*\") or \n (file.path : (\"/var/log/*\", \"/var/crash/*\", \"/var/run/*\", \"/var/lib/systemd/coredump/*\", \"/var/spool/*\"))\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ae343298-97bc-47bc-9ea2-5f2ad831c16e", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "ae343298-97bc-47bc-9ea2-5f2ad831c16e_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ae343298-97bc-47bc-9ea2-5f2ad831c16e_4.json b/packages/security_detection_engine/kibana/security_rule/ae343298-97bc-47bc-9ea2-5f2ad831c16e_4.json
deleted file mode 100644
index 415576580c0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ae343298-97bc-47bc-9ea2-5f2ad831c16e_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for a file creation event originating from a kworker parent process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious File Creation via Kworker", "note": "## Triage and analysis\n\n### Investigating Suspicious File Creation via Kworker\n\nKworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks.\n\nAttackers may attempt to evade detection by masquerading as a kernel worker process.\n\nThis rule monitors for suspicious file creation events through the kworker process. This is not common, and could indicate malicious behaviour.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was created or modified through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path = {{file.path}}\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. 
\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator that performed 
these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious Kworker UID Elevation - 7dfaaa17-425c-4fe7-bd36-83705fde7c2b\n- Network Activity Detected via Kworker - 25d917c4-aa3c-4111-974c-286c0312ff95\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.action in (\"creation\", \"file_create_event\") and\n process.name : \"kworker*\" and not (\n (process.name : \"kworker*kcryptd*\") or\n (file.path : (\"/var/log/*\", \"/var/crash/*\", \"/var/run/*\", \"/var/lib/systemd/coredump/*\", \"/var/spool/*\"))\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ae343298-97bc-47bc-9ea2-5f2ad831c16e", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "ae343298-97bc-47bc-9ea2-5f2ad831c16e_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa.json b/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa.json
deleted file mode 100644
index aed62037597..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution via Microsoft Office Add-Ins", "query": "process where \n \n host.os.type == \"windows\" and event.type == \"start\" and \n \n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSACCESS.EXE\", \"VSTOInstaller.exe\") and \n \n process.args regex~ \"\"\".+\\.(wll|xll|ppa|ppam|xla|xlam|vsto)\"\"\" and \n \n /* Office Add-In from suspicious paths */\n (process.args :\n (\"?:\\\\Users\\\\*\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\Rar$*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\BNZ.*\",\n \"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\*\",\n \"?:\\\\Users\\\\Public\\\\*\",\n \"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Windows\\\\Temp\\\\*\",\n \"\\\\Device\\\\*\",\n \"http*\") or\n\t \n process.parent.name : (\"explorer.exe\", \"OpenWith.exe\") or \n \n /* Office Add-In from suspicious parent */\n process.parent.name : (\"cmd.exe\", \"powershell.exe\")) and\n\t \n /* False Positives */\n not (process.args : \"*.vsto\" and\n process.parent.executable :\n (\"?:\\\\Program Files\\\\Logitech\\\\LogiOptions\\\\PlugInInstallerUtility*.exe\",\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptions\\\\Plugins\\\\VSTO\\\\*\\\\VSTOInstaller.exe\",\n \"?:\\\\Program Files\\\\Logitech\\\\LogiOptions\\\\PlugInInstallerUtility.exe\",\n \"?:\\\\Program Files\\\\LogiOptionsPlus\\\\PlugInInstallerUtility*.exe\",\n 
\"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptionsPlus\\\\Plugins\\\\VSTO\\\\*\\\\VSTOInstaller.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\VSTO\\\\*\\\\VSTOInstaller.exe\")) and\n not (process.args : \"/Uninstall\" and process.name : \"VSTOInstaller.exe\") and\n not (process.parent.name : \"rundll32.exe\" and\n process.parent.args : \"?:\\\\WINDOWS\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\") and\n not (process.name : \"VSTOInstaller.exe\" and process.args : \"https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto\")\n", "references": ["https://github.com/Octoberfest7/XLL_Phishing", "https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ae8a142c-6a1d-4918-bea7-0b617e99ecfa", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, 
{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1137", "name": "Office Application Startup", "reference": "https://attack.mitre.org/techniques/T1137/", "subtechnique": [{"id": "T1137.006", "name": "Add-ins", "reference": "https://attack.mitre.org/techniques/T1137/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "ae8a142c-6a1d-4918-bea7-0b617e99ecfa", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_1.json b/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_1.json deleted file mode 100644 index 6a0a4f13c2f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution via Microsoft Office Add-Ins", "query": "process where \n \n host.os.type == \"windows\" and event.type == \"start\" and \n \n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSACCESS.EXE\", \"VSTOInstaller.exe\") and \n \n process.args regex~ \"\"\".+\\.(wll|xll|ppa|ppam|xla|xlam|vsto)\"\"\" and \n \n /* Office Add-In from suspicious paths */\n (process.args :\n (\"?:\\\\Users\\\\*\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\Rar$*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\BNZ.*\",\n \"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\*\",\n \"?:\\\\Users\\\\Public\\\\*\",\n \"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Windows\\\\Temp\\\\*\",\n \"\\\\Device\\\\*\",\n \"http*\") or\n\t \n process.parent.name : (\"explorer.exe\", \"OpenWith.exe\") or \n \n /* Office Add-In from suspicious parent */\n process.parent.name : (\"cmd.exe\", \"powershell.exe\")) and\n\t \n /* False Positives */\n not (process.args : \"*.vsto\" and\n process.parent.executable :\n (\"?:\\\\Program Files\\\\Logitech\\\\LogiOptions\\\\PlugInInstallerUtility*.exe\",\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptions\\\\Plugins\\\\VSTO\\\\*\\\\VSTOInstaller.exe\",\n \"?:\\\\Program Files\\\\Logitech\\\\LogiOptions\\\\PlugInInstallerUtility.exe\",\n \"?:\\\\Program Files\\\\LogiOptionsPlus\\\\PlugInInstallerUtility*.exe\",\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptionsPlus\\\\Plugins\\\\VSTO\\\\*\\\\VSTOInstaller.exe\",\n 
\"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\VSTO\\\\*\\\\VSTOInstaller.exe\")) and\n not (process.args : \"/Uninstall\" and process.name : \"VSTOInstaller.exe\") and\n not (process.parent.name : \"rundll32.exe\" and\n process.parent.args : \"?:\\\\WINDOWS\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\") and\n not (process.name : \"VSTOInstaller.exe\" and process.args : \"https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto\")\n", "references": ["https://github.com/Octoberfest7/XLL_Phishing", "https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ae8a142c-6a1d-4918-bea7-0b617e99ecfa", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Persistence", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1137", "name": "Office Application Startup", 
"reference": "https://attack.mitre.org/techniques/T1137/", "subtechnique": [{"id": "T1137.006", "name": "Add-ins", "reference": "https://attack.mitre.org/techniques/T1137/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "ae8a142c-6a1d-4918-bea7-0b617e99ecfa_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_2.json b/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_2.json deleted file mode 100644 index f0604ae935c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution via Microsoft Office Add-Ins", "query": "process where \n \n host.os.type == \"windows\" and event.type == \"start\" and \n \n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSACCESS.EXE\", \"VSTOInstaller.exe\") and \n \n process.args regex~ \"\"\".+\\.(wll|xll|ppa|ppam|xla|xlam|vsto)\"\"\" and \n \n /* Office Add-In from suspicious paths */\n (process.args :\n (\"?:\\\\Users\\\\*\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\Rar$*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\BNZ.*\",\n \"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\*\",\n \"?:\\\\Users\\\\Public\\\\*\",\n \"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Windows\\\\Temp\\\\*\",\n \"\\\\Device\\\\*\",\n \"http*\") or\n\t \n process.parent.name : (\"explorer.exe\", \"OpenWith.exe\") or \n \n /* Office Add-In from suspicious parent */\n process.parent.name : (\"cmd.exe\", \"powershell.exe\")) and\n\t \n /* False Positives */\n not (process.args : \"*.vsto\" and\n process.parent.executable :\n (\"?:\\\\Program Files\\\\Logitech\\\\LogiOptions\\\\PlugInInstallerUtility*.exe\",\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptions\\\\Plugins\\\\VSTO\\\\*\\\\VSTOInstaller.exe\",\n \"?:\\\\Program Files\\\\Logitech\\\\LogiOptions\\\\PlugInInstallerUtility.exe\",\n \"?:\\\\Program Files\\\\LogiOptionsPlus\\\\PlugInInstallerUtility*.exe\",\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptionsPlus\\\\Plugins\\\\VSTO\\\\*\\\\VSTOInstaller.exe\",\n 
\"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\VSTO\\\\*\\\\VSTOInstaller.exe\")) and\n not (process.args : \"/Uninstall\" and process.name : \"VSTOInstaller.exe\") and\n not (process.parent.name : \"rundll32.exe\" and\n process.parent.args : \"?:\\\\WINDOWS\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\") and\n not (process.name : \"VSTOInstaller.exe\" and process.args : \"https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto\")\n", "references": ["https://github.com/Octoberfest7/XLL_Phishing", "https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ae8a142c-6a1d-4918-bea7-0b617e99ecfa", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": 
"T1137", "name": "Office Application Startup", "reference": "https://attack.mitre.org/techniques/T1137/", "subtechnique": [{"id": "T1137.006", "name": "Add-ins", "reference": "https://attack.mitre.org/techniques/T1137/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "ae8a142c-6a1d-4918-bea7-0b617e99ecfa_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_3.json b/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_3.json deleted file mode 100644 index 70f83ff281a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution via Microsoft Office Add-Ins", "query": "process where \n \n host.os.type == \"windows\" and event.type == \"start\" and \n \n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSACCESS.EXE\", \"VSTOInstaller.exe\") and \n \n process.args regex~ \"\"\".+\\.(wll|xll|ppa|ppam|xla|xlam|vsto)\"\"\" and \n \n /* Office Add-In from suspicious paths */\n (process.args :\n (\"?:\\\\Users\\\\*\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\Rar$*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\BNZ.*\",\n \"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\*\",\n \"?:\\\\Users\\\\Public\\\\*\",\n \"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Windows\\\\Temp\\\\*\",\n \"\\\\Device\\\\*\",\n \"http*\") or\n\t \n process.parent.name : (\"explorer.exe\", \"OpenWith.exe\") or \n \n /* Office Add-In from suspicious parent */\n process.parent.name : (\"cmd.exe\", \"powershell.exe\")) and\n\t \n /* False Positives */\n not (process.args : \"*.vsto\" and\n process.parent.executable :\n (\"?:\\\\Program Files\\\\Logitech\\\\LogiOptions\\\\PlugInInstallerUtility*.exe\",\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptions\\\\Plugins\\\\VSTO\\\\*\\\\VSTOInstaller.exe\",\n \"?:\\\\Program Files\\\\Logitech\\\\LogiOptions\\\\PlugInInstallerUtility.exe\",\n \"?:\\\\Program Files\\\\LogiOptionsPlus\\\\PlugInInstallerUtility*.exe\",\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptionsPlus\\\\Plugins\\\\VSTO\\\\*\\\\VSTOInstaller.exe\",\n 
\"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\VSTO\\\\*\\\\VSTOInstaller.exe\")) and\n not (process.args : \"/Uninstall\" and process.name : \"VSTOInstaller.exe\") and\n not (process.parent.name : \"rundll32.exe\" and\n process.parent.args : \"?:\\\\WINDOWS\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\") and\n not (process.name : \"VSTOInstaller.exe\" and process.args : \"https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto\")\n", "references": ["https://github.com/Octoberfest7/XLL_Phishing", "https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ae8a142c-6a1d-4918-bea7-0b617e99ecfa", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1137", "name": "Office Application Startup", "reference": "https://attack.mitre.org/techniques/T1137/", "subtechnique": [{"id": "T1137.006", "name": "Add-ins", "reference": "https://attack.mitre.org/techniques/T1137/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "ae8a142c-6a1d-4918-bea7-0b617e99ecfa_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_4.json b/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_4.json deleted file mode 100644 index b39c27fc4dd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution via Microsoft Office Add-Ins", "query": "process where \n \n host.os.type == \"windows\" and event.type == \"start\" and \n \n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSACCESS.EXE\", \"VSTOInstaller.exe\") and \n \n process.args regex~ \"\"\".+\\.(wll|xll|ppa|ppam|xla|xlam|vsto)\"\"\" and \n \n /* Office Add-In from suspicious paths */\n (process.args :\n (\"?:\\\\Users\\\\*\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\Rar$*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\BNZ.*\",\n \"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\*\",\n \"?:\\\\Users\\\\Public\\\\*\",\n \"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Windows\\\\Temp\\\\*\",\n \"\\\\Device\\\\*\",\n \"http*\") or\n\t \n process.parent.name : (\"explorer.exe\", \"OpenWith.exe\") or \n \n /* Office Add-In from suspicious parent */\n process.parent.name : (\"cmd.exe\", \"powershell.exe\")) and\n\t \n /* False Positives */\n not (process.args : \"*.vsto\" and\n process.parent.executable :\n (\"?:\\\\Program Files\\\\Logitech\\\\LogiOptions\\\\PlugInInstallerUtility*.exe\",\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptions\\\\Plugins\\\\VSTO\\\\*\\\\VSTOInstaller.exe\",\n \"?:\\\\Program Files\\\\Logitech\\\\LogiOptions\\\\PlugInInstallerUtility.exe\",\n \"?:\\\\Program Files\\\\LogiOptionsPlus\\\\PlugInInstallerUtility*.exe\",\n 
\"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptionsPlus\\\\Plugins\\\\VSTO\\\\*\\\\VSTOInstaller.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\VSTO\\\\*\\\\VSTOInstaller.exe\")) and\n not (process.args : \"/Uninstall\" and process.name : \"VSTOInstaller.exe\") and\n not (process.parent.name : \"rundll32.exe\" and\n process.parent.args : \"?:\\\\WINDOWS\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\") and\n not (process.name : \"VSTOInstaller.exe\" and process.args : \"https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto\")\n", "references": ["https://github.com/Octoberfest7/XLL_Phishing", "https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ae8a142c-6a1d-4918-bea7-0b617e99ecfa", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, 
{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1137", "name": "Office Application Startup", "reference": "https://attack.mitre.org/techniques/T1137/", "subtechnique": [{"id": "T1137.006", "name": "Add-ins", "reference": "https://attack.mitre.org/techniques/T1137/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "ae8a142c-6a1d-4918-bea7-0b617e99ecfa_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_5.json b/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_5.json deleted file mode 100644 index a89b6f7c619..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ae8a142c-6a1d-4918-bea7-0b617e99ecfa_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution via Microsoft Office Add-Ins", "query": "process where \n \n host.os.type == \"windows\" and event.type == \"start\" and \n \n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSACCESS.EXE\", \"VSTOInstaller.exe\") and \n \n process.args regex~ \"\"\".+\\.(wll|xll|ppa|ppam|xla|xlam|vsto)\"\"\" and \n \n /* Office Add-In from suspicious paths */\n (process.args :\n (\"?:\\\\Users\\\\*\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\Rar$*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\Temp\\\\BNZ.*\",\n \"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\*\",\n \"?:\\\\Users\\\\Public\\\\*\",\n \"?:\\\\ProgramData\\\\*\",\n \"?:\\\\Windows\\\\Temp\\\\*\",\n \"\\\\Device\\\\*\",\n \"http*\") or\n\t \n process.parent.name : (\"explorer.exe\", \"OpenWith.exe\") or \n \n /* Office Add-In from suspicious parent */\n process.parent.name : (\"cmd.exe\", \"powershell.exe\")) and\n\t \n /* False Positives */\n not (process.args : \"*.vsto\" and\n process.parent.executable :\n (\"?:\\\\Program Files\\\\Logitech\\\\LogiOptions\\\\PlugInInstallerUtility*.exe\",\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptions\\\\Plugins\\\\VSTO\\\\*\\\\VSTOInstaller.exe\",\n \"?:\\\\Program Files\\\\Logitech\\\\LogiOptions\\\\PlugInInstallerUtility.exe\",\n \"?:\\\\Program Files\\\\LogiOptionsPlus\\\\PlugInInstallerUtility*.exe\",\n 
\"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptionsPlus\\\\Plugins\\\\VSTO\\\\*\\\\VSTOInstaller.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\microsoft shared\\\\VSTO\\\\*\\\\VSTOInstaller.exe\")) and\n not (process.args : \"/Uninstall\" and process.name : \"VSTOInstaller.exe\") and\n not (process.parent.name : \"rundll32.exe\" and\n process.parent.args : \"?:\\\\WINDOWS\\\\Installer\\\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc\") and\n not (process.name : \"VSTOInstaller.exe\" and process.args : \"https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto\")\n", "references": ["https://github.com/Octoberfest7/XLL_Phishing", "https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ae8a142c-6a1d-4918-bea7-0b617e99ecfa", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, 
{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1137", "name": "Office Application Startup", "reference": "https://attack.mitre.org/techniques/T1137/", "subtechnique": [{"id": "T1137.006", "name": "Add-ins", "reference": "https://attack.mitre.org/techniques/T1137/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "ae8a142c-6a1d-4918-bea7-0b617e99ecfa_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4.json b/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4.json deleted file mode 100644 index a2d241da287..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Shared Object Created or Changed by Previously Unknown Process", "new_terms_fields": ["host.id", "file.path", "process.executable"], "note": "## Triage and analysis\n\n### Investigating Shared Object Created or Changed by Previously Unknown Process\n\nA shared object file is a compiled library file (typically with a .so extension) that can be dynamically linked to executable programs at runtime, allowing for code reuse and efficient memory usage. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime.\n\nMalicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. 
This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data.\n\nThis rule monitors the creation of shared object files by previously unknown processes through the usage of the new terms rule type.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the shared object that was created or modified through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path = {{file.path}}\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve 
Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and \nfile.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* and not (\n process.name:(\"dockerd\" or \"dpkg\" or \"rpm\" or \"snapd\" or \"yum\" or \"vmis-launcher\" or \"pacman\" or\n \"apt-get\" or \"dnf\" or \"podman\" or \"platform-python\") or \n (process.name:vmware-install.pl and file.path:/usr/lib/vmware-tools/*)\n)\n", "references": ["https://threatpost.com/sneaky-malware-backdoors-linux/180158/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "aebaa51f-2a91-4f6a-850b-b601db2293f4", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 8}, "id": "aebaa51f-2a91-4f6a-850b-b601db2293f4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_1.json b/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_1.json deleted file mode 100644 index 0271e303d13..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Shared Object Created or Changed by Previously Unknown Process", "new_terms_fields": ["file.path", "process.name"], "query": "host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and \nfile.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and \nprocess.name:(* and not (5 or dockerd or dpkg or rpm or snapd))\n", "references": ["https://threatpost.com/sneaky-malware-backdoors-linux/180158/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "aebaa51f-2a91-4f6a-850b-b601db2293f4", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", 
"reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "aebaa51f-2a91-4f6a-850b-b601db2293f4_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_2.json b/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_2.json deleted file mode 100644 index f9c43c35d4c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Shared Object Created or Changed by Previously Unknown Process", "new_terms_fields": ["file.path", "process.name"], "query": "host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and \nfile.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and \nprocess.name: ( * and not (\"5\" or \"dockerd\" or \"dpkg\" or \"rpm\" or \"snapd\" or \"exe\" or \"yum\" or \"vmis-launcher\"))\n", "references": ["https://threatpost.com/sneaky-malware-backdoors-linux/180158/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "aebaa51f-2a91-4f6a-850b-b601db2293f4", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "aebaa51f-2a91-4f6a-850b-b601db2293f4_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_3.json b/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_3.json deleted file mode 100644 index 0901ed91e85..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Shared Object Created or Changed by Previously Unknown Process", "new_terms_fields": ["file.path", "process.name"], "query": "host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and \nfile.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and \nprocess.name: ( * and not (\"5\" or \"dockerd\" or \"dpkg\" or \"rpm\" or \"snapd\" or \"exe\" or \"yum\" or \"vmis-launcher\"))\n", "references": ["https://threatpost.com/sneaky-malware-backdoors-linux/180158/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "aebaa51f-2a91-4f6a-850b-b601db2293f4", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic 
Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 3}, "id": "aebaa51f-2a91-4f6a-850b-b601db2293f4_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_4.json b/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_4.json deleted file mode 100644 index 32f2d370f8a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Shared Object Created or Changed by Previously Unknown Process", "new_terms_fields": ["host.id", "file.path", "process.executable"], "query": "host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and \nfile.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and \nprocess.name: ( * and not (\"5\" or \"dockerd\" or \"dpkg\" or \"rpm\" or \"snapd\" or \"exe\" or \"yum\" or \"vmis-launcher\"\n or \"pacman\" or \"apt-get\" or \"dnf\"))\n", "references": ["https://threatpost.com/sneaky-malware-backdoors-linux/180158/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "aebaa51f-2a91-4f6a-850b-b601db2293f4", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic 
Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 4}, "id": "aebaa51f-2a91-4f6a-850b-b601db2293f4_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_5.json b/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_5.json deleted file mode 100644 index 650b4242909..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Shared Object Created or Changed by Previously Unknown Process", "new_terms_fields": ["host.id", "file.path", "process.executable"], "query": "host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and \nfile.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and \nprocess.name: ( * and not (\"5\" or \"dockerd\" or \"dpkg\" or \"rpm\" or \"snapd\" or \"exe\" or \"yum\" or \"vmis-launcher\"\n or \"pacman\" or \"apt-get\" or \"dnf\"))\n", "references": ["https://threatpost.com/sneaky-malware-backdoors-linux/180158/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "aebaa51f-2a91-4f6a-850b-b601db2293f4", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic 
Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 5}, "id": "aebaa51f-2a91-4f6a-850b-b601db2293f4_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_6.json b/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_6.json deleted file mode 100644 index 7136ee7ca9c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_6.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Shared Object Created or Changed by Previously Unknown Process", "new_terms_fields": ["host.id", "file.path", "process.executable"], "note": "## Triage and analysis\n\n### Investigating Shared Object Created or Changed by Previously Unknown Process\n\nA shared object file is a compiled library file (typically with a .so extension) that can be dynamically linked to executable programs at runtime, allowing for code reuse and efficient memory usage. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime.\n\nMalicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. 
This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data.\n\nThis rule monitors the creation of shared object files by previously unknown processes through the usage of the new terms rule type.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the shared object that was created or modified through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE path = {{file.path}}\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve 
Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and \nfile.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and \nprocess.name: ( * and not (\"5\" or \"dockerd\" or \"dpkg\" or \"rpm\" or \"snapd\" or \"exe\" or \"yum\" or \"vmis-launcher\"\n or \"pacman\" or \"apt-get\" or \"dnf\" or \"podman\" or \"platform-python\"))\n", "references": ["https://threatpost.com/sneaky-malware-backdoors-linux/180158/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "aebaa51f-2a91-4f6a-850b-b601db2293f4", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 6}, "id": "aebaa51f-2a91-4f6a-850b-b601db2293f4_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_7.json b/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_7.json
deleted file mode 100644
index ff7606cea29..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Shared Object Created or Changed by Previously Unknown Process", "new_terms_fields": ["host.id", "file.path", "process.executable"], "note": "## Triage and analysis\n\n### Investigating Shared Object Created or Changed by Previously Unknown Process\n\nA shared object file is a compiled library file (typically with a .so extension) that can be dynamically linked to executable programs at runtime, allowing for code reuse and efficient memory usage. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime.\n\nMalicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. 
This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data.\n\nThis rule monitors the creation of shared object files by previously unknown processes through the usage of the new terms rule type.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the shared object that was created or modified through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE path = {{file.path}}\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve 
Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and \nfile.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* and not (\n process.name:(\"dockerd\" or \"dpkg\" or \"rpm\" or \"snapd\" or \"yum\" or \"vmis-launcher\" or \"pacman\" or\n \"apt-get\" or \"dnf\" or \"podman\" or \"platform-python\") or \n (process.name:vmware-install.pl and file.path:/usr/lib/vmware-tools/*)\n)\n", "references": ["https://threatpost.com/sneaky-malware-backdoors-linux/180158/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "aebaa51f-2a91-4f6a-850b-b601db2293f4", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 7}, "id": "aebaa51f-2a91-4f6a-850b-b601db2293f4_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_8.json b/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_8.json
deleted file mode 100644
index 428b6eb03e8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/aebaa51f-2a91-4f6a-850b-b601db2293f4_8.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors the creation of shared object files by previously unknown processes. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime. While this process is typically used for legitimate purposes, malicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Shared Object Created or Changed by Previously Unknown Process", "new_terms_fields": ["host.id", "file.path", "process.executable"], "note": "## Triage and analysis\n\n### Investigating Shared Object Created or Changed by Previously Unknown Process\n\nA shared object file is a compiled library file (typically with a .so extension) that can be dynamically linked to executable programs at runtime, allowing for code reuse and efficient memory usage. The creation of a shared object file involves compiling code into a dynamically linked library that can be loaded by other programs at runtime.\n\nMalicious actors can leverage shared object files to execute unauthorized code, inject malicious functionality into legitimate processes, or bypass security controls. 
This allows malware to persist on the system, evade detection, and potentially compromise the integrity and confidentiality of the affected system and its data.\n\nThis rule monitors the creation of shared object files by previously unknown processes through the usage of the new terms rule type.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the shared object that was created or modified through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE path = {{file.path}}\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE path = {{file.path}}\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve 
Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and \nfile.path:(/dev/shm/* or /usr/lib/*) and file.extension:so and process.name:* and not (\n process.name:(\"dockerd\" or \"dpkg\" or \"rpm\" or \"snapd\" or \"yum\" or \"vmis-launcher\" or \"pacman\" or\n \"apt-get\" or \"dnf\" or \"podman\" or \"platform-python\") or \n (process.name:vmware-install.pl and file.path:/usr/lib/vmware-tools/*)\n)\n", "references": ["https://threatpost.com/sneaky-malware-backdoors-linux/180158/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "aebaa51f-2a91-4f6a-850b-b601db2293f4", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 8}, "id": "aebaa51f-2a91-4f6a-850b-b601db2293f4_8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47.json b/packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47.json
deleted file mode 100644
index a83166dbc5a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for a sequence of 20 \"id\" command executions within 1 second by the same parent process. This behavior is unusual, and may be indicative of the execution of an enumeration script such as LinPEAS or LinEnum. These scripts leverage the \"id\" command to enumerate the privileges of all users present on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual User Privilege Enumeration via id", "query": "sequence by host.id, process.parent.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.name == \"id\" and process.args_count == 2 and \n not (process.parent.name == \"rpm\" or process.parent.args : \"/var/tmp/rpm-tmp*\")] with runs=20\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "afa135c0-a365-43ab-aa35-fd86df314a47", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}], "type": "eql", "version": 4}, "id": "afa135c0-a365-43ab-aa35-fd86df314a47", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47_1.json b/packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47_1.json
deleted file mode 100644
index 9ddcdb6530c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for a sequence of 20 \"id\" command executions within 1 second by the same parent process. This behavior is unusual, and may be indicative of the execution of an enumeration script such as LinPEAS or LinEnum. These scripts leverage the \"id\" command to enumerate the privileges of all users present on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual User Privilege Enumeration via id", "query": "sequence by host.id, process.parent.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name == \"id\" and process.args_count == 2] with runs=20\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}], "risk_score": 21, "rule_id": "afa135c0-a365-43ab-aa35-fd86df314a47", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}], "type": "eql", "version": 1}, "id": "afa135c0-a365-43ab-aa35-fd86df314a47_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47_2.json b/packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47_2.json
deleted file mode 100644
index d5cb84a2e11..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for a sequence of 20 \"id\" command executions within 1 second by the same parent process. This behavior is unusual, and may be indicative of the execution of an enumeration script such as LinPEAS or LinEnum. These scripts leverage the \"id\" command to enumerate the privileges of all users present on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual User Privilege Enumeration via id", "query": "sequence by host.id, process.parent.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name == \"id\" and process.args_count == 2 and \n not (process.parent.name == \"rpm\" or process.parent.args : \"/var/tmp/rpm-tmp*\")] with runs=20\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "afa135c0-a365-43ab-aa35-fd86df314a47", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}], "type": "eql", "version": 2}, "id": "afa135c0-a365-43ab-aa35-fd86df314a47_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47_3.json b/packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47_3.json
deleted file mode 100644
index 7aea24ec09a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/afa135c0-a365-43ab-aa35-fd86df314a47_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for a sequence of 20 \"id\" command executions within 1 second by the same parent process. This behavior is unusual, and may be indicative of the execution of an enumeration script such as LinPEAS or LinEnum. These scripts leverage the \"id\" command to enumerate the privileges of all users present on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual User Privilege Enumeration via id", "query": "sequence by host.id, process.parent.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name == \"id\" and process.args_count == 2 and \n not (process.parent.name == \"rpm\" or process.parent.args : \"/var/tmp/rpm-tmp*\")] with runs=20\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "afa135c0-a365-43ab-aa35-fd86df314a47", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}], "type": "eql", "version": 3}, "id": "afa135c0-a365-43ab-aa35-fd86df314a47_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a.json b/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a.json
deleted file mode 100644
index 8527bb705c4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the creation of a scheduled task. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Local Scheduled Task Creation", "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.type != \"end\" and\n ((process.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") or\n process.pe.original_file_name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\",\n \"winrshost.exe\")) or\n ?process.code_signature.trusted == false)] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"schtasks.exe\" or process.pe.original_file_name == \"schtasks.exe\") and\n process.args : (\"/create\", \"-create\") and process.args : (\"/RU\", \"/SC\", \"/TN\", \"/TR\", \"/F\", \"/XML\") and\n /* exclude SYSTEM Integrity Level - look for task creations by non-SYSTEM user */\n not (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\")\n ] by process.parent.entity_id\n", "references": ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": 
"windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 21, "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 107}, "id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_103.json b/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_103.json
deleted file mode 100644
index 2d9d4476a8f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the creation of a scheduled task. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Local Scheduled Task Creation", "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.type != \"end\" and\n ((process.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") or\n process.pe.original_file_name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\",\n \"winrshost.exe\")) or\n process.code_signature.trusted == false)] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"schtasks.exe\" or process.pe.original_file_name == \"schtasks.exe\") and\n process.args : (\"/create\", \"-create\") and process.args : (\"/RU\", \"/SC\", \"/TN\", \"/TR\", \"/F\", \"/XML\") and\n /* exclude SYSTEM Integrity Level - look for task creations by non-SYSTEM user */\n not (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\")\n ] by process.parent.entity_id\n", "references": ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": 
"^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 21, "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 103}, "id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_104.json b/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_104.json
deleted file mode 100644
index 3123a65b980..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the creation of a scheduled task. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Local Scheduled Task Creation", "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.type != \"end\" and\n ((process.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") or\n process.pe.original_file_name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\",\n \"winrshost.exe\")) or\n process.code_signature.trusted == false)] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"schtasks.exe\" or process.pe.original_file_name == \"schtasks.exe\") and\n process.args : (\"/create\", \"-create\") and process.args : (\"/RU\", \"/SC\", \"/TN\", \"/TR\", \"/F\", \"/XML\") and\n /* exclude SYSTEM Integrity Level - look for task creations by non-SYSTEM user */\n not (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\")\n ] by process.parent.entity_id\n", "references": ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": 
"^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 21, "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 104}, "id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_105.json b/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_105.json
deleted file mode 100644
index 588fb7c2390..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the creation of a scheduled task. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Local Scheduled Task Creation", "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.type != \"end\" and\n ((process.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") or\n process.pe.original_file_name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\",\n \"winrshost.exe\")) or\n process.code_signature.trusted == false)] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"schtasks.exe\" or process.pe.original_file_name == \"schtasks.exe\") and\n process.args : (\"/create\", \"-create\") and process.args : (\"/RU\", \"/SC\", \"/TN\", \"/TR\", \"/F\", \"/XML\") and\n /* exclude SYSTEM Integrity Level - look for task creations by non-SYSTEM user */\n not (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\")\n ] by process.parent.entity_id\n", "references": ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": 
"^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 21, "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 105}, "id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_106.json b/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_106.json deleted file mode 100644 index b4627ae8402..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the creation of a scheduled task. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Local Scheduled Task Creation", "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.type != \"end\" and\n ((process.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") or\n process.pe.original_file_name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\",\n \"winrshost.exe\")) or\n ?process.code_signature.trusted == false)] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"schtasks.exe\" or process.pe.original_file_name == \"schtasks.exe\") and\n process.args : (\"/create\", \"-create\") and process.args : (\"/RU\", \"/SC\", \"/TN\", \"/TR\", \"/F\", \"/XML\") and\n /* exclude SYSTEM Integrity Level - look for task creations by non-SYSTEM user */\n not (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\")\n ] by process.parent.entity_id\n", "references": ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": 
"windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 21, "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 106}, "id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_107.json b/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_107.json deleted file mode 100644 index bae269ff411..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the creation of a scheduled task. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Local Scheduled Task Creation", "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.type != \"end\" and\n ((process.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") or\n process.pe.original_file_name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\",\n \"winrshost.exe\")) or\n ?process.code_signature.trusted == false)] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"schtasks.exe\" or process.pe.original_file_name == \"schtasks.exe\") and\n process.args : (\"/create\", \"-create\") and process.args : (\"/RU\", \"/SC\", \"/TN\", \"/TR\", \"/F\", \"/XML\") and\n /* exclude SYSTEM Integrity Level - look for task creations by non-SYSTEM user */\n not (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\")\n ] by process.parent.entity_id\n", "references": ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": 
"windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 21, "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 107}, "id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_108.json b/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_108.json deleted file mode 100644 index 2bded51acb0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/afcce5ad-65de-4ed2-8516-5e093d3ac99a_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Indicates the creation of a scheduled task. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges.", "false_positives": ["Legitimate scheduled tasks may be created during installation of new software."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Local Scheduled Task Creation", "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.type != \"end\" and\n ((process.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\", \"winrshost.exe\") or\n process.pe.original_file_name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"wmic.exe\", \"mshta.exe\",\n \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\", \"WmiPrvSe.exe\", \"wsmprovhost.exe\",\n \"winrshost.exe\")) or\n ?process.code_signature.trusted == false)] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"schtasks.exe\" or process.pe.original_file_name == \"schtasks.exe\") and\n process.args : (\"/create\", \"-create\") and process.args : (\"/RU\", \"/SC\", \"/TN\", \"/TR\", \"/F\", \"/XML\") and\n /* exclude SYSTEM Integrity Level - look for task creations by non-SYSTEM user */\n not (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\")\n ] by process.parent.entity_id\n", "references": ["https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1", "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2", "https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine", 
"https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 21, "rule_id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "type": "eql", "version": 108}, "id": "afcce5ad-65de-4ed2-8516-5e093d3ac99a_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39.json b/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39.json deleted file mode 100644 index e625e275c97..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools or files to another host in the network or exfiltrate data while attempting to evade detection in the process.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Activity Detected via cat", "note": "## Triage and analysis\n\n### Investigating Network Activity Detected via cat\n\nAttackers may leverage the `cat` utility in conjunction with a listener to read all bytes of a file, and output the content to a `/dev/tcp` or `/dev/udp` channel to transfer/exfiltrate file contents to a remote system. \n\nThis rule looks for a sequence of a `cat` execution event followed by a network connection attempt by the same `cat` process. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate command and control activity or data exfiltration. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Suspicious Network Activity to the Internet by Previously Unknown Executable - 53617418-17b4-4e9c-8a2c-8deb8086ca4b\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.name == \"cat\" and process.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action in (\"connection_attempted\", \"disconnect_received\") and\n process.name == \"cat\" and not (destination.ip == null or destination.ip == \"0.0.0.0\" or cidrmatch(\n destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\",\n \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\"\n )\n )]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": 
"afd04601-12fc-4149-9b78-9c3f8fe45d39", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": []}], "type": "eql", "version": 6}, "id": "afd04601-12fc-4149-9b78-9c3f8fe45d39", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_1.json b/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_1.json deleted file mode 100644 index 03e86403577..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools or files to another host in the network or exfiltrate data while attempting to evade detection in the process.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Activity Detected via cat", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name == \"cat\"]\n [network where host.os.type == \"linux\" and event.action in (\"connection_attempted\", \"disconnect_received\") and \n process.name == \"cat\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "afd04601-12fc-4149-9b78-9c3f8fe45d39", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": []}], "type": "eql", "version": 1}, "id": "afd04601-12fc-4149-9b78-9c3f8fe45d39_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_2.json b/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_2.json
deleted file mode 100644
index 90f95708004..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools or files to another host in the network or exfiltrate data while attempting to evade detection in the process.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Activity Detected via cat", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and process.name == \"cat\" and \n process.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action in (\"connection_attempted\", \"disconnect_received\") and process.name == \"cat\" and \n destination.ip != null and not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "afd04601-12fc-4149-9b78-9c3f8fe45d39", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration 
Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": []}], "type": "eql", "version": 2}, "id": "afd04601-12fc-4149-9b78-9c3f8fe45d39_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_3.json b/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_3.json deleted file mode 100644 index ce76848f690..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_3.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools or files to another host in the network or exfiltrate data while attempting to evade detection in the process.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Activity Detected via cat", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and process.name == \"cat\" and \n process.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action in (\"connection_attempted\", \"disconnect_received\") and process.name == \"cat\" and \n destination.ip != null and not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "afd04601-12fc-4149-9b78-9c3f8fe45d39", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration 
Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": []}], "type": "eql", "version": 3}, "id": "afd04601-12fc-4149-9b78-9c3f8fe45d39_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_4.json b/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_4.json
deleted file mode 100644
index 9b0c0b80e0d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools or files to another host in the network or exfiltrate data while attempting to evade detection in the process.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Activity Detected via cat", "note": "## Triage and analysis\n\n### Investigating Network Activity Detected via cat\n\nAttackers may leverage the `cat` utility in conjunction with a listener to read all bytes of a file, and output the content to a `/dev/tcp` or `/dev/udp` channel to transfer/exfiltrate file contents to a remote system. \n\nThis rule looks for a sequence of a `cat` execution event followed by a network connection attempt by the same `cat` process. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate command and control activity or data exfiltration. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Suspicious Network Activity to the Internet by Previously Unknown Executable - 53617418-17b4-4e9c-8a2c-8deb8086ca4b\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and process.name == \"cat\" and \n process.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action in (\"connection_attempted\", \"disconnect_received\") and process.name == \"cat\" and \n destination.ip != null and not cidrmatch(destination.ip, \"127.0.0.0/8\", \"169.254.0.0/16\", \"224.0.0.0/4\", \"::1\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "afd04601-12fc-4149-9b78-9c3f8fe45d39", "setup": "This rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": []}], "type": "eql", "version": 4}, "id": "afd04601-12fc-4149-9b78-9c3f8fe45d39_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_5.json b/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_5.json
deleted file mode 100644
index 312d084412f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/afd04601-12fc-4149-9b78-9c3f8fe45d39_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of the cat command, followed by a connection attempt by the same process. Cat is capable of transfering data via tcp/udp channels by redirecting its read output to a /dev/tcp or /dev/udp channel. This activity is highly suspicious, and should be investigated. Attackers may leverage this capability to transfer tools or files to another host in the network or exfiltrate data while attempting to evade detection in the process.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Activity Detected via cat", "note": "## Triage and analysis\n\n### Investigating Network Activity Detected via cat\n\nAttackers may leverage the `cat` utility in conjunction with a listener to read all bytes of a file, and output the content to a `/dev/tcp` or `/dev/udp` channel to transfer/exfiltrate file contents to a remote system. \n\nThis rule looks for a sequence of a `cat` execution event followed by a network connection attempt by the same `cat` process. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate command and control activity or data exfiltration. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Suspicious Network Activity to the Internet by Previously Unknown Executable - 53617418-17b4-4e9c-8a2c-8deb8086ca4b\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and\n process.name == \"cat\" and process.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")]\n [network where host.os.type == \"linux\" and event.action in (\"connection_attempted\", \"disconnect_received\") and\n process.name == \"cat\" and not (destination.ip == null or destination.ip == \"0.0.0.0\" or cidrmatch(\n destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\",\n \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\"\n )\n )]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": 
"afd04601-12fc-4149-9b78-9c3f8fe45d39", "setup": "This rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": []}], "type": "eql", "version": 5}, "id": "afd04601-12fc-4149-9b78-9c3f8fe45d39_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d.json b/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d.json
deleted file mode 100644
index 22682dbb708..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of processes that interact with Linux containers through an interactive shell without root permissions. Utilities such as runc and ctr are universal command-line utilities leveraged to interact with containers via root permissions. On systems where the access to these utilities are misconfigured, attackers might be able to create and run a container that mounts the root folder or spawn a privileged container vulnerable to a container escape attack, which might allow them to escalate privileges and gain further access onto the host file system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via Container Misconfiguration", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.name == \"runc\" and process.args == \"run\") or\n (process.name == \"ctr\" and process.args == \"run\" and process.args in (\"--privileged\", \"--mount\"))\n) and not user.Ext.real.id == \"0\" and not group.Ext.real.id == \"0\" and \nprocess.interactive == true and process.parent.interactive == true\n", "references": ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation", "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.interactive", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": 
true, "name": "process.parent.interactive", "type": "boolean"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 47, "rule_id": "afe6b0eb-dd9d-4922-b08a-1910124d524d", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nSession View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. Session View is available on enterprise subscription for versions 8.3 and above.\n#### To confirm that Session View data is enabled:\n- Go to \u201cManage \u2192 Policies\u201d, and edit one or more of your Elastic Defend integration policies.\n- Select the\u201d Policy settings\u201d tab, then scroll down to the \u201cLinux event collection\u201d section near the bottom.\n- Check the box for \u201cProcess events\u201d, and turn on the \u201cInclude session data\u201d toggle.\n- If you want to include file and network alerts in Session View, check the boxes for \u201cNetwork and File events\u201d.\n- If you want to enable terminal output capture, turn on the \u201cCapture terminal output\u201d toggle.\nFor more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, 
"technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "afe6b0eb-dd9d-4922-b08a-1910124d524d", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_1.json b/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_1.json
deleted file mode 100644
index 39f16b02da2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of processes that interact with Linux containers through an interactive shell without root permissions. Utilities such as runc and ctr are universal command-line utilities leveraged to interact with containers via root permissions. On systems where the access to these utilities are misconfigured, attackers might be able to create and run a container that mounts the root folder or spawn a privileged container vulnerable to a container escape attack, which might allow them to escalate privileges and gain further access onto the host file system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via Container Misconfiguration", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and (\n (process.name == \"runc\" and process.args == \"run\") or\n (process.name == \"ctr\" and process.args == \"run\" and process.args in (\"--privileged\", \"--mount\"))\n) and not user.Ext.real.id == \"0\" and not group.Ext.real.id == \"0\" and \nprocess.interactive == true and process.parent.interactive == true\n", "references": ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation", "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.interactive", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": 
true, "name": "process.parent.interactive", "type": "boolean"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 47, "rule_id": "afe6b0eb-dd9d-4922-b08a-1910124d524d", "setup": "This rule leverages `session` fields, which requires that the collection of session data is enabled for Linux operating systems. The following steps should be performed in order to enable session data event collection on a Linux system. ``` Kibana --> Management --> Fleet --> Agent Policies --> Agent Policy with Elastic Defend installed --> Elastic Defend integration --> Enable the \"Collect session data\" box under \"Event Collection\" for \"Linux\" ``` More information on this topic and how to enable session data collection can be found at https://www.elastic.co/blog/secure-your-cloud-with-cloud-workload-protection-in-elastic-security.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "afe6b0eb-dd9d-4922-b08a-1910124d524d_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_2.json b/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_2.json deleted file mode 100644 index c9cc8b80f8f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of processes that interact with Linux containers through an interactive shell without root permissions. Utilities such as runc and ctr are universal command-line utilities leveraged to interact with containers via root permissions. On systems where the access to these utilities are misconfigured, attackers might be able to create and run a container that mounts the root folder or spawn a privileged container vulnerable to a container escape attack, which might allow them to escalate privileges and gain further access onto the host file system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via Container Misconfiguration", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and (\n (process.name == \"runc\" and process.args == \"run\") or\n (process.name == \"ctr\" and process.args == \"run\" and process.args in (\"--privileged\", \"--mount\"))\n) and not user.Ext.real.id == \"0\" and not group.Ext.real.id == \"0\" and \nprocess.interactive == true and process.parent.interactive == true\n", "references": ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation", "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.interactive", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": 
true, "name": "process.parent.interactive", "type": "boolean"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 47, "rule_id": "afe6b0eb-dd9d-4922-b08a-1910124d524d", "setup": "This rule leverages `session` fields, which requires that the collection of session data is enabled for Linux operating systems. The following steps should be performed in order to enable session data event collection on a Linux system. ``` Kibana --> Management --> Fleet --> Agent Policies --> Agent Policy with Elastic Defend installed --> Elastic Defend integration --> Enable the \"Collect session data\" box under \"Event Collection\" for \"Linux\" ``` More information on this topic and how to enable session data collection can be found at https://www.elastic.co/blog/secure-your-cloud-with-cloud-workload-protection-in-elastic-security.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "afe6b0eb-dd9d-4922-b08a-1910124d524d_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_3.json b/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_3.json deleted file mode 100644 index 56499d1f6e4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of processes that interact with Linux containers through an interactive shell without root permissions. Utilities such as runc and ctr are universal command-line utilities leveraged to interact with containers via root permissions. On systems where the access to these utilities are misconfigured, attackers might be able to create and run a container that mounts the root folder or spawn a privileged container vulnerable to a container escape attack, which might allow them to escalate privileges and gain further access onto the host file system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via Container Misconfiguration", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and (\n (process.name == \"runc\" and process.args == \"run\") or\n (process.name == \"ctr\" and process.args == \"run\" and process.args in (\"--privileged\", \"--mount\"))\n) and not user.Ext.real.id == \"0\" and not group.Ext.real.id == \"0\" and \nprocess.interactive == true and process.parent.interactive == true\n", "references": ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation", "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.interactive", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": 
true, "name": "process.parent.interactive", "type": "boolean"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 47, "rule_id": "afe6b0eb-dd9d-4922-b08a-1910124d524d", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nSession View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. Session View is available on enterprise subscription for versions 8.3 and above.\n#### To confirm that Session View data is enabled:\n- Go to Manage \u2192 Policies, and edit one or more of your Elastic Defend integration policies.\n- Select the Policy settings tab, then scroll down to the Linux event collection section near the bottom.\n- Check the box for Process events, and turn on the Include session data toggle.\n- If you want to include file and network alerts in Session View, check the boxes for Network and File events.\n- If you want to enable terminal output capture, turn on the Capture terminal output toggle.\nFor more information about the additional fields collected when this setting is enabled and\nthe usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": 
"https://attack.mitre.org/techniques/T1611/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "afe6b0eb-dd9d-4922-b08a-1910124d524d_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_4.json b/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_4.json deleted file mode 100644 index 727bbf0130b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/afe6b0eb-dd9d-4922-b08a-1910124d524d_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of processes that interact with Linux containers through an interactive shell without root permissions. Utilities such as runc and ctr are universal command-line utilities leveraged to interact with containers via root permissions. On systems where the access to these utilities are misconfigured, attackers might be able to create and run a container that mounts the root folder or spawn a privileged container vulnerable to a container escape attack, which might allow them to escalate privileges and gain further access onto the host file system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via Container Misconfiguration", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and (\n (process.name == \"runc\" and process.args == \"run\") or\n (process.name == \"ctr\" and process.args == \"run\" and process.args in (\"--privileged\", \"--mount\"))\n) and not user.Ext.real.id == \"0\" and not group.Ext.real.id == \"0\" and \nprocess.interactive == true and process.parent.interactive == true\n", "references": ["https://book.hacktricks.xyz/linux-hardening/privilege-escalation/runc-privilege-escalation", "https://book.hacktricks.xyz/linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "group.Ext.real.id", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.interactive", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": 
true, "name": "process.parent.interactive", "type": "boolean"}, {"ecs": false, "name": "user.Ext.real.id", "type": "unknown"}], "risk_score": 47, "rule_id": "afe6b0eb-dd9d-4922-b08a-1910124d524d", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nSession View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. Session View is available on enterprise subscription for versions 8.3 and above.\n#### To confirm that Session View data is enabled:\n- Go to \u201cManage \u2192 Policies\u201d, and edit one or more of your Elastic Defend integration policies.\n- Select the\u201d Policy settings\u201d tab, then scroll down to the \u201cLinux event collection\u201d section near the bottom.\n- Check the box for \u201cProcess events\u201d, and turn on the \u201cInclude session data\u201d toggle.\n- If you want to include file and network alerts in Session View, check the boxes for \u201cNetwork and File events\u201d.\n- If you want to enable terminal output capture, turn on the \u201cCapture terminal output\u201d toggle.\nFor more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Domain: Container", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": 
"https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "afe6b0eb-dd9d-4922-b08a-1910124d524d_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6.json b/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6.json deleted file mode 100644 index bf7df2da883..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Timestomping is an anti-forensics technique which is used to modify the timestamps of a file, often to mimic files that are in the same folder.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Timestomping using Touch Command", "query": "process where event.type == \"start\" and\n process.name : \"touch\" and user.id != \"0\" and\n process.args : (\"-r\", \"-t\", \"-a*\",\"-m*\") and\n not process.args : (\n \"/usr/lib/go-*/bin/go\", \"/usr/lib/dracut/dracut-functions.sh\", \"/tmp/KSInstallAction.*/m/.patch/*\"\n) and not process.parent.name in (\"pmlogger_daily\", \"pmlogger_janitor\", \"systemd\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "b0046934-486e-462f-9487-0d4cf9e429c6", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", 
"reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.006", "name": "Timestomp", "reference": "https://attack.mitre.org/techniques/T1070/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "b0046934-486e-462f-9487-0d4cf9e429c6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_101.json b/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_101.json deleted file mode 100644 index 2002e666f6a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Timestomping is an anti-forensics technique which is used to modify the timestamps of a file, often to mimic files that are in the same folder.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Timestomping using Touch Command", "note": "", "query": "process where event.type == \"start\" and\n process.name : \"touch\" and user.id != \"0\" and\n process.args : (\"-r\", \"-t\", \"-a*\",\"-m*\") and\n not process.args : (\"/usr/lib/go-*/bin/go\", \"/usr/lib/dracut/dracut-functions.sh\", \"/tmp/KSInstallAction.*/m/.patch/*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "b0046934-486e-462f-9487-0d4cf9e429c6", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.006", "name": "Timestomp", "reference": "https://attack.mitre.org/techniques/T1070/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 101}, "id": 
"b0046934-486e-462f-9487-0d4cf9e429c6_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_102.json b/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_102.json deleted file mode 100644 index f863ad863d9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Timestomping is an anti-forensics technique which is used to modify the timestamps of a file, often to mimic files that are in the same folder.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Timestomping using Touch Command", "note": "", "query": "process where event.type == \"start\" and\n process.name : \"touch\" and user.id != \"0\" and\n process.args : (\"-r\", \"-t\", \"-a*\",\"-m*\") and\n not process.args : (\"/usr/lib/go-*/bin/go\", \"/usr/lib/dracut/dracut-functions.sh\", \"/tmp/KSInstallAction.*/m/.patch/*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "b0046934-486e-462f-9487-0d4cf9e429c6", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.006", "name": "Timestomp", "reference": "https://attack.mitre.org/techniques/T1070/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 
102}, "id": "b0046934-486e-462f-9487-0d4cf9e429c6_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_103.json b/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_103.json deleted file mode 100644 index 8f0554f4300..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Timestomping is an anti-forensics technique which is used to modify the timestamps of a file, often to mimic files that are in the same folder.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Timestomping using Touch Command", "note": "", "query": "process where event.type == \"start\" and\n process.name : \"touch\" and user.id != \"0\" and\n process.args : (\"-r\", \"-t\", \"-a*\",\"-m*\") and\n not process.args : (\"/usr/lib/go-*/bin/go\", \"/usr/lib/dracut/dracut-functions.sh\", \"/tmp/KSInstallAction.*/m/.patch/*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "b0046934-486e-462f-9487-0d4cf9e429c6", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.006", "name": "Timestomp", "reference": "https://attack.mitre.org/techniques/T1070/006/"}]}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 103}, "id": "b0046934-486e-462f-9487-0d4cf9e429c6_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_104.json b/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_104.json deleted file mode 100644 index b49da9917a2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Timestomping is an anti-forensics technique which is used to modify the timestamps of a file, often to mimic files that are in the same folder.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Timestomping using Touch Command", "query": "process where event.type == \"start\" and\n process.name : \"touch\" and user.id != \"0\" and\n process.args : (\"-r\", \"-t\", \"-a*\",\"-m*\") and\n not process.args : (\"/usr/lib/go-*/bin/go\", \"/usr/lib/dracut/dracut-functions.sh\", \"/tmp/KSInstallAction.*/m/.patch/*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "b0046934-486e-462f-9487-0d4cf9e429c6", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": 
"https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.006", "name": "Timestomp", "reference": "https://attack.mitre.org/techniques/T1070/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "b0046934-486e-462f-9487-0d4cf9e429c6_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_105.json b/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_105.json deleted file mode 100644 index 47b570648c0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b0046934-486e-462f-9487-0d4cf9e429c6_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Timestomping is an anti-forensics technique which is used to modify the timestamps of a file, often to mimic files that are in the same folder.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Timestomping using Touch Command", "query": "process where event.type == \"start\" and\n process.name : \"touch\" and user.id != \"0\" and\n process.args : (\"-r\", \"-t\", \"-a*\",\"-m*\") and\n not process.args : (\n \"/usr/lib/go-*/bin/go\", \"/usr/lib/dracut/dracut-functions.sh\", \"/tmp/KSInstallAction.*/m/.patch/*\"\n) and not process.parent.name in (\"pmlogger_daily\", \"pmlogger_janitor\", \"systemd\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "b0046934-486e-462f-9487-0d4cf9e429c6", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", 
"reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.006", "name": "Timestomp", "reference": "https://attack.mitre.org/techniques/T1070/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "b0046934-486e-462f-9487-0d4cf9e429c6_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6.json b/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6.json deleted file mode 100644 index bdbc8b3ebf4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file system, including all user data and files protected by Apple\u2019s privacy framework (TCC).", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "TCC Bypass via Mounted APFS Snapshot Access", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and process.name:mount_apfs and\n process.args:(/System/Volumes/Data and noowners)\n", "references": ["https://theevilbit.github.io/posts/cve_2020_9771/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "b00bcd89-000c-4425-b94c-716ef67762f6", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1006", "name": "Direct Volume Access", "reference": "https://attack.mitre.org/techniques/T1006/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "b00bcd89-000c-4425-b94c-716ef67762f6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_102.json b/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_102.json deleted file mode 100644 index 6caf3659f87..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file system, including all user data and files protected by Apple\u2019s privacy framework (TCC).", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "TCC Bypass via Mounted APFS Snapshot Access", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and process.name:mount_apfs and\n process.args:(/System/Volumes/Data and noowners)\n", "references": ["https://theevilbit.github.io/posts/cve_2020_9771/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "b00bcd89-000c-4425-b94c-716ef67762f6", "severity": "high", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion", "CVE_2020_9771"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1006", "name": "Direct Volume Access", "reference": "https://attack.mitre.org/techniques/T1006/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "b00bcd89-000c-4425-b94c-716ef67762f6_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_103.json b/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_103.json
deleted file mode 100644
index 6f6ceab0e31..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file system, including all user data and files protected by Apple\u2019s privacy framework (TCC).", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "TCC Bypass via Mounted APFS Snapshot Access", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and process.name:mount_apfs and\n process.args:(/System/Volumes/Data and noowners)\n", "references": ["https://theevilbit.github.io/posts/cve_2020_9771/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "b00bcd89-000c-4425-b94c-716ef67762f6", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1006", "name": "Direct Volume Access", "reference": "https://attack.mitre.org/techniques/T1006/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "b00bcd89-000c-4425-b94c-716ef67762f6_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_104.json b/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_104.json
deleted file mode 100644
index 6f383fb8a59..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file system, including all user data and files protected by Apple\u2019s privacy framework (TCC).", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "TCC Bypass via Mounted APFS Snapshot Access", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and process.name:mount_apfs and\n process.args:(/System/Volumes/Data and noowners)\n", "references": ["https://theevilbit.github.io/posts/cve_2020_9771/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "b00bcd89-000c-4425-b94c-716ef67762f6", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1006", "name": "Direct Volume Access", "reference": "https://attack.mitre.org/techniques/T1006/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "b00bcd89-000c-4425-b94c-716ef67762f6_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_105.json b/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_105.json
deleted file mode 100644
index 9ad808937f3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b00bcd89-000c-4425-b94c-716ef67762f6_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file system, including all user data and files protected by Apple\u2019s privacy framework (TCC).", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "TCC Bypass via Mounted APFS Snapshot Access", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and process.name:mount_apfs and\n process.args:(/System/Volumes/Data and noowners)\n", "references": ["https://theevilbit.github.io/posts/cve_2020_9771/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "b00bcd89-000c-4425-b94c-716ef67762f6", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1006", "name": "Direct Volume Access", "reference": "https://attack.mitre.org/techniques/T1006/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "b00bcd89-000c-4425-b94c-716ef67762f6_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b0638186-4f12-48ac-83d2-47e686d08e82.json b/packages/security_detection_engine/kibana/security_rule/b0638186-4f12-48ac-83d2-47e686d08e82.json deleted file mode 100644 index 2b7c9d7fbfc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b0638186-4f12-48ac-83d2-47e686d08e82.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its functionality. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed, which can be done by administrators or a scheduled task.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Netsh Helper DLL", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\netsh\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\netsh\\\\*\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "b0638186-4f12-48ac-83d2-47e686d08e82", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.007", "name": "Netsh Helper DLL", "reference": "https://attack.mitre.org/techniques/T1546/007/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, 
"id": "b0638186-4f12-48ac-83d2-47e686d08e82", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b0638186-4f12-48ac-83d2-47e686d08e82_1.json b/packages/security_detection_engine/kibana/security_rule/b0638186-4f12-48ac-83d2-47e686d08e82_1.json deleted file mode 100644 index 02d5d667fd1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b0638186-4f12-48ac-83d2-47e686d08e82_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its functionality. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed, which can be done by administrators or a scheduled task.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Netsh Helper DLL", "query": "registry where event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\netsh\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\netsh\\\\*\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "b0638186-4f12-48ac-83d2-47e686d08e82", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.007", "name": "Netsh Helper DLL", "reference": "https://attack.mitre.org/techniques/T1546/007/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "b0638186-4f12-48ac-83d2-47e686d08e82_1", 
"type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b0638186-4f12-48ac-83d2-47e686d08e82_2.json b/packages/security_detection_engine/kibana/security_rule/b0638186-4f12-48ac-83d2-47e686d08e82_2.json deleted file mode 100644 index 02218ff3eaa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b0638186-4f12-48ac-83d2-47e686d08e82_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its functionality. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed, which can be done by administrators or a scheduled task.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Netsh Helper DLL", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\netsh\\\\*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\netsh\\\\*\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "b0638186-4f12-48ac-83d2-47e686d08e82", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.007", "name": "Netsh Helper DLL", "reference": "https://attack.mitre.org/techniques/T1546/007/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, 
"id": "b0638186-4f12-48ac-83d2-47e686d08e82_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b1773d05-f349-45fb-9850-287b8f92f02d.json b/packages/security_detection_engine/kibana/security_rule/b1773d05-f349-45fb-9850-287b8f92f02d.json deleted file mode 100644 index 63a01a17490..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b1773d05-f349-45fb-9850-287b8f92f02d.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects potential resource exhaustion or data breach attempts by monitoring for users who consistently generate high input token counts, submit numerous requests, and receive large responses. This behavior could indicate an attempt to overload the system or extract an unusually large amount of data, possibly revealing sensitive information or causing service disruptions.", "false_positives": ["Authorized heavy usage of the system that is business justified and monitored."], "from": "now-60m", "interval": "10m", "language": "esql", "license": "Elastic License v2", "name": "Potential Abuse of Resources by High Token Count and Large Response Sizes", "query": "from logs-aws_bedrock.invocation-*\n| stats max_tokens = max(gen_ai.usage.prompt_tokens),\n total_requests = count(*),\n avg_response_size = avg(gen_ai.usage.completion_tokens)\n by user.id\n// tokens count depends on specific LLM, as is related to how embeddings are generated.\n| where max_tokens > 5000 and total_requests > 10 and avg_response_size > 500\n| eval risk_factor = (max_tokens / 1000) * total_requests * (avg_response_size / 500)\n| where risk_factor > 10\n| sort risk_factor desc\n", "references": ["https://atlas.mitre.org/techniques/AML.T0051", "https://owasp.org/www-project-top-10-for-large-language-model-applications/", "https://www.elastic.co/security-labs/elastic-advances-llm-security"], "risk_score": 47, "rule_id": "b1773d05-f349-45fb-9850-287b8f92f02d", "setup": "## Setup\n\nThis rule requires that guardrails are configured in AWS Bedrock. 
For more information, see the AWS Bedrock documentation:\n\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\n", "severity": "medium", "tags": ["Domain: LLM", "Data Source: AWS Bedrock", "Data Source: Amazon Web Services", "Data Source: AWS S3", "Use Case: Potential Overload", "Use Case: Resource Exhaustion", "Mitre Atlas: LLM04"], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "b1773d05-f349-45fb-9850-287b8f92f02d", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b1773d05-f349-45fb-9850-287b8f92f02d_1.json b/packages/security_detection_engine/kibana/security_rule/b1773d05-f349-45fb-9850-287b8f92f02d_1.json
deleted file mode 100644
index 0e71b0c99c9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b1773d05-f349-45fb-9850-287b8f92f02d_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects potential resource exhaustion or data breach attempts by monitoring for users who consistently generate high input token counts, submit numerous requests, and receive large responses. This behavior could indicate an attempt to overload the system or extract an unusually large amount of data, possibly revealing sensitive information or causing service disruptions.", "false_positives": ["Authorized heavy usage of the system that is business justified and monitored."], "from": "now-60m", "interval": "10m", "language": "esql", "license": "Elastic License v2", "name": "Potential Abuse of Resources by High Token Count and Large Response Sizes", "query": "from logs-aws_bedrock.invocation-*\n| stats max_tokens = max(gen_ai.usage.prompt_tokens),\n total_requests = count(*),\n avg_response_size = avg(gen_ai.usage.completion_tokens)\n by user.id\n// tokens count depends on specific LLM, as is related to how embeddings are generated.\n| where max_tokens > 5000 and total_requests > 10 and avg_response_size > 500\n| eval risk_factor = (max_tokens / 1000) * total_requests * (avg_response_size / 500)\n| where risk_factor > 10\n| sort risk_factor desc\n", "references": ["https://atlas.mitre.org/techniques/AML.T0051", "https://owasp.org/www-project-top-10-for-large-language-model-applications/", "https://www.elastic.co/security-labs/elastic-advances-llm-security"], "risk_score": 47, "rule_id": "b1773d05-f349-45fb-9850-287b8f92f02d", "setup": "## Setup\n\nThis rule requires that guardrails are configured in AWS Bedrock. 
For more information, see the AWS Bedrock documentation:\n\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\n", "severity": "medium", "tags": ["Domain: LLM", "Data Source: AWS Bedrock", "Data Source: Amazon Web Services", "Data Source: AWS S3", "Use Case: Potential Overload", "Use Case: Resource Exhaustion", "Mitre Atlas: LLM04"], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "b1773d05-f349-45fb-9850-287b8f92f02d_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b1773d05-f349-45fb-9850-287b8f92f02d_2.json b/packages/security_detection_engine/kibana/security_rule/b1773d05-f349-45fb-9850-287b8f92f02d_2.json
deleted file mode 100644
index a2182e71a7c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b1773d05-f349-45fb-9850-287b8f92f02d_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects potential resource exhaustion or data breach attempts by monitoring for users who consistently generate high input token counts, submit numerous requests, and receive large responses. This behavior could indicate an attempt to overload the system or extract an unusually large amount of data, possibly revealing sensitive information or causing service disruptions.", "false_positives": ["Authorized heavy usage of the system that is business justified and monitored."], "from": "now-60m", "interval": "10m", "language": "esql", "license": "Elastic License v2", "name": "Potential Abuse of Resources by High Token Count and Large Response Sizes", "query": "from logs-aws_bedrock.invocation-*\n| keep user.id, gen_ai.usage.prompt_tokens, gen_ai.usage.completion_tokens\n| stats max_tokens = max(gen_ai.usage.prompt_tokens),\n total_requests = count(*),\n avg_response_size = avg(gen_ai.usage.completion_tokens)\n by user.id\n// tokens count depends on specific LLM, as is related to how embeddings are generated.\n| where max_tokens > 5000 and total_requests > 10 and avg_response_size > 500\n| eval risk_factor = (max_tokens / 1000) * total_requests * (avg_response_size / 500)\n| where risk_factor > 10\n| sort risk_factor desc\n", "references": ["https://atlas.mitre.org/techniques/AML.T0051", "https://owasp.org/www-project-top-10-for-large-language-model-applications/", "https://www.elastic.co/security-labs/elastic-advances-llm-security"], "risk_score": 47, "rule_id": "b1773d05-f349-45fb-9850-287b8f92f02d", "setup": "## Setup\n\nThis rule requires that guardrails are configured in AWS Bedrock. 
For more information, see the AWS Bedrock documentation:\n\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\n", "severity": "medium", "tags": ["Domain: LLM", "Data Source: AWS Bedrock", "Data Source: Amazon Web Services", "Data Source: AWS S3", "Use Case: Potential Overload", "Use Case: Resource Exhaustion", "Mitre Atlas: LLM04"], "timestamp_override": "event.ingested", "type": "esql", "version": 2}, "id": "b1773d05-f349-45fb-9850-287b8f92f02d_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c.json b/packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c.json
deleted file mode 100644
index a122ab3dee8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Adversaries may look for folders and drives shared on remote systems to identify sources of information to gather as a precursor for collection and identify potential systems of interest for Lateral Movement.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*", "logs-system.security*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Network Share Discovery", "query": "sequence by user.name, source.port, source.ip with maxspan=15s \n [file where event.action == \"network-share-object-access-checked\" and \n winlog.event_data.ShareName in (\"\\\\\\\\*\\\\ADMIN$\", \"\\\\\\\\*\\\\C$\") and \n source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::1\" and source.ip != \"::\" and source.ip != \"127.0.0.1\"]\n [file where event.action == \"network-share-object-access-checked\" and \n winlog.event_data.ShareName in (\"\\\\\\\\*\\\\ADMIN$\", \"\\\\\\\\*\\\\C$\") and \n source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::1\" and source.ip != \"::\" and source.ip != \"127.0.0.1\"]\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ShareName", "type": "unknown"}], "risk_score": 21, "rule_id": "b2318c71-5959-469a-a3ce-3a0768e63b9c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Rule Type: BBR", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, 
"technique": [{"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1039", "name": "Data from Network Shared Drive", "reference": "https://attack.mitre.org/techniques/T1039/"}]}], "type": "eql", "version": 4}, "id": "b2318c71-5959-469a-a3ce-3a0768e63b9c", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c_1.json b/packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c_1.json
deleted file mode 100644
index d5abb1d52ed..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Adversaries may look for folders and drives shared on remote systems to identify sources of information to gather as a precursor for collection and identify potential systems of interest for Lateral Movement.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*", "logs-system.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Network Share Discovery", "query": "sequence by user.name, source.port, source.ip with maxspan=15s \n [file where event.action == \"network-share-object-access-checked\" and \n winlog.event_data.ShareName : (\"\\\\*ADMIN$\", \"\\\\*C$\") and \n source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::1\" and source.ip != \"::\" and source.ip != \"127.0.0.1\"]\n [file where event.action == \"network-share-object-access-checked\" and \n winlog.event_data.ShareName : (\"\\\\*ADMIN$\", \"\\\\*C$\") and \n source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::1\" and source.ip != \"::\" and source.ip != \"127.0.0.1\"]\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ShareName", "type": "unknown"}], "risk_score": 21, "rule_id": "b2318c71-5959-469a-a3ce-3a0768e63b9c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1135", "name": "Network Share Discovery", "reference": 
"https://attack.mitre.org/techniques/T1135/"}]}], "type": "eql", "version": 1}, "id": "b2318c71-5959-469a-a3ce-3a0768e63b9c_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c_2.json b/packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c_2.json
deleted file mode 100644
index 56376fb7f47..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Adversaries may look for folders and drives shared on remote systems to identify sources of information to gather as a precursor for collection and identify potential systems of interest for Lateral Movement.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*", "logs-system.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Network Share Discovery", "query": "sequence by user.name, source.port, source.ip with maxspan=15s \n [file where event.action == \"network-share-object-access-checked\" and \n winlog.event_data.ShareName : (\"\\\\*ADMIN$\", \"\\\\*C$\") and \n source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::1\" and source.ip != \"::\" and source.ip != \"127.0.0.1\"]\n [file where event.action == \"network-share-object-access-checked\" and \n winlog.event_data.ShareName : (\"\\\\*ADMIN$\", \"\\\\*C$\") and \n source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::1\" and source.ip != \"::\" and source.ip != \"127.0.0.1\"]\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ShareName", "type": "unknown"}], "risk_score": 21, "rule_id": "b2318c71-5959-469a-a3ce-3a0768e63b9c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1135", "name": "Network Share Discovery", 
"reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1039", "name": "Data from Network Shared Drive", "reference": "https://attack.mitre.org/techniques/T1039/"}]}], "type": "eql", "version": 2}, "id": "b2318c71-5959-469a-a3ce-3a0768e63b9c_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c_3.json b/packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c_3.json
deleted file mode 100644
index 9c7a540889a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Adversaries may look for folders and drives shared on remote systems to identify sources of information to gather as a precursor for collection and identify potential systems of interest for Lateral Movement.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*", "logs-system.security*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Network Share Discovery", "query": "sequence by user.name, source.port, source.ip with maxspan=15s \n [file where event.action == \"network-share-object-access-checked\" and \n winlog.event_data.ShareName in (\"\\\\\\\\*\\\\ADMIN$\", \"\\\\\\\\*\\\\C$\") and \n source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::1\" and source.ip != \"::\" and source.ip != \"127.0.0.1\"]\n [file where event.action == \"network-share-object-access-checked\" and \n winlog.event_data.ShareName in (\"\\\\\\\\*\\\\ADMIN$\", \"\\\\\\\\*\\\\C$\") and \n source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::1\" and source.ip != \"::\" and source.ip != \"127.0.0.1\"]\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ShareName", "type": "unknown"}], "risk_score": 21, "rule_id": "b2318c71-5959-469a-a3ce-3a0768e63b9c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": 
"T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1039", "name": "Data from Network Shared Drive", "reference": "https://attack.mitre.org/techniques/T1039/"}]}], "type": "eql", "version": 3}, "id": "b2318c71-5959-469a-a3ce-3a0768e63b9c_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c_4.json b/packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c_4.json
deleted file mode 100644
index 9f927e4fda3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Adversaries may look for folders and drives shared on remote systems to identify sources of information to gather as a precursor for collection and identify potential systems of interest for Lateral Movement.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*", "logs-system.security*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Network Share Discovery", "query": "sequence by user.name, source.port, source.ip with maxspan=15s \n [file where event.action == \"network-share-object-access-checked\" and \n winlog.event_data.ShareName in (\"\\\\\\\\*\\\\ADMIN$\", \"\\\\\\\\*\\\\C$\") and \n source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::1\" and source.ip != \"::\" and source.ip != \"127.0.0.1\"]\n [file where event.action == \"network-share-object-access-checked\" and \n winlog.event_data.ShareName in (\"\\\\\\\\*\\\\ADMIN$\", \"\\\\\\\\*\\\\C$\") and \n source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::1\" and source.ip != \"::\" and source.ip != \"127.0.0.1\"]\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ShareName", "type": "unknown"}], "risk_score": 21, "rule_id": "b2318c71-5959-469a-a3ce-3a0768e63b9c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Rule Type: BBR", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, 
"technique": [{"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1039", "name": "Data from Network Shared Drive", "reference": "https://attack.mitre.org/techniques/T1039/"}]}], "type": "eql", "version": 4}, "id": "b2318c71-5959-469a-a3ce-3a0768e63b9c_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c_5.json b/packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c_5.json
deleted file mode 100644
index b3999100391..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b2318c71-5959-469a-a3ce-3a0768e63b9c_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Adversaries may look for folders and drives shared on remote systems to identify sources of information to gather as a precursor for collection and identify potential systems of interest for Lateral Movement.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*", "logs-system.security*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Network Share Discovery", "query": "sequence by user.name, source.port, source.ip with maxspan=15s \n [file where event.action == \"network-share-object-access-checked\" and \n winlog.event_data.ShareName in (\"\\\\\\\\*\\\\ADMIN$\", \"\\\\\\\\*\\\\C$\") and \n source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::1\" and source.ip != \"::\" and source.ip != \"127.0.0.1\"]\n [file where event.action == \"network-share-object-access-checked\" and \n winlog.event_data.ShareName in (\"\\\\\\\\*\\\\ADMIN$\", \"\\\\\\\\*\\\\C$\") and \n source.ip != null and source.ip != \"0.0.0.0\" and source.ip != \"::1\" and source.ip != \"::\" and source.ip != \"127.0.0.1\"]\n", "related_integrations": [{"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ShareName", "type": "unknown"}], "risk_score": 21, "rule_id": "b2318c71-5959-469a-a3ce-3a0768e63b9c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Collection", "Rule Type: BBR", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, 
"technique": [{"id": "T1135", "name": "Network Share Discovery", "reference": "https://attack.mitre.org/techniques/T1135/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1039", "name": "Data from Network Shared Drive", "reference": "https://attack.mitre.org/techniques/T1039/"}]}], "type": "eql", "version": 5}, "id": "b2318c71-5959-469a-a3ce-3a0768e63b9c_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71.json b/packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71.json
deleted file mode 100644
index 385fea79bb0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, if not caused by a surge in business activity, can be due to suspicious or malicious activity. Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.", "false_positives": ["Business workflows that occur very occasionally, and involve an unusual surge in network traffic, can trigger this alert. A new business workflow or a surge in business activity may trigger this alert. A misconfigured network application or firewall may trigger this alert."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "high_count_network_events", "name": "Spike in Network Traffic", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "b240bfb8-26b7-4e5e-924e-218144a3fa71", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Network Packet Capture\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Network Packet Capture Integration Setup\nThe Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment \u2014 ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"network_traffic\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cNetwork Packet Capture\u201d and select the integration to see more details about it.\n- Click \u201cAdd Network Packet Capture\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cnetwork_traffic\u201d to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).\n", "severity": "low", "tags": ["Use Case: Threat Detection", 
"Rule Type: ML", "Rule Type: Machine Learning"], "type": "machine_learning", "version": 104}, "id": "b240bfb8-26b7-4e5e-924e-218144a3fa71", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71_101.json b/packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71_101.json deleted file mode 100644 index 245e01e3f24..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71_101.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, if not caused by a surge in business activity, can be due to suspicious or malicious activity. Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.", "false_positives": ["Business workflows that occur very occasionally, and involve an unusual surge in network traffic, can trigger this alert. A new business workflow or a surge in business activity may trigger this alert. A misconfigured network application or firewall may trigger this alert."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "high_count_network_events", "name": "Spike in Network Traffic", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "b240bfb8-26b7-4e5e-924e-218144a3fa71", "severity": "low", "tags": ["Elastic", "Network", "Threat Detection", "ML", "Machine Learning"], "type": "machine_learning", "version": 101}, "id": "b240bfb8-26b7-4e5e-924e-218144a3fa71_101", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71_102.json b/packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71_102.json deleted file mode 100644 index 74cf0452c03..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71_102.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, if not caused by a surge in business activity, can be due to suspicious or malicious activity. Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.", "false_positives": ["Business workflows that occur very occasionally, and involve an unusual surge in network traffic, can trigger this alert. A new business workflow or a surge in business activity may trigger this alert. A misconfigured network application or firewall may trigger this alert."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "high_count_network_events", "name": "Spike in Network Traffic", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "b240bfb8-26b7-4e5e-924e-218144a3fa71", "severity": "low", "tags": ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"], "type": "machine_learning", "version": 102}, "id": "b240bfb8-26b7-4e5e-924e-218144a3fa71_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71_103.json b/packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71_103.json deleted file mode 100644 index 00b2e340cb5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b240bfb8-26b7-4e5e-924e-218144a3fa71_103.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, if not caused by a surge in business activity, can be due to suspicious or malicious activity. Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.", "false_positives": ["Business workflows that occur very occasionally, and involve an unusual surge in network traffic, can trigger this alert. A new business workflow or a surge in business activity may trigger this alert. A misconfigured network application or firewall may trigger this alert."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "high_count_network_events", "name": "Spike in Network Traffic", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "b240bfb8-26b7-4e5e-924e-218144a3fa71", "severity": "low", "tags": ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"], "type": "machine_learning", "version": 103}, "id": "b240bfb8-26b7-4e5e-924e-218144a3fa71_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee.json b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee.json
deleted file mode 100644
index 5358e96bf17..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.", "from": "now-9m", "index": ["logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Copy via TeamViewer", "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\") and\n not \n (\n file.path : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\*.js\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\TeamViewer\\\\update.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\?\\\\TeamViewer\\\\update.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\TeamViewer\\\\CustomConfigs\\\\???????\\\\TeamViewer_Resource_??.dll\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\TeamViewer\\\\CustomConfigs\\\\???????\\\\TeamViewer*.exe\"\n ) and process.code_signature.trusted == true\n )\n", "references": ["http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}, {"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_104.json b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_104.json
deleted file mode 100644
index 705b22e6fb3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Copy via TeamViewer", "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\")\n", "references": ["https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}, {"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": 
"b25a7df2-120a-4db2-bd3f-3e4b86b24bee_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_105.json b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_105.json
deleted file mode 100644
index 48d9270153a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Copy via TeamViewer", "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\")\n", "references": ["https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}, {"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": 
"b25a7df2-120a-4db2-bd3f-3e4b86b24bee_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_106.json b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_106.json
deleted file mode 100644
index 12cd4fb272b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Copy via TeamViewer", "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\")\n", "references": ["https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}, {"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": 
"eql", "version": 106}, "id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_107.json b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_107.json
deleted file mode 100644
index 67dbbb36848..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Copy via TeamViewer", "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\")\n", "references": ["https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}, {"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_108.json b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_108.json deleted file mode 100644 index 11dc8e58b1b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Copy via TeamViewer", "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\") and\n not \n (\n file.path : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\*.js\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\TeamViewer\\\\update.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\?\\\\TeamViewer\\\\update.exe\"\n ) and process.code_signature.trusted == true\n )\n", "references": ["https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}, {"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_109.json b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_109.json
deleted file mode 100644
index a8158b900f2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Copy via TeamViewer", "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\") and\n not \n (\n file.path : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\*.js\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\TeamViewer\\\\update.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\?\\\\TeamViewer\\\\update.exe\"\n ) and process.code_signature.trusted == true\n )\n", "references": ["http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}, {"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_110.json b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_110.json
deleted file mode 100644
index 16d66e85002..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Copy via TeamViewer", "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\") and\n not \n (\n file.path : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\*.js\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\TeamViewer\\\\update.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\?\\\\TeamViewer\\\\update.exe\"\n ) and process.code_signature.trusted == true\n )\n", "references": ["http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}, {"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_111.json b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_111.json
deleted file mode 100644
index 9122d4dafa3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.", "from": "now-9m", "index": ["logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Copy via TeamViewer", "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\") and\n not \n (\n file.path : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\*.js\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\TeamViewer\\\\update.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\?\\\\TeamViewer\\\\update.exe\"\n ) and process.code_signature.trusted == true\n )\n", "references": ["http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}, {"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_112.json b/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_112.json
deleted file mode 100644
index e33e0a408bc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b25a7df2-120a-4db2-bd3f-3e4b86b24bee_112.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.", "from": "now-9m", "index": ["logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Copy via TeamViewer", "note": "## Triage and analysis\n\n### Investigating Remote File Copy via TeamViewer\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files.\n\nTeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Contact the user to gather information about who and why was conducting the remote access.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and process.name : \"TeamViewer.exe\" and\n file.extension : (\"exe\", \"dll\", \"scr\", \"com\", \"bat\", \"ps1\", \"vbs\", \"vbe\", \"js\", \"wsh\", \"hta\") and\n not \n (\n file.path : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\*.js\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\TeamViewer\\\\update.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\?\\\\TeamViewer\\\\update.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\TeamViewer\\\\CustomConfigs\\\\???????\\\\TeamViewer_Resource_??.dll\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\TeamViewer\\\\CustomConfigs\\\\???????\\\\TeamViewer*.exe\"\n ) and process.code_signature.trusted == true\n )\n", "references": ["http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}, {"id": "T1219", "name": "Remote Access Software", "reference": "https://attack.mitre.org/techniques/T1219/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "b25a7df2-120a-4db2-bd3f-3e4b86b24bee_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745.json b/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745.json
deleted file mode 100644
index 06dd83bd6e6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security.", "false_positives": ["Users or System Administrator cleaning out folders."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Unusual Volume of File Deletion", "note": "", "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Unusual volume of file deletion\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "b2951150-658f-4a60-832f-a00d1e6c6745", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "b2951150-658f-4a60-832f-a00d1e6c6745", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_101.json b/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_101.json
deleted file mode 100644
index b9ca081af9a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_101.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security.", "false_positives": ["Users or System Administrator cleaning out folders."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Unusual Volume of File Deletion", "note": "", "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Unusual volume of file deletion\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "b2951150-658f-4a60-832f-a00d1e6c6745", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "b2951150-658f-4a60-832f-a00d1e6c6745_101", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_102.json b/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_102.json
deleted file mode 100644
index fa90d34d14d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security.", "false_positives": ["Users or System Administrator cleaning out folders."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Unusual Volume of File Deletion", "note": "", "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Unusual volume of file deletion\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "b2951150-658f-4a60-832f-a00d1e6c6745", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "b2951150-658f-4a60-832f-a00d1e6c6745_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_103.json b/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_103.json
deleted file mode 100644
index ff8b62b6851..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security.", "false_positives": ["Users or System Administrator cleaning out folders."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Unusual Volume of File Deletion", "note": "", "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Unusual volume of file deletion\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "b2951150-658f-4a60-832f-a00d1e6c6745", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "b2951150-658f-4a60-832f-a00d1e6c6745_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_105.json b/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_105.json
deleted file mode 100644
index 950a2052baa..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b2951150-658f-4a60-832f-a00d1e6c6745_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security.", "false_positives": ["Users or System Administrator cleaning out folders."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Unusual Volume of File Deletion", "note": "", "query": "event.dataset:o365.audit and event.provider:SecurityComplianceCenter and event.category:web and event.action:\"Unusual volume of file deletion\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy", "https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "b2951150-658f-4a60-832f-a00d1e6c6745", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "b2951150-658f-4a60-832f-a00d1e6c6745_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8.json b/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8.json
deleted file mode 100644
index 3138e4bc2c7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Compiled HTML File", "note": "## Triage and analysis\n\n### Investigating Network Connection via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\nThis rule identifies network connections done by `hh.exe`, which can potentially indicate abuse to download malicious files or tooling, or masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the command lines for suspicious activities.\n - Retrieve `.chm`, `.ps1`, and other files that were involved for further examination.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - 
Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the 
system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"hh.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"hh.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and\n not dns.question.name : \"localhost\"]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": 
"keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.001", "name": "Compiled HTML File", "reference": "https://attack.mitre.org/techniques/T1218/001/"}]}]}], "type": "eql", "version": 108}, "id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_102.json b/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_102.json deleted file mode 100644 index bb93ff4442d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Compiled HTML File", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"hh.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"hh.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.001", "name": "Compiled HTML File", "reference": "https://attack.mitre.org/techniques/T1218/001/"}]}]}], "type": "eql", "version": 102}, "id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_103.json b/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_103.json deleted file mode 100644 index 1c0785efe9e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Compiled HTML File", "note": "## Triage and analysis\n\n### Investigating Network Connection via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\nThis rule identifies network connections done by `hh.exe`, which can potentially indicate abuse to download malicious files or tooling, or masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the command lines for suspicious activities.\n - Retrieve `.chm`, `.ps1`, and other files that were involved for further examination.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, 
pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious 
artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"hh.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"hh.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": 
"Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.001", "name": "Compiled HTML File", "reference": "https://attack.mitre.org/techniques/T1218/001/"}]}]}], "type": "eql", "version": 103}, "id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_104.json b/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_104.json deleted file mode 100644 index ee3ec9045b1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Compiled HTML File", "note": "## Triage and analysis\n\n### Investigating Network Connection via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\nThis rule identifies network connections done by `hh.exe`, which can potentially indicate abuse to download malicious files or tooling, or masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the command lines for suspicious activities.\n - Retrieve `.chm`, `.ps1`, and other files that were involved for further examination.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, 
pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious 
artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"hh.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"hh.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.001", "name": "Compiled HTML File", "reference": "https://attack.mitre.org/techniques/T1218/001/"}]}]}], "type": "eql", "version": 104}, "id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_105.json b/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_105.json deleted file mode 100644 index 2ccb35a8a5c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Compiled HTML File", "note": "## Triage and analysis\n\n### Investigating Network Connection via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\nThis rule identifies network connections done by `hh.exe`, which can potentially indicate abuse to download malicious files or tooling, or masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the command lines for suspicious activities.\n - Retrieve `.chm`, `.ps1`, and other files that were involved for further examination.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, 
pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious 
artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"hh.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"hh.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.001", "name": "Compiled HTML File", "reference": "https://attack.mitre.org/techniques/T1218/001/"}]}]}], "type": "eql", "version": 105}, "id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_106.json b/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_106.json deleted file mode 100644 index 01ec618bff7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Compiled HTML File", "note": "## Triage and analysis\n\n### Investigating Network Connection via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\nThis rule identifies network connections done by `hh.exe`, which can potentially indicate abuse to download malicious files or tooling, or masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the command lines for suspicious activities.\n - Retrieve `.chm`, `.ps1`, and other files that were involved for further examination.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, 
pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious 
artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"hh.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"hh.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and\n not dns.question.name : \"localhost\"]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", 
"Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.001", "name": "Compiled HTML File", "reference": "https://attack.mitre.org/techniques/T1218/001/"}]}]}], "type": "eql", "version": 106}, "id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_107.json b/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_107.json deleted file mode 100644 index 41d5504e813..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Compiled HTML File", "note": "## Triage and analysis\n\n### Investigating Network Connection via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\nThis rule identifies network connections done by `hh.exe`, which can potentially indicate abuse to download malicious files or tooling, or masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the command lines for suspicious activities.\n - Retrieve `.chm`, `.ps1`, and other files that were involved for further examination.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, 
pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious 
artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"hh.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"hh.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and\n not dns.question.name : \"localhost\"]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", 
"Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.001", "name": "Compiled HTML File", "reference": "https://attack.mitre.org/techniques/T1218/001/"}]}]}], "type": "eql", "version": 107}, "id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_108.json b/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_108.json deleted file mode 100644 index 2090e2a654b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b29ee2be-bf99-446c-ab1a-2dc0183394b8_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Compiled HTML File", "note": "## Triage and analysis\n\n### Investigating Network Connection via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\nThis rule identifies network connections done by `hh.exe`, which can potentially indicate abuse to download malicious files or tooling, or masquerading.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Examine the command lines for suspicious activities.\n - Retrieve `.chm`, `.ps1`, and other files that were involved for further examination.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - 
Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the 
system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"hh.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"hh.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and\n not dns.question.name : \"localhost\"]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": 
"keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.001", "name": "Compiled HTML File", "reference": "https://attack.mitre.org/techniques/T1218/001/"}]}]}], "type": "eql", "version": 108}, "id": "b29ee2be-bf99-446c-ab1a-2dc0183394b8_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c.json b/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c.json
deleted file mode 100644
index 937c0c253bb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", "false_positives": ["Uncommon user activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_anomalous_user_name"], "name": "Unusual Linux Username", "note": "## Triage and analysis\n\n### Investigating an Unusual Linux User\nDetection alerts from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. 
If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "b347b919-665f-4aac-b9e8-68369bf2340c", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "type": "machine_learning", "version": 104}, "id": "b347b919-665f-4aac-b9e8-68369bf2340c", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_101.json b/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_101.json deleted file mode 100644 index 568721a9d20..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", "false_positives": ["Uncommon user activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_anomalous_user_name"], "name": "Unusual Linux Username", "note": "## Triage and analysis\n\n### Investigating an Unusual Linux User\nDetection alerts from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. 
If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "b347b919-665f-4aac-b9e8-68369bf2340c", "severity": "low", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "type": "machine_learning", "version": 101}, "id": "b347b919-665f-4aac-b9e8-68369bf2340c_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_102.json b/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_102.json
deleted file mode 100644
index 5a7fe0dd949..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", "false_positives": ["Uncommon user activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_anomalous_user_name"], "name": "Unusual Linux Username", "note": "## Triage and analysis\n\n### Investigating an Unusual Linux User\nDetection alerts from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. 
If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "b347b919-665f-4aac-b9e8-68369bf2340c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "type": "machine_learning", "version": 102}, "id": "b347b919-665f-4aac-b9e8-68369bf2340c_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_103.json b/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_103.json
deleted file mode 100644
index 79dd2fd4cd4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b347b919-665f-4aac-b9e8-68369bf2340c_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected activity for a username that is not normally active, which can indicate unauthorized changes, activity by unauthorized users, lateral movement, or compromised credentials. In many organizations, new usernames are not often created apart from specific types of system activities, such as creating new accounts for new employees. These user accounts quickly become active and routine. Events from rarely used usernames can point to suspicious activity. Additionally, automated Linux fleets tend to see activity from rarely used usernames only when personnel log in to make authorized or unauthorized changes, or threat actors have acquired credentials and log in for malicious purposes. Unusual usernames can also indicate pivoting, where compromised credentials are used to try and move laterally from one host to another.", "false_positives": ["Uncommon user activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_anomalous_user_name"], "name": "Unusual Linux Username", "note": "## Triage and analysis\n\n### Investigating an Unusual Linux User\nDetection alerts from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:\n- Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?\n- Examine the history of user activity. If this user only manifested recently, it might be a service account for a new software package. 
If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "b347b919-665f-4aac-b9e8-68369bf2340c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "type": "machine_learning", "version": 103}, "id": "b347b919-665f-4aac-b9e8-68369bf2340c_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b36c99af-b944-4509-a523-7e0fad275be1.json b/packages/security_detection_engine/kibana/security_rule/b36c99af-b944-4509-a523-7e0fad275be1.json
deleted file mode 100644
index 1204ea0fbb7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b36c99af-b944-4509-a523-7e0fad275be1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an AWS RDS DB snapshot. Snapshots contain a full backup of an entire DB instance. Unauthorized deletion of snapshots can make it impossible to recover critical or sensitive data. This rule detects deleted snapshots and instances modified so that backupRetentionPeriod is set to 0 which disables automated backups and is functionally similar to deleting the system snapshot.", "false_positives": ["Snapshots may be deleted by a system administrator. Verify whether the user identity should be making changes in your environment. Snapshot deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-6m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "eql", "license": "Elastic License v2", "name": "AWS RDS Snapshot Deleted", "query": "any where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"rds.amazonaws.com\"\n and event.outcome == \"success\"\n and (\n event.action in (\"DeleteDBSnapshot\", \"DeleteDBClusterSnapshot\") or \n (event.action == \"ModifyDBInstance\" and stringContains(aws.cloudtrail.request_parameters, \"backupRetentionPeriod=0\"))\n )\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteSnapshot.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBSnapshot.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.request_parameters", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "b36c99af-b944-4509-a523-7e0fad275be1", "severity": "medium", 
"tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "b36c99af-b944-4509-a523-7e0fad275be1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b36c99af-b944-4509-a523-7e0fad275be1_1.json b/packages/security_detection_engine/kibana/security_rule/b36c99af-b944-4509-a523-7e0fad275be1_1.json
deleted file mode 100644
index e04526a3df3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b36c99af-b944-4509-a523-7e0fad275be1_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an AWS RDS DB snapshot. Snapshots contain a full backup of an entire DB instance. Unauthorized deletion of snapshots can make it impossible to recover critical or sensitive data. This rule detects deleted snapshots and instances modified so that backupRetentionPeriod is set to 0 which disables automated backups and is functionally similar to deleting the system snapshot.", "false_positives": ["Snapshots may be deleted by a system administrator. Verify whether the user identity should be making changes in your environment. Snapshot deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-10m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "eql", "license": "Elastic License v2", "name": "AWS RDS Snapshot Deleted", "query": "any where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"rds.amazonaws.com\"\n and event.outcome == \"success\"\n and (\n event.action in (\"DeleteDBSnapshot\", \"DeleteDBClusterSnapshot\") or \n (event.action == \"ModifyDBInstance\" and stringContains(aws.cloudtrail.request_parameters, \"backupRetentionPeriod=0\"))\n )\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteSnapshot.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBSnapshot.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.request_parameters", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "b36c99af-b944-4509-a523-7e0fad275be1", "severity": "medium", 
"tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "b36c99af-b944-4509-a523-7e0fad275be1_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a.json b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a.json
deleted file mode 100644
index f9610c0d33a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Endpoint Security Parent Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"esensor.exe\", \"elastic-endpoint.exe\") and\n process.parent.executable != null and\n /* add FPs here */\n not process.parent.executable : (\n \"?:\\\\Program Files\\\\Elastic\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault*.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Windows\\\\explorer.exe\"\n ) and\n not (\n process.parent.executable : (\n \"?:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"?:\\\\Windows\\\\System32\\\\SecurityHealthHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"\n ) and\n process.args : (\n \"test\", \"version\",\n \"top\", \"run\",\n \"*help\", \"status\",\n \"upgrade\", \"/launch\",\n \"/enable\"\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not 
added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_104.json b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_104.json
deleted file mode 100644
index 84f3bb0c6dc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Endpoint Security Parent Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"esensor.exe\", \"elastic-endpoint.exe\") and\n process.parent.executable != null and\n /* add FPs here */\n not process.parent.executable : (\"C:\\\\Program Files\\\\Elastic\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"C:\\\\Windows\\\\System32\\\\WerFault*.exe\",\n \"C:\\\\Windows\\\\System32\\\\wermgr.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": 
"https://attack.mitre.org/techniques/T1036/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_105.json b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_105.json deleted file mode 100644 index 1fc642bc0d9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Endpoint Security Parent Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"esensor.exe\", \"elastic-endpoint.exe\") and\n process.parent.executable != null and\n /* add FPs here */\n not process.parent.executable : (\"C:\\\\Program Files\\\\Elastic\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"C:\\\\Windows\\\\System32\\\\WerFault*.exe\",\n \"C:\\\\Windows\\\\System32\\\\wermgr.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": 
"https://attack.mitre.org/techniques/T1036/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_106.json b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_106.json deleted file mode 100644 index 55259a09adc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Endpoint Security Parent Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"esensor.exe\", \"elastic-endpoint.exe\") and\n process.parent.executable != null and\n /* add FPs here */\n not process.parent.executable : (\"C:\\\\Program Files\\\\Elastic\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"C:\\\\Windows\\\\System32\\\\WerFault*.exe\",\n \"C:\\\\Windows\\\\System32\\\\wermgr.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": 
"Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_107.json b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_107.json deleted file mode 100644 index 1b62bc4c97d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Endpoint Security Parent Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"esensor.exe\", \"elastic-endpoint.exe\") and\n process.parent.executable != null and\n /* add FPs here */\n not process.parent.executable : (\"C:\\\\Program Files\\\\Elastic\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"C:\\\\Windows\\\\System32\\\\WerFault*.exe\",\n \"C:\\\\Windows\\\\System32\\\\wermgr.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": 
"Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_108.json b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_108.json deleted file mode 100644 index 957e9543924..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Endpoint Security Parent Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"esensor.exe\", \"elastic-endpoint.exe\") and\n process.parent.executable != null and\n /* add FPs here */\n not process.parent.executable : (\"C:\\\\Program Files\\\\Elastic\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\services.exe\",\n \"C:\\\\Windows\\\\System32\\\\WerFault*.exe\",\n \"C:\\\\Windows\\\\System32\\\\wermgr.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_109.json b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_109.json deleted file mode 100644 index 99c538dc41c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Endpoint Security Parent Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"esensor.exe\", \"elastic-endpoint.exe\") and\n process.parent.executable != null and\n /* add FPs here */\n not process.parent.executable : (\n \"?:\\\\Program Files\\\\Elastic\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault*.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Windows\\\\explorer.exe\"\n ) and\n not (\n process.parent.executable : (\n \"?:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"?:\\\\Windows\\\\System32\\\\SecurityHealthHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"\n ) and\n process.args : (\n \"test\", \"version\",\n \"top\", \"run\",\n \"*help\", \"status\",\n \"upgrade\", \"/launch\",\n \"/enable\"\n )\n )\n \n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this 
rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_110.json b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_110.json deleted file mode 100644 index 4d46e801eb8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Endpoint Security Parent Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"esensor.exe\", \"elastic-endpoint.exe\") and\n process.parent.executable != null and\n /* add FPs here */\n not process.parent.executable : (\n \"?:\\\\Program Files\\\\Elastic\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault*.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Windows\\\\explorer.exe\"\n ) and\n not (\n process.parent.executable : (\n \"?:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"?:\\\\Windows\\\\System32\\\\SecurityHealthHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"\n ) and\n process.args : (\n \"test\", \"version\",\n \"top\", \"run\",\n \"*help\", \"status\",\n \"upgrade\", \"/launch\",\n \"/enable\"\n )\n )\n \n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added 
until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_111.json b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_111.json deleted file mode 100644 index 8d437040ac0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Endpoint Security Parent Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"esensor.exe\", \"elastic-endpoint.exe\") and\n process.parent.executable != null and\n /* add FPs here */\n not process.parent.executable : (\n \"?:\\\\Program Files\\\\Elastic\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault*.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Windows\\\\explorer.exe\"\n ) and\n not (\n process.parent.executable : (\n \"?:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"?:\\\\Windows\\\\System32\\\\SecurityHealthHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"\n ) and\n process.args : (\n \"test\", \"version\",\n \"top\", \"run\",\n \"*help\", \"status\",\n \"upgrade\", \"/launch\",\n \"/enable\"\n )\n )\n \n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was 
not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_112.json b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_112.json deleted file mode 100644 index 66b6cf779d9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_112.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Endpoint Security Parent Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"esensor.exe\", \"elastic-endpoint.exe\") and\n process.parent.executable != null and\n /* add FPs here */\n not process.parent.executable : (\n \"?:\\\\Program Files\\\\Elastic\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault*.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Windows\\\\explorer.exe\"\n ) and\n not (\n process.parent.executable : (\n \"?:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"?:\\\\Windows\\\\System32\\\\SecurityHealthHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"\n ) and\n process.args : (\n \"test\", \"version\",\n \"top\", \"run\",\n \"*help\", \"status\",\n \"upgrade\", \"/launch\",\n \"/enable\"\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not 
added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_113.json b/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_113.json deleted file mode 100644 index 4b686ec11a6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b41a13c6-ba45-4bab-a534-df53d0cfed6a_113.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Endpoint Security Parent Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"esensor.exe\", \"elastic-endpoint.exe\") and\n process.parent.executable != null and\n /* add FPs here */\n not process.parent.executable : (\n \"?:\\\\Program Files\\\\Elastic\\\\*\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault*.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Windows\\\\explorer.exe\"\n ) and\n not (\n process.parent.executable : (\n \"?:\\\\Windows\\\\System32\\\\cmd.exe\",\n \"?:\\\\Windows\\\\System32\\\\SecurityHealthHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\"\n ) and\n process.args : (\n \"test\", \"version\",\n \"top\", \"run\",\n \"*help\", \"status\",\n \"upgrade\", \"/launch\",\n \"/enable\"\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not 
added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "b41a13c6-ba45-4bab-a534-df53d0cfed6a_113", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80.json b/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80.json deleted file mode 100644 index 11e8e4f1fe1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Code Signing Policy Modification Through Built-in tools", "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Built-in tools\n\nWindows Driver Signature Enforcement (DSE) is a security feature introduced by Microsoft to enforce that only signed drivers can be loaded and executed into the kernel (ring 0). This feature was introduced to prevent attackers from loading their malicious drivers on targets. If the driver has an invalid signature, the system will not allow it to be loaded.\n\nThis protection is essential for maintaining the security of the system. However, attackers or even administrators can disable this feature and load untrusted drivers, as this can put the system at risk. Therefore, it is important to keep this feature enabled and only load drivers from trusted sources to ensure the integrity and security of the system.\n\nThis rule identifies commands that can disable the Driver Signature Enforcement feature.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the command was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name: \"bcdedit.exe\" or ?process.pe.original_file_name == \"bcdedit.exe\") and process.args: (\"-set\", \"/set\") and \n process.args: (\"TESTSIGNING\", \"nointegritychecks\", \"loadoptions\", \"DISABLE_INTEGRITY_CHECKS\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.006", "name": "Code Signing Policy Modification", "reference": "https://attack.mitre.org/techniques/T1553/006/"}]}]}], "timestamp_override": "event.ingested", 
"type": "eql", "version": 9}, "id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_2.json b/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_2.json deleted file mode 100644 index f58398ec433..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Code Signing Policy Modification Through Built-in tools", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n /* Windows */\n ((process.name: \"bcdedit.exe\" or process.pe.original_file_name == \"bcdedit.exe\") and process.args: (\"-set\", \"/set\") and \n process.args: (\"TESTSIGNING\", \"nointegritychecks\", \"loadoptions\", \"DISABLE_INTEGRITY_CHECKS\")) or\n \n /* MacOS */\n (process.executable: \"/usr/bin/csrutil\" and process.args: \"disable\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "macOS", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust 
Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.006", "name": "Code Signing Policy Modification", "reference": "https://attack.mitre.org/techniques/T1553/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_209.json b/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_209.json
deleted file mode 100644
index 2e0b1f69116..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_209.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Code Signing Policy Modification Through Built-in tools", "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Built-in tools\n\nWindows Driver Signature Enforcement (DSE) is a security feature introduced by Microsoft to enforce that only signed drivers can be loaded and executed into the kernel (ring 0). This feature was introduced to prevent attackers from loading their malicious drivers on targets. If the driver has an invalid signature, the system will not allow it to be loaded.\n\nThis protection is essential for maintaining the security of the system. However, attackers or even administrators can disable this feature and load untrusted drivers, as this can put the system at risk. Therefore, it is important to keep this feature enabled and only load drivers from trusted sources to ensure the integrity and security of the system.\n\nThis rule identifies commands that can disable the Driver Signature Enforcement feature.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the command was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name: \"bcdedit.exe\" or ?process.pe.original_file_name == \"bcdedit.exe\") and process.args: (\"-set\", \"/set\") and \n process.args: (\"TESTSIGNING\", \"nointegritychecks\", \"loadoptions\", \"DISABLE_INTEGRITY_CHECKS\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": 
"https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.006", "name": "Code Signing Policy Modification", "reference": "https://attack.mitre.org/techniques/T1553/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 209}, "id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80_209", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_3.json b/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_3.json deleted file mode 100644 index 47dc33c1b8c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Code Signing Policy Modification Through Built-in tools", "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Built-in tools\n\nWindows Driver Signature Enforcement (DSE) is a security feature introduced by Microsoft to enforce that only signed drivers can be loaded and executed into the kernel (ring 0). This feature was introduced to prevent attackers from loading their malicious drivers on targets. If the driver has an invalid signature, the system will not allow it to be loaded.\n\nThis protection is essential for maintaining the security of the system. However, attackers or even administrators can disable this feature and load untrusted drivers, as this can put the system at risk. Therefore, it is important to keep this feature enabled and only load drivers from trusted sources to ensure the integrity and security of the system.\n\nThis rule identifies commands that can disable the Driver Signature Enforcement feature.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the command was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name: \"bcdedit.exe\" or process.pe.original_file_name == \"bcdedit.exe\") and process.args: (\"-set\", \"/set\") and \n process.args: (\"TESTSIGNING\", \"nointegritychecks\", \"loadoptions\", \"DISABLE_INTEGRITY_CHECKS\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.006", "name": "Code Signing Policy Modification", "reference": "https://attack.mitre.org/techniques/T1553/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80_3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_4.json b/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_4.json
deleted file mode 100644
index 50e856318b6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Code Signing Policy Modification Through Built-in tools", "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Built-in tools\n\nWindows Driver Signature Enforcement (DSE) is a security feature introduced by Microsoft to enforce that only signed drivers can be loaded and executed into the kernel (ring 0). This feature was introduced to prevent attackers from loading their malicious drivers on targets. If the driver has an invalid signature, the system will not allow it to be loaded.\n\nThis protection is essential for maintaining the security of the system. However, attackers or even administrators can disable this feature and load untrusted drivers, as this can put the system at risk. Therefore, it is important to keep this feature enabled and only load drivers from trusted sources to ensure the integrity and security of the system.\n\nThis rule identifies commands that can disable the Driver Signature Enforcement feature.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the command was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name: \"bcdedit.exe\" or process.pe.original_file_name == \"bcdedit.exe\") and process.args: (\"-set\", \"/set\") and \n process.args: (\"TESTSIGNING\", \"nointegritychecks\", \"loadoptions\", \"DISABLE_INTEGRITY_CHECKS\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.006", "name": "Code Signing Policy Modification", "reference": "https://attack.mitre.org/techniques/T1553/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80_4", "type": "security-rule"} 
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_5.json b/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_5.json
deleted file mode 100644
index 5cff04417b7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Code Signing Policy Modification Through Built-in tools", "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Built-in tools\n\nWindows Driver Signature Enforcement (DSE) is a security feature introduced by Microsoft to enforce that only signed drivers can be loaded and executed into the kernel (ring 0). This feature was introduced to prevent attackers from loading their malicious drivers on targets. If the driver has an invalid signature, the system will not allow it to be loaded.\n\nThis protection is essential for maintaining the security of the system. However, attackers or even administrators can disable this feature and load untrusted drivers, as this can put the system at risk. Therefore, it is important to keep this feature enabled and only load drivers from trusted sources to ensure the integrity and security of the system.\n\nThis rule identifies commands that can disable the Driver Signature Enforcement feature.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the command was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name: \"bcdedit.exe\" or process.pe.original_file_name == \"bcdedit.exe\") and process.args: (\"-set\", \"/set\") and \n process.args: (\"TESTSIGNING\", \"nointegritychecks\", \"loadoptions\", \"DISABLE_INTEGRITY_CHECKS\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.006", "name": "Code Signing Policy Modification", "reference": "https://attack.mitre.org/techniques/T1553/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": 
"b43570de-a908-4f7f-8bdb-b2df6ffd8c80_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_6.json b/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_6.json
deleted file mode 100644
index bde3474d397..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Code Signing Policy Modification Through Built-in tools", "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Built-in tools\n\nWindows Driver Signature Enforcement (DSE) is a security feature introduced by Microsoft to enforce that only signed drivers can be loaded and executed into the kernel (ring 0). This feature was introduced to prevent attackers from loading their malicious drivers on targets. If the driver has an invalid signature, the system will not allow it to be loaded.\n\nThis protection is essential for maintaining the security of the system. However, attackers or even administrators can disable this feature and load untrusted drivers, as this can put the system at risk. Therefore, it is important to keep this feature enabled and only load drivers from trusted sources to ensure the integrity and security of the system.\n\nThis rule identifies commands that can disable the Driver Signature Enforcement feature.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the command was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name: \"bcdedit.exe\" or ?process.pe.original_file_name == \"bcdedit.exe\") and process.args: (\"-set\", \"/set\") and \n process.args: (\"TESTSIGNING\", \"nointegritychecks\", \"loadoptions\", \"DISABLE_INTEGRITY_CHECKS\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.006", "name": "Code Signing Policy Modification", "reference": "https://attack.mitre.org/techniques/T1553/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 
6}, "id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_7.json b/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_7.json
deleted file mode 100644
index 32211a0340b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Code Signing Policy Modification Through Built-in tools", "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Built-in tools\n\nWindows Driver Signature Enforcement (DSE) is a security feature introduced by Microsoft to enforce that only signed drivers can be loaded and executed into the kernel (ring 0). This feature was introduced to prevent attackers from loading their malicious drivers on targets. If the driver has an invalid signature, the system will not allow it to be loaded.\n\nThis protection is essential for maintaining the security of the system. However, attackers or even administrators can disable this feature and load untrusted drivers, as this can put the system at risk. Therefore, it is important to keep this feature enabled and only load drivers from trusted sources to ensure the integrity and security of the system.\n\nThis rule identifies commands that can disable the Driver Signature Enforcement feature.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the command was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name: \"bcdedit.exe\" or ?process.pe.original_file_name == \"bcdedit.exe\") and process.args: (\"-set\", \"/set\") and \n process.args: (\"TESTSIGNING\", \"nointegritychecks\", \"loadoptions\", \"DISABLE_INTEGRITY_CHECKS\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.006", "name": "Code Signing Policy Modification", "reference": "https://attack.mitre.org/techniques/T1553/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 
7}, "id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_8.json b/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_8.json
deleted file mode 100644
index 0bdb15bbc43..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Code Signing Policy Modification Through Built-in tools", "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Built-in tools\n\nWindows Driver Signature Enforcement (DSE) is a security feature introduced by Microsoft to enforce that only signed drivers can be loaded and executed into the kernel (ring 0). This feature was introduced to prevent attackers from loading their malicious drivers on targets. If the driver has an invalid signature, the system will not allow it to be loaded.\n\nThis protection is essential for maintaining the security of the system. However, attackers or even administrators can disable this feature and load untrusted drivers, as this can put the system at risk. Therefore, it is important to keep this feature enabled and only load drivers from trusted sources to ensure the integrity and security of the system.\n\nThis rule identifies commands that can disable the Driver Signature Enforcement feature.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the command was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name: \"bcdedit.exe\" or ?process.pe.original_file_name == \"bcdedit.exe\") and process.args: (\"-set\", \"/set\") and \n process.args: (\"TESTSIGNING\", \"nointegritychecks\", \"loadoptions\", \"DISABLE_INTEGRITY_CHECKS\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.006", "name": "Code Signing Policy Modification", "reference": "https://attack.mitre.org/techniques/T1553/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 
8}, "id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80_8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_9.json b/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_9.json
deleted file mode 100644
index cbb378c990f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b43570de-a908-4f7f-8bdb-b2df6ffd8c80_9.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable/modify the code signing policy through system native utilities. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Code Signing Policy Modification Through Built-in tools", "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Built-in tools\n\nWindows Driver Signature Enforcement (DSE) is a security feature introduced by Microsoft to enforce that only signed drivers can be loaded and executed into the kernel (ring 0). This feature was introduced to prevent attackers from loading their malicious drivers on targets. If the driver has an invalid signature, the system will not allow it to be loaded.\n\nThis protection is essential for maintaining the security of the system. However, attackers or even administrators can disable this feature and load untrusted drivers, as this can put the system at risk. Therefore, it is important to keep this feature enabled and only load drivers from trusted sources to ensure the integrity and security of the system.\n\nThis rule identifies commands that can disable the Driver Signature Enforcement feature.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the command was executed.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name: \"bcdedit.exe\" or ?process.pe.original_file_name == \"bcdedit.exe\") and process.args: (\"-set\", \"/set\") and \n process.args: (\"TESTSIGNING\", \"nointegritychecks\", \"loadoptions\", \"DISABLE_INTEGRITY_CHECKS\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.006", "name": "Code Signing Policy Modification", "reference": "https://attack.mitre.org/techniques/T1553/006/"}]}]}], "timestamp_override": "event.ingested", 
"type": "eql", "version": 9}, "id": "b43570de-a908-4f7f-8bdb-b2df6ffd8c80_9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7.json b/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7.json deleted file mode 100644 index cc426081cc2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the Atom desktop text editor Init File. Adversaries may add malicious JavaScript code to the init.coffee file that will be executed upon the Atom application opening.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence via Atom Init Script Modification", "query": "event.category:file and host.os.type:macos and not event.type:\"deletion\" and\n file.path:/Users/*/.atom/init.coffee and not process.name:(Atom or xpcproxy) and not user.name:root\n", "references": ["https://github.com/D00MFist/PersistentJXA/blob/master/AtomPersist.js", "https://flight-manual.atom.io/hacking-atom/sections/the-init-file/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b4449455-f986-4b5a-82ed-e36b129331f7", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "b4449455-f986-4b5a-82ed-e36b129331f7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_102.json b/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_102.json
deleted file mode 100644
index 2a344066ead..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the Atom desktop text editor Init File. Adversaries may add malicious JavaScript code to the init.coffee file that will be executed upon the Atom application opening.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence via Atom Init Script Modification", "query": "event.category:file and host.os.type:macos and not event.type:\"deletion\" and\n file.path:/Users/*/.atom/init.coffee and not process.name:(Atom or xpcproxy) and not user.name:root\n", "references": ["https://github.com/D00MFist/PersistentJXA/blob/master/AtomPersist.js", "https://flight-manual.atom.io/hacking-atom/sections/the-init-file/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b4449455-f986-4b5a-82ed-e36b129331f7", "severity": "low", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "b4449455-f986-4b5a-82ed-e36b129331f7_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_103.json b/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_103.json
deleted file mode 100644
index fc6aaebe5be..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the Atom desktop text editor Init File. Adversaries may add malicious JavaScript code to the init.coffee file that will be executed upon the Atom application opening.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence via Atom Init Script Modification", "query": "event.category:file and host.os.type:macos and not event.type:\"deletion\" and\n file.path:/Users/*/.atom/init.coffee and not process.name:(Atom or xpcproxy) and not user.name:root\n", "references": ["https://github.com/D00MFist/PersistentJXA/blob/master/AtomPersist.js", "https://flight-manual.atom.io/hacking-atom/sections/the-init-file/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b4449455-f986-4b5a-82ed-e36b129331f7", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "b4449455-f986-4b5a-82ed-e36b129331f7_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_104.json b/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_104.json
deleted file mode 100644
index 1025e14e7df..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the Atom desktop text editor Init File. Adversaries may add malicious JavaScript code to the init.coffee file that will be executed upon the Atom application opening.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence via Atom Init Script Modification", "query": "event.category:file and host.os.type:macos and not event.type:\"deletion\" and\n file.path:/Users/*/.atom/init.coffee and not process.name:(Atom or xpcproxy) and not user.name:root\n", "references": ["https://github.com/D00MFist/PersistentJXA/blob/master/AtomPersist.js", "https://flight-manual.atom.io/hacking-atom/sections/the-init-file/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b4449455-f986-4b5a-82ed-e36b129331f7", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "b4449455-f986-4b5a-82ed-e36b129331f7_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_105.json b/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_105.json
deleted file mode 100644
index cdd57052470..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b4449455-f986-4b5a-82ed-e36b129331f7_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the Atom desktop text editor Init File. Adversaries may add malicious JavaScript code to the init.coffee file that will be executed upon the Atom application opening.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Persistence via Atom Init Script Modification", "query": "event.category:file and host.os.type:macos and not event.type:\"deletion\" and\n file.path:/Users/*/.atom/init.coffee and not process.name:(Atom or xpcproxy) and not user.name:root\n", "references": ["https://github.com/D00MFist/PersistentJXA/blob/master/AtomPersist.js", "https://flight-manual.atom.io/hacking-atom/sections/the-init-file/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b4449455-f986-4b5a-82ed-e36b129331f7", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "b4449455-f986-4b5a-82ed-e36b129331f7_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807.json b/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807.json
deleted file mode 100644
index 0d599ef45c1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.", "false_positives": ["GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS STS GetSessionToken Abuse", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and\naws.cloudtrail.user_identity.type:IAMUser and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.user_identity.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "b45ab1d2-712f-4f01-a751-df3826969807", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS STS", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, 
"technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "b45ab1d2-712f-4f01-a751-df3826969807", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_102.json b/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_102.json deleted file mode 100644 index b10198dd132..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_102.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.", "false_positives": ["GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS STS GetSessionToken Abuse", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and\naws.cloudtrail.user_identity.type:IAMUser and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.user_identity.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "b45ab1d2-712f-4f01-a751-df3826969807", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", 
"reference": "https://attack.mitre.org/techniques/T1548/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "b45ab1d2-712f-4f01-a751-df3826969807_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_103.json b/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_103.json deleted file mode 100644 index fbdc4818bbf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_103.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.", "false_positives": ["GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS STS GetSessionToken Abuse", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and\naws.cloudtrail.user_identity.type:IAMUser and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.user_identity.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "b45ab1d2-712f-4f01-a751-df3826969807", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": 
"Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "b45ab1d2-712f-4f01-a751-df3826969807_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_104.json b/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_104.json deleted file mode 100644 index 538b3265541..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.", "false_positives": ["GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS STS GetSessionToken Abuse", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and\naws.cloudtrail.user_identity.type:IAMUser and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.user_identity.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "b45ab1d2-712f-4f01-a751-df3826969807", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "b45ab1d2-712f-4f01-a751-df3826969807_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_205.json b/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_205.json
deleted file mode 100644
index 60173de9e15..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b45ab1d2-712f-4f01-a751-df3826969807_205.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.", "false_positives": ["GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS STS GetSessionToken Abuse", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and\naws.cloudtrail.user_identity.type:IAMUser and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.user_identity.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "b45ab1d2-712f-4f01-a751-df3826969807", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "b45ab1d2-712f-4f01-a751-df3826969807_205", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b483365c-98a8-40c0-92d8-0458ca25058a.json b/packages/security_detection_engine/kibana/security_rule/b483365c-98a8-40c0-92d8-0458ca25058a.json
deleted file mode 100644
index eba482dbe42..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b483365c-98a8-40c0-92d8-0458ca25058a.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies use of at.exe to interact with the task scheduler on remote hosts. Remote task creations, modifications or execution could be indicative of adversary lateral movement.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "At.exe Command Lateral Movement", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"at.exe\" and process.args : \"\\\\\\\\*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b483365c-98a8-40c0-92d8-0458ca25058a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.002", "name": "At", "reference": "https://attack.mitre.org/techniques/T1053/002/"}, {"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "b483365c-98a8-40c0-92d8-0458ca25058a", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b483365c-98a8-40c0-92d8-0458ca25058a_1.json b/packages/security_detection_engine/kibana/security_rule/b483365c-98a8-40c0-92d8-0458ca25058a_1.json
deleted file mode 100644
index ae190b80503..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b483365c-98a8-40c0-92d8-0458ca25058a_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies use of at.exe to interact with the task scheduler on remote hosts. Remote task creations, modifications or execution could be indicative of adversary lateral movement.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "At.exe Command Lateral Movement", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"at.exe\" and process.args : \"\\\\\\\\*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b483365c-98a8-40c0-92d8-0458ca25058a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "b483365c-98a8-40c0-92d8-0458ca25058a_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b483365c-98a8-40c0-92d8-0458ca25058a_2.json b/packages/security_detection_engine/kibana/security_rule/b483365c-98a8-40c0-92d8-0458ca25058a_2.json
deleted file mode 100644
index 71fd3ccbd34..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b483365c-98a8-40c0-92d8-0458ca25058a_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies use of at.exe to interact with the task scheduler on remote hosts. Remote task creations, modifications or execution could be indicative of adversary lateral movement.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "At.exe Command Lateral Movement", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"at.exe\" and process.args : \"\\\\\\\\*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b483365c-98a8-40c0-92d8-0458ca25058a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.002", "name": "At", "reference": "https://attack.mitre.org/techniques/T1053/002/"}, {"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "b483365c-98a8-40c0-92d8-0458ca25058a_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b483365c-98a8-40c0-92d8-0458ca25058a_3.json b/packages/security_detection_engine/kibana/security_rule/b483365c-98a8-40c0-92d8-0458ca25058a_3.json
deleted file mode 100644
index d74973d04f1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b483365c-98a8-40c0-92d8-0458ca25058a_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies use of at.exe to interact with the task scheduler on remote hosts. Remote task creations, modifications or execution could be indicative of adversary lateral movement.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "At.exe Command Lateral Movement", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"at.exe\" and process.args : \"\\\\\\\\*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b483365c-98a8-40c0-92d8-0458ca25058a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.002", "name": "At", "reference": "https://attack.mitre.org/techniques/T1053/002/"}, {"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "b483365c-98a8-40c0-92d8-0458ca25058a_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b483365c-98a8-40c0-92d8-0458ca25058a_4.json b/packages/security_detection_engine/kibana/security_rule/b483365c-98a8-40c0-92d8-0458ca25058a_4.json
deleted file mode 100644
index 2ce92a1d20e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b483365c-98a8-40c0-92d8-0458ca25058a_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies use of at.exe to interact with the task scheduler on remote hosts. Remote task creations, modifications or execution could be indicative of adversary lateral movement.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "At.exe Command Lateral Movement", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"at.exe\" and process.args : \"\\\\\\\\*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b483365c-98a8-40c0-92d8-0458ca25058a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.002", "name": "At", "reference": "https://attack.mitre.org/techniques/T1053/002/"}, {"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "b483365c-98a8-40c0-92d8-0458ca25058a_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9.json b/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9.json
deleted file mode 100644
index 50bb1215347..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta policies are regularly deleted in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Policy", "note": "## Triage and analysis\n\n### Investigating Attempt to Delete an Okta Policy\n\nOkta policies are critical to managing user access and enforcing security controls within an organization. The deletion of an Okta policy could drastically weaken an organization's security posture by allowing unrestricted access or facilitating other malicious activities.\n\nThis rule detects attempts to delete an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. Adversaries may do this to bypass security barriers and enable further malicious activities.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deletion attempt.\n- Check the `okta.outcome.result` field to confirm the policy deletion attempt.\n- Check if there are multiple policy deletion attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy deletion attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deletion attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deletion attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deletion attempt. If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy deletion is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deletion technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.lifecycle.delete\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_102.json b/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_102.json
deleted file mode 100644
index 5ad819f2e8b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta policies are regularly deleted in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Policy", "note": "", "query": "event.dataset:okta.system and event.action:policy.lifecycle.delete\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_103.json b/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_103.json
deleted file mode 100644
index 41258657605..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta policies are regularly deleted in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Policy", "note": "", "query": "event.dataset:okta.system and event.action:policy.lifecycle.delete\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_104.json b/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_104.json
deleted file mode 100644
index abfae28b2c2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta policies are regularly deleted in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Policy", "note": "## Triage and analysis\n\n### Investigating Attempt to Delete an Okta Policy\n\nOkta policies are critical to managing user access and enforcing security controls within an organization. The deletion of an Okta policy could drastically weaken an organization's security posture by allowing unrestricted access or facilitating other malicious activities.\n\nThis rule detects attempts to delete an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. 
Adversaries may do this to bypass security barriers and enable further malicious activities.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deletion attempt.\n- Check the `okta.outcome.result` field to confirm the policy deletion attempt.\n- Check if there are multiple policy deletion attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy deletion attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deletion attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deletion attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deletion attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy deletion is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deletion technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.lifecycle.delete\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", 
"tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_105.json b/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_105.json
deleted file mode 100644
index 091b4c4390c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta policies are regularly deleted in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Policy", "note": "## Triage and analysis\n\n### Investigating Attempt to Delete an Okta Policy\n\nOkta policies are critical to managing user access and enforcing security controls within an organization. The deletion of an Okta policy could drastically weaken an organization's security posture by allowing unrestricted access or facilitating other malicious activities.\n\nThis rule detects attempts to delete an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. 
Adversaries may do this to bypass security barriers and enable further malicious activities.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deletion attempt.\n- Check the `okta.outcome.result` field to confirm the policy deletion attempt.\n- Check if there are multiple policy deletion attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy deletion attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deletion attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deletion attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deletion attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy deletion is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deletion technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.lifecycle.delete\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", 
"tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_206.json b/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_206.json
deleted file mode 100644
index ab0cb049135..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_206.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta policies are regularly deleted in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Policy", "note": "## Triage and analysis\n\n### Investigating Attempt to Delete an Okta Policy\n\nOkta policies are critical to managing user access and enforcing security controls within an organization. The deletion of an Okta policy could drastically weaken an organization's security posture by allowing unrestricted access or facilitating other malicious activities.\n\nThis rule detects attempts to delete an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. 
Adversaries may do this to bypass security barriers and enable further malicious activities.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deletion attempt.\n- Check the `okta.outcome.result` field to confirm the policy deletion attempt.\n- Check if there are multiple policy deletion attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy deletion attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deletion attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deletion attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deletion attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy deletion is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deletion technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.lifecycle.delete\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", 
"tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_206", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_207.json b/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_207.json
deleted file mode 100644
index 68ae34511da..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_207.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta policies are regularly deleted in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Policy", "note": "## Triage and analysis\n\n### Investigating Attempt to Delete an Okta Policy\n\nOkta policies are critical to managing user access and enforcing security controls within an organization. The deletion of an Okta policy could drastically weaken an organization's security posture by allowing unrestricted access or facilitating other malicious activities.\n\nThis rule detects attempts to delete an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. 
Adversaries may do this to bypass security barriers and enable further malicious activities.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deletion attempt.\n- Check the `okta.outcome.result` field to confirm the policy deletion attempt.\n- Check if there are multiple policy deletion attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy deletion attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deletion attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deletion attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deletion attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy deletion is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deletion technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.lifecycle.delete\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": 
"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_207", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_209.json b/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_209.json
deleted file mode 100644
index 90d49d960ac..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_209.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta policies are regularly deleted in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Policy", "note": "## Triage and analysis\n\n### Investigating Attempt to Delete an Okta Policy\n\nOkta policies are critical to managing user access and enforcing security controls within an organization. The deletion of an Okta policy could drastically weaken an organization's security posture by allowing unrestricted access or facilitating other malicious activities.\n\nThis rule detects attempts to delete an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. 
Adversaries may do this to bypass security barriers and enable further malicious activities.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deletion attempt.\n- Check the `okta.outcome.result` field to confirm the policy deletion attempt.\n- Check if there are multiple policy deletion attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy deletion attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deletion attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deletion attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deletion attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy deletion is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deletion technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.lifecycle.delete\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": 
"b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_209", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_309.json b/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_309.json
new file mode 100644
index 00000000000..1bf7f2f09a8
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_309.json
@@ -0,0 +1,84 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects attempts to delete an Okta policy. An adversary may attempt to delete an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to delete an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.",
+ "false_positives": [
+ "Consider adding exceptions to this rule to filter false positives if Okta policies are regularly deleted in your organization."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempt to Delete an Okta Policy",
+ "note": "## Triage and analysis\n\n### Investigating Attempt to Delete an Okta Policy\n\nOkta policies are critical to managing user access and enforcing security controls within an organization. The deletion of an Okta policy could drastically weaken an organization's security posture by allowing unrestricted access or facilitating other malicious activities.\n\nThis rule detects attempts to delete an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. 
Adversaries may do this to bypass security barriers and enable further malicious activities.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deletion attempt.\n- Check the `okta.outcome.result` field to confirm the policy deletion attempt.\n- Check if there are multiple policy deletion attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy deletion attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deletion attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deletion attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deletion attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy deletion is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deletion technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "query": "event.dataset:okta.system and event.action:policy.lifecycle.delete\n",
+ "references": [
+ "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.007",
+ "name": "Disable or Modify Cloud Firewall",
+ "reference": "https://attack.mitre.org/techniques/T1562/007/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 309
+ },
+ "id": "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9_309",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57.json b/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57.json
deleted file mode 100644
index a2919380ae0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57.json
+++ /dev/null
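Review bot: The ATT&CK sub-technique on the new side, `"id": "T1562.007"` / `"name": "Disable or Modify Cloud Firewall"`, is a loose fit for the deletion of an Okta sign-on or MFA policy, which is an identity-provider control rather than a cloud firewall; the parent technique T1562 (Impair Defenses) on its own, or T1556 (Modify Authentication Process) for the MFA example the description itself gives, would describe the behaviour more accurately for analysts who pivot on technique tags. The same mapping is carried over unchanged from the deleted 103–209 versions, so it is inherited rather than introduced here, and since these rule files appear to be generated from the upstream rules repository, the correction would need to land there rather than in this package sync. The query, `event.dataset:okta.system and event.action:policy.lifecycle.delete`, matches both successful and failed deletions, which is consistent with the rule's "Attempt" naming and with the note's advice to confirm the outcome through `okta.outcome.result`, so no change is needed there.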
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to exploit a local privilege escalation (CVE-2023-2640 and CVE-2023-32629) via a flaw in Ubuntu's modifications to OverlayFS. These flaws allow the creation of specialized executables, which, upon execution, grant the ability to escalate privileges to root on the affected machine.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via OverlayFS", "query": "sequence by process.parent.entity_id, host.id with maxspan=5s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.name == \"unshare\" and process.args : (\"-r\", \"-rm\", \"m\") and process.args : \"*cap_setuid*\" and user.id != \"0\"]\n [process where host.os.type == \"linux\" and event.action == \"uid_change\" and event.type == \"change\" and \n user.id == \"0\"]\n", "references": ["https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability", "https://twitter.com/liadeliyahu/status/1684841527959273472"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "b51dbc92-84e2-4af1-ba47-65183fcd0c57", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 5}, "id": "b51dbc92-84e2-4af1-ba47-65183fcd0c57", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_1.json b/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_1.json deleted file mode 100644 index c862294a89d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to exploit a local privilege escalation (CVE-2023-2640 and CVE-2023-32629) via a flaw in Ubuntu's modifications to OverlayFS. These flaws allow the creation of specialized executables, which, upon execution, grant the ability to escalate privileges to root on the affected machine.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via OverlayFS", "query": "sequence by process.parent.entity_id, host.id with maxspan=5s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name == \"unshare\" and process.args : (\"-r\", \"-rm\", \"m\") and process.args : \"*cap_setuid*\" and user.id != \"0\"]\n [process where host.os.type == \"linux\" and event.action == \"uid_change\" and event.type == \"change\" and \n user.id == \"0\"]\n", "references": ["https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability", "https://twitter.com/liadeliyahu/status/1684841527959273472"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "b51dbc92-84e2-4af1-ba47-65183fcd0c57", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", 
"reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 1}, "id": "b51dbc92-84e2-4af1-ba47-65183fcd0c57_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_2.json b/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_2.json deleted file mode 100644 index 58dbbb08a3c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to exploit a local privilege escalation (CVE-2023-2640 and CVE-2023-32629) via a flaw in Ubuntu's modifications to OverlayFS. These flaws allow the creation of specialized executables, which, upon execution, grant the ability to escalate privileges to root on the affected machine.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via OverlayFS", "query": "sequence by process.parent.entity_id, host.id with maxspan=5s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name == \"unshare\" and process.args : (\"-r\", \"-rm\", \"m\") and process.args : \"*cap_setuid*\" and user.id != \"0\"]\n [process where host.os.type == \"linux\" and event.action == \"uid_change\" and event.type == \"change\" and \n user.id == \"0\"]\n", "references": ["https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability", "https://twitter.com/liadeliyahu/status/1684841527959273472"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "b51dbc92-84e2-4af1-ba47-65183fcd0c57", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", 
"name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 2}, "id": "b51dbc92-84e2-4af1-ba47-65183fcd0c57_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_3.json b/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_3.json deleted file mode 100644 index aabf836fe50..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to exploit a local privilege escalation (CVE-2023-2640 and CVE-2023-32629) via a flaw in Ubuntu's modifications to OverlayFS. These flaws allow the creation of specialized executables, which, upon execution, grant the ability to escalate privileges to root on the affected machine.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via OverlayFS", "query": "sequence by process.parent.entity_id, host.id with maxspan=5s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name == \"unshare\" and process.args : (\"-r\", \"-rm\", \"m\") and process.args : \"*cap_setuid*\" and user.id != \"0\"]\n [process where host.os.type == \"linux\" and event.action == \"uid_change\" and event.type == \"change\" and \n user.id == \"0\"]\n", "references": ["https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability", "https://twitter.com/liadeliyahu/status/1684841527959273472"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "b51dbc92-84e2-4af1-ba47-65183fcd0c57", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 3}, "id": "b51dbc92-84e2-4af1-ba47-65183fcd0c57_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_4.json b/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_4.json deleted file mode 100644 index 20451804226..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b51dbc92-84e2-4af1-ba47-65183fcd0c57_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to exploit a local privilege escalation (CVE-2023-2640 and CVE-2023-32629) via a flaw in Ubuntu's modifications to OverlayFS. These flaws allow the creation of specialized executables, which, upon execution, grant the ability to escalate privileges to root on the affected machine.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via OverlayFS", "query": "sequence by process.parent.entity_id, host.id with maxspan=5s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name == \"unshare\" and process.args : (\"-r\", \"-rm\", \"m\") and process.args : \"*cap_setuid*\" and user.id != \"0\"]\n [process where host.os.type == \"linux\" and event.action == \"uid_change\" and event.type == \"change\" and \n user.id == \"0\"]\n", "references": ["https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability", "https://twitter.com/liadeliyahu/status/1684841527959273472"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "b51dbc92-84e2-4af1-ba47-65183fcd0c57", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 4}, "id": "b51dbc92-84e2-4af1-ba47-65183fcd0c57_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b.json b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b.json deleted file mode 100644 index 4e25c4a591b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Clearing Windows Console History", "note": "## Triage and analysis\n\n### Investigating Clearing Windows Console History\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can try to cover their tracks by clearing PowerShell console history. PowerShell has two different ways of logging commands: the built-in history and the command history managed by the PSReadLine module. This rule looks for the execution of commands that can clear the built-in PowerShell logs or delete the `ConsoleHost_history.txt` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the PowerShell logs on the SIEM to determine if there was suspicious behavior that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility.\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name == \"PowerShell.EXE\") and\n (process.args : \"*Clear-History*\" or\n (process.args : (\"*Remove-Item*\", \"rm\") and process.args : (\"*ConsoleHost_history.txt*\", \"*(Get-PSReadlineOption).HistorySavePath*\")) or\n (process.args : \"*Set-PSReadlineOption*\" and process.args : \"*SaveNothing*\"))\n", "references": ["https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/", "https://www.shellhacks.com/clear-history-powershell/", "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", 
"type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "b5877334-677f-4fb9-86d5-a9721274223b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.003", "name": "Clear Command History", "reference": "https://attack.mitre.org/techniques/T1070/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": 
"b5877334-677f-4fb9-86d5-a9721274223b", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_104.json b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_104.json deleted file mode 100644 index bffe22c9c33..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Clearing Windows Console History", "note": "## Triage and analysis\n\n### Investigating Clearing Windows Console History\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can try to cover their tracks by clearing PowerShell console history. PowerShell has two different ways of logging commands: the built-in history and the command history managed by the PSReadLine module. This rule looks for the execution of commands that can clear the built-in PowerShell logs or delete the `ConsoleHost_history.txt` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the PowerShell logs on the SIEM to determine if there was suspicious behavior that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility.", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n (process.args : \"*Clear-History*\" or\n (process.args : (\"*Remove-Item*\", \"rm\") and process.args : (\"*ConsoleHost_history.txt*\", \"*(Get-PSReadlineOption).HistorySavePath*\")) or\n (process.args : \"*Set-PSReadlineOption*\" and process.args : \"*SaveNothing*\"))\n", "references": ["https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/", "https://www.shellhacks.com/clear-history-powershell/", "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": 
"host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "b5877334-677f-4fb9-86d5-a9721274223b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.003", "name": "Clear Command History", "reference": "https://attack.mitre.org/techniques/T1070/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "b5877334-677f-4fb9-86d5-a9721274223b_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_105.json b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_105.json deleted file mode 100644 index 94335d7523d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Clearing Windows Console History", "note": "## Triage and analysis\n\n### Investigating Clearing Windows Console History\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can try to cover their tracks by clearing PowerShell console history. PowerShell has two different ways of logging commands: the built-in history and the command history managed by the PSReadLine module. This rule looks for the execution of commands that can clear the built-in PowerShell logs or delete the `ConsoleHost_history.txt` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the PowerShell logs on the SIEM to determine if there was suspicious behavior that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility.", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n (process.args : \"*Clear-History*\" or\n (process.args : (\"*Remove-Item*\", \"rm\") and process.args : (\"*ConsoleHost_history.txt*\", \"*(Get-PSReadlineOption).HistorySavePath*\")) or\n (process.args : \"*Set-PSReadlineOption*\" and process.args : \"*SaveNothing*\"))\n", "references": ["https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/", "https://www.shellhacks.com/clear-history-powershell/", "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": 
"host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "b5877334-677f-4fb9-86d5-a9721274223b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.003", "name": "Clear Command History", "reference": "https://attack.mitre.org/techniques/T1070/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "b5877334-677f-4fb9-86d5-a9721274223b_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_106.json b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_106.json deleted file mode 100644 index 3c47a9a1942..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Clearing Windows Console History", "note": "## Triage and analysis\n\n### Investigating Clearing Windows Console History\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can try to cover their tracks by clearing PowerShell console history. PowerShell has two different ways of logging commands: the built-in history and the command history managed by the PSReadLine module. This rule looks for the execution of commands that can clear the built-in PowerShell logs or delete the `ConsoleHost_history.txt` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the PowerShell logs on the SIEM to determine if there was suspicious behavior that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility.", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n (process.args : \"*Clear-History*\" or\n (process.args : (\"*Remove-Item*\", \"rm\") and process.args : (\"*ConsoleHost_history.txt*\", \"*(Get-PSReadlineOption).HistorySavePath*\")) or\n (process.args : \"*Set-PSReadlineOption*\" and process.args : \"*SaveNothing*\"))\n", "references": ["https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/", "https://www.shellhacks.com/clear-history-powershell/", "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": 
"host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "b5877334-677f-4fb9-86d5-a9721274223b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.003", "name": "Clear Command History", "reference": "https://attack.mitre.org/techniques/T1070/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "b5877334-677f-4fb9-86d5-a9721274223b_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_107.json b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_107.json deleted file mode 100644 index 7011515bea9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Clearing Windows Console History", "note": "## Triage and analysis\n\n### Investigating Clearing Windows Console History\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can try to cover their tracks by clearing PowerShell console history. PowerShell has two different ways of logging commands: the built-in history and the command history managed by the PSReadLine module. This rule looks for the execution of commands that can clear the built-in PowerShell logs or delete the `ConsoleHost_history.txt` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the PowerShell logs on the SIEM to determine if there was suspicious behavior that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility.", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n (process.args : \"*Clear-History*\" or\n (process.args : (\"*Remove-Item*\", \"rm\") and process.args : (\"*ConsoleHost_history.txt*\", \"*(Get-PSReadlineOption).HistorySavePath*\")) or\n (process.args : \"*Set-PSReadlineOption*\" and process.args : \"*SaveNothing*\"))\n", "references": ["https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/", "https://www.shellhacks.com/clear-history-powershell/", "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": 
"host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "b5877334-677f-4fb9-86d5-a9721274223b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.003", "name": "Clear Command History", "reference": "https://attack.mitre.org/techniques/T1070/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "b5877334-677f-4fb9-86d5-a9721274223b_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_108.json b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_108.json
deleted file mode 100644
index 0022acdd516..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Clearing Windows Console History", "note": "## Triage and analysis\n\n### Investigating Clearing Windows Console History\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can try to cover their tracks by clearing PowerShell console history. PowerShell has two different ways of logging commands: the built-in history and the command history managed by the PSReadLine module. This rule looks for the execution of commands that can clear the built-in PowerShell logs or delete the `ConsoleHost_history.txt` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the PowerShell logs on the SIEM to determine if there was suspicious behavior that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility.\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n (process.args : \"*Clear-History*\" or\n (process.args : (\"*Remove-Item*\", \"rm\") and process.args : (\"*ConsoleHost_history.txt*\", \"*(Get-PSReadlineOption).HistorySavePath*\")) or\n (process.args : \"*Set-PSReadlineOption*\" and process.args : \"*SaveNothing*\"))\n", "references": ["https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/", "https://www.shellhacks.com/clear-history-powershell/", "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": 
"host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "b5877334-677f-4fb9-86d5-a9721274223b", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.003", "name": "Clear Command History", "reference": "https://attack.mitre.org/techniques/T1070/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "b5877334-677f-4fb9-86d5-a9721274223b_108", "type": "security-rule"} \ No newline at 
end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_109.json b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_109.json
deleted file mode 100644
index 9213134be4f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Clearing Windows Console History", "note": "## Triage and analysis\n\n### Investigating Clearing Windows Console History\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can try to cover their tracks by clearing PowerShell console history. PowerShell has two different ways of logging commands: the built-in history and the command history managed by the PSReadLine module. This rule looks for the execution of commands that can clear the built-in PowerShell logs or delete the `ConsoleHost_history.txt` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the PowerShell logs on the SIEM to determine if there was suspicious behavior that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility.\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name == \"PowerShell.EXE\") and\n (process.args : \"*Clear-History*\" or\n (process.args : (\"*Remove-Item*\", \"rm\") and process.args : (\"*ConsoleHost_history.txt*\", \"*(Get-PSReadlineOption).HistorySavePath*\")) or\n (process.args : \"*Set-PSReadlineOption*\" and process.args : \"*SaveNothing*\"))\n", "references": ["https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/", "https://www.shellhacks.com/clear-history-powershell/", "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", 
"type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "b5877334-677f-4fb9-86d5-a9721274223b", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.003", "name": "Clear Command History", "reference": "https://attack.mitre.org/techniques/T1070/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": 
"b5877334-677f-4fb9-86d5-a9721274223b_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_110.json b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_110.json deleted file mode 100644 index ee6103ff110..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_110.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Clearing Windows Console History", "note": "## Triage and analysis\n\n### Investigating Clearing Windows Console History\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can try to cover their tracks by clearing PowerShell console history. PowerShell has two different ways of logging commands: the built-in history and the command history managed by the PSReadLine module. This rule looks for the execution of commands that can clear the built-in PowerShell logs or delete the `ConsoleHost_history.txt` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the PowerShell logs on the SIEM to determine if there was suspicious behavior that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility.\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name == \"PowerShell.EXE\") and\n (process.args : \"*Clear-History*\" or\n (process.args : (\"*Remove-Item*\", \"rm\") and process.args : (\"*ConsoleHost_history.txt*\", \"*(Get-PSReadlineOption).HistorySavePath*\")) or\n (process.args : \"*Set-PSReadlineOption*\" and process.args : \"*SaveNothing*\"))\n", "references": ["https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/", "https://www.shellhacks.com/clear-history-powershell/", "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", 
"type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "b5877334-677f-4fb9-86d5-a9721274223b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.003", "name": "Clear Command History", "reference": "https://attack.mitre.org/techniques/T1070/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": 
"b5877334-677f-4fb9-86d5-a9721274223b_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_111.json b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_111.json
deleted file mode 100644
index 417ebdbd247..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Clearing Windows Console History", "note": "## Triage and analysis\n\n### Investigating Clearing Windows Console History\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can try to cover their tracks by clearing PowerShell console history. PowerShell has two different ways of logging commands: the built-in history and the command history managed by the PSReadLine module. This rule looks for the execution of commands that can clear the built-in PowerShell logs or delete the `ConsoleHost_history.txt` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the PowerShell logs on the SIEM to determine if there was suspicious behavior that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility.\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name == \"PowerShell.EXE\") and\n (process.args : \"*Clear-History*\" or\n (process.args : (\"*Remove-Item*\", \"rm\") and process.args : (\"*ConsoleHost_history.txt*\", \"*(Get-PSReadlineOption).HistorySavePath*\")) or\n (process.args : \"*Set-PSReadlineOption*\" and process.args : \"*SaveNothing*\"))\n", "references": ["https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/", "https://www.shellhacks.com/clear-history-powershell/", "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", 
"type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "b5877334-677f-4fb9-86d5-a9721274223b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.003", "name": "Clear Command History", "reference": "https://attack.mitre.org/techniques/T1070/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": 
"b5877334-677f-4fb9-86d5-a9721274223b_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_112.json b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_112.json
deleted file mode 100644
index 547c4854c51..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_112.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Clearing Windows Console History", "note": "## Triage and analysis\n\n### Investigating Clearing Windows Console History\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can try to cover their tracks by clearing PowerShell console history. PowerShell has two different ways of logging commands: the built-in history and the command history managed by the PSReadLine module. This rule looks for the execution of commands that can clear the built-in PowerShell logs or delete the `ConsoleHost_history.txt` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the PowerShell logs on the SIEM to determine if there was suspicious behavior that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility.\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name == \"PowerShell.EXE\") and\n (process.args : \"*Clear-History*\" or\n (process.args : (\"*Remove-Item*\", \"rm\") and process.args : (\"*ConsoleHost_history.txt*\", \"*(Get-PSReadlineOption).HistorySavePath*\")) or\n (process.args : \"*Set-PSReadlineOption*\" and process.args : \"*SaveNothing*\"))\n", "references": ["https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/", "https://www.shellhacks.com/clear-history-powershell/", "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", 
"type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "b5877334-677f-4fb9-86d5-a9721274223b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.003", "name": "Clear Command History", "reference": "https://attack.mitre.org/techniques/T1070/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": 
"b5877334-677f-4fb9-86d5-a9721274223b_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_312.json b/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_312.json
deleted file mode 100644
index ec80f6ccff7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b5877334-677f-4fb9-86d5-a9721274223b_312.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Clearing Windows Console History", "note": "## Triage and analysis\n\n### Investigating Clearing Windows Console History\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can try to cover their tracks by clearing PowerShell console history. PowerShell has two different ways of logging commands: the built-in history and the command history managed by the PSReadLine module. This rule looks for the execution of commands that can clear the built-in PowerShell logs or delete the `ConsoleHost_history.txt` file.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the PowerShell logs on the SIEM to determine if there was suspicious behavior that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility.\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name == \"PowerShell.EXE\") and\n (process.args : \"*Clear-History*\" or\n (process.args : (\"*Remove-Item*\", \"rm\") and process.args : (\"*ConsoleHost_history.txt*\", \"*(Get-PSReadlineOption).HistorySavePath*\")) or\n (process.args : \"*Set-PSReadlineOption*\" and process.args : \"*SaveNothing*\"))\n", "references": ["https://stefanos.cloud/kb/how-to-clear-the-powershell-command-history/", "https://www.shellhacks.com/clear-history-powershell/", "https://community.sophos.com/sophos-labs/b/blog/posts/powershell-command-history-forensics"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "b5877334-677f-4fb9-86d5-a9721274223b", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions 
<8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.003", "name": "Clear Command History", "reference": "https://attack.mitre.org/techniques/T1070/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 312}, "id": "b5877334-677f-4fb9-86d5-a9721274223b_312", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921.json b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921.json
deleted file mode 100644
index 39ebc302ae0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deleted or Resized via VssAdmin", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deleted or Resized via VssAdmin\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of Vssadmin.exe to either delete or resize shadow copies.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule may produce benign true positives (B-TPs). 
If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\"\n and (process.name : \"vssadmin.exe\" or ?process.pe.original_file_name == \"VSSADMIN.EXE\") and\n process.args in (\"delete\", \"resize\") and process.args : \"shadows*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", 
"name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_105.json b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_105.json
deleted file mode 100644
index f413a86ca9c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deleted or Resized via VssAdmin", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deleted or Resized via VssAdmin\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of Vssadmin.exe to either delete or resize shadow copies.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule may produce benign true positives (B-TPs). 
If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\"\n and (process.name : \"vssadmin.exe\" or process.pe.original_file_name == \"VSSADMIN.EXE\") and\n process.args in (\"delete\", \"resize\") and process.args : \"shadows*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_105", "type": 
"security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_106.json b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_106.json
deleted file mode 100644
index 30c47e1988d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deleted or Resized via VssAdmin", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deleted or Resized via VssAdmin\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of Vssadmin.exe to either delete or resize shadow copies.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule may produce benign true positives (B-TPs). 
If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\"\n and (process.name : \"vssadmin.exe\" or process.pe.original_file_name == \"VSSADMIN.EXE\") and\n process.args in (\"delete\", \"resize\") and process.args : \"shadows*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": 
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_107.json b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_107.json
deleted file mode 100644
index e13c93cda74..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deleted or Resized via VssAdmin", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deleted or Resized via VssAdmin\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of Vssadmin.exe to either delete or resize shadow copies.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule may produce benign true positives (B-TPs). 
If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\"\n and (process.name : \"vssadmin.exe\" or process.pe.original_file_name == \"VSSADMIN.EXE\") and\n process.args in (\"delete\", \"resize\") and process.args : \"shadows*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 
107}, "id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_108.json b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_108.json
deleted file mode 100644
index 1b9880d5e7a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deleted or Resized via VssAdmin", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deleted or Resized via VssAdmin\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of Vssadmin.exe to either delete or resize shadow copies.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule may produce benign true positives (B-TPs). 
If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\"\n and (process.name : \"vssadmin.exe\" or process.pe.original_file_name == \"VSSADMIN.EXE\") and\n process.args in (\"delete\", \"resize\") and process.args : \"shadows*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, 
"technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_109.json b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_109.json
deleted file mode 100644
index 615a71332bc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deleted or Resized via VssAdmin", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deleted or Resized via VssAdmin\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of Vssadmin.exe to either delete or resize shadow copies.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule may produce benign true positives (B-TPs). 
If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\"\n and (process.name : \"vssadmin.exe\" or ?process.pe.original_file_name == \"VSSADMIN.EXE\") and\n process.args in (\"delete\", \"resize\") and process.args : \"shadows*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": 
"https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_110.json b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_110.json
deleted file mode 100644
index 9d10b56490f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deleted or Resized via VssAdmin", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deleted or Resized via VssAdmin\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of Vssadmin.exe to either delete or resize shadow copies.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule may produce benign true positives (B-TPs). 
If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\"\n and (process.name : \"vssadmin.exe\" or ?process.pe.original_file_name == \"VSSADMIN.EXE\") and\n process.args in (\"delete\", \"resize\") and process.args : \"shadows*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", 
"reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_111.json b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_111.json
deleted file mode 100644
index ae728b41b7b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deleted or Resized via VssAdmin", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deleted or Resized via VssAdmin\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of Vssadmin.exe to either delete or resize shadow copies.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule may produce benign true positives (B-TPs). 
If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\"\n and (process.name : \"vssadmin.exe\" or ?process.pe.original_file_name == \"VSSADMIN.EXE\") and\n process.args in (\"delete\", \"resize\") and process.args : \"shadows*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", 
"reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_112.json b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_112.json
deleted file mode 100644
index 8d27d6f7347..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_112.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deleted or Resized via VssAdmin", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deleted or Resized via VssAdmin\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of Vssadmin.exe to either delete or resize shadow copies.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule may produce benign true positives (B-TPs). 
If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\"\n and (process.name : \"vssadmin.exe\" or ?process.pe.original_file_name == \"VSSADMIN.EXE\") and\n process.args in (\"delete\", \"resize\") and process.args : \"shadows*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", 
"name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_312.json b/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_312.json
deleted file mode 100644
index f6690ba06d9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_312.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of vssadmin.exe for shadow copy deletion or resizing on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deleted or Resized via VssAdmin", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deleted or Resized via VssAdmin\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of Vssadmin.exe to either delete or resize shadow copies.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule may produce benign true positives (B-TPs). 
If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\"\n and (process.name : \"vssadmin.exe\" or ?process.pe.original_file_name == \"VSSADMIN.EXE\") and\n process.args in (\"delete\", \"resize\") and process.args : \"shadows*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 312}, "id": 
"b5ea4bfe-a1b2-421f-9d47-22a75a6f2921_312", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b605f262-f7dc-41b5-9ebc-06bafe7a83b6.json b/packages/security_detection_engine/kibana/security_rule/b605f262-f7dc-41b5-9ebc-06bafe7a83b6.json
deleted file mode 100644
index e5e82dd1d83..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b605f262-f7dc-41b5-9ebc-06bafe7a83b6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Systemctl is a process used in Linux systems to manage systemd processes through service configuration files. Malicious actors can leverage systemd services to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Systemd Service Started by Unusual Parent Process", "new_terms_fields": ["process.parent.executable"], "note": "## Triage and analysis\n\n### Investigating Systemd Service Started by Unusual Parent Process\n\nSystemd service files are configuration files in Linux systems used to define and manage systemd services.\n\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\n\nThis rule monitors the execution of the systemctl binary to start, enable or reenable a systemd service, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE\\n'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE '/home/user/.config/systemd/user/%' )\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\nLIKE '/home/{{user.name}}/.config/systemd/user/%' )\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve 
Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential 
exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:linux and event.category:process and event.type:start and event.action:exec and\nprocess.executable:/usr/bin/systemctl and process.args:(enable or reenable or start) and \nprocess.entry_leader.entry_meta.type:* and\nnot (\n process.entry_leader.entry_meta.type:(container or init or unknown) or\n process.parent.pid:1 or\n process.parent.executable:(\n /bin/adduser or /bin/dnf or /bin/dnf-automatic or /bin/dockerd or /bin/dpkg or /bin/microdnf or /bin/pacman or\n /bin/podman or /bin/rpm or /bin/snapd or /bin/sudo or /bin/useradd or /bin/yum or /usr/bin/dnf or\n /usr/bin/dnf-automatic or /usr/bin/dockerd or /usr/bin/dpkg or /usr/bin/microdnf or /usr/bin/pacman or\n /usr/bin/podman or /usr/bin/rpm or /usr/bin/snapd or /usr/bin/sudo or /usr/bin/yum or /usr/sbin/adduser or\n /usr/sbin/invoke-rc.d or /usr/sbin/useradd or /var/lib/dpkg/*\n ) or\n process.args_count >= 5\n)\n", "references": ["https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": 
true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entry_leader.entry_meta.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}], "risk_score": 47, "rule_id": "b605f262-f7dc-41b5-9ebc-06bafe7a83b6", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 
2}, "id": "b605f262-f7dc-41b5-9ebc-06bafe7a83b6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b605f262-f7dc-41b5-9ebc-06bafe7a83b6_1.json b/packages/security_detection_engine/kibana/security_rule/b605f262-f7dc-41b5-9ebc-06bafe7a83b6_1.json
deleted file mode 100644
index 9b327b3f81b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b605f262-f7dc-41b5-9ebc-06bafe7a83b6_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Systemctl is a process used in Linux systems to manage systemd processes through service configuration files. Malicious actors can leverage systemd services to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Systemd Service Started by Unusual Parent Process", "new_terms_fields": ["process.parent.executable"], "note": "## Triage and analysis\n\n### Investigating Systemd Service Started by Unusual Parent Process\n\nSystemd service files are configuration files in Linux systems used to define and manage systemd services.\n\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\n\nThis rule monitors the execution of the systemctl binary to start, enable or reenable a systemd service, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/user/.config/systemd/user/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\npath LIKE '/etc/systemd/system/%' OR \\npath LIKE '/usr/local/lib/systemd/system/%' OR \\npath LIKE '/lib/systemd/system/%' OR\\npath LIKE '/usr/lib/systemd/system/%' OR\\npath LIKE '/home/{{user.name}}/.config/systemd/user/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve 
Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential 
exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:linux and event.category:process and event.type:start and event.action:exec and\nprocess.executable:/usr/bin/systemctl and process.args:(enable or reenable or start) and \nprocess.entry_leader.entry_meta.type:* and\nnot (\n process.entry_leader.entry_meta.type:(container or init or unknown) or\n process.parent.pid:1 or\n process.parent.executable:(\n /bin/adduser or /bin/dnf or /bin/dnf-automatic or /bin/dockerd or /bin/dpkg or /bin/microdnf or /bin/pacman or\n /bin/podman or /bin/rpm or /bin/snapd or /bin/sudo or /bin/useradd or /bin/yum or /usr/bin/dnf or\n /usr/bin/dnf-automatic or /usr/bin/dockerd or /usr/bin/dpkg or /usr/bin/microdnf or /usr/bin/pacman or\n /usr/bin/podman or /usr/bin/rpm or /usr/bin/snapd or /usr/bin/sudo or /usr/bin/yum or /usr/sbin/adduser or\n /usr/sbin/invoke-rc.d or /usr/sbin/useradd or /var/lib/dpkg/*\n ) or\n process.args_count >= 5\n)\n", "references": ["https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": 
true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entry_leader.entry_meta.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}], "risk_score": 47, "rule_id": "b605f262-f7dc-41b5-9ebc-06bafe7a83b6", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 
1}, "id": "b605f262-f7dc-41b5-9ebc-06bafe7a83b6_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b605f262-f7dc-41b5-9ebc-06bafe7a83b6_2.json b/packages/security_detection_engine/kibana/security_rule/b605f262-f7dc-41b5-9ebc-06bafe7a83b6_2.json
deleted file mode 100644
index 3d821d5bdc2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b605f262-f7dc-41b5-9ebc-06bafe7a83b6_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Systemctl is a process used in Linux systems to manage systemd processes through service configuration files. Malicious actors can leverage systemd services to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Systemd Service Started by Unusual Parent Process", "new_terms_fields": ["process.parent.executable"], "note": "## Triage and analysis\n\n### Investigating Systemd Service Started by Unusual Parent Process\n\nSystemd service files are configuration files in Linux systems used to define and manage systemd services.\n\nMalicious actors can leverage systemd service files to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\n\nThis rule monitors the execution of the systemctl binary to start, enable or reenable a systemd service, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the currently enabled systemd services through the following command `sudo systemctl list-unit-files`.\n- Investigate whether any other files in any of the available systemd directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE\\n'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE '/home/user/.config/systemd/user/%' )\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE\\n'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path\\nLIKE '/home/{{user.name}}/.config/systemd/user/%' )\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve 
Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses systemd services for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential 
exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:linux and event.category:process and event.type:start and event.action:exec and\nprocess.executable:/usr/bin/systemctl and process.args:(enable or reenable or start) and \nprocess.entry_leader.entry_meta.type:* and\nnot (\n process.entry_leader.entry_meta.type:(container or init or unknown) or\n process.parent.pid:1 or\n process.parent.executable:(\n /bin/adduser or /bin/dnf or /bin/dnf-automatic or /bin/dockerd or /bin/dpkg or /bin/microdnf or /bin/pacman or\n /bin/podman or /bin/rpm or /bin/snapd or /bin/sudo or /bin/useradd or /bin/yum or /usr/bin/dnf or\n /usr/bin/dnf-automatic or /usr/bin/dockerd or /usr/bin/dpkg or /usr/bin/microdnf or /usr/bin/pacman or\n /usr/bin/podman or /usr/bin/rpm or /usr/bin/snapd or /usr/bin/sudo or /usr/bin/yum or /usr/sbin/adduser or\n /usr/sbin/invoke-rc.d or /usr/sbin/useradd or /var/lib/dpkg/*\n ) or\n process.args_count >= 5\n)\n", "references": ["https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage", "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": 
true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entry_leader.entry_meta.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}], "risk_score": 47, "rule_id": "b605f262-f7dc-41b5-9ebc-06bafe7a83b6", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 
2}, "id": "b605f262-f7dc-41b5-9ebc-06bafe7a83b6_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd.json b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd.json
deleted file mode 100644
index e6deef8aeb9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Elastic Agent Service Terminated", "query": "process where\n/* net, sc or wmic stopping or deleting Elastic Agent on Windows */\n(event.type == \"start\" and\n process.name : (\"net.exe\", \"sc.exe\", \"wmic.exe\",\"powershell.exe\",\"taskkill.exe\",\"PsKill.exe\",\"ProcessHacker.exe\") and\n process.args : (\"stopservice\",\"uninstall\", \"stop\", \"disabled\",\"Stop-Process\",\"terminate\",\"suspend\") and\n process.args : (\"elasticendpoint\", \"Elastic Agent\",\"elastic-agent\",\"elastic-endpoint\"))\nor\n/* service or systemctl used to stop Elastic Agent on Linux */\n(event.type == \"end\" and\n (process.name : (\"systemctl\", \"service\") and\n process.args : \"elastic-agent\" and\n process.args : \"stop\")\n or\n /* pkill , killall used to stop Elastic Agent on Linux */\n ( event.type == \"end\" and process.name : (\"pkill\", \"killall\") and process.args: \"elastic-agent\")\n or\n /* Unload Elastic Agent extension on MacOS */\n (process.name : \"kextunload\" and\n process.args : \"com.apple.iokit.EndpointSecurity\" and\n event.action : \"end\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": 
"b627cd12-dac4-11ec-9582-f661ea17fbcd", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "b627cd12-dac4-11ec-9582-f661ea17fbcd", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_101.json b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_101.json deleted file mode 100644 index 05726296ff5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_101.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Elastic Agent Service Terminated", "note": "", "query": "process where\n/* net, sc or wmic stopping or deleting Elastic Agent on Windows */\n(event.type == \"start\" and\n process.name : (\"net.exe\", \"sc.exe\", \"wmic.exe\",\"powershell.exe\",\"taskkill.exe\",\"PsKill.exe\",\"ProcessHacker.exe\") and\n process.args : (\"stopservice\",\"uninstall\", \"stop\", \"disabled\",\"Stop-Process\",\"terminate\",\"suspend\") and\n process.args : (\"elasticendpoint\", \"Elastic Agent\",\"elastic-agent\",\"elastic-endpoint\"))\nor\n/* service or systemctl used to stop Elastic Agent on Linux */\n(event.type == \"end\" and\n (process.name : (\"systemctl\", \"service\") and\n process.args : \"elastic-agent\" and\n process.args : \"stop\")\n or\n /* Unload Elastic Agent extension on MacOS */\n (process.name : \"kextunload\" and\n process.args : \"com.apple.iokit.EndpointSecurity\" and\n event.action : \"end\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "b627cd12-dac4-11ec-9582-f661ea17fbcd", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` 
and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 101}, "id": "b627cd12-dac4-11ec-9582-f661ea17fbcd_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_102.json b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_102.json
deleted file mode 100644
index 6a0237f0be1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Elastic Agent Service Terminated", "note": "", "query": "process where\n/* net, sc or wmic stopping or deleting Elastic Agent on Windows */\n(event.type == \"start\" and\n process.name : (\"net.exe\", \"sc.exe\", \"wmic.exe\",\"powershell.exe\",\"taskkill.exe\",\"PsKill.exe\",\"ProcessHacker.exe\") and\n process.args : (\"stopservice\",\"uninstall\", \"stop\", \"disabled\",\"Stop-Process\",\"terminate\",\"suspend\") and\n process.args : (\"elasticendpoint\", \"Elastic Agent\",\"elastic-agent\",\"elastic-endpoint\"))\nor\n/* service or systemctl used to stop Elastic Agent on Linux */\n(event.type == \"end\" and\n (process.name : (\"systemctl\", \"service\") and\n process.args : \"elastic-agent\" and\n process.args : \"stop\")\n or\n /* Unload Elastic Agent extension on MacOS */\n (process.name : \"kextunload\" and\n process.args : \"com.apple.iokit.EndpointSecurity\" and\n event.action : \"end\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "b627cd12-dac4-11ec-9582-f661ea17fbcd", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` 
and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "b627cd12-dac4-11ec-9582-f661ea17fbcd_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_103.json b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_103.json
deleted file mode 100644
index ccebc88c9c5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Elastic Agent Service Terminated", "note": "", "query": "process where\n/* net, sc or wmic stopping or deleting Elastic Agent on Windows */\n(event.type == \"start\" and\n process.name : (\"net.exe\", \"sc.exe\", \"wmic.exe\",\"powershell.exe\",\"taskkill.exe\",\"PsKill.exe\",\"ProcessHacker.exe\") and\n process.args : (\"stopservice\",\"uninstall\", \"stop\", \"disabled\",\"Stop-Process\",\"terminate\",\"suspend\") and\n process.args : (\"elasticendpoint\", \"Elastic Agent\",\"elastic-agent\",\"elastic-endpoint\"))\nor\n/* service or systemctl used to stop Elastic Agent on Linux */\n(event.type == \"end\" and\n (process.name : (\"systemctl\", \"service\") and\n process.args : \"elastic-agent\" and\n process.args : \"stop\")\n or\n /* pkill , killall used to stop Elastic Agent on Linux */\n ( event.type == \"end\" and process.name : (\"pkill\", \"killall\") and process.args: \"elastic-agent\")\n or\n /* Unload Elastic Agent extension on MacOS */\n (process.name : \"kextunload\" and\n process.args : \"com.apple.iokit.EndpointSecurity\" and\n event.action : \"end\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": 
"b627cd12-dac4-11ec-9582-f661ea17fbcd", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "b627cd12-dac4-11ec-9582-f661ea17fbcd_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_104.json b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_104.json deleted file mode 100644 index f9ac329992e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Elastic Agent Service Terminated", "note": "", "query": "process where\n/* net, sc or wmic stopping or deleting Elastic Agent on Windows */\n(event.type == \"start\" and\n process.name : (\"net.exe\", \"sc.exe\", \"wmic.exe\",\"powershell.exe\",\"taskkill.exe\",\"PsKill.exe\",\"ProcessHacker.exe\") and\n process.args : (\"stopservice\",\"uninstall\", \"stop\", \"disabled\",\"Stop-Process\",\"terminate\",\"suspend\") and\n process.args : (\"elasticendpoint\", \"Elastic Agent\",\"elastic-agent\",\"elastic-endpoint\"))\nor\n/* service or systemctl used to stop Elastic Agent on Linux */\n(event.type == \"end\" and\n (process.name : (\"systemctl\", \"service\") and\n process.args : \"elastic-agent\" and\n process.args : \"stop\")\n or\n /* pkill , killall used to stop Elastic Agent on Linux */\n ( event.type == \"end\" and process.name : (\"pkill\", \"killall\") and process.args: \"elastic-agent\")\n or\n /* Unload Elastic Agent extension on MacOS */\n (process.name : \"kextunload\" and\n process.args : \"com.apple.iokit.EndpointSecurity\" and\n event.action : \"end\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": 
"b627cd12-dac4-11ec-9582-f661ea17fbcd", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "b627cd12-dac4-11ec-9582-f661ea17fbcd_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_105.json b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_105.json deleted file mode 100644 index 70c564a77a8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Elastic Agent Service Terminated", "query": "process where\n/* net, sc or wmic stopping or deleting Elastic Agent on Windows */\n(event.type == \"start\" and\n process.name : (\"net.exe\", \"sc.exe\", \"wmic.exe\",\"powershell.exe\",\"taskkill.exe\",\"PsKill.exe\",\"ProcessHacker.exe\") and\n process.args : (\"stopservice\",\"uninstall\", \"stop\", \"disabled\",\"Stop-Process\",\"terminate\",\"suspend\") and\n process.args : (\"elasticendpoint\", \"Elastic Agent\",\"elastic-agent\",\"elastic-endpoint\"))\nor\n/* service or systemctl used to stop Elastic Agent on Linux */\n(event.type == \"end\" and\n (process.name : (\"systemctl\", \"service\") and\n process.args : \"elastic-agent\" and\n process.args : \"stop\")\n or\n /* pkill , killall used to stop Elastic Agent on Linux */\n ( event.type == \"end\" and process.name : (\"pkill\", \"killall\") and process.args: \"elastic-agent\")\n or\n /* Unload Elastic Agent extension on MacOS */\n (process.name : \"kextunload\" and\n process.args : \"com.apple.iokit.EndpointSecurity\" and\n event.action : \"end\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": 
"b627cd12-dac4-11ec-9582-f661ea17fbcd", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "b627cd12-dac4-11ec-9582-f661ea17fbcd_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_106.json b/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_106.json
deleted file mode 100644
index 85fa2794696..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b627cd12-dac4-11ec-9582-f661ea17fbcd_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Elastic Agent Service Terminated", "query": "process where\n/* net, sc or wmic stopping or deleting Elastic Agent on Windows */\n(event.type == \"start\" and\n process.name : (\"net.exe\", \"sc.exe\", \"wmic.exe\",\"powershell.exe\",\"taskkill.exe\",\"PsKill.exe\",\"ProcessHacker.exe\") and\n process.args : (\"stopservice\",\"uninstall\", \"stop\", \"disabled\",\"Stop-Process\",\"terminate\",\"suspend\") and\n process.args : (\"elasticendpoint\", \"Elastic Agent\",\"elastic-agent\",\"elastic-endpoint\"))\nor\n/* service or systemctl used to stop Elastic Agent on Linux */\n(event.type == \"end\" and\n (process.name : (\"systemctl\", \"service\") and\n process.args : \"elastic-agent\" and\n process.args : \"stop\")\n or\n /* pkill , killall used to stop Elastic Agent on Linux */\n ( event.type == \"end\" and process.name : (\"pkill\", \"killall\") and process.args: \"elastic-agent\")\n or\n /* Unload Elastic Agent extension on MacOS */\n (process.name : \"kextunload\" and\n process.args : \"com.apple.iokit.EndpointSecurity\" and\n event.action : \"end\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": 
"b627cd12-dac4-11ec-9582-f661ea17fbcd", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "b627cd12-dac4-11ec-9582-f661ea17fbcd_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d.json b/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d.json
deleted file mode 100644
index f1d71e592d9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Script Interpreter Executing Process via WMI", "query": "sequence by host.id with maxspan = 5s\n [any where host.os.type == \"windows\" and \n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : \"wmiutils.dll\" or file.name : \"wmiutils.dll\") and process.name : (\"wscript.exe\", \"cscript.exe\")]\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"wmiprvse.exe\" and\n user.domain != \"NT AUTHORITY\" and\n (process.pe.original_file_name :\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) or\n process.executable : (\"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n )\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, 
{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "b64b183e-1a76-422d-9179-7b389513e74d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}, {"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "type": "eql", "version": 110}, "id": "b64b183e-1a76-422d-9179-7b389513e74d", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_104.json b/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_104.json
deleted file mode 100644
index 5775df5d2cc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Script Interpreter Executing Process via WMI", "query": "sequence by host.id with maxspan = 5s\n [any where host.os.type == \"windows\" and \n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"wmiutils.dll\" or file.name : \"wmiutils.dll\") and process.name : (\"wscript.exe\", \"cscript.exe\")]\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"wmiprvse.exe\" and\n user.domain != \"NT AUTHORITY\" and\n (process.pe.original_file_name :\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) or\n process.executable : (\"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n )\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, 
{"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "b64b183e-1a76-422d-9179-7b389513e74d", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Execution", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "type": "eql", "version": 104}, "id": "b64b183e-1a76-422d-9179-7b389513e74d_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_105.json b/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_105.json
deleted file mode 100644
index 0a50414be24..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Script Interpreter Executing Process via WMI", "query": "sequence by host.id with maxspan = 5s\n [any where host.os.type == \"windows\" and \n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"wmiutils.dll\" or file.name : \"wmiutils.dll\") and process.name : (\"wscript.exe\", \"cscript.exe\")]\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"wmiprvse.exe\" and\n user.domain != \"NT AUTHORITY\" and\n (process.pe.original_file_name :\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) or\n process.executable : (\"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n )\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, 
{"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "b64b183e-1a76-422d-9179-7b389513e74d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "type": "eql", "version": 105}, "id": "b64b183e-1a76-422d-9179-7b389513e74d_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_106.json b/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_106.json
deleted file mode 100644
index 3d7bc73b980..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Script Interpreter Executing Process via WMI", "query": "sequence by host.id with maxspan = 5s\n [any where host.os.type == \"windows\" and \n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"wmiutils.dll\" or file.name : \"wmiutils.dll\") and process.name : (\"wscript.exe\", \"cscript.exe\")]\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"wmiprvse.exe\" and\n user.domain != \"NT AUTHORITY\" and\n (process.pe.original_file_name :\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) or\n process.executable : (\"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n )\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, 
{"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "b64b183e-1a76-422d-9179-7b389513e74d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "type": "eql", "version": 106}, "id": "b64b183e-1a76-422d-9179-7b389513e74d_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_107.json b/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_107.json
deleted file mode 100644
index 821ad4a6226..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Script Interpreter Executing Process via WMI", "query": "sequence by host.id with maxspan = 5s\n [any where host.os.type == \"windows\" and \n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (dll.name : \"wmiutils.dll\" or file.name : \"wmiutils.dll\") and process.name : (\"wscript.exe\", \"cscript.exe\")]\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"wmiprvse.exe\" and\n user.domain != \"NT AUTHORITY\" and\n (process.pe.original_file_name :\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) or\n process.executable : (\"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n )\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, 
{"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "b64b183e-1a76-422d-9179-7b389513e74d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}, {"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "type": "eql", "version": 107}, "id": "b64b183e-1a76-422d-9179-7b389513e74d_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_108.json b/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_108.json
deleted file mode 100644
index b6ec44d154a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Script Interpreter Executing Process via WMI", "query": "sequence by host.id with maxspan = 5s\n [any where host.os.type == \"windows\" and \n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : \"wmiutils.dll\" or file.name : \"wmiutils.dll\") and process.name : (\"wscript.exe\", \"cscript.exe\")]\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"wmiprvse.exe\" and\n user.domain != \"NT AUTHORITY\" and\n (process.pe.original_file_name :\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) or\n process.executable : (\"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n )\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", 
"type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "b64b183e-1a76-422d-9179-7b389513e74d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}, {"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "type": "eql", "version": 108}, "id": "b64b183e-1a76-422d-9179-7b389513e74d_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_109.json b/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_109.json
deleted file mode 100644
index 4725509bb9a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Script Interpreter Executing Process via WMI", "query": "sequence by host.id with maxspan = 5s\n [any where host.os.type == \"windows\" and \n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : \"wmiutils.dll\" or file.name : \"wmiutils.dll\") and process.name : (\"wscript.exe\", \"cscript.exe\")]\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"wmiprvse.exe\" and\n user.domain != \"NT AUTHORITY\" and\n (process.pe.original_file_name :\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) or\n process.executable : (\"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n )\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"},
{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "b64b183e-1a76-422d-9179-7b389513e74d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}, {"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "type": "eql", "version": 109}, "id": "b64b183e-1a76-422d-9179-7b389513e74d_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_110.json b/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_110.json
deleted file mode 100644
index 38e175e29cd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b64b183e-1a76-422d-9179-7b389513e74d_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the built-in Windows script interpreters (cscript.exe or wscript.exe) being used to execute a process via Windows Management Instrumentation (WMI). This may be indicative of malicious activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Script Interpreter Executing Process via WMI", "query": "sequence by host.id with maxspan = 5s\n [any where host.os.type == \"windows\" and \n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (?dll.name : \"wmiutils.dll\" or file.name : \"wmiutils.dll\") and process.name : (\"wscript.exe\", \"cscript.exe\")]\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"wmiprvse.exe\" and\n user.domain != \"NT AUTHORITY\" and\n (process.pe.original_file_name :\n (\n \"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"Cmd.Exe\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\",\n \"RegAsm.exe\",\n \"RegSvcs.exe\",\n \"msxsl.exe\",\n \"CONTROL.EXE\",\n \"EXPLORER.EXE\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"msiexec.exe\"\n ) or\n process.executable : (\"C:\\\\Users\\\\*.exe\", \"C:\\\\ProgramData\\\\*.exe\")\n )\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"},
{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "b64b183e-1a76-422d-9179-7b389513e74d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}, {"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "type": "eql", "version": 110}, "id": "b64b183e-1a76-422d-9179-7b389513e74d_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b661f86d-1c23-4ce7-a59e-2edbdba28247.json b/packages/security_detection_engine/kibana/security_rule/b661f86d-1c23-4ce7-a59e-2edbdba28247.json
deleted file mode 100644
index fd417095a25..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b661f86d-1c23-4ce7-a59e-2edbdba28247.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies commands that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Veeam Credential Access Command", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (process.name : \"sqlcmd.exe\" or process.pe.original_file_name : \"sqlcmd.exe\") or\n process.args : (\"Invoke-Sqlcmd\", \"Invoke-SqlExecute\", \"Invoke-DbaQuery\", \"Invoke-SqlQuery\")\n ) and\n process.args : \"*[VeeamBackup].[dbo].[Credentials]*\"\n", "references": ["https://thedfirreport.com/2021/12/13/diavol-ransomware/"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "b661f86d-1c23-4ce7-a59e-2edbdba28247", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference":
"https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "b661f86d-1c23-4ce7-a59e-2edbdba28247", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b661f86d-1c23-4ce7-a59e-2edbdba28247_1.json b/packages/security_detection_engine/kibana/security_rule/b661f86d-1c23-4ce7-a59e-2edbdba28247_1.json
deleted file mode 100644
index afe4b986b8b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b661f86d-1c23-4ce7-a59e-2edbdba28247_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies commands that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Veeam Credential Access Command", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (process.name : \"sqlcmd.exe\" or process.pe.original_file_name : \"sqlcmd.exe\") or\n process.args : (\"Invoke-Sqlcmd\", \"Invoke-SqlExecute\", \"Invoke-DbaQuery\", \"Invoke-SqlQuery\")\n ) and\n process.args : \"*[VeeamBackup].[dbo].[Credentials]*\"\n", "references": ["https://thedfirreport.com/2021/12/13/diavol-ransomware/"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "b661f86d-1c23-4ce7-a59e-2edbdba28247", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id":
"T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "b661f86d-1c23-4ce7-a59e-2edbdba28247_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b661f86d-1c23-4ce7-a59e-2edbdba28247_2.json b/packages/security_detection_engine/kibana/security_rule/b661f86d-1c23-4ce7-a59e-2edbdba28247_2.json
deleted file mode 100644
index e2efc8f4dec..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b661f86d-1c23-4ce7-a59e-2edbdba28247_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies commands that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Veeam Credential Access Command", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (process.name : \"sqlcmd.exe\" or process.pe.original_file_name : \"sqlcmd.exe\") or\n process.args : (\"Invoke-Sqlcmd\", \"Invoke-SqlExecute\", \"Invoke-DbaQuery\", \"Invoke-SqlQuery\")\n ) and\n process.args : \"*[VeeamBackup].[dbo].[Credentials]*\"\n", "references": ["https://thedfirreport.com/2021/12/13/diavol-ransomware/"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "b661f86d-1c23-4ce7-a59e-2edbdba28247", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference":
"https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "b661f86d-1c23-4ce7-a59e-2edbdba28247_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b661f86d-1c23-4ce7-a59e-2edbdba28247_202.json b/packages/security_detection_engine/kibana/security_rule/b661f86d-1c23-4ce7-a59e-2edbdba28247_202.json
deleted file mode 100644
index 7d1ff6cc3cf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b661f86d-1c23-4ce7-a59e-2edbdba28247_202.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies commands that can access and decrypt Veeam credentials stored in MSSQL databases. Attackers can use Veeam Credentials to target backups as part of destructive operations such as Ransomware attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Veeam Credential Access Command", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (process.name : \"sqlcmd.exe\" or ?process.pe.original_file_name : \"sqlcmd.exe\") or\n process.args : (\"Invoke-Sqlcmd\", \"Invoke-SqlExecute\", \"Invoke-DbaQuery\", \"Invoke-SqlQuery\")\n ) and\n process.args : \"*[VeeamBackup].[dbo].[Credentials]*\"\n", "references": ["https://thedfirreport.com/2021/12/13/diavol-ransomware/"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "b661f86d-1c23-4ce7-a59e-2edbdba28247", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for
Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 202}, "id": "b661f86d-1c23-4ce7-a59e-2edbdba28247_202", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b66b7e2b-d50a-49b9-a6fc-3a383baedc6b.json b/packages/security_detection_engine/kibana/security_rule/b66b7e2b-d50a-49b9-a6fc-3a383baedc6b.json
deleted file mode 100644
index fefe031470d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b66b7e2b-d50a-49b9-a6fc-3a383baedc6b.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies registry modifications to default services that could enable privilege escalation to SYSTEM. Attackers with privileges from groups like Server Operators may change the ImagePath of services to executables under their control or to execute commands.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via Service ImagePath Modification", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and process.executable != null and \n event.action == \"modification\" and registry.value == \"ImagePath\" and\n registry.key : (\n \"*\\\\ADWS\", \"*\\\\AppHostSvc\", \"*\\\\AppReadiness\", \"*\\\\AudioEndpointBuilder\", \"*\\\\AxInstSV\", \"*\\\\camsvc\", \"*\\\\CertSvc\",\n \"*\\\\COMSysApp\", \"*\\\\CscService\", \"*\\\\defragsvc\", \"*\\\\DeviceAssociationService\", \"*\\\\DeviceInstall\", \"*\\\\DevQueryBroker\",\n \"*\\\\Dfs\", \"*\\\\DFSR\", \"*\\\\diagnosticshub.standardcollector.service\", \"*\\\\DiagTrack\", \"*\\\\DmEnrollmentSvc\", \"*\\\\DNS\",\n \"*\\\\dot3svc\", \"*\\\\Eaphost\", \"*\\\\GraphicsPerfSvc\", \"*\\\\hidserv\", \"*\\\\HvHost\", \"*\\\\IISADMIN\", \"*\\\\IKEEXT\",\n \"*\\\\InstallService\", \"*\\\\iphlpsvc\", \"*\\\\IsmServ\", \"*\\\\LanmanServer\", \"*\\\\MSiSCSI\", \"*\\\\NcbService\", \"*\\\\Netlogon\",\n \"*\\\\Netman\", \"*\\\\NtFrs\", \"*\\\\PlugPlay\", \"*\\\\Power\", \"*\\\\PrintNotify\", \"*\\\\ProfSvc\", \"*\\\\PushToInstall\", \"*\\\\RSoPProv\",\n \"*\\\\sacsvr\", \"*\\\\SENS\", \"*\\\\SensorDataService\", \"*\\\\SgrmBroker\", \"*\\\\ShellHWDetection\", \"*\\\\shpamsvc\", \"*\\\\StorSvc\",\n \"*\\\\svsvc\", \"*\\\\swprv\", \"*\\\\SysMain\", \"*\\\\Themes\", \"*\\\\TieringEngineService\", \"*\\\\TokenBroker\", \"*\\\\TrkWks\",\n \"*\\\\UALSVC\", \"*\\\\UserManager\",
\"*\\\\vm3dservice\", \"*\\\\vmicguestinterface\", \"*\\\\vmicheartbeat\", \"*\\\\vmickvpexchange\",\n \"*\\\\vmicrdv\", \"*\\\\vmicshutdown\", \"*\\\\vmicvmsession\", \"*\\\\vmicvss\", \"*\\\\vmvss\", \"*\\\\VSS\", \"*\\\\w3logsvc\", \"*\\\\W3SVC\",\n \"*\\\\WalletService\", \"*\\\\WAS\", \"*\\\\wercplsupport\", \"*\\\\WerSvc\", \"*\\\\Winmgmt\", \"*\\\\wisvc\", \"*\\\\wmiApSrv\",\n \"*\\\\WPDBusEnum\", \"*\\\\WSearch\"\n ) and\n not (\n registry.data.strings : (\n \"?:\\\\Windows\\\\system32\\\\*.exe\",\n \"%systemroot%\\\\system32\\\\*.exe\",\n \"%windir%\\\\system32\\\\*.exe\",\n \"%SystemRoot%\\\\system32\\\\svchost.exe -k *\",\n \"%windir%\\\\system32\\\\svchost.exe -k *\"\n ) and\n not registry.data.strings : (\n \"*\\\\cmd.exe\",\n \"*\\\\cscript.exe\",\n \"*\\\\ieexec.exe\",\n \"*\\\\iexpress.exe\",\n \"*\\\\installutil.exe\",\n \"*\\\\Microsoft.Workflow.Compiler.exe\",\n \"*\\\\msbuild.exe\",\n \"*\\\\mshta.exe\",\n \"*\\\\msiexec.exe\",\n \"*\\\\msxsl.exe\",\n \"*\\\\net.exe\",\n \"*\\\\powershell.exe\",\n \"*\\\\pwsh.exe\",\n \"*\\\\reg.exe\",\n \"*\\\\RegAsm.exe\",\n \"*\\\\RegSvcs.exe\",\n \"*\\\\regsvr32.exe\",\n \"*\\\\rundll32.exe\",\n \"*\\\\vssadmin.exe\",\n \"*\\\\wbadmin.exe\",\n \"*\\\\wmic.exe\",\n \"*\\\\wscript.exe\"\n )\n )\n", "references": ["https://cube0x0.github.io/Pocing-Beyond-DA/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.key", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b", "severity": "medium", "tags": 
["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.011", "name": "Services Registry Permissions Weakness", "reference": "https://attack.mitre.org/techniques/T1574/011/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b66b7e2b-d50a-49b9-a6fc-3a383baedc6b_1.json b/packages/security_detection_engine/kibana/security_rule/b66b7e2b-d50a-49b9-a6fc-3a383baedc6b_1.json
deleted file mode 100644
index b61224d8a87..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b66b7e2b-d50a-49b9-a6fc-3a383baedc6b_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies registry modifications to default services that could enable privilege escalation to SYSTEM. Attackers with privileges from groups like Server Operators may change the ImagePath of services to executables under their control or to execute commands.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via Service ImagePath Modification", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and process.executable != null and \n event.action == \"modification\" and registry.value == \"ImagePath\" and\n registry.key : (\n \"*\\\\ADWS\", \"*\\\\AppHostSvc\", \"*\\\\AppReadiness\", \"*\\\\AudioEndpointBuilder\", \"*\\\\AxInstSV\", \"*\\\\camsvc\", \"*\\\\CertSvc\",\n \"*\\\\COMSysApp\", \"*\\\\CscService\", \"*\\\\defragsvc\", \"*\\\\DeviceAssociationService\", \"*\\\\DeviceInstall\", \"*\\\\DevQueryBroker\",\n \"*\\\\Dfs\", \"*\\\\DFSR\", \"*\\\\diagnosticshub.standardcollector.service\", \"*\\\\DiagTrack\", \"*\\\\DmEnrollmentSvc\", \"*\\\\DNS\",\n \"*\\\\dot3svc\", \"*\\\\Eaphost\", \"*\\\\GraphicsPerfSvc\", \"*\\\\hidserv\", \"*\\\\HvHost\", \"*\\\\IISADMIN\", \"*\\\\IKEEXT\",\n \"*\\\\InstallService\", \"*\\\\iphlpsvc\", \"*\\\\IsmServ\", \"*\\\\LanmanServer\", \"*\\\\MSiSCSI\", \"*\\\\NcbService\", \"*\\\\Netlogon\",\n \"*\\\\Netman\", \"*\\\\NtFrs\", \"*\\\\PlugPlay\", \"*\\\\Power\", \"*\\\\PrintNotify\", \"*\\\\ProfSvc\", \"*\\\\PushToInstall\", \"*\\\\RSoPProv\",\n \"*\\\\sacsvr\", \"*\\\\SENS\", \"*\\\\SensorDataService\", \"*\\\\SgrmBroker\", \"*\\\\ShellHWDetection\", \"*\\\\shpamsvc\", \"*\\\\StorSvc\",\n \"*\\\\svsvc\", \"*\\\\swprv\", \"*\\\\SysMain\", \"*\\\\Themes\", \"*\\\\TieringEngineService\", \"*\\\\TokenBroker\", \"*\\\\TrkWks\",\n \"*\\\\UALSVC\", \"*\\\\UserManager\", \"*\\\\vm3dservice\",
\"*\\\\vmicguestinterface\", \"*\\\\vmicheartbeat\", \"*\\\\vmickvpexchange\",\n \"*\\\\vmicrdv\", \"*\\\\vmicshutdown\", \"*\\\\vmicvmsession\", \"*\\\\vmicvss\", \"*\\\\vmvss\", \"*\\\\VSS\", \"*\\\\w3logsvc\", \"*\\\\W3SVC\",\n \"*\\\\WalletService\", \"*\\\\WAS\", \"*\\\\wercplsupport\", \"*\\\\WerSvc\", \"*\\\\Winmgmt\", \"*\\\\wisvc\", \"*\\\\wmiApSrv\",\n \"*\\\\WPDBusEnum\", \"*\\\\WSearch\"\n ) and\n not (\n registry.data.strings : (\n \"?:\\\\Windows\\\\system32\\\\*.exe\",\n \"%systemroot%\\\\system32\\\\*.exe\",\n \"%windir%\\\\system32\\\\*.exe\",\n \"%SystemRoot%\\\\system32\\\\svchost.exe -k *\",\n \"%windir%\\\\system32\\\\svchost.exe -k *\"\n ) and\n not registry.data.strings : (\n \"*\\\\cmd.exe\",\n \"*\\\\cscript.exe\",\n \"*\\\\ieexec.exe\",\n \"*\\\\iexpress.exe\",\n \"*\\\\installutil.exe\",\n \"*\\\\Microsoft.Workflow.Compiler.exe\",\n \"*\\\\msbuild.exe\",\n \"*\\\\mshta.exe\",\n \"*\\\\msiexec.exe\",\n \"*\\\\msxsl.exe\",\n \"*\\\\net.exe\",\n \"*\\\\powershell.exe\",\n \"*\\\\pwsh.exe\",\n \"*\\\\reg.exe\",\n \"*\\\\RegAsm.exe\",\n \"*\\\\RegSvcs.exe\",\n \"*\\\\regsvr32.exe\",\n \"*\\\\rundll32.exe\",\n \"*\\\\vssadmin.exe\",\n \"*\\\\wbadmin.exe\",\n \"*\\\\wmic.exe\",\n \"*\\\\wscript.exe\"\n )\n )\n", "references": ["https://cube0x0.github.io/Pocing-Beyond-DA/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.key", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: 
Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.011", "name": "Services Registry Permissions Weakness", "reference": "https://attack.mitre.org/techniques/T1574/011/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b66b7e2b-d50a-49b9-a6fc-3a383baedc6b_2.json b/packages/security_detection_engine/kibana/security_rule/b66b7e2b-d50a-49b9-a6fc-3a383baedc6b_2.json
deleted file mode 100644
index a2849d26446..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b66b7e2b-d50a-49b9-a6fc-3a383baedc6b_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies registry modifications to default services that could enable privilege escalation to SYSTEM. Attackers with privileges from groups like Server Operators may change the ImagePath of services to executables under their control or to execute commands.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via Service ImagePath Modification", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and process.executable != null and \n event.action == \"modification\" and registry.value == \"ImagePath\" and\n registry.key : (\n \"*\\\\ADWS\", \"*\\\\AppHostSvc\", \"*\\\\AppReadiness\", \"*\\\\AudioEndpointBuilder\", \"*\\\\AxInstSV\", \"*\\\\camsvc\", \"*\\\\CertSvc\",\n \"*\\\\COMSysApp\", \"*\\\\CscService\", \"*\\\\defragsvc\", \"*\\\\DeviceAssociationService\", \"*\\\\DeviceInstall\", \"*\\\\DevQueryBroker\",\n \"*\\\\Dfs\", \"*\\\\DFSR\", \"*\\\\diagnosticshub.standardcollector.service\", \"*\\\\DiagTrack\", \"*\\\\DmEnrollmentSvc\", \"*\\\\DNS\",\n \"*\\\\dot3svc\", \"*\\\\Eaphost\", \"*\\\\GraphicsPerfSvc\", \"*\\\\hidserv\", \"*\\\\HvHost\", \"*\\\\IISADMIN\", \"*\\\\IKEEXT\",\n \"*\\\\InstallService\", \"*\\\\iphlpsvc\", \"*\\\\IsmServ\", \"*\\\\LanmanServer\", \"*\\\\MSiSCSI\", \"*\\\\NcbService\", \"*\\\\Netlogon\",\n \"*\\\\Netman\", \"*\\\\NtFrs\", \"*\\\\PlugPlay\", \"*\\\\Power\", \"*\\\\PrintNotify\", \"*\\\\ProfSvc\", \"*\\\\PushToInstall\", \"*\\\\RSoPProv\",\n \"*\\\\sacsvr\", \"*\\\\SENS\", \"*\\\\SensorDataService\", \"*\\\\SgrmBroker\", \"*\\\\ShellHWDetection\", \"*\\\\shpamsvc\", \"*\\\\StorSvc\",\n \"*\\\\svsvc\", \"*\\\\swprv\", \"*\\\\SysMain\", \"*\\\\Themes\", \"*\\\\TieringEngineService\", \"*\\\\TokenBroker\", \"*\\\\TrkWks\",\n \"*\\\\UALSVC\", \"*\\\\UserManager\", 
\"*\\\\vm3dservice\", \"*\\\\vmicguestinterface\", \"*\\\\vmicheartbeat\", \"*\\\\vmickvpexchange\",\n \"*\\\\vmicrdv\", \"*\\\\vmicshutdown\", \"*\\\\vmicvmsession\", \"*\\\\vmicvss\", \"*\\\\vmvss\", \"*\\\\VSS\", \"*\\\\w3logsvc\", \"*\\\\W3SVC\",\n \"*\\\\WalletService\", \"*\\\\WAS\", \"*\\\\wercplsupport\", \"*\\\\WerSvc\", \"*\\\\Winmgmt\", \"*\\\\wisvc\", \"*\\\\wmiApSrv\",\n \"*\\\\WPDBusEnum\", \"*\\\\WSearch\"\n ) and\n not (\n registry.data.strings : (\n \"?:\\\\Windows\\\\system32\\\\*.exe\",\n \"%systemroot%\\\\system32\\\\*.exe\",\n \"%windir%\\\\system32\\\\*.exe\",\n \"%SystemRoot%\\\\system32\\\\svchost.exe -k *\",\n \"%windir%\\\\system32\\\\svchost.exe -k *\"\n ) and\n not registry.data.strings : (\n \"*\\\\cmd.exe\",\n \"*\\\\cscript.exe\",\n \"*\\\\ieexec.exe\",\n \"*\\\\iexpress.exe\",\n \"*\\\\installutil.exe\",\n \"*\\\\Microsoft.Workflow.Compiler.exe\",\n \"*\\\\msbuild.exe\",\n \"*\\\\mshta.exe\",\n \"*\\\\msiexec.exe\",\n \"*\\\\msxsl.exe\",\n \"*\\\\net.exe\",\n \"*\\\\powershell.exe\",\n \"*\\\\pwsh.exe\",\n \"*\\\\reg.exe\",\n \"*\\\\RegAsm.exe\",\n \"*\\\\RegSvcs.exe\",\n \"*\\\\regsvr32.exe\",\n \"*\\\\rundll32.exe\",\n \"*\\\\vssadmin.exe\",\n \"*\\\\wbadmin.exe\",\n \"*\\\\wmic.exe\",\n \"*\\\\wscript.exe\"\n )\n )\n", "references": ["https://cube0x0.github.io/Pocing-Beyond-DA/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.key", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b", "severity": "medium", "tags": 
["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.011", "name": "Services Registry Permissions Weakness", "reference": "https://attack.mitre.org/techniques/T1574/011/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "b66b7e2b-d50a-49b9-a6fc-3a383baedc6b_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b6dce542-2b75-4ffb-b7d6-38787298ba9d.json b/packages/security_detection_engine/kibana/security_rule/b6dce542-2b75-4ffb-b7d6-38787298ba9d.json deleted file mode 100644 index 2c2cc9d06ac..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b6dce542-2b75-4ffb-b7d6-38787298ba9d.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's recommended that you treat this rule like an administrative root account and don't use it in your application.", "false_positives": ["Authorization rule additions or modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Event Hub Authorization Rule Created or Updated", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE\" and event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "b6dce542-2b75-4ffb-b7d6-38787298ba9d", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", 
"Data Source: Azure", "Use Case: Log Auditing", "Tactic: Collection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1530", "name": "Data from Cloud Storage", "reference": "https://attack.mitre.org/techniques/T1530/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "b6dce542-2b75-4ffb-b7d6-38787298ba9d", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b6dce542-2b75-4ffb-b7d6-38787298ba9d_102.json b/packages/security_detection_engine/kibana/security_rule/b6dce542-2b75-4ffb-b7d6-38787298ba9d_102.json deleted file mode 100644 index e87f42bf0a0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b6dce542-2b75-4ffb-b7d6-38787298ba9d_102.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with specific rights, and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named RootManageSharedAccessKey is created for the namespace. This has manage permissions for the entire namespace and it's recommended that you treat this rule like an administrative root account and don't use it in your application.", "false_positives": ["Authorization rule additions or modifications may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Authorization rule additions or modifications from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Event Hub Authorization Rule Created or Updated", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE\" and event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "b6dce542-2b75-4ffb-b7d6-38787298ba9d", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", 
"Cloud", "Azure", "Continuous Monitoring", "SecOps", "Log Auditing"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1530", "name": "Data from Cloud Storage", "reference": "https://attack.mitre.org/techniques/T1530/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "b6dce542-2b75-4ffb-b7d6-38787298ba9d_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe.json b/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe.json deleted file mode 100644 index 882d7fa7201..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", "false_positives": ["If the behavior of deactivating Okta policies is expected, consider adding exceptions to this rule to filter false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Policy", "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Policy\n\nOkta policies define rules to manage user access to resources. Policies such as multi-factor authentication (MFA) are critical for enforcing strong security measures. Deactivation of an Okta policy could potentially weaken the security posture, allowing for unauthorized access or facilitating other malicious activities.\n\nThis rule is designed to detect attempts to deactivate an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. 
For example, disabling an MFA policy could lower the security of user authentication processes.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deactivation attempt.\n- Check the `okta.outcome.result` field to confirm the policy deactivation attempt.\n- Check if there are multiple policy deactivation attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy deactivation attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deactivation attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deactivation attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deactivation attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy deactivation is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deactivation technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.lifecycle.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": 
"low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_102.json b/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_102.json deleted file mode 100644 index 7473fe88850..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_102.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", "false_positives": ["If the behavior of deactivating Okta policies is expected, consider adding exceptions to this rule to filter false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Policy", "note": "", "query": "event.dataset:okta.system and event.action:policy.lifecycle.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": 
"https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_103.json b/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_103.json deleted file mode 100644 index 5e98006ceb6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_103.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", "false_positives": ["If the behavior of deactivating Okta policies is expected, consider adding exceptions to this rule to filter false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Policy", "note": "", "query": "event.dataset:okta.system and event.action:policy.lifecycle.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": 
"https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_104.json b/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_104.json deleted file mode 100644 index 5767cfee9ec..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", "false_positives": ["If the behavior of deactivating Okta policies is expected, consider adding exceptions to this rule to filter false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Policy", "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Policy\n\nOkta policies define rules to manage user access to resources. Policies such as multi-factor authentication (MFA) are critical for enforcing strong security measures. Deactivation of an Okta policy could potentially weaken the security posture, allowing for unauthorized access or facilitating other malicious activities.\n\nThis rule is designed to detect attempts to deactivate an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. 
For example, disabling an MFA policy could lower the security of user authentication processes.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deactivation attempt.\n- Check the `okta.outcome.result` field to confirm the policy deactivation attempt.\n- Check if there are multiple policy deactivation attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy deactivation attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deactivation attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deactivation attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deactivation attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy deactivation is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deactivation technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.lifecycle.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": 
"low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_105.json b/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_105.json deleted file mode 100644 index d35bbe5d161..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", "false_positives": ["If the behavior of deactivating Okta policies is expected, consider adding exceptions to this rule to filter false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Policy", "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Policy\n\nOkta policies define rules to manage user access to resources. Policies such as multi-factor authentication (MFA) are critical for enforcing strong security measures. Deactivation of an Okta policy could potentially weaken the security posture, allowing for unauthorized access or facilitating other malicious activities.\n\nThis rule is designed to detect attempts to deactivate an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. 
For example, disabling an MFA policy could lower the security of user authentication processes.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deactivation attempt.\n- Check the `okta.outcome.result` field to confirm the policy deactivation attempt.\n- Check if there are multiple policy deactivation attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy deactivation attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deactivation attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deactivation attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deactivation attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy deactivation is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deactivation technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.lifecycle.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": 
"low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_206.json b/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_206.json deleted file mode 100644 index 14f4627a42b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_206.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", "false_positives": ["If the behavior of deactivating Okta policies is expected, consider adding exceptions to this rule to filter false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Policy", "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Policy\n\nOkta policies define rules to manage user access to resources. Policies such as multi-factor authentication (MFA) are critical for enforcing strong security measures. Deactivation of an Okta policy could potentially weaken the security posture, allowing for unauthorized access or facilitating other malicious activities.\n\nThis rule is designed to detect attempts to deactivate an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. 
For example, disabling an MFA policy could lower the security of user authentication processes.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deactivation attempt.\n- Check the `okta.outcome.result` field to confirm the policy deactivation attempt.\n- Check if there are multiple policy deactivation attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy deactivation attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deactivation attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deactivation attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deactivation attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy deactivation is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deactivation technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.lifecycle.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": 
"low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe_206", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_207.json b/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_207.json deleted file mode 100644 index 403220f8278..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_207.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", "false_positives": ["If the behavior of deactivating Okta policies is expected, consider adding exceptions to this rule to filter false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Policy", "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Policy\n\nOkta policies define rules to manage user access to resources. Policies such as multi-factor authentication (MFA) are critical for enforcing strong security measures. Deactivation of an Okta policy could potentially weaken the security posture, allowing for unauthorized access or facilitating other malicious activities.\n\nThis rule is designed to detect attempts to deactivate an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. 
For example, disabling an MFA policy could lower the security of user authentication processes.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deactivation attempt.\n- Check the `okta.outcome.result` field to confirm the policy deactivation attempt.\n- Check if there are multiple policy deactivation attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy deactivation attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deactivation attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deactivation attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deactivation attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy deactivation is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deactivation technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.lifecycle.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": 
"b719a170-3bdb-4141-b0e3-13e3cf627bfe", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe_207", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_209.json b/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_209.json deleted file mode 100644 index f423d4a51e1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_209.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.", "false_positives": ["If the behavior of deactivating Okta policies is expected, consider adding exceptions to this rule to filter false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Policy", "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Policy\n\nOkta policies define rules to manage user access to resources. Policies such as multi-factor authentication (MFA) are critical for enforcing strong security measures. Deactivation of an Okta policy could potentially weaken the security posture, allowing for unauthorized access or facilitating other malicious activities.\n\nThis rule is designed to detect attempts to deactivate an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. 
For example, disabling an MFA policy could lower the security of user authentication processes.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deactivation attempt.\n- Check the `okta.outcome.result` field to confirm the policy deactivation attempt.\n- Check if there are multiple policy deactivation attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy deactivation attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deactivation attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deactivation attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deactivation attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy deactivation is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deactivation technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.lifecycle.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": 
"b719a170-3bdb-4141-b0e3-13e3cf627bfe", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe_209", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_309.json b/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_309.json new file mode 100644 index 00000000000..3fd60f86d00 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/b719a170-3bdb-4141-b0e3-13e3cf627bfe_309.json 
@@ -0,0 +1,84 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects attempts to deactivate an Okta policy. An adversary may attempt to deactivate an Okta policy in order to weaken an organization's security controls. For example, an adversary may attempt to deactivate an Okta multi-factor authentication (MFA) policy in order to weaken the authentication requirements for user accounts.",
+ "false_positives": [
+ "If the behavior of deactivating Okta policies is expected, consider adding exceptions to this rule to filter false positives."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempt to Deactivate an Okta Policy",
+ "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Policy\n\nOkta policies define rules to manage user access to resources. Policies such as multi-factor authentication (MFA) are critical for enforcing strong security measures. Deactivation of an Okta policy could potentially weaken the security posture, allowing for unauthorized access or facilitating other malicious activities.\n\nThis rule is designed to detect attempts to deactivate an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. 
For example, disabling an MFA policy could lower the security of user authentication processes.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deactivation attempt.\n- Check the `okta.outcome.result` field to confirm the policy deactivation attempt.\n- Check if there are multiple policy deactivation attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy deactivation attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deactivation attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deactivation attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deactivation attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy deactivation is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deactivation technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "query": "event.dataset:okta.system and event.action:policy.lifecycle.deactivate\n",
+ "references": [
+ "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": 
"keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "low",
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.007",
+ "name": "Disable or Modify Cloud Firewall",
+ "reference": "https://attack.mitre.org/techniques/T1562/007/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 309
+ },
+ "id": "b719a170-3bdb-4141-b0e3-13e3cf627bfe_309",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b7c05aaf-78c2-4558-b069-87fa25973489.json b/packages/security_detection_engine/kibana/security_rule/b7c05aaf-78c2-4558-b069-87fa25973489.json deleted file mode 100644
index e32d9fa3ed0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b7c05aaf-78c2-4558-b069-87fa25973489.json
+++ /dev/null
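Review bot: The query `event.dataset:okta.system and event.action:policy.lifecycle.deactivate` does not constrain `okta.outcome.result`, so a denied attempt and a successful deactivation of an MFA policy produce the same risk-21/low alert, even though the triage guide itself tells the analyst to confirm the outcome from that field. If firing on failed attempts is intended (the rule name says Attempt), it would help to say so in `false_positives`; otherwise a higher-severity companion filtered on `okta.outcome.result:SUCCESS` would better reflect the impact of an MFA policy actually being turned off. The ATT&CK mapping to T1562.007 (Disable or Modify Cloud Firewall) does not describe deactivating an identity-provider authentication policy, which is an authentication/MFA control rather than a firewall, so the sub-technique is worth revisiting. Because the only substantive change from the deleted _209 version is the `related_integrations` constraint moving from `^2.0.0` to `^3.0.0`, the field names the note relies on (`okta.client.user_agent.raw_user_agent`, `okta.request.ip_chain.geographical_context`) should be confirmed against the okta 3.x mapping before shipping.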
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects potential buffer overflow attacks by querying the \"Segfault Detected\" pre-built rule signal index, through a threshold rule, with a minimum number of 100 segfault alerts in a short timespan. A large amount of segfaults in a short time interval could indicate application exploitation attempts.", "from": "now-9m", "index": [".alerts-security.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Buffer Overflow Attack Detected", "query": "kibana.alert.rule.rule_id:\"5c81fc9d-1eae-437f-ba07-268472967013\" and host.os.type:linux and event.kind:signal\n", "required_fields": [{"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "kibana.alert.rule.rule_id", "type": "unknown"}], "risk_score": 21, "rule_id": "b7c05aaf-78c2-4558-b069-87fa25973489", "setup": "## Setup\n\n\nThis rule leverages alert data from other prebuilt detection rules to function correctly. 
\n\n### Dependent Elastic Detection Rule Enablement\nAs a higher-order rule (based on other detections), this rule also requires the following prerequisite Elastic detection rule to be installed and enabled:\n- Segfault Detected (5c81fc9d-1eae-437f-ba07-268472967013)\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Initial Access", "Use Case: Vulnerability", "Rule Type: Higher-Order Rule"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "threshold": {"field": ["event.kind", "host.id"], "value": 100}, "timestamp_override": "event.ingested", "type": "threshold", "version": 3}, "id": "b7c05aaf-78c2-4558-b069-87fa25973489", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b7c05aaf-78c2-4558-b069-87fa25973489_1.json b/packages/security_detection_engine/kibana/security_rule/b7c05aaf-78c2-4558-b069-87fa25973489_1.json deleted file mode 100644 index 5100464ecda..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b7c05aaf-78c2-4558-b069-87fa25973489_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects potential buffer overflow attacks by querying the \"Segfault Detected\" pre-built rule signal index, through a threshold rule, with a minimum number of 100 segfault alerts in a short timespan. A large amount of segfaults in a short time interval could indicate application exploitation attempts.", "from": "now-9m", "index": [".alerts-security.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Buffer Overflow Attack Detected", "query": "kibana.alert.rule.rule_id:5c81fc9d-1eae-437f-ba07-268472967013 and event.kind:signal\n", "required_fields": [{"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": false, "name": "kibana.alert.rule.rule_id", "type": "unknown"}], "risk_score": 21, "rule_id": "b7c05aaf-78c2-4558-b069-87fa25973489", "setup": "\nThis rule leverages alert data from other prebuilt detection rules to function correctly. \n\n### Dependent Elastic Detection Rule Enablement\nAs a higher-order rule (based on other detections), this rule also requires the following prerequisite Elastic detection rule to be installed and enabled:\n- Segfault Detected (5c81fc9d-1eae-437f-ba07-268472967013)\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Initial Access", "Use Case: Vulnerability", "Rule Type: Higher-Order Rule"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": 
"https://attack.mitre.org/techniques/T1190/"}]}], "threshold": {"field": ["event.kind", "host.id"], "value": 100}, "timestamp_override": "event.ingested", "type": "threshold", "version": 1}, "id": "b7c05aaf-78c2-4558-b069-87fa25973489_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b7c05aaf-78c2-4558-b069-87fa25973489_2.json b/packages/security_detection_engine/kibana/security_rule/b7c05aaf-78c2-4558-b069-87fa25973489_2.json deleted file mode 100644 index 77179c9a687..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b7c05aaf-78c2-4558-b069-87fa25973489_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects potential buffer overflow attacks by querying the \"Segfault Detected\" pre-built rule signal index, through a threshold rule, with a minimum number of 100 segfault alerts in a short timespan. A large amount of segfaults in a short time interval could indicate application exploitation attempts.", "from": "now-9m", "index": [".alerts-security.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Buffer Overflow Attack Detected", "query": "kibana.alert.rule.rule_id:5c81fc9d-1eae-437f-ba07-268472967013 and event.kind:signal\n", "required_fields": [{"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": false, "name": "kibana.alert.rule.rule_id", "type": "unknown"}], "risk_score": 21, "rule_id": "b7c05aaf-78c2-4558-b069-87fa25973489", "setup": "## Setup\n\n\nThis rule leverages alert data from other prebuilt detection rules to function correctly. \n\n### Dependent Elastic Detection Rule Enablement\nAs a higher-order rule (based on other detections), this rule also requires the following prerequisite Elastic detection rule to be installed and enabled:\n- Segfault Detected (5c81fc9d-1eae-437f-ba07-268472967013)\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Initial Access", "Use Case: Vulnerability", "Rule Type: Higher-Order Rule"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": 
"https://attack.mitre.org/techniques/T1190/"}]}], "threshold": {"field": ["event.kind", "host.id"], "value": 100}, "timestamp_override": "event.ingested", "type": "threshold", "version": 2}, "id": "b7c05aaf-78c2-4558-b069-87fa25973489_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419.json b/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419.json deleted file mode 100644 index 80a91d5a811..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when an administrator role is assigned to an Okta group. An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access to their target organization.", "false_positives": ["Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Administrator Privileges Assigned to an Okta Group", "note": "", "query": "event.dataset:okta.system and event.action:group.privilege.grant\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "b8075894-0b62-46e5-977c-31275da34419", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": 
"b8075894-0b62-46e5-977c-31275da34419", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_102.json b/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_102.json deleted file mode 100644 index ee1d78a2d2d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when an administrator role is assigned to an Okta group. An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access to their target organization.", "false_positives": ["Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Administrator Privileges Assigned to an Okta Group", "note": "", "query": "event.dataset:okta.system and event.action:group.privilege.grant\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "b8075894-0b62-46e5-977c-31275da34419", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": 
"b8075894-0b62-46e5-977c-31275da34419_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_103.json b/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_103.json deleted file mode 100644 index 72a4c957e4f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when an administrator role is assigned to an Okta group. An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access to their target organization.", "false_positives": ["Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Administrator Privileges Assigned to an Okta Group", "note": "", "query": "event.dataset:okta.system and event.action:group.privilege.grant\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "b8075894-0b62-46e5-977c-31275da34419", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": 
"b8075894-0b62-46e5-977c-31275da34419_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_104.json b/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_104.json deleted file mode 100644 index 4a2c4ddfa3b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when an administrator role is assigned to an Okta group. An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access to their target organization.", "false_positives": ["Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Administrator Privileges Assigned to an Okta Group", "note": "", "query": "event.dataset:okta.system and event.action:group.privilege.grant\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "b8075894-0b62-46e5-977c-31275da34419", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": 
"b8075894-0b62-46e5-977c-31275da34419_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_205.json b/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_205.json deleted file mode 100644 index df5f633a973..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when an administrator role is assigned to an Okta group. An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access to their target organization.", "false_positives": ["Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Administrator Privileges Assigned to an Okta Group", "note": "", "query": "event.dataset:okta.system and event.action:group.privilege.grant\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "b8075894-0b62-46e5-977c-31275da34419", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": 
"b8075894-0b62-46e5-977c-31275da34419_205", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_206.json b/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_206.json deleted file mode 100644 index b72cdae968e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_206.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when an administrator role is assigned to an Okta group. An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access to their target organization.", "false_positives": ["Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Administrator Privileges Assigned to an Okta Group", "note": "", "query": "event.dataset:okta.system and event.action:group.privilege.grant\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "b8075894-0b62-46e5-977c-31275da34419", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", 
"reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "b8075894-0b62-46e5-977c-31275da34419_206", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_208.json b/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_208.json deleted file mode 100644 index 29ca86d5ddd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_208.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when an administrator role is assigned to an Okta group. An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access to their target organization.", "false_positives": ["Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Administrator Privileges Assigned to an Okta Group", "note": "", "query": "event.dataset:okta.system and event.action:group.privilege.grant\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "b8075894-0b62-46e5-977c-31275da34419", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", 
"reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 208}, "id": "b8075894-0b62-46e5-977c-31275da34419_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_308.json b/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_308.json
new file mode 100644
index 00000000000..33a3a3017f8
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/b8075894-0b62-46e5-977c-31275da34419_308.json
@@ -0,0 +1,77 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects when an administrator role is assigned to an Okta group. An adversary may attempt to assign administrator privileges to an Okta group in order to assign additional permissions to compromised user accounts and maintain access to their target organization.",
+ "false_positives": [
+ "Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Administrator Privileges Assigned to an Okta Group",
+ "note": "",
+ "query": "event.dataset:okta.system and event.action:group.privilege.grant\n",
+ "references": [
+ "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm",
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "b8075894-0b62-46e5-977c-31275da34419",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Persistence"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1098",
+ "name": "Account Manipulation",
+ "reference": "https://attack.mitre.org/techniques/T1098/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 308
+ },
+ "id": "b8075894-0b62-46e5-977c-31275da34419_308",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b81bd314-db5b-4d97-82e8-88e3e5fc9de5.json b/packages/security_detection_engine/kibana/security_rule/b81bd314-db5b-4d97-82e8-88e3e5fc9de5.json
deleted file mode 100644
index 80d434497d0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b81bd314-db5b-4d97-82e8-88e3e5fc9de5.json
+++ /dev/null
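Review bot: The new 308 revision of "Administrator Privileges Assigned to an Okta Group" still ships with `"note": ""`, so this medium-severity identity rule has no triage guide, while other rules in the same package (for example the PowerShell Invoke-NinjaCopy rule removed further down) carry a full "Triage and analysis" section with investigation steps, false-positive analysis and response guidance. Since this file appears to be machine-synced from the upstream detection-rules repository, the fix belongs there, but a revision that already bumps the okta integration constraint to `^3.0.0` would be a natural place to add a note covering who performed the grant, which group and role were involved, and whether the group's membership was expected. The `false_positives` text also talks about roles "assigned to Okta users", whereas the query matches `event.action:group.privilege.grant`; rewording it to `Administrator roles may be assigned to Okta groups by a Super Admin user.` would align it with what the rule actually detects.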
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Enrich process events with uname and other command lines that imply Linux system information discovery.", "from": "now-119m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Linux System Information Discovery", "query": "process where event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and (\n process.name: \"uname\" or (\n process.name: (\"cat\", \"more\", \"less\") and process.args: (\"*issue*\", \"*version*\", \"*profile*\", \"*services*\", \"*cpuinfo*\")\n )\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b81bd314-db5b-4d97-82e8-88e3e5fc9de5", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "b81bd314-db5b-4d97-82e8-88e3e5fc9de5", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/b81bd314-db5b-4d97-82e8-88e3e5fc9de5_1.json b/packages/security_detection_engine/kibana/security_rule/b81bd314-db5b-4d97-82e8-88e3e5fc9de5_1.json deleted file mode 100644 index 19238ee816b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b81bd314-db5b-4d97-82e8-88e3e5fc9de5_1.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Enrich process events with uname and other command lines that imply Linux system information discovery.", "from": "now-119m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Linux System Information Discovery", "query": "process where event.type == \"start\" and\n(\n process.name: \"uname\" or\n (process.name: (\"cat\", \"more\", \"less\") and\n process.args: (\"*issue*\", \"*version*\", \"*profile*\", \"*services*\", \"*cpuinfo*\"))\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b81bd314-db5b-4d97-82e8-88e3e5fc9de5", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "b81bd314-db5b-4d97-82e8-88e3e5fc9de5_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/b81bd314-db5b-4d97-82e8-88e3e5fc9de5_2.json b/packages/security_detection_engine/kibana/security_rule/b81bd314-db5b-4d97-82e8-88e3e5fc9de5_2.json deleted file mode 100644 index 9712c807f40..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b81bd314-db5b-4d97-82e8-88e3e5fc9de5_2.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Enrich process events with uname and other command lines that imply Linux system information discovery.", "from": "now-119m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Linux System Information Discovery", "query": "process where event.type == \"start\" and\n(\n process.name: \"uname\" or\n (process.name: (\"cat\", \"more\", \"less\") and\n process.args: (\"*issue*\", \"*version*\", \"*profile*\", \"*services*\", \"*cpuinfo*\"))\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b81bd314-db5b-4d97-82e8-88e3e5fc9de5", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "b81bd314-db5b-4d97-82e8-88e3e5fc9de5_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88.json b/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88.json deleted file mode 100644 index fe91711ff87..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that contain the default exported functions used on Invoke-NinjaCopy. Attackers can use Invoke-NinjaCopy to read SYSTEM files that are normally locked, such as the NTDS.dit file or registry hives.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Invoke-NinjaCopy script", "note": "## Triage and analysis\n\n### Investigating PowerShell Invoke-NinjaCopy script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\n\nInvoke-NinjaCopy is a PowerShell script capable of reading SYSTEM files that were normally locked, such as `NTDS.dit` or sensitive registry locations. It does so by using the direct volume access technique, which enables attackers to bypass access control mechanisms and file system monitoring by reading the raw data directly from the disk and extracting the file by parsing the file system structures.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Check if the imported function was executed and which file it targeted.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"StealthReadFile\" or\n \"StealthReadFileAddr\" or\n \"StealthCloseFileDelegate\" or\n \"StealthOpenFile\" or\n \"StealthCloseFile\" or\n \"StealthReadFile\" or\n \"Invoke-NinjaCopy\"\n )\n and not user.id : \"S-1-5-18\"\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n", "references": ["https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "b8386923-b02c-4b94-986a-d223d9b01f88", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": 
"T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1006", "name": "Direct Volume Access", "reference": "https://attack.mitre.org/techniques/T1006/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 6}, "id": "b8386923-b02c-4b94-986a-d223d9b01f88", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_2.json b/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_2.json deleted file mode 100644 index 2795aff4af0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that contain the default exported functions used on Invoke-NinjaCopy. Attackers can use Invoke-NinjaCopy to read SYSTEM files that are normally locked, such as the NTDS.dit file or registry hives.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Invoke-NinjaCopy script", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"StealthReadFile\" or\n \"StealthReadFileAddr\" or\n \"StealthCloseFileDelegate\" or\n \"StealthOpenFile\" or\n \"StealthCloseFile\" or\n \"StealthReadFile\" or\n \"Invoke-NinjaCopy\"\n )\n and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "b8386923-b02c-4b94-986a-d223d9b01f88", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "PowerShell"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}, {"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "b8386923-b02c-4b94-986a-d223d9b01f88_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_3.json b/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_3.json deleted file mode 100644 index 8f8fd139697..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that contain the default exported functions used on Invoke-NinjaCopy. Attackers can use Invoke-NinjaCopy to read SYSTEM files that are normally locked, such as the NTDS.dit file or registry hives.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Invoke-NinjaCopy script", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"StealthReadFile\" or\n \"StealthReadFileAddr\" or\n \"StealthCloseFileDelegate\" or\n \"StealthOpenFile\" or\n \"StealthCloseFile\" or\n \"StealthReadFile\" or\n \"Invoke-NinjaCopy\"\n )\n and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "b8386923-b02c-4b94-986a-d223d9b01f88", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.003", "name": "NTDS", "reference": 
"https://attack.mitre.org/techniques/T1003/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "b8386923-b02c-4b94-986a-d223d9b01f88_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_4.json b/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_4.json deleted file mode 100644 index 447390d5526..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that contain the default exported functions used on Invoke-NinjaCopy. Attackers can use Invoke-NinjaCopy to read SYSTEM files that are normally locked, such as the NTDS.dit file or registry hives.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Invoke-NinjaCopy script", "note": "## Triage and analysis\n\n### Investigating PowerShell Invoke-NinjaCopy script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\n\nInvoke-NinjaCopy is a PowerShell script capable of reading SYSTEM files that were normally locked, such as `NTDS.dit` or sensitive registry locations. It does so by using the direct volume access technique, which enables attackers to bypass access control mechanisms and file system monitoring by reading the raw data directly from the disk and extracting the file by parsing the file system structures.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Check if the imported function was executed and which file it targeted.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"StealthReadFile\" or\n \"StealthReadFileAddr\" or\n \"StealthCloseFileDelegate\" or\n \"StealthOpenFile\" or\n \"StealthCloseFile\" or\n \"StealthReadFile\" or\n \"Invoke-NinjaCopy\"\n )\n and not user.id : \"S-1-5-18\"\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n", "references": ["https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "b8386923-b02c-4b94-986a-d223d9b01f88", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": 
"T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1006", "name": "Direct Volume Access", "reference": "https://attack.mitre.org/techniques/T1006/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "b8386923-b02c-4b94-986a-d223d9b01f88_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_5.json b/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_5.json deleted file mode 100644 index 2919bcb9e76..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that contain the default exported functions used on Invoke-NinjaCopy. Attackers can use Invoke-NinjaCopy to read SYSTEM files that are normally locked, such as the NTDS.dit file or registry hives.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Invoke-NinjaCopy script", "note": "## Triage and analysis\n\n### Investigating PowerShell Invoke-NinjaCopy script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\n\nInvoke-NinjaCopy is a PowerShell script capable of reading SYSTEM files that were normally locked, such as `NTDS.dit` or sensitive registry locations. It does so by using the direct volume access technique, which enables attackers to bypass access control mechanisms and file system monitoring by reading the raw data directly from the disk and extracting the file by parsing the file system structures.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Check if the imported function was executed and which file it targeted.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"StealthReadFile\" or\n \"StealthReadFileAddr\" or\n \"StealthCloseFileDelegate\" or\n \"StealthOpenFile\" or\n \"StealthCloseFile\" or\n \"StealthReadFile\" or\n \"Invoke-NinjaCopy\"\n )\n and not user.id : \"S-1-5-18\"\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n", "references": ["https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "b8386923-b02c-4b94-986a-d223d9b01f88", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": 
"T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1006", "name": "Direct Volume Access", "reference": "https://attack.mitre.org/techniques/T1006/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "b8386923-b02c-4b94-986a-d223d9b01f88_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_6.json b/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_6.json deleted file mode 100644 index 9aa4284b167..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that contain the default exported functions used on Invoke-NinjaCopy. Attackers can use Invoke-NinjaCopy to read SYSTEM files that are normally locked, such as the NTDS.dit file or registry hives.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Invoke-NinjaCopy script", "note": "## Triage and analysis\n\n### Investigating PowerShell Invoke-NinjaCopy script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\n\nInvoke-NinjaCopy is a PowerShell script capable of reading SYSTEM files that were normally locked, such as `NTDS.dit` or sensitive registry locations. It does so by using the direct volume access technique, which enables attackers to bypass access control mechanisms and file system monitoring by reading the raw data directly from the disk and extracting the file by parsing the file system structures.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Check if the imported function was executed and which file it targeted.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"StealthReadFile\" or\n \"StealthReadFileAddr\" or\n \"StealthCloseFileDelegate\" or\n \"StealthOpenFile\" or\n \"StealthCloseFile\" or\n \"StealthReadFile\" or\n \"Invoke-NinjaCopy\"\n )\n and not user.id : \"S-1-5-18\"\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n", "references": ["https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "b8386923-b02c-4b94-986a-d223d9b01f88", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": 
"T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1006", "name": "Direct Volume Access", "reference": "https://attack.mitre.org/techniques/T1006/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 6}, "id": "b8386923-b02c-4b94-986a-d223d9b01f88_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_7.json b/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_7.json deleted file mode 100644 index 6473052d843..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b8386923-b02c-4b94-986a-d223d9b01f88_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that contain the default exported functions used on Invoke-NinjaCopy. Attackers can use Invoke-NinjaCopy to read SYSTEM files that are normally locked, such as the NTDS.dit file or registry hives.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Invoke-NinjaCopy script", "note": "## Triage and analysis\n\n### Investigating PowerShell Invoke-NinjaCopy script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\n\nInvoke-NinjaCopy is a PowerShell script capable of reading SYSTEM files that were normally locked, such as `NTDS.dit` or sensitive registry locations. It does so by using the direct volume access technique, which enables attackers to bypass access control mechanisms and file system monitoring by reading the raw data directly from the disk and extracting the file by parsing the file system structures.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Check if the imported function was executed and which file it targeted.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"StealthReadFile\" or\n \"StealthReadFileAddr\" or\n \"StealthCloseFileDelegate\" or\n \"StealthOpenFile\" or\n \"StealthCloseFile\" or\n \"StealthReadFile\" or\n \"Invoke-NinjaCopy\"\n )\n and not user.id : \"S-1-5-18\"\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n", "references": ["https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/collection/Invoke-NinjaCopy.ps1"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "b8386923-b02c-4b94-986a-d223d9b01f88", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": 
"T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1006", "name": "Direct Volume Access", "reference": "https://attack.mitre.org/techniques/T1006/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 7}, "id": "b8386923-b02c-4b94-986a-d223d9b01f88_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd.json b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd.json deleted file mode 100644 index fcc6c615cd3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of Domain Backup DPAPI private key", "note": "## Triage and analysis\n\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.name : (\"ntds_capi_*.pfx\", \"ntds_capi_*.pvk\")\n", "references": ["https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/", "https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to 
work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.004", "name": "Private Keys", "reference": "https://attack.mitre.org/techniques/T1552/004/"}]}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 311}, "id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_103.json b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_103.json
deleted file mode 100644
index 772e287c391..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of Domain Backup DPAPI private key", "note": "## Triage and analysis\n\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.name : (\"ntds_capi_*.pfx\", \"ntds_capi_*.pvk\")\n", "references": ["https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/", "https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Elastic Endgame"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.004", "name": "Private Keys", "reference": "https://attack.mitre.org/techniques/T1552/004/"}]}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_104.json b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_104.json
deleted file mode 100644
index 34f7e5e9698..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of Domain Backup DPAPI private key", "note": "## Triage and analysis\n\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.name : (\"ntds_capi_*.pfx\", \"ntds_capi_*.pvk\")\n", "references": ["https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/", "https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: 
Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.004", "name": "Private Keys", "reference": "https://attack.mitre.org/techniques/T1552/004/"}]}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_105.json b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_105.json
deleted file mode 100644
index e1431773dca..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of Domain Backup DPAPI private key", "note": "## Triage and analysis\n\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.name : (\"ntds_capi_*.pfx\", \"ntds_capi_*.pvk\")\n", "references": ["https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/", "https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: 
Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.004", "name": "Private Keys", "reference": "https://attack.mitre.org/techniques/T1552/004/"}]}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_106.json b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_106.json
deleted file mode 100644
index 76073fcce5f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of Domain Backup DPAPI private key", "note": "## Triage and analysis\n\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.\n\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.name : (\"ntds_capi_*.pfx\", \"ntds_capi_*.pvk\")\n", "references": ["https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/", "https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.004", "name": "Private Keys", "reference": "https://attack.mitre.org/techniques/T1552/004/"}]}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_107.json b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_107.json
deleted file mode 100644
index 56bbd636139..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of Domain Backup DPAPI private key", "note": "## Triage and analysis\n\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.name : (\"ntds_capi_*.pfx\", \"ntds_capi_*.pvk\")\n", "references": ["https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/", "https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.004", "name": "Private Keys", "reference": "https://attack.mitre.org/techniques/T1552/004/"}]}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_108.json b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_108.json
deleted file mode 100644
index a7214a795db..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of Domain Backup DPAPI private key", "note": "## Triage and analysis\n\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.name : (\"ntds_capi_*.pfx\", \"ntds_capi_*.pvk\")\n", "references": ["https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/", "https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.004", "name": "Private Keys", "reference": "https://attack.mitre.org/techniques/T1552/004/"}]}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_209.json b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_209.json
deleted file mode 100644
index 03aecdbb4c6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_209.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of Domain Backup DPAPI private key", "note": "## Triage and analysis\n\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.name : (\"ntds_capi_*.pfx\", \"ntds_capi_*.pvk\")\n", "references": ["https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/", "https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.004", "name": "Private Keys", "reference": "https://attack.mitre.org/techniques/T1552/004/"}]}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 209}, "id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd_209", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_310.json b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_310.json
deleted file mode 100644
index fa092e68905..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_310.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of Domain Backup DPAPI private key", "note": "## Triage and analysis\n\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.name : (\"ntds_capi_*.pfx\", \"ntds_capi_*.pvk\")\n", "references": ["https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/", "https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.004", "name": "Private Keys", "reference": "https://attack.mitre.org/techniques/T1552/004/"}]}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 310}, "id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd_310", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_311.json b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_311.json
deleted file mode 100644
index cfd71401c0a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_311.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of Domain Backup DPAPI private key", "note": "## Triage and analysis\n\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.name : (\"ntds_capi_*.pfx\", \"ntds_capi_*.pvk\")\n", "references": ["https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/", "https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to 
work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.004", "name": "Private Keys", "reference": "https://attack.mitre.org/techniques/T1552/004/"}]}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 311}, "id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd_311", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_411.json b/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_411.json deleted file mode 100644 index 9833166169a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b83a7e96-2eb3-4edf-8346-427b6858d3bd_411.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of Domain Backup DPAPI private key", "note": "## Triage and analysis\n\nDomain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys.\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.name : (\"ntds_capi_*.pfx\", \"ntds_capi_*.pvk\")\n", "references": ["https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/", "https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to 
work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.004", "name": "Private Keys", "reference": "https://attack.mitre.org/techniques/T1552/004/"}]}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 411}, "id": "b83a7e96-2eb3-4edf-8346-427b6858d3bd_411", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5.json b/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5.json deleted file mode 100644 index 79ae39b423a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via MsXsl", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"msxsl.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"msxsl.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b86afe07-0d98-4738-b15d-8d7465f95ff5", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic 
Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1220", "name": "XSL Script Processing", "reference": "https://attack.mitre.org/techniques/T1220/"}]}], "type": "eql", "version": 106}, "id": "b86afe07-0d98-4738-b15d-8d7465f95ff5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_102.json b/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_102.json deleted file mode 100644 index 02c731c9861..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via MsXsl", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"msxsl.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"msxsl.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b86afe07-0d98-4738-b15d-8d7465f95ff5", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", 
"reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1220", "name": "XSL Script Processing", "reference": "https://attack.mitre.org/techniques/T1220/"}]}], "type": "eql", "version": 102}, "id": "b86afe07-0d98-4738-b15d-8d7465f95ff5_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_103.json b/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_103.json deleted file mode 100644 index 8bc41efd227..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via MsXsl", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"msxsl.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"msxsl.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b86afe07-0d98-4738-b15d-8d7465f95ff5", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": 
"Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1220", "name": "XSL Script Processing", "reference": "https://attack.mitre.org/techniques/T1220/"}]}], "type": "eql", "version": 103}, "id": "b86afe07-0d98-4738-b15d-8d7465f95ff5_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_104.json b/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_104.json deleted file mode 100644 index a063f446ea9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via MsXsl", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"msxsl.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"msxsl.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b86afe07-0d98-4738-b15d-8d7465f95ff5", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1220", "name": "XSL Script Processing", "reference": "https://attack.mitre.org/techniques/T1220/"}]}], "type": "eql", "version": 104}, "id": "b86afe07-0d98-4738-b15d-8d7465f95ff5_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_105.json b/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_105.json deleted file mode 100644 index 4f10a96bb9d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via MsXsl", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"msxsl.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"msxsl.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b86afe07-0d98-4738-b15d-8d7465f95ff5", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1220", "name": "XSL Script Processing", "reference": "https://attack.mitre.org/techniques/T1220/"}]}], "type": "eql", "version": 105}, "id": "b86afe07-0d98-4738-b15d-8d7465f95ff5_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_106.json b/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_106.json deleted file mode 100644 index 27f18406466..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b86afe07-0d98-4738-b15d-8d7465f95ff5_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via MsXsl", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and process.name : \"msxsl.exe\" and event.type == \"start\"]\n [network where host.os.type == \"windows\" and process.name : \"msxsl.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b86afe07-0d98-4738-b15d-8d7465f95ff5", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic 
Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1220", "name": "XSL Script Processing", "reference": "https://attack.mitre.org/techniques/T1220/"}]}], "type": "eql", "version": 106}, "id": "b86afe07-0d98-4738-b15d-8d7465f95ff5_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a.json b/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a.json deleted file mode 100644 index 39e30eb2960..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets.", "from": "now-9m", "index": ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Kirbi File Creation", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"kirbi\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 209}, "id": 
"b8f8da2d-a9dc-48c0-90e4-955c0aa1259a", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_1.json b/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_1.json deleted file mode 100644 index a6ae3228958..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Kirbi File Creation", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"kirbi\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 1}, "id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_106.json b/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_106.json deleted file mode 100644 index 1dc53109419..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets.", "from": "now-9m", "index": ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Kirbi File Creation", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"kirbi\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_2.json b/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_2.json deleted file mode 100644 index ab7991181cd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_2.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Kirbi File Creation", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"kirbi\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_207.json b/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_207.json
deleted file mode 100644
index 9b7470f7226..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_207.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets.", "from": "now-9m", "index": ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Kirbi File Creation", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"kirbi\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 207}, "id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_207", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_208.json b/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_208.json
deleted file mode 100644
index 304bfe1c38c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_208.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets.", "from": "now-9m", "index": ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Kirbi File Creation", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"kirbi\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 208}, "id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_209.json b/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_209.json
deleted file mode 100644
index 116dca11258..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_209.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets.", "from": "now-9m", "index": ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Kirbi File Creation", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"kirbi\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 209}, "id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_209", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_3.json b/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_3.json
deleted file mode 100644
index 29e4be4feb8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Kirbi File Creation", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"kirbi\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_310.json b/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_310.json
deleted file mode 100644
index 7a0a15612f9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_310.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets.", "from": "now-9m", "index": ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "winlogbeat-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Kirbi File Creation", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"kirbi\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 310}, "id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_310", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_4.json b/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_4.json
deleted file mode 100644
index 0e775f14f7d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets.", "from": "now-9m", "index": ["logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Kirbi File Creation", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"kirbi\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_5.json b/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_5.json
deleted file mode 100644
index b68e736d374..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of .kirbi files. The creation of this kind of file is an indicator of an attacker running Kerberos ticket dump utilities, such as Mimikatz, and precedes attacks such as Pass-The-Ticket (PTT), which allows the attacker to impersonate users using Kerberos tickets.", "from": "now-9m", "index": ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Kirbi File Creation", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension : \"kirbi\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a.json b/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a.json
deleted file mode 100644
index 657e13a9c1e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"Clipup.exe\" and\n not process.executable : \"C:\\\\Windows\\\\System32\\\\ClipUp.exe\" and process.parent.name : \"dllhost.exe\" and\n /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\n process.parent.args : \"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\"\n", "references": ["https://github.com/hfiref0x/UACME"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_103.json b/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_103.json
deleted file mode 100644
index 211239737f8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"Clipup.exe\" and\n not process.executable : \"C:\\\\Windows\\\\System32\\\\ClipUp.exe\" and process.parent.name : \"dllhost.exe\" and\n /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\n process.parent.args : \"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\"\n", "references": ["https://github.com/hfiref0x/UACME"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_104.json b/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_104.json
deleted file mode 100644
index 43754d48125..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"Clipup.exe\" and\n not process.executable : \"C:\\\\Windows\\\\System32\\\\ClipUp.exe\" and process.parent.name : \"dllhost.exe\" and\n /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\n process.parent.args : \"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\"\n", "references": ["https://github.com/hfiref0x/UACME"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_105.json b/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_105.json
deleted file mode 100644
index 181127d2d0c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"Clipup.exe\" and\n not process.executable : \"C:\\\\Windows\\\\System32\\\\ClipUp.exe\" and process.parent.name : \"dllhost.exe\" and\n /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\n process.parent.args : \"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\"\n", "references": ["https://github.com/hfiref0x/UACME"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_106.json b/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_106.json
deleted file mode 100644
index af703010a22..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"Clipup.exe\" and\n not process.executable : \"C:\\\\Windows\\\\System32\\\\ClipUp.exe\" and process.parent.name : \"dllhost.exe\" and\n /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\n process.parent.args : \"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\"\n", "references": ["https://github.com/hfiref0x/UACME"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: 
Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_107.json b/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_107.json deleted file mode 100644 index 1cd4eef3a2a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"Clipup.exe\" and\n not process.executable : \"C:\\\\Windows\\\\System32\\\\ClipUp.exe\" and process.parent.name : \"dllhost.exe\" and\n /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\n process.parent.args : \"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\"\n", "references": ["https://github.com/hfiref0x/UACME"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_108.json b/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_108.json
deleted file mode 100644
index 76c84602ebb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"Clipup.exe\" and\n not process.executable : \"C:\\\\Windows\\\\System32\\\\ClipUp.exe\" and process.parent.name : \"dllhost.exe\" and\n /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\n process.parent.args : \"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\"\n", "references": ["https://github.com/hfiref0x/UACME"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a_108", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_109.json b/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_109.json
deleted file mode 100644
index e5412f52add..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b90cdde7-7e0d-4359-8bf0-2c112ce2008a_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to bypass User Account Control (UAC) by abusing an elevated COM Interface to launch a rogue Windows ClipUp program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"Clipup.exe\" and\n not process.executable : \"C:\\\\Windows\\\\System32\\\\ClipUp.exe\" and process.parent.name : \"dllhost.exe\" and\n /* CLSID of the Elevated COM Interface IEditionUpgradeManager */\n process.parent.args : \"/Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}\"\n", "references": ["https://github.com/hfiref0x/UACME"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "b90cdde7-7e0d-4359-8bf0-2c112ce2008a_109", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6.json b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6.json
deleted file mode 100644
index 1bdd6871896..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Chkconfig Service Add", "note": "## Triage and analysis\n\n### Investigating Chkconfig Service Add\nService files are configuration files in Linux systems used to define and manage system services. The `Chkconfig` binary can be used to manually add, delete or modify a service. \n\nMalicious actors can leverage services to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\n\nThis rule monitors the usage of the `chkconfig` binary to manually add a service for management by `chkconfig`, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the service that was created or modified.\n- Investigate the currently enabled system services through the following commands `sudo chkconfig --list | grep on` and `sudo systemctl list-unit-files`.\n- Investigate the status of potentially suspicious services through the `chkconfig --list service_name` command. \n- Search for the `rc.d` or `init.d` service files that were created or modified, and analyze their contents.\n- Investigate whether any other files in any of the available `rc.d` or `init.d` directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/rc%.d/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/init.d/%' OR path LIKE\\n'/etc/rc%.d/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, 
remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses the `chkconfig` binary for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n( \n (process.executable : \"/usr/sbin/chkconfig\" and process.args : \"--add\") or\n (process.args : \"*chkconfig\" and process.args : \"--add\")\n) and \nnot process.parent.name in (\"rpm\", \"qualys-scan-util\", \"qualys-cloud-agent\", \"update-alternatives\") and\nnot process.parent.args : (\"/var/tmp/rpm*\", \"/var/lib/waagent/*\")\n", "references": ["https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "b910f25a-2d44-47f2-a873-aabdc0d355e6", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Lightning Framework", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "b910f25a-2d44-47f2-a873-aabdc0d355e6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_103.json b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_103.json deleted file mode 100644 index 4e444d23fb7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Chkconfig Service Add", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n( \n (process.executable : \"/usr/sbin/chkconfig\" and process.args : \"--add\") or\n (process.args : \"*chkconfig\" and process.args : \"--add\")\n)\n", "references": ["https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "b910f25a-2d44-47f2-a873-aabdc0d355e6", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Lightning Framework", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": 
"b910f25a-2d44-47f2-a873-aabdc0d355e6_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_104.json b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_104.json deleted file mode 100644 index b57820cc741..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Chkconfig Service Add", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\n( \n (process.executable : \"/usr/sbin/chkconfig\" and process.args : \"--add\") or\n (process.args : \"*chkconfig\" and process.args : \"--add\")\n)\n", "references": ["https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "b910f25a-2d44-47f2-a873-aabdc0d355e6", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Lightning Framework", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", 
"version": 104}, "id": "b910f25a-2d44-47f2-a873-aabdc0d355e6_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_105.json b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_105.json
deleted file mode 100644
index cfd6d34fcec..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Chkconfig Service Add", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n( \n (process.executable : \"/usr/sbin/chkconfig\" and process.args : \"--add\") or\n (process.args : \"*chkconfig\" and process.args : \"--add\")\n)\n", "references": ["https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "b910f25a-2d44-47f2-a873-aabdc0d355e6", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Lightning Framework", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}]}], "timestamp_override": "event.ingested", 
"type": "eql", "version": 105}, "id": "b910f25a-2d44-47f2-a873-aabdc0d355e6_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_106.json b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_106.json
deleted file mode 100644
index 25baf8d81bd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Chkconfig Service Add", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n( \n (process.executable : \"/usr/sbin/chkconfig\" and process.args : \"--add\") or\n (process.args : \"*chkconfig\" and process.args : \"--add\")\n)\n", "references": ["https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "b910f25a-2d44-47f2-a873-aabdc0d355e6", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Lightning Framework", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "b910f25a-2d44-47f2-a873-aabdc0d355e6_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_107.json b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_107.json
deleted file mode 100644
index 7ce4ab58886..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Chkconfig Service Add", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n( \n (process.executable : \"/usr/sbin/chkconfig\" and process.args : \"--add\") or\n (process.args : \"*chkconfig\" and process.args : \"--add\")\n)\n", "references": ["https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "b910f25a-2d44-47f2-a873-aabdc0d355e6", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Lightning Framework", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "b910f25a-2d44-47f2-a873-aabdc0d355e6_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_108.json b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_108.json deleted file mode 100644 index 22e6456efba..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Chkconfig Service Add", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n( \n (process.executable : \"/usr/sbin/chkconfig\" and process.args : \"--add\") or\n (process.args : \"*chkconfig\" and process.args : \"--add\")\n)\n", "references": ["https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "b910f25a-2d44-47f2-a873-aabdc0d355e6", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Lightning Framework", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "b910f25a-2d44-47f2-a873-aabdc0d355e6_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_109.json b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_109.json deleted file mode 100644 index 3b18bc907a2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Chkconfig Service Add", "note": "## Triage and analysis\n\n### Investigating Chkconfig Service Add\nService files are configuration files in Linux systems used to define and manage system services. The `Chkconfig` binary can be used to manually add, delete or modify a service. \n\nMalicious actors can leverage services to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\n\nThis rule monitors the usage of the `chkconfig` binary to manually add a service for management by `chkconfig`, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the service that was created or modified.\n- Investigate the currently enabled system services through the following commands `sudo chkconfig --list | grep on` and `sudo systemctl list-unit-files`.\n- Investigate the status of potentially suspicious services through the `chkconfig --list service_name` command. \n- Search for the `rc.d` or `init.d` service files that were created or modified, and analyze their contents.\n- Investigate whether any other files in any of the available `rc.d` or `init.d` directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/rc%.d/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/rc%.d/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, 
remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses the `chkconfig` binary for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n( \n (process.executable : \"/usr/sbin/chkconfig\" and process.args : \"--add\") or\n (process.args : \"*chkconfig\" and process.args : \"--add\")\n)\n", "references": ["https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "b910f25a-2d44-47f2-a873-aabdc0d355e6", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Lightning Framework", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "b910f25a-2d44-47f2-a873-aabdc0d355e6_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_110.json b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_110.json deleted file mode 100644 index 901849dcef2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Chkconfig Service Add", "note": "## Triage and analysis\n\n### Investigating Chkconfig Service Add\nService files are configuration files in Linux systems used to define and manage system services. The `Chkconfig` binary can be used to manually add, delete or modify a service. \n\nMalicious actors can leverage services to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\n\nThis rule monitors the usage of the `chkconfig` binary to manually add a service for management by `chkconfig`, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the service that was created or modified.\n- Investigate the currently enabled system services through the following commands `sudo chkconfig --list | grep on` and `sudo systemctl list-unit-files`.\n- Investigate the status of potentially suspicious services through the `chkconfig --list service_name` command. \n- Search for the `rc.d` or `init.d` service files that were created or modified, and analyze their contents.\n- Investigate whether any other files in any of the available `rc.d` or `init.d` directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/rc%.d/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/rc%.d/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, 
remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses the `chkconfig` binary for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n( \n (process.executable : \"/usr/sbin/chkconfig\" and process.args : \"--add\") or\n (process.args : \"*chkconfig\" and process.args : \"--add\")\n) and \nnot process.parent.name in (\"rpm\", \"qualys-scan-util\", \"qualys-cloud-agent\", \"update-alternatives\") and\nnot process.parent.args : (\"/var/tmp/rpm*\", \"/var/lib/waagent/*\")\n", "references": ["https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "b910f25a-2d44-47f2-a873-aabdc0d355e6", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Lightning Framework", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "b910f25a-2d44-47f2-a873-aabdc0d355e6_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_111.json b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_111.json deleted file mode 100644 index fed120ad828..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Chkconfig Service Add", "note": "## Triage and analysis\n\n### Investigating Chkconfig Service Add\nService files are configuration files in Linux systems used to define and manage system services. The `Chkconfig` binary can be used to manually add, delete or modify a service. \n\nMalicious actors can leverage services to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\n\nThis rule monitors the usage of the `chkconfig` binary to manually add a service for management by `chkconfig`, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the service that was created or modified.\n- Investigate the currently enabled system services through the following commands `sudo chkconfig --list | grep on` and `sudo systemctl list-unit-files`.\n- Investigate the status of potentially suspicious services through the `chkconfig --list service_name` command. \n- Search for the `rc.d` or `init.d` service files that were created or modified, and analyze their contents.\n- Investigate whether any other files in any of the available `rc.d` or `init.d` directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/rc%.d/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/rc%.d/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, 
remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses the `chkconfig` binary for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n( \n (process.executable : \"/usr/sbin/chkconfig\" and process.args : \"--add\") or\n (process.args : \"*chkconfig\" and process.args : \"--add\")\n) and \nnot process.parent.name in (\"rpm\", \"qualys-scan-util\", \"qualys-cloud-agent\", \"update-alternatives\") and\nnot process.parent.args : (\"/var/tmp/rpm*\", \"/var/lib/waagent/*\")\n", "references": ["https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "b910f25a-2d44-47f2-a873-aabdc0d355e6", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Lightning Framework", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "b910f25a-2d44-47f2-a873-aabdc0d355e6_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_112.json b/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_112.json deleted file mode 100644 index e1824dd559b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b910f25a-2d44-47f2-a873-aabdc0d355e6_112.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the use of the chkconfig binary to manually add a service for management by chkconfig. Threat actors may utilize this technique to maintain persistence on a system. When a new service is added, chkconfig ensures that the service has either a start or a kill entry in every runlevel and when the system is rebooted the service file added will run providing long-term persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Chkconfig Service Add", "note": "## Triage and analysis\n\n### Investigating Chkconfig Service Add\nService files are configuration files in Linux systems used to define and manage system services. The `Chkconfig` binary can be used to manually add, delete or modify a service. \n\nMalicious actors can leverage services to achieve persistence by creating or modifying service files to execute malicious commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional malicious activities, or evade detection.\n\nThis rule monitors the usage of the `chkconfig` binary to manually add a service for management by `chkconfig`, potentially indicating the creation of a persistence mechanism.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0.
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the service that was created or modified.\n- Investigate the currently enabled system services through the following commands `sudo chkconfig --list | grep on` and `sudo systemctl list-unit-files`.\n- Investigate the status of potentially suspicious services through the `chkconfig --list service_name` command. \n- Search for the `rc.d` or `init.d` service files that were created or modified, and analyze their contents.\n- Investigate whether any other files in any of the available `rc.d` or `init.d` directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/init.d/%' OR path LIKE '/etc/rc%.d/%')\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE (path LIKE '/etc/init.d/%' OR path LIKE\\n'/etc/rc%.d/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate syslog through the `sudo cat /var/log/syslog | grep 'LSB'` command to find traces of the LSB header of the script (if present). If syslog is being ingested into Elasticsearch, the same can be accomplished through Kibana.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, 
remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses the `chkconfig` binary for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n( \n (process.executable : \"/usr/sbin/chkconfig\" and process.args : \"--add\") or\n (process.args : \"*chkconfig\" and process.args : \"--add\")\n) and \nnot process.parent.name in (\"rpm\", \"qualys-scan-util\", \"qualys-cloud-agent\", \"update-alternatives\") and\nnot process.parent.args : (\"/var/tmp/rpm*\", \"/var/lib/waagent/*\")\n", "references": ["https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "b910f25a-2d44-47f2-a873-aabdc0d355e6", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Lightning Framework", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/", "subtechnique": [{"id": "T1037.004", "name": "RC Scripts", "reference": "https://attack.mitre.org/techniques/T1037/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "b910f25a-2d44-47f2-a873-aabdc0d355e6_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b92d5eae-70bb-4b66-be27-f98ba9d0ccdc.json b/packages/security_detection_engine/kibana/security_rule/b92d5eae-70bb-4b66-be27-f98ba9d0ccdc.json
deleted file mode 100644
index 1d5adf3818f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b92d5eae-70bb-4b66-be27-f98ba9d0ccdc.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the execution of Linux built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act.", "from": "now-119m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Discovery of Domain Groups", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and (\n process.name in (\"ldapsearch\", \"dscacheutil\") or (process.name == \"dscl\" and process.args : \"*-list*\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b92d5eae-70bb-4b66-be27-f98ba9d0ccdc_1.json b/packages/security_detection_engine/kibana/security_rule/b92d5eae-70bb-4b66-be27-f98ba9d0ccdc_1.json
deleted file mode 100644
index daaec22ef4f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b92d5eae-70bb-4b66-be27-f98ba9d0ccdc_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the execution of Linux built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act.", "from": "now-119m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Discovery of Domain Groups", "query": "process where event.type : (\"start\", \"process_started\") and host.os.type == \"linux\" and\n ( process.name : (\"ldapsearch\", \"dscacheutil\") or\n (process.name : \"dscl\" and process.args : \"*-list*\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "b92d5eae-70bb-4b66-be27-f98ba9d0ccdc_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c.json b/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c.json
deleted file mode 100644
index 097e8335531..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.", "false_positives": ["False positives can occur because the rules may be mapped to a few MITRE ATT&CK tactics. Use the attached Timeline to determine which detections were triggered on the host."], "from": "now-24h", "index": [".alerts-security.*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host", "query": "signal.rule.name:* and kibana.alert.rule.threat.tactic.id:*\n", "required_fields": [{"ecs": false, "name": "kibana.alert.rule.threat.tactic.id", "type": "unknown"}, {"ecs": false, "name": "signal.rule.name", "type": "unknown"}], "risk_score": 73, "rule_id": "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c", "severity": "high", "tags": ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule"], "threshold": {"cardinality": [{"field": "kibana.alert.rule.threat.tactic.id", "value": 3}], "field": ["host.id"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 4}, "id": "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_3.json b/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_3.json
deleted file mode 100644
index 8a3dec46167..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are triggered. Analysts can use this to prioritize triage and response, as these hosts are more likely to be compromised.", "false_positives": ["False positives can occur because the rules may be mapped to a few MITRE ATT&CK tactics. Use the attached Timeline to determine which detections were triggered on the host."], "from": "now-24h", "index": [".alerts-security.*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Multiple Alerts in Different ATT&CK Tactics on a Single Host", "query": "signal.rule.name:* and kibana.alert.rule.threat.tactic.id:*\n", "required_fields": [{"ecs": false, "name": "kibana.alert.rule.threat.tactic.id", "type": "unknown"}, {"ecs": false, "name": "signal.rule.name", "type": "unknown"}], "risk_score": 73, "rule_id": "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c", "severity": "high", "tags": ["Elastic", "Threat Detection", "Higher-Order Rules"], "threshold": {"cardinality": [{"field": "kibana.alert.rule.threat.tactic.id", "value": 3}], "field": ["host.id"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 3}, "id": "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf.json b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf.json
deleted file mode 100644
index bce3f601759..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Group Policy Abuse for Privilege Addition", "note": "## Triage and analysis\n\n### Investigating Group Policy Abuse for Privilege Addition\n\nGroup Policy Objects (GPOs) can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF file named GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO. This file is unique for each GPO, and only exists if the GPO contains security settings. Example Path: \"\\\\DC.com\\SysVol\\DC.com\\Policies\\{PolicyGUID}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf\"\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.\n- Inspect the user security identifiers (SIDs) associated with these privileges, and if they should have these privileges.\n\n### False positive analysis\n\n- Inspect whether the user that has done the modifications should be allowed to.
The user name can be found in the `winlog.event_data.SubjectUserName` field.\n\n### Related rules\n\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n", "query": "any where host.os.type == \"windows\" and event.code: \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName: \"gPCMachineExtensionNames\" and\n winlog.event_data.AttributeValue: \"*827D319E-6EAC-11D2-A4EA-00C04F79F83A*\" and\n winlog.event_data.AttributeValue: \"*803E14A0-B4FB-11D0-A0D0-00A0C90F574B*\"\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://labs.f-secure.com/tools/sharpgpoabuse"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}], "risk_score": 73, "rule_id": "b9554892-5e0e-424b-83a0-5aef95aa43bf", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes 
(Success,Failure)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1484", "name": "Domain or Tenant Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "b9554892-5e0e-424b-83a0-5aef95aa43bf", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_105.json b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_105.json
deleted file mode 100644
index 647afd078f6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Group Policy Abuse for Privilege Addition", "note": "## Triage and analysis\n\n### Investigating Group Policy Abuse for Privilege Addition\n\nGroup Policy Objects (GPOs) can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF file named GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO. This file is unique for each GPO, and only exists if the GPO contains security settings. Example Path: \"\\\\DC.com\\SysVol\\DC.com\\Policies\\{PolicyGUID}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf\"\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.\n- Inspect the user security identifiers (SIDs) associated with these privileges, and if they should have these privileges.\n\n### False positive analysis\n\n- Inspect whether the user that has done the modifications should be allowed to.
The user name can be found in the `winlog.event_data.SubjectUserName` field.\n\n### Related rules\n\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.", "query": "host.os.type:windows and event.code: \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"gPCMachineExtensionNames\" and\n winlog.event_data.AttributeValue:(*827D319E-6EAC-11D2-A4EA-00C04F79F83A* and *803E14A0-B4FB-11D0-A0D0-00A0C90F574B*)\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://labs.f-secure.com/tools/sharpgpoabuse"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}], "risk_score": 73, "rule_id": "b9554892-5e0e-424b-83a0-5aef95aa43bf", "setup": "The 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat 
Detection", "Privilege Escalation", "Active Directory", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "b9554892-5e0e-424b-83a0-5aef95aa43bf_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_106.json b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_106.json
deleted file mode 100644
index ca5994fb344..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Group Policy Abuse for Privilege Addition", "note": "## Triage and analysis\n\n### Investigating Group Policy Abuse for Privilege Addition\n\nGroup Policy Objects (GPOs) can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF file named GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO. This file is unique for each GPO, and only exists if the GPO contains security settings. Example Path: \"\\\\DC.com\\SysVol\\DC.com\\Policies\\{PolicyGUID}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf\"\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.\n- Inspect the user security identifiers (SIDs) associated with these privileges, and if they should have these privileges.\n\n### False positive analysis\n\n- Inspect whether the user that has done the modifications should be allowed to. 
The user name can be found in the `winlog.event_data.SubjectUserName` field.\n\n### Related rules\n\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.", "query": "event.code: \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"gPCMachineExtensionNames\" and\n winlog.event_data.AttributeValue:(*827D319E-6EAC-11D2-A4EA-00C04F79F83A* and *803E14A0-B4FB-11D0-A0D0-00A0C90F574B*)\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://labs.f-secure.com/tools/sharpgpoabuse"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}], "risk_score": 73, "rule_id": "b9554892-5e0e-424b-83a0-5aef95aa43bf", "setup": "The 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Active Directory", "Investigation Guide"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "b9554892-5e0e-424b-83a0-5aef95aa43bf_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_107.json b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_107.json
deleted file mode 100644
index 5424aa7ad06..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Group Policy Abuse for Privilege Addition", "note": "## Triage and analysis\n\n### Investigating Group Policy Abuse for Privilege Addition\n\nGroup Policy Objects (GPOs) can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF file named GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO. This file is unique for each GPO, and only exists if the GPO contains security settings. Example Path: \"\\\\DC.com\\SysVol\\DC.com\\Policies\\{PolicyGUID}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf\"\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.\n- Inspect the user security identifiers (SIDs) associated with these privileges, and if they should have these privileges.\n\n### False positive analysis\n\n- Inspect whether the user that has done the modifications should be allowed to. 
The user name can be found in the `winlog.event_data.SubjectUserName` field.\n\n### Related rules\n\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.", "query": "event.code: \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"gPCMachineExtensionNames\" and\n winlog.event_data.AttributeValue:(*827D319E-6EAC-11D2-A4EA-00C04F79F83A* and *803E14A0-B4FB-11D0-A0D0-00A0C90F574B*)\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://labs.f-secure.com/tools/sharpgpoabuse"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}], "risk_score": 73, "rule_id": "b9554892-5e0e-424b-83a0-5aef95aa43bf", "setup": "The 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Active 
Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "b9554892-5e0e-424b-83a0-5aef95aa43bf_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_108.json b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_108.json
deleted file mode 100644
index b1d967f0ad1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Group Policy Abuse for Privilege Addition", "note": "## Triage and analysis\n\n### Investigating Group Policy Abuse for Privilege Addition\n\nGroup Policy Objects (GPOs) can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF file named GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO. This file is unique for each GPO, and only exists if the GPO contains security settings. Example Path: \"\\\\DC.com\\SysVol\\DC.com\\Policies\\{PolicyGUID}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf\"\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.\n- Inspect the user security identifiers (SIDs) associated with these privileges, and if they should have these privileges.\n\n### False positive analysis\n\n- Inspect whether the user that has done the modifications should be allowed to. 
The user name can be found in the `winlog.event_data.SubjectUserName` field.\n\n### Related rules\n\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n\n", "query": "event.code: \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"gPCMachineExtensionNames\" and\n winlog.event_data.AttributeValue:(*827D319E-6EAC-11D2-A4EA-00C04F79F83A* and *803E14A0-B4FB-11D0-A0D0-00A0C90F574B*)\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://labs.f-secure.com/tools/sharpgpoabuse"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}], "risk_score": 73, "rule_id": "b9554892-5e0e-424b-83a0-5aef95aa43bf", "setup": "\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: 
Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "b9554892-5e0e-424b-83a0-5aef95aa43bf_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_109.json b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_109.json
deleted file mode 100644
index 3382872ebc8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Group Policy Abuse for Privilege Addition", "note": "## Triage and analysis\n\n### Investigating Group Policy Abuse for Privilege Addition\n\nGroup Policy Objects (GPOs) can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF file named GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO. This file is unique for each GPO, and only exists if the GPO contains security settings. Example Path: \"\\\\DC.com\\SysVol\\DC.com\\Policies\\{PolicyGUID}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf\"\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.\n- Inspect the user security identifiers (SIDs) associated with these privileges, and if they should have these privileges.\n\n### False positive analysis\n\n- Inspect whether the user that has done the modifications should be allowed to. 
The user name can be found in the `winlog.event_data.SubjectUserName` field.\n\n### Related rules\n\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n", "query": "event.code: \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"gPCMachineExtensionNames\" and\n winlog.event_data.AttributeValue:(*827D319E-6EAC-11D2-A4EA-00C04F79F83A* and *803E14A0-B4FB-11D0-A0D0-00A0C90F574B*)\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://labs.f-secure.com/tools/sharpgpoabuse"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}], "risk_score": 73, "rule_id": "b9554892-5e0e-424b-83a0-5aef95aa43bf", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: 
Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 109}, "id": "b9554892-5e0e-424b-83a0-5aef95aa43bf_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_110.json b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_110.json
deleted file mode 100644
index 5c232dadc33..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Group Policy Abuse for Privilege Addition", "note": "## Triage and analysis\n\n### Investigating Group Policy Abuse for Privilege Addition\n\nGroup Policy Objects (GPOs) can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF file named GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO. This file is unique for each GPO, and only exists if the GPO contains security settings. Example Path: \"\\\\DC.com\\SysVol\\DC.com\\Policies\\{PolicyGUID}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf\"\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.\n- Inspect the user security identifiers (SIDs) associated with these privileges, and if they should have these privileges.\n\n### False positive analysis\n\n- Inspect whether the user that has done the modifications should be allowed to. 
The user name can be found in the `winlog.event_data.SubjectUserName` field.\n\n### Related rules\n\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n", "query": "event.code: \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"gPCMachineExtensionNames\" and\n winlog.event_data.AttributeValue:(*827D319E-6EAC-11D2-A4EA-00C04F79F83A* and *803E14A0-B4FB-11D0-A0D0-00A0C90F574B*)\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://labs.f-secure.com/tools/sharpgpoabuse"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}], "risk_score": 73, "rule_id": "b9554892-5e0e-424b-83a0-5aef95aa43bf", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: 
Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1484", "name": "Domain or Tenant Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 110}, "id": "b9554892-5e0e-424b-83a0-5aef95aa43bf_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_111.json b/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_111.json
deleted file mode 100644
index eda6826344c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b9554892-5e0e-424b-83a0-5aef95aa43bf_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Group Policy Abuse for Privilege Addition", "note": "## Triage and analysis\n\n### Investigating Group Policy Abuse for Privilege Addition\n\nGroup Policy Objects (GPOs) can be used to add rights and/or modify Group Membership on GPOs by changing the contents of an INF file named GptTmpl.inf, which is responsible for storing every setting under the Security Settings container in the GPO. This file is unique for each GPO, and only exists if the GPO contains security settings. Example Path: \"\\\\DC.com\\SysVol\\DC.com\\Policies\\{PolicyGUID}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf\"\n\n#### Possible investigation steps\n\n- This attack abuses a legitimate mechanism of Active Directory, so it is important to determine whether the activity is legitimate and the administrator is authorized to perform this operation.\n- Retrieve the contents of the `GptTmpl.inf` file, and under the `Privilege Rights` section, look for potentially dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelegationPrivilege, etc.\n- Inspect the user security identifiers (SIDs) associated with these privileges, and if they should have these privileges.\n\n### False positive analysis\n\n- Inspect whether the user that has done the modifications should be allowed to. 
The user name can be found in the `winlog.event_data.SubjectUserName` field.\n\n### Related rules\n\n- Scheduled Task Execution at Scale via GPO - 15a8ba77-1c13-4274-88fe-6bd14133861e\n- Startup/Logon Script added to Group Policy Object - 16fac1a1-21ee-4ca6-b720-458e3855d046\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- The investigation and containment must be performed in every computer controlled by the GPO, where necessary.\n- Remove the script from the GPO.\n- Check if other GPOs have suspicious scripts attached.\n", "query": "any where host.os.type == \"windows\" and event.code: \"5136\" and\n winlog.event_data.AttributeLDAPDisplayName: \"gPCMachineExtensionNames\" and\n winlog.event_data.AttributeValue: \"*827D319E-6EAC-11D2-A4EA-00C04F79F83A*\" and\n winlog.event_data.AttributeValue: \"*803E14A0-B4FB-11D0-A0D0-00A0C90F574B*\"\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0025_windows_audit_directory_service_changes.md", "https://labs.f-secure.com/tools/sharpgpoabuse"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}], "risk_score": 73, "rule_id": "b9554892-5e0e-424b-83a0-5aef95aa43bf", "setup": "## Setup\n\nThe 'Audit Directory Service Changes' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes 
(Success,Failure)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1484", "name": "Domain or Tenant Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "b9554892-5e0e-424b-83a0-5aef95aa43bf_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae.json b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae.json
deleted file mode 100644
index 79a5fbfc87e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories.", "false_positives": ["Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Creation of Hidden Files and Directories via CommandLine", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.working_directory in (\"/tmp\", \"/var/tmp\", \"/dev/shm\") and\nprocess.args regex~ \"\"\"\\.[a-z0-9_\\-][a-z0-9_\\-\\.]{1,254}\"\"\" and\nnot process.name in (\"ls\", \"find\", \"grep\", \"git\", \"jq\", \"basename\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 47, "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "b9666521-4742-49ce-9ddc-b8e84c35acae", "type": "security-rule"} \ No newline 
at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_102.json b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_102.json
deleted file mode 100644
index 0f5acfe3cb6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories.", "false_positives": ["Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Creation of Hidden Files and Directories via CommandLine", "note": "", "query": "process where host.os.type == \"linux\" and event.type in (\"start\", \"process_started\") and\n process.working_directory in (\"/tmp\", \"/var/tmp\", \"/dev/shm\") and\n process.args regex~ \"\"\"\\.[a-z0-9_\\-][a-z0-9_\\-\\.]{1,254}\"\"\" and\n not process.name in (\"ls\", \"find\", \"grep\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 47, "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", 
"Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "b9666521-4742-49ce-9ddc-b8e84c35acae_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_103.json b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_103.json deleted file mode 100644 index ceb6f80597e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories.", "false_positives": ["Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Creation of Hidden Files and Directories via CommandLine", "note": "", "query": "process where host.os.type == \"linux\" and event.type in (\"start\", \"process_started\") and\n process.working_directory in (\"/tmp\", \"/var/tmp\", \"/dev/shm\") and\n process.args regex~ \"\"\"\\.[a-z0-9_\\-][a-z0-9_\\-\\.]{1,254}\"\"\" and\n not process.name in (\"ls\", \"find\", \"grep\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 47, "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: 
Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "b9666521-4742-49ce-9ddc-b8e84c35acae_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_104.json b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_104.json deleted file mode 100644 index 60f624a908d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories.", "false_positives": ["Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Creation of Hidden Files and Directories via CommandLine", "note": "", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nprocess.working_directory in (\"/tmp\", \"/var/tmp\", \"/dev/shm\") and\nprocess.args regex~ \"\"\"\\.[a-z0-9_\\-][a-z0-9_\\-\\.]{1,254}\"\"\" and\nnot process.name in (\"ls\", \"find\", \"grep\", \"git\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 47, "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", 
"Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "b9666521-4742-49ce-9ddc-b8e84c35acae_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_105.json b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_105.json deleted file mode 100644 index 8b4ce87c206..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories.", "false_positives": ["Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Creation of Hidden Files and Directories via CommandLine", "note": "### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nprocess.working_directory in (\"/tmp\", \"/var/tmp\", \"/dev/shm\") and\nprocess.args regex~ \"\"\"\\.[a-z0-9_\\-][a-z0-9_\\-\\.]{1,254}\"\"\" and\nnot process.name in (\"ls\", \"find\", \"grep\", \"git\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 47, "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae", "setup": "This rule requires data coming in either from Elastic Defend, or Auditbeat integration.", "severity": "medium", "tags": 
["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "b9666521-4742-49ce-9ddc-b8e84c35acae_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_106.json b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_106.json deleted file mode 100644 index 843fbf63ba7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories.", "false_positives": ["Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Creation of Hidden Files and Directories via CommandLine", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nprocess.working_directory in (\"/tmp\", \"/var/tmp\", \"/dev/shm\") and\nprocess.args regex~ \"\"\"\\.[a-z0-9_\\-][a-z0-9_\\-\\.]{1,254}\"\"\" and\nnot process.name in (\"ls\", \"find\", \"grep\", \"git\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 47, "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae", "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "b9666521-4742-49ce-9ddc-b8e84c35acae_106", "type": "security-rule"} \ No newline at end 
of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_107.json b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_107.json
deleted file mode 100644
index dfd2ec610e3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories.", "false_positives": ["Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Creation of Hidden Files and Directories via CommandLine", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nprocess.working_directory in (\"/tmp\", \"/var/tmp\", \"/dev/shm\") and\nprocess.args regex~ \"\"\"\\.[a-z0-9_\\-][a-z0-9_\\-\\.]{1,254}\"\"\" and\nnot process.name in (\"ls\", \"find\", \"grep\", \"git\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 47, "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "b9666521-4742-49ce-9ddc-b8e84c35acae_107", "type": "security-rule"} \ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_108.json b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_108.json
deleted file mode 100644
index 3071d0e179a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories.", "false_positives": ["Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Creation of Hidden Files and Directories via CommandLine", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nprocess.working_directory in (\"/tmp\", \"/var/tmp\", \"/dev/shm\") and\nprocess.args regex~ \"\"\"\\.[a-z0-9_\\-][a-z0-9_\\-\\.]{1,254}\"\"\" and\nnot process.name in (\"ls\", \"find\", \"grep\", \"git\", \"jq\", \"basename\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 47, "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "b9666521-4742-49ce-9ddc-b8e84c35acae_108", "type": "security-rule"} \ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_109.json b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_109.json
deleted file mode 100644
index 22ccd90e7b9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories.", "false_positives": ["Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Creation of Hidden Files and Directories via CommandLine", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.working_directory in (\"/tmp\", \"/var/tmp\", \"/dev/shm\") and\nprocess.args regex~ \"\"\"\\.[a-z0-9_\\-][a-z0-9_\\-\\.]{1,254}\"\"\" and\nnot process.name in (\"ls\", \"find\", \"grep\", \"git\", \"jq\", \"basename\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 47, "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "b9666521-4742-49ce-9ddc-b8e84c35acae_109", "type": "security-rule"} \ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_110.json b/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_110.json
deleted file mode 100644
index 079d42a4dd7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b9666521-4742-49ce-9ddc-b8e84c35acae_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Users can mark specific files as hidden simply by putting a \".\" as the first character in the file or folder name. Adversaries can use this to their advantage to hide files and folders on the system for persistence and defense evasion. This rule looks for hidden files or folders in common writable directories.", "false_positives": ["Certain tools may create hidden temporary files or directories upon installation or as part of their normal behavior. These events can be filtered by the process arguments, username, or process name values."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Creation of Hidden Files and Directories via CommandLine", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.working_directory in (\"/tmp\", \"/var/tmp\", \"/dev/shm\") and\nprocess.args regex~ \"\"\"\\.[a-z0-9_\\-][a-z0-9_\\-\\.]{1,254}\"\"\" and\nnot process.name in (\"ls\", \"find\", \"grep\", \"git\", \"jq\", \"basename\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 47, "rule_id": "b9666521-4742-49ce-9ddc-b8e84c35acae", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.001", "name": "Hidden Files and Directories", "reference": "https://attack.mitre.org/techniques/T1564/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "b9666521-4742-49ce-9ddc-b8e84c35acae_110", "type": "security-rule"} \ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917.json b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917.json
deleted file mode 100644
index afec3283e4f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "SolarWinds Process Disabling Services via Registry", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and registry.value : \"Start\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\"\n ) and\n registry.data.strings : (\"4\", \"0x00000004\") and\n process.name : (\n \"SolarWinds.BusinessLayerHost*.exe\",\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\")\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "b9960fef-82c6-4816-befa-44745030e917", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default 
fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "b9960fef-82c6-4816-befa-44745030e917", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_103.json b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_103.json
deleted file mode 100644
index a29f5e86a37..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "SolarWinds Process Disabling Services via Registry", "note": "", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\"\n ) and\n registry.data.strings : (\"4\", \"0x00000004\") and\n process.name : (\n \"SolarWinds.BusinessLayerHost*.exe\",\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\")\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "b9960fef-82c6-4816-befa-44745030e917", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", 
"Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "b9960fef-82c6-4816-befa-44745030e917_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_104.json b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_104.json
deleted file mode 100644
index d53fa5a4099..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "SolarWinds Process Disabling Services via Registry", "note": "", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\"\n ) and\n registry.data.strings : (\"4\", \"0x00000004\") and\n process.name : (\n \"SolarWinds.BusinessLayerHost*.exe\",\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\")\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "b9960fef-82c6-4816-befa-44745030e917", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: 
Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "b9960fef-82c6-4816-befa-44745030e917_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_105.json b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_105.json
deleted file mode 100644
index ed8618e571c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "SolarWinds Process Disabling Services via Registry", "note": "", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\"\n ) and\n registry.data.strings : (\"4\", \"0x00000004\") and\n process.name : (\n \"SolarWinds.BusinessLayerHost*.exe\",\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\")\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "b9960fef-82c6-4816-befa-44745030e917", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: 
Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "b9960fef-82c6-4816-befa-44745030e917_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_106.json b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_106.json deleted file mode 100644 index 020613d5fed..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "SolarWinds Process Disabling Services via Registry", "note": "", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\"\n ) and\n registry.data.strings : (\"4\", \"0x00000004\") and\n process.name : (\n \"SolarWinds.BusinessLayerHost*.exe\",\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\")\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "b9960fef-82c6-4816-befa-44745030e917", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: 
Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}, {"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "b9960fef-82c6-4816-befa-44745030e917_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_107.json b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_107.json deleted file mode 100644 index b0bd7fc0c76..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "SolarWinds Process Disabling Services via Registry", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\"\n ) and\n registry.data.strings : (\"4\", \"0x00000004\") and\n process.name : (\n \"SolarWinds.BusinessLayerHost*.exe\",\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\")\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "b9960fef-82c6-4816-befa-44745030e917", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a 
custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}, {"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "b9960fef-82c6-4816-befa-44745030e917_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_108.json b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_108.json deleted file mode 100644 index af934b23022..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "SolarWinds Process Disabling Services via Registry", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\"\n ) and\n registry.data.strings : (\"4\", \"0x00000004\") and\n process.name : (\n \"SolarWinds.BusinessLayerHost*.exe\",\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\")\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "b9960fef-82c6-4816-befa-44745030e917", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to 
@timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}, {"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "b9960fef-82c6-4816-befa-44745030e917_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_109.json b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_109.json deleted file mode 100644 index 2961d06d9be..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "SolarWinds Process Disabling Services via Registry", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\"\n ) and\n registry.data.strings : (\"4\", \"0x00000004\") and\n process.name : (\n \"SolarWinds.BusinessLayerHost*.exe\",\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\")\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "b9960fef-82c6-4816-befa-44745030e917", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to 
@timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}, {"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "b9960fef-82c6-4816-befa-44745030e917_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_110.json b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_110.json deleted file mode 100644 index fb2c76c8081..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "SolarWinds Process Disabling Services via Registry", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\"\n ) and\n registry.data.strings : (\"4\", \"0x00000004\") and\n process.name : (\n \"SolarWinds.BusinessLayerHost*.exe\",\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\")\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "b9960fef-82c6-4816-befa-44745030e917", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to 
@timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "b9960fef-82c6-4816-befa-44745030e917_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_111.json b/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_111.json deleted file mode 100644 index 9c5d8ab290c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/b9960fef-82c6-4816-befa-44745030e917_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a SolarWinds binary modifying the start type of a service to be disabled. An adversary may abuse this technique to manipulate relevant security services.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "SolarWinds Process Disabling Services via Registry", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and registry.value : \"Start\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\Start\"\n ) and\n registry.data.strings : (\"4\", \"0x00000004\") and\n process.name : (\n \"SolarWinds.BusinessLayerHost*.exe\",\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\")\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "b9960fef-82c6-4816-befa-44745030e917", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default 
fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "b9960fef-82c6-4816-befa-44745030e917_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc.json b/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc.json deleted file mode 100644 index 5ccc4d35eeb..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.", "false_positives": ["A newly installed program or one that rarely uses the network could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_network_activity"], "name": "Unusual Windows Network Activity", "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. 
These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"], "type": "machine_learning", "version": 104}, "id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_101.json b/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_101.json deleted file mode 100644 index 5673b926571..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.", "false_positives": ["A newly installed program or one that rarely uses the network could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_network_activity"], "name": "Unusual Windows Network Activity", "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. 
These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning"], "type": "machine_learning", "version": 101}, "id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_102.json b/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_102.json deleted file mode 100644 index 810fa6b5ef0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.", "false_positives": ["A newly installed program or one that rarely uses the network could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_network_activity"], "name": "Unusual Windows Network Activity", "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. 
These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"], "type": "machine_learning", "version": 102}, "id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_103.json b/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_103.json deleted file mode 100644 index 7f60c636cbe..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.", "false_positives": ["A newly installed program or one that rarely uses the network could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_network_activity"], "name": "Unusual Windows Network Activity", "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. 
These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"], "type": "machine_learning", "version": 103}, "id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_104.json b/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_104.json deleted file mode 100644 index 08720165e23..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.", "false_positives": ["A newly installed program or one that rarely uses the network could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_network_activity"], "name": "Unusual Windows Network Activity", "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. 
These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"], "type": "machine_learning", "version": 104}, "id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_105.json b/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_105.json
deleted file mode 100644
index c87176101d9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ba342eb2-583c-439f-b04d-1fdd7c1417cc_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Identifies Windows processes that do not usually use the network but have unexpected network activity, which can indicate command-and-control, lateral movement, persistence, or data exfiltration activity. A process with unusual network activity can denote process exploitation or injection, where the process is used to run persistence mechanisms that allow a malicious actor remote access or control of the host, data exfiltration, and execution of unauthorized network applications.", "false_positives": ["A newly installed program or one that rarely uses the network could trigger this alert."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_anomalous_network_activity"], "name": "Unusual Windows Network Activity", "note": "## Triage and analysis\n\n### Investigating Unusual Network Activity\nDetection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:\n- Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?\n- If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.\n- Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?\n- Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process.\n- Examine the process arguments, title and working directory. 
These may provide indications as to the source of the program or the nature of the tasks it is performing.\n- Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.\n- If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools.", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"], "type": "machine_learning", "version": 105}, "id": "ba342eb2-583c-439f-b04d-1fdd7c1417cc_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ba81c182-4287-489d-af4d-8ae834b06040.json b/packages/security_detection_engine/kibana/security_rule/ba81c182-4287-489d-af4d-8ae834b06040.json
deleted file mode 100644
index e106f0f1546..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ba81c182-4287-489d-af4d-8ae834b06040.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the loading of a Linux kernel module by a non-root user through system calls. Threat actors may leverage Linux kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security products. As other rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through auditd_manager.", "from": "now-9m", "index": ["logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel Driver Load by non-root User", "query": "driver where host.os.type == \"linux\" and event.action == \"loaded-kernel-module\" and\nauditd.data.syscall in (\"init_module\", \"finit_module\") and user.id != \"0\"\n", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "ba81c182-4287-489d-af4d-8ae834b06040", "setup": "## Setup\n\n\nThis rule requires data coming in from Auditd Manager.\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -- \"-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\"\n -- \"-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\"\n", "severity": "medium", "tags": ["Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": 
"Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "ba81c182-4287-489d-af4d-8ae834b06040", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ba81c182-4287-489d-af4d-8ae834b06040_1.json b/packages/security_detection_engine/kibana/security_rule/ba81c182-4287-489d-af4d-8ae834b06040_1.json deleted file mode 100644 index fe0f300a8cc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ba81c182-4287-489d-af4d-8ae834b06040_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the loading of a Linux kernel module by a non-root user through system calls. Threat actors may leverage Linux kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security products. As other rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through auditd_manager.", "from": "now-9m", "index": ["logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel Driver Load by non-root User", "query": "driver where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \nevent.action == \"loaded-kernel-module\" and auditd.data.syscall in (\"init_module\", \"finit_module\") and user.id != \"0\"\n", "related_integrations": [{"integration": "auditd", "package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.syscall", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "ba81c182-4287-489d-af4d-8ae834b06040", "setup": "\nThis rule requires data coming in from Auditd Manager.\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -- \"-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\"\n -- \"-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\"\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "ba81c182-4287-489d-af4d-8ae834b06040_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ba81c182-4287-489d-af4d-8ae834b06040_2.json b/packages/security_detection_engine/kibana/security_rule/ba81c182-4287-489d-af4d-8ae834b06040_2.json deleted file mode 100644 index 07b47eab79d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ba81c182-4287-489d-af4d-8ae834b06040_2.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the loading of a Linux kernel module by a non-root user through system calls. Threat actors may leverage Linux kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security products. As other rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through auditd_manager.", "from": "now-9m", "index": ["logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel Driver Load by non-root User", "query": "driver where host.os.type == \"linux\" and event.action == \"loaded-kernel-module\" and\nauditd.data.syscall in (\"init_module\", \"finit_module\") and user.id != \"0\"\n", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "ba81c182-4287-489d-af4d-8ae834b06040", "setup": "\nThis rule requires data coming in from Auditd Manager.\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -- \"-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\"\n -- \"-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules\"\n\n", "severity": "medium", "tags": ["Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": 
"Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1014", "name": "Rootkit", "reference": "https://attack.mitre.org/techniques/T1014/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "ba81c182-4287-489d-af4d-8ae834b06040_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022.json b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022.json
deleted file mode 100644
index 771834e014a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Image Load (taskschd.dll) from MS Office", "note": "## Triage and analysis\n\n### Investigating Suspicious Image Load (taskschd.dll) from MS Office\n\nMicrosoft Office, a widely used suite of productivity applications, is frequently targeted by attackers due to its popularity in corporate environments. These attackers exploit its extensive capabilities, like macro scripts in Word and Excel, to gain initial access to systems. They often use Office documents as delivery mechanisms for malware or phishing attempts, taking advantage of their trusted status in professional settings.\n\n`taskschd.dll` provides Command Object Model (COM) interfaces for the Windows Task Scheduler service, allowing developers to programmatically manage scheduled tasks.\n\nThis rule looks for an MS Office process loading `taskschd.dll`, which may indicate an adversary abusing COM to configure a scheduled task. This can happen as part of a phishing attack, when a malicious office document registers the scheduled task to download the malware \"stage 2\" or to establish persistent access.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Analyze the host's scheduled tasks and explore the related Windows events to determine if tasks were created or deleted (Event IDs 4698 and 4699).\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the files downloaded during the past 24 hours.\n - Identify files that are related or can be executed in MS Office.\n - Identify and analyze macros that these documents contain.\n - Identify suspicious traits in the office macros, such as encoded or encrypted sections.\n- Retrieve the suspicious files identified in the previous step and determine if they are malicious:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Related Rules\n\n- Suspicious WMI Image Load from MS Office - 891cb88e-441a-4c3e-be2d-120d99fe7b0d\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (?dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\")\n", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": 
"baa5d22c-5e1c-4f33-bfc9-efa73bb53022", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_102.json b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_102.json
deleted file mode 100644
index b2def5de6ea..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Image Load (taskschd.dll) from MS Office", "note": "", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\")\n", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so 
you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_103.json b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_103.json
deleted file mode 100644
index 17a91c2f32f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Image Load (taskschd.dll) from MS Office", "note": "", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\")\n", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so 
you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_104.json b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_104.json
deleted file mode 100644
index 3266c6e791f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Image Load (taskschd.dll) from MS Office", "note": "", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\")\n", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so 
you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_105.json b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_105.json
deleted file mode 100644
index 2fae3cb8a31..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Image Load (taskschd.dll) from MS Office", "note": "", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\")\n", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so 
you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_106.json b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_106.json
deleted file mode 100644
index 7ae75c90e9b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Image Load (taskschd.dll) from MS Office", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\")\n", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 
8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_107.json b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_107.json
deleted file mode 100644
index 3a2ceca5630..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Image Load (taskschd.dll) from MS Office", "note": "## Triage and analysis\n\n### Investigating Suspicious Image Load (taskschd.dll) from MS Office\n\nMicrosoft Office, a widely used suite of productivity applications, is frequently targeted by attackers due to its popularity in corporate environments. These attackers exploit its extensive capabilities, like macro scripts in Word and Excel, to gain initial access to systems. They often use Office documents as delivery mechanisms for malware or phishing attempts, taking advantage of their trusted status in professional settings.\n\n`taskschd.dll` provides Command Object Model (COM) interfaces for the Windows Task Scheduler service, allowing developers to programmatically manage scheduled tasks.\n\nThis rule looks for an MS Office process loading `taskschd.dll`, which may indicate an adversary abusing COM to configure a scheduled task. This can happen as part of a phishing attack, when a malicious office document registers the scheduled task to download the malware \"stage 2\" or to establish persistent access.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Analyze the host's scheduled tasks and explore the related Windows events to determine if tasks were created or deleted (Event IDs 4698 and 4699).\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the files downloaded during the past 24 hours.\n - Identify files that are related or can be executed in MS Office.\n - Identify and analyze macros that these documents contain.\n - Identify suspicious traits in the office macros, such as encoded or encrypted sections.\n- Retrieve the suspicious files identified in the previous step and determine if they are malicious:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Related Rules\n\n- Suspicious WMI Image Load from MS Office - 891cb88e-441a-4c3e-be2d-120d99fe7b0d\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\")\n", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": 
"baa5d22c-5e1c-4f33-bfc9-efa73bb53022", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_108.json b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_108.json deleted file mode 100644 index f494690db26..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Image Load (taskschd.dll) from MS Office", "note": "## Triage and analysis\n\n### Investigating Suspicious Image Load (taskschd.dll) from MS Office\n\nMicrosoft Office, a widely used suite of productivity applications, is frequently targeted by attackers due to its popularity in corporate environments. These attackers exploit its extensive capabilities, like macro scripts in Word and Excel, to gain initial access to systems. They often use Office documents as delivery mechanisms for malware or phishing attempts, taking advantage of their trusted status in professional settings.\n\n`taskschd.dll` provides Command Object Model (COM) interfaces for the Windows Task Scheduler service, allowing developers to programmatically manage scheduled tasks.\n\nThis rule looks for an MS Office process loading `taskschd.dll`, which may indicate an adversary abusing COM to configure a scheduled task. This can happen as part of a phishing attack, when a malicious office document registers the scheduled task to download the malware \"stage 2\" or to establish persistent access.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Analyze the host's scheduled tasks and explore the related Windows events to determine if tasks were created or deleted (Event IDs 4698 and 4699).\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the files downloaded during the past 24 hours.\n - Identify files that are related or can be executed in MS Office.\n - Identify and analyze macros that these documents contain.\n - Identify suspicious traits in the office macros, such as encoded or encrypted sections.\n- Retrieve the suspicious files identified in the previous step and determine if they are malicious:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Related Rules\n\n- Suspicious WMI Image Load from MS Office - 891cb88e-441a-4c3e-be2d-120d99fe7b0d\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (?dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\")\n", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": 
"baa5d22c-5e1c-4f33-bfc9-efa73bb53022", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022_108", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_109.json b/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_109.json
deleted file mode 100644
index 83a2925f281..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/baa5d22c-5e1c-4f33-bfc9-efa73bb53022_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Image Load (taskschd.dll) from MS Office", "note": "## Triage and analysis\n\n### Investigating Suspicious Image Load (taskschd.dll) from MS Office\n\nMicrosoft Office, a widely used suite of productivity applications, is frequently targeted by attackers due to its popularity in corporate environments. These attackers exploit its extensive capabilities, like macro scripts in Word and Excel, to gain initial access to systems. They often use Office documents as delivery mechanisms for malware or phishing attempts, taking advantage of their trusted status in professional settings.\n\n`taskschd.dll` provides Command Object Model (COM) interfaces for the Windows Task Scheduler service, allowing developers to programmatically manage scheduled tasks.\n\nThis rule looks for an MS Office process loading `taskschd.dll`, which may indicate an adversary abusing COM to configure a scheduled task. This can happen as part of a phishing attack, when a malicious office document registers the scheduled task to download the malware \"stage 2\" or to establish persistent access.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Analyze the host's scheduled tasks and explore the related Windows events to determine if tasks were created or deleted (Event IDs 4698 and 4699).\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Examine the files downloaded during the past 24 hours.\n - Identify files that are related or can be executed in MS Office.\n - Identify and analyze macros that these documents contain.\n - Identify suspicious traits in the office macros, such as encoded or encrypted sections.\n- Retrieve the suspicious files identified in the previous step and determine if they are malicious:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Related Rules\n\n- Suspicious WMI Image Load from MS Office - 891cb88e-441a-4c3e-be2d-120d99fe7b0d\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"library\", \"driver\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n process.name : (\"WINWORD.EXE\", \"EXCEL.EXE\", \"POWERPNT.EXE\", \"MSPUB.EXE\", \"MSACCESS.EXE\") and\n (?dll.name : \"taskschd.dll\" or file.name : \"taskschd.dll\")\n", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": 
"baa5d22c-5e1c-4f33-bfc9-efa73bb53022", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "baa5d22c-5e1c-4f33-bfc9-efa73bb53022_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bb4fe8d2-7ae2-475c-8b5d-55b449e4264f.json b/packages/security_detection_engine/kibana/security_rule/bb4fe8d2-7ae2-475c-8b5d-55b449e4264f.json deleted file mode 100644 index 04419320252..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/bb4fe8d2-7ae2-475c-8b5d-55b449e4264f.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data.", "false_positives": ["Deletion of a resource group may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Resource group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Resource Group Deletion", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE\" and event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", 
"reference": "https://attack.mitre.org/techniques/T1485/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bb4fe8d2-7ae2-475c-8b5d-55b449e4264f_101.json b/packages/security_detection_engine/kibana/security_rule/bb4fe8d2-7ae2-475c-8b5d-55b449e4264f_101.json deleted file mode 100644 index ed4afe12b58..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bb4fe8d2-7ae2-475c-8b5d-55b449e4264f_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally destroy data.", "false_positives": ["Deletion of a resource group may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Resource group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Resource Group Deletion", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE\" and event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Log Auditing"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", 
"reference": "https://attack.mitre.org/techniques/T1485/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69.json b/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69.json deleted file mode 100644 index 5a8f5e464fa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes.", "false_positives": ["Disabling encryption may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Disabling encryption by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Encryption Disabled", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "bb9b13b2-1700-48a8-a750-b43b0a72ab69", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS EC2", "Tactic: Impact"], "threat": [{"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1565", "name": "Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/", "subtechnique": [{"id": "T1565.001", "name": "Stored Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "bb9b13b2-1700-48a8-a750-b43b0a72ab69", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_102.json b/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_102.json deleted file mode 100644 index 193bde39f83..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes.", "false_positives": ["Disabling encryption may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Disabling encryption by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Encryption Disabled", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "bb9b13b2-1700-48a8-a750-b43b0a72ab69", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Data Protection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1565", "name": "Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/", "subtechnique": [{"id": "T1565.001", "name": "Stored Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "bb9b13b2-1700-48a8-a750-b43b0a72ab69_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_103.json b/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_103.json deleted file mode 100644 index d06e75c405e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes.", "false_positives": ["Disabling encryption may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Disabling encryption by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Encryption Disabled", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "bb9b13b2-1700-48a8-a750-b43b0a72ab69", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1565", "name": "Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/", "subtechnique": [{"id": "T1565.001", "name": "Stored Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "bb9b13b2-1700-48a8-a750-b43b0a72ab69_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_104.json b/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_104.json deleted file mode 100644 index 2c330b65a40..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes.", "false_positives": ["Disabling encryption may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Disabling encryption by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Encryption Disabled", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "bb9b13b2-1700-48a8-a750-b43b0a72ab69", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1565", "name": "Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/", "subtechnique": [{"id": "T1565.001", "name": "Stored Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "bb9b13b2-1700-48a8-a750-b43b0a72ab69_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_205.json b/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_205.json deleted file mode 100644 index 82986da0495..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bb9b13b2-1700-48a8-a750-b43b0a72ab69_205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes.", "false_positives": ["Disabling encryption may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Disabling encryption by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Encryption Disabled", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:DisableEbsEncryptionByDefault and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisableEbsEncryptionByDefault.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "bb9b13b2-1700-48a8-a750-b43b0a72ab69", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1565", "name": "Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/", "subtechnique": [{"id": "T1565.001", "name": "Stored Data Manipulation", "reference": "https://attack.mitre.org/techniques/T1565/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "bb9b13b2-1700-48a8-a750-b43b0a72ab69_205", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1.json b/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1.json deleted file mode 100644 index 45fafdb8582..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the occurence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain initial access to other endpoints in the environment.", "false_positives": ["Benign files can trigger signatures in the built-in virus protection"], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "OneDrive Malware File Upload", "note": "", "query": "event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", "references": ["https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1080", "name": "Taint Shared Content", "reference": "https://attack.mitre.org/techniques/T1080/"}]}], "timestamp_override": "event.ingested", "type": "query", 
"version": 206}, "id": "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_101.json b/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_101.json deleted file mode 100644 index 70ca5951388..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the occurence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain initial access to other endpoints in the environment.", "false_positives": ["Benign files can trigger signatures in the built-in virus protection"], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "OneDrive Malware File Upload", "note": "", "query": "event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", "references": ["https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1080", "name": "Taint Shared Content", "reference": "https://attack.mitre.org/techniques/T1080/"}]}], "timestamp_override": "event.ingested", "type": 
"query", "version": 101}, "id": "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_102.json b/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_102.json deleted file mode 100644 index 238cd9789b1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the occurence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain initial access to other endpoints in the environment.", "false_positives": ["Benign files can trigger signatures in the built-in virus protection"], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "OneDrive Malware File Upload", "note": "", "query": "event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", "references": ["https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1080", "name": "Taint Shared Content", "reference": "https://attack.mitre.org/techniques/T1080/"}]}], "timestamp_override": "event.ingested", "type": "query", 
"version": 102}, "id": "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_103.json b/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_103.json deleted file mode 100644 index 92006f7ab1a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the occurence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain initial access to other endpoints in the environment.", "false_positives": ["Benign files can trigger signatures in the built-in virus protection"], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "OneDrive Malware File Upload", "note": "", "query": "event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", "references": ["https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1080", "name": "Taint Shared Content", "reference": "https://attack.mitre.org/techniques/T1080/"}]}], "timestamp_override": "event.ingested", "type": "query", 
"version": 103}, "id": "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_105.json b/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_105.json deleted file mode 100644 index 9f2a586253d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the occurence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunity to gain initial access to other endpoints in the environment.", "false_positives": ["Benign files can trigger signatures in the built-in virus protection"], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "OneDrive Malware File Upload", "note": "", "query": "event.dataset:o365.audit and event.provider:OneDrive and event.code:SharePointFileOperation and event.action:FileMalwareDetected\n", "references": ["https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1080", "name": "Taint Shared Content", "reference": "https://attack.mitre.org/techniques/T1080/"}]}], "timestamp_override": "event.ingested", "type": "query", 
"version": 105}, "id": "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409.json b/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409.json deleted file mode 100644 index 0d17542b8d3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination ports using 2 or less packets per port.", "from": "now-9m", "index": ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*"], "language": "kuery", "license": "Elastic License v2", "max_signals": 5, "name": "Potential SYN-Based Network Scan Detected", "query": "destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "network.packets", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "bbaa96b9-f36c-4898-ace2-581acb00a409", "severity": "low", "tags": ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}, {"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0043", "name": "Reconnaissance", "reference": "https://attack.mitre.org/tactics/TA0043/"}, "technique": [{"id": "T1595", "name": "Active Scanning", "reference": "https://attack.mitre.org/techniques/T1595/", "subtechnique": [{"id": "T1595.001", "name": "Scanning IP Blocks", "reference": "https://attack.mitre.org/techniques/T1595/001/"}]}]}], "threshold": {"cardinality": [{"field": "destination.port", "value": 250}], "field": ["destination.ip", "source.ip"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 6}, "id": "bbaa96b9-f36c-4898-ace2-581acb00a409", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_1.json b/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_1.json deleted file mode 100644 index 774c013d47e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination ports using 2 or less packets per port.", "from": "now-9m", "index": ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential SYN-Based Network Scan Detected", "query": "destination.port :* and network.packets <= 2\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "network.packets", "type": "long"}], "risk_score": 47, "rule_id": "bbaa96b9-f36c-4898-ace2-581acb00a409", "severity": "medium", "tags": ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0043", "name": "Reconnaissance", "reference": "https://attack.mitre.org/tactics/TA0043/"}, "technique": [{"id": "T1595", "name": "Active Scanning", "reference": 
"https://attack.mitre.org/techniques/T1595/", "subtechnique": [{"id": "T1595.001", "name": "Scanning IP Blocks", "reference": "https://attack.mitre.org/techniques/T1595/001/"}]}]}], "threshold": {"cardinality": [{"field": "destination.port", "value": 10}], "field": ["destination.ip", "source.ip"], "value": 1}, "type": "threshold", "version": 1}, "id": "bbaa96b9-f36c-4898-ace2-581acb00a409_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_2.json b/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_2.json deleted file mode 100644 index da7e6649d2e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination ports using 2 or less packets per port.", "from": "now-9m", "index": ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential SYN-Based Network Scan Detected", "query": "destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "network.packets", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "bbaa96b9-f36c-4898-ace2-581acb00a409", "severity": "low", "tags": ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0043", "name": "Reconnaissance", "reference": 
"https://attack.mitre.org/tactics/TA0043/"}, "technique": [{"id": "T1595", "name": "Active Scanning", "reference": "https://attack.mitre.org/techniques/T1595/", "subtechnique": [{"id": "T1595.001", "name": "Scanning IP Blocks", "reference": "https://attack.mitre.org/techniques/T1595/001/"}]}]}], "threshold": {"cardinality": [{"field": "destination.port", "value": 250}], "field": ["destination.ip", "source.ip"], "value": 1}, "type": "threshold", "version": 2}, "id": "bbaa96b9-f36c-4898-ace2-581acb00a409_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_3.json b/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_3.json deleted file mode 100644 index e35d8786592..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination ports using 2 or less packets per port.", "from": "now-9m", "index": ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential SYN-Based Network Scan Detected", "query": "destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "network.packets", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "bbaa96b9-f36c-4898-ace2-581acb00a409", "severity": "low", "tags": ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0043", "name": "Reconnaissance", 
"reference": "https://attack.mitre.org/tactics/TA0043/"}, "technique": [{"id": "T1595", "name": "Active Scanning", "reference": "https://attack.mitre.org/techniques/T1595/", "subtechnique": [{"id": "T1595.001", "name": "Scanning IP Blocks", "reference": "https://attack.mitre.org/techniques/T1595/001/"}]}]}], "threshold": {"cardinality": [{"field": "destination.port", "value": 250}], "field": ["destination.ip", "source.ip"], "value": 1}, "type": "threshold", "version": 3}, "id": "bbaa96b9-f36c-4898-ace2-581acb00a409_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_4.json b/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_4.json deleted file mode 100644 index 474c5f7fe66..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination ports using 2 or less packets per port.", "from": "now-9m", "index": ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*"], "language": "kuery", "license": "Elastic License v2", "max_signals": 5, "name": "Potential SYN-Based Network Scan Detected", "query": "destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "network.packets", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "bbaa96b9-f36c-4898-ace2-581acb00a409", "severity": "low", "tags": ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0043", "name": 
"Reconnaissance", "reference": "https://attack.mitre.org/tactics/TA0043/"}, "technique": [{"id": "T1595", "name": "Active Scanning", "reference": "https://attack.mitre.org/techniques/T1595/", "subtechnique": [{"id": "T1595.001", "name": "Scanning IP Blocks", "reference": "https://attack.mitre.org/techniques/T1595/001/"}]}]}], "threshold": {"cardinality": [{"field": "destination.port", "value": 250}], "field": ["destination.ip", "source.ip"], "value": 1}, "type": "threshold", "version": 4}, "id": "bbaa96b9-f36c-4898-ace2-581acb00a409_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_5.json b/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_5.json deleted file mode 100644 index 5b143b8b0af..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination ports using 2 or less packets per port.", "from": "now-9m", "index": ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*"], "language": "kuery", "license": "Elastic License v2", "max_signals": 5, "name": "Potential SYN-Based Network Scan Detected", "query": "destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "network.packets", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "bbaa96b9-f36c-4898-ace2-581acb00a409", "severity": "low", "tags": ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0043", "name": 
"Reconnaissance", "reference": "https://attack.mitre.org/tactics/TA0043/"}, "technique": [{"id": "T1595", "name": "Active Scanning", "reference": "https://attack.mitre.org/techniques/T1595/", "subtechnique": [{"id": "T1595.001", "name": "Scanning IP Blocks", "reference": "https://attack.mitre.org/techniques/T1595/001/"}]}]}], "threshold": {"cardinality": [{"field": "destination.port", "value": 250}], "field": ["destination.ip", "source.ip"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 5}, "id": "bbaa96b9-f36c-4898-ace2-581acb00a409_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_6.json b/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_6.json deleted file mode 100644 index d21c37f5744..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bbaa96b9-f36c-4898-ace2-581acb00a409_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a potential SYN-Based port scan. A SYN port scan is a technique employed by attackers to scan a target network for open ports by sending SYN packets to multiple ports and observing the response. Attackers use this method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts from one source host to 10 or more destination ports using 2 or less packets per port.", "from": "now-9m", "index": ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*"], "language": "kuery", "license": "Elastic License v2", "max_signals": 5, "name": "Potential SYN-Based Network Scan Detected", "query": "destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "network.packets", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 21, "rule_id": "bbaa96b9-f36c-4898-ace2-581acb00a409", "severity": "low", "tags": ["Domain: Network", "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": "https://attack.mitre.org/techniques/T1046/"}]}, {"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0043", "name": "Reconnaissance", "reference": "https://attack.mitre.org/tactics/TA0043/"}, "technique": [{"id": "T1595", "name": "Active Scanning", "reference": "https://attack.mitre.org/techniques/T1595/", "subtechnique": [{"id": "T1595.001", "name": "Scanning IP Blocks", "reference": "https://attack.mitre.org/techniques/T1595/001/"}]}]}], "threshold": {"cardinality": [{"field": "destination.port", "value": 250}], "field": ["destination.ip", "source.ip"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 6}, "id": "bbaa96b9-f36c-4898-ace2-581acb00a409_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac.json b/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac.json deleted file mode 100644 index 66ef5fbe8f4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may abuse this behavior to establish persistence in an environment.", "false_positives": ["Custom applications may be allowed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Teams Custom Application Interaction Allowed", "note": "", "query": "event.dataset:o365.audit and event.provider:MicrosoftTeams and\nevent.category:web and event.action:TeamsTenantSettingChanged and\no365.audit.Name:\"Allow sideloading and interaction of custom apps\" and\no365.audit.NewValue:True and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Name", "type": "keyword"}, {"ecs": false, "name": "o365.audit.NewValue", "type": "keyword"}], "risk_score": 47, "rule_id": "bbd1a775-8267-41fa-9232-20e5582596ac", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration 
Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "bbd1a775-8267-41fa-9232-20e5582596ac", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_101.json b/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_101.json deleted file mode 100644 index fc5e9de8d6c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may abuse this behavior to establish persistence in an environment.", "false_positives": ["Custom applications may be allowed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Teams Custom Application Interaction Allowed", "note": "", "query": "event.dataset:o365.audit and event.provider:MicrosoftTeams and\nevent.category:web and event.action:TeamsTenantSettingChanged and\no365.audit.Name:\"Allow sideloading and interaction of custom apps\" and\no365.audit.NewValue:True and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Name", "type": "keyword"}, {"ecs": false, "name": "o365.audit.NewValue", "type": "unknown"}], "risk_score": 47, "rule_id": "bbd1a775-8267-41fa-9232-20e5582596ac", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", 
"Configuration Audit", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "bbd1a775-8267-41fa-9232-20e5582596ac_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_102.json b/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_102.json deleted file mode 100644 index 3fdba38fea5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may abuse this behavior to establish persistence in an environment.", "false_positives": ["Custom applications may be allowed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Teams Custom Application Interaction Allowed", "note": "", "query": "event.dataset:o365.audit and event.provider:MicrosoftTeams and\nevent.category:web and event.action:TeamsTenantSettingChanged and\no365.audit.Name:\"Allow sideloading and interaction of custom apps\" and\no365.audit.NewValue:True and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Name", "type": "keyword"}, {"ecs": false, "name": "o365.audit.NewValue", "type": "unknown"}], "risk_score": 47, "rule_id": "bbd1a775-8267-41fa-9232-20e5582596ac", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration 
Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "bbd1a775-8267-41fa-9232-20e5582596ac_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_103.json b/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_103.json deleted file mode 100644 index 408c70680cb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may abuse this behavior to establish persistence in an environment.", "false_positives": ["Custom applications may be allowed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Teams Custom Application Interaction Allowed", "note": "", "query": "event.dataset:o365.audit and event.provider:MicrosoftTeams and\nevent.category:web and event.action:TeamsTenantSettingChanged and\no365.audit.Name:\"Allow sideloading and interaction of custom apps\" and\no365.audit.NewValue:True and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Name", "type": "keyword"}, {"ecs": false, "name": "o365.audit.NewValue", "type": "keyword"}], "risk_score": 47, "rule_id": "bbd1a775-8267-41fa-9232-20e5582596ac", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration 
Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "bbd1a775-8267-41fa-9232-20e5582596ac_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_104.json b/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_104.json deleted file mode 100644 index a88ee7674e5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may abuse this behavior to establish persistence in an environment.", "false_positives": ["Custom applications may be allowed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Teams Custom Application Interaction Allowed", "note": "", "query": "event.dataset:o365.audit and event.provider:MicrosoftTeams and\nevent.category:web and event.action:TeamsTenantSettingChanged and\no365.audit.Name:\"Allow sideloading and interaction of custom apps\" and\no365.audit.NewValue:True and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Name", "type": "keyword"}, {"ecs": false, "name": "o365.audit.NewValue", "type": "keyword"}], "risk_score": 47, "rule_id": "bbd1a775-8267-41fa-9232-20e5582596ac", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration 
Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "bbd1a775-8267-41fa-9232-20e5582596ac_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_106.json b/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_106.json deleted file mode 100644 index 39b2e742d2c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bbd1a775-8267-41fa-9232-20e5582596ac_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may abuse this behavior to establish persistence in an environment.", "false_positives": ["Custom applications may be allowed by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Teams Custom Application Interaction Allowed", "note": "", "query": "event.dataset:o365.audit and event.provider:MicrosoftTeams and\nevent.category:web and event.action:TeamsTenantSettingChanged and\no365.audit.Name:\"Allow sideloading and interaction of custom apps\" and\no365.audit.NewValue:True and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Name", "type": "keyword"}, {"ecs": false, "name": "o365.audit.NewValue", "type": "keyword"}], "risk_score": 47, "rule_id": "bbd1a775-8267-41fa-9232-20e5582596ac", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration 
Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "bbd1a775-8267-41fa-9232-20e5582596ac_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc.json b/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc.json deleted file mode 100644 index b0fa24f1d6c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA.", "false_positives": ["Some organizations allow login with the root user without MFA, however, this is not considered best practice by AWS and increases the risk of compromised credentials."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Root Login Without MFA", "note": "## Triage and analysis\n\n### Investigating AWS Root Login Without MFA\n\nMulti-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for their user name and password, as well as for an authentication code from their AWS MFA device. Taken together, these multiple factors provide increased security for your AWS account settings and resources.\n\nFor more information about using MFA in AWS, access the [official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html).\n\nThe AWS root account is the one identity that has complete access to all AWS services and resources in the account, which is created when the AWS account is created. AWS strongly recommends that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. 
Amazon provides a [list of the tasks that require root user](https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root).\n\nThis rule looks for attempts to log in to AWS as the root user without using multi-factor authentication (MFA), meaning the account is not secured properly.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Examine whether this activity is common in the environment by looking for past occurrences on your logs.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user?\n- Examine the commands, API calls, and data management actions performed by the account in the last 24 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking access to servers,\nservices, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity is not inherently malicious, the root account must use MFA. 
The security team should address any potential benign true positive (B-TP), as this configuration can risk the entire cloud environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Identify the services or servers involved criticality.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify if there are any regulatory or legal ramifications related to this activity.\n- Configure multi-factor authentication for the user.\n- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and\n aws.cloudtrail.user_identity.type:Root and\n aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and\n event.outcome:success\n", "references": ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.console_login.additional_eventdata.mfa_used", "type": "boolean"}, {"ecs": false, "name": "aws.cloudtrail.user_identity.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, 
"rule_id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_105.json b/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_105.json deleted file mode 100644 index ce568e4c4e4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA.", "false_positives": ["Some organizations allow login with the root user without MFA, however, this is not considered best practice by AWS and increases the risk of compromised credentials."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Root Login Without MFA", "note": "## Triage and analysis\n\n### Investigating AWS Root Login Without MFA\n\nMulti-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for their user name and password, as well as for an authentication code from their AWS MFA device. Taken together, these multiple factors provide increased security for your AWS account settings and resources.\n\nFor more information about using MFA in AWS, access the [official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html).\n\nThe AWS root account is the one identity that has complete access to all AWS services and resources in the account, which is created when the AWS account is created. AWS strongly recommends that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. 
Amazon provides a [list of the tasks that require root user](https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root).\n\nThis rule looks for attempts to log in to AWS as the root user without using multi-factor authentication (MFA), meaning the account is not secured properly.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Examine whether this activity is common in the environment by looking for past occurrences on your logs.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user?\n- Examine the commands, API calls, and data management actions performed by the account in the last 24 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking access to servers,\nservices, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity is not inherently malicious, the root account must use MFA. 
The security team should address any potential benign true positive (B-TP), as this configuration can risk the entire cloud environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Identify the services or servers involved criticality.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify if there are any regulatory or legal ramifications related to this activity.\n- Configure multi-factor authentication for the user.\n- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and\n aws.cloudtrail.user_identity.type:Root and\n aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and\n event.outcome:success\n", "references": ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.console_login.additional_eventdata.mfa_used", "type": "boolean"}, {"ecs": false, "name": "aws.cloudtrail.user_identity.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, 
"rule_id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_106.json b/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_106.json deleted file mode 100644 index 746caeac74a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA.", "false_positives": ["Some organizations allow login with the root user without MFA, however, this is not considered best practice by AWS and increases the risk of compromised credentials."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Root Login Without MFA", "note": "## Triage and analysis\n\n### Investigating AWS Root Login Without MFA\n\nMulti-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for their user name and password, as well as for an authentication code from their AWS MFA device. Taken together, these multiple factors provide increased security for your AWS account settings and resources.\n\nFor more information about using MFA in AWS, access the [official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html).\n\nThe AWS root account is the one identity that has complete access to all AWS services and resources in the account, which is created when the AWS account is created. AWS strongly recommends that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. 
Amazon provides a [list of the tasks that require root user](https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root).\n\nThis rule looks for attempts to log in to AWS as the root user without using multi-factor authentication (MFA), meaning the account is not secured properly.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Examine whether this activity is common in the environment by looking for past occurrences on your logs.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user?\n- Examine the commands, API calls, and data management actions performed by the account in the last 24 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking access to servers,\nservices, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity is not inherently malicious, the root account must use MFA. 
The security team should address any potential benign true positive (B-TP), as this configuration can risk the entire cloud environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Identify the services or servers involved criticality.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify if there are any regulatory or legal ramifications related to this activity.\n- Configure multi-factor authentication for the user.\n- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and\n aws.cloudtrail.user_identity.type:Root and\n aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and\n event.outcome:success\n", "references": ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.console_login.additional_eventdata.mfa_used", "type": "boolean"}, {"ecs": false, "name": "aws.cloudtrail.user_identity.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, 
"rule_id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_107.json b/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_107.json deleted file mode 100644 index c8ff3fb15ad..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA.", "false_positives": ["Some organizations allow login with the root user without MFA, however, this is not considered best practice by AWS and increases the risk of compromised credentials."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Root Login Without MFA", "note": "## Triage and analysis\n\n### Investigating AWS Root Login Without MFA\n\nMulti-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for their user name and password, as well as for an authentication code from their AWS MFA device. Taken together, these multiple factors provide increased security for your AWS account settings and resources.\n\nFor more information about using MFA in AWS, access the [official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html).\n\nThe AWS root account is the one identity that has complete access to all AWS services and resources in the account, which is created when the AWS account is created. AWS strongly recommends that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. 
Amazon provides a [list of the tasks that require root user](https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root).\n\nThis rule looks for attempts to log in to AWS as the root user without using multi-factor authentication (MFA), meaning the account is not secured properly.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Examine whether this activity is common in the environment by looking for past occurrences on your logs.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user?\n- Examine the commands, API calls, and data management actions performed by the account in the last 24 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking access to servers,\nservices, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity is not inherently malicious, the root account must use MFA. 
The security team should address any potential benign true positive (B-TP), as this configuration can risk the entire cloud environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Identify the services or servers involved criticality.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify if there are any regulatory or legal ramifications related to this activity.\n- Configure multi-factor authentication for the user.\n- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and\n aws.cloudtrail.user_identity.type:Root and\n aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and\n event.outcome:success\n", "references": ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.console_login.additional_eventdata.mfa_used", "type": "boolean"}, {"ecs": false, "name": "aws.cloudtrail.user_identity.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, 
"rule_id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_208.json b/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_208.json deleted file mode 100644 index 2a3e397a980..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bc0c6f0d-dab0-47a3-b135-0925f0a333bc_208.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA.", "false_positives": ["Some organizations allow login with the root user without MFA, however, this is not considered best practice by AWS and increases the risk of compromised credentials."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Root Login Without MFA", "note": "## Triage and analysis\n\n### Investigating AWS Root Login Without MFA\n\nMulti-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for their user name and password, as well as for an authentication code from their AWS MFA device. Taken together, these multiple factors provide increased security for your AWS account settings and resources.\n\nFor more information about using MFA in AWS, access the [official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html).\n\nThe AWS root account is the one identity that has complete access to all AWS services and resources in the account, which is created when the AWS account is created. AWS strongly recommends that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. 
Amazon provides a [list of the tasks that require root user](https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root).\n\nThis rule looks for attempts to log in to AWS as the root user without using multi-factor authentication (MFA), meaning the account is not secured properly.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Examine whether this activity is common in the environment by looking for past occurrences on your logs.\n- Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user?\n- Examine the commands, API calls, and data management actions performed by the account in the last 24 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking access to servers,\nservices, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity is not inherently malicious, the root account must use MFA. 
The security team should address any potential benign true positive (B-TP), as this configuration can risk the entire cloud environment.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Identify the services or servers involved criticality.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify if there are any regulatory or legal ramifications related to this activity.\n- Configure multi-factor authentication for the user.\n- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and\n aws.cloudtrail.user_identity.type:Root and\n aws.cloudtrail.console_login.additional_eventdata.mfa_used:false and\n event.outcome:success\n", "references": ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.console_login.additional_eventdata.mfa_used", "type": "boolean"}, {"ecs": false, "name": "aws.cloudtrail.user_identity.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, 
"rule_id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 208}, "id": "bc0c6f0d-dab0-47a3-b135-0925f0a333bc_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331.json b/packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331.json deleted file mode 100644 index 2e167761557..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.", "false_positives": ["Storage buckets may be deleted by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Bucket deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Storage Bucket Deletion", "note": "", "query": "event.dataset:gcp.audit and event.action:\"storage.buckets.delete\"\n", "references": ["https://cloud.google.com/storage/docs/key-terms#buckets"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331_103.json b/packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331_103.json
deleted file mode 100644
index d80aa83907f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bc0f2d83-32b8-4ae2-b0e6-6a45772e9331_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a Google Cloud Platform (GCP) storage bucket is deleted. An adversary may delete a storage bucket in order to disrupt their target's business operations.", "false_positives": ["Storage buckets may be deleted by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Bucket deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Storage Bucket Deletion", "note": "", "query": "event.dataset:gcp.audit and event.action:\"storage.buckets.delete\"\n", "references": ["https://cloud.google.com/storage/docs/key-terms#buckets"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/bc0fc359-68db-421e-a435-348ced7a7f92.json b/packages/security_detection_engine/kibana/security_rule/bc0fc359-68db-421e-a435-348ced7a7f92.json
deleted file mode 100644
index 73108438803..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bc0fc359-68db-421e-a435-348ced7a7f92.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to exploit a local privilege escalation CVE-2022-37706 via a flaw in Linux window manager package Enlightenment. enlightenment_sys in Enlightenment before 0.25.4 allows local users to gain privileges because it is setuid root, and the system library function mishandles pathnames that begin with a /dev/.. substring.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via Enlightenment", "query": "sequence by host.id, process.parent.entity_id with maxspan=5s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.name == \"enlightenment_sys\" and process.args in (\"/bin/mount/\", \"-o\",\"noexec\",\"nosuid\",\"nodev\",\"uid=*\") ]\n [process where host.os.type == \"linux\" and event.action == \"uid_change\" and event.type == \"change\" and user.id == \"0\"]\n", "references": ["https://ubuntu.com/security/CVE-2022-37706", "https://www.exploit-db.com/exploits/51180"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "bc0fc359-68db-421e-a435-348ced7a7f92", "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 2}, "id": "bc0fc359-68db-421e-a435-348ced7a7f92", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc0fc359-68db-421e-a435-348ced7a7f92_1.json b/packages/security_detection_engine/kibana/security_rule/bc0fc359-68db-421e-a435-348ced7a7f92_1.json deleted file mode 100644 index 571e7217e21..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bc0fc359-68db-421e-a435-348ced7a7f92_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to exploit a local privilege escalation CVE-2022-37706 via a flaw in Linux window manager package Enlightenment. enlightenment_sys in Enlightenment before 0.25.4 allows local users to gain privileges because it is setuid root, and the system library function mishandles pathnames that begin with a /dev/.. substring.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via Enlightenment", "query": "sequence by host.id, process.parent.entity_id with maxspan=5s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and\n process.name == \"enlightenment_sys\" and process.args in (\"/bin/mount/\", \"-o\",\"noexec\",\"nosuid\",\"nodev\",\"uid=*\") ]\n [process where host.os.type == \"linux\" and event.action == \"uid_change\" and event.type == \"change\" and user.id == \"0\"]\n", "references": ["https://ubuntu.com/security/CVE-2022-37706", "https://www.exploit-db.com/exploits/51180"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "bc0fc359-68db-421e-a435-348ced7a7f92", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 1}, "id": "bc0fc359-68db-421e-a435-348ced7a7f92_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67.json b/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67.json deleted file mode 100644 index ded7c96ac00..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.", "false_positives": ["Certain applications may install root certificates for the purpose of inspecting SSL traffic."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Install Root Certificate", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:security and process.args:\"add-trusted-cert\" and\n not process.parent.executable:(\"/Library/Bitdefender/AVP/product/bin/BDCoreIssues\" or \"/Applications/Bitdefender/SecurityNetworkInstallerApp.app/Contents/MacOS/SecurityNetworkInstallerApp\"\n)\n", "references": ["https://ss64.com/osx/security-cert.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "bc1eeacf-2972-434f-b782-3a532b100d67", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.004", "name": "Install Root Certificate", "reference": "https://attack.mitre.org/techniques/T1553/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "bc1eeacf-2972-434f-b782-3a532b100d67", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_102.json b/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_102.json deleted file mode 100644 index 3bf83f9e223..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.", "false_positives": ["Certain applications may install root certificates for the purpose of inspecting SSL traffic."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Install Root Certificate", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:security and process.args:\"add-trusted-cert\" and\n not process.parent.executable:(\"/Library/Bitdefender/AVP/product/bin/BDCoreIssues\" or \"/Applications/Bitdefender/SecurityNetworkInstallerApp.app/Contents/MacOS/SecurityNetworkInstallerApp\"\n)\n", "references": ["https://ss64.com/osx/security-cert.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "bc1eeacf-2972-434f-b782-3a532b100d67", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", 
"name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.004", "name": "Install Root Certificate", "reference": "https://attack.mitre.org/techniques/T1553/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "bc1eeacf-2972-434f-b782-3a532b100d67_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_103.json b/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_103.json deleted file mode 100644 index 1a7857a0e3d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.", "false_positives": ["Certain applications may install root certificates for the purpose of inspecting SSL traffic."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Install Root Certificate", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:security and process.args:\"add-trusted-cert\" and\n not process.parent.executable:(\"/Library/Bitdefender/AVP/product/bin/BDCoreIssues\" or \"/Applications/Bitdefender/SecurityNetworkInstallerApp.app/Contents/MacOS/SecurityNetworkInstallerApp\"\n)\n", "references": ["https://ss64.com/osx/security-cert.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "bc1eeacf-2972-434f-b782-3a532b100d67", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, 
"technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.004", "name": "Install Root Certificate", "reference": "https://attack.mitre.org/techniques/T1553/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "bc1eeacf-2972-434f-b782-3a532b100d67_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_104.json b/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_104.json deleted file mode 100644 index 8a6951cf1fe..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.", "false_positives": ["Certain applications may install root certificates for the purpose of inspecting SSL traffic."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Install Root Certificate", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:security and process.args:\"add-trusted-cert\" and\n not process.parent.executable:(\"/Library/Bitdefender/AVP/product/bin/BDCoreIssues\" or \"/Applications/Bitdefender/SecurityNetworkInstallerApp.app/Contents/MacOS/SecurityNetworkInstallerApp\"\n)\n", "references": ["https://ss64.com/osx/security-cert.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "bc1eeacf-2972-434f-b782-3a532b100d67", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.004", "name": "Install Root Certificate", "reference": "https://attack.mitre.org/techniques/T1553/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "bc1eeacf-2972-434f-b782-3a532b100d67_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_105.json b/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_105.json
deleted file mode 100644
index 7d5ba1f8954..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bc1eeacf-2972-434f-b782-3a532b100d67_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.", "false_positives": ["Certain applications may install root certificates for the purpose of inspecting SSL traffic."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Install Root Certificate", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:security and process.args:\"add-trusted-cert\" and\n not process.parent.executable:(\"/Library/Bitdefender/AVP/product/bin/BDCoreIssues\" or \"/Applications/Bitdefender/SecurityNetworkInstallerApp.app/Contents/MacOS/SecurityNetworkInstallerApp\"\n)\n", "references": ["https://ss64.com/osx/security-cert.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "bc1eeacf-2972-434f-b782-3a532b100d67", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.004", "name": "Install Root Certificate", "reference": "https://attack.mitre.org/techniques/T1553/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "bc1eeacf-2972-434f-b782-3a532b100d67_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bc48bba7-4a23-4232-b551-eca3ca1e3f20.json b/packages/security_detection_engine/kibana/security_rule/bc48bba7-4a23-4232-b551-eca3ca1e3f20.json
deleted file mode 100644
index e5b683279bb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bc48bba7-4a23-4232-b551-eca3ca1e3f20.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target's security controls.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Conditional Access Policy Modified", "note": "", "query": "event.dataset:(azure.activitylogs or azure.auditlogs) and\nevent.action:\"Update conditional access policy\" and event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}, {"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "bc48bba7-4a23-4232-b551-eca3ca1e3f20", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "bc48bba7-4a23-4232-b551-eca3ca1e3f20", "type": "security-rule"}
\ 
No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bc48bba7-4a23-4232-b551-eca3ca1e3f20_101.json b/packages/security_detection_engine/kibana/security_rule/bc48bba7-4a23-4232-b551-eca3ca1e3f20_101.json
deleted file mode 100644
index ec59e0aa6d5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bc48bba7-4a23-4232-b551-eca3ca1e3f20_101.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to weaken their target's security controls.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Conditional Access Policy Modified", "note": "", "query": "event.dataset:(azure.activitylogs or azure.auditlogs) and\nevent.action:\"Update conditional access policy\" and event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}, {"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "bc48bba7-4a23-4232-b551-eca3ca1e3f20", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "bc48bba7-4a23-4232-b551-eca3ca1e3f20_101", "type": "security-rule"}
\ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9.json b/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9.json
deleted file mode 100644
index 81f84228f01..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potentially malicious processes communicating via a port paring typically not associated with SSH. For example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.", "false_positives": ["SSH over ports apart from the traditional port 22 is highly uncommon. This rule alerts the usage of the such uncommon ports by the ssh service. Tuning is needed to have higher confidence. If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination whitelisted ports for such legitimate ssh activities."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Non-Standard Port SSH connection", "query": "sequence by process.entity_id with maxspan=1m\n [process where event.action == \"exec\" and process.name:\"ssh\" and not process.parent.name in (\n \"rsync\", \"pyznap\", \"git\", \"ansible-playbook\", \"scp\", \"pgbackrest\", \"git-lfs\", \"expect\", \"Sourcetree\", \"ssh-copy-id\",\n \"run\"\n )\n ]\n [network where process.name:\"ssh\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n destination.port != 22 and destination.ip != \"127.0.0.1\" and network.transport: \"tcp\"\n ]\n", "references": ["https://attack.mitre.org/techniques/T1571/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, 
"name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "OS: macOS", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1571", "name": "Non-Standard Port", "reference": "https://attack.mitre.org/techniques/T1571/"}]}], "type": "eql", "version": 5}, "id": "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_2.json b/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_2.json
deleted file mode 100644
index 5bf34e4544a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potentially malicious processes communicating via a port paring typically not associated with SSH. For example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.", "false_positives": ["SSH over ports apart from the traditional port 22 is highly uncommon. This rule alerts the usage of the such uncommon ports by the ssh service. Tuning is needed to have higher confidence. If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination whitelisted ports for such legitimate ssh activities."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Non-Standard Port SSH connection", "query": "sequence by process.entity_id with maxspan=1m\n[process where event.action == \"exec\" and process.name:\"ssh\"]\n[network where process.name:\"ssh\"\n and event.action in (\"connection_attempted\", \"connection_accepted\")\n and destination.port != 22\n and destination.ip != \"127.0.0.1\"\n and network.transport: \"tcp\"\n]\n", "references": ["https://attack.mitre.org/techniques/T1571/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9", "severity": "low", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Command and Control", "macOS"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1571", "name": "Non-Standard Port", "reference": "https://attack.mitre.org/techniques/T1571/"}]}], "type": "eql", "version": 2}, "id": "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_3.json b/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_3.json
deleted file mode 100644
index e077eed30be..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potentially malicious processes communicating via a port paring typically not associated with SSH. For example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.", "false_positives": ["SSH over ports apart from the traditional port 22 is highly uncommon. This rule alerts the usage of the such uncommon ports by the ssh service. Tuning is needed to have higher confidence. If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination whitelisted ports for such legitimate ssh activities."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Non-Standard Port SSH connection", "query": "sequence by process.entity_id with maxspan=1m\n[process where event.action == \"exec\" and process.name:\"ssh\"]\n[network where process.name:\"ssh\"\n and event.action in (\"connection_attempted\", \"connection_accepted\")\n and destination.port != 22\n and destination.ip != \"127.0.0.1\"\n and network.transport: \"tcp\"\n]\n", "references": ["https://attack.mitre.org/techniques/T1571/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "OS: 
macOS"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1571", "name": "Non-Standard Port", "reference": "https://attack.mitre.org/techniques/T1571/"}]}], "type": "eql", "version": 3}, "id": "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_4.json b/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_4.json
deleted file mode 100644
index 72376f6da8b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potentially malicious processes communicating via a port paring typically not associated with SSH. For example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.", "false_positives": ["SSH over ports apart from the traditional port 22 is highly uncommon. This rule alerts the usage of the such uncommon ports by the ssh service. Tuning is needed to have higher confidence. If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination whitelisted ports for such legitimate ssh activities."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Non-Standard Port SSH connection", "query": "sequence by process.entity_id with maxspan=1m\n[process where event.action == \"exec\" and process.name:\"ssh\"]\n[network where process.name:\"ssh\"\n and event.action in (\"connection_attempted\", \"connection_accepted\")\n and destination.port != 22\n and destination.ip != \"127.0.0.1\"\n and network.transport: \"tcp\"\n]\n", "references": ["https://attack.mitre.org/techniques/T1571/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "OS: 
macOS", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1571", "name": "Non-Standard Port", "reference": "https://attack.mitre.org/techniques/T1571/"}]}], "type": "eql", "version": 4}, "id": "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_5.json b/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_5.json
deleted file mode 100644
index 9db0bea49b0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potentially malicious processes communicating via a port paring typically not associated with SSH. For example, SSH over port 2200 or port 2222 as opposed to the traditional port 22. Adversaries may make changes to the standard port a protocol uses to bypass filtering or muddle analysis/parsing of network data.", "false_positives": ["SSH over ports apart from the traditional port 22 is highly uncommon. This rule alerts the usage of the such uncommon ports by the ssh service. Tuning is needed to have higher confidence. If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination whitelisted ports for such legitimate ssh activities."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Non-Standard Port SSH connection", "query": "sequence by process.entity_id with maxspan=1m\n [process where event.action == \"exec\" and process.name:\"ssh\" and not process.parent.name in (\n \"rsync\", \"pyznap\", \"git\", \"ansible-playbook\", \"scp\", \"pgbackrest\", \"git-lfs\", \"expect\", \"Sourcetree\", \"ssh-copy-id\",\n \"run\"\n )\n ]\n [network where process.name:\"ssh\" and event.action in (\"connection_attempted\", \"connection_accepted\") and \n destination.port != 22 and destination.ip != \"127.0.0.1\" and network.transport: \"tcp\"\n ]\n", "references": ["https://attack.mitre.org/techniques/T1571/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, 
"name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "OS: macOS", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1571", "name": "Non-Standard Port", "reference": "https://attack.mitre.org/techniques/T1571/"}]}], "type": "eql", "version": 5}, "id": "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bc9e4f5a-e263-4213-a2ac-1edf9b417ada.json b/packages/security_detection_engine/kibana/security_rule/bc9e4f5a-e263-4213-a2ac-1edf9b417ada.json
deleted file mode 100644
index 9615830b704..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bc9e4f5a-e263-4213-a2ac-1edf9b417ada.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the change of permissions/ownership of files/folders through built-in Windows utilities. Threat actors may require permission modification of files/folders to change, modify or delete them.", "from": "now-119m", "index": ["logs-endpoint.events.process-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "File and Directory Permissions Modification", "query": "process where event.type == \"start\" and host.os.type == \"windows\" and\n(\n ((process.name: \"icacls.exe\" or process.pe.original_file_name == \"iCACLS.EXE\") and process.args: (\"*:F\", \"/reset\", \"/setowner\", \"*grant*\")) or\n ((process.name: \"cacls.exe\" or process.pe.original_file_name == \"CACLS.EXE\") and process.args: (\"/g\", \"*:f\")) or\n ((process.name: \"takeown.exe\" or process.pe.original_file_name == \"takeown.exe\") and process.args: (\"/F\")) or\n ((process.name: \"attrib.exe\" or process.pe.original_file_name== \"ATTRIB.EXE\") and process.args: \"-r\")\n) and not user.id : \"S-1-5-18\" and\nnot (\n process.args : (\"C:\\\\ProgramData\\\\Lenovo\\\\*\", \"C:\\\\ProgramData\\\\Adobe\\\\*\", \"C:\\\\ProgramData\\\\ASUS\\\\ASUS*\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "bc9e4f5a-e263-4213-a2ac-1edf9b417ada", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/", "subtechnique": [{"id": "T1222.001", "name": "Windows File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "bc9e4f5a-e263-4213-a2ac-1edf9b417ada", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bc9e4f5a-e263-4213-a2ac-1edf9b417ada_1.json b/packages/security_detection_engine/kibana/security_rule/bc9e4f5a-e263-4213-a2ac-1edf9b417ada_1.json
deleted file mode 100644
index 5176cd68f35..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bc9e4f5a-e263-4213-a2ac-1edf9b417ada_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the change of permissions/ownership of files/folders through built-in Windows utilities. Threat actors may require permission modification of files/folders to change, modify or delete them.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "File and Directory Permissions Modification", "query": "process where event.type == \"start\" and host.os.type == \"windows\" and\n(\n ((process.name: \"icacls.exe\" or process.pe.original_file_name == \"iCACLS.EXE\") and process.args: (\"*:F\", \"/reset\", \"/setowner\", \"*grant*\")) or\n ((process.name: \"cacls.exe\" or process.pe.original_file_name == \"CACLS.EXE\") and process.args: (\"/g\", \"*:f\")) or\n ((process.name: \"takeown.exe\" or process.pe.original_file_name == \"takeown.exe\") and process.args: (\"/F\")) or\n ((process.name: \"attrib.exe\" or process.pe.original_file_name== \"ATTRIB.EXE\") and process.args: \"-r\")\n) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "bc9e4f5a-e263-4213-a2ac-1edf9b417ada", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", 
"name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/", "subtechnique": [{"id": "T1222.001", "name": "Windows File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "bc9e4f5a-e263-4213-a2ac-1edf9b417ada_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61.json b/packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61.json deleted file mode 100644 index 279321061ae..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a service account is disabled in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may disable a service account in order to disrupt to disrupt their target's business operations.", "false_positives": ["Service accounts may be disabled by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Service Account Disabled", "note": "", "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success\n", "references": ["https://cloud.google.com/iam/docs/service-accounts"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "bca7d28e-4a48-47b1-adb7-5074310e9a61", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": 
"https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "bca7d28e-4a48-47b1-adb7-5074310e9a61", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61_103.json b/packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61_103.json deleted file mode 100644 index 5a270562c52..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bca7d28e-4a48-47b1-adb7-5074310e9a61_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a service account is disabled in Google Cloud Platform (GCP). A service account is a special type of account used by an application or a virtual machine (VM) instance, not a person. Applications use service accounts to make authorized API calls, authorized as either the service account itself, or as G Suite or Cloud Identity users through domain-wide delegation. An adversary may disable a service account in order to disrupt to disrupt their target's business operations.", "false_positives": ["Service accounts may be disabled by system administrators. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Service Account Disabled", "note": "", "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.DisableServiceAccount and event.outcome:success\n", "references": ["https://cloud.google.com/iam/docs/service-accounts"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "bca7d28e-4a48-47b1-adb7-5074310e9a61", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], 
"timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "bca7d28e-4a48-47b1-adb7-5074310e9a61_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766.json b/packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766.json deleted file mode 100644 index fd2c52fa673..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model has identified a DNS question name that used by the SUNBURST malware and is predicted to be the result of a Domain Generation Algorithm.", "from": "now-10m", "index": ["logs-endpoint.events.*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain", "query": "ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/dga", "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration"], "related_integrations": [{"package": "dga", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "dns.question.registered_domain", "type": "keyword"}, {"ecs": false, "name": "ml_is_dga.malicious_prediction", "type": "unknown"}], "risk_score": 99, "rule_id": "bcaa15ce-2d41-44d7-a322-918f9db77766", "setup": "## Setup\n\nThe rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. 
\n\n### DGA Detection Setup\nThe DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events.\n\n#### Prerequisite Requirements:\n- Fleet is required for DGA Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- DNS events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint), [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration, or [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n- To set up and run Packetbeat, follow [this](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html) guide.\n\n#### The following steps should be executed to install assets associated with the DGA Detection integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\n", "severity": "critical", "tags": ["Domain: Network", "Domain: Endpoint", "Data Source: Elastic Defend", "Use Case: Domain Generation Algorithm Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "bcaa15ce-2d41-44d7-a322-918f9db77766", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766_1.json b/packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766_1.json deleted file mode 100644 index 3f24444d7f3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model has identified a DNS question name that used by the SUNBURST malware and is predicted to be the result of a Domain Generation Algorithm.", "from": "now-10m", "index": ["logs-endpoint.events.*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain", "note": "", "query": "ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/dga"], "related_integrations": [{"package": "dga", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "dns.question.registered_domain", "type": "keyword"}, {"ecs": false, "name": "ml_is_dga.malicious_prediction", "type": "unknown"}], "risk_score": 99, "rule_id": "bcaa15ce-2d41-44d7-a322-918f9db77766", "setup": "The Domain Generation Algorithm (DGA) integration must be enabled and related ML jobs configured for this rule to be effective. 
Please refer to this rule's references for more information.", "severity": "critical", "tags": ["Domain: Network", "Domain: Endpoint", "Data Source: Elastic Defend", "Use Case: Domain Generation Algorithm Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "bcaa15ce-2d41-44d7-a322-918f9db77766_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766_2.json b/packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766_2.json deleted file mode 100644 index a7c725ac58f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model has identified a DNS question name that used by the SUNBURST malware and is predicted to be the result of a Domain Generation Algorithm.", "from": "now-10m", "index": ["logs-endpoint.events.*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain", "query": "ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/dga", "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration"], "related_integrations": [{"package": "dga", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "dns.question.registered_domain", "type": "keyword"}, {"ecs": false, "name": "ml_is_dga.malicious_prediction", "type": "unknown"}], "risk_score": 99, "rule_id": "bcaa15ce-2d41-44d7-a322-918f9db77766", "setup": "The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. 
\n\n### DGA Detection Setup\nThe DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events.\n\n#### Prerequisite Requirements:\n- Fleet is required for DGA Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- DNS events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint), [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration, or [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n- To set up and run Packetbeat, follow [this](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html) guide.\n\n#### The following steps should be executed to install assets associated with the DGA Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.\n- Under Settings, click Install Domain Generation Algorithm Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich DNS events with predictions from the Supervised DGA Detection model. 
This is done via the ingest pipeline named `-ml_dga_ingest_pipeline` installed with the DGA Detection package.\n- If using an Elastic Beat such as Packetbeat, add the DGA ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `packetbeat.yml`.\n- If adding the DGA ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the DGA ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"ml_is_dga\": {\n \"properties\": {\n \"malicious_prediction\": {\n \"type\": \"long\"\n },\n \"malicious_probability\": {\n \"type\": \"float\"\n }\n }\n }\n }\n}\n``` \n", "severity": "critical", "tags": ["Domain: Network", "Domain: Endpoint", "Data Source: Elastic Defend", "Use Case: Domain Generation Algorithm Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "bcaa15ce-2d41-44d7-a322-918f9db77766_2", "type": "security-rule"} \ No 
newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766_3.json b/packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766_3.json deleted file mode 100644 index 340c03d8c58..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model has identified a DNS question name that used by the SUNBURST malware and is predicted to be the result of a Domain Generation Algorithm.", "from": "now-10m", "index": ["logs-endpoint.events.*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain", "query": "ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/dga", "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration"], "related_integrations": [{"package": "dga", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "dns.question.registered_domain", "type": "keyword"}, {"ecs": false, "name": "ml_is_dga.malicious_prediction", "type": "unknown"}], "risk_score": 99, "rule_id": "bcaa15ce-2d41-44d7-a322-918f9db77766", "setup": "## Setup\n\nThe rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. 
\n\n### DGA Detection Setup\nThe DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events.\n\n#### Prerequisite Requirements:\n- Fleet is required for DGA Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- DNS events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint), [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration, or [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n- To set up and run Packetbeat, follow [this](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html) guide.\n\n#### The following steps should be executed to install assets associated with the DGA Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.\n- Under Settings, click Install Domain Generation Algorithm Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich DNS events with predictions from the Supervised DGA Detection model. 
This is done via the ingest pipeline named `-ml_dga_ingest_pipeline` installed with the DGA Detection package.\n- If using an Elastic Beat such as Packetbeat, add the DGA ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `packetbeat.yml`.\n- If adding the DGA ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the DGA ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"ml_is_dga\": {\n \"properties\": {\n \"malicious_prediction\": {\n \"type\": \"long\"\n },\n \"malicious_probability\": {\n \"type\": \"float\"\n }\n }\n }\n }\n}\n``` \n", "severity": "critical", "tags": ["Domain: Network", "Domain: Endpoint", "Data Source: Elastic Defend", "Use Case: Domain Generation Algorithm Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "bcaa15ce-2d41-44d7-a322-918f9db77766_3", "type": "security-rule"} \ No 
newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766_4.json b/packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766_4.json deleted file mode 100644 index 7ae77c6469e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bcaa15ce-2d41-44d7-a322-918f9db77766_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model has identified a DNS question name that used by the SUNBURST malware and is predicted to be the result of a Domain Generation Algorithm.", "from": "now-10m", "index": ["logs-endpoint.events.*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "Machine Learning Detected DGA activity using a known SUNBURST DNS domain", "query": "ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/dga", "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration"], "related_integrations": [{"package": "dga", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "dns.question.registered_domain", "type": "keyword"}, {"ecs": false, "name": "ml_is_dga.malicious_prediction", "type": "unknown"}], "risk_score": 99, "rule_id": "bcaa15ce-2d41-44d7-a322-918f9db77766", "setup": "## Setup\n\nThe rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. 
\n\n### DGA Detection Setup\nThe DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events.\n\n#### Prerequisite Requirements:\n- Fleet is required for DGA Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- DNS events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint), [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration, or [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n- To set up and run Packetbeat, follow [this](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html) guide.\n\n#### The following steps should be executed to install assets associated with the DGA Detection integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\n``` \n", "severity": "critical", "tags": ["Domain: Network", "Domain: Endpoint", "Data Source: Elastic Defend", "Use Case: Domain Generation Algorithm Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "bcaa15ce-2d41-44d7-a322-918f9db77766_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889.json b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889.json deleted file mode 100644 index 3f5525a8f74..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Keylogging Script", "note": "## Triage and analysis\n\n### Investigating PowerShell Keylogging Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other valuable information as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n (\n powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or \"Get-Keystrokes\") or\n powershell.file.script_block_text : (\n (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and\n (GetForegroundWindow or GetWindowTextA or GetWindowTextW or \"WM_KEYBOARD_LL\" or \"WH_MOUSE_LL\")\n )\n ) and not user.id : \"S-1-5-18\"\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\"\n )\n", "references": ["https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1", "https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1056", "name": "Input Capture", "reference": "https://attack.mitre.org/techniques/T1056/", "subtechnique": [{"id": "T1056.001", "name": "Keylogging", "reference": "https://attack.mitre.org/techniques/T1056/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 113}, "id": "bd2c86a0-8b61-4457-ab38-96943984e889", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_105.json b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_105.json deleted file mode 100644 index 1ac173c0d35..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Keylogging Script", "note": "## Triage and analysis\n\n### Investigating PowerShell Keylogging Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other valuable information as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n (\n powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or \"Get-Keystrokes\") or\n powershell.file.script_block_text : (\n (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and\n (GetForegroundWindow or GetWindowTextA or GetWindowTextW or \"WM_KEYBOARD_LL\")\n )\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1", "https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Elastic", 
"Host", "Windows", "Threat Detection", "Collection", "Investigation Guide", "PowerShell"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1056", "name": "Input Capture", "reference": "https://attack.mitre.org/techniques/T1056/", "subtechnique": [{"id": "T1056.001", "name": "Keylogging", "reference": "https://attack.mitre.org/techniques/T1056/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "bd2c86a0-8b61-4457-ab38-96943984e889_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_106.json b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_106.json deleted file mode 100644 index b12d5d0b974..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Keylogging Script", "note": "## Triage and analysis\n\n### Investigating PowerShell Keylogging Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other valuable information as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and \npowershell.file.script_block_text : ( \n Get-Keystrokes or GetAsyncKeyState or GetKeyboardState or NtUserGetAsyncKeyState or \n (\n NtUserSetWindowsHookEx or \n SetWindowsHookA or \n SetWindowsHookEx or \n SetWindowsHookExA or \n SetWindowsHookW\n ) and \n (\n GetForegroundWindow or \n GetWindowTextA or \n GetWindowTextW or \n WM_KEYBOARD_LL)\n ) \nand not user.id:S-1-5-18\n", "references": ["https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1", "https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", 
"Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1056", "name": "Input Capture", "reference": "https://attack.mitre.org/techniques/T1056/", "subtechnique": [{"id": "T1056.001", "name": "Keylogging", "reference": "https://attack.mitre.org/techniques/T1056/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "bd2c86a0-8b61-4457-ab38-96943984e889_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_107.json b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_107.json deleted file mode 100644 index 28b3bfa7f89..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Keylogging Script", "note": "## Triage and analysis\n\n### Investigating PowerShell Keylogging Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other valuable information as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n (\n powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or \"Get-Keystrokes\") or\n powershell.file.script_block_text : (\n (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and\n (GetForegroundWindow or GetWindowTextA or GetWindowTextW or \"WM_KEYBOARD_LL\")\n )\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1", "https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: 
Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1056", "name": "Input Capture", "reference": "https://attack.mitre.org/techniques/T1056/", "subtechnique": [{"id": "T1056.001", "name": "Keylogging", "reference": "https://attack.mitre.org/techniques/T1056/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "bd2c86a0-8b61-4457-ab38-96943984e889_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_108.json b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_108.json deleted file mode 100644 index 00c8b0b4fbd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Keylogging Script", "note": "## Triage and analysis\n\n### Investigating PowerShell Keylogging Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other valuable information as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n (\n powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or \"Get-Keystrokes\") or\n powershell.file.script_block_text : (\n (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and\n (GetForegroundWindow or GetWindowTextA or GetWindowTextW or \"WM_KEYBOARD_LL\")\n )\n ) and not user.id : \"S-1-5-18\"\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n", "references": ["https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1", "https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1056", "name": "Input Capture", "reference": "https://attack.mitre.org/techniques/T1056/", "subtechnique": [{"id": "T1056.001", "name": "Keylogging", "reference": "https://attack.mitre.org/techniques/T1056/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "bd2c86a0-8b61-4457-ab38-96943984e889_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_109.json b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_109.json deleted file mode 100644 index 7eadb4c9c23..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_109.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Keylogging Script", "note": "## Triage and analysis\n\n### Investigating PowerShell Keylogging Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other valuable information as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n (\n powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or \"Get-Keystrokes\") or\n powershell.file.script_block_text : (\n (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and\n (GetForegroundWindow or GetWindowTextA or GetWindowTextW or \"WM_KEYBOARD_LL\" or \"WH_MOUSE_LL\")\n )\n ) and not user.id : \"S-1-5-18\"\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\"\n )\n", "references": ["https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1", "https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1056", "name": "Input Capture", "reference": "https://attack.mitre.org/techniques/T1056/", "subtechnique": [{"id": "T1056.001", "name": "Keylogging", "reference": "https://attack.mitre.org/techniques/T1056/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 109}, "id": "bd2c86a0-8b61-4457-ab38-96943984e889_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_110.json b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_110.json
deleted file mode 100644
index 73b32dc916f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Keylogging Script", "note": "## Triage and analysis\n\n### Investigating PowerShell Keylogging Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other valuable information as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n (\n powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or \"Get-Keystrokes\") or\n powershell.file.script_block_text : (\n (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and\n (GetForegroundWindow or GetWindowTextA or GetWindowTextW or \"WM_KEYBOARD_LL\" or \"WH_MOUSE_LL\")\n )\n ) and not user.id : \"S-1-5-18\"\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\"\n )\n", "references": ["https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1", "https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1056", "name": "Input Capture", "reference": "https://attack.mitre.org/techniques/T1056/", "subtechnique": [{"id": "T1056.001", "name": "Keylogging", "reference": "https://attack.mitre.org/techniques/T1056/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 110}, "id": "bd2c86a0-8b61-4457-ab38-96943984e889_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_111.json b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_111.json
deleted file mode 100644
index 0bd98bf27d1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Keylogging Script", "note": "## Triage and analysis\n\n### Investigating PowerShell Keylogging Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other valuable information as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.category:process and host.os.type:windows and\n (\n powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or \"Get-Keystrokes\") or\n powershell.file.script_block_text : (\n (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and\n (GetForegroundWindow or GetWindowTextA or GetWindowTextW or \"WM_KEYBOARD_LL\" or \"WH_MOUSE_LL\")\n )\n ) and not user.id : \"S-1-5-18\"\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\"\n )\n", "references": ["https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1", "https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889", "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1056", "name": "Input Capture", "reference": "https://attack.mitre.org/techniques/T1056/", "subtechnique": [{"id": "T1056.001", "name": "Keylogging", "reference": "https://attack.mitre.org/techniques/T1056/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 111}, "id": "bd2c86a0-8b61-4457-ab38-96943984e889_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_112.json b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_112.json
deleted file mode 100644
index fdb8ab8bf4d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_112.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Keylogging Script", "note": "## Triage and analysis\n\n### Investigating PowerShell Keylogging Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other valuable information as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n (\n powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or \"Get-Keystrokes\") or\n powershell.file.script_block_text : (\n (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and\n (GetForegroundWindow or GetWindowTextA or GetWindowTextW or \"WM_KEYBOARD_LL\" or \"WH_MOUSE_LL\")\n )\n ) and not user.id : \"S-1-5-18\"\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\"\n )\n", "references": ["https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1", "https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1056", "name": "Input Capture", "reference": "https://attack.mitre.org/techniques/T1056/", "subtechnique": [{"id": "T1056.001", "name": "Keylogging", "reference": "https://attack.mitre.org/techniques/T1056/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 112}, "id": "bd2c86a0-8b61-4457-ab38-96943984e889_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_113.json b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_113.json
deleted file mode 100644
index 664dc4b6929..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_113.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Keylogging Script", "note": "## Triage and analysis\n\n### Investigating PowerShell Keylogging Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other valuable information as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n (\n powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or \"Get-Keystrokes\") or\n powershell.file.script_block_text : (\n (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and\n (GetForegroundWindow or GetWindowTextA or GetWindowTextW or \"WM_KEYBOARD_LL\" or \"WH_MOUSE_LL\")\n )\n ) and not user.id : \"S-1-5-18\"\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\"\n )\n", "references": ["https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1", "https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1056", "name": "Input Capture", "reference": "https://attack.mitre.org/techniques/T1056/", "subtechnique": [{"id": "T1056.001", "name": "Keylogging", "reference": "https://attack.mitre.org/techniques/T1056/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 113}, "id": "bd2c86a0-8b61-4457-ab38-96943984e889_113", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_114.json b/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_114.json
deleted file mode 100644
index cc84e220b64..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bd2c86a0-8b61-4457-ab38-96943984e889_114.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of Win32 API Functions that can be used to capture user keystrokes in PowerShell scripts. Attackers use this technique to capture user input, looking for credentials and/or other valuable data.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Keylogging Script", "note": "## Triage and analysis\n\n### Investigating PowerShell Keylogging Script\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can abuse PowerShell capabilities to capture user keystrokes with the goal of stealing credentials and other valuable information as credit card data and confidential conversations.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Determine whether the script stores the captured data locally.\n- Investigate whether the script contains exfiltration capabilities and identify the exfiltration server.\n- Assess network data to determine if the host communicated with the exfiltration server.\n\n### False positive analysis\n\n- Regular users do not have a business justification for using scripting utilities to capture keystrokes, making false positives unlikely. In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Prioritize the response if this alert involves key executives or potentially valuable targets for espionage.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n (\n powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or \"Get-Keystrokes\") or\n powershell.file.script_block_text : (\n (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and\n (GetForegroundWindow or GetWindowTextA or GetWindowTextW or \"WM_KEYBOARD_LL\" or \"WH_MOUSE_LL\")\n )\n ) and not user.id : \"S-1-5-18\"\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\"\n )\n", "references": ["https://github.com/EmpireProject/Empire/blob/master/data/module_source/collection/Get-Keystrokes.ps1", "https://github.com/MojtabaTajik/FunnyKeylogger/blob/master/FunnyLogger.ps1"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "bd2c86a0-8b61-4457-ab38-96943984e889", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1056", "name": "Input Capture", "reference": "https://attack.mitre.org/techniques/T1056/", "subtechnique": [{"id": "T1056.001", "name": "Keylogging", "reference": "https://attack.mitre.org/techniques/T1056/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}, {"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 114}, "id": "bd2c86a0-8b61-4457-ab38-96943984e889_114", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bd3d058d-5405-4cee-b890-337f09366ba2.json b/packages/security_detection_engine/kibana/security_rule/bd3d058d-5405-4cee-b890-337f09366ba2.json deleted file mode 100644 index 46eedf79b44..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bd3d058d-5405-4cee-b890-337f09366ba2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program to install Connection Manager service profiles, which accept installation information file (INF) files. Adversaries may abuse CMSTP to proxy the execution of malicious code by supplying INF files that contain malicious commands.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Defense Evasion via CMSTP.exe", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmstp.exe\" and process.args == \"/s\"\n", "references": ["https://attack.mitre.org/techniques/T1218/003/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "bd3d058d-5405-4cee-b890-337f09366ba2", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.003", "name": "CMSTP", "reference": "https://attack.mitre.org/techniques/T1218/003/"}]}]}], "timestamp_override": "event.ingested", 
"type": "eql", "version": 4}, "id": "bd3d058d-5405-4cee-b890-337f09366ba2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bd3d058d-5405-4cee-b890-337f09366ba2_1.json b/packages/security_detection_engine/kibana/security_rule/bd3d058d-5405-4cee-b890-337f09366ba2_1.json deleted file mode 100644 index bf8a698685d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bd3d058d-5405-4cee-b890-337f09366ba2_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program to install Connection Manager service profiles, which accept installation information file (INF) files. Adversaries may abuse CMSTP to proxy the execution of malicious code by supplying INF files that contain malicious commands.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Defense Evasion via CMSTP.exe", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmstp.exe\" and process.args == \"/s\"\n", "references": ["https://attack.mitre.org/techniques/T1218/003/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "bd3d058d-5405-4cee-b890-337f09366ba2", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.003", "name": "CMSTP", "reference": "https://attack.mitre.org/techniques/T1218/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "bd3d058d-5405-4cee-b890-337f09366ba2_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/bd3d058d-5405-4cee-b890-337f09366ba2_2.json b/packages/security_detection_engine/kibana/security_rule/bd3d058d-5405-4cee-b890-337f09366ba2_2.json
deleted file mode 100644
index 5fe84477d54..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bd3d058d-5405-4cee-b890-337f09366ba2_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program to install Connection Manager service profiles, which accept installation information file (INF) files. Adversaries may abuse CMSTP to proxy the execution of malicious code by supplying INF files that contain malicious commands.", "from": "now-119m", "index": ["logs-endpoint.events.process-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Defense Evasion via CMSTP.exe", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmstp.exe\" and process.args == \"/s\"\n", "references": ["https://attack.mitre.org/techniques/T1218/003/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "bd3d058d-5405-4cee-b890-337f09366ba2", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.003", "name": "CMSTP", "reference": "https://attack.mitre.org/techniques/T1218/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "bd3d058d-5405-4cee-b890-337f09366ba2_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/bd3d058d-5405-4cee-b890-337f09366ba2_3.json b/packages/security_detection_engine/kibana/security_rule/bd3d058d-5405-4cee-b890-337f09366ba2_3.json
deleted file mode 100644
index 61e42d3298f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bd3d058d-5405-4cee-b890-337f09366ba2_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program to install Connection Manager service profiles, which accept installation information file (INF) files. Adversaries may abuse CMSTP to proxy the execution of malicious code by supplying INF files that contain malicious commands.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Defense Evasion via CMSTP.exe", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmstp.exe\" and process.args == \"/s\"\n", "references": ["https://attack.mitre.org/techniques/T1218/003/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "bd3d058d-5405-4cee-b890-337f09366ba2", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.003", "name": "CMSTP", "reference": "https://attack.mitre.org/techniques/T1218/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": 
"bd3d058d-5405-4cee-b890-337f09366ba2_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bd3d058d-5405-4cee-b890-337f09366ba2_4.json b/packages/security_detection_engine/kibana/security_rule/bd3d058d-5405-4cee-b890-337f09366ba2_4.json deleted file mode 100644 index d7c4795f580..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bd3d058d-5405-4cee-b890-337f09366ba2_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program to install Connection Manager service profiles, which accept installation information file (INF) files. Adversaries may abuse CMSTP to proxy the execution of malicious code by supplying INF files that contain malicious commands.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Potential Defense Evasion via CMSTP.exe", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmstp.exe\" and process.args == \"/s\"\n", "references": ["https://attack.mitre.org/techniques/T1218/003/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "bd3d058d-5405-4cee-b890-337f09366ba2", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.003", "name": "CMSTP", "reference": "https://attack.mitre.org/techniques/T1218/003/"}]}]}], "timestamp_override": "event.ingested", 
"type": "eql", "version": 4}, "id": "bd3d058d-5405-4cee-b890-337f09366ba2_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17.json b/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17.json deleted file mode 100644 index 240dac19ad6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler Point and Print DLL", "query": "sequence by host.id with maxspan=30s\n[registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\"\n ) and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\"]\n[registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\"\n ) and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\\\\*\"]\n", "references": ["https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx", "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": 
"host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "bd7eefee-f671-494e-98df-f01daf9e5f17", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 107}, "id": "bd7eefee-f671-494e-98df-f01daf9e5f17", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_102.json b/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_102.json deleted file mode 100644 index 34e2199c2e8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler Point and Print DLL", "query": "sequence by host.id with maxspan=30s\n[registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\"\n ) and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\"]\n[registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\"\n ) and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\\\\*\"]\n", "references": ["https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx", "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "bd7eefee-f671-494e-98df-f01daf9e5f17", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 102}, "id": "bd7eefee-f671-494e-98df-f01daf9e5f17_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_103.json b/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_103.json deleted file mode 100644 index af8ec55503b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler Point and Print DLL", "query": "sequence by host.id with maxspan=30s\n[registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\"\n ) and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\"]\n[registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\"\n ) and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\\\\*\"]\n", "references": ["https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx", "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "bd7eefee-f671-494e-98df-f01daf9e5f17", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 103}, "id": "bd7eefee-f671-494e-98df-f01daf9e5f17_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_104.json b/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_104.json deleted file mode 100644 index 57ee1371853..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler Point and Print DLL", "query": "sequence by host.id with maxspan=30s\n[registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\"\n ) and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\"]\n[registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\"\n ) and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\\\\*\"]\n", "references": ["https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx", "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "bd7eefee-f671-494e-98df-f01daf9e5f17", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 104}, "id": "bd7eefee-f671-494e-98df-f01daf9e5f17_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_105.json b/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_105.json deleted file mode 100644 index 2216d3a2184..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler Point and Print DLL", "query": "sequence by host.id with maxspan=30s\n[registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\"\n ) and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\"]\n[registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\"\n ) and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\\\\*\"]\n", "references": ["https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx", "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": 
"keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "bd7eefee-f671-494e-98df-f01daf9e5f17", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 105}, "id": "bd7eefee-f671-494e-98df-f01daf9e5f17_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_106.json b/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_106.json deleted file mode 100644 index 0d804f7e9b5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler Point and Print DLL", "query": "sequence by host.id with maxspan=30s\n[registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\"\n ) and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\"]\n[registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\"\n ) and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\\\\*\"]\n", "references": ["https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx", "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": 
"keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "bd7eefee-f671-494e-98df-f01daf9e5f17", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 106}, "id": "bd7eefee-f671-494e-98df-f01daf9e5f17_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_107.json b/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_107.json deleted file mode 100644 index 7a1127e79d4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler Point and Print DLL", "query": "sequence by host.id with maxspan=30s\n[registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\"\n ) and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\"]\n[registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\"\n ) and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\\\\*\"]\n", "references": ["https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx", "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": 
"host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "bd7eefee-f671-494e-98df-f01daf9e5f17", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 107}, "id": "bd7eefee-f671-494e-98df-f01daf9e5f17_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_207.json b/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_207.json deleted file mode 100644 index 9f7935b7029..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bd7eefee-f671-494e-98df-f01daf9e5f17_207.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit a privilege escalation vulnerability (CVE-2020-1030) related to the print spooler service. Exploitation involves chaining multiple primitives to load an arbitrary DLL into the print spooler process running as SYSTEM.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler Point and Print DLL", "query": "sequence by host.id with maxspan=30s\n[registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\SpoolDirectory\"\n ) and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\"]\n[registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\\\\*\\\\CopyFiles\\\\Payload\\\\Module\"\n ) and\n registry.data.strings : \"C:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\4\\\\*\"]\n", "references": ["https://www.accenture.com/us-en/blogs/cyber-defense/discovering-exploiting-shutting-down-dangerous-windows-print-spooler-vulnerability", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Privilege%20Escalation/privesc_sysmon_cve_20201030_spooler.evtx", "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1030"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": 
"host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "bd7eefee-f671-494e-98df-f01daf9e5f17", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 207}, "id": "bd7eefee-f671-494e-98df-f01daf9e5f17_207", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc.json b/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc.json deleted file mode 100644 index 8e2778a664b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege escalation vectors.", "from": "now-9m", "index": ["logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Pspy Process Monitoring Detected", "query": "sequence by process.pid, host.id with maxspan=5s\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"openat\" and file.path == \"/proc\" and\n auditd.data.a0 : (\"ffffffffffffff9c\", \"ffffff9c\") and auditd.data.a2 : (\"80000\", \"88000\") ] with runs=10\n", "references": ["https://github.com/DominicBreuker/pspy"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a0", "type": "unknown"}, {"ecs": false, "name": "auditd.data.a2", "type": "unknown"}, {"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 21, "rule_id": "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc", "setup": "## Setup\n\nThis rule requires data coming in from Auditd Manager.\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -- \"-w /proc/ -p r -k audit_proc\"\n", "severity": "low", "tags": ["Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1082", "name": 
"System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "type": "eql", "version": 7}, "id": "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_1.json b/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_1.json deleted file mode 100644 index c9c9bcbc171..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege escalation vectors.", "from": "now-9m", "index": ["logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Pspy Process Monitoring Detected", "note": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system. \n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from. 
\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "query": "sequence by process.pid, host.id with maxspan=5s\n[ file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n auditd.data.syscall == \"openat\" and file.path == \"/proc\" and auditd.data.a0 : (\"ffffffffffffff9c\", \"ffffff9c\") and \n auditd.data.a2 : (\"80000\", \"88000\") ] with runs=10\n", "references": ["https://github.com/DominicBreuker/pspy"], "related_integrations": [{"integration": "auditd", "package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a0", "type": "unknown"}, {"ecs": false, "name": "auditd.data.a2", "type": "unknown"}, {"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 21, "rule_id": "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc", "setup": "This rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. 
The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /proc/ -p r -k audit_proc\n```\n\nAdd the newly installed `auditd manager` to an agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "type": "eql", "version": 1}, "id": "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_2.json b/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_2.json deleted file mode 100644 index fa16e384a6c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege escalation vectors.", "from": "now-9m", "index": ["logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Pspy Process Monitoring Detected", "note": "### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Auditd Manager and select the integration to see more details about it.\n- Click Add Auditd Manager.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed `auditd manager` to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click Save and Continue.\n- For more details on the integeration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur 
without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -- \"-w /proc/ -p r -k audit_proc\"", "query": "sequence by process.pid, host.id with maxspan=5s\n[ file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n auditd.data.syscall == \"openat\" and file.path == \"/proc\" and auditd.data.a0 : (\"ffffffffffffff9c\", \"ffffff9c\") and \n auditd.data.a2 : (\"80000\", \"88000\") ] with runs=10\n", "references": ["https://github.com/DominicBreuker/pspy"], "related_integrations": [{"integration": "auditd", "package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a0", "type": "unknown"}, {"ecs": false, "name": "auditd.data.a2", "type": "unknown"}, {"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 21, "rule_id": "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc", "setup": "This rule requires data coming in from Auditd Manager integration.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1082", "name": "System 
Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "type": "eql", "version": 2}, "id": "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_3.json b/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_3.json deleted file mode 100644 index b3ae7c330a7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege escalation vectors.", "from": "now-9m", "index": ["logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Pspy Process Monitoring Detected", "query": "sequence by process.pid, host.id with maxspan=5s\n[ file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n auditd.data.syscall == \"openat\" and file.path == \"/proc\" and auditd.data.a0 : (\"ffffffffffffff9c\", \"ffffff9c\") and \n auditd.data.a2 : (\"80000\", \"88000\") ] with runs=10\n", "references": ["https://github.com/DominicBreuker/pspy"], "related_integrations": [{"integration": "auditd", "package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a0", "type": "unknown"}, {"ecs": false, "name": "auditd.data.a2", "type": "unknown"}, {"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 21, "rule_id": "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc", "setup": "\nThis rule requires data coming in from Auditd Manager integration.\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for 
configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Auditd Manager and select the integration to see more details about it.\n- Click Add Auditd Manager.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed `auditd manager` to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click Save and Continue.\n- For more details on the integeration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -- \"-w /proc/ -p r -k audit_proc\"\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1082", "name": "System 
Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "type": "eql", "version": 3}, "id": "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_4.json b/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_4.json deleted file mode 100644 index 64dded6845d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_4.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege escalation vectors.", "from": "now-9m", "index": ["logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Pspy Process Monitoring Detected", "query": "sequence by process.pid, host.id with maxspan=5s\n[ file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n auditd.data.syscall == \"openat\" and file.path == \"/proc\" and auditd.data.a0 : (\"ffffffffffffff9c\", \"ffffff9c\") and \n auditd.data.a2 : (\"80000\", \"88000\") ] with runs=10\n", "references": ["https://github.com/DominicBreuker/pspy"], "related_integrations": [{"integration": "auditd", "package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a0", "type": "unknown"}, {"ecs": false, "name": "auditd.data.a2", "type": "unknown"}, {"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 21, "rule_id": "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc", "setup": "\nThis rule requires data coming in from Auditd Manager.\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and 
monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -- \"-w /proc/ -p r -k audit_proc\"\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": 
"https://attack.mitre.org/techniques/T1057/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "type": "eql", "version": 4}, "id": "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_5.json b/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_5.json
deleted file mode 100644
index 55671e0749a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege escalation vectors.", "from": "now-9m", "index": ["logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Pspy Process Monitoring Detected", "query": "sequence by process.pid, host.id with maxspan=5s\n[ file where host.os.type == \"linux\" and event.dataset == \"auditd_manager.auditd\" and \n auditd.data.syscall == \"openat\" and file.path == \"/proc\" and auditd.data.a0 : (\"ffffffffffffff9c\", \"ffffff9c\") and \n auditd.data.a2 : (\"80000\", \"88000\") ] with runs=10\n", "references": ["https://github.com/DominicBreuker/pspy"], "related_integrations": [{"integration": "auditd", "package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a0", "type": "unknown"}, {"ecs": false, "name": "auditd.data.a2", "type": "unknown"}, {"ecs": false, "name": "auditd.data.syscall", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 21, "rule_id": "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc", "setup": "\nThis rule requires data coming in from Auditd Manager.\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and 
monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -- \"-w /proc/ -p r -k audit_proc\"\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": 
"https://attack.mitre.org/techniques/T1057/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "type": "eql", "version": 5}, "id": "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_6.json b/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_6.json
deleted file mode 100644
index 7ad83a83e8c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege escalation vectors.", "from": "now-9m", "index": ["logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Pspy Process Monitoring Detected", "query": "sequence by process.pid, host.id with maxspan=5s\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"openat\" and file.path == \"/proc\" and\n auditd.data.a0 : (\"ffffffffffffff9c\", \"ffffff9c\") and auditd.data.a2 : (\"80000\", \"88000\") ] with runs=10\n", "references": ["https://github.com/DominicBreuker/pspy"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a0", "type": "unknown"}, {"ecs": false, "name": "auditd.data.a2", "type": "unknown"}, {"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 21, "rule_id": "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc", "setup": "\nThis rule requires data coming in from Auditd Manager.\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -- \"-w /proc/ -p r -k audit_proc\"\n\n", "severity": "low", "tags": ["Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1082", 
"name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "type": "eql", "version": 6}, "id": "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_7.json b/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_7.json
deleted file mode 100644
index 33f86ba7e22..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule leverages auditd to monitor for processes scanning different processes within the /proc directory using the openat syscall. This is a strong indication for the usage of the pspy utility. Attackers may leverage the pspy process monitoring utility to monitor system processes without requiring root permissions, in order to find potential privilege escalation vectors.", "from": "now-9m", "index": ["logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Pspy Process Monitoring Detected", "query": "sequence by process.pid, host.id with maxspan=5s\n [file where host.os.type == \"linux\" and auditd.data.syscall == \"openat\" and file.path == \"/proc\" and\n auditd.data.a0 : (\"ffffffffffffff9c\", \"ffffff9c\") and auditd.data.a2 : (\"80000\", \"88000\") ] with runs=10\n", "references": ["https://github.com/DominicBreuker/pspy"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.data.a0", "type": "unknown"}, {"ecs": false, "name": "auditd.data.a2", "type": "unknown"}, {"ecs": false, "name": "auditd.data.syscall", "type": "unknown"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 21, "rule_id": "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc", "setup": "## Setup\n\nThis rule requires data coming in from Auditd Manager.\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -- \"-w /proc/ -p r -k audit_proc\"\n", "severity": "low", "tags": ["Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}, {"id": "T1082", "name": 
"System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "type": "eql", "version": 7}, "id": "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034.json b/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034.json
deleted file mode 100644
index ba33e150d6c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privileged Escalation via SamAccountName Spoofing", "query": "iam where event.action == \"renamed-user-account\" and\n /* machine account name renamed to user like account name */\n winlog.event_data.OldTargetUserName : \"*$\" and not winlog.event_data.NewTargetUserName : \"*$\"\n", "references": ["https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e", "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/", "https://github.com/cube0x0/noPac", "https://twitter.com/exploitph/status/1469157138928914432", "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.NewTargetUserName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.OldTargetUserName", "type": "unknown"}], "risk_score": 73, "rule_id": "bdcf646b-08d4-492c-870a-6c04e3700034", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add 
a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Use Case: Vulnerability", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}, {"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "bdcf646b-08d4-492c-870a-6c04e3700034", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_103.json b/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_103.json
deleted file mode 100644
index 640dd60217b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privileged Escalation via SamAccountName Spoofing", "note": "", "query": "iam where host.os.type == \"windows\" and event.action == \"renamed-user-account\" and\n /* machine account name renamed to user like account name */\n winlog.event_data.OldTargetUserName : \"*$\" and not winlog.event_data.NewTargetUserName : \"*$\"\n", "references": ["https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e", "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/", "https://github.com/cube0x0/noPac", "https://twitter.com/exploitph/status/1469157138928914432", "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.NewTargetUserName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.OldTargetUserName", "type": "unknown"}], "risk_score": 73, "rule_id": "bdcf646b-08d4-492c-870a-6c04e3700034", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not 
added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Privilege Escalation", "Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "bdcf646b-08d4-492c-870a-6c04e3700034_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_104.json b/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_104.json
deleted file mode 100644
index 1b304372947..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privileged Escalation via SamAccountName Spoofing", "note": "", "query": "iam where event.action == \"renamed-user-account\" and\n /* machine account name renamed to user like account name */\n winlog.event_data.OldTargetUserName : \"*$\" and not winlog.event_data.NewTargetUserName : \"*$\"\n", "references": ["https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e", "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/", "https://github.com/cube0x0/noPac", "https://twitter.com/exploitph/status/1469157138928914432", "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.NewTargetUserName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.OldTargetUserName", "type": "unknown"}], "risk_score": 73, "rule_id": "bdcf646b-08d4-492c-870a-6c04e3700034", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to 
@timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Privilege Escalation", "Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "bdcf646b-08d4-492c-870a-6c04e3700034_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_105.json b/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_105.json
deleted file mode 100644
index b29068c1055..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privileged Escalation via SamAccountName Spoofing", "note": "", "query": "iam where event.action == \"renamed-user-account\" and\n /* machine account name renamed to user like account name */\n winlog.event_data.OldTargetUserName : \"*$\" and not winlog.event_data.NewTargetUserName : \"*$\"\n", "references": ["https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e", "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/", "https://github.com/cube0x0/noPac", "https://twitter.com/exploitph/status/1469157138928914432", "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.NewTargetUserName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.OldTargetUserName", "type": "unknown"}], "risk_score": 73, "rule_id": "bdcf646b-08d4-492c-870a-6c04e3700034", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to 
@timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "bdcf646b-08d4-492c-870a-6c04e3700034_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_106.json b/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_106.json
deleted file mode 100644
index ffe07555f95..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privileged Escalation via SamAccountName Spoofing", "note": "", "query": "iam where event.action == \"renamed-user-account\" and\n /* machine account name renamed to user like account name */\n winlog.event_data.OldTargetUserName : \"*$\" and not winlog.event_data.NewTargetUserName : \"*$\"\n", "references": ["https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e", "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/", "https://github.com/cube0x0/noPac", "https://twitter.com/exploitph/status/1469157138928914432", "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.NewTargetUserName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.OldTargetUserName", "type": "unknown"}], "risk_score": 73, "rule_id": "bdcf646b-08d4-492c-870a-6c04e3700034", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to 
@timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}, {"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "bdcf646b-08d4-492c-870a-6c04e3700034_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_107.json b/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_107.json deleted file mode 100644 index 89b911c49e2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privileged Escalation via SamAccountName Spoofing", "query": "iam where event.action == \"renamed-user-account\" and\n /* machine account name renamed to user like account name */\n winlog.event_data.OldTargetUserName : \"*$\" and not winlog.event_data.NewTargetUserName : \"*$\"\n", "references": ["https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e", "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/", "https://github.com/cube0x0/noPac", "https://twitter.com/exploitph/status/1469157138928914432", "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.NewTargetUserName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.OldTargetUserName", "type": "unknown"}], "risk_score": 73, "rule_id": "bdcf646b-08d4-492c-870a-6c04e3700034", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom 
ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}, {"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "bdcf646b-08d4-492c-870a-6c04e3700034_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_108.json b/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_108.json deleted file mode 100644 index bdec01c9340..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privileged Escalation via SamAccountName Spoofing", "query": "iam where event.action == \"renamed-user-account\" and\n /* machine account name renamed to user like account name */\n winlog.event_data.OldTargetUserName : \"*$\" and not winlog.event_data.NewTargetUserName : \"*$\"\n", "references": ["https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e", "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/", "https://github.com/cube0x0/noPac", "https://twitter.com/exploitph/status/1469157138928914432", "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.NewTargetUserName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.OldTargetUserName", "type": "unknown"}], "risk_score": 73, "rule_id": "bdcf646b-08d4-492c-870a-6c04e3700034", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add 
a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}, {"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "bdcf646b-08d4-492c-870a-6c04e3700034_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_109.json b/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_109.json deleted file mode 100644 index e5df126180b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bdcf646b-08d4-492c-870a-6c04e3700034_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious computer account name rename event, which may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to a user with domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller via samAccountName attribute spoofing.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privileged Escalation via SamAccountName Spoofing", "query": "iam where event.action == \"renamed-user-account\" and\n /* machine account name renamed to user like account name */\n winlog.event_data.OldTargetUserName : \"*$\" and not winlog.event_data.NewTargetUserName : \"*$\"\n", "references": ["https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e", "https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/", "https://github.com/cube0x0/noPac", "https://twitter.com/exploitph/status/1469157138928914432", "https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.NewTargetUserName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.OldTargetUserName", "type": "unknown"}], "risk_score": 73, "rule_id": "bdcf646b-08d4-492c-870a-6c04e3700034", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add 
a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Use Case: Vulnerability", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}, {"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "bdcf646b-08d4-492c-870a-6c04e3700034_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bdfaddc4-4438-48b4-bc43-9f5cf8151c46_1.json b/packages/security_detection_engine/kibana/security_rule/bdfaddc4-4438-48b4-bc43-9f5cf8151c46_1.json deleted file mode 100644 index 4939d84a79f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bdfaddc4-4438-48b4-bc43-9f5cf8151c46_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can use the Windows command line debugging utility cdb.exe to execute commands or shellcode. This rule looks for those instances and where the cdb.exe binary is outside of the normal WindowsKit installation paths.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-system.security-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via Windows Command Debugging Utility", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.pe.original_file_name == \"CDB.Exe\" or process.name : \"cdb.exe\") and\n process.args : (\"-cf\", \"-c\", \"-pd\") and\n not process.executable : (\"?:\\\\Program Files (x86)\\\\*\\\\cdb.exe\", \"?:\\\\Program Files\\\\*\\\\cdb.exe\")\n", "references": ["https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "bdfaddc4-4438-48b4-bc43-9f5cf8151c46", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this 
rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "bdfaddc4-4438-48b4-bc43-9f5cf8151c46_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bdfaddc4-4438-48b4-bc43-9f5cf8151c46_101.json b/packages/security_detection_engine/kibana/security_rule/bdfaddc4-4438-48b4-bc43-9f5cf8151c46_101.json deleted file mode 100644 index 60c91d5275f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bdfaddc4-4438-48b4-bc43-9f5cf8151c46_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can use the Windows command line debugging utility cdb.exe to execute commands or shellcode. This rule looks for those instances and where the cdb.exe binary is outside of the normal WindowsKit installation paths.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-system.security-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via Windows Command Debugging Utility", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.pe.original_file_name == \"CDB.Exe\" or process.name : \"cdb.exe\") and\n process.args : (\"-cf\", \"-c\", \"-pd\") and\n not process.executable : (\"?:\\\\Program Files (x86)\\\\*\\\\cdb.exe\", \"?:\\\\Program Files\\\\*\\\\cdb.exe\")\n", "references": ["https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "bdfaddc4-4438-48b4-bc43-9f5cf8151c46", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this 
rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 101}, "id": "bdfaddc4-4438-48b4-bc43-9f5cf8151c46_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3.json b/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3.json deleted file mode 100644 index 72f8efc960f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_high_sum_by_host", "name": "Suspicious Windows Process Cluster Spawned by a Host", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "bdfebe11-e169-42e3-b344-c5d2015533d3", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 5}, "id": "bdfebe11-e169-42e3-b344-c5d2015533d3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_1.json b/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_1.json deleted file mode 100644 index b3718ec3789..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_high_sum_by_host", "name": "Suspicious Windows Process Cluster Spawned by a Host", "note": "", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "bdfebe11-e169-42e3-b344-c5d2015533d3", "setup": "The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. 
Please refer to this rule's references for more information.", "severity": "low", "tags": ["Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 1}, "id": "bdfebe11-e169-42e3-b344-c5d2015533d3_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_2.json b/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_2.json deleted file mode 100644 index b49646d66ac..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_high_sum_by_host", "name": "Suspicious Windows Process Cluster Spawned by a Host", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "bdfebe11-e169-42e3-b344-c5d2015533d3", "setup": "The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\nBefore you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", "severity": "low", "tags": ["Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 2}, "id": "bdfebe11-e169-42e3-b344-c5d2015533d3_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_3.json b/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_3.json deleted file mode 100644 index 8e71fb0f65a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_3.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_high_sum_by_host", "name": "Suspicious Windows Process Cluster Spawned by a Host", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "bdfebe11-e169-42e3-b344-c5d2015533d3", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\nBefore you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", "severity": "low", "tags": ["Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 3}, "id": "bdfebe11-e169-42e3-b344-c5d2015533d3_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_4.json b/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_4.json
deleted file mode 100644
index d2215dd2074..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_high_sum_by_host", "name": "Suspicious Windows Process Cluster Spawned by a Host", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "bdfebe11-e169-42e3-b344-c5d2015533d3", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\n**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle \"Include hidden indices\"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\n**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. 
Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", "severity": "low", "tags": ["Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 4}, "id": "bdfebe11-e169-42e3-b344-c5d2015533d3_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_5.json b/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_5.json
deleted file mode 100644
index d52a72b0e42..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_high_sum_by_host", "name": "Suspicious Windows Process Cluster Spawned by a Host", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "bdfebe11-e169-42e3-b344-c5d2015533d3", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 5}, "id": "bdfebe11-e169-42e3-b344-c5d2015533d3_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_6.json b/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_6.json
deleted file mode 100644
index 6447c6968a6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bdfebe11-e169-42e3-b344-c5d2015533d3_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_high_sum_by_host", "name": "Suspicious Windows Process Cluster Spawned by a Host", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "bdfebe11-e169-42e3-b344-c5d2015533d3", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 6}, "id": "bdfebe11-e169-42e3-b344-c5d2015533d3_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/be4c5aed-90f5-4221-8bd5-7ab3a4334751.json b/packages/security_detection_engine/kibana/security_rule/be4c5aed-90f5-4221-8bd5-7ab3a4334751.json
deleted file mode 100644
index bc0db79b1c7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/be4c5aed-90f5-4221-8bd5-7ab3a4334751.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "An anomaly detection job has detected a remote file transfer on an unusual directory indicating a potential lateral movement activity on the host. Many Security solutions monitor well-known directories for suspicious activities, so attackers might use less common directories to bypass monitoring.", "from": "now-90m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_rare_file_path_remote_transfer", "name": "Unusual Remote File Directory", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "be4c5aed-90f5-4221-8bd5-7ab3a4334751", "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- File events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 4}, "id": "be4c5aed-90f5-4221-8bd5-7ab3a4334751", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/be4c5aed-90f5-4221-8bd5-7ab3a4334751_1.json b/packages/security_detection_engine/kibana/security_rule/be4c5aed-90f5-4221-8bd5-7ab3a4334751_1.json
deleted file mode 100644
index c4b08762aea..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/be4c5aed-90f5-4221-8bd5-7ab3a4334751_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "An anomaly detection job has detected a remote file transfer on an unusual directory indicating a potential lateral movement activity on the host. Many Security solutions monitor well-known directories for suspicious activities, so attackers might use less common directories to bypass monitoring.", "from": "now-90m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_rare_file_path_remote_transfer", "name": "Unusual Remote File Directory", "note": "", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "be4c5aed-90f5-4221-8bd5-7ab3a4334751", "setup": "The Lateral Movement Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 1}, "id": "be4c5aed-90f5-4221-8bd5-7ab3a4334751_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/be4c5aed-90f5-4221-8bd5-7ab3a4334751_2.json b/packages/security_detection_engine/kibana/security_rule/be4c5aed-90f5-4221-8bd5-7ab3a4334751_2.json
deleted file mode 100644
index e26006e0518..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/be4c5aed-90f5-4221-8bd5-7ab3a4334751_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "An anomaly detection job has detected a remote file transfer on an unusual directory indicating a potential lateral movement activity on the host. Many Security solutions monitor well-known directories for suspicious activities, so attackers might use less common directories to bypass monitoring.", "from": "now-90m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_rare_file_path_remote_transfer", "name": "Unusual Remote File Directory", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "be4c5aed-90f5-4221-8bd5-7ab3a4334751", "setup": "The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- File events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your file events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 2}, "id": "be4c5aed-90f5-4221-8bd5-7ab3a4334751_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/be4c5aed-90f5-4221-8bd5-7ab3a4334751_3.json b/packages/security_detection_engine/kibana/security_rule/be4c5aed-90f5-4221-8bd5-7ab3a4334751_3.json
deleted file mode 100644
index 650e830eb07..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/be4c5aed-90f5-4221-8bd5-7ab3a4334751_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "An anomaly detection job has detected a remote file transfer on an unusual directory indicating a potential lateral movement activity on the host. Many Security solutions monitor well-known directories for suspicious activities, so attackers might use less common directories to bypass monitoring.", "from": "now-90m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_rare_file_path_remote_transfer", "name": "Unusual Remote File Directory", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "be4c5aed-90f5-4221-8bd5-7ab3a4334751", "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- File events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your file events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 3}, "id": "be4c5aed-90f5-4221-8bd5-7ab3a4334751_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81.json b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81.json deleted file mode 100644 index 073dbb392c8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Searching for Saved Credentials via VaultCmd", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.pe.original_file_name:\"vaultcmd.exe\" or process.name:\"vaultcmd.exe\") and\n process.args:\"/list*\"\n", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to 
@timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.004", "name": "Windows Credential Manager", "reference": "https://attack.mitre.org/techniques/T1555/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_104.json b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_104.json deleted file mode 100644 index 42b6671da4a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Searching for Saved Credentials via VaultCmd", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name:\"vaultcmd.exe\" or process.name:\"vaultcmd.exe\") and\n process.args:\"/list*\"\n", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", 
"Threat Detection", "Credential Access", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.004", "name": "Windows Credential Manager", "reference": "https://attack.mitre.org/techniques/T1555/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_105.json b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_105.json deleted file mode 100644 index b363cf2aa75..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Searching for Saved Credentials via VaultCmd", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name:\"vaultcmd.exe\" or process.name:\"vaultcmd.exe\") and\n process.args:\"/list*\"\n", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: 
Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.004", "name": "Windows Credential Manager", "reference": "https://attack.mitre.org/techniques/T1555/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_106.json b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_106.json deleted file mode 100644 index 1bb908ae52c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Searching for Saved Credentials via VaultCmd", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name:\"vaultcmd.exe\" or process.name:\"vaultcmd.exe\") and\n process.args:\"/list*\"\n", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: 
Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.004", "name": "Windows Credential Manager", "reference": "https://attack.mitre.org/techniques/T1555/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_107.json b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_107.json deleted file mode 100644 index f8ab02b2f6f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Searching for Saved Credentials via VaultCmd", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name:\"vaultcmd.exe\" or process.name:\"vaultcmd.exe\") and\n process.args:\"/list*\"\n", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom 
ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.004", "name": "Windows Credential Manager", "reference": "https://attack.mitre.org/techniques/T1555/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_108.json b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_108.json deleted file mode 100644 index ca404e34992..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Searching for Saved Credentials via VaultCmd", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.pe.original_file_name:\"vaultcmd.exe\" or process.name:\"vaultcmd.exe\") and\n process.args:\"/list*\"\n", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to 
@timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.004", "name": "Windows Credential Manager", "reference": "https://attack.mitre.org/techniques/T1555/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_109.json b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_109.json deleted file mode 100644 index feda0229c27..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Searching for Saved Credentials via VaultCmd", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.pe.original_file_name:\"vaultcmd.exe\" or process.name:\"vaultcmd.exe\") and\n process.args:\"/list*\"\n", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to 
@timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.004", "name": "Windows Credential Manager", "reference": "https://attack.mitre.org/techniques/T1555/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_110.json b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_110.json deleted file mode 100644 index a8ac792d8cc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Searching for Saved Credentials via VaultCmd", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.pe.original_file_name:\"vaultcmd.exe\" or process.name:\"vaultcmd.exe\") and\n process.args:\"/list*\"\n", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to 
@timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.004", "name": "Windows Credential Manager", "reference": "https://attack.mitre.org/techniques/T1555/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_310.json b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_310.json deleted file mode 100644 index d99dc8852f4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_310.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Searching for Saved Credentials via VaultCmd", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.pe.original_file_name:\"vaultcmd.exe\" or process.name:\"vaultcmd.exe\") and\n process.args:\"/list*\"\n", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will 
not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.004", "name": "Windows Credential Manager", "reference": "https://attack.mitre.org/techniques/T1555/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 310}, "id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81_310", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_311.json b/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_311.json deleted file mode 100644 index ab2d477773d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/be8afaed-4bcd-4e0a-b5f9-5562003dde81_311.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Windows Credential Manager allows you to create, view, or delete saved credentials for signing into websites, connected applications, and networks. An adversary may abuse this to list or dump credentials stored in the Credential Manager for saved usernames and passwords. This may also be performed in preparation of lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Searching for Saved Credentials via VaultCmd", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.pe.original_file_name:\"vaultcmd.exe\" or process.name:\"vaultcmd.exe\") and\n process.args:\"/list*\"\n", "references": ["https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index 
(such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.004", "name": "Windows Credential Manager", "reference": "https://attack.mitre.org/techniques/T1555/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 311}, "id": "be8afaed-4bcd-4e0a-b5f9-5562003dde81_311", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204.json b/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204.json deleted file mode 100644 index cb29c64cd97..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer", "Elastic"], "description": "An adversary with a set of compromised credentials may attempt to make copies of running or deleted RDS databases in order to evade defense mechanisms or access data. This rule identifies successful attempts to restore a DB instance using the RDS `RestoreDBInstanceFromDBSnapshot` or `RestoreDBInstanceFromS3` API operations.", "false_positives": ["Restoring DB instances may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Instance restoration by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "eql", "license": "Elastic License v2", "name": "AWS RDS DB Instance Restored", "query": "any where event.dataset == \"aws.cloudtrail\" \n and event.provider == \"rds.amazonaws.com\" \n and event.action in (\"RestoreDBInstanceFromDBSnapshot\", \"RestoreDBInstanceFromS3\") \n and event.outcome == \"success\"\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromS3.html", "https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py", "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation#rds-createdbsnapshot-rds-restoredbinstancefromdbsnapshot-rds-modifydbinstance"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": 
"keyword"}], "risk_score": 47, "rule_id": "bf1073bf-ce26-4607-b405-ba1ed8e9e204", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1578", "name": "Modify Cloud Compute Infrastructure", "reference": "https://attack.mitre.org/techniques/T1578/", "subtechnique": [{"id": "T1578.002", "name": "Create Cloud Instance", "reference": "https://attack.mitre.org/techniques/T1578/002/"}, {"id": "T1578.004", "name": "Revert Cloud Instance", "reference": "https://attack.mitre.org/techniques/T1578/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 207}, "id": "bf1073bf-ce26-4607-b405-ba1ed8e9e204", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_102.json b/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_102.json deleted file mode 100644 index 9db616461d3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account.", "false_positives": ["Restoring snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot restoration by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Snapshot Restored", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and\nevent.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html", "https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "bf1073bf-ce26-4607-b405-ba1ed8e9e204", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility", "Defense Evasion"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1578", "name": "Modify Cloud Compute Infrastructure", "reference": "https://attack.mitre.org/techniques/T1578/", "subtechnique": [{"id": "T1578.004", "name": "Revert Cloud Instance", "reference": "https://attack.mitre.org/techniques/T1578/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "bf1073bf-ce26-4607-b405-ba1ed8e9e204_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_103.json b/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_103.json deleted file mode 100644 index 18f270dcce3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account.", "false_positives": ["Restoring snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot restoration by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Snapshot Restored", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and\nevent.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html", "https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "bf1073bf-ce26-4607-b405-ba1ed8e9e204", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Defense Evasion"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1578", "name": "Modify Cloud Compute Infrastructure", "reference": "https://attack.mitre.org/techniques/T1578/", "subtechnique": [{"id": "T1578.004", "name": "Revert Cloud Instance", "reference": "https://attack.mitre.org/techniques/T1578/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "bf1073bf-ce26-4607-b405-ba1ed8e9e204_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_104.json b/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_104.json deleted file mode 100644 index d6cf8d7575e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account.", "false_positives": ["Restoring snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot restoration by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Snapshot Restored", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and\nevent.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html", "https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "bf1073bf-ce26-4607-b405-ba1ed8e9e204", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Defense Evasion"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1578", "name": "Modify Cloud Compute Infrastructure", "reference": "https://attack.mitre.org/techniques/T1578/", "subtechnique": [{"id": "T1578.004", "name": "Revert Cloud Instance", "reference": "https://attack.mitre.org/techniques/T1578/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "bf1073bf-ce26-4607-b405-ba1ed8e9e204_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_205.json b/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_205.json deleted file mode 100644 index 7d4d8009f61..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account.", "false_positives": ["Restoring snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot restoration by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Snapshot Restored", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and\nevent.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html", "https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "bf1073bf-ce26-4607-b405-ba1ed8e9e204", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Defense Evasion"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1578", "name": "Modify Cloud Compute Infrastructure", "reference": "https://attack.mitre.org/techniques/T1578/", "subtechnique": [{"id": "T1578.004", "name": "Revert Cloud Instance", "reference": "https://attack.mitre.org/techniques/T1578/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "bf1073bf-ce26-4607-b405-ba1ed8e9e204_205", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_206.json b/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_206.json deleted file mode 100644 index acbc96c2f2b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bf1073bf-ce26-4607-b405-ba1ed8e9e204_206.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account.", "false_positives": ["Restoring snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Snapshot restoration by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Snapshot Restored", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:RestoreDBInstanceFromDBSnapshot and\nevent.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_RestoreDBInstanceFromDBSnapshot.html", "https://github.com/RhinoSecurityLabs/pacu/blob/master/pacu/modules/rds__explore_snapshots/main.py"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "bf1073bf-ce26-4607-b405-ba1ed8e9e204", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Defense Evasion"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1578", "name": "Modify Cloud Compute Infrastructure", "reference": "https://attack.mitre.org/techniques/T1578/", "subtechnique": [{"id": "T1578.004", "name": "Revert Cloud Instance", "reference": "https://attack.mitre.org/techniques/T1578/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "bf1073bf-ce26-4607-b405-ba1ed8e9e204_206", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bf8c007c-7dee-4842-8e9a-ee534c09d205.json b/packages/security_detection_engine/kibana/security_rule/bf8c007c-7dee-4842-8e9a-ee534c09d205.json deleted file mode 100644 index 1926453e126..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bf8c007c-7dee-4842-8e9a-ee534c09d205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of built-in tools which adversaries may use to enumerate the system owner/user of a compromised system.", "from": "now-119m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "System Owner/User Discovery Linux", "query": "process where event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and \nprocess.name : (\"whoami\", \"w\", \"who\", \"users\", \"id\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "bf8c007c-7dee-4842-8e9a-ee534c09d205", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}, {"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "bf8c007c-7dee-4842-8e9a-ee534c09d205", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/bf8c007c-7dee-4842-8e9a-ee534c09d205_1.json b/packages/security_detection_engine/kibana/security_rule/bf8c007c-7dee-4842-8e9a-ee534c09d205_1.json deleted file mode 100644 index 6c8f5baf3a4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bf8c007c-7dee-4842-8e9a-ee534c09d205_1.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of built-in tools which adversaries may use to enumerate the system owner/user of a compromised system.", "from": "now-119m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "System Owner/User Discovery Linux", "query": "process where event.type == \"start\" and\n process.name : (\"whoami\", \"w\", \"who\", \"users\", \"id\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "bf8c007c-7dee-4842-8e9a-ee534c09d205", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}, {"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "bf8c007c-7dee-4842-8e9a-ee534c09d205_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/bf8c007c-7dee-4842-8e9a-ee534c09d205_2.json b/packages/security_detection_engine/kibana/security_rule/bf8c007c-7dee-4842-8e9a-ee534c09d205_2.json deleted file mode 100644 index fa75e27dce6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bf8c007c-7dee-4842-8e9a-ee534c09d205_2.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of built-in tools which adversaries may use to enumerate the system owner/user of a compromised system.", "from": "now-119m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "System Owner/User Discovery Linux", "query": "process where event.type == \"start\" and\n process.name : (\"whoami\", \"w\", \"who\", \"users\", \"id\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "bf8c007c-7dee-4842-8e9a-ee534c09d205", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}, {"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "bf8c007c-7dee-4842-8e9a-ee534c09d205_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/bfba5158-1fd6-4937-a205-77d96213b341.json b/packages/security_detection_engine/kibana/security_rule/bfba5158-1fd6-4937-a205-77d96213b341.json deleted file mode 100644 index 7c6bc331622..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bfba5158-1fd6-4937-a205-77d96213b341.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.", "from": "now-6h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "ded_high_sent_bytes_destination_region_name", "name": "Potential Data Exfiltration Activity to an Unusual Region", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/ded", "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration"], "related_integrations": [{"package": "ded", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "bfba5158-1fd6-4937-a205-77d96213b341", "setup": "## Setup\n\nThe rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). \n\n### Data Exfiltration Detection Setup\nThe Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
\n\n#### Prerequisite Requirements:\n- Fleet is required for Data Exfiltration Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n\n#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1041", "name": "Exfiltration Over C2 Channel", "reference": "https://attack.mitre.org/techniques/T1041/"}]}], "type": "machine_learning", "version": 4}, "id": "bfba5158-1fd6-4937-a205-77d96213b341", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/bfba5158-1fd6-4937-a205-77d96213b341_1.json b/packages/security_detection_engine/kibana/security_rule/bfba5158-1fd6-4937-a205-77d96213b341_1.json
deleted file mode 100644
index 881529a5dde..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/bfba5158-1fd6-4937-a205-77d96213b341_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.", "from": "now-6h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "ded_high_sent_bytes_destination_region_name", "name": "Potential Data Exfiltration Activity to an Unusual Region", "note": "", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/ded"], "related_integrations": [{"package": "ded", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "bfba5158-1fd6-4937-a205-77d96213b341", "setup": "The Data Exfiltration Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.", "severity": "low", "tags": ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1041", "name": "Exfiltration Over C2 Channel", "reference": "https://attack.mitre.org/techniques/T1041/"}]}], "type": "machine_learning", "version": 1}, "id": "bfba5158-1fd6-4937-a205-77d96213b341_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bfba5158-1fd6-4937-a205-77d96213b341_2.json b/packages/security_detection_engine/kibana/security_rule/bfba5158-1fd6-4937-a205-77d96213b341_2.json deleted file mode 100644 index 41e703cff35..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/bfba5158-1fd6-4937-a205-77d96213b341_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.", "from": "now-6h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "ded_high_sent_bytes_destination_region_name", "name": "Potential Data Exfiltration Activity to an Unusual Region", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/ded", "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration"], "related_integrations": [{"package": "ded", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "bfba5158-1fd6-4937-a205-77d96213b341", "setup": "The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). \n\n### Data Exfiltration Detection Setup\nThe Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
\n\n#### Prerequisite Requirements:\n- Fleet is required for Data Exfiltration Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n\n#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.\n- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your network data. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1041", "name": "Exfiltration Over C2 Channel", "reference": "https://attack.mitre.org/techniques/T1041/"}]}], "type": "machine_learning", "version": 2}, "id": "bfba5158-1fd6-4937-a205-77d96213b341_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bfba5158-1fd6-4937-a205-77d96213b341_3.json b/packages/security_detection_engine/kibana/security_rule/bfba5158-1fd6-4937-a205-77d96213b341_3.json deleted file mode 100644 index 45144a9a0cc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bfba5158-1fd6-4937-a205-77d96213b341_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.", "from": "now-6h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "ded_high_sent_bytes_destination_region_name", "name": "Potential Data Exfiltration Activity to an Unusual Region", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/ded", "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration"], "related_integrations": [{"package": "ded", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "bfba5158-1fd6-4937-a205-77d96213b341", "setup": "## Setup\n\nThe rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). \n\n### Data Exfiltration Detection Setup\nThe Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
\n\n#### Prerequisite Requirements:\n- Fleet is required for Data Exfiltration Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n\n#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.\n- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your network data. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1041", "name": "Exfiltration Over C2 Channel", "reference": "https://attack.mitre.org/techniques/T1041/"}]}], "type": "machine_learning", "version": 3}, "id": "bfba5158-1fd6-4937-a205-77d96213b341_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee.json b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee.json deleted file mode 100644 index b496af7e43e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.library*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", "note": "## Triage and analysis\n\n### Investigating Suspicious DLL Loaded for Persistence or Privilege Escalation\n\nAttackers can execute malicious code by abusing missing modules that processes try to load, enabling them to escalate privileges or gain persistence. This rule identifies the loading of a non-Microsoft-signed DLL that is missing on a default Windows installation or one that can be loaded from a different location by a native Windows process.\n\n#### Possible investigation steps\n\n- Examine the DLL signature and identify the process that created it.\n - Investigate any abnormal behaviors by the process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the DLL and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, 
CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where host.os.type == \"windows\" and\n(event.category : (\"driver\", \"library\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n(\n /* compatible with Elastic Endpoint Library Events */\n (\n ?dll.name : (\n \"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\"\n )\n and (\n ?dll.code_signature.trusted != true or\n ?dll.code_signature.exists != true or\n (\n dll.code_signature.trusted == true and\n not dll.code_signature.subject_name : (\"Microsoft Windows\", \"Microsoft Corporation\", \"Microsoft Windows Publisher\")\n )\n ) or\n\n /* compatible with Sysmon EventID 7 - Image Load */\n (file.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\") and \n not file.hash.sha256 : \n (\"6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f\", \n 
\"b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4\", \n \"c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662\") and \n not file.code_signature.status == \"Valid\")\n ) and\n not\n (\n ?dll.path : (\n \"?:\\\\Windows\\\\System32\\\\wbemcomn.dll\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wbemcomn.dll\",\n \"?:\\\\Windows\\\\System32\\\\windowsperformancerecordercontrol.dll\",\n \"?:\\\\Windows\\\\System32\\\\wlanhlp.dll\"\n ) or\n file.path : (\n \"?:\\\\Windows\\\\System32\\\\wbemcomn.dll\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wbemcomn.dll\",\n \"?:\\\\Windows\\\\System32\\\\windowsperformancerecordercontrol.dll\",\n \"?:\\\\Windows\\\\System32\\\\wlanhlp.dll\"\n )\n )\n)\n", "references": ["https://itm4n.github.io/windows-dll-hijacking-clarified/", "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", "https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html", "https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html", "https://windows-internals.com/faxing-your-way-to-system/", "http://waleedassar.blogspot.com/2013/01/wow64logdll.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "dll.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "dll.path", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "file.hash.sha256", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": 
"keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": 
"https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_104.json b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_104.json deleted file mode 100644 index ea338622470..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", "note": "## Triage and analysis\n\n### Investigating Suspicious DLL Loaded for Persistence or Privilege Escalation\n\nAttackers can execute malicious code by abusing missing modules that processes try to load, enabling them to escalate privileges or gain persistence. This rule identifies the loading of a non-Microsoft-signed DLL that is missing on a default Windows installation or one that can be loaded from a different location by a native Windows process.\n\n#### Possible investigation steps\n\n- Examine the DLL signature and identify the process that created it.\n - Investigate any abnormal behaviors by the process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the DLL and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, 
etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"driver\", \"library\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (\n /* compatible with Elastic Endpoint Library Events */\n (dll.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\")\n and (dll.code_signature.trusted != true or dll.code_signature.exists != true)) or\n\n /* compatible with Sysmon EventID 7 - Image Load */\n (file.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\")\n and not file.code_signature.status == \"Valid\")\n )\n", "references": ["https://itm4n.github.io/windows-dll-hijacking-clarified/", "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", "https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html", 
"https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html", "https://windows-internals.com/faxing-your-way-to-system/", "http://waleedassar.blogspot.com/2013/01/wow64logdll.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Privilege Escalation", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", 
"reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_105.json b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_105.json deleted file mode 100644 index e6cf63ca102..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", "note": "## Triage and analysis\n\n### Investigating Suspicious DLL Loaded for Persistence or Privilege Escalation\n\nAttackers can execute malicious code by abusing missing modules that processes try to load, enabling them to escalate privileges or gain persistence. This rule identifies the loading of a non-Microsoft-signed DLL that is missing on a default Windows installation or one that can be loaded from a different location by a native Windows process.\n\n#### Possible investigation steps\n\n- Examine the DLL signature and identify the process that created it.\n - Investigate any abnormal behaviors by the process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the DLL and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, 
etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"driver\", \"library\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (\n /* compatible with Elastic Endpoint Library Events */\n (dll.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\")\n and (dll.code_signature.trusted != true or dll.code_signature.exists != true)) or\n\n /* compatible with Sysmon EventID 7 - Image Load */\n (file.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\")\n and not file.code_signature.status == \"Valid\")\n )\n", "references": ["https://itm4n.github.io/windows-dll-hijacking-clarified/", "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", "https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html", 
"https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html", "https://windows-internals.com/faxing-your-way-to-system/", "http://waleedassar.blogspot.com/2013/01/wow64logdll.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, 
"technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_106.json b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_106.json deleted file mode 100644 index 8b2653af54b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", "note": "## Triage and analysis\n\n### Investigating Suspicious DLL Loaded for Persistence or Privilege Escalation\n\nAttackers can execute malicious code by abusing missing modules that processes try to load, enabling them to escalate privileges or gain persistence. This rule identifies the loading of a non-Microsoft-signed DLL that is missing on a default Windows installation or one that can be loaded from a different location by a native Windows process.\n\n#### Possible investigation steps\n\n- Examine the DLL signature and identify the process that created it.\n - Investigate any abnormal behaviors by the process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the DLL and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, 
etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"driver\", \"library\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (\n /* compatible with Elastic Endpoint Library Events */\n (dll.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\")\n and (dll.code_signature.trusted != true or dll.code_signature.exists != true)) or\n\n /* compatible with Sysmon EventID 7 - Image Load */\n (file.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\") and \n not file.path : (\"?:\\\\Windows\\\\System32\\\\wbemcomn.dll\", \"?:\\\\Windows\\\\SysWOW64\\\\wbemcomn.dll\") and \n not file.hash.sha256 : \n (\"6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f\", \n \"b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4\", \n 
\"c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662\") and \n not file.code_signature.status == \"Valid\")\n )\n", "references": ["https://itm4n.github.io/windows-dll-hijacking-clarified/", "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", "https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html", "https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html", "https://windows-internals.com/faxing-your-way-to-system/", "http://waleedassar.blogspot.com/2013/01/wow64logdll.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "file.hash.sha256", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_107.json b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_107.json deleted file mode 100644 index e94f6c1594c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", "note": "## Triage and analysis\n\n### Investigating Suspicious DLL Loaded for Persistence or Privilege Escalation\n\nAttackers can execute malicious code by abusing missing modules that processes try to load, enabling them to escalate privileges or gain persistence. This rule identifies the loading of a non-Microsoft-signed DLL that is missing on a default Windows installation or one that can be loaded from a different location by a native Windows process.\n\n#### Possible investigation steps\n\n- Examine the DLL signature and identify the process that created it.\n - Investigate any abnormal behaviors by the process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the DLL and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, 
etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"driver\", \"library\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (\n /* compatible with Elastic Endpoint Library Events */\n (dll.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\")\n and (dll.code_signature.trusted != true or dll.code_signature.exists != true)) or\n\n /* compatible with Sysmon EventID 7 - Image Load */\n (file.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\") and \n not file.path : (\"?:\\\\Windows\\\\System32\\\\wbemcomn.dll\", \"?:\\\\Windows\\\\SysWOW64\\\\wbemcomn.dll\") and \n not file.hash.sha256 : \n (\"6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f\", \n \"b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4\", \n 
\"c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662\") and \n not file.code_signature.status == \"Valid\")\n )\n", "references": ["https://itm4n.github.io/windows-dll-hijacking-clarified/", "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", "https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html", "https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html", "https://windows-internals.com/faxing-your-way-to-system/", "http://waleedassar.blogspot.com/2013/01/wow64logdll.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "file.hash.sha256", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_108.json b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_108.json deleted file mode 100644 index bc49a16b050..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", "note": "## Triage and analysis\n\n### Investigating Suspicious DLL Loaded for Persistence or Privilege Escalation\n\nAttackers can execute malicious code by abusing missing modules that processes try to load, enabling them to escalate privileges or gain persistence. This rule identifies the loading of a non-Microsoft-signed DLL that is missing on a default Windows installation or one that can be loaded from a different location by a native Windows process.\n\n#### Possible investigation steps\n\n- Examine the DLL signature and identify the process that created it.\n - Investigate any abnormal behaviors by the process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the DLL and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, 
etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"driver\", \"library\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (\n /* compatible with Elastic Endpoint Library Events */\n (dll.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\")\n and (dll.code_signature.trusted != true or dll.code_signature.exists != true)) or\n\n /* compatible with Sysmon EventID 7 - Image Load */\n (file.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\") and \n not file.path : (\"?:\\\\Windows\\\\System32\\\\wbemcomn.dll\", \"?:\\\\Windows\\\\SysWOW64\\\\wbemcomn.dll\") and \n not file.hash.sha256 : \n (\"6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f\", \n \"b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4\", \n 
\"c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662\") and \n not file.code_signature.status == \"Valid\")\n )\n", "references": ["https://itm4n.github.io/windows-dll-hijacking-clarified/", "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", "https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html", "https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html", "https://windows-internals.com/faxing-your-way-to-system/", "http://waleedassar.blogspot.com/2013/01/wow64logdll.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "file.hash.sha256", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic 
Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_109.json b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_109.json deleted file mode 100644 index 04d2cebfaef..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", "note": "## Triage and analysis\n\n### Investigating Suspicious DLL Loaded for Persistence or Privilege Escalation\n\nAttackers can execute malicious code by abusing missing modules that processes try to load, enabling them to escalate privileges or gain persistence. This rule identifies the loading of a non-Microsoft-signed DLL that is missing on a default Windows installation or one that can be loaded from a different location by a native Windows process.\n\n#### Possible investigation steps\n\n- Examine the DLL signature and identify the process that created it.\n - Investigate any abnormal behaviors by the process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the DLL and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, 
etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"driver\", \"library\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (\n /* compatible with Elastic Endpoint Library Events */\n (dll.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\")\n and (dll.code_signature.trusted != true or dll.code_signature.exists != true)) or\n\n /* compatible with Sysmon EventID 7 - Image Load */\n (file.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\") and \n not file.path : (\"?:\\\\Windows\\\\System32\\\\wbemcomn.dll\", \"?:\\\\Windows\\\\SysWOW64\\\\wbemcomn.dll\") and \n not file.hash.sha256 : \n (\"6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f\", \n \"b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4\", \n 
\"c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662\") and \n not file.code_signature.status == \"Valid\")\n )\n", "references": ["https://itm4n.github.io/windows-dll-hijacking-clarified/", "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", "https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html", "https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html", "https://windows-internals.com/faxing-your-way-to-system/", "http://waleedassar.blogspot.com/2013/01/wow64logdll.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "file.hash.sha256", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat 
Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_110.json b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_110.json deleted file mode 100644 index ef7278bec4c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", "note": "## Triage and analysis\n\n### Investigating Suspicious DLL Loaded for Persistence or Privilege Escalation\n\nAttackers can execute malicious code by abusing missing modules that processes try to load, enabling them to escalate privileges or gain persistence. This rule identifies the loading of a non-Microsoft-signed DLL that is missing on a default Windows installation or one that can be loaded from a different location by a native Windows process.\n\n#### Possible investigation steps\n\n- Examine the DLL signature and identify the process that created it.\n - Investigate any abnormal behaviors by the process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the DLL and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO 
Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"driver\", \"library\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (\n /* compatible with Elastic Endpoint Library Events */\n (?dll.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\")\n and (?dll.code_signature.trusted != true or ?dll.code_signature.exists != true)) or\n\n /* compatible with Sysmon EventID 7 - Image Load */\n (file.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\") and \n not file.path : (\"?:\\\\Windows\\\\System32\\\\wbemcomn.dll\", \"?:\\\\Windows\\\\SysWOW64\\\\wbemcomn.dll\") and \n not file.hash.sha256 : \n (\"6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f\", \n \"b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4\", \n 
\"c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662\") and \n not file.code_signature.status == \"Valid\")\n )\n", "references": ["https://itm4n.github.io/windows-dll-hijacking-clarified/", "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", "https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html", "https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html", "https://windows-internals.com/faxing-your-way-to-system/", "http://waleedassar.blogspot.com/2013/01/wow64logdll.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "file.hash.sha256", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: 
Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_111.json b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_111.json deleted file mode 100644 index 5159e4eac72..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.library*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", "note": "## Triage and analysis\n\n### Investigating Suspicious DLL Loaded for Persistence or Privilege Escalation\n\nAttackers can execute malicious code by abusing missing modules that processes try to load, enabling them to escalate privileges or gain persistence. This rule identifies the loading of a non-Microsoft-signed DLL that is missing on a default Windows installation or one that can be loaded from a different location by a native Windows process.\n\n#### Possible investigation steps\n\n- Examine the DLL signature and identify the process that created it.\n - Investigate any abnormal behaviors by the process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the DLL and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, 
CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where host.os.type == \"windows\" and\n (event.category : (\"driver\", \"library\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n (\n /* compatible with Elastic Endpoint Library Events */\n (?dll.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\")\n and (?dll.code_signature.trusted != true or ?dll.code_signature.exists != true)) or\n\n /* compatible with Sysmon EventID 7 - Image Load */\n (file.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\") and \n not file.path : (\"?:\\\\Windows\\\\System32\\\\wbemcomn.dll\", \"?:\\\\Windows\\\\SysWOW64\\\\wbemcomn.dll\") and \n not file.hash.sha256 : \n (\"6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f\", \n \"b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4\", \n 
\"c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662\") and \n not file.code_signature.status == \"Valid\")\n )\n", "references": ["https://itm4n.github.io/windows-dll-hijacking-clarified/", "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", "https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html", "https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html", "https://windows-internals.com/faxing-your-way-to-system/", "http://waleedassar.blogspot.com/2013/01/wow64logdll.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "file.hash.sha256", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: 
Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_112.json b/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_112.json deleted file mode 100644 index 2889456dd1a..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/bfeaf89b-a2a7-48a3-817f-e41829dc61ee_112.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the loading of a non Microsoft signed DLL that is missing on a default Windows install (phantom DLL) or one that can be loaded from a different location by a native Windows process. This may be abused to persist or elevate privileges via privileged file write vulnerabilities.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.library*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious DLL Loaded for Persistence or Privilege Escalation", "note": "## Triage and analysis\n\n### Investigating Suspicious DLL Loaded for Persistence or Privilege Escalation\n\nAttackers can execute malicious code by abusing missing modules that processes try to load, enabling them to escalate privileges or gain persistence. This rule identifies the loading of a non-Microsoft-signed DLL that is missing on a default Windows installation or one that can be loaded from a different location by a native Windows process.\n\n#### Possible investigation steps\n\n- Examine the DLL signature and identify the process that created it.\n - Investigate any abnormal behaviors by the process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve the DLL and determine if it is malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, 
CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where host.os.type == \"windows\" and\n(event.category : (\"driver\", \"library\") or (event.category == \"process\" and event.action : \"Image loaded*\")) and\n(\n /* compatible with Elastic Endpoint Library Events */\n (\n ?dll.name : (\n \"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\"\n )\n and (\n ?dll.code_signature.trusted != true or\n ?dll.code_signature.exists != true or\n (\n dll.code_signature.trusted == true and\n not dll.code_signature.subject_name : (\"Microsoft Windows\", \"Microsoft Corporation\", \"Microsoft Windows Publisher\")\n )\n ) or\n\n /* compatible with Sysmon EventID 7 - Image Load */\n (file.name : (\"wlbsctrl.dll\", \"wbemcomn.dll\", \"WptsExtensions.dll\", \"Tsmsisrv.dll\", \"TSVIPSrv.dll\", \"Msfte.dll\",\n \"wow64log.dll\", \"WindowsCoreDeviceInfo.dll\", \"Ualapi.dll\", \"wlanhlp.dll\", \"phoneinfo.dll\", \"EdgeGdi.dll\",\n \"cdpsgshims.dll\", \"windowsperformancerecordercontrol.dll\", \"diagtrack_win.dll\", \"oci.dll\", \"TPPCOIPW32.dll\", \n \"tpgenlic.dll\", \"thinmon.dll\", \"fxsst.dll\", \"msTracer.dll\") and \n not file.hash.sha256 : \n (\"6e837794fc282446906c36d681958f2f6212043fc117c716936920be166a700f\", \n 
\"b14e4954e8cca060ffeb57f2458b6a3a39c7d2f27e94391cbcea5387652f21a4\", \n \"c258d90acd006fa109dc6b748008edbb196d6168bc75ace0de0de54a4db46662\") and \n not file.code_signature.status == \"Valid\")\n ) and\n not\n (\n ?dll.path : (\n \"?:\\\\Windows\\\\System32\\\\wbemcomn.dll\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wbemcomn.dll\",\n \"?:\\\\Windows\\\\System32\\\\windowsperformancerecordercontrol.dll\",\n \"?:\\\\Windows\\\\System32\\\\wlanhlp.dll\"\n ) or\n file.path : (\n \"?:\\\\Windows\\\\System32\\\\wbemcomn.dll\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wbemcomn.dll\",\n \"?:\\\\Windows\\\\System32\\\\windowsperformancerecordercontrol.dll\",\n \"?:\\\\Windows\\\\System32\\\\wlanhlp.dll\"\n )\n )\n)\n", "references": ["https://itm4n.github.io/windows-dll-hijacking-clarified/", "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", "https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html", "https://shellz.club/2020/10/16/edgegdi-dll-for-persistence-and-lateral-movement.html", "https://windows-internals.com/faxing-your-way-to-system/", "http://waleedassar.blogspot.com/2013/01/wow64logdll.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "dll.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "dll.path", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "file.hash.sha256", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": 
"keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": 
"https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "bfeaf89b-a2a7-48a3-817f-e41829dc61ee_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d.json b/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d.json
deleted file mode 100644
index 18166555f31..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Secure Copy Protocol (SCP) to copy files locally by abusing the auto addition of the Secure Shell Daemon (sshd) to the authorized application list for Full Disk Access. This may indicate attempts to bypass macOS privacy controls to access sensitive files.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privacy Control Bypass via Localhost Secure Copy", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name:\"scp\" and\n process.args:\"StrictHostKeyChecking=no\" and\n process.command_line:(\"scp *localhost:/*\", \"scp *127.0.0.1:/*\") and\n not process.args:\"vagrant@*127.0.0.1*\"\n", "references": ["https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_102.json b/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_102.json
deleted file mode 100644
index 5a9713e9318..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Secure Copy Protocol (SCP) to copy files locally by abusing the auto addition of the Secure Shell Daemon (sshd) to the authorized application list for Full Disk Access. This may indicate attempts to bypass macOS privacy controls to access sensitive files.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privacy Control Bypass via Localhost Secure Copy", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name:\"scp\" and\n process.args:\"StrictHostKeyChecking=no\" and\n process.command_line:(\"scp *localhost:/*\", \"scp *127.0.0.1:/*\") and\n not process.args:\"vagrant@*127.0.0.1*\"\n", "references": ["https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Privilege Escalation", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_103.json b/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_103.json
deleted file mode 100644
index d2db44668da..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Secure Copy Protocol (SCP) to copy files locally by abusing the auto addition of the Secure Shell Daemon (sshd) to the authorized application list for Full Disk Access. This may indicate attempts to bypass macOS privacy controls to access sensitive files.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privacy Control Bypass via Localhost Secure Copy", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name:\"scp\" and\n process.args:\"StrictHostKeyChecking=no\" and\n process.command_line:(\"scp *localhost:/*\", \"scp *127.0.0.1:/*\") and\n not process.args:\"vagrant@*127.0.0.1*\"\n", "references": ["https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", 
"reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_104.json b/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_104.json
deleted file mode 100644
index 400dd5c5a5d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Secure Copy Protocol (SCP) to copy files locally by abusing the auto addition of the Secure Shell Daemon (sshd) to the authorized application list for Full Disk Access. This may indicate attempts to bypass macOS privacy controls to access sensitive files.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privacy Control Bypass via Localhost Secure Copy", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name:\"scp\" and\n process.args:\"StrictHostKeyChecking=no\" and\n process.command_line:(\"scp *localhost:/*\", \"scp *127.0.0.1:/*\") and\n not process.args:\"vagrant@*127.0.0.1*\"\n", "references": ["https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", 
"name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_105.json b/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_105.json
deleted file mode 100644
index 74f7fae0f9a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Secure Copy Protocol (SCP) to copy files locally by abusing the auto addition of the Secure Shell Daemon (sshd) to the authorized application list for Full Disk Access. This may indicate attempts to bypass macOS privacy controls to access sensitive files.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privacy Control Bypass via Localhost Secure Copy", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name:\"scp\" and\n process.args:\"StrictHostKeyChecking=no\" and\n process.command_line:(\"scp *localhost:/*\", \"scp *127.0.0.1:/*\") and\n not process.args:\"vagrant@*127.0.0.1*\"\n", "references": ["https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat 
Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_106.json b/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_106.json
deleted file mode 100644
index 631795c7509..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Secure Copy Protocol (SCP) to copy files locally by abusing the auto addition of the Secure Shell Daemon (sshd) to the authorized application list for Full Disk Access. This may indicate attempts to bypass macOS privacy controls to access sensitive files.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privacy Control Bypass via Localhost Secure Copy", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name:\"scp\" and\n process.args:\"StrictHostKeyChecking=no\" and\n process.command_line:(\"scp *localhost:/*\", \"scp *127.0.0.1:/*\") and\n not process.args:\"vagrant@*127.0.0.1*\"\n", "references": ["https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145.json b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145.json
deleted file mode 100644
index 62a7f7fbbca..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of a new GPO Scheduled Task or Service", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : (\"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml\",\n \"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Services\\\\Services.xml\") and\n not process.name : \"dfsrs.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: 
Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1484", "name": "Domain or Tenant Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "c0429aa8-9974-42da-bfb6-53a0a515a145", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_103.json b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_103.json deleted file mode 100644 index b07e1e7e6f6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of a new GPO Scheduled Task or Service", "note": "", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : (\"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml\",\n \"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Services\\\\Services.xml\") and\n not process.name : \"dfsrs.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "c0429aa8-9974-42da-bfb6-53a0a515a145_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_104.json b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_104.json deleted file mode 100644 index fc21c2fe5c7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of a new GPO Scheduled Task or Service", "note": "", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : (\"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml\",\n \"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Services\\\\Services.xml\") and\n not process.name : \"dfsrs.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "c0429aa8-9974-42da-bfb6-53a0a515a145_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_105.json b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_105.json deleted file mode 100644 index cb42a2891ee..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of a new GPO Scheduled Task or Service", "note": "", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : (\"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml\",\n \"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Services\\\\Services.xml\") and\n not process.name : \"dfsrs.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": 
"Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "c0429aa8-9974-42da-bfb6-53a0a515a145_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_106.json b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_106.json deleted file mode 100644 index 70d99683d34..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of a new GPO Scheduled Task or Service", "note": "", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : (\"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml\",\n \"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Services\\\\Services.xml\") and\n not process.name : \"dfsrs.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "c0429aa8-9974-42da-bfb6-53a0a515a145_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_107.json b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_107.json deleted file mode 100644 index defdfbe5ae7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of a new GPO Scheduled Task or Service", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : (\"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml\",\n \"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Services\\\\Services.xml\") and\n not process.name : \"dfsrs.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat 
Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "c0429aa8-9974-42da-bfb6-53a0a515a145_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_108.json b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_108.json deleted file mode 100644 index 006cae881ba..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of a new GPO Scheduled Task or Service", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : (\"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml\",\n \"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Services\\\\Services.xml\") and\n not process.name : \"dfsrs.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: 
Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "c0429aa8-9974-42da-bfb6-53a0a515a145_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_109.json b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_109.json deleted file mode 100644 index 7bb8b8fe5c2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of a new GPO Scheduled Task or Service", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : (\"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml\",\n \"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Services\\\\Services.xml\") and\n not process.name : \"dfsrs.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: 
Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1484", "name": "Domain Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "c0429aa8-9974-42da-bfb6-53a0a515a145_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_110.json b/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_110.json deleted file mode 100644 index 023771b1781..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c0429aa8-9974-42da-bfb6-53a0a515a145_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all or a subset of the domain joined machines.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of a new GPO Scheduled Task or Service", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.path : (\"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\ScheduledTasks\\\\ScheduledTasks.xml\",\n \"?:\\\\Windows\\\\SYSVOL\\\\domain\\\\Policies\\\\*\\\\MACHINE\\\\Preferences\\\\Services\\\\Services.xml\") and\n not process.name : \"dfsrs.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "c0429aa8-9974-42da-bfb6-53a0a515a145", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: 
Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1484", "name": "Domain or Tenant Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/", "subtechnique": [{"id": "T1484.001", "name": "Group Policy Modification", "reference": "https://attack.mitre.org/techniques/T1484/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.005", "name": "Scheduled Task", "reference": "https://attack.mitre.org/techniques/T1053/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "c0429aa8-9974-42da-bfb6-53a0a515a145_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c0b9dc99-c696-4779-b086-0d37dc2b3778.json b/packages/security_detection_engine/kibana/security_rule/c0b9dc99-c696-4779-b086-0d37dc2b3778.json deleted file mode 100644 index 353e471f74e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c0b9dc99-c696-4779-b086-0d37dc2b3778.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the creation of a memory dump file with an unusual extension, which can indicate an attempt to disguise a memory dump as another file type to bypass security defenses.", "from": "now-9m", "index": ["logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Memory Dump File with Unusual Extension", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n /* MDMP header */\n file.Ext.header_bytes : \"4d444d50*\" and\n not file.extension : (\"dmp\", \"mdmp\", \"hdmp\", \"edmp\", \"full\", \"tdref\", \"cg\", \"tmp\", \"dat\") and\n not \n (\n process.executable : \"?:\\\\Program Files\\\\Endgame\\\\esensor.exe\" and\n process.code_signature.trusted == true and length(file.extension) == 0\n ) and\n not\n (\n process.name : \"System\" and file.extension : \"tmpscan\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "c0b9dc99-c696-4779-b086-0d37dc2b3778", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": 
"https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.008", "name": "Masquerade File Type", "reference": "https://attack.mitre.org/techniques/T1036/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "c0b9dc99-c696-4779-b086-0d37dc2b3778", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c0b9dc99-c696-4779-b086-0d37dc2b3778_1.json b/packages/security_detection_engine/kibana/security_rule/c0b9dc99-c696-4779-b086-0d37dc2b3778_1.json deleted file mode 100644 index 57328a6ed73..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c0b9dc99-c696-4779-b086-0d37dc2b3778_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the creation of a memory dump file with an unusual extension, which can indicate an attempt to disguise a memory dump as another file type to bypass security defenses.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Memory Dump File with Unusual Extension", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n /* MDMP header */\n file.Ext.header_bytes : \"4d444d50*\" and\n not file.extension : (\"dmp\", \"mdmp\", \"hdmp\", \"edmp\", \"full\", \"tdref\", \"cg\", \"tmp\", \"dat\") and\n not \n (\n process.executable : \"?:\\\\Program Files\\\\Endgame\\\\esensor.exe\" and\n process.code_signature.trusted == true and length(file.extension) == 0\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "c0b9dc99-c696-4779-b086-0d37dc2b3778", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": 
"https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.008", "name": "Masquerade File Type", "reference": "https://attack.mitre.org/techniques/T1036/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "c0b9dc99-c696-4779-b086-0d37dc2b3778_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f.json b/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f.json deleted file mode 100644 index dd6e54756c2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Credential Manipulation - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 73, "rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f", "setup": "## Setup\n\nThis rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.\n\n**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. 
For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.\n\nTo make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.\n\n**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.", "severity": "high", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "c0be5f31-e180-48ed-aa08-96b36899d48f", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f_100.json b/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f_100.json deleted file mode 100644 index cabadd5423f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f_100.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Credential Manipulation - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 73, "rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f", "severity": "high", "tags": ["Elastic", "Elastic Endgame", "Threat Detection", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "type": "query", "version": 100}, "id": "c0be5f31-e180-48ed-aa08-96b36899d48f_100", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f_101.json b/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f_101.json deleted file mode 100644 index 929f87b65e8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Credential Manipulation - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 73, "rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f", "severity": "high", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "type": "query", "version": 101}, "id": "c0be5f31-e180-48ed-aa08-96b36899d48f_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f_102.json b/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f_102.json deleted file mode 100644 index 4f7b96f530a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c0be5f31-e180-48ed-aa08-96b36899d48f_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Credential Manipulation - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 73, "rule_id": "c0be5f31-e180-48ed-aa08-96b36899d48f", "severity": "high", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "c0be5f31-e180-48ed-aa08-96b36899d48f_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c124dc1b-cef2-4d01-8d74-ff6b0d5096b6_1.json b/packages/security_detection_engine/kibana/security_rule/c124dc1b-cef2-4d01-8d74-ff6b0d5096b6_1.json deleted file mode 100644 index 26f620da347..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/c124dc1b-cef2-4d01-8d74-ff6b0d5096b6_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies PowerShell scripts containing cmdlets and parameters that attackers can abuse to disable Windows Defender features. Attackers can tamper with antivirus to reduce the risk of detection when executing their payloads.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Windows Defender Tampering Capabilities", "query": "event.category: \"process\" and host.os.type:windows and\n(\n powershell.file.script_block_text: \"Set-MpPreference\" and\n powershell.file.script_block_text: (\n DisableArchiveScanning or DisableBehaviorMonitoring or\n DisableIntrusionPreventionSystem or DisableIOAVProtection or\n DisableRemovableDriveScanning or DisableBlockAtFirstSeen or\n DisableScanningMappedNetworkDrivesForFullScan or\n DisableScanningNetworkFiles or DisableScriptScanning or\n DisableRealtimeMonitoring or LowThreatDefaultAction or\n ModerateThreatDefaultAction or HighThreatDefaultAction\n )\n)\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 21, "rule_id": "c124dc1b-cef2-4d01-8d74-ff6b0d5096b6", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", 
"severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "c124dc1b-cef2-4d01-8d74-ff6b0d5096b6_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c124dc1b-cef2-4d01-8d74-ff6b0d5096b6_2.json b/packages/security_detection_engine/kibana/security_rule/c124dc1b-cef2-4d01-8d74-ff6b0d5096b6_2.json deleted file mode 100644 index 1621a6cff29..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c124dc1b-cef2-4d01-8d74-ff6b0d5096b6_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies PowerShell scripts containing cmdlets and parameters that attackers can abuse to disable Windows Defender features. Attackers can tamper with antivirus to reduce the risk of detection when executing their payloads.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Windows Defender Tampering Capabilities", "query": "event.category: \"process\" and host.os.type:windows and\n(\n powershell.file.script_block_text: \"Set-MpPreference\" and\n powershell.file.script_block_text: (\n DisableArchiveScanning or DisableBehaviorMonitoring or\n DisableIntrusionPreventionSystem or DisableIOAVProtection or\n DisableRemovableDriveScanning or DisableBlockAtFirstSeen or\n DisableScanningMappedNetworkDrivesForFullScan or\n DisableScanningNetworkFiles or DisableScriptScanning or\n DisableRealtimeMonitoring or LowThreatDefaultAction or\n ModerateThreatDefaultAction or HighThreatDefaultAction\n )\n)\n", "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 21, "rule_id": "c124dc1b-cef2-4d01-8d74-ff6b0d5096b6", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", 
"severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "c124dc1b-cef2-4d01-8d74-ff6b0d5096b6_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16.json b/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16.json deleted file mode 100644 index 1f3e67baa46..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where the \"index.html\" file within the \"/usr/lib/vmware/*\" directory is renamed on a Linux system. The rule monitors for the \"rename\" event action associated with this specific file and path, which could indicate malicious activity.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Renaming of ESXI index.html File", "query": "file where host.os.type == \"linux\" and event.action == \"rename\" and file.name : \"index.html\" and\nfile.Ext.original.path : \"/usr/lib/vmware/*\"\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.path", "type": "unknown"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "c125e48f-6783-41f0-b100-c3bf1b114d16", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "c125e48f-6783-41f0-b100-c3bf1b114d16", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_1.json b/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_1.json deleted file mode 100644 index 31cf5318035..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where the \"index.html\" file within the \"/usr/lib/vmware/*\" directory is renamed on a Linux system. The rule monitors for the \"rename\" event action associated with this specific file and path, which could indicate malicious activity.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Renaming of ESXI index.html File", "query": "file where host.os.type == \"linux\" and event.action == \"rename\" and file.name : \"index.html\" and\nfile.Ext.original.path : \"/usr/lib/vmware/*\"\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.path", "type": "unknown"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "c125e48f-6783-41f0-b100-c3bf1b114d16", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "c125e48f-6783-41f0-b100-c3bf1b114d16_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_2.json b/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_2.json deleted file mode 100644 index dfa270bdb02..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where the \"index.html\" file within the \"/usr/lib/vmware/*\" directory is renamed on a Linux system. The rule monitors for the \"rename\" event action associated with this specific file and path, which could indicate malicious activity.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Renaming of ESXI index.html File", "query": "file where host.os.type == \"linux\" and event.action == \"rename\" and file.name : \"index.html\" and\nfile.Ext.original.path : \"/usr/lib/vmware/*\"\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.path", "type": "unknown"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "c125e48f-6783-41f0-b100-c3bf1b114d16", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "c125e48f-6783-41f0-b100-c3bf1b114d16_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_3.json b/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_3.json deleted file mode 100644 index 9c6974e92fa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where the \"index.html\" file within the \"/usr/lib/vmware/*\" directory is renamed on a Linux system. The rule monitors for the \"rename\" event action associated with this specific file and path, which could indicate malicious activity.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Renaming of ESXI index.html File", "query": "file where host.os.type == \"linux\" and event.action == \"rename\" and file.name : \"index.html\" and\nfile.Ext.original.path : \"/usr/lib/vmware/*\"\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.path", "type": "unknown"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "c125e48f-6783-41f0-b100-c3bf1b114d16", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "c125e48f-6783-41f0-b100-c3bf1b114d16_3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_4.json b/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_4.json deleted file mode 100644 index a948efed36e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where the \"index.html\" file within the \"/usr/lib/vmware/*\" directory is renamed on a Linux system. The rule monitors for the \"rename\" event action associated with this specific file and path, which could indicate malicious activity.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Renaming of ESXI index.html File", "query": "file where host.os.type == \"linux\" and event.action == \"rename\" and file.name : \"index.html\" and\nfile.Ext.original.path : \"/usr/lib/vmware/*\"\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.path", "type": "unknown"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "c125e48f-6783-41f0-b100-c3bf1b114d16", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "c125e48f-6783-41f0-b100-c3bf1b114d16_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_5.json b/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_5.json deleted file mode 100644 index 4435cdd4267..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c125e48f-6783-41f0-b100-c3bf1b114d16_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies instances where the \"index.html\" file within the \"/usr/lib/vmware/*\" directory is renamed on a Linux system. The rule monitors for the \"rename\" event action associated with this specific file and path, which could indicate malicious activity.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Renaming of ESXI index.html File", "query": "file where host.os.type == \"linux\" and event.action == \"rename\" and file.name : \"index.html\" and\nfile.Ext.original.path : \"/usr/lib/vmware/*\"\n", "references": ["https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.path", "type": "unknown"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "c125e48f-6783-41f0-b100-c3bf1b114d16", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "c125e48f-6783-41f0-b100-c3bf1b114d16_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573.json b/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573.json deleted file mode 100644 index 3f3f03fe13e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic.", "false_positives": ["Traffic Mirroring may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Traffic Mirroring from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Full Network Packet Capture Detected", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and\nevent.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget) and\nevent.outcome:success\n", "references": ["https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorFilter.html", "https://github.com/easttimor/aws-incident-response"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "c1812764-0788-470f-8e74-eb4a14d47573", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: 
Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Exfiltration", "Tactic: Collection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1020", "name": "Automated Exfiltration", "reference": "https://attack.mitre.org/techniques/T1020/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1074", "name": "Data Staged", "reference": "https://attack.mitre.org/techniques/T1074/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "c1812764-0788-470f-8e74-eb4a14d47573", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_102.json b/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_102.json deleted file mode 100644 index d97e99faaa7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic.", "false_positives": ["Traffic Mirroring may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Traffic Mirroring from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Full Network Packet Capture Detected", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and\nevent.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget) and\nevent.outcome:success\n", "references": ["https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorFilter.html", "https://github.com/easttimor/aws-incident-response"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "c1812764-0788-470f-8e74-eb4a14d47573", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous 
Monitoring", "SecOps", "Network Security"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1020", "name": "Automated Exfiltration", "reference": "https://attack.mitre.org/techniques/T1020/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1074", "name": "Data Staged", "reference": "https://attack.mitre.org/techniques/T1074/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "c1812764-0788-470f-8e74-eb4a14d47573_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_103.json b/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_103.json deleted file mode 100644 index 79138d9cdc5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic.", "false_positives": ["Traffic Mirroring may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Traffic Mirroring from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Full Network Packet Capture Detected", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and\nevent.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget) and\nevent.outcome:success\n", "references": ["https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorFilter.html", "https://github.com/easttimor/aws-incident-response"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "c1812764-0788-470f-8e74-eb4a14d47573", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web 
Services", "Use Case: Network Security Monitoring", "Tactic: Exfiltration", "Tactic: Collection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1020", "name": "Automated Exfiltration", "reference": "https://attack.mitre.org/techniques/T1020/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1074", "name": "Data Staged", "reference": "https://attack.mitre.org/techniques/T1074/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "c1812764-0788-470f-8e74-eb4a14d47573_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_104.json b/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_104.json deleted file mode 100644 index 7cd14084ff1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic.", "false_positives": ["Traffic Mirroring may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Traffic Mirroring from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Full Network Packet Capture Detected", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and\nevent.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget) and\nevent.outcome:success\n", "references": ["https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorFilter.html", "https://github.com/easttimor/aws-incident-response"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "c1812764-0788-470f-8e74-eb4a14d47573", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web 
Services", "Use Case: Network Security Monitoring", "Tactic: Exfiltration", "Tactic: Collection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1020", "name": "Automated Exfiltration", "reference": "https://attack.mitre.org/techniques/T1020/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1074", "name": "Data Staged", "reference": "https://attack.mitre.org/techniques/T1074/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "c1812764-0788-470f-8e74-eb4a14d47573_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_205.json b/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_205.json deleted file mode 100644 index f39a2f50974..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c1812764-0788-470f-8e74-eb4a14d47573_205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic.", "false_positives": ["Traffic Mirroring may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Traffic Mirroring from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 Full Network Packet Capture Detected", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and\nevent.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget) and\nevent.outcome:success\n", "references": ["https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_TrafficMirrorFilter.html", "https://github.com/easttimor/aws-incident-response"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "c1812764-0788-470f-8e74-eb4a14d47573", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web 
Services", "Use Case: Network Security Monitoring", "Tactic: Exfiltration", "Tactic: Collection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1020", "name": "Automated Exfiltration", "reference": "https://attack.mitre.org/techniques/T1020/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1074", "name": "Data Staged", "reference": "https://attack.mitre.org/techniques/T1074/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "c1812764-0788-470f-8e74-eb4a14d47573_205", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c1e79a70-fa6f-11ee-8bc8-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/c1e79a70-fa6f-11ee-8bc8-f661ea17fbce.json deleted file mode 100644 index 087d13469ea..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c1e79a70-fa6f-11ee-8bc8-f661ea17fbce.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies discovery request `DescribeInstanceAttribute` with the attribute userData and instanceId in AWS CloudTrail logs. This may indicate an attempt to retrieve user data from an EC2 instance. Adversaries may use this information to gather sensitive data from the instance or to identify potential vulnerabilities. This is a building block rule that does not generate an alert on its own, but serves as a signal for anomalous activity.", "from": "now-119m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Retrieve User Data from AWS EC2 Instance", "query": "event.dataset:aws.cloudtrail\n and event.action:DescribeInstanceAttribute\n and aws.cloudtrail.request_parameters:(*attribute=userData* and *instanceId*)\n", "references": ["https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceAttribute.html", "https://hackingthe.cloud/aws/exploitation/local_ec2_priv_esc_through_user_data"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.request_parameters", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "c1e79a70-fa6f-11ee-8bc8-f661ea17fbce", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: Amazon EC2", "Use Case: Log Auditing", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1580", "name": "Cloud Infrastructure Discovery", "reference": "https://attack.mitre.org/techniques/T1580/"}]}], "timestamp_override": 
"event.ingested", "type": "query", "version": 2}, "id": "c1e79a70-fa6f-11ee-8bc8-f661ea17fbce", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c1e79a70-fa6f-11ee-8bc8-f661ea17fbce_1.json b/packages/security_detection_engine/kibana/security_rule/c1e79a70-fa6f-11ee-8bc8-f661ea17fbce_1.json
deleted file mode 100644
index 504cf797b82..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c1e79a70-fa6f-11ee-8bc8-f661ea17fbce_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies discovery request `DescribeInstanceAttribute` with the attribute userData and instanceId in AWS CloudTrail logs. This may indicate an attempt to retrieve user data from an EC2 instance. Adversaries may use this information to gather sensitive data from the instance or to identify potential vulnerabilities. This is a building block rule that does not generate an alert on its own, but serves as a signal for anomalous activity.", "from": "now-119m", "index": ["filebeat-*", "logs.aws.cloudtrail-*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Retrieve User Data from AWS EC2 Instance", "query": "event.dataset:aws.cloudtrail\n and event.action:DescribeInstanceAttribute\n and aws.cloudtrail.request_parameters:(*attribute=userData* and *instanceId*)\n", "references": ["https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstanceAttribute.html", "https://hackingthe.cloud/aws/exploitation/local_ec2_priv_esc_through_user_data"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.request_parameters", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "c1e79a70-fa6f-11ee-8bc8-f661ea17fbce", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: Amazon EC2", "Use Case: Log Auditing", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1580", "name": "Cloud Infrastructure Discovery", "reference": "https://attack.mitre.org/techniques/T1580/"}]}], "timestamp_override": 
"event.ingested", "type": "query", "version": 1}, "id": "c1e79a70-fa6f-11ee-8bc8-f661ea17fbce_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c20cd758-07b1-46a1-b03f-fa66158258b8.json b/packages/security_detection_engine/kibana/security_rule/c20cd758-07b1-46a1-b03f-fa66158258b8.json
deleted file mode 100644
index 9b252cdad71..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c20cd758-07b1-46a1-b03f-fa66158258b8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies digitally signed (trusted) processes loading unsigned DLLs. Attackers may plant their payloads into the application folder and invoke the legitimate application to execute the payload, masking actions they perform under a legitimate, trusted, and potentially elevated system or software process.", "from": "now-119m", "index": ["logs-endpoint.events.library-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Unsigned DLL Loaded by a Trusted Process", "query": "library where host.os.type == \"windows\" and\n (dll.Ext.relative_file_creation_time <= 500 or\n dll.Ext.relative_file_name_modify_time <= 500 or\n dll.Ext.device.product_id : (\"Virtual DVD-ROM\", \"Virtual Disk\")) and dll.hash.sha256 != null and\n process.code_signature.status :\"trusted\" and not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and\n /* DLL loaded from the process.executable current directory */\n endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n and not user.id : \"S-1-5-18\" and\n not dll.hash.sha256 : (\n \"19588e6a318894abe8094374bee233e666f319de909c69f12a6047b14473e299\",\n \"6e8bee250c8cc1b65150522f33794759f5c65f58fff17c5cbf6422ad68b421d2\",\n \"55de11531dc0e566cb91f26e48d1301a161a4b8b24abed42304d711412368760\",\n \"56a5148d00c2d9e58415be2d64eca922a58063fe26d9af1c87084aa383c9058e\",\n \"83ee0ff920144edb2c2f4ea10130f55443493290886985a63233fa2431e450f9\",\n \"0d0d8f2eaff6b5f75e63d9721d5a0480b30e70792fe0d3a24d76fd3e61b05982\",\n \"8b6ce3a640e2d6f36b0001be2a1abb765ae51e62c314a15911e75138cbb544bb\",\n \"ea02a19dd824cb7d611b8821d1b9e6a076714a195d027d1ff918128a64ac5220\",\n \"02a6d001e6dd944738e09b720e49dcb1272cb782b870e5ae319d4600bc192225\",\n 
\"e7714a1d6ac3f4c4ae22564b9ca301e486f5f42691859c0a687246c47b5cf5c9\",\n \"17f0f709fb7f6190c03b19b6198fd863b6f0d79f46ccfebac6064be747a4cb3e\",\n \"cb7ab3788d10940df874acd97b1821bbb5ee4a91f3eec11982bb5bf7a3c96443\",\n \"c944ee510721a1d30d42227cc3061dfdcbc144c952381afcfe4f6e82c5435ffc\",\n \"967189adfbc889fde89aafc867f7a1f02731f8592cf6fd5a4ace1929213e2e13\",\n \"4a824526749790603eb66777f79787128dd282162a3904a4c1135de43b14d029\",\n \"620a7e658af05cc848091b8a639854b9b15700a9061b4a3d078523653133a4af\",\n \"cb220267fb0116b298bab6a09a764420d630c52026f7d750f8ffca4818389327\",\n \"0da1f856d92d6b95f10ed8c3f629cd15468c906de9352fb4ae629139d1412eed\",\n \"e1646c7778c24407a17881908037a49ecfcb5a980d155212d544302653a3ef62\",\n \"e102c9c5b22ceb60dc516ab4124bea8ec8e808b08eec48ea7ac674d13fca82ef\",\n \"c7544e1f9927afdf6e8cd7063020b572e60fe8f00af39227eb831d331df38225\",\n \"3668c6749db59a6cbc5293d0a4f904f76d6fb5048704449dd53894916f408a57\",\n \"7705851ba047a8154402aca92621b60be0e0e9d9b52b19bf8be540305bd53dba\",\n \"b5acf358ff97127eac9ef4c664a980b937376b5295ef23d77ee338225de10d60\",\n \"394d2d862f2ddce71f28d9b933b21a7d6c621c80ef28652574f758f77f01f716\",\n \"e958d03db79e9f1d2770c70a5bc24904aa3e2d27a8d5637684cf8166b38908f2\",\n \"284701380f33a30b25e8eb9822e7f47179238e91d08bd3fb5a117145de7e0d8d\",\n \"497471497886f18ca16f7facab7d76dc9bfadd69deb9c6e4ea9bdc0869a15628\",\n \"739bedcfc8eb860927eb2057474be5b39518aaaa6703f9f85307a432fa1f236e\",\n \"8f4c72e3c7de1ab5d894ec7813f65c5298ecafc183f31924b44a427433ffca42\",\n \"1ac4753056179b358132c55ca3086d550849ae30259ba94f334826c2fbf6c57e\",\n \"53e8fecd7d4b1b74064eba9bfa6a361d52929f440954931b4ba65615148bf0ea\",\n \"e9088afd8871dbad5eda47a9d8abf3b08dd2e17c423ba8a05f9b6ad6751f9b7c\",\n \"ab27eb05130db2f92499234b69ff97ee6429c7824efcb7324ae3e404e2b405bf\",\n \"553451008520a5f0110d84192cba40208fb001c27454f946e85e6fb2e6553292\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": 
"dll.Ext.device.product_id", "type": "unknown"}, {"ecs": false, "name": "dll.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": false, "name": "dll.Ext.relative_file_name_modify_time", "type": "unknown"}, {"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.hash.sha256", "type": "keyword"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "dll.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "c20cd758-07b1-46a1-b03f-fa66158258b8", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}, {"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "c20cd758-07b1-46a1-b03f-fa66158258b8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c20cd758-07b1-46a1-b03f-fa66158258b8_1.json b/packages/security_detection_engine/kibana/security_rule/c20cd758-07b1-46a1-b03f-fa66158258b8_1.json deleted file mode 100644 index 68dbdcab49d..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/c20cd758-07b1-46a1-b03f-fa66158258b8_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies digitally signed (trusted) processes loading unsigned DLLs. Attackers may plant their payloads into the application folder and invoke the legitimate application to execute the payload, masking actions they perform under a legitimate, trusted, and potentially elevated system or software process.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Unsigned DLL Loaded by a Trusted Process", "query": "library where host.os.type == \"windows\" and\n (dll.Ext.relative_file_creation_time <= 500 or\n dll.Ext.relative_file_name_modify_time <= 500 or\n dll.Ext.device.product_id : (\"Virtual DVD-ROM\", \"Virtual Disk\")) and dll.hash.sha256 != null and\n process.code_signature.status :\"trusted\" and not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and\n /* DLL loaded from the process.executable current directory */\n endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "dll.Ext.device.product_id", "type": "unknown"}, {"ecs": false, "name": "dll.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": false, "name": "dll.Ext.relative_file_name_modify_time", "type": "unknown"}, {"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.hash.sha256", "type": "keyword"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "dll.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": 
"process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "c20cd758-07b1-46a1-b03f-fa66158258b8", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}, {"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "c20cd758-07b1-46a1-b03f-fa66158258b8_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c20cd758-07b1-46a1-b03f-fa66158258b8_101.json b/packages/security_detection_engine/kibana/security_rule/c20cd758-07b1-46a1-b03f-fa66158258b8_101.json deleted file mode 100644 index ca5acc6256a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c20cd758-07b1-46a1-b03f-fa66158258b8_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies digitally signed (trusted) processes loading unsigned DLLs. Attackers may plant their payloads into the application folder and invoke the legitimate application to execute the payload, masking actions they perform under a legitimate, trusted, and potentially elevated system or software process.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Unsigned DLL Loaded by a Trusted Process", "query": "library where host.os.type == \"windows\" and\n (dll.Ext.relative_file_creation_time <= 500 or\n dll.Ext.relative_file_name_modify_time <= 500 or\n dll.Ext.device.product_id : (\"Virtual DVD-ROM\", \"Virtual Disk\")) and dll.hash.sha256 != null and\n process.code_signature.status :\"trusted\" and not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\") and\n /* DLL loaded from the process.executable current directory */\n endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "dll.Ext.device.product_id", "type": "unknown"}, {"ecs": false, "name": "dll.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": false, "name": "dll.Ext.relative_file_name_modify_time", "type": "unknown"}, {"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.hash.sha256", "type": "keyword"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "dll.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": 
"process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "c20cd758-07b1-46a1-b03f-fa66158258b8", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}, {"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 101}, "id": "c20cd758-07b1-46a1-b03f-fa66158258b8_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c24e9a43-f67e-431d-991b-09cdb83b3c0c.json b/packages/security_detection_engine/kibana/security_rule/c24e9a43-f67e-431d-991b-09cdb83b3c0c.json deleted file mode 100644 index 85bf92afd1b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c24e9a43-f67e-431d-991b-09cdb83b3c0c.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a potential forced authentication using related SMB named pipes. Attackers may attempt to force targets to authenticate to a host controlled by them to capture hashes or enable relay attacks.", "from": "now-9m", "index": ["logs-endpoint.events.network-*", "logs-system.security-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Active Directory Forced Authentication from Linux Host - SMB Named Pipes", "query": "sequence with maxspan=15s\n[network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and destination.port == 445] by host.ip\n[file where host.os.type == \"windows\" and event.code == \"5145\" and file.name : (\"Spoolss\", \"netdfs\", \"lsarpc\", \"lsass\", \"netlogon\", \"samr\", \"efsrpc\", \"FssagentRpc\")] by source.ip\n", "references": ["https://github.com/p0dalirius/windows-coerced-authentication-methods", "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications", "https://attack.mitre.org/techniques/T1187/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.ip", "type": "ip"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "c24e9a43-f67e-431d-991b-09cdb83b3c0c", "setup": "## Setup\n\nThis rule uses Elastic Endpoint network events from Linux hosts and system integration events from Domain controllers\nfor correlation. 
Both data sources should be collected from the hosts for this detection to work.\n\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1187", "name": "Forced Authentication", "reference": "https://attack.mitre.org/techniques/T1187/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "c24e9a43-f67e-431d-991b-09cdb83b3c0c", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c24e9a43-f67e-431d-991b-09cdb83b3c0c_1.json b/packages/security_detection_engine/kibana/security_rule/c24e9a43-f67e-431d-991b-09cdb83b3c0c_1.json deleted file mode 100644 index 10339900cf1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c24e9a43-f67e-431d-991b-09cdb83b3c0c_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a potential forced authentication using related SMB named pipes. Attackers may attempt to force targets to authenticate to a host controlled by them to capture hashes or enable relay attacks.", "from": "now-9m", "index": ["logs-endpoint.events.network-*", "logs-system.security-*"], "language": "eql", "license": "Elastic License v2", "name": "Active Directory Forced Authentication from Linux Host - SMB Named Pipes", "query": "sequence with maxspan=15s\n[network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and destination.port == 445] by host.ip\n[file where host.os.type == \"windows\" and event.code == \"5145\" and file.name : (\"Spoolss\", \"netdfs\", \"lsarpc\", \"lsass\", \"netlogon\", \"samr\", \"efsrpc\", \"FssagentRpc\")] by source.ip\n", "references": ["https://github.com/p0dalirius/windows-coerced-authentication-methods", "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications", "https://attack.mitre.org/techniques/T1187/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.ip", "type": "ip"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "c24e9a43-f67e-431d-991b-09cdb83b3c0c", "setup": "## Setup\n\nThis rule uses Elastic Endpoint network events from Linux hosts and system integration events from Domain controllers\nfor correlation. 
Both data sources should be collected from the hosts for this detection to work.\n\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Active Directory", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1187", "name": "Forced Authentication", "reference": "https://attack.mitre.org/techniques/T1187/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "c24e9a43-f67e-431d-991b-09cdb83b3c0c_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c24e9a43-f67e-431d-991b-09cdb83b3c0c_2.json b/packages/security_detection_engine/kibana/security_rule/c24e9a43-f67e-431d-991b-09cdb83b3c0c_2.json deleted file mode 100644 index 972aa1ce62f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c24e9a43-f67e-431d-991b-09cdb83b3c0c_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a potential forced authentication using related SMB named pipes. Attackers may attempt to force targets to authenticate to a host controlled by them to capture hashes or enable relay attacks.", "from": "now-9m", "index": ["logs-endpoint.events.network-*", "logs-system.security-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Active Directory Forced Authentication from Linux Host - SMB Named Pipes", "query": "sequence with maxspan=15s\n[network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and destination.port == 445] by host.ip\n[file where host.os.type == \"windows\" and event.code == \"5145\" and file.name : (\"Spoolss\", \"netdfs\", \"lsarpc\", \"lsass\", \"netlogon\", \"samr\", \"efsrpc\", \"FssagentRpc\")] by source.ip\n", "references": ["https://github.com/p0dalirius/windows-coerced-authentication-methods", "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications", "https://attack.mitre.org/techniques/T1187/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.ip", "type": "ip"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "c24e9a43-f67e-431d-991b-09cdb83b3c0c", "setup": "## Setup\n\nThis rule uses Elastic Endpoint network events from Linux hosts and system integration events from Domain controllers\nfor correlation. 
Both data sources should be collected from the hosts for this detection to work.\n\nThe 'Audit Detailed File Share' audit policy must be configured (Success Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nObject Access >\nAudit Detailed File Share (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1187", "name": "Forced Authentication", "reference": "https://attack.mitre.org/techniques/T1187/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "c24e9a43-f67e-431d-991b-09cdb83b3c0c_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec.json b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec.json deleted file mode 100644 index 1615c642ea5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Microsoft IIS Connection Strings Decryption", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"aspnet_regiis.exe\" or ?process.pe.original_file_name == \"aspnet_regiis.exe\") and\n process.args : \"connectionStrings\" and process.args : \"-pdf\"\n", "references": ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor 
more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_104.json b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_104.json deleted file mode 100644 index 5953a905629..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Microsoft IIS Connection Strings Decryption", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"aspnet_regiis.exe\" or process.pe.original_file_name == \"aspnet_regiis.exe\") and\n process.args : \"connectionStrings\" and process.args : \"-pdf\"\n", "references": ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Elastic Endgame"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_105.json b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_105.json deleted file mode 100644 index d3f21864008..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Microsoft IIS Connection Strings Decryption", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"aspnet_regiis.exe\" or process.pe.original_file_name == \"aspnet_regiis.exe\") and\n process.args : \"connectionStrings\" and process.args : \"-pdf\"\n", "references": ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential 
Access", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_106.json b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_106.json deleted file mode 100644 index 63d553ad459..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Microsoft IIS Connection Strings Decryption", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"aspnet_regiis.exe\" or process.pe.original_file_name == \"aspnet_regiis.exe\") and\n process.args : \"connectionStrings\" and process.args : \"-pdf\"\n", "references": ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential 
Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_107.json b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_107.json deleted file mode 100644 index a47e535d286..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Microsoft IIS Connection Strings Decryption", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"aspnet_regiis.exe\" or process.pe.original_file_name == \"aspnet_regiis.exe\") and\n process.args : \"connectionStrings\" and process.args : \"-pdf\"\n", "references": ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_108.json b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_108.json deleted file mode 100644 index 3dfc7a4a2d3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_108.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Microsoft IIS Connection Strings Decryption", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"aspnet_regiis.exe\" or ?process.pe.original_file_name == \"aspnet_regiis.exe\") and\n process.args : \"connectionStrings\" and process.args : \"-pdf\"\n", "references": ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on 
adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_109.json b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_109.json
deleted file mode 100644
index d117ee4e2f6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Microsoft IIS Connection Strings Decryption", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"aspnet_regiis.exe\" or ?process.pe.original_file_name == \"aspnet_regiis.exe\") and\n process.args : \"connectionStrings\" and process.args : \"-pdf\"\n", "references": ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more 
details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_110.json b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_110.json
deleted file mode 100644
index 289be07e066..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Microsoft IIS Connection Strings Decryption", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"aspnet_regiis.exe\" or ?process.pe.original_file_name == \"aspnet_regiis.exe\") and\n process.args : \"connectionStrings\" and process.args : \"-pdf\"\n", "references": ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor 
more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_111.json b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_111.json
deleted file mode 100644
index 00dbabae810..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Microsoft IIS Connection Strings Decryption", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"aspnet_regiis.exe\" or ?process.pe.original_file_name == \"aspnet_regiis.exe\") and\n process.args : \"connectionStrings\" and process.args : \"-pdf\"\n", "references": ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor 
more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_311.json b/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_311.json
deleted file mode 100644
index 21b4ab805bd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c25e9c87-95e1-4368-bfab-9fd34cf867ec_311.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "Microsoft IIS Connection Strings Decryption", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"aspnet_regiis.exe\" or ?process.pe.original_file_name == \"aspnet_regiis.exe\") and\n process.args : \"connectionStrings\" and process.args : \"-pdf\"\n", "references": ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: 
Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 311}, "id": "c25e9c87-95e1-4368-bfab-9fd34cf867ec_311", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499.json b/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499.json
deleted file mode 100644
index c74b46d9205..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 25, "author": ["Elastic"], "description": "Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery in order to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.", "false_positives": ["Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_network_connection_discovery"], "name": "Unusual Linux Network Connection Discovery", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "c28c4d8c-f014-40ef-88b6-79a1d67cd499", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1049", "name": "System Network Connections Discovery", "reference": "https://attack.mitre.org/techniques/T1049/"}]}], "type": "machine_learning", "version": 104}, "id": "c28c4d8c-f014-40ef-88b6-79a1d67cd499", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_101.json b/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_101.json
deleted file mode 100644
index a634f932920..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_101.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 25, "author": ["Elastic"], "description": "Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery in order to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.", "false_positives": ["Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_network_connection_discovery"], "name": "Unusual Linux Network Connection Discovery", "risk_score": 21, "rule_id": "c28c4d8c-f014-40ef-88b6-79a1d67cd499", "severity": "low", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1049", "name": "System Network Connections Discovery", "reference": "https://attack.mitre.org/techniques/T1049/"}]}], "type": "machine_learning", "version": 101}, "id": "c28c4d8c-f014-40ef-88b6-79a1d67cd499_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_102.json b/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_102.json
deleted file mode 100644
index f136cacaf3c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 25, "author": ["Elastic"], "description": "Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery in order to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.", "false_positives": ["Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_network_connection_discovery"], "name": "Unusual Linux Network Connection Discovery", "risk_score": 21, "rule_id": "c28c4d8c-f014-40ef-88b6-79a1d67cd499", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1049", "name": "System Network Connections Discovery", "reference": "https://attack.mitre.org/techniques/T1049/"}]}], "type": "machine_learning", "version": 102}, "id": "c28c4d8c-f014-40ef-88b6-79a1d67cd499_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_103.json b/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_103.json
deleted file mode 100644
index ab17397175b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c28c4d8c-f014-40ef-88b6-79a1d67cd499_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 25, "author": ["Elastic"], "description": "Looks for commands related to system network connection discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network connection discovery in order to increase their understanding of connected services and systems. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.", "false_positives": ["Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_network_connection_discovery"], "name": "Unusual Linux Network Connection Discovery", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "c28c4d8c-f014-40ef-88b6-79a1d67cd499", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1049", "name": "System Network Connections Discovery", "reference": "https://attack.mitre.org/techniques/T1049/"}]}], "type": "machine_learning", "version": 103}, "id": "c28c4d8c-f014-40ef-88b6-79a1d67cd499_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7.json b/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7.json
deleted file mode 100644
index 6c27cdf7116..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Folder Action Script", "query": "process where host.os.type == \"macos\" and event.type : \"start\" and process.name in (\"osascript\", \"python\", \"tcl\", \"node\", \"perl\", \"ruby\", \"php\", \"bash\", \"csh\", \"zsh\", \"sh\") and\n process.parent.name == \"com.apple.foundation.UserScriptService\" and not process.args : (\"/Users/*/Library/Application Support/iTerm2/Scripts/AutoLaunch/*.scpt\", \"/Users/*/Library/Application Scripts/com.microsoft.*/FoxitUtils.applescript\")\n", "references": ["https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c292fa52-4115-408a-b897-e14f684b3cb7", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "c292fa52-4115-408a-b897-e14f684b3cb7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_102.json b/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_102.json
deleted file mode 100644
index a65f7a58579..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Folder Action Script", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\", \"info\") and process.name == \"com.apple.foundation.UserScriptService\"] by process.pid\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name in (\"osascript\", \"python\", \"tcl\", \"node\", \"perl\", \"ruby\", \"php\", \"bash\", \"csh\", \"zsh\", \"sh\") and\n not process.args : \"/Users/*/Library/Application Support/iTerm2/Scripts/AutoLaunch/*.scpt\"\n ] by process.parent.pid\n", "references": ["https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "c292fa52-4115-408a-b897-e14f684b3cb7", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Execution", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "type": "eql", "version": 102}, "id": "c292fa52-4115-408a-b897-e14f684b3cb7_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_103.json b/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_103.json
deleted file mode 100644
index c512ba8aeef..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Folder Action Script", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\", \"info\") and process.name == \"com.apple.foundation.UserScriptService\"] by process.pid\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name in (\"osascript\", \"python\", \"tcl\", \"node\", \"perl\", \"ruby\", \"php\", \"bash\", \"csh\", \"zsh\", \"sh\") and\n not process.args : \"/Users/*/Library/Application Support/iTerm2/Scripts/AutoLaunch/*.scpt\"\n ] by process.parent.pid\n", "references": ["https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "c292fa52-4115-408a-b897-e14f684b3cb7", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", 
"name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "type": "eql", "version": 103}, "id": "c292fa52-4115-408a-b897-e14f684b3cb7_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_104.json b/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_104.json
deleted file mode 100644
index d4f004c9957..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Folder Action Script", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\", \"info\") and process.name == \"com.apple.foundation.UserScriptService\"] by process.pid\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name in (\"osascript\", \"python\", \"tcl\", \"node\", \"perl\", \"ruby\", \"php\", \"bash\", \"csh\", \"zsh\", \"sh\") and\n not process.args : \"/Users/*/Library/Application Support/iTerm2/Scripts/AutoLaunch/*.scpt\"\n ] by process.parent.pid\n", "references": ["https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "c292fa52-4115-408a-b897-e14f684b3cb7", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "type": "eql", "version": 104}, "id": "c292fa52-4115-408a-b897-e14f684b3cb7_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_105.json b/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_105.json
deleted file mode 100644
index 70d1912dfc0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Folder Action Script", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\", \"info\") and process.name == \"com.apple.foundation.UserScriptService\"] by process.pid\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name in (\"osascript\", \"python\", \"tcl\", \"node\", \"perl\", \"ruby\", \"php\", \"bash\", \"csh\", \"zsh\", \"sh\") and\n not process.args : \"/Users/*/Library/Application Support/iTerm2/Scripts/AutoLaunch/*.scpt\"\n ] by process.parent.pid\n", "references": ["https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "c292fa52-4115-408a-b897-e14f684b3cb7", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "type": "eql", "version": 105}, "id": "c292fa52-4115-408a-b897-e14f684b3cb7_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_106.json b/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_106.json
deleted file mode 100644
index a42e647f544..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c292fa52-4115-408a-b897-e14f684b3cb7_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Folder Action Script", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\", \"info\") and process.name == \"com.apple.foundation.UserScriptService\"] by process.pid\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name in (\"osascript\", \"python\", \"tcl\", \"node\", \"perl\", \"ruby\", \"php\", \"bash\", \"csh\", \"zsh\", \"sh\") and\n not process.args : \"/Users/*/Library/Application Support/iTerm2/Scripts/AutoLaunch/*.scpt\"\n ] by process.parent.pid\n", "references": ["https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "c292fa52-4115-408a-b897-e14f684b3cb7", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1037", "name": "Boot or Logon Initialization Scripts", "reference": "https://attack.mitre.org/techniques/T1037/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "type": "eql", "version": 106}, "id": "c292fa52-4115-408a-b897-e14f684b3cb7_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c296f888-eac6-4543-8da5-b6abb0d3304f.json b/packages/security_detection_engine/kibana/security_rule/c296f888-eac6-4543-8da5-b6abb0d3304f.json
deleted file mode 100644
index b345bde3aba..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c296f888-eac6-4543-8da5-b6abb0d3304f.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies instances where GDB (granted the CAP_SYS_PTRACE capability) is executed, after which the user's access is elevated to UID/GID 0 (root). In Linux, the CAP_SYS_PTRACE capability grants a process the ability to use the ptrace system call, which is typically used for debugging and allows the process to trace and control other processes. Attackers may leverage this capability to hook and inject into a process that is running with root permissions in order to escalate their privileges to root.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via GDB CAP_SYS_PTRACE", "query": "sequence by host.id, process.entry_leader.entity_id with maxspan=1m\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name == \"gdb\" and\n (process.thread.capabilities.effective : \"CAP_SYS_PTRACE\" or process.thread.capabilities.permitted : \"CAP_SYS_PTRACE\") and \n user.id != \"0\"]\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.name != null and user.id == \"0\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entry_leader.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.effective", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.permitted", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "c296f888-eac6-4543-8da5-b6abb0d3304f", "setup": 
"## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.008", "name": "Ptrace System Calls", "reference": "https://attack.mitre.org/techniques/T1055/008/"}]}, {"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 2}, "id": "c296f888-eac6-4543-8da5-b6abb0d3304f", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c296f888-eac6-4543-8da5-b6abb0d3304f_1.json b/packages/security_detection_engine/kibana/security_rule/c296f888-eac6-4543-8da5-b6abb0d3304f_1.json
deleted file mode 100644
index d02fff0ec9f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c296f888-eac6-4543-8da5-b6abb0d3304f_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies instances where GDB (granted the CAP_SYS_PTRACE capability) is executed, after which the user's access is elevated to UID/GID 0 (root). In Linux, the CAP_SYS_PTRACE capability grants a process the ability to use the ptrace system call, which is typically used for debugging and allows the process to trace and control other processes. Attackers may leverage this capability to hook and inject into a process that is running with root permissions in order to escalate their privileges to root.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via GDB CAP_SYS_PTRACE", "query": "sequence by host.id, process.entry_leader.entity_id with maxspan=1m\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and process.name == \"gdb\" and\n (process.thread.capabilities.effective : \"CAP_SYS_PTRACE\" or process.thread.capabilities.permitted : \"CAP_SYS_PTRACE\") and \n user.id != \"0\"]\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and\n process.name != null and user.id == \"0\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entry_leader.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.effective", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.permitted", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "c296f888-eac6-4543-8da5-b6abb0d3304f", "setup": 
"\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.008", "name": "Ptrace System Calls", "reference": "https://attack.mitre.org/techniques/T1055/008/"}]}, {"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 1}, "id": "c296f888-eac6-4543-8da5-b6abb0d3304f_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7.json b/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7.json
deleted file mode 100644
index 1688c502cb3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.", "from": "now-20m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Mshta Making Network Connections", "query": "sequence by process.entity_id with maxspan=10m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mshta.exe\" and\n not process.parent.name : \"Microsoft.ConfigurationManagement.exe\" and\n not (process.parent.executable : \"C:\\\\Amazon\\\\Amazon Assistant\\\\amazonAssistantService.exe\" or\n process.parent.executable : \"C:\\\\TeamViewer\\\\TeamViewer.exe\") and\n not process.args : \"ADSelfService_Enroll.hta\"]\n [network where host.os.type == \"windows\" and process.name : \"mshta.exe\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c2d90150-0133-451c-a783-533e736c12d7", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}]}]}], "type": "eql", "version": 107}, "id": "c2d90150-0133-451c-a783-533e736c12d7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_103.json b/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_103.json deleted file mode 100644 index 76ba68aea1c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.", "from": "now-20m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Mshta Making Network Connections", "query": "sequence by process.entity_id with maxspan=10m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mshta.exe\" and\n not process.parent.name : \"Microsoft.ConfigurationManagement.exe\" and\n not (process.parent.executable : \"C:\\\\Amazon\\\\Amazon Assistant\\\\amazonAssistantService.exe\" or\n process.parent.executable : \"C:\\\\TeamViewer\\\\TeamViewer.exe\") and\n not process.args : \"ADSelfService_Enroll.hta\"]\n [network where host.os.type == \"windows\" and process.name : \"mshta.exe\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c2d90150-0133-451c-a783-533e736c12d7", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": 
"https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}]}]}], "type": "eql", "version": 103}, "id": "c2d90150-0133-451c-a783-533e736c12d7_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_104.json b/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_104.json deleted file mode 100644 index 816173719a3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.", "from": "now-20m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Mshta Making Network Connections", "query": "sequence by process.entity_id with maxspan=10m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mshta.exe\" and\n not process.parent.name : \"Microsoft.ConfigurationManagement.exe\" and\n not (process.parent.executable : \"C:\\\\Amazon\\\\Amazon Assistant\\\\amazonAssistantService.exe\" or\n process.parent.executable : \"C:\\\\TeamViewer\\\\TeamViewer.exe\") and\n not process.args : \"ADSelfService_Enroll.hta\"]\n [network where host.os.type == \"windows\" and process.name : \"mshta.exe\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c2d90150-0133-451c-a783-533e736c12d7", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": 
"https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}]}]}], "type": "eql", "version": 104}, "id": "c2d90150-0133-451c-a783-533e736c12d7_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_105.json b/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_105.json deleted file mode 100644 index ef7bb94ce5c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.", "from": "now-20m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Mshta Making Network Connections", "query": "sequence by process.entity_id with maxspan=10m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mshta.exe\" and\n not process.parent.name : \"Microsoft.ConfigurationManagement.exe\" and\n not (process.parent.executable : \"C:\\\\Amazon\\\\Amazon Assistant\\\\amazonAssistantService.exe\" or\n process.parent.executable : \"C:\\\\TeamViewer\\\\TeamViewer.exe\") and\n not process.args : \"ADSelfService_Enroll.hta\"]\n [network where host.os.type == \"windows\" and process.name : \"mshta.exe\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c2d90150-0133-451c-a783-533e736c12d7", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary 
Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}]}]}], "type": "eql", "version": 105}, "id": "c2d90150-0133-451c-a783-533e736c12d7_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_106.json b/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_106.json deleted file mode 100644 index bf1d658f2b9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.", "from": "now-20m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Mshta Making Network Connections", "query": "sequence by process.entity_id with maxspan=10m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mshta.exe\" and\n not process.parent.name : \"Microsoft.ConfigurationManagement.exe\" and\n not (process.parent.executable : \"C:\\\\Amazon\\\\Amazon Assistant\\\\amazonAssistantService.exe\" or\n process.parent.executable : \"C:\\\\TeamViewer\\\\TeamViewer.exe\") and\n not process.args : \"ADSelfService_Enroll.hta\"]\n [network where host.os.type == \"windows\" and process.name : \"mshta.exe\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c2d90150-0133-451c-a783-533e736c12d7", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, 
"technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}]}]}], "type": "eql", "version": 106}, "id": "c2d90150-0133-451c-a783-533e736c12d7_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_107.json b/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_107.json deleted file mode 100644 index 451f288bb7e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.", "from": "now-20m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Mshta Making Network Connections", "query": "sequence by process.entity_id with maxspan=10m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mshta.exe\" and\n not process.parent.name : \"Microsoft.ConfigurationManagement.exe\" and\n not (process.parent.executable : \"C:\\\\Amazon\\\\Amazon Assistant\\\\amazonAssistantService.exe\" or\n process.parent.executable : \"C:\\\\TeamViewer\\\\TeamViewer.exe\") and\n not process.args : \"ADSelfService_Enroll.hta\"]\n [network where host.os.type == \"windows\" and process.name : \"mshta.exe\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c2d90150-0133-451c-a783-533e736c12d7", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}]}]}], "type": "eql", "version": 107}, "id": "c2d90150-0133-451c-a783-533e736c12d7_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_108.json b/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_108.json deleted file mode 100644 index b27327c11e3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c2d90150-0133-451c-a783-533e736c12d7_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.", "from": "now-20m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Mshta Making Network Connections", "query": "sequence by process.entity_id with maxspan=10m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"mshta.exe\" and\n not process.parent.name : \"Microsoft.ConfigurationManagement.exe\" and\n not (process.parent.executable : \"C:\\\\Amazon\\\\Amazon Assistant\\\\amazonAssistantService.exe\" or\n process.parent.executable : \"C:\\\\TeamViewer\\\\TeamViewer.exe\") and\n not process.args : \"ADSelfService_Enroll.hta\"]\n [network where host.os.type == \"windows\" and process.name : \"mshta.exe\"]\n", "references": ["https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c2d90150-0133-451c-a783-533e736c12d7", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: 
Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}]}]}], "type": "eql", "version": 108}, "id": "c2d90150-0133-451c-a783-533e736c12d7_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3.json b/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3.json deleted file mode 100644 index 2ed5b1ff72f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Permission Theft - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 73, "rule_id": "c3167e1b-f73c-41be-b60b-87f4df707fe3", "setup": "## Setup\n\nThis rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.\n\n**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. 
For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.\n\nTo make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.\n\n**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.", "severity": "high", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "c3167e1b-f73c-41be-b60b-87f4df707fe3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3_100.json b/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3_100.json deleted file mode 100644 index 91cf6fd15be..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3_100.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Permission Theft - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 73, "rule_id": "c3167e1b-f73c-41be-b60b-87f4df707fe3", "severity": "high", "tags": ["Elastic", "Elastic Endgame", "Threat Detection", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "type": "query", "version": 100}, "id": "c3167e1b-f73c-41be-b60b-87f4df707fe3_100", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3_101.json b/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3_101.json deleted file mode 100644 index 78b476602ea..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Permission Theft - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 73, "rule_id": "c3167e1b-f73c-41be-b60b-87f4df707fe3", "severity": "high", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "type": "query", "version": 101}, "id": "c3167e1b-f73c-41be-b60b-87f4df707fe3_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3_102.json b/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3_102.json deleted file mode 100644 index 6c9bf64c273..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c3167e1b-f73c-41be-b60b-87f4df707fe3_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Permission Theft - Detected - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 73, "rule_id": "c3167e1b-f73c-41be-b60b-87f4df707fe3", "severity": "high", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "c3167e1b-f73c-41be-b60b-87f4df707fe3_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c371e9fc-6a10-11ef-a0ac-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/c371e9fc-6a10-11ef-a0ac-f661ea17fbcc_1.json deleted file mode 100644 index 1557b9dfa17..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/c371e9fc-6a10-11ef-a0ac-f661ea17fbcc_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the AWS Systems Manager (SSM) `SendCommand` API with the either `AWS-RunShellScript` or `AWS-RunPowerShellScript` parameters. The `SendCommand` API call allows users to execute commands on EC2 instances using the SSM service. Adversaries may use this technique to execute commands on EC2 instances without the need for SSH or RDP access. This behavior may indicate an adversary attempting to execute commands on an EC2 instance for malicious purposes. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that only flags when this behavior is observed for the first time on a host in the last 7 days.", "false_positives": ["Legitimate use of the `SendCommand` API call to execute commands on EC2 instances using the SSM service may be done by system administrators or DevOps engineers for legitimate purposes."], "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS SSM `SendCommand` with Run Shell Command Parameters", "new_terms_fields": ["host.id"], "query": "event.category: \"process\" and event.type: \"start\" and process.name: \"aws\"\nand (\n host.os.type: (\"windows\" or \"macos\")\n or (\n host.os.type: \"linux\"\n and event.action: (\"exec\" or \"exec_event\" or \"executed\" or \"process_started\")\n )\n)\nand process.args: (\n \"send-command\" and \"--parameters\" and commands=*\n and (\"AWS-RunShellScript\" or \"AWS-RunPowerShellScript\")\n)\n", "references": ["https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc", "https://securitycafe.ro/2023/01/17/aws-post-explitation-with-ssm-sendcommand/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, 
"name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c371e9fc-6a10-11ef-a0ac-f661ea17fbcc", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "Domain: Cloud", "OS: Linux", "OS: macOS", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1651", "name": "Cloud Administration Command", "reference": "https://attack.mitre.org/techniques/T1651/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "c371e9fc-6a10-11ef-a0ac-f661ea17fbcc_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c371e9fc-6a10-11ef-a0ac-f661ea17fbcc_2.json b/packages/security_detection_engine/kibana/security_rule/c371e9fc-6a10-11ef-a0ac-f661ea17fbcc_2.json deleted file mode 100644 index 3314fbc8f4e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c371e9fc-6a10-11ef-a0ac-f661ea17fbcc_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the AWS Systems Manager (SSM) `SendCommand` API with the either `AWS-RunShellScript` or `AWS-RunPowerShellScript` parameters. The `SendCommand` API call allows users to execute commands on EC2 instances using the SSM service. Adversaries may use this technique to execute commands on EC2 instances without the need for SSH or RDP access. This behavior may indicate an adversary attempting to execute commands on an EC2 instance for malicious purposes. This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that only flags when this behavior is observed for the first time on a host in the last 7 days.", "false_positives": ["Legitimate use of the `SendCommand` API call to execute commands on EC2 instances using the SSM service may be done by system administrators or DevOps engineers for legitimate purposes."], "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS SSM `SendCommand` with Run Shell Command Parameters", "new_terms_fields": ["host.id"], "query": "event.category: \"process\" and event.type: \"start\" and process.name: \"aws\"\nand (\n host.os.type: (\"windows\" or \"macos\")\n or (\n host.os.type: \"linux\"\n and event.action: (\"exec\" or \"exec_event\" or \"executed\" or \"process_started\")\n )\n)\nand process.args: (\n \"send-command\" and \"--parameters\" and commands=*\n and (\"AWS-RunShellScript\" or \"AWS-RunPowerShellScript\")\n)\n", "references": ["https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ssm-privesc", "https://securitycafe.ro/2023/01/17/aws-post-explitation-with-ssm-sendcommand/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": 
"^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c371e9fc-6a10-11ef-a0ac-f661ea17fbcc", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "Domain: Cloud", "OS: Linux", "OS: macOS", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1651", "name": "Cloud Administration Command", "reference": "https://attack.mitre.org/techniques/T1651/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "c371e9fc-6a10-11ef-a0ac-f661ea17fbcc_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f.json b/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f.json deleted file mode 100644 index e9627a399d2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via BITS Job Notify Cmdline", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and process.parent.args : \"BITS\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\WINDOWS\\\\system32\\\\directxdatabaseupdater.exe\")\n", "references": ["https://pentestlab.blog/2019/10/30/persistence-bits-jobs/", "https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline", "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c3b915e0-22f3-4bf7-991d-b643513c722f", "setup": "## Setup\n\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": "https://attack.mitre.org/techniques/T1197/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 309}, "id": "c3b915e0-22f3-4bf7-991d-b643513c722f", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_102.json b/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_102.json deleted file mode 100644 index 6b94bbc0724..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via BITS Job Notify Cmdline", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and process.parent.args : \"BITS\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\WINDOWS\\\\system32\\\\directxdatabaseupdater.exe\")\n", "references": ["https://pentestlab.blog/2019/10/30/persistence-bits-jobs/", "https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline", "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c3b915e0-22f3-4bf7-991d-b643513c722f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for 
EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": "https://attack.mitre.org/techniques/T1197/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "c3b915e0-22f3-4bf7-991d-b643513c722f_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_103.json b/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_103.json deleted file mode 100644 index 851a439a8f0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via BITS Job Notify Cmdline", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and process.parent.args : \"BITS\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\WINDOWS\\\\system32\\\\directxdatabaseupdater.exe\")\n", "references": ["https://pentestlab.blog/2019/10/30/persistence-bits-jobs/", "https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline", "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c3b915e0-22f3-4bf7-991d-b643513c722f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for 
EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": "https://attack.mitre.org/techniques/T1197/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "c3b915e0-22f3-4bf7-991d-b643513c722f_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_104.json b/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_104.json deleted file mode 100644 index a751e041bcc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via BITS Job Notify Cmdline", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and process.parent.args : \"BITS\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\WINDOWS\\\\system32\\\\directxdatabaseupdater.exe\")\n", "references": ["https://pentestlab.blog/2019/10/30/persistence-bits-jobs/", "https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline", "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c3b915e0-22f3-4bf7-991d-b643513c722f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for 
EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": "https://attack.mitre.org/techniques/T1197/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "c3b915e0-22f3-4bf7-991d-b643513c722f_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_105.json b/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_105.json deleted file mode 100644 index 2b734cefa97..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via BITS Job Notify Cmdline", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and process.parent.args : \"BITS\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\WINDOWS\\\\system32\\\\directxdatabaseupdater.exe\")\n", "references": ["https://pentestlab.blog/2019/10/30/persistence-bits-jobs/", "https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline", "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c3b915e0-22f3-4bf7-991d-b643513c722f", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules 
was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": "https://attack.mitre.org/techniques/T1197/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "c3b915e0-22f3-4bf7-991d-b643513c722f_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_106.json b/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_106.json deleted file mode 100644 index 681a33834cb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via BITS Job Notify Cmdline", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and process.parent.args : \"BITS\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\WINDOWS\\\\system32\\\\directxdatabaseupdater.exe\")\n", "references": ["https://pentestlab.blog/2019/10/30/persistence-bits-jobs/", "https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline", "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c3b915e0-22f3-4bf7-991d-b643513c722f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and 
default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": "https://attack.mitre.org/techniques/T1197/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "c3b915e0-22f3-4bf7-991d-b643513c722f_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_107.json b/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_107.json deleted file mode 100644 index b0e32ad3e03..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via BITS Job Notify Cmdline", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and process.parent.args : \"BITS\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\WINDOWS\\\\system32\\\\directxdatabaseupdater.exe\")\n", "references": ["https://pentestlab.blog/2019/10/30/persistence-bits-jobs/", "https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline", "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c3b915e0-22f3-4bf7-991d-b643513c722f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` 
and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": "https://attack.mitre.org/techniques/T1197/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "c3b915e0-22f3-4bf7-991d-b643513c722f_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_208.json b/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_208.json deleted file mode 100644 index ee655e8fc7c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_208.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via BITS Job Notify Cmdline", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and process.parent.args : \"BITS\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\WINDOWS\\\\system32\\\\directxdatabaseupdater.exe\")\n", "references": ["https://pentestlab.blog/2019/10/30/persistence-bits-jobs/", "https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline", "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c3b915e0-22f3-4bf7-991d-b643513c722f", "setup": "## Setup\n\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": "https://attack.mitre.org/techniques/T1197/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 208}, "id": "c3b915e0-22f3-4bf7-991d-b643513c722f_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_309.json b/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_309.json deleted file mode 100644 index b66507d7122..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c3b915e0-22f3-4bf7-991d-b643513c722f_309.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An adversary can use the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program that runs after a job finishes transferring data or after a job enters a specified state in order to persist on a system.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via BITS Job Notify Cmdline", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"svchost.exe\" and process.parent.args : \"BITS\" and\n not process.executable :\n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\WINDOWS\\\\system32\\\\directxdatabaseupdater.exe\")\n", "references": ["https://pentestlab.blog/2019/10/30/persistence-bits-jobs/", "https://docs.microsoft.com/en-us/windows/win32/api/bits1_5/nf-bits1_5-ibackgroundcopyjob2-setnotifycmdline", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bitsadmin-setnotifycmdline", "https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-2"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c3b915e0-22f3-4bf7-991d-b643513c722f", "setup": "## Setup\n\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": "https://attack.mitre.org/techniques/T1197/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 309}, "id": "c3b915e0-22f3-4bf7-991d-b643513c722f_309", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86.json b/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86.json
deleted file mode 100644
index d154f34f362..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an outbound network connection by JAVA to LDAP, RMI or DNS standard ports followed by a suspicious JAVA child processes. This may indicate an attempt to exploit a JAVA/NDI (Java Naming and Directory Interface) injection vulnerability.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential JAVA/JNDI Exploitation Attempt", "query": "sequence by host.id with maxspan=1m\n [network where event.action == \"connection_attempted\" and\n process.name : \"java\" and\n /*\n outbound connection attempt to\n LDAP, RMI or DNS standard ports\n by JAVA process\n */\n destination.port in (1389, 389, 1099, 53, 5353)] by process.pid\n [process where event.type == \"start\" and\n\n /* Suspicious JAVA child process */\n process.parent.name : \"java\" and\n process.name : (\"sh\",\n \"bash\",\n \"dash\",\n \"ksh\",\n \"tcsh\",\n \"zsh\",\n \"curl\",\n \"perl*\",\n \"python*\",\n \"ruby*\",\n \"php*\",\n \"wget\")] by process.parent.pid\n", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://github.com/christophetd/log4shell-vulnerable-app", "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf", "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security", "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, 
{"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 73, "rule_id": "c3f5e1d8-910e-43b4-8d44-d748e498ca86", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.007", "name": "JavaScript", "reference": "https://attack.mitre.org/techniques/T1059/007/"}]}, {"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}], "type": "eql", "version": 104}, "id": "c3f5e1d8-910e-43b4-8d44-d748e498ca86", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86_102.json b/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86_102.json
deleted file mode 100644
index cebb6b2a6eb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an outbound network connection by JAVA to LDAP, RMI or DNS standard ports followed by a suspicious JAVA child processes. This may indicate an attempt to exploit a JAVA/NDI (Java Naming and Directory Interface) injection vulnerability.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential JAVA/JNDI Exploitation Attempt", "query": "sequence by host.id with maxspan=1m\n [network where event.action == \"connection_attempted\" and\n process.name : \"java\" and\n /*\n outbound connection attempt to\n LDAP, RMI or DNS standard ports\n by JAVA process\n */\n destination.port in (1389, 389, 1099, 53, 5353)] by process.pid\n [process where event.type == \"start\" and\n\n /* Suspicious JAVA child process */\n process.parent.name : \"java\" and\n process.name : (\"sh\",\n \"bash\",\n \"dash\",\n \"ksh\",\n \"tcsh\",\n \"zsh\",\n \"curl\",\n \"perl*\",\n \"python*\",\n \"ruby*\",\n \"php*\",\n \"wget\")] by process.parent.pid\n", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://github.com/christophetd/log4shell-vulnerable-app", "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf", "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security", "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, 
{"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 73, "rule_id": "c3f5e1d8-910e-43b4-8d44-d748e498ca86", "severity": "high", "tags": ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.007", "name": "JavaScript", "reference": "https://attack.mitre.org/techniques/T1059/007/"}]}, {"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}], "type": "eql", "version": 102}, "id": "c3f5e1d8-910e-43b4-8d44-d748e498ca86_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86_103.json b/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86_103.json
deleted file mode 100644
index 067f3af0c5e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c3f5e1d8-910e-43b4-8d44-d748e498ca86_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an outbound network connection by JAVA to LDAP, RMI or DNS standard ports followed by a suspicious JAVA child processes. This may indicate an attempt to exploit a JAVA/NDI (Java Naming and Directory Interface) injection vulnerability.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential JAVA/JNDI Exploitation Attempt", "query": "sequence by host.id with maxspan=1m\n [network where event.action == \"connection_attempted\" and\n process.name : \"java\" and\n /*\n outbound connection attempt to\n LDAP, RMI or DNS standard ports\n by JAVA process\n */\n destination.port in (1389, 389, 1099, 53, 5353)] by process.pid\n [process where event.type == \"start\" and\n\n /* Suspicious JAVA child process */\n process.parent.name : \"java\" and\n process.name : (\"sh\",\n \"bash\",\n \"dash\",\n \"ksh\",\n \"tcsh\",\n \"zsh\",\n \"curl\",\n \"perl*\",\n \"python*\",\n \"ruby*\",\n \"php*\",\n \"wget\")] by process.parent.pid\n", "references": ["https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://github.com/christophetd/log4shell-vulnerable-app", "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf", "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security", "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, 
{"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 73, "rule_id": "c3f5e1d8-910e-43b4-8d44-d748e498ca86", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.007", "name": "JavaScript", "reference": "https://attack.mitre.org/techniques/T1059/007/"}]}, {"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}], "type": "eql", "version": 103}, "id": "c3f5e1d8-910e-43b4-8d44-d748e498ca86_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14.json b/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14.json
deleted file mode 100644
index fb0175d1846..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Mounting Hidden or WebDav Remote Shares", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or ?process.pe.original_file_name == \"net.exe\") or ((process.name : \"net1.exe\" or ?process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : \"use\" and\n /* including hidden and webdav based online shares such as onedrive */\n process.args : (\"\\\\\\\\*\\\\*$*\", \"\\\\\\\\*@SSL\\\\*\", \"http*\") and\n /* excluding shares deletion operation */\n not process.args : \"/d*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline 
refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_104.json b/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_104.json
deleted file mode 100644
index 8ccf696e336..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Mounting Hidden or WebDav Remote Shares", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : \"use\" and\n /* including hidden and webdav based online shares such as onedrive */\n process.args : (\"\\\\\\\\*\\\\*$*\", \"\\\\\\\\*@SSL\\\\*\", \"http*\") and\n /* excluding shares deletion operation */\n not process.args : \"/d*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Lateral Movement", 
"Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_105.json b/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_105.json deleted file mode 100644 index 7f10665c41e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Mounting Hidden or WebDav Remote Shares", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : \"use\" and\n /* including hidden and webdav based online shares such as onedrive */\n process.args : (\"\\\\\\\\*\\\\*$*\", \"\\\\\\\\*@SSL\\\\*\", \"http*\") and\n /* excluding shares deletion operation */\n not process.args : \"/d*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", 
"Tactic: Lateral Movement", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_106.json b/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_106.json deleted file mode 100644 index 4955e63a8f9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_106.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Mounting Hidden or WebDav Remote Shares", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : \"use\" and\n /* including hidden and webdav based online shares such as onedrive */\n process.args : (\"\\\\\\\\*\\\\*$*\", \"\\\\\\\\*@SSL\\\\*\", \"http*\") and\n /* excluding shares deletion operation */\n not process.args : \"/d*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", 
"Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_107.json b/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_107.json deleted file mode 100644 index afddca5ce8d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_107.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Mounting Hidden or WebDav Remote Shares", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or ((process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : \"use\" and\n /* including hidden and webdav based online shares such as onedrive */\n process.args : (\"\\\\\\\\*\\\\*$*\", \"\\\\\\\\*@SSL\\\\*\", \"http*\") and\n /* excluding shares deletion operation */\n not process.args : \"/d*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_108.json b/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_108.json
deleted file mode 100644
index dd7bce7141f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Mounting Hidden or WebDav Remote Shares", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or ?process.pe.original_file_name == \"net.exe\") or ((process.name : \"net1.exe\" or ?process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : \"use\" and\n /* including hidden and webdav based online shares such as onedrive */\n process.args : (\"\\\\\\\\*\\\\*$*\", \"\\\\\\\\*@SSL\\\\*\", \"http*\") and\n /* excluding shares deletion operation */\n not process.args : \"/d*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_109.json b/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_109.json
deleted file mode 100644
index 4534e1f8821..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Mounting Hidden or WebDav Remote Shares", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or ?process.pe.original_file_name == \"net.exe\") or ((process.name : \"net1.exe\" or ?process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : \"use\" and\n /* including hidden and webdav based online shares such as onedrive */\n process.args : (\"\\\\\\\\*\\\\*$*\", \"\\\\\\\\*@SSL\\\\*\", \"http*\") and\n /* excluding shares deletion operation */\n not process.args : \"/d*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline 
refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_110.json b/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_110.json
deleted file mode 100644
index 8a2eed0757b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Mounting Hidden or WebDav Remote Shares", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or ?process.pe.original_file_name == \"net.exe\") or ((process.name : \"net1.exe\" or ?process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : \"use\" and\n /* including hidden and webdav based online shares such as onedrive */\n process.args : (\"\\\\\\\\*\\\\*$*\", \"\\\\\\\\*@SSL\\\\*\", \"http*\") and\n /* excluding shares deletion operation */\n not process.args : \"/d*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline 
refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_310.json b/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_310.json
deleted file mode 100644
index f0a9fae3519..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_310.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the use of net.exe to mount a WebDav or hidden remote share. This may indicate lateral movement or preparation for data exfiltration.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Mounting Hidden or WebDav Remote Shares", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n ((process.name : \"net.exe\" or ?process.pe.original_file_name == \"net.exe\") or ((process.name : \"net1.exe\" or ?process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\")) and\n process.args : \"use\" and\n /* including hidden and webdav based online shares such as onedrive */\n process.args : (\"\\\\\\\\*\\\\*$*\", \"\\\\\\\\*@SSL\\\\*\", \"http*\") and\n /* excluding shares deletion operation */\n not process.args : \"/d*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral 
Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 310}, "id": "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14_310", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799.json b/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799.json
deleted file mode 100644
index 2c5710917fd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities.", "false_positives": ["Uninstall or manual deletion of a legitimate printing driver files. Verify the printer file metadata such as manufacturer and signature information."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler File Deletion", "query": "file where host.os.type == \"windows\" and event.type : \"deletion\" and\n not process.name : (\"spoolsv.exe\", \"dllhost.exe\", \"explorer.exe\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*.dll\"\n", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c4818812-d44f-47be-aaef-4cfb2f9cc799", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", 
"Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "c4818812-d44f-47be-aaef-4cfb2f9cc799", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_102.json b/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_102.json
deleted file mode 100644
index 15cfeca5f34..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities.", "false_positives": ["Uninstall or manual deletion of a legitimate printing driver files. Verify the printer file metadata such as manufacturer and signature information."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler File Deletion", "note": "", "query": "file where host.os.type == \"windows\" and event.type : \"deletion\" and\n not process.name : (\"spoolsv.exe\", \"dllhost.exe\", \"explorer.exe\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*.dll\"\n", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c4818812-d44f-47be-aaef-4cfb2f9cc799", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": 
"https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "c4818812-d44f-47be-aaef-4cfb2f9cc799_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_103.json b/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_103.json
deleted file mode 100644
index be953a6f5c8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities.", "false_positives": ["Uninstall or manual deletion of a legitimate printing driver files. Verify the printer file metadata such as manufacturer and signature information."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler File Deletion", "note": "", "query": "file where host.os.type == \"windows\" and event.type : \"deletion\" and\n not process.name : (\"spoolsv.exe\", \"dllhost.exe\", \"explorer.exe\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*.dll\"\n", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c4818812-d44f-47be-aaef-4cfb2f9cc799", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": 
"Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "c4818812-d44f-47be-aaef-4cfb2f9cc799_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_104.json b/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_104.json
deleted file mode 100644
index 052ce707685..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities.", "false_positives": ["Uninstall or manual deletion of a legitimate printing driver files. Verify the printer file metadata such as manufacturer and signature information."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler File Deletion", "note": "", "query": "file where host.os.type == \"windows\" and event.type : \"deletion\" and\n not process.name : (\"spoolsv.exe\", \"dllhost.exe\", \"explorer.exe\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*.dll\"\n", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c4818812-d44f-47be-aaef-4cfb2f9cc799", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "c4818812-d44f-47be-aaef-4cfb2f9cc799_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_105.json b/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_105.json
deleted file mode 100644
index 6592f2be984..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities.", "false_positives": ["Uninstall or manual deletion of a legitimate printing driver files. Verify the printer file metadata such as manufacturer and signature information."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler File Deletion", "query": "file where host.os.type == \"windows\" and event.type : \"deletion\" and\n not process.name : (\"spoolsv.exe\", \"dllhost.exe\", \"explorer.exe\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*.dll\"\n", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c4818812-d44f-47be-aaef-4cfb2f9cc799", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", 
"Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "c4818812-d44f-47be-aaef-4cfb2f9cc799_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_106.json b/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_106.json
deleted file mode 100644
index bb6567035c4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities.", "false_positives": ["Uninstall or manual deletion of a legitimate printing driver files. Verify the printer file metadata such as manufacturer and signature information."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler File Deletion", "query": "file where host.os.type == \"windows\" and event.type : \"deletion\" and\n not process.name : (\"spoolsv.exe\", \"dllhost.exe\", \"explorer.exe\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*.dll\"\n", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c4818812-d44f-47be-aaef-4cfb2f9cc799", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use 
Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "c4818812-d44f-47be-aaef-4cfb2f9cc799_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_107.json b/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_107.json deleted file mode 100644 index 4efa04f398f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c4818812-d44f-47be-aaef-4cfb2f9cc799_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects deletion of print driver files by an unusual process. This may indicate a clean up attempt post successful privilege escalation via Print Spooler service related vulnerabilities.", "false_positives": ["Uninstall or manual deletion of a legitimate printing driver files. Verify the printer file metadata such as manufacturer and signature information."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Print Spooler File Deletion", "query": "file where host.os.type == \"windows\" and event.type : \"deletion\" and\n not process.name : (\"spoolsv.exe\", \"dllhost.exe\", \"explorer.exe\") and\n file.path : \"?:\\\\Windows\\\\System32\\\\spool\\\\drivers\\\\x64\\\\3\\\\*.dll\"\n", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c4818812-d44f-47be-aaef-4cfb2f9cc799", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", 
"Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "c4818812-d44f-47be-aaef-4cfb2f9cc799_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c4e9ed3e-55a2-4309-a012-bc3c78dad10a.json b/packages/security_detection_engine/kibana/security_rule/c4e9ed3e-55a2-4309-a012-bc3c78dad10a.json deleted file mode 100644 index 0ced3d9bca8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c4e9ed3e-55a2-4309-a012-bc3c78dad10a.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of commands that can be used to enumerate network connections. Adversaries may attempt to get a listing of network connections to or from a compromised system to identify targets within an environment.", "from": "now-9m", "index": ["logs-endpoint.events.process-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows System Network Connections Discovery", "query": "process where event.type == \"start\" and\n(\n process.name : \"netstat.exe\" or\n (\n (\n (process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n (\n (process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\"\n )\n ) and process.args : (\"use\", \"user\", \"session\", \"config\") and not process.args: (\"/persistent:*\", \"/delete\", \"\\\\\\\\*\")\n ) or\n (process.name : \"nbtstat.exe\" and process.args : \"-s*\")\n) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "c4e9ed3e-55a2-4309-a012-bc3c78dad10a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1049", "name": "System Network Connections Discovery", 
"reference": "https://attack.mitre.org/techniques/T1049/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "c4e9ed3e-55a2-4309-a012-bc3c78dad10a", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c4e9ed3e-55a2-4309-a012-bc3c78dad10a_1.json b/packages/security_detection_engine/kibana/security_rule/c4e9ed3e-55a2-4309-a012-bc3c78dad10a_1.json deleted file mode 100644 index 3474283b326..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c4e9ed3e-55a2-4309-a012-bc3c78dad10a_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of commands that can be used to enumerate network connections. Adversaries may attempt to get a listing of network connections to or from a compromised system to identify targets within an environment.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Windows System Network Connections Discovery", "query": "process where event.type == \"start\" and\n(\n process.name : \"netstat.exe\" or\n (\n (\n (process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n (\n (process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\"\n )\n ) and process.args : (\"use\", \"user\", \"session\", \"config\") and not process.args: (\"/persistent:*\", \"/delete\", \"\\\\\\\\*\")\n ) or\n (process.name : \"nbtstat.exe\" and process.args : \"-s*\")\n) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "c4e9ed3e-55a2-4309-a012-bc3c78dad10a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1049", "name": "System Network Connections Discovery", "reference": 
"https://attack.mitre.org/techniques/T1049/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "c4e9ed3e-55a2-4309-a012-bc3c78dad10a_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c4e9ed3e-55a2-4309-a012-bc3c78dad10a_2.json b/packages/security_detection_engine/kibana/security_rule/c4e9ed3e-55a2-4309-a012-bc3c78dad10a_2.json deleted file mode 100644 index c3a9f6012f1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c4e9ed3e-55a2-4309-a012-bc3c78dad10a_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of commands that can be used to enumerate network connections. Adversaries may attempt to get a listing of network connections to or from a compromised system to identify targets within an environment.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Windows System Network Connections Discovery", "query": "process where event.type == \"start\" and\n(\n process.name : \"netstat.exe\" or\n (\n (\n (process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n (\n (process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\"\n )\n ) and process.args : (\"use\", \"user\", \"session\", \"config\") and not process.args: (\"/persistent:*\", \"/delete\", \"\\\\\\\\*\")\n ) or\n (process.name : \"nbtstat.exe\" and process.args : \"-s*\")\n) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "c4e9ed3e-55a2-4309-a012-bc3c78dad10a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1049", "name": "System Network Connections 
Discovery", "reference": "https://attack.mitre.org/techniques/T1049/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "c4e9ed3e-55a2-4309-a012-bc3c78dad10a_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c4e9ed3e-55a2-4309-a012-bc3c78dad10a_3.json b/packages/security_detection_engine/kibana/security_rule/c4e9ed3e-55a2-4309-a012-bc3c78dad10a_3.json deleted file mode 100644 index 9da95652568..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c4e9ed3e-55a2-4309-a012-bc3c78dad10a_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of commands that can be used to enumerate network connections. Adversaries may attempt to get a listing of network connections to or from a compromised system to identify targets within an environment.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Windows System Network Connections Discovery", "query": "process where event.type == \"start\" and\n(\n process.name : \"netstat.exe\" or\n (\n (\n (process.name : \"net.exe\" or process.pe.original_file_name == \"net.exe\") or\n (\n (process.name : \"net1.exe\" or process.pe.original_file_name == \"net1.exe\") and\n not process.parent.name : \"net.exe\"\n )\n ) and process.args : (\"use\", \"user\", \"session\", \"config\") and not process.args: (\"/persistent:*\", \"/delete\", \"\\\\\\\\*\")\n ) or\n (process.name : \"nbtstat.exe\" and process.args : \"-s*\")\n) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "c4e9ed3e-55a2-4309-a012-bc3c78dad10a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1049", "name": "System Network Connections Discovery", "reference": 
"https://attack.mitre.org/techniques/T1049/"}, {"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "c4e9ed3e-55a2-4309-a012-bc3c78dad10a_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601.json b/packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601.json deleted file mode 100644 index e0257a4bc22..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Attackers may try to access private keys, e.g. ssh, in order to gain further authenticated access to the environment.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Attempted Private Key Access", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"*.pem *\", \"*.pem\", \"*.id_rsa*\") and\n not process.args: (\"--tls-cert\", \"--ssl-cert\") and\n not process.executable : (\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptions\\\\Software\\\\*\\\\LogiLuUpdater.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\*\\\\osqueryd.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-controller.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-deception-agent.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-detection-agent.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-enforcement-agent.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-guest-agent.exe\",\n \"?:\\\\Program Files\\\\Logi\\\\LogiBolt\\\\LogiBoltUpdater.exe\",\n \"?:\\\\Program Files (x86)\\\\Schneider Electric EcoStruxure\\\\Building Operation 5.0\\\\Device Administrator\\\\Python\\\\python.exe\",\n \"?:\\\\Program Files\\\\Splunk\\\\bin\\\\openssl.exe\",\n \"?:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\openssl.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Logi\\\\LogiBolt\\\\LogiBoltUpdater.exe\",\n \"?:\\\\Windows\\\\system32\\\\icacls.exe\",\n \"?:\\\\Windows\\\\System32\\\\OpenSSH\\\\*\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", 
"type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "c55badd3-3e61-4292-836f-56209dc8a601", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.004", "name": "Private Keys", "reference": "https://attack.mitre.org/techniques/T1552/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "c55badd3-3e61-4292-836f-56209dc8a601", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601_1.json b/packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601_1.json deleted file mode 100644 index a54afdd764d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Attackers may try to access private keys, e.g. ssh, in order to gain further authenticated access to the environment.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Attempted Private Key Access", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.args : (\"*.pem*\", \"*.id_rsa*\") and\n not process.executable : (\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptions\\\\Software\\\\*\\\\LogiLuUpdater.exe\",\n \"?:\\\\Program Files\\\\Logi\\\\LogiBolt\\\\LogiBoltUpdater.exe\",\n \"?:\\\\Windows\\\\system32\\\\icacls.exe\",\n \"?:\\\\Program Files\\\\Splunk\\\\bin\\\\openssl.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\*\\\\components\\\\osqueryd.exe\",\n \"?:\\\\Windows\\\\System32\\\\OpenSSH\\\\*\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "c55badd3-3e61-4292-836f-56209dc8a601", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.004", "name": "Private Keys", "reference": "https://attack.mitre.org/techniques/T1552/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", 
"version": 1}, "id": "c55badd3-3e61-4292-836f-56209dc8a601_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601_2.json b/packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601_2.json deleted file mode 100644 index 8e4d9278e28..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Attackers may try to access private keys, e.g. ssh, in order to gain further authenticated access to the environment.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Attempted Private Key Access", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"*.pem *\", \"*.pem\", \"*.id_rsa*\") and\n not process.args: (\"--tls-cert\", \"--ssl-cert\") and\n not process.executable : (\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptions\\\\Software\\\\*\\\\LogiLuUpdater.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\*\\\\osqueryd.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-controller.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-deception-agent.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-detection-agent.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-enforcement-agent.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-guest-agent.exe\",\n \"?:\\\\Program Files\\\\Logi\\\\LogiBolt\\\\LogiBoltUpdater.exe\",\n \"?:\\\\Program Files (x86)\\\\Schneider Electric EcoStruxure\\\\Building Operation 5.0\\\\Device Administrator\\\\Python\\\\python.exe\",\n \"?:\\\\Program Files\\\\Splunk\\\\bin\\\\openssl.exe\",\n \"?:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\openssl.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Logi\\\\LogiBolt\\\\LogiBoltUpdater.exe\",\n \"?:\\\\Windows\\\\system32\\\\icacls.exe\",\n \"?:\\\\Windows\\\\System32\\\\OpenSSH\\\\*\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 
21, "rule_id": "c55badd3-3e61-4292-836f-56209dc8a601", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.004", "name": "Private Keys", "reference": "https://attack.mitre.org/techniques/T1552/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "c55badd3-3e61-4292-836f-56209dc8a601_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601_3.json b/packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601_3.json deleted file mode 100644 index da421572b1b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Attackers may try to access private keys, e.g. ssh, in order to gain further authenticated access to the environment.", "from": "now-119m", "index": ["logs-endpoint.events.process-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Attempted Private Key Access", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"*.pem *\", \"*.pem\", \"*.id_rsa*\") and\n not process.args: (\"--tls-cert\", \"--ssl-cert\") and\n not process.executable : (\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptions\\\\Software\\\\*\\\\LogiLuUpdater.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\*\\\\osqueryd.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-controller.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-deception-agent.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-detection-agent.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-enforcement-agent.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-guest-agent.exe\",\n \"?:\\\\Program Files\\\\Logi\\\\LogiBolt\\\\LogiBoltUpdater.exe\",\n \"?:\\\\Program Files (x86)\\\\Schneider Electric EcoStruxure\\\\Building Operation 5.0\\\\Device Administrator\\\\Python\\\\python.exe\",\n \"?:\\\\Program Files\\\\Splunk\\\\bin\\\\openssl.exe\",\n \"?:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\openssl.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Logi\\\\LogiBolt\\\\LogiBoltUpdater.exe\",\n \"?:\\\\Windows\\\\system32\\\\icacls.exe\",\n \"?:\\\\Windows\\\\System32\\\\OpenSSH\\\\*\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], 
"risk_score": 21, "rule_id": "c55badd3-3e61-4292-836f-56209dc8a601", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.004", "name": "Private Keys", "reference": "https://attack.mitre.org/techniques/T1552/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "c55badd3-3e61-4292-836f-56209dc8a601_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601_4.json b/packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601_4.json deleted file mode 100644 index 52d4c9df236..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Attackers may try to access private keys, e.g. ssh, in order to gain further authenticated access to the environment.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Attempted Private Key Access", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"*.pem *\", \"*.pem\", \"*.id_rsa*\") and\n not process.args: (\"--tls-cert\", \"--ssl-cert\") and\n not process.executable : (\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptions\\\\Software\\\\*\\\\LogiLuUpdater.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\*\\\\osqueryd.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-controller.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-deception-agent.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-detection-agent.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-enforcement-agent.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-guest-agent.exe\",\n \"?:\\\\Program Files\\\\Logi\\\\LogiBolt\\\\LogiBoltUpdater.exe\",\n \"?:\\\\Program Files (x86)\\\\Schneider Electric EcoStruxure\\\\Building Operation 5.0\\\\Device Administrator\\\\Python\\\\python.exe\",\n \"?:\\\\Program Files\\\\Splunk\\\\bin\\\\openssl.exe\",\n \"?:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\openssl.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Logi\\\\LogiBolt\\\\LogiBoltUpdater.exe\",\n \"?:\\\\Windows\\\\system32\\\\icacls.exe\",\n \"?:\\\\Windows\\\\System32\\\\OpenSSH\\\\*\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": 
"keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "c55badd3-3e61-4292-836f-56209dc8a601", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.004", "name": "Private Keys", "reference": "https://attack.mitre.org/techniques/T1552/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "c55badd3-3e61-4292-836f-56209dc8a601_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601_5.json b/packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601_5.json deleted file mode 100644 index 8c7e6dbc37d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c55badd3-3e61-4292-836f-56209dc8a601_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Attackers may try to access private keys, e.g. ssh, in order to gain further authenticated access to the environment.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Attempted Private Key Access", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.args : (\"*.pem *\", \"*.pem\", \"*.id_rsa*\") and\n not process.args: (\"--tls-cert\", \"--ssl-cert\") and\n not process.executable : (\n \"?:\\\\ProgramData\\\\Logishrd\\\\LogiOptions\\\\Software\\\\*\\\\LogiLuUpdater.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\*\\\\osqueryd.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-controller.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-deception-agent.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-detection-agent.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-enforcement-agent.exe\",\n \"?:\\\\Program Files\\\\Guardicore\\\\gc-guest-agent.exe\",\n \"?:\\\\Program Files\\\\Logi\\\\LogiBolt\\\\LogiBoltUpdater.exe\",\n \"?:\\\\Program Files (x86)\\\\Schneider Electric EcoStruxure\\\\Building Operation 5.0\\\\Device Administrator\\\\Python\\\\python.exe\",\n \"?:\\\\Program Files\\\\Splunk\\\\bin\\\\openssl.exe\",\n \"?:\\\\Program Files\\\\SplunkUniversalForwarder\\\\bin\\\\openssl.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Logi\\\\LogiBolt\\\\LogiBoltUpdater.exe\",\n \"?:\\\\Windows\\\\system32\\\\icacls.exe\",\n \"?:\\\\Windows\\\\System32\\\\OpenSSH\\\\*\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", 
"type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "c55badd3-3e61-4292-836f-56209dc8a601", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.004", "name": "Private Keys", "reference": "https://attack.mitre.org/techniques/T1552/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "c55badd3-3e61-4292-836f-56209dc8a601_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096.json b/packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096.json deleted file mode 100644 index a743676f494..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies attempts to modify a service path setting using sc.exe. Attackers may attempt to modify existing services for persistence or privilege escalation.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Service Path Modification via sc.exe", "query": "process where event.type == \"start\" and process.name : \"sc.exe\" and\n process.args : \"*config*\" and process.args : \"*binPath*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "c5677997-f75b-4cda-b830-a75920514096", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "c5677997-f75b-4cda-b830-a75920514096", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096_1.json b/packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096_1.json deleted file mode 100644 index 7d1a9d72c2b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies attempts to modify a service path setting using sc.exe. Attackers may attempt to modify existing services for persistence or privilege escalation.", "from": "now-119m", "index": ["logs-endpoint.events.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Service Path Modification via sc.exe", "query": "process where event.type == \"start\" and\n process.name : \"sc.exe\" and process.args : \"*binPath*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "c5677997-f75b-4cda-b830-a75920514096", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", 
"reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "c5677997-f75b-4cda-b830-a75920514096_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096_2.json b/packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096_2.json deleted file mode 100644 index ed8f493ac50..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies attempts to modify a service path setting using sc.exe. Attackers may attempt to modify existing services for persistence or privilege escalation.", "from": "now-119m", "index": ["logs-endpoint.events.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Service Path Modification via sc.exe", "query": "process where event.type == \"start\" and process.name : \"sc.exe\" and\n process.args : \"*config*\" and process.args : \"*binPath*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "c5677997-f75b-4cda-b830-a75920514096", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": 
"Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "c5677997-f75b-4cda-b830-a75920514096_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096_3.json b/packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096_3.json deleted file mode 100644 index 86cf968819c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies attempts to modify a service path setting using sc.exe. Attackers may attempt to modify existing services for persistence or privilege escalation.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Service Path Modification via sc.exe", "query": "process where event.type == \"start\" and process.name : \"sc.exe\" and\n process.args : \"*config*\" and process.args : \"*binPath*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "c5677997-f75b-4cda-b830-a75920514096", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", 
"name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "c5677997-f75b-4cda-b830-a75920514096_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096_4.json b/packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096_4.json deleted file mode 100644 index f25030c2a2d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies attempts to modify a service path setting using sc.exe. Attackers may attempt to modify existing services for persistence or privilege escalation.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Service Path Modification via sc.exe", "query": "process where event.type == \"start\" and process.name : \"sc.exe\" and\n process.args : \"*config*\" and process.args : \"*binPath*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "c5677997-f75b-4cda-b830-a75920514096", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", 
"reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "c5677997-f75b-4cda-b830-a75920514096_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096_5.json b/packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096_5.json deleted file mode 100644 index d5b2d4c6dcf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5677997-f75b-4cda-b830-a75920514096_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies attempts to modify a service path setting using sc.exe. Attackers may attempt to modify existing services for persistence or privilege escalation.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Service Path Modification via sc.exe", "query": "process where event.type == \"start\" and process.name : \"sc.exe\" and\n process.args : \"*config*\" and process.args : \"*binPath*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "c5677997-f75b-4cda-b830-a75920514096", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "c5677997-f75b-4cda-b830-a75920514096_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156.json b/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156.json deleted file mode 100644 index 5aca51002a3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Desktop Shadowing Activity", "query": "/* Identifies the modification of RDP Shadow registry or\n the execution of processes indicative of active shadow RDP session */\n\nany where host.os.type == \"windows\" and\n(\n (event.category == \"registry\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\"\n )\n ) or\n (event.category == \"process\" and event.type == \"start\" and\n (process.name : (\"RdpSaUacHelper.exe\", \"RdpSaProxy.exe\") and process.parent.name : \"svchost.exe\") or\n (process.pe.original_file_name : \"mstsc.exe\" and process.args : \"/shadow:*\")\n )\n)\n", "references": ["https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing", "https://swarm.ptsecurity.com/remote-desktop-services-shadowing/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": 
"process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "c57f8579-e2a5-4804-847f-f2732edc5156", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "c57f8579-e2a5-4804-847f-f2732edc5156", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_103.json b/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_103.json deleted file mode 100644 index 02f462f89c3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Desktop Shadowing Activity", "note": "", "query": "/* Identifies the modification of RDP Shadow registry or\n the execution of processes indicative of active shadow RDP session */\n\nany where host.os.type == \"windows\" and\n(\n (event.category == \"registry\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\"\n )\n ) or\n (event.category == \"process\" and event.type == \"start\" and\n (process.name : (\"RdpSaUacHelper.exe\", \"RdpSaProxy.exe\") and process.parent.name : \"svchost.exe\") or\n (process.pe.original_file_name : \"mstsc.exe\" and process.args : \"/shadow:*\")\n )\n)\n", "references": ["https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing", "https://swarm.ptsecurity.com/remote-desktop-services-shadowing/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, 
{"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "c57f8579-e2a5-4804-847f-f2732edc5156", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "c57f8579-e2a5-4804-847f-f2732edc5156_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_104.json b/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_104.json deleted file mode 100644 index 8cb297882bd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Desktop Shadowing Activity", "note": "", "query": "/* Identifies the modification of RDP Shadow registry or\n the execution of processes indicative of active shadow RDP session */\n\nany where host.os.type == \"windows\" and\n(\n (event.category == \"registry\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\"\n )\n ) or\n (event.category == \"process\" and event.type == \"start\" and\n (process.name : (\"RdpSaUacHelper.exe\", \"RdpSaProxy.exe\") and process.parent.name : \"svchost.exe\") or\n (process.pe.original_file_name : \"mstsc.exe\" and process.args : \"/shadow:*\")\n )\n)\n", "references": ["https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing", "https://swarm.ptsecurity.com/remote-desktop-services-shadowing/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, 
{"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "c57f8579-e2a5-4804-847f-f2732edc5156", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "c57f8579-e2a5-4804-847f-f2732edc5156_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_105.json b/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_105.json deleted file mode 100644 index 272c2260b4c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Desktop Shadowing Activity", "note": "", "query": "/* Identifies the modification of RDP Shadow registry or\n the execution of processes indicative of active shadow RDP session */\n\nany where host.os.type == \"windows\" and\n(\n (event.category == \"registry\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\"\n )\n ) or\n (event.category == \"process\" and event.type == \"start\" and\n (process.name : (\"RdpSaUacHelper.exe\", \"RdpSaProxy.exe\") and process.parent.name : \"svchost.exe\") or\n (process.pe.original_file_name : \"mstsc.exe\" and process.args : \"/shadow:*\")\n )\n)\n", "references": ["https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing", "https://swarm.ptsecurity.com/remote-desktop-services-shadowing/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, 
{"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "c57f8579-e2a5-4804-847f-f2732edc5156", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "c57f8579-e2a5-4804-847f-f2732edc5156_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_106.json b/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_106.json deleted file mode 100644 index e1a345533c9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Desktop Shadowing Activity", "note": "", "query": "/* Identifies the modification of RDP Shadow registry or\n the execution of processes indicative of active shadow RDP session */\n\nany where host.os.type == \"windows\" and\n(\n (event.category == \"registry\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\"\n )\n ) or\n (event.category == \"process\" and event.type == \"start\" and\n (process.name : (\"RdpSaUacHelper.exe\", \"RdpSaProxy.exe\") and process.parent.name : \"svchost.exe\") or\n (process.pe.original_file_name : \"mstsc.exe\" and process.args : \"/shadow:*\")\n )\n)\n", "references": ["https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing", "https://swarm.ptsecurity.com/remote-desktop-services-shadowing/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, 
{"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "c57f8579-e2a5-4804-847f-f2732edc5156", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "c57f8579-e2a5-4804-847f-f2732edc5156_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_107.json b/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_107.json deleted file mode 100644 index a71927268ed..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Desktop Shadowing Activity", "query": "/* Identifies the modification of RDP Shadow registry or\n the execution of processes indicative of active shadow RDP session */\n\nany where host.os.type == \"windows\" and\n(\n (event.category == \"registry\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\"\n )\n ) or\n (event.category == \"process\" and event.type == \"start\" and\n (process.name : (\"RdpSaUacHelper.exe\", \"RdpSaProxy.exe\") and process.parent.name : \"svchost.exe\") or\n (process.pe.original_file_name : \"mstsc.exe\" and process.args : \"/shadow:*\")\n )\n)\n", "references": ["https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing", "https://swarm.ptsecurity.com/remote-desktop-services-shadowing/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, 
"name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "c57f8579-e2a5-4804-847f-f2732edc5156", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "c57f8579-e2a5-4804-847f-f2732edc5156_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_108.json b/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_108.json deleted file mode 100644 index 4a997a52bd6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Desktop Shadowing Activity", "query": "/* Identifies the modification of RDP Shadow registry or\n the execution of processes indicative of active shadow RDP session */\n\nany where host.os.type == \"windows\" and\n(\n (event.category == \"registry\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\"\n )\n ) or\n (event.category == \"process\" and event.type == \"start\" and\n (process.name : (\"RdpSaUacHelper.exe\", \"RdpSaProxy.exe\") and process.parent.name : \"svchost.exe\") or\n (process.pe.original_file_name : \"mstsc.exe\" and process.args : \"/shadow:*\")\n )\n)\n", "references": ["https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing", "https://swarm.ptsecurity.com/remote-desktop-services-shadowing/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": 
"keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "c57f8579-e2a5-4804-847f-f2732edc5156", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "c57f8579-e2a5-4804-847f-f2732edc5156_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_109.json b/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_109.json deleted file mode 100644 index 5fae20cfcd1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c57f8579-e2a5-4804-847f-f2732edc5156_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control other users active RDP sessions.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Desktop Shadowing Activity", "query": "/* Identifies the modification of RDP Shadow registry or\n the execution of processes indicative of active shadow RDP session */\n\nany where host.os.type == \"windows\" and\n(\n (event.category == \"registry\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Terminal Services\\\\Shadow\"\n )\n ) or\n (event.category == \"process\" and event.type == \"start\" and\n (process.name : (\"RdpSaUacHelper.exe\", \"RdpSaProxy.exe\") and process.parent.name : \"svchost.exe\") or\n (process.pe.original_file_name : \"mstsc.exe\" and process.args : \"/shadow:*\")\n )\n)\n", "references": ["https://bitsadm.in/blog/spying-on-users-using-rdp-shadowing", "https://swarm.ptsecurity.com/remote-desktop-services-shadowing/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": 
"process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "c57f8579-e2a5-4804-847f-f2732edc5156", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.001", "name": "Remote Desktop Protocol", "reference": "https://attack.mitre.org/techniques/T1021/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "c57f8579-e2a5-4804-847f-f2732edc5156_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6.json b/packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6.json deleted file mode 100644 index ffcbdb768ab..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a virtual version of a physical network within a GCP project. Each VPC network has its own subnets, routes, and firewall, as well as other elements. An adversary may delete a VPC network in order to disrupt their target's network and business operations.", "false_positives": ["Virtual Private Cloud networks may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Virtual Private Cloud Network Deletion", "note": "", "query": "event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success\n", "references": ["https://cloud.google.com/vpc/docs/vpc"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "c58c3081-2e1d-4497-8491-e73a45d1a6d6", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": 
"https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "c58c3081-2e1d-4497-8491-e73a45d1a6d6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6_103.json b/packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6_103.json deleted file mode 100644 index c8651ea9549..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c58c3081-2e1d-4497-8491-e73a45d1a6d6_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a Virtual Private Cloud (VPC) network is deleted in Google Cloud Platform (GCP). A VPC network is a virtual version of a physical network within a GCP project. Each VPC network has its own subnets, routes, and firewall, as well as other elements. An adversary may delete a VPC network in order to disrupt their target's network and business operations.", "false_positives": ["Virtual Private Cloud networks may be deleted by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Virtual Private Cloud Network Deletion", "note": "", "query": "event.dataset:gcp.audit and event.action:v*.compute.networks.delete and event.outcome:success\n", "references": ["https://cloud.google.com/vpc/docs/vpc"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "c58c3081-2e1d-4497-8491-e73a45d1a6d6", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Configuration Audit", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": 
"https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "c58c3081-2e1d-4497-8491-e73a45d1a6d6_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef.json b/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef.json deleted file mode 100644 index 79ad8abcb92..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Renamed COM+ Services DLL", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Renamed COM+ Services DLL\n\nCOMSVCS.DLL is a Windows library that exports the MiniDump function, which can be used to dump a process memory. Adversaries may attempt to dump LSASS memory using a renamed COMSVCS.DLL to bypass command-line based detection and gain unauthorized access to credentials.\n\nThis rule identifies suspicious instances of rundll32.exe loading a renamed COMSVCS.DLL image, which can indicate potential abuse of the MiniDump function for credential theft.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Identify the process that created the DLL using file creation events.\n - Inspect the file for useful metadata, such as file size and creation or modification time.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and DLL using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n\n### False positive analysis\n\n- False positives may include legitimate instances of rundll32.exe loading a renamed COMSVCS.DLL image for non-malicious purposes, such as during software development, testing, or troubleshooting.\n\n### Related Rules\n\n- Potential Credential Access via LSASS Memory Dump - 9960432d-9b26-409f-972b-839a959e79e2\n- Suspicious Module Loaded by LSASS - 3a6001a0-0939-4bbe-86f4-47d8faeb7b97\n- Suspicious Lsass Process Access - 128468bf-cab1-4637-99ea-fdf3780a4609\n- LSASS Process Access via Windows API - ff4599cb-409f-4910-a239-52e4e6f532ff\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Implement Elastic Endpoint Security to detect and prevent further post exploitation activities in the environment.\n - Contain the affected system by isolating it from the network to prevent further spread of the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - 
Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.category == \"process\" and\n process.name : \"rundll32.exe\"]\n [process where host.os.type == \"windows\" and event.category == \"process\" and event.dataset : \"windows.sysmon_operational\" and event.code == \"7\" and\n (file.pe.original_file_name : \"COMSVCS.DLL\" or file.pe.imphash : \"EADBCCBB324829ACB5F2BBE87E5549A8\") and\n /* renamed COMSVCS */\n not file.name : \"COMSVCS.DLL\"]\n", "references": ["https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": 
"event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.pe.imphash", "type": "keyword"}, {"ecs": true, "name": "file.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c5c9f591-d111-4cf8-baec-c26a39bc31ef", "setup": "## Setup\n\nYou will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original\nFile Name.\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "type": "eql", "version": 108}, "id": "c5c9f591-d111-4cf8-baec-c26a39bc31ef", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_103.json b/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_103.json
deleted file mode 100644
index df6fbd5509e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Renamed COM+ Services DLL", "note": "", "query": "sequence by process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.category == \"process\" and\n process.name : \"rundll32.exe\"]\n [process where host.os.type == \"windows\" and event.category == \"process\" and event.dataset : \"windows.sysmon_operational\" and event.code == \"7\" and\n (file.pe.original_file_name : \"COMSVCS.DLL\" or file.pe.imphash : \"EADBCCBB324829ACB5F2BBE87E5549A8\") and\n /* renamed COMSVCS */\n not file.name : \"COMSVCS.DLL\"]\n", "references": ["https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.pe.imphash", "type": "keyword"}, {"ecs": true, "name": "file.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c5c9f591-d111-4cf8-baec-c26a39bc31ef", "setup": "You will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original\nFile Name.", "severity": 
"high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "type": "eql", "version": 103}, "id": "c5c9f591-d111-4cf8-baec-c26a39bc31ef_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_104.json b/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_104.json deleted file mode 100644 index 704a351ac2b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Renamed COM+ Services DLL", "note": "", "query": "sequence by process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.category == \"process\" and\n process.name : \"rundll32.exe\"]\n [process where host.os.type == \"windows\" and event.category == \"process\" and event.dataset : \"windows.sysmon_operational\" and event.code == \"7\" and\n (file.pe.original_file_name : \"COMSVCS.DLL\" or file.pe.imphash : \"EADBCCBB324829ACB5F2BBE87E5549A8\") and\n /* renamed COMSVCS */\n not file.name : \"COMSVCS.DLL\"]\n", "references": ["https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.pe.imphash", "type": "keyword"}, {"ecs": true, "name": "file.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c5c9f591-d111-4cf8-baec-c26a39bc31ef", "setup": "You will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original\nFile Name.", "severity": 
"high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "type": "eql", "version": 104}, "id": "c5c9f591-d111-4cf8-baec-c26a39bc31ef_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_105.json b/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_105.json deleted file mode 100644 index 7a256592a6c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Renamed COM+ Services DLL", "note": "", "query": "sequence by process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.category == \"process\" and\n process.name : \"rundll32.exe\"]\n [process where host.os.type == \"windows\" and event.category == \"process\" and event.dataset : \"windows.sysmon_operational\" and event.code == \"7\" and\n (file.pe.original_file_name : \"COMSVCS.DLL\" or file.pe.imphash : \"EADBCCBB324829ACB5F2BBE87E5549A8\") and\n /* renamed COMSVCS */\n not file.name : \"COMSVCS.DLL\"]\n", "references": ["https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.pe.imphash", "type": "keyword"}, {"ecs": true, "name": "file.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c5c9f591-d111-4cf8-baec-c26a39bc31ef", "setup": "You will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original\nFile Name.", "severity": 
"high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "type": "eql", "version": 105}, "id": "c5c9f591-d111-4cf8-baec-c26a39bc31ef_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_106.json b/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_106.json deleted file mode 100644 index 578dbdc0518..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Renamed COM+ Services DLL", "query": "sequence by process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.category == \"process\" and\n process.name : \"rundll32.exe\"]\n [process where host.os.type == \"windows\" and event.category == \"process\" and event.dataset : \"windows.sysmon_operational\" and event.code == \"7\" and\n (file.pe.original_file_name : \"COMSVCS.DLL\" or file.pe.imphash : \"EADBCCBB324829ACB5F2BBE87E5549A8\") and\n /* renamed COMSVCS */\n not file.name : \"COMSVCS.DLL\"]\n", "references": ["https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.pe.imphash", "type": "keyword"}, {"ecs": true, "name": "file.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c5c9f591-d111-4cf8-baec-c26a39bc31ef", "setup": "\nYou will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original\nFile Name.\n", "severity": "high", 
"tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "type": "eql", "version": 106}, "id": "c5c9f591-d111-4cf8-baec-c26a39bc31ef_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_107.json b/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_107.json deleted file mode 100644 index 284907ba96a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Renamed COM+ Services DLL", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Renamed COM+ Services DLL\n\nCOMSVCS.DLL is a Windows library that exports the MiniDump function, which can be used to dump a process memory. Adversaries may attempt to dump LSASS memory using a renamed COMSVCS.DLL to bypass command-line based detection and gain unauthorized access to credentials.\n\nThis rule identifies suspicious instances of rundll32.exe loading a renamed COMSVCS.DLL image, which can indicate potential abuse of the MiniDump function for credential theft.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Identify the process that created the DLL using file creation events.\n - Inspect the file for useful metadata, such as file size and creation or modification time.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and DLL using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n\n### False positive analysis\n\n- False positives may include legitimate instances of rundll32.exe loading a renamed COMSVCS.DLL image for non-malicious purposes, such as during software development, testing, or troubleshooting.\n\n### Related Rules\n\n- Potential Credential Access via LSASS Memory Dump - 9960432d-9b26-409f-972b-839a959e79e2\n- Suspicious Module Loaded by LSASS - 3a6001a0-0939-4bbe-86f4-47d8faeb7b97\n- Suspicious Lsass Process Access - 128468bf-cab1-4637-99ea-fdf3780a4609\n- LSASS Process Access via Windows API - ff4599cb-409f-4910-a239-52e4e6f532ff\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Implement Elastic Endpoint Security to detect and prevent further post exploitation activities in the environment.\n - Contain the affected system by isolating it from the network to prevent further spread of the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - 
Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.category == \"process\" and\n process.name : \"rundll32.exe\"]\n [process where host.os.type == \"windows\" and event.category == \"process\" and event.dataset : \"windows.sysmon_operational\" and event.code == \"7\" and\n (file.pe.original_file_name : \"COMSVCS.DLL\" or file.pe.imphash : \"EADBCCBB324829ACB5F2BBE87E5549A8\") and\n /* renamed COMSVCS */\n not file.name : \"COMSVCS.DLL\"]\n", "references": ["https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": 
"event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.pe.imphash", "type": "keyword"}, {"ecs": true, "name": "file.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c5c9f591-d111-4cf8-baec-c26a39bc31ef", "setup": "\nYou will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original\nFile Name.\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "type": "eql", "version": 107}, "id": "c5c9f591-d111-4cf8-baec-c26a39bc31ef_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_108.json b/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_108.json
deleted file mode 100644
index 100d6e8adfe..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c5c9f591-d111-4cf8-baec-c26a39bc31ef_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious renamed COMSVCS.DLL Image Load, which exports the MiniDump function that can be used to dump a process memory. This may indicate an attempt to dump LSASS memory while bypassing command-line based detection in preparation for credential access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Renamed COM+ Services DLL", "note": "## Triage and analysis\n\n### Investigating Potential Credential Access via Renamed COM+ Services DLL\n\nCOMSVCS.DLL is a Windows library that exports the MiniDump function, which can be used to dump a process memory. Adversaries may attempt to dump LSASS memory using a renamed COMSVCS.DLL to bypass command-line based detection and gain unauthorized access to credentials.\n\nThis rule identifies suspicious instances of rundll32.exe loading a renamed COMSVCS.DLL image, which can indicate potential abuse of the MiniDump function for credential theft.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Identify the process that created the DLL using file creation events.\n - Inspect the file for useful metadata, such as file size and creation or modification time.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and DLL using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Look for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n\n### False positive analysis\n\n- False positives may include legitimate instances of rundll32.exe loading a renamed COMSVCS.DLL image for non-malicious purposes, such as during software development, testing, or troubleshooting.\n\n### Related Rules\n\n- Potential Credential Access via LSASS Memory Dump - 9960432d-9b26-409f-972b-839a959e79e2\n- Suspicious Module Loaded by LSASS - 3a6001a0-0939-4bbe-86f4-47d8faeb7b97\n- Suspicious Lsass Process Access - 128468bf-cab1-4637-99ea-fdf3780a4609\n- LSASS Process Access via Windows API - ff4599cb-409f-4910-a239-52e4e6f532ff\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Implement Elastic Endpoint Security to detect and prevent further post exploitation activities in the environment.\n - Contain the affected system by isolating it from the network to prevent further spread of the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - 
Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.category == \"process\" and\n process.name : \"rundll32.exe\"]\n [process where host.os.type == \"windows\" and event.category == \"process\" and event.dataset : \"windows.sysmon_operational\" and event.code == \"7\" and\n (file.pe.original_file_name : \"COMSVCS.DLL\" or file.pe.imphash : \"EADBCCBB324829ACB5F2BBE87E5549A8\") and\n /* renamed COMSVCS */\n not file.name : \"COMSVCS.DLL\"]\n", "references": ["https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": 
"event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.pe.imphash", "type": "keyword"}, {"ecs": true, "name": "file.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c5c9f591-d111-4cf8-baec-c26a39bc31ef", "setup": "## Setup\n\nYou will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original\nFile Name.\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "type": "eql", "version": 108}, "id": "c5c9f591-d111-4cf8-baec-c26a39bc31ef_108", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10.json b/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10.json
deleted file mode 100644
index 6fcf86ecc73..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Installation of Custom Shim Databases", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*.sdb\" and \n not process.executable : \n (\"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\swrepository\\\\1\\\\swuploads\\\\SAP-SLC\\\\SAPSetupSLC02_14-80001954\\\\Setup\\\\NwSapSetup.exe\", \n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupPlatform.exe\", \n \"?:\\\\Program Files (x86)\\\\SAP\\\\SAPsetup\\\\setup\\\\NwSapSetup.exe\", \n \"?:\\\\Program Files (x86)\\\\SAP\\\\SapSetup\\\\OnRebootSvc\\\\NWSAPSetupOnRebootInstSvc.exe\", \n \"?:\\\\Program Files (x86)\\\\Kaspersky Lab\\\\Kaspersky Security for Windows Server\\\\kavfs.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.011", "name": "Application Shimming", "reference": "https://attack.mitre.org/techniques/T1546/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_103.json b/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_103.json deleted file mode 100644 index 2d94a700c22..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Installation of Custom Shim Databases", "query": "sequence by process.entity_id with maxspan = 5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n not (process.name : \"sdbinst.exe\" and process.parent.name : \"msiexec.exe\")]\n [registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*.sdb\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.011", "name": "Application Shimming", "reference": 
"https://attack.mitre.org/techniques/T1546/011/"}]}]}], "type": "eql", "version": 103}, "id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_104.json b/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_104.json deleted file mode 100644 index 8c610c5e78b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Installation of Custom Shim Databases", "query": "sequence by process.entity_id with maxspan = 5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n not (process.name : \"sdbinst.exe\" and process.parent.name : \"msiexec.exe\")]\n [registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*.sdb\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.011", "name": "Application Shimming", "reference": 
"https://attack.mitre.org/techniques/T1546/011/"}]}]}], "type": "eql", "version": 104}, "id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_105.json b/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_105.json deleted file mode 100644 index 0d411a18c78..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Installation of Custom Shim Databases", "query": "sequence by process.entity_id with maxspan = 5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n not (process.name : \"sdbinst.exe\" and process.parent.name : \"msiexec.exe\")]\n [registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*.sdb\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.011", "name": "Application Shimming", 
"reference": "https://attack.mitre.org/techniques/T1546/011/"}]}]}], "type": "eql", "version": 105}, "id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_106.json b/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_106.json deleted file mode 100644 index 7435c4b96a0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", "from": "now-9m", "index": ["logs-endpoint.events.registry*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Installation of Custom Shim Databases", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*.sdb\" and \n not process.executable : \n (\"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\swrepository\\\\1\\\\swuploads\\\\SAP-SLC\\\\SAPSetupSLC02_14-80001954\\\\Setup\\\\NwSapSetup.exe\", \n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupPlatform.exe\", \n \"?:\\\\Program Files (x86)\\\\SAP\\\\SAPsetup\\\\setup\\\\NwSapSetup.exe\", \n \"?:\\\\Program Files (x86)\\\\SAP\\\\SapSetup\\\\OnRebootSvc\\\\NWSAPSetupOnRebootInstSvc.exe\", \n \"?:\\\\Program Files (x86)\\\\Kaspersky Lab\\\\Kaspersky Security for Windows Server\\\\kavfs.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.011", "name": "Application Shimming", "reference": "https://attack.mitre.org/techniques/T1546/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_107.json b/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_107.json deleted file mode 100644 index 453b908315e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", "from": "now-9m", "index": ["logs-endpoint.events.registry*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Installation of Custom Shim Databases", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*.sdb\" and \n not process.executable : \n (\"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\swrepository\\\\1\\\\swuploads\\\\SAP-SLC\\\\SAPSetupSLC02_14-80001954\\\\Setup\\\\NwSapSetup.exe\", \n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupPlatform.exe\", \n \"?:\\\\Program Files (x86)\\\\SAP\\\\SAPsetup\\\\setup\\\\NwSapSetup.exe\", \n \"?:\\\\Program Files (x86)\\\\SAP\\\\SapSetup\\\\OnRebootSvc\\\\NWSAPSetupOnRebootInstSvc.exe\", \n \"?:\\\\Program Files (x86)\\\\Kaspersky Lab\\\\Kaspersky Security for Windows Server\\\\kavfs.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", 
"reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.011", "name": "Application Shimming", "reference": "https://attack.mitre.org/techniques/T1546/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_108.json b/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_108.json deleted file mode 100644 index d73bbd3e21e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Installation of Custom Shim Databases", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*.sdb\" and \n not process.executable : \n (\"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\swrepository\\\\1\\\\swuploads\\\\SAP-SLC\\\\SAPSetupSLC02_14-80001954\\\\Setup\\\\NwSapSetup.exe\", \n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupPlatform.exe\", \n \"?:\\\\Program Files (x86)\\\\SAP\\\\SAPsetup\\\\setup\\\\NwSapSetup.exe\", \n \"?:\\\\Program Files (x86)\\\\SAP\\\\SapSetup\\\\OnRebootSvc\\\\NWSAPSetupOnRebootInstSvc.exe\", \n \"?:\\\\Program Files (x86)\\\\Kaspersky Lab\\\\Kaspersky Security for Windows Server\\\\kavfs.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", 
"reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.011", "name": "Application Shimming", "reference": "https://attack.mitre.org/techniques/T1546/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_109.json b/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_109.json deleted file mode 100644 index ecfce185a5c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5ce48a6-7f57-4ee8-9313-3d0024caee10_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the installation of custom Application Compatibility Shim databases. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Installation of Custom Shim Databases", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*.sdb\" and \n not process.executable : \n (\"?:\\\\Program Files (x86)\\\\DesktopCentral_Agent\\\\swrepository\\\\1\\\\swuploads\\\\SAP-SLC\\\\SAPSetupSLC02_14-80001954\\\\Setup\\\\NwSapSetup.exe\", \n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\SetupPlatform.exe\", \n \"?:\\\\Program Files (x86)\\\\SAP\\\\SAPsetup\\\\setup\\\\NwSapSetup.exe\", \n \"?:\\\\Program Files (x86)\\\\SAP\\\\SapSetup\\\\OnRebootSvc\\\\NWSAPSetupOnRebootInstSvc.exe\", \n \"?:\\\\Program Files (x86)\\\\Kaspersky Lab\\\\Kaspersky Security for Windows Server\\\\kavfs.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.011", "name": "Application Shimming", "reference": "https://attack.mitre.org/techniques/T1546/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "c5ce48a6-7f57-4ee8-9313-3d0024caee10_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c.json b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c.json deleted file mode 100644 index aa893d80eb8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by an Office Application", "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Started by an Office Application\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule looks for the `Msbuild.exe` utility spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"eqnedt32.exe\",\n \"excel.exe\",\n \"fltldr.exe\",\n \"msaccess.exe\",\n \"mspub.exe\",\n \"outlook.exe\",\n \"powerpnt.exe\",\n \"winword.exe\" )\n", "references": ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_104.json b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_104.json deleted file mode 100644 index 6d02f0208e5..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by an Office Application", "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Started by an Office Application\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule looks for the `Msbuild.exe` utility spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"eqnedt32.exe\",\n \"excel.exe\",\n \"fltldr.exe\",\n \"msaccess.exe\",\n \"mspub.exe\",\n \"outlook.exe\",\n \"powerpnt.exe\",\n \"winword.exe\" )\n", "references": ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_105.json b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_105.json deleted file mode 100644 index 1653f4f85f1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by an Office Application", "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Started by an Office Application\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule looks for the `Msbuild.exe` utility spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"eqnedt32.exe\",\n \"excel.exe\",\n \"fltldr.exe\",\n \"msaccess.exe\",\n \"mspub.exe\",\n \"outlook.exe\",\n \"powerpnt.exe\",\n \"winword.exe\" )\n", "references": ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_106.json b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_106.json deleted file mode 100644 index fb68813f2bb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by an Office Application", "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Started by an Office Application\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule looks for the `Msbuild.exe` utility spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"eqnedt32.exe\",\n \"excel.exe\",\n \"fltldr.exe\",\n \"msaccess.exe\",\n \"mspub.exe\",\n \"outlook.exe\",\n \"powerpnt.exe\",\n \"winword.exe\" )\n", "references": ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_107.json b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_107.json deleted file mode 100644 index c1a1de40669..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by an Office Application", "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Started by an Office Application\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule looks for the `Msbuild.exe` utility spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"eqnedt32.exe\",\n \"excel.exe\",\n \"fltldr.exe\",\n \"msaccess.exe\",\n \"mspub.exe\",\n \"outlook.exe\",\n \"powerpnt.exe\",\n \"winword.exe\" )\n", "references": ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_108.json b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_108.json deleted file mode 100644 index 2f9109b7451..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by an Office Application", "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Started by an Office Application\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule looks for the `Msbuild.exe` utility spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"eqnedt32.exe\",\n \"excel.exe\",\n \"fltldr.exe\",\n \"msaccess.exe\",\n \"mspub.exe\",\n \"outlook.exe\",\n \"powerpnt.exe\",\n \"winword.exe\" )\n", "references": ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_109.json b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_109.json
deleted file mode 100644
index b95b48dc539..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by an Office Application", "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Started by an Office Application\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule looks for the `Msbuild.exe` utility spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"eqnedt32.exe\",\n \"excel.exe\",\n \"fltldr.exe\",\n \"msaccess.exe\",\n \"mspub.exe\",\n \"outlook.exe\",\n \"powerpnt.exe\",\n \"winword.exe\" )\n", "references": ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_110.json b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_110.json
deleted file mode 100644
index ef11a5a2a6c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by an Office Application", "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Started by an Office Application\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule looks for the `Msbuild.exe` utility spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"eqnedt32.exe\",\n \"excel.exe\",\n \"fltldr.exe\",\n \"msaccess.exe\",\n \"mspub.exe\",\n \"outlook.exe\",\n \"powerpnt.exe\",\n \"winword.exe\" )\n", "references": ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_111.json b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_111.json
deleted file mode 100644
index 4f1a6ba87fd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by an Office Application", "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Started by an Office Application\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule looks for the `Msbuild.exe` utility spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"eqnedt32.exe\",\n \"excel.exe\",\n \"fltldr.exe\",\n \"msaccess.exe\",\n \"mspub.exe\",\n \"outlook.exe\",\n \"powerpnt.exe\",\n \"winword.exe\" )\n", "references": ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_311.json b/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_311.json
deleted file mode 100644
index 583ecc8cbef..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c5dc3223-13a2-44a2-946c-e9dc0aa0449c_311.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An instance of MSBuild, the Microsoft Build Engine, was started by Excel or Word. This is unusual behavior for the Build Engine and could have been caused by an Excel or Word document executing a malicious script payload.", "false_positives": ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual. It is quite unusual for this program to be started by an Office application like Word or Excel."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Build Engine Started by an Office Application", "note": "## Triage and analysis\n\n### Investigating Microsoft Build Engine Started by an Office Application\n\nMicrosoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.\n\nThe Microsoft Build Engine is a platform for building applications. This engine, also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software, and can be abused to proxy execution of code.\n\nThis rule looks for the `Msbuild.exe` utility spawned by MS Office programs. This is generally the result of the execution of malicious documents.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.\n- Determine if the collected files are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n - If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"MSBuild.exe\" and\n process.parent.name : (\"eqnedt32.exe\",\n \"excel.exe\",\n \"fltldr.exe\",\n \"msaccess.exe\",\n \"mspub.exe\",\n \"outlook.exe\",\n \"powerpnt.exe\",\n \"winword.exe\" )\n", "references": ["https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], 
"required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 311}, "id": "c5dc3223-13a2-44a2-946c-e9dc0aa0449c_311", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5f81243-56e0-47f9-b5bb-55a5ed89ba57.json b/packages/security_detection_engine/kibana/security_rule/c5f81243-56e0-47f9-b5bb-55a5ed89ba57.json deleted file mode 100644 index fd0733fcd04..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5f81243-56e0-47f9-b5bb-55a5ed89ba57.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the occurrence of a CyberArk Privileged Access Security (PAS) non-error level audit event which is recommended for monitoring by the vendor. The event.code correlates to the CyberArk Vault Audit Action Code.", "false_positives": ["To tune this rule, add exceptions to exclude any event.code which should not trigger this rule."], "from": "now-30m", "index": ["filebeat-*", "logs-cyberarkpas.audit*"], "language": "kuery", "license": "Elastic License v2", "name": "CyberArk Privileged Access Security Recommended Monitor", "note": "## Triage and analysis\n\nThis is a promotion rule for CyberArk events, which the vendor recommends should be monitored.\nConsult vendor documentation on interpreting specific events.", "query": "event.dataset:cyberarkpas.audit and\n event.code:(4 or 22 or 24 or 31 or 38 or 57 or 60 or 130 or 295 or 300 or 302 or\n 308 or 319 or 344 or 346 or 359 or 361 or 378 or 380 or 411) and\n not event.type:error\n", "references": ["https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_____3#RecommendedActionCodesforMonitoring"], "related_integrations": [{"package": "cyberarkpas", "version": "^2.2.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}], "risk_score": 73, "rule_id": "c5f81243-56e0-47f9-b5bb-55a5ed89ba57", "rule_name_override": "event.action", "setup": "The CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Data Source: CyberArk PAS", "Use Case: Log Auditing", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": 
"Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "c5f81243-56e0-47f9-b5bb-55a5ed89ba57", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c5f81243-56e0-47f9-b5bb-55a5ed89ba57_101.json b/packages/security_detection_engine/kibana/security_rule/c5f81243-56e0-47f9-b5bb-55a5ed89ba57_101.json deleted file mode 100644 index c4db2f6d012..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c5f81243-56e0-47f9-b5bb-55a5ed89ba57_101.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the occurrence of a CyberArk Privileged Access Security (PAS) non-error level audit event which is recommended for monitoring by the vendor. The event.code correlates to the CyberArk Vault Audit Action Code.", "false_positives": ["To tune this rule, add exceptions to exclude any event.code which should not trigger this rule."], "from": "now-30m", "index": ["filebeat-*", "logs-cyberarkpas.audit*"], "language": "kuery", "license": "Elastic License v2", "name": "CyberArk Privileged Access Security Recommended Monitor", "note": "## Triage and analysis\n\nThis is a promotion rule for CyberArk events, which the vendor recommends should be monitored.\nConsult vendor documentation on interpreting specific events.", "query": "event.dataset:cyberarkpas.audit and\n event.code:(4 or 22 or 24 or 31 or 38 or 57 or 60 or 130 or 295 or 300 or 302 or\n 308 or 319 or 344 or 346 or 359 or 361 or 378 or 380 or 411) and\n not event.type:error\n", "references": ["https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_____3#RecommendedActionCodesforMonitoring"], "related_integrations": [{"package": "cyberarkpas", "version": "^2.2.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}], "risk_score": 73, "rule_id": "c5f81243-56e0-47f9-b5bb-55a5ed89ba57", "rule_name_override": "event.action", "setup": "The CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Elastic", "cyberarkpas", "SecOps", "Log Auditing", "Threat Detection", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege 
Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "c5f81243-56e0-47f9-b5bb-55a5ed89ba57_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a.json b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a.json deleted file mode 100644 index f2a9716b730..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via MpCmdRun", "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network 
Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or ?process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n", "references": ["https://twitter.com/mohammadaskar2/status/1301263551638761477", "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", 
"Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_104.json b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_104.json deleted file mode 100644 index 667be55e172..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via MpCmdRun", "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n", "references": ["https://twitter.com/mohammadaskar2/status/1301263551638761477", "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", 
"name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_105.json b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_105.json deleted file mode 100644 index 4eb1b139f31..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via MpCmdRun", "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n", "references": ["https://twitter.com/mohammadaskar2/status/1301263551638761477", "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", 
"name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_106.json b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_106.json deleted file mode 100644 index ba1094b188f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via MpCmdRun", "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n", "references": ["https://twitter.com/mohammadaskar2/status/1301263551638761477", "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": 
"https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_107.json b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_107.json deleted file mode 100644 index 75e9217442e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via MpCmdRun", "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n", "references": ["https://twitter.com/mohammadaskar2/status/1301263551638761477", "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", 
"reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_108.json b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_108.json deleted file mode 100644 index 741b5a58754..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via MpCmdRun", "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal 
Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n", "references": ["https://twitter.com/mohammadaskar2/status/1301263551638761477", "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: 
Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_109.json b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_109.json deleted file mode 100644 index bba76b7d57b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_109.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via MpCmdRun", "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network 
Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n", "references": ["https://twitter.com/mohammadaskar2/status/1301263551638761477", "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: 
Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_110.json b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_110.json
deleted file mode 100644
index 50792a8000c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via MpCmdRun", "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network 
Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or ?process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n", "references": ["https://twitter.com/mohammadaskar2/status/1301263551638761477", "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", 
"Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_111.json b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_111.json
deleted file mode 100644
index 47e79e37675..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via MpCmdRun", "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network 
Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or ?process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n", "references": ["https://twitter.com/mohammadaskar2/status/1301263551638761477", "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", 
"Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_112.json b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_112.json
deleted file mode 100644
index 9db8a48fdd6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_112.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via MpCmdRun", "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network 
Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or ?process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n", "references": ["https://twitter.com/mohammadaskar2/status/1301263551638761477", "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", 
"Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_113.json b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_113.json
deleted file mode 100644
index 3ba93fa9ed8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_113.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via MpCmdRun", "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network 
Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or ?process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n", "references": ["https://twitter.com/mohammadaskar2/status/1301263551638761477", "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", 
"Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a_113", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_313.json b/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_313.json
deleted file mode 100644
index 0a2826376a2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c6453e73-90eb-4fe7-a98c-cde7bbfc504a_313.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Download via MpCmdRun", "note": "## Triage and analysis\n\n### Investigating Remote File Download via MpCmdRun\n\nAttackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse signed utilities to drop these files.\n\nThe `MpCmdRun.exe` is a command-line tool part of Windows Defender and is used to manage various Microsoft Windows Defender Antivirus settings and perform certain tasks. It can also be abused by attackers to download remote files, including malware and offensive tooling. This rule looks for the patterns used to perform downloads using the utility.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - !{investigate{\"label\":\"Alerts associated with the user in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"user.id\",\"queryType\":\"phrase\",\"value\":\"{{user.id}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n - !{investigate{\"label\":\"Alerts associated with the host in the last 48h\",\"providers\":[[{\"excluded\":false,\"field\":\"event.kind\",\"queryType\":\"phrase\",\"value\":\"signal\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"host.name\",\"queryType\":\"phrase\",\"value\":\"{{host.name}}\",\"valueType\":\"string\"}]],\"relativeFrom\":\"now-48h/h\",\"relativeTo\":\"now\"}}\n- Check the reputation of the domain or IP address used to host the downloaded file.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - !{investigate{\"label\":\"Investigate the Subject Process Network 
Events\",\"providers\":[[{\"excluded\":false,\"field\":\"process.entity_id\",\"queryType\":\"phrase\",\"value\":\"{{process.entity_id}}\",\"valueType\":\"string\"},{\"excluded\":false,\"field\":\"event.category\",\"queryType\":\"phrase\",\"value\":\"network\",\"valueType\":\"string\"}]]}}\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"MpCmdRun.exe\" or ?process.pe.original_file_name == \"MpCmdRun.exe\") and\n process.args : \"-DownloadFile\" and process.args : \"-url\" and process.args : \"-path\"\n", "references": ["https://twitter.com/mohammadaskar2/status/1301263551638761477", "https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": 
"https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 313}, "id": "c6453e73-90eb-4fe7-a98c-cde7bbfc504a_313", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c6655282-6c79-11ef-bbb5-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/c6655282-6c79-11ef-bbb5-f661ea17fbcc_1.json
deleted file mode 100644
index 4d90b378fdc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c6655282-6c79-11ef-bbb5-f661ea17fbcc_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed interactive or non-interactive login attempts within a 30-minute window from a single source. Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services via different services such as Exchange, SharePoint, or Teams.", "false_positives": ["Automated processes that attempt to authenticate using expired credentials or have misconfigured authentication settings may lead to false positives."], "from": "now-30m", "interval": "10m", "language": "esql", "license": "Elastic License v2", "name": "Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source", "note": "This rule relies on Azure Entra ID sign-in logs, but filters for Microsoft 365 resources.", "query": "from logs-azure.signinlogs*\n| WHERE\n event.dataset == \"azure.signinlogs\"\n and event.category == \"authentication\"\n and to_lower(azure.signinlogs.properties.resource_display_name) rlike \"(.*)365(.*)\"\n and azure.signinlogs.category in (\"NonInteractiveUserSignInLogs\", \"SignInLogs\")\n and event.outcome != \"success\"\n\n // For tuning, review azure.signinlogs.properties.status.error_code\n // https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes\n\n// Count the number of unique targets per source IP\n| stats\n target_count = count_distinct(azure.signinlogs.properties.user_principal_name) by source.ip\n\n// Filter for at least 10 distinct failed login attempts from a single source\n| where target_count >= 10\n", "references": ["https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying", "https://github.com/0xZDH/o365spray"], "risk_score": 47, "rule_id": "c6655282-6c79-11ef-bbb5-f661ea17fbcc", "severity": "medium", "tags": ["Domain: Cloud", "Domain: SaaS", "Data Source: 
Azure", "Data Source: Entra ID", "Data Source: Entra ID Sign-in", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "c6655282-6c79-11ef-bbb5-f661ea17fbcc_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad.json b/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad.json
deleted file mode 100644
index 910ae5c2758..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly deleted."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Network Zone", "note": "## Triage and analysis\n\n### Investigating Attempt to Delete an Okta Network Zone\n\nOkta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. Deleting a network zone in Okta might remove or weaken the security controls of an organization, which might be an indicator of an adversary's attempt to evade defenses.\n\n#### Possible investigation steps:\n\n- Identify the actor associated with the alert by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\n- Examine the `event.action` field to confirm the deletion of a network zone.\n- Investigate the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` fields to identify the network zone that was deleted.\n- Review the `event.time` field to understand when the event happened.\n- Check the actor's activities before and after the event to understand the context of this event.\n\n### False positive analysis:\n\n- Verify the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. 
If these match the actor's typical behavior, it might be a false positive.\n- Check if the actor is a known administrator or a member of the IT team who might have a legitimate reason to delete a network zone.\n- Cross-verify the actor's actions with any known planned changes or maintenance activities.\n\n### Response and remediation:\n\n- If unauthorized access or actions are confirmed, immediately lock the affected actor's account and require a password change.\n- If a network zone was deleted without authorization, create a new network zone with similar settings as the deleted one.\n- Review and update the privileges of the actor who initiated the deletion.\n- Identify any gaps in the security policies and procedures and update them as necessary.\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.\n- Communicate and train the employees about the importance of following proper procedures for modifying network zone settings.", "query": "event.dataset:okta.system and event.action:zone.delete\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "c749e367-a069-4a73-b1f2-43a3798153ad", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "c749e367-a069-4a73-b1f2-43a3798153ad", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_102.json b/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_102.json
deleted file mode 100644
index fedecf1ed71..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly deleted."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Network Zone", "note": "", "query": "event.dataset:okta.system and event.action:zone.delete\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "c749e367-a069-4a73-b1f2-43a3798153ad", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Network Security", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": 
"https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "c749e367-a069-4a73-b1f2-43a3798153ad_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_103.json b/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_103.json
deleted file mode 100644
index d8310029e19..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly deleted."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Network Zone", "note": "", "query": "event.dataset:okta.system and event.action:zone.delete\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "c749e367-a069-4a73-b1f2-43a3798153ad", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": 
"https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "c749e367-a069-4a73-b1f2-43a3798153ad_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_104.json b/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_104.json
deleted file mode 100644
index 1f1e688871a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly deleted."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Network Zone", "note": "## Triage and analysis\n\n### Investigating Attempt to Delete an Okta Network Zone\n\nOkta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. Deleting a network zone in Okta might remove or weaken the security controls of an organization, which might be an indicator of an adversary's attempt to evade defenses.\n\n#### Possible investigation steps:\n\n- Identify the actor associated with the alert by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\n- Examine the `event.action` field to confirm the deletion of a network zone.\n- Investigate the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` fields to identify the network zone that was deleted.\n- Review the `event.time` field to understand when the event happened.\n- Check the actor's activities before and after the event to understand the context of this event.\n\n### False positive analysis:\n\n- Verify the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. 
If these match the actor's typical behavior, it might be a false positive.\n- Check if the actor is a known administrator or a member of the IT team who might have a legitimate reason to delete a network zone.\n- Cross-verify the actor's actions with any known planned changes or maintenance activities.\n\n### Response and remediation:\n\n- If unauthorized access or actions are confirmed, immediately lock the affected actor's account and require a password change.\n- If a network zone was deleted without authorization, create a new network zone with similar settings as the deleted one.\n- Review and update the privileges of the actor who initiated the deletion.\n- Identify any gaps in the security policies and procedures and update them as necessary.\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.\n- Communicate and train the employees about the importance of following proper procedures for modifying network zone settings.", "query": "event.dataset:okta.system and event.action:zone.delete\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "c749e367-a069-4a73-b1f2-43a3798153ad", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "c749e367-a069-4a73-b1f2-43a3798153ad_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_105.json b/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_105.json
deleted file mode 100644
index 053b01716b3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly deleted."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Network Zone", "note": "## Triage and analysis\n\n### Investigating Attempt to Delete an Okta Network Zone\n\nOkta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. Deleting a network zone in Okta might remove or weaken the security controls of an organization, which might be an indicator of an adversary's attempt to evade defenses.\n\n#### Possible investigation steps:\n\n- Identify the actor associated with the alert by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\n- Examine the `event.action` field to confirm the deletion of a network zone.\n- Investigate the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` fields to identify the network zone that was deleted.\n- Review the `event.time` field to understand when the event happened.\n- Check the actor's activities before and after the event to understand the context of this event.\n\n### False positive analysis:\n\n- Verify the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. 
If these match the actor's typical behavior, it might be a false positive.\n- Check if the actor is a known administrator or a member of the IT team who might have a legitimate reason to delete a network zone.\n- Cross-verify the actor's actions with any known planned changes or maintenance activities.\n\n### Response and remediation:\n\n- If unauthorized access or actions are confirmed, immediately lock the affected actor's account and require a password change.\n- If a network zone was deleted without authorization, create a new network zone with similar settings as the deleted one.\n- Review and update the privileges of the actor who initiated the deletion.\n- Identify any gaps in the security policies and procedures and update them as necessary.\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.\n- Communicate and train the employees about the importance of following proper procedures for modifying network zone settings.", "query": "event.dataset:okta.system and event.action:zone.delete\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "c749e367-a069-4a73-b1f2-43a3798153ad", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "c749e367-a069-4a73-b1f2-43a3798153ad_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_206.json b/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_206.json
deleted file mode 100644
index 61248b4e0c5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_206.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly deleted."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Network Zone", "note": "## Triage and analysis\n\n### Investigating Attempt to Delete an Okta Network Zone\n\nOkta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. Deleting a network zone in Okta might remove or weaken the security controls of an organization, which might be an indicator of an adversary's attempt to evade defenses.\n\n#### Possible investigation steps:\n\n- Identify the actor associated with the alert by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\n- Examine the `event.action` field to confirm the deletion of a network zone.\n- Investigate the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` fields to identify the network zone that was deleted.\n- Review the `event.time` field to understand when the event happened.\n- Check the actor's activities before and after the event to understand the context of this event.\n\n### False positive analysis:\n\n- Verify the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. 
If these match the actor's typical behavior, it might be a false positive.\n- Check if the actor is a known administrator or a member of the IT team who might have a legitimate reason to delete a network zone.\n- Cross-verify the actor's actions with any known planned changes or maintenance activities.\n\n### Response and remediation:\n\n- If unauthorized access or actions are confirmed, immediately lock the affected actor's account and require a password change.\n- If a network zone was deleted without authorization, create a new network zone with similar settings as the deleted one.\n- Review and update the privileges of the actor who initiated the deletion.\n- Identify any gaps in the security policies and procedures and update them as necessary.\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.\n- Communicate and train the employees about the importance of following proper procedures for modifying network zone settings.", "query": "event.dataset:okta.system and event.action:zone.delete\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "c749e367-a069-4a73-b1f2-43a3798153ad", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "c749e367-a069-4a73-b1f2-43a3798153ad_206", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_207.json b/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_207.json
deleted file mode 100644
index 8a9eb494cee..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_207.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly deleted."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Network Zone", "note": "## Triage and analysis\n\n### Investigating Attempt to Delete an Okta Network Zone\n\nOkta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. Deleting a network zone in Okta might remove or weaken the security controls of an organization, which might be an indicator of an adversary's attempt to evade defenses.\n\n#### Possible investigation steps:\n\n- Identify the actor associated with the alert by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\n- Examine the `event.action` field to confirm the deletion of a network zone.\n- Investigate the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` fields to identify the network zone that was deleted.\n- Review the `event.time` field to understand when the event happened.\n- Check the actor's activities before and after the event to understand the context of this event.\n\n### False positive analysis:\n\n- Verify the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. 
If these match the actor's typical behavior, it might be a false positive.\n- Check if the actor is a known administrator or a member of the IT team who might have a legitimate reason to delete a network zone.\n- Cross-verify the actor's actions with any known planned changes or maintenance activities.\n\n### Response and remediation:\n\n- If unauthorized access or actions are confirmed, immediately lock the affected actor's account and require a password change.\n- If a network zone was deleted without authorization, create a new network zone with similar settings as the deleted one.\n- Review and update the privileges of the actor who initiated the deletion.\n- Identify any gaps in the security policies and procedures and update them as necessary.\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.\n- Communicate and train the employees about the importance of following proper procedures for modifying network zone settings.", "query": "event.dataset:okta.system and event.action:zone.delete\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "c749e367-a069-4a73-b1f2-43a3798153ad", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access 
Audit", "Data Source: Okta", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "c749e367-a069-4a73-b1f2-43a3798153ad_207", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_209.json b/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_209.json
deleted file mode 100644
index 1f9ed189793..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_209.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly deleted."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Network Zone", "note": "## Triage and analysis\n\n### Investigating Attempt to Delete an Okta Network Zone\n\nOkta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. Deleting a network zone in Okta might remove or weaken the security controls of an organization, which might be an indicator of an adversary's attempt to evade defenses.\n\n#### Possible investigation steps:\n\n- Identify the actor associated with the alert by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\n- Examine the `event.action` field to confirm the deletion of a network zone.\n- Investigate the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` fields to identify the network zone that was deleted.\n- Review the `event.time` field to understand when the event happened.\n- Check the actor's activities before and after the event to understand the context of this event.\n\n### False positive analysis:\n\n- Verify the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. 
If these match the actor's typical behavior, it might be a false positive.\n- Check if the actor is a known administrator or a member of the IT team who might have a legitimate reason to delete a network zone.\n- Cross-verify the actor's actions with any known planned changes or maintenance activities.\n\n### Response and remediation:\n\n- If unauthorized access or actions are confirmed, immediately lock the affected actor's account and require a password change.\n- If a network zone was deleted without authorization, create a new network zone with similar settings as the deleted one.\n- Review and update the privileges of the actor who initiated the deletion.\n- Identify any gaps in the security policies and procedures and update them as necessary.\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.\n- Communicate and train the employees about the importance of following proper procedures for modifying network zone settings.", "query": "event.dataset:okta.system and event.action:zone.delete\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "c749e367-a069-4a73-b1f2-43a3798153ad", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access 
Audit", "Data Source: Okta", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "c749e367-a069-4a73-b1f2-43a3798153ad_209", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_309.json b/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_309.json
new file mode 100644
index 00000000000..55519c0482d
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/c749e367-a069-4a73-b1f2-43a3798153ad_309.json
@@ -0,0 +1,85 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects attempts to delete an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.",
+ "false_positives": [
+ "Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly deleted."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempt to Delete an Okta Network Zone",
+ "note": "## Triage and analysis\n\n### Investigating Attempt to Delete an Okta Network Zone\n\nOkta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. Deleting a network zone in Okta might remove or weaken the security controls of an organization, which might be an indicator of an adversary's attempt to evade defenses.\n\n#### Possible investigation steps:\n\n- Identify the actor associated with the alert by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\n- Examine the `event.action` field to confirm the deletion of a network zone.\n- Investigate the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` fields to identify the network zone that was deleted.\n- Review the `event.time` field to understand when the event happened.\n- Check the actor's activities before and after the event to understand the context of this event.\n\n### False positive analysis:\n\n- Verify the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor. 
If these match the actor's typical behavior, it might be a false positive.\n- Check if the actor is a known administrator or a member of the IT team who might have a legitimate reason to delete a network zone.\n- Cross-verify the actor's actions with any known planned changes or maintenance activities.\n\n### Response and remediation:\n\n- If unauthorized access or actions are confirmed, immediately lock the affected actor's account and require a password change.\n- If a network zone was deleted without authorization, create a new network zone with similar settings as the deleted one.\n- Review and update the privileges of the actor who initiated the deletion.\n- Identify any gaps in the security policies and procedures and update them as necessary.\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.\n- Communicate and train the employees about the importance of following proper procedures for modifying network zone settings.",
+ "query": "event.dataset:okta.system and event.action:zone.delete\n",
+ "references": [
+ "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "c749e367-a069-4a73-b1f2-43a3798153ad",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this 
rule.",
+ "severity": "medium",
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Use Case: Network Security Monitoring",
+ "Tactic: Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.007",
+ "name": "Disable or Modify Cloud Firewall",
+ "reference": "https://attack.mitre.org/techniques/T1562/007/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 309
+ },
+ "id": "c749e367-a069-4a73-b1f2-43a3798153ad_309",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09.json b/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09.json
deleted file mode 100644
index d250f01aa36..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09.json
+++ /dev/null
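Review bot: The `false_positives` entry in the new c749e367-a069-4a73-b1f2-43a3798153ad_309.json reads `if Oyour organization's Okta network zones are regularly deleted`; the stray `O` is a typo in a user-facing string that is shown to analysts as the rule's false-positive guidance. It should read `"Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly deleted."`. Since this package is synced from an upstream rule source (the commit author is a bot), the correction presumably belongs in the source rule rather than in this generated file, so that the next sync does not reintroduce it.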
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly modified and the behavior is expected."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Application", "note": "", "query": "event.dataset:okta.system and event.action:application.lifecycle.update\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "c74fd275-ab2c-4d49-8890-e2943fa65c09", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "c74fd275-ab2c-4d49-8890-e2943fa65c09", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_102.json b/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_102.json
deleted file mode 100644
index d7d7ff248c0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly modified and the behavior is expected."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Application", "note": "", "query": "event.dataset:okta.system and event.action:application.lifecycle.update\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "c74fd275-ab2c-4d49-8890-e2943fa65c09", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring", "Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "c74fd275-ab2c-4d49-8890-e2943fa65c09_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_103.json b/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_103.json
deleted file mode 100644
index ef50a965c77..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly modified and the behavior is expected."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Application", "note": "", "query": "event.dataset:okta.system and event.action:application.lifecycle.update\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "c74fd275-ab2c-4d49-8890-e2943fa65c09", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "c74fd275-ab2c-4d49-8890-e2943fa65c09_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_104.json b/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_104.json
deleted file mode 100644
index e9e6153cc3a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly modified and the behavior is expected."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Application", "note": "", "query": "event.dataset:okta.system and event.action:application.lifecycle.update\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "c74fd275-ab2c-4d49-8890-e2943fa65c09", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "c74fd275-ab2c-4d49-8890-e2943fa65c09_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_205.json b/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_205.json
deleted file mode 100644
index d4cff721540..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_205.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly modified and the behavior is expected."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Application", "note": "", "query": "event.dataset:okta.system and event.action:application.lifecycle.update\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "c74fd275-ab2c-4d49-8890-e2943fa65c09", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "c74fd275-ab2c-4d49-8890-e2943fa65c09_205", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_206.json b/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_206.json
deleted file mode 100644
index 590283245d8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_206.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly modified and the behavior is expected."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Application", "note": "", "query": "event.dataset:okta.system and event.action:application.lifecycle.update\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "c74fd275-ab2c-4d49-8890-e2943fa65c09", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "c74fd275-ab2c-4d49-8890-e2943fa65c09_206", "type": "security-rule"}
\ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_208.json b/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_208.json
deleted file mode 100644
index cd1399c4b12..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_208.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly modified and the behavior is expected."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Application", "note": "", "query": "event.dataset:okta.system and event.action:application.lifecycle.update\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "c74fd275-ab2c-4d49-8890-e2943fa65c09", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 208}, "id": "c74fd275-ab2c-4d49-8890-e2943fa65c09_208", "type": "security-rule"}
\ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_308.json b/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_308.json
new file mode 100644
index 00000000000..87d04878dd3
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/c74fd275-ab2c-4d49-8890-e2943fa65c09_308.json
@@ -0,0 +1,71 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects attempts to modify an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.",
+ "false_positives": [
+ "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly modified and the behavior is expected."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempt to Modify an Okta Application",
+ "note": "",
+ "query": "event.dataset:okta.system and event.action:application.lifecycle.update\n",
+ "references": [
+ "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm",
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "c74fd275-ab2c-4d49-8890-e2943fa65c09",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "low",
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Impact"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0040",
+ "name": "Impact",
+ "reference": "https://attack.mitre.org/tactics/TA0040/"
+ },
+ "technique": []
+ }
+ 
],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 308
+ },
+ "id": "c74fd275-ab2c-4d49-8890-e2943fa65c09_308",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c75d0c86-38d6-4821-98a1-465cff8ff4c8.json b/packages/security_detection_engine/kibana/security_rule/c75d0c86-38d6-4821-98a1-465cff8ff4c8.json
deleted file mode 100644
index 61dae730c28..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c75d0c86-38d6-4821-98a1-465cff8ff4c8.json
+++ /dev/null
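Review bot: The new c74fd275-ab2c-4d49-8890-e2943fa65c09_308.json still ships with `"note": ""` and `"technique": []`, so the rule carries neither a triage guide nor a MITRE technique mapping beneath its Impact tactic, whereas the zone-delete rule added earlier in this patch has both. The deleted prior versions in this same file run also had both fields empty, so this is pre-existing rather than a regression, but a version bump that already touches the file is the natural place to fill them in. A note in the style of the sibling rule would point the analyst at the `okta.actor.*` fields to identify who made the change and the `okta.target.*` fields to identify the modified application, and ask them to confirm the change against a scheduled application update before treating the alert as suspicious. Whether `application.lifecycle.update` also covers deactivation, as the description implies, is not something this file establishes and would be worth confirming against the referenced Okta event-types documentation.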
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule identifies a sequence of events where a process named `entrypoint.sh` is started in a container, followed by a network connection attempt. This sequence indicates a potential egress connection from an entrypoint in a container. An entrypoint is a command or script specified in the Dockerfile and executed when the container starts. Attackers can use this technique to establish a foothold in the environment, escape from a container to the host, or establish persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Egress Connection from Entrypoint in Container", "query": "sequence by host.id with maxspan=3s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.entry_leader.entry_meta.type == \"container\" and process.name == \"entrypoint.sh\"] by process.entity_id\n [network where event.type == \"start\" and event.action == \"connection_attempted\" and not (\n destination.ip == null or destination.ip == \"0.0.0.0\" or cidrmatch(\n destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\",\n \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\", \"172.31.0.0/16\"\n )\n )] by process.parent.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": 
"host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.entry_leader.entry_meta.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}], "risk_score": 47, "rule_id": "c75d0c86-38d6-4821-98a1-465cff8ff4c8", "severity": "medium", "tags": ["Domain: Endpoint", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "c75d0c86-38d6-4821-98a1-465cff8ff4c8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a.json b/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a.json deleted file mode 100644 index a421c810647..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies unusual instances of dllhost.exe making outbound network connections. This may indicate adversarial Command and Control activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Connection via DllHost", "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"dllhost.exe\" and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : \"dllhost.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\", \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\")]\n", "references": ["https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/", "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c7894234-7814-44c2-92a9-f7d851ea246a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "type": "eql", "version": 107}, "id": "c7894234-7814-44c2-92a9-f7d851ea246a", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_103.json b/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_103.json deleted file mode 100644 index c80cdf6fdb3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unusual instances of dllhost.exe making outbound network connections. This may indicate adversarial Command and Control activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Connection via DllHost", "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"dllhost.exe\" and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : \"dllhost.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\", \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\")]\n", "references": ["https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/", "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": 
"process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c7894234-7814-44c2-92a9-f7d851ea246a", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "type": "eql", "version": 103}, "id": "c7894234-7814-44c2-92a9-f7d851ea246a_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_104.json b/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_104.json deleted file mode 100644 index 0ad120b1e1e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unusual instances of dllhost.exe making outbound network connections. This may indicate adversarial Command and Control activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Connection via DllHost", "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"dllhost.exe\" and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : \"dllhost.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\", \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\")]\n", "references": ["https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/", "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": 
"process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c7894234-7814-44c2-92a9-f7d851ea246a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "type": "eql", "version": 104}, "id": "c7894234-7814-44c2-92a9-f7d851ea246a_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_105.json b/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_105.json deleted file mode 100644 index 621d8200701..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unusual instances of dllhost.exe making outbound network connections. This may indicate adversarial Command and Control activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Connection via DllHost", "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"dllhost.exe\" and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : \"dllhost.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\", \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\")]\n", "references": ["https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/", "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": 
"process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c7894234-7814-44c2-92a9-f7d851ea246a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "type": "eql", "version": 105}, "id": "c7894234-7814-44c2-92a9-f7d851ea246a_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_106.json b/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_106.json deleted file mode 100644 index fe5ba863c6c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unusual instances of dllhost.exe making outbound network connections. This may indicate adversarial Command and Control activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Connection via DllHost", "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"dllhost.exe\" and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : \"dllhost.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\", \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\")]\n", "references": ["https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/", "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": 
true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c7894234-7814-44c2-92a9-f7d851ea246a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "type": "eql", "version": 106}, "id": "c7894234-7814-44c2-92a9-f7d851ea246a_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_107.json b/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_107.json deleted file mode 100644 index c8a6263704d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c7894234-7814-44c2-92a9-f7d851ea246a_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unusual instances of dllhost.exe making outbound network connections. This may indicate adversarial Command and Control activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Network Connection via DllHost", "query": "sequence by host.id, process.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"dllhost.exe\" and process.args_count == 1]\n [network where host.os.type == \"windows\" and process.name : \"dllhost.exe\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\", \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\")]\n", "references": ["https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/", "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": 
"process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c7894234-7814-44c2-92a9-f7d851ea246a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "type": "eql", "version": 107}, "id": "c7894234-7814-44c2-92a9-f7d851ea246a_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531.json b/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531.json deleted file mode 100644 index 2c747e13a47..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects when a user creates a pod/container running in privileged mode. A highly privileged container has access to the node's resources and breaks the isolation between containers. If compromised, an attacker can use the privileged container to gain access to the underlying host. Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.", "false_positives": ["By default a container is not allowed to access any devices on the host, but a \"privileged\" container is given access to all devices on the host. This allows the container nearly all the same access as processes running on the host. An administrator may want to run a privileged container to use operating system administrative capabilities such as manipulating the network stack or accessing hardware devices from within the cluster. 
Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\""], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Privileged Pod Created", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:pods\n and kubernetes.audit.verb:create\n and kubernetes.audit.requestObject.spec.containers.securityContext.privileged:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", "references": ["https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF", "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.image", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.securityContext.privileged", "type": "boolean"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "keyword"}], "risk_score": 47, "rule_id": "c7908cac-337a-4f38-b50d-5eeb78bdb531", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": 
[{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1610", "name": "Deploy Container", "reference": "https://attack.mitre.org/techniques/T1610/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 204}, "id": "c7908cac-337a-4f38-b50d-5eeb78bdb531", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_201.json b/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_201.json deleted file mode 100644 index 902ff6162ee..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_201.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects when a user creates a pod/container running in privileged mode. A highly privileged container has access to the node's resources and breaks the isolation between containers. If compromised, an attacker can use the privileged container to gain access to the underlying host. Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.", "false_positives": ["By default a container is not allowed to access any devices on the host, but a \"privileged\" container is given access to all devices on the host. This allows the container nearly all the same access as processes running on the host. An administrator may want to run a privileged container to use operating system administrative capabilities such as manipulating the network stack or accessing hardware devices from within the cluster. 
Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\""], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Privileged Pod Created", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:pods\n and kubernetes.audit.verb:create\n and kubernetes.audit.requestObject.spec.containers.securityContext.privileged:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", "references": ["https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF", "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.image", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.securityContext.privileged", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "unknown"}], "risk_score": 47, "rule_id": "c7908cac-337a-4f38-b50d-5eeb78bdb531", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, 
"technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1610", "name": "Deploy Container", "reference": "https://attack.mitre.org/techniques/T1610/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 201}, "id": "c7908cac-337a-4f38-b50d-5eeb78bdb531_201", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_202.json b/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_202.json deleted file mode 100644 index 42bb63f5870..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_202.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects when a user creates a pod/container running in privileged mode. A highly privileged container has access to the node's resources and breaks the isolation between containers. If compromised, an attacker can use the privileged container to gain access to the underlying host. Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.", "false_positives": ["By default a container is not allowed to access any devices on the host, but a \"privileged\" container is given access to all devices on the host. This allows the container nearly all the same access as processes running on the host. An administrator may want to run a privileged container to use operating system administrative capabilities such as manipulating the network stack or accessing hardware devices from within the cluster. 
Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\""], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Privileged Pod Created", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:pods\n and kubernetes.audit.verb:create\n and kubernetes.audit.requestObject.spec.containers.securityContext.privileged:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", "references": ["https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF", "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.image", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.securityContext.privileged", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "unknown"}], "risk_score": 47, "rule_id": "c7908cac-337a-4f38-b50d-5eeb78bdb531", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": 
[{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1610", "name": "Deploy Container", "reference": "https://attack.mitre.org/techniques/T1610/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 202}, "id": "c7908cac-337a-4f38-b50d-5eeb78bdb531_202", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_203.json b/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_203.json deleted file mode 100644 index b82ed01fed5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c7908cac-337a-4f38-b50d-5eeb78bdb531_203.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects when a user creates a pod/container running in privileged mode. A highly privileged container has access to the node's resources and breaks the isolation between containers. If compromised, an attacker can use the privileged container to gain access to the underlying host. Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.", "false_positives": ["By default a container is not allowed to access any devices on the host, but a \"privileged\" container is given access to all devices on the host. This allows the container nearly all the same access as processes running on the host. An administrator may want to run a privileged container to use operating system administrative capabilities such as manipulating the network stack or accessing hardware devices from within the cluster. 
Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\""], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Privileged Pod Created", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:pods\n and kubernetes.audit.verb:create\n and kubernetes.audit.requestObject.spec.containers.securityContext.privileged:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", "references": ["https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF", "https://kubernetes.io/docs/tasks/configure-pod-container/security-context/"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.image", "type": "text"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.securityContext.privileged", "type": "boolean"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "keyword"}], "risk_score": 47, "rule_id": "c7908cac-337a-4f38-b50d-5eeb78bdb531", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": 
[{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1610", "name": "Deploy Container", "reference": "https://attack.mitre.org/techniques/T1610/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 203}, "id": "c7908cac-337a-4f38-b50d-5eeb78bdb531_203", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9.json b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9.json deleted file mode 100644 index 004a460a1f3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual File Modification by dns.exe", "note": "## Triage and analysis\n\n### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.\n", "query": "file where host.os.type == \"windows\" and process.name : \"dns.exe\" and event.type in (\"creation\", \"deletion\", \"change\") and\n not file.name : \"dns.log\" and not\n (file.extension : (\"old\", \"temp\", \"bak\", \"dns\", \"arpa\") and file.path : \"C:\\\\Windows\\\\System32\\\\dns\\\\*\") and\n\n /* DNS logs with custom names, header converts to \"DNS Server log\" */\n not ?file.Ext.header_bytes : \"444e5320536572766572206c6f67*\"\n", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", 
"version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_104.json b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_104.json deleted file mode 100644 index 669677c441f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual File Modification by dns.exe", "note": "## Triage and analysis\n\n### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.", "query": "file where host.os.type == \"windows\" and process.name : \"dns.exe\" and event.type in (\"creation\", \"deletion\", \"change\") and\n not file.name : \"dns.log\" and not\n (file.extension : (\"old\", \"temp\", \"bak\", \"dns\", \"arpa\") and file.path : \"C:\\\\Windows\\\\System32\\\\dns\\\\*\")\n", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, 
"name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1133", "name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_105.json b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_105.json deleted file mode 100644 index aa9cc2c29a1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual File Modification by dns.exe", "note": "## Triage and analysis\n\n### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.", "query": "file where host.os.type == \"windows\" and process.name : \"dns.exe\" and event.type in (\"creation\", \"deletion\", \"change\") and\n not file.name : \"dns.log\" and not\n (file.extension : (\"old\", \"temp\", \"bak\", \"dns\", \"arpa\") and file.path : \"C:\\\\Windows\\\\System32\\\\dns\\\\*\")\n", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, 
"name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1133", "name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_106.json b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_106.json deleted file mode 100644 index 40449106b28..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual File Modification by dns.exe", "note": "## Triage and analysis\n\n### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.", "query": "file where host.os.type == \"windows\" and process.name : \"dns.exe\" and event.type in (\"creation\", \"deletion\", \"change\") and\n not file.name : \"dns.log\" and not\n (file.extension : (\"old\", \"temp\", \"bak\", \"dns\", \"arpa\") and file.path : \"C:\\\\Windows\\\\System32\\\\dns\\\\*\")\n", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, 
"name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1133", "name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_107.json b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_107.json deleted file mode 100644 index 9aca31b3a2f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual File Modification by dns.exe", "note": "## Triage and analysis\n\n### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.", "query": "file where host.os.type == \"windows\" and process.name : \"dns.exe\" and event.type in (\"creation\", \"deletion\", \"change\") and\n not file.name : \"dns.log\" and not\n (file.extension : (\"old\", \"temp\", \"bak\", \"dns\", \"arpa\") and file.path : \"C:\\\\Windows\\\\System32\\\\dns\\\\*\")\n", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, 
"name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_108.json b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_108.json deleted file mode 100644 index 809edd65fc9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual File Modification by dns.exe", "note": "## Triage and analysis\n\n### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.\n\n", "query": "file where host.os.type == \"windows\" and process.name : \"dns.exe\" and event.type in (\"creation\", \"deletion\", \"change\") and\n not file.name : \"dns.log\" and not\n (file.extension : (\"old\", \"temp\", \"bak\", \"dns\", \"arpa\") and file.path : \"C:\\\\Windows\\\\System32\\\\dns\\\\*\")\n", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, 
"name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_109.json b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_109.json deleted file mode 100644 index 092666838b3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual File Modification by dns.exe", "note": "## Triage and analysis\n\n### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.\n", "query": "file where host.os.type == \"windows\" and process.name : \"dns.exe\" and event.type in (\"creation\", \"deletion\", \"change\") and\n not file.name : \"dns.log\" and not\n (file.extension : (\"old\", \"temp\", \"bak\", \"dns\", \"arpa\") and file.path : \"C:\\\\Windows\\\\System32\\\\dns\\\\*\")\n", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": 
"keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_110.json b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_110.json deleted file mode 100644 index b72cd666faf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual File Modification by dns.exe", "note": "## Triage and analysis\n\n### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.\n", "query": "file where host.os.type == \"windows\" and process.name : \"dns.exe\" and event.type in (\"creation\", \"deletion\", \"change\") and\n not file.name : \"dns.log\" and not\n (file.extension : (\"old\", \"temp\", \"bak\", \"dns\", \"arpa\") and file.path : \"C:\\\\Windows\\\\System32\\\\dns\\\\*\")\n", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": 
"keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_111.json b/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_111.json deleted file mode 100644 index 29afb12821e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual File Modification by dns.exe", "note": "## Triage and analysis\n\n### Investigating Unusual File Write\nDetection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:\n- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.\n- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.\n", "query": "file where host.os.type == \"windows\" and process.name : \"dns.exe\" and event.type in (\"creation\", \"deletion\", \"change\") and\n not file.name : \"dns.log\" and not\n (file.extension : (\"old\", \"temp\", \"bak\", \"dns\", \"arpa\") and file.path : \"C:\\\\Windows\\\\System32\\\\dns\\\\*\") and\n\n /* DNS logs with custom names, header converts to \"DNS Server log\" */\n not ?file.Ext.header_bytes : \"444e5320536572766572206c6f67*\"\n", "references": ["https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", 
"version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573.json b/packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573.json deleted file mode 100644 index 125641314d9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected an unusually large spike in network activity to one destination country in the network logs. This could be due to unusually large amounts of reconnaissance or enumeration traffic. Data exfiltration activity may also produce such a surge in traffic to a destination country that does not normally appear in network traffic or business workflows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.", "false_positives": ["Business workflows that occur very occasionally, and involve an unusual surge in network traffic to one destination country, can trigger this alert. A new business workflow or a surge in business activity in a particular country may trigger this alert. Business travelers who roam to many countries for brief periods may trigger this alert if they engage in volumetric network activity."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "high_count_by_destination_country", "name": "Spike in Network Traffic To a Country", "note": "## Triage and analysis\n\n### Investigating Spike in Network Traffic To a Country\n\nMonitoring network traffic for anomalies is a good methodology for uncovering various potentially suspicious activities. 
For example, data exfiltration or infected machines may communicate with a command-and-control (C2) server in another country your company doesn't have business with.\n\nThis rule uses a machine learning job to detect a significant spike in the network traffic to a country, which can indicate reconnaissance or enumeration activities, an infected machine being used as a bot in a DDoS attack, or potentially data exfiltration.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Investigate other alerts associated with the involved assets during the past 48 hours.\n- Examine the data available and determine the exact users and processes involved in those connections.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Consider the time of day. If the user is a human (not a program or script), did the activity occurs during working hours?\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n\n### False positive analysis\n\n- Understand the context of the connections by contacting the asset owners. 
If this activity is related to a new business process or newly implemented (approved) technology, consider adding exceptions \u2014 preferably with a combination of user and source conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n - Remove and block malicious artifacts identified during triage.\n- Consider implementing temporary network border rules to block or alert connections to the target country, if relevant.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "c7db5533-ca2a-41f6-a8b0-ee98abe0f573", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Network Packet Capture\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Network Packet Capture Integration Setup\nThe Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment \u2014 ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"network_traffic\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cNetwork Packet Capture\u201d and select the integration to see more details about it.\n- Click \u201cAdd Network Packet Capture\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cnetwork_traffic\u201d to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).\n", "severity": "low", "tags": ["Use Case: Threat Detection", 
"Rule Type: ML", "Rule Type: Machine Learning"], "type": "machine_learning", "version": 105}, "id": "c7db5533-ca2a-41f6-a8b0-ee98abe0f573", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573_102.json b/packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573_102.json deleted file mode 100644 index 028e96924e8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected an unusually large spike in network activity to one destination country in the network logs. This could be due to unusually large amounts of reconnaissance or enumeration traffic. Data exfiltration activity may also produce such a surge in traffic to a destination country that does not normally appear in network traffic or business workflows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.", "false_positives": ["Business workflows that occur very occasionally, and involve an unusual surge in network traffic to one destination country, can trigger this alert. A new business workflow or a surge in business activity in a particular country may trigger this alert. Business travelers who roam to many countries for brief periods may trigger this alert if they engage in volumetric network activity."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "high_count_by_destination_country", "name": "Spike in Network Traffic To a Country", "note": "## Triage and analysis\n\n### Investigating Spike in Network Traffic To a Country\n\nMonitoring network traffic for anomalies is a good methodology for uncovering various potentially suspicious activities. 
For example, data exfiltration or infected machines may communicate with a command-and-control (C2) server in another country your company doesn't have business with.\n\nThis rule uses a machine learning job to detect a significant spike in the network traffic to a country, which can indicate reconnaissance or enumeration activities, an infected machine being used as a bot in a DDoS attack, or potentially data exfiltration.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Investigate other alerts associated with the involved assets during the past 48 hours.\n- Examine the data available and determine the exact users and processes involved in those connections.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Consider the time of day. If the user is a human (not a program or script), did the activity occurs during working hours?\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n\n### False positive analysis\n\n- Understand the context of the connections by contacting the asset owners. 
If this activity is related to a new business process or newly implemented (approved) technology, consider adding exceptions \u2014 preferably with a combination of user and source conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n - Remove and block malicious artifacts identified during triage.\n- Consider implementing temporary network border rules to block or alert connections to the target country, if relevant.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "c7db5533-ca2a-41f6-a8b0-ee98abe0f573", "severity": "low", "tags": ["Elastic", "Network", "Threat Detection", "ML", "Machine Learning"], "type": "machine_learning", "version": 102}, "id": "c7db5533-ca2a-41f6-a8b0-ee98abe0f573_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573_103.json b/packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573_103.json deleted file mode 100644 index f4edf3731b2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected an unusually large spike in network activity to one destination country in the network logs. This could be due to unusually large amounts of reconnaissance or enumeration traffic. Data exfiltration activity may also produce such a surge in traffic to a destination country that does not normally appear in network traffic or business workflows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.", "false_positives": ["Business workflows that occur very occasionally, and involve an unusual surge in network traffic to one destination country, can trigger this alert. A new business workflow or a surge in business activity in a particular country may trigger this alert. Business travelers who roam to many countries for brief periods may trigger this alert if they engage in volumetric network activity."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "high_count_by_destination_country", "name": "Spike in Network Traffic To a Country", "note": "## Triage and analysis\n\n### Investigating Spike in Network Traffic To a Country\n\nMonitoring network traffic for anomalies is a good methodology for uncovering various potentially suspicious activities. 
For example, data exfiltration or infected machines may communicate with a command-and-control (C2) server in another country your company doesn't have business with.\n\nThis rule uses a machine learning job to detect a significant spike in the network traffic to a country, which can indicate reconnaissance or enumeration activities, an infected machine being used as a bot in a DDoS attack, or potentially data exfiltration.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Investigate other alerts associated with the involved assets during the past 48 hours.\n- Examine the data available and determine the exact users and processes involved in those connections.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Consider the time of day. If the user is a human (not a program or script), did the activity occurs during working hours?\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n\n### False positive analysis\n\n- Understand the context of the connections by contacting the asset owners. 
If this activity is related to a new business process or newly implemented (approved) technology, consider adding exceptions \u2014 preferably with a combination of user and source conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n - Remove and block malicious artifacts identified during triage.\n- Consider implementing temporary network border rules to block or alert connections to the target country, if relevant.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "c7db5533-ca2a-41f6-a8b0-ee98abe0f573", "severity": "low", "tags": ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"], "type": "machine_learning", "version": 103}, "id": "c7db5533-ca2a-41f6-a8b0-ee98abe0f573_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573_104.json b/packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573_104.json deleted file mode 100644 index 2251be5c588..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c7db5533-ca2a-41f6-a8b0-ee98abe0f573_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected an unusually large spike in network activity to one destination country in the network logs. This could be due to unusually large amounts of reconnaissance or enumeration traffic. Data exfiltration activity may also produce such a surge in traffic to a destination country that does not normally appear in network traffic or business workflows. Malware instances and persistence mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network.", "false_positives": ["Business workflows that occur very occasionally, and involve an unusual surge in network traffic to one destination country, can trigger this alert. A new business workflow or a surge in business activity in a particular country may trigger this alert. Business travelers who roam to many countries for brief periods may trigger this alert if they engage in volumetric network activity."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "high_count_by_destination_country", "name": "Spike in Network Traffic To a Country", "note": "## Triage and analysis\n\n### Investigating Spike in Network Traffic To a Country\n\nMonitoring network traffic for anomalies is a good methodology for uncovering various potentially suspicious activities. 
For example, data exfiltration or infected machines may communicate with a command-and-control (C2) server in another country your company doesn't have business with.\n\nThis rule uses a machine learning job to detect a significant spike in the network traffic to a country, which can indicate reconnaissance or enumeration activities, an infected machine being used as a bot in a DDoS attack, or potentially data exfiltration.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Investigate other alerts associated with the involved assets during the past 48 hours.\n- Examine the data available and determine the exact users and processes involved in those connections.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Consider the time of day. If the user is a human (not a program or script), did the activity occurs during working hours?\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n\n### False positive analysis\n\n- Understand the context of the connections by contacting the asset owners. 
If this activity is related to a new business process or newly implemented (approved) technology, consider adding exceptions \u2014 preferably with a combination of user and source conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n - Remove and block malicious artifacts identified during triage.\n- Consider implementing temporary network border rules to block or alert connections to the target country, if relevant.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "c7db5533-ca2a-41f6-a8b0-ee98abe0f573", "severity": "low", "tags": ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"], "type": "machine_learning", "version": 104}, "id": "c7db5533-ca2a-41f6-a8b0-ee98abe0f573_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d.json b/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d.json deleted file mode 100644 index 40a3d0f5450..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Persistence via Docker Shortcut Modification", "query": "event.category:file and host.os.type:macos and event.action:modification and\n file.path:/Users/*/Library/Preferences/com.apple.dock.plist and\n not process.name:(xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService) and\n not process.executable:(/Library/Addigy/download-cache/* or \"/Library/Kandji/Kandji Agent.app/Contents/MacOS/kandji-library-manager\")\n", "references": ["https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c81cefcb-82b9-4408-a533-3c3df549e62d", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "c81cefcb-82b9-4408-a533-3c3df549e62d", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_102.json b/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_102.json deleted file mode 100644 index 30029246fbd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Persistence via Docker Shortcut Modification", "query": "event.category:file and host.os.type:macos and event.action:modification and\n file.path:/Users/*/Library/Preferences/com.apple.dock.plist and\n not process.name:(xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService)\n", "references": ["https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c81cefcb-82b9-4408-a533-3c3df549e62d", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "c81cefcb-82b9-4408-a533-3c3df549e62d_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_103.json b/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_103.json deleted file mode 100644 index 13734e4846c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Persistence via Docker Shortcut Modification", "query": "event.category:file and host.os.type:macos and event.action:modification and\n file.path:/Users/*/Library/Preferences/com.apple.dock.plist and\n not process.name:(xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService)\n", "references": ["https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c81cefcb-82b9-4408-a533-3c3df549e62d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "c81cefcb-82b9-4408-a533-3c3df549e62d_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_104.json b/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_104.json deleted file mode 100644 index b84e4947f69..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Persistence via Docker Shortcut Modification", "query": "event.category:file and host.os.type:macos and event.action:modification and\n file.path:/Users/*/Library/Preferences/com.apple.dock.plist and\n not process.name:(xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService)\n", "references": ["https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c81cefcb-82b9-4408-a533-3c3df549e62d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "c81cefcb-82b9-4408-a533-3c3df549e62d_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_105.json b/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_105.json deleted file mode 100644 index 57d842785b5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Persistence via Docker Shortcut Modification", "query": "event.category:file and host.os.type:macos and event.action:modification and\n file.path:/Users/*/Library/Preferences/com.apple.dock.plist and\n not process.name:(xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService)\n", "references": ["https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c81cefcb-82b9-4408-a533-3c3df549e62d", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "c81cefcb-82b9-4408-a533-3c3df549e62d_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_106.json b/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_106.json deleted file mode 100644 index 1e01540d632..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c81cefcb-82b9-4408-a533-3c3df549e62d_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Persistence via Docker Shortcut Modification", "query": "event.category:file and host.os.type:macos and event.action:modification and\n file.path:/Users/*/Library/Preferences/com.apple.dock.plist and\n not process.name:(xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService)\n", "references": ["https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c81cefcb-82b9-4408-a533-3c3df549e62d", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "c81cefcb-82b9-4408-a533-3c3df549e62d_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a.json b/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a.json deleted file mode 100644 index 4e6d467c27a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector or for data exfiltration.", "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "SMB (Windows File Sharing) Activity to the Internet", "query": "(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": 
"keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 73, "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a", "severity": "high", "tags": ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1048", "name": "Exfiltration Over Alternative Protocol", "reference": "https://attack.mitre.org/techniques/T1048/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "c82b2bd8-d701-420c-ba43-f11a155b681a", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_100.json b/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_100.json deleted file mode 100644 index e341f32ca8c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_100.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector or for data exfiltration.", "from": "now-9m", "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "SMB (Windows File Sharing) Activity to the Internet", "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 73, "rule_id": 
"c82b2bd8-d701-420c-ba43-f11a155b681a", "severity": "high", "tags": ["Elastic", "Host", "Network", "Threat Detection", "Initial Access", "Host"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1048", "name": "Exfiltration Over Alternative Protocol", "reference": "https://attack.mitre.org/techniques/T1048/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 100}, "id": "c82b2bd8-d701-420c-ba43-f11a155b681a_100", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_101.json b/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_101.json deleted file mode 100644 index 945035c1e68..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector or for data exfiltration.", "from": "now-9m", "index": ["packetbeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "SMB (Windows File Sharing) Activity to the Internet", "query": "event.dataset: network_traffic.flow and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 73, "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a", 
"severity": "high", "tags": ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Initial Access", "Domain: Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1048", "name": "Exfiltration Over Alternative Protocol", "reference": "https://attack.mitre.org/techniques/T1048/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "c82b2bd8-d701-420c-ba43-f11a155b681a_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_102.json b/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_102.json deleted file mode 100644 index 96e4e08bd36..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector or for data exfiltration.", "from": "now-9m", "index": ["packetbeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "SMB (Windows File Sharing) Activity to the Internet", "query": "event.dataset: network_traffic.flow and network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 73, "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a", 
"severity": "high", "tags": ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1048", "name": "Exfiltration Over Alternative Protocol", "reference": "https://attack.mitre.org/techniques/T1048/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "c82b2bd8-d701-420c-ba43-f11a155b681a_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_103.json b/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_103.json deleted file mode 100644 index 536da6f4bfa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c82b2bd8-d701-420c-ba43-f11a155b681a_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects network events that may indicate the use of Windows file sharing (also called SMB or CIFS) traffic to the Internet. SMB is commonly used within networks to share files, printers, and other system resources amongst trusted systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector or for data exfiltration.", "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "SMB (Windows File Sharing) Activity to the Internet", "query": "(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and (destination.port:(139 or 445) or event.dataset:zeek.smb) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": 
"keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 73, "rule_id": "c82b2bd8-d701-420c-ba43-f11a155b681a", "severity": "high", "tags": ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1048", "name": "Exfiltration Over Alternative Protocol", "reference": "https://attack.mitre.org/techniques/T1048/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "c82b2bd8-d701-420c-ba43-f11a155b681a_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1.json b/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1.json deleted file mode 100644 index 94f2631d347..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potentially suspicious processes that are not trusted or living-off-the-land binaries (LOLBin) making Server Message Block (SMB) network connections over port 445. Windows File Sharing is typically implemented over SMB, which communicates between hosts using port 445. Legitimate connections are generally established by the kernel (PID 4). This rule helps to detect processes that might be port scanners, exploits, or user-level processes attempting lateral movement within the network by leveraging SMB connections.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"], "language": "eql", "license": "Elastic License v2", "name": "SMB Connections via LOLBin or Untrusted Process", "note": "## Triage and analysis\n\n### Performance\n\nThis rule may have low to medium performance impact due to filtering for LOLBins processes starting, followed by network connections over port 445. Additional filtering is applied to reduce the volume of matching events and improve performance.\n\n### Investigating Untrusted Non-Microsoft or LOLBin SMB Connections\n\nThis rule looks for unexpected processes or LOLBins making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- In hybrid environments, SMB may be used for legitimate purposes if operations are performed in Azure. 
In such cases, consider adding exceptions for known Azure services and operations.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=1m\n\n /* first sequence to capture the start of Windows processes */\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.pid != 4 and\n\n /* ignore NT Authority and Network Service accounts */\n not user.id : (\"S-1-5-19\", \"S-1-5-20\") and\n\n /* filter out anything trusted but not from Microsoft */\n /* LOLBins will be inherently trusted and signed, so ignore everything else trusted */\n not (process.code_signature.trusted == true and not startsWith(process.code_signature.subject_name, \"Microsoft\")) and\n\n /* filter out PowerShell scripts from Windows Defender ATP */\n not (\n process.name : \"powershell.exe\" and\n process.args :\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat 
Protection\\\\Downloads\\\\PSScript_*.ps1\")]\n\n /* second sequence to capture network connections over port 445 related to SMB */\n [network where host.os.type == \"windows\" and destination.port == 445 and process.pid != 4]\n\n/* end the sequence when the process ends where joining was on process.entity_id */\nuntil [process where host.os.type == \"windows\" and event.type == \"end\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "type": "eql", "version": 111}, "id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_104.json b/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_104.json
deleted file mode 100644
index 4be09d24ad7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Direct Outbound SMB Connection", "note": "## Triage and analysis\n\n### Investigating Direct Outbound SMB Connection\n\nThis rule looks for unexpected processes making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.pid != 4 and\n not (process.executable : \"D:\\\\EnterpriseCare\\\\tools\\\\jre.1\\\\bin\\\\java.exe\" and process.args : \"com.emeraldcube.prism.launcher.Invoker\") and\n not (process.executable : \"C:\\\\Docusnap 11\\\\Tools\\\\nmap\\\\nmap.exe\" and process.args : \"smb-os-discovery.nse\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent *\\\\Ranger\\\\SentinelRanger.exe\",\n \"?:\\\\Program Files\\\\Ivanti\\\\Security Controls\\\\ST.EngineHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Fortinet\\\\FSAE\\\\collectoragent.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Azure Advanced Threat Protection Sensor\\\\*\\\\Microsoft.Tri.Sensor.exe\",\n \"?:\\\\Program Files\\\\CloudMatters\\\\auvik\\\\AuvikService-release-*\\\\AuvikService.exe\",\n \"?:\\\\Program Files\\\\uptime software\\\\uptime\\\\UptimeDataCollector.exe\",\n \"?:\\\\Program Files\\\\CloudMatters\\\\auvik\\\\AuvikAgentService.exe\",\n \"?:\\\\Program Files\\\\Rumble\\\\rumble-agent-*.exe\")]\n [network where host.os.type == \"windows\" and destination.port == 445 and process.pid != 4 and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", 
"type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "type": "eql", "version": 104}, "id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_105.json b/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_105.json deleted file mode 100644 index 05e7c35d5b9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Direct Outbound SMB Connection", "note": "## Triage and analysis\n\n### Investigating Direct Outbound SMB Connection\n\nThis rule looks for unexpected processes making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.pid != 4 and\n not (process.executable : \"D:\\\\EnterpriseCare\\\\tools\\\\jre.1\\\\bin\\\\java.exe\" and process.args : \"com.emeraldcube.prism.launcher.Invoker\") and\n not (process.executable : \"C:\\\\Docusnap 11\\\\Tools\\\\nmap\\\\nmap.exe\" and process.args : \"smb-os-discovery.nse\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent *\\\\Ranger\\\\SentinelRanger.exe\",\n \"?:\\\\Program Files\\\\Ivanti\\\\Security Controls\\\\ST.EngineHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Fortinet\\\\FSAE\\\\collectoragent.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Azure Advanced Threat Protection Sensor\\\\*\\\\Microsoft.Tri.Sensor.exe\",\n \"?:\\\\Program Files\\\\CloudMatters\\\\auvik\\\\AuvikService-release-*\\\\AuvikService.exe\",\n \"?:\\\\Program Files\\\\uptime software\\\\uptime\\\\UptimeDataCollector.exe\",\n \"?:\\\\Program Files\\\\CloudMatters\\\\auvik\\\\AuvikAgentService.exe\",\n \"?:\\\\Program Files\\\\Rumble\\\\rumble-agent-*.exe\")]\n [network where host.os.type == \"windows\" and destination.port == 445 and process.pid != 4 and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", 
"type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "type": "eql", "version": 105}, "id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_106.json b/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_106.json deleted file mode 100644 index d54df5d16cb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Direct Outbound SMB Connection", "note": "## Triage and analysis\n\n### Investigating Direct Outbound SMB Connection\n\nThis rule looks for unexpected processes making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.pid != 4 and\n not (process.executable : \"D:\\\\EnterpriseCare\\\\tools\\\\jre.1\\\\bin\\\\java.exe\" and process.args : \"com.emeraldcube.prism.launcher.Invoker\") and\n not (process.executable : \"C:\\\\Docusnap 11\\\\Tools\\\\nmap\\\\nmap.exe\" and process.args : \"smb-os-discovery.nse\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent *\\\\Ranger\\\\SentinelRanger.exe\",\n \"?:\\\\Program Files\\\\Ivanti\\\\Security Controls\\\\ST.EngineHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Fortinet\\\\FSAE\\\\collectoragent.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Azure Advanced Threat Protection Sensor\\\\*\\\\Microsoft.Tri.Sensor.exe\",\n \"?:\\\\Program Files\\\\CloudMatters\\\\auvik\\\\AuvikService-release-*\\\\AuvikService.exe\",\n \"?:\\\\Program Files\\\\uptime software\\\\uptime\\\\UptimeDataCollector.exe\",\n \"?:\\\\Program Files\\\\CloudMatters\\\\auvik\\\\AuvikAgentService.exe\",\n \"?:\\\\Program Files\\\\Rumble\\\\rumble-agent-*.exe\")]\n [network where host.os.type == \"windows\" and destination.port == 445 and process.pid != 4 and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", 
"type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "type": "eql", "version": 106}, "id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_107.json b/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_107.json deleted file mode 100644 index ee0f01239df..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Direct Outbound SMB Connection", "note": "## Triage and analysis\n\n### Investigating Direct Outbound SMB Connection\n\nThis rule looks for unexpected processes making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.pid != 4 and\n not (process.executable : \"D:\\\\EnterpriseCare\\\\tools\\\\jre.1\\\\bin\\\\java.exe\" and process.args : \"com.emeraldcube.prism.launcher.Invoker\") and\n not (process.executable : \"C:\\\\Docusnap 11\\\\Tools\\\\nmap\\\\nmap.exe\" and process.args : \"smb-os-discovery.nse\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\SentinelOne\\\\Sentinel Agent *\\\\Ranger\\\\SentinelRanger.exe\",\n \"?:\\\\Program Files\\\\Ivanti\\\\Security Controls\\\\ST.EngineHost.exe\",\n \"?:\\\\Program Files (x86)\\\\Fortinet\\\\FSAE\\\\collectoragent.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Azure Advanced Threat Protection Sensor\\\\*\\\\Microsoft.Tri.Sensor.exe\",\n \"?:\\\\Program Files\\\\CloudMatters\\\\auvik\\\\AuvikService-release-*\\\\AuvikService.exe\",\n \"?:\\\\Program Files\\\\uptime software\\\\uptime\\\\UptimeDataCollector.exe\",\n \"?:\\\\Program Files\\\\CloudMatters\\\\auvik\\\\AuvikAgentService.exe\",\n \"?:\\\\Program Files\\\\Rumble\\\\rumble-agent-*.exe\")]\n [network where host.os.type == \"windows\" and destination.port == 445 and process.pid != 4 and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", 
"type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "type": "eql", "version": 107}, "id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_108.json b/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_108.json deleted file mode 100644 index deeb1353a94..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Direct Outbound SMB Connection", "note": "## Triage and analysis\n\n### Investigating Direct Outbound SMB Connection\n\nThis rule looks for unexpected processes making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=2m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.pid != 4 and \n not user.id : (\"S-1-5-19\", \"S-1-5-20\") and \n not (process.code_signature.trusted == true and not process.code_signature.subject_name : (\"Microsoft*\", \"Famatech Corp.\", \"Insecure.Com LLC\")) and \n not (process.name : \"powershell.exe\" and process.args : \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\\PSScript_*.ps1\") and \n not (process.executable : \"?:\\\\EnterpriseCare\\\\tools\\\\*\\\\bin\\\\java.exe\" and process.args : \"com.*.launcher.Invoker\") and\n not (process.executable : \"?:\\\\Docusnap*\\\\Tools\\\\*\\\\nmap.exe\" and process.args : \"smb-os-discovery.nse\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\", \n \"?:\\\\Windows\\\\ProPatches\\\\Installation\\\\InstallationSandbox*\\\\stdeploy.exe\",\n \"?:\\\\Program Files (x86)\\\\Fortinet\\\\FSAE\\\\collectoragent.exe\",\n \"?:\\\\Program Files (x86)\\\\Nmap\\\\nmap.exe\",\n \"?:\\\\Program Files\\\\Azure Advanced Threat Protection Sensor\\\\*\\\\Microsoft.Tri.Sensor.exe\",\n \"?:\\\\Program Files\\\\CloudMatters\\\\auvik\\\\AuvikService-release-*\\\\AuvikService.exe\",\n \"?:\\\\Program Files\\\\uptime software\\\\uptime\\\\UptimeDataCollector.exe\",\n \"?:\\\\Program Files\\\\CloudMatters\\\\auvik\\\\AuvikAgentService.exe\",\n \"?:\\\\Program Files\\\\Rumble\\\\rumble-agent-*.exe\")]\n [network where host.os.type == \"windows\" and destination.port == 445 
and process.pid != 4 and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\nuntil [process where host.os.type == \"windows\" and event.type == \"end\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "type": "eql", "version": 108}, "id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_108", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_109.json b/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_109.json
deleted file mode 100644
index a3268228f14..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Direct Outbound SMB Connection", "note": "## Triage and analysis\n\n### Investigating Direct Outbound SMB Connection\n\nThis rule looks for unexpected processes making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=2m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.pid != 4 and \n not user.id : (\"S-1-5-19\", \"S-1-5-20\") and \n not (process.code_signature.trusted == true and not process.code_signature.subject_name : \"Microsoft *\") and \n not (process.name : \"powershell.exe\" and process.args : \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\\PSScript_*.ps1\")]\n [network where host.os.type == \"windows\" and destination.port == 445 and process.pid != 4 and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\nuntil [process where host.os.type == \"windows\" and event.type == \"end\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: 
Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "type": "eql", "version": 109}, "id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_110.json b/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_110.json deleted file mode 100644 index ede86e7f80b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unexpected processes making network connections over port 445. Windows File Sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"], "language": "eql", "license": "Elastic License v2", "name": "Direct Outbound SMB Connection", "note": "## Triage and analysis\n\n### Investigating Direct Outbound SMB Connection\n\nThis rule looks for unexpected processes making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=2m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.pid != 4 and \n not user.id : (\"S-1-5-19\", \"S-1-5-20\") and \n not (process.code_signature.trusted == true and not process.code_signature.subject_name : \"Microsoft *\") and \n not (process.name : \"powershell.exe\" and process.args : \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\Downloads\\\\PSScript_*.ps1\")]\n [network where host.os.type == \"windows\" and destination.port == 445 and process.pid != 4 and\n not cidrmatch(destination.ip, \"127.0.0.1\", \"::1\")]\nuntil [process where host.os.type == \"windows\" and event.type == \"end\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: 
Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "type": "eql", "version": 110}, "id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_111.json b/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_111.json deleted file mode 100644 index d6d19975dd0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_111.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potentially suspicious processes that are not trusted or living-off-the-land binaries (LOLBin) making Server Message Block (SMB) network connections over port 445. Windows File Sharing is typically implemented over SMB, which communicates between hosts using port 445. Legitimate connections are generally established by the kernel (PID 4). This rule helps to detect processes that might be port scanners, exploits, or user-level processes attempting lateral movement within the network by leveraging SMB connections.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*"], "language": "eql", "license": "Elastic License v2", "name": "SMB Connections via LOLBin or Untrusted Process", "note": "## Triage and analysis\n\n### Performance\n\nThis rule may have low to medium performance impact due to filtering for LOLBins processes starting, followed by network connections over port 445. Additional filtering is applied to reduce the volume of matching events and improve performance.\n\n### Investigating Untrusted Non-Microsoft or LOLBin SMB Connections\n\nThis rule looks for unexpected processes or LOLBins making network connections over port 445. Windows file sharing is typically implemented over Server Message Block (SMB), which communicates between hosts using port 445. When legitimate, these network connections are established by the kernel (PID 4). Occurrences of non-system processes using this port can indicate port scanners, exploits, and tools used to move laterally on the environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0.
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE 
'%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- In hybrid environments, SMB may be used for legitimate purposes if operations are performed in Azure. 
In such cases, consider adding exceptions for known Azure services and operations.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=1m\n\n /* first sequence to capture the start of Windows processes */\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.pid != 4 and\n\n /* ignore NT Authority and Network Service accounts */\n not user.id : (\"S-1-5-19\", \"S-1-5-20\") and\n\n /* filter out anything trusted but not from Microsoft */\n /* LOLBins will be inherently trusted and signed, so ignore everything else trusted */\n not (process.code_signature.trusted == true and not startsWith(process.code_signature.subject_name, \"Microsoft\")) and\n\n /* filter out PowerShell scripts from Windows Defender ATP */\n not (\n process.name : \"powershell.exe\" and\n process.args :\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat 
Protection\\\\Downloads\\\\PSScript_*.ps1\")]\n\n /* second sequence to capture network connections over port 445 related to SMB */\n [network where host.os.type == \"windows\" and destination.port == 445 and process.pid != 4]\n\n/* end the sequence when the process ends where joining was on process.entity_id */\nuntil [process where host.os.type == \"windows\" and event.type == \"end\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "type": "eql", "version": 111}, "id": "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663.json b/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663.json
deleted file mode 100644
index fd1e8d205bc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.", "false_positives": ["Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Virtual Machine Fingerprinting via Grep", "query": "process where event.type == \"start\" and\n process.name in (\"grep\", \"egrep\") and user.id != \"0\" and\n process.args : (\"parallels*\", \"vmware*\", \"virtualbox*\") and process.args : \"Manufacturer*\" and\n not process.parent.executable in (\"/Applications/Docker.app/Contents/MacOS/Docker\", \"/usr/libexec/kcare/virt-what\")\n", "references": ["https://objective-see.com/blog/blog_0x4F.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "c85eb82c-d2c8-485c-a36f-534f914b7663", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "c85eb82c-d2c8-485c-a36f-534f914b7663", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_101.json b/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_101.json
deleted file mode 100644
index 793ce505820..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_101.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.", "false_positives": ["Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Virtual Machine Fingerprinting via Grep", "note": "", "query": "process where event.type == \"start\" and\n process.name in (\"grep\", \"egrep\") and user.id != \"0\" and\n process.args : (\"parallels*\", \"vmware*\", \"virtualbox*\") and process.args : \"Manufacturer*\" and\n not process.parent.executable in (\"/Applications/Docker.app/Contents/MacOS/Docker\", \"/usr/libexec/kcare/virt-what\")\n", "references": ["https://objective-see.com/blog/blog_0x4F.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "c85eb82c-d2c8-485c-a36f-534f914b7663", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Discovery"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 101}, "id": "c85eb82c-d2c8-485c-a36f-534f914b7663_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_102.json b/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_102.json
deleted file mode 100644
index 03c32643e09..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.", "false_positives": ["Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Virtual Machine Fingerprinting via Grep", "note": "", "query": "process where event.type == \"start\" and\n process.name in (\"grep\", \"egrep\") and user.id != \"0\" and\n process.args : (\"parallels*\", \"vmware*\", \"virtualbox*\") and process.args : \"Manufacturer*\" and\n not process.parent.executable in (\"/Applications/Docker.app/Contents/MacOS/Docker\", \"/usr/libexec/kcare/virt-what\")\n", "references": ["https://objective-see.com/blog/blog_0x4F.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "c85eb82c-d2c8-485c-a36f-534f914b7663", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: 
Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "c85eb82c-d2c8-485c-a36f-534f914b7663_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_103.json b/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_103.json
deleted file mode 100644
index 3819915ccfb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.", "false_positives": ["Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Virtual Machine Fingerprinting via Grep", "note": "", "query": "process where event.type == \"start\" and\n process.name in (\"grep\", \"egrep\") and user.id != \"0\" and\n process.args : (\"parallels*\", \"vmware*\", \"virtualbox*\") and process.args : \"Manufacturer*\" and\n not process.parent.executable in (\"/Applications/Docker.app/Contents/MacOS/Docker\", \"/usr/libexec/kcare/virt-what\")\n", "references": ["https://objective-see.com/blog/blog_0x4F.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "c85eb82c-d2c8-485c-a36f-534f914b7663", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: 
Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "c85eb82c-d2c8-485c-a36f-534f914b7663_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_104.json b/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_104.json
deleted file mode 100644
index 0d2626039e1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c85eb82c-d2c8-485c-a36f-534f914b7663_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An adversary may attempt to get detailed information about the operating system and hardware. This rule identifies common locations used to discover virtual machine hardware by a non-root user. This technique has been used by the Pupy RAT and other malware.", "false_positives": ["Certain tools or automated software may enumerate hardware information. These tools can be exempted via user name or process arguments to eliminate potential noise."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Virtual Machine Fingerprinting via Grep", "query": "process where event.type == \"start\" and\n process.name in (\"grep\", \"egrep\") and user.id != \"0\" and\n process.args : (\"parallels*\", \"vmware*\", \"virtualbox*\") and process.args : \"Manufacturer*\" and\n not process.parent.executable in (\"/Applications/Docker.app/Contents/MacOS/Docker\", \"/usr/libexec/kcare/virt-what\")\n", "references": ["https://objective-see.com/blog/blog_0x4F.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "c85eb82c-d2c8-485c-a36f-534f914b7663", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "c85eb82c-d2c8-485c-a36f-534f914b7663_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2.json b/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2.json
deleted file mode 100644
index f0995c94aa3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.", "from": "now-9m", "index": ["logs-endpoint.events.process-*"], "language": "eql", "license": "Elastic License v2", "name": "Parent Process PID Spoofing", "query": "/* This rule is compatible with Elastic Endpoint only */\n\nsequence by host.id, user.id with maxspan=3m \n\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.Ext.token.integrity_level_name != \"system\" and \n (\n process.pe.original_file_name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\",\n \"fltldr.exe\", \"mspub.exe\", \"msaccess.exe\", \"powershell.exe\", \"pwsh.exe\",\n \"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"msbuild.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") or \n \n (process.executable : (\"?:\\\\Users\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\*.exe\",\n \"?:\\\\Windows\\\\Tasks\\\\*\") and \n (process.code_signature.exists == false or process.code_signature.status : \"errorBadDigest\")) or \n \n process.executable : \"?:\\\\Windows\\\\Microsoft.NET\\\\*.exe\" \n ) and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.pid\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.Ext.real.pid > 0 and \n \n /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */\n not (process.name : \"msedge.exe\" and process.parent.name : \"sihost.exe\") and \n \n not process.executable : \n 
(\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.parent.Ext.real.pid\n", "references": ["https://blog.didierstevens.com/2017/03/20/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "process.parent.Ext.real.pid", "type": "unknown"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.004", "name": "Parent PID Spoofing", "reference": "https://attack.mitre.org/techniques/T1134/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege 
Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.004", "name": "Parent PID Spoofing", "reference": "https://attack.mitre.org/techniques/T1134/004/"}]}]}], "type": "eql", "version": 106}, "id": "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_102.json b/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_102.json
deleted file mode 100644
index 45a43fd154a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Parent Process PID Spoofing", "query": "/* This rule is compatible with Elastic Endpoint only */\n\nsequence by host.id, user.id with maxspan=3m \n\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.Ext.token.integrity_level_name != \"system\" and \n (\n process.pe.original_file_name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\",\n \"fltldr.exe\", \"mspub.exe\", \"msaccess.exe\", \"powershell.exe\", \"pwsh.exe\",\n \"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"msbuild.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") or \n \n (process.executable : (\"?:\\\\Users\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\*.exe\",\n \"?:\\\\Windows\\\\Tasks\\\\*\") and \n (process.code_signature.exists == false or process.code_signature.status : \"errorBadDigest\")) or \n \n process.executable : \"?:\\\\Windows\\\\Microsoft.NET\\\\*.exe\" \n ) and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.pid\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.Ext.real.pid > 0 and \n \n /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */\n not (process.name : \"msedge.exe\" and process.parent.name : \"sihost.exe\") and \n \n not process.executable : \n 
("?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.parent.Ext.real.pid\n", "references": ["https://blog.didierstevens.com/2017/03/20/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "process.parent.Ext.real.pid", "type": "unknown"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.004", "name": "Parent PID Spoofing", "reference": "https://attack.mitre.org/techniques/T1134/004/"}]}]}], "type": "eql", "version": 102}, "id": "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_103.json b/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_103.json
deleted file mode 100644
index 25bab808bfe..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Parent Process PID Spoofing", "query": "/* This rule is compatible with Elastic Endpoint only */\n\nsequence by host.id, user.id with maxspan=3m \n\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.Ext.token.integrity_level_name != \"system\" and \n (\n process.pe.original_file_name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\",\n \"fltldr.exe\", \"mspub.exe\", \"msaccess.exe\", \"powershell.exe\", \"pwsh.exe\",\n \"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"msbuild.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") or \n \n (process.executable : (\"?:\\\\Users\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\*.exe\",\n \"?:\\\\Windows\\\\Tasks\\\\*\") and \n (process.code_signature.exists == false or process.code_signature.status : \"errorBadDigest\")) or \n \n process.executable : \"?:\\\\Windows\\\\Microsoft.NET\\\\*.exe\" \n ) and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.pid\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.Ext.real.pid > 0 and \n \n /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */\n not (process.name : \"msedge.exe\" and process.parent.name : \"sihost.exe\") and \n \n not process.executable : \n 
(\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.parent.Ext.real.pid\n", "references": ["https://blog.didierstevens.com/2017/03/20/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "process.parent.Ext.real.pid", "type": "unknown"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.004", "name": "Parent PID Spoofing", "reference": "https://attack.mitre.org/techniques/T1134/004/"}]}]}], "type": "eql", "version": 103}, "id": "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_104.json b/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_104.json
deleted file mode 100644
index 8bfb8adb407..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Parent Process PID Spoofing", "query": "/* This rule is compatible with Elastic Endpoint only */\n\nsequence by host.id, user.id with maxspan=3m \n\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.Ext.token.integrity_level_name != \"system\" and \n (\n process.pe.original_file_name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\",\n \"fltldr.exe\", \"mspub.exe\", \"msaccess.exe\", \"powershell.exe\", \"pwsh.exe\",\n \"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"msbuild.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") or \n \n (process.executable : (\"?:\\\\Users\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\*.exe\",\n \"?:\\\\Windows\\\\Tasks\\\\*\") and \n (process.code_signature.exists == false or process.code_signature.status : \"errorBadDigest\")) or \n \n process.executable : \"?:\\\\Windows\\\\Microsoft.NET\\\\*.exe\" \n ) and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.pid\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.Ext.real.pid > 0 and \n \n /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */\n not (process.name : \"msedge.exe\" and process.parent.name : \"sihost.exe\") and \n \n not process.executable : \n 
(\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.parent.Ext.real.pid\n", "references": ["https://blog.didierstevens.com/2017/03/20/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "process.parent.Ext.real.pid", "type": "unknown"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.004", "name": "Parent PID Spoofing", "reference": "https://attack.mitre.org/techniques/T1134/004/"}]}]}], "type": "eql", "version": 104}, "id": "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_104", "type": "security-rule"} \ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_105.json b/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_105.json
deleted file mode 100644
index 6b8c5c51a79..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Parent Process PID Spoofing", "query": "/* This rule is compatible with Elastic Endpoint only */\n\nsequence by host.id, user.id with maxspan=3m \n\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.Ext.token.integrity_level_name != \"system\" and \n (\n process.pe.original_file_name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\",\n \"fltldr.exe\", \"mspub.exe\", \"msaccess.exe\", \"powershell.exe\", \"pwsh.exe\",\n \"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"msbuild.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") or \n \n (process.executable : (\"?:\\\\Users\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\*.exe\",\n \"?:\\\\Windows\\\\Tasks\\\\*\") and \n (process.code_signature.exists == false or process.code_signature.status : \"errorBadDigest\")) or \n \n process.executable : \"?:\\\\Windows\\\\Microsoft.NET\\\\*.exe\" \n ) and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.pid\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.Ext.real.pid > 0 and \n \n /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */\n not (process.name : \"msedge.exe\" and process.parent.name : \"sihost.exe\") and \n \n not process.executable : \n 
(\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.parent.Ext.real.pid\n", "references": ["https://blog.didierstevens.com/2017/03/20/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "process.parent.Ext.real.pid", "type": "unknown"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.004", "name": "Parent PID Spoofing", "reference": "https://attack.mitre.org/techniques/T1134/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege 
Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.004", "name": "Parent PID Spoofing", "reference": "https://attack.mitre.org/techniques/T1134/004/"}]}]}], "type": "eql", "version": 105}, "id": "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_106.json b/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_106.json
deleted file mode 100644
index f1ae5bc7189..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies parent process spoofing used to thwart detection. Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.", "from": "now-9m", "index": ["logs-endpoint.events.process-*"], "language": "eql", "license": "Elastic License v2", "name": "Parent Process PID Spoofing", "query": "/* This rule is compatible with Elastic Endpoint only */\n\nsequence by host.id, user.id with maxspan=3m \n\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.Ext.token.integrity_level_name != \"system\" and \n (\n process.pe.original_file_name : (\"winword.exe\", \"excel.exe\", \"outlook.exe\", \"powerpnt.exe\", \"eqnedt32.exe\",\n \"fltldr.exe\", \"mspub.exe\", \"msaccess.exe\", \"powershell.exe\", \"pwsh.exe\",\n \"cscript.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\", \"msbuild.exe\",\n \"mshta.exe\", \"wmic.exe\", \"cmstp.exe\", \"msxsl.exe\") or \n \n (process.executable : (\"?:\\\\Users\\\\*.exe\",\n \"?:\\\\ProgramData\\\\*.exe\",\n \"?:\\\\Windows\\\\Temp\\\\*.exe\",\n \"?:\\\\Windows\\\\Tasks\\\\*\") and \n (process.code_signature.exists == false or process.code_signature.status : \"errorBadDigest\")) or \n \n process.executable : \"?:\\\\Windows\\\\Microsoft.NET\\\\*.exe\" \n ) and \n \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.pid\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.Ext.real.pid > 0 and \n \n /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */\n not (process.name : \"msedge.exe\" and process.parent.name : \"sihost.exe\") and \n \n not process.executable : \n 
(\"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\", \n \"?:\\\\WINDOWS\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\")\n ] by process.parent.Ext.real.pid\n", "references": ["https://blog.didierstevens.com/2017/03/20/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": false, "name": "process.parent.Ext.real.pid", "type": "unknown"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.004", "name": "Parent PID Spoofing", "reference": "https://attack.mitre.org/techniques/T1134/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege 
Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.004", "name": "Parent PID Spoofing", "reference": "https://attack.mitre.org/techniques/T1134/004/"}]}]}], "type": "eql", "version": 106}, "id": "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af.json b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af.json
deleted file mode 100644
index d3eb42f2bf3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Ransomware Note Creation Detected", "query": "sequence by process.entity_id, host.id with maxspan=1s \n [file where host.os.type == \"linux\" and event.type == \"change\" and event.action == \"rename\" and file.extension : \"?*\" \n and process.executable : (\"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/dev/shm/*\", \"/var/run/*\", \"/boot/*\") and\n file.path : (\n \"/home/*/Downloads/*\", \"/home/*/Documents/*\", \"/root/*\", \"/bin/*\", \"/usr/bin/*\", \"/var/log/*\", \"/var/lib/log/*\",\n \"/var/backup/*\", \"/var/www/*\") and\n not process.name : (\n \"dpkg\", \"yum\", \"dnf\", \"rpm\", \"dockerd\", \"go\", \"java\", \"pip*\", \"python*\", \"node\", \"containerd\", \"php\", \"p4d\",\n \"conda\", \"chrome\", \"imap\", \"cmake\", \"firefox\", \"semanage\", \"semodule\", \"ansible-galaxy\", \"fc-cache\", \"jammy\", \"git\",\n \"systemsettings\", \"vmis-launcher\", \"bundle\", \"kudu-tserver\", \"suldownloader\", \"rustup-init\"\n )\n ] with runs=25\n [file where host.os.type == \"linux\" and event.action == \"creation\" and file.name : (\n \"*crypt*\", \"*restore*\", \"*lock*\", \"*recovery*\", \"*data*\", \"*read*\", \"*instruction*\", \"*how_to*\", \"*ransom*\"\n )\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], 
"required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "type": "eql", "version": 9}, "id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_1.json b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_1.json
deleted file mode 100644
index 5be14e15cc4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file. Generally, a ransomware note with contact details is dropped onto the file system which can be used by the victim to contact the attacker. This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a file name containing ransomware keywords executed by the same process in a 1 second timespan.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Ransomware Note Creation Detected", "query": "sequence by host.id, process.entity_id with maxspan=1s \n [ file where host.os.type == \"linux\" and event.type == \"change\" and \n event.action == \"rename\" and file.extension != \"\" ] with runs=50\n [ file where host.os.type == \"linux\" and event.action == \"creation\" and \n file.extension == \"txt\" and file.name : (\n \"*crypt*\", \n \"*restore*\", \n \"*lock*\", \n \"*recovery*\", \n \"*data*\",\n \"*read*\", \n \"*instruction*\", \n \"*how_to*\", \n \"*ransom*\"\n ) ] | tail 1\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}], "risk_score": 73, "rule_id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af", "severity": "high", "tags": 
["Elastic", "Host", "Linux", "Threat Detection", "Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "type": "eql", "version": 1}, "id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_2.json b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_2.json
deleted file mode 100644
index 38e2fa88078..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file. Generally, a ransomware note with contact details is dropped onto the file system which can be used by the victim to contact the attacker. This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a file name containing ransomware keywords executed by the same process in a 1 second timespan.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Ransomware Note Creation Detected", "query": "sequence by host.id, process.entity_id with maxspan=1s \n [ file where host.os.type == \"linux\" and event.type == \"change\" and \n event.action == \"rename\" and file.extension != \"\" ] with runs=50\n [ file where host.os.type == \"linux\" and event.action == \"creation\" and \n file.extension == \"txt\" and file.name : (\n \"*crypt*\", \n \"*restore*\", \n \"*lock*\", \n \"*recovery*\", \n \"*data*\",\n \"*read*\", \n \"*instruction*\", \n \"*how_to*\", \n \"*ransom*\"\n ) ] | tail 1\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}], "risk_score": 73, "rule_id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af", "severity": "high", "tags": 
["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "type": "eql", "version": 2}, "id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_3.json b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_3.json
deleted file mode 100644
index 7e28d55f355..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Ransomware Note Creation Detected", "query": "sequence by host.id, process.entity_id with maxspan=1s \n [ file where host.os.type == \"linux\" and event.type == \"change\" and\n event.action == \"rename\" and file.extension != \"\" and \n file.path : (\n \"/home/*\", \"/etc/*\", \"/root/*\", \"/opt/*\", \"/var/backups/*\", \"/var/lib/log/*\"\n ) and not \n file.extension : (\n \"xml\", \"json\", \"conf\", \"dat\", \"gz\", \"info\", \"mod\", \"final\",\n \"php\", \"pyc\", \"log\", \"bak\", \"bin\", \"csv\", \"pdf\", \"cfg\", \"*old\"\n ) and not \n process.name : (\n \"dpkg\", \"yum\", \"dnf\", \"rpm\", \"dockerd\"\n ) ] with runs=100\n [ file where host.os.type == \"linux\" and event.action == \"creation\" and file.extension == \"txt\" and \n file.name : (\n \"*crypt*\", \"*restore*\", \"*lock*\", \"*recovery*\", \"*data*\", \n \"*read*\", \"*instruction*\", \"*how_to*\", \"*ransom*\"\n ) ] | tail 1\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", 
"type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "type": "eql", "version": 3}, "id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_4.json b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_4.json
deleted file mode 100644
index acaa888b8da..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Ransomware Note Creation Detected", "query": "sequence by host.id, process.entity_id with maxspan=1s \n [ file where host.os.type == \"linux\" and event.type == \"change\" and\n event.action == \"rename\" and file.extension != \"\" and \n file.path : (\n \"/home/*\", \"/etc/*\", \"/root/*\", \"/opt/*\", \"/var/backups/*\", \"/var/lib/log/*\"\n ) and not \n file.extension : (\n \"xml\", \"json\", \"conf\", \"dat\", \"gz\", \"info\", \"mod\", \"final\",\n \"php\", \"pyc\", \"log\", \"bak\", \"bin\", \"csv\", \"pdf\", \"cfg\", \"*old\"\n ) and not \n process.name : (\n \"dpkg\", \"yum\", \"dnf\", \"rpm\", \"dockerd\"\n ) ] with runs=100\n [ file where host.os.type == \"linux\" and event.action == \"creation\" and file.extension == \"txt\" and \n file.name : (\n \"*crypt*\", \"*restore*\", \"*lock*\", \"*recovery*\", \"*data*\", \n \"*read*\", \"*instruction*\", \"*how_to*\", \"*ransom*\"\n ) and not process.name : (\"go\", \"java\", \"pip*\", \"python*\", \"node\", \"containerd\") ] | tail 1\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, 
{"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "type": "eql", "version": 4}, "id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_5.json b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_5.json deleted file mode 100644 index 225b2034615..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Ransomware Note Creation Detected", "query": "sequence by host.id, process.entity_id with maxspan=1s \n [file where host.os.type == \"linux\" and event.type == \"change\" and event.action == \"rename\" and file.extension : \"?*\" \n and ((process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"ash\", \"openssl\")) or\n (process.executable : (\"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/dev/shm/*\", \"/var/run/*\", \"/boot/*\", \"/srv/*\", \"/run/*\"))) and\n file.path : (\n \"/home/*/Downloads/*\", \"/home/*/Documents/*\", \"/root/*\", \"/bin/*\", \"/usr/bin/*\",\n \"/opt/*\", \"/etc/*\", \"/var/log/*\", \"/var/lib/log/*\", \"/var/backup/*\", \"/var/www/*\") and not ((\n process.name : (\n \"dpkg\", \"yum\", \"dnf\", \"rpm\", \"dockerd\", \"go\", \"java\", \"pip*\", \"python*\", \"node\", \"containerd\", \"php\", \"p4d\",\n \"conda\", \"chrome\", \"imap\", \"cmake\", \"firefox\", \"semanage\", \"semodule\", \"ansible-galaxy\", \"fc-cache\", \"jammy\", \"git\",\n \"systemsettings\", \"vmis-launcher\")) or (file.path : \"/etc/selinux/*\") or (file.extension in (\"qmlc\", \"txt\")\n ))] with runs=25\n [file where host.os.type == \"linux\" and event.action == \"creation\" and file.name : (\n \"*crypt*\", \"*restore*\", \"*lock*\", 
\"*recovery*\", \"*data*\", \"*read*\", \"*instruction*\", \"*how_to*\", \"*ransom*\"\n )]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "type": "eql", "version": 5}, "id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_6.json b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_6.json deleted file mode 100644 index 97523d20174..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Ransomware Note Creation Detected", "query": "sequence by process.entity_id, host.id with maxspan=1s \n [file where host.os.type == \"linux\" and event.type == \"change\" and event.action == \"rename\" and file.extension : \"?*\" \n and process.executable : (\"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/dev/shm/*\", \"/var/run/*\", \"/boot/*\", \"/srv/*\", \"/run/*\") and\n file.path : (\n \"/home/*/Downloads/*\", \"/home/*/Documents/*\", \"/root/*\", \"/bin/*\", \"/usr/bin/*\",\n \"/opt/*\", \"/etc/*\", \"/var/log/*\", \"/var/lib/log/*\", \"/var/backup/*\", \"/var/www/*\")] with runs=25\n [file where host.os.type == \"linux\" and event.action == \"creation\" and file.name : (\n \"*crypt*\", \"*restore*\", \"*lock*\", \"*recovery*\", \"*data*\", \"*read*\", \"*instruction*\", \"*how_to*\", \"*ransom*\"\n )]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": 
"host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "type": "eql", "version": 6}, "id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_7.json b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_7.json deleted file mode 100644 index 967f547e31a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Ransomware Note Creation Detected", "query": "sequence by process.entity_id, host.id with maxspan=1s \n [file where host.os.type == \"linux\" and event.type == \"change\" and event.action == \"rename\" and file.extension : \"?*\" \n and process.executable : (\"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/dev/shm/*\", \"/var/run/*\", \"/boot/*\", \"/srv/*\", \"/run/*\") and\n file.path : (\n \"/home/*/Downloads/*\", \"/home/*/Documents/*\", \"/root/*\", \"/bin/*\", \"/usr/bin/*\",\n \"/opt/*\", \"/etc/*\", \"/var/log/*\", \"/var/lib/log/*\", \"/var/backup/*\", \"/var/www/*\")] with runs=25\n [file where host.os.type == \"linux\" and event.action == \"creation\" and file.name : (\n \"*crypt*\", \"*restore*\", \"*lock*\", \"*recovery*\", \"*data*\", \"*read*\", \"*instruction*\", \"*how_to*\", \"*ransom*\"\n )]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": 
"host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "type": "eql", "version": 7}, "id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_8.json b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_8.json deleted file mode 100644 index 5e6e17aec04..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Ransomware Note Creation Detected", "query": "sequence by process.entity_id, host.id with maxspan=1s \n [file where host.os.type == \"linux\" and event.type == \"change\" and event.action == \"rename\" and file.extension : \"?*\" \n and process.executable : (\"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/dev/shm/*\", \"/var/run/*\", \"/boot/*\", \"/srv/*\", \"/run/*\") and\n file.path : (\n \"/home/*/Downloads/*\", \"/home/*/Documents/*\", \"/root/*\", \"/bin/*\", \"/usr/bin/*\", \"/var/log/*\", \"/var/lib/log/*\",\n \"/var/backup/*\", \"/var/www/*\") and\n not process.name : (\n \"dpkg\", \"yum\", \"dnf\", \"rpm\", \"dockerd\", \"go\", \"java\", \"pip*\", \"python*\", \"node\", \"containerd\", \"php\", \"p4d\",\n \"conda\", \"chrome\", \"imap\", \"cmake\", \"firefox\", \"semanage\", \"semodule\", \"ansible-galaxy\", \"fc-cache\", \"jammy\", \"git\",\n \"systemsettings\", \"vmis-launcher\", \"bundle\", \"kudu-tserver\", \"suldownloader\"\n )\n ] with runs=25\n [file where host.os.type == \"linux\" and event.action == \"creation\" and file.name : (\n \"*crypt*\", \"*restore*\", \"*lock*\", \"*recovery*\", \"*data*\", \"*read*\", \"*instruction*\", \"*how_to*\", \"*ransom*\"\n )\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], 
"required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "type": "eql", "version": 8}, "id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af_8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_9.json b/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_9.json deleted file mode 100644 index 118f8f34904..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c8935a8b-634a-4449-98f7-bb24d3b2c0af_9.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies a sequence of a mass file encryption event in conjunction with the creation of a .txt file with a file name containing ransomware keywords executed by the same process in a 1 second timespan. Ransomware is a type of malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) in exchange for the decryption key. One important indicator of a ransomware attack is the mass encryption of the file system, after which a new file extension is added to the file.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Ransomware Note Creation Detected", "query": "sequence by process.entity_id, host.id with maxspan=1s \n [file where host.os.type == \"linux\" and event.type == \"change\" and event.action == \"rename\" and file.extension : \"?*\" \n and process.executable : (\"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/dev/shm/*\", \"/var/run/*\", \"/boot/*\") and\n file.path : (\n \"/home/*/Downloads/*\", \"/home/*/Documents/*\", \"/root/*\", \"/bin/*\", \"/usr/bin/*\", \"/var/log/*\", \"/var/lib/log/*\",\n \"/var/backup/*\", \"/var/www/*\") and\n not process.name : (\n \"dpkg\", \"yum\", \"dnf\", \"rpm\", \"dockerd\", \"go\", \"java\", \"pip*\", \"python*\", \"node\", \"containerd\", \"php\", \"p4d\",\n \"conda\", \"chrome\", \"imap\", \"cmake\", \"firefox\", \"semanage\", \"semodule\", \"ansible-galaxy\", \"fc-cache\", \"jammy\", \"git\",\n \"systemsettings\", \"vmis-launcher\", \"bundle\", \"kudu-tserver\", \"suldownloader\", \"rustup-init\"\n )\n ] with runs=25\n [file where host.os.type == \"linux\" and event.action == \"creation\" and file.name : (\n \"*crypt*\", \"*restore*\", \"*lock*\", \"*recovery*\", \"*data*\", \"*read*\", \"*instruction*\", \"*how_to*\", \"*ransom*\"\n )\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], 
"required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "type": "eql", "version": 9}, "id": "c8935a8b-634a-4449-98f7-bb24d3b2c0af_9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff.json b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff.json deleted file mode 100644 index 14993022baf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Startup Shell Folder Modification", "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.value : (\"Common Startup\", \"Startup\") and\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n ) and\n registry.data.strings != null and\n /* Normal Startup Folder Paths */\n not registry.data.strings : (\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start 
Menu\\\\Programs\\\\Startup\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 73, "rule_id": "c8b150f0-0164-475b-a75e-74b47800a9ff", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "c8b150f0-0164-475b-a75e-74b47800a9ff", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_104.json b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_104.json
deleted file mode 100644
index 8888be2dc9f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Startup Shell Folder Modification", "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. 
Before undertaking further investigation, it should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n 
\"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n ) and\n registry.data.strings != null and\n /* Normal Startup Folder Paths */\n not registry.data.strings : (\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "c8b150f0-0164-475b-a75e-74b47800a9ff", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "c8b150f0-0164-475b-a75e-74b47800a9ff_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_105.json b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_105.json
deleted file mode 100644
index 277c99e591d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Startup Shell Folder Modification", "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n ) and\n registry.data.strings != null and\n /* Normal Startup Folder Paths */\n not registry.data.strings : (\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, 
"name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "c8b150f0-0164-475b-a75e-74b47800a9ff", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "c8b150f0-0164-475b-a75e-74b47800a9ff_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_106.json b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_106.json deleted file mode 100644 index f2c413251cf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Startup Shell Folder Modification", "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n ) and\n registry.data.strings != null and\n /* Normal Startup Folder Paths */\n not registry.data.strings : (\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, 
"name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "c8b150f0-0164-475b-a75e-74b47800a9ff", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "c8b150f0-0164-475b-a75e-74b47800a9ff_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_107.json b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_107.json deleted file mode 100644 index e230a65515d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Startup Shell Folder Modification", "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n ) and\n registry.data.strings != null and\n /* Normal Startup Folder Paths */\n not registry.data.strings : (\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, 
"name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "c8b150f0-0164-475b-a75e-74b47800a9ff", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "c8b150f0-0164-475b-a75e-74b47800a9ff_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_108.json b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_108.json deleted file mode 100644 index 66ac1175c50..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Startup Shell Folder Modification", "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n ) and\n registry.data.strings != null and\n /* Normal Startup Folder Paths */\n not registry.data.strings : (\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, 
"name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "c8b150f0-0164-475b-a75e-74b47800a9ff", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "c8b150f0-0164-475b-a75e-74b47800a9ff_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_109.json b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_109.json deleted file mode 100644 index 2c7b2355b1d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Startup Shell Folder Modification", "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n ) and\n registry.data.strings != null and\n /* Normal Startup Folder Paths */\n not registry.data.strings : (\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n 
\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "c8b150f0-0164-475b-a75e-74b47800a9ff", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "c8b150f0-0164-475b-a75e-74b47800a9ff_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_110.json b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_110.json deleted file mode 100644 index f9668749906..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Startup Shell Folder Modification", "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n ) and\n registry.data.strings != null and\n /* Normal Startup Folder Paths */\n not registry.data.strings : (\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n 
\"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "c8b150f0-0164-475b-a75e-74b47800a9ff", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "c8b150f0-0164-475b-a75e-74b47800a9ff_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_111.json b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_111.json deleted file mode 100644 index 601e65e684f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Startup Shell Folder Modification", "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.value : (\"Common Startup\", \"Startup\") and\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n ) and\n registry.data.strings != null and\n /* Normal Startup Folder Paths */\n not registry.data.strings : (\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start 
Menu\\\\Programs\\\\Startup\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 73, "rule_id": "c8b150f0-0164-475b-a75e-74b47800a9ff", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "c8b150f0-0164-475b-a75e-74b47800a9ff_111", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_112.json b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_112.json
deleted file mode 100644
index 66f6bd2cd52..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_112.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Startup Shell Folder Modification", "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.value : (\"Common Startup\", \"Startup\") and\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n ) and\n registry.data.strings != null and\n /* Normal Startup Folder Paths */\n not registry.data.strings : (\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start 
Menu\\\\Programs\\\\Startup\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 73, "rule_id": "c8b150f0-0164-475b-a75e-74b47800a9ff", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "c8b150f0-0164-475b-a75e-74b47800a9ff_112", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_113.json b/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_113.json
deleted file mode 100644
index 23dce69bbd9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c8b150f0-0164-475b-a75e-74b47800a9ff_113.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious startup shell folder modifications to change the default Startup directory in order to bypass detections monitoring file creation in the Windows Startup folder.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Startup Shell Folder Modification", "note": "## Triage and analysis\n\n### Investigating Suspicious Startup Shell Folder Modification\n\nTechniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for an attacker.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related file tied to the Windows Registry entry.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- There is a high possibility of benign legitimate programs being added to shell folders. This activity could be based on new software installations, patches, or other network administrator activity. Before undertaking further investigation, it should be verified that this activity is not benign.\n\n### Related rules\n\n- Startup or Run Key Registry Modification - 97fc44d3-8dae-4019-ae83-298c3015600f\n- Persistent Scripts in the Startup Directory - f7c4dc5a-a58d-491d-9f14-9b66507121c0\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.value : (\"Common Startup\", \"Startup\") and\n registry.path : (\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"HKLM\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Common Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\User Shell Folders\\\\Startup\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Explorer\\\\Shell Folders\\\\Startup\"\n ) and\n registry.data.strings != null and\n /* Normal Startup Folder Paths */\n not registry.data.strings : (\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%ProgramData%\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\",\n \"%USERPROFILE%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start 
Menu\\\\Programs\\\\Startup\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\"\n )\n", "references": ["https://www.elastic.co/security-labs/elastic-security-uncovers-blister-malware-campaign", "https://www.elastic.co/security-labs/revisiting-blister-new-developments-of-the-blister-loader"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 73, "rule_id": "c8b150f0-0164-475b-a75e-74b47800a9ff", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "c8b150f0-0164-475b-a75e-74b47800a9ff_113", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87.json b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87.json
deleted file mode 100644
index 9eb6af15447..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.", "false_positives": ["Planned Windows Defender configuration changes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Disabling Windows Defender Security Settings via PowerShell", "note": "## Triage and analysis\n\n### Investigating Disabling Windows Defender Security Settings via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the execution of commands that can tamper the Windows Defender antivirus features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which action was executed. Based on that, examine exceptions, antivirus state, sample submission, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Based on the command line, take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or\n ?process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")\n ) and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_104.json b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_104.json deleted file mode 100644 index b36001ac525..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.", "false_positives": ["Planned Windows Defender configuration changes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Disabling Windows Defender Security Settings via PowerShell", "note": "## Triage and analysis\n\n### Investigating Disabling Windows Defender Security Settings via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the execution of commands that can tamper the Windows Defender antivirus features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which action was executed. Based on that, examine exceptions, antivirus state, sample submission, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Based on the command line, take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_105.json b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_105.json deleted file mode 100644 index 295e2f2d0d6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.", "false_positives": ["Planned Windows Defender configuration changes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Disabling Windows Defender Security Settings via PowerShell", "note": "## Triage and analysis\n\n### Investigating Disabling Windows Defender Security Settings via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the execution of commands that can tamper the Windows Defender antivirus features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which action was executed. Based on that, examine exceptions, antivirus state, sample submission, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Based on the command line, take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic 
Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_106.json b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_106.json
deleted file mode 100644
index 2c2c45f38f0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.", "false_positives": ["Planned Windows Defender configuration changes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Disabling Windows Defender Security Settings via PowerShell", "note": "## Triage and analysis\n\n### Investigating Disabling Windows Defender Security Settings via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the execution of commands that can tamper the Windows Defender antivirus features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which action was executed. Based on that, examine exceptions, antivirus state, sample submission, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Based on the command line, take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic 
Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_107.json b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_107.json
deleted file mode 100644
index 1752af6da46..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.", "false_positives": ["Planned Windows Defender configuration changes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Disabling Windows Defender Security Settings via PowerShell", "note": "## Triage and analysis\n\n### Investigating Disabling Windows Defender Security Settings via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the execution of commands that can tamper the Windows Defender antivirus features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which action was executed. Based on that, examine exceptions, antivirus state, sample submission, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Based on the command line, take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data 
Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_108.json b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_108.json
deleted file mode 100644
index cf7a79e853c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.", "false_positives": ["Planned Windows Defender configuration changes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Disabling Windows Defender Security Settings via PowerShell", "note": "## Triage and analysis\n\n### Investigating Disabling Windows Defender Security Settings via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the execution of commands that can tamper the Windows Defender antivirus features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which action was executed. Based on that, examine exceptions, antivirus state, sample submission, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Based on the command line, take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")) and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", 
"severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_109.json b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_109.json deleted file mode 100644 index c035454aef0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.", "false_positives": ["Planned Windows Defender configuration changes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Disabling Windows Defender Security Settings via PowerShell", "note": "## Triage and analysis\n\n### Investigating Disabling Windows Defender Security Settings via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the execution of commands that can tamper the Windows Defender antivirus features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which action was executed. Based on that, examine exceptions, antivirus state, sample submission, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Based on the command line, take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or\n ?process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")\n ) and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_110.json b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_110.json deleted file mode 100644 index f54be080507..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.", "false_positives": ["Planned Windows Defender configuration changes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Disabling Windows Defender Security Settings via PowerShell", "note": "## Triage and analysis\n\n### Investigating Disabling Windows Defender Security Settings via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the execution of commands that can tamper the Windows Defender antivirus features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which action was executed. Based on that, examine exceptions, antivirus state, sample submission, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Based on the command line, take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or\n ?process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")\n ) and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_111.json b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_111.json deleted file mode 100644 index b02715a3f67..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.", "false_positives": ["Planned Windows Defender configuration changes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Disabling Windows Defender Security Settings via PowerShell", "note": "## Triage and analysis\n\n### Investigating Disabling Windows Defender Security Settings via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the execution of commands that can tamper the Windows Defender antivirus features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which action was executed. Based on that, examine exceptions, antivirus state, sample submission, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Based on the command line, take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or\n ?process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")\n ) and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_112.json b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_112.json deleted file mode 100644 index fb2083582f7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_112.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.", "false_positives": ["Planned Windows Defender configuration changes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Disabling Windows Defender Security Settings via PowerShell", "note": "## Triage and analysis\n\n### Investigating Disabling Windows Defender Security Settings via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the execution of commands that can tamper the Windows Defender antivirus features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which action was executed. Based on that, examine exceptions, antivirus state, sample submission, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Based on the command line, take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or\n ?process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")\n ) and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps", "https://www.elastic.co/security-labs/operation-bleeding-bear", "https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to 
@timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_312.json b/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_312.json deleted file mode 100644 index 88b00084726..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c8cccb06-faf2-4cd5-886e-2c9636cfcb87_312.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the Set-MpPreference PowerShell command to disable or weaken certain Windows Defender settings.", "false_positives": ["Planned Windows Defender configuration changes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Disabling Windows Defender Security Settings via PowerShell", "note": "## Triage and analysis\n\n### Investigating Disabling Windows Defender Security Settings via PowerShell\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the execution of commands that can tamper the Windows Defender antivirus features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which action was executed. Based on that, examine exceptions, antivirus state, sample submission, etc.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Based on the command line, take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or\n ?process.pe.original_file_name in (\"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\")\n ) and\n process.args : \"Set-MpPreference\" and process.args : (\"-Disable*\", \"Disabled\", \"NeverSend\", \"-Exclusion*\")\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps", "https://www.elastic.co/security-labs/operation-bleeding-bear", "https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data 
Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 312}, "id": "c8cccb06-faf2-4cd5-886e-2c9636cfcb87_312", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923.json b/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923.json deleted file mode 100644 index 3341671ad45..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious instances of communications apps, both unsigned and renamed ones, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware.", "from": "now-9m", "index": ["logs-endpoint.events.process-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as Communication Apps", "query": "process where host.os.type == \"windows\" and\n event.type == \"start\" and\n (\n /* Slack */\n (process.name : \"slack.exe\" and not\n (process.code_signature.subject_name in (\n \"Slack Technologies, Inc.\",\n \"Slack Technologies, LLC\"\n ) and process.code_signature.trusted == true)\n ) or\n\n /* WebEx */\n (process.name : \"WebexHost.exe\" and not\n (process.code_signature.subject_name in (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and process.code_signature.trusted == true)\n ) or\n\n /* Teams */\n (process.name : \"Teams.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Discord */\n (process.name : \"Discord.exe\" and not\n (process.code_signature.subject_name == \"Discord Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* RocketChat */\n (process.name : \"Rocket.Chat.exe\" and not\n (process.code_signature.subject_name == \"Rocket.Chat Technologies Corp.\" and process.code_signature.trusted == true)\n ) or\n\n /* Mattermost */\n (process.name : \"Mattermost.exe\" and not\n (process.code_signature.subject_name == \"Mattermost, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* WhatsApp */\n (process.name : \"WhatsApp.exe\" and not\n (process.code_signature.subject_name in (\n \"WhatsApp LLC\",\n \"WhatsApp, Inc\",\n \"24803D75-212C-471A-BC57-9EF86AB91435\"\n ) and process.code_signature.trusted == true)\n ) or\n\n /* Zoom */\n (process.name : \"Zoom.exe\" and 
not\n (process.code_signature.subject_name == \"Zoom Video Communications, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Outlook */\n (process.name : \"outlook.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Thunderbird */\n (process.name : \"thunderbird.exe\" and not\n (process.code_signature.subject_name == \"Mozilla Corporation\" and process.code_signature.trusted == true)\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c9482bfa-a553-4226-8ea2-4959bd4f7923", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}, {"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Host Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", 
"type": "eql", "version": 6}, "id": "c9482bfa-a553-4226-8ea2-4959bd4f7923", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_1.json b/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_1.json
deleted file mode 100644
index 6a74b4bb568..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies suspicious instances of communications apps, both unsigned and renamed ones, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as Communication Apps", "query": "process where host.os.type == \"windows\" and\n event.type == \"start\" and\n (\n /* Slack */\n (process.name : \"slack.exe\" and not\n (process.code_signature.subject_name : \"Slack Technologies, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* WebEx */\n (process.name : \"WebexHost.exe\" and not\n (process.code_signature.subject_name : (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and process.code_signature.trusted == true)\n ) or\n\n /* Teams */\n (process.name : \"Teams.exe\" and not\n (process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Discord */\n (process.name : \"Discord.exe\" and not\n (process.code_signature.subject_name : \"Discord Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* RocketChat */\n (process.name : \"Rocket.Chat.exe\" and not\n (process.code_signature.subject_name : \"Rocket.Chat Technologies Corp.\" and process.code_signature.trusted == true)\n ) or\n\n /* Mattermost */\n (process.name : \"Mattermost.exe\" and not\n (process.code_signature.subject_name : \"Mattermost, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* WhatsApp */\n (process.name : \"WhatsApp.exe\" and not\n (process.code_signature.subject_name : \"WhatsApp LLC\" and process.code_signature.trusted == true)\n ) or\n\n /* Zoom */\n (process.name : \"Zoom.exe\" and not\n (process.code_signature.subject_name : \"Zoom Video Communications, Inc.\" and 
process.code_signature.trusted == true)\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "c9482bfa-a553-4226-8ea2-4959bd4f7923", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "c9482bfa-a553-4226-8ea2-4959bd4f7923_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_2.json b/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_2.json deleted file mode 100644 index 7db2f500285..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies suspicious instances of communications apps, both unsigned and renamed ones, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as Communication Apps", "query": "process where host.os.type == \"windows\" and\n event.type == \"start\" and\n (\n /* Slack */\n (process.name : \"slack.exe\" and not\n (process.code_signature.subject_name in (\n \"Slack Technologies, Inc.\",\n \"Slack Technologies, LLC\"\n ) and process.code_signature.trusted == true)\n ) or\n\n /* WebEx */\n (process.name : \"WebexHost.exe\" and not\n (process.code_signature.subject_name in (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and process.code_signature.trusted == true)\n ) or\n\n /* Teams */\n (process.name : \"Teams.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Discord */\n (process.name : \"Discord.exe\" and not\n (process.code_signature.subject_name == \"Discord Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* RocketChat */\n (process.name : \"Rocket.Chat.exe\" and not\n (process.code_signature.subject_name == \"Rocket.Chat Technologies Corp.\" and process.code_signature.trusted == true)\n ) or\n\n /* Mattermost */\n (process.name : \"Mattermost.exe\" and not\n (process.code_signature.subject_name == \"Mattermost, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* WhatsApp */\n (process.name : \"WhatsApp.exe\" and not\n (process.code_signature.subject_name in (\n \"WhatsApp LLC\",\n \"WhatsApp, Inc\",\n \"24803D75-212C-471A-BC57-9EF86AB91435\"\n ) and process.code_signature.trusted == true)\n ) or\n\n /* Zoom */\n 
(process.name : \"Zoom.exe\" and not\n (process.code_signature.subject_name == \"Zoom Video Communications, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Outlook */\n (process.name : \"outlook.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Thunderbird */\n (process.name : \"thunderbird.exe\" and not\n (process.code_signature.subject_name == \"Mozilla Corporation\" and process.code_signature.trusted == true)\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "c9482bfa-a553-4226-8ea2-4959bd4f7923", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "c9482bfa-a553-4226-8ea2-4959bd4f7923_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_3.json b/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_3.json deleted file mode 100644 index 3bc55a693b4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies suspicious instances of communications apps, both unsigned and renamed ones, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as Communication Apps", "query": "process where host.os.type == \"windows\" and\n event.type == \"start\" and\n (\n /* Slack */\n (process.name : \"slack.exe\" and not\n (process.code_signature.subject_name in (\n \"Slack Technologies, Inc.\",\n \"Slack Technologies, LLC\"\n ) and process.code_signature.trusted == true)\n ) or\n\n /* WebEx */\n (process.name : \"WebexHost.exe\" and not\n (process.code_signature.subject_name in (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and process.code_signature.trusted == true)\n ) or\n\n /* Teams */\n (process.name : \"Teams.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Discord */\n (process.name : \"Discord.exe\" and not\n (process.code_signature.subject_name == \"Discord Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* RocketChat */\n (process.name : \"Rocket.Chat.exe\" and not\n (process.code_signature.subject_name == \"Rocket.Chat Technologies Corp.\" and process.code_signature.trusted == true)\n ) or\n\n /* Mattermost */\n (process.name : \"Mattermost.exe\" and not\n (process.code_signature.subject_name == \"Mattermost, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* WhatsApp */\n (process.name : \"WhatsApp.exe\" and not\n (process.code_signature.subject_name in (\n \"WhatsApp LLC\",\n \"WhatsApp, Inc\",\n \"24803D75-212C-471A-BC57-9EF86AB91435\"\n ) and process.code_signature.trusted == true)\n ) or\n\n /* Zoom */\n 
(process.name : \"Zoom.exe\" and not\n (process.code_signature.subject_name == \"Zoom Video Communications, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Outlook */\n (process.name : \"outlook.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Thunderbird */\n (process.name : \"thunderbird.exe\" and not\n (process.code_signature.subject_name == \"Mozilla Corporation\" and process.code_signature.trusted == true)\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "c9482bfa-a553-4226-8ea2-4959bd4f7923", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "c9482bfa-a553-4226-8ea2-4959bd4f7923_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_4.json b/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_4.json deleted file mode 100644 index e2852bcc7d3..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious instances of communications apps, both unsigned and renamed ones, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as Communication Apps", "query": "process where host.os.type == \"windows\" and\n event.type == \"start\" and\n (\n /* Slack */\n (process.name : \"slack.exe\" and not\n (process.code_signature.subject_name in (\n \"Slack Technologies, Inc.\",\n \"Slack Technologies, LLC\"\n ) and process.code_signature.trusted == true)\n ) or\n\n /* WebEx */\n (process.name : \"WebexHost.exe\" and not\n (process.code_signature.subject_name in (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and process.code_signature.trusted == true)\n ) or\n\n /* Teams */\n (process.name : \"Teams.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Discord */\n (process.name : \"Discord.exe\" and not\n (process.code_signature.subject_name == \"Discord Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* RocketChat */\n (process.name : \"Rocket.Chat.exe\" and not\n (process.code_signature.subject_name == \"Rocket.Chat Technologies Corp.\" and process.code_signature.trusted == true)\n ) or\n\n /* Mattermost */\n (process.name : \"Mattermost.exe\" and not\n (process.code_signature.subject_name == \"Mattermost, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* WhatsApp */\n (process.name : \"WhatsApp.exe\" and not\n (process.code_signature.subject_name in (\n \"WhatsApp LLC\",\n \"WhatsApp, Inc\",\n \"24803D75-212C-471A-BC57-9EF86AB91435\"\n ) and process.code_signature.trusted == true)\n ) or\n\n /* Zoom */\n (process.name : \"Zoom.exe\" and not\n 
(process.code_signature.subject_name == \"Zoom Video Communications, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Outlook */\n (process.name : \"outlook.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Thunderbird */\n (process.name : \"thunderbird.exe\" and not\n (process.code_signature.subject_name == \"Mozilla Corporation\" and process.code_signature.trusted == true)\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c9482bfa-a553-4226-8ea2-4959bd4f7923", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}, {"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": 
"eql", "version": 4}, "id": "c9482bfa-a553-4226-8ea2-4959bd4f7923_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_5.json b/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_5.json
deleted file mode 100644
index 0f66c08952f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c9482bfa-a553-4226-8ea2-4959bd4f7923_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious instances of communications apps, both unsigned and renamed ones, that can indicate an attempt to conceal malicious activity, bypass security features such as allowlists, or trick users into executing malware.", "from": "now-9m", "index": ["logs-endpoint.events.process-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as Communication Apps", "query": "process where host.os.type == \"windows\" and\n event.type == \"start\" and\n (\n /* Slack */\n (process.name : \"slack.exe\" and not\n (process.code_signature.subject_name in (\n \"Slack Technologies, Inc.\",\n \"Slack Technologies, LLC\"\n ) and process.code_signature.trusted == true)\n ) or\n\n /* WebEx */\n (process.name : \"WebexHost.exe\" and not\n (process.code_signature.subject_name in (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and process.code_signature.trusted == true)\n ) or\n\n /* Teams */\n (process.name : \"Teams.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Discord */\n (process.name : \"Discord.exe\" and not\n (process.code_signature.subject_name == \"Discord Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* RocketChat */\n (process.name : \"Rocket.Chat.exe\" and not\n (process.code_signature.subject_name == \"Rocket.Chat Technologies Corp.\" and process.code_signature.trusted == true)\n ) or\n\n /* Mattermost */\n (process.name : \"Mattermost.exe\" and not\n (process.code_signature.subject_name == \"Mattermost, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* WhatsApp */\n (process.name : \"WhatsApp.exe\" and not\n (process.code_signature.subject_name in (\n \"WhatsApp LLC\",\n \"WhatsApp, Inc\",\n \"24803D75-212C-471A-BC57-9EF86AB91435\"\n ) and process.code_signature.trusted == true)\n ) or\n\n /* Zoom */\n (process.name : \"Zoom.exe\" and 
not\n (process.code_signature.subject_name == \"Zoom Video Communications, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Outlook */\n (process.name : \"outlook.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Thunderbird */\n (process.name : \"thunderbird.exe\" and not\n (process.code_signature.subject_name == \"Mozilla Corporation\" and process.code_signature.trusted == true)\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "c9482bfa-a553-4226-8ea2-4959bd4f7923", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}, {"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", 
"type": "eql", "version": 5}, "id": "c9482bfa-a553-4226-8ea2-4959bd4f7923_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa.json b/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa.json
deleted file mode 100644
index b8427becc39..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Credential Manipulation - Prevented - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa", "setup": "## Setup\n\nThis rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.\n\n**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. 
For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.\n\nTo make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.\n\n**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.", "severity": "medium", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_100.json b/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_100.json deleted file mode 100644 index bdbba4a3c32..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_100.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Credential Manipulation - Prevented - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa", "severity": "medium", "tags": ["Elastic", "Elastic Endgame", "Threat Detection", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "type": "query", "version": 100}, "id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_100", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_101.json b/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_101.json deleted file mode 100644 index 648eed35cb8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Credential Manipulation - Prevented - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa", "severity": "medium", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "type": "query", "version": 101}, "id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_102.json b/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_102.json deleted file mode 100644 index 6035c1a4de6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame prevented Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Credential Manipulation - Prevented - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa", "severity": "medium", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2.json b/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2.json deleted file mode 100644 index f600090b000..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may want to modify a malware filter rule to evade detection.", "false_positives": ["A malware filter rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Malware Filter Rule Modification", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-MalwareFilterRule\" or \"Disable-MalwareFilterRule\") and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", 
"name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_101.json b/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_101.json deleted file mode 100644 index b8c30f8931f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may want to modify a malware filter rule to evade detection.", "false_positives": ["A malware filter rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Malware Filter Rule Modification", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-MalwareFilterRule\" or \"Disable-MalwareFilterRule\") and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": 
"Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_102.json b/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_102.json deleted file mode 100644 index bb041e79180..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may want to modify a malware filter rule to evade detection.", "false_positives": ["A malware filter rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Malware Filter Rule Modification", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-MalwareFilterRule\" or \"Disable-MalwareFilterRule\") and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", 
"name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_103.json b/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_103.json deleted file mode 100644 index 20f5b4952c5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may want to modify a malware filter rule to evade detection.", "false_positives": ["A malware filter rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Malware Filter Rule Modification", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-MalwareFilterRule\" or \"Disable-MalwareFilterRule\") and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", 
"name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_105.json b/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_105.json deleted file mode 100644 index 134fb42416a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ca79768e-40e1-4e45-a097-0e5fbc876ac2_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a malware filter rule has been deleted or disabled in Microsoft 365. An adversary or insider threat may want to modify a malware filter rule to evade detection.", "false_positives": ["A malware filter rule may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Malware Filter Rule Modification", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:(\"Remove-MalwareFilterRule\" or \"Disable-MalwareFilterRule\") and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", 
"name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "ca79768e-40e1-4e45-a097-0e5fbc876ac2_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389.json b/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389.json deleted file mode 100644 index 34540be40cd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes.", "from": "now-9m", "index": ["logs-endpoint.events.library-*"], "language": "eql", "license": "Elastic License v2", "name": "Unsigned DLL Side-Loading from a Suspicious Folder", "query": "library where host.os.type == \"windows\" and\n\n process.code_signature.trusted == true and \n \n (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\") and \n \n /* Suspicious Paths */\n dll.path : (\"?:\\\\PerfLogs\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Pictures\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Music\\\\*.dll\",\n \"?:\\\\Users\\\\Public\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\*.dll\",\n \"?:\\\\Windows\\\\Tasks\\\\*.dll\",\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\*.dll\",\n \"?:\\\\Intel\\\\*.dll\",\n \"?:\\\\AMD\\\\Temp\\\\*.dll\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.dll\",\n \"?:\\\\Windows\\\\security\\\\*.dll\",\n\t\t \"?:\\\\Windows\\\\System\\\\*.dll\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*.dll\",\n \"?:\\\\Windows\\\\Branding\\\\*.dll\",\n \"?:\\\\Windows\\\\csc\\\\*.dll\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*.dll\",\n \"?:\\\\Windows\\\\en-US\\\\*.dll\",\n \"?:\\\\Windows\\\\wlansvc\\\\*.dll\",\n \"?:\\\\Windows\\\\Prefetch\\\\*.dll\",\n \"?:\\\\Windows\\\\Fonts\\\\*.dll\",\n \"?:\\\\Windows\\\\diagnostics\\\\*.dll\",\n \"?:\\\\Windows\\\\TAPI\\\\*.dll\",\n \"?:\\\\Windows\\\\INF\\\\*.dll\",\n \"?:\\\\windows\\\\tracing\\\\*.dll\",\n \"?:\\\\windows\\\\IME\\\\*.dll\",\n 
\"?:\\\\Windows\\\\Performance\\\\*.dll\",\n \"?:\\\\windows\\\\intel\\\\*.dll\",\n \"?:\\\\windows\\\\ms\\\\*.dll\",\n \"?:\\\\Windows\\\\dot3svc\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceProfiles\\\\*.dll\",\n \"?:\\\\Windows\\\\panther\\\\*.dll\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.dll\",\n \"?:\\\\Windows\\\\OCR\\\\*.dll\",\n \"?:\\\\Windows\\\\appcompat\\\\*.dll\",\n \"?:\\\\Windows\\\\apppatch\\\\*.dll\",\n \"?:\\\\Windows\\\\addins\\\\*.dll\",\n \"?:\\\\Windows\\\\Setup\\\\*.dll\",\n \"?:\\\\Windows\\\\Help\\\\*.dll\",\n \"?:\\\\Windows\\\\SKB\\\\*.dll\",\n \"?:\\\\Windows\\\\Vss\\\\*.dll\",\n \"?:\\\\Windows\\\\Web\\\\*.dll\",\n \"?:\\\\Windows\\\\servicing\\\\*.dll\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*.dll\",\n \"?:\\\\Windows\\\\Logs\\\\*.dll\",\n \"?:\\\\Windows\\\\WaaS\\\\*.dll\",\n \"?:\\\\Windows\\\\twain_32\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.dll\",\n \"?:\\\\Windows\\\\PLA\\\\*.dll\",\n \"?:\\\\Windows\\\\Migration\\\\*.dll\",\n \"?:\\\\Windows\\\\debug\\\\*.dll\",\n \"?:\\\\Windows\\\\Cursors\\\\*.dll\",\n \"?:\\\\Windows\\\\Containers\\\\*.dll\",\n \"?:\\\\Windows\\\\Boot\\\\*.dll\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*.dll\",\n \"?:\\\\Windows\\\\TextInput\\\\*.dll\",\n \"?:\\\\Windows\\\\schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\SchCache\\\\*.dll\",\n \"?:\\\\Windows\\\\Resources\\\\*.dll\",\n \"?:\\\\Windows\\\\rescache\\\\*.dll\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.dll\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*.dll\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.dll\",\n \"?:\\\\Windows\\\\media\\\\*.dll\",\n \"?:\\\\Windows\\\\Globalization\\\\*.dll\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.dll\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*.dll\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.dll\",\n \"?:\\\\$Recycle.Bin\\\\*.dll\") and \n\t \n\t /* DLL loaded from the process.executable current directory */\n\t 
endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "dll.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": false, "name": "dll.Ext.relative_file_name_modify_time", "type": "unknown"}, {"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "dll.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}, 
{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_2.json b/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_2.json deleted file mode 100644 index 98636fd7f52..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Unsigned DLL Side-Loading from a Suspicious Folder", "note": "", "query": "library where host.os.type == \"windows\" and\n\n process.code_signature.trusted == true and \n \n (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\") and \n \n /* Suspicious Paths */\n dll.path : (\"?:\\\\PerfLogs\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Pictures\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Music\\\\*.dll\",\n \"?:\\\\Users\\\\Public\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\*.dll\",\n \"?:\\\\Windows\\\\Tasks\\\\*.dll\",\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\*.dll\",\n \"?:\\\\Intel\\\\*.dll\",\n \"?:\\\\AMD\\\\Temp\\\\*.dll\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.dll\",\n \"?:\\\\Windows\\\\security\\\\*.dll\",\n\t\t \"?:\\\\Windows\\\\System\\\\*.dll\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*.dll\",\n \"?:\\\\Windows\\\\Branding\\\\*.dll\",\n \"?:\\\\Windows\\\\csc\\\\*.dll\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*.dll\",\n \"?:\\\\Windows\\\\en-US\\\\*.dll\",\n \"?:\\\\Windows\\\\wlansvc\\\\*.dll\",\n \"?:\\\\Windows\\\\Prefetch\\\\*.dll\",\n \"?:\\\\Windows\\\\Fonts\\\\*.dll\",\n \"?:\\\\Windows\\\\diagnostics\\\\*.dll\",\n \"?:\\\\Windows\\\\TAPI\\\\*.dll\",\n \"?:\\\\Windows\\\\INF\\\\*.dll\",\n \"?:\\\\windows\\\\tracing\\\\*.dll\",\n \"?:\\\\windows\\\\IME\\\\*.dll\",\n 
\"?:\\\\Windows\\\\Performance\\\\*.dll\",\n \"?:\\\\windows\\\\intel\\\\*.dll\",\n \"?:\\\\windows\\\\ms\\\\*.dll\",\n \"?:\\\\Windows\\\\dot3svc\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceProfiles\\\\*.dll\",\n \"?:\\\\Windows\\\\panther\\\\*.dll\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.dll\",\n \"?:\\\\Windows\\\\OCR\\\\*.dll\",\n \"?:\\\\Windows\\\\appcompat\\\\*.dll\",\n \"?:\\\\Windows\\\\apppatch\\\\*.dll\",\n \"?:\\\\Windows\\\\addins\\\\*.dll\",\n \"?:\\\\Windows\\\\Setup\\\\*.dll\",\n \"?:\\\\Windows\\\\Help\\\\*.dll\",\n \"?:\\\\Windows\\\\SKB\\\\*.dll\",\n \"?:\\\\Windows\\\\Vss\\\\*.dll\",\n \"?:\\\\Windows\\\\Web\\\\*.dll\",\n \"?:\\\\Windows\\\\servicing\\\\*.dll\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*.dll\",\n \"?:\\\\Windows\\\\Logs\\\\*.dll\",\n \"?:\\\\Windows\\\\WaaS\\\\*.dll\",\n \"?:\\\\Windows\\\\twain_32\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.dll\",\n \"?:\\\\Windows\\\\PLA\\\\*.dll\",\n \"?:\\\\Windows\\\\Migration\\\\*.dll\",\n \"?:\\\\Windows\\\\debug\\\\*.dll\",\n \"?:\\\\Windows\\\\Cursors\\\\*.dll\",\n \"?:\\\\Windows\\\\Containers\\\\*.dll\",\n \"?:\\\\Windows\\\\Boot\\\\*.dll\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*.dll\",\n \"?:\\\\Windows\\\\TextInput\\\\*.dll\",\n \"?:\\\\Windows\\\\schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\SchCache\\\\*.dll\",\n \"?:\\\\Windows\\\\Resources\\\\*.dll\",\n \"?:\\\\Windows\\\\rescache\\\\*.dll\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.dll\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*.dll\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.dll\",\n \"?:\\\\Windows\\\\media\\\\*.dll\",\n \"?:\\\\Windows\\\\Globalization\\\\*.dll\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.dll\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*.dll\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.dll\",\n \"?:\\\\$Recycle.Bin\\\\*.dll\") and \n\t \n\t /* DLL loaded from the process.executable current directory */\n\t 
endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "dll.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": false, "name": "dll.Ext.relative_file_name_modify_time", "type": "unknown"}, {"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "dll.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_3.json b/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_3.json deleted file mode 100644 index 2401853448f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_3.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Unsigned DLL Side-Loading from a Suspicious Folder", "note": "", "query": "library where host.os.type == \"windows\" and\n\n process.code_signature.trusted == true and \n \n (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\") and \n \n /* Suspicious Paths */\n dll.path : (\"?:\\\\PerfLogs\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Pictures\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Music\\\\*.dll\",\n \"?:\\\\Users\\\\Public\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\*.dll\",\n \"?:\\\\Windows\\\\Tasks\\\\*.dll\",\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\*.dll\",\n \"?:\\\\Intel\\\\*.dll\",\n \"?:\\\\AMD\\\\Temp\\\\*.dll\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.dll\",\n \"?:\\\\Windows\\\\security\\\\*.dll\",\n\t\t \"?:\\\\Windows\\\\System\\\\*.dll\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*.dll\",\n \"?:\\\\Windows\\\\Branding\\\\*.dll\",\n \"?:\\\\Windows\\\\csc\\\\*.dll\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*.dll\",\n \"?:\\\\Windows\\\\en-US\\\\*.dll\",\n \"?:\\\\Windows\\\\wlansvc\\\\*.dll\",\n \"?:\\\\Windows\\\\Prefetch\\\\*.dll\",\n \"?:\\\\Windows\\\\Fonts\\\\*.dll\",\n \"?:\\\\Windows\\\\diagnostics\\\\*.dll\",\n \"?:\\\\Windows\\\\TAPI\\\\*.dll\",\n \"?:\\\\Windows\\\\INF\\\\*.dll\",\n \"?:\\\\windows\\\\tracing\\\\*.dll\",\n \"?:\\\\windows\\\\IME\\\\*.dll\",\n 
\"?:\\\\Windows\\\\Performance\\\\*.dll\",\n \"?:\\\\windows\\\\intel\\\\*.dll\",\n \"?:\\\\windows\\\\ms\\\\*.dll\",\n \"?:\\\\Windows\\\\dot3svc\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceProfiles\\\\*.dll\",\n \"?:\\\\Windows\\\\panther\\\\*.dll\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.dll\",\n \"?:\\\\Windows\\\\OCR\\\\*.dll\",\n \"?:\\\\Windows\\\\appcompat\\\\*.dll\",\n \"?:\\\\Windows\\\\apppatch\\\\*.dll\",\n \"?:\\\\Windows\\\\addins\\\\*.dll\",\n \"?:\\\\Windows\\\\Setup\\\\*.dll\",\n \"?:\\\\Windows\\\\Help\\\\*.dll\",\n \"?:\\\\Windows\\\\SKB\\\\*.dll\",\n \"?:\\\\Windows\\\\Vss\\\\*.dll\",\n \"?:\\\\Windows\\\\Web\\\\*.dll\",\n \"?:\\\\Windows\\\\servicing\\\\*.dll\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*.dll\",\n \"?:\\\\Windows\\\\Logs\\\\*.dll\",\n \"?:\\\\Windows\\\\WaaS\\\\*.dll\",\n \"?:\\\\Windows\\\\twain_32\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.dll\",\n \"?:\\\\Windows\\\\PLA\\\\*.dll\",\n \"?:\\\\Windows\\\\Migration\\\\*.dll\",\n \"?:\\\\Windows\\\\debug\\\\*.dll\",\n \"?:\\\\Windows\\\\Cursors\\\\*.dll\",\n \"?:\\\\Windows\\\\Containers\\\\*.dll\",\n \"?:\\\\Windows\\\\Boot\\\\*.dll\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*.dll\",\n \"?:\\\\Windows\\\\TextInput\\\\*.dll\",\n \"?:\\\\Windows\\\\schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\SchCache\\\\*.dll\",\n \"?:\\\\Windows\\\\Resources\\\\*.dll\",\n \"?:\\\\Windows\\\\rescache\\\\*.dll\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.dll\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*.dll\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.dll\",\n \"?:\\\\Windows\\\\media\\\\*.dll\",\n \"?:\\\\Windows\\\\Globalization\\\\*.dll\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.dll\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*.dll\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.dll\",\n \"?:\\\\$Recycle.Bin\\\\*.dll\") and \n\t \n\t /* DLL loaded from the process.executable current directory */\n\t 
endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "dll.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": false, "name": "dll.Ext.relative_file_name_modify_time", "type": "unknown"}, {"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "dll.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_4.json b/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_4.json
deleted file mode 100644
index bfd77ff9517..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Unsigned DLL Side-Loading from a Suspicious Folder", "note": "", "query": "library where host.os.type == \"windows\" and\n\n process.code_signature.trusted == true and \n \n (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\") and \n \n /* Suspicious Paths */\n dll.path : (\"?:\\\\PerfLogs\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Pictures\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Music\\\\*.dll\",\n \"?:\\\\Users\\\\Public\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\*.dll\",\n \"?:\\\\Windows\\\\Tasks\\\\*.dll\",\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\*.dll\",\n \"?:\\\\Intel\\\\*.dll\",\n \"?:\\\\AMD\\\\Temp\\\\*.dll\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.dll\",\n \"?:\\\\Windows\\\\security\\\\*.dll\",\n\t\t \"?:\\\\Windows\\\\System\\\\*.dll\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*.dll\",\n \"?:\\\\Windows\\\\Branding\\\\*.dll\",\n \"?:\\\\Windows\\\\csc\\\\*.dll\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*.dll\",\n \"?:\\\\Windows\\\\en-US\\\\*.dll\",\n \"?:\\\\Windows\\\\wlansvc\\\\*.dll\",\n \"?:\\\\Windows\\\\Prefetch\\\\*.dll\",\n \"?:\\\\Windows\\\\Fonts\\\\*.dll\",\n \"?:\\\\Windows\\\\diagnostics\\\\*.dll\",\n \"?:\\\\Windows\\\\TAPI\\\\*.dll\",\n \"?:\\\\Windows\\\\INF\\\\*.dll\",\n \"?:\\\\windows\\\\tracing\\\\*.dll\",\n \"?:\\\\windows\\\\IME\\\\*.dll\",\n 
\"?:\\\\Windows\\\\Performance\\\\*.dll\",\n \"?:\\\\windows\\\\intel\\\\*.dll\",\n \"?:\\\\windows\\\\ms\\\\*.dll\",\n \"?:\\\\Windows\\\\dot3svc\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceProfiles\\\\*.dll\",\n \"?:\\\\Windows\\\\panther\\\\*.dll\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.dll\",\n \"?:\\\\Windows\\\\OCR\\\\*.dll\",\n \"?:\\\\Windows\\\\appcompat\\\\*.dll\",\n \"?:\\\\Windows\\\\apppatch\\\\*.dll\",\n \"?:\\\\Windows\\\\addins\\\\*.dll\",\n \"?:\\\\Windows\\\\Setup\\\\*.dll\",\n \"?:\\\\Windows\\\\Help\\\\*.dll\",\n \"?:\\\\Windows\\\\SKB\\\\*.dll\",\n \"?:\\\\Windows\\\\Vss\\\\*.dll\",\n \"?:\\\\Windows\\\\Web\\\\*.dll\",\n \"?:\\\\Windows\\\\servicing\\\\*.dll\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*.dll\",\n \"?:\\\\Windows\\\\Logs\\\\*.dll\",\n \"?:\\\\Windows\\\\WaaS\\\\*.dll\",\n \"?:\\\\Windows\\\\twain_32\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.dll\",\n \"?:\\\\Windows\\\\PLA\\\\*.dll\",\n \"?:\\\\Windows\\\\Migration\\\\*.dll\",\n \"?:\\\\Windows\\\\debug\\\\*.dll\",\n \"?:\\\\Windows\\\\Cursors\\\\*.dll\",\n \"?:\\\\Windows\\\\Containers\\\\*.dll\",\n \"?:\\\\Windows\\\\Boot\\\\*.dll\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*.dll\",\n \"?:\\\\Windows\\\\TextInput\\\\*.dll\",\n \"?:\\\\Windows\\\\schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\SchCache\\\\*.dll\",\n \"?:\\\\Windows\\\\Resources\\\\*.dll\",\n \"?:\\\\Windows\\\\rescache\\\\*.dll\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.dll\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*.dll\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.dll\",\n \"?:\\\\Windows\\\\media\\\\*.dll\",\n \"?:\\\\Windows\\\\Globalization\\\\*.dll\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.dll\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*.dll\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.dll\",\n \"?:\\\\$Recycle.Bin\\\\*.dll\") and \n\t \n\t /* DLL loaded from the process.executable current directory */\n\t 
endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "dll.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": false, "name": "dll.Ext.relative_file_name_modify_time", "type": "unknown"}, {"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "dll.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_5.json b/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_5.json
deleted file mode 100644
index 4bd9b0b2d4d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Unsigned DLL Side-Loading from a Suspicious Folder", "note": "", "query": "library where host.os.type == \"windows\" and\n\n process.code_signature.trusted == true and \n \n (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\") and \n \n /* Suspicious Paths */\n dll.path : (\"?:\\\\PerfLogs\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Pictures\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Music\\\\*.dll\",\n \"?:\\\\Users\\\\Public\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\*.dll\",\n \"?:\\\\Windows\\\\Tasks\\\\*.dll\",\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\*.dll\",\n \"?:\\\\Intel\\\\*.dll\",\n \"?:\\\\AMD\\\\Temp\\\\*.dll\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.dll\",\n \"?:\\\\Windows\\\\security\\\\*.dll\",\n\t\t \"?:\\\\Windows\\\\System\\\\*.dll\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*.dll\",\n \"?:\\\\Windows\\\\Branding\\\\*.dll\",\n \"?:\\\\Windows\\\\csc\\\\*.dll\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*.dll\",\n \"?:\\\\Windows\\\\en-US\\\\*.dll\",\n \"?:\\\\Windows\\\\wlansvc\\\\*.dll\",\n \"?:\\\\Windows\\\\Prefetch\\\\*.dll\",\n \"?:\\\\Windows\\\\Fonts\\\\*.dll\",\n \"?:\\\\Windows\\\\diagnostics\\\\*.dll\",\n \"?:\\\\Windows\\\\TAPI\\\\*.dll\",\n \"?:\\\\Windows\\\\INF\\\\*.dll\",\n \"?:\\\\windows\\\\tracing\\\\*.dll\",\n \"?:\\\\windows\\\\IME\\\\*.dll\",\n 
\"?:\\\\Windows\\\\Performance\\\\*.dll\",\n \"?:\\\\windows\\\\intel\\\\*.dll\",\n \"?:\\\\windows\\\\ms\\\\*.dll\",\n \"?:\\\\Windows\\\\dot3svc\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceProfiles\\\\*.dll\",\n \"?:\\\\Windows\\\\panther\\\\*.dll\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.dll\",\n \"?:\\\\Windows\\\\OCR\\\\*.dll\",\n \"?:\\\\Windows\\\\appcompat\\\\*.dll\",\n \"?:\\\\Windows\\\\apppatch\\\\*.dll\",\n \"?:\\\\Windows\\\\addins\\\\*.dll\",\n \"?:\\\\Windows\\\\Setup\\\\*.dll\",\n \"?:\\\\Windows\\\\Help\\\\*.dll\",\n \"?:\\\\Windows\\\\SKB\\\\*.dll\",\n \"?:\\\\Windows\\\\Vss\\\\*.dll\",\n \"?:\\\\Windows\\\\Web\\\\*.dll\",\n \"?:\\\\Windows\\\\servicing\\\\*.dll\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*.dll\",\n \"?:\\\\Windows\\\\Logs\\\\*.dll\",\n \"?:\\\\Windows\\\\WaaS\\\\*.dll\",\n \"?:\\\\Windows\\\\twain_32\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.dll\",\n \"?:\\\\Windows\\\\PLA\\\\*.dll\",\n \"?:\\\\Windows\\\\Migration\\\\*.dll\",\n \"?:\\\\Windows\\\\debug\\\\*.dll\",\n \"?:\\\\Windows\\\\Cursors\\\\*.dll\",\n \"?:\\\\Windows\\\\Containers\\\\*.dll\",\n \"?:\\\\Windows\\\\Boot\\\\*.dll\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*.dll\",\n \"?:\\\\Windows\\\\TextInput\\\\*.dll\",\n \"?:\\\\Windows\\\\schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\SchCache\\\\*.dll\",\n \"?:\\\\Windows\\\\Resources\\\\*.dll\",\n \"?:\\\\Windows\\\\rescache\\\\*.dll\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.dll\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*.dll\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.dll\",\n \"?:\\\\Windows\\\\media\\\\*.dll\",\n \"?:\\\\Windows\\\\Globalization\\\\*.dll\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.dll\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*.dll\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.dll\",\n \"?:\\\\$Recycle.Bin\\\\*.dll\") and \n\t \n\t /* DLL loaded from the process.executable current directory */\n\t 
endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "dll.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": false, "name": "dll.Ext.relative_file_name_modify_time", "type": "unknown"}, {"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "dll.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": 
"https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_6.json b/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_6.json
deleted file mode 100644
index 18d8bf4cc4b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Unsigned DLL Side-Loading from a Suspicious Folder", "query": "library where host.os.type == \"windows\" and\n\n process.code_signature.trusted == true and \n \n (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\") and \n \n /* Suspicious Paths */\n dll.path : (\"?:\\\\PerfLogs\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Pictures\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Music\\\\*.dll\",\n \"?:\\\\Users\\\\Public\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\*.dll\",\n \"?:\\\\Windows\\\\Tasks\\\\*.dll\",\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\*.dll\",\n \"?:\\\\Intel\\\\*.dll\",\n \"?:\\\\AMD\\\\Temp\\\\*.dll\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.dll\",\n \"?:\\\\Windows\\\\security\\\\*.dll\",\n\t\t \"?:\\\\Windows\\\\System\\\\*.dll\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*.dll\",\n \"?:\\\\Windows\\\\Branding\\\\*.dll\",\n \"?:\\\\Windows\\\\csc\\\\*.dll\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*.dll\",\n \"?:\\\\Windows\\\\en-US\\\\*.dll\",\n \"?:\\\\Windows\\\\wlansvc\\\\*.dll\",\n \"?:\\\\Windows\\\\Prefetch\\\\*.dll\",\n \"?:\\\\Windows\\\\Fonts\\\\*.dll\",\n \"?:\\\\Windows\\\\diagnostics\\\\*.dll\",\n \"?:\\\\Windows\\\\TAPI\\\\*.dll\",\n \"?:\\\\Windows\\\\INF\\\\*.dll\",\n \"?:\\\\windows\\\\tracing\\\\*.dll\",\n \"?:\\\\windows\\\\IME\\\\*.dll\",\n 
\"?:\\\\Windows\\\\Performance\\\\*.dll\",\n \"?:\\\\windows\\\\intel\\\\*.dll\",\n \"?:\\\\windows\\\\ms\\\\*.dll\",\n \"?:\\\\Windows\\\\dot3svc\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceProfiles\\\\*.dll\",\n \"?:\\\\Windows\\\\panther\\\\*.dll\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.dll\",\n \"?:\\\\Windows\\\\OCR\\\\*.dll\",\n \"?:\\\\Windows\\\\appcompat\\\\*.dll\",\n \"?:\\\\Windows\\\\apppatch\\\\*.dll\",\n \"?:\\\\Windows\\\\addins\\\\*.dll\",\n \"?:\\\\Windows\\\\Setup\\\\*.dll\",\n \"?:\\\\Windows\\\\Help\\\\*.dll\",\n \"?:\\\\Windows\\\\SKB\\\\*.dll\",\n \"?:\\\\Windows\\\\Vss\\\\*.dll\",\n \"?:\\\\Windows\\\\Web\\\\*.dll\",\n \"?:\\\\Windows\\\\servicing\\\\*.dll\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*.dll\",\n \"?:\\\\Windows\\\\Logs\\\\*.dll\",\n \"?:\\\\Windows\\\\WaaS\\\\*.dll\",\n \"?:\\\\Windows\\\\twain_32\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.dll\",\n \"?:\\\\Windows\\\\PLA\\\\*.dll\",\n \"?:\\\\Windows\\\\Migration\\\\*.dll\",\n \"?:\\\\Windows\\\\debug\\\\*.dll\",\n \"?:\\\\Windows\\\\Cursors\\\\*.dll\",\n \"?:\\\\Windows\\\\Containers\\\\*.dll\",\n \"?:\\\\Windows\\\\Boot\\\\*.dll\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*.dll\",\n \"?:\\\\Windows\\\\TextInput\\\\*.dll\",\n \"?:\\\\Windows\\\\schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\SchCache\\\\*.dll\",\n \"?:\\\\Windows\\\\Resources\\\\*.dll\",\n \"?:\\\\Windows\\\\rescache\\\\*.dll\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.dll\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*.dll\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.dll\",\n \"?:\\\\Windows\\\\media\\\\*.dll\",\n \"?:\\\\Windows\\\\Globalization\\\\*.dll\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.dll\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*.dll\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.dll\",\n \"?:\\\\$Recycle.Bin\\\\*.dll\") and \n\t \n\t /* DLL loaded from the process.executable current directory */\n\t 
endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "dll.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": false, "name": "dll.Ext.relative_file_name_modify_time", "type": "unknown"}, {"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "dll.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}, {"id": 
"T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_7.json b/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_7.json
deleted file mode 100644
index 55ffa0e5e09..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Unsigned DLL Side-Loading from a Suspicious Folder", "query": "library where host.os.type == \"windows\" and\n\n process.code_signature.trusted == true and \n \n (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\") and \n \n /* Suspicious Paths */\n dll.path : (\"?:\\\\PerfLogs\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Pictures\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Music\\\\*.dll\",\n \"?:\\\\Users\\\\Public\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\*.dll\",\n \"?:\\\\Windows\\\\Tasks\\\\*.dll\",\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\*.dll\",\n \"?:\\\\Intel\\\\*.dll\",\n \"?:\\\\AMD\\\\Temp\\\\*.dll\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.dll\",\n \"?:\\\\Windows\\\\security\\\\*.dll\",\n\t\t \"?:\\\\Windows\\\\System\\\\*.dll\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*.dll\",\n \"?:\\\\Windows\\\\Branding\\\\*.dll\",\n \"?:\\\\Windows\\\\csc\\\\*.dll\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*.dll\",\n \"?:\\\\Windows\\\\en-US\\\\*.dll\",\n \"?:\\\\Windows\\\\wlansvc\\\\*.dll\",\n \"?:\\\\Windows\\\\Prefetch\\\\*.dll\",\n \"?:\\\\Windows\\\\Fonts\\\\*.dll\",\n \"?:\\\\Windows\\\\diagnostics\\\\*.dll\",\n \"?:\\\\Windows\\\\TAPI\\\\*.dll\",\n \"?:\\\\Windows\\\\INF\\\\*.dll\",\n \"?:\\\\windows\\\\tracing\\\\*.dll\",\n \"?:\\\\windows\\\\IME\\\\*.dll\",\n 
\"?:\\\\Windows\\\\Performance\\\\*.dll\",\n \"?:\\\\windows\\\\intel\\\\*.dll\",\n \"?:\\\\windows\\\\ms\\\\*.dll\",\n \"?:\\\\Windows\\\\dot3svc\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceProfiles\\\\*.dll\",\n \"?:\\\\Windows\\\\panther\\\\*.dll\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.dll\",\n \"?:\\\\Windows\\\\OCR\\\\*.dll\",\n \"?:\\\\Windows\\\\appcompat\\\\*.dll\",\n \"?:\\\\Windows\\\\apppatch\\\\*.dll\",\n \"?:\\\\Windows\\\\addins\\\\*.dll\",\n \"?:\\\\Windows\\\\Setup\\\\*.dll\",\n \"?:\\\\Windows\\\\Help\\\\*.dll\",\n \"?:\\\\Windows\\\\SKB\\\\*.dll\",\n \"?:\\\\Windows\\\\Vss\\\\*.dll\",\n \"?:\\\\Windows\\\\Web\\\\*.dll\",\n \"?:\\\\Windows\\\\servicing\\\\*.dll\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*.dll\",\n \"?:\\\\Windows\\\\Logs\\\\*.dll\",\n \"?:\\\\Windows\\\\WaaS\\\\*.dll\",\n \"?:\\\\Windows\\\\twain_32\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.dll\",\n \"?:\\\\Windows\\\\PLA\\\\*.dll\",\n \"?:\\\\Windows\\\\Migration\\\\*.dll\",\n \"?:\\\\Windows\\\\debug\\\\*.dll\",\n \"?:\\\\Windows\\\\Cursors\\\\*.dll\",\n \"?:\\\\Windows\\\\Containers\\\\*.dll\",\n \"?:\\\\Windows\\\\Boot\\\\*.dll\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*.dll\",\n \"?:\\\\Windows\\\\TextInput\\\\*.dll\",\n \"?:\\\\Windows\\\\schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\SchCache\\\\*.dll\",\n \"?:\\\\Windows\\\\Resources\\\\*.dll\",\n \"?:\\\\Windows\\\\rescache\\\\*.dll\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.dll\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*.dll\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.dll\",\n \"?:\\\\Windows\\\\media\\\\*.dll\",\n \"?:\\\\Windows\\\\Globalization\\\\*.dll\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.dll\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*.dll\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.dll\",\n \"?:\\\\$Recycle.Bin\\\\*.dll\") and \n\t \n\t /* DLL loaded from the process.executable current directory */\n\t 
endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "dll.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": false, "name": "dll.Ext.relative_file_name_modify_time", "type": "unknown"}, {"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "dll.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}, 
{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_8.json b/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_8.json
deleted file mode 100644
index 989f9a607ae..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ca98c7cf-a56e-4057-a4e8-39603f7f0389_8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped DLL. This behavior may indicate an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed processes.", "from": "now-9m", "index": ["logs-endpoint.events.library-*"], "language": "eql", "license": "Elastic License v2", "name": "Unsigned DLL Side-Loading from a Suspicious Folder", "query": "library where host.os.type == \"windows\" and\n\n process.code_signature.trusted == true and \n \n (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and \n \n not dll.code_signature.status : (\"trusted\", \"errorExpired\", \"errorCode_endpoint*\", \"errorChaining\") and \n \n /* Suspicious Paths */\n dll.path : (\"?:\\\\PerfLogs\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Pictures\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Music\\\\*.dll\",\n \"?:\\\\Users\\\\Public\\\\*.dll\",\n \"?:\\\\Users\\\\*\\\\Documents\\\\*.dll\",\n \"?:\\\\Windows\\\\Tasks\\\\*.dll\",\n \"?:\\\\Windows\\\\System32\\\\Tasks\\\\*.dll\",\n \"?:\\\\Intel\\\\*.dll\",\n \"?:\\\\AMD\\\\Temp\\\\*.dll\",\n \"?:\\\\Windows\\\\AppReadiness\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.dll\",\n \"?:\\\\Windows\\\\security\\\\*.dll\",\n\t\t \"?:\\\\Windows\\\\System\\\\*.dll\",\n \"?:\\\\Windows\\\\IdentityCRL\\\\*.dll\",\n \"?:\\\\Windows\\\\Branding\\\\*.dll\",\n \"?:\\\\Windows\\\\csc\\\\*.dll\",\n \"?:\\\\Windows\\\\DigitalLocker\\\\*.dll\",\n \"?:\\\\Windows\\\\en-US\\\\*.dll\",\n \"?:\\\\Windows\\\\wlansvc\\\\*.dll\",\n \"?:\\\\Windows\\\\Prefetch\\\\*.dll\",\n \"?:\\\\Windows\\\\Fonts\\\\*.dll\",\n \"?:\\\\Windows\\\\diagnostics\\\\*.dll\",\n \"?:\\\\Windows\\\\TAPI\\\\*.dll\",\n \"?:\\\\Windows\\\\INF\\\\*.dll\",\n \"?:\\\\windows\\\\tracing\\\\*.dll\",\n \"?:\\\\windows\\\\IME\\\\*.dll\",\n 
\"?:\\\\Windows\\\\Performance\\\\*.dll\",\n \"?:\\\\windows\\\\intel\\\\*.dll\",\n \"?:\\\\windows\\\\ms\\\\*.dll\",\n \"?:\\\\Windows\\\\dot3svc\\\\*.dll\",\n \"?:\\\\Windows\\\\ServiceProfiles\\\\*.dll\",\n \"?:\\\\Windows\\\\panther\\\\*.dll\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.dll\",\n \"?:\\\\Windows\\\\OCR\\\\*.dll\",\n \"?:\\\\Windows\\\\appcompat\\\\*.dll\",\n \"?:\\\\Windows\\\\apppatch\\\\*.dll\",\n \"?:\\\\Windows\\\\addins\\\\*.dll\",\n \"?:\\\\Windows\\\\Setup\\\\*.dll\",\n \"?:\\\\Windows\\\\Help\\\\*.dll\",\n \"?:\\\\Windows\\\\SKB\\\\*.dll\",\n \"?:\\\\Windows\\\\Vss\\\\*.dll\",\n \"?:\\\\Windows\\\\Web\\\\*.dll\",\n \"?:\\\\Windows\\\\servicing\\\\*.dll\",\n \"?:\\\\Windows\\\\CbsTemp\\\\*.dll\",\n \"?:\\\\Windows\\\\Logs\\\\*.dll\",\n \"?:\\\\Windows\\\\WaaS\\\\*.dll\",\n \"?:\\\\Windows\\\\twain_32\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellExperiences\\\\*.dll\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.dll\",\n \"?:\\\\Windows\\\\PLA\\\\*.dll\",\n \"?:\\\\Windows\\\\Migration\\\\*.dll\",\n \"?:\\\\Windows\\\\debug\\\\*.dll\",\n \"?:\\\\Windows\\\\Cursors\\\\*.dll\",\n \"?:\\\\Windows\\\\Containers\\\\*.dll\",\n \"?:\\\\Windows\\\\Boot\\\\*.dll\",\n \"?:\\\\Windows\\\\bcastdvr\\\\*.dll\",\n \"?:\\\\Windows\\\\TextInput\\\\*.dll\",\n \"?:\\\\Windows\\\\schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\SchCache\\\\*.dll\",\n \"?:\\\\Windows\\\\Resources\\\\*.dll\",\n \"?:\\\\Windows\\\\rescache\\\\*.dll\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.dll\",\n \"?:\\\\Windows\\\\PrintDialog\\\\*.dll\",\n \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.dll\",\n \"?:\\\\Windows\\\\media\\\\*.dll\",\n \"?:\\\\Windows\\\\Globalization\\\\*.dll\",\n \"?:\\\\Windows\\\\L2Schemas\\\\*.dll\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.dll\",\n \"?:\\\\Windows\\\\ModemLogs\\\\*.dll\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.dll\",\n \"?:\\\\$Recycle.Bin\\\\*.dll\") and \n\t \n\t /* DLL loaded from the process.executable current directory */\n\t 
endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "dll.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": false, "name": "dll.Ext.relative_file_name_modify_time", "type": "unknown"}, {"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "dll.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}, 
{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "ca98c7cf-a56e-4057-a4e8-39603f7f0389_8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce.json
deleted file mode 100644
index b40c3b064d3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.", "false_positives": ["False-Positives (FP) can appear if the PID file is legitimate and holding a process ID as intended. To differentiate, if the PID file is an executable or larger than 10 bytes, it should be ruled suspicious."], "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Abnormal Process ID or Lock File Created", "new_terms_fields": ["host.id", "process.executable", "file.path"], "note": "## Triage and analysis\n\n### Investigating Abnormal Process ID or Lock File Created\n\nLinux applications may need to save their process identification number (PID) for various purposes: from signaling that a program is running to serving as a signal that a previous instance of an application didn't exit successfully. PID files contain its creator process PID in an integer value.\n\nLinux lock files are used to coordinate operations in files so that conflicts and race conditions are prevented.\n\nThis rule identifies the creation of PID, lock, or reboot files in the /var/run/ directory. Attackers can masquerade malware, payloads, staged data for exfiltration, and more as legitimate PID files.\n\n#### Possible investigation steps\n\n- Retrieve the file and determine if it is malicious:\n - Check the contents of the PID files. They should only contain integer strings.\n - Check the file type of the lock and PID files to determine if they are executables. 
This is only observed in malicious files.\n - Check the size of the subject file. Legitimate PID files should be under 10 bytes.\n - Check if the lock or PID file has high entropy. This typically indicates an encrypted payload.\n - Analysts can use tools like `ent` to measure entropy.\n - Examine the reputation of the SHA-256 hash in the PID file. Use a database like VirusTotal to identify additional pivots and artifacts for investigation.\n- Trace the file's creation to ensure it came from a legitimate or authorized process.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- False positives can appear if the PID file is legitimate and holding a process ID as intended. If the PID file is an executable or has a file size that's larger than 10 bytes, it should be ruled suspicious.\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of file name and process executable conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:linux and event.category:file and event.action:(creation or file_create_event) and\nuser.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and (\n (process.name : (\n bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp)\n ) or (\n process.executable : (\n ./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/*\n ))\n) and not process.name : (go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or \nvzctl or ifup or rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat) and\nnot file.name : (jem.*.pid)\n", "references": ["https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", 
"type": "keyword"}], "risk_score": 47, "rule_id": "cac91072-d165-11ec-a764-f661ea17fbce", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 213}, "id": "cac91072-d165-11ec-a764-f661ea17fbce", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_105.json
deleted file mode 100644
index 9194089cfcd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.", "false_positives": ["False-Positives (FP) can appear if the PID file is legitimate and holding a process ID as intended. To differentiate, if the PID file is an executable or larger than 10 bytes, it should be ruled suspicious."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Abnormal Process ID or Lock File Created", "note": "## Triage and analysis\n\n### Investigating Abnormal Process ID or Lock File Created\n\nLinux applications may need to save their process identification number (PID) for various purposes: from signaling that a program is running to serving as a signal that a previous instance of an application didn't exit successfully. PID files contain its creator process PID in an integer value.\n\nLinux lock files are used to coordinate operations in files so that conflicts and race conditions are prevented.\n\nThis rule identifies the creation of PID, lock, or reboot files in the /var/run/ directory. Attackers can masquerade malware, payloads, staged data for exfiltration, and more as legitimate PID files.\n\n#### Possible investigation steps\n\n- Retrieve the file and determine if it is malicious:\n - Check the contents of the PID files. They should only contain integer strings.\n - Check the file type of the lock and PID files to determine if they are executables. This is only observed in malicious files.\n - Check the size of the subject file. 
Legitimate PID files should be under 10 bytes.\n - Check if the lock or PID file has high entropy. This typically indicates an encrypted payload.\n - Analysts can use tools like `ent` to measure entropy.\n - Examine the reputation of the SHA-256 hash in the PID file. Use a database like VirusTotal to identify additional pivots and artifacts for investigation.\n- Trace the file's creation to ensure it came from a legitimate or authorized process.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- False positives can appear if the PID file is legitimate and holding a process ID as intended. If the PID file is an executable or has a file size that's larger than 10 bytes, it should be ruled suspicious.\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of file name and process executable conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "/* add file size filters when data is available */\nfile where host.os.type == \"linux\" and event.type == \"creation\" and user.id == \"0\" and\n file.path regex~ \"\"\"/var/run/\\w+\\.(pid|lock|reboot)\"\"\" and file.extension in (\"pid\",\"lock\",\"reboot\") and\n\n /* handle common legitimate files */\n\n not file.name in (\n \"auditd.pid\",\n \"python*\",\n \"apport.pid\",\n \"apport.lock\",\n \"kworker*\",\n \"gdm3.pid\",\n \"sshd.pid\",\n \"acpid.pid\",\n \"unattended-upgrades.lock\",\n \"unattended-upgrades.pid\",\n \"cmd.pid\",\n \"yum.pid\",\n \"netconfig.pid\",\n \"docker.pid\",\n \"atd.pid\",\n \"lfd.pid\",\n \"atop.pid\",\n \"nginx.pid\",\n \"dhclient.pid\",\n \"smtpd.pid\",\n \"stunnel.pid\",\n \"1_waagent.pid\",\n \"crond.pid\",\n \"cron.reboot\",\n \"sssd.pid\",\n \"tomcat8.pid\"\n )\n", "references": ["https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": 
"cac91072-d165-11ec-a764-f661ea17fbce", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "cac91072-d165-11ec-a764-f661ea17fbce_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_106.json b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_106.json
deleted file mode 100644
index 592b4c6d8d0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.", "false_positives": ["False-Positives (FP) can appear if the PID file is legitimate and holding a process ID as intended. To differentiate, if the PID file is an executable or larger than 10 bytes, it should be ruled suspicious."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Abnormal Process ID or Lock File Created", "note": "## Triage and analysis\n\n### Investigating Abnormal Process ID or Lock File Created\n\nLinux applications may need to save their process identification number (PID) for various purposes: from signaling that a program is running to serving as a signal that a previous instance of an application didn't exit successfully. PID files contain its creator process PID in an integer value.\n\nLinux lock files are used to coordinate operations in files so that conflicts and race conditions are prevented.\n\nThis rule identifies the creation of PID, lock, or reboot files in the /var/run/ directory. Attackers can masquerade malware, payloads, staged data for exfiltration, and more as legitimate PID files.\n\n#### Possible investigation steps\n\n- Retrieve the file and determine if it is malicious:\n - Check the contents of the PID files. They should only contain integer strings.\n - Check the file type of the lock and PID files to determine if they are executables. This is only observed in malicious files.\n - Check the size of the subject file. 
Legitimate PID files should be under 10 bytes.\n - Check if the lock or PID file has high entropy. This typically indicates an encrypted payload.\n - Analysts can use tools like `ent` to measure entropy.\n - Examine the reputation of the SHA-256 hash in the PID file. Use a database like VirusTotal to identify additional pivots and artifacts for investigation.\n- Trace the file's creation to ensure it came from a legitimate or authorized process.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- False positives can appear if the PID file is legitimate and holding a process ID as intended. If the PID file is an executable or has a file size that's larger than 10 bytes, it should be ruled suspicious.\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of file name and process executable conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "/* add file size filters when data is available */\nfile where host.os.type == \"linux\" and event.type == \"creation\" and user.id == \"0\" and\n file.path regex~ \"\"\"(/var/run|/run)/\\w+\\.(pid|lock|reboot)\"\"\" and file.extension in (\"pid\",\"lock\",\"reboot\") and\n\n /* handle common legitimate files */\n\n not file.name in (\n \"auditd.pid\",\n \"python*\",\n \"apport.pid\",\n \"apport.lock\",\n \"kworker*\",\n \"gdm3.pid\",\n \"sshd.pid\",\n \"acpid.pid\",\n \"unattended-upgrades.lock\",\n \"unattended-upgrades.pid\",\n \"cmd.pid\",\n \"yum.pid\",\n \"netconfig.pid\",\n \"docker.pid\",\n \"atd.pid\",\n \"lfd.pid\",\n \"atop.pid\",\n \"nginx.pid\",\n \"dhclient.pid\",\n \"smtpd.pid\",\n \"stunnel.pid\",\n \"1_waagent.pid\",\n \"crond.pid\",\n \"cron.reboot\",\n \"sssd.pid\",\n \"tomcat8.pid\"\n )\n", "references": ["https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": 
"cac91072-d165-11ec-a764-f661ea17fbce", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "cac91072-d165-11ec-a764-f661ea17fbce_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_107.json b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_107.json
deleted file mode 100644
index b63e9443fe2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.", "false_positives": ["False-Positives (FP) can appear if the PID file is legitimate and holding a process ID as intended. To differentiate, if the PID file is an executable or larger than 10 bytes, it should be ruled suspicious."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Abnormal Process ID or Lock File Created", "note": "## Triage and analysis\n\n### Investigating Abnormal Process ID or Lock File Created\n\nLinux applications may need to save their process identification number (PID) for various purposes: from signaling that a program is running to serving as a signal that a previous instance of an application didn't exit successfully. PID files contain its creator process PID in an integer value.\n\nLinux lock files are used to coordinate operations in files so that conflicts and race conditions are prevented.\n\nThis rule identifies the creation of PID, lock, or reboot files in the /var/run/ directory. Attackers can masquerade malware, payloads, staged data for exfiltration, and more as legitimate PID files.\n\n#### Possible investigation steps\n\n- Retrieve the file and determine if it is malicious:\n - Check the contents of the PID files. They should only contain integer strings.\n - Check the file type of the lock and PID files to determine if they are executables. This is only observed in malicious files.\n - Check the size of the subject file. 
Legitimate PID files should be under 10 bytes.\n - Check if the lock or PID file has high entropy. This typically indicates an encrypted payload.\n - Analysts can use tools like `ent` to measure entropy.\n - Examine the reputation of the SHA-256 hash in the PID file. Use a database like VirusTotal to identify additional pivots and artifacts for investigation.\n- Trace the file's creation to ensure it came from a legitimate or authorized process.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- False positives can appear if the PID file is legitimate and holding a process ID as intended. If the PID file is an executable or has a file size that's larger than 10 bytes, it should be ruled suspicious.\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of file name and process executable conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "/* add file size filters when data is available */\nfile where host.os.type == \"linux\" and event.type == \"creation\" and user.id == \"0\" and\n file.path regex~ \"\"\"(/var/run|/run)/\\w+\\.(pid|lock|reboot)\"\"\" and file.extension in (\"pid\",\"lock\",\"reboot\") and\n\n /* handle common legitimate files */\n\n not file.name in (\n \"auditd.pid\",\n \"python*\",\n \"apport.pid\",\n \"apport.lock\",\n \"kworker*\",\n \"gdm3.pid\",\n \"sshd.pid\",\n \"acpid.pid\",\n \"unattended-upgrades.lock\",\n \"unattended-upgrades.pid\",\n \"cmd.pid\",\n \"yum.pid\",\n \"netconfig.pid\",\n \"docker.pid\",\n \"atd.pid\",\n \"lfd.pid\",\n \"atop.pid\",\n \"nginx.pid\",\n \"dhclient.pid\",\n \"smtpd.pid\",\n \"stunnel.pid\",\n \"1_waagent.pid\",\n \"crond.pid\",\n \"cron.reboot\",\n \"sssd.pid\",\n \"tomcat8.pid\"\n )\n", "references": ["https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": 
"cac91072-d165-11ec-a764-f661ea17fbce", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "cac91072-d165-11ec-a764-f661ea17fbce_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_207.json b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_207.json
deleted file mode 100644
index 4bc68384a5b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_207.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.", "false_positives": ["False-Positives (FP) can appear if the PID file is legitimate and holding a process ID as intended. To differentiate, if the PID file is an executable or larger than 10 bytes, it should be ruled suspicious."], "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Abnormal Process ID or Lock File Created", "new_terms_fields": ["process.executable", "file.path"], "note": "## Triage and analysis\n\n### Investigating Abnormal Process ID or Lock File Created\n\nLinux applications may need to save their process identification number (PID) for various purposes: from signaling that a program is running to serving as a signal that a previous instance of an application didn't exit successfully. PID files contain its creator process PID in an integer value.\n\nLinux lock files are used to coordinate operations in files so that conflicts and race conditions are prevented.\n\nThis rule identifies the creation of PID, lock, or reboot files in the /var/run/ directory. Attackers can masquerade malware, payloads, staged data for exfiltration, and more as legitimate PID files.\n\n#### Possible investigation steps\n\n- Retrieve the file and determine if it is malicious:\n - Check the contents of the PID files. They should only contain integer strings.\n - Check the file type of the lock and PID files to determine if they are executables. 
This is only observed in malicious files.\n - Check the size of the subject file. Legitimate PID files should be under 10 bytes.\n - Check if the lock or PID file has high entropy. This typically indicates an encrypted payload.\n - Analysts can use tools like `ent` to measure entropy.\n - Examine the reputation of the SHA-256 hash in the PID file. Use a database like VirusTotal to identify additional pivots and artifacts for investigation.\n- Trace the file's creation to ensure it came from a legitimate or authorized process.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- False positives can appear if the PID file is legitimate and holding a process ID as intended. If the PID file is an executable or has a file size that's larger than 10 bytes, it should be ruled suspicious.\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of file name and process executable conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type : \"linux\" and event.category : \"file\" and event.action : (\"creation\" or \"file_create_event\") and\nuser.id : \"0\" and file.path : (/var/run/* or /run/*) and file.extension : (\"pid\" or \"lock\" or \"reboot\") and not \nfile.name : (\"auditd.pid\" or \"python*\" or \"apport.pid\" or \"apport.lock\" or \"kworker*\" or \"gdm3.pid\" or \"sshd.pid\" or \n\"acpid.pid\" or \"unattended-upgrades.lock\" or \"unattended-upgrades.pid\" or \"cmd.pid\" or \"yum.pid\" or \"netconfig.pid\" or \n\"docker.pid\" or \"atd.pid\" or \"lfd.pid\" or \"atop.pid\" or \"nginx.pid\" or \"dhclient.pid\" or \"smtpd.pid\" or \"stunnel.pid\" or \n\"1_waagent.pid\" or \"crond.pid\" or \"cron.reboot\" or \"sssd.pid\" or \"tomcat8.pid\")\n", "references": ["https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "cac91072-d165-11ec-a764-f661ea17fbce", 
"severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 207}, "id": "cac91072-d165-11ec-a764-f661ea17fbce_207", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_208.json b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_208.json
deleted file mode 100644
index 61ef9fd3baf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_208.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.", "false_positives": ["False-Positives (FP) can appear if the PID file is legitimate and holding a process ID as intended. To differentiate, if the PID file is an executable or larger than 10 bytes, it should be ruled suspicious."], "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Abnormal Process ID or Lock File Created", "new_terms_fields": ["process.executable", "file.path"], "note": "## Triage and analysis\n\n### Investigating Abnormal Process ID or Lock File Created\n\nLinux applications may need to save their process identification number (PID) for various purposes: from signaling that a program is running to serving as a signal that a previous instance of an application didn't exit successfully. PID files contain its creator process PID in an integer value.\n\nLinux lock files are used to coordinate operations in files so that conflicts and race conditions are prevented.\n\nThis rule identifies the creation of PID, lock, or reboot files in the /var/run/ directory. Attackers can masquerade malware, payloads, staged data for exfiltration, and more as legitimate PID files.\n\n#### Possible investigation steps\n\n- Retrieve the file and determine if it is malicious:\n - Check the contents of the PID files. They should only contain integer strings.\n - Check the file type of the lock and PID files to determine if they are executables. 
This is only observed in malicious files.\n - Check the size of the subject file. Legitimate PID files should be under 10 bytes.\n - Check if the lock or PID file has high entropy. This typically indicates an encrypted payload.\n - Analysts can use tools like `ent` to measure entropy.\n - Examine the reputation of the SHA-256 hash in the PID file. Use a database like VirusTotal to identify additional pivots and artifacts for investigation.\n- Trace the file's creation to ensure it came from a legitimate or authorized process.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- False positives can appear if the PID file is legitimate and holding a process ID as intended. If the PID file is an executable or has a file size that's larger than 10 bytes, it should be ruled suspicious.\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of file name and process executable conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type : \"linux\" and event.category : \"file\" and event.action : (\"creation\" or \"file_create_event\") and\nuser.id : \"0\" and file.extension : (\"pid\" or \"lock\" or \"reboot\") and file.path : (/var/run/* or /run/*) and not \nfile.name : (\"auditd.pid\" or python* or \"apport.pid\" or \"apport.lock\" or kworker* or \"gdm3.pid\" or \"sshd.pid\" or \n\"acpid.pid\" or \"unattended-upgrades.lock\" or \"unattended-upgrades.pid\" or \"cmd.pid\" or \"yum.pid\" or \"netconfig.pid\" or \n\"docker.pid\" or \"atd.pid\" or \"lfd.pid\" or \"atop.pid\" or \"nginx.pid\" or \"dhclient.pid\" or \"smtpd.pid\" or \"stunnel.pid\" or \n\"1_waagent.pid\" or \"crond.pid\" or \"cron.reboot\" or \"sssd.pid\" or \"tomcat8.pid\" or \"winbindd.pid\" or \"chronyd.pid\") and\nnot process.name : (\"runc\" or \"ufw\" or \"snapd\" or \"snap\" or \"iptables\")\n", "references": ["https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": 
true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "cac91072-d165-11ec-a764-f661ea17fbce", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 208}, "id": "cac91072-d165-11ec-a764-f661ea17fbce_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_209.json b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_209.json
deleted file mode 100644
index a7edfefccfc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_209.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.", "false_positives": ["False-Positives (FP) can appear if the PID file is legitimate and holding a process ID as intended. To differentiate, if the PID file is an executable or larger than 10 bytes, it should be ruled suspicious."], "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Abnormal Process ID or Lock File Created", "new_terms_fields": ["process.executable", "file.path"], "note": "## Triage and analysis\n\n### Investigating Abnormal Process ID or Lock File Created\n\nLinux applications may need to save their process identification number (PID) for various purposes: from signaling that a program is running to serving as a signal that a previous instance of an application didn't exit successfully. PID files contain its creator process PID in an integer value.\n\nLinux lock files are used to coordinate operations in files so that conflicts and race conditions are prevented.\n\nThis rule identifies the creation of PID, lock, or reboot files in the /var/run/ directory. Attackers can masquerade malware, payloads, staged data for exfiltration, and more as legitimate PID files.\n\n#### Possible investigation steps\n\n- Retrieve the file and determine if it is malicious:\n - Check the contents of the PID files. They should only contain integer strings.\n - Check the file type of the lock and PID files to determine if they are executables. 
This is only observed in malicious files.\n - Check the size of the subject file. Legitimate PID files should be under 10 bytes.\n - Check if the lock or PID file has high entropy. This typically indicates an encrypted payload.\n - Analysts can use tools like `ent` to measure entropy.\n - Examine the reputation of the SHA-256 hash in the PID file. Use a database like VirusTotal to identify additional pivots and artifacts for investigation.\n- Trace the file's creation to ensure it came from a legitimate or authorized process.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- False positives can appear if the PID file is legitimate and holding a process ID as intended. If the PID file is an executable or has a file size that's larger than 10 bytes, it should be ruled suspicious.\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of file name and process executable conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:linux and event.category:file and event.action:creation and\nuser.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and (\n (process.name : (\n bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp)\n ) or (\n process.executable : (\n ./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/*\n ))\n) and not process.name : (go or git)\n", "references": ["https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "cac91072-d165-11ec-a764-f661ea17fbce", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Resources: Investigation Guide", "Data Source: Elastic 
Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 209}, "id": "cac91072-d165-11ec-a764-f661ea17fbce_209", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_210.json b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_210.json
deleted file mode 100644
index 916a0e06bc0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_210.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.", "false_positives": ["False-Positives (FP) can appear if the PID file is legitimate and holding a process ID as intended. To differentiate, if the PID file is an executable or larger than 10 bytes, it should be ruled suspicious."], "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Abnormal Process ID or Lock File Created", "new_terms_fields": ["host.id", "process.executable", "file.path"], "note": "## Triage and analysis\n\n### Investigating Abnormal Process ID or Lock File Created\n\nLinux applications may need to save their process identification number (PID) for various purposes: from signaling that a program is running to serving as a signal that a previous instance of an application didn't exit successfully. PID files contain its creator process PID in an integer value.\n\nLinux lock files are used to coordinate operations in files so that conflicts and race conditions are prevented.\n\nThis rule identifies the creation of PID, lock, or reboot files in the /var/run/ directory. Attackers can masquerade malware, payloads, staged data for exfiltration, and more as legitimate PID files.\n\n#### Possible investigation steps\n\n- Retrieve the file and determine if it is malicious:\n - Check the contents of the PID files. They should only contain integer strings.\n - Check the file type of the lock and PID files to determine if they are executables. 
This is only observed in malicious files.\n - Check the size of the subject file. Legitimate PID files should be under 10 bytes.\n - Check if the lock or PID file has high entropy. This typically indicates an encrypted payload.\n - Analysts can use tools like `ent` to measure entropy.\n - Examine the reputation of the SHA-256 hash in the PID file. Use a database like VirusTotal to identify additional pivots and artifacts for investigation.\n- Trace the file's creation to ensure it came from a legitimate or authorized process.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- False positives can appear if the PID file is legitimate and holding a process ID as intended. If the PID file is an executable or has a file size that's larger than 10 bytes, it should be ruled suspicious.\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of file name and process executable conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "host.os.type:linux and event.category:file and event.action:creation and\nuser.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and (\n (process.name : (\n bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp)\n ) or (\n process.executable : (\n ./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/*\n ))\n) and not process.name : (go or git or containerd* or snap-confine)\n", "references": ["https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "cac91072-d165-11ec-a764-f661ea17fbce", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using 
Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 210}, "id": "cac91072-d165-11ec-a764-f661ea17fbce_210", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_211.json b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_211.json deleted file mode 100644 index 0e428d36f7c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_211.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.", "false_positives": ["False-Positives (FP) can appear if the PID file is legitimate and holding a process ID as intended. To differentiate, if the PID file is an executable or larger than 10 bytes, it should be ruled suspicious."], "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Abnormal Process ID or Lock File Created", "new_terms_fields": ["host.id", "process.executable", "file.path"], "note": "## Triage and analysis\n\n### Investigating Abnormal Process ID or Lock File Created\n\nLinux applications may need to save their process identification number (PID) for various purposes: from signaling that a program is running to serving as a signal that a previous instance of an application didn't exit successfully. PID files contain its creator process PID in an integer value.\n\nLinux lock files are used to coordinate operations in files so that conflicts and race conditions are prevented.\n\nThis rule identifies the creation of PID, lock, or reboot files in the /var/run/ directory. Attackers can masquerade malware, payloads, staged data for exfiltration, and more as legitimate PID files.\n\n#### Possible investigation steps\n\n- Retrieve the file and determine if it is malicious:\n - Check the contents of the PID files. They should only contain integer strings.\n - Check the file type of the lock and PID files to determine if they are executables. 
This is only observed in malicious files.\n - Check the size of the subject file. Legitimate PID files should be under 10 bytes.\n - Check if the lock or PID file has high entropy. This typically indicates an encrypted payload.\n - Analysts can use tools like `ent` to measure entropy.\n - Examine the reputation of the SHA-256 hash in the PID file. Use a database like VirusTotal to identify additional pivots and artifacts for investigation.\n- Trace the file's creation to ensure it came from a legitimate or authorized process.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- False positives can appear if the PID file is legitimate and holding a process ID as intended. If the PID file is an executable or has a file size that's larger than 10 bytes, it should be ruled suspicious.\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of file name and process executable conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "host.os.type:linux and event.category:file and event.action:creation and\nuser.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and (\n (process.name : (\n bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp)\n ) or (\n process.executable : (\n ./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/*\n ))\n) and not process.name : (go or git or containerd* or snap-confine)\n", "references": ["https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "cac91072-d165-11ec-a764-f661ea17fbce", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using 
Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 211}, "id": "cac91072-d165-11ec-a764-f661ea17fbce_211", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_212.json b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_212.json deleted file mode 100644 index 06752cdf4ca..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_212.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.", "false_positives": ["False-Positives (FP) can appear if the PID file is legitimate and holding a process ID as intended. To differentiate, if the PID file is an executable or larger than 10 bytes, it should be ruled suspicious."], "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Abnormal Process ID or Lock File Created", "new_terms_fields": ["host.id", "process.executable", "file.path"], "note": "## Triage and analysis\n\n### Investigating Abnormal Process ID or Lock File Created\n\nLinux applications may need to save their process identification number (PID) for various purposes: from signaling that a program is running to serving as a signal that a previous instance of an application didn't exit successfully. PID files contain its creator process PID in an integer value.\n\nLinux lock files are used to coordinate operations in files so that conflicts and race conditions are prevented.\n\nThis rule identifies the creation of PID, lock, or reboot files in the /var/run/ directory. Attackers can masquerade malware, payloads, staged data for exfiltration, and more as legitimate PID files.\n\n#### Possible investigation steps\n\n- Retrieve the file and determine if it is malicious:\n - Check the contents of the PID files. They should only contain integer strings.\n - Check the file type of the lock and PID files to determine if they are executables. 
This is only observed in malicious files.\n - Check the size of the subject file. Legitimate PID files should be under 10 bytes.\n - Check if the lock or PID file has high entropy. This typically indicates an encrypted payload.\n - Analysts can use tools like `ent` to measure entropy.\n - Examine the reputation of the SHA-256 hash in the PID file. Use a database like VirusTotal to identify additional pivots and artifacts for investigation.\n- Trace the file's creation to ensure it came from a legitimate or authorized process.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- False positives can appear if the PID file is legitimate and holding a process ID as intended. If the PID file is an executable or has a file size that's larger than 10 bytes, it should be ruled suspicious.\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of file name and process executable conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "host.os.type:linux and event.category:file and event.action:creation and\nuser.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and (\n (process.name : (\n bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp)\n ) or (\n process.executable : (\n ./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/*\n ))\n) and not process.name : (go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or \nvzctl or ifup or rpcbind) and\nnot file.name : (jem.*.pid)\n", "references": ["https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "cac91072-d165-11ec-a764-f661ea17fbce", 
"setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 212}, "id": "cac91072-d165-11ec-a764-f661ea17fbce_212", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_213.json b/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_213.json deleted file mode 100644 index 9876b14295d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cac91072-d165-11ec-a764-f661ea17fbce_213.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files.", "false_positives": ["False-Positives (FP) can appear if the PID file is legitimate and holding a process ID as intended. To differentiate, if the PID file is an executable or larger than 10 bytes, it should be ruled suspicious."], "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Abnormal Process ID or Lock File Created", "new_terms_fields": ["host.id", "process.executable", "file.path"], "note": "## Triage and analysis\n\n### Investigating Abnormal Process ID or Lock File Created\n\nLinux applications may need to save their process identification number (PID) for various purposes: from signaling that a program is running to serving as a signal that a previous instance of an application didn't exit successfully. PID files contain its creator process PID in an integer value.\n\nLinux lock files are used to coordinate operations in files so that conflicts and race conditions are prevented.\n\nThis rule identifies the creation of PID, lock, or reboot files in the /var/run/ directory. Attackers can masquerade malware, payloads, staged data for exfiltration, and more as legitimate PID files.\n\n#### Possible investigation steps\n\n- Retrieve the file and determine if it is malicious:\n - Check the contents of the PID files. They should only contain integer strings.\n - Check the file type of the lock and PID files to determine if they are executables. 
This is only observed in malicious files.\n - Check the size of the subject file. Legitimate PID files should be under 10 bytes.\n - Check if the lock or PID file has high entropy. This typically indicates an encrypted payload.\n - Analysts can use tools like `ent` to measure entropy.\n - Examine the reputation of the SHA-256 hash in the PID file. Use a database like VirusTotal to identify additional pivots and artifacts for investigation.\n- Trace the file's creation to ensure it came from a legitimate or authorized process.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n- Investigate any abnormal behavior by the subject process such as network connections, file modifications, and any spawned child processes.\n\n### False positive analysis\n\n- False positives can appear if the PID file is legitimate and holding a process ID as intended. If the PID file is an executable or has a file size that's larger than 10 bytes, it should be ruled suspicious.\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of file name and process executable conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Block the identified indicators of compromise (IoCs).\n- Take actions to terminate processes and connections used by the attacker.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:linux and event.category:file and event.action:(creation or file_create_event) and\nuser.id:0 and file.extension:(pid or lock or reboot) and file.path:(/var/run/* or /run/*) and (\n (process.name : (\n bash or dash or sh or tcsh or csh or zsh or ksh or fish or ash or touch or nano or vim or vi or editor or mv or cp)\n ) or (\n process.executable : (\n ./* or /tmp/* or /var/tmp/* or /dev/shm/* or /var/run/* or /boot/* or /srv/* or /run/*\n ))\n) and not process.name : (go or git or containerd* or snap-confine or cron or crond or sshd or unattended-upgrade or \nvzctl or ifup or rpcbind or runc or gitlab-runner-helper or elastic-agent or metricbeat) and\nnot file.name : (jem.*.pid)\n", "references": ["https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", 
"type": "keyword"}], "risk_score": 47, "rule_id": "cac91072-d165-11ec-a764-f661ea17fbce", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 213}, "id": "cac91072-d165-11ec-a764-f661ea17fbce_213", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1.json b/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1.json deleted file mode 100644 index 687ce52c1b7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. An adversary may disable MFA enforcement in order to weaken an organization\u2019s security controls.", "false_positives": ["MFA policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace MFA Enforcement Disabled", "note": "## Triage and analysis\n\n### Investigating Google Workspace MFA Enforcement Disabled\n\nMulti-factor authentication is a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan.\n\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, an attacker could be using it to gain access. When you require a second form of authentication, security is increased because this additional factor isn't something that's easy for an attacker to obtain or duplicate.\n\nFor more information about using MFA in Google Workspace, access the [official documentation](https://support.google.com/a/answer/175197).\n\nThis rule identifies the disabling of MFA enforcement in Google Workspace.
This modification weakens the security of the accounts and can lead to the compromise of accounts and other assets.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate the multi-factor authentication enforcement.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin\n and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION\n and google_workspace.admin.new_value:false\n", "references": ["https://support.google.com/a/answer/9176657?hl=en#"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.new_value", "type": "keyword"}], "risk_score": 47, "rule_id": "cad4500a-abd7-4ef3-b5d3-95524de7cfe1", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Configuration Audit", "Tactic: Impact", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "cad4500a-abd7-4ef3-b5d3-95524de7cfe1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_206.json b/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_206.json
deleted file mode 100644
index 560ef6751e1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_206.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. An adversary may disable MFA enforcement in order to weaken an organization\u2019s security controls.", "false_positives": ["MFA policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace MFA Enforcement Disabled", "note": "## Triage and analysis\n\n### Investigating Google Workspace MFA Enforcement Disabled\n\nMulti-factor authentication is a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan.\n\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, an attacker could be using it to gain access. When you require a second form of authentication, security is increased because this additional factor isn't something that's easy for an attacker to obtain or duplicate.\n\nFor more information about using MFA in Google Workspace, access the [official documentation](https://support.google.com/a/answer/175197).\n\nThis rule identifies the disabling of MFA enforcement in Google Workspace.
This modification weakens the security of the accounts and can lead to the compromise of accounts and other assets.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate the multi-factor authentication enforcement.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin\n and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION\n and google_workspace.admin.new_value:false\n", "references": ["https://support.google.com/a/answer/9176657?hl=en#"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.new_value", "type": "keyword"}], "risk_score": 47, "rule_id": "cad4500a-abd7-4ef3-b5d3-95524de7cfe1", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Configuration Audit", "Impact", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "cad4500a-abd7-4ef3-b5d3-95524de7cfe1_206", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_207.json b/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_207.json
deleted file mode 100644
index e8d917bf9d0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cad4500a-abd7-4ef3-b5d3-95524de7cfe1_207.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when multi-factor authentication (MFA) enforcement is disabled for Google Workspace users. An adversary may disable MFA enforcement in order to weaken an organization\u2019s security controls.", "false_positives": ["MFA policies may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace MFA Enforcement Disabled", "note": "## Triage and analysis\n\n### Investigating Google Workspace MFA Enforcement Disabled\n\nMulti-factor authentication is a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan.\n\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, an attacker could be using it to gain access. When you require a second form of authentication, security is increased because this additional factor isn't something that's easy for an attacker to obtain or duplicate.\n\nFor more information about using MFA in Google Workspace, access the [official documentation](https://support.google.com/a/answer/175197).\n\nThis rule identifies the disabling of MFA enforcement in Google Workspace.
This modification weakens the security of the accounts and can lead to the compromise of accounts and other assets.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate the multi-factor authentication enforcement.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin\n and event.category:iam and event.action:ENFORCE_STRONG_AUTHENTICATION\n and google_workspace.admin.new_value:false\n", "references": ["https://support.google.com/a/answer/9176657?hl=en#"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.new_value", "type": "keyword"}], "risk_score": 47, "rule_id": "cad4500a-abd7-4ef3-b5d3-95524de7cfe1", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Configuration Audit", "Tactic: Impact", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "cad4500a-abd7-4ef3-b5d3-95524de7cfe1_207", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51.json b/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51.json
deleted file mode 100644
index 14504f48364..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious modifications of the calendar file by an unusual process. Adversaries may create a custom calendar notification procedure to execute a malicious program at a recurring interval to establish persistence.", "false_positives": ["Trusted applications for managing calendars and reminders."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Calendar File Modification", "query": "event.category:file and host.os.type:macos and event.action:modification and\n file.path:/Users/*/Library/Calendars/*.calendar/Events/*.ics and\n process.executable:\n (* and not\n (\n /System/Library/* or\n /System/Applications/Calendar.app/Contents/MacOS/* or\n /System/Applications/Mail.app/Contents/MacOS/Mail or\n /usr/libexec/xpcproxy or\n /sbin/launchd or\n /Applications/*\n )\n )\n", "references": ["https://labs.f-secure.com/blog/operationalising-calendar-alerts-persistence-on-macos", "https://github.com/FSecureLABS/CalendarPersist", "https://github.com/D00MFist/PersistentJXA/blob/master/CalendarPersist.js"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet.
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_102.json b/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_102.json
deleted file mode 100644
index 2d2b1b440a0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious modifications of the calendar file by an unusual process. Adversaries may create a custom calendar notification procedure to execute a malicious program at a recurring interval to establish persistence.", "false_positives": ["Trusted applications for managing calendars and reminders."], "from": "now-9m", "index": ["logs-endpoint.events.*", "auditbeat-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Calendar File Modification", "query": "event.category:file and host.os.type:macos and event.action:modification and\n file.path:/Users/*/Library/Calendars/*.calendar/Events/*.ics and\n process.executable:\n (* and not\n (\n /System/Library/* or\n /System/Applications/Calendar.app/Contents/MacOS/* or\n /System/Applications/Mail.app/Contents/MacOS/Mail or\n /usr/libexec/xpcproxy or\n /sbin/launchd or\n /Applications/*\n )\n )\n", "references": ["https://labs.f-secure.com/blog/operationalising-calendar-alerts-persistence-on-macos", "https://github.com/FSecureLABS/CalendarPersist", "https://github.com/D00MFist/PersistentJXA/blob/master/CalendarPersist.js"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference":
"https://attack.mitre.org/techniques/T1546/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_103.json b/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_103.json
deleted file mode 100644
index 969a25e85a2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious modifications of the calendar file by an unusual process. Adversaries may create a custom calendar notification procedure to execute a malicious program at a recurring interval to establish persistence.", "false_positives": ["Trusted applications for managing calendars and reminders."], "from": "now-9m", "index": ["logs-endpoint.events.*", "auditbeat-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Calendar File Modification", "query": "event.category:file and host.os.type:macos and event.action:modification and\n file.path:/Users/*/Library/Calendars/*.calendar/Events/*.ics and\n process.executable:\n (* and not\n (\n /System/Library/* or\n /System/Applications/Calendar.app/Contents/MacOS/* or\n /System/Applications/Mail.app/Contents/MacOS/Mail or\n /usr/libexec/xpcproxy or\n /sbin/launchd or\n /Applications/*\n )\n )\n", "references": ["https://labs.f-secure.com/blog/operationalising-calendar-alerts-persistence-on-macos", "https://github.com/FSecureLABS/CalendarPersist", "https://github.com/D00MFist/PersistentJXA/blob/master/CalendarPersist.js"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference":
"https://attack.mitre.org/techniques/T1546/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_104.json b/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_104.json
deleted file mode 100644
index c8a4da45902..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious modifications of the calendar file by an unusual process. Adversaries may create a custom calendar notification procedure to execute a malicious program at a recurring interval to establish persistence.", "false_positives": ["Trusted applications for managing calendars and reminders."], "from": "now-9m", "index": ["logs-endpoint.events.*", "auditbeat-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Calendar File Modification", "query": "event.category:file and host.os.type:macos and event.action:modification and\n file.path:/Users/*/Library/Calendars/*.calendar/Events/*.ics and\n process.executable:\n (* and not\n (\n /System/Library/* or\n /System/Applications/Calendar.app/Contents/MacOS/* or\n /System/Applications/Mail.app/Contents/MacOS/Mail or\n /usr/libexec/xpcproxy or\n /sbin/launchd or\n /Applications/*\n )\n )\n", "references": ["https://labs.f-secure.com/blog/operationalising-calendar-alerts-persistence-on-macos", "https://github.com/FSecureLABS/CalendarPersist", "https://github.com/D00MFist/PersistentJXA/blob/master/CalendarPersist.js"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered 
Execution", "reference": "https://attack.mitre.org/techniques/T1546/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_105.json b/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_105.json deleted file mode 100644 index abb248d4961..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious modifications of the calendar file by an unusual process. Adversaries may create a custom calendar notification procedure to execute a malicious program at a recurring interval to establish persistence.", "false_positives": ["Trusted applications for managing calendars and reminders."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Calendar File Modification", "query": "event.category:file and host.os.type:macos and event.action:modification and\n file.path:/Users/*/Library/Calendars/*.calendar/Events/*.ics and\n process.executable:\n (* and not\n (\n /System/Library/* or\n /System/Applications/Calendar.app/Contents/MacOS/* or\n /System/Applications/Mail.app/Contents/MacOS/Mail or\n /usr/libexec/xpcproxy or\n /sbin/launchd or\n /Applications/*\n )\n )\n", "references": ["https://labs.f-secure.com/blog/operationalising-calendar-alerts-persistence-on-macos", "https://github.com/FSecureLABS/CalendarPersist", "https://github.com/D00MFist/PersistentJXA/blob/master/CalendarPersist.js"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036.json b/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036.json deleted file mode 100644 index f6426e44f46..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to enable the root account using the dsenableroot command. This command may be abused by adversaries for persistence, as the root account is disabled by default.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Enable the Root Account", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:dsenableroot and not process.args:\"-d\"\n", "references": ["https://ss64.com/osx/dsenableroot.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "cc2fd2d0-ba3a-4939-b87f-2901764ed036", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "cc2fd2d0-ba3a-4939-b87f-2901764ed036", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_102.json b/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_102.json deleted file mode 100644 index 09d6cd64bee..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to enable the root account using the dsenableroot command. This command may be abused by adversaries for persistence, as the root account is disabled by default.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Enable the Root Account", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:dsenableroot and not process.args:\"-d\"\n", "references": ["https://ss64.com/osx/dsenableroot.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "cc2fd2d0-ba3a-4939-b87f-2901764ed036", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "cc2fd2d0-ba3a-4939-b87f-2901764ed036_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_103.json b/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_103.json
deleted file mode 100644
index 74ac6ac75dc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to enable the root account using the dsenableroot command. This command may be abused by adversaries for persistence, as the root account is disabled by default.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Enable the Root Account", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:dsenableroot and not process.args:\"-d\"\n", "references": ["https://ss64.com/osx/dsenableroot.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "cc2fd2d0-ba3a-4939-b87f-2901764ed036", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "cc2fd2d0-ba3a-4939-b87f-2901764ed036_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_104.json b/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_104.json
deleted file mode 100644
index 9c63d62ea43..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to enable the root account using the dsenableroot command. This command may be abused by adversaries for persistence, as the root account is disabled by default.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Enable the Root Account", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:dsenableroot and not process.args:\"-d\"\n", "references": ["https://ss64.com/osx/dsenableroot.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "cc2fd2d0-ba3a-4939-b87f-2901764ed036", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "cc2fd2d0-ba3a-4939-b87f-2901764ed036_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_105.json b/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_105.json
deleted file mode 100644
index d6fe5a98d2c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cc2fd2d0-ba3a-4939-b87f-2901764ed036_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to enable the root account using the dsenableroot command. This command may be abused by adversaries for persistence, as the root account is disabled by default.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Enable the Root Account", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:dsenableroot and not process.args:\"-d\"\n", "references": ["https://ss64.com/osx/dsenableroot.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "cc2fd2d0-ba3a-4939-b87f-2901764ed036", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "cc2fd2d0-ba3a-4939-b87f-2901764ed036_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd.json b/packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd.json deleted file mode 100644 index 7b8a83e3e47..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.", "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "Multiple Device Token Hashes for Single Okta Session", "note": "## Triage and analysis\n\n### Investigating Multiple Device Token Hashes for Single Okta Session\n\nThis rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.\n\n#### Possible investigation steps:\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.authentication_context.external_session_id` values can be used to pivot into the raw authentication events related to this alert.\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - Authentication events have been filtered out to focus on Okta activity via established sessions.\n- Review the past 
activities of the actor(s) involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n- Aggregate by `okta.actor.alternate_id` and `event.action` to determine the type of actions that are being performed by the actor(s) involved in this action.\n - If various activity is reported that seems to indicate actions from separate users, consider deactivating the user's account temporarily.\n\n### False positive analysis:\n- It is very rare that a legitimate user would have multiple device token hashes for a single Okta session as DT hashes do not change after an authenticated session is established.\n\n### Response and remediation:\n- Consider stopping all sessions for the user(s) involved in this action.\n- If this does not appear to be a false positive, consider resetting passwords for the users involved and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for the user.\n- Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\n - This should be done with caution as it may prevent legitimate alerts from being generated.\n", "query": 
"FROM logs-okta*\n| WHERE\n event.dataset == \"okta.system\"\n // ignore authentication events where session and device token hash change often\n AND NOT event.action IN (\n \"policy.evaluate_sign_on\",\n \"user.session.start\",\n \"user.authentication.sso\"\n )\n // ignore Okta system events and only allow registered users\n AND (\n okta.actor.alternate_id != \"system@okta.com\"\n AND okta.actor.alternate_id RLIKE \"[^@\\\\s]+\\\\@[^@\\\\s]+\"\n )\n AND okta.authentication_context.external_session_id != \"unknown\"\n| STATS\n dt_hash_counts = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash) BY\n okta.actor.alternate_id,\n okta.authentication_context.external_session_id\n| WHERE\n dt_hash_counts >= 2\n| SORT\n dt_hash_counts DESC\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://support.okta.com/help/s/article/session-hijacking-attack-definition-damage-defense?language=en_US"], "risk_score": 47, "rule_id": "cc382a2e-7e52-11ee-9aac-f661ea17fbcd", "setup": "## Setup\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access", "Domain: SaaS"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1539", "name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/"}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 102}, "id": "cc382a2e-7e52-11ee-9aac-f661ea17fbcd", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd_1.json b/packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd_1.json
deleted file mode 100644
index 2ed02358dd5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate an attacker has compromised a user's Okta account and is using it to access the organization's resources.", "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Multiple Okta Client Addresses for a Single User Session", "note": "", "query": "event.dataset:okta.system\n and okta.authentication_context.external_session_id:* and okta.debug_context.debug_data.dt_hash:*\n and not (okta.actor.id: okta* or okta.actor.display_name: okta*)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.actor.display_name", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.authentication_context.external_session_id", "type": "keyword"}, {"ecs": false, "name": "okta.debug_context.debug_data.dt_hash", "type": "unknown"}], "risk_score": 47, "rule_id": "cc382a2e-7e52-11ee-9aac-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", 
"name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "threshold": {"cardinality": [{"field": "okta.debug_context.debug_data.dt_hash", "value": 2}], "field": ["okta.actor.id", "okta.authentication_context.external_session_id"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 1}, "id": "cc382a2e-7e52-11ee-9aac-f661ea17fbcd_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd_102.json b/packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd_102.json deleted file mode 100644 index aea0303dd4b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.", "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "Multiple Device Token Hashes for Single Okta Session", "note": "## Triage and analysis\n\n### Investigating Multiple Device Token Hashes for Single Okta Session\n\nThis rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.\n\n#### Possible investigation steps:\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.authentication_context.external_session_id` values can be used to pivot into the raw authentication events related to this alert.\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - Authentication events have been filtered out to focus on Okta activity via established sessions.\n- Review the past 
activities of the actor(s) involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n- Aggregate by `okta.actor.alternate_id` and `event.action` to determine the type of actions that are being performed by the actor(s) involved in this action.\n - If various activity is reported that seems to indicate actions from separate users, consider deactivating the user's account temporarily.\n\n### False positive analysis:\n- It is very rare that a legitimate user would have multiple device token hashes for a single Okta session as DT hashes do not change after an authenticated session is established.\n\n### Response and remediation:\n- Consider stopping all sessions for the user(s) involved in this action.\n- If this does not appear to be a false positive, consider resetting passwords for the users involved and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for the user.\n- Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\n - This should be done with caution as it may prevent legitimate alerts from being generated.\n", "query": 
"FROM logs-okta*\n| WHERE\n event.dataset == \"okta.system\"\n // ignore authentication events where session and device token hash change often\n AND NOT event.action IN (\n \"policy.evaluate_sign_on\",\n \"user.session.start\",\n \"user.authentication.sso\"\n )\n // ignore Okta system events and only allow registered users\n AND (\n okta.actor.alternate_id != \"system@okta.com\"\n AND okta.actor.alternate_id RLIKE \"[^@\\\\s]+\\\\@[^@\\\\s]+\"\n )\n AND okta.authentication_context.external_session_id != \"unknown\"\n| STATS\n dt_hash_counts = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash) BY\n okta.actor.alternate_id,\n okta.authentication_context.external_session_id\n| WHERE\n dt_hash_counts >= 2\n| SORT\n dt_hash_counts DESC\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://support.okta.com/help/s/article/session-hijacking-attack-definition-damage-defense?language=en_US"], "risk_score": 47, "rule_id": "cc382a2e-7e52-11ee-9aac-f661ea17fbcd", "setup": "## Setup\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access", "Domain: SaaS"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1539", "name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/"}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 102}, "id": "cc382a2e-7e52-11ee-9aac-f661ea17fbcd_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd_103.json b/packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd_103.json
deleted file mode 100644
index 3199baa13fe..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.", "from": "now-9m", "language": "esql", "license": "Elastic License v2", "name": "Multiple Device Token Hashes for Single Okta Session", "note": "## Triage and analysis\n\n### Investigating Multiple Device Token Hashes for Single Okta Session\n\nThis rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.\n\n#### Possible investigation steps:\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.authentication_context.external_session_id` values can be used to pivot into the raw authentication events related to this alert.\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - Authentication events have been filtered out to focus on Okta activity via established sessions.\n- Review the past 
activities of the actor(s) involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n- Aggregate by `okta.actor.alternate_id` and `event.action` to determine the type of actions that are being performed by the actor(s) involved in this action.\n - If various activity is reported that seems to indicate actions from separate users, consider deactivating the user's account temporarily.\n\n### False positive analysis:\n- It is very rare that a legitimate user would have multiple device token hashes for a single Okta session as DT hashes do not change after an authenticated session is established.\n\n### Response and remediation:\n- Consider stopping all sessions for the user(s) involved in this action.\n- If this does not appear to be a false positive, consider resetting passwords for the users involved and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for the user.\n- Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\n - This should be done with caution as it may prevent legitimate alerts from being generated.\n", "query": 
"FROM logs-okta*\n| WHERE\n event.dataset == \"okta.system\"\n // ignore authentication events where session and device token hash change often\n AND NOT event.action IN (\n \"policy.evaluate_sign_on\",\n \"user.session.start\",\n \"user.authentication.sso\"\n )\n // ignore Okta system events and only allow registered users\n AND (\n okta.actor.alternate_id != \"system@okta.com\"\n AND okta.actor.alternate_id RLIKE \"[^@\\\\s]+\\\\@[^@\\\\s]+\"\n )\n AND okta.authentication_context.external_session_id != \"unknown\"\n| STATS\n dt_hash_counts = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash) BY\n okta.actor.alternate_id,\n okta.authentication_context.external_session_id\n| WHERE\n dt_hash_counts >= 2\n| SORT\n dt_hash_counts DESC\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://support.okta.com/help/s/article/session-hijacking-attack-definition-damage-defense?language=en_US", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "risk_score": 47, "rule_id": "cc382a2e-7e52-11ee-9aac-f661ea17fbcd", "setup": "## Setup\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access", "Domain: SaaS"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1539", "name": "Steal Web Session Cookie", "reference": "https://attack.mitre.org/techniques/T1539/"}]}], "timestamp_override": 
"event.ingested", "type": "esql", "version": 103}, "id": "cc382a2e-7e52-11ee-9aac-f661ea17fbcd_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd_2.json b/packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd_2.json
deleted file mode 100644
index f57f32eb50f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate an attacker has compromised a user's Okta account and is using it to access the organization's resources.", "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "Multiple Okta Client Addresses for a Single User Session", "note": "", "query": "event.dataset:okta.system\n and okta.authentication_context.external_session_id:* and okta.debug_context.debug_data.dt_hash:*\n and not (okta.actor.id: okta* or okta.actor.display_name: okta*)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.actor.display_name", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.authentication_context.external_session_id", "type": "keyword"}, {"ecs": false, "name": "okta.debug_context.debug_data.dt_hash", "type": "keyword"}], "risk_score": 47, "rule_id": "cc382a2e-7e52-11ee-9aac-f661ea17fbcd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", 
"name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "threshold": {"cardinality": [{"field": "okta.debug_context.debug_data.dt_hash", "value": 2}], "field": ["okta.actor.id", "okta.authentication_context.external_session_id"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 2}, "id": "cc382a2e-7e52-11ee-9aac-f661ea17fbcd_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd_204.json b/packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd_204.json
new file mode 100644
index 00000000000..9a3f13ba051
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/cc382a2e-7e52-11ee-9aac-f661ea17fbcd_204.json
@@ -0,0 +1,55 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.", + "from": "now-9m", + "language": "esql", + "license": "Elastic License v2", + "name": "Multiple Device Token Hashes for Single Okta Session", + "note": "## Triage and analysis\n\n### Investigating Multiple Device Token Hashes for Single Okta Session\n\nThis rule detects when a specific Okta actor has multiple device token hashes for a single Okta session. This may indicate an authenticated session has been hijacked or is being used by multiple devices. Adversaries may hijack a session to gain unauthorized access to Okta admin console, applications, tenants, or other resources.\n\n#### Possible investigation steps:\n- Since this is an ES|QL rule, the `okta.actor.alternate_id` and `okta.authentication_context.external_session_id` values can be used to pivot into the raw authentication events related to this alert.\n- Identify the users involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the device client used for these actions by analyzing `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- With Okta end users identified, review the `okta.debug_context.debug_data.dt_hash` field.\n - Historical analysis should indicate if this device token hash is commonly associated with the user.\n- Review the `okta.event_type` field to determine the type of authentication event that occurred.\n - Authentication events have been filtered out to focus on Okta activity via established 
sessions.\n- Review the past activities of the actor(s) involved in this action by checking their previous actions.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n - This may help determine the authentication and authorization actions that occurred between the user, Okta and application.\n- Aggregate by `okta.actor.alternate_id` and `event.action` to determine the type of actions that are being performed by the actor(s) involved in this action.\n - If various activity is reported that seems to indicate actions from separate users, consider deactivating the user's account temporarily.\n\n### False positive analysis:\n- It is very rare that a legitimate user would have multiple device token hashes for a single Okta session as DT hashes do not change after an authenticated session is established.\n\n### Response and remediation:\n- Consider stopping all sessions for the user(s) involved in this action.\n- If this does not appear to be a false positive, consider resetting passwords for the users involved and enabling multi-factor authentication (MFA).\n - If MFA is already enabled, consider resetting MFA for the users.\n- If any of the users are not legitimate, consider deactivating the user's account.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- Check with internal IT teams to determine if the accounts involved recently had MFA reset at the request of the user.\n - If so, confirm with the user this was a legitimate request.\n - If so and this was not a legitimate request, consider deactivating the user's account temporarily.\n - Reset passwords and reset MFA for the user.\n- Alternatively adding `okta.client.ip` or a CIDR range to the `exceptions` list can prevent future occurrences of this event from triggering the rule.\n - This should be done with caution as it may prevent legitimate alerts from 
being generated.\n", + "query": "FROM logs-okta*\n| WHERE\n event.dataset == \"okta.system\"\n // ignore authentication events where session and device token hash change often\n AND NOT event.action IN (\n \"policy.evaluate_sign_on\",\n \"user.session.start\",\n \"user.authentication.sso\"\n )\n // ignore Okta system events and only allow registered users\n AND (\n okta.actor.alternate_id != \"system@okta.com\"\n AND okta.actor.alternate_id RLIKE \"[^@\\\\s]+\\\\@[^@\\\\s]+\"\n )\n AND okta.authentication_context.external_session_id != \"unknown\"\n| KEEP event.action, okta.actor.alternate_id, okta.authentication_context.external_session_id, okta.debug_context.debug_data.dt_hash\n| STATS\n dt_hash_counts = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash) BY\n okta.actor.alternate_id,\n okta.authentication_context.external_session_id\n| WHERE\n dt_hash_counts >= 2\n| SORT\n dt_hash_counts DESC\n", + "references": [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", + "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://support.okta.com/help/s/article/session-hijacking-attack-definition-damage-defense?language=en_US", + "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", + "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta" + ], + "risk_score": 47, + "rule_id": "cc382a2e-7e52-11ee-9aac-f661ea17fbcd", + "setup": "## Setup\n\nThe Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Use Case: Identity and Access Audit", + "Data Source: Okta", + "Tactic: Credential Access", + "Domain: SaaS" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential 
Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1539",
+ "name": "Steal Web Session Cookie",
+ "reference": "https://attack.mitre.org/techniques/T1539/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "esql",
+ "version": 204
+ },
+ "id": "cc382a2e-7e52-11ee-9aac-f661ea17fbcd_204",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cc653d77-ddd2-45b1-9197-c75ad19df66c.json b/packages/security_detection_engine/kibana/security_rule/cc653d77-ddd2-45b1-9197-c75ad19df66c.json
deleted file mode 100644
index 851d8117c94..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cc653d77-ddd2-45b1-9197-c75ad19df66c.json
+++ /dev/null
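Review bot: The `STATS dt_hash_counts = COUNT_DISTINCT(okta.debug_context.debug_data.dt_hash)` in the new 204 query only correlates events that fall inside the rule's lookback (`"from": "now-9m"`), so a second device token hash that reuses the same `external_session_id` more than roughly nine minutes after the first is never counted against it and that hijack is missed; no `interval` is set in this file, so the actual overlap between runs is whatever the engine defaults to. That coverage trade-off is stated nowhere in the rule, and I would add a query comment such as `// both device token hashes must occur within the rule lookback (from: now-9m); widen "from" if a session is expected to be reused later` and a matching sentence in the note's false-positive section. Separately, the added `| KEEP event.action, okta.actor.alternate_id, okta.authentication_context.external_session_id, okta.debug_context.debug_data.dt_hash` means the aggregated alert carries only those fields plus `dt_hash_counts`, so the note's advice to exclude `okta.client.ip` or a CIDR range via exceptions presumably cannot match on these alerts and should be re-verified or reworded to point at the raw events instead.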
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected data exfiltration to a particular geo-location (by IP address). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.", "from": "now-6h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "ded_high_sent_bytes_destination_ip", "name": "Potential Data Exfiltration Activity to an Unusual IP Address", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/ded", "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration"], "related_integrations": [{"package": "ded", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "cc653d77-ddd2-45b1-9197-c75ad19df66c", "setup": "## Setup\n\nThe rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). \n\n### Data Exfiltration Detection Setup\nThe Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
\n\n#### Prerequisite Requirements:\n- Fleet is required for Data Exfiltration Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n\n#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1041", "name": "Exfiltration Over C2 Channel", "reference": "https://attack.mitre.org/techniques/T1041/"}]}], "type": "machine_learning", "version": 4}, "id": "cc653d77-ddd2-45b1-9197-c75ad19df66c", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cc653d77-ddd2-45b1-9197-c75ad19df66c_1.json b/packages/security_detection_engine/kibana/security_rule/cc653d77-ddd2-45b1-9197-c75ad19df66c_1.json
deleted file mode 100644
index a07af503d20..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cc653d77-ddd2-45b1-9197-c75ad19df66c_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected data exfiltration to a particular geo-location (by IP address). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.", "from": "now-6h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "ded_high_sent_bytes_destination_ip", "name": "Potential Data Exfiltration Activity to an Unusual IP Address", "note": "", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/ded"], "related_integrations": [{"package": "ded", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "cc653d77-ddd2-45b1-9197-c75ad19df66c", "setup": "The Data Exfiltration Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.", "severity": "low", "tags": ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1041", "name": "Exfiltration Over C2 Channel", "reference": "https://attack.mitre.org/techniques/T1041/"}]}], "type": "machine_learning", "version": 1}, "id": "cc653d77-ddd2-45b1-9197-c75ad19df66c_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cc653d77-ddd2-45b1-9197-c75ad19df66c_2.json b/packages/security_detection_engine/kibana/security_rule/cc653d77-ddd2-45b1-9197-c75ad19df66c_2.json deleted file mode 100644 index 78d55bae92e..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/cc653d77-ddd2-45b1-9197-c75ad19df66c_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected data exfiltration to a particular geo-location (by IP address). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.", "from": "now-6h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "ded_high_sent_bytes_destination_ip", "name": "Potential Data Exfiltration Activity to an Unusual IP Address", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/ded", "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration"], "related_integrations": [{"package": "ded", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "cc653d77-ddd2-45b1-9197-c75ad19df66c", "setup": "The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). \n\n### Data Exfiltration Detection Setup\nThe Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
\n\n#### Prerequisite Requirements:\n- Fleet is required for Data Exfiltration Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n\n#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.\n- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your network data. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1041", "name": "Exfiltration Over C2 Channel", "reference": "https://attack.mitre.org/techniques/T1041/"}]}], "type": "machine_learning", "version": 2}, "id": "cc653d77-ddd2-45b1-9197-c75ad19df66c_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cc653d77-ddd2-45b1-9197-c75ad19df66c_3.json b/packages/security_detection_engine/kibana/security_rule/cc653d77-ddd2-45b1-9197-c75ad19df66c_3.json deleted file mode 100644 index 3d6a12e5bc8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cc653d77-ddd2-45b1-9197-c75ad19df66c_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected data exfiltration to a particular geo-location (by IP address). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.", "from": "now-6h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "ded_high_sent_bytes_destination_ip", "name": "Potential Data Exfiltration Activity to an Unusual IP Address", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/ded", "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration"], "related_integrations": [{"package": "ded", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "cc653d77-ddd2-45b1-9197-c75ad19df66c", "setup": "## Setup\n\nThe rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). \n\n### Data Exfiltration Detection Setup\nThe Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
\n\n#### Prerequisite Requirements:\n- Fleet is required for Data Exfiltration Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n\n#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.\n- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your network data. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1041", "name": "Exfiltration Over C2 Channel", "reference": "https://attack.mitre.org/techniques/T1041/"}]}], "type": "machine_learning", "version": 3}, "id": "cc653d77-ddd2-45b1-9197-c75ad19df66c_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce.json deleted file mode 100644 index 4fc977b5ace..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Users in Google Workspace are typically assigned a specific organizational unit that grants them permissions to certain services and roles that are inherited from this organizational unit. Adversaries may compromise a valid account and change which organizational account the user belongs to which then could allow them to inherit permissions to applications and resources inaccessible prior to.", "false_positives": ["Google Workspace administrators may adjust change which organizational unit a user belongs to as a result of internal role adjustments."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace User Organizational Unit Changed", "note": "## Triage and analysis\n\n### Investigating Google Workspace User Organizational Unit Changed\n\nAn organizational unit is a group that an administrator can create in the Google Admin console to apply settings to a specific set of users for Google Workspace. By default, all users are placed in the top-level (parent) organizational unit. Child organizational units inherit the settings from the parent but can be changed to fit the needs of the child organizational unit.\n\nPermissions and privileges for users are often inherited from the organizational unit they are placed in. Therefore, if a user is changed to a separate organizational unit, they will inherit all privileges and permissions. User accounts may have unexpected privileges when switching organizational units that would allow a threat actor to gain a stronger foothold within the organization. 
The principle of least privileged (PoLP) should be followed when users are switched to different groups in Google Workspace.\n\nThis rule identifies when a user has been moved to a different organizational unit.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n - The `user.target.email` field contains the user that had their assigned organizational unit switched.\n- Identify the user's previously assigned unit and new organizational unit by checking the `google_workspace.admin.org_unit.name` and `google_workspace.admin.new_value` fields.\n- Identify Google Workspace applications whose settings were explicitly set for this organizational unit.\n - Search for `event.action` is `CREATE_APPLICATION_SETTING` where `google_workspace.admin.org_unit.name` is the new organizational unit.\n- After identifying the involved user, verify administrative privileges are scoped properly to allow changing user organizational units.\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\n - Add `user.email` with the target user account that recently had their organizational unit changed.\n- Filter on `user.name` or `user.target.email` of the user who took this action and review the last 48 hours of activity for anything that may indicate a compromise.\n\n### False positive analysis\n\n- After identifying the user account that changed another user's organizational unit, verify the action was intentional.\n- Verify whether the target user who received this update is expected to inherit privileges from the new organizational unit.\n- Review potential maintenance notes or organizational changes. 
They might explain why a user's organization was changed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider 
reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.type:change and event.category:iam\n and google_workspace.event.type:\"USER_SETTINGS\" and event.action:\"MOVE_USER_TO_ORG_UNIT\"\n", "references": ["https://support.google.com/a/answer/6328701?hl=en#"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "google_workspace.event.type", "type": "keyword"}], "risk_score": 21, "rule_id": "cc6a8a20-2df2-11ed-8378-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, 
"id": "cc6a8a20-2df2-11ed-8378-f661ea17fbce", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_104.json b/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_104.json
deleted file mode 100644
index db79a6db45a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Users in Google Workspace are typically assigned a specific organizational unit that grants them permissions to certain services and roles that are inherited from this organizational unit. Adversaries may compromise a valid account and change which organizational account the user belongs to which then could allow them to inherit permissions to applications and resources inaccessible prior to.", "false_positives": ["Google Workspace administrators may adjust change which organizational unit a user belongs to as a result of internal role adjustments."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace User Organizational Unit Changed", "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.type:change and event.category:iam\n and google_workspace.event.type:\"USER_SETTINGS\" and event.action:\"MOVE_USER_TO_ORG_UNIT\"\n", "references": ["https://support.google.com/a/answer/6328701?hl=en#"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "google_workspace.event.type", "type": "keyword"}], "risk_score": 21, "rule_id": "cc6a8a20-2df2-11ed-8378-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Configuration Audit", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "cc6a8a20-2df2-11ed-8378-f661ea17fbce_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_105.json b/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_105.json
deleted file mode 100644
index 56907323c97..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Users in Google Workspace are typically assigned a specific organizational unit that grants them permissions to certain services and roles that are inherited from this organizational unit. Adversaries may compromise a valid account and change which organizational account the user belongs to which then could allow them to inherit permissions to applications and resources inaccessible prior to.", "false_positives": ["Google Workspace administrators may adjust change which organizational unit a user belongs to as a result of internal role adjustments."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace User Organizational Unit Changed", "note": "## Triage and analysis\n\n### Investigating Google Workspace User Organizational Unit Changed\n\nAn organizational unit is a group that an administrator can create in the Google Admin console to apply settings to a specific set of users for Google Workspace. By default, all users are placed in the top-level (parent) organizational unit. Child organizational units inherit the settings from the parent but can be changed to fit the needs of the child organizational unit.\n\nPermissions and privileges for users are often inherited from the organizational unit they are placed in. Therefore, if a user is changed to a separate organizational unit, they will inherit all privileges and permissions. User accounts may have unexpected privileges when switching organizational units that would allow a threat actor to gain a stronger foothold within the organization. 
The principle of least privileged (PoLP) should be followed when users are switched to different groups in Google Workspace.\n\nThis rule identifies when a user has been moved to a different organizational unit.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n - The `user.target.email` field contains the user that had their assigned organizational unit switched.\n- Identify the user's previously assigned unit and new organizational unit by checking the `google_workspace.admin.org_unit.name` and `google_workspace.admin.new_value` fields.\n- Identify Google Workspace applications whose settings were explicitly set for this organizational unit.\n - Search for `event.action` is `CREATE_APPLICATION_SETTING` where `google_workspace.admin.org_unit.name` is the new organizational unit.\n- After identifying the involved user, verify administrative privileges are scoped properly to allow changing user organizational units.\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\n - Add `user.email` with the target user account that recently had their organizational unit changed.\n- Filter on `user.name` or `user.target.email` of the user who took this action and review the last 48 hours of activity for anything that may indicate a compromise.\n\n### False positive analysis\n\n- After identifying the user account that changed another user's organizational unit, verify the action was intentional.\n- Verify whether the target user who received this update is expected to inherit privileges from the new organizational unit.\n- Review potential maintenance notes or organizational changes. 
They might explain why a user's organization was changed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider 
reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.type:change and event.category:iam\n and google_workspace.event.type:\"USER_SETTINGS\" and event.action:\"MOVE_USER_TO_ORG_UNIT\"\n", "references": ["https://support.google.com/a/answer/6328701?hl=en#"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "google_workspace.event.type", "type": "keyword"}], "risk_score": 21, "rule_id": "cc6a8a20-2df2-11ed-8378-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Configuration Audit", "Persistence", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, 
"id": "cc6a8a20-2df2-11ed-8378-f661ea17fbce_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_106.json b/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_106.json
deleted file mode 100644
index 03392d15b31..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cc6a8a20-2df2-11ed-8378-f661ea17fbce_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Users in Google Workspace are typically assigned a specific organizational unit that grants them permissions to certain services and roles that are inherited from this organizational unit. Adversaries may compromise a valid account and change which organizational account the user belongs to which then could allow them to inherit permissions to applications and resources inaccessible prior to.", "false_positives": ["Google Workspace administrators may adjust change which organizational unit a user belongs to as a result of internal role adjustments."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Google Workspace User Organizational Unit Changed", "note": "## Triage and analysis\n\n### Investigating Google Workspace User Organizational Unit Changed\n\nAn organizational unit is a group that an administrator can create in the Google Admin console to apply settings to a specific set of users for Google Workspace. By default, all users are placed in the top-level (parent) organizational unit. Child organizational units inherit the settings from the parent but can be changed to fit the needs of the child organizational unit.\n\nPermissions and privileges for users are often inherited from the organizational unit they are placed in. Therefore, if a user is changed to a separate organizational unit, they will inherit all privileges and permissions. User accounts may have unexpected privileges when switching organizational units that would allow a threat actor to gain a stronger foothold within the organization. 
The principle of least privileged (PoLP) should be followed when users are switched to different groups in Google Workspace.\n\nThis rule identifies when a user has been moved to a different organizational unit.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n - The `user.target.email` field contains the user that had their assigned organizational unit switched.\n- Identify the user's previously assigned unit and new organizational unit by checking the `google_workspace.admin.org_unit.name` and `google_workspace.admin.new_value` fields.\n- Identify Google Workspace applications whose settings were explicitly set for this organizational unit.\n - Search for `event.action` is `CREATE_APPLICATION_SETTING` where `google_workspace.admin.org_unit.name` is the new organizational unit.\n- After identifying the involved user, verify administrative privileges are scoped properly to allow changing user organizational units.\n- Identify if the user account was recently created by searching for `event.action: CREATE_USER`.\n - Add `user.email` with the target user account that recently had their organizational unit changed.\n- Filter on `user.name` or `user.target.email` of the user who took this action and review the last 48 hours of activity for anything that may indicate a compromise.\n\n### False positive analysis\n\n- After identifying the user account that changed another user's organizational unit, verify the action was intentional.\n- Verify whether the target user who received this update is expected to inherit privileges from the new organizational unit.\n- Review potential maintenance notes or organizational changes. 
They might explain why a user's organization was changed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider 
reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:\"google_workspace.admin\" and event.type:change and event.category:iam\n and google_workspace.event.type:\"USER_SETTINGS\" and event.action:\"MOVE_USER_TO_ORG_UNIT\"\n", "references": ["https://support.google.com/a/answer/6328701?hl=en#"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "google_workspace.event.type", "type": "keyword"}], "risk_score": 21, "rule_id": "cc6a8a20-2df2-11ed-8378-f661ea17fbce", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Configuration Audit", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, 
"id": "cc6a8a20-2df2-11ed-8378-f661ea17fbce_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3.json b/packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3.json
deleted file mode 100644
index d8ffeac01ae..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.", "false_positives": ["Subscription deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Pub/Sub Subscription Deletion", "note": "", "query": "event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success\n", "references": ["https://cloud.google.com/pubsub/docs/overview"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "cc89312d-6f47-48e4-a87c-4977bd4633c3", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": 
"https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "cc89312d-6f47-48e4-a87c-4977bd4633c3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3_103.json b/packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3_103.json
deleted file mode 100644
index eee67f29237..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cc89312d-6f47-48e4-a87c-4977bd4633c3_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.", "false_positives": ["Subscription deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Pub/Sub Subscription Deletion", "note": "", "query": "event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.DeleteSubscription and event.outcome:success\n", "references": ["https://cloud.google.com/pubsub/docs/overview"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "cc89312d-6f47-48e4-a87c-4977bd4633c3", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Log Auditing"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": 
"https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "cc89312d-6f47-48e4-a87c-4977bd4633c3_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0.json b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0.json
deleted file mode 100644
index c77c8b78000..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Policy Rule", "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Policy Rule\n\nIdentity and Access Management (IAM) systems like Okta serve as the first line of defense for an organization's network, and are often targeted by adversaries. By disabling security rules, adversaries can circumvent multi-factor authentication, access controls, or other protective measures enforced by these policies, enabling unauthorized access, privilege escalation, or other malicious activities.\n\nThis rule detects attempts to deactivate a rule within an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. 
A threat actor may do this to remove barriers to their activities or enable future attacks.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deactivation attempt.\n- Check the `okta.outcome.result` field to confirm the policy rule deactivation attempt.\n- Check if there are multiple policy rule deactivation attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy rule deactivation attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deactivation attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deactivation attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deactivation attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy rule deactivation is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deactivation technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.rule.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "cc92c835-da92-45c9-9f29-b4992ad621a0", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": 
"medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "cc92c835-da92-45c9-9f29-b4992ad621a0", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_102.json b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_102.json
deleted file mode 100644
index 48fd7cb313f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Policy Rule", "note": "", "query": "event.dataset:okta.system and event.action:policy.rule.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "cc92c835-da92-45c9-9f29-b4992ad621a0", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 
102}, "id": "cc92c835-da92-45c9-9f29-b4992ad621a0_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_103.json b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_103.json
deleted file mode 100644
index a1f20d62fee..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Policy Rule", "note": "", "query": "event.dataset:okta.system and event.action:policy.rule.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "cc92c835-da92-45c9-9f29-b4992ad621a0", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": 
"query", "version": 103}, "id": "cc92c835-da92-45c9-9f29-b4992ad621a0_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_104.json b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_104.json
deleted file mode 100644
index dcabacf6988..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Policy Rule", "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Policy Rule\n\nIdentity and Access Management (IAM) systems like Okta serve as the first line of defense for an organization's network, and are often targeted by adversaries. By disabling security rules, adversaries can circumvent multi-factor authentication, access controls, or other protective measures enforced by these policies, enabling unauthorized access, privilege escalation, or other malicious activities.\n\nThis rule detects attempts to deactivate a rule within an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. 
A threat actor may do this to remove barriers to their activities or enable future attacks.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deactivation attempt.\n- Check the `okta.outcome.result` field to confirm the policy rule deactivation attempt.\n- Check if there are multiple policy rule deactivation attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy rule deactivation attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deactivation attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deactivation attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deactivation attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy rule deactivation is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deactivation technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.rule.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "cc92c835-da92-45c9-9f29-b4992ad621a0", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": 
"medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "cc92c835-da92-45c9-9f29-b4992ad621a0_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_105.json b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_105.json
deleted file mode 100644
index 585c3af3bce..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Policy Rule", "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Policy Rule\n\nIdentity and Access Management (IAM) systems like Okta serve as the first line of defense for an organization's network, and are often targeted by adversaries. By disabling security rules, adversaries can circumvent multi-factor authentication, access controls, or other protective measures enforced by these policies, enabling unauthorized access, privilege escalation, or other malicious activities.\n\nThis rule detects attempts to deactivate a rule within an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. 
A threat actor may do this to remove barriers to their activities or enable future attacks.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deactivation attempt.\n- Check the `okta.outcome.result` field to confirm the policy rule deactivation attempt.\n- Check if there are multiple policy rule deactivation attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy rule deactivation attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deactivation attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deactivation attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deactivation attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy rule deactivation is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deactivation technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.rule.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "cc92c835-da92-45c9-9f29-b4992ad621a0", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": 
"medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "cc92c835-da92-45c9-9f29-b4992ad621a0_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_106.json b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_106.json
deleted file mode 100644
index f6c4c3ccf42..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Policy Rule", "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Policy Rule\n\nIdentity and Access Management (IAM) systems like Okta serve as the first line of defense for an organization's network, and are often targeted by adversaries. By disabling security rules, adversaries can circumvent multi-factor authentication, access controls, or other protective measures enforced by these policies, enabling unauthorized access, privilege escalation, or other malicious activities.\n\nThis rule detects attempts to deactivate a rule within an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. 
A threat actor may do this to remove barriers to their activities or enable future attacks.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deactivation attempt.\n- Check the `okta.outcome.result` field to confirm the policy rule deactivation attempt.\n- Check if there are multiple policy rule deactivation attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy rule deactivation attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deactivation attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deactivation attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deactivation attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy rule deactivation is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deactivation technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.rule.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "cc92c835-da92-45c9-9f29-b4992ad621a0", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": 
"medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "cc92c835-da92-45c9-9f29-b4992ad621a0_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_207.json b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_207.json
deleted file mode 100644
index 99527225a33..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_207.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Policy Rule", "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Policy Rule\n\nIdentity and Access Management (IAM) systems like Okta serve as the first line of defense for an organization's network, and are often targeted by adversaries. By disabling security rules, adversaries can circumvent multi-factor authentication, access controls, or other protective measures enforced by these policies, enabling unauthorized access, privilege escalation, or other malicious activities.\n\nThis rule detects attempts to deactivate a rule within an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. 
A threat actor may do this to remove barriers to their activities or enable future attacks.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deactivation attempt.\n- Check the `okta.outcome.result` field to confirm the policy rule deactivation attempt.\n- Check if there are multiple policy rule deactivation attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy rule deactivation attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deactivation attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deactivation attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deactivation attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy rule deactivation is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deactivation technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.rule.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "cc92c835-da92-45c9-9f29-b4992ad621a0", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": 
"medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "cc92c835-da92-45c9-9f29-b4992ad621a0_207", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_208.json b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_208.json deleted file mode 100644 index 6de3500eb87..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_208.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Policy Rule", "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Policy Rule\n\nIdentity and Access Management (IAM) systems like Okta serve as the first line of defense for an organization's network, and are often targeted by adversaries. By disabling security rules, adversaries can circumvent multi-factor authentication, access controls, or other protective measures enforced by these policies, enabling unauthorized access, privilege escalation, or other malicious activities.\n\nThis rule detects attempts to deactivate a rule within an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. 
A threat actor may do this to remove barriers to their activities or enable future attacks.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deactivation attempt.\n- Check the `okta.outcome.result` field to confirm the policy rule deactivation attempt.\n- Check if there are multiple policy rule deactivation attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy rule deactivation attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deactivation attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deactivation attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deactivation attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy rule deactivation is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deactivation technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.rule.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": 
"cc92c835-da92-45c9-9f29-b4992ad621a0", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 208}, "id": "cc92c835-da92-45c9-9f29-b4992ad621a0_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_210.json b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_210.json deleted file mode 100644 index ee1607559cb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_210.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Policy Rule", "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Policy Rule\n\nIdentity and Access Management (IAM) systems like Okta serve as the first line of defense for an organization's network, and are often targeted by adversaries. By disabling security rules, adversaries can circumvent multi-factor authentication, access controls, or other protective measures enforced by these policies, enabling unauthorized access, privilege escalation, or other malicious activities.\n\nThis rule detects attempts to deactivate a rule within an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. 
A threat actor may do this to remove barriers to their activities or enable future attacks.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deactivation attempt.\n- Check the `okta.outcome.result` field to confirm the policy rule deactivation attempt.\n- Check if there are multiple policy rule deactivation attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy rule deactivation attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deactivation attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deactivation attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deactivation attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy rule deactivation is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deactivation technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.rule.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": 
"cc92c835-da92-45c9-9f29-b4992ad621a0", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 210}, "id": "cc92c835-da92-45c9-9f29-b4992ad621a0_210", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_310.json b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_310.json new file mode 100644 index 00000000000..a841d189367 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cc92c835-da92-45c9-9f29-b4992ad621a0_310.json 
@@ -0,0 +1,84 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects attempts to deactivate a rule within an Okta policy. An adversary may attempt to deactivate a rule within an Okta policy in order to remove or weaken an organization's security controls.",
+ "false_positives": [
+ "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly deactivated in your organization."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempt to Deactivate an Okta Policy Rule",
+ "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Policy Rule\n\nIdentity and Access Management (IAM) systems like Okta serve as the first line of defense for an organization's network, and are often targeted by adversaries. By disabling security rules, adversaries can circumvent multi-factor authentication, access controls, or other protective measures enforced by these policies, enabling unauthorized access, privilege escalation, or other malicious activities.\n\nThis rule detects attempts to deactivate a rule within an Okta policy, which could be indicative of an adversary's attempt to weaken an organization's security controls. 
A threat actor may do this to remove barriers to their activities or enable future attacks.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deactivation attempt.\n- Check the `okta.outcome.result` field to confirm the policy rule deactivation attempt.\n- Check if there are multiple policy rule deactivation attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy rule deactivation attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deactivation attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deactivation attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deactivation attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy rule deactivation is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deactivation technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "query": "event.dataset:okta.system and event.action:policy.rule.deactivate\n",
+ "references": [
+ "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type":
"keyword" + } + ], + "risk_score": 47, + "rule_id": "cc92c835-da92-45c9-9f29-b4992ad621a0", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Use Case: Identity and Access Audit", + "Tactic: Defense Evasion", + "Data Source: Okta" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1562", + "name": "Impair Defenses", + "reference": "https://attack.mitre.org/techniques/T1562/", + "subtechnique": [ + { + "id": "T1562.007", + "name": "Disable or Modify Cloud Firewall", + "reference": "https://attack.mitre.org/techniques/T1562/007/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "query", + "version": 310 + }, + "id": "cc92c835-da92-45c9-9f29-b4992ad621a0_310", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe.json b/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe.json deleted file mode 100644 index 4530856e811..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if sign on policies for Okta applications are regularly modified or deleted in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification or Removal of an Okta Application Sign-On Policy", "note": "", "query": "event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "cd16fb10-0261-46e8-9932-a0336278cdbe", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": 
"cd16fb10-0261-46e8-9932-a0336278cdbe", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_102.json b/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_102.json deleted file mode 100644 index a5702136234..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if sign on policies for Okta applications are regularly modified or deleted in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification or Removal of an Okta Application Sign-On Policy", "note": "", "query": "event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "cd16fb10-0261-46e8-9932-a0336278cdbe", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", 
"version": 102}, "id": "cd16fb10-0261-46e8-9932-a0336278cdbe_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_103.json b/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_103.json deleted file mode 100644 index e3e8b7a0f53..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if sign on policies for Okta applications are regularly modified or deleted in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification or Removal of an Okta Application Sign-On Policy", "note": "", "query": "event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "cd16fb10-0261-46e8-9932-a0336278cdbe", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": 
"query", "version": 103}, "id": "cd16fb10-0261-46e8-9932-a0336278cdbe_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_104.json b/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_104.json deleted file mode 100644 index 7e48569bc55..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if sign on policies for Okta applications are regularly modified or deleted in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification or Removal of an Okta Application Sign-On Policy", "note": "", "query": "event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "cd16fb10-0261-46e8-9932-a0336278cdbe", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": 
"cd16fb10-0261-46e8-9932-a0336278cdbe_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_105.json b/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_105.json
deleted file mode 100644
index ed4936610bd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if sign on policies for Okta applications are regularly modified or deleted in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification or Removal of an Okta Application Sign-On Policy", "note": "", "query": "event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "cd16fb10-0261-46e8-9932-a0336278cdbe", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": 
"cd16fb10-0261-46e8-9932-a0336278cdbe_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_206.json b/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_206.json
deleted file mode 100644
index 2c71ba8c2f6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_206.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if sign on policies for Okta applications are regularly modified or deleted in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification or Removal of an Okta Application Sign-On Policy", "note": "", "query": "event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "cd16fb10-0261-46e8-9932-a0336278cdbe", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": 
"cd16fb10-0261-46e8-9932-a0336278cdbe_206", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_207.json b/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_207.json
deleted file mode 100644
index a140d1e3cd5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_207.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if sign on policies for Okta applications are regularly modified or deleted in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification or Removal of an Okta Application Sign-On Policy", "note": "", "query": "event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "cd16fb10-0261-46e8-9932-a0336278cdbe", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify 
Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "cd16fb10-0261-46e8-9932-a0336278cdbe_207", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_209.json b/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_209.json
deleted file mode 100644
index 0a359d8af45..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_209.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if sign on policies for Okta applications are regularly modified or deleted in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Modification or Removal of an Okta Application Sign-On Policy", "note": "", "query": "event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "cd16fb10-0261-46e8-9932-a0336278cdbe", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify 
Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "cd16fb10-0261-46e8-9932-a0336278cdbe_209", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_309.json b/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_309.json
new file mode 100644
index 00000000000..6d1ee9bbd44
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/cd16fb10-0261-46e8-9932-a0336278cdbe_309.json
@@ -0,0 +1,77 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects attempts to modify or delete a sign on policy for an Okta application. An adversary may attempt to modify or delete the sign on policy for an Okta application in order to remove or weaken an organization's security controls.",
+ "false_positives": [
+ "Consider adding exceptions to this rule to filter false positives if sign on policies for Okta applications are regularly modified or deleted in your organization."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Modification or Removal of an Okta Application Sign-On Policy",
+ "note": "",
+ "query": "event.dataset:okta.system and event.action:(application.policy.sign_on.update or application.policy.sign_on.rule.delete)\n",
+ "references": [
+ "https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm",
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "cd16fb10-0261-46e8-9932-a0336278cdbe",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Tactic: Persistence",
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1556",
+ "name": "Modify Authentication Process",
+ "reference": "https://attack.mitre.org/techniques/T1556/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 309
+ },
+ "id": "cd16fb10-0261-46e8-9932-a0336278cdbe_309",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530.json b/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530.json
deleted file mode 100644
index bb7d824c92e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530.json
+++ /dev/null
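Review bot: The `query` in the new _309 revision matches only `application.policy.sign_on.update` and `application.policy.sign_on.rule.delete`, so a policy-level delete or a rule-level edit — either of which can weaken an application's sign-on controls as effectively as the two covered actions — would not fire this rule despite the "Modification or Removal" name. It is worth checking the Okta event-type catalog cited in `references` for the remaining `application.policy.sign_on.*` actions and widening the `event.action` list if they exist. `note` is still an empty string, so the rule ships without an investigation guide; a short triage note naming the actor and target-application fields to pivot on, and the benign-change pattern called out in `false_positives`, would help analysts tune it.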
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.", "false_positives": ["Uncommon compiler activity can be due to an engineer running a local build on a production or staging instance in the course of troubleshooting or fixing a software issue."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_rare_user_compiler"], "name": "Anomalous Linux Compiler Activity", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Resource Development"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0042", "name": "Resource Development", "reference": "https://attack.mitre.org/tactics/TA0042/"}, "technique": [{"id": "T1588", "name": "Obtain Capabilities", "reference": "https://attack.mitre.org/techniques/T1588/", "subtechnique": [{"id": "T1588.001", "name": "Malware", "reference": "https://attack.mitre.org/techniques/T1588/001/"}]}]}], "type": "machine_learning", "version": 104}, "id": "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_101.json b/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_101.json
deleted file mode 100644
index aa06f5e3369..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_101.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.", "false_positives": ["Uncommon compiler activity can be due to an engineer running a local build on a production or staging instance in the course of troubleshooting or fixing a software issue."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_rare_user_compiler"], "name": "Anomalous Linux Compiler Activity", "risk_score": 21, "rule_id": "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530", "severity": "low", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Resource Development"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0042", "name": "Resource Development", "reference": "https://attack.mitre.org/tactics/TA0042/"}, "technique": [{"id": "T1588", "name": "Obtain Capabilities", "reference": "https://attack.mitre.org/techniques/T1588/", "subtechnique": [{"id": "T1588.001", "name": "Malware", "reference": "https://attack.mitre.org/techniques/T1588/001/"}]}]}], "type": "machine_learning", "version": 101}, "id": "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_102.json b/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_102.json
deleted file mode 100644
index 889d5d7ec15..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.", "false_positives": ["Uncommon compiler activity can be due to an engineer running a local build on a production or staging instance in the course of troubleshooting or fixing a software issue."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_rare_user_compiler"], "name": "Anomalous Linux Compiler Activity", "risk_score": 21, "rule_id": "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Resource Development"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0042", "name": "Resource Development", "reference": "https://attack.mitre.org/tactics/TA0042/"}, "technique": [{"id": "T1588", "name": "Obtain Capabilities", "reference": "https://attack.mitre.org/techniques/T1588/", "subtechnique": [{"id": "T1588.001", "name": "Malware", "reference": "https://attack.mitre.org/techniques/T1588/001/"}]}]}], "type": "machine_learning", "version": 102}, "id": "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_103.json b/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_103.json
deleted file mode 100644
index 9c2d1ef8034..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.", "false_positives": ["Uncommon compiler activity can be due to an engineer running a local build on a production or staging instance in the course of troubleshooting or fixing a software issue."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_rare_user_compiler"], "name": "Anomalous Linux Compiler Activity", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Resource Development"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0042", "name": "Resource Development", "reference": "https://attack.mitre.org/tactics/TA0042/"}, "technique": [{"id": "T1588", "name": "Obtain Capabilities", "reference": "https://attack.mitre.org/techniques/T1588/", "subtechnique": [{"id": "T1588.001", "name": "Malware", "reference": "https://attack.mitre.org/techniques/T1588/001/"}]}]}], "type": "machine_learning", "version": 103}, "id": "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef.json b/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef.json
deleted file mode 100644
index c2034882ffe..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.", "false_positives": ["There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel Module Removal", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.name == \"rmmod\" or (process.name == \"modprobe\" and process.args in (\"--remove\", \"-r\")) and \nprocess.parent.name in (\"sudo\", \"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n", "references": ["http://man7.org/linux/man-pages/man8/modprobe.8.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_103.json b/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_103.json
deleted file mode 100644
index 8e6946f8c76..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.", "false_positives": ["There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Kernel Module Removal", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.args:((rmmod and sudo) or (modprobe and sudo and (\"--remove\" or \"-r\")))\n", "references": ["http://man7.org/linux/man-pages/man8/modprobe.8.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef", "severity": "high", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_104.json b/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_104.json deleted file mode 100644 index eff8a3d2571..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.", "false_positives": ["There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel Module Removal", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and process.name == \"rmmod\" or\n(process.name == \"modprobe\" and process.args in (\"--remove\", \"-r\"))\n", "references": ["http://man7.org/linux/man-pages/man8/modprobe.8.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", 
"reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_105.json b/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_105.json deleted file mode 100644 index 0f2fb09a543..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.", "false_positives": ["There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel Module Removal", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and process.name == \"rmmod\" or\n(process.name == \"modprobe\" and process.args in (\"--remove\", \"-r\")) and \nprocess.parent.name in (\"sudo\", \"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n", "references": ["http://man7.org/linux/man-pages/man8/modprobe.8.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", 
"subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_106.json b/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_106.json deleted file mode 100644 index edf1785ceb6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.", "false_positives": ["There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel Module Removal", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and process.name == \"rmmod\" or\n(process.name == \"modprobe\" and process.args in (\"--remove\", \"-r\")) and \nprocess.parent.name in (\"sudo\", \"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n", "references": ["http://man7.org/linux/man-pages/man8/modprobe.8.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_107.json b/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_107.json
deleted file mode 100644
index 60932ce6668..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.", "false_positives": ["There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel Module Removal", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and process.name == \"rmmod\" or\n(process.name == \"modprobe\" and process.args in (\"--remove\", \"-r\")) and \nprocess.parent.name in (\"sudo\", \"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n", "references": ["http://man7.org/linux/man-pages/man8/modprobe.8.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_108.json b/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_108.json
deleted file mode 100644
index 1aad7709fbe..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.", "false_positives": ["There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel Module Removal", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and\nprocess.name == \"rmmod\" or (process.name == \"modprobe\" and process.args in (\"--remove\", \"-r\")) and \nprocess.parent.name in (\"sudo\", \"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n", "references": ["http://man7.org/linux/man-pages/man8/modprobe.8.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef_108", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_109.json b/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_109.json
deleted file mode 100644
index 52c2bf3bf1d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cd66a5af-e34b-4bb0-8931-57d0a043f2ef_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This rule identifies attempts to remove a kernel module.", "false_positives": ["There is usually no reason to remove modules, but some buggy modules require it. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Kernel Module Removal", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.name == \"rmmod\" or (process.name == \"modprobe\" and process.args in (\"--remove\", \"-r\")) and \nprocess.parent.name in (\"sudo\", \"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n", "references": ["http://man7.org/linux/man-pages/man8/modprobe.8.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.006", "name": "Kernel Modules and Extensions", "reference": "https://attack.mitre.org/techniques/T1547/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "cd66a5af-e34b-4bb0-8931-57d0a043f2ef_109", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cd82e3d6-1346-4afd-8f22-38388bbf34cb.json b/packages/security_detection_engine/kibana/security_rule/cd82e3d6-1346-4afd-8f22-38388bbf34cb.json
deleted file mode 100644
index 436324f59ea..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cd82e3d6-1346-4afd-8f22-38388bbf34cb.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies .url shortcut files downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns.", "from": "now-9m", "index": ["logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Downloaded URL Files", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension == \"url\"\n and file.Ext.windows.zone_identifier > 1 and not process.name : \"explorer.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.windows.zone_identifier", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "cd82e3d6-1346-4afd-8f22-38388bbf34cb", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", 
"version": 3}, "id": "cd82e3d6-1346-4afd-8f22-38388bbf34cb", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cd82e3d6-1346-4afd-8f22-38388bbf34cb_1.json b/packages/security_detection_engine/kibana/security_rule/cd82e3d6-1346-4afd-8f22-38388bbf34cb_1.json deleted file mode 100644 index 53c1444d137..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cd82e3d6-1346-4afd-8f22-38388bbf34cb_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies .url shortcut files downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Downloaded URL Files", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension == \"url\"\n and file.Ext.windows.zone_identifier > 1 and not process.name : \"explorer.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.windows.zone_identifier", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "cd82e3d6-1346-4afd-8f22-38388bbf34cb", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": 
"https://attack.mitre.org/techniques/T1566/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "cd82e3d6-1346-4afd-8f22-38388bbf34cb_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cd82e3d6-1346-4afd-8f22-38388bbf34cb_2.json b/packages/security_detection_engine/kibana/security_rule/cd82e3d6-1346-4afd-8f22-38388bbf34cb_2.json deleted file mode 100644 index 9ef11ef08b4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cd82e3d6-1346-4afd-8f22-38388bbf34cb_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies .url shortcut files downloaded from outside the local network. These shortcut files are commonly used in phishing campaigns.", "from": "now-9m", "index": ["logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Downloaded URL Files", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and file.extension == \"url\"\n and file.Ext.windows.zone_identifier > 1 and not process.name : \"explorer.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.windows.zone_identifier", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "cd82e3d6-1346-4afd-8f22-38388bbf34cb", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "timestamp_override": "event.ingested", 
"type": "eql", "version": 2}, "id": "cd82e3d6-1346-4afd-8f22-38388bbf34cb_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8.json b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8.json deleted file mode 100644 index 9f9957da9d1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects multi-factor authentication (MFA) deactivation with no subsequent re-activation for an Okta user account. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.", "false_positives": ["If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives."], "from": "now-12h", "index": ["filebeat-*", "logs-okta.system*"], "interval": "6h", "language": "eql", "license": "Elastic License v2", "name": "MFA Deactivation with no Re-Activation for Okta User Account", "note": "## Triage and analysis\n\n### Investigating MFA Deactivation with no Re-Activation for Okta User Account\n\nMFA is used to provide an additional layer of security for user accounts. An adversary may achieve MFA deactivation for an Okta user account to achieve persistence.\n\nThis rule fires when an Okta user account has MFA deactivated and no subsequent MFA reactivation is observed within 12 hours.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. 
This should give the username of the account being targeted.\n- Review `okta.target` or `user.target.full_name` fields to determine if deactivation was performed by a se parate user.\n- Using the `okta.actor.alternate_id` field, search for MFA re-activation events where `okta.event_type` is `user.mfa.factor.activate`.\n- Review events where `okta.event_type` is `user.authenticate*` to determine if the user account had suspicious login activity.\n - Geolocation details found in `client.geo*` related fields may be useful in determining if the login activity was suspicious for this user.\n\n#### False positive steps:\n\n- Determine with the target user if MFA deactivation was expected.\n- Determine if MFA is required for the target user account.\n\n#### Response and remediation:\n\n- If the MFA deactivation was not expected, consider deactivating the user\n - This should be followed by resetting the user's password and re-enabling MFA.\n- If the MFA deactivation was expected, consider adding an exception to this rule to filter false positives.\n- Investigate the source of the attack. 
If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\n- Check if the compromised account was used to access or alter any sensitive data, applications or systems.\n", "query": "sequence by okta.actor.id with maxspan=12h\n [any where event.dataset == \"okta.system\" and okta.event_type == \"user.mfa.factor.deactivate\"\n and okta.outcome.result == \"SUCCESS\" and not okta.client.user_agent.raw_user_agent like \"SFDC-Callout*\"]\n ![any where event.dataset == \"okta.system\" and okta.event_type == \"user.mfa.factor.activate\"]\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.client.user_agent.raw_user_agent", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.result", "type": "keyword"}], "risk_score": 21, "rule_id": "cd89602e-9db0-48e3-9391-ae3bf241acd8", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n", "severity": "low", "tags": ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta", "Domain: Cloud"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/", "subtechnique": [{"id": "T1556.006", "name": 
"Multi-Factor Authentication", "reference": "https://attack.mitre.org/techniques/T1556/006/"}]}]}], "type": "eql", "version": 207}, "id": "cd89602e-9db0-48e3-9391-ae3bf241acd8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_102.json b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_102.json deleted file mode 100644 index 3237cf9989c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate multi-factor authentication (MFA) for an Okta user. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.", "false_positives": ["If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate MFA for an Okta User Account", "note": "", "query": "event.dataset:okta.system and event.action:user.mfa.factor.deactivate\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "cd89602e-9db0-48e3-9391-ae3bf241acd8", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "cd89602e-9db0-48e3-9391-ae3bf241acd8_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_103.json b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_103.json
deleted file mode 100644
index af1bb352164..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate multi-factor authentication (MFA) for an Okta user. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.", "false_positives": ["If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate MFA for an Okta User Account", "note": "", "query": "event.dataset:okta.system and event.action:user.mfa.factor.deactivate\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "cd89602e-9db0-48e3-9391-ae3bf241acd8", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "cd89602e-9db0-48e3-9391-ae3bf241acd8_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_104.json b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_104.json
deleted file mode 100644
index 067b1b3d5ae..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate multi-factor authentication (MFA) for an Okta user. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.", "false_positives": ["If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate MFA for an Okta User Account", "note": "", "query": "event.dataset:okta.system and event.action:user.mfa.factor.deactivate\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "cd89602e-9db0-48e3-9391-ae3bf241acd8", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "cd89602e-9db0-48e3-9391-ae3bf241acd8_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_105.json b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_105.json
deleted file mode 100644
index a6f1f14e9d5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate multi-factor authentication (MFA) for an Okta user. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.", "false_positives": ["If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate MFA for an Okta User Account", "note": "", "query": "event.dataset:okta.system and event.action:user.mfa.factor.deactivate\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "cd89602e-9db0-48e3-9391-ae3bf241acd8", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "cd89602e-9db0-48e3-9391-ae3bf241acd8_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_206.json b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_206.json
deleted file mode 100644
index bbfa27e20bd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_206.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate multi-factor authentication (MFA) for an Okta user. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.", "false_positives": ["If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate MFA for an Okta User Account", "note": "", "query": "event.dataset:okta.system and event.action:user.mfa.factor.deactivate\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "cd89602e-9db0-48e3-9391-ae3bf241acd8", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "cd89602e-9db0-48e3-9391-ae3bf241acd8_206", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_207.json b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_207.json
deleted file mode 100644
index d3ea73664e6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_207.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects multi-factor authentication (MFA) deactivation with no subsequent re-activation for an Okta user account. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.", "false_positives": ["If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives."], "from": "now-12h", "index": ["filebeat-*", "logs-okta.system*"], "interval": "6h", "language": "eql", "license": "Elastic License v2", "name": "MFA Deactivation with no Re-Activation for Okta User Account", "note": "## Triage and analysis\n\n### Investigating MFA Deactivation with no Re-Activation for Okta User Account\n\nMFA is used to provide an additional layer of security for user accounts. An adversary may achieve MFA deactivation for an Okta user account to achieve persistence.\n\nThis rule fires when an Okta user account has MFA deactivated and no subsequent MFA reactivation is observed within 12 hours.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. 
This should give the username of the account being targeted.\n- Review `okta.target` or `user.target.full_name` fields to determine if deactivation was performed by a se parate user.\n- Using the `okta.actor.alternate_id` field, search for MFA re-activation events where `okta.event_type` is `user.mfa.factor.activate`.\n- Review events where `okta.event_type` is `user.authenticate*` to determine if the user account had suspicious login activity.\n - Geolocation details found in `client.geo*` related fields may be useful in determining if the login activity was suspicious for this user.\n\n#### False positive steps:\n\n- Determine with the target user if MFA deactivation was expected.\n- Determine if MFA is required for the target user account.\n\n#### Response and remediation:\n\n- If the MFA deactivation was not expected, consider deactivating the user\n - This should be followed by resetting the user's password and re-enabling MFA.\n- If the MFA deactivation was expected, consider adding an exception to this rule to filter false positives.\n- Investigate the source of the attack. 
If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\n- Check if the compromised account was used to access or alter any sensitive data, applications or systems.\n", "query": "sequence by okta.actor.id with maxspan=12h\n [any where event.dataset == \"okta.system\" and okta.event_type == \"user.mfa.factor.deactivate\"\n and okta.outcome.result == \"SUCCESS\" and not okta.client.user_agent.raw_user_agent like \"SFDC-Callout*\"]\n ![any where event.dataset == \"okta.system\" and okta.event_type == \"user.mfa.factor.activate\"]\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.client.user_agent.raw_user_agent", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.result", "type": "keyword"}], "risk_score": 21, "rule_id": "cd89602e-9db0-48e3-9391-ae3bf241acd8", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n", "severity": "low", "tags": ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta", "Domain: Cloud"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/", "subtechnique": [{"id": "T1556.006", "name": 
"Multi-Factor Authentication", "reference": "https://attack.mitre.org/techniques/T1556/006/"}]}]}], "type": "eql", "version": 207}, "id": "cd89602e-9db0-48e3-9391-ae3bf241acd8_207", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_208.json b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_208.json deleted file mode 100644 index f7b3a30f11a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_208.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects multi-factor authentication (MFA) deactivation with no subsequent re-activation for an Okta user account. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.", "false_positives": ["If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives."], "from": "now-12h", "index": ["filebeat-*", "logs-okta.system*"], "interval": "6h", "language": "eql", "license": "Elastic License v2", "name": "MFA Deactivation with no Re-Activation for Okta User Account", "note": "## Triage and analysis\n\n### Investigating MFA Deactivation with no Re-Activation for Okta User Account\n\nMFA is used to provide an additional layer of security for user accounts. An adversary may achieve MFA deactivation for an Okta user account to achieve persistence.\n\nThis rule fires when an Okta user account has MFA deactivated and no subsequent MFA reactivation is observed within 12 hours.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. 
This should give the username of the account being targeted.\n- Review `okta.target` or `user.target.full_name` fields to determine if deactivation was performed by a se parate user.\n- Using the `okta.actor.alternate_id` field, search for MFA re-activation events where `okta.event_type` is `user.mfa.factor.activate`.\n- Review events where `okta.event_type` is `user.authenticate*` to determine if the user account had suspicious login activity.\n - Geolocation details found in `client.geo*` related fields may be useful in determining if the login activity was suspicious for this user.\n\n#### False positive steps:\n\n- Determine with the target user if MFA deactivation was expected.\n- Determine if MFA is required for the target user account.\n\n#### Response and remediation:\n\n- If the MFA deactivation was not expected, consider deactivating the user\n - This should be followed by resetting the user's password and re-enabling MFA.\n- If the MFA deactivation was expected, consider adding an exception to this rule to filter false positives.\n- Investigate the source of the attack. 
If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\n- Check if the compromised account was used to access or alter any sensitive data, applications or systems.\n", "query": "sequence by okta.actor.id with maxspan=12h\n [any where event.dataset == \"okta.system\" and okta.event_type == \"user.mfa.factor.deactivate\"\n and okta.outcome.result == \"SUCCESS\" and not okta.client.user_agent.raw_user_agent like \"SFDC-Callout*\"]\n ![any where event.dataset == \"okta.system\" and okta.event_type == \"user.mfa.factor.activate\"]\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.client.user_agent.raw_user_agent", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.result", "type": "keyword"}], "risk_score": 21, "rule_id": "cd89602e-9db0-48e3-9391-ae3bf241acd8", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n", "severity": "low", "tags": ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta", "Domain: Cloud"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": 
[{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/", "subtechnique": [{"id": "T1556.006", "name": "Multi-Factor Authentication", "reference": "https://attack.mitre.org/techniques/T1556/006/"}]}]}], "type": "eql", "version": 208}, "id": "cd89602e-9db0-48e3-9391-ae3bf241acd8_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_209.json b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_209.json deleted file mode 100644 index c9443f90bd1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_209.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects multi-factor authentication (MFA) deactivation with no subsequent re-activation for an Okta user account. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.", "false_positives": ["If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives."], "from": "now-12h", "index": ["filebeat-*", "logs-okta.system*"], "interval": "6h", "language": "eql", "license": "Elastic License v2", "name": "MFA Deactivation with no Re-Activation for Okta User Account", "note": "## Triage and analysis\n\n### Investigating MFA Deactivation with no Re-Activation for Okta User Account\n\nMFA is used to provide an additional layer of security for user accounts. An adversary may achieve MFA deactivation for an Okta user account to achieve persistence.\n\nThis rule fires when an Okta user account has MFA deactivated and no subsequent MFA reactivation is observed within 12 hours.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. 
This should give the username of the account being targeted.\n- Review `okta.target` or `user.target.full_name` fields to determine if deactivation was performed by a se parate user.\n- Using the `okta.actor.alternate_id` field, search for MFA re-activation events where `okta.event_type` is `user.mfa.factor.activate`.\n- Review events where `okta.event_type` is `user.authenticate*` to determine if the user account had suspicious login activity.\n - Geolocation details found in `client.geo*` related fields may be useful in determining if the login activity was suspicious for this user.\n\n#### False positive steps:\n\n- Determine with the target user if MFA deactivation was expected.\n- Determine if MFA is required for the target user account.\n\n#### Response and remediation:\n\n- If the MFA deactivation was not expected, consider deactivating the user\n - This should be followed by resetting the user's password and re-enabling MFA.\n- If the MFA deactivation was expected, consider adding an exception to this rule to filter false positives.\n- Investigate the source of the attack. 
If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\n- Check if the compromised account was used to access or alter any sensitive data, applications or systems.\n- Review the client user-agent to determine if it's a known custom application that can be whitelisted.\n", "query": "sequence by okta.actor.id with maxspan=12h\n [any where event.dataset == \"okta.system\" and okta.event_type in (\"user.mfa.factor.deactivate\", \"user.mfa.factor.reset_all\")\n and okta.outcome.reason != \"User reset SECURITY_QUESTION factor\" and okta.outcome.result == \"SUCCESS\"]\n ![any where event.dataset == \"okta.system\" and okta.event_type == \"user.mfa.factor.activate\"]\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.reason", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.result", "type": "keyword"}], "risk_score": 21, "rule_id": "cd89602e-9db0-48e3-9391-ae3bf241acd8", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n", "severity": "low", "tags": ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta", "Domain: Cloud"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/", "subtechnique": [{"id": "T1556.006", "name": "Multi-Factor Authentication", "reference": "https://attack.mitre.org/techniques/T1556/006/"}]}]}], "type": "eql", "version": 209}, "id": "cd89602e-9db0-48e3-9391-ae3bf241acd8_209", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_211.json b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_211.json
deleted file mode 100644
index babedfcbeda..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_211.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects multi-factor authentication (MFA) deactivation with no subsequent re-activation for an Okta user account. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.", "false_positives": ["If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives."], "from": "now-12h", "index": ["filebeat-*", "logs-okta.system*"], "interval": "6h", "language": "eql", "license": "Elastic License v2", "name": "MFA Deactivation with no Re-Activation for Okta User Account", "note": "## Triage and analysis\n\n### Investigating MFA Deactivation with no Re-Activation for Okta User Account\n\nMFA is used to provide an additional layer of security for user accounts. An adversary may achieve MFA deactivation for an Okta user account to achieve persistence.\n\nThis rule fires when an Okta user account has MFA deactivated and no subsequent MFA reactivation is observed within 12 hours.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. 
This should give the username of the account being targeted.\n- Review `okta.target` or `user.target.full_name` fields to determine if deactivation was performed by a se parate user.\n- Using the `okta.actor.alternate_id` field, search for MFA re-activation events where `okta.event_type` is `user.mfa.factor.activate`.\n- Review events where `okta.event_type` is `user.authenticate*` to determine if the user account had suspicious login activity.\n - Geolocation details found in `client.geo*` related fields may be useful in determining if the login activity was suspicious for this user.\n\n#### False positive steps:\n\n- Determine with the target user if MFA deactivation was expected.\n- Determine if MFA is required for the target user account.\n\n#### Response and remediation:\n\n- If the MFA deactivation was not expected, consider deactivating the user\n - This should be followed by resetting the user's password and re-enabling MFA.\n- If the MFA deactivation was expected, consider adding an exception to this rule to filter false positives.\n- Investigate the source of the attack. 
If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\n- Check if the compromised account was used to access or alter any sensitive data, applications or systems.\n- Review the client user-agent to determine if it's a known custom application that can be whitelisted.\n", "query": "sequence by okta.actor.id with maxspan=12h\n [any where event.dataset == \"okta.system\" and okta.event_type in (\"user.mfa.factor.deactivate\", \"user.mfa.factor.reset_all\")\n and okta.outcome.reason != \"User reset SECURITY_QUESTION factor\" and okta.outcome.result == \"SUCCESS\"]\n ![any where event.dataset == \"okta.system\" and okta.event_type == \"user.mfa.factor.activate\"]\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "okta.actor.id", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.reason", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.result", "type": "keyword"}], "risk_score": 21, "rule_id": "cd89602e-9db0-48e3-9391-ae3bf241acd8", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n", "severity": "low", "tags": ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta", "Domain: Cloud"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/", "subtechnique": [{"id": "T1556.006", "name": "Multi-Factor Authentication", "reference": "https://attack.mitre.org/techniques/T1556/006/"}]}]}], "type": "eql", "version": 211}, "id": "cd89602e-9db0-48e3-9391-ae3bf241acd8_211", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_311.json b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_311.json
new file mode 100644
index 00000000000..0c38d057802
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/cd89602e-9db0-48e3-9391-ae3bf241acd8_311.json
@@ -0,0 +1,100 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects multi-factor authentication (MFA) deactivation with no subsequent re-activation for an Okta user account. An adversary may deactivate MFA for an Okta user account in order to weaken the authentication requirements for the account.",
+ "false_positives": [
+ "If the behavior of deactivating MFA for Okta user accounts is expected, consider adding exceptions to this rule to filter false positives."
+ ],
+ "from": "now-12h",
+ "index": [
+ "filebeat-*",
+ "logs-okta.system*"
+ ],
+ "interval": "6h",
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "MFA Deactivation with no Re-Activation for Okta User Account",
+ "note": "## Triage and analysis\n\n### Investigating MFA Deactivation with no Re-Activation for Okta User Account\n\nMFA is used to provide an additional layer of security for user accounts. An adversary may achieve MFA deactivation for an Okta user account to achieve persistence.\n\nThis rule fires when an Okta user account has MFA deactivated and no subsequent MFA reactivation is observed within 12 hours.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. 
This should give the username of the account being targeted.\n- Review `okta.target` or `user.target.full_name` fields to determine if deactivation was performed by a se parate user.\n- Using the `okta.actor.alternate_id` field, search for MFA re-activation events where `okta.event_type` is `user.mfa.factor.activate`.\n- Review events where `okta.event_type` is `user.authenticate*` to determine if the user account had suspicious login activity.\n - Geolocation details found in `client.geo*` related fields may be useful in determining if the login activity was suspicious for this user.\n\n#### False positive steps:\n\n- Determine with the target user if MFA deactivation was expected.\n- Determine if MFA is required for the target user account.\n\n#### Response and remediation:\n\n- If the MFA deactivation was not expected, consider deactivating the user\n - This should be followed by resetting the user's password and re-enabling MFA.\n- If the MFA deactivation was expected, consider adding an exception to this rule to filter false positives.\n- Investigate the source of the attack. 
If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\n- Check if the compromised account was used to access or alter any sensitive data, applications or systems.\n- Review the client user-agent to determine if it's a known custom application that can be whitelisted.\n",
+ "query": "sequence by okta.actor.id with maxspan=12h\n [any where event.dataset == \"okta.system\" and okta.event_type in (\"user.mfa.factor.deactivate\", \"user.mfa.factor.reset_all\")\n and okta.outcome.reason != \"User reset SECURITY_QUESTION factor\" and okta.outcome.result == \"SUCCESS\"]\n ![any where event.dataset == \"okta.system\" and okta.event_type == \"user.mfa.factor.activate\"]\n",
+ "references": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "okta.actor.id",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "okta.event_type",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "okta.outcome.reason",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "okta.outcome.result",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "cd89602e-9db0-48e3-9391-ae3bf241acd8",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n",
+ "severity": "low",
+ "tags": [
+ "Tactic: Persistence",
+ "Use 
Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Domain: Cloud"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1556",
+ "name": "Modify Authentication Process",
+ "reference": "https://attack.mitre.org/techniques/T1556/",
+ "subtechnique": [
+ {
+ "id": "T1556.006",
+ "name": "Multi-Factor Authentication",
+ "reference": "https://attack.mitre.org/techniques/T1556/006/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "type": "eql",
+ "version": 311
+ },
+ "id": "cd89602e-9db0-48e3-9391-ae3bf241acd8_311",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911.json b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911.json
deleted file mode 100644
index c179a715f04..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911.json
+++ /dev/null
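Review bot: The `note` in the new `_311` rule file is out of step with its own `query`: the sequence is keyed on `okta.actor.id`, yet the first investigation step tells the analyst to identify the actor from `okta.actor.alternate_id`, and the summary sentence says the rule fires when MFA is "deactivated" even though the query also matches `user.mfa.factor.reset_all` (excluding only the security-question reset reason). The same note also still carries the `a se parate user` typo inherited from the `_209`/`_211` versions this commit deletes; only the `related_integrations` constraint (`^3.0.0`) actually changed. Suggest rewording the first step to `- Identify the actor related to the alert by reviewing the \`okta.actor.id\` (and \`okta.actor.alternate_id\`) fields in the alert.` and extending the summary to `This rule fires when an Okta user account has MFA deactivated or all factors reset (other than a security-question reset) and no subsequent MFA reactivation is observed within 12 hours.` The `- Review the client user-agent ...` step is also worth keeping only if it is restated as an analyst check, since the query no longer filters on `okta.client.user_agent.raw_user_agent` and that field is no longer in `required_fields`.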
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A user has initiated a session impersonation granting them access to the environment with the permissions of the user they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested and expected.", "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "15m", "language": "kuery", "license": "Elastic License v2", "name": "Okta User Session Impersonation", "note": "## Triage and analysis\n\n### Investigating Okta User Session Impersonation\n\nThe detection of an Okta User Session Impersonation indicates that a user has initiated a session impersonation which grants them access with the permissions of the user they are impersonating. This type of activity typically indicates Okta administrative access and should only ever occur if requested and expected.\n\n#### Possible investigation steps\n\n- Identify the actor associated with the impersonation event by checking the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\n- Review the `event.action` field to confirm the initiation of the impersonation event.\n- Check the `event.time` field to understand the timing of the event.\n- Check the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` to identify the user who was impersonated.\n- Review any activities that occurred during the impersonation session. Look for any activities related to the impersonated user's account during and after the impersonation event.\n\n### False positive analysis\n\n- Verify if the session impersonation was part of an approved activity. Check if it was associated with any documented administrative tasks or troubleshooting efforts.\n- Ensure that the impersonation session was initiated by an authorized individual. 
You can check this by verifying the `okta.actor.id` or `okta.actor.display_name` against the list of approved administrators.\n\n### Response and remediation\n\n- If the impersonation was not authorized, consider it as a breach. Suspend the user account of the impersonator immediately.\n- Reset the user session and invalidate any active sessions related to the impersonated user.\n- If a specific impersonation technique was used, ensure that systems are patched or configured to prevent such techniques.\n- Conduct a thorough investigation to understand the extent of the breach and the potential impact on the systems and data.\n- Review and update your security policies to prevent such incidents in the future.\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.", "query": "event.dataset:okta.system and event.action:user.session.impersonation.initiate\n", "references": ["https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 73, "rule_id": "cdbebdc1-dc97-43c6-a538-f26a20c0a911", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "cdbebdc1-dc97-43c6-a538-f26a20c0a911", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_102.json b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_102.json
deleted file mode 100644
index 0349395f5e5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A user has initiated a session impersonation granting them access to the environment with the permissions of the user they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested and expected.", "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "15m", "language": "kuery", "license": "Elastic License v2", "name": "Okta User Session Impersonation", "note": "", "query": "event.dataset:okta.system and event.action:user.session.impersonation.initiate\n", "references": ["https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 73, "rule_id": "cdbebdc1-dc97-43c6-a538-f26a20c0a911", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "cdbebdc1-dc97-43c6-a538-f26a20c0a911_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_103.json b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_103.json deleted file mode 100644 index 0bce623728e..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_103.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A user has initiated a session impersonation granting them access to the environment with the permissions of the user they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested and expected.", "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "15m", "language": "kuery", "license": "Elastic License v2", "name": "Okta User Session Impersonation", "note": "", "query": "event.dataset:okta.system and event.action:user.session.impersonation.initiate\n", "references": ["https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 73, "rule_id": "cdbebdc1-dc97-43c6-a538-f26a20c0a911", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "cdbebdc1-dc97-43c6-a538-f26a20c0a911_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_104.json b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_104.json
deleted file mode 100644
index 0a1e1090dde..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A user has initiated a session impersonation granting them access to the environment with the permissions of the user they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested and expected.", "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "15m", "language": "kuery", "license": "Elastic License v2", "name": "Okta User Session Impersonation", "note": "## Triage and analysis\n\n### Investigating Okta User Session Impersonation\n\nThe detection of an Okta User Session Impersonation indicates that a user has initiated a session impersonation which grants them access with the permissions of the user they are impersonating. This type of activity typically indicates Okta administrative access and should only ever occur if requested and expected.\n\n#### Possible investigation steps\n\n- Identify the actor associated with the impersonation event by checking the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\n- Review the `event.action` field to confirm the initiation of the impersonation event.\n- Check the `event.time` field to understand the timing of the event.\n- Check the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` to identify the user who was impersonated.\n- Review any activities that occurred during the impersonation session. Look for any activities related to the impersonated user's account during and after the impersonation event.\n\n### False positive analysis\n\n- Verify if the session impersonation was part of an approved activity. Check if it was associated with any documented administrative tasks or troubleshooting efforts.\n- Ensure that the impersonation session was initiated by an authorized individual. 
You can check this by verifying the `okta.actor.id` or `okta.actor.display_name` against the list of approved administrators.\n\n### Response and remediation\n\n- If the impersonation was not authorized, consider it as a breach. Suspend the user account of the impersonator immediately.\n- Reset the user session and invalidate any active sessions related to the impersonated user.\n- If a specific impersonation technique was used, ensure that systems are patched or configured to prevent such techniques.\n- Conduct a thorough investigation to understand the extent of the breach and the potential impact on the systems and data.\n- Review and update your security policies to prevent such incidents in the future.\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.", "query": "event.dataset:okta.system and event.action:user.session.impersonation.initiate\n", "references": ["https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 73, "rule_id": "cdbebdc1-dc97-43c6-a538-f26a20c0a911", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "cdbebdc1-dc97-43c6-a538-f26a20c0a911_104", "type": "security-rule"} \ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_105.json b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_105.json
deleted file mode 100644
index 55447a59248..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A user has initiated a session impersonation granting them access to the environment with the permissions of the user they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested and expected.", "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "15m", "language": "kuery", "license": "Elastic License v2", "name": "Okta User Session Impersonation", "note": "## Triage and analysis\n\n### Investigating Okta User Session Impersonation\n\nThe detection of an Okta User Session Impersonation indicates that a user has initiated a session impersonation which grants them access with the permissions of the user they are impersonating. This type of activity typically indicates Okta administrative access and should only ever occur if requested and expected.\n\n#### Possible investigation steps\n\n- Identify the actor associated with the impersonation event by checking the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\n- Review the `event.action` field to confirm the initiation of the impersonation event.\n- Check the `event.time` field to understand the timing of the event.\n- Check the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` to identify the user who was impersonated.\n- Review any activities that occurred during the impersonation session. Look for any activities related to the impersonated user's account during and after the impersonation event.\n\n### False positive analysis\n\n- Verify if the session impersonation was part of an approved activity. Check if it was associated with any documented administrative tasks or troubleshooting efforts.\n- Ensure that the impersonation session was initiated by an authorized individual. 
You can check this by verifying the `okta.actor.id` or `okta.actor.display_name` against the list of approved administrators.\n\n### Response and remediation\n\n- If the impersonation was not authorized, consider it as a breach. Suspend the user account of the impersonator immediately.\n- Reset the user session and invalidate any active sessions related to the impersonated user.\n- If a specific impersonation technique was used, ensure that systems are patched or configured to prevent such techniques.\n- Conduct a thorough investigation to understand the extent of the breach and the potential impact on the systems and data.\n- Review and update your security policies to prevent such incidents in the future.\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.", "query": "event.dataset:okta.system and event.action:user.session.impersonation.initiate\n", "references": ["https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 73, "rule_id": "cdbebdc1-dc97-43c6-a538-f26a20c0a911", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "cdbebdc1-dc97-43c6-a538-f26a20c0a911_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_106.json b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_106.json
deleted file mode 100644
index 8520b4b71db..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A user has initiated a session impersonation granting them access to the environment with the permissions of the user they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested and expected.", "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "15m", "language": "kuery", "license": "Elastic License v2", "name": "Okta User Session Impersonation", "note": "## Triage and analysis\n\n### Investigating Okta User Session Impersonation\n\nThe detection of an Okta User Session Impersonation indicates that a user has initiated a session impersonation which grants them access with the permissions of the user they are impersonating. This type of activity typically indicates Okta administrative access and should only ever occur if requested and expected.\n\n#### Possible investigation steps\n\n- Identify the actor associated with the impersonation event by checking the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\n- Review the `event.action` field to confirm the initiation of the impersonation event.\n- Check the `event.time` field to understand the timing of the event.\n- Check the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` to identify the user who was impersonated.\n- Review any activities that occurred during the impersonation session. Look for any activities related to the impersonated user's account during and after the impersonation event.\n\n### False positive analysis\n\n- Verify if the session impersonation was part of an approved activity. Check if it was associated with any documented administrative tasks or troubleshooting efforts.\n- Ensure that the impersonation session was initiated by an authorized individual. 
You can check this by verifying the `okta.actor.id` or `okta.actor.display_name` against the list of approved administrators.\n\n### Response and remediation\n\n- If the impersonation was not authorized, consider it as a breach. Suspend the user account of the impersonator immediately.\n- Reset the user session and invalidate any active sessions related to the impersonated user.\n- If a specific impersonation technique was used, ensure that systems are patched or configured to prevent such techniques.\n- Conduct a thorough investigation to understand the extent of the breach and the potential impact on the systems and data.\n- Review and update your security policies to prevent such incidents in the future.\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.", "query": "event.dataset:okta.system and event.action:user.session.impersonation.initiate\n", "references": ["https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 73, "rule_id": "cdbebdc1-dc97-43c6-a538-f26a20c0a911", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "cdbebdc1-dc97-43c6-a538-f26a20c0a911_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_207.json b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_207.json
deleted file mode 100644
index c300e34c3ac..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_207.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A user has initiated a session impersonation granting them access to the environment with the permissions of the user they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested and expected.", "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "15m", "language": "kuery", "license": "Elastic License v2", "name": "Okta User Session Impersonation", "note": "## Triage and analysis\n\n### Investigating Okta User Session Impersonation\n\nThe detection of an Okta User Session Impersonation indicates that a user has initiated a session impersonation which grants them access with the permissions of the user they are impersonating. This type of activity typically indicates Okta administrative access and should only ever occur if requested and expected.\n\n#### Possible investigation steps\n\n- Identify the actor associated with the impersonation event by checking the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\n- Review the `event.action` field to confirm the initiation of the impersonation event.\n- Check the `event.time` field to understand the timing of the event.\n- Check the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` to identify the user who was impersonated.\n- Review any activities that occurred during the impersonation session. Look for any activities related to the impersonated user's account during and after the impersonation event.\n\n### False positive analysis\n\n- Verify if the session impersonation was part of an approved activity. Check if it was associated with any documented administrative tasks or troubleshooting efforts.\n- Ensure that the impersonation session was initiated by an authorized individual. 
You can check this by verifying the `okta.actor.id` or `okta.actor.display_name` against the list of approved administrators.\n\n### Response and remediation\n\n- If the impersonation was not authorized, consider it as a breach. Suspend the user account of the impersonator immediately.\n- Reset the user session and invalidate any active sessions related to the impersonated user.\n- If a specific impersonation technique was used, ensure that systems are patched or configured to prevent such techniques.\n- Conduct a thorough investigation to understand the extent of the breach and the potential impact on the systems and data.\n- Review and update your security policies to prevent such incidents in the future.\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.", "query": "event.dataset:okta.system and event.action:user.session.impersonation.initiate\n", "references": ["https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 73, "rule_id": "cdbebdc1-dc97-43c6-a538-f26a20c0a911", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "cdbebdc1-dc97-43c6-a538-f26a20c0a911_207", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_208.json b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_208.json
deleted file mode 100644
index 2bec16085bd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_208.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A user has initiated a session impersonation granting them access to the environment with the permissions of the user they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested and expected.", "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "15m", "language": "kuery", "license": "Elastic License v2", "name": "Okta User Session Impersonation", "note": "## Triage and analysis\n\n### Investigating Okta User Session Impersonation\n\nThe detection of an Okta User Session Impersonation indicates that a user has initiated a session impersonation which grants them access with the permissions of the user they are impersonating. This type of activity typically indicates Okta administrative access and should only ever occur if requested and expected.\n\n#### Possible investigation steps\n\n- Identify the actor associated with the impersonation event by checking the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\n- Review the `event.action` field to confirm the initiation of the impersonation event.\n- Check the `event.time` field to understand the timing of the event.\n- Check the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` to identify the user who was impersonated.\n- Review any activities that occurred during the impersonation session. Look for any activities related to the impersonated user's account during and after the impersonation event.\n\n### False positive analysis\n\n- Verify if the session impersonation was part of an approved activity. Check if it was associated with any documented administrative tasks or troubleshooting efforts.\n- Ensure that the impersonation session was initiated by an authorized individual. 
You can check this by verifying the `okta.actor.id` or `okta.actor.display_name` against the list of approved administrators.\n\n### Response and remediation\n\n- If the impersonation was not authorized, consider it as a breach. Suspend the user account of the impersonator immediately.\n- Reset the user session and invalidate any active sessions related to the impersonated user.\n- If a specific impersonation technique was used, ensure that systems are patched or configured to prevent such techniques.\n- Conduct a thorough investigation to understand the extent of the breach and the potential impact on the systems and data.\n- Review and update your security policies to prevent such incidents in the future.\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.", "query": "event.dataset:okta.system and event.action:user.session.impersonation.initiate\n", "references": ["https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta", "https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 73, "rule_id": "cdbebdc1-dc97-43c6-a538-f26a20c0a911", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": 
"https://attack.mitre.org/tactics/TA0006/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 208}, "id": "cdbebdc1-dc97-43c6-a538-f26a20c0a911_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_210.json b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_210.json deleted file mode 100644 index 5eaeecdff40..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_210.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A user has initiated a session impersonation granting them access to the environment with the permissions of the user they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested and expected.", "from": "now-30m", "index": ["filebeat-*", "logs-okta*"], "interval": "15m", "language": "kuery", "license": "Elastic License v2", "name": "Okta User Session Impersonation", "note": "## Triage and analysis\n\n### Investigating Okta User Session Impersonation\n\nThe detection of an Okta User Session Impersonation indicates that a user has initiated a session impersonation which grants them access with the permissions of the user they are impersonating. This type of activity typically indicates Okta administrative access and should only ever occur if requested and expected.\n\n#### Possible investigation steps\n\n- Identify the actor associated with the impersonation event by checking the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\n- Review the `event.action` field to confirm the initiation of the impersonation event.\n- Check the `event.time` field to understand the timing of the event.\n- Check the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` to identify the user who was impersonated.\n- Review any activities that occurred during the impersonation session. Look for any activities related to the impersonated user's account during and after the impersonation event.\n\n### False positive analysis\n\n- Verify if the session impersonation was part of an approved activity. Check if it was associated with any documented administrative tasks or troubleshooting efforts.\n- Ensure that the impersonation session was initiated by an authorized individual. 
You can check this by verifying the `okta.actor.id` or `okta.actor.display_name` against the list of approved administrators.\n\n### Response and remediation\n\n- If the impersonation was not authorized, consider it as a breach. Suspend the user account of the impersonator immediately.\n- Reset the user session and invalidate any active sessions related to the impersonated user.\n- If a specific impersonation technique was used, ensure that systems are patched or configured to prevent such techniques.\n- Conduct a thorough investigation to understand the extent of the breach and the potential impact on the systems and data.\n- Review and update your security policies to prevent such incidents in the future.\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.", "query": "event.dataset:okta.system and event.action:user.session.impersonation.initiate\n", "references": ["https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta", "https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 73, "rule_id": "cdbebdc1-dc97-43c6-a538-f26a20c0a911", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": 
"https://attack.mitre.org/tactics/TA0006/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 210}, "id": "cdbebdc1-dc97-43c6-a538-f26a20c0a911_210", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_310.json b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_310.json new file mode 100644 index 00000000000..015b4c70be4 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/cdbebdc1-dc97-43c6-a538-f26a20c0a911_310.json 
@@ -0,0 +1,69 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "A user has initiated a session impersonation granting them access to the environment with the permissions of the user they are impersonating. This would likely indicate Okta administrative access and should only ever occur if requested and expected.",
+ "from": "now-30m",
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "interval": "15m",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Okta User Session Impersonation",
+ "note": "## Triage and analysis\n\n### Investigating Okta User Session Impersonation\n\nThe detection of an Okta User Session Impersonation indicates that a user has initiated a session impersonation which grants them access with the permissions of the user they are impersonating. This type of activity typically indicates Okta administrative access and should only ever occur if requested and expected.\n\n#### Possible investigation steps\n\n- Identify the actor associated with the impersonation event by checking the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields.\n- Review the `event.action` field to confirm the initiation of the impersonation event.\n- Check the `event.time` field to understand the timing of the event.\n- Check the `okta.target.id`, `okta.target.type`, `okta.target.alternate_id`, or `okta.target.display_name` to identify the user who was impersonated.\n- Review any activities that occurred during the impersonation session. Look for any activities related to the impersonated user's account during and after the impersonation event.\n\n### False positive analysis\n\n- Verify if the session impersonation was part of an approved activity. Check if it was associated with any documented administrative tasks or troubleshooting efforts.\n- Ensure that the impersonation session was initiated by an authorized individual. 
You can check this by verifying the `okta.actor.id` or `okta.actor.display_name` against the list of approved administrators.\n\n### Response and remediation\n\n- If the impersonation was not authorized, consider it as a breach. Suspend the user account of the impersonator immediately.\n- Reset the user session and invalidate any active sessions related to the impersonated user.\n- If a specific impersonation technique was used, ensure that systems are patched or configured to prevent such techniques.\n- Conduct a thorough investigation to understand the extent of the breach and the potential impact on the systems and data.\n- Review and update your security policies to prevent such incidents in the future.\n- Implement additional monitoring and logging of Okta events to improve visibility of user actions.",
+ "query": "event.dataset:okta.system and event.action:user.session.impersonation.initiate\n",
+ "references": [
+ "https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
+ "https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "cdbebdc1-dc97-43c6-a538-f26a20c0a911",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "high",
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Tactic: Credential Access",
+ "Data Source: Okta"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE 
ATT&CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": []
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 310
+ },
+ "id": "cdbebdc1-dc97-43c6-a538-f26a20c0a911_310",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0.json b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0.json
deleted file mode 100644
index b4e06d2f46e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0.json
+++ /dev/null
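Review bot: The investigation guide in `note` directs the analyst to "Check the `event.time` field to understand the timing of the event", but `event.time` is not among the rule's `required_fields` and does not look like an ECS timestamp field, so the step may send responders to a field the alert does not carry; the rule itself keys timing off `event.ingested` via `timestamp_override`, and the event's own time is normally read from `@timestamp`. I would replace `event.time` with `@timestamp` in that step unless the okta integration's field list confirms a distinct event-time field, which is worth re-verifying alongside the `related_integrations` bump to `^3.0.0`. Separately, `threat[0].technique` is an empty list under the Credential Access tactic, so the rule appears in ATT&CK coverage with a tactic but no technique; if an applicable technique exists it should be mapped here. Both points concern the packaged artifact, which appears to be generated, so the fix presumably belongs in the upstream rule source rather than in this JSON.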
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential PowerShell HackTool Script by Function Names", "note": "## Triage and analysis\n\n### Investigating Potential PowerShell HackTool Script by Function Names\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAdversaries often exploit PowerShell's capabilities to execute malicious scripts and perform various attacks. This rule identifies known offensive tooling function names in PowerShell scripts, as attackers commonly use out-of-the-box tools without modifying the code. By monitoring these specific function names, the rule aims to detect and alert potential malicious PowerShell activity.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the script's execution context, such as the user account, privileges, the role of the system on which it was executed, and any relevant timestamps.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate the origin of the PowerShell script, including its source, download method, and any associated URLs or IP addresses.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, 
pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This rule may generate false positives if legitimate scripts or tools used by administrators contain any of the listed function names. 
These function names are commonly associated with offensive tooling, but they may also be present in benign scripts or tools.\n- To handle these false positives consider adding exceptions - preferably with a combination of full file path and users.\n\n### Related Rules\n\n- PowerShell Invoke-NinjaCopy script - b8386923-b02c-4b94-986a-d223d9b01f88\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Add-DomainGroupMember\" or \"Add-DomainObjectAcl\" or\n \"Add-RemoteConnection\" or \"Add-ServiceDacl\" or\n \"Add-Win32Type\" or \"Convert-ADName\" or\n \"Convert-LDAPProperty\" or \"ConvertFrom-LDAPLogonHours\" or\n \"ConvertFrom-UACValue\" or \"Copy-ArrayOfMemAddresses\" or\n \"Create-NamedPipe\" or \"Create-ProcessWithToken\" or\n \"Create-RemoteThread\" or \"Create-SuspendedWinLogon\" or\n \"Create-WinLogonProcess\" or \"Emit-CallThreadStub\" or\n \"Enable-SeAssignPrimaryTokenPrivilege\" or \"Enable-SeDebugPrivilege\" or\n \"Enum-AllTokens\" or \"Export-PowerViewCSV\" or\n \"Find-AVSignature\" or \"Find-AppLockerLog\" or\n \"Find-DomainLocalGroupMember\" or \"Find-DomainObjectPropertyOutlier\" or\n \"Find-DomainProcess\" or \"Find-DomainShare\" or\n \"Find-DomainUserEvent\" or \"Find-DomainUserLocation\" or\n \"Find-InterestingDomainAcl\" or \"Find-InterestingDomainShareFile\" or\n \"Find-InterestingFile\" or \"Find-LocalAdminAccess\" or\n \"Find-PSScriptsInPSAppLog\" or \"Find-PathDLLHijack\" or\n \"Find-ProcessDLLHijack\" or \"Find-RDPClientConnection\" or\n \"Get-AllAttributesForClass\" or \"Get-CachedGPPPassword\" or\n \"Get-DecryptedCpassword\" or \"Get-DecryptedSitelistPassword\" or\n \"Get-DelegateType\" or \"New-RelayEnumObject\" or\n \"Get-DomainDFSShare\" or \"Get-DomainDFSShareV1\" or\n \"Get-DomainDFSShareV2\" or \"Get-DomainDNSRecord\" or\n \"Get-DomainDNSZone\" or \"Get-DomainFileServer\" or\n \"Get-DomainForeignGroupMember\" or \"Get-DomainForeignUser\" or\n 
\"Get-DomainGPO\" or \"Get-DomainGPOComputerLocalGroupMapping\" or\n \"Get-DomainGPOLocalGroup\" or \"Get-DomainGPOUserLocalGroupMapping\" or\n \"Get-DomainGUIDMap\" or \"Get-DomainGroup\" or\n \"Get-DomainGroupMember\" or \"Get-DomainGroupMemberDeleted\" or\n \"Get-DomainManagedSecurityGroup\" or \"Get-DomainOU\" or\n \"Get-DomainObject\" or \"Get-DomainObjectAcl\" or\n \"Get-DomainObjectAttributeHistory\" or \"Get-DomainObjectLinkedAttributeHistory\" or\n \"Get-DomainPolicyData\" or \"Get-DomainSID\" or\n \"Get-DomainSPNTicket\" or \"Get-DomainSearcher\" or\n \"Get-DomainSite\" or \"Get-DomainSubnet\" or\n \"Get-DomainTrust\" or \"Get-DomainTrustMapping\" or\n \"Get-DomainUser\" or \"Get-DomainUserEvent\" or\n \"Get-Forest\" or \"Get-ForestDomain\" or\n \"Get-ForestGlobalCatalog\" or \"Get-ForestSchemaClass\" or\n \"Get-ForestTrust\" or \"Get-GPODelegation\" or\n \"Get-GPPAutologon\" or \"Get-GPPInnerField\" or\n \"Get-GPPInnerFields\" or \"Get-GPPPassword\" or\n \"Get-GptTmpl\" or \"Get-GroupsXML\" or\n \"Get-HttpStatus\" or \"Get-ImageNtHeaders\" or\n \"Get-Keystrokes\" or \"New-SOASerialNumberArray\" or \n \"Get-MemoryProcAddress\" or \"Get-MicrophoneAudio\" or\n \"Get-ModifiablePath\" or \"Get-ModifiableRegistryAutoRun\" or\n \"Get-ModifiableScheduledTaskFile\" or \"Get-ModifiableService\" or\n \"Get-ModifiableServiceFile\" or \"Get-Name\" or\n \"Get-NetComputerSiteName\" or \"Get-NetLocalGroup\" or\n \"Get-NetLocalGroupMember\" or \"Get-NetLoggedon\" or\n \"Get-NetRDPSession\" or \"Get-NetSession\" or\n \"Get-NetShare\" or \"Get-PEArchitecture\" or\n \"Get-PEBasicInfo\" or \"Get-PEDetailedInfo\" or\n \"Get-PathAcl\" or \"Get-PrimaryToken\" or\n \"Get-ProcAddress\" or \"Get-ProcessTokenGroup\" or\n \"Get-ProcessTokenPrivilege\" or \"Get-ProcessTokenType\" or\n \"Get-RegLoggedOn\" or \"Get-RegistryAlwaysInstallElevated\" or\n \"Get-RegistryAutoLogon\" or \"Get-RemoteProcAddress\" or\n \"Get-Screenshot\" or \"Get-ServiceDetail\" or\n \"Get-SiteListPassword\" or 
\"Get-SitelistField\" or\n \"Get-System\" or \"Get-SystemNamedPipe\" or\n \"Get-SystemToken\" or \"Get-ThreadToken\" or\n \"Get-TimedScreenshot\" or \"Get-TokenInformation\" or\n \"Get-TopPort\" or \"Get-UnattendedInstallFile\" or\n \"Get-UniqueTokens\" or \"Get-UnquotedService\" or\n \"Get-VaultCredential\" or \"Get-VaultElementValue\" or\n \"Get-VirtualProtectValue\" or \"Get-VolumeShadowCopy\" or\n \"Get-WMIProcess\" or \"Get-WMIRegCachedRDPConnection\" or\n \"Get-WMIRegLastLoggedOn\" or \"Get-WMIRegMountedDrive\" or\n \"Get-WMIRegProxy\" or \"Get-WebConfig\" or\n \"Get-Win32Constants\" or \"Get-Win32Functions\" or\n \"Get-Win32Types\" or \"Import-DllImports\" or\n \"Import-DllInRemoteProcess\" or \"Inject-LocalShellcode\" or\n \"Inject-RemoteShellcode\" or \"Install-ServiceBinary\" or\n \"Invoke-CompareAttributesForClass\" or \"Invoke-CreateRemoteThread\" or\n \"Invoke-CredentialInjection\" or \"Invoke-DllInjection\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-ImpersonateUser\" or\n \"Invoke-Kerberoast\" or \"Invoke-MemoryFreeLibrary\" or\n \"Invoke-MemoryLoadLibrary\" or\n \"Invoke-Mimikatz\" or \"Invoke-NinjaCopy\" or\n \"Invoke-PatchDll\" or \"Invoke-Portscan\" or\n \"Invoke-PrivescAudit\" or \"Invoke-ReflectivePEInjection\" or\n \"Invoke-ReverseDnsLookup\" or \"Invoke-RevertToSelf\" or\n \"Invoke-ServiceAbuse\" or \"Invoke-Shellcode\" or\n \"Invoke-TokenManipulation\" or \"Invoke-UserImpersonation\" or\n \"Invoke-WmiCommand\" or \"Mount-VolumeShadowCopy\" or\n \"New-ADObjectAccessControlEntry\" or \"New-DomainGroup\" or\n \"New-DomainUser\" or \"New-DynamicParameter\" or\n \"New-InMemoryModule\" or\n \"New-ThreadedFunction\" or \"New-VolumeShadowCopy\" or\n \"Out-CompressedDll\" or \"Out-EncodedCommand\" or\n \"Out-EncryptedScript\" or \"Out-Minidump\" or\n \"PortScan-Alive\" or \"Portscan-Port\" or\n \"Remove-DomainGroupMember\" or \"Remove-DomainObjectAcl\" or\n \"Remove-RemoteConnection\" or \"Remove-VolumeShadowCopy\" or\n \"Restore-ServiceBinary\" or 
\"Set-DesktopACLToAllowEveryone\" or\n \"Set-DesktopACLs\" or \"Set-DomainObject\" or\n \"Set-DomainObjectOwner\" or \"Set-DomainUserPassword\" or\n \"Set-ServiceBinaryPath\" or \"Sub-SignedIntAsUnsigned\" or\n \"Test-AdminAccess\" or \"Test-MemoryRangeValid\" or\n \"Test-ServiceDaclPermission\" or \"Update-ExeFunctions\" or\n \"Update-MemoryAddresses\" or \"Update-MemoryProtectionFlags\" or\n \"Write-BytesToMemory\" or \"Write-HijackDll\" or\n \"Write-PortscanOut\" or \"Write-ServiceBinary\" or\n \"Write-UserAddMSI\" or \"Invoke-Privesc\" or\n \"func_get_proc_address\" or \"Invoke-BloodHound\" or\n \"Invoke-HostEnum\" or \"Get-BrowserInformation\" or\n \"Get-DomainAccountPolicy\" or \"Get-DomainAdmins\" or\n \"Get-AVProcesses\" or \"Get-AVInfo\" or\n \"Get-RecycleBin\" or \"Invoke-BruteForce\" or\n \"Get-PassHints\" or \"Invoke-SessionGopher\" or\n \"Get-LSASecret\" or \"Get-PassHashes\" or\n \"Invoke-WdigestDowngrade\" or \"Get-ChromeDump\" or\n \"Invoke-DomainPasswordSpray\" or \"Get-FoxDump\" or\n \"New-HoneyHash\" or \"Invoke-DCSync\" or\n \"Invoke-PowerDump\" or \"Invoke-SSIDExfil\" or\n \"Invoke-PowerShellTCP\" or \"Add-Exfiltration\" or\n \"Do-Exfiltration\" or \"Invoke-DropboxUpload\" or\n \"Invoke-ExfilDataToGitHub\" or \"Invoke-EgressCheck\" or\n \"Invoke-PostExfil\" or \"Create-MultipleSessions\" or\n \"Invoke-NetworkRelay\" or \"New-GPOImmediateTask\" or\n \"Invoke-WMIDebugger\" or \"Invoke-SQLOSCMD\" or\n \"Invoke-SMBExec\" or \"Invoke-PSRemoting\" or\n \"Invoke-ExecuteMSBuild\" or \"Invoke-DCOM\" or\n \"Invoke-InveighRelay\" or \"Invoke-PsExec\" or\n \"Invoke-SSHCommand\" or \"Find-ActiveUsersWMI\" or\n \"Get-SystemDrivesWMI\" or \"Get-ActiveNICSWMI\" or\n \"Remove-Persistence\" or \"DNS_TXT_Pwnage\" or\n \"Execute-OnTime\" or \"HTTP-Backdoor\" or\n \"Add-ConstrainedDelegationBackdoor\" or \"Add-RegBackdoor\" or\n \"Add-ScrnSaveBackdoor\" or \"Gupt-Backdoor\" or\n \"Invoke-ADSBackdoor\" or \"Add-Persistence\" or\n \"Invoke-ResolverBackdoor\" or 
\"Invoke-EventLogBackdoor\" or\n \"Invoke-DeadUserBackdoor\" or \"Invoke-DisableMachineAcctChange\" or\n \"Invoke-AccessBinary\" or \"Add-NetUser\" or\n \"Invoke-Schtasks\" or \"Invoke-JSRatRegsvr\" or\n \"Invoke-JSRatRundll\" or \"Invoke-PoshRatHttps\" or\n \"Invoke-PsGcatAgent\" or \"Remove-PoshRat\" or\n \"Install-SSP\" or \"Invoke-BackdoorLNK\" or\n \"PowerBreach\" or \"InstallEXE-Persistence\" or\n \"RemoveEXE-Persistence\" or \"Install-ServiceLevel-Persistence\" or\n \"Remove-ServiceLevel-Persistence\" or \"Invoke-Prompt\" or\n \"Invoke-PacketCapture\" or \"Start-WebcamRecorder\" or\n \"Get-USBKeyStrokes\" or \"Invoke-KeeThief\" or\n \"Get-Keystrokes\" or \"Invoke-NetRipper\" or\n \"Get-EmailItems\" or \"Invoke-MailSearch\" or\n \"Invoke-SearchGAL\" or \"Get-WebCredentials\" or\n \"Start-CaptureServer\" or \"Invoke-PowerShellIcmp\" or\n \"Invoke-PowerShellTcpOneLine\" or \"Invoke-PowerShellTcpOneLineBind\" or\n \"Invoke-PowerShellUdp\" or \"Invoke-PowerShellUdpOneLine\" or\n \"Run-EXEonRemote\" or \"Download-Execute-PS\" or\n \"Out-RundllCommand\" or \"Set-RemoteWMI\" or\n \"Set-DCShadowPermissions\" or \"Invoke-PowerShellWMI\" or\n \"Invoke-Vnc\" or \"Invoke-LockWorkStation\" or\n \"Invoke-EternalBlue\" or \"Invoke-ShellcodeMSIL\" or\n \"Invoke-MetasploitPayload\" or \"Invoke-DowngradeAccount\" or\n \"Invoke-RunAs\" or \"ExetoText\" or\n \"Disable-SecuritySettings\" or \"Set-MacAttribute\" or\n \"Invoke-MS16032\" or \"Invoke-BypassUACTokenManipulation\" or\n \"Invoke-SDCLTBypass\" or \"Invoke-FodHelperBypass\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-EnvBypass\" or\n \"Get-ServiceUnquoted\" or \"Get-ServiceFilePermission\" or\n \"Get-ServicePermission\" or\n \"Enable-DuplicateToken\" or \"Invoke-PsUaCme\" or\n \"Invoke-Tater\" or \"Invoke-WScriptBypassUAC\" or\n \"Invoke-AllChecks\" or \"Find-TrustedDocuments\" or\n \"Invoke-Interceptor\" or \"Invoke-PoshRatHttp\" or\n \"Invoke-ExecCommandWMI\" or \"Invoke-KillProcessWMI\" or\n 
\"Invoke-CreateShareandExecute\" or \"Invoke-RemoteScriptWithOutput\" or\n \"Invoke-SchedJobManipulation\" or \"Invoke-ServiceManipulation\" or\n \"Invoke-PowerOptionsWMI\" or \"Invoke-DirectoryListing\" or\n \"Invoke-FileTransferOverWMI\" or \"Invoke-WMImplant\" or\n \"Invoke-WMIObfuscatedPSCommand\" or \"Invoke-WMIDuplicateClass\" or\n \"Invoke-WMIUpload\" or \"Invoke-WMIRemoteExtract\" or \"Invoke-winPEAS\"\n ) and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\"\n ) and\n not user.id : (\"S-1-5-18\" or \"S-1-5-19\")\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", "https://github.com/BC-SECURITY/Empire"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "cde1bafa-9f01-4f43-a872-605b678968b0", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": 
"T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 111}, "id": "cde1bafa-9f01-4f43-a872-605b678968b0", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_10.json b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_10.json
deleted file mode 100644
index f176e4ed7fe..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_10.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential PowerShell HackTool Script by Function Names", "note": "## Triage and analysis\n\n### Investigating Potential PowerShell HackTool Script by Function Names\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAdversaries often exploit PowerShell's capabilities to execute malicious scripts and perform various attacks. This rule identifies known offensive tooling function names in PowerShell scripts, as attackers commonly use out-of-the-box tools without modifying the code. By monitoring these specific function names, the rule aims to detect and alert potential malicious PowerShell activity.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the script's execution context, such as the user account, privileges, the role of the system on which it was executed, and any relevant timestamps.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate the origin of the PowerShell script, including its source, download method, and any associated URLs or IP addresses.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - 
!{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This rule may generate false positives if legitimate scripts or tools used by administrators contain any of the listed function names. These function names are commonly associated with offensive tooling, but they may also be present in benign scripts or tools.\n- To handle these false positives consider adding exceptions - preferably with a combination of full file path and users.\n\n### Related Rules\n\n- PowerShell Invoke-NinjaCopy script - b8386923-b02c-4b94-986a-d223d9b01f88\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, 
search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Add-DomainGroupMember\" or \"Add-DomainObjectAcl\" or\n \"Add-RemoteConnection\" or \"Add-ServiceDacl\" or\n \"Add-Win32Type\" or \"Convert-ADName\" or\n \"Convert-LDAPProperty\" or \"ConvertFrom-LDAPLogonHours\" or\n \"ConvertFrom-UACValue\" or \"Copy-ArrayOfMemAddresses\" or\n \"Create-NamedPipe\" or \"Create-ProcessWithToken\" or\n \"Create-RemoteThread\" or \"Create-SuspendedWinLogon\" or\n \"Create-WinLogonProcess\" or \"Emit-CallThreadStub\" or\n \"Enable-SeAssignPrimaryTokenPrivilege\" or 
\"Enable-SeDebugPrivilege\" or\n \"Enum-AllTokens\" or \"Export-PowerViewCSV\" or\n \"Find-AVSignature\" or \"Find-AppLockerLog\" or\n \"Find-DomainLocalGroupMember\" or \"Find-DomainObjectPropertyOutlier\" or\n \"Find-DomainProcess\" or \"Find-DomainShare\" or\n \"Find-DomainUserEvent\" or \"Find-DomainUserLocation\" or\n \"Find-InterestingDomainAcl\" or \"Find-InterestingDomainShareFile\" or\n \"Find-InterestingFile\" or \"Find-LocalAdminAccess\" or\n \"Find-PSScriptsInPSAppLog\" or \"Find-PathDLLHijack\" or\n \"Find-ProcessDLLHijack\" or \"Find-RDPClientConnection\" or\n \"Get-AllAttributesForClass\" or \"Get-CachedGPPPassword\" or\n \"Get-DecryptedCpassword\" or \"Get-DecryptedSitelistPassword\" or\n \"Get-DelegateType\" or\n \"Get-DomainDFSShare\" or \"Get-DomainDFSShareV1\" or\n \"Get-DomainDFSShareV2\" or \"Get-DomainDNSRecord\" or\n \"Get-DomainDNSZone\" or \"Get-DomainFileServer\" or\n \"Get-DomainForeignGroupMember\" or \"Get-DomainForeignUser\" or\n \"Get-DomainGPO\" or \"Get-DomainGPOComputerLocalGroupMapping\" or\n \"Get-DomainGPOLocalGroup\" or \"Get-DomainGPOUserLocalGroupMapping\" or\n \"Get-DomainGUIDMap\" or \"Get-DomainGroup\" or\n \"Get-DomainGroupMember\" or \"Get-DomainGroupMemberDeleted\" or\n \"Get-DomainManagedSecurityGroup\" or \"Get-DomainOU\" or\n \"Get-DomainObject\" or \"Get-DomainObjectAcl\" or\n \"Get-DomainObjectAttributeHistory\" or \"Get-DomainObjectLinkedAttributeHistory\" or\n \"Get-DomainPolicyData\" or \"Get-DomainSID\" or\n \"Get-DomainSPNTicket\" or \"Get-DomainSearcher\" or\n \"Get-DomainSite\" or \"Get-DomainSubnet\" or\n \"Get-DomainTrust\" or \"Get-DomainTrustMapping\" or\n \"Get-DomainUser\" or \"Get-DomainUserEvent\" or\n \"Get-Forest\" or \"Get-ForestDomain\" or\n \"Get-ForestGlobalCatalog\" or \"Get-ForestSchemaClass\" or\n \"Get-ForestTrust\" or \"Get-GPODelegation\" or\n \"Get-GPPAutologon\" or \"Get-GPPInnerField\" or\n \"Get-GPPInnerFields\" or \"Get-GPPPassword\" or\n \"Get-GptTmpl\" or \"Get-GroupsXML\" or\n 
\"Get-HttpStatus\" or \"Get-ImageNtHeaders\" or\n \"Get-Keystrokes\" or\n \"Get-MemoryProcAddress\" or \"Get-MicrophoneAudio\" or\n \"Get-ModifiablePath\" or \"Get-ModifiableRegistryAutoRun\" or\n \"Get-ModifiableScheduledTaskFile\" or \"Get-ModifiableService\" or\n \"Get-ModifiableServiceFile\" or \"Get-Name\" or\n \"Get-NetComputerSiteName\" or \"Get-NetLocalGroup\" or\n \"Get-NetLocalGroupMember\" or \"Get-NetLoggedon\" or\n \"Get-NetRDPSession\" or \"Get-NetSession\" or\n \"Get-NetShare\" or \"Get-PEArchitecture\" or\n \"Get-PEBasicInfo\" or \"Get-PEDetailedInfo\" or\n \"Get-PathAcl\" or \"Get-PrimaryToken\" or\n \"Get-ProcAddress\" or \"Get-ProcessTokenGroup\" or\n \"Get-ProcessTokenPrivilege\" or \"Get-ProcessTokenType\" or\n \"Get-RegLoggedOn\" or \"Get-RegistryAlwaysInstallElevated\" or\n \"Get-RegistryAutoLogon\" or \"Get-RemoteProcAddress\" or\n \"Get-Screenshot\" or \"Get-ServiceDetail\" or\n \"Get-SiteListPassword\" or \"Get-SitelistField\" or\n \"Get-System\" or \"Get-SystemNamedPipe\" or\n \"Get-SystemToken\" or \"Get-ThreadToken\" or\n \"Get-TimedScreenshot\" or \"Get-TokenInformation\" or\n \"Get-TopPort\" or \"Get-UnattendedInstallFile\" or\n \"Get-UniqueTokens\" or \"Get-UnquotedService\" or\n \"Get-VaultCredential\" or \"Get-VaultElementValue\" or\n \"Get-VirtualProtectValue\" or \"Get-VolumeShadowCopy\" or\n \"Get-WMIProcess\" or \"Get-WMIRegCachedRDPConnection\" or\n \"Get-WMIRegLastLoggedOn\" or \"Get-WMIRegMountedDrive\" or\n \"Get-WMIRegProxy\" or \"Get-WebConfig\" or\n \"Get-Win32Constants\" or \"Get-Win32Functions\" or\n \"Get-Win32Types\" or \"Import-DllImports\" or\n \"Import-DllInRemoteProcess\" or \"Inject-LocalShellcode\" or\n \"Inject-RemoteShellcode\" or \"Install-ServiceBinary\" or\n \"Invoke-CompareAttributesForClass\" or \"Invoke-CreateRemoteThread\" or\n \"Invoke-CredentialInjection\" or \"Invoke-DllInjection\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-ImpersonateUser\" or\n \"Invoke-Kerberoast\" or \"Invoke-MemoryFreeLibrary\" 
or\n \"Invoke-MemoryLoadLibrary\" or\n \"Invoke-Mimikatz\" or \"Invoke-NinjaCopy\" or\n \"Invoke-PatchDll\" or \"Invoke-Portscan\" or\n \"Invoke-PrivescAudit\" or \"Invoke-ReflectivePEInjection\" or\n \"Invoke-ReverseDnsLookup\" or \"Invoke-RevertToSelf\" or\n \"Invoke-ServiceAbuse\" or \"Invoke-Shellcode\" or\n \"Invoke-TokenManipulation\" or \"Invoke-UserImpersonation\" or\n \"Invoke-WmiCommand\" or \"Mount-VolumeShadowCopy\" or\n \"New-ADObjectAccessControlEntry\" or \"New-DomainGroup\" or\n \"New-DomainUser\" or \"New-DynamicParameter\" or\n \"New-InMemoryModule\" or\n \"New-ThreadedFunction\" or \"New-VolumeShadowCopy\" or\n \"Out-CompressedDll\" or \"Out-EncodedCommand\" or\n \"Out-EncryptedScript\" or \"Out-Minidump\" or\n \"PortScan-Alive\" or \"Portscan-Port\" or\n \"Remove-DomainGroupMember\" or \"Remove-DomainObjectAcl\" or\n \"Remove-RemoteConnection\" or \"Remove-VolumeShadowCopy\" or\n \"Restore-ServiceBinary\" or \"Set-DesktopACLToAllowEveryone\" or\n \"Set-DesktopACLs\" or \"Set-DomainObject\" or\n \"Set-DomainObjectOwner\" or \"Set-DomainUserPassword\" or\n \"Set-ServiceBinaryPath\" or \"Sub-SignedIntAsUnsigned\" or\n \"Test-AdminAccess\" or \"Test-MemoryRangeValid\" or\n \"Test-ServiceDaclPermission\" or \"Update-ExeFunctions\" or\n \"Update-MemoryAddresses\" or \"Update-MemoryProtectionFlags\" or\n \"Write-BytesToMemory\" or \"Write-HijackDll\" or\n \"Write-PortscanOut\" or \"Write-ServiceBinary\" or\n \"Write-UserAddMSI\" or \"Invoke-Privesc\" or\n \"func_get_proc_address\" or \"Invoke-BloodHound\" or\n \"Invoke-HostEnum\" or \"Get-BrowserInformation\" or\n \"Get-DomainAccountPolicy\" or \"Get-DomainAdmins\" or\n \"Get-AVProcesses\" or \"Get-AVInfo\" or\n \"Get-RecycleBin\" or \"Invoke-BruteForce\" or\n \"Get-PassHints\" or \"Invoke-SessionGopher\" or\n \"Get-LSASecret\" or \"Get-PassHashes\" or\n \"Invoke-WdigestDowngrade\" or \"Get-ChromeDump\" or\n \"Invoke-DomainPasswordSpray\" or \"Get-FoxDump\" or\n \"New-HoneyHash\" or \"Invoke-DCSync\" 
or\n \"Invoke-PowerDump\" or \"Invoke-SSIDExfil\" or\n \"Invoke-PowerShellTCP\" or \"Add-Exfiltration\" or\n \"Do-Exfiltration\" or \"Invoke-DropboxUpload\" or\n \"Invoke-ExfilDataToGitHub\" or \"Invoke-EgressCheck\" or\n \"Invoke-PostExfil\" or \"Create-MultipleSessions\" or\n \"Invoke-NetworkRelay\" or \"New-GPOImmediateTask\" or\n \"Invoke-WMIDebugger\" or \"Invoke-SQLOSCMD\" or\n \"Invoke-SMBExec\" or \"Invoke-PSRemoting\" or\n \"Invoke-ExecuteMSBuild\" or \"Invoke-DCOM\" or\n \"Invoke-InveighRelay\" or \"Invoke-PsExec\" or\n \"Invoke-SSHCommand\" or \"Find-ActiveUsersWMI\" or\n \"Get-SystemDrivesWMI\" or \"Get-ActiveNICSWMI\" or\n \"Remove-Persistence\" or \"DNS_TXT_Pwnage\" or\n \"Execute-OnTime\" or \"HTTP-Backdoor\" or\n \"Add-ConstrainedDelegationBackdoor\" or \"Add-RegBackdoor\" or\n \"Add-ScrnSaveBackdoor\" or \"Gupt-Backdoor\" or\n \"Invoke-ADSBackdoor\" or \"Add-Persistence\" or\n \"Invoke-ResolverBackdoor\" or \"Invoke-EventLogBackdoor\" or\n \"Invoke-DeadUserBackdoor\" or \"Invoke-DisableMachineAcctChange\" or\n \"Invoke-AccessBinary\" or \"Add-NetUser\" or\n \"Invoke-Schtasks\" or \"Invoke-JSRatRegsvr\" or\n \"Invoke-JSRatRundll\" or \"Invoke-PoshRatHttps\" or\n \"Invoke-PsGcatAgent\" or \"Remove-PoshRat\" or\n \"Install-SSP\" or \"Invoke-BackdoorLNK\" or\n \"PowerBreach\" or \"InstallEXE-Persistence\" or\n \"RemoveEXE-Persistence\" or \"Install-ServiceLevel-Persistence\" or\n \"Remove-ServiceLevel-Persistence\" or \"Invoke-Prompt\" or\n \"Invoke-PacketCapture\" or \"Start-WebcamRecorder\" or\n \"Get-USBKeyStrokes\" or \"Invoke-KeeThief\" or\n \"Get-Keystrokes\" or \"Invoke-NetRipper\" or\n \"Get-EmailItems\" or \"Invoke-MailSearch\" or\n \"Invoke-SearchGAL\" or \"Get-WebCredentials\" or\n \"Start-CaptureServer\" or \"Invoke-PowerShellIcmp\" or\n \"Invoke-PowerShellTcpOneLine\" or \"Invoke-PowerShellTcpOneLineBind\" or\n \"Invoke-PowerShellUdp\" or \"Invoke-PowerShellUdpOneLine\" or\n \"Run-EXEonRemote\" or \"Download-Execute-PS\" or\n 
\"Out-RundllCommand\" or \"Set-RemoteWMI\" or\n \"Set-DCShadowPermissions\" or \"Invoke-PowerShellWMI\" or\n \"Invoke-Vnc\" or \"Invoke-LockWorkStation\" or\n \"Invoke-EternalBlue\" or \"Invoke-ShellcodeMSIL\" or\n \"Invoke-MetasploitPayload\" or \"Invoke-DowngradeAccount\" or\n \"Invoke-RunAs\" or \"ExetoText\" or\n \"Disable-SecuritySettings\" or \"Set-MacAttribute\" or\n \"Invoke-MS16032\" or \"Invoke-BypassUACTokenManipulation\" or\n \"Invoke-SDCLTBypass\" or \"Invoke-FodHelperBypass\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-EnvBypass\" or\n \"Get-ServiceUnquoted\" or \"Get-ServiceFilePermission\" or\n \"Get-ServicePermission\" or\n \"Enable-DuplicateToken\" or \"Invoke-PsUaCme\" or\n \"Invoke-Tater\" or \"Invoke-WScriptBypassUAC\" or\n \"Invoke-AllChecks\" or \"Find-TrustedDocuments\" or\n \"Invoke-Interceptor\" or \"Invoke-PoshRatHttp\" or\n \"Invoke-ExecCommandWMI\" or \"Invoke-KillProcessWMI\" or\n \"Invoke-CreateShareandExecute\" or \"Invoke-RemoteScriptWithOutput\" or\n \"Invoke-SchedJobManipulation\" or \"Invoke-ServiceManipulation\" or\n \"Invoke-PowerOptionsWMI\" or \"Invoke-DirectoryListing\" or\n \"Invoke-FileTransferOverWMI\" or \"Invoke-WMImplant\" or\n \"Invoke-WMIObfuscatedPSCommand\" or \"Invoke-WMIDuplicateClass\" or\n \"Invoke-WMIUpload\" or \"Invoke-WMIRemoteExtract\" or \"Invoke-winPEAS\"\n ) and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\"\n ) and\n not file.path : (\n ?\\:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows?Defender?Advanced?Threat?Protection\\\\\\\\DataCollection\\\\\\\\*\n ) and\n not user.id : (\"S-1-5-18\" or \"S-1-5-19\")\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", "https://github.com/BC-SECURITY/Empire"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, 
"name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "cde1bafa-9f01-4f43-a872-605b678968b0", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 10}, "id": "cde1bafa-9f01-4f43-a872-605b678968b0_10", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_111.json b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_111.json
deleted file mode 100644
index 21666301ad5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential PowerShell HackTool Script by Function Names", "note": "## Triage and analysis\n\n### Investigating Potential PowerShell HackTool Script by Function Names\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAdversaries often exploit PowerShell's capabilities to execute malicious scripts and perform various attacks. This rule identifies known offensive tooling function names in PowerShell scripts, as attackers commonly use out-of-the-box tools without modifying the code. By monitoring these specific function names, the rule aims to detect and alert potential malicious PowerShell activity.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the script's execution context, such as the user account, privileges, the role of the system on which it was executed, and any relevant timestamps.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate the origin of the PowerShell script, including its source, download method, and any associated URLs or IP addresses.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, 
pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This rule may generate false positives if legitimate scripts or tools used by administrators contain any of the listed function names. 
These function names are commonly associated with offensive tooling, but they may also be present in benign scripts or tools.\n- To handle these false positives consider adding exceptions - preferably with a combination of full file path and users.\n\n### Related Rules\n\n- PowerShell Invoke-NinjaCopy script - b8386923-b02c-4b94-986a-d223d9b01f88\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Add-DomainGroupMember\" or \"Add-DomainObjectAcl\" or\n \"Add-RemoteConnection\" or \"Add-ServiceDacl\" or\n \"Add-Win32Type\" or \"Convert-ADName\" or\n \"Convert-LDAPProperty\" or \"ConvertFrom-LDAPLogonHours\" or\n \"ConvertFrom-UACValue\" or \"Copy-ArrayOfMemAddresses\" or\n \"Create-NamedPipe\" or \"Create-ProcessWithToken\" or\n \"Create-RemoteThread\" or \"Create-SuspendedWinLogon\" or\n \"Create-WinLogonProcess\" or \"Emit-CallThreadStub\" or\n \"Enable-SeAssignPrimaryTokenPrivilege\" or \"Enable-SeDebugPrivilege\" or\n \"Enum-AllTokens\" or \"Export-PowerViewCSV\" or\n \"Find-AVSignature\" or \"Find-AppLockerLog\" or\n \"Find-DomainLocalGroupMember\" or \"Find-DomainObjectPropertyOutlier\" or\n \"Find-DomainProcess\" or \"Find-DomainShare\" or\n \"Find-DomainUserEvent\" or \"Find-DomainUserLocation\" or\n \"Find-InterestingDomainAcl\" or \"Find-InterestingDomainShareFile\" or\n \"Find-InterestingFile\" or \"Find-LocalAdminAccess\" or\n \"Find-PSScriptsInPSAppLog\" or \"Find-PathDLLHijack\" or\n \"Find-ProcessDLLHijack\" or \"Find-RDPClientConnection\" or\n \"Get-AllAttributesForClass\" or \"Get-CachedGPPPassword\" or\n \"Get-DecryptedCpassword\" or \"Get-DecryptedSitelistPassword\" or\n \"Get-DelegateType\" or \"New-RelayEnumObject\" or\n \"Get-DomainDFSShare\" or \"Get-DomainDFSShareV1\" or\n \"Get-DomainDFSShareV2\" or \"Get-DomainDNSRecord\" or\n \"Get-DomainDNSZone\" or \"Get-DomainFileServer\" or\n \"Get-DomainForeignGroupMember\" or \"Get-DomainForeignUser\" or\n 
\"Get-DomainGPO\" or \"Get-DomainGPOComputerLocalGroupMapping\" or\n \"Get-DomainGPOLocalGroup\" or \"Get-DomainGPOUserLocalGroupMapping\" or\n \"Get-DomainGUIDMap\" or \"Get-DomainGroup\" or\n \"Get-DomainGroupMember\" or \"Get-DomainGroupMemberDeleted\" or\n \"Get-DomainManagedSecurityGroup\" or \"Get-DomainOU\" or\n \"Get-DomainObject\" or \"Get-DomainObjectAcl\" or\n \"Get-DomainObjectAttributeHistory\" or \"Get-DomainObjectLinkedAttributeHistory\" or\n \"Get-DomainPolicyData\" or \"Get-DomainSID\" or\n \"Get-DomainSPNTicket\" or \"Get-DomainSearcher\" or\n \"Get-DomainSite\" or \"Get-DomainSubnet\" or\n \"Get-DomainTrust\" or \"Get-DomainTrustMapping\" or\n \"Get-DomainUser\" or \"Get-DomainUserEvent\" or\n \"Get-Forest\" or \"Get-ForestDomain\" or\n \"Get-ForestGlobalCatalog\" or \"Get-ForestSchemaClass\" or\n \"Get-ForestTrust\" or \"Get-GPODelegation\" or\n \"Get-GPPAutologon\" or \"Get-GPPInnerField\" or\n \"Get-GPPInnerFields\" or \"Get-GPPPassword\" or\n \"Get-GptTmpl\" or \"Get-GroupsXML\" or\n \"Get-HttpStatus\" or \"Get-ImageNtHeaders\" or\n \"Get-Keystrokes\" or \"New-SOASerialNumberArray\" or \n \"Get-MemoryProcAddress\" or \"Get-MicrophoneAudio\" or\n \"Get-ModifiablePath\" or \"Get-ModifiableRegistryAutoRun\" or\n \"Get-ModifiableScheduledTaskFile\" or \"Get-ModifiableService\" or\n \"Get-ModifiableServiceFile\" or \"Get-Name\" or\n \"Get-NetComputerSiteName\" or \"Get-NetLocalGroup\" or\n \"Get-NetLocalGroupMember\" or \"Get-NetLoggedon\" or\n \"Get-NetRDPSession\" or \"Get-NetSession\" or\n \"Get-NetShare\" or \"Get-PEArchitecture\" or\n \"Get-PEBasicInfo\" or \"Get-PEDetailedInfo\" or\n \"Get-PathAcl\" or \"Get-PrimaryToken\" or\n \"Get-ProcAddress\" or \"Get-ProcessTokenGroup\" or\n \"Get-ProcessTokenPrivilege\" or \"Get-ProcessTokenType\" or\n \"Get-RegLoggedOn\" or \"Get-RegistryAlwaysInstallElevated\" or\n \"Get-RegistryAutoLogon\" or \"Get-RemoteProcAddress\" or\n \"Get-Screenshot\" or \"Get-ServiceDetail\" or\n \"Get-SiteListPassword\" or 
\"Get-SitelistField\" or\n \"Get-System\" or \"Get-SystemNamedPipe\" or\n \"Get-SystemToken\" or \"Get-ThreadToken\" or\n \"Get-TimedScreenshot\" or \"Get-TokenInformation\" or\n \"Get-TopPort\" or \"Get-UnattendedInstallFile\" or\n \"Get-UniqueTokens\" or \"Get-UnquotedService\" or\n \"Get-VaultCredential\" or \"Get-VaultElementValue\" or\n \"Get-VirtualProtectValue\" or \"Get-VolumeShadowCopy\" or\n \"Get-WMIProcess\" or \"Get-WMIRegCachedRDPConnection\" or\n \"Get-WMIRegLastLoggedOn\" or \"Get-WMIRegMountedDrive\" or\n \"Get-WMIRegProxy\" or \"Get-WebConfig\" or\n \"Get-Win32Constants\" or \"Get-Win32Functions\" or\n \"Get-Win32Types\" or \"Import-DllImports\" or\n \"Import-DllInRemoteProcess\" or \"Inject-LocalShellcode\" or\n \"Inject-RemoteShellcode\" or \"Install-ServiceBinary\" or\n \"Invoke-CompareAttributesForClass\" or \"Invoke-CreateRemoteThread\" or\n \"Invoke-CredentialInjection\" or \"Invoke-DllInjection\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-ImpersonateUser\" or\n \"Invoke-Kerberoast\" or \"Invoke-MemoryFreeLibrary\" or\n \"Invoke-MemoryLoadLibrary\" or\n \"Invoke-Mimikatz\" or \"Invoke-NinjaCopy\" or\n \"Invoke-PatchDll\" or \"Invoke-Portscan\" or\n \"Invoke-PrivescAudit\" or \"Invoke-ReflectivePEInjection\" or\n \"Invoke-ReverseDnsLookup\" or \"Invoke-RevertToSelf\" or\n \"Invoke-ServiceAbuse\" or \"Invoke-Shellcode\" or\n \"Invoke-TokenManipulation\" or \"Invoke-UserImpersonation\" or\n \"Invoke-WmiCommand\" or \"Mount-VolumeShadowCopy\" or\n \"New-ADObjectAccessControlEntry\" or \"New-DomainGroup\" or\n \"New-DomainUser\" or \"New-DynamicParameter\" or\n \"New-InMemoryModule\" or\n \"New-ThreadedFunction\" or \"New-VolumeShadowCopy\" or\n \"Out-CompressedDll\" or \"Out-EncodedCommand\" or\n \"Out-EncryptedScript\" or \"Out-Minidump\" or\n \"PortScan-Alive\" or \"Portscan-Port\" or\n \"Remove-DomainGroupMember\" or \"Remove-DomainObjectAcl\" or\n \"Remove-RemoteConnection\" or \"Remove-VolumeShadowCopy\" or\n \"Restore-ServiceBinary\" or 
\"Set-DesktopACLToAllowEveryone\" or\n \"Set-DesktopACLs\" or \"Set-DomainObject\" or\n \"Set-DomainObjectOwner\" or \"Set-DomainUserPassword\" or\n \"Set-ServiceBinaryPath\" or \"Sub-SignedIntAsUnsigned\" or\n \"Test-AdminAccess\" or \"Test-MemoryRangeValid\" or\n \"Test-ServiceDaclPermission\" or \"Update-ExeFunctions\" or\n \"Update-MemoryAddresses\" or \"Update-MemoryProtectionFlags\" or\n \"Write-BytesToMemory\" or \"Write-HijackDll\" or\n \"Write-PortscanOut\" or \"Write-ServiceBinary\" or\n \"Write-UserAddMSI\" or \"Invoke-Privesc\" or\n \"func_get_proc_address\" or \"Invoke-BloodHound\" or\n \"Invoke-HostEnum\" or \"Get-BrowserInformation\" or\n \"Get-DomainAccountPolicy\" or \"Get-DomainAdmins\" or\n \"Get-AVProcesses\" or \"Get-AVInfo\" or\n \"Get-RecycleBin\" or \"Invoke-BruteForce\" or\n \"Get-PassHints\" or \"Invoke-SessionGopher\" or\n \"Get-LSASecret\" or \"Get-PassHashes\" or\n \"Invoke-WdigestDowngrade\" or \"Get-ChromeDump\" or\n \"Invoke-DomainPasswordSpray\" or \"Get-FoxDump\" or\n \"New-HoneyHash\" or \"Invoke-DCSync\" or\n \"Invoke-PowerDump\" or \"Invoke-SSIDExfil\" or\n \"Invoke-PowerShellTCP\" or \"Add-Exfiltration\" or\n \"Do-Exfiltration\" or \"Invoke-DropboxUpload\" or\n \"Invoke-ExfilDataToGitHub\" or \"Invoke-EgressCheck\" or\n \"Invoke-PostExfil\" or \"Create-MultipleSessions\" or\n \"Invoke-NetworkRelay\" or \"New-GPOImmediateTask\" or\n \"Invoke-WMIDebugger\" or \"Invoke-SQLOSCMD\" or\n \"Invoke-SMBExec\" or \"Invoke-PSRemoting\" or\n \"Invoke-ExecuteMSBuild\" or \"Invoke-DCOM\" or\n \"Invoke-InveighRelay\" or \"Invoke-PsExec\" or\n \"Invoke-SSHCommand\" or \"Find-ActiveUsersWMI\" or\n \"Get-SystemDrivesWMI\" or \"Get-ActiveNICSWMI\" or\n \"Remove-Persistence\" or \"DNS_TXT_Pwnage\" or\n \"Execute-OnTime\" or \"HTTP-Backdoor\" or\n \"Add-ConstrainedDelegationBackdoor\" or \"Add-RegBackdoor\" or\n \"Add-ScrnSaveBackdoor\" or \"Gupt-Backdoor\" or\n \"Invoke-ADSBackdoor\" or \"Add-Persistence\" or\n \"Invoke-ResolverBackdoor\" or 
\"Invoke-EventLogBackdoor\" or\n \"Invoke-DeadUserBackdoor\" or \"Invoke-DisableMachineAcctChange\" or\n \"Invoke-AccessBinary\" or \"Add-NetUser\" or\n \"Invoke-Schtasks\" or \"Invoke-JSRatRegsvr\" or\n \"Invoke-JSRatRundll\" or \"Invoke-PoshRatHttps\" or\n \"Invoke-PsGcatAgent\" or \"Remove-PoshRat\" or\n \"Install-SSP\" or \"Invoke-BackdoorLNK\" or\n \"PowerBreach\" or \"InstallEXE-Persistence\" or\n \"RemoveEXE-Persistence\" or \"Install-ServiceLevel-Persistence\" or\n \"Remove-ServiceLevel-Persistence\" or \"Invoke-Prompt\" or\n \"Invoke-PacketCapture\" or \"Start-WebcamRecorder\" or\n \"Get-USBKeyStrokes\" or \"Invoke-KeeThief\" or\n \"Get-Keystrokes\" or \"Invoke-NetRipper\" or\n \"Get-EmailItems\" or \"Invoke-MailSearch\" or\n \"Invoke-SearchGAL\" or \"Get-WebCredentials\" or\n \"Start-CaptureServer\" or \"Invoke-PowerShellIcmp\" or\n \"Invoke-PowerShellTcpOneLine\" or \"Invoke-PowerShellTcpOneLineBind\" or\n \"Invoke-PowerShellUdp\" or \"Invoke-PowerShellUdpOneLine\" or\n \"Run-EXEonRemote\" or \"Download-Execute-PS\" or\n \"Out-RundllCommand\" or \"Set-RemoteWMI\" or\n \"Set-DCShadowPermissions\" or \"Invoke-PowerShellWMI\" or\n \"Invoke-Vnc\" or \"Invoke-LockWorkStation\" or\n \"Invoke-EternalBlue\" or \"Invoke-ShellcodeMSIL\" or\n \"Invoke-MetasploitPayload\" or \"Invoke-DowngradeAccount\" or\n \"Invoke-RunAs\" or \"ExetoText\" or\n \"Disable-SecuritySettings\" or \"Set-MacAttribute\" or\n \"Invoke-MS16032\" or \"Invoke-BypassUACTokenManipulation\" or\n \"Invoke-SDCLTBypass\" or \"Invoke-FodHelperBypass\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-EnvBypass\" or\n \"Get-ServiceUnquoted\" or \"Get-ServiceFilePermission\" or\n \"Get-ServicePermission\" or\n \"Enable-DuplicateToken\" or \"Invoke-PsUaCme\" or\n \"Invoke-Tater\" or \"Invoke-WScriptBypassUAC\" or\n \"Invoke-AllChecks\" or \"Find-TrustedDocuments\" or\n \"Invoke-Interceptor\" or \"Invoke-PoshRatHttp\" or\n \"Invoke-ExecCommandWMI\" or \"Invoke-KillProcessWMI\" or\n 
\"Invoke-CreateShareandExecute\" or \"Invoke-RemoteScriptWithOutput\" or\n \"Invoke-SchedJobManipulation\" or \"Invoke-ServiceManipulation\" or\n \"Invoke-PowerOptionsWMI\" or \"Invoke-DirectoryListing\" or\n \"Invoke-FileTransferOverWMI\" or \"Invoke-WMImplant\" or\n \"Invoke-WMIObfuscatedPSCommand\" or \"Invoke-WMIDuplicateClass\" or\n \"Invoke-WMIUpload\" or \"Invoke-WMIRemoteExtract\" or \"Invoke-winPEAS\"\n ) and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\"\n ) and\n not user.id : (\"S-1-5-18\" or \"S-1-5-19\")\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", "https://github.com/BC-SECURITY/Empire"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "cde1bafa-9f01-4f43-a872-605b678968b0", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": 
"T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 111}, "id": "cde1bafa-9f01-4f43-a872-605b678968b0_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_112.json b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_112.json
deleted file mode 100644
index 072a5360d81..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_112.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential PowerShell HackTool Script by Function Names", "note": "## Triage and analysis\n\n### Investigating Potential PowerShell HackTool Script by Function Names\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAdversaries often exploit PowerShell's capabilities to execute malicious scripts and perform various attacks. This rule identifies known offensive tooling function names in PowerShell scripts, as attackers commonly use out-of-the-box tools without modifying the code. By monitoring these specific function names, the rule aims to detect and alert potential malicious PowerShell activity.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the script's execution context, such as the user account, privileges, the role of the system on which it was executed, and any relevant timestamps.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate the origin of the PowerShell script, including its source, download method, and any associated URLs or IP addresses.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, 
pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This rule may generate false positives if legitimate scripts or tools used by administrators contain any of the listed function names. 
These function names are commonly associated with offensive tooling, but they may also be present in benign scripts or tools.\n- To handle these false positives consider adding exceptions - preferably with a combination of full file path and users.\n\n### Related Rules\n\n- PowerShell Invoke-NinjaCopy script - b8386923-b02c-4b94-986a-d223d9b01f88\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Add-DomainGroupMember\" or \"Add-DomainObjectAcl\" or\n \"Add-RemoteConnection\" or \"Add-ServiceDacl\" or\n \"Add-Win32Type\" or \"Convert-ADName\" or\n \"Convert-LDAPProperty\" or \"ConvertFrom-LDAPLogonHours\" or\n \"ConvertFrom-UACValue\" or \"Copy-ArrayOfMemAddresses\" or\n \"Create-NamedPipe\" or \"Create-ProcessWithToken\" or\n \"Create-RemoteThread\" or \"Create-SuspendedWinLogon\" or\n \"Create-WinLogonProcess\" or \"Emit-CallThreadStub\" or\n \"Enable-SeAssignPrimaryTokenPrivilege\" or \"Enable-SeDebugPrivilege\" or\n \"Enum-AllTokens\" or \"Export-PowerViewCSV\" or\n \"Find-AVSignature\" or \"Find-AppLockerLog\" or\n \"Find-DomainLocalGroupMember\" or \"Find-DomainObjectPropertyOutlier\" or\n \"Find-DomainProcess\" or \"Find-DomainShare\" or\n \"Find-DomainUserEvent\" or \"Find-DomainUserLocation\" or\n \"Find-InterestingDomainAcl\" or \"Find-InterestingDomainShareFile\" or\n \"Find-InterestingFile\" or \"Find-LocalAdminAccess\" or\n \"Find-PSScriptsInPSAppLog\" or \"Find-PathDLLHijack\" or\n \"Find-ProcessDLLHijack\" or \"Find-RDPClientConnection\" or\n \"Get-AllAttributesForClass\" or \"Get-CachedGPPPassword\" or\n \"Get-DecryptedCpassword\" or \"Get-DecryptedSitelistPassword\" or\n \"Get-DelegateType\" or \"New-RelayEnumObject\" or\n \"Get-DomainDFSShare\" or \"Get-DomainDFSShareV1\" or\n \"Get-DomainDFSShareV2\" or \"Get-DomainDNSRecord\" or\n \"Get-DomainDNSZone\" or \"Get-DomainFileServer\" or\n \"Get-DomainForeignGroupMember\" or \"Get-DomainForeignUser\" or\n 
\"Get-DomainGPO\" or \"Get-DomainGPOComputerLocalGroupMapping\" or\n \"Get-DomainGPOLocalGroup\" or \"Get-DomainGPOUserLocalGroupMapping\" or\n \"Get-DomainGUIDMap\" or \"Get-DomainGroup\" or\n \"Get-DomainGroupMember\" or \"Get-DomainGroupMemberDeleted\" or\n \"Get-DomainManagedSecurityGroup\" or \"Get-DomainOU\" or\n \"Get-DomainObject\" or \"Get-DomainObjectAcl\" or\n \"Get-DomainObjectAttributeHistory\" or \"Get-DomainObjectLinkedAttributeHistory\" or\n \"Get-DomainPolicyData\" or \"Get-DomainSID\" or\n \"Get-DomainSPNTicket\" or \"Get-DomainSearcher\" or\n \"Get-DomainSite\" or \"Get-DomainSubnet\" or\n \"Get-DomainTrust\" or \"Get-DomainTrustMapping\" or\n \"Get-DomainUser\" or \"Get-DomainUserEvent\" or\n \"Get-Forest\" or \"Get-ForestDomain\" or\n \"Get-ForestGlobalCatalog\" or \"Get-ForestSchemaClass\" or\n \"Get-ForestTrust\" or \"Get-GPODelegation\" or\n \"Get-GPPAutologon\" or \"Get-GPPInnerField\" or\n \"Get-GPPInnerFields\" or \"Get-GPPPassword\" or\n \"Get-GptTmpl\" or \"Get-GroupsXML\" or\n \"Get-HttpStatus\" or \"Get-ImageNtHeaders\" or\n \"Get-Keystrokes\" or \"New-SOASerialNumberArray\" or \n \"Get-MemoryProcAddress\" or \"Get-MicrophoneAudio\" or\n \"Get-ModifiablePath\" or \"Get-ModifiableRegistryAutoRun\" or\n \"Get-ModifiableScheduledTaskFile\" or \"Get-ModifiableService\" or\n \"Get-ModifiableServiceFile\" or \"Get-Name\" or\n \"Get-NetComputerSiteName\" or \"Get-NetLocalGroup\" or\n \"Get-NetLocalGroupMember\" or \"Get-NetLoggedon\" or\n \"Get-NetRDPSession\" or \"Get-NetSession\" or\n \"Get-NetShare\" or \"Get-PEArchitecture\" or\n \"Get-PEBasicInfo\" or \"Get-PEDetailedInfo\" or\n \"Get-PathAcl\" or \"Get-PrimaryToken\" or\n \"Get-ProcAddress\" or \"Get-ProcessTokenGroup\" or\n \"Get-ProcessTokenPrivilege\" or \"Get-ProcessTokenType\" or\n \"Get-RegLoggedOn\" or \"Get-RegistryAlwaysInstallElevated\" or\n \"Get-RegistryAutoLogon\" or \"Get-RemoteProcAddress\" or\n \"Get-Screenshot\" or \"Get-ServiceDetail\" or\n \"Get-SiteListPassword\" or 
\"Get-SitelistField\" or\n \"Get-System\" or \"Get-SystemNamedPipe\" or\n \"Get-SystemToken\" or \"Get-ThreadToken\" or\n \"Get-TimedScreenshot\" or \"Get-TokenInformation\" or\n \"Get-TopPort\" or \"Get-UnattendedInstallFile\" or\n \"Get-UniqueTokens\" or \"Get-UnquotedService\" or\n \"Get-VaultCredential\" or \"Get-VaultElementValue\" or\n \"Get-VirtualProtectValue\" or \"Get-VolumeShadowCopy\" or\n \"Get-WMIProcess\" or \"Get-WMIRegCachedRDPConnection\" or\n \"Get-WMIRegLastLoggedOn\" or \"Get-WMIRegMountedDrive\" or\n \"Get-WMIRegProxy\" or \"Get-WebConfig\" or\n \"Get-Win32Constants\" or \"Get-Win32Functions\" or\n \"Get-Win32Types\" or \"Import-DllImports\" or\n \"Import-DllInRemoteProcess\" or \"Inject-LocalShellcode\" or\n \"Inject-RemoteShellcode\" or \"Install-ServiceBinary\" or\n \"Invoke-CompareAttributesForClass\" or \"Invoke-CreateRemoteThread\" or\n \"Invoke-CredentialInjection\" or \"Invoke-DllInjection\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-ImpersonateUser\" or\n \"Invoke-Kerberoast\" or \"Invoke-MemoryFreeLibrary\" or\n \"Invoke-MemoryLoadLibrary\" or\n \"Invoke-Mimikatz\" or \"Invoke-NinjaCopy\" or\n \"Invoke-PatchDll\" or \"Invoke-Portscan\" or\n \"Invoke-PrivescAudit\" or \"Invoke-ReflectivePEInjection\" or\n \"Invoke-ReverseDnsLookup\" or \"Invoke-RevertToSelf\" or\n \"Invoke-ServiceAbuse\" or \"Invoke-Shellcode\" or\n \"Invoke-TokenManipulation\" or \"Invoke-UserImpersonation\" or\n \"Invoke-WmiCommand\" or \"Mount-VolumeShadowCopy\" or\n \"New-ADObjectAccessControlEntry\" or \"New-DomainGroup\" or\n \"New-DomainUser\" or \"New-DynamicParameter\" or\n \"New-InMemoryModule\" or\n \"New-ThreadedFunction\" or \"New-VolumeShadowCopy\" or\n \"Out-CompressedDll\" or \"Out-EncodedCommand\" or\n \"Out-EncryptedScript\" or \"Out-Minidump\" or\n \"PortScan-Alive\" or \"Portscan-Port\" or\n \"Remove-DomainGroupMember\" or \"Remove-DomainObjectAcl\" or\n \"Remove-RemoteConnection\" or \"Remove-VolumeShadowCopy\" or\n \"Restore-ServiceBinary\" or 
\"Set-DesktopACLToAllowEveryone\" or\n \"Set-DesktopACLs\" or \"Set-DomainObject\" or\n \"Set-DomainObjectOwner\" or \"Set-DomainUserPassword\" or\n \"Set-ServiceBinaryPath\" or \"Sub-SignedIntAsUnsigned\" or\n \"Test-AdminAccess\" or \"Test-MemoryRangeValid\" or\n \"Test-ServiceDaclPermission\" or \"Update-ExeFunctions\" or\n \"Update-MemoryAddresses\" or \"Update-MemoryProtectionFlags\" or\n \"Write-BytesToMemory\" or \"Write-HijackDll\" or\n \"Write-PortscanOut\" or \"Write-ServiceBinary\" or\n \"Write-UserAddMSI\" or \"Invoke-Privesc\" or\n \"func_get_proc_address\" or \"Invoke-BloodHound\" or\n \"Invoke-HostEnum\" or \"Get-BrowserInformation\" or\n \"Get-DomainAccountPolicy\" or \"Get-DomainAdmins\" or\n \"Get-AVProcesses\" or \"Get-AVInfo\" or\n \"Get-RecycleBin\" or \"Invoke-BruteForce\" or\n \"Get-PassHints\" or \"Invoke-SessionGopher\" or\n \"Get-LSASecret\" or \"Get-PassHashes\" or\n \"Invoke-WdigestDowngrade\" or \"Get-ChromeDump\" or\n \"Invoke-DomainPasswordSpray\" or \"Get-FoxDump\" or\n \"New-HoneyHash\" or \"Invoke-DCSync\" or\n \"Invoke-PowerDump\" or \"Invoke-SSIDExfil\" or\n \"Invoke-PowerShellTCP\" or \"Add-Exfiltration\" or\n \"Do-Exfiltration\" or \"Invoke-DropboxUpload\" or\n \"Invoke-ExfilDataToGitHub\" or \"Invoke-EgressCheck\" or\n \"Invoke-PostExfil\" or \"Create-MultipleSessions\" or\n \"Invoke-NetworkRelay\" or \"New-GPOImmediateTask\" or\n \"Invoke-WMIDebugger\" or \"Invoke-SQLOSCMD\" or\n \"Invoke-SMBExec\" or \"Invoke-PSRemoting\" or\n \"Invoke-ExecuteMSBuild\" or \"Invoke-DCOM\" or\n \"Invoke-InveighRelay\" or \"Invoke-PsExec\" or\n \"Invoke-SSHCommand\" or \"Find-ActiveUsersWMI\" or\n \"Get-SystemDrivesWMI\" or \"Get-ActiveNICSWMI\" or\n \"Remove-Persistence\" or \"DNS_TXT_Pwnage\" or\n \"Execute-OnTime\" or \"HTTP-Backdoor\" or\n \"Add-ConstrainedDelegationBackdoor\" or \"Add-RegBackdoor\" or\n \"Add-ScrnSaveBackdoor\" or \"Gupt-Backdoor\" or\n \"Invoke-ADSBackdoor\" or \"Add-Persistence\" or\n \"Invoke-ResolverBackdoor\" or 
\"Invoke-EventLogBackdoor\" or\n \"Invoke-DeadUserBackdoor\" or \"Invoke-DisableMachineAcctChange\" or\n \"Invoke-AccessBinary\" or \"Add-NetUser\" or\n \"Invoke-Schtasks\" or \"Invoke-JSRatRegsvr\" or\n \"Invoke-JSRatRundll\" or \"Invoke-PoshRatHttps\" or\n \"Invoke-PsGcatAgent\" or \"Remove-PoshRat\" or\n \"Install-SSP\" or \"Invoke-BackdoorLNK\" or\n \"PowerBreach\" or \"InstallEXE-Persistence\" or\n \"RemoveEXE-Persistence\" or \"Install-ServiceLevel-Persistence\" or\n \"Remove-ServiceLevel-Persistence\" or \"Invoke-Prompt\" or\n \"Invoke-PacketCapture\" or \"Start-WebcamRecorder\" or\n \"Get-USBKeyStrokes\" or \"Invoke-KeeThief\" or\n \"Get-Keystrokes\" or \"Invoke-NetRipper\" or\n \"Get-EmailItems\" or \"Invoke-MailSearch\" or\n \"Invoke-SearchGAL\" or \"Get-WebCredentials\" or\n \"Start-CaptureServer\" or \"Invoke-PowerShellIcmp\" or\n \"Invoke-PowerShellTcpOneLine\" or \"Invoke-PowerShellTcpOneLineBind\" or\n \"Invoke-PowerShellUdp\" or \"Invoke-PowerShellUdpOneLine\" or\n \"Run-EXEonRemote\" or \"Download-Execute-PS\" or\n \"Out-RundllCommand\" or \"Set-RemoteWMI\" or\n \"Set-DCShadowPermissions\" or \"Invoke-PowerShellWMI\" or\n \"Invoke-Vnc\" or \"Invoke-LockWorkStation\" or\n \"Invoke-EternalBlue\" or \"Invoke-ShellcodeMSIL\" or\n \"Invoke-MetasploitPayload\" or \"Invoke-DowngradeAccount\" or\n \"Invoke-RunAs\" or \"ExetoText\" or\n \"Disable-SecuritySettings\" or \"Set-MacAttribute\" or\n \"Invoke-MS16032\" or \"Invoke-BypassUACTokenManipulation\" or\n \"Invoke-SDCLTBypass\" or \"Invoke-FodHelperBypass\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-EnvBypass\" or\n \"Get-ServiceUnquoted\" or \"Get-ServiceFilePermission\" or\n \"Get-ServicePermission\" or\n \"Enable-DuplicateToken\" or \"Invoke-PsUaCme\" or\n \"Invoke-Tater\" or \"Invoke-WScriptBypassUAC\" or\n \"Invoke-AllChecks\" or \"Find-TrustedDocuments\" or\n \"Invoke-Interceptor\" or \"Invoke-PoshRatHttp\" or\n \"Invoke-ExecCommandWMI\" or \"Invoke-KillProcessWMI\" or\n 
\"Invoke-CreateShareandExecute\" or \"Invoke-RemoteScriptWithOutput\" or\n \"Invoke-SchedJobManipulation\" or \"Invoke-ServiceManipulation\" or\n \"Invoke-PowerOptionsWMI\" or \"Invoke-DirectoryListing\" or\n \"Invoke-FileTransferOverWMI\" or \"Invoke-WMImplant\" or\n \"Invoke-WMIObfuscatedPSCommand\" or \"Invoke-WMIDuplicateClass\" or\n \"Invoke-WMIUpload\" or \"Invoke-WMIRemoteExtract\" or \"Invoke-winPEAS\"\n ) and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\"\n ) and\n not user.id : (\"S-1-5-18\" or \"S-1-5-19\")\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", "https://github.com/BC-SECURITY/Empire"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "cde1bafa-9f01-4f43-a872-605b678968b0", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": 
"T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 112}, "id": "cde1bafa-9f01-4f43-a872-605b678968b0_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_2.json b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_2.json deleted file mode 100644 index 46f7f812dae..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "logs-system.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential PowerShell HackTool Script by Function Names", "note": "", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Add-DomainGroupMember\" or \"Add-DomainObjectAcl\" or\n \"Add-RemoteConnection\" or \"Add-ServiceDacl\" or\n \"Add-Win32Type\" or \"Convert-ADName\" or\n \"Convert-LDAPProperty\" or \"ConvertFrom-LDAPLogonHours\" or\n \"ConvertFrom-SID\" or \"ConvertFrom-UACValue\" or\n \"ConvertTo-SID\" or \"Copy-ArrayOfMemAddresses\" or\n \"Create-NamedPipe\" or \"Create-ProcessWithToken\" or\n \"Create-RemoteThread\" or \"Create-SuspendedWinLogon\" or\n \"Create-WinLogonProcess\" or \"Emit-CallThreadStub\" or\n \"Enable-SeAssignPrimaryTokenPrivilege\" or \"Enable-SeDebugPrivilege\" or\n \"Enum-AllTokens\" or \"Export-PowerViewCSV\" or\n \"Find-AVSignature\" or \"Find-AppLockerLog\" or\n \"Find-DomainLocalGroupMember\" or \"Find-DomainObjectPropertyOutlier\" or\n \"Find-DomainProcess\" or \"Find-DomainShare\" or\n \"Find-DomainUserEvent\" or \"Find-DomainUserLocation\" or\n \"Find-InterestingDomainAcl\" or \"Find-InterestingDomainShareFile\" or\n \"Find-InterestingFile\" or \"Find-LocalAdminAccess\" or\n \"Find-PSScriptsInPSAppLog\" or \"Find-PathDLLHijack\" or\n \"Find-ProcessDLLHijack\" or \"Find-RDPClientConnection\" or\n \"Get-AllAttributesForClass\" or \"Get-CachedGPPPassword\" or\n \"Get-DecryptedCpassword\" or \"Get-DecryptedSitelistPassword\" or\n \"Get-DelegateType\" or \"Get-DomainController\" or\n \"Get-DomainDFSShare\" or \"Get-DomainDFSShareV1\" or\n \"Get-DomainDFSShareV2\" or 
\"Get-DomainDNSRecord\" or\n \"Get-DomainDNSZone\" or \"Get-DomainFileServer\" or\n \"Get-DomainForeignGroupMember\" or \"Get-DomainForeignUser\" or\n \"Get-DomainGPO\" or \"Get-DomainGPOComputerLocalGroupMapping\" or\n \"Get-DomainGPOLocalGroup\" or \"Get-DomainGPOUserLocalGroupMapping\" or\n \"Get-DomainGUIDMap\" or \"Get-DomainGroup\" or\n \"Get-DomainGroupMember\" or \"Get-DomainGroupMemberDeleted\" or\n \"Get-DomainManagedSecurityGroup\" or \"Get-DomainOU\" or\n \"Get-DomainObject\" or \"Get-DomainObjectAcl\" or\n \"Get-DomainObjectAttributeHistory\" or \"Get-DomainObjectLinkedAttributeHistory\" or\n \"Get-DomainPolicyData\" or \"Get-DomainSID\" or\n \"Get-DomainSPNTicket\" or \"Get-DomainSearcher\" or\n \"Get-DomainSite\" or \"Get-DomainSubnet\" or\n \"Get-DomainTrust\" or \"Get-DomainTrustMapping\" or\n \"Get-DomainUser\" or \"Get-DomainUserEvent\" or\n \"Get-Forest\" or \"Get-ForestDomain\" or\n \"Get-ForestGlobalCatalog\" or \"Get-ForestSchemaClass\" or\n \"Get-ForestTrust\" or \"Get-GPODelegation\" or\n \"Get-GPPAutologon\" or \"Get-GPPInnerField\" or\n \"Get-GPPInnerFields\" or \"Get-GPPPassword\" or\n \"Get-GptTmpl\" or \"Get-GroupsXML\" or\n \"Get-HttpStatus\" or \"Get-ImageNtHeaders\" or\n \"Get-IniContent\" or \"Get-Keystrokes\" or\n \"Get-MemoryProcAddress\" or \"Get-MicrophoneAudio\" or\n \"Get-ModifiablePath\" or \"Get-ModifiableRegistryAutoRun\" or\n \"Get-ModifiableScheduledTaskFile\" or \"Get-ModifiableService\" or\n \"Get-ModifiableServiceFile\" or \"Get-Name\" or\n \"Get-NetComputerSiteName\" or \"Get-NetLocalGroup\" or\n \"Get-NetLocalGroupMember\" or \"Get-NetLoggedon\" or\n \"Get-NetRDPSession\" or \"Get-NetSession\" or\n \"Get-NetShare\" or \"Get-PEArchitecture\" or\n \"Get-PEBasicInfo\" or \"Get-PEDetailedInfo\" or\n \"Get-PathAcl\" or \"Get-PrimaryToken\" or\n \"Get-PrincipalContext\" or \"Get-ProcAddress\" or\n \"Get-ProcessTokenGroup\" or \"Get-ProcessTokenPrivilege\" or\n \"Get-ProcessTokenType\" or \"Get-Property\" or\n 
\"Get-RegLoggedOn\" or \"Get-RegistryAlwaysInstallElevated\" or\n \"Get-RegistryAutoLogon\" or \"Get-RemoteProcAddress\" or\n \"Get-Screenshot\" or \"Get-ServiceDetail\" or\n \"Get-SiteListPassword\" or \"Get-SitelistField\" or\n \"Get-System\" or \"Get-SystemNamedPipe\" or\n \"Get-SystemToken\" or \"Get-ThreadToken\" or\n \"Get-TimedScreenshot\" or \"Get-TokenInformation\" or\n \"Get-TopPort\" or \"Get-UnattendedInstallFile\" or\n \"Get-UniqueTokens\" or \"Get-UnquotedService\" or\n \"Get-VaultCredential\" or \"Get-VaultElementValue\" or\n \"Get-VirtualProtectValue\" or \"Get-VolumeShadowCopy\" or\n \"Get-WMIProcess\" or \"Get-WMIRegCachedRDPConnection\" or\n \"Get-WMIRegLastLoggedOn\" or \"Get-WMIRegMountedDrive\" or\n \"Get-WMIRegProxy\" or \"Get-WebConfig\" or\n \"Get-Win32Constants\" or \"Get-Win32Functions\" or\n \"Get-Win32Types\" or \"Import-DllImports\" or\n \"Import-DllInRemoteProcess\" or \"Inject-LocalShellcode\" or\n \"Inject-RemoteShellcode\" or \"Install-ServiceBinary\" or\n \"Invoke-CompareAttributesForClass\" or \"Invoke-CreateRemoteThread\" or\n \"Invoke-CredentialInjection\" or \"Invoke-DllInjection\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-ImpersonateUser\" or\n \"Invoke-Kerberoast\" or \"Invoke-MemoryFreeLibrary\" or\n \"Invoke-MemoryLoadLibrary\" or \"Invoke-Method\" or\n \"Invoke-Mimikatz\" or \"Invoke-NinjaCopy\" or\n \"Invoke-PatchDll\" or \"Invoke-Portscan\" or\n \"Invoke-PrivescAudit\" or \"Invoke-ReflectivePEInjection\" or\n \"Invoke-ReverseDnsLookup\" or \"Invoke-RevertToSelf\" or\n \"Invoke-ServiceAbuse\" or \"Invoke-Shellcode\" or\n \"Invoke-TokenManipulation\" or \"Invoke-UserImpersonation\" or\n \"Invoke-WmiCommand\" or \"Mount-VolumeShadowCopy\" or\n \"New-ADObjectAccessControlEntry\" or \"New-DomainGroup\" or\n \"New-DomainUser\" or \"New-DynamicParameter\" or\n \"New-InMemoryModule\" or \"New-ScriptBlockCallback\" or\n \"New-ThreadedFunction\" or \"New-VolumeShadowCopy\" or\n \"Out-CompressedDll\" or \"Out-EncodedCommand\" 
or\n \"Out-EncryptedScript\" or \"Out-Minidump\" or\n \"PortScan-Alive\" or \"Portscan-Port\" or\n \"Remove-DomainGroupMember\" or \"Remove-DomainObjectAcl\" or\n \"Remove-RemoteConnection\" or \"Remove-VolumeShadowCopy\" or\n \"Restore-ServiceBinary\" or \"Set-DesktopACLToAllowEveryone\" or\n \"Set-DesktopACLs\" or \"Set-DomainObject\" or\n \"Set-DomainObjectOwner\" or \"Set-DomainUserPassword\" or\n \"Set-ServiceBinaryPath\" or \"Sub-SignedIntAsUnsigned\" or\n \"Test-AdminAccess\" or \"Test-MemoryRangeValid\" or\n \"Test-ServiceDaclPermission\" or \"Update-ExeFunctions\" or\n \"Update-MemoryAddresses\" or \"Update-MemoryProtectionFlags\" or\n \"Write-BytesToMemory\" or \"Write-HijackDll\" or\n \"Write-PortscanOut\" or \"Write-ServiceBinary\" or\n \"Write-UserAddMSI\" or \"Invoke-Privesc\" or\n \"func_get_proc_address\" or \"Invoke-BloodHound\" or\n \"Invoke-HostEnum\" or \"Get-BrowserInformation\" or\n \"Get-DomainAccountPolicy\" or \"Get-DomainAdmins\" or\n \"Get-AVProcesses\" or \"Get-AVInfo\" or\n \"Get-RecycleBin\"\n )\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", "https://github.com/BC-SECURITY/Empire"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "cde1bafa-9f01-4f43-a872-605b678968b0", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "PowerShell"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "cde1bafa-9f01-4f43-a872-605b678968b0_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_3.json b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_3.json deleted file mode 100644 index 63476d4c925..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential PowerShell HackTool Script by Function Names", "note": "", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Add-DomainGroupMember\" or \"Add-DomainObjectAcl\" or\n \"Add-RemoteConnection\" or \"Add-ServiceDacl\" or\n \"Add-Win32Type\" or \"Convert-ADName\" or\n \"Convert-LDAPProperty\" or \"ConvertFrom-LDAPLogonHours\" or\n \"ConvertFrom-SID\" or \"ConvertFrom-UACValue\" or\n \"ConvertTo-SID\" or \"Copy-ArrayOfMemAddresses\" or\n \"Create-NamedPipe\" or \"Create-ProcessWithToken\" or\n \"Create-RemoteThread\" or \"Create-SuspendedWinLogon\" or\n \"Create-WinLogonProcess\" or \"Emit-CallThreadStub\" or\n \"Enable-SeAssignPrimaryTokenPrivilege\" or \"Enable-SeDebugPrivilege\" or\n \"Enum-AllTokens\" or \"Export-PowerViewCSV\" or\n \"Find-AVSignature\" or \"Find-AppLockerLog\" or\n \"Find-DomainLocalGroupMember\" or \"Find-DomainObjectPropertyOutlier\" or\n \"Find-DomainProcess\" or \"Find-DomainShare\" or\n \"Find-DomainUserEvent\" or \"Find-DomainUserLocation\" or\n \"Find-InterestingDomainAcl\" or \"Find-InterestingDomainShareFile\" or\n \"Find-InterestingFile\" or \"Find-LocalAdminAccess\" or\n \"Find-PSScriptsInPSAppLog\" or \"Find-PathDLLHijack\" or\n \"Find-ProcessDLLHijack\" or \"Find-RDPClientConnection\" or\n \"Get-AllAttributesForClass\" or \"Get-CachedGPPPassword\" or\n \"Get-DecryptedCpassword\" or \"Get-DecryptedSitelistPassword\" or\n \"Get-DelegateType\" or \"Get-DomainController\" or\n \"Get-DomainDFSShare\" or \"Get-DomainDFSShareV1\" or\n \"Get-DomainDFSShareV2\" or 
\"Get-DomainDNSRecord\" or\n \"Get-DomainDNSZone\" or \"Get-DomainFileServer\" or\n \"Get-DomainForeignGroupMember\" or \"Get-DomainForeignUser\" or\n \"Get-DomainGPO\" or \"Get-DomainGPOComputerLocalGroupMapping\" or\n \"Get-DomainGPOLocalGroup\" or \"Get-DomainGPOUserLocalGroupMapping\" or\n \"Get-DomainGUIDMap\" or \"Get-DomainGroup\" or\n \"Get-DomainGroupMember\" or \"Get-DomainGroupMemberDeleted\" or\n \"Get-DomainManagedSecurityGroup\" or \"Get-DomainOU\" or\n \"Get-DomainObject\" or \"Get-DomainObjectAcl\" or\n \"Get-DomainObjectAttributeHistory\" or \"Get-DomainObjectLinkedAttributeHistory\" or\n \"Get-DomainPolicyData\" or \"Get-DomainSID\" or\n \"Get-DomainSPNTicket\" or \"Get-DomainSearcher\" or\n \"Get-DomainSite\" or \"Get-DomainSubnet\" or\n \"Get-DomainTrust\" or \"Get-DomainTrustMapping\" or\n \"Get-DomainUser\" or \"Get-DomainUserEvent\" or\n \"Get-Forest\" or \"Get-ForestDomain\" or\n \"Get-ForestGlobalCatalog\" or \"Get-ForestSchemaClass\" or\n \"Get-ForestTrust\" or \"Get-GPODelegation\" or\n \"Get-GPPAutologon\" or \"Get-GPPInnerField\" or\n \"Get-GPPInnerFields\" or \"Get-GPPPassword\" or\n \"Get-GptTmpl\" or \"Get-GroupsXML\" or\n \"Get-HttpStatus\" or \"Get-ImageNtHeaders\" or\n \"Get-IniContent\" or \"Get-Keystrokes\" or\n \"Get-MemoryProcAddress\" or \"Get-MicrophoneAudio\" or\n \"Get-ModifiablePath\" or \"Get-ModifiableRegistryAutoRun\" or\n \"Get-ModifiableScheduledTaskFile\" or \"Get-ModifiableService\" or\n \"Get-ModifiableServiceFile\" or \"Get-Name\" or\n \"Get-NetComputerSiteName\" or \"Get-NetLocalGroup\" or\n \"Get-NetLocalGroupMember\" or \"Get-NetLoggedon\" or\n \"Get-NetRDPSession\" or \"Get-NetSession\" or\n \"Get-NetShare\" or \"Get-PEArchitecture\" or\n \"Get-PEBasicInfo\" or \"Get-PEDetailedInfo\" or\n \"Get-PathAcl\" or \"Get-PrimaryToken\" or\n \"Get-PrincipalContext\" or \"Get-ProcAddress\" or\n \"Get-ProcessTokenGroup\" or \"Get-ProcessTokenPrivilege\" or\n \"Get-ProcessTokenType\" or \"Get-Property\" or\n 
\"Get-RegLoggedOn\" or \"Get-RegistryAlwaysInstallElevated\" or\n \"Get-RegistryAutoLogon\" or \"Get-RemoteProcAddress\" or\n \"Get-Screenshot\" or \"Get-ServiceDetail\" or\n \"Get-SiteListPassword\" or \"Get-SitelistField\" or\n \"Get-System\" or \"Get-SystemNamedPipe\" or\n \"Get-SystemToken\" or \"Get-ThreadToken\" or\n \"Get-TimedScreenshot\" or \"Get-TokenInformation\" or\n \"Get-TopPort\" or \"Get-UnattendedInstallFile\" or\n \"Get-UniqueTokens\" or \"Get-UnquotedService\" or\n \"Get-VaultCredential\" or \"Get-VaultElementValue\" or\n \"Get-VirtualProtectValue\" or \"Get-VolumeShadowCopy\" or\n \"Get-WMIProcess\" or \"Get-WMIRegCachedRDPConnection\" or\n \"Get-WMIRegLastLoggedOn\" or \"Get-WMIRegMountedDrive\" or\n \"Get-WMIRegProxy\" or \"Get-WebConfig\" or\n \"Get-Win32Constants\" or \"Get-Win32Functions\" or\n \"Get-Win32Types\" or \"Import-DllImports\" or\n \"Import-DllInRemoteProcess\" or \"Inject-LocalShellcode\" or\n \"Inject-RemoteShellcode\" or \"Install-ServiceBinary\" or\n \"Invoke-CompareAttributesForClass\" or \"Invoke-CreateRemoteThread\" or\n \"Invoke-CredentialInjection\" or \"Invoke-DllInjection\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-ImpersonateUser\" or\n \"Invoke-Kerberoast\" or \"Invoke-MemoryFreeLibrary\" or\n \"Invoke-MemoryLoadLibrary\" or \"Invoke-Method\" or\n \"Invoke-Mimikatz\" or \"Invoke-NinjaCopy\" or\n \"Invoke-PatchDll\" or \"Invoke-Portscan\" or\n \"Invoke-PrivescAudit\" or \"Invoke-ReflectivePEInjection\" or\n \"Invoke-ReverseDnsLookup\" or \"Invoke-RevertToSelf\" or\n \"Invoke-ServiceAbuse\" or \"Invoke-Shellcode\" or\n \"Invoke-TokenManipulation\" or \"Invoke-UserImpersonation\" or\n \"Invoke-WmiCommand\" or \"Mount-VolumeShadowCopy\" or\n \"New-ADObjectAccessControlEntry\" or \"New-DomainGroup\" or\n \"New-DomainUser\" or \"New-DynamicParameter\" or\n \"New-InMemoryModule\" or \"New-ScriptBlockCallback\" or\n \"New-ThreadedFunction\" or \"New-VolumeShadowCopy\" or\n \"Out-CompressedDll\" or \"Out-EncodedCommand\" 
or\n \"Out-EncryptedScript\" or \"Out-Minidump\" or\n \"PortScan-Alive\" or \"Portscan-Port\" or\n \"Remove-DomainGroupMember\" or \"Remove-DomainObjectAcl\" or\n \"Remove-RemoteConnection\" or \"Remove-VolumeShadowCopy\" or\n \"Restore-ServiceBinary\" or \"Set-DesktopACLToAllowEveryone\" or\n \"Set-DesktopACLs\" or \"Set-DomainObject\" or\n \"Set-DomainObjectOwner\" or \"Set-DomainUserPassword\" or\n \"Set-ServiceBinaryPath\" or \"Sub-SignedIntAsUnsigned\" or\n \"Test-AdminAccess\" or \"Test-MemoryRangeValid\" or\n \"Test-ServiceDaclPermission\" or \"Update-ExeFunctions\" or\n \"Update-MemoryAddresses\" or \"Update-MemoryProtectionFlags\" or\n \"Write-BytesToMemory\" or \"Write-HijackDll\" or\n \"Write-PortscanOut\" or \"Write-ServiceBinary\" or\n \"Write-UserAddMSI\" or \"Invoke-Privesc\" or\n \"func_get_proc_address\" or \"Invoke-BloodHound\" or\n \"Invoke-HostEnum\" or \"Get-BrowserInformation\" or\n \"Get-DomainAccountPolicy\" or \"Get-DomainAdmins\" or\n \"Get-AVProcesses\" or \"Get-AVInfo\" or\n \"Get-RecycleBin\"\n )\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", "https://github.com/BC-SECURITY/Empire"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "cde1bafa-9f01-4f43-a872-605b678968b0", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "PowerShell"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "cde1bafa-9f01-4f43-a872-605b678968b0_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_4.json b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_4.json deleted file mode 100644 index 87402a8510f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential PowerShell HackTool Script by Function Names", "note": "", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Add-DomainGroupMember\" or \"Add-DomainObjectAcl\" or\n \"Add-RemoteConnection\" or \"Add-ServiceDacl\" or\n \"Add-Win32Type\" or \"Convert-ADName\" or\n \"Convert-LDAPProperty\" or \"ConvertFrom-LDAPLogonHours\" or\n \"ConvertFrom-SID\" or \"ConvertFrom-UACValue\" or\n \"ConvertTo-SID\" or \"Copy-ArrayOfMemAddresses\" or\n \"Create-NamedPipe\" or \"Create-ProcessWithToken\" or\n \"Create-RemoteThread\" or \"Create-SuspendedWinLogon\" or\n \"Create-WinLogonProcess\" or \"Emit-CallThreadStub\" or\n \"Enable-SeAssignPrimaryTokenPrivilege\" or \"Enable-SeDebugPrivilege\" or\n \"Enum-AllTokens\" or \"Export-PowerViewCSV\" or\n \"Find-AVSignature\" or \"Find-AppLockerLog\" or\n \"Find-DomainLocalGroupMember\" or \"Find-DomainObjectPropertyOutlier\" or\n \"Find-DomainProcess\" or \"Find-DomainShare\" or\n \"Find-DomainUserEvent\" or \"Find-DomainUserLocation\" or\n \"Find-InterestingDomainAcl\" or \"Find-InterestingDomainShareFile\" or\n \"Find-InterestingFile\" or \"Find-LocalAdminAccess\" or\n \"Find-PSScriptsInPSAppLog\" or \"Find-PathDLLHijack\" or\n \"Find-ProcessDLLHijack\" or \"Find-RDPClientConnection\" or\n \"Get-AllAttributesForClass\" or \"Get-CachedGPPPassword\" or\n \"Get-DecryptedCpassword\" or \"Get-DecryptedSitelistPassword\" or\n \"Get-DelegateType\" or \"Get-DomainController\" or\n \"Get-DomainDFSShare\" or \"Get-DomainDFSShareV1\" or\n \"Get-DomainDFSShareV2\" or 
\"Get-DomainDNSRecord\" or\n \"Get-DomainDNSZone\" or \"Get-DomainFileServer\" or\n \"Get-DomainForeignGroupMember\" or \"Get-DomainForeignUser\" or\n \"Get-DomainGPO\" or \"Get-DomainGPOComputerLocalGroupMapping\" or\n \"Get-DomainGPOLocalGroup\" or \"Get-DomainGPOUserLocalGroupMapping\" or\n \"Get-DomainGUIDMap\" or \"Get-DomainGroup\" or\n \"Get-DomainGroupMember\" or \"Get-DomainGroupMemberDeleted\" or\n \"Get-DomainManagedSecurityGroup\" or \"Get-DomainOU\" or\n \"Get-DomainObject\" or \"Get-DomainObjectAcl\" or\n \"Get-DomainObjectAttributeHistory\" or \"Get-DomainObjectLinkedAttributeHistory\" or\n \"Get-DomainPolicyData\" or \"Get-DomainSID\" or\n \"Get-DomainSPNTicket\" or \"Get-DomainSearcher\" or\n \"Get-DomainSite\" or \"Get-DomainSubnet\" or\n \"Get-DomainTrust\" or \"Get-DomainTrustMapping\" or\n \"Get-DomainUser\" or \"Get-DomainUserEvent\" or\n \"Get-Forest\" or \"Get-ForestDomain\" or\n \"Get-ForestGlobalCatalog\" or \"Get-ForestSchemaClass\" or\n \"Get-ForestTrust\" or \"Get-GPODelegation\" or\n \"Get-GPPAutologon\" or \"Get-GPPInnerField\" or\n \"Get-GPPInnerFields\" or \"Get-GPPPassword\" or\n \"Get-GptTmpl\" or \"Get-GroupsXML\" or\n \"Get-HttpStatus\" or \"Get-ImageNtHeaders\" or\n \"Get-IniContent\" or \"Get-Keystrokes\" or\n \"Get-MemoryProcAddress\" or \"Get-MicrophoneAudio\" or\n \"Get-ModifiablePath\" or \"Get-ModifiableRegistryAutoRun\" or\n \"Get-ModifiableScheduledTaskFile\" or \"Get-ModifiableService\" or\n \"Get-ModifiableServiceFile\" or \"Get-Name\" or\n \"Get-NetComputerSiteName\" or \"Get-NetLocalGroup\" or\n \"Get-NetLocalGroupMember\" or \"Get-NetLoggedon\" or\n \"Get-NetRDPSession\" or \"Get-NetSession\" or\n \"Get-NetShare\" or \"Get-PEArchitecture\" or\n \"Get-PEBasicInfo\" or \"Get-PEDetailedInfo\" or\n \"Get-PathAcl\" or \"Get-PrimaryToken\" or\n \"Get-PrincipalContext\" or \"Get-ProcAddress\" or\n \"Get-ProcessTokenGroup\" or \"Get-ProcessTokenPrivilege\" or\n \"Get-ProcessTokenType\" or \"Get-Property\" or\n 
\"Get-RegLoggedOn\" or \"Get-RegistryAlwaysInstallElevated\" or\n \"Get-RegistryAutoLogon\" or \"Get-RemoteProcAddress\" or\n \"Get-Screenshot\" or \"Get-ServiceDetail\" or\n \"Get-SiteListPassword\" or \"Get-SitelistField\" or\n \"Get-System\" or \"Get-SystemNamedPipe\" or\n \"Get-SystemToken\" or \"Get-ThreadToken\" or\n \"Get-TimedScreenshot\" or \"Get-TokenInformation\" or\n \"Get-TopPort\" or \"Get-UnattendedInstallFile\" or\n \"Get-UniqueTokens\" or \"Get-UnquotedService\" or\n \"Get-VaultCredential\" or \"Get-VaultElementValue\" or\n \"Get-VirtualProtectValue\" or \"Get-VolumeShadowCopy\" or\n \"Get-WMIProcess\" or \"Get-WMIRegCachedRDPConnection\" or\n \"Get-WMIRegLastLoggedOn\" or \"Get-WMIRegMountedDrive\" or\n \"Get-WMIRegProxy\" or \"Get-WebConfig\" or\n \"Get-Win32Constants\" or \"Get-Win32Functions\" or\n \"Get-Win32Types\" or \"Import-DllImports\" or\n \"Import-DllInRemoteProcess\" or \"Inject-LocalShellcode\" or\n \"Inject-RemoteShellcode\" or \"Install-ServiceBinary\" or\n \"Invoke-CompareAttributesForClass\" or \"Invoke-CreateRemoteThread\" or\n \"Invoke-CredentialInjection\" or \"Invoke-DllInjection\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-ImpersonateUser\" or\n \"Invoke-Kerberoast\" or \"Invoke-MemoryFreeLibrary\" or\n \"Invoke-MemoryLoadLibrary\" or \"Invoke-Method\" or\n \"Invoke-Mimikatz\" or \"Invoke-NinjaCopy\" or\n \"Invoke-PatchDll\" or \"Invoke-Portscan\" or\n \"Invoke-PrivescAudit\" or \"Invoke-ReflectivePEInjection\" or\n \"Invoke-ReverseDnsLookup\" or \"Invoke-RevertToSelf\" or\n \"Invoke-ServiceAbuse\" or \"Invoke-Shellcode\" or\n \"Invoke-TokenManipulation\" or \"Invoke-UserImpersonation\" or\n \"Invoke-WmiCommand\" or \"Mount-VolumeShadowCopy\" or\n \"New-ADObjectAccessControlEntry\" or \"New-DomainGroup\" or\n \"New-DomainUser\" or \"New-DynamicParameter\" or\n \"New-InMemoryModule\" or \"New-ScriptBlockCallback\" or\n \"New-ThreadedFunction\" or \"New-VolumeShadowCopy\" or\n \"Out-CompressedDll\" or \"Out-EncodedCommand\" 
or\n \"Out-EncryptedScript\" or \"Out-Minidump\" or\n \"PortScan-Alive\" or \"Portscan-Port\" or\n \"Remove-DomainGroupMember\" or \"Remove-DomainObjectAcl\" or\n \"Remove-RemoteConnection\" or \"Remove-VolumeShadowCopy\" or\n \"Restore-ServiceBinary\" or \"Set-DesktopACLToAllowEveryone\" or\n \"Set-DesktopACLs\" or \"Set-DomainObject\" or\n \"Set-DomainObjectOwner\" or \"Set-DomainUserPassword\" or\n \"Set-ServiceBinaryPath\" or \"Sub-SignedIntAsUnsigned\" or\n \"Test-AdminAccess\" or \"Test-MemoryRangeValid\" or\n \"Test-ServiceDaclPermission\" or \"Update-ExeFunctions\" or\n \"Update-MemoryAddresses\" or \"Update-MemoryProtectionFlags\" or\n \"Write-BytesToMemory\" or \"Write-HijackDll\" or\n \"Write-PortscanOut\" or \"Write-ServiceBinary\" or\n \"Write-UserAddMSI\" or \"Invoke-Privesc\" or\n \"func_get_proc_address\" or \"Invoke-BloodHound\" or\n \"Invoke-HostEnum\" or \"Get-BrowserInformation\" or\n \"Get-DomainAccountPolicy\" or \"Get-DomainAdmins\" or\n \"Get-AVProcesses\" or \"Get-AVInfo\" or\n \"Get-RecycleBin\"\n )\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", "https://github.com/BC-SECURITY/Empire"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "cde1bafa-9f01-4f43-a872-605b678968b0", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add 
\"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "cde1bafa-9f01-4f43-a872-605b678968b0_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_5.json b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_5.json deleted file mode 100644 index 1dbcd95bc6f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_5.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential PowerShell HackTool Script by Function Names", "note": "", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Add-DomainGroupMember\" or \"Add-DomainObjectAcl\" or\n \"Add-RemoteConnection\" or \"Add-ServiceDacl\" or\n \"Add-Win32Type\" or \"Convert-ADName\" or\n \"Convert-LDAPProperty\" or \"ConvertFrom-LDAPLogonHours\" or\n \"ConvertFrom-UACValue\" or \"Copy-ArrayOfMemAddresses\" or\n \"Create-NamedPipe\" or \"Create-ProcessWithToken\" or\n \"Create-RemoteThread\" or \"Create-SuspendedWinLogon\" or\n \"Create-WinLogonProcess\" or \"Emit-CallThreadStub\" or\n \"Enable-SeAssignPrimaryTokenPrivilege\" or \"Enable-SeDebugPrivilege\" or\n \"Enum-AllTokens\" or \"Export-PowerViewCSV\" or\n \"Find-AVSignature\" or \"Find-AppLockerLog\" or\n \"Find-DomainLocalGroupMember\" or \"Find-DomainObjectPropertyOutlier\" or\n \"Find-DomainProcess\" or \"Find-DomainShare\" or\n \"Find-DomainUserEvent\" or \"Find-DomainUserLocation\" or\n \"Find-InterestingDomainAcl\" or \"Find-InterestingDomainShareFile\" or\n \"Find-InterestingFile\" or \"Find-LocalAdminAccess\" or\n \"Find-PSScriptsInPSAppLog\" or \"Find-PathDLLHijack\" or\n \"Find-ProcessDLLHijack\" or \"Find-RDPClientConnection\" or\n \"Get-AllAttributesForClass\" or \"Get-CachedGPPPassword\" or\n \"Get-DecryptedCpassword\" or \"Get-DecryptedSitelistPassword\" or\n \"Get-DelegateType\" or\n \"Get-DomainDFSShare\" or \"Get-DomainDFSShareV1\" or\n \"Get-DomainDFSShareV2\" or \"Get-DomainDNSRecord\" or\n \"Get-DomainDNSZone\" or \"Get-DomainFileServer\" or\n 
\"Get-DomainForeignGroupMember\" or \"Get-DomainForeignUser\" or\n \"Get-DomainGPO\" or \"Get-DomainGPOComputerLocalGroupMapping\" or\n \"Get-DomainGPOLocalGroup\" or \"Get-DomainGPOUserLocalGroupMapping\" or\n \"Get-DomainGUIDMap\" or \"Get-DomainGroup\" or\n \"Get-DomainGroupMember\" or \"Get-DomainGroupMemberDeleted\" or\n \"Get-DomainManagedSecurityGroup\" or \"Get-DomainOU\" or\n \"Get-DomainObject\" or \"Get-DomainObjectAcl\" or\n \"Get-DomainObjectAttributeHistory\" or \"Get-DomainObjectLinkedAttributeHistory\" or\n \"Get-DomainPolicyData\" or \"Get-DomainSID\" or\n \"Get-DomainSPNTicket\" or \"Get-DomainSearcher\" or\n \"Get-DomainSite\" or \"Get-DomainSubnet\" or\n \"Get-DomainTrust\" or \"Get-DomainTrustMapping\" or\n \"Get-DomainUser\" or \"Get-DomainUserEvent\" or\n \"Get-Forest\" or \"Get-ForestDomain\" or\n \"Get-ForestGlobalCatalog\" or \"Get-ForestSchemaClass\" or\n \"Get-ForestTrust\" or \"Get-GPODelegation\" or\n \"Get-GPPAutologon\" or \"Get-GPPInnerField\" or\n \"Get-GPPInnerFields\" or \"Get-GPPPassword\" or\n \"Get-GptTmpl\" or \"Get-GroupsXML\" or\n \"Get-HttpStatus\" or \"Get-ImageNtHeaders\" or\n \"Get-Keystrokes\" or\n \"Get-MemoryProcAddress\" or \"Get-MicrophoneAudio\" or\n \"Get-ModifiablePath\" or \"Get-ModifiableRegistryAutoRun\" or\n \"Get-ModifiableScheduledTaskFile\" or \"Get-ModifiableService\" or\n \"Get-ModifiableServiceFile\" or \"Get-Name\" or\n \"Get-NetComputerSiteName\" or \"Get-NetLocalGroup\" or\n \"Get-NetLocalGroupMember\" or \"Get-NetLoggedon\" or\n \"Get-NetRDPSession\" or \"Get-NetSession\" or\n \"Get-NetShare\" or \"Get-PEArchitecture\" or\n \"Get-PEBasicInfo\" or \"Get-PEDetailedInfo\" or\n \"Get-PathAcl\" or \"Get-PrimaryToken\" or\n \"Get-ProcAddress\" or \"Get-ProcessTokenGroup\" or\n \"Get-ProcessTokenPrivilege\" or \"Get-ProcessTokenType\" or\n \"Get-RegLoggedOn\" or \"Get-RegistryAlwaysInstallElevated\" or\n \"Get-RegistryAutoLogon\" or \"Get-RemoteProcAddress\" or\n \"Get-Screenshot\" or 
\"Get-ServiceDetail\" or\n \"Get-SiteListPassword\" or \"Get-SitelistField\" or\n \"Get-System\" or \"Get-SystemNamedPipe\" or\n \"Get-SystemToken\" or \"Get-ThreadToken\" or\n \"Get-TimedScreenshot\" or \"Get-TokenInformation\" or\n \"Get-TopPort\" or \"Get-UnattendedInstallFile\" or\n \"Get-UniqueTokens\" or \"Get-UnquotedService\" or\n \"Get-VaultCredential\" or \"Get-VaultElementValue\" or\n \"Get-VirtualProtectValue\" or \"Get-VolumeShadowCopy\" or\n \"Get-WMIProcess\" or \"Get-WMIRegCachedRDPConnection\" or\n \"Get-WMIRegLastLoggedOn\" or \"Get-WMIRegMountedDrive\" or\n \"Get-WMIRegProxy\" or \"Get-WebConfig\" or\n \"Get-Win32Constants\" or \"Get-Win32Functions\" or\n \"Get-Win32Types\" or \"Import-DllImports\" or\n \"Import-DllInRemoteProcess\" or \"Inject-LocalShellcode\" or\n \"Inject-RemoteShellcode\" or \"Install-ServiceBinary\" or\n \"Invoke-CompareAttributesForClass\" or \"Invoke-CreateRemoteThread\" or\n \"Invoke-CredentialInjection\" or \"Invoke-DllInjection\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-ImpersonateUser\" or\n \"Invoke-Kerberoast\" or \"Invoke-MemoryFreeLibrary\" or\n \"Invoke-MemoryLoadLibrary\" or \"Invoke-Method\" or\n \"Invoke-Mimikatz\" or \"Invoke-NinjaCopy\" or\n \"Invoke-PatchDll\" or \"Invoke-Portscan\" or\n \"Invoke-PrivescAudit\" or \"Invoke-ReflectivePEInjection\" or\n \"Invoke-ReverseDnsLookup\" or \"Invoke-RevertToSelf\" or\n \"Invoke-ServiceAbuse\" or \"Invoke-Shellcode\" or\n \"Invoke-TokenManipulation\" or \"Invoke-UserImpersonation\" or\n \"Invoke-WmiCommand\" or \"Mount-VolumeShadowCopy\" or\n \"New-ADObjectAccessControlEntry\" or \"New-DomainGroup\" or\n \"New-DomainUser\" or \"New-DynamicParameter\" or\n \"New-InMemoryModule\" or\n \"New-ThreadedFunction\" or \"New-VolumeShadowCopy\" or\n \"Out-CompressedDll\" or \"Out-EncodedCommand\" or\n \"Out-EncryptedScript\" or \"Out-Minidump\" or\n \"PortScan-Alive\" or \"Portscan-Port\" or\n \"Remove-DomainGroupMember\" or \"Remove-DomainObjectAcl\" or\n 
\"Remove-RemoteConnection\" or \"Remove-VolumeShadowCopy\" or\n \"Restore-ServiceBinary\" or \"Set-DesktopACLToAllowEveryone\" or\n \"Set-DesktopACLs\" or \"Set-DomainObject\" or\n \"Set-DomainObjectOwner\" or \"Set-DomainUserPassword\" or\n \"Set-ServiceBinaryPath\" or \"Sub-SignedIntAsUnsigned\" or\n \"Test-AdminAccess\" or \"Test-MemoryRangeValid\" or\n \"Test-ServiceDaclPermission\" or \"Update-ExeFunctions\" or\n \"Update-MemoryAddresses\" or \"Update-MemoryProtectionFlags\" or\n \"Write-BytesToMemory\" or \"Write-HijackDll\" or\n \"Write-PortscanOut\" or \"Write-ServiceBinary\" or\n \"Write-UserAddMSI\" or \"Invoke-Privesc\" or\n \"func_get_proc_address\" or \"Invoke-BloodHound\" or\n \"Invoke-HostEnum\" or \"Get-BrowserInformation\" or\n \"Get-DomainAccountPolicy\" or \"Get-DomainAdmins\" or\n \"Get-AVProcesses\" or \"Get-AVInfo\" or\n \"Get-RecycleBin\" or \"Invoke-BruteForce\" or\n \"Get-PassHints\" or \"Invoke-SessionGopher\" or\n \"Get-LSASecret\" or \"Get-PassHashes\" or\n \"Invoke-WdigestDowngrade\" or \"Get-ChromeDump\" or\n \"Invoke-DomainPasswordSpray\" or \"Get-FoxDump\" or\n \"New-HoneyHash\" or \"Invoke-DCSync\" or\n \"Invoke-PowerDump\" or \"Invoke-SSIDExfil\" or\n \"Invoke-PowerShellTCP\" or \"Add-Exfiltration\" or\n \"Do-Exfiltration\" or \"Invoke-DropboxUpload\" or\n \"Invoke-ExfilDataToGitHub\" or \"Invoke-EgressCheck\" or\n \"Invoke-PostExfil\" or \"Create-MultipleSessions\" or\n \"Invoke-NetworkRelay\" or \"New-GPOImmediateTask\" or\n \"Invoke-WMIDebugger\" or \"Invoke-SQLOSCMD\" or\n \"Invoke-SMBExec\" or \"Invoke-PSRemoting\" or\n \"Invoke-ExecuteMSBuild\" or \"Invoke-DCOM\" or\n \"Invoke-InveighRelay\" or \"Invoke-PsExec\" or\n \"Invoke-SSHCommand\" or \"Find-ActiveUsersWMI\" or\n \"Get-SystemDrivesWMI\" or \"Get-ActiveNICSWMI\" or\n \"Remove-Persistence\" or \"DNS_TXT_Pwnage\" or\n \"Execute-OnTime\" or \"HTTP-Backdoor\" or\n \"Add-ConstrainedDelegationBackdoor\" or \"Add-RegBackdoor\" or\n \"Add-ScrnSaveBackdoor\" or \"Gupt-Backdoor\" 
or\n \"Invoke-ADSBackdoor\" or \"Add-Persistence\" or\n \"Invoke-ResolverBackdoor\" or \"Invoke-EventLogBackdoor\" or\n \"Invoke-DeadUserBackdoor\" or \"Invoke-DisableMachineAcctChange\" or\n \"Invoke-AccessBinary\" or \"Add-NetUser\" or\n \"Invoke-Schtasks\" or \"Invoke-JSRatRegsvr\" or\n \"Invoke-JSRatRundll\" or \"Invoke-PoshRatHttps\" or\n \"Invoke-PsGcatAgent\" or \"Remove-PoshRat\" or\n \"Install-SSP\" or \"Invoke-BackdoorLNK\" or\n \"PowerBreach\" or \"InstallEXE-Persistence\" or\n \"RemoveEXE-Persistence\" or \"Install-ServiceLevel-Persistence\" or\n \"Remove-ServiceLevel-Persistence\" or \"Invoke-Prompt\" or\n \"Invoke-PacketCapture\" or \"Start-WebcamRecorder\" or\n \"Get-USBKeyStrokes\" or \"Invoke-KeeThief\" or\n \"Get-Keystrokes\" or \"Invoke-NetRipper\" or\n \"Get-EmailItems\" or \"Invoke-MailSearch\" or\n \"Invoke-SearchGAL\" or \"Get-WebCredentials\" or\n \"Start-CaptureServer\" or \"Invoke-PowerShellIcmp\" or\n \"Invoke-PowerShellTcpOneLine\" or \"Invoke-PowerShellTcpOneLineBind\" or\n \"Invoke-PowerShellUdp\" or \"Invoke-PowerShellUdpOneLine\" or\n \"Run-EXEonRemote\" or \"Download-Execute-PS\" or\n \"Out-RundllCommand\" or \"Set-RemoteWMI\" or\n \"Set-DCShadowPermissions\" or \"Invoke-PowerShellWMI\" or\n \"Invoke-Vnc\" or \"Invoke-LockWorkStation\" or\n \"Invoke-EternalBlue\" or \"Invoke-ShellcodeMSIL\" or\n \"Invoke-MetasploitPayload\" or \"Invoke-DowngradeAccount\" or\n \"Invoke-RunAs\" or \"ExetoText\" or\n \"Disable-SecuritySettings\" or \"Set-MacAttribute\" or\n \"Invoke-MS16032\" or \"Invoke-BypassUACTokenManipulation\" or\n \"Invoke-SDCLTBypass\" or \"Invoke-FodHelperBypass\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-EnvBypass\" or\n \"Get-ServiceUnquoted\" or \"Get-ServiceFilePermission\" or\n \"Get-ServicePermission\" or \"Get-ServicePermission\" or\n \"Enable-DuplicateToken\" or \"Invoke-PsUaCme\" or\n \"Invoke-Tater\" or \"Invoke-WScriptBypassUAC\" or\n \"Invoke-AllChecks\" or \"Find-TrustedDocuments\" or\n \"Invoke-Interceptor\" or 
\"Invoke-PoshRatHttp\" or\n \"Invoke-ExecCommandWMI\" or \"Invoke-KillProcessWMI\" or\n \"Invoke-CreateShareandExecute\" or \"Invoke-RemoteScriptWithOutput\" or\n \"Invoke-SchedJobManipulation\" or \"Invoke-ServiceManipulation\" or\n \"Invoke-PowerOptionsWMI\" or \"Invoke-DirectoryListing\" or\n \"Invoke-FileTransferOverWMI\" or \"Invoke-WMImplant\" or\n \"Invoke-WMIObfuscatedPSCommand\" or \"Invoke-WMIDuplicateClass\" or\n \"Invoke-WMIUpload\" or \"Invoke-WMIRemoteExtract\" or \"Invoke-winPEAS\"\n )\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\"\n )\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", "https://github.com/BC-SECURITY/Empire"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "cde1bafa-9f01-4f43-a872-605b678968b0", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command 
and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "cde1bafa-9f01-4f43-a872-605b678968b0_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_6.json b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_6.json
deleted file mode 100644
index 73ef06d4d56..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential PowerShell HackTool Script by Function Names", "note": "", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Add-DomainGroupMember\" or \"Add-DomainObjectAcl\" or\n \"Add-RemoteConnection\" or \"Add-ServiceDacl\" or\n \"Add-Win32Type\" or \"Convert-ADName\" or\n \"Convert-LDAPProperty\" or \"ConvertFrom-LDAPLogonHours\" or\n \"ConvertFrom-UACValue\" or \"Copy-ArrayOfMemAddresses\" or\n \"Create-NamedPipe\" or \"Create-ProcessWithToken\" or\n \"Create-RemoteThread\" or \"Create-SuspendedWinLogon\" or\n \"Create-WinLogonProcess\" or \"Emit-CallThreadStub\" or\n \"Enable-SeAssignPrimaryTokenPrivilege\" or \"Enable-SeDebugPrivilege\" or\n \"Enum-AllTokens\" or \"Export-PowerViewCSV\" or\n \"Find-AVSignature\" or \"Find-AppLockerLog\" or\n \"Find-DomainLocalGroupMember\" or \"Find-DomainObjectPropertyOutlier\" or\n \"Find-DomainProcess\" or \"Find-DomainShare\" or\n \"Find-DomainUserEvent\" or \"Find-DomainUserLocation\" or\n \"Find-InterestingDomainAcl\" or \"Find-InterestingDomainShareFile\" or\n \"Find-InterestingFile\" or \"Find-LocalAdminAccess\" or\n \"Find-PSScriptsInPSAppLog\" or \"Find-PathDLLHijack\" or\n \"Find-ProcessDLLHijack\" or \"Find-RDPClientConnection\" or\n \"Get-AllAttributesForClass\" or \"Get-CachedGPPPassword\" or\n \"Get-DecryptedCpassword\" or \"Get-DecryptedSitelistPassword\" or\n \"Get-DelegateType\" or\n \"Get-DomainDFSShare\" or \"Get-DomainDFSShareV1\" or\n \"Get-DomainDFSShareV2\" or \"Get-DomainDNSRecord\" or\n \"Get-DomainDNSZone\" or \"Get-DomainFileServer\" or\n 
\"Get-DomainForeignGroupMember\" or \"Get-DomainForeignUser\" or\n \"Get-DomainGPO\" or \"Get-DomainGPOComputerLocalGroupMapping\" or\n \"Get-DomainGPOLocalGroup\" or \"Get-DomainGPOUserLocalGroupMapping\" or\n \"Get-DomainGUIDMap\" or \"Get-DomainGroup\" or\n \"Get-DomainGroupMember\" or \"Get-DomainGroupMemberDeleted\" or\n \"Get-DomainManagedSecurityGroup\" or \"Get-DomainOU\" or\n \"Get-DomainObject\" or \"Get-DomainObjectAcl\" or\n \"Get-DomainObjectAttributeHistory\" or \"Get-DomainObjectLinkedAttributeHistory\" or\n \"Get-DomainPolicyData\" or \"Get-DomainSID\" or\n \"Get-DomainSPNTicket\" or \"Get-DomainSearcher\" or\n \"Get-DomainSite\" or \"Get-DomainSubnet\" or\n \"Get-DomainTrust\" or \"Get-DomainTrustMapping\" or\n \"Get-DomainUser\" or \"Get-DomainUserEvent\" or\n \"Get-Forest\" or \"Get-ForestDomain\" or\n \"Get-ForestGlobalCatalog\" or \"Get-ForestSchemaClass\" or\n \"Get-ForestTrust\" or \"Get-GPODelegation\" or\n \"Get-GPPAutologon\" or \"Get-GPPInnerField\" or\n \"Get-GPPInnerFields\" or \"Get-GPPPassword\" or\n \"Get-GptTmpl\" or \"Get-GroupsXML\" or\n \"Get-HttpStatus\" or \"Get-ImageNtHeaders\" or\n \"Get-Keystrokes\" or\n \"Get-MemoryProcAddress\" or \"Get-MicrophoneAudio\" or\n \"Get-ModifiablePath\" or \"Get-ModifiableRegistryAutoRun\" or\n \"Get-ModifiableScheduledTaskFile\" or \"Get-ModifiableService\" or\n \"Get-ModifiableServiceFile\" or \"Get-Name\" or\n \"Get-NetComputerSiteName\" or \"Get-NetLocalGroup\" or\n \"Get-NetLocalGroupMember\" or \"Get-NetLoggedon\" or\n \"Get-NetRDPSession\" or \"Get-NetSession\" or\n \"Get-NetShare\" or \"Get-PEArchitecture\" or\n \"Get-PEBasicInfo\" or \"Get-PEDetailedInfo\" or\n \"Get-PathAcl\" or \"Get-PrimaryToken\" or\n \"Get-ProcAddress\" or \"Get-ProcessTokenGroup\" or\n \"Get-ProcessTokenPrivilege\" or \"Get-ProcessTokenType\" or\n \"Get-RegLoggedOn\" or \"Get-RegistryAlwaysInstallElevated\" or\n \"Get-RegistryAutoLogon\" or \"Get-RemoteProcAddress\" or\n \"Get-Screenshot\" or 
\"Get-ServiceDetail\" or\n \"Get-SiteListPassword\" or \"Get-SitelistField\" or\n \"Get-System\" or \"Get-SystemNamedPipe\" or\n \"Get-SystemToken\" or \"Get-ThreadToken\" or\n \"Get-TimedScreenshot\" or \"Get-TokenInformation\" or\n \"Get-TopPort\" or \"Get-UnattendedInstallFile\" or\n \"Get-UniqueTokens\" or \"Get-UnquotedService\" or\n \"Get-VaultCredential\" or \"Get-VaultElementValue\" or\n \"Get-VirtualProtectValue\" or \"Get-VolumeShadowCopy\" or\n \"Get-WMIProcess\" or \"Get-WMIRegCachedRDPConnection\" or\n \"Get-WMIRegLastLoggedOn\" or \"Get-WMIRegMountedDrive\" or\n \"Get-WMIRegProxy\" or \"Get-WebConfig\" or\n \"Get-Win32Constants\" or \"Get-Win32Functions\" or\n \"Get-Win32Types\" or \"Import-DllImports\" or\n \"Import-DllInRemoteProcess\" or \"Inject-LocalShellcode\" or\n \"Inject-RemoteShellcode\" or \"Install-ServiceBinary\" or\n \"Invoke-CompareAttributesForClass\" or \"Invoke-CreateRemoteThread\" or\n \"Invoke-CredentialInjection\" or \"Invoke-DllInjection\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-ImpersonateUser\" or\n \"Invoke-Kerberoast\" or \"Invoke-MemoryFreeLibrary\" or\n \"Invoke-MemoryLoadLibrary\" or \"Invoke-Method\" or\n \"Invoke-Mimikatz\" or \"Invoke-NinjaCopy\" or\n \"Invoke-PatchDll\" or \"Invoke-Portscan\" or\n \"Invoke-PrivescAudit\" or \"Invoke-ReflectivePEInjection\" or\n \"Invoke-ReverseDnsLookup\" or \"Invoke-RevertToSelf\" or\n \"Invoke-ServiceAbuse\" or \"Invoke-Shellcode\" or\n \"Invoke-TokenManipulation\" or \"Invoke-UserImpersonation\" or\n \"Invoke-WmiCommand\" or \"Mount-VolumeShadowCopy\" or\n \"New-ADObjectAccessControlEntry\" or \"New-DomainGroup\" or\n \"New-DomainUser\" or \"New-DynamicParameter\" or\n \"New-InMemoryModule\" or\n \"New-ThreadedFunction\" or \"New-VolumeShadowCopy\" or\n \"Out-CompressedDll\" or \"Out-EncodedCommand\" or\n \"Out-EncryptedScript\" or \"Out-Minidump\" or\n \"PortScan-Alive\" or \"Portscan-Port\" or\n \"Remove-DomainGroupMember\" or \"Remove-DomainObjectAcl\" or\n 
\"Remove-RemoteConnection\" or \"Remove-VolumeShadowCopy\" or\n \"Restore-ServiceBinary\" or \"Set-DesktopACLToAllowEveryone\" or\n \"Set-DesktopACLs\" or \"Set-DomainObject\" or\n \"Set-DomainObjectOwner\" or \"Set-DomainUserPassword\" or\n \"Set-ServiceBinaryPath\" or \"Sub-SignedIntAsUnsigned\" or\n \"Test-AdminAccess\" or \"Test-MemoryRangeValid\" or\n \"Test-ServiceDaclPermission\" or \"Update-ExeFunctions\" or\n \"Update-MemoryAddresses\" or \"Update-MemoryProtectionFlags\" or\n \"Write-BytesToMemory\" or \"Write-HijackDll\" or\n \"Write-PortscanOut\" or \"Write-ServiceBinary\" or\n \"Write-UserAddMSI\" or \"Invoke-Privesc\" or\n \"func_get_proc_address\" or \"Invoke-BloodHound\" or\n \"Invoke-HostEnum\" or \"Get-BrowserInformation\" or\n \"Get-DomainAccountPolicy\" or \"Get-DomainAdmins\" or\n \"Get-AVProcesses\" or \"Get-AVInfo\" or\n \"Get-RecycleBin\" or \"Invoke-BruteForce\" or\n \"Get-PassHints\" or \"Invoke-SessionGopher\" or\n \"Get-LSASecret\" or \"Get-PassHashes\" or\n \"Invoke-WdigestDowngrade\" or \"Get-ChromeDump\" or\n \"Invoke-DomainPasswordSpray\" or \"Get-FoxDump\" or\n \"New-HoneyHash\" or \"Invoke-DCSync\" or\n \"Invoke-PowerDump\" or \"Invoke-SSIDExfil\" or\n \"Invoke-PowerShellTCP\" or \"Add-Exfiltration\" or\n \"Do-Exfiltration\" or \"Invoke-DropboxUpload\" or\n \"Invoke-ExfilDataToGitHub\" or \"Invoke-EgressCheck\" or\n \"Invoke-PostExfil\" or \"Create-MultipleSessions\" or\n \"Invoke-NetworkRelay\" or \"New-GPOImmediateTask\" or\n \"Invoke-WMIDebugger\" or \"Invoke-SQLOSCMD\" or\n \"Invoke-SMBExec\" or \"Invoke-PSRemoting\" or\n \"Invoke-ExecuteMSBuild\" or \"Invoke-DCOM\" or\n \"Invoke-InveighRelay\" or \"Invoke-PsExec\" or\n \"Invoke-SSHCommand\" or \"Find-ActiveUsersWMI\" or\n \"Get-SystemDrivesWMI\" or \"Get-ActiveNICSWMI\" or\n \"Remove-Persistence\" or \"DNS_TXT_Pwnage\" or\n \"Execute-OnTime\" or \"HTTP-Backdoor\" or\n \"Add-ConstrainedDelegationBackdoor\" or \"Add-RegBackdoor\" or\n \"Add-ScrnSaveBackdoor\" or \"Gupt-Backdoor\" 
or\n \"Invoke-ADSBackdoor\" or \"Add-Persistence\" or\n \"Invoke-ResolverBackdoor\" or \"Invoke-EventLogBackdoor\" or\n \"Invoke-DeadUserBackdoor\" or \"Invoke-DisableMachineAcctChange\" or\n \"Invoke-AccessBinary\" or \"Add-NetUser\" or\n \"Invoke-Schtasks\" or \"Invoke-JSRatRegsvr\" or\n \"Invoke-JSRatRundll\" or \"Invoke-PoshRatHttps\" or\n \"Invoke-PsGcatAgent\" or \"Remove-PoshRat\" or\n \"Install-SSP\" or \"Invoke-BackdoorLNK\" or\n \"PowerBreach\" or \"InstallEXE-Persistence\" or\n \"RemoveEXE-Persistence\" or \"Install-ServiceLevel-Persistence\" or\n \"Remove-ServiceLevel-Persistence\" or \"Invoke-Prompt\" or\n \"Invoke-PacketCapture\" or \"Start-WebcamRecorder\" or\n \"Get-USBKeyStrokes\" or \"Invoke-KeeThief\" or\n \"Get-Keystrokes\" or \"Invoke-NetRipper\" or\n \"Get-EmailItems\" or \"Invoke-MailSearch\" or\n \"Invoke-SearchGAL\" or \"Get-WebCredentials\" or\n \"Start-CaptureServer\" or \"Invoke-PowerShellIcmp\" or\n \"Invoke-PowerShellTcpOneLine\" or \"Invoke-PowerShellTcpOneLineBind\" or\n \"Invoke-PowerShellUdp\" or \"Invoke-PowerShellUdpOneLine\" or\n \"Run-EXEonRemote\" or \"Download-Execute-PS\" or\n \"Out-RundllCommand\" or \"Set-RemoteWMI\" or\n \"Set-DCShadowPermissions\" or \"Invoke-PowerShellWMI\" or\n \"Invoke-Vnc\" or \"Invoke-LockWorkStation\" or\n \"Invoke-EternalBlue\" or \"Invoke-ShellcodeMSIL\" or\n \"Invoke-MetasploitPayload\" or \"Invoke-DowngradeAccount\" or\n \"Invoke-RunAs\" or \"ExetoText\" or\n \"Disable-SecuritySettings\" or \"Set-MacAttribute\" or\n \"Invoke-MS16032\" or \"Invoke-BypassUACTokenManipulation\" or\n \"Invoke-SDCLTBypass\" or \"Invoke-FodHelperBypass\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-EnvBypass\" or\n \"Get-ServiceUnquoted\" or \"Get-ServiceFilePermission\" or\n \"Get-ServicePermission\" or \"Get-ServicePermission\" or\n \"Enable-DuplicateToken\" or \"Invoke-PsUaCme\" or\n \"Invoke-Tater\" or \"Invoke-WScriptBypassUAC\" or\n \"Invoke-AllChecks\" or \"Find-TrustedDocuments\" or\n \"Invoke-Interceptor\" or 
\"Invoke-PoshRatHttp\" or\n \"Invoke-ExecCommandWMI\" or \"Invoke-KillProcessWMI\" or\n \"Invoke-CreateShareandExecute\" or \"Invoke-RemoteScriptWithOutput\" or\n \"Invoke-SchedJobManipulation\" or \"Invoke-ServiceManipulation\" or\n \"Invoke-PowerOptionsWMI\" or \"Invoke-DirectoryListing\" or\n \"Invoke-FileTransferOverWMI\" or \"Invoke-WMImplant\" or\n \"Invoke-WMIObfuscatedPSCommand\" or \"Invoke-WMIDuplicateClass\" or\n \"Invoke-WMIUpload\" or \"Invoke-WMIRemoteExtract\" or \"Invoke-winPEAS\"\n ) and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\"\n ) and\n not user.id : (\"S-1-5-18\" or \"S-1-5-19\")\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", "https://github.com/BC-SECURITY/Empire"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "cde1bafa-9f01-4f43-a872-605b678968b0", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", 
"reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 6}, "id": "cde1bafa-9f01-4f43-a872-605b678968b0_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_7.json b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_7.json
deleted file mode 100644
index 1c14053820e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential PowerShell HackTool Script by Function Names", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Add-DomainGroupMember\" or \"Add-DomainObjectAcl\" or\n \"Add-RemoteConnection\" or \"Add-ServiceDacl\" or\n \"Add-Win32Type\" or \"Convert-ADName\" or\n \"Convert-LDAPProperty\" or \"ConvertFrom-LDAPLogonHours\" or\n \"ConvertFrom-UACValue\" or \"Copy-ArrayOfMemAddresses\" or\n \"Create-NamedPipe\" or \"Create-ProcessWithToken\" or\n \"Create-RemoteThread\" or \"Create-SuspendedWinLogon\" or\n \"Create-WinLogonProcess\" or \"Emit-CallThreadStub\" or\n \"Enable-SeAssignPrimaryTokenPrivilege\" or \"Enable-SeDebugPrivilege\" or\n \"Enum-AllTokens\" or \"Export-PowerViewCSV\" or\n \"Find-AVSignature\" or \"Find-AppLockerLog\" or\n \"Find-DomainLocalGroupMember\" or \"Find-DomainObjectPropertyOutlier\" or\n \"Find-DomainProcess\" or \"Find-DomainShare\" or\n \"Find-DomainUserEvent\" or \"Find-DomainUserLocation\" or\n \"Find-InterestingDomainAcl\" or \"Find-InterestingDomainShareFile\" or\n \"Find-InterestingFile\" or \"Find-LocalAdminAccess\" or\n \"Find-PSScriptsInPSAppLog\" or \"Find-PathDLLHijack\" or\n \"Find-ProcessDLLHijack\" or \"Find-RDPClientConnection\" or\n \"Get-AllAttributesForClass\" or \"Get-CachedGPPPassword\" or\n \"Get-DecryptedCpassword\" or \"Get-DecryptedSitelistPassword\" or\n \"Get-DelegateType\" or\n \"Get-DomainDFSShare\" or \"Get-DomainDFSShareV1\" or\n \"Get-DomainDFSShareV2\" or \"Get-DomainDNSRecord\" or\n \"Get-DomainDNSZone\" or \"Get-DomainFileServer\" or\n 
\"Get-DomainForeignGroupMember\" or \"Get-DomainForeignUser\" or\n \"Get-DomainGPO\" or \"Get-DomainGPOComputerLocalGroupMapping\" or\n \"Get-DomainGPOLocalGroup\" or \"Get-DomainGPOUserLocalGroupMapping\" or\n \"Get-DomainGUIDMap\" or \"Get-DomainGroup\" or\n \"Get-DomainGroupMember\" or \"Get-DomainGroupMemberDeleted\" or\n \"Get-DomainManagedSecurityGroup\" or \"Get-DomainOU\" or\n \"Get-DomainObject\" or \"Get-DomainObjectAcl\" or\n \"Get-DomainObjectAttributeHistory\" or \"Get-DomainObjectLinkedAttributeHistory\" or\n \"Get-DomainPolicyData\" or \"Get-DomainSID\" or\n \"Get-DomainSPNTicket\" or \"Get-DomainSearcher\" or\n \"Get-DomainSite\" or \"Get-DomainSubnet\" or\n \"Get-DomainTrust\" or \"Get-DomainTrustMapping\" or\n \"Get-DomainUser\" or \"Get-DomainUserEvent\" or\n \"Get-Forest\" or \"Get-ForestDomain\" or\n \"Get-ForestGlobalCatalog\" or \"Get-ForestSchemaClass\" or\n \"Get-ForestTrust\" or \"Get-GPODelegation\" or\n \"Get-GPPAutologon\" or \"Get-GPPInnerField\" or\n \"Get-GPPInnerFields\" or \"Get-GPPPassword\" or\n \"Get-GptTmpl\" or \"Get-GroupsXML\" or\n \"Get-HttpStatus\" or \"Get-ImageNtHeaders\" or\n \"Get-Keystrokes\" or\n \"Get-MemoryProcAddress\" or \"Get-MicrophoneAudio\" or\n \"Get-ModifiablePath\" or \"Get-ModifiableRegistryAutoRun\" or\n \"Get-ModifiableScheduledTaskFile\" or \"Get-ModifiableService\" or\n \"Get-ModifiableServiceFile\" or \"Get-Name\" or\n \"Get-NetComputerSiteName\" or \"Get-NetLocalGroup\" or\n \"Get-NetLocalGroupMember\" or \"Get-NetLoggedon\" or\n \"Get-NetRDPSession\" or \"Get-NetSession\" or\n \"Get-NetShare\" or \"Get-PEArchitecture\" or\n \"Get-PEBasicInfo\" or \"Get-PEDetailedInfo\" or\n \"Get-PathAcl\" or \"Get-PrimaryToken\" or\n \"Get-ProcAddress\" or \"Get-ProcessTokenGroup\" or\n \"Get-ProcessTokenPrivilege\" or \"Get-ProcessTokenType\" or\n \"Get-RegLoggedOn\" or \"Get-RegistryAlwaysInstallElevated\" or\n \"Get-RegistryAutoLogon\" or \"Get-RemoteProcAddress\" or\n \"Get-Screenshot\" or 
\"Get-ServiceDetail\" or\n \"Get-SiteListPassword\" or \"Get-SitelistField\" or\n \"Get-System\" or \"Get-SystemNamedPipe\" or\n \"Get-SystemToken\" or \"Get-ThreadToken\" or\n \"Get-TimedScreenshot\" or \"Get-TokenInformation\" or\n \"Get-TopPort\" or \"Get-UnattendedInstallFile\" or\n \"Get-UniqueTokens\" or \"Get-UnquotedService\" or\n \"Get-VaultCredential\" or \"Get-VaultElementValue\" or\n \"Get-VirtualProtectValue\" or \"Get-VolumeShadowCopy\" or\n \"Get-WMIProcess\" or \"Get-WMIRegCachedRDPConnection\" or\n \"Get-WMIRegLastLoggedOn\" or \"Get-WMIRegMountedDrive\" or\n \"Get-WMIRegProxy\" or \"Get-WebConfig\" or\n \"Get-Win32Constants\" or \"Get-Win32Functions\" or\n \"Get-Win32Types\" or \"Import-DllImports\" or\n \"Import-DllInRemoteProcess\" or \"Inject-LocalShellcode\" or\n \"Inject-RemoteShellcode\" or \"Install-ServiceBinary\" or\n \"Invoke-CompareAttributesForClass\" or \"Invoke-CreateRemoteThread\" or\n \"Invoke-CredentialInjection\" or \"Invoke-DllInjection\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-ImpersonateUser\" or\n \"Invoke-Kerberoast\" or \"Invoke-MemoryFreeLibrary\" or\n \"Invoke-MemoryLoadLibrary\" or \"Invoke-Method\" or\n \"Invoke-Mimikatz\" or \"Invoke-NinjaCopy\" or\n \"Invoke-PatchDll\" or \"Invoke-Portscan\" or\n \"Invoke-PrivescAudit\" or \"Invoke-ReflectivePEInjection\" or\n \"Invoke-ReverseDnsLookup\" or \"Invoke-RevertToSelf\" or\n \"Invoke-ServiceAbuse\" or \"Invoke-Shellcode\" or\n \"Invoke-TokenManipulation\" or \"Invoke-UserImpersonation\" or\n \"Invoke-WmiCommand\" or \"Mount-VolumeShadowCopy\" or\n \"New-ADObjectAccessControlEntry\" or \"New-DomainGroup\" or\n \"New-DomainUser\" or \"New-DynamicParameter\" or\n \"New-InMemoryModule\" or\n \"New-ThreadedFunction\" or \"New-VolumeShadowCopy\" or\n \"Out-CompressedDll\" or \"Out-EncodedCommand\" or\n \"Out-EncryptedScript\" or \"Out-Minidump\" or\n \"PortScan-Alive\" or \"Portscan-Port\" or\n \"Remove-DomainGroupMember\" or \"Remove-DomainObjectAcl\" or\n 
\"Remove-RemoteConnection\" or \"Remove-VolumeShadowCopy\" or\n \"Restore-ServiceBinary\" or \"Set-DesktopACLToAllowEveryone\" or\n \"Set-DesktopACLs\" or \"Set-DomainObject\" or\n \"Set-DomainObjectOwner\" or \"Set-DomainUserPassword\" or\n \"Set-ServiceBinaryPath\" or \"Sub-SignedIntAsUnsigned\" or\n \"Test-AdminAccess\" or \"Test-MemoryRangeValid\" or\n \"Test-ServiceDaclPermission\" or \"Update-ExeFunctions\" or\n \"Update-MemoryAddresses\" or \"Update-MemoryProtectionFlags\" or\n \"Write-BytesToMemory\" or \"Write-HijackDll\" or\n \"Write-PortscanOut\" or \"Write-ServiceBinary\" or\n \"Write-UserAddMSI\" or \"Invoke-Privesc\" or\n \"func_get_proc_address\" or \"Invoke-BloodHound\" or\n \"Invoke-HostEnum\" or \"Get-BrowserInformation\" or\n \"Get-DomainAccountPolicy\" or \"Get-DomainAdmins\" or\n \"Get-AVProcesses\" or \"Get-AVInfo\" or\n \"Get-RecycleBin\" or \"Invoke-BruteForce\" or\n \"Get-PassHints\" or \"Invoke-SessionGopher\" or\n \"Get-LSASecret\" or \"Get-PassHashes\" or\n \"Invoke-WdigestDowngrade\" or \"Get-ChromeDump\" or\n \"Invoke-DomainPasswordSpray\" or \"Get-FoxDump\" or\n \"New-HoneyHash\" or \"Invoke-DCSync\" or\n \"Invoke-PowerDump\" or \"Invoke-SSIDExfil\" or\n \"Invoke-PowerShellTCP\" or \"Add-Exfiltration\" or\n \"Do-Exfiltration\" or \"Invoke-DropboxUpload\" or\n \"Invoke-ExfilDataToGitHub\" or \"Invoke-EgressCheck\" or\n \"Invoke-PostExfil\" or \"Create-MultipleSessions\" or\n \"Invoke-NetworkRelay\" or \"New-GPOImmediateTask\" or\n \"Invoke-WMIDebugger\" or \"Invoke-SQLOSCMD\" or\n \"Invoke-SMBExec\" or \"Invoke-PSRemoting\" or\n \"Invoke-ExecuteMSBuild\" or \"Invoke-DCOM\" or\n \"Invoke-InveighRelay\" or \"Invoke-PsExec\" or\n \"Invoke-SSHCommand\" or \"Find-ActiveUsersWMI\" or\n \"Get-SystemDrivesWMI\" or \"Get-ActiveNICSWMI\" or\n \"Remove-Persistence\" or \"DNS_TXT_Pwnage\" or\n \"Execute-OnTime\" or \"HTTP-Backdoor\" or\n \"Add-ConstrainedDelegationBackdoor\" or \"Add-RegBackdoor\" or\n \"Add-ScrnSaveBackdoor\" or \"Gupt-Backdoor\" 
or\n \"Invoke-ADSBackdoor\" or \"Add-Persistence\" or\n \"Invoke-ResolverBackdoor\" or \"Invoke-EventLogBackdoor\" or\n \"Invoke-DeadUserBackdoor\" or \"Invoke-DisableMachineAcctChange\" or\n \"Invoke-AccessBinary\" or \"Add-NetUser\" or\n \"Invoke-Schtasks\" or \"Invoke-JSRatRegsvr\" or\n \"Invoke-JSRatRundll\" or \"Invoke-PoshRatHttps\" or\n \"Invoke-PsGcatAgent\" or \"Remove-PoshRat\" or\n \"Install-SSP\" or \"Invoke-BackdoorLNK\" or\n \"PowerBreach\" or \"InstallEXE-Persistence\" or\n \"RemoveEXE-Persistence\" or \"Install-ServiceLevel-Persistence\" or\n \"Remove-ServiceLevel-Persistence\" or \"Invoke-Prompt\" or\n \"Invoke-PacketCapture\" or \"Start-WebcamRecorder\" or\n \"Get-USBKeyStrokes\" or \"Invoke-KeeThief\" or\n \"Get-Keystrokes\" or \"Invoke-NetRipper\" or\n \"Get-EmailItems\" or \"Invoke-MailSearch\" or\n \"Invoke-SearchGAL\" or \"Get-WebCredentials\" or\n \"Start-CaptureServer\" or \"Invoke-PowerShellIcmp\" or\n \"Invoke-PowerShellTcpOneLine\" or \"Invoke-PowerShellTcpOneLineBind\" or\n \"Invoke-PowerShellUdp\" or \"Invoke-PowerShellUdpOneLine\" or\n \"Run-EXEonRemote\" or \"Download-Execute-PS\" or\n \"Out-RundllCommand\" or \"Set-RemoteWMI\" or\n \"Set-DCShadowPermissions\" or \"Invoke-PowerShellWMI\" or\n \"Invoke-Vnc\" or \"Invoke-LockWorkStation\" or\n \"Invoke-EternalBlue\" or \"Invoke-ShellcodeMSIL\" or\n \"Invoke-MetasploitPayload\" or \"Invoke-DowngradeAccount\" or\n \"Invoke-RunAs\" or \"ExetoText\" or\n \"Disable-SecuritySettings\" or \"Set-MacAttribute\" or\n \"Invoke-MS16032\" or \"Invoke-BypassUACTokenManipulation\" or\n \"Invoke-SDCLTBypass\" or \"Invoke-FodHelperBypass\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-EnvBypass\" or\n \"Get-ServiceUnquoted\" or \"Get-ServiceFilePermission\" or\n \"Get-ServicePermission\" or \"Get-ServicePermission\" or\n \"Enable-DuplicateToken\" or \"Invoke-PsUaCme\" or\n \"Invoke-Tater\" or \"Invoke-WScriptBypassUAC\" or\n \"Invoke-AllChecks\" or \"Find-TrustedDocuments\" or\n \"Invoke-Interceptor\" or 
\"Invoke-PoshRatHttp\" or\n \"Invoke-ExecCommandWMI\" or \"Invoke-KillProcessWMI\" or\n \"Invoke-CreateShareandExecute\" or \"Invoke-RemoteScriptWithOutput\" or\n \"Invoke-SchedJobManipulation\" or \"Invoke-ServiceManipulation\" or\n \"Invoke-PowerOptionsWMI\" or \"Invoke-DirectoryListing\" or\n \"Invoke-FileTransferOverWMI\" or \"Invoke-WMImplant\" or\n \"Invoke-WMIObfuscatedPSCommand\" or \"Invoke-WMIDuplicateClass\" or\n \"Invoke-WMIUpload\" or \"Invoke-WMIRemoteExtract\" or \"Invoke-winPEAS\"\n ) and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\"\n ) and\n not user.id : (\"S-1-5-18\" or \"S-1-5-19\")\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", "https://github.com/BC-SECURITY/Empire"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "cde1bafa-9f01-4f43-a872-605b678968b0", "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": 
"Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 7}, "id": "cde1bafa-9f01-4f43-a872-605b678968b0_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_8.json b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_8.json
deleted file mode 100644
index e30066d7a82..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_8.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential PowerShell HackTool Script by Function Names", "note": "## Triage and analysis\n\n### Investigating Potential PowerShell HackTool Script by Function Names\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAdversaries often exploit PowerShell's capabilities to execute malicious scripts and perform various attacks. This rule identifies known offensive tooling function names in PowerShell scripts, as attackers commonly use out-of-the-box tools without modifying the code. By monitoring these specific function names, the rule aims to detect and alert potential malicious PowerShell activity.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the script's execution context, such as the user account, privileges, the role of the system on which it was executed, and any relevant timestamps.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate the origin of the PowerShell script, including its source, download method, and any associated URLs or IP addresses.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - 
!{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This rule may generate false positives if legitimate scripts or tools used by administrators contain any of the listed function names. These function names are commonly associated with offensive tooling, but they may also be present in benign scripts or tools.\n- To handle these false positives consider adding exceptions - preferably with a combination of full file path and users.\n\n### Related Rules\n\n- PowerShell Invoke-NinjaCopy script - b8386923-b02c-4b94-986a-d223d9b01f88\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, 
search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Add-DomainGroupMember\" or \"Add-DomainObjectAcl\" or\n \"Add-RemoteConnection\" or \"Add-ServiceDacl\" or\n \"Add-Win32Type\" or \"Convert-ADName\" or\n \"Convert-LDAPProperty\" or \"ConvertFrom-LDAPLogonHours\" or\n \"ConvertFrom-UACValue\" or \"Copy-ArrayOfMemAddresses\" or\n \"Create-NamedPipe\" or \"Create-ProcessWithToken\" or\n \"Create-RemoteThread\" or \"Create-SuspendedWinLogon\" or\n \"Create-WinLogonProcess\" or \"Emit-CallThreadStub\" or\n \"Enable-SeAssignPrimaryTokenPrivilege\" or 
\"Enable-SeDebugPrivilege\" or\n \"Enum-AllTokens\" or \"Export-PowerViewCSV\" or\n \"Find-AVSignature\" or \"Find-AppLockerLog\" or\n \"Find-DomainLocalGroupMember\" or \"Find-DomainObjectPropertyOutlier\" or\n \"Find-DomainProcess\" or \"Find-DomainShare\" or\n \"Find-DomainUserEvent\" or \"Find-DomainUserLocation\" or\n \"Find-InterestingDomainAcl\" or \"Find-InterestingDomainShareFile\" or\n \"Find-InterestingFile\" or \"Find-LocalAdminAccess\" or\n \"Find-PSScriptsInPSAppLog\" or \"Find-PathDLLHijack\" or\n \"Find-ProcessDLLHijack\" or \"Find-RDPClientConnection\" or\n \"Get-AllAttributesForClass\" or \"Get-CachedGPPPassword\" or\n \"Get-DecryptedCpassword\" or \"Get-DecryptedSitelistPassword\" or\n \"Get-DelegateType\" or\n \"Get-DomainDFSShare\" or \"Get-DomainDFSShareV1\" or\n \"Get-DomainDFSShareV2\" or \"Get-DomainDNSRecord\" or\n \"Get-DomainDNSZone\" or \"Get-DomainFileServer\" or\n \"Get-DomainForeignGroupMember\" or \"Get-DomainForeignUser\" or\n \"Get-DomainGPO\" or \"Get-DomainGPOComputerLocalGroupMapping\" or\n \"Get-DomainGPOLocalGroup\" or \"Get-DomainGPOUserLocalGroupMapping\" or\n \"Get-DomainGUIDMap\" or \"Get-DomainGroup\" or\n \"Get-DomainGroupMember\" or \"Get-DomainGroupMemberDeleted\" or\n \"Get-DomainManagedSecurityGroup\" or \"Get-DomainOU\" or\n \"Get-DomainObject\" or \"Get-DomainObjectAcl\" or\n \"Get-DomainObjectAttributeHistory\" or \"Get-DomainObjectLinkedAttributeHistory\" or\n \"Get-DomainPolicyData\" or \"Get-DomainSID\" or\n \"Get-DomainSPNTicket\" or \"Get-DomainSearcher\" or\n \"Get-DomainSite\" or \"Get-DomainSubnet\" or\n \"Get-DomainTrust\" or \"Get-DomainTrustMapping\" or\n \"Get-DomainUser\" or \"Get-DomainUserEvent\" or\n \"Get-Forest\" or \"Get-ForestDomain\" or\n \"Get-ForestGlobalCatalog\" or \"Get-ForestSchemaClass\" or\n \"Get-ForestTrust\" or \"Get-GPODelegation\" or\n \"Get-GPPAutologon\" or \"Get-GPPInnerField\" or\n \"Get-GPPInnerFields\" or \"Get-GPPPassword\" or\n \"Get-GptTmpl\" or \"Get-GroupsXML\" or\n 
\"Get-HttpStatus\" or \"Get-ImageNtHeaders\" or\n \"Get-Keystrokes\" or\n \"Get-MemoryProcAddress\" or \"Get-MicrophoneAudio\" or\n \"Get-ModifiablePath\" or \"Get-ModifiableRegistryAutoRun\" or\n \"Get-ModifiableScheduledTaskFile\" or \"Get-ModifiableService\" or\n \"Get-ModifiableServiceFile\" or \"Get-Name\" or\n \"Get-NetComputerSiteName\" or \"Get-NetLocalGroup\" or\n \"Get-NetLocalGroupMember\" or \"Get-NetLoggedon\" or\n \"Get-NetRDPSession\" or \"Get-NetSession\" or\n \"Get-NetShare\" or \"Get-PEArchitecture\" or\n \"Get-PEBasicInfo\" or \"Get-PEDetailedInfo\" or\n \"Get-PathAcl\" or \"Get-PrimaryToken\" or\n \"Get-ProcAddress\" or \"Get-ProcessTokenGroup\" or\n \"Get-ProcessTokenPrivilege\" or \"Get-ProcessTokenType\" or\n \"Get-RegLoggedOn\" or \"Get-RegistryAlwaysInstallElevated\" or\n \"Get-RegistryAutoLogon\" or \"Get-RemoteProcAddress\" or\n \"Get-Screenshot\" or \"Get-ServiceDetail\" or\n \"Get-SiteListPassword\" or \"Get-SitelistField\" or\n \"Get-System\" or \"Get-SystemNamedPipe\" or\n \"Get-SystemToken\" or \"Get-ThreadToken\" or\n \"Get-TimedScreenshot\" or \"Get-TokenInformation\" or\n \"Get-TopPort\" or \"Get-UnattendedInstallFile\" or\n \"Get-UniqueTokens\" or \"Get-UnquotedService\" or\n \"Get-VaultCredential\" or \"Get-VaultElementValue\" or\n \"Get-VirtualProtectValue\" or \"Get-VolumeShadowCopy\" or\n \"Get-WMIProcess\" or \"Get-WMIRegCachedRDPConnection\" or\n \"Get-WMIRegLastLoggedOn\" or \"Get-WMIRegMountedDrive\" or\n \"Get-WMIRegProxy\" or \"Get-WebConfig\" or\n \"Get-Win32Constants\" or \"Get-Win32Functions\" or\n \"Get-Win32Types\" or \"Import-DllImports\" or\n \"Import-DllInRemoteProcess\" or \"Inject-LocalShellcode\" or\n \"Inject-RemoteShellcode\" or \"Install-ServiceBinary\" or\n \"Invoke-CompareAttributesForClass\" or \"Invoke-CreateRemoteThread\" or\n \"Invoke-CredentialInjection\" or \"Invoke-DllInjection\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-ImpersonateUser\" or\n \"Invoke-Kerberoast\" or \"Invoke-MemoryFreeLibrary\" 
or\n \"Invoke-MemoryLoadLibrary\" or \"Invoke-Method\" or\n \"Invoke-Mimikatz\" or \"Invoke-NinjaCopy\" or\n \"Invoke-PatchDll\" or \"Invoke-Portscan\" or\n \"Invoke-PrivescAudit\" or \"Invoke-ReflectivePEInjection\" or\n \"Invoke-ReverseDnsLookup\" or \"Invoke-RevertToSelf\" or\n \"Invoke-ServiceAbuse\" or \"Invoke-Shellcode\" or\n \"Invoke-TokenManipulation\" or \"Invoke-UserImpersonation\" or\n \"Invoke-WmiCommand\" or \"Mount-VolumeShadowCopy\" or\n \"New-ADObjectAccessControlEntry\" or \"New-DomainGroup\" or\n \"New-DomainUser\" or \"New-DynamicParameter\" or\n \"New-InMemoryModule\" or\n \"New-ThreadedFunction\" or \"New-VolumeShadowCopy\" or\n \"Out-CompressedDll\" or \"Out-EncodedCommand\" or\n \"Out-EncryptedScript\" or \"Out-Minidump\" or\n \"PortScan-Alive\" or \"Portscan-Port\" or\n \"Remove-DomainGroupMember\" or \"Remove-DomainObjectAcl\" or\n \"Remove-RemoteConnection\" or \"Remove-VolumeShadowCopy\" or\n \"Restore-ServiceBinary\" or \"Set-DesktopACLToAllowEveryone\" or\n \"Set-DesktopACLs\" or \"Set-DomainObject\" or\n \"Set-DomainObjectOwner\" or \"Set-DomainUserPassword\" or\n \"Set-ServiceBinaryPath\" or \"Sub-SignedIntAsUnsigned\" or\n \"Test-AdminAccess\" or \"Test-MemoryRangeValid\" or\n \"Test-ServiceDaclPermission\" or \"Update-ExeFunctions\" or\n \"Update-MemoryAddresses\" or \"Update-MemoryProtectionFlags\" or\n \"Write-BytesToMemory\" or \"Write-HijackDll\" or\n \"Write-PortscanOut\" or \"Write-ServiceBinary\" or\n \"Write-UserAddMSI\" or \"Invoke-Privesc\" or\n \"func_get_proc_address\" or \"Invoke-BloodHound\" or\n \"Invoke-HostEnum\" or \"Get-BrowserInformation\" or\n \"Get-DomainAccountPolicy\" or \"Get-DomainAdmins\" or\n \"Get-AVProcesses\" or \"Get-AVInfo\" or\n \"Get-RecycleBin\" or \"Invoke-BruteForce\" or\n \"Get-PassHints\" or \"Invoke-SessionGopher\" or\n \"Get-LSASecret\" or \"Get-PassHashes\" or\n \"Invoke-WdigestDowngrade\" or \"Get-ChromeDump\" or\n \"Invoke-DomainPasswordSpray\" or \"Get-FoxDump\" or\n \"New-HoneyHash\" 
or \"Invoke-DCSync\" or\n \"Invoke-PowerDump\" or \"Invoke-SSIDExfil\" or\n \"Invoke-PowerShellTCP\" or \"Add-Exfiltration\" or\n \"Do-Exfiltration\" or \"Invoke-DropboxUpload\" or\n \"Invoke-ExfilDataToGitHub\" or \"Invoke-EgressCheck\" or\n \"Invoke-PostExfil\" or \"Create-MultipleSessions\" or\n \"Invoke-NetworkRelay\" or \"New-GPOImmediateTask\" or\n \"Invoke-WMIDebugger\" or \"Invoke-SQLOSCMD\" or\n \"Invoke-SMBExec\" or \"Invoke-PSRemoting\" or\n \"Invoke-ExecuteMSBuild\" or \"Invoke-DCOM\" or\n \"Invoke-InveighRelay\" or \"Invoke-PsExec\" or\n \"Invoke-SSHCommand\" or \"Find-ActiveUsersWMI\" or\n \"Get-SystemDrivesWMI\" or \"Get-ActiveNICSWMI\" or\n \"Remove-Persistence\" or \"DNS_TXT_Pwnage\" or\n \"Execute-OnTime\" or \"HTTP-Backdoor\" or\n \"Add-ConstrainedDelegationBackdoor\" or \"Add-RegBackdoor\" or\n \"Add-ScrnSaveBackdoor\" or \"Gupt-Backdoor\" or\n \"Invoke-ADSBackdoor\" or \"Add-Persistence\" or\n \"Invoke-ResolverBackdoor\" or \"Invoke-EventLogBackdoor\" or\n \"Invoke-DeadUserBackdoor\" or \"Invoke-DisableMachineAcctChange\" or\n \"Invoke-AccessBinary\" or \"Add-NetUser\" or\n \"Invoke-Schtasks\" or \"Invoke-JSRatRegsvr\" or\n \"Invoke-JSRatRundll\" or \"Invoke-PoshRatHttps\" or\n \"Invoke-PsGcatAgent\" or \"Remove-PoshRat\" or\n \"Install-SSP\" or \"Invoke-BackdoorLNK\" or\n \"PowerBreach\" or \"InstallEXE-Persistence\" or\n \"RemoveEXE-Persistence\" or \"Install-ServiceLevel-Persistence\" or\n \"Remove-ServiceLevel-Persistence\" or \"Invoke-Prompt\" or\n \"Invoke-PacketCapture\" or \"Start-WebcamRecorder\" or\n \"Get-USBKeyStrokes\" or \"Invoke-KeeThief\" or\n \"Get-Keystrokes\" or \"Invoke-NetRipper\" or\n \"Get-EmailItems\" or \"Invoke-MailSearch\" or\n \"Invoke-SearchGAL\" or \"Get-WebCredentials\" or\n \"Start-CaptureServer\" or \"Invoke-PowerShellIcmp\" or\n \"Invoke-PowerShellTcpOneLine\" or \"Invoke-PowerShellTcpOneLineBind\" or\n \"Invoke-PowerShellUdp\" or \"Invoke-PowerShellUdpOneLine\" or\n \"Run-EXEonRemote\" or 
\"Download-Execute-PS\" or\n \"Out-RundllCommand\" or \"Set-RemoteWMI\" or\n \"Set-DCShadowPermissions\" or \"Invoke-PowerShellWMI\" or\n \"Invoke-Vnc\" or \"Invoke-LockWorkStation\" or\n \"Invoke-EternalBlue\" or \"Invoke-ShellcodeMSIL\" or\n \"Invoke-MetasploitPayload\" or \"Invoke-DowngradeAccount\" or\n \"Invoke-RunAs\" or \"ExetoText\" or\n \"Disable-SecuritySettings\" or \"Set-MacAttribute\" or\n \"Invoke-MS16032\" or \"Invoke-BypassUACTokenManipulation\" or\n \"Invoke-SDCLTBypass\" or \"Invoke-FodHelperBypass\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-EnvBypass\" or\n \"Get-ServiceUnquoted\" or \"Get-ServiceFilePermission\" or\n \"Get-ServicePermission\" or \"Get-ServicePermission\" or\n \"Enable-DuplicateToken\" or \"Invoke-PsUaCme\" or\n \"Invoke-Tater\" or \"Invoke-WScriptBypassUAC\" or\n \"Invoke-AllChecks\" or \"Find-TrustedDocuments\" or\n \"Invoke-Interceptor\" or \"Invoke-PoshRatHttp\" or\n \"Invoke-ExecCommandWMI\" or \"Invoke-KillProcessWMI\" or\n \"Invoke-CreateShareandExecute\" or \"Invoke-RemoteScriptWithOutput\" or\n \"Invoke-SchedJobManipulation\" or \"Invoke-ServiceManipulation\" or\n \"Invoke-PowerOptionsWMI\" or \"Invoke-DirectoryListing\" or\n \"Invoke-FileTransferOverWMI\" or \"Invoke-WMImplant\" or\n \"Invoke-WMIObfuscatedPSCommand\" or \"Invoke-WMIDuplicateClass\" or\n \"Invoke-WMIUpload\" or \"Invoke-WMIRemoteExtract\" or \"Invoke-winPEAS\"\n ) and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\"\n ) and\n not user.id : (\"S-1-5-18\" or \"S-1-5-19\")\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", "https://github.com/BC-SECURITY/Empire"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": 
"powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "cde1bafa-9f01-4f43-a872-605b678968b0", "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 8}, "id": "cde1bafa-9f01-4f43-a872-605b678968b0_8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_9.json b/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_9.json
deleted file mode 100644
index 6dd60275472..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cde1bafa-9f01-4f43-a872-605b678968b0_9.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects known PowerShell offensive tooling functions names in PowerShell scripts. Attackers commonly use out-of-the-box offensive tools without modifying the code. This rule aim is to take advantage of that.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential PowerShell HackTool Script by Function Names", "note": "## Triage and analysis\n\n### Investigating Potential PowerShell HackTool Script by Function Names\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAdversaries often exploit PowerShell's capabilities to execute malicious scripts and perform various attacks. This rule identifies known offensive tooling function names in PowerShell scripts, as attackers commonly use out-of-the-box tools without modifying the code. By monitoring these specific function names, the rule aims to detect and alert potential malicious PowerShell activity.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the script's execution context, such as the user account, privileges, the role of the system on which it was executed, and any relevant timestamps.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Investigate the origin of the PowerShell script, including its source, download method, and any associated URLs or IP addresses.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - 
!{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This rule may generate false positives if legitimate scripts or tools used by administrators contain any of the listed function names. These function names are commonly associated with offensive tooling, but they may also be present in benign scripts or tools.\n- To handle these false positives consider adding exceptions - preferably with a combination of full file path and users.\n\n### Related Rules\n\n- PowerShell Invoke-NinjaCopy script - b8386923-b02c-4b94-986a-d223d9b01f88\n- PowerShell Suspicious Discovery Related Windows API Functions - 61ac3638-40a3-44b2-855a-985636ca985e\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Keylogging Script - bd2c86a0-8b61-4457-ab38-96943984e889\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, 
search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"Add-DomainGroupMember\" or \"Add-DomainObjectAcl\" or\n \"Add-RemoteConnection\" or \"Add-ServiceDacl\" or\n \"Add-Win32Type\" or \"Convert-ADName\" or\n \"Convert-LDAPProperty\" or \"ConvertFrom-LDAPLogonHours\" or\n \"ConvertFrom-UACValue\" or \"Copy-ArrayOfMemAddresses\" or\n \"Create-NamedPipe\" or \"Create-ProcessWithToken\" or\n \"Create-RemoteThread\" or \"Create-SuspendedWinLogon\" or\n \"Create-WinLogonProcess\" or \"Emit-CallThreadStub\" or\n \"Enable-SeAssignPrimaryTokenPrivilege\" or 
\"Enable-SeDebugPrivilege\" or\n \"Enum-AllTokens\" or \"Export-PowerViewCSV\" or\n \"Find-AVSignature\" or \"Find-AppLockerLog\" or\n \"Find-DomainLocalGroupMember\" or \"Find-DomainObjectPropertyOutlier\" or\n \"Find-DomainProcess\" or \"Find-DomainShare\" or\n \"Find-DomainUserEvent\" or \"Find-DomainUserLocation\" or\n \"Find-InterestingDomainAcl\" or \"Find-InterestingDomainShareFile\" or\n \"Find-InterestingFile\" or \"Find-LocalAdminAccess\" or\n \"Find-PSScriptsInPSAppLog\" or \"Find-PathDLLHijack\" or\n \"Find-ProcessDLLHijack\" or \"Find-RDPClientConnection\" or\n \"Get-AllAttributesForClass\" or \"Get-CachedGPPPassword\" or\n \"Get-DecryptedCpassword\" or \"Get-DecryptedSitelistPassword\" or\n \"Get-DelegateType\" or\n \"Get-DomainDFSShare\" or \"Get-DomainDFSShareV1\" or\n \"Get-DomainDFSShareV2\" or \"Get-DomainDNSRecord\" or\n \"Get-DomainDNSZone\" or \"Get-DomainFileServer\" or\n \"Get-DomainForeignGroupMember\" or \"Get-DomainForeignUser\" or\n \"Get-DomainGPO\" or \"Get-DomainGPOComputerLocalGroupMapping\" or\n \"Get-DomainGPOLocalGroup\" or \"Get-DomainGPOUserLocalGroupMapping\" or\n \"Get-DomainGUIDMap\" or \"Get-DomainGroup\" or\n \"Get-DomainGroupMember\" or \"Get-DomainGroupMemberDeleted\" or\n \"Get-DomainManagedSecurityGroup\" or \"Get-DomainOU\" or\n \"Get-DomainObject\" or \"Get-DomainObjectAcl\" or\n \"Get-DomainObjectAttributeHistory\" or \"Get-DomainObjectLinkedAttributeHistory\" or\n \"Get-DomainPolicyData\" or \"Get-DomainSID\" or\n \"Get-DomainSPNTicket\" or \"Get-DomainSearcher\" or\n \"Get-DomainSite\" or \"Get-DomainSubnet\" or\n \"Get-DomainTrust\" or \"Get-DomainTrustMapping\" or\n \"Get-DomainUser\" or \"Get-DomainUserEvent\" or\n \"Get-Forest\" or \"Get-ForestDomain\" or\n \"Get-ForestGlobalCatalog\" or \"Get-ForestSchemaClass\" or\n \"Get-ForestTrust\" or \"Get-GPODelegation\" or\n \"Get-GPPAutologon\" or \"Get-GPPInnerField\" or\n \"Get-GPPInnerFields\" or \"Get-GPPPassword\" or\n \"Get-GptTmpl\" or \"Get-GroupsXML\" or\n 
\"Get-HttpStatus\" or \"Get-ImageNtHeaders\" or\n \"Get-Keystrokes\" or\n \"Get-MemoryProcAddress\" or \"Get-MicrophoneAudio\" or\n \"Get-ModifiablePath\" or \"Get-ModifiableRegistryAutoRun\" or\n \"Get-ModifiableScheduledTaskFile\" or \"Get-ModifiableService\" or\n \"Get-ModifiableServiceFile\" or \"Get-Name\" or\n \"Get-NetComputerSiteName\" or \"Get-NetLocalGroup\" or\n \"Get-NetLocalGroupMember\" or \"Get-NetLoggedon\" or\n \"Get-NetRDPSession\" or \"Get-NetSession\" or\n \"Get-NetShare\" or \"Get-PEArchitecture\" or\n \"Get-PEBasicInfo\" or \"Get-PEDetailedInfo\" or\n \"Get-PathAcl\" or \"Get-PrimaryToken\" or\n \"Get-ProcAddress\" or \"Get-ProcessTokenGroup\" or\n \"Get-ProcessTokenPrivilege\" or \"Get-ProcessTokenType\" or\n \"Get-RegLoggedOn\" or \"Get-RegistryAlwaysInstallElevated\" or\n \"Get-RegistryAutoLogon\" or \"Get-RemoteProcAddress\" or\n \"Get-Screenshot\" or \"Get-ServiceDetail\" or\n \"Get-SiteListPassword\" or \"Get-SitelistField\" or\n \"Get-System\" or \"Get-SystemNamedPipe\" or\n \"Get-SystemToken\" or \"Get-ThreadToken\" or\n \"Get-TimedScreenshot\" or \"Get-TokenInformation\" or\n \"Get-TopPort\" or \"Get-UnattendedInstallFile\" or\n \"Get-UniqueTokens\" or \"Get-UnquotedService\" or\n \"Get-VaultCredential\" or \"Get-VaultElementValue\" or\n \"Get-VirtualProtectValue\" or \"Get-VolumeShadowCopy\" or\n \"Get-WMIProcess\" or \"Get-WMIRegCachedRDPConnection\" or\n \"Get-WMIRegLastLoggedOn\" or \"Get-WMIRegMountedDrive\" or\n \"Get-WMIRegProxy\" or \"Get-WebConfig\" or\n \"Get-Win32Constants\" or \"Get-Win32Functions\" or\n \"Get-Win32Types\" or \"Import-DllImports\" or\n \"Import-DllInRemoteProcess\" or \"Inject-LocalShellcode\" or\n \"Inject-RemoteShellcode\" or \"Install-ServiceBinary\" or\n \"Invoke-CompareAttributesForClass\" or \"Invoke-CreateRemoteThread\" or\n \"Invoke-CredentialInjection\" or \"Invoke-DllInjection\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-ImpersonateUser\" or\n \"Invoke-Kerberoast\" or \"Invoke-MemoryFreeLibrary\" 
or\n \"Invoke-MemoryLoadLibrary\" or\n \"Invoke-Mimikatz\" or \"Invoke-NinjaCopy\" or\n \"Invoke-PatchDll\" or \"Invoke-Portscan\" or\n \"Invoke-PrivescAudit\" or \"Invoke-ReflectivePEInjection\" or\n \"Invoke-ReverseDnsLookup\" or \"Invoke-RevertToSelf\" or\n \"Invoke-ServiceAbuse\" or \"Invoke-Shellcode\" or\n \"Invoke-TokenManipulation\" or \"Invoke-UserImpersonation\" or\n \"Invoke-WmiCommand\" or \"Mount-VolumeShadowCopy\" or\n \"New-ADObjectAccessControlEntry\" or \"New-DomainGroup\" or\n \"New-DomainUser\" or \"New-DynamicParameter\" or\n \"New-InMemoryModule\" or\n \"New-ThreadedFunction\" or \"New-VolumeShadowCopy\" or\n \"Out-CompressedDll\" or \"Out-EncodedCommand\" or\n \"Out-EncryptedScript\" or \"Out-Minidump\" or\n \"PortScan-Alive\" or \"Portscan-Port\" or\n \"Remove-DomainGroupMember\" or \"Remove-DomainObjectAcl\" or\n \"Remove-RemoteConnection\" or \"Remove-VolumeShadowCopy\" or\n \"Restore-ServiceBinary\" or \"Set-DesktopACLToAllowEveryone\" or\n \"Set-DesktopACLs\" or \"Set-DomainObject\" or\n \"Set-DomainObjectOwner\" or \"Set-DomainUserPassword\" or\n \"Set-ServiceBinaryPath\" or \"Sub-SignedIntAsUnsigned\" or\n \"Test-AdminAccess\" or \"Test-MemoryRangeValid\" or\n \"Test-ServiceDaclPermission\" or \"Update-ExeFunctions\" or\n \"Update-MemoryAddresses\" or \"Update-MemoryProtectionFlags\" or\n \"Write-BytesToMemory\" or \"Write-HijackDll\" or\n \"Write-PortscanOut\" or \"Write-ServiceBinary\" or\n \"Write-UserAddMSI\" or \"Invoke-Privesc\" or\n \"func_get_proc_address\" or \"Invoke-BloodHound\" or\n \"Invoke-HostEnum\" or \"Get-BrowserInformation\" or\n \"Get-DomainAccountPolicy\" or \"Get-DomainAdmins\" or\n \"Get-AVProcesses\" or \"Get-AVInfo\" or\n \"Get-RecycleBin\" or \"Invoke-BruteForce\" or\n \"Get-PassHints\" or \"Invoke-SessionGopher\" or\n \"Get-LSASecret\" or \"Get-PassHashes\" or\n \"Invoke-WdigestDowngrade\" or \"Get-ChromeDump\" or\n \"Invoke-DomainPasswordSpray\" or \"Get-FoxDump\" or\n \"New-HoneyHash\" or \"Invoke-DCSync\" 
or\n \"Invoke-PowerDump\" or \"Invoke-SSIDExfil\" or\n \"Invoke-PowerShellTCP\" or \"Add-Exfiltration\" or\n \"Do-Exfiltration\" or \"Invoke-DropboxUpload\" or\n \"Invoke-ExfilDataToGitHub\" or \"Invoke-EgressCheck\" or\n \"Invoke-PostExfil\" or \"Create-MultipleSessions\" or\n \"Invoke-NetworkRelay\" or \"New-GPOImmediateTask\" or\n \"Invoke-WMIDebugger\" or \"Invoke-SQLOSCMD\" or\n \"Invoke-SMBExec\" or \"Invoke-PSRemoting\" or\n \"Invoke-ExecuteMSBuild\" or \"Invoke-DCOM\" or\n \"Invoke-InveighRelay\" or \"Invoke-PsExec\" or\n \"Invoke-SSHCommand\" or \"Find-ActiveUsersWMI\" or\n \"Get-SystemDrivesWMI\" or \"Get-ActiveNICSWMI\" or\n \"Remove-Persistence\" or \"DNS_TXT_Pwnage\" or\n \"Execute-OnTime\" or \"HTTP-Backdoor\" or\n \"Add-ConstrainedDelegationBackdoor\" or \"Add-RegBackdoor\" or\n \"Add-ScrnSaveBackdoor\" or \"Gupt-Backdoor\" or\n \"Invoke-ADSBackdoor\" or \"Add-Persistence\" or\n \"Invoke-ResolverBackdoor\" or \"Invoke-EventLogBackdoor\" or\n \"Invoke-DeadUserBackdoor\" or \"Invoke-DisableMachineAcctChange\" or\n \"Invoke-AccessBinary\" or \"Add-NetUser\" or\n \"Invoke-Schtasks\" or \"Invoke-JSRatRegsvr\" or\n \"Invoke-JSRatRundll\" or \"Invoke-PoshRatHttps\" or\n \"Invoke-PsGcatAgent\" or \"Remove-PoshRat\" or\n \"Install-SSP\" or \"Invoke-BackdoorLNK\" or\n \"PowerBreach\" or \"InstallEXE-Persistence\" or\n \"RemoveEXE-Persistence\" or \"Install-ServiceLevel-Persistence\" or\n \"Remove-ServiceLevel-Persistence\" or \"Invoke-Prompt\" or\n \"Invoke-PacketCapture\" or \"Start-WebcamRecorder\" or\n \"Get-USBKeyStrokes\" or \"Invoke-KeeThief\" or\n \"Get-Keystrokes\" or \"Invoke-NetRipper\" or\n \"Get-EmailItems\" or \"Invoke-MailSearch\" or\n \"Invoke-SearchGAL\" or \"Get-WebCredentials\" or\n \"Start-CaptureServer\" or \"Invoke-PowerShellIcmp\" or\n \"Invoke-PowerShellTcpOneLine\" or \"Invoke-PowerShellTcpOneLineBind\" or\n \"Invoke-PowerShellUdp\" or \"Invoke-PowerShellUdpOneLine\" or\n \"Run-EXEonRemote\" or \"Download-Execute-PS\" or\n 
\"Out-RundllCommand\" or \"Set-RemoteWMI\" or\n \"Set-DCShadowPermissions\" or \"Invoke-PowerShellWMI\" or\n \"Invoke-Vnc\" or \"Invoke-LockWorkStation\" or\n \"Invoke-EternalBlue\" or \"Invoke-ShellcodeMSIL\" or\n \"Invoke-MetasploitPayload\" or \"Invoke-DowngradeAccount\" or\n \"Invoke-RunAs\" or \"ExetoText\" or\n \"Disable-SecuritySettings\" or \"Set-MacAttribute\" or\n \"Invoke-MS16032\" or \"Invoke-BypassUACTokenManipulation\" or\n \"Invoke-SDCLTBypass\" or \"Invoke-FodHelperBypass\" or\n \"Invoke-EventVwrBypass\" or \"Invoke-EnvBypass\" or\n \"Get-ServiceUnquoted\" or \"Get-ServiceFilePermission\" or\n \"Get-ServicePermission\" or\n \"Enable-DuplicateToken\" or \"Invoke-PsUaCme\" or\n \"Invoke-Tater\" or \"Invoke-WScriptBypassUAC\" or\n \"Invoke-AllChecks\" or \"Find-TrustedDocuments\" or\n \"Invoke-Interceptor\" or \"Invoke-PoshRatHttp\" or\n \"Invoke-ExecCommandWMI\" or \"Invoke-KillProcessWMI\" or\n \"Invoke-CreateShareandExecute\" or \"Invoke-RemoteScriptWithOutput\" or\n \"Invoke-SchedJobManipulation\" or \"Invoke-ServiceManipulation\" or\n \"Invoke-PowerOptionsWMI\" or \"Invoke-DirectoryListing\" or\n \"Invoke-FileTransferOverWMI\" or \"Invoke-WMImplant\" or\n \"Invoke-WMIObfuscatedPSCommand\" or \"Invoke-WMIDuplicateClass\" or\n \"Invoke-WMIUpload\" or \"Invoke-WMIRemoteExtract\" or \"Invoke-winPEAS\"\n ) and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\"\n ) and\n not file.path : (\n ?\\:\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows?Defender?Advanced?Threat?Protection\\\\\\\\DataCollection\\\\\\\\*\n ) and\n not user.id : (\"S-1-5-18\" or \"S-1-5-19\")\n", "references": ["https://github.com/atc-project/atc-data/blob/master/docs/Logging_Policies/LP_0109_windows_powershell_script_block_log.md", "https://github.com/BC-SECURITY/Empire"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, 
"name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "cde1bafa-9f01-4f43-a872-605b678968b0", "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 9}, "id": "cde1bafa-9f01-4f43-a872-605b678968b0_9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cdf1a39b-1ca5-4e2a-9739-17fc4d026029.json b/packages/security_detection_engine/kibana/security_rule/cdf1a39b-1ca5-4e2a-9739-17fc4d026029.json deleted file mode 100644 index cd0a9babbab..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cdf1a39b-1ca5-4e2a-9739-17fc4d026029.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for Linux Shadow file modifications. These modifications are indicative of a potential password change or user addition event. Threat actors may attempt to create new users or change the password of a user account to maintain access to a system.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Shadow File Modification", "query": "file where host.os.type == \"linux\" and event.type == \"change\" and event.action == \"rename\" and\nfile.path == \"/etc/shadow\" and file.Ext.original.path != null\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.path", "type": "unknown"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "cdf1a39b-1ca5-4e2a-9739-17fc4d026029", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "cdf1a39b-1ca5-4e2a-9739-17fc4d026029", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cdf1a39b-1ca5-4e2a-9739-17fc4d026029_1.json b/packages/security_detection_engine/kibana/security_rule/cdf1a39b-1ca5-4e2a-9739-17fc4d026029_1.json deleted file mode 100644 index 0217f47d34b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cdf1a39b-1ca5-4e2a-9739-17fc4d026029_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for Linux Shadow file modifications. These modifications are indicative of a potential password change or user addition event. Threat actors may attempt to create new users or change the password of a user account to maintain access to a system.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Shadow File Modification", "query": "file where host.os.type == \"linux\" and event.type == \"change\" and event.action == \"rename\" and\nfile.path == \"/etc/shadow\" and file.Ext.original.path != null\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.path", "type": "unknown"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "cdf1a39b-1ca5-4e2a-9739-17fc4d026029", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "cdf1a39b-1ca5-4e2a-9739-17fc4d026029_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ce08b55a-f67d-4804-92b5-617b0fe5a5b5.json b/packages/security_detection_engine/kibana/security_rule/ce08b55a-f67d-4804-92b5-617b0fe5a5b5.json deleted file mode 100644 index 5bbc3c9ea20..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ce08b55a-f67d-4804-92b5-617b0fe5a5b5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects a first occurrence event for a personal access token (PAT) not seen in the last 14 days.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-github.audit-*"], "language": "kuery", "license": "Elastic License v2", "name": "First Occurrence GitHub Event for a Personal Access Token (PAT)", "new_terms_fields": ["github.hashed_token", "event.action"], "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and\nevent.action:* and github.hashed_token:* and \ngithub.programmatic_access_type:(\"OAuth access token\" or \"Fine-grained personal access token\")\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "github.hashed_token", "type": "keyword"}, {"ecs": false, "name": "github.programmatic_access_type", "type": "keyword"}], "risk_score": 21, "rule_id": "ce08b55a-f67d-4804-92b5-617b0fe5a5b5", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Execution", "Rule Type: BBR", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1648", "name": "Serverless Execution", "reference": "https://attack.mitre.org/techniques/T1648/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "ce08b55a-f67d-4804-92b5-617b0fe5a5b5", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ce08b55a-f67d-4804-92b5-617b0fe5a5b5_1.json b/packages/security_detection_engine/kibana/security_rule/ce08b55a-f67d-4804-92b5-617b0fe5a5b5_1.json
deleted file mode 100644
index 4df7e4da39e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ce08b55a-f67d-4804-92b5-617b0fe5a5b5_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects a first occurrence event for a personal access token (PAT) not seen in the last 14 days.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-github.audit-*"], "language": "kuery", "license": "Elastic License v2", "name": "First Occurrence GitHub Event for a Personal Access Token (PAT)", "new_terms_fields": ["github.hashed_token", "event.action"], "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and\nevent.action:* and github.hashed_token:* and \ngithub.programmatic_access_type:(\"OAuth access token\" or \"Fine-grained personal access token\")\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "github.hashed_token", "type": "keyword"}, {"ecs": false, "name": "github.programmatic_access_type", "type": "keyword"}], "risk_score": 21, "rule_id": "ce08b55a-f67d-4804-92b5-617b0fe5a5b5", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Execution", "Rule Type: BBR", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1648", "name": "Serverless Execution", "reference": "https://attack.mitre.org/techniques/T1648/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "ce08b55a-f67d-4804-92b5-617b0fe5a5b5_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ce08b55a-f67d-4804-92b5-617b0fe5a5b5_103.json b/packages/security_detection_engine/kibana/security_rule/ce08b55a-f67d-4804-92b5-617b0fe5a5b5_103.json
new file mode 100644
index 00000000000..0d898333ff1
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/ce08b55a-f67d-4804-92b5-617b0fe5a5b5_103.json
@@ -0,0 +1,88 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "building_block_type": "default",
+ "description": "Detects a first occurrence event for a personal access token (PAT) not seen in the last 14 days.",
+ "from": "now-9m",
+ "history_window_start": "now-14d",
+ "index": [
+ "logs-github.audit-*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "First Occurrence GitHub Event for a Personal Access Token (PAT)",
+ "new_terms_fields": [
+ "github.hashed_token",
+ "event.action"
+ ],
+ "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and\nevent.action:* and github.hashed_token:* and \ngithub.programmatic_access_type:(\"OAuth access token\" or \"Fine-grained personal access token\")\n",
+ "related_integrations": [
+ {
+ "package": "github",
+ "version": "^2.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "github.hashed_token",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "github.programmatic_access_type",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "ce08b55a-f67d-4804-92b5-617b0fe5a5b5",
+ "severity": "low",
+ "tags": [
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Execution",
+ "Rule Type: BBR",
+ "Data Source: Github"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1648",
+ "name": "Serverless Execution",
+ "reference": "https://attack.mitre.org/techniques/T1648/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "new_terms",
+ "version": 103
+ },
+ "id": "ce08b55a-f67d-4804-92b5-617b0fe5a5b5_103",
+ "type": "security-rule"
+} \ No
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05.json b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05.json
deleted file mode 100644
index 4e8ea10e96e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05.json
+++ /dev/null
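Review bot: The rule's name and description speak only of a personal access token (PAT), but the query's `github.programmatic_access_type` filter also matches "OAuth access token", so OAuth app tokens are in scope as well; either narrow the filter or widen the wording, e.g. end the description with `not seen in the last 14 days (covers OAuth access tokens and fine-grained PATs).` The query is further restricted to `event.category:"configuration"`, so a token's first appearance in other audit categories does not enter the 14-day new-terms baseline, which is worth stating in a `note` field so analysts do not read it as "first use anywhere". Unlike the neighbouring ce64d965 rule, no `false_positives` entry is present; a freshly issued token is by construction a new term, and documenting that expected noise would help triage of this building-block rule.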
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "New ActiveSyncAllowedDeviceID Added via PowerShell", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": 
["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.002", "name": "Additional Email Delegate Permissions", "reference": "https://attack.mitre.org/techniques/T1098/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_103.json b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_103.json deleted file mode 100644 index 6e3018e9a18..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "New ActiveSyncAllowedDeviceID Added via PowerShell", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.002", "name": "Additional Email Delegate Permissions", "reference": "https://attack.mitre.org/techniques/T1098/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_104.json b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_104.json deleted file mode 100644 index c906fef6d44..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "New ActiveSyncAllowedDeviceID Added via PowerShell", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", 
"reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.002", "name": "Additional Email Delegate Permissions", "reference": "https://attack.mitre.org/techniques/T1098/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_105.json b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_105.json deleted file mode 100644 index dc59287cc49..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "New ActiveSyncAllowedDeviceID Added via PowerShell", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.002", "name": "Additional Email Delegate Permissions", "reference": "https://attack.mitre.org/techniques/T1098/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_106.json b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_106.json deleted file mode 100644 index 5658e80a6ad..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "New ActiveSyncAllowedDeviceID Added via PowerShell", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.002", "name": "Additional Email Delegate Permissions", "reference": "https://attack.mitre.org/techniques/T1098/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_107.json b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_107.json deleted file mode 100644 index e0199572b31..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "New ActiveSyncAllowedDeviceID Added via PowerShell", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: 
Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.002", "name": "Additional Email Delegate Permissions", "reference": "https://attack.mitre.org/techniques/T1098/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_108.json b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_108.json deleted file mode 100644 index efaa98e5467..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "New ActiveSyncAllowedDeviceID Added via PowerShell", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: 
Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.002", "name": "Additional Email Delegate Permissions", "reference": "https://attack.mitre.org/techniques/T1098/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_109.json b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_109.json deleted file mode 100644 index fefb88ef4db..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "New ActiveSyncAllowedDeviceID Added via PowerShell", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": 
["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.002", "name": "Additional Email Delegate Permissions", "reference": "https://attack.mitre.org/techniques/T1098/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_110.json b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_110.json deleted file mode 100644 index 877b0ad835c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "New ActiveSyncAllowedDeviceID Added via PowerShell", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": 
["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.002", "name": "Additional Email Delegate Permissions", "reference": "https://attack.mitre.org/techniques/T1098/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_310.json b/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_310.json
deleted file mode 100644
index 8823728bdac..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ce64d965-6cb0-466d-b74f-8d2c76f47f05_310.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.", "false_positives": ["Legitimate exchange system administration activity."], "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "New ActiveSyncAllowedDeviceID Added via PowerShell", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and process.args : \"Set-CASMailbox*ActiveSyncAllowedDeviceIDs*\"\n", "references": ["https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for 
Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.002", "name": "Additional Email Delegate Permissions", "reference": "https://attack.mitre.org/techniques/T1098/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 310}, "id": "ce64d965-6cb0-466d-b74f-8d2c76f47f05_310", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c.json b/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c.json
deleted file mode 100644
index 0e83f0c02fa..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.", "false_positives": ["This rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is expected."], "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "lucene", "license": "Elastic License v2", "name": "Cobalt Strike Command and Control Beacon", "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.", "query": "((event.category: (network OR network_traffic) AND type: (tls OR http))\n OR event.dataset: (network_traffic.tls OR network_traffic.http)\n) AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\\..*/\n", "references": ["https://blog.morphisec.com/fin7-attacks-restaurant-industry", "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack"], "related_integrations": [], "risk_score": 73, "rule_id": "cf53f532-9cc9-445a-9ae7-fced307ec53c", "severity": "high", "tags": ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}, {"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": 
"event.ingested", "type": "query", "version": 105}, "id": "cf53f532-9cc9-445a-9ae7-fced307ec53c", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_102.json b/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_102.json
deleted file mode 100644
index a408be6e3cc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.", "false_positives": ["This rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is expected."], "from": "now-9m", "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"], "language": "lucene", "license": "Elastic License v2", "name": "Cobalt Strike Command and Control Beacon", "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.", "query": "event.category:(network OR network_traffic) AND type:(tls OR http) AND network.transport:tcp AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\\..*/\n", "references": ["https://blog.morphisec.com/fin7-attacks-restaurant-industry", "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack"], "related_integrations": [], "risk_score": 73, "rule_id": "cf53f532-9cc9-445a-9ae7-fced307ec53c", "severity": "high", "tags": ["Elastic", "Network", "Threat Detection", "Command and Control", "Host"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}, {"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": 
"cf53f532-9cc9-445a-9ae7-fced307ec53c_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_103.json b/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_103.json
deleted file mode 100644
index c90ec605dbf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.", "false_positives": ["This rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is expected."], "from": "now-9m", "index": ["packetbeat-*", "logs-network_traffic.*"], "language": "lucene", "license": "Elastic License v2", "name": "Cobalt Strike Command and Control Beacon", "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.", "query": "event.dataset: (network_traffic.tls or network_traffic.http) AND destination.domain:/[a-z]{3}.stage.[0-9]{8}\\..*/\n", "references": ["https://blog.morphisec.com/fin7-attacks-restaurant-industry", "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack"], "related_integrations": [], "risk_score": 73, "rule_id": "cf53f532-9cc9-445a-9ae7-fced307ec53c", "severity": "high", "tags": ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}, {"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "cf53f532-9cc9-445a-9ae7-fced307ec53c_103", "type": 
"security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_104.json b/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_104.json
deleted file mode 100644
index 4472b6ffb9a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cf53f532-9cc9-445a-9ae7-fced307ec53c_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for command and control.", "false_positives": ["This rule should be tailored to either exclude systems, as sources or destinations, in which this behavior is expected."], "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "lucene", "license": "Elastic License v2", "name": "Cobalt Strike Command and Control Beacon", "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.", "query": "((event.category: (network or network_traffic) and type: (tls or http))\n or event.dataset: (network_traffic.tls or network_traffic.http)\n) and destination.domain:/[a-z]{3}.stage.[0-9]{8}\\..*/\n", "references": ["https://blog.morphisec.com/fin7-attacks-restaurant-industry", "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack"], "related_integrations": [], "risk_score": 73, "rule_id": "cf53f532-9cc9-445a-9ae7-fced307ec53c", "severity": "high", "tags": ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}, {"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": 
"event.ingested", "type": "query", "version": 104}, "id": "cf53f532-9cc9-445a-9ae7-fced307ec53c_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0.json b/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0.json
deleted file mode 100644
index 4352c6b7ad1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target\u2019s organization with less restrictive security controls.", "false_positives": ["Trusted domains may be added by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Domain Added to Google Workspace Trusted Domains", "note": "## Triage and analysis\n\n### Investigating Domain Added to Google Workspace Trusted Domains\n\nOrganizations use trusted domains in Google Workspace to give external users access to resources.\n\nA threat actor with administrative privileges may be able to add a malicious domain to the trusted domain list. Based on the configuration, potentially sensitive resources may be exposed or accessible by an unintended third-party.\n\nThis rule detects when a third-party domain is added to the list of trusted domains in Google Workspace.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- After identifying the user, verify if the user should have administrative privileges to add external domains.\n- Check the `google_workspace.admin.domain.name` field to find the newly added domain.\n- Use reputational services, such as VirusTotal, for the trusted domain's third-party intelligence reputation.\n- Filter your data. 
Create a filter where `event.dataset` is `google_workspace.drive` and `google_workspace.drive.file.owner.email` is being compared to `user.email`.\n - If mismatches are identified, this could indicate access from an external Google Workspace domain.\n\n### False positive analysis\n\n- Verify that the user account should have administrative privileges that allow them to edit trusted domains in Google Workspace.\n- Talk to the user to evaluate why they added the third-party domain and if the domain has confidentiality risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS\n", "references": ["https://support.google.com/a/answer/6160020?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Configuration Audit", "Tactic: Defense Evasion", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_203.json b/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_203.json
deleted file mode 100644
index c8b6773482a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_203.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target\u2019s organization with less restrictive security controls.", "false_positives": ["Trusted domains may be added by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Domain Added to Google Workspace Trusted Domains", "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS\n", "references": ["https://support.google.com/a/answer/6160020?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Configuration Audit", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 203}, "id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0_203", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_204.json b/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_204.json
deleted file mode 100644
index 00bdfdce252..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_204.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target\u2019s organization with less restrictive security controls.", "false_positives": ["Trusted domains may be added by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Domain Added to Google Workspace Trusted Domains", "note": "## Triage and analysis\n\n### Investigating Domain Added to Google Workspace Trusted Domains\n\nOrganizations use trusted domains in Google Workspace to give external users access to resources.\n\nA threat actor with administrative privileges may be able to add a malicious domain to the trusted domain list. Based on the configuration, potentially sensitive resources may be exposed or accessible by an unintended third-party.\n\nThis rule detects when a third-party domain is added to the list of trusted domains in Google Workspace.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- After identifying the user, verify if the user should have administrative privileges to add external domains.\n- Check the `google_workspace.admin.domain.name` field to find the newly added domain.\n- Use reputational services, such as VirusTotal, for the trusted domain's third-party intelligence reputation.\n- Filter your data. 
Create a filter where `event.dataset` is `google_workspace.drive` and `google_workspace.drive.file.owner.email` is being compared to `user.email`.\n - If mismatches are identified, this could indicate access from an external Google Workspace domain.\n\n### False positive analysis\n\n- Verify that the user account should have administrative privileges that allow them to edit trusted domains in Google Workspace.\n- Talk to the user to evaluate why they added the third-party domain and if the domain has confidentiality risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS\n", "references": ["https://support.google.com/a/answer/6160020?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Configuration Audit", "Defense Evasion", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 204}, "id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0_204", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_205.json b/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_205.json
deleted file mode 100644
index e15540138c8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cf549724-c577-4fd6-8f9b-d1b8ec519ec0_205.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a domain is added to the list of trusted Google Workspace domains. An adversary may add a trusted domain in order to collect and exfiltrate data from their target\u2019s organization with less restrictive security controls.", "false_positives": ["Trusted domains may be added by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Domain Added to Google Workspace Trusted Domains", "note": "## Triage and analysis\n\n### Investigating Domain Added to Google Workspace Trusted Domains\n\nOrganizations use trusted domains in Google Workspace to give external users access to resources.\n\nA threat actor with administrative privileges may be able to add a malicious domain to the trusted domain list. Based on the configuration, potentially sensitive resources may be exposed or accessible by an unintended third-party.\n\nThis rule detects when a third-party domain is added to the list of trusted domains in Google Workspace.\n\n#### Possible investigation steps\n\n- Identify the associated user accounts by reviewing `user.name` or `user.email` fields in the alert.\n- After identifying the user, verify if the user should have administrative privileges to add external domains.\n- Check the `google_workspace.admin.domain.name` field to find the newly added domain.\n- Use reputational services, such as VirusTotal, for the trusted domain's third-party intelligence reputation.\n- Filter your data. 
Create a filter where `event.dataset` is `google_workspace.drive` and `google_workspace.drive.file.owner.email` is being compared to `user.email`.\n - If mismatches are identified, this could indicate access from an external Google Workspace domain.\n\n### False positive analysis\n\n- Verify that the user account should have administrative privileges that allow them to edit trusted domains in Google Workspace.\n- Talk to the user to evaluate why they added the third-party domain and if the domain has confidentiality risks.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:ADD_TRUSTED_DOMAINS\n", "references": ["https://support.google.com/a/answer/6160020?hl=en"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Configuration Audit", "Tactic: Defense Evasion", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "cf549724-c577-4fd6-8f9b-d1b8ec519ec0_205", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cf575427-0839-4c69-a9e6-99fde02606f3.json b/packages/security_detection_engine/kibana/security_rule/cf575427-0839-4c69-a9e6-99fde02606f3.json
deleted file mode 100644
index bb1d27cd28f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cf575427-0839-4c69-a9e6-99fde02606f3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique host.id and user.id entries.", "from": "now-9m", "history_window_start": "now-14d", "index": [".alerts-security.*"], "language": "kuery", "license": "Elastic License v2", "name": "Unusual Discovery Activity by User", "new_terms_fields": ["host.id", "user.id"], "query": "host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:(\n \"d68e95ad-1c82-4074-a12a-125fe10ac8ba\" or \"7b8bfc26-81d2-435e-965c-d722ee397ef1\" or\n \"0635c542-1b96-4335-9b47-126582d2c19a\" or \"6ea55c81-e2ba-42f2-a134-bccf857ba922\" or\n \"e0881d20-54ac-457f-8733-fe0bc5d44c55\" or \"06568a02-af29-4f20-929c-f3af281e41aa\" or\n \"c4e9ed3e-55a2-4309-a012-bc3c78dad10a\" or \"51176ed2-2d90-49f2-9f3d-17196428b169\" or\n \"1d72d014-e2ab-4707-b056-9b96abe7b511\"\n)\n", "required_fields": [{"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "kibana.alert.rule.rule_id", "type": "unknown"}], "risk_score": 21, "rule_id": "cf575427-0839-4c69-a9e6-99fde02606f3", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: Higher-Order Rule"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "cf575427-0839-4c69-a9e6-99fde02606f3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cf575427-0839-4c69-a9e6-99fde02606f3_1.json b/packages/security_detection_engine/kibana/security_rule/cf575427-0839-4c69-a9e6-99fde02606f3_1.json
deleted file mode 100644
index 1d7986973a3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cf575427-0839-4c69-a9e6-99fde02606f3_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule leverages alert data from various Discovery building block rules to alert on signals with unusual unique host.id and user.id entries.", "from": "now-9m", "history_window_start": "now-14d", "index": [".alerts-security.*"], "language": "kuery", "license": "Elastic License v2", "name": "Unusual Discovery Activity by User", "new_terms_fields": ["host.id", "user.id"], "query": "host.os.type:windows and event.kind:signal and kibana.alert.rule.rule_id:(\n \"d68e95ad-1c82-4074-a12a-125fe10ac8ba\" or \"7b8bfc26-81d2-435e-965c-d722ee397ef1\" or\n \"0635c542-1b96-4335-9b47-126582d2c19a\" or \"6ea55c81-e2ba-42f2-a134-bccf857ba922\" or\n \"e0881d20-54ac-457f-8733-fe0bc5d44c55\" or \"06568a02-af29-4f20-929c-f3af281e41aa\" or\n \"c4e9ed3e-55a2-4309-a012-bc3c78dad10a\" or \"51176ed2-2d90-49f2-9f3d-17196428b169\" or\n \"1d72d014-e2ab-4707-b056-9b96abe7b511\"\n)\n", "required_fields": [{"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "kibana.alert.rule.rule_id", "type": "unknown"}], "risk_score": 21, "rule_id": "cf575427-0839-4c69-a9e6-99fde02606f3", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: Higher-Order Rule"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "cf575427-0839-4c69-a9e6-99fde02606f3_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cf6995ec-32a9-4b2d-9340-f8e61acf3f4e.json b/packages/security_detection_engine/kibana/security_rule/cf6995ec-32a9-4b2d-9340-f8e61acf3f4e.json
deleted file mode 100644
index 8e2bd011f87..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cf6995ec-32a9-4b2d-9340-f8e61acf3f4e.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identify activity related where adversaries can include a trap command which then allows programs and shells to specify commands that will be executed upon receiving interrupt signals.", "from": "now-119m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Trap Signals Execution", "query": "process where event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nprocess.name == \"trap\" and process.args : \"SIG*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.005", "name": "Trap", "reference": "https://attack.mitre.org/techniques/T1546/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/cf6995ec-32a9-4b2d-9340-f8e61acf3f4e_1.json b/packages/security_detection_engine/kibana/security_rule/cf6995ec-32a9-4b2d-9340-f8e61acf3f4e_1.json
deleted file mode 100644
index d536d3a8052..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cf6995ec-32a9-4b2d-9340-f8e61acf3f4e_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identify activity related where adversaries can include a trap command which then allows programs and shells to specify commands that will be executed upon receiving interrupt signals.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Trap Signals Execution", "query": "process where event.type : (\"start\", \"process_started\") and process.name : \"trap\" and process.args : \"SIG*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.005", "name": "Trap", "reference": "https://attack.mitre.org/techniques/T1546/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "cf6995ec-32a9-4b2d-9340-f8e61acf3f4e_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6.json b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6.json deleted file mode 100644 index 9839b31a2f2..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Execution from Unusual Directory - Command Line", "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to hide malware and make the execution less suspicious.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of parent process executable and command line conditions.\n\n### Related rules\n\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\",\n \"cscript.exe\",\n \"rundll32.exe\",\n \"regsvr32.exe\",\n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\",\n \"powershell.exe\",\n \"pwsh.exe\",\n \"cmd.exe\") and\n\n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\AMD\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\AppReadiness\\\\*\",\n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n \"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n \"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\n \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n \"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\n 
\"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n\n /* noisy FP patterns */\n\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and\n process.args : (\"uxtheme.dll,#64\",\n \"PRINTUI.DLL,PrintUIEntry\",\n \"?:\\\\Windows\\\\System32\\\\FirewallControlPanel.dll,ShowNotificationDialog\",\n \"?:\\\\WINDOWS\\\\system32\\\\Speech\\\\SpeechUX\\\\sapi.cpl\",\n \"?:\\\\Windows\\\\system32\\\\shell32.dll,OpenAs_RunDLL\")) and\n\n not (process.name : \"cscript.exe\" and process.args : 
\"?:\\\\WINDOWS\\\\system32\\\\calluxxprovider.vbs\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\powercfg.exe\" and process.args : \"?:\\\\WINDOWS\\\\inf\\\\PowerPlan.log\") and\n\n not (process.name : \"regsvr32.exe\" and process.args : \"?:\\\\Windows\\\\Help\\\\OEM\\\\scripts\\\\checkmui.dll\") and\n\n not (process.name : \"cmd.exe\" and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\oobe\\\\windeploy.exe\",\n \"?:\\\\Program Files (x86)\\\\ossec-agent\\\\wazuh-agent.exe\",\n \"?:\\\\Windows\\\\System32\\\\igfxCUIService.exe\",\n \"?:\\\\Windows\\\\Temp\\\\IE*.tmp\\\\IE*-support\\\\ienrcore.exe\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_105.json b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_105.json deleted file mode 100644 index 8c1b83be387..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution from Unusual Directory - Command Line", "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to hide malware and make the execution less suspicious.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of parent process executable and command line conditions.\n\n### Related rules\n\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\",\n \"cscript.exe\",\n \"rundll32.exe\",\n \"regsvr32.exe\",\n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\",\n \"powershell.exe\",\n \"pwsh.exe\",\n \"cmd.exe\") and\n\n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\AMD\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\AppReadiness\\\\*\",\n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n \"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n \"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\n \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n \"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\n 
\"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n\n /* noisy FP patterns */\n\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and\n process.args : (\"uxtheme.dll,#64\",\n \"PRINTUI.DLL,PrintUIEntry\",\n \"?:\\\\Windows\\\\System32\\\\FirewallControlPanel.dll,ShowNotificationDialog\",\n \"?:\\\\WINDOWS\\\\system32\\\\Speech\\\\SpeechUX\\\\sapi.cpl\",\n \"?:\\\\Windows\\\\system32\\\\shell32.dll,OpenAs_RunDLL\")) and\n\n not (process.name : \"cscript.exe\" and process.args : 
\"?:\\\\WINDOWS\\\\system32\\\\calluxxprovider.vbs\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\powercfg.exe\" and process.args : \"?:\\\\WINDOWS\\\\inf\\\\PowerPlan.log\") and\n\n not (process.name : \"regsvr32.exe\" and process.args : \"?:\\\\Windows\\\\Help\\\\OEM\\\\scripts\\\\checkmui.dll\") and\n\n not (process.name : \"cmd.exe\" and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\oobe\\\\windeploy.exe\",\n \"?:\\\\Program Files (x86)\\\\ossec-agent\\\\wazuh-agent.exe\",\n \"?:\\\\Windows\\\\System32\\\\igfxCUIService.exe\",\n \"?:\\\\Windows\\\\Temp\\\\IE*.tmp\\\\IE*-support\\\\ienrcore.exe\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Defense Evasion", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", 
"reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_106.json b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_106.json
deleted file mode 100644
index adf494430ba..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution from Unusual Directory - Command Line", "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to hide malware and make the execution less suspicious.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of parent process executable and command line conditions.\n\n### Related rules\n\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\",\n \"cscript.exe\",\n \"rundll32.exe\",\n \"regsvr32.exe\",\n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\",\n \"powershell.exe\",\n \"pwsh.exe\",\n \"cmd.exe\") and\n\n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\AMD\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\AppReadiness\\\\*\",\n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n \"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n \"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\n \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n \"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\n 
\"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n\n /* noisy FP patterns */\n\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and\n process.args : (\"uxtheme.dll,#64\",\n \"PRINTUI.DLL,PrintUIEntry\",\n \"?:\\\\Windows\\\\System32\\\\FirewallControlPanel.dll,ShowNotificationDialog\",\n \"?:\\\\WINDOWS\\\\system32\\\\Speech\\\\SpeechUX\\\\sapi.cpl\",\n \"?:\\\\Windows\\\\system32\\\\shell32.dll,OpenAs_RunDLL\")) and\n\n not (process.name : \"cscript.exe\" and process.args : 
\"?:\\\\WINDOWS\\\\system32\\\\calluxxprovider.vbs\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\powercfg.exe\" and process.args : \"?:\\\\WINDOWS\\\\inf\\\\PowerPlan.log\") and\n\n not (process.name : \"regsvr32.exe\" and process.args : \"?:\\\\Windows\\\\Help\\\\OEM\\\\scripts\\\\checkmui.dll\") and\n\n not (process.name : \"cmd.exe\" and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\oobe\\\\windeploy.exe\",\n \"?:\\\\Program Files (x86)\\\\ossec-agent\\\\wazuh-agent.exe\",\n \"?:\\\\Windows\\\\System32\\\\igfxCUIService.exe\",\n \"?:\\\\Windows\\\\Temp\\\\IE*.tmp\\\\IE*-support\\\\ienrcore.exe\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Defense Evasion", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", 
"reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_107.json b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_107.json
deleted file mode 100644
index 4a2b392b47f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution from Unusual Directory - Command Line", "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to hide malware and make the execution less suspicious.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of parent process executable and command line conditions.\n\n### Related rules\n\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\",\n \"cscript.exe\",\n \"rundll32.exe\",\n \"regsvr32.exe\",\n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\",\n \"powershell.exe\",\n \"pwsh.exe\",\n \"cmd.exe\") and\n\n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\AMD\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\AppReadiness\\\\*\",\n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n \"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n \"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\n \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n \"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\n 
\"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n\n /* noisy FP patterns */\n\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and\n process.args : (\"uxtheme.dll,#64\",\n \"PRINTUI.DLL,PrintUIEntry\",\n \"?:\\\\Windows\\\\System32\\\\FirewallControlPanel.dll,ShowNotificationDialog\",\n \"?:\\\\WINDOWS\\\\system32\\\\Speech\\\\SpeechUX\\\\sapi.cpl\",\n \"?:\\\\Windows\\\\system32\\\\shell32.dll,OpenAs_RunDLL\")) and\n\n not (process.name : \"cscript.exe\" and process.args : 
\"?:\\\\WINDOWS\\\\system32\\\\calluxxprovider.vbs\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\powercfg.exe\" and process.args : \"?:\\\\WINDOWS\\\\inf\\\\PowerPlan.log\") and\n\n not (process.name : \"regsvr32.exe\" and process.args : \"?:\\\\Windows\\\\Help\\\\OEM\\\\scripts\\\\checkmui.dll\") and\n\n not (process.name : \"cmd.exe\" and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\oobe\\\\windeploy.exe\",\n \"?:\\\\Program Files (x86)\\\\ossec-agent\\\\wazuh-agent.exe\",\n \"?:\\\\Windows\\\\System32\\\\igfxCUIService.exe\",\n \"?:\\\\Windows\\\\Temp\\\\IE*.tmp\\\\IE*-support\\\\ienrcore.exe\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": 
[{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_108.json b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_108.json
deleted file mode 100644
index daad0a594ef..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution from Unusual Directory - Command Line", "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to hide malware and make the execution less suspicious.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of parent process executable and command line conditions.\n\n### Related rules\n\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\",\n \"cscript.exe\",\n \"rundll32.exe\",\n \"regsvr32.exe\",\n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\",\n \"powershell.exe\",\n \"pwsh.exe\",\n \"cmd.exe\") and\n\n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\AMD\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\AppReadiness\\\\*\",\n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n \"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n \"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\n \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n \"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\n 
\"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n\n /* noisy FP patterns */\n\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and\n process.args : (\"uxtheme.dll,#64\",\n \"PRINTUI.DLL,PrintUIEntry\",\n \"?:\\\\Windows\\\\System32\\\\FirewallControlPanel.dll,ShowNotificationDialog\",\n \"?:\\\\WINDOWS\\\\system32\\\\Speech\\\\SpeechUX\\\\sapi.cpl\",\n \"?:\\\\Windows\\\\system32\\\\shell32.dll,OpenAs_RunDLL\")) and\n\n not (process.name : \"cscript.exe\" and process.args : 
\"?:\\\\WINDOWS\\\\system32\\\\calluxxprovider.vbs\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\powercfg.exe\" and process.args : \"?:\\\\WINDOWS\\\\inf\\\\PowerPlan.log\") and\n\n not (process.name : \"regsvr32.exe\" and process.args : \"?:\\\\Windows\\\\Help\\\\OEM\\\\scripts\\\\checkmui.dll\") and\n\n not (process.name : \"cmd.exe\" and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\oobe\\\\windeploy.exe\",\n \"?:\\\\Program Files (x86)\\\\ossec-agent\\\\wazuh-agent.exe\",\n \"?:\\\\Windows\\\\System32\\\\igfxCUIService.exe\",\n \"?:\\\\Windows\\\\Temp\\\\IE*.tmp\\\\IE*-support\\\\ienrcore.exe\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": 
"https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_109.json b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_109.json
deleted file mode 100644
index 8b5c47dfb02..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution from Unusual Directory - Command Line", "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to hide malware and make the execution less suspicious.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of parent process executable and command line conditions.\n\n### Related rules\n\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\",\n \"cscript.exe\",\n \"rundll32.exe\",\n \"regsvr32.exe\",\n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\",\n \"powershell.exe\",\n \"pwsh.exe\",\n \"cmd.exe\") and\n\n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\AMD\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\AppReadiness\\\\*\",\n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n \"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n \"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\n \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n \"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\n 
\"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n\n /* noisy FP patterns */\n\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and\n process.args : (\"uxtheme.dll,#64\",\n \"PRINTUI.DLL,PrintUIEntry\",\n \"?:\\\\Windows\\\\System32\\\\FirewallControlPanel.dll,ShowNotificationDialog\",\n \"?:\\\\WINDOWS\\\\system32\\\\Speech\\\\SpeechUX\\\\sapi.cpl\",\n \"?:\\\\Windows\\\\system32\\\\shell32.dll,OpenAs_RunDLL\")) and\n\n not (process.name : \"cscript.exe\" and process.args : 
\"?:\\\\WINDOWS\\\\system32\\\\calluxxprovider.vbs\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\powercfg.exe\" and process.args : \"?:\\\\WINDOWS\\\\inf\\\\PowerPlan.log\") and\n\n not (process.name : \"regsvr32.exe\" and process.args : \"?:\\\\Windows\\\\Help\\\\OEM\\\\scripts\\\\checkmui.dll\") and\n\n not (process.name : \"cmd.exe\" and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\oobe\\\\windeploy.exe\",\n \"?:\\\\Program Files (x86)\\\\ossec-agent\\\\wazuh-agent.exe\",\n \"?:\\\\Windows\\\\System32\\\\igfxCUIService.exe\",\n \"?:\\\\Windows\\\\Temp\\\\IE*.tmp\\\\IE*-support\\\\ienrcore.exe\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": 
"Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_110.json b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_110.json
deleted file mode 100644
index b29a92af296..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Execution from Unusual Directory - Command Line", "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to hide malware and make the execution less suspicious.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of parent process executable and command line conditions.\n\n### Related rules\n\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\",\n \"cscript.exe\",\n \"rundll32.exe\",\n \"regsvr32.exe\",\n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\",\n \"powershell.exe\",\n \"pwsh.exe\",\n \"cmd.exe\") and\n\n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\AMD\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\AppReadiness\\\\*\",\n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n \"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n \"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\n \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n \"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\n 
\"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n\n /* noisy FP patterns */\n\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and\n process.args : (\"uxtheme.dll,#64\",\n \"PRINTUI.DLL,PrintUIEntry\",\n \"?:\\\\Windows\\\\System32\\\\FirewallControlPanel.dll,ShowNotificationDialog\",\n \"?:\\\\WINDOWS\\\\system32\\\\Speech\\\\SpeechUX\\\\sapi.cpl\",\n \"?:\\\\Windows\\\\system32\\\\shell32.dll,OpenAs_RunDLL\")) and\n\n not (process.name : \"cscript.exe\" and process.args : 
\"?:\\\\WINDOWS\\\\system32\\\\calluxxprovider.vbs\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\powercfg.exe\" and process.args : \"?:\\\\WINDOWS\\\\inf\\\\PowerPlan.log\") and\n\n not (process.name : \"regsvr32.exe\" and process.args : \"?:\\\\Windows\\\\Help\\\\OEM\\\\scripts\\\\checkmui.dll\") and\n\n not (process.name : \"cmd.exe\" and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\oobe\\\\windeploy.exe\",\n \"?:\\\\Program Files (x86)\\\\ossec-agent\\\\wazuh-agent.exe\",\n \"?:\\\\Windows\\\\System32\\\\igfxCUIService.exe\",\n \"?:\\\\Windows\\\\Temp\\\\IE*.tmp\\\\IE*-support\\\\ienrcore.exe\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_111.json b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_111.json
deleted file mode 100644
index f555bc23e04..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Execution from Unusual Directory - Command Line", "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to hide malware and make the execution less suspicious.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of parent process executable and command line conditions.\n\n### Related rules\n\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\",\n \"cscript.exe\",\n \"rundll32.exe\",\n \"regsvr32.exe\",\n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\",\n \"powershell.exe\",\n \"pwsh.exe\",\n \"cmd.exe\") and\n\n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\AMD\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\AppReadiness\\\\*\",\n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n \"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n \"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\n \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n \"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\n 
\"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n\n /* noisy FP patterns */\n\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and\n process.args : (\"uxtheme.dll,#64\",\n \"PRINTUI.DLL,PrintUIEntry\",\n \"?:\\\\Windows\\\\System32\\\\FirewallControlPanel.dll,ShowNotificationDialog\",\n \"?:\\\\WINDOWS\\\\system32\\\\Speech\\\\SpeechUX\\\\sapi.cpl\",\n \"?:\\\\Windows\\\\system32\\\\shell32.dll,OpenAs_RunDLL\")) and\n\n not (process.name : \"cscript.exe\" and process.args : 
\"?:\\\\WINDOWS\\\\system32\\\\calluxxprovider.vbs\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\powercfg.exe\" and process.args : \"?:\\\\WINDOWS\\\\inf\\\\PowerPlan.log\") and\n\n not (process.name : \"regsvr32.exe\" and process.args : \"?:\\\\Windows\\\\Help\\\\OEM\\\\scripts\\\\checkmui.dll\") and\n\n not (process.name : \"cmd.exe\" and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\oobe\\\\windeploy.exe\",\n \"?:\\\\Program Files (x86)\\\\ossec-agent\\\\wazuh-agent.exe\",\n \"?:\\\\Windows\\\\System32\\\\igfxCUIService.exe\",\n \"?:\\\\Windows\\\\Temp\\\\IE*.tmp\\\\IE*-support\\\\ienrcore.exe\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_112.json b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_112.json deleted file mode 100644 index 88b90c59a1c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_112.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Execution from Unusual Directory - Command Line", "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to hide malware and make the execution less suspicious.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of parent process executable and command line conditions.\n\n### Related rules\n\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\",\n \"cscript.exe\",\n \"rundll32.exe\",\n \"regsvr32.exe\",\n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\",\n \"powershell.exe\",\n \"pwsh.exe\",\n \"cmd.exe\") and\n\n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\AMD\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\AppReadiness\\\\*\",\n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n \"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n \"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\n \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n \"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\n 
\"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n\n /* noisy FP patterns */\n\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and\n process.args : (\"uxtheme.dll,#64\",\n \"PRINTUI.DLL,PrintUIEntry\",\n \"?:\\\\Windows\\\\System32\\\\FirewallControlPanel.dll,ShowNotificationDialog\",\n \"?:\\\\WINDOWS\\\\system32\\\\Speech\\\\SpeechUX\\\\sapi.cpl\",\n \"?:\\\\Windows\\\\system32\\\\shell32.dll,OpenAs_RunDLL\")) and\n\n not (process.name : \"cscript.exe\" and process.args : 
\"?:\\\\WINDOWS\\\\system32\\\\calluxxprovider.vbs\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\powercfg.exe\" and process.args : \"?:\\\\WINDOWS\\\\inf\\\\PowerPlan.log\") and\n\n not (process.name : \"regsvr32.exe\" and process.args : \"?:\\\\Windows\\\\Help\\\\OEM\\\\scripts\\\\checkmui.dll\") and\n\n not (process.name : \"cmd.exe\" and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\oobe\\\\windeploy.exe\",\n \"?:\\\\Program Files (x86)\\\\ossec-agent\\\\wazuh-agent.exe\",\n \"?:\\\\Windows\\\\System32\\\\igfxCUIService.exe\",\n \"?:\\\\Windows\\\\Temp\\\\IE*.tmp\\\\IE*-support\\\\ienrcore.exe\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_113.json b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_113.json deleted file mode 100644 index 93814d51992..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_113.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Execution from Unusual Directory - Command Line", "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to hide malware and make the execution less suspicious.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of parent process executable and command line conditions.\n\n### Related rules\n\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\",\n \"cscript.exe\",\n \"rundll32.exe\",\n \"regsvr32.exe\",\n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\",\n \"powershell.exe\",\n \"pwsh.exe\",\n \"cmd.exe\") and\n\n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\AMD\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\AppReadiness\\\\*\",\n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n \"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n \"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\n \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n \"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\n 
\"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n\n /* noisy FP patterns */\n\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and\n process.args : (\"uxtheme.dll,#64\",\n \"PRINTUI.DLL,PrintUIEntry\",\n \"?:\\\\Windows\\\\System32\\\\FirewallControlPanel.dll,ShowNotificationDialog\",\n \"?:\\\\WINDOWS\\\\system32\\\\Speech\\\\SpeechUX\\\\sapi.cpl\",\n \"?:\\\\Windows\\\\system32\\\\shell32.dll,OpenAs_RunDLL\")) and\n\n not (process.name : \"cscript.exe\" and process.args : 
\"?:\\\\WINDOWS\\\\system32\\\\calluxxprovider.vbs\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\powercfg.exe\" and process.args : \"?:\\\\WINDOWS\\\\inf\\\\PowerPlan.log\") and\n\n not (process.name : \"regsvr32.exe\" and process.args : \"?:\\\\Windows\\\\Help\\\\OEM\\\\scripts\\\\checkmui.dll\") and\n\n not (process.name : \"cmd.exe\" and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\oobe\\\\windeploy.exe\",\n \"?:\\\\Program Files (x86)\\\\ossec-agent\\\\wazuh-agent.exe\",\n \"?:\\\\Windows\\\\System32\\\\igfxCUIService.exe\",\n \"?:\\\\Windows\\\\Temp\\\\IE*.tmp\\\\IE*-support\\\\ienrcore.exe\"))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6_113", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_114.json b/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_114.json
deleted file mode 100644
index ad18614930c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cff92c41-2225-4763-b4ce-6f71e5bda5e6_114.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies process execution from suspicious default Windows directories. This may be abused by adversaries to hide malware in trusted paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Execution from Unusual Directory - Command Line", "note": "## Triage and analysis\n\n### Investigating Execution from Unusual Directory - Command Line\n\nThis rule looks for the execution of scripts from unusual directories. Attackers can use system or application paths to hide malware and make the execution less suspicious.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine which commands or scripts were executed.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of parent process executable and command line conditions.\n\n### Related rules\n\n- Process Execution from an Unusual Directory - ebfe1448-7fac-4d59-acea-181bd89b1f7f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"wscript.exe\",\n \"cscript.exe\",\n \"rundll32.exe\",\n \"regsvr32.exe\",\n \"cmstp.exe\",\n \"RegAsm.exe\",\n \"installutil.exe\",\n \"mshta.exe\",\n \"RegSvcs.exe\",\n \"powershell.exe\",\n \"pwsh.exe\",\n \"cmd.exe\") and\n\n /* add suspicious execution paths here */\n process.args : (\"C:\\\\PerfLogs\\\\*\",\n \"C:\\\\Users\\\\Public\\\\*\",\n \"C:\\\\Windows\\\\Tasks\\\\*\",\n \"C:\\\\Intel\\\\*\",\n \"C:\\\\AMD\\\\Temp\\\\*\",\n \"C:\\\\Windows\\\\AppReadiness\\\\*\",\n \"C:\\\\Windows\\\\ServiceState\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\IdentityCRL\\\\*\",\n \"C:\\\\Windows\\\\Branding\\\\*\",\n \"C:\\\\Windows\\\\csc\\\\*\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*\",\n \"C:\\\\Windows\\\\en-US\\\\*\",\n \"C:\\\\Windows\\\\wlansvc\\\\*\",\n \"C:\\\\Windows\\\\Prefetch\\\\*\",\n \"C:\\\\Windows\\\\Fonts\\\\*\",\n \"C:\\\\Windows\\\\diagnostics\\\\*\",\n \"C:\\\\Windows\\\\TAPI\\\\*\",\n \"C:\\\\Windows\\\\INF\\\\*\",\n \"C:\\\\Windows\\\\System32\\\\Speech\\\\*\",\n \"C:\\\\windows\\\\tracing\\\\*\",\n \"c:\\\\windows\\\\IME\\\\*\",\n \"c:\\\\Windows\\\\Performance\\\\*\",\n \"c:\\\\windows\\\\intel\\\\*\",\n \"c:\\\\windows\\\\ms\\\\*\",\n \"C:\\\\Windows\\\\dot3svc\\\\*\",\n \"C:\\\\Windows\\\\panther\\\\*\",\n \"C:\\\\Windows\\\\RemotePackages\\\\*\",\n \"C:\\\\Windows\\\\OCR\\\\*\",\n \"C:\\\\Windows\\\\appcompat\\\\*\",\n \"C:\\\\Windows\\\\apppatch\\\\*\",\n \"C:\\\\Windows\\\\addins\\\\*\",\n \"C:\\\\Windows\\\\Setup\\\\*\",\n 
\"C:\\\\Windows\\\\Help\\\\*\",\n \"C:\\\\Windows\\\\SKB\\\\*\",\n \"C:\\\\Windows\\\\Vss\\\\*\",\n \"C:\\\\Windows\\\\servicing\\\\*\",\n \"C:\\\\Windows\\\\CbsTemp\\\\*\",\n \"C:\\\\Windows\\\\Logs\\\\*\",\n \"C:\\\\Windows\\\\WaaS\\\\*\",\n \"C:\\\\Windows\\\\twain_32\\\\*\",\n \"C:\\\\Windows\\\\ShellExperiences\\\\*\",\n \"C:\\\\Windows\\\\ShellComponents\\\\*\",\n \"C:\\\\Windows\\\\PLA\\\\*\",\n \"C:\\\\Windows\\\\Migration\\\\*\",\n \"C:\\\\Windows\\\\debug\\\\*\",\n \"C:\\\\Windows\\\\Cursors\\\\*\",\n \"C:\\\\Windows\\\\Containers\\\\*\",\n \"C:\\\\Windows\\\\Boot\\\\*\",\n \"C:\\\\Windows\\\\bcastdvr\\\\*\",\n \"C:\\\\Windows\\\\TextInput\\\\*\",\n \"C:\\\\Windows\\\\security\\\\*\",\n \"C:\\\\Windows\\\\schemas\\\\*\",\n \"C:\\\\Windows\\\\SchCache\\\\*\",\n \"C:\\\\Windows\\\\Resources\\\\*\",\n \"C:\\\\Windows\\\\rescache\\\\*\",\n \"C:\\\\Windows\\\\Provisioning\\\\*\",\n \"C:\\\\Windows\\\\PrintDialog\\\\*\",\n \"C:\\\\Windows\\\\PolicyDefinitions\\\\*\",\n \"C:\\\\Windows\\\\media\\\\*\",\n \"C:\\\\Windows\\\\Globalization\\\\*\",\n \"C:\\\\Windows\\\\L2Schemas\\\\*\",\n \"C:\\\\Windows\\\\LiveKernelReports\\\\*\",\n \"C:\\\\Windows\\\\ModemLogs\\\\*\",\n \"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*\",\n \"C:\\\\$Recycle.Bin\\\\*\") and\n\n /* noisy FP patterns */\n\n not process.parent.executable : (\"C:\\\\WINDOWS\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\igfxCUIService*.exe\",\n \"C:\\\\Windows\\\\System32\\\\spacedeskService.exe\",\n \"C:\\\\Program Files\\\\Dell\\\\SupportAssistAgent\\\\SRE\\\\SRE.exe\") and\n not (process.name : \"rundll32.exe\" and\n process.args : (\"uxtheme.dll,#64\",\n \"PRINTUI.DLL,PrintUIEntry\",\n \"?:\\\\Windows\\\\System32\\\\FirewallControlPanel.dll,ShowNotificationDialog\",\n \"?:\\\\WINDOWS\\\\system32\\\\Speech\\\\SpeechUX\\\\sapi.cpl\",\n \"?:\\\\Windows\\\\system32\\\\shell32.dll,OpenAs_RunDLL\")) and\n\n not (process.name : \"cscript.exe\" and process.args : 
\"?:\\\\WINDOWS\\\\system32\\\\calluxxprovider.vbs\") and\n\n not (process.name : \"cmd.exe\" and process.args : \"?:\\\\WINDOWS\\\\system32\\\\powercfg.exe\" and process.args : \"?:\\\\WINDOWS\\\\inf\\\\PowerPlan.log\") and\n\n not (process.name : \"regsvr32.exe\" and process.args : \"?:\\\\Windows\\\\Help\\\\OEM\\\\scripts\\\\checkmui.dll\") and\n\n not (process.name : \"cmd.exe\" and\n process.parent.executable : (\"?:\\\\Windows\\\\System32\\\\oobe\\\\windeploy.exe\",\n \"?:\\\\Program Files (x86)\\\\ossec-agent\\\\wazuh-agent.exe\",\n \"?:\\\\Windows\\\\System32\\\\igfxCUIService.exe\",\n \"?:\\\\Windows\\\\Temp\\\\IE*.tmp\\\\IE*-support\\\\ienrcore.exe\"))\n", "references": ["https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper", "https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: 
Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 114}, "id": "cff92c41-2225-4763-b4ce-6f71e5bda5e6_114", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cffbaf47-9391-4e09-a83c-1f27d7474826.json b/packages/security_detection_engine/kibana/security_rule/cffbaf47-9391-4e09-a83c-1f27d7474826.json
deleted file mode 100644
index db0085590ac..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cffbaf47-9391-4e09-a83c-1f27d7474826.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the creation of an archive file with an unusual extension. Attackers may attempt to evade detection by masquerading files using the file extension values used by image, audio, or document file types.", "from": "now-9m", "index": ["logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Archive File with Unusual Extension", "query": "file where host.os.type == \"windows\" and event.action != \"deletion\" and\n\n /* common archive file headers - Rar, 7z, GZIP, MSCF, XZ, ZIP */\n file.Ext.header_bytes : (\"52617221*\", \"377ABCAF271C*\", \"1F8B*\", \"4d534346*\", \"FD377A585A00*\", \"504B0304*\", \"504B0708*\") and\n\n (\n /* common image file extensions */\n file.extension : (\"jpg\", \"jpeg\", \"emf\", \"tiff\", \"gif\", \"png\", \"bmp\", \"ico\", \"fpx\", \"eps\", \"inf\") or\n\n /* common audio and video file extensions */\n file.extension : (\"mp3\", \"wav\", \"avi\", \"mpeg\", \"flv\", \"wma\", \"wmv\", \"mov\", \"mp4\", \"3gp\") or\n\n /* common document file extensions */\n (file.extension : (\"doc\", \"docx\", \"rtf\", \"ppt\", \"pptx\", \"xls\", \"xlsx\") and\n\n /* exclude ZIP file header values for OPENXML documents */\n not file.Ext.header_bytes : (\"504B0304*\", \"504B0708*\"))\n ) and\n\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\" and file.path : \"?:\\\\inetpub\\\\temp\\\\IIS Temporary Compressed Files\\\\*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}],
"risk_score": 21, "rule_id": "cffbaf47-9391-4e09-a83c-1f27d7474826", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.008", "name": "Masquerade File Type", "reference": "https://attack.mitre.org/techniques/T1036/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "cffbaf47-9391-4e09-a83c-1f27d7474826", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/cffbaf47-9391-4e09-a83c-1f27d7474826_1.json b/packages/security_detection_engine/kibana/security_rule/cffbaf47-9391-4e09-a83c-1f27d7474826_1.json
deleted file mode 100644
index 696740668cd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/cffbaf47-9391-4e09-a83c-1f27d7474826_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the creation of an archive file with an unusual extension. Attackers may attempt to evade detection by masquerading files using the file extension values used by image, audio, or document file types.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Archive File with Unusual Extension", "query": "file where host.os.type == \"windows\" and event.action != \"deletion\" and\n\n /* common archive file headers - Rar, 7z, GZIP, MSCF, XZ, ZIP */\n file.Ext.header_bytes : (\"52617221*\", \"377ABCAF271C*\", \"1F8B*\", \"4d534346*\", \"FD377A585A00*\", \"504B0304*\", \"504B0708*\") and\n\n (\n /* common image file extensions */\n file.extension : (\"jpg\", \"jpeg\", \"emf\", \"tiff\", \"gif\", \"png\", \"bmp\", \"ico\", \"fpx\", \"eps\", \"inf\") or\n\n /* common audio and video file extensions */\n file.extension : (\"mp3\", \"wav\", \"avi\", \"mpeg\", \"flv\", \"wma\", \"wmv\", \"mov\", \"mp4\", \"3gp\") or\n\n /* common document file extensions */\n (file.extension : (\"doc\", \"docx\", \"rtf\", \"ppt\", \"pptx\", \"xls\", \"xlsx\") and\n\n /* exclude ZIP file header values for OPENXML documents */\n not file.Ext.header_bytes : (\"504B0304*\", \"504B0708*\"))\n ) and\n\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\" and file.path : \"?:\\\\inetpub\\\\temp\\\\IIS Temporary Compressed Files\\\\*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}],
"risk_score": 21, "rule_id": "cffbaf47-9391-4e09-a83c-1f27d7474826", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.008", "name": "Masquerade File Type", "reference": "https://attack.mitre.org/techniques/T1036/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "cffbaf47-9391-4e09-a83c-1f27d7474826_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4.json b/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4.json
deleted file mode 100644
index 5b8aeb943f7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious usage of unshare to manipulate system namespaces. Unshare can be utilized to escalate privileges or escape container security boundaries. Threat actors have utilized this binary to allow themselves to escape to the host and access other resources or escalate privileges.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Namespace Manipulation Using Unshare", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.executable: \"/usr/bin/unshare\" and\nnot process.parent.executable: (\"/usr/bin/udevadm\", \"*/lib/systemd/systemd-udevd\", \"/usr/bin/unshare\") and\nnot process.args == \"/usr/bin/snap\" and not process.parent.name in (\"zz-proxmox-boot\", \"java\")\n", "references": ["https://man7.org/linux/man-pages/man1/unshare.1.html", "https://www.crowdstrike.com/blog/cve-2022-0185-kubernetes-container-escape-using-linux-kernel-exploit/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "d00f33e7-b57d-4023-9952-2db91b1767c4", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 9}, "id": "d00f33e7-b57d-4023-9952-2db91b1767c4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_4.json b/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_4.json
deleted file mode 100644
index e7ccc427ac9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious usage of unshare to manipulate system namespaces. Unshare can be utilized to escalate privileges or escape container security boundaries. Threat actors have utilized this binary to allow themselves to escape to the host and access other resources or escalate privileges.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Namespace Manipulation Using Unshare", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.executable: \"/usr/bin/unshare\" and\nnot process.parent.executable: (\"/usr/bin/udevadm\", \"*/lib/systemd/systemd-udevd\", \"/usr/bin/unshare\") and\nnot process.args : \"/usr/bin/snap\"\n", "references": ["https://man7.org/linux/man-pages/man1/unshare.1.html", "https://www.crowdstrike.com/blog/cve-2022-0185-kubernetes-container-escape-using-linux-kernel-exploit/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "d00f33e7-b57d-4023-9952-2db91b1767c4", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}],
"timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "d00f33e7-b57d-4023-9952-2db91b1767c4_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_5.json b/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_5.json
deleted file mode 100644
index 24d2923357e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious usage of unshare to manipulate system namespaces. Unshare can be utilized to escalate privileges or escape container security boundaries. Threat actors have utilized this binary to allow themselves to escape to the host and access other resources or escalate privileges.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Namespace Manipulation Using Unshare", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.executable: \"/usr/bin/unshare\" and\nnot process.parent.executable: (\"/usr/bin/udevadm\", \"*/lib/systemd/systemd-udevd\", \"/usr/bin/unshare\") and\nnot process.args : \"/usr/bin/snap\"\n", "references": ["https://man7.org/linux/man-pages/man1/unshare.1.html", "https://www.crowdstrike.com/blog/cve-2022-0185-kubernetes-container-escape-using-linux-kernel-exploit/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "d00f33e7-b57d-4023-9952-2db91b1767c4", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": 
"https://attack.mitre.org/techniques/T1543/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "d00f33e7-b57d-4023-9952-2db91b1767c4_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_6.json b/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_6.json
deleted file mode 100644
index ff5008b8df7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious usage of unshare to manipulate system namespaces. Unshare can be utilized to escalate privileges or escape container security boundaries. Threat actors have utilized this binary to allow themselves to escape to the host and access other resources or escalate privileges.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Namespace Manipulation Using Unshare", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.executable: \"/usr/bin/unshare\" and\nnot process.parent.executable: (\"/usr/bin/udevadm\", \"*/lib/systemd/systemd-udevd\", \"/usr/bin/unshare\") and\nnot process.args : \"/usr/bin/snap\"\n", "references": ["https://man7.org/linux/man-pages/man1/unshare.1.html", "https://www.crowdstrike.com/blog/cve-2022-0185-kubernetes-container-escape-using-linux-kernel-exploit/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "d00f33e7-b57d-4023-9952-2db91b1767c4", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System 
Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "d00f33e7-b57d-4023-9952-2db91b1767c4_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_7.json b/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_7.json
deleted file mode 100644
index ab79d3b67d9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious usage of unshare to manipulate system namespaces. Unshare can be utilized to escalate privileges or escape container security boundaries. Threat actors have utilized this binary to allow themselves to escape to the host and access other resources or escalate privileges.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Namespace Manipulation Using Unshare", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.executable: \"/usr/bin/unshare\" and\nnot process.parent.executable: (\"/usr/bin/udevadm\", \"*/lib/systemd/systemd-udevd\", \"/usr/bin/unshare\") and\nnot process.args : \"/usr/bin/snap\"\n", "references": ["https://man7.org/linux/man-pages/man1/unshare.1.html", "https://www.crowdstrike.com/blog/cve-2022-0185-kubernetes-container-escape-using-linux-kernel-exploit/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "d00f33e7-b57d-4023-9952-2db91b1767c4", "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "d00f33e7-b57d-4023-9952-2db91b1767c4_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_8.json b/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_8.json
deleted file mode 100644
index f8eea83a954..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d00f33e7-b57d-4023-9952-2db91b1767c4_8.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious usage of unshare to manipulate system namespaces. Unshare can be utilized to escalate privileges or escape container security boundaries. Threat actors have utilized this binary to allow themselves to escape to the host and access other resources or escalate privileges.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Namespace Manipulation Using Unshare", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action : (\"exec\", \"exec_event\") and\nprocess.executable: \"/usr/bin/unshare\" and\nnot process.parent.executable: (\"/usr/bin/udevadm\", \"*/lib/systemd/systemd-udevd\", \"/usr/bin/unshare\") and\nnot process.args : \"/usr/bin/snap\"\n", "references": ["https://man7.org/linux/man-pages/man1/unshare.1.html", "https://www.crowdstrike.com/blog/cve-2022-0185-kubernetes-container-escape-using-linux-kernel-exploit/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "d00f33e7-b57d-4023-9952-2db91b1767c4", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "d00f33e7-b57d-4023-9952-2db91b1767c4_8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d0b0f3ed-0b37-44bf-adee-e8cb7de92767.json b/packages/security_detection_engine/kibana/security_rule/d0b0f3ed-0b37-44bf-adee-e8cb7de92767.json
deleted file mode 100644
index 1767ae32483..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d0b0f3ed-0b37-44bf-adee-e8cb7de92767.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying cloud environment.", "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "AWS Credentials Searched For Inside A Container", "query": "process where event.module == \"cloud_defend\" and \n event.type == \"start\" and\n \n/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/\n(process.name : (\"grep\", \"egrep\", \"fgrep\", \"find\", \"locate\", \"mlocate\") or process.args : (\"grep\", \"egrep\", \"fgrep\", \"find\", \"locate\", \"mlocate\")) and \nprocess.args : (\"*aws_access_key_id*\", \"*aws_secret_access_key*\", \"*aws_session_token*\", \"*accesskeyid*\", \"*secretaccesskey*\", \"*access_key*\", \"*.aws/credentials*\")\n", "references": ["https://sysdig.com/blog/threat-detection-aws-cloud-containers/"], "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "event.module", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "d0b0f3ed-0b37-44bf-adee-e8cb7de92767", "severity": "medium", "tags": ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured 
Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.001", "name": "Credentials In Files", "reference": "https://attack.mitre.org/techniques/T1552/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "d0b0f3ed-0b37-44bf-adee-e8cb7de92767", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855.json b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855.json
deleted file mode 100644
index 6372beca068..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppInit DLL", "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - !{osquery{\"label\":\"Osquery - Retrieve AppInit Registry Value\",\"query\":\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows' or\\nr.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows') and r.name ==\\n'AppInit_DLLs'\\n\"}}\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\"\n ) and\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\Display.NvContainer\\\\NVDisplay.Container.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Program Files\\\\Commvault\\\\Base\\\\cvd.exe\",\n \"?:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"?:\\\\Program Files (x86)\\\\Commvault\\\\Base\\\\cvd.exe\",\n \"?:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"?:\\\\Program Files\\\\NVIDIA Corporation\\\\Display.NvContainer\\\\NVDisplay.Container.exe\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": 
"d0e159cf-73e9-40d1-a9ed-077e3158a855", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.010", "name": "AppInit DLLs", "reference": "https://attack.mitre.org/techniques/T1546/010/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "d0e159cf-73e9-40d1-a9ed-077e3158a855", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_102.json b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_102.json
deleted file mode 100644
index 0c088f5007c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppInit DLL", "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - $osquery_0\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_1\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_2\n - $osquery_3\n - $osquery_4\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\"\n ) and not process.executable : (\n \"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"C:\\\\Program Files 
(x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "d0e159cf-73e9-40d1-a9ed-077e3158a855", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.010", "name": "AppInit DLLs", "reference": "https://attack.mitre.org/techniques/T1546/010/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "d0e159cf-73e9-40d1-a9ed-077e3158a855_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_103.json b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_103.json deleted file mode 100644 index d6d1de2892d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppInit DLL", "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - !{osquery{\"label\":\"Osquery - Retrieve AppInit Registry Value\",\"query\":\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows' or\\nr.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows') and r.name ==\\n'AppInit_DLLs'\\n\"}}\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\"\n ) and not process.executable : (\n \"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"C:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "d0e159cf-73e9-40d1-a9ed-077e3158a855", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", 
"Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.010", "name": "AppInit DLLs", "reference": "https://attack.mitre.org/techniques/T1546/010/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "d0e159cf-73e9-40d1-a9ed-077e3158a855_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_104.json b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_104.json deleted file mode 100644 index 34a2e572049..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppInit DLL", "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - !{osquery{\"label\":\"Osquery - Retrieve AppInit Registry Value\",\"query\":\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows' or\\nr.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows') and r.name ==\\n'AppInit_DLLs'\\n\"}}\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\"\n ) and not process.executable : (\n \"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"C:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "d0e159cf-73e9-40d1-a9ed-077e3158a855", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: 
Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.010", "name": "AppInit DLLs", "reference": "https://attack.mitre.org/techniques/T1546/010/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "d0e159cf-73e9-40d1-a9ed-077e3158a855_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_105.json b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_105.json deleted file mode 100644 index 5c2aaba166e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppInit DLL", "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - !{osquery{\"label\":\"Osquery - Retrieve AppInit Registry Value\",\"query\":\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows' or\\nr.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows') and r.name ==\\n'AppInit_DLLs'\\n\"}}\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\"\n ) and not process.executable : (\n \"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"C:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "d0e159cf-73e9-40d1-a9ed-077e3158a855", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: 
Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.010", "name": "AppInit DLLs", "reference": "https://attack.mitre.org/techniques/T1546/010/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "d0e159cf-73e9-40d1-a9ed-077e3158a855_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_106.json b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_106.json deleted file mode 100644 index 7cad463a10d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppInit DLL", "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - !{osquery{\"label\":\"Osquery - Retrieve AppInit Registry Value\",\"query\":\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows' or\\nr.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows') and r.name ==\\n'AppInit_DLLs'\\n\"}}\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\"\n ) and not process.executable : (\n \"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"C:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "d0e159cf-73e9-40d1-a9ed-077e3158a855", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: 
Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.010", "name": "AppInit DLLs", "reference": "https://attack.mitre.org/techniques/T1546/010/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "d0e159cf-73e9-40d1-a9ed-077e3158a855_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_107.json b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_107.json deleted file mode 100644 index ea1623d161c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppInit DLL", "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - !{osquery{\"label\":\"Osquery - Retrieve AppInit Registry Value\",\"query\":\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows' or\\nr.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows') and r.name ==\\n'AppInit_DLLs'\\n\"}}\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\"\n ) and not process.executable : (\n \"C:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"C:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"C:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "d0e159cf-73e9-40d1-a9ed-077e3158a855", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.010", "name": "AppInit DLLs", "reference": "https://attack.mitre.org/techniques/T1546/010/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "d0e159cf-73e9-40d1-a9ed-077e3158a855_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_108.json b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_108.json deleted file mode 100644 index b49af774382..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppInit DLL", "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - !{osquery{\"label\":\"Osquery - Retrieve AppInit Registry Value\",\"query\":\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows' or\\nr.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows') and r.name ==\\n'AppInit_DLLs'\\n\"}}\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\"\n ) and\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\Display.NvContainer\\\\NVDisplay.Container.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Program Files\\\\Commvault\\\\Base\\\\cvd.exe\",\n \"?:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"?:\\\\Program Files (x86)\\\\Commvault\\\\Base\\\\cvd.exe\",\n \"?:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"?:\\\\Program Files\\\\NVIDIA Corporation\\\\Display.NvContainer\\\\NVDisplay.Container.exe\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "d0e159cf-73e9-40d1-a9ed-077e3158a855", "setup": "\nIf enabling an EQL rule on a non-elastic-agent 
index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.010", "name": "AppInit DLLs", "reference": "https://attack.mitre.org/techniques/T1546/010/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "d0e159cf-73e9-40d1-a9ed-077e3158a855_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_109.json b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_109.json deleted file mode 100644 index ff918ce5167..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_109.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppInit DLL", "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - !{osquery{\"label\":\"Osquery - Retrieve AppInit Registry Value\",\"query\":\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows' or\\nr.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows') and r.name ==\\n'AppInit_DLLs'\\n\"}}\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\"\n ) and\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\Display.NvContainer\\\\NVDisplay.Container.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Program Files\\\\Commvault\\\\Base\\\\cvd.exe\",\n \"?:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"?:\\\\Program Files (x86)\\\\Commvault\\\\Base\\\\cvd.exe\",\n \"?:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"?:\\\\Program Files\\\\NVIDIA Corporation\\\\Display.NvContainer\\\\NVDisplay.Container.exe\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "d0e159cf-73e9-40d1-a9ed-077e3158a855", "setup": "## Setup\n\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.010", "name": "AppInit DLLs", "reference": "https://attack.mitre.org/techniques/T1546/010/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "d0e159cf-73e9-40d1-a9ed-077e3158a855_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_110.json b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_110.json
deleted file mode 100644
index ac3819f2eb0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppInit DLL", "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - !{osquery{\"label\":\"Osquery - Retrieve AppInit Registry Value\",\"query\":\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows' or\\nr.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows') and r.name ==\\n'AppInit_DLLs'\\n\"}}\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\"\n ) and\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\Display.NvContainer\\\\NVDisplay.Container.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Program Files\\\\Commvault\\\\Base\\\\cvd.exe\",\n \"?:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"?:\\\\Program Files (x86)\\\\Commvault\\\\Base\\\\cvd.exe\",\n \"?:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"?:\\\\Program Files\\\\NVIDIA Corporation\\\\Display.NvContainer\\\\NVDisplay.Container.exe\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "d0e159cf-73e9-40d1-a9ed-077e3158a855", "setup": "## Setup\n\nIf enabling an EQL rule on a 
non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.010", "name": "AppInit DLLs", "reference": "https://attack.mitre.org/techniques/T1546/010/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "d0e159cf-73e9-40d1-a9ed-077e3158a855_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_111.json b/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_111.json
deleted file mode 100644
index 5460da55874..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d0e159cf-73e9-40d1-a9ed-077e3158a855_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "AppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads user32.dll) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications. Attackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Registry Persistence via AppInit DLL", "note": "## Triage and analysis\n\n### Investigating Registry Persistence via AppInit DLL\n\nAppInit DLLs are dynamic-link libraries (DLLs) that are loaded into every process that creates a user interface (loads `user32.dll`) on Microsoft Windows operating systems. The AppInit DLL mechanism is used to load custom code into user-mode processes, allowing for the customization of the user interface and the behavior of Windows-based applications.\n\nAttackers who add those DLLs to the registry locations can execute code with elevated privileges, similar to process injection, and provide a solid and constant persistence on the machine.\n\nThis rule identifies modifications on the AppInit registry keys.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Review the source process and related DLL file tied to the Windows Registry entry.\n - Check whether the DLL is signed, and tied to a authorized program used on your environment.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Retrieve all DLLs under the AppInit registry keys:\n - !{osquery{\"label\":\"Osquery - Retrieve AppInit Registry Value\",\"query\":\"SELECT * FROM registry r where (r.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows' or\\nr.key == 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows') and r.name ==\\n'AppInit_DLLs'\\n\"}}\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable and the DLLs using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"HKLM\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_Dlls\"\n ) and\n not process.executable : (\n \"?:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\\\\Display.NvContainer\\\\NVDisplay.Container.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\",\n \"?:\\\\Program Files\\\\Commvault\\\\Base\\\\cvd.exe\",\n \"?:\\\\Program Files\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"?:\\\\Program Files (x86)\\\\Commvault\\\\Base\\\\cvd.exe\",\n \"?:\\\\Program Files (x86)\\\\Commvault\\\\ContentStore*\\\\Base\\\\cvd.exe\",\n \"?:\\\\Program Files\\\\NVIDIA Corporation\\\\Display.NvContainer\\\\NVDisplay.Container.exe\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": 
"d0e159cf-73e9-40d1-a9ed-077e3158a855", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.010", "name": "AppInit DLLs", "reference": "https://attack.mitre.org/techniques/T1546/010/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "d0e159cf-73e9-40d1-a9ed-077e3158a855_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0.json b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0.json
deleted file mode 100644
index 1490ec1815b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials.", "false_positives": ["Legitimate administrative activity related to shadow copies."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Symbolic Link to Shadow Copy Created", "note": "## Triage and analysis\n\n### Investigating Symbolic Link to Shadow Copy Created\n\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if a volume shadow copy was recently created on this endpoint.\n- Review privileges of the end user as this requires administrative access.\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\n- Investigate recent deletions of volume shadow copies.\n- Identify other files potentially copied from volume shadow copy paths directly.\n\n### False positive analysis\n\n- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Locate and remove static files copied from volume shadow copies.\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (?process.pe.original_file_name in (\"Cmd.Exe\",\"PowerShell.EXE\")) or\n (process.name : (\"cmd.exe\", \"powershell.exe\"))\n ) and\n\n /* Create Symbolic Link to Shadow Copies */\n process.args : (\"*mklink*\", \"*SymbolicLink*\") and process.command_line : (\"*HarddiskVolumeShadowCopy*\")\n", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink", "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", "https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/", "https://www.hackingarticles.in/credential-dumping-ntds-dit/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0", "setup": "## Setup\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was 
Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_104.json b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_104.json
deleted file mode 100644
index ebadda00b67..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials.", "false_positives": ["Legitimate administrative activity related to shadow copies."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Symbolic Link to Shadow Copy Created", "note": "## Triage and analysis\n\n### Investigating Symbolic Link to Shadow Copy Created\n\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if a volume shadow copy was recently created on this endpoint.\n- Review privileges of the end user as this requires administrative access.\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\n- Investigate recent deletions of volume shadow copies.\n- Identify other files potentially copied from volume shadow copy paths directly.\n\n### False positive analysis\n\n- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Locate and remove static files copied from volume shadow copies.\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\",\"PowerShell.EXE\") and\n\n /* Create Symbolic Link to Shadow Copies */\n process.args : (\"*mklink*\", \"*SymbolicLink*\") and process.command_line : (\"*HarddiskVolumeShadowCopy*\")\n", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink", "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", 
"https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/", "https://www.hackingarticles.in/credential-dumping-ntds-dit/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0", "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential 
Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_105.json b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_105.json deleted file mode 100644 index d162d446bf5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials.", "false_positives": ["Legitimate administrative activity related to shadow copies."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Symbolic Link to Shadow Copy Created", "note": "## Triage and analysis\n\n### Investigating Symbolic Link to Shadow Copy Created\n\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if a volume shadow copy was recently created on this endpoint.\n- Review privileges of the end user as this requires administrative access.\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\n- Investigate recent deletions of volume shadow copies.\n- Identify other files potentially copied from volume shadow copy paths directly.\n\n### False positive analysis\n\n- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Locate and remove static files copied from volume shadow copies.\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\",\"PowerShell.EXE\") and\n\n /* Create Symbolic Link to Shadow Copies */\n process.args : (\"*mklink*\", \"*SymbolicLink*\") and process.command_line : (\"*HarddiskVolumeShadowCopy*\")\n", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink", "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", 
"https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/", "https://www.hackingarticles.in/credential-dumping-ntds-dit/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0", "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, 
"technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_106.json b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_106.json deleted file mode 100644 index 0250e4e263b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials.", "false_positives": ["Legitimate administrative activity related to shadow copies."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Symbolic Link to Shadow Copy Created", "note": "## Triage and analysis\n\n### Investigating Symbolic Link to Shadow Copy Created\n\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if a volume shadow copy was recently created on this endpoint.\n- Review privileges of the end user as this requires administrative access.\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\n- Investigate recent deletions of volume shadow copies.\n- Identify other files potentially copied from volume shadow copy paths directly.\n\n### False positive analysis\n\n- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Locate and remove static files copied from volume shadow copies.\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\",\"PowerShell.EXE\") and\n\n /* Create Symbolic Link to Shadow Copies */\n process.args : (\"*mklink*\", \"*SymbolicLink*\") and process.command_line : (\"*HarddiskVolumeShadowCopy*\")\n", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink", "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", 
"https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/", "https://www.hackingarticles.in/credential-dumping-ntds-dit/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0", "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": 
"https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_107.json b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_107.json deleted file mode 100644 index 835a87ef28f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_107.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials.", "false_positives": ["Legitimate administrative activity related to shadow copies."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Symbolic Link to Shadow Copy Created", "note": "## Triage and analysis\n\n### Investigating Symbolic Link to Shadow Copy Created\n\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if a volume shadow copy was recently created on this endpoint.\n- Review privileges of the end user as this requires administrative access.\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\n- Investigate recent deletions of volume shadow copies.\n- Identify other files potentially copied from volume shadow copy paths directly.\n\n### False positive analysis\n\n- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Locate and remove static files copied from volume shadow copies.\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\",\"PowerShell.EXE\") and\n\n /* Create Symbolic Link to Shadow Copies */\n process.args : (\"*mklink*\", \"*SymbolicLink*\") and process.command_line : (\"*HarddiskVolumeShadowCopy*\")\n", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink", "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", 
"https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/", "https://www.hackingarticles.in/credential-dumping-ntds-dit/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0", "setup": "Ensure advanced audit policies for Windows are enabled, specifically:\nObject Access policies Event ID 4656 (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": 
"https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_108.json b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_108.json
deleted file mode 100644
index 2fee00a778f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials.", "false_positives": ["Legitimate administrative activity related to shadow copies."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Symbolic Link to Shadow Copy Created", "note": "## Triage and analysis\n\n### Investigating Symbolic Link to Shadow Copy Created\n\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if a volume shadow copy was recently created on this endpoint.\n- Review privileges of the end user as this requires administrative access.\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\n- Investigate recent deletions of volume shadow copies.\n- Identify other files potentially copied from volume shadow copy paths directly.\n\n### False positive analysis\n\n- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Locate and remove static files copied from volume shadow copies.\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name in (\"Cmd.Exe\",\"PowerShell.EXE\") and\n\n /* Create Symbolic Link to Shadow Copies */\n process.args : (\"*mklink*\", \"*SymbolicLink*\") and process.command_line : (\"*HarddiskVolumeShadowCopy*\")\n", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink", "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", "https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/", "https://www.hackingarticles.in/credential-dumping-ntds-dit/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0", "setup": "\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem 
Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_109.json b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_109.json
deleted file mode 100644
index 3cce273b38e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials.", "false_positives": ["Legitimate administrative activity related to shadow copies."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Symbolic Link to Shadow Copy Created", "note": "## Triage and analysis\n\n### Investigating Symbolic Link to Shadow Copy Created\n\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if a volume shadow copy was recently created on this endpoint.\n- Review privileges of the end user as this requires administrative access.\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\n- Investigate recent deletions of volume shadow copies.\n- Identify other files potentially copied from volume shadow copy paths directly.\n\n### False positive analysis\n\n- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Locate and remove static files copied from volume shadow copies.\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (process.pe.original_file_name in (\"Cmd.Exe\",\"PowerShell.EXE\")) or\n (process.name : (\"cmd.exe\", \"powershell.exe\"))\n ) and\n\n /* Create Symbolic Link to Shadow Copies */\n process.args : (\"*mklink*\", \"*SymbolicLink*\") and process.command_line : (\"*HarddiskVolumeShadowCopy*\")\n", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink", "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", "https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/", "https://www.hackingarticles.in/credential-dumping-ntds-dit/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0", "setup": "\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was 
Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_110.json b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_110.json
deleted file mode 100644
index 1eee15edb18..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials.", "false_positives": ["Legitimate administrative activity related to shadow copies."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Symbolic Link to Shadow Copy Created", "note": "## Triage and analysis\n\n### Investigating Symbolic Link to Shadow Copy Created\n\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes.
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if a volume shadow copy was recently created on this endpoint.\n- Review privileges of the end user as this requires administrative access.\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\n- Investigate recent deletions of volume shadow copies.\n- Identify other files potentially copied from volume shadow copy paths directly.\n\n### False positive analysis\n\n- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Locate and remove static files copied from volume shadow copies.\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (?process.pe.original_file_name in (\"Cmd.Exe\",\"PowerShell.EXE\")) or\n (process.name : (\"cmd.exe\", \"powershell.exe\"))\n ) and\n\n /* Create Symbolic Link to Shadow Copies */\n process.args : (\"*mklink*\", \"*SymbolicLink*\") and process.command_line : (\"*HarddiskVolumeShadowCopy*\")\n", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink", "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", "https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/", "https://www.hackingarticles.in/credential-dumping-ntds-dit/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0", "setup": "## Setup\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was 
Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_111.json b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_111.json
deleted file mode 100644
index 5907106c141..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials.", "false_positives": ["Legitimate administrative activity related to shadow copies."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Symbolic Link to Shadow Copy Created", "note": "## Triage and analysis\n\n### Investigating Symbolic Link to Shadow Copy Created\n\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if a volume shadow copy was recently created on this endpoint.\n- Review privileges of the end user as this requires administrative access.\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\n- Investigate recent deletions of volume shadow copies.\n- Identify other files potentially copied from volume shadow copy paths directly.\n\n### False positive analysis\n\n- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Locate and remove static files copied from volume shadow copies.\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (?process.pe.original_file_name in (\"Cmd.Exe\",\"PowerShell.EXE\")) or\n (process.name : (\"cmd.exe\", \"powershell.exe\"))\n ) and\n\n /* Create Symbolic Link to Shadow Copies */\n process.args : (\"*mklink*\", \"*SymbolicLink*\") and process.command_line : (\"*HarddiskVolumeShadowCopy*\")\n", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink", "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", "https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/", "https://www.hackingarticles.in/credential-dumping-ntds-dit/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0", "setup": "## Setup\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was 
Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_112.json b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_112.json
deleted file mode 100644
index 9630b32e52d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_112.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials.", "false_positives": ["Legitimate administrative activity related to shadow copies."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Symbolic Link to Shadow Copy Created", "note": "## Triage and analysis\n\n### Investigating Symbolic Link to Shadow Copy Created\n\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if a volume shadow copy was recently created on this endpoint.\n- Review privileges of the end user as this requires administrative access.\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\n- Investigate recent deletions of volume shadow copies.\n- Identify other files potentially copied from volume shadow copy paths directly.\n\n### False positive analysis\n\n- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Locate and remove static files copied from volume shadow copies.\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (?process.pe.original_file_name in (\"Cmd.Exe\",\"PowerShell.EXE\")) or\n (process.name : (\"cmd.exe\", \"powershell.exe\"))\n ) and\n\n /* Create Symbolic Link to Shadow Copies */\n process.args : (\"*mklink*\", \"*SymbolicLink*\") and process.command_line : (\"*HarddiskVolumeShadowCopy*\")\n", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink", "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", "https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/", "https://www.hackingarticles.in/credential-dumping-ntds-dit/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0", "setup": "## Setup\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was 
Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_312.json b/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_312.json
deleted file mode 100644
index be72f7bec51..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d117cbb4-7d56-41b4-b999-bdf8c25648a0_312.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the creation of symbolic links to a shadow copy. Symbolic links can be used to access files in the shadow copy, including sensitive files such as ntds.dit, System Boot Key and browser offline credentials.", "false_positives": ["Legitimate administrative activity related to shadow copies."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Symbolic Link to Shadow Copy Created", "note": "## Triage and analysis\n\n### Investigating Symbolic Link to Shadow Copy Created\n\nShadow copies are backups or snapshots of an endpoint's files or volumes while they are in use. Adversaries may attempt to discover and create symbolic links to these shadow copies in order to copy sensitive information offline. If Active Directory (AD) is in use, often the ntds.dit file is a target as it contains password hashes, but an offline copy is needed to extract these hashes and potentially conduct lateral movement.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if a volume shadow copy was recently created on this endpoint.\n- Review privileges of the end user as this requires administrative access.\n- Verify if the ntds.dit file was successfully copied and determine its copy destination.\n- Investigate for registry SYSTEM file copies made recently or saved via Reg.exe.\n- Investigate recent deletions of volume shadow copies.\n- Identify other files potentially copied from volume shadow copy paths directly.\n\n### False positive analysis\n\n- This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- If the entire domain or the `krbtgt` user was compromised:\n - Activate your incident response plan for total Active Directory compromise which should include, but not be limited to, a password reset (twice) of the `krbtgt` user.\n- Locate and remove static files copied from volume shadow copies.\n- Command-Line tool mklink should require administrative access by default unless in developer mode.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n (?process.pe.original_file_name in (\"Cmd.Exe\",\"PowerShell.EXE\")) or\n (process.name : (\"cmd.exe\", \"powershell.exe\"))\n ) and\n\n /* Create Symbolic Link to Shadow Copies */\n process.args : (\"*mklink*\", \"*SymbolicLink*\") and process.command_line : (\"*HarddiskVolumeShadowCopy*\")\n", "references": ["https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink", "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", "https://blog.netwrix.com/2021/11/30/extracting-password-hashes-from-the-ntds-dit-file/", "https://www.hackingarticles.in/credential-dumping-ntds-dit/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0", "setup": "## Setup\n\nEnsure advanced audit policies for Windows are enabled, specifically:\nObject 
Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested)\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nSystem Audit Policies >\nObject Access >\nAudit File System (Success,Failure)\nAudit Handle Manipulation (Success,Failure)\n```\n\nThis event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments.\nDirect access to a shell and calling symbolic link creation tools will not generate an event matching this rule.\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 312}, "id": "d117cbb4-7d56-41b4-b999-bdf8c25648a0_312", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d.json b/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d.json
deleted file mode 100644
index 3ee9acf9160..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to load a revoked or expired driver. Adversaries may bring outdated drivers with vulnerabilities to gain code execution in kernel mode or abuse revoked certificates to sign their drivers.", "from": "now-9m", "index": ["logs-endpoint.events.library-*"], "language": "eql", "license": "Elastic License v2", "name": "Expired or Revoked Driver Loaded", "query": "driver where host.os.type == \"windows\" and process.pid == 4 and\n dll.code_signature.status : (\"errorExpired\", \"errorRevoked\")\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "d12bac54-ab2a-4159-933f-d7bcefa7b61d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}]}], "timestamp_override": "event.ingested", "type": 
"eql", "version": 5}, "id": "d12bac54-ab2a-4159-933f-d7bcefa7b61d", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_1.json b/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_1.json
deleted file mode 100644
index 9ae4e0f51f9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies an attempt to load a revoked or expired driver. Adversaries may bring outdated drivers with vulnerabilities to gain code execution in kernel mode or abuse revoked certificates to sign their drivers.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Expired or Revoked Driver Loaded", "query": "driver where host.os.type == \"windows\" and process.pid == 4 and\n dll.code_signature.status : (\"errorExpired\", \"errorRevoked\")\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 21, "rule_id": "d12bac54-ab2a-4159-933f-d7bcefa7b61d", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "d12bac54-ab2a-4159-933f-d7bcefa7b61d_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_2.json b/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_2.json
deleted file mode 100644
index b3949aba0e6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies an attempt to load a revoked or expired driver. Adversaries may bring outdated drivers with vulnerabilities to gain code execution in kernel mode or abuse revoked certificates to sign their drivers.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Expired or Revoked Driver Loaded", "query": "driver where host.os.type == \"windows\" and process.pid == 4 and\n dll.code_signature.status : (\"errorExpired\", \"errorRevoked\")\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 21, "rule_id": "d12bac54-ab2a-4159-933f-d7bcefa7b61d", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "d12bac54-ab2a-4159-933f-d7bcefa7b61d_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_3.json b/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_3.json
deleted file mode 100644
index 81235f2f9ac..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to load a revoked or expired driver. Adversaries may bring outdated drivers with vulnerabilities to gain code execution in kernel mode or abuse revoked certificates to sign their drivers.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Expired or Revoked Driver Loaded", "query": "driver where host.os.type == \"windows\" and process.pid == 4 and\n dll.code_signature.status : (\"errorExpired\", \"errorRevoked\")\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 21, "rule_id": "d12bac54-ab2a-4159-933f-d7bcefa7b61d", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", 
"version": 3}, "id": "d12bac54-ab2a-4159-933f-d7bcefa7b61d_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_4.json b/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_4.json
deleted file mode 100644
index 9ebd6669016..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d12bac54-ab2a-4159-933f-d7bcefa7b61d_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an attempt to load a revoked or expired driver. Adversaries may bring outdated drivers with vulnerabilities to gain code execution in kernel mode or abuse revoked certificates to sign their drivers.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Expired or Revoked Driver Loaded", "query": "driver where host.os.type == \"windows\" and process.pid == 4 and\n dll.code_signature.status : (\"errorExpired\", \"errorRevoked\")\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "d12bac54-ab2a-4159-933f-d7bcefa7b61d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", 
"version": 4}, "id": "d12bac54-ab2a-4159-933f-d7bcefa7b61d_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d197478e-39f0-4347-a22f-ba654718b148.json b/packages/security_detection_engine/kibana/security_rule/d197478e-39f0-4347-a22f-ba654718b148.json deleted file mode 100644 index 400f3c7216c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d197478e-39f0-4347-a22f-ba654718b148.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the image load of a compression DLL. Adversaries will often compress and encrypt data in preparation for exfiltration.", "from": "now-119m", "index": ["logs-endpoint.events.library-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Compression DLL Loaded by Unusual Process", "query": "library where host.os.type == \"windows\" and event.action == \"load\" and\n dll.name : (\"System.IO.Compression.FileSystem.ni.dll\", \"System.IO.Compression.ni.dll\") and\n not \n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\mscorsvw.exe\",\n \"?:\\\\Windows\\\\System32\\\\sdiagnhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*\\\\OpenHandleCollector.exe\"\n ) and process.code_signature.trusted == true\n ) or\n (\n process.name : \"NuGet.exe\" and process.code_signature.trusted == true and user.id : (\"S-1-5-18\", \"S-1-5-20\")\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "d197478e-39f0-4347-a22f-ba654718b148", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", 
"Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "d197478e-39f0-4347-a22f-ba654718b148", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d197478e-39f0-4347-a22f-ba654718b148_1.json b/packages/security_detection_engine/kibana/security_rule/d197478e-39f0-4347-a22f-ba654718b148_1.json deleted file mode 100644 index 408b2be4a82..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d197478e-39f0-4347-a22f-ba654718b148_1.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the image load of a compression DLL. Adversaries will often compress and encrypt data in preparation for exfiltration.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Compression DLL Loaded by Unusual Process", "query": "library where \n dll.name : (\"System.IO.Compression.FileSystem.ni.dll\", \"System.IO.Compression.ni.dll\") and\n \n /* FP Patterns */\n not process.executable :\n (\"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\mscorsvw.exe\",\n \"?:\\\\Windows\\\\System32\\\\sdiagnhost.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "d197478e-39f0-4347-a22f-ba654718b148", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Endgame", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", "reference": "https://attack.mitre.org/techniques/T1560/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "d197478e-39f0-4347-a22f-ba654718b148_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d197478e-39f0-4347-a22f-ba654718b148_2.json b/packages/security_detection_engine/kibana/security_rule/d197478e-39f0-4347-a22f-ba654718b148_2.json
deleted file mode 100644
index e7f45cb0334..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d197478e-39f0-4347-a22f-ba654718b148_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the image load of a compression DLL. Adversaries will often compress and encrypt data in preparation for exfiltration.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Compression DLL Loaded by Unusual Process", "query": "library where \n dll.name : (\"System.IO.Compression.FileSystem.ni.dll\", \"System.IO.Compression.ni.dll\") and\n not \n (\n (\n process.executable : (\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\mscorsvw.exe\",\n \"?:\\\\Windows\\\\System32\\\\sdiagnhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*\\\\OpenHandleCollector.exe\"\n ) and process.code_signature.trusted == true\n ) or\n (\n process.name : \"NuGet.exe\" and process.code_signature.trusted == true and user.id : (\"S-1-5-18\", \"S-1-5-20\")\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "d197478e-39f0-4347-a22f-ba654718b148", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1560", "name": "Archive Collected Data", 
"reference": "https://attack.mitre.org/techniques/T1560/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "d197478e-39f0-4347-a22f-ba654718b148_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d1e5e410-3e34-412e-9b1f-dd500b3b55cd.json b/packages/security_detection_engine/kibana/security_rule/d1e5e410-3e34-412e-9b1f-dd500b3b55cd.json deleted file mode 100644 index 4c4e0b9b40e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d1e5e410-3e34-412e-9b1f-dd500b3b55cd.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a successful console login activity by an EC2 instance profile using an assumed role. This is uncommon behavior and could indicate an attacker using compromised credentials to further exploit an environment. An EC2 instance assumes a role using their EC2 ID as the session name. This rule looks for the pattern \"i-\" which is the beginning pattern for assumed role sessions started by an EC2 instance and a successful `ConsoleLogin` or `GetSigninToken` API call.", "false_positives": ["This is very uncommon behavior and should result in minimal false positives, ensure validity of the triggered event and include exceptions where necessary."], "from": "now-6m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "eql", "license": "Elastic License v2", "name": "AWS EC2 Instance Console Login via Assumed Role", "query": "any where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"signin.amazonaws.com\"\n and event.action in (\"ConsoleLogin\", \"GetSigninToken\") \n and event.outcome == \"success\"\n and aws.cloudtrail.user_identity.type == \"AssumedRole\"\n and stringContains (user.id, \":i-\")\n", "references": ["https://redcanary.com/blog/aws-sts/", "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.user_identity.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, "rule_id": "d1e5e410-3e34-412e-9b1f-dd500b3b55cd", "severity": "high", "tags": ["Domain: Cloud", "Data Source: AWS", "Data 
Source: Amazon Web Services", "Data Source: AWS EC2", "Data Source: AWS STS", "Use Case: Identity and Access Audit", "Tactic: Lateral Movement", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.007", "name": "Cloud Services", "reference": "https://attack.mitre.org/techniques/T1021/007/"}]}, {"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.001", "name": "Application Access Token", "reference": "https://attack.mitre.org/techniques/T1550/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "d1e5e410-3e34-412e-9b1f-dd500b3b55cd", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a.json b/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a.json deleted file mode 100644 index c300ad4ecdc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a suspicious zip file prepended with special characters. Sandboxed Microsoft Office applications on macOS are allowed to write files that start with special characters, which can be combined with an AutoStart location to achieve sandbox evasion.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Microsoft Office Sandbox Evasion", "query": "event.category:file and host.os.type:(macos and macos) and not event.type:deletion and file.name:~$*.zip\n", "references": ["https://i.blackhat.com/USA-20/Wednesday/us-20-Wardle-Office-Drama-On-macOS.pdf", "https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/", "https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "d22a85c6-d2ad-4cc4-bf7b-54787473669a", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1497", "name": "Virtualization/Sandbox Evasion", "reference": "https://attack.mitre.org/techniques/T1497/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "d22a85c6-d2ad-4cc4-bf7b-54787473669a", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_102.json b/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_102.json
deleted file mode 100644
index 367754f307c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a suspicious zip file prepended with special characters. Sandboxed Microsoft Office applications on macOS are allowed to write files that start with special characters, which can be combined with an AutoStart location to achieve sandbox evasion.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Microsoft Office Sandbox Evasion", "query": "event.category:file and host.os.type:macos and not event.type:deletion and file.name:~$*.zip and host.os.type:macos\n", "references": ["https://i.blackhat.com/USA-20/Wednesday/us-20-Wardle-Office-Drama-On-macOS.pdf", "https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/", "https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "d22a85c6-d2ad-4cc4-bf7b-54787473669a", "severity": "high", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1497", "name": "Virtualization/Sandbox Evasion", "reference": "https://attack.mitre.org/techniques/T1497/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "d22a85c6-d2ad-4cc4-bf7b-54787473669a_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_103.json b/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_103.json
deleted file mode 100644
index b03cc9b791d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a suspicious zip file prepended with special characters. Sandboxed Microsoft Office applications on macOS are allowed to write files that start with special characters, which can be combined with an AutoStart location to achieve sandbox evasion.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Microsoft Office Sandbox Evasion", "query": "event.category:file and host.os.type:(macos and macos) and not event.type:deletion and file.name:~$*.zip\n", "references": ["https://i.blackhat.com/USA-20/Wednesday/us-20-Wardle-Office-Drama-On-macOS.pdf", "https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/", "https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "d22a85c6-d2ad-4cc4-bf7b-54787473669a", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1497", "name": "Virtualization/Sandbox Evasion", "reference": "https://attack.mitre.org/techniques/T1497/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "d22a85c6-d2ad-4cc4-bf7b-54787473669a_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_104.json b/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_104.json
deleted file mode 100644
index 188b6c69b1e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a suspicious zip file prepended with special characters. Sandboxed Microsoft Office applications on macOS are allowed to write files that start with special characters, which can be combined with an AutoStart location to achieve sandbox evasion.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Microsoft Office Sandbox Evasion", "query": "event.category:file and host.os.type:(macos and macos) and not event.type:deletion and file.name:~$*.zip\n", "references": ["https://i.blackhat.com/USA-20/Wednesday/us-20-Wardle-Office-Drama-On-macOS.pdf", "https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/", "https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "d22a85c6-d2ad-4cc4-bf7b-54787473669a", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1497", "name": "Virtualization/Sandbox Evasion", "reference": "https://attack.mitre.org/techniques/T1497/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "d22a85c6-d2ad-4cc4-bf7b-54787473669a_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_105.json b/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_105.json
deleted file mode 100644
index 7a57777ce2a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d22a85c6-d2ad-4cc4-bf7b-54787473669a_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a suspicious zip file prepended with special characters. Sandboxed Microsoft Office applications on macOS are allowed to write files that start with special characters, which can be combined with an AutoStart location to achieve sandbox evasion.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Microsoft Office Sandbox Evasion", "query": "event.category:file and host.os.type:(macos and macos) and not event.type:deletion and file.name:~$*.zip\n", "references": ["https://i.blackhat.com/USA-20/Wednesday/us-20-Wardle-Office-Drama-On-macOS.pdf", "https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/", "https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "d22a85c6-d2ad-4cc4-bf7b-54787473669a", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1497", "name": "Virtualization/Sandbox Evasion", "reference": "https://attack.mitre.org/techniques/T1497/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "d22a85c6-d2ad-4cc4-bf7b-54787473669a_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404.json b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404.json
deleted file mode 100644
index eb053fa5ecb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Disabling User Account Control via Registry Modification", "note": "## Triage and analysis\n\n### Investigating Disabling User Account Control via Registry Modification\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nAttackers may disable UAC to execute code directly in high integrity. This rule identifies registry value changes to bypass the UAC protection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Analyze non-system processes executed with high integrity after UAC was disabled for unknown or suspicious processes.\n- Retrieve the suspicious processes' executables and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore UAC settings to the desired state.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path :\n (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\"\n ) and\n registry.data.strings : (\"0\", \"0x00000000\")\n", "references": ["https://www.greyhathacker.net/?p=796", "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings", "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": 
"keyword"}], "risk_score": 47, "rule_id": "d31f183a-e5b1-451b-8534-ba62bca0b404", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": 
"https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "d31f183a-e5b1-451b-8534-ba62bca0b404", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_104.json b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_104.json deleted file mode 100644 index 628939b2631..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Disabling User Account Control via Registry Modification", "note": "## Triage and analysis\n\n### Investigating Disabling User Account Control via Registry Modification\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nAttackers may disable UAC to execute code directly in high integrity. This rule identifies registry value changes to bypass the UAC protection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Analyze non-system processes executed with high integrity after UAC was disabled for unknown or suspicious processes.\n- Retrieve the suspicious processes' executables and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore UAC settings to the desired state.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path :\n (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\"\n ) and\n registry.data.strings : (\"0\", \"0x00000000\")\n", "references": ["https://www.greyhathacker.net/?p=796", "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings", "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": 
"keyword"}], "risk_score": 47, "rule_id": "d31f183a-e5b1-451b-8534-ba62bca0b404", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "d31f183a-e5b1-451b-8534-ba62bca0b404_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_105.json b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_105.json deleted file mode 100644 index 1e5f794b6f2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Disabling User Account Control via Registry Modification", "note": "## Triage and analysis\n\n### Investigating Disabling User Account Control via Registry Modification\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nAttackers may disable UAC to execute code directly in high integrity. This rule identifies registry value changes to bypass the UAC protection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Analyze non-system processes executed with high integrity after UAC was disabled for unknown or suspicious processes.\n- Retrieve the suspicious processes' executables and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore UAC settings to the desired state.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path :\n (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\"\n ) and\n registry.data.strings : (\"0\", \"0x00000000\")\n", "references": ["https://www.greyhathacker.net/?p=796", "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings", "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": 
"keyword"}], "risk_score": 47, "rule_id": "d31f183a-e5b1-451b-8534-ba62bca0b404", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "d31f183a-e5b1-451b-8534-ba62bca0b404_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_106.json b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_106.json deleted file mode 100644 index 2ce619fde7a..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Disabling User Account Control via Registry Modification", "note": "## Triage and analysis\n\n### Investigating Disabling User Account Control via Registry Modification\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nAttackers may disable UAC to execute code directly in high integrity. This rule identifies registry value changes to bypass the UAC protection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Analyze non-system processes executed with high integrity after UAC was disabled for unknown or suspicious processes.\n- Retrieve the suspicious processes' executables and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore UAC settings to the desired state.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path :\n (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\"\n ) and\n registry.data.strings : (\"0\", \"0x00000000\")\n", "references": ["https://www.greyhathacker.net/?p=796", "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings", "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": 
"keyword"}], "risk_score": 47, "rule_id": "d31f183a-e5b1-451b-8534-ba62bca0b404", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "d31f183a-e5b1-451b-8534-ba62bca0b404_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_107.json b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_107.json deleted file mode 100644 index 16a3b944290..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Disabling User Account Control via Registry Modification", "note": "## Triage and analysis\n\n### Investigating Disabling User Account Control via Registry Modification\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nAttackers may disable UAC to execute code directly in high integrity. This rule identifies registry value changes to bypass the UAC protection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Analyze non-system processes executed with high integrity after UAC was disabled for unknown or suspicious processes.\n- Retrieve the suspicious processes' executables and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore UAC settings to the desired state.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path :\n (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\"\n ) and\n registry.data.strings : (\"0\", \"0x00000000\")\n", "references": ["https://www.greyhathacker.net/?p=796", "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings", "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": 
"keyword"}], "risk_score": 47, "rule_id": "d31f183a-e5b1-451b-8534-ba62bca0b404", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}, {"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "d31f183a-e5b1-451b-8534-ba62bca0b404_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_108.json b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_108.json
deleted file mode 100644
index e1fd0b279e7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Disabling User Account Control via Registry Modification", "note": "## Triage and analysis\n\n### Investigating Disabling User Account Control via Registry Modification\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nAttackers may disable UAC to execute code directly in high integrity. This rule identifies registry value changes to bypass the UAC protection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Analyze non-system processes executed with high integrity after UAC was disabled for unknown or suspicious processes.\n- Retrieve the suspicious processes' executables and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore UAC settings to the desired state.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path :\n (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\"\n ) and\n registry.data.strings : (\"0\", \"0x00000000\")\n", "references": ["https://www.greyhathacker.net/?p=796", "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings", "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": 
"keyword"}], "risk_score": 47, "rule_id": "d31f183a-e5b1-451b-8534-ba62bca0b404", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}, {"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "d31f183a-e5b1-451b-8534-ba62bca0b404_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_109.json b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_109.json
deleted file mode 100644
index 25c7ec8ca57..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Disabling User Account Control via Registry Modification", "note": "## Triage and analysis\n\n### Investigating Disabling User Account Control via Registry Modification\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nAttackers may disable UAC to execute code directly in high integrity. This rule identifies registry value changes to bypass the UAC protection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Analyze non-system processes executed with high integrity after UAC was disabled for unknown or suspicious processes.\n- Retrieve the suspicious processes' executables and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore UAC settings to the desired state.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path :\n (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\"\n ) and\n registry.data.strings : (\"0\", \"0x00000000\")\n", "references": ["https://www.greyhathacker.net/?p=796", "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings", "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": 
"keyword"}], "risk_score": 47, "rule_id": "d31f183a-e5b1-451b-8534-ba62bca0b404", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}, {"id": "T1112", "name": "Modify Registry", "reference": 
"https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "d31f183a-e5b1-451b-8534-ba62bca0b404_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_110.json b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_110.json
deleted file mode 100644
index 5fddf40f98b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Disabling User Account Control via Registry Modification", "note": "## Triage and analysis\n\n### Investigating Disabling User Account Control via Registry Modification\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nAttackers may disable UAC to execute code directly in high integrity. This rule identifies registry value changes to bypass the UAC protection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Analyze non-system processes executed with high integrity after UAC was disabled for unknown or suspicious processes.\n- Retrieve the suspicious processes' executables and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore UAC settings to the desired state.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path :\n (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\"\n ) and\n registry.data.strings : (\"0\", \"0x00000000\")\n", "references": ["https://www.greyhathacker.net/?p=796", "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings", "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": 
"keyword"}], "risk_score": 47, "rule_id": "d31f183a-e5b1-451b-8534-ba62bca0b404", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}, {"id": "T1112", "name": "Modify Registry", "reference": 
"https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "d31f183a-e5b1-451b-8534-ba62bca0b404_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_111.json b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_111.json
deleted file mode 100644
index cfc063cc0c0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Disabling User Account Control via Registry Modification", "note": "## Triage and analysis\n\n### Investigating Disabling User Account Control via Registry Modification\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nAttackers may disable UAC to execute code directly in high integrity. This rule identifies registry value changes to bypass the UAC protection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Analyze non-system processes executed with high integrity after UAC was disabled for unknown or suspicious processes.\n- Retrieve the suspicious processes' executables and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore UAC settings to the desired state.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path :\n (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\"\n ) and\n registry.data.strings : (\"0\", \"0x00000000\")\n", "references": ["https://www.greyhathacker.net/?p=796", "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings", "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": 
"keyword"}], "risk_score": 47, "rule_id": "d31f183a-e5b1-451b-8534-ba62bca0b404", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": 
"https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "d31f183a-e5b1-451b-8534-ba62bca0b404_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_112.json b/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_112.json
deleted file mode 100644
index afceff6c66c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d31f183a-e5b1-451b-8534-ba62bca0b404_112.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "User Account Control (UAC) can help mitigate the impact of malware on Windows hosts. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. This rule identifies registry value changes to bypass User Access Control (UAC) protection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Disabling User Account Control via Registry Modification", "note": "## Triage and analysis\n\n### Investigating Disabling User Account Control via Registry Modification\n\nWindows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the local administrators group and enter an administrator password when prompted.\n\nFor more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).\n\nAttackers may disable UAC to execute code directly in high integrity. This rule identifies registry value changes to bypass the UAC protection.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behaviors in the alert timeframe.\n- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Analyze non-system processes executed with high integrity after UAC was disabled for unknown or suspicious processes.\n- Retrieve the suspicious processes' executables and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled tasks creation.\n - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore UAC settings to the desired state.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path :\n (\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\EnableLUA\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\ConsentPromptBehaviorAdmin\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\System\\\\PromptOnSecureDesktop\"\n ) and\n registry.data.strings : (\"0\", \"0x00000000\")\n", "references": ["https://www.greyhathacker.net/?p=796", "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings", "https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-overview", "https://www.elastic.co/security-labs/dissecting-remcos-rat-part-four"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", 
"type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "d31f183a-e5b1-451b-8534-ba62bca0b404", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", 
"name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "d31f183a-e5b1-451b-8534-ba62bca0b404_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61.json b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61.json
deleted file mode 100644
index 98b5938acaa..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Clearing Windows Event Logs", "note": "## Triage and analysis\n\n### Investigating Clearing Windows Event Logs\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the execution of the `wevtutil.exe` utility or the `Clear-EventLog` cmdlet to clear event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for this action.\n- Analyze whether the cleared event log is pertinent to security and general monitoring. 
Administrators can clear non-relevant event logs using this mechanism. If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.name : \"wevtutil.exe\" or ?process.pe.original_file_name == \"wevtutil.exe\") and\n process.args : (\"/e:false\", \"cl\", \"clear-log\")\n ) or\n (\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : \"Clear-EventLog\"\n )\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", 
"type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}, {"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "d331bbe2-6db4-4941-80a5-8270db72eb61", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_105.json b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_105.json
deleted file mode 100644
index d2c7f5ac6f4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Clearing Windows Event Logs", "note": "## Triage and analysis\n\n### Investigating Clearing Windows Event Logs\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the execution of the `wevtutil.exe` utility or the `Clear-EventLog` cmdlet to clear event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for this action.\n- Analyze whether the cleared event log is pertinent to security and general monitoring. 
Administrators can clear non-relevant event logs using this mechanism. If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.name : \"wevtutil.exe\" or process.pe.original_file_name == \"wevtutil.exe\") and\n process.args : (\"/e:false\", \"cl\", \"clear-log\")\n ) or\n (\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : \"Clear-EventLog\"\n )\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "d331bbe2-6db4-4941-80a5-8270db72eb61_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_106.json b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_106.json
deleted file mode 100644
index 539f81e2c1e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Clearing Windows Event Logs", "note": "## Triage and analysis\n\n### Investigating Clearing Windows Event Logs\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the execution of the `wevtutil.exe` utility or the `Clear-EventLog` cmdlet to clear event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for this action.\n- Analyze whether the cleared event log is pertinent to security and general monitoring. 
Administrators can clear non-relevant event logs using this mechanism. If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.name : \"wevtutil.exe\" or process.pe.original_file_name == \"wevtutil.exe\") and\n process.args : (\"/e:false\", \"cl\", \"clear-log\")\n ) or\n (\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : \"Clear-EventLog\"\n )\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "d331bbe2-6db4-4941-80a5-8270db72eb61_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_107.json b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_107.json
deleted file mode 100644
index c2b41ecada7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Clearing Windows Event Logs", "note": "## Triage and analysis\n\n### Investigating Clearing Windows Event Logs\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the execution of the `wevtutil.exe` utility or the `Clear-EventLog` cmdlet to clear event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for this action.\n- Analyze whether the cleared event log is pertinent to security and general monitoring. 
Administrators can clear non-relevant event logs using this mechanism. If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.name : \"wevtutil.exe\" or process.pe.original_file_name == \"wevtutil.exe\") and\n process.args : (\"/e:false\", \"cl\", \"clear-log\")\n ) or\n (\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : \"Clear-EventLog\"\n )\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "d331bbe2-6db4-4941-80a5-8270db72eb61_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_108.json b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_108.json
deleted file mode 100644
index 2c718df0b66..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Clearing Windows Event Logs", "note": "## Triage and analysis\n\n### Investigating Clearing Windows Event Logs\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the execution of the `wevtutil.exe` utility or the `Clear-EventLog` cmdlet to clear event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for this action.\n- Analyze whether the cleared event log is pertinent to security and general monitoring. 
Administrators can clear non-relevant event logs using this mechanism. If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.name : \"wevtutil.exe\" or process.pe.original_file_name == \"wevtutil.exe\") and\n process.args : (\"/e:false\", \"cl\", \"clear-log\")\n ) or\n (\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : \"Clear-EventLog\"\n )\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}, {"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "d331bbe2-6db4-4941-80a5-8270db72eb61_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_109.json b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_109.json
deleted file mode 100644
index 788873856dd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Clearing Windows Event Logs", "note": "## Triage and analysis\n\n### Investigating Clearing Windows Event Logs\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the execution of the `wevtutil.exe` utility or the `Clear-EventLog` cmdlet to clear event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for this action.\n- Analyze whether the cleared event log is pertinent to security and general monitoring. 
Administrators can clear non-relevant event logs using this mechanism. If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.name : \"wevtutil.exe\" or process.pe.original_file_name == \"wevtutil.exe\") and\n process.args : (\"/e:false\", \"cl\", \"clear-log\")\n ) or\n (\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : \"Clear-EventLog\"\n )\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}, {"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "d331bbe2-6db4-4941-80a5-8270db72eb61_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_110.json b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_110.json
deleted file mode 100644
index 6205f6ea63b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Clearing Windows Event Logs", "note": "## Triage and analysis\n\n### Investigating Clearing Windows Event Logs\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the execution of the `wevtutil.exe` utility or the `Clear-EventLog` cmdlet to clear event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for this action.\n- Analyze whether the cleared event log is pertinent to security and general monitoring. 
Administrators can clear non-relevant event logs using this mechanism. If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.name : \"wevtutil.exe\" or ?process.pe.original_file_name == \"wevtutil.exe\") and\n process.args : (\"/e:false\", \"cl\", \"clear-log\")\n ) or\n (\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : \"Clear-EventLog\"\n )\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", 
"type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}, {"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "d331bbe2-6db4-4941-80a5-8270db72eb61_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_111.json b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_111.json
deleted file mode 100644
index 1c87d2e2be9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Clearing Windows Event Logs", "note": "## Triage and analysis\n\n### Investigating Clearing Windows Event Logs\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the execution of the `wevtutil.exe` utility or the `Clear-EventLog` cmdlet to clear event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for this action.\n- Analyze whether the cleared event log is pertinent to security and general monitoring. 
Administrators can clear non-relevant event logs using this mechanism. If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.name : \"wevtutil.exe\" or ?process.pe.original_file_name == \"wevtutil.exe\") and\n process.args : (\"/e:false\", \"cl\", \"clear-log\")\n ) or\n (\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : \"Clear-EventLog\"\n )\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", 
"type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}, {"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "d331bbe2-6db4-4941-80a5-8270db72eb61_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_112.json b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_112.json
deleted file mode 100644
index 1ad5b25a9bb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_112.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Clearing Windows Event Logs", "note": "## Triage and analysis\n\n### Investigating Clearing Windows Event Logs\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the execution of the `wevtutil.exe` utility or the `Clear-EventLog` cmdlet to clear event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for this action.\n- Analyze whether the cleared event log is pertinent to security and general monitoring. 
Administrators can clear non-relevant event logs using this mechanism. If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.name : \"wevtutil.exe\" or ?process.pe.original_file_name == \"wevtutil.exe\") and\n process.args : (\"/e:false\", \"cl\", \"clear-log\")\n ) or\n (\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : \"Clear-EventLog\"\n )\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", 
"type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}, {"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "d331bbe2-6db4-4941-80a5-8270db72eb61_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_113.json b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_113.json
deleted file mode 100644
index b65f6d9c6c5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_113.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Clearing Windows Event Logs", "note": "## Triage and analysis\n\n### Investigating Clearing Windows Event Logs\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the execution of the `wevtutil.exe` utility or the `Clear-EventLog` cmdlet to clear event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for this action.\n- Analyze whether the cleared event log is pertinent to security and general monitoring. 
Administrators can clear non-relevant event logs using this mechanism. If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.name : \"wevtutil.exe\" or ?process.pe.original_file_name == \"wevtutil.exe\") and\n process.args : (\"/e:false\", \"cl\", \"clear-log\")\n ) or\n (\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : \"Clear-EventLog\"\n )\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", 
"type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}, {"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "d331bbe2-6db4-4941-80a5-8270db72eb61_113", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_114.json b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_114.json
deleted file mode 100644
index 2d306f30d35..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_114.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Clearing Windows Event Logs", "note": "## Triage and analysis\n\n### Investigating Clearing Windows Event Logs\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the execution of the `wevtutil.exe` utility or the `Clear-EventLog` cmdlet to clear event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for this action.\n- Analyze whether the cleared event log is pertinent to security and general monitoring. 
Administrators can clear non-relevant event logs using this mechanism. If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.name : \"wevtutil.exe\" or ?process.pe.original_file_name == \"wevtutil.exe\") and\n process.args : (\"/e:false\", \"cl\", \"clear-log\")\n ) or\n (\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : \"Clear-EventLog\"\n )\n)\n", "references": ["https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, 
{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}, {"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 114}, "id": "d331bbe2-6db4-4941-80a5-8270db72eb61_114", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_314.json b/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_314.json
deleted file mode 100644
index a7b91a8d6b2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d331bbe2-6db4-4941-80a5-8270db72eb61_314.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to clear or disable Windows event log stores using Windows wevetutil command. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Clearing Windows Event Logs", "note": "## Triage and analysis\n\n### Investigating Clearing Windows Event Logs\n\nWindows event logs are a fundamental data source for security monitoring, forensics, and incident response. Adversaries can tamper, clear, and delete this data to break SIEM detections, cover their tracks, and slow down incident response.\n\nThis rule looks for the execution of the `wevtutil.exe` utility or the `Clear-EventLog` cmdlet to clear event logs.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Investigate the event logs prior to the action for suspicious behaviors that an attacker may be trying to cover up.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity and there are justifications for this action.\n- Analyze whether the cleared event log is pertinent to security and general monitoring. Administrators can clear non-relevant event logs using this mechanism. If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - This activity is potentially done after the adversary achieves its objectives on the host. Ensure that previous actions, if any, are investigated accordingly with their response playbooks.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n (process.name : \"wevtutil.exe\" or ?process.pe.original_file_name == \"wevtutil.exe\") and\n process.args : (\"/e:false\", \"cl\", \"clear-log\")\n ) or\n (\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : \"Clear-EventLog\"\n )\n)\n", "references": ["https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "d331bbe2-6db4-4941-80a5-8270db72eb61", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.001", "name": "Clear Windows Event Logs", "reference": "https://attack.mitre.org/techniques/T1070/001/"}, {"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 314}, "id": "d331bbe2-6db4-4941-80a5-8270db72eb61_314", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1.json b/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1.json
deleted file mode 100644
index afd398221a8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a network logon followed by Windows service creation with same LogonId. This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Windows Service Installed", "query": "sequence by winlog.logon.id, winlog.computer_name with maxspan=1m\n[authentication where event.action == \"logged-in\" and winlog.logon.type : \"Network\" and\nevent.outcome==\"success\" and source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n[iam where event.action == \"service-installed\" and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and\n not winlog.event_data.ServiceFileName :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella 
Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")]\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ServiceFileName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.id", "type": "unknown"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "type": "eql", "version": 7}, "id": "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_4.json b/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_4.json
deleted file mode 100644
index e01c64501e4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a network logon followed by Windows service creation with same LogonId. This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Windows Service Installed", "query": "sequence by winlog.logon.id, winlog.computer_name with maxspan=1m\n[authentication where host.os.type == \"windows\" and event.action == \"logged-in\" and winlog.logon.type : \"Network\" and\nevent.outcome==\"success\" and source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n[iam where host.os.type == \"windows\" and event.action == \"service-installed\" and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and\n not winlog.event_data.ServiceFileName :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order 
Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")]\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ServiceFileName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.id", "type": "unknown"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "type": "eql", "version": 4}, "id": "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_4", "type": "security-rule"}
\ No newline at end of 
file
diff --git a/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_5.json b/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_5.json
deleted file mode 100644
index a6e9889ddf2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a network logon followed by Windows service creation with same LogonId. This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Windows Service Installed", "query": "sequence by winlog.logon.id, winlog.computer_name with maxspan=1m\n[authentication where event.action == \"logged-in\" and winlog.logon.type : \"Network\" and\nevent.outcome==\"success\" and source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n[iam where event.action == \"service-installed\" and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and\n not winlog.event_data.ServiceFileName :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella 
Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")]\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ServiceFileName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.id", "type": "unknown"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "type": "eql", "version": 5}, "id": "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_5", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_6.json b/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_6.json
deleted file mode 100644
index b6ea2bacf64..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a network logon followed by Windows service creation with same LogonId. This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Windows Service Installed", "query": "sequence by winlog.logon.id, winlog.computer_name with maxspan=1m\n[authentication where event.action == \"logged-in\" and winlog.logon.type : \"Network\" and\nevent.outcome==\"success\" and source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n[iam where event.action == \"service-installed\" and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and\n not winlog.event_data.ServiceFileName :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella 
Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")]\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ServiceFileName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.id", "type": "unknown"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "type": "eql", "version": 6}, "id": "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_6", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_7.json b/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_7.json
deleted file mode 100644
index e9fe2fb594c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a network logon followed by Windows service creation with same LogonId. This could be indicative of lateral movement, but will be noisy if commonly done by administrators.\"", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote Windows Service Installed", "query": "sequence by winlog.logon.id, winlog.computer_name with maxspan=1m\n[authentication where event.action == \"logged-in\" and winlog.logon.type : \"Network\" and\nevent.outcome==\"success\" and source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\"]\n[iam where event.action == \"service-installed\" and\n not winlog.event_data.SubjectLogonId : \"0x3e7\" and\n not winlog.event_data.ServiceFileName :\n (\"?:\\\\Windows\\\\ADCR_Agent\\\\adcrsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\VSSVC.exe\",\n \"?:\\\\Windows\\\\servicing\\\\TrustedInstaller.exe\",\n \"?:\\\\Windows\\\\System32\\\\svchost.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Windows\\\\PSEXESVC.EXE\",\n \"?:\\\\Windows\\\\System32\\\\sppsvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiApSrv.exe\",\n \"?:\\\\WINDOWS\\\\RemoteAuditService.exe\",\n \"?:\\\\Windows\\\\VeeamVssSupport\\\\VeeamGuestHelper.exe\",\n \"?:\\\\Windows\\\\VeeamLogShipper\\\\VeeamLogShipper.exe\",\n \"?:\\\\Windows\\\\CAInvokerService.exe\",\n \"?:\\\\Windows\\\\System32\\\\upfc.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQ*.exe\",\n \"?:\\\\Windows\\\\System32\\\\vds.exe\",\n \"?:\\\\Windows\\\\Veeam\\\\Backup\\\\VeeamDeploymentSvc.exe\",\n \"?:\\\\Windows\\\\ProPatches\\\\Scheduler\\\\STSchedEx.exe\",\n \"?:\\\\Windows\\\\System32\\\\certsrv.exe\",\n \"?:\\\\Windows\\\\eset-remote-install-service.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Pella 
Corporation\\\\OSCToGPAutoService\\\\OSCToGPAutoSvc.exe\",\n \"?:\\\\Pella Corporation\\\\Pella Order Management\\\\GPAutoSvc.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\NwxExeSvc\\\\NwxExeSvc.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostex.exe\")]\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ServiceFileName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.id", "type": "unknown"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "type": "eql", "version": 7}, "id": "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1_7", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/d3551433-782f-4e22-bbea-c816af2d41c6.json b/packages/security_detection_engine/kibana/security_rule/d3551433-782f-4e22-bbea-c816af2d41c6.json
deleted file mode 100644
index 0e2cd75fffe..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d3551433-782f-4e22-bbea-c816af2d41c6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Adversaries may abuse the WMI diagnostic tool, wbemtest.exe, to enumerate WMI object instances or invoke methods against local or remote endpoints.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "WMI WBEMTEST Utility Execution", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"wbemtest.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "d3551433-782f-4e22-bbea-c816af2d41c6", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "d3551433-782f-4e22-bbea-c816af2d41c6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d3551433-782f-4e22-bbea-c816af2d41c6_1.json b/packages/security_detection_engine/kibana/security_rule/d3551433-782f-4e22-bbea-c816af2d41c6_1.json deleted file mode 100644 index 58486c745c4..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/d3551433-782f-4e22-bbea-c816af2d41c6_1.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Adversaries may abuse the WMI diagnostic tool, wbemtest.exe, to enumerate WMI object instances or invoke methods against local or remote endpoints.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "WMI WBEMTEST Utility Execution", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"wbemtest.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "d3551433-782f-4e22-bbea-c816af2d41c6", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "d3551433-782f-4e22-bbea-c816af2d41c6_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d3551433-782f-4e22-bbea-c816af2d41c6_2.json b/packages/security_detection_engine/kibana/security_rule/d3551433-782f-4e22-bbea-c816af2d41c6_2.json deleted file mode 100644 index 57deb2b5812..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/d3551433-782f-4e22-bbea-c816af2d41c6_2.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Adversaries may abuse the WMI diagnostic tool, wbemtest.exe, to enumerate WMI object instances or invoke methods against local or remote endpoints.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "WMI WBEMTEST Utility Execution", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"wbemtest.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "d3551433-782f-4e22-bbea-c816af2d41c6", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "d3551433-782f-4e22-bbea-c816af2d41c6_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/d3551433-782f-4e22-bbea-c816af2d41c6_3.json b/packages/security_detection_engine/kibana/security_rule/d3551433-782f-4e22-bbea-c816af2d41c6_3.json
deleted file mode 100644
index 6f8f7f03bd8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d3551433-782f-4e22-bbea-c816af2d41c6_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Adversaries may abuse the WMI diagnostic tool, wbemtest.exe, to enumerate WMI object instances or invoke methods against local or remote endpoints.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "WMI WBEMTEST Utility Execution", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"wbemtest.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "d3551433-782f-4e22-bbea-c816af2d41c6", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "d3551433-782f-4e22-bbea-c816af2d41c6_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f.json b/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f.json deleted file mode 100644 index be81126801d..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Shell Execution via Apple Scripting", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\", \"info\") and process.name == \"osascript\" and process.args : \"-e\"] by process.entity_id\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : (\"sh\", \"bash\", \"zsh\") and process.args == \"-c\" and process.args : (\"*curl*\", \"*pbcopy*\", \"*http*\", \"*chmod*\")] by process.parent.entity_id\n", "references": ["https://developer.apple.com/library/archive/technotes/tn2065/_index.html", "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}], "risk_score": 47, "rule_id": "d461fac0-43e8-49e2-85ea-3a58fe120b4f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "type": "eql", "version": 107}, "id": "d461fac0-43e8-49e2-85ea-3a58fe120b4f", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_102.json b/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_102.json deleted file mode 100644 index 5afc2e5d102..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Shell Execution via Apple Scripting", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\", \"info\") and process.name == \"osascript\"] by process.pid\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"sh\" and process.args == \"-c\"] by process.parent.pid\n", "references": ["https://developer.apple.com/library/archive/technotes/tn2065/_index.html", "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "d461fac0-43e8-49e2-85ea-3a58fe120b4f", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "type": "eql", "version": 102}, "id": "d461fac0-43e8-49e2-85ea-3a58fe120b4f_102", 
"type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_103.json b/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_103.json deleted file mode 100644 index 67ea4817d75..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Shell Execution via Apple Scripting", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\", \"info\") and process.name == \"osascript\"] by process.pid\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"sh\" and process.args == \"-c\"] by process.parent.pid\n", "references": ["https://developer.apple.com/library/archive/technotes/tn2065/_index.html", "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "d461fac0-43e8-49e2-85ea-3a58fe120b4f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "type": "eql", "version": 103}, "id": 
"d461fac0-43e8-49e2-85ea-3a58fe120b4f_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_104.json b/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_104.json deleted file mode 100644 index 5f2dfb414c9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Shell Execution via Apple Scripting", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\", \"info\") and process.name == \"osascript\"] by process.pid\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"sh\" and process.args == \"-c\"] by process.parent.pid\n", "references": ["https://developer.apple.com/library/archive/technotes/tn2065/_index.html", "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "d461fac0-43e8-49e2-85ea-3a58fe120b4f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "type": "eql", "version": 
104}, "id": "d461fac0-43e8-49e2-85ea-3a58fe120b4f_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_105.json b/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_105.json
deleted file mode 100644
index f5ad44d8495..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Shell Execution via Apple Scripting", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\", \"info\") and process.name == \"osascript\"] by process.pid\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"sh\" and process.args == \"-c\"] by process.parent.pid\n", "references": ["https://developer.apple.com/library/archive/technotes/tn2065/_index.html", "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "d461fac0-43e8-49e2-85ea-3a58fe120b4f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "type": "eql", "version": 105}, "id": "d461fac0-43e8-49e2-85ea-3a58fe120b4f_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_106.json b/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_106.json
deleted file mode 100644
index db489dfeddf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d461fac0-43e8-49e2-85ea-3a58fe120b4f_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Shell Execution via Apple Scripting", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\", \"info\") and process.name == \"osascript\"] by process.pid\n [process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name == \"sh\" and process.args == \"-c\"] by process.parent.pid\n", "references": ["https://developer.apple.com/library/archive/technotes/tn2065/_index.html", "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 47, "rule_id": "d461fac0-43e8-49e2-85ea-3a58fe120b4f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "type": "eql", "version": 106}, "id": "d461fac0-43e8-49e2-85ea-3a58fe120b4f_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d488f026-7907-4f56-ad51-742feb3db01c.json b/packages/security_detection_engine/kibana/security_rule/d488f026-7907-4f56-ad51-742feb3db01c.json
deleted file mode 100644
index fb959946c28..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d488f026-7907-4f56-ad51-742feb3db01c.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when the `PutBucketReplication` operation is used to replicate S3 objects to a bucket in another AWS account. Adversaries may use bucket replication to exfiltrate sensitive data to an environment they control.", "false_positives": ["Bucket replication accross accounts is a legitimate practice in some AWS environments. Ensure that the sharing is authorized before taking action."], "from": "now-6m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "eql", "license": "Elastic License v2", "name": "AWS S3 Bucket Replicated to Another Account", "note": "## Triage and Analysis\n\n### Investigating AWS S3 Bucket Replicated to Another Account\n\nThis rule identifies when an S3 bucket is replicated to another AWS account. While sharing bucket replication is a common practice, adversaries may exploit this feature to exfiltrate data by replicating objects to external accounts under their control.\n\n#### Possible Investigation Steps\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Sharing Event**: Identify the S3 bucket involved and review the event details. Look for `PutBucketReplication` actions where an `Account` key-value pair is included signifying replication to an external account.\n - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` and `aws.cloudtrail.response_elements` fields in the CloudTrail event to identify the role used and account ID where the bucket was replicated.\n- **Verify the Shared Bucket**: Check the S3 bucket that was replicated and its contents to determine the sensitivity of the data stored within it.\n- **Validate External Account**: Examine the AWS account to which the bucket was replicated. 
Determine whether this account is known and previously authorized to access such resources.\n- **Contextualize with Recent Changes**: Compare this sharing event against recent changes in S3 configurations. Look for any other recent permissions changes or unusual administrative actions.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.\n- **Interview Relevant Personnel**: If the share was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing DB backups and snapshots.\n\n### False Positive Analysis\n\n- **Legitimate Backup Actions**: Confirm if the S3 bucket replication aligns with scheduled backups or legitimate automation tasks.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.\n\n### Response and Remediation\n\n- **Immediate Review and Reversal**: If the change was unauthorized, update the S3 configurations to remove any unauthorized replication rules.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.\n- **Policy Update**: Review and possibly update your organization\u2019s policies on S3 bucket/object sharing to tighten control and prevent unauthorized access.\n- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. 
This includes further investigation, containment, and recovery.\n\n### Additional Information:\n\nFor further guidance on managing and securing S3 buckets in AWS environments, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security.html/) and AWS best practices for security.\n", "query": "any where event.dataset == \"aws.cloudtrail\" \n and event.action == \"PutBucketReplication\"\n and event.outcome == \"success\" \n and stringContains(aws.cloudtrail.request_parameters, \"Account\")\n", "references": ["https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication-walkthrough-2.html/", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketReplication.html/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.request_parameters", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "d488f026-7907-4f56-ad51-742feb3db01c", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS S3", "Resources: Investigation Guide", "Use Case: Threat Detection", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "d488f026-7907-4f56-ad51-742feb3db01c", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f.json b/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f.json
deleted file mode 100644
index fe7f73f62f6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deleted and the behavior is expected."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Application", "note": "", "query": "event.dataset:okta.system and event.action:application.lifecycle.delete\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_102.json b/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_102.json
deleted file mode 100644
index e8b65206dd0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deleted and the behavior is expected."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Application", "note": "", "query": "event.dataset:okta.system and event.action:application.lifecycle.delete\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring", "Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_103.json b/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_103.json
deleted file mode 100644
index e9832c051b0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deleted and the behavior is expected."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Application", "note": "", "query": "event.dataset:okta.system and event.action:application.lifecycle.delete\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_104.json b/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_104.json
deleted file mode 100644
index 2975e3767aa..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deleted and the behavior is expected."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Application", "note": "", "query": "event.dataset:okta.system and event.action:application.lifecycle.delete\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_205.json b/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_205.json
deleted file mode 100644
index 3d6fb5ec588..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_205.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deleted and the behavior is expected."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Application", "note": "", "query": "event.dataset:okta.system and event.action:application.lifecycle.delete\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_205", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_206.json b/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_206.json
deleted file mode 100644
index 2a792b4718c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_206.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deleted and the behavior is expected."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Application", "note": "", "query": "event.dataset:okta.system and event.action:application.lifecycle.delete\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_206", 
"type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_208.json b/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_208.json
deleted file mode 100644
index fdc1531cc29..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_208.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deleted and the behavior is expected."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Application", "note": "", "query": "event.dataset:okta.system and event.action:application.lifecycle.delete\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 208}, "id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_308.json b/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_308.json
new file mode 100644
index 00000000000..4be1f6a1631
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_308.json
@@ -0,0 +1,76 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects attempts to delete an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.",
+ "false_positives": [
+ "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deleted and the behavior is expected."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempt to Delete an Okta Application",
+ "note": "",
+ "query": "event.dataset:okta.system and event.action:application.lifecycle.delete\n",
+ "references": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "low",
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Impact"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0040",
+ "name": "Impact",
+ "reference": "https://attack.mitre.org/tactics/TA0040/"
+ },
+ "technique": [
+ {
+ "id": "T1489",
+ "name": "Service Stop",
+ "reference": "https://attack.mitre.org/techniques/T1489/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 308
+ },
+ "id": "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f_308",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d49cc73f-7a16-4def-89ce-9fc7127d7820.json b/packages/security_detection_engine/kibana/security_rule/d49cc73f-7a16-4def-89ce-9fc7127d7820.json
deleted file mode 100644
index 59fdc3ac2e5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d49cc73f-7a16-4def-89ce-9fc7127d7820.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.", "false_positives": ["This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity."], "index": ["apm-*-transaction*", "traces-apm*"], "language": "kuery", "license": "Elastic License v2", "name": "Web Application Suspicious Activity: sqlmap User Agent", "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"\n", "references": ["http://sqlmap.org/"], "related_integrations": [{"package": "apm", "version": "^8.0.0"}], "required_fields": [{"ecs": true, "name": "user_agent.original", "type": "keyword"}], "risk_score": 47, "rule_id": "d49cc73f-7a16-4def-89ce-9fc7127d7820", "severity": "medium", "tags": ["Data Source: APM"], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "d49cc73f-7a16-4def-89ce-9fc7127d7820", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d49cc73f-7a16-4def-89ce-9fc7127d7820_101.json b/packages/security_detection_engine/kibana/security_rule/d49cc73f-7a16-4def-89ce-9fc7127d7820_101.json
deleted file mode 100644
index 803c86e181d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d49cc73f-7a16-4def-89ce-9fc7127d7820_101.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.", "false_positives": ["This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity."], "index": ["apm-*-transaction*", "traces-apm*"], "language": "kuery", "license": "Elastic License v2", "name": "Web Application Suspicious Activity: sqlmap User Agent", "query": "user_agent.original:\"sqlmap/1.3.11#stable (http://sqlmap.org)\"\n", "references": ["http://sqlmap.org/"], "related_integrations": [{"package": "apm", "version": "^8.0.0"}], "required_fields": [{"ecs": true, "name": "user_agent.original", "type": "keyword"}], "risk_score": 47, "rule_id": "d49cc73f-7a16-4def-89ce-9fc7127d7820", "severity": "medium", "tags": ["Elastic", "APM"], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "d49cc73f-7a16-4def-89ce-9fc7127d7820_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46.json b/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46.json
deleted file mode 100644
index c9f29abe270..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery in order to gather detailed information about system configuration and software versions. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.", "false_positives": ["Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_system_information_discovery"], "name": "Unusual Linux System Information Discovery Activity", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "d4af3a06-1e0a-48ec-b96a-faf2309fae46", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "type": "machine_learning", "version": 104}, "id": "d4af3a06-1e0a-48ec-b96a-faf2309fae46", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_101.json b/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_101.json
deleted file mode 100644
index 8546933e6ae..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_101.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery in order to gather detailed information about system configuration and software versions. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.", "false_positives": ["Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_system_information_discovery"], "name": "Unusual Linux System Information Discovery Activity", "risk_score": 21, "rule_id": "d4af3a06-1e0a-48ec-b96a-faf2309fae46", "severity": "low", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "type": "machine_learning", "version": 101}, "id": "d4af3a06-1e0a-48ec-b96a-faf2309fae46_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_102.json b/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_102.json
deleted file mode 100644
index 4132399b86a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery in order to gather detailed information about system configuration and software versions. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.", "false_positives": ["Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_system_information_discovery"], "name": "Unusual Linux System Information Discovery Activity", "risk_score": 21, "rule_id": "d4af3a06-1e0a-48ec-b96a-faf2309fae46", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "type": "machine_learning", "version": 102}, "id": "d4af3a06-1e0a-48ec-b96a-faf2309fae46_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_103.json b/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_103.json
deleted file mode 100644
index 3b9a2d857c1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d4af3a06-1e0a-48ec-b96a-faf2309fae46_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "Looks for commands related to system information discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used to engage in system information discovery in order to gather detailed information about system configuration and software versions. This may be a precursor to selection of a persistence mechanism or a method of privilege elevation.", "false_positives": ["Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_system_information_discovery"], "name": "Unusual Linux System Information Discovery Activity", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "d4af3a06-1e0a-48ec-b96a-faf2309fae46", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}]}], "type": "machine_learning", "version": 103}, "id": "d4af3a06-1e0a-48ec-b96a-faf2309fae46_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b.json b/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b.json
deleted file mode 100644
index 6ad58682fd0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected a user logging in from an IP address that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different locations. An unusual source IP address for a username could also be due to lateral movement when a compromised account is used to pivot between hosts.", "false_positives": ["Business travelers who roam to new locations may trigger this alert."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "auth_rare_source_ip_for_a_user", "name": "Unusual Source IP for a User to Logon from", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}], "risk_score": 21, "rule_id": "d4b73fa0-9d43-465e-b8bf-50230da6718b", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n- System\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n\n### System Integration Setup\nThe System integration allows you to collect system logs and metrics from your servers with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"system\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cSystem\u201d and select the integration to see more details about it.\n- Click \u201cAdd System\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201csystem\u201d to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).\n", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "type": "machine_learning", "version": 104}, "id": "d4b73fa0-9d43-465e-b8bf-50230da6718b", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_101.json b/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_101.json
deleted file mode 100644
index 0968b233c98..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_101.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected a user logging in from an IP address that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different locations. An unusual source IP address for a username could also be due to lateral movement when a compromised account is used to pivot between hosts.", "false_positives": ["Business travelers who roam to new locations may trigger this alert."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "auth_rare_source_ip_for_a_user", "name": "Unusual Source IP for a User to Logon from", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "d4b73fa0-9d43-465e-b8bf-50230da6718b", "severity": "low", "tags": ["Elastic", "Authentication", "Threat Detection", "ML", "Machine Learning", "Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "type": "machine_learning", "version": 101}, "id": "d4b73fa0-9d43-465e-b8bf-50230da6718b_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_102.json b/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_102.json
deleted file mode 100644
index 71f057d9ed5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected a user logging in from an IP address that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different locations. An unusual source IP address for a username could also be due to lateral movement when a compromised account is used to pivot between hosts.", "false_positives": ["Business travelers who roam to new locations may trigger this alert."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "auth_rare_source_ip_for_a_user", "name": "Unusual Source IP for a User to Logon from", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "d4b73fa0-9d43-465e-b8bf-50230da6718b", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "type": "machine_learning", "version": 102}, "id": "d4b73fa0-9d43-465e-b8bf-50230da6718b_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_103.json b/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_103.json
deleted file mode 100644
index ce4985d77ec..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d4b73fa0-9d43-465e-b8bf-50230da6718b_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected a user logging in from an IP address that is unusual for the user. This can be due to credentialed access via a compromised account when the user and the threat actor are in different locations. An unusual source IP address for a username could also be due to lateral movement when a compromised account is used to pivot between hosts.", "false_positives": ["Business travelers who roam to new locations may trigger this alert."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "auth_rare_source_ip_for_a_user", "name": "Unusual Source IP for a User to Logon from", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}], "risk_score": 21, "rule_id": "d4b73fa0-9d43-465e-b8bf-50230da6718b", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "type": "machine_learning", "version": 103}, "id": "d4b73fa0-9d43-465e-b8bf-50230da6718b_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f.json b/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f.json
deleted file mode 100644
index ff5d86e21a8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include \"truffleproc\" and \"bash-memory-dump\". This behavior should not happen by default, and should be investigated thoroughly.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Linux init (PID 1) Secret Dump via GDB", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and \nprocess.name == \"gdb\" and process.args in (\"--pid\", \"-p\") and process.args == \"1\"\n", "references": ["https://github.com/controlplaneio/truffleproc", "https://github.com/hajzer/bash-memory-dump"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.007", "name": "Proc Filesystem", "reference": "https://attack.mitre.org/techniques/T1003/007/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_1.json b/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_1.json
deleted file mode 100644
index e41e56ca25b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include \"truffleproc\" and \"bash-memory-dump\". This behavior should not happen by default, and should be investigated thoroughly.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Linux init (PID 1) Secret Dump via GDB", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"gdb\" and process.args in (\"--pid\", \"-p\") and process.args == \"1\"\n", "references": ["https://github.com/controlplaneio/truffleproc", "https://github.com/hajzer/bash-memory-dump"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "risk_score": 47, "rule_id": "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.007", "name": "Proc Filesystem", "reference": "https://attack.mitre.org/techniques/T1003/007/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_2.json b/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_2.json
deleted file mode 100644
index bb676971aa2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include \"truffleproc\" and \"bash-memory-dump\". This behavior should not happen by default, and should be investigated thoroughly.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Linux init (PID 1) Secret Dump via GDB", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"gdb\" and process.args in (\"--pid\", \"-p\") and process.args == \"1\"\n", "references": ["https://github.com/controlplaneio/truffleproc", "https://github.com/hajzer/bash-memory-dump"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "risk_score": 47, "rule_id": "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.007", "name": "Proc Filesystem", "reference": "https://attack.mitre.org/techniques/T1003/007/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_3.json b/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_3.json
deleted file mode 100644
index 05af77bbe7e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include \"truffleproc\" and \"bash-memory-dump\". This behavior should not happen by default, and should be investigated thoroughly.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Linux init (PID 1) Secret Dump via GDB", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"gdb\" and process.args in (\"--pid\", \"-p\") and process.args == \"1\"\n", "references": ["https://github.com/controlplaneio/truffleproc", "https://github.com/hajzer/bash-memory-dump"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "risk_score": 47, "rule_id": "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.007", "name": "Proc Filesystem", "reference": "https://attack.mitre.org/techniques/T1003/007/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_4.json b/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_4.json
deleted file mode 100644
index fc5c4c8764d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include \"truffleproc\" and \"bash-memory-dump\". This behavior should not happen by default, and should be investigated thoroughly.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Linux init (PID 1) Secret Dump via GDB", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and \nprocess.name == \"gdb\" and process.args in (\"--pid\", \"-p\") and process.args == \"1\"\n", "references": ["https://github.com/controlplaneio/truffleproc", "https://github.com/hajzer/bash-memory-dump"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "risk_score": 47, "rule_id": "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.007", "name": "Proc Filesystem", "reference": "https://attack.mitre.org/techniques/T1003/007/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_5.json b/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_5.json
deleted file mode 100644
index 76b4f5b0642..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the potential memory dump of the init process (PID 1) through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include \"truffleproc\" and \"bash-memory-dump\". This behavior should not happen by default, and should be investigated thoroughly.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Linux init (PID 1) Secret Dump via GDB", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and \nprocess.name == \"gdb\" and process.args in (\"--pid\", \"-p\") and process.args == \"1\"\n", "references": ["https://github.com/controlplaneio/truffleproc", "https://github.com/hajzer/bash-memory-dump"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.007", "name": "Proc Filesystem", "reference": "https://attack.mitre.org/techniques/T1003/007/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5.json b/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5.json
deleted file mode 100644
index 16bd50c7814..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of the systemd-run command by a user with a UID that is larger than the maximum allowed UID size (INT_MAX). Some older Linux versions were affected by a bug which allows user accounts with a UID greater than INT_MAX to escalate privileges by spawning a shell through systemd-run.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via UID INT_MAX Bug Detected", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and \nprocess.name == \"systemd-run\" and process.args == \"-t\" and process.args_count >= 3 and user.id >= \"1000000000\"\n", "references": ["https://twitter.com/paragonsec/status/1071152249529884674", "https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh", "https://gitlab.freedesktop.org/polkit/polkit/-/issues/74"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "d55436a8-719c-445f-92c4-c113ff2f9ba5", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "d55436a8-719c-445f-92c4-c113ff2f9ba5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_1.json b/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_1.json
deleted file mode 100644
index a90bc4f30a8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of the systemd-run command by a user with a UID that is larger than the maximum allowed UID size (INT_MAX). Some older Linux versions were affected by a bug which allows user accounts with a UID greater than INT_MAX to escalate privileges by spawning a shell through systemd-run.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via UID INT_MAX Bug Detected", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"systemd-run\" and process.args == \"-t\" and process.args_count >= 3 and user.id >= \"1000000000\"\n", "references": ["https://twitter.com/paragonsec/status/1071152249529884674", "https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh", "https://gitlab.freedesktop.org/polkit/polkit/-/issues/74"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "d55436a8-719c-445f-92c4-c113ff2f9ba5", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": 
"https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "d55436a8-719c-445f-92c4-c113ff2f9ba5_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_2.json b/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_2.json
deleted file mode 100644
index 0e834698d14..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of the systemd-run command by a user with a UID that is larger than the maximum allowed UID size (INT_MAX). Some older Linux versions were affected by a bug which allows user accounts with a UID greater than INT_MAX to escalate privileges by spawning a shell through systemd-run.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via UID INT_MAX Bug Detected", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"systemd-run\" and process.args == \"-t\" and process.args_count >= 3 and user.id >= \"1000000000\"\n", "references": ["https://twitter.com/paragonsec/status/1071152249529884674", "https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh", "https://gitlab.freedesktop.org/polkit/polkit/-/issues/74"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "d55436a8-719c-445f-92c4-c113ff2f9ba5", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", 
"reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "d55436a8-719c-445f-92c4-c113ff2f9ba5_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_3.json b/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_3.json
deleted file mode 100644
index 8e93ef99cd1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of the systemd-run command by a user with a UID that is larger than the maximum allowed UID size (INT_MAX). Some older Linux versions were affected by a bug which allows user accounts with a UID greater than INT_MAX to escalate privileges by spawning a shell through systemd-run.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via UID INT_MAX Bug Detected", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"systemd-run\" and process.args == \"-t\" and process.args_count >= 3 and user.id >= \"1000000000\"\n", "references": ["https://twitter.com/paragonsec/status/1071152249529884674", "https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh", "https://gitlab.freedesktop.org/polkit/polkit/-/issues/74"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "d55436a8-719c-445f-92c4-c113ff2f9ba5", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "d55436a8-719c-445f-92c4-c113ff2f9ba5_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_4.json b/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_4.json
deleted file mode 100644
index 815724e5229..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d55436a8-719c-445f-92c4-c113ff2f9ba5_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of the systemd-run command by a user with a UID that is larger than the maximum allowed UID size (INT_MAX). Some older Linux versions were affected by a bug which allows user accounts with a UID greater than INT_MAX to escalate privileges by spawning a shell through systemd-run.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via UID INT_MAX Bug Detected", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"systemd-run\" and process.args == \"-t\" and process.args_count >= 3 and user.id >= \"1000000000\"\n", "references": ["https://twitter.com/paragonsec/status/1071152249529884674", "https://github.com/mirchr/security-research/blob/master/vulnerabilities/CVE-2018-19788.sh", "https://gitlab.freedesktop.org/polkit/polkit/-/issues/74"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "d55436a8-719c-445f-92c4-c113ff2f9ba5", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "d55436a8-719c-445f-92c4-c113ff2f9ba5_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d55abdfb-5384-402b-add4-6c401501b0c3.json b/packages/security_detection_engine/kibana/security_rule/d55abdfb-5384-402b-add4-6c401501b0c3.json
deleted file mode 100644
index 3d1bce4a40c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d55abdfb-5384-402b-add4-6c401501b0c3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies instances where a processes (granted CAP_CHOWN and/or CAP_FOWNER capabilities) is executed, after which the ownership of a suspicious file or binary is changed. In Linux, the CAP_CHOWN capability allows a process to change the owner of a file, while CAP_FOWNER permits it to bypass permission checks on operations that require file ownership (like reading, writing, and executing). Attackers may abuse these capabilities to obtain unauthorized access to files.", "from": "now-9m", "index": ["logs-endpoint.events.*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities", "query": "sequence by host.id, process.pid with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.name != null and process.thread.capabilities.effective : (\"CAP_CHOWN\", \"CAP_FOWNER\") and\n process.command_line : (\"*sudoers*\", \"*passwd*\", \"*shadow*\", \"*/root/*\") and user.id != \"0\"]\n [file where host.os.type == \"linux\" and event.action == \"changed-file-ownership-of\" and event.type == \"change\" and\n event.outcome == \"success\" and file.path in (\n \"/etc/passwd\",\n \"/etc/shadow\",\n \"/etc/sudoers\",\n \"/root/.ssh/*\"\n ) and user.id != \"0\"\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "process.thread.capabilities.effective", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "d55abdfb-5384-402b-add4-6c401501b0c3", "setup": "## Setup\n\n\nThis rule requires data coming in from Auditd Manager.\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit 
rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -- \"-w /etc/ -p rwxa -k audit_recursive_etc\"\n -- \"-w /root/ -p rwxa -k audit_root\"\n", "severity": "medium", "tags": ["Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 3}, "id": "d55abdfb-5384-402b-add4-6c401501b0c3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d55abdfb-5384-402b-add4-6c401501b0c3_1.json b/packages/security_detection_engine/kibana/security_rule/d55abdfb-5384-402b-add4-6c401501b0c3_1.json
deleted file mode 100644
index eadc31e0d4b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d55abdfb-5384-402b-add4-6c401501b0c3_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies instances where a processes (granted CAP_CHOWN and/or CAP_FOWNER capabilities) is executed, after which the ownership of a suspicious file or binary is changed. In Linux, the CAP_CHOWN capability allows a process to change the owner of a file, while CAP_FOWNER permits it to bypass permission checks on operations that require file ownership (like reading, writing, and executing). Attackers may abuse these capabilities to obtain unauthorized access to files.", "from": "now-9m", "index": ["logs-endpoint.events.*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities", "query": "sequence by host.id, process.pid with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and\n process.name != null and process.thread.capabilities.effective : (\"CAP_CHOWN\", \"CAP_FOWNER\") and\n process.command_line : (\"*sudoers*\", \"*passwd*\", \"*shadow*\", \"*/root/*\") and user.id != \"0\"]\n [file where event.dataset == \"auditd_manager.auditd\" and host.os.type == \"linux\" and\n event.action == \"changed-file-ownership-of\" and event.type == \"change\" and event.outcome == \"success\" and\n file.path in (\n \"/etc/passwd\",\n \"/etc/shadow\",\n \"/etc/sudoers\",\n \"/root/.ssh/*\"\n ) and user.id != \"0\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"integration": "auditd", "package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": 
"host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "process.thread.capabilities.effective", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "d55abdfb-5384-402b-add4-6c401501b0c3", "setup": "\nThis rule requires data coming in from Auditd Manager.\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced 
configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -- \"-w /etc/ -p rwxa -k audit_recursive_etc\"\n -- \"-w /root/ -p rwxa -k audit_root\"\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 1}, "id": "d55abdfb-5384-402b-add4-6c401501b0c3_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d55abdfb-5384-402b-add4-6c401501b0c3_2.json b/packages/security_detection_engine/kibana/security_rule/d55abdfb-5384-402b-add4-6c401501b0c3_2.json
deleted file mode 100644
index 56a9812c004..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d55abdfb-5384-402b-add4-6c401501b0c3_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies instances where a processes (granted CAP_CHOWN and/or CAP_FOWNER capabilities) is executed, after which the ownership of a suspicious file or binary is changed. In Linux, the CAP_CHOWN capability allows a process to change the owner of a file, while CAP_FOWNER permits it to bypass permission checks on operations that require file ownership (like reading, writing, and executing). Attackers may abuse these capabilities to obtain unauthorized access to files.", "from": "now-9m", "index": ["logs-endpoint.events.*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities", "query": "sequence by host.id, process.pid with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and\n process.name != null and process.thread.capabilities.effective : (\"CAP_CHOWN\", \"CAP_FOWNER\") and\n process.command_line : (\"*sudoers*\", \"*passwd*\", \"*shadow*\", \"*/root/*\") and user.id != \"0\"]\n [file where host.os.type == \"linux\" and event.action == \"changed-file-ownership-of\" and event.type == \"change\" and\n event.outcome == \"success\" and file.path in (\n \"/etc/passwd\",\n \"/etc/shadow\",\n \"/etc/sudoers\",\n \"/root/.ssh/*\"\n ) and user.id != \"0\"\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "process.thread.capabilities.effective", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "d55abdfb-5384-402b-add4-6c401501b0c3", "setup": "\nThis rule requires data coming in from Auditd Manager.\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" 
configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule the following additional audit rules are required to be added to the integration:\n -- \"-w /etc/ -p rwxa -k audit_recursive_etc\"\n -- \"-w /root/ -p rwxa -k audit_root\"\n\n", "severity": "medium", "tags": ["Data Source: Auditd Manager", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "type": "eql", "version": 2}, "id": "d55abdfb-5384-402b-add4-6c401501b0c3_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6.json b/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6.json
deleted file mode 100644
index 1db402127a2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via Windir Environment Variable", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\nregistry.value : (\"windir\", \"systemroot\") and\nregistry.path : (\n \"HKEY_USERS\\\\*\\\\Environment\\\\windir\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\systemroot\",\n \"HKU\\\\*\\\\Environment\\\\windir\",\n \"HKU\\\\*\\\\Environment\\\\systemroot\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\windir\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\systemroot\"\n ) and\n not registry.data.strings : (\"C:\\\\windows\", \"%SystemRoot%\")\n", "references": ["https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 73, "rule_id": "d563aaba-2e72-462b-8658-3e5ea22db3a6", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, 
"technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.007", "name": "Path Interception by PATH Environment Variable", "reference": "https://attack.mitre.org/techniques/T1574/007/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "d563aaba-2e72-462b-8658-3e5ea22db3a6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_102.json b/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_102.json deleted file mode 100644 index fd126b39105..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via Windir Environment Variable", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKEY_USERS\\\\*\\\\Environment\\\\windir\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\systemroot\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\windir\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\systemroot\"\n ) and\n not registry.data.strings : (\"C:\\\\windows\", \"%SystemRoot%\")\n", "references": ["https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "d563aaba-2e72-462b-8658-3e5ea22db3a6", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.007", "name": "Path Interception by PATH Environment Variable", "reference": "https://attack.mitre.org/techniques/T1574/007/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "d563aaba-2e72-462b-8658-3e5ea22db3a6_102", "type": "security-rule"} \ No newline 
at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_103.json b/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_103.json deleted file mode 100644 index 94f963720f8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via Windir Environment Variable", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKEY_USERS\\\\*\\\\Environment\\\\windir\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\systemroot\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\windir\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\systemroot\"\n ) and\n not registry.data.strings : (\"C:\\\\windows\", \"%SystemRoot%\")\n", "references": ["https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "d563aaba-2e72-462b-8658-3e5ea22db3a6", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.007", "name": "Path Interception by PATH Environment Variable", "reference": "https://attack.mitre.org/techniques/T1574/007/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "d563aaba-2e72-462b-8658-3e5ea22db3a6_103", 
"type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_104.json b/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_104.json deleted file mode 100644 index 5ebfe1a3524..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via Windir Environment Variable", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKEY_USERS\\\\*\\\\Environment\\\\windir\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\systemroot\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\windir\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\systemroot\"\n ) and\n not registry.data.strings : (\"C:\\\\windows\", \"%SystemRoot%\")\n", "references": ["https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "d563aaba-2e72-462b-8658-3e5ea22db3a6", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.007", "name": "Path Interception by PATH Environment Variable", "reference": "https://attack.mitre.org/techniques/T1574/007/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": 
"d563aaba-2e72-462b-8658-3e5ea22db3a6_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_105.json b/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_105.json deleted file mode 100644 index 68af7fb95cc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via Windir Environment Variable", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKEY_USERS\\\\*\\\\Environment\\\\windir\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\systemroot\",\n \"HKU\\\\*\\\\Environment\\\\windir\",\n \"HKU\\\\*\\\\Environment\\\\systemroot\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\windir\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\systemroot\"\n ) and\n not registry.data.strings : (\"C:\\\\windows\", \"%SystemRoot%\")\n", "references": ["https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "d563aaba-2e72-462b-8658-3e5ea22db3a6", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.007", "name": "Path Interception by PATH Environment Variable", "reference": 
"https://attack.mitre.org/techniques/T1574/007/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "d563aaba-2e72-462b-8658-3e5ea22db3a6_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_106.json b/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_106.json deleted file mode 100644 index 033c998c6b9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via Windir Environment Variable", "query": "registry where host.os.type == \"windows\" and registry.path : (\n \"HKEY_USERS\\\\*\\\\Environment\\\\windir\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\systemroot\",\n \"HKU\\\\*\\\\Environment\\\\windir\",\n \"HKU\\\\*\\\\Environment\\\\systemroot\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\windir\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\systemroot\"\n ) and\n not registry.data.strings : (\"C:\\\\windows\", \"%SystemRoot%\")\n", "references": ["https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "d563aaba-2e72-462b-8658-3e5ea22db3a6", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.007", "name": "Path Interception by PATH Environment Variable", 
"reference": "https://attack.mitre.org/techniques/T1574/007/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "d563aaba-2e72-462b-8658-3e5ea22db3a6_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_107.json b/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_107.json deleted file mode 100644 index 1dd139f5db4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via Windir Environment Variable", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\nregistry.value : (\"windir\", \"systemroot\") and\nregistry.path : (\n \"HKEY_USERS\\\\*\\\\Environment\\\\windir\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\systemroot\",\n \"HKU\\\\*\\\\Environment\\\\windir\",\n \"HKU\\\\*\\\\Environment\\\\systemroot\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\windir\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\systemroot\"\n ) and\n not registry.data.strings : (\"C:\\\\windows\", \"%SystemRoot%\")\n", "references": ["https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 73, "rule_id": "d563aaba-2e72-462b-8658-3e5ea22db3a6", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": 
"T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.007", "name": "Path Interception by PATH Environment Variable", "reference": "https://attack.mitre.org/techniques/T1574/007/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "d563aaba-2e72-462b-8658-3e5ea22db3a6_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_108.json b/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_108.json deleted file mode 100644 index 94d3573d189..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d563aaba-2e72-462b-8658-3e5ea22db3a6_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known primitive that is often combined with other vulnerabilities to elevate privileges.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Privilege Escalation via Windir Environment Variable", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\nregistry.value : (\"windir\", \"systemroot\") and\nregistry.path : (\n \"HKEY_USERS\\\\*\\\\Environment\\\\windir\",\n \"HKEY_USERS\\\\*\\\\Environment\\\\systemroot\",\n \"HKU\\\\*\\\\Environment\\\\windir\",\n \"HKU\\\\*\\\\Environment\\\\systemroot\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\windir\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Environment\\\\systemroot\"\n ) and\n not registry.data.strings : (\"C:\\\\windows\", \"%SystemRoot%\")\n", "references": ["https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 73, "rule_id": "d563aaba-2e72-462b-8658-3e5ea22db3a6", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, 
"technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.007", "name": "Path Interception by PATH Environment Variable", "reference": "https://attack.mitre.org/techniques/T1574/007/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "d563aaba-2e72-462b-8658-3e5ea22db3a6_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd.json b/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd.json deleted file mode 100644 index 53409c9774d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Policy Rule", "note": "## Triage and analysis\n\n### Investigating Attempt to Delete an Okta Policy Rule\n\nOkta policy rules are integral components of an organization's security controls, as they define how user access to resources is managed. Deletion of a rule within an Okta policy could potentially weaken the organization's security posture, allowing for unauthorized access or facilitating other malicious activities.\n\nThis rule detects attempts to delete an Okta policy rule, which could indicate an adversary's attempt to weaken an organization's security controls. 
Adversaries may do this to circumvent security measures and enable further malicious activities.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deletion attempt.\n- Check the `okta.outcome.result` field to confirm the policy rule deletion attempt.\n- Check if there are multiple policy rule deletion attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy rule deletion attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deletion attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deletion attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deletion attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy rule deletion is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deletion technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.rule.delete\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": 
["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_102.json b/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_102.json deleted file mode 100644 index 60717242214..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Policy Rule", "note": "", "query": "event.dataset:okta.system and event.action:policy.rule.delete\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": 
"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_103.json b/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_103.json deleted file mode 100644 index 4a395a76a72..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Policy Rule", "note": "", "query": "event.dataset:okta.system and event.action:policy.rule.delete\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_103", "type": 
"security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_104.json b/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_104.json deleted file mode 100644 index b20c14b0c45..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Policy Rule", "note": "## Triage and analysis\n\n### Investigating Attempt to Delete an Okta Policy Rule\n\nOkta policy rules are integral components of an organization's security controls, as they define how user access to resources is managed. Deletion of a rule within an Okta policy could potentially weaken the organization's security posture, allowing for unauthorized access or facilitating other malicious activities.\n\nThis rule detects attempts to delete an Okta policy rule, which could indicate an adversary's attempt to weaken an organization's security controls. 
Adversaries may do this to circumvent security measures and enable further malicious activities.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deletion attempt.\n- Check the `okta.outcome.result` field to confirm the policy rule deletion attempt.\n- Check if there are multiple policy rule deletion attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy rule deletion attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deletion attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deletion attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deletion attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy rule deletion is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deletion technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.rule.delete\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": 
["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_105.json b/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_105.json deleted file mode 100644 index 6a2b5326163..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Policy Rule", "note": "## Triage and analysis\n\n### Investigating Attempt to Delete an Okta Policy Rule\n\nOkta policy rules are integral components of an organization's security controls, as they define how user access to resources is managed. Deletion of a rule within an Okta policy could potentially weaken the organization's security posture, allowing for unauthorized access or facilitating other malicious activities.\n\nThis rule detects attempts to delete an Okta policy rule, which could indicate an adversary's attempt to weaken an organization's security controls. 
Adversaries may do this to circumvent security measures and enable further malicious activities.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deletion attempt.\n- Check the `okta.outcome.result` field to confirm the policy rule deletion attempt.\n- Check if there are multiple policy rule deletion attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy rule deletion attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deletion attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deletion attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deletion attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy rule deletion is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deletion technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.rule.delete\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": 
["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_206.json b/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_206.json deleted file mode 100644 index bb748246e46..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_206.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Policy Rule", "note": "## Triage and analysis\n\n### Investigating Attempt to Delete an Okta Policy Rule\n\nOkta policy rules are integral components of an organization's security controls, as they define how user access to resources is managed. Deletion of a rule within an Okta policy could potentially weaken the organization's security posture, allowing for unauthorized access or facilitating other malicious activities.\n\nThis rule detects attempts to delete an Okta policy rule, which could indicate an adversary's attempt to weaken an organization's security controls. 
Adversaries may do this to circumvent security measures and enable further malicious activities.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deletion attempt.\n- Check the `okta.outcome.result` field to confirm the policy rule deletion attempt.\n- Check if there are multiple policy rule deletion attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy rule deletion attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deletion attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deletion attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deletion attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy rule deletion is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deletion technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.rule.delete\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": 
["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_206", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_207.json b/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_207.json deleted file mode 100644 index 9e3d9985176..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_207.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Policy Rule", "note": "## Triage and analysis\n\n### Investigating Attempt to Delete an Okta Policy Rule\n\nOkta policy rules are integral components of an organization's security controls, as they define how user access to resources is managed. Deletion of a rule within an Okta policy could potentially weaken the organization's security posture, allowing for unauthorized access or facilitating other malicious activities.\n\nThis rule detects attempts to delete an Okta policy rule, which could indicate an adversary's attempt to weaken an organization's security controls. 
Adversaries may do this to circumvent security measures and enable further malicious activities.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deletion attempt.\n- Check the `okta.outcome.result` field to confirm the policy rule deletion attempt.\n- Check if there are multiple policy rule deletion attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy rule deletion attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deletion attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deletion attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deletion attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy rule deletion is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deletion technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.rule.delete\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": 
"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_207", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_209.json b/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_209.json deleted file mode 100644 index a1d73c8f669..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_209.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Delete an Okta Policy Rule", "note": "## Triage and analysis\n\n### Investigating Attempt to Delete an Okta Policy Rule\n\nOkta policy rules are integral components of an organization's security controls, as they define how user access to resources is managed. Deletion of a rule within an Okta policy could potentially weaken the organization's security posture, allowing for unauthorized access or facilitating other malicious activities.\n\nThis rule detects attempts to delete an Okta policy rule, which could indicate an adversary's attempt to weaken an organization's security controls. 
Adversaries may do this to circumvent security measures and enable further malicious activities.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deletion attempt.\n- Check the `okta.outcome.result` field to confirm the policy rule deletion attempt.\n- Check if there are multiple policy rule deletion attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy rule deletion attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deletion attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deletion attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deletion attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy rule deletion is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deletion technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:policy.rule.delete\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": 
"d5d86bf5-cf0c-4c06-b688-53fdc072fdfd", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_209", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_309.json b/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_309.json
new file mode 100644
index 00000000000..722ab151e5d
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_309.json
@@ -0,0 +1,84 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects attempts to delete a rule within an Okta policy. An adversary may attempt to delete an Okta policy rule in order to weaken an organization's security controls.",
+ "false_positives": [
+ "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempt to Delete an Okta Policy Rule",
+ "note": "## Triage and analysis\n\n### Investigating Attempt to Delete an Okta Policy Rule\n\nOkta policy rules are integral components of an organization's security controls, as they define how user access to resources is managed. Deletion of a rule within an Okta policy could potentially weaken the organization's security posture, allowing for unauthorized access or facilitating other malicious activities.\n\nThis rule detects attempts to delete an Okta policy rule, which could indicate an adversary's attempt to weaken an organization's security controls. 
Adversaries may do this to circumvent security measures and enable further malicious activities.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the deletion attempt.\n- Check the `okta.outcome.result` field to confirm the policy rule deletion attempt.\n- Check if there are multiple policy rule deletion attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the policy rule deletion attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the deletion attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the deletion attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the deletion attempt. 
If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized policy rule deletion is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific deletion technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "query": "event.dataset:okta.system and event.action:policy.rule.delete\n",
+ "references": [
+ "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "low",
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.007",
+ "name": "Disable or Modify Cloud Firewall",
+ "reference": "https://attack.mitre.org/techniques/T1562/007/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 309
+ },
+ "id": "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd_309",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc.json b/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc.json
deleted file mode 100644
index 45e43e62f0c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Service Command Lateral Movement", "query": "sequence by process.entity_id with maxspan = 1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name : \"sc.exe\") and\n process.args : \"\\\\\\\\*\" and process.args : (\"binPath=*\", \"binpath=*\") and\n process.args : (\"create\", \"config\", \"failure\", \"start\")]\n [network where host.os.type == \"windows\" and process.name : \"sc.exe\" and destination.ip != \"127.0.0.1\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", 
"reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}], "type": "eql", "version": 107}, "id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_103.json b/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_103.json deleted file mode 100644 index ad763ccb050..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Service Command Lateral Movement", "query": "sequence by process.entity_id with maxspan = 1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name : \"sc.exe\") and\n process.args : \"\\\\\\\\*\" and process.args : (\"binPath=*\", \"binpath=*\") and\n process.args : (\"create\", \"config\", \"failure\", \"start\")]\n [network where host.os.type == \"windows\" and process.name : \"sc.exe\" and destination.ip != \"127.0.0.1\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": 
"Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}], "type": "eql", "version": 103}, "id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_104.json b/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_104.json deleted file mode 100644 index b114f10ec18..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Service Command Lateral Movement", "query": "sequence by process.entity_id with maxspan = 1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name : \"sc.exe\") and\n process.args : \"\\\\\\\\*\" and process.args : (\"binPath=*\", \"binpath=*\") and\n process.args : (\"create\", \"config\", \"failure\", \"start\")]\n [network where host.os.type == \"windows\" and process.name : \"sc.exe\" and destination.ip != \"127.0.0.1\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}], "type": "eql", "version": 104}, "id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_105.json b/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_105.json deleted file mode 100644 index f3d93e3f29b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Service Command Lateral Movement", "query": "sequence by process.entity_id with maxspan = 1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name : \"sc.exe\") and\n process.args : \"\\\\\\\\*\" and process.args : (\"binPath=*\", \"binpath=*\") and\n process.args : (\"create\", \"config\", \"failure\", \"start\")]\n [network where host.os.type == \"windows\" and process.name : \"sc.exe\" and destination.ip != \"127.0.0.1\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}], "type": "eql", "version": 105}, "id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_106.json b/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_106.json deleted file mode 100644 index ab8129c308f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Service Command Lateral Movement", "query": "sequence by process.entity_id with maxspan = 1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name : \"sc.exe\") and\n process.args : \"\\\\\\\\*\" and process.args : (\"binPath=*\", \"binpath=*\") and\n process.args : (\"create\", \"config\", \"failure\", \"start\")]\n [network where host.os.type == \"windows\" and process.name : \"sc.exe\" and destination.ip != \"127.0.0.1\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": 
"https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}], "type": "eql", "version": 106}, "id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_107.json b/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_107.json deleted file mode 100644 index 4343070c3ef..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Service Command Lateral Movement", "query": "sequence by process.entity_id with maxspan = 1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name : \"sc.exe\") and\n process.args : \"\\\\\\\\*\" and process.args : (\"binPath=*\", \"binpath=*\") and\n process.args : (\"create\", \"config\", \"failure\", \"start\")]\n [network where host.os.type == \"windows\" and process.name : \"sc.exe\" and destination.ip != \"127.0.0.1\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", 
"reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}], "type": "eql", "version": 107}, "id": "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d6241c90-99f2-44db-b50f-299b6ebd7ee9.json b/packages/security_detection_engine/kibana/security_rule/d6241c90-99f2-44db-b50f-299b6ebd7ee9.json deleted file mode 100644 index 4af824d9df2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d6241c90-99f2-44db-b50f-299b6ebd7ee9.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the execution of the DPKG command by processes not associated with the DPKG package manager. The DPKG command is used to install, remove, and manage Debian packages on a Linux system. Attackers can abuse the DPKG command to install malicious packages on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual DPKG Execution", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.executable : \"/var/lib/dpkg/info/*\" and process.session_leader.name != null and\nprocess.group_leader.name != null and not (\n process.parent.name in (\"dpkg\", \"dpkg-reconfigure\") or\n process.session_leader.name == \"dpkg\" or\n process.group_leader.name == \"dpkg\"\n)\n", "references": ["https://www.makeuseof.com/how-deb-packages-are-backdoored-how-to-detect-it/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.group_leader.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.session_leader.name", "type": "keyword"}], "risk_score": 21, "rule_id": "d6241c90-99f2-44db-b50f-299b6ebd7ee9", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.016", "name": "Installer Packages", "reference": "https://attack.mitre.org/techniques/T1546/016/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "d6241c90-99f2-44db-b50f-299b6ebd7ee9", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/d6241c90-99f2-44db-b50f-299b6ebd7ee9_1.json b/packages/security_detection_engine/kibana/security_rule/d6241c90-99f2-44db-b50f-299b6ebd7ee9_1.json
deleted file mode 100644
index 350c66dc214..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d6241c90-99f2-44db-b50f-299b6ebd7ee9_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the execution of the DPKG command by processes not associated with the DPKG package manager. The DPKG command is used to install, remove, and manage Debian packages on a Linux system. Attackers can abuse the DPKG command to install malicious packages on a system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual DPKG Execution", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\nprocess.executable : \"/var/lib/dpkg/info/*\" and process.session_leader.name != null and\nprocess.group_leader.name != null and not (\n process.parent.name in (\"dpkg\", \"dpkg-reconfigure\") or\n process.session_leader.name == \"dpkg\" or\n process.group_leader.name == \"dpkg\"\n)\n", "references": ["https://www.makeuseof.com/how-deb-packages-are-backdoored-how-to-detect-it/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.group_leader.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.session_leader.name", "type": "keyword"}], "risk_score": 21, "rule_id": "d6241c90-99f2-44db-b50f-299b6ebd7ee9", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.016", "name": "Installer Packages", "reference": "https://attack.mitre.org/techniques/T1546/016/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "d6241c90-99f2-44db-b50f-299b6ebd7ee9_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17.json b/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17.json
deleted file mode 100644
index 110a3eb6950..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream.", "false_positives": ["A log stream may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log stream deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudWatch Log Stream Deletion", "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Log Stream Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of logs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly.\n\nA log stream is a sequence of log events that share the same source. Each separate source of logs in CloudWatch Logs makes up a separate log stream.\n\nThis rule looks for the deletion of a log stream using the API `DeleteLogStream` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log stream's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team 
to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html", "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", 
"type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS CloudWatch", "Use Case: Log Auditing", "Tactic: Impact", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_105.json b/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_105.json
deleted file mode 100644
index a3fc81f9ac6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream.", "false_positives": ["A log stream may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log stream deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudWatch Log Stream Deletion", "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Log Stream Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of logs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly.\n\nA log stream is a sequence of log events that share the same source. Each separate source of logs in CloudWatch Logs makes up a separate log stream.\n\nThis rule looks for the deletion of a log stream using the API `DeleteLogStream` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log stream's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team 
to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html", "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", 
"type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Log Auditing", "Impact", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_106.json b/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_106.json
deleted file mode 100644
index 80cfc874cca..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream.", "false_positives": ["A log stream may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log stream deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudWatch Log Stream Deletion", "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Log Stream Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of logs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly.\n\nA log stream is a sequence of log events that share the same source. Each separate source of logs in CloudWatch Logs makes up a separate log stream.\n\nThis rule looks for the deletion of a log stream using the API `DeleteLogStream` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log stream's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team 
to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html", "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", 
"type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Tactic: Impact", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_107.json b/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_107.json
deleted file mode 100644
index 57fc8bd9a00..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream.", "false_positives": ["A log stream may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log stream deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudWatch Log Stream Deletion", "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Log Stream Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of logs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly.\n\nA log stream is a sequence of log events that share the same source. Each separate source of logs in CloudWatch Logs makes up a separate log stream.\n\nThis rule looks for the deletion of a log stream using the API `DeleteLogStream` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log stream's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team 
to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html", "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", 
"type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Tactic: Impact", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_208.json b/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_208.json
deleted file mode 100644
index fa0f1c6a188..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_208.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream.", "false_positives": ["A log stream may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log stream deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudWatch Log Stream Deletion", "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Log Stream Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of logs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly.\n\nA log stream is a sequence of log events that share the same source. Each separate source of logs in CloudWatch Logs makes up a separate log stream.\n\nThis rule looks for the deletion of a log stream using the API `DeleteLogStream` action. 
Attackers can do this to cover their tracks and impact security monitoring that relies on these sources.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Investigate the deleted log stream's criticality and whether the responsible team is aware of the deletion.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team 
to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:logs.amazonaws.com and event.action:DeleteLogStream and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html", "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", 
"type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Tactic: Impact", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 208}, "id": "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7.json b/packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7.json deleted file mode 100644 index 8795767182c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.", "false_positives": ["Subscription creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Pub/Sub Subscription Creation", "note": "", "query": "event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success\n", "references": ["https://cloud.google.com/pubsub/docs/overview"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "d62b64a8-a7c9-43e5-aee3-15a725a794e7", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Collection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1530", "name": "Data from Cloud Storage", "reference": 
"https://attack.mitre.org/techniques/T1530/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "d62b64a8-a7c9-43e5-aee3-15a725a794e7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7_104.json b/packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7_104.json deleted file mode 100644 index 41f5d704e24..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d62b64a8-a7c9-43e5-aee3-15a725a794e7_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a subscription in Google Cloud Platform (GCP). In GCP, the publisher-subscriber relationship (Pub/Sub) is an asynchronous messaging service that decouples event-producing and event-processing services. A subscription is a named resource representing the stream of messages to be delivered to the subscribing application.", "false_positives": ["Subscription creations may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Subscription creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Pub/Sub Subscription Creation", "note": "", "query": "event.dataset:gcp.audit and event.action:google.pubsub.v*.Subscriber.CreateSubscription and event.outcome:success\n", "references": ["https://cloud.google.com/pubsub/docs/overview"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "d62b64a8-a7c9-43e5-aee3-15a725a794e7", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Log Auditing"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1530", "name": "Data from Cloud Storage", "reference": 
"https://attack.mitre.org/techniques/T1530/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "d62b64a8-a7c9-43e5-aee3-15a725a794e7_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba.json b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba.json deleted file mode 100644 index b846c0081b1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "logs-endpoint.events.process-*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "System Information Discovery via Windows Command Shell", "note": "## Triage and analysis\n\n### Investigating System Information Discovery via Windows Command Shell\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule identifies commands to enumerate system information, files, and folders using the Windows Command Shell.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and process.args : \"/c\" and process.args : (\"set\", \"dir\") and\n not process.parent.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\PROGRA~1\\\\*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not 
added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1083", "name": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 12}, "id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_10.json b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_10.json
deleted file mode 100644
index a27937cebd5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_10.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "logs-endpoint.events.process-*"], "language": "eql", "license": "Elastic License v2", "name": "System Information Discovery via Windows Command Shell", "note": "## Triage and analysis\n\n### Investigating System Information Discovery via Windows Command Shell\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule identifies commands to enumerate system information, files, and folders using the Windows Command Shell.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and process.args : \"/c\" and process.args : (\"set\", \"dir\") and\n not process.parent.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\PROGRA~1\\\\*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", 
"Resources: Investigation Guide", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1083", "name": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 10}, "id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba_10", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_11.json b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_11.json deleted file mode 100644 index 4b5a4cf1e2b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_11.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "logs-endpoint.events.process-*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "System Information Discovery via Windows Command Shell", "note": "## Triage and analysis\n\n### Investigating System Information Discovery via Windows Command Shell\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule identifies commands to enumerate system information, files, and folders using the Windows Command Shell.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and process.args : \"/c\" and process.args : (\"set\", \"dir\") and\n not process.parent.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\PROGRA~1\\\\*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not 
added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1083", "name": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 11}, "id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba_11", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_12.json b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_12.json
deleted file mode 100644
index c6aeb2d0301..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_12.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "logs-endpoint.events.process-*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "System Information Discovery via Windows Command Shell", "note": "## Triage and analysis\n\n### Investigating System Information Discovery via Windows Command Shell\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule identifies commands to enumerate system information, files, and folders using the Windows Command Shell.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and process.args : \"/c\" and process.args : (\"set\", \"dir\") and\n not process.parent.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\PROGRA~1\\\\*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not 
added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1083", "name": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 12}, "id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba_12", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_13.json b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_13.json
deleted file mode 100644
index b6cb684b04f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_13.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "logs-endpoint.events.process-*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "System Information Discovery via Windows Command Shell", "note": "## Triage and analysis\n\n### Investigating System Information Discovery via Windows Command Shell\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule identifies commands to enumerate system information, files, and folders using the Windows Command Shell.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and process.args : \"/c\" and process.args : (\"set\", \"dir\") and\n not process.parent.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\PROGRA~1\\\\*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not 
added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1083", "name": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 13}, "id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba_13", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_3.json b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_3.json
deleted file mode 100644
index 7c23ed6ddf7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "System Information Discovery via Windows Command Shell", "note": "## Triage and analysis\n\n### Investigating System Information Discovery via Windows Command Shell\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule identifies commands to enumerate system information, files, and folders using the Windows Command Shell.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and process.args : \"/c\" and process.args : (\"set\", \"dir\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Execution", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1083", "name": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083/"}]}, 
{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_4.json b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_4.json
deleted file mode 100644
index 8f6785da5f2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "System Information Discovery via Windows Command Shell", "note": "## Triage and analysis\n\n### Investigating System Information Discovery via Windows Command Shell\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule identifies commands to enumerate system information, files, and folders using the Windows Command Shell.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and process.args : \"/c\" and process.args : (\"set\", \"dir\") and\n not process.parent.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\PROGRA~1\\\\*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Execution", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System 
Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1083", "name": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_5.json b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_5.json
deleted file mode 100644
index eef388633e7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "System Information Discovery via Windows Command Shell", "note": "## Triage and analysis\n\n### Investigating System Information Discovery via Windows Command Shell\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule identifies commands to enumerate system information, files, and folders using the Windows Command Shell.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and process.args : \"/c\" and process.args : (\"set\", \"dir\") and\n not process.parent.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\PROGRA~1\\\\*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": 
[{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1083", "name": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_6.json b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_6.json
deleted file mode 100644
index 77dfc62f69f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "System Information Discovery via Windows Command Shell", "note": "## Triage and analysis\n\n### Investigating System Information Discovery via Windows Command Shell\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule identifies commands to enumerate system information, files, and folders using the Windows Command Shell.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and process.args : \"/c\" and process.args : (\"set\", \"dir\") and\n not process.parent.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\PROGRA~1\\\\*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": 
"https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1083", "name": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_7.json b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_7.json
deleted file mode 100644
index 3f4acb0a6d8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "System Information Discovery via Windows Command Shell", "note": "## Triage and analysis\n\n### Investigating System Information Discovery via Windows Command Shell\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule identifies commands to enumerate system information, files, and folders using the Windows Command Shell.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and process.args : \"/c\" and process.args : (\"set\", \"dir\") and\n not process.parent.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\PROGRA~1\\\\*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": 
"https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1083", "name": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_8.json b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_8.json
deleted file mode 100644
index ebdb606cae1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_8.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "System Information Discovery via Windows Command Shell", "note": "## Triage and analysis\n\n### Investigating System Information Discovery via Windows Command Shell\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule identifies commands to enumerate system information, files, and folders using the Windows Command Shell.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and process.args : \"/c\" and process.args : (\"set\", \"dir\") and\n not process.parent.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\PROGRA~1\\\\*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", 
"Resources: Investigation Guide", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1083", "name": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba_8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_9.json b/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_9.json
deleted file mode 100644
index 0c723c5472d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d68e95ad-1c82-4074-a12a-125fe10ac8ba_9.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the execution of discovery commands to enumerate system information, files, and folders using the Windows Command Shell.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "System Information Discovery via Windows Command Shell", "note": "## Triage and analysis\n\n### Investigating System Information Discovery via Windows Command Shell\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule identifies commands to enumerate system information, files, and folders using the Windows Command Shell.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and process.args : \"/c\" and process.args : (\"set\", \"dir\") and\n not process.parent.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\PROGRA~1\\\\*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", 
"Resources: Investigation Guide", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1082", "name": "System Information Discovery", "reference": "https://attack.mitre.org/techniques/T1082/"}, {"id": "T1083", "name": "File and Directory Discovery", "reference": "https://attack.mitre.org/techniques/T1083/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 9}, "id": "d68e95ad-1c82-4074-a12a-125fe10ac8ba_9", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa.json b/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa.json
deleted file mode 100644
index 2ab370d3df3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing polices increase this protection by refining settings to better detect and prevent attacks.", "false_positives": ["An anti-phishing policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-AntiPhishPolicy\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": 
"https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_101.json b/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_101.json
deleted file mode 100644
index 253d988091c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_101.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing polices increase this protection by refining settings to better detect and prevent attacks.", "false_positives": ["An anti-phishing policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-AntiPhishPolicy\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": 
"https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_102.json b/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_102.json
deleted file mode 100644
index 0da9530f727..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing polices increase this protection by refining settings to better detect and prevent attacks.", "false_positives": ["An anti-phishing policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-AntiPhishPolicy\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": 
"https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_103.json b/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_103.json
deleted file mode 100644
index c6ed1c48f2e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing polices increase this protection by refining settings to better detect and prevent attacks.", "false_positives": ["An anti-phishing policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-AntiPhishPolicy\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": 
"https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_105.json b/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_105.json
deleted file mode 100644
index 968112e80a6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an anti-phishing policy in Microsoft 365. By default, Microsoft 365 includes built-in features that help protect users from phishing attacks. Anti-phishing polices increase this protection by refining settings to better detect and prevent attacks.", "false_positives": ["An anti-phishing policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Anti-Phish Policy Deletion", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-AntiPhishPolicy\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": 
"https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5.json b/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5.json
deleted file mode 100644
index dbb537f13c7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Modification of WDigest Security Provider", "note": "## Triage and analysis\n\n### Investigating Modification of WDigest Security Provider\n\nIn Windows XP, Microsoft added support for a protocol known as WDigest. The WDigest protocol allows clients to send cleartext credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications based on RFC 2617 and 2831. Windows versions up to 8 and 2012 store logon credentials in memory in plaintext by default, which is no longer the case with newer Windows versions.\n\nStill, attackers can force WDigest to store the passwords insecurely on the memory by modifying the `HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential` registry key. This activity is commonly related to the execution of credential dumping tools.\n\n#### Possible investigation steps\n\n- It is unlikely that the monitored registry key was modified legitimately in newer versions of Windows. Analysts should treat any activity triggered from this rule with high priority as it typically represents an active adversary.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if credential dumping tools were run on the host, and retrieve and analyze suspicious executables:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team, as these modifications expose the entire domain to credential compromises and consequently unauthorized access.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"creation\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\"\n ) and registry.data.strings : (\"1\", \"0x00000001\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\" and user.id : \"S-1-5-18\")\n", "references": ["https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html", "https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019", "https://frsecure.com/compromised-credentials-response-playbook", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, 
"rule_id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_104.json b/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_104.json
deleted file mode 100644
index 7bb6dc06705..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Modification of WDigest Security Provider", "note": "## Triage and analysis\n\n### Investigating Modification of WDigest Security Provider\n\nIn Windows XP, Microsoft added support for a protocol known as WDigest. The WDigest protocol allows clients to send cleartext credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications based on RFC 2617 and 2831. Windows versions up to 8 and 2012 store logon credentials in memory in plaintext by default, which is no longer the case with newer Windows versions.\n\nStill, attackers can force WDigest to store the passwords insecurely on the memory by modifying the `HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential` registry key. This activity is commonly related to the execution of credential dumping tools.\n\n#### Possible investigation steps\n\n- It is unlikely that the monitored registry key was modified legitimately in newer versions of Windows. Analysts should treat any activity triggered from this rule with high priority as it typically represents an active adversary.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if credential dumping tools were run on the host, and retrieve and analyze suspicious executables:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team, as these modifications expose the entire domain to credential compromises and consequently unauthorized access.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\"\n ) and registry.data.strings : (\"1\", \"0x00000001\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\" and user.id : \"S-1-5-18\")\n", "references": ["https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html", "https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019", "https://frsecure.com/compromised-credentials-response-playbook", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], 
"risk_score": 73, "rule_id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_105.json b/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_105.json
deleted file mode 100644
index fbe5380bad2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Modification of WDigest Security Provider", "note": "## Triage and analysis\n\n### Investigating Modification of WDigest Security Provider\n\nIn Windows XP, Microsoft added support for a protocol known as WDigest. The WDigest protocol allows clients to send cleartext credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications based on RFC 2617 and 2831. Windows versions up to 8 and 2012 store logon credentials in memory in plaintext by default, which is no longer the case with newer Windows versions.\n\nStill, attackers can force WDigest to store the passwords insecurely on the memory by modifying the `HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential` registry key. This activity is commonly related to the execution of credential dumping tools.\n\n#### Possible investigation steps\n\n- It is unlikely that the monitored registry key was modified legitimately in newer versions of Windows. Analysts should treat any activity triggered from this rule with high priority as it typically represents an active adversary.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if credential dumping tools were run on the host, and retrieve and analyze suspicious executables:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team, as these modifications expose the entire domain to credential compromises and consequently unauthorized access.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\"\n ) and registry.data.strings : (\"1\", \"0x00000001\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\" and user.id : \"S-1-5-18\")\n", "references": ["https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html", "https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019", "https://frsecure.com/compromised-credentials-response-playbook", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], 
"risk_score": 73, "rule_id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_106.json b/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_106.json
deleted file mode 100644
index e110400af88..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Modification of WDigest Security Provider", "note": "## Triage and analysis\n\n### Investigating Modification of WDigest Security Provider\n\nIn Windows XP, Microsoft added support for a protocol known as WDigest. The WDigest protocol allows clients to send cleartext credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications based on RFC 2617 and 2831. Windows versions up to 8 and 2012 store logon credentials in memory in plaintext by default, which is no longer the case with newer Windows versions.\n\nStill, attackers can force WDigest to store the passwords insecurely on the memory by modifying the `HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential` registry key. This activity is commonly related to the execution of credential dumping tools.\n\n#### Possible investigation steps\n\n- It is unlikely that the monitored registry key was modified legitimately in newer versions of Windows. Analysts should treat any activity triggered from this rule with high priority as it typically represents an active adversary.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if credential dumping tools were run on the host, and retrieve and analyze suspicious executables:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team, as these modifications expose the entire domain to credential compromises and consequently unauthorized access.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\"\n ) and registry.data.strings : (\"1\", \"0x00000001\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\" and user.id : \"S-1-5-18\")\n", "references": ["https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html", "https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019", "https://frsecure.com/compromised-credentials-response-playbook", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], 
"risk_score": 73, "rule_id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_107.json b/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_107.json
deleted file mode 100644
index 84030ce85d0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Modification of WDigest Security Provider", "note": "## Triage and analysis\n\n### Investigating Modification of WDigest Security Provider\n\nIn Windows XP, Microsoft added support for a protocol known as WDigest. The WDigest protocol allows clients to send cleartext credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications based on RFC 2617 and 2831. Windows versions up to 8 and 2012 store logon credentials in memory in plaintext by default, which is no longer the case with newer Windows versions.\n\nStill, attackers can force WDigest to store the passwords insecurely on the memory by modifying the `HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential` registry key. This activity is commonly related to the execution of credential dumping tools.\n\n#### Possible investigation steps\n\n- It is unlikely that the monitored registry key was modified legitimately in newer versions of Windows. Analysts should treat any activity triggered from this rule with high priority as it typically represents an active adversary.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if credential dumping tools were run on the host, and retrieve and analyze suspicious executables:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team, as these modifications expose the entire domain to credential compromises and consequently unauthorized access.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\"\n ) and registry.data.strings : (\"1\", \"0x00000001\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\" and user.id : \"S-1-5-18\")\n", "references": ["https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html", "https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019", "https://frsecure.com/compromised-credentials-response-playbook", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], 
"risk_score": 73, "rule_id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_108.json b/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_108.json
deleted file mode 100644
index 869f7040008..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Modification of WDigest Security Provider", "note": "## Triage and analysis\n\n### Investigating Modification of WDigest Security Provider\n\nIn Windows XP, Microsoft added support for a protocol known as WDigest. The WDigest protocol allows clients to send cleartext credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications based on RFC 2617 and 2831. Windows versions up to 8 and 2012 store logon credentials in memory in plaintext by default, which is no longer the case with newer Windows versions.\n\nStill, attackers can force WDigest to store the passwords insecurely on the memory by modifying the `HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential` registry key. This activity is commonly related to the execution of credential dumping tools.\n\n#### Possible investigation steps\n\n- It is unlikely that the monitored registry key was modified legitimately in newer versions of Windows. Analysts should treat any activity triggered from this rule with high priority as it typically represents an active adversary.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if credential dumping tools were run on the host, and retrieve and analyze suspicious executables:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team, as these modifications expose the entire domain to credential compromises and consequently unauthorized access.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\"\n ) and registry.data.strings : (\"1\", \"0x00000001\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\" and user.id : \"S-1-5-18\")\n", "references": ["https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html", "https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019", "https://frsecure.com/compromised-credentials-response-playbook", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], 
"risk_score": 73, "rule_id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_109.json b/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_109.json deleted file mode 100644 index 4f1b79cdd53..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Modification of WDigest Security Provider", "note": "## Triage and analysis\n\n### Investigating Modification of WDigest Security Provider\n\nIn Windows XP, Microsoft added support for a protocol known as WDigest. The WDigest protocol allows clients to send cleartext credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications based on RFC 2617 and 2831. Windows versions up to 8 and 2012 store logon credentials in memory in plaintext by default, which is no longer the case with newer Windows versions.\n\nStill, attackers can force WDigest to store the passwords insecurely on the memory by modifying the `HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential` registry key. This activity is commonly related to the execution of credential dumping tools.\n\n#### Possible investigation steps\n\n- It is unlikely that the monitored registry key was modified legitimately in newer versions of Windows. Analysts should treat any activity triggered from this rule with high priority as it typically represents an active adversary.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if credential dumping tools were run on the host, and retrieve and analyze suspicious executables:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team, as these modifications expose the entire domain to credential compromises and consequently unauthorized access.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\"\n ) and registry.data.strings : (\"1\", \"0x00000001\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\" and user.id : \"S-1-5-18\")\n", "references": ["https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html", "https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019", "https://frsecure.com/compromised-credentials-response-playbook", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], 
"risk_score": 73, "rule_id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_110.json b/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_110.json deleted file mode 100644 index 0f15053e75e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory. This behavior can be indicative of an adversary attempting to weaken the security configuration of an endpoint. Once the UseLogonCredential value is modified, the adversary may attempt to dump clear text passwords from memory.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Modification of WDigest Security Provider", "note": "## Triage and analysis\n\n### Investigating Modification of WDigest Security Provider\n\nIn Windows XP, Microsoft added support for a protocol known as WDigest. The WDigest protocol allows clients to send cleartext credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications based on RFC 2617 and 2831. Windows versions up to 8 and 2012 store logon credentials in memory in plaintext by default, which is no longer the case with newer Windows versions.\n\nStill, attackers can force WDigest to store the passwords insecurely on the memory by modifying the `HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential` registry key. This activity is commonly related to the execution of credential dumping tools.\n\n#### Possible investigation steps\n\n- It is unlikely that the monitored registry key was modified legitimately in newer versions of Windows. Analysts should treat any activity triggered from this rule with high priority as it typically represents an active adversary.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Determine if credential dumping tools were run on the host, and retrieve and analyze suspicious executables:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team, as these modifications expose the entire domain to credential compromises and consequently unauthorized access.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"creation\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\SecurityProviders\\\\WDigest\\\\UseLogonCredential\"\n ) and registry.data.strings : (\"1\", \"0x00000001\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\svchost.exe\" and user.id : \"S-1-5-18\")\n", "references": ["https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html", "https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019", "https://frsecure.com/compromised-credentials-response-playbook", "https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 73, 
"rule_id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87.json b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87.json deleted file mode 100644 index 7ad3eca3905..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.", "false_positives": ["Trusted SolarWinds child processes. Verify process details such as network connections and file writes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Command Execution via SolarWinds Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name: (\"cmd.exe\", \"powershell.exe\") and\nprocess.parent.name: (\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\"\n )\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline 
to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_104.json b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_104.json deleted file mode 100644 index b0e155c00ae..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.", "false_positives": ["Trusted SolarWinds child processes. Verify process details such as network connections and file writes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Command Execution via SolarWinds Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name: (\"cmd.exe\", \"powershell.exe\") and\nprocess.parent.name: (\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\"\n )\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", 
"Threat Detection", "Execution", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_105.json b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_105.json deleted file mode 100644 index 5158a8714b5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.", "false_positives": ["Trusted SolarWinds child processes. Verify process details such as network connections and file writes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Command Execution via SolarWinds Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name: (\"cmd.exe\", \"powershell.exe\") and\nprocess.parent.name: (\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\"\n )\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", 
"Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_106.json b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_106.json deleted file mode 100644 index ddcac8bd2fe..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.", "false_positives": ["Trusted SolarWinds child processes. Verify process details such as network connections and file writes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Command Execution via SolarWinds Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name: (\"cmd.exe\", \"powershell.exe\") and\nprocess.parent.name: (\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\"\n )\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", 
"Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_107.json b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_107.json deleted file mode 100644 index c4e0f2bd8b1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.", "false_positives": ["Trusted SolarWinds child processes. Verify process details such as network connections and file writes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Command Execution via SolarWinds Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name: (\"cmd.exe\", \"powershell.exe\") and\nprocess.parent.name: (\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\"\n )\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", 
"Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_108.json b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_108.json deleted file mode 100644 index 4cb190df9a4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.", "false_positives": ["Trusted SolarWinds child processes. Verify process details such as network connections and file writes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Command Execution via SolarWinds Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name: (\"cmd.exe\", \"powershell.exe\") and\nprocess.parent.name: (\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\"\n )\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom 
ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_109.json b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_109.json deleted file mode 100644 index 3affd7188cd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.", "false_positives": ["Trusted SolarWinds child processes. Verify process details such as network connections and file writes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Command Execution via SolarWinds Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name: (\"cmd.exe\", \"powershell.exe\") and\nprocess.parent.name: (\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\"\n )\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_110.json b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_110.json deleted file mode 100644 index 9d5e19a1d9e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.", "false_positives": ["Trusted SolarWinds child processes. Verify process details such as network connections and file writes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Command Execution via SolarWinds Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name: (\"cmd.exe\", \"powershell.exe\") and\nprocess.parent.name: (\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\"\n )\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to 
populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_111.json b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_111.json deleted file mode 100644 index 7b8c09869fa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.", "false_positives": ["Trusted SolarWinds child processes. Verify process details such as network connections and file writes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Command Execution via SolarWinds Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name: (\"cmd.exe\", \"powershell.exe\") and\nprocess.parent.name: (\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\"\n )\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline 
to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_112.json b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_112.json deleted file mode 100644 index 2a35e2fb470..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_112.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.", "false_positives": ["Trusted SolarWinds child processes. Verify process details such as network connections and file writes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Command Execution via SolarWinds Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name: (\"cmd.exe\", \"powershell.exe\") and\nprocess.parent.name: (\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\"\n )\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline 
to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_312.json b/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_312.json deleted file mode 100644 index 6e53725d0aa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d72e33fc-6e91-42ff-ac8b-e573268c5a87_312.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.", "false_positives": ["Trusted SolarWinds child processes. Verify process details such as network connections and file writes."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Command Execution via SolarWinds Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name: (\"cmd.exe\", \"powershell.exe\") and\nprocess.parent.name: (\n \"ConfigurationWizard*.exe\",\n \"NetflowDatabaseMaintenance*.exe\",\n \"NetFlowService*.exe\",\n \"SolarWinds.Administration*.exe\",\n \"SolarWinds.Collector.Service*.exe\",\n \"SolarwindsDiagnostics*.exe\"\n )\n", "references": ["https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat 
Detection", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 312}, "id": "d72e33fc-6e91-42ff-ac8b-e573268c5a87_312", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb.json b/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb.json deleted file mode 100644 index 3851a6fb76f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a malware filter policy has been deleted in Microsoft 365. A malware filter policy is used to alert administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated. Deletion of a malware filter policy may be done to evade detection.", "false_positives": ["A malware filter policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Malware Filter Policy Deletion", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-MalwareFilterPolicy\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_101.json b/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_101.json
deleted file mode 100644
index 56541c7764c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_101.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a malware filter policy has been deleted in Microsoft 365. A malware filter policy is used to alert administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated. Deletion of a malware filter policy may be done to evade detection.", "false_positives": ["A malware filter policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Malware Filter Policy Deletion", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-MalwareFilterPolicy\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, 
"technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_102.json b/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_102.json
deleted file mode 100644
index 06c9b8751bb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a malware filter policy has been deleted in Microsoft 365. A malware filter policy is used to alert administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated. Deletion of a malware filter policy may be done to evade detection.", "false_positives": ["A malware filter policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Malware Filter Policy Deletion", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-MalwareFilterPolicy\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_103.json b/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_103.json
deleted file mode 100644
index 8a24e9bf5c5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a malware filter policy has been deleted in Microsoft 365. A malware filter policy is used to alert administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated. Deletion of a malware filter policy may be done to evade detection.", "false_positives": ["A malware filter policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Malware Filter Policy Deletion", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-MalwareFilterPolicy\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_105.json b/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_105.json
deleted file mode 100644
index 4fbf03fc1c4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d743ff2a-203e-4a46-a3e3-40512cfe8fbb_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when a malware filter policy has been deleted in Microsoft 365. A malware filter policy is used to alert administrators that an internal user sent a message that contained malware. This may indicate an account or machine compromise that would need to be investigated. Deletion of a malware filter policy may be done to evade detection.", "false_positives": ["A malware filter policy may be deleted by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Malware Filter Policy Deletion", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"Remove-MalwareFilterPolicy\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "d743ff2a-203e-4a46-a3e3-40512cfe8fbb_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d74d6506-427a-4790-b170-0c2a6ddac799.json b/packages/security_detection_engine/kibana/security_rule/d74d6506-427a-4790-b170-0c2a6ddac799.json
deleted file mode 100644
index 168615a77d8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d74d6506-427a-4790-b170-0c2a6ddac799.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Monitors for grep activity related to memory mapping. The /proc/*/maps file in Linux provides a memory map for a specific process, detailing the memory segments, permissions, and what files are mapped to these segments. Attackers may read a process's memory map to identify memory addresses for code injection or process hijacking.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Memory grep Activity", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.name in (\"grep\", \"egrep\", \"fgrep\", \"rgrep\") and process.args in (\"[stack]\", \"[vdso]\", \"[heap]\")\n", "references": ["https://github.com/arget13/DDexec"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "d74d6506-427a-4790-b170-0c2a6ddac799", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "d74d6506-427a-4790-b170-0c2a6ddac799", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d74d6506-427a-4790-b170-0c2a6ddac799_1.json b/packages/security_detection_engine/kibana/security_rule/d74d6506-427a-4790-b170-0c2a6ddac799_1.json
deleted file mode 100644
index 07eae5e2077..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d74d6506-427a-4790-b170-0c2a6ddac799_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Monitors for grep activity related to memory mapping. The /proc/*/maps file in Linux provides a memory map for a specific process, detailing the memory segments, permissions, and what files are mapped to these segments. Attackers may read a process's memory map to identify memory addresses for code injection or process hijacking.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Memory grep Activity", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and\nprocess.name in (\"grep\", \"egrep\", \"fgrep\", \"rgrep\") and process.args in (\"[stack]\", \"[vdso]\", \"[heap]\")\n", "references": ["https://github.com/arget13/DDexec"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "d74d6506-427a-4790-b170-0c2a6ddac799", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "d74d6506-427a-4790-b170-0c2a6ddac799_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d74d6506-427a-4790-b170-0c2a6ddac799_2.json b/packages/security_detection_engine/kibana/security_rule/d74d6506-427a-4790-b170-0c2a6ddac799_2.json
deleted file mode 100644
index 20ff61edf1a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d74d6506-427a-4790-b170-0c2a6ddac799_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Monitors for grep activity related to memory mapping. The /proc/*/maps file in Linux provides a memory map for a specific process, detailing the memory segments, permissions, and what files are mapped to these segments. Attackers may read a process's memory map to identify memory addresses for code injection or process hijacking.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Memory grep Activity", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.name in (\"grep\", \"egrep\", \"fgrep\", \"rgrep\") and process.args in (\"[stack]\", \"[vdso]\", \"[heap]\")\n", "references": ["https://github.com/arget13/DDexec"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "d74d6506-427a-4790-b170-0c2a6ddac799", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1057", "name": "Process Discovery", "reference": "https://attack.mitre.org/techniques/T1057/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "d74d6506-427a-4790-b170-0c2a6ddac799_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61.json b/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61.json
deleted file mode 100644
index b15259548d6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. Adversaries may collect the keychain storage data from a system to acquire credentials.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "SystemKey Access via Command Line", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.args:(\"/private/var/db/SystemKey\" or \"/var/db/SystemKey\") and\n not process.Ext.effective_parent.executable : \"/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint\"\n", "references": ["https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.effective_parent.executable", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "d75991f2-b989-419d-b797-ac1e54ec2d61", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.001", "name": "Keychain", "reference": "https://attack.mitre.org/techniques/T1555/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "d75991f2-b989-419d-b797-ac1e54ec2d61", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_102.json b/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_102.json
deleted file mode 100644
index 6bf28b84e55..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. Adversaries may collect the keychain storage data from a system to acquire credentials.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "SystemKey Access via Command Line", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.args:(\"/private/var/db/SystemKey\" or \"/var/db/SystemKey\")\n", "references": ["https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "d75991f2-b989-419d-b797-ac1e54ec2d61", "severity": "high", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.001", "name": "Keychain", "reference": "https://attack.mitre.org/techniques/T1555/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "d75991f2-b989-419d-b797-ac1e54ec2d61_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_103.json b/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_103.json
deleted file mode 100644
index 1b88fd86778..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. Adversaries may collect the keychain storage data from a system to acquire credentials.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "SystemKey Access via Command Line", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.args:(\"/private/var/db/SystemKey\" or \"/var/db/SystemKey\")\n", "references": ["https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "d75991f2-b989-419d-b797-ac1e54ec2d61", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.001", "name": "Keychain", "reference": "https://attack.mitre.org/techniques/T1555/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "d75991f2-b989-419d-b797-ac1e54ec2d61_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_104.json b/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_104.json
deleted file mode 100644
index 5e1c2fe6593..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. Adversaries may collect the keychain storage data from a system to acquire credentials.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "SystemKey Access via Command Line", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.args:(\"/private/var/db/SystemKey\" or \"/var/db/SystemKey\")\n", "references": ["https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "d75991f2-b989-419d-b797-ac1e54ec2d61", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.001", "name": "Keychain", "reference": "https://attack.mitre.org/techniques/T1555/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "d75991f2-b989-419d-b797-ac1e54ec2d61_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_105.json b/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_105.json
deleted file mode 100644
index 603faa80a35..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. Adversaries may collect the keychain storage data from a system to acquire credentials.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "SystemKey Access via Command Line", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.args:(\"/private/var/db/SystemKey\" or \"/var/db/SystemKey\")\n", "references": ["https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "d75991f2-b989-419d-b797-ac1e54ec2d61", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.001", "name": "Keychain", "reference": "https://attack.mitre.org/techniques/T1555/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "d75991f2-b989-419d-b797-ac1e54ec2d61_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_106.json b/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_106.json deleted file mode 100644 index d2368dde4ab..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d75991f2-b989-419d-b797-ac1e54ec2d61_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. Adversaries may collect the keychain storage data from a system to acquire credentials.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "SystemKey Access via Command Line", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.args:(\"/private/var/db/SystemKey\" or \"/var/db/SystemKey\")\n", "references": ["https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}], "risk_score": 73, "rule_id": "d75991f2-b989-419d-b797-ac1e54ec2d61", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.001", "name": "Keychain", "reference": "https://attack.mitre.org/techniques/T1555/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "d75991f2-b989-419d-b797-ac1e54ec2d61_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f.json b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f.json deleted file mode 100644 index 7825044076d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Interactive Terminal Spawned via Python", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\n(\n (process.parent.name : \"python*\" and process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\",\n \"fish\") and process.parent.args_count >= 3 and process.parent.args : \"*pty.spawn*\" and process.parent.args : \"-c\") or\n (process.parent.name : \"python*\" and process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\",\n \"fish\") and process.args : \"*sh\" and process.args_count == 1 and process.parent.args_count == 1)\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.args_count", "type": "long"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "d76b02ef-fc95-4001-9297-01cb7412232f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.006", "name": "Python", "reference": "https://attack.mitre.org/techniques/T1059/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "d76b02ef-fc95-4001-9297-01cb7412232f", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_103.json b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_103.json deleted file mode 100644 index f91c685017e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Interactive Terminal Spawned via Python", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.name:python* and\n process.args:(\"import pty; pty.spawn(\\\"/bin/sh\\\")\" or\n \"import pty; pty.spawn(\\\"/bin/dash\\\")\" or\n \"import pty; pty.spawn(\\\"/bin/bash\\\")\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "d76b02ef-fc95-4001-9297-01cb7412232f", "severity": "high", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "d76b02ef-fc95-4001-9297-01cb7412232f_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_104.json b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_104.json
deleted file mode 100644
index 0604e7210f8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Interactive Terminal Spawned via Python", "query": "sequence with maxspan=1m\n [process where host.os.type == \"linux\" and event.type == \"start\" and process.name : \"python*\"] by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and \n process.executable : \"/bin/*sh\"\n ] by process.parent.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}], "risk_score": 73, "rule_id": "d76b02ef-fc95-4001-9297-01cb7412232f", "severity": "high", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.006", "name": "Python", "reference": "https://attack.mitre.org/techniques/T1059/006/"}]}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "type": "eql", "version": 104}, "id": "d76b02ef-fc95-4001-9297-01cb7412232f_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_105.json b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_105.json
deleted file mode 100644
index 87035e5c845..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Interactive Terminal Spawned via Python", "query": "sequence with maxspan=1m\n [process where host.os.type == \"linux\" and event.type == \"start\" and process.name : \"python*\"] by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and \n process.executable : \"/bin/*sh\"\n ] by process.parent.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}], "risk_score": 73, "rule_id": "d76b02ef-fc95-4001-9297-01cb7412232f", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.006", "name": "Python", "reference": "https://attack.mitre.org/techniques/T1059/006/"}]}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "type": "eql", "version": 105}, "id": "d76b02ef-fc95-4001-9297-01cb7412232f_105", "type": 
"security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_106.json b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_106.json deleted file mode 100644 index 5b6e655a820..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Interactive Terminal Spawned via Python", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n(\n (process.parent.name : \"python*\" and process.name : \"*sh\" and process.parent.args_count >= 3 and\n process.parent.args : \"*pty.spawn*\" and process.parent.args : \"-c\") or\n (process.parent.name : \"python*\" and process.name : \"*sh\" and process.args : \"*sh\" and process.args_count == 1\n and process.parent.args_count == 1)\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.args_count", "type": "long"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "d76b02ef-fc95-4001-9297-01cb7412232f", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.006", "name": "Python", 
"reference": "https://attack.mitre.org/techniques/T1059/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "d76b02ef-fc95-4001-9297-01cb7412232f_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_107.json b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_107.json deleted file mode 100644 index ce6050d32c4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Interactive Terminal Spawned via Python", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n(\n (process.parent.name : \"python*\" and process.name : \"*sh\" and process.parent.args_count >= 3 and\n process.parent.args : \"*pty.spawn*\" and process.parent.args : \"-c\") or\n (process.parent.name : \"python*\" and process.name : \"*sh\" and process.args : \"*sh\" and process.args_count == 1\n and process.parent.args_count == 1)\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.args_count", "type": "long"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "d76b02ef-fc95-4001-9297-01cb7412232f", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": 
"T1059.006", "name": "Python", "reference": "https://attack.mitre.org/techniques/T1059/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "d76b02ef-fc95-4001-9297-01cb7412232f_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_108.json b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_108.json deleted file mode 100644 index 41b82093c26..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Interactive Terminal Spawned via Python", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n(\n (process.parent.name : \"python*\" and process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\",\n \"fish\") and process.parent.args_count >= 3 and process.parent.args : \"*pty.spawn*\" and process.parent.args : \"-c\") or\n (process.parent.name : \"python*\" and process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\",\n \"fish\") and process.args : \"*sh\" and process.args_count == 1 and process.parent.args_count == 1)\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.args_count", "type": "long"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "d76b02ef-fc95-4001-9297-01cb7412232f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.006", "name": "Python", "reference": "https://attack.mitre.org/techniques/T1059/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "d76b02ef-fc95-4001-9297-01cb7412232f_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_109.json b/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_109.json deleted file mode 100644 index 2a116985021..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d76b02ef-fc95-4001-9297-01cb7412232f_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Interactive Terminal Spawned via Python", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n(\n (process.parent.name : \"python*\" and process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\",\n \"fish\") and process.parent.args_count >= 3 and process.parent.args : \"*pty.spawn*\" and process.parent.args : \"-c\") or\n (process.parent.name : \"python*\" and process.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\",\n \"fish\") and process.args : \"*sh\" and process.args_count == 1 and process.parent.args_count == 1)\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.args_count", "type": "long"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "d76b02ef-fc95-4001-9297-01cb7412232f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.006", "name": "Python", "reference": "https://attack.mitre.org/techniques/T1059/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "d76b02ef-fc95-4001-9297-01cb7412232f_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9.json b/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9.json
deleted file mode 100644
index 25eaadd94b9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when the Azure role-based access control (Azure RBAC) permissions are modified for an Azure Blob. An adversary may modify the permissions on a blob to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.", "false_positives": ["Blob permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Blob Permissions Modification", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(\n \"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MANAGEOWNERSHIP/ACTION\" or\n \"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MODIFYPERMISSIONS/ACTION\") and\n event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "d79c4b2a-6134-4edd-86e6-564a92a933f9", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, 
"technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "d79c4b2a-6134-4edd-86e6-564a92a933f9", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9_101.json b/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9_101.json
deleted file mode 100644
index 6dd9cff638d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9_101.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when the Azure role-based access control (Azure RBAC) permissions are modified for an Azure Blob. An adversary may modify the permissions on a blob to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.", "false_positives": ["Blob permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Blob Permissions Modification", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(\n \"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MANAGEOWNERSHIP/ACTION\" or\n \"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MODIFYPERMISSIONS/ACTION\") and\n event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "d79c4b2a-6134-4edd-86e6-564a92a933f9", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and 
Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "d79c4b2a-6134-4edd-86e6-564a92a933f9_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9_102.json b/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9_102.json
deleted file mode 100644
index c2eff743a49..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d79c4b2a-6134-4edd-86e6-564a92a933f9_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when the Azure role-based access control (Azure RBAC) permissions are modified for an Azure Blob. An adversary may modify the permissions on a blob to weaken their target's security controls or an administrator may inadvertently modify the permissions, which could lead to data exposure or loss.", "false_positives": ["Blob permissions may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Blob Permissions Modification", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(\n \"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MANAGEOWNERSHIP/ACTION\" or\n \"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MODIFYPERMISSIONS/ACTION\") and\n event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "d79c4b2a-6134-4edd-86e6-564a92a933f9", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", 
"name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "d79c4b2a-6134-4edd-86e6-564a92a933f9_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9.json b/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9.json
deleted file mode 100644
index 50c7ef5d33e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job found an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration or brute force activity.", "false_positives": ["Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "auth_high_count_logon_events", "name": "Spike in Logon Events", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}], "risk_score": 21, "rule_id": "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n- System\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n\n### System Integration Setup\nThe System integration allows you to collect system logs and metrics from your servers with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"system\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cSystem\u201d and select the integration to see more details about it.\n- Click \u201cAdd System\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201csystem\u201d to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).\n", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "type": "machine_learning", "version": 104}, "id": "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_101.json b/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_101.json deleted file mode 100644 index b195a543b7b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_101.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job found an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration or brute force activity.", "false_positives": ["Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "auth_high_count_logon_events", "name": "Spike in Logon Events", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9", "severity": "low", "tags": ["Elastic", "Authentication", "Threat Detection", "ML", "Machine Learning", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "type": "machine_learning", "version": 101}, "id": "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_102.json b/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_102.json deleted file mode 100644 index 44da85e2a1a..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_102.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job found an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration or brute force activity.", "false_positives": ["Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "auth_high_count_logon_events", "name": "Spike in Logon Events", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "type": "machine_learning", "version": 102}, "id": "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_103.json b/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_103.json deleted file mode 100644 index 2239acd54aa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job found an unusually large spike in successful authentication events. This can be due to password spraying, user enumeration or brute force activity.", "false_positives": ["Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "auth_high_count_logon_events", "name": "Spike in Logon Events", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}], "risk_score": 21, "rule_id": "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "type": "machine_learning", "version": 103}, "id": "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d.json b/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d.json deleted file mode 100644 index 02beda0d899..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.", "false_positives": ["Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior."], "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "SMTP on Port 26/TCP", "query": "(event.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and network.transport:tcp and destination.port:26\n", "references": ["https://unit42.paloaltonetworks.com/unit42-badpatch/", "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}], "risk_score": 21, "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d", "severity": "low", "tags": ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1048", "name": "Exfiltration Over Alternative Protocol", "reference": "https://attack.mitre.org/techniques/T1048/"}]}], 
"timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_100.json b/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_100.json
deleted file mode 100644
index 137f3b8ac02..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_100.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.", "false_positives": ["Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior."], "from": "now-9m", "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "SMTP on Port 26/TCP", "query": "event.category:(network or network_traffic) and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))\n", "references": ["https://unit42.paloaltonetworks.com/unit42-badpatch/", "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/"], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}], "risk_score": 21, "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d", "severity": "low", "tags": ["Elastic", "Host", "Network", "Threat Detection", "Command and Control", "Host"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1048", "name": "Exfiltration Over Alternative Protocol", "reference": "https://attack.mitre.org/techniques/T1048/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 100}, "id": 
"d7e62693-aab9-4f66-a21a-3d79ecdd603d_100", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_101.json b/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_101.json
deleted file mode 100644
index 1d8dd863d20..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_101.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.", "false_positives": ["Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior."], "from": "now-9m", "index": ["packetbeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "SMTP on Port 26/TCP", "query": "event.dataset: network_traffic.flow and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))\n", "references": ["https://unit42.paloaltonetworks.com/unit42-badpatch/", "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}], "risk_score": 21, "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d", "severity": "low", "tags": ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1048", "name": "Exfiltration Over Alternative Protocol", "reference": "https://attack.mitre.org/techniques/T1048/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": 
"d7e62693-aab9-4f66-a21a-3d79ecdd603d_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_102.json b/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_102.json
deleted file mode 100644
index 1eab7809f18..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.", "false_positives": ["Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior."], "from": "now-9m", "index": ["packetbeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "SMTP on Port 26/TCP", "query": "event.dataset: network_traffic.flow and network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))\n", "references": ["https://unit42.paloaltonetworks.com/unit42-badpatch/", "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}], "risk_score": 21, "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d", "severity": "low", "tags": ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1048", "name": "Exfiltration Over Alternative Protocol", "reference": "https://attack.mitre.org/techniques/T1048/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": 
"d7e62693-aab9-4f66-a21a-3d79ecdd603d_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_103.json b/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_103.json
deleted file mode 100644
index e60d5525952..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.", "false_positives": ["Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior."], "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "SMTP on Port 26/TCP", "query": "(event.dataset: network_traffic.flow or (event.category: (network or network_traffic))) and\n network.transport:tcp and (destination.port:26 or (event.dataset:zeek.smtp and destination.port:26))\n", "references": ["https://unit42.paloaltonetworks.com/unit42-badpatch/", "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}], "risk_score": 21, "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d", "severity": "low", "tags": ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1048", "name": "Exfiltration Over Alternative Protocol", "reference": 
"https://attack.mitre.org/techniques/T1048/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_104.json b/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_104.json
deleted file mode 100644
index abe6da0a24b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d7e62693-aab9-4f66-a21a-3d79ecdd603d_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects events that may indicate use of SMTP on TCP port 26. This port is commonly used by several popular mail transfer agents to deconflict with the default SMTP port 25. This port has also been used by a malware family called BadPatch for command and control of Windows systems.", "false_positives": ["Servers that process email traffic may cause false positives and should be excluded from this rule as this is expected behavior."], "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "SMTP on Port 26/TCP", "query": "(event.dataset: (network_traffic.flow or zeek.smtp) or event.category:(network or network_traffic)) and network.transport:tcp and destination.port:26\n", "references": ["https://unit42.paloaltonetworks.com/unit42-badpatch/", "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}], "risk_score": 21, "rule_id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d", "severity": "low", "tags": ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1048", "name": "Exfiltration Over Alternative Protocol", "reference": "https://attack.mitre.org/techniques/T1048/"}]}], 
"timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "d7e62693-aab9-4f66-a21a-3d79ecdd603d_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa.json b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa.json
deleted file mode 100644
index 04d3d14e336..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of unsigned or self-signed code.", "from": "now-9m", "index": ["logs-endpoint.events.library-*"], "language": "eql", "license": "Elastic License v2", "name": "Untrusted Driver Loaded", "note": "## Triage and analysis\n\n### Investigating Untrusted Driver Loaded\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies an attempt to load an untrusted driver, which effectively means that DSE was disabled or bypassed. This can indicate that the system was compromised.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. If you're using Elastic Defend, path information can be found in the `dll.path` field.\n - Examine the file creation and modification timestamps:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `dll.Ext.relative_file_name_modify_time` fields. 
The values are in seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "driver where host.os.type == \"windows\" and process.pid == 4 and\n dll.code_signature.trusted != true and \n not dll.code_signature.status : (\"errorExpired\", \"errorRevoked\", \"errorCode_endpoint:*\")\n", "references": ["https://github.com/hfiref0x/TDL", "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 73, "rule_id": "d8ab1ec1-feeb-48b9-89e7-c12e189448aa", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 9}, "id": "d8ab1ec1-feeb-48b9-89e7-c12e189448aa", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_2.json b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_2.json
deleted file mode 100644
index b455ac3fd1a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of unsigned or self-signed code.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Untrusted Driver Loaded", "query": "driver where host.os.type == \"windows\" and process.pid == 4 and\n dll.code_signature.trusted != true and \n not dll.code_signature.status : (\"errorExpired\", \"errorRevoked\")\n", "references": ["https://github.com/hfiref0x/TDL", "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 73, "rule_id": "d8ab1ec1-feeb-48b9-89e7-c12e189448aa", "severity": "high", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.006", "name": "Code Signing Policy Modification", "reference": "https://attack.mitre.org/techniques/T1553/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "d8ab1ec1-feeb-48b9-89e7-c12e189448aa_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_3.json b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_3.json
deleted file mode 100644
index 375b7a87d6e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of unsigned or self-signed code.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Untrusted Driver Loaded", "note": "## Triage and analysis\n\n### Investigating Untrusted Driver Loaded\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies an attempt to load an untrusted driver, which effectively means that DSE was disabled or bypassed. This can indicate that the system was compromised.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. If you're using Elastic Defend, path information can be found in the `dll.path` field.\n - Examine the file creation and modification timestamps:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `dll.Ext.relative_file_name_modify_time` fields. 
The values are in seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "driver where host.os.type == \"windows\" and process.pid == 4 and\n dll.code_signature.trusted != true and \n not dll.code_signature.status : (\"errorExpired\", \"errorRevoked\")\n", "references": ["https://github.com/hfiref0x/TDL", "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 73, "rule_id": "d8ab1ec1-feeb-48b9-89e7-c12e189448aa", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.006", "name": "Code Signing Policy Modification", "reference": "https://attack.mitre.org/techniques/T1553/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "d8ab1ec1-feeb-48b9-89e7-c12e189448aa_3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_4.json b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_4.json
deleted file mode 100644
index 2d6d3d113f0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of unsigned or self-signed code.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Untrusted Driver Loaded", "note": "## Triage and analysis\n\n### Investigating Untrusted Driver Loaded\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies an attempt to load an untrusted driver, which effectively means that DSE was disabled or bypassed. This can indicate that the system was compromised.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. If you're using Elastic Defend, path information can be found in the `dll.path` field.\n - Examine the file creation and modification timestamps:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `dll.Ext.relative_file_name_modify_time` fields. 
The values are in seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "driver where host.os.type == \"windows\" and process.pid == 4 and\n dll.code_signature.trusted != true and \n not dll.code_signature.status : (\"errorExpired\", \"errorRevoked\")\n", "references": ["https://github.com/hfiref0x/TDL", "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 73, "rule_id": "d8ab1ec1-feeb-48b9-89e7-c12e189448aa", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.006", "name": "Code Signing Policy Modification", "reference": "https://attack.mitre.org/techniques/T1553/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "d8ab1ec1-feeb-48b9-89e7-c12e189448aa_4", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_5.json b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_5.json
deleted file mode 100644
index 0129474f99a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of unsigned or self-signed code.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Untrusted Driver Loaded", "note": "## Triage and analysis\n\n### Investigating Untrusted Driver Loaded\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies an attempt to load an untrusted driver, which effectively means that DSE was disabled or bypassed. This can indicate that the system was compromised.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. If you're using Elastic Defend, path information can be found in the `dll.path` field.\n - Examine the file creation and modification timestamps:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `dll.Ext.relative_file_name_modify_time` fields. 
The values are in seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "driver where host.os.type == \"windows\" and process.pid == 4 and\n dll.code_signature.trusted != true and \n not dll.code_signature.status : (\"errorExpired\", \"errorRevoked\")\n", "references": ["https://github.com/hfiref0x/TDL", "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 73, "rule_id": "d8ab1ec1-feeb-48b9-89e7-c12e189448aa", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.006", "name": "Code Signing Policy Modification", "reference": "https://attack.mitre.org/techniques/T1553/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "d8ab1ec1-feeb-48b9-89e7-c12e189448aa_5", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_6.json b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_6.json
deleted file mode 100644
index 3e2d63fc3a7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of unsigned or self-signed code.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Untrusted Driver Loaded", "note": "## Triage and analysis\n\n### Investigating Untrusted Driver Loaded\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies an attempt to load an untrusted driver, which effectively means that DSE was disabled or bypassed. This can indicate that the system was compromised.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. If you're using Elastic Defend, path information can be found in the `dll.path` field.\n - Examine the file creation and modification timestamps:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `dll.Ext.relative_file_name_modify_time` fields. 
The values are in seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "driver where host.os.type == \"windows\" and process.pid == 4 and\n dll.code_signature.trusted != true and \n not dll.code_signature.status : (\"errorExpired\", \"errorRevoked\")\n", "references": ["https://github.com/hfiref0x/TDL", "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 73, "rule_id": "d8ab1ec1-feeb-48b9-89e7-c12e189448aa", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "d8ab1ec1-feeb-48b9-89e7-c12e189448aa_6", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_7.json b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_7.json
deleted file mode 100644
index b91bd6191bd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of unsigned or self-signed code.", "from": "now-9m", "index": ["logs-endpoint.events.library-*"], "language": "eql", "license": "Elastic License v2", "name": "Untrusted Driver Loaded", "note": "## Triage and analysis\n\n### Investigating Untrusted Driver Loaded\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies an attempt to load an untrusted driver, which effectively means that DSE was disabled or bypassed. This can indicate that the system was compromised.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. If you're using Elastic Defend, path information can be found in the `dll.path` field.\n - Examine the file creation and modification timestamps:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `dll.Ext.relative_file_name_modify_time` fields. 
The values are in seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "driver where host.os.type == \"windows\" and process.pid == 4 and\n dll.code_signature.trusted != true and \n not dll.code_signature.status : (\"errorExpired\", \"errorRevoked\")\n", "references": ["https://github.com/hfiref0x/TDL", "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 73, "rule_id": "d8ab1ec1-feeb-48b9-89e7-c12e189448aa", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "d8ab1ec1-feeb-48b9-89e7-c12e189448aa_7", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_8.json b/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_8.json
deleted file mode 100644
index fc9e3f0e6fe..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d8ab1ec1-feeb-48b9-89e7-c12e189448aa_8.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempt to load an untrusted driver. Adversaries may modify code signing policies to enable execution of unsigned or self-signed code.", "from": "now-9m", "index": ["logs-endpoint.events.library-*"], "language": "eql", "license": "Elastic License v2", "name": "Untrusted Driver Loaded", "note": "## Triage and analysis\n\n### Investigating Untrusted Driver Loaded\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies an attempt to load an untrusted driver, which effectively means that DSE was disabled or bypassed. This can indicate that the system was compromised.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. If you're using Elastic Defend, path information can be found in the `dll.path` field.\n - Examine the file creation and modification timestamps:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `dll.Ext.relative_file_name_modify_time` fields. 
The values are in seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "driver where host.os.type == \"windows\" and process.pid == 4 and\n dll.code_signature.trusted != true and \n not dll.code_signature.status : (\"errorExpired\", \"errorRevoked\", \"errorCode_endpoint:*\")\n", "references": ["https://github.com/hfiref0x/TDL", "https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 73, "rule_id": "d8ab1ec1-feeb-48b9-89e7-c12e189448aa", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "d8ab1ec1-feeb-48b9-89e7-c12e189448aa_8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958.json b/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958.json
deleted file mode 100644
index cdfa0f77a5c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted.", "false_positives": ["A MFA device may be deactivated by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. MFA device deactivations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Deactivation of MFA Device", "note": "## Triage and analysis\n\n### Investigating AWS IAM Deactivation of MFA Device\n\nMulti-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for their user name and password (the first factor\u2014what they know), as well as for an authentication code from their AWS MFA device (the second factor\u2014what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.\n\nFor more information about using MFA in AWS, access the [official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html).\n\nThis rule looks for the deactivation or deletion of AWS MFA devices. 
These modifications weaken account security and can lead to the compromise of accounts and other assets.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Resources: Investigation Guide", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": 
"https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_105.json b/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_105.json
deleted file mode 100644
index ddc487b733c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted.", "false_positives": ["A MFA device may be deactivated by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. MFA device deactivations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Deactivation of MFA Device", "note": "## Triage and analysis\n\n### Investigating AWS IAM Deactivation of MFA Device\n\nMulti-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for their user name and password (the first factor\u2014what they know), as well as for an authentication code from their AWS MFA device (the second factor\u2014what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.\n\nFor more information about using MFA in AWS, access the [official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html).\n\nThis rule looks for the deactivation or deletion of AWS MFA devices. 
These modifications weaken account security and can lead to the compromise of accounts and other assets.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": 
"https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_106.json b/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_106.json
deleted file mode 100644
index 1e87ad2e26f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted.", "false_positives": ["A MFA device may be deactivated by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. MFA device deactivations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Deactivation of MFA Device", "note": "## Triage and analysis\n\n### Investigating AWS IAM Deactivation of MFA Device\n\nMulti-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for their user name and password (the first factor\u2014what they know), as well as for an authentication code from their AWS MFA device (the second factor\u2014what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.\n\nFor more information about using MFA in AWS, access the [official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html).\n\nThis rule looks for the deactivation or deletion of AWS MFA devices. 
These modifications weaken account security and can lead to the compromise of accounts and other assets.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Resources: Investigation Guide", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": 
"https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_107.json b/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_107.json
deleted file mode 100644
index 3892e99ec84..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted.", "false_positives": ["A MFA device may be deactivated by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. MFA device deactivations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Deactivation of MFA Device", "note": "## Triage and analysis\n\n### Investigating AWS IAM Deactivation of MFA Device\n\nMulti-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for their user name and password (the first factor\u2014what they know), as well as for an authentication code from their AWS MFA device (the second factor\u2014what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.\n\nFor more information about using MFA in AWS, access the [official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html).\n\nThis rule looks for the deactivation or deletion of AWS MFA devices. 
These modifications weaken account security and can lead to the compromise of accounts and other assets.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Resources: Investigation Guide", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": 
"https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_208.json b/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_208.json
deleted file mode 100644
index 8313e31b66e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_208.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted.", "false_positives": ["A MFA device may be deactivated by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. MFA device deactivations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Deactivation of MFA Device", "note": "## Triage and analysis\n\n### Investigating AWS IAM Deactivation of MFA Device\n\nMulti-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for their user name and password (the first factor\u2014what they know), as well as for an authentication code from their AWS MFA device (the second factor\u2014what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.\n\nFor more information about using MFA in AWS, access the [official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html).\n\nThis rule looks for the deactivation or deletion of AWS MFA devices. 
These modifications weaken account security and can lead to the compromise of accounts and other assets.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Resources: Investigation Guide", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": 
"https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 208}, "id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_209.json b/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_209.json
deleted file mode 100644
index 1628f4b66bc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_209.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted.", "false_positives": ["A MFA device may be deactivated by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. MFA device deactivations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Deactivation of MFA Device", "note": "## Triage and analysis\n\n### Investigating AWS IAM Deactivation of MFA Device\n\nMulti-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for their user name and password (the first factor\u2014what they know), as well as for an authentication code from their AWS MFA device (the second factor\u2014what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.\n\nFor more information about using MFA in AWS, access the [official documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html).\n\nThis rule looks for the deactivation or deletion of AWS MFA devices. 
These modifications weaken account security and can lead to the compromise of accounts and other assets.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:iam.amazonaws.com and event.action:(DeactivateMFADevice or DeleteVirtualMFADevice) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html", "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Resources: Investigation Guide", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": 
"https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958_209", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d93e61db-82d6-4095-99aa-714988118064.json b/packages/security_detection_engine/kibana/security_rule/d93e61db-82d6-4095-99aa-714988118064.json
deleted file mode 100644
index 71eff560aa1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d93e61db-82d6-4095-99aa-714988118064.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of wbadmin to access the NTDS.dit file in a domain controller. Attackers with privileges from groups like Backup Operators can abuse the utility to perform credential access and compromise the domain.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "NTDS Dump via Wbadmin", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wbadmin.exe\" or ?process.pe.original_file_name : \"wbadmin.exe\") and \n process.args : \"recovery\" and process.command_line : \"*ntds.dit*\"\n", "references": ["https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "d93e61db-82d6-4095-99aa-714988118064", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": 
[{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1006", "name": "Direct Volume Access", "reference": "https://attack.mitre.org/techniques/T1006/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "d93e61db-82d6-4095-99aa-714988118064", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d93e61db-82d6-4095-99aa-714988118064_1.json b/packages/security_detection_engine/kibana/security_rule/d93e61db-82d6-4095-99aa-714988118064_1.json
deleted file mode 100644
index 7c7bb5a825c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d93e61db-82d6-4095-99aa-714988118064_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of wbadmin to access the NTDS.dit file in a domain controller. Attackers with privileges from groups like Backup Operators can abuse the utility to perform credential access and compromise the domain.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "NTDS Dump via Wbadmin", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wbadmin.exe\" or ?process.pe.original_file_name : \"wbadmin.exe\") and \n process.args : \"recovery\" and process.command_line : \"*ntds.dit*\"\n", "references": ["https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "d93e61db-82d6-4095-99aa-714988118064", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", 
"name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1006", "name": "Direct Volume Access", "reference": "https://attack.mitre.org/techniques/T1006/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "d93e61db-82d6-4095-99aa-714988118064_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d93e61db-82d6-4095-99aa-714988118064_2.json b/packages/security_detection_engine/kibana/security_rule/d93e61db-82d6-4095-99aa-714988118064_2.json
deleted file mode 100644
index 7c96b4c9948..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d93e61db-82d6-4095-99aa-714988118064_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of wbadmin to access the NTDS.dit file in a domain controller. Attackers with privileges from groups like Backup Operators can abuse the utility to perform credential access and compromise the domain.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "NTDS Dump via Wbadmin", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wbadmin.exe\" or ?process.pe.original_file_name : \"wbadmin.exe\") and \n process.args : \"recovery\" and process.command_line : \"*ntds.dit*\"\n", "references": ["https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "d93e61db-82d6-4095-99aa-714988118064", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": 
[{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1006", "name": "Direct Volume Access", "reference": "https://attack.mitre.org/techniques/T1006/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "d93e61db-82d6-4095-99aa-714988118064_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d93e61db-82d6-4095-99aa-714988118064_202.json b/packages/security_detection_engine/kibana/security_rule/d93e61db-82d6-4095-99aa-714988118064_202.json
deleted file mode 100644
index 439997e2aae..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d93e61db-82d6-4095-99aa-714988118064_202.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of wbadmin to access the NTDS.dit file in a domain controller. Attackers with privileges from groups like Backup Operators can abuse the utility to perform credential access and compromise the domain.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "NTDS Dump via Wbadmin", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"wbadmin.exe\" or ?process.pe.original_file_name : \"wbadmin.exe\") and \n process.args : \"recovery\" and process.command_line : \"*ntds.dit*\"\n", "references": ["https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "d93e61db-82d6-4095-99aa-714988118064", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: 
Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.002", "name": "Security Account Manager", "reference": "https://attack.mitre.org/techniques/T1003/002/"}, {"id": "T1003.003", "name": "NTDS", "reference": "https://attack.mitre.org/techniques/T1003/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1006", "name": "Direct Volume Access", "reference": "https://attack.mitre.org/techniques/T1006/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 202}, "id": "d93e61db-82d6-4095-99aa-714988118064_202", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4.json b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4.json
deleted file mode 100644
index 3120e7caf03..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deletion via PowerShell", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via PowerShell\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of PowerShell cmdlets to interact with the Win32_ShadowCopy WMI class, retrieve shadow copy objects, and delete them.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the 
PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : (\"*Get-WmiObject*\", \"*gwmi*\", \"*Get-CimInstance*\", \"*gcim*\") and\n process.args : (\"*Win32_ShadowCopy*\") and\n process.args : (\"*.Delete()*\", \"*Remove-WmiObject*\", \"*rwmi*\", \"*Remove-CimInstance*\", \"*rcim*\")\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy", "https://powershell.one/wmi/root/cimv2/win32_shadowcopy", "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "d99a037b-c8e2-47a5-97b9-170d076827c4", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for 
EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "d99a037b-c8e2-47a5-97b9-170d076827c4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_104.json b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_104.json
deleted file mode 100644
index 30ea8c6b85f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deletion via PowerShell", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via PowerShell\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of PowerShell cmdlets to interact with the Win32_ShadowCopy WMI class, retrieve shadow copy objects, and delete them.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to 
get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : (\"*Get-WmiObject*\", \"*gwmi*\", \"*Get-CimInstance*\", \"*gcim*\") and\n process.args : (\"*Win32_ShadowCopy*\") and\n process.args : (\"*.Delete()*\", \"*Remove-WmiObject*\", \"*rwmi*\", \"*Remove-CimInstance*\", \"*rcim*\")\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy", "https://powershell.one/wmi/root/cimv2/win32_shadowcopy", "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "d99a037b-c8e2-47a5-97b9-170d076827c4", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a 
custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "d99a037b-c8e2-47a5-97b9-170d076827c4_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_105.json b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_105.json deleted file mode 100644 index 7af0ca73087..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deletion via PowerShell", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via PowerShell\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of PowerShell cmdlets to interact with the Win32_ShadowCopy WMI class, retrieve shadow copy objects, and delete them.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to 
get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : (\"*Get-WmiObject*\", \"*gwmi*\", \"*Get-CimInstance*\", \"*gcim*\") and\n process.args : (\"*Win32_ShadowCopy*\") and\n process.args : (\"*.Delete()*\", \"*Remove-WmiObject*\", \"*rwmi*\", \"*Remove-CimInstance*\", \"*rcim*\")\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy", "https://powershell.one/wmi/root/cimv2/win32_shadowcopy", "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "d99a037b-c8e2-47a5-97b9-170d076827c4", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a 
custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "d99a037b-c8e2-47a5-97b9-170d076827c4_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_106.json b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_106.json deleted file mode 100644 index 92ed6d91572..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deletion via PowerShell", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via PowerShell\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of PowerShell cmdlets to interact with the Win32_ShadowCopy WMI class, retrieve shadow copy objects, and delete them.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to 
get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : (\"*Get-WmiObject*\", \"*gwmi*\", \"*Get-CimInstance*\", \"*gcim*\") and\n process.args : (\"*Win32_ShadowCopy*\") and\n process.args : (\"*.Delete()*\", \"*Remove-WmiObject*\", \"*rwmi*\", \"*Remove-CimInstance*\", \"*rcim*\")\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy", "https://powershell.one/wmi/root/cimv2/win32_shadowcopy", "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "d99a037b-c8e2-47a5-97b9-170d076827c4", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a 
custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "d99a037b-c8e2-47a5-97b9-170d076827c4_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_107.json b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_107.json deleted file mode 100644 index ea5f4fc6769..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deletion via PowerShell", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via PowerShell\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of PowerShell cmdlets to interact with the Win32_ShadowCopy WMI class, retrieve shadow copy objects, and delete them.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to 
get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : (\"*Get-WmiObject*\", \"*gwmi*\", \"*Get-CimInstance*\", \"*gcim*\") and\n process.args : (\"*Win32_ShadowCopy*\") and\n process.args : (\"*.Delete()*\", \"*Remove-WmiObject*\", \"*rwmi*\", \"*Remove-CimInstance*\", \"*rcim*\")\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy", "https://powershell.one/wmi/root/cimv2/win32_shadowcopy", "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "d99a037b-c8e2-47a5-97b9-170d076827c4", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a 
custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "d99a037b-c8e2-47a5-97b9-170d076827c4_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_108.json b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_108.json deleted file mode 100644 index a95bca4487d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_108.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deletion via PowerShell", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via PowerShell\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of PowerShell cmdlets to interact with the Win32_ShadowCopy WMI class, retrieve shadow copy objects, and delete them.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to 
get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : (\"*Get-WmiObject*\", \"*gwmi*\", \"*Get-CimInstance*\", \"*gcim*\") and\n process.args : (\"*Win32_ShadowCopy*\") and\n process.args : (\"*.Delete()*\", \"*Remove-WmiObject*\", \"*rwmi*\", \"*Remove-CimInstance*\", \"*rcim*\")\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy", "https://powershell.one/wmi/root/cimv2/win32_shadowcopy", "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "d99a037b-c8e2-47a5-97b9-170d076827c4", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence 
for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "d99a037b-c8e2-47a5-97b9-170d076827c4_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_109.json b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_109.json
deleted file mode 100644
index 7abdd00c98f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deletion via PowerShell", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via PowerShell\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of PowerShell cmdlets to interact with the Win32_ShadowCopy WMI class, retrieve shadow copy objects, and delete them.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the 
PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : (\"*Get-WmiObject*\", \"*gwmi*\", \"*Get-CimInstance*\", \"*gcim*\") and\n process.args : (\"*Win32_ShadowCopy*\") and\n process.args : (\"*.Delete()*\", \"*Remove-WmiObject*\", \"*rwmi*\", \"*Remove-CimInstance*\", \"*rcim*\")\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy", "https://powershell.one/wmi/root/cimv2/win32_shadowcopy", "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "d99a037b-c8e2-47a5-97b9-170d076827c4", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL 
rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "d99a037b-c8e2-47a5-97b9-170d076827c4_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_110.json b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_110.json
deleted file mode 100644
index c3b87b79c74..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deletion via PowerShell", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via PowerShell\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of PowerShell cmdlets to interact with the Win32_ShadowCopy WMI class, retrieve shadow copy objects, and delete them.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the 
PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : (\"*Get-WmiObject*\", \"*gwmi*\", \"*Get-CimInstance*\", \"*gcim*\") and\n process.args : (\"*Win32_ShadowCopy*\") and\n process.args : (\"*.Delete()*\", \"*Remove-WmiObject*\", \"*rwmi*\", \"*Remove-CimInstance*\", \"*rcim*\")\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy", "https://powershell.one/wmi/root/cimv2/win32_shadowcopy", "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "d99a037b-c8e2-47a5-97b9-170d076827c4", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for 
EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "d99a037b-c8e2-47a5-97b9-170d076827c4_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_111.json b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_111.json
deleted file mode 100644
index 10c574b6df9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deletion via PowerShell", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via PowerShell\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of PowerShell cmdlets to interact with the Win32_ShadowCopy WMI class, retrieve shadow copy objects, and delete them.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the 
PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : (\"*Get-WmiObject*\", \"*gwmi*\", \"*Get-CimInstance*\", \"*gcim*\") and\n process.args : (\"*Win32_ShadowCopy*\") and\n process.args : (\"*.Delete()*\", \"*Remove-WmiObject*\", \"*rwmi*\", \"*Remove-CimInstance*\", \"*rcim*\")\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy", "https://powershell.one/wmi/root/cimv2/win32_shadowcopy", "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "d99a037b-c8e2-47a5-97b9-170d076827c4", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for 
EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "d99a037b-c8e2-47a5-97b9-170d076827c4_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_112.json b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_112.json
deleted file mode 100644
index 0c8fc1451ef..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_112.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deletion via PowerShell", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via PowerShell\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of PowerShell cmdlets to interact with the Win32_ShadowCopy WMI class, retrieve shadow copy objects, and delete them.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the 
PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : (\"*Get-WmiObject*\", \"*gwmi*\", \"*Get-CimInstance*\", \"*gcim*\") and\n process.args : (\"*Win32_ShadowCopy*\") and\n process.args : (\"*.Delete()*\", \"*Remove-WmiObject*\", \"*rwmi*\", \"*Remove-CimInstance*\", \"*rcim*\")\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy", "https://powershell.one/wmi/root/cimv2/win32_shadowcopy", "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "d99a037b-c8e2-47a5-97b9-170d076827c4", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for 
EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "d99a037b-c8e2-47a5-97b9-170d076827c4_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_312.json b/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_312.json deleted file mode 100644 index e09fec03d04..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d99a037b-c8e2-47a5-97b9-170d076827c4_312.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the use of the Win32_ShadowCopy class and related cmdlets to achieve shadow copy deletion. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deletion via PowerShell", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via PowerShell\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of PowerShell cmdlets to interact with the Win32_ShadowCopy WMI class, retrieve shadow copy objects, and delete them.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, 
and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n process.args : (\"*Get-WmiObject*\", \"*gwmi*\", \"*Get-CimInstance*\", \"*gcim*\") and\n process.args : (\"*Win32_ShadowCopy*\") and\n process.args : (\"*.Delete()*\", \"*Remove-WmiObject*\", \"*rwmi*\", \"*Remove-CimInstance*\", \"*rcim*\")\n", "references": ["https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/win32-shadowcopy", "https://powershell.one/wmi/root/cimv2/win32_shadowcopy", "https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "d99a037b-c8e2-47a5-97b9-170d076827c4", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", 
"Use Case: Threat Detection", "Tactic: Impact", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 312}, "id": "d99a037b-c8e2-47a5-97b9-170d076827c4_312", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/d9ffc3d6-9de9-4b29-9395-5757d0695ecf_101.json b/packages/security_detection_engine/kibana/security_rule/d9ffc3d6-9de9-4b29-9395-5757d0695ecf_101.json deleted file mode 100644 index 72a31969110..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/d9ffc3d6-9de9-4b29-9395-5757d0695ecf_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the Windows Command Shell process (cmd.exe) with suspicious argument values. This behavior is often observed during malware installation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "logs-system.security*", "logs-windows.sysmon_operational-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Windows Command Shell Arguments", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"cmd.exe\" and \n (\n\n process.command_line : (\"*).Run(*\", \"*GetObject*\", \"* curl*regsvr32*\", \"*echo*wscript*\", \"*echo*ZONE.identifier*\",\n \"*ActiveXObject*\", \"*dir /s /b *echo*\", \"*unescape(*\", \"*findstr*TVNDRgAAAA*\", \"*findstr*passw*\", \"*start*\\\\\\\\*\\\\DavWWWRoot\\\\*\",\n \"* explorer*%CD%*\", \"*%cd%\\\\*.js*\", \"*attrib*%CD%*\", \"*/?cMD<*\", \"*/AutoIt3ExecuteScript*..*\", \"*&cls&cls&cls&cls&cls&*\",\n \"*&#*;&#*;&#*;&#*;*\", \"* &&s^eT*\", \"*& ChrW(*\", \"*&explorer /root*\", \"*start __ & __\\\\*\", \"*findstr /V /L *forfiles*\",\n \"*=wscri& set *\", \"*http*!COmpUternaME!*\", \"*start *.pdf * start /min cmd.exe /c *\\\\\\\\*\", \"*pip install*System.Net.WebClient*\",\n \"*Invoke-WebReques*Start-Process*\", \"*-command (Invoke-webrequest*\", \"*copy /b *\\\\\\\\* ping *-n*\", \"*echo*.ToCharArray*\") or\n\n (process.args : \"echo\" and process.parent.name : (\"wscript.exe\", \"mshta.exe\")) or\n\n process.args : (\"1>?:\\\\*.vbs\", \"1>?:\\\\*.js\") or\n\n (process.args : \"explorer.exe\" and process.args : \"type\" and process.args : \">\" and process.args : \"start\") or\n\n (process.parent.name : \"explorer.exe\" and\n process.command_line :\n (\"*&&S^eT *\",\n \"*&& set *&& set *&& set *&& set *&& set *&& call*\",\n \"**\\\\u00??\\\\u00??\\\\u00??\\\\u00??\\\\u00??\\\\u00??\\\\u00??\\\\u00??*\")) 
or\n\n (process.parent.name : \"explorer.exe\" and process.args : \"copy\" and process.args : \"&&\" and process.args : \"\\\\\\\\*@*\\\\*\")\n ) and\n\n /* false positives */\n not (process.args : \"%TEMP%\\\\Spiceworks\\\\*\" and process.parent.name : \"wmiprvse.exe\") and\n not process.parent.executable :\n (\"?:\\\\Perl64\\\\bin\\\\perl.exe\",\n \"?:\\\\Program Files\\\\nodejs\\\\node.exe\",\n \"?:\\\\Program Files\\\\HP\\\\RS\\\\pgsql\\\\bin\\\\pg_dumpall.exe\",\n \"?:\\\\Program Files (x86)\\\\PRTG Network Monitor\\\\64 bit\\\\PRTG Server.exe\",\n \"?:\\\\Program Files (x86)\\\\Spiceworks\\\\bin\\\\spiceworks-finder.exe\",\n \"?:\\\\Program Files (x86)\\\\Zuercher Suite\\\\production\\\\leds\\\\leds.exe\",\n \"?:\\\\Program Files\\\\Tripwire\\\\Agent\\\\Plugins\\\\twexec\\\\twexec.exe\",\n \"D:\\\\Agents\\\\?\\\\_work\\\\_tasks\\\\*\\\\SonarScanner.MSBuild.exe\",\n \"?:\\\\Program Files\\\\Microsoft VS Code\\\\Code.exe\",\n \"?:\\\\programmiweb\\\\NetBeans-*\\\\netbeans\\\\bin\\\\netbeans64.exe\",\n \"?:\\\\Program Files (x86)\\\\Public Safety Suite Professional\\\\production\\\\leds\\\\leds.exe\",\n \"?:\\\\Program Files (x86)\\\\Tier2Tickets\\\\button_gui.exe\",\n \"?:\\\\Program Files\\\\NetBeans-*\\\\netbeans\\\\bin\\\\netbeans*.exe\",\n \"?:\\\\Program Files (x86)\\\\Public Safety Suite Professional\\\\production\\\\leds\\\\leds.exe\",\n \"?:\\\\Program Files (x86)\\\\Tier2Tickets\\\\button_gui.exe\",\n \"?:\\\\Program Files (x86)\\\\Helpdesk Button\\\\button_gui.exe\",\n \"?:\\\\VTSPortable\\\\VTS\\\\jre\\\\bin\\\\javaw.exe\",\n \"?:\\\\Program Files\\\\Bot Framework Composer\\\\Bot Framework Composer.exe\",\n \"?:\\\\Program Files\\\\KMSYS Worldwide\\\\eQuate\\\\*\\\\SessionMgr.exe\",\n \"?:\\\\Program Files (x86)\\\\Craneware\\\\Pricing Analyzer\\\\Craneware.Pricing.Shell.exe\",\n \"?:\\\\Program Files (x86)\\\\jumpcloud-agent-app\\\\jumpcloud-agent-app.exe\",\n \"?:\\\\Program Files\\\\PostgreSQL\\\\*\\\\bin\\\\pg_dumpall.exe\",\n \"?:\\\\Program 
Files (x86)\\\\Vim\\\\vim*\\\\vimrun.exe\") and\n not (process.args : \"?:\\\\Program Files\\\\Citrix\\\\Secure Access Client\\\\nsauto.exe\" and process.parent.name : \"userinit.exe\") and\n not process.args :\n (\"?:\\\\Program Files (x86)\\\\PCMatic\\\\PCPitstopScheduleService.exe\",\n \"?:\\\\Program Files (x86)\\\\AllesTechnologyAgent\\\\*\",\n \"https://auth.axis.com/oauth2/oauth-authorize*\") and\n not process.command_line :\n (\"\\\"cmd\\\" /c %NETBEANS_MAVEN_COMMAND_LINE%\",\n \"?:\\\\Windows\\\\system32\\\\cmd.exe /q /d /s /c \\\"npm.cmd ^\\\"install^\\\" ^\\\"--no-bin-links^\\\" ^\\\"--production^\\\"\\\"\") and\n not (process.name : \"cmd.exe\" and process.args : \"%TEMP%\\\\Spiceworks\\\\*\" and process.args : \"http*/dataloader/persist_netstat_data\") and \n not (process.args == \"echo\" and process.args == \"GEQ\" and process.args == \"1073741824\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "d9ffc3d6-9de9-4b29-9395-5757d0695ecf", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: System", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": 
"https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 101}, "id": "d9ffc3d6-9de9-4b29-9395-5757d0695ecf_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd.json b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd.json deleted file mode 100644 index 86d5a30cdb7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Code Signing Policy Modification Through Registry", "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Registry\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies registry modifications that can disable DSE.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the registry was modified.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.value: \"BehaviorOnFailedVerify\" and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\",\n \"HKU\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\"\n ) and registry.data.strings : (\"0\", \"0x00000000\", \"1\", \"0x00000001\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": 
"https://attack.mitre.org/techniques/T1112/"}, {"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.006", "name": "Code Signing Policy Modification", "reference": "https://attack.mitre.org/techniques/T1553/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 11}, "id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_10.json b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_10.json deleted file mode 100644 index 3eb45e57296..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_10.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Code Signing Policy Modification Through Registry", "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Registry\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies registry modifications that can disable DSE.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the registry was modified.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n(\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\",\n \"HKU\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\"\n ) and\n registry.value: \"BehaviorOnFailedVerify\" and\n registry.data.strings : (\"0\", \"0x00000000\", \"1\", \"0x00000001\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": 
"https://attack.mitre.org/techniques/T1112/"}, {"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.006", "name": "Code Signing Policy Modification", "reference": "https://attack.mitre.org/techniques/T1553/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 10}, "id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd_10", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_11.json b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_11.json
deleted file mode 100644
index e1460d770f5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_11.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Code Signing Policy Modification Through Registry", "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Registry\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies registry modifications that can disable DSE.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the registry was modified.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.value: \"BehaviorOnFailedVerify\" and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\",\n \"HKU\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\"\n ) and registry.data.strings : (\"0\", \"0x00000000\", \"1\", \"0x00000001\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": 
"https://attack.mitre.org/techniques/T1112/"}, {"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.006", "name": "Code Signing Policy Modification", "reference": "https://attack.mitre.org/techniques/T1553/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 11}, "id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd_11", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_2.json b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_2.json
deleted file mode 100644
index b81905bd730..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable/modify the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Code Signing Policy Modification Through Registry", "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n(\n registry.path : \"HKEY_USERS\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\" and\n registry.value: \"BehaviorOnFailedVerify\" and\n registry.data.strings : (\"0\", \"0x00000000\", \"1\", \"0x00000001\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.006", "name": "Code Signing Policy Modification", "reference": 
"https://attack.mitre.org/techniques/T1553/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_3.json b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_3.json
deleted file mode 100644
index 948c69ba7c9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable/modify the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Code Signing Policy Modification Through Registry", "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Registry\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies registry modifications that can disable DSE.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the registry was modified.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n(\n registry.path : \"HKEY_USERS\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\" and\n registry.value: \"BehaviorOnFailedVerify\" and\n registry.data.strings : (\"0\", \"0x00000000\", \"1\", \"0x00000001\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.006", "name": "Code Signing Policy Modification", "reference": "https://attack.mitre.org/techniques/T1553/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd_3", "type": "security-rule"} \ 
No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_4.json b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_4.json
deleted file mode 100644
index bf12ee20ce2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable/modify the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Code Signing Policy Modification Through Registry", "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Registry\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies registry modifications that can disable DSE.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the registry was modified.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n(\n registry.path : \"HKEY_USERS\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\" and\n registry.value: \"BehaviorOnFailedVerify\" and\n registry.data.strings : (\"0\", \"0x00000000\", \"1\", \"0x00000001\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.006", "name": "Code Signing Policy Modification", "reference": "https://attack.mitre.org/techniques/T1553/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": 
"da7733b1-fe08-487e-b536-0a04c6d8b0cd_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_5.json b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_5.json
deleted file mode 100644
index fb112fba7a9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable/modify the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Code Signing Policy Modification Through Registry", "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Registry\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies registry modifications that can disable DSE.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the registry was modified.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n(\n registry.path : \"HKEY_USERS\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\" and\n registry.value: \"BehaviorOnFailedVerify\" and\n registry.data.strings : (\"0\", \"0x00000000\", \"1\", \"0x00000001\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.006", "name": "Code Signing Policy Modification", "reference": "https://attack.mitre.org/techniques/T1553/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 
5}, "id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_6.json b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_6.json
deleted file mode 100644
index 613098302ac..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable/modify the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Code Signing Policy Modification Through Registry", "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Registry\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies registry modifications that can disable DSE.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the registry was modified.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n(\n registry.path : \"HKEY_USERS\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\" and\n registry.value: \"BehaviorOnFailedVerify\" and\n registry.data.strings : (\"0\", \"0x00000000\", \"1\", \"0x00000001\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.006", "name": "Code Signing Policy Modification", "reference": "https://attack.mitre.org/techniques/T1553/006/"}]}, {"id": "T1112", "name": "Modify Registry", "reference": 
"https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_7.json b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_7.json
deleted file mode 100644
index fb3589a167a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Code Signing Policy Modification Through Registry", "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Registry\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies registry modifications that can disable DSE.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the registry was modified.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n(\n registry.path : \"HKEY_USERS\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\" and\n registry.value: \"BehaviorOnFailedVerify\" and\n registry.data.strings : (\"0\", \"0x00000000\", \"1\", \"0x00000001\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.006", "name": "Code Signing Policy Modification", "reference": "https://attack.mitre.org/techniques/T1553/006/"}]}, {"id": "T1112", "name": "Modify Registry", "reference": 
"https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_8.json b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_8.json
deleted file mode 100644
index ca8585ec909..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_8.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Code Signing Policy Modification Through Registry", "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Registry\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies registry modifications that can disable DSE.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the registry was modified.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n(\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\",\n \"HKU\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\"\n ) and\n registry.value: \"BehaviorOnFailedVerify\" and\n registry.data.strings : (\"0\", \"0x00000000\", \"1\", \"0x00000001\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", 
"reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.006", "name": "Code Signing Policy Modification", "reference": "https://attack.mitre.org/techniques/T1553/006/"}]}, {"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd_8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_9.json b/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_9.json
deleted file mode 100644
index 47463aa7f7c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/da7733b1-fe08-487e-b536-0a04c6d8b0cd_9.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to disable the code signing policy through the registry. Code signing provides authenticity on a program, and grants the user with the ability to check whether the program has been tampered with. By allowing the execution of unsigned or self-signed code, threat actors can craft and execute malicious code.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Code Signing Policy Modification Through Registry", "note": "## Triage and analysis\n\n### Investigating Code Signing Policy Modification Through Registry\n\nMicrosoft created the Windows Driver Signature Enforcement (DSE) security feature to prevent drivers with invalid signatures from loading and executing into the kernel (ring 0). DSE aims to protect systems by blocking attackers from loading malicious drivers on targets. \n\nThis protection is essential for maintaining system security. However, attackers or administrators can disable DSE and load untrusted drivers, which can put the system at risk. Therefore, it's important to keep this feature enabled and only load drivers from trusted sources to ensure system integrity and security.\n\nThis rule identifies registry modifications that can disable DSE.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Use Osquery and endpoint driver events (`event.category = \"driver\"`) to investigate if suspicious drivers were loaded into the system after the registry was modified.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Related Rules\n\n- First Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode.)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type : (\"creation\", \"change\") and\n(\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\",\n \"HKU\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Driver Signing\\\\BehaviorOnFailedVerify\"\n ) and\n registry.value: \"BehaviorOnFailedVerify\" and\n registry.data.strings : (\"0\", \"0x00000000\", \"1\", \"0x00000001\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", 
"reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.006", "name": "Code Signing Policy Modification", "reference": "https://attack.mitre.org/techniques/T1553/006/"}]}, {"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 9}, "id": "da7733b1-fe08-487e-b536-0a04c6d8b0cd_9", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69.json b/packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69.json
deleted file mode 100644
index ec212eaa2c5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model has identified a DNS question name with a high probability of sourcing from a Domain Generation Algorithm (DGA), which could indicate command and control network activity.", "from": "now-10m", "index": ["logs-endpoint.events.*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", "query": "ml_is_dga.malicious_probability > 0.98\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/dga", "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration"], "related_integrations": [{"package": "dga", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": false, "name": "ml_is_dga.malicious_probability", "type": "unknown"}], "risk_score": 21, "rule_id": "da7f5803-1cd4-42fd-a890-0173ae80ac69", "setup": "## Setup\n\nThe rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. 
\n\n### DGA Detection Setup\nThe DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events.\n\n#### Prerequisite Requirements:\n- Fleet is required for DGA Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- DNS events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint), [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration, or [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n- To set up and run Packetbeat, follow [this](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html) guide.\n\n#### The following steps should be executed to install assets associated with the DGA Detection integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\n", "severity": "low", "tags": ["Domain: Network", "Domain: Endpoint", "Data Source: Elastic Defend", "Use Case: Domain Generation Algorithm Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "da7f5803-1cd4-42fd-a890-0173ae80ac69", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69_1.json b/packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69_1.json
deleted file mode 100644
index 46dddf4268a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model has identified a DNS question name with a high probability of sourcing from a Domain Generation Algorithm (DGA), which could indicate command and control network activity.", "from": "now-10m", "index": ["logs-endpoint.events.*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", "note": "", "query": "ml_is_dga.malicious_probability > 0.98\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/dga"], "related_integrations": [{"package": "dga", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": false, "name": "ml_is_dga.malicious_probability", "type": "unknown"}], "risk_score": 21, "rule_id": "da7f5803-1cd4-42fd-a890-0173ae80ac69", "setup": "The Domain Generation Algorithm (DGA) integration must be enabled and related ML jobs configured for this rule to be effective. 
Please refer to this rule's references for more information.", "severity": "low", "tags": ["Domain: Network", "Domain: Endpoint", "Data Source: Elastic Defend", "Use Case: Domain Generation Algorithm Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "da7f5803-1cd4-42fd-a890-0173ae80ac69_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69_2.json b/packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69_2.json
deleted file mode 100644
index 3ba6ef64a5c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model has identified a DNS question name with a high probability of sourcing from a Domain Generation Algorithm (DGA), which could indicate command and control network activity.", "from": "now-10m", "index": ["logs-endpoint.events.*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", "query": "ml_is_dga.malicious_probability > 0.98\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/dga", "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration"], "related_integrations": [{"package": "dga", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": false, "name": "ml_is_dga.malicious_probability", "type": "unknown"}], "risk_score": 21, "rule_id": "da7f5803-1cd4-42fd-a890-0173ae80ac69", "setup": "The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. 
\n\n### DGA Detection Setup\nThe DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events.\n\n#### Prerequisite Requirements:\n- Fleet is required for DGA Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- DNS events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint), [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration, or [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n- To set up and run Packetbeat, follow [this](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html) guide.\n\n#### The following steps should be executed to install assets associated with the DGA Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.\n- Under Settings, click Install Domain Generation Algorithm Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich DNS events with predictions from the Supervised DGA Detection model. 
This is done via the ingest pipeline named `-ml_dga_ingest_pipeline` installed with the DGA Detection package.\n- If using an Elastic Beat such as Packetbeat, add the DGA ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `packetbeat.yml`.\n- If adding the DGA ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the DGA ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"ml_is_dga\": {\n \"properties\": {\n \"malicious_prediction\": {\n \"type\": \"long\"\n },\n \"malicious_probability\": {\n \"type\": \"float\"\n }\n }\n }\n }\n}\n```\n", "severity": "low", "tags": ["Domain: Network", "Domain: Endpoint", "Data Source: Elastic Defend", "Use Case: Domain Generation Algorithm Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "da7f5803-1cd4-42fd-a890-0173ae80ac69_2", "type": "security-rule"} \ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69_3.json b/packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69_3.json
deleted file mode 100644
index 84ea4de4382..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model has identified a DNS question name with a high probability of sourcing from a Domain Generation Algorithm (DGA), which could indicate command and control network activity.", "from": "now-10m", "index": ["logs-endpoint.events.*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", "query": "ml_is_dga.malicious_probability > 0.98\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/dga", "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration"], "related_integrations": [{"package": "dga", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": false, "name": "ml_is_dga.malicious_probability", "type": "unknown"}], "risk_score": 21, "rule_id": "da7f5803-1cd4-42fd-a890-0173ae80ac69", "setup": "## Setup\n\nThe rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. 
\n\n### DGA Detection Setup\nThe DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events.\n\n#### Prerequisite Requirements:\n- Fleet is required for DGA Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- DNS events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint), [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration, or [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n- To set up and run Packetbeat, follow [this](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html) guide.\n\n#### The following steps should be executed to install assets associated with the DGA Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.\n- Under Settings, click Install Domain Generation Algorithm Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich DNS events with predictions from the Supervised DGA Detection model. 
This is done via the ingest pipeline named `-ml_dga_ingest_pipeline` installed with the DGA Detection package.\n- If using an Elastic Beat such as Packetbeat, add the DGA ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `packetbeat.yml`.\n- If adding the DGA ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the DGA ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"ml_is_dga\": {\n \"properties\": {\n \"malicious_prediction\": {\n \"type\": \"long\"\n },\n \"malicious_probability\": {\n \"type\": \"float\"\n }\n }\n }\n }\n}\n```\n", "severity": "low", "tags": ["Domain: Network", "Domain: Endpoint", "Data Source: Elastic Defend", "Use Case: Domain Generation Algorithm Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "da7f5803-1cd4-42fd-a890-0173ae80ac69_3", "type": "security-rule"} \ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69_4.json b/packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69_4.json
deleted file mode 100644
index 66ab260ee02..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/da7f5803-1cd4-42fd-a890-0173ae80ac69_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model has identified a DNS question name with a high probability of sourcing from a Domain Generation Algorithm (DGA), which could indicate command and control network activity.", "from": "now-10m", "index": ["logs-endpoint.events.*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "Machine Learning Detected a DNS Request With a High DGA Probability Score", "query": "ml_is_dga.malicious_probability > 0.98\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/dga", "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration"], "related_integrations": [{"package": "dga", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": false, "name": "ml_is_dga.malicious_probability", "type": "unknown"}], "risk_score": 21, "rule_id": "da7f5803-1cd4-42fd-a890-0173ae80ac69", "setup": "## Setup\n\nThe rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. 
\n\n### DGA Detection Setup\nThe DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events.\n\n#### Prerequisite Requirements:\n- Fleet is required for DGA Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- DNS events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint), [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration, or [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n- To set up and run Packetbeat, follow [this](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html) guide.\n\n#### The following steps should be executed to install assets associated with the DGA Detection integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\n```\n", "severity": "low", "tags": ["Domain: Network", "Domain: Endpoint", "Data Source: Elastic Defend", "Use Case: Domain Generation Algorithm Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "da7f5803-1cd4-42fd-a890-0173ae80ac69_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad.json b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad.json
deleted file mode 100644
index ac591efe854..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a new Windows service with suspicious Service command values. Windows services typically run as SYSTEM and can be used for privilege escalation and persistence.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Service was Installed in the System", "note": "## Triage and analysis\n\n### Investigating Suspicious Service was Installed in the System\n\nAttackers may create new services to execute system shells and other command execution utilities to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these utilities with persistence payloads.\n\nThis rule looks for suspicious services being created with suspicious traits compatible with the above behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON 
drivers.image =\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- Certain services such as PSEXECSVC may happen legitimately. The security team should address any potential benign true positive (B-TP) by excluding the relevant FP by pattern.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where\n (event.code : \"4697\" and\n (winlog.event_data.ServiceFileName : \n (\"*COMSPEC*\", \"*\\\\127.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\", \n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\", \n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\") or\n winlog.event_data.ServiceFileName regex~ \"\"\"%systemroot%\\\\[a-z0-9]+\\.exe\"\"\")) or\n\n (event.code : \"7045\" and\n winlog.event_data.ImagePath : (\n \"*COMSPEC*\", \"*\\\\127.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\",\n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\",\n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\"))\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ImagePath", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ServiceFileName", "type": "unknown"}], "risk_score": 47, "rule_id": "da87eee1-129c-4661-a7aa-57d0b9645fad", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", 
"Resources: Investigation Guide", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 10}, "id": "da87eee1-129c-4661-a7aa-57d0b9645fad", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_10.json b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_10.json
deleted file mode 100644
index b06c31fbb4f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_10.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a new Windows service with suspicious Service command values. Windows services typically run as SYSTEM and can be used for privilege escalation and persistence.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Service was Installed in the System", "note": "## Triage and analysis\n\n### Investigating Suspicious Service was Installed in the System\n\nAttackers may create new services to execute system shells and other command execution utilities to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these utilities with persistence payloads.\n\nThis rule looks for suspicious services being created with suspicious traits compatible with the above behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON 
drivers.image =\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- Certain services such as PSEXECSVC may happen legitimately. The security team should address any potential benign true positive (B-TP) by excluding the relevant FP by pattern.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where\n (event.code : \"4697\" and\n (winlog.event_data.ServiceFileName : \n (\"*COMSPEC*\", \"*\\\\127.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\", \n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\", \n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\") or\n winlog.event_data.ServiceFileName regex~ \"\"\"%systemroot%\\\\[a-z0-9]+\\.exe\"\"\")) or\n\n (event.code : \"7045\" and\n winlog.event_data.ImagePath : (\n \"*COMSPEC*\", \"*\\\\127.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\",\n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\",\n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\"))\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ImagePath", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ServiceFileName", "type": "unknown"}], "risk_score": 47, "rule_id": "da87eee1-129c-4661-a7aa-57d0b9645fad", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", 
"Resources: Investigation Guide", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 10}, "id": "da87eee1-129c-4661-a7aa-57d0b9645fad_10", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_4.json b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_4.json
deleted file mode 100644
index 007c20b7aaa..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a new Windows service with suspicious Service command values. Windows services typically run as SYSTEM and can be used for privilege escalation and persistence.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious service was installed in the system", "note": "## Triage and analysis\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- Certain services such as PSEXECSVC may happen legitimately. The security team should address any potential benign true positive (B-TP) by excluding the relevant FP by pattern.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "any where host.os.type == \"windows\" and\n (event.code : \"4697\" and\n (winlog.event_data.ServiceFileName : \n (\"*COMSPEC*\", \"*\\\\172.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\", \n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\", \n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\") or\n winlog.event_data.ServiceFileName regex~ \"\"\"%systemroot%\\\\[a-z0-9]+\\.exe\"\"\")) or\n\n (event.code : \"7045\" and\n winlog.event_data.ImagePath : (\n \"*COMSPEC*\", \"*\\\\172.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\",\n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\",\n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\"))\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": 
"winlog.event_data.ImagePath", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ServiceFileName", "type": "unknown"}], "risk_score": 47, "rule_id": "da87eee1-129c-4661-a7aa-57d0b9645fad", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "da87eee1-129c-4661-a7aa-57d0b9645fad_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_5.json b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_5.json
deleted file mode 100644
index ae4eaa19bae..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a new Windows service with suspicious Service command values. Windows services typically run as SYSTEM and can be used for privilege escalation and persistence.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious service was installed in the system", "note": "## Triage and analysis\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- Certain services such as PSEXECSVC may happen legitimately. The security team should address any potential benign true positive (B-TP) by excluding the relevant FP by pattern.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "any where\n (event.code : \"4697\" and\n (winlog.event_data.ServiceFileName : \n (\"*COMSPEC*\", \"*\\\\172.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\", \n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\", \n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\") or\n winlog.event_data.ServiceFileName regex~ \"\"\"%systemroot%\\\\[a-z0-9]+\\.exe\"\"\")) or\n\n (event.code : \"7045\" and\n winlog.event_data.ImagePath : (\n \"*COMSPEC*\", \"*\\\\172.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\",\n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\",\n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\"))\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ImagePath", "type": "unknown"}, {"ecs": false, "name": 
"winlog.event_data.ServiceFileName", "type": "unknown"}], "risk_score": 47, "rule_id": "da87eee1-129c-4661-a7aa-57d0b9645fad", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "da87eee1-129c-4661-a7aa-57d0b9645fad_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_6.json b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_6.json
deleted file mode 100644
index dddbd9690f8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a new Windows service with suspicious Service command values. Windows services typically run as SYSTEM and can be used for privilege escalation and persistence.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Service was Installed in the System", "note": "## Triage and analysis\n\n### Investigating Suspicious Service was Installed in the System\n\nAttackers may create new services to execute system shells and other command execution utilities to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these utilities with persistence payloads.\n\nThis rule looks for suspicious services being created with suspicious traits compatible with the above behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON 
drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- Certain services such as PSEXECSVC may happen legitimately. The security team should address any potential benign true positive (B-TP) by excluding the relevant FP by pattern.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where\n (event.code : \"4697\" and\n (winlog.event_data.ServiceFileName : \n (\"*COMSPEC*\", \"*\\\\172.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\", \n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\", \n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\") or\n winlog.event_data.ServiceFileName regex~ \"\"\"%systemroot%\\\\[a-z0-9]+\\.exe\"\"\")) or\n\n (event.code : \"7045\" and\n winlog.event_data.ImagePath : (\n \"*COMSPEC*\", \"*\\\\172.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\",\n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\",\n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\"))\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ImagePath", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ServiceFileName", "type": "unknown"}], "risk_score": 47, "rule_id": "da87eee1-129c-4661-a7aa-57d0b9645fad", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "da87eee1-129c-4661-a7aa-57d0b9645fad_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_7.json b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_7.json
deleted file mode 100644
index fc22aba6cd7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a new Windows service with suspicious Service command values. Windows services typically run as SYSTEM and can be used for privilege escalation and persistence.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Service was Installed in the System", "note": "## Triage and analysis\n\n### Investigating Suspicious Service was Installed in the System\n\nAttackers may create new services to execute system shells and other command execution utilities to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these utilities with persistence payloads.\n\nThis rule looks for suspicious services being created with suspicious traits compatible with the above behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON 
drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- Certain services such as PSEXECSVC may happen legitimately. The security team should address any potential benign true positive (B-TP) by excluding the relevant FP by pattern.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where\n (event.code : \"4697\" and\n (winlog.event_data.ServiceFileName : \n (\"*COMSPEC*\", \"*\\\\172.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\", \n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\", \n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\") or\n winlog.event_data.ServiceFileName regex~ \"\"\"%systemroot%\\\\[a-z0-9]+\\.exe\"\"\")) or\n\n (event.code : \"7045\" and\n winlog.event_data.ImagePath : (\n \"*COMSPEC*\", \"*\\\\172.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\",\n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\",\n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\"))\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ImagePath", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ServiceFileName", "type": "unknown"}], "risk_score": 47, "rule_id": "da87eee1-129c-4661-a7aa-57d0b9645fad", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", 
"Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "da87eee1-129c-4661-a7aa-57d0b9645fad_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_8.json b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_8.json deleted file mode 100644 index 14a5fc97829..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a new Windows service with suspicious Service command values. Windows services typically run as SYSTEM and can be used for privilege escalation and persistence.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Service was Installed in the System", "note": "## Triage and analysis\n\n### Investigating Suspicious Service was Installed in the System\n\nAttackers may create new services to execute system shells and other command execution utilities to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these utilities with persistence payloads.\n\nThis rule looks for suspicious services being created with suspicious traits compatible with the above behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON 
drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- Certain services such as PSEXECSVC may happen legitimately. The security team should address any potential benign true positive (B-TP) by excluding the relevant FP by pattern.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where\n (event.code : \"4697\" and\n (winlog.event_data.ServiceFileName : \n (\"*COMSPEC*\", \"*\\\\127.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\", \n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\", \n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\") or\n winlog.event_data.ServiceFileName regex~ \"\"\"%systemroot%\\\\[a-z0-9]+\\.exe\"\"\")) or\n\n (event.code : \"7045\" and\n winlog.event_data.ImagePath : (\n \"*COMSPEC*\", \"*\\\\127.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\",\n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\",\n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\"))\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ImagePath", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ServiceFileName", "type": "unknown"}], "risk_score": 47, "rule_id": "da87eee1-129c-4661-a7aa-57d0b9645fad", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", 
"Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "da87eee1-129c-4661-a7aa-57d0b9645fad_8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_9.json b/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_9.json deleted file mode 100644 index e6321b6c5a2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/da87eee1-129c-4661-a7aa-57d0b9645fad_9.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a new Windows service with suspicious Service command values. Windows services typically run as SYSTEM and can be used for privilege escalation and persistence.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Service was Installed in the System", "note": "## Triage and analysis\n\n### Investigating Suspicious Service was Installed in the System\n\nAttackers may create new services to execute system shells and other command execution utilities to elevate their privileges from administrator to SYSTEM. They can also configure services to execute these utilities with persistence payloads.\n\nThis rule looks for suspicious services being created with suspicious traits compatible with the above behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify how the service was created or modified. 
Look for registry changes events or Windows events related to service activities (for example, 4697 and/or 7045).\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON 
drivers.image =\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n\n### False positive analysis\n\n- Certain services such as PSEXECSVC may happen legitimately. The security team should address any potential benign true positive (B-TP) by excluding the relevant FP by pattern.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "any where\n (event.code : \"4697\" and\n (winlog.event_data.ServiceFileName : \n (\"*COMSPEC*\", \"*\\\\127.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\", \n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\", \n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\") or\n winlog.event_data.ServiceFileName regex~ \"\"\"%systemroot%\\\\[a-z0-9]+\\.exe\"\"\")) or\n\n (event.code : \"7045\" and\n winlog.event_data.ImagePath : (\n \"*COMSPEC*\", \"*\\\\127.0.0.1*\", \"*Admin$*\", \"*powershell*\", \"*rundll32*\", \"*cmd.exe*\", \"*PSEXESVC*\",\n \"*echo*\", \"*RemComSvc*\", \"*.bat*\", \"*.cmd*\", \"*certutil*\", \"*vssadmin*\", \"*certmgr*\", \"*bitsadmin*\",\n \"*\\\\Users\\\\*\", \"*\\\\Windows\\\\Temp\\\\*\", \"*\\\\Windows\\\\Tasks\\\\*\", \"*\\\\PerfLogs\\\\*\", \"*\\\\Windows\\\\Debug\\\\*\",\n \"*regsvr32*\", \"*msbuild*\"))\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.ImagePath", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.ServiceFileName", "type": "unknown"}], "risk_score": 47, "rule_id": "da87eee1-129c-4661-a7aa-57d0b9645fad", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", 
"Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 9}, "id": "da87eee1-129c-4661-a7aa-57d0b9645fad_9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6.json b/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6.json deleted file mode 100644 index c4af5e29895..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password.", "from": "now-9m", "history_window_start": "now-10d", "index": ["winlogbeat-*", "logs-windows.*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Pass-the-Hash (PtH) Attempt", "new_terms_fields": ["user.id"], "query": "host.os.type:\"windows\" and \nevent.category : \"authentication\" and event.action : \"logged-in\" and \nwinlog.logon.type : \"NewCredentials\" and event.outcome : \"success\" and \nuser.id : (S-1-5-21-* or S-1-12-1-*) and winlog.event_data.LogonProcessName : \"seclogo\"\n", "references": ["https://attack.mitre.org/techniques/T1550/002/"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.LogonProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "daafdf96-e7b1-4f14-b494-27e0d24b11f6", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": 
"https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.002", "name": "Pass the Hash", "reference": "https://attack.mitre.org/techniques/T1550/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 4}, "id": "daafdf96-e7b1-4f14-b494-27e0d24b11f6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_1.json b/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_1.json deleted file mode 100644 index 65d157e21a2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password.", "from": "now-9m", "history_window_start": "now-10d", "index": ["winlogbeat-*", "logs-windows.*", "logs-system.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Pass-the-Hash (PtH) Attempt", "new_terms_fields": ["user.id"], "query": "host.os.type:\"windows\" and \nevent.category : \"authentication\" and event.action : \"logged-in\" and \nwinlog.logon.type : \"NewCredentials\" and event.outcome : \"success\" and \nuser.id : (S-1-5-21-* or S-1-12-1-*) and winlog.event_data.LogonProcessName : \"seclogo\"\n", "references": ["https://attack.mitre.org/techniques/T1550/002/"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.LogonProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "daafdf96-e7b1-4f14-b494-27e0d24b11f6", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": 
"T1550.002", "name": "Pass the Hash", "reference": "https://attack.mitre.org/techniques/T1550/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "daafdf96-e7b1-4f14-b494-27e0d24b11f6_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_2.json b/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_2.json deleted file mode 100644 index f1a15d8db4f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password.", "from": "now-9m", "history_window_start": "now-10d", "index": ["winlogbeat-*", "logs-windows.*", "logs-system.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Pass-the-Hash (PtH) Attempt", "new_terms_fields": ["user.id"], "query": "host.os.type:\"windows\" and \nevent.category : \"authentication\" and event.action : \"logged-in\" and \nwinlog.logon.type : \"NewCredentials\" and event.outcome : \"success\" and \nuser.id : (S-1-5-21-* or S-1-12-1-*) and winlog.event_data.LogonProcessName : \"seclogo\"\n", "references": ["https://attack.mitre.org/techniques/T1550/002/"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.LogonProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "daafdf96-e7b1-4f14-b494-27e0d24b11f6", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", 
"subtechnique": [{"id": "T1550.002", "name": "Pass the Hash", "reference": "https://attack.mitre.org/techniques/T1550/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "daafdf96-e7b1-4f14-b494-27e0d24b11f6_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_3.json b/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_3.json deleted file mode 100644 index fe47c4c2a8b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password.", "from": "now-9m", "history_window_start": "now-10d", "index": ["winlogbeat-*", "logs-windows.*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Pass-the-Hash (PtH) Attempt", "new_terms_fields": ["user.id"], "query": "host.os.type:\"windows\" and \nevent.category : \"authentication\" and event.action : \"logged-in\" and \nwinlog.logon.type : \"NewCredentials\" and event.outcome : \"success\" and \nuser.id : (S-1-5-21-* or S-1-12-1-*) and winlog.event_data.LogonProcessName : \"seclogo\"\n", "references": ["https://attack.mitre.org/techniques/T1550/002/"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.LogonProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "daafdf96-e7b1-4f14-b494-27e0d24b11f6", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": "https://attack.mitre.org/techniques/T1550/", 
"subtechnique": [{"id": "T1550.002", "name": "Pass the Hash", "reference": "https://attack.mitre.org/techniques/T1550/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 3}, "id": "daafdf96-e7b1-4f14-b494-27e0d24b11f6_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_4.json b/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_4.json deleted file mode 100644 index e4aa552db6a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password.", "from": "now-9m", "history_window_start": "now-10d", "index": ["winlogbeat-*", "logs-windows.*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Pass-the-Hash (PtH) Attempt", "new_terms_fields": ["user.id"], "query": "host.os.type:\"windows\" and \nevent.category : \"authentication\" and event.action : \"logged-in\" and \nwinlog.logon.type : \"NewCredentials\" and event.outcome : \"success\" and \nuser.id : (S-1-5-21-* or S-1-12-1-*) and winlog.event_data.LogonProcessName : \"seclogo\"\n", "references": ["https://attack.mitre.org/techniques/T1550/002/"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.LogonProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "daafdf96-e7b1-4f14-b494-27e0d24b11f6", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": 
"https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.002", "name": "Pass the Hash", "reference": "https://attack.mitre.org/techniques/T1550/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 4}, "id": "daafdf96-e7b1-4f14-b494-27e0d24b11f6_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_5.json b/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_5.json deleted file mode 100644 index 055cd04ee75..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/daafdf96-e7b1-4f14-b494-27e0d24b11f6_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may pass the hash using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password.", "from": "now-9m", "history_window_start": "now-10d", "index": ["winlogbeat-*", "logs-windows.*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Pass-the-Hash (PtH) Attempt", "new_terms_fields": ["user.id"], "query": "host.os.type:\"windows\" and \nevent.category : \"authentication\" and event.action : \"logged-in\" and \nwinlog.logon.type : \"NewCredentials\" and event.outcome : \"success\" and \nuser.id : (S-1-5-21-* or S-1-12-1-*) and winlog.event_data.LogonProcessName : \"seclogo\"\n", "references": ["https://attack.mitre.org/techniques/T1550/002/"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.LogonProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "daafdf96-e7b1-4f14-b494-27e0d24b11f6", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1550", "name": "Use Alternate Authentication Material", "reference": 
"https://attack.mitre.org/techniques/T1550/", "subtechnique": [{"id": "T1550.002", "name": "Pass the Hash", "reference": "https://attack.mitre.org/techniques/T1550/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 5}, "id": "daafdf96-e7b1-4f14-b494-27e0d24b11f6_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf.json b/packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf.json deleted file mode 100644 index 10ec38fcaa0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when multi-factor authentication (MFA) is disabled for an Azure user account. An adversary may disable MFA for a user account in order to weaken the authentication requirements for the account.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Multi-Factor Authentication Disabled for an Azure User", "note": "## Triage and analysis\n\n### Investigating Multi-Factor Authentication Disabled for an Azure User\n\nMulti-factor authentication is a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan.\n\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, an attacker could be using it to gain access. When you require a second form of authentication, security is increased because this additional factor isn't something that's easy for an attacker to obtain or duplicate.\n\nFor more information about using MFA in Azure AD, access the [official documentation](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks#how-to-enable-and-use-azure-ad-multi-factor-authentication).\n\nThis rule identifies the deactivation of MFA for an Azure user account. 
This modification weakens account security and can lead to the compromise of accounts and other assets.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security defaults [provided by Microsoft](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Disable Strong Authentication\" and event.outcome:(Success or success)\n", "related_integrations": [{"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "dafa3235-76dc-40e2-9f71-1773b96d24cf", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "dafa3235-76dc-40e2-9f71-1773b96d24cf", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf_104.json b/packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf_104.json deleted file mode 100644 index d1b8c41564d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dafa3235-76dc-40e2-9f71-1773b96d24cf_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when multi-factor authentication (MFA) is disabled for an Azure user account. An adversary may disable MFA for a user account in order to weaken the authentication requirements for the account.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Multi-Factor Authentication Disabled for an Azure User", "note": "## Triage and analysis\n\n### Investigating Multi-Factor Authentication Disabled for an Azure User\n\nMulti-factor authentication is a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan.\n\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, an attacker could be using it to gain access. When you require a second form of authentication, security is increased because this additional factor isn't something that's easy for an attacker to obtain or duplicate.\n\nFor more information about using MFA in Azure AD, access the [official documentation](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks#how-to-enable-and-use-azure-ad-multi-factor-authentication).\n\nThis rule identifies the deactivation of MFA for an Azure user account. 
This modification weakens account security and can lead to the compromise of accounts and other assets.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security defaults [provided by Microsoft](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Disable Strong Authentication\" and event.outcome:(Success or success)\n", "related_integrations": [{"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "dafa3235-76dc-40e2-9f71-1773b96d24cf", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "dafa3235-76dc-40e2-9f71-1773b96d24cf_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/db65f5ba-d1ef-4944-b9e8-7e51060c2b42.json b/packages/security_detection_engine/kibana/security_rule/db65f5ba-d1ef-4944-b9e8-7e51060c2b42.json deleted file mode 100644 index 68c057f22ac..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/db65f5ba-d1ef-4944-b9e8-7e51060c2b42.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the attempt to disable Network-Level Authentication (NLA) via registry modification. Network Level Authentication (NLA) is a feature on Windows that provides an extra layer of security for Remote Desktop (RDP) connections, as it requires users to authenticate before allowing a full RDP session. Attackers can disable NLA to enable persistence methods that require access to the Windows sign-in screen without authenticating, such as Accessibility Features persistence methods, like Sticky Keys.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Network-Level Authentication (NLA) Disabled", "query": "registry where host.os.type == \"windows\" and event.action != \"deletion\" and\n registry.path :\n (\"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\UserAuthentication\", \n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\UserAuthentication\" ) and\n registry.data.strings : \"0\"\n", "references": ["https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "db65f5ba-d1ef-4944-b9e8-7e51060c2b42", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense 
Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "db65f5ba-d1ef-4944-b9e8-7e51060c2b42", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/db65f5ba-d1ef-4944-b9e8-7e51060c2b42_1.json b/packages/security_detection_engine/kibana/security_rule/db65f5ba-d1ef-4944-b9e8-7e51060c2b42_1.json deleted file mode 100644 index 984f3518406..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/db65f5ba-d1ef-4944-b9e8-7e51060c2b42_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the attempt to disable Network-Level Authentication (NLA) via registry modification. Network Level Authentication (NLA) is a feature on Windows that provides an extra layer of security for Remote Desktop (RDP) connections, as it requires users to authenticate before allowing a full RDP session. Attackers can disable NLA to enable persistence methods that require access to the Windows sign-in screen without authenticating, such as Accessibility Features persistence methods, like Sticky Keys.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Network-Level Authentication (NLA) Disabled", "query": "registry where host.os.type == \"windows\" and event.action != \"deletion\" and\n registry.path :\n (\"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\UserAuthentication\", \n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\UserAuthentication\" ) and\n registry.data.strings : \"0\"\n", "references": ["https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "db65f5ba-d1ef-4944-b9e8-7e51060c2b42", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "db65f5ba-d1ef-4944-b9e8-7e51060c2b42_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/db65f5ba-d1ef-4944-b9e8-7e51060c2b42_2.json b/packages/security_detection_engine/kibana/security_rule/db65f5ba-d1ef-4944-b9e8-7e51060c2b42_2.json deleted file mode 100644 index abb89e91d1c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/db65f5ba-d1ef-4944-b9e8-7e51060c2b42_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the attempt to disable Network-Level Authentication (NLA) via registry modification. Network Level Authentication (NLA) is a feature on Windows that provides an extra layer of security for Remote Desktop (RDP) connections, as it requires users to authenticate before allowing a full RDP session. Attackers can disable NLA to enable persistence methods that require access to the Windows sign-in screen without authenticating, such as Accessibility Features persistence methods, like Sticky Keys.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Network-Level Authentication (NLA) Disabled", "query": "registry where host.os.type == \"windows\" and event.action != \"deletion\" and\n registry.path :\n (\"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\UserAuthentication\", \n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\UserAuthentication\" ) and\n registry.data.strings : \"0\"\n", "references": ["https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "db65f5ba-d1ef-4944-b9e8-7e51060c2b42", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "db65f5ba-d1ef-4944-b9e8-7e51060c2b42_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/db65f5ba-d1ef-4944-b9e8-7e51060c2b42_3.json b/packages/security_detection_engine/kibana/security_rule/db65f5ba-d1ef-4944-b9e8-7e51060c2b42_3.json deleted file mode 100644 index 55f7fbec4e7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/db65f5ba-d1ef-4944-b9e8-7e51060c2b42_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the attempt to disable Network-Level Authentication (NLA) via registry modification. Network Level Authentication (NLA) is a feature on Windows that provides an extra layer of security for Remote Desktop (RDP) connections, as it requires users to authenticate before allowing a full RDP session. Attackers can disable NLA to enable persistence methods that require access to the Windows sign-in screen without authenticating, such as Accessibility Features persistence methods, like Sticky Keys.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Network-Level Authentication (NLA) Disabled", "query": "registry where host.os.type == \"windows\" and event.action != \"deletion\" and\n registry.path :\n (\"HKLM\\\\SYSTEM\\\\ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\UserAuthentication\", \n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Terminal Server\\\\WinStations\\\\RDP-Tcp\\\\UserAuthentication\" ) and\n registry.data.strings : \"0\"\n", "references": ["https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "db65f5ba-d1ef-4944-b9e8-7e51060c2b42", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense 
Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "db65f5ba-d1ef-4944-b9e8-7e51060c2b42_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd.json b/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd.json deleted file mode 100644 index 292fd19c014..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to execute a program on the host from the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via Windows Subsystem for Linux", "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n process.parent.name : (\"wsl.exe\", \"wslhost.exe\") and\n not process.executable : (\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files*\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\wsl*.exe\",\n \"?:\\\\Windows\\\\System32\\\\conhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\lxss\\\\wslhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\Sys*\\\\wslconfig.exe\"\n )\n", "references": ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": 
"Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_2.json b/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_2.json deleted file mode 100644 index 35a87274798..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to execute a program on the host from the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via Windows Subsystem for Linux", "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n process.parent.executable : \n (\"?:\\\\Windows\\\\System32\\\\wsl.exe\", \n \"?:\\\\Program Files*\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\wsl.exe\", \n \"?:\\\\Windows\\\\System32\\\\wslhost.exe\", \n \"?:\\\\Program Files*\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\wslhost.exe\") and \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\conhost.exe\", \n \"?:\\\\Windows\\\\System32\\\\lxss\\\\wslhost.exe\", \n \"?:\\\\Windows\\\\Sys*\\\\wslconfig.exe\", \n \"?:\\\\Program Files*\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\wsl*.exe\", \n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\", \n \"?:\\\\Program Files\\\\*\", \n \"?:\\\\Program Files (x86)\\\\*\")\n", "references": ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_207.json b/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_207.json deleted file mode 100644 index 8f008616d48..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_207.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to execute a program on the host from the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via Windows Subsystem for Linux", "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n process.parent.name : (\"wsl.exe\", \"wslhost.exe\") and\n not process.executable : (\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files*\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\wsl*.exe\",\n \"?:\\\\Windows\\\\System32\\\\conhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\lxss\\\\wslhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\Sys*\\\\wslconfig.exe\"\n )\n", "references": ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: 
Microsoft Defender for Endpoint", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 207}, "id": "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_207", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_3.json b/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_3.json deleted file mode 100644 index 4dce383e77d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to execute a program on the host from the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via Windows Subsystem for Linux", "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n process.parent.executable : \n (\"?:\\\\Windows\\\\System32\\\\wsl.exe\", \n \"?:\\\\Program Files*\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\wsl.exe\", \n \"?:\\\\Windows\\\\System32\\\\wslhost.exe\", \n \"?:\\\\Program Files*\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\wslhost.exe\") and \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\conhost.exe\", \n \"?:\\\\Windows\\\\System32\\\\lxss\\\\wslhost.exe\", \n \"?:\\\\Windows\\\\Sys*\\\\wslconfig.exe\", \n \"?:\\\\Program Files*\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\wsl*.exe\", \n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\", \n \"?:\\\\Program Files\\\\*\", \n \"?:\\\\Program Files (x86)\\\\*\")\n", "references": ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_4.json b/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_4.json deleted file mode 100644 index d358b59144c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to execute a program on the host from the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via Windows Subsystem for Linux", "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n process.parent.executable : \n (\"?:\\\\Windows\\\\System32\\\\wsl.exe\", \n \"?:\\\\Program Files*\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\wsl.exe\", \n \"?:\\\\Windows\\\\System32\\\\wslhost.exe\", \n \"?:\\\\Program Files*\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\wslhost.exe\") and \n not process.executable : \n (\"?:\\\\Windows\\\\System32\\\\conhost.exe\", \n \"?:\\\\Windows\\\\System32\\\\lxss\\\\wslhost.exe\", \n \"?:\\\\Windows\\\\Sys*\\\\wslconfig.exe\", \n \"?:\\\\Program Files*\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\wsl*.exe\", \n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\", \n \"?:\\\\Program Files\\\\*\", \n \"?:\\\\Program Files (x86)\\\\*\")\n", "references": ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_5.json b/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_5.json deleted file mode 100644 index 471ecb75af3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to execute a program on the host from the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via Windows Subsystem for Linux", "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n process.parent.name : (\"wsl.exe\", \"wslhost.exe\") and\n not process.executable : (\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files*\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\wsl*.exe\",\n \"?:\\\\Windows\\\\System32\\\\conhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\lxss\\\\wslhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\Sys*\\\\wslconfig.exe\"\n )\n", "references": ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", 
"reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_6.json b/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_6.json deleted file mode 100644 index 0b87de7b068..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to execute a program on the host from the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via Windows Subsystem for Linux", "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n process.parent.name : (\"wsl.exe\", \"wslhost.exe\") and\n not process.executable : (\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files*\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\wsl*.exe\",\n \"?:\\\\Windows\\\\System32\\\\conhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\lxss\\\\wslhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\Sys*\\\\wslconfig.exe\"\n )\n", "references": ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", 
"reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_7.json b/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_7.json deleted file mode 100644 index 6af48c35c98..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to execute a program on the host from the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Execution via Windows Subsystem for Linux", "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n process.parent.name : (\"wsl.exe\", \"wslhost.exe\") and\n not process.executable : (\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files*\\\\WindowsApps\\\\MicrosoftCorporationII.WindowsSubsystemForLinux_*\\\\wsl*.exe\",\n \"?:\\\\Windows\\\\System32\\\\conhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\lxss\\\\wslhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\Sys*\\\\wslconfig.exe\"\n )\n", "references": ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": 
"Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13.json b/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13.json deleted file mode 100644 index fafa60b73fd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Credential Dumping - Prevented - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13", "setup": "## Setup\n\nThis rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.\n\n**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. 
For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.\n\nTo make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.\n\n**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.", "severity": "medium", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13_100.json b/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13_100.json deleted file mode 100644 index fa99444fa39..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13_100.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Credential Dumping - Prevented - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13", "severity": "medium", "tags": ["Elastic", "Elastic Endgame", "Threat Detection", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "type": "query", "version": 100}, "id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13_100", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13_101.json b/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13_101.json deleted file mode 100644 index b648595552a..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13_101.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Credential Dumping - Prevented - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13", "severity": "medium", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "type": "query", "version": 101}, "id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13_101", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13_102.json b/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13_102.json deleted file mode 100644 index 6fbdead086a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/db8c33a8-03cd-4988-9e2c-d0a4863adb13_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame prevented Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Credential Dumping - Prevented - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "rule_id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13", "severity": "medium", "tags": ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "db8c33a8-03cd-4988-9e2c-d0a4863adb13_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66.json b/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66.json deleted file mode 100644 index 55b47488a56..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when suspicious content is extracted from a file and subsequently decompressed using the funzip utility. Malware may execute the tail utility using the \"-c\" option to read a sequence of bytes from the end of a file. The output from tail can be piped to funzip in order to decompress malicious code before it is executed. This behavior is consistent with malware families such as Bundlore.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Content Extracted or Decompressed via Funzip", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n((process.args == \"tail\" and process.args == \"-c\" and process.args == \"funzip\")) and\nnot process.args : \"/var/log/messages\" and \nnot process.parent.executable : (\"/usr/bin/dracut\", \"/sbin/dracut\", \"/usr/bin/xargs\") and\nnot (process.parent.name in (\"sh\", \"sudo\") and process.parent.command_line : \"*nessus_su*\")\n", "references": ["https://attack.mitre.org/software/S0482/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "dc0b7782-0df0-47ff-8337-db0d678bdb66", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "dc0b7782-0df0-47ff-8337-db0d678bdb66", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_1.json b/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_1.json deleted file mode 100644 index b9cdc19007a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when suspicious content is extracted from a file and subsequently decompressed using the funzip utility. Malware may execute the tail utility using the \"-c\" option to read a sequence of bytes from the end of a file. The output from tail can be piped to funzip in order to decompress malicious code before it is executed. This behavior is consistent with malware families such as Bundlore.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Content Extracted or Decompressed via Funzip", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n((process.args == \"tail\" and process.args == \"-c\" and process.args == \"funzip\")) and\nnot process.args : \"/var/log/messages\" and \nnot process.parent.executable : (\"/usr/bin/dracut\", \"/sbin/dracut\", \"/usr/bin/xargs\") and\nnot (process.parent.name in (\"sh\", \"sudo\") and process.parent.command_line : \"*nessus_su*\")\n", "references": ["https://attack.mitre.org/software/S0482/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "dc0b7782-0df0-47ff-8337-db0d678bdb66", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": 
"https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "dc0b7782-0df0-47ff-8337-db0d678bdb66_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_2.json b/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_2.json deleted file mode 100644 index 49dae399ceb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when suspicious content is extracted from a file and subsequently decompressed using the funzip utility. Malware may execute the tail utility using the \"-c\" option to read a sequence of bytes from the end of a file. The output from tail can be piped to funzip in order to decompress malicious code before it is executed. This behavior is consistent with malware families such as Bundlore.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Content Extracted or Decompressed via Funzip", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n((process.args == \"tail\" and process.args == \"-c\" and process.args == \"funzip\")) and\nnot process.args : \"/var/log/messages\" and \nnot process.parent.executable : (\"/usr/bin/dracut\", \"/sbin/dracut\", \"/usr/bin/xargs\") and\nnot (process.parent.name in (\"sh\", \"sudo\") and process.parent.command_line : \"*nessus_su*\")\n", "references": ["https://attack.mitre.org/software/S0482/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "dc0b7782-0df0-47ff-8337-db0d678bdb66", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": 
"https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "dc0b7782-0df0-47ff-8337-db0d678bdb66_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_3.json b/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_3.json deleted file mode 100644 index fd8adb6f936..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when suspicious content is extracted from a file and subsequently decompressed using the funzip utility. Malware may execute the tail utility using the \"-c\" option to read a sequence of bytes from the end of a file. The output from tail can be piped to funzip in order to decompress malicious code before it is executed. This behavior is consistent with malware families such as Bundlore.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Content Extracted or Decompressed via Funzip", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n((process.args == \"tail\" and process.args == \"-c\" and process.args == \"funzip\")) and\nnot process.args : \"/var/log/messages\" and \nnot process.parent.executable : (\"/usr/bin/dracut\", \"/sbin/dracut\", \"/usr/bin/xargs\") and\nnot (process.parent.name in (\"sh\", \"sudo\") and process.parent.command_line : \"*nessus_su*\")\n", "references": ["https://attack.mitre.org/software/S0482/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "dc0b7782-0df0-47ff-8337-db0d678bdb66", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "dc0b7782-0df0-47ff-8337-db0d678bdb66_3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_4.json b/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_4.json deleted file mode 100644 index b0ab553b953..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dc0b7782-0df0-47ff-8337-db0d678bdb66_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when suspicious content is extracted from a file and subsequently decompressed using the funzip utility. Malware may execute the tail utility using the \"-c\" option to read a sequence of bytes from the end of a file. The output from tail can be piped to funzip in order to decompress malicious code before it is executed. This behavior is consistent with malware families such as Bundlore.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Content Extracted or Decompressed via Funzip", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and\n((process.args == \"tail\" and process.args == \"-c\" and process.args == \"funzip\")) and\nnot process.args : \"/var/log/messages\" and \nnot process.parent.executable : (\"/usr/bin/dracut\", \"/sbin/dracut\", \"/usr/bin/xargs\") and\nnot (process.parent.name in (\"sh\", \"sudo\") and process.parent.command_line : \"*nessus_su*\")\n", "references": ["https://attack.mitre.org/software/S0482/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "dc0b7782-0df0-47ff-8337-db0d678bdb66", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "dc0b7782-0df0-47ff-8337-db0d678bdb66_4", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/dc61f382-dc0c-4cc0-a845-069f2a071704.json b/packages/security_detection_engine/kibana/security_rule/dc61f382-dc0c-4cc0-a845-069f2a071704.json deleted file mode 100644 index d4031a81210..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dc61f382-dc0c-4cc0-a845-069f2a071704.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the execution of a potentially malicious process from a Git hook. Git hooks are scripts that Git executes before or after events such as: commit, push, and receive. An attacker can abuse Git hooks to execute arbitrary commands on the system and establish persistence.", "from": "now-9m", "index": ["logs-endpoint.events.process*"], "language": "eql", "license": "Elastic License v2", "name": "Git Hook Command Execution", "query": "sequence by host.id with maxspan=3s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.parent.name == \"git\" and process.args : \".git/hooks/*\" and\n process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n ] by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")] by process.parent.entity_id\n", "references": ["https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "dc61f382-dc0c-4cc0-a845-069f2a071704", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### 
Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "type": "eql", "version": 1}, "id": "dc61f382-dc0c-4cc0-a845-069f2a071704", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/dc61f382-dc0c-4cc0-a845-069f2a071704_1.json b/packages/security_detection_engine/kibana/security_rule/dc61f382-dc0c-4cc0-a845-069f2a071704_1.json deleted file mode 100644 index de7a4172ea4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dc61f382-dc0c-4cc0-a845-069f2a071704_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the execution of a potentially malicious process from a Git hook. Git hooks are scripts that Git executes before or after events such as: commit, push, and receive. An attacker can abuse Git hooks to execute arbitrary commands on the system and establish persistence.", "from": "now-9m", "index": ["logs-endpoint.events.process*"], "language": "eql", "license": "Elastic License v2", "name": "Git Hook Command Execution", "query": "sequence by host.id with maxspan=3s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.parent.name == \"git\" and process.args : \".git/hooks/*\" and\n process.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n ] by process.entity_id\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.parent.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")] by process.parent.entity_id\n", "references": ["https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/linux-persistence/#backdooring-git"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "dc61f382-dc0c-4cc0-a845-069f2a071704", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### 
Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "type": "eql", "version": 1}, "id": "dc61f382-dc0c-4cc0-a845-069f2a071704_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204.json b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204.json deleted file mode 100644 index 7fb7a65dd6e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and detected.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Hidden Process via Mount Hidepid", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"mount\" and process.args == \"/proc\" and process.args == \"-o\" and\nprocess.args : \"*hidepid=2*\"\n", "references": ["https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend
Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_1.json b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_1.json
deleted file mode 100644
index f26dad33acf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and detected.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Hidden Process via Mount Hidepid", "query": "process where process.name==\"mount\" and event.action ==\"exec\" and\n process.args: ( \"/proc\") and process.args: (\"-o\") and process.args:(\"*hidepid=2*\") and\n host.os.type == \"linux\"\n", "references": ["https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference":
"https://attack.mitre.org/techniques/T1564/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_2.json b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_2.json
deleted file mode 100644
index 7a26ab2414c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and detected.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Hidden Process via Mount Hidepid", "query": "process where process.name==\"mount\" and event.action ==\"exec\" and\n process.args: ( \"/proc\") and process.args: (\"-o\") and process.args:(\"*hidepid=2*\") and\n host.os.type == \"linux\"\n", "references": ["https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference":
"https://attack.mitre.org/techniques/T1564/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_3.json b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_3.json
deleted file mode 100644
index 30390f9a134..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and detected.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Hidden Process via Mount Hidepid", "query": "process where host.os.type == \"linux\" and process.name == \"mount\" and event.action == \"exec\" and\nprocess.args == \"/proc\" and process.args == \"-o\" and process.args : \"*hidepid=2*\"\n", "references": ["https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide
Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_4.json b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_4.json
deleted file mode 100644
index 56134f586c7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and detected.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Hidden Process via Mount Hidepid", "query": "process where host.os.type == \"linux\" and process.name == \"mount\" and event.action == \"exec\" and\nprocess.args == \"/proc\" and process.args == \"-o\" and process.args : \"*hidepid=2*\"\n", "references": ["https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet.
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_5.json b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_5.json
deleted file mode 100644
index 913675a91ed..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and detected.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Hidden Process via Mount Hidepid", "query": "process where host.os.type == \"linux\" and process.name == \"mount\" and event.action == \"exec\" and\nprocess.args == \"/proc\" and process.args == \"-o\" and process.args : \"*hidepid=2*\"\n", "references": ["https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet.
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_6.json b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_6.json
deleted file mode 100644
index c200aaf45ad..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and detected.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Hidden Process via Mount Hidepid", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\") and event.type == \"start\" \nand process.name == \"mount\" and process.args == \"/proc\" and process.args == \"-o\" and process.args : \"*hidepid=2*\"\n", "references": ["https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is
integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_7.json b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_7.json
deleted file mode 100644
index b143788e22f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and detected.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Hidden Process via Mount Hidepid", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nevent.type == \"start\" and process.name == \"mount\" and process.args == \"/proc\" and process.args == \"-o\" and\nprocess.args : \"*hidepid=2*\"\n", "references": ["https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration
Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_8.json b/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_8.json
deleted file mode 100644
index 9fbf1a5d84c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/dc71c186-9fe4-4437-a4d0-85ebb32b8204_8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of mount process with hidepid parameter, which can make processes invisible to other users from the system. Adversaries using Linux kernel version 3.2+ (or RHEL/CentOS v6.5+ above) can hide the process from other users. When hidepid=2 option is executed to mount the /proc filesystem, only the root user can see all processes and the logged-in user can only see their own process. This provides a defense evasion mechanism for the adversaries to hide their process executions from all other commands such as ps, top, pgrep and more. With the Linux kernel hardening hidepid option all the user has to do is remount the /proc filesystem with the option, which can now be monitored and detected.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Hidden Process via Mount Hidepid", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"mount\" and process.args == \"/proc\" and process.args == \"-o\" and\nprocess.args : \"*hidepid=2*\"\n", "references": ["https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend 
Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "dc71c186-9fe4-4437-a4d0-85ebb32b8204_8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57.json b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57.json deleted file mode 100644 index 569f48ac20d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deletion via WMIC", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via WMIC\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of `wmic.exe` to interact with VSS via the `shadowcopy` alias and delete parameter.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - 
Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"WMIC.exe\" or ?process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"delete\" and process.args : \"shadowcopy\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", 
"Tactic: Impact", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_104.json b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_104.json deleted file mode 100644 index f6464fd7619..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deletion via WMIC", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via WMIC\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of `wmic.exe` to interact with VSS via the `shadowcopy` alias and delete parameter.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash 
cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"WMIC.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"delete\" and process.args : \"shadowcopy\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": 
[{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_105.json b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_105.json
deleted file mode 100644
index a9fc706ab47..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deletion via WMIC", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via WMIC\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of `wmic.exe` to interact with VSS via the `shadowcopy` alias and delete parameter.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash 
cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"WMIC.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"delete\" and process.args : \"shadowcopy\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": 
"https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_106.json b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_106.json
deleted file mode 100644
index 25f3dfa2adb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deletion via WMIC", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via WMIC\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of `wmic.exe` to interact with VSS via the `shadowcopy` alias and delete parameter.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash 
cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"WMIC.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"delete\" and process.args : \"shadowcopy\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": 
"Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_107.json b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_107.json
deleted file mode 100644
index 9a1621b40d9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deletion via WMIC", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via WMIC\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of `wmic.exe` to interact with VSS via the `shadowcopy` alias and delete parameter.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash 
cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"WMIC.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"delete\" and process.args : \"shadowcopy\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_108.json b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_108.json deleted file mode 100644 index ff32507edce..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deletion via WMIC", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via WMIC\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of `wmic.exe` to interact with VSS via the `shadowcopy` alias and delete parameter.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash 
cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"WMIC.exe\" or process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"delete\" and process.args : \"shadowcopy\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: 
Impact", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_109.json b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_109.json deleted file mode 100644 index 669aa9c85a9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deletion via WMIC", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via WMIC\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of `wmic.exe` to interact with VSS via the `shadowcopy` alias and delete parameter.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the 
PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"WMIC.exe\" or ?process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"delete\" and process.args : \"shadowcopy\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", 
"Tactic: Impact", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_110.json b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_110.json deleted file mode 100644 index 3309b130740..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deletion via WMIC", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via WMIC\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of `wmic.exe` to interact with VSS via the `shadowcopy` alias and delete parameter.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - 
Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"WMIC.exe\" or ?process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"delete\" and process.args : \"shadowcopy\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", 
"Tactic: Impact", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_111.json b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_111.json deleted file mode 100644 index 6b133755d73..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_111.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deletion via WMIC", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via WMIC\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of `wmic.exe` to interact with VSS via the `shadowcopy` alias and delete parameter.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - 
Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"WMIC.exe\" or ?process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"delete\" and process.args : \"shadowcopy\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", 
"Tactic: Impact", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_311.json b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_311.json
deleted file mode 100644
index 598d6fe18a5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_311.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deletion via WMIC", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via WMIC\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of `wmic.exe` to interact with VSS via the `shadowcopy` alias and delete parameter.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, 
modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"WMIC.exe\" or ?process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"delete\" and process.args : \"shadowcopy\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": 
"https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 311}, "id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57_311", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_312.json b/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_312.json
deleted file mode 100644
index 2ba14066eee..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/dc9c1f74-dac3-48e3-b47f-eb79db358f57_312.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Volume Shadow Copy Deletion via WMIC", "note": "## Triage and analysis\n\n### Investigating Volume Shadow Copy Deletion via WMIC\n\nThe Volume Shadow Copy Service (VSS) is a Windows feature that enables system administrators to take snapshots of volumes that can later be restored or mounted to recover specific files or folders.\n\nA typical step in the playbook of an attacker attempting to deploy ransomware is to delete Volume Shadow Copies to ensure that victims have no alternative to paying the ransom, making any action that deletes shadow copies worth monitoring.\n\nThis rule monitors the execution of `wmic.exe` to interact with VSS via the `shadowcopy` alias and delete parameter.\n\n#### Possible investigation steps\n\n- Investigate the program execution chain (parent process tree).\n- Check whether the account is authorized to perform this operation.\n- Contact the account owner and confirm whether they are aware of this activity.\n- In the case of a resize operation, check if the resize value is equal to suspicious values, like 401MB.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, 
modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences in other hosts.\n- Check if any files on the host machine have been encrypted.\n\n\n### False positive analysis\n\n- This rule has chances of producing benign true positives (B-TPs). If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Related rules\n\n- Volume Shadow Copy Deleted or Resized via VssAdmin - b5ea4bfe-a1b2-421f-9d47-22a75a6f2921\n- Volume Shadow Copy Deletion via PowerShell - d99a037b-c8e2-47a5-97b9-170d076827c4\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Priority should be given due to the advanced stage of this activity on the attack.\n- Consider isolating the involved host to prevent destructive behavior, which is commonly associated with this activity.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If data was encrypted, deleted, or modified, activate your data recovery plan.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Perform data recovery locally or restore the backups from replicated copies (cloud, other servers, etc.).\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"WMIC.exe\" or ?process.pe.original_file_name == \"wmic.exe\") and\n process.args : \"delete\" and process.args : \"shadowcopy\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", 
"reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": "https://attack.mitre.org/techniques/T1490/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 312}, "id": "dc9c1f74-dac3-48e3-b47f-eb79db358f57_312", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1.json b/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1.json
deleted file mode 100644
index 2d695378c14..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).", "false_positives": ["New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."], "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_method_for_a_country", "name": "Unusual Country For an AWS Command", "note": "## Triage and analysis\n\n### Investigating Unusual Country For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys used by a threat actor in a different geography than the authorized user(s).\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. 
Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False Positive Analysis\n\n- False positives can occur if activity is coming from new employees based in a country with no previous history in AWS.\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. 
If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "aws", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "dca28dee-c999-400f-b640-50a081cc0fd1", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from AWS.\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. 
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### AWS Integration Setup\nThe AWS integration allows you to collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"aws\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAWS\u201d and select the integration to see more details about it.\n- Click \u201cAdd AWS\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201caws\u201d to an existing or a new agent policy, and deploy the agent on your system from which aws log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/aws).\n", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"], "type": "machine_learning", "version": 209}, "id": "dca28dee-c999-400f-b640-50a081cc0fd1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_104.json b/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_104.json
deleted file mode 100644
index 4e23e2879ba..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).", "false_positives": ["New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."], "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_method_for_a_country", "name": "Unusual Country For an AWS Command", "note": "## Triage and analysis\n\n### Investigating Unusual Country For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys used by a threat actor in a different geography than the authorized user(s).\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. 
Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False Positive Analysis\n\n- False positives can occur if activity is coming from new employees based in a country with no previous history in AWS.\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. 
If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [], "risk_score": 21, "rule_id": "dca28dee-c999-400f-b640-50a081cc0fd1", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "ML", "Machine Learning", "Investigation Guide"], "type": "machine_learning", "version": 104}, "id": "dca28dee-c999-400f-b640-50a081cc0fd1_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_105.json b/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_105.json deleted file mode 100644 index ee10c80b2ad..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).", "false_positives": ["New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."], "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_method_for_a_country", "name": "Unusual Country For an AWS Command", "note": "## Triage and analysis\n\n### Investigating Unusual Country For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys used by a threat actor in a different geography than the authorized user(s).\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. 
Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False Positive Analysis\n\n- False positives can occur if activity is coming from new employees based in a country with no previous history in AWS.\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. 
If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [], "risk_score": 21, "rule_id": "dca28dee-c999-400f-b640-50a081cc0fd1", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"], "type": "machine_learning", "version": 105}, "id": "dca28dee-c999-400f-b640-50a081cc0fd1_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_106.json b/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_106.json deleted file mode 100644 index d6837c0fb14..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).", "false_positives": ["New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."], "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_method_for_a_country", "name": "Unusual Country For an AWS Command", "note": "## Triage and analysis\n\n### Investigating Unusual Country For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys used by a threat actor in a different geography than the authorized user(s).\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. 
Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False Positive Analysis\n\n- False positives can occur if activity is coming from new employees based in a country with no previous history in AWS.\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. 
If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "aws", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "dca28dee-c999-400f-b640-50a081cc0fd1", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"], "type": "machine_learning", "version": 106}, "id": "dca28dee-c999-400f-b640-50a081cc0fd1_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_107.json b/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_107.json deleted file mode 100644 index bc7a1a05612..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).", "false_positives": ["New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."], "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_method_for_a_country", "name": "Unusual Country For an AWS Command", "note": "## Triage and analysis\n\n### Investigating Unusual Country For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys used by a threat actor in a different geography than the authorized user(s).\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. 
Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False Positive Analysis\n\n- False positives can occur if activity is coming from new employees based in a country with no previous history in AWS.\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. 
If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "aws", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "dca28dee-c999-400f-b640-50a081cc0fd1", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"], "type": "machine_learning", "version": 107}, "id": "dca28dee-c999-400f-b640-50a081cc0fd1_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_208.json b/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_208.json deleted file mode 100644 index 6a38c6463f6..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/dca28dee-c999-400f-b640-50a081cc0fd1_208.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 50, "author": ["Elastic"], "description": "A machine learning job detected AWS command activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).", "false_positives": ["New or unusual command and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently."], "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "rare_method_for_a_country", "name": "Unusual Country For an AWS Command", "note": "## Triage and analysis\n\n### Investigating Unusual Country For an AWS Command\n\nCloudTrail logging provides visibility on actions taken within an AWS environment. By monitoring these events and understanding what is considered normal behavior within an organization, you can spot suspicious or malicious activity when deviations occur.\n\nThis rule uses a machine learning job to detect an AWS API command that while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the command. This can be the result of compromised credentials or keys used by a threat actor in a different geography than the authorized user(s).\n\nDetection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address.\n\n#### Possible investigation steps\n\n- Identify the user account involved and the action performed. 
Verify whether it should perform this kind of action.\n - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.\n - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, or network administrator activity.\n- Examine the request parameters. These might indicate the source of the program or the nature of its tasks.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Contact the account owner and confirm whether they are aware of this activity if suspicious.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False Positive Analysis\n\n- False positives can occur if activity is coming from new employees based in a country with no previous history in AWS.\n- Examine the history of the command. If the command only manifested recently, it might be part of a new automation module or script. 
If it has a consistent cadence (for example, it appears in small numbers on a weekly or monthly cadence), it might be part of a housekeeping or maintenance process. You can find the command in the `event.action field` field.\n\n### Related Rules\n\n- Unusual City For an AWS Command - 809b70d3-e2c3-455e-af1b-2626a5a1a276\n- Unusual AWS Command for a User - ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1\n- Rare AWS Error Code - 19de8096-e2b0-4bd8-80c9-34a820813fff\n- Spike in AWS Error Messages - 78d3d8d9-b476-451d-a9e0-7a5addd70670\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "aws", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "dca28dee-c999-400f-b640-50a081cc0fd1", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"], "type": "machine_learning", "version": 208}, "id": "dca28dee-c999-400f-b640-50a081cc0fd1_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dca6b4b0-ae70-44eb-bb7a-ce6db502ee78.json b/packages/security_detection_engine/kibana/security_rule/dca6b4b0-ae70-44eb-bb7a-ce6db502ee78.json deleted file mode 100644 index 3d9cf0ec058..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dca6b4b0-ae70-44eb-bb7a-ce6db502ee78.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a process with arguments pointing to the INetCache Folder. Adversaries may deliver malicious content via WININET during initial access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution from INET Cache", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and \n process.parent.name : (\"explorer.exe\", \"winrar.exe\", \"7zFM.exe\", \"Bandizip.exe\") and\n (process.args : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\IE\\\\*\" or\n process.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\IE\\\\*\")\n", "references": ["https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": 
"Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dca6b4b0-ae70-44eb-bb7a-ce6db502ee78_1.json b/packages/security_detection_engine/kibana/security_rule/dca6b4b0-ae70-44eb-bb7a-ce6db502ee78_1.json deleted file mode 100644 index 3f9e56e8945..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dca6b4b0-ae70-44eb-bb7a-ce6db502ee78_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a process with arguments pointing to the INetCache Folder. Adversaries may deliver malicious content via WININET during initial access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution from INET Cache", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and \n process.parent.name : (\"explorer.exe\", \"winrar.exe\", \"7zFM.exe\", \"Bandizip.exe\") and\n (process.args : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\IE\\\\*\" or\n process.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\IE\\\\*\")\n", "references": ["https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": 
"https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dca6b4b0-ae70-44eb-bb7a-ce6db502ee78_2.json b/packages/security_detection_engine/kibana/security_rule/dca6b4b0-ae70-44eb-bb7a-ce6db502ee78_2.json deleted file mode 100644 index 55dd0ee7dac..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dca6b4b0-ae70-44eb-bb7a-ce6db502ee78_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a process with arguments pointing to the INetCache Folder. Adversaries may deliver malicious content via WININET during initial access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution from INET Cache", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and \n process.parent.name : (\"explorer.exe\", \"winrar.exe\", \"7zFM.exe\", \"Bandizip.exe\") and\n (process.args : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\IE\\\\*\" or\n process.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\IE\\\\*\")\n", "references": ["https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": 
"https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dca6b4b0-ae70-44eb-bb7a-ce6db502ee78_203.json b/packages/security_detection_engine/kibana/security_rule/dca6b4b0-ae70-44eb-bb7a-ce6db502ee78_203.json deleted file mode 100644 index 7c7698d267e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dca6b4b0-ae70-44eb-bb7a-ce6db502ee78_203.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a process with arguments pointing to the INetCache Folder. Adversaries may deliver malicious content via WININET during initial access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution from INET Cache", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and \n process.parent.name : (\"explorer.exe\", \"winrar.exe\", \"7zFM.exe\", \"Bandizip.exe\") and\n (process.args : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\IE\\\\*\" or\n process.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\IE\\\\*\")\n", "references": ["https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic 
Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 203}, "id": "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78_203", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dca6b4b0-ae70-44eb-bb7a-ce6db502ee78_3.json b/packages/security_detection_engine/kibana/security_rule/dca6b4b0-ae70-44eb-bb7a-ce6db502ee78_3.json deleted file mode 100644 index e0e9cca3b6f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dca6b4b0-ae70-44eb-bb7a-ce6db502ee78_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a process with arguments pointing to the INetCache Folder. Adversaries may deliver malicious content via WININET during initial access.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Execution from INET Cache", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and \n process.parent.name : (\"explorer.exe\", \"winrar.exe\", \"7zFM.exe\", \"Bandizip.exe\") and\n (process.args : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\IE\\\\*\" or\n process.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\Windows\\\\INetCache\\\\IE\\\\*\")\n", "references": ["https://www.trendmicro.com/en_us/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 73, "rule_id": "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Command and Control", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": 
"Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "dca6b4b0-ae70-44eb-bb7a-ce6db502ee78_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e.json b/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e.json deleted file mode 100644 index 2ee7926e725..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Install Kali Linux via WSL", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.name : \"wsl.exe\" and process.args : (\"-d\", \"--distribution\", \"-i\", \"--install\") and process.args : \"kali*\") or \n process.executable : \n (\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\packages\\\\kalilinux*\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\WindowsApps\\\\kali.exe\",\n \"?:\\\\Program Files*\\\\WindowsApps\\\\KaliLinux.*\\\\kali.exe\")\n )\n", "references": ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": 
"https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_2.json b/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_2.json deleted file mode 100644 index 5ffbc2e161e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Install Kali Linux via WSL", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.name : \"wsl.exe\" and process.args : (\"-d\", \"--distribution\", \"-i\", \"--install\") and process.args : \"kali*\") or \n process.executable : \n (\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\packages\\\\kalilinux*\", \n \"?:\\\\Users\\\\*\\\\AppDara\\\\Local\\\\Microsoft\\\\WindowsApps\\\\kali.exe\",\n \"?:\\\\Program Files*\\\\WindowsApps\\\\KaliLinux.*\\\\kali.exe\")\n )\n", "references": ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_2", 
"type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_208.json b/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_208.json deleted file mode 100644 index 9a4e6aab9e5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_208.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Install Kali Linux via WSL", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.name : \"wsl.exe\" and process.args : (\"-d\", \"--distribution\", \"-i\", \"--install\") and process.args : \"kali*\") or \n process.executable : \n (\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\packages\\\\kalilinux*\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\WindowsApps\\\\kali.exe\",\n \"?:\\\\Program Files*\\\\WindowsApps\\\\KaliLinux.*\\\\kali.exe\")\n )\n", "references": ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: 
Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 208}, "id": "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_208", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_3.json b/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_3.json deleted file mode 100644 index fe8a8b85a98..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Install Kali Linux via WSL", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.name : \"wsl.exe\" and process.args : (\"-d\", \"--distribution\", \"-i\", \"--install\") and process.args : \"kali*\") or \n process.executable : \n (\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\packages\\\\kalilinux*\", \n \"?:\\\\Users\\\\*\\\\AppDara\\\\Local\\\\Microsoft\\\\WindowsApps\\\\kali.exe\",\n \"?:\\\\Program Files*\\\\WindowsApps\\\\KaliLinux.*\\\\kali.exe\")\n )\n", "references": ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": 
"dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_4.json b/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_4.json
deleted file mode 100644
index 3c4517e5ace..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Install Kali Linux via WSL", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.name : \"wsl.exe\" and process.args : (\"-d\", \"--distribution\", \"-i\", \"--install\") and process.args : \"kali*\") or \n process.executable : \n (\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\packages\\\\kalilinux*\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\WindowsApps\\\\kali.exe\",\n \"?:\\\\Program Files*\\\\WindowsApps\\\\KaliLinux.*\\\\kali.exe\")\n )\n", "references": ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": 
"dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_5.json b/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_5.json
deleted file mode 100644
index 981fd53744c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Install Kali Linux via WSL", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.name : \"wsl.exe\" and process.args : (\"-d\", \"--distribution\", \"-i\", \"--install\") and process.args : \"kali*\") or \n process.executable : \n (\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\packages\\\\kalilinux*\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\WindowsApps\\\\kali.exe\",\n \"?:\\\\Program Files*\\\\WindowsApps\\\\KaliLinux.*\\\\kali.exe\")\n )\n", "references": ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", 
"version": 5}, "id": "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_6.json b/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_6.json
deleted file mode 100644
index 32b988adea6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Install Kali Linux via WSL", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.name : \"wsl.exe\" and process.args : (\"-d\", \"--distribution\", \"-i\", \"--install\") and process.args : \"kali*\") or \n process.executable : \n (\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\packages\\\\kalilinux*\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\WindowsApps\\\\kali.exe\",\n \"?:\\\\Program Files*\\\\WindowsApps\\\\KaliLinux.*\\\\kali.exe\")\n )\n", "references": ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": 
"https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_7.json b/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_7.json
deleted file mode 100644
index dd752f8f74c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Install Kali Linux via WSL", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.name : \"wsl.exe\" and process.args : (\"-d\", \"--distribution\", \"-i\", \"--install\") and process.args : \"kali*\") or \n process.executable : \n (\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\packages\\\\kalilinux*\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\WindowsApps\\\\kali.exe\",\n \"?:\\\\Program Files*\\\\WindowsApps\\\\KaliLinux.*\\\\kali.exe\")\n )\n", "references": ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": 
"https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_8.json b/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_8.json
deleted file mode 100644
index 882efe8aa1f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to install or use Kali Linux via Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Install Kali Linux via WSL", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (process.name : \"wsl.exe\" and process.args : (\"-d\", \"--distribution\", \"-i\", \"--install\") and process.args : \"kali*\") or \n process.executable : \n (\"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\packages\\\\kalilinux*\", \n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Microsoft\\\\WindowsApps\\\\kali.exe\",\n \"?:\\\\Program Files*\\\\WindowsApps\\\\KaliLinux.*\\\\kali.exe\")\n )\n", "references": ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": 
"https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e_8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/dd52d45a-4602-4195-9018-ebe0f219c273.json b/packages/security_detection_engine/kibana/security_rule/dd52d45a-4602-4195-9018-ebe0f219c273.json
deleted file mode 100644
index 56b0078079f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/dd52d45a-4602-4195-9018-ebe0f219c273.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects network connections initiated through Cross-Desktop Group (XDG) autostart entries for GNOME and XFCE-based Linux distributions. XDG Autostart entries can be used to execute arbitrary commands or scripts when a user logs in. This rule helps to identify potential malicious activity where an attacker may have modified XDG autostart scripts to establish persistence on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connections Initiated Through XDG Autostart Entry", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.parent.executable == \"/usr/bin/xfce4-session\") or\n (process.executable == \"/bin/sh\" and process.args == \"-e\" and process.args == \"-u\" and\n process.args == \"-c\" and process.args : \"export GIO_LAUNCHED_DESKTOP_FILE_PID=$$;*\")\n )\n ]\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and not (\n destination.ip == null or destination.ip == \"0.0.0.0\" or cidrmatch(\n destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\",\n \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\", \"172.31.0.0/16\"\n ) or\n process.executable in (\n \"/usr/lib64/firefox/firefox\", \"/usr/lib/firefox/firefox\", \"/opt/forticlient/fortitraylauncher\"\n )\n )\n ]\n", "references": 
["https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html", "https://hadess.io/the-art-of-linux-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "dd52d45a-4602-4195-9018-ebe0f219c273", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.013", "name": "XDG Autostart Entries", "reference": "https://attack.mitre.org/techniques/T1547/013/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "dd52d45a-4602-4195-9018-ebe0f219c273", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/dd52d45a-4602-4195-9018-ebe0f219c273_1.json b/packages/security_detection_engine/kibana/security_rule/dd52d45a-4602-4195-9018-ebe0f219c273_1.json
deleted file mode 100644
index e44bb52da19..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/dd52d45a-4602-4195-9018-ebe0f219c273_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects network connections initiated through Cross-Desktop Group (XDG) autostart entries for GNOME and XFCE-based Linux distributions. XDG Autostart entries can be used to execute arbitrary commands or scripts when a user logs in. This rule helps to identify potential malicious activity where an attacker may have modified XDG autostart scripts to establish persistence on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connections Initiated Through XDG Autostart Entry", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.parent.executable == \"/usr/bin/xfce4-session\") or\n (process.executable == \"/bin/sh\" and process.args == \"-e\" and process.args == \"-u\" and\n process.args == \"-c\" and process.args : \"export GIO_LAUNCHED_DESKTOP_FILE_PID=$$;*\")\n )\n ]\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\"]\n", "references": ["https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html", "https://hadess.io/the-art-of-linux-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "dd52d45a-4602-4195-9018-ebe0f219c273", "setup": "## 
Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.013", "name": "XDG Autostart Entries", "reference": "https://attack.mitre.org/techniques/T1547/013/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "dd52d45a-4602-4195-9018-ebe0f219c273_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/dd52d45a-4602-4195-9018-ebe0f219c273_2.json b/packages/security_detection_engine/kibana/security_rule/dd52d45a-4602-4195-9018-ebe0f219c273_2.json
deleted file mode 100644
index f6226495437..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/dd52d45a-4602-4195-9018-ebe0f219c273_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects network connections initiated through Cross-Desktop Group (XDG) autostart entries for GNOME and XFCE-based Linux distributions. XDG Autostart entries can be used to execute arbitrary commands or scripts when a user logs in. This rule helps to identify potential malicious activity where an attacker may have modified XDG autostart scripts to establish persistence on the system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connections Initiated Through XDG Autostart Entry", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and (\n (process.parent.executable == \"/usr/bin/xfce4-session\") or\n (process.executable == \"/bin/sh\" and process.args == \"-e\" and process.args == \"-u\" and\n process.args == \"-c\" and process.args : \"export GIO_LAUNCHED_DESKTOP_FILE_PID=$$;*\")\n )\n ]\n [network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and not (\n destination.ip == null or destination.ip == \"0.0.0.0\" or cidrmatch(\n destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\",\n \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\", \"172.31.0.0/16\"\n ) or\n process.executable in (\n \"/usr/lib64/firefox/firefox\", \"/usr/lib/firefox/firefox\", \"/opt/forticlient/fortitraylauncher\"\n )\n )\n ]\n", "references": 
["https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html", "https://hadess.io/the-art-of-linux-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "dd52d45a-4602-4195-9018-ebe0f219c273", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.013", "name": "XDG Autostart Entries", "reference": "https://attack.mitre.org/techniques/T1547/013/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "dd52d45a-4602-4195-9018-ebe0f219c273_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77.json b/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77.json
deleted file mode 100644
index d1d9ede2751..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "NullSessionPipe Registry Modification", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\nregistry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\"\n) and length(registry.data.strings) > 0 and\nnot registry.data.strings : \"(empty)\"\n", "references": ["https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "ddab1f5f-7089-44f5-9fda-de5b11322e77", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": 
"T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "ddab1f5f-7089-44f5-9fda-de5b11322e77", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_103.json b/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_103.json deleted file mode 100644 index e4202442cf9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "NullSessionPipe Registry Modification", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\nregistry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\"\n) and length(registry.data.strings) > 0\n", "references": ["https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "ddab1f5f-7089-44f5-9fda-de5b11322e77", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": 
"https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "ddab1f5f-7089-44f5-9fda-de5b11322e77_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_104.json b/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_104.json deleted file mode 100644 index ba816b9f2fc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "NullSessionPipe Registry Modification", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\nregistry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\"\n) and length(registry.data.strings) > 0\n", "references": ["https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "ddab1f5f-7089-44f5-9fda-de5b11322e77", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", 
"reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "ddab1f5f-7089-44f5-9fda-de5b11322e77_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_105.json b/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_105.json deleted file mode 100644 index 485e5b61edb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "NullSessionPipe Registry Modification", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\nregistry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\"\n) and length(registry.data.strings) > 0\n", "references": ["https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "ddab1f5f-7089-44f5-9fda-de5b11322e77", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": 
"SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "ddab1f5f-7089-44f5-9fda-de5b11322e77_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_106.json b/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_106.json deleted file mode 100644 index 869909b5438..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "NullSessionPipe Registry Modification", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\nregistry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\"\n) and length(registry.data.strings) > 0\n", "references": ["https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "ddab1f5f-7089-44f5-9fda-de5b11322e77", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": 
[{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "ddab1f5f-7089-44f5-9fda-de5b11322e77_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_107.json b/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_107.json deleted file mode 100644 index b637730ae83..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "NullSessionPipe Registry Modification", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\nregistry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\"\n) and length(registry.data.strings) > 0\n", "references": ["https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "ddab1f5f-7089-44f5-9fda-de5b11322e77", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": 
"https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "ddab1f5f-7089-44f5-9fda-de5b11322e77_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_108.json b/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_108.json deleted file mode 100644 index 63ea1bb0bcc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "NullSessionPipe Registry Modification", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\nregistry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\"\n) and length(registry.data.strings) > 0\n", "references": ["https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "ddab1f5f-7089-44f5-9fda-de5b11322e77", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", 
"reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "ddab1f5f-7089-44f5-9fda-de5b11322e77_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_109.json b/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_109.json deleted file mode 100644 index dc301bdad7a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "NullSessionPipe Registry Modification", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\nregistry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\"\n) and length(registry.data.strings) > 0 and\nnot registry.data.strings : \"(empty)\"\n", "references": ["https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "ddab1f5f-7089-44f5-9fda-de5b11322e77", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": 
"Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "ddab1f5f-7089-44f5-9fda-de5b11322e77_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_110.json b/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_110.json deleted file mode 100644 index 4ad6bccb0cc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ddab1f5f-7089-44f5-9fda-de5b11322e77_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies NullSessionPipe registry modifications that specify which pipes can be accessed anonymously. This could be indicative of adversary lateral movement preparation by making the added pipe available to everyone.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "NullSessionPipe Registry Modification", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\nregistry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\services\\\\LanmanServer\\\\Parameters\\\\NullSessionPipes\"\n) and length(registry.data.strings) > 0 and\nnot registry.data.strings : \"(empty)\"\n", "references": ["https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", "https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "ddab1f5f-7089-44f5-9fda-de5b11322e77", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": 
"T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "ddab1f5f-7089-44f5-9fda-de5b11322e77_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dde13d58-bc39-4aa0-87fd-b4bdbf4591da.json b/packages/security_detection_engine/kibana/security_rule/dde13d58-bc39-4aa0-87fd-b4bdbf4591da.json deleted file mode 100644 index 2598ccfc615..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dde13d58-bc39-4aa0-87fd-b4bdbf4591da.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised IAM roles. This rule looks for use of the IAM `AttachRolePolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM role.", "false_positives": ["While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `AttachRolePolicy` API operation to attach the `AdministratorAccess` policy to the target role."], "from": "now-6m", "language": "esql", "license": "Elastic License v2", "name": "AWS IAM AdministratorAccess Policy Attached to Role", "note": "## Triage and analysis\n\n### Investigating AWS IAM AdministratorAccess Policy Attached to Role\n\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources. \nWith access to the `iam:AttachRolePolicy` permission, a set of compromised credentials could be used to attach\nthis policy to a compromised role for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\nto look for use of the `AttachRolePolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\n\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment.\n- Review IAM permission policies for the user identity.\n- Identify the applications or users that should use this account.\n- Investigate other alerts associated with the account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n - Determine what other API calls were made by the user.\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachRolePolicy` permission and that the `role.name` should be given full administrative access.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n - Rotate user credentials\n - Remove the `AdministratorAccess` policy from the affected role(s)\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\n - Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "from logs-aws.cloudtrail-*\n| where event.provider == \"iam.amazonaws.com\" and event.action == \"AttachRolePolicy\" and event.outcome == \"success\"\n| dissect aws.cloudtrail.request_parameters \"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?roleName}=%{role.name}}\"\n| where policyName == \"AdministratorAccess\"\n", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html", "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html", "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"], "risk_score": 47, "rule_id": "dde13d58-bc39-4aa0-87fd-b4bdbf4591da", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": 
"https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 2}, "id": "dde13d58-bc39-4aa0-87fd-b4bdbf4591da", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dde13d58-bc39-4aa0-87fd-b4bdbf4591da_1.json b/packages/security_detection_engine/kibana/security_rule/dde13d58-bc39-4aa0-87fd-b4bdbf4591da_1.json deleted file mode 100644 index 2a5b49c0a02..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dde13d58-bc39-4aa0-87fd-b4bdbf4591da_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised IAM roles. This rule looks for use of the IAM `AttachRolePolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM role.", "false_positives": ["While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `AttachRolePolicy` API operation to attach the `AdministratorAccess` policy to the target role."], "from": "now-10m", "language": "esql", "license": "Elastic License v2", "name": "AWS IAM AdministratorAccess Policy Attached to Role", "note": "## Triage and analysis\n\n### Investigating AWS IAM AdministratorAccess Policy Attached to Role\n\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources. \nWith access to the `iam:AttachRolePolicy` permission, a set of compromised credentials could be used to attach\nthis policy to a compromised role for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\nto look for use of the `AttachRolePolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\n\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment.\n- Review IAM permission policies for the user identity.\n- Identify the applications or users that should use this account.\n- Investigate other alerts associated with the account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n - Determine what other API calls were made by the user.\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachRolePolicy` permission and that the `role.name` should be given full administrative access.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n - Rotate user credentials\n - Remove the `AdministratorAccess` policy from the affected role(s)\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\n - Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "from logs-aws.cloudtrail-*\n| where event.provider == \"iam.amazonaws.com\" and event.action == \"AttachRolePolicy\" and event.outcome == \"success\"\n| dissect aws.cloudtrail.request_parameters \"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?roleName}=%{role.name}}\"\n| where policyName == \"AdministratorAccess\"\n| keep @timestamp, aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id, event.action, policyName, role.name, user_agent.original, source.address, source.geo.location\n| sort aws.cloudtrail.user_identity.arn\n", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html", "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html", "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"], "risk_score": 47, "rule_id": "dde13d58-bc39-4aa0-87fd-b4bdbf4591da", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and 
Access Audit", "Tactic: Privilege Escalation", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "dde13d58-bc39-4aa0-87fd-b4bdbf4591da_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dde13d58-bc39-4aa0-87fd-b4bdbf4591da_2.json b/packages/security_detection_engine/kibana/security_rule/dde13d58-bc39-4aa0-87fd-b4bdbf4591da_2.json deleted file mode 100644 index 06ef42f93da..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dde13d58-bc39-4aa0-87fd-b4bdbf4591da_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to compromised IAM roles. This rule looks for use of the IAM `AttachRolePolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM role.", "false_positives": ["While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `AttachRolePolicy` API operation to attach the `AdministratorAccess` policy to the target role."], "from": "now-6m", "language": "esql", "license": "Elastic License v2", "name": "AWS IAM AdministratorAccess Policy Attached to Role", "note": "## Triage and analysis\n\n### Investigating AWS IAM AdministratorAccess Policy Attached to Role\n\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources. \nWith access to the `iam:AttachRolePolicy` permission, a set of compromised credentials could be used to attach\nthis policy to a compromised role for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\nto look for use of the `AttachRolePolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\n\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment.\n- Review IAM permission policies for the user identity.\n- Identify the applications or users that should use this account.\n- Investigate other alerts associated with the account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n - Determine what other API calls were made by the user.\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachRolePolicy` permission and that the `role.name` should be given full administrative access.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n - Rotate user credentials\n - Remove the `AdministratorAccess` policy from the affected role(s)\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\n - Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "from logs-aws.cloudtrail-*\n| where event.provider == \"iam.amazonaws.com\" and event.action == \"AttachRolePolicy\" and event.outcome == \"success\"\n| dissect aws.cloudtrail.request_parameters \"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?roleName}=%{role.name}}\"\n| where policyName == \"AdministratorAccess\"\n", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html", "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html", "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"], "risk_score": 47, "rule_id": "dde13d58-bc39-4aa0-87fd-b4bdbf4591da", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": 
"https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 2}, "id": "dde13d58-bc39-4aa0-87fd-b4bdbf4591da_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1.json b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1.json deleted file mode 100644 index ff14f566d9a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Process from a System Virtual Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.pid == 4 and process.executable : \"?*\" and\n not process.executable : (\"Registry\", \"MemCompression\", \"?:\\\\Windows\\\\System32\\\\smss.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}], "risk_score": 73, "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, 
"technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_104.json b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_104.json deleted file mode 100644 index 3ba0a21b8d8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Process from a System Virtual Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.pid == 4 and\n not process.executable : (\"Registry\", \"MemCompression\", \"?:\\\\Windows\\\\System32\\\\smss.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}], "risk_score": 73, "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_105.json b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_105.json
deleted file mode 100644
index d35a4dde50e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Process from a System Virtual Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.pid == 4 and\n not process.executable : (\"Registry\", \"MemCompression\", \"?:\\\\Windows\\\\System32\\\\smss.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}], "risk_score": 73, "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_106.json b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_106.json
deleted file mode 100644
index 3eef314d2d2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Process from a System Virtual Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.pid == 4 and\n not process.executable : (\"Registry\", \"MemCompression\", \"?:\\\\Windows\\\\System32\\\\smss.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}], "risk_score": 73, "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_107.json b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_107.json
deleted file mode 100644
index e94838a7ea5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Process from a System Virtual Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.pid == 4 and\n not process.executable : (\"Registry\", \"MemCompression\", \"?:\\\\Windows\\\\System32\\\\smss.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}], "risk_score": 73, "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": 
"https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_108.json b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_108.json deleted file mode 100644 index 6f1abf7dd53..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_108.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Process from a System Virtual Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.pid == 4 and process.executable : \"?*\" and\n not process.executable : (\"Registry\", \"MemCompression\", \"?:\\\\Windows\\\\System32\\\\smss.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}], "risk_score": 73, "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", 
"reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_109.json b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_109.json deleted file mode 100644 index 5281229d317..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_109.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Process from a System Virtual Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.pid == 4 and process.executable : \"?*\" and\n not process.executable : (\"Registry\", \"MemCompression\", \"?:\\\\Windows\\\\System32\\\\smss.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}], "risk_score": 73, "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", 
"name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_110.json b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_110.json deleted file mode 100644 index 5d522e80ce9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_110.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Process from a System Virtual Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.pid == 4 and process.executable : \"?*\" and\n not process.executable : (\"Registry\", \"MemCompression\", \"?:\\\\Windows\\\\System32\\\\smss.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}], "risk_score": 73, "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": 
"T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_111.json b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_111.json deleted file mode 100644 index 11aef84ae96..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_111.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Process from a System Virtual Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.pid == 4 and process.executable : \"?*\" and\n not process.executable : (\"Registry\", \"MemCompression\", \"?:\\\\Windows\\\\System32\\\\smss.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}], "risk_score": 73, "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, 
"technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_311.json b/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_311.json deleted file mode 100644 index 8bb117a01c8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/de9bd7e0-49e9-4e92-a64d-53ade2e66af1_311.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Process from a System Virtual Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.pid == 4 and process.executable : \"?*\" and\n not process.executable : (\"Registry\", \"MemCompression\", \"?:\\\\Windows\\\\System32\\\\smss.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.pid", "type": "long"}], "risk_score": 73, "rule_id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/"}]}], "timestamp_override": "event.ingested", "type": "eql", 
"version": 311}, "id": "de9bd7e0-49e9-4e92-a64d-53ade2e66af1_311", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795.json b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795.json deleted file mode 100644 index eac0c72eb7e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.", "false_positives": ["Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Base16 or Base32 Encoding/Decoding Activity", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name in (\"base16\", \"base32\", \"base32plain\", \"base32hex\") and\nnot process.args in (\"--help\", \"--version\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "debff20a-46bc-4a4d-bae5-5cdd14222795", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_103.json b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_103.json
deleted file mode 100644
index c075aa09e4f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.", "false_positives": ["Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Base16 or Base32 Encoding/Decoding Activity", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.name:(base16 or base32 or base32plain or base32hex)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795", "severity": "low", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "debff20a-46bc-4a4d-bae5-5cdd14222795_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_104.json b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_104.json
deleted file mode 100644
index cf6de26dced..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.", "false_positives": ["Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Base16 or Base32 Encoding/Decoding Activity", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.name:(base16 or base32 or base32plain or base32hex)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "debff20a-46bc-4a4d-bae5-5cdd14222795_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_105.json b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_105.json
deleted file mode 100644
index 6d0632e7d13..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.", "false_positives": ["Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Base16 or Base32 Encoding/Decoding Activity", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.name:(base16 or base32 or base32plain or base32hex)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "debff20a-46bc-4a4d-bae5-5cdd14222795_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_106.json b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_106.json
deleted file mode 100644
index ad93fd4f373..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.", "false_positives": ["Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Base16 or Base32 Encoding/Decoding Activity", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.name:(base16 or base32 or base32plain or base32hex)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795", "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "debff20a-46bc-4a4d-bae5-5cdd14222795_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_107.json b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_107.json
deleted file mode 100644
index 343c0f3a08f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.", "false_positives": ["Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Base16 or Base32 Encoding/Decoding Activity", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and\n process.name:(base16 or base32 or base32plain or base32hex)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "debff20a-46bc-4a4d-bae5-5cdd14222795_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_108.json b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_108.json
deleted file mode 100644
index ac59d5a6cd3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.", "false_positives": ["Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Base16 or Base32 Encoding/Decoding Activity", "query": "process where host.os.type == \"linux\" and event.type in (\"start\", \"process_started\") and\nprocess.name in (\"base16\", \"base32\", \"base32plain\", \"base32hex\") and not process.args in (\"--help\", \"--version\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "debff20a-46bc-4a4d-bae5-5cdd14222795_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_109.json b/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_109.json
deleted file mode 100644
index b71ceab0f42..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/debff20a-46bc-4a4d-bae5-5cdd14222795_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls.", "false_positives": ["Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be filtered by the process executable or username values."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Base16 or Base32 Encoding/Decoding Activity", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nevent.type == \"start\" and process.name in (\"base16\", \"base32\", \"base32plain\", \"base32hex\") and\nnot process.args in (\"--help\", \"--version\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "debff20a-46bc-4a4d-bae5-5cdd14222795", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/"}, {"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "debff20a-46bc-4a4d-bae5-5cdd14222795_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c.json b/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c.json
deleted file mode 100644
index dbb7156ffdd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of commands that can be used to query the Windows Registry. Adversaries may query the registry to gain situational awareness about the host, like installed security software, programs and settings.", "from": "now-24h", "history_window_start": "now-7d", "index": ["logs-endpoint.events.process-*"], "interval": "24h", "language": "kuery", "license": "Elastic License v2", "name": "Query Registry using Built-in Tools", "new_terms_fields": ["host.id", "user.id"], "query": "host.os.type:windows and event.category:process and event.type:start and\n (\n (process.name.caseless:\"reg.exe\" and process.args:\"query\") or\n (process.name.caseless:(\"powershell.exe\" or \"powershell_ise.exe\" or \"pwsh.exe\") and\n process.args:(\n (\"get-childitem\" or \"Get-ChildItem\" or \"gci\" or \"dir\" or \"ls\" or\n \"get-item\" or \"Get-Item\" or \"gi\" or\n \"get-itemproperty\" or \"Get-ItemProperty\" or \"gp\") and\n (\"hkcu\" or \"HKCU\" or \"hkey_current_user\" or \"HKEY_CURRENT_USER\" or\n \"hkey_local_machine\" or \"HKEY_LOCAL_MACHINE\" or\n \"hklm\" or \"HKLM\" or registry\\:\\:*)\n )\n )\n ) and\n not process.command_line : (\n \"C:\\\\Windows\\\\system32\\\\reg.exe query hklm\\\\software\\\\microsoft\\\\windows\\\\softwareinventorylogging /v collectionstate /reg:64\" or\n \"reg query \\\"HKLM\\\\Software\\\\WOW6432Node\\\\Npcap\\\" /ve \"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": false, "name": "process.name.caseless", "type": "unknown"}], "risk_score": 21, "rule_id": 
"ded09d02-0137-4ccc-8005-c45e617e8d4c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1012", "name": "Query Registry", "reference": "https://attack.mitre.org/techniques/T1012/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 105}, "id": "ded09d02-0137-4ccc-8005-c45e617e8d4c", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_1.json b/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_1.json deleted file mode 100644 index 7e7c29cecc9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of commands that can be used to query the Windows Registry. Adversaries may query the registry to gain situational awareness about the host, like installed security software, programs and settings.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Query Registry using Built-in Tools", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n process.name == \"reg.exe\" and process.args : \"query\" and\n not process.parent.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\")\n ) or\n (\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n (process.args: (\"*Get-ChildItem*\", \"*Get-Item*\", \"*Get-ItemProperty*\") and\n process.args : (\"*HKLM*\", \"*HKCU*\", \"*HKEY_LOCAL_MACHINE*\", \"*HKEY_CURRENT_USER*\", \"*Registry::*\"))\n )\n) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "ded09d02-0137-4ccc-8005-c45e617e8d4c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1012", "name": "Query Registry", "reference": 
"https://attack.mitre.org/techniques/T1012/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "ded09d02-0137-4ccc-8005-c45e617e8d4c_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_102.json b/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_102.json deleted file mode 100644 index 26ca4b0e4fe..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of commands that can be used to query the Windows Registry. Adversaries may query the registry to gain situational awareness about the host, like installed security software, programs and settings.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Query Registry using Built-in Tools", "new_terms_fields": ["host.id", "user.id"], "query": "host.os.type:windows and event.category:process and event.type:start and (\n (process.name.caseless:\"reg.exe\" and process.args:\"query\") or \n (process.name.caseless:(\"powershell.exe\" or \"powershell_ise.exe\" or \"pwsh.exe\") and \n process.command_line.caseless:((*Get-ChildItem* or *Get-Item* or *Get-ItemProperty*) and \n (*HKCU* or *HKEY_CURRENT_USER* or *HKEY_LOCAL_MACHINE* or *HKLM* or *Registry\\:\\:*))))\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": false, "name": "process.command_line.caseless", "type": "unknown"}, {"ecs": false, "name": "process.name.caseless", "type": "unknown"}], "risk_score": 21, "rule_id": "ded09d02-0137-4ccc-8005-c45e617e8d4c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1012", "name": "Query Registry", "reference": "https://attack.mitre.org/techniques/T1012/"}]}], "timestamp_override": 
"event.ingested", "type": "new_terms", "version": 102}, "id": "ded09d02-0137-4ccc-8005-c45e617e8d4c_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_103.json b/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_103.json deleted file mode 100644 index 121b1f4e1a2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of commands that can be used to query the Windows Registry. Adversaries may query the registry to gain situational awareness about the host, like installed security software, programs and settings.", "from": "now-24h", "history_window_start": "now-7d", "index": ["logs-endpoint.events.process*"], "interval": "24h", "language": "kuery", "license": "Elastic License v2", "name": "Query Registry using Built-in Tools", "new_terms_fields": ["host.id", "user.id"], "query": "host.os.type:windows and event.category:process and event.type:start and\n (\n (process.name.caseless:\"reg.exe\" and process.args:\"query\") or\n (process.name.caseless:(\"powershell.exe\" or \"powershell_ise.exe\" or \"pwsh.exe\") and\n process.args:(\n (\"get-childitem\" or \"Get-ChildItem\" or \"gci\" or \"dir\" or \"ls\" or\n \"get-item\" or \"Get-Item\" or \"gi\" or\n \"get-itemproperty\" or \"Get-ItemProperty\" or \"gp\") and\n (\"hkcu\" or \"HKCU\" or \"hkey_current_user\" or \"HKEY_CURRENT_USER\" or\n \"hkey_local_machine\" or \"HKEY_LOCAL_MACHINE\" or\n \"hklm\" or \"HKLM\" or registry\\:\\:*)\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": false, "name": "process.name.caseless", "type": "unknown"}], "risk_score": 21, "rule_id": "ded09d02-0137-4ccc-8005-c45e617e8d4c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": 
"https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1012", "name": "Query Registry", "reference": "https://attack.mitre.org/techniques/T1012/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 103}, "id": "ded09d02-0137-4ccc-8005-c45e617e8d4c_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_104.json b/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_104.json deleted file mode 100644 index 150582d63ba..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of commands that can be used to query the Windows Registry. Adversaries may query the registry to gain situational awareness about the host, like installed security software, programs and settings.", "from": "now-24h", "history_window_start": "now-7d", "index": ["logs-endpoint.events.process-*"], "interval": "24h", "language": "kuery", "license": "Elastic License v2", "name": "Query Registry using Built-in Tools", "new_terms_fields": ["host.id", "user.id"], "query": "host.os.type:windows and event.category:process and event.type:start and\n (\n (process.name.caseless:\"reg.exe\" and process.args:\"query\") or\n (process.name.caseless:(\"powershell.exe\" or \"powershell_ise.exe\" or \"pwsh.exe\") and\n process.args:(\n (\"get-childitem\" or \"Get-ChildItem\" or \"gci\" or \"dir\" or \"ls\" or\n \"get-item\" or \"Get-Item\" or \"gi\" or\n \"get-itemproperty\" or \"Get-ItemProperty\" or \"gp\") and\n (\"hkcu\" or \"HKCU\" or \"hkey_current_user\" or \"HKEY_CURRENT_USER\" or\n \"hkey_local_machine\" or \"HKEY_LOCAL_MACHINE\" or\n \"hklm\" or \"HKLM\" or registry\\:\\:*)\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": false, "name": "process.name.caseless", "type": "unknown"}], "risk_score": 21, "rule_id": "ded09d02-0137-4ccc-8005-c45e617e8d4c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": 
"https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1012", "name": "Query Registry", "reference": "https://attack.mitre.org/techniques/T1012/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 104}, "id": "ded09d02-0137-4ccc-8005-c45e617e8d4c_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_2.json b/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_2.json deleted file mode 100644 index 163b17df683..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ded09d02-0137-4ccc-8005-c45e617e8d4c_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule identifies the execution of commands that can be used to query the Windows Registry. Adversaries may query the registry to gain situational awareness about the host, like installed security software, programs and settings.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Query Registry using Built-in Tools", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n(\n (\n process.name == \"reg.exe\" and process.args : \"query\" and\n not process.parent.executable : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\")\n ) or\n (\n process.name: (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") and\n (process.args: (\"*Get-ChildItem*\", \"*Get-Item*\", \"*Get-ItemProperty*\") and\n process.args : (\"*HKLM*\", \"*HKCU*\", \"*HKEY_LOCAL_MACHINE*\", \"*HKEY_CURRENT_USER*\", \"*Registry::*\"))\n )\n) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "ded09d02-0137-4ccc-8005-c45e617e8d4c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1012", "name": "Query Registry", "reference": 
"https://attack.mitre.org/techniques/T1012/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "ded09d02-0137-4ccc-8005-c45e617e8d4c_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9.json b/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9.json deleted file mode 100644 index 464abcbe799..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the load of a driver with an original file name and signature values that were observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment.", "from": "now-9m", "history_window_start": "now-30d", "index": ["logs-endpoint.events.library-*"], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Driver Loaded", "new_terms_fields": ["dll.pe.original_file_name", "dll.code_signature.subject_name"], "note": "## Triage and analysis\n\n### Investigating First Time Seen Driver Loaded\n\nA driver is a software component that allows the operating system to communicate with hardware devices. It works at a high privilege level, the kernel level, having high control over the system's security and stability.\n\nAttackers may exploit known good but vulnerable drivers to execute code in their context because once an attacker can execute code in the kernel, security tools can no longer effectively protect the host. They can leverage these drivers to tamper, bypass and terminate security software, elevate privileges, create persistence mechanisms, and disable operating system protections and monitoring features. Attackers were seen in the wild conducting these actions before acting on their objectives, such as ransomware.\n\nRead the complete research on \"Stopping Vulnerable Driver Attacks\" done by Elastic Security Labs [here](https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks).\n\nThis rule identifies the load of a driver with an original file name and signature values observed for the first time during the last 30 days. 
This rule type can help baseline drivers installation within your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. If using Elastic Defend, this information can be found in the `dll.path` field.\n - Examine the digital signature of the driver, and check if it's valid.\n - Examine the creation and modification timestamps of the file:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `\"dll.Ext.relative_file_name_modify_time\"` fields, with the values being seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\nissuer_name, manufacturer, service, signed, subject_name 
FROM drivers JOIN authenticode ON drivers.image =\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image,\\nissuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image =\\nauthenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- Matches derived from these rules are not inherently malicious. The security team should investigate them to ensure they are legitimate and needed, then include them in an allowlist only if required. The security team should address any vulnerable driver installation as it can put the user and the domain at risk.\n\n### Related Rules\n\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:\"driver\" and host.os.type:windows and event.action:\"load\"\n", "references": ["https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "df0fd41e-5590-4965-ad5e-cd079ec22fa9", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 8}, "id": "df0fd41e-5590-4965-ad5e-cd079ec22fa9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_2.json b/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_2.json deleted file mode 100644 index c5ebdce0ae1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the load of a driver with an original file name and signature values that were observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment.", "from": "now-9m", "history_window_start": "now-30d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Driver Loaded", "new_terms_fields": ["dll.pe.original_file_name", "dll.code_signature.subject_name"], "query": "event.category:\"driver\" and host.os.type:windows and event.action:\"load\"\n", "references": ["https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "df0fd41e-5590-4965-ad5e-cd079ec22fa9", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "df0fd41e-5590-4965-ad5e-cd079ec22fa9_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_3.json b/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_3.json deleted file mode 100644 index 4a907716409..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the load of a driver with an original file name and signature values that were observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment.", "from": "now-9m", "history_window_start": "now-30d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Driver Loaded", "new_terms_fields": ["dll.pe.original_file_name", "dll.code_signature.subject_name"], "note": "## Triage and analysis\n\n### Investigating First Time Seen Driver Loaded\n\nA driver is a software component that allows the operating system to communicate with hardware devices. It works at a high privilege level, the kernel level, having high control over the system's security and stability.\n\nAttackers may exploit known good but vulnerable drivers to execute code in their context because once an attacker can execute code in the kernel, security tools can no longer effectively protect the host. They can leverage these drivers to tamper, bypass and terminate security software, elevate privileges, create persistence mechanisms, and disable operating system protections and monitoring features. Attackers were seen in the wild conducting these actions before acting on their objectives, such as ransomware.\n\nRead the complete research on \"Stopping Vulnerable Driver Attacks\" done by Elastic Security Labs [here](https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks).\n\nThis rule identifies the load of a driver with an original file name and signature values observed for the first time during the last 30 days. 
This rule type can help baseline drivers installation within your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. If using Elastic Defend, this information can be found in the `dll.path` field.\n - Examine the digital signature of the driver, and check if it's valid.\n - Examine the creation and modification timestamps of the file:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `\"dll.Ext.relative_file_name_modify_time\"` fields, with the values being seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name 
FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- Matches derived from these rules are not inherently malicious. The security team should investigate them to ensure they are legitimate and needed, then include them in an allowlist only if required. The security team should address any vulnerable driver installation as it can put the user and the domain at risk.\n\n### Related Rules\n\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:\"driver\" and host.os.type:windows and event.action:\"load\"\n", "references": ["https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "df0fd41e-5590-4965-ad5e-cd079ec22fa9", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 3}, "id": "df0fd41e-5590-4965-ad5e-cd079ec22fa9_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_4.json b/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_4.json
deleted file mode 100644
index a857f8aa99e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the load of a driver with an original file name and signature values that were observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment.", "from": "now-9m", "history_window_start": "now-30d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Driver Loaded", "new_terms_fields": ["dll.pe.original_file_name", "dll.code_signature.subject_name"], "note": "## Triage and analysis\n\n### Investigating First Time Seen Driver Loaded\n\nA driver is a software component that allows the operating system to communicate with hardware devices. It works at a high privilege level, the kernel level, having high control over the system's security and stability.\n\nAttackers may exploit known good but vulnerable drivers to execute code in their context because once an attacker can execute code in the kernel, security tools can no longer effectively protect the host. They can leverage these drivers to tamper, bypass and terminate security software, elevate privileges, create persistence mechanisms, and disable operating system protections and monitoring features. Attackers were seen in the wild conducting these actions before acting on their objectives, such as ransomware.\n\nRead the complete research on \"Stopping Vulnerable Driver Attacks\" done by Elastic Security Labs [here](https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks).\n\nThis rule identifies the load of a driver with an original file name and signature values observed for the first time during the last 30 days. 
This rule type can help baseline drivers installation within your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. If using Elastic Defend, this information can be found in the `dll.path` field.\n - Examine the digital signature of the driver, and check if it's valid.\n - Examine the creation and modification timestamps of the file:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `\"dll.Ext.relative_file_name_modify_time\"` fields, with the values being seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name 
FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- Matches derived from these rules are not inherently malicious. The security team should investigate them to ensure they are legitimate and needed, then include them in an allowlist only if required. The security team should address any vulnerable driver installation as it can put the user and the domain at risk.\n\n### Related Rules\n\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:\"driver\" and host.os.type:windows and event.action:\"load\"\n", "references": ["https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "df0fd41e-5590-4965-ad5e-cd079ec22fa9", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": 
"Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 4}, "id": "df0fd41e-5590-4965-ad5e-cd079ec22fa9_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_5.json b/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_5.json
deleted file mode 100644
index 3d42731c871..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the load of a driver with an original file name and signature values that were observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment.", "from": "now-9m", "history_window_start": "now-30d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Driver Loaded", "new_terms_fields": ["dll.pe.original_file_name", "dll.code_signature.subject_name"], "note": "## Triage and analysis\n\n### Investigating First Time Seen Driver Loaded\n\nA driver is a software component that allows the operating system to communicate with hardware devices. It works at a high privilege level, the kernel level, having high control over the system's security and stability.\n\nAttackers may exploit known good but vulnerable drivers to execute code in their context because once an attacker can execute code in the kernel, security tools can no longer effectively protect the host. They can leverage these drivers to tamper, bypass and terminate security software, elevate privileges, create persistence mechanisms, and disable operating system protections and monitoring features. Attackers were seen in the wild conducting these actions before acting on their objectives, such as ransomware.\n\nRead the complete research on \"Stopping Vulnerable Driver Attacks\" done by Elastic Security Labs [here](https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks).\n\nThis rule identifies the load of a driver with an original file name and signature values observed for the first time during the last 30 days. 
This rule type can help baseline drivers installation within your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. If using Elastic Defend, this information can be found in the `dll.path` field.\n - Examine the digital signature of the driver, and check if it's valid.\n - Examine the creation and modification timestamps of the file:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `\"dll.Ext.relative_file_name_modify_time\"` fields, with the values being seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name 
FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- Matches derived from these rules are not inherently malicious. The security team should investigate them to ensure they are legitimate and needed, then include them in an allowlist only if required. The security team should address any vulnerable driver installation as it can put the user and the domain at risk.\n\n### Related Rules\n\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:\"driver\" and host.os.type:windows and event.action:\"load\"\n", "references": ["https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "df0fd41e-5590-4965-ad5e-cd079ec22fa9", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 5}, "id": "df0fd41e-5590-4965-ad5e-cd079ec22fa9_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_6.json b/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_6.json
deleted file mode 100644
index c36393567c4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the load of a driver with an original file name and signature values that were observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment.", "from": "now-9m", "history_window_start": "now-30d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Driver Loaded", "new_terms_fields": ["dll.pe.original_file_name", "dll.code_signature.subject_name"], "note": "## Triage and analysis\n\n### Investigating First Time Seen Driver Loaded\n\nA driver is a software component that allows the operating system to communicate with hardware devices. It works at a high privilege level, the kernel level, having high control over the system's security and stability.\n\nAttackers may exploit known good but vulnerable drivers to execute code in their context because once an attacker can execute code in the kernel, security tools can no longer effectively protect the host. They can leverage these drivers to tamper, bypass and terminate security software, elevate privileges, create persistence mechanisms, and disable operating system protections and monitoring features. Attackers were seen in the wild conducting these actions before acting on their objectives, such as ransomware.\n\nRead the complete research on \"Stopping Vulnerable Driver Attacks\" done by Elastic Security Labs [here](https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks).\n\nThis rule identifies the load of a driver with an original file name and signature values observed for the first time during the last 30 days. 
This rule type can help baseline drivers installation within your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. If using Elastic Defend, this information can be found in the `dll.path` field.\n - Examine the digital signature of the driver, and check if it's valid.\n - Examine the creation and modification timestamps of the file:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `\"dll.Ext.relative_file_name_modify_time\"` fields, with the values being seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name 
FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- Matches derived from these rules are not inherently malicious. The security team should investigate them to ensure they are legitimate and needed, then include them in an allowlist only if required. The security team should address any vulnerable driver installation as it can put the user and the domain at risk.\n\n### Related Rules\n\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:\"driver\" and host.os.type:windows and event.action:\"load\"\n", "references": ["https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "df0fd41e-5590-4965-ad5e-cd079ec22fa9", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 6}, "id": "df0fd41e-5590-4965-ad5e-cd079ec22fa9_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_7.json b/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_7.json
deleted file mode 100644
index d4ba866f5b8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/df0fd41e-5590-4965-ad5e-cd079ec22fa9_7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the load of a driver with an original file name and signature values that were observed for the first time during the last 30 days. This rule type can help baseline drivers installation within your environment.", "from": "now-9m", "history_window_start": "now-30d", "index": ["logs-endpoint.events.library-*"], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen Driver Loaded", "new_terms_fields": ["dll.pe.original_file_name", "dll.code_signature.subject_name"], "note": "## Triage and analysis\n\n### Investigating First Time Seen Driver Loaded\n\nA driver is a software component that allows the operating system to communicate with hardware devices. It works at a high privilege level, the kernel level, having high control over the system's security and stability.\n\nAttackers may exploit known good but vulnerable drivers to execute code in their context because once an attacker can execute code in the kernel, security tools can no longer effectively protect the host. They can leverage these drivers to tamper, bypass and terminate security software, elevate privileges, create persistence mechanisms, and disable operating system protections and monitoring features. Attackers were seen in the wild conducting these actions before acting on their objectives, such as ransomware.\n\nRead the complete research on \"Stopping Vulnerable Driver Attacks\" done by Elastic Security Labs [here](https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks).\n\nThis rule identifies the load of a driver with an original file name and signature values observed for the first time during the last 30 days. 
This rule type can help baseline drivers installation within your environment.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the driver loaded to identify potentially suspicious characteristics. The following actions can help you gain context:\n - Identify the path that the driver was loaded from. If using Elastic Defend, this information can be found in the `dll.path` field.\n - Examine the digital signature of the driver, and check if it's valid.\n - Examine the creation and modification timestamps of the file:\n - On Elastic Defend, those can be found in the `dll.Ext.relative_file_creation_time` and `\"dll.Ext.relative_file_name_modify_time\"` fields, with the values being seconds.\n - Search for file creation events sharing the same file name as the `dll.name` field and identify the process responsible for the operation.\n - Investigate any other abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n - Use the driver SHA-256 (`dll.hash.sha256` field) hash value to search for the existence and reputation in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Use Osquery to investigate the drivers loaded into the system.\n - !{osquery{\"label\":\"Osquery - Retrieve All Non-Microsoft Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name 
FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE NOT (provider == \\\"Microsoft\\\" AND signed == \\\"1\\\")\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve All Unsigned Drivers with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, class, description, directory, image, issuer_name, manufacturer, service, signed, subject_name FROM drivers JOIN authenticode ON drivers.image = authenticode.path JOIN hash ON drivers.image = hash.path WHERE signed == \\\"0\\\"\\n\"}}\n- Identify the driver's `Device Name` and `Service Name`.\n- Check for alerts from the rules specified in the `Related Rules` section.\n\n### False positive analysis\n\n- Matches derived from these rules are not inherently malicious. The security team should investigate them to ensure they are legitimate and needed, then include them in an allowlist only if required. The security team should address any vulnerable driver installation as it can put the user and the domain at risk.\n\n### Related Rules\n\n- Untrusted Driver Loaded - d8ab1ec1-feeb-48b9-89e7-c12e189448aa\n- Code Signing Policy Modification Through Registry - da7733b1-fe08-487e-b536-0a04c6d8b0cd\n- Code Signing Policy Modification Through Built-in tools - b43570de-a908-4f7f-8bdb-b2df6ffd8c80\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Disable and uninstall all suspicious drivers found in the system. This can be done via Device Manager. (Note that this step may require you to boot the system into Safe Mode)\n- Remove the related services and registry keys found in the system. Note that the service will probably not stop if the driver is still installed.\n - This can be done via PowerShell `Remove-Service` cmdlet.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Ensure that the Driver Signature Enforcement is enabled on the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:\"driver\" and host.os.type:windows and event.action:\"load\"\n", "references": ["https://www.elastic.co/kr/security-labs/stopping-vulnerable-driver-attacks"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "df0fd41e-5590-4965-ad5e-cd079ec22fa9", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 7}, "id": "df0fd41e-5590-4965-ad5e-cd079ec22fa9_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a.json b/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a.json
deleted file mode 100644
index 3d253c9a4e6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", "false_positives": ["A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_rare_metadata_user"], "name": "Unusual Windows User Calling the Metadata Service", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "df197323-72a8-46a9-a08e-3f5b04a4a97a", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.005", 
"name": "Cloud Instance Metadata API", "reference": "https://attack.mitre.org/techniques/T1552/005/"}]}]}], "type": "machine_learning", "version": 104}, "id": "df197323-72a8-46a9-a08e-3f5b04a4a97a", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_101.json b/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_101.json deleted file mode 100644 index 8ab6fa3fab1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", "false_positives": ["A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_rare_metadata_user"], "name": "Unusual Windows User Calling the Metadata Service", "risk_score": 21, "rule_id": "df197323-72a8-46a9-a08e-3f5b04a4a97a", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.005", "name": "Cloud Instance Metadata API", "reference": "https://attack.mitre.org/techniques/T1552/005/"}]}]}], "type": "machine_learning", "version": 101}, "id": "df197323-72a8-46a9-a08e-3f5b04a4a97a_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_102.json b/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_102.json deleted file mode 100644 index a4e91c68e42..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", "false_positives": ["A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_rare_metadata_user"], "name": "Unusual Windows User Calling the Metadata Service", "risk_score": 21, "rule_id": "df197323-72a8-46a9-a08e-3f5b04a4a97a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.005", "name": "Cloud Instance Metadata API", "reference": "https://attack.mitre.org/techniques/T1552/005/"}]}]}], "type": "machine_learning", "version": 102}, "id": "df197323-72a8-46a9-a08e-3f5b04a4a97a_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_103.json b/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_103.json deleted file mode 100644 index 031793a02fb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", "false_positives": ["A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_rare_metadata_user"], "name": "Unusual Windows User Calling the Metadata Service", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "df197323-72a8-46a9-a08e-3f5b04a4a97a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.005", "name": "Cloud Instance Metadata API", "reference": "https://attack.mitre.org/techniques/T1552/005/"}]}]}], "type": "machine_learning", "version": 103}, "id": "df197323-72a8-46a9-a08e-3f5b04a4a97a_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_104.json b/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_104.json deleted file mode 100644 index a39971e50b6..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", "false_positives": ["A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_rare_metadata_user"], "name": "Unusual Windows User Calling the Metadata Service", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "df197323-72a8-46a9-a08e-3f5b04a4a97a", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.005", 
"name": "Cloud Instance Metadata API", "reference": "https://attack.mitre.org/techniques/T1552/005/"}]}]}], "type": "machine_learning", "version": 104}, "id": "df197323-72a8-46a9-a08e-3f5b04a4a97a_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_105.json b/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_105.json deleted file mode 100644 index 7ab37c63eff..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/df197323-72a8-46a9-a08e-3f5b04a4a97a_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.", "false_positives": ["A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_windows_rare_metadata_user"], "name": "Unusual Windows User Calling the Metadata Service", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "df197323-72a8-46a9-a08e-3f5b04a4a97a", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Windows\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Windows Integration Setup\nThe Windows integration allows you to monitor the Windows OS, services, applications, and more.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"windows\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cWindows\u201d and select the integration to see more details about it.\n- Click \u201cAdd Windows\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cwindows\u201d to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.005", 
"name": "Cloud Instance Metadata API", "reference": "https://attack.mitre.org/techniques/T1552/005/"}]}]}], "type": "machine_learning", "version": 105}, "id": "df197323-72a8-46a9-a08e-3f5b04a4a97a_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df26fd74-1baa-4479-b42e-48da84642330.json b/packages/security_detection_engine/kibana/security_rule/df26fd74-1baa-4479-b42e-48da84642330.json deleted file mode 100644 index 841c5e630fd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/df26fd74-1baa-4479-b42e-48da84642330.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Automation Account Created", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE\" and event.outcome:(Success or success)\n", "references": ["https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor", "https://github.com/hausec/PowerZure", "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "df26fd74-1baa-4479-b42e-48da84642330", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense 
Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "df26fd74-1baa-4479-b42e-48da84642330", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df26fd74-1baa-4479-b42e-48da84642330_101.json b/packages/security_detection_engine/kibana/security_rule/df26fd74-1baa-4479-b42e-48da84642330_101.json deleted file mode 100644 index 5bbcb0ff68f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/df26fd74-1baa-4479-b42e-48da84642330_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain persistence in their target's environment.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Automation Account Created", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE\" and event.outcome:(Success or success)\n", "references": ["https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor", "https://github.com/hausec/PowerZure", "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", "https://azure.microsoft.com/en-in/blog/azure-automation-runbook-management/"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "df26fd74-1baa-4479-b42e-48da84642330", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", 
"reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "df26fd74-1baa-4479-b42e-48da84642330_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0.json b/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0.json deleted file mode 100644 index 244909629d3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Dynamic Linker Copy", "note": "## Triage and analysis\n\n### Investigating Dynamic Linker Copy\n\nThe Linux dynamic linker is responsible for loading shared libraries required by executables at runtime. It is a critical component of the Linux operating system and should not be tampered with. \n\nAdversaries may attempt to copy the dynamic linker binary and create a backup copy before patching it to inject and preload malicious shared object files. This technique has been observed in recent Linux malware attacks and is considered highly suspicious or malicious.\n\nThe detection rule 'Dynamic Linker Copy' is designed to identify such abuse by monitoring for processes with names \"cp\" or \"rsync\" that involve copying the dynamic linker binary (\"/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\") and modifying the \"/etc/ld.so.preload\" file. Additionally, the rule checks for the creation of new files with the \"so\" extension on Linux systems. By detecting these activities within a short time span (1 minute), the rule aims to alert security analysts to potential malicious behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n### Possible investigation steps\n\n- Investigate the dynamic linker that was copied or altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE ( path = '/etc/ld.so.preload' OR path = '/lib64/ld-linux-x86-64.so.2' OR path =\\n'/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR path = '/usr/lib64/ld-linux-x86-64.so.2' OR path =\\n'/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' )\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path = '/etc/ld.so.preload' OR path =\\n'/lib64/ld-linux-x86-64.so.2' OR path = '/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR path =\\n'/usr/lib64/ld-linux-x86-64.so.2' OR path = '/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' )\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - 
!{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n- The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Modification of Dynamic Linker Preload Shared Object Inside A Container - 342f834b-21a6-41bf-878c-87d116eba3ee\n- Modification of Dynamic Linker Preload Shared Object - 717f82c2-7741-4f9b-85b8-d06aeb853f4f\n- Shared Object Created or Changed by Previously Unknown Process - aebaa51f-2a91-4f6a-850b-b601db2293f4\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=1m\n[process where host.os.type == \"linux\" and event.type == \"start\" and process.name in (\"cp\", \"rsync\") and\n process.args in (\n \"/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\", \"/etc/ld.so.preload\", \"/lib64/ld-linux-x86-64.so.2\",\n \"/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\", \"/usr/lib64/ld-linux-x86-64.so.2\"\n )]\n[file where host.os.type == \"linux\" and event.action == \"creation\" and file.extension == \"so\"]\n", "references": ["https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "df6f62d9-caab-4b88-affa-044f4395a1e0", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}], "type": "eql", "version": 109}, "id": "df6f62d9-caab-4b88-affa-044f4395a1e0", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_102.json b/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_102.json
deleted file mode 100644
index 8cf2c1fd88e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Dynamic Linker Copy", "query": "sequence by process.entity_id with maxspan=1m\n[process where host.os.type == \"linux\" and event.type == \"start\" and process.name : (\"cp\", \"rsync\") and\n process.args : (\"/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\", \"/etc/ld.so.preload\")]\n[file where host.os.type == \"linux\" and event.action == \"creation\" and file.extension == \"so\"]\n", "references": ["https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "df6f62d9-caab-4b88-affa-044f4395a1e0", "severity": "high", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Orbit"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": 
"https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}], "type": "eql", "version": 102}, "id": "df6f62d9-caab-4b88-affa-044f4395a1e0_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_103.json b/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_103.json deleted file mode 100644 index 83d7d88eec0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Dynamic Linker Copy", "query": "sequence by process.entity_id with maxspan=1m\n[process where host.os.type == \"linux\" and event.type == \"start\" and process.name : (\"cp\", \"rsync\") and\n process.args : (\"/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\", \"/etc/ld.so.preload\")]\n[file where host.os.type == \"linux\" and event.action == \"creation\" and file.extension == \"so\"]\n", "references": ["https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "df6f62d9-caab-4b88-affa-044f4395a1e0", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", 
"reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}], "type": "eql", "version": 103}, "id": "df6f62d9-caab-4b88-affa-044f4395a1e0_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_104.json b/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_104.json deleted file mode 100644 index 0c38547ba88..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Dynamic Linker Copy", "query": "sequence by process.entity_id with maxspan=1m\n[process where host.os.type == \"linux\" and event.type == \"start\" and process.name : (\"cp\", \"rsync\") and\n process.args : (\"/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\", \"/etc/ld.so.preload\")]\n[file where host.os.type == \"linux\" and event.action == \"creation\" and file.extension == \"so\"]\n", "references": ["https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "df6f62d9-caab-4b88-affa-044f4395a1e0", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", 
"name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}], "type": "eql", "version": 104}, "id": "df6f62d9-caab-4b88-affa-044f4395a1e0_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_105.json b/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_105.json deleted file mode 100644 index 053e3e82cd9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Dynamic Linker Copy", "query": "sequence by process.entity_id with maxspan=1m\n[process where host.os.type == \"linux\" and event.type == \"start\" and process.name : (\"cp\", \"rsync\") and\n process.args : (\"/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\", \"/etc/ld.so.preload\")]\n[file where host.os.type == \"linux\" and event.action == \"creation\" and file.extension == \"so\"]\n", "references": ["https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "df6f62d9-caab-4b88-affa-044f4395a1e0", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}], "type": "eql", "version": 105}, "id": "df6f62d9-caab-4b88-affa-044f4395a1e0_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_106.json b/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_106.json
deleted file mode 100644
index 25dafbe5fbd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Dynamic Linker Copy", "query": "sequence by process.entity_id with maxspan=1m\n[process where host.os.type == \"linux\" and event.type == \"start\" and process.name : (\"cp\", \"rsync\") and\n process.args : (\"/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\", \"/etc/ld.so.preload\")]\n[file where host.os.type == \"linux\" and event.action == \"creation\" and file.extension == \"so\"]\n", "references": ["https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "df6f62d9-caab-4b88-affa-044f4395a1e0", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}], "type": "eql", "version": 106}, "id": "df6f62d9-caab-4b88-affa-044f4395a1e0_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_107.json b/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_107.json
deleted file mode 100644
index a5d2ac6c396..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Dynamic Linker Copy", "note": "## Triage and analysis\n\n### Investigating Dynamic Linker Copy\n\nThe Linux dynamic linker is responsible for loading shared libraries required by executables at runtime. It is a critical component of the Linux operating system and should not be tampered with. \n\nAdversaries may attempt to copy the dynamic linker binary and create a backup copy before patching it to inject and preload malicious shared object files. This technique has been observed in recent Linux malware attacks and is considered highly suspicious or malicious.\n\nThe detection rule 'Dynamic Linker Copy' is designed to identify such abuse by monitoring for processes with names \"cp\" or \"rsync\" that involve copying the dynamic linker binary (\"/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\") and modifying the \"/etc/ld.so.preload\" file. Additionally, the rule checks for the creation of new files with the \"so\" extension on Linux systems. By detecting these activities within a short time span (1 minute), the rule aims to alert security analysts to potential malicious behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n### Possible investigation steps\n\n- Investigate the dynamic linker that was copied or altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\n path = '/etc/ld.so.preload' OR\\n path = '/lib64/ld-linux-x86-64.so.2' OR\\n path = '/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR\\n path = '/usr/lib64/ld-linux-x86-64.so.2' OR\\n path = '/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\n path = '/etc/ld.so.preload' OR\\n path = '/lib64/ld-linux-x86-64.so.2' OR\\n path = '/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR\\n path = '/usr/lib64/ld-linux-x86-64.so.2' OR\\n path = '/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - 
!{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n- The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Modification of Dynamic Linker Preload Shared Object Inside A Container - 342f834b-21a6-41bf-878c-87d116eba3ee\n- Modification of Dynamic Linker Preload Shared Object - 717f82c2-7741-4f9b-85b8-d06aeb853f4f\n- Shared Object Created or Changed by Previously Unknown Process - aebaa51f-2a91-4f6a-850b-b601db2293f4\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=1m\n[process where host.os.type == \"linux\" and event.type == \"start\" and process.name in (\"cp\", \"rsync\") and\n process.args in (\n \"/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\", \"/etc/ld.so.preload\", \"/lib64/ld-linux-x86-64.so.2\",\n \"/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\", \"/usr/lib64/ld-linux-x86-64.so.2\"\n )]\n[file where host.os.type == \"linux\" and event.action == \"creation\" and file.extension == \"so\"]\n", "references": ["https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "df6f62d9-caab-4b88-affa-044f4395a1e0", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}], "type": "eql", "version": 107}, "id": "df6f62d9-caab-4b88-affa-044f4395a1e0_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_108.json b/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_108.json
deleted file mode 100644
index ed201f73657..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/df6f62d9-caab-4b88-affa-044f4395a1e0_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the copying of the Linux dynamic loader binary and subsequent file creation for the purpose of creating a backup copy. This technique was seen recently being utilized by Linux malware prior to patching the dynamic loader in order to inject and preload a malicious shared object file. This activity should never occur and if it does then it should be considered highly suspicious or malicious.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Dynamic Linker Copy", "note": "## Triage and analysis\n\n### Investigating Dynamic Linker Copy\n\nThe Linux dynamic linker is responsible for loading shared libraries required by executables at runtime. It is a critical component of the Linux operating system and should not be tampered with. \n\nAdversaries may attempt to copy the dynamic linker binary and create a backup copy before patching it to inject and preload malicious shared object files. This technique has been observed in recent Linux malware attacks and is considered highly suspicious or malicious.\n\nThe detection rule 'Dynamic Linker Copy' is designed to identify such abuse by monitoring for processes with names \"cp\" or \"rsync\" that involve copying the dynamic linker binary (\"/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\") and modifying the \"/etc/ld.so.preload\" file. Additionally, the rule checks for the creation of new files with the \"so\" extension on Linux systems. By detecting these activities within a short time span (1 minute), the rule aims to alert security analysts to potential malicious behavior.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n### Possible investigation steps\n\n- Investigate the dynamic linker that was copied or altered.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\n path = '/etc/ld.so.preload' OR\\n path = '/lib64/ld-linux-x86-64.so.2' OR\\n path = '/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR\\n path = '/usr/lib64/ld-linux-x86-64.so.2' OR\\n path = '/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\n path = '/etc/ld.so.preload' OR\\n path = '/lib64/ld-linux-x86-64.so.2' OR\\n path = '/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2' OR\\n path = '/usr/lib64/ld-linux-x86-64.so.2' OR\\n path = '/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - 
!{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n- Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n- The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Modification of Dynamic Linker Preload Shared Object Inside A Container - 342f834b-21a6-41bf-878c-87d116eba3ee\n- Modification of Dynamic Linker Preload Shared Object - 717f82c2-7741-4f9b-85b8-d06aeb853f4f\n- Shared Object Created or Changed by Previously Unknown Process - aebaa51f-2a91-4f6a-850b-b601db2293f4\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id with maxspan=1m\n[process where host.os.type == \"linux\" and event.type == \"start\" and process.name in (\"cp\", \"rsync\") and\n process.args in (\n \"/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\", \"/etc/ld.so.preload\", \"/lib64/ld-linux-x86-64.so.2\",\n \"/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\", \"/usr/lib64/ld-linux-x86-64.so.2\"\n )]\n[file where host.os.type == \"linux\" and event.action == \"creation\" and file.extension == \"so\"]\n", "references": ["https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "df6f62d9-caab-4b88-affa-044f4395a1e0", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/"}]}]}], "type": "eql", "version": 108}, "id": "df6f62d9-caab-4b88-affa-044f4395a1e0_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba.json b/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba.json
deleted file mode 100644
index b73ed8f914d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects an attempt to create or modify a pod attached to the host PID namespace. HostPID allows a pod to access all the processes running on the host and could allow an attacker to take malicious action. When paired with ptrace this can be used to escalate privileges outside of the container. When paired with a privileged container, the pod can see all of the processes on the host. An attacker can enter the init system (PID 1) on the host. From there, they could execute a shell and continue to escalate privileges to root.", "false_positives": ["An administrator or developer may want to use a pod that runs as root and shares the hosts IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. 
Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\""], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Pod Created With HostPID", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.hostPID:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", "references": ["https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces", "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.image", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.hostPID", "type": "boolean"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "keyword"}], "risk_score": 47, "rule_id": "df7fda76-c92b-4943-bc68-04460a5ea5ba", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", 
"reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1610", "name": "Deploy Container", "reference": "https://attack.mitre.org/techniques/T1610/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 204}, "id": "df7fda76-c92b-4943-bc68-04460a5ea5ba", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_201.json b/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_201.json deleted file mode 100644 index 644e4926c9e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_201.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects an attempt to create or modify a pod attached to the host PID namespace. HostPID allows a pod to access all the processes running on the host and could allow an attacker to take malicious action. When paired with ptrace this can be used to escalate privileges outside of the container. When paired with a privileged container, the pod can see all of the processes on the host. An attacker can enter the init system (PID 1) on the host. From there, they could execute a shell and continue to escalate privileges to root.", "false_positives": ["An administrator or developer may want to use a pod that runs as root and shares the hosts IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. 
Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\""], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Pod Created With HostPID", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.hostPID:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", "references": ["https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces", "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.image", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.hostPID", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "unknown"}], "risk_score": 47, "rule_id": "df7fda76-c92b-4943-bc68-04460a5ea5ba", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege 
Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1610", "name": "Deploy Container", "reference": "https://attack.mitre.org/techniques/T1610/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 201}, "id": "df7fda76-c92b-4943-bc68-04460a5ea5ba_201", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_202.json b/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_202.json deleted file mode 100644 index 4b7f551e59a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_202.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects an attempt to create or modify a pod attached to the host PID namespace. HostPID allows a pod to access all the processes running on the host and could allow an attacker to take malicious action. When paired with ptrace this can be used to escalate privileges outside of the container. When paired with a privileged container, the pod can see all of the processes on the host. An attacker can enter the init system (PID 1) on the host. From there, they could execute a shell and continue to escalate privileges to root.", "false_positives": ["An administrator or developer may want to use a pod that runs as root and shares the hosts IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. 
Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\""], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Pod Created With HostPID", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.hostPID:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", "references": ["https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces", "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.image", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.hostPID", "type": "unknown"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "unknown"}], "risk_score": 47, "rule_id": "df7fda76-c92b-4943-bc68-04460a5ea5ba", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", 
"reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1610", "name": "Deploy Container", "reference": "https://attack.mitre.org/techniques/T1610/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 202}, "id": "df7fda76-c92b-4943-bc68-04460a5ea5ba_202", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_203.json b/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_203.json
deleted file mode 100644
index aa7345dd59c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/df7fda76-c92b-4943-bc68-04460a5ea5ba_203.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects an attempt to create or modify a pod attached to the host PID namespace. HostPID allows a pod to access all the processes running on the host and could allow an attacker to take malicious action. When paired with ptrace this can be used to escalate privileges outside of the container. When paired with a privileged container, the pod can see all of the processes on the host. An attacker can enter the init system (PID 1) on the host. From there, they could execute a shell and continue to escalate privileges to root.", "false_positives": ["An administrator or developer may want to use a pod that runs as root and shares the hosts IPC, Network, and PID namespaces for debugging purposes. If something is going wrong in the cluster and there is no easy way to SSH onto the host nodes directly, a privileged pod of this nature can be useful for viewing things like iptable rules and network namespaces from the host's perspective. 
Add exceptions for trusted container images using the query field \"kubernetes.audit.requestObject.spec.container.image\""], "index": ["logs-kubernetes.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kubernetes Pod Created With HostPID", "note": "", "query": "event.dataset : \"kubernetes.audit_logs\"\n and kubernetes.audit.annotations.authorization_k8s_io/decision:\"allow\"\n and kubernetes.audit.objectRef.resource:\"pods\"\n and kubernetes.audit.verb:(\"create\" or \"update\" or \"patch\")\n and kubernetes.audit.requestObject.spec.hostPID:true\n and not kubernetes.audit.requestObject.spec.containers.image: (\"docker.elastic.co/beats/elastic-agent:8.4.0\")\n", "references": ["https://research.nccgroup.com/2021/11/10/detection-engineering-for-kubernetes-clusters/#part3-kubernetes-detections", "https://kubernetes.io/docs/concepts/security/pod-security-policy/#host-namespaces", "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation"], "related_integrations": [{"package": "kubernetes", "version": "^1.4.1"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.annotations.authorization_k8s_io/decision", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.objectRef.resource", "type": "keyword"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.containers.image", "type": "text"}, {"ecs": false, "name": "kubernetes.audit.requestObject.spec.hostPID", "type": "boolean"}, {"ecs": false, "name": "kubernetes.audit.verb", "type": "keyword"}], "risk_score": 47, "rule_id": "df7fda76-c92b-4943-bc68-04460a5ea5ba", "setup": "The Kubernetes Fleet integration with Audit Logs enabled or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", 
"reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": "https://attack.mitre.org/techniques/T1611/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1610", "name": "Deploy Container", "reference": "https://attack.mitre.org/techniques/T1610/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 203}, "id": "df7fda76-c92b-4943-bc68-04460a5ea5ba_203", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/df919b5e-a0f6-4fd8-8598-e3ce79299e3b.json b/packages/security_detection_engine/kibana/security_rule/df919b5e-a0f6-4fd8-8598-e3ce79299e3b.json
deleted file mode 100644
index c867acc5a67..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/df919b5e-a0f6-4fd8-8598-e3ce79299e3b.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to user groups the compromised user account belongs to. This rule looks for use of the IAM `AttachGroupPolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM user group.", "false_positives": ["While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `AttachGroupPolicy` API operation to attach the `AdministratorAccess` policy to the user group."], "from": "now-6m", "language": "esql", "license": "Elastic License v2", "name": "AWS IAM AdministratorAccess Policy Attached to Group", "note": "## Triage and analysis\n\n### Investigating AWS IAM AdministratorAccess Policy Attached to Group\n\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources. \nWith access to the `iam:AttachGroupPolicy` permission, a set of compromised credentials could be used to attach\nthis policy to the current user's groups for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\nto look for use of the `AttachGroupPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\n\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment.\n- Review IAM permission policies for the user identity.\n- Identify the applications or users that should use this account.\n- Investigate other alerts associated with the account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n - Determine what other API calls were made by the user.\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n - Rotate user credentials\n - Remove the `AdministratorAccess` policy from the affected group(s)\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\n - Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "from logs-aws.cloudtrail-*\n| where event.provider == \"iam.amazonaws.com\" and event.action == \"AttachGroupPolicy\" and event.outcome == \"success\"\n| dissect aws.cloudtrail.request_parameters \"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?groupName}=%{group.name}}\"\n| where policyName == \"AdministratorAccess\"\n", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html", "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html", "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"], "risk_score": 47, "rule_id": "df919b5e-a0f6-4fd8-8598-e3ce79299e3b", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": 
"https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 2}, "id": "df919b5e-a0f6-4fd8-8598-e3ce79299e3b", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/df919b5e-a0f6-4fd8-8598-e3ce79299e3b_1.json b/packages/security_detection_engine/kibana/security_rule/df919b5e-a0f6-4fd8-8598-e3ce79299e3b_1.json
deleted file mode 100644
index 63e57ceb7b8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/df919b5e-a0f6-4fd8-8598-e3ce79299e3b_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to user groups the compromised user account belongs to. This rule looks for use of the IAM `AttachGroupPolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM user group.", "false_positives": ["While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `AttachGroupPolicy` API operation to attach the `AdministratorAccess` policy to the user group."], "from": "now-10m", "language": "esql", "license": "Elastic License v2", "name": "AWS IAM AdministratorAccess Policy Attached to Group", "note": "## Triage and analysis\n\n### Investigating AWS IAM AdministratorAccess Policy Attached to Group\n\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources. \nWith access to the `iam:AttachGroupPolicy` permission, a set of compromised credentials could be used to attach\nthis policy to the current user's groups for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\nto look for use of the `AttachGroupPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\n\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment.\n- Review IAM permission policies for the user identity.\n- Identify the applications or users that should use this account.\n- Investigate other alerts associated with the account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n - Determine what other API calls were made by the user.\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n - Rotate user credentials\n - Remove the `AdministratorAccess` policy from the affected group(s)\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\n - Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "from logs-aws.cloudtrail-*\n| where event.provider == \"iam.amazonaws.com\" and event.action == \"AttachGroupPolicy\" and event.outcome == \"success\"\n| dissect aws.cloudtrail.request_parameters \"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?groupName}=%{group.name}}\"\n| where policyName == \"AdministratorAccess\"\n| keep @timestamp, aws.cloudtrail.user_identity.arn, aws.cloudtrail.user_identity.access_key_id, event.action, policyName, group.name, user_agent.original, source.address, source.geo.location\n| sort aws.cloudtrail.user_identity.arn\n", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html", "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html", "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"], "risk_score": 47, "rule_id": "df919b5e-a0f6-4fd8-8598-e3ce79299e3b", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity 
and Access Audit", "Tactic: Privilege Escalation", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "df919b5e-a0f6-4fd8-8598-e3ce79299e3b_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/df919b5e-a0f6-4fd8-8598-e3ce79299e3b_2.json b/packages/security_detection_engine/kibana/security_rule/df919b5e-a0f6-4fd8-8598-e3ce79299e3b_2.json
deleted file mode 100644
index f260b5711d5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/df919b5e-a0f6-4fd8-8598-e3ce79299e3b_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "An adversary with access to a set of compromised credentials may attempt to persist or escalate privileges by attaching additional permissions to user groups the compromised user account belongs to. This rule looks for use of the IAM `AttachGroupPolicy` API operation to attach the highly permissive `AdministratorAccess` AWS managed policy to an existing IAM user group.", "false_positives": ["While this can be normal behavior, it should be investigated to ensure validity. Verify whether the user identity should be using the IAM `AttachGroupPolicy` API operation to attach the `AdministratorAccess` policy to the user group."], "from": "now-6m", "language": "esql", "license": "Elastic License v2", "name": "AWS IAM AdministratorAccess Policy Attached to Group", "note": "## Triage and analysis\n\n### Investigating AWS IAM AdministratorAccess Policy Attached to Group\n\nThe AWS IAM `AdministratorAccess` managed policy provides full access to all AWS services and resources. \nWith access to the `iam:AttachGroupPolicy` permission, a set of compromised credentials could be used to attach\nthis policy to the current user's groups for privilege escalation or as a means of persistence. This rule uses [ES|QL](https://www.elastic.co/guide/en/security/master/rules-ui-create.html#create-esql-rule)\nto look for use of the `AttachGroupPolicy` operation along with request_parameters where the policyName is `AdministratorAccess`.\n\n\n#### Possible investigation steps\n\n- Identify the account and its role in the environment.\n- Review IAM permission policies for the user identity.\n- Identify the applications or users that should use this account.\n- Investigate other alerts associated with the account during the past 48 hours.\n- Investigate abnormal values in the `user_agent.original` field by comparing them with the intended and authorized usage and historical data. 
Suspicious user agent values include non-SDK, AWS CLI, custom user agents, etc.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the calling user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n - Determine what other API calls were made by the user.\n - Assess whether this behavior is prevalent in the environment by looking for similar occurrences involving other users.\n\n### False positive analysis\n\n- False positives may occur due to the intended usage of the IAM `AdministratorAccess` managed policy. 
Verify the `aws.cloudtrail.user_identity.arn` should have the `iam:AttachUserPolicy` permission and that the `target.userName` should be given full administrative access.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n - Rotate user credentials\n - Remove the `AdministratorAccess` policy from the affected group(s)\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. \n - Rotate secrets or delete API keys as needed to revoke the attacker's access to the environment. 
\n - Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "from logs-aws.cloudtrail-*\n| where event.provider == \"iam.amazonaws.com\" and event.action == \"AttachGroupPolicy\" and event.outcome == \"success\"\n| dissect aws.cloudtrail.request_parameters \"{%{?policyArn}=%{?arn}:%{?aws}:%{?iam}::%{?aws}:%{?policy}/%{policyName},%{?groupName}=%{group.name}}\"\n| where policyName == \"AdministratorAccess\"\n", "references": ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html", "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html", "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"], "risk_score": 47, "rule_id": "df919b5e-a0f6-4fd8-8598-e3ce79299e3b", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS IAM", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": 
"https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.003", "name": "Additional Cloud Roles", "reference": "https://attack.mitre.org/techniques/T1098/003/"}]}]}], "timestamp_override": "event.ingested", "type": "esql", "version": 2}, "id": "df919b5e-a0f6-4fd8-8598-e3ce79299e3b_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/dffbd37c-d4c5-46f8-9181-5afdd9172b4c.json b/packages/security_detection_engine/kibana/security_rule/dffbd37c-d4c5-46f8-9181-5afdd9172b4c.json
deleted file mode 100644
index 3e0c0533948..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/dffbd37c-d4c5-46f8-9181-5afdd9172b4c.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.", "from": "now-9m", "index": ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential privilege escalation via CVE-2022-38028", "query": "file where host.os.type == \"windows\" and\n file.path : (\"?:\\\\*\\\\Windows\\\\system32\\\\DriVerStoRe\\\\FiLeRePoSiToRy\\\\*\\\\MPDW-constraints.js\",\n \"?:\\\\*\\\\Windows\\\\WinSxS\\\\amd64_microsoft-windows-printing-printtopdf_*\\\\MPDW-constraints.js\")\n", "references": ["https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "dffbd37c-d4c5-46f8-9181-5afdd9172b4c", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": 
"https://attack.mitre.org/techniques/T1036/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "dffbd37c-d4c5-46f8-9181-5afdd9172b4c", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dffbd37c-d4c5-46f8-9181-5afdd9172b4c_1.json b/packages/security_detection_engine/kibana/security_rule/dffbd37c-d4c5-46f8-9181-5afdd9172b4c_1.json deleted file mode 100644 index dbb747f429d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dffbd37c-d4c5-46f8-9181-5afdd9172b4c_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.", "from": "now-9m", "index": ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential privilege escalation via CVE-2022-38028", "query": "file where host.os.type == \"windows\" and\n file.path : (\"?:\\\\*\\\\Windows\\\\system32\\\\DriVerStoRe\\\\FiLeRePoSiToRy\\\\*\\\\MPDW-constraints.js\",\n \"?:\\\\*\\\\Windows\\\\WinSxS\\\\amd64_microsoft-windows-printing-printtopdf_*\\\\MPDW-constraints.js\")\n", "references": ["https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "dffbd37c-d4c5-46f8-9181-5afdd9172b4c", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "dffbd37c-d4c5-46f8-9181-5afdd9172b4c_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dffbd37c-d4c5-46f8-9181-5afdd9172b4c_2.json b/packages/security_detection_engine/kibana/security_rule/dffbd37c-d4c5-46f8-9181-5afdd9172b4c_2.json deleted file mode 100644 index 2b149c29863..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dffbd37c-d4c5-46f8-9181-5afdd9172b4c_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.", "from": "now-9m", "index": ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential privilege escalation via CVE-2022-38028", "query": "file where host.os.type == \"windows\" and\n file.path : (\"?:\\\\*\\\\Windows\\\\system32\\\\DriVerStoRe\\\\FiLeRePoSiToRy\\\\*\\\\MPDW-constraints.js\",\n \"?:\\\\*\\\\Windows\\\\WinSxS\\\\amd64_microsoft-windows-printing-printtopdf_*\\\\MPDW-constraints.js\")\n", "references": ["https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "dffbd37c-d4c5-46f8-9181-5afdd9172b4c", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": 
"https://attack.mitre.org/techniques/T1036/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "dffbd37c-d4c5-46f8-9181-5afdd9172b4c_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dffbd37c-d4c5-46f8-9181-5afdd9172b4c_3.json b/packages/security_detection_engine/kibana/security_rule/dffbd37c-d4c5-46f8-9181-5afdd9172b4c_3.json deleted file mode 100644 index aa2cc0c36e4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/dffbd37c-d4c5-46f8-9181-5afdd9172b4c_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.", "from": "now-9m", "index": ["logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential privilege escalation via CVE-2022-38028", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.name : \"MPDW-constraints.js\" and\n file.path : (\n \"?:\\\\*\\\\Windows\\\\system32\\\\DriVerStoRe\\\\FiLeRePoSiToRy\\\\*\\\\MPDW-constraints.js\",\n \"?:\\\\*\\\\Windows\\\\WinSxS\\\\amd64_microsoft-windows-printing-printtopdf_*\\\\MPDW-constraints.js\"\n )\n", "references": ["https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "dffbd37c-d4c5-46f8-9181-5afdd9172b4c", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", 
"name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "dffbd37c-d4c5-46f8-9181-5afdd9172b4c_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e00b8d49-632f-4dc6-94a5-76153a481915.json b/packages/security_detection_engine/kibana/security_rule/e00b8d49-632f-4dc6-94a5-76153a481915.json deleted file mode 100644 index d44d474bda6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e00b8d49-632f-4dc6-94a5-76153a481915.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of commonly abused Windows utilities via a delayed Ping execution. This behavior is often observed during malware installation and is consistent with an attacker attempting to evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.process-*"], "language": "eql", "license": "Elastic License v2", "name": "Delayed Execution via Ping", "query": "sequence by process.parent.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.action == \"start\" and process.name : \"ping.exe\" and\n process.args : \"-n\" and process.parent.name : \"cmd.exe\" and not user.id : \"S-1-5-18\"]\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n process.parent.name : \"cmd.exe\" and\n (\n process.name : (\n \"rundll32.exe\", \"powershell.exe\",\n \"mshta.exe\", \"msbuild.exe\",\n \"certutil.exe\", \"regsvr32.exe\",\n \"powershell.exe\", \"cscript.exe\",\n \"wscript.exe\", \"wmic.exe\",\n \"installutil.exe\", \"msxsl.exe\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"ieexec.exe\", \"iexpress.exe\",\n \"RegAsm.exe\", \"installutil.exe\",\n \"RegSvcs.exe\", \"RegAsm.exe\"\n ) or\n (process.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\*.exe\" and not process.code_signature.trusted == true)\n ) and\n\n not process.args : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\") and\n not (process.name : (\"openssl.exe\", \"httpcfg.exe\", \"certutil.exe\") and process.parent.command_line : \"*ScreenConnectConfigurator.cmd*\") and\n not (process.pe.original_file_name : \"DPInst.exe\" and process.command_line : \"driver\\\\DPInst_x64 /f \") and\n not (process.name : \"powershell.exe\" and process.args : \"Write-Host ======*\") and\n not (process.name : \"wscript.exe\" and process.args : \"launchquiet_args.vbs\" and process.parent.args : \"?:\\\\Windows\\\\TempInst\\\\7z*\") and\n not (process.name : \"regsvr32.exe\" and 
process.args : (\"?:\\\\windows\\\\syswow64\\\\msxml?.dll\", \"msxml?.dll\", \"?:\\\\Windows\\\\SysWOW64\\\\mschrt20.ocx\")) and \n not (process.name : \"wscript.exe\" and\n process.working_directory :\n (\"?:\\\\Windows\\\\TempInst\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\BackupBootstrapper\\\\Logs\\\\\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\QBTools\\\\\"))\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "e00b8d49-632f-4dc6-94a5-76153a481915", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", 
"reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1216", "name": "System Script Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1216/"}, {"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.003", "name": "CMSTP", "reference": "https://attack.mitre.org/techniques/T1218/003/"}, {"id": "T1218.004", "name": "InstallUtil", "reference": "https://attack.mitre.org/techniques/T1218/004/"}, {"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}, {"id": "T1218.009", "name": "Regsvcs/Regasm", "reference": "https://attack.mitre.org/techniques/T1218/009/"}, {"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}, {"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}, {"id": "T1220", "name": "XSL Script Processing", "reference": "https://attack.mitre.org/techniques/T1220/"}, {"id": "T1497", "name": "Virtualization/Sandbox Evasion", "reference": "https://attack.mitre.org/techniques/T1497/", "subtechnique": [{"id": "T1497.003", "name": "Time Based Evasion", "reference": "https://attack.mitre.org/techniques/T1497/003/"}]}]}], "type": "eql", "version": 3}, "id": "e00b8d49-632f-4dc6-94a5-76153a481915", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e00b8d49-632f-4dc6-94a5-76153a481915_1.json b/packages/security_detection_engine/kibana/security_rule/e00b8d49-632f-4dc6-94a5-76153a481915_1.json deleted file mode 100644 index b0a18d1ba5f..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/e00b8d49-632f-4dc6-94a5-76153a481915_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the execution of commonly abused Windows utilities via a delayed Ping execution. This behavior is often observed during malware installation and is consistent with an attacker attempting to evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Delayed Execution via Ping", "query": "sequence by process.parent.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.action == \"start\" and process.name : \"ping.exe\" and\n process.args : \"-n\" and process.parent.name : \"cmd.exe\" and not user.id : \"S-1-5-18\"]\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n process.parent.name : \"cmd.exe\" and\n (\n process.name : (\n \"rundll32.exe\", \"powershell.exe\",\n \"mshta.exe\", \"msbuild.exe\",\n \"certutil.exe\", \"regsvr32.exe\",\n \"powershell.exe\", \"cscript.exe\",\n \"wscript.exe\", \"wmic.exe\",\n \"installutil.exe\", \"msxsl.exe\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"ieexec.exe\", \"iexpress.exe\",\n \"RegAsm.exe\", \"installutil.exe\",\n \"RegSvcs.exe\", \"RegAsm.exe\"\n ) or\n (process.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\*.exe\" and not process.code_signature.trusted == true)\n ) and\n\n not process.args : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\") and\n not (process.name : (\"openssl.exe\", \"httpcfg.exe\", \"certutil.exe\") and process.parent.command_line : \"*ScreenConnectConfigurator.cmd*\") and\n not (process.pe.original_file_name : \"DPInst.exe\" and process.command_line : \"driver\\\\DPInst_x64 /f \") and\n not (process.name : \"powershell.exe\" and process.args : \"Write-Host ======*\") and\n not (process.name : \"wscript.exe\" and process.args : \"launchquiet_args.vbs\" and process.parent.args : \"?:\\\\Windows\\\\TempInst\\\\7z*\") and\n not (process.name : 
\"regsvr32.exe\" and process.args : (\"?:\\\\windows\\\\syswow64\\\\msxml?.dll\", \"msxml?.dll\", \"?:\\\\Windows\\\\SysWOW64\\\\mschrt20.ocx\")) and \n not (process.name : \"wscript.exe\" and\n process.working_directory :\n (\"?:\\\\Windows\\\\TempInst\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\BackupBootstrapper\\\\Logs\\\\\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\QBTools\\\\\"))\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "e00b8d49-632f-4dc6-94a5-76153a481915", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": 
"T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}, {"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1497", "name": "Virtualization/Sandbox Evasion", "reference": "https://attack.mitre.org/techniques/T1497/", "subtechnique": [{"id": "T1497.003", "name": "Time Based Evasion", "reference": "https://attack.mitre.org/techniques/T1497/003/"}]}, {"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.003", "name": "CMSTP", "reference": "https://attack.mitre.org/techniques/T1218/003/"}, {"id": "T1218.004", "name": "InstallUtil", "reference": "https://attack.mitre.org/techniques/T1218/004/"}, {"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}, {"id": "T1218.009", "name": "Regsvcs/Regasm", "reference": "https://attack.mitre.org/techniques/T1218/009/"}, {"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}, {"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}, {"id": "T1216", "name": "System Script Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1216/"}, {"id": "T1220", "name": "XSL Script Processing", "reference": "https://attack.mitre.org/techniques/T1220/"}]}], "type": "eql", "version": 1}, "id": "e00b8d49-632f-4dc6-94a5-76153a481915_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e00b8d49-632f-4dc6-94a5-76153a481915_2.json b/packages/security_detection_engine/kibana/security_rule/e00b8d49-632f-4dc6-94a5-76153a481915_2.json
deleted file mode 100644
index d2e5488e55b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e00b8d49-632f-4dc6-94a5-76153a481915_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of commonly abused Windows utilities via a delayed Ping execution. This behavior is often observed during malware installation and is consistent with an attacker attempting to evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.process-*"], "language": "eql", "license": "Elastic License v2", "name": "Delayed Execution via Ping", "query": "sequence by process.parent.entity_id with maxspan=1m\n [process where host.os.type == \"windows\" and event.action == \"start\" and process.name : \"ping.exe\" and\n process.args : \"-n\" and process.parent.name : \"cmd.exe\" and not user.id : \"S-1-5-18\"]\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n process.parent.name : \"cmd.exe\" and\n (\n process.name : (\n \"rundll32.exe\", \"powershell.exe\",\n \"mshta.exe\", \"msbuild.exe\",\n \"certutil.exe\", \"regsvr32.exe\",\n \"powershell.exe\", \"cscript.exe\",\n \"wscript.exe\", \"wmic.exe\",\n \"installutil.exe\", \"msxsl.exe\",\n \"Microsoft.Workflow.Compiler.exe\",\n \"ieexec.exe\", \"iexpress.exe\",\n \"RegAsm.exe\", \"installutil.exe\",\n \"RegSvcs.exe\", \"RegAsm.exe\"\n ) or\n (process.executable : \"?:\\\\Users\\\\*\\\\AppData\\\\*.exe\" and not process.code_signature.trusted == true)\n ) and\n\n not process.args : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\") and\n not (process.name : (\"openssl.exe\", \"httpcfg.exe\", \"certutil.exe\") and process.parent.command_line : \"*ScreenConnectConfigurator.cmd*\") and\n not (process.pe.original_file_name : \"DPInst.exe\" and process.command_line : \"driver\\\\DPInst_x64 /f \") and\n not (process.name : \"powershell.exe\" and process.args : \"Write-Host ======*\") and\n not (process.name : \"wscript.exe\" and process.args : \"launchquiet_args.vbs\" and process.parent.args : \"?:\\\\Windows\\\\TempInst\\\\7z*\") and\n not (process.name : \"regsvr32.exe\" and 
process.args : (\"?:\\\\windows\\\\syswow64\\\\msxml?.dll\", \"msxml?.dll\", \"?:\\\\Windows\\\\SysWOW64\\\\mschrt20.ocx\")) and \n not (process.name : \"wscript.exe\" and\n process.working_directory :\n (\"?:\\\\Windows\\\\TempInst\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\BackupBootstrapper\\\\Logs\\\\\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\QBTools\\\\\"))\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "e00b8d49-632f-4dc6-94a5-76153a481915", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.005", "name": "Visual Basic", 
"reference": "https://attack.mitre.org/techniques/T1059/005/"}, {"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1497", "name": "Virtualization/Sandbox Evasion", "reference": "https://attack.mitre.org/techniques/T1497/", "subtechnique": [{"id": "T1497.003", "name": "Time Based Evasion", "reference": "https://attack.mitre.org/techniques/T1497/003/"}]}, {"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.003", "name": "CMSTP", "reference": "https://attack.mitre.org/techniques/T1218/003/"}, {"id": "T1218.004", "name": "InstallUtil", "reference": "https://attack.mitre.org/techniques/T1218/004/"}, {"id": "T1218.005", "name": "Mshta", "reference": "https://attack.mitre.org/techniques/T1218/005/"}, {"id": "T1218.009", "name": "Regsvcs/Regasm", "reference": "https://attack.mitre.org/techniques/T1218/009/"}, {"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}, {"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}, {"id": "T1216", "name": "System Script Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1216/"}, {"id": "T1220", "name": "XSL Script Processing", "reference": "https://attack.mitre.org/techniques/T1220/"}]}], "type": "eql", "version": 2}, "id": "e00b8d49-632f-4dc6-94a5-76153a481915_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e02bd3ea-72c6-4181-ac2b-0f83d17ad969.json b/packages/security_detection_engine/kibana/security_rule/e02bd3ea-72c6-4181-ac2b-0f83d17ad969.json deleted file mode 100644 index 0a897b73c89..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/e02bd3ea-72c6-4181-ac2b-0f83d17ad969.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a firewall policy in Azure. An adversary may delete a firewall policy in an attempt to evade defenses and/or to eliminate barriers to their objective.", "false_positives": ["Firewall policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Firewall policy deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Firewall Policy Deletion", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE\" and event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "e02bd3ea-72c6-4181-ac2b-0f83d17ad969", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": 
"T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "e02bd3ea-72c6-4181-ac2b-0f83d17ad969", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e02bd3ea-72c6-4181-ac2b-0f83d17ad969_101.json b/packages/security_detection_engine/kibana/security_rule/e02bd3ea-72c6-4181-ac2b-0f83d17ad969_101.json deleted file mode 100644 index be8a34cae32..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e02bd3ea-72c6-4181-ac2b-0f83d17ad969_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of a firewall policy in Azure. An adversary may delete a firewall policy in an attempt to evade defenses and/or to eliminate barriers to their objective.", "false_positives": ["Firewall policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Firewall policy deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Firewall Policy Deletion", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE\" and event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "e02bd3ea-72c6-4181-ac2b-0f83d17ad969", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Network Security"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable 
or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "e02bd3ea-72c6-4181-ac2b-0f83d17ad969_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82.json b/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82.json deleted file mode 100644 index 2d48ce5d475..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "KRBTGT Delegation Backdoor", "query": "iam where event.action == \"modified-user-account\" and event.code == \"4738\" and\n winlog.event_data.AllowedToDelegateTo : \"*krbtgt*\"\n", "references": ["https://skyblue.team/posts/delegate-krbtgt", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AllowedToDelegateTo", "type": "unknown"}], "risk_score": 73, "rule_id": "e052c845-48d0-4f46-8a13-7d0aba05df82", "setup": "## Setup\n\nThe 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "e052c845-48d0-4f46-8a13-7d0aba05df82", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_103.json b/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_103.json deleted file mode 100644 index cf0dba1edc9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "KRBTGT Delegation Backdoor", "note": "", "query": "event.action:modified-user-account and host.os.type:windows and event.code:4738 and\n winlog.event_data.AllowedToDelegateTo:*krbtgt*\n", "references": ["https://skyblue.team/posts/delegate-krbtgt", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AllowedToDelegateTo", "type": "unknown"}], "risk_score": 73, "rule_id": "e052c845-48d0-4f46-8a13-7d0aba05df82", "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", 
"name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "e052c845-48d0-4f46-8a13-7d0aba05df82_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_104.json b/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_104.json deleted file mode 100644 index ac69a4289f8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "KRBTGT Delegation Backdoor", "note": "", "query": "event.action:modified-user-account and event.code:4738 and\n winlog.event_data.AllowedToDelegateTo:*krbtgt*\n", "references": ["https://skyblue.team/posts/delegate-krbtgt", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AllowedToDelegateTo", "type": "unknown"}], "risk_score": 73, "rule_id": "e052c845-48d0-4f46-8a13-7d0aba05df82", "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": 
"https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "e052c845-48d0-4f46-8a13-7d0aba05df82_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_105.json b/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_105.json deleted file mode 100644 index 5e559f474d9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "KRBTGT Delegation Backdoor", "note": "", "query": "event.action:modified-user-account and event.code:4738 and\n winlog.event_data.AllowedToDelegateTo:*krbtgt*\n", "references": ["https://skyblue.team/posts/delegate-krbtgt", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AllowedToDelegateTo", "type": "unknown"}], "risk_score": 73, "rule_id": "e052c845-48d0-4f46-8a13-7d0aba05df82", "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": 
"Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "e052c845-48d0-4f46-8a13-7d0aba05df82_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_106.json b/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_106.json deleted file mode 100644 index afb960022ff..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "KRBTGT Delegation Backdoor", "query": "event.action:modified-user-account and event.code:4738 and\n winlog.event_data.AllowedToDelegateTo:*krbtgt*\n", "references": ["https://skyblue.team/posts/delegate-krbtgt", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AllowedToDelegateTo", "type": "unknown"}], "risk_score": 73, "rule_id": "e052c845-48d0-4f46-8a13-7d0aba05df82", "setup": "\nThe 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account 
Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "e052c845-48d0-4f46-8a13-7d0aba05df82_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_107.json b/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_107.json deleted file mode 100644 index 7b3b3dac442..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "KRBTGT Delegation Backdoor", "query": "event.action:modified-user-account and event.code:4738 and\n winlog.event_data.AllowedToDelegateTo:*krbtgt*\n", "references": ["https://skyblue.team/posts/delegate-krbtgt", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AllowedToDelegateTo", "type": "unknown"}], "risk_score": 73, "rule_id": "e052c845-48d0-4f46-8a13-7d0aba05df82", "setup": "## Setup\n\nThe 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": 
"Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "e052c845-48d0-4f46-8a13-7d0aba05df82_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_108.json b/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_108.json deleted file mode 100644 index bdebb2e1419..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e052c845-48d0-4f46-8a13-7d0aba05df82_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the msDS-AllowedToDelegateTo attribute to KRBTGT. Attackers can use this technique to maintain persistence to the domain by having the ability to request tickets for the KRBTGT service.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "KRBTGT Delegation Backdoor", "query": "iam where event.action == \"modified-user-account\" and event.code == \"4738\" and\n winlog.event_data.AllowedToDelegateTo : \"*krbtgt*\"\n", "references": ["https://skyblue.team/posts/delegate-krbtgt", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AllowedToDelegateTo", "type": "unknown"}], "risk_score": 73, "rule_id": "e052c845-48d0-4f46-8a13-7d0aba05df82", "setup": "## Setup\n\nThe 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "e052c845-48d0-4f46-8a13-7d0aba05df82_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55.json b/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55.json deleted file mode 100644 index 0c5d1df8a7e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects the usage of commonly used system service discovery techniques, which attackers may use during the reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or escalate privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "System Service Discovery through built-in Windows Utilities", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n ((process.name: \"net.exe\" or process.pe.original_file_name == \"net.exe\" or (process.name : \"net1.exe\" and \n not process.parent.name : \"net.exe\")) and process.args : (\"start\", \"use\") and process.args_count == 2) or\n ((process.name: \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and process.args: (\"query\", \"q*\")) or\n ((process.name: \"tasklist.exe\" or process.pe.original_file_name == \"tasklist.exe\") and process.args: \"/svc\") or\n (process.name : \"psservice.exe\" or process.pe.original_file_name == \"psservice.exe\")\n ) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "e0881d20-54ac-457f-8733-fe0bc5d44c55", "severity": 
"low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Rule Type: BBR", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1007", "name": "System Service Discovery", "reference": "https://attack.mitre.org/techniques/T1007/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "e0881d20-54ac-457f-8733-fe0bc5d44c55", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_2.json b/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_2.json deleted file mode 100644 index 7a5ebca687a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the usage of commonly used system service discovery techniques, which attackers may use during the reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or escalate privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "System Service Discovery through built-in Windows Utilities", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n ((process.name: \"net.exe\" or process.pe.original_file_name == \"net.exe\" or (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\")) and process.args : (\"start\", \"use\") and process.args_count == 2) or\n ((process.name: \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and process.args: (\"query\", \"q*\")) or\n ((process.name: \"tasklist.exe\" or process.pe.original_file_name == \"tasklist.exe\") and process.args: \"/svc\")\n ) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "e0881d20-54ac-457f-8733-fe0bc5d44c55", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", 
"name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1007", "name": "System Service Discovery", "reference": "https://attack.mitre.org/techniques/T1007/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "e0881d20-54ac-457f-8733-fe0bc5d44c55_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_3.json b/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_3.json deleted file mode 100644 index bf25a7cd8de..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the usage of commonly used system service discovery techniques, which attackers may use during the reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or escalate privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "System Service Discovery through built-in Windows Utilities", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n ((process.name: \"net.exe\" or process.pe.original_file_name == \"net.exe\" or (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\")) and process.args : (\"start\", \"use\") and process.args_count == 2) or\n ((process.name: \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and process.args: (\"query\", \"q*\")) or\n ((process.name: \"tasklist.exe\" or process.pe.original_file_name == \"tasklist.exe\") and process.args: \"/svc\")\n ) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "e0881d20-54ac-457f-8733-fe0bc5d44c55", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1007", "name": "System Service Discovery", "reference": "https://attack.mitre.org/techniques/T1007/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "e0881d20-54ac-457f-8733-fe0bc5d44c55_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_4.json b/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_4.json deleted file mode 100644 index 209acd2b06c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the usage of commonly used system service discovery techniques, which attackers may use during the reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or escalate privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "System Service Discovery through built-in Windows Utilities", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n ((process.name: \"net.exe\" or process.pe.original_file_name == \"net.exe\" or (process.name : \"net1.exe\" and not process.parent.name : \"net.exe\")) and process.args : (\"start\", \"use\") and process.args_count == 2) or\n ((process.name: \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and process.args: (\"query\", \"q*\")) or\n ((process.name: \"tasklist.exe\" or process.pe.original_file_name == \"tasklist.exe\") and process.args: \"/svc\") or\n (process.name : \"psservice.exe\" or process.pe.original_file_name == \"psservice.exe\")\n ) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "e0881d20-54ac-457f-8733-fe0bc5d44c55", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat 
Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1007", "name": "System Service Discovery", "reference": "https://attack.mitre.org/techniques/T1007/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "e0881d20-54ac-457f-8733-fe0bc5d44c55_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_5.json b/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_5.json deleted file mode 100644 index 3d23c393f3b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects the usage of commonly used system service discovery techniques, which attackers may use during the reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or escalate privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "System Service Discovery through built-in Windows Utilities", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n ((process.name: \"net.exe\" or process.pe.original_file_name == \"net.exe\" or (process.name : \"net1.exe\" and \n not process.parent.name : \"net.exe\")) and process.args : (\"start\", \"use\") and process.args_count == 2) or\n ((process.name: \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and process.args: (\"query\", \"q*\")) or\n ((process.name: \"tasklist.exe\" or process.pe.original_file_name == \"tasklist.exe\") and process.args: \"/svc\") or\n (process.name : \"psservice.exe\" or process.pe.original_file_name == \"psservice.exe\")\n ) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "e0881d20-54ac-457f-8733-fe0bc5d44c55", "severity": "low", "tags": ["Domain: Endpoint", 
"OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1007", "name": "System Service Discovery", "reference": "https://attack.mitre.org/techniques/T1007/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "e0881d20-54ac-457f-8733-fe0bc5d44c55_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_6.json b/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_6.json deleted file mode 100644 index db14af10b5a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects the usage of commonly used system service discovery techniques, which attackers may use during the reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or escalate privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "System Service Discovery through built-in Windows Utilities", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n ((process.name: \"net.exe\" or process.pe.original_file_name == \"net.exe\" or (process.name : \"net1.exe\" and \n not process.parent.name : \"net.exe\")) and process.args : (\"start\", \"use\") and process.args_count == 2) or\n ((process.name: \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and process.args: (\"query\", \"q*\")) or\n ((process.name: \"tasklist.exe\" or process.pe.original_file_name == \"tasklist.exe\") and process.args: \"/svc\") or\n (process.name : \"psservice.exe\" or process.pe.original_file_name == \"psservice.exe\")\n ) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "e0881d20-54ac-457f-8733-fe0bc5d44c55", "severity": 
"low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1007", "name": "System Service Discovery", "reference": "https://attack.mitre.org/techniques/T1007/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "e0881d20-54ac-457f-8733-fe0bc5d44c55_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_7.json b/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_7.json deleted file mode 100644 index 18f696cd7c8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects the usage of commonly used system service discovery techniques, which attackers may use during the reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or escalate privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "System Service Discovery through built-in Windows Utilities", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n ((process.name: \"net.exe\" or process.pe.original_file_name == \"net.exe\" or (process.name : \"net1.exe\" and \n not process.parent.name : \"net.exe\")) and process.args : (\"start\", \"use\") and process.args_count == 2) or\n ((process.name: \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and process.args: (\"query\", \"q*\")) or\n ((process.name: \"tasklist.exe\" or process.pe.original_file_name == \"tasklist.exe\") and process.args: \"/svc\") or\n (process.name : \"psservice.exe\" or process.pe.original_file_name == \"psservice.exe\")\n ) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "e0881d20-54ac-457f-8733-fe0bc5d44c55", "severity": 
"low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Rule Type: BBR", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1007", "name": "System Service Discovery", "reference": "https://attack.mitre.org/techniques/T1007/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "e0881d20-54ac-457f-8733-fe0bc5d44c55_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_8.json b/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_8.json deleted file mode 100644 index 0aa76c1b7a3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e0881d20-54ac-457f-8733-fe0bc5d44c55_8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects the usage of commonly used system service discovery techniques, which attackers may use during the reconnaissance phase after compromising a system in order to gain a better understanding of the environment and/or escalate privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "System Service Discovery through built-in Windows Utilities", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n ((process.name: \"net.exe\" or process.pe.original_file_name == \"net.exe\" or (process.name : \"net1.exe\" and \n not process.parent.name : \"net.exe\")) and process.args : (\"start\", \"use\") and process.args_count == 2) or\n ((process.name: \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and process.args: (\"query\", \"q*\")) or\n ((process.name: \"tasklist.exe\" or process.pe.original_file_name == \"tasklist.exe\") and process.args: \"/svc\") or\n (process.name : \"psservice.exe\" or process.pe.original_file_name == \"psservice.exe\")\n ) and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "e0881d20-54ac-457f-8733-fe0bc5d44c55", "severity": 
"low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Rule Type: BBR", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1007", "name": "System Service Discovery", "reference": "https://attack.mitre.org/techniques/T1007/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "e0881d20-54ac-457f-8733-fe0bc5d44c55_8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49.json b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49.json deleted file mode 100644 index 4a9d3f3a129..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "@BenB196", "Austin Songer"], "description": "Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.", "from": "now-180m", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempts to Brute Force an Okta User Account", "note": "## Triage and analysis\n\n### Investigating Attempts to Brute Force an Okta User Account\n\nBrute force attacks aim to guess user credentials through exhaustive trial-and-error attempts. In this context, Okta accounts are targeted.\n\nThis rule fires when an Okta user account has been locked out 3 times within a 3-hour window. This could indicate an attempted brute force or password spraying attack to gain unauthorized access to the user account. Okta's default authentication policy locks a user account after 10 failed authentication attempts.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. This should give the username of the account being targeted.\n- Review the `okta.event_type` field to understand the nature of the events that led to the account lockout.\n- Check the `okta.severity` and `okta.display_message` fields for more context around the lockout events.\n- Look for correlation of events from the same IP address. Multiple lockouts from the same IP address might indicate a single source for the attack.\n- If the IP is not familiar, investigate it. The IP could be a proxy, VPN, Tor node, cloud datacenter, or a legitimate IP turned malicious.\n- Determine if the lockout events occurred during the user's regular activity hours. 
Unusual timing may indicate malicious activity.\n- Examine the authentication methods used during the lockout events by checking the `okta.authentication_context.credential_type` field.\n\n### False positive analysis:\n\n- Determine whether the account owner or an internal user made repeated mistakes in entering their credentials, leading to the account lockout.\n- Ensure there are no known network or application issues that might cause these events.\n\n### Response and remediation:\n\n- Alert the user and your IT department immediately.\n- If unauthorized access is confirmed, initiate your incident response process.\n- Investigate the source of the attack. If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\n- Require the affected user to change their password.\n- If the attack is ongoing, consider blocking the IP address initiating the brute force attack.\n- Implement account lockout policies to limit the impact of brute force attacks.\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\n- Check if the compromised account was used to access or alter any sensitive data or systems.", "query": "event.dataset:okta.system and event.action:user.account.lock\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e08ccd49-0380-4b2b-8d71-8000377d6e49", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: 
Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["okta.actor.alternate_id"], "value": 3}, "timestamp_override": "event.ingested", "type": "threshold", "version": 208}, "id": "e08ccd49-0380-4b2b-8d71-8000377d6e49", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_102.json b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_102.json deleted file mode 100644 index d4c5254940e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "@BenB196", "Austin Songer"], "description": "Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.", "from": "now-180m", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempts to Brute Force an Okta User Account", "note": "", "query": "event.dataset:okta.system and event.action:user.account.lock\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e08ccd49-0380-4b2b-8d71-8000377d6e49", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["okta.actor.alternate_id"], "value": 3}, "type": "threshold", "version": 102}, "id": "e08ccd49-0380-4b2b-8d71-8000377d6e49_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_103.json b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_103.json
deleted file mode 100644
index 844fcf8874e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "@BenB196", "Austin Songer"], "description": "Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.", "from": "now-180m", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempts to Brute Force an Okta User Account", "note": "", "query": "event.dataset:okta.system and event.action:user.account.lock\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e08ccd49-0380-4b2b-8d71-8000377d6e49", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["okta.actor.alternate_id"], "value": 3}, "type": "threshold", "version": 103}, "id": "e08ccd49-0380-4b2b-8d71-8000377d6e49_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_104.json b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_104.json
deleted file mode 100644
index 9400e5d7467..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "@BenB196", "Austin Songer"], "description": "Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.", "from": "now-180m", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempts to Brute Force an Okta User Account", "note": "## Triage and analysis\n\n### Investigating Attempts to Brute Force an Okta User Account\n\nBrute force attacks aim to guess user credentials through exhaustive trial-and-error attempts. In this context, Okta accounts are targeted.\n\nThis rule fires when an Okta user account has been locked out 3 times within a 3-hour window. This could indicate an attempted brute force or password spraying attack to gain unauthorized access to the user account. Okta's default authentication policy locks a user account after 10 failed authentication attempts.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. This should give the username of the account being targeted.\n- Review the `okta.event_type` field to understand the nature of the events that led to the account lockout.\n- Check the `okta.severity` and `okta.display_message` fields for more context around the lockout events.\n- Look for correlation of events from the same IP address. Multiple lockouts from the same IP address might indicate a single source for the attack.\n- If the IP is not familiar, investigate it. The IP could be a proxy, VPN, Tor node, cloud datacenter, or a legitimate IP turned malicious.\n- Determine if the lockout events occurred during the user's regular activity hours. 
Unusual timing may indicate malicious activity.\n- Examine the authentication methods used during the lockout events by checking the `okta.authentication_context.credential_type` field.\n\n### False positive analysis:\n\n- Determine whether the account owner or an internal user made repeated mistakes in entering their credentials, leading to the account lockout.\n- Ensure there are no known network or application issues that might cause these events.\n\n### Response and remediation:\n\n- Alert the user and your IT department immediately.\n- If unauthorized access is confirmed, initiate your incident response process.\n- Investigate the source of the attack. If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\n- Require the affected user to change their password.\n- If the attack is ongoing, consider blocking the IP address initiating the brute force attack.\n- Implement account lockout policies to limit the impact of brute force attacks.\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\n- Check if the compromised account was used to access or alter any sensitive data or systems.", "query": "event.dataset:okta.system and event.action:user.account.lock\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e08ccd49-0380-4b2b-8d71-8000377d6e49", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data 
Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["okta.actor.alternate_id"], "value": 3}, "type": "threshold", "version": 104}, "id": "e08ccd49-0380-4b2b-8d71-8000377d6e49_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_105.json b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_105.json deleted file mode 100644 index e62f11b445b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "@BenB196", "Austin Songer"], "description": "Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.", "from": "now-180m", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempts to Brute Force an Okta User Account", "note": "## Triage and analysis\n\n### Investigating Attempts to Brute Force an Okta User Account\n\nBrute force attacks aim to guess user credentials through exhaustive trial-and-error attempts. In this context, Okta accounts are targeted.\n\nThis rule fires when an Okta user account has been locked out 3 times within a 3-hour window. This could indicate an attempted brute force or password spraying attack to gain unauthorized access to the user account. Okta's default authentication policy locks a user account after 10 failed authentication attempts.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. This should give the username of the account being targeted.\n- Review the `okta.event_type` field to understand the nature of the events that led to the account lockout.\n- Check the `okta.severity` and `okta.display_message` fields for more context around the lockout events.\n- Look for correlation of events from the same IP address. Multiple lockouts from the same IP address might indicate a single source for the attack.\n- If the IP is not familiar, investigate it. The IP could be a proxy, VPN, Tor node, cloud datacenter, or a legitimate IP turned malicious.\n- Determine if the lockout events occurred during the user's regular activity hours. 
Unusual timing may indicate malicious activity.\n- Examine the authentication methods used during the lockout events by checking the `okta.authentication_context.credential_type` field.\n\n### False positive analysis:\n\n- Determine whether the account owner or an internal user made repeated mistakes in entering their credentials, leading to the account lockout.\n- Ensure there are no known network or application issues that might cause these events.\n\n### Response and remediation:\n\n- Alert the user and your IT department immediately.\n- If unauthorized access is confirmed, initiate your incident response process.\n- Investigate the source of the attack. If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\n- Require the affected user to change their password.\n- If the attack is ongoing, consider blocking the IP address initiating the brute force attack.\n- Implement account lockout policies to limit the impact of brute force attacks.\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\n- Check if the compromised account was used to access or alter any sensitive data or systems.", "query": "event.dataset:okta.system and event.action:user.account.lock\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e08ccd49-0380-4b2b-8d71-8000377d6e49", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: 
Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["okta.actor.alternate_id"], "value": 3}, "type": "threshold", "version": 105}, "id": "e08ccd49-0380-4b2b-8d71-8000377d6e49_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_106.json b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_106.json deleted file mode 100644 index 405a2dd4a0c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_106.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "@BenB196", "Austin Songer"], "description": "Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.", "from": "now-180m", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempts to Brute Force an Okta User Account", "note": "## Triage and analysis\n\n### Investigating Attempts to Brute Force an Okta User Account\n\nBrute force attacks aim to guess user credentials through exhaustive trial-and-error attempts. In this context, Okta accounts are targeted.\n\nThis rule fires when an Okta user account has been locked out 3 times within a 3-hour window. This could indicate an attempted brute force or password spraying attack to gain unauthorized access to the user account. Okta's default authentication policy locks a user account after 10 failed authentication attempts.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. This should give the username of the account being targeted.\n- Review the `okta.event_type` field to understand the nature of the events that led to the account lockout.\n- Check the `okta.severity` and `okta.display_message` fields for more context around the lockout events.\n- Look for correlation of events from the same IP address. Multiple lockouts from the same IP address might indicate a single source for the attack.\n- If the IP is not familiar, investigate it. The IP could be a proxy, VPN, Tor node, cloud datacenter, or a legitimate IP turned malicious.\n- Determine if the lockout events occurred during the user's regular activity hours. 
Unusual timing may indicate malicious activity.\n- Examine the authentication methods used during the lockout events by checking the `okta.authentication_context.credential_type` field.\n\n### False positive analysis:\n\n- Determine whether the account owner or an internal user made repeated mistakes in entering their credentials, leading to the account lockout.\n- Ensure there are no known network or application issues that might cause these events.\n\n### Response and remediation:\n\n- Alert the user and your IT department immediately.\n- If unauthorized access is confirmed, initiate your incident response process.\n- Investigate the source of the attack. If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\n- Require the affected user to change their password.\n- If the attack is ongoing, consider blocking the IP address initiating the brute force attack.\n- Implement account lockout policies to limit the impact of brute force attacks.\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\n- Check if the compromised account was used to access or alter any sensitive data or systems.", "query": "event.dataset:okta.system and event.action:user.account.lock\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e08ccd49-0380-4b2b-8d71-8000377d6e49", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: 
Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["okta.actor.alternate_id"], "value": 3}, "type": "threshold", "version": 106}, "id": "e08ccd49-0380-4b2b-8d71-8000377d6e49_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_207.json b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_207.json
deleted file mode 100644
index 02d704c8a7f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_207.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "@BenB196", "Austin Songer"], "description": "Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.", "from": "now-180m", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempts to Brute Force an Okta User Account", "note": "## Triage and analysis\n\n### Investigating Attempts to Brute Force an Okta User Account\n\nBrute force attacks aim to guess user credentials through exhaustive trial-and-error attempts. In this context, Okta accounts are targeted.\n\nThis rule fires when an Okta user account has been locked out 3 times within a 3-hour window. This could indicate an attempted brute force or password spraying attack to gain unauthorized access to the user account. Okta's default authentication policy locks a user account after 10 failed authentication attempts.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. This should give the username of the account being targeted.\n- Review the `okta.event_type` field to understand the nature of the events that led to the account lockout.\n- Check the `okta.severity` and `okta.display_message` fields for more context around the lockout events.\n- Look for correlation of events from the same IP address. Multiple lockouts from the same IP address might indicate a single source for the attack.\n- If the IP is not familiar, investigate it. The IP could be a proxy, VPN, Tor node, cloud datacenter, or a legitimate IP turned malicious.\n- Determine if the lockout events occurred during the user's regular activity hours. 
Unusual timing may indicate malicious activity.\n- Examine the authentication methods used during the lockout events by checking the `okta.authentication_context.credential_type` field.\n\n### False positive analysis:\n\n- Determine whether the account owner or an internal user made repeated mistakes in entering their credentials, leading to the account lockout.\n- Ensure there are no known network or application issues that might cause these events.\n\n### Response and remediation:\n\n- Alert the user and your IT department immediately.\n- If unauthorized access is confirmed, initiate your incident response process.\n- Investigate the source of the attack. If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\n- Require the affected user to change their password.\n- If the attack is ongoing, consider blocking the IP address initiating the brute force attack.\n- Implement account lockout policies to limit the impact of brute force attacks.\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\n- Check if the compromised account was used to access or alter any sensitive data or systems.", "query": "event.dataset:okta.system and event.action:user.account.lock\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e08ccd49-0380-4b2b-8d71-8000377d6e49", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: 
Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["okta.actor.alternate_id"], "value": 3}, "type": "threshold", "version": 207}, "id": "e08ccd49-0380-4b2b-8d71-8000377d6e49_207", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_208.json b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_208.json
deleted file mode 100644
index c2578c8d579..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_208.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "@BenB196", "Austin Songer"], "description": "Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.", "from": "now-180m", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempts to Brute Force an Okta User Account", "note": "## Triage and analysis\n\n### Investigating Attempts to Brute Force an Okta User Account\n\nBrute force attacks aim to guess user credentials through exhaustive trial-and-error attempts. In this context, Okta accounts are targeted.\n\nThis rule fires when an Okta user account has been locked out 3 times within a 3-hour window. This could indicate an attempted brute force or password spraying attack to gain unauthorized access to the user account. Okta's default authentication policy locks a user account after 10 failed authentication attempts.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. This should give the username of the account being targeted.\n- Review the `okta.event_type` field to understand the nature of the events that led to the account lockout.\n- Check the `okta.severity` and `okta.display_message` fields for more context around the lockout events.\n- Look for correlation of events from the same IP address. Multiple lockouts from the same IP address might indicate a single source for the attack.\n- If the IP is not familiar, investigate it. The IP could be a proxy, VPN, Tor node, cloud datacenter, or a legitimate IP turned malicious.\n- Determine if the lockout events occurred during the user's regular activity hours. 
Unusual timing may indicate malicious activity.\n- Examine the authentication methods used during the lockout events by checking the `okta.authentication_context.credential_type` field.\n\n### False positive analysis:\n\n- Determine whether the account owner or an internal user made repeated mistakes in entering their credentials, leading to the account lockout.\n- Ensure there are no known network or application issues that might cause these events.\n\n### Response and remediation:\n\n- Alert the user and your IT department immediately.\n- If unauthorized access is confirmed, initiate your incident response process.\n- Investigate the source of the attack. If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\n- Require the affected user to change their password.\n- If the attack is ongoing, consider blocking the IP address initiating the brute force attack.\n- Implement account lockout policies to limit the impact of brute force attacks.\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\n- Check if the compromised account was used to access or alter any sensitive data or systems.", "query": "event.dataset:okta.system and event.action:user.account.lock\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e08ccd49-0380-4b2b-8d71-8000377d6e49", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: 
Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["okta.actor.alternate_id"], "value": 3}, "timestamp_override": "event.ingested", "type": "threshold", "version": 208}, "id": "e08ccd49-0380-4b2b-8d71-8000377d6e49_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_209.json b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_209.json
deleted file mode 100644
index 16385bc92b4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_209.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "@BenB196", "Austin Songer"], "description": "Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.", "from": "now-180m", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempts to Brute Force an Okta User Account", "note": "## Triage and analysis\n\n### Investigating Attempts to Brute Force an Okta User Account\n\nBrute force attacks aim to guess user credentials through exhaustive trial-and-error attempts. In this context, Okta accounts are targeted.\n\nThis rule fires when an Okta user account has been locked out 3 times within a 3-hour window. This could indicate an attempted brute force or password spraying attack to gain unauthorized access to the user account. Okta's default authentication policy locks a user account after 10 failed authentication attempts.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. This should give the username of the account being targeted.\n- Review the `okta.event_type` field to understand the nature of the events that led to the account lockout.\n- Check the `okta.severity` and `okta.display_message` fields for more context around the lockout events.\n- Look for correlation of events from the same IP address. Multiple lockouts from the same IP address might indicate a single source for the attack.\n- If the IP is not familiar, investigate it. The IP could be a proxy, VPN, Tor node, cloud datacenter, or a legitimate IP turned malicious.\n- Determine if the lockout events occurred during the user's regular activity hours. 
Unusual timing may indicate malicious activity.\n- Examine the authentication methods used during the lockout events by checking the `okta.authentication_context.credential_type` field.\n\n### False positive analysis:\n\n- Determine whether the account owner or an internal user made repeated mistakes in entering their credentials, leading to the account lockout.\n- Ensure there are no known network or application issues that might cause these events.\n\n### Response and remediation:\n\n- Alert the user and your IT department immediately.\n- If unauthorized access is confirmed, initiate your incident response process.\n- Investigate the source of the attack. If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\n- Require the affected user to change their password.\n- If the attack is ongoing, consider blocking the IP address initiating the brute force attack.\n- Implement account lockout policies to limit the impact of brute force attacks.\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\n- Check if the compromised account was used to access or alter any sensitive data or systems.", "query": "event.dataset:okta.system and event.action:user.account.lock\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e08ccd49-0380-4b2b-8d71-8000377d6e49", "setup": "The Okta Fleet integration, Filebeat 
module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["okta.actor.alternate_id"], "value": 3}, "timestamp_override": "event.ingested", "type": "threshold", "version": 209}, "id": "e08ccd49-0380-4b2b-8d71-8000377d6e49_209", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_211.json b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_211.json
deleted file mode 100644
index 4ed50d80d9c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_211.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "@BenB196", "Austin Songer"], "description": "Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.", "from": "now-180m", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempts to Brute Force an Okta User Account", "note": "## Triage and analysis\n\n### Investigating Attempts to Brute Force an Okta User Account\n\nBrute force attacks aim to guess user credentials through exhaustive trial-and-error attempts. In this context, Okta accounts are targeted.\n\nThis rule fires when an Okta user account has been locked out 3 times within a 3-hour window. This could indicate an attempted brute force or password spraying attack to gain unauthorized access to the user account. Okta's default authentication policy locks a user account after 10 failed authentication attempts.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. This should give the username of the account being targeted.\n- Review the `okta.event_type` field to understand the nature of the events that led to the account lockout.\n- Check the `okta.severity` and `okta.display_message` fields for more context around the lockout events.\n- Look for correlation of events from the same IP address. Multiple lockouts from the same IP address might indicate a single source for the attack.\n- If the IP is not familiar, investigate it. The IP could be a proxy, VPN, Tor node, cloud datacenter, or a legitimate IP turned malicious.\n- Determine if the lockout events occurred during the user's regular activity hours. 
Unusual timing may indicate malicious activity.\n- Examine the authentication methods used during the lockout events by checking the `okta.authentication_context.credential_type` field.\n\n### False positive analysis:\n\n- Determine whether the account owner or an internal user made repeated mistakes in entering their credentials, leading to the account lockout.\n- Ensure there are no known network or application issues that might cause these events.\n\n### Response and remediation:\n\n- Alert the user and your IT department immediately.\n- If unauthorized access is confirmed, initiate your incident response process.\n- Investigate the source of the attack. If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\n- Require the affected user to change their password.\n- If the attack is ongoing, consider blocking the IP address initiating the brute force attack.\n- Implement account lockout policies to limit the impact of brute force attacks.\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\n- Check if the compromised account was used to access or alter any sensitive data or systems.", "query": "event.dataset:okta.system and event.action:user.account.lock\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e08ccd49-0380-4b2b-8d71-8000377d6e49", "setup": "The Okta Fleet integration, Filebeat 
module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": ["okta.actor.alternate_id"], "value": 3}, "timestamp_override": "event.ingested", "type": "threshold", "version": 211}, "id": "e08ccd49-0380-4b2b-8d71-8000377d6e49_211", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_311.json b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_311.json
new file mode 100644
index 00000000000..bd3494b9ea4
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/e08ccd49-0380-4b2b-8d71-8000377d6e49_311.json
@@ -0,0 +1,82 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic",
+ "@BenB196",
+ "Austin Songer"
+ ],
+ "description": "Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.",
+ "from": "now-180m",
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempts to Brute Force an Okta User Account",
+ "note": "## Triage and analysis\n\n### Investigating Attempts to Brute Force an Okta User Account\n\nBrute force attacks aim to guess user credentials through exhaustive trial-and-error attempts. In this context, Okta accounts are targeted.\n\nThis rule fires when an Okta user account has been locked out 3 times within a 3-hour window. This could indicate an attempted brute force or password spraying attack to gain unauthorized access to the user account. Okta's default authentication policy locks a user account after 10 failed authentication attempts.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.alternate_id` field in the alert. This should give the username of the account being targeted.\n- Review the `okta.event_type` field to understand the nature of the events that led to the account lockout.\n- Check the `okta.severity` and `okta.display_message` fields for more context around the lockout events.\n- Look for correlation of events from the same IP address. Multiple lockouts from the same IP address might indicate a single source for the attack.\n- If the IP is not familiar, investigate it. The IP could be a proxy, VPN, Tor node, cloud datacenter, or a legitimate IP turned malicious.\n- Determine if the lockout events occurred during the user's regular activity hours. 
Unusual timing may indicate malicious activity.\n- Examine the authentication methods used during the lockout events by checking the `okta.authentication_context.credential_type` field.\n\n### False positive analysis:\n\n- Determine whether the account owner or an internal user made repeated mistakes in entering their credentials, leading to the account lockout.\n- Ensure there are no known network or application issues that might cause these events.\n\n### Response and remediation:\n\n- Alert the user and your IT department immediately.\n- If unauthorized access is confirmed, initiate your incident response process.\n- Investigate the source of the attack. If a specific machine or network is compromised, additional steps may need to be taken to address the issue.\n- Require the affected user to change their password.\n- If the attack is ongoing, consider blocking the IP address initiating the brute force attack.\n- Implement account lockout policies to limit the impact of brute force attacks.\n- Encourage users to use complex, unique passwords and consider implementing multi-factor authentication.\n- Check if the compromised account was used to access or alter any sensitive data or systems.",
+ "query": "event.dataset:okta.system and event.action:user.account.lock\n",
+ "references": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": 
"e08ccd49-0380-4b2b-8d71-8000377d6e49", + "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", + "severity": "medium", + "tags": [ + "Use Case: Identity and Access Audit", + "Tactic: Credential Access", + "Data Source: Okta" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0006", + "name": "Credential Access", + "reference": "https://attack.mitre.org/tactics/TA0006/" + }, + "technique": [ + { + "id": "T1110", + "name": "Brute Force", + "reference": "https://attack.mitre.org/techniques/T1110/" + } + ] + } + ], + "threshold": { + "field": [ + "okta.actor.alternate_id" + ], + "value": 3 + }, + "timestamp_override": "event.ingested", + "type": "threshold", + "version": 311 + }, + "id": "e08ccd49-0380-4b2b-8d71-8000377d6e49_311", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89.json b/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89.json deleted file mode 100644 index 53adad91ba7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux to execute commands while attempting to evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potentially Suspicious Process Started via tmux or screen", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and \nprocess.parent.name in (\"screen\", \"tmux\") and process.name : (\n \"nmap\", \"nc\", \"ncat\", \"netcat\", \"socat\", \"nc.openbsd\", \"ngrok\", \"ping\", \"java\", \"python*\", \"php*\", \"perl\", \"ruby\",\n \"lua*\", \"openssl\", \"telnet\", \"awk\", \"wget\", \"curl\", \"id\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "e0cc3807-e108-483c-bf66-5a4fbe0d7e89", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": 
"e0cc3807-e108-483c-bf66-5a4fbe0d7e89", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_1.json b/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_1.json deleted file mode 100644 index f34bd27475b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux to execute commands while attempting to evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potentially Suspicious Process Started via tmux or screen", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.parent.name in (\"screen\", \"tmux\") and process.name : (\n \"nmap\", \"nc\", \"ncat\", \"netcat\", \"socat\", \"nc.openbsd\", \"ngrok\", \"ping\", \"java\", \"python*\", \"php*\", \"perl\", \"ruby\",\n \"lua*\", \"openssl\", \"telnet\", \"awk\", \"wget\", \"curl\", \"whoami\", \"id\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "e0cc3807-e108-483c-bf66-5a4fbe0d7e89", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": 
"e0cc3807-e108-483c-bf66-5a4fbe0d7e89_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_2.json b/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_2.json deleted file mode 100644 index 283dafc2306..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux to execute commands while attempting to evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potentially Suspicious Process Started via tmux or screen", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.parent.name in (\"screen\", \"tmux\") and process.name : (\n \"nmap\", \"nc\", \"ncat\", \"netcat\", \"socat\", \"nc.openbsd\", \"ngrok\", \"ping\", \"java\", \"python*\", \"php*\", \"perl\", \"ruby\",\n \"lua*\", \"openssl\", \"telnet\", \"awk\", \"wget\", \"curl\", \"id\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "e0cc3807-e108-483c-bf66-5a4fbe0d7e89", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": 
"e0cc3807-e108-483c-bf66-5a4fbe0d7e89_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_3.json b/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_3.json deleted file mode 100644 index 7a47ddc96f3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux to execute commands while attempting to evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potentially Suspicious Process Started via tmux or screen", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\") and event.type == \"start\" and \nprocess.parent.name in (\"screen\", \"tmux\") and process.name : (\n \"nmap\", \"nc\", \"ncat\", \"netcat\", \"socat\", \"nc.openbsd\", \"ngrok\", \"ping\", \"java\", \"python*\", \"php*\", \"perl\", \"ruby\",\n \"lua*\", \"openssl\", \"telnet\", \"awk\", \"wget\", \"curl\", \"id\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "e0cc3807-e108-483c-bf66-5a4fbe0d7e89", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": 
"e0cc3807-e108-483c-bf66-5a4fbe0d7e89_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_4.json b/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_4.json deleted file mode 100644 index 61df58a7366..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e0cc3807-e108-483c-bf66-5a4fbe0d7e89_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of suspicious commands via screen and tmux. When launching a command and detaching directly, the commands will be executed in the background via its parent process. Attackers may leverage screen or tmux to execute commands while attempting to evade detection.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potentially Suspicious Process Started via tmux or screen", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and \nprocess.parent.name in (\"screen\", \"tmux\") and process.name : (\n \"nmap\", \"nc\", \"ncat\", \"netcat\", \"socat\", \"nc.openbsd\", \"ngrok\", \"ping\", \"java\", \"python*\", \"php*\", \"perl\", \"ruby\",\n \"lua*\", \"openssl\", \"telnet\", \"awk\", \"wget\", \"curl\", \"id\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "e0cc3807-e108-483c-bf66-5a4fbe0d7e89", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": 
"e0cc3807-e108-483c-bf66-5a4fbe0d7e89_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e0f36de1-0342-453d-95a9-a068b257b053.json b/packages/security_detection_engine/kibana/security_rule/e0f36de1-0342-453d-95a9-a068b257b053.json deleted file mode 100644 index 1bc22495122..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e0f36de1-0342-453d-95a9-a068b257b053.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection.", "false_positives": ["Event Hub deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Event Hub deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Event Hub Deletion", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE\" and event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about", "https://azure.microsoft.com/en-in/services/event-hubs/", "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-features"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "e0f36de1-0342-453d-95a9-a068b257b053", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, 
"technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "e0f36de1-0342-453d-95a9-a068b257b053", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e0f36de1-0342-453d-95a9-a068b257b053_101.json b/packages/security_detection_engine/kibana/security_rule/e0f36de1-0342-453d-95a9-a068b257b053_101.json deleted file mode 100644 index dc04dea2fcc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e0f36de1-0342-453d-95a9-a068b257b053_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection.", "false_positives": ["Event Hub deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Event Hub deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Event Hub Deletion", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE\" and event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about", "https://azure.microsoft.com/en-in/services/event-hubs/", "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-features"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "e0f36de1-0342-453d-95a9-a068b257b053", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Log Auditing"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": 
[{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "e0f36de1-0342-453d-95a9-a068b257b053_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca.json b/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca.json deleted file mode 100644 index 9685ec16ff9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies when an AWS Route Table has been created.", "false_positives": ["Route Tables may be created by a system or network administrators. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table creation by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Automated processes that use Terraform may lead to false positives."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route Table Created", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and\nevent.outcome:success\n", "references": ["https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "e12c0318-99b1-44f2-830c-3a38a43207ca", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Network Security Monitoring", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": 
"Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "e12c0318-99b1-44f2-830c-3a38a43207ca", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_102.json b/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_102.json deleted file mode 100644 index 30e1afb35b1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies when an AWS Route Table has been created.", "false_positives": ["Route Tables may be created by a system or network administrators. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table creation by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Automated processes that use Terraform may lead to false positives."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route Table Created", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and\nevent.outcome:success\n", "references": ["https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "e12c0318-99b1-44f2-830c-3a38a43207ca", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Network Security", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "e12c0318-99b1-44f2-830c-3a38a43207ca_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_103.json b/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_103.json deleted file mode 100644 index 25f535d9d20..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies when an AWS Route Table has been created.", "false_positives": ["Route Tables may be created by a system or network administrators. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table creation by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Automated processes that use Terraform may lead to false positives."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route Table Created", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and\nevent.outcome:success\n", "references": ["https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "e12c0318-99b1-44f2-830c-3a38a43207ca", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "e12c0318-99b1-44f2-830c-3a38a43207ca_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_104.json b/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_104.json deleted file mode 100644 index 1e6ccb1c674..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies when an AWS Route Table has been created.", "false_positives": ["Route Tables may be created by a system or network administrators. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table creation by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Automated processes that use Terraform may lead to false positives."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route Table Created", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and\nevent.outcome:success\n", "references": ["https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "e12c0318-99b1-44f2-830c-3a38a43207ca", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "e12c0318-99b1-44f2-830c-3a38a43207ca_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_205.json b/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_205.json deleted file mode 100644 index b4b0602e110..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies when an AWS Route Table has been created.", "false_positives": ["Route Tables may be created by a system or network administrators. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table creation by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Automated processes that use Terraform may lead to false positives."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route Table Created", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and\nevent.outcome:success\n", "references": ["https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "e12c0318-99b1-44f2-830c-3a38a43207ca", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "e12c0318-99b1-44f2-830c-3a38a43207ca_205", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_206.json b/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_206.json deleted file mode 100644 index 8696f2482ca..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e12c0318-99b1-44f2-830c-3a38a43207ca_206.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies when an AWS Route Table has been created.", "false_positives": ["Route Tables may be created by a system or network administrators. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table creation by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Automated processes that use Terraform may lead to false positives."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route Table Created", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and\nevent.outcome:success\n", "references": ["https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRoute.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateRouteTable"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "e12c0318-99b1-44f2-830c-3a38a43207ca", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "e12c0318-99b1-44f2-830c-3a38a43207ca_206", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d.json b/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d.json deleted file mode 100644 index 1d5740bcd12..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions.", "false_positives": ["Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Cluster Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBCluster.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-global-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateGlobalCluster.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: 
Asset Visibility", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1133", "name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_102.json b/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_102.json deleted file mode 100644 index 1e3748cb309..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions.", "false_positives": ["Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Cluster Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBCluster.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-global-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateGlobalCluster.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1133", "name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_103.json b/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_103.json deleted file mode 100644 index ca47df22730..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions.", "false_positives": ["Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Cluster Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBCluster.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-global-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateGlobalCluster.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: 
Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1133", "name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_104.json b/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_104.json deleted file mode 100644 index 5a6f5665040..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions.", "false_positives": ["Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Cluster Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBCluster.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-global-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateGlobalCluster.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: 
Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1133", "name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_205.json b/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_205.json deleted file mode 100644 index d3151001bcb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions.", "false_positives": ["Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Cluster Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(CreateDBCluster or CreateGlobalCluster) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBCluster.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-global-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateGlobalCluster.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: 
Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1133", "name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d_205", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362.json b/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362.json deleted file mode 100644 index 8c5bb818280..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses.", "false_positives": ["Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to External Network via Telnet", "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and process.name == \"telnet\" and event.type == \"start\"]\n [network where host.os.type == \"linux\" and process.name == \"telnet\" and not cidrmatch(\n destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\",\n \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\", \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\"\n )\n ]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e19e64ee-130e-4c07-961f-8a339f0b8362", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 107}, "id": "e19e64ee-130e-4c07-961f-8a339f0b8362", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_102.json b/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_102.json deleted file mode 100644 index c6f50690c0b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses.", "false_positives": ["Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to External Network via Telnet", "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and process.name == \"telnet\" and event.type == \"start\"]\n [network where host.os.type == \"linux\" and process.name == \"telnet\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e19e64ee-130e-4c07-961f-8a339f0b8362", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 102}, "id": "e19e64ee-130e-4c07-961f-8a339f0b8362_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_103.json b/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_103.json deleted file mode 100644 index 37b4d62eb76..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses.", "false_positives": ["Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to External Network via Telnet", "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and process.name == \"telnet\" and event.type == \"start\"]\n [network where host.os.type == \"linux\" and process.name == \"telnet\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e19e64ee-130e-4c07-961f-8a339f0b8362", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 103}, "id": "e19e64ee-130e-4c07-961f-8a339f0b8362_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_104.json b/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_104.json deleted file mode 100644 index e46817f4827..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses.", "false_positives": ["Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to External Network via Telnet", "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and process.name == \"telnet\" and event.type == \"start\"]\n [network where host.os.type == \"linux\" and process.name == \"telnet\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e19e64ee-130e-4c07-961f-8a339f0b8362", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 104}, "id": "e19e64ee-130e-4c07-961f-8a339f0b8362_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_105.json b/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_105.json deleted file mode 100644 index 58c9e576fe4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses.", "false_positives": ["Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to External Network via Telnet", "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and process.name == \"telnet\" and event.type == \"start\"]\n [network where host.os.type == \"linux\" and process.name == \"telnet\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e19e64ee-130e-4c07-961f-8a339f0b8362", "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 105}, "id": "e19e64ee-130e-4c07-961f-8a339f0b8362_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_106.json b/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_106.json deleted file mode 100644 index 651820e5917..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e19e64ee-130e-4c07-961f-8a339f0b8362_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Telnet provides a command line interface for communication with a remote device or server. This rule identifies Telnet network connections to publicly routable IP addresses.", "false_positives": ["Telnet can be used for both benign or malicious purposes. Telnet is included by default in some Linux distributions, so its presence is not inherently suspicious. The use of Telnet to manage devices remotely has declined in recent years in favor of more secure protocols such as SSH. Telnet usage by non-automated tools or frameworks may be suspicious."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to External Network via Telnet", "query": "sequence by process.entity_id\n [process where host.os.type == \"linux\" and process.name == \"telnet\" and event.type == \"start\"]\n [network where host.os.type == \"linux\" and process.name == \"telnet\" and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\",\n \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\",\n \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\n \"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\")]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e19e64ee-130e-4c07-961f-8a339f0b8362", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "type": "eql", "version": 106}, "id": "e19e64ee-130e-4c07-961f-8a339f0b8362_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e1db8899-97c1-4851-8993-3a3265353601.json b/packages/security_detection_engine/kibana/security_rule/e1db8899-97c1-4851-8993-3a3265353601.json deleted file mode 100644 index 583d7362f30..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e1db8899-97c1-4851-8993-3a3265353601.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.", "from": "now-6h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "ded_high_sent_bytes_destination_geo_country_iso_code", "name": "Potential Data Exfiltration Activity to an Unusual ISO Code", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/ded", "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration"], "related_integrations": [{"package": "ded", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "e1db8899-97c1-4851-8993-3a3265353601", "setup": "## Setup\n\nThe rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). \n\n### Data Exfiltration Detection Setup\nThe Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
\n\n#### Prerequisite Requirements:\n- Fleet is required for Data Exfiltration Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n\n#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1041", "name": "Exfiltration Over C2 Channel", "reference": "https://attack.mitre.org/techniques/T1041/"}]}], "type": "machine_learning", "version": 4}, "id": "e1db8899-97c1-4851-8993-3a3265353601", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e1db8899-97c1-4851-8993-3a3265353601_1.json b/packages/security_detection_engine/kibana/security_rule/e1db8899-97c1-4851-8993-3a3265353601_1.json
deleted file mode 100644
index 469f5547a76..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e1db8899-97c1-4851-8993-3a3265353601_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.", "from": "now-6h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "ded_high_sent_bytes_destination_geo_country_iso_code", "name": "Potential Data Exfiltration Activity to an Unusual ISO Code", "note": "", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/ded"], "related_integrations": [{"package": "ded", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "e1db8899-97c1-4851-8993-3a3265353601", "setup": "The Data Exfiltration Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.", "severity": "low", "tags": ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1041", "name": "Exfiltration Over C2 Channel", "reference": "https://attack.mitre.org/techniques/T1041/"}]}], "type": "machine_learning", "version": 1}, "id": "e1db8899-97c1-4851-8993-3a3265353601_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e1db8899-97c1-4851-8993-3a3265353601_2.json b/packages/security_detection_engine/kibana/security_rule/e1db8899-97c1-4851-8993-3a3265353601_2.json deleted file mode 100644 index f0205a91a93..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/e1db8899-97c1-4851-8993-3a3265353601_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.", "from": "now-6h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "ded_high_sent_bytes_destination_geo_country_iso_code", "name": "Potential Data Exfiltration Activity to an Unusual ISO Code", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/ded", "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration"], "related_integrations": [{"package": "ded", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "e1db8899-97c1-4851-8993-3a3265353601", "setup": "The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). \n\n### Data Exfiltration Detection Setup\nThe Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
\n\n#### Prerequisite Requirements:\n- Fleet is required for Data Exfiltration Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n\n#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.\n- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your network data. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1041", "name": "Exfiltration Over C2 Channel", "reference": "https://attack.mitre.org/techniques/T1041/"}]}], "type": "machine_learning", "version": 2}, "id": "e1db8899-97c1-4851-8993-3a3265353601_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e1db8899-97c1-4851-8993-3a3265353601_3.json b/packages/security_detection_engine/kibana/security_rule/e1db8899-97c1-4851-8993-3a3265353601_3.json deleted file mode 100644 index 858485d82be..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e1db8899-97c1-4851-8993-3a3265353601_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected data exfiltration to a particular geo-location (by region name). Data transfers to geo-locations that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.", "from": "now-6h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "ded_high_sent_bytes_destination_geo_country_iso_code", "name": "Potential Data Exfiltration Activity to an Unusual ISO Code", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/ded", "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration"], "related_integrations": [{"package": "ded", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "e1db8899-97c1-4851-8993-3a3265353601", "setup": "## Setup\n\nThe rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). \n\n### Data Exfiltration Detection Setup\nThe Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
\n\n#### Prerequisite Requirements:\n- Fleet is required for Data Exfiltration Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n\n#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.\n- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your network data. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1041", "name": "Exfiltration Over C2 Channel", "reference": "https://attack.mitre.org/techniques/T1041/"}]}], "type": "machine_learning", "version": 3}, "id": "e1db8899-97c1-4851-8993-3a3265353601_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2.json b/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2.json deleted file mode 100644 index 9e71b756a92..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies service creation events of common mining services, possibly indicating the infection of a system with a cryptominer.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Mining Process Creation Event", "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and event.action : (\"creation\", \"file_create_event\") and \nfile.name : (\"aliyun.service\", \"moneroocean_miner.service\", \"c3pool_miner.service\", \"pnsd.service\", \"apache4.service\", \"pastebin.service\", \"xvf.service\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "e2258f48-ba75-4248-951b-7c885edf18c2", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "e2258f48-ba75-4248-951b-7c885edf18c2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_1.json b/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_1.json deleted file mode 100644 index d31ae36a540..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies service creation events of common mining services, possibly indicating the infection of a system with a cryptominer.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Mining Process Creation Event", "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and\nevent.action : (\"creation\", \"file_create_event\") and \nfile.name : (\"aliyun.service\", \"moneroocean_miner.service\", \"c3pool_miner.service\", \"pnsd.service\", \"apache4.service\", \"pastebin.service\", \"xvf.service\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "e2258f48-ba75-4248-951b-7c885edf18c2", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "e2258f48-ba75-4248-951b-7c885edf18c2_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_2.json b/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_2.json
deleted file mode 100644
index 152abb7197a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies service creation events of common mining services, possibly indicating the infection of a system with a cryptominer.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Mining Process Creation Event", "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and\nevent.action : (\"creation\", \"file_create_event\") and \nfile.name : (\"aliyun.service\", \"moneroocean_miner.service\", \"c3pool_miner.service\", \"pnsd.service\", \"apache4.service\", \"pastebin.service\", \"xvf.service\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "e2258f48-ba75-4248-951b-7c885edf18c2", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "e2258f48-ba75-4248-951b-7c885edf18c2_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_3.json b/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_3.json
deleted file mode 100644
index e053c817726..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies service creation events of common mining services, possibly indicating the infection of a system with a cryptominer.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Mining Process Creation Event", "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and\nevent.action : (\"creation\", \"file_create_event\") and \nfile.name : (\"aliyun.service\", \"moneroocean_miner.service\", \"c3pool_miner.service\", \"pnsd.service\", \"apache4.service\", \"pastebin.service\", \"xvf.service\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "e2258f48-ba75-4248-951b-7c885edf18c2", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "e2258f48-ba75-4248-951b-7c885edf18c2_3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_4.json b/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_4.json
deleted file mode 100644
index 57c13a60460..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies service creation events of common mining services, possibly indicating the infection of a system with a cryptominer.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Mining Process Creation Event", "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and\nevent.action : (\"creation\", \"file_create_event\") and \nfile.name : (\"aliyun.service\", \"moneroocean_miner.service\", \"c3pool_miner.service\", \"pnsd.service\", \"apache4.service\", \"pastebin.service\", \"xvf.service\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "e2258f48-ba75-4248-951b-7c885edf18c2", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "e2258f48-ba75-4248-951b-7c885edf18c2_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_5.json b/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_5.json deleted file mode 100644 index 51a4e8ddd25..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e2258f48-ba75-4248-951b-7c885edf18c2_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies service creation events of common mining services, possibly indicating the infection of a system with a cryptominer.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Mining Process Creation Event", "query": "file where host.os.type == \"linux\" and event.type == \"creation\" and\nevent.action : (\"creation\", \"file_create_event\") and \nfile.name : (\"aliyun.service\", \"moneroocean_miner.service\", \"c3pool_miner.service\", \"pnsd.service\", \"apache4.service\", \"pastebin.service\", \"xvf.service\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 47, "rule_id": "e2258f48-ba75-4248-951b-7c885edf18c2", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "e2258f48-ba75-4248-951b-7c885edf18c2_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd.json b/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd.json deleted file mode 100644 index 014f4ba3bf8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job found an unusually large spike in successful authentication events from a particular source IP address. This can be due to password spraying, user enumeration or brute force activity.", "false_positives": ["Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "auth_high_count_logon_events_for_a_source_ip", "name": "Spike in Successful Logon Events from a Source IP", "note": "## Triage and analysis\n\n### Investigating Spike in Successful Logon Events from a Source IP\n\nThis rule uses a machine learning job to detect a substantial spike in successful authentication events. This could indicate post-exploitation activities that aim to test which hosts, services, and other resources the attacker can access with the compromised credentials.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Check if the authentication comes from different sources.\n- Use the historical data available to determine if the same behavior happened in the past.\n- Investigate other alerts associated with the involved users during the past 48 hours.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. 
If this activity is related to a new business process or newly implemented (approved) technology, consider adding exceptions \u2014 preferably with a combination of user and source conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}], "risk_score": 21, "rule_id": "e26aed74-c816-40d3-a810-48d6fbd8b2fd", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n- System\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n\n### System Integration Setup\nThe System integration allows you to collect system logs and metrics from your servers with Elastic Agent.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"system\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cSystem\u201d and select the integration to see more details about it.\n- Click \u201cAdd System\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201csystem\u201d to an existing or a new agent policy, and deploy the agent on your system from which system log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/system).\n", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1078", "name": 
"Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}, {"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "type": "machine_learning", "version": 105}, "id": "e26aed74-c816-40d3-a810-48d6fbd8b2fd", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_102.json b/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_102.json
deleted file mode 100644
index be97286f031..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job found an unusually large spike in successful authentication events from a particular source IP address. This can be due to password spraying, user enumeration or brute force activity.", "false_positives": ["Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "auth_high_count_logon_events_for_a_source_ip", "name": "Spike in Successful Logon Events from a Source IP", "note": "## Triage and analysis\n\n### Investigating Spike in Successful Logon Events from a Source IP\n\nThis rule uses a machine learning job to detect a substantial spike in successful authentication events. This could indicate post-exploitation activities that aim to test which hosts, services, and other resources the attacker can access with the compromised credentials.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Check if the authentication comes from different sources.\n- Use the historical data available to determine if the same behavior happened in the past.\n- Investigate other alerts associated with the involved users during the past 48 hours.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. 
If this activity is related to a new business process or newly implemented (approved) technology, consider adding exceptions \u2014 preferably with a combination of user and source conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "e26aed74-c816-40d3-a810-48d6fbd8b2fd", "severity": "low", "tags": ["Elastic", "Authentication", "Threat Detection", "ML", "Machine Learning", "Credential Access", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}, {"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "type": "machine_learning", "version": 102}, "id": "e26aed74-c816-40d3-a810-48d6fbd8b2fd_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_103.json b/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_103.json
deleted file mode 100644
index 6424ad8794f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job found an unusually large spike in successful authentication events from a particular source IP address. This can be due to password spraying, user enumeration or brute force activity.", "false_positives": ["Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "auth_high_count_logon_events_for_a_source_ip", "name": "Spike in Successful Logon Events from a Source IP", "note": "## Triage and analysis\n\n### Investigating Spike in Successful Logon Events from a Source IP\n\nThis rule uses a machine learning job to detect a substantial spike in successful authentication events. This could indicate post-exploitation activities that aim to test which hosts, services, and other resources the attacker can access with the compromised credentials.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Check if the authentication comes from different sources.\n- Use the historical data available to determine if the same behavior happened in the past.\n- Investigate other alerts associated with the involved users during the past 48 hours.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. 
If this activity is related to a new business process or newly implemented (approved) technology, consider adding exceptions \u2014 preferably with a combination of user and source conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "e26aed74-c816-40d3-a810-48d6fbd8b2fd", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}, {"id": "T1078.003", "name": "Local Accounts", "reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "type": "machine_learning", "version": 103}, "id": "e26aed74-c816-40d3-a810-48d6fbd8b2fd_103", "type": 
"security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_104.json b/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_104.json
deleted file mode 100644
index 5b663338da4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e26aed74-c816-40d3-a810-48d6fbd8b2fd_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job found an unusually large spike in successful authentication events from a particular source IP address. This can be due to password spraying, user enumeration or brute force activity.", "false_positives": ["Build servers and CI systems can sometimes trigger this alert. Security test cycles that include brute force or password spraying activities may trigger this alert."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "auth_high_count_logon_events_for_a_source_ip", "name": "Spike in Successful Logon Events from a Source IP", "note": "## Triage and analysis\n\n### Investigating Spike in Successful Logon Events from a Source IP\n\nThis rule uses a machine learning job to detect a substantial spike in successful authentication events. This could indicate post-exploitation activities that aim to test which hosts, services, and other resources the attacker can access with the compromised credentials.\n\n#### Possible investigation steps\n\n- Identify the specifics of the involved assets, such as role, criticality, and associated users.\n- Check if the authentication comes from different sources.\n- Use the historical data available to determine if the same behavior happened in the past.\n- Investigate other alerts associated with the involved users during the past 48 hours.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n\n### False positive analysis\n\n- Understand the context of the authentications by contacting the asset owners. 
If this activity is related to a new business process or newly implemented (approved) technology, consider adding exceptions \u2014 preferably with a combination of user and source conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}], "risk_score": 21, "rule_id": "e26aed74-c816-40d3-a810-48d6fbd8b2fd", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}, {"id": "T1078.003", "name": "Local Accounts", 
"reference": "https://attack.mitre.org/techniques/T1078/003/"}]}]}], "type": "machine_learning", "version": 104}, "id": "e26aed74-c816-40d3-a810-48d6fbd8b2fd_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad.json b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad.json
deleted file mode 100644
index 0fe59f41b58..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Monitoring Host Temporary Files*\\\\AvailabilityGroupMonitoring.ps1"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious .NET Reflection via PowerShell", "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n ) and\n not powershell.file.script_block_text : (\n (\"CommonWorkflowParameters\" or \"RelatedLinksHelpInfo\") and\n \"HelpDisplayStrings\"\n ) and\n not (powershell.file.script_block_text :\n (\"Get-SolutionFiles\" or \"Get-VisualStudio\" or \"Select-MSBuildPath\") and\n file.name : \"PathFunctions.ps1\"\n ) and\n not powershell.file.script_block_text : (\n \"Microsoft.PowerShell.Workflow.ServiceCore\" and \"ExtractPluginProperties([string]$pluginDir\"\n ) and\n not user.id : \"S-1-5-18\"\n", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "e26f042e-c590-4e82-8e05-41e81bd822ad", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be 
enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1620", "name": "Reflective Code Loading", "reference": "https://attack.mitre.org/techniques/T1620/"}, {"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.001", "name": "Dynamic-link Library Injection", "reference": "https://attack.mitre.org/techniques/T1055/001/"}, {"id": "T1055.002", "name": "Portable Executable Injection", "reference": "https://attack.mitre.org/techniques/T1055/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 213}, "id": "e26f042e-c590-4e82-8e05-41e81bd822ad", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_105.json b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_105.json
deleted file mode 100644
index 5f273149a2c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious .NET Reflection via PowerShell", "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. 
As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "e26f042e-c590-4e82-8e05-41e81bd822ad", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "PowerShell"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": 
"https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.001", "name": "Dynamic-link Library Injection", "reference": "https://attack.mitre.org/techniques/T1055/001/"}, {"id": "T1055.002", "name": "Portable Executable Injection", "reference": "https://attack.mitre.org/techniques/T1055/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "e26f042e-c590-4e82-8e05-41e81bd822ad_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_106.json b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_106.json
deleted file mode 100644
index 71c8af1aeb9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious .NET Reflection via PowerShell", "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "e26f042e-c590-4e82-8e05-41e81bd822ad", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", 
"Investigation Guide", "PowerShell"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.001", "name": "Dynamic-link Library Injection", "reference": "https://attack.mitre.org/techniques/T1055/001/"}, {"id": "T1055.002", "name": "Portable Executable Injection", "reference": "https://attack.mitre.org/techniques/T1055/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "e26f042e-c590-4e82-8e05-41e81bd822ad_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_107.json b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_107.json
deleted file mode 100644
index 43e285897e8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious .NET Reflection via PowerShell", "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "e26f042e-c590-4e82-8e05-41e81bd822ad", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: 
Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.001", "name": "Dynamic-link Library Injection", "reference": "https://attack.mitre.org/techniques/T1055/001/"}, {"id": "T1055.002", "name": "Portable Executable Injection", "reference": "https://attack.mitre.org/techniques/T1055/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "e26f042e-c590-4e82-8e05-41e81bd822ad_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_108.json b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_108.json
deleted file mode 100644
index 50e29d499c9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious .NET Reflection via PowerShell", "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n ) and not \n powershell.file.script_block_text : (\n (\"CommonWorkflowParameters\" or \"RelatedLinksHelpInfo\") and\n \"HelpDisplayStrings\"\n ) and not \n (powershell.file.script_block_text :\n (\"Get-SolutionFiles\" or \"Get-VisualStudio\" or \"Select-MSBuildPath\") and\n not file.name : \"PathFunctions.ps1\"\n )\n and not user.id : \"S-1-5-18\"\n", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "e26f042e-c590-4e82-8e05-41e81bd822ad", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows 
PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.001", "name": "Dynamic-link Library Injection", "reference": "https://attack.mitre.org/techniques/T1055/001/"}, {"id": "T1055.002", "name": "Portable Executable Injection", "reference": "https://attack.mitre.org/techniques/T1055/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "e26f042e-c590-4e82-8e05-41e81bd822ad_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_109.json b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_109.json
deleted file mode 100644
index 59b58d33e7c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious .NET Reflection via PowerShell", "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n ) and not \n powershell.file.script_block_text : (\n (\"CommonWorkflowParameters\" or \"RelatedLinksHelpInfo\") and\n \"HelpDisplayStrings\"\n ) and not \n (powershell.file.script_block_text :\n (\"Get-SolutionFiles\" or \"Get-VisualStudio\" or \"Select-MSBuildPath\") and\n not file.name : \"PathFunctions.ps1\"\n )\n and not user.id : \"S-1-5-18\"\n", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "e26f042e-c590-4e82-8e05-41e81bd822ad", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows 
PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1620", "name": "Reflective Code Loading", "reference": "https://attack.mitre.org/techniques/T1620/"}, {"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.001", "name": "Dynamic-link Library Injection", "reference": "https://attack.mitre.org/techniques/T1055/001/"}, {"id": "T1055.002", "name": "Portable Executable Injection", "reference": "https://attack.mitre.org/techniques/T1055/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 109}, "id": "e26f042e-c590-4e82-8e05-41e81bd822ad_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_110.json b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_110.json
deleted file mode 100644
index 3ed4aa60c29..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious .NET Reflection via PowerShell", "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n ) and not \n powershell.file.script_block_text : (\n (\"CommonWorkflowParameters\" or \"RelatedLinksHelpInfo\") and\n \"HelpDisplayStrings\"\n ) and not \n (powershell.file.script_block_text :\n (\"Get-SolutionFiles\" or \"Get-VisualStudio\" or \"Select-MSBuildPath\") and\n not file.name : \"PathFunctions.ps1\"\n )\n and not user.id : \"S-1-5-18\"\n", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "e26f042e-c590-4e82-8e05-41e81bd822ad", "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows 
PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1620", "name": "Reflective Code Loading", "reference": "https://attack.mitre.org/techniques/T1620/"}, {"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.001", "name": "Dynamic-link Library Injection", "reference": "https://attack.mitre.org/techniques/T1055/001/"}, {"id": "T1055.002", "name": "Portable Executable Injection", "reference": "https://attack.mitre.org/techniques/T1055/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 110}, "id": "e26f042e-c590-4e82-8e05-41e81bd822ad_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_111.json b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_111.json deleted file mode 100644 index d81b34d025b..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious .NET Reflection via PowerShell", "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n ) and\n not powershell.file.script_block_text : (\n (\"CommonWorkflowParameters\" or \"RelatedLinksHelpInfo\") and\n \"HelpDisplayStrings\"\n ) and\n not (powershell.file.script_block_text :\n (\"Get-SolutionFiles\" or \"Get-VisualStudio\" or \"Select-MSBuildPath\") and\n file.name : \"PathFunctions.ps1\"\n ) and\n not file.path : C\\:\\\\\\\\Program?Files\\\\\\\\Microsoft?Monitoring?Agent\\\\\\\\Agent\\\\\\\\Health?Service?State\\\\\\\\Monitoring?Host?Temporary?Files*\\\\\\\\AvailabilityGroupMonitoring.ps1 and\n not user.id : \"S-1-5-18\"\n", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": 
"e26f042e-c590-4e82-8e05-41e81bd822ad", "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1620", "name": "Reflective Code Loading", "reference": "https://attack.mitre.org/techniques/T1620/"}, {"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.001", "name": "Dynamic-link Library Injection", "reference": "https://attack.mitre.org/techniques/T1055/001/"}, {"id": "T1055.002", "name": "Portable Executable Injection", "reference": "https://attack.mitre.org/techniques/T1055/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 111}, "id": "e26f042e-c590-4e82-8e05-41e81bd822ad_111", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_112.json b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_112.json
deleted file mode 100644
index a25e9feb841..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_112.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious .NET Reflection via PowerShell", "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n ) and\n not powershell.file.script_block_text : (\n (\"CommonWorkflowParameters\" or \"RelatedLinksHelpInfo\") and\n \"HelpDisplayStrings\"\n ) and\n not (powershell.file.script_block_text :\n (\"Get-SolutionFiles\" or \"Get-VisualStudio\" or \"Select-MSBuildPath\") and\n file.name : \"PathFunctions.ps1\"\n ) and\n not file.path : C\\:\\\\\\\\Program?Files\\\\\\\\Microsoft?Monitoring?Agent\\\\\\\\Agent\\\\\\\\Health?Service?State\\\\\\\\Monitoring?Host?Temporary?Files*\\\\\\\\AvailabilityGroupMonitoring.ps1 and\n not user.id : \"S-1-5-18\"\n", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": 
"e26f042e-c590-4e82-8e05-41e81bd822ad", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1620", "name": "Reflective Code Loading", "reference": "https://attack.mitre.org/techniques/T1620/"}, {"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.001", "name": "Dynamic-link Library Injection", "reference": "https://attack.mitre.org/techniques/T1055/001/"}, {"id": "T1055.002", "name": "Portable Executable Injection", "reference": "https://attack.mitre.org/techniques/T1055/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 112}, "id": "e26f042e-c590-4e82-8e05-41e81bd822ad_112", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_212.json b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_212.json
deleted file mode 100644
index 34e5728a699..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_212.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Monitoring Host Temporary Files*\\\\AvailabilityGroupMonitoring.ps1"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious .NET Reflection via PowerShell", "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n ) and\n not powershell.file.script_block_text : (\n (\"CommonWorkflowParameters\" or \"RelatedLinksHelpInfo\") and\n \"HelpDisplayStrings\"\n ) and\n not (powershell.file.script_block_text :\n (\"Get-SolutionFiles\" or \"Get-VisualStudio\" or \"Select-MSBuildPath\") and\n file.name : \"PathFunctions.ps1\"\n ) and\n not user.id : \"S-1-5-18\"\n", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "e26f042e-c590-4e82-8e05-41e81bd822ad", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows 
PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1620", "name": "Reflective Code Loading", "reference": "https://attack.mitre.org/techniques/T1620/"}, {"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.001", "name": "Dynamic-link Library Injection", "reference": "https://attack.mitre.org/techniques/T1055/001/"}, {"id": "T1055.002", "name": "Portable Executable Injection", "reference": "https://attack.mitre.org/techniques/T1055/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 212}, "id": "e26f042e-c590-4e82-8e05-41e81bd822ad_212", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_213.json b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_213.json deleted file mode 100644 index fe3844a4674..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_213.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Monitoring Host Temporary Files*\\\\AvailabilityGroupMonitoring.ps1"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious .NET Reflection via PowerShell", "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n ) and\n not powershell.file.script_block_text : (\n (\"CommonWorkflowParameters\" or \"RelatedLinksHelpInfo\") and\n \"HelpDisplayStrings\"\n ) and\n not (powershell.file.script_block_text :\n (\"Get-SolutionFiles\" or \"Get-VisualStudio\" or \"Select-MSBuildPath\") and\n file.name : \"PathFunctions.ps1\"\n ) and\n not powershell.file.script_block_text : (\n \"Microsoft.PowerShell.Workflow.ServiceCore\" and \"ExtractPluginProperties([string]$pluginDir\"\n ) and\n not user.id : \"S-1-5-18\"\n", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "e26f042e-c590-4e82-8e05-41e81bd822ad", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be 
enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1620", "name": "Reflective Code Loading", "reference": "https://attack.mitre.org/techniques/T1620/"}, {"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.001", "name": "Dynamic-link Library Injection", "reference": "https://attack.mitre.org/techniques/T1055/001/"}, {"id": "T1055.002", "name": "Portable Executable Injection", "reference": "https://attack.mitre.org/techniques/T1055/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 213}, "id": "e26f042e-c590-4e82-8e05-41e81bd822ad_213", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_214.json b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_214.json
deleted file mode 100644
index 07a87c67be9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_214.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Monitoring Host Temporary Files*\\\\AvailabilityGroupMonitoring.ps1"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious .NET Reflection via PowerShell", "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n ) and\n not powershell.file.script_block_text : (\n (\"CommonWorkflowParameters\" or \"RelatedLinksHelpInfo\") and\n \"HelpDisplayStrings\"\n ) and\n not (powershell.file.script_block_text :\n (\"Get-SolutionFiles\" or \"Get-VisualStudio\" or \"Select-MSBuildPath\") and\n file.name : \"PathFunctions.ps1\"\n ) and\n not powershell.file.script_block_text : (\n \"Microsoft.PowerShell.Workflow.ServiceCore\" and \"ExtractPluginProperties([string]$pluginDir\"\n ) and \n \n not powershell.file.script_block_text : (\"reflection.assembly]::Load('System.\" or \"LoadWithPartialName('Microsoft.\" or \"::Load(\\\"Microsoft.\" or \"Microsoft.Build.Utilities.Core.dll\") and \n \n not user.id : \"S-1-5-18\"\n", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, 
{"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "e26f042e-c590-4e82-8e05-41e81bd822ad", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1620", "name": "Reflective Code Loading", "reference": "https://attack.mitre.org/techniques/T1620/"}, {"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.001", "name": "Dynamic-link Library Injection", "reference": "https://attack.mitre.org/techniques/T1055/001/"}, {"id": "T1055.002", "name": "Portable Executable Injection", "reference": "https://attack.mitre.org/techniques/T1055/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 214}, "id": 
"e26f042e-c590-4e82-8e05-41e81bd822ad_214", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_215.json b/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_215.json
deleted file mode 100644
index 3825c047967..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e26f042e-c590-4e82-8e05-41e81bd822ad_215.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the use of Reflection.Assembly to load PEs and DLLs in memory in PowerShell scripts. Attackers use this method to load executables and DLLs without writing to the disk, bypassing security solutions.", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"file.path": {"case_insensitive": true, "value": "C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Monitoring Host Temporary Files*\\\\AvailabilityGroupMonitoring.ps1"}}}}], "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious .NET Reflection via PowerShell", "note": "## Triage and analysis\n\n### Investigating Suspicious .NET Reflection via PowerShell\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks. This makes it available for use in various environments, and creates an attractive way for attackers to execute code.\n\nAttackers can use .NET reflection to load PEs and DLLs in memory. These payloads are commonly embedded in the script, which can circumvent file-based security protections.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine file or network events from the involved PowerShell process for suspicious behavior.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Evaluate whether the user needs to use PowerShell to complete tasks.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the script using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately outside engineering or IT business units. As long as the analyst did not identify malware or suspicious activity related to the user or host, this alert can be dismissed.\n\n### Related rules\n\n- PowerShell PSReflect Script - 56f2e9b5-4803-4e44-a0a4-a52dc79d57fe\n- Potential Process Injection via PowerShell - 2e29e96a-b67c-455a-afe4-de6183431d0d\n- PowerShell Suspicious Payload Encoded and Compressed - 81fe9dc6-a2d7-4192-a2d8-eed98afc766a\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"[System.Reflection.Assembly]::Load\" or\n \"[Reflection.Assembly]::Load\"\n ) and\n not powershell.file.script_block_text : (\n (\"CommonWorkflowParameters\" or \"RelatedLinksHelpInfo\") and\n \"HelpDisplayStrings\"\n ) and\n not (powershell.file.script_block_text :\n (\"Get-SolutionFiles\" or \"Get-VisualStudio\" or \"Select-MSBuildPath\") and\n file.name : \"PathFunctions.ps1\"\n ) and\n not powershell.file.script_block_text : (\n \"Microsoft.PowerShell.Workflow.ServiceCore\" and \"ExtractPluginProperties([string]$pluginDir\"\n ) and \n \n not powershell.file.script_block_text : (\"reflection.assembly]::Load('System.\" or \"LoadWithPartialName('Microsoft.\" or \"::Load(\\\"Microsoft.\" or \"Microsoft.Build.Utilities.Core.dll\") and \n \n not user.id : \"S-1-5-18\"\n", "references": ["https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.load"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, 
{"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "e26f042e-c590-4e82-8e05-41e81bd822ad", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1620", "name": "Reflective Code Loading", "reference": "https://attack.mitre.org/techniques/T1620/"}, {"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.001", "name": "Dynamic-link Library Injection", "reference": "https://attack.mitre.org/techniques/T1055/001/"}, {"id": "T1055.002", "name": "Portable Executable Injection", "reference": "https://attack.mitre.org/techniques/T1055/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 215}, "id": 
"e26f042e-c590-4e82-8e05-41e81bd822ad_215", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e28b8093-833b-4eda-b877-0873d134cf3c.json b/packages/security_detection_engine/kibana/security_rule/e28b8093-833b-4eda-b877-0873d134cf3c.json
deleted file mode 100644
index ae357f53296..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e28b8093-833b-4eda-b877-0873d134cf3c.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the ability of a process to be able to create RAW and PACKET socket types for the available network namespaces by a non-root user. A malicious process with this capability may exploit routing between hosts, bypass network access controls, and otherwise tamper with host networking if a firewall is not in place to limit the packet types and contents. The CAP_NET_RAW capability allows the process to bind to any address within the available namespaces, which allows network traffic sniffing by a non root user. The rule identifies previously unknown processes executing with CAP_NET_RAW capabilities through the use of the new terms rule type.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Network Traffic Capture via CAP_NET_RAW", "new_terms_fields": ["host.id", "user.id", "process.executable"], "query": "event.category:\"process\" and host.os.type:\"linux\" and event.type:\"start\" and event.action:\"exec\" and process.name:* and\n(process.thread.capabilities.effective:\"CAP_NET_RAW\" or process.thread.capabilities.permitted:\"CAP_NET_RAW\") and\nnot user.id:\"0\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.effective", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.permitted", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "e28b8093-833b-4eda-b877-0873d134cf3c", "setup": "## 
Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1040", "name": "Network Sniffing", "reference": "https://attack.mitre.org/techniques/T1040/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "e28b8093-833b-4eda-b877-0873d134cf3c", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e28b8093-833b-4eda-b877-0873d134cf3c_1.json b/packages/security_detection_engine/kibana/security_rule/e28b8093-833b-4eda-b877-0873d134cf3c_1.json
deleted file mode 100644
index 9b434c95bac..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e28b8093-833b-4eda-b877-0873d134cf3c_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the ability of a process to be able to create RAW and PACKET socket types for the available network namespaces by a non-root user. A malicious process with this capability may exploit routing between hosts, bypass network access controls, and otherwise tamper with host networking if a firewall is not in place to limit the packet types and contents. The CAP_NET_RAW capability allows the process to bind to any address within the available namespaces, which allows network traffic sniffing by a non root user. The rule identifies previously unknown processes executing with CAP_NET_RAW capabilities through the use of the new terms rule type.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Network Traffic Capture via CAP_NET_RAW", "new_terms_fields": ["host.id", "user.id", "process.executable"], "query": "event.category:\"process\" and host.os.type:\"linux\" and event.action:\"exec\" and event.type:\"start\" and process.name:* and\n(process.thread.capabilities.effective:\"CAP_NET_RAW\" or process.thread.capabilities.permitted:\"CAP_NET_RAW\") and\nnot user.id:\"0\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.effective", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.permitted", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "e28b8093-833b-4eda-b877-0873d134cf3c", "setup": "\nThis rule 
requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1040", "name": "Network Sniffing", "reference": "https://attack.mitre.org/techniques/T1040/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "e28b8093-833b-4eda-b877-0873d134cf3c_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e28b8093-833b-4eda-b877-0873d134cf3c_2.json b/packages/security_detection_engine/kibana/security_rule/e28b8093-833b-4eda-b877-0873d134cf3c_2.json
deleted file mode 100644
index 033b24ab4a8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e28b8093-833b-4eda-b877-0873d134cf3c_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the ability of a process to be able to create RAW and PACKET socket types for the available network namespaces by a non-root user. A malicious process with this capability may exploit routing between hosts, bypass network access controls, and otherwise tamper with host networking if a firewall is not in place to limit the packet types and contents. The CAP_NET_RAW capability allows the process to bind to any address within the available namespaces, which allows network traffic sniffing by a non root user. The rule identifies previously unknown processes executing with CAP_NET_RAW capabilities through the use of the new terms rule type.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Network Traffic Capture via CAP_NET_RAW", "new_terms_fields": ["host.id", "user.id", "process.executable"], "query": "event.category:\"process\" and host.os.type:\"linux\" and event.type:\"start\" and event.action:\"exec\" and process.name:* and\n(process.thread.capabilities.effective:\"CAP_NET_RAW\" or process.thread.capabilities.permitted:\"CAP_NET_RAW\") and\nnot user.id:\"0\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.effective", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.permitted", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "e28b8093-833b-4eda-b877-0873d134cf3c", "setup": "## 
Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1040", "name": "Network Sniffing", "reference": "https://attack.mitre.org/techniques/T1040/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "e28b8093-833b-4eda-b877-0873d134cf3c_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e28b8093-833b-4eda-b877-0873d134cf3c_3.json b/packages/security_detection_engine/kibana/security_rule/e28b8093-833b-4eda-b877-0873d134cf3c_3.json
deleted file mode 100644
index d3f47c06de1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e28b8093-833b-4eda-b877-0873d134cf3c_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the ability of a process to be able to create RAW and PACKET socket types for the available network namespaces by a non-root user. A malicious process with this capability may exploit routing between hosts, bypass network access controls, and otherwise tamper with host networking if a firewall is not in place to limit the packet types and contents. The CAP_NET_RAW capability allows the process to bind to any address within the available namespaces, which allows network traffic sniffing by a non root user. The rule identifies previously unknown processes executing with CAP_NET_RAW capabilities through the use of the new terms rule type.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Network Traffic Capture via CAP_NET_RAW", "new_terms_fields": ["host.id", "user.id", "process.executable"], "query": "event.category:\"process\" and host.os.type:\"linux\" and event.type:\"start\" and event.action:\"exec\" and process.name:* and\n(process.thread.capabilities.effective:\"CAP_NET_RAW\" or process.thread.capabilities.permitted:\"CAP_NET_RAW\") and\nnot user.id:\"0\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.effective", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.permitted", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "e28b8093-833b-4eda-b877-0873d134cf3c", "setup": "## 
Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1040", "name": "Network Sniffing", "reference": "https://attack.mitre.org/techniques/T1040/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 3}, "id": "e28b8093-833b-4eda-b877-0873d134cf3c_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef.json b/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef.json
deleted file mode 100644
index b28842d26c0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a successful login to the AWS Management Console by the Root user.", "false_positives": ["It's strongly recommended that the root user is not used for everyday tasks, including the administrative ones. Verify whether the IP address, location, and/or hostname should be logging in as root in your environment. Unfamiliar root logins should be investigated immediately. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Management Console Root Login", "note": "## Triage and analysis\n\n### Investigating AWS Management Console Root Login\n\nThe AWS root account is the one identity that has complete access to all AWS services and resources in the account, which is created when the AWS account is created. AWS strongly recommends that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. AWS provides a [list of the tasks that require root user](https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root).\n\nThis rule looks for attempts to log in to the AWS Management Console as the root user.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Examine whether this activity is common in the environment by looking for past occurrences on your logs.\n- Consider the source IP address and geolocation for the calling user who issued the command. 
Do they look normal for the calling user?\n- Examine the commands, API calls, and data management actions performed by the account in the last 24 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking access to servers,\nservices, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- The alert can be dismissed if this operation is done under change management and approved according to the organization's policy for performing a task that needs this privilege level.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Identify the services or servers involved criticality.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify if there are any regulatory or legal ramifications related to this activity.\n- Configure multi-factor authentication for the user.\n- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, 
"name": "aws.cloudtrail.user_identity.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "e2a67480-3b79-403d-96e3-fdd2992c50ef", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Signin", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "e2a67480-3b79-403d-96e3-fdd2992c50ef", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_105.json b/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_105.json
deleted file mode 100644
index 11e8cf2ac8c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a successful login to the AWS Management Console by the Root user.", "false_positives": ["It's strongly recommended that the root user is not used for everyday tasks, including the administrative ones. Verify whether the IP address, location, and/or hostname should be logging in as root in your environment. Unfamiliar root logins should be investigated immediately. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Management Console Root Login", "note": "## Triage and analysis\n\n### Investigating AWS Management Console Root Login\n\nThe AWS root account is the one identity that has complete access to all AWS services and resources in the account, which is created when the AWS account is created. AWS strongly recommends that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. AWS provides a [list of the tasks that require root user](https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root).\n\nThis rule looks for attempts to log in to the AWS Management Console as the root user.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Examine whether this activity is common in the environment by looking for past occurrences on your logs.\n- Consider the source IP address and geolocation for the calling user who issued the command. 
Do they look normal for the calling user?\n- Examine the commands, API calls, and data management actions performed by the account in the last 24 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking access to servers,\nservices, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- The alert can be dismissed if this operation is done under change management and approved according to the organization's policy for performing a task that needs this privilege level.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Identify the services or servers involved criticality.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify if there are any regulatory or legal ramifications related to this activity.\n- Configure multi-factor authentication for the user.\n- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": false, 
"name": "aws.cloudtrail.user_identity.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "e2a67480-3b79-403d-96e3-fdd2992c50ef", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "e2a67480-3b79-403d-96e3-fdd2992c50ef_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_106.json b/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_106.json
deleted file mode 100644
index 3c489af7ab5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a successful login to the AWS Management Console by the Root user.", "false_positives": ["It's strongly recommended that the root user is not used for everyday tasks, including the administrative ones. Verify whether the IP address, location, and/or hostname should be logging in as root in your environment. Unfamiliar root logins should be investigated immediately. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Management Console Root Login", "note": "## Triage and analysis\n\n### Investigating AWS Management Console Root Login\n\nThe AWS root account is the one identity that has complete access to all AWS services and resources in the account, which is created when the AWS account is created. AWS strongly recommends that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. AWS provides a [list of the tasks that require root user](https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root).\n\nThis rule looks for attempts to log in to the AWS Management Console as the root user.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Examine whether this activity is common in the environment by looking for past occurrences on your logs.\n- Consider the source IP address and geolocation for the calling user who issued the command. 
Do they look normal for the calling user?\n- Examine the commands, API calls, and data management actions performed by the account in the last 24 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking access to servers,\nservices, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- The alert can be dismissed if this operation is done under change management and approved according to the organization's policy for performing a task that needs this privilege level.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Identify the services or servers involved criticality.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify if there are any regulatory or legal ramifications related to this activity.\n- Configure multi-factor authentication for the user.\n- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": false, 
"name": "aws.cloudtrail.user_identity.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "e2a67480-3b79-403d-96e3-fdd2992c50ef", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "e2a67480-3b79-403d-96e3-fdd2992c50ef_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_107.json b/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_107.json
deleted file mode 100644
index 1f35b2dae4a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a successful login to the AWS Management Console by the Root user.", "false_positives": ["It's strongly recommended that the root user is not used for everyday tasks, including the administrative ones. Verify whether the IP address, location, and/or hostname should be logging in as root in your environment. Unfamiliar root logins should be investigated immediately. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Management Console Root Login", "note": "## Triage and analysis\n\n### Investigating AWS Management Console Root Login\n\nThe AWS root account is the one identity that has complete access to all AWS services and resources in the account, which is created when the AWS account is created. AWS strongly recommends that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. AWS provides a [list of the tasks that require root user](https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root).\n\nThis rule looks for attempts to log in to the AWS Management Console as the root user.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Examine whether this activity is common in the environment by looking for past occurrences on your logs.\n- Consider the source IP address and geolocation for the calling user who issued the command. 
Do they look normal for the calling user?\n- Examine the commands, API calls, and data management actions performed by the account in the last 24 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking access to servers,\nservices, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- The alert can be dismissed if this operation is done under change management and approved according to the organization's policy for performing a task that needs this privilege level.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Identify the services or servers involved criticality.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify if there are any regulatory or legal ramifications related to this activity.\n- Configure multi-factor authentication for the user.\n- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, 
"name": "aws.cloudtrail.user_identity.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "e2a67480-3b79-403d-96e3-fdd2992c50ef", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "e2a67480-3b79-403d-96e3-fdd2992c50ef_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_208.json b/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_208.json
deleted file mode 100644
index 8ea158c0730..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e2a67480-3b79-403d-96e3-fdd2992c50ef_208.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a successful login to the AWS Management Console by the Root user.", "false_positives": ["It's strongly recommended that the root user is not used for everyday tasks, including the administrative ones. Verify whether the IP address, location, and/or hostname should be logging in as root in your environment. Unfamiliar root logins should be investigated immediately. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Management Console Root Login", "note": "## Triage and analysis\n\n### Investigating AWS Management Console Root Login\n\nThe AWS root account is the one identity that has complete access to all AWS services and resources in the account, which is created when the AWS account is created. AWS strongly recommends that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. AWS provides a [list of the tasks that require root user](https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root).\n\nThis rule looks for attempts to log in to the AWS Management Console as the root user.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Examine whether this activity is common in the environment by looking for past occurrences on your logs.\n- Consider the source IP address and geolocation for the calling user who issued the command. 
Do they look normal for the calling user?\n- Examine the commands, API calls, and data management actions performed by the account in the last 24 hours.\n- Contact the account owner and confirm whether they are aware of this activity.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking access to servers,\nservices, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- The alert can be dismissed if this operation is done under change management and approved according to the organization's policy for performing a task that needs this privilege level.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Identify the services or servers involved criticality.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify if there are any regulatory or legal ramifications related to this activity.\n- Configure multi-factor authentication for the user.\n- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, 
"name": "aws.cloudtrail.user_identity.type", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "e2a67480-3b79-403d-96e3-fdd2992c50ef", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 208}, "id": "e2a67480-3b79-403d-96e3-fdd2992c50ef_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e2dc8f8c-5f16-42fa-b49e-0eb8057f7444.json b/packages/security_detection_engine/kibana/security_rule/e2dc8f8c-5f16-42fa-b49e-0eb8057f7444.json
deleted file mode 100644
index b4d07ef843d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e2dc8f8c-5f16-42fa-b49e-0eb8057f7444.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Adversaries may attempt to get a listing of network connections to or from a compromised system.", "from": "now-119m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "System Network Connections Discovery", "query": "process where event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nprocess.name in (\"netstat\", \"lsof\", \"who\", \"w\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1049", "name": "System Network Connections Discovery", "reference": "https://attack.mitre.org/techniques/T1049/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e2dc8f8c-5f16-42fa-b49e-0eb8057f7444_1.json b/packages/security_detection_engine/kibana/security_rule/e2dc8f8c-5f16-42fa-b49e-0eb8057f7444_1.json
deleted file mode 100644
index b011a97b432..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e2dc8f8c-5f16-42fa-b49e-0eb8057f7444_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Adversaries may attempt to get a listing of network connections to or from a compromised system.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "System Network Connections Discovery", "query": "process where event.type == \"start\" and\n process.name : (\"netstat\", \"lsof\", \"who\", \"w\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1049", "name": "System Network Connections Discovery", "reference": "https://attack.mitre.org/techniques/T1049/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e2dc8f8c-5f16-42fa-b49e-0eb8057f7444_2.json b/packages/security_detection_engine/kibana/security_rule/e2dc8f8c-5f16-42fa-b49e-0eb8057f7444_2.json
deleted file mode 100644
index f42173b251e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e2dc8f8c-5f16-42fa-b49e-0eb8057f7444_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Adversaries may attempt to get a listing of network connections to or from a compromised system.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "System Network Connections Discovery", "query": "process where event.type == \"start\" and\n process.name : (\"netstat\", \"lsof\", \"who\", \"w\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1049", "name": "System Network Connections Discovery", "reference": "https://attack.mitre.org/techniques/T1049/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a.json b/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a.json
deleted file mode 100644
index a96d1af76af..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Subsystem for Linux Enabled via Dism Utility", "note": "## Triage and analysis\n\n### Investigating Windows Subsystem for Linux Enabled via Dism Utility\n\nThe Windows Subsystem for Linux (WSL) lets developers install a Linux distribution (such as Ubuntu, OpenSUSE, Kali, Debian, Arch Linux, etc) and use Linux applications, utilities, and Bash command-line tools directly on Windows, unmodified, without the overhead of a traditional virtual machine or dualboot setup. Attackers may abuse WSL to avoid security protections on a Windows host and perform a wide range of attacks.\n\nThis rule identifies attempts to enable WSL using the Dism utility. It monitors for the execution of Dism and checks if the command line contains the string \"Microsoft-Windows-Subsystem-Linux\". \n\n### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and WSL is homologated and approved in the environment.\n\n### Related Rules\n\n- Execution via Windows Subsystem for Linux - db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\n- Suspicious Execution via Windows Subsystem for Linux - 3e0eeb75-16e8-4f2f-9826-62461ca128b7\n- Host Files System Changes via Windows Subsystem for Linux - e88d1fe9-b2f4-48d4-bace-a026dc745d4b\n- Windows Subsystem for Linux Distribution Installed - a1699af0-8e1e-4ed0-8ec1-89783538a061\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n (process.name : \"Dism.exe\" or ?process.pe.original_file_name == \"DISM.EXE\") and \n process.command_line : \"*Microsoft-Windows-Subsystem-Linux*\"\n", "references": ["https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "e2e0537d-7d8f-4910-a11d-559bcf61295a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "e2e0537d-7d8f-4910-a11d-559bcf61295a", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_2.json b/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_2.json
deleted file mode 100644
index 359f7a1aee8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Subsystem for Linux Enabled via Dism Utility", "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n (process.name : \"Dism.exe\" or process.pe.original_file_name == \"DISM.EXE\") and \n process.command_line : \"*Microsoft-Windows-Subsystem-Linux*\"\n", "references": ["https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "e2e0537d-7d8f-4910-a11d-559bcf61295a", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "e2e0537d-7d8f-4910-a11d-559bcf61295a_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_208.json b/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_208.json
deleted file mode 100644
index 07e56430b78..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_208.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Subsystem for Linux Enabled via Dism Utility", "note": "## Triage and analysis\n\n### Investigating Windows Subsystem for Linux Enabled via Dism Utility\n\nThe Windows Subsystem for Linux (WSL) lets developers install a Linux distribution (such as Ubuntu, OpenSUSE, Kali, Debian, Arch Linux, etc) and use Linux applications, utilities, and Bash command-line tools directly on Windows, unmodified, without the overhead of a traditional virtual machine or dualboot setup. Attackers may abuse WSL to avoid security protections on a Windows host and perform a wide range of attacks.\n\nThis rule identifies attempts to enable WSL using the Dism utility. It monitors for the execution of Dism and checks if the command line contains the string \"Microsoft-Windows-Subsystem-Linux\". \n\n### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and WSL is homologated and approved in the environment.\n\n### Related Rules\n\n- Execution via Windows Subsystem for Linux - db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\n- Suspicious Execution via Windows Subsystem for Linux - 3e0eeb75-16e8-4f2f-9826-62461ca128b7\n- Host Files System Changes via Windows Subsystem for Linux - e88d1fe9-b2f4-48d4-bace-a026dc745d4b\n- Windows Subsystem for Linux Distribution Installed - a1699af0-8e1e-4ed0-8ec1-89783538a061\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n (process.name : \"Dism.exe\" or ?process.pe.original_file_name == \"DISM.EXE\") and \n process.command_line : \"*Microsoft-Windows-Subsystem-Linux*\"\n", "references": ["https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "e2e0537d-7d8f-4910-a11d-559bcf61295a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": 
"https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 208}, "id": "e2e0537d-7d8f-4910-a11d-559bcf61295a_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_3.json b/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_3.json
deleted file mode 100644
index 1802688b4ca..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Subsystem for Linux Enabled via Dism Utility", "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n (process.name : \"Dism.exe\" or process.pe.original_file_name == \"DISM.EXE\") and \n process.command_line : \"*Microsoft-Windows-Subsystem-Linux*\"\n", "references": ["https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "e2e0537d-7d8f-4910-a11d-559bcf61295a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "e2e0537d-7d8f-4910-a11d-559bcf61295a_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_4.json b/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_4.json
deleted file mode 100644
index 9faeb9da3e1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Subsystem for Linux Enabled via Dism Utility", "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n (process.name : \"Dism.exe\" or process.pe.original_file_name == \"DISM.EXE\") and \n process.command_line : \"*Microsoft-Windows-Subsystem-Linux*\"\n", "references": ["https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "e2e0537d-7d8f-4910-a11d-559bcf61295a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "e2e0537d-7d8f-4910-a11d-559bcf61295a_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_5.json b/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_5.json
deleted file mode 100644
index ae862430587..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Subsystem for Linux Enabled via Dism Utility", "note": "## Triage and analysis\n\n### Investigating Windows Subsystem for Linux Enabled via Dism Utility\n\nThe Windows Subsystem for Linux (WSL) lets developers install a Linux distribution (such as Ubuntu, OpenSUSE, Kali, Debian, Arch Linux, etc) and use Linux applications, utilities, and Bash command-line tools directly on Windows, unmodified, without the overhead of a traditional virtual machine or dualboot setup. Attackers may abuse WSL to avoid security protections on a Windows host and perform a wide range of attacks.\n\nThis rule identifies attempts to enable WSL using the Dism utility. It monitors for the execution of Dism and checks if the command line contains the string \"Microsoft-Windows-Subsystem-Linux\". \n\n### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and WSL is homologated and approved in the environment.\n\n### Related Rules\n\n- Execution via Windows Subsystem for Linux - db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\n- Suspicious Execution via Windows Subsystem for Linux - 3e0eeb75-16e8-4f2f-9826-62461ca128b7\n- Host Files System Changes via Windows Subsystem for Linux - e88d1fe9-b2f4-48d4-bace-a026dc745d4b\n- Windows Subsystem for Linux Distribution Installed - a1699af0-8e1e-4ed0-8ec1-89783538a061\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n (process.name : \"Dism.exe\" or process.pe.original_file_name == \"DISM.EXE\") and \n process.command_line : \"*Microsoft-Windows-Subsystem-Linux*\"\n", "references": ["https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "e2e0537d-7d8f-4910-a11d-559bcf61295a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "e2e0537d-7d8f-4910-a11d-559bcf61295a_5", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_6.json b/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_6.json
deleted file mode 100644
index 64f2dff747b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Subsystem for Linux Enabled via Dism Utility", "note": "## Triage and analysis\n\n### Investigating Windows Subsystem for Linux Enabled via Dism Utility\n\nThe Windows Subsystem for Linux (WSL) lets developers install a Linux distribution (such as Ubuntu, OpenSUSE, Kali, Debian, Arch Linux, etc) and use Linux applications, utilities, and Bash command-line tools directly on Windows, unmodified, without the overhead of a traditional virtual machine or dualboot setup. Attackers may abuse WSL to avoid security protections on a Windows host and perform a wide range of attacks.\n\nThis rule identifies attempts to enable WSL using the Dism utility. It monitors for the execution of Dism and checks if the command line contains the string \"Microsoft-Windows-Subsystem-Linux\". \n\n### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and WSL is homologated and approved in the environment.\n\n### Related Rules\n\n- Execution via Windows Subsystem for Linux - db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\n- Suspicious Execution via Windows Subsystem for Linux - 3e0eeb75-16e8-4f2f-9826-62461ca128b7\n- Host Files System Changes via Windows Subsystem for Linux - e88d1fe9-b2f4-48d4-bace-a026dc745d4b\n- Windows Subsystem for Linux Distribution Installed - a1699af0-8e1e-4ed0-8ec1-89783538a061\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n (process.name : \"Dism.exe\" or ?process.pe.original_file_name == \"DISM.EXE\") and \n process.command_line : \"*Microsoft-Windows-Subsystem-Linux*\"\n", "references": ["https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "e2e0537d-7d8f-4910-a11d-559bcf61295a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "e2e0537d-7d8f-4910-a11d-559bcf61295a_6", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_7.json b/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_7.json
deleted file mode 100644
index 9442d759f10..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Subsystem for Linux Enabled via Dism Utility", "note": "## Triage and analysis\n\n### Investigating Windows Subsystem for Linux Enabled via Dism Utility\n\nThe Windows Subsystem for Linux (WSL) lets developers install a Linux distribution (such as Ubuntu, OpenSUSE, Kali, Debian, Arch Linux, etc) and use Linux applications, utilities, and Bash command-line tools directly on Windows, unmodified, without the overhead of a traditional virtual machine or dualboot setup. Attackers may abuse WSL to avoid security protections on a Windows host and perform a wide range of attacks.\n\nThis rule identifies attempts to enable WSL using the Dism utility. It monitors for the execution of Dism and checks if the command line contains the string \"Microsoft-Windows-Subsystem-Linux\". \n\n### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and WSL is homologated and approved in the environment.\n\n### Related Rules\n\n- Execution via Windows Subsystem for Linux - db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\n- Suspicious Execution via Windows Subsystem for Linux - 3e0eeb75-16e8-4f2f-9826-62461ca128b7\n- Host Files System Changes via Windows Subsystem for Linux - e88d1fe9-b2f4-48d4-bace-a026dc745d4b\n- Windows Subsystem for Linux Distribution Installed - a1699af0-8e1e-4ed0-8ec1-89783538a061\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n (process.name : \"Dism.exe\" or ?process.pe.original_file_name == \"DISM.EXE\") and \n process.command_line : \"*Microsoft-Windows-Subsystem-Linux*\"\n", "references": ["https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "e2e0537d-7d8f-4910-a11d-559bcf61295a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "e2e0537d-7d8f-4910-a11d-559bcf61295a_7", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_8.json b/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_8.json
deleted file mode 100644
index 5777cc0a8de..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e2e0537d-7d8f-4910-a11d-559bcf61295a_8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to enable the Windows Subsystem for Linux using Microsoft Dism utility. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Subsystem for Linux Enabled via Dism Utility", "note": "## Triage and analysis\n\n### Investigating Windows Subsystem for Linux Enabled via Dism Utility\n\nThe Windows Subsystem for Linux (WSL) lets developers install a Linux distribution (such as Ubuntu, OpenSUSE, Kali, Debian, Arch Linux, etc) and use Linux applications, utilities, and Bash command-line tools directly on Windows, unmodified, without the overhead of a traditional virtual machine or dualboot setup. Attackers may abuse WSL to avoid security protections on a Windows host and perform a wide range of attacks.\n\nThis rule identifies attempts to enable WSL using the Dism utility. It monitors for the execution of Dism and checks if the command line contains the string \"Microsoft-Windows-Subsystem-Linux\". \n\n### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This is a dual-use tool, meaning its usage is not inherently malicious. 
Analysts can dismiss the alert if the administrator is aware of the activity, no other suspicious activity was identified, and WSL is homologated and approved in the environment.\n\n### Related Rules\n\n- Execution via Windows Subsystem for Linux - db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd\n- Suspicious Execution via Windows Subsystem for Linux - 3e0eeb75-16e8-4f2f-9826-62461ca128b7\n- Host Files System Changes via Windows Subsystem for Linux - e88d1fe9-b2f4-48d4-bace-a026dc745d4b\n- Windows Subsystem for Linux Distribution Installed - a1699af0-8e1e-4ed0-8ec1-89783538a061\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type : \"start\" and\n (process.name : \"Dism.exe\" or ?process.pe.original_file_name == \"DISM.EXE\") and \n process.command_line : \"*Microsoft-Windows-Subsystem-Linux*\"\n", "references": ["https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "e2e0537d-7d8f-4910-a11d-559bcf61295a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "e2e0537d-7d8f-4910-a11d-559bcf61295a_8", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2.json b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2.json
deleted file mode 100644
index 87480971fc0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Execution via Renamed PsExec Executable", "note": "## Triage and analysis\n\n### Investigating Suspicious Process Execution via Renamed PsExec Executable\n\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. It operates by executing a service component `Psexecsvc` on a remote system, which then runs a specified process and returns the results to the local system. Microsoft develops PsExec as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\n\nThis rule identifies instances where the PsExec service component is executed using a custom name. This behavior can indicate an attempt to bypass security controls or detections that look for the default PsExec service component name.\n\n#### Possible investigation steps\n\n- Check if the usage of this tool complies with the organization's administration policy.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the target computer and its role in the IT environment.\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"psexesvc.exe\" and not process.name : \"PSEXESVC.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` 
and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_104.json b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_104.json
deleted file mode 100644
index 3a19ddb835e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Execution via Renamed PsExec Executable", "note": "## Triage and analysis\n\n### Investigating PsExec Network Connection\n\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. It operates by executing a service component `Psexecsvc` on a remote system, which then runs a specified process and returns the results to the local system. Microsoft develops PsExec as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\n\nThis rule identifies instances where the PsExec service component is executed using a custom name. This behavior can indicate an attempt to bypass security controls or detections that look for the default PsExec service component name.\n\n#### Possible investigation steps\n\n- Check if the usage of this tool complies with the organization's administration policy.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the target computer and its role in the IT environment.\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"psexesvc.exe\" and not process.name : \"PSEXESVC.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default 
fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_105.json b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_105.json
deleted file mode 100644
index e1d4ed2bc2c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Execution via Renamed PsExec Executable", "note": "## Triage and analysis\n\n### Investigating PsExec Network Connection\n\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. It operates by executing a service component `Psexecsvc` on a remote system, which then runs a specified process and returns the results to the local system. Microsoft develops PsExec as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\n\nThis rule identifies instances where the PsExec service component is executed using a custom name. This behavior can indicate an attempt to bypass security controls or detections that look for the default PsExec service component name.\n\n#### Possible investigation steps\n\n- Check if the usage of this tool complies with the organization's administration policy.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the target computer and its role in the IT environment.\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"psexesvc.exe\" and not process.name : \"PSEXESVC.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default 
fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_106.json b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_106.json
deleted file mode 100644
index 3390a152971..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Execution via Renamed PsExec Executable", "note": "## Triage and analysis\n\n### Investigating PsExec Network Connection\n\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. It operates by executing a service component `Psexecsvc` on a remote system, which then runs a specified process and returns the results to the local system. Microsoft develops PsExec as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\n\nThis rule identifies instances where the PsExec service component is executed using a custom name. This behavior can indicate an attempt to bypass security controls or detections that look for the default PsExec service component name.\n\n#### Possible investigation steps\n\n- Check if the usage of this tool complies with the organization's administration policy.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the target computer and its role in the IT environment.\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"psexesvc.exe\" and not process.name : \"PSEXESVC.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default 
fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_107.json b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_107.json
deleted file mode 100644
index 11151bab2c2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Execution via Renamed PsExec Executable", "note": "## Triage and analysis\n\n### Investigating Suspicious Process Execution via Renamed PsExec Executable\n\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. It operates by executing a service component `Psexecsvc` on a remote system, which then runs a specified process and returns the results to the local system. Microsoft develops PsExec as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\n\nThis rule identifies instances where the PsExec service component is executed using a custom name. This behavior can indicate an attempt to bypass security controls or detections that look for the default PsExec service component name.\n\n#### Possible investigation steps\n\n- Check if the usage of this tool complies with the organization's administration policy.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the target computer and its role in the IT environment.\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"psexesvc.exe\" and not process.name : \"PSEXESVC.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default 
fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_108.json b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_108.json deleted file mode 100644 index 489f9048d34..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Execution via Renamed PsExec Executable", "note": "## Triage and analysis\n\n### Investigating Suspicious Process Execution via Renamed PsExec Executable\n\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. It operates by executing a service component `Psexecsvc` on a remote system, which then runs a specified process and returns the results to the local system. Microsoft develops PsExec as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\n\nThis rule identifies instances where the PsExec service component is executed using a custom name. This behavior can indicate an attempt to bypass security controls or detections that look for the default PsExec service component name.\n\n#### Possible investigation steps\n\n- Check if the usage of this tool complies with the organization's administration policy.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the target computer and its role in the IT environment.\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"psexesvc.exe\" and not process.name : \"PSEXESVC.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default 
fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_109.json b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_109.json deleted file mode 100644 index 3aabd647baa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Execution via Renamed PsExec Executable", "note": "## Triage and analysis\n\n### Investigating Suspicious Process Execution via Renamed PsExec Executable\n\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. It operates by executing a service component `Psexecsvc` on a remote system, which then runs a specified process and returns the results to the local system. Microsoft develops PsExec as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\n\nThis rule identifies instances where the PsExec service component is executed using a custom name. This behavior can indicate an attempt to bypass security controls or detections that look for the default PsExec service component name.\n\n#### Possible investigation steps\n\n- Check if the usage of this tool complies with the organization's administration policy.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the target computer and its role in the IT environment.\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"psexesvc.exe\" and not process.name : \"PSEXESVC.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and 
default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_110.json b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_110.json deleted file mode 100644 index 8fccfd9c1ab..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Execution via Renamed PsExec Executable", "note": "## Triage and analysis\n\n### Investigating Suspicious Process Execution via Renamed PsExec Executable\n\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. It operates by executing a service component `Psexecsvc` on a remote system, which then runs a specified process and returns the results to the local system. Microsoft develops PsExec as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\n\nThis rule identifies instances where the PsExec service component is executed using a custom name. This behavior can indicate an attempt to bypass security controls or detections that look for the default PsExec service component name.\n\n#### Possible investigation steps\n\n- Check if the usage of this tool complies with the organization's administration policy.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the target computer and its role in the IT environment.\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"psexesvc.exe\" and not process.name : \"PSEXESVC.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` 
and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_111.json b/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_111.json deleted file mode 100644 index 27997225b90..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to evade detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Process Execution via Renamed PsExec Executable", "note": "## Triage and analysis\n\n### Investigating Suspicious Process Execution via Renamed PsExec Executable\n\nPsExec is a remote administration tool that enables the execution of commands with both regular and SYSTEM privileges on Windows systems. It operates by executing a service component `Psexecsvc` on a remote system, which then runs a specified process and returns the results to the local system. Microsoft develops PsExec as part of the Sysinternals Suite. Although commonly used by administrators, PsExec is frequently used by attackers to enable lateral movement and execute commands as SYSTEM to disable defenses and bypass security protections.\n\nThis rule identifies instances where the PsExec service component is executed using a custom name. This behavior can indicate an attempt to bypass security controls or detections that look for the default PsExec service component name.\n\n#### Possible investigation steps\n\n- Check if the usage of this tool complies with the organization's administration policy.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Identify the target computer and its role in the IT environment.\n- Investigate what commands were run, and assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
As long as the analyst did not identify suspicious activity related to the user or involved hosts, and the tool is allowed by the organization's policy, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - Prioritize cases involving critical servers and users.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.pe.original_file_name : \"psexesvc.exe\" and not process.name : \"PSEXESVC.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` 
and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1569", "name": "System Services", "reference": "https://attack.mitre.org/techniques/T1569/", "subtechnique": [{"id": "T1569.002", "name": "Service Execution", "reference": "https://attack.mitre.org/techniques/T1569/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd.json b/packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd.json deleted file mode 100644 index 7f768711e2d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an Identity and Access Management (IAM) role deletion in Google Cloud Platform (GCP). A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. An adversary may delete an IAM role to inhibit access to accounts utilized by legitimate users.", "false_positives": ["Role deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP IAM Role Deletion", "note": "", "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success\n", "references": ["https://cloud.google.com/iam/docs/understanding-roles"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "e2fb5b18-e33c-4270-851e-c3d675c9afcd", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", 
"type": "query", "version": 104}, "id": "e2fb5b18-e33c-4270-851e-c3d675c9afcd", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd_103.json b/packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd_103.json
deleted file mode 100644
index 34fdbd7acf0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e2fb5b18-e33c-4270-851e-c3d675c9afcd_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an Identity and Access Management (IAM) role deletion in Google Cloud Platform (GCP). A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. An adversary may delete an IAM role to inhibit access to accounts utilized by legitimate users.", "false_positives": ["Role deletions may be done by a system or network administrator. Verify whether the user email, resource name, and/or hostname should be making changes in your environment. Role deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP IAM Role Deletion", "note": "", "query": "event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success\n", "references": ["https://cloud.google.com/iam/docs/understanding-roles"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "e2fb5b18-e33c-4270-851e-c3d675c9afcd", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": "https://attack.mitre.org/techniques/T1531/"}]}], "timestamp_override": "event.ingested", "type": "query", 
"version": 103}, "id": "e2fb5b18-e33c-4270-851e-c3d675c9afcd_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f.json b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f.json
deleted file mode 100644
index ec67aef4247..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", "false_positives": ["The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Process Activity via Compiled HTML File", "note": "## Triage and analysis\n\n### Investigating Process Activity via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the parent process to gain understanding of what triggered this behavior.\n - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, 
path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"hh.exe\" and\n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": 
"T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.001", "name": "Compiled HTML File", "reference": "https://attack.mitre.org/techniques/T1218/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "e3343ab9-4245-4715-b344-e11c56b0a47f", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_104.json b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_104.json
deleted file mode 100644
index d237652f549..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", "false_positives": ["The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Activity via Compiled HTML File", "note": "## Triage and analysis\n\n### Investigating Process Activity via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the parent process to gain understanding of what triggered this behavior.\n - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"hh.exe\" and\n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense 
Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.001", "name": "Compiled HTML File", "reference": "https://attack.mitre.org/techniques/T1218/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "e3343ab9-4245-4715-b344-e11c56b0a47f_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_105.json b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_105.json
deleted file mode 100644
index a7d386a0465..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", "false_positives": ["The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Activity via Compiled HTML File", "note": "## Triage and analysis\n\n### Investigating Process Activity via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the parent process to gain understanding of what triggered this behavior.\n - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, 
path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"hh.exe\" and\n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense 
Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.001", "name": "Compiled HTML File", "reference": "https://attack.mitre.org/techniques/T1218/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "e3343ab9-4245-4715-b344-e11c56b0a47f_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_106.json b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_106.json
deleted file mode 100644
index 689e4a6e3e8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", "false_positives": ["The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Activity via Compiled HTML File", "note": "## Triage and analysis\n\n### Investigating Process Activity via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the parent process to gain understanding of what triggered this behavior.\n - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, 
path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"hh.exe\" and\n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.001", "name": "Compiled HTML File", "reference": "https://attack.mitre.org/techniques/T1218/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "e3343ab9-4245-4715-b344-e11c56b0a47f_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_107.json b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_107.json
deleted file mode 100644
index 42a7fbb17cf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", "false_positives": ["The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Activity via Compiled HTML File", "note": "## Triage and analysis\n\n### Investigating Process Activity via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the parent process to gain understanding of what triggered this behavior.\n - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, 
path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"hh.exe\" and\n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": 
"https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.001", "name": "Compiled HTML File", "reference": "https://attack.mitre.org/techniques/T1218/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "e3343ab9-4245-4715-b344-e11c56b0a47f_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_108.json b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_108.json
deleted file mode 100644
index ac9116ba570..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", "false_positives": ["The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Activity via Compiled HTML File", "note": "## Triage and analysis\n\n### Investigating Process Activity via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the parent process to gain understanding of what triggered this behavior.\n - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, 
path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"hh.exe\" and\n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", 
"reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.001", "name": "Compiled HTML File", "reference": "https://attack.mitre.org/techniques/T1218/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "e3343ab9-4245-4715-b344-e11c56b0a47f_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_109.json b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_109.json
deleted file mode 100644
index 017529d41b6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", "false_positives": ["The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Process Activity via Compiled HTML File", "note": "## Triage and analysis\n\n### Investigating Process Activity via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the parent process to gain understanding of what triggered this behavior.\n - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, 
path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"hh.exe\" and\n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User 
Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.001", "name": "Compiled HTML File", "reference": "https://attack.mitre.org/techniques/T1218/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "e3343ab9-4245-4715-b344-e11c56b0a47f_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_110.json b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_110.json
deleted file mode 100644
index 34ff9b3d78a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", "false_positives": ["The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Process Activity via Compiled HTML File", "note": "## Triage and analysis\n\n### Investigating Process Activity via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the parent process to gain understanding of what triggered this behavior.\n - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, 
path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"hh.exe\" and\n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User 
Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.001", "name": "Compiled HTML File", "reference": "https://attack.mitre.org/techniques/T1218/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "e3343ab9-4245-4715-b344-e11c56b0a47f_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_111.json b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_111.json
deleted file mode 100644
index 5eb4f213db7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", "false_positives": ["The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Process Activity via Compiled HTML File", "note": "## Triage and analysis\n\n### Investigating Process Activity via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the parent process to gain understanding of what triggered this behavior.\n - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, 
path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"hh.exe\" and\n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": 
"T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.001", "name": "Compiled HTML File", "reference": "https://attack.mitre.org/techniques/T1218/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "e3343ab9-4245-4715-b344-e11c56b0a47f_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_311.json b/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_311.json
deleted file mode 100644
index f7329bac67a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3343ab9-4245-4715-b344-e11c56b0a47f_311.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. Adversaries may conceal malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).", "false_positives": ["The HTML Help executable program (hh.exe) runs whenever a user clicks a compiled help (.chm) file or menu item that opens the help file inside the Help Viewer. This is not always malicious, but adversaries may abuse this technology to conceal malicious code."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Process Activity via Compiled HTML File", "note": "## Triage and analysis\n\n### Investigating Process Activity via Compiled HTML File\n\nCHM (Compiled HTML) files are a format for delivering online help files on Windows. CHM files are compressed compilations of various content, such as HTML documents, images, and scripting/web-related programming languages such as VBA, JScript, Java, and ActiveX.\n\nWhen users double-click CHM files, the HTML Help executable program (`hh.exe`) will execute them. `hh.exe` also can be used to execute code embedded in those files, PowerShell scripts, and executables. This makes it useful for attackers not only to proxy the execution of malicious payloads via a signed binary that could bypass security controls, but also to gain initial access to environments via social engineering methods.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the parent process to gain understanding of what triggered this behavior.\n - Retrieve `.chm`, `.ps1`, and other files that were involved to further examination.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executables, scripts and help files retrieved from the system using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, 
path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"hh.exe\" and\n process.name : (\"mshta.exe\", \"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\", \"cscript.exe\", \"wscript.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e3343ab9-4245-4715-b344-e11c56b0a47f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.001", "name": "Compiled HTML File", "reference": "https://attack.mitre.org/techniques/T1218/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 311}, "id": "e3343ab9-4245-4715-b344-e11c56b0a47f_311", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19.json b/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19.json
deleted file mode 100644
index 0b4742ccc42..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a Route53 private hosted zone has been associated with VPC.", "false_positives": ["A private hosted zone may be asssociated with a VPC by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route53 private hosted zone associated with a VPC", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and\nevent.outcome:success\n", "references": ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "e3c27562-709a-42bd-82f2-3ed926cced19", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Asset Visibility", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": 
"query", "version": 206}, "id": "e3c27562-709a-42bd-82f2-3ed926cced19", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_102.json b/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_102.json
deleted file mode 100644
index 837995528ff..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a Route53 private hosted zone has been associated with VPC.", "false_positives": ["A private hosted zone may be asssociated with a VPC by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route53 private hosted zone associated with a VPC", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and\nevent.outcome:success\n", "references": ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "e3c27562-709a-42bd-82f2-3ed926cced19", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": 
"e3c27562-709a-42bd-82f2-3ed926cced19_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_103.json b/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_103.json
deleted file mode 100644
index 56e49d8d7cd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a Route53 private hosted zone has been associated with VPC.", "false_positives": ["A private hosted zone may be asssociated with a VPC by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route53 private hosted zone associated with a VPC", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and\nevent.outcome:success\n", "references": ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "e3c27562-709a-42bd-82f2-3ed926cced19", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": 
"e3c27562-709a-42bd-82f2-3ed926cced19_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_104.json b/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_104.json
deleted file mode 100644
index baa6cb93e2a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a Route53 private hosted zone has been associated with VPC.", "false_positives": ["A private hosted zone may be asssociated with a VPC by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route53 private hosted zone associated with a VPC", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and\nevent.outcome:success\n", "references": ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "e3c27562-709a-42bd-82f2-3ed926cced19", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": 
"e3c27562-709a-42bd-82f2-3ed926cced19_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_205.json b/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_205.json
deleted file mode 100644
index 92901ae762c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3c27562-709a-42bd-82f2-3ed926cced19_205.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when a Route53 private hosted zone has been associated with VPC.", "false_positives": ["A private hosted zone may be asssociated with a VPC by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route53 private hosted zone associated with a VPC", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and\nevent.outcome:success\n", "references": ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "e3c27562-709a-42bd-82f2-3ed926cced19", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": 
"e3c27562-709a-42bd-82f2-3ed926cced19_205", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e3c5d5cb-41d5-4206-805c-f30561eae3ac.json b/packages/security_detection_engine/kibana/security_rule/e3c5d5cb-41d5-4206-805c-f30561eae3ac.json
deleted file mode 100644
index f3590a66dd7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3c5d5cb-41d5-4206-805c-f30561eae3ac.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Ransomware - Prevented - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 73, "rule_id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac", "setup": "## Setup\n\nThis rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.\n\n**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. 
For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.\n\nTo make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.\n\n**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.", "severity": "high", "tags": ["Data Source: Elastic Endgame"], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e3c5d5cb-41d5-4206-805c-f30561eae3ac_100.json b/packages/security_detection_engine/kibana/security_rule/e3c5d5cb-41d5-4206-805c-f30561eae3ac_100.json
deleted file mode 100644
index eda632e55d6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3c5d5cb-41d5-4206-805c-f30561eae3ac_100.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Ransomware - Prevented - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 73, "rule_id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac", "severity": "high", "tags": ["Elastic", "Elastic Endgame"], "type": "query", "version": 100}, "id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac_100", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e3c5d5cb-41d5-4206-805c-f30561eae3ac_101.json b/packages/security_detection_engine/kibana/security_rule/e3c5d5cb-41d5-4206-805c-f30561eae3ac_101.json deleted file mode 100644 index 78d82d0aedd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e3c5d5cb-41d5-4206-805c-f30561eae3ac_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Ransomware - Prevented - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 73, "rule_id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac", "severity": "high", "tags": ["Data Source: Elastic Endgame"], "type": "query", "version": 101}, "id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e3c5d5cb-41d5-4206-805c-f30561eae3ac_102.json b/packages/security_detection_engine/kibana/security_rule/e3c5d5cb-41d5-4206-805c-f30561eae3ac_102.json deleted file mode 100644 index 4663cafe690..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e3c5d5cb-41d5-4206-805c-f30561eae3ac_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "from": "now-15m", "index": ["endgame-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "Ransomware - Prevented - Elastic Endgame", "query": "event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event)\n", "required_fields": [{"ecs": false, "name": "endgame.event_subtype_full", "type": "unknown"}, {"ecs": false, "name": "endgame.metadata.type", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 73, "rule_id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac", "severity": "high", "tags": ["Data Source: Elastic Endgame"], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "e3c5d5cb-41d5-4206-805c-f30561eae3ac_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d.json b/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d.json deleted file mode 100644 index d54a1d6b89c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Free SSL Certificate Providers", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n /* Add new free SSL certificate provider domains here */\n dns.question.name : (\"*letsencrypt.org\", \"*.sslforfree.com\", \"*.zerossl.com\", \"*.freessl.org\") and\n\n /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\n process.executable : (\"C:\\\\Windows\\\\System32\\\\*.exe\",\n \"C:\\\\Windows\\\\System\\\\*.exe\",\n\t \"C:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\explorer.exe\",\n\t\t \"C:\\\\Windows\\\\notepad.exe\") and\n\n /* Insert noisy false positives here */\n not process.name : (\"svchost.exe\", \"MicrosoftEdge*.exe\", \"msedge.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL 
rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1573", "name": "Encrypted Channel", "reference": "https://attack.mitre.org/techniques/T1573/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_102.json b/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_102.json
deleted file mode 100644
index 69fd8e20c0a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Free SSL Certificate Providers", "note": "", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n /* Add new free SSL certificate provider domains here */\n dns.question.name : (\"*letsencrypt.org\", \"*.sslforfree.com\", \"*.zerossl.com\", \"*.freessl.org\") and\n\n /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\n process.executable : (\"C:\\\\Windows\\\\System32\\\\*.exe\",\n \"C:\\\\Windows\\\\System\\\\*.exe\",\n\t \"C:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\explorer.exe\",\n\t\t \"C:\\\\Windows\\\\notepad.exe\") and\n\n /* Insert noisy false positives here */\n not process.name : (\"svchost.exe\", \"MicrosoftEdge*.exe\", \"msedge.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, 
so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1573", "name": "Encrypted Channel", "reference": "https://attack.mitre.org/techniques/T1573/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_103.json b/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_103.json
deleted file mode 100644
index f14c432cb0e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Free SSL Certificate Providers", "note": "", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n /* Add new free SSL certificate provider domains here */\n dns.question.name : (\"*letsencrypt.org\", \"*.sslforfree.com\", \"*.zerossl.com\", \"*.freessl.org\") and\n\n /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\n process.executable : (\"C:\\\\Windows\\\\System32\\\\*.exe\",\n \"C:\\\\Windows\\\\System\\\\*.exe\",\n\t \"C:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\explorer.exe\",\n\t\t \"C:\\\\Windows\\\\notepad.exe\") and\n\n /* Insert noisy false positives here */\n not process.name : (\"svchost.exe\", \"MicrosoftEdge*.exe\", \"msedge.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, 
so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1573", "name": "Encrypted Channel", "reference": "https://attack.mitre.org/techniques/T1573/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_104.json b/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_104.json
deleted file mode 100644
index 54a9016920d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Free SSL Certificate Providers", "note": "", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n /* Add new free SSL certificate provider domains here */\n dns.question.name : (\"*letsencrypt.org\", \"*.sslforfree.com\", \"*.zerossl.com\", \"*.freessl.org\") and\n\n /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\n process.executable : (\"C:\\\\Windows\\\\System32\\\\*.exe\",\n \"C:\\\\Windows\\\\System\\\\*.exe\",\n\t \"C:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\explorer.exe\",\n\t\t \"C:\\\\Windows\\\\notepad.exe\") and\n\n /* Insert noisy false positives here */\n not process.name : (\"svchost.exe\", \"MicrosoftEdge*.exe\", \"msedge.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, 
so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1573", "name": "Encrypted Channel", "reference": "https://attack.mitre.org/techniques/T1573/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_105.json b/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_105.json
deleted file mode 100644
index d7728bf8844..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Free SSL Certificate Providers", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n /* Add new free SSL certificate provider domains here */\n dns.question.name : (\"*letsencrypt.org\", \"*.sslforfree.com\", \"*.zerossl.com\", \"*.freessl.org\") and\n\n /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\n process.executable : (\"C:\\\\Windows\\\\System32\\\\*.exe\",\n \"C:\\\\Windows\\\\System\\\\*.exe\",\n\t \"C:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\explorer.exe\",\n\t\t \"C:\\\\Windows\\\\notepad.exe\") and\n\n /* Insert noisy false positives here */\n not process.name : (\"svchost.exe\", \"MicrosoftEdge*.exe\", \"msedge.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 
8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1573", "name": "Encrypted Channel", "reference": "https://attack.mitre.org/techniques/T1573/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_106.json b/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_106.json
deleted file mode 100644
index a91da14f6fc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Free SSL Certificate Providers", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n /* Add new free SSL certificate provider domains here */\n dns.question.name : (\"*letsencrypt.org\", \"*.sslforfree.com\", \"*.zerossl.com\", \"*.freessl.org\") and\n\n /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\n process.executable : (\"C:\\\\Windows\\\\System32\\\\*.exe\",\n \"C:\\\\Windows\\\\System\\\\*.exe\",\n\t \"C:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\explorer.exe\",\n\t\t \"C:\\\\Windows\\\\notepad.exe\") and\n\n /* Insert noisy false positives here */\n not process.name : (\"svchost.exe\", \"MicrosoftEdge*.exe\", \"msedge.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was 
not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1573", "name": "Encrypted Channel", "reference": "https://attack.mitre.org/techniques/T1573/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_107.json b/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_107.json
deleted file mode 100644
index b5ddfbedd4d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies unusual processes connecting to domains using known free SSL certificates. Adversaries may employ a known encryption algorithm to conceal command and control traffic.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Connection to Commonly Abused Free SSL Certificate Providers", "query": "network where host.os.type == \"windows\" and network.protocol == \"dns\" and\n /* Add new free SSL certificate provider domains here */\n dns.question.name : (\"*letsencrypt.org\", \"*.sslforfree.com\", \"*.zerossl.com\", \"*.freessl.org\") and\n\n /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */\n process.executable : (\"C:\\\\Windows\\\\System32\\\\*.exe\",\n \"C:\\\\Windows\\\\System\\\\*.exe\",\n\t \"C:\\\\Windows\\\\SysWOW64\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\*.exe\",\n\t\t \"C:\\\\Windows\\\\explorer.exe\",\n\t\t \"C:\\\\Windows\\\\notepad.exe\") and\n\n /* Insert noisy false positives here */\n not process.name : (\"svchost.exe\", \"MicrosoftEdge*.exe\", \"msedge.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "dns.question.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL 
rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1573", "name": "Encrypted Channel", "reference": "https://attack.mitre.org/techniques/T1573/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3.json b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3.json
deleted file mode 100644
index df6a6beb1d1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via KDE AutoStart Script or Desktop File Modification", "note": "## Triage and analysis\n\n### Investigating Persistence via KDE AutoStart Script or Desktop File Modification\n\nK Desktop Environment (KDE) is a popular graphical desktop environment for Linux systems. It supports AutoStart scripts and desktop files that execute automatically upon user logon.\n\nAdversaries may exploit this feature to maintain persistence on a compromised system by creating or modifying these files.\n\nThe detection rule 'Persistence via KDE AutoStart Script or Desktop File Modification' is designed to identify such activities by monitoring file events on Linux systems. It specifically targets the creation or modification of files with extensions \".sh\" or \".desktop\" in various AutoStart directories. By detecting these events, the rule helps security analysts identify potential abuse of KDE AutoStart functionality by malicious actors.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n### Possible investigation steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE ( path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop'\\nOR path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR path LIKE\\n'/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR path LIKE '/root/.kde/Autostart/%.sh'\\nOR path LIKE '/root/.kde/Autostart/%.desktop' OR path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE\\n'/home/%/.kde4/Autostart/%.desktop' OR path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE\\n'/root/.kde4/Autostart/%.desktop' OR path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE\\n'/home/%/.kde/share/autostart/%.desktop' OR path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE\\n'/root/.kde/share/autostart/%.desktop' OR path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE\\n'/home/%/.kde4/share/autostart/%.desktop' OR path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE\\n'/root/.kde4/share/autostart/%.desktop' OR path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE\\n'/home/%/.local/share/autostart/%.desktop' OR path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE\\n'/root/.local/share/autostart/%.desktop' OR path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE\\n'/home/%/.config/autostart-scripts/%.desktop' OR path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE\\n'/root/.config/autostart-scripts/%.desktop' OR path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE\\n'/etc/xdg/autostart/%.desktop' OR path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' )\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve 
Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/home/%/.config/autostart/%.sh' OR\\npath LIKE '/home/%/.config/autostart/%.desktop' OR path LIKE '/root/.config/autostart/%.sh' OR path LIKE\\n'/root/.config/autostart/%.desktop' OR path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE\\n'/home/%/.kde/Autostart/%.desktop' OR path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE\\n'/root/.kde/Autostart/%.desktop' OR path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE\\n'/home/%/.kde4/Autostart/%.desktop' OR path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE\\n'/root/.kde4/Autostart/%.desktop' OR path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE\\n'/home/%/.kde/share/autostart/%.desktop' OR path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE\\n'/root/.kde/share/autostart/%.desktop' OR path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE\\n'/home/%/.kde4/share/autostart/%.desktop' OR path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE\\n'/root/.kde4/share/autostart/%.desktop' OR path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE\\n'/home/%/.local/share/autostart/%.desktop' OR path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE\\n'/root/.local/share/autostart/%.desktop' OR path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE\\n'/home/%/.config/autostart-scripts/%.desktop' OR path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE\\n'/root/.config/autostart-scripts/%.desktop' OR path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE\\n'/etc/xdg/autostart/%.desktop' OR path LIKE 
'/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' )\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - 
Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.type != \"deletion\" and\n file.extension in (\"sh\", \"desktop\") and\n file.path :\n (\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\",\n \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\"\n ) and\n not process.name in (\"yum\", \"dpkg\", \"install\", \"dnf\", \"teams\", \"yum-cron\", \"dnf-automatic\", \"docker\", \"dockerd\", \n \"rpm\", \"pacman\", \"podman\", \"nautilus\", \"remmina\", \"cinnamon-settings.py\", \"executor\")\n", "references": ["https://userbase.kde.org/System_Settings/Autostart", "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, 
{"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_103.json b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_103.json
deleted file mode 100644
index 430aded0f2e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via KDE AutoStart Script or Desktop File Modification", "note": "", "query": "file where host.os.type == \"linux\" and event.type != \"deletion\" and\n file.extension in (\"sh\", \"desktop\") and\n file.path :\n (\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\",\n \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\"\n ) and\n not process.name in (\"yum\", \"dpkg\", \"install\", \"dnf\", \"teams\", \"yum-cron\", \"dnf-automatic\")\n", "references": ["https://userbase.kde.org/System_Settings/Autostart", "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": 
"keyword"}], "risk_score": 47, "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_104.json b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_104.json deleted file mode 100644 index 88dd542de1b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via KDE AutoStart Script or Desktop File Modification", "note": "", "query": "file where host.os.type == \"linux\" and event.type != \"deletion\" and\n file.extension in (\"sh\", \"desktop\") and\n file.path :\n (\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\",\n \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\"\n ) and\n not process.name in (\"yum\", \"dpkg\", \"install\", \"dnf\", \"teams\", \"yum-cron\", \"dnf-automatic\")\n", "references": ["https://userbase.kde.org/System_Settings/Autostart", "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": 
"keyword"}], "risk_score": 47, "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_105.json b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_105.json deleted file mode 100644 index 3d98897abc2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via KDE AutoStart Script or Desktop File Modification", "note": "", "query": "file where host.os.type == \"linux\" and event.type != \"deletion\" and\n file.extension in (\"sh\", \"desktop\") and\n file.path :\n (\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\",\n \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\"\n ) and\n not process.name in (\"yum\", \"dpkg\", \"install\", \"dnf\", \"teams\", \"yum-cron\", \"dnf-automatic\", \"docker\", \"dockerd\", \n \"rpm\")\n", "references": ["https://userbase.kde.org/System_Settings/Autostart", "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": 
true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_106.json b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_106.json deleted file mode 100644 index f1187d9c611..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via KDE AutoStart Script or Desktop File Modification", "note": "### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).", "query": "file where host.os.type == \"linux\" and event.type != \"deletion\" and\n file.extension in (\"sh\", \"desktop\") and\n file.path :\n (\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\",\n \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\"\n ) and\n not process.name in (\"yum\", \"dpkg\", \"install\", \"dnf\", \"teams\", \"yum-cron\", \"dnf-automatic\", \"docker\", \"dockerd\", \n \"rpm\")\n", "references": 
["https://userbase.kde.org/System_Settings/Autostart", "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3", "setup": "This rule requires data coming in either from Elastic Defend, or Auditbeat integration.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_107.json b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_107.json deleted file mode 100644 index 7f6f9db9187..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via KDE AutoStart Script or Desktop File Modification", "query": "file where host.os.type == \"linux\" and event.type != \"deletion\" and\n file.extension in (\"sh\", \"desktop\") and\n file.path :\n (\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\",\n \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\"\n ) and\n not process.name in (\"yum\", \"dpkg\", \"install\", \"dnf\", \"teams\", \"yum-cron\", \"dnf-automatic\", \"docker\", \"dockerd\", \n \"rpm\")\n", "references": ["https://userbase.kde.org/System_Settings/Autostart", "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, 
"name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3", "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_108.json b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_108.json
deleted file mode 100644
index afcd0dae221..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via KDE AutoStart Script or Desktop File Modification", "query": "file where host.os.type == \"linux\" and event.type != \"deletion\" and\n file.extension in (\"sh\", \"desktop\") and\n file.path :\n (\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\",\n \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\"\n ) and\n not process.name in (\"yum\", \"dpkg\", \"install\", \"dnf\", \"teams\", \"yum-cron\", \"dnf-automatic\", \"docker\", \"dockerd\", \n \"rpm\")\n", "references": ["https://userbase.kde.org/System_Settings/Autostart", "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, 
"name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3_108", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_109.json b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_109.json
deleted file mode 100644
index 05e4b63b67e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via KDE AutoStart Script or Desktop File Modification", "note": "## Triage and analysis\n\n### Investigating Persistence via KDE AutoStart Script or Desktop File Modification\n\nK Desktop Environment (KDE) is a popular graphical desktop environment for Linux systems. It supports AutoStart scripts and desktop files that execute automatically upon user logon.\n\nAdversaries may exploit this feature to maintain persistence on a compromised system by creating or modifying these files.\n\nThe detection rule 'Persistence via KDE AutoStart Script or Desktop File Modification' is designed to identify such activities by monitoring file events on Linux systems. It specifically targets the creation or modification of files with extensions \".sh\" or \".desktop\" in various AutoStart directories. By detecting these events, the rule helps security analysts identify potential abuse of KDE AutoStart functionality by malicious actors.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n### Possible investigation steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\n path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop' OR\\n path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR\\n path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR\\n path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE '/root/.kde/Autostart/%.desktop' OR\\n path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE '/home/%/.kde4/Autostart/%.desktop' OR\\n path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE '/root/.kde4/Autostart/%.desktop' OR\\n path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE '/home/%/.kde/share/autostart/%.desktop' OR\\n path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE '/root/.kde/share/autostart/%.desktop' OR\\n path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE '/home/%/.kde4/share/autostart/%.desktop' OR\\n path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE '/root/.kde4/share/autostart/%.desktop' OR\\n path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE '/home/%/.local/share/autostart/%.desktop' OR\\n path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE '/root/.local/share/autostart/%.desktop' OR\\n path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE '/home/%/.config/autostart-scripts/%.desktop' OR\\n path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE '/root/.config/autostart-scripts/%.desktop' OR\\n path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE '/etc/xdg/autostart/%.desktop' OR\\n path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop'\\n)\\n\"}}\n - 
!{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\n path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop' OR\\n path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR\\n path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR\\n path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE '/root/.kde/Autostart/%.desktop' OR\\n path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE '/home/%/.kde4/Autostart/%.desktop' OR\\n path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE '/root/.kde4/Autostart/%.desktop' OR\\n path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE '/home/%/.kde/share/autostart/%.desktop' OR\\n path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE '/root/.kde/share/autostart/%.desktop' OR\\n path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE '/home/%/.kde4/share/autostart/%.desktop' OR\\n path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE '/root/.kde4/share/autostart/%.desktop' OR\\n path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE '/home/%/.local/share/autostart/%.desktop' OR\\n path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE '/root/.local/share/autostart/%.desktop' OR\\n path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE '/home/%/.config/autostart-scripts/%.desktop' OR\\n path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE '/root/.config/autostart-scripts/%.desktop' OR\\n path LIKE 
'/etc/xdg/autostart/%.sh' OR path LIKE '/etc/xdg/autostart/%.desktop' OR\\n path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, 
family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.type != \"deletion\" and\n file.extension in (\"sh\", \"desktop\") and\n file.path :\n (\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\",\n \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\"\n ) and\n not process.name in (\"yum\", \"dpkg\", \"install\", \"dnf\", \"teams\", \"yum-cron\", \"dnf-automatic\", \"docker\", \"dockerd\", \n \"rpm\", \"pacman\", \"podman\", \"nautilus\", \"remmina\", \"cinnamon-settings.py\")\n", "references": ["https://userbase.kde.org/System_Settings/Autostart", "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, 
"name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3_109", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_110.json b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_110.json
deleted file mode 100644
index a550c9b6afc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via KDE AutoStart Script or Desktop File Modification", "note": "## Triage and analysis\n\n### Investigating Persistence via KDE AutoStart Script or Desktop File Modification\n\nK Desktop Environment (KDE) is a popular graphical desktop environment for Linux systems. It supports AutoStart scripts and desktop files that execute automatically upon user logon.\n\nAdversaries may exploit this feature to maintain persistence on a compromised system by creating or modifying these files.\n\nThe detection rule 'Persistence via KDE AutoStart Script or Desktop File Modification' is designed to identify such activities by monitoring file events on Linux systems. It specifically targets the creation or modification of files with extensions \".sh\" or \".desktop\" in various AutoStart directories. By detecting these events, the rule helps security analysts identify potential abuse of KDE AutoStart functionality by malicious actors.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n### Possible investigation steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\n path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop' OR\\n path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR\\n path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR\\n path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE '/root/.kde/Autostart/%.desktop' OR\\n path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE '/home/%/.kde4/Autostart/%.desktop' OR\\n path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE '/root/.kde4/Autostart/%.desktop' OR\\n path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE '/home/%/.kde/share/autostart/%.desktop' OR\\n path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE '/root/.kde/share/autostart/%.desktop' OR\\n path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE '/home/%/.kde4/share/autostart/%.desktop' OR\\n path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE '/root/.kde4/share/autostart/%.desktop' OR\\n path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE '/home/%/.local/share/autostart/%.desktop' OR\\n path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE '/root/.local/share/autostart/%.desktop' OR\\n path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE '/home/%/.config/autostart-scripts/%.desktop' OR\\n path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE '/root/.config/autostart-scripts/%.desktop' OR\\n path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE '/etc/xdg/autostart/%.desktop' OR\\n path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop'\\n)\\n\"}}\n - 
!{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\n path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop' OR\\n path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR\\n path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR\\n path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE '/root/.kde/Autostart/%.desktop' OR\\n path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE '/home/%/.kde4/Autostart/%.desktop' OR\\n path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE '/root/.kde4/Autostart/%.desktop' OR\\n path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE '/home/%/.kde/share/autostart/%.desktop' OR\\n path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE '/root/.kde/share/autostart/%.desktop' OR\\n path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE '/home/%/.kde4/share/autostart/%.desktop' OR\\n path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE '/root/.kde4/share/autostart/%.desktop' OR\\n path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE '/home/%/.local/share/autostart/%.desktop' OR\\n path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE '/root/.local/share/autostart/%.desktop' OR\\n path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE '/home/%/.config/autostart-scripts/%.desktop' OR\\n path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE '/root/.config/autostart-scripts/%.desktop' OR\\n path LIKE 
'/etc/xdg/autostart/%.sh' OR path LIKE '/etc/xdg/autostart/%.desktop' OR\\n path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, 
family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.type != \"deletion\" and\n file.extension in (\"sh\", \"desktop\") and\n file.path :\n (\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\",\n \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\"\n ) and\n not process.name in (\"yum\", \"dpkg\", \"install\", \"dnf\", \"teams\", \"yum-cron\", \"dnf-automatic\", \"docker\", \"dockerd\", \n \"rpm\", \"pacman\", \"podman\", \"nautilus\", \"remmina\", \"cinnamon-settings.py\")\n", "references": ["https://userbase.kde.org/System_Settings/Autostart", "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, 
"name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3_110", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_111.json b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_111.json
deleted file mode 100644
index 0447536c2b0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via KDE AutoStart Script or Desktop File Modification", "note": "## Triage and analysis\n\n### Investigating Persistence via KDE AutoStart Script or Desktop File Modification\n\nK Desktop Environment (KDE) is a popular graphical desktop environment for Linux systems. It supports AutoStart scripts and desktop files that execute automatically upon user logon.\n\nAdversaries may exploit this feature to maintain persistence on a compromised system by creating or modifying these files.\n\nThe detection rule 'Persistence via KDE AutoStart Script or Desktop File Modification' is designed to identify such activities by monitoring file events on Linux systems. It specifically targets the creation or modification of files with extensions \".sh\" or \".desktop\" in various AutoStart directories. By detecting these events, the rule helps security analysts identify potential abuse of KDE AutoStart functionality by malicious actors.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n### Possible investigation steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE ( path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop'\\nOR path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR path LIKE\\n'/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR path LIKE '/root/.kde/Autostart/%.sh'\\nOR path LIKE '/root/.kde/Autostart/%.desktop' OR path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE\\n'/home/%/.kde4/Autostart/%.desktop' OR path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE\\n'/root/.kde4/Autostart/%.desktop' OR path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE\\n'/home/%/.kde/share/autostart/%.desktop' OR path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE\\n'/root/.kde/share/autostart/%.desktop' OR path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE\\n'/home/%/.kde4/share/autostart/%.desktop' OR path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE\\n'/root/.kde4/share/autostart/%.desktop' OR path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE\\n'/home/%/.local/share/autostart/%.desktop' OR path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE\\n'/root/.local/share/autostart/%.desktop' OR path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE\\n'/home/%/.config/autostart-scripts/%.desktop' OR path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE\\n'/root/.config/autostart-scripts/%.desktop' OR path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE\\n'/etc/xdg/autostart/%.desktop' OR path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' )\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve 
Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/home/%/.config/autostart/%.sh' OR\\npath LIKE '/home/%/.config/autostart/%.desktop' OR path LIKE '/root/.config/autostart/%.sh' OR path LIKE\\n'/root/.config/autostart/%.desktop' OR path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE\\n'/home/%/.kde/Autostart/%.desktop' OR path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE\\n'/root/.kde/Autostart/%.desktop' OR path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE\\n'/home/%/.kde4/Autostart/%.desktop' OR path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE\\n'/root/.kde4/Autostart/%.desktop' OR path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE\\n'/home/%/.kde/share/autostart/%.desktop' OR path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE\\n'/root/.kde/share/autostart/%.desktop' OR path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE\\n'/home/%/.kde4/share/autostart/%.desktop' OR path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE\\n'/root/.kde4/share/autostart/%.desktop' OR path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE\\n'/home/%/.local/share/autostart/%.desktop' OR path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE\\n'/root/.local/share/autostart/%.desktop' OR path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE\\n'/home/%/.config/autostart-scripts/%.desktop' OR path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE\\n'/root/.config/autostart-scripts/%.desktop' OR path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE\\n'/etc/xdg/autostart/%.desktop' OR path LIKE 
'/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' )\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - 
Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.type != \"deletion\" and\n file.extension in (\"sh\", \"desktop\") and\n file.path :\n (\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\",\n \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\"\n ) and\n not process.name in (\"yum\", \"dpkg\", \"install\", \"dnf\", \"teams\", \"yum-cron\", \"dnf-automatic\", \"docker\", \"dockerd\", \n \"rpm\", \"pacman\", \"podman\", \"nautilus\", \"remmina\", \"cinnamon-settings.py\")\n", "references": ["https://userbase.kde.org/System_Settings/Autostart", "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, 
"name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3_111", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_112.json b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_112.json
deleted file mode 100644
index c157a65d80b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_112.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via KDE AutoStart Script or Desktop File Modification", "note": "## Triage and analysis\n\n### Investigating Persistence via KDE AutoStart Script or Desktop File Modification\n\nK Desktop Environment (KDE) is a popular graphical desktop environment for Linux systems. It supports AutoStart scripts and desktop files that execute automatically upon user logon.\n\nAdversaries may exploit this feature to maintain persistence on a compromised system by creating or modifying these files.\n\nThe detection rule 'Persistence via KDE AutoStart Script or Desktop File Modification' is designed to identify such activities by monitoring file events on Linux systems. It specifically targets the creation or modification of files with extensions \".sh\" or \".desktop\" in various AutoStart directories. By detecting these events, the rule helps security analysts identify potential abuse of KDE AutoStart functionality by malicious actors.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n### Possible investigation steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE ( path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop'\\nOR path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR path LIKE\\n'/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR path LIKE '/root/.kde/Autostart/%.sh'\\nOR path LIKE '/root/.kde/Autostart/%.desktop' OR path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE\\n'/home/%/.kde4/Autostart/%.desktop' OR path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE\\n'/root/.kde4/Autostart/%.desktop' OR path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE\\n'/home/%/.kde/share/autostart/%.desktop' OR path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE\\n'/root/.kde/share/autostart/%.desktop' OR path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE\\n'/home/%/.kde4/share/autostart/%.desktop' OR path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE\\n'/root/.kde4/share/autostart/%.desktop' OR path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE\\n'/home/%/.local/share/autostart/%.desktop' OR path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE\\n'/root/.local/share/autostart/%.desktop' OR path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE\\n'/home/%/.config/autostart-scripts/%.desktop' OR path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE\\n'/root/.config/autostart-scripts/%.desktop' OR path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE\\n'/etc/xdg/autostart/%.desktop' OR path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' )\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve 
Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/home/%/.config/autostart/%.sh' OR\\npath LIKE '/home/%/.config/autostart/%.desktop' OR path LIKE '/root/.config/autostart/%.sh' OR path LIKE\\n'/root/.config/autostart/%.desktop' OR path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE\\n'/home/%/.kde/Autostart/%.desktop' OR path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE\\n'/root/.kde/Autostart/%.desktop' OR path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE\\n'/home/%/.kde4/Autostart/%.desktop' OR path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE\\n'/root/.kde4/Autostart/%.desktop' OR path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE\\n'/home/%/.kde/share/autostart/%.desktop' OR path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE\\n'/root/.kde/share/autostart/%.desktop' OR path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE\\n'/home/%/.kde4/share/autostart/%.desktop' OR path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE\\n'/root/.kde4/share/autostart/%.desktop' OR path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE\\n'/home/%/.local/share/autostart/%.desktop' OR path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE\\n'/root/.local/share/autostart/%.desktop' OR path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE\\n'/home/%/.config/autostart-scripts/%.desktop' OR path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE\\n'/root/.config/autostart-scripts/%.desktop' OR path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE\\n'/etc/xdg/autostart/%.desktop' OR path LIKE 
'/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' )\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - 
Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.type != \"deletion\" and\n file.extension in (\"sh\", \"desktop\") and\n file.path :\n (\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\",\n \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\"\n ) and\n not process.name in (\"yum\", \"dpkg\", \"install\", \"dnf\", \"teams\", \"yum-cron\", \"dnf-automatic\", \"docker\", \"dockerd\", \n \"rpm\", \"pacman\", \"podman\", \"nautilus\", \"remmina\", \"cinnamon-settings.py\", \"executor\")\n", "references": ["https://userbase.kde.org/System_Settings/Autostart", "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, 
{"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3_112", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_113.json b/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_113.json
deleted file mode 100644
index 3f6e027da2b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e3e904b3-0a8e-4e68-86a8-977a163e21d3_113.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation or modification of a K Desktop Environment (KDE) AutoStart script or desktop file that will execute upon each user logon. Adversaries may abuse this method for persistence.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via KDE AutoStart Script or Desktop File Modification", "note": "## Triage and analysis\n\n### Investigating Persistence via KDE AutoStart Script or Desktop File Modification\n\nK Desktop Environment (KDE) is a popular graphical desktop environment for Linux systems. It supports AutoStart scripts and desktop files that execute automatically upon user logon.\n\nAdversaries may exploit this feature to maintain persistence on a compromised system by creating or modifying these files.\n\nThe detection rule 'Persistence via KDE AutoStart Script or Desktop File Modification' is designed to identify such activities by monitoring file events on Linux systems. It specifically targets the creation or modification of files with extensions \".sh\" or \".desktop\" in various AutoStart directories. By detecting these events, the rule helps security analysts identify potential abuse of KDE AutoStart functionality by malicious actors.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n### Possible investigation steps\n\n- Investigate the file that was created or modified.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE ( path LIKE '/home/%/.config/autostart/%.sh' OR path LIKE '/home/%/.config/autostart/%.desktop'\\nOR path LIKE '/root/.config/autostart/%.sh' OR path LIKE '/root/.config/autostart/%.desktop' OR path LIKE\\n'/home/%/.kde/Autostart/%.sh' OR path LIKE '/home/%/.kde/Autostart/%.desktop' OR path LIKE '/root/.kde/Autostart/%.sh'\\nOR path LIKE '/root/.kde/Autostart/%.desktop' OR path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE\\n'/home/%/.kde4/Autostart/%.desktop' OR path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE\\n'/root/.kde4/Autostart/%.desktop' OR path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE\\n'/home/%/.kde/share/autostart/%.desktop' OR path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE\\n'/root/.kde/share/autostart/%.desktop' OR path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE\\n'/home/%/.kde4/share/autostart/%.desktop' OR path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE\\n'/root/.kde4/share/autostart/%.desktop' OR path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE\\n'/home/%/.local/share/autostart/%.desktop' OR path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE\\n'/root/.local/share/autostart/%.desktop' OR path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE\\n'/home/%/.config/autostart-scripts/%.desktop' OR path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE\\n'/root/.config/autostart-scripts/%.desktop' OR path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE\\n'/etc/xdg/autostart/%.desktop' OR path LIKE '/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' )\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve 
Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/home/%/.config/autostart/%.sh' OR\\npath LIKE '/home/%/.config/autostart/%.desktop' OR path LIKE '/root/.config/autostart/%.sh' OR path LIKE\\n'/root/.config/autostart/%.desktop' OR path LIKE '/home/%/.kde/Autostart/%.sh' OR path LIKE\\n'/home/%/.kde/Autostart/%.desktop' OR path LIKE '/root/.kde/Autostart/%.sh' OR path LIKE\\n'/root/.kde/Autostart/%.desktop' OR path LIKE '/home/%/.kde4/Autostart/%.sh' OR path LIKE\\n'/home/%/.kde4/Autostart/%.desktop' OR path LIKE '/root/.kde4/Autostart/%.sh' OR path LIKE\\n'/root/.kde4/Autostart/%.desktop' OR path LIKE '/home/%/.kde/share/autostart/%.sh' OR path LIKE\\n'/home/%/.kde/share/autostart/%.desktop' OR path LIKE '/root/.kde/share/autostart/%.sh' OR path LIKE\\n'/root/.kde/share/autostart/%.desktop' OR path LIKE '/home/%/.kde4/share/autostart/%.sh' OR path LIKE\\n'/home/%/.kde4/share/autostart/%.desktop' OR path LIKE '/root/.kde4/share/autostart/%.sh' OR path LIKE\\n'/root/.kde4/share/autostart/%.desktop' OR path LIKE '/home/%/.local/share/autostart/%.sh' OR path LIKE\\n'/home/%/.local/share/autostart/%.desktop' OR path LIKE '/root/.local/share/autostart/%.sh' OR path LIKE\\n'/root/.local/share/autostart/%.desktop' OR path LIKE '/home/%/.config/autostart-scripts/%.sh' OR path LIKE\\n'/home/%/.config/autostart-scripts/%.desktop' OR path LIKE '/root/.config/autostart-scripts/%.sh' OR path LIKE\\n'/root/.config/autostart-scripts/%.desktop' OR path LIKE '/etc/xdg/autostart/%.sh' OR path LIKE\\n'/etc/xdg/autostart/%.desktop' OR path LIKE 
'/usr/share/autostart/%.sh' OR path LIKE '/usr/share/autostart/%.desktop' )\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - 
Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and event.type != \"deletion\" and\n file.extension in (\"sh\", \"desktop\") and\n file.path :\n (\n \"/home/*/.config/autostart/*\", \"/root/.config/autostart/*\",\n \"/home/*/.kde/Autostart/*\", \"/root/.kde/Autostart/*\",\n \"/home/*/.kde4/Autostart/*\", \"/root/.kde4/Autostart/*\",\n \"/home/*/.kde/share/autostart/*\", \"/root/.kde/share/autostart/*\",\n \"/home/*/.kde4/share/autostart/*\", \"/root/.kde4/share/autostart/*\",\n \"/home/*/.local/share/autostart/*\", \"/root/.local/share/autostart/*\",\n \"/home/*/.config/autostart-scripts/*\", \"/root/.config/autostart-scripts/*\",\n \"/etc/xdg/autostart/*\", \"/usr/share/autostart/*\"\n ) and\n not process.name in (\"yum\", \"dpkg\", \"install\", \"dnf\", \"teams\", \"yum-cron\", \"dnf-automatic\", \"docker\", \"dockerd\", \n \"rpm\", \"pacman\", \"podman\", \"nautilus\", \"remmina\", \"cinnamon-settings.py\", \"executor\")\n", "references": ["https://userbase.kde.org/System_Settings/Autostart", "https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/", "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/", "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": 
"keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "e3e904b3-0a8e-4e68-86a8-977a163e21d3_113", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e468f3f6-7c4c-45bb-846a-053738b3fe5d.json b/packages/security_detection_engine/kibana/security_rule/e468f3f6-7c4c-45bb-846a-053738b3fe5d.json
deleted file mode 100644
index 5f6d7375596..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e468f3f6-7c4c-45bb-846a-053738b3fe5d.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access token forging capability that are often abused to bypass access control restrictions.", "from": "now-9m", "history_window_start": "now-7d", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen NewCredentials Logon Process", "new_terms_fields": ["process.executable"], "query": "event.category:\"authentication\" and host.os.type:\"windows\" and winlog.logon.type:\"NewCredentials\" and winlog.event_data.LogonProcessName:(Advapi* or \"Advapi \") and not winlog.event_data.SubjectUserName:*$ and not process.executable :???\\\\Program?Files*\n", "references": ["https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.LogonProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "e468f3f6-7c4c-45bb-846a-053738b3fe5d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": 
"T1134.001", "name": "Token Impersonation/Theft", "reference": "https://attack.mitre.org/techniques/T1134/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 3}, "id": "e468f3f6-7c4c-45bb-846a-053738b3fe5d", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e468f3f6-7c4c-45bb-846a-053738b3fe5d_1.json b/packages/security_detection_engine/kibana/security_rule/e468f3f6-7c4c-45bb-846a-053738b3fe5d_1.json
deleted file mode 100644
index 9a7794193ce..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e468f3f6-7c4c-45bb-846a-053738b3fe5d_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access token forging capability that are often abused to bypass access control restrictions.", "from": "now-9m", "history_window_start": "now-7d", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen NewCredentials Logon Process", "new_terms_fields": ["process.executable"], "query": "event.category:\"authentication\" and host.os.type:\"windows\" and winlog.logon.type:\"NewCredentials\" and winlog.event_data.LogonProcessName:(Advapi* or \"Advapi \")\n", "references": ["https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.LogonProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "e468f3f6-7c4c-45bb-846a-053738b3fe5d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.001", "name": "Token Impersonation/Theft", "reference": "https://attack.mitre.org/techniques/T1134/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "e468f3f6-7c4c-45bb-846a-053738b3fe5d_1", "type": "security-rule"} \ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e468f3f6-7c4c-45bb-846a-053738b3fe5d_2.json b/packages/security_detection_engine/kibana/security_rule/e468f3f6-7c4c-45bb-846a-053738b3fe5d_2.json
deleted file mode 100644
index 17884c205a3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e468f3f6-7c4c-45bb-846a-053738b3fe5d_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access token forging capability that are often abused to bypass access control restrictions.", "from": "now-9m", "history_window_start": "now-7d", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen NewCredentials Logon Process", "new_terms_fields": ["process.executable"], "query": "event.category:\"authentication\" and host.os.type:\"windows\" and winlog.logon.type:\"NewCredentials\" and winlog.event_data.LogonProcessName:(Advapi* or \"Advapi \") and not winlog.event_data.SubjectUserName:*$ and not process.executable :???\\\\Program?Files*\n", "references": ["https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.LogonProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "e468f3f6-7c4c-45bb-846a-053738b3fe5d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": "T1134.001", "name": "Token 
Impersonation/Theft", "reference": "https://attack.mitre.org/techniques/T1134/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "e468f3f6-7c4c-45bb-846a-053738b3fe5d_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e468f3f6-7c4c-45bb-846a-053738b3fe5d_3.json b/packages/security_detection_engine/kibana/security_rule/e468f3f6-7c4c-45bb-846a-053738b3fe5d_3.json
deleted file mode 100644
index f1b68282dba..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e468f3f6-7c4c-45bb-846a-053738b3fe5d_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access token forging capability that are often abused to bypass access control restrictions.", "from": "now-9m", "history_window_start": "now-7d", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen NewCredentials Logon Process", "new_terms_fields": ["process.executable"], "query": "event.category:\"authentication\" and host.os.type:\"windows\" and winlog.logon.type:\"NewCredentials\" and winlog.event_data.LogonProcessName:(Advapi* or \"Advapi \") and not winlog.event_data.SubjectUserName:*$ and not process.executable :???\\\\Program?Files*\n", "references": ["https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.LogonProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "e468f3f6-7c4c-45bb-846a-053738b3fe5d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": 
"T1134.001", "name": "Token Impersonation/Theft", "reference": "https://attack.mitre.org/techniques/T1134/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 3}, "id": "e468f3f6-7c4c-45bb-846a-053738b3fe5d_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e468f3f6-7c4c-45bb-846a-053738b3fe5d_4.json b/packages/security_detection_engine/kibana/security_rule/e468f3f6-7c4c-45bb-846a-053738b3fe5d_4.json
deleted file mode 100644
index cbe7923e2d8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e468f3f6-7c4c-45bb-846a-053738b3fe5d_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access token forging capability that are often abused to bypass access control restrictions.", "from": "now-9m", "history_window_start": "now-7d", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "First Time Seen NewCredentials Logon Process", "new_terms_fields": ["process.executable"], "query": "event.category:\"authentication\" and host.os.type:\"windows\" and winlog.logon.type:\"NewCredentials\" and winlog.event_data.LogonProcessName:(Advapi* or \"Advapi \") and not winlog.event_data.SubjectUserName:*$ and not process.executable :???\\\\Program?Files*\n", "references": ["https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.LogonProcessName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "e468f3f6-7c4c-45bb-846a-053738b3fe5d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1134", "name": "Access Token Manipulation", "reference": "https://attack.mitre.org/techniques/T1134/", "subtechnique": [{"id": 
"T1134.001", "name": "Token Impersonation/Theft", "reference": "https://attack.mitre.org/techniques/T1134/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 4}, "id": "e468f3f6-7c4c-45bb-846a-053738b3fe5d_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3.json b/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3.json
deleted file mode 100644
index 722c5bfa741..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly modified."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Network Zone", "note": "## Triage and analysis\n\n### Investigating Attempt to Modify an Okta Network Zone\n\nThe modification of an Okta network zone is a critical event as it could potentially allow an adversary to gain unrestricted access to your network. This rule detects attempts to modify, delete, or deactivate an Okta network zone, which may suggest an attempt to remove or weaken an organization's security controls.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\n- Check the `okta.outcome.result` field to confirm the network zone modification attempt.\n- Check if there are multiple network zone modification attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the modification attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.\n\n### False positive analysis:\n\n- 
Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized modification is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": 
true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_102.json b/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_102.json deleted file mode 100644 index 38df74ba850..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly modified."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Network Zone", "note": "", "query": "event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Network Security", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or 
Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_103.json b/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_103.json deleted file mode 100644 index a6890d3fd77..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly modified."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Network Zone", "note": "", "query": "event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": 
"T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_104.json b/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_104.json deleted file mode 100644 index da2285b98cb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly modified."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Network Zone", "note": "## Triage and analysis\n\n### Investigating Attempt to Modify an Okta Network Zone\n\nThe modification of an Okta network zone is a critical event as it could potentially allow an adversary to gain unrestricted access to your network. This rule detects attempts to modify, delete, or deactivate an Okta network zone, which may suggest an attempt to remove or weaken an organization's security controls.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\n- Check the `okta.outcome.result` field to confirm the network zone modification attempt.\n- Check if there are multiple network zone modification attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the modification attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.\n\n### False positive analysis:\n\n- 
Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized modification is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": 
true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_105.json b/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_105.json deleted file mode 100644 index d109ccc2931..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly modified."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Network Zone", "note": "## Triage and analysis\n\n### Investigating Attempt to Modify an Okta Network Zone\n\nThe modification of an Okta network zone is a critical event as it could potentially allow an adversary to gain unrestricted access to your network. This rule detects attempts to modify, delete, or deactivate an Okta network zone, which may suggest an attempt to remove or weaken an organization's security controls.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\n- Check the `okta.outcome.result` field to confirm the network zone modification attempt.\n- Check if there are multiple network zone modification attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the modification attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.\n\n### False positive analysis:\n\n- 
Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized modification is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": 
true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_206.json b/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_206.json deleted file mode 100644 index b5cf4f63f60..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_206.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly modified."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Network Zone", "note": "## Triage and analysis\n\n### Investigating Attempt to Modify an Okta Network Zone\n\nThe modification of an Okta network zone is a critical event as it could potentially allow an adversary to gain unrestricted access to your network. This rule detects attempts to modify, delete, or deactivate an Okta network zone, which may suggest an attempt to remove or weaken an organization's security controls.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\n- Check the `okta.outcome.result` field to confirm the network zone modification attempt.\n- Check if there are multiple network zone modification attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the modification attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.\n\n### False positive analysis:\n\n- 
Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized modification is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": 
true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3_206", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_207.json b/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_207.json deleted file mode 100644 index bc82b0802c5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_207.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly modified."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Network Zone", "note": "## Triage and analysis\n\n### Investigating Attempt to Modify an Okta Network Zone\n\nThe modification of an Okta network zone is a critical event as it could potentially allow an adversary to gain unrestricted access to your network. This rule detects attempts to modify, delete, or deactivate an Okta network zone, which may suggest an attempt to remove or weaken an organization's security controls.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\n- Check the `okta.outcome.result` field to confirm the network zone modification attempt.\n- Check if there are multiple network zone modification attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the modification attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.\n\n### False positive analysis:\n\n- 
Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized modification is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", 
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3_207", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_209.json b/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_209.json deleted file mode 100644 index 4a61c0a7163..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_209.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly modified."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Modify an Okta Network Zone", "note": "## Triage and analysis\n\n### Investigating Attempt to Modify an Okta Network Zone\n\nThe modification of an Okta network zone is a critical event as it could potentially allow an adversary to gain unrestricted access to your network. This rule detects attempts to modify, delete, or deactivate an Okta network zone, which may suggest an attempt to remove or weaken an organization's security controls.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\n- Check the `okta.outcome.result` field to confirm the network zone modification attempt.\n- Check if there are multiple network zone modification attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the modification attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification attempt.\n\n### False positive analysis:\n\n- 
Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized modification is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", 
"https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.007", "name": "Disable or Modify Cloud Firewall", "reference": "https://attack.mitre.org/techniques/T1562/007/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3_209", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_309.json b/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_309.json
new file mode 100644
index 00000000000..29f616f9098
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/e48236ca-b67a-4b4e-840c-fdc7782bc0c3_309.json
@@ -0,0 +1,85 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects attempts to modify an Okta network zone. Okta network zones can be configured to limit or restrict access to a network based on IP addresses or geolocations. An adversary may attempt to modify, delete, or deactivate an Okta network zone in order to remove or weaken an organization's security controls.",
+ "false_positives": [
+ "Consider adding exceptions to this rule to filter false positives if Oyour organization's Okta network zones are regularly modified."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempt to Modify an Okta Network Zone",
+ "note": "## Triage and analysis\n\n### Investigating Attempt to Modify an Okta Network Zone\n\nThe modification of an Okta network zone is a critical event as it could potentially allow an adversary to gain unrestricted access to your network. This rule detects attempts to modify, delete, or deactivate an Okta network zone, which may suggest an attempt to remove or weaken an organization's security controls.\n\n#### Possible investigation steps:\n\n- Identify the actor related to the alert by reviewing `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, or `okta.actor.display_name` fields in the alert.\n- Review the `okta.client.user_agent.raw_user_agent` field to understand the device and software used by the actor.\n- Examine the `okta.outcome.reason` field for additional context around the modification attempt.\n- Check the `okta.outcome.result` field to confirm the network zone modification attempt.\n- Check if there are multiple network zone modification attempts from the same actor or IP address (`okta.client.ip`).\n- Check for successful logins immediately following the modification attempt.\n- Verify whether the actor's activity aligns with typical behavior or if any unusual activity took place around the time of the modification 
attempt.\n\n### False positive analysis:\n\n- Check if there were issues with the Okta system at the time of the modification attempt. This could indicate a system error rather than a genuine threat activity.\n- Check the geographical location (`okta.request.ip_chain.geographical_context`) and time of the modification attempt. If these match the actor's normal behavior, it might be a false positive.\n- Verify the actor's administrative rights to ensure they are correctly configured.\n\n### Response and remediation:\n\n- If unauthorized modification is confirmed, initiate the incident response process.\n- Immediately lock the affected actor account and require a password change.\n- Consider resetting MFA tokens for the actor and require re-enrollment.\n- Check if the compromised account was used to access or alter any sensitive data or systems.\n- If a specific modification technique was used, ensure your systems are patched or configured to prevent such techniques.\n- Assess the criticality of affected services and servers.\n- Work with your IT team to minimize the impact on users and maintain business continuity.\n- If multiple accounts are affected, consider a broader reset or audit of MFA tokens.\n- Implement security best practices [outlined](https://www.okta.com/blog/2019/10/9-admin-best-practices-to-keep-your-org-secure/) by Okta.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
+ "query": "event.dataset:okta.system and event.action:(zone.update or network_zone.rule.disabled or zone.remove_blacklist)\n",
+ "references": [
+ "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ 
"https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Use Case: Network Security Monitoring",
+ "Tactic: Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1562",
+ "name": "Impair Defenses",
+ "reference": "https://attack.mitre.org/techniques/T1562/",
+ "subtechnique": [
+ {
+ "id": "T1562.007",
+ "name": "Disable or Modify Cloud Firewall",
+ "reference": "https://attack.mitre.org/techniques/T1562/007/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 309
+ },
+ "id": "e48236ca-b67a-4b4e-840c-fdc7782bc0c3_309",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4.json b/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4.json
deleted file mode 100644
index 09333127696..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4.json
+++ /dev/null
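Review bot: The `false_positives` entry of the new `_309` rule file still carries the typo `Oyour` (`... if Oyour organization's Okta network zones ...`), inherited unchanged from the deleted 207/209 versions; as user-facing rule text it should read `"Consider adding exceptions to this rule to filter false positives if your organization's Okta network zones are regularly modified."`. Separately, the `description` and `note` state that the rule detects attempts to modify, delete, or deactivate a zone, but the `query` only matches `zone.update`, `network_zone.rule.disabled` and `zone.remove_blacklist`, so a zone deletion or deactivation would presumably not raise an alert; either the query should be extended to the corresponding Okta zone delete/deactivate event types (e.g. `zone.delete`, `zone.deactivate`, if the `okta.system` dataset emits them) or the description narrowed to what is actually matched. Both issues are carried forward by the rules generator, so the fix likely belongs in the upstream rule source rather than in this mirrored package file.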
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, followed by a sevice creation from the same LogonId. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined user to local System privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Service Creation via Local Kerberos Authentication", "query": "sequence by winlog.computer_name with maxspan=5m\n [authentication where\n\n /* event 4624 need to be logged */\n event.action == \"logged-in\" and event.outcome == \"success\" and\n\n /* authenticate locally using relayed kerberos Ticket */\n winlog.event_data.AuthenticationPackageName :\"Kerberos\" and winlog.logon.type == \"Network\" and\n cidrmatch(source.ip, \"127.0.0.0/8\", \"::1\") and source.port > 0] by winlog.event_data.TargetLogonId\n\n [any where\n /* event 4697 need to be logged */\n event.action : \"service-installed\"] by winlog.event_data.SubjectLogonId\n", "references": ["https://github.com/Dec0ne/KrbRelayUp", "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html", "https://github.com/cube0x0/KrbRelay", "https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AuthenticationPackageName", "type": "keyword"}, {"ecs": false, 
"name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 73, "rule_id": "e4e31051-ee01-4307-a6ee-b21b186958f4", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "type": "eql", "version": 106}, "id": "e4e31051-ee01-4307-a6ee-b21b186958f4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_103.json b/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_103.json deleted file mode 100644 index 3300b28e1b2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, followed by a sevice creation from the same LogonId. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined user to local System privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Service Creation via Local Kerberos Authentication", "query": "sequence by winlog.computer_name with maxspan=5m\n [authentication where host.os.type == \"windows\" and\n\n /* event 4624 need to be logged */\n event.action == \"logged-in\" and event.outcome == \"success\" and\n\n /* authenticate locally using relayed kerberos Ticket */\n winlog.event_data.AuthenticationPackageName :\"Kerberos\" and winlog.logon.type == \"Network\" and\n cidrmatch(source.ip, \"127.0.0.0/8\", \"::1\") and source.port > 0] by winlog.event_data.TargetLogonId\n\n [any where host.os.type == \"windows\" and\n /* event 4697 need to be logged */\n event.action : \"service-installed\"] by winlog.event_data.SubjectLogonId\n", "references": ["https://github.com/Dec0ne/KrbRelayUp", "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html", "https://github.com/cube0x0/KrbRelay", "https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}, {"ecs": false, "name": "winlog.computer_name", 
"type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AuthenticationPackageName", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 73, "rule_id": "e4e31051-ee01-4307-a6ee-b21b186958f4", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Credential Access", "Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "type": "eql", "version": 103}, "id": "e4e31051-ee01-4307-a6ee-b21b186958f4_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_104.json b/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_104.json deleted file mode 100644 index c93fe0ee14f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, followed by a sevice creation from the same LogonId. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined user to local System privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Service Creation via Local Kerberos Authentication", "query": "sequence by winlog.computer_name with maxspan=5m\n [authentication where\n\n /* event 4624 need to be logged */\n event.action == \"logged-in\" and event.outcome == \"success\" and\n\n /* authenticate locally using relayed kerberos Ticket */\n winlog.event_data.AuthenticationPackageName :\"Kerberos\" and winlog.logon.type == \"Network\" and\n cidrmatch(source.ip, \"127.0.0.0/8\", \"::1\") and source.port > 0] by winlog.event_data.TargetLogonId\n\n [any where\n /* event 4697 need to be logged */\n event.action : \"service-installed\"] by winlog.event_data.SubjectLogonId\n", "references": ["https://github.com/Dec0ne/KrbRelayUp", "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html", "https://github.com/cube0x0/KrbRelay", "https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AuthenticationPackageName", "type": "keyword"}, {"ecs": false, 
"name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 73, "rule_id": "e4e31051-ee01-4307-a6ee-b21b186958f4", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Credential Access", "Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "type": "eql", "version": 104}, "id": "e4e31051-ee01-4307-a6ee-b21b186958f4_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_105.json b/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_105.json deleted file mode 100644 index 5a2719667e7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, followed by a sevice creation from the same LogonId. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined user to local System privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Service Creation via Local Kerberos Authentication", "query": "sequence by winlog.computer_name with maxspan=5m\n [authentication where\n\n /* event 4624 need to be logged */\n event.action == \"logged-in\" and event.outcome == \"success\" and\n\n /* authenticate locally using relayed kerberos Ticket */\n winlog.event_data.AuthenticationPackageName :\"Kerberos\" and winlog.logon.type == \"Network\" and\n cidrmatch(source.ip, \"127.0.0.0/8\", \"::1\") and source.port > 0] by winlog.event_data.TargetLogonId\n\n [any where\n /* event 4697 need to be logged */\n event.action : \"service-installed\"] by winlog.event_data.SubjectLogonId\n", "references": ["https://github.com/Dec0ne/KrbRelayUp", "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html", "https://github.com/cube0x0/KrbRelay", "https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AuthenticationPackageName", "type": "keyword"}, {"ecs": false, 
"name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 73, "rule_id": "e4e31051-ee01-4307-a6ee-b21b186958f4", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "type": "eql", "version": 105}, "id": "e4e31051-ee01-4307-a6ee-b21b186958f4_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_106.json b/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_106.json deleted file mode 100644 index 5d72330127e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e4e31051-ee01-4307-a6ee-b21b186958f4_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, followed by a sevice creation from the same LogonId. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined user to local System privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Service Creation via Local Kerberos Authentication", "query": "sequence by winlog.computer_name with maxspan=5m\n [authentication where\n\n /* event 4624 need to be logged */\n event.action == \"logged-in\" and event.outcome == \"success\" and\n\n /* authenticate locally using relayed kerberos Ticket */\n winlog.event_data.AuthenticationPackageName :\"Kerberos\" and winlog.logon.type == \"Network\" and\n cidrmatch(source.ip, \"127.0.0.0/8\", \"::1\") and source.port > 0] by winlog.event_data.TargetLogonId\n\n [any where\n /* event 4697 need to be logged */\n event.action : \"service-installed\"] by winlog.event_data.SubjectLogonId\n", "references": ["https://github.com/Dec0ne/KrbRelayUp", "https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html", "https://github.com/cube0x0/KrbRelay", "https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AuthenticationPackageName", "type": "keyword"}, {"ecs": false, 
"name": "winlog.event_data.SubjectLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.TargetLogonId", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 73, "rule_id": "e4e31051-ee01-4307-a6ee-b21b186958f4", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}], "type": "eql", "version": 106}, "id": "e4e31051-ee01-4307-a6ee-b21b186958f4_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1.json b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1.json deleted file mode 100644 index eaf7fe5a178..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kerberos Pre-authentication Disabled for User", "note": "## Triage and analysis\n\n### Investigating Kerberos Pre-authentication Disabled for User\n\nKerberos pre-authentication is an account protection against offline password cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user\u2019s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user\u2019s password. 
Microsoft's security monitoring [recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) state that `'Don't Require Preauth' \u2013 Enabled` should not be enabled for user accounts because it weakens security for the account\u2019s Kerberos authentication.\n\nAS-REP roasting is an attack against Kerberos for user accounts that do not require pre-authentication, which means that if the target user has pre-authentication disabled, an attacker can request authentication data for it and get a TGT that can be brute-forced offline, similarly to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Determine if the target account is sensitive or privileged.\n- Inspect the account activities for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- Disabling pre-authentication is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positives (B-TPs), especially if the target account is privileged.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the target account's password if there is any risk of TGTs having been retrieved.\n- Re-enable the preauthentication option or disable the target account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.code:4738 and winlog.api:\"wineventlog\" and message:\"'Don't Require Preauth' - Enabled\"\n", "references": ["https://harmj0y.medium.com/roasting-as-reps-e6179a65216b", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}], "risk_score": 47, "rule_id": "e514d8cd-ed15-4011-84e2-d15147e059f1", "setup": "## Setup\n\nThe 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, 
"technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.004", "name": "AS-REP Roasting", "reference": "https://attack.mitre.org/techniques/T1558/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 111}, "id": "e514d8cd-ed15-4011-84e2-d15147e059f1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_105.json b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_105.json deleted file mode 100644 index a021841a867..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kerberos Pre-authentication Disabled for User", "note": "## Triage and analysis\n\n### Investigating Kerberos Pre-authentication Disabled for User\n\nKerberos pre-authentication is an account protection against offline password cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user\u2019s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user\u2019s password. 
Microsoft's security monitoring [recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) state that `'Don't Require Preauth' \u2013 Enabled` should not be enabled for user accounts because it weakens security for the account\u2019s Kerberos authentication.\n\nAS-REP roasting is an attack against Kerberos for user accounts that do not require pre-authentication, which means that if the target user has pre-authentication disabled, an attacker can request authentication data for it and get a TGT that can be brute-forced offline, similarly to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Determine if the target account is sensitive or privileged.\n- Inspect the account activities for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- Disabling pre-authentication is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positives (B-TPs), especially if the target account is privileged.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the target account's password if there is any risk of TGTs having been retrieved.\n- Re-enable the preauthentication option or disable the target account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.code:4738 and host.os.type:windows and message:\"'Don't Require Preauth' - Enabled\"\n", "references": ["https://harmj0y.medium.com/roasting-as-reps-e6179a65216b", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}], "risk_score": 47, "rule_id": "e514d8cd-ed15-4011-84e2-d15147e059f1", "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.004", "name": "AS-REP Roasting", 
"reference": "https://attack.mitre.org/techniques/T1558/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "e514d8cd-ed15-4011-84e2-d15147e059f1_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_106.json b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_106.json deleted file mode 100644 index 4ce1893c233..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kerberos Pre-authentication Disabled for User", "note": "## Triage and analysis\n\n### Investigating Kerberos Pre-authentication Disabled for User\n\nKerberos pre-authentication is an account protection against offline password cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user\u2019s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user\u2019s password. 
Microsoft's security monitoring [recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) state that `'Don't Require Preauth' \u2013 Enabled` should not be enabled for user accounts because it weakens security for the account\u2019s Kerberos authentication.\n\nAS-REP roasting is an attack against Kerberos for user accounts that do not require pre-authentication, which means that if the target user has pre-authentication disabled, an attacker can request authentication data for it and get a TGT that can be brute-forced offline, similarly to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Determine if the target account is sensitive or privileged.\n- Inspect the account activities for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- Disabling pre-authentication is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positives (B-TPs), especially if the target account is privileged.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the target account's password if there is any risk of TGTs having been retrieved.\n- Re-enable the preauthentication option or disable the target account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.code:4738 and winlog.api:\"wineventlog\" and message:\"'Don't Require Preauth' - Enabled\"\n", "references": ["https://harmj0y.medium.com/roasting-as-reps-e6179a65216b", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}], "risk_score": 47, "rule_id": "e514d8cd-ed15-4011-84e2-d15147e059f1", "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.004", "name": "AS-REP Roasting", 
"reference": "https://attack.mitre.org/techniques/T1558/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "e514d8cd-ed15-4011-84e2-d15147e059f1_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_107.json b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_107.json deleted file mode 100644 index 417f8bc531d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kerberos Pre-authentication Disabled for User", "note": "## Triage and analysis\n\n### Investigating Kerberos Pre-authentication Disabled for User\n\nKerberos pre-authentication is an account protection against offline password cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user\u2019s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user\u2019s password. 
Microsoft's security monitoring [recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) state that `'Don't Require Preauth' \u2013 Enabled` should not be enabled for user accounts because it weakens security for the account\u2019s Kerberos authentication.\n\nAS-REP roasting is an attack against Kerberos for user accounts that do not require pre-authentication, which means that if the target user has pre-authentication disabled, an attacker can request authentication data for it and get a TGT that can be brute-forced offline, similarly to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Determine if the target account is sensitive or privileged.\n- Inspect the account activities for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- Disabling pre-authentication is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positives (B-TPs), especially if the target account is privileged.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the target account's password if there is any risk of TGTs having been retrieved.\n- Re-enable the preauthentication option or disable the target account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.code:4738 and winlog.api:\"wineventlog\" and message:\"'Don't Require Preauth' - Enabled\"\n", "references": ["https://harmj0y.medium.com/roasting-as-reps-e6179a65216b", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}], "risk_score": 47, "rule_id": "e514d8cd-ed15-4011-84e2-d15147e059f1", "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": 
"https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.004", "name": "AS-REP Roasting", "reference": "https://attack.mitre.org/techniques/T1558/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "e514d8cd-ed15-4011-84e2-d15147e059f1_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_108.json b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_108.json deleted file mode 100644 index 3872381c23d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kerberos Pre-authentication Disabled for User", "note": "## Triage and analysis\n\n### Investigating Kerberos Pre-authentication Disabled for User\n\nKerberos pre-authentication is an account protection against offline password cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user\u2019s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user\u2019s password. 
Microsoft's security monitoring [recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) state that `'Don't Require Preauth' \u2013 Enabled` should not be enabled for user accounts because it weakens security for the account\u2019s Kerberos authentication.\n\nAS-REP roasting is an attack against Kerberos for user accounts that do not require pre-authentication, which means that if the target user has pre-authentication disabled, an attacker can request authentication data for it and get a TGT that can be brute-forced offline, similarly to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Determine if the target account is sensitive or privileged.\n- Inspect the account activities for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- Disabling pre-authentication is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positives (B-TPs), especially if the target account is privileged.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the target account's password if there is any risk of TGTs having been retrieved.\n- Re-enable the preauthentication option or disable the target account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.code:4738 and winlog.api:\"wineventlog\" and message:\"'Don't Require Preauth' - Enabled\"\n", "references": ["https://harmj0y.medium.com/roasting-as-reps-e6179a65216b", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}], "risk_score": 47, "rule_id": "e514d8cd-ed15-4011-84e2-d15147e059f1", "setup": "The 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or 
Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.004", "name": "AS-REP Roasting", "reference": "https://attack.mitre.org/techniques/T1558/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "e514d8cd-ed15-4011-84e2-d15147e059f1_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_109.json b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_109.json deleted file mode 100644 index 62c61d72d3c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kerberos Pre-authentication Disabled for User", "note": "## Triage and analysis\n\n### Investigating Kerberos Pre-authentication Disabled for User\n\nKerberos pre-authentication is an account protection against offline password cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user\u2019s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user\u2019s password. 
Microsoft's security monitoring [recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) state that `'Don't Require Preauth' \u2013 Enabled` should not be enabled for user accounts because it weakens security for the account\u2019s Kerberos authentication.\n\nAS-REP roasting is an attack against Kerberos for user accounts that do not require pre-authentication, which means that if the target user has pre-authentication disabled, an attacker can request authentication data for it and get a TGT that can be brute-forced offline, similarly to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Determine if the target account is sensitive or privileged.\n- Inspect the account activities for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- Disabling pre-authentication is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positives (B-TPs), especially if the target account is privileged.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the target account's password if there is any risk of TGTs having been retrieved.\n- Re-enable the preauthentication option or disable the target account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.code:4738 and winlog.api:\"wineventlog\" and message:\"'Don't Require Preauth' - Enabled\"\n", "references": ["https://harmj0y.medium.com/roasting-as-reps-e6179a65216b", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}], "risk_score": 47, "rule_id": "e514d8cd-ed15-4011-84e2-d15147e059f1", "setup": "\nThe 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": 
"Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.004", "name": "AS-REP Roasting", "reference": "https://attack.mitre.org/techniques/T1558/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 109}, "id": "e514d8cd-ed15-4011-84e2-d15147e059f1_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_110.json b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_110.json deleted file mode 100644 index 7f8a7276abb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kerberos Pre-authentication Disabled for User", "note": "## Triage and analysis\n\n### Investigating Kerberos Pre-authentication Disabled for User\n\nKerberos pre-authentication is an account protection against offline password cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user\u2019s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user\u2019s password. 
Microsoft's security monitoring [recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) state that `'Don't Require Preauth' \u2013 Enabled` should not be enabled for user accounts because it weakens security for the account\u2019s Kerberos authentication.\n\nAS-REP roasting is an attack against Kerberos for user accounts that do not require pre-authentication, which means that if the target user has pre-authentication disabled, an attacker can request authentication data for it and get a TGT that can be brute-forced offline, similarly to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Determine if the target account is sensitive or privileged.\n- Inspect the account activities for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- Disabling pre-authentication is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positives (B-TPs), especially if the target account is privileged.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the target account's password if there is any risk of TGTs having been retrieved.\n- Re-enable the preauthentication option or disable the target account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.code:4738 and winlog.api:\"wineventlog\" and message:\"'Don't Require Preauth' - Enabled\"\n", "references": ["https://harmj0y.medium.com/roasting-as-reps-e6179a65216b", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}], "risk_score": 47, "rule_id": "e514d8cd-ed15-4011-84e2-d15147e059f1", "setup": "## Setup\n\nThe 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", 
"name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.004", "name": "AS-REP Roasting", "reference": "https://attack.mitre.org/techniques/T1558/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 110}, "id": "e514d8cd-ed15-4011-84e2-d15147e059f1_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_111.json b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_111.json deleted file mode 100644 index 892f9b11b5c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kerberos Pre-authentication Disabled for User", "note": "## Triage and analysis\n\n### Investigating Kerberos Pre-authentication Disabled for User\n\nKerberos pre-authentication is an account protection against offline password cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user\u2019s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user\u2019s password. 
Microsoft's security monitoring [recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) state that `'Don't Require Preauth' \u2013 Enabled` should not be enabled for user accounts because it weakens security for the account\u2019s Kerberos authentication.\n\nAS-REP roasting is an attack against Kerberos for user accounts that do not require pre-authentication, which means that if the target user has pre-authentication disabled, an attacker can request authentication data for it and get a TGT that can be brute-forced offline, similarly to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Determine if the target account is sensitive or privileged.\n- Inspect the account activities for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- Disabling pre-authentication is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positives (B-TPs), especially if the target account is privileged.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the target account's password if there is any risk of TGTs having been retrieved.\n- Re-enable the preauthentication option or disable the target account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.code:4738 and winlog.api:\"wineventlog\" and message:\"'Don't Require Preauth' - Enabled\"\n", "references": ["https://harmj0y.medium.com/roasting-as-reps-e6179a65216b", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}], "risk_score": 47, "rule_id": "e514d8cd-ed15-4011-84e2-d15147e059f1", "setup": "## Setup\n\nThe 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, 
"technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.004", "name": "AS-REP Roasting", "reference": "https://attack.mitre.org/techniques/T1558/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 111}, "id": "e514d8cd-ed15-4011-84e2-d15147e059f1_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_112.json b/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_112.json deleted file mode 100644 index 0fe16249132..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e514d8cd-ed15-4011-84e2-d15147e059f1_112.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Kerberos Pre-authentication Disabled for User", "note": "## Triage and analysis\n\n### Investigating Kerberos Pre-authentication Disabled for User\n\nKerberos pre-authentication is an account protection against offline password cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user\u2019s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user\u2019s password. 
Microsoft's security monitoring [recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) state that `'Don't Require Preauth' \u2013 Enabled` should not be enabled for user accounts because it weakens security for the account\u2019s Kerberos authentication.\n\nAS-REP roasting is an attack against Kerberos for user accounts that do not require pre-authentication, which means that if the target user has pre-authentication disabled, an attacker can request authentication data for it and get a TGT that can be brute-forced offline, similarly to Kerberoasting.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Determine if the target account is sensitive or privileged.\n- Inspect the account activities for suspicious or abnormal behaviors in the alert timeframe.\n\n### False positive analysis\n\n- Disabling pre-authentication is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positives (B-TPs), especially if the target account is privileged.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the target account's password if there is any risk of TGTs having been retrieved.\n- Re-enable the preauthentication option or disable the target account.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.code:4738 and winlog.api:\"wineventlog\" and message:\"'Don't Require Preauth' - Enabled\"\n", "references": ["https://harmj0y.medium.com/roasting-as-reps-e6179a65216b", "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738", "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "message", "type": "match_only_text"}, {"ecs": false, "name": "winlog.api", "type": "keyword"}], "risk_score": 47, "rule_id": "e514d8cd-ed15-4011-84e2-d15147e059f1", "setup": "## Setup\n\nThe 'Audit User Account Management' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nAccount Management >\nAudit User Account Management (Success,Failure)\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, 
"technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.004", "name": "AS-REP Roasting", "reference": "https://attack.mitre.org/techniques/T1558/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.002", "name": "Domain Accounts", "reference": "https://attack.mitre.org/techniques/T1078/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 112}, "id": "e514d8cd-ed15-4011-84e2-d15147e059f1_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827.json b/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827.json deleted file mode 100644 index 9a3c883bbf3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.", "false_positives": ["MFA settings may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "MFA Disabled for Google Workspace Organization", "note": "## Triage and analysis\n\n### Investigating MFA Disabled for Google Workspace Organization\n\nMulti-factor authentication (MFA) is a process in which users are prompted for an additional form of identification, such as a code on their cell phone or a fingerprint scan, during the sign-in process.\n\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the users's password is weak or has been exposed elsewhere, an attacker could use it to gain access. Requiring a second form of authentication increases security because attackers cannot easily obtain or duplicate the additional authentication factor.\n\nFor more information about using MFA in Google Workspace, access the [official documentation](https://support.google.com/a/answer/175197).\n\nThis rule identifies when MFA enforcement is turned off in Google Workspace. 
This modification weakens account security and can lead to accounts and other assets being compromised.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate the multi-factor authentication enforcement.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false\n", "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.new_value", "type": "keyword"}], "risk_score": 47, "rule_id": "e555105c-ba6d-481f-82bb-9b633e7b4827", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "e555105c-ba6d-481f-82bb-9b633e7b4827", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_203.json b/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_203.json
deleted file mode 100644
index ebe853de194..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_203.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.", "false_positives": ["MFA settings may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "MFA Disabled for Google Workspace Organization", "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false\n", "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.new_value", "type": "keyword"}], "risk_score": 47, "rule_id": "e555105c-ba6d-481f-82bb-9b633e7b4827", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Identity and Access", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 203}, "id": "e555105c-ba6d-481f-82bb-9b633e7b4827_203", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_204.json b/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_204.json
deleted file mode 100644
index 40360a882f7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_204.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.", "false_positives": ["MFA settings may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "MFA Disabled for Google Workspace Organization", "note": "## Triage and analysis\n\n### Investigating MFA Disabled for Google Workspace Organization\n\nMulti-factor authentication (MFA) is a process in which users are prompted for an additional form of identification, such as a code on their cell phone or a fingerprint scan, during the sign-in process.\n\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the users's password is weak or has been exposed elsewhere, an attacker could use it to gain access. Requiring a second form of authentication increases security because attackers cannot easily obtain or duplicate the additional authentication factor.\n\nFor more information about using MFA in Google Workspace, access the [official documentation](https://support.google.com/a/answer/175197).\n\nThis rule identifies when MFA enforcement is turned off in Google Workspace. 
This modification weakens account security and can lead to accounts and other assets being compromised.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate the multi-factor authentication enforcement.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false\n", "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.new_value", "type": "keyword"}], "risk_score": 47, "rule_id": "e555105c-ba6d-481f-82bb-9b633e7b4827", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Identity and Access", "Persistence", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 204}, "id": "e555105c-ba6d-481f-82bb-9b633e7b4827_204", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_205.json b/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_205.json
deleted file mode 100644
index 17b5968ca82..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e555105c-ba6d-481f-82bb-9b633e7b4827_205.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when multi-factor authentication (MFA) is disabled for a Google Workspace organization. An adversary may attempt to modify a password policy in order to weaken an organization\u2019s security controls.", "false_positives": ["MFA settings may be modified by system administrators. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "MFA Disabled for Google Workspace Organization", "note": "## Triage and analysis\n\n### Investigating MFA Disabled for Google Workspace Organization\n\nMulti-factor authentication (MFA) is a process in which users are prompted for an additional form of identification, such as a code on their cell phone or a fingerprint scan, during the sign-in process.\n\nIf you only use a password to authenticate a user, it leaves an insecure vector for attack. If the users's password is weak or has been exposed elsewhere, an attacker could use it to gain access. Requiring a second form of authentication increases security because attackers cannot easily obtain or duplicate the additional authentication factor.\n\nFor more information about using MFA in Google Workspace, access the [official documentation](https://support.google.com/a/answer/175197).\n\nThis rule identifies when MFA enforcement is turned off in Google Workspace. 
This modification weakens account security and can lead to accounts and other assets being compromised.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if this operation was approved and performed according to the organization's change management policy.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Reactivate the multi-factor authentication enforcement.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://support.google.com/a/answer/7587183) by Google.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "event.dataset:google_workspace.admin and event.provider:admin and event.category:iam and event.action:(ENFORCE_STRONG_AUTHENTICATION or ALLOW_STRONG_AUTHENTICATION) and google_workspace.admin.new_value:false\n", "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "google_workspace.admin.new_value", "type": "keyword"}], "risk_score": 47, "rule_id": "e555105c-ba6d-481f-82bb-9b633e7b4827", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "e555105c-ba6d-481f-82bb-9b633e7b4827_205", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c.json b/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c.json
deleted file mode 100644
index 0ccd00a7c37..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user's context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content triggered by a user\u2019s shell.", "false_positives": ["Changes to the Shell Profile tend to be noisy, a tuning per your environment will be required."], "from": "now-9m", "index": ["logs-endpoint.events.*", "auditbeat-*"], "language": "kuery", "license": "Elastic License v2", "name": "Bash Shell Profile Modification", "query": "event.category:file and event.type:change and\n process.name:(* and not (sudo or vim or zsh or env or nano or bash or Terminal or xpcproxy or login or cat or cp or\n launchctl or java or dnf or tailwatchd or ldconfig or yum or semodule or cpanellogd or dockerd or authselect or chmod or\n dnf-automatic or git or dpkg or platform-python)) and\n not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/* or /opt/saltstack/salt/bin/*) and\n file.path:(/private/etc/rc.local or\n /etc/rc.local or\n /home/*/.profile or\n /home/*/.profile1 or\n /home/*/.bash_profile or\n /home/*/.bash_profile1 or\n /home/*/.bashrc or\n /Users/*/.bash_profile or\n /Users/*/.zshenv)\n", "references": ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e6c1a552-7776-44ad-ae0f-8746cc07773c", "severity": 
"medium", "tags": ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.004", "name": "Unix Shell Configuration Modification", "reference": "https://attack.mitre.org/techniques/T1546/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "e6c1a552-7776-44ad-ae0f-8746cc07773c", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_101.json b/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_101.json
deleted file mode 100644
index f49e4192b4a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_101.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user's context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content triggered by a user\u2019s shell.", "false_positives": ["Changes to the Shell Profile tend to be noisy, a tuning per your environment will be required."], "from": "now-9m", "index": ["logs-endpoint.events.*", "auditbeat-*"], "language": "kuery", "license": "Elastic License v2", "name": "Bash Shell Profile Modification", "query": "event.category:file and event.type:change and\n process.name:(* and not (sudo or\n vim or\n zsh or\n env or\n nano or\n bash or\n Terminal or\n xpcproxy or\n login or\n cat or\n cp or\n launchctl or\n java)) and\n not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/*) and\n file.path:(/private/etc/rc.local or\n /etc/rc.local or\n /home/*/.profile or\n /home/*/.profile1 or\n /home/*/.bash_profile or\n /home/*/.bash_profile1 or\n /home/*/.bashrc or\n /Users/*/.bash_profile or\n /Users/*/.zshenv)\n", "references": ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e6c1a552-7776-44ad-ae0f-8746cc07773c", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", 
"name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.004", "name": "Unix Shell Configuration Modification", "reference": "https://attack.mitre.org/techniques/T1546/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "e6c1a552-7776-44ad-ae0f-8746cc07773c_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_102.json b/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_102.json
deleted file mode 100644
index c4b3e2de445..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user's context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content triggered by a user\u2019s shell.", "false_positives": ["Changes to the Shell Profile tend to be noisy, a tuning per your environment will be required."], "from": "now-9m", "index": ["logs-endpoint.events.*", "auditbeat-*"], "language": "kuery", "license": "Elastic License v2", "name": "Bash Shell Profile Modification", "query": "event.category:file and event.type:change and\n process.name:(* and not (sudo or\n vim or\n zsh or\n env or\n nano or\n bash or\n Terminal or\n xpcproxy or\n login or\n cat or\n cp or\n launchctl or\n java)) and\n not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/*) and\n file.path:(/private/etc/rc.local or\n /etc/rc.local or\n /home/*/.profile or\n /home/*/.profile1 or\n /home/*/.bash_profile or\n /home/*/.bash_profile1 or\n /home/*/.bashrc or\n /Users/*/.bash_profile or\n /Users/*/.zshenv)\n", "references": ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e6c1a552-7776-44ad-ae0f-8746cc07773c", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.004", "name": "Unix Shell Configuration Modification", "reference": "https://attack.mitre.org/techniques/T1546/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "e6c1a552-7776-44ad-ae0f-8746cc07773c_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_103.json b/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_103.json
deleted file mode 100644
index bf170b5607a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e6c1a552-7776-44ad-ae0f-8746cc07773c_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user's context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content triggered by a user\u2019s shell.", "false_positives": ["Changes to the Shell Profile tend to be noisy, a tuning per your environment will be required."], "from": "now-9m", "index": ["logs-endpoint.events.*", "auditbeat-*"], "language": "kuery", "license": "Elastic License v2", "name": "Bash Shell Profile Modification", "query": "event.category:file and event.type:change and\n process.name:(* and not (sudo or\n vim or\n zsh or\n env or\n nano or\n bash or\n Terminal or\n xpcproxy or\n login or\n cat or\n cp or\n launchctl or\n java)) and\n not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/*) and\n file.path:(/private/etc/rc.local or\n /etc/rc.local or\n /home/*/.profile or\n /home/*/.profile1 or\n /home/*/.bash_profile or\n /home/*/.bash_profile1 or\n /home/*/.bashrc or\n /Users/*/.bash_profile or\n /Users/*/.zshenv)\n", "references": ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e6c1a552-7776-44ad-ae0f-8746cc07773c", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.004", "name": "Unix Shell Configuration Modification", "reference": "https://attack.mitre.org/techniques/T1546/004/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "e6c1a552-7776-44ad-ae0f-8746cc07773c_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10.json b/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10.json
deleted file mode 100644
index 07422caf3db..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Authorization Plugin Modification", "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:(/Library/Security/SecurityAgentPlugins/* and\n not (/Library/Security/SecurityAgentPlugins/KandjiPassport.bundle/* or /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/*)) and\n not (process.name:shove and process.code_signature.trusted:true)\n", "references": ["https://developer.apple.com/documentation/security/authorization_plug-ins", "https://www.xorrior.com/persistent-credential-theft/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e6c98d38-633d-4b3e-9387-42112cd5ac10", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.002", "name": "Authentication Package", "reference": "https://attack.mitre.org/techniques/T1547/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "e6c98d38-633d-4b3e-9387-42112cd5ac10", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_102.json b/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_102.json deleted file mode 100644 index 58f6679679d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Authorization Plugin Modification", "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:(/Library/Security/SecurityAgentPlugins/* and\n not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/*) and\n not process.name:shove and process.code_signature.trusted:true\n", "references": ["https://developer.apple.com/documentation/security/authorization_plug-ins", "https://www.xorrior.com/persistent-credential-theft/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e6c98d38-633d-4b3e-9387-42112cd5ac10", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.002", "name": "Authentication 
Package", "reference": "https://attack.mitre.org/techniques/T1547/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "e6c98d38-633d-4b3e-9387-42112cd5ac10_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_103.json b/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_103.json
deleted file mode 100644
index 1d18ac317ff..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Authorization Plugin Modification", "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:(/Library/Security/SecurityAgentPlugins/* and\n not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/*) and\n not process.name:shove and process.code_signature.trusted:true\n", "references": ["https://developer.apple.com/documentation/security/authorization_plug-ins", "https://www.xorrior.com/persistent-credential-theft/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e6c98d38-633d-4b3e-9387-42112cd5ac10", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.002", "name": 
"Authentication Package", "reference": "https://attack.mitre.org/techniques/T1547/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "e6c98d38-633d-4b3e-9387-42112cd5ac10_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_104.json b/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_104.json
deleted file mode 100644
index 50198a3a1fb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Authorization Plugin Modification", "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:(/Library/Security/SecurityAgentPlugins/* and\n not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/*) and\n not process.name:shove and process.code_signature.trusted:true\n", "references": ["https://developer.apple.com/documentation/security/authorization_plug-ins", "https://www.xorrior.com/persistent-credential-theft/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e6c98d38-633d-4b3e-9387-42112cd5ac10", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", 
"subtechnique": [{"id": "T1547.002", "name": "Authentication Package", "reference": "https://attack.mitre.org/techniques/T1547/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "e6c98d38-633d-4b3e-9387-42112cd5ac10_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_105.json b/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_105.json
deleted file mode 100644
index b251593fe6d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Authorization Plugin Modification", "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:(/Library/Security/SecurityAgentPlugins/* and\n not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/*) and\n not process.name:shove and process.code_signature.trusted:true\n", "references": ["https://developer.apple.com/documentation/security/authorization_plug-ins", "https://www.xorrior.com/persistent-credential-theft/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e6c98d38-633d-4b3e-9387-42112cd5ac10", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.002", "name": "Authentication Package", "reference": "https://attack.mitre.org/techniques/T1547/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "e6c98d38-633d-4b3e-9387-42112cd5ac10_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_106.json b/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_106.json
deleted file mode 100644
index ddf4a9e09d5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e6c98d38-633d-4b3e-9387-42112cd5ac10_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Authorization Plugin Modification", "query": "event.category:file and host.os.type:macos and not event.type:deletion and\n file.path:(/Library/Security/SecurityAgentPlugins/* and\n not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/*) and\n not process.name:shove and process.code_signature.trusted:true\n", "references": ["https://developer.apple.com/documentation/security/authorization_plug-ins", "https://www.xorrior.com/persistent-credential-theft/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e6c98d38-633d-4b3e-9387-42112cd5ac10", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.002", "name": "Authentication Package", "reference": "https://attack.mitre.org/techniques/T1547/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "e6c98d38-633d-4b3e-9387-42112cd5ac10_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68.json b/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68.json
deleted file mode 100644
index 9628e259b9f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization's business operations by performing a DoS attack against its Okta service.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Possible Okta DoS Attack", "note": "", "query": "event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1498", "name": "Network Denial of Service", "reference": "https://attack.mitre.org/techniques/T1498/"}, {"id": "T1499", "name": "Endpoint Denial of Service", "reference": "https://attack.mitre.org/techniques/T1499/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_102.json b/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_102.json
deleted file mode 100644
index 4f849a8a255..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization's business operations by performing a DoS attack against its Okta service.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Possible Okta DoS Attack", "note": "", "query": "event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1498", "name": "Network Denial of Service", "reference": "https://attack.mitre.org/techniques/T1498/"}, {"id": "T1499", "name": "Endpoint Denial of Service", "reference": "https://attack.mitre.org/techniques/T1499/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_103.json b/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_103.json
deleted file mode 100644
index d24efa0720d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization's business operations by performing a DoS attack against its Okta service.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Possible Okta DoS Attack", "note": "", "query": "event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1498", "name": "Network Denial of Service", "reference": "https://attack.mitre.org/techniques/T1498/"}, {"id": "T1499", "name": "Endpoint Denial of Service", "reference": "https://attack.mitre.org/techniques/T1499/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_104.json b/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_104.json
deleted file mode 100644
index 533af69496b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization's business operations by performing a DoS attack against its Okta service.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Possible Okta DoS Attack", "note": "", "query": "event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1498", "name": "Network Denial of Service", "reference": "https://attack.mitre.org/techniques/T1498/"}, {"id": "T1499", "name": "Endpoint Denial of Service", "reference": "https://attack.mitre.org/techniques/T1499/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_205.json b/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_205.json
deleted file mode 100644
index 4a080637f86..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_205.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization's business operations by performing a DoS attack against its Okta service.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Possible Okta DoS Attack", "note": "", "query": "event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1498", "name": "Network Denial of Service", "reference": "https://attack.mitre.org/techniques/T1498/"}, {"id": "T1499", "name": "Endpoint Denial of Service", "reference": "https://attack.mitre.org/techniques/T1499/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68_205", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_206.json b/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_206.json
deleted file mode 100644
index 3f419e4d5d3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_206.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization's business operations by performing a DoS attack against its Okta service.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Possible Okta DoS Attack", "note": "", "query": "event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1498", "name": "Network Denial of Service", "reference": "https://attack.mitre.org/techniques/T1498/"}, {"id": "T1499", "name": "Endpoint Denial of Service", "reference": "https://attack.mitre.org/techniques/T1499/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, 
"id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68_206", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_208.json b/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_208.json
deleted file mode 100644
index 7c20670277a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_208.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization's business operations by performing a DoS attack against its Okta service.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Possible Okta DoS Attack", "note": "", "query": "event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1498", "name": "Network Denial of Service", "reference": "https://attack.mitre.org/techniques/T1498/"}, {"id": "T1499", "name": "Endpoint Denial of Service", "reference": "https://attack.mitre.org/techniques/T1499/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 208}, 
"id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_308.json b/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_308.json
new file mode 100644
index 00000000000..2f5223411a9
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/e6e3ecff-03dd-48ec-acbd-54a04de10c68_308.json
@@ -0,0 +1,78 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects possible Denial of Service (DoS) attacks against an Okta organization. An adversary may attempt to disrupt an organization's business operations by performing a DoS attack against its Okta service.",
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Possible Okta DoS Attack",
+ "note": "",
+ "query": "event.dataset:okta.system and event.action:(application.integration.rate_limit_exceeded or system.org.rate_limit.warning or system.org.rate_limit.violation or core.concurrency.org.limit.violation)\n",
+ "references": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Impact"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0040",
+ "name": "Impact",
+ "reference": "https://attack.mitre.org/tactics/TA0040/"
+ },
+ "technique": [
+ {
+ "id": "T1498",
+ "name": "Network Denial of Service",
+ "reference": "https://attack.mitre.org/techniques/T1498/"
+ },
+ {
+ "id": "T1499",
+ "name": "Endpoint 
Denial of Service",
+ "reference": "https://attack.mitre.org/techniques/T1499/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 308
+ },
+ "id": "e6e3ecff-03dd-48ec-acbd-54a04de10c68_308",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b.json b/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b.json
deleted file mode 100644
index b0f3db570d9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b.json
+++ /dev/null
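Review bot: The new `_308` revision still ships with `"note": ""`, so the rule carries no investigation guide even though its query fires on `system.org.rate_limit.warning` alongside the violation and concurrency-limit events, and a warning-level rate-limit event presumably reflects approaching a quota rather than confirmed disruption. A short triage note would help analysts separate legitimate API bursts from an attack, for example: "Identify the client, integration or source IP that triggered the rate-limit event in the Okta system log and confirm whether it belongs to a known integration before treating the alert as DoS; warning events alone do not indicate service impact." The query, index patterns and `required_fields` are identical to the deleted 206/208 revisions; the only substantive difference visible here is the okta integration constraint moving from `^2.0.0` to `^3.0.0`, so if that major version changes field mappings the `required_fields` list should be re-validated against the v3 integration.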
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Screensaver Plist File Modified by Unexpected Process", "note": "## Triage and analysis\n\n- Analyze the plist file modification event to identify whether the change was expected or not\n- Investigate the process that modified the plist file for malicious code or other suspicious behavior\n- Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host\n", "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.name: \"com.apple.screensaver.*.plist\" and\n file.path : (\n \"/Users/*/Library/Preferences/ByHost/*\",\n \"/Library/Managed Preferences/*\",\n \"/System/Library/Preferences/*\"\n ) and\n (\n process.code_signature.trusted == false or\n process.code_signature.exists == false or\n\n /* common script interpreters and abused native macOS bins */\n process.name : (\n \"curl\",\n \"mktemp\",\n \"tail\",\n \"funzip\",\n \"python*\",\n \"osascript\",\n \"perl\"\n )\n ) and\n\n /* Filter OS processes modifying screensaver plist files */\n not process.executable : (\n \"/usr/sbin/cfprefsd\",\n \"/usr/libexec/xpcproxy\",\n \"/System/Library/CoreServices/ManagedClient.app/Contents/Resources/MCXCompositor\",\n \"/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient\"\n )\n", "references": ["https://posts.specterops.io/saving-your-access-d562bf5bf90b", "https://github.com/D00MFist/PersistentJXA"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": 
[{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_102.json b/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_102.json deleted file mode 100644 index 8800bbc7ba2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Screensaver Plist File Modified by Unexpected Process", "note": "## Triage and analysis\n\n- Analyze the plist file modification event to identify whether the change was expected or not\n- Investigate the process that modified the plist file for malicious code or other suspicious behavior\n- Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host", "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.name: \"com.apple.screensaver.*.plist\" and\n file.path : (\n \"/Users/*/Library/Preferences/ByHost/*\",\n \"/Library/Managed Preferences/*\",\n \"/System/Library/Preferences/*\"\n ) and\n (\n process.code_signature.trusted == false or\n process.code_signature.exists == false or\n\n /* common script interpreters and abused native macOS bins */\n process.name : (\n \"curl\",\n \"mktemp\",\n \"tail\",\n \"funzip\",\n \"python*\",\n \"osascript\",\n \"perl\"\n )\n ) and\n\n /* Filter OS processes modifying screensaver plist files */\n not process.executable : (\n \"/usr/sbin/cfprefsd\",\n \"/usr/libexec/xpcproxy\",\n \"/System/Library/CoreServices/ManagedClient.app/Contents/Resources/MCXCompositor\",\n \"/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient\"\n )\n", "references": ["https://posts.specterops.io/saving-your-access-d562bf5bf90b", "https://github.com/D00MFist/PersistentJXA"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], 
"required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_103.json b/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_103.json deleted file mode 100644 index 79dcbebf8f0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Screensaver Plist File Modified by Unexpected Process", "note": "## Triage and analysis\n\n- Analyze the plist file modification event to identify whether the change was expected or not\n- Investigate the process that modified the plist file for malicious code or other suspicious behavior\n- Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host", "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.name: \"com.apple.screensaver.*.plist\" and\n file.path : (\n \"/Users/*/Library/Preferences/ByHost/*\",\n \"/Library/Managed Preferences/*\",\n \"/System/Library/Preferences/*\"\n ) and\n (\n process.code_signature.trusted == false or\n process.code_signature.exists == false or\n\n /* common script interpreters and abused native macOS bins */\n process.name : (\n \"curl\",\n \"mktemp\",\n \"tail\",\n \"funzip\",\n \"python*\",\n \"osascript\",\n \"perl\"\n )\n ) and\n\n /* Filter OS processes modifying screensaver plist files */\n not process.executable : (\n \"/usr/sbin/cfprefsd\",\n \"/usr/libexec/xpcproxy\",\n \"/System/Library/CoreServices/ManagedClient.app/Contents/Resources/MCXCompositor\",\n \"/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient\"\n )\n", "references": ["https://posts.specterops.io/saving-your-access-d562bf5bf90b", "https://github.com/D00MFist/PersistentJXA"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], 
"required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_104.json b/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_104.json deleted file mode 100644 index f569205109a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Screensaver Plist File Modified by Unexpected Process", "note": "## Triage and analysis\n\n- Analyze the plist file modification event to identify whether the change was expected or not\n- Investigate the process that modified the plist file for malicious code or other suspicious behavior\n- Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host", "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.name: \"com.apple.screensaver.*.plist\" and\n file.path : (\n \"/Users/*/Library/Preferences/ByHost/*\",\n \"/Library/Managed Preferences/*\",\n \"/System/Library/Preferences/*\"\n ) and\n (\n process.code_signature.trusted == false or\n process.code_signature.exists == false or\n\n /* common script interpreters and abused native macOS bins */\n process.name : (\n \"curl\",\n \"mktemp\",\n \"tail\",\n \"funzip\",\n \"python*\",\n \"osascript\",\n \"perl\"\n )\n ) and\n\n /* Filter OS processes modifying screensaver plist files */\n not process.executable : (\n \"/usr/sbin/cfprefsd\",\n \"/usr/libexec/xpcproxy\",\n \"/System/Library/CoreServices/ManagedClient.app/Contents/Resources/MCXCompositor\",\n \"/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient\"\n )\n", "references": ["https://posts.specterops.io/saving-your-access-d562bf5bf90b", "https://github.com/D00MFist/PersistentJXA"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], 
"required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_105.json b/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_105.json deleted file mode 100644 index 0ab66a7bcea..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Screensaver Plist File Modified by Unexpected Process", "note": "## Triage and analysis\n\n- Analyze the plist file modification event to identify whether the change was expected or not\n- Investigate the process that modified the plist file for malicious code or other suspicious behavior\n- Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host\n\n", "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.name: \"com.apple.screensaver.*.plist\" and\n file.path : (\n \"/Users/*/Library/Preferences/ByHost/*\",\n \"/Library/Managed Preferences/*\",\n \"/System/Library/Preferences/*\"\n ) and\n (\n process.code_signature.trusted == false or\n process.code_signature.exists == false or\n\n /* common script interpreters and abused native macOS bins */\n process.name : (\n \"curl\",\n \"mktemp\",\n \"tail\",\n \"funzip\",\n \"python*\",\n \"osascript\",\n \"perl\"\n )\n ) and\n\n /* Filter OS processes modifying screensaver plist files */\n not process.executable : (\n \"/usr/sbin/cfprefsd\",\n \"/usr/libexec/xpcproxy\",\n \"/System/Library/CoreServices/ManagedClient.app/Contents/Resources/MCXCompositor\",\n \"/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient\"\n )\n", "references": ["https://posts.specterops.io/saving-your-access-d562bf5bf90b", "https://github.com/D00MFist/PersistentJXA"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], 
"required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_106.json b/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_106.json deleted file mode 100644 index d88a3a0683c..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/e6e8912f-283f-4d0d-8442-e0dcaf49944b_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Screensaver Plist File Modified by Unexpected Process", "note": "## Triage and analysis\n\n- Analyze the plist file modification event to identify whether the change was expected or not\n- Investigate the process that modified the plist file for malicious code or other suspicious behavior\n- Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host\n\n", "query": "file where host.os.type == \"macos\" and event.type != \"deletion\" and\n file.name: \"com.apple.screensaver.*.plist\" and\n file.path : (\n \"/Users/*/Library/Preferences/ByHost/*\",\n \"/Library/Managed Preferences/*\",\n \"/System/Library/Preferences/*\"\n ) and\n (\n process.code_signature.trusted == false or\n process.code_signature.exists == false or\n\n /* common script interpreters and abused native macOS bins */\n process.name : (\n \"curl\",\n \"mktemp\",\n \"tail\",\n \"funzip\",\n \"python*\",\n \"osascript\",\n \"perl\"\n )\n ) and\n\n /* Filter OS processes modifying screensaver plist files */\n not process.executable : (\n \"/usr/sbin/cfprefsd\",\n \"/usr/libexec/xpcproxy\",\n \"/System/Library/CoreServices/ManagedClient.app/Contents/Resources/MCXCompositor\",\n \"/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient\"\n )\n", "references": ["https://posts.specterops.io/saving-your-access-d562bf5bf90b", "https://github.com/D00MFist/PersistentJXA"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": 
[{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "e6e8912f-283f-4d0d-8442-e0dcaf49944b_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255.json b/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255.json deleted file mode 100644 index 2af32505639..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1). See the References section for additional information on module configuration.", "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "Default Cobalt Strike Team Server Certificate", "note": "## Threat intel\n\nWhile Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. 
This rule uses high-confidence atomic indicators, so alerts should be investigated rapidly.", "query": "(event.dataset: network_traffic.tls or event.category: (network or network_traffic))\n and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83\n or tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C\n or tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)\n", "references": ["https://attack.mitre.org/software/S0154/", "https://www.cobaltstrike.com/help-setup-collaboration", "https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-tls.html", "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html", "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html", "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "tls.server.hash.md5", "type": "keyword"}, {"ecs": true, "name": "tls.server.hash.sha1", "type": "keyword"}, {"ecs": true, "name": "tls.server.hash.sha256", "type": "keyword"}], "risk_score": 99, "rule_id": "e7075e8d-a966-458e-a183-85cd331af255", "severity": "critical", "tags": ["Tactic: Command and Control", "Threat: Cobalt Strike", "Use Case: Threat Detection", "Domain: Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": 
"e7075e8d-a966-458e-a183-85cd331af255", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255_102.json b/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255_102.json deleted file mode 100644 index d0523f6e9ae..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1). See the References section for additional information on module configuration.", "from": "now-9m", "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Default Cobalt Strike Team Server Certificate", "note": "## Threat intel\n\nWhile Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. 
This rule uses high-confidence atomic indicators, so alerts should be investigated rapidly.", "query": "event.category:(network or network_traffic) and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or\n tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or\n tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)\n", "references": ["https://attack.mitre.org/software/S0154/", "https://www.cobaltstrike.com/help-setup-collaboration", "https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-tls.html", "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html", "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html", "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "tls.server.hash.md5", "type": "keyword"}, {"ecs": true, "name": "tls.server.hash.sha1", "type": "keyword"}, {"ecs": true, "name": "tls.server.hash.sha256", "type": "keyword"}], "risk_score": 99, "rule_id": "e7075e8d-a966-458e-a183-85cd331af255", "severity": "critical", "tags": ["Command and Control", "Post-Execution", "Threat Detection", "Elastic", "Network", "Host"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "e7075e8d-a966-458e-a183-85cd331af255_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255_103.json b/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255_103.json
deleted file mode 100644
index 779809bdc1e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e7075e8d-a966-458e-a183-85cd331af255_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1). See the References section for additional information on module configuration.", "from": "now-9m", "index": ["packetbeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "Default Cobalt Strike Team Server Certificate", "note": "## Threat intel\n\nWhile Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. 
This rule uses high-confidence atomic indicators, so alerts should be investigated rapidly.", "query": "event.dataset: network_traffic.tls and (tls.server.hash.md5:950098276A495286EB2A2556FBAB6D83 or\n tls.server.hash.sha1:6ECE5ECE4192683D2D84E25B0BA7E04F9CB7EB7C or\n tls.server.hash.sha256:87F2085C32B6A2CC709B365F55873E207A9CAA10BFFECF2FD16D3CF9D94D390C)\n", "references": ["https://attack.mitre.org/software/S0154/", "https://www.cobaltstrike.com/help-setup-collaboration", "https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-tls.html", "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html", "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html", "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "tls.server.hash.md5", "type": "keyword"}, {"ecs": true, "name": "tls.server.hash.sha1", "type": "keyword"}, {"ecs": true, "name": "tls.server.hash.sha256", "type": "keyword"}], "risk_score": 99, "rule_id": "e7075e8d-a966-458e-a183-85cd331af255", "severity": "critical", "tags": ["Tactic: Command and Control", "Threat: Cobalt Strike", "Use Case: Threat Detection", "Domain: Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/", "subtechnique": [{"id": "T1071.001", "name": "Web Protocols", "reference": "https://attack.mitre.org/techniques/T1071/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "e7075e8d-a966-458e-a183-85cd331af255_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e707a7be-cc52-41ac-8ab3-d34b38c20005.json b/packages/security_detection_engine/kibana/security_rule/e707a7be-cc52-41ac-8ab3-d34b38c20005.json
deleted file mode 100644
index a013d058f71..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e707a7be-cc52-41ac-8ab3-d34b38c20005.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the creation or modification of a medium size memory dump file which can indicate an attempt to access credentials from a process memory.", "from": "now-9m", "index": ["logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Memory Dump File Creation", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n /* MDMP header */\n file.Ext.header_bytes : \"4d444d50*\" and file.size >= 30000 and\n not\n\n (\n (\n process.name : \"System\" or\n process.executable : (\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WUDFHost.exe\",\n \"C:\\\\Windows\\\\System32\\\\rdrleakdiag.exe\",\n \"?:\\\\Windows\\\\System32\\\\Taskmgr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Taskmgr.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\*.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Zoom\\\\bin\\\\zCrashReport64.exe\",\n \"?:\\\\Windows\\\\CCM\\\\ccmdump.exe\"\n ) and process.code_signature.trusted == true\n ) or\n (\n file.path : (\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\*\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\WDF\\\\*\",\n \"?:\\\\ProgramData\\\\Alteryx\\\\ErrorLogs\\\\*\",\n \"?:\\\\ProgramData\\\\Goodix\\\\*\",\n \"?:\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Zoom\\\\logs\\\\zoomcrash*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\Crashpad\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\crashpaddb\\\\*\",\n 
\"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\HungReports\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\CrashDumps\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\NativeCrashReporting\\\\*\"\n ) and (process.code_signature.trusted == true or process.executable == null)\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "file.size", "type": "long"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "e707a7be-cc52-41ac-8ab3-d34b38c20005", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "e707a7be-cc52-41ac-8ab3-d34b38c20005", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e707a7be-cc52-41ac-8ab3-d34b38c20005_1.json b/packages/security_detection_engine/kibana/security_rule/e707a7be-cc52-41ac-8ab3-d34b38c20005_1.json deleted file mode 100644 index d45f16857cf..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/e707a7be-cc52-41ac-8ab3-d34b38c20005_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the creation or modification of a medium size memory dump file which can indicate an attempt to access credentials from a process memory.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Memory Dump File Creation", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n /* MDMP header */\n file.Ext.header_bytes : \"4d444d50*\" and file.size >= 30000 and\n not\n\n (\n (\n process.executable : (\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WUDFHost.exe\",\n \"?:\\\\Windows\\\\System32\\\\Taskmgr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Taskmgr.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\*.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Zoom\\\\bin\\\\zCrashReport64.exe\"\n ) and process.code_signature.trusted == true\n ) or\n (\n file.path : (\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\*\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\WDF\\\\*\",\n \"?:\\\\ProgramData\\\\Alteryx\\\\ErrorLogs\\\\*\",\n \"?:\\\\ProgramData\\\\Goodix\\\\*\",\n \"?:\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Zoom\\\\logs\\\\zoomcrash*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\Crashpad\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\crashpaddb\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\HungReports\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\CrashDumps\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\NativeCrashReporting\\\\*\"\n 
) and (process.code_signature.trusted == true or process.executable == null)\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "file.size", "type": "long"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "e707a7be-cc52-41ac-8ab3-d34b38c20005", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "e707a7be-cc52-41ac-8ab3-d34b38c20005_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e707a7be-cc52-41ac-8ab3-d34b38c20005_2.json b/packages/security_detection_engine/kibana/security_rule/e707a7be-cc52-41ac-8ab3-d34b38c20005_2.json
deleted file mode 100644
index 40b0827c11c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e707a7be-cc52-41ac-8ab3-d34b38c20005_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the creation or modification of a medium size memory dump file which can indicate an attempt to access credentials from a process memory.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Credential Access via Memory Dump File Creation", "query": "file where host.os.type == \"windows\" and event.type == \"creation\" and\n\n /* MDMP header */\n file.Ext.header_bytes : \"4d444d50*\" and file.size >= 30000 and\n not\n\n (\n (\n process.name : \"System\" or\n process.executable : (\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Wermgr.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\WerFaultSecure.exe\",\n \"?:\\\\Windows\\\\System32\\\\WUDFHost.exe\",\n \"C:\\\\Windows\\\\System32\\\\rdrleakdiag.exe\",\n \"?:\\\\Windows\\\\System32\\\\Taskmgr.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\Taskmgr.exe\",\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\SystemApps\\\\*.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Zoom\\\\bin\\\\zCrashReport64.exe\"\n ) and process.code_signature.trusted == true\n ) or\n (\n file.path : (\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\WER\\\\*\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\WDF\\\\*\",\n \"?:\\\\ProgramData\\\\Alteryx\\\\ErrorLogs\\\\*\",\n \"?:\\\\ProgramData\\\\Goodix\\\\*\",\n \"?:\\\\Windows\\\\system32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Zoom\\\\logs\\\\zoomcrash*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\Crashpad\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\crashpaddb\\\\*\",\n 
\"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\HungReports\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\CrashDumps\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\*\\\\NativeCrashReporting\\\\*\"\n ) and (process.code_signature.trusted == true or process.executable == null)\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "file.size", "type": "long"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "e707a7be-cc52-41ac-8ab3-d34b38c20005", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "e707a7be-cc52-41ac-8ab3-d34b38c20005_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a.json b/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a.json deleted file mode 100644 index 54778a6e117..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies execution of suspicious persistent programs (scripts, rundll32, etc.) by looking at process lineage and command line usage.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution of Persistent Suspicious Program", "query": "/* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */\nsequence by host.id, user.name with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"userinit.exe\" and process.parent.name : \"winlogon.exe\"]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"explorer.exe\"]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"explorer.exe\" and\n /* add suspicious programs here */\n process.pe.original_file_name in (\"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"RegAsm.exe\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\") and\n /* add potential suspicious paths here */\n process.args : (\"C:\\\\Users\\\\*\", \"C:\\\\ProgramData\\\\*\", \"C:\\\\Windows\\\\Temp\\\\*\", \"C:\\\\Windows\\\\Tasks\\\\*\", \"C:\\\\PerfLogs\\\\*\", \"C:\\\\Intel\\\\*\")\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, 
"name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "type": "eql", "version": 107}, "id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_103.json b/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_103.json deleted file mode 100644 index 6dc3cea5d2d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_103.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies execution of suspicious persistent programs (scripts, rundll32, etc.) by looking at process lineage and command line usage.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution of Persistent Suspicious Program", "query": "/* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */\nsequence by host.id, user.name with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"userinit.exe\" and process.parent.name : \"winlogon.exe\"]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"explorer.exe\"]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"explorer.exe\" and\n /* add suspicious programs here */\n process.pe.original_file_name in (\"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"RegAsm.exe\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\") and\n /* add potential suspicious paths here */\n process.args : (\"C:\\\\Users\\\\*\", \"C:\\\\ProgramData\\\\*\", \"C:\\\\Windows\\\\Temp\\\\*\", \"C:\\\\Windows\\\\Tasks\\\\*\", \"C:\\\\PerfLogs\\\\*\", \"C:\\\\Intel\\\\*\")\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": 
"process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "type": "eql", "version": 103}, "id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_104.json b/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_104.json deleted file mode 100644 index a61cae685b5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies execution of suspicious persistent programs (scripts, rundll32, etc.) by looking at process lineage and command line usage.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution of Persistent Suspicious Program", "query": "/* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */\nsequence by host.id, user.name with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"userinit.exe\" and process.parent.name : \"winlogon.exe\"]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"explorer.exe\"]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"explorer.exe\" and\n /* add suspicious programs here */\n process.pe.original_file_name in (\"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"RegAsm.exe\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\") and\n /* add potential suspicious paths here */\n process.args : (\"C:\\\\Users\\\\*\", \"C:\\\\ProgramData\\\\*\", \"C:\\\\Windows\\\\Temp\\\\*\", \"C:\\\\Windows\\\\Tasks\\\\*\", \"C:\\\\PerfLogs\\\\*\", \"C:\\\\Intel\\\\*\")\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": 
"process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "type": "eql", "version": 104}, "id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_105.json b/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_105.json deleted file mode 100644 index edca9e37cbd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution of suspicious persistent programs (scripts, rundll32, etc.) by looking at process lineage and command line usage.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution of Persistent Suspicious Program", "query": "/* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */\nsequence by host.id, user.name with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"userinit.exe\" and process.parent.name : \"winlogon.exe\"]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"explorer.exe\"]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"explorer.exe\" and\n /* add suspicious programs here */\n process.pe.original_file_name in (\"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"RegAsm.exe\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\") and\n /* add potential suspicious paths here */\n process.args : (\"C:\\\\Users\\\\*\", \"C:\\\\ProgramData\\\\*\", \"C:\\\\Windows\\\\Temp\\\\*\", \"C:\\\\Windows\\\\Tasks\\\\*\", \"C:\\\\PerfLogs\\\\*\", \"C:\\\\Intel\\\\*\")\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": 
"process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "type": "eql", "version": 105}, "id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_106.json b/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_106.json
deleted file mode 100644
index 122a5c10381..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution of suspicious persistent programs (scripts, rundll32, etc.) by looking at process lineage and command line usage.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution of Persistent Suspicious Program", "query": "/* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */\nsequence by host.id, user.name with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"userinit.exe\" and process.parent.name : \"winlogon.exe\"]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"explorer.exe\"]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"explorer.exe\" and\n /* add suspicious programs here */\n process.pe.original_file_name in (\"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"RegAsm.exe\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\") and\n /* add potential suspicious paths here */\n process.args : (\"C:\\\\Users\\\\*\", \"C:\\\\ProgramData\\\\*\", \"C:\\\\Windows\\\\Temp\\\\*\", \"C:\\\\Windows\\\\Tasks\\\\*\", \"C:\\\\PerfLogs\\\\*\", \"C:\\\\Intel\\\\*\")\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": 
"process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "type": "eql", "version": 106}, "id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_107.json b/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_107.json
deleted file mode 100644
index 9a179d4c236..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e7125cea-9fe1-42a5-9a05-b0792cf86f5a_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution of suspicious persistent programs (scripts, rundll32, etc.) by looking at process lineage and command line usage.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Execution of Persistent Suspicious Program", "query": "/* userinit followed by explorer followed by early child process of explorer (unlikely to be launched interactively) within 1m */\nsequence by host.id, user.name with maxspan=1m\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"userinit.exe\" and process.parent.name : \"winlogon.exe\"]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"explorer.exe\"]\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"explorer.exe\" and\n /* add suspicious programs here */\n process.pe.original_file_name in (\"cscript.exe\",\n \"wscript.exe\",\n \"PowerShell.EXE\",\n \"MSHTA.EXE\",\n \"RUNDLL32.EXE\",\n \"REGSVR32.EXE\",\n \"RegAsm.exe\",\n \"MSBuild.exe\",\n \"InstallUtil.exe\") and\n /* add potential suspicious paths here */\n process.args : (\"C:\\\\Users\\\\*\", \"C:\\\\ProgramData\\\\*\", \"C:\\\\Windows\\\\Temp\\\\*\", \"C:\\\\Windows\\\\Tasks\\\\*\", \"C:\\\\PerfLogs\\\\*\", \"C:\\\\Intel\\\\*\")\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, 
"name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "type": "eql", "version": 107}, "id": "e7125cea-9fe1-42a5-9a05-b0792cf86f5a_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643.json b/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643.json
deleted file mode 100644
index 6cb47b786f9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation of a WMI Event Subscription. Attackers can abuse this mechanism for persistence or to elevate to SYSTEM privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WMI Event Subscription Created", "query": "any where event.dataset == \"windows.sysmon_operational\" and event.code == \"21\" and\n winlog.event_data.Operation : \"Created\" and winlog.event_data.Consumer : (\"*subscription:CommandLineEventConsumer*\", \"*subscription:ActiveScriptEventConsumer*\")\n", "references": ["https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", "https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Consumer", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Operation", "type": "keyword"}], "risk_score": 47, "rule_id": "e72f87d0-a70e-4f8d-8443-a6407bc34643", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.003", "name": "Windows Management Instrumentation Event Subscription", "reference": "https://attack.mitre.org/techniques/T1546/003/"}]}]}], "timestamp_override": "event.ingested", 
"type": "eql", "version": 106}, "id": "e72f87d0-a70e-4f8d-8443-a6407bc34643", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_105.json b/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_105.json
deleted file mode 100644
index b72e920e00a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation of a WMI Event Subscription. Attackers can abuse this mechanism for persistence or to elevate to SYSTEM privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WMI Event Subscription Created", "query": "any where event.dataset == \"windows.sysmon_operational\" and event.code == \"21\" and\n winlog.event_data.Operation : \"Created\" and winlog.event_data.Consumer : (\"*subscription:CommandLineEventConsumer*\", \"*subscription:ActiveScriptEventConsumer*\")\n", "references": ["https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", "https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Consumer", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Operation", "type": "keyword"}], "risk_score": 47, "rule_id": "e72f87d0-a70e-4f8d-8443-a6407bc34643", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.003", "name": "Windows Management Instrumentation Event Subscription", "reference": "https://attack.mitre.org/techniques/T1546/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", 
"version": 105}, "id": "e72f87d0-a70e-4f8d-8443-a6407bc34643_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_106.json b/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_106.json
deleted file mode 100644
index b3d01bc6b99..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation of a WMI Event Subscription. Attackers can abuse this mechanism for persistence or to elevate to SYSTEM privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WMI Event Subscription Created", "query": "any where event.dataset == \"windows.sysmon_operational\" and event.code == \"21\" and\n winlog.event_data.Operation : \"Created\" and winlog.event_data.Consumer : (\"*subscription:CommandLineEventConsumer*\", \"*subscription:ActiveScriptEventConsumer*\")\n", "references": ["https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", "https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Consumer", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Operation", "type": "keyword"}], "risk_score": 47, "rule_id": "e72f87d0-a70e-4f8d-8443-a6407bc34643", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.003", "name": "Windows Management Instrumentation Event Subscription", "reference": "https://attack.mitre.org/techniques/T1546/003/"}]}]}], "timestamp_override": "event.ingested", 
"type": "eql", "version": 106}, "id": "e72f87d0-a70e-4f8d-8443-a6407bc34643_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_2.json b/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_2.json
deleted file mode 100644
index f77cf3f8c23..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation of a WMI Event Subscription. Attackers can abuse this mechanism for persistence or to elevate to SYSTEM privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WMI Event Subscription Created", "query": "any where event.dataset == \"windows.sysmon_operational\" and event.code == \"21\" and\n winlog.event_data.Operation : \"Created\" and winlog.event_data.Consumer : (\"*subscription:CommandLineEventConsumer*\", \"*subscription:ActiveScriptEventConsumer*\")\n", "references": ["https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", "https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Consumer", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Operation", "type": "keyword"}], "risk_score": 47, "rule_id": "e72f87d0-a70e-4f8d-8443-a6407bc34643", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.003", "name": "Windows Management Instrumentation Event Subscription", "reference": "https://attack.mitre.org/techniques/T1546/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", 
"version": 2}, "id": "e72f87d0-a70e-4f8d-8443-a6407bc34643_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_4.json b/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_4.json
deleted file mode 100644
index 3b5e5e04238..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e72f87d0-a70e-4f8d-8443-a6407bc34643_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the creation of a WMI Event Subscription. Attackers can abuse this mechanism for persistence or to elevate to SYSTEM privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious WMI Event Subscription Created", "query": "any where event.dataset == \"windows.sysmon_operational\" and event.code == \"21\" and\n winlog.event_data.Operation : \"Created\" and winlog.event_data.Consumer : (\"*subscription:CommandLineEventConsumer*\", \"*subscription:ActiveScriptEventConsumer*\")\n", "references": ["https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", "https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Consumer", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.Operation", "type": "keyword"}], "risk_score": 47, "rule_id": "e72f87d0-a70e-4f8d-8443-a6407bc34643", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Sysmon Only"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.003", "name": "Windows Management Instrumentation Event Subscription", "reference": "https://attack.mitre.org/techniques/T1546/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", 
"version": 4}, "id": "e72f87d0-a70e-4f8d-8443-a6407bc34643_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e7357fec-6e9c-41b9-b93d-6e4fc40c7d47.json b/packages/security_detection_engine/kibana/security_rule/e7357fec-6e9c-41b9-b93d-6e4fc40c7d47.json
deleted file mode 100644
index cd52e64f359..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e7357fec-6e9c-41b9-b93d-6e4fc40c7d47.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule identifies when 'SCNotification.exe' loads an untrusted DLL, which is a potential indicator of an attacker attempt to hijack/impersonate a Windows user session.", "from": "now-9m", "index": ["logs-endpoint.events.library-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Windows Session Hijacking via CcmExec", "query": "library where host.os.type == \"windows\" and process.name : \"SCNotification.exe\" and\n (dll.Ext.relative_file_creation_time < 86400 or dll.Ext.relative_file_name_modify_time <= 500) and dll.code_signature.status != \"trusted\"\n", "references": ["https://cloud.google.com/blog/topics/threat-intelligence/windows-session-hijacking-via-ccmexec", "https://mayfly277.github.io/posts/SCCM-LAB-part0x3/#impersonate-users---revshell-connected-users"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "dll.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": false, "name": "dll.Ext.relative_file_name_modify_time", "type": "unknown"}, {"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e7357fec-6e9c-41b9-b93d-6e4fc40c7d47", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "e7357fec-6e9c-41b9-b93d-6e4fc40c7d47", "type": "security-rule"} \ No newline at end of 
file
diff --git a/packages/security_detection_engine/kibana/security_rule/e74d645b-fec6-431e-bf93-ca64a538e0de.json b/packages/security_detection_engine/kibana/security_rule/e74d645b-fec6-431e-bf93-ca64a538e0de.json
deleted file mode 100644
index a95e6602ac7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e74d645b-fec6-431e-bf93-ca64a538e0de.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies unusual process executions using MSSQL Service accounts, which can indicate the exploitation/compromise of SQL instances. Attackers may exploit exposed MSSQL instances for initial access or lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.process-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Process For MSSQL Service Accounts", "query": "process where event.type == \"start\" and host.os.type == \"windows\" and\n user.name : (\n \"SQLSERVERAGENT\", \"SQLAGENT$*\",\n \"MSSQLSERVER\", \"MSSQL$*\",\n \"MSSQLServerOLAPService\",\n \"ReportServer*\", \"MsDtsServer150\",\n \"MSSQLFDLauncher*\",\n \"SQLServer2005SQLBrowserUser$*\",\n \"SQLWriter\", \"winmgmt\"\n ) and user.domain : \"NT SERVICE\" and\n not (\n (\n process.name : (\n \"sqlceip.exe\", \"sqlservr.exe\", \"sqlagent.exe\",\n \"msmdsrv.exe\", \"ReportingServicesService.exe\",\n \"MsDtsSrvr.exe\", \"sqlbrowser.exe\", \"DTExec.exe\",\n \"SQLPS.exe\", \"fdhost.exe\", \"fdlauncher.exe\",\n \"SqlDumper.exe\", \"sqlsqm.exe\", \"DatabaseMail.exe\",\n \"ISServerExec.exe\", \"Microsoft.ReportingServices.Portal.WebHost.exe\",\n \"bcp.exe\", \"SQLCMD.exe\", \"DatabaseMail.exe\"\n ) or\n process.executable : (\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Windows\\\\System32\\\\conhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\"\n )\n ) and\n (\n process.code_signature.subject_name : (\"Microsoft Corporation\", \"Microsoft Windows\") and\n process.code_signature.trusted == true\n )\n ) and\n not (\n (process.name : \"cmd.exe\" and process.parent.name : \"sqlservr.exe\") or\n (process.name : \"cmd.exe\" and process.parent.name : \"forfiles.exe\" and process.command_line : \"/c echo *\")\n )\n", "references": 
["https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/", "https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions?view=sql-server-ver16"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "e74d645b-fec6-431e-bf93-ca64a538e0de", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.001", "name": "SQL Stored Procedures", "reference": "https://attack.mitre.org/techniques/T1505/001/"}]}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 4}, "id": "e74d645b-fec6-431e-bf93-ca64a538e0de", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e74d645b-fec6-431e-bf93-ca64a538e0de_1.json b/packages/security_detection_engine/kibana/security_rule/e74d645b-fec6-431e-bf93-ca64a538e0de_1.json
deleted file mode 100644
index 4d9d541f493..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e74d645b-fec6-431e-bf93-ca64a538e0de_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies unusual process executions using MSSQL Service accounts, which can indicate the exploitation/compromise of SQL instances. Attackers may exploit exposed MSSQL instances for initial access or lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Process For MSSQL Service Accounts", "query": "process where event.type == \"start\" and host.os.type == \"windows\" and\n user.name : (\n \"SQLSERVERAGENT\", \"SQLAGENT$*\",\n \"MSSQLSERVER\", \"MSSQL$*\",\n \"MSSQLServerOLAPService\",\n \"ReportServer*\", \"MsDtsServer150\",\n \"MSSQLFDLauncher*\",\n \"SQLServer2005SQLBrowserUser$*\",\n \"SQLWriter\", \"winmgmt\"\n ) and user.domain : \"NT SERVICE\" and\n not (\n process.name : (\n \"sqlceip.exe\", \"sqlservr.exe\", \"sqlagent.exe\",\n \"msmdsrv.exe\", \"ReportingServicesService.exe\",\n \"MsDtsSrvr.exe\", \"sqlbrowser.exe\"\n ) and (process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true)\n )\n", "references": ["https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/", "https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions?view=sql-server-ver16"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], 
"risk_score": 21, "rule_id": "e74d645b-fec6-431e-bf93-ca64a538e0de", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "e74d645b-fec6-431e-bf93-ca64a538e0de_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e74d645b-fec6-431e-bf93-ca64a538e0de_2.json b/packages/security_detection_engine/kibana/security_rule/e74d645b-fec6-431e-bf93-ca64a538e0de_2.json
deleted file mode 100644
index 775b3dd02ad..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e74d645b-fec6-431e-bf93-ca64a538e0de_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies unusual process executions using MSSQL Service accounts, which can indicate the exploitation/compromise of SQL instances. Attackers may exploit exposed MSSQL instances for initial access or lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Process For MSSQL Service Accounts", "query": "process where event.type == \"start\" and host.os.type == \"windows\" and\n user.name : (\n \"SQLSERVERAGENT\", \"SQLAGENT$*\",\n \"MSSQLSERVER\", \"MSSQL$*\",\n \"MSSQLServerOLAPService\",\n \"ReportServer*\", \"MsDtsServer150\",\n \"MSSQLFDLauncher*\",\n \"SQLServer2005SQLBrowserUser$*\",\n \"SQLWriter\", \"winmgmt\"\n ) and user.domain : \"NT SERVICE\" and\n not (\n process.name : (\n \"sqlceip.exe\", \"sqlservr.exe\", \"sqlagent.exe\",\n \"msmdsrv.exe\", \"ReportingServicesService.exe\",\n \"MsDtsSrvr.exe\", \"sqlbrowser.exe\"\n ) and (process.code_signature.subject_name : \"Microsoft Corporation\" and process.code_signature.trusted == true)\n )\n", "references": ["https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/", "https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions?view=sql-server-ver16"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], 
"risk_score": 21, "rule_id": "e74d645b-fec6-431e-bf93-ca64a538e0de", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.001", "name": "SQL Stored Procedures", "reference": "https://attack.mitre.org/techniques/T1505/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "e74d645b-fec6-431e-bf93-ca64a538e0de_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e74d645b-fec6-431e-bf93-ca64a538e0de_3.json b/packages/security_detection_engine/kibana/security_rule/e74d645b-fec6-431e-bf93-ca64a538e0de_3.json
deleted file mode 100644
index f4833989c4c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e74d645b-fec6-431e-bf93-ca64a538e0de_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies unusual process executions using MSSQL Service accounts, which can indicate the exploitation/compromise of SQL instances. Attackers may exploit exposed MSSQL instances for initial access or lateral movement.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Process For MSSQL Service Accounts", "query": "process where event.type == \"start\" and host.os.type == \"windows\" and\n user.name : (\n \"SQLSERVERAGENT\", \"SQLAGENT$*\",\n \"MSSQLSERVER\", \"MSSQL$*\",\n \"MSSQLServerOLAPService\",\n \"ReportServer*\", \"MsDtsServer150\",\n \"MSSQLFDLauncher*\",\n \"SQLServer2005SQLBrowserUser$*\",\n \"SQLWriter\", \"winmgmt\"\n ) and user.domain : \"NT SERVICE\" and\n not (\n (\n process.name : (\n \"sqlceip.exe\", \"sqlservr.exe\", \"sqlagent.exe\",\n \"msmdsrv.exe\", \"ReportingServicesService.exe\",\n \"MsDtsSrvr.exe\", \"sqlbrowser.exe\", \"DTExec.exe\",\n \"SQLPS.exe\", \"fdhost.exe\", \"fdlauncher.exe\",\n \"SqlDumper.exe\", \"sqlsqm.exe\", \"DatabaseMail.exe\"\n ) or\n process.executable : (\n \"?:\\\\Windows\\\\System32\\\\wermgr.exe\",\n \"?:\\\\Windows\\\\System32\\\\conhost.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFault.exe\"\n )\n ) and\n (\n process.code_signature.subject_name : (\"Microsoft Corporation\", \"Microsoft Windows\") and\n process.code_signature.trusted == true\n )\n ) and\n not (\n process.name : \"cmd.exe\" and process.parent.name : \"sqlservr.exe\"\n )\n", "references": ["https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/", "https://learn.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions?view=sql-server-ver16"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": 
true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "e74d645b-fec6-431e-bf93-ca64a538e0de", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.001", "name": "SQL Stored Procedures", "reference": "https://attack.mitre.org/techniques/T1505/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "e74d645b-fec6-431e-bf93-ca64a538e0de_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e760c72b-bb1f-44f0-9f0d-37d51744ee75.json b/packages/security_detection_engine/kibana/security_rule/e760c72b-bb1f-44f0-9f0d-37d51744ee75.json
deleted file mode 100644
index 22406c2b171..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e760c72b-bb1f-44f0-9f0d-37d51744ee75.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a child process from a Microsoft Common Console file. Adversaries may embed a malicious command in an MSC file in order to trick victims into executing malicious commands.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Execution via Microsoft Common Console File", "note": "## Triage and analysis\n\n### Investigating Execution via Microsoft Common Console File\n\n- Investigate the source of the MSC file.\n- Investigate the process execution chain (all spawned child processes and their descendants).\n- Investigate the process and it's descendants network and file events.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable : \"?:\\\\Windows\\\\System32\\\\mmc.exe\" and endswith~(process.parent.args, \".msc\") and\n not process.parent.args : (\"?:\\\\Windows\\\\System32\\\\*.msc\", \"?:\\\\Windows\\\\SysWOW64\\\\*.msc\", \"?:\\\\Program files\\\\*.msc\", \"?:\\\\Program Files (x86)\\\\*.msc\")\n", "references": ["https://www.genians.co.kr/blog/threat_intelligence/facebook"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "e760c72b-bb1f-44f0-9f0d-37d51744ee75", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", 
"subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "e760c72b-bb1f-44f0-9f0d-37d51744ee75", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e760c72b-bb1f-44f0-9f0d-37d51744ee75_1.json b/packages/security_detection_engine/kibana/security_rule/e760c72b-bb1f-44f0-9f0d-37d51744ee75_1.json
deleted file mode 100644
index 38da2cd3590..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e760c72b-bb1f-44f0-9f0d-37d51744ee75_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a child process from a Microsoft Common Console file. Adversaries may embed a malicious command in an MSC file in order to trick victims into executing malicious commands.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Execution via Microsoft Common Console File", "note": "## Triage and analysis\n\n### Investigating Execution via Microsoft Common Console File\n\n- Investigate the source of the MSC file.\n- Investigate the process execution chain (all spawned child processes and their descendants).\n- Investigate the process and it's descendants network and file events.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.executable : \"?:\\\\Windows\\\\System32\\\\mmc.exe\" and endswith~(process.parent.args, \".msc\") and\n not process.parent.args : (\"?:\\\\Windows\\\\System32\\\\*.msc\", \"?:\\\\Windows\\\\SysWOW64\\\\*.msc\", \"?:\\\\Program files\\\\*.msc\", \"?:\\\\Program Files (x86)\\\\*.msc\")\n", "references": ["https://www.genians.co.kr/blog/threat_intelligence/facebook"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "e760c72b-bb1f-44f0-9f0d-37d51744ee75", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", 
"subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "e760c72b-bb1f-44f0-9f0d-37d51744ee75_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c.json b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c.json
deleted file mode 100644
index b057e00478a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the unshadow utility which is part of John the Ripper, a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/password' files. Using the combined file generated from the utility, the malicious threat actors can use them as input for password-cracking utilities or prepare themselves for future operations by gathering credential information of the victim.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Credential Dumping via Unshadow", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.name == \"unshadow\" and process.args_count >= 3\n", "references": ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "reference": "https://attack.mitre.org/techniques/T1003/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_1.json b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_1.json
deleted file mode 100644
index ff4dc706e56..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the unshadow utility which is part of John the Ripper, a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/password' files. Using the combined file generated from the utility, the malicious threat actors can use them as input for password-cracking utilities or prepare themselves for future operations by gathering credential information of the victim.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Credential Dumping via Unshadow", "query": "process where host.os.type == \"linux\" and process.name == \"unshadow\" and\n event.type == \"start\" and event.action == \"exec\" and process.args_count >= 2\n", "references": ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c", "severity": "medium", "tags": ["Elastic", "Elastic Endgame", "Host", "Linux", "Threat Detection", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "reference": "https://attack.mitre.org/techniques/T1003/008/"}]}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_2.json b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_2.json
deleted file mode 100644
index f13f22c3530..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the unshadow utility which is part of John the Ripper, a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/password' files. Using the combined file generated from the utility, the malicious threat actors can use them as input for password-cracking utilities or prepare themselves for future operations by gathering credential information of the victim.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Credential Dumping via Unshadow", "query": "process where host.os.type == \"linux\" and process.name == \"unshadow\" and\n event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and process.args_count >= 2\n", "references": ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c", "severity": "medium", "tags": ["Elastic", "Elastic Endgame", "Host", "Linux", "Threat Detection", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "reference": 
"https://attack.mitre.org/techniques/T1003/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_3.json b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_3.json
deleted file mode 100644
index 5e0afffaa86..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the unshadow utility which is part of John the Ripper, a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/password' files. Using the combined file generated from the utility, the malicious threat actors can use them as input for password-cracking utilities or prepare themselves for future operations by gathering credential information of the victim.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Credential Dumping via Unshadow", "query": "process where host.os.type == \"linux\" and process.name == \"unshadow\" and\n event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and process.args_count >= 2\n", "references": ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c", "severity": "medium", "tags": ["Data Source: Elastic Endgame", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "reference": 
"https://attack.mitre.org/techniques/T1003/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_4.json b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_4.json
deleted file mode 100644
index 2d69e8cda1c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the unshadow utility which is part of John the Ripper, a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/password' files. Using the combined file generated from the utility, the malicious threat actors can use them as input for password-cracking utilities or prepare themselves for future operations by gathering credential information of the victim.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Credential Dumping via Unshadow", "query": "process where host.os.type == \"linux\" and process.name == \"unshadow\" and\n event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and process.args_count >= 2\n", "references": ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c", "severity": "medium", "tags": ["Data Source: Elastic Endgame", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.008", "name": "/etc/passwd and 
/etc/shadow", "reference": "https://attack.mitre.org/techniques/T1003/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_5.json b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_5.json
deleted file mode 100644
index 1334b266b8b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the unshadow utility which is part of John the Ripper, a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/password' files. Using the combined file generated from the utility, the malicious threat actors can use them as input for password-cracking utilities or prepare themselves for future operations by gathering credential information of the victim.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Credential Dumping via Unshadow", "query": "process where host.os.type == \"linux\" and process.name == \"unshadow\" and\n event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and process.args_count >= 2\n", "references": ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Data Source: Elastic Endgame", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "reference": "https://attack.mitre.org/techniques/T1003/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_6.json b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_6.json
deleted file mode 100644
index 0549d863fab..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the unshadow utility which is part of John the Ripper, a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/password' files. Using the combined file generated from the utility, the malicious threat actors can use them as input for password-cracking utilities or prepare themselves for future operations by gathering credential information of the victim.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Credential Dumping via Unshadow", "query": "process where host.os.type == \"linux\" and process.name == \"unshadow\" and\n event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and process.args_count >= 2\n", "references": ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Data Source: Elastic Endgame", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "reference": "https://attack.mitre.org/techniques/T1003/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_7.json b/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_7.json
deleted file mode 100644
index 7d2b00f7bdc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e7cb3cfd-aaa3-4d7b-af18-23b89955062c_7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the unshadow utility which is part of John the Ripper, a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve the combined contents of the '/etc/shadow' and '/etc/password' files. Using the combined file generated from the utility, the malicious threat actors can use them as input for password-cracking utilities or prepare themselves for future operations by gathering credential information of the victim.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Credential Dumping via Unshadow", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.name == \"unshadow\" and process.args_count >= 3\n", "references": ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "reference": "https://attack.mitre.org/techniques/T1003/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "e7cb3cfd-aaa3-4d7b-af18-23b89955062c_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426.json b/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426.json
deleted file mode 100644
index b3cfad46b1f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies when an AWS Route Table has been modified or deleted.", "false_positives": ["Route Table could be modified or deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table being modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Also automated processes that use Terraform may lead to false positives."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route Table Modified or Deleted", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or\nDeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:success\n", "references": ["https://github.com/easttimor/aws-incident-response#network-routing", "https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": 
"e7cd5982-17c8-4959-874c-633acde7d426", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Route53", "Use Case: Network Security Monitoring", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "e7cd5982-17c8-4959-874c-633acde7d426", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_102.json b/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_102.json
deleted file mode 100644
index 080414a2394..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies when an AWS Route Table has been modified or deleted.", "false_positives": ["Route Table could be modified or deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table being modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Also automated processes that use Terraform may lead to false positives."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route Table Modified or Deleted", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or\nDeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:success\n", "references": ["https://github.com/easttimor/aws-incident-response#network-routing", "https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": 
"e7cd5982-17c8-4959-874c-633acde7d426", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Network Security", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "e7cd5982-17c8-4959-874c-633acde7d426_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_103.json b/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_103.json
deleted file mode 100644
index b13e4c08fa6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies when an AWS Route Table has been modified or deleted.", "false_positives": ["Route Table could be modified or deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table being modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Also automated processes that use Terraform may lead to false positives."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route Table Modified or Deleted", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or\nDeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:success\n", "references": ["https://github.com/easttimor/aws-incident-response#network-routing", "https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": 
"e7cd5982-17c8-4959-874c-633acde7d426", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "e7cd5982-17c8-4959-874c-633acde7d426_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_104.json b/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_104.json
deleted file mode 100644
index 0887846caef..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies when an AWS Route Table has been modified or deleted.", "false_positives": ["Route Table could be modified or deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table being modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Also automated processes that use Terraform may lead to false positives."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route Table Modified or Deleted", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or\nDeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:success\n", "references": ["https://github.com/easttimor/aws-incident-response#network-routing", "https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": 
"e7cd5982-17c8-4959-874c-633acde7d426", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "e7cd5982-17c8-4959-874c-633acde7d426_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_205.json b/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_205.json
deleted file mode 100644
index 704ecd5b53c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_205.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies when an AWS Route Table has been modified or deleted.", "false_positives": ["Route Table could be modified or deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table being modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Also automated processes that use Terraform may lead to false positives."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route Table Modified or Deleted", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or\nDeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:success\n", "references": ["https://github.com/easttimor/aws-incident-response#network-routing", "https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": 
"e7cd5982-17c8-4959-874c-633acde7d426", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "e7cd5982-17c8-4959-874c-633acde7d426_205", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_206.json b/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_206.json
deleted file mode 100644
index 59722e4013c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e7cd5982-17c8-4959-874c-633acde7d426_206.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies when an AWS Route Table has been modified or deleted.", "false_positives": ["Route Table could be modified or deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table being modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. Also automated processes that use Terraform may lead to false positives."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Route Table Modified or Deleted", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(ReplaceRoute or ReplaceRouteTableAssociation or\nDeleteRouteTable or DeleteRoute or DisassociateRouteTable) and event.outcome:success\n", "references": ["https://github.com/easttimor/aws-incident-response#network-routing", "https://docs.datadoghq.com/security_platform/default_rules/aws-ec2-route-table-modified/", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRoute.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ReplaceRouteTableAssociation", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRouteTable.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteRoute.html", "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DisassociateRouteTable.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": 
"e7cd5982-17c8-4959-874c-633acde7d426", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "e7cd5982-17c8-4959-874c-633acde7d426_206", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95.json b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95.json
deleted file mode 100644
index fe6338a6132..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This can potentially indicate an attempt to elevate privileges or maintain persistence.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-system.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Service Control Spawned via Script Interpreter", "note": "## Triage and analysis\n\n### Investigating Service Control Spawned via Script Interpreter\n\nWindows services are background processes that run with SYSTEM privileges and provide specific functionality or support to other applications and system components.\n\nThe `sc.exe` command line utility is used to manage and control Windows services on a local or remote computer. Attackers may use `sc.exe` to create, modify, and start services to elevate their privileges from administrator to SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the command line, registry changes events, and Windows events related to service activities (for example, 4697 and/or 7045) for suspicious characteristics.\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the 
environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is not inherently malicious if it occurs in isolation. As long as the analyst did not identify suspicious activity related to the user, host, and service, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "/* This rule is not compatible with Sysmon due to user.id issues */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and\n process.parent.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"wmic.exe\", \"mshta.exe\",\"powershell.exe\", \"pwsh.exe\") and\n process.args:(\"config\", \"create\", \"start\", \"delete\", \"stop\", \"pause\") and\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": 
[{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}, {"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}, {"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_103.json b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_103.json
deleted file mode 100644
index e174233f004..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.", "from": "now-9m", "index": ["logs-endpoint.events.*", "logs-system.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Service Control Spawned via Script Interpreter", "note": "", "query": "/* This rule is not compatible with Sysmon due to user.id issues */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and\n process.parent.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"wmic.exe\", \"mshta.exe\",\"powershell.exe\", \"pwsh.exe\") and\n process.args:(\"config\", \"create\", \"start\", \"delete\", \"stop\", \"pause\") and\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so 
you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_104.json b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_104.json
deleted file mode 100644
index 9d584cf87b5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This can potentially indicate an attempt to elevate privileges or maintain persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*", "logs-system.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Service Control Spawned via Script Interpreter", "note": "## Triage and analysis\n\n### Investigating Service Control Spawned via Script Interpreter\n\nWindows services are background processes that run with SYSTEM privileges and provide specific functionality or support to other applications and system components.\n\nThe `sc.exe` command line utility is used to manage and control Windows services on a local or remote computer. Attackers may use `sc.exe` to create, modify, and start services to elevate their privileges from administrator to SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the command line, registry changes events, and Windows events related to service activities (for example, 4697 and/or 7045) for suspicious characteristics.\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the 
environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is not inherently malicious if it occurs in isolation. As long as the analyst did not identify suspicious activity related to the user, host, and service, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "/* This rule is not compatible with Sysmon due to user.id issues */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and\n process.parent.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"wmic.exe\", \"mshta.exe\",\"powershell.exe\", \"pwsh.exe\") and\n process.args:(\"config\", \"create\", \"start\", \"delete\", \"stop\", \"pause\") and\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": 
[{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Elastic Endgame", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_105.json b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_105.json
deleted file mode 100644
index 799942dcf6a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This can potentially indicate an attempt to elevate privileges or maintain persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*", "logs-system.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Service Control Spawned via Script Interpreter", "note": "## Triage and analysis\n\n### Investigating Service Control Spawned via Script Interpreter\n\nWindows services are background processes that run with SYSTEM privileges and provide specific functionality or support to other applications and system components.\n\nThe `sc.exe` command line utility is used to manage and control Windows services on a local or remote computer. Attackers may use `sc.exe` to create, modify, and start services to elevate their privileges from administrator to SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the command line, registry changes events, and Windows events related to service activities (for example, 4697 and/or 7045) for suspicious characteristics.\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the 
environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is not inherently malicious if it occurs in isolation. As long as the analyst did not identify suspicious activity related to the user, host, and service, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "/* This rule is not compatible with Sysmon due to user.id issues */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and\n process.parent.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"wmic.exe\", \"mshta.exe\",\"powershell.exe\", \"pwsh.exe\") and\n process.args:(\"config\", \"create\", \"start\", \"delete\", \"stop\", \"pause\") and\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": 
[{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_106.json b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_106.json
deleted file mode 100644
index 8c0544b09cd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This can potentially indicate an attempt to elevate privileges or maintain persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*", "logs-system.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Service Control Spawned via Script Interpreter", "note": "## Triage and analysis\n\n### Investigating Service Control Spawned via Script Interpreter\n\nWindows services are background processes that run with SYSTEM privileges and provide specific functionality or support to other applications and system components.\n\nThe `sc.exe` command line utility is used to manage and control Windows services on a local or remote computer. Attackers may use `sc.exe` to create, modify, and start services to elevate their privileges from administrator to SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the command line, registry changes events, and Windows events related to service activities (for example, 4697 and/or 7045) for suspicious characteristics.\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the 
environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is not inherently malicious if it occurs in isolation. As long as the analyst did not identify suspicious activity related to the user, host, and service, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "/* This rule is not compatible with Sysmon due to user.id issues */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and\n process.parent.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"wmic.exe\", \"mshta.exe\",\"powershell.exe\", \"pwsh.exe\") and\n process.args:(\"config\", \"create\", \"start\", \"delete\", \"stop\", \"pause\") and\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": 
[{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_107.json b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_107.json
deleted file mode 100644
index e1af40b7ae0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This can potentially indicate an attempt to elevate privileges or maintain persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*", "logs-system.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Service Control Spawned via Script Interpreter", "note": "## Triage and analysis\n\n### Investigating Service Control Spawned via Script Interpreter\n\nWindows services are background processes that run with SYSTEM privileges and provide specific functionality or support to other applications and system components.\n\nThe `sc.exe` command line utility is used to manage and control Windows services on a local or remote computer. Attackers may use `sc.exe` to create, modify, and start services to elevate their privileges from administrator to SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the command line, registry changes events, and Windows events related to service activities (for example, 4697 and/or 7045) for suspicious characteristics.\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the 
environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is not inherently malicious if it occurs in isolation. As long as the analyst did not identify suspicious activity related to the user, host, and service, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "/* This rule is not compatible with Sysmon due to user.id issues */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and\n process.parent.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"wmic.exe\", \"mshta.exe\",\"powershell.exe\", \"pwsh.exe\") and\n process.args:(\"config\", \"create\", \"start\", \"delete\", \"stop\", \"pause\") and\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": 
[{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}, {"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": 
"Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}, {"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_108.json b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_108.json deleted file mode 100644 index 179ccd16cf9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_108.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This can potentially indicate an attempt to elevate privileges or maintain persistence.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-system.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Service Control Spawned via Script Interpreter", "note": "## Triage and analysis\n\n### Investigating Service Control Spawned via Script Interpreter\n\nWindows services are background processes that run with SYSTEM privileges and provide specific functionality or support to other applications and system components.\n\nThe `sc.exe` command line utility is used to manage and control Windows services on a local or remote computer. Attackers may use `sc.exe` to create, modify, and start services to elevate their privileges from administrator to SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the command line, registry changes events, and Windows events related to service activities (for example, 4697 and/or 7045) for suspicious characteristics.\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the 
environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is not inherently malicious if it occurs in isolation. As long as the analyst did not identify suspicious activity related to the user, host, and service, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "/* This rule is not compatible with Sysmon due to user.id issues */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and\n process.parent.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"wmic.exe\", \"mshta.exe\",\"powershell.exe\", \"pwsh.exe\") and\n process.args:(\"config\", \"create\", \"start\", \"delete\", \"stop\", \"pause\") and\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": 
[{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}, {"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": 
"Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}, {"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_109.json b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_109.json deleted file mode 100644 index 88efa347cf1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_109.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This can potentially indicate an attempt to elevate privileges or maintain persistence.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-system.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Service Control Spawned via Script Interpreter", "note": "## Triage and analysis\n\n### Investigating Service Control Spawned via Script Interpreter\n\nWindows services are background processes that run with SYSTEM privileges and provide specific functionality or support to other applications and system components.\n\nThe `sc.exe` command line utility is used to manage and control Windows services on a local or remote computer. Attackers may use `sc.exe` to create, modify, and start services to elevate their privileges from administrator to SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the command line, registry changes events, and Windows events related to service activities (for example, 4697 and/or 7045) for suspicious characteristics.\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the 
environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is not inherently malicious if it occurs in isolation. As long as the analyst did not identify suspicious activity related to the user, host, and service, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "/* This rule is not compatible with Sysmon due to user.id issues */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and\n process.parent.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"wmic.exe\", \"mshta.exe\",\"powershell.exe\", \"pwsh.exe\") and\n process.args:(\"config\", \"create\", \"start\", \"delete\", \"stop\", \"pause\") and\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": 
[{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}, {"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": 
"Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}, {"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_110.json b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_110.json deleted file mode 100644 index 51368f771be..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This can potentially indicate an attempt to elevate privileges or maintain persistence.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-system.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Service Control Spawned via Script Interpreter", "note": "## Triage and analysis\n\n### Investigating Service Control Spawned via Script Interpreter\n\nWindows services are background processes that run with SYSTEM privileges and provide specific functionality or support to other applications and system components.\n\nThe `sc.exe` command line utility is used to manage and control Windows services on a local or remote computer. Attackers may use `sc.exe` to create, modify, and start services to elevate their privileges from administrator to SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the command line, registry changes events, and Windows events related to service activities (for example, 4697 and/or 7045) for suspicious characteristics.\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the 
environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is not inherently malicious if it occurs in isolation. As long as the analyst did not identify suspicious activity related to the user, host, and service, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "/* This rule is not compatible with Sysmon due to user.id issues */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and\n process.parent.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"wmic.exe\", \"mshta.exe\",\"powershell.exe\", \"pwsh.exe\") and\n process.args:(\"config\", \"create\", \"start\", \"delete\", \"stop\", \"pause\") and\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": 
[{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}, {"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}, {"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_111.json b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_111.json
deleted file mode 100644
index c6bf1c963cf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This can potentially indicate an attempt to elevate privileges or maintain persistence.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-system.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Service Control Spawned via Script Interpreter", "note": "## Triage and analysis\n\n### Investigating Service Control Spawned via Script Interpreter\n\nWindows services are background processes that run with SYSTEM privileges and provide specific functionality or support to other applications and system components.\n\nThe `sc.exe` command line utility is used to manage and control Windows services on a local or remote computer. Attackers may use `sc.exe` to create, modify, and start services to elevate their privileges from administrator to SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the command line, registry changes events, and Windows events related to service activities (for example, 4697 and/or 7045) for suspicious characteristics.\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the 
environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is not inherently malicious if it occurs in isolation. As long as the analyst did not identify suspicious activity related to the user, host, and service, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "/* This rule is not compatible with Sysmon due to user.id issues */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or process.pe.original_file_name == \"sc.exe\") and\n process.parent.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"wmic.exe\", \"mshta.exe\",\"powershell.exe\", \"pwsh.exe\") and\n process.args:(\"config\", \"create\", \"start\", \"delete\", \"stop\", \"pause\") and\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", "references": ["https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": 
"system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}, {"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": 
"https://attack.mitre.org/techniques/T1059/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}, {"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_212.json b/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_212.json
deleted file mode 100644
index dc31b72331c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e8571d5f-bea1-46c2-9f56-998de2d3ed95_212.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies Service Control (sc.exe) spawning from script interpreter processes to create, modify, or start services. This can potentially indicate an attempt to elevate privileges or maintain persistence.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-system.security*", "winlogbeat-*", "logs-windows.forwarded*", "endgame-*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Service Control Spawned via Script Interpreter", "note": "## Triage and analysis\n\n### Investigating Service Control Spawned via Script Interpreter\n\nWindows services are background processes that run with SYSTEM privileges and provide specific functionality or support to other applications and system components.\n\nThe `sc.exe` command line utility is used to manage and control Windows services on a local or remote computer. Attackers may use `sc.exe` to create, modify, and start services to elevate their privileges from administrator to SYSTEM.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Examine the command line, registry changes events, and Windows events related to service activities (for example, 4697 and/or 7045) for suspicious characteristics.\n - Examine the created and existent services, the executables or drivers referenced, and command line arguments for suspicious entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the referenced files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Assess whether this behavior is prevalent in the 
environment by looking for similar occurrences across hosts.\n\n### False positive analysis\n\n- This activity is not inherently malicious if it occurs in isolation. As long as the analyst did not identify suspicious activity related to the user, host, and service, such alerts can be dismissed.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service or restore it to the original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "/* This rule is not compatible with Sysmon due to user.id issues */\n\nprocess where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"sc.exe\" or ?process.pe.original_file_name == \"sc.exe\") and\n process.parent.name : (\"cmd.exe\", \"wscript.exe\", \"rundll32.exe\", \"regsvr32.exe\",\n \"wmic.exe\", \"mshta.exe\",\"powershell.exe\", \"pwsh.exe\") and\n process.args:(\"config\", \"create\", \"start\", \"delete\", \"stop\", \"pause\") and\n /* exclude SYSTEM SID - look for service creations by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", "references": ["https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": 
"system", "version": "^1.6.4"}, {"package": "windows", "version": "^2.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}, {"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": 
"https://attack.mitre.org/techniques/T1059/003/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}, {"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 212}, "id": "e8571d5f-bea1-46c2-9f56-998de2d3ed95_212", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787.json b/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787.json
deleted file mode 100644
index bd16e024b02..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Installation of Security Support Provider", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\"\n ) and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "e86da94d-e54b-4fb5-b96c-cecff87e8787", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.005", "name": "Security Support Provider", "reference": "https://attack.mitre.org/techniques/T1547/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "e86da94d-e54b-4fb5-b96c-cecff87e8787", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_102.json b/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_102.json
deleted file mode 100644
index 291742f3d8d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Installation of Security Support Provider", "note": "", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\"\n ) and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "e86da94d-e54b-4fb5-b96c-cecff87e8787", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.005", "name": "Security Support Provider", "reference": "https://attack.mitre.org/techniques/T1547/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "e86da94d-e54b-4fb5-b96c-cecff87e8787_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_103.json b/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_103.json
deleted file mode 100644
index 6b7eacd1bcd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Installation of Security Support Provider", "note": "", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\"\n ) and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "e86da94d-e54b-4fb5-b96c-cecff87e8787", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.005", "name": "Security Support Provider", "reference": "https://attack.mitre.org/techniques/T1547/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "e86da94d-e54b-4fb5-b96c-cecff87e8787_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_104.json b/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_104.json deleted file mode 100644 index 5c4b6365b9f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Installation of Security Support Provider", "note": "", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\"\n ) and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "e86da94d-e54b-4fb5-b96c-cecff87e8787", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", 
"name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.005", "name": "Security Support Provider", "reference": "https://attack.mitre.org/techniques/T1547/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "e86da94d-e54b-4fb5-b96c-cecff87e8787_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_105.json b/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_105.json deleted file mode 100644 index 9c517312f3a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Installation of Security Support Provider", "note": "", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\"\n ) and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "e86da94d-e54b-4fb5-b96c-cecff87e8787", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.005", "name": "Security Support Provider", "reference": "https://attack.mitre.org/techniques/T1547/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "e86da94d-e54b-4fb5-b96c-cecff87e8787_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_106.json b/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_106.json deleted file mode 100644 index bdc5ed22a5a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Installation of Security Support Provider", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\"\n ) and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "e86da94d-e54b-4fb5-b96c-cecff87e8787", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat 
Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.005", "name": "Security Support Provider", "reference": "https://attack.mitre.org/techniques/T1547/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "e86da94d-e54b-4fb5-b96c-cecff87e8787_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_107.json b/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_107.json deleted file mode 100644 index 614845806ab..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Installation of Security Support Provider", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\"\n ) and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "e86da94d-e54b-4fb5-b96c-cecff87e8787", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: 
Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.005", "name": "Security Support Provider", "reference": "https://attack.mitre.org/techniques/T1547/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "e86da94d-e54b-4fb5-b96c-cecff87e8787_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_108.json b/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_108.json deleted file mode 100644 index 57793b96cce..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Installation of Security Support Provider", "query": "registry where host.os.type == \"windows\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\"\n ) and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "e86da94d-e54b-4fb5-b96c-cecff87e8787", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: 
Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.005", "name": "Security Support Provider", "reference": "https://attack.mitre.org/techniques/T1547/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "e86da94d-e54b-4fb5-b96c-cecff87e8787_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_109.json b/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_109.json deleted file mode 100644 index 23cc112e1a0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e86da94d-e54b-4fb5-b96c-cecff87e8787_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies registry modifications related to the Windows Security Support Provider (SSP) configuration. Adversaries may abuse this to establish persistence in an environment.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Installation of Security Support Provider", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Security Packages*\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\OSConfig\\\\Security Packages*\"\n ) and\n not process.executable : (\"C:\\\\Windows\\\\System32\\\\msiexec.exe\", \"C:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "e86da94d-e54b-4fb5-b96c-cecff87e8787", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.005", "name": "Security Support Provider", "reference": "https://attack.mitre.org/techniques/T1547/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "e86da94d-e54b-4fb5-b96c-cecff87e8787_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b.json b/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b.json deleted file mode 100644 index e2bf278d09f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects files creation and modification on the host system from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Host Files System Changes via Windows Subsystem for Linux", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"dllhost.exe\" and \n /* Plan9FileSystem CLSID - WSL Host File System Worker */\n process.command_line : \"*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*\"]\n [file where host.os.type == \"windows\" and process.name : \"dllhost.exe\" and not file.path : \"?:\\\\Users\\\\*\\\\Downloads\\\\*\"]\n", "references": ["https://github.com/microsoft/WSL"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e88d1fe9-b2f4-48d4-bace-a026dc745d4b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", 
"reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "e88d1fe9-b2f4-48d4-bace-a026dc745d4b", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_2.json b/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_2.json deleted file mode 100644 index 3c9be4437ad..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects files creation and modification on the host system from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Host Files System Changes via Windows Subsystem for Linux", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"dllhost.exe\" and \n /* Plan9FileSystem CLSID - WSL Host File System Worker */\n process.command_line : \"*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*\"]\n [file where host.os.type == \"windows\" and process.name : \"dllhost.exe\" and not file.path : \"?:\\\\Users\\\\*\\\\Downloads\\\\*\"]\n", "references": ["https://github.com/microsoft/WSL"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e88d1fe9-b2f4-48d4-bace-a026dc745d4b", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": 
"e88d1fe9-b2f4-48d4-bace-a026dc745d4b_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_3.json b/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_3.json deleted file mode 100644 index f0f4de05a57..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects files creation and modification on the host system from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Host Files System Changes via Windows Subsystem for Linux", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"dllhost.exe\" and \n /* Plan9FileSystem CLSID - WSL Host File System Worker */\n process.command_line : \"*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*\"]\n [file where host.os.type == \"windows\" and process.name : \"dllhost.exe\" and not file.path : \"?:\\\\Users\\\\*\\\\Downloads\\\\*\"]\n", "references": ["https://github.com/microsoft/WSL"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e88d1fe9-b2f4-48d4-bace-a026dc745d4b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", 
"type": "eql", "version": 3}, "id": "e88d1fe9-b2f4-48d4-bace-a026dc745d4b_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_4.json b/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_4.json deleted file mode 100644 index 3b07f402537..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects files creation and modification on the host system from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Host Files System Changes via Windows Subsystem for Linux", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"dllhost.exe\" and \n /* Plan9FileSystem CLSID - WSL Host File System Worker */\n process.command_line : \"*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*\"]\n [file where host.os.type == \"windows\" and process.name : \"dllhost.exe\" and not file.path : \"?:\\\\Users\\\\*\\\\Downloads\\\\*\"]\n", "references": ["https://github.com/microsoft/WSL"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e88d1fe9-b2f4-48d4-bace-a026dc745d4b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "e88d1fe9-b2f4-48d4-bace-a026dc745d4b_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_5.json b/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_5.json
deleted file mode 100644
index d40045e22b2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects files creation and modification on the host system from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Host Files System Changes via Windows Subsystem for Linux", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"dllhost.exe\" and \n /* Plan9FileSystem CLSID - WSL Host File System Worker */\n process.command_line : \"*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*\"]\n [file where host.os.type == \"windows\" and process.name : \"dllhost.exe\" and not file.path : \"?:\\\\Users\\\\*\\\\Downloads\\\\*\"]\n", "references": ["https://github.com/microsoft/WSL"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e88d1fe9-b2f4-48d4-bace-a026dc745d4b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 5}, "id": "e88d1fe9-b2f4-48d4-bace-a026dc745d4b_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_6.json b/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_6.json
deleted file mode 100644
index 9395cfb8275..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects files creation and modification on the host system from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Host Files System Changes via Windows Subsystem for Linux", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"dllhost.exe\" and \n /* Plan9FileSystem CLSID - WSL Host File System Worker */\n process.command_line : \"*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*\"]\n [file where host.os.type == \"windows\" and process.name : \"dllhost.exe\" and not file.path : \"?:\\\\Users\\\\*\\\\Downloads\\\\*\"]\n", "references": ["https://github.com/microsoft/WSL"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e88d1fe9-b2f4-48d4-bace-a026dc745d4b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", "reference": 
"https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "e88d1fe9-b2f4-48d4-bace-a026dc745d4b_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_7.json b/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_7.json
deleted file mode 100644
index 0cd2a4f312f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e88d1fe9-b2f4-48d4-bace-a026dc745d4b_7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects files creation and modification on the host system from the the Windows Subsystem for Linux. Adversaries may enable and use WSL for Linux to avoid detection.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Host Files System Changes via Windows Subsystem for Linux", "query": "sequence by process.entity_id with maxspan=5m\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"dllhost.exe\" and \n /* Plan9FileSystem CLSID - WSL Host File System Worker */\n process.command_line : \"*{DFB65C4C-B34F-435D-AFE9-A86218684AA8}*\"]\n [file where host.os.type == \"windows\" and process.name : \"dllhost.exe\" and not file.path : \"?:\\\\Users\\\\*\\\\Downloads\\\\*\"]\n", "references": ["https://github.com/microsoft/WSL"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "e88d1fe9-b2f4-48d4-bace-a026dc745d4b", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1202", "name": "Indirect Command Execution", 
"reference": "https://attack.mitre.org/techniques/T1202/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "e88d1fe9-b2f4-48d4-bace-a026dc745d4b_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e8c9ff14-fd1e-11ee-a0df-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/e8c9ff14-fd1e-11ee-a0df-f661ea17fbce.json
deleted file mode 100644
index 302aa1363fd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e8c9ff14-fd1e-11ee-a0df-f661ea17fbce.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an AWS S3 bucket policy change to share permissions with an external account. Adversaries may attempt to backdoor an S3 bucket by sharing it with an external account. This can be used to exfiltrate data or to provide access to other adversaries. This rule identifies changes to a bucket policy via the `PutBucketPolicy` API call where the policy includes an `Effect=Allow` statement that does not contain the AWS account ID of the bucket owner.", "false_positives": ["Legitimate changes to share an S3 bucket with an external account may be identified as false positive but are not best practice."], "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "eql", "license": "Elastic License v2", "name": "AWS S3 Bucket Policy Added to Share with External Account", "note": "## Triage and Analysis\n\n### Investigating AWS S3 Bucket Policy Change to Share with External Account\n\nThis rule detects when an AWS S3 bucket policy is changed to share permissions with an external account. Adversaries may attempt to backdoor an S3 bucket by sharing it with an external account to exfiltrate data or provide access to other adversaries. This rule identifies changes to a bucket policy via the `PutBucketPolicy` API call where the policy includes an `Effect=Allow` statement that does not contain the AWS account ID of the bucket owner.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific changes made to the bucket policy. 
Look for any unusual parameters that could suggest unauthorized or malicious modifications.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the change occurred. Modifications during non-business hours or outside regular maintenance windows might require further scrutiny.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the bucket policy change aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the change was successful and intended according to policy.\n\n### Response and Remediation:\n\n- **Immediate Review and Reversal if Necessary**: If the change was unauthorized, update the bucket policy to remove any unauthorized permissions and restore it to its previous state.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning bucket policy management and sharing permissions.\n- **Audit Bucket Policies and Permissions**: Conduct a comprehensive audit of all bucket policies and associated permissions to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing S3 bucket policies and securing AWS environments, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html) and AWS best practices for security.\n", "query": "any where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"s3.amazonaws.com\"\n and event.action == \"PutBucketPolicy\" and event.outcome == \"success\"\n and stringContains(aws.cloudtrail.request_parameters, \"Effect=Allow\")\n and not stringContains(aws.cloudtrail.request_parameters, aws.cloudtrail.recipient_account_id)\n", "references": ["https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.s3-backdoor-bucket-policy/", 
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.recipient_account_id", "type": "keyword"}, {"ecs": false, "name": "aws.cloudtrail.request_parameters", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce", "setup": "## Setup\n\nS3 data event types must be collected in the AWS CloudTrail logs. Please refer to [AWS documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html) for more information.\n", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS S3", "Use Case: Threat Detection", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e8c9ff14-fd1e-11ee-a0df-f661ea17fbce_1.json b/packages/security_detection_engine/kibana/security_rule/e8c9ff14-fd1e-11ee-a0df-f661ea17fbce_1.json
deleted file mode 100644
index e09cfd12b96..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e8c9ff14-fd1e-11ee-a0df-f661ea17fbce_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an AWS S3 bucket policy change to share permissions with an external account. Adversaries may attempt to backdoor an S3 bucket by sharing it with an external account. This can be used to exfiltrate data or to provide access to other adversaries. This rule identifies changes to a bucket policy via the `PutBucketPolicy` API call where the policy includes an `Effect=Allow` statement that does not contain the AWS account ID of the bucket owner.", "false_positives": ["Legitimate changes to share an S3 bucket with an external account may be identified as false positive but are not best practice."], "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "eql", "license": "Elastic License v2", "name": "AWS S3 Bucket Policy Added to Share with External Account", "note": "\n## Triage and Analysis\n\n### Investigating AWS S3 Bucket Policy Change to Share with External Account\n\nThis rule detects when an AWS S3 bucket policy is changed to share permissions with an external account. Adversaries may attempt to backdoor an S3 bucket by sharing it with an external account to exfiltrate data or provide access to other adversaries. This rule identifies changes to a bucket policy via the `PutBucketPolicy` API call where the policy includes an `Effect=Allow` statement that does not contain the AWS account ID of the bucket owner.\n\n#### Possible Investigation Steps:\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Request Details**: Examine the `aws.cloudtrail.request_parameters` to understand the specific changes made to the bucket policy. 
Look for any unusual parameters that could suggest unauthorized or malicious modifications.\n- **Analyze the Source of the Request**: Investigate the `source.ip` and `source.geo` fields to determine the geographical origin of the request. An external or unexpected location might indicate compromised credentials or unauthorized access.\n- **Contextualize with Timestamp**: Use the `@timestamp` field to check when the change occurred. Modifications during non-business hours or outside regular maintenance windows might require further scrutiny.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.\n\n### False Positive Analysis:\n\n- **Legitimate Administrative Actions**: Confirm if the bucket policy change aligns with scheduled updates, development activities, or legitimate administrative tasks documented in change management systems.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\n- **Verify through Outcomes**: Check the `aws.cloudtrail.response_elements` and the `event.outcome` to confirm if the change was successful and intended according to policy.\n\n### Response and Remediation:\n\n- **Immediate Review and Reversal if Necessary**: If the change was unauthorized, update the bucket policy to remove any unauthorized permissions and restore it to its previous state.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.\n- **Educate and Train**: Provide additional training to users with administrative rights on the importance of security best practices concerning bucket policy management and sharing permissions.\n- **Audit Bucket Policies and Permissions**: Conduct a comprehensive audit of all bucket policies and associated permissions to ensure they adhere to the principle of least privilege.\n- **Incident Response**: If there's an indication of malicious intent or a security breach, initiate the incident response protocol to mitigate any damage and prevent future occurrences.\n\n### Additional Information:\n\nFor further guidance on managing S3 bucket policies and securing AWS environments, refer to the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html) and AWS best practices for security.\n", "query": "any where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"s3.amazonaws.com\"\n and event.action == \"PutBucketPolicy\" and event.outcome == \"success\"\n and stringContains(aws.cloudtrail.request_parameters, \"Effect=Allow\")\n and not stringContains(aws.cloudtrail.request_parameters, aws.cloudtrail.recipient_account_id)\n", "references": ["https://stratus-red-team.cloud/attack-techniques/AWS/aws.exfiltration.s3-backdoor-bucket-policy/", 
"https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketPolicy.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.recipient_account_id", "type": "keyword"}, {"ecs": false, "name": "aws.cloudtrail.request_parameters", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce", "setup": "\n## Setup\n\nS3 data event types must be collected in the AWS CloudTrail logs. Please refer to [AWS documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html) for more information.\n", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS S3", "Use Case: Threat Detection", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c.json b/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c.json
deleted file mode 100644
index 0a801cb7426..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of several commonly used system commands executed by a previously unknown executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious System Commands Executed by Previously Unknown Executable", "new_terms_fields": ["process.parent.executable"], "query": "host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and\nprocess.executable:(\n (/etc/crontab or /bin/* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or\n /etc/update-motd.d/* or /home/*/.* or /tmp/* or /usr/bin/* or /usr/lib/update-notifier/* or\n /usr/share/* or /var/tmp/*) and not /tmp/go-build*\n) and\nprocess.args:(hostname or id or ifconfig or ls or netstat or ps or pwd or route or top or uptime or whoami) and\nnot process.name:(\n apt or dnf or docker or dockerd or dpkg or hostname or id or ls or netstat or ps or pwd or rpm or snap or snapd\n or sudo or top or uptime or which or whoami or yum\n) and\nnot process.parent.executable:(\n /opt/cassandra/bin/cassandra or /opt/nessus/sbin/nessusd or /opt/nessus_agent/sbin/nessus-agent-module or\n /opt/puppetlabs/puppet/bin/puppet or /opt/puppetlabs/puppet/bin/ruby or /usr/libexec/platform-python or\n /usr/local/cloudamize/bin/CCAgent or /usr/sbin/sshd or /bin/* or /etc/network/* or /opt/Elastic/* or\n /run/k3s/* or /tmp/newroot/* or /usr/bin/*\n)\n", "related_integrations": 
[{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "e9001ee6-2d00-4d2f-849e-b8b1fb05234c", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 106}, "id": "e9001ee6-2d00-4d2f-849e-b8b1fb05234c", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_1.json b/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_1.json
deleted file mode 100644
index c17befeba3a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of several commonly used system commands executed by a previously unknown executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious System Commands Executed by Previously Unknown Executable", "new_terms_fields": ["process.executable"], "query": "host.os.type : \"linux\" and event.category : \"process\" and \nevent.action : (\"exec\" or \"exec_event\" or \"fork\" or \"fork_event\") and \nprocess.executable : (\n /bin/* or /usr/bin/* or /usr/share/* or /tmp/* or /var/tmp/* or /dev/shm/* or\n /etc/init.d/* or /etc/rc*.d/* or /etc/crontab or /etc/cron.*/* or /etc/update-motd.d/* or \n /usr/lib/update-notifier/* or /home/*/.* or /boot/* or /srv/* or /run/*\n ) and process.args : (\n \"whoami\" or \"id\" or \"hostname\" or \"uptime\" or \"top\" or \"ifconfig\" or \"netstat\" or \"route\" or \n \"ps\" or \"pwd\" or \"ls\"\n ) and not process.name : (\n \"sudo\" or \"which\" or \"whoami\" or \"id\" or \"hostname\" or \"uptime\" or \"top\" or \"netstat\" or \"ps\" or \n \"pwd\" or \"ls\" or \"apt\" or \"dpkg\" or \"yum\" or \"rpm\" or \"dnf\" or \"dockerd\" or \"snapd\" or \"snap\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": 
true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "e9001ee6-2d00-4d2f-849e-b8b1fb05234c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "e9001ee6-2d00-4d2f-849e-b8b1fb05234c_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_103.json b/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_103.json
deleted file mode 100644
index a7a518efc2a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of several commonly used system commands executed by a previously unknown executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious System Commands Executed by Previously Unknown Executable", "new_terms_fields": ["host.id", "user.id", "process.executable"], "query": "host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and \nprocess.executable:(\n /bin/* or /usr/bin/* or /usr/share/* or /tmp/* or /var/tmp/* or /dev/shm/* or\n /etc/init.d/* or /etc/rc*.d/* or /etc/crontab or /etc/cron.*/* or /etc/update-motd.d/* or \n /usr/lib/update-notifier/* or /home/*/.* or /boot/* or /srv/* or /run/*) \n and process.args:(whoami or id or hostname or uptime or top or ifconfig or netstat or route or ps or pwd or ls) and \n not process.name:(sudo or which or whoami or id or hostname or uptime or top or netstat or ps or pwd or ls or apt or \n dpkg or yum or rpm or dnf or dockerd or docker or snapd or snap) and\n not process.parent.executable:(/bin/* or /usr/bin/* or /run/k3s/* or /etc/network/* or /opt/Elastic/*)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", 
"type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "e9001ee6-2d00-4d2f-849e-b8b1fb05234c", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 103}, "id": "e9001ee6-2d00-4d2f-849e-b8b1fb05234c_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_104.json b/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_104.json deleted file mode 100644 index 2462c0c2fba..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of several commonly used system commands executed by a previously unknown executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious System Commands Executed by Previously Unknown Executable", "new_terms_fields": ["host.id", "user.id", "process.executable"], "query": "host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and \nprocess.executable:(\n /bin/* or /usr/bin/* or /usr/share/* or /tmp/* or /var/tmp/* or /dev/shm/* or\n /etc/init.d/* or /etc/rc*.d/* or /etc/crontab or /etc/cron.*/* or /etc/update-motd.d/* or \n /usr/lib/update-notifier/* or /home/*/.* or /boot/* or /srv/* or /run/*) \n and process.args:(whoami or id or hostname or uptime or top or ifconfig or netstat or route or ps or pwd or ls) and \n not process.name:(sudo or which or whoami or id or hostname or uptime or top or netstat or ps or pwd or ls or apt or \n dpkg or yum or rpm or dnf or dockerd or docker or snapd or snap) and\n not process.parent.executable:(/bin/* or /usr/bin/* or /run/k3s/* or /etc/network/* or /opt/Elastic/*)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", 
"type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "e9001ee6-2d00-4d2f-849e-b8b1fb05234c", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 104}, "id": "e9001ee6-2d00-4d2f-849e-b8b1fb05234c_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_105.json b/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_105.json deleted file mode 100644 index 856d349fddf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of several commonly used system commands executed by a previously unknown executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious System Commands Executed by Previously Unknown Executable", "new_terms_fields": ["host.id", "user.id", "process.executable"], "query": "host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and \nprocess.executable:(\n /bin/* or /usr/bin/* or /usr/share/* or /tmp/* or /var/tmp/* or /dev/shm/* or\n /etc/init.d/* or /etc/rc*.d/* or /etc/crontab or /etc/cron.*/* or /etc/update-motd.d/* or \n /usr/lib/update-notifier/* or /home/*/.* or /boot/* or /srv/* or /run/*) \n and process.args:(whoami or id or hostname or uptime or top or ifconfig or netstat or route or ps or pwd or ls) and \n not process.name:(sudo or which or whoami or id or hostname or uptime or top or netstat or ps or pwd or ls or apt or \n dpkg or yum or rpm or dnf or dockerd or docker or snapd or snap) and\n not process.parent.executable:(/bin/* or /usr/bin/* or /run/k3s/* or /etc/network/* or /opt/Elastic/*)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", 
"type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "e9001ee6-2d00-4d2f-849e-b8b1fb05234c", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 105}, "id": "e9001ee6-2d00-4d2f-849e-b8b1fb05234c_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_106.json b/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_106.json deleted file mode 100644 index b7e74701c1a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of several commonly used system commands executed by a previously unknown executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious System Commands Executed by Previously Unknown Executable", "new_terms_fields": ["process.parent.executable"], "query": "host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and\nprocess.executable:(\n (/etc/crontab or /bin/* or /boot/* or /dev/shm/* or /etc/cron.*/* or /etc/init.d/* or /etc/rc*.d/* or\n /etc/update-motd.d/* or /home/*/.* or /tmp/* or /usr/bin/* or /usr/lib/update-notifier/* or\n /usr/share/* or /var/tmp/*) and not /tmp/go-build*\n) and\nprocess.args:(hostname or id or ifconfig or ls or netstat or ps or pwd or route or top or uptime or whoami) and\nnot process.name:(\n apt or dnf or docker or dockerd or dpkg or hostname or id or ls or netstat or ps or pwd or rpm or snap or snapd\n or sudo or top or uptime or which or whoami or yum\n) and\nnot process.parent.executable:(\n /opt/cassandra/bin/cassandra or /opt/nessus/sbin/nessusd or /opt/nessus_agent/sbin/nessus-agent-module or\n /opt/puppetlabs/puppet/bin/puppet or /opt/puppetlabs/puppet/bin/ruby or /usr/libexec/platform-python or\n /usr/local/cloudamize/bin/CCAgent or /usr/sbin/sshd or /bin/* or /etc/network/* or /opt/Elastic/* or\n /run/k3s/* or /tmp/newroot/* or /usr/bin/*\n)\n", "related_integrations": 
[{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "e9001ee6-2d00-4d2f-849e-b8b1fb05234c", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 106}, "id": "e9001ee6-2d00-4d2f-849e-b8b1fb05234c_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_2.json b/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_2.json deleted file mode 100644 index 1242018bf0b..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/e9001ee6-2d00-4d2f-849e-b8b1fb05234c_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the execution of several commonly used system commands executed by a previously unknown executable located in commonly abused directories. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of unauthorized or suspicious processes attempting to run malicious code. Detecting and investigating such behavior can help identify and mitigate potential security threats, protecting the system and its data from potential compromise.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious System Commands Executed by Previously Unknown Executable", "new_terms_fields": ["process.executable"], "query": "host.os.type:linux and event.category:process and event.action:(exec or exec_event or fork or fork_event) and \nprocess.executable:(\n /bin/* or /usr/bin/* or /usr/share/* or /tmp/* or /var/tmp/* or /dev/shm/* or\n /etc/init.d/* or /etc/rc*.d/* or /etc/crontab or /etc/cron.*/* or /etc/update-motd.d/* or \n /usr/lib/update-notifier/* or /home/*/.* or /boot/* or /srv/* or /run/*) \n and process.args:(whoami or id or hostname or uptime or top or ifconfig or netstat or route or ps or pwd or ls) and \n not process.name:(sudo or which or whoami or id or hostname or uptime or top or netstat or ps or pwd or ls or apt or \n dpkg or yum or rpm or dnf or dockerd or docker or snapd or snap) and\n not process.parent.executable:(/bin/* or /usr/bin/* or /run/k3s/* or /etc/network/* or /opt/Elastic/*)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, 
{"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 21, "rule_id": "e9001ee6-2d00-4d2f-849e-b8b1fb05234c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "e9001ee6-2d00-4d2f-849e-b8b1fb05234c_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457.json b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457.json deleted file mode 100644 index fc17c5b0715..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "@BenB196", "Austin Songer"], "description": "Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection.", "false_positives": ["The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule."], "from": "now-60m", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Okta User Password Reset or Unlock Attempts", "note": "## Triage and analysis\n\n### Investigating High Number of Okta User Password Reset or Unlock Attempts\n\nThis rule is designed to detect a suspiciously high number of password reset or account unlock attempts in Okta. Excessive password resets or account unlocks can be indicative of an attacker's attempt to gain unauthorized access to an account.\n\n#### Possible investigation steps:\n- Identify the actor associated with the excessive attempts. The `okta.actor.alternate_id` field can be used for this purpose.\n- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`.\n- Review the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the password reset or unlock attempts.\n- Review the event actions associated with these attempts. Look at the `event.action` field and filter for actions related to password reset and account unlock attempts.\n- Check for other similar patterns of behavior from the same actor or IP address. 
If there is a high number of failed login attempts before the password reset or unlock attempts, this may suggest a brute force attack.\n- Also, look at the times when these attempts were made. If these were made during off-hours, it could further suggest an adversary's activity.\n\n### False positive analysis:\n- This alert might be a false positive if there are legitimate reasons for a high number of password reset or unlock attempts. This could be due to the user forgetting their password or account lockouts due to too many incorrect attempts.\n- Check the actor's past behavior. If this is their usual behavior and they have a valid reason for it, then it might be a false positive.\n\n### Response and remediation:\n- If unauthorized attempts are confirmed, initiate the incident response process.\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\n- Block the IP address or device used in the attempts, if they appear suspicious.\n- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques.\n- Consider a security review of your Okta policies and rules to ensure they follow security best practices.", "query": "event.dataset:okta.system and\n event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or\n system.sms.send_account_unlock_message or system.sms.send_password_reset_message or\n system.voice.send_account_unlock_call or system.voice.send_password_reset_call or\n user.account.unlock_token)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], 
"risk_score": 47, "rule_id": "e90ee3af-45fc-432e-a850-4a58cf14a457", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "threshold": {"field": ["okta.actor.alternate_id"], "value": 5}, "timestamp_override": "event.ingested", "type": "threshold", "version": 208}, "id": "e90ee3af-45fc-432e-a850-4a58cf14a457", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_102.json b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_102.json deleted file mode 100644 index 8e07468f30a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_102.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "@BenB196", "Austin Songer"], "description": "Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection.", "false_positives": ["The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule."], "from": "now-60m", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Okta User Password Reset or Unlock Attempts", "note": "", "query": "event.dataset:okta.system and\n event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or\n system.sms.send_account_unlock_message or system.sms.send_password_reset_message or\n system.voice.send_account_unlock_call or system.voice.send_password_reset_call or\n user.account.unlock_token)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e90ee3af-45fc-432e-a850-4a58cf14a457", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", 
"name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "threshold": {"field": ["okta.actor.alternate_id"], "value": 5}, "type": "threshold", "version": 102}, "id": "e90ee3af-45fc-432e-a850-4a58cf14a457_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_103.json b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_103.json
deleted file mode 100644
index 3139139eab9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "@BenB196", "Austin Songer"], "description": "Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection.", "false_positives": ["The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule."], "from": "now-60m", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Okta User Password Reset or Unlock Attempts", "note": "", "query": "event.dataset:okta.system and\n event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or\n system.sms.send_account_unlock_message or system.sms.send_password_reset_message or\n system.voice.send_account_unlock_call or system.voice.send_password_reset_call or\n user.account.unlock_token)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e90ee3af-45fc-432e-a850-4a58cf14a457", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "threshold": {"field": ["okta.actor.alternate_id"], "value": 5}, "type": "threshold", "version": 103}, "id": "e90ee3af-45fc-432e-a850-4a58cf14a457_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_104.json b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_104.json
deleted file mode 100644
index 1143bb125e3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "@BenB196", "Austin Songer"], "description": "Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection.", "false_positives": ["The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule."], "from": "now-60m", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Okta User Password Reset or Unlock Attempts", "note": "## Triage and analysis\n\n### Investigating High Number of Okta User Password Reset or Unlock Attempts\n\nThis rule is designed to detect a suspiciously high number of password reset or account unlock attempts in Okta. Excessive password resets or account unlocks can be indicative of an attacker's attempt to gain unauthorized access to an account.\n\n#### Possible investigation steps:\n- Identify the actor associated with the excessive attempts. The `okta.actor.alternate_id` field can be used for this purpose.\n- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`.\n- Review the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the password reset or unlock attempts.\n- Review the event actions associated with these attempts. Look at the `event.action` field and filter for actions related to password reset and account unlock attempts.\n- Check for other similar patterns of behavior from the same actor or IP address. 
If there is a high number of failed login attempts before the password reset or unlock attempts, this may suggest a brute force attack.\n- Also, look at the times when these attempts were made. If these were made during off-hours, it could further suggest an adversary's activity.\n\n### False positive analysis:\n- This alert might be a false positive if there are legitimate reasons for a high number of password reset or unlock attempts. This could be due to the user forgetting their password or account lockouts due to too many incorrect attempts.\n- Check the actor's past behavior. If this is their usual behavior and they have a valid reason for it, then it might be a false positive.\n\n### Response and remediation:\n- If unauthorized attempts are confirmed, initiate the incident response process.\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\n- Block the IP address or device used in the attempts, if they appear suspicious.\n- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques.\n- Consider a security review of your Okta policies and rules to ensure they follow security best practices.", "query": "event.dataset:okta.system and\n event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or\n system.sms.send_account_unlock_message or system.sms.send_password_reset_message or\n system.voice.send_account_unlock_call or system.voice.send_password_reset_call or\n user.account.unlock_token)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], 
"risk_score": 47, "rule_id": "e90ee3af-45fc-432e-a850-4a58cf14a457", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "threshold": {"field": ["okta.actor.alternate_id"], "value": 5}, "type": "threshold", "version": 104}, "id": "e90ee3af-45fc-432e-a850-4a58cf14a457_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_105.json b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_105.json
deleted file mode 100644
index cf49f1f7c81..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "@BenB196", "Austin Songer"], "description": "Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection.", "false_positives": ["The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule."], "from": "now-60m", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Okta User Password Reset or Unlock Attempts", "note": "## Triage and analysis\n\n### Investigating High Number of Okta User Password Reset or Unlock Attempts\n\nThis rule is designed to detect a suspiciously high number of password reset or account unlock attempts in Okta. Excessive password resets or account unlocks can be indicative of an attacker's attempt to gain unauthorized access to an account.\n\n#### Possible investigation steps:\n- Identify the actor associated with the excessive attempts. The `okta.actor.alternate_id` field can be used for this purpose.\n- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`.\n- Review the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the password reset or unlock attempts.\n- Review the event actions associated with these attempts. Look at the `event.action` field and filter for actions related to password reset and account unlock attempts.\n- Check for other similar patterns of behavior from the same actor or IP address. 
If there is a high number of failed login attempts before the password reset or unlock attempts, this may suggest a brute force attack.\n- Also, look at the times when these attempts were made. If these were made during off-hours, it could further suggest an adversary's activity.\n\n### False positive analysis:\n- This alert might be a false positive if there are legitimate reasons for a high number of password reset or unlock attempts. This could be due to the user forgetting their password or account lockouts due to too many incorrect attempts.\n- Check the actor's past behavior. If this is their usual behavior and they have a valid reason for it, then it might be a false positive.\n\n### Response and remediation:\n- If unauthorized attempts are confirmed, initiate the incident response process.\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\n- Block the IP address or device used in the attempts, if they appear suspicious.\n- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques.\n- Consider a security review of your Okta policies and rules to ensure they follow security best practices.", "query": "event.dataset:okta.system and\n event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or\n system.sms.send_account_unlock_message or system.sms.send_password_reset_message or\n system.voice.send_account_unlock_call or system.voice.send_password_reset_call or\n user.account.unlock_token)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], 
"risk_score": 47, "rule_id": "e90ee3af-45fc-432e-a850-4a58cf14a457", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "threshold": {"field": ["okta.actor.alternate_id"], "value": 5}, "type": "threshold", "version": 105}, "id": "e90ee3af-45fc-432e-a850-4a58cf14a457_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_106.json b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_106.json
deleted file mode 100644
index 93a92ea96c2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "@BenB196", "Austin Songer"], "description": "Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection.", "false_positives": ["The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule."], "from": "now-60m", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Okta User Password Reset or Unlock Attempts", "note": "## Triage and analysis\n\n### Investigating High Number of Okta User Password Reset or Unlock Attempts\n\nThis rule is designed to detect a suspiciously high number of password reset or account unlock attempts in Okta. Excessive password resets or account unlocks can be indicative of an attacker's attempt to gain unauthorized access to an account.\n\n#### Possible investigation steps:\n- Identify the actor associated with the excessive attempts. The `okta.actor.alternate_id` field can be used for this purpose.\n- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`.\n- Review the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the password reset or unlock attempts.\n- Review the event actions associated with these attempts. Look at the `event.action` field and filter for actions related to password reset and account unlock attempts.\n- Check for other similar patterns of behavior from the same actor or IP address. 
If there is a high number of failed login attempts before the password reset or unlock attempts, this may suggest a brute force attack.\n- Also, look at the times when these attempts were made. If these were made during off-hours, it could further suggest an adversary's activity.\n\n### False positive analysis:\n- This alert might be a false positive if there are legitimate reasons for a high number of password reset or unlock attempts. This could be due to the user forgetting their password or account lockouts due to too many incorrect attempts.\n- Check the actor's past behavior. If this is their usual behavior and they have a valid reason for it, then it might be a false positive.\n\n### Response and remediation:\n- If unauthorized attempts are confirmed, initiate the incident response process.\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\n- Block the IP address or device used in the attempts, if they appear suspicious.\n- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques.\n- Consider a security review of your Okta policies and rules to ensure they follow security best practices.", "query": "event.dataset:okta.system and\n event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or\n system.sms.send_account_unlock_message or system.sms.send_password_reset_message or\n system.voice.send_account_unlock_call or system.voice.send_password_reset_call or\n user.account.unlock_token)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], 
"risk_score": 47, "rule_id": "e90ee3af-45fc-432e-a850-4a58cf14a457", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "threshold": {"field": ["okta.actor.alternate_id"], "value": 5}, "type": "threshold", "version": 106}, "id": "e90ee3af-45fc-432e-a850-4a58cf14a457_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_207.json b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_207.json
deleted file mode 100644
index 93b4b66ca76..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_207.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "@BenB196", "Austin Songer"], "description": "Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection.", "false_positives": ["The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule."], "from": "now-60m", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Okta User Password Reset or Unlock Attempts", "note": "## Triage and analysis\n\n### Investigating High Number of Okta User Password Reset or Unlock Attempts\n\nThis rule is designed to detect a suspiciously high number of password reset or account unlock attempts in Okta. Excessive password resets or account unlocks can be indicative of an attacker's attempt to gain unauthorized access to an account.\n\n#### Possible investigation steps:\n- Identify the actor associated with the excessive attempts. The `okta.actor.alternate_id` field can be used for this purpose.\n- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`.\n- Review the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the password reset or unlock attempts.\n- Review the event actions associated with these attempts. Look at the `event.action` field and filter for actions related to password reset and account unlock attempts.\n- Check for other similar patterns of behavior from the same actor or IP address. 
If there is a high number of failed login attempts before the password reset or unlock attempts, this may suggest a brute force attack.\n- Also, look at the times when these attempts were made. If these were made during off-hours, it could further suggest an adversary's activity.\n\n### False positive analysis:\n- This alert might be a false positive if there are legitimate reasons for a high number of password reset or unlock attempts. This could be due to the user forgetting their password or account lockouts due to too many incorrect attempts.\n- Check the actor's past behavior. If this is their usual behavior and they have a valid reason for it, then it might be a false positive.\n\n### Response and remediation:\n- If unauthorized attempts are confirmed, initiate the incident response process.\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\n- Block the IP address or device used in the attempts, if they appear suspicious.\n- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques.\n- Consider a security review of your Okta policies and rules to ensure they follow security best practices.", "query": "event.dataset:okta.system and\n event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or\n system.sms.send_account_unlock_message or system.sms.send_password_reset_message or\n system.voice.send_account_unlock_call or system.voice.send_password_reset_call or\n user.account.unlock_token)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], 
"risk_score": 47, "rule_id": "e90ee3af-45fc-432e-a850-4a58cf14a457", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "threshold": {"field": ["okta.actor.alternate_id"], "value": 5}, "type": "threshold", "version": 207}, "id": "e90ee3af-45fc-432e-a850-4a58cf14a457_207", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_208.json b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_208.json
deleted file mode 100644
index 6887c7a18fd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_208.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "@BenB196", "Austin Songer"], "description": "Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection.", "false_positives": ["The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule."], "from": "now-60m", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Okta User Password Reset or Unlock Attempts", "note": "## Triage and analysis\n\n### Investigating High Number of Okta User Password Reset or Unlock Attempts\n\nThis rule is designed to detect a suspiciously high number of password reset or account unlock attempts in Okta. Excessive password resets or account unlocks can be indicative of an attacker's attempt to gain unauthorized access to an account.\n\n#### Possible investigation steps:\n- Identify the actor associated with the excessive attempts. The `okta.actor.alternate_id` field can be used for this purpose.\n- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`.\n- Review the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the password reset or unlock attempts.\n- Review the event actions associated with these attempts. Look at the `event.action` field and filter for actions related to password reset and account unlock attempts.\n- Check for other similar patterns of behavior from the same actor or IP address. 
If there is a high number of failed login attempts before the password reset or unlock attempts, this may suggest a brute force attack.\n- Also, look at the times when these attempts were made. If these were made during off-hours, it could further suggest an adversary's activity.\n\n### False positive analysis:\n- This alert might be a false positive if there are legitimate reasons for a high number of password reset or unlock attempts. This could be due to the user forgetting their password or account lockouts due to too many incorrect attempts.\n- Check the actor's past behavior. If this is their usual behavior and they have a valid reason for it, then it might be a false positive.\n\n### Response and remediation:\n- If unauthorized attempts are confirmed, initiate the incident response process.\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\n- Block the IP address or device used in the attempts, if they appear suspicious.\n- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques.\n- Consider a security review of your Okta policies and rules to ensure they follow security best practices.", "query": "event.dataset:okta.system and\n event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or\n system.sms.send_account_unlock_message or system.sms.send_password_reset_message or\n system.voice.send_account_unlock_call or system.voice.send_password_reset_call or\n user.account.unlock_token)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], 
"risk_score": 47, "rule_id": "e90ee3af-45fc-432e-a850-4a58cf14a457", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "threshold": {"field": ["okta.actor.alternate_id"], "value": 5}, "timestamp_override": "event.ingested", "type": "threshold", "version": 208}, "id": "e90ee3af-45fc-432e-a850-4a58cf14a457_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_209.json b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_209.json
deleted file mode 100644
index 110b850d3fd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_209.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "@BenB196", "Austin Songer"], "description": "Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection.", "false_positives": ["The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule."], "from": "now-60m", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Okta User Password Reset or Unlock Attempts", "note": "## Triage and analysis\n\n### Investigating High Number of Okta User Password Reset or Unlock Attempts\n\nThis rule is designed to detect a suspiciously high number of password reset or account unlock attempts in Okta. Excessive password resets or account unlocks can be indicative of an attacker's attempt to gain unauthorized access to an account.\n\n#### Possible investigation steps:\n- Identify the actor associated with the excessive attempts. The `okta.actor.alternate_id` field can be used for this purpose.\n- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`.\n- Review the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the password reset or unlock attempts.\n- Review the event actions associated with these attempts. Look at the `event.action` field and filter for actions related to password reset and account unlock attempts.\n- Check for other similar patterns of behavior from the same actor or IP address. If there is a high number of failed login attempts before the password reset or unlock attempts, this may suggest a brute force attack.\n- Also, look at the times when these attempts were made. If these were made during off-hours, it could further suggest an adversary's activity.\n\n### False positive analysis:\n- This alert might be a false positive if there are legitimate reasons for a high number of password reset or unlock attempts. This could be due to the user forgetting their password or account lockouts due to too many incorrect attempts.\n- Check the actor's past behavior. If this is their usual behavior and they have a valid reason for it, then it might be a false positive.\n\n### Response and remediation:\n- If unauthorized attempts are confirmed, initiate the incident response process.\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\n- Block the IP address or device used in the attempts, if they appear suspicious.\n- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques.\n- Consider a security review of your Okta policies and rules to ensure they follow security best practices.", "query": "event.dataset:okta.system and\n event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or\n system.sms.send_account_unlock_message or system.sms.send_password_reset_message or\n system.voice.send_account_unlock_call or system.voice.send_password_reset_call or\n user.account.unlock_token)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e90ee3af-45fc-432e-a850-4a58cf14a457", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "threshold": {"field": ["okta.actor.alternate_id"], "value": 5}, "timestamp_override": "event.ingested", "type": "threshold", "version": 209}, "id": "e90ee3af-45fc-432e-a850-4a58cf14a457_209", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_211.json b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_211.json
deleted file mode 100644
index e55fd7462d9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_211.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "@BenB196", "Austin Songer"], "description": "Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection.", "false_positives": ["The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule."], "from": "now-60m", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Okta User Password Reset or Unlock Attempts", "note": "## Triage and analysis\n\n### Investigating High Number of Okta User Password Reset or Unlock Attempts\n\nThis rule is designed to detect a suspiciously high number of password reset or account unlock attempts in Okta. Excessive password resets or account unlocks can be indicative of an attacker's attempt to gain unauthorized access to an account.\n\n#### Possible investigation steps:\n- Identify the actor associated with the excessive attempts. The `okta.actor.alternate_id` field can be used for this purpose.\n- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`.\n- Review the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the password reset or unlock attempts.\n- Review the event actions associated with these attempts. Look at the `event.action` field and filter for actions related to password reset and account unlock attempts.\n- Check for other similar patterns of behavior from the same actor or IP address. If there is a high number of failed login attempts before the password reset or unlock attempts, this may suggest a brute force attack.\n- Also, look at the times when these attempts were made. If these were made during off-hours, it could further suggest an adversary's activity.\n\n### False positive analysis:\n- This alert might be a false positive if there are legitimate reasons for a high number of password reset or unlock attempts. This could be due to the user forgetting their password or account lockouts due to too many incorrect attempts.\n- Check the actor's past behavior. If this is their usual behavior and they have a valid reason for it, then it might be a false positive.\n\n### Response and remediation:\n- If unauthorized attempts are confirmed, initiate the incident response process.\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\n- Block the IP address or device used in the attempts, if they appear suspicious.\n- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques.\n- Consider a security review of your Okta policies and rules to ensure they follow security best practices.", "query": "event.dataset:okta.system and\n event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or\n system.sms.send_account_unlock_message or system.sms.send_password_reset_message or\n system.voice.send_account_unlock_call or system.voice.send_password_reset_call or\n user.account.unlock_token)\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "e90ee3af-45fc-432e-a850-4a58cf14a457", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "threshold": {"field": ["okta.actor.alternate_id"], "value": 5}, "timestamp_override": "event.ingested", "type": "threshold", "version": 211}, "id": "e90ee3af-45fc-432e-a850-4a58cf14a457_211", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_311.json b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_311.json
new file mode 100644
index 00000000000..7090e0d184d
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/e90ee3af-45fc-432e-a850-4a58cf14a457_311.json
@@ -0,0 +1,115 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic",
+ "@BenB196",
+ "Austin Songer"
+ ],
+ "description": "Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their target's environment and evade detection.",
+ "false_positives": [
+ "The number of Okta user password reset or account unlock attempts will likely vary between organizations. To fit this rule to their organization, users can duplicate this rule and edit the schedule and threshold values in the new rule."
+ ],
+ "from": "now-60m",
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "High Number of Okta User Password Reset or Unlock Attempts",
+ "note": "## Triage and analysis\n\n### Investigating High Number of Okta User Password Reset or Unlock Attempts\n\nThis rule is designed to detect a suspiciously high number of password reset or account unlock attempts in Okta. Excessive password resets or account unlocks can be indicative of an attacker's attempt to gain unauthorized access to an account.\n\n#### Possible investigation steps:\n- Identify the actor associated with the excessive attempts. The `okta.actor.alternate_id` field can be used for this purpose.\n- Determine the client used by the actor. You can look at `okta.client.device`, `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.ip_chain.ip`, and `okta.client.geographical_context`.\n- Review the `okta.outcome.result` and `okta.outcome.reason` fields to understand the outcome of the password reset or unlock attempts.\n- Review the event actions associated with these attempts. Look at the `event.action` field and filter for actions related to password reset and account unlock attempts.\n- Check for other similar patterns of behavior from the same actor or IP address. If there is a high number of failed login attempts before the password reset or unlock attempts, this may suggest a brute force attack.\n- Also, look at the times when these attempts were made. If these were made during off-hours, it could further suggest an adversary's activity.\n\n### False positive analysis:\n- This alert might be a false positive if there are legitimate reasons for a high number of password reset or unlock attempts. This could be due to the user forgetting their password or account lockouts due to too many incorrect attempts.\n- Check the actor's past behavior. If this is their usual behavior and they have a valid reason for it, then it might be a false positive.\n\n### Response and remediation:\n- If unauthorized attempts are confirmed, initiate the incident response process.\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\n- Block the IP address or device used in the attempts, if they appear suspicious.\n- If the attack was facilitated by a particular technique, ensure your systems are patched or configured to prevent such techniques.\n- Consider a security review of your Okta policies and rules to ensure they follow security best practices.",
+ "query": "event.dataset:okta.system and\n event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or\n system.sms.send_account_unlock_message or system.sms.send_password_reset_message or\n system.voice.send_account_unlock_call or system.voice.send_password_reset_call or\n user.account.unlock_token)\n",
+ "references": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "e90ee3af-45fc-432e-a850-4a58cf14a457",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Defense Evasion"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/"
+ }
+ ]
+ }
+ ],
+ "threshold": {
+ "field": [
+ "okta.actor.alternate_id"
+ ],
+ "value": 5
+ },
+ "timestamp_override": "event.ingested",
+ "type": "threshold",
+ "version": 311
+ },
+ "id": "e90ee3af-45fc-432e-a850-4a58cf14a457_311",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b.json b/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b.json
deleted file mode 100644
index 5a9c6000c2c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information.", "false_positives": ["VM exports may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. VM exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 VM Export Failure", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure\n", "references": ["https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "e919611d-6b6f-493b-8314-7ed6ac2e413b", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Exfiltration", "Tactic: Collection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "e919611d-6b6f-493b-8314-7ed6ac2e413b", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_102.json b/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_102.json
deleted file mode 100644
index 7c5d6cb04b3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information.", "false_positives": ["VM exports may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. VM exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 VM Export Failure", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure\n", "references": ["https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "e919611d-6b6f-493b-8314-7ed6ac2e413b", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "e919611d-6b6f-493b-8314-7ed6ac2e413b_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_103.json b/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_103.json
deleted file mode 100644
index e7c9ce3e19c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information.", "false_positives": ["VM exports may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. VM exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 VM Export Failure", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure\n", "references": ["https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "e919611d-6b6f-493b-8314-7ed6ac2e413b", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Exfiltration", "Tactic: Collection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "e919611d-6b6f-493b-8314-7ed6ac2e413b_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_104.json b/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_104.json
deleted file mode 100644
index 162c247929c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information.", "false_positives": ["VM exports may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. VM exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 VM Export Failure", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure\n", "references": ["https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "e919611d-6b6f-493b-8314-7ed6ac2e413b", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Exfiltration", "Tactic: Collection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "e919611d-6b6f-493b-8314-7ed6ac2e413b_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_205.json b/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_205.json
deleted file mode 100644
index 985e518ef83..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e919611d-6b6f-493b-8314-7ed6ac2e413b_205.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information.", "false_positives": ["VM exports may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. VM exports from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS EC2 VM Export Failure", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:CreateInstanceExportTask and event.outcome:failure\n", "references": ["https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "e919611d-6b6f-493b-8314-7ed6ac2e413b", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Exfiltration", "Tactic: Collection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1005", "name": "Data from Local System", "reference": "https://attack.mitre.org/techniques/T1005/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "e919611d-6b6f-493b-8314-7ed6ac2e413b_205", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e92c99b6-c547-4bb6-b244-2f27394bc849.json b/packages/security_detection_engine/kibana/security_rule/e92c99b6-c547-4bb6-b244-2f27394bc849.json
deleted file mode 100644
index d90ba5ebc09..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e92c99b6-c547-4bb6-b244-2f27394bc849.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected high bytes of data written to an external device via Airdrop. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities.", "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "ded_high_bytes_written_to_external_device_airdrop", "name": "Spike in Bytes Sent to an External Device via Airdrop", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/ded", "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration"], "related_integrations": [{"package": "ded", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "e92c99b6-c547-4bb6-b244-2f27394bc849", "setup": "## Setup\n\nThe rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). \n\n### Data Exfiltration Detection Setup\nThe Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
\n\n#### Prerequisite Requirements:\n- Fleet is required for Data Exfiltration Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- File events collected by the Elastic Defend integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1011", "name": "Exfiltration Over Other Network Medium", "reference": "https://attack.mitre.org/techniques/T1011/"}]}], "type": "machine_learning", "version": 4}, "id": "e92c99b6-c547-4bb6-b244-2f27394bc849", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e92c99b6-c547-4bb6-b244-2f27394bc849_1.json b/packages/security_detection_engine/kibana/security_rule/e92c99b6-c547-4bb6-b244-2f27394bc849_1.json deleted file mode 100644 index 0a214e13ed5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e92c99b6-c547-4bb6-b244-2f27394bc849_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected high bytes of data written to an external device via Airdrop. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities.", "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "ded_high_bytes_written_to_external_device_airdrop", "name": "Spike in Bytes Sent to an External Device via Airdrop", "note": "", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/ded"], "related_integrations": [{"package": "ded", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "e92c99b6-c547-4bb6-b244-2f27394bc849", "setup": "The Data Exfiltration Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.", "severity": "low", "tags": ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1011", "name": "Exfiltration Over Other Network Medium", "reference": "https://attack.mitre.org/techniques/T1011/"}]}], "type": "machine_learning", "version": 1}, "id": "e92c99b6-c547-4bb6-b244-2f27394bc849_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e92c99b6-c547-4bb6-b244-2f27394bc849_2.json b/packages/security_detection_engine/kibana/security_rule/e92c99b6-c547-4bb6-b244-2f27394bc849_2.json deleted file mode 100644 index 497a53eac9a..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/e92c99b6-c547-4bb6-b244-2f27394bc849_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected high bytes of data written to an external device via Airdrop. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities.", "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "ded_high_bytes_written_to_external_device_airdrop", "name": "Spike in Bytes Sent to an External Device via Airdrop", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/ded", "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration"], "related_integrations": [{"package": "ded", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "e92c99b6-c547-4bb6-b244-2f27394bc849", "setup": "The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). \n\n### Data Exfiltration Detection Setup\nThe Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
\n\n#### Prerequisite Requirements:\n- Fleet is required for Data Exfiltration Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- File events collected by the Elastic Defend integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.\n- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your file events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1011", "name": "Exfiltration Over Other Network Medium", "reference": "https://attack.mitre.org/techniques/T1011/"}]}], "type": "machine_learning", "version": 2}, "id": "e92c99b6-c547-4bb6-b244-2f27394bc849_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e92c99b6-c547-4bb6-b244-2f27394bc849_3.json b/packages/security_detection_engine/kibana/security_rule/e92c99b6-c547-4bb6-b244-2f27394bc849_3.json deleted file mode 100644 index e21d5515689..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e92c99b6-c547-4bb6-b244-2f27394bc849_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected high bytes of data written to an external device via Airdrop. In a typical operational setting, there is usually a predictable pattern or a certain range of data that is written to external devices. An unusually large amount of data being written is anomalous and can signal illicit data copying or transfer activities.", "from": "now-2h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "ded_high_bytes_written_to_external_device_airdrop", "name": "Spike in Bytes Sent to an External Device via Airdrop", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/ded", "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration"], "related_integrations": [{"package": "ded", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "e92c99b6-c547-4bb6-b244-2f27394bc849", "setup": "## Setup\n\nThe rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). \n\n### Data Exfiltration Detection Setup\nThe Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
\n\n#### Prerequisite Requirements:\n- Fleet is required for Data Exfiltration Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- File events collected by the Elastic Defend integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.\n- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your file events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1011", "name": "Exfiltration Over Other Network Medium", "reference": "https://attack.mitre.org/techniques/T1011/"}]}], "type": "machine_learning", "version": 3}, "id": "e92c99b6-c547-4bb6-b244-2f27394bc849_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a.json b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a.json deleted file mode 100644 index f522a598d3b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Executable File Creation by a System Critical Process", "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"exe\", \"dll\") and\n process.name : (\"smss.exe\",\n \"autochk.exe\",\n \"csrss.exe\",\n \"wininit.exe\",\n \"services.exe\",\n \"lsass.exe\",\n \"winlogon.exe\",\n \"userinit.exe\",\n \"LogonUI.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", 
"reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1211", "name": "Exploitation for Defense Evasion", "reference": "https://attack.mitre.org/techniques/T1211/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_104.json b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_104.json deleted file mode 100644 index ee51082ed17..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Executable File Creation by a System Critical Process", "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"exe\", \"dll\") and\n process.name : (\"smss.exe\",\n \"autochk.exe\",\n \"csrss.exe\",\n \"wininit.exe\",\n \"services.exe\",\n \"lsass.exe\",\n \"winlogon.exe\",\n \"userinit.exe\",\n \"LogonUI.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a", "setup": "If enabling an EQL rule on a non-elastic-agent index 
(such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1211", "name": "Exploitation for Defense Evasion", "reference": "https://attack.mitre.org/techniques/T1211/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_105.json b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_105.json deleted file mode 100644 index c6ae61d6d05..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Executable File Creation by a System Critical Process", "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"exe\", \"dll\") and\n process.name : (\"smss.exe\",\n \"autochk.exe\",\n \"csrss.exe\",\n \"wininit.exe\",\n \"services.exe\",\n \"lsass.exe\",\n \"winlogon.exe\",\n \"userinit.exe\",\n \"LogonUI.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1211", "name": "Exploitation for Defense Evasion", "reference": "https://attack.mitre.org/techniques/T1211/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a_105", "type": 
"security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_106.json b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_106.json deleted file mode 100644 index c75c3de3906..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_106.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Executable File Creation by a System Critical Process", "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"exe\", \"dll\") and\n process.name : (\"smss.exe\",\n \"autochk.exe\",\n \"csrss.exe\",\n \"wininit.exe\",\n \"services.exe\",\n \"lsass.exe\",\n \"winlogon.exe\",\n \"userinit.exe\",\n \"LogonUI.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1211", "name": "Exploitation for Defense Evasion", "reference": "https://attack.mitre.org/techniques/T1211/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": 
"e94262f2-c1e9-4d3f-a907-aeab16712e1a_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_107.json b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_107.json
deleted file mode 100644
index ca4e79a0ee1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Executable File Creation by a System Critical Process", "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"exe\", \"dll\") and\n process.name : (\"smss.exe\",\n \"autochk.exe\",\n \"csrss.exe\",\n \"wininit.exe\",\n \"services.exe\",\n \"lsass.exe\",\n \"winlogon.exe\",\n \"userinit.exe\",\n \"LogonUI.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1211", "name": "Exploitation for Defense Evasion", "reference": "https://attack.mitre.org/techniques/T1211/"}]}], "timestamp_override": "event.ingested", "type": "eql", 
"version": 107}, "id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_108.json b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_108.json
deleted file mode 100644
index 3ee1dad42a9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Executable File Creation by a System Critical Process", "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"exe\", \"dll\") and\n process.name : (\"smss.exe\",\n \"autochk.exe\",\n \"csrss.exe\",\n \"wininit.exe\",\n \"services.exe\",\n \"lsass.exe\",\n \"winlogon.exe\",\n \"userinit.exe\",\n \"LogonUI.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1211", "name": "Exploitation for Defense Evasion", "reference": "https://attack.mitre.org/techniques/T1211/"}]}, {"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_109.json b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_109.json
deleted file mode 100644
index a02c7c1dc3e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Executable File Creation by a System Critical Process", "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"exe\", \"dll\") and\n process.name : (\"smss.exe\",\n \"autochk.exe\",\n \"csrss.exe\",\n \"wininit.exe\",\n \"services.exe\",\n \"lsass.exe\",\n \"winlogon.exe\",\n \"userinit.exe\",\n \"LogonUI.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1211", "name": "Exploitation for Defense Evasion", "reference": "https://attack.mitre.org/techniques/T1211/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_110.json b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_110.json
deleted file mode 100644
index d8902c6fb2c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Executable File Creation by a System Critical Process", "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"exe\", \"dll\") and\n process.name : (\"smss.exe\",\n \"autochk.exe\",\n \"csrss.exe\",\n \"wininit.exe\",\n \"services.exe\",\n \"lsass.exe\",\n \"winlogon.exe\",\n \"userinit.exe\",\n \"LogonUI.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", 
"reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1211", "name": "Exploitation for Defense Evasion", "reference": "https://attack.mitre.org/techniques/T1211/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_111.json b/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_111.json deleted file mode 100644 index d451c6daf86..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e94262f2-c1e9-4d3f-a907-aeab16712e1a_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an unexpected executable file being created or modified by a Windows system critical process, which may indicate activity related to remote code execution or other forms of exploitation.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Executable File Creation by a System Critical Process", "note": "## Triage and analysis\n\n### Investigating Unusual Executable File Creation by a System Critical Process\n\nWindows internal/system processes have some characteristics that can be used to spot suspicious activities. One of these characteristics is file operations.\n\nThis rule looks for the creation of executable files done by system-critical processes. This can indicate the exploitation of a vulnerability or a malicious process masquerading as a system-critical process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"exe\", \"dll\") and\n process.name : (\"smss.exe\",\n \"autochk.exe\",\n \"csrss.exe\",\n \"wininit.exe\",\n \"services.exe\",\n \"lsass.exe\",\n \"winlogon.exe\",\n \"userinit.exe\",\n \"LogonUI.exe\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", 
"reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1211", "name": "Exploitation for Defense Evasion", "reference": "https://attack.mitre.org/techniques/T1211/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "e94262f2-c1e9-4d3f-a907-aeab16712e1a_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb.json b/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb.json deleted file mode 100644 index c1477ea8f6d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be executed by SYSTEM when the authentication packages are loaded.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential LSA Authentication Package Abuse", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Authentication Packages\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Authentication Packages\"\n ) and\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.002", "name": "Authentication Package", "reference": "https://attack.mitre.org/techniques/T1547/002/"}]}]}, {"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.002", "name": "Authentication Package", "reference": "https://attack.mitre.org/techniques/T1547/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_102.json b/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_102.json deleted file mode 100644 index 9d662df395a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be executed by SYSTEM when the authentication packages are loaded.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential LSA Authentication Package Abuse", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Authentication Packages\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Authentication Packages\"\n ) and\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.002", "name": "Authentication Package", "reference": "https://attack.mitre.org/techniques/T1547/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.002", "name": "Authentication Package", "reference": "https://attack.mitre.org/techniques/T1547/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_103.json b/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_103.json deleted file mode 100644 index c44a91b3007..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be executed by SYSTEM when the authentication packages are loaded.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential LSA Authentication Package Abuse", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Authentication Packages\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Authentication Packages\"\n ) and\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.002", "name": "Authentication Package", "reference": "https://attack.mitre.org/techniques/T1547/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": 
"Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.002", "name": "Authentication Package", "reference": "https://attack.mitre.org/techniques/T1547/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_104.json b/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_104.json deleted file mode 100644 index a931b06b7e6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be executed by SYSTEM when the authentication packages are loaded.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential LSA Authentication Package Abuse", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Authentication Packages\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Authentication Packages\"\n ) and\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.002", "name": "Authentication Package", "reference": "https://attack.mitre.org/techniques/T1547/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.002", "name": "Authentication Package", "reference": "https://attack.mitre.org/techniques/T1547/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_105.json b/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_105.json deleted file mode 100644 index 29dd2f909ec..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Adversaries can use the autostart mechanism provided by the Local Security Authority (LSA) authentication packages for privilege escalation or persistence by placing a reference to a binary in the Windows registry. The binary will then be executed by SYSTEM when the authentication packages are loaded.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential LSA Authentication Package Abuse", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Authentication Packages\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Control\\\\Lsa\\\\Authentication Packages\"\n ) and\n /* exclude SYSTEM SID - look for changes by non-SYSTEM user */\n not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.002", "name": "Authentication Package", "reference": "https://attack.mitre.org/techniques/T1547/002/"}]}]}, {"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.002", "name": "Authentication Package", "reference": "https://attack.mitre.org/techniques/T1547/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e9b0902b-c515-413b-b80b-a8dcebc81a66.json b/packages/security_detection_engine/kibana/security_rule/e9b0902b-c515-413b-b80b-a8dcebc81a66.json deleted file mode 100644 index 924d5d1f471..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e9b0902b-c515-413b-b80b-a8dcebc81a66.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected an abnormal volume of remote files shared on the host indicating potential lateral movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate valuable information. Attackers might perform multiple small transfers to match normal egress activity in the network, to evade detection.", "from": "now-90m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_count_remote_file_transfer", "name": "Spike in Remote File Transfers", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "e9b0902b-c515-413b-b80b-a8dcebc81a66", "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- File events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 4}, "id": "e9b0902b-c515-413b-b80b-a8dcebc81a66", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e9b0902b-c515-413b-b80b-a8dcebc81a66_1.json b/packages/security_detection_engine/kibana/security_rule/e9b0902b-c515-413b-b80b-a8dcebc81a66_1.json deleted file mode 100644 index 4dbf27babcf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e9b0902b-c515-413b-b80b-a8dcebc81a66_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected an abnormal volume of remote files shared on the host indicating potential lateral movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate valuable information. Attackers might perform multiple small transfers to match normal egress activity in the network, to evade detection.", "from": "now-90m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_count_remote_file_transfer", "name": "Spike in Remote File Transfers", "note": "", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "e9b0902b-c515-413b-b80b-a8dcebc81a66", "setup": "The Lateral Movement Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 1}, "id": "e9b0902b-c515-413b-b80b-a8dcebc81a66_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e9b0902b-c515-413b-b80b-a8dcebc81a66_2.json b/packages/security_detection_engine/kibana/security_rule/e9b0902b-c515-413b-b80b-a8dcebc81a66_2.json deleted file mode 100644 index e5ba95a39bf..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/e9b0902b-c515-413b-b80b-a8dcebc81a66_2.json
+++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected an abnormal volume of remote files shared on the host indicating potential lateral movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate valuable information. Attackers might perform multiple small transfers to match normal egress activity in the network, to evade detection.", "from": "now-90m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_count_remote_file_transfer", "name": "Spike in Remote File Transfers", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "e9b0902b-c515-413b-b80b-a8dcebc81a66", "setup": "The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- File events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your file events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 2}, "id": "e9b0902b-c515-413b-b80b-a8dcebc81a66_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e9b0902b-c515-413b-b80b-a8dcebc81a66_3.json b/packages/security_detection_engine/kibana/security_rule/e9b0902b-c515-413b-b80b-a8dcebc81a66_3.json deleted file mode 100644 index e69c059bb03..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e9b0902b-c515-413b-b80b-a8dcebc81a66_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A machine learning job has detected an abnormal volume of remote files shared on the host indicating potential lateral movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate valuable information. Attackers might perform multiple small transfers to match normal egress activity in the network, to evade detection.", "from": "now-90m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "lmd_high_count_remote_file_transfer", "name": "Spike in Remote File Transfers", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/lmd", "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration", "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security"], "related_integrations": [{"package": "lmd", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "e9b0902b-c515-413b-b80b-a8dcebc81a66", "setup": "## Setup\n\nThe rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. \n\n### Lateral Movement Detection Setup\nThe Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. 
Anomalies are detected using Elastic's Anomaly Detection feature.\n\n#### Prerequisite Requirements:\n- Fleet is required for Lateral Movement Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- File events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.\n- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.\n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your file events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Lateral Movement Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210/"}]}], "type": "machine_learning", "version": 3}, "id": "e9b0902b-c515-413b-b80b-a8dcebc81a66_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62.json b/packages/security_detection_engine/kibana/security_rule/e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62.json deleted file mode 100644 index 537dde9fcd5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An adversary may create a webhook in order to trigger a runbook that contains malicious code.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Automation Webhook Created", "note": "", "query": "event.dataset:azure.activitylogs and\n azure.activitylogs.operation_name:\n (\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION\" or\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE\"\n ) and\n event.outcome:(Success or success)\n", "references": ["https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor", "https://github.com/hausec/PowerZure", "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", "https://www.ciraltos.com/webhooks-and-azure-automation-runbooks/"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence"], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62_101.json b/packages/security_detection_engine/kibana/security_rule/e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62_101.json
deleted file mode 100644
index e8c6274c050..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62_101.json
+++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An adversary may create a webhook in order to trigger a runbook that contains malicious code.", "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Automation Webhook Created", "note": "", "query": "event.dataset:azure.activitylogs and\n azure.activitylogs.operation_name:\n (\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION\" or\n \"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE\"\n ) and\n event.outcome:(Success or success)\n", "references": ["https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor", "https://github.com/hausec/PowerZure", "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a", "https://www.ciraltos.com/webhooks-and-azure-automation-runbooks/"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62_101", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd.json b/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd.json
deleted file mode 100644
index 299b5d8b924..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd.json
+++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual child process name, for the parent process, by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_rare_process_by_parent", "name": "Unusual Process Spawned by a Parent Process", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "ea09ff26-3902-4c53-bb8e-24b7a5d029dd", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 5}, "id": "ea09ff26-3902-4c53-bb8e-24b7a5d029dd", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_1.json b/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_1.json
deleted file mode 100644
index eb8f97602e3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_1.json
+++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual child process name, for the parent process, by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_rare_process_by_parent", "name": "Unusual Process Spawned by a Parent Process", "note": "", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "ea09ff26-3902-4c53-bb8e-24b7a5d029dd", "setup": "The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 1}, "id": "ea09ff26-3902-4c53-bb8e-24b7a5d029dd_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_2.json b/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_2.json
deleted file mode 100644
index bb14c3dec40..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_2.json
+++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual child process name, for the parent process, by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_rare_process_by_parent", "name": "Unusual Process Spawned by a Parent Process", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "ea09ff26-3902-4c53-bb8e-24b7a5d029dd", "setup": "The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\nBefore you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 2}, "id": "ea09ff26-3902-4c53-bb8e-24b7a5d029dd_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_3.json b/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_3.json deleted file mode 100644 index efbb7b3a397..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual child process name, for the parent process, by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_rare_process_by_parent", "name": "Unusual Process Spawned by a Parent Process", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "ea09ff26-3902-4c53-bb8e-24b7a5d029dd", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\nBefore you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 3}, "id": "ea09ff26-3902-4c53-bb8e-24b7a5d029dd_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_4.json b/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_4.json deleted file mode 100644 index ef0b9e38d4b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual child process name, for the parent process, by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_rare_process_by_parent", "name": "Unusual Process Spawned by a Parent Process", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "ea09ff26-3902-4c53-bb8e-24b7a5d029dd", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\n**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle \"Include hidden indices\"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\n**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. 
Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 4}, "id": "ea09ff26-3902-4c53-bb8e-24b7a5d029dd_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_5.json b/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_5.json deleted file mode 100644 index 08b737fb01b..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual child process name, for the parent process, by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_rare_process_by_parent", "name": "Unusual Process Spawned by a Parent Process", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "ea09ff26-3902-4c53-bb8e-24b7a5d029dd", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 5}, "id": "ea09ff26-3902-4c53-bb8e-24b7a5d029dd_5", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_6.json b/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_6.json
deleted file mode 100644
index 9a2d10ce887..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ea09ff26-3902-4c53-bb8e-24b7a5d029dd_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual child process name, for the parent process, by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_rare_process_by_parent", "name": "Unusual Process Spawned by a Parent Process", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "ea09ff26-3902-4c53-bb8e-24b7a5d029dd", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 6}, "id": "ea09ff26-3902-4c53-bb8e-24b7a5d029dd_6", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636.json b/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636.json
deleted file mode 100644
index 55b0eb11535..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.", "from": "now-20m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Brute Force of Assume Role Policy", "note": "## Triage and analysis\n\n### Investigating AWS IAM Brute Force of Assume Role Policy\n\nAn IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. 
Instead, when you assume a role, it provides you with temporary security credentials for your role session.\n\nAttackers may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Verify if the `RoleName` parameter contains a unique value in all requests or if the activity is potentially a brute force attack.\n- Verify if the user account successfully updated a trust policy in the last 24 hours.\n- Examine whether this role existed in the environment by looking for past occurrences in your logs.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Examine the account's commands, API calls, and data management actions in the last 24 hours.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Verify the roles targeted in the failed attempts, and whether the subject role previously existed in the environment. 
If only one role was targeted in the requests and that role previously existed, it may be a false positive, since automations can continue targeting roles that existed in the environment in the past and cause false positives (FPs).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and\n event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and\n aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure\n", "references": ["https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities", "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.error_code", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "ea248a02-bc47-4043-8e94-2885b19b2636", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: 
Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": [], "value": 25}, "timestamp_override": "event.ingested", "type": "threshold", "version": 210}, "id": "ea248a02-bc47-4043-8e94-2885b19b2636", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_105.json b/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_105.json
deleted file mode 100644
index 3376e172af9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.", "from": "now-20m", "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Brute Force of Assume Role Policy", "note": "## Triage and analysis\n\n### Investigating AWS IAM Brute Force of Assume Role Policy\n\nAn IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. 
Instead, when you assume a role, it provides you with temporary security credentials for your role session.\n\nAttackers may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Verify if the `RoleName` parameter contains a unique value in all requests or if the activity is potentially a brute force attack.\n- Verify if the user account successfully updated a trust policy in the last 24 hours.\n- Examine whether this role existed in the environment by looking for past occurrences in your logs.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Examine the account's commands, API calls, and data management actions in the last 24 hours.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Verify the roles targeted in the failed attempts, and whether the subject role previously existed in the environment. 
If only one role was targeted in the requests and that role previously existed, it may be a false positive, since automations can continue targeting roles that existed in the environment in the past and cause false positives (FPs).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and\n event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and\n aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure\n", "references": ["https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities", "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.error_code", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "ea248a02-bc47-4043-8e94-2885b19b2636", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": [], "value": 25}, "type": "threshold", "version": 105}, "id": "ea248a02-bc47-4043-8e94-2885b19b2636_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_106.json b/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_106.json
deleted file mode 100644
index bdb496a5342..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.", "from": "now-20m", "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Brute Force of Assume Role Policy", "note": "## Triage and analysis\n\n### Investigating AWS IAM Brute Force of Assume Role Policy\n\nAn IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it.
Instead, when you assume a role, it provides you with temporary security credentials for your role session.\n\nAttackers may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Verify if the `RoleName` parameter contains a unique value in all requests or if the activity is potentially a brute force attack.\n- Verify if the user account successfully updated a trust policy in the last 24 hours.\n- Examine whether this role existed in the environment by looking for past occurrences in your logs.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Examine the account's commands, API calls, and data management actions in the last 24 hours.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Verify the roles targeted in the failed attempts, and whether the subject role previously existed in the environment. 
If only one role was targeted in the requests and that role previously existed, it may be a false positive, since automations can continue targeting roles that existed in the environment in the past and cause false positives (FPs).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and\n event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and\n aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure\n", "references": ["https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities", "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.error_code", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "ea248a02-bc47-4043-8e94-2885b19b2636", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: 
Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": [], "value": 25}, "type": "threshold", "version": 106}, "id": "ea248a02-bc47-4043-8e94-2885b19b2636_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_107.json b/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_107.json
deleted file mode 100644
index 4959a0b3250..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.", "from": "now-20m", "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Brute Force of Assume Role Policy", "note": "## Triage and analysis\n\n### Investigating AWS IAM Brute Force of Assume Role Policy\n\nAn IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it.
Instead, when you assume a role, it provides you with temporary security credentials for your role session.\n\nAttackers may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Verify if the `RoleName` parameter contains a unique value in all requests or if the activity is potentially a brute force attack.\n- Verify if the user account successfully updated a trust policy in the last 24 hours.\n- Examine whether this role existed in the environment by looking for past occurrences in your logs.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Examine the account's commands, API calls, and data management actions in the last 24 hours.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Verify the roles targeted in the failed attempts, and whether the subject role previously existed in the environment. 
If only one role was targeted in the requests and that role previously existed, it may be a false positive, since automations can continue targeting roles that existed in the environment in the past and cause false positives (FPs).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and\n event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and\n aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure\n", "references": ["https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities", "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.error_code", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "ea248a02-bc47-4043-8e94-2885b19b2636", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: 
Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": [], "value": 25}, "type": "threshold", "version": 107}, "id": "ea248a02-bc47-4043-8e94-2885b19b2636_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_208.json b/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_208.json
deleted file mode 100644
index a714a161ad7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_208.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.", "from": "now-20m", "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Brute Force of Assume Role Policy", "note": "## Triage and analysis\n\n### Investigating AWS IAM Brute Force of Assume Role Policy\n\nAn IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it.
Instead, when you assume a role, it provides you with temporary security credentials for your role session.\n\nAttackers may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Verify if the `RoleName` parameter contains a unique value in all requests or if the activity is potentially a brute force attack.\n- Verify if the user account successfully updated a trust policy in the last 24 hours.\n- Examine whether this role existed in the environment by looking for past occurrences in your logs.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Examine the account's commands, API calls, and data management actions in the last 24 hours.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Verify the roles targeted in the failed attempts, and whether the subject role previously existed in the environment. 
If only one role was targeted in the requests and that role previously existed, it may be a false positive, since automations can continue targeting roles that existed in the environment in the past and cause false positives (FPs).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and\n event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and\n aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure\n", "references": ["https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities", "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.error_code", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "ea248a02-bc47-4043-8e94-2885b19b2636", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: 
Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": [], "value": 25}, "type": "threshold", "version": 208}, "id": "ea248a02-bc47-4043-8e94-2885b19b2636_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_209.json b/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_209.json
deleted file mode 100644
index 7bfee9a27ee..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ea248a02-bc47-4043-8e94-2885b19b2636_209.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.", "from": "now-20m", "index": ["filebeat-*", "logs-aws*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS IAM Brute Force of Assume Role Policy", "note": "## Triage and analysis\n\n### Investigating AWS IAM Brute Force of Assume Role Policy\n\nAn IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it.
Instead, when you assume a role, it provides you with temporary security credentials for your role session.\n\nAttackers may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Verify if the `RoleName` parameter contains a unique value in all requests or if the activity is potentially a brute force attack.\n- Verify if the user account successfully updated a trust policy in the last 24 hours.\n- Examine whether this role existed in the environment by looking for past occurrences in your logs.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Consider the time of day. If the user is a human (not a program or script), did the activity take place during a normal time of day?\n- Examine the account's commands, API calls, and data management actions in the last 24 hours.\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- Verify the roles targeted in the failed attempts, and whether the subject role previously existed in the environment. 
If only one role was targeted in the requests and that role previously existed, it may be a false positive, since automations can continue targeting roles that existed in the environment in the past and cause false positives (FPs).\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. 
Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and\n event.provider:iam.amazonaws.com and event.action:UpdateAssumeRolePolicy and\n aws.cloudtrail.error_code:MalformedPolicyDocumentException and event.outcome:failure\n", "references": ["https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities", "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.error_code", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "ea248a02-bc47-4043-8e94-2885b19b2636", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: 
Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/"}]}], "threshold": {"field": [], "value": 25}, "timestamp_override": "event.ingested", "type": "threshold", "version": 209}, "id": "ea248a02-bc47-4043-8e94-2885b19b2636_209", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa.json b/packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa.json
deleted file mode 100644
index 576c2691910..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected an unusually large spike in network traffic that was denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by either 1) a mis-configured application or firewall or 2) suspicious or malicious activity. Unsuccessful attempts at network transit, in order to connect to command-and-control (C2), or engage in data exfiltration, may produce a burst of failed connections. This could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.", "false_positives": ["A misconfgured network application or firewall may trigger this alert. Security scans or test cycles may trigger this alert."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "high_count_network_denies", "name": "Spike in Firewall Denies", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "eaa77d63-9679-4ce3-be25-3ba8b795e5fa", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Network Packet Capture\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully.
For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Network Packet Capture Integration Setup\nThe Network Packet Capture integration sniffs network packets on a host and dissects known protocols. Monitoring the network traffic is critical to gaining observability and securing your environment \u2014 ensuring high levels of performance and security. The Network Packet Capture integration captures the network traffic between your application servers, decodes common application layer protocols and records the interesting fields for each transaction.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"network_traffic\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cNetwork Packet Capture\u201d and select the integration to see more details about it.\n- Click \u201cAdd Network Packet Capture\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cnetwork_traffic\u201d to an existing or a new agent policy, and deploy the agent on your system from which network log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/network_traffic).\n", "severity": "low", "tags": ["Use Case: Threat Detection", 
"Rule Type: ML", "Rule Type: Machine Learning"], "type": "machine_learning", "version": 104}, "id": "eaa77d63-9679-4ce3-be25-3ba8b795e5fa", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa_101.json b/packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa_101.json
deleted file mode 100644
index 9bf8d9f76e0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa_101.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected an unusually large spike in network traffic that was denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by either 1) a mis-configured application or firewall or 2) suspicious or malicious activity. Unsuccessful attempts at network transit, in order to connect to command-and-control (C2), or engage in data exfiltration, may produce a burst of failed connections. This could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.", "false_positives": ["A misconfgured network application or firewall may trigger this alert. Security scans or test cycles may trigger this alert."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "high_count_network_denies", "name": "Spike in Firewall Denies", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "eaa77d63-9679-4ce3-be25-3ba8b795e5fa", "severity": "low", "tags": ["Elastic", "Network", "Threat Detection", "ML", "Machine Learning"], "type": "machine_learning", "version": 101}, "id": "eaa77d63-9679-4ce3-be25-3ba8b795e5fa_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa_102.json b/packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa_102.json deleted file mode 100644 index c4907ac83b1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected an unusually large spike in network traffic that was denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by either 1) a mis-configured application or firewall or 2) suspicious or malicious activity. Unsuccessful attempts at network transit, in order to connect to command-and-control (C2), or engage in data exfiltration, may produce a burst of failed connections. This could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.", "false_positives": ["A misconfgured network application or firewall may trigger this alert. Security scans or test cycles may trigger this alert."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "high_count_network_denies", "name": "Spike in Firewall Denies", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "risk_score": 21, "rule_id": "eaa77d63-9679-4ce3-be25-3ba8b795e5fa", "severity": "low", "tags": ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"], "type": "machine_learning", "version": 102}, "id": "eaa77d63-9679-4ce3-be25-3ba8b795e5fa_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa_103.json b/packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa_103.json deleted file mode 100644 index 8815d108e21..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/eaa77d63-9679-4ce3-be25-3ba8b795e5fa_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job detected an unusually large spike in network traffic that was denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by either 1) a mis-configured application or firewall or 2) suspicious or malicious activity. Unsuccessful attempts at network transit, in order to connect to command-and-control (C2), or engage in data exfiltration, may produce a burst of failed connections. This could also be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic.", "false_positives": ["A misconfgured network application or firewall may trigger this alert. Security scans or test cycles may trigger this alert."], "from": "now-30m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "high_count_network_denies", "name": "Spike in Firewall Denies", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "eaa77d63-9679-4ce3-be25-3ba8b795e5fa", "severity": "low", "tags": ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning"], "type": "machine_learning", "version": 103}, "id": "eaa77d63-9679-4ce3-be25-3ba8b795e5fa_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eaef8a35-12e0-4ac0-bc14-81c72b6bd27c.json b/packages/security_detection_engine/kibana/security_rule/eaef8a35-12e0-4ac0-bc14-81c72b6bd27c.json deleted file mode 100644 index 612f2d5f59c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/eaef8a35-12e0-4ac0-bc14-81c72b6bd27c.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects suspicious network events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious APT Package Manager Network Connection", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.parent.name == \"apt\" and process.args == \"-c\" and process.name in (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"\n )\n ] by process.entity_id\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and event.type == \"start\" and not (\n destination.ip == null or destination.ip == \"0.0.0.0\" or cidrmatch(\n destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\",\n \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\", \"172.31.0.0/16\"\n )\n ) and not process.executable == \"/usr/bin/apt-listbugs\"\n ] by process.parent.entity_id\n", "related_integrations": 
[{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c", "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Command and Control", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.016", "name": "Installer Packages", "reference": "https://attack.mitre.org/techniques/T1546/016/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command 
and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "type": "eql", "version": 3}, "id": "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/eaef8a35-12e0-4ac0-bc14-81c72b6bd27c_1.json b/packages/security_detection_engine/kibana/security_rule/eaef8a35-12e0-4ac0-bc14-81c72b6bd27c_1.json
deleted file mode 100644
index 80d2fb00572..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/eaef8a35-12e0-4ac0-bc14-81c72b6bd27c_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects suspicious network events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious APT Package Manager Network Connection", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and\n process.parent.name == \"apt\" and process.args == \"-c\" and process.name in (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"\n )\n ] by process.entity_id\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and event.type == \"start\"\n ] by process.parent.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": 
"eaef8a35-12e0-4ac0-bc14-81c72b6bd27c", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Command and Control", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "type": "eql", "version": 1}, "id": "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eaef8a35-12e0-4ac0-bc14-81c72b6bd27c_2.json b/packages/security_detection_engine/kibana/security_rule/eaef8a35-12e0-4ac0-bc14-81c72b6bd27c_2.json deleted file mode 100644 index 7cebf48e601..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/eaef8a35-12e0-4ac0-bc14-81c72b6bd27c_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects suspicious network events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious APT Package Manager Network Connection", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.parent.name == \"apt\" and process.args == \"-c\" and process.name in (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"\n )\n ] by process.entity_id\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and event.type == \"start\"\n ] by process.parent.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": 
"eaef8a35-12e0-4ac0-bc14-81c72b6bd27c", "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Command and Control", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "type": "eql", "version": 2}, "id": "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eaef8a35-12e0-4ac0-bc14-81c72b6bd27c_3.json b/packages/security_detection_engine/kibana/security_rule/eaef8a35-12e0-4ac0-bc14-81c72b6bd27c_3.json deleted file mode 100644 index 1d5d4a94e1d..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/eaef8a35-12e0-4ac0-bc14-81c72b6bd27c_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects suspicious network events executed by the APT package manager, potentially indicating persistence through an APT backdoor. In Linux, APT (Advanced Package Tool) is a command-line utility used for handling packages on Debian-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor APT to gain persistence by injecting malicious code into scripts that APT runs, thereby ensuring continued unauthorized access or control each time APT is used for package management.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious APT Package Manager Network Connection", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.parent.name == \"apt\" and process.args == \"-c\" and process.name in (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\"\n )\n ] by process.entity_id\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and event.type == \"start\" and not (\n destination.ip == null or destination.ip == \"0.0.0.0\" or cidrmatch(\n destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\",\n \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\",\n \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\",\n \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\", \"FE80::/10\",\n \"FF00::/8\", \"172.31.0.0/16\"\n )\n ) and not process.executable == \"/usr/bin/apt-listbugs\"\n ] by process.parent.entity_id\n", "related_integrations": 
[{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c", "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. 
Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Command and Control", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.016", "name": "Installer Packages", "reference": "https://attack.mitre.org/techniques/T1546/016/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command 
and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "type": "eql", "version": 3}, "id": "eaef8a35-12e0-4ac0-bc14-81c72b6bd27c_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/eb079c62-4481-4d6e-9643-3ca499df7aaa.json b/packages/security_detection_engine/kibana/security_rule/eb079c62-4481-4d6e-9643-3ca499df7aaa.json
deleted file mode 100644
index 1d970d41a15..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/eb079c62-4481-4d6e-9643-3ca499df7aaa.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app.", "index": ["apm-*-transaction*", "traces-apm*", "auditbeat-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"], "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "External Alerts", "query": "event.kind:alert and not event.module:(endgame or endpoint or cloud_defend)\n", "required_fields": [{"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "risk_score_mapping": [{"field": "event.risk_score", "operator": "equals", "value": ""}], "rule_id": "eb079c62-4481-4d6e-9643-3ca499df7aaa", "rule_name_override": "message", "setup": "## Setup\n\nThis rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.\n\n**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. 
For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.\n\nTo make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.\n\n**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.", "severity": "medium", "severity_mapping": [{"field": "event.severity", "operator": "equals", "severity": "low", "value": "21"}, {"field": "event.severity", "operator": "equals", "severity": "medium", "value": "47"}, {"field": "event.severity", "operator": "equals", "severity": "high", "value": "73"}, {"field": "event.severity", "operator": "equals", "severity": "critical", "value": "99"}], "tags": ["OS: Windows", "Data Source: APM", "OS: macOS", "OS: Linux"], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "eb079c62-4481-4d6e-9643-3ca499df7aaa", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/eb079c62-4481-4d6e-9643-3ca499df7aaa_101.json b/packages/security_detection_engine/kibana/security_rule/eb079c62-4481-4d6e-9643-3ca499df7aaa_101.json
deleted file mode 100644
index 0e252e15133..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/eb079c62-4481-4d6e-9643-3ca499df7aaa_101.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app.", "index": ["apm-*-transaction*", "traces-apm*", "auditbeat-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"], "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "External Alerts", "query": "event.kind:alert and not event.module:(endgame or endpoint or cloud_defend)\n", "required_fields": [{"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "risk_score_mapping": [{"field": "event.risk_score", "operator": "equals", "value": ""}], "rule_id": "eb079c62-4481-4d6e-9643-3ca499df7aaa", "rule_name_override": "message", "severity": "medium", "severity_mapping": [{"field": "event.severity", "operator": "equals", "severity": "low", "value": "21"}, {"field": "event.severity", "operator": "equals", "severity": "medium", "value": "47"}, {"field": "event.severity", "operator": "equals", "severity": "high", "value": "73"}, {"field": "event.severity", "operator": "equals", "severity": "critical", "value": "99"}], "tags": ["Elastic", "Network", "Windows", "APM", "macOS", "Linux"], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "eb079c62-4481-4d6e-9643-3ca499df7aaa_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb079c62-4481-4d6e-9643-3ca499df7aaa_102.json b/packages/security_detection_engine/kibana/security_rule/eb079c62-4481-4d6e-9643-3ca499df7aaa_102.json deleted file mode 100644 index ed12eeebd78..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/eb079c62-4481-4d6e-9643-3ca499df7aaa_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app.", "index": ["apm-*-transaction*", "traces-apm*", "auditbeat-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"], "language": "kuery", "license": "Elastic License v2", "max_signals": 10000, "name": "External Alerts", "query": "event.kind:alert and not event.module:(endgame or endpoint or cloud_defend)\n", "required_fields": [{"ecs": true, "name": "event.kind", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}], "risk_score": 47, "risk_score_mapping": [{"field": "event.risk_score", "operator": "equals", "value": ""}], "rule_id": "eb079c62-4481-4d6e-9643-3ca499df7aaa", "rule_name_override": "message", "severity": "medium", "severity_mapping": [{"field": "event.severity", "operator": "equals", "severity": "low", "value": "21"}, {"field": "event.severity", "operator": "equals", "severity": "medium", "value": "47"}, {"field": "event.severity", "operator": "equals", "severity": "high", "value": "73"}, {"field": "event.severity", "operator": "equals", "severity": "critical", "value": "99"}], "tags": ["OS: Windows", "Data Source: APM", "OS: macOS", "OS: Linux"], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "eb079c62-4481-4d6e-9643-3ca499df7aaa_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43.json b/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43.json deleted file mode 100644 index 4035e3c4dc6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can be used to record webcam video. Attackers can capture this information to extort or spy on victims.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Webcam Video Capture Capabilities", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"NewFrameEventHandler\" or\n \"VideoCaptureDevice\" or\n \"DirectX.Capture.Filters\" or\n \"VideoCompressors\" or\n \"Start-WebcamRecorder\" or\n (\n (\"capCreateCaptureWindowA\" or\n \"capCreateCaptureWindow\" or\n \"capGetDriverDescription\") and\n (\"avicap32.dll\" or \"avicap32\")\n )\n )\n", "references": ["https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "eb44611f-62a8-4036-a5ef-587098be6c43", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1125", "name": "Video Capture", "reference": "https://attack.mitre.org/techniques/T1125/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "eb44611f-62a8-4036-a5ef-587098be6c43", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_1.json b/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_1.json deleted file mode 100644 index 9d584d11119..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects PowerShell scripts that can be used to record webcam video. Attackers can capture this information to extort or spy on victims.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Webcam Video Capture Capabilities", "note": "", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"NewFrameEventHandler\" or\n \"VideoCaptureDevice\" or\n \"DirectX.Capture.Filters\" or\n \"VideoCompressors\" or\n \"Start-WebcamRecorder\" or\n (\n (\"capCreateCaptureWindowA\" or\n \"capCreateCaptureWindow\" or\n \"capGetDriverDescription\") and\n (\"avicap32.dll\" or \"avicap32\")\n )\n )\n", "references": ["https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 21, "rule_id": "eb44611f-62a8-4036-a5ef-587098be6c43", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1125", "name": "Video Capture", "reference": "https://attack.mitre.org/techniques/T1125/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "eb44611f-62a8-4036-a5ef-587098be6c43_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_2.json b/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_2.json deleted file mode 100644 index 8dfdd3a4c68..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects PowerShell scripts that can be used to record webcam video. Attackers can capture this information to extort or spy on victims.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Webcam Video Capture Capabilities", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"NewFrameEventHandler\" or\n \"VideoCaptureDevice\" or\n \"DirectX.Capture.Filters\" or\n \"VideoCompressors\" or\n \"Start-WebcamRecorder\" or\n (\n (\"capCreateCaptureWindowA\" or\n \"capCreateCaptureWindow\" or\n \"capGetDriverDescription\") and\n (\"avicap32.dll\" or \"avicap32\")\n )\n )\n", "references": ["https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 21, "rule_id": "eb44611f-62a8-4036-a5ef-587098be6c43", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1125", "name": "Video Capture", "reference": "https://attack.mitre.org/techniques/T1125/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "eb44611f-62a8-4036-a5ef-587098be6c43_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_3.json b/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_3.json deleted file mode 100644 index 68c0ba737ee..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can be used to record webcam video. Attackers can capture this information to extort or spy on victims.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Webcam Video Capture Capabilities", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"NewFrameEventHandler\" or\n \"VideoCaptureDevice\" or\n \"DirectX.Capture.Filters\" or\n \"VideoCompressors\" or\n \"Start-WebcamRecorder\" or\n (\n (\"capCreateCaptureWindowA\" or\n \"capCreateCaptureWindow\" or\n \"capGetDriverDescription\") and\n (\"avicap32.dll\" or \"avicap32\")\n )\n )\n", "references": ["https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "eb44611f-62a8-4036-a5ef-587098be6c43", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", 
"name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1125", "name": "Video Capture", "reference": "https://attack.mitre.org/techniques/T1125/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "eb44611f-62a8-4036-a5ef-587098be6c43_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_4.json b/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_4.json deleted file mode 100644 index d6b9128712c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can be used to record webcam video. Attackers can capture this information to extort or spy on victims.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Webcam Video Capture Capabilities", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"NewFrameEventHandler\" or\n \"VideoCaptureDevice\" or\n \"DirectX.Capture.Filters\" or\n \"VideoCompressors\" or\n \"Start-WebcamRecorder\" or\n (\n (\"capCreateCaptureWindowA\" or\n \"capCreateCaptureWindow\" or\n \"capGetDriverDescription\") and\n (\"avicap32.dll\" or \"avicap32\")\n )\n )\n", "references": ["https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "eb44611f-62a8-4036-a5ef-587098be6c43", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1125", "name": "Video Capture", "reference": "https://attack.mitre.org/techniques/T1125/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "eb44611f-62a8-4036-a5ef-587098be6c43_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_5.json b/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_5.json deleted file mode 100644 index f2f1ea76a1e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/eb44611f-62a8-4036-a5ef-587098be6c43_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that can be used to record webcam video. Attackers can capture this information to extort or spy on victims.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Webcam Video Capture Capabilities", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"NewFrameEventHandler\" or\n \"VideoCaptureDevice\" or\n \"DirectX.Capture.Filters\" or\n \"VideoCompressors\" or\n \"Start-WebcamRecorder\" or\n (\n (\"capCreateCaptureWindowA\" or\n \"capCreateCaptureWindow\" or\n \"capGetDriverDescription\") and\n (\"avicap32.dll\" or \"avicap32\")\n )\n )\n", "references": ["https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/collection/WebcamRecorder.py"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "eb44611f-62a8-4036-a5ef-587098be6c43", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1125", "name": "Video Capture", "reference": "https://attack.mitre.org/techniques/T1125/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "eb44611f-62a8-4036-a5ef-587098be6c43_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39.json b/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39.json deleted file mode 100644 index 181f0104345..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that have the capability of requesting kerberos tickets, which is a common step in Kerberoasting toolkits to crack service accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Kerberos Ticket Request", "note": "## Triage and analysis\n\n### Investigating PowerShell Kerberos Ticket Request\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\n\nAccounts associated with a service principal name (SPN) are viable targets for Kerberoasting attacks, which use brute force to crack the user password, which is used to encrypt a Kerberos TGS ticket.\n\nAttackers can use PowerShell to request these Kerberos tickets, with the intent of extracting them from memory to perform Kerberoasting.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate if the script was executed, and if so, which account was targeted.\n- Validate if the account has an SPN associated with it.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if the script has any other functionality that can be potentially malicious.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review event ID [4769](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769) related to this account and service name for additional information.\n\n### False positive analysis\n\n- A possible false positive can be identified if the script content is not malicious/harmful or does not request Kerberos tickets for user accounts, as computer accounts are not vulnerable to Kerberoasting due to complex password requirements and policy.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n KerberosRequestorSecurityToken\n ) and not user.id : (\"S-1-5-18\" or \"S-1-5-20\") and\n not powershell.file.script_block_text : (\n (\"sentinelbreakpoints\" and (\"Set-PSBreakpoint\" or \"Set-HookFunctionTabs\")) or\n (\"function global\" and \"\\\\windows\\\\sentinel\\\\4\")\n )\n", "references": ["https://cobalt.io/blog/kerberoast-attack-techniques", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", 
"Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 111}, "id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_105.json b/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_105.json deleted file mode 100644 index 8787e345f82..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that have the capability of requesting kerberos tickets, which is a common step in Kerberoasting toolkits to crack service accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Kerberos Ticket Request", "note": "## Triage and analysis\n\n### Investigating PowerShell Kerberos Ticket Request\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\n\nAccounts associated with a service principal name (SPN) are viable targets for Kerberoasting attacks, which use brute force to crack the user password, which is used to encrypt a Kerberos TGS ticket.\n\nAttackers can use PowerShell to request these Kerberos tickets, with the intent of extracting them from memory to perform Kerberoasting.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate if the script was executed, and if so, which account was targeted.\n- Validate if the account has an SPN associated with it.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if the script has any other functionality that can be potentially malicious.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review event ID [4769](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769) related to this account and service name for additional information.\n\n### False positive analysis\n\n- A possible false positive can be identified if the script content is not malicious/harmful or does not request Kerberos tickets for user accounts, as computer accounts are not vulnerable to Kerberoasting due to complex password requirements and policy.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n KerberosRequestorSecurityToken\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://cobalt.io/blog/kerberoast-attack-techniques", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "PowerShell"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential 
Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_106.json b/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_106.json deleted file mode 100644 index c569cad8bbc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that have the capability of requesting kerberos tickets, which is a common step in Kerberoasting toolkits to crack service accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Kerberos Ticket Request", "note": "## Triage and analysis\n\n### Investigating PowerShell Kerberos Ticket Request\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\n\nAccounts associated with a service principal name (SPN) are viable targets for Kerberoasting attacks, which use brute force to crack the user password, which is used to encrypt a Kerberos TGS ticket.\n\nAttackers can use PowerShell to request these Kerberos tickets, with the intent of extracting them from memory to perform Kerberoasting.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate if the script was executed, and if so, which account was targeted.\n- Validate if the account has an SPN associated with it.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if the script has any other functionality that can be potentially malicious.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review event ID [4769](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769) related to this account and service name for additional information.\n\n### False positive analysis\n\n- A possible false positive can be identified if the script content is not malicious/harmful or does not request Kerberos tickets for user accounts, as computer accounts are not vulnerable to Kerberoasting due to complex password requirements and policy.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n KerberosRequestorSecurityToken\n ) and not user.id : \"S-1-5-18\"\n", "references": ["https://cobalt.io/blog/kerberoast-attack-techniques", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, 
"technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_107.json b/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_107.json deleted file mode 100644 index 4be4c698d87..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that have the capability of requesting kerberos tickets, which is a common step in Kerberoasting toolkits to crack service accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Kerberos Ticket Request", "note": "## Triage and analysis\n\n### Investigating PowerShell Kerberos Ticket Request\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\n\nAccounts associated with a service principal name (SPN) are viable targets for Kerberoasting attacks, which use brute force to crack the user password, which is used to encrypt a Kerberos TGS ticket.\n\nAttackers can use PowerShell to request these Kerberos tickets, with the intent of extracting them from memory to perform Kerberoasting.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate if the script was executed, and if so, which account was targeted.\n- Validate if the account has an SPN associated with it.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if the script has any other functionality that can be potentially malicious.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review event ID [4769](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769) related to this account and service name for additional information.\n\n### False positive analysis\n\n- A possible false positive can be identified if the script content is not malicious/harmful or does not request Kerberos tickets for user accounts, as computer accounts are not vulnerable to Kerberoasting due to complex password requirements and policy.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n KerberosRequestorSecurityToken\n ) and not user.id : \"S-1-5-18\"\n and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n", "references": ["https://cobalt.io/blog/kerberoast-attack-techniques", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_108.json b/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_108.json deleted file mode 100644 index 6262abc31fd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that have the capability of requesting kerberos tickets, which is a common step in Kerberoasting toolkits to crack service accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Kerberos Ticket Request", "note": "## Triage and analysis\n\n### Investigating PowerShell Kerberos Ticket Request\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\n\nAccounts associated with a service principal name (SPN) are viable targets for Kerberoasting attacks, which use brute force to crack the user password, which is used to encrypt a Kerberos TGS ticket.\n\nAttackers can use PowerShell to request these Kerberos tickets, with the intent of extracting them from memory to perform Kerberoasting.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate if the script was executed, and if so, which account was targeted.\n- Validate if the account has an SPN associated with it.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if the script has any other functionality that can be potentially malicious.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review event ID [4769](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769) related to this account and service name for additional information.\n\n### False positive analysis\n\n- A possible false positive can be identified if the script content is not malicious/harmful or does not request Kerberos tickets for user accounts, as computer accounts are not vulnerable to Kerberoasting due to complex password requirements and policy.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n KerberosRequestorSecurityToken\n ) and not user.id : (\"S-1-5-18\" or \"S-1-5-20\") and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n", "references": ["https://cobalt.io/blog/kerberoast-attack-techniques", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_109.json b/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_109.json deleted file mode 100644 index b5b6c0caaa5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that have the capability of requesting kerberos tickets, which is a common step in Kerberoasting toolkits to crack service accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Kerberos Ticket Request", "note": "## Triage and analysis\n\n### Investigating PowerShell Kerberos Ticket Request\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\n\nAccounts associated with a service principal name (SPN) are viable targets for Kerberoasting attacks, which use brute force to crack the user password, which is used to encrypt a Kerberos TGS ticket.\n\nAttackers can use PowerShell to request these Kerberos tickets, with the intent of extracting them from memory to perform Kerberoasting.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate if the script was executed, and if so, which account was targeted.\n- Validate if the account has an SPN associated with it.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if the script has any other functionality that can be potentially malicious.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review event ID [4769](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769) related to this account and service name for additional information.\n\n### False positive analysis\n\n- A possible false positive can be identified if the script content is not malicious/harmful or does not request Kerberos tickets for user accounts, as computer accounts are not vulnerable to Kerberoasting due to complex password requirements and policy.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n KerberosRequestorSecurityToken\n ) and not user.id : (\"S-1-5-18\" or \"S-1-5-20\") and\n not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and (\"Set-PSBreakpoint\" or \"Set-HookFunctionTabs\")\n )\n", "references": ["https://cobalt.io/blog/kerberoast-attack-techniques", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39", "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 109}, "id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_110.json b/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_110.json deleted file mode 100644 index 5b0b1da83e3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that have the capability of requesting kerberos tickets, which is a common step in Kerberoasting toolkits to crack service accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Kerberos Ticket Request", "note": "## Triage and analysis\n\n### Investigating PowerShell Kerberos Ticket Request\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\n\nAccounts associated with a service principal name (SPN) are viable targets for Kerberoasting attacks, which use brute force to crack the user password, which is used to encrypt a Kerberos TGS ticket.\n\nAttackers can use PowerShell to request these Kerberos tickets, with the intent of extracting them from memory to perform Kerberoasting.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate if the script was executed, and if so, which account was targeted.\n- Validate if the account has an SPN associated with it.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if the script has any other functionality that can be potentially malicious.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review event ID [4769](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769) related to this account and service name for additional information.\n\n### False positive analysis\n\n- A possible false positive can be identified if the script content is not malicious/harmful or does not request Kerberos tickets for user accounts, as computer accounts are not vulnerable to Kerberoasting due to complex password requirements and policy.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n KerberosRequestorSecurityToken\n ) and not user.id : (\"S-1-5-18\" or \"S-1-5-20\") and\n not powershell.file.script_block_text : (\n (\"sentinelbreakpoints\" and (\"Set-PSBreakpoint\" or \"Set-HookFunctionTabs\")) or\n (\"function global\" and \"\\\\windows\\\\sentinel\\\\4\")\n )\n", "references": ["https://cobalt.io/blog/kerberoast-attack-techniques", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39", "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", 
"Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 110}, "id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_111.json b/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_111.json
deleted file mode 100644
index 84628faf401..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that have the capability of requesting kerberos tickets, which is a common step in Kerberoasting toolkits to crack service accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Kerberos Ticket Request", "note": "## Triage and analysis\n\n### Investigating PowerShell Kerberos Ticket Request\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\n\nAccounts associated with a service principal name (SPN) are viable targets for Kerberoasting attacks, which use brute force to crack the user password, which is used to encrypt a Kerberos TGS ticket.\n\nAttackers can use PowerShell to request these Kerberos tickets, with the intent of extracting them from memory to perform Kerberoasting.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate if the script was executed, and if so, which account was targeted.\n- Validate if the account has an SPN associated with it.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if the script has any other functionality that can be potentially malicious.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review event ID [4769](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769) related to this account and service name for additional information.\n\n### False positive analysis\n\n- A possible false positive can be identified if the script content is not malicious/harmful or does not request Kerberos tickets for user accounts, as computer accounts are not vulnerable to Kerberoasting due to complex password requirements and policy.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n KerberosRequestorSecurityToken\n ) and not user.id : (\"S-1-5-18\" or \"S-1-5-20\") and\n not powershell.file.script_block_text : (\n (\"sentinelbreakpoints\" and (\"Set-PSBreakpoint\" or \"Set-HookFunctionTabs\")) or\n (\"function global\" and \"\\\\windows\\\\sentinel\\\\4\")\n )\n", "references": ["https://cobalt.io/blog/kerberoast-attack-techniques", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", 
"Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 111}, "id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_112.json b/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_112.json
deleted file mode 100644
index 2ddf0da4643..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/eb610e70-f9e6-4949-82b9-f1c5bcd37c39_112.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that have the capability of requesting kerberos tickets, which is a common step in Kerberoasting toolkits to crack service accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Kerberos Ticket Request", "note": "## Triage and analysis\n\n### Investigating PowerShell Kerberos Ticket Request\n\nPowerShell is one of the main tools system administrators use for automation, report routines, and other tasks, making it available for use in various environments, creating an attractive way for attackers to execute code.\n\nAccounts associated with a service principal name (SPN) are viable targets for Kerberoasting attacks, which use brute force to crack the user password, which is used to encrypt a Kerberos TGS ticket.\n\nAttackers can use PowerShell to request these Kerberos tickets, with the intent of extracting them from memory to perform Kerberoasting.\n\n#### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate if the script was executed, and if so, which account was targeted.\n- Validate if the account has an SPN associated with it.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Check if the script has any other functionality that can be potentially malicious.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Review event ID [4769](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769) related to this account and service name for additional information.\n\n### False positive analysis\n\n- A possible false positive can be identified if the script content is not malicious/harmful or does not request Kerberos tickets for user accounts, as computer accounts are not vulnerable to Kerberoasting due to complex password requirements and policy.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
Prioritize privileged accounts.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n KerberosRequestorSecurityToken\n ) and not user.id : (\"S-1-5-18\" or \"S-1-5-20\") and\n not powershell.file.script_block_text : (\n (\"sentinelbreakpoints\" and (\"Set-PSBreakpoint\" or \"Set-HookFunctionTabs\")) or\n (\"function global\" and \"\\\\windows\\\\sentinel\\\\4\")\n )\n", "references": ["https://cobalt.io/blog/kerberoast-attack-techniques", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", 
"Resources: Investigation Guide", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/", "subtechnique": [{"id": "T1558.003", "name": "Kerberoasting", "reference": "https://attack.mitre.org/techniques/T1558/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 112}, "id": "eb610e70-f9e6-4949-82b9-f1c5bcd37c39_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e.json b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e.json
deleted file mode 100644
index c96afe027a1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Disabling of SELinux", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and process.name == \"setenforce\" and process.args == \"0\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_103.json b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_103.json deleted file mode 100644 index 3b29f364217..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Disabling of SELinux", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:setenforce and process.args:0\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_104.json b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_104.json
deleted file mode 100644
index 60e2cab3092..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Disabling of SELinux", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:setenforce and process.args:0\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_104", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_105.json b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_105.json
deleted file mode 100644
index db7f3f61a1d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Disabling of SELinux", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:setenforce and process.args:0\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_106.json b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_106.json
deleted file mode 100644
index 172e9bd7dff..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Disabling of SELinux", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:setenforce and process.args:0\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e", "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_107.json b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_107.json
deleted file mode 100644
index baea90f03a0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Disabling of SELinux", "query": "event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:setenforce and process.args:0\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_108.json b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_108.json
deleted file mode 100644
index c2d0685fb67..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Disabling of SELinux", "query": "process where host.os.type == \"linux\" and event.type in (\"start\", \"process_started\") and\nprocess.name == \"setenforce\" and process.args == \"0\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_109.json b/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_109.json
deleted file mode 100644
index 757e1d355b7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies potential attempts to disable Security-Enhanced Linux (SELinux), which is a Linux kernel security feature to support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Disabling of SELinux", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nevent.type == \"start\" and process.name == \"setenforce\" and process.args == \"0\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6.json b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6.json
deleted file mode 100644
index 178998f400c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the password log file from the default Mimikatz memssp module.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Mimikatz Memssp Log File Detected", "note": "## Triage and analysis\n\n### Investigating Mimikatz Memssp Log File Detected\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to laterally move and pivot across a network.\n\nThis rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp module, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer account password, running service credentials, and any accounts that logon.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target host.\n- Retrieve and inspect the log file contents.\n- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs.\n - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files.\n - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Identify the process that created the DLL using file creation events.\n\n### False positive analysis\n\n- This file name `mimilsa.log` should not legitimately be created.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the host is a Domain Controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is being followed and reduce the attack surface.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reboot the host to remove the injected SSP from memory.\n- Reimage the host operating system or restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and file.name : \"mimilsa.log\" and process.name : \"lsass.exe\"\n", "references": ["https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential 
Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 311}, "id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_104.json b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_104.json
deleted file mode 100644
index 8bbcad8a401..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the password log file from the default Mimikatz memssp module.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Mimikatz Memssp Log File Detected", "note": "## Triage and analysis\n\n### Investigating Mimikatz Memssp Log File Detected\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to laterally move and pivot across a network.\n\nThis rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp module, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer account password, running service credentials, and any accounts that logon.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target host.\n- Retrieve and inspect the log file contents.\n- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs.\n - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files.\n - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Identify the process that created the DLL using file creation events.\n\n### False positive analysis\n\n- This file name `mimilsa.log` should not legitimately be created.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the host is a Domain Controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is being followed and reduce the attack surface.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reboot the host to remove the injected SSP from memory.\n- Reimage the host operating system or restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and file.name : \"mimilsa.log\" and process.name : \"lsass.exe\"\n", "references": ["https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_105.json b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_105.json
deleted file mode 100644
index d26e0efd316..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the password log file from the default Mimikatz memssp module.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Mimikatz Memssp Log File Detected", "note": "## Triage and analysis\n\n### Investigating Mimikatz Memssp Log File Detected\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to laterally move and pivot across a network.\n\nThis rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp module, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer account password, running service credentials, and any accounts that logon.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target host.\n- Retrieve and inspect the log file contents.\n- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs.\n - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files.\n - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Identify the process that created the DLL using file creation events.\n\n### False positive analysis\n\n- This file name `mimilsa.log` should not legitimately be created.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the host is a Domain Controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is being followed and reduce the attack surface.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reboot the host to remove the injected SSP from memory.\n- Reimage the host operating system or restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and file.name : \"mimilsa.log\" and process.name : \"lsass.exe\"\n", "references": ["https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_106.json b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_106.json
deleted file mode 100644
index 463be3db42f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the password log file from the default Mimikatz memssp module.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Mimikatz Memssp Log File Detected", "note": "## Triage and analysis\n\n### Investigating Mimikatz Memssp Log File Detected\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to laterally move and pivot across a network.\n\nThis rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp module, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer account password, running service credentials, and any accounts that logon.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target host.\n- Retrieve and inspect the log file contents.\n- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs.\n - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files.\n - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Identify the process that created the DLL using file creation events.\n\n### False positive analysis\n\n- This file name `mimilsa.log` should not legitimately be created.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the host is a Domain Controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is being followed and reduce the attack surface.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reboot the host to remove the injected SSP from memory.\n- Reimage the host operating system or restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and file.name : \"mimilsa.log\" and process.name : \"lsass.exe\"\n", "references": ["https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_107.json b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_107.json
deleted file mode 100644
index d8cfab31fbe..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the password log file from the default Mimikatz memssp module.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Mimikatz Memssp Log File Detected", "note": "## Triage and analysis\n\n### Investigating Mimikatz Memssp Log File Detected\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to laterally move and pivot across a network.\n\nThis rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp module, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer account password, running service credentials, and any accounts that logon.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target host.\n- Retrieve and inspect the log file contents.\n- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs.\n - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files.\n - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Identify the process that created the DLL using file creation events.\n\n### False positive analysis\n\n- This file name `mimilsa.log` should not legitimately be created.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the host is a Domain Controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is being followed and reduce the attack surface.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reboot the host to remove the injected SSP from memory.\n- Reimage the host operating system or restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "file where host.os.type == \"windows\" and file.name : \"mimilsa.log\" and process.name : \"lsass.exe\"\n", "references": ["https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": 
"eql", "version": 107}, "id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_108.json b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_108.json
deleted file mode 100644
index 289a0d2731f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the password log file from the default Mimikatz memssp module.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Mimikatz Memssp Log File Detected", "note": "## Triage and analysis\n\n### Investigating Mimikatz Memssp Log File Detected\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to laterally move and pivot across a network.\n\nThis rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp module, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer account password, running service credentials, and any accounts that logon.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target host.\n- Retrieve and inspect the log file contents.\n- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs.\n - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files.\n - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Identify the process that created the DLL using file creation events.\n\n### False positive analysis\n\n- This file name `mimilsa.log` should not legitimately be created.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the host is a Domain Controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is being followed and reduce the attack surface.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reboot the host to remove the injected SSP from memory.\n- Reimage the host operating system or restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and file.name : \"mimilsa.log\" and process.name : \"lsass.exe\"\n", "references": ["https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_109.json b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_109.json
deleted file mode 100644
index 9960fea869c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the password log file from the default Mimikatz memssp module.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Mimikatz Memssp Log File Detected", "note": "## Triage and analysis\n\n### Investigating Mimikatz Memssp Log File Detected\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to laterally move and pivot across a network.\n\nThis rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp module, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer account password, running service credentials, and any accounts that logon.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target host.\n- Retrieve and inspect the log file contents.\n- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs.\n - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files.\n - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Identify the process that created the DLL using file creation events.\n\n### False positive analysis\n\n- This file name `mimilsa.log` should not legitimately be created.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the host is a Domain Controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is being followed and reduce the attack surface.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reboot the host to remove the injected SSP from memory.\n- Reimage the host operating system or restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and file.name : \"mimilsa.log\" and process.name : \"lsass.exe\"\n", "references": ["https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_210.json b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_210.json
deleted file mode 100644
index ec088d5708c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_210.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the password log file from the default Mimikatz memssp module.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Mimikatz Memssp Log File Detected", "note": "## Triage and analysis\n\n### Investigating Mimikatz Memssp Log File Detected\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to laterally move and pivot across a network.\n\nThis rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp module, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer account password, running service credentials, and any accounts that logon.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target host.\n- Retrieve and inspect the log file contents.\n- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs.\n - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files.\n - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Identify the process that created the DLL using file creation events.\n\n### False positive analysis\n\n- This file name `mimilsa.log` should not legitimately be created.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the host is a Domain Controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is being followed and reduce the attack surface.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reboot the host to remove the injected SSP from memory.\n- Reimage the host operating system or restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and file.name : \"mimilsa.log\" and process.name : \"lsass.exe\"\n", "references": ["https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential 
Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 210}, "id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_210", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_311.json b/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_311.json
deleted file mode 100644
index 50887ce2230..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_311.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the password log file from the default Mimikatz memssp module.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Mimikatz Memssp Log File Detected", "note": "## Triage and analysis\n\n### Investigating Mimikatz Memssp Log File Detected\n\n[Mimikatz](https://github.com/gentilkiwi/mimikatz) is an open-source tool used to collect, decrypt, and/or use cached credentials. This tool is commonly abused by adversaries during the post-compromise stage where adversaries have gained an initial foothold on an endpoint and are looking to elevate privileges and seek out additional authentication objects such as tokens/hashes/credentials that can then be used to laterally move and pivot across a network.\n\nThis rule looks for the creation of a file named `mimilsa.log`, which is generated when using the Mimikatz misc::memssp module, which injects a malicious Windows SSP to collect locally authenticated credentials, which includes the computer account password, running service credentials, and any accounts that logon.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target host.\n- Retrieve and inspect the log file contents.\n- Search for DLL files created in the same location as the log file, and retrieve unsigned DLLs.\n - Use the PowerShell Get-FileHash cmdlet to get the SHA-256 hash value of these files.\n - Search for the existence of these files in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Identify the process that created the DLL using file creation events.\n\n### False positive analysis\n\n- This file name `mimilsa.log` should not legitimately be created.\n\n### Related rules\n\n- Mimikatz Powershell Module Activity - ac96ceb8-4399-4191-af1d-4feeac1f1f46\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the host is a Domain Controller (DC):\n - Activate your incident response plan for total Active Directory compromise.\n - Review the privileges assigned to users that can access the DCs to ensure that the least privilege principle is being followed and reduce the attack surface.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Reboot the host to remove the injected SSP from memory.\n- Reimage the host operating system or restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and file.name : \"mimilsa.log\" and process.name : \"lsass.exe\"\n", "references": ["https://www.elastic.co/security-labs/detect-credential-access"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential 
Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 311}, "id": "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6_311", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5.json b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5.json
deleted file mode 100644
index 968b899bbdc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "IIS HTTP Logging Disabled", "note": "## Triage and analysis\n\n### Investigating IIS HTTP Logging Disabled\n\nIIS (Internet Information Services) is a Microsoft web server software used to host websites and web applications on Windows. It provides features for serving dynamic and static content, and can be managed through a graphical interface or command-line tools.\n\nIIS logging is a data source that can be used for security monitoring, forensics, and incident response. It contains mainly information related to requests done to the web server, and can be used to spot malicious activities like webshells. Adversaries can tamper, clear, and delete this data to evade detection, cover their tracks, and slow down incident response.\n\nThis rule monitors commands that disable IIS logging.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Verify whether the logs stored in the `C:\\inetpub\\logs\\logfiles\\w3svc1` directory were deleted after this action.\n- Check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or ?process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/dontLog*:*True\" and\n not process.parent.name : \"iissetup.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: 
Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_104.json b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_104.json
deleted file mode 100644
index e2280cede2c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "IIS HTTP Logging Disabled", "note": "## Triage and analysis\n\n### Investigating IIS HTTP Logging Disabled\n\nIIS (Internet Information Services) is a Microsoft web server software used to host websites and web applications on Windows. It provides features for serving dynamic and static content, and can be managed through a graphical interface or command-line tools.\n\nIIS logging is a data source that can be used for security monitoring, forensics, and incident response. It contains mainly information related to requests done to the web server, and can be used to spot malicious activities like webshells. Adversaries can tamper, clear, and delete this data to evade detection, cover their tracks, and slow down incident response.\n\nThis rule monitors commands that disable IIS logging.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Verify whether the logs stored in the `C:\\inetpub\\logs\\logfiles\\w3svc1` directory were deleted after this action.\n- Check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/dontLog*:*True\" and\n not process.parent.name : \"iissetup.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.002", 
"name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_105.json b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_105.json
deleted file mode 100644
index c2e527cfa90..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "IIS HTTP Logging Disabled", "note": "## Triage and analysis\n\n### Investigating IIS HTTP Logging Disabled\n\nIIS (Internet Information Services) is a Microsoft web server software used to host websites and web applications on Windows. It provides features for serving dynamic and static content, and can be managed through a graphical interface or command-line tools.\n\nIIS logging is a data source that can be used for security monitoring, forensics, and incident response. It contains mainly information related to requests done to the web server, and can be used to spot malicious activities like webshells. Adversaries can tamper, clear, and delete this data to evade detection, cover their tracks, and slow down incident response.\n\nThis rule monitors commands that disable IIS logging.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Verify whether the logs stored in the `C:\\inetpub\\logs\\logfiles\\w3svc1` directory were deleted after this action.\n- Check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/dontLog*:*True\" and\n not process.parent.name : \"iissetup.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": 
"https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_106.json b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_106.json
deleted file mode 100644
index c4701e25ee5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "IIS HTTP Logging Disabled", "note": "## Triage and analysis\n\n### Investigating IIS HTTP Logging Disabled\n\nIIS (Internet Information Services) is a Microsoft web server software used to host websites and web applications on Windows. It provides features for serving dynamic and static content, and can be managed through a graphical interface or command-line tools.\n\nIIS logging is a data source that can be used for security monitoring, forensics, and incident response. It contains mainly information related to requests done to the web server, and can be used to spot malicious activities like webshells. Adversaries can tamper, clear, and delete this data to evade detection, cover their tracks, and slow down incident response.\n\nThis rule monitors commands that disable IIS logging.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Verify whether the logs stored in the `C:\\inetpub\\logs\\logfiles\\w3svc1` directory were deleted after this action.\n- Check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/dontLog*:*True\" and\n not process.parent.name : \"iissetup.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": 
"https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_107.json b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_107.json
deleted file mode 100644
index 84c600d72c7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "IIS HTTP Logging Disabled", "note": "## Triage and analysis\n\n### Investigating IIS HTTP Logging Disabled\n\nIIS (Internet Information Services) is a Microsoft web server software used to host websites and web applications on Windows. It provides features for serving dynamic and static content, and can be managed through a graphical interface or command-line tools.\n\nIIS logging is a data source that can be used for security monitoring, forensics, and incident response. It contains mainly information related to requests done to the web server, and can be used to spot malicious activities like webshells. Adversaries can tamper, clear, and delete this data to evade detection, cover their tracks, and slow down incident response.\n\nThis rule monitors commands that disable IIS logging.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Verify whether the logs stored in the `C:\\inetpub\\logs\\logfiles\\w3svc1` directory were deleted after this action.\n- Check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/dontLog*:*True\" and\n not process.parent.name : \"iissetup.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_108.json b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_108.json
deleted file mode 100644
index 4b9b55583e5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "IIS HTTP Logging Disabled", "note": "## Triage and analysis\n\n### Investigating IIS HTTP Logging Disabled\n\nIIS (Internet Information Services) is a Microsoft web server software used to host websites and web applications on Windows. It provides features for serving dynamic and static content, and can be managed through a graphical interface or command-line tools.\n\nIIS logging is a data source that can be used for security monitoring, forensics, and incident response. It contains mainly information related to requests done to the web server, and can be used to spot malicious activities like webshells. Adversaries can tamper, clear, and delete this data to evade detection, cover their tracks, and slow down incident response.\n\nThis rule monitors commands that disable IIS logging.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Verify whether the logs stored in the `C:\\inetpub\\logs\\logfiles\\w3svc1` directory were deleted after this action.\n- Check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or ?process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/dontLog*:*True\" and\n not process.parent.name : \"iissetup.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic 
Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_109.json b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_109.json
deleted file mode 100644
index 9bc46b3dedf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "IIS HTTP Logging Disabled", "note": "## Triage and analysis\n\n### Investigating IIS HTTP Logging Disabled\n\nIIS (Internet Information Services) is a Microsoft web server software used to host websites and web applications on Windows. It provides features for serving dynamic and static content, and can be managed through a graphical interface or command-line tools.\n\nIIS logging is a data source that can be used for security monitoring, forensics, and incident response. It contains mainly information related to requests done to the web server, and can be used to spot malicious activities like webshells. Adversaries can tamper, clear, and delete this data to evade detection, cover their tracks, and slow down incident response.\n\nThis rule monitors commands that disable IIS logging.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Verify whether the logs stored in the `C:\\inetpub\\logs\\logfiles\\w3svc1` directory were deleted after this action.\n- Check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or ?process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/dontLog*:*True\" and\n not process.parent.name : \"iissetup.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: 
Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_110.json b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_110.json
deleted file mode 100644
index 2e050210c45..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "IIS HTTP Logging Disabled", "note": "## Triage and analysis\n\n### Investigating IIS HTTP Logging Disabled\n\nIIS (Internet Information Services) is a Microsoft web server software used to host websites and web applications on Windows. It provides features for serving dynamic and static content, and can be managed through a graphical interface or command-line tools.\n\nIIS logging is a data source that can be used for security monitoring, forensics, and incident response. It contains mainly information related to requests done to the web server, and can be used to spot malicious activities like webshells. Adversaries can tamper, clear, and delete this data to evade detection, cover their tracks, and slow down incident response.\n\nThis rule monitors commands that disable IIS logging.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Verify whether the logs stored in the `C:\\inetpub\\logs\\logfiles\\w3svc1` directory were deleted after this action.\n- Check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or ?process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/dontLog*:*True\" and\n not process.parent.name : \"iissetup.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: 
Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_111.json b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_111.json
deleted file mode 100644
index 0dd69ec5a17..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "IIS HTTP Logging Disabled", "note": "## Triage and analysis\n\n### Investigating IIS HTTP Logging Disabled\n\nIIS (Internet Information Services) is a Microsoft web server software used to host websites and web applications on Windows. It provides features for serving dynamic and static content, and can be managed through a graphical interface or command-line tools.\n\nIIS logging is a data source that can be used for security monitoring, forensics, and incident response. It contains mainly information related to requests done to the web server, and can be used to spot malicious activities like webshells. Adversaries can tamper, clear, and delete this data to evade detection, cover their tracks, and slow down incident response.\n\nThis rule monitors commands that disable IIS logging.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Verify whether the logs stored in the `C:\\inetpub\\logs\\logfiles\\w3svc1` directory were deleted after this action.\n- Check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or ?process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/dontLog*:*True\" and\n not process.parent.name : \"iissetup.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: 
Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_311.json b/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_311.json
deleted file mode 100644
index 6d4b6f03989..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ebf1adea-ccf2-4943-8b96-7ab11ca173a5_311.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies when Internet Information Services (IIS) HTTP Logging is disabled on a server. An attacker with IIS server access via a webshell or other mechanism can disable HTTP Logging as an effective anti-forensics measure.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "max_signals": 33, "name": "IIS HTTP Logging Disabled", "note": "## Triage and analysis\n\n### Investigating IIS HTTP Logging Disabled\n\nIIS (Internet Information Services) is a Microsoft web server software used to host websites and web applications on Windows. It provides features for serving dynamic and static content, and can be managed through a graphical interface or command-line tools.\n\nIIS logging is a data source that can be used for security monitoring, forensics, and incident response. It contains mainly information related to requests done to the web server, and can be used to spot malicious activities like webshells. Adversaries can tamper, clear, and delete this data to evade detection, cover their tracks, and slow down incident response.\n\nThis rule monitors commands that disable IIS logging.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Verify whether the logs stored in the `C:\\inetpub\\logs\\logfiles\\w3svc1` directory were deleted after this action.\n- Check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Re-enable affected logging components, services, and security monitoring.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"appcmd.exe\" or ?process.pe.original_file_name == \"appcmd.exe\") and\n process.args : \"/dontLog*:*True\" and\n not process.parent.name : \"iissetup.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": 
"https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.002", "name": "Disable Windows Event Logging", "reference": "https://attack.mitre.org/techniques/T1562/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 311}, "id": "ebf1adea-ccf2-4943-8b96-7ab11ca173a5_311", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f.json b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f.json deleted file mode 100644 index ca0ce08cadb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Process Execution from an Unusual Directory", "note": "## Triage and analysis\n\n### Investigating Process Execution from an Unusual Directory\n\nThis rule identifies processes that are executed from suspicious default Windows directories. Adversaries may abuse this technique by planting malware in trusted paths, making it difficult for security analysts to discern if their activities are malicious or take advantage of exceptions that may apply to these paths.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes, examining their executable files for prevalence, location, and valid digital signatures.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Examine arguments and working directory to determine the program's source or the nature of the tasks it is performing.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT 
description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of executable and signature conditions.\n\n### Related Rules\n\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Execution from Unusual Directory - Command Line - cff92c41-2225-4763-b4ce-6f71e5bda5e6\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified 
during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* add suspicious execution paths here */\n process.executable : (\n \"?:\\\\PerfLogs\\\\*.exe\", \"?:\\\\Users\\\\Public\\\\*.exe\", \"?:\\\\Windows\\\\Tasks\\\\*.exe\",\n \"?:\\\\Intel\\\\*.exe\", \"?:\\\\AMD\\\\Temp\\\\*.exe\", \"?:\\\\Windows\\\\AppReadiness\\\\*.exe\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.exe\", \"?:\\\\Windows\\\\security\\\\*.exe\", \"?:\\\\Windows\\\\IdentityCRL\\\\*.exe\",\n \"?:\\\\Windows\\\\Branding\\\\*.exe\", \"?:\\\\Windows\\\\csc\\\\*.exe\", \"?:\\\\Windows\\\\DigitalLocker\\\\*.exe\",\n \"?:\\\\Windows\\\\en-US\\\\*.exe\", \"?:\\\\Windows\\\\wlansvc\\\\*.exe\", \"?:\\\\Windows\\\\Prefetch\\\\*.exe\",\n \"?:\\\\Windows\\\\Fonts\\\\*.exe\", \"?:\\\\Windows\\\\diagnostics\\\\*.exe\", \"?:\\\\Windows\\\\TAPI\\\\*.exe\",\n \"?:\\\\Windows\\\\INF\\\\*.exe\", \"?:\\\\Windows\\\\System32\\\\Speech\\\\*.exe\", \"?:\\\\windows\\\\tracing\\\\*.exe\",\n \"?:\\\\windows\\\\IME\\\\*.exe\", \"?:\\\\Windows\\\\Performance\\\\*.exe\", \"?:\\\\windows\\\\intel\\\\*.exe\",\n \"?:\\\\windows\\\\ms\\\\*.exe\", \"?:\\\\Windows\\\\dot3svc\\\\*.exe\", \"?:\\\\Windows\\\\panther\\\\*.exe\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.exe\", \"?:\\\\Windows\\\\OCR\\\\*.exe\", 
\"?:\\\\Windows\\\\appcompat\\\\*.exe\",\n \"?:\\\\Windows\\\\apppatch\\\\*.exe\", \"?:\\\\Windows\\\\addins\\\\*.exe\", \"?:\\\\Windows\\\\Setup\\\\*.exe\",\n \"?:\\\\Windows\\\\Help\\\\*.exe\", \"?:\\\\Windows\\\\SKB\\\\*.exe\", \"?:\\\\Windows\\\\Vss\\\\*.exe\",\n \"?:\\\\Windows\\\\Web\\\\*.exe\", \"?:\\\\Windows\\\\servicing\\\\*.exe\", \"?:\\\\Windows\\\\CbsTemp\\\\*.exe\",\n \"?:\\\\Windows\\\\Logs\\\\*.exe\", \"?:\\\\Windows\\\\WaaS\\\\*.exe\", \"?:\\\\Windows\\\\ShellExperiences\\\\*.exe\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.exe\", \"?:\\\\Windows\\\\PLA\\\\*.exe\", \"?:\\\\Windows\\\\Migration\\\\*.exe\",\n \"?:\\\\Windows\\\\debug\\\\*.exe\", \"?:\\\\Windows\\\\Cursors\\\\*.exe\", \"?:\\\\Windows\\\\Containers\\\\*.exe\",\n \"?:\\\\Windows\\\\Boot\\\\*.exe\", \"?:\\\\Windows\\\\bcastdvr\\\\*.exe\", \"?:\\\\Windows\\\\assembly\\\\*.exe\",\n \"?:\\\\Windows\\\\TextInput\\\\*.exe\", \"?:\\\\Windows\\\\security\\\\*.exe\", \"?:\\\\Windows\\\\schemas\\\\*.exe\",\n \"?:\\\\Windows\\\\SchCache\\\\*.exe\", \"?:\\\\Windows\\\\Resources\\\\*.exe\", \"?:\\\\Windows\\\\rescache\\\\*.exe\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.exe\", \"?:\\\\Windows\\\\PrintDialog\\\\*.exe\", \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.exe\",\n \"?:\\\\Windows\\\\media\\\\*.exe\", \"?:\\\\Windows\\\\Globalization\\\\*.exe\", \"?:\\\\Windows\\\\L2Schemas\\\\*.exe\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.exe\", \"?:\\\\Windows\\\\ModemLogs\\\\*.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.exe\"\n ) and\n \n not process.name : (\n \"SpeechUXWiz.exe\", \"SystemSettings.exe\", \"TrustedInstaller.exe\",\n \"PrintDialog.exe\", \"MpSigStub.exe\", \"LMS.exe\", \"mpam-*.exe\"\n ) and\n not process.executable :\n (\"?:\\\\Intel\\\\Wireless\\\\WUSetupLauncher.exe\",\n \"?:\\\\Intel\\\\Wireless\\\\Setup.exe\",\n \"?:\\\\Intel\\\\Move Mouse.exe\",\n \"?:\\\\windows\\\\Panther\\\\DiagTrackRunner.exe\",\n \"?:\\\\Windows\\\\servicing\\\\GC64\\\\tzupd.exe\",\n 
\"?:\\\\Users\\\\Public\\\\res\\\\RemoteLite.exe\",\n \"?:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\*.exe\",\n \"?:\\\\Users\\\\Public\\\\Documents\\\\syspin.exe\",\n \"?:\\\\Users\\\\Public\\\\res\\\\FileWatcher.exe\")\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 111}, "id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_104.json b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_104.json deleted file mode 100644 index 0c3d59505ac..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Execution from an Unusual Directory", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* add suspicious execution paths here */\nprocess.executable : (\"C:\\\\PerfLogs\\\\*.exe\",\"C:\\\\Users\\\\Public\\\\*.exe\",\"C:\\\\Windows\\\\Tasks\\\\*.exe\",\"C:\\\\Intel\\\\*.exe\",\"C:\\\\AMD\\\\Temp\\\\*.exe\",\"C:\\\\Windows\\\\AppReadiness\\\\*.exe\",\n\"C:\\\\Windows\\\\ServiceState\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\IdentityCRL\\\\*.exe\",\"C:\\\\Windows\\\\Branding\\\\*.exe\",\"C:\\\\Windows\\\\csc\\\\*.exe\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*.exe\",\"C:\\\\Windows\\\\en-US\\\\*.exe\",\"C:\\\\Windows\\\\wlansvc\\\\*.exe\",\"C:\\\\Windows\\\\Prefetch\\\\*.exe\",\"C:\\\\Windows\\\\Fonts\\\\*.exe\",\n \"C:\\\\Windows\\\\diagnostics\\\\*.exe\",\"C:\\\\Windows\\\\TAPI\\\\*.exe\",\"C:\\\\Windows\\\\INF\\\\*.exe\",\"C:\\\\Windows\\\\System32\\\\Speech\\\\*.exe\",\"C:\\\\windows\\\\tracing\\\\*.exe\",\n \"c:\\\\windows\\\\IME\\\\*.exe\",\"c:\\\\Windows\\\\Performance\\\\*.exe\",\"c:\\\\windows\\\\intel\\\\*.exe\",\"c:\\\\windows\\\\ms\\\\*.exe\",\"C:\\\\Windows\\\\dot3svc\\\\*.exe\",\n \"C:\\\\Windows\\\\panther\\\\*.exe\",\"C:\\\\Windows\\\\RemotePackages\\\\*.exe\",\"C:\\\\Windows\\\\OCR\\\\*.exe\",\"C:\\\\Windows\\\\appcompat\\\\*.exe\",\"C:\\\\Windows\\\\apppatch\\\\*.exe\",\"C:\\\\Windows\\\\addins\\\\*.exe\",\n 
\"C:\\\\Windows\\\\Setup\\\\*.exe\",\"C:\\\\Windows\\\\Help\\\\*.exe\",\"C:\\\\Windows\\\\SKB\\\\*.exe\",\"C:\\\\Windows\\\\Vss\\\\*.exe\",\"C:\\\\Windows\\\\Web\\\\*.exe\",\"C:\\\\Windows\\\\servicing\\\\*.exe\",\"C:\\\\Windows\\\\CbsTemp\\\\*.exe\",\n \"C:\\\\Windows\\\\Logs\\\\*.exe\",\"C:\\\\Windows\\\\WaaS\\\\*.exe\",\"C:\\\\Windows\\\\ShellExperiences\\\\*.exe\",\"C:\\\\Windows\\\\ShellComponents\\\\*.exe\",\"C:\\\\Windows\\\\PLA\\\\*.exe\",\n \"C:\\\\Windows\\\\Migration\\\\*.exe\",\"C:\\\\Windows\\\\debug\\\\*.exe\",\"C:\\\\Windows\\\\Cursors\\\\*.exe\",\"C:\\\\Windows\\\\Containers\\\\*.exe\",\"C:\\\\Windows\\\\Boot\\\\*.exe\",\"C:\\\\Windows\\\\bcastdvr\\\\*.exe\",\n \"C:\\\\Windows\\\\assembly\\\\*.exe\",\"C:\\\\Windows\\\\TextInput\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\schemas\\\\*.exe\",\"C:\\\\Windows\\\\SchCache\\\\*.exe\",\"C:\\\\Windows\\\\Resources\\\\*.exe\",\n \"C:\\\\Windows\\\\rescache\\\\*.exe\",\"C:\\\\Windows\\\\Provisioning\\\\*.exe\",\"C:\\\\Windows\\\\PrintDialog\\\\*.exe\",\"C:\\\\Windows\\\\PolicyDefinitions\\\\*.exe\",\"C:\\\\Windows\\\\media\\\\*.exe\",\n \"C:\\\\Windows\\\\Globalization\\\\*.exe\",\"C:\\\\Windows\\\\L2Schemas\\\\*.exe\",\"C:\\\\Windows\\\\LiveKernelReports\\\\*.exe\",\"C:\\\\Windows\\\\ModemLogs\\\\*.exe\",\"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*.exe\") and\n not process.name : (\"SpeechUXWiz.exe\",\"SystemSettings.exe\",\"TrustedInstaller.exe\",\"PrintDialog.exe\",\"MpSigStub.exe\",\"LMS.exe\",\"mpam-*.exe\") and\n not process.executable :\n (\"?:\\\\Intel\\\\Wireless\\\\WUSetupLauncher.exe\",\n \"?:\\\\Intel\\\\Wireless\\\\Setup.exe\",\n \"?:\\\\Intel\\\\Move Mouse.exe\",\n \"?:\\\\windows\\\\Panther\\\\DiagTrackRunner.exe\",\n \"?:\\\\Windows\\\\servicing\\\\GC64\\\\tzupd.exe\",\n \"?:\\\\Users\\\\Public\\\\res\\\\RemoteLite.exe\",\n \"?:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\*.exe\",\n \"?:\\\\Users\\\\Public\\\\Documents\\\\syspin.exe\",\n 
\"?:\\\\Users\\\\Public\\\\res\\\\FileWatcher.exe\")\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_105.json b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_105.json deleted file mode 100644 index 8eda9965521..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Execution from an Unusual Directory", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* add suspicious execution paths here */\nprocess.executable : (\"C:\\\\PerfLogs\\\\*.exe\",\"C:\\\\Users\\\\Public\\\\*.exe\",\"C:\\\\Windows\\\\Tasks\\\\*.exe\",\"C:\\\\Intel\\\\*.exe\",\"C:\\\\AMD\\\\Temp\\\\*.exe\",\"C:\\\\Windows\\\\AppReadiness\\\\*.exe\",\n\"C:\\\\Windows\\\\ServiceState\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\IdentityCRL\\\\*.exe\",\"C:\\\\Windows\\\\Branding\\\\*.exe\",\"C:\\\\Windows\\\\csc\\\\*.exe\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*.exe\",\"C:\\\\Windows\\\\en-US\\\\*.exe\",\"C:\\\\Windows\\\\wlansvc\\\\*.exe\",\"C:\\\\Windows\\\\Prefetch\\\\*.exe\",\"C:\\\\Windows\\\\Fonts\\\\*.exe\",\n \"C:\\\\Windows\\\\diagnostics\\\\*.exe\",\"C:\\\\Windows\\\\TAPI\\\\*.exe\",\"C:\\\\Windows\\\\INF\\\\*.exe\",\"C:\\\\Windows\\\\System32\\\\Speech\\\\*.exe\",\"C:\\\\windows\\\\tracing\\\\*.exe\",\n \"c:\\\\windows\\\\IME\\\\*.exe\",\"c:\\\\Windows\\\\Performance\\\\*.exe\",\"c:\\\\windows\\\\intel\\\\*.exe\",\"c:\\\\windows\\\\ms\\\\*.exe\",\"C:\\\\Windows\\\\dot3svc\\\\*.exe\",\n \"C:\\\\Windows\\\\panther\\\\*.exe\",\"C:\\\\Windows\\\\RemotePackages\\\\*.exe\",\"C:\\\\Windows\\\\OCR\\\\*.exe\",\"C:\\\\Windows\\\\appcompat\\\\*.exe\",\"C:\\\\Windows\\\\apppatch\\\\*.exe\",\"C:\\\\Windows\\\\addins\\\\*.exe\",\n 
\"C:\\\\Windows\\\\Setup\\\\*.exe\",\"C:\\\\Windows\\\\Help\\\\*.exe\",\"C:\\\\Windows\\\\SKB\\\\*.exe\",\"C:\\\\Windows\\\\Vss\\\\*.exe\",\"C:\\\\Windows\\\\Web\\\\*.exe\",\"C:\\\\Windows\\\\servicing\\\\*.exe\",\"C:\\\\Windows\\\\CbsTemp\\\\*.exe\",\n \"C:\\\\Windows\\\\Logs\\\\*.exe\",\"C:\\\\Windows\\\\WaaS\\\\*.exe\",\"C:\\\\Windows\\\\ShellExperiences\\\\*.exe\",\"C:\\\\Windows\\\\ShellComponents\\\\*.exe\",\"C:\\\\Windows\\\\PLA\\\\*.exe\",\n \"C:\\\\Windows\\\\Migration\\\\*.exe\",\"C:\\\\Windows\\\\debug\\\\*.exe\",\"C:\\\\Windows\\\\Cursors\\\\*.exe\",\"C:\\\\Windows\\\\Containers\\\\*.exe\",\"C:\\\\Windows\\\\Boot\\\\*.exe\",\"C:\\\\Windows\\\\bcastdvr\\\\*.exe\",\n \"C:\\\\Windows\\\\assembly\\\\*.exe\",\"C:\\\\Windows\\\\TextInput\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\schemas\\\\*.exe\",\"C:\\\\Windows\\\\SchCache\\\\*.exe\",\"C:\\\\Windows\\\\Resources\\\\*.exe\",\n \"C:\\\\Windows\\\\rescache\\\\*.exe\",\"C:\\\\Windows\\\\Provisioning\\\\*.exe\",\"C:\\\\Windows\\\\PrintDialog\\\\*.exe\",\"C:\\\\Windows\\\\PolicyDefinitions\\\\*.exe\",\"C:\\\\Windows\\\\media\\\\*.exe\",\n \"C:\\\\Windows\\\\Globalization\\\\*.exe\",\"C:\\\\Windows\\\\L2Schemas\\\\*.exe\",\"C:\\\\Windows\\\\LiveKernelReports\\\\*.exe\",\"C:\\\\Windows\\\\ModemLogs\\\\*.exe\",\"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*.exe\") and\n not process.name : (\"SpeechUXWiz.exe\",\"SystemSettings.exe\",\"TrustedInstaller.exe\",\"PrintDialog.exe\",\"MpSigStub.exe\",\"LMS.exe\",\"mpam-*.exe\") and\n not process.executable :\n (\"?:\\\\Intel\\\\Wireless\\\\WUSetupLauncher.exe\",\n \"?:\\\\Intel\\\\Wireless\\\\Setup.exe\",\n \"?:\\\\Intel\\\\Move Mouse.exe\",\n \"?:\\\\windows\\\\Panther\\\\DiagTrackRunner.exe\",\n \"?:\\\\Windows\\\\servicing\\\\GC64\\\\tzupd.exe\",\n \"?:\\\\Users\\\\Public\\\\res\\\\RemoteLite.exe\",\n \"?:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\*.exe\",\n \"?:\\\\Users\\\\Public\\\\Documents\\\\syspin.exe\",\n 
\"?:\\\\Users\\\\Public\\\\res\\\\FileWatcher.exe\")\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_106.json b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_106.json deleted file mode 100644 index 841c5917a8a..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Execution from an Unusual Directory", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* add suspicious execution paths here */\nprocess.executable : (\"C:\\\\PerfLogs\\\\*.exe\",\"C:\\\\Users\\\\Public\\\\*.exe\",\"C:\\\\Windows\\\\Tasks\\\\*.exe\",\"C:\\\\Intel\\\\*.exe\",\"C:\\\\AMD\\\\Temp\\\\*.exe\",\"C:\\\\Windows\\\\AppReadiness\\\\*.exe\",\n\"C:\\\\Windows\\\\ServiceState\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\IdentityCRL\\\\*.exe\",\"C:\\\\Windows\\\\Branding\\\\*.exe\",\"C:\\\\Windows\\\\csc\\\\*.exe\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*.exe\",\"C:\\\\Windows\\\\en-US\\\\*.exe\",\"C:\\\\Windows\\\\wlansvc\\\\*.exe\",\"C:\\\\Windows\\\\Prefetch\\\\*.exe\",\"C:\\\\Windows\\\\Fonts\\\\*.exe\",\n \"C:\\\\Windows\\\\diagnostics\\\\*.exe\",\"C:\\\\Windows\\\\TAPI\\\\*.exe\",\"C:\\\\Windows\\\\INF\\\\*.exe\",\"C:\\\\Windows\\\\System32\\\\Speech\\\\*.exe\",\"C:\\\\windows\\\\tracing\\\\*.exe\",\n \"c:\\\\windows\\\\IME\\\\*.exe\",\"c:\\\\Windows\\\\Performance\\\\*.exe\",\"c:\\\\windows\\\\intel\\\\*.exe\",\"c:\\\\windows\\\\ms\\\\*.exe\",\"C:\\\\Windows\\\\dot3svc\\\\*.exe\",\n \"C:\\\\Windows\\\\panther\\\\*.exe\",\"C:\\\\Windows\\\\RemotePackages\\\\*.exe\",\"C:\\\\Windows\\\\OCR\\\\*.exe\",\"C:\\\\Windows\\\\appcompat\\\\*.exe\",\"C:\\\\Windows\\\\apppatch\\\\*.exe\",\"C:\\\\Windows\\\\addins\\\\*.exe\",\n 
\"C:\\\\Windows\\\\Setup\\\\*.exe\",\"C:\\\\Windows\\\\Help\\\\*.exe\",\"C:\\\\Windows\\\\SKB\\\\*.exe\",\"C:\\\\Windows\\\\Vss\\\\*.exe\",\"C:\\\\Windows\\\\Web\\\\*.exe\",\"C:\\\\Windows\\\\servicing\\\\*.exe\",\"C:\\\\Windows\\\\CbsTemp\\\\*.exe\",\n \"C:\\\\Windows\\\\Logs\\\\*.exe\",\"C:\\\\Windows\\\\WaaS\\\\*.exe\",\"C:\\\\Windows\\\\ShellExperiences\\\\*.exe\",\"C:\\\\Windows\\\\ShellComponents\\\\*.exe\",\"C:\\\\Windows\\\\PLA\\\\*.exe\",\n \"C:\\\\Windows\\\\Migration\\\\*.exe\",\"C:\\\\Windows\\\\debug\\\\*.exe\",\"C:\\\\Windows\\\\Cursors\\\\*.exe\",\"C:\\\\Windows\\\\Containers\\\\*.exe\",\"C:\\\\Windows\\\\Boot\\\\*.exe\",\"C:\\\\Windows\\\\bcastdvr\\\\*.exe\",\n \"C:\\\\Windows\\\\assembly\\\\*.exe\",\"C:\\\\Windows\\\\TextInput\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\schemas\\\\*.exe\",\"C:\\\\Windows\\\\SchCache\\\\*.exe\",\"C:\\\\Windows\\\\Resources\\\\*.exe\",\n \"C:\\\\Windows\\\\rescache\\\\*.exe\",\"C:\\\\Windows\\\\Provisioning\\\\*.exe\",\"C:\\\\Windows\\\\PrintDialog\\\\*.exe\",\"C:\\\\Windows\\\\PolicyDefinitions\\\\*.exe\",\"C:\\\\Windows\\\\media\\\\*.exe\",\n \"C:\\\\Windows\\\\Globalization\\\\*.exe\",\"C:\\\\Windows\\\\L2Schemas\\\\*.exe\",\"C:\\\\Windows\\\\LiveKernelReports\\\\*.exe\",\"C:\\\\Windows\\\\ModemLogs\\\\*.exe\",\"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*.exe\") and\n not process.name : (\"SpeechUXWiz.exe\",\"SystemSettings.exe\",\"TrustedInstaller.exe\",\"PrintDialog.exe\",\"MpSigStub.exe\",\"LMS.exe\",\"mpam-*.exe\") and\n not process.executable :\n (\"?:\\\\Intel\\\\Wireless\\\\WUSetupLauncher.exe\",\n \"?:\\\\Intel\\\\Wireless\\\\Setup.exe\",\n \"?:\\\\Intel\\\\Move Mouse.exe\",\n \"?:\\\\windows\\\\Panther\\\\DiagTrackRunner.exe\",\n \"?:\\\\Windows\\\\servicing\\\\GC64\\\\tzupd.exe\",\n \"?:\\\\Users\\\\Public\\\\res\\\\RemoteLite.exe\",\n \"?:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\*.exe\",\n \"?:\\\\Users\\\\Public\\\\Documents\\\\syspin.exe\",\n 
\"?:\\\\Users\\\\Public\\\\res\\\\FileWatcher.exe\")\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_107.json b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_107.json
deleted file mode 100644
index 0a1de3fdfc2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Execution from an Unusual Directory", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* add suspicious execution paths here */\nprocess.executable : (\"C:\\\\PerfLogs\\\\*.exe\",\"C:\\\\Users\\\\Public\\\\*.exe\",\"C:\\\\Windows\\\\Tasks\\\\*.exe\",\"C:\\\\Intel\\\\*.exe\",\"C:\\\\AMD\\\\Temp\\\\*.exe\",\"C:\\\\Windows\\\\AppReadiness\\\\*.exe\",\n\"C:\\\\Windows\\\\ServiceState\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\IdentityCRL\\\\*.exe\",\"C:\\\\Windows\\\\Branding\\\\*.exe\",\"C:\\\\Windows\\\\csc\\\\*.exe\",\n \"C:\\\\Windows\\\\DigitalLocker\\\\*.exe\",\"C:\\\\Windows\\\\en-US\\\\*.exe\",\"C:\\\\Windows\\\\wlansvc\\\\*.exe\",\"C:\\\\Windows\\\\Prefetch\\\\*.exe\",\"C:\\\\Windows\\\\Fonts\\\\*.exe\",\n \"C:\\\\Windows\\\\diagnostics\\\\*.exe\",\"C:\\\\Windows\\\\TAPI\\\\*.exe\",\"C:\\\\Windows\\\\INF\\\\*.exe\",\"C:\\\\Windows\\\\System32\\\\Speech\\\\*.exe\",\"C:\\\\windows\\\\tracing\\\\*.exe\",\n \"c:\\\\windows\\\\IME\\\\*.exe\",\"c:\\\\Windows\\\\Performance\\\\*.exe\",\"c:\\\\windows\\\\intel\\\\*.exe\",\"c:\\\\windows\\\\ms\\\\*.exe\",\"C:\\\\Windows\\\\dot3svc\\\\*.exe\",\n \"C:\\\\Windows\\\\panther\\\\*.exe\",\"C:\\\\Windows\\\\RemotePackages\\\\*.exe\",\"C:\\\\Windows\\\\OCR\\\\*.exe\",\"C:\\\\Windows\\\\appcompat\\\\*.exe\",\"C:\\\\Windows\\\\apppatch\\\\*.exe\",\"C:\\\\Windows\\\\addins\\\\*.exe\",\n 
\"C:\\\\Windows\\\\Setup\\\\*.exe\",\"C:\\\\Windows\\\\Help\\\\*.exe\",\"C:\\\\Windows\\\\SKB\\\\*.exe\",\"C:\\\\Windows\\\\Vss\\\\*.exe\",\"C:\\\\Windows\\\\Web\\\\*.exe\",\"C:\\\\Windows\\\\servicing\\\\*.exe\",\"C:\\\\Windows\\\\CbsTemp\\\\*.exe\",\n \"C:\\\\Windows\\\\Logs\\\\*.exe\",\"C:\\\\Windows\\\\WaaS\\\\*.exe\",\"C:\\\\Windows\\\\ShellExperiences\\\\*.exe\",\"C:\\\\Windows\\\\ShellComponents\\\\*.exe\",\"C:\\\\Windows\\\\PLA\\\\*.exe\",\n \"C:\\\\Windows\\\\Migration\\\\*.exe\",\"C:\\\\Windows\\\\debug\\\\*.exe\",\"C:\\\\Windows\\\\Cursors\\\\*.exe\",\"C:\\\\Windows\\\\Containers\\\\*.exe\",\"C:\\\\Windows\\\\Boot\\\\*.exe\",\"C:\\\\Windows\\\\bcastdvr\\\\*.exe\",\n \"C:\\\\Windows\\\\assembly\\\\*.exe\",\"C:\\\\Windows\\\\TextInput\\\\*.exe\",\"C:\\\\Windows\\\\security\\\\*.exe\",\"C:\\\\Windows\\\\schemas\\\\*.exe\",\"C:\\\\Windows\\\\SchCache\\\\*.exe\",\"C:\\\\Windows\\\\Resources\\\\*.exe\",\n \"C:\\\\Windows\\\\rescache\\\\*.exe\",\"C:\\\\Windows\\\\Provisioning\\\\*.exe\",\"C:\\\\Windows\\\\PrintDialog\\\\*.exe\",\"C:\\\\Windows\\\\PolicyDefinitions\\\\*.exe\",\"C:\\\\Windows\\\\media\\\\*.exe\",\n \"C:\\\\Windows\\\\Globalization\\\\*.exe\",\"C:\\\\Windows\\\\L2Schemas\\\\*.exe\",\"C:\\\\Windows\\\\LiveKernelReports\\\\*.exe\",\"C:\\\\Windows\\\\ModemLogs\\\\*.exe\",\"C:\\\\Windows\\\\ImmersiveControlPanel\\\\*.exe\") and\n not process.name : (\"SpeechUXWiz.exe\",\"SystemSettings.exe\",\"TrustedInstaller.exe\",\"PrintDialog.exe\",\"MpSigStub.exe\",\"LMS.exe\",\"mpam-*.exe\") and\n not process.executable :\n (\"?:\\\\Intel\\\\Wireless\\\\WUSetupLauncher.exe\",\n \"?:\\\\Intel\\\\Wireless\\\\Setup.exe\",\n \"?:\\\\Intel\\\\Move Mouse.exe\",\n \"?:\\\\windows\\\\Panther\\\\DiagTrackRunner.exe\",\n \"?:\\\\Windows\\\\servicing\\\\GC64\\\\tzupd.exe\",\n \"?:\\\\Users\\\\Public\\\\res\\\\RemoteLite.exe\",\n \"?:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\*.exe\",\n \"?:\\\\Users\\\\Public\\\\Documents\\\\syspin.exe\",\n 
\"?:\\\\Users\\\\Public\\\\res\\\\FileWatcher.exe\")\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_108.json b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_108.json
deleted file mode 100644
index 26e27826ec3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Execution from an Unusual Directory", "note": "## Triage and analysis\n\n### Investigating Process Execution from an Unusual Directory\n\nThis rule identifies processes that are executed from suspicious default Windows directories. Adversaries may abuse this technique by planting malware in trusted paths, making it difficult for security analysts to discern if their activities are malicious or take advantage of exceptions that may apply to these paths.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes, examining their executable files for prevalence, location, and valid digital signatures.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Examine arguments and working directory to determine the program's source or the nature of the tasks it is performing.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT 
description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of executable and signature conditions.\n\n### Related Rules\n\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Execution from Unusual Directory - Command Line - cff92c41-2225-4763-b4ce-6f71e5bda5e6\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified 
during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* add suspicious execution paths here */\n process.executable : (\n \"?:\\\\PerfLogs\\\\*.exe\", \"?:\\\\Users\\\\Public\\\\*.exe\", \"?:\\\\Windows\\\\Tasks\\\\*.exe\",\n \"?:\\\\Intel\\\\*.exe\", \"?:\\\\AMD\\\\Temp\\\\*.exe\", \"?:\\\\Windows\\\\AppReadiness\\\\*.exe\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.exe\", \"?:\\\\Windows\\\\security\\\\*.exe\", \"?:\\\\Windows\\\\IdentityCRL\\\\*.exe\",\n \"?:\\\\Windows\\\\Branding\\\\*.exe\", \"?:\\\\Windows\\\\csc\\\\*.exe\", \"?:\\\\Windows\\\\DigitalLocker\\\\*.exe\",\n \"?:\\\\Windows\\\\en-US\\\\*.exe\", \"?:\\\\Windows\\\\wlansvc\\\\*.exe\", \"?:\\\\Windows\\\\Prefetch\\\\*.exe\",\n \"?:\\\\Windows\\\\Fonts\\\\*.exe\", \"?:\\\\Windows\\\\diagnostics\\\\*.exe\", \"?:\\\\Windows\\\\TAPI\\\\*.exe\",\n \"?:\\\\Windows\\\\INF\\\\*.exe\", \"?:\\\\Windows\\\\System32\\\\Speech\\\\*.exe\", \"?:\\\\windows\\\\tracing\\\\*.exe\",\n \"?:\\\\windows\\\\IME\\\\*.exe\", \"?:\\\\Windows\\\\Performance\\\\*.exe\", \"?:\\\\windows\\\\intel\\\\*.exe\",\n \"?:\\\\windows\\\\ms\\\\*.exe\", \"?:\\\\Windows\\\\dot3svc\\\\*.exe\", \"?:\\\\Windows\\\\panther\\\\*.exe\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.exe\", \"?:\\\\Windows\\\\OCR\\\\*.exe\", 
\"?:\\\\Windows\\\\appcompat\\\\*.exe\",\n \"?:\\\\Windows\\\\apppatch\\\\*.exe\", \"?:\\\\Windows\\\\addins\\\\*.exe\", \"?:\\\\Windows\\\\Setup\\\\*.exe\",\n \"?:\\\\Windows\\\\Help\\\\*.exe\", \"?:\\\\Windows\\\\SKB\\\\*.exe\", \"?:\\\\Windows\\\\Vss\\\\*.exe\",\n \"?:\\\\Windows\\\\Web\\\\*.exe\", \"?:\\\\Windows\\\\servicing\\\\*.exe\", \"?:\\\\Windows\\\\CbsTemp\\\\*.exe\",\n \"?:\\\\Windows\\\\Logs\\\\*.exe\", \"?:\\\\Windows\\\\WaaS\\\\*.exe\", \"?:\\\\Windows\\\\ShellExperiences\\\\*.exe\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.exe\", \"?:\\\\Windows\\\\PLA\\\\*.exe\", \"?:\\\\Windows\\\\Migration\\\\*.exe\",\n \"?:\\\\Windows\\\\debug\\\\*.exe\", \"?:\\\\Windows\\\\Cursors\\\\*.exe\", \"?:\\\\Windows\\\\Containers\\\\*.exe\",\n \"?:\\\\Windows\\\\Boot\\\\*.exe\", \"?:\\\\Windows\\\\bcastdvr\\\\*.exe\", \"?:\\\\Windows\\\\assembly\\\\*.exe\",\n \"?:\\\\Windows\\\\TextInput\\\\*.exe\", \"?:\\\\Windows\\\\security\\\\*.exe\", \"?:\\\\Windows\\\\schemas\\\\*.exe\",\n \"?:\\\\Windows\\\\SchCache\\\\*.exe\", \"?:\\\\Windows\\\\Resources\\\\*.exe\", \"?:\\\\Windows\\\\rescache\\\\*.exe\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.exe\", \"?:\\\\Windows\\\\PrintDialog\\\\*.exe\", \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.exe\",\n \"?:\\\\Windows\\\\media\\\\*.exe\", \"?:\\\\Windows\\\\Globalization\\\\*.exe\", \"?:\\\\Windows\\\\L2Schemas\\\\*.exe\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.exe\", \"?:\\\\Windows\\\\ModemLogs\\\\*.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.exe\"\n ) and\n \n not process.name : (\n \"SpeechUXWiz.exe\", \"SystemSettings.exe\", \"TrustedInstaller.exe\",\n \"PrintDialog.exe\", \"MpSigStub.exe\", \"LMS.exe\", \"mpam-*.exe\"\n ) and\n not process.executable :\n (\"?:\\\\Intel\\\\Wireless\\\\WUSetupLauncher.exe\",\n \"?:\\\\Intel\\\\Wireless\\\\Setup.exe\",\n \"?:\\\\Intel\\\\Move Mouse.exe\",\n \"?:\\\\windows\\\\Panther\\\\DiagTrackRunner.exe\",\n \"?:\\\\Windows\\\\servicing\\\\GC64\\\\tzupd.exe\",\n 
\"?:\\\\Users\\\\Public\\\\res\\\\RemoteLite.exe\",\n \"?:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\*.exe\",\n \"?:\\\\Users\\\\Public\\\\Documents\\\\syspin.exe\",\n \"?:\\\\Users\\\\Public\\\\res\\\\FileWatcher.exe\")\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 
108}, "id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_109.json b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_109.json
deleted file mode 100644
index cf6bbd7ed65..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Process Execution from an Unusual Directory", "note": "## Triage and analysis\n\n### Investigating Process Execution from an Unusual Directory\n\nThis rule identifies processes that are executed from suspicious default Windows directories. Adversaries may abuse this technique by planting malware in trusted paths, making it difficult for security analysts to discern if their activities are malicious or take advantage of exceptions that may apply to these paths.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes, examining their executable files for prevalence, location, and valid digital signatures.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Examine arguments and working directory to determine the program's source or the nature of the tasks it is performing.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT 
description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of executable and signature conditions.\n\n### Related Rules\n\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Execution from Unusual Directory - Command Line - cff92c41-2225-4763-b4ce-6f71e5bda5e6\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified 
during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* add suspicious execution paths here */\n process.executable : (\n \"?:\\\\PerfLogs\\\\*.exe\", \"?:\\\\Users\\\\Public\\\\*.exe\", \"?:\\\\Windows\\\\Tasks\\\\*.exe\",\n \"?:\\\\Intel\\\\*.exe\", \"?:\\\\AMD\\\\Temp\\\\*.exe\", \"?:\\\\Windows\\\\AppReadiness\\\\*.exe\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.exe\", \"?:\\\\Windows\\\\security\\\\*.exe\", \"?:\\\\Windows\\\\IdentityCRL\\\\*.exe\",\n \"?:\\\\Windows\\\\Branding\\\\*.exe\", \"?:\\\\Windows\\\\csc\\\\*.exe\", \"?:\\\\Windows\\\\DigitalLocker\\\\*.exe\",\n \"?:\\\\Windows\\\\en-US\\\\*.exe\", \"?:\\\\Windows\\\\wlansvc\\\\*.exe\", \"?:\\\\Windows\\\\Prefetch\\\\*.exe\",\n \"?:\\\\Windows\\\\Fonts\\\\*.exe\", \"?:\\\\Windows\\\\diagnostics\\\\*.exe\", \"?:\\\\Windows\\\\TAPI\\\\*.exe\",\n \"?:\\\\Windows\\\\INF\\\\*.exe\", \"?:\\\\Windows\\\\System32\\\\Speech\\\\*.exe\", \"?:\\\\windows\\\\tracing\\\\*.exe\",\n \"?:\\\\windows\\\\IME\\\\*.exe\", \"?:\\\\Windows\\\\Performance\\\\*.exe\", \"?:\\\\windows\\\\intel\\\\*.exe\",\n \"?:\\\\windows\\\\ms\\\\*.exe\", \"?:\\\\Windows\\\\dot3svc\\\\*.exe\", \"?:\\\\Windows\\\\panther\\\\*.exe\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.exe\", \"?:\\\\Windows\\\\OCR\\\\*.exe\", 
\"?:\\\\Windows\\\\appcompat\\\\*.exe\",\n \"?:\\\\Windows\\\\apppatch\\\\*.exe\", \"?:\\\\Windows\\\\addins\\\\*.exe\", \"?:\\\\Windows\\\\Setup\\\\*.exe\",\n \"?:\\\\Windows\\\\Help\\\\*.exe\", \"?:\\\\Windows\\\\SKB\\\\*.exe\", \"?:\\\\Windows\\\\Vss\\\\*.exe\",\n \"?:\\\\Windows\\\\Web\\\\*.exe\", \"?:\\\\Windows\\\\servicing\\\\*.exe\", \"?:\\\\Windows\\\\CbsTemp\\\\*.exe\",\n \"?:\\\\Windows\\\\Logs\\\\*.exe\", \"?:\\\\Windows\\\\WaaS\\\\*.exe\", \"?:\\\\Windows\\\\ShellExperiences\\\\*.exe\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.exe\", \"?:\\\\Windows\\\\PLA\\\\*.exe\", \"?:\\\\Windows\\\\Migration\\\\*.exe\",\n \"?:\\\\Windows\\\\debug\\\\*.exe\", \"?:\\\\Windows\\\\Cursors\\\\*.exe\", \"?:\\\\Windows\\\\Containers\\\\*.exe\",\n \"?:\\\\Windows\\\\Boot\\\\*.exe\", \"?:\\\\Windows\\\\bcastdvr\\\\*.exe\", \"?:\\\\Windows\\\\assembly\\\\*.exe\",\n \"?:\\\\Windows\\\\TextInput\\\\*.exe\", \"?:\\\\Windows\\\\security\\\\*.exe\", \"?:\\\\Windows\\\\schemas\\\\*.exe\",\n \"?:\\\\Windows\\\\SchCache\\\\*.exe\", \"?:\\\\Windows\\\\Resources\\\\*.exe\", \"?:\\\\Windows\\\\rescache\\\\*.exe\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.exe\", \"?:\\\\Windows\\\\PrintDialog\\\\*.exe\", \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.exe\",\n \"?:\\\\Windows\\\\media\\\\*.exe\", \"?:\\\\Windows\\\\Globalization\\\\*.exe\", \"?:\\\\Windows\\\\L2Schemas\\\\*.exe\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.exe\", \"?:\\\\Windows\\\\ModemLogs\\\\*.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.exe\"\n ) and\n \n not process.name : (\n \"SpeechUXWiz.exe\", \"SystemSettings.exe\", \"TrustedInstaller.exe\",\n \"PrintDialog.exe\", \"MpSigStub.exe\", \"LMS.exe\", \"mpam-*.exe\"\n ) and\n not process.executable :\n (\"?:\\\\Intel\\\\Wireless\\\\WUSetupLauncher.exe\",\n \"?:\\\\Intel\\\\Wireless\\\\Setup.exe\",\n \"?:\\\\Intel\\\\Move Mouse.exe\",\n \"?:\\\\windows\\\\Panther\\\\DiagTrackRunner.exe\",\n \"?:\\\\Windows\\\\servicing\\\\GC64\\\\tzupd.exe\",\n 
\"?:\\\\Users\\\\Public\\\\res\\\\RemoteLite.exe\",\n \"?:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\*.exe\",\n \"?:\\\\Users\\\\Public\\\\Documents\\\\syspin.exe\",\n \"?:\\\\Users\\\\Public\\\\res\\\\FileWatcher.exe\")\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", 
"version": 109}, "id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_110.json b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_110.json deleted file mode 100644 index 88cedc46ccf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_110.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Process Execution from an Unusual Directory", "note": "## Triage and analysis\n\n### Investigating Process Execution from an Unusual Directory\n\nThis rule identifies processes that are executed from suspicious default Windows directories. Adversaries may abuse this technique by planting malware in trusted paths, making it difficult for security analysts to discern if their activities are malicious or take advantage of exceptions that may apply to these paths.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes, examining their executable files for prevalence, location, and valid digital signatures.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Examine arguments and working directory to determine the program's source or the nature of the tasks it is performing.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT 
description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of executable and signature conditions.\n\n### Related Rules\n\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Execution from Unusual Directory - Command Line - cff92c41-2225-4763-b4ce-6f71e5bda5e6\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified 
during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* add suspicious execution paths here */\n process.executable : (\n \"?:\\\\PerfLogs\\\\*.exe\", \"?:\\\\Users\\\\Public\\\\*.exe\", \"?:\\\\Windows\\\\Tasks\\\\*.exe\",\n \"?:\\\\Intel\\\\*.exe\", \"?:\\\\AMD\\\\Temp\\\\*.exe\", \"?:\\\\Windows\\\\AppReadiness\\\\*.exe\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.exe\", \"?:\\\\Windows\\\\security\\\\*.exe\", \"?:\\\\Windows\\\\IdentityCRL\\\\*.exe\",\n \"?:\\\\Windows\\\\Branding\\\\*.exe\", \"?:\\\\Windows\\\\csc\\\\*.exe\", \"?:\\\\Windows\\\\DigitalLocker\\\\*.exe\",\n \"?:\\\\Windows\\\\en-US\\\\*.exe\", \"?:\\\\Windows\\\\wlansvc\\\\*.exe\", \"?:\\\\Windows\\\\Prefetch\\\\*.exe\",\n \"?:\\\\Windows\\\\Fonts\\\\*.exe\", \"?:\\\\Windows\\\\diagnostics\\\\*.exe\", \"?:\\\\Windows\\\\TAPI\\\\*.exe\",\n \"?:\\\\Windows\\\\INF\\\\*.exe\", \"?:\\\\Windows\\\\System32\\\\Speech\\\\*.exe\", \"?:\\\\windows\\\\tracing\\\\*.exe\",\n \"?:\\\\windows\\\\IME\\\\*.exe\", \"?:\\\\Windows\\\\Performance\\\\*.exe\", \"?:\\\\windows\\\\intel\\\\*.exe\",\n \"?:\\\\windows\\\\ms\\\\*.exe\", \"?:\\\\Windows\\\\dot3svc\\\\*.exe\", \"?:\\\\Windows\\\\panther\\\\*.exe\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.exe\", \"?:\\\\Windows\\\\OCR\\\\*.exe\", 
\"?:\\\\Windows\\\\appcompat\\\\*.exe\",\n \"?:\\\\Windows\\\\apppatch\\\\*.exe\", \"?:\\\\Windows\\\\addins\\\\*.exe\", \"?:\\\\Windows\\\\Setup\\\\*.exe\",\n \"?:\\\\Windows\\\\Help\\\\*.exe\", \"?:\\\\Windows\\\\SKB\\\\*.exe\", \"?:\\\\Windows\\\\Vss\\\\*.exe\",\n \"?:\\\\Windows\\\\Web\\\\*.exe\", \"?:\\\\Windows\\\\servicing\\\\*.exe\", \"?:\\\\Windows\\\\CbsTemp\\\\*.exe\",\n \"?:\\\\Windows\\\\Logs\\\\*.exe\", \"?:\\\\Windows\\\\WaaS\\\\*.exe\", \"?:\\\\Windows\\\\ShellExperiences\\\\*.exe\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.exe\", \"?:\\\\Windows\\\\PLA\\\\*.exe\", \"?:\\\\Windows\\\\Migration\\\\*.exe\",\n \"?:\\\\Windows\\\\debug\\\\*.exe\", \"?:\\\\Windows\\\\Cursors\\\\*.exe\", \"?:\\\\Windows\\\\Containers\\\\*.exe\",\n \"?:\\\\Windows\\\\Boot\\\\*.exe\", \"?:\\\\Windows\\\\bcastdvr\\\\*.exe\", \"?:\\\\Windows\\\\assembly\\\\*.exe\",\n \"?:\\\\Windows\\\\TextInput\\\\*.exe\", \"?:\\\\Windows\\\\security\\\\*.exe\", \"?:\\\\Windows\\\\schemas\\\\*.exe\",\n \"?:\\\\Windows\\\\SchCache\\\\*.exe\", \"?:\\\\Windows\\\\Resources\\\\*.exe\", \"?:\\\\Windows\\\\rescache\\\\*.exe\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.exe\", \"?:\\\\Windows\\\\PrintDialog\\\\*.exe\", \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.exe\",\n \"?:\\\\Windows\\\\media\\\\*.exe\", \"?:\\\\Windows\\\\Globalization\\\\*.exe\", \"?:\\\\Windows\\\\L2Schemas\\\\*.exe\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.exe\", \"?:\\\\Windows\\\\ModemLogs\\\\*.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.exe\"\n ) and\n \n not process.name : (\n \"SpeechUXWiz.exe\", \"SystemSettings.exe\", \"TrustedInstaller.exe\",\n \"PrintDialog.exe\", \"MpSigStub.exe\", \"LMS.exe\", \"mpam-*.exe\"\n ) and\n not process.executable :\n (\"?:\\\\Intel\\\\Wireless\\\\WUSetupLauncher.exe\",\n \"?:\\\\Intel\\\\Wireless\\\\Setup.exe\",\n \"?:\\\\Intel\\\\Move Mouse.exe\",\n \"?:\\\\windows\\\\Panther\\\\DiagTrackRunner.exe\",\n \"?:\\\\Windows\\\\servicing\\\\GC64\\\\tzupd.exe\",\n 
\"?:\\\\Users\\\\Public\\\\res\\\\RemoteLite.exe\",\n \"?:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\*.exe\",\n \"?:\\\\Users\\\\Public\\\\Documents\\\\syspin.exe\",\n \"?:\\\\Users\\\\Public\\\\res\\\\FileWatcher.exe\")\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", 
"version": 110}, "id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_111.json b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_111.json
deleted file mode 100644
index cb687fa2e6a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Process Execution from an Unusual Directory", "note": "## Triage and analysis\n\n### Investigating Process Execution from an Unusual Directory\n\nThis rule identifies processes that are executed from suspicious default Windows directories. Adversaries may abuse this technique by planting malware in trusted paths, making it difficult for security analysts to discern if their activities are malicious or take advantage of exceptions that may apply to these paths.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes, examining their executable files for prevalence, location, and valid digital signatures.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Examine arguments and working directory to determine the program's source or the nature of the tasks it is performing.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT 
description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of executable and signature conditions.\n\n### Related Rules\n\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Execution from Unusual Directory - Command Line - cff92c41-2225-4763-b4ce-6f71e5bda5e6\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified 
during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* add suspicious execution paths here */\n process.executable : (\n \"?:\\\\PerfLogs\\\\*.exe\", \"?:\\\\Users\\\\Public\\\\*.exe\", \"?:\\\\Windows\\\\Tasks\\\\*.exe\",\n \"?:\\\\Intel\\\\*.exe\", \"?:\\\\AMD\\\\Temp\\\\*.exe\", \"?:\\\\Windows\\\\AppReadiness\\\\*.exe\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.exe\", \"?:\\\\Windows\\\\security\\\\*.exe\", \"?:\\\\Windows\\\\IdentityCRL\\\\*.exe\",\n \"?:\\\\Windows\\\\Branding\\\\*.exe\", \"?:\\\\Windows\\\\csc\\\\*.exe\", \"?:\\\\Windows\\\\DigitalLocker\\\\*.exe\",\n \"?:\\\\Windows\\\\en-US\\\\*.exe\", \"?:\\\\Windows\\\\wlansvc\\\\*.exe\", \"?:\\\\Windows\\\\Prefetch\\\\*.exe\",\n \"?:\\\\Windows\\\\Fonts\\\\*.exe\", \"?:\\\\Windows\\\\diagnostics\\\\*.exe\", \"?:\\\\Windows\\\\TAPI\\\\*.exe\",\n \"?:\\\\Windows\\\\INF\\\\*.exe\", \"?:\\\\Windows\\\\System32\\\\Speech\\\\*.exe\", \"?:\\\\windows\\\\tracing\\\\*.exe\",\n \"?:\\\\windows\\\\IME\\\\*.exe\", \"?:\\\\Windows\\\\Performance\\\\*.exe\", \"?:\\\\windows\\\\intel\\\\*.exe\",\n \"?:\\\\windows\\\\ms\\\\*.exe\", \"?:\\\\Windows\\\\dot3svc\\\\*.exe\", \"?:\\\\Windows\\\\panther\\\\*.exe\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.exe\", \"?:\\\\Windows\\\\OCR\\\\*.exe\", 
\"?:\\\\Windows\\\\appcompat\\\\*.exe\",\n \"?:\\\\Windows\\\\apppatch\\\\*.exe\", \"?:\\\\Windows\\\\addins\\\\*.exe\", \"?:\\\\Windows\\\\Setup\\\\*.exe\",\n \"?:\\\\Windows\\\\Help\\\\*.exe\", \"?:\\\\Windows\\\\SKB\\\\*.exe\", \"?:\\\\Windows\\\\Vss\\\\*.exe\",\n \"?:\\\\Windows\\\\Web\\\\*.exe\", \"?:\\\\Windows\\\\servicing\\\\*.exe\", \"?:\\\\Windows\\\\CbsTemp\\\\*.exe\",\n \"?:\\\\Windows\\\\Logs\\\\*.exe\", \"?:\\\\Windows\\\\WaaS\\\\*.exe\", \"?:\\\\Windows\\\\ShellExperiences\\\\*.exe\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.exe\", \"?:\\\\Windows\\\\PLA\\\\*.exe\", \"?:\\\\Windows\\\\Migration\\\\*.exe\",\n \"?:\\\\Windows\\\\debug\\\\*.exe\", \"?:\\\\Windows\\\\Cursors\\\\*.exe\", \"?:\\\\Windows\\\\Containers\\\\*.exe\",\n \"?:\\\\Windows\\\\Boot\\\\*.exe\", \"?:\\\\Windows\\\\bcastdvr\\\\*.exe\", \"?:\\\\Windows\\\\assembly\\\\*.exe\",\n \"?:\\\\Windows\\\\TextInput\\\\*.exe\", \"?:\\\\Windows\\\\security\\\\*.exe\", \"?:\\\\Windows\\\\schemas\\\\*.exe\",\n \"?:\\\\Windows\\\\SchCache\\\\*.exe\", \"?:\\\\Windows\\\\Resources\\\\*.exe\", \"?:\\\\Windows\\\\rescache\\\\*.exe\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.exe\", \"?:\\\\Windows\\\\PrintDialog\\\\*.exe\", \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.exe\",\n \"?:\\\\Windows\\\\media\\\\*.exe\", \"?:\\\\Windows\\\\Globalization\\\\*.exe\", \"?:\\\\Windows\\\\L2Schemas\\\\*.exe\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.exe\", \"?:\\\\Windows\\\\ModemLogs\\\\*.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.exe\"\n ) and\n \n not process.name : (\n \"SpeechUXWiz.exe\", \"SystemSettings.exe\", \"TrustedInstaller.exe\",\n \"PrintDialog.exe\", \"MpSigStub.exe\", \"LMS.exe\", \"mpam-*.exe\"\n ) and\n not process.executable :\n (\"?:\\\\Intel\\\\Wireless\\\\WUSetupLauncher.exe\",\n \"?:\\\\Intel\\\\Wireless\\\\Setup.exe\",\n \"?:\\\\Intel\\\\Move Mouse.exe\",\n \"?:\\\\windows\\\\Panther\\\\DiagTrackRunner.exe\",\n \"?:\\\\Windows\\\\servicing\\\\GC64\\\\tzupd.exe\",\n 
\"?:\\\\Users\\\\Public\\\\res\\\\RemoteLite.exe\",\n \"?:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\*.exe\",\n \"?:\\\\Users\\\\Public\\\\Documents\\\\syspin.exe\",\n \"?:\\\\Users\\\\Public\\\\res\\\\FileWatcher.exe\")\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 111}, "id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_112.json b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_112.json
deleted file mode 100644
index cae06507f37..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_112.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Process Execution from an Unusual Directory", "note": "## Triage and analysis\n\n### Investigating Process Execution from an Unusual Directory\n\nThis rule identifies processes that are executed from suspicious default Windows directories. Adversaries may abuse this technique by planting malware in trusted paths, making it difficult for security analysts to discern if their activities are malicious or take advantage of exceptions that may apply to these paths.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes, examining their executable files for prevalence, location, and valid digital signatures.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Examine arguments and working directory to determine the program's source or the nature of the tasks it is performing.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT 
description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of executable and signature conditions.\n\n### Related Rules\n\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Execution from Unusual Directory - Command Line - cff92c41-2225-4763-b4ce-6f71e5bda5e6\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified 
during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* add suspicious execution paths here */\n process.executable : (\n \"?:\\\\PerfLogs\\\\*.exe\", \"?:\\\\Users\\\\Public\\\\*.exe\", \"?:\\\\Windows\\\\Tasks\\\\*.exe\",\n \"?:\\\\Intel\\\\*.exe\", \"?:\\\\AMD\\\\Temp\\\\*.exe\", \"?:\\\\Windows\\\\AppReadiness\\\\*.exe\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.exe\", \"?:\\\\Windows\\\\security\\\\*.exe\", \"?:\\\\Windows\\\\IdentityCRL\\\\*.exe\",\n \"?:\\\\Windows\\\\Branding\\\\*.exe\", \"?:\\\\Windows\\\\csc\\\\*.exe\", \"?:\\\\Windows\\\\DigitalLocker\\\\*.exe\",\n \"?:\\\\Windows\\\\en-US\\\\*.exe\", \"?:\\\\Windows\\\\wlansvc\\\\*.exe\", \"?:\\\\Windows\\\\Prefetch\\\\*.exe\",\n \"?:\\\\Windows\\\\Fonts\\\\*.exe\", \"?:\\\\Windows\\\\diagnostics\\\\*.exe\", \"?:\\\\Windows\\\\TAPI\\\\*.exe\",\n \"?:\\\\Windows\\\\INF\\\\*.exe\", \"?:\\\\Windows\\\\System32\\\\Speech\\\\*.exe\", \"?:\\\\windows\\\\tracing\\\\*.exe\",\n \"?:\\\\windows\\\\IME\\\\*.exe\", \"?:\\\\Windows\\\\Performance\\\\*.exe\", \"?:\\\\windows\\\\intel\\\\*.exe\",\n \"?:\\\\windows\\\\ms\\\\*.exe\", \"?:\\\\Windows\\\\dot3svc\\\\*.exe\", \"?:\\\\Windows\\\\panther\\\\*.exe\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.exe\", \"?:\\\\Windows\\\\OCR\\\\*.exe\", 
\"?:\\\\Windows\\\\appcompat\\\\*.exe\",\n \"?:\\\\Windows\\\\apppatch\\\\*.exe\", \"?:\\\\Windows\\\\addins\\\\*.exe\", \"?:\\\\Windows\\\\Setup\\\\*.exe\",\n \"?:\\\\Windows\\\\Help\\\\*.exe\", \"?:\\\\Windows\\\\SKB\\\\*.exe\", \"?:\\\\Windows\\\\Vss\\\\*.exe\",\n \"?:\\\\Windows\\\\Web\\\\*.exe\", \"?:\\\\Windows\\\\servicing\\\\*.exe\", \"?:\\\\Windows\\\\CbsTemp\\\\*.exe\",\n \"?:\\\\Windows\\\\Logs\\\\*.exe\", \"?:\\\\Windows\\\\WaaS\\\\*.exe\", \"?:\\\\Windows\\\\ShellExperiences\\\\*.exe\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.exe\", \"?:\\\\Windows\\\\PLA\\\\*.exe\", \"?:\\\\Windows\\\\Migration\\\\*.exe\",\n \"?:\\\\Windows\\\\debug\\\\*.exe\", \"?:\\\\Windows\\\\Cursors\\\\*.exe\", \"?:\\\\Windows\\\\Containers\\\\*.exe\",\n \"?:\\\\Windows\\\\Boot\\\\*.exe\", \"?:\\\\Windows\\\\bcastdvr\\\\*.exe\", \"?:\\\\Windows\\\\assembly\\\\*.exe\",\n \"?:\\\\Windows\\\\TextInput\\\\*.exe\", \"?:\\\\Windows\\\\security\\\\*.exe\", \"?:\\\\Windows\\\\schemas\\\\*.exe\",\n \"?:\\\\Windows\\\\SchCache\\\\*.exe\", \"?:\\\\Windows\\\\Resources\\\\*.exe\", \"?:\\\\Windows\\\\rescache\\\\*.exe\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.exe\", \"?:\\\\Windows\\\\PrintDialog\\\\*.exe\", \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.exe\",\n \"?:\\\\Windows\\\\media\\\\*.exe\", \"?:\\\\Windows\\\\Globalization\\\\*.exe\", \"?:\\\\Windows\\\\L2Schemas\\\\*.exe\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.exe\", \"?:\\\\Windows\\\\ModemLogs\\\\*.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.exe\"\n ) and\n \n not process.name : (\n \"SpeechUXWiz.exe\", \"SystemSettings.exe\", \"TrustedInstaller.exe\",\n \"PrintDialog.exe\", \"MpSigStub.exe\", \"LMS.exe\", \"mpam-*.exe\"\n ) and\n not process.executable :\n (\"?:\\\\Intel\\\\Wireless\\\\WUSetupLauncher.exe\",\n \"?:\\\\Intel\\\\Wireless\\\\Setup.exe\",\n \"?:\\\\Intel\\\\Move Mouse.exe\",\n \"?:\\\\windows\\\\Panther\\\\DiagTrackRunner.exe\",\n \"?:\\\\Windows\\\\servicing\\\\GC64\\\\tzupd.exe\",\n 
\"?:\\\\Users\\\\Public\\\\res\\\\RemoteLite.exe\",\n \"?:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\*.exe\",\n \"?:\\\\Users\\\\Public\\\\Documents\\\\syspin.exe\",\n \"?:\\\\Users\\\\Public\\\\res\\\\FileWatcher.exe\")\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", "references": ["https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine", "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": 
"https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_312.json b/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_312.json
deleted file mode 100644
index b8e6f95f84e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ebfe1448-7fac-4d59-acea-181bd89b1f7f_312.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies process execution from suspicious default Windows directories. This is sometimes done by adversaries to hide malware in trusted paths.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Process Execution from an Unusual Directory", "note": "## Triage and analysis\n\n### Investigating Process Execution from an Unusual Directory\n\nThis rule identifies processes that are executed from suspicious default Windows directories. Adversaries may abuse this technique by planting malware in trusted paths, making it difficult for security analysts to discern if their activities are malicious or take advantage of exceptions that may apply to these paths.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes, examining their executable files for prevalence, location, and valid digital signatures.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Examine arguments and working directory to determine the program's source or the nature of the tasks it is performing.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT 
description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of executable and signature conditions.\n\n### Related Rules\n\n- Unusual Windows Path Activity - 445a342e-03fb-42d0-8656-0367eb2dead5\n- Execution from Unusual Directory - Command Line - cff92c41-2225-4763-b4ce-6f71e5bda5e6\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified 
during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n /* add suspicious execution paths here */\n process.executable : (\n \"?:\\\\PerfLogs\\\\*.exe\", \"?:\\\\Users\\\\Public\\\\*.exe\", \"?:\\\\Windows\\\\Tasks\\\\*.exe\",\n \"?:\\\\Intel\\\\*.exe\", \"?:\\\\AMD\\\\Temp\\\\*.exe\", \"?:\\\\Windows\\\\AppReadiness\\\\*.exe\",\n \"?:\\\\Windows\\\\ServiceState\\\\*.exe\", \"?:\\\\Windows\\\\security\\\\*.exe\", \"?:\\\\Windows\\\\IdentityCRL\\\\*.exe\",\n \"?:\\\\Windows\\\\Branding\\\\*.exe\", \"?:\\\\Windows\\\\csc\\\\*.exe\", \"?:\\\\Windows\\\\DigitalLocker\\\\*.exe\",\n \"?:\\\\Windows\\\\en-US\\\\*.exe\", \"?:\\\\Windows\\\\wlansvc\\\\*.exe\", \"?:\\\\Windows\\\\Prefetch\\\\*.exe\",\n \"?:\\\\Windows\\\\Fonts\\\\*.exe\", \"?:\\\\Windows\\\\diagnostics\\\\*.exe\", \"?:\\\\Windows\\\\TAPI\\\\*.exe\",\n \"?:\\\\Windows\\\\INF\\\\*.exe\", \"?:\\\\Windows\\\\System32\\\\Speech\\\\*.exe\", \"?:\\\\windows\\\\tracing\\\\*.exe\",\n \"?:\\\\windows\\\\IME\\\\*.exe\", \"?:\\\\Windows\\\\Performance\\\\*.exe\", \"?:\\\\windows\\\\intel\\\\*.exe\",\n \"?:\\\\windows\\\\ms\\\\*.exe\", \"?:\\\\Windows\\\\dot3svc\\\\*.exe\", \"?:\\\\Windows\\\\panther\\\\*.exe\",\n \"?:\\\\Windows\\\\RemotePackages\\\\*.exe\", \"?:\\\\Windows\\\\OCR\\\\*.exe\", 
\"?:\\\\Windows\\\\appcompat\\\\*.exe\",\n \"?:\\\\Windows\\\\apppatch\\\\*.exe\", \"?:\\\\Windows\\\\addins\\\\*.exe\", \"?:\\\\Windows\\\\Setup\\\\*.exe\",\n \"?:\\\\Windows\\\\Help\\\\*.exe\", \"?:\\\\Windows\\\\SKB\\\\*.exe\", \"?:\\\\Windows\\\\Vss\\\\*.exe\",\n \"?:\\\\Windows\\\\Web\\\\*.exe\", \"?:\\\\Windows\\\\servicing\\\\*.exe\", \"?:\\\\Windows\\\\CbsTemp\\\\*.exe\",\n \"?:\\\\Windows\\\\Logs\\\\*.exe\", \"?:\\\\Windows\\\\WaaS\\\\*.exe\", \"?:\\\\Windows\\\\ShellExperiences\\\\*.exe\",\n \"?:\\\\Windows\\\\ShellComponents\\\\*.exe\", \"?:\\\\Windows\\\\PLA\\\\*.exe\", \"?:\\\\Windows\\\\Migration\\\\*.exe\",\n \"?:\\\\Windows\\\\debug\\\\*.exe\", \"?:\\\\Windows\\\\Cursors\\\\*.exe\", \"?:\\\\Windows\\\\Containers\\\\*.exe\",\n \"?:\\\\Windows\\\\Boot\\\\*.exe\", \"?:\\\\Windows\\\\bcastdvr\\\\*.exe\", \"?:\\\\Windows\\\\assembly\\\\*.exe\",\n \"?:\\\\Windows\\\\TextInput\\\\*.exe\", \"?:\\\\Windows\\\\security\\\\*.exe\", \"?:\\\\Windows\\\\schemas\\\\*.exe\",\n \"?:\\\\Windows\\\\SchCache\\\\*.exe\", \"?:\\\\Windows\\\\Resources\\\\*.exe\", \"?:\\\\Windows\\\\rescache\\\\*.exe\",\n \"?:\\\\Windows\\\\Provisioning\\\\*.exe\", \"?:\\\\Windows\\\\PrintDialog\\\\*.exe\", \"?:\\\\Windows\\\\PolicyDefinitions\\\\*.exe\",\n \"?:\\\\Windows\\\\media\\\\*.exe\", \"?:\\\\Windows\\\\Globalization\\\\*.exe\", \"?:\\\\Windows\\\\L2Schemas\\\\*.exe\",\n \"?:\\\\Windows\\\\LiveKernelReports\\\\*.exe\", \"?:\\\\Windows\\\\ModemLogs\\\\*.exe\",\n \"?:\\\\Windows\\\\ImmersiveControlPanel\\\\*.exe\"\n ) and\n \n not process.name : (\n \"SpeechUXWiz.exe\", \"SystemSettings.exe\", \"TrustedInstaller.exe\",\n \"PrintDialog.exe\", \"MpSigStub.exe\", \"LMS.exe\", \"mpam-*.exe\"\n ) and\n not process.executable :\n (\"?:\\\\Intel\\\\Wireless\\\\WUSetupLauncher.exe\",\n \"?:\\\\Intel\\\\Wireless\\\\Setup.exe\",\n \"?:\\\\Intel\\\\Move Mouse.exe\",\n \"?:\\\\windows\\\\Panther\\\\DiagTrackRunner.exe\",\n \"?:\\\\Windows\\\\servicing\\\\GC64\\\\tzupd.exe\",\n 
\"?:\\\\Users\\\\Public\\\\res\\\\RemoteLite.exe\",\n \"?:\\\\Users\\\\Public\\\\IBM\\\\ClientSolutions\\\\*.exe\",\n \"?:\\\\Users\\\\Public\\\\Documents\\\\syspin.exe\",\n \"?:\\\\Users\\\\Public\\\\res\\\\FileWatcher.exe\")\n", "references": ["https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine", "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 312}, "id": "ebfe1448-7fac-4d59-acea-181bd89b1f7f_312", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ec604672-bed9-43e1-8871-cf591c052550.json b/packages/security_detection_engine/kibana/security_rule/ec604672-bed9-43e1-8871-cf591c052550.json
deleted file mode 100644
index caa4a082b58..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ec604672-bed9-43e1-8871-cf591c052550.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects when chmod is used to add the execute permission to a file inside a container. Modifying file permissions to make a file executable could indicate malicious activity, as an attacker may attempt to run unauthorized or malicious code inside the container.", "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "File Made Executable via Chmod Inside A Container", "query": "file where container.id: \"*\" and event.type in (\"change\", \"creation\") and\n\n/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/\n(process.name : \"chmod\" or process.args : \"chmod\") and \nprocess.args : (\"*x*\", \"777\", \"755\", \"754\", \"700\") and not process.args: \"-x\"\n", "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "container.id", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ec604672-bed9-43e1-8871-cf591c052550", "severity": "medium", "tags": ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", 
"reference": "https://attack.mitre.org/techniques/T1222/", "subtechnique": [{"id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "ec604672-bed9-43e1-8871-cf591c052550", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ec604672-bed9-43e1-8871-cf591c052550_1.json b/packages/security_detection_engine/kibana/security_rule/ec604672-bed9-43e1-8871-cf591c052550_1.json deleted file mode 100644 index e32b4a9ec8e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ec604672-bed9-43e1-8871-cf591c052550_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects when chmod is used to add the execute permission to a file inside a container. Modifying file permissions to make a file executable could indicate malicious activity, as an attacker may attempt to run unauthorized or malicious code inside the container.", "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "File Made Executable via Chmod Inside A Container", "query": "file where container.id: \"*\" and event.type in (\"change\", \"creation\") and\n\n/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/\n(process.name : \"chmod\" or process.args : \"chmod\") and \nprocess.args : (\"*x*\", \"777\", \"755\", \"754\", \"700\") and not process.args: \"-x\"\n", "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "container.id", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ec604672-bed9-43e1-8871-cf591c052550", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Defense Evasion", "Container"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/", 
"subtechnique": [{"id": "T1222.002", "name": "Linux and Mac File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "ec604672-bed9-43e1-8871-cf591c052550_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78.json b/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78.json deleted file mode 100644 index 53a3c462801..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Gary Blackwell", "Austin Songer"], "description": "Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges.", "false_positives": ["Users and Administrators can create inbox rules for legitimate purposes. Verify if it complies with the company policy and done with the user's consent. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Inbox Forwarding Rule Created", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and\nevent.category:web and event.action:(\"New-InboxRule\" or \"Set-InboxRule\") and\n (\n o365.audit.Parameters.ForwardTo:* or\n o365.audit.Parameters.ForwardAsAttachmentTo:* or\n o365.audit.Parameters.RedirectTo:*\n )\n and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide", "https://raw.githubusercontent.com/PwC-IR/Business-Email-Compromise-Guide/main/Extractor%20Cheat%20Sheet.pdf"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": 
"keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Parameters.ForwardAsAttachmentTo", "type": "unknown"}, {"ecs": false, "name": "o365.audit.Parameters.ForwardTo", "type": "unknown"}, {"ecs": false, "name": "o365.audit.Parameters.RedirectTo", "type": "unknown"}], "risk_score": 47, "rule_id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Collection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.003", "name": "Email Forwarding Rule", "reference": "https://attack.mitre.org/techniques/T1114/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_101.json b/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_101.json deleted file mode 100644 index b788780e3c3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Gary Blackwell", "Austin Songer"], "description": "Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges.", "false_positives": ["Users and Administrators can create inbox rules for legitimate purposes. Verify if it complies with the company policy and done with the user's consent. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Inbox Forwarding Rule Created", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and\nevent.category:web and event.action:(\"New-InboxRule\" or \"Set-InboxRule\") and\n (\n o365.audit.Parameters.ForwardTo:* or\n o365.audit.Parameters.ForwardAsAttachmentTo:* or\n o365.audit.Parameters.RedirectTo:*\n )\n and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide", "https://raw.githubusercontent.com/PwC-IR/Business-Email-Compromise-Guide/main/Extractor%20Cheat%20Sheet.pdf"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": 
"keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Parameters.ForwardAsAttachmentTo", "type": "unknown"}, {"ecs": false, "name": "o365.audit.Parameters.ForwardTo", "type": "unknown"}, {"ecs": false, "name": "o365.audit.Parameters.RedirectTo", "type": "unknown"}], "risk_score": 47, "rule_id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.003", "name": "Email Forwarding Rule", "reference": "https://attack.mitre.org/techniques/T1114/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_102.json b/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_102.json deleted file mode 100644 index 9974f55dff9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Gary Blackwell", "Austin Songer"], "description": "Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges.", "false_positives": ["Users and Administrators can create inbox rules for legitimate purposes. Verify if it complies with the company policy and done with the user's consent. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Inbox Forwarding Rule Created", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and\nevent.category:web and event.action:(\"New-InboxRule\" or \"Set-InboxRule\") and\n (\n o365.audit.Parameters.ForwardTo:* or\n o365.audit.Parameters.ForwardAsAttachmentTo:* or\n o365.audit.Parameters.RedirectTo:*\n )\n and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide", "https://raw.githubusercontent.com/PwC-IR/Business-Email-Compromise-Guide/main/Extractor%20Cheat%20Sheet.pdf"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": 
"keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Parameters.ForwardAsAttachmentTo", "type": "unknown"}, {"ecs": false, "name": "o365.audit.Parameters.ForwardTo", "type": "unknown"}, {"ecs": false, "name": "o365.audit.Parameters.RedirectTo", "type": "unknown"}], "risk_score": 47, "rule_id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Collection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.003", "name": "Email Forwarding Rule", "reference": "https://attack.mitre.org/techniques/T1114/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_103.json b/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_103.json deleted file mode 100644 index dc5d938f12a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Gary Blackwell", "Austin Songer"], "description": "Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges.", "false_positives": ["Users and Administrators can create inbox rules for legitimate purposes. Verify if it complies with the company policy and done with the user's consent. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Inbox Forwarding Rule Created", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and\nevent.category:web and event.action:(\"New-InboxRule\" or \"Set-InboxRule\") and\n (\n o365.audit.Parameters.ForwardTo:* or\n o365.audit.Parameters.ForwardAsAttachmentTo:* or\n o365.audit.Parameters.RedirectTo:*\n )\n and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide", "https://raw.githubusercontent.com/PwC-IR/Business-Email-Compromise-Guide/main/Extractor%20Cheat%20Sheet.pdf"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": 
"keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Parameters.ForwardAsAttachmentTo", "type": "unknown"}, {"ecs": false, "name": "o365.audit.Parameters.ForwardTo", "type": "unknown"}, {"ecs": false, "name": "o365.audit.Parameters.RedirectTo", "type": "unknown"}], "risk_score": 47, "rule_id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Collection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.003", "name": "Email Forwarding Rule", "reference": "https://attack.mitre.org/techniques/T1114/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_105.json b/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_105.json deleted file mode 100644 index fe69f3dce36..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Gary Blackwell", "Austin Songer"], "description": "Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges.", "false_positives": ["Users and Administrators can create inbox rules for legitimate purposes. Verify if it complies with the company policy and done with the user's consent. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Inbox Forwarding Rule Created", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and\nevent.category:web and event.action:(\"New-InboxRule\" or \"Set-InboxRule\") and\n (\n o365.audit.Parameters.ForwardTo:* or\n o365.audit.Parameters.ForwardAsAttachmentTo:* or\n o365.audit.Parameters.RedirectTo:*\n )\n and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-outlook-rules-forms-attack?view=o365-worldwide", "https://raw.githubusercontent.com/PwC-IR/Business-Email-Compromise-Guide/main/Extractor%20Cheat%20Sheet.pdf"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": 
"keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}, {"ecs": false, "name": "o365.audit.Parameters.ForwardAsAttachmentTo", "type": "unknown"}, {"ecs": false, "name": "o365.audit.Parameters.ForwardTo", "type": "unknown"}, {"ecs": false, "name": "o365.audit.Parameters.RedirectTo", "type": "unknown"}], "risk_score": 47, "rule_id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Collection"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0009", "name": "Collection", "reference": "https://attack.mitre.org/tactics/TA0009/"}, "technique": [{"id": "T1114", "name": "Email Collection", "reference": "https://attack.mitre.org/techniques/T1114/", "subtechnique": [{"id": "T1114.003", "name": "Email Forwarding Rule", "reference": "https://attack.mitre.org/techniques/T1114/003/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ecc0cd54-608e-11ef-ab6d-f661ea17fbce_1.json b/packages/security_detection_engine/kibana/security_rule/ecc0cd54-608e-11ef-ab6d-f661ea17fbce_1.json deleted file mode 100644 index 50cf2a8807b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ecc0cd54-608e-11ef-ab6d-f661ea17fbce_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule identifies potentially malicious processes attempting to access the cloud service provider's instance metadata service (IMDS) API endpoint, which can be used to retrieve sensitive instance-specific information such as instance ID, public IP address, and even temporary security credentials if role's are assumed by that instance. The rule monitors for various tools and scripts like curl, wget, python, and perl that might be used to interact with the metadata API.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Instance Metadata Service (IMDS) API Request", "query": "sequence by host.id, process.parent.entity_id with maxspan=1s\n[process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name : (\n \"curl\", \"wget\", \"python*\", \"perl*\", \"php*\", \"ruby*\", \"lua*\", \"telnet\", \"pwsh\",\n \"openssl\", \"nc\", \"ncat\", \"netcat\", \"awk\", \"gawk\", \"mawk\", \"nawk\", \"socat\", \"node\"\n ) or process.executable : (\n \"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/var/www/*\", \"/dev/shm/*\", \"/etc/init.d/*\", \"/etc/rc*.d/*\",\n \"/etc/cron*\", \"/etc/update-motd.d/*\", \"/boot/*\", \"/srv/*\", \"/run/*\", \"/etc/rc.local\"\n ) or\n process.command_line: \"*169.254.169.254*\" and\n not process.working_directory: (\n \"/opt/rapid7*\",\n \"/opt/nessus*\",\n \"/snap/amazon-ssm-agent*\",\n \"/srv/snp/docker/overlay2*\",\n \"/var/log/amazon/ssm*\"\n )]\n[network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and destination.ip == \"169.254.169.254\"]\n", "references": ["https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": 
"keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.working_directory", "type": "keyword"}], "risk_score": 47, "rule_id": "ecc0cd54-608e-11ef-ab6d-f661ea17fbce", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Discovery", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": "https://attack.mitre.org/techniques/T1552/", "subtechnique": [{"id": "T1552.005", "name": "Cloud Instance Metadata API", "reference": "https://attack.mitre.org/techniques/T1552/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1580", "name": "Cloud Infrastructure Discovery", "reference": "https://attack.mitre.org/techniques/T1580/"}]}], "type": "eql", "version": 1}, "id": "ecc0cd54-608e-11ef-ab6d-f661ea17fbce_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ecd4857b-5bac-455e-a7c9-a88b66e56a9e.json b/packages/security_detection_engine/kibana/security_rule/ecd4857b-5bac-455e-a7c9-a88b66e56a9e.json deleted file mode 100644 index 53c7a1bd75e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ecd4857b-5bac-455e-a7c9-a88b66e56a9e.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the creation or modification of an executable file with an unexpected file extension. Attackers may attempt to evade detection by masquerading files using the file extension values used by image, audio, or document file types.", "from": "now-119m", "index": ["logs-endpoint.events.file-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Executable File with Unusual Extension", "query": "file where host.os.type == \"windows\" and event.action != \"deletion\" and\n\n /* MZ header or its common base64 equivalent TVqQ */\n file.Ext.header_bytes : (\"4d5a*\", \"54567151*\") and\n\n (\n /* common image file extensions */\n file.extension : (\"jpg\", \"jpeg\", \"emf\", \"tiff\", \"gif\", \"png\", \"bmp\", \"fpx\", \"eps\", \"svg\", \"inf\") or\n\n /* common audio and video file extensions */\n file.extension : (\"mp3\", \"wav\", \"avi\", \"mpeg\", \"flv\", \"wma\", \"wmv\", \"mov\", \"mp4\", \"3gp\") or\n\n /* common document file extensions */\n file.extension : (\"txt\", \"pdf\", \"doc\", \"docx\", \"rtf\", \"ppt\", \"pptx\", \"xls\", \"xlsx\", \"hwp\", \"html\")\n ) and\n not process.pid == 4 and\n not process.executable : \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Client Server Security Agent\\\\Ntrtscan.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 21, "rule_id": "ecd4857b-5bac-455e-a7c9-a88b66e56a9e", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", 
"Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.008", "name": "Masquerade File Type", "reference": "https://attack.mitre.org/techniques/T1036/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "ecd4857b-5bac-455e-a7c9-a88b66e56a9e", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ecd4857b-5bac-455e-a7c9-a88b66e56a9e_1.json b/packages/security_detection_engine/kibana/security_rule/ecd4857b-5bac-455e-a7c9-a88b66e56a9e_1.json deleted file mode 100644 index 1add0ede5b7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ecd4857b-5bac-455e-a7c9-a88b66e56a9e_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the creation or modification of an executable file with an unexpected file extension. Attackers may attempt to evade detection by masquerading files using the file extension values used by image, audio, or document file types.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Executable File with Unusual Extension", "query": "file where host.os.type == \"windows\" and event.action != \"deletion\" and\n\n /* MZ header or its common base64 equivalent TVqQ */\n file.Ext.header_bytes : (\"4d5a*\", \"54567151*\") and\n\n (\n /* common image file extensions */\n file.extension : (\"jpg\", \"jpeg\", \"emf\", \"tiff\", \"gif\", \"png\", \"bmp\", \"fpx\", \"eps\", \"svg\", \"inf\") or\n\n /* common audio and video file extensions */\n file.extension : (\"mp3\", \"wav\", \"avi\", \"mpeg\", \"flv\", \"wma\", \"wmv\", \"mov\", \"mp4\", \"3gp\") or\n\n /* common document file extensions */\n file.extension : (\"txt\", \"pdf\", \"doc\", \"docx\", \"rtf\", \"ppt\", \"pptx\", \"xls\", \"xlsx\", \"hwp\", \"html\")\n ) and\n not process.pid == 4 and\n not process.executable : \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Client Server Security Agent\\\\Ntrtscan.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}], "risk_score": 21, "rule_id": "ecd4857b-5bac-455e-a7c9-a88b66e56a9e", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", 
"Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.008", "name": "Masquerade File Type", "reference": "https://attack.mitre.org/techniques/T1036/008/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "ecd4857b-5bac-455e-a7c9-a88b66e56a9e_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d.json b/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d.json deleted file mode 100644 index 12c78b31d28..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped.", "false_positives": ["Valid clusters or instances may be stopped by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster or instance stoppages from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Instance/Cluster Stoppage", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBCluster.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-instance.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBInstance.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Impact"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_102.json b/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_102.json deleted file mode 100644 index 00b2a6f7784..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped.", "false_positives": ["Valid clusters or instances may be stopped by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster or instance stoppages from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Instance/Cluster Stoppage", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBCluster.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-instance.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBInstance.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility"], "threat": [{"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_103.json b/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_103.json deleted file mode 100644 index c49789576ae..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped.", "false_positives": ["Valid clusters or instances may be stopped by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster or instance stoppages from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Instance/Cluster Stoppage", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBCluster.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-instance.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBInstance.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Impact"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_104.json b/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_104.json deleted file mode 100644 index 963b870d6ad..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped.", "false_positives": ["Valid clusters or instances may be stopped by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster or instance stoppages from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Instance/Cluster Stoppage", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBCluster.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-instance.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBInstance.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Impact"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_205.json b/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_205.json deleted file mode 100644 index f67fe3cf1c0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped.", "false_positives": ["Valid clusters or instances may be stopped by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Cluster or instance stoppages from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Instance/Cluster Stoppage", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(StopDBCluster or StopDBInstance) and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-cluster.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBCluster.html", "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-instance.html", "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBInstance.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Impact"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d_205", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ed9ecd27-e3e6-4fd9-8586-7754803f7fc8.json b/packages/security_detection_engine/kibana/security_rule/ed9ecd27-e3e6-4fd9-8586-7754803f7fc8.json deleted file mode 100644 index 0d571fb43c6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ed9ecd27-e3e6-4fd9-8586-7754803f7fc8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM) user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in your Azure AD organization.", "false_positives": ["Global administrator additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Global administrator additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Global Administrator Role Addition to PIM User", "note": "", "query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and\n azure.auditlogs.operation_name:(\"Add eligible member to role in PIM completed (permanent)\" or\n \"Add member to role in PIM completed (timebound)\") and\n azure.auditlogs.properties.target_resources.*.display_name:\"Global Administrator\" and\n event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles"], "related_integrations": [{"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword"}, {"ecs": false, "name": "azure.auditlogs.properties.category", "type": "keyword"}, {"ecs": false, "name": "azure.auditlogs.properties.target_resources.*.display_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 
73, "rule_id": "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ed9ecd27-e3e6-4fd9-8586-7754803f7fc8_101.json b/packages/security_detection_engine/kibana/security_rule/ed9ecd27-e3e6-4fd9-8586-7754803f7fc8_101.json deleted file mode 100644 index 5b8bfe4f9a0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ed9ecd27-e3e6-4fd9-8586-7754803f7fc8_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM) user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in your Azure AD organization.", "false_positives": ["Global administrator additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Global administrator additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Global Administrator Role Addition to PIM User", "note": "", "query": "event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and\n azure.auditlogs.operation_name:(\"Add eligible member to role in PIM completed (permanent)\" or\n \"Add member to role in PIM completed (timebound)\") and\n azure.auditlogs.properties.target_resources.*.display_name:\"Global Administrator\" and\n event.outcome:(Success or success)\n", "references": ["https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles"], "related_integrations": [{"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword"}, {"ecs": false, "name": "azure.auditlogs.properties.category", "type": "keyword"}, {"ecs": false, "name": "azure.auditlogs.properties.target_resources.*.display_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 
73, "rule_id": "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a.json b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a.json deleted file mode 100644 index 64e80487044..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "AdFind Command Activity", "note": "## Triage and analysis\n\n### Investigating AdFind Command Activity\n\n[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) of this tool being adopted by ransomware and criminal groups and used in compromises.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line to determine what information was retrieved by the tool.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in isolation, so reviewing previous logs/activity from impacted machines can be very telling.\n\n### Related rules\n\n- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1\n- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d\n- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"AdFind.exe\" or ?process.pe.original_file_name == \"AdFind.exe\") and\n process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\",\n \"objectcategory=person\", \"(objectcategory=person)\",\n \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n \"objectcategory=group\", \"(objectcategory=group)\",\n \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n", "references": ["http://www.joeware.net/freetools/tools/adfind/", "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": 
"keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/"}, {"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}]}], "timestamp_override": "event.ingested", "type": "eql", 
"version": 113}, "id": "eda499b8-a073-4e35-9733-22ec71f57f3a", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_104.json b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_104.json deleted file mode 100644 index 0e9754dbbcd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "AdFind Command Activity", "note": "## Triage and analysis\n\n### Investigating AdFind Command Activity\n\n[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) of this tool being adopted by ransomware and criminal groups and used in compromises.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line to determine what information was retrieved by the tool.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in isolation, so reviewing previous logs/activity from impacted machines can be very telling.\n\n### Related rules\n\n- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1\n- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d\n- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"AdFind.exe\" or process.pe.original_file_name == \"AdFind.exe\") and\n process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\",\n \"objectcategory=person\", \"(objectcategory=person)\",\n \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n \"objectcategory=group\", \"(objectcategory=group)\",\n \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n", "references": ["http://www.joeware.net/freetools/tools/adfind/", "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "eda499b8-a073-4e35-9733-22ec71f57f3a_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_105.json b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_105.json deleted file mode 100644 index 05aaec71559..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "AdFind Command Activity", "note": "## Triage and analysis\n\n### Investigating AdFind Command Activity\n\n[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) of this tool being adopted by ransomware and criminal groups and used in compromises.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line to determine what information was retrieved by the tool.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in isolation, so reviewing previous logs/activity from impacted machines can be very telling.\n\n### Related rules\n\n- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1\n- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d\n- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"AdFind.exe\" or process.pe.original_file_name == \"AdFind.exe\") and\n process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\",\n \"objectcategory=person\", \"(objectcategory=person)\",\n \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n \"objectcategory=group\", \"(objectcategory=group)\",\n \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n", "references": ["http://www.joeware.net/freetools/tools/adfind/", "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "eda499b8-a073-4e35-9733-22ec71f57f3a_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_106.json b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_106.json deleted file mode 100644 index 7ec88b64aca..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "AdFind Command Activity", "note": "## Triage and analysis\n\n### Investigating AdFind Command Activity\n\n[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) of this tool being adopted by ransomware and criminal groups and used in compromises.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line to determine what information was retrieved by the tool.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in isolation, so reviewing previous logs/activity from impacted machines can be very telling.\n\n### Related rules\n\n- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1\n- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d\n- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"AdFind.exe\" or process.pe.original_file_name == \"AdFind.exe\") and\n process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\",\n \"objectcategory=person\", \"(objectcategory=person)\",\n \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n \"objectcategory=group\", \"(objectcategory=group)\",\n \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n", "references": ["http://www.joeware.net/freetools/tools/adfind/", "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "eda499b8-a073-4e35-9733-22ec71f57f3a_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_107.json b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_107.json deleted file mode 100644 index 401703ba00b..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_107.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "AdFind Command Activity", "note": "## Triage and analysis\n\n### Investigating AdFind Command Activity\n\n[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) of this tool being adopted by ransomware and criminal groups and used in compromises.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line to determine what information was retrieved by the tool.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in isolation, so reviewing previous logs/activity from impacted machines can be very telling.\n\n### Related rules\n\n- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1\n- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d\n- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"AdFind.exe\" or process.pe.original_file_name == \"AdFind.exe\") and\n process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\",\n \"objectcategory=person\", \"(objectcategory=person)\",\n \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n \"objectcategory=group\", \"(objectcategory=group)\",\n \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n", "references": ["http://www.joeware.net/freetools/tools/adfind/", "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "eda499b8-a073-4e35-9733-22ec71f57f3a_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_108.json b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_108.json
deleted file mode 100644
index ebf7149dfd7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "AdFind Command Activity", "note": "## Triage and analysis\n\n### Investigating AdFind Command Activity\n\n[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) of this tool being adopted by ransomware and criminal groups and used in compromises.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line to determine what information was retrieved by the tool.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in isolation, so reviewing previous logs/activity from impacted machines can be very telling.\n\n### Related rules\n\n- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1\n- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d\n- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"AdFind.exe\" or process.pe.original_file_name == \"AdFind.exe\") and\n process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\",\n \"objectcategory=person\", \"(objectcategory=person)\",\n \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n \"objectcategory=group\", \"(objectcategory=group)\",\n \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n", "references": ["http://www.joeware.net/freetools/tools/adfind/", "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": 
"process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "eda499b8-a073-4e35-9733-22ec71f57f3a_108", "type": 
"security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_109.json b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_109.json
deleted file mode 100644
index 8c859faa1c2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "AdFind Command Activity", "note": "## Triage and analysis\n\n### Investigating AdFind Command Activity\n\n[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) of this tool being adopted by ransomware and criminal groups and used in compromises.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line to determine what information was retrieved by the tool.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in isolation, so reviewing previous logs/activity from impacted machines can be very telling.\n\n### Related rules\n\n- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1\n- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d\n- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"AdFind.exe\" or ?process.pe.original_file_name == \"AdFind.exe\") and\n process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\",\n \"objectcategory=person\", \"(objectcategory=person)\",\n \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n \"objectcategory=group\", \"(objectcategory=group)\",\n \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n", "references": ["http://www.joeware.net/freetools/tools/adfind/", "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": 
"keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": 
"eda499b8-a073-4e35-9733-22ec71f57f3a_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_110.json b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_110.json
deleted file mode 100644
index 7b55d591259..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "AdFind Command Activity", "note": "## Triage and analysis\n\n### Investigating AdFind Command Activity\n\n[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) of this tool being adopted by ransomware and criminal groups and used in compromises.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line to determine what information was retrieved by the tool.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in isolation, so reviewing previous logs/activity from impacted machines can be very telling.\n\n### Related rules\n\n- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1\n- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d\n- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"AdFind.exe\" or ?process.pe.original_file_name == \"AdFind.exe\") and\n process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\",\n \"objectcategory=person\", \"(objectcategory=person)\",\n \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n \"objectcategory=group\", \"(objectcategory=group)\",\n \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n", "references": ["http://www.joeware.net/freetools/tools/adfind/", "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": 
"keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": 
"eda499b8-a073-4e35-9733-22ec71f57f3a_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_111.json b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_111.json
deleted file mode 100644
index 382683f1096..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "AdFind Command Activity", "note": "## Triage and analysis\n\n### Investigating AdFind Command Activity\n\n[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) of this tool being adopted by ransomware and criminal groups and used in compromises.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line to determine what information was retrieved by the tool.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in isolation, so reviewing previous logs/activity from impacted machines can be very telling.\n\n### Related rules\n\n- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1\n- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d\n- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"AdFind.exe\" or ?process.pe.original_file_name == \"AdFind.exe\") and\n process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\",\n \"objectcategory=person\", \"(objectcategory=person)\",\n \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n \"objectcategory=group\", \"(objectcategory=group)\",\n \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n", "references": ["http://www.joeware.net/freetools/tools/adfind/", "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": 
"keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}, {"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": 
"eda499b8-a073-4e35-9733-22ec71f57f3a_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_112.json b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_112.json
deleted file mode 100644
index 9196ad77f25..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_112.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "AdFind Command Activity", "note": "## Triage and analysis\n\n### Investigating AdFind Command Activity\n\n[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) of this tool being adopted by ransomware and criminal groups and used in compromises.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line to determine what information was retrieved by the tool.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in isolation, so reviewing previous logs/activity from impacted machines can be very telling.\n\n### Related rules\n\n- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1\n- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d\n- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"AdFind.exe\" or ?process.pe.original_file_name == \"AdFind.exe\") and\n process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\",\n \"objectcategory=person\", \"(objectcategory=person)\",\n \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n \"objectcategory=group\", \"(objectcategory=group)\",\n \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n", "references": ["http://www.joeware.net/freetools/tools/adfind/", "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": 
"keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/"}, {"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": 
"eda499b8-a073-4e35-9733-22ec71f57f3a_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_113.json b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_113.json
deleted file mode 100644
index 3851c406bf8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_113.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "AdFind Command Activity", "note": "## Triage and analysis\n\n### Investigating AdFind Command Activity\n\n[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) of this tool being adopted by ransomware and criminal groups and used in compromises.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line to determine what information was retrieved by the tool.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in isolation, so reviewing previous logs/activity from impacted machines can be very telling.\n\n### Related rules\n\n- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1\n- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d\n- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"AdFind.exe\" or ?process.pe.original_file_name == \"AdFind.exe\") and\n process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\",\n \"objectcategory=person\", \"(objectcategory=person)\",\n \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n \"objectcategory=group\", \"(objectcategory=group)\",\n \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n", "references": ["http://www.joeware.net/freetools/tools/adfind/", "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": 
"keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/"}, {"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}]}], "timestamp_override": "event.ingested", "type": "eql", 
"version": 113}, "id": "eda499b8-a073-4e35-9733-22ec71f57f3a_113", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_313.json b/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_313.json
deleted file mode 100644
index 4e710fa7bea..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/eda499b8-a073-4e35-9733-22ec71f57f3a_313.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "AdFind Command Activity", "note": "## Triage and analysis\n\n### Investigating AdFind Command Activity\n\n[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) of this tool being adopted by ransomware and criminal groups and used in compromises.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Examine the command line to determine what information was retrieved by the tool.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- This rule has a high chance to produce false positives as it is a legitimate tool used by network administrators.\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in isolation, so reviewing previous logs/activity from impacted machines can be very telling.\n\n### Related rules\n\n- Windows Network Enumeration - 7b8bfc26-81d2-435e-965c-d722ee397ef1\n- Enumeration of Administrator Accounts - 871ea072-1b71-4def-b016-6278b505138d\n- Enumeration Command Spawned via WMIPrvSE - 770e0c4d-b998-41e5-a62e-c7901fd7f470\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"AdFind.exe\" or ?process.pe.original_file_name == \"AdFind.exe\") and\n process.args : (\"objectcategory=computer\", \"(objectcategory=computer)\",\n \"objectcategory=person\", \"(objectcategory=person)\",\n \"objectcategory=subnet\", \"(objectcategory=subnet)\",\n \"objectcategory=group\", \"(objectcategory=group)\",\n \"objectcategory=organizationalunit\", \"(objectcategory=organizationalunit)\",\n \"objectcategory=attributeschema\", \"(objectcategory=attributeschema)\",\n \"domainlist\", \"dcmodes\", \"adinfo\", \"dclist\", \"computers_pwnotreqd\", \"trustdmp\")\n", "references": ["http://www.joeware.net/freetools/tools/adfind/", "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": 
"keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "eda499b8-a073-4e35-9733-22ec71f57f3a", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/"}, {"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}, {"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": "https://attack.mitre.org/techniques/T1482/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 313}, "id": "eda499b8-a073-4e35-9733-22ec71f57f3a_313", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a.json b/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a.json
deleted file mode 100644
index 343e7cd2693..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deactivated and the behavior is expected."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Application", "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Application\n\nThis rule detects attempts to deactivate an Okta application. Unauthorized deactivation could lead to disruption of services and pose a significant risk to the organization.\n\n#### Possible investigation steps:\n- Identify the actor associated with the deactivation attempt by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the client used by the actor. 
Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\n- Understand the context of the event from the `okta.debug_context.debug_data` and `okta.authentication_context` fields.\n- Check the `okta.outcome.result` and `okta.outcome.reason` fields to see if the attempt was successful or failed.\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\n- Analyze the `okta.transaction.id` and `okta.transaction.type` fields to understand the context of the transaction.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- It might be a false positive if the action was part of a planned activity, performed by an authorized person, or if the `okta.outcome.result` field shows a failure.\n- An unsuccessful attempt might also indicate an authorized user having trouble rather than a malicious activity.\n\n### Response and remediation:\n- If unauthorized deactivation attempts are confirmed, initiate the incident response process.\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- If the deactivated application was crucial for business operations, coordinate with the relevant team to reactivate it and minimize the impact.", "query": "event.dataset:okta.system and event.action:application.lifecycle.deactivate\n", "references": 
["https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_102.json b/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_102.json
deleted file mode 100644
index cab60ab274d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deactivated and the behavior is expected."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Application", "note": "", "query": "event.dataset:okta.system and event.action:application.lifecycle.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring", "Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_103.json b/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_103.json
deleted file mode 100644
index 776d0b9de90..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deactivated and the behavior is expected."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Application", "note": "", "query": "event.dataset:okta.system and event.action:application.lifecycle.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_104.json b/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_104.json
deleted file mode 100644
index ea30176187b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deactivated and the behavior is expected."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Application", "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Application\n\nThis rule detects attempts to deactivate an Okta application. Unauthorized deactivation could lead to disruption of services and pose a significant risk to the organization.\n\n#### Possible investigation steps:\n- Identify the actor associated with the deactivation attempt by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\n- Understand the context of the event from the `okta.debug_context.debug_data` and `okta.authentication_context` fields.\n- Check the `okta.outcome.result` and `okta.outcome.reason` fields to see if the attempt was successful or failed.\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\n- Analyze the `okta.transaction.id` and `okta.transaction.type` fields to understand the context of the transaction.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- It might be a false positive if the action was part of a planned activity, performed by an authorized person, or if the `okta.outcome.result` field shows a failure.\n- An unsuccessful attempt might also indicate an authorized user having trouble rather than a malicious activity.\n\n### Response and remediation:\n- If unauthorized deactivation attempts are confirmed, initiate the incident response process.\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- If the deactivated application was crucial for business operations, coordinate with the relevant team to reactivate it and minimize the impact.", "query": "event.dataset:okta.system and event.action:application.lifecycle.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_105.json b/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_105.json
deleted file mode 100644
index 2128d826e5f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deactivated and the behavior is expected."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Application", "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Application\n\nThis rule detects attempts to deactivate an Okta application. Unauthorized deactivation could lead to disruption of services and pose a significant risk to the organization.\n\n#### Possible investigation steps:\n- Identify the actor associated with the deactivation attempt by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\n- Understand the context of the event from the `okta.debug_context.debug_data` and `okta.authentication_context` fields.\n- Check the `okta.outcome.result` and `okta.outcome.reason` fields to see if the attempt was successful or failed.\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\n- Analyze the `okta.transaction.id` and `okta.transaction.type` fields to understand the context of the transaction.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- It might be a false positive if the action was part of a planned activity, performed by an authorized person, or if the `okta.outcome.result` field shows a failure.\n- An unsuccessful attempt might also indicate an authorized user having trouble rather than a malicious activity.\n\n### Response and remediation:\n- If unauthorized deactivation attempts are confirmed, initiate the incident response process.\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- If the deactivated application was crucial for business operations, coordinate with the relevant team to reactivate it and minimize the impact.", "query": "event.dataset:okta.system and event.action:application.lifecycle.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_206.json b/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_206.json
deleted file mode 100644
index 465d72232c1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_206.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deactivated and the behavior is expected."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Application", "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Application\n\nThis rule detects attempts to deactivate an Okta application. Unauthorized deactivation could lead to disruption of services and pose a significant risk to the organization.\n\n#### Possible investigation steps:\n- Identify the actor associated with the deactivation attempt by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\n- Understand the context of the event from the `okta.debug_context.debug_data` and `okta.authentication_context` fields.\n- Check the `okta.outcome.result` and `okta.outcome.reason` fields to see if the attempt was successful or failed.\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\n- Analyze the `okta.transaction.id` and `okta.transaction.type` fields to understand the context of the transaction.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- It might be a false positive if the action was part of a planned activity, performed by an authorized person, or if the `okta.outcome.result` field shows a failure.\n- An unsuccessful attempt might also indicate an authorized user having trouble rather than a malicious activity.\n\n### Response and remediation:\n- If unauthorized deactivation attempts are confirmed, initiate the incident response process.\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- If the deactivated application was crucial for business operations, coordinate with the relevant team to reactivate it and minimize the impact.", "query": "event.dataset:okta.system and event.action:application.lifecycle.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_206", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_207.json b/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_207.json
deleted file mode 100644
index 413cca72157..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_207.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deactivated and the behavior is expected."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Application", "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Application\n\nThis rule detects attempts to deactivate an Okta application. Unauthorized deactivation could lead to disruption of services and pose a significant risk to the organization.\n\n#### Possible investigation steps:\n- Identify the actor associated with the deactivation attempt by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\n- Understand the context of the event from the `okta.debug_context.debug_data` and `okta.authentication_context` fields.\n- Check the `okta.outcome.result` and `okta.outcome.reason` fields to see if the attempt was successful or failed.\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\n- Analyze the `okta.transaction.id` and `okta.transaction.type` fields to understand the context of the transaction.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- It might be a false positive if the action was part of a planned activity, performed by an authorized person, or if the `okta.outcome.result` field shows a failure.\n- An unsuccessful attempt might also indicate an authorized user having trouble rather than a malicious activity.\n\n### Response and remediation:\n- If unauthorized deactivation attempts are confirmed, initiate the incident response process.\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- If the deactivated application was crucial for business operations, coordinate with the relevant team to reactivate it and minimize the impact.", "query": "event.dataset:okta.system and event.action:application.lifecycle.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 207}, "id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_207", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_209.json b/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_209.json
deleted file mode 100644
index 0f4f74f40cb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_209.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.", "false_positives": ["Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deactivated and the behavior is expected."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Attempt to Deactivate an Okta Application", "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Application\n\nThis rule detects attempts to deactivate an Okta application. Unauthorized deactivation could lead to disruption of services and pose a significant risk to the organization.\n\n#### Possible investigation steps:\n- Identify the actor associated with the deactivation attempt by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\n- Understand the context of the event from the `okta.debug_context.debug_data` and `okta.authentication_context` fields.\n- Check the `okta.outcome.result` and `okta.outcome.reason` fields to see if the attempt was successful or failed.\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\n- Analyze the `okta.transaction.id` and `okta.transaction.type` fields to understand the context of the transaction.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- It might be a false positive if the action was part of a planned activity, performed by an authorized person, or if the `okta.outcome.result` field shows a failure.\n- An unsuccessful attempt might also indicate an authorized user having trouble rather than a malicious activity.\n\n### Response and remediation:\n- If unauthorized deactivation attempts are confirmed, initiate the incident response process.\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- If the deactivated application was crucial for business operations, coordinate with the relevant team to reactivate it and minimize the impact.", "query": "event.dataset:okta.system and event.action:application.lifecycle.deactivate\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 21, "rule_id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1489", "name": "Service Stop", "reference": "https://attack.mitre.org/techniques/T1489/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_209", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_309.json b/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_309.json
new file mode 100644
index 00000000000..75f94c7e918
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_309.json
@@ -0,0 +1,77 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects attempts to deactivate an Okta application. An adversary may attempt to modify, deactivate, or delete an Okta application in order to weaken an organization's security controls or disrupt their business operations.",
+ "false_positives": [
+ "Consider adding exceptions to this rule to filter false positives if your organization's Okta applications are regularly deactivated and the behavior is expected."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Attempt to Deactivate an Okta Application",
+ "note": "## Triage and analysis\n\n### Investigating Attempt to Deactivate an Okta Application\n\nThis rule detects attempts to deactivate an Okta application. Unauthorized deactivation could lead to disruption of services and pose a significant risk to the organization.\n\n#### Possible investigation steps:\n- Identify the actor associated with the deactivation attempt by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.\n- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.\n- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.\n- Understand the context of the event from the `okta.debug_context.debug_data` and `okta.authentication_context` fields.\n- Check the `okta.outcome.result` and `okta.outcome.reason` fields to see if the attempt was successful or failed.\n- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.\n- Analyze the `okta.transaction.id` and `okta.transaction.type` fields to understand the context of the transaction.\n- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.\n\n### False positive analysis:\n- It might be a false positive if the action was part of a planned activity, performed by an authorized person, or if the `okta.outcome.result` field shows a failure.\n- An unsuccessful attempt might also indicate an authorized user having trouble rather than a malicious activity.\n\n### Response and remediation:\n- If unauthorized deactivation attempts are confirmed, initiate the incident response process.\n- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.\n- Reset the user's password and enforce MFA re-enrollment, if applicable.\n- Conduct a review of Okta policies and ensure they are in accordance with security best practices.\n- If the deactivated application was crucial for business operations, coordinate with the relevant team to reactivate it and minimize the impact.",
+ "query": "event.dataset:okta.system and event.action:application.lifecycle.deactivate\n",
+ "references": [
+ "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm",
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "low",
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Impact"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0040",
+ "name": "Impact",
+ "reference": "https://attack.mitre.org/tactics/TA0040/"
+ },
+ "technique": [
+ {
+ "id": "T1489",
+ "name": "Service Stop",
+ "reference": "https://attack.mitre.org/techniques/T1489/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 309
+ },
+ "id": "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a_309",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3.json b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3.json
deleted file mode 100644
index 6b400f50558..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "ImageLoad via Windows Update Auto Update Client", "note": "## Triage and analysis\n\n### Investigating ImageLoad via Windows Update Auto Update Client\n\nThe Windows Update Auto Update Client (wuauclt.exe) is the component responsible for managing system updates. However, adversaries may abuse this process to load a malicious DLL and execute malicious code while blending into a legitimate system mechanism. \n\nThis rule identifies potential abuse for code execution by monitoring for specific process arguments (\"/RunHandlerComServer\" and \"/UpdateDeploymentProvider\") and common writable paths where the target DLL can be placed (e.g., \"C:\\Users\\*.dll\", \"C:\\ProgramData\\*.dll\", etc.).\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line and identify the DLL location.\n- Examine whether the DLL is signed.\n- Retrieve the DLL and determine if it is malicious:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate the behavior of child processes, such as network connections, registry or file modifications, and any spawned processes.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.pe.original_file_name == \"wuauclt.exe\" or process.name : \"wuauclt.exe\") and\n /* necessary windows update client args to load a dll */\n process.args : \"/RunHandlerComServer\" and process.args : \"/UpdateDeploymentProvider\" and\n /* common paths writeable by a standard user where the target DLL can be placed */\n process.args : (\"C:\\\\Users\\\\*.dll\", \"C:\\\\ProgramData\\\\*.dll\", \"C:\\\\Windows\\\\Temp\\\\*.dll\", \"C:\\\\Windows\\\\Tasks\\\\*.dll\")\n", "references": ["https://dtm.uk/wuauclt/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_104.json b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_104.json deleted file mode 100644 index 91f5d61d9f6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "ImageLoad via Windows Update Auto Update Client", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name == \"wuauclt.exe\" or process.name : \"wuauclt.exe\") and\n /* necessary windows update client args to load a dll */\n process.args : \"/RunHandlerComServer\" and process.args : \"/UpdateDeploymentProvider\" and\n /* common paths writeable by a standard user where the target DLL can be placed */\n process.args : (\"C:\\\\Users\\\\*.dll\", \"C:\\\\ProgramData\\\\*.dll\", \"C:\\\\Windows\\\\Temp\\\\*.dll\", \"C:\\\\Windows\\\\Tasks\\\\*.dll\")\n", "references": ["https://dtm.uk/wuauclt/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", 
"Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_105.json b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_105.json deleted file mode 100644 index b19cbeaac7d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "ImageLoad via Windows Update Auto Update Client", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name == \"wuauclt.exe\" or process.name : \"wuauclt.exe\") and\n /* necessary windows update client args to load a dll */\n process.args : \"/RunHandlerComServer\" and process.args : \"/UpdateDeploymentProvider\" and\n /* common paths writeable by a standard user where the target DLL can be placed */\n process.args : (\"C:\\\\Users\\\\*.dll\", \"C:\\\\ProgramData\\\\*.dll\", \"C:\\\\Windows\\\\Temp\\\\*.dll\", \"C:\\\\Windows\\\\Tasks\\\\*.dll\")\n", "references": ["https://dtm.uk/wuauclt/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: 
Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_106.json b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_106.json deleted file mode 100644 index aa8af444e19..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "ImageLoad via Windows Update Auto Update Client", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name == \"wuauclt.exe\" or process.name : \"wuauclt.exe\") and\n /* necessary windows update client args to load a dll */\n process.args : \"/RunHandlerComServer\" and process.args : \"/UpdateDeploymentProvider\" and\n /* common paths writeable by a standard user where the target DLL can be placed */\n process.args : (\"C:\\\\Users\\\\*.dll\", \"C:\\\\ProgramData\\\\*.dll\", \"C:\\\\Windows\\\\Temp\\\\*.dll\", \"C:\\\\Windows\\\\Tasks\\\\*.dll\")\n", "references": ["https://dtm.uk/wuauclt/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: 
Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_107.json b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_107.json deleted file mode 100644 index 9dad73b9802..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "ImageLoad via Windows Update Auto Update Client", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name == \"wuauclt.exe\" or process.name : \"wuauclt.exe\") and\n /* necessary windows update client args to load a dll */\n process.args : \"/RunHandlerComServer\" and process.args : \"/UpdateDeploymentProvider\" and\n /* common paths writeable by a standard user where the target DLL can be placed */\n process.args : (\"C:\\\\Users\\\\*.dll\", \"C:\\\\ProgramData\\\\*.dll\", \"C:\\\\Windows\\\\Temp\\\\*.dll\", \"C:\\\\Windows\\\\Tasks\\\\*.dll\")\n", "references": ["https://dtm.uk/wuauclt/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: 
Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_108.json b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_108.json deleted file mode 100644 index 64a98534f02..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "ImageLoad via Windows Update Auto Update Client", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name == \"wuauclt.exe\" or process.name : \"wuauclt.exe\") and\n /* necessary windows update client args to load a dll */\n process.args : \"/RunHandlerComServer\" and process.args : \"/UpdateDeploymentProvider\" and\n /* common paths writeable by a standard user where the target DLL can be placed */\n process.args : (\"C:\\\\Users\\\\*.dll\", \"C:\\\\ProgramData\\\\*.dll\", \"C:\\\\Windows\\\\Temp\\\\*.dll\", \"C:\\\\Windows\\\\Tasks\\\\*.dll\")\n", "references": ["https://dtm.uk/wuauclt/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a 
custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_109.json b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_109.json deleted file mode 100644 index 01cc867ef56..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "ImageLoad via Windows Update Auto Update Client", "note": "## Triage and analysis\n\n### Investigating ImageLoad via Windows Update Auto Update Client\n\nThe Windows Update Auto Update Client (wuauclt.exe) is the component responsible for managing system updates. However, adversaries may abuse this process to load a malicious DLL and execute malicious code while blending into a legitimate system mechanism. \n\nThis rule identifies potential abuse for code execution by monitoring for specific process arguments (\"/RunHandlerComServer\" and \"/UpdateDeploymentProvider\") and common writable paths where the target DLL can be placed (e.g., \"C:\\Users\\*.dll\", \"C:\\ProgramData\\*.dll\", etc.).\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line and identify the DLL location.\n- Examine whether the DLL is signed.\n- Retrieve the DLL and determine if it is malicious:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate the behavior of child processes, such as network connections, registry or file modifications, and any spawned processes.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.pe.original_file_name == \"wuauclt.exe\" or process.name : \"wuauclt.exe\") and\n /* necessary windows update client args to load a dll */\n process.args : \"/RunHandlerComServer\" and process.args : \"/UpdateDeploymentProvider\" and\n /* common paths writeable by a standard user where the target DLL can be placed */\n process.args : (\"C:\\\\Users\\\\*.dll\", \"C:\\\\ProgramData\\\\*.dll\", \"C:\\\\Windows\\\\Temp\\\\*.dll\", \"C:\\\\Windows\\\\Tasks\\\\*.dll\")\n", "references": ["https://dtm.uk/wuauclt/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_110.json b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_110.json deleted file mode 100644 index 0a907a034db..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "ImageLoad via Windows Update Auto Update Client", "note": "## Triage and analysis\n\n### Investigating ImageLoad via Windows Update Auto Update Client\n\nThe Windows Update Auto Update Client (wuauclt.exe) is the component responsible for managing system updates. However, adversaries may abuse this process to load a malicious DLL and execute malicious code while blending into a legitimate system mechanism. \n\nThis rule identifies potential abuse for code execution by monitoring for specific process arguments (\"/RunHandlerComServer\" and \"/UpdateDeploymentProvider\") and common writable paths where the target DLL can be placed (e.g., \"C:\\Users\\*.dll\", \"C:\\ProgramData\\*.dll\", etc.).\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line and identify the DLL location.\n- Examine whether the DLL is signed.\n- Retrieve the DLL and determine if it is malicious:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate the behavior of child processes, such as network connections, registry or file modifications, and any spawned processes.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.pe.original_file_name == \"wuauclt.exe\" or process.name : \"wuauclt.exe\") and\n /* necessary windows update client args to load a dll */\n process.args : \"/RunHandlerComServer\" and process.args : \"/UpdateDeploymentProvider\" and\n /* common paths writeable by a standard user where the target DLL can be placed */\n process.args : (\"C:\\\\Users\\\\*.dll\", \"C:\\\\ProgramData\\\\*.dll\", \"C:\\\\Windows\\\\Temp\\\\*.dll\", \"C:\\\\Windows\\\\Tasks\\\\*.dll\")\n", "references": ["https://dtm.uk/wuauclt/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_111.json b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_111.json deleted file mode 100644 index 1733959497a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "ImageLoad via Windows Update Auto Update Client", "note": "## Triage and analysis\n\n### Investigating ImageLoad via Windows Update Auto Update Client\n\nThe Windows Update Auto Update Client (wuauclt.exe) is the component responsible for managing system updates. However, adversaries may abuse this process to load a malicious DLL and execute malicious code while blending into a legitimate system mechanism. \n\nThis rule identifies potential abuse for code execution by monitoring for specific process arguments (\"/RunHandlerComServer\" and \"/UpdateDeploymentProvider\") and common writable paths where the target DLL can be placed (e.g., \"C:\\Users\\*.dll\", \"C:\\ProgramData\\*.dll\", etc.).\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line and identify the DLL location.\n- Examine whether the DLL is signed.\n- Retrieve the DLL and determine if it is malicious:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate the behavior of child processes, such as network connections, registry or file modifications, and any spawned processes.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.pe.original_file_name == \"wuauclt.exe\" or process.name : \"wuauclt.exe\") and\n /* necessary windows update client args to load a dll */\n process.args : \"/RunHandlerComServer\" and process.args : \"/UpdateDeploymentProvider\" and\n /* common paths writeable by a standard user where the target DLL can be placed */\n process.args : (\"C:\\\\Users\\\\*.dll\", \"C:\\\\ProgramData\\\\*.dll\", \"C:\\\\Windows\\\\Temp\\\\*.dll\", \"C:\\\\Windows\\\\Tasks\\\\*.dll\")\n", "references": ["https://dtm.uk/wuauclt/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_112.json b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_112.json deleted file mode 100644 index 01edc13b2d1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_112.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "ImageLoad via Windows Update Auto Update Client", "note": "## Triage and analysis\n\n### Investigating ImageLoad via Windows Update Auto Update Client\n\nThe Windows Update Auto Update Client (wuauclt.exe) is the component responsible for managing system updates. However, adversaries may abuse this process to load a malicious DLL and execute malicious code while blending into a legitimate system mechanism. \n\nThis rule identifies potential abuse for code execution by monitoring for specific process arguments (\"/RunHandlerComServer\" and \"/UpdateDeploymentProvider\") and common writable paths where the target DLL can be placed (e.g., \"C:\\Users\\*.dll\", \"C:\\ProgramData\\*.dll\", etc.).\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line and identify the DLL location.\n- Examine whether the DLL is signed.\n- Retrieve the DLL and determine if it is malicious:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate the behavior of child processes, such as network connections, registry or file modifications, and any spawned processes.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.pe.original_file_name == \"wuauclt.exe\" or process.name : \"wuauclt.exe\") and\n /* necessary windows update client args to load a dll */\n process.args : \"/RunHandlerComServer\" and process.args : \"/UpdateDeploymentProvider\" and\n /* common paths writeable by a standard user where the target DLL can be placed */\n process.args : (\"C:\\\\Users\\\\*.dll\", \"C:\\\\ProgramData\\\\*.dll\", \"C:\\\\Windows\\\\Temp\\\\*.dll\", \"C:\\\\Windows\\\\Tasks\\\\*.dll\")\n", "references": ["https://dtm.uk/wuauclt/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_113.json b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_113.json deleted file mode 100644 index 9f19aec2fa9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_113.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "ImageLoad via Windows Update Auto Update Client", "note": "## Triage and analysis\n\n### Investigating ImageLoad via Windows Update Auto Update Client\n\nThe Windows Update Auto Update Client (wuauclt.exe) is the component responsible for managing system updates. However, adversaries may abuse this process to load a malicious DLL and execute malicious code while blending into a legitimate system mechanism. \n\nThis rule identifies potential abuse for code execution by monitoring for specific process arguments (\"/RunHandlerComServer\" and \"/UpdateDeploymentProvider\") and common writable paths where the target DLL can be placed (e.g., \"C:\\Users\\*.dll\", \"C:\\ProgramData\\*.dll\", etc.).\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line and identify the DLL location.\n- Examine whether the DLL is signed.\n- Retrieve the DLL and determine if it is malicious:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate the behavior of child processes, such as network connections, registry or file modifications, and any spawned processes.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.pe.original_file_name == \"wuauclt.exe\" or process.name : \"wuauclt.exe\") and\n /* necessary windows update client args to load a dll */\n process.args : \"/RunHandlerComServer\" and process.args : \"/UpdateDeploymentProvider\" and\n /* common paths writeable by a standard user where the target DLL can be placed */\n process.args : (\"C:\\\\Users\\\\*.dll\", \"C:\\\\ProgramData\\\\*.dll\", \"C:\\\\Windows\\\\Temp\\\\*.dll\", \"C:\\\\Windows\\\\Tasks\\\\*.dll\")\n", "references": ["https://dtm.uk/wuauclt/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3_113", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_313.json b/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_313.json deleted file mode 100644 index db07f10a6f9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/edf8ee23-5ea7-4123-ba19-56b41e424ae3_313.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies abuse of the Windows Update Auto Update Client (wuauclt.exe) to load an arbitrary DLL. This behavior is used as a defense evasion technique to blend-in malicious activity with legitimate Windows software.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "ImageLoad via Windows Update Auto Update Client", "note": "## Triage and analysis\n\n### Investigating ImageLoad via Windows Update Auto Update Client\n\nThe Windows Update Auto Update Client (wuauclt.exe) is the component responsible for managing system updates. However, adversaries may abuse this process to load a malicious DLL and execute malicious code while blending into a legitimate system mechanism. \n\nThis rule identifies potential abuse for code execution by monitoring for specific process arguments (\"/RunHandlerComServer\" and \"/UpdateDeploymentProvider\") and common writable paths where the target DLL can be placed (e.g., \"C:\\Users\\*.dll\", \"C:\\ProgramData\\*.dll\", etc.).\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the command line and identify the DLL location.\n- Examine whether the DLL is signed.\n- Retrieve the DLL and determine if it is malicious:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, 
pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate the behavior of child processes, such as network connections, registry or file modifications, and any spawned processes.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (?process.pe.original_file_name == \"wuauclt.exe\" or process.name : \"wuauclt.exe\") and\n /* necessary windows update client args to load a dll */\n process.args : \"/RunHandlerComServer\" and process.args : \"/UpdateDeploymentProvider\" and\n /* common paths writeable by a standard user where the target DLL can be placed */\n process.args : (\"C:\\\\Users\\\\*.dll\", \"C:\\\\ProgramData\\\\*.dll\", \"C:\\\\Windows\\\\Temp\\\\*.dll\", \"C:\\\\Windows\\\\Tasks\\\\*.dll\")\n", "references": ["https://dtm.uk/wuauclt/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data 
Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 313}, "id": "edf8ee23-5ea7-4123-ba19-56b41e424ae3_313", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c.json b/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c.json deleted file mode 100644 index dceb1b1ba17..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create new users. Attackers may add new users to establish persistence on a system.", "from": "now-9m", "index": ["filebeat-*", "logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "name": "Linux User Account Creation", "note": "## Triage and analysis\n\n### Investigating Linux User Account Creation\n\nThe `useradd` and `adduser` commands are used to create new user accounts in Linux-based operating systems.\n\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\n\nThis rule identifies the usage of `useradd` and `adduser` to create new accounts.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the user was created succesfully.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "iam where host.os.type == \"linux\" and (event.type == \"user\" and event.type == \"creation\") and\nprocess.name in (\"useradd\", \"adduser\") and user.name != null\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "edfd5ca9-9d6c-44d9-b615-1e56b920219c", "setup": "## Setup\n\nThis rule 
requires data coming in from Filebeat.\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the \u201cFilebeat System Module\u201d to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "edfd5ca9-9d6c-44d9-b615-1e56b920219c", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_1.json b/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_1.json deleted file mode 100644 index 920afb0c436..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create new users. Attackers may add new users to establish persistence on a system.", "from": "now-9m", "index": ["logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "name": "Linux User Account Creation", "query": "iam where host.os.type == \"linux\" and (event.type == \"user\" and event.type == \"creation\") and\nprocess.name in (\"useradd\", \"adduser\") and user.name != null\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "edfd5ca9-9d6c-44d9-b615-1e56b920219c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "edfd5ca9-9d6c-44d9-b615-1e56b920219c_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_2.json b/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_2.json deleted file mode 100644 index 0b79cc3b7fd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create new users. Attackers may add new users to establish persistence on a system.", "from": "now-9m", "index": ["logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "name": "Linux User Account Creation", "note": "## Triage and analysis\n\n### Investigating Linux User Account Creation\n\nThe `useradd` and `adduser` commands are used to create new user accounts in Linux-based operating systems.\n\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\n\nThis rule identifies the usage of `useradd` and `adduser` to create new accounts.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the user was created succesfully.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "iam where host.os.type == \"linux\" and (event.type == \"user\" and event.type == \"creation\") and\nprocess.name in (\"useradd\", \"adduser\") and user.name != null\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "edfd5ca9-9d6c-44d9-b615-1e56b920219c", "severity": "low", "tags": 
["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "edfd5ca9-9d6c-44d9-b615-1e56b920219c_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_3.json b/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_3.json deleted file mode 100644 index abaea6c737e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create new users. Attackers may add new users to establish persistence on a system.", "from": "now-9m", "index": ["logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "name": "Linux User Account Creation", "note": "## Triage and analysis\n\n### Investigating Linux User Account Creation\n\nThe `useradd` and `adduser` commands are used to create new user accounts in Linux-based operating systems.\n\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\n\nThis rule identifies the usage of `useradd` and `adduser` to create new accounts.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the user was created succesfully.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "iam where host.os.type == \"linux\" and (event.type == \"user\" and event.type == \"creation\") and\nprocess.name in (\"useradd\", \"adduser\") and user.name != null\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "edfd5ca9-9d6c-44d9-b615-1e56b920219c", "setup": "\nThis rule requires 
data coming in from Filebeat.\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the \u201cFilebeat System Module\u201d to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "edfd5ca9-9d6c-44d9-b615-1e56b920219c_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_4.json b/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_4.json deleted file mode 100644 index 684e7056460..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create new users. Attackers may add new users to establish persistence on a system.", "from": "now-9m", "index": ["logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "name": "Linux User Account Creation", "note": "## Triage and analysis\n\n### Investigating Linux User Account Creation\n\nThe `useradd` and `adduser` commands are used to create new user accounts in Linux-based operating systems.\n\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\n\nThis rule identifies the usage of `useradd` and `adduser` to create new accounts.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the user was created succesfully.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "iam where host.os.type == \"linux\" and (event.type == \"user\" and event.type == \"creation\") and\nprocess.name in (\"useradd\", \"adduser\") and user.name != null\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "edfd5ca9-9d6c-44d9-b615-1e56b920219c", "setup": "## Setup\n\nThis rule 
requires data coming in from Filebeat.\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the \u201cFilebeat System Module\u201d to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "edfd5ca9-9d6c-44d9-b615-1e56b920219c_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_5.json b/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_5.json
deleted file mode 100644
index 08579df3edf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/edfd5ca9-9d6c-44d9-b615-1e56b920219c_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies attempts to create new users. Attackers may add new users to establish persistence on a system.", "from": "now-9m", "index": ["filebeat-*", "logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "name": "Linux User Account Creation", "note": "## Triage and analysis\n\n### Investigating Linux User Account Creation\n\nThe `useradd` and `adduser` commands are used to create new user accounts in Linux-based operating systems.\n\nAttackers may create new accounts (both local and domain) to maintain access to victim systems.\n\nThis rule identifies the usage of `useradd` and `adduser` to create new accounts.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate whether the user was created succesfully.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Identify if the account was added to privileged groups or assigned special privileges after creation.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific Group\",\"query\":\"SELECT * FROM groups WHERE groupname = {{group.name}}\"}}\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- Account creation is a common administrative task, so there is a high chance of the activity being legitimate. 
Before investigating further, verify that this activity is not benign.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Delete the created account.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "iam where host.os.type == \"linux\" and (event.type == \"user\" and event.type == \"creation\") and\nprocess.name in (\"useradd\", \"adduser\") and user.name != null\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "edfd5ca9-9d6c-44d9-b615-1e56b920219c", "setup": "## Setup\n\nThis rule 
requires data coming in from Filebeat.\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the \u201cFilebeat System Module\u201d to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "edfd5ca9-9d6c-44d9-b615-1e56b920219c_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e.json b/packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e.json
deleted file mode 100644
index 426558efbe3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Detects when Okta FastPass prevents a user from authenticating to a phishing website.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Okta FastPass Phishing Detection", "note": "", "query": "event.dataset:okta.system and event.category:authentication and\n okta.event_type:user.authentication.auth_via_mfa and event.outcome:failure and okta.outcome.reason:\"FastPass declined phishing attempt\"\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://sec.okta.com/fastpassphishingdetection", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.reason", "type": "keyword"}], "risk_score": 47, "rule_id": "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\nThis rule requires Okta to have the following turned on:\n\nOkta Identity Engine - select 'Phishing Resistance for FastPass' under Settings > Features in the Admin Console.", "severity": "medium", "tags": ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/"}]}], "timestamp_override": 
"event.ingested", "type": "query", "version": 103}, "id": "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_103.json b/packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_103.json deleted file mode 100644 index a670283b976..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Detects when Okta FastPass prevents a user from authenticating to a phishing website.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Okta FastPass Phishing Detection", "note": "", "query": "event.dataset:okta.system and event.category:authentication and\n okta.event_type:user.authentication.auth_via_mfa and event.outcome:failure and okta.outcome.reason:\"FastPass declined phishing attempt\"\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://sec.okta.com/fastpassphishingdetection", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.reason", "type": "keyword"}], "risk_score": 47, "rule_id": "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\nThis rule requires Okta to have the following turned on:\n\nOkta Identity Engine - select 'Phishing Resistance for FastPass' under Settings > Features in the Admin Console.", "severity": "medium", "tags": ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/"}]}], "timestamp_override": 
"event.ingested", "type": "query", "version": 103}, "id": "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_104.json b/packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_104.json deleted file mode 100644 index b2a01ffef89..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Detects when Okta FastPass prevents a user from authenticating to a phishing website.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Okta FastPass Phishing Detection", "note": "", "query": "event.dataset:okta.system and event.category:authentication and\n okta.event_type:user.authentication.auth_via_mfa and event.outcome:failure and okta.outcome.reason:\"FastPass declined phishing attempt\"\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://sec.okta.com/fastpassphishingdetection", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.reason", "type": "keyword"}], "risk_score": 47, "rule_id": "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\nThis rule requires Okta to have the following turned on:\n\nOkta Identity Engine - select 'Phishing Resistance for FastPass' under Settings > Features in the Admin Console.", "severity": "medium", "tags": ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": 
"https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_106.json b/packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_106.json deleted file mode 100644 index 9e82ae9bc83..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Detects when Okta FastPass prevents a user from authenticating to a phishing website.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Okta FastPass Phishing Detection", "note": "", "query": "event.dataset:okta.system and event.category:authentication and\n okta.event_type:user.authentication.auth_via_mfa and event.outcome:failure and okta.outcome.reason:\"FastPass declined phishing attempt\"\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://sec.okta.com/fastpassphishingdetection", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.reason", "type": "keyword"}], "risk_score": 47, "rule_id": "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\nThis rule requires Okta to have the following turned on:\n\nOkta Identity Engine - select 'Phishing Resistance for FastPass' under Settings > Features in the Admin Console.", "severity": "medium", "tags": ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": 
"https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_2.json b/packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_2.json deleted file mode 100644 index a8d6119c9b5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Detects when Okta FastPass prevents a user from authenticating to a phishing website.", "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Okta FastPass Phishing Detection", "note": "", "query": "event.dataset:okta.system and event.category:authentication and \n okta.event_type:user.authentication.auth_via_mfa and event.outcome:failure and okta.outcome.reason:\"FastPass declined phishing attempt\"\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://sec.okta.com/fastpassphishingdetection", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": false, "name": "okta.event_type", "type": "keyword"}, {"ecs": false, "name": "okta.outcome.reason", "type": "keyword"}], "risk_score": 47, "rule_id": "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\nThis rule requires Okta to have the following turned on:\n\nOkta Identity Engine - select 'Phishing Resistance for FastPass' under Settings > Features in the Admin Console.", "severity": "medium", "tags": ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/"}]}], "timestamp_override": 
"event.ingested", "type": "query", "version": 2}, "id": "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_206.json b/packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_206.json new file mode 100644 index 00000000000..e10c14ae57e --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_206.json 
@@ -0,0 +1,89 @@
+{
+ "attributes": {
+ "author": [
+ "Austin Songer"
+ ],
+ "description": "Detects when Okta FastPass prevents a user from authenticating to a phishing website.",
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Okta FastPass Phishing Detection",
+ "note": "",
+ "query": "event.dataset:okta.system and event.category:authentication and\n okta.event_type:user.authentication.auth_via_mfa and event.outcome:failure and okta.outcome.reason:\"FastPass declined phishing attempt\"\n",
+ "references": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://sec.okta.com/fastpassphishingdetection",
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.outcome",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "okta.event_type",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "okta.outcome.reason",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n\nThis rule requires Okta to have the following turned on:\n\nOkta Identity Engine - select 'Phishing Resistance for FastPass' under Settings > Features in the Admin Console.",
+ "severity": "medium",
+ "tags": [
+ "Tactic: Initial Access",
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1566",
+ "name": "Phishing",
+ "reference": "https://attack.mitre.org/techniques/T1566/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 206
+ },
+ "id": "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e_206",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1.json b/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1.json
deleted file mode 100644
index 7c466922b24..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.", "false_positives": ["Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and signature information."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Print Spooler Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"spoolsv.exe\" and process.command_line != null and \n (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n\n /* exclusions for FP control below */\n not process.name : (\"splwow64.exe\", \"PDFCreator.exe\", \"acrodist.exe\", \"spoolsv.exe\", \"msiexec.exe\", \"route.exe\", \"WerFault.exe\") and\n not process.command_line : \"*\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS*\" and\n not (process.name : \"net.exe\" and process.command_line : (\"*stop*\", \"*start*\")) and\n not (process.name : (\"cmd.exe\", \"powershell.exe\") and process.command_line : (\"*.spl*\", \"*\\\\program files*\", \"*route add*\")) and\n not (process.name : \"netsh.exe\" and process.command_line : (\"*add portopening*\", \"*rule name*\")) and\n not (process.name : \"regsvr32.exe\" and process.command_line : \"*PrintConfig.dll*\") and\n not process.executable : (\n \"?:\\\\Program Files (x86)\\\\CutePDF Writer\\\\CPWriter2.exe\",\n \"?:\\\\Program Files (x86)\\\\GPLGS\\\\gswin32c.exe\"\n )\n", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, 
{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 47, "rule_id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_102.json b/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_102.json
deleted file mode 100644
index 062c880f5eb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.", "false_positives": ["Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and signature information."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Print Spooler Child Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"spoolsv.exe\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n\n /* exclusions for FP control below */\n not process.name : (\"splwow64.exe\", \"PDFCreator.exe\", \"acrodist.exe\", \"spoolsv.exe\", \"msiexec.exe\", \"route.exe\", \"WerFault.exe\") and\n not process.command_line : \"*\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS*\" and\n not (process.name : \"net.exe\" and process.command_line : (\"*stop*\", \"*start*\")) and\n not (process.name : (\"cmd.exe\", \"powershell.exe\") and process.command_line : (\"*.spl*\", \"*\\\\program files*\", \"*route add*\")) and\n not (process.name : \"netsh.exe\" and process.command_line : (\"*add portopening*\", \"*rule name*\")) and\n not (process.name : \"regsvr32.exe\" and process.command_line : \"*PrintConfig.dll*\")\n", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": 
"unknown"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 47, "rule_id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_103.json b/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_103.json deleted file mode 100644 index 44c9492a6ee..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.", "false_positives": ["Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and signature information."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Print Spooler Child Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"spoolsv.exe\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n\n /* exclusions for FP control below */\n not process.name : (\"splwow64.exe\", \"PDFCreator.exe\", \"acrodist.exe\", \"spoolsv.exe\", \"msiexec.exe\", \"route.exe\", \"WerFault.exe\") and\n not process.command_line : \"*\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS*\" and\n not (process.name : \"net.exe\" and process.command_line : (\"*stop*\", \"*start*\")) and\n not (process.name : (\"cmd.exe\", \"powershell.exe\") and process.command_line : (\"*.spl*\", \"*\\\\program files*\", \"*route add*\")) and\n not (process.name : \"netsh.exe\" and process.command_line : (\"*add portopening*\", \"*rule name*\")) and\n not (process.name : \"regsvr32.exe\" and process.command_line : \"*PrintConfig.dll*\")\n", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": 
"unknown"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 47, "rule_id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_104.json b/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_104.json deleted file mode 100644 index 889ccf4f99d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.", "false_positives": ["Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and signature information."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Print Spooler Child Process", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"spoolsv.exe\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n\n /* exclusions for FP control below */\n not process.name : (\"splwow64.exe\", \"PDFCreator.exe\", \"acrodist.exe\", \"spoolsv.exe\", \"msiexec.exe\", \"route.exe\", \"WerFault.exe\") and\n not process.command_line : \"*\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS*\" and\n not (process.name : \"net.exe\" and process.command_line : (\"*stop*\", \"*start*\")) and\n not (process.name : (\"cmd.exe\", \"powershell.exe\") and process.command_line : (\"*.spl*\", \"*\\\\program files*\", \"*route add*\")) and\n not (process.name : \"netsh.exe\" and process.command_line : (\"*add portopening*\", \"*rule name*\")) and\n not (process.name : \"regsvr32.exe\" and process.command_line : \"*PrintConfig.dll*\")\n", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": 
"unknown"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 47, "rule_id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_105.json b/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_105.json deleted file mode 100644 index 89a3419a01c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.", "false_positives": ["Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and signature information."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Print Spooler Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"spoolsv.exe\" and\n (?process.Ext.token.integrity_level_name : \"System\" or\n ?winlog.event_data.IntegrityLevel : \"System\") and\n\n /* exclusions for FP control below */\n not process.name : (\"splwow64.exe\", \"PDFCreator.exe\", \"acrodist.exe\", \"spoolsv.exe\", \"msiexec.exe\", \"route.exe\", \"WerFault.exe\") and\n not process.command_line : \"*\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS*\" and\n not (process.name : \"net.exe\" and process.command_line : (\"*stop*\", \"*start*\")) and\n not (process.name : (\"cmd.exe\", \"powershell.exe\") and process.command_line : (\"*.spl*\", \"*\\\\program files*\", \"*route add*\")) and\n not (process.name : \"netsh.exe\" and process.command_line : (\"*add portopening*\", \"*rule name*\")) and\n not (process.name : \"regsvr32.exe\" and process.command_line : \"*PrintConfig.dll*\")\n", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": 
true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 47, "rule_id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_106.json b/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_106.json deleted file mode 100644 index 9ef5ec0640b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.", "false_positives": ["Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and signature information."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Print Spooler Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"spoolsv.exe\" and process.command_line != null and \n (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n\n /* exclusions for FP control below */\n not process.name : (\"splwow64.exe\", \"PDFCreator.exe\", \"acrodist.exe\", \"spoolsv.exe\", \"msiexec.exe\", \"route.exe\", \"WerFault.exe\") and\n not process.command_line : \"*\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS*\" and\n not (process.name : \"net.exe\" and process.command_line : (\"*stop*\", \"*start*\")) and\n not (process.name : (\"cmd.exe\", \"powershell.exe\") and process.command_line : (\"*.spl*\", \"*\\\\program files*\", \"*route add*\")) and\n not (process.name : \"netsh.exe\" and process.command_line : (\"*add portopening*\", \"*rule name*\")) and\n not (process.name : \"regsvr32.exe\" and process.command_line : \"*PrintConfig.dll*\") and\n not process.executable : (\n \"?:\\\\Program Files (x86)\\\\CutePDF Writer\\\\CPWriter2.exe\",\n \"?:\\\\Program Files (x86)\\\\GPLGS\\\\gswin32c.exe\"\n )\n", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": 
"system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 47, "rule_id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_107.json b/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_107.json
deleted file mode 100644
index bb336f968c3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.", "false_positives": ["Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and signature information."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Print Spooler Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"spoolsv.exe\" and process.command_line != null and \n (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n\n /* exclusions for FP control below */\n not process.name : (\"splwow64.exe\", \"PDFCreator.exe\", \"acrodist.exe\", \"spoolsv.exe\", \"msiexec.exe\", \"route.exe\", \"WerFault.exe\") and\n not process.command_line : \"*\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS*\" and\n not (process.name : \"net.exe\" and process.command_line : (\"*stop*\", \"*start*\")) and\n not (process.name : (\"cmd.exe\", \"powershell.exe\") and process.command_line : (\"*.spl*\", \"*\\\\program files*\", \"*route add*\")) and\n not (process.name : \"netsh.exe\" and process.command_line : (\"*add portopening*\", \"*rule name*\")) and\n not (process.name : \"regsvr32.exe\" and process.command_line : \"*PrintConfig.dll*\") and\n not process.executable : (\n \"?:\\\\Program Files (x86)\\\\CutePDF Writer\\\\CPWriter2.exe\",\n \"?:\\\\Program Files (x86)\\\\GPLGS\\\\gswin32c.exe\"\n )\n", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": 
"system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 47, "rule_id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_108.json b/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_108.json
deleted file mode 100644
index 4de9925b9e0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.", "false_positives": ["Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and signature information."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Print Spooler Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"spoolsv.exe\" and process.command_line != null and \n (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n\n /* exclusions for FP control below */\n not process.name : (\"splwow64.exe\", \"PDFCreator.exe\", \"acrodist.exe\", \"spoolsv.exe\", \"msiexec.exe\", \"route.exe\", \"WerFault.exe\") and\n not process.command_line : \"*\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS*\" and\n not (process.name : \"net.exe\" and process.command_line : (\"*stop*\", \"*start*\")) and\n not (process.name : (\"cmd.exe\", \"powershell.exe\") and process.command_line : (\"*.spl*\", \"*\\\\program files*\", \"*route add*\")) and\n not (process.name : \"netsh.exe\" and process.command_line : (\"*add portopening*\", \"*rule name*\")) and\n not (process.name : \"regsvr32.exe\" and process.command_line : \"*PrintConfig.dll*\") and\n not process.executable : (\n \"?:\\\\Program Files (x86)\\\\CutePDF Writer\\\\CPWriter2.exe\",\n \"?:\\\\Program Files (x86)\\\\GPLGS\\\\gswin32c.exe\"\n )\n", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, 
{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 47, "rule_id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1_108", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_109.json b/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_109.json
deleted file mode 100644
index 5992a04e519..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ee5300a7-7e31-4a72-a258-250abb8b3aa1_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege escalation vulnerabilities related to the Printing Service on Windows.", "false_positives": ["Install or update of a legitimate printing driver. Verify the printer driver file metadata such as manufacturer and signature information."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Unusual Print Spooler Child Process", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"spoolsv.exe\" and process.command_line != null and \n (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n\n /* exclusions for FP control below */\n not process.name : (\"splwow64.exe\", \"PDFCreator.exe\", \"acrodist.exe\", \"spoolsv.exe\", \"msiexec.exe\", \"route.exe\", \"WerFault.exe\") and\n not process.command_line : \"*\\\\WINDOWS\\\\system32\\\\spool\\\\DRIVERS*\" and\n not (process.name : \"net.exe\" and process.command_line : (\"*stop*\", \"*start*\")) and\n not (process.name : (\"cmd.exe\", \"powershell.exe\") and process.command_line : (\"*.spl*\", \"*\\\\program files*\", \"*route add*\")) and\n not (process.name : \"netsh.exe\" and process.command_line : (\"*add portopening*\", \"*rule name*\")) and\n not (process.name : \"regsvr32.exe\" and process.command_line : \"*PrintConfig.dll*\") and\n not process.executable : (\n \"?:\\\\Program Files (x86)\\\\CutePDF Writer\\\\CPWriter2.exe\",\n \"?:\\\\Program Files (x86)\\\\GPLGS\\\\gswin32c.exe\"\n )\n", "references": ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, 
{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 47, "rule_id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "ee5300a7-7e31-4a72-a258-250abb8b3aa1_109", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ee53d67a-5f0c-423c-a53c-8084ae562b5c.json b/packages/security_detection_engine/kibana/security_rule/ee53d67a-5f0c-423c-a53c-8084ae562b5c.json
deleted file mode 100644
index 2f90c288d55..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ee53d67a-5f0c-423c-a53c-8084ae562b5c.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies shortcut files written to or modified in the startup folder. Adversaries may use this technique to maintain persistence.", "from": "now-9m", "index": ["logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Shortcut File Written or Modified on Startup Folder", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.extension == \"lnk\" and\n file.path : (\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\"\n ) and\n not (\n (process.name : \"ONENOTE.EXE\" and process.code_signature.status: \"trusted\" and file.name : \"*OneNote.lnk\") or\n (process.name : \"OktaVerifySetup.exe\" and process.code_signature.status: \"trusted\" and file.name : \"Okta Verify.lnk\") or\n (process.name : \"OneLaunch.exe\" and process.code_signature.status: \"trusted\" and file.name : \"OneLaunch*.lnk\") or\n (process.name : \"APPServerClient.exe\" and process.code_signature.status: \"trusted\" and file.name : \"Parallels Client.lnk\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "ee53d67a-5f0c-423c-a53c-8084ae562b5c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", 
"Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}, {"id": "T1547.009", "name": "Shortcut Modification", "reference": "https://attack.mitre.org/techniques/T1547/009/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "ee53d67a-5f0c-423c-a53c-8084ae562b5c", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ee53d67a-5f0c-423c-a53c-8084ae562b5c_1.json b/packages/security_detection_engine/kibana/security_rule/ee53d67a-5f0c-423c-a53c-8084ae562b5c_1.json deleted file mode 100644 index 308b6bc2779..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ee53d67a-5f0c-423c-a53c-8084ae562b5c_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies shortcut files written to or modified in the startup folder. Adversaries may use this technique to maintain persistence.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Shortcut File Written or Modified on Startup Folder", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.extension == \"lnk\" and\n file.path : (\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\"\n ) and\n not (\n (process.name : \"ONENOTE.EXE\" and process.code_signature.status: \"trusted\" and file.name : \"Send to OneNote.lnk\") or\n (process.name: \"OktaVerifySetup.exe\" and process.code_signature.status: \"trusted\" and file.name : \"Okta Verify.lnk\")\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "ee53d67a-5f0c-423c-a53c-8084ae562b5c", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or 
Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}, {"id": "T1547.009", "name": "Shortcut Modification", "reference": "https://attack.mitre.org/techniques/T1547/009/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "ee53d67a-5f0c-423c-a53c-8084ae562b5c_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32.json b/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32.json deleted file mode 100644 index 3f260688191..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privacy Control Bypass via TCCDB Modification", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"sqlite*\" and\n process.args : \"/*/Application Support/com.apple.TCC/TCC.db\" and\n not process.parent.executable : \"/Library/Bitdefender/AVP/product/bin/*\"\n", "references": ["https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/", "https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh", "https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "eea82229-b002-470e-a9e1-00be38b14d32", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "eea82229-b002-470e-a9e1-00be38b14d32", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_102.json b/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_102.json deleted file mode 100644 index ba5609ced76..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privacy Control Bypass via TCCDB Modification", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"sqlite*\" and\n process.args : \"/*/Application Support/com.apple.TCC/TCC.db\" and\n not process.parent.executable : \"/Library/Bitdefender/AVP/product/bin/*\"\n", "references": ["https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/", "https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh", "https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "eea82229-b002-470e-a9e1-00be38b14d32", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Defense 
Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "eea82229-b002-470e-a9e1-00be38b14d32_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_103.json b/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_103.json deleted file mode 100644 index 1a66df6688a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privacy Control Bypass via TCCDB Modification", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"sqlite*\" and\n process.args : \"/*/Application Support/com.apple.TCC/TCC.db\" and\n not process.parent.executable : \"/Library/Bitdefender/AVP/product/bin/*\"\n", "references": ["https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/", "https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh", "https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "eea82229-b002-470e-a9e1-00be38b14d32", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat 
Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "eea82229-b002-470e-a9e1-00be38b14d32_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_104.json b/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_104.json deleted file mode 100644 index 9e03e3e6b09..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privacy Control Bypass via TCCDB Modification", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"sqlite*\" and\n process.args : \"/*/Application Support/com.apple.TCC/TCC.db\" and\n not process.parent.executable : \"/Library/Bitdefender/AVP/product/bin/*\"\n", "references": ["https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/", "https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh", "https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "eea82229-b002-470e-a9e1-00be38b14d32", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat 
Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "eea82229-b002-470e-a9e1-00be38b14d32_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_105.json b/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_105.json deleted file mode 100644 index 3ad2e08990b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privacy Control Bypass via TCCDB Modification", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"sqlite*\" and\n process.args : \"/*/Application Support/com.apple.TCC/TCC.db\" and\n not process.parent.executable : \"/Library/Bitdefender/AVP/product/bin/*\"\n", "references": ["https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/", "https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh", "https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "eea82229-b002-470e-a9e1-00be38b14d32", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "eea82229-b002-470e-a9e1-00be38b14d32_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_106.json b/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_106.json deleted file mode 100644 index 50af29b3b5f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/eea82229-b002-470e-a9e1-00be38b14d32_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privacy Control Bypass via TCCDB Modification", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"sqlite*\" and\n process.args : \"/*/Application Support/com.apple.TCC/TCC.db\" and\n not process.parent.executable : \"/Library/Bitdefender/AVP/product/bin/*\"\n", "references": ["https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/", "https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh", "https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "eea82229-b002-470e-a9e1-00be38b14d32", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "eea82229-b002-470e-a9e1-00be38b14d32_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3.json b/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3.json deleted file mode 100644 index 73cbafa56a7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when the tc (transmission control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network interface. Tc is used to configure Traffic Control in the Linux kernel. It can shape, schedule, police and drop traffic. A threat actor can utilize tc to set a bpf filter on an interface for the purpose of manipulating the incoming traffic. This technique is not at all common and should indicate abnormal, suspicious or malicious activity.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "BPF filter applied using TC", "query": "process where host.os.type == \"linux\" and event.type != \"end\" and process.executable == \"/usr/sbin/tc\" and\nprocess.args == \"filter\" and process.args == \"add\" and process.args == \"bpf\" and\nnot process.parent.executable == \"/usr/sbin/libvirtd\"\n", "references": ["https://github.com/h3xduck/TripleCross/blob/master/src/helpers/deployer.sh", "https://man7.org/linux/man-pages/man8/tc.8.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "ef04a476-07ec-48fc-8f3d-5e1742de76d3", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: TripleCross", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "ef04a476-07ec-48fc-8f3d-5e1742de76d3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_103.json b/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_103.json deleted file mode 100644 index 20e438be6d7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when the tc (transmission control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network interface. Tc is used to configure Traffic Control in the Linux kernel. It can shape, schedule, police and drop traffic. A threat actor can utilize tc to set a bpf filter on an interface for the purpose of manipulating the incoming traffic. This technique is not at all common and should indicate abnormal, suspicious or malicious activity.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "BPF filter applied using TC", "query": "process where host.os.type == \"linux\" and event.type != \"end\" and process.executable : \"/usr/sbin/tc\" and process.args : \"filter\" and process.args : \"add\" and process.args : \"bpf\" and not process.parent.executable: \"/usr/sbin/libvirtd\"\n", "references": ["https://github.com/h3xduck/TripleCross/blob/master/src/helpers/deployer.sh", "https://man7.org/linux/man-pages/man8/tc.8.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "ef04a476-07ec-48fc-8f3d-5e1742de76d3", "severity": "high", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "TripleCross", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": 
"T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "ef04a476-07ec-48fc-8f3d-5e1742de76d3_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_104.json b/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_104.json deleted file mode 100644 index 2763e8651dd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when the tc (transmission control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network interface. Tc is used to configure Traffic Control in the Linux kernel. It can shape, schedule, police and drop traffic. A threat actor can utilize tc to set a bpf filter on an interface for the purpose of manipulating the incoming traffic. This technique is not at all common and should indicate abnormal, suspicious or malicious activity.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "BPF filter applied using TC", "query": "process where host.os.type == \"linux\" and event.type != \"end\" and process.executable : \"/usr/sbin/tc\" and process.args : \"filter\" and process.args : \"add\" and process.args : \"bpf\" and not process.parent.executable: \"/usr/sbin/libvirtd\"\n", "references": ["https://github.com/h3xduck/TripleCross/blob/master/src/helpers/deployer.sh", "https://man7.org/linux/man-pages/man8/tc.8.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "ef04a476-07ec-48fc-8f3d-5e1742de76d3", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: TripleCross", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": 
"https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "ef04a476-07ec-48fc-8f3d-5e1742de76d3_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_105.json b/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_105.json deleted file mode 100644 index aa4e58dfbbd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when the tc (transmission control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network interface. Tc is used to configure Traffic Control in the Linux kernel. It can shape, schedule, police and drop traffic. A threat actor can utilize tc to set a bpf filter on an interface for the purpose of manipulating the incoming traffic. This technique is not at all common and should indicate abnormal, suspicious or malicious activity.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "BPF filter applied using TC", "query": "process where host.os.type == \"linux\" and event.type != \"end\" and process.executable : \"/usr/sbin/tc\" and process.args : \"filter\" and process.args : \"add\" and process.args : \"bpf\" and not process.parent.executable: \"/usr/sbin/libvirtd\"\n", "references": ["https://github.com/h3xduck/TripleCross/blob/master/src/helpers/deployer.sh", "https://man7.org/linux/man-pages/man8/tc.8.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "ef04a476-07ec-48fc-8f3d-5e1742de76d3", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: TripleCross", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": 
"https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "ef04a476-07ec-48fc-8f3d-5e1742de76d3_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_106.json b/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_106.json deleted file mode 100644 index de158f85af7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when the tc (transmission control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network interface. Tc is used to configure Traffic Control in the Linux kernel. It can shape, schedule, police and drop traffic. A threat actor can utilize tc to set a bpf filter on an interface for the purpose of manipulating the incoming traffic. This technique is not at all common and should indicate abnormal, suspicious or malicious activity.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "BPF filter applied using TC", "query": "process where host.os.type == \"linux\" and event.type != \"end\" and process.executable : \"/usr/sbin/tc\" and process.args : \"filter\" and process.args : \"add\" and process.args : \"bpf\" and not process.parent.executable: \"/usr/sbin/libvirtd\"\n", "references": ["https://github.com/h3xduck/TripleCross/blob/master/src/helpers/deployer.sh", "https://man7.org/linux/man-pages/man8/tc.8.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "ef04a476-07ec-48fc-8f3d-5e1742de76d3", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: TripleCross", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "ef04a476-07ec-48fc-8f3d-5e1742de76d3_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_107.json b/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_107.json deleted file mode 100644 index 0b704c5d9b7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ef04a476-07ec-48fc-8f3d-5e1742de76d3_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when the tc (transmission control) binary is utilized to set a BPF (Berkeley Packet Filter) on a network interface. Tc is used to configure Traffic Control in the Linux kernel. It can shape, schedule, police and drop traffic. A threat actor can utilize tc to set a bpf filter on an interface for the purpose of manipulating the incoming traffic. This technique is not at all common and should indicate abnormal, suspicious or malicious activity.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "BPF filter applied using TC", "query": "process where host.os.type == \"linux\" and event.type != \"end\" and process.executable : \"/usr/sbin/tc\" and process.args : \"filter\" and process.args : \"add\" and process.args : \"bpf\" and not process.parent.executable: \"/usr/sbin/libvirtd\"\n", "references": ["https://github.com/h3xduck/TripleCross/blob/master/src/helpers/deployer.sh", "https://man7.org/linux/man-pages/man8/tc.8.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "ef04a476-07ec-48fc-8f3d-5e1742de76d3", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: TripleCross", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "ef04a476-07ec-48fc-8f3d-5e1742de76d3_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311.json b/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311.json deleted file mode 100644 index c9c5f0a7181..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz. Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Credential Dumping via Proc Filesystem", "query": "sequence by host.id, process.parent.name with maxspan=1m\n [process where host.os.type == \"linux\" and process.name == \"ps\" and event.action == \"exec\"\n and process.args in (\"-eo\", \"pid\", \"command\")]\n [process where host.os.type == \"linux\" and process.name == \"strings\" and event.action == \"exec\"\n and process.args : \"/tmp/*\"]\n", "references": ["https://github.com/huntergregal/mimipenguin", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.007", "name": "Proc Filesystem", "reference": "https://attack.mitre.org/techniques/T1003/007/"}]}, {"id": "T1212", "name": "Exploitation for Credential Access", "reference": "https://attack.mitre.org/techniques/T1212/"}]}], "type": "eql", "version": 7}, "id": "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_1.json b/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_1.json deleted file mode 100644 index 2855c2d4d0a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz. Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Credential Dumping via Proc Filesystem", "query": "sequence by process.parent.name,host.name with maxspan=1m\n[process where host.os.type == \"linux\" and process.name == \"ps\" and event.action == \"exec\"\n and process.args in (\"-eo\", \"pid\", \"command\") ]\n\n[process where host.os.type == \"linux\" and process.name == \"strings\" and event.action == \"exec\"\n and process.args : \"/tmp/*\" ]\n", "references": ["https://github.com/huntergregal/mimipenguin", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential 
Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.007", "name": "Proc Filesystem", "reference": "https://attack.mitre.org/techniques/T1003/007/"}]}, {"id": "T1212", "name": "Exploitation for Credential Access", "reference": "https://attack.mitre.org/techniques/T1212/"}]}], "type": "eql", "version": 1}, "id": "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_2.json b/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_2.json deleted file mode 100644 index cb21c62dc0c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_2.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz. Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Credential Dumping via Proc Filesystem", "query": "sequence by process.parent.name,host.name with maxspan=1m\n[process where host.os.type == \"linux\" and process.name == \"ps\" and event.action == \"exec\"\n and process.args in (\"-eo\", \"pid\", \"command\") ]\n\n[process where host.os.type == \"linux\" and process.name == \"strings\" and event.action == \"exec\"\n and process.args : \"/tmp/*\" ]\n", "references": ["https://github.com/huntergregal/mimipenguin", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, 
"technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.007", "name": "Proc Filesystem", "reference": "https://attack.mitre.org/techniques/T1003/007/"}]}, {"id": "T1212", "name": "Exploitation for Credential Access", "reference": "https://attack.mitre.org/techniques/T1212/"}]}], "type": "eql", "version": 2}, "id": "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_3.json b/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_3.json
deleted file mode 100644
index a71449fe778..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz. Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Credential Dumping via Proc Filesystem", "query": "sequence by process.parent.name,host.name with maxspan=1m\n[process where host.os.type == \"linux\" and process.name == \"ps\" and event.action == \"exec\"\n and process.args in (\"-eo\", \"pid\", \"command\") ]\n\n[process where host.os.type == \"linux\" and process.name == \"strings\" and event.action == \"exec\"\n and process.args : \"/tmp/*\" ]\n", "references": ["https://github.com/huntergregal/mimipenguin", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": 
"https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.007", "name": "Proc Filesystem", "reference": "https://attack.mitre.org/techniques/T1003/007/"}]}, {"id": "T1212", "name": "Exploitation for Credential Access", "reference": "https://attack.mitre.org/techniques/T1212/"}]}], "type": "eql", "version": 3}, "id": "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_4.json b/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_4.json
deleted file mode 100644
index a1d4ec7f12f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz. Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Credential Dumping via Proc Filesystem", "query": "sequence by process.parent.name,host.name with maxspan=1m\n[process where host.os.type == \"linux\" and process.name == \"ps\" and event.action == \"exec\"\n and process.args in (\"-eo\", \"pid\", \"command\") ]\n\n[process where host.os.type == \"linux\" and process.name == \"strings\" and event.action == \"exec\"\n and process.args : \"/tmp/*\" ]\n", "references": ["https://github.com/huntergregal/mimipenguin", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.007", "name": "Proc Filesystem", "reference": "https://attack.mitre.org/techniques/T1003/007/"}]}, {"id": "T1212", "name": "Exploitation for Credential Access", "reference": "https://attack.mitre.org/techniques/T1212/"}]}], "type": "eql", "version": 4}, "id": "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_5.json b/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_5.json
deleted file mode 100644
index 1be18d5ffdd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz. Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Credential Dumping via Proc Filesystem", "query": "sequence by process.parent.name,host.name with maxspan=1m\n[process where host.os.type == \"linux\" and process.name == \"ps\" and event.action == \"exec\"\n and process.args in (\"-eo\", \"pid\", \"command\") ]\n\n[process where host.os.type == \"linux\" and process.name == \"strings\" and event.action == \"exec\"\n and process.args : \"/tmp/*\" ]\n", "references": ["https://github.com/huntergregal/mimipenguin", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.007", "name": "Proc Filesystem", "reference": "https://attack.mitre.org/techniques/T1003/007/"}]}, {"id": "T1212", "name": "Exploitation for Credential Access", "reference": "https://attack.mitre.org/techniques/T1212/"}]}], "type": "eql", "version": 5}, "id": "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_6.json b/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_6.json
deleted file mode 100644
index a0f6b0725e9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of the mimipenguin exploit script which is linux adaptation of Windows tool mimikatz. Mimipenguin exploit script is used to dump clear text passwords from a currently logged-in user. The tool exploits a known vulnerability CVE-2018-20781. Malicious actors can exploit the cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Linux Credential Dumping via Proc Filesystem", "query": "sequence by host.id, process.parent.name with maxspan=1m\n [process where host.os.type == \"linux\" and process.name == \"ps\" and event.action == \"exec\"\n and process.args in (\"-eo\", \"pid\", \"command\")]\n [process where host.os.type == \"linux\" and process.name == \"strings\" and event.action == \"exec\"\n and process.args : \"/tmp/*\"]\n", "references": ["https://github.com/huntergregal/mimipenguin", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.007", "name": "Proc Filesystem", "reference": "https://attack.mitre.org/techniques/T1003/007/"}]}, {"id": "T1212", "name": "Exploitation for Credential Access", "reference": "https://attack.mitre.org/techniques/T1212/"}]}], "type": "eql", "version": 6}, "id": "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ef65e82c-d8b4-4895-9824-5f6bc6166804.json b/packages/security_detection_engine/kibana/security_rule/ef65e82c-d8b4-4895-9824-5f6bc6166804.json
deleted file mode 100644
index 962fef65fc7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ef65e82c-d8b4-4895-9824-5f6bc6166804.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects modification of the cgroup notify_on_release file from inside a container. When the notify_on_release flag is enabled (1) in a cgroup, then whenever the last task in the cgroup exits or attaches to another cgroup, the command specified in the release_agent file is run and invoked from the host. A privileged container with SYS_ADMIN capabilities, enables a threat actor to mount a cgroup directory and modify the notify_on_release flag in order to take advantage of this feature, which could be used for further privilege escalation and container escapes to the host machine.", "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "Potential Container Escape via Modified notify_on_release File", "query": "file where event.module == \"cloud_defend\" and event.action == \"open\" and \nevent.type == \"change\" and file.name : \"notify_on_release\"\n", "references": ["https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/", "https://sysdig.com/blog/detecting-mitigating-cve-2022-0492-sysdig/"], "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.module", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}], "risk_score": 73, "rule_id": "ef65e82c-d8b4-4895-9824-5f6bc6166804", "severity": "high", "tags": ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1611", "name": "Escape to Host", "reference": 
"https://attack.mitre.org/techniques/T1611/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "ef65e82c-d8b4-4895-9824-5f6bc6166804", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2.json b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2.json
deleted file mode 100644
index e26de1e5af0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.", "false_positives": ["Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.*", "endgame-*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Whoami Process Activity", "note": "## Triage and analysis\n\n### Investigating Whoami Process Activity\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `whoami` utility. Attackers commonly use this utility to measure their current privileges, discover the current user, determine if a privilege escalation was successful, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"whoami.exe\" and\n(\n (\n /* scoped for whoami execution under system privileges */\n (\n user.domain : (\"NT *\", \"* NT\", \"IIS APPPOOL\") and\n user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\", \"S-1-5-82-*\") and\n not ?winlog.event_data.SubjectUserName : \"*$\"\n ) and\n not (\n process.parent.name : \"cmd.exe\" and\n process.parent.args : (\n \"chcp 437>nul 2>&1 & C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"chcp 437>nul 2>&1 & %systemroot%\\\\system32\\\\whoami /user\",\n \"C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"*WINDOWS\\\\system32\\\\config\\\\systemprofile*\"\n )\n ) and\n not (process.parent.executable : \"C:\\\\Windows\\\\system32\\\\inetsrv\\\\appcmd.exe\" and process.parent.args : \"LIST\") and\n not process.parent.executable : (\n \"C:\\\\Program 
Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\",\n \"C:\\\\Program Files\\\\Cohesity\\\\cohesity_windows_agent_service.exe\"\n )\n ) or\n process.parent.name : (\"wsmprovhost.exe\", \"w3wp.exe\", \"wmiprvse.exe\", \"rundll32.exe\", \"regsvr32.exe\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 21, "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", 
"name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "ef862985-3f13-4262-a686-5f357bbb9bc2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_105.json b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_105.json
deleted file mode 100644
index 5a37ca55f09..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.", "false_positives": ["Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "logs-system.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Whoami Process Activity", "note": "## Triage and analysis\n\n### Investigating Whoami Process Activity\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `whoami` utility. Attackers commonly use this utility to measure their current privileges, discover the current user, determine if a privilege escalation was successful, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"whoami.exe\" and\n(\n\n (/* scoped for whoami execution under system privileges */\n (user.domain : (\"NT AUTHORITY\", \"NT-AUTORIT\u00c4T\", \"AUTORITE NT\", \"IIS APPPOOL\") or user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")) and\n\n not (process.parent.name : \"cmd.exe\" and\n process.parent.args : (\"chcp 437>nul 2>&1 & C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"chcp 437>nul 2>&1 & %systemroot%\\\\system32\\\\whoami /user\",\n \"C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"*WINDOWS\\\\system32\\\\config\\\\systemprofile*\")) and\n not (process.parent.executable : \"C:\\\\Windows\\\\system32\\\\inetsrv\\\\appcmd.exe\" and process.parent.args : \"LIST\") and\n not process.parent.executable : (\"C:\\\\Program Files\\\\Microsoft Monitoring 
Agent\\\\Agent\\\\MonitoringHost.exe\",\n \"C:\\\\Program Files\\\\Cohesity\\\\cohesity_windows_agent_service.exe\")) or\n\n process.parent.name : (\"wsmprovhost.exe\", \"w3wp.exe\", \"wmiprvse.exe\", \"rundll32.exe\", \"regsvr32.exe\")\n\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "ef862985-3f13-4262-a686-5f357bbb9bc2_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_106.json b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_106.json
deleted file mode 100644
index 5655515bf9d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.", "false_positives": ["Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "logs-system.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Whoami Process Activity", "note": "## Triage and analysis\n\n### Investigating Whoami Process Activity\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `whoami` utility. Attackers commonly use this utility to measure their current privileges, discover the current user, determine if a privilege escalation was successful, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"whoami.exe\" and\n(\n\n (/* scoped for whoami execution under system privileges */\n (user.domain : (\"NT AUTHORITY\", \"NT-AUTORIT\u00c4T\", \"AUTORITE NT\", \"IIS APPPOOL\") or user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")) and\n\n not (process.parent.name : \"cmd.exe\" and\n process.parent.args : (\"chcp 437>nul 2>&1 & C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"chcp 437>nul 2>&1 & %systemroot%\\\\system32\\\\whoami /user\",\n \"C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"*WINDOWS\\\\system32\\\\config\\\\systemprofile*\")) and\n not (process.parent.executable : \"C:\\\\Windows\\\\system32\\\\inetsrv\\\\appcmd.exe\" and process.parent.args : \"LIST\") and\n not process.parent.executable : (\"C:\\\\Program Files\\\\Microsoft Monitoring 
Agent\\\\Agent\\\\MonitoringHost.exe\",\n \"C:\\\\Program Files\\\\Cohesity\\\\cohesity_windows_agent_service.exe\")) or\n\n process.parent.name : (\"wsmprovhost.exe\", \"w3wp.exe\", \"wmiprvse.exe\", \"rundll32.exe\", \"regsvr32.exe\")\n\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "ef862985-3f13-4262-a686-5f357bbb9bc2_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_107.json b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_107.json
deleted file mode 100644
index 82a9c31383d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.", "false_positives": ["Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "logs-system.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Whoami Process Activity", "note": "## Triage and analysis\n\n### Investigating Whoami Process Activity\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `whoami` utility. Attackers commonly use this utility to measure their current privileges, discover the current user, determine if a privilege escalation was successful, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"whoami.exe\" and\n(\n\n (/* scoped for whoami execution under system privileges */\n (user.domain : (\"NT AUTHORITY\", \"NT-AUTORIT\u00c4T\", \"AUTORITE NT\", \"IIS APPPOOL\") or user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")) and\n\n not (process.parent.name : \"cmd.exe\" and\n process.parent.args : (\"chcp 437>nul 2>&1 & C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"chcp 437>nul 2>&1 & %systemroot%\\\\system32\\\\whoami /user\",\n \"C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"*WINDOWS\\\\system32\\\\config\\\\systemprofile*\")) and\n not (process.parent.executable : \"C:\\\\Windows\\\\system32\\\\inetsrv\\\\appcmd.exe\" and process.parent.args : \"LIST\") and\n not process.parent.executable : (\"C:\\\\Program Files\\\\Microsoft Monitoring 
Agent\\\\Agent\\\\MonitoringHost.exe\",\n \"C:\\\\Program Files\\\\Cohesity\\\\cohesity_windows_agent_service.exe\")) or\n\n process.parent.name : (\"wsmprovhost.exe\", \"w3wp.exe\", \"wmiprvse.exe\", \"rundll32.exe\", \"regsvr32.exe\")\n\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "ef862985-3f13-4262-a686-5f357bbb9bc2_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_108.json b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_108.json
deleted file mode 100644
index 284e15fb0ac..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.", "false_positives": ["Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "logs-system.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Whoami Process Activity", "note": "## Triage and analysis\n\n### Investigating Whoami Process Activity\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `whoami` utility. Attackers commonly use this utility to measure their current privileges, discover the current user, determine if a privilege escalation was successful, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"whoami.exe\" and\n(\n\n (/* scoped for whoami execution under system privileges */\n (user.domain : (\"NT AUTHORITY\", \"NT-AUTORIT\u00c4T\", \"AUTORITE NT\", \"IIS APPPOOL\") or user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\")) and\n\n not (process.parent.name : \"cmd.exe\" and\n process.parent.args : (\"chcp 437>nul 2>&1 & C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"chcp 437>nul 2>&1 & %systemroot%\\\\system32\\\\whoami /user\",\n \"C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"*WINDOWS\\\\system32\\\\config\\\\systemprofile*\")) and\n not (process.parent.executable : \"C:\\\\Windows\\\\system32\\\\inetsrv\\\\appcmd.exe\" and process.parent.args : \"LIST\") and\n not process.parent.executable : (\"C:\\\\Program Files\\\\Microsoft Monitoring 
Agent\\\\Agent\\\\MonitoringHost.exe\",\n \"C:\\\\Program Files\\\\Cohesity\\\\cohesity_windows_agent_service.exe\")) or\n\n process.parent.name : (\"wsmprovhost.exe\", \"w3wp.exe\", \"wmiprvse.exe\", \"rundll32.exe\", \"regsvr32.exe\")\n\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 108}, "id": "ef862985-3f13-4262-a686-5f357bbb9bc2_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_109.json b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_109.json
deleted file mode 100644
index 4ac79dda265..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.", "false_positives": ["Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "logs-system.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Whoami Process Activity", "note": "## Triage and analysis\n\n### Investigating Whoami Process Activity\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `whoami` utility. Attackers commonly use this utility to measure their current privileges, discover the current user, determine if a privilege escalation was successful, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"whoami.exe\" and\n(\n (\n /* scoped for whoami execution under system privileges */\n (\n user.domain : (\"NT *\", \"* NT\", \"IIS APPPOOL\") and\n user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\", \"S-1-5-82-*\") and\n not ?winlog.event_data.SubjectUserName : \"*$\"\n ) and\n not (\n process.parent.name : \"cmd.exe\" and\n process.parent.args : (\n \"chcp 437>nul 2>&1 & C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"chcp 437>nul 2>&1 & %systemroot%\\\\system32\\\\whoami /user\",\n \"C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"*WINDOWS\\\\system32\\\\config\\\\systemprofile*\"\n )\n ) and\n not (process.parent.executable : \"C:\\\\Windows\\\\system32\\\\inetsrv\\\\appcmd.exe\" and process.parent.args : \"LIST\") and\n not process.parent.executable : (\n \"C:\\\\Program 
Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\",\n \"C:\\\\Program Files\\\\Cohesity\\\\cohesity_windows_agent_service.exe\"\n )\n ) or\n process.parent.name : (\"wsmprovhost.exe\", \"w3wp.exe\", \"wmiprvse.exe\", \"rundll32.exe\", \"regsvr32.exe\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 21, "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User 
Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "ef862985-3f13-4262-a686-5f357bbb9bc2_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_110.json b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_110.json
deleted file mode 100644
index 86b346da07f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.", "false_positives": ["Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "logs-system.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Whoami Process Activity", "note": "## Triage and analysis\n\n### Investigating Whoami Process Activity\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `whoami` utility. Attackers commonly use this utility to measure their current privileges, discover the current user, determine if a privilege escalation was successful, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"whoami.exe\" and\n(\n (\n /* scoped for whoami execution under system privileges */\n (\n user.domain : (\"NT *\", \"* NT\", \"IIS APPPOOL\") and\n user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\", \"S-1-5-82-*\") and\n not ?winlog.event_data.SubjectUserName : \"*$\"\n ) and\n not (\n process.parent.name : \"cmd.exe\" and\n process.parent.args : (\n \"chcp 437>nul 2>&1 & C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"chcp 437>nul 2>&1 & %systemroot%\\\\system32\\\\whoami /user\",\n \"C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"*WINDOWS\\\\system32\\\\config\\\\systemprofile*\"\n )\n ) and\n not (process.parent.executable : \"C:\\\\Windows\\\\system32\\\\inetsrv\\\\appcmd.exe\" and process.parent.args : \"LIST\") and\n not process.parent.executable : (\n \"C:\\\\Program 
Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\",\n \"C:\\\\Program Files\\\\Cohesity\\\\cohesity_windows_agent_service.exe\"\n )\n ) or\n process.parent.name : (\"wsmprovhost.exe\", \"w3wp.exe\", \"wmiprvse.exe\", \"rundll32.exe\", \"regsvr32.exe\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 21, "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System 
Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "ef862985-3f13-4262-a686-5f357bbb9bc2_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_111.json b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_111.json
deleted file mode 100644
index b195a5bb599..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.", "false_positives": ["Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Whoami Process Activity", "note": "## Triage and analysis\n\n### Investigating Whoami Process Activity\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `whoami` utility. Attackers commonly use this utility to measure their current privileges, discover the current user, determine if a privilege escalation was successful, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"whoami.exe\" and\n(\n (\n /* scoped for whoami execution under system privileges */\n (\n user.domain : (\"NT *\", \"* NT\", \"IIS APPPOOL\") and\n user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\", \"S-1-5-82-*\") and\n not ?winlog.event_data.SubjectUserName : \"*$\"\n ) and\n not (\n process.parent.name : \"cmd.exe\" and\n process.parent.args : (\n \"chcp 437>nul 2>&1 & C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"chcp 437>nul 2>&1 & %systemroot%\\\\system32\\\\whoami /user\",\n \"C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"*WINDOWS\\\\system32\\\\config\\\\systemprofile*\"\n )\n ) and\n not (process.parent.executable : \"C:\\\\Windows\\\\system32\\\\inetsrv\\\\appcmd.exe\" and process.parent.args : \"LIST\") and\n not process.parent.executable : (\n \"C:\\\\Program 
Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\",\n \"C:\\\\Program Files\\\\Cohesity\\\\cohesity_windows_agent_service.exe\"\n )\n ) or\n process.parent.name : (\"wsmprovhost.exe\", \"w3wp.exe\", \"wmiprvse.exe\", \"rundll32.exe\", \"regsvr32.exe\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 21, "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System 
Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "ef862985-3f13-4262-a686-5f357bbb9bc2_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_112.json b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_112.json
deleted file mode 100644
index af49c8afaf1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_112.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.", "false_positives": ["Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.*", "endgame-*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Whoami Process Activity", "note": "## Triage and analysis\n\n### Investigating Whoami Process Activity\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `whoami` utility. Attackers commonly use this utility to measure their current privileges, discover the current user, determine if a privilege escalation was successful, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"whoami.exe\" and\n(\n (\n /* scoped for whoami execution under system privileges */\n (\n user.domain : (\"NT *\", \"* NT\", \"IIS APPPOOL\") and\n user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\", \"S-1-5-82-*\") and\n not ?winlog.event_data.SubjectUserName : \"*$\"\n ) and\n not (\n process.parent.name : \"cmd.exe\" and\n process.parent.args : (\n \"chcp 437>nul 2>&1 & C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"chcp 437>nul 2>&1 & %systemroot%\\\\system32\\\\whoami /user\",\n \"C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"*WINDOWS\\\\system32\\\\config\\\\systemprofile*\"\n )\n ) and\n not (process.parent.executable : \"C:\\\\Windows\\\\system32\\\\inetsrv\\\\appcmd.exe\" and process.parent.args : \"LIST\") and\n not process.parent.executable : (\n \"C:\\\\Program 
Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\",\n \"C:\\\\Program Files\\\\Cohesity\\\\cohesity_windows_agent_service.exe\"\n )\n ) or\n process.parent.name : (\"wsmprovhost.exe\", \"w3wp.exe\", \"wmiprvse.exe\", \"rundll32.exe\", \"regsvr32.exe\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 21, "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", 
"reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "ef862985-3f13-4262-a686-5f357bbb9bc2_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_113.json b/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_113.json
deleted file mode 100644
index f95c9d6ec87..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ef862985-3f13-4262-a686-5f357bbb9bc2_113.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious use of whoami.exe which displays user, group, and privileges information for the user who is currently logged on to the local system.", "false_positives": ["Some normal use of this program, at varying levels of frequency, may originate from scripts, automation tools and frameworks. Usage by non-engineers and ordinary users is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.*", "endgame-*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Whoami Process Activity", "note": "## Triage and analysis\n\n### Investigating Whoami Process Activity\n\nAfter successfully compromising an environment, attackers may try to gain situational awareness to plan their next steps. This can happen by running commands to enumerate network resources, users, connections, files, and installed security software.\n\nThis rule looks for the execution of the `whoami` utility. Attackers commonly use this utility to measure their current privileges, discover the current user, determine if a privilege escalation was successful, etc.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal account behavior, such as command executions, file creations or modifications, and network connections.\n\n### False positive analysis\n\n- Discovery activities are not inherently malicious if they occur in isolation. 
As long as the analyst did not identify suspicious activity related to the user or host, such alerts can be dismissed.\n\n### Related rules\n\n- Account Discovery Command via SYSTEM Account - 2856446a-34e6-435b-9fb5-f8f040bfa7ed\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"whoami.exe\" and\n(\n (\n /* scoped for whoami execution under system privileges */\n (\n user.domain : (\"NT *\", \"* NT\", \"IIS APPPOOL\") and\n user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\", \"S-1-5-82-*\") and\n not ?winlog.event_data.SubjectUserName : \"*$\"\n ) and\n not (\n process.parent.name : \"cmd.exe\" and\n process.parent.args : (\n \"chcp 437>nul 2>&1 & C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"chcp 437>nul 2>&1 & %systemroot%\\\\system32\\\\whoami /user\",\n \"C:\\\\WINDOWS\\\\System32\\\\whoami.exe /groups\",\n \"*WINDOWS\\\\system32\\\\config\\\\systemprofile*\"\n )\n ) and\n not (process.parent.executable : \"C:\\\\Windows\\\\system32\\\\inetsrv\\\\appcmd.exe\" and process.parent.args : \"LIST\") and\n not process.parent.executable : (\n \"C:\\\\Program 
Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\",\n \"C:\\\\Program Files\\\\Cohesity\\\\cohesity_windows_agent_service.exe\"\n )\n ) or\n process.parent.name : (\"wsmprovhost.exe\", \"w3wp.exe\", \"wmiprvse.exe\", \"rundll32.exe\", \"regsvr32.exe\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.SubjectUserName", "type": "keyword"}], "risk_score": 21, "rule_id": "ef862985-3f13-4262-a686-5f357bbb9bc2", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", 
"name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": "https://attack.mitre.org/techniques/T1033/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "ef862985-3f13-4262-a686-5f357bbb9bc2_113", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ef8cc01c-fc49-4954-a175-98569c646740.json b/packages/security_detection_engine/kibana/security_rule/ef8cc01c-fc49-4954-a175-98569c646740.json
deleted file mode 100644
index 24d3de293ec..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ef8cc01c-fc49-4954-a175-98569c646740.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected data exfiltration to a particular destination port. Data transfer patterns that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.", "from": "now-6h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "ded_high_sent_bytes_destination_port", "name": "Potential Data Exfiltration Activity to an Unusual Destination Port", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/ded", "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration"], "related_integrations": [{"package": "ded", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "ef8cc01c-fc49-4954-a175-98569c646740", "setup": "## Setup\n\nThe rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). \n\n### Data Exfiltration Detection Setup\nThe Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
\n\n#### Prerequisite Requirements:\n- Fleet is required for Data Exfiltration Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n\n#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1041", "name": "Exfiltration Over C2 Channel", "reference": "https://attack.mitre.org/techniques/T1041/"}]}], "type": "machine_learning", "version": 4}, "id": "ef8cc01c-fc49-4954-a175-98569c646740", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ef8cc01c-fc49-4954-a175-98569c646740_1.json b/packages/security_detection_engine/kibana/security_rule/ef8cc01c-fc49-4954-a175-98569c646740_1.json deleted file mode 100644 index 8d01533afd9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ef8cc01c-fc49-4954-a175-98569c646740_1.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected data exfiltration to a particular destination port. Data transfer patterns that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.", "from": "now-6h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "ded_high_sent_bytes_destination_port", "name": "Potential Data Exfiltration Activity to an Unusual Destination Port", "note": "", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/ded"], "related_integrations": [{"package": "ded", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "ef8cc01c-fc49-4954-a175-98569c646740", "setup": "The Data Exfiltration Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.", "severity": "low", "tags": ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1041", "name": "Exfiltration Over C2 Channel", "reference": "https://attack.mitre.org/techniques/T1041/"}]}], "type": "machine_learning", "version": 1}, "id": "ef8cc01c-fc49-4954-a175-98569c646740_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ef8cc01c-fc49-4954-a175-98569c646740_2.json b/packages/security_detection_engine/kibana/security_rule/ef8cc01c-fc49-4954-a175-98569c646740_2.json
deleted file mode 100644
index 4779af966f3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ef8cc01c-fc49-4954-a175-98569c646740_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected data exfiltration to a particular destination port. Data transfer patterns that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.", "from": "now-6h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "ded_high_sent_bytes_destination_port", "name": "Potential Data Exfiltration Activity to an Unusual Destination Port", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/ded", "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration"], "related_integrations": [{"package": "ded", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "ef8cc01c-fc49-4954-a175-98569c646740", "setup": "The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). \n\n### Data Exfiltration Detection Setup\nThe Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
\n\n#### Prerequisite Requirements:\n- Fleet is required for Data Exfiltration Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n\n#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.\n- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your network data. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1041", "name": "Exfiltration Over C2 Channel", "reference": "https://attack.mitre.org/techniques/T1041/"}]}], "type": "machine_learning", "version": 2}, "id": "ef8cc01c-fc49-4954-a175-98569c646740_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ef8cc01c-fc49-4954-a175-98569c646740_3.json b/packages/security_detection_engine/kibana/security_rule/ef8cc01c-fc49-4954-a175-98569c646740_3.json
deleted file mode 100644
index 76beb5255df..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ef8cc01c-fc49-4954-a175-98569c646740_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job has detected data exfiltration to a particular destination port. Data transfer patterns that are outside the normal traffic patterns of an organization could indicate exfiltration over command and control channels.", "from": "now-6h", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "ded_high_sent_bytes_destination_port", "name": "Potential Data Exfiltration Activity to an Unusual Destination Port", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/ded", "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration"], "related_integrations": [{"package": "ded", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "ef8cc01c-fc49-4954-a175-98569c646740", "setup": "## Setup\n\nThe rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only). \n\n### Data Exfiltration Detection Setup\nThe Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature. 
\n\n#### Prerequisite Requirements:\n- Fleet is required for Data Exfiltration Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Network events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration.\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n\n#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.\n- Under Settings, click Install Data Exfiltration Detection assets and follow the prompts to install the assets.\n\n#### Anomaly Detection Setup\nBefore you can enable rules for Data Exfiltration Detection, you'll need to enable the corresponding Anomaly Detection jobs. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your network data. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/ded/kibana/ml_module/ded-ml.json) configuration file, you will see a card for Data Exfiltration Detection under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection jobs and datafeeds.\n", "severity": "low", "tags": ["Use Case: Data Exfiltration Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1041", "name": "Exfiltration Over C2 Channel", "reference": "https://attack.mitre.org/techniques/T1041/"}]}], "type": "machine_learning", "version": 3}, "id": "ef8cc01c-fc49-4954-a175-98569c646740_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5.json b/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5.json
deleted file mode 100644
index e103db663b4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.", "from": "now-60m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "interval": "30m", "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Processes of RunDLL32", "note": "## Triage and analysis\n\n### Investigating Unusual Child Processes of RunDLL32\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nRunDLL32 is a legitimate Windows utility used to load and execute functions within dynamic-link libraries (DLLs). However, adversaries may abuse RunDLL32 to execute malicious code, bypassing security measures and evading detection. This rule identifies potential abuse by looking for an unusual process creation with no arguments followed by the creation of a child process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the behavior of child processes, such as network connections, registry or file modifications, and any spawned processes.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE 
'%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related Rules\n\n- Unusual Network Connection via RunDLL32 - 52aaab7b-b51c-441a-89ce-4387b3aea886\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1h\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"rundll32.exe\" or process.pe.original_file_name == \"RUNDLL32.EXE\") and\n process.args_count == 1\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"rundll32.exe\"\n ] by process.parent.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "f036953a-4615-4707-a1ca-dc53bf69dcd5", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "type": "eql", "version": 108}, "id": "f036953a-4615-4707-a1ca-dc53bf69dcd5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_103.json b/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_103.json
deleted file mode 100644
index 64baf0341b8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.", "from": "now-60m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "interval": "30m", "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Processes of RunDLL32", "query": "sequence with maxspan=1h\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"rundll32.exe\" or process.pe.original_file_name == \"RUNDLL32.EXE\") and\n process.args_count == 1\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"rundll32.exe\"\n ] by process.parent.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "f036953a-4615-4707-a1ca-dc53bf69dcd5", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": 
"Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "type": "eql", "version": 103}, "id": "f036953a-4615-4707-a1ca-dc53bf69dcd5_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_104.json b/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_104.json
deleted file mode 100644
index f7f54e399c2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.", "from": "now-60m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "interval": "30m", "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Processes of RunDLL32", "query": "sequence with maxspan=1h\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"rundll32.exe\" or process.pe.original_file_name == \"RUNDLL32.EXE\") and\n process.args_count == 1\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"rundll32.exe\"\n ] by process.parent.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "f036953a-4615-4707-a1ca-dc53bf69dcd5", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": 
"T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "type": "eql", "version": 104}, "id": "f036953a-4615-4707-a1ca-dc53bf69dcd5_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_105.json b/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_105.json
deleted file mode 100644
index 76318491611..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.", "from": "now-60m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "interval": "30m", "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Processes of RunDLL32", "query": "sequence with maxspan=1h\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"rundll32.exe\" or process.pe.original_file_name == \"RUNDLL32.EXE\") and\n process.args_count == 1\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"rundll32.exe\"\n ] by process.parent.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "f036953a-4615-4707-a1ca-dc53bf69dcd5", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": 
"https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "type": "eql", "version": 105}, "id": "f036953a-4615-4707-a1ca-dc53bf69dcd5_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_106.json b/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_106.json
deleted file mode 100644
index f39a7edcfaa..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.", "from": "now-60m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "interval": "30m", "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Processes of RunDLL32", "note": "## Triage and analysis\n\n### Investigating Unusual Child Processes of RunDLL32\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nRunDLL32 is a legitimate Windows utility used to load and execute functions within dynamic-link libraries (DLLs). However, adversaries may abuse RunDLL32 to execute malicious code, bypassing security measures and evading detection. This rule identifies potential abuse by looking for an unusual process creation with no arguments followed by the creation of a child process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the behavior of child processes, such as network connections, registry or file modifications, and any spawned processes.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE 
'%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related Rules\n\n- Unusual Network Connection via RunDLL32 - 52aaab7b-b51c-441a-89ce-4387b3aea886\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1h\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"rundll32.exe\" or process.pe.original_file_name == \"RUNDLL32.EXE\") and\n process.args_count == 1\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"rundll32.exe\"\n ] by process.parent.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "f036953a-4615-4707-a1ca-dc53bf69dcd5", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": 
"Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "type": "eql", "version": 106}, "id": "f036953a-4615-4707-a1ca-dc53bf69dcd5_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_107.json b/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_107.json
deleted file mode 100644
index 95800c93077..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.", "from": "now-60m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "interval": "30m", "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Processes of RunDLL32", "note": "## Triage and analysis\n\n### Investigating Unusual Child Processes of RunDLL32\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nRunDLL32 is a legitimate Windows utility used to load and execute functions within dynamic-link libraries (DLLs). However, adversaries may abuse RunDLL32 to execute malicious code, bypassing security measures and evading detection. This rule identifies potential abuse by looking for an unusual process creation with no arguments followed by the creation of a child process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the behavior of child processes, such as network connections, registry or file modifications, and any spawned processes.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE 
'%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related Rules\n\n- Unusual Network Connection via RunDLL32 - 52aaab7b-b51c-441a-89ce-4387b3aea886\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1h\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"rundll32.exe\" or process.pe.original_file_name == \"RUNDLL32.EXE\") and\n process.args_count == 1\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"rundll32.exe\"\n ] by process.parent.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "f036953a-4615-4707-a1ca-dc53bf69dcd5", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "type": "eql", "version": 107}, "id": "f036953a-4615-4707-a1ca-dc53bf69dcd5_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_108.json b/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_108.json deleted file mode 100644 index 275f9a994bf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f036953a-4615-4707-a1ca-dc53bf69dcd5_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies child processes of unusual instances of RunDLL32 where the command line parameters were suspicious. Misuse of RunDLL32 could indicate malicious activity.", "from": "now-60m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "interval": "30m", "language": "eql", "license": "Elastic License v2", "name": "Unusual Child Processes of RunDLL32", "note": "## Triage and analysis\n\n### Investigating Unusual Child Processes of RunDLL32\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity, such as masquerading and deserve further investigation.\n\nRunDLL32 is a legitimate Windows utility used to load and execute functions within dynamic-link libraries (DLLs). However, adversaries may abuse RunDLL32 to execute malicious code, bypassing security measures and evading detection. This rule identifies potential abuse by looking for an unusual process creation with no arguments followed by the creation of a child process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process, such as network connections, registry or file modifications, and any spawned child processes.\n- Investigate the behavior of child processes, such as network connections, registry or file modifications, and any spawned processes.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE 
'%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related Rules\n\n- Unusual Network Connection via RunDLL32 - 52aaab7b-b51c-441a-89ce-4387b3aea886\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence with maxspan=1h\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"rundll32.exe\" or process.pe.original_file_name == \"RUNDLL32.EXE\") and\n process.args_count == 1\n ] by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"rundll32.exe\"\n ] by process.parent.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "f036953a-4615-4707-a1ca-dc53bf69dcd5", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.011", "name": "Rundll32", "reference": "https://attack.mitre.org/techniques/T1218/011/"}]}]}], "type": "eql", "version": 108}, "id": "f036953a-4615-4707-a1ca-dc53bf69dcd5_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3.json b/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3.json deleted file mode 100644 index 91e8d1e1dc2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a browser process to open an HTML file with high entropy and size. Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious HTML File Creation", "note": "This rule may have a low to medium performance impact due variety of file paths potentially matching each EQL sequence.", "query": "sequence by user.id with maxspan=2m\n\n [file where host.os.type == \"windows\" and event.action in (\"creation\", \"rename\") and\n\n /* Check for HTML files with high entropy and size */\n file.extension : (\"htm\", \"html\") and ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000) and\n\n /* Check for file paths in common download and temporary directories */\n file.path : (\n \"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*\")]\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n (\n /* Check for browser processes opening HTML files with single argument */\n (process.name in (\"chrome.exe\", \"msedge.exe\", \"brave.exe\", \"whale.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\", \"opera.exe\")\n and process.args == \"--single-argument\") or\n\n /* Optionally, check for browser processes opening HTML files with two arguments */\n (process.name == \"iexplore.exe\" and process.args_count == 2) or\n\n /* Optionally, check for browser processes opening HTML files with URL argument */\n (process.name in (\"firefox.exe\", \"waterfox.exe\") and process.args == \"-url\")\n )\n /* Check for 
file paths in common download and temporary directories targeted in the process arguments */\n and process.args : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*.htm*\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.entropy", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "file.size", "type": "long"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "f0493cb4-9b15-43a9-9359-68c23a7f2cf3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": 
"Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/", "subtechnique": [{"id": "T1027.006", "name": "HTML Smuggling", "reference": "https://attack.mitre.org/techniques/T1027/006/"}]}]}], "type": "eql", "version": 108}, "id": "f0493cb4-9b15-43a9-9359-68c23a7f2cf3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_102.json b/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_102.json deleted file mode 100644 index 09ecfdeb00a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a browser process to open an HTML file with high entropy and size. Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious HTML File Creation", "note": "", "query": "sequence by user.id with maxspan=5m\n [file where host.os.type == \"windows\" and event.action in (\"creation\", \"rename\") and\n file.extension : (\"htm\", \"html\") and\n file.path : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*\") and\n ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000)]\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n (\n (process.name in (\"chrome.exe\", \"msedge.exe\", \"brave.exe\", \"whale.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\", \"opera.exe\")\n and process.args == \"--single-argument\") or\n (process.name == \"iexplore.exe\" and process.args_count == 2) or\n (process.name in (\"firefox.exe\", \"waterfox.exe\") and process.args == \"-url\")\n )\n and process.args : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*.htm*\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.entropy", "type": "unknown"}, {"ecs": true, "name": 
"file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "file.size", "type": "long"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "f0493cb4-9b15-43a9-9359-68c23a7f2cf3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/", "subtechnique": [{"id": "T1027.006", "name": "HTML Smuggling", "reference": "https://attack.mitre.org/techniques/T1027/006/"}]}]}], "type": "eql", "version": 102}, "id": "f0493cb4-9b15-43a9-9359-68c23a7f2cf3_102", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_103.json b/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_103.json
deleted file mode 100644
index 7d2419c7071..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a browser process to open an HTML file with high entropy and size. Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious HTML File Creation", "note": "", "query": "sequence by user.id with maxspan=5m\n [file where host.os.type == \"windows\" and event.action in (\"creation\", \"rename\") and\n file.extension : (\"htm\", \"html\") and\n file.path : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*\") and\n ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000)]\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n (\n (process.name in (\"chrome.exe\", \"msedge.exe\", \"brave.exe\", \"whale.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\", \"opera.exe\")\n and process.args == \"--single-argument\") or\n (process.name == \"iexplore.exe\" and process.args_count == 2) or\n (process.name in (\"firefox.exe\", \"waterfox.exe\") and process.args == \"-url\")\n )\n and process.args : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*.htm*\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.entropy", "type": "unknown"}, {"ecs": true, "name": 
"file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "file.size", "type": "long"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "f0493cb4-9b15-43a9-9359-68c23a7f2cf3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/", "subtechnique": [{"id": "T1027.006", "name": "HTML Smuggling", "reference": "https://attack.mitre.org/techniques/T1027/006/"}]}]}], "type": "eql", "version": 103}, "id": "f0493cb4-9b15-43a9-9359-68c23a7f2cf3_103", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_104.json b/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_104.json
deleted file mode 100644
index 0252a83c594..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a browser process to open an HTML file with high entropy and size. Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious HTML File Creation", "note": "", "query": "sequence by user.id with maxspan=5m\n [file where host.os.type == \"windows\" and event.action in (\"creation\", \"rename\") and\n file.extension : (\"htm\", \"html\") and\n file.path : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*\") and\n ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000)]\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n (\n (process.name in (\"chrome.exe\", \"msedge.exe\", \"brave.exe\", \"whale.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\", \"opera.exe\")\n and process.args == \"--single-argument\") or\n (process.name == \"iexplore.exe\" and process.args_count == 2) or\n (process.name in (\"firefox.exe\", \"waterfox.exe\") and process.args == \"-url\")\n )\n and process.args : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*.htm*\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.entropy", "type": "unknown"}, {"ecs": true, "name": 
"file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "file.size", "type": "long"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "f0493cb4-9b15-43a9-9359-68c23a7f2cf3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/", "subtechnique": [{"id": "T1027.006", "name": "HTML Smuggling", "reference": "https://attack.mitre.org/techniques/T1027/006/"}]}]}], "type": "eql", "version": 104}, "id": "f0493cb4-9b15-43a9-9359-68c23a7f2cf3_104", "type": "security-rule"} \ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_105.json b/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_105.json
deleted file mode 100644
index 05ec094453b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a browser process to open an HTML file with high entropy and size. Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious HTML File Creation", "query": "sequence by user.id with maxspan=5m\n [file where host.os.type == \"windows\" and event.action in (\"creation\", \"rename\") and\n file.extension : (\"htm\", \"html\") and\n file.path : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*\") and\n ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000)]\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n (\n (process.name in (\"chrome.exe\", \"msedge.exe\", \"brave.exe\", \"whale.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\", \"opera.exe\")\n and process.args == \"--single-argument\") or\n (process.name == \"iexplore.exe\" and process.args_count == 2) or\n (process.name in (\"firefox.exe\", \"waterfox.exe\") and process.args == \"-url\")\n )\n and process.args : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*.htm*\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.entropy", "type": "unknown"}, {"ecs": true, "name": 
"file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "file.size", "type": "long"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "f0493cb4-9b15-43a9-9359-68c23a7f2cf3", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/", "subtechnique": [{"id": "T1027.006", "name": "HTML 
Smuggling", "reference": "https://attack.mitre.org/techniques/T1027/006/"}]}]}], "type": "eql", "version": 105}, "id": "f0493cb4-9b15-43a9-9359-68c23a7f2cf3_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_106.json b/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_106.json
deleted file mode 100644
index 5df48e0383e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a browser process to open an HTML file with high entropy and size. Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious HTML File Creation", "query": "sequence by user.id with maxspan=5m\n [file where host.os.type == \"windows\" and event.action in (\"creation\", \"rename\") and\n file.extension : (\"htm\", \"html\") and\n file.path : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*\") and\n ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000)]\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n (\n (process.name in (\"chrome.exe\", \"msedge.exe\", \"brave.exe\", \"whale.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\", \"opera.exe\")\n and process.args == \"--single-argument\") or\n (process.name == \"iexplore.exe\" and process.args_count == 2) or\n (process.name in (\"firefox.exe\", \"waterfox.exe\") and process.args == \"-url\")\n )\n and process.args : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*.htm*\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.entropy", "type": "unknown"}, {"ecs": true, "name": 
"file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "file.size", "type": "long"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "f0493cb4-9b15-43a9-9359-68c23a7f2cf3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/", "subtechnique": [{"id": "T1027.006", "name": "HTML 
Smuggling", "reference": "https://attack.mitre.org/techniques/T1027/006/"}]}]}], "type": "eql", "version": 106}, "id": "f0493cb4-9b15-43a9-9359-68c23a7f2cf3_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_107.json b/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_107.json
deleted file mode 100644
index 72a7e62c0c1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f0493cb4-9b15-43a9-9359-68c23a7f2cf3_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of a browser process to open an HTML file with high entropy and size. Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious HTML File Creation", "query": "sequence by user.id with maxspan=5m\n [file where host.os.type == \"windows\" and event.action in (\"creation\", \"rename\") and\n file.extension : (\"htm\", \"html\") and\n file.path : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*\") and\n ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000)]\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n (\n (process.name in (\"chrome.exe\", \"msedge.exe\", \"brave.exe\", \"whale.exe\", \"browser.exe\", \"dragon.exe\", \"vivaldi.exe\", \"opera.exe\")\n and process.args == \"--single-argument\") or\n (process.name == \"iexplore.exe\" and process.args_count == 2) or\n (process.name in (\"firefox.exe\", \"waterfox.exe\") and process.args == \"-url\")\n )\n and process.args : (\"?:\\\\Users\\\\*\\\\Downloads\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\Content.Outlook\\\\*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Temp?_*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\7z*.htm*\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\Rar$*.htm*\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.entropy", "type": 
"unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "file.size", "type": "long"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "f0493cb4-9b15-43a9-9359-68c23a7f2cf3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}, {"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": "https://attack.mitre.org/techniques/T1027/", "subtechnique": 
[{"id": "T1027.006", "name": "HTML Smuggling", "reference": "https://attack.mitre.org/techniques/T1027/006/"}]}]}], "type": "eql", "version": 107}, "id": "f0493cb4-9b15-43a9-9359-68c23a7f2cf3_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71.json b/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71.json
deleted file mode 100644
index 4cbfdda084a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when an administrator role is assigned to an Okta user. An adversary may attempt to assign an administrator role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's environment.", "false_positives": ["Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Administrator Role Assigned to an Okta User", "note": "", "query": "event.dataset:okta.system and event.action:user.account.privilege.grant\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "f06414a6-f2a4-466d-8eba-10f85e8abf71", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": 
"f06414a6-f2a4-466d-8eba-10f85e8abf71", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_102.json b/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_102.json
deleted file mode 100644
index 8e35579371a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when an administrator role is assigned to an Okta user. An adversary may attempt to assign an administrator role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's environment.", "false_positives": ["Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Administrator Role Assigned to an Okta User", "note": "", "query": "event.dataset:okta.system and event.action:user.account.privilege.grant\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "f06414a6-f2a4-466d-8eba-10f85e8abf71", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "f06414a6-f2a4-466d-8eba-10f85e8abf71_102", 
"type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_103.json b/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_103.json
deleted file mode 100644
index ebc87ea8c94..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when an administrator role is assigned to an Okta user. An adversary may attempt to assign an administrator role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's environment.", "false_positives": ["Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Administrator Role Assigned to an Okta User", "note": "", "query": "event.dataset:okta.system and event.action:user.account.privilege.grant\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "f06414a6-f2a4-466d-8eba-10f85e8abf71", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": 
"f06414a6-f2a4-466d-8eba-10f85e8abf71_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_104.json b/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_104.json
deleted file mode 100644
index 8f1aa37e694..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when an administrator role is assigned to an Okta user. An adversary may attempt to assign an administrator role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's environment.", "false_positives": ["Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Administrator Role Assigned to an Okta User", "note": "", "query": "event.dataset:okta.system and event.action:user.account.privilege.grant\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "f06414a6-f2a4-466d-8eba-10f85e8abf71", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": 
"f06414a6-f2a4-466d-8eba-10f85e8abf71_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_205.json b/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_205.json
deleted file mode 100644
index 13fc0f7f7f4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_205.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when an administrator role is assigned to an Okta user. An adversary may attempt to assign an administrator role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's environment.", "false_positives": ["Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Administrator Role Assigned to an Okta User", "note": "", "query": "event.dataset:okta.system and event.action:user.account.privilege.grant\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "f06414a6-f2a4-466d-8eba-10f85e8abf71", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": 
"f06414a6-f2a4-466d-8eba-10f85e8abf71_205", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_206.json b/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_206.json
deleted file mode 100644
index 13880bb499f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_206.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when an administrator role is assigned to an Okta user. An adversary may attempt to assign an administrator role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's environment.", "false_positives": ["Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Administrator Role Assigned to an Okta User", "note": "", "query": "event.dataset:okta.system and event.action:user.account.privilege.grant\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta", "https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "f06414a6-f2a4-466d-8eba-10f85e8abf71", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, 
"technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "f06414a6-f2a4-466d-8eba-10f85e8abf71_206", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_208.json b/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_208.json
deleted file mode 100644
index 3cc7d804921..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_208.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when an administrator role is assigned to an Okta user. An adversary may attempt to assign an administrator role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's environment.", "false_positives": ["Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Administrator Role Assigned to an Okta User", "note": "", "query": "event.dataset:okta.system and event.action:user.account.privilege.grant\n", "references": ["https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta", "https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "f06414a6-f2a4-466d-8eba-10f85e8abf71", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, 
"technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 208}, "id": "f06414a6-f2a4-466d-8eba-10f85e8abf71_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_308.json b/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_308.json
new file mode 100644
index 00000000000..d358130775e
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/f06414a6-f2a4-466d-8eba-10f85e8abf71_308.json
@@ -0,0 +1,78 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies when an administrator role is assigned to an Okta user. An adversary may attempt to assign an administrator role to an Okta user in order to assign additional permissions to a user account and maintain access to their target's environment.",
+ "false_positives": [
+ "Administrator roles may be assigned to Okta users by a Super Admin user. Verify that the behavior was expected. Exceptions can be added to this rule to filter expected behavior."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Administrator Role Assigned to an Okta User",
+ "note": "",
+ "query": "event.dataset:okta.system and event.action:user.account.privilege.grant\n",
+ "references": [
+ "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm",
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
+ "https://www.elastic.co/security-labs/okta-and-lapsus-what-you-need-to-know"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "f06414a6-f2a4-466d-8eba-10f85e8abf71",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Data Source: Okta",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Persistence"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1098",
+ "name": "Account Manipulation",
+ "reference": "https://attack.mitre.org/techniques/T1098/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 308
+ },
+ "id": "f06414a6-f2a4-466d-8eba-10f85e8abf71_308",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7.json b/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7.json
deleted file mode 100644
index 9053c88fe7f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7.json
+++ /dev/null
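Review bot: The `"query"` line of the new `_308` rule, `event.dataset:okta.system and event.action:user.account.privilege.grant`, only catches an administrator role granted directly to a user, so an actor who attaches the role to a group and then adds the target user to that group would not be caught; Okta's System Log appears to record that path under a separate group-level privilege event type (check the referenced event-types page before relying on the exact name). If confirmed, widening the clause to `event.action:(user.account.privilege.grant or group.privilege.grant)` closes the gap without changing the rule's index or required fields. The `"note"` field is still the empty string, so the rule ships no investigation guide; a short one covering who performed the grant (actor, client IP, session), which role was granted, and whether the target is expected to hold it would make triage of these medium-severity alerts faster. Worth noting that the only visible change from the deleted `_208` version is the `related_integrations` constraint moving from `^2.0.0` to `^3.0.0`, so the coverage and documentation points above are pre-existing rather than introduced by this bump.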
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects deletion of the quarantine attribute by an unusual process (xattr). In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Quarantine Attrib Removed by Unsigned or Untrusted Process", "query": "file where event.action == \"extended_attributes_delete\" and host.os.type == \"macos\" and process.executable != null and\n(process.code_signature.trusted == false or process.code_signature.exists == false) and not\nprocess.executable : (\"/usr/bin/xattr\", \n \"/System/*\", \n \"/private/tmp/KSInstallAction.*/*/Install Google Software Update.app/Contents/Helpers/ksinstall\",\n \"/Applications/CEWE Fotoschau.app/Contents/MacOS/FotoPlus\",\n \"/Applications/.com.bomgar.scc.*/Remote Support Customer Client.app/Contents/MacOS/sdcust\") and not\nfile.path : \"/private/var/folders/*\"\n", "references": ["https://nixhacker.com/security-protection-in-macos-1/", "https://eclecticlight.co/2020/10/29/quarantine-and-the-quarantine-flag/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration 
Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_102.json b/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_102.json deleted file mode 100644 index 625bf6d11af..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Remove File Quarantine Attribute", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name : \"xattr\" and\n (\n (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n (process.args : \"-c\") or\n (process.command_line : (\"/bin/bash -c xattr -c *\", \"/bin/zsh -c xattr -c *\", \"/bin/sh -c xattr -c *\"))\n ) and not process.args_count > 12\n", "references": ["https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", "https://ss64.com/osx/xattr.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", 
"macOS", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_103.json b/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_103.json
deleted file mode 100644
index 07f22b826f9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Remove File Quarantine Attribute", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name : \"xattr\" and\n (\n (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n (process.args : \"-c\") or\n (process.command_line : (\"/bin/bash -c xattr -c *\", \"/bin/zsh -c xattr -c *\", \"/bin/sh -c xattr -c *\"))\n ) and not process.args_count > 12\n", "references": ["https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", "https://ss64.com/osx/xattr.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: 
Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_104.json b/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_104.json
deleted file mode 100644
index 456566fb4d9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Remove File Quarantine Attribute", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name : \"xattr\" and\n (\n (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n (process.args : \"-c\") or\n (process.command_line : (\"/bin/bash -c xattr -c *\", \"/bin/zsh -c xattr -c *\", \"/bin/sh -c xattr -c *\"))\n ) and not process.args_count > 12\n", "references": ["https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", "https://ss64.com/osx/xattr.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: 
Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_105.json b/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_105.json
deleted file mode 100644
index f99cec6f017..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Remove File Quarantine Attribute", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name : \"xattr\" and\n (\n (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n (process.args : \"-c\") or\n (process.command_line : (\"/bin/bash -c xattr -c *\", \"/bin/zsh -c xattr -c *\", \"/bin/sh -c xattr -c *\"))\n ) and not process.args_count > 12\n", "references": ["https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", "https://ss64.com/osx/xattr.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on 
adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_106.json b/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_106.json deleted file mode 100644 index 69aa8ab7c37..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Remove File Quarantine Attribute", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name : \"xattr\" and\n (\n (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n (process.args : \"-c\") or\n (process.command_line : (\"/bin/bash -c xattr -c *\", \"/bin/zsh -c xattr -c *\", \"/bin/sh -c xattr -c *\"))\n ) and not process.args_count > 12\n", "references": ["https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", "https://ss64.com/osx/xattr.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_107.json b/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_107.json deleted file mode 100644 index 38e481dd8b8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Attempt to Remove File Quarantine Attribute", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and\n process.name : \"xattr\" and\n (\n (process.args : \"com.apple.quarantine\" and process.args : (\"-d\", \"-w\")) or\n (process.args : \"-c\") or\n (process.command_line : (\"/bin/bash -c xattr -c *\", \"/bin/zsh -c xattr -c *\", \"/bin/sh -c xattr -c *\"))\n ) and not process.args_count > 12\n", "references": ["https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", "https://ss64.com/osx/xattr.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.args_count", "type": "long"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_108.json b/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_108.json
deleted file mode 100644
index 03530efa2eb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects deletion of the quarantine attribute by an unusual process (xattr). In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Quarantine Attrib Removed by Unsigned or Untrusted Process", "query": "file where event.action == \"extended_attributes_delete\" and process.executable != null and\n(process.code_signature.trusted == false or process.code_signature.exists == false) and not\nprocess.executable : (\"/usr/bin/xattr\", \n \"/System/*\", \n \"/private/tmp/KSInstallAction.*/*/Install Google Software Update.app/Contents/Helpers/ksinstall\",\n \"/Applications/CEWE Fotoschau.app/Contents/MacOS/FotoPlus\",\n \"/Applications/.com.bomgar.scc.*/Remote Support Customer Client.app/Contents/MacOS/sdcust\") and not\nfile.path : \"/private/var/folders/*\"\n", "references": ["https://nixhacker.com/security-protection-in-macos-1/", "https://eclecticlight.co/2020/10/29/quarantine-and-the-quarantine-flag/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.exists", "type": "boolean"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f0bc081a-2346-4744-a6a4-81514817e888.json b/packages/security_detection_engine/kibana/security_rule/f0bc081a-2346-4744-a6a4-81514817e888.json
deleted file mode 100644
index 3c52b308278..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f0bc081a-2346-4744-a6a4-81514817e888.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies the creation of suppression rules in Azure. Suppression rules are a mechanism used to suppress alerts previously identified as false positives or too noisy to be in production. This mechanism can be abused or mistakenly configured, resulting in defense evasions and loss of security visibility.", "false_positives": ["Suppression Rules can be created legitimately by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suppression Rules created by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Alert Suppression Rule Created or Modified", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE\" and\nevent.outcome: \"success\"\n", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", "https://docs.microsoft.com/en-us/rest/api/securitycenter/alerts-suppression-rules/update"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "f0bc081a-2346-4744-a6a4-81514817e888", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "f0bc081a-2346-4744-a6a4-81514817e888", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f0bc081a-2346-4744-a6a4-81514817e888_101.json b/packages/security_detection_engine/kibana/security_rule/f0bc081a-2346-4744-a6a4-81514817e888_101.json
deleted file mode 100644
index d9ccced76c8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f0bc081a-2346-4744-a6a4-81514817e888_101.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies the creation of suppression rules in Azure. Suppression rules are a mechanism used to suppress alerts previously identified as false positives or too noisy to be in production. This mechanism can be abused or mistakenly configured, resulting in defense evasions and loss of security visibility.", "false_positives": ["Suppression Rules can be created legitimately by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Suppression Rules created by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "language": "kuery", "license": "Elastic License v2", "name": "Azure Alert Suppression Rule Created or Modified", "note": "", "query": "event.dataset:azure.activitylogs and azure.activitylogs.operation_name:\"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE\" and\nevent.outcome: \"success\"\n", "references": ["https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations", "https://docs.microsoft.com/en-us/rest/api/securitycenter/alerts-suppression-rules/update"], "related_integrations": [{"integration": "activitylogs", "package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.activitylogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 21, "rule_id": "f0bc081a-2346-4744-a6a4-81514817e888", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "f0bc081a-2346-4744-a6a4-81514817e888_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1.json b/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1.json
deleted file mode 100644
index 72df5cf03ec..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should not be run by itself, as this is a sign of execution with explicit logon credentials.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Execution with Explicit Credentials via Scripting", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:\"security_authtrampoline\" and\n process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or Python or perl* or php* or ruby or pwsh)\n", "references": ["https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf", "https://www.manpagez.com/man/8/security_authtrampoline/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.004", "name": "Elevated Execution with Prompt", "reference": "https://attack.mitre.org/techniques/T1548/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_102.json b/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_102.json
deleted file mode 100644
index 68ad20353ef..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should not be run by itself, as this is a sign of execution with explicit logon credentials.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Execution with Explicit Credentials via Scripting", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:\"security_authtrampoline\" and\n process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or Python or perl* or php* or ruby or pwsh)\n", "references": ["https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf", "https://www.manpagez.com/man/8/security_authtrampoline/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Execution", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", 
"subtechnique": [{"id": "T1548.004", "name": "Elevated Execution with Prompt", "reference": "https://attack.mitre.org/techniques/T1548/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_103.json b/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_103.json
deleted file mode 100644
index c5235e672f1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should not be run by itself, as this is a sign of execution with explicit logon credentials.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Execution with Explicit Credentials via Scripting", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:\"security_authtrampoline\" and\n process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or Python or perl* or php* or ruby or pwsh)\n", "references": ["https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf", "https://www.manpagez.com/man/8/security_authtrampoline/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": 
"https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.004", "name": "Elevated Execution with Prompt", "reference": "https://attack.mitre.org/techniques/T1548/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_104.json b/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_104.json
deleted file mode 100644
index aa0c0d2aab7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should not be run by itself, as this is a sign of execution with explicit logon credentials.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Execution with Explicit Credentials via Scripting", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:\"security_authtrampoline\" and\n process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or Python or perl* or php* or ruby or pwsh)\n", "references": ["https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf", "https://www.manpagez.com/man/8/security_authtrampoline/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", 
"reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.004", "name": "Elevated Execution with Prompt", "reference": "https://attack.mitre.org/techniques/T1548/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_105.json b/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_105.json
deleted file mode 100644
index cf8201bf1f1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should not be run by itself, as this is a sign of execution with explicit logon credentials.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Execution with Explicit Credentials via Scripting", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:\"security_authtrampoline\" and\n process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or Python or perl* or php* or ruby or pwsh)\n", "references": ["https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf", "https://www.manpagez.com/man/8/security_authtrampoline/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.004", "name": "Elevated Execution with Prompt", "reference": "https://attack.mitre.org/techniques/T1548/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb.json b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb.json
deleted file mode 100644
index df8342935d4..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor file that can be abused to gain code execution as a mechanism for persistence.", "false_positives": ["Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Code Execution via Web Server", "note": "## Triage and analysis\n\n### Investigating Potential Remote Code Execution via Web Server\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a malicious script, often embedded into a compromised web server, that grants an attacker remote access and control over the server. This enables the execution of arbitrary commands, data exfiltration, and further exploitation of the target network.\n\nThis rule detects a web server process spawning script and command line interface programs, potentially indicating attackers executing commands using the web shell.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors by the subject process such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential reverse shells or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Investigate the process information for malicious or uncommon processes/process trees.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n - Investigate the process tree spawned from the user that is used to run the web application service. 
A user that is running a web application should not spawn other child processes.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info for Webapp User\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = {{process.user.id}}\"}}\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\") and process.parent.executable : (\n \"/usr/sbin/nginx\", \"/usr/local/sbin/nginx\",\n \"/usr/sbin/apache\", \"/usr/local/sbin/apache\",\n \"/usr/sbin/apache2\", \"/usr/local/sbin/apache2\",\n \"/usr/sbin/php*\", \"/usr/local/sbin/php*\",\n \"/usr/sbin/lighttpd\", \"/usr/local/sbin/lighttpd\",\n \"/usr/sbin/hiawatha\", \"/usr/local/sbin/hiawatha\",\n \"/usr/local/bin/caddy\", \n \"/usr/local/lsws/bin/lswsctrl\",\n \"*/bin/catalina.sh\"\n) and\nprocess.name : (\n \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\",\n \"netcat\", \"ncat\", \"telnet\", \"awk\", \"socat\"\n ) and process.args : (\n \"whoami\", \"id\", \"uname\", \"cat\", \"hostname\", \"ip\", \"curl\", \"wget\", \"pwd\", \"ls\", \"cd\", \"python*\", \"php*\", \"perl\",\n \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\", \"socat\"\n ) and not process.name == \"phpquery\"\n", "references": ["https://pentestlab.blog/tag/web-shell/", "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": 
"keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.003", "name": "Web Shell", "reference": "https://attack.mitre.org/techniques/T1505/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_1.json b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_1.json deleted file mode 100644 index a65bd4fe69a..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", "false_positives": ["Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Code Execution via Web Server", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\") and process.parent.executable : (\n \"/usr/sbin/nginx\", \"/usr/local/sbin/nginx\",\n \"/usr/sbin/apache\", \"/usr/local/sbin/apache\",\n \"/usr/sbin/apache2\", \"/usr/local/sbin/apache2\",\n \"/usr/sbin/php*\", \"/usr/local/sbin/php*\",\n \"/usr/sbin/lighttpd\", \"/usr/local/sbin/lighttpd\",\n \"/usr/sbin/hiawatha\", \"/usr/local/sbin/hiawatha\",\n \"/usr/local/bin/caddy\", \n \"/usr/local/lsws/bin/lswsctrl\",\n \"*/bin/catalina.sh\"\n) and\nprocess.name : (\"*sh\", \"python*\", \"perl\", \"php*\", \"tmux\") and\nprocess.args : (\"whoami\", \"id\", \"uname\", \"cat\", \"hostname\", \"ip\", \"curl\", \"wget\", \"pwd\")\n", "references": ["https://pentestlab.blog/tag/web-shell/", "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb", "severity": "high", "tags": 
["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Initial Access", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.003", "name": "Web Shell", "reference": "https://attack.mitre.org/techniques/T1505/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_2.json b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_2.json deleted file mode 100644 index 3673b9f846b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access.", "false_positives": ["Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Code Execution via Web Server", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\") and process.parent.executable : (\n \"/usr/sbin/nginx\", \"/usr/local/sbin/nginx\",\n \"/usr/sbin/apache\", \"/usr/local/sbin/apache\",\n \"/usr/sbin/apache2\", \"/usr/local/sbin/apache2\",\n \"/usr/sbin/php*\", \"/usr/local/sbin/php*\",\n \"/usr/sbin/lighttpd\", \"/usr/local/sbin/lighttpd\",\n \"/usr/sbin/hiawatha\", \"/usr/local/sbin/hiawatha\",\n \"/usr/local/bin/caddy\", \n \"/usr/local/lsws/bin/lswsctrl\",\n \"*/bin/catalina.sh\"\n) and\nprocess.name : (\"*sh\", \"python*\", \"perl\", \"php*\", \"tmux\") and\nprocess.args : (\"whoami\", \"id\", \"uname\", \"cat\", \"hostname\", \"ip\", \"curl\", \"wget\", \"pwd\")\n", "references": ["https://pentestlab.blog/tag/web-shell/", "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb", "severity": "high", "tags": 
["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.003", "name": "Web Shell", "reference": "https://attack.mitre.org/techniques/T1505/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_3.json b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_3.json deleted file mode 100644 index 0d97d385b83..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor file that can be abused to gain code execution as a mechanism for persistence.", "false_positives": ["Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Code Execution via Web Server", "note": "## Triage and analysis\n\n### Investigating Potential Remote Code Execution via Web Server\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a malicious script, often embedded into a compromised web server, that grants an attacker remote access and control over the server. This enables the execution of arbitrary commands, data exfiltration, and further exploitation of the target network.\n\nThis rule detects a web server process spawning script and command line interface programs, potentially indicating attackers executing commands using the web shell.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors by the subject process such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential reverse shells or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Investigate the process information for malicious or uncommon processes/process trees.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n - Investigate the process tree spawned from the user that is used to run the web application service. 
A user that is running a web application should not spawn other child processes.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info for Webapp User\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = {{process.user.id}}\"}}\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\") and process.parent.executable : (\n \"/usr/sbin/nginx\", \"/usr/local/sbin/nginx\",\n \"/usr/sbin/apache\", \"/usr/local/sbin/apache\",\n \"/usr/sbin/apache2\", \"/usr/local/sbin/apache2\",\n \"/usr/sbin/php*\", \"/usr/local/sbin/php*\",\n \"/usr/sbin/lighttpd\", \"/usr/local/sbin/lighttpd\",\n \"/usr/sbin/hiawatha\", \"/usr/local/sbin/hiawatha\",\n \"/usr/local/bin/caddy\", \n \"/usr/local/lsws/bin/lswsctrl\",\n \"*/bin/catalina.sh\"\n) and\nprocess.name : (\"*sh\", \"python*\", \"perl\", \"php*\", \"tmux\") and\nprocess.args : (\"whoami\", \"id\", \"uname\", \"cat\", \"hostname\", \"ip\", \"curl\", \"wget\", \"pwd\")\n", "references": ["https://pentestlab.blog/tag/web-shell/", "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: 
Vulnerability", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.003", "name": "Web Shell", "reference": "https://attack.mitre.org/techniques/T1505/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_4.json b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_4.json deleted file mode 100644 index 30e847e8cb3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_4.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor file that can be abused to gain code execution as a mechanism for persistence.", "false_positives": ["Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Code Execution via Web Server", "note": "## Triage and analysis\n\n### Investigating Potential Remote Code Execution via Web Server\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a malicious script, often embedded into a compromised web server, that grants an attacker remote access and control over the server. This enables the execution of arbitrary commands, data exfiltration, and further exploitation of the target network.\n\nThis rule detects a web server process spawning script and command line interface programs, potentially indicating attackers executing commands using the web shell.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors by the subject process such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential reverse shells or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Investigate the process information for malicious or uncommon processes/process trees.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n - Investigate the process tree spawned from the user that is used to run the web application service. 
A user that is running a web application should not spawn other child processes.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info for Webapp User\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = {{process.user.id}}\"}}\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\") and process.parent.executable : (\n \"/usr/sbin/nginx\", \"/usr/local/sbin/nginx\",\n \"/usr/sbin/apache\", \"/usr/local/sbin/apache\",\n \"/usr/sbin/apache2\", \"/usr/local/sbin/apache2\",\n \"/usr/sbin/php*\", \"/usr/local/sbin/php*\",\n \"/usr/sbin/lighttpd\", \"/usr/local/sbin/lighttpd\",\n \"/usr/sbin/hiawatha\", \"/usr/local/sbin/hiawatha\",\n \"/usr/local/bin/caddy\", \n \"/usr/local/lsws/bin/lswsctrl\",\n \"*/bin/catalina.sh\"\n) and\nprocess.name : (\"*sh\", \"python*\", \"perl\", \"php*\", \"tmux\") and\nprocess.args : (\"whoami\", \"id\", \"uname\", \"cat\", \"hostname\", \"ip\", \"curl\", \"wget\", \"pwd\") and\nnot process.name == \"phpquery\"\n", "references": ["https://pentestlab.blog/tag/web-shell/", "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Data Source: 
Elastic Endgame", "Use Case: Vulnerability", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.003", "name": "Web Shell", "reference": "https://attack.mitre.org/techniques/T1505/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_5.json b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_5.json
deleted file mode 100644
index fb3bb8dc0d8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor file that can be abused to gain code execution as a mechanism for persistence.", "false_positives": ["Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Code Execution via Web Server", "note": "## Triage and analysis\n\n### Investigating Potential Remote Code Execution via Web Server\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a malicious script, often embedded into a compromised web server, that grants an attacker remote access and control over the server. This enables the execution of arbitrary commands, data exfiltration, and further exploitation of the target network.\n\nThis rule detects a web server process spawning script and command line interface programs, potentially indicating attackers executing commands using the web shell.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors by the subject process such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential reverse shells or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Investigate the process information for malicious or uncommon processes/process trees.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n - Investigate the process tree spawned from the user that is used to run the web application service. 
A user that is running a web application should not spawn other child processes.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info for Webapp User\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = {{process.user.id}}\"}}\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\") and process.parent.executable : (\n \"/usr/sbin/nginx\", \"/usr/local/sbin/nginx\",\n \"/usr/sbin/apache\", \"/usr/local/sbin/apache\",\n \"/usr/sbin/apache2\", \"/usr/local/sbin/apache2\",\n \"/usr/sbin/php*\", \"/usr/local/sbin/php*\",\n \"/usr/sbin/lighttpd\", \"/usr/local/sbin/lighttpd\",\n \"/usr/sbin/hiawatha\", \"/usr/local/sbin/hiawatha\",\n \"/usr/local/bin/caddy\", \n \"/usr/local/lsws/bin/lswsctrl\",\n \"*/bin/catalina.sh\"\n) and\nprocess.name : (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", \"perl\", \"php*\", \"tmux\") and\nprocess.args : (\"whoami\", \"id\", \"uname\", \"cat\", \"hostname\", \"ip\", \"curl\", \"wget\", \"pwd\") and\nnot process.name == \"phpquery\"\n", "references": ["https://pentestlab.blog/tag/web-shell/", "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### 
Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.003", "name": "Web Shell", "reference": "https://attack.mitre.org/techniques/T1505/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_6.json b/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_6.json
deleted file mode 100644
index 80343bc39ac..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious commands executed via a web server, which may suggest a vulnerability and remote shell access. Attackers may exploit a vulnerability in a web application to execute commands via a web server, or place a backdoor file that can be abused to gain code execution as a mechanism for persistence.", "false_positives": ["Network monitoring or management products may have a web server component that runs shell commands as part of normal behavior."], "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Remote Code Execution via Web Server", "note": "## Triage and analysis\n\n### Investigating Potential Remote Code Execution via Web Server\n\nAdversaries may backdoor web servers with web shells to establish persistent access to systems. A web shell is a malicious script, often embedded into a compromised web server, that grants an attacker remote access and control over the server. This enables the execution of arbitrary commands, data exfiltration, and further exploitation of the target network.\n\nThis rule detects a web server process spawning script and command line interface programs, potentially indicating attackers executing commands using the web shell.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Investigate abnormal behaviors by the subject process such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential reverse shells or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Investigate the process information for malicious or uncommon processes/process trees.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n - Investigate the process tree spawned from the user that is used to run the web application service. 
A user that is running a web application should not spawn other child processes.\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info for Webapp User\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes WHERE uid = {{process.user.id}}\"}}\n- Examine the command line to determine which commands or scripts were executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and\nevent.action in (\"exec\", \"exec_event\") and process.parent.executable : (\n \"/usr/sbin/nginx\", \"/usr/local/sbin/nginx\",\n \"/usr/sbin/apache\", \"/usr/local/sbin/apache\",\n \"/usr/sbin/apache2\", \"/usr/local/sbin/apache2\",\n \"/usr/sbin/php*\", \"/usr/local/sbin/php*\",\n \"/usr/sbin/lighttpd\", \"/usr/local/sbin/lighttpd\",\n \"/usr/sbin/hiawatha\", \"/usr/local/sbin/hiawatha\",\n \"/usr/local/bin/caddy\", \n \"/usr/local/lsws/bin/lswsctrl\",\n \"*/bin/catalina.sh\"\n) and\nprocess.name : (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"python*\", \"perl\", \"php*\", \"tmux\") and\nprocess.args : (\"whoami\", \"id\", \"uname\", \"cat\", \"hostname\", \"ip\", \"curl\", \"wget\", \"pwd\") and\nnot process.name == \"phpquery\"\n", "references": ["https://pentestlab.blog/tag/web-shell/", "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### 
Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1505", "name": "Server Software Component", "reference": "https://attack.mitre.org/techniques/T1505/", "subtechnique": [{"id": "T1505.003", "name": "Web Shell", "reference": "https://attack.mitre.org/techniques/T1505/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f18a474c-3632-427f-bcf5-363c994309ee.json b/packages/security_detection_engine/kibana/security_rule/f18a474c-3632-427f-bcf5-363c994309ee.json
deleted file mode 100644
index d75efea181d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f18a474c-3632-427f-bcf5-363c994309ee.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the use of the setcap utility to set capabilities on a process. The setcap utility is used to set the capabilities of a binary to allow it to perform privileged operations without needing to run as root. This can be used by attackers to establish persistence by creating a backdoor, or escalate privileges by abusing a misconfiguration on a system.", "from": "now-9m", "index": ["logs-endpoint.events.process*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Process Capability Set via setcap Utility", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and\nprocess.name == \"setcap\" and not (\n process.parent.executable == null or\n process.parent.executable : (\"/var/lib/dpkg/*\", \"/var/lib/docker/*\", \"/tmp/newroot/*\", \"/var/tmp/newroot/*\") or \n process.parent.name in (\"jem\", \"vzctl\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f18a474c-3632-427f-bcf5-363c994309ee", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "f18a474c-3632-427f-bcf5-363c994309ee", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc.json b/packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc.json
deleted file mode 100644
index 9757bce32f6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the occurrence of a security alert from the Google Workspace alerts center. Google Workspace's security alert center provides an overview of actionable alerts that may be affecting an organization's domain. An alert is a warning of a potential security issue that Google has detected.", "false_positives": ["To tune this rule, add exceptions to exclude any google_workspace.alert.type which should not trigger this rule.", "For additional tuning, severity exceptions for google_workspace.alert.metadata.severity can be added."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Forwarded Google Workspace Security Alert", "note": "## Triage and analysis\n\nThis is a promotion rule for Google Workspace security events, which are alertable events per the vendor.\nConsult vendor documentation on interpreting specific events.", "query": "event.dataset: google_workspace.alert\n", "references": ["https://workspace.google.com/products/admin/alert-center/"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 73, "rule_id": "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc", "rule_name_override": "google_workspace.alert.type", "setup": "", "severity": "high", "severity_mapping": [{"field": "google_workspace.alert.metadata.severity", "operator": "equals", "severity": "low", "value": "LOW"}, {"field": "google_workspace.alert.metadata.severity", "operator": "equals", "severity": "medium", "value": "MEDIUM"}, {"field": "google_workspace.alert.metadata.severity", "operator": "equals", "severity": "high", "value": "HIGH"}], "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Log Auditing", "Use Case: Threat Detection"], "timestamp_override": "event.ingested", "type": "query", 
"version": 2}, "id": "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc_1.json deleted file mode 100644 index c74912240e8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the occurrence of a security alert from the Google Workspace alerts center. Google Workspace's security alert center provides an overview of actionable alerts that may be affecting an organization's domain. An alert is a warning of a potential security issue that Google has detected.", "false_positives": ["To tune this rule, add exceptions to exclude any google_workspace.alert.type which should not trigger this rule.", "For additional tuning, severity exceptions for google_workspace.alert.metadata.severity can be added."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Forwarded Google Workspace Security Alert", "note": "## Triage and analysis\n\nThis is a promotion rule for Google Workspace security events, which are alertable events per the vendor.\nConsult vendor documentation on interpreting specific events.", "query": "event.dataset: google_workspace.alert\n", "references": ["https://workspace.google.com/products/admin/alert-center/"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 73, "rule_id": "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc", "rule_name_override": "google_workspace.alert.type", "setup": "", "severity": "high", "severity_mapping": [{"field": "google_workspace.alert.metadata.severity", "operator": "equals", "severity": "low", "value": "LOW"}, {"field": "google_workspace.alert.metadata.severity", "operator": "equals", "severity": "medium", "value": "MEDIUM"}, {"field": "google_workspace.alert.metadata.severity", "operator": "equals", "severity": "high", "value": "HIGH"}], "tags": ["Elastic", "Cloud", "Google Workspace", "Log Auditing", "Threat Detection"], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": 
"f1a6d0f4-95b8-11ed-9517-f661ea17fbcc_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc_2.json b/packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc_2.json deleted file mode 100644 index 76adf0a479f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f1a6d0f4-95b8-11ed-9517-f661ea17fbcc_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the occurrence of a security alert from the Google Workspace alerts center. Google Workspace's security alert center provides an overview of actionable alerts that may be affecting an organization's domain. An alert is a warning of a potential security issue that Google has detected.", "false_positives": ["To tune this rule, add exceptions to exclude any google_workspace.alert.type which should not trigger this rule.", "For additional tuning, severity exceptions for google_workspace.alert.metadata.severity can be added."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Forwarded Google Workspace Security Alert", "note": "## Triage and analysis\n\nThis is a promotion rule for Google Workspace security events, which are alertable events per the vendor.\nConsult vendor documentation on interpreting specific events.", "query": "event.dataset: google_workspace.alert\n", "references": ["https://workspace.google.com/products/admin/alert-center/"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 73, "rule_id": "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc", "rule_name_override": "google_workspace.alert.type", "setup": "", "severity": "high", "severity_mapping": [{"field": "google_workspace.alert.metadata.severity", "operator": "equals", "severity": "low", "value": "LOW"}, {"field": "google_workspace.alert.metadata.severity", "operator": "equals", "severity": "medium", "value": "MEDIUM"}, {"field": "google_workspace.alert.metadata.severity", "operator": "equals", "severity": "high", "value": "HIGH"}], "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Log Auditing", "Use Case: Threat Detection"], "timestamp_override": "event.ingested", "type": "query", 
"version": 2}, "id": "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f2015527-7c46-4bb9-80db-051657ddfb69.json b/packages/security_detection_engine/kibana/security_rule/f2015527-7c46-4bb9-80db-051657ddfb69.json deleted file mode 100644 index daf031d80fc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f2015527-7c46-4bb9-80db-051657ddfb69.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the master password for an AWS RDS DB instance or cluster. DB instances may contain sensitive data that can be abused if accessed by unauthorized actors. Amazon RDS API operations never return the password, so this operation provides a means to regain access if the password is lost. Adversaries with the proper permissions can take advantage of this to evade defenses and gain unauthorized access to a DB instance or cluster to support persistence mechanisms or privilege escalation.", "false_positives": ["Master password change is a legitimate means to regain access to a DB instance in the case of a lost password. Ensure that the instance should not be modified in this way before taking action."], "from": "now-6m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "eql", "license": "Elastic License v2", "name": "AWS RDS DB Instance or Cluster Password Modified", "note": "## Triage and Analysis\n\n### Investigating AWS RDS DB Instance or Cluster Password Modified\n\nThis rule identifies when an RDS DB instance or cluster password is modified. While changing the master password is a legitimate means to regain access in the case of a lost password, adversaries may exploit this feature to maintain persistence or evade defenses in a compromised environment.\n\n#### Possible Investigation Steps\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Modification Event**: Identify the DB instance involved and review the event details. 
Look for `ModifyDBInstance` actions where the masterUserPassword parameter was changed.\n - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` field in the CloudTrail event to identify the DB Instance Identifier and any other modifications made to the instance.\n- **Verify the Modified Instance**: Check the DB instance that was modified and its contents to determine the sensitivity of the data stored within it.\n- **Contextualize with Recent Changes**: Compare this modification event against recent changes in RDS DB or Cluster configurations and deployments. Look for any other recent permissions changes or unusual administrative actions.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.\n- **Interview Relevant Personnel**: If the modification was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing DB instances.\n### False Positive Analysis\n\n- **Legitimate Instance Modification**: Confirm if the DB instance modification aligns with legitimate tasks.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.\n\n### Response and Remediation\n\n- **Immediate Review and Reversal**: If the change was unauthorized, update the instance password. 
If the master user password was managed with AWS Secrets Manager, determine whether the `manageMasterUserPassword` attribute was changed to false and revert if necessary.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.\n- **Audit Instances and Policies**: Conduct a comprehensive audit of all instances and associated policies to ensure they adhere to the principle of least privilege.\n- **Policy Update**: Review and possibly update your organization\u2019s policies on DB instance access to tighten control and prevent unauthorized access.\n- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery.\n\n### Additional Information:\n\nFor further guidance on managing DB instances and securing AWS environments, refer to the [AWS RDS documentation](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDS_Managing.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on DB instance security:\n- [AWS RDS ModifyDBInstance](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html)\n- [Amazon RDS and Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html)\n", "query": "any where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"rds.amazonaws.com\"\n and event.action in (\"ModifyDBInstance\", \"ModifyDBCluster\")\n and event.outcome == \"success\"\n and stringContains(aws.cloudtrail.request_parameters, \"masterUserPassword=*\")\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html", "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html", "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.request_parameters", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "f2015527-7c46-4bb9-80db-051657ddfb69", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Resources: Investigation Guide", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": 
[{"id": "T1098.001", "name": "Additional Cloud Credentials", "reference": "https://attack.mitre.org/techniques/T1098/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "f2015527-7c46-4bb9-80db-051657ddfb69", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f2015527-7c46-4bb9-80db-051657ddfb69_1.json b/packages/security_detection_engine/kibana/security_rule/f2015527-7c46-4bb9-80db-051657ddfb69_1.json deleted file mode 100644 index 2fffc077225..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f2015527-7c46-4bb9-80db-051657ddfb69_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the master password for an AWS RDS DB instance or cluster. DB instances may contain sensitive data that can be abused if accessed by unauthorized actors. Amazon RDS API operations never return the password, so this operation provides a means to regain access if the password is lost. Adversaries with the proper permissions can take advantage of this to evade defenses and gain unauthorized access to a DB instance or cluster to support persistence mechanisms or privilege escalation.", "false_positives": ["Master password change is a legitimate means to regain access to a DB instance in the case of a lost password. Ensure that the instance should not be modified in this way before taking action."], "from": "now-10m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "eql", "license": "Elastic License v2", "name": "AWS RDS DB Instance or Cluster Password Modified", "note": "## Triage and Analysis\n\n### Investigating AWS RDS DB Instance or Cluster Password Modified\n\nThis rule identifies when an RDS DB instance or cluster password is modified. While changing the master password is a legitimate means to regain access in the case of a lost password, adversaries may exploit this feature to maintain persistence or evade defenses in a compromised environment.\n\n#### Possible Investigation Steps\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Modification Event**: Identify the DB instance involved and review the event details. 
Look for `ModifyDBInstance` actions where the masterUserPassword parameter was changed.\n - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` field in the CloudTrail event to identify the DB Instance Identifier and any other modifications made to the instance.\n- **Verify the Modified Instance**: Check the DB instance that was modified and its contents to determine the sensitivity of the data stored within it.\n- **Contextualize with Recent Changes**: Compare this modification event against recent changes in RDS DB or Cluster configurations and deployments. Look for any other recent permissions changes or unusual administrative actions.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.\n- **Interview Relevant Personnel**: If the modification was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing DB instances.\n### False Positive Analysis\n\n- **Legitimate Instance Modification**: Confirm if the DB instance modification aligns with legitimate tasks.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. If the action is consistent with past legitimate activities, it might indicate a false alarm.\n\n### Response and Remediation\n\n- **Immediate Review and Reversal**: If the change was unauthorized, update the instance password. 
If the master user password was managed with AWS Secrets Manager, determine whether the `manageMasterUserPassword` attribute was changed to false and revert if necessary.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.\n- **Audit Instances and Policies**: Conduct a comprehensive audit of all instances and associated policies to ensure they adhere to the principle of least privilege.\n- **Policy Update**: Review and possibly update your organization\u2019s policies on DB instance access to tighten control and prevent unauthorized access.\n- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery.\n\n### Additional Information:\n\nFor further guidance on managing DB instances and securing AWS environments, refer to the [AWS RDS documentation](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDS_Managing.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on DB instance security:\n- [AWS RDS ModifyDBInstance](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html)\n- [Amazon RDS and Secrets Manager](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html)\n", "query": "any where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"rds.amazonaws.com\"\n and event.action in (\"ModifyDBInstance\", \"ModifyDBCluster\")\n and event.outcome == \"success\"\n and stringContains(aws.cloudtrail.request_parameters, \"masterUserPassword=*\")\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html", "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html", "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-rds-privesc#rds-modifydbinstance"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.request_parameters", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "f2015527-7c46-4bb9-80db-051657ddfb69", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Resources: Investigation Guide", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": 
[{"id": "T1098.001", "name": "Additional Cloud Credentials", "reference": "https://attack.mitre.org/techniques/T1098/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "f2015527-7c46-4bb9-80db-051657ddfb69_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f243fe39-83a4-46f3-a3b6-707557a102df.json b/packages/security_detection_engine/kibana/security_rule/f243fe39-83a4-46f3-a3b6-707557a102df.json deleted file mode 100644 index ea2a4db3709..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f243fe39-83a4-46f3-a3b6-707557a102df.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies attempts to modify a service path by an unusual process. Attackers may attempt to modify existing services for persistence or privilege escalation.", "from": "now-119m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Service Path Modification", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and not (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\"\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "f243fe39-83a4-46f3-a3b6-707557a102df", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "f243fe39-83a4-46f3-a3b6-707557a102df", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f243fe39-83a4-46f3-a3b6-707557a102df_1.json b/packages/security_detection_engine/kibana/security_rule/f243fe39-83a4-46f3-a3b6-707557a102df_1.json deleted file mode 100644 index b8211ed47cc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f243fe39-83a4-46f3-a3b6-707557a102df_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies attempts to modify a service path by an unusual process. Attackers may attempt to modify existing services for persistence or privilege escalation.", "from": "now-119m", "index": ["logs-endpoint.events.*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Service Path Modification", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and not (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\"\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "f243fe39-83a4-46f3-a3b6-707557a102df", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", 
"reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "f243fe39-83a4-46f3-a3b6-707557a102df_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f243fe39-83a4-46f3-a3b6-707557a102df_2.json b/packages/security_detection_engine/kibana/security_rule/f243fe39-83a4-46f3-a3b6-707557a102df_2.json deleted file mode 100644 index 681d8b573bb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f243fe39-83a4-46f3-a3b6-707557a102df_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies attempts to modify a service path by an unusual process. Attackers may attempt to modify existing services for persistence or privilege escalation.", "from": "now-119m", "index": ["logs-endpoint.events.registry-*", "endgame-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Service Path Modification", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and not (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\"\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "f243fe39-83a4-46f3-a3b6-707557a102df", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System 
Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "f243fe39-83a4-46f3-a3b6-707557a102df_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f243fe39-83a4-46f3-a3b6-707557a102df_3.json b/packages/security_detection_engine/kibana/security_rule/f243fe39-83a4-46f3-a3b6-707557a102df_3.json deleted file mode 100644 index 8309368d866..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f243fe39-83a4-46f3-a3b6-707557a102df_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies attempts to modify a service path by an unusual process. Attackers may attempt to modify existing services for persistence or privilege escalation.", "from": "now-119m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Service Path Modification", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and not (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\"\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "f243fe39-83a4-46f3-a3b6-707557a102df", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, 
"technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "f243fe39-83a4-46f3-a3b6-707557a102df_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f243fe39-83a4-46f3-a3b6-707557a102df_4.json b/packages/security_detection_engine/kibana/security_rule/f243fe39-83a4-46f3-a3b6-707557a102df_4.json
deleted file mode 100644
index 575d32f23ea..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f243fe39-83a4-46f3-a3b6-707557a102df_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies attempts to modify a service path by an unusual process. Attackers may attempt to modify existing services for persistence or privilege escalation.", "from": "now-119m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Service Path Modification", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKLM\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\",\n \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\*ControlSet*\\\\Services\\\\*\\\\ImagePath\"\n ) and not (\n process.executable : (\n \"?:\\\\Program Files\\\\*.exe\",\n \"?:\\\\Program Files (x86)\\\\*.exe\",\n \"?:\\\\Windows\\\\System32\\\\services.exe\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\"\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 21, "rule_id": "f243fe39-83a4-46f3-a3b6-707557a102df", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.003", "name": "Windows Service", "reference": "https://attack.mitre.org/techniques/T1543/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "f243fe39-83a4-46f3-a3b6-707557a102df_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7.json b/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7.json
deleted file mode 100644
index 06d1ace640a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of osascript to create a hidden login item. This may indicate an attempt to persist a malicious program while concealing its presence.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of Hidden Login Item via Apple Script", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*login item*hidden:true*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.002", "name": "AppleScript", "reference": "https://attack.mitre.org/techniques/T1059/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1647", "name": "Plist File Modification", "reference": "https://attack.mitre.org/techniques/T1647/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_103.json b/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_103.json
deleted file mode 100644
index 210e5792bb0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of osascript to create a hidden login item. This may indicate an attempt to persist a malicious program while concealing its presence.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of Hidden Login Item via Apple Script", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*login item*hidden:true*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Persistence", "Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": 
"https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.002", "name": "AppleScript", "reference": "https://attack.mitre.org/techniques/T1059/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1647", "name": "Plist File Modification", "reference": "https://attack.mitre.org/techniques/T1647/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_104.json b/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_104.json
deleted file mode 100644
index 47a6d8bdcdd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of osascript to create a hidden login item. This may indicate an attempt to persist a malicious program while concealing its presence.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of Hidden Login Item via Apple Script", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*login item*hidden:true*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": 
"https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.002", "name": "AppleScript", "reference": "https://attack.mitre.org/techniques/T1059/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1647", "name": "Plist File Modification", "reference": "https://attack.mitre.org/techniques/T1647/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_105.json b/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_105.json
deleted file mode 100644
index 15f7fb7bc87..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of osascript to create a hidden login item. This may indicate an attempt to persist a malicious program while concealing its presence.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of Hidden Login Item via Apple Script", "note": "", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*login item*hidden:true*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting 
Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.002", "name": "AppleScript", "reference": "https://attack.mitre.org/techniques/T1059/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1647", "name": "Plist File Modification", "reference": "https://attack.mitre.org/techniques/T1647/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_106.json b/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_106.json
deleted file mode 100644
index 0421c5d37ed..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of osascript to create a hidden login item. This may indicate an attempt to persist a malicious program while concealing its presence.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of Hidden Login Item via Apple Script", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*login item*hidden:true*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}, {"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.002", "name": "AppleScript", "reference": "https://attack.mitre.org/techniques/T1059/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1647", "name": "Plist File Modification", "reference": "https://attack.mitre.org/techniques/T1647/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_107.json b/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_107.json
deleted file mode 100644
index f40099e749b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f24bcae1-8980-4b30-b5dd-f851b055c9e7_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the execution of osascript to create a hidden login item. This may indicate an attempt to persist a malicious program while concealing its presence.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Creation of Hidden Login Item via Apple Script", "query": "process where host.os.type == \"macos\" and event.type in (\"start\", \"process_started\") and process.name : \"osascript\" and\n process.command_line : \"osascript*login item*hidden:true*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.002", "name": "AppleScript", "reference": "https://attack.mitre.org/techniques/T1059/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1647", "name": "Plist File Modification", "reference": "https://attack.mitre.org/techniques/T1647/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "f24bcae1-8980-4b30-b5dd-f851b055c9e7_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22.json b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22.json
deleted file mode 100644
index 23212e24ede..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration.", "false_positives": ["Updates to approved and trusted SSH executables can trigger this rule."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential OpenSSH Backdoor Logging Activity", "query": "file where host.os.type == \"linux\" and event.type == \"change\" and process.executable : (\"/usr/sbin/sshd\", \"/usr/bin/ssh\") and\n (\n (file.name : (\".*\", \"~*\", \"*~\") and not file.name : (\".cache\", \".viminfo\", \".bash_history\", \".google_authenticator\",\n \".jelenv\", \".csvignore\", \".rtreport\")) or\n file.extension : (\"in\", \"out\", \"ini\", \"h\", \"gz\", \"so\", \"sock\", \"sync\", \"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\") or\n file.path :\n (\n \"/private/etc/*--\",\n \"/usr/share/*\",\n \"/usr/include/*\",\n \"/usr/local/include/*\",\n \"/private/tmp/*\",\n \"/private/var/tmp/*\",\n \"/usr/tmp/*\",\n \"/usr/share/man/*\",\n \"/usr/local/share/*\",\n \"/usr/lib/*.so.*\",\n \"/private/etc/ssh/.sshd_auth\",\n \"/usr/bin/ssd\",\n \"/private/var/opt/power\",\n \"/private/etc/ssh/ssh_known_hosts\",\n \"/private/var/html/lol\",\n \"/private/var/log/utmp\",\n \"/private/var/lib\",\n \"/var/run/sshd/sshd.pid\",\n \"/var/run/nscd/ns.pid\",\n \"/var/run/udev/ud.pid\",\n \"/var/run/udevd.pid\"\n )\n )\n", "references": ["https://github.com/eset/malware-ioc/tree/master/sshdoor", "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": 
"event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "f28e2be4-6eca-4349-bdd9-381573730c22", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Host Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": 
"f28e2be4-6eca-4349-bdd9-381573730c22", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_103.json b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_103.json deleted file mode 100644 index 95c78f8204d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_103.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration.", "false_positives": ["Updates to approved and trusted SSH executables can trigger this rule."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential OpenSSH Backdoor Logging Activity", "note": "", "query": "file where host.os.type == \"linux\" and event.type == \"change\" and process.executable : (\"/usr/sbin/sshd\", \"/usr/bin/ssh\") and\n (\n (file.name : (\".*\", \"~*\", \"*~\") and not file.name : (\".cache\", \".viminfo\", \".bash_history\")) or\n file.extension : (\"in\", \"out\", \"ini\", \"h\", \"gz\", \"so\", \"sock\", \"sync\", \"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\") or\n file.path :\n (\n \"/private/etc/*--\",\n \"/usr/share/*\",\n \"/usr/include/*\",\n \"/usr/local/include/*\",\n \"/private/tmp/*\",\n \"/private/var/tmp/*\",\n \"/usr/tmp/*\",\n \"/usr/share/man/*\",\n \"/usr/local/share/*\",\n \"/usr/lib/*.so.*\",\n \"/private/etc/ssh/.sshd_auth\",\n \"/usr/bin/ssd\",\n \"/private/var/opt/power\",\n \"/private/etc/ssh/ssh_known_hosts\",\n \"/private/var/html/lol\",\n \"/private/var/log/utmp\",\n \"/private/var/lib\",\n \"/var/run/sshd/sshd.pid\",\n \"/var/run/nscd/ns.pid\",\n \"/var/run/udev/ud.pid\",\n \"/var/run/udevd.pid\"\n )\n )\n", "references": ["https://github.com/eset/malware-ioc/tree/master/sshdoor", "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": 
"file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "f28e2be4-6eca-4349-bdd9-381573730c22", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Credential Access", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "f28e2be4-6eca-4349-bdd9-381573730c22_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_104.json b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_104.json deleted file mode 100644 index 1f113562127..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration.", "false_positives": ["Updates to approved and trusted SSH executables can trigger this rule."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential OpenSSH Backdoor Logging Activity", "note": "", "query": "file where host.os.type == \"linux\" and event.type == \"change\" and process.executable : (\"/usr/sbin/sshd\", \"/usr/bin/ssh\") and\n (\n (file.name : (\".*\", \"~*\", \"*~\") and not file.name : (\".cache\", \".viminfo\", \".bash_history\")) or\n file.extension : (\"in\", \"out\", \"ini\", \"h\", \"gz\", \"so\", \"sock\", \"sync\", \"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\") or\n file.path :\n (\n \"/private/etc/*--\",\n \"/usr/share/*\",\n \"/usr/include/*\",\n \"/usr/local/include/*\",\n \"/private/tmp/*\",\n \"/private/var/tmp/*\",\n \"/usr/tmp/*\",\n \"/usr/share/man/*\",\n \"/usr/local/share/*\",\n \"/usr/lib/*.so.*\",\n \"/private/etc/ssh/.sshd_auth\",\n \"/usr/bin/ssd\",\n \"/private/var/opt/power\",\n \"/private/etc/ssh/ssh_known_hosts\",\n \"/private/var/html/lol\",\n \"/private/var/log/utmp\",\n \"/private/var/lib\",\n \"/var/run/sshd/sshd.pid\",\n \"/var/run/nscd/ns.pid\",\n \"/var/run/udev/ud.pid\",\n \"/var/run/udevd.pid\"\n )\n )\n", "references": ["https://github.com/eset/malware-ioc/tree/master/sshdoor", "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": 
"file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "f28e2be4-6eca-4349-bdd9-381573730c22", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "f28e2be4-6eca-4349-bdd9-381573730c22_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_105.json b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_105.json deleted file mode 100644 index 806c411f47d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration.", "false_positives": ["Updates to approved and trusted SSH executables can trigger this rule."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential OpenSSH Backdoor Logging Activity", "note": "", "query": "file where host.os.type == \"linux\" and event.type == \"change\" and process.executable : (\"/usr/sbin/sshd\", \"/usr/bin/ssh\") and\n (\n (file.name : (\".*\", \"~*\", \"*~\") and not file.name : (\".cache\", \".viminfo\", \".bash_history\")) or\n file.extension : (\"in\", \"out\", \"ini\", \"h\", \"gz\", \"so\", \"sock\", \"sync\", \"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\") or\n file.path :\n (\n \"/private/etc/*--\",\n \"/usr/share/*\",\n \"/usr/include/*\",\n \"/usr/local/include/*\",\n \"/private/tmp/*\",\n \"/private/var/tmp/*\",\n \"/usr/tmp/*\",\n \"/usr/share/man/*\",\n \"/usr/local/share/*\",\n \"/usr/lib/*.so.*\",\n \"/private/etc/ssh/.sshd_auth\",\n \"/usr/bin/ssd\",\n \"/private/var/opt/power\",\n \"/private/etc/ssh/ssh_known_hosts\",\n \"/private/var/html/lol\",\n \"/private/var/log/utmp\",\n \"/private/var/lib\",\n \"/var/run/sshd/sshd.pid\",\n \"/var/run/nscd/ns.pid\",\n \"/var/run/udev/ud.pid\",\n \"/var/run/udevd.pid\"\n )\n )\n", "references": ["https://github.com/eset/malware-ioc/tree/master/sshdoor", "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": 
"file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "f28e2be4-6eca-4349-bdd9-381573730c22", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "f28e2be4-6eca-4349-bdd9-381573730c22_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_106.json b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_106.json deleted file mode 100644 index 04d0436bef4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_106.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration.", "false_positives": ["Updates to approved and trusted SSH executables can trigger this rule."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential OpenSSH Backdoor Logging Activity", "note": "### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).", "query": "file where host.os.type == \"linux\" and event.type == \"change\" and process.executable : (\"/usr/sbin/sshd\", \"/usr/bin/ssh\") and\n (\n (file.name : (\".*\", \"~*\", \"*~\") and not file.name : (\".cache\", \".viminfo\", \".bash_history\")) or\n file.extension : (\"in\", \"out\", \"ini\", \"h\", \"gz\", \"so\", \"sock\", \"sync\", \"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\") or\n file.path :\n (\n \"/private/etc/*--\",\n \"/usr/share/*\",\n \"/usr/include/*\",\n \"/usr/local/include/*\",\n \"/private/tmp/*\",\n \"/private/var/tmp/*\",\n \"/usr/tmp/*\",\n \"/usr/share/man/*\",\n \"/usr/local/share/*\",\n \"/usr/lib/*.so.*\",\n \"/private/etc/ssh/.sshd_auth\",\n \"/usr/bin/ssd\",\n \"/private/var/opt/power\",\n \"/private/etc/ssh/ssh_known_hosts\",\n \"/private/var/html/lol\",\n \"/private/var/log/utmp\",\n \"/private/var/lib\",\n 
\"/var/run/sshd/sshd.pid\",\n \"/var/run/nscd/ns.pid\",\n \"/var/run/udev/ud.pid\",\n \"/var/run/udevd.pid\"\n )\n )\n", "references": ["https://github.com/eset/malware-ioc/tree/master/sshdoor", "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "f28e2be4-6eca-4349-bdd9-381573730c22", "setup": "This rule requires data coming in either from Elastic Defend, or Auditbeat integration.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "f28e2be4-6eca-4349-bdd9-381573730c22_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_107.json b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_107.json
deleted file mode 100644
index ba7499bd101..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration.", "false_positives": ["Updates to approved and trusted SSH executables can trigger this rule."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential OpenSSH Backdoor Logging Activity", "query": "file where host.os.type == \"linux\" and event.type == \"change\" and process.executable : (\"/usr/sbin/sshd\", \"/usr/bin/ssh\") and\n (\n (file.name : (\".*\", \"~*\", \"*~\") and not file.name : (\".cache\", \".viminfo\", \".bash_history\", \".google_authenticator\",\n \".jelenv\", \".csvignore\", \".rtreport\")) or\n file.extension : (\"in\", \"out\", \"ini\", \"h\", \"gz\", \"so\", \"sock\", \"sync\", \"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\") or\n file.path :\n (\n \"/private/etc/*--\",\n \"/usr/share/*\",\n \"/usr/include/*\",\n \"/usr/local/include/*\",\n \"/private/tmp/*\",\n \"/private/var/tmp/*\",\n \"/usr/tmp/*\",\n \"/usr/share/man/*\",\n \"/usr/local/share/*\",\n \"/usr/lib/*.so.*\",\n \"/private/etc/ssh/.sshd_auth\",\n \"/usr/bin/ssd\",\n \"/private/var/opt/power\",\n \"/private/etc/ssh/ssh_known_hosts\",\n \"/private/var/html/lol\",\n \"/private/var/log/utmp\",\n \"/private/var/lib\",\n \"/var/run/sshd/sshd.pid\",\n \"/var/run/nscd/ns.pid\",\n \"/var/run/udev/ud.pid\",\n \"/var/run/udevd.pid\"\n )\n )\n", "references": ["https://github.com/eset/malware-ioc/tree/master/sshdoor", "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": 
"event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "f28e2be4-6eca-4349-bdd9-381573730c22", "setup": "\nThis rule requires data coming in either from Elastic Defend, or Auditbeat integration.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat for Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": 
"f28e2be4-6eca-4349-bdd9-381573730c22_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_108.json b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_108.json deleted file mode 100644 index 17ffd1d509f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration.", "false_positives": ["Updates to approved and trusted SSH executables can trigger this rule."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential OpenSSH Backdoor Logging Activity", "query": "file where host.os.type == \"linux\" and event.type == \"change\" and process.executable : (\"/usr/sbin/sshd\", \"/usr/bin/ssh\") and\n (\n (file.name : (\".*\", \"~*\", \"*~\") and not file.name : (\".cache\", \".viminfo\", \".bash_history\", \".google_authenticator\",\n \".jelenv\", \".csvignore\", \".rtreport\")) or\n file.extension : (\"in\", \"out\", \"ini\", \"h\", \"gz\", \"so\", \"sock\", \"sync\", \"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\") or\n file.path :\n (\n \"/private/etc/*--\",\n \"/usr/share/*\",\n \"/usr/include/*\",\n \"/usr/local/include/*\",\n \"/private/tmp/*\",\n \"/private/var/tmp/*\",\n \"/usr/tmp/*\",\n \"/usr/share/man/*\",\n \"/usr/local/share/*\",\n \"/usr/lib/*.so.*\",\n \"/private/etc/ssh/.sshd_auth\",\n \"/usr/bin/ssd\",\n \"/private/var/opt/power\",\n \"/private/etc/ssh/ssh_known_hosts\",\n \"/private/var/html/lol\",\n \"/private/var/log/utmp\",\n \"/private/var/lib\",\n \"/var/run/sshd/sshd.pid\",\n \"/var/run/nscd/ns.pid\",\n \"/var/run/udev/ud.pid\",\n \"/var/run/udevd.pid\"\n )\n )\n", "references": ["https://github.com/eset/malware-ioc/tree/master/sshdoor", "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": 
"event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "f28e2be4-6eca-4349-bdd9-381573730c22", "setup": "\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": 
"f28e2be4-6eca-4349-bdd9-381573730c22_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_109.json b/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_109.json
deleted file mode 100644
index c8948921f18..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f28e2be4-6eca-4349-bdd9-381573730c22_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a Secure Shell (SSH) client or server process creating or writing to a known SSH backdoor log file. Adversaries may modify SSH related binaries for persistence or credential access via patching sensitive functions to enable unauthorized access or to log SSH credentials for exfiltration.", "false_positives": ["Updates to approved and trusted SSH executables can trigger this rule."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential OpenSSH Backdoor Logging Activity", "query": "file where host.os.type == \"linux\" and event.type == \"change\" and process.executable : (\"/usr/sbin/sshd\", \"/usr/bin/ssh\") and\n (\n (file.name : (\".*\", \"~*\", \"*~\") and not file.name : (\".cache\", \".viminfo\", \".bash_history\", \".google_authenticator\",\n \".jelenv\", \".csvignore\", \".rtreport\")) or\n file.extension : (\"in\", \"out\", \"ini\", \"h\", \"gz\", \"so\", \"sock\", \"sync\", \"0\", \"1\", \"2\", \"3\", \"4\", \"5\", \"6\", \"7\", \"8\", \"9\") or\n file.path :\n (\n \"/private/etc/*--\",\n \"/usr/share/*\",\n \"/usr/include/*\",\n \"/usr/local/include/*\",\n \"/private/tmp/*\",\n \"/private/var/tmp/*\",\n \"/usr/tmp/*\",\n \"/usr/share/man/*\",\n \"/usr/local/share/*\",\n \"/usr/lib/*.so.*\",\n \"/private/etc/ssh/.sshd_auth\",\n \"/usr/bin/ssd\",\n \"/private/var/opt/power\",\n \"/private/etc/ssh/ssh_known_hosts\",\n \"/private/var/html/lol\",\n \"/private/var/log/utmp\",\n \"/private/var/lib\",\n \"/var/run/sshd/sshd.pid\",\n \"/var/run/nscd/ns.pid\",\n \"/var/run/udev/ud.pid\",\n \"/var/run/udevd.pid\"\n )\n )\n", "references": ["https://github.com/eset/malware-ioc/tree/master/sshdoor", "https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": 
"event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "f28e2be4-6eca-4349-bdd9-381573730c22", "setup": "## Setup\n\nThis rule requires data coming in from one of the following integrations:\n- Elastic Defend\n- Auditbeat\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditbeat Setup\nAuditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.\n\n#### The following steps should be executed in order to add the Auditbeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. 
Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).\n- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).\n- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).\n- For complete \u201cSetup and Run Auditbeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).\n\n#### Custom Ingest Pipeline\nFor versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": 
"f28e2be4-6eca-4349-bdd9-381573730c22_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca.json b/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca.json
deleted file mode 100644
index 3ecf9a0c126..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "SIP Provider Modification", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and registry.value : (\"Dll\", \"$Dll\") and\n registry.path: (\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\"\n ) and\n registry.data.strings:\"*.dll\" and\n not (process.name : \"msiexec.exe\" and registry.data.strings : \"mso.dll\") and\n not (process.name : \"regsvr32.exe\" and registry.data.strings == \"WINTRUST.DLL\")\n", "references": ["https://github.com/mattifestation/PoCSubjectInterfacePackage"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": 
"f2c7b914-eda3-40c2-96ac-d23ef91776ca", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.003", "name": "SIP and Trust Provider Hijacking", "reference": "https://attack.mitre.org/techniques/T1553/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_103.json b/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_103.json
deleted file mode 100644
index 2a95e89836f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "SIP Provider Modification", "query": "registry where host.os.type == \"windows\" and event.type:\"change\" and\n registry.path: (\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\"\n ) and\n registry.data.strings:\"*.dll\"\n", "references": ["https://github.com/mattifestation/PoCSubjectInterfacePackage"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": 
"https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.003", "name": "SIP and Trust Provider Hijacking", "reference": "https://attack.mitre.org/techniques/T1553/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_104.json b/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_104.json
deleted file mode 100644
index 57954280123..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "SIP Provider Modification", "query": "registry where host.os.type == \"windows\" and event.type:\"change\" and\n registry.path: (\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\"\n ) and\n registry.data.strings:\"*.dll\"\n", "references": ["https://github.com/mattifestation/PoCSubjectInterfacePackage"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", 
"reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.003", "name": "SIP and Trust Provider Hijacking", "reference": "https://attack.mitre.org/techniques/T1553/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_105.json b/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_105.json
deleted file mode 100644
index 787cd0fd4bb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "SIP Provider Modification", "query": "registry where host.os.type == \"windows\" and event.type:\"change\" and\n registry.path: (\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\"\n ) and\n registry.data.strings:\"*.dll\"\n", "references": ["https://github.com/mattifestation/PoCSubjectInterfacePackage"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": 
"Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.003", "name": "SIP and Trust Provider Hijacking", "reference": "https://attack.mitre.org/techniques/T1553/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_106.json b/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_106.json
deleted file mode 100644
index a30bdec03e7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "SIP Provider Modification", "query": "registry where host.os.type == \"windows\" and event.type:\"change\" and\n registry.path: (\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\"\n ) and\n registry.data.strings:\"*.dll\"\n", "references": ["https://github.com/mattifestation/PoCSubjectInterfacePackage"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.003", "name": "SIP and Trust Provider Hijacking", "reference": "https://attack.mitre.org/techniques/T1553/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_107.json b/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_107.json
deleted file mode 100644
index 024b41320e0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "SIP Provider Modification", "query": "registry where host.os.type == \"windows\" and event.type:\"change\" and\n registry.path: (\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\"\n ) and\n registry.data.strings:\"*.dll\"\n", "references": ["https://github.com/mattifestation/PoCSubjectInterfacePackage"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.003", "name": "SIP and Trust Provider Hijacking", "reference": "https://attack.mitre.org/techniques/T1553/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_108.json b/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_108.json
deleted file mode 100644
index 02e87724c05..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "SIP Provider Modification", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and registry.value : (\"Dll\", \"$Dll\") and\n registry.path: (\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\"\n ) and\n registry.data.strings:\"*.dll\" and\n not (process.name : \"msiexec.exe\" and registry.data.strings : \"mso.dll\") and\n not (process.name : \"regsvr32.exe\" and registry.data.strings == \"WINTRUST.DLL\")\n", "references": ["https://github.com/mattifestation/PoCSubjectInterfacePackage"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": 
"f2c7b914-eda3-40c2-96ac-d23ef91776ca", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.003", "name": "SIP and Trust Provider Hijacking", "reference": "https://attack.mitre.org/techniques/T1553/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_109.json b/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_109.json deleted file mode 100644 index fee75f55f08..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"], "language": "eql", "license": "Elastic License v2", "name": "SIP Provider Modification", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and registry.value : (\"Dll\", \"$Dll\") and\n registry.path: (\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\"\n ) and\n registry.data.strings:\"*.dll\" and\n not (process.name : \"msiexec.exe\" and registry.data.strings : \"mso.dll\") and\n not (process.name : \"regsvr32.exe\" and registry.data.strings == \"WINTRUST.DLL\")\n", "references": ["https://github.com/mattifestation/PoCSubjectInterfacePackage"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": 
"f2c7b914-eda3-40c2-96ac-d23ef91776ca", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.003", "name": "SIP and Trust Provider Hijacking", "reference": "https://attack.mitre.org/techniques/T1553/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_309.json b/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_309.json deleted file mode 100644 index 23fed84e38f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f2c7b914-eda3-40c2-96ac-d23ef91776ca_309.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modifications to the registered Subject Interface Package (SIP) providers. SIP providers are used by the Windows cryptographic system to validate file signatures on the system. This may be an attempt to bypass signature validation checks or inject code into critical processes.", "from": "now-9m", "index": ["logs-endpoint.events.registry-*", "endgame-*", "logs-windows.sysmon_operational-*", "winlogbeat-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "SIP Provider Modification", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and registry.value : (\"Dll\", \"$Dll\") and\n registry.path: (\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\OID\\\\EncodingType 0\\\\CryptSIPDllPutSignedDataMsg\\\\{*}\\\\Dll\",\n \"*\\\\SOFTWARE\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\",\n \"*\\\\SOFTWARE\\\\WOW6432Node\\\\Microsoft\\\\Cryptography\\\\Providers\\\\Trust\\\\FinalPolicy\\\\{*}\\\\$Dll\"\n ) and\n registry.data.strings:\"*.dll\" and\n not (process.name : \"msiexec.exe\" and registry.data.strings : \"mso.dll\") and\n not (process.name : \"regsvr32.exe\" and registry.data.strings == \"WINTRUST.DLL\")\n", "references": ["https://github.com/mattifestation/PoCSubjectInterfacePackage"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": 
"wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: Microsoft Defender for Endpoint", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": "https://attack.mitre.org/techniques/T1553/", "subtechnique": [{"id": "T1553.003", "name": "SIP and Trust Provider Hijacking", "reference": "https://attack.mitre.org/techniques/T1553/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 309}, "id": "f2c7b914-eda3-40c2-96ac-d23ef91776ca_309", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f.json b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f.json deleted file mode 100644 index 93af63d55d2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Creation", "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Creation\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process responsible for creating the dump file.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM 
services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.action != \"deletion\" and\n file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\") and\n\n not (\n process.executable : (\n \"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\SqlDumper.exe\",\n \"?:\\\\Program Files\\\\Microsoft SQL Server Reporting Services\\\\SSRS\\\\ReportServer\\\\bin\\\\SqlDumper.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\"\n ) and\n file.path : (\n \"?:\\\\*\\\\Reporting Services\\\\Logfiles\\\\SQLDmpr*.mdmp\",\n \"?:\\\\Program Files\\\\Microsoft SQL Server Reporting Services\\\\SSRS\\\\Logfiles\\\\SQLDmpr*.mdmp\",\n \"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\ErrorDumps\\\\SQLDmpr*.mdmp\",\n \"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\MSSQL\\\\LOG\\\\SQLDmpr*.mdmp\"\n )\n ) and\n\n not (\n process.executable : (\n \"?:\\\\Windows\\\\system32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\"\n ) and\n file.path : (\n \"?:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\lsass.exe.*.dmp\",\n \"?:\\\\Windows\\\\System32\\\\%LOCALAPPDATA%\\\\CrashDumps\\\\lsass.exe.*.dmp\"\n )\n )\n", "references": ["https://github.com/outflanknl/Dumpert", "https://github.com/hoangprod/AndrewSpecial"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": 
"file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", "timeline_title": "Comprehensive File Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_103.json b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_103.json deleted file mode 100644 index 145d9b42c90..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Creation", "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Creation\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process responsible for creating the dump file.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\SqlDumper.exe\", \"?:\\\\Windows\\\\System32\\\\dllhost.exe\") and\n file.path : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\ErrorDumps\\\\SQLDmpr*.mdmp\",\n \"?:\\\\*\\\\Reporting Services\\\\Logfiles\\\\SQLDmpr*.mdmp\")) and\n\n not (process.executable : \"?:\\\\WINDOWS\\\\system32\\\\WerFault.exe\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\lsass.exe.*.dmp\")\n", "references": ["https://github.com/outflanknl/Dumpert", "https://github.com/hoangprod/AndrewSpecial"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", 
"Threat Detection", "Credential Access", "Elastic Endgame", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", "timeline_title": "Comprehensive File Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_104.json b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_104.json deleted file mode 100644 index 0c7b72902bf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Creation", "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Creation\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process responsible for creating the dump file.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM 
services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\SqlDumper.exe\", \"?:\\\\Windows\\\\System32\\\\dllhost.exe\") and\n file.path : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\ErrorDumps\\\\SQLDmpr*.mdmp\",\n \"?:\\\\*\\\\Reporting Services\\\\Logfiles\\\\SQLDmpr*.mdmp\")) and\n\n not (process.executable : \"?:\\\\WINDOWS\\\\system32\\\\WerFault.exe\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\lsass.exe.*.dmp\")\n", "references": ["https://github.com/outflanknl/Dumpert", "https://github.com/hoangprod/AndrewSpecial"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", 
"Threat Detection", "Credential Access", "Elastic Endgame", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", "timeline_title": "Comprehensive File Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_105.json b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_105.json deleted file mode 100644 index c0d30788daa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Creation", "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Creation\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process responsible for creating the dump file.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM 
services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\SqlDumper.exe\", \"?:\\\\Windows\\\\System32\\\\dllhost.exe\") and\n file.path : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\ErrorDumps\\\\SQLDmpr*.mdmp\",\n \"?:\\\\*\\\\Reporting Services\\\\Logfiles\\\\SQLDmpr*.mdmp\")) and\n\n not (process.executable : \"?:\\\\WINDOWS\\\\system32\\\\WerFault.exe\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\lsass.exe.*.dmp\")\n", "references": ["https://github.com/outflanknl/Dumpert", "https://github.com/hoangprod/AndrewSpecial"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", 
"Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", "timeline_title": "Comprehensive File Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_106.json b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_106.json
deleted file mode 100644
index a8efe04f1ff..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Creation", "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Creation\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process responsible for creating the dump file.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM 
services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\") and\n\n not (process.executable : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\SqlDumper.exe\", \"?:\\\\Windows\\\\System32\\\\dllhost.exe\") and\n file.path : (\"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\ErrorDumps\\\\SQLDmpr*.mdmp\",\n \"?:\\\\*\\\\Reporting Services\\\\Logfiles\\\\SQLDmpr*.mdmp\")) and\n\n not (process.executable : \"?:\\\\WINDOWS\\\\system32\\\\WerFault.exe\" and\n file.path : \"?:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\lsass.exe.*.dmp\")\n", "references": ["https://github.com/outflanknl/Dumpert", "https://github.com/hoangprod/AndrewSpecial"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", 
"Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", "timeline_title": "Comprehensive File Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_107.json b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_107.json
deleted file mode 100644
index f5bac7650c3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Creation", "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Creation\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process responsible for creating the dump file.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM 
services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "file where host.os.type == \"windows\" and event.action != \"deletion\" and\n file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\") and\n\n not (\n process.executable : (\n \"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\SqlDumper.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\"\n ) and\n file.path : (\n \"?:\\\\*\\\\Reporting Services\\\\Logfiles\\\\SQLDmpr*.mdmp\",\n \"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\ErrorDumps\\\\SQLDmpr*.mdmp\",\n \"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\MSSQL\\\\LOG\\\\SQLDmpr*.mdmp\"\n )\n ) and\n\n not (\n process.executable : \"?:\\\\Windows\\\\system32\\\\WerFault.exe\" and\n file.path : (\n \"?:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\lsass.exe.*.dmp\",\n \"?:\\\\Windows\\\\System32\\\\%LOCALAPPDATA%\\\\CrashDumps\\\\lsass.exe.*.dmp\"\n )\n )\n", "references": ["https://github.com/outflanknl/Dumpert", "https://github.com/hoangprod/AndrewSpecial"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index 
(such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", "timeline_title": "Comprehensive File Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_108.json b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_108.json
deleted file mode 100644
index 0ab24db1293..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Creation", "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Creation\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process responsible for creating the dump file.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM 
services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.action != \"deletion\" and\n file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\") and\n\n not (\n process.executable : (\n \"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\SqlDumper.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\"\n ) and\n file.path : (\n \"?:\\\\*\\\\Reporting Services\\\\Logfiles\\\\SQLDmpr*.mdmp\",\n \"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\ErrorDumps\\\\SQLDmpr*.mdmp\",\n \"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\MSSQL\\\\LOG\\\\SQLDmpr*.mdmp\"\n )\n ) and\n\n not (\n process.executable : \"?:\\\\Windows\\\\system32\\\\WerFault.exe\" and\n file.path : (\n \"?:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\lsass.exe.*.dmp\",\n \"?:\\\\Windows\\\\System32\\\\%LOCALAPPDATA%\\\\CrashDumps\\\\lsass.exe.*.dmp\"\n )\n )\n", "references": ["https://github.com/outflanknl/Dumpert", "https://github.com/hoangprod/AndrewSpecial"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent 
index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", "timeline_title": "Comprehensive File Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_109.json b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_109.json
deleted file mode 100644
index d725d0a1252..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Creation", "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Creation\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process responsible for creating the dump file.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM 
services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.action != \"deletion\" and\n file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\") and\n\n not (\n process.executable : (\n \"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\SqlDumper.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\"\n ) and\n file.path : (\n \"?:\\\\*\\\\Reporting Services\\\\Logfiles\\\\SQLDmpr*.mdmp\",\n \"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\ErrorDumps\\\\SQLDmpr*.mdmp\",\n \"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\MSSQL\\\\LOG\\\\SQLDmpr*.mdmp\"\n )\n ) and\n\n not (\n process.executable : \"?:\\\\Windows\\\\system32\\\\WerFault.exe\" and\n file.path : (\n \"?:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\lsass.exe.*.dmp\",\n \"?:\\\\Windows\\\\System32\\\\%LOCALAPPDATA%\\\\CrashDumps\\\\lsass.exe.*.dmp\"\n )\n )\n", "references": ["https://github.com/outflanknl/Dumpert", "https://github.com/hoangprod/AndrewSpecial"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent 
index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", "timeline_title": "Comprehensive File Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_110.json b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_110.json deleted file mode 100644 index da52a87a2cc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_110.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Creation", "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Creation\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process responsible for creating the dump file.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM 
services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.action != \"deletion\" and\n file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\") and\n\n not (\n process.executable : (\n \"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\SqlDumper.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\"\n ) and\n file.path : (\n \"?:\\\\*\\\\Reporting Services\\\\Logfiles\\\\SQLDmpr*.mdmp\",\n \"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\ErrorDumps\\\\SQLDmpr*.mdmp\",\n \"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\MSSQL\\\\LOG\\\\SQLDmpr*.mdmp\"\n )\n ) and\n\n not (\n process.executable : (\n \"?:\\\\Windows\\\\system32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\"\n ) and\n file.path : (\n \"?:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\lsass.exe.*.dmp\",\n \"?:\\\\Windows\\\\System32\\\\%LOCALAPPDATA%\\\\CrashDumps\\\\lsass.exe.*.dmp\"\n )\n )\n", "references": ["https://github.com/outflanknl/Dumpert", "https://github.com/hoangprod/AndrewSpecial"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f", "setup": 
"## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", "timeline_title": "Comprehensive File Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_111.json b/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_111.json deleted file mode 100644 index 9b672c5005c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f2f46686-6f3c-4724-bd7d-24e31c70f98f_111.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of a Local Security Authority Subsystem Service (lsass.exe) default memory dump. This may indicate a credential access attempt via trusted system utilities such as Task Manager (taskmgr.exe) and SQL Dumper (sqldumper.exe) or known pentesting tools such as Dumpert and AndrewSpecial.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "LSASS Memory Dump Creation", "note": "## Triage and analysis\n\n### Investigating LSASS Memory Dump Creation\n\nLocal Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.\n\nThis rule looks for the creation of memory dump files with file names compatible with credential dumping tools or that start with `lsass`.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process responsible for creating the dump file.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM 
services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Any activity that triggered the alert and is not inherently malicious must be monitored by the security team.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.action != \"deletion\" and\n file.name : (\"lsass*.dmp\", \"dumpert.dmp\", \"Andrew.dmp\", \"SQLDmpr*.mdmp\", \"Coredump.dmp\") and\n\n not (\n process.executable : (\n \"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\SqlDumper.exe\",\n \"?:\\\\Program Files\\\\Microsoft SQL Server Reporting Services\\\\SSRS\\\\ReportServer\\\\bin\\\\SqlDumper.exe\",\n \"?:\\\\Windows\\\\System32\\\\dllhost.exe\"\n ) and\n file.path : (\n \"?:\\\\*\\\\Reporting Services\\\\Logfiles\\\\SQLDmpr*.mdmp\",\n \"?:\\\\Program Files\\\\Microsoft SQL Server Reporting Services\\\\SSRS\\\\Logfiles\\\\SQLDmpr*.mdmp\",\n \"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\Shared\\\\ErrorDumps\\\\SQLDmpr*.mdmp\",\n \"?:\\\\Program Files\\\\Microsoft SQL Server\\\\*\\\\MSSQL\\\\LOG\\\\SQLDmpr*.mdmp\"\n )\n ) and\n\n not (\n process.executable : (\n \"?:\\\\Windows\\\\system32\\\\WerFault.exe\",\n \"?:\\\\Windows\\\\System32\\\\WerFaultSecure.exe\"\n ) and\n file.path : (\n \"?:\\\\Windows\\\\System32\\\\config\\\\systemprofile\\\\AppData\\\\Local\\\\CrashDumps\\\\lsass.exe.*.dmp\",\n \"?:\\\\Windows\\\\System32\\\\%LOCALAPPDATA%\\\\CrashDumps\\\\lsass.exe.*.dmp\"\n )\n )\n", "references": ["https://github.com/outflanknl/Dumpert", "https://github.com/hoangprod/AndrewSpecial"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": 
"file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timeline_id": "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", "timeline_title": "Comprehensive File Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "f2f46686-6f3c-4724-bd7d-24e31c70f98f_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315.json b/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315.json
deleted file mode 100644
index 77b4dc9f993..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance.", "false_positives": ["A database instance may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Instances creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Instance Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "f30f3443-4fbb-4c27-ab89-c3ad49d62315", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Use Case: Asset Visibility", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "f30f3443-4fbb-4c27-ab89-c3ad49d62315", 
"type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_102.json b/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_102.json
deleted file mode 100644
index c09a8202a53..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance.", "false_positives": ["A database instance may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Instances creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Instance Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "f30f3443-4fbb-4c27-ab89-c3ad49d62315", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility", "Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "f30f3443-4fbb-4c27-ab89-c3ad49d62315_102", "type": "security-rule"} \ No newline at 
end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_103.json b/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_103.json
deleted file mode 100644
index 11e3095b3b3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance.", "false_positives": ["A database instance may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Instances creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Instance Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "f30f3443-4fbb-4c27-ab89-c3ad49d62315", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "f30f3443-4fbb-4c27-ab89-c3ad49d62315_103", "type": "security-rule"} \ No 
newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_104.json b/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_104.json deleted file mode 100644 index 17699aeae90..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance.", "false_positives": ["A database instance may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Instances creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Instance Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "f30f3443-4fbb-4c27-ab89-c3ad49d62315", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "f30f3443-4fbb-4c27-ab89-c3ad49d62315_104", "type": "security-rule"} \ No 
newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_205.json b/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_205.json deleted file mode 100644 index 48c97e527bd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f30f3443-4fbb-4c27-ab89-c3ad49d62315_205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance.", "false_positives": ["A database instance may be created by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Instances creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS RDS Instance Creation", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:CreateDBInstance and event.outcome:success\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "f30f3443-4fbb-4c27-ab89-c3ad49d62315", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "f30f3443-4fbb-4c27-ab89-c3ad49d62315_205", "type": "security-rule"} \ No 
newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc.json b/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc.json deleted file mode 100644 index d85cb722a86..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user copies a Google spreadsheet, form, document or script from an external drive. Sequence logic has been added to also detect when a user grants a custom Google application permission via OAuth shortly after. An adversary may send a phishing email to the victim with a Drive object link where \"copy\" is included in the URI, thus copying the object to the victim's drive. If a container-bound script exists within the object, execution will require permission access via OAuth in which the user has to accept.", "false_positives": ["Google Workspace users typically share Drive resources with a shareable link where parameters are edited to indicate when it is viewable or editable by the intended recipient. It is uncommon for a user in an organization to manually copy a Drive object from an external drive to their corporate drive. This may happen where users find a useful spreadsheet in a public drive, for example, and replicate it to their Drive. It is uncommon for the copied object to execute a container-bound script either unless the user was intentionally aware, suggesting the object uses container-bound scripts to accomplish a legitimate task."], "from": "now-9m", "index": ["filebeat-*", "logs-google_workspace*"], "language": "eql", "license": "Elastic License v2", "name": "Google Workspace Object Copied to External Drive with App Consent", "note": "## Triage and analysis\n\n### Investigating Google Workspace Object Copied to External Drive with App Consent\n\nGoogle Workspace users can share access to Drive objects such as documents, sheets, and forms via email delivery or a shared link. Shared link URIs have parameters like `view` or `edit` to indicate the recipient's permissions. The `copy` parameter allows the recipient to copy the object to their own Drive, which grants the object with the same privileges as the recipient. 
Specific objects in Google Drive allow container-bound scripts that run on Google's Apps Script platform. Container-bound scripts can contain malicious code that executes with the recipient's privileges if in their Drive.\n\nThis rule aims to detect when a user copies an external Drive object to their Drive storage and then grants permissions to a custom application via OAuth prompt.\n\n#### Possible investigation steps\n- Identify user account(s) associated by reviewing `user.name` or `source.user.email` in the alert.\n- Identify the name of the file copied by reviewing `file.name` as well as the `file.id` for triaging.\n- Identify the file type by reviewing `google_workspace.drive.file.type`.\n- With the information gathered so far, query across data for the file metadata to determine if this activity is isolated or widespread.\n- Within the OAuth token event, identify the application name by reviewing `google_workspace.token.app_name`.\n - Review the application ID as well from `google_workspace.token.client.id`.\n - This metadata can be used to report the malicious application to Google for permanent blacklisting.\n- Identify the permissions granted to the application by the user by reviewing `google_workspace.token.scope.data.scope_name`.\n - This information will help pivot and triage into what services may have been affected.\n- If a container-bound script was attached to the copied object, it will also exist in the user's drive.\n - This object should be removed from all users affected and investigated for a better understanding of the malicious code.\n\n### False positive analysis\n- Communicate with the affected user to identify if these actions were intentional\n- If a container-bound script exists, review code to identify if it is benign or malicious\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible 
impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n - Resetting passwords will revoke OAuth tokens which could have been stolen.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security defaults [provided by Google](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n## Setup\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours 
(2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "sequence by source.user.email with maxspan=3m\n[file where event.dataset == \"google_workspace.drive\" and event.action == \"copy\" and\n\n /* Should only match if the object lives in a Drive that is external to the user's GWS organization */\n google_workspace.drive.owner_is_team_drive == \"false\" and google_workspace.drive.copy_type == \"external\" and\n\n /* Google Script, Forms, Sheets and Document can have container-bound scripts */\n google_workspace.drive.file.type: (\"script\", \"form\", \"spreadsheet\", \"document\")]\n\n[any where event.dataset == \"google_workspace.token\" and event.action == \"authorize\" and\n\n /* Ensures application ID references custom app in Google Workspace and not GCP */\n google_workspace.token.client.id : \"*apps.googleusercontent.com\"]\n", "references": ["https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", "https://developers.google.com/apps-script/guides/bound", "https://support.google.com/a/users/answer/13004165#share_make_a_copy_links"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.drive.copy_type", "type": "unknown"}, {"ecs": false, "name": "google_workspace.drive.file.type", "type": "keyword"}, {"ecs": false, "name": "google_workspace.drive.owner_is_team_drive", "type": "unknown"}, {"ecs": false, "name": "google_workspace.token.client.id", "type": "keyword"}, {"ecs": true, "name": "source.user.email", "type": "keyword"}], "risk_score": 47, "rule_id": "f33e68a4-bd19-11ed-b02f-f661ea17fbcc", 
"setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Initial Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "type": "eql", "version": 5}, "id": "f33e68a4-bd19-11ed-b02f-f661ea17fbcc", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_1.json deleted file mode 100644 index 3996a6bc83b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user copies a Google spreadsheet, form, document or script from an external drive. An adversary may send a phishing email to the victim with a Drive object link where \"copy\" is included in the URI, thus copying the object to the victim's drive.", "false_positives": ["Google Workspace users typically share Drive resources with a shareable link where parameters are edited to indicate when it is viewable or editable by the intended recipient. It is uncommon for a user in an organization to manually copy a Drive object from an external drive to their corporate drive. This may happen where users find a useful spreadsheet in a public drive, for example, and replicate it to their Drive."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "eql", "license": "Elastic License v2", "name": "Google Workspace Resource Copied from External Drive", "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). 
Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "file where event.dataset == \"google_workspace.drive\" and event.action == \"copy\" and\n\n /* Should only match if the object lives in a Drive that is external to the user's GWS organization */\n google_workspace.drive.owner_is_team_drive == \"false\" and google_workspace.drive.copy_type == \"external\" and\n\n /* Google Script, Forms, Sheets and Document can have container-bound scripts */\n google_workspace.drive.file.type: (\"script\", \"form\", \"spreadsheet\", \"document\")\n", "references": ["https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", "https://developers.google.com/apps-script/guides/bound", "https://support.google.com/a/users/answer/13004165#share_make_a_copy_links"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.drive.copy_type", "type": "unknown"}, {"ecs": false, "name": "google_workspace.drive.file.type", "type": "unknown"}, {"ecs": false, "name": "google_workspace.drive.owner_is_team_drive", "type": "unknown"}], "risk_score": 47, "rule_id": "f33e68a4-bd19-11ed-b02f-f661ea17fbcc", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", 
"name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "f33e68a4-bd19-11ed-b02f-f661ea17fbcc_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_2.json b/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_2.json deleted file mode 100644 index 4921a22d495..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user copies a Google spreadsheet, form, document or script from an external drive. Sequence logic has been added to also detect when a user grants a custom Google application permission via OAuth shortly after. An adversary may send a phishing email to the victim with a Drive object link where \"copy\" is included in the URI, thus copying the object to the victim's drive. If a container-bound script exists within the object, execution will require permission access via OAuth in which the user has to accept.", "false_positives": ["Google Workspace users typically share Drive resources with a shareable link where parameters are edited to indicate when it is viewable or editable by the intended recipient. It is uncommon for a user in an organization to manually copy a Drive object from an external drive to their corporate drive. This may happen where users find a useful spreadsheet in a public drive, for example, and replicate it to their Drive. It is uncommon for the copied object to execute a container-bound script either unless the user was intentionally aware, suggesting the object uses container-bound scripts to accomplish a legitimate task."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "eql", "license": "Elastic License v2", "name": "Google Workspace Object Copied from External Drive and Access Granted to Custom Application", "note": "## Triage and analysis\n\n### Investigating Google Workspace Resource Copied from External Drive and Access Granted to Custom Application\n\nGoogle Workspace users can share access to Drive objects such as documents, sheets, and forms via email delivery or a shared link. Shared link URIs have parameters like `view` or `edit` to indicate the recipient's permissions. 
The `copy` parameter allows the recipient to copy the object to their own Drive, which grants the object with the same privileges as the recipient. Specific objects in Google Drive allow container-bound scripts that run on Google's Apps Script platform. Container-bound scripts can contain malicious code that executes with the recipient's privileges if in their Drive.\n\nThis rule aims to detect when a user copies an external Drive object to their Drive storage and then grants permissions to a custom application via OAuth prompt.\n\n#### Possible investigation steps\n- Identify user account(s) associated by reviewing `user.name` or `source.user.email` in the alert.\n- Identify the name of the file copied by reviewing `file.name` as well as the `file.id` for triaging.\n- Identify the file type by reviewing `google_workspace.drive.file.type`.\n- With the information gathered so far, query across data for the file metadata to determine if this activity is isolated or widespread.\n- Within the OAuth token event, identify the application name by reviewing `google_workspace.token.app_name`.\n - Review the application ID as well from `google_workspace.token.client.id`.\n - This metadata can be used to report the malicious application to Google for permanent blacklisting.\n- Identify the permissions granted to the application by the user by reviewing `google_workspace.token.scope.data.scope_name`.\n - This information will help pivot and triage into what services may have been affected.\n- If a container-bound script was attached to the copied object, it will also exist in the user's drive.\n - This object should be removed from all users affected and investigated for a better understanding of the malicious code.\n\n### False positive analysis\n- Communicate with the affected user to identify if these actions were intentional\n- If a container-bound script exists, review code to identify if it is benign or malicious\n\n### Response and remediation\n- Initiate the incident 
response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n - Resetting passwords will revoke OAuth tokens which could have been stolen.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security defaults [provided by Google](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n## Setup\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 
minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "sequence by source.user.email with maxspan=3m\n[file where event.dataset == \"google_workspace.drive\" and event.action == \"copy\" and\n\n /* Should only match if the object lives in a Drive that is external to the user's GWS organization */\n google_workspace.drive.owner_is_team_drive == \"false\" and google_workspace.drive.copy_type == \"external\" and\n\n /* Google Script, Forms, Sheets and Document can have container-bound scripts */\n google_workspace.drive.file.type: (\"script\", \"form\", \"spreadsheet\", \"document\")]\n\n[any where event.dataset == \"google_workspace.token\" and event.action == \"authorize\" and\n\n /* Ensures application ID references custom app in Google Workspace and not GCP */\n google_workspace.token.client.id : \"*apps.googleusercontent.com\"]\n", "references": ["https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", "https://developers.google.com/apps-script/guides/bound", "https://support.google.com/a/users/answer/13004165#share_make_a_copy_links"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}, {"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.drive.copy_type", "type": "unknown"}, {"ecs": false, "name": "google_workspace.drive.file.type", "type": "unknown"}, {"ecs": false, 
"name": "google_workspace.drive.owner_is_team_drive", "type": "unknown"}, {"ecs": false, "name": "google_workspace.token.client.id", "type": "unknown"}, {"ecs": true, "name": "source.user.email", "type": "keyword"}], "risk_score": 47, "rule_id": "f33e68a4-bd19-11ed-b02f-f661ea17fbcc", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "type": "eql", "version": 2}, "id": "f33e68a4-bd19-11ed-b02f-f661ea17fbcc_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_3.json b/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_3.json deleted file mode 100644 index 253752c1f3f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user copies a Google spreadsheet, form, document or script from an external drive. Sequence logic has been added to also detect when a user grants a custom Google application permission via OAuth shortly after. An adversary may send a phishing email to the victim with a Drive object link where \"copy\" is included in the URI, thus copying the object to the victim's drive. If a container-bound script exists within the object, execution will require permission access via OAuth in which the user has to accept.", "false_positives": ["Google Workspace users typically share Drive resources with a shareable link where parameters are edited to indicate when it is viewable or editable by the intended recipient. It is uncommon for a user in an organization to manually copy a Drive object from an external drive to their corporate drive. This may happen where users find a useful spreadsheet in a public drive, for example, and replicate it to their Drive. It is uncommon for the copied object to execute a container-bound script either unless the user was intentionally aware, suggesting the object uses container-bound scripts to accomplish a legitimate task."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "eql", "license": "Elastic License v2", "name": "Google Workspace Object Copied from External Drive and Access Granted to Custom Application", "note": "## Triage and analysis\n\n### Investigating Google Workspace Resource Copied from External Drive and Access Granted to Custom Application\n\nGoogle Workspace users can share access to Drive objects such as documents, sheets, and forms via email delivery or a shared link. Shared link URIs have parameters like `view` or `edit` to indicate the recipient's permissions. 
The `copy` parameter allows the recipient to copy the object to their own Drive, which grants the object with the same privileges as the recipient. Specific objects in Google Drive allow container-bound scripts that run on Google's Apps Script platform. Container-bound scripts can contain malicious code that executes with the recipient's privileges if in their Drive.\n\nThis rule aims to detect when a user copies an external Drive object to their Drive storage and then grants permissions to a custom application via OAuth prompt.\n\n#### Possible investigation steps\n- Identify user account(s) associated by reviewing `user.name` or `source.user.email` in the alert.\n- Identify the name of the file copied by reviewing `file.name` as well as the `file.id` for triaging.\n- Identify the file type by reviewing `google_workspace.drive.file.type`.\n- With the information gathered so far, query across data for the file metadata to determine if this activity is isolated or widespread.\n- Within the OAuth token event, identify the application name by reviewing `google_workspace.token.app_name`.\n - Review the application ID as well from `google_workspace.token.client.id`.\n - This metadata can be used to report the malicious application to Google for permanent blacklisting.\n- Identify the permissions granted to the application by the user by reviewing `google_workspace.token.scope.data.scope_name`.\n - This information will help pivot and triage into what services may have been affected.\n- If a container-bound script was attached to the copied object, it will also exist in the user's drive.\n - This object should be removed from all users affected and investigated for a better understanding of the malicious code.\n\n### False positive analysis\n- Communicate with the affected user to identify if these actions were intentional\n- If a container-bound script exists, review code to identify if it is benign or malicious\n\n### Response and remediation\n- Initiate the incident 
response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n - Resetting passwords will revoke OAuth tokens which could have been stolen.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security defaults [provided by Google](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n## Setup\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 
minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "sequence by source.user.email with maxspan=3m\n[file where event.dataset == \"google_workspace.drive\" and event.action == \"copy\" and\n\n /* Should only match if the object lives in a Drive that is external to the user's GWS organization */\n google_workspace.drive.owner_is_team_drive == \"false\" and google_workspace.drive.copy_type == \"external\" and\n\n /* Google Script, Forms, Sheets and Document can have container-bound scripts */\n google_workspace.drive.file.type: (\"script\", \"form\", \"spreadsheet\", \"document\")]\n\n[any where event.dataset == \"google_workspace.token\" and event.action == \"authorize\" and\n\n /* Ensures application ID references custom app in Google Workspace and not GCP */\n google_workspace.token.client.id : \"*apps.googleusercontent.com\"]\n", "references": ["https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", "https://developers.google.com/apps-script/guides/bound", "https://support.google.com/a/users/answer/13004165#share_make_a_copy_links"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.drive.copy_type", "type": "unknown"}, {"ecs": false, "name": "google_workspace.drive.file.type", "type": "unknown"}, {"ecs": false, "name": "google_workspace.drive.owner_is_team_drive", 
"type": "unknown"}, {"ecs": false, "name": "google_workspace.token.client.id", "type": "unknown"}, {"ecs": true, "name": "source.user.email", "type": "keyword"}], "risk_score": 47, "rule_id": "f33e68a4-bd19-11ed-b02f-f661ea17fbcc", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Initial Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "type": "eql", "version": 3}, "id": "f33e68a4-bd19-11ed-b02f-f661ea17fbcc_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_4.json b/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_4.json deleted file mode 100644 index d34c92ce65b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user copies a Google spreadsheet, form, document or script from an external drive. Sequence logic has been added to also detect when a user grants a custom Google application permission via OAuth shortly after. An adversary may send a phishing email to the victim with a Drive object link where \"copy\" is included in the URI, thus copying the object to the victim's drive. If a container-bound script exists within the object, execution will require permission access via OAuth in which the user has to accept.", "false_positives": ["Google Workspace users typically share Drive resources with a shareable link where parameters are edited to indicate when it is viewable or editable by the intended recipient. It is uncommon for a user in an organization to manually copy a Drive object from an external drive to their corporate drive. This may happen where users find a useful spreadsheet in a public drive, for example, and replicate it to their Drive. It is uncommon for the copied object to execute a container-bound script either unless the user was intentionally aware, suggesting the object uses container-bound scripts to accomplish a legitimate task."], "from": "now-130m", "index": ["filebeat-*", "logs-google_workspace*"], "interval": "10m", "language": "eql", "license": "Elastic License v2", "name": "Google Workspace Object Copied from External Drive and Access Granted to Custom Application", "note": "## Triage and analysis\n\n### Investigating Google Workspace Resource Copied from External Drive and Access Granted to Custom Application\n\nGoogle Workspace users can share access to Drive objects such as documents, sheets, and forms via email delivery or a shared link. Shared link URIs have parameters like `view` or `edit` to indicate the recipient's permissions. 
The `copy` parameter allows the recipient to copy the object to their own Drive, which grants the object with the same privileges as the recipient. Specific objects in Google Drive allow container-bound scripts that run on Google's Apps Script platform. Container-bound scripts can contain malicious code that executes with the recipient's privileges if in their Drive.\n\nThis rule aims to detect when a user copies an external Drive object to their Drive storage and then grants permissions to a custom application via OAuth prompt.\n\n#### Possible investigation steps\n- Identify user account(s) associated by reviewing `user.name` or `source.user.email` in the alert.\n- Identify the name of the file copied by reviewing `file.name` as well as the `file.id` for triaging.\n- Identify the file type by reviewing `google_workspace.drive.file.type`.\n- With the information gathered so far, query across data for the file metadata to determine if this activity is isolated or widespread.\n- Within the OAuth token event, identify the application name by reviewing `google_workspace.token.app_name`.\n - Review the application ID as well from `google_workspace.token.client.id`.\n - This metadata can be used to report the malicious application to Google for permanent blacklisting.\n- Identify the permissions granted to the application by the user by reviewing `google_workspace.token.scope.data.scope_name`.\n - This information will help pivot and triage into what services may have been affected.\n- If a container-bound script was attached to the copied object, it will also exist in the user's drive.\n - This object should be removed from all users affected and investigated for a better understanding of the malicious code.\n\n### False positive analysis\n- Communicate with the affected user to identify if these actions were intentional\n- If a container-bound script exists, review code to identify if it is benign or malicious\n\n### Response and remediation\n- Initiate the incident 
response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n - Resetting passwords will revoke OAuth tokens which could have been stolen.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security defaults [provided by Google](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n## Setup\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 
minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "sequence by source.user.email with maxspan=3m\n[file where event.dataset == \"google_workspace.drive\" and event.action == \"copy\" and\n\n /* Should only match if the object lives in a Drive that is external to the user's GWS organization */\n google_workspace.drive.owner_is_team_drive == \"false\" and google_workspace.drive.copy_type == \"external\" and\n\n /* Google Script, Forms, Sheets and Document can have container-bound scripts */\n google_workspace.drive.file.type: (\"script\", \"form\", \"spreadsheet\", \"document\")]\n\n[any where event.dataset == \"google_workspace.token\" and event.action == \"authorize\" and\n\n /* Ensures application ID references custom app in Google Workspace and not GCP */\n google_workspace.token.client.id : \"*apps.googleusercontent.com\"]\n", "references": ["https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", "https://developers.google.com/apps-script/guides/bound", "https://support.google.com/a/users/answer/13004165#share_make_a_copy_links"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.drive.copy_type", "type": "unknown"}, {"ecs": false, "name": "google_workspace.drive.file.type", "type": "keyword"}, {"ecs": false, "name": "google_workspace.drive.owner_is_team_drive", 
"type": "unknown"}, {"ecs": false, "name": "google_workspace.token.client.id", "type": "keyword"}, {"ecs": true, "name": "source.user.email", "type": "keyword"}], "risk_score": 47, "rule_id": "f33e68a4-bd19-11ed-b02f-f661ea17fbcc", "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Initial Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "type": "eql", "version": 4}, "id": "f33e68a4-bd19-11ed-b02f-f661ea17fbcc_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_5.json b/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_5.json deleted file mode 100644 index 44d5bfdfa5c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user copies a Google spreadsheet, form, document or script from an external drive. Sequence logic has been added to also detect when a user grants a custom Google application permission via OAuth shortly after. An adversary may send a phishing email to the victim with a Drive object link where \"copy\" is included in the URI, thus copying the object to the victim's drive. If a container-bound script exists within the object, execution will require permission access via OAuth in which the user has to accept.", "false_positives": ["Google Workspace users typically share Drive resources with a shareable link where parameters are edited to indicate when it is viewable or editable by the intended recipient. It is uncommon for a user in an organization to manually copy a Drive object from an external drive to their corporate drive. This may happen where users find a useful spreadsheet in a public drive, for example, and replicate it to their Drive. It is uncommon for the copied object to execute a container-bound script either unless the user was intentionally aware, suggesting the object uses container-bound scripts to accomplish a legitimate task."], "from": "now-9m", "index": ["filebeat-*", "logs-google_workspace*"], "language": "eql", "license": "Elastic License v2", "name": "Google Workspace Object Copied to External Drive with App Consent", "note": "## Triage and analysis\n\n### Investigating Google Workspace Object Copied to External Drive with App Consent\n\nGoogle Workspace users can share access to Drive objects such as documents, sheets, and forms via email delivery or a shared link. Shared link URIs have parameters like `view` or `edit` to indicate the recipient's permissions. The `copy` parameter allows the recipient to copy the object to their own Drive, which grants the object with the same privileges as the recipient. 
Specific objects in Google Drive allow container-bound scripts that run on Google's Apps Script platform. Container-bound scripts can contain malicious code that executes with the recipient's privileges if in their Drive.\n\nThis rule aims to detect when a user copies an external Drive object to their Drive storage and then grants permissions to a custom application via OAuth prompt.\n\n#### Possible investigation steps\n- Identify user account(s) associated by reviewing `user.name` or `source.user.email` in the alert.\n- Identify the name of the file copied by reviewing `file.name` as well as the `file.id` for triaging.\n- Identify the file type by reviewing `google_workspace.drive.file.type`.\n- With the information gathered so far, query across data for the file metadata to determine if this activity is isolated or widespread.\n- Within the OAuth token event, identify the application name by reviewing `google_workspace.token.app_name`.\n - Review the application ID as well from `google_workspace.token.client.id`.\n - This metadata can be used to report the malicious application to Google for permanent blacklisting.\n- Identify the permissions granted to the application by the user by reviewing `google_workspace.token.scope.data.scope_name`.\n - This information will help pivot and triage into what services may have been affected.\n- If a container-bound script was attached to the copied object, it will also exist in the user's drive.\n - This object should be removed from all users affected and investigated for a better understanding of the malicious code.\n\n### False positive analysis\n- Communicate with the affected user to identify if these actions were intentional\n- If a container-bound script exists, review code to identify if it is benign or malicious\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible 
impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n - Resetting passwords will revoke OAuth tokens which could have been stolen.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security defaults [provided by Google](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n## Setup\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours 
(2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "sequence by source.user.email with maxspan=3m\n[file where event.dataset == \"google_workspace.drive\" and event.action == \"copy\" and\n\n /* Should only match if the object lives in a Drive that is external to the user's GWS organization */\n google_workspace.drive.owner_is_team_drive == \"false\" and google_workspace.drive.copy_type == \"external\" and\n\n /* Google Script, Forms, Sheets and Document can have container-bound scripts */\n google_workspace.drive.file.type: (\"script\", \"form\", \"spreadsheet\", \"document\")]\n\n[any where event.dataset == \"google_workspace.token\" and event.action == \"authorize\" and\n\n /* Ensures application ID references custom app in Google Workspace and not GCP */\n google_workspace.token.client.id : \"*apps.googleusercontent.com\"]\n", "references": ["https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", "https://developers.google.com/apps-script/guides/bound", "https://support.google.com/a/users/answer/13004165#share_make_a_copy_links"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.drive.copy_type", "type": "unknown"}, {"ecs": false, "name": "google_workspace.drive.file.type", "type": "keyword"}, {"ecs": false, "name": "google_workspace.drive.owner_is_team_drive", "type": "unknown"}, {"ecs": false, "name": "google_workspace.token.client.id", "type": "keyword"}, {"ecs": true, "name": "source.user.email", "type": "keyword"}], "risk_score": 47, "rule_id": "f33e68a4-bd19-11ed-b02f-f661ea17fbcc", 
"setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Initial Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "type": "eql", "version": 5}, "id": "f33e68a4-bd19-11ed-b02f-f661ea17fbcc_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_6.json b/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_6.json deleted file mode 100644 index b5e06e815a8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f33e68a4-bd19-11ed-b02f-f661ea17fbcc_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user copies a Google spreadsheet, form, document or script from an external drive. Sequence logic has been added to also detect when a user grants a custom Google application permission via OAuth shortly after. An adversary may send a phishing email to the victim with a Drive object link where \"copy\" is included in the URI, thus copying the object to the victim's drive. If a container-bound script exists within the object, execution will require permission access via OAuth in which the user has to accept.", "false_positives": ["Google Workspace users typically share Drive resources with a shareable link where parameters are edited to indicate when it is viewable or editable by the intended recipient. It is uncommon for a user in an organization to manually copy a Drive object from an external drive to their corporate drive. This may happen where users find a useful spreadsheet in a public drive, for example, and replicate it to their Drive. It is uncommon for the copied object to execute a container-bound script either unless the user was intentionally aware, suggesting the object uses container-bound scripts to accomplish a legitimate task."], "from": "now-9m", "index": ["filebeat-*", "logs-google_workspace*"], "language": "eql", "license": "Elastic License v2", "name": "Google Workspace Object Copied to External Drive with App Consent", "note": "## Triage and analysis\n\n### Investigating Google Workspace Object Copied to External Drive with App Consent\n\nGoogle Workspace users can share access to Drive objects such as documents, sheets, and forms via email delivery or a shared link. Shared link URIs have parameters like `view` or `edit` to indicate the recipient's permissions. The `copy` parameter allows the recipient to copy the object to their own Drive, which grants the object with the same privileges as the recipient. 
Specific objects in Google Drive allow container-bound scripts that run on Google's Apps Script platform. Container-bound scripts can contain malicious code that executes with the recipient's privileges if in their Drive.\n\nThis rule aims to detect when a user copies an external Drive object to their Drive storage and then grants permissions to a custom application via OAuth prompt.\n\n#### Possible investigation steps\n- Identify user account(s) associated by reviewing `user.name` or `source.user.email` in the alert.\n- Identify the name of the file copied by reviewing `file.name` as well as the `file.id` for triaging.\n- Identify the file type by reviewing `google_workspace.drive.file.type`.\n- With the information gathered so far, query across data for the file metadata to determine if this activity is isolated or widespread.\n- Within the OAuth token event, identify the application name by reviewing `google_workspace.token.app_name`.\n - Review the application ID as well from `google_workspace.token.client.id`.\n - This metadata can be used to report the malicious application to Google for permanent blacklisting.\n- Identify the permissions granted to the application by the user by reviewing `google_workspace.token.scope.data.scope_name`.\n - This information will help pivot and triage into what services may have been affected.\n- If a container-bound script was attached to the copied object, it will also exist in the user's drive.\n - This object should be removed from all users affected and investigated for a better understanding of the malicious code.\n\n### False positive analysis\n- Communicate with the affected user to identify if these actions were intentional\n- If a container-bound script exists, review code to identify if it is benign or malicious\n\n### Response and remediation\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible 
impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n - Resetting passwords will revoke OAuth tokens which could have been stolen.\n- Reactivate multi-factor authentication for the user.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security defaults [provided by Google](https://cloud.google.com/security-command-center/docs/how-to-investigate-threats).\n- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n## Setup\n\n### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours 
(2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n - https://support.google.com/a/answer/7061566\n - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html", "query": "sequence by source.user.email with maxspan=3m\n[file where event.dataset == \"google_workspace.drive\" and event.action == \"copy\" and\n\n /* Should only match if the object lives in a Drive that is external to the user's GWS organization */\n google_workspace.drive.owner_is_team_drive == \"false\" and google_workspace.drive.copy_type == \"external\" and\n\n /* Google Script, Forms, Sheets and Document can have container-bound scripts */\n google_workspace.drive.file.type: (\"script\", \"form\", \"spreadsheet\", \"document\")]\n\n[any where event.dataset == \"google_workspace.token\" and event.action == \"authorize\" and\n\n /* Ensures application ID references custom app in Google Workspace and not GCP */\n google_workspace.token.client.id : \"*apps.googleusercontent.com\"]\n", "references": ["https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one", "https://developers.google.com/apps-script/guides/bound", "https://support.google.com/a/users/answer/13004165#share_make_a_copy_links"], "related_integrations": [{"package": "google_workspace", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "google_workspace.drive.copy_type", "type": "unknown"}, {"ecs": false, "name": "google_workspace.drive.file.type", "type": "keyword"}, {"ecs": false, "name": "google_workspace.drive.owner_is_team_drive", "type": "boolean"}, {"ecs": false, "name": "google_workspace.token.client.id", "type": "keyword"}, {"ecs": true, "name": "source.user.email", "type": "keyword"}], "risk_score": 47, "rule_id": "f33e68a4-bd19-11ed-b02f-f661ea17fbcc", 
"setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Initial Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.002", "name": "Spearphishing Link", "reference": "https://attack.mitre.org/techniques/T1566/002/"}]}]}], "type": "eql", "version": 6}, "id": "f33e68a4-bd19-11ed-b02f-f661ea17fbcc_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4.json b/packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4.json
deleted file mode 100644
index d0c943e7e23..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model has identified a DNS question name that is predicted to be the result of a Domain Generation Algorithm (DGA), which could indicate command and control network activity.", "from": "now-10m", "index": ["logs-endpoint.events.*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain", "query": "ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmcloud.com\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/dga", "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration"], "related_integrations": [{"package": "dga", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "dns.question.registered_domain", "type": "keyword"}, {"ecs": false, "name": "ml_is_dga.malicious_prediction", "type": "unknown"}], "risk_score": 21, "rule_id": "f3403393-1fd9-4686-8f6e-596c58bc00b4", "setup": "## Setup\n\nThe rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. 
\n\n### DGA Detection Setup\nThe DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events.\n\n#### Prerequisite Requirements:\n- Fleet is required for DGA Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- DNS events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint), [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration, or [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n- To set up and run Packetbeat, follow [this](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html) guide.\n\n#### The following steps should be executed to install assets associated with the DGA Detection integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\n", "severity": "low", "tags": ["Domain: Network", "Domain: Endpoint", "Data Source: Elastic Defend", "Use Case: Domain Generation Algorithm Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "f3403393-1fd9-4686-8f6e-596c58bc00b4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4_1.json b/packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4_1.json
deleted file mode 100644
index 2f12661bb07..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model has identified a DNS question name that is predicted to be the result of a Domain Generation Algorithm (DGA), which could indicate command and control network activity.", "from": "now-10m", "index": ["logs-endpoint.events.*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain", "note": "", "query": "ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmcloud.com\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/dga"], "related_integrations": [{"package": "dga", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "dns.question.registered_domain", "type": "keyword"}, {"ecs": false, "name": "ml_is_dga.malicious_prediction", "type": "unknown"}], "risk_score": 21, "rule_id": "f3403393-1fd9-4686-8f6e-596c58bc00b4", "setup": "The Domain Generation Algorithm (DGA) integration must be enabled and related ML jobs configured for this rule to be effective. 
Please refer to this rule's references for more information.", "severity": "low", "tags": ["Domain: Network", "Domain: Endpoint", "Data Source: Elastic Defend", "Use Case: Domain Generation Algorithm Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "f3403393-1fd9-4686-8f6e-596c58bc00b4_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4_2.json b/packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4_2.json
deleted file mode 100644
index 5424a71f2c6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model has identified a DNS question name that is predicted to be the result of a Domain Generation Algorithm (DGA), which could indicate command and control network activity.", "from": "now-10m", "index": ["logs-endpoint.events.*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain", "query": "ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmcloud.com\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/dga", "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration"], "related_integrations": [{"package": "dga", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "dns.question.registered_domain", "type": "keyword"}, {"ecs": false, "name": "ml_is_dga.malicious_prediction", "type": "unknown"}], "risk_score": 21, "rule_id": "f3403393-1fd9-4686-8f6e-596c58bc00b4", "setup": "The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. 
\n\n### DGA Detection Setup\nThe DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events.\n\n#### Prerequisite Requirements:\n- Fleet is required for DGA Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- DNS events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint), [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration, or [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n- To set up and run Packetbeat, follow [this](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html) guide.\n\n#### The following steps should be executed to install assets associated with the DGA Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.\n- Under Settings, click Install Domain Generation Algorithm Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich DNS events with predictions from the Supervised DGA Detection model. 
This is done via the ingest pipeline named `-ml_dga_ingest_pipeline` installed with the DGA Detection package.\n- If using an Elastic Beat such as Packetbeat, add the DGA ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `packetbeat.yml`.\n- If adding the DGA ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the DGA ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"ml_is_dga\": {\n \"properties\": {\n \"malicious_prediction\": {\n \"type\": \"long\"\n },\n \"malicious_probability\": {\n \"type\": \"float\"\n }\n }\n }\n }\n}\n```\n", "severity": "low", "tags": ["Domain: Network", "Domain: Endpoint", "Data Source: Elastic Defend", "Use Case: Domain Generation Algorithm Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "f3403393-1fd9-4686-8f6e-596c58bc00b4_2", "type": "security-rule"} \ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4_3.json b/packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4_3.json
deleted file mode 100644
index 339bd2952fc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model has identified a DNS question name that is predicted to be the result of a Domain Generation Algorithm (DGA), which could indicate command and control network activity.", "from": "now-10m", "index": ["logs-endpoint.events.*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain", "query": "ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmcloud.com\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/dga", "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration"], "related_integrations": [{"package": "dga", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "dns.question.registered_domain", "type": "keyword"}, {"ecs": false, "name": "ml_is_dga.malicious_prediction", "type": "unknown"}], "risk_score": 21, "rule_id": "f3403393-1fd9-4686-8f6e-596c58bc00b4", "setup": "## Setup\n\nThe rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. 
\n\n### DGA Detection Setup\nThe DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events.\n\n#### Prerequisite Requirements:\n- Fleet is required for DGA Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- DNS events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint), [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration, or [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n- To set up and run Packetbeat, follow [this](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html) guide.\n\n#### The following steps should be executed to install assets associated with the DGA Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.\n- Under Settings, click Install Domain Generation Algorithm Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich DNS events with predictions from the Supervised DGA Detection model. 
This is done via the ingest pipeline named `-ml_dga_ingest_pipeline` installed with the DGA Detection package.\n- If using an Elastic Beat such as Packetbeat, add the DGA ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `packetbeat.yml`.\n- If adding the DGA ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the DGA ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"ml_is_dga\": {\n \"properties\": {\n \"malicious_prediction\": {\n \"type\": \"long\"\n },\n \"malicious_probability\": {\n \"type\": \"float\"\n }\n }\n }\n }\n}\n```\n", "severity": "low", "tags": ["Domain: Network", "Domain: Endpoint", "Data Source: Elastic Defend", "Use Case: Domain Generation Algorithm Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "f3403393-1fd9-4686-8f6e-596c58bc00b4_3", "type": "security-rule"} \ No 
newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4_4.json b/packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4_4.json
deleted file mode 100644
index b9ae7988c49..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f3403393-1fd9-4686-8f6e-596c58bc00b4_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "A supervised machine learning model has identified a DNS question name that is predicted to be the result of a Domain Generation Algorithm (DGA), which could indicate command and control network activity.", "from": "now-10m", "index": ["logs-endpoint.events.*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "Machine Learning Detected a DNS Request Predicted to be a DGA Domain", "query": "ml_is_dga.malicious_prediction:1 and not dns.question.registered_domain:avsvmcloud.com\n", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/dga", "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration"], "related_integrations": [{"package": "dga", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "dns.question.registered_domain", "type": "keyword"}, {"ecs": false, "name": "ml_is_dga.malicious_prediction", "type": "unknown"}], "risk_score": 21, "rule_id": "f3403393-1fd9-4686-8f6e-596c58bc00b4", "setup": "## Setup\n\nThe rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. 
\n\n### DGA Detection Setup\nThe DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events.\n\n#### Prerequisite Requirements:\n- Fleet is required for DGA Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- DNS events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint), [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration, or [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n- To set up and run Packetbeat, follow [this](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html) guide.\n\n#### The following steps should be executed to install assets associated with the DGA Detection integration:\n- Go to the Kibana homepage. 
Under Management, click Integrations.\n- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Configure the ingest pipeline**.\n```\n", "severity": "low", "tags": ["Domain: Network", "Domain: Endpoint", "Data Source: Elastic Defend", "Use Case: Domain Generation Algorithm Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/", "subtechnique": [{"id": "T1568.002", "name": "Domain Generation Algorithms", "reference": "https://attack.mitre.org/techniques/T1568/002/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "f3403393-1fd9-4686-8f6e-596c58bc00b4_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88.json b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88.json
deleted file mode 100644
index 501fe5f50dc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "WMI Incoming Lateral Movement", "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port >= 49152 and destination.port >= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"WmiPrvSE.exe\" and\n not (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\HPWBEM\\\\Tools\\\\hpsum_swdiscovery.exe\",\n \"?:\\\\Windows\\\\CCM\\\\Ccm32BitLauncher.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\mofcomp.exe\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\csc.exe\",\n \"?:\\\\Windows\\\\System32\\\\powercfg.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and process.args : \"REBOOT=ReallySuppress\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\appcmd.exe\" and process.args : \"uninstall\")\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", 
"type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 47, "rule_id": "f3475224-b179-4f78-8877-c2bd64c26b88", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "type": "eql", "version": 110}, "id": "f3475224-b179-4f78-8877-c2bd64c26b88", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_103.json b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_103.json
deleted file mode 100644
index f2a36ef1cd9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "WMI Incoming Lateral Movement", "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port >= 49152 and destination.port >= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"WmiPrvSE.exe\" and\n not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\",\n \"C:\\\\windows\\\\TEMP\\\\nessus_*.TMP\",\n \"C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\",\n \"C:\\\\Windows\\\\CCMCache\\\\*\",\n \"C:\\\\CCM\\\\Cache\\\\*\")\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": 
"f3475224-b179-4f78-8877-c2bd64c26b88", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "type": "eql", "version": 103}, "id": "f3475224-b179-4f78-8877-c2bd64c26b88_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_104.json b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_104.json
deleted file mode 100644
index fb5bfcaedc1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "WMI Incoming Lateral Movement", "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port >= 49152 and destination.port >= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"WmiPrvSE.exe\" and\n not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\",\n \"*C:\\\\windows\\\\TEMP\\\\nessus_*.TMP*\",\n \"C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\",\n \"C:\\\\Windows\\\\CCMCache\\\\*\",\n \"C:\\\\CCM\\\\Cache\\\\*\")\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": 
"f3475224-b179-4f78-8877-c2bd64c26b88", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "type": "eql", "version": 104}, "id": "f3475224-b179-4f78-8877-c2bd64c26b88_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_105.json b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_105.json deleted file mode 100644 index dad947212c9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "WMI Incoming Lateral Movement", "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port >= 49152 and destination.port >= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"WmiPrvSE.exe\" and\n not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\",\n \"*C:\\\\windows\\\\TEMP\\\\nessus_*.TMP*\",\n \"C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\",\n \"C:\\\\Windows\\\\CCMCache\\\\*\",\n \"C:\\\\CCM\\\\Cache\\\\*\")\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], "risk_score": 47, "rule_id": 
"f3475224-b179-4f78-8877-c2bd64c26b88", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "type": "eql", "version": 105}, "id": "f3475224-b179-4f78-8877-c2bd64c26b88_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_106.json b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_106.json deleted file mode 100644 index 9fea600719f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "WMI Incoming Lateral Movement", "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port >= 49152 and destination.port >= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"WmiPrvSE.exe\" and\n not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\",\n \"*C:\\\\windows\\\\TEMP\\\\nessus_*.TMP*\",\n \"*C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\",\n \"C:\\\\Windows\\\\CCM\\\\ccmrepair.exe\",\n \"C:\\\\Windows\\\\CCMCache\\\\*\",\n \"C:\\\\CCM\\\\Cache\\\\*\")\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], 
"risk_score": 47, "rule_id": "f3475224-b179-4f78-8877-c2bd64c26b88", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "type": "eql", "version": 106}, "id": "f3475224-b179-4f78-8877-c2bd64c26b88_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_107.json b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_107.json deleted file mode 100644 index ad2ac92061f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "WMI Incoming Lateral Movement", "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port >= 49152 and destination.port >= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"WmiPrvSE.exe\" and\n not process.args : (\"C:\\\\windows\\\\temp\\\\nessus_*.txt\",\n \"*C:\\\\windows\\\\TEMP\\\\nessus_*.TMP*\",\n \"*C:\\\\Windows\\\\CCM\\\\SystemTemp\\\\*\",\n \"C:\\\\Windows\\\\CCM\\\\ccmrepair.exe\",\n \"C:\\\\Windows\\\\CCMCache\\\\*\",\n \"C:\\\\CCM\\\\Cache\\\\*\")\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}], 
"risk_score": 47, "rule_id": "f3475224-b179-4f78-8877-c2bd64c26b88", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "type": "eql", "version": 107}, "id": "f3475224-b179-4f78-8877-c2bd64c26b88_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_108.json b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_108.json deleted file mode 100644 index 5cc07ae8dd9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "WMI Incoming Lateral Movement", "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port >= 49152 and destination.port >= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"WmiPrvSE.exe\" and \n not process.Ext.token.integrity_level_name : \"system\" and not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and \n not process.executable : \n (\"?:\\\\Program Files\\\\HPWBEM\\\\Tools\\\\hpsum_swdiscovery.exe\", \n \"?:\\\\Windows\\\\CCM\\\\Ccm32BitLauncher.exe\", \n \"?:\\\\Windows\\\\System32\\\\wbem\\\\mofcomp.exe\", \n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\csc.exe\", \n \"?:\\\\Windows\\\\System32\\\\powercfg.exe\") and \n not (process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and process.args : \"REBOOT=ReallySuppress\") and \n not (process.executable : \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\appcmd.exe\" and process.args : \"uninstall\")\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": 
"keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "f3475224-b179-4f78-8877-c2bd64c26b88", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "type": "eql", "version": 108}, "id": "f3475224-b179-4f78-8877-c2bd64c26b88_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_109.json b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_109.json deleted file mode 100644 index 4a7ddd8c7ba..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "WMI Incoming Lateral Movement", "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port >= 49152 and destination.port >= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"WmiPrvSE.exe\" and\n not (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\HPWBEM\\\\Tools\\\\hpsum_swdiscovery.exe\",\n \"?:\\\\Windows\\\\CCM\\\\Ccm32BitLauncher.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\mofcomp.exe\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\csc.exe\",\n \"?:\\\\Windows\\\\System32\\\\powercfg.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and process.args : \"REBOOT=ReallySuppress\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\appcmd.exe\" and process.args : \"uninstall\")\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": 
"event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 47, "rule_id": "f3475224-b179-4f78-8877-c2bd64c26b88", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "type": "eql", "version": 109}, "id": "f3475224-b179-4f78-8877-c2bd64c26b88_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_110.json b/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_110.json deleted file mode 100644 index 68a0ef89314..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/f3475224-b179-4f78-8877-c2bd64c26b88_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies processes executed via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement, but could be noisy if administrators use WMI to remotely manage hosts.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "WMI Incoming Lateral Movement", "query": "sequence by host.id with maxspan = 2s\n\n /* Accepted Incoming RPC connection by Winmgmt service */\n\n [network where host.os.type == \"windows\" and process.name : \"svchost.exe\" and network.direction : (\"incoming\", \"ingress\") and\n source.ip != \"127.0.0.1\" and source.ip != \"::1\" and source.port >= 49152 and destination.port >= 49152\n ]\n\n /* Excluding Common FPs Nessus and SCCM */\n\n [process where host.os.type == \"windows\" and event.type == \"start\" and process.parent.name : \"WmiPrvSE.exe\" and\n not (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n not user.id : (\"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\") and\n not process.executable :\n (\"?:\\\\Program Files\\\\HPWBEM\\\\Tools\\\\hpsum_swdiscovery.exe\",\n \"?:\\\\Windows\\\\CCM\\\\Ccm32BitLauncher.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\mofcomp.exe\",\n \"?:\\\\Windows\\\\Microsoft.NET\\\\Framework*\\\\csc.exe\",\n \"?:\\\\Windows\\\\System32\\\\powercfg.exe\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\msiexec.exe\" and process.args : \"REBOOT=ReallySuppress\") and\n not (process.executable : \"?:\\\\Windows\\\\System32\\\\inetsrv\\\\appcmd.exe\" and process.args : \"uninstall\")\n ]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.port", 
"type": "long"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.direction", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "source.port", "type": "long"}, {"ecs": true, "name": "user.id", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 47, "rule_id": "f3475224-b179-4f78-8877-c2bd64c26b88", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "type": "eql", "version": 110}, "id": "f3475224-b179-4f78-8877-c2bd64c26b88_110", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8.json b/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8.json
deleted file mode 100644
index 878bd463f6c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems (CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.", "false_positives": ["This rule could generate false positives if the process arguments leveraged by the exploit are shared by custom scripts using the Sudo or Sudoedit binaries. Only Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected; if those versions are not present on the endpoint, this could be a false positive."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Sudo Heap-Based Buffer Overflow Attempt", "query": "event.category:process and event.type:start and\n process.name:(sudo or sudoedit) and\n process.args:(*\\\\ and (\"-i\" or \"-s\"))\n", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156", "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit", "https://www.bleepingcomputer.com/news/security/latest-macos-big-sur-also-has-sudo-root-privilege-escalation-flaw", "https://www.sudo.ws/alerts/unescape_overflow.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": 
"Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "threshold": {"field": ["host.hostname"], "value": 100}, "timestamp_override": "event.ingested", "type": "threshold", "version": 104}, "id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_101.json b/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_101.json deleted file mode 100644 index 3ec285be345..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems (CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.", "false_positives": ["This rule could generate false positives if the process arguments leveraged by the exploit are shared by custom scripts using the Sudo or Sudoedit binaries. Only Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected; if those versions are not present on the endpoint, this could be a false positive."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Sudo Heap-Based Buffer Overflow Attempt", "query": "event.category:process and event.type:start and\n process.name:(sudo or sudoedit) and\n process.args:(*\\\\ and (\"-i\" or \"-s\"))\n", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156", "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit", "https://www.bleepingcomputer.com/news/security/latest-macos-big-sur-also-has-sudo-root-privilege-escalation-flaw", "https://www.sudo.ws/alerts/unescape_overflow.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8", "severity": "high", "tags": ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, 
"technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "threshold": {"field": ["host.hostname"], "value": 100}, "type": "threshold", "version": 101}, "id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_102.json b/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_102.json deleted file mode 100644 index 14720f5e138..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems (CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.", "false_positives": ["This rule could generate false positives if the process arguments leveraged by the exploit are shared by custom scripts using the Sudo or Sudoedit binaries. Only Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected; if those versions are not present on the endpoint, this could be a false positive."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Sudo Heap-Based Buffer Overflow Attempt", "query": "event.category:process and event.type:start and\n process.name:(sudo or sudoedit) and\n process.args:(*\\\\ and (\"-i\" or \"-s\"))\n", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156", "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit", "https://www.bleepingcomputer.com/news/security/latest-macos-big-sur-also-has-sudo-root-privilege-escalation-flaw", "https://www.sudo.ws/alerts/unescape_overflow.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": 
"https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "threshold": {"field": ["host.hostname"], "value": 100}, "type": "threshold", "version": 102}, "id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_103.json b/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_103.json deleted file mode 100644 index de36e3ee500..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f37f3054-d40b-49ac-aa9b-a786c74c58b8_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems (CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.", "false_positives": ["This rule could generate false positives if the process arguments leveraged by the exploit are shared by custom scripts using the Sudo or Sudoedit binaries. Only Sudo versions 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1 are affected; if those versions are not present on the endpoint, this could be a false positive."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Sudo Heap-Based Buffer Overflow Attempt", "query": "event.category:process and event.type:start and\n process.name:(sudo or sudoedit) and\n process.args:(*\\\\ and (\"-i\" or \"-s\"))\n", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3156", "https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit", "https://www.bleepingcomputer.com/news/security/latest-macos-big-sur-also-has-sudo-root-privilege-escalation-flaw", "https://www.sudo.ws/alerts/unescape_overflow.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 73, "rule_id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": 
"Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "threshold": {"field": ["host.hostname"], "value": 100}, "type": "threshold", "version": 103}, "id": "f37f3054-d40b-49ac-aa9b-a786c74c58b8_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f3818c85-2207-4b51-8a28-d70fb156ee87.json b/packages/security_detection_engine/kibana/security_rule/f3818c85-2207-4b51-8a28-d70fb156ee87.json deleted file mode 100644 index e326cbf8fea..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f3818c85-2207-4b51-8a28-d70fb156ee87.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects suspicious network events executed by systemd, potentially indicating persistence through a systemd backdoor. Systemd is a system and service manager for Linux operating systems, used to initialize and manage system processes. Attackers can backdoor systemd for persistence by creating or modifying systemd unit files to execute malicious scripts or commands, or by replacing legitimate systemd binaries with compromised ones, ensuring that their malicious code is automatically executed at system startup or during certain system events.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Network Connection via systemd", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.parent.name == \"systemd\" and process.name in (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\"\n )\n ] by process.entity_id\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and event.type == \"start\"\n ] by process.parent.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f3818c85-2207-4b51-8a28-d70fb156ee87", "setup": "## Setup\n\n\nThis rule requires data coming in from 
Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Command and Control", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "type": "eql", "version": 2}, "id": "f3818c85-2207-4b51-8a28-d70fb156ee87", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f3818c85-2207-4b51-8a28-d70fb156ee87_1.json b/packages/security_detection_engine/kibana/security_rule/f3818c85-2207-4b51-8a28-d70fb156ee87_1.json
deleted file mode 100644
index 74cd09f029e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f3818c85-2207-4b51-8a28-d70fb156ee87_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects suspicious network events executed by systemd, potentially indicating persistence through a systemd backdoor. Systemd is a system and service manager for Linux operating systems, used to initialize and manage system processes. Attackers can backdoor systemd for persistence by creating or modifying systemd unit files to execute malicious scripts or commands, or by replacing legitimate systemd binaries with compromised ones, ensuring that their malicious code is automatically executed at system startup or during certain system events.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Network Connection via systemd", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and\n process.parent.name == \"systemd\" and process.name in (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\"\n )\n ] by process.entity_id\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and event.type == \"start\"\n ] by process.parent.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f3818c85-2207-4b51-8a28-d70fb156ee87", "setup": "\nThis rule requires data coming in from Elastic 
Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Command and Control", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "type": "eql", "version": 1}, "id": "f3818c85-2207-4b51-8a28-d70fb156ee87_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f3818c85-2207-4b51-8a28-d70fb156ee87_2.json b/packages/security_detection_engine/kibana/security_rule/f3818c85-2207-4b51-8a28-d70fb156ee87_2.json
deleted file mode 100644
index 75f5aae5645..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f3818c85-2207-4b51-8a28-d70fb156ee87_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects suspicious network events executed by systemd, potentially indicating persistence through a systemd backdoor. Systemd is a system and service manager for Linux operating systems, used to initialize and manage system processes. Attackers can backdoor systemd for persistence by creating or modifying systemd unit files to execute malicious scripts or commands, or by replacing legitimate systemd binaries with compromised ones, ensuring that their malicious code is automatically executed at system startup or during certain system events.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Network Connection via systemd", "query": "sequence by host.id with maxspan=5s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.parent.name == \"systemd\" and process.name in (\n \"python*\", \"php*\", \"perl\", \"ruby\", \"lua*\", \"openssl\", \"nc\", \"netcat\", \"ncat\", \"telnet\", \"awk\"\n )\n ] by process.entity_id\n [network where host.os.type == \"linux\" and event.action == \"connection_attempted\" and event.type == \"start\"\n ] by process.parent.entity_id\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f3818c85-2207-4b51-8a28-d70fb156ee87", "setup": "## Setup\n\n\nThis rule requires data coming in from 
Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Command and Control", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/", "subtechnique": [{"id": "T1543.002", "name": "Systemd Service", "reference": "https://attack.mitre.org/techniques/T1543/002/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": []}], "type": "eql", "version": 2}, "id": "f3818c85-2207-4b51-8a28-d70fb156ee87_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3.json b/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3.json
deleted file mode 100644
index ea10df67f71..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when a URL indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains URL data, like DNS events, network logs, etc.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel URL Indicator Match", "note": "## Triage and Analysis\n\n### Investigating Threat Intel URL Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index.\n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a URL indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains URL data, like DNS events, network logs, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the URL, which can be found in the `threat.indicator.matched.atomic` field:\n - Identify the type of malicious activity related to the URL (phishing, malware, etc.).\n - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Execute a WHOIS lookup to retrieve information about the domain registration and contacts to report abuse.\n - If dealing with a phishing incident:\n - Contact the user to gain more information around the delivery method, information sent, etc.\n - Analyze whether the URL is trying to impersonate a legitimate address. Look for typosquatting, extra or unusual subdomains, or other anomalies that could lure the user.\n - Investigate the phishing page to identify which information may have been sent to the attacker by the user.\n- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path 
WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure.\n- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Consider reporting the address for abuse using the provided contact information.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "url.full:*\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": true, "name": "url.full", "type": "wildcard"}], "risk_score": 99, "rule_id": "f3e22c8b-ea47-45d1-b502-b57b6de950b3", "setup": "## Setup\n\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Threat Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": "enrichment"}}}, 
{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, "params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "url.full", "type": "mapping", "value": "threat.indicator.url.full"}]}, {"entries": [{"field": "url.original", "type": "mapping", "value": "threat.indicator.url.original"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.url.full:* and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "timestamp_override": "event.ingested", "type": "threat_match", "version": 7}, "id": "f3e22c8b-ea47-45d1-b502-b57b6de950b3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_1.json b/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_1.json deleted file mode 100644 index 765803b15f7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when a URL indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains URL data, like DNS events, network logs, etc.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel URL Indicator Match", "query": "url.full:* or url.domain:*\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": true, "name": "url.domain", "type": "keyword"}, {"ecs": true, "name": "url.full", "type": "wildcard"}], "risk_score": 99, "rule_id": "f3e22c8b-ea47-45d1-b502-b57b6de950b3", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": "enrichment"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, "params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "url.full", "type": "mapping", "value": "threat.indicator.url.full"}]}, {"entries": [{"field": "url.domain", 
"type": "mapping", "value": "threat.indicator.url.domain"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and (threat.indicator.url.full:* or threat.indicator.url.domain:*) and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", "version": 1}, "id": "f3e22c8b-ea47-45d1-b502-b57b6de950b3_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_2.json b/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_2.json
deleted file mode 100644
index a7eeacecd82..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when a URL indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains URL data, like DNS events, network logs, etc.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel URL Indicator Match", "note": "## Triage and Analysis\n\n### Investigating Threat Intel URL Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a URL indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains URL data, like DNS events, network logs, etc.\n\n#### Possible investigation steps\n\n- Investigate the URL, which can be found in the `threat.indicator.matched.atomic` field:\n - Identify the type of malicious activity related to the URL (phishing, malware, etc.).\n - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. 
\n - Execute a WHOIS lookup to retrieve information about the domain registration and contacts to report abuse.\n - If dealing with a phishing incident:\n - Contact the user to gain more information around the delivery method, information sent, etc.\n - Analyze whether the URL is trying to impersonate a legitimate address. Look for typosquatting, extra or unusual subdomains, or other anomalies that could lure the user.\n - Investigate the phishing page to identify which information may have been sent to the attacker by the user.\n- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure.\n- Some feeds 
may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Consider reporting the address for abuse using the provided contact information.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThis rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).", "query": "url.full:*\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": true, "name": "url.full", "type": "wildcard"}], "risk_score": 99, "rule_id": "f3e22c8b-ea47-45d1-b502-b57b6de950b3", "setup": "This rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an Elastic Agent integration, the Threat Intel module, or a custom integration.\n\nMore information can be found here.", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": "enrichment"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, "params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "url.full", "type": "mapping", "value": "threat.indicator.url.full"}]}, {"entries": [{"field": "url.original", "type": "mapping", "value": "threat.indicator.url.original"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.url.full:* and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", "version": 2}, "id": "f3e22c8b-ea47-45d1-b502-b57b6de950b3_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_3.json b/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_3.json
deleted file mode 100644
index c8b566213ad..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when a URL indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains URL data, like DNS events, network logs, etc.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel URL Indicator Match", "note": "## Triage and Analysis\n\n### Investigating Threat Intel URL Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a URL indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains URL data, like DNS events, network logs, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the URL, which can be found in the `threat.indicator.matched.atomic` field:\n - Identify the type of malicious activity related to the URL (phishing, malware, etc.).\n - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. 
\n - Execute a WHOIS lookup to retrieve information about the domain registration and contacts to report abuse.\n - If dealing with a phishing incident:\n - Contact the user to gain more information around the delivery method, information sent, etc.\n - Analyze whether the URL is trying to impersonate a legitimate address. Look for typosquatting, extra or unusual subdomains, or other anomalies that could lure the user.\n - Investigate the phishing page to identify which information may have been sent to the attacker by the user.\n- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure.\n- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). 
Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Consider reporting the address for abuse using the provided contact information.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\nThis rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration), the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration), or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).", "query": "url.full:*\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": true, "name": "url.full", "type": "wildcard"}], "risk_score": 99, "rule_id": "f3e22c8b-ea47-45d1-b502-b57b6de950b3", "setup": "This rule needs threat intelligence indicators to work. 
Threat intelligence indicators can be collected using an Elastic Agent integration, the Threat Intel module, or a custom integration.\n\nMore information can be found here.", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": "enrichment"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, "params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "url.full", "type": "mapping", "value": "threat.indicator.url.full"}]}, {"entries": [{"field": "url.original", "type": "mapping", "value": "threat.indicator.url.original"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.url.full:* and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", "version": 3}, "id": "f3e22c8b-ea47-45d1-b502-b57b6de950b3_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_4.json b/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_4.json
deleted file mode 100644
index 122132fdf8f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when a URL indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains URL data, like DNS events, network logs, etc.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel URL Indicator Match", "note": "## Triage and Analysis\n\n### Investigating Threat Intel URL Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. \n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a URL indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains URL data, like DNS events, network logs, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the URL, which can be found in the `threat.indicator.matched.atomic` field:\n - Identify the type of malicious activity related to the URL (phishing, malware, etc.).\n - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. 
\n - Execute a WHOIS lookup to retrieve information about the domain registration and contacts to report abuse.\n - If dealing with a phishing incident:\n - Contact the user to gain more information around the delivery method, information sent, etc.\n - Analyze whether the URL is trying to impersonate a legitimate address. Look for typosquatting, extra or unusual subdomains, or other anomalies that could lure the user.\n - Investigate the phishing page to identify which information may have been sent to the attacker by the user.\n- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User 
Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure.\n- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). 
Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Consider reporting the address for abuse using the provided contact information.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "url.full:*\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": true, "name": "url.full", "type": "wildcard"}], "risk_score": 99, "rule_id": "f3e22c8b-ea47-45d1-b502-b57b6de950b3", "setup": "\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe 
[Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": "enrichment"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, "params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "url.full", "type": "mapping", "value": "threat.indicator.url.full"}]}, {"entries": [{"field": "url.original", "type": "mapping", "value": "threat.indicator.url.original"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.url.full:* and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "type": "threat_match", "version": 4}, "id": "f3e22c8b-ea47-45d1-b502-b57b6de950b3_4", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_5.json b/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_5.json
deleted file mode 100644
index aa244835f72..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when a URL indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains URL data, like DNS events, network logs, etc.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel URL Indicator Match", "note": "## Triage and Analysis\n\n### Investigating Threat Intel URL Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index.\n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a URL indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains URL data, like DNS events, network logs, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the URL, which can be found in the `threat.indicator.matched.atomic` field:\n - Identify the type of malicious activity related to the URL (phishing, malware, etc.).\n - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Execute a WHOIS lookup to retrieve information about the domain registration and contacts to report abuse.\n - If dealing with a phishing incident:\n - Contact the user to gain more information around the delivery method, information sent, etc.\n - Analyze whether the URL is trying to impersonate a legitimate address. Look for typosquatting, extra or unusual subdomains, or other anomalies that could lure the user.\n - Investigate the phishing page to identify which information may have been sent to the attacker by the user.\n- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path 
WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure.\n- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Consider reporting the address for abuse using the provided contact information.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "url.full:*\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": true, "name": "url.full", "type": "wildcard"}], "risk_score": 99, "rule_id": "f3e22c8b-ea47-45d1-b502-b57b6de950b3", "setup": "\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": "enrichment"}}}, {"$state": 
{"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, "params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "url.full", "type": "mapping", "value": "threat.indicator.url.full"}]}, {"entries": [{"field": "url.original", "type": "mapping", "value": "threat.indicator.url.original"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.url.full:* and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "timestamp_override": "event.ingested", "type": "threat_match", "version": 5}, "id": "f3e22c8b-ea47-45d1-b502-b57b6de950b3_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_6.json b/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_6.json deleted file mode 100644 index 391e78a048d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f3e22c8b-ea47-45d1-b502-b57b6de950b3_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule is triggered when a URL indicator from the Threat Intel Filebeat module or integrations has a match against an event that contains URL data, like DNS events, network logs, etc.", "from": "now-65m", "index": ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"], "interval": "1h", "language": "kuery", "license": "Elastic License v2", "name": "Threat Intel URL Indicator Match", "note": "## Triage and Analysis\n\n### Investigating Threat Intel URL Indicator Match\n\nThreat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index.\n\nMatches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation.\n\nThis rule is triggered when a URL indicator from the Threat Intel Filebeat module or a threat intelligence integration matches against an event that contains URL data, like DNS events, network logs, etc.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the URL, which can be found in the `threat.indicator.matched.atomic` field:\n - Identify the type of malicious activity related to the URL (phishing, malware, etc.).\n - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n - Execute a WHOIS lookup to retrieve information about the domain registration and contacts to report abuse.\n - If dealing with a phishing incident:\n - Contact the user to gain more information around the delivery method, information sent, etc.\n - Analyze whether the URL is trying to impersonate a legitimate address. Look for typosquatting, extra or unusual subdomains, or other anomalies that could lure the user.\n - Investigate the phishing page to identify which information may have been sent to the attacker by the user.\n- Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Retrieve the involved process executable and examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path 
WHERE authenticode.result != 'trusted'\\n\"}}\n- Using the data collected through the analysis, scope users targeted and other machines infected in the environment.\n\n### False Positive Analysis\n\n- False positives might occur after large and publicly written campaigns if curious employees interact with attacker infrastructure.\n- Some feeds may include internal or known benign addresses by mistake (e.g., 8.8.8.8, google.com, 127.0.0.1, etc.). Make sure you understand how blocking a specific domain or address might impact the organization or normal system functioning.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Consider reporting the address for abuse using the provided contact information.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "url.full:*\n", "references": ["https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html", "https://www.elastic.co/guide/en/security/master/es-threat-intel-integrations.html", "https://www.elastic.co/security/tip"], "required_fields": [{"ecs": true, "name": "url.full", "type": "wildcard"}], "risk_score": 99, "rule_id": "f3e22c8b-ea47-45d1-b502-b57b6de950b3", "setup": "## Setup\n\nThis rule needs threat intelligence indicators to work.\nThreat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),\nthe [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),\nor a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).\n\nMore information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).\n", "severity": "critical", "tags": ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"], "threat_filters": [{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.category", "negate": false, "params": {"query": "threat"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "threat"}}}, {"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.kind", "negate": false, "params": {"query": "enrichment"}, "type": "phrase"}, "query": {"match_phrase": {"event.kind": "enrichment"}}}, 
{"$state": {"store": "appState"}, "meta": {"disabled": false, "key": "event.type", "negate": false, "params": {"query": "indicator"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "indicator"}}}], "threat_index": ["filebeat-*", "logs-ti_*"], "threat_indicator_path": "threat.indicator", "threat_language": "kuery", "threat_mapping": [{"entries": [{"field": "url.full", "type": "mapping", "value": "threat.indicator.url.full"}]}, {"entries": [{"field": "url.original", "type": "mapping", "value": "threat.indicator.url.original"}]}], "threat_query": "@timestamp >= \"now-30d/d\" and event.module:(threatintel or ti_*) and threat.indicator.url.full:* and not labels.is_ioc_transform_source:\"true\"", "timeline_id": "495ad7a7-316e-4544-8a0f-9c098daee76e", "timeline_title": "Generic Threat Match Timeline", "timestamp_override": "event.ingested", "type": "threat_match", "version": 6}, "id": "f3e22c8b-ea47-45d1-b502-b57b6de950b3_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d.json b/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d.json deleted file mode 100644 index 8cd96a55cf2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed with and without the use of environment variables. For increased visibility, enable the collection of http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential curl CVE-2023-38545 Exploitation", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name == \"curl\" \nand (\n process.args : (\"--socks5-hostname\", \"--proxy\", \"--preproxy\", \"socks5*\") or \n process.env_vars: (\"http_proxy=socks5h://*\", \"HTTPS_PROXY=socks5h://*\", \"ALL_PROXY=socks5h://*\")\n) and length(process.command_line) > 255 and \nnot process.parent.name in (\"cf-agent\", \"agent-run\", \"agent-check\", \"rudder\", \"agent-inventory\", \"cf-execd\") and\nnot process.args == \"/opt/rudder/bin/curl\"\n", "references": ["https://curl.se/docs/CVE-2023-38545.html", "https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/", "https://twitter.com/_JohnHammond/status/1711986412554531015"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.env_vars", 
"type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f41296b4-9975-44d6-9486-514c6f635b2d", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nElastic Defend integration does not collect environment variable logging by default.\nIn order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the Elastic Defend integration.\n #### To set up environment variable capture for an Elastic Agent policy:\n- Go to \u201cSecurity \u2192 Manage \u2192 Policies\u201d.\n- Select an \u201cElastic Agent policy\u201d.\n- Click \u201cShow advanced settings\u201d.\n- Scroll down or search for \u201clinux.advanced.capture_env_vars\u201d.\n- Enter the names of environment variables you want to capture, separated by commas.\n- For this rule the linux.advanced.capture_env_vars variable should be set to \"http_proxy,HTTPS_PROXY,ALL_PROXY\".\n- Click \u201cSave\u201d.\nAfter saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.\nFor more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Use Case: Vulnerability", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, 
"technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "f41296b4-9975-44d6-9486-514c6f635b2d", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_1.json b/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_1.json deleted file mode 100644 index c75f457b692..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed with and without the use of environment variables. For increased visibility, enable the collection of http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential curl CVE-2023-38545 Exploitation", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and process.name == \"curl\" \nand (\n process.args : (\"--socks5-hostname\", \"--proxy\", \"--preproxy\", \"socks5*\") or \n process.env_vars: (\"http_proxy=socks5h://*\", \"HTTPS_PROXY=socks5h://*\", \"ALL_PROXY=socks5h://*\")\n) and length(process.command_line) > 255\n", "references": ["https://curl.se/docs/CVE-2023-38545.html", "https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/", "https://twitter.com/_JohnHammond/status/1711986412554531015"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.env_vars", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f41296b4-9975-44d6-9486-514c6f635b2d", "setup": "Elastic Defend 
integration does not collect environment variable logging by default. In order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the Elastic Defend integration. To set up environment variable capture for an Elastic Agent policy: - Go to Security \u2192 Manage \u2192 Policies. - Select an Elastic Agent policy. - Click Show advanced settings. - Scroll down or search for linux.advanced.capture_env_vars. - Enter the names of env vars you want to capture, separated by commas. - For this rule the linux.advanced.capture_env_vars variable should be set to \"http_proxy,HTTPS_PROXY,ALL_PROXY\". - Click Save. After saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly. For more information on capturing environment variables refer to https://www.elastic.co/guide/en/security/current/environment-variable-capture.html", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Use Case: Vulnerability", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "f41296b4-9975-44d6-9486-514c6f635b2d_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_2.json b/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_2.json deleted file mode 100644 index fca03375871..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed with and without the use of environment variables. For increased visibility, enable the collection of http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential curl CVE-2023-38545 Exploitation", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and process.name == \"curl\" \nand (\n process.args : (\"--socks5-hostname\", \"--proxy\", \"--preproxy\", \"socks5*\") or \n process.env_vars: (\"http_proxy=socks5h://*\", \"HTTPS_PROXY=socks5h://*\", \"ALL_PROXY=socks5h://*\")\n) and length(process.command_line) > 255\n", "references": ["https://curl.se/docs/CVE-2023-38545.html", "https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/", "https://twitter.com/_JohnHammond/status/1711986412554531015"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.env_vars", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f41296b4-9975-44d6-9486-514c6f635b2d", "setup": "\nThis rule requires 
data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nElastic Defend integration does not collect environment variable logging by default.\nIn order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the Elastic Defend integration.\n #### To set up environment variable capture for an Elastic Agent policy:\n- Go to Security \u2192 Manage \u2192 Policies.\n- Select an Elastic Agent policy.\n- Click Show advanced settings.\n- Scroll down or search for linux.advanced.capture_env_vars.\n- Enter the names of env vars you want to capture, separated by commas.\n- For this rule the linux.advanced.capture_env_vars variable should be set to \"http_proxy,HTTPS_PROXY,ALL_PROXY\".\n- Click Save.\nAfter saving the integration change, the Elastic Agents running this policy will be updated and\nthe rule will function properly.\nFor more information on capturing environment variables refer the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Use Case: Vulnerability", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": 
"https://attack.mitre.org/techniques/T1203/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "f41296b4-9975-44d6-9486-514c6f635b2d_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_3.json b/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_3.json deleted file mode 100644 index 3394a059e77..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed with and without the use of environment variables. For increased visibility, enable the collection of http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential curl CVE-2023-38545 Exploitation", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and process.name == \"curl\" \nand (\n process.args : (\"--socks5-hostname\", \"--proxy\", \"--preproxy\", \"socks5*\") or \n process.env_vars: (\"http_proxy=socks5h://*\", \"HTTPS_PROXY=socks5h://*\", \"ALL_PROXY=socks5h://*\")\n) and length(process.command_line) > 255\n", "references": ["https://curl.se/docs/CVE-2023-38545.html", "https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/", "https://twitter.com/_JohnHammond/status/1711986412554531015"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.env_vars", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f41296b4-9975-44d6-9486-514c6f635b2d", "setup": "\nThis rule requires 
data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nElastic Defend integration does not collect environment variable logging by default.\nIn order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the Elastic Defend integration.\n #### To set up environment variable capture for an Elastic Agent policy:\n- Go to \u201cSecurity \u2192 Manage \u2192 Policies\u201d.\n- Select an \u201cElastic Agent policy\u201d.\n- Click \u201cShow advanced settings\u201d.\n- Scroll down or search for \u201clinux.advanced.capture_env_vars\u201d.\n- Enter the names of environment variables you want to capture, separated by commas.\n- For this rule the linux.advanced.capture_env_vars variable should be set to \"http_proxy,HTTPS_PROXY,ALL_PROXY\".\n- Click \u201cSave\u201d.\nAfter saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.\nFor more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Use Case: Vulnerability", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, 
"technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "f41296b4-9975-44d6-9486-514c6f635b2d_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_4.json b/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_4.json deleted file mode 100644 index 2b9dc530b85..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed with and without the use of environment variables. For increased visibility, enable the collection of http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential curl CVE-2023-38545 Exploitation", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and process.name == \"curl\" \nand (\n process.args : (\"--socks5-hostname\", \"--proxy\", \"--preproxy\", \"socks5*\") or \n process.env_vars: (\"http_proxy=socks5h://*\", \"HTTPS_PROXY=socks5h://*\", \"ALL_PROXY=socks5h://*\")\n) and length(process.command_line) > 255 and \nnot process.parent.name in (\"cf-agent\", \"agent-run\", \"rudder\", \"agent-inventory\", \"cf-execd\")\n", "references": ["https://curl.se/docs/CVE-2023-38545.html", "https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/", "https://twitter.com/_JohnHammond/status/1711986412554531015"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.env_vars", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": 
"keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f41296b4-9975-44d6-9486-514c6f635b2d", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nElastic Defend integration does not collect environment variable logging by default.\nIn order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the Elastic Defend integration.\n #### To set up environment variable capture for an Elastic Agent policy:\n- Go to \u201cSecurity \u2192 Manage \u2192 Policies\u201d.\n- Select an \u201cElastic Agent policy\u201d.\n- Click \u201cShow advanced settings\u201d.\n- Scroll down or search for \u201clinux.advanced.capture_env_vars\u201d.\n- Enter the names of environment variables you want to capture, separated by commas.\n- For this rule the linux.advanced.capture_env_vars variable should be set to \"http_proxy,HTTPS_PROXY,ALL_PROXY\".\n- Click \u201cSave\u201d.\nAfter saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.\nFor more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Use Case: Vulnerability", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, 
"technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "f41296b4-9975-44d6-9486-514c6f635b2d_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_5.json b/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_5.json deleted file mode 100644 index cb425b96f3e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f41296b4-9975-44d6-9486-514c6f635b2d_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be executed with and without the use of environment variables. For increased visibility, enable the collection of http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of this rule.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential curl CVE-2023-38545 Exploitation", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and process.name == \"curl\" \nand (\n process.args : (\"--socks5-hostname\", \"--proxy\", \"--preproxy\", \"socks5*\") or \n process.env_vars: (\"http_proxy=socks5h://*\", \"HTTPS_PROXY=socks5h://*\", \"ALL_PROXY=socks5h://*\")\n) and length(process.command_line) > 255 and \nnot process.parent.name in (\"cf-agent\", \"agent-run\", \"agent-check\", \"rudder\", \"agent-inventory\", \"cf-execd\") and\nnot process.args == \"/opt/rudder/bin/curl\"\n", "references": ["https://curl.se/docs/CVE-2023-38545.html", "https://daniel.haxx.se/blog/2023/10/11/curl-8-4-0/", "https://twitter.com/_JohnHammond/status/1711986412554531015"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.env_vars", 
"type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f41296b4-9975-44d6-9486-514c6f635b2d", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\nElastic Defend integration does not collect environment variable logging by default.\nIn order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the Elastic Defend integration.\n #### To set up environment variable capture for an Elastic Agent policy:\n- Go to \u201cSecurity \u2192 Manage \u2192 Policies\u201d.\n- Select an \u201cElastic Agent policy\u201d.\n- Click \u201cShow advanced settings\u201d.\n- Scroll down or search for \u201clinux.advanced.capture_env_vars\u201d.\n- Enter the names of environment variables you want to capture, separated by commas.\n- For this rule the linux.advanced.capture_env_vars variable should be set to \"http_proxy,HTTPS_PROXY,ALL_PROXY\".\n- Click \u201cSave\u201d.\nAfter saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.\nFor more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Use Case: Vulnerability", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, 
"technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "f41296b4-9975-44d6-9486-514c6f635b2d_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c.json b/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c.json deleted file mode 100644 index 969b66cc453..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.", "from": "now-9m", "index": ["logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Microsoft Office AddIns", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"wll\",\"xll\",\"ppa\",\"ppam\",\"xla\",\"xlam\") and\n file.path :\n (\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\AddIns\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel\\\\XLSTART\\\\*\"\n )\n", "references": ["https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic 
Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1137", "name": "Office Application Startup", "reference": "https://attack.mitre.org/techniques/T1137/", "subtechnique": [{"id": "T1137.006", "name": "Add-ins", "reference": "https://attack.mitre.org/techniques/T1137/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_102.json b/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_102.json deleted file mode 100644 index 6155186448c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Microsoft Office AddIns", "note": "", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"wll\",\"xll\",\"ppa\",\"ppam\",\"xla\",\"xlam\") and\n file.path :\n (\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\AddIns\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel\\\\XLSTART\\\\*\"\n )\n", "references": ["https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1137", "name": "Office Application Startup", "reference": 
"https://attack.mitre.org/techniques/T1137/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_103.json b/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_103.json deleted file mode 100644 index ce0b2c0b759..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Microsoft Office AddIns", "note": "", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"wll\",\"xll\",\"ppa\",\"ppam\",\"xla\",\"xlam\") and\n file.path :\n (\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\AddIns\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel\\\\XLSTART\\\\*\"\n )\n", "references": ["https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1137", "name": "Office 
Application Startup", "reference": "https://attack.mitre.org/techniques/T1137/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_104.json b/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_104.json
deleted file mode 100644
index 21fb591d879..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Microsoft Office AddIns", "note": "", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"wll\",\"xll\",\"ppa\",\"ppam\",\"xla\",\"xlam\") and\n file.path :\n (\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\AddIns\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel\\\\XLSTART\\\\*\"\n )\n", "references": ["https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": 
[{"id": "T1137", "name": "Office Application Startup", "reference": "https://attack.mitre.org/techniques/T1137/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_105.json b/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_105.json
deleted file mode 100644
index 06a4112afaf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Microsoft Office AddIns", "note": "", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"wll\",\"xll\",\"ppa\",\"ppam\",\"xla\",\"xlam\") and\n file.path :\n (\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\AddIns\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel\\\\XLSTART\\\\*\"\n )\n", "references": ["https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": 
[{"id": "T1137", "name": "Office Application Startup", "reference": "https://attack.mitre.org/techniques/T1137/", "subtechnique": [{"id": "T1137.006", "name": "Add-ins", "reference": "https://attack.mitre.org/techniques/T1137/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_106.json b/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_106.json
deleted file mode 100644
index 2b01e1f532e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Microsoft Office AddIns", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"wll\",\"xll\",\"ppa\",\"ppam\",\"xla\",\"xlam\") and\n file.path :\n (\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\AddIns\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel\\\\XLSTART\\\\*\"\n )\n", "references": ["https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic 
Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1137", "name": "Office Application Startup", "reference": "https://attack.mitre.org/techniques/T1137/", "subtechnique": [{"id": "T1137.006", "name": "Add-ins", "reference": "https://attack.mitre.org/techniques/T1137/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_107.json b/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_107.json
deleted file mode 100644
index 798a6eb8acb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Microsoft Office AddIns", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"wll\",\"xll\",\"ppa\",\"ppam\",\"xla\",\"xlam\") and\n file.path :\n (\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\AddIns\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel\\\\XLSTART\\\\*\"\n )\n", "references": ["https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic 
Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1137", "name": "Office Application Startup", "reference": "https://attack.mitre.org/techniques/T1137/", "subtechnique": [{"id": "T1137.006", "name": "Add-ins", "reference": "https://attack.mitre.org/techniques/T1137/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_108.json b/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_108.json
deleted file mode 100644
index 8bdc6795a2c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.", "from": "now-9m", "index": ["logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistence via Microsoft Office AddIns", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n file.extension : (\"wll\",\"xll\",\"ppa\",\"ppam\",\"xla\",\"xlam\") and\n file.path :\n (\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Word\\\\Startup\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\AddIns\\\\*\",\n \"C:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Excel\\\\XLSTART\\\\*\"\n )\n", "references": ["https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic 
Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1137", "name": "Office Application Startup", "reference": "https://attack.mitre.org/techniques/T1137/", "subtechnique": [{"id": "T1137.006", "name": "Add-ins", "reference": "https://attack.mitre.org/techniques/T1137/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f48ecc44-7d02-437d-9562-b838d2c41987.json b/packages/security_detection_engine/kibana/security_rule/f48ecc44-7d02-437d-9562-b838d2c41987.json
deleted file mode 100644
index 44d133dc682..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f48ecc44-7d02-437d-9562-b838d2c41987.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the creation or modification of Pluggable Authentication Module (PAM) shared object files or configuration files. Attackers may create or modify these files to maintain persistence on a compromised system, or harvest account credentials.", "false_positives": ["Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes."], "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of Pluggable Authentication Module or Configuration", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and \nprocess.executable != null and (\n (file.path : (\"/lib/security/*\", \"/lib64/security/*\", \"/usr/lib/security/*\", \"/usr/lib64/security/*\",\n \"/usr/lib/x86_64-linux-gnu/security/*\") and file.extension == \"so\") or\n (file.path : \"/etc/pam.d/*\" and file.extension == null) or \n (file.path : \"/etc/security/pam_*\" or file.path == \"/etc/pam.conf\")\n) and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", 
\"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/pam-auth-update\",\n \"/usr/lib/systemd/systemd\", \"/usr/libexec/packagekitd\", \"/usr/bin/bsdtar\", \"/sbin/pam-auth-update\"\n ) or\n file.path : (\n \"/tmp/snap.rootfs_*/pam_*.so\", \"/tmp/newroot/lib/*/pam_*.so\", \"/tmp/newroot/usr/lib64/security/pam_*.so\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\"\n ) or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://github.com/zephrax/linux-pam-backdoor", "https://github.com/eurialo/pambd", "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html", "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f48ecc44-7d02-437d-9562-b838d2c41987", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": 
"Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "f48ecc44-7d02-437d-9562-b838d2c41987", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f48ecc44-7d02-437d-9562-b838d2c41987_1.json b/packages/security_detection_engine/kibana/security_rule/f48ecc44-7d02-437d-9562-b838d2c41987_1.json
deleted file mode 100644
index 99641bc6059..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f48ecc44-7d02-437d-9562-b838d2c41987_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the creation or modification of Pluggable Authentication Module (PAM) shared object files or configuration files. Attackers may create or modify these files to maintain persistence on a compromised system, or harvest account credentials.", "false_positives": ["Trusted system module updates or allowed Pluggable Authentication Module (PAM) daemon configuration changes."], "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Creation or Modification of Pluggable Authentication Module or Configuration", "query": "file where host.os.type == \"linux\" and event.action in (\"rename\", \"creation\") and \nprocess.executable != null and (\n (file.path : (\"/lib/security/*\", \"/lib64/security/*\", \"/usr/lib/security/*\", \"/usr/lib64/security/*\",\n \"/usr/lib/x86_64-linux-gnu/security/*\") and file.extension == \"so\") or\n (file.path : \"/etc/pam.d/*\" and file.extension == null) or \n (file.path : \"/etc/security/pam_*\" or file.path == \"/etc/pam.conf\")\n) and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", 
\"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/sbin/pam-auth-update\",\n \"/usr/lib/systemd/systemd\", \"/usr/libexec/packagekitd\", \"/usr/bin/bsdtar\"\n ) or\n file.path : (\n \"/tmp/snap.rootfs_*/pam_*.so\", \"/tmp/newroot/lib/*/pam_*.so\", \"/tmp/newroot/usr/lib64/security/pam_*.so\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/lib/virtualbox/*\"\n ) or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://github.com/zephrax/linux-pam-backdoor", "https://github.com/eurialo/pambd", "http://0x90909090.blogspot.com/2016/06/creating-backdoor-in-pam-in-5-line-of.html", "https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f48ecc44-7d02-437d-9562-b838d2c41987", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1556", "name": "Modify Authentication Process", "reference": "https://attack.mitre.org/techniques/T1556/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "f48ecc44-7d02-437d-9562-b838d2c41987_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d.json b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d.json
deleted file mode 100644
index 37d73bc1afb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the assignment of the SeEnableDelegationPrivilege sensitive \"user right\" to a user. The SeEnableDelegationPrivilege \"user right\" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", "note": "## Triage and analysis\n\n### Investigating Sensitive Privilege SeEnableDelegationPrivilege assigned to a User\n\nKerberos delegation is an Active Directory feature that allows user and computer accounts to impersonate other accounts, act on their behalf, and use their privileges. Delegation (constrained and unconstrained) can be configured for user and computer objects.\n\nEnabling unconstrained delegation for a computer causes the computer to store the ticket-granting ticket (TGT) in memory at any time an account connects to the computer, so it can be used by the computer for impersonation when needed. Risk is heightened if an attacker compromises computers with unconstrained delegation enabled, as they could extract TGTs from memory and then replay them to move laterally on the domain. If the attacker coerces a privileged user to connect to the server, or if the user does so routinely, the account will be compromised and the attacker will be able to pass-the-ticket to privileged assets.\n\nSeEnableDelegationPrivilege is a user right that is controlled within the Local Security Policy of a domain controller and is managed through Group Policy. This setting is named **Enable computer and user accounts to be trusted for delegation**.\n\nIt is critical to control the assignment of this privilege. 
A user with this privilege and write access to a computer can control delegation settings, perform the attacks described above, and harvest TGTs from any user that connects to the system.\n\n#### Possible investigation steps\n\n- Investigate how the privilege was assigned to the user and who assigned it.\n- Investigate other potentially malicious activity that was performed by the user that assigned the privileges using the `user.id` and `winlog.activity_id` fields as a filter during the past 48 hours.\n- Investigate other alerts associated with the users/host during the past 48 hours.\n\n### False positive analysis\n\n- The SeEnableDelegationPrivilege privilege should not be assigned to users. If this rule is triggered in your environment legitimately, the security team should notify the administrators about the risks of using it.\n\n### Related rules\n\n- KRBTGT Delegation Backdoor - e052c845-48d0-4f46-8a13-7d0aba05df82\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Remove the privilege from the account.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:\"Authorization Policy Change\" and event.code:4704 and\n winlog.event_data.PrivilegeList:\"SeEnableDelegationPrivilege\"\n", "references": ["https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_alert_active_directory_user_control.yml", "https://twitter.com/_nwodtuhs/status/1454049485080907776", "https://www.thehacker.recipes/ad/movement/kerberos/delegations", 
"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0105_windows_audit_authorization_policy_change.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.PrivilegeList", "type": "keyword"}], "risk_score": 73, "rule_id": "f494c678-3c33-43aa-b169-bb3d5198c41d", "setup": "## Setup\n\nThe 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policy Configuration >\nAudit Policies >\nPolicy Change >\nAudit Authorization Policy Change (Success,Failure)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 111}, "id": "f494c678-3c33-43aa-b169-bb3d5198c41d", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_105.json b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_105.json
deleted file mode 100644
index 5a6317aec2c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the assignment of the SeEnableDelegationPrivilege sensitive \"user right\" to a user. The SeEnableDelegationPrivilege \"user right\" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", "note": "## Triage and analysis\n\n### Investigating Sensitive Privilege SeEnableDelegationPrivilege assigned to a User\n\nKerberos delegation is an Active Directory feature that allows user and computer accounts to impersonate other accounts, act on their behalf, and use their privileges. Delegation (constrained and unconstrained) can be configured for user and computer objects.\n\nEnabling unconstrained delegation for a computer causes the computer to store the ticket-granting ticket (TGT) in memory at any time an account connects to the computer, so it can be used by the computer for impersonation when needed. Risk is heightened if an attacker compromises computers with unconstrained delegation enabled, as they could extract TGTs from memory and then replay them to move laterally on the domain. If the attacker coerces a privileged user to connect to the server, or if the user does so routinely, the account will be compromised and the attacker will be able to pass-the-ticket to privileged assets.\n\nSeEnableDelegationPrivilege is a user right that is controlled within the Local Security Policy of a domain controller and is managed through Group Policy. This setting is named **Enable computer and user accounts to be trusted for delegation**.\n\nIt is critical to control the assignment of this privilege. 
A user with this privilege and write access to a computer can control delegation settings, perform the attacks described above, and harvest TGTs from any user that connects to the system.\n\n#### Possible investigation steps\n\n- Investigate how the privilege was assigned to the user and who assigned it.\n- Investigate other potentially malicious activity that was performed by the user that assigned the privileges using the `user.id` and `winlog.activity_id` fields as a filter during the past 48 hours.\n- Investigate other alerts associated with the users/host during the past 48 hours.\n\n### False positive analysis\n\n- The SeEnableDelegationPrivilege privilege should not be assigned to users. If this rule is triggered in your environment legitimately, the security team should notify the administrators about the risks of using it.\n\n### Related rules\n\n- KRBTGT Delegation Backdoor - e052c845-48d0-4f46-8a13-7d0aba05df82\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Remove the privilege from the account.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.action:\"Authorization Policy Change\" and host.os.type:windows and event.code:4704 and\n winlog.event_data.PrivilegeList:\"SeEnableDelegationPrivilege\"\n", "references": ["https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_alert_active_directory_user_control.yml", "https://twitter.com/_nwodtuhs/status/1454049485080907776", "https://www.thehacker.recipes/ad/movement/kerberos/delegations", 
"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0105_windows_audit_authorization_policy_change.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.PrivilegeList", "type": "keyword"}], "risk_score": 73, "rule_id": "f494c678-3c33-43aa-b169-bb3d5198c41d", "setup": "The 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policy Configuration >\nAudit Policies >\nPolicy Change >\nAudit Authorization Policy Change (Success,Failure)\n```", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "f494c678-3c33-43aa-b169-bb3d5198c41d_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_106.json b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_106.json deleted file mode 100644 index c311b13aa32..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the assignment of the SeEnableDelegationPrivilege sensitive \"user right\" to a user. The SeEnableDelegationPrivilege \"user right\" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", "note": "## Triage and analysis\n\n### Investigating Sensitive Privilege SeEnableDelegationPrivilege assigned to a User\n\nKerberos delegation is an Active Directory feature that allows user and computer accounts to impersonate other accounts, act on their behalf, and use their privileges. Delegation (constrained and unconstrained) can be configured for user and computer objects.\n\nEnabling unconstrained delegation for a computer causes the computer to store the ticket-granting ticket (TGT) in memory at any time an account connects to the computer, so it can be used by the computer for impersonation when needed. Risk is heightened if an attacker compromises computers with unconstrained delegation enabled, as they could extract TGTs from memory and then replay them to move laterally on the domain. If the attacker coerces a privileged user to connect to the server, or if the user does so routinely, the account will be compromised and the attacker will be able to pass-the-ticket to privileged assets.\n\nSeEnableDelegationPrivilege is a user right that is controlled within the Local Security Policy of a domain controller and is managed through Group Policy. This setting is named **Enable computer and user accounts to be trusted for delegation**.\n\nIt is critical to control the assignment of this privilege. 
A user with this privilege and write access to a computer can control delegation settings, perform the attacks described above, and harvest TGTs from any user that connects to the system.\n\n#### Possible investigation steps\n\n- Investigate how the privilege was assigned to the user and who assigned it.\n- Investigate other potentially malicious activity that was performed by the user that assigned the privileges using the `user.id` and `winlog.activity_id` fields as a filter during the past 48 hours.\n- Investigate other alerts associated with the users/host during the past 48 hours.\n\n### False positive analysis\n\n- The SeEnableDelegationPrivilege privilege should not be assigned to users. If this rule is triggered in your environment legitimately, the security team should notify the administrators about the risks of using it.\n\n### Related rules\n\n- KRBTGT Delegation Backdoor - e052c845-48d0-4f46-8a13-7d0aba05df82\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Remove the privilege from the account.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.action:\"Authorization Policy Change\" and event.code:4704 and\n winlog.event_data.PrivilegeList:\"SeEnableDelegationPrivilege\"\n", "references": ["https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_alert_active_directory_user_control.yml", "https://twitter.com/_nwodtuhs/status/1454049485080907776", "https://www.thehacker.recipes/ad/movement/kerberos/delegations", 
"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0105_windows_audit_authorization_policy_change.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.PrivilegeList", "type": "keyword"}], "risk_score": 73, "rule_id": "f494c678-3c33-43aa-b169-bb3d5198c41d", "setup": "The 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policy Configuration >\nAudit Policies >\nPolicy Change >\nAudit Authorization Policy Change (Success,Failure)\n```", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "f494c678-3c33-43aa-b169-bb3d5198c41d_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_107.json b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_107.json deleted file mode 100644 index 34adc9ece00..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the assignment of the SeEnableDelegationPrivilege sensitive \"user right\" to a user. The SeEnableDelegationPrivilege \"user right\" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", "note": "## Triage and analysis\n\n### Investigating Sensitive Privilege SeEnableDelegationPrivilege assigned to a User\n\nKerberos delegation is an Active Directory feature that allows user and computer accounts to impersonate other accounts, act on their behalf, and use their privileges. Delegation (constrained and unconstrained) can be configured for user and computer objects.\n\nEnabling unconstrained delegation for a computer causes the computer to store the ticket-granting ticket (TGT) in memory at any time an account connects to the computer, so it can be used by the computer for impersonation when needed. Risk is heightened if an attacker compromises computers with unconstrained delegation enabled, as they could extract TGTs from memory and then replay them to move laterally on the domain. If the attacker coerces a privileged user to connect to the server, or if the user does so routinely, the account will be compromised and the attacker will be able to pass-the-ticket to privileged assets.\n\nSeEnableDelegationPrivilege is a user right that is controlled within the Local Security Policy of a domain controller and is managed through Group Policy. This setting is named **Enable computer and user accounts to be trusted for delegation**.\n\nIt is critical to control the assignment of this privilege. 
A user with this privilege and write access to a computer can control delegation settings, perform the attacks described above, and harvest TGTs from any user that connects to the system.\n\n#### Possible investigation steps\n\n- Investigate how the privilege was assigned to the user and who assigned it.\n- Investigate other potentially malicious activity that was performed by the user that assigned the privileges using the `user.id` and `winlog.activity_id` fields as a filter during the past 48 hours.\n- Investigate other alerts associated with the users/host during the past 48 hours.\n\n### False positive analysis\n\n- The SeEnableDelegationPrivilege privilege should not be assigned to users. If this rule is triggered in your environment legitimately, the security team should notify the administrators about the risks of using it.\n\n### Related rules\n\n- KRBTGT Delegation Backdoor - e052c845-48d0-4f46-8a13-7d0aba05df82\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Remove the privilege from the account.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.action:\"Authorization Policy Change\" and event.code:4704 and\n winlog.event_data.PrivilegeList:\"SeEnableDelegationPrivilege\"\n", "references": ["https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_alert_active_directory_user_control.yml", "https://twitter.com/_nwodtuhs/status/1454049485080907776", "https://www.thehacker.recipes/ad/movement/kerberos/delegations", 
"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0105_windows_audit_authorization_policy_change.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.PrivilegeList", "type": "keyword"}], "risk_score": 73, "rule_id": "f494c678-3c33-43aa-b169-bb3d5198c41d", "setup": "The 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policy Configuration >\nAudit Policies >\nPolicy Change >\nAudit Authorization Policy Change (Success,Failure)\n```", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "f494c678-3c33-43aa-b169-bb3d5198c41d_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_108.json b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_108.json deleted file mode 100644 index 01306e77c00..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the assignment of the SeEnableDelegationPrivilege sensitive \"user right\" to a user. The SeEnableDelegationPrivilege \"user right\" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", "note": "## Triage and analysis\n\n### Investigating Sensitive Privilege SeEnableDelegationPrivilege assigned to a User\n\nKerberos delegation is an Active Directory feature that allows user and computer accounts to impersonate other accounts, act on their behalf, and use their privileges. Delegation (constrained and unconstrained) can be configured for user and computer objects.\n\nEnabling unconstrained delegation for a computer causes the computer to store the ticket-granting ticket (TGT) in memory at any time an account connects to the computer, so it can be used by the computer for impersonation when needed. Risk is heightened if an attacker compromises computers with unconstrained delegation enabled, as they could extract TGTs from memory and then replay them to move laterally on the domain. If the attacker coerces a privileged user to connect to the server, or if the user does so routinely, the account will be compromised and the attacker will be able to pass-the-ticket to privileged assets.\n\nSeEnableDelegationPrivilege is a user right that is controlled within the Local Security Policy of a domain controller and is managed through Group Policy. This setting is named **Enable computer and user accounts to be trusted for delegation**.\n\nIt is critical to control the assignment of this privilege. 
A user with this privilege and write access to a computer can control delegation settings, perform the attacks described above, and harvest TGTs from any user that connects to the system.\n\n#### Possible investigation steps\n\n- Investigate how the privilege was assigned to the user and who assigned it.\n- Investigate other potentially malicious activity that was performed by the user that assigned the privileges using the `user.id` and `winlog.activity_id` fields as a filter during the past 48 hours.\n- Investigate other alerts associated with the users/host during the past 48 hours.\n\n### False positive analysis\n\n- The SeEnableDelegationPrivilege privilege should not be assigned to users. If this rule is triggered in your environment legitimately, the security team should notify the administrators about the risks of using it.\n\n### Related rules\n\n- KRBTGT Delegation Backdoor - e052c845-48d0-4f46-8a13-7d0aba05df82\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Remove the privilege from the account.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.action:\"Authorization Policy Change\" and event.code:4704 and\n winlog.event_data.PrivilegeList:\"SeEnableDelegationPrivilege\"\n", "references": ["https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_alert_active_directory_user_control.yml", "https://twitter.com/_nwodtuhs/status/1454049485080907776", "https://www.thehacker.recipes/ad/movement/kerberos/delegations", 
"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0105_windows_audit_authorization_policy_change.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.PrivilegeList", "type": "keyword"}], "risk_score": 73, "rule_id": "f494c678-3c33-43aa-b169-bb3d5198c41d", "setup": "The 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policy Configuration >\nAudit Policies >\nPolicy Change >\nAudit Authorization Policy Change (Success,Failure)\n```", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 108}, "id": "f494c678-3c33-43aa-b169-bb3d5198c41d_108", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_109.json b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_109.json
deleted file mode 100644
index 340254f7c70..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the assignment of the SeEnableDelegationPrivilege sensitive \"user right\" to a user. The SeEnableDelegationPrivilege \"user right\" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", "note": "## Triage and analysis\n\n### Investigating Sensitive Privilege SeEnableDelegationPrivilege assigned to a User\n\nKerberos delegation is an Active Directory feature that allows user and computer accounts to impersonate other accounts, act on their behalf, and use their privileges. Delegation (constrained and unconstrained) can be configured for user and computer objects.\n\nEnabling unconstrained delegation for a computer causes the computer to store the ticket-granting ticket (TGT) in memory at any time an account connects to the computer, so it can be used by the computer for impersonation when needed. Risk is heightened if an attacker compromises computers with unconstrained delegation enabled, as they could extract TGTs from memory and then replay them to move laterally on the domain. If the attacker coerces a privileged user to connect to the server, or if the user does so routinely, the account will be compromised and the attacker will be able to pass-the-ticket to privileged assets.\n\nSeEnableDelegationPrivilege is a user right that is controlled within the Local Security Policy of a domain controller and is managed through Group Policy. This setting is named **Enable computer and user accounts to be trusted for delegation**.\n\nIt is critical to control the assignment of this privilege. 
A user with this privilege and write access to a computer can control delegation settings, perform the attacks described above, and harvest TGTs from any user that connects to the system.\n\n#### Possible investigation steps\n\n- Investigate how the privilege was assigned to the user and who assigned it.\n- Investigate other potentially malicious activity that was performed by the user that assigned the privileges using the `user.id` and `winlog.activity_id` fields as a filter during the past 48 hours.\n- Investigate other alerts associated with the users/host during the past 48 hours.\n\n### False positive analysis\n\n- The SeEnableDelegationPrivilege privilege should not be assigned to users. If this rule is triggered in your environment legitimately, the security team should notify the administrators about the risks of using it.\n\n### Related rules\n\n- KRBTGT Delegation Backdoor - e052c845-48d0-4f46-8a13-7d0aba05df82\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Remove the privilege from the account.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "event.action:\"Authorization Policy Change\" and event.code:4704 and\n winlog.event_data.PrivilegeList:\"SeEnableDelegationPrivilege\"\n", "references": ["https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_alert_active_directory_user_control.yml", "https://twitter.com/_nwodtuhs/status/1454049485080907776", "https://www.thehacker.recipes/ad/movement/kerberos/delegations", 
"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0105_windows_audit_authorization_policy_change.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.PrivilegeList", "type": "keyword"}], "risk_score": 73, "rule_id": "f494c678-3c33-43aa-b169-bb3d5198c41d", "setup": "\nThe 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policy Configuration >\nAudit Policies >\nPolicy Change >\nAudit Authorization Policy Change (Success,Failure)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 109}, "id": "f494c678-3c33-43aa-b169-bb3d5198c41d_109", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_110.json b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_110.json
deleted file mode 100644
index b979a4abf96..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the assignment of the SeEnableDelegationPrivilege sensitive \"user right\" to a user. The SeEnableDelegationPrivilege \"user right\" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", "note": "## Triage and analysis\n\n### Investigating Sensitive Privilege SeEnableDelegationPrivilege assigned to a User\n\nKerberos delegation is an Active Directory feature that allows user and computer accounts to impersonate other accounts, act on their behalf, and use their privileges. Delegation (constrained and unconstrained) can be configured for user and computer objects.\n\nEnabling unconstrained delegation for a computer causes the computer to store the ticket-granting ticket (TGT) in memory at any time an account connects to the computer, so it can be used by the computer for impersonation when needed. Risk is heightened if an attacker compromises computers with unconstrained delegation enabled, as they could extract TGTs from memory and then replay them to move laterally on the domain. If the attacker coerces a privileged user to connect to the server, or if the user does so routinely, the account will be compromised and the attacker will be able to pass-the-ticket to privileged assets.\n\nSeEnableDelegationPrivilege is a user right that is controlled within the Local Security Policy of a domain controller and is managed through Group Policy. This setting is named **Enable computer and user accounts to be trusted for delegation**.\n\nIt is critical to control the assignment of this privilege. 
A user with this privilege and write access to a computer can control delegation settings, perform the attacks described above, and harvest TGTs from any user that connects to the system.\n\n#### Possible investigation steps\n\n- Investigate how the privilege was assigned to the user and who assigned it.\n- Investigate other potentially malicious activity that was performed by the user that assigned the privileges using the `user.id` and `winlog.activity_id` fields as a filter during the past 48 hours.\n- Investigate other alerts associated with the users/host during the past 48 hours.\n\n### False positive analysis\n\n- The SeEnableDelegationPrivilege privilege should not be assigned to users. If this rule is triggered in your environment legitimately, the security team should notify the administrators about the risks of using it.\n\n### Related rules\n\n- KRBTGT Delegation Backdoor - e052c845-48d0-4f46-8a13-7d0aba05df82\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Remove the privilege from the account.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:\"Authorization Policy Change\" and event.code:4704 and\n winlog.event_data.PrivilegeList:\"SeEnableDelegationPrivilege\"\n", "references": ["https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_alert_active_directory_user_control.yml", "https://twitter.com/_nwodtuhs/status/1454049485080907776", "https://www.thehacker.recipes/ad/movement/kerberos/delegations", 
"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0105_windows_audit_authorization_policy_change.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.PrivilegeList", "type": "keyword"}], "risk_score": 73, "rule_id": "f494c678-3c33-43aa-b169-bb3d5198c41d", "setup": "## Setup\n\nThe 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policy Configuration >\nAudit Policies >\nPolicy Change >\nAudit Authorization Policy Change (Success,Failure)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 110}, "id": "f494c678-3c33-43aa-b169-bb3d5198c41d_110", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_111.json b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_111.json
deleted file mode 100644
index bc0fd6f7efe..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the assignment of the SeEnableDelegationPrivilege sensitive \"user right\" to a user. The SeEnableDelegationPrivilege \"user right\" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", "note": "## Triage and analysis\n\n### Investigating Sensitive Privilege SeEnableDelegationPrivilege assigned to a User\n\nKerberos delegation is an Active Directory feature that allows user and computer accounts to impersonate other accounts, act on their behalf, and use their privileges. Delegation (constrained and unconstrained) can be configured for user and computer objects.\n\nEnabling unconstrained delegation for a computer causes the computer to store the ticket-granting ticket (TGT) in memory at any time an account connects to the computer, so it can be used by the computer for impersonation when needed. Risk is heightened if an attacker compromises computers with unconstrained delegation enabled, as they could extract TGTs from memory and then replay them to move laterally on the domain. If the attacker coerces a privileged user to connect to the server, or if the user does so routinely, the account will be compromised and the attacker will be able to pass-the-ticket to privileged assets.\n\nSeEnableDelegationPrivilege is a user right that is controlled within the Local Security Policy of a domain controller and is managed through Group Policy. This setting is named **Enable computer and user accounts to be trusted for delegation**.\n\nIt is critical to control the assignment of this privilege. 
A user with this privilege and write access to a computer can control delegation settings, perform the attacks described above, and harvest TGTs from any user that connects to the system.\n\n#### Possible investigation steps\n\n- Investigate how the privilege was assigned to the user and who assigned it.\n- Investigate other potentially malicious activity that was performed by the user that assigned the privileges using the `user.id` and `winlog.activity_id` fields as a filter during the past 48 hours.\n- Investigate other alerts associated with the users/host during the past 48 hours.\n\n### False positive analysis\n\n- The SeEnableDelegationPrivilege privilege should not be assigned to users. If this rule is triggered in your environment legitimately, the security team should notify the administrators about the risks of using it.\n\n### Related rules\n\n- KRBTGT Delegation Backdoor - e052c845-48d0-4f46-8a13-7d0aba05df82\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Remove the privilege from the account.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:\"Authorization Policy Change\" and event.code:4704 and\n winlog.event_data.PrivilegeList:\"SeEnableDelegationPrivilege\"\n", "references": ["https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_alert_active_directory_user_control.yml", "https://twitter.com/_nwodtuhs/status/1454049485080907776", "https://www.thehacker.recipes/ad/movement/kerberos/delegations", 
"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0105_windows_audit_authorization_policy_change.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.PrivilegeList", "type": "keyword"}], "risk_score": 73, "rule_id": "f494c678-3c33-43aa-b169-bb3d5198c41d", "setup": "## Setup\n\nThe 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policy Configuration >\nAudit Policies >\nPolicy Change >\nAudit Authorization Policy Change (Success,Failure)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 111}, "id": "f494c678-3c33-43aa-b169-bb3d5198c41d_111", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_112.json b/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_112.json
deleted file mode 100644
index e4bee4fc9bb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f494c678-3c33-43aa-b169-bb3d5198c41d_112.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the assignment of the SeEnableDelegationPrivilege sensitive \"user right\" to a user. The SeEnableDelegationPrivilege \"user right\" enables computer and user accounts to be trusted for delegation. Attackers can abuse this right to compromise Active Directory accounts and elevate their privileges.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Sensitive Privilege SeEnableDelegationPrivilege assigned to a User", "note": "## Triage and analysis\n\n### Investigating Sensitive Privilege SeEnableDelegationPrivilege assigned to a User\n\nKerberos delegation is an Active Directory feature that allows user and computer accounts to impersonate other accounts, act on their behalf, and use their privileges. Delegation (constrained and unconstrained) can be configured for user and computer objects.\n\nEnabling unconstrained delegation for a computer causes the computer to store the ticket-granting ticket (TGT) in memory at any time an account connects to the computer, so it can be used by the computer for impersonation when needed. Risk is heightened if an attacker compromises computers with unconstrained delegation enabled, as they could extract TGTs from memory and then replay them to move laterally on the domain. If the attacker coerces a privileged user to connect to the server, or if the user does so routinely, the account will be compromised and the attacker will be able to pass-the-ticket to privileged assets.\n\nSeEnableDelegationPrivilege is a user right that is controlled within the Local Security Policy of a domain controller and is managed through Group Policy. This setting is named **Enable computer and user accounts to be trusted for delegation**.\n\nIt is critical to control the assignment of this privilege. 
A user with this privilege and write access to a computer can control delegation settings, perform the attacks described above, and harvest TGTs from any user that connects to the system.\n\n#### Possible investigation steps\n\n- Investigate how the privilege was assigned to the user and who assigned it.\n- Investigate other potentially malicious activity that was performed by the user that assigned the privileges using the `user.id` and `winlog.activity_id` fields as a filter during the past 48 hours.\n- Investigate other alerts associated with the users/host during the past 48 hours.\n\n### False positive analysis\n\n- The SeEnableDelegationPrivilege privilege should not be assigned to users. If this rule is triggered in your environment legitimately, the security team should notify the administrators about the risks of using it.\n\n### Related rules\n\n- KRBTGT Delegation Backdoor - e052c845-48d0-4f46-8a13-7d0aba05df82\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Remove the privilege from the account.\n- Review the privileges of the administrator account that performed the action.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.action:\"Authorization Policy Change\" and event.code:4704 and\n winlog.event_data.PrivilegeList:\"SeEnableDelegationPrivilege\"\n", "references": ["https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_alert_active_directory_user_control.yml", "https://twitter.com/_nwodtuhs/status/1454049485080907776", "https://www.thehacker.recipes/ad/movement/kerberos/delegations", 
"https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0105_windows_audit_authorization_policy_change.md"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.PrivilegeList", "type": "keyword"}], "risk_score": 73, "rule_id": "f494c678-3c33-43aa-b169-bb3d5198c41d", "setup": "## Setup\n\nThe 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policy Configuration >\nAudit Policies >\nPolicy Change >\nAudit Authorization Policy Change (Success,Failure)\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 112}, "id": "f494c678-3c33-43aa-b169-bb3d5198c41d_112", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c.json b/packages/security_detection_engine/kibana/security_rule/f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c.json
deleted file mode 100644
index 12863bccdb3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple violations of AWS Bedrock guardrails within a single request, resulting in a block action, increasing the likelihood of malicious intent. Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.", "false_positives": ["Legitimate misunderstanding by users or overly strict policies"], "from": "now-60m", "interval": "10m", "language": "esql", "license": "Elastic License v2", "name": "AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request", "query": "from logs-aws_bedrock.invocation-*\n| where gen_ai.policy.action == \"BLOCKED\"\n| eval policy_violations = mv_count(gen_ai.policy.name)\n| where policy_violations > 1\n| stats total_unique_request_violations = count(*) by policy_violations, user.id, gen_ai.request.model.id, cloud.account.id\n| sort total_unique_request_violations desc\n", "references": ["https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", "https://atlas.mitre.org/techniques/AML.T0051", "https://atlas.mitre.org/techniques/AML.T0054", "https://www.elastic.co/security-labs/elastic-advances-llm-security"], "risk_score": 21, "rule_id": "f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c", "setup": "## Setup\n\nThis rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:\n\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\n", "severity": "low", "tags": ["Domain: LLM", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Resources: Investigation Guide", "Use Case: Policy Violation", "Mitre Atlas: T0051", "Mitre Atlas: T0054"], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c_1.json b/packages/security_detection_engine/kibana/security_rule/f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c_1.json
deleted file mode 100644
index 55c18e00dfa..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple violations of AWS Bedrock guardrails within a single request, resulting in a block action, increasing the likelihood of malicious intent. Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.", "false_positives": ["Legitimate misunderstanding by users or overly strict policies"], "from": "now-60m", "interval": "10m", "language": "esql", "license": "Elastic License v2", "name": "AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request", "query": "from logs-aws_bedrock.invocation-*\n| where gen_ai.policy.action == \"BLOCKED\"\n| eval policy_violations = mv_count(gen_ai.policy.name)\n| where policy_violations > 1\n| stats total_unique_request_violations = count(*) by policy_violations, user.id, gen_ai.request.model.id, cloud.account.id\n| sort total_unique_request_violations desc\n", "references": ["https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", "https://atlas.mitre.org/techniques/AML.T0051", "https://atlas.mitre.org/techniques/AML.T0054", "https://www.elastic.co/security-labs/elastic-advances-llm-security"], "risk_score": 21, "rule_id": "f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c", "setup": "## Setup\n\nThis rule requires that guardrails are configured in AWS Bedrock. For more information, see the AWS Bedrock documentation:\n\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\n", "severity": "low", "tags": ["Domain: LLM", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Resources: Investigation Guide", "Use Case: Policy Violation", "Mitre Atlas: T0051", "Mitre Atlas: T0054"], "timestamp_override": "event.ingested", "type": "esql", "version": 1}, "id": "f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c_2.json b/packages/security_detection_engine/kibana/security_rule/f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c_2.json
deleted file mode 100644
index c4d9c7b9830..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple violations of AWS Bedrock guardrails within a single request, resulting in a block action, increasing the likelihood of malicious intent. Multiple violations implies that a user may be intentionally attempting to cirvumvent security controls, access sensitive information, or possibly exploit a vulnerability in the system.", "false_positives": ["Legitimate misunderstanding by users or overly strict policies"], "from": "now-60m", "interval": "10m", "language": "esql", "license": "Elastic License v2", "name": "AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request", "query": "from logs-aws_bedrock.invocation-*\n| where gen_ai.policy.action == \"BLOCKED\"\n| eval policy_violations = mv_count(gen_ai.policy.name)\n| where policy_violations > 1\n| keep gen_ai.policy.action, policy_violations, user.id, gen_ai.request.model.id, cloud.account.id, user.id\n| stats total_unique_request_violations = count(*) by policy_violations, user.id, gen_ai.request.model.id, cloud.account.id\n| sort total_unique_request_violations desc\n", "references": ["https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html", "https://atlas.mitre.org/techniques/AML.T0051", "https://atlas.mitre.org/techniques/AML.T0054", "https://www.elastic.co/security-labs/elastic-advances-llm-security"], "risk_score": 21, "rule_id": "f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c", "setup": "## Setup\n\nThis rule requires that guardrails are configured in AWS Bedrock. 
For more information, see the AWS Bedrock documentation:\n\nhttps://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-create.html\n", "severity": "low", "tags": ["Domain: LLM", "Data Source: AWS Bedrock", "Data Source: AWS S3", "Resources: Investigation Guide", "Use Case: Policy Violation", "Mitre Atlas: T0051", "Mitre Atlas: T0054"], "timestamp_override": "event.ingested", "type": "esql", "version": 2}, "id": "f4c2515a-18bb-47ce-a768-1dc4e7b0fe6c_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee.json b/packages/security_detection_engine/kibana/security_rule/f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee.json
deleted file mode 100644
index c724e91099c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the installation of a Debian package (dpkg) by an unusual parent process. The dpkg command is used to install, remove, and manage Debian packages on a Linux system. Attackers can abuse the dpkg command to install malicious packages on a system.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "DPKG Package Installed by Unusual Parent Process", "new_terms_fields": ["process.parent.executable"], "query": "host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:dpkg and\nprocess.args:(\"-i\" or \"--install\")\n", "references": ["https://www.makeuseof.com/how-deb-packages-are-backdoored-how-to-detect-it/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.016", "name": "Installer Packages", "reference": "https://attack.mitre.org/techniques/T1546/016/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee_1.json b/packages/security_detection_engine/kibana/security_rule/f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee_1.json
deleted file mode 100644
index c223f366dc1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the installation of a Debian package (dpkg) by an unusual parent process. The dpkg command is used to install, remove, and manage Debian packages on a Linux system. Attackers can abuse the dpkg command to install malicious packages on a system.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "DPKG Package Installed by Unusual Parent Process", "new_terms_fields": ["process.parent.executable"], "query": "host.os.type:linux and event.category:process and event.type:start and event.action:exec and process.name:dpkg and\nprocess.args:(\"-i\" or \"--install\")\n", "references": ["https://www.makeuseof.com/how-deb-packages-are-backdoored-how-to-detect-it/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.016", "name": "Installer Packages", "reference": "https://attack.mitre.org/techniques/T1546/016/"}]}, {"id": "T1543", "name": "Create or Modify System Process", "reference": "https://attack.mitre.org/techniques/T1543/"}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1195", "name": "Supply Chain Compromise", "reference": "https://attack.mitre.org/techniques/T1195/", "subtechnique": [{"id": "T1195.002", "name": "Compromise Software Supply Chain", "reference": "https://attack.mitre.org/techniques/T1195/002/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "f4d1c0ac-aedb-4063-9fa6-cc651eb5e6ee_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73.json b/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73.json
deleted file mode 100644
index 0c57dc240f1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window. Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the purposes of extortion.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Data Encryption via OpenSSL Utility", "query": "sequence by host.id, user.name, process.parent.entity_id with maxspan=5s\n [ process where host.os.type == \"linux\" and event.action == \"exec\" and \n process.name == \"openssl\" and process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl*\", \"php*\", \"python*\", \"xargs\") and\n process.args == \"-in\" and process.args == \"-out\" and\n process.args in (\"-k\", \"-K\", \"-kfile\", \"-pass\", \"-iv\", \"-md\") and\n /* excluding base64 encoding options and including encryption password or key params */\n not process.args in (\"-d\", \"-a\", \"-A\", \"-base64\", \"-none\", \"-nosalt\") ] with runs=10\n", "references": ["https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", "https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": 
"keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "type": "eql", "version": 6}, "id": "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_1.json b/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_1.json deleted file mode 100644 index ef1b61c35e8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window. Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the purposes of extortion.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Data Encryption via OpenSSL Utility", "query": "sequence by host.id, user.name, process.parent.entity_id with maxspan=5s\n [ process where host.os.type == \"linux\" and event.action == \"exec\" and \n process.name == \"openssl\" and process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl*\", \"php*\", \"python*\", \"xargs\") and\n process.args == \"-in\" and process.args == \"-out\" and\n process.args in (\"-k\", \"-K\", \"-kfile\", \"-pass\", \"-iv\", \"-md\") and\n /* excluding base64 encoding options and including encryption password or key params */\n not process.args in (\"-d\", \"-a\", \"-A\", \"-base64\", \"-none\", \"-nosalt\") ] with runs=10\n", "references": ["https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", "https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": 
{"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "type": "eql", "version": 1}, "id": "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_2.json b/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_2.json deleted file mode 100644 index 551b111b45f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window. Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the purposes of extortion.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Data Encryption via OpenSSL Utility", "query": "sequence by host.id, user.name, process.parent.entity_id with maxspan=5s\n [ process where host.os.type == \"linux\" and event.action == \"exec\" and \n process.name == \"openssl\" and process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl*\", \"php*\", \"python*\", \"xargs\") and\n process.args == \"-in\" and process.args == \"-out\" and\n process.args in (\"-k\", \"-K\", \"-kfile\", \"-pass\", \"-iv\", \"-md\") and\n /* excluding base64 encoding options and including encryption password or key params */\n not process.args in (\"-d\", \"-a\", \"-A\", \"-base64\", \"-none\", \"-nosalt\") ] with runs=10\n", "references": ["https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", "https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "type": "eql", "version": 2}, "id": "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_3.json b/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_3.json deleted file mode 100644 index 2432e58aef2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window. Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the purposes of extortion.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Data Encryption via OpenSSL Utility", "query": "sequence by host.id, user.name, process.parent.entity_id with maxspan=5s\n [ process where host.os.type == \"linux\" and event.action == \"exec\" and \n process.name == \"openssl\" and process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl*\", \"php*\", \"python*\", \"xargs\") and\n process.args == \"-in\" and process.args == \"-out\" and\n process.args in (\"-k\", \"-K\", \"-kfile\", \"-pass\", \"-iv\", \"-md\") and\n /* excluding base64 encoding options and including encryption password or key params */\n not process.args in (\"-d\", \"-a\", \"-A\", \"-base64\", \"-none\", \"-nosalt\") ] with runs=10\n", "references": ["https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", "https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using 
Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "type": "eql", "version": 3}, "id": "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_4.json b/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_4.json deleted file mode 100644 index a822f3f8820..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window. Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the purposes of extortion.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Data Encryption via OpenSSL Utility", "query": "sequence by host.id, user.name, process.parent.entity_id with maxspan=5s\n [ process where host.os.type == \"linux\" and event.action == \"exec\" and \n process.name == \"openssl\" and process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl*\", \"php*\", \"python*\", \"xargs\") and\n process.args == \"-in\" and process.args == \"-out\" and\n process.args in (\"-k\", \"-K\", \"-kfile\", \"-pass\", \"-iv\", \"-md\") and\n /* excluding base64 encoding options and including encryption password or key params */\n not process.args in (\"-d\", \"-a\", \"-A\", \"-base64\", \"-none\", \"-nosalt\") ] with runs=10\n", "references": ["https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", "https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using 
Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "type": "eql", "version": 4}, "id": "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_5.json b/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_5.json deleted file mode 100644 index 5d9af941d4c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when the openssl command-line utility is used to encrypt multiple files on a host within a short time window. Adversaries may encrypt data on a single or multiple systems in order to disrupt the availability of their target's data and may attempt to hold the organization's data to ransom for the purposes of extortion.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Data Encryption via OpenSSL Utility", "query": "sequence by host.id, user.name, process.parent.entity_id with maxspan=5s\n [ process where host.os.type == \"linux\" and event.action == \"exec\" and \n process.name == \"openssl\" and process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\", \"perl*\", \"php*\", \"python*\", \"xargs\") and\n process.args == \"-in\" and process.args == \"-out\" and\n process.args in (\"-k\", \"-K\", \"-kfile\", \"-pass\", \"-iv\", \"-md\") and\n /* excluding base64 encoding options and including encryption password or key params */\n not process.args in (\"-d\", \"-a\", \"-A\", \"-base64\", \"-none\", \"-nosalt\") ] with runs=10\n", "references": ["https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", "https://www.trendmicro.com/en_us/research/21/f/bash-ransomware-darkradiation-targets-red-hat--and-debian-based-linux-distributions.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": 
"keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1486", "name": "Data Encrypted for Impact", "reference": "https://attack.mitre.org/techniques/T1486/"}]}], "type": "eql", "version": 5}, "id": "f530ca17-153b-4a7a-8cd3-98dd4b4ddf73_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc.json b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc.json deleted file mode 100644 index 2940c025549..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Script Executing PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Script Executing PowerShell\n\nThe Windows Script Host (WSH) is an Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for the spawn of the `powershell.exe` process with `cscript.exe` or `wscript.exe` as its parent process.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate commands executed by the spawned PowerShell process.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Determine how the script file was delivered (email attachment, dropped by other processes, etc.).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"cscript.exe\", \"wscript.exe\") and process.name : \"powershell.exe\" and\n not (\n process.parent.name : \"wscript.exe\" and\n process.parent.args : \"?:\\\\ProgramData\\\\intune-drive-mapping-generator\\\\IntuneDriveMapping-VBSHelper.vbs\" and\n process.parent.args : \"?:\\\\ProgramData\\\\intune-drive-mapping-generator\\\\DriveMapping.ps1\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", 
"Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_104.json b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_104.json
deleted file mode 100644
index 2742486292b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Script Executing PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Script Executing PowerShell\n\nThe Windows Script Host (WSH) is an Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for the spawn of the `powershell.exe` process with `cscript.exe` or `wscript.exe` as its parent process.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate commands executed by the spawned PowerShell process.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Determine how the script file was delivered (email attachment, dropped by other processes, etc.).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"cscript.exe\", \"wscript.exe\") and process.name : \"powershell.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_104", "type": 
"security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_105.json b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_105.json
deleted file mode 100644
index 21519f7fd7d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Script Executing PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Script Executing PowerShell\n\nThe Windows Script Host (WSH) is an Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for the spawn of the `powershell.exe` process with `cscript.exe` or `wscript.exe` as its parent process.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate commands executed by the spawned PowerShell process.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Determine how the script file was delivered (email attachment, dropped by other processes, etc.).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"cscript.exe\", \"wscript.exe\") and process.name : \"powershell.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": 
"f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_106.json b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_106.json
deleted file mode 100644
index 02b5ac81148..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Script Executing PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Script Executing PowerShell\n\nThe Windows Script Host (WSH) is an Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for the spawn of the `powershell.exe` process with `cscript.exe` or `wscript.exe` as its parent process.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate commands executed by the spawned PowerShell process.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Determine how the script file was delivered (email attachment, dropped by other processes, etc.).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"cscript.exe\", \"wscript.exe\") and process.name : \"powershell.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 
106}, "id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_107.json b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_107.json
deleted file mode 100644
index 810ed8cd106..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Script Executing PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Script Executing PowerShell\n\nThe Windows Script Host (WSH) is an Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for the spawn of the `powershell.exe` process with `cscript.exe` or `wscript.exe` as its parent process.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate commands executed by the spawned PowerShell process.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Determine how the script file was delivered (email attachment, dropped by other processes, etc.).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"cscript.exe\", \"wscript.exe\") and process.name : \"powershell.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_108.json b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_108.json
deleted file mode 100644
index 70f77ca7e49..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Script Executing PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Script Executing PowerShell\n\nThe Windows Script Host (WSH) is an Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for the spawn of the `powershell.exe` process with `cscript.exe` or `wscript.exe` as its parent process.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate commands executed by the spawned PowerShell process.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Determine how the script file was delivered (email attachment, dropped by other processes, etc.).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"cscript.exe\", \"wscript.exe\") and process.name : \"powershell.exe\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", 
"subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_109.json b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_109.json deleted file mode 100644 index 33a2e150f2e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_109.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Script Executing PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Script Executing PowerShell\n\nThe Windows Script Host (WSH) is an Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for the spawn of the `powershell.exe` process with `cscript.exe` or `wscript.exe` as its parent process.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate commands executed by the spawned PowerShell process.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Determine how the script file was delivered (email attachment, dropped by other processes, etc.).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"cscript.exe\", \"wscript.exe\") and process.name : \"powershell.exe\" and\n not (\n process.parent.name : \"wscript.exe\" and\n process.parent.args : \"?:\\\\ProgramData\\\\intune-drive-mapping-generator\\\\IntuneDriveMapping-VBSHelper.vbs\" and\n process.parent.args : \"?:\\\\ProgramData\\\\intune-drive-mapping-generator\\\\DriveMapping.ps1\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Resources: 
Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_110.json b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_110.json deleted file mode 100644 index f6f10c5d2cd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_110.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Script Executing PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Script Executing PowerShell\n\nThe Windows Script Host (WSH) is an Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for the spawn of the `powershell.exe` process with `cscript.exe` or `wscript.exe` as its parent process.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate commands executed by the spawned PowerShell process.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Determine how the script file was delivered (email attachment, dropped by other processes, etc.).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"cscript.exe\", \"wscript.exe\") and process.name : \"powershell.exe\" and\n not (\n process.parent.name : \"wscript.exe\" and\n process.parent.args : \"?:\\\\ProgramData\\\\intune-drive-mapping-generator\\\\IntuneDriveMapping-VBSHelper.vbs\" and\n process.parent.args : \"?:\\\\ProgramData\\\\intune-drive-mapping-generator\\\\DriveMapping.ps1\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", 
"Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_110", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_111.json b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_111.json deleted file mode 100644 index bda97dc4944..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_111.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Script Executing PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Script Executing PowerShell\n\nThe Windows Script Host (WSH) is an Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for the spawn of the `powershell.exe` process with `cscript.exe` or `wscript.exe` as its parent process.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate commands executed by the spawned PowerShell process.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Determine how the script file was delivered (email attachment, dropped by other processes, etc.).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"cscript.exe\", \"wscript.exe\") and process.name : \"powershell.exe\" and\n not (\n process.parent.name : \"wscript.exe\" and\n process.parent.args : \"?:\\\\ProgramData\\\\intune-drive-mapping-generator\\\\IntuneDriveMapping-VBSHelper.vbs\" and\n process.parent.args : \"?:\\\\ProgramData\\\\intune-drive-mapping-generator\\\\DriveMapping.ps1\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", 
"Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_111", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_112.json b/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_112.json deleted file mode 100644 index 17e841da151..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_112.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Script Executing PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Script Executing PowerShell\n\nThe Windows Script Host (WSH) is an Windows automation technology, which is ideal for non-interactive scripting needs, such as logon scripting, administrative scripting, and machine automation.\n\nAttackers commonly use WSH scripts as their initial access method, acting like droppers for second stage payloads, but can also use them to download tools and utilities needed to accomplish their goals.\n\nThis rule looks for the spawn of the `powershell.exe` process with `cscript.exe` or `wscript.exe` as its parent process.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate commands executed by the spawned PowerShell process.\n- If unsigned files are found on the process tree, retrieve them and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Determine how the script file was delivered (email attachment, dropped by other processes, etc.).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n\n### False positive analysis\n\n- The usage of these script engines by regular users is unlikely. 
In the case of authorized benign true positives (B-TPs), exceptions can be added.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- If the malicious file was delivered via phishing:\n - Block the email sender from sending future emails.\n - Block the malicious web pages.\n - Remove emails from the sender from mailboxes.\n - Consider improvements to the security awareness program.\n- Reimage the host operating system and restore compromised files to clean versions.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : (\"cscript.exe\", \"wscript.exe\") and process.name : \"powershell.exe\" and\n not (\n process.parent.name : \"wscript.exe\" and\n process.parent.args : \"?:\\\\ProgramData\\\\intune-drive-mapping-generator\\\\IntuneDriveMapping-VBSHelper.vbs\" and\n process.parent.args : \"?:\\\\ProgramData\\\\intune-drive-mapping-generator\\\\DriveMapping.ps1\"\n )\n", "references": ["https://www.elastic.co/security-labs/operation-bleeding-bear"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", 
"Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1566", "name": "Phishing", "reference": "https://attack.mitre.org/techniques/T1566/", "subtechnique": [{"id": "T1566.001", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1566/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.005", "name": "Visual Basic", "reference": "https://attack.mitre.org/techniques/T1059/005/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f5488ac1-099e-4008-a6cb-fb638a0f0828.json b/packages/security_detection_engine/kibana/security_rule/f5488ac1-099e-4008-a6cb-fb638a0f0828.json deleted file mode 100644 index 9ba2b774c19..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f5488ac1-099e-4008-a6cb-fb638a0f0828.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects an incoming SSH connection established inside a running container. Running an ssh daemon inside a container should be avoided and monitored closely if necessary. If an attacker gains valid credentials they can use it to gain initial access or establish persistence within a compromised environment.", "false_positives": ["SSH usage may be legitimate depending on the environment. Access patterns and follow-on activity should be analyzed to distinguish between authorized and potentially malicious behavior."], "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "SSH Connection Established Inside A Running Container", "query": "process where container.id: \"*\" and event.type == \"start\" and \n\n/* use of sshd to enter a container*/\nprocess.entry_leader.entry_meta.type: \"sshd\" and \n\n/* process is the initial process run in a container or start of a new session*/\n(process.entry_leader.same_as_process== true or process.session_leader.same_as_process== true) and \n\n/* interactive process*/\nprocess.interactive== true\n", "references": ["https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container/"], "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "container.id", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.entry_leader.entry_meta.type", "type": "keyword"}, {"ecs": true, "name": "process.entry_leader.same_as_process", "type": "boolean"}, {"ecs": true, "name": "process.interactive", "type": "boolean"}, {"ecs": true, "name": "process.session_leader.same_as_process", "type": "boolean"}], "risk_score": 73, "rule_id": "f5488ac1-099e-4008-a6cb-fb638a0f0828", "severity": "high", "tags": ["Data Source: Elastic Defend for 
Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1133", "name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "f5488ac1-099e-4008-a6cb-fb638a0f0828", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f5488ac1-099e-4008-a6cb-fb638a0f0828_1.json b/packages/security_detection_engine/kibana/security_rule/f5488ac1-099e-4008-a6cb-fb638a0f0828_1.json
deleted file mode 100644
index ac71d80c96d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f5488ac1-099e-4008-a6cb-fb638a0f0828_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects an incoming SSH connection established inside a running container. Running an ssh daemon inside a container should be avoided and monitored closely if necessary. If an attacker gains valid credentials they can use it to gain initial access or establish persistence within a compromised environment.", "false_positives": ["SSH usage may be legitimate depending on the environment. Access patterns and follow-on activity should be analyzed to distinguish between authorized and potentially malicious behavior."], "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "SSH Connection Established Inside A Running Container", "query": "process where container.id: \"*\" and event.type == \"start\" and \n\n/* use of sshd to enter a container*/\nprocess.entry_leader.entry_meta.type: \"sshd\" and \n\n/* process is the initial process run in a container or start of a new session*/\n(process.entry_leader.same_as_process== true or process.session_leader.same_as_process== true) and \n\n/* interactive process*/\nprocess.interactive== true\n", "references": ["https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/SSH%20server%20running%20inside%20container/"], "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "container.id", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.entry_leader.entry_meta.type", "type": "keyword"}, {"ecs": true, "name": "process.entry_leader.same_as_process", "type": "boolean"}, {"ecs": true, "name": "process.interactive", "type": "boolean"}, {"ecs": true, "name": "process.session_leader.same_as_process", "type": "boolean"}], "risk_score": 73, "rule_id": "f5488ac1-099e-4008-a6cb-fb638a0f0828", "severity": "high", "tags": ["Elastic", "Host", "Linux", "Threat 
Detection", "Initial Access", "Lateral Movement", "Container"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1133", "name": "External Remote Services", "reference": "https://attack.mitre.org/techniques/T1133/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "f5488ac1-099e-4008-a6cb-fb638a0f0828_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec.json b/packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec.json
deleted file mode 100644
index 23fe1e05e17..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials via rogue UNC path injection.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Rare SMB Connection to the Internet", "new_terms_fields": ["destination.ip"], "query": "event.category:network and host.os.type:windows and process.pid:4 and \n network.transport:tcp and destination.port:(139 or 445) and \n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", "references": ["https://www.securify.nl/en/blog/living-off-the-land-stealing-netntlm-hashes/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "f580bf0a-2d23-43bb-b8e1-17548bb947ec", "severity": "medium", "tags": 
["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1048", "name": "Exfiltration Over Alternative Protocol", "reference": "https://attack.mitre.org/techniques/T1048/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 3}, "id": "f580bf0a-2d23-43bb-b8e1-17548bb947ec", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_1.json b/packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_1.json
deleted file mode 100644
index d981a0e2586..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials via rogue UNC path injection.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Rare SMB Connection to the Internet", "new_terms_fields": ["destination.ip"], "query": "event.category:network and host.os.type:windows and process.pid:4 and \n network.transport:tcp and destination.port:(139 or 445) and \n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", "references": ["https://www.securify.nl/en/blog/living-off-the-land-stealing-netntlm-hashes/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "f580bf0a-2d23-43bb-b8e1-17548bb947ec", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", 
"Use Case: Threat Detection", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1048", "name": "Exfiltration Over Alternative Protocol", "reference": "https://attack.mitre.org/techniques/T1048/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "f580bf0a-2d23-43bb-b8e1-17548bb947ec_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_108.json b/packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_108.json
deleted file mode 100644
index 781782b9e59..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials via rogue UNC path injection.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "kuery", "license": "Elastic License v2", "name": "Rare SMB Connection to the Internet", "new_terms_fields": ["destination.ip"], "query": "event.category:network and host.os.type:windows and process.pid:4 and \n network.transport:tcp and destination.port:(139 or 445) and \n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", "references": ["https://www.securify.nl/en/blog/living-off-the-land-stealing-netntlm-hashes/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": 
"process.pid", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "f580bf0a-2d23-43bb-b8e1-17548bb947ec", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1048", "name": "Exfiltration Over Alternative Protocol", "reference": "https://attack.mitre.org/techniques/T1048/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 108}, "id": "f580bf0a-2d23-43bb-b8e1-17548bb947ec_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_2.json b/packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_2.json
deleted file mode 100644
index 704b58010ce..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials via rogue UNC path injection.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Rare SMB Connection to the Internet", "new_terms_fields": ["destination.ip"], "query": "event.category:network and host.os.type:windows and process.pid:4 and \n network.transport:tcp and destination.port:(139 or 445) and \n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", "references": ["https://www.securify.nl/en/blog/living-off-the-land-stealing-netntlm-hashes/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "f580bf0a-2d23-43bb-b8e1-17548bb947ec", "severity": "medium", "tags": ["Domain: 
Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1048", "name": "Exfiltration Over Alternative Protocol", "reference": "https://attack.mitre.org/techniques/T1048/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "f580bf0a-2d23-43bb-b8e1-17548bb947ec_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_3.json b/packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_3.json
deleted file mode 100644
index 43ab5bebdda..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials via rogue UNC path injection.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Rare SMB Connection to the Internet", "new_terms_fields": ["destination.ip"], "query": "event.category:network and host.os.type:windows and process.pid:4 and \n network.transport:tcp and destination.port:(139 or 445) and \n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", "references": ["https://www.securify.nl/en/blog/living-off-the-land-stealing-netntlm-hashes/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": "process.pid", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "f580bf0a-2d23-43bb-b8e1-17548bb947ec", "severity": "medium", "tags": 
["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1048", "name": "Exfiltration Over Alternative Protocol", "reference": "https://attack.mitre.org/techniques/T1048/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 3}, "id": "f580bf0a-2d23-43bb-b8e1-17548bb947ec_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_6.json b/packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_6.json
deleted file mode 100644
index 37e9f9f40a3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f580bf0a-2d23-43bb-b8e1-17548bb947ec_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects rare internet network connections via the SMB protocol. SMB is commonly used to leak NTLM credentials via rogue UNC path injection.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "kuery", "license": "Elastic License v2", "name": "Rare SMB Connection to the Internet", "new_terms_fields": ["destination.ip"], "query": "event.category:network and host.os.type:windows and process.pid:4 and \n network.transport:tcp and destination.port:(139 or 445) and \n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n ) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n )\n", "references": ["https://www.securify.nl/en/blog/living-off-the-land-stealing-netntlm-hashes/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "destination.port", "type": "long"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.transport", "type": "keyword"}, {"ecs": true, "name": 
"process.pid", "type": "long"}, {"ecs": true, "name": "source.ip", "type": "ip"}], "risk_score": 47, "rule_id": "f580bf0a-2d23-43bb-b8e1-17548bb947ec", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Exfiltration", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1048", "name": "Exfiltration Over Alternative Protocol", "reference": "https://attack.mitre.org/techniques/T1048/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 6}, "id": "f580bf0a-2d23-43bb-b8e1-17548bb947ec_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97.json b/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97.json
deleted file mode 100644
index 595a4394d9c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the access on an object with WRITEDAC permissions. With the WRITEDAC permission, the user can perform a Write Discretionary Access Control List (WriteDACL) operation, which is used to modify the access control rules associated with a specific object within Active Directory. Attackers may abuse this privilege to grant themselves or other compromised accounts additional rights, ultimately compromising the target object, resulting in privilege escalation, lateral movement, and persistence.", "from": "now-119m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "WRITEDAC Access on Active Directory Object", "query": "host.os.type: \"windows\" and event.action : (\"Directory Service Access\" or \"object-operation-performed\") and\n event.code : \"4662\" and winlog.event_data.AccessMask:\"0x40000\"\n", "references": ["https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors.pdf"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}], "risk_score": 21, "rule_id": "f5861570-e39a-4b8a-9259-abd39f84cb97", "setup": "## Setup\n\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service 
Access (Success,Failure)\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Rule Type: BBR", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/", "subtechnique": [{"id": "T1222.001", "name": "Windows File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "f5861570-e39a-4b8a-9259-abd39f84cb97", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_1.json b/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_1.json
deleted file mode 100644
index ce85c225ffa..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the access on an object with WRITEDAC permissions. With the WRITEDAC permission, the user can perform a Write Discretionary Access Control List (WriteDACL) operation, which is used to modify the access control rules associated with a specific object within Active Directory. Attackers may abuse this privilege to grant themselves or other compromised accounts additional rights, ultimately compromising the target object, resulting in privilege escalation, lateral movement, and persistence.", "from": "now-119m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "WRITEDAC Access on Active Directory Object", "query": "event.action:\"Directory Service Access\" and event.code:\"5136\" and\n winlog.event_data.AccessMask:\"0x40000\"\n", "references": ["https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors.pdf"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}], "risk_score": 21, "rule_id": "f5861570-e39a-4b8a-9259-abd39f84cb97", "setup": "The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure). 
Steps to implement the logging policy with Advanced Audit Configuration: ``` Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > DS Access > Audit Directory Service Access (Success,Failure) ```", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "f5861570-e39a-4b8a-9259-abd39f84cb97_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_2.json b/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_2.json
deleted file mode 100644
index d010f1a230c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the access on an object with WRITEDAC permissions. With the WRITEDAC permission, the user can perform a Write Discretionary Access Control List (WriteDACL) operation, which is used to modify the access control rules associated with a specific object within Active Directory. Attackers may abuse this privilege to grant themselves or other compromised accounts additional rights, ultimately compromising the target object, resulting in privilege escalation, lateral movement, and persistence.", "from": "now-119m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "WRITEDAC Access on Active Directory Object", "query": "event.action:\"Directory Service Access\" and event.code:\"5136\" and\n winlog.event_data.AccessMask:\"0x40000\"\n", "references": ["https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors.pdf"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}], "risk_score": 21, "rule_id": "f5861570-e39a-4b8a-9259-abd39f84cb97", "setup": "The 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense 
Evasion", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/", "subtechnique": [{"id": "T1222.001", "name": "Windows File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "f5861570-e39a-4b8a-9259-abd39f84cb97_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_3.json b/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_3.json deleted file mode 100644 index 179752bfa9d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the access on an object with WRITEDAC permissions. With the WRITEDAC permission, the user can perform a Write Discretionary Access Control List (WriteDACL) operation, which is used to modify the access control rules associated with a specific object within Active Directory. Attackers may abuse this privilege to grant themselves or other compromised accounts additional rights, ultimately compromising the target object, resulting in privilege escalation, lateral movement, and persistence.", "from": "now-119m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "WRITEDAC Access on Active Directory Object", "query": "event.action:\"Directory Service Access\" and event.code:\"5136\" and\n winlog.event_data.AccessMask:\"0x40000\"\n", "references": ["https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors.pdf"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}], "risk_score": 21, "rule_id": "f5861570-e39a-4b8a-9259-abd39f84cb97", "setup": "## Setup\n\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Access (Success,Failure)\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: 
Defense Evasion", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/", "subtechnique": [{"id": "T1222.001", "name": "Windows File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "f5861570-e39a-4b8a-9259-abd39f84cb97_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_4.json b/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_4.json deleted file mode 100644 index 7680c4b76aa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the access on an object with WRITEDAC permissions. With the WRITEDAC permission, the user can perform a Write Discretionary Access Control List (WriteDACL) operation, which is used to modify the access control rules associated with a specific object within Active Directory. Attackers may abuse this privilege to grant themselves or other compromised accounts additional rights, ultimately compromising the target object, resulting in privilege escalation, lateral movement, and persistence.", "from": "now-119m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "WRITEDAC Access on Active Directory Object", "query": "host.os.type: \"windows\" and event.action : (\"Directory Service Access\" or \"object-operation-performed\") and\n event.code : \"4662\" and winlog.event_data.AccessMask:\"0x40000\"\n", "references": ["https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors.pdf"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}], "risk_score": 21, "rule_id": "f5861570-e39a-4b8a-9259-abd39f84cb97", "setup": "## Setup\n\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service 
Access (Success,Failure)\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/", "subtechnique": [{"id": "T1222.001", "name": "Windows File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "f5861570-e39a-4b8a-9259-abd39f84cb97_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_5.json b/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_5.json deleted file mode 100644 index dc055aa289c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the access on an object with WRITEDAC permissions. With the WRITEDAC permission, the user can perform a Write Discretionary Access Control List (WriteDACL) operation, which is used to modify the access control rules associated with a specific object within Active Directory. Attackers may abuse this privilege to grant themselves or other compromised accounts additional rights, ultimately compromising the target object, resulting in privilege escalation, lateral movement, and persistence.", "from": "now-119m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "WRITEDAC Access on Active Directory Object", "query": "host.os.type: \"windows\" and event.action : (\"Directory Service Access\" or \"object-operation-performed\") and\n event.code : \"4662\" and winlog.event_data.AccessMask:\"0x40000\"\n", "references": ["https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors.pdf"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}], "risk_score": 21, "rule_id": "f5861570-e39a-4b8a-9259-abd39f84cb97", "setup": "## Setup\n\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service 
Access (Success,Failure)\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Rule Type: BBR", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/", "subtechnique": [{"id": "T1222.001", "name": "Windows File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "f5861570-e39a-4b8a-9259-abd39f84cb97_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_6.json b/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_6.json deleted file mode 100644 index 511d5b5bc7a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f5861570-e39a-4b8a-9259-abd39f84cb97_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the access on an object with WRITEDAC permissions. With the WRITEDAC permission, the user can perform a Write Discretionary Access Control List (WriteDACL) operation, which is used to modify the access control rules associated with a specific object within Active Directory. Attackers may abuse this privilege to grant themselves or other compromised accounts additional rights, ultimately compromising the target object, resulting in privilege escalation, lateral movement, and persistence.", "from": "now-119m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "WRITEDAC Access on Active Directory Object", "query": "host.os.type: \"windows\" and event.action : (\"Directory Service Access\" or \"object-operation-performed\") and\n event.code : \"4662\" and winlog.event_data.AccessMask:\"0x40000\"\n", "references": ["https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors.pdf"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AccessMask", "type": "unknown"}], "risk_score": 21, "rule_id": "f5861570-e39a-4b8a-9259-abd39f84cb97", "setup": "## Setup\n\nThe 'Audit Directory Service Access' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service 
Access (Success,Failure)\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Rule Type: BBR", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/", "subtechnique": [{"id": "T1222.001", "name": "Windows File and Directory Permissions Modification", "reference": "https://attack.mitre.org/techniques/T1222/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 6}, "id": "f5861570-e39a-4b8a-9259-abd39f84cb97_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798.json b/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798.json deleted file mode 100644 index 86e83dcd591..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of wmic.exe to run commands on remote hosts. While this can be used by administrators legitimately, attackers can abuse this built-in utility to achieve lateral movement.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "WMIC Remote Command", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"WMIC.exe\" and\n process.args : \"*node:*\" and\n process.args : (\"call\", \"set\", \"get\") and\n not process.args : (\"*/node:localhost*\", \"*/node:\\\"127.0.0.1\\\"*\", \"/node:127.0.0.1\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f59668de-caa0-4b84-94c1-3a1549e1e798", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": 
"https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "f59668de-caa0-4b84-94c1-3a1549e1e798", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_1.json b/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_1.json deleted file mode 100644 index 072987ef8ae..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of wmic.exe to run commands on remote hosts. While this can be used by administrators legitimately, attackers can abuse this built-in utility to achieve lateral movement.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "WMIC Remote Command", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"WMIC.exe\" and\n process.args : \"*node:*\" and\n process.args : (\"call\", \"set\", \"get\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f59668de-caa0-4b84-94c1-3a1549e1e798", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "f59668de-caa0-4b84-94c1-3a1549e1e798_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_2.json b/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_2.json
deleted file mode 100644
index a734951203a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of wmic.exe to run commands on remote hosts. While this can be used by administrators legitimately, attackers can abuse this built-in utility to achieve lateral movement.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "WMIC Remote Command", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"WMIC.exe\" and\n process.args : \"*node:*\" and\n process.args : (\"call\", \"set\", \"get\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f59668de-caa0-4b84-94c1-3a1549e1e798", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": 
"f59668de-caa0-4b84-94c1-3a1549e1e798_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_3.json b/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_3.json deleted file mode 100644 index ccedf1b6ff5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of wmic.exe to run commands on remote hosts. While this can be used by administrators legitimately, attackers can abuse this built-in utility to achieve lateral movement.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "WMIC Remote Command", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"WMIC.exe\" and\n process.args : \"*node:*\" and\n process.args : (\"call\", \"set\", \"get\") and\n not process.args : (\"*/node:localhost*\", \"*/node:\\\"127.0.0.1\\\"*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f59668de-caa0-4b84-94c1-3a1549e1e798", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "f59668de-caa0-4b84-94c1-3a1549e1e798_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_4.json b/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_4.json deleted file mode 100644 index e6e2bbdb817..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of wmic.exe to run commands on remote hosts. While this can be used by administrators legitimately, attackers can abuse this built-in utility to achieve lateral movement.", "from": "now-119m", "index": ["logs-endpoint.events.process-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "WMIC Remote Command", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"WMIC.exe\" and\n process.args : \"*node:*\" and\n process.args : (\"call\", \"set\", \"get\") and\n not process.args : (\"*/node:localhost*\", \"*/node:\\\"127.0.0.1\\\"*\", \"/node:127.0.0.1\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f59668de-caa0-4b84-94c1-3a1549e1e798", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": 
"https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "f59668de-caa0-4b84-94c1-3a1549e1e798_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_5.json b/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_5.json deleted file mode 100644 index 02b87401fbc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of wmic.exe to run commands on remote hosts. While this can be used by administrators legitimately, attackers can abuse this built-in utility to achieve lateral movement.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "WMIC Remote Command", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"WMIC.exe\" and\n process.args : \"*node:*\" and\n process.args : (\"call\", \"set\", \"get\") and\n not process.args : (\"*/node:localhost*\", \"*/node:\\\"127.0.0.1\\\"*\", \"/node:127.0.0.1\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f59668de-caa0-4b84-94c1-3a1549e1e798", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": 
"https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "f59668de-caa0-4b84-94c1-3a1549e1e798_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_6.json b/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_6.json deleted file mode 100644 index 0949cd69827..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f59668de-caa0-4b84-94c1-3a1549e1e798_6.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of wmic.exe to run commands on remote hosts. While this can be used by administrators legitimately, attackers can abuse this built-in utility to achieve lateral movement.", "from": "now-119m", "index": ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "winlogbeat-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "WMIC Remote Command", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : \"WMIC.exe\" and\n process.args : \"*node:*\" and\n process.args : (\"call\", \"set\", \"get\") and\n not process.args : (\"*/node:localhost*\", \"*/node:\\\"127.0.0.1\\\"*\", \"/node:127.0.0.1\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f59668de-caa0-4b84-94c1-3a1549e1e798", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend", "Rule Type: BBR", "Data Source: Sysmon", "Data Source: Elastic Endgame", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.006", "name": "Windows Remote Management", "reference": "https://attack.mitre.org/techniques/T1021/006/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": 
"https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1047", "name": "Windows Management Instrumentation", "reference": "https://attack.mitre.org/techniques/T1047/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "f59668de-caa0-4b84-94c1-3a1549e1e798_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97.json b/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97.json
deleted file mode 100644
index fe93534b5e5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap. Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. Threat actors can exploit these attributes to achieve persistence by creating malicious binaries, allowing them to maintain control over a compromised system with elevated permissions.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Setcap setuid/setgid Capability Set", "note": "## Triage and analysis\n\n### Investigating Setcap setuid/setgid Capability Set\n\nSetuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group.\n\nThreat actors can exploit these attributes to achieve persistence by creating malicious binaries, allowing them to maintain control over a compromised system with elevated permissions.\n\nThis rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was targeted by the addition of the setuid/setgid capability through OSQuery.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, 
protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and \nprocess.name == \"setcap\" and process.args : \"cap_set?id+ep\" and not process.parent.name in (\"jem\", \"vzctl\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f5c005d3-4e17-48b0-9cd7-444d48857f97", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.001", "name": "Setuid and Setgid", "reference": "https://attack.mitre.org/techniques/T1548/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "f5c005d3-4e17-48b0-9cd7-444d48857f97", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_1.json b/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_1.json
deleted file mode 100644
index 3c1c9ee44b9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap. Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. Threat actors can exploit these attributes to achieve persistence by creating malicious binaries, allowing them to maintain control over a compromised system with elevated permissions.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Setcap setuid/setgid Capability Set", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"setcap\" and process.args : \"cap_set?id+ep\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f5c005d3-4e17-48b0-9cd7-444d48857f97", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.001", "name": "Setuid and Setgid", "reference": 
"https://attack.mitre.org/techniques/T1548/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "f5c005d3-4e17-48b0-9cd7-444d48857f97_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_2.json b/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_2.json
deleted file mode 100644
index 9a79ac42507..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap. Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. Threat actors can exploit these attributes to achieve persistence by creating malicious binaries, allowing them to maintain control over a compromised system with elevated permissions.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Setcap setuid/setgid Capability Set", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"setcap\" and process.args : \"cap_set?id+ep\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f5c005d3-4e17-48b0-9cd7-444d48857f97", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.001", "name": "Setuid and Setgid", "reference": "https://attack.mitre.org/techniques/T1548/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "f5c005d3-4e17-48b0-9cd7-444d48857f97_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_3.json b/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_3.json
deleted file mode 100644
index f3a2ab32570..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap. Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. Threat actors can exploit these attributes to achieve persistence by creating malicious binaries, allowing them to maintain control over a compromised system with elevated permissions.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Setcap setuid/setgid Capability Set", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"setcap\" and process.args : \"cap_set?id+ep\" and not process.parent.name : \"jem\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f5c005d3-4e17-48b0-9cd7-444d48857f97", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.001", "name": "Setuid and Setgid", "reference": "https://attack.mitre.org/techniques/T1548/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "f5c005d3-4e17-48b0-9cd7-444d48857f97_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_4.json b/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_4.json
deleted file mode 100644
index 363428ada8d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_4.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap. Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. Threat actors can exploit these attributes to achieve persistence by creating malicious binaries, allowing them to maintain control over a compromised system with elevated permissions.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Setcap setuid/setgid Capability Set", "note": "## Triage and analysis\n\n### Investigating Setcap setuid/setgid Capability Set\n\nSetuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group.\n\nThreat actors can exploit these attributes to achieve persistence by creating malicious binaries, allowing them to maintain control over a compromised system with elevated permissions.\n\nThis rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was targeted by the addition of the setuid/setgid capability through OSQuery.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, 
protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \nprocess.name == \"setcap\" and process.args : \"cap_set?id+ep\" and not process.parent.name : \"jem\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f5c005d3-4e17-48b0-9cd7-444d48857f97", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.001", "name": "Setuid and Setgid", "reference": "https://attack.mitre.org/techniques/T1548/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "f5c005d3-4e17-48b0-9cd7-444d48857f97_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_5.json b/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_5.json deleted file mode 100644 index 5f1ec649ade..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f5c005d3-4e17-48b0-9cd7-444d48857f97_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap. Setuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group. Threat actors can exploit these attributes to achieve persistence by creating malicious binaries, allowing them to maintain control over a compromised system with elevated permissions.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Setcap setuid/setgid Capability Set", "note": "## Triage and analysis\n\n### Investigating Setcap setuid/setgid Capability Set\n\nSetuid (Set User ID) and setgid (Set Group ID) are Unix-like OS features that enable processes to run with elevated privileges, based on the file owner or group.\n\nThreat actors can exploit these attributes to achieve persistence by creating malicious binaries, allowing them to maintain control over a compromised system with elevated permissions.\n\nThis rule monitors for the addition of the cap_setuid+ep or cap_setgid+ep capabilities via setcap.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the file that was targeted by the addition of the setuid/setgid capability through OSQuery.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n - Cron jobs, services and other persistence mechanisms.\n - !{osquery{\"label\":\"Osquery - Retrieve Crontab Information\",\"query\":\"SELECT * FROM crontab\"}}\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, 
protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator that performed these actions for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and \nprocess.name == \"setcap\" and process.args : \"cap_set?id+ep\" and not process.parent.name in (\"jem\", \"vzctl\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f5c005d3-4e17-48b0-9cd7-444d48857f97", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.001", "name": "Setuid and Setgid", "reference": "https://attack.mitre.org/techniques/T1548/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "f5c005d3-4e17-48b0-9cd7-444d48857f97_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0.json b/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0.json deleted file mode 100644 index d94f881c40b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_high_sum_by_parent", "name": "Suspicious Windows Process Cluster Spawned by a Parent Process", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 5}, "id": "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_1.json b/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_1.json
deleted file mode 100644
index 332dbc9ef71..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_high_sum_by_parent", "name": "Suspicious Windows Process Cluster Spawned by a Parent Process", "note": "", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0", "setup": "The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. 
Please refer to this rule's references for more information.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 1}, "id": "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_2.json b/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_2.json deleted file mode 100644 index 2b7ec8d5aba..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_high_sum_by_parent", "name": "Suspicious Windows Process Cluster Spawned by a Parent Process", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0", "setup": "The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\nBefore you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 2}, "id": "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_3.json b/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_3.json deleted file mode 100644 index 9aa6b2457d3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_high_sum_by_parent", "name": "Suspicious Windows Process Cluster Spawned by a Parent Process", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\nBefore you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 3}, "id": "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_4.json b/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_4.json deleted file mode 100644 index 13f5e32680b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_high_sum_by_parent", "name": "Suspicious Windows Process Cluster Spawned by a Parent Process", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Under Settings, click Install Living off the Land Attack Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\n**Before you can enable this rule**, you'll need to enrich Windows process events with predictions from the Supervised LotL Attack Detection model. 
This is done via the ingest pipeline named `-problem_child_ingest_pipeline` installed with the LotL Attack Detection package.\n- If using an Elastic Beat such as Winlogbeat, add the LotL ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `winlogbeat.yml`.\n- If adding the LotL ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html). For example, you can check if your winlogbeat or Elastic Defend (the [default index pattern](https://docs.elastic.co/en/integrations/endpoint#logs) being `logs-endpoint*`) already has an ingest pipeline by navigating to `Data > Index Management`, finding the index (sometimes you need to toggle \"Include hidden indices\"), and checking the index's settings for a default or final [pipeline](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#set-default-pipeline).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the LotL ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"problemchild\": {\n \"properties\": {\n \"prediction\": {\n \"type\": \"long\"\n },\n \"prediction_probability\": {\n \"type\": \"float\"\n }\n }\n },\n \"blocklist_label\": {\n \"type\": \"long\"\n }\n }\n}\n```\n\n### Anomaly Detection Setup\n**Before you can enable this rule**, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. 
Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched Windows process events. For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `winlogbeat-*` if you used Winlogbeat.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/problemchild/kibana/ml_module/problemchild-ml.json) configuration file, you will see a card for \"Living off the Land Attack Detection\" under \"Use preconfigured jobs\". Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data in winlogbeat has come in yet, _you won't be able to see this card yet_. If that is the case, try troubleshooting the ingest pipeline, and if any ProblemChild predictions have been populated yet.\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 4}, "id": "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_5.json b/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_5.json deleted file mode 100644 index da487c26149..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_high_sum_by_parent", "name": "Suspicious Windows Process Cluster Spawned by a Parent Process", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "risk_score": 21, "rule_id": "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 5}, "id": "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_5", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_6.json b/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_6.json
deleted file mode 100644
index 07b60f2daeb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 75, "author": ["Elastic"], "description": "A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "problem_child_high_sum_by_parent", "name": "Suspicious Windows Process Cluster Spawned by a Parent Process", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/problemchild", "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"], "related_integrations": [{"package": "problemchild", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}], "risk_score": 21, "rule_id": "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0", "setup": "## Setup\n\nThe rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. 
\n\n### LotL Attack Detection Setup\nThe LotL Attack Detection integration detects living-off-the-land activity in Windows process events.\n\n#### Prerequisite Requirements:\n- Fleet is required for LotL Attack Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.\n\n#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Living off the Land Attack Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "type": "machine_learning", "version": 6}, "id": "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0_6", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002.json b/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002.json
deleted file mode 100644
index 71017c3f304..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rules identifies a process created from an executable with a space appended to the end of the filename. This may indicate an attempt to masquerade a malicious file as benign to gain user execution. When a space is added to the end of certain files, the OS will execute the file according to it's true filetype instead of it's extension. Adversaries can hide a program's true filetype by changing the extension of the file. They can then add a space to the end of the name so that the OS automatically executes the file when it's double-clicked.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Masquerading Space After Filename", "query": "process where host.os.type:(\"linux\",\"macos\") and\n event.type == \"start\" and\n (process.executable regex~ \"\"\"/[a-z0-9\\s_\\-\\\\./]+\\s\"\"\") and not\n process.name in (\"ls\", \"find\", \"grep\", \"xkbcomp\")\n", "references": ["https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1036-masquerading"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f5fb4598-4f10-11ed-bdc3-0242ac120002", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.006", "name": "Space after Filename", "reference": "https://attack.mitre.org/techniques/T1036/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "f5fb4598-4f10-11ed-bdc3-0242ac120002", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_2.json b/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_2.json deleted file mode 100644 index e018acad1f7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rules identifies a process created from an executable with a space appended to the end of the filename. This may indicate an attempt to masquerade a malicious file as benign to gain user execution. When a space is added to the end of certain files, the OS will execute the file according to it's true filetype instead of it's extension. Adversaries can hide a program's true filetype by changing the extension of the file. They can then add a space to the end of the name so that the OS automatically executes the file when it's double-clicked.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Masquerading Space After Filename", "note": "", "query": "process where host.os.type:(\"linux\",\"macos\") and\n event.type == \"start\" and\n (process.executable regex~ \"\"\"/[a-z0-9\\s_\\-\\\\./]+\\s\"\"\") and not\n process.name in (\"ls\", \"find\", \"grep\", \"xkbcomp\")\n", "references": ["https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1036-masquerading"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f5fb4598-4f10-11ed-bdc3-0242ac120002", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Defense Evasion"], "threat": [{"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.006", "name": "Space after Filename", "reference": "https://attack.mitre.org/techniques/T1036/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "f5fb4598-4f10-11ed-bdc3-0242ac120002_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_3.json b/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_3.json deleted file mode 100644 index dcd045b0567..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rules identifies a process created from an executable with a space appended to the end of the filename. This may indicate an attempt to masquerade a malicious file as benign to gain user execution. When a space is added to the end of certain files, the OS will execute the file according to it's true filetype instead of it's extension. Adversaries can hide a program's true filetype by changing the extension of the file. They can then add a space to the end of the name so that the OS automatically executes the file when it's double-clicked.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Masquerading Space After Filename", "note": "", "query": "process where host.os.type:(\"linux\",\"macos\") and\n event.type == \"start\" and\n (process.executable regex~ \"\"\"/[a-z0-9\\s_\\-\\\\./]+\\s\"\"\") and not\n process.name in (\"ls\", \"find\", \"grep\", \"xkbcomp\")\n", "references": ["https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1036-masquerading"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f5fb4598-4f10-11ed-bdc3-0242ac120002", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.006", "name": "Space after Filename", "reference": "https://attack.mitre.org/techniques/T1036/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "f5fb4598-4f10-11ed-bdc3-0242ac120002_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_4.json b/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_4.json deleted file mode 100644 index 4d88cd4c5b2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rules identifies a process created from an executable with a space appended to the end of the filename. This may indicate an attempt to masquerade a malicious file as benign to gain user execution. When a space is added to the end of certain files, the OS will execute the file according to it's true filetype instead of it's extension. Adversaries can hide a program's true filetype by changing the extension of the file. They can then add a space to the end of the name so that the OS automatically executes the file when it's double-clicked.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Masquerading Space After Filename", "note": "", "query": "process where host.os.type:(\"linux\",\"macos\") and\n event.type == \"start\" and\n (process.executable regex~ \"\"\"/[a-z0-9\\s_\\-\\\\./]+\\s\"\"\") and not\n process.name in (\"ls\", \"find\", \"grep\", \"xkbcomp\")\n", "references": ["https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1036-masquerading"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f5fb4598-4f10-11ed-bdc3-0242ac120002", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", 
"Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.006", "name": "Space after Filename", "reference": "https://attack.mitre.org/techniques/T1036/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "f5fb4598-4f10-11ed-bdc3-0242ac120002_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_5.json b/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_5.json deleted file mode 100644 index c64bd4ba932..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rules identifies a process created from an executable with a space appended to the end of the filename. This may indicate an attempt to masquerade a malicious file as benign to gain user execution. When a space is added to the end of certain files, the OS will execute the file according to it's true filetype instead of it's extension. Adversaries can hide a program's true filetype by changing the extension of the file. They can then add a space to the end of the name so that the OS automatically executes the file when it's double-clicked.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Masquerading Space After Filename", "query": "process where host.os.type:(\"linux\",\"macos\") and\n event.type == \"start\" and\n (process.executable regex~ \"\"\"/[a-z0-9\\s_\\-\\\\./]+\\s\"\"\") and not\n process.name in (\"ls\", \"find\", \"grep\", \"xkbcomp\")\n", "references": ["https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1036-masquerading"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f5fb4598-4f10-11ed-bdc3-0242ac120002", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.006", "name": "Space after Filename", "reference": "https://attack.mitre.org/techniques/T1036/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "f5fb4598-4f10-11ed-bdc3-0242ac120002_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_6.json b/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_6.json deleted file mode 100644 index 36197bc147a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f5fb4598-4f10-11ed-bdc3-0242ac120002_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rules identifies a process created from an executable with a space appended to the end of the filename. This may indicate an attempt to masquerade a malicious file as benign to gain user execution. When a space is added to the end of certain files, the OS will execute the file according to it's true filetype instead of it's extension. Adversaries can hide a program's true filetype by changing the extension of the file. They can then add a space to the end of the name so that the OS automatically executes the file when it's double-clicked.", "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Masquerading Space After Filename", "query": "process where host.os.type:(\"linux\",\"macos\") and\n event.type == \"start\" and\n (process.executable regex~ \"\"\"/[a-z0-9\\s_\\-\\\\./]+\\s\"\"\") and not\n process.name in (\"ls\", \"find\", \"grep\", \"xkbcomp\")\n", "references": ["https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1036-masquerading"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f5fb4598-4f10-11ed-bdc3-0242ac120002", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.006", "name": "Space after Filename", "reference": "https://attack.mitre.org/techniques/T1036/006/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "f5fb4598-4f10-11ed-bdc3-0242ac120002_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f638a66d-3bbf-46b1-a52c-ef6f39fb6caf.json b/packages/security_detection_engine/kibana/security_rule/f638a66d-3bbf-46b1-a52c-ef6f39fb6caf.json deleted file mode 100644 index df00ff57959..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f638a66d-3bbf-46b1-a52c-ef6f39fb6caf.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Adversaries may use built-in applications to get a listing of local system or domain accounts and groups.", "from": "now-119m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Account or Group Discovery via Built-In Tools", "query": "process where event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and ( \n (process.name in (\"groups\", \"id\")) or \n (process.name == \"dscl\" and process.args : (\"/Active Directory/*\", \"/Users*\", \"/Groups*\")) or\n (process.name == \"dscacheutil\" and process.args in (\"user\", \"group\")) or\n (process.args in (\"/etc/passwd\", \"/etc/master.passwd\", \"/etc/sudoers\")) or\n (process.name == \"getent\" and process.args in (\"passwd\", \"group\"))\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local 
Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}, {"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": "https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f638a66d-3bbf-46b1-a52c-ef6f39fb6caf_1.json b/packages/security_detection_engine/kibana/security_rule/f638a66d-3bbf-46b1-a52c-ef6f39fb6caf_1.json deleted file mode 100644 index df554f9b291..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f638a66d-3bbf-46b1-a52c-ef6f39fb6caf_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Adversaries may use built-in applications to get a listing of local system or domain accounts and groups.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Account or Group Discovery via Built-In Tools", "query": "process where event.type== \"start\" and event.action == \"exec\" and\n ( (process.name: (\"groups\",\"id\"))\n or (process.name : \"dscl\" and process.args : (\"/Active Directory/*\", \"/Users*\", \"/Groups*\"))\n or (process.name: \"dscacheutil\" and process.args:(\"user\", \"group\"))\n or process.args:(\"/etc/passwd\", \"/etc/master.passwd\", \"/etc/sudoers\")\n or (process.name: \"getent\" and process.args:(\"passwd\", \"group\"))\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}, {"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": 
"https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f638a66d-3bbf-46b1-a52c-ef6f39fb6caf_2.json b/packages/security_detection_engine/kibana/security_rule/f638a66d-3bbf-46b1-a52c-ef6f39fb6caf_2.json deleted file mode 100644 index 4c77a071b64..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f638a66d-3bbf-46b1-a52c-ef6f39fb6caf_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Adversaries may use built-in applications to get a listing of local system or domain accounts and groups.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Account or Group Discovery via Built-In Tools", "query": "process where event.type== \"start\" and event.action == \"exec\" and\n ( (process.name: (\"groups\",\"id\"))\n or (process.name : \"dscl\" and process.args : (\"/Active Directory/*\", \"/Users*\", \"/Groups*\"))\n or (process.name: \"dscacheutil\" and process.args:(\"user\", \"group\"))\n or process.args:(\"/etc/passwd\", \"/etc/master.passwd\", \"/etc/sudoers\")\n or (process.name: \"getent\" and process.args:(\"passwd\", \"group\"))\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": "https://attack.mitre.org/techniques/T1069/", "subtechnique": [{"id": "T1069.001", "name": "Local Groups", "reference": "https://attack.mitre.org/techniques/T1069/001/"}, {"id": "T1069.002", "name": "Domain Groups", "reference": "https://attack.mitre.org/techniques/T1069/002/"}]}, {"id": "T1087", "name": "Account Discovery", "reference": 
"https://attack.mitre.org/techniques/T1087/", "subtechnique": [{"id": "T1087.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1087/001/"}, {"id": "T1087.002", "name": "Domain Account", "reference": "https://attack.mitre.org/techniques/T1087/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "f638a66d-3bbf-46b1-a52c-ef6f39fb6caf_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73.json b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73.json deleted file mode 100644 index 102c68d153d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which can help attackers evade network constraints, like internet and network lateral communication restrictions.", "false_positives": ["Windows Firewall can be disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Firewall Disabled via PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Firewall Disabled via PowerShell\n\nWindows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Re-enable the firewall with its desired configurations.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.action == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name == \"PowerShell.EXE\") and\n process.args : \"*Set-NetFirewallProfile*\" and\n (process.args : \"*-Enabled*\" and process.args : \"*False*\") and\n (process.args : \"*-All*\" or process.args : (\"*Public*\", \"*Domain*\", \"*Private*\"))\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", "http://woshub.com/manage-windows-firewall-powershell/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "f63c8e3c-d396-404f-b2ea-0379d3942d73", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default 
fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "f63c8e3c-d396-404f-b2ea-0379d3942d73", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_104.json b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_104.json deleted file mode 100644 index 0eef2ea447e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which can help attackers evade network constraints, like internet and network lateral communication restrictions.", "false_positives": ["Windows Firewall can be disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Firewall Disabled via PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Firewall Disabled via PowerShell\n\nWindows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Re-enable the firewall with its desired configurations.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.action == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n process.args : \"*Set-NetFirewallProfile*\" and\n (process.args : \"*-Enabled*\" and process.args : \"*False*\") and\n (process.args : \"*-All*\" or process.args : (\"*Public*\", \"*Domain*\", \"*Private*\"))\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", "http://woshub.com/manage-windows-firewall-powershell/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "f63c8e3c-d396-404f-b2ea-0379d3942d73", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL 
rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "f63c8e3c-d396-404f-b2ea-0379d3942d73_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_105.json b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_105.json deleted file mode 100644 index 3cddf3c41a8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which can help attackers evade network constraints, like internet and network lateral communication restrictions.", "false_positives": ["Windows Firewall can be disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Firewall Disabled via PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Firewall Disabled via PowerShell\n\nWindows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Re-enable the firewall with its desired configurations.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.action == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n process.args : \"*Set-NetFirewallProfile*\" and\n (process.args : \"*-Enabled*\" and process.args : \"*False*\") and\n (process.args : \"*-All*\" or process.args : (\"*Public*\", \"*Domain*\", \"*Private*\"))\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", "http://woshub.com/manage-windows-firewall-powershell/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "f63c8e3c-d396-404f-b2ea-0379d3942d73", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL 
rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "f63c8e3c-d396-404f-b2ea-0379d3942d73_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_106.json b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_106.json deleted file mode 100644 index 97c7782c1fb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_106.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which can help attackers evade network constraints, like internet and network lateral communication restrictions.", "false_positives": ["Windows Firewall can be disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Firewall Disabled via PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Firewall Disabled via PowerShell\n\nWindows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Re-enable the firewall with its desired configurations.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.action == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n process.args : \"*Set-NetFirewallProfile*\" and\n (process.args : \"*-Enabled*\" and process.args : \"*False*\") and\n (process.args : \"*-All*\" or process.args : (\"*Public*\", \"*Domain*\", \"*Private*\"))\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", "http://woshub.com/manage-windows-firewall-powershell/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "f63c8e3c-d396-404f-b2ea-0379d3942d73", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL 
rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "f63c8e3c-d396-404f-b2ea-0379d3942d73_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_107.json b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_107.json
deleted file mode 100644
index bbfd83e5afa..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which can help attackers evade network constraints, like internet and network lateral communication restrictions.", "false_positives": ["Windows Firewall can be disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Firewall Disabled via PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Firewall Disabled via PowerShell\n\nWindows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Re-enable the firewall with its desired configurations.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.action == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n process.args : \"*Set-NetFirewallProfile*\" and\n (process.args : \"*-Enabled*\" and process.args : \"*False*\") and\n (process.args : \"*-All*\" or process.args : (\"*Public*\", \"*Domain*\", \"*Private*\"))\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", "http://woshub.com/manage-windows-firewall-powershell/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "f63c8e3c-d396-404f-b2ea-0379d3942d73", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL 
rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "f63c8e3c-d396-404f-b2ea-0379d3942d73_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_108.json b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_108.json
deleted file mode 100644
index 2ac01a6eed7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which can help attackers evade network constraints, like internet and network lateral communication restrictions.", "false_positives": ["Windows Firewall can be disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Firewall Disabled via PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Firewall Disabled via PowerShell\n\nWindows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Re-enable the firewall with its desired configurations.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "process where host.os.type == \"windows\" and event.action == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or process.pe.original_file_name == \"PowerShell.EXE\") and\n process.args : \"*Set-NetFirewallProfile*\" and\n (process.args : \"*-Enabled*\" and process.args : \"*False*\") and\n (process.args : \"*-All*\" or process.args : (\"*Public*\", \"*Domain*\", \"*Private*\"))\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", "http://woshub.com/manage-windows-firewall-powershell/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "f63c8e3c-d396-404f-b2ea-0379d3942d73", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for 
EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "f63c8e3c-d396-404f-b2ea-0379d3942d73_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_109.json b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_109.json
deleted file mode 100644
index b2882a19ff7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which can help attackers evade network constraints, like internet and network lateral communication restrictions.", "false_positives": ["Windows Firewall can be disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Firewall Disabled via PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Firewall Disabled via PowerShell\n\nWindows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Re-enable the firewall with its desired configurations.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.action == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name == \"PowerShell.EXE\") and\n process.args : \"*Set-NetFirewallProfile*\" and\n (process.args : \"*-Enabled*\" and process.args : \"*False*\") and\n (process.args : \"*-All*\" or process.args : (\"*Public*\", \"*Domain*\", \"*Private*\"))\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", "http://woshub.com/manage-windows-firewall-powershell/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "f63c8e3c-d396-404f-b2ea-0379d3942d73", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default 
fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "f63c8e3c-d396-404f-b2ea-0379d3942d73_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_110.json b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_110.json
deleted file mode 100644
index 771904ef934..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which can help attackers evade network constraints, like internet and network lateral communication restrictions.", "false_positives": ["Windows Firewall can be disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Firewall Disabled via PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Firewall Disabled via PowerShell\n\nWindows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Re-enable the firewall with its desired configurations.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.action == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name == \"PowerShell.EXE\") and\n process.args : \"*Set-NetFirewallProfile*\" and\n (process.args : \"*-Enabled*\" and process.args : \"*False*\") and\n (process.args : \"*-All*\" or process.args : (\"*Public*\", \"*Domain*\", \"*Private*\"))\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", "http://woshub.com/manage-windows-firewall-powershell/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "f63c8e3c-d396-404f-b2ea-0379d3942d73", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default 
fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "f63c8e3c-d396-404f-b2ea-0379d3942d73_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_310.json b/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_310.json
deleted file mode 100644
index 9d393ca82ab..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f63c8e3c-d396-404f-b2ea-0379d3942d73_310.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when the Windows Firewall is disabled using PowerShell cmdlets, which can help attackers evade network constraints, like internet and network lateral communication restrictions.", "false_positives": ["Windows Firewall can be disabled by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Windows Firewall Disabled via PowerShell", "note": "## Triage and analysis\n\n### Investigating Windows Firewall Disabled via PowerShell\n\nWindows Defender Firewall is a native component that provides host-based, two-way network traffic filtering for a device and blocks unauthorized network traffic flowing into or out of the local device.\n\nAttackers can disable the Windows firewall or its rules to enable lateral movement and command and control activity.\n\nThis rule identifies patterns related to disabling the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Check whether the user is an administrator and is legitimately performing troubleshooting.\n- In case of an allowed benign true positive (B-TP), assess adding rules to allow needed traffic and re-enable the firewall.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Re-enable the firewall with its desired configurations.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.action == \"start\" and\n (process.name : (\"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or ?process.pe.original_file_name == \"PowerShell.EXE\") and\n process.args : \"*Set-NetFirewallProfile*\" and\n process.args : \"*-Enabled*\" and process.args : \"*False*\" and\n process.args : (\"*-All*\", \"*Public*\", \"*Domain*\", \"*Private*\")\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", "http://woshub.com/manage-windows-firewall-powershell/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "f63c8e3c-d396-404f-b2ea-0379d3942d73", "severity": "medium", "tags": 
["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.004", "name": "Disable or Modify System Firewall", "reference": "https://attack.mitre.org/techniques/T1562/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 310}, "id": "f63c8e3c-d396-404f-b2ea-0379d3942d73_310", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f6652fb5-cd8e-499c-8311-2ce2bb6cac62.json b/packages/security_detection_engine/kibana/security_rule/f6652fb5-cd8e-499c-8311-2ce2bb6cac62.json deleted file mode 100644 index 9a9cc45a1d4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f6652fb5-cd8e-499c-8311-2ce2bb6cac62.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of an AWS RDS DB instance or cluster to remove the deletionProtection feature. Deletion protection is enabled automatically for instances set up through the console and can be used to protect them from unintentional deletion activity. If disabled an instance or cluster can be deleted, destroying sensitive or critical information. Adversaries with the proper permissions can take advantage of this to set up future deletion events against a compromised environment.", "false_positives": ["The deletionProtection feature must be disabled as a prerequisite for deletion of a DB instance or cluster. Ensure that the instance should not be modified in this way before taking action."], "from": "now-6m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "eql", "license": "Elastic License v2", "name": "AWS RDS DB Instance or Cluster Deletion Protection Disabled", "note": "## Triage and Analysis\n\n### Investigating AWS RDS DB Instance or Cluster Deletion Protection Disabled\n\nThis rule identifies when the deletion protection feature is removed from an RDS DB instance or cluster. Removing deletion protection is a prerequisite for deleting a DB instance. Adversaries may exploit this feature to permanently delete data in a compromised environment.\n\n#### Possible Investigation Steps\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Modification Event**: Identify the DB instance involved and review the event details. 
Look for `ModifyDBInstance` actions where the deletionProtection parameter was changed.\n - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` field in the CloudTrail event to identify the DB instance or cluster identifier and any other modifications made to the instance.\n- **Verify the Modified Instance**: Check the DB instance that was modified and its contents to determine the sensitivity of the data stored within it.\n- **Contextualize with Recent Changes**: Compare this modification event against recent changes in RDS DB instance or cluster configurations and deployments. Look for any other recent permissions changes or unusual administrative actions.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.\n- **Interview Relevant Personnel**: If the modification was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing DB instances.\n### False Positive Analysis\n\n- **Legitimate Instance Modification**: Confirm if the DB instance modification aligns with legitimate tasks.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\n\n### Response and Remediation\n\n- **Immediate Review and Reversal**: If the change was unauthorized, reset deletionProtection to true.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.\n- **Audit Instances and Policies**: Conduct a comprehensive audit of all instances and associated policies to ensure they adhere to the principle of least privilege.\n- **Policy Update**: Review and possibly update your organization\u2019s policies on DB instance access to tighten control and prevent unauthorized access.\n- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery.\n\n### Additional Information:\n\nFor further guidance on managing DB instances and securing AWS environments, refer to the [AWS RDS documentation](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDS_Managing.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on DB instance security:\n- [AWS RDS ModifyDBInstance](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html)\n- [Deleting AWS RDS DB Instance](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html)\n", "query": "any where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"rds.amazonaws.com\"\n and event.action in (\"ModifyDBInstance\", \"ModifyDBCluster\")\n and event.outcome == \"success\"\n and stringContains(aws.cloudtrail.request_parameters, \"deletionProtection=false\")\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html", "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.request_parameters", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "f6652fb5-cd8e-499c-8311-2ce2bb6cac62", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Resources: Investigation Guide", "Use Case: Threat Detection", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "f6652fb5-cd8e-499c-8311-2ce2bb6cac62", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f6652fb5-cd8e-499c-8311-2ce2bb6cac62_1.json b/packages/security_detection_engine/kibana/security_rule/f6652fb5-cd8e-499c-8311-2ce2bb6cac62_1.json
deleted file mode 100644
index 562bbad57f9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f6652fb5-cd8e-499c-8311-2ce2bb6cac62_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of an AWS RDS DB instance or cluster to remove the deletionProtection feature. Deletion protection is enabled automatically for instances set up through the console and can be used to protect them from unintentional deletion activity. If disabled an instance or cluster can be deleted, destroying sensitive or critical information. Adversaries with the proper permissions can take advantage of this to set up future deletion events against a compromised environment.", "false_positives": ["The deletionProtection feature must be disabled as a prerequisite for deletion of a DB instance or cluster. Ensure that the instance should not be modified in this way before taking action."], "from": "now-10m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "language": "eql", "license": "Elastic License v2", "name": "AWS RDS DB Instance or Cluster Deletion Protection Disabled", "note": "## Triage and Analysis\n\n### Investigating AWS RDS DB Instance or Cluster Deletion Protection Disabled\n\nThis rule identifies when the deletion protection feature is removed from an RDS DB instance or cluster. Removing deletion protection is a prerequisite for deleting a DB instance. Adversaries may exploit this feature to permanently delete data in a compromised environment.\n\n#### Possible Investigation Steps\n\n- **Identify the Actor**: Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` fields to identify who made the change. Verify if this actor typically performs such actions and if they have the necessary permissions.\n- **Review the Modification Event**: Identify the DB instance involved and review the event details. 
Look for `ModifyDBInstance` actions where the deletionProtection parameter was changed.\n - **Request and Response Parameters**: Check the `aws.cloudtrail.request_parameters` field in the CloudTrail event to identify the DB instance or cluster identifier and any other modifications made to the instance.\n- **Verify the Modified Instance**: Check the DB instance that was modified and its contents to determine the sensitivity of the data stored within it.\n- **Contextualize with Recent Changes**: Compare this modification event against recent changes in RDS DB instance or cluster configurations and deployments. Look for any other recent permissions changes or unusual administrative actions.\n- **Correlate with Other Activities**: Search for related CloudTrail events before and after this change to see if the same actor or IP address engaged in other potentially suspicious activities.\n- **Interview Relevant Personnel**: If the modification was initiated by a user, verify the intent and authorization for this action with the person or team responsible for managing DB instances.\n### False Positive Analysis\n\n- **Legitimate Instance Modification**: Confirm if the DB instance modification aligns with legitimate tasks.\n- **Consistency Check**: Compare the action against historical data of similar actions performed by the user or within the organization. 
If the action is consistent with past legitimate activities, it might indicate a false alarm.\n\n### Response and Remediation\n\n- **Immediate Review and Reversal**: If the change was unauthorized, reset deletionProtection to true.\n- **Enhance Monitoring and Alerts**: Adjust monitoring systems to alert on similar actions, especially those involving sensitive data or permissions.\n- **Audit Instances and Policies**: Conduct a comprehensive audit of all instances and associated policies to ensure they adhere to the principle of least privilege.\n- **Policy Update**: Review and possibly update your organization\u2019s policies on DB instance access to tighten control and prevent unauthorized access.\n- **Incident Response**: If malicious intent is confirmed, consider it a data breach incident and initiate the incident response protocol. This includes further investigation, containment, and recovery.\n\n### Additional Information:\n\nFor further guidance on managing DB instances and securing AWS environments, refer to the [AWS RDS documentation](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDS_Managing.html) and AWS best practices for security. 
Additionally, consult the following resources for specific details on DB instance security:\n- [AWS RDS ModifyDBInstance](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html)\n- [Deleting AWS RDS DB Instance](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html)\n", "query": "any where event.dataset == \"aws.cloudtrail\"\n and event.provider == \"rds.amazonaws.com\"\n and event.action in (\"ModifyDBInstance\", \"ModifyDBCluster\")\n and event.outcome == \"success\"\n and stringContains(aws.cloudtrail.request_parameters, \"deletionProtection=false\")\n", "references": ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html", "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.request_parameters", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "f6652fb5-cd8e-499c-8311-2ce2bb6cac62", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS RDS", "Resources: Investigation Guide", "Use Case: Threat Detection", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1485", "name": "Data Destruction", "reference": "https://attack.mitre.org/techniques/T1485/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "f6652fb5-cd8e-499c-8311-2ce2bb6cac62_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92.json b/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92.json
deleted file mode 100644
index 7bb370fafb1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Delete Volume USN Journal with Fsutil", "note": "## Triage and analysis\n\n### Investigating Delete Volume USN Journal with Fsutil\n\nThe Update Sequence Number (USN) Journal is a feature in the NTFS file system used by Microsoft Windows operating systems to keep track of changes made to files and directories on a disk volume. The journal records metadata for changes such as file creation, deletion, modification, and permission changes. It is used by the operating system for various purposes, including backup and recovery, file indexing, and file replication.\n\nThis artifact can provide valuable information in forensic analysis, such as programs executed (prefetch file operations), file modification events in suspicious directories, deleted files, etc. Attackers may delete this artifact in an attempt to cover their tracks, and this rule identifies the usage of the `fsutil.exe` utility to accomplish it.\n\nConsider using the Elastic Defend integration instead of USN Journal, as the Elastic Defend integration provides more visibility and context in the file operations it records.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Review file operation logs from Elastic Defend for suspicious activity the attacker tried to hide.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or ?process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"deletejournal\" and process.args : \"usn\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "f675872f-6d85-40a3-b502-c0d2ef101e92", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_104.json b/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_104.json
deleted file mode 100644
index c88bace4be8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Delete Volume USN Journal with Fsutil", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"deletejournal\" and process.args : \"usn\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": 
"https://attack.mitre.org/techniques/T1070/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "f675872f-6d85-40a3-b502-c0d2ef101e92_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_105.json b/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_105.json deleted file mode 100644 index 1755e5a3e9b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Delete Volume USN Journal with Fsutil", "note": "## Triage and analysis\n\n### Investigating Delete Volume USN Journal with Fsutil\n\nThe Update Sequence Number (USN) Journal is a feature in the NTFS file system used by Microsoft Windows operating systems to keep track of changes made to files and directories on a disk volume. The journal records metadata for changes such as file creation, deletion, modification, and permission changes. It is used by the operating system for various purposes, including backup and recovery, file indexing, and file replication.\n\nThis artifact can provide valuable information in forensic analysis, such as programs executed (prefetch file operations), file modification events in suspicious directories, deleted files, etc. Attackers may delete this artifact in an attempt to cover their tracks, and this rule identifies the usage of the `fsutil.exe` utility to accomplish it.\n\nConsider using the Elastic Defend integration instead of USN Journal, as the Elastic Defend integration provides more visibility and context in the file operations it records.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Review file operation logs from Elastic Defend for suspicious activity the attacker tried to hide.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"deletejournal\" and process.args : \"usn\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "f675872f-6d85-40a3-b502-c0d2ef101e92_105", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_106.json b/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_106.json
deleted file mode 100644
index fb4848c8217..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_106.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Delete Volume USN Journal with Fsutil", "note": "## Triage and analysis\n\n### Investigating Delete Volume USN Journal with Fsutil\n\nThe Update Sequence Number (USN) Journal is a feature in the NTFS file system used by Microsoft Windows operating systems to keep track of changes made to files and directories on a disk volume. The journal records metadata for changes such as file creation, deletion, modification, and permission changes. It is used by the operating system for various purposes, including backup and recovery, file indexing, and file replication.\n\nThis artifact can provide valuable information in forensic analysis, such as programs executed (prefetch file operations), file modification events in suspicious directories, deleted files, etc. Attackers may delete this artifact in an attempt to cover their tracks, and this rule identifies the usage of the `fsutil.exe` utility to accomplish it.\n\nConsider using the Elastic Defend integration instead of USN Journal, as the Elastic Defend integration provides more visibility and context in the file operations it records.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Review file operation logs from Elastic Defend for suspicious activity the attacker tried to hide.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"deletejournal\" and process.args : \"usn\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "f675872f-6d85-40a3-b502-c0d2ef101e92_106", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_107.json b/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_107.json
deleted file mode 100644
index caa47422612..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Delete Volume USN Journal with Fsutil", "note": "## Triage and analysis\n\n### Investigating Delete Volume USN Journal with Fsutil\n\nThe Update Sequence Number (USN) Journal is a feature in the NTFS file system used by Microsoft Windows operating systems to keep track of changes made to files and directories on a disk volume. The journal records metadata for changes such as file creation, deletion, modification, and permission changes. It is used by the operating system for various purposes, including backup and recovery, file indexing, and file replication.\n\nThis artifact can provide valuable information in forensic analysis, such as programs executed (prefetch file operations), file modification events in suspicious directories, deleted files, etc. Attackers may delete this artifact in an attempt to cover their tracks, and this rule identifies the usage of the `fsutil.exe` utility to accomplish it.\n\nConsider using the Elastic Defend integration instead of USN Journal, as the Elastic Defend integration provides more visibility and context in the file operations it records.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Review file operation logs from Elastic Defend for suspicious activity the attacker tried to hide.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"deletejournal\" and process.args : \"usn\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "f675872f-6d85-40a3-b502-c0d2ef101e92_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_108.json b/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_108.json
deleted file mode 100644
index 61d67940a7c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Delete Volume USN Journal with Fsutil", "note": "## Triage and analysis\n\n### Investigating Delete Volume USN Journal with Fsutil\n\nThe Update Sequence Number (USN) Journal is a feature in the NTFS file system used by Microsoft Windows operating systems to keep track of changes made to files and directories on a disk volume. The journal records metadata for changes such as file creation, deletion, modification, and permission changes. It is used by the operating system for various purposes, including backup and recovery, file indexing, and file replication.\n\nThis artifact can provide valuable information in forensic analysis, such as programs executed (prefetch file operations), file modification events in suspicious directories, deleted files, etc. Attackers may delete this artifact in an attempt to cover their tracks, and this rule identifies the usage of the `fsutil.exe` utility to accomplish it.\n\nConsider using the Elastic Defend integration instead of USN Journal, as the Elastic Defend integration provides more visibility and context in the file operations it records.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Review file operation logs from Elastic Defend for suspicious activity the attacker tried to hide.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or ?process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"deletejournal\" and process.args : \"usn\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "f675872f-6d85-40a3-b502-c0d2ef101e92_108", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_109.json b/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_109.json
deleted file mode 100644
index f3699cde99b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Delete Volume USN Journal with Fsutil", "note": "## Triage and analysis\n\n### Investigating Delete Volume USN Journal with Fsutil\n\nThe Update Sequence Number (USN) Journal is a feature in the NTFS file system used by Microsoft Windows operating systems to keep track of changes made to files and directories on a disk volume. The journal records metadata for changes such as file creation, deletion, modification, and permission changes. It is used by the operating system for various purposes, including backup and recovery, file indexing, and file replication.\n\nThis artifact can provide valuable information in forensic analysis, such as programs executed (prefetch file operations), file modification events in suspicious directories, deleted files, etc. Attackers may delete this artifact in an attempt to cover their tracks, and this rule identifies the usage of the `fsutil.exe` utility to accomplish it.\n\nConsider using the Elastic Defend integration instead of USN Journal, as the Elastic Defend integration provides more visibility and context in the file operations it records.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Review file operation logs from Elastic Defend for suspicious activity the attacker tried to hide.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or ?process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"deletejournal\" and process.args : \"usn\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "f675872f-6d85-40a3-b502-c0d2ef101e92_109", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_110.json b/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_110.json
deleted file mode 100644
index ce89269d42b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Delete Volume USN Journal with Fsutil", "note": "## Triage and analysis\n\n### Investigating Delete Volume USN Journal with Fsutil\n\nThe Update Sequence Number (USN) Journal is a feature in the NTFS file system used by Microsoft Windows operating systems to keep track of changes made to files and directories on a disk volume. The journal records metadata for changes such as file creation, deletion, modification, and permission changes. It is used by the operating system for various purposes, including backup and recovery, file indexing, and file replication.\n\nThis artifact can provide valuable information in forensic analysis, such as programs executed (prefetch file operations), file modification events in suspicious directories, deleted files, etc. Attackers may delete this artifact in an attempt to cover their tracks, and this rule identifies the usage of the `fsutil.exe` utility to accomplish it.\n\nConsider using the Elastic Defend integration instead of USN Journal, as the Elastic Defend integration provides more visibility and context in the file operations it records.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Review file operation logs from Elastic Defend for suspicious activity the attacker tried to hide.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or ?process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"deletejournal\" and process.args : \"usn\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": "https://attack.mitre.org/techniques/T1070/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "f675872f-6d85-40a3-b502-c0d2ef101e92_110", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_310.json b/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_310.json
deleted file mode 100644
index 15fff7a5528..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f675872f-6d85-40a3-b502-c0d2ef101e92_310.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Delete Volume USN Journal with Fsutil", "note": "## Triage and analysis\n\n### Investigating Delete Volume USN Journal with Fsutil\n\nThe Update Sequence Number (USN) Journal is a feature in the NTFS file system used by Microsoft Windows operating systems to keep track of changes made to files and directories on a disk volume. The journal records metadata for changes such as file creation, deletion, modification, and permission changes. It is used by the operating system for various purposes, including backup and recovery, file indexing, and file replication.\n\nThis artifact can provide valuable information in forensic analysis, such as programs executed (prefetch file operations), file modification events in suspicious directories, deleted files, etc. Attackers may delete this artifact in an attempt to cover their tracks, and this rule identifies the usage of the `fsutil.exe` utility to accomplish it.\n\nConsider using the Elastic Defend integration instead of USN Journal, as the Elastic Defend integration provides more visibility and context in the file operations it records.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - Verify if any other anti-forensics behaviors were observed.\n- Review file operation logs from Elastic Defend for suspicious activity the attacker tried to hide.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"fsutil.exe\" or ?process.pe.original_file_name == \"fsutil.exe\") and\n process.args : \"deletejournal\" and process.args : \"usn\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 21, "rule_id": "f675872f-6d85-40a3-b502-c0d2ef101e92", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/", "subtechnique": [{"id": "T1070.004", "name": "File Deletion", "reference": 
"https://attack.mitre.org/techniques/T1070/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 310}, "id": "f675872f-6d85-40a3-b502-c0d2ef101e92_310", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5.json b/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5.json
deleted file mode 100644
index 06628b539a0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies changes to the SoftwareUpdate preferences using the built-in defaults command. Adversaries may abuse this in an attempt to disable security updates.", "false_positives": ["Authorized SoftwareUpdate Settings Changes"], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "SoftwareUpdate Preferences Modification", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:defaults and\n process.args:(write and \"-bool\" and (com.apple.SoftwareUpdate or /Library/Preferences/com.apple.SoftwareUpdate.plist) and not (TRUE or true))\n", "references": ["https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f683dcdf-a018-4801-b066-193d4ae6c8e5", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "f683dcdf-a018-4801-b066-193d4ae6c8e5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_102.json b/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_102.json
deleted file mode 100644
index 8d0698f8723..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_102.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies changes to the SoftwareUpdate preferences using the built-in defaults command. Adversaries may abuse this in an attempt to disable security updates.", "false_positives": ["Authorized SoftwareUpdate Settings Changes"], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "SoftwareUpdate Preferences Modification", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:defaults and\n process.args:(write and \"-bool\" and (com.apple.SoftwareUpdate or /Library/Preferences/com.apple.SoftwareUpdate.plist) and not (TRUE or true))\n", "references": ["https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f683dcdf-a018-4801-b066-193d4ae6c8e5", "severity": "medium", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "f683dcdf-a018-4801-b066-193d4ae6c8e5_102", "type": "security-rule"}
\ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_103.json b/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_103.json
deleted file mode 100644
index fe2417bc090..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_103.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies changes to the SoftwareUpdate preferences using the built-in defaults command. Adversaries may abuse this in an attempt to disable security updates.", "false_positives": ["Authorized SoftwareUpdate Settings Changes"], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "SoftwareUpdate Preferences Modification", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:defaults and\n process.args:(write and \"-bool\" and (com.apple.SoftwareUpdate or /Library/Preferences/com.apple.SoftwareUpdate.plist) and not (TRUE or true))\n", "references": ["https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f683dcdf-a018-4801-b066-193d4ae6c8e5", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "f683dcdf-a018-4801-b066-193d4ae6c8e5_103", "type": "security-rule"}
\ No newline at end of 
file
diff --git a/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_104.json b/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_104.json
deleted file mode 100644
index fadc7d22a7c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_104.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies changes to the SoftwareUpdate preferences using the built-in defaults command. Adversaries may abuse this in an attempt to disable security updates.", "false_positives": ["Authorized SoftwareUpdate Settings Changes"], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "SoftwareUpdate Preferences Modification", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:defaults and\n process.args:(write and \"-bool\" and (com.apple.SoftwareUpdate or /Library/Preferences/com.apple.SoftwareUpdate.plist) and not (TRUE or true))\n", "references": ["https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f683dcdf-a018-4801-b066-193d4ae6c8e5", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "f683dcdf-a018-4801-b066-193d4ae6c8e5_104", "type": 
"security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_105.json b/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_105.json deleted file mode 100644 index afce9ce9d71..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f683dcdf-a018-4801-b066-193d4ae6c8e5_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies changes to the SoftwareUpdate preferences using the built-in defaults command. Adversaries may abuse this in an attempt to disable security updates.", "false_positives": ["Authorized SoftwareUpdate Settings Changes"], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "SoftwareUpdate Preferences Modification", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.name:defaults and\n process.args:(write and \"-bool\" and (com.apple.SoftwareUpdate or /Library/Preferences/com.apple.SoftwareUpdate.plist) and not (TRUE or true))\n", "references": ["https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "f683dcdf-a018-4801-b066-193d4ae6c8e5", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "f683dcdf-a018-4801-b066-193d4ae6c8e5_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f75f65cf-ed04-48df-a7ff-b02a8bfe636e.json b/packages/security_detection_engine/kibana/security_rule/f75f65cf-ed04-48df-a7ff-b02a8bfe636e.json
deleted file mode 100644
index eb02bfdf555..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f75f65cf-ed04-48df-a7ff-b02a8bfe636e.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of built-in tools to read the contents of \\etc\\hosts on a local machine. Attackers may use this data to discover remote machines in an environment that may be used for Lateral Movement from the current system.", "from": "now-119m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "System Hosts File Access", "query": "process where event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nprocess.name in (\"vi\", \"nano\", \"cat\", \"more\", \"less\") and process.args == \"/etc/hosts\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f75f65cf-ed04-48df-a7ff-b02a8bfe636e", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "f75f65cf-ed04-48df-a7ff-b02a8bfe636e", "type": "security-rule"}
\ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f75f65cf-ed04-48df-a7ff-b02a8bfe636e_1.json b/packages/security_detection_engine/kibana/security_rule/f75f65cf-ed04-48df-a7ff-b02a8bfe636e_1.json
deleted file mode 100644
index 7ad50ec12a1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f75f65cf-ed04-48df-a7ff-b02a8bfe636e_1.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of built-in tools to read the contents of \\etc\\hosts on a local machine. Attackers may use this data to discover remote machines in an environment that may be used for Lateral Movement from the current system.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "System Hosts File Access", "query": "process where event.type == \"start\" and event.action == \"exec\" and\n (process.name:(\"vi\", \"nano\", \"cat\", \"more\", \"less\") and process.args : \"/etc/hosts\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f75f65cf-ed04-48df-a7ff-b02a8bfe636e", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "f75f65cf-ed04-48df-a7ff-b02a8bfe636e_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f75f65cf-ed04-48df-a7ff-b02a8bfe636e_2.json b/packages/security_detection_engine/kibana/security_rule/f75f65cf-ed04-48df-a7ff-b02a8bfe636e_2.json
deleted file mode 100644
index d143689fe12..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/f75f65cf-ed04-48df-a7ff-b02a8bfe636e_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of built-in tools to read the contents of \\etc\\hosts on a local machine. Attackers may use this data to discover remote machines in an environment that may be used for Lateral Movement from the current system.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "System Hosts File Access", "query": "process where event.type == \"start\" and event.action == \"exec\" and\n (process.name:(\"vi\", \"nano\", \"cat\", \"more\", \"less\") and process.args : \"/etc/hosts\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f75f65cf-ed04-48df-a7ff-b02a8bfe636e", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": "https://attack.mitre.org/techniques/T1018/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "f75f65cf-ed04-48df-a7ff-b02a8bfe636e_2", "type": "security-rule"}
\ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f766ffaf-9568-4909-b734-75d19b35cbf4.json b/packages/security_detection_engine/kibana/security_rule/f766ffaf-9568-4909-b734-75d19b35cbf4.json
deleted file mode 100644
index b51a771ac18..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f766ffaf-9568-4909-b734-75d19b35cbf4.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies when new Service Principal credentials have been added in Azure. In most organizations, credentials will be added to service principals infrequently. Hijacking an application (by adding a rogue secret or certificate) with granted permissions will allow the attacker to access data that is normally protected by MFA requirements.", "false_positives": ["Service principal credential additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Credential additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Azure Service Principal Credentials Added", "note": "", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add service principal credentials\" and event.outcome:(success or Success)\n", "references": ["https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf"], "related_integrations": [{"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "f766ffaf-9568-4909-b734-75d19b35cbf4", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Impact"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": 
"https://attack.mitre.org/tactics/TA0040/"}, "technique": [{"id": "T1496", "name": "Resource Hijacking", "reference": "https://attack.mitre.org/techniques/T1496/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "f766ffaf-9568-4909-b734-75d19b35cbf4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f766ffaf-9568-4909-b734-75d19b35cbf4_101.json b/packages/security_detection_engine/kibana/security_rule/f766ffaf-9568-4909-b734-75d19b35cbf4_101.json deleted file mode 100644 index 76dc6c7de98..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f766ffaf-9568-4909-b734-75d19b35cbf4_101.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies when new Service Principal credentials have been added in Azure. In most organizations, credentials will be added to service principals infrequently. Hijacking an application (by adding a rogue secret or certificate) with granted permissions will allow the attacker to access data that is normally protected by MFA requirements.", "false_positives": ["Service principal credential additions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Credential additions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-25m", "index": ["filebeat-*", "logs-azure*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "Azure Service Principal Credentials Added", "note": "", "query": "event.dataset:azure.auditlogs and azure.auditlogs.operation_name:\"Add service principal credentials\" and event.outcome:(success or Success)\n", "references": ["https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf"], "related_integrations": [{"package": "azure", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "azure.auditlogs.operation_name", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}], "risk_score": 47, "rule_id": "f766ffaf-9568-4909-b734-75d19b35cbf4", "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0040", "name": "Impact", "reference": "https://attack.mitre.org/tactics/TA0040/"}, 
"technique": [{"id": "T1496", "name": "Resource Hijacking", "reference": "https://attack.mitre.org/techniques/T1496/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "f766ffaf-9568-4909-b734-75d19b35cbf4_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c.json b/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c.json deleted file mode 100644 index a385a54f238..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Alarm deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudWatch Alarm Deletion", "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Alarm Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of\nlogs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize\nlogs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your\napplications running smoothly.\n\nCloudWatch Alarms is a feature that allows you to watch CloudWatch metrics and to receive notifications when the metrics\nfall outside of the levels (high or low thresholds) that you configure.\n\nThis rule looks for the deletion of a alarm using the API `DeleteAlarms` action. 
Attackers can do this to cover their\ntracks and evade security defenses.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if there is a justification for this behavior.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications 
related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html", "https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "f772ec8a-e182-483c-91d2-72058f76a44c", "setup": "The AWS Fleet integration, Filebeat module, 
or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Resources: Investigation Guide", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 209}, "id": "f772ec8a-e182-483c-91d2-72058f76a44c", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_105.json b/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_105.json
deleted file mode 100644
index 934144fc126..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_105.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Alarm deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudWatch Alarm Deletion", "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Alarm Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of\nlogs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize\nlogs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your\napplications running smoothly.\n\nCloudWatch Alarms is a feature that allows you to watch CloudWatch metrics and to receive notifications when the metrics\nfall outside of the levels (high or low thresholds) that you configure.\n\nThis rule looks for the deletion of a alarm using the API `DeleteAlarms` action. 
Attackers can do this to cover their\ntracks and evade security defenses.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if there is a justification for this behavior.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications 
related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html", "https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "f772ec8a-e182-483c-91d2-72058f76a44c", "setup": "The AWS Fleet integration, Filebeat module, 
or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "f772ec8a-e182-483c-91d2-72058f76a44c_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_106.json b/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_106.json
deleted file mode 100644
index 280e0ee30ec..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Alarm deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudWatch Alarm Deletion", "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Alarm Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of\nlogs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize\nlogs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your\napplications running smoothly.\n\nCloudWatch Alarms is a feature that allows you to watch CloudWatch metrics and to receive notifications when the metrics\nfall outside of the levels (high or low thresholds) that you configure.\n\nThis rule looks for the deletion of a alarm using the API `DeleteAlarms` action. 
Attackers can do this to cover their\ntracks and evade security defenses.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if there is a justification for this behavior.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications 
related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html", "https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "f772ec8a-e182-483c-91d2-72058f76a44c", "setup": "The AWS Fleet integration, Filebeat module, 
or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Resources: Investigation Guide", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "f772ec8a-e182-483c-91d2-72058f76a44c_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_107.json b/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_107.json
deleted file mode 100644
index 88ce03a93bb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Alarm deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudWatch Alarm Deletion", "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Alarm Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of\nlogs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize\nlogs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your\napplications running smoothly.\n\nCloudWatch Alarms is a feature that allows you to watch CloudWatch metrics and to receive notifications when the metrics\nfall outside of the levels (high or low thresholds) that you configure.\n\nThis rule looks for the deletion of a alarm using the API `DeleteAlarms` action. 
Attackers can do this to cover their\ntracks and evade security defenses.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if there is a justification for this behavior.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications 
related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html", "https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "f772ec8a-e182-483c-91d2-72058f76a44c", "setup": "The AWS Fleet integration, Filebeat module, 
or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Resources: Investigation Guide", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 107}, "id": "f772ec8a-e182-483c-91d2-72058f76a44c_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_208.json b/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_208.json
deleted file mode 100644
index f8e5f421961..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f772ec8a-e182-483c-91d2-72058f76a44c_208.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Alarm deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS CloudWatch Alarm Deletion", "note": "## Triage and analysis\n\n### Investigating AWS CloudWatch Alarm Deletion\n\nAmazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of\nlogs, metrics, and events for resources and applications. This data can be used to detect anomalous behavior in your environments, set alarms, visualize\nlogs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your\napplications running smoothly.\n\nCloudWatch Alarms is a feature that allows you to watch CloudWatch metrics and to receive notifications when the metrics\nfall outside of the levels (high or low thresholds) that you configure.\n\nThis rule looks for the deletion of a alarm using the API `DeleteAlarms` action. 
Attackers can do this to cover their\ntracks and evade security defenses.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate other alerts associated with the user account during the past 48 hours.\n- Contact the account and resource owners and confirm whether they are aware of this activity.\n- Check if there is a justification for this behavior.\n- Considering the source IP address and geolocation of the user who issued the command:\n - Do they look normal for the user?\n - If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or is the source IP from an EC2 instance that's not under your control?\n - If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?\n- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and IP address conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Disable or limit the account during the investigation and response.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n - Identify the account role in the cloud environment.\n - Assess the criticality of affected services and servers.\n - Work with your IT team to identify and minimize the impact on users.\n - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n - Identify any regulatory or legal ramifications 
related to this activity.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.\n- Consider enabling multi-factor authentication for users.\n- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.\n- Implement security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS.\n- Take the actions needed to return affected systems, data, or services to their normal operational levels.\n- Identify the initial vector abused by the attacker and take action to prevent reinfection via the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "event.dataset:aws.cloudtrail and event.provider:monitoring.amazonaws.com and event.action:DeleteAlarms and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html", "https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "f772ec8a-e182-483c-91d2-72058f76a44c", "setup": "The AWS Fleet integration, Filebeat module, 
or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Resources: Investigation Guide", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 208}, "id": "f772ec8a-e182-483c-91d2-72058f76a44c_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f7769104-e8f9-4931-94a2-68fc04eadec3.json b/packages/security_detection_engine/kibana/security_rule/f7769104-e8f9-4931-94a2-68fc04eadec3.json
deleted file mode 100644
index 068d1f9884f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f7769104-e8f9-4931-94a2-68fc04eadec3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the creation or modification of an authorized_keys or sshd_config file inside a container. The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s). Unexpected and unauthorized SSH usage inside a container can be an indicator of compromise and should be investigated.", "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "SSH Authorized Keys File Modified Inside a Container", "query": "file where container.id:\"*\" and\n event.type in (\"change\", \"creation\") and file.name: (\"authorized_keys\", \"authorized_keys2\", \"sshd_config\")\n", "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "container.id", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}], "risk_score": 73, "rule_id": "f7769104-e8f9-4931-94a2-68fc04eadec3", "severity": "high", "tags": ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.004", "name": "SSH Authorized Keys", "reference": "https://attack.mitre.org/techniques/T1098/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": 
"Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}, {"id": "T1563", "name": "Remote Service Session Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "f7769104-e8f9-4931-94a2-68fc04eadec3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f7769104-e8f9-4931-94a2-68fc04eadec3_1.json b/packages/security_detection_engine/kibana/security_rule/f7769104-e8f9-4931-94a2-68fc04eadec3_1.json
deleted file mode 100644
index 3e921fa75c1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f7769104-e8f9-4931-94a2-68fc04eadec3_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule detects the creation or modification of an authorized_keys or sshd_config file inside a container. The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s). Unexpected and unauthorized SSH usage inside a container can be an indicator of compromise and should be investigated.", "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "SSH Authorized Keys File Modified Inside a Container", "query": "file where container.id:\"*\" and\n event.type in (\"change\", \"creation\") and file.name: (\"authorized_keys\", \"authorized_keys2\", \"sshd_config\")\n", "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "container.id", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}], "risk_score": 73, "rule_id": "f7769104-e8f9-4931-94a2-68fc04eadec3", "severity": "high", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Lateral Movement", "Container"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.004", "name": "SSH Authorized Keys", "reference": "https://attack.mitre.org/techniques/T1098/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1563", "name": "Remote Service Session Hijacking", "reference": 
"https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}, {"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "f7769104-e8f9-4931-94a2-68fc04eadec3_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f7769104-e8f9-4931-94a2-68fc04eadec3_2.json b/packages/security_detection_engine/kibana/security_rule/f7769104-e8f9-4931-94a2-68fc04eadec3_2.json
deleted file mode 100644
index 23b3d6395b6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f7769104-e8f9-4931-94a2-68fc04eadec3_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects the creation or modification of an authorized_keys or sshd_config file inside a container. The Secure Shell (SSH) authorized_keys file specifies which users are allowed to log into a server using public key authentication. Adversaries may modify it to maintain persistence on a victim host by adding their own public key(s). Unexpected and unauthorized SSH usage inside a container can be an indicator of compromise and should be investigated.", "from": "now-6m", "index": ["logs-cloud_defend*"], "interval": "5m", "language": "eql", "license": "Elastic License v2", "name": "SSH Authorized Keys File Modified Inside a Container", "query": "file where container.id:\"*\" and\n event.type in (\"change\", \"creation\") and file.name: (\"authorized_keys\", \"authorized_keys2\", \"sshd_config\")\n", "related_integrations": [{"package": "cloud_defend", "version": "^1.0.5"}], "required_fields": [{"ecs": true, "name": "container.id", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}], "risk_score": 73, "rule_id": "f7769104-e8f9-4931-94a2-68fc04eadec3", "severity": "high", "tags": ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Lateral Movement"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.004", "name": "SSH Authorized Keys", "reference": "https://attack.mitre.org/techniques/T1098/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1563", "name": 
"Remote Service Session Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/", "subtechnique": [{"id": "T1563.001", "name": "SSH Hijacking", "reference": "https://attack.mitre.org/techniques/T1563/001/"}]}, {"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.004", "name": "SSH", "reference": "https://attack.mitre.org/techniques/T1021/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "f7769104-e8f9-4931-94a2-68fc04eadec3_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0.json b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0.json deleted file mode 100644 index 74210312857..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. Adversaries may abuse this technique to maintain persistence in an environment.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistent Scripts in the Startup Directory", "note": "## Triage and analysis\n\n### Performance\n\nThis rule may have low to medium performance impact due to the generic nature of VBS and JS scripts being loaded by Windows script engines.\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n\n /* Call attention to file extensions that may be used for malicious purposes */\n /* Optionally, Windows scripting engine processes targeting shortcut files */\n (\n file.extension : (\"vbs\", \"vbe\", \"wsh\", \"wsf\", \"js\") or\n process.name : (\"wscript.exe\", \"cscript.exe\")\n ) and not (startsWith(user.domain, \"NT\") or endsWith(user.domain, \"NT\"))\n\n /* Identify files created or changed in the startup folder */\n and file.path : (\"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data 
Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}, {"id": "T1547.009", "name": "Shortcut Modification", "reference": "https://attack.mitre.org/techniques/T1547/009/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_104.json b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_104.json deleted file mode 100644 index 4859c012f15..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. Adversaries may abuse this technique to maintain persistence in an environment.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistent Scripts in the Startup Directory", "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n\n /* detect shortcuts created by wscript.exe or cscript.exe */\n (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n /* detect vbs or js files created by any process */\n file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", 
"name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_105.json b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_105.json deleted file mode 100644 index 9d5c68fd4bf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. Adversaries may abuse this technique to maintain persistence in an environment.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistent Scripts in the Startup Directory", "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n\n /* detect shortcuts created by wscript.exe or cscript.exe */\n (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n /* detect vbs or js files created by any process */\n file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", 
"Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_106.json b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_106.json deleted file mode 100644 index 1cd394f4b7e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. Adversaries may abuse this technique to maintain persistence in an environment.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistent Scripts in the Startup Directory", "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n\n /* detect shortcuts created by wscript.exe or cscript.exe */\n (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n /* detect vbs or js files created by any process */\n file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: 
Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_107.json b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_107.json deleted file mode 100644 index 2318ae0d1ea..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_107.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. Adversaries may abuse this technique to maintain persistence in an environment.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistent Scripts in the Startup Directory", "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n\n /* detect shortcuts created by wscript.exe or cscript.exe */\n (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n /* detect vbs or js files created by any process */\n file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: 
Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_108.json b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_108.json
deleted file mode 100644
index 58e0dd71c68..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. Adversaries may abuse this technique to maintain persistence in an environment.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistent Scripts in the Startup Directory", "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n\n /* detect shortcuts created by wscript.exe or cscript.exe */\n (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n /* detect vbs or js files created by any process */\n file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: 
Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}, {"id": "T1547.009", "name": "Shortcut Modification", "reference": "https://attack.mitre.org/techniques/T1547/009/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_109.json b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_109.json
deleted file mode 100644
index c5a6d2767be..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. Adversaries may abuse this technique to maintain persistence in an environment.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistent Scripts in the Startup Directory", "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and user.domain != \"NT AUTHORITY\" and\n\n /* detect shortcuts created by wscript.exe or cscript.exe */\n (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n /* detect vbs or js files created by any process */\n file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor 
more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}, {"id": "T1547.009", "name": "Shortcut Modification", "reference": "https://attack.mitre.org/techniques/T1547/009/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_110.json b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_110.json
deleted file mode 100644
index d16794e548e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. Adversaries may abuse this technique to maintain persistence in an environment.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistent Scripts in the Startup Directory", "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n\n file.extension : (\"lnk\", \"vbs\", \"vbe\", \"wsh\", \"wsf\", \"js\") and\n not (startsWith(user.domain, \"NT\") or endsWith(user.domain, \"NT\")) and\n\n /* detect shortcuts created by wscript.exe or cscript.exe */\n (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n /* detect vbs or js files created by any process */\n file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback 
for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}, {"id": "T1547.009", "name": "Shortcut Modification", "reference": "https://attack.mitre.org/techniques/T1547/009/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_111.json b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_111.json
deleted file mode 100644
index 012f5803a49..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. Adversaries may abuse this technique to maintain persistence in an environment.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistent Scripts in the Startup Directory", "note": "## Triage and analysis\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n\n file.extension : (\"lnk\", \"vbs\", \"vbe\", \"wsh\", \"wsf\", \"js\") and\n not (startsWith(user.domain, \"NT\") or endsWith(user.domain, \"NT\")) and\n\n /* detect shortcuts created by wscript.exe or cscript.exe */\n (file.path : \"C:\\\\*\\\\Programs\\\\Startup\\\\*.lnk\" and\n process.name : (\"wscript.exe\", \"cscript.exe\")) or\n\n /* detect vbs or js files created by any process */\n file.path : (\"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbs\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.vbe\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsh\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.wsf\",\n \"C:\\\\*\\\\Programs\\\\Startup\\\\*.js\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback 
for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}, {"id": "T1547.009", "name": "Shortcut Modification", "reference": "https://attack.mitre.org/techniques/T1547/009/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_112.json b/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_112.json
deleted file mode 100644
index a9f66ddaddb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f7c4dc5a-a58d-491d-9f14-9b66507121c0_112.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies script engines creating files in the Startup folder, or the creation of script files in the Startup folder. Adversaries may abuse this technique to maintain persistence in an environment.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Persistent Scripts in the Startup Directory", "note": "## Triage and analysis\n\n### Performance\n\nThis rule may have low to medium performance impact due to the generic nature of VBS and JS scripts being loaded by Windows script engines.\n\n### Investigating Persistent Scripts in the Startup Directory\n\nThe Windows Startup folder is a special folder in Windows. Programs added to this folder are executed during account logon, without user interaction, providing an excellent way for attackers to maintain persistence.\n\nThis rule looks for shortcuts created by wscript.exe or cscript.exe, or js/vbs scripts created by any process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate if the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the file using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Related rules\n\n- Suspicious Startup Shell Folder Modification - c8b150f0-0164-475b-a75e-74b47800a9ff\n- Startup Folder Persistence via Unsigned Process - 2fba96c0-ade5-4bce-b92f-a5df2509da3f\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and\n\n /* Call attention to file extensions that may be used for malicious purposes */\n /* Optionally, Windows scripting engine processes targeting shortcut files */\n (\n file.extension : (\"vbs\", \"vbe\", \"wsh\", \"wsf\", \"js\") or\n process.name : (\"wscript.exe\", \"cscript.exe\")\n ) and not (startsWith(user.domain, \"NT\") or endsWith(user.domain, \"NT\"))\n\n /* Identify files created or changed in the startup folder */\n and file.path : (\"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\*\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\*\")\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "user.domain", "type": "keyword"}], "risk_score": 47, "rule_id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data 
Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [{"id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "reference": "https://attack.mitre.org/techniques/T1547/001/"}, {"id": "T1547.009", "name": "Shortcut Modification", "reference": "https://attack.mitre.org/techniques/T1547/009/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "f7c4dc5a-a58d-491d-9f14-9b66507121c0_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f7c70f2e-4616-439c-85ac-5b98415042fe.json b/packages/security_detection_engine/kibana/security_rule/f7c70f2e-4616-439c-85ac-5b98415042fe.json
deleted file mode 100644
index e56969547a3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f7c70f2e-4616-439c-85ac-5b98415042fe.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potential privilege escalation exploitation of DAC (Discretionary access control) file permissions. The rule identifies exploitation of DAC checks on sensitive file paths via suspicious processes whose capabilities include CAP_DAC_OVERRIDE (where a process can bypass all read write and execution checks) or CAP_DAC_READ_SEARCH (where a process can read any file or perform any executable permission on the directories).", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Privilege Escalation via Linux DAC permissions", "new_terms_fields": ["host.id", "process.command_line", "process.executable"], "query": "event.category:process and host.os.type:linux and event.type:start and event.action:exec and\n(process.thread.capabilities.permitted:CAP_DAC_* or process.thread.capabilities.effective: CAP_DAC_*) and\nprocess.command_line:(*sudoers* or *passwd* or *shadow* or */root/*) and not user.id:\"0\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.thread.capabilities.effective", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.permitted", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "f7c70f2e-4616-439c-85ac-5b98415042fe", "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "f7c70f2e-4616-439c-85ac-5b98415042fe", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f7c70f2e-4616-439c-85ac-5b98415042fe_1.json b/packages/security_detection_engine/kibana/security_rule/f7c70f2e-4616-439c-85ac-5b98415042fe_1.json
deleted file mode 100644
index 842efc7f46b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f7c70f2e-4616-439c-85ac-5b98415042fe_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potential privilege escalation exploitation of DAC (Discretionary access control) file permissions. The rule identifies exploitation of DAC checks on sensitive file paths via suspicious processes whose capabilities include CAP_DAC_OVERRIDE (where a process can bypass all read write and execution checks) or CAP_DAC_READ_SEARCH (where a process can read any file or perform any executable permission on the directories).", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Privilege Escalation via Linux DAC permissions", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n(process.thread.capabilities.permitted: \"CAP_DAC_*\" or process.thread.capabilities.effective: \"CAP_DAC_*\") and\nprocess.command_line : (\"*sudoers*\", \"*passwd*\", \"*shadow*\", \"*/root/*\") and user.id != \"0\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.thread.capabilities.effective", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.permitted", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "f7c70f2e-4616-439c-85ac-5b98415042fe", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "f7c70f2e-4616-439c-85ac-5b98415042fe_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f7c70f2e-4616-439c-85ac-5b98415042fe_2.json b/packages/security_detection_engine/kibana/security_rule/f7c70f2e-4616-439c-85ac-5b98415042fe_2.json
deleted file mode 100644
index e27f2cf4502..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f7c70f2e-4616-439c-85ac-5b98415042fe_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies potential privilege escalation exploitation of DAC (Discretionary access control) file permissions. The rule identifies exploitation of DAC checks on sensitive file paths via suspicious processes whose capabilities include CAP_DAC_OVERRIDE (where a process can bypass all read write and execution checks) or CAP_DAC_READ_SEARCH (where a process can read any file or perform any executable permission on the directories).", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Privilege Escalation via Linux DAC permissions", "new_terms_fields": ["host.id", "process.command_line", "process.executable"], "query": "event.category:process and host.os.type:linux and event.type:start and event.action:exec and\n(process.thread.capabilities.permitted:CAP_DAC_* or process.thread.capabilities.effective: CAP_DAC_*) and\nprocess.command_line:(*sudoers* or *passwd* or *shadow* or */root/*) and not user.id:\"0\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.thread.capabilities.effective", "type": "keyword"}, {"ecs": true, "name": "process.thread.capabilities.permitted", "type": "keyword"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "f7c70f2e-4616-439c-85ac-5b98415042fe", "setup": "## Setup\n\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "f7c70f2e-4616-439c-85ac-5b98415042fe_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26.json b/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26.json
deleted file mode 100644
index b7574ac8a12..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Worker Spawning Suspicious Processes", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"w3wp.exe\" and process.parent.args : \"MSExchange*AppPool\" and\n (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or\n ?process.pe.original_file_name in (\"cmd.exe\", \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\"))\n", "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities", "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "f81ee52c-297e-46d9-9205-07e66931df26", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 
8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "f81ee52c-297e-46d9-9205-07e66931df26", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_102.json b/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_102.json deleted file mode 100644 index ce415e0e73b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Worker Spawning Suspicious Processes", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"w3wp.exe\" and process.parent.args : \"MSExchange*AppPool\" and\n (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or\n process.pe.original_file_name in (\"cmd.exe\", \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\"))\n", "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities", "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "f81ee52c-297e-46d9-9205-07e66931df26", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom 
pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "f81ee52c-297e-46d9-9205-07e66931df26_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_103.json b/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_103.json deleted file mode 100644 index 4b8cbe92771..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Worker Spawning Suspicious Processes", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"w3wp.exe\" and process.parent.args : \"MSExchange*AppPool\" and\n (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or\n process.pe.original_file_name in (\"cmd.exe\", \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\"))\n", "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities", "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "f81ee52c-297e-46d9-9205-07e66931df26", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom 
pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "f81ee52c-297e-46d9-9205-07e66931df26_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_104.json b/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_104.json deleted file mode 100644 index f939dfacb70..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Worker Spawning Suspicious Processes", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"w3wp.exe\" and process.parent.args : \"MSExchange*AppPool\" and\n (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or\n process.pe.original_file_name in (\"cmd.exe\", \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\"))\n", "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities", "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "f81ee52c-297e-46d9-9205-07e66931df26", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom 
pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "f81ee52c-297e-46d9-9205-07e66931df26_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_105.json b/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_105.json deleted file mode 100644 index a05fa578a8c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Worker Spawning Suspicious Processes", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"w3wp.exe\" and process.parent.args : \"MSExchange*AppPool\" and\n (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or\n process.pe.original_file_name in (\"cmd.exe\", \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\"))\n", "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities", "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "f81ee52c-297e-46d9-9205-07e66931df26", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom 
pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "f81ee52c-297e-46d9-9205-07e66931df26_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_106.json b/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_106.json deleted file mode 100644 index 44a75013883..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Worker Spawning Suspicious Processes", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"w3wp.exe\" and process.parent.args : \"MSExchange*AppPool\" and\n (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or\n process.pe.original_file_name in (\"cmd.exe\", \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\"))\n", "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities", "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "f81ee52c-297e-46d9-9205-07e66931df26", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work 
effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "f81ee52c-297e-46d9-9205-07e66931df26_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_107.json b/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_107.json deleted file mode 100644 index 4e82626f23e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Worker Spawning Suspicious Processes", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"w3wp.exe\" and process.parent.args : \"MSExchange*AppPool\" and\n (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or\n ?process.pe.original_file_name in (\"cmd.exe\", \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\"))\n", "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities", "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "f81ee52c-297e-46d9-9205-07e66931df26", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work 
effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "f81ee52c-297e-46d9-9205-07e66931df26_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_108.json b/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_108.json deleted file mode 100644 index 0a889d4bb18..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Worker Spawning Suspicious Processes", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"w3wp.exe\" and process.parent.args : \"MSExchange*AppPool\" and\n (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or\n ?process.pe.original_file_name in (\"cmd.exe\", \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\"))\n", "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities", "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "f81ee52c-297e-46d9-9205-07e66931df26", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence 
for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "f81ee52c-297e-46d9-9205-07e66931df26_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_109.json b/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_109.json deleted file mode 100644 index 137ebbf142b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f81ee52c-297e-46d9-9205-07e66931df26_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Exchange Worker Spawning Suspicious Processes", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.parent.name : \"w3wp.exe\" and process.parent.args : \"MSExchange*AppPool\" and\n (process.name : (\"cmd.exe\", \"powershell.exe\", \"pwsh.exe\", \"powershell_ise.exe\") or\n ?process.pe.original_file_name in (\"cmd.exe\", \"powershell.exe\", \"pwsh.dll\", \"powershell_ise.exe\"))\n", "references": ["https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities", "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 73, "rule_id": "f81ee52c-297e-46d9-9205-07e66931df26", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 
8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1190", "name": "Exploit Public-Facing Application", "reference": "https://attack.mitre.org/techniques/T1190/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}, {"id": "T1059.003", "name": "Windows Command Shell", "reference": "https://attack.mitre.org/techniques/T1059/003/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "f81ee52c-297e-46d9-9205-07e66931df26_109", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7.json b/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7.json deleted file mode 100644 index aa0f8a2c4d0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and CVE-2020-9613 and verify that the impacted system is patched.", "false_positives": ["Trusted system or Adobe Acrobat Related processes."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.parent.name:com.adobe.ARMDC.SMJobBlessHelper and\n user.name:root and\n not process.executable: (/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper or\n /usr/bin/codesign or\n /private/var/folders/zz/*/T/download/ARMDCHammer or\n /usr/sbin/pkgutil or\n /usr/bin/shasum or\n /usr/bin/perl* or\n /usr/sbin/spctl or\n /usr/sbin/installer or\n /usr/bin/csrutil)\n", "references": ["https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 106}, "id": "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_102.json b/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_102.json deleted file mode 100644 index e917e4de85a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and CVE-2020-9613 and verify that the impacted system is patched.", "false_positives": ["Trusted system or Adobe Acrobat Related processes."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.parent.name:com.adobe.ARMDC.SMJobBlessHelper and\n user.name:root and\n not process.executable: (/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper or\n /usr/bin/codesign or\n /private/var/folders/zz/*/T/download/ARMDCHammer or\n /usr/sbin/pkgutil or\n /usr/bin/shasum or\n /usr/bin/perl* or\n /usr/sbin/spctl or\n /usr/sbin/installer or\n /usr/bin/csrutil)\n", "references": ["https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7", "severity": "high", "tags": ["Elastic", "Host", "macOS", "Threat Detection", "Privilege Escalation", "CVE-2020-9615", "CVE-2020-9614", "CVE-2020-9613"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_103.json b/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_103.json deleted file mode 100644 index 1e458a77059..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and CVE-2020-9613 and verify that the impacted system is patched.", "false_positives": ["Trusted system or Adobe Acrobat Related processes."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.parent.name:com.adobe.ARMDC.SMJobBlessHelper and\n user.name:root and\n not process.executable: (/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper or\n /usr/bin/codesign or\n /private/var/folders/zz/*/T/download/ARMDCHammer or\n /usr/sbin/pkgutil or\n /usr/bin/shasum or\n /usr/bin/perl* or\n /usr/sbin/spctl or\n /usr/sbin/installer or\n /usr/bin/csrutil)\n", "references": ["https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_104.json b/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_104.json deleted file mode 100644 index 786bd389b91..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and CVE-2020-9613 and verify that the impacted system is patched.", "false_positives": ["Trusted system or Adobe Acrobat Related processes."], "from": "now-9m", "index": ["auditbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.parent.name:com.adobe.ARMDC.SMJobBlessHelper and\n user.name:root and\n not process.executable: (/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper or\n /usr/bin/codesign or\n /private/var/folders/zz/*/T/download/ARMDCHammer or\n /usr/sbin/pkgutil or\n /usr/bin/shasum or\n /usr/bin/perl* or\n /usr/sbin/spctl or\n /usr/sbin/installer or\n /usr/bin/csrutil)\n", "references": ["https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": 
"MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_105.json b/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_105.json deleted file mode 100644 index 6a73046eea7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and CVE-2020-9613 and verify that the impacted system is patched.", "false_positives": ["Trusted system or Adobe Acrobat Related processes."], "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", "query": "event.category:process and host.os.type:macos and event.type:(start or process_started) and\n process.parent.name:com.adobe.ARMDC.SMJobBlessHelper and\n user.name:root and\n not process.executable: (/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper or\n /usr/bin/codesign or\n /private/var/folders/zz/*/T/download/ARMDCHammer or\n /usr/sbin/pkgutil or\n /usr/bin/shasum or\n /usr/bin/perl* or\n /usr/sbin/spctl or\n /usr/sbin/installer or\n /usr/bin/csrutil)\n", "references": ["https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, for MacOS it is recommended to select \"Traditional Endpoints\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f86cd31c-5c7e-4481-99d7-6875a3e31309_1.json b/packages/security_detection_engine/kibana/security_rule/f86cd31c-5c7e-4481-99d7-6875a3e31309_1.json deleted file mode 100644 index b80c2b9ceeb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f86cd31c-5c7e-4481-99d7-6875a3e31309_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule addresses multiple vulnerabilities in the CUPS printing system, including CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. Specifically, this rule detects shell executions from the foomatic-rip parent process through the default printer user (lp). These flaws impact components like cups-browsed, libcupsfilters, libppd, and foomatic-rip, allowing remote unauthenticated attackers to manipulate IPP URLs or inject malicious data through crafted UDP packets or network spoofing. This can result in arbitrary command execution when a print job is initiated.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Printer User (lp) Shell Execution", "note": "## Triage and analysis\n\n### Investigating Printer User (lp) Shell Execution\n\nThis rule identifies potential exploitation attempts of several vulnerabilities in the CUPS printing system (CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, CVE-2024-47177). These vulnerabilities allow attackers to send crafted IPP requests or manipulate UDP packets to execute arbitrary commands or modify printer configurations. Attackers can exploit these flaws to inject malicious data, leading to Remote Code Execution (RCE) on affected systems.\n\n#### Possible Investigation Steps\n\n- Investigate the incoming IPP requests or UDP packets targeting port 631.\n- Examine the printer configurations on the system to determine if any unauthorized printers or URLs have been added.\n- Investigate the process tree to check if any unexpected processes were triggered as a result of IPP activity. 
Review the executable files for legitimacy.\n- Check for additional alerts related to the compromised system or user within the last 48 hours.\n- Investigate network traffic logs for suspicious outbound connections to unrecognized domains or IP addresses.\n- Check if any of the contacted domains or addresses are newly registered or have a suspicious reputation.\n- Retrieve any scripts or executables dropped by the attack for further analysis in a private sandbox environment:\n- Analyze potential malicious activity, including:\n - Attempts to communicate with external servers.\n - File access or creation of unauthorized executables.\n - Cron jobs, services, or other persistence mechanisms.\n\n### Related Rules\n- Cupsd or Foomatic-rip Shell Execution - 476267ff-e44f-476e-99c1-04c78cb3769d\n- Network Connection by Cups or Foomatic-rip Child - e80ee207-9505-49ab-8ca8-bc57d80e2cab\n- File Creation by Cups or Foomatic-rip Child - b9b14be7-b7f4-4367-9934-81f07d2f63c4\n- Suspicious Execution from Foomatic-rip or Cupsd Parent - 986361cd-3dac-47fe-afa1-5c5dd89f2fb4\n\n### False Positive Analysis\n\n- This activity is rarely legitimate. 
However, verify the context to rule out non-malicious printer configuration changes or legitimate IPP requests.\n\n### Response and Remediation\n\n- Initiate the incident response process based on the triage outcome.\n- Isolate the compromised host to prevent further exploitation.\n- If the investigation confirms malicious activity, search the environment for additional compromised hosts.\n- Implement network segmentation or restrictions to contain the attack.\n- Stop suspicious processes or services tied to CUPS exploitation.\n- Block identified Indicators of Compromise (IoCs), including IP addresses, domains, or hashes of involved files.\n- Review compromised systems for backdoors, such as reverse shells or persistence mechanisms like cron jobs.\n- Investigate potential credential exposure on compromised systems and reset passwords for any affected accounts.\n- Restore the original printer configurations or uninstall unauthorized printer entries.\n- Perform a thorough antimalware scan to identify any lingering threats or artifacts from the attack.\n- Investigate how the attacker gained initial access and address any weaknesses to prevent future exploitation.\n- Use insights from the incident to improve detection and response times in future incidents (MTTD and MTTR).\n", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and user.name == \"lp\" and\nprocess.parent.name in (\"cupsd\", \"foomatic-rip\", \"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and\nprocess.name in (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and\nnot process.command_line like (\"*/tmp/foomatic-*\", \"*-sDEVICE=ps2write*\")\n", "references": ["https://www.elastic.co/security-labs/cups-overflow", "https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/", "https://gist.github.com/stong/c8847ef27910ae344a7b5408d9840ee1", 
"https://github.com/RickdeJager/cupshax/blob/main/cupshax.py"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 73, "rule_id": "f86cd31c-5c7e-4481-99d7-6875a3e31309", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. 
[Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Use Case: Vulnerability", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1203", "name": "Exploitation for Client Execution", "reference": "https://attack.mitre.org/techniques/T1203/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "f86cd31c-5c7e-4481-99d7-6875a3e31309_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4.json b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4.json deleted file mode 100644 index 42e09e496ed..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modifications of the AmsiEnable registry key to 0, which disables the Antimalware Scan Interface (AMSI). An adversary can modify this key to disable AMSI protections.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Modification of AmsiEnable Registry Key", "note": "## Triage and analysis\n\n### Investigating Modification of AmsiEnable Registry Key\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nSince AMSI is widely used across security products for increased visibility, attackers can disable it to evade detections that rely on it.\n\nThis rule monitors the modifications to the Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable registry key.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Retrieve scripts or Microsoft Office files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n\n### False positive analysis\n\n- This modification should not happen legitimately. 
Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Related rules\n\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Delete or set the key to its default value.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and registry.value : \"AmsiEnable\" and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\"\n ) and\n registry.data.strings: (\"0\", \"0x00000000\")\n", "references": 
["https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf", "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 73, "rule_id": "f874315d-5188-4b4a-8521-d1c73093a7e4", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 112}, "id": "f874315d-5188-4b4a-8521-d1c73093a7e4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_104.json b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_104.json deleted file mode 100644 index 12d9c8968a4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_104.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications of the AmsiEnable registry key to 0, which disables the Antimalware Scan Interface (AMSI). An adversary can modify this key to disable AMSI protections.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Modification of AmsiEnable Registry Key", "note": "## Triage and analysis\n\n### Investigating Modification of AmsiEnable Registry Key\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nSince AMSI is widely used across security products for increased visibility, attackers can disable it to evade detections that rely on it.\n\nThis rule monitors the modifications to the Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable registry key.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Retrieve scripts or Microsoft Office files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n\n### False positive analysis\n\n- This modification should not happen legitimately. 
Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Related rules\n\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Delete or set the key to its default value.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\"\n ) and\n registry.data.strings: (\"0\", \"0x00000000\")\n", "references": 
["https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf", "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "f874315d-5188-4b4a-8521-d1c73093a7e4", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "f874315d-5188-4b4a-8521-d1c73093a7e4_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_105.json b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_105.json
deleted file mode 100644
index 54801747db0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications of the AmsiEnable registry key to 0, which disables the Antimalware Scan Interface (AMSI). An adversary can modify this key to disable AMSI protections.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Modification of AmsiEnable Registry Key", "note": "## Triage and analysis\n\n### Investigating Modification of AmsiEnable Registry Key\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nSince AMSI is widely used across security products for increased visibility, attackers can disable it to evade detections that rely on it.\n\nThis rule monitors the modifications to the Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable registry key.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Retrieve scripts or Microsoft Office files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n\n### False positive analysis\n\n- This modification should not happen legitimately. 
Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Related rules\n\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Delete or set the key to its default value.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\"\n ) and\n registry.data.strings: (\"0\", \"0x00000000\")\n", "references": 
["https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf", "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "f874315d-5188-4b4a-8521-d1c73093a7e4", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "f874315d-5188-4b4a-8521-d1c73093a7e4_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_106.json b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_106.json
deleted file mode 100644
index 4431e608356..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications of the AmsiEnable registry key to 0, which disables the Antimalware Scan Interface (AMSI). An adversary can modify this key to disable AMSI protections.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Modification of AmsiEnable Registry Key", "note": "## Triage and analysis\n\n### Investigating Modification of AmsiEnable Registry Key\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nSince AMSI is widely used across security products for increased visibility, attackers can disable it to evade detections that rely on it.\n\nThis rule monitors the modifications to the Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable registry key.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Retrieve scripts or Microsoft Office files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n\n### False positive analysis\n\n- This modification should not happen legitimately. 
Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Related rules\n\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Delete or set the key to its default value.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\"\n ) and\n registry.data.strings: (\"0\", \"0x00000000\")\n", "references": 
["https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf", "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "f874315d-5188-4b4a-8521-d1c73093a7e4", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "f874315d-5188-4b4a-8521-d1c73093a7e4_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_107.json b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_107.json
deleted file mode 100644
index 53c86154510..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications of the AmsiEnable registry key to 0, which disables the Antimalware Scan Interface (AMSI). An adversary can modify this key to disable AMSI protections.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Modification of AmsiEnable Registry Key", "note": "## Triage and analysis\n\n### Investigating Modification of AmsiEnable Registry Key\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nSince AMSI is widely used across security products for increased visibility, attackers can disable it to evade detections that rely on it.\n\nThis rule monitors the modifications to the Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable registry key.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Retrieve scripts or Microsoft Office files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n\n### False positive analysis\n\n- This modification should not happen legitimately. 
Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Related rules\n\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Delete or set the key to its default value.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\"\n ) and\n registry.data.strings: (\"0\", \"0x00000000\")\n", "references": 
["https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf", "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "f874315d-5188-4b4a-8521-d1c73093a7e4", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}, {"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "f874315d-5188-4b4a-8521-d1c73093a7e4_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_108.json b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_108.json
deleted file mode 100644
index e7584333c44..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies modifications of the AmsiEnable registry key to 0, which disables the Antimalware Scan Interface (AMSI). An adversary can modify this key to disable AMSI protections.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Modification of AmsiEnable Registry Key", "note": "## Triage and analysis\n\n### Investigating Modification of AmsiEnable Registry Key\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nSince AMSI is widely used across security products for increased visibility, attackers can disable it to evade detections that rely on it.\n\nThis rule monitors the modifications to the Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable registry key.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Retrieve scripts or Microsoft Office files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n\n### False positive analysis\n\n- This modification should not happen legitimately. 
Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Related rules\n\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Delete or set the key to its default value.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\"\n ) and\n registry.data.strings: (\"0\", \"0x00000000\")\n", "references": 
["https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf", "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "f874315d-5188-4b4a-8521-d1c73093a7e4", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}, {"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": 
"f874315d-5188-4b4a-8521-d1c73093a7e4_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_109.json b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_109.json
deleted file mode 100644
index a227ff05217..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modifications of the AmsiEnable registry key to 0, which disables the Antimalware Scan Interface (AMSI). An adversary can modify this key to disable AMSI protections.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Modification of AmsiEnable Registry Key", "note": "## Triage and analysis\n\n### Investigating Modification of AmsiEnable Registry Key\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nSince AMSI is widely used across security products for increased visibility, attackers can disable it to evade detections that rely on it.\n\nThis rule monitors the modifications to the Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable registry key.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Retrieve scripts or Microsoft Office files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n\n### False positive analysis\n\n- This modification should not happen legitimately. 
Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Related rules\n\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Delete or set the key to its default value.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\"\n ) and\n registry.data.strings: (\"0\", \"0x00000000\")\n", "references": 
["https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf", "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "f874315d-5188-4b4a-8521-d1c73093a7e4", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}, {"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": 
"f874315d-5188-4b4a-8521-d1c73093a7e4_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_110.json b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_110.json
deleted file mode 100644
index 4230a7f5cb1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modifications of the AmsiEnable registry key to 0, which disables the Antimalware Scan Interface (AMSI). An adversary can modify this key to disable AMSI protections.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Modification of AmsiEnable Registry Key", "note": "## Triage and analysis\n\n### Investigating Modification of AmsiEnable Registry Key\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nSince AMSI is widely used across security products for increased visibility, attackers can disable it to evade detections that rely on it.\n\nThis rule monitors the modifications to the Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable registry key.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Retrieve scripts or Microsoft Office files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n\n### False positive analysis\n\n- This modification should not happen legitimately. 
Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Related rules\n\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Delete or set the key to its default value.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\"\n ) and\n registry.data.strings: (\"0\", \"0x00000000\")\n", "references": 
["https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf", "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "f874315d-5188-4b4a-8521-d1c73093a7e4", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}, {"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": 
"f874315d-5188-4b4a-8521-d1c73093a7e4_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_111.json b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_111.json
deleted file mode 100644
index d691385bc09..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_111.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modifications of the AmsiEnable registry key to 0, which disables the Antimalware Scan Interface (AMSI). An adversary can modify this key to disable AMSI protections.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Modification of AmsiEnable Registry Key", "note": "## Triage and analysis\n\n### Investigating Modification of AmsiEnable Registry Key\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nSince AMSI is widely used across security products for increased visibility, attackers can disable it to evade detections that rely on it.\n\nThis rule monitors the modifications to the Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable registry key.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Retrieve scripts or Microsoft Office files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n\n### False positive analysis\n\n- This modification should not happen legitimately. 
Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Related rules\n\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Delete or set the key to its default value.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\"\n ) and\n registry.data.strings: (\"0\", \"0x00000000\")\n", "references": 
["https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf", "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 73, "rule_id": "f874315d-5188-4b4a-8521-d1c73093a7e4", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": 
"f874315d-5188-4b4a-8521-d1c73093a7e4_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_112.json b/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_112.json
deleted file mode 100644
index 9dca0677d03..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f874315d-5188-4b4a-8521-d1c73093a7e4_112.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies modifications of the AmsiEnable registry key to 0, which disables the Antimalware Scan Interface (AMSI). An adversary can modify this key to disable AMSI protections.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Modification of AmsiEnable Registry Key", "note": "## Triage and analysis\n\n### Investigating Modification of AmsiEnable Registry Key\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nSince AMSI is widely used across security products for increased visibility, attackers can disable it to evade detections that rely on it.\n\nThis rule monitors the modifications to the Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable registry key.\n\n#### Possible investigation steps\n\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Retrieve scripts or Microsoft Office files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Use process name, command line, and file hash to search for occurrences on other hosts.\n\n### False positive analysis\n\n- This modification should not happen legitimately. 
Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Related rules\n\n- Microsoft Windows Defender Tampering - fe794edd-487f-4a90-b285-3ee54f2af2d3\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Delete or set the key to its default value.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and registry.value : \"AmsiEnable\" and\n registry.path : (\n \"HKEY_USERS\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"HKU\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\",\n \"\\\\REGISTRY\\\\USER\\\\*\\\\Software\\\\Microsoft\\\\Windows Script\\\\Settings\\\\AmsiEnable\"\n ) and\n registry.data.strings: (\"0\", \"0x00000000\")\n", "references": 
["https://hackinparis.com/data/slides/2019/talks/HIP2019-Dominic_Chell-Cracking_The_Perimeter_With_Sharpshooter.pdf", "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 73, "rule_id": "f874315d-5188-4b4a-8521-d1c73093a7e4", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": 
"event.ingested", "type": "eql", "version": 112}, "id": "f874315d-5188-4b4a-8521-d1c73093a7e4_112", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f8822053-a5d2-46db-8c96-d460b12c36ac.json b/packages/security_detection_engine/kibana/security_rule/f8822053-a5d2-46db-8c96-d460b12c36ac.json
deleted file mode 100644
index e66eadaf5fa..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f8822053-a5d2-46db-8c96-d460b12c36ac.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the nTSecurityDescriptor attribute in a domain object with rights related to DCSync to a user/computer account. Attackers can use this backdoor to re-obtain access to hashes of any user/computer.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Active Directory Replication Account Backdoor", "note": "", "query": "event.action:(\"Directory Service Changes\" or \"directory-service-object-modified\") and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"nTSecurityDescriptor\" and\n winlog.event_data.AttributeValue : (\n (\n *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and\n *89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-*\n )\n )\n", "references": ["https://twitter.com/menasec1/status/1111556090137903104", "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml", "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-all", "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes", "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-in-filtered-set"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}], "risk_score": 47, "rule_id": "f8822053-a5d2-46db-8c96-d460b12c36ac", 
"setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.006", "name": "DCSync", "reference": "https://attack.mitre.org/techniques/T1003/006/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "f8822053-a5d2-46db-8c96-d460b12c36ac", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f8822053-a5d2-46db-8c96-d460b12c36ac_1.json b/packages/security_detection_engine/kibana/security_rule/f8822053-a5d2-46db-8c96-d460b12c36ac_1.json deleted file mode 100644 index 365002ab954..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f8822053-a5d2-46db-8c96-d460b12c36ac_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the nTSecurityDescriptor attribute in a domain object with rights related to DCSync to a user/computer account. Attackers can use this backdoor to re-obtain access to hashes of any user/computer.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Active Directory Replication Account Backdoor", "note": "", "query": "event.action:(\"Directory Service Changes\" or \"directory-service-object-modified\") and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"nTSecurityDescriptor\" and\n winlog.event_data.AttributeValue : (\n (\n *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and\n *89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-*\n )\n )\n", "references": ["https://twitter.com/menasec1/status/1111556090137903104", "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml", "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-all", "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes", "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-in-filtered-set"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}], "risk_score": 47, "rule_id": "f8822053-a5d2-46db-8c96-d460b12c36ac", 
"setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.006", "name": "DCSync", "reference": "https://attack.mitre.org/techniques/T1003/006/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "f8822053-a5d2-46db-8c96-d460b12c36ac_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f8822053-a5d2-46db-8c96-d460b12c36ac_2.json b/packages/security_detection_engine/kibana/security_rule/f8822053-a5d2-46db-8c96-d460b12c36ac_2.json
deleted file mode 100644
index 1b82af1efff..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f8822053-a5d2-46db-8c96-d460b12c36ac_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the nTSecurityDescriptor attribute in a domain object with rights related to DCSync to a user/computer account. Attackers can use this backdoor to re-obtain access to hashes of any user/computer.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Active Directory Replication Account Backdoor", "note": "", "query": "event.action:(\"Directory Service Changes\" or \"directory-service-object-modified\") and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"nTSecurityDescriptor\" and\n winlog.event_data.AttributeValue : (\n (\n *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and\n *89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-*\n )\n )\n", "references": ["https://twitter.com/menasec1/status/1111556090137903104", "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml", "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-all", "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes", "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-in-filtered-set"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}], "risk_score": 47, "rule_id": "f8822053-a5d2-46db-8c96-d460b12c36ac", 
"setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.006", "name": "DCSync", "reference": "https://attack.mitre.org/techniques/T1003/006/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "f8822053-a5d2-46db-8c96-d460b12c36ac_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f8822053-a5d2-46db-8c96-d460b12c36ac_3.json b/packages/security_detection_engine/kibana/security_rule/f8822053-a5d2-46db-8c96-d460b12c36ac_3.json
deleted file mode 100644
index fa5709ae737..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f8822053-a5d2-46db-8c96-d460b12c36ac_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the modification of the nTSecurityDescriptor attribute in a domain object with rights related to DCSync to a user/computer account. Attackers can use this backdoor to re-obtain access to hashes of any user/computer.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "kuery", "license": "Elastic License v2", "name": "Potential Active Directory Replication Account Backdoor", "note": "", "query": "event.action:(\"Directory Service Changes\" or \"directory-service-object-modified\") and event.code:\"5136\" and\n winlog.event_data.AttributeLDAPDisplayName:\"nTSecurityDescriptor\" and\n winlog.event_data.AttributeValue : (\n (\n *1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and\n *1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-* and\n *89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-*\n )\n )\n", "references": ["https://twitter.com/menasec1/status/1111556090137903104", "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml", "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-all", "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes", "https://learn.microsoft.com/en-us/windows/win32/adschema/r-ds-replication-get-changes-in-filtered-set"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.code", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.AttributeLDAPDisplayName", "type": "unknown"}, {"ecs": false, "name": "winlog.event_data.AttributeValue", "type": "unknown"}], "risk_score": 47, "rule_id": "f8822053-a5d2-46db-8c96-d460b12c36ac", 
"setup": "The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nPolicies >\nWindows Settings >\nSecurity Settings >\nAdvanced Audit Policies Configuration >\nAudit Policies >\nDS Access >\nAudit Directory Service Changes (Success,Failure)\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Use Case: Active Directory Monitoring", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.006", "name": "DCSync", "reference": "https://attack.mitre.org/techniques/T1003/006/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "f8822053-a5d2-46db-8c96-d460b12c36ac_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f94e898e-94f1-4545-8923-03e4b2866211.json b/packages/security_detection_engine/kibana/security_rule/f94e898e-94f1-4545-8923-03e4b2866211.json
deleted file mode 100644
index aaace453063..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f94e898e-94f1-4545-8923-03e4b2866211.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "A new PAT was used for a GitHub user not previously seen in the last 14 days.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-github.audit-*"], "language": "kuery", "license": "Elastic License v2", "name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User", "new_terms_fields": ["user.name", "github.hashed_token"], "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and\ngithub.hashed_token:* and user.name:* and\ngithub.programmatic_access_type:(\"OAuth access token\" or \"Fine-grained personal access token\")\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "github.hashed_token", "type": "keyword"}, {"ecs": false, "name": "github.programmatic_access_type", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f94e898e-94f1-4545-8923-03e4b2866211", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.001", "name": "Additional Cloud Credentials", "reference": "https://attack.mitre.org/techniques/T1098/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "f94e898e-94f1-4545-8923-03e4b2866211", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f94e898e-94f1-4545-8923-03e4b2866211_1.json b/packages/security_detection_engine/kibana/security_rule/f94e898e-94f1-4545-8923-03e4b2866211_1.json
deleted file mode 100644
index 1cb31653727..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f94e898e-94f1-4545-8923-03e4b2866211_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "A new PAT was used for a GitHub user not previously seen in the last 14 days.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-github.audit-*"], "language": "kuery", "license": "Elastic License v2", "name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User", "new_terms_fields": ["user.name", "github.hashed_token"], "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and\ngithub.hashed_token:* and user.name:* and\ngithub.programmatic_access_type:(\"OAuth access token\" or \"Fine-grained personal access token\")\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "github.hashed_token", "type": "keyword"}, {"ecs": false, "name": "github.programmatic_access_type", "type": "keyword"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f94e898e-94f1-4545-8923-03e4b2866211", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Persistence", "Rule Type: BBR", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": "https://attack.mitre.org/techniques/T1098/", "subtechnique": [{"id": "T1098.001", "name": "Additional Cloud Credentials", "reference": "https://attack.mitre.org/techniques/T1098/001/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "f94e898e-94f1-4545-8923-03e4b2866211_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f94e898e-94f1-4545-8923-03e4b2866211_103.json b/packages/security_detection_engine/kibana/security_rule/f94e898e-94f1-4545-8923-03e4b2866211_103.json
new file mode 100644
index 00000000000..3d5b96de254
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/f94e898e-94f1-4545-8923-03e4b2866211_103.json
@@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "A new PAT was used for a GitHub user not previously seen in the last 14 days.", + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "logs-github.audit-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "First Occurrence of Personal Access Token (PAT) Use For a GitHub User", + "new_terms_fields": [ + "user.name", + "github.hashed_token" + ], + "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and\ngithub.hashed_token:* and user.name:* and\ngithub.programmatic_access_type:(\"OAuth access token\" or \"Fine-grained personal access token\")\n", + "related_integrations": [ + { + "package": "github", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "github.hashed_token", + "type": "keyword" + }, + { + "ecs": false, + "name": "github.programmatic_access_type", + "type": "keyword" + }, + { + "ecs": true, + "name": "user.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "f94e898e-94f1-4545-8923-03e4b2866211", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Persistence", + "Rule Type: BBR", + "Data Source: Github" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1098", + "name": "Account Manipulation", + "reference": "https://attack.mitre.org/techniques/T1098/", + "subtechnique": [ + { + "id": "T1098.001", + "name": "Additional Cloud Credentials", + "reference": "https://attack.mitre.org/techniques/T1098/001/" + } + ] + } + ] + } + ], + "timestamp_override": 
"event.ingested",
+ "type": "new_terms",
+ "version": 103
+ },
+ "id": "f94e898e-94f1-4545-8923-03e4b2866211_103",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9.json b/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9.json
deleted file mode 100644
index 56d8a642849..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9.json
+++ /dev/null
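Review bot: The `description` of the new `_103` asset ("A new PAT was used for a GitHub user not previously seen in the last 14 days.") is narrower than its `query`, which also fires on `github.programmatic_access_type:"OAuth access token"`, so an analyst triaging a hit raised by an OAuth token reads a description that does not cover that case. Suggest `"description": "A new fine-grained personal access token (PAT) or OAuth access token was used for a GitHub user not previously seen in the last 14 days."` so the text matches the two token types the query enumerates. The wording is carried over unchanged from the deleted v1 assets, so this is pre-existing rather than introduced by this package bump.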
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 25, "author": ["Elastic"], "description": "Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.", "false_positives": ["Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_network_configuration_discovery"], "name": "Unusual Linux Network Configuration Discovery", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9", "setup": "## Setup\n\nThis rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:\n- Elastic Defend\n- Auditd Manager\n\n### Anomaly Detection Setup\n\nOnce the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the \"Definition\" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration to your system:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" to your system:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and 
receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\n- For this detection rule no additional audit rules are required.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/"}]}], "type": "machine_learning", "version": 105}, "id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_101.json b/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_101.json deleted file mode 100644 index bbaaf73666b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 25, "author": ["Elastic"], "description": "Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.", "false_positives": ["Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_network_configuration_discovery"], "name": "Unusual Linux System Network Configuration Discovery", "risk_score": 21, "rule_id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9", "severity": "low", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/"}]}], "type": "machine_learning", "version": 101}, "id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_102.json b/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_102.json deleted file mode 100644 index 399b9103d81..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 25, "author": ["Elastic"], "description": "Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.", "false_positives": ["Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_network_configuration_discovery"], "name": "Unusual Linux Network Configuration Discovery", "risk_score": 21, "rule_id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9", "severity": "low", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/"}]}], "type": "machine_learning", "version": 102}, "id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_103.json b/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_103.json deleted file mode 100644 index 5d5665f781f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 25, "author": ["Elastic"], "description": "Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.", "false_positives": ["Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_network_configuration_discovery"], "name": "Unusual Linux Network Configuration Discovery", "risk_score": 21, "rule_id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/"}]}], "type": "machine_learning", "version": 103}, "id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_104.json b/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_104.json deleted file mode 100644 index c6db4168162..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/f9590f47-6bd5-4a49-bd49-a2f886476fb9_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"anomaly_threshold": 25, "author": ["Elastic"], "description": "Looks for commands related to system network configuration discovery from an unusual user context. This can be due to uncommon troubleshooting activity or due to a compromised account. A compromised account may be used by a threat actor to engage in system network configuration discovery in order to increase their understanding of connected networks and hosts. This information may be used to shape follow-up behaviors such as lateral movement or additional discovery.", "false_positives": ["Uncommon user command activity can be due to an engineer logging onto a server instance in order to perform manual troubleshooting or reconfiguration."], "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": ["v3_linux_network_configuration_discovery"], "name": "Unusual Linux Network Configuration Discovery", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}, {"package": "endpoint", "version": "^8.2.0"}], "risk_score": 21, "rule_id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": "https://attack.mitre.org/techniques/T1016/"}]}], "type": "machine_learning", "version": 104}, "id": "f9590f47-6bd5-4a49-bd49-a2f886476fb9_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49.json b/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49.json
deleted file mode 100644
index 13b386be6e6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). Adversaries could leverage Windows BITS transfer jobs to download remote payloads.", "from": "now-9m", "index": ["logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Ingress Transfer via Windows BITS", "note": "## Triage and analysis\n\n### Investigating Ingress Transfer via Windows BITS\n\nWindows Background Intelligent Transfer Service (BITS) is a technology that allows the transfer of files between a client and a server, which makes it a dual-use mechanism, being used by both legitimate apps and attackers. When malicious applications create BITS jobs, files are downloaded or uploaded in the context of the service host process, which can bypass security protections, and it helps to obscure which application requested the transfer.\n\nThis rule identifies such abuse by monitoring for file renaming events involving \"svchost.exe\" and \"BIT*.tmp\" on Windows systems.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Gain context into the BITS transfer.\n - Try to determine the process that initiated the BITS transfer.\n - Search `bitsadmin.exe` processes and examine their command lines.\n - Look for unusual processes loading `Bitsproxy.dll` and other BITS-related DLLs.\n - Try to determine the origin of the file.\n - Inspect network connections initiated by `svchost.exe`.\n - Inspect `Microsoft-Windows-Bits-Client/Operational` Windows logs, specifically the event ID 59, for unusual events.\n - Velociraptor can be used to extract these entries using the [bitsadmin artifact](https://docs.velociraptor.app/exchange/artifacts/pages/bitsadmin/).\n - Check the reputation of the remote server involved in the BITS transfer, such as its IP address or domain, using threat intelligence platforms or online reputation services.\n - Check if the domain is newly registered or unexpected.\n - Use the identified domain as an indicator of compromise (IoCs) to scope other compromised hosts in the environment.\n - [BitsParser](https://github.com/fireeye/BitsParser) can be used to parse BITS database files to extract BITS job information.\n- Examine the details of the dropped file, and whether it was executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the involved executables using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve 
DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- Known false positives for the rule include legitimate software and system updates that use BITS for downloading files.\n\n### Related Rules\n\n- Persistence via BITS Job Notify Cmdline - c3b915e0-22f3-4bf7-991d-b643513c722f\n- Unsigned BITS Service Client Process - 9a3884d0-282d-45ea-86ce-b9c81100f026\n- Bitsadmin Activity - 8eec4df1-4b4b-4502-b6c3-c788714604c9\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If 
malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.action == \"rename\" and\n process.name : \"svchost.exe\" and file.Ext.original.name : \"BIT*.tmp\" and \n (file.extension : (\"exe\", \"zip\", \"rar\", \"bat\", \"dll\", \"ps1\", \"vbs\", \"wsh\", \"js\", \"vbe\", \"pif\", \"scr\", \"cmd\", \"cpl\") or\n file.Ext.header_bytes : \"4d5a*\") and \n \n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\n not file.path : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\*\", \"?:\\\\ProgramData\\\\*\\\\*\") and \n \n /* lot of third party SW use BITS to download executables with a long file name */\n not length(file.name) > 30 and\n not file.path : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp*\\\\wct*.tmp\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Adobe\\\\ARM\\\\*\\\\RdrServicesUpdater*.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Adobe\\\\ARM\\\\*\\\\AcroServicesUpdater*.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Docker Desktop Installer\\\\update-*.exe\"\n )\n", "references": ["https://attack.mitre.org/techniques/T1197/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": false, "name": "file.Ext.original.name", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": 
true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f95972d3-c23b-463b-89a8-796b3f369b49", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": "https://attack.mitre.org/techniques/T1197/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "f95972d3-c23b-463b-89a8-796b3f369b49", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_2.json b/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_2.json deleted file mode 100644 index 8de8b8cbbef..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). Adversaries could leverage Windows BITS transfer jobs to download remote payloads.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Ingress Transfer via Windows BITS", "query": "file where host.os.type == \"windows\" and event.action == \"rename\" and\n\nprocess.name : \"svchost.exe\" and file.Ext.original.name : \"BIT*.tmp\" and \n (file.extension :(\"exe\", \"zip\", \"rar\", \"bat\", \"dll\", \"ps1\", \"vbs\", \"wsh\", \"js\", \"vbe\", \"pif\", \"scr\", \"cmd\", \"cpl\") or file.Ext.header_bytes : \"4d5a*\") and \n \n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\n not file.path : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\*\", \"?:\\\\ProgramData\\\\*\\\\*\") and \n \n /* lot of third party SW use BITS to download executables with a long file name */\n not length(file.name) > 30\n", "references": ["https://attack.mitre.org/techniques/T1197/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": false, "name": "file.Ext.original.name", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f95972d3-c23b-463b-89a8-796b3f369b49", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Command and Control"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": "https://attack.mitre.org/techniques/T1197/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "f95972d3-c23b-463b-89a8-796b3f369b49_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_3.json b/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_3.json deleted file mode 100644 index 7430288da7e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). Adversaries could leverage Windows BITS transfer jobs to download remote payloads.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Ingress Transfer via Windows BITS", "query": "file where host.os.type == \"windows\" and event.action == \"rename\" and\n\nprocess.name : \"svchost.exe\" and file.Ext.original.name : \"BIT*.tmp\" and \n (file.extension :(\"exe\", \"zip\", \"rar\", \"bat\", \"dll\", \"ps1\", \"vbs\", \"wsh\", \"js\", \"vbe\", \"pif\", \"scr\", \"cmd\", \"cpl\") or file.Ext.header_bytes : \"4d5a*\") and \n \n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\n not file.path : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\*\", \"?:\\\\ProgramData\\\\*\\\\*\") and \n \n /* lot of third party SW use BITS to download executables with a long file name */\n not length(file.name) > 30\n", "references": ["https://attack.mitre.org/techniques/T1197/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": false, "name": "file.Ext.original.name", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f95972d3-c23b-463b-89a8-796b3f369b49", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and 
Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": "https://attack.mitre.org/techniques/T1197/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "f95972d3-c23b-463b-89a8-796b3f369b49_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_4.json b/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_4.json deleted file mode 100644 index 9d865972512..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). Adversaries could leverage Windows BITS transfer jobs to download remote payloads.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Ingress Transfer via Windows BITS", "query": "file where host.os.type == \"windows\" and event.action == \"rename\" and\n\nprocess.name : \"svchost.exe\" and file.Ext.original.name : \"BIT*.tmp\" and \n (file.extension :(\"exe\", \"zip\", \"rar\", \"bat\", \"dll\", \"ps1\", \"vbs\", \"wsh\", \"js\", \"vbe\", \"pif\", \"scr\", \"cmd\", \"cpl\") or file.Ext.header_bytes : \"4d5a*\") and \n \n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\n not file.path : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\*\", \"?:\\\\ProgramData\\\\*\\\\*\") and \n \n /* lot of third party SW use BITS to download executables with a long file name */\n not length(file.name) > 30\n", "references": ["https://attack.mitre.org/techniques/T1197/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": false, "name": "file.Ext.original.name", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f95972d3-c23b-463b-89a8-796b3f369b49", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and 
Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": "https://attack.mitre.org/techniques/T1197/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "f95972d3-c23b-463b-89a8-796b3f369b49_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_5.json b/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_5.json deleted file mode 100644 index 1b3f4f5464c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). Adversaries could leverage Windows BITS transfer jobs to download remote payloads.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Ingress Transfer via Windows BITS", "query": "file where host.os.type == \"windows\" and event.action == \"rename\" and\n process.name : \"svchost.exe\" and file.Ext.original.name : \"BIT*.tmp\" and \n (file.extension : (\"exe\", \"zip\", \"rar\", \"bat\", \"dll\", \"ps1\", \"vbs\", \"wsh\", \"js\", \"vbe\", \"pif\", \"scr\", \"cmd\", \"cpl\") or\n file.Ext.header_bytes : \"4d5a*\") and \n \n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\n not file.path : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\*\", \"?:\\\\ProgramData\\\\*\\\\*\") and \n \n /* lot of third party SW use BITS to download executables with a long file name */\n not length(file.name) > 30 and\n not file.path : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp*\\\\wct*.tmp\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Adobe\\\\ARM\\\\*\\\\RdrServicesUpdater*.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Docker Desktop Installer\\\\update-*.exe\"\n )\n", "references": ["https://attack.mitre.org/techniques/T1197/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": false, "name": "file.Ext.original.name", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": 
"keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f95972d3-c23b-463b-89a8-796b3f369b49", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": "https://attack.mitre.org/techniques/T1197/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "f95972d3-c23b-463b-89a8-796b3f369b49_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_6.json b/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_6.json deleted file mode 100644 index 506c2915ea9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). Adversaries could leverage Windows BITS transfer jobs to download remote payloads.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Ingress Transfer via Windows BITS", "note": "## Triage and analysis\n\n### Investigating Ingress Transfer via Windows BITS\n\nWindows Background Intelligent Transfer Service (BITS) is a technology that allows the transfer of files between a client and a server, which makes it a dual-use mechanism, being used by both legitimate apps and attackers. When malicious applications create BITS jobs, files are downloaded or uploaded in the context of the service host process, which can bypass security protections, and it helps to obscure which application requested the transfer.\n\nThis rule identifies such abuse by monitoring for file renaming events involving \"svchost.exe\" and \"BIT*.tmp\" on Windows systems.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Gain context into the BITS transfer.\n - Try to determine the process that initiated the BITS transfer.\n - Search `bitsadmin.exe` processes and examine their command lines.\n - Look for unusual processes loading `Bitsproxy.dll` and other BITS-related DLLs.\n - Try to determine the origin of the file.\n - Inspect network connections initiated by `svchost.exe`.\n - Inspect `Microsoft-Windows-Bits-Client/Operational` Windows logs, specifically the event ID 59, for unusual events.\n - Velociraptor can be used to extract these entries using the [bitsadmin artifact](https://docs.velociraptor.app/exchange/artifacts/pages/bitsadmin/).\n - Check the reputation of the remote server involved in the BITS transfer, such as its IP address or domain, using threat intelligence platforms or online reputation services.\n - Check if the domain is newly registered or unexpected.\n - Use the identified domain as an indicator of compromise (IoCs) to scope other compromised hosts in the environment.\n - [BitsParser](https://github.com/fireeye/BitsParser) can be used to parse BITS database files to extract BITS job information.\n- Examine the details of the dropped file, and whether it was executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the involved executables using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve 
DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- Known false positives for the rule include legitimate software and system updates that use BITS for downloading files.\n\n### Related Rules\n\n- Persistence via BITS Job Notify Cmdline - c3b915e0-22f3-4bf7-991d-b643513c722f\n- Unsigned BITS Service Client Process - 9a3884d0-282d-45ea-86ce-b9c81100f026\n- Bitsadmin Activity - 8eec4df1-4b4b-4502-b6c3-c788714604c9\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If 
malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.action == \"rename\" and\n process.name : \"svchost.exe\" and file.Ext.original.name : \"BIT*.tmp\" and \n (file.extension : (\"exe\", \"zip\", \"rar\", \"bat\", \"dll\", \"ps1\", \"vbs\", \"wsh\", \"js\", \"vbe\", \"pif\", \"scr\", \"cmd\", \"cpl\") or\n file.Ext.header_bytes : \"4d5a*\") and \n \n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\n not file.path : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\*\", \"?:\\\\ProgramData\\\\*\\\\*\") and \n \n /* lot of third party SW use BITS to download executables with a long file name */\n not length(file.name) > 30 and\n not file.path : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp*\\\\wct*.tmp\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Adobe\\\\ARM\\\\*\\\\RdrServicesUpdater*.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Adobe\\\\ARM\\\\*\\\\AcroServicesUpdater2_x64.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Docker Desktop Installer\\\\update-*.exe\"\n )\n", "references": ["https://attack.mitre.org/techniques/T1197/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": false, "name": "file.Ext.original.name", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, 
{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f95972d3-c23b-463b-89a8-796b3f369b49", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": "https://attack.mitre.org/techniques/T1197/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "f95972d3-c23b-463b-89a8-796b3f369b49_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_7.json b/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_7.json deleted file mode 100644 index fd7737219e6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f95972d3-c23b-463b-89a8-796b3f369b49_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies downloads of executable and archive files via the Windows Background Intelligent Transfer Service (BITS). Adversaries could leverage Windows BITS transfer jobs to download remote payloads.", "from": "now-9m", "index": ["logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Ingress Transfer via Windows BITS", "note": "## Triage and analysis\n\n### Investigating Ingress Transfer via Windows BITS\n\nWindows Background Intelligent Transfer Service (BITS) is a technology that allows the transfer of files between a client and a server, which makes it a dual-use mechanism, being used by both legitimate apps and attackers. When malicious applications create BITS jobs, files are downloaded or uploaded in the context of the service host process, which can bypass security protections, and it helps to obscure which application requested the transfer.\n\nThis rule identifies such abuse by monitoring for file renaming events involving \"svchost.exe\" and \"BIT*.tmp\" on Windows systems.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Gain context into the BITS transfer.\n - Try to determine the process that initiated the BITS transfer.\n - Search `bitsadmin.exe` processes and examine their command lines.\n - Look for unusual processes loading `Bitsproxy.dll` and other BITS-related DLLs.\n - Try to determine the origin of the file.\n - Inspect network connections initiated by `svchost.exe`.\n - Inspect `Microsoft-Windows-Bits-Client/Operational` Windows logs, specifically the event ID 59, for unusual events.\n - Velociraptor can be used to extract these entries using the [bitsadmin artifact](https://docs.velociraptor.app/exchange/artifacts/pages/bitsadmin/).\n - Check the reputation of the remote server involved in the BITS transfer, such as its IP address or domain, using threat intelligence platforms or online reputation services.\n - Check if the domain is newly registered or unexpected.\n - Use the identified domain as an indicator of compromise (IoCs) to scope other compromised hosts in the environment.\n - [BitsParser](https://github.com/fireeye/BitsParser) can be used to parse BITS database files to extract BITS job information.\n- Examine the details of the dropped file, and whether it was executed.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the involved executables using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve 
DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- Known false positives for the rule include legitimate software and system updates that use BITS for downloading files.\n\n### Related Rules\n\n- Persistence via BITS Job Notify Cmdline - c3b915e0-22f3-4bf7-991d-b643513c722f\n- Unsigned BITS Service Client Process - 9a3884d0-282d-45ea-86ce-b9c81100f026\n- Bitsadmin Activity - 8eec4df1-4b4b-4502-b6c3-c788714604c9\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If 
malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Restore the affected system to its operational state by applying any necessary patches, updates, or configuration changes.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.action == \"rename\" and\n process.name : \"svchost.exe\" and file.Ext.original.name : \"BIT*.tmp\" and \n (file.extension : (\"exe\", \"zip\", \"rar\", \"bat\", \"dll\", \"ps1\", \"vbs\", \"wsh\", \"js\", \"vbe\", \"pif\", \"scr\", \"cmd\", \"cpl\") or\n file.Ext.header_bytes : \"4d5a*\") and \n \n /* noisy paths, for hunting purposes you can use the same query without the following exclusions */\n not file.path : (\"?:\\\\Program Files\\\\*\", \"?:\\\\Program Files (x86)\\\\*\", \"?:\\\\Windows\\\\*\", \"?:\\\\ProgramData\\\\*\\\\*\") and \n \n /* lot of third party SW use BITS to download executables with a long file name */\n not length(file.name) > 30 and\n not file.path : (\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp*\\\\wct*.tmp\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Adobe\\\\ARM\\\\*\\\\RdrServicesUpdater*.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Adobe\\\\ARM\\\\*\\\\AcroServicesUpdater2_x64.exe\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Docker Desktop Installer\\\\update-*.exe\"\n )\n", "references": ["https://attack.mitre.org/techniques/T1197/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.header_bytes", "type": "unknown"}, {"ecs": false, "name": "file.Ext.original.name", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, 
{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f95972d3-c23b-463b-89a8-796b3f369b49", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": "https://attack.mitre.org/techniques/T1197/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "f95972d3-c23b-463b-89a8-796b3f369b49_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f97504ac-1053-498f-aeaa-c6d01e76b379.json b/packages/security_detection_engine/kibana/security_rule/f97504ac-1053-498f-aeaa-c6d01e76b379.json deleted file mode 100644 index 1f3f38ad0e1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f97504ac-1053-498f-aeaa-c6d01e76b379.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the install of browser extensions. Malicious browser extensions can be installed via app store downloads masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.", "from": "now-9m", "index": ["logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Browser Extension Install", "query": "file where host.os.type == \"windows\" and event.action : \"creation\" and \n(\n /* Firefox-Based Browsers */\n (\n file.name : \"*.xpi\" and\n file.path : \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\*\\\\Profiles\\\\*\\\\Extensions\\\\*.xpi\" and\n not \n (\n process.name : \"firefox.exe\" and\n file.name : (\"langpack-*@firefox.mozilla.org.xpi\", \"*@dictionaries.addons.mozilla.org.xpi\")\n )\n ) or\n /* Chromium-Based Browsers */\n (\n file.name : \"*.crx\" and\n file.path : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\*\\\\*\\\\User Data\\\\Webstore Downloads\\\\*\"\n )\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f97504ac-1053-498f-aeaa-c6d01e76b379", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1176", "name": "Browser Extensions", "reference": "https://attack.mitre.org/techniques/T1176/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": 
"f97504ac-1053-498f-aeaa-c6d01e76b379", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f97504ac-1053-498f-aeaa-c6d01e76b379_1.json b/packages/security_detection_engine/kibana/security_rule/f97504ac-1053-498f-aeaa-c6d01e76b379_1.json
deleted file mode 100644
index 8ba64460784..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f97504ac-1053-498f-aeaa-c6d01e76b379_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the install of browser extensions. Malicious browser extensions can be installed via app store downloads masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Browser Extension Install", "query": "file where event.action : \"creation\" and \n(\n /* Firefox-Based Browsers */\n (\n file.name : \"*.xpi\" and\n file.path : \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\*\\\\Profiles\\\\*\\\\Extensions\\\\*.xpi\"\n ) or\n /* Chromium-Based Browsers */\n (\n file.name : \"*.crx\" and\n file.path : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\*\\\\*\\\\User Data\\\\Webstore Downloads\\\\*\"\n )\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}], "risk_score": 21, "rule_id": "f97504ac-1053-498f-aeaa-c6d01e76b379", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1176", "name": "Browser Extensions", "reference": "https://attack.mitre.org/techniques/T1176/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "f97504ac-1053-498f-aeaa-c6d01e76b379_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/f97504ac-1053-498f-aeaa-c6d01e76b379_2.json b/packages/security_detection_engine/kibana/security_rule/f97504ac-1053-498f-aeaa-c6d01e76b379_2.json
deleted file mode 100644
index 65c809364da..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f97504ac-1053-498f-aeaa-c6d01e76b379_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the install of browser extensions. Malicious browser extensions can be installed via app store downloads masquerading as legitimate extensions, social engineering, or by an adversary that has already compromised a system.", "from": "now-9m", "index": ["logs-endpoint.events.file-*"], "language": "eql", "license": "Elastic License v2", "name": "Browser Extension Install", "query": "file where host.os.type == \"windows\" and event.action : \"creation\" and \n(\n /* Firefox-Based Browsers */\n (\n file.name : \"*.xpi\" and\n file.path : \"?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\*\\\\Profiles\\\\*\\\\Extensions\\\\*.xpi\" and\n not \n (\n process.name : \"firefox.exe\" and\n file.name : (\"langpack-*@firefox.mozilla.org.xpi\", \"*@dictionaries.addons.mozilla.org.xpi\")\n )\n ) or\n /* Chromium-Based Browsers */\n (\n file.name : \"*.crx\" and\n file.path : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\*\\\\*\\\\User Data\\\\Webstore Downloads\\\\*\"\n )\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "f97504ac-1053-498f-aeaa-c6d01e76b379", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1176", "name": "Browser Extensions", "reference": "https://attack.mitre.org/techniques/T1176/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": 
"f97504ac-1053-498f-aeaa-c6d01e76b379_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029.json b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029.json
deleted file mode 100644
index dfa061c2605..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple consecutive logon failures targeting an Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "eql", "license": "Elastic License v2", "name": "Privileged Account Brute Force", "note": "## Triage and analysis\n\n### Investigating Privileged Account Brute Force\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and user.name : \"*admin*\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Status", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 10}, "id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_10.json b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_10.json deleted file mode 100644 index fa4cfd6be9e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_10.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple consecutive logon failures targeting an Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "eql", "license": "Elastic License v2", "name": "Privileged Account Brute Force", "note": "## Triage and analysis\n\n### Investigating Privileged Account Brute Force\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and user.name : \"*admin*\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Status", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 10}, "id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029_10", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_4.json b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_4.json deleted file mode 100644 index ae0c7550da4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple consecutive logon failures targeting an Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Privileged Account Brute Force", "note": "## Triage and analysis\n\n### Investigating Privileged Account Brute Force\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. 
If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where host.os.type == \"windows\" and event.action == \"logon-failed\" and\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and user.name : \"*admin*\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Status", "type": "keyword"}, {"ecs": false, "name": 
"winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 4}, "id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_5.json b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_5.json deleted file mode 100644 index 2aed6d7521f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple consecutive logon failures targeting an Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Privileged Account Brute Force", "note": "## Triage and analysis\n\n### Investigating Privileged Account Brute Force\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where host.os.type == \"windows\" and event.action == \"logon-failed\" and\n winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and user.name : \"*admin*\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Status", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", 
"Threat Detection", "Credential Access", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 5}, "id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_6.json b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_6.json deleted file mode 100644 index 79b1a9fccf1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple consecutive logon failures targeting an Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Privileged Account Brute Force", "note": "## Triage and analysis\n\n### Investigating Privileged Account Brute Force\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and user.name : \"*admin*\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Status", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 6}, "id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_7.json b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_7.json deleted file mode 100644 index f54ce191ba7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple consecutive logon failures targeting an Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Privileged Account Brute Force", "note": "## Triage and analysis\n\n### Investigating Privileged Account Brute Force\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and user.name : \"*admin*\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Status", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation 
Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 7}, "id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_8.json b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_8.json deleted file mode 100644 index d4055bbaa19..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple consecutive logon failures targeting an Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Privileged Account Brute Force", "note": "## Triage and analysis\n\n### Investigating Privileged Account Brute Force\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and user.name : \"*admin*\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Status", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 8}, "id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029_8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_9.json b/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_9.json deleted file mode 100644 index 64cb76cfb24..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f9790abf-bd0c-45f9-8b5f-d0b74015e029_9.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple consecutive logon failures targeting an Admin account from the same source address and within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to accounts.", "from": "now-9m", "index": ["winlogbeat-*", "logs-system.security*", "logs-windows.forwarded*"], "language": "eql", "license": "Elastic License v2", "name": "Privileged Account Brute Force", "note": "## Triage and analysis\n\n### Investigating Privileged Account Brute Force\n\nAdversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to guess the password using a repetitive or iterative mechanism systematically. More details can be found [here](https://attack.mitre.org/techniques/T1110/001/).\n\nThis rule identifies potential password guessing/brute force activity from a single address against an account that contains the `admin` pattern on its name, which is likely a highly privileged account.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the logon failure reason code and the targeted user name.\n - Prioritize the investigation if the account is critical or has administrative privileges over the domain.\n- Investigate the source IP address of the failed Network Logon attempts.\n - Identify whether these attempts are coming from the internet or are internal.\n- Investigate other alerts associated with the involved users and source host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n- Check whether the involved credentials are used in automation or scheduled tasks.\n- If this activity is suspicious, contact the account owner and confirm whether they are aware of it.\n- Examine the source host for derived artifacts that indicate compromise:\n - Observe and collect information about the following activities in the alert source host:\n - Attempts to contact external domains and addresses.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', 
sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the host which is the source of this activity.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Domain trust relationship issues.\n- Infrastructure or availability issues.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the source host to prevent further post-compromise behavior.\n- If the asset is exposed to the internet with RDP or other remote services available, take the necessary measures to restrict access to the asset. If not possible, limit the access via the firewall to only the needed IP addresses. Also, ensure the system uses robust authentication mechanisms and is patched regularly.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by winlog.computer_name, source.ip with maxspan=10s\n [authentication where event.action == \"logon-failed\" and winlog.logon.type : \"Network\" and\n source.ip != null and source.ip != \"127.0.0.1\" and source.ip != \"::1\" and user.name : \"*admin*\" and\n\n /* noisy failure status codes often associated to authentication misconfiguration */\n not winlog.event_data.Status : (\"0xC000015B\", \"0XC000005E\", \"0XC0000133\", \"0XC0000192\")] with runs=5\n", "references": ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"], "related_integrations": [{"package": "system", "version": "^1.6.4"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}, {"ecs": false, "name": "winlog.computer_name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.Status", "type": "keyword"}, {"ecs": false, "name": "winlog.logon.type", "type": "unknown"}], "risk_score": 47, "rule_id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 9}, "id": "f9790abf-bd0c-45f9-8b5f-d0b74015e029_9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588.json b/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588.json deleted file mode 100644 index 488c34e8fd1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.", "false_positives": ["A user may report suspicious activity on their Okta account in error."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Activity Reported by Okta User", "note": "", "query": "event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "f994964f-6fce-4d75-8e79-e16ccc412588", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege 
Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "f994964f-6fce-4d75-8e79-e16ccc412588", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_102.json b/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_102.json deleted file mode 100644 index 6a11d9d6df4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.", "false_positives": ["A user may report suspicious activity on their Okta account in error."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Activity Reported by Okta User", "note": "", "query": "event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "f994964f-6fce-4d75-8e79-e16ccc412588", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege 
Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "f994964f-6fce-4d75-8e79-e16ccc412588_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_103.json b/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_103.json deleted file mode 100644 index 0413cbc13b5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.", "false_positives": ["A user may report suspicious activity on their Okta account in error."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Activity Reported by Okta User", "note": "", "query": "event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "f994964f-6fce-4d75-8e79-e16ccc412588", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege 
Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "f994964f-6fce-4d75-8e79-e16ccc412588_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_104.json b/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_104.json deleted file mode 100644 index 3e341cf2992..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.", "false_positives": ["A user may report suspicious activity on their Okta account in error."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Activity Reported by Okta User", "note": "", "query": "event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "f994964f-6fce-4d75-8e79-e16ccc412588", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege 
Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "f994964f-6fce-4d75-8e79-e16ccc412588_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_205.json b/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_205.json deleted file mode 100644 index c57dab5efe8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.", "false_positives": ["A user may report suspicious activity on their Okta account in error."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Activity Reported by Okta User", "note": "", "query": "event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "f994964f-6fce-4d75-8e79-e16ccc412588", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege 
Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "f994964f-6fce-4d75-8e79-e16ccc412588_205", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_206.json b/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_206.json deleted file mode 100644 index b0a32cdb856..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_206.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.", "false_positives": ["A user may report suspicious activity on their Okta account in error."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Activity Reported by Okta User", "note": "", "query": "event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "f994964f-6fce-4d75-8e79-e16ccc412588", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "f994964f-6fce-4d75-8e79-e16ccc412588_206", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_208.json b/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_208.json
deleted file mode 100644
index 6b961818f31..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_208.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.", "false_positives": ["A user may report suspicious activity on their Okta account in error."], "index": ["filebeat-*", "logs-okta*"], "language": "kuery", "license": "Elastic License v2", "name": "Suspicious Activity Reported by Okta User", "note": "", "query": "event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser\n", "references": ["https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy", "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security", "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"], "related_integrations": [{"package": "okta", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "f994964f-6fce-4d75-8e79-e16ccc412588", "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 208}, "id": "f994964f-6fce-4d75-8e79-e16ccc412588_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_308.json b/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_308.json
new file mode 100644
index 00000000000..2bd142a98f1
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/f994964f-6fce-4d75-8e79-e16ccc412588_308.json
@@ -0,0 +1,121 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can help security teams identify when an adversary is attempting to gain access to their network.",
+ "false_positives": [
+ "A user may report suspicious activity on their Okta account in error."
+ ],
+ "index": [
+ "filebeat-*",
+ "logs-okta*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "Suspicious Activity Reported by Okta User",
+ "note": "",
+ "query": "event.dataset:okta.system and event.action:user.account.report_suspicious_activity_by_enduser\n",
+ "references": [
+ "https://developer.okta.com/docs/reference/api/system-log/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta"
+ ],
+ "related_integrations": [
+ {
+ "package": "okta",
+ "version": "^3.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "f994964f-6fce-4d75-8e79-e16ccc412588",
+ "setup": "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
+ "severity": "medium",
+ "tags": [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Initial Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0001",
+ "name": "Initial Access",
+ "reference": "https://attack.mitre.org/tactics/TA0001/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0003",
+ "name": "Persistence",
+ "reference": "https://attack.mitre.org/tactics/TA0003/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1078",
+ "name": "Valid Accounts",
+ "reference": "https://attack.mitre.org/techniques/T1078/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "query",
+ "version": 308
+ },
+ "id": "f994964f-6fce-4d75-8e79-e16ccc412588_308",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d.json b/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d.json
deleted file mode 100644
index bb0700a4379..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Copy to a Hidden Share", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"cmd.exe\", \"powershell.exe\", \"xcopy.exe\") and\n process.args : (\"copy*\", \"move*\", \"cp\", \"mv\") or\n process.name : \"robocopy.exe\"\n ) and process.args : \"*\\\\\\\\*\\\\*$*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_103.json b/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_103.json
deleted file mode 100644
index d9f6b319532..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Copy to a Hidden Share", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"robocopy.exe\", \"xcopy.exe\") and\n process.args : (\"copy*\", \"move*\", \"cp\", \"mv\") and process.args : \"*$*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_104.json b/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_104.json
deleted file mode 100644
index 4d5faba6c60..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Copy to a Hidden Share", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"robocopy.exe\", \"xcopy.exe\") and\n process.args : (\"copy*\", \"move*\", \"cp\", \"mv\") and process.args : \"*$*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_105.json b/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_105.json
deleted file mode 100644
index 47af79579b1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Copy to a Hidden Share", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"robocopy.exe\", \"xcopy.exe\") and\n process.args : (\"copy*\", \"move*\", \"cp\", \"mv\") and process.args : \"*$*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_106.json b/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_106.json
deleted file mode 100644
index 1af85325286..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Copy to a Hidden Share", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"cmd.exe\", \"powershell.exe\", \"robocopy.exe\", \"xcopy.exe\") and\n process.args : (\"copy*\", \"move*\", \"cp\", \"mv\") and process.args : \"*$*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_107.json b/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_107.json
deleted file mode 100644
index b44256cfe10..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Copy to a Hidden Share", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"cmd.exe\", \"powershell.exe\", \"xcopy.exe\") and\n process.args : (\"copy*\", \"move*\", \"cp\", \"mv\") or\n process.name : \"robocopy.exe\"\n ) and process.args : \"*\\\\\\\\*\\\\*$*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_108.json b/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_108.json
deleted file mode 100644
index 533e733d5ad..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", "from": "now-9m", "index": ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Copy to a Hidden Share", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"cmd.exe\", \"powershell.exe\", \"xcopy.exe\") and\n process.args : (\"copy*\", \"move*\", \"cp\", \"mv\") or\n process.name : \"robocopy.exe\"\n ) and process.args : \"*\\\\\\\\*\\\\*$*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_109.json b/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_109.json
deleted file mode 100644
index a775351c8f9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Copy to a Hidden Share", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"cmd.exe\", \"powershell.exe\", \"xcopy.exe\") and\n process.args : (\"copy*\", \"move*\", \"cp\", \"mv\") or\n process.name : \"robocopy.exe\"\n ) and process.args : \"*\\\\\\\\*\\\\*$*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_110.json b/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_110.json
deleted file mode 100644
index 8b44eb3ba55..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Copy to a Hidden Share", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"cmd.exe\", \"powershell.exe\", \"xcopy.exe\") and\n process.args : (\"copy*\", \"move*\", \"cp\", \"mv\") or\n process.name : \"robocopy.exe\"\n ) and process.args : \"*\\\\\\\\*\\\\*$*\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": 
"https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_111.json b/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_111.json
deleted file mode 100644
index bd6cdb692ae..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Copy to a Hidden Share", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"cmd.exe\", \"powershell.exe\", \"xcopy.exe\") and\n process.args : (\"copy*\", \"move*\", \"cp\", \"mv\") or\n process.name : \"robocopy.exe\"\n ) and process.args : \"*\\\\\\\\*\\\\*$*\"\n", "references": ["https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": "https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_311.json b/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_311.json
deleted file mode 100644
index eb5caa3c1db..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa01341d-6662-426b-9d0c-6d81e33c8a9d_311.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.", "from": "now-9m", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Remote File Copy to a Hidden Share", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (\n process.name : (\"cmd.exe\", \"powershell.exe\", \"xcopy.exe\") and\n process.args : (\"copy*\", \"move*\", \"cp\", \"mv\") or\n process.name : \"robocopy.exe\"\n ) and process.args : \"*\\\\\\\\*\\\\*$*\"\n", "references": ["https://www.elastic.co/security-labs/hunting-for-lateral-movement-using-event-query-language"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0008", "name": "Lateral Movement", "reference": 
"https://attack.mitre.org/tactics/TA0008/"}, "technique": [{"id": "T1021", "name": "Remote Services", "reference": "https://attack.mitre.org/techniques/T1021/", "subtechnique": [{"id": "T1021.002", "name": "SMB/Windows Admin Shares", "reference": "https://attack.mitre.org/techniques/T1021/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 311}, "id": "fa01341d-6662-426b-9d0c-6d81e33c8a9d_311", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab.json b/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab.json
deleted file mode 100644
index 6d517f917e8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies multiple external consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts.", "from": "now-9m", "index": ["filebeat-*", "logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 5, "name": "Potential External Linux SSH Brute Force Detected", "note": "## Triage and analysis\n\n### Investigating Potential External Linux SSH Brute Force Detected\n\nThe rule identifies consecutive SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts.\n\nThis rule will generate a lot of noise for systems with a front-facing SSH service, as adversaries scan the internet for remotely accessible SSH services and try to brute force them to gain unauthorized access. 
\n\nIn case this rule generates too much noise and external brute forcing is of not much interest, consider turning this rule off and enabling \"Potential Internal Linux SSH Brute Force Detected\" to detect internal brute force attempts.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Related Rules\n\n- Potential Internal Linux SSH Brute Force Detected - 1c27fa22-7727-4dd3-81c0-de6da5555feb\n- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, source.ip, user.name with maxspan=15s\n [ authentication where host.os.type == \"linux\" and \n event.action in (\"ssh_login\", \"user_login\") and event.outcome == \"failure\" and\n not cidrmatch(source.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \n \"::1\", \"FE80::/10\", \"FF00::/8\") ] with runs = 10\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fa210b61-b627-4e5e-86f4-17e8270656ab", "setup": "## Setup\n\nThis rule requires data coming in from Filebeat.\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. 
Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the \u201cFilebeat System Module\u201d to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": 
"T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 7}, "id": "fa210b61-b627-4e5e-86f4-17e8270656ab", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_1.json b/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_1.json
deleted file mode 100644
index d50eeb9758a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies multiple external consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts.", "from": "now-9m", "index": ["logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential External Linux SSH Brute Force Detected", "note": "## Triage and analysis\n\n### Investigating Potential External Linux SSH Brute Force Detected\n\nThe rule identifies consecutive SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts.\n\nThis rule will generate a lot of noise for systems with a front-facing SSH service, as adversaries scan the internet for remotely accessible SSH services and try to brute force them to gain unauthorized access. 
\n\nIn case this rule generates too much noise and external brute forcing is of not much interest, consider turning this rule off and enabling \"Potential Internal Linux SSH Brute Force Detected\" to detect internal brute force attempts.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Related Rules\n\n- Potential Internal Linux SSH Brute Force Detected - 1c27fa22-7727-4dd3-81c0-de6da5555feb\n- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "sequence by host.id, source.ip, user.name with maxspan=5s\n [ authentication where host.os.type == \"linux\" and \n event.action in (\"ssh_login\", \"user_login\") and event.outcome == \"failure\" and\n not cidrmatch(source.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \n \"::1\", \"FE80::/10\", \"FF00::/8\") ] with runs = 3\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fa210b61-b627-4e5e-86f4-17e8270656ab", "severity": "low", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": 
[{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 1}, "id": "fa210b61-b627-4e5e-86f4-17e8270656ab_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_2.json b/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_2.json
deleted file mode 100644
index 39ee979ae4f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies multiple external consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts.", "from": "now-9m", "index": ["logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential External Linux SSH Brute Force Detected", "note": "## Triage and analysis\n\n### Investigating Potential External Linux SSH Brute Force Detected\n\nThe rule identifies consecutive SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts.\n\nThis rule will generate a lot of noise for systems with a front-facing SSH service, as adversaries scan the internet for remotely accessible SSH services and try to brute force them to gain unauthorized access. 
\n\nIn case this rule generates too much noise and external brute forcing is of not much interest, consider turning this rule off and enabling \"Potential Internal Linux SSH Brute Force Detected\" to detect internal brute force attempts.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Related Rules\n\n- Potential Internal Linux SSH Brute Force Detected - 1c27fa22-7727-4dd3-81c0-de6da5555feb\n- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "sequence by host.id, source.ip, user.name with maxspan=5s\n [ authentication where host.os.type == \"linux\" and \n event.action in (\"ssh_login\", \"user_login\") and event.outcome == \"failure\" and\n not cidrmatch(source.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \n \"::1\", \"FE80::/10\", \"FF00::/8\") ] with runs = 3\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fa210b61-b627-4e5e-86f4-17e8270656ab", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": 
"https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 2}, "id": "fa210b61-b627-4e5e-86f4-17e8270656ab_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_3.json b/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_3.json
deleted file mode 100644
index b57d2a69743..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_3.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies multiple external consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts.", "from": "now-9m", "index": ["logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential External Linux SSH Brute Force Detected", "note": "## Triage and analysis\n\n### Investigating Potential External Linux SSH Brute Force Detected\n\nThe rule identifies consecutive SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts.\n\nThis rule will generate a lot of noise for systems with a front-facing SSH service, as adversaries scan the internet for remotely accessible SSH services and try to brute force them to gain unauthorized access. 
\n\nIn case this rule generates too much noise and external brute forcing is of not much interest, consider turning this rule off and enabling \"Potential Internal Linux SSH Brute Force Detected\" to detect internal brute force attempts.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Related Rules\n\n- Potential Internal Linux SSH Brute Force Detected - 1c27fa22-7727-4dd3-81c0-de6da5555feb\n- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "sequence by host.id, source.ip, user.name with maxspan=5s\n [ authentication where host.os.type == \"linux\" and \n event.action in (\"ssh_login\", \"user_login\") and event.outcome == \"failure\" and\n not cidrmatch(source.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \n \"::1\", \"FE80::/10\", \"FF00::/8\") ] with runs = 10\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fa210b61-b627-4e5e-86f4-17e8270656ab", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": 
"https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 3}, "id": "fa210b61-b627-4e5e-86f4-17e8270656ab_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_4.json b/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_4.json
deleted file mode 100644
index 08db704e9d0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple external consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts.", "from": "now-9m", "index": ["logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 5, "name": "Potential External Linux SSH Brute Force Detected", "note": "## Triage and analysis\n\n### Investigating Potential External Linux SSH Brute Force Detected\n\nThe rule identifies consecutive SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts.\n\nThis rule will generate a lot of noise for systems with a front-facing SSH service, as adversaries scan the internet for remotely accessible SSH services and try to brute force them to gain unauthorized access. 
\n\nIn case this rule generates too much noise and external brute forcing is of not much interest, consider turning this rule off and enabling \"Potential Internal Linux SSH Brute Force Detected\" to detect internal brute force attempts.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Related Rules\n\n- Potential Internal Linux SSH Brute Force Detected - 1c27fa22-7727-4dd3-81c0-de6da5555feb\n- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "sequence by host.id, source.ip, user.name with maxspan=15s\n [ authentication where host.os.type == \"linux\" and \n event.action in (\"ssh_login\", \"user_login\") and event.outcome == \"failure\" and\n not cidrmatch(source.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \n \"::1\", \"FE80::/10\", \"FF00::/8\") ] with runs = 10\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fa210b61-b627-4e5e-86f4-17e8270656ab", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1110", "name": "Brute Force", "reference": 
"https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 4}, "id": "fa210b61-b627-4e5e-86f4-17e8270656ab_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_5.json b/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_5.json
deleted file mode 100644
index 5ea4e71a242..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple external consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts.", "from": "now-9m", "index": ["logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 5, "name": "Potential External Linux SSH Brute Force Detected", "note": "## Triage and analysis\n\n### Investigating Potential External Linux SSH Brute Force Detected\n\nThe rule identifies consecutive SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts.\n\nThis rule will generate a lot of noise for systems with a front-facing SSH service, as adversaries scan the internet for remotely accessible SSH services and try to brute force them to gain unauthorized access. 
\n\nIn case this rule generates too much noise and external brute forcing is of not much interest, consider turning this rule off and enabling \"Potential Internal Linux SSH Brute Force Detected\" to detect internal brute force attempts.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Related Rules\n\n- Potential Internal Linux SSH Brute Force Detected - 1c27fa22-7727-4dd3-81c0-de6da5555feb\n- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "sequence by host.id, source.ip, user.name with maxspan=15s\n [ authentication where host.os.type == \"linux\" and \n event.action in (\"ssh_login\", \"user_login\") and event.outcome == \"failure\" and\n not cidrmatch(source.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \n \"::1\", \"FE80::/10\", \"FF00::/8\") ] with runs = 10\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fa210b61-b627-4e5e-86f4-17e8270656ab", "setup": "\nThis rule requires data coming in from Filebeat.\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. 
Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the \u201cFilebeat System Module\u201d to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": 
[{"id": "T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 5}, "id": "fa210b61-b627-4e5e-86f4-17e8270656ab_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_6.json b/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_6.json
deleted file mode 100644
index f2efcb0532b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa210b61-b627-4e5e-86f4-17e8270656ab_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies multiple external consecutive login failures targeting a user account from the same source address within a short time interval. Adversaries will often brute force login attempts across multiple users with a common or known password, in an attempt to gain access to these accounts.", "from": "now-9m", "index": ["logs-system.auth-*"], "language": "eql", "license": "Elastic License v2", "max_signals": 5, "name": "Potential External Linux SSH Brute Force Detected", "note": "## Triage and analysis\n\n### Investigating Potential External Linux SSH Brute Force Detected\n\nThe rule identifies consecutive SSH login failures targeting a user account from the same source IP address to the same target host indicating brute force login attempts.\n\nThis rule will generate a lot of noise for systems with a front-facing SSH service, as adversaries scan the internet for remotely accessible SSH services and try to brute force them to gain unauthorized access. 
\n\nIn case this rule generates too much noise and external brute forcing is of not much interest, consider turning this rule off and enabling \"Potential Internal Linux SSH Brute Force Detected\" to detect internal brute force attempts.\n\n#### Possible investigation steps\n\n- Investigate the login failure user name(s).\n- Investigate the source IP address of the failed ssh login attempt(s).\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Identify the source and the target computer and their roles in the IT environment.\n\n### False positive analysis\n\n- Authentication misconfiguration or obsolete credentials.\n- Service account password expired.\n- Infrastructure or availability issue.\n\n### Related Rules\n\n- Potential Internal Linux SSH Brute Force Detected - 1c27fa22-7727-4dd3-81c0-de6da5555feb\n- Potential SSH Password Guessing - 8cb84371-d053-4f4f-bce0-c74990e28f28\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by host.id, source.ip, user.name with maxspan=15s\n [ authentication where host.os.type == \"linux\" and \n event.action in (\"ssh_login\", \"user_login\") and event.outcome == \"failure\" and\n not cidrmatch(source.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \n \"::1\", \"FE80::/10\", \"FF00::/8\") ] with runs = 10\n", "related_integrations": [{"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "user.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fa210b61-b627-4e5e-86f4-17e8270656ab", "setup": "## Setup\n\nThis rule requires data coming in from Filebeat.\n\n### Filebeat Setup\nFilebeat is a lightweight shipper for forwarding and centralizing log data. 
Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.\n\n#### The following steps should be executed in order to add the Filebeat on a Linux System:\n- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.\n- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).\n- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).\n- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).\n- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).\n- For complete \u201cSetup and Run Filebeat\u201d information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).\n\n#### Rule Specific Setup Note\n- This rule requires the \u201cFilebeat System Module\u201d to be enabled.\n- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.\n- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": 
"T1110", "name": "Brute Force", "reference": "https://attack.mitre.org/techniques/T1110/", "subtechnique": [{"id": "T1110.001", "name": "Password Guessing", "reference": "https://attack.mitre.org/techniques/T1110/001/"}, {"id": "T1110.003", "name": "Password Spraying", "reference": "https://attack.mitre.org/techniques/T1110/003/"}]}]}], "type": "eql", "version": 6}, "id": "fa210b61-b627-4e5e-86f4-17e8270656ab_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f.json b/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f.json
deleted file mode 100644
index f39d5ddd0db..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule detects the creation of a shell through a chain consisting of the execution of a suspicious binary (located in a commonly abused location or executed manually) followed by a network event and ending with a shell being spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish persistence onto a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Suspicious Binary", "query": "sequence by host.id, process.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.executable : (\n \"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/var/www/*\", \"/dev/shm/*\", \"/etc/init.d/*\", \"/etc/rc*.d/*\",\n \"/etc/crontab\", \"/etc/cron.*\", \"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\",\n \"/boot/*\", \"/srv/*\", \"/run/*\", \"/root/*\", \"/etc/rc.local\"\n ) and\n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and not\n process.name : (\"curl\", \"wget\", \"ping\", \"apt\", \"dpkg\", \"yum\", \"rpm\", \"dnf\", \"dockerd\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and\n process.executable : (\n \"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/var/www/*\", \"/dev/shm/*\", \"/etc/init.d/*\", \"/etc/rc*.d/*\",\n \"/etc/crontab\", \"/etc/cron.*\", \"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\",\n \"/boot/*\", \"/srv/*\", \"/run/*\", \"/root/*\", \"/etc/rc.local\"\n ) and destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ]\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.name : (\"bash\", \"dash\", 
\"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") ]\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fa3a59dc-33c3-43bf-80a9-e8437a922c7f", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 7}, "id": "fa3a59dc-33c3-43bf-80a9-e8437a922c7f", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_1.json b/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_1.json deleted file mode 100644 index 638cffff568..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule detects the creation of a shell through a chain consisting of the execution of a suspicious binary (located in a commonly abused location or executed manually) followed by a network event and ending with a shell being spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish persistence onto a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Suspicious Binary", "query": "sequence by host.id, process.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.executable : (\n \"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/var/www/*\", \"/dev/shm/*\", \"/etc/init.d/*\", \"/etc/rc*.d/*\",\n \"/etc/crontab\", \"/etc/cron.*\", \"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\",\n \"/boot/*\", \"/srv/*\", \"/run/*\", \"/root/*\", \"/etc/rc.local\"\n ) and\n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and not\n process.name : (\"curl\", \"wget\", \"ping\", \"apt\", \"dpkg\", \"yum\", \"rpm\", \"dnf\", \"dockerd\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and\n process.executable : (\n \"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/var/www/*\", \"/dev/shm/*\", \"/etc/init.d/*\", \"/etc/rc*.d/*\",\n \"/etc/crontab\", \"/etc/cron.*\", \"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\",\n \"/boot/*\", \"/srv/*\", \"/run/*\", \"/root/*\", \"/etc/rc.local\"\n ) ]\n[ process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", 
\"csh\", \"zsh\", \"ksh\", \"fish\") ]\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fa3a59dc-33c3-43bf-80a9-e8437a922c7f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 1}, "id": "fa3a59dc-33c3-43bf-80a9-e8437a922c7f_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_2.json b/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_2.json
deleted file mode 100644
index fb7d740a2d0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule detects the creation of a shell through a chain consisting of the execution of a suspicious binary (located in a commonly abused location or executed manually) followed by a network event and ending with a shell being spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish persistence onto a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Suspicious Binary", "query": "sequence by host.id, process.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.executable : (\n \"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/var/www/*\", \"/dev/shm/*\", \"/etc/init.d/*\", \"/etc/rc*.d/*\",\n \"/etc/crontab\", \"/etc/cron.*\", \"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\",\n \"/boot/*\", \"/srv/*\", \"/run/*\", \"/root/*\", \"/etc/rc.local\"\n ) and\n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and not\n process.name : (\"curl\", \"wget\", \"ping\", \"apt\", \"dpkg\", \"yum\", \"rpm\", \"dnf\", \"dockerd\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"connection_attempted\" and\n process.executable : (\n \"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/var/www/*\", \"/dev/shm/*\", \"/etc/init.d/*\", \"/etc/rc*.d/*\",\n \"/etc/crontab\", \"/etc/cron.*\", \"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\",\n \"/boot/*\", \"/srv/*\", \"/run/*\", \"/root/*\", \"/etc/rc.local\"\n ) and destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ]\n[ process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", 
\"zsh\", \"ksh\", \"fish\") and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") ]\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fa3a59dc-33c3-43bf-80a9-e8437a922c7f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 2}, "id": "fa3a59dc-33c3-43bf-80a9-e8437a922c7f_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_3.json b/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_3.json
deleted file mode 100644
index d62fea5a53f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule detects the creation of a shell through a chain consisting of the execution of a suspicious binary (located in a commonly abused location or executed manually) followed by a network event and ending with a shell being spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish persistence onto a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Suspicious Binary", "query": "sequence by host.id, process.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.executable : (\n \"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/var/www/*\", \"/dev/shm/*\", \"/etc/init.d/*\", \"/etc/rc*.d/*\",\n \"/etc/crontab\", \"/etc/cron.*\", \"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\",\n \"/boot/*\", \"/srv/*\", \"/run/*\", \"/root/*\", \"/etc/rc.local\"\n ) and\n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and not\n process.name : (\"curl\", \"wget\", \"ping\", \"apt\", \"dpkg\", \"yum\", \"rpm\", \"dnf\", \"dockerd\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and\n process.executable : (\n \"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/var/www/*\", \"/dev/shm/*\", \"/etc/init.d/*\", \"/etc/rc*.d/*\",\n \"/etc/crontab\", \"/etc/cron.*\", \"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\",\n \"/boot/*\", \"/srv/*\", \"/run/*\", \"/root/*\", \"/etc/rc.local\"\n ) and destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ]\n[ process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name : (\"bash\", \"dash\", 
\"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") ]\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fa3a59dc-33c3-43bf-80a9-e8437a922c7f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 3}, "id": "fa3a59dc-33c3-43bf-80a9-e8437a922c7f_3", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_4.json b/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_4.json
deleted file mode 100644
index 62ead45a59b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule detects the creation of a shell through a chain consisting of the execution of a suspicious binary (located in a commonly abused location or executed manually) followed by a network event and ending with a shell being spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish persistence onto a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Suspicious Binary", "query": "sequence by host.id, process.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.executable : (\n \"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/var/www/*\", \"/dev/shm/*\", \"/etc/init.d/*\", \"/etc/rc*.d/*\",\n \"/etc/crontab\", \"/etc/cron.*\", \"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\",\n \"/boot/*\", \"/srv/*\", \"/run/*\", \"/root/*\", \"/etc/rc.local\"\n ) and\n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and not\n process.name : (\"curl\", \"wget\", \"ping\", \"apt\", \"dpkg\", \"yum\", \"rpm\", \"dnf\", \"dockerd\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and\n process.executable : (\n \"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/var/www/*\", \"/dev/shm/*\", \"/etc/init.d/*\", \"/etc/rc*.d/*\",\n \"/etc/crontab\", \"/etc/cron.*\", \"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\",\n \"/boot/*\", \"/srv/*\", \"/run/*\", \"/root/*\", \"/etc/rc.local\"\n ) and destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ]\n[ process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name : (\"bash\", \"dash\", 
\"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") ]\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fa3a59dc-33c3-43bf-80a9-e8437a922c7f", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 4}, "id": "fa3a59dc-33c3-43bf-80a9-e8437a922c7f_4", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_5.json b/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_5.json
deleted file mode 100644
index 344fd59b0fc..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule detects the creation of a shell through a chain consisting of the execution of a suspicious binary (located in a commonly abused location or executed manually) followed by a network event and ending with a shell being spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish persistence onto a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Suspicious Binary", "query": "sequence by host.id, process.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.executable : (\n \"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/var/www/*\", \"/dev/shm/*\", \"/etc/init.d/*\", \"/etc/rc*.d/*\",\n \"/etc/crontab\", \"/etc/cron.*\", \"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\",\n \"/boot/*\", \"/srv/*\", \"/run/*\", \"/root/*\", \"/etc/rc.local\"\n ) and\n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and not\n process.name : (\"curl\", \"wget\", \"ping\", \"apt\", \"dpkg\", \"yum\", \"rpm\", \"dnf\", \"dockerd\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and\n process.executable : (\n \"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/var/www/*\", \"/dev/shm/*\", \"/etc/init.d/*\", \"/etc/rc*.d/*\",\n \"/etc/crontab\", \"/etc/cron.*\", \"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\",\n \"/boot/*\", \"/srv/*\", \"/run/*\", \"/root/*\", \"/etc/rc.local\"\n ) and destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ]\n[ process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name : (\"bash\", \"dash\", 
\"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") ]\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fa3a59dc-33c3-43bf-80a9-e8437a922c7f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 5}, "id": "fa3a59dc-33c3-43bf-80a9-e8437a922c7f_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_6.json b/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_6.json deleted file mode 100644 index 047c121e9d5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fa3a59dc-33c3-43bf-80a9-e8437a922c7f_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This detection rule detects the creation of a shell through a chain consisting of the execution of a suspicious binary (located in a commonly abused location or executed manually) followed by a network event and ending with a shell being spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish persistence onto a target system.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Reverse Shell via Suspicious Binary", "query": "sequence by host.id, process.entity_id with maxspan=1s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and\n process.executable : (\n \"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/var/www/*\", \"/dev/shm/*\", \"/etc/init.d/*\", \"/etc/rc*.d/*\",\n \"/etc/crontab\", \"/etc/cron.*\", \"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\",\n \"/boot/*\", \"/srv/*\", \"/run/*\", \"/root/*\", \"/etc/rc.local\"\n ) and\n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and not\n process.name : (\"curl\", \"wget\", \"ping\", \"apt\", \"dpkg\", \"yum\", \"rpm\", \"dnf\", \"dockerd\") ]\n[ network where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"connection_attempted\", \"connection_accepted\") and\n process.executable : (\n \"./*\", \"/tmp/*\", \"/var/tmp/*\", \"/var/www/*\", \"/dev/shm/*\", \"/etc/init.d/*\", \"/etc/rc*.d/*\",\n \"/etc/crontab\", \"/etc/cron.*\", \"/etc/update-motd.d/*\", \"/usr/lib/update-notifier/*\",\n \"/boot/*\", \"/srv/*\", \"/run/*\", \"/root/*\", \"/etc/rc.local\"\n ) and destination.ip != null and destination.ip != \"127.0.0.1\" and destination.ip != \"::1\" ]\n[ process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name : (\"bash\", \"dash\", 
\"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") and \n process.parent.name : (\"bash\", \"dash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\") ]\n", "references": ["https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fa3a59dc-33c3-43bf-80a9-e8437a922c7f", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.004", "name": "Unix Shell", "reference": "https://attack.mitre.org/techniques/T1059/004/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1071", "name": "Application Layer Protocol", "reference": "https://attack.mitre.org/techniques/T1071/"}]}], "type": "eql", "version": 6}, "id": "fa3a59dc-33c3-43bf-80a9-e8437a922c7f_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17.json b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17.json deleted file mode 100644 index 27273607daa..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Antimalware Scan Interface DLL", "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.path != null and\n file.name : (\"amsi.dll\", \"amsi\") and\n not file.path : (\n \"?:\\\\Windows\\\\system32\\\\amsi.dll\",\n \"?:\\\\Windows\\\\Syswow64\\\\amsi.dll\",\n \"?:\\\\$WINDOWS.~BT\\\\DUImageSandbox\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSXS\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\servicing\\\\LCU\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\\\\*\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\",\n \"?:\\\\Windows\\\\WinSxS\\\\amd64_microsoft-antimalware-scan-interface_*\\\\amsi.dll\"\n ) and\n not\n (\n process.executable : \"C:\\\\Windows\\\\System32\\\\wbengine.exe\" and\n file.path : (\n \"\\\\Device\\\\HarddiskVolume??\\\\Windows\\\\system32\\\\amsi.dll\",\n \"\\\\Device\\\\HarddiskVolume??\\\\Windows\\\\syswow64\\\\amsi.dll\",\n \"\\\\Device\\\\HarddiskVolume??\\\\Windows\\\\WinSxS\\\\*\\\\amsi.dll\"\n )\n )\n", "references": ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": 
"fa488440-04cc-41d7-9279-539387bf2a17", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 213}, "id": "fa488440-04cc-41d7-9279-539387bf2a17", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_110.json b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_110.json deleted file mode 100644 index 058caa9d1b8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_110.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Antimalware Scan Interface DLL", "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.path != null and\n file.name : (\"amsi.dll\", \"amsi\") and not file.path : (\"?:\\\\Windows\\\\system32\\\\amsi.dll\", \"?:\\\\Windows\\\\Syswow64\\\\amsi.dll\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSXS\\\\*\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\servicing\\\\LCU\\\\*\", \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\\\\*\", \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\")\n", "references": ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "fa488440-04cc-41d7-9279-539387bf2a17", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": 
"T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "fa488440-04cc-41d7-9279-539387bf2a17_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_2.json b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_2.json
deleted file mode 100644
index 02ee8864059..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Antimalware Scan Interface DLL", "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n\n### False positive analysis\n\n- This modification should not happen legitimately. 
Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.action != \"deletion\" and file.path != null and\n file.name : (\"amsi.dll\", \"amsi\") and not file.path : (\"?:\\\\Windows\\\\system32\\\\amsi.dll\", \"?:\\\\Windows\\\\Syswow64\\\\amsi.dll\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSXS\\\\*\", \"?:\\\\Windows\\\\SoftwareDistribuition\\\\Download\\\\*\")\n", "references": ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": 
"file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "fa488440-04cc-41d7-9279-539387bf2a17", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "fa488440-04cc-41d7-9279-539387bf2a17_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_211.json b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_211.json
deleted file mode 100644
index 4adca827d14..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_211.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Antimalware Scan Interface DLL", "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.path != null and\n file.name : (\"amsi.dll\", \"amsi\") and not file.path : (\"?:\\\\Windows\\\\system32\\\\amsi.dll\", \"?:\\\\Windows\\\\Syswow64\\\\amsi.dll\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSXS\\\\*\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\servicing\\\\LCU\\\\*\", \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\\\\*\", \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\")\n", "references": ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "fa488440-04cc-41d7-9279-539387bf2a17", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": 
"T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 211}, "id": "fa488440-04cc-41d7-9279-539387bf2a17_211", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_212.json b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_212.json
deleted file mode 100644
index df7cf3e3ce5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_212.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Antimalware Scan Interface DLL", "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.path != null and\n file.name : (\"amsi.dll\", \"amsi\") and not file.path : (\"?:\\\\Windows\\\\system32\\\\amsi.dll\", \"?:\\\\Windows\\\\Syswow64\\\\amsi.dll\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSXS\\\\*\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\servicing\\\\LCU\\\\*\", \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\\\\*\", \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\")\n", "references": ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "fa488440-04cc-41d7-9279-539387bf2a17", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": 
"Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 212}, "id": "fa488440-04cc-41d7-9279-539387bf2a17_212", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_213.json b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_213.json
deleted file mode 100644
index ccbca654522..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_213.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Antimalware Scan Interface DLL", "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.path != null and\n file.name : (\"amsi.dll\", \"amsi\") and\n not file.path : (\n \"?:\\\\Windows\\\\system32\\\\amsi.dll\",\n \"?:\\\\Windows\\\\Syswow64\\\\amsi.dll\",\n \"?:\\\\$WINDOWS.~BT\\\\DUImageSandbox\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSXS\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\servicing\\\\LCU\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\\\\*\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\",\n \"?:\\\\Windows\\\\WinSxS\\\\amd64_microsoft-antimalware-scan-interface_*\\\\amsi.dll\"\n ) and\n not\n (\n process.executable : \"C:\\\\Windows\\\\System32\\\\wbengine.exe\" and\n file.path : (\n \"\\\\Device\\\\HarddiskVolume??\\\\Windows\\\\system32\\\\amsi.dll\",\n \"\\\\Device\\\\HarddiskVolume??\\\\Windows\\\\syswow64\\\\amsi.dll\",\n \"\\\\Device\\\\HarddiskVolume??\\\\Windows\\\\WinSxS\\\\*\\\\amsi.dll\"\n )\n )\n", "references": ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 73, "rule_id": 
"fa488440-04cc-41d7-9279-539387bf2a17", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon", "Data Source: SentinelOne", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 213}, "id": "fa488440-04cc-41d7-9279-539387bf2a17_213", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_3.json b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_3.json
deleted file mode 100644
index a30f48ea0b6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Antimalware Scan Interface DLL", "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.action != \"deletion\" and file.path != null and\n file.name : (\"amsi.dll\", \"amsi\") and not file.path : (\"?:\\\\Windows\\\\system32\\\\amsi.dll\", \"?:\\\\Windows\\\\Syswow64\\\\amsi.dll\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSXS\\\\*\", \"?:\\\\Windows\\\\SoftwareDistribuition\\\\Download\\\\*\")\n", "references": ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "fa488440-04cc-41d7-9279-539387bf2a17", "severity": "high", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", 
"reference": "https://attack.mitre.org/techniques/T1574/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "fa488440-04cc-41d7-9279-539387bf2a17_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_4.json b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_4.json
deleted file mode 100644
index 26cdf0c0d54..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Antimalware Scan Interface DLL", "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.action != \"deletion\" and file.path != null and\n file.name : (\"amsi.dll\", \"amsi\") and not file.path : (\"?:\\\\Windows\\\\system32\\\\amsi.dll\", \"?:\\\\Windows\\\\Syswow64\\\\amsi.dll\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSXS\\\\*\", \"?:\\\\Windows\\\\SoftwareDistribuition\\\\Download\\\\*\")\n", "references": ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "fa488440-04cc-41d7-9279-539387bf2a17", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": 
"T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "fa488440-04cc-41d7-9279-539387bf2a17_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_5.json b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_5.json
deleted file mode 100644
index 9bbbc1082d8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Antimalware Scan Interface DLL", "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.action != \"deletion\" and file.path != null and\n file.name : (\"amsi.dll\", \"amsi\") and not file.path : (\"?:\\\\Windows\\\\system32\\\\amsi.dll\", \"?:\\\\Windows\\\\Syswow64\\\\amsi.dll\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSXS\\\\*\", \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\\\\*\", \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\")\n", "references": ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "fa488440-04cc-41d7-9279-539387bf2a17", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": 
"https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "fa488440-04cc-41d7-9279-539387bf2a17_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_6.json b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_6.json
deleted file mode 100644
index 9b65458317e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Antimalware Scan Interface DLL", "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.action != \"deletion\" and file.path != null and\n file.name : (\"amsi.dll\", \"amsi\") and not file.path : (\"?:\\\\Windows\\\\system32\\\\amsi.dll\", \"?:\\\\Windows\\\\Syswow64\\\\amsi.dll\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSXS\\\\*\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\servicing\\\\LCU\\\\*\", \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\\\\*\", \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\")\n", "references": ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "fa488440-04cc-41d7-9279-539387bf2a17", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": 
"https://attack.mitre.org/techniques/T1562/001/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "fa488440-04cc-41d7-9279-539387bf2a17_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_7.json b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_7.json deleted file mode 100644 index 422436ba80c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_7.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Antimalware Scan Interface DLL", "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.path != null and\n file.name : (\"amsi.dll\", \"amsi\") and not file.path : (\"?:\\\\Windows\\\\system32\\\\amsi.dll\", \"?:\\\\Windows\\\\Syswow64\\\\amsi.dll\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSXS\\\\*\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\servicing\\\\LCU\\\\*\", \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\\\\*\", \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\")\n", "references": ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "fa488440-04cc-41d7-9279-539387bf2a17", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}, 
{"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "fa488440-04cc-41d7-9279-539387bf2a17_7", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_8.json b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_8.json deleted file mode 100644 index 24d54301607..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Antimalware Scan Interface DLL", "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.path != null and\n file.name : (\"amsi.dll\", \"amsi\") and not file.path : (\"?:\\\\Windows\\\\system32\\\\amsi.dll\", \"?:\\\\Windows\\\\Syswow64\\\\amsi.dll\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSXS\\\\*\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\servicing\\\\LCU\\\\*\", \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\\\\*\", \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\")\n", "references": ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "fa488440-04cc-41d7-9279-539387bf2a17", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": 
"https://attack.mitre.org/techniques/T1562/001/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "fa488440-04cc-41d7-9279-539387bf2a17_8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_9.json b/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_9.json deleted file mode 100644 index 26b4ada39f4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fa488440-04cc-41d7-9279-539387bf2a17_9.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of the Antimalware Scan Interface (AMSI) DLL in an unusual location. This may indicate an attempt to bypass AMSI by loading a rogue AMSI module instead of the legit one.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious Antimalware Scan Interface DLL", "note": "## Triage and analysis\n\n### Investigating Suspicious Antimalware Scan Interface DLL\n\nThe Windows Antimalware Scan Interface (AMSI) is a versatile interface standard that allows your applications and services to integrate with any antimalware product on a machine. AMSI integrates with multiple Windows components, ranging from User Account Control (UAC) to VBA macros and PowerShell.\n\nAttackers might copy a rogue AMSI DLL to an unusual location to prevent the process from loading the legitimate module, achieving a bypass to execute malicious code.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Identify the process that created the DLL and which account was used.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the execution of scripts and macros after the registry modification.\n- Investigate other processes launched from the directory that the DLL was created.\n- Inspect the host for suspicious or abnormal behavior in the alert timeframe:\n - Observe and collect information about the following activities in the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON 
services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n\n### False positive analysis\n\n- This modification should not happen legitimately. Any potential benign true positive (B-TP) should be mapped and monitored by the security team as these modifications expose the host to malware infections.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"windows\" and event.type != \"deletion\" and file.path != null and\n file.name : (\"amsi.dll\", \"amsi\") and not file.path : (\"?:\\\\Windows\\\\system32\\\\amsi.dll\", \"?:\\\\Windows\\\\Syswow64\\\\amsi.dll\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSXS\\\\*\", \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\servicing\\\\LCU\\\\*\", \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\\\\*\", \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\")\n", "references": ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}, {"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 73, "rule_id": "fa488440-04cc-41d7-9279-539387bf2a17", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": 
"https://attack.mitre.org/techniques/T1562/001/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 9}, "id": "fa488440-04cc-41d7-9279-539387bf2a17_9", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010.json b/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010.json deleted file mode 100644 index cc407101c58..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. Adversaries may disable security tools to avoid possible detection of their tools and activities.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Disabling of AppArmor", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and (\n (process.name == \"systemctl\" and process.args in (\"stop\", \"disable\", \"kill\") and process.args in (\"apparmor\", \"apparmor.service\")) or\n (process.name == \"service\" and process.args == \"apparmor\" and process.args == \"stop\") or \n (process.name == \"chkconfig\" and process.args == \"apparmor\" and process.args == \"off\") or\n (process.name == \"ln\" and process.args : \"/etc/apparmor.d/*\" and process.args == \"/etc/apparmor.d/disable/\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fac52c69-2646-4e79-89c0-fd7653461010", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "fac52c69-2646-4e79-89c0-fd7653461010", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_1.json b/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_1.json deleted file mode 100644 index d83705e29ef..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. Adversaries may disable security tools to avoid possible detection of their tools and activities.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Disabling of AppArmor", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and (\n (process.name == \"systemctl\" and process.args == \"disable\" and process.args == \"apparmor\") or\n (process.name == \"ln\" and process.args : \"/etc/apparmor.d/*\" and process.args : \"/etc/apparmor.d/disable/\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fac52c69-2646-4e79-89c0-fd7653461010", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": 
"fac52c69-2646-4e79-89c0-fd7653461010_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_2.json b/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_2.json deleted file mode 100644 index 51993c56885..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. Adversaries may disable security tools to avoid possible detection of their tools and activities.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Disabling of AppArmor", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and (\n (process.name == \"systemctl\" and process.args == \"disable\" and process.args == \"apparmor\") or\n (process.name == \"ln\" and process.args : \"/etc/apparmor.d/*\" and process.args : \"/etc/apparmor.d/disable/\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fac52c69-2646-4e79-89c0-fd7653461010", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "fac52c69-2646-4e79-89c0-fd7653461010_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_3.json b/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_3.json deleted file mode 100644 index e036586e044..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. Adversaries may disable security tools to avoid possible detection of their tools and activities.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Disabling of AppArmor", "query": "process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and (\n (process.name == \"systemctl\" and process.args == \"disable\" and process.args == \"apparmor\") or\n (process.name == \"ln\" and process.args : \"/etc/apparmor.d/*\" and process.args : \"/etc/apparmor.d/disable/\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fac52c69-2646-4e79-89c0-fd7653461010", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "fac52c69-2646-4e79-89c0-fd7653461010_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_4.json b/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_4.json deleted file mode 100644 index b46d0ef25f0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. Adversaries may disable security tools to avoid possible detection of their tools and activities.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Disabling of AppArmor", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\") and event.type == \"start\"\nand (\n (process.name == \"systemctl\" and process.args == \"disable\" and process.args == \"apparmor\") or\n (process.name == \"ln\" and process.args : \"/etc/apparmor.d/*\" and process.args == \"/etc/apparmor.d/disable/\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fac52c69-2646-4e79-89c0-fd7653461010", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "fac52c69-2646-4e79-89c0-fd7653461010_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_5.json b/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_5.json deleted file mode 100644 index 53a03745c3d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. Adversaries may disable security tools to avoid possible detection of their tools and activities.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Disabling of AppArmor", "query": "process where host.os.type == \"linux\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\") and\nevent.type == \"start\" and (\n (process.name == \"systemctl\" and process.args == \"disable\" and process.args == \"apparmor\") or\n (process.name == \"ln\" and process.args : \"/etc/apparmor.d/*\" and process.args == \"/etc/apparmor.d/disable/\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fac52c69-2646-4e79-89c0-fd7653461010", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "fac52c69-2646-4e79-89c0-fd7653461010_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_6.json b/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_6.json deleted file mode 100644 index 1678a9b061e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fac52c69-2646-4e79-89c0-fd7653461010_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for potential attempts to disable AppArmor. AppArmor is a Linux security module that enforces fine-grained access control policies to restrict the actions and resources that specific applications and processes can access. Adversaries may disable security tools to avoid possible detection of their tools and activities.", "from": "now-9m", "index": ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Disabling of AppArmor", "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\", \"executed\", \"process_started\")\n and (\n (process.name == \"systemctl\" and process.args == \"disable\" and process.args == \"apparmor\") or\n (process.name == \"ln\" and process.args : \"/etc/apparmor.d/*\" and process.args == \"/etc/apparmor.d/disable/\")\n)\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fac52c69-2646-4e79-89c0-fd7653461010", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Elastic Endgame", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "fac52c69-2646-4e79-89c0-fd7653461010_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435.json b/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435.json deleted file mode 100644 index 88e08e8fe75..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies suspicious instances of default system32 DLLs either unsigned or signed with non-MS certificates. This can potentially indicate the attempt to masquerade as system DLLs, perform DLL Search Order Hijacking or backdoor and resign legitimate DLLs.", "from": "now-9m", "index": ["logs-endpoint.events.library-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as System32 DLL", "query": "library where event.action == \"load\" and dll.Ext.relative_file_creation_time <= 3600 and\n not (\n dll.path : (\n \"?:\\\\Windows\\\\System32\\\\*\",\n \"?:\\\\Windows\\\\SysWOW64\\\\*\",\n \"?:\\\\Windows\\\\SystemTemp\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\System32\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\",\n \"?:\\\\Windows\\\\assembly\\\\NativeImages_v*\"\n )\n ) and\n not (\n dll.code_signature.subject_name in (\n \"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Hardware Abstraction Layer Publisher\",\n \"Microsoft Windows Publisher\",\n \"Microsoft Windows 3rd party Component\",\n \"Microsoft 3rd Party Application Component\"\n ) and dll.code_signature.trusted == true\n ) and not dll.code_signature.status : (\"errorCode_endpoint*\", \"errorUntrustedRoot\", \"errorChaining\") and\n dll.name : (\n \"aadauthhelper.dll\", \"aadcloudap.dll\", \"aadjcsp.dll\", \"aadtb.dll\", \"aadwamextension.dll\", \"aarsvc.dll\", \"abovelockapphost.dll\", \"accessibilitycpl.dll\", \"accountaccessor.dll\", \"accountsrt.dll\", \"acgenral.dll\", \"aclayers.dll\", \"acledit.dll\", \"aclui.dll\", \"acmigration.dll\", \"acppage.dll\", \"acproxy.dll\", \"acspecfc.dll\", \"actioncenter.dll\", \"actioncentercpl.dll\", 
\"actionqueue.dll\", \"activationclient.dll\", \"activeds.dll\", \"activesynccsp.dll\", \"actxprxy.dll\", \"acwinrt.dll\", \"acxtrnal.dll\", \"adaptivecards.dll\", \"addressparser.dll\", \"adhapi.dll\", \"adhsvc.dll\", \"admtmpl.dll\", \"adprovider.dll\", \"adrclient.dll\", \"adsldp.dll\", \"adsldpc.dll\", \"adsmsext.dll\", \"adsnt.dll\", \"adtschema.dll\", \"advancedemojids.dll\", \"advapi32.dll\", \"advapi32res.dll\", \"advpack.dll\", \"aeevts.dll\", \"aeinv.dll\", \"aepic.dll\", \"ajrouter.dll\", \"altspace.dll\", \"amsi.dll\", \"amsiproxy.dll\", \"amstream.dll\", \"apds.dll\", \"aphostclient.dll\", \"aphostres.dll\", \"aphostservice.dll\", \"apisampling.dll\", \"apisetschema.dll\", \"apmon.dll\", \"apmonui.dll\", \"appcontracts.dll\", \"appextension.dll\", \"apphelp.dll\", \"apphlpdm.dll\", \"appidapi.dll\", \"appidsvc.dll\", \"appinfo.dll\", \"appinfoext.dll\", \"applicationframe.dll\", \"applockercsp.dll\", \"appmgmts.dll\", \"appmgr.dll\", \"appmon.dll\", \"appointmentapis.dll\", \"appraiser.dll\", \"appreadiness.dll\", \"apprepapi.dll\", \"appresolver.dll\", \"appsruprov.dll\", \"appvcatalog.dll\", \"appvclientps.dll\", \"appvetwclientres.dll\", \"appvintegration.dll\", \"appvmanifest.dll\", \"appvpolicy.dll\", \"appvpublishing.dll\", \"appvreporting.dll\", \"appvscripting.dll\", \"appvsentinel.dll\", \"appvstreamingux.dll\", \"appvstreammap.dll\", \"appvterminator.dll\", \"appxalluserstore.dll\", \"appxpackaging.dll\", \"appxsip.dll\", \"appxsysprep.dll\", \"archiveint.dll\", \"asferror.dll\", \"aspnet_counters.dll\", \"asycfilt.dll\", \"atl.dll\", \"atlthunk.dll\", \"atmlib.dll\", \"audioeng.dll\", \"audiohandlers.dll\", \"audiokse.dll\", \"audioses.dll\", \"audiosrv.dll\", \"auditcse.dll\", \"auditpolcore.dll\", \"auditpolmsg.dll\", \"authbroker.dll\", \"authbrokerui.dll\", \"authentication.dll\", \"authext.dll\", \"authfwcfg.dll\", \"authfwgp.dll\", \"authfwsnapin.dll\", \"authfwwizfwk.dll\", \"authhostproxy.dll\", \"authui.dll\", \"authz.dll\", 
\"autopilot.dll\", \"autopilotdiag.dll\", \"autoplay.dll\", \"autotimesvc.dll\", \"avicap32.dll\", \"avifil32.dll\", \"avrt.dll\", \"axinstsv.dll\", \"azroles.dll\", \"azroleui.dll\", \"azsqlext.dll\", \"basecsp.dll\", \"basesrv.dll\", \"batmeter.dll\", \"bcastdvrbroker.dll\", \"bcastdvrclient.dll\", \"bcastdvrcommon.dll\", \"bcd.dll\", \"bcdprov.dll\", \"bcdsrv.dll\", \"bcp47langs.dll\", \"bcp47mrm.dll\", \"bcrypt.dll\", \"bcryptprimitives.dll\", \"bdehdcfglib.dll\", \"bderepair.dll\", \"bdesvc.dll\", \"bdesysprep.dll\", \"bdeui.dll\", \"bfe.dll\", \"bi.dll\", \"bidispl.dll\", \"bindfltapi.dll\", \"bingasds.dll\", \"bingfilterds.dll\", \"bingmaps.dll\", \"biocredprov.dll\", \"bisrv.dll\", \"bitlockercsp.dll\", \"bitsigd.dll\", \"bitsperf.dll\", \"bitsproxy.dll\", \"biwinrt.dll\", \"blbevents.dll\", \"blbres.dll\", \"blb_ps.dll\", \"bluetoothapis.dll\", \"bnmanager.dll\", \"bootmenuux.dll\", \"bootstr.dll\", \"bootux.dll\", \"bootvid.dll\", \"bridgeres.dll\", \"brokerlib.dll\", \"browcli.dll\", \"browserbroker.dll\", \"browseui.dll\", \"btagservice.dll\", \"bthavctpsvc.dll\", \"bthavrcp.dll\", \"bthavrcpappsvc.dll\", \"bthci.dll\", \"bthpanapi.dll\", \"bthradiomedia.dll\", \"bthserv.dll\", \"bthtelemetry.dll\", \"btpanui.dll\", \"bwcontexthandler.dll\", \"cabapi.dll\", \"cabinet.dll\", \"cabview.dll\", \"callbuttons.dll\", \"cameracaptureui.dll\", \"capauthz.dll\", \"capiprovider.dll\", \"capisp.dll\", \"captureservice.dll\", \"castingshellext.dll\", \"castlaunch.dll\", \"catsrv.dll\", \"catsrvps.dll\", \"catsrvut.dll\", \"cbdhsvc.dll\", \"cca.dll\", \"cdd.dll\", \"cdosys.dll\", \"cdp.dll\", \"cdprt.dll\", \"cdpsvc.dll\", \"cdpusersvc.dll\", \"cemapi.dll\", \"certca.dll\", \"certcli.dll\", \"certcredprovider.dll\", \"certenc.dll\", \"certenroll.dll\", \"certenrollui.dll\", \"certmgr.dll\", \"certpkicmdlet.dll\", \"certpoleng.dll\", \"certprop.dll\", \"cewmdm.dll\", \"cfgbkend.dll\", \"cfgmgr32.dll\", \"cfgspcellular.dll\", \"cfgsppolicy.dll\", \"cflapi.dll\", 
\"cfmifs.dll\", \"cfmifsproxy.dll\", \"chakra.dll\", \"chakradiag.dll\", \"chakrathunk.dll\", \"chartv.dll\", \"chatapis.dll\", \"chkwudrv.dll\", \"chsstrokeds.dll\", \"chtbopomofods.dll\", \"chtcangjieds.dll\", \"chthkstrokeds.dll\", \"chtquickds.dll\", \"chxapds.dll\", \"chxdecoder.dll\", \"chxhapds.dll\", \"chxinputrouter.dll\", \"chxranker.dll\", \"ci.dll\", \"cic.dll\", \"cimfs.dll\", \"circoinst.dll\", \"ciwmi.dll\", \"clb.dll\", \"clbcatq.dll\", \"cldapi.dll\", \"cleanpccsp.dll\", \"clfsw32.dll\", \"cliconfg.dll\", \"clipboardserver.dll\", \"clipc.dll\", \"clipsvc.dll\", \"clipwinrt.dll\", \"cloudap.dll\", \"cloudidsvc.dll\", \"clrhost.dll\", \"clusapi.dll\", \"cmcfg32.dll\", \"cmdext.dll\", \"cmdial32.dll\", \"cmgrcspps.dll\", \"cmifw.dll\", \"cmintegrator.dll\", \"cmlua.dll\", \"cmpbk32.dll\", \"cmstplua.dll\", \"cmutil.dll\", \"cngcredui.dll\", \"cngprovider.dll\", \"cnvfat.dll\", \"cofiredm.dll\", \"colbact.dll\", \"colorcnv.dll\", \"colorui.dll\", \"combase.dll\", \"comcat.dll\", \"comctl32.dll\", \"comdlg32.dll\", \"coml2.dll\", \"comppkgsup.dll\", \"compstui.dll\", \"computecore.dll\", \"computenetwork.dll\", \"computestorage.dll\", \"comrepl.dll\", \"comres.dll\", \"comsnap.dll\", \"comsvcs.dll\", \"comuid.dll\", \"configmanager2.dll\", \"conhostv1.dll\", \"connect.dll\", \"consentux.dll\", \"consentuxclient.dll\", \"console.dll\", \"consolelogon.dll\", \"contactapis.dll\", \"container.dll\", \"coredpus.dll\", \"coreglobconfig.dll\", \"coremas.dll\", \"coremessaging.dll\", \"coremmres.dll\", \"coreshell.dll\", \"coreshellapi.dll\", \"coreuicomponents.dll\", \"correngine.dll\", \"courtesyengine.dll\", \"cpfilters.dll\", \"creddialogbroker.dll\", \"credprovhelper.dll\", \"credprovhost.dll\", \"credprovs.dll\", \"credprovslegacy.dll\", \"credssp.dll\", \"credui.dll\", \"crypt32.dll\", \"cryptbase.dll\", \"cryptcatsvc.dll\", \"cryptdlg.dll\", \"cryptdll.dll\", \"cryptext.dll\", \"cryptnet.dll\", \"cryptngc.dll\", \"cryptowinrt.dll\", \"cryptsp.dll\", 
\"cryptsvc.dll\", \"crypttpmeksvc.dll\", \"cryptui.dll\", \"cryptuiwizard.dll\", \"cryptxml.dll\", \"cscapi.dll\", \"cscdll.dll\", \"cscmig.dll\", \"cscobj.dll\", \"cscsvc.dll\", \"cscui.dll\", \"csplte.dll\", \"cspproxy.dll\", \"csrsrv.dll\", \"cxcredprov.dll\", \"c_g18030.dll\", \"c_gsm7.dll\", \"c_is2022.dll\", \"c_iscii.dll\", \"d2d1.dll\", \"d3d10.dll\", \"d3d10core.dll\", \"d3d10level9.dll\", \"d3d10warp.dll\", \"d3d10_1.dll\", \"d3d10_1core.dll\", \"d3d11.dll\", \"d3d11on12.dll\", \"d3d12.dll\", \"d3d12core.dll\", \"d3d8thk.dll\", \"d3d9.dll\", \"d3d9on12.dll\", \"d3dscache.dll\", \"dab.dll\", \"dabapi.dll\", \"daconn.dll\", \"dafbth.dll\", \"dafdnssd.dll\", \"dafescl.dll\", \"dafgip.dll\", \"dafiot.dll\", \"dafipp.dll\", \"dafmcp.dll\", \"dafpos.dll\", \"dafprintprovider.dll\", \"dafupnp.dll\", \"dafwcn.dll\", \"dafwfdprovider.dll\", \"dafwiprov.dll\", \"dafwsd.dll\", \"damediamanager.dll\", \"damm.dll\", \"das.dll\", \"dataclen.dll\", \"datusage.dll\", \"davclnt.dll\", \"davhlpr.dll\", \"davsyncprovider.dll\", \"daxexec.dll\", \"dbgcore.dll\", \"dbgeng.dll\", \"dbghelp.dll\", \"dbgmodel.dll\", \"dbnetlib.dll\", \"dbnmpntw.dll\", \"dciman32.dll\", \"dcntel.dll\", \"dcomp.dll\", \"ddaclsys.dll\", \"ddcclaimsapi.dll\", \"ddds.dll\", \"ddisplay.dll\", \"ddoiproxy.dll\", \"ddores.dll\", \"ddpchunk.dll\", \"ddptrace.dll\", \"ddputils.dll\", \"ddp_ps.dll\", \"ddraw.dll\", \"ddrawex.dll\", \"defragproxy.dll\", \"defragres.dll\", \"defragsvc.dll\", \"deploymentcsps.dll\", \"deskadp.dll\", \"deskmon.dll\", \"desktopshellext.dll\", \"devenum.dll\", \"deviceaccess.dll\", \"devicecenter.dll\", \"devicecredential.dll\", \"devicepairing.dll\", \"deviceuxres.dll\", \"devinv.dll\", \"devmgr.dll\", \"devobj.dll\", \"devpropmgr.dll\", \"devquerybroker.dll\", \"devrtl.dll\", \"dfdts.dll\", \"dfscli.dll\", \"dfshim.dll\", \"dfsshlex.dll\", \"dggpext.dll\", \"dhcpcmonitor.dll\", \"dhcpcore.dll\", \"dhcpcore6.dll\", \"dhcpcsvc.dll\", \"dhcpcsvc6.dll\", \"dhcpsapi.dll\", 
\"diagcpl.dll\", \"diagnosticlogcsp.dll\", \"diagperf.dll\", \"diagsvc.dll\", \"diagtrack.dll\", \"dialclient.dll\", \"dialserver.dll\", \"dictationmanager.dll\", \"difxapi.dll\", \"dimsjob.dll\", \"dimsroam.dll\", \"dinput.dll\", \"dinput8.dll\", \"direct2ddesktop.dll\", \"directml.dll\", \"discan.dll\", \"dismapi.dll\", \"dispbroker.dll\", \"dispex.dll\", \"display.dll\", \"displaymanager.dll\", \"dlnashext.dll\", \"dmappsres.dll\", \"dmcfgutils.dll\", \"dmcmnutils.dll\", \"dmcsps.dll\", \"dmdlgs.dll\", \"dmdskmgr.dll\", \"dmdskres.dll\", \"dmdskres2.dll\", \"dmenrollengine.dll\", \"dmintf.dll\", \"dmiso8601utils.dll\", \"dmloader.dll\", \"dmocx.dll\", \"dmoleaututils.dll\", \"dmpushproxy.dll\", \"dmpushroutercore.dll\", \"dmrcdecoder.dll\", \"dmrserver.dll\", \"dmsynth.dll\", \"dmusic.dll\", \"dmutil.dll\", \"dmvdsitf.dll\", \"dmwappushsvc.dll\", \"dmwmicsp.dll\", \"dmxmlhelputils.dll\", \"dnsapi.dll\", \"dnscmmc.dll\", \"dnsext.dll\", \"dnshc.dll\", \"dnsrslvr.dll\", \"docprop.dll\", \"dolbydecmft.dll\", \"domgmt.dll\", \"dosettings.dll\", \"dosvc.dll\", \"dot3api.dll\", \"dot3cfg.dll\", \"dot3conn.dll\", \"dot3dlg.dll\", \"dot3gpclnt.dll\", \"dot3gpui.dll\", \"dot3hc.dll\", \"dot3mm.dll\", \"dot3msm.dll\", \"dot3svc.dll\", \"dot3ui.dll\", \"dpapi.dll\", \"dpapiprovider.dll\", \"dpapisrv.dll\", \"dpnaddr.dll\", \"dpnathlp.dll\", \"dpnet.dll\", \"dpnhpast.dll\", \"dpnhupnp.dll\", \"dpnlobby.dll\", \"dps.dll\", \"dpx.dll\", \"drprov.dll\", \"drt.dll\", \"drtprov.dll\", \"drttransport.dll\", \"drvsetup.dll\", \"drvstore.dll\", \"dsauth.dll\", \"dsccore.dll\", \"dsccoreconfprov.dll\", \"dsclient.dll\", \"dscproxy.dll\", \"dsctimer.dll\", \"dsdmo.dll\", \"dskquota.dll\", \"dskquoui.dll\", \"dsound.dll\", \"dsparse.dll\", \"dsprop.dll\", \"dsquery.dll\", \"dsreg.dll\", \"dsregtask.dll\", \"dsrole.dll\", \"dssec.dll\", \"dssenh.dll\", \"dssvc.dll\", \"dsui.dll\", \"dsuiext.dll\", \"dswave.dll\", \"dtsh.dll\", \"ducsps.dll\", \"dui70.dll\", \"duser.dll\", 
\"dusmapi.dll\", \"dusmsvc.dll\", \"dwmapi.dll\", \"dwmcore.dll\", \"dwmghost.dll\", \"dwminit.dll\", \"dwmredir.dll\", \"dwmscene.dll\", \"dwrite.dll\", \"dxcore.dll\", \"dxdiagn.dll\", \"dxgi.dll\", \"dxgwdi.dll\", \"dxilconv.dll\", \"dxmasf.dll\", \"dxp.dll\", \"dxpps.dll\", \"dxptasksync.dll\", \"dxtmsft.dll\", \"dxtrans.dll\", \"dxva2.dll\", \"dynamoapi.dll\", \"eapp3hst.dll\", \"eappcfg.dll\", \"eappcfgui.dll\", \"eappgnui.dll\", \"eapphost.dll\", \"eappprxy.dll\", \"eapprovp.dll\", \"eapputil.dll\", \"eapsimextdesktop.dll\", \"eapsvc.dll\", \"eapteapauth.dll\", \"eapteapconfig.dll\", \"eapteapext.dll\", \"easconsent.dll\", \"easwrt.dll\", \"edgeangle.dll\", \"edgecontent.dll\", \"edgehtml.dll\", \"edgeiso.dll\", \"edgemanager.dll\", \"edpauditapi.dll\", \"edpcsp.dll\", \"edptask.dll\", \"edputil.dll\", \"eeprov.dll\", \"eeutil.dll\", \"efsadu.dll\", \"efscore.dll\", \"efsext.dll\", \"efslsaext.dll\", \"efssvc.dll\", \"efsutil.dll\", \"efswrt.dll\", \"ehstorapi.dll\", \"ehstorpwdmgr.dll\", \"ehstorshell.dll\", \"els.dll\", \"elscore.dll\", \"elshyph.dll\", \"elslad.dll\", \"elstrans.dll\", \"emailapis.dll\", \"embeddedmodesvc.dll\", \"emojids.dll\", \"encapi.dll\", \"energy.dll\", \"energyprov.dll\", \"energytask.dll\", \"enrollmentapi.dll\", \"enterpriseapncsp.dll\", \"enterprisecsps.dll\", \"enterpriseetw.dll\", \"eqossnap.dll\", \"errordetails.dll\", \"errordetailscore.dll\", \"es.dll\", \"esclprotocol.dll\", \"esclscan.dll\", \"esclwiadriver.dll\", \"esdsip.dll\", \"esent.dll\", \"esentprf.dll\", \"esevss.dll\", \"eshims.dll\", \"etwrundown.dll\", \"euiccscsp.dll\", \"eventaggregation.dll\", \"eventcls.dll\", \"evr.dll\", \"execmodelclient.dll\", \"execmodelproxy.dll\", \"explorerframe.dll\", \"exsmime.dll\", \"extrasxmlparser.dll\", \"f3ahvoas.dll\", \"facilitator.dll\", \"familysafetyext.dll\", \"faultrep.dll\", \"fcon.dll\", \"fdbth.dll\", \"fdbthproxy.dll\", \"fddevquery.dll\", \"fde.dll\", \"fdeploy.dll\", \"fdphost.dll\", \"fdpnp.dll\", 
\"fdprint.dll\", \"fdproxy.dll\", \"fdrespub.dll\", \"fdssdp.dll\", \"fdwcn.dll\", \"fdwnet.dll\", \"fdwsd.dll\", \"feclient.dll\", \"ffbroker.dll\", \"fhcat.dll\", \"fhcfg.dll\", \"fhcleanup.dll\", \"fhcpl.dll\", \"fhengine.dll\", \"fhevents.dll\", \"fhshl.dll\", \"fhsrchapi.dll\", \"fhsrchph.dll\", \"fhsvc.dll\", \"fhsvcctl.dll\", \"fhtask.dll\", \"fhuxadapter.dll\", \"fhuxapi.dll\", \"fhuxcommon.dll\", \"fhuxgraphics.dll\", \"fhuxpresentation.dll\", \"fidocredprov.dll\", \"filemgmt.dll\", \"filterds.dll\", \"findnetprinters.dll\", \"firewallapi.dll\", \"flightsettings.dll\", \"fltlib.dll\", \"fluencyds.dll\", \"fmapi.dll\", \"fmifs.dll\", \"fms.dll\", \"fntcache.dll\", \"fontext.dll\", \"fontprovider.dll\", \"fontsub.dll\", \"fphc.dll\", \"framedyn.dll\", \"framedynos.dll\", \"frameserver.dll\", \"frprov.dll\", \"fsutilext.dll\", \"fthsvc.dll\", \"fundisc.dll\", \"fveapi.dll\", \"fveapibase.dll\", \"fvecerts.dll\", \"fvecpl.dll\", \"fveskybackup.dll\", \"fveui.dll\", \"fvewiz.dll\", \"fwbase.dll\", \"fwcfg.dll\", \"fwmdmcsp.dll\", \"fwpolicyiomgr.dll\", \"fwpuclnt.dll\", \"fwremotesvr.dll\", \"gameinput.dll\", \"gamemode.dll\", \"gamestreamingext.dll\", \"gameux.dll\", \"gamingtcui.dll\", \"gcdef.dll\", \"gdi32.dll\", \"gdi32full.dll\", \"gdiplus.dll\", \"generaltel.dll\", \"geocommon.dll\", \"geolocation.dll\", \"getuname.dll\", \"glmf32.dll\", \"globinputhost.dll\", \"glu32.dll\", \"gmsaclient.dll\", \"gpapi.dll\", \"gpcsewrappercsp.dll\", \"gpedit.dll\", \"gpprefcl.dll\", \"gpprnext.dll\", \"gpscript.dll\", \"gpsvc.dll\", \"gptext.dll\", \"graphicscapture.dll\", \"graphicsperfsvc.dll\", \"groupinghc.dll\", \"hal.dll\", \"halextpl080.dll\", \"hascsp.dll\", \"hashtagds.dll\", \"hbaapi.dll\", \"hcproviders.dll\", \"hdcphandler.dll\", \"heatcore.dll\", \"helppaneproxy.dll\", \"hgcpl.dll\", \"hhsetup.dll\", \"hid.dll\", \"hidcfu.dll\", \"hidserv.dll\", \"hlink.dll\", \"hmkd.dll\", \"hnetcfg.dll\", \"hnetcfgclient.dll\", \"hnetmon.dll\", \"hologramworld.dll\", 
\"holoshellruntime.dll\", \"holoshextensions.dll\", \"hotplug.dll\", \"hrtfapo.dll\", \"httpapi.dll\", \"httpprxc.dll\", \"httpprxm.dll\", \"httpprxp.dll\", \"httpsdatasource.dll\", \"htui.dll\", \"hvhostsvc.dll\", \"hvloader.dll\", \"hvsigpext.dll\", \"hvsocket.dll\", \"hydrogen.dll\", \"ia2comproxy.dll\", \"ias.dll\", \"iasacct.dll\", \"iasads.dll\", \"iasdatastore.dll\", \"iashlpr.dll\", \"iasmigplugin.dll\", \"iasnap.dll\", \"iaspolcy.dll\", \"iasrad.dll\", \"iasrecst.dll\", \"iassam.dll\", \"iassdo.dll\", \"iassvcs.dll\", \"icfupgd.dll\", \"icm32.dll\", \"icmp.dll\", \"icmui.dll\", \"iconcodecservice.dll\", \"icsigd.dll\", \"icsvc.dll\", \"icsvcext.dll\", \"icu.dll\", \"icuin.dll\", \"icuuc.dll\", \"idctrls.dll\", \"idlisten.dll\", \"idndl.dll\", \"idstore.dll\", \"ieadvpack.dll\", \"ieapfltr.dll\", \"iedkcs32.dll\", \"ieframe.dll\", \"iemigplugin.dll\", \"iepeers.dll\", \"ieproxy.dll\", \"iernonce.dll\", \"iertutil.dll\", \"iesetup.dll\", \"iesysprep.dll\", \"ieui.dll\", \"ifmon.dll\", \"ifsutil.dll\", \"ifsutilx.dll\", \"igddiag.dll\", \"ihds.dll\", \"ikeext.dll\", \"imagehlp.dll\", \"imageres.dll\", \"imagesp1.dll\", \"imapi.dll\", \"imapi2.dll\", \"imapi2fs.dll\", \"imgutil.dll\", \"imm32.dll\", \"implatsetup.dll\", \"indexeddblegacy.dll\", \"inetcomm.dll\", \"inetmib1.dll\", \"inetpp.dll\", \"inetppui.dll\", \"inetres.dll\", \"inked.dll\", \"inkobjcore.dll\", \"inproclogger.dll\", \"input.dll\", \"inputcloudstore.dll\", \"inputcontroller.dll\", \"inputhost.dll\", \"inputservice.dll\", \"inputswitch.dll\", \"inseng.dll\", \"installservice.dll\", \"internetmail.dll\", \"internetmailcsp.dll\", \"invagent.dll\", \"iologmsg.dll\", \"iphlpapi.dll\", \"iphlpsvc.dll\", \"ipnathlp.dll\", \"ipnathlpclient.dll\", \"ippcommon.dll\", \"ippcommonproxy.dll\", \"iprtprio.dll\", \"iprtrmgr.dll\", \"ipsecsnp.dll\", \"ipsecsvc.dll\", \"ipsmsnap.dll\", \"ipxlatcfg.dll\", \"iri.dll\", \"iscsicpl.dll\", \"iscsidsc.dll\", \"iscsied.dll\", \"iscsiexe.dll\", \"iscsilog.dll\", 
\"iscsium.dll\", \"iscsiwmi.dll\", \"iscsiwmiv2.dll\", \"ism.dll\", \"itircl.dll\", \"itss.dll\", \"iuilp.dll\", \"iumbase.dll\", \"iumcrypt.dll\", \"iumdll.dll\", \"iumsdk.dll\", \"iyuv_32.dll\", \"joinproviderol.dll\", \"joinutil.dll\", \"jpmapcontrol.dll\", \"jpndecoder.dll\", \"jpninputrouter.dll\", \"jpnranker.dll\", \"jpnserviceds.dll\", \"jscript.dll\", \"jscript9.dll\", \"jscript9diag.dll\", \"jsproxy.dll\", \"kbd101.dll\", \"kbd101a.dll\", \"kbd101b.dll\", \"kbd101c.dll\", \"kbd103.dll\", \"kbd106.dll\", \"kbd106n.dll\", \"kbda1.dll\", \"kbda2.dll\", \"kbda3.dll\", \"kbdadlm.dll\", \"kbdal.dll\", \"kbdarme.dll\", \"kbdarmph.dll\", \"kbdarmty.dll\", \"kbdarmw.dll\", \"kbdax2.dll\", \"kbdaze.dll\", \"kbdazel.dll\", \"kbdazst.dll\", \"kbdbash.dll\", \"kbdbe.dll\", \"kbdbene.dll\", \"kbdbgph.dll\", \"kbdbgph1.dll\", \"kbdbhc.dll\", \"kbdblr.dll\", \"kbdbr.dll\", \"kbdbu.dll\", \"kbdbug.dll\", \"kbdbulg.dll\", \"kbdca.dll\", \"kbdcan.dll\", \"kbdcher.dll\", \"kbdcherp.dll\", \"kbdcr.dll\", \"kbdcz.dll\", \"kbdcz1.dll\", \"kbdcz2.dll\", \"kbdda.dll\", \"kbddiv1.dll\", \"kbddiv2.dll\", \"kbddv.dll\", \"kbddzo.dll\", \"kbdes.dll\", \"kbdest.dll\", \"kbdfa.dll\", \"kbdfar.dll\", \"kbdfc.dll\", \"kbdfi.dll\", \"kbdfi1.dll\", \"kbdfo.dll\", \"kbdfr.dll\", \"kbdfthrk.dll\", \"kbdgae.dll\", \"kbdgeo.dll\", \"kbdgeoer.dll\", \"kbdgeome.dll\", \"kbdgeooa.dll\", \"kbdgeoqw.dll\", \"kbdgkl.dll\", \"kbdgn.dll\", \"kbdgr.dll\", \"kbdgr1.dll\", \"kbdgrlnd.dll\", \"kbdgthc.dll\", \"kbdhau.dll\", \"kbdhaw.dll\", \"kbdhe.dll\", \"kbdhe220.dll\", \"kbdhe319.dll\", \"kbdheb.dll\", \"kbdhebl3.dll\", \"kbdhela2.dll\", \"kbdhela3.dll\", \"kbdhept.dll\", \"kbdhu.dll\", \"kbdhu1.dll\", \"kbdibm02.dll\", \"kbdibo.dll\", \"kbdic.dll\", \"kbdinasa.dll\", \"kbdinbe1.dll\", \"kbdinbe2.dll\", \"kbdinben.dll\", \"kbdindev.dll\", \"kbdinen.dll\", \"kbdinguj.dll\", \"kbdinhin.dll\", \"kbdinkan.dll\", \"kbdinmal.dll\", \"kbdinmar.dll\", \"kbdinori.dll\", \"kbdinpun.dll\", \"kbdintam.dll\", 
\"kbdintel.dll\", \"kbdinuk2.dll\", \"kbdir.dll\", \"kbdit.dll\", \"kbdit142.dll\", \"kbdiulat.dll\", \"kbdjav.dll\", \"kbdjpn.dll\", \"kbdkaz.dll\", \"kbdkhmr.dll\", \"kbdkni.dll\", \"kbdkor.dll\", \"kbdkurd.dll\", \"kbdkyr.dll\", \"kbdla.dll\", \"kbdlao.dll\", \"kbdlisub.dll\", \"kbdlisus.dll\", \"kbdlk41a.dll\", \"kbdlt.dll\", \"kbdlt1.dll\", \"kbdlt2.dll\", \"kbdlv.dll\", \"kbdlv1.dll\", \"kbdlvst.dll\", \"kbdmac.dll\", \"kbdmacst.dll\", \"kbdmaori.dll\", \"kbdmlt47.dll\", \"kbdmlt48.dll\", \"kbdmon.dll\", \"kbdmonmo.dll\", \"kbdmonst.dll\", \"kbdmyan.dll\", \"kbdne.dll\", \"kbdnec.dll\", \"kbdnec95.dll\", \"kbdnecat.dll\", \"kbdnecnt.dll\", \"kbdnepr.dll\", \"kbdnko.dll\", \"kbdno.dll\", \"kbdno1.dll\", \"kbdnso.dll\", \"kbdntl.dll\", \"kbdogham.dll\", \"kbdolch.dll\", \"kbdoldit.dll\", \"kbdosa.dll\", \"kbdosm.dll\", \"kbdpash.dll\", \"kbdphags.dll\", \"kbdpl.dll\", \"kbdpl1.dll\", \"kbdpo.dll\", \"kbdro.dll\", \"kbdropr.dll\", \"kbdrost.dll\", \"kbdru.dll\", \"kbdru1.dll\", \"kbdrum.dll\", \"kbdsf.dll\", \"kbdsg.dll\", \"kbdsl.dll\", \"kbdsl1.dll\", \"kbdsmsfi.dll\", \"kbdsmsno.dll\", \"kbdsn1.dll\", \"kbdsora.dll\", \"kbdsorex.dll\", \"kbdsors1.dll\", \"kbdsorst.dll\", \"kbdsp.dll\", \"kbdsw.dll\", \"kbdsw09.dll\", \"kbdsyr1.dll\", \"kbdsyr2.dll\", \"kbdtaile.dll\", \"kbdtajik.dll\", \"kbdtam99.dll\", \"kbdtat.dll\", \"kbdth0.dll\", \"kbdth1.dll\", \"kbdth2.dll\", \"kbdth3.dll\", \"kbdtifi.dll\", \"kbdtifi2.dll\", \"kbdtiprc.dll\", \"kbdtiprd.dll\", \"kbdtt102.dll\", \"kbdtuf.dll\", \"kbdtuq.dll\", \"kbdturme.dll\", \"kbdtzm.dll\", \"kbdughr.dll\", \"kbdughr1.dll\", \"kbduk.dll\", \"kbdukx.dll\", \"kbdur.dll\", \"kbdur1.dll\", \"kbdurdu.dll\", \"kbdus.dll\", \"kbdusa.dll\", \"kbdusl.dll\", \"kbdusr.dll\", \"kbdusx.dll\", \"kbduzb.dll\", \"kbdvntc.dll\", \"kbdwol.dll\", \"kbdyak.dll\", \"kbdyba.dll\", \"kbdycc.dll\", \"kbdycl.dll\", \"kd.dll\", \"kdcom.dll\", \"kdcpw.dll\", \"kdhvcom.dll\", \"kdnet.dll\", \"kdnet_uart16550.dll\", \"kdscli.dll\", 
\"kdstub.dll\", \"kdusb.dll\", \"kd_02_10df.dll\", \"kd_02_10ec.dll\", \"kd_02_1137.dll\", \"kd_02_14e4.dll\", \"kd_02_15b3.dll\", \"kd_02_1969.dll\", \"kd_02_19a2.dll\", \"kd_02_1af4.dll\", \"kd_02_8086.dll\", \"kd_07_1415.dll\", \"kd_0c_8086.dll\", \"kerbclientshared.dll\", \"kerberos.dll\", \"kernel32.dll\", \"kernelbase.dll\", \"keycredmgr.dll\", \"keyiso.dll\", \"keymgr.dll\", \"knobscore.dll\", \"knobscsp.dll\", \"ksuser.dll\", \"ktmw32.dll\", \"l2gpstore.dll\", \"l2nacp.dll\", \"l2sechc.dll\", \"laprxy.dll\", \"legacynetux.dll\", \"lfsvc.dll\", \"libcrypto.dll\", \"licensemanager.dll\", \"licensingcsp.dll\", \"licensingdiagspp.dll\", \"licensingwinrt.dll\", \"licmgr10.dll\", \"linkinfo.dll\", \"lltdapi.dll\", \"lltdres.dll\", \"lltdsvc.dll\", \"lmhsvc.dll\", \"loadperf.dll\", \"localsec.dll\", \"localspl.dll\", \"localui.dll\", \"locationapi.dll\", \"lockappbroker.dll\", \"lockcontroller.dll\", \"lockscreendata.dll\", \"loghours.dll\", \"logoncli.dll\", \"logoncontroller.dll\", \"lpasvc.dll\", \"lpk.dll\", \"lsasrv.dll\", \"lscshostpolicy.dll\", \"lsm.dll\", \"lsmproxy.dll\", \"lstelemetry.dll\", \"luainstall.dll\", \"luiapi.dll\", \"lz32.dll\", \"magnification.dll\", \"maintenanceui.dll\", \"manageci.dll\", \"mapconfiguration.dll\", \"mapcontrolcore.dll\", \"mapgeocoder.dll\", \"mapi32.dll\", \"mapistub.dll\", \"maprouter.dll\", \"mapsbtsvc.dll\", \"mapsbtsvcproxy.dll\", \"mapscsp.dll\", \"mapsstore.dll\", \"mapstoasttask.dll\", \"mapsupdatetask.dll\", \"mbaeapi.dll\", \"mbaeapipublic.dll\", \"mbaexmlparser.dll\", \"mbmediamanager.dll\", \"mbsmsapi.dll\", \"mbussdapi.dll\", \"mccsengineshared.dll\", \"mccspal.dll\", \"mciavi32.dll\", \"mcicda.dll\", \"mciqtz32.dll\", \"mciseq.dll\", \"mciwave.dll\", \"mcrecvsrc.dll\", \"mdmcommon.dll\", \"mdmdiagnostics.dll\", \"mdminst.dll\", \"mdmmigrator.dll\", \"mdmregistration.dll\", \"memorydiagnostic.dll\", \"messagingservice.dll\", \"mf.dll\", \"mf3216.dll\", \"mfaacenc.dll\", \"mfasfsrcsnk.dll\", 
\"mfaudiocnv.dll\", \"mfc42.dll\", \"mfc42u.dll\", \"mfcaptureengine.dll\", \"mfcore.dll\", \"mfcsubs.dll\", \"mfds.dll\", \"mfdvdec.dll\", \"mferror.dll\", \"mfh263enc.dll\", \"mfh264enc.dll\", \"mfksproxy.dll\", \"mfmediaengine.dll\", \"mfmjpegdec.dll\", \"mfmkvsrcsnk.dll\", \"mfmp4srcsnk.dll\", \"mfmpeg2srcsnk.dll\", \"mfnetcore.dll\", \"mfnetsrc.dll\", \"mfperfhelper.dll\", \"mfplat.dll\", \"mfplay.dll\", \"mfps.dll\", \"mfreadwrite.dll\", \"mfsensorgroup.dll\", \"mfsrcsnk.dll\", \"mfsvr.dll\", \"mftranscode.dll\", \"mfvdsp.dll\", \"mfvfw.dll\", \"mfwmaaec.dll\", \"mgmtapi.dll\", \"mi.dll\", \"mibincodec.dll\", \"midimap.dll\", \"migisol.dll\", \"miguiresource.dll\", \"mimefilt.dll\", \"mimofcodec.dll\", \"minstoreevents.dll\", \"miracastinputmgr.dll\", \"miracastreceiver.dll\", \"mirrordrvcompat.dll\", \"mispace.dll\", \"mitigationclient.dll\", \"miutils.dll\", \"mlang.dll\", \"mmcbase.dll\", \"mmcndmgr.dll\", \"mmcshext.dll\", \"mmdevapi.dll\", \"mmgaclient.dll\", \"mmgaproxystub.dll\", \"mmres.dll\", \"mobilenetworking.dll\", \"modemui.dll\", \"modernexecserver.dll\", \"moricons.dll\", \"moshost.dll\", \"moshostclient.dll\", \"moshostcore.dll\", \"mosstorage.dll\", \"mp3dmod.dll\", \"mp43decd.dll\", \"mp4sdecd.dll\", \"mpeval.dll\", \"mpg4decd.dll\", \"mpr.dll\", \"mprapi.dll\", \"mprddm.dll\", \"mprdim.dll\", \"mprext.dll\", \"mprmsg.dll\", \"mpssvc.dll\", \"mpunits.dll\", \"mrmcorer.dll\", \"mrmdeploy.dll\", \"mrmindexer.dll\", \"mrt100.dll\", \"mrt_map.dll\", \"msaatext.dll\", \"msac3enc.dll\", \"msacm32.dll\", \"msafd.dll\", \"msajapi.dll\", \"msalacdecoder.dll\", \"msalacencoder.dll\", \"msamrnbdecoder.dll\", \"msamrnbencoder.dll\", \"msamrnbsink.dll\", \"msamrnbsource.dll\", \"msasn1.dll\", \"msauddecmft.dll\", \"msaudite.dll\", \"msauserext.dll\", \"mscandui.dll\", \"mscat32.dll\", \"msclmd.dll\", \"mscms.dll\", \"mscoree.dll\", \"mscorier.dll\", \"mscories.dll\", \"msctf.dll\", \"msctfmonitor.dll\", \"msctfp.dll\", \"msctfui.dll\", 
\"msctfuimanager.dll\", \"msdadiag.dll\", \"msdart.dll\", \"msdelta.dll\", \"msdmo.dll\", \"msdrm.dll\", \"msdtckrm.dll\", \"msdtclog.dll\", \"msdtcprx.dll\", \"msdtcspoffln.dll\", \"msdtctm.dll\", \"msdtcuiu.dll\", \"msdtcvsp1res.dll\", \"msfeeds.dll\", \"msfeedsbs.dll\", \"msflacdecoder.dll\", \"msflacencoder.dll\", \"msftedit.dll\", \"msheif.dll\", \"mshtml.dll\", \"mshtmldac.dll\", \"mshtmled.dll\", \"mshtmler.dll\", \"msi.dll\", \"msicofire.dll\", \"msidcrl40.dll\", \"msident.dll\", \"msidle.dll\", \"msidntld.dll\", \"msieftp.dll\", \"msihnd.dll\", \"msiltcfg.dll\", \"msimg32.dll\", \"msimsg.dll\", \"msimtf.dll\", \"msisip.dll\", \"msiso.dll\", \"msiwer.dll\", \"mskeyprotcli.dll\", \"mskeyprotect.dll\", \"msls31.dll\", \"msmpeg2adec.dll\", \"msmpeg2enc.dll\", \"msmpeg2vdec.dll\", \"msobjs.dll\", \"msoert2.dll\", \"msopusdecoder.dll\", \"mspatcha.dll\", \"mspatchc.dll\", \"msphotography.dll\", \"msports.dll\", \"msprivs.dll\", \"msrahc.dll\", \"msrating.dll\", \"msrawimage.dll\", \"msrdc.dll\", \"msrdpwebaccess.dll\", \"msrle32.dll\", \"msscntrs.dll\", \"mssecuser.dll\", \"mssign32.dll\", \"mssip32.dll\", \"mssitlb.dll\", \"mssph.dll\", \"mssprxy.dll\", \"mssrch.dll\", \"mssvp.dll\", \"mstask.dll\", \"mstextprediction.dll\", \"mstscax.dll\", \"msutb.dll\", \"msv1_0.dll\", \"msvcirt.dll\", \"msvcp110_win.dll\", \"msvcp120_clr0400.dll\", \"msvcp140_clr0400.dll\", \"msvcp60.dll\", \"msvcp_win.dll\", \"msvcr100_clr0400.dll\", \"msvcr120_clr0400.dll\", \"msvcrt.dll\", \"msvfw32.dll\", \"msvidc32.dll\", \"msvidctl.dll\", \"msvideodsp.dll\", \"msvp9dec.dll\", \"msvproc.dll\", \"msvpxenc.dll\", \"mswb7.dll\", \"mswebp.dll\", \"mswmdm.dll\", \"mswsock.dll\", \"msxml3.dll\", \"msxml3r.dll\", \"msxml6.dll\", \"msxml6r.dll\", \"msyuv.dll\", \"mtcmodel.dll\", \"mtf.dll\", \"mtfappserviceds.dll\", \"mtfdecoder.dll\", \"mtffuzzyds.dll\", \"mtfserver.dll\", \"mtfspellcheckds.dll\", \"mtxclu.dll\", \"mtxdm.dll\", \"mtxex.dll\", \"mtxoci.dll\", \"muifontsetup.dll\", 
\"mycomput.dll\", \"mydocs.dll\", \"napcrypt.dll\", \"napinsp.dll\", \"naturalauth.dll\", \"naturallanguage6.dll\", \"navshutdown.dll\", \"ncaapi.dll\", \"ncasvc.dll\", \"ncbservice.dll\", \"ncdautosetup.dll\", \"ncdprop.dll\", \"nci.dll\", \"ncobjapi.dll\", \"ncrypt.dll\", \"ncryptprov.dll\", \"ncryptsslp.dll\", \"ncsi.dll\", \"ncuprov.dll\", \"nddeapi.dll\", \"ndfapi.dll\", \"ndfetw.dll\", \"ndfhcdiscovery.dll\", \"ndishc.dll\", \"ndproxystub.dll\", \"nduprov.dll\", \"negoexts.dll\", \"netapi32.dll\", \"netbios.dll\", \"netcenter.dll\", \"netcfgx.dll\", \"netcorehc.dll\", \"netdiagfx.dll\", \"netdriverinstall.dll\", \"netevent.dll\", \"netfxperf.dll\", \"neth.dll\", \"netid.dll\", \"netiohlp.dll\", \"netjoin.dll\", \"netlogon.dll\", \"netman.dll\", \"netmsg.dll\", \"netplwiz.dll\", \"netprofm.dll\", \"netprofmsvc.dll\", \"netprovfw.dll\", \"netprovisionsp.dll\", \"netsetupapi.dll\", \"netsetupengine.dll\", \"netsetupshim.dll\", \"netsetupsvc.dll\", \"netshell.dll\", \"nettrace.dll\", \"netutils.dll\", \"networkexplorer.dll\", \"networkhelper.dll\", \"networkicon.dll\", \"networkproxycsp.dll\", \"networkstatus.dll\", \"networkuxbroker.dll\", \"newdev.dll\", \"nfcradiomedia.dll\", \"ngccredprov.dll\", \"ngcctnr.dll\", \"ngcctnrsvc.dll\", \"ngcisoctnr.dll\", \"ngckeyenum.dll\", \"ngcksp.dll\", \"ngclocal.dll\", \"ngcpopkeysrv.dll\", \"ngcprocsp.dll\", \"ngcrecovery.dll\", \"ngcsvc.dll\", \"ngctasks.dll\", \"ninput.dll\", \"nlaapi.dll\", \"nlahc.dll\", \"nlasvc.dll\", \"nlhtml.dll\", \"nlmgp.dll\", \"nlmproxy.dll\", \"nlmsprep.dll\", \"nlsbres.dll\", \"nlsdata0000.dll\", \"nlsdata0009.dll\", \"nlsdl.dll\", \"nlslexicons0009.dll\", \"nmadirect.dll\", \"normaliz.dll\", \"npmproxy.dll\", \"npsm.dll\", \"nrpsrv.dll\", \"nshhttp.dll\", \"nshipsec.dll\", \"nshwfp.dll\", \"nsi.dll\", \"nsisvc.dll\", \"ntasn1.dll\", \"ntdll.dll\", \"ntdsapi.dll\", \"ntlanman.dll\", \"ntlanui2.dll\", \"ntlmshared.dll\", \"ntmarta.dll\", \"ntprint.dll\", \"ntshrui.dll\", \"ntvdm64.dll\", 
\"objsel.dll\", \"occache.dll\", \"ocsetapi.dll\", \"odbc32.dll\", \"odbcbcp.dll\", \"odbcconf.dll\", \"odbccp32.dll\", \"odbccr32.dll\", \"odbccu32.dll\", \"odbcint.dll\", \"odbctrac.dll\", \"oemlicense.dll\", \"offfilt.dll\", \"officecsp.dll\", \"offlinelsa.dll\", \"offlinesam.dll\", \"offreg.dll\", \"ole32.dll\", \"oleacc.dll\", \"oleacchooks.dll\", \"oleaccrc.dll\", \"oleaut32.dll\", \"oledlg.dll\", \"oleprn.dll\", \"omadmagent.dll\", \"omadmapi.dll\", \"onebackuphandler.dll\", \"onex.dll\", \"onexui.dll\", \"opcservices.dll\", \"opengl32.dll\", \"ortcengine.dll\", \"osbaseln.dll\", \"osksupport.dll\", \"osuninst.dll\", \"p2p.dll\", \"p2pgraph.dll\", \"p2pnetsh.dll\", \"p2psvc.dll\", \"packager.dll\", \"panmap.dll\", \"pautoenr.dll\", \"pcacli.dll\", \"pcadm.dll\", \"pcaevts.dll\", \"pcasvc.dll\", \"pcaui.dll\", \"pcpksp.dll\", \"pcsvdevice.dll\", \"pcwum.dll\", \"pcwutl.dll\", \"pdh.dll\", \"pdhui.dll\", \"peerdist.dll\", \"peerdistad.dll\", \"peerdistcleaner.dll\", \"peerdistsh.dll\", \"peerdistsvc.dll\", \"peopleapis.dll\", \"peopleband.dll\", \"perceptiondevice.dll\", \"perfctrs.dll\", \"perfdisk.dll\", \"perfnet.dll\", \"perfos.dll\", \"perfproc.dll\", \"perfts.dll\", \"phoneom.dll\", \"phoneproviders.dll\", \"phoneservice.dll\", \"phoneserviceres.dll\", \"phoneutil.dll\", \"phoneutilres.dll\", \"photowiz.dll\", \"pickerplatform.dll\", \"pid.dll\", \"pidgenx.dll\", \"pifmgr.dll\", \"pimstore.dll\", \"pkeyhelper.dll\", \"pktmonapi.dll\", \"pku2u.dll\", \"pla.dll\", \"playlistfolder.dll\", \"playsndsrv.dll\", \"playtodevice.dll\", \"playtomanager.dll\", \"playtomenu.dll\", \"playtoreceiver.dll\", \"ploptin.dll\", \"pmcsnap.dll\", \"pngfilt.dll\", \"pnidui.dll\", \"pnpclean.dll\", \"pnppolicy.dll\", \"pnpts.dll\", \"pnpui.dll\", \"pnpxassoc.dll\", \"pnpxassocprx.dll\", \"pnrpauto.dll\", \"pnrphc.dll\", \"pnrpnsp.dll\", \"pnrpsvc.dll\", \"policymanager.dll\", \"polstore.dll\", \"posetup.dll\", \"posyncservices.dll\", \"pots.dll\", \"powercpl.dll\", 
\"powrprof.dll\", \"ppcsnap.dll\", \"prauthproviders.dll\", \"prflbmsg.dll\", \"printui.dll\", \"printwsdahost.dll\", \"prm0009.dll\", \"prncache.dll\", \"prnfldr.dll\", \"prnntfy.dll\", \"prntvpt.dll\", \"profapi.dll\", \"profext.dll\", \"profprov.dll\", \"profsvc.dll\", \"profsvcext.dll\", \"propsys.dll\", \"provcore.dll\", \"provdatastore.dll\", \"provdiagnostics.dll\", \"provengine.dll\", \"provhandlers.dll\", \"provisioningcsp.dll\", \"provmigrate.dll\", \"provops.dll\", \"provplugineng.dll\", \"provsysprep.dll\", \"provthrd.dll\", \"proximitycommon.dll\", \"proximityservice.dll\", \"prvdmofcomp.dll\", \"psapi.dll\", \"pshed.dll\", \"psisdecd.dll\", \"psmsrv.dll\", \"pstask.dll\", \"pstorec.dll\", \"ptpprov.dll\", \"puiapi.dll\", \"puiobj.dll\", \"pushtoinstall.dll\", \"pwlauncher.dll\", \"pwrshplugin.dll\", \"pwsso.dll\", \"qasf.dll\", \"qcap.dll\", \"qdv.dll\", \"qdvd.dll\", \"qedit.dll\", \"qedwipes.dll\", \"qmgr.dll\", \"query.dll\", \"quiethours.dll\", \"qwave.dll\", \"racengn.dll\", \"racpldlg.dll\", \"radardt.dll\", \"radarrs.dll\", \"radcui.dll\", \"rasadhlp.dll\", \"rasapi32.dll\", \"rasauto.dll\", \"raschap.dll\", \"raschapext.dll\", \"rasctrs.dll\", \"rascustom.dll\", \"rasdiag.dll\", \"rasdlg.dll\", \"rasgcw.dll\", \"rasman.dll\", \"rasmans.dll\", \"rasmbmgr.dll\", \"rasmediamanager.dll\", \"rasmm.dll\", \"rasmontr.dll\", \"rasplap.dll\", \"rasppp.dll\", \"rastapi.dll\", \"rastls.dll\", \"rastlsext.dll\", \"rdbui.dll\", \"rdpbase.dll\", \"rdpcfgex.dll\", \"rdpcore.dll\", \"rdpcorets.dll\", \"rdpencom.dll\", \"rdpendp.dll\", \"rdpnano.dll\", \"rdpsaps.dll\", \"rdpserverbase.dll\", \"rdpsharercom.dll\", \"rdpudd.dll\", \"rdpviewerax.dll\", \"rdsappxhelper.dll\", \"rdsdwmdr.dll\", \"rdvvmtransport.dll\", \"rdxservice.dll\", \"rdxtaskfactory.dll\", \"reagent.dll\", \"reagenttask.dll\", \"recovery.dll\", \"regapi.dll\", \"regctrl.dll\", \"regidle.dll\", \"regsvc.dll\", \"reguwpapi.dll\", \"reinfo.dll\", \"remotepg.dll\", \"remotewipecsp.dll\", 
\"reportingcsp.dll\", \"resampledmo.dll\", \"resbparser.dll\", \"reseteng.dll\", \"resetengine.dll\", \"resetengonline.dll\", \"resourcemapper.dll\", \"resutils.dll\", \"rgb9rast.dll\", \"riched20.dll\", \"riched32.dll\", \"rjvmdmconfig.dll\", \"rmapi.dll\", \"rmclient.dll\", \"rnr20.dll\", \"roamingsecurity.dll\", \"rometadata.dll\", \"rotmgr.dll\", \"rpcepmap.dll\", \"rpchttp.dll\", \"rpcns4.dll\", \"rpcnsh.dll\", \"rpcrt4.dll\", \"rpcrtremote.dll\", \"rpcss.dll\", \"rsaenh.dll\", \"rshx32.dll\", \"rstrtmgr.dll\", \"rtffilt.dll\", \"rtm.dll\", \"rtmediaframe.dll\", \"rtmmvrortc.dll\", \"rtutils.dll\", \"rtworkq.dll\", \"rulebasedds.dll\", \"samcli.dll\", \"samlib.dll\", \"samsrv.dll\", \"sas.dll\", \"sbe.dll\", \"sbeio.dll\", \"sberes.dll\", \"sbservicetrigger.dll\", \"scansetting.dll\", \"scardbi.dll\", \"scarddlg.dll\", \"scardsvr.dll\", \"scavengeui.dll\", \"scdeviceenum.dll\", \"scecli.dll\", \"scesrv.dll\", \"schannel.dll\", \"schedcli.dll\", \"schedsvc.dll\", \"scksp.dll\", \"scripto.dll\", \"scrobj.dll\", \"scrptadm.dll\", \"scrrun.dll\", \"sdcpl.dll\", \"sdds.dll\", \"sdengin2.dll\", \"sdfhost.dll\", \"sdhcinst.dll\", \"sdiageng.dll\", \"sdiagprv.dll\", \"sdiagschd.dll\", \"sdohlp.dll\", \"sdrsvc.dll\", \"sdshext.dll\", \"searchfolder.dll\", \"sechost.dll\", \"seclogon.dll\", \"secproc.dll\", \"secproc_isv.dll\", \"secproc_ssp.dll\", \"secproc_ssp_isv.dll\", \"secur32.dll\", \"security.dll\", \"semgrps.dll\", \"semgrsvc.dll\", \"sendmail.dll\", \"sens.dll\", \"sensapi.dll\", \"sensorsapi.dll\", \"sensorscpl.dll\", \"sensorservice.dll\", \"sensorsnativeapi.dll\", \"sensorsutilsv2.dll\", \"sensrsvc.dll\", \"serialui.dll\", \"servicinguapi.dll\", \"serwvdrv.dll\", \"sessenv.dll\", \"setbcdlocale.dll\", \"settingmonitor.dll\", \"settingsync.dll\", \"settingsynccore.dll\", \"setupapi.dll\", \"setupcl.dll\", \"setupcln.dll\", \"setupetw.dll\", \"sfc.dll\", \"sfc_os.dll\", \"sgrmenclave.dll\", \"shacct.dll\", \"shacctprofile.dll\", \"sharedpccsp.dll\", 
\"sharedrealitysvc.dll\", \"sharehost.dll\", \"sharemediacpl.dll\", \"shcore.dll\", \"shdocvw.dll\", \"shell32.dll\", \"shellstyle.dll\", \"shfolder.dll\", \"shgina.dll\", \"shimeng.dll\", \"shimgvw.dll\", \"shlwapi.dll\", \"shpafact.dll\", \"shsetup.dll\", \"shsvcs.dll\", \"shunimpl.dll\", \"shutdownext.dll\", \"shutdownux.dll\", \"shwebsvc.dll\", \"signdrv.dll\", \"simauth.dll\", \"simcfg.dll\", \"skci.dll\", \"slc.dll\", \"slcext.dll\", \"slwga.dll\", \"smartscreenps.dll\", \"smbhelperclass.dll\", \"smbwmiv2.dll\", \"smiengine.dll\", \"smphost.dll\", \"smsroutersvc.dll\", \"sndvolsso.dll\", \"snmpapi.dll\", \"socialapis.dll\", \"softkbd.dll\", \"softpub.dll\", \"sortwindows61.dll\", \"sortwindows62.dll\", \"spacebridge.dll\", \"spacecontrol.dll\", \"spatializerapo.dll\", \"spatialstore.dll\", \"spbcd.dll\", \"speechpal.dll\", \"spfileq.dll\", \"spinf.dll\", \"spmpm.dll\", \"spnet.dll\", \"spoolss.dll\", \"spopk.dll\", \"spp.dll\", \"sppc.dll\", \"sppcext.dll\", \"sppcomapi.dll\", \"sppcommdlg.dll\", \"sppinst.dll\", \"sppnp.dll\", \"sppobjs.dll\", \"sppwinob.dll\", \"sppwmi.dll\", \"spwinsat.dll\", \"spwizeng.dll\", \"spwizimg.dll\", \"spwizres.dll\", \"spwmp.dll\", \"sqlsrv32.dll\", \"sqmapi.dll\", \"srchadmin.dll\", \"srclient.dll\", \"srcore.dll\", \"srevents.dll\", \"srh.dll\", \"srhelper.dll\", \"srm.dll\", \"srmclient.dll\", \"srmlib.dll\", \"srmscan.dll\", \"srmshell.dll\", \"srmstormod.dll\", \"srmtrace.dll\", \"srm_ps.dll\", \"srpapi.dll\", \"srrstr.dll\", \"srumapi.dll\", \"srumsvc.dll\", \"srvcli.dll\", \"srvsvc.dll\", \"srwmi.dll\", \"sscore.dll\", \"sscoreext.dll\", \"ssdm.dll\", \"ssdpapi.dll\", \"ssdpsrv.dll\", \"sspicli.dll\", \"sspisrv.dll\", \"ssshim.dll\", \"sstpsvc.dll\", \"starttiledata.dll\", \"startupscan.dll\", \"stclient.dll\", \"sti.dll\", \"sti_ci.dll\", \"stobject.dll\", \"storageusage.dll\", \"storagewmi.dll\", \"storewuauth.dll\", \"storprop.dll\", \"storsvc.dll\", \"streamci.dll\", \"structuredquery.dll\", \"sud.dll\", \"svf.dll\", 
\"svsvc.dll\", \"swprv.dll\", \"sxproxy.dll\", \"sxs.dll\", \"sxshared.dll\", \"sxssrv.dll\", \"sxsstore.dll\", \"synccenter.dll\", \"synccontroller.dll\", \"synchostps.dll\", \"syncproxy.dll\", \"syncreg.dll\", \"syncres.dll\", \"syncsettings.dll\", \"syncutil.dll\", \"sysclass.dll\", \"sysfxui.dll\", \"sysmain.dll\", \"sysntfy.dll\", \"syssetup.dll\", \"systemcpl.dll\", \"t2embed.dll\", \"tabbtn.dll\", \"tabbtnex.dll\", \"tabsvc.dll\", \"tapi3.dll\", \"tapi32.dll\", \"tapilua.dll\", \"tapimigplugin.dll\", \"tapiperf.dll\", \"tapisrv.dll\", \"tapisysprep.dll\", \"tapiui.dll\", \"taskapis.dll\", \"taskbarcpl.dll\", \"taskcomp.dll\", \"taskschd.dll\", \"taskschdps.dll\", \"tbauth.dll\", \"tbs.dll\", \"tcbloader.dll\", \"tcpipcfg.dll\", \"tcpmib.dll\", \"tcpmon.dll\", \"tcpmonui.dll\", \"tdh.dll\", \"tdlmigration.dll\", \"tellib.dll\", \"termmgr.dll\", \"termsrv.dll\", \"tetheringclient.dll\", \"tetheringmgr.dll\", \"tetheringservice.dll\", \"tetheringstation.dll\", \"textshaping.dll\", \"themecpl.dll\", \"themeservice.dll\", \"themeui.dll\", \"threadpoolwinrt.dll\", \"thumbcache.dll\", \"timebrokerclient.dll\", \"timebrokerserver.dll\", \"timesync.dll\", \"timesynctask.dll\", \"tlscsp.dll\", \"tokenbinding.dll\", \"tokenbroker.dll\", \"tokenbrokerui.dll\", \"tpmcertresources.dll\", \"tpmcompc.dll\", \"tpmtasks.dll\", \"tpmvsc.dll\", \"tquery.dll\", \"traffic.dll\", \"transportdsa.dll\", \"trie.dll\", \"trkwks.dll\", \"tsbyuv.dll\", \"tscfgwmi.dll\", \"tserrredir.dll\", \"tsf3gip.dll\", \"tsgqec.dll\", \"tsmf.dll\", \"tspkg.dll\", \"tspubwmi.dll\", \"tssessionux.dll\", \"tssrvlic.dll\", \"tsworkspace.dll\", \"ttdloader.dll\", \"ttdplm.dll\", \"ttdrecord.dll\", \"ttdrecordcpu.dll\", \"ttlsauth.dll\", \"ttlscfg.dll\", \"ttlsext.dll\", \"tvratings.dll\", \"twext.dll\", \"twinapi.dll\", \"twinui.dll\", \"txflog.dll\", \"txfw32.dll\", \"tzautoupdate.dll\", \"tzres.dll\", \"tzsyncres.dll\", \"ubpm.dll\", \"ucmhc.dll\", \"ucrtbase.dll\", \"ucrtbase_clr0400.dll\", 
\"ucrtbase_enclave.dll\", \"udhisapi.dll\", \"udwm.dll\", \"ueficsp.dll\", \"uexfat.dll\", \"ufat.dll\", \"uiamanager.dll\", \"uianimation.dll\", \"uiautomationcore.dll\", \"uicom.dll\", \"uireng.dll\", \"uiribbon.dll\", \"uiribbonres.dll\", \"ulib.dll\", \"umb.dll\", \"umdmxfrm.dll\", \"umpdc.dll\", \"umpnpmgr.dll\", \"umpo-overrides.dll\", \"umpo.dll\", \"umpoext.dll\", \"umpowmi.dll\", \"umrdp.dll\", \"unattend.dll\", \"unenrollhook.dll\", \"unimdmat.dll\", \"uniplat.dll\", \"unistore.dll\", \"untfs.dll\", \"updateagent.dll\", \"updatecsp.dll\", \"updatepolicy.dll\", \"upnp.dll\", \"upnphost.dll\", \"upshared.dll\", \"urefs.dll\", \"urefsv1.dll\", \"ureg.dll\", \"url.dll\", \"urlmon.dll\", \"usbcapi.dll\", \"usbceip.dll\", \"usbmon.dll\", \"usbperf.dll\", \"usbpmapi.dll\", \"usbtask.dll\", \"usbui.dll\", \"user32.dll\", \"usercpl.dll\", \"userdataservice.dll\", \"userdatatimeutil.dll\", \"userenv.dll\", \"userinitext.dll\", \"usermgr.dll\", \"usermgrcli.dll\", \"usermgrproxy.dll\", \"usoapi.dll\", \"usocoreps.dll\", \"usosvc.dll\", \"usp10.dll\", \"ustprov.dll\", \"utcutil.dll\", \"utildll.dll\", \"uudf.dll\", \"uvcmodel.dll\", \"uwfcfgmgmt.dll\", \"uwfcsp.dll\", \"uwfservicingapi.dll\", \"uxinit.dll\", \"uxlib.dll\", \"uxlibres.dll\", \"uxtheme.dll\", \"vac.dll\", \"van.dll\", \"vault.dll\", \"vaultcds.dll\", \"vaultcli.dll\", \"vaultroaming.dll\", \"vaultsvc.dll\", \"vbsapi.dll\", \"vbscript.dll\", \"vbssysprep.dll\", \"vcardparser.dll\", \"vdsbas.dll\", \"vdsdyn.dll\", \"vdsutil.dll\", \"vdsvd.dll\", \"vds_ps.dll\", \"verifier.dll\", \"vertdll.dll\", \"vfuprov.dll\", \"vfwwdm32.dll\", \"vhfum.dll\", \"vid.dll\", \"videohandlers.dll\", \"vidreszr.dll\", \"virtdisk.dll\", \"vmbuspipe.dll\", \"vmdevicehost.dll\", \"vmictimeprovider.dll\", \"vmrdvcore.dll\", \"voiprt.dll\", \"vpnike.dll\", \"vpnikeapi.dll\", \"vpnsohdesktop.dll\", \"vpnv2csp.dll\", \"vscmgrps.dll\", \"vssapi.dll\", \"vsstrace.dll\", \"vss_ps.dll\", \"w32time.dll\", \"w32topl.dll\", 
\"waasassessment.dll\", \"waasmediccapsule.dll\", \"waasmedicps.dll\", \"waasmedicsvc.dll\", \"wabsyncprovider.dll\", \"walletproxy.dll\", \"walletservice.dll\", \"wavemsp.dll\", \"wbemcomn.dll\", \"wbiosrvc.dll\", \"wci.dll\", \"wcimage.dll\", \"wcmapi.dll\", \"wcmcsp.dll\", \"wcmsvc.dll\", \"wcnapi.dll\", \"wcncsvc.dll\", \"wcneapauthproxy.dll\", \"wcneappeerproxy.dll\", \"wcnnetsh.dll\", \"wcnwiz.dll\", \"wc_storage.dll\", \"wdc.dll\", \"wdi.dll\", \"wdigest.dll\", \"wdscore.dll\", \"webauthn.dll\", \"webcamui.dll\", \"webcheck.dll\", \"webclnt.dll\", \"webio.dll\", \"webservices.dll\", \"websocket.dll\", \"wecapi.dll\", \"wecsvc.dll\", \"wephostsvc.dll\", \"wer.dll\", \"werconcpl.dll\", \"wercplsupport.dll\", \"werenc.dll\", \"weretw.dll\", \"wersvc.dll\", \"werui.dll\", \"wevtapi.dll\", \"wevtfwd.dll\", \"wevtsvc.dll\", \"wfapigp.dll\", \"wfdprov.dll\", \"wfdsconmgr.dll\", \"wfdsconmgrsvc.dll\", \"wfhc.dll\", \"whealogr.dll\", \"whhelper.dll\", \"wiaaut.dll\", \"wiadefui.dll\", \"wiadss.dll\", \"wiarpc.dll\", \"wiascanprofiles.dll\", \"wiaservc.dll\", \"wiashext.dll\", \"wiatrace.dll\", \"wificloudstore.dll\", \"wificonfigsp.dll\", \"wifidisplay.dll\", \"wimgapi.dll\", \"win32spl.dll\", \"win32u.dll\", \"winbio.dll\", \"winbiodatamodel.dll\", \"winbioext.dll\", \"winbrand.dll\", \"wincorlib.dll\", \"wincredprovider.dll\", \"wincredui.dll\", \"windowmanagement.dll\", \"windowscodecs.dll\", \"windowscodecsext.dll\", \"windowscodecsraw.dll\", \"windowsiotcsp.dll\", \"windowslivelogin.dll\", \"winethc.dll\", \"winhttp.dll\", \"winhttpcom.dll\", \"winhvemulation.dll\", \"winhvplatform.dll\", \"wininet.dll\", \"wininetlui.dll\", \"wininitext.dll\", \"winipcfile.dll\", \"winipcsecproc.dll\", \"winipsec.dll\", \"winlangdb.dll\", \"winlogonext.dll\", \"winmde.dll\", \"winml.dll\", \"winmm.dll\", \"winmmbase.dll\", \"winmsipc.dll\", \"winnlsres.dll\", \"winnsi.dll\", \"winreagent.dll\", \"winrnr.dll\", \"winrscmd.dll\", \"winrsmgr.dll\", \"winrssrv.dll\", 
\"winrttracing.dll\", \"winsatapi.dll\", \"winscard.dll\", \"winsetupui.dll\", \"winshfhc.dll\", \"winsku.dll\", \"winsockhc.dll\", \"winsqlite3.dll\", \"winsrpc.dll\", \"winsrv.dll\", \"winsrvext.dll\", \"winsta.dll\", \"winsync.dll\", \"winsyncmetastore.dll\", \"winsyncproviders.dll\", \"wintrust.dll\", \"wintypes.dll\", \"winusb.dll\", \"wirednetworkcsp.dll\", \"wisp.dll\", \"wkscli.dll\", \"wkspbrokerax.dll\", \"wksprtps.dll\", \"wkssvc.dll\", \"wlanapi.dll\", \"wlancfg.dll\", \"wlanconn.dll\", \"wlandlg.dll\", \"wlangpui.dll\", \"wlanhc.dll\", \"wlanhlp.dll\", \"wlanmediamanager.dll\", \"wlanmm.dll\", \"wlanmsm.dll\", \"wlanpref.dll\", \"wlanradiomanager.dll\", \"wlansec.dll\", \"wlansvc.dll\", \"wlansvcpal.dll\", \"wlanui.dll\", \"wlanutil.dll\", \"wldap32.dll\", \"wldp.dll\", \"wlgpclnt.dll\", \"wlidcli.dll\", \"wlidcredprov.dll\", \"wlidfdp.dll\", \"wlidnsp.dll\", \"wlidprov.dll\", \"wlidres.dll\", \"wlidsvc.dll\", \"wmadmod.dll\", \"wmadmoe.dll\", \"wmalfxgfxdsp.dll\", \"wmasf.dll\", \"wmcodecdspps.dll\", \"wmdmlog.dll\", \"wmdmps.dll\", \"wmdrmsdk.dll\", \"wmerror.dll\", \"wmi.dll\", \"wmiclnt.dll\", \"wmicmiplugin.dll\", \"wmidcom.dll\", \"wmidx.dll\", \"wmiprop.dll\", \"wmitomi.dll\", \"wmnetmgr.dll\", \"wmp.dll\", \"wmpdui.dll\", \"wmpdxm.dll\", \"wmpeffects.dll\", \"wmphoto.dll\", \"wmploc.dll\", \"wmpps.dll\", \"wmpshell.dll\", \"wmsgapi.dll\", \"wmspdmod.dll\", \"wmspdmoe.dll\", \"wmvcore.dll\", \"wmvdecod.dll\", \"wmvdspa.dll\", \"wmvencod.dll\", \"wmvsdecd.dll\", \"wmvsencd.dll\", \"wmvxencd.dll\", \"woftasks.dll\", \"wofutil.dll\", \"wordbreakers.dll\", \"workfoldersgpext.dll\", \"workfoldersres.dll\", \"workfoldersshell.dll\", \"workfolderssvc.dll\", \"wosc.dll\", \"wow64.dll\", \"wow64cpu.dll\", \"wow64win.dll\", \"wpbcreds.dll\", \"wpc.dll\", \"wpcapi.dll\", \"wpcdesktopmonsvc.dll\", \"wpcproxystubs.dll\", \"wpcrefreshtask.dll\", \"wpcwebfilter.dll\", \"wpdbusenum.dll\", \"wpdshext.dll\", \"wpdshserviceobj.dll\", \"wpdsp.dll\", \"wpd_ci.dll\", 
\"wpnapps.dll\", \"wpnclient.dll\", \"wpncore.dll\", \"wpninprc.dll\", \"wpnprv.dll\", \"wpnservice.dll\", \"wpnsruprov.dll\", \"wpnuserservice.dll\", \"wpportinglibrary.dll\", \"wpprecorderum.dll\", \"wptaskscheduler.dll\", \"wpx.dll\", \"ws2help.dll\", \"ws2_32.dll\", \"wscapi.dll\", \"wscinterop.dll\", \"wscisvif.dll\", \"wsclient.dll\", \"wscproxystub.dll\", \"wscsvc.dll\", \"wsdapi.dll\", \"wsdchngr.dll\", \"wsdprintproxy.dll\", \"wsdproviderutil.dll\", \"wsdscanproxy.dll\", \"wsecedit.dll\", \"wsepno.dll\", \"wshbth.dll\", \"wshcon.dll\", \"wshelper.dll\", \"wshext.dll\", \"wshhyperv.dll\", \"wship6.dll\", \"wshqos.dll\", \"wshrm.dll\", \"wshtcpip.dll\", \"wshunix.dll\", \"wslapi.dll\", \"wsmagent.dll\", \"wsmauto.dll\", \"wsmplpxy.dll\", \"wsmres.dll\", \"wsmsvc.dll\", \"wsmwmipl.dll\", \"wsnmp32.dll\", \"wsock32.dll\", \"wsplib.dll\", \"wsp_fs.dll\", \"wsp_health.dll\", \"wsp_sr.dll\", \"wtsapi32.dll\", \"wuapi.dll\", \"wuaueng.dll\", \"wuceffects.dll\", \"wudfcoinstaller.dll\", \"wudfplatform.dll\", \"wudfsmcclassext.dll\", \"wudfx.dll\", \"wudfx02000.dll\", \"wudriver.dll\", \"wups.dll\", \"wups2.dll\", \"wuuhext.dll\", \"wuuhosdeployment.dll\", \"wvc.dll\", \"wwaapi.dll\", \"wwaext.dll\", \"wwanapi.dll\", \"wwancfg.dll\", \"wwanhc.dll\", \"wwanprotdim.dll\", \"wwanradiomanager.dll\", \"wwansvc.dll\", \"wwapi.dll\", \"xamltilerender.dll\", \"xaudio2_8.dll\", \"xaudio2_9.dll\", \"xblauthmanager.dll\", \"xblgamesave.dll\", \"xblgamesaveext.dll\", \"xblgamesaveproxy.dll\", \"xboxgipsvc.dll\", \"xboxgipsynthetic.dll\", \"xboxnetapisvc.dll\", \"xinput1_4.dll\", \"xinput9_1_0.dll\", \"xinputuap.dll\", \"xmlfilter.dll\", \"xmllite.dll\", \"xmlprovi.dll\", \"xolehlp.dll\", \"xpsgdiconverter.dll\", \"xpsprint.dll\", \"xpspushlayer.dll\", \"xpsrasterservice.dll\", \"xpsservices.dll\", \"xwizards.dll\", \"xwreg.dll\", \"xwtpdui.dll\", \"xwtpw32.dll\", \"zipcontainer.dll\", \"zipfldr.dll\", \"bootsvc.dll\", \"halextintcpsedma.dll\", \"icsvcvss.dll\", 
\"ieproxydesktop.dll\", \"lsaadt.dll\", \"nlansp_c.dll\", \"nrtapi.dll\", \"opencl.dll\", \"pfclient.dll\", \"pnpdiag.dll\", \"prxyqry.dll\", \"rdpnanotransport.dll\", \"servicingcommon.dll\", \"sortwindows63.dll\", \"sstpcfg.dll\", \"tdhres.dll\", \"umpodev.dll\", \"utcapi.dll\", \"windlp.dll\", \"wow64base.dll\", \"wow64con.dll\", \"blbuires.dll\", \"bpainst.dll\", \"cbclient.dll\", \"certadm.dll\", \"certocm.dll\", \"certpick.dll\", \"csdeployres.dll\", \"dsdeployres.dll\", \"eapa3hst.dll\", \"eapacfg.dll\", \"eapahost.dll\", \"elsext.dll\", \"encdump.dll\", \"escmigplugin.dll\", \"fsclient.dll\", \"fsdeployres.dll\", \"fssminst.dll\", \"fssmres.dll\", \"fssprov.dll\", \"ipamapi.dll\", \"kpssvc.dll\", \"lbfoadminlib.dll\", \"mintdh.dll\", \"mmci.dll\", \"mmcico.dll\", \"mprsnap.dll\", \"mstsmhst.dll\", \"mstsmmc.dll\", \"muxinst.dll\", \"personax.dll\", \"rassfm.dll\", \"rasuser.dll\", \"rdmsinst.dll\", \"rdmsres.dll\", \"rtrfiltr.dll\", \"sacsvr.dll\", \"scrdenrl.dll\", \"sdclient.dll\", \"sharedstartmodel.dll\", \"smsrouter.dll\", \"spwizimg_svr.dll\", \"sqlcecompact40.dll\", \"sqlceoledb40.dll\", \"sqlceqp40.dll\", \"sqlcese40.dll\", \"srvmgrinst.dll\", \"svrmgrnc.dll\", \"tapisnap.dll\", \"tlsbrand.dll\", \"tsec.dll\", \"tsprop.dll\", \"tspubiconhelper.dll\", \"tssdjet.dll\", \"tsuserex.dll\", \"ualapi.dll\", \"ualsvc.dll\", \"umcres.dll\", \"updatehandlers.dll\", \"usocore.dll\", \"vssui.dll\", \"wsbappres.dll\", \"wsbonline.dll\", \"wsmselpl.dll\", \"wsmselrr.dll\", \"xpsfilt.dll\", \"xpsshhdr.dll\"\n ) and\n not (\n (\n dll.name : \"icuuc.dll\" and dll.code_signature.subject_name in (\n \"Valve\", \"Valve Corp.\", \"Avanquest Software (7270356 Canada Inc)\", \"Adobe Inc.\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : (\"timeSync.dll\", \"appInfo.dll\") and dll.code_signature.subject_name in (\n \"VMware Inc.\", \"VMware, Inc.\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : \"libcrypto.dll\" and 
dll.code_signature.subject_name in (\n \"NoMachine S.a.r.l.\", \"Oculus VR, LLC\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : \"ucrtbase.dll\" and dll.code_signature.subject_name in (\n \"Proofpoint, Inc.\", \"Rapid7 LLC\", \"Eclipse.org Foundation, Inc.\", \"Amazon.com Services LLC\", \"Windows Phone\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : (\"libcrypto.dll\", \"wmi.dll\", \"geolocation.dll\", \"kerberos.dll\") and\n dll.code_signature.subject_name == \"Bitdefender SRL\" and dll.code_signature.trusted == true\n ) or\n (dll.name : \"ICMP.dll\" and dll.code_signature.subject_name == \"Paessler AG\" and dll.code_signature.trusted == true) or\n (dll.name : \"dbghelp.dll\" and dll.code_signature.trusted == true) or\n (dll.name : \"DirectML.dll\" and dll.code_signature.subject_name == \"Adobe Inc.\" and dll.code_signature.trusted == true) or\n (dll.name : \"icsvc.dll\" and dll.code_signature.subject_name in (\"Dell Inc\", \"Dell Technologies Inc.\") and dll.code_signature.trusted == true) or\n (dll.name : \"offreg.dll\" and dll.code_signature.subject_name == \"Malwarebytes Inc.\" and dll.code_signature.trusted == true) or\n (dll.name : \"AppMgr.dll\" and dll.code_signature.subject_name == \"Autodesk, Inc\" and dll.code_signature.trusted == true) or\n (dll.name : (\"SsShim.dll\", \"Msi.dll\", \"wdscore.dll\") and process.name : \"DismHost.exe\" and dll.path : \"C:\\\\Windows\\\\Temp\\\\*\") or\n (\n dll.path : (\n \"?:\\\\Windows\\\\SystemApps\\\\*\\\\dxgi.dll\",\n \"?:\\\\Windows\\\\SystemApps\\\\*\\\\wincorlib.dll\",\n \"?:\\\\Windows\\\\dxgi.dll\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\LINE\\\\bin\\\\current\\\\dbghelp.dll\"\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "dll.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": 
"dll.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "dll.path", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fb01d790-9f74-4e76-97dd-b4b0f7bf6435", "severity": "low", "tags": ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}, {"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}, {"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Host Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "fb01d790-9f74-4e76-97dd-b4b0f7bf6435", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_1.json b/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_1.json
deleted file mode 100644
index 3beb1fb6be1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies suspicious instances of default system32 DLLs either unsigned or signed with non-MS certificates. This can potentially indicate the attempt to masquerade as system DLLs, perform DLL Search Order Hijacking or backdoor and resign legitimate DLLs.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as System32 DLL", "query": "library where event.action == \"load\" and\n not (\n dll.path : (\n \"?:\\\\Windows\\\\System32\\\\*\",\n \"?:\\\\Windows\\\\SysWOW64\\\\*\",\n \"?:\\\\Windows\\\\SystemTemp\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\System32\\\\*\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\",\n \"?:\\\\Windows\\\\assembly\\\\NativeImages_v*\"\n )\n ) and\n not (\n dll.code_signature.subject_name in (\n \"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Hardware Abstraction Layer Publisher\",\n \"Microsoft Windows Publisher\",\n \"Microsoft Windows 3rd party Component\",\n \"Microsoft 3rd Party Application Component\"\n ) and dll.code_signature.trusted == true\n ) and not dll.code_signature.status : (\"errorCode_endpoint*\", \"errorUntrustedRoot\", \"errorChaining\") and\n dll.name : (\n \"aadauthhelper.dll\", \"aadcloudap.dll\", \"aadjcsp.dll\", \"aadtb.dll\", \"aadwamextension.dll\", \"aarsvc.dll\", \"abovelockapphost.dll\", \"accessibilitycpl.dll\", \"accountaccessor.dll\", \"accountsrt.dll\", \"acgenral.dll\", \"aclayers.dll\", \"acledit.dll\", \"aclui.dll\", \"acmigration.dll\", \"acppage.dll\", \"acproxy.dll\", \"acspecfc.dll\", \"actioncenter.dll\", \"actioncentercpl.dll\", \"actionqueue.dll\", \"activationclient.dll\", \"activeds.dll\", \"activesynccsp.dll\", \"actxprxy.dll\", \"acwinrt.dll\", 
\"acxtrnal.dll\", \"adaptivecards.dll\", \"addressparser.dll\", \"adhapi.dll\", \"adhsvc.dll\", \"admtmpl.dll\", \"adprovider.dll\", \"adrclient.dll\", \"adsldp.dll\", \"adsldpc.dll\", \"adsmsext.dll\", \"adsnt.dll\", \"adtschema.dll\", \"advancedemojids.dll\", \"advapi32.dll\", \"advapi32res.dll\", \"advpack.dll\", \"aeevts.dll\", \"aeinv.dll\", \"aepic.dll\", \"ajrouter.dll\", \"altspace.dll\", \"amsi.dll\", \"amsiproxy.dll\", \"amstream.dll\", \"apds.dll\", \"aphostclient.dll\", \"aphostres.dll\", \"aphostservice.dll\", \"apisampling.dll\", \"apisetschema.dll\", \"apmon.dll\", \"apmonui.dll\", \"appcontracts.dll\", \"appextension.dll\", \"apphelp.dll\", \"apphlpdm.dll\", \"appidapi.dll\", \"appidsvc.dll\", \"appinfo.dll\", \"appinfoext.dll\", \"applicationframe.dll\", \"applockercsp.dll\", \"appmgmts.dll\", \"appmgr.dll\", \"appmon.dll\", \"appointmentapis.dll\", \"appraiser.dll\", \"appreadiness.dll\", \"apprepapi.dll\", \"appresolver.dll\", \"appsruprov.dll\", \"appvcatalog.dll\", \"appvclientps.dll\", \"appvetwclientres.dll\", \"appvintegration.dll\", \"appvmanifest.dll\", \"appvpolicy.dll\", \"appvpublishing.dll\", \"appvreporting.dll\", \"appvscripting.dll\", \"appvsentinel.dll\", \"appvstreamingux.dll\", \"appvstreammap.dll\", \"appvterminator.dll\", \"appxalluserstore.dll\", \"appxpackaging.dll\", \"appxsip.dll\", \"appxsysprep.dll\", \"archiveint.dll\", \"asferror.dll\", \"aspnet_counters.dll\", \"asycfilt.dll\", \"atl.dll\", \"atlthunk.dll\", \"atmlib.dll\", \"audioeng.dll\", \"audiohandlers.dll\", \"audiokse.dll\", \"audioses.dll\", \"audiosrv.dll\", \"auditcse.dll\", \"auditpolcore.dll\", \"auditpolmsg.dll\", \"authbroker.dll\", \"authbrokerui.dll\", \"authentication.dll\", \"authext.dll\", \"authfwcfg.dll\", \"authfwgp.dll\", \"authfwsnapin.dll\", \"authfwwizfwk.dll\", \"authhostproxy.dll\", \"authui.dll\", \"authz.dll\", \"autopilot.dll\", \"autopilotdiag.dll\", \"autoplay.dll\", \"autotimesvc.dll\", \"avicap32.dll\", \"avifil32.dll\", \"avrt.dll\", 
\"axinstsv.dll\", \"azroles.dll\", \"azroleui.dll\", \"azsqlext.dll\", \"basecsp.dll\", \"basesrv.dll\", \"batmeter.dll\", \"bcastdvrbroker.dll\", \"bcastdvrclient.dll\", \"bcastdvrcommon.dll\", \"bcd.dll\", \"bcdprov.dll\", \"bcdsrv.dll\", \"bcp47langs.dll\", \"bcp47mrm.dll\", \"bcrypt.dll\", \"bcryptprimitives.dll\", \"bdehdcfglib.dll\", \"bderepair.dll\", \"bdesvc.dll\", \"bdesysprep.dll\", \"bdeui.dll\", \"bfe.dll\", \"bi.dll\", \"bidispl.dll\", \"bindfltapi.dll\", \"bingasds.dll\", \"bingfilterds.dll\", \"bingmaps.dll\", \"biocredprov.dll\", \"bisrv.dll\", \"bitlockercsp.dll\", \"bitsigd.dll\", \"bitsperf.dll\", \"bitsproxy.dll\", \"biwinrt.dll\", \"blbevents.dll\", \"blbres.dll\", \"blb_ps.dll\", \"bluetoothapis.dll\", \"bnmanager.dll\", \"bootmenuux.dll\", \"bootstr.dll\", \"bootux.dll\", \"bootvid.dll\", \"bridgeres.dll\", \"brokerlib.dll\", \"browcli.dll\", \"browserbroker.dll\", \"browseui.dll\", \"btagservice.dll\", \"bthavctpsvc.dll\", \"bthavrcp.dll\", \"bthavrcpappsvc.dll\", \"bthci.dll\", \"bthpanapi.dll\", \"bthradiomedia.dll\", \"bthserv.dll\", \"bthtelemetry.dll\", \"btpanui.dll\", \"bwcontexthandler.dll\", \"cabapi.dll\", \"cabinet.dll\", \"cabview.dll\", \"callbuttons.dll\", \"cameracaptureui.dll\", \"capauthz.dll\", \"capiprovider.dll\", \"capisp.dll\", \"captureservice.dll\", \"castingshellext.dll\", \"castlaunch.dll\", \"catsrv.dll\", \"catsrvps.dll\", \"catsrvut.dll\", \"cbdhsvc.dll\", \"cca.dll\", \"cdd.dll\", \"cdosys.dll\", \"cdp.dll\", \"cdprt.dll\", \"cdpsvc.dll\", \"cdpusersvc.dll\", \"cemapi.dll\", \"certca.dll\", \"certcli.dll\", \"certcredprovider.dll\", \"certenc.dll\", \"certenroll.dll\", \"certenrollui.dll\", \"certmgr.dll\", \"certpkicmdlet.dll\", \"certpoleng.dll\", \"certprop.dll\", \"cewmdm.dll\", \"cfgbkend.dll\", \"cfgmgr32.dll\", \"cfgspcellular.dll\", \"cfgsppolicy.dll\", \"cflapi.dll\", \"cfmifs.dll\", \"cfmifsproxy.dll\", \"chakra.dll\", \"chakradiag.dll\", \"chakrathunk.dll\", \"chartv.dll\", \"chatapis.dll\", 
\"chkwudrv.dll\", \"chsstrokeds.dll\", \"chtbopomofods.dll\", \"chtcangjieds.dll\", \"chthkstrokeds.dll\", \"chtquickds.dll\", \"chxapds.dll\", \"chxdecoder.dll\", \"chxhapds.dll\", \"chxinputrouter.dll\", \"chxranker.dll\", \"ci.dll\", \"cic.dll\", \"cimfs.dll\", \"circoinst.dll\", \"ciwmi.dll\", \"clb.dll\", \"clbcatq.dll\", \"cldapi.dll\", \"cleanpccsp.dll\", \"clfsw32.dll\", \"cliconfg.dll\", \"clipboardserver.dll\", \"clipc.dll\", \"clipsvc.dll\", \"clipwinrt.dll\", \"cloudap.dll\", \"cloudidsvc.dll\", \"clrhost.dll\", \"clusapi.dll\", \"cmcfg32.dll\", \"cmdext.dll\", \"cmdial32.dll\", \"cmgrcspps.dll\", \"cmifw.dll\", \"cmintegrator.dll\", \"cmlua.dll\", \"cmpbk32.dll\", \"cmstplua.dll\", \"cmutil.dll\", \"cngcredui.dll\", \"cngprovider.dll\", \"cnvfat.dll\", \"cofiredm.dll\", \"colbact.dll\", \"colorcnv.dll\", \"colorui.dll\", \"combase.dll\", \"comcat.dll\", \"comctl32.dll\", \"comdlg32.dll\", \"coml2.dll\", \"comppkgsup.dll\", \"compstui.dll\", \"computecore.dll\", \"computenetwork.dll\", \"computestorage.dll\", \"comrepl.dll\", \"comres.dll\", \"comsnap.dll\", \"comsvcs.dll\", \"comuid.dll\", \"configmanager2.dll\", \"conhostv1.dll\", \"connect.dll\", \"consentux.dll\", \"consentuxclient.dll\", \"console.dll\", \"consolelogon.dll\", \"contactapis.dll\", \"container.dll\", \"coredpus.dll\", \"coreglobconfig.dll\", \"coremas.dll\", \"coremessaging.dll\", \"coremmres.dll\", \"coreshell.dll\", \"coreshellapi.dll\", \"coreuicomponents.dll\", \"correngine.dll\", \"courtesyengine.dll\", \"cpfilters.dll\", \"creddialogbroker.dll\", \"credprovhelper.dll\", \"credprovhost.dll\", \"credprovs.dll\", \"credprovslegacy.dll\", \"credssp.dll\", \"credui.dll\", \"crypt32.dll\", \"cryptbase.dll\", \"cryptcatsvc.dll\", \"cryptdlg.dll\", \"cryptdll.dll\", \"cryptext.dll\", \"cryptnet.dll\", \"cryptngc.dll\", \"cryptowinrt.dll\", \"cryptsp.dll\", \"cryptsvc.dll\", \"crypttpmeksvc.dll\", \"cryptui.dll\", \"cryptuiwizard.dll\", \"cryptxml.dll\", \"cscapi.dll\", \"cscdll.dll\", 
\"cscmig.dll\", \"cscobj.dll\", \"cscsvc.dll\", \"cscui.dll\", \"csplte.dll\", \"cspproxy.dll\", \"csrsrv.dll\", \"cxcredprov.dll\", \"c_g18030.dll\", \"c_gsm7.dll\", \"c_is2022.dll\", \"c_iscii.dll\", \"d2d1.dll\", \"d3d10.dll\", \"d3d10core.dll\", \"d3d10level9.dll\", \"d3d10warp.dll\", \"d3d10_1.dll\", \"d3d10_1core.dll\", \"d3d11.dll\", \"d3d11on12.dll\", \"d3d12.dll\", \"d3d12core.dll\", \"d3d8thk.dll\", \"d3d9.dll\", \"d3d9on12.dll\", \"d3dscache.dll\", \"dab.dll\", \"dabapi.dll\", \"daconn.dll\", \"dafbth.dll\", \"dafdnssd.dll\", \"dafescl.dll\", \"dafgip.dll\", \"dafiot.dll\", \"dafipp.dll\", \"dafmcp.dll\", \"dafpos.dll\", \"dafprintprovider.dll\", \"dafupnp.dll\", \"dafwcn.dll\", \"dafwfdprovider.dll\", \"dafwiprov.dll\", \"dafwsd.dll\", \"damediamanager.dll\", \"damm.dll\", \"das.dll\", \"dataclen.dll\", \"datusage.dll\", \"davclnt.dll\", \"davhlpr.dll\", \"davsyncprovider.dll\", \"daxexec.dll\", \"dbgcore.dll\", \"dbgeng.dll\", \"dbghelp.dll\", \"dbgmodel.dll\", \"dbnetlib.dll\", \"dbnmpntw.dll\", \"dciman32.dll\", \"dcntel.dll\", \"dcomp.dll\", \"ddaclsys.dll\", \"ddcclaimsapi.dll\", \"ddds.dll\", \"ddisplay.dll\", \"ddoiproxy.dll\", \"ddores.dll\", \"ddpchunk.dll\", \"ddptrace.dll\", \"ddputils.dll\", \"ddp_ps.dll\", \"ddraw.dll\", \"ddrawex.dll\", \"defragproxy.dll\", \"defragres.dll\", \"defragsvc.dll\", \"deploymentcsps.dll\", \"deskadp.dll\", \"deskmon.dll\", \"desktopshellext.dll\", \"devenum.dll\", \"deviceaccess.dll\", \"devicecenter.dll\", \"devicecredential.dll\", \"devicepairing.dll\", \"deviceuxres.dll\", \"devinv.dll\", \"devmgr.dll\", \"devobj.dll\", \"devpropmgr.dll\", \"devquerybroker.dll\", \"devrtl.dll\", \"dfdts.dll\", \"dfscli.dll\", \"dfshim.dll\", \"dfsshlex.dll\", \"dggpext.dll\", \"dhcpcmonitor.dll\", \"dhcpcore.dll\", \"dhcpcore6.dll\", \"dhcpcsvc.dll\", \"dhcpcsvc6.dll\", \"dhcpsapi.dll\", \"diagcpl.dll\", \"diagnosticlogcsp.dll\", \"diagperf.dll\", \"diagsvc.dll\", \"diagtrack.dll\", \"dialclient.dll\", \"dialserver.dll\", 
\"dictationmanager.dll\", \"difxapi.dll\", \"dimsjob.dll\", \"dimsroam.dll\", \"dinput.dll\", \"dinput8.dll\", \"direct2ddesktop.dll\", \"directml.dll\", \"discan.dll\", \"dismapi.dll\", \"dispbroker.dll\", \"dispex.dll\", \"display.dll\", \"displaymanager.dll\", \"dlnashext.dll\", \"dmappsres.dll\", \"dmcfgutils.dll\", \"dmcmnutils.dll\", \"dmcsps.dll\", \"dmdlgs.dll\", \"dmdskmgr.dll\", \"dmdskres.dll\", \"dmdskres2.dll\", \"dmenrollengine.dll\", \"dmintf.dll\", \"dmiso8601utils.dll\", \"dmloader.dll\", \"dmocx.dll\", \"dmoleaututils.dll\", \"dmpushproxy.dll\", \"dmpushroutercore.dll\", \"dmrcdecoder.dll\", \"dmrserver.dll\", \"dmsynth.dll\", \"dmusic.dll\", \"dmutil.dll\", \"dmvdsitf.dll\", \"dmwappushsvc.dll\", \"dmwmicsp.dll\", \"dmxmlhelputils.dll\", \"dnsapi.dll\", \"dnscmmc.dll\", \"dnsext.dll\", \"dnshc.dll\", \"dnsrslvr.dll\", \"docprop.dll\", \"dolbydecmft.dll\", \"domgmt.dll\", \"dosettings.dll\", \"dosvc.dll\", \"dot3api.dll\", \"dot3cfg.dll\", \"dot3conn.dll\", \"dot3dlg.dll\", \"dot3gpclnt.dll\", \"dot3gpui.dll\", \"dot3hc.dll\", \"dot3mm.dll\", \"dot3msm.dll\", \"dot3svc.dll\", \"dot3ui.dll\", \"dpapi.dll\", \"dpapiprovider.dll\", \"dpapisrv.dll\", \"dpnaddr.dll\", \"dpnathlp.dll\", \"dpnet.dll\", \"dpnhpast.dll\", \"dpnhupnp.dll\", \"dpnlobby.dll\", \"dps.dll\", \"dpx.dll\", \"drprov.dll\", \"drt.dll\", \"drtprov.dll\", \"drttransport.dll\", \"drvsetup.dll\", \"drvstore.dll\", \"dsauth.dll\", \"dsccore.dll\", \"dsccoreconfprov.dll\", \"dsclient.dll\", \"dscproxy.dll\", \"dsctimer.dll\", \"dsdmo.dll\", \"dskquota.dll\", \"dskquoui.dll\", \"dsound.dll\", \"dsparse.dll\", \"dsprop.dll\", \"dsquery.dll\", \"dsreg.dll\", \"dsregtask.dll\", \"dsrole.dll\", \"dssec.dll\", \"dssenh.dll\", \"dssvc.dll\", \"dsui.dll\", \"dsuiext.dll\", \"dswave.dll\", \"dtsh.dll\", \"ducsps.dll\", \"dui70.dll\", \"duser.dll\", \"dusmapi.dll\", \"dusmsvc.dll\", \"dwmapi.dll\", \"dwmcore.dll\", \"dwmghost.dll\", \"dwminit.dll\", \"dwmredir.dll\", \"dwmscene.dll\", 
\"dwrite.dll\", \"dxcore.dll\", \"dxdiagn.dll\", \"dxgi.dll\", \"dxgwdi.dll\", \"dxilconv.dll\", \"dxmasf.dll\", \"dxp.dll\", \"dxpps.dll\", \"dxptasksync.dll\", \"dxtmsft.dll\", \"dxtrans.dll\", \"dxva2.dll\", \"dynamoapi.dll\", \"eapp3hst.dll\", \"eappcfg.dll\", \"eappcfgui.dll\", \"eappgnui.dll\", \"eapphost.dll\", \"eappprxy.dll\", \"eapprovp.dll\", \"eapputil.dll\", \"eapsimextdesktop.dll\", \"eapsvc.dll\", \"eapteapauth.dll\", \"eapteapconfig.dll\", \"eapteapext.dll\", \"easconsent.dll\", \"easwrt.dll\", \"edgeangle.dll\", \"edgecontent.dll\", \"edgehtml.dll\", \"edgeiso.dll\", \"edgemanager.dll\", \"edpauditapi.dll\", \"edpcsp.dll\", \"edptask.dll\", \"edputil.dll\", \"eeprov.dll\", \"eeutil.dll\", \"efsadu.dll\", \"efscore.dll\", \"efsext.dll\", \"efslsaext.dll\", \"efssvc.dll\", \"efsutil.dll\", \"efswrt.dll\", \"ehstorapi.dll\", \"ehstorpwdmgr.dll\", \"ehstorshell.dll\", \"els.dll\", \"elscore.dll\", \"elshyph.dll\", \"elslad.dll\", \"elstrans.dll\", \"emailapis.dll\", \"embeddedmodesvc.dll\", \"emojids.dll\", \"encapi.dll\", \"energy.dll\", \"energyprov.dll\", \"energytask.dll\", \"enrollmentapi.dll\", \"enterpriseapncsp.dll\", \"enterprisecsps.dll\", \"enterpriseetw.dll\", \"eqossnap.dll\", \"errordetails.dll\", \"errordetailscore.dll\", \"es.dll\", \"esclprotocol.dll\", \"esclscan.dll\", \"esclwiadriver.dll\", \"esdsip.dll\", \"esent.dll\", \"esentprf.dll\", \"esevss.dll\", \"eshims.dll\", \"etwrundown.dll\", \"euiccscsp.dll\", \"eventaggregation.dll\", \"eventcls.dll\", \"evr.dll\", \"execmodelclient.dll\", \"execmodelproxy.dll\", \"explorerframe.dll\", \"exsmime.dll\", \"extrasxmlparser.dll\", \"f3ahvoas.dll\", \"facilitator.dll\", \"familysafetyext.dll\", \"faultrep.dll\", \"fcon.dll\", \"fdbth.dll\", \"fdbthproxy.dll\", \"fddevquery.dll\", \"fde.dll\", \"fdeploy.dll\", \"fdphost.dll\", \"fdpnp.dll\", \"fdprint.dll\", \"fdproxy.dll\", \"fdrespub.dll\", \"fdssdp.dll\", \"fdwcn.dll\", \"fdwnet.dll\", \"fdwsd.dll\", \"feclient.dll\", \"ffbroker.dll\", 
\"fhcat.dll\", \"fhcfg.dll\", \"fhcleanup.dll\", \"fhcpl.dll\", \"fhengine.dll\", \"fhevents.dll\", \"fhshl.dll\", \"fhsrchapi.dll\", \"fhsrchph.dll\", \"fhsvc.dll\", \"fhsvcctl.dll\", \"fhtask.dll\", \"fhuxadapter.dll\", \"fhuxapi.dll\", \"fhuxcommon.dll\", \"fhuxgraphics.dll\", \"fhuxpresentation.dll\", \"fidocredprov.dll\", \"filemgmt.dll\", \"filterds.dll\", \"findnetprinters.dll\", \"firewallapi.dll\", \"flightsettings.dll\", \"fltlib.dll\", \"fluencyds.dll\", \"fmapi.dll\", \"fmifs.dll\", \"fms.dll\", \"fntcache.dll\", \"fontext.dll\", \"fontprovider.dll\", \"fontsub.dll\", \"fphc.dll\", \"framedyn.dll\", \"framedynos.dll\", \"frameserver.dll\", \"frprov.dll\", \"fsutilext.dll\", \"fthsvc.dll\", \"fundisc.dll\", \"fveapi.dll\", \"fveapibase.dll\", \"fvecerts.dll\", \"fvecpl.dll\", \"fveskybackup.dll\", \"fveui.dll\", \"fvewiz.dll\", \"fwbase.dll\", \"fwcfg.dll\", \"fwmdmcsp.dll\", \"fwpolicyiomgr.dll\", \"fwpuclnt.dll\", \"fwremotesvr.dll\", \"gameinput.dll\", \"gamemode.dll\", \"gamestreamingext.dll\", \"gameux.dll\", \"gamingtcui.dll\", \"gcdef.dll\", \"gdi32.dll\", \"gdi32full.dll\", \"gdiplus.dll\", \"generaltel.dll\", \"geocommon.dll\", \"geolocation.dll\", \"getuname.dll\", \"glmf32.dll\", \"globinputhost.dll\", \"glu32.dll\", \"gmsaclient.dll\", \"gpapi.dll\", \"gpcsewrappercsp.dll\", \"gpedit.dll\", \"gpprefcl.dll\", \"gpprnext.dll\", \"gpscript.dll\", \"gpsvc.dll\", \"gptext.dll\", \"graphicscapture.dll\", \"graphicsperfsvc.dll\", \"groupinghc.dll\", \"hal.dll\", \"halextpl080.dll\", \"hascsp.dll\", \"hashtagds.dll\", \"hbaapi.dll\", \"hcproviders.dll\", \"hdcphandler.dll\", \"heatcore.dll\", \"helppaneproxy.dll\", \"hgcpl.dll\", \"hhsetup.dll\", \"hid.dll\", \"hidcfu.dll\", \"hidserv.dll\", \"hlink.dll\", \"hmkd.dll\", \"hnetcfg.dll\", \"hnetcfgclient.dll\", \"hnetmon.dll\", \"hologramworld.dll\", \"holoshellruntime.dll\", \"holoshextensions.dll\", \"hotplug.dll\", \"hrtfapo.dll\", \"httpapi.dll\", \"httpprxc.dll\", \"httpprxm.dll\", 
\"httpprxp.dll\", \"httpsdatasource.dll\", \"htui.dll\", \"hvhostsvc.dll\", \"hvloader.dll\", \"hvsigpext.dll\", \"hvsocket.dll\", \"hydrogen.dll\", \"ia2comproxy.dll\", \"ias.dll\", \"iasacct.dll\", \"iasads.dll\", \"iasdatastore.dll\", \"iashlpr.dll\", \"iasmigplugin.dll\", \"iasnap.dll\", \"iaspolcy.dll\", \"iasrad.dll\", \"iasrecst.dll\", \"iassam.dll\", \"iassdo.dll\", \"iassvcs.dll\", \"icfupgd.dll\", \"icm32.dll\", \"icmp.dll\", \"icmui.dll\", \"iconcodecservice.dll\", \"icsigd.dll\", \"icsvc.dll\", \"icsvcext.dll\", \"icu.dll\", \"icuin.dll\", \"icuuc.dll\", \"idctrls.dll\", \"idlisten.dll\", \"idndl.dll\", \"idstore.dll\", \"ieadvpack.dll\", \"ieapfltr.dll\", \"iedkcs32.dll\", \"ieframe.dll\", \"iemigplugin.dll\", \"iepeers.dll\", \"ieproxy.dll\", \"iernonce.dll\", \"iertutil.dll\", \"iesetup.dll\", \"iesysprep.dll\", \"ieui.dll\", \"ifmon.dll\", \"ifsutil.dll\", \"ifsutilx.dll\", \"igddiag.dll\", \"ihds.dll\", \"ikeext.dll\", \"imagehlp.dll\", \"imageres.dll\", \"imagesp1.dll\", \"imapi.dll\", \"imapi2.dll\", \"imapi2fs.dll\", \"imgutil.dll\", \"imm32.dll\", \"implatsetup.dll\", \"indexeddblegacy.dll\", \"inetcomm.dll\", \"inetmib1.dll\", \"inetpp.dll\", \"inetppui.dll\", \"inetres.dll\", \"inked.dll\", \"inkobjcore.dll\", \"inproclogger.dll\", \"input.dll\", \"inputcloudstore.dll\", \"inputcontroller.dll\", \"inputhost.dll\", \"inputservice.dll\", \"inputswitch.dll\", \"inseng.dll\", \"installservice.dll\", \"internetmail.dll\", \"internetmailcsp.dll\", \"invagent.dll\", \"iologmsg.dll\", \"iphlpapi.dll\", \"iphlpsvc.dll\", \"ipnathlp.dll\", \"ipnathlpclient.dll\", \"ippcommon.dll\", \"ippcommonproxy.dll\", \"iprtprio.dll\", \"iprtrmgr.dll\", \"ipsecsnp.dll\", \"ipsecsvc.dll\", \"ipsmsnap.dll\", \"ipxlatcfg.dll\", \"iri.dll\", \"iscsicpl.dll\", \"iscsidsc.dll\", \"iscsied.dll\", \"iscsiexe.dll\", \"iscsilog.dll\", \"iscsium.dll\", \"iscsiwmi.dll\", \"iscsiwmiv2.dll\", \"ism.dll\", \"itircl.dll\", \"itss.dll\", \"iuilp.dll\", \"iumbase.dll\", 
\"iumcrypt.dll\", \"iumdll.dll\", \"iumsdk.dll\", \"iyuv_32.dll\", \"joinproviderol.dll\", \"joinutil.dll\", \"jpmapcontrol.dll\", \"jpndecoder.dll\", \"jpninputrouter.dll\", \"jpnranker.dll\", \"jpnserviceds.dll\", \"jscript.dll\", \"jscript9.dll\", \"jscript9diag.dll\", \"jsproxy.dll\", \"kbd101.dll\", \"kbd101a.dll\", \"kbd101b.dll\", \"kbd101c.dll\", \"kbd103.dll\", \"kbd106.dll\", \"kbd106n.dll\", \"kbda1.dll\", \"kbda2.dll\", \"kbda3.dll\", \"kbdadlm.dll\", \"kbdal.dll\", \"kbdarme.dll\", \"kbdarmph.dll\", \"kbdarmty.dll\", \"kbdarmw.dll\", \"kbdax2.dll\", \"kbdaze.dll\", \"kbdazel.dll\", \"kbdazst.dll\", \"kbdbash.dll\", \"kbdbe.dll\", \"kbdbene.dll\", \"kbdbgph.dll\", \"kbdbgph1.dll\", \"kbdbhc.dll\", \"kbdblr.dll\", \"kbdbr.dll\", \"kbdbu.dll\", \"kbdbug.dll\", \"kbdbulg.dll\", \"kbdca.dll\", \"kbdcan.dll\", \"kbdcher.dll\", \"kbdcherp.dll\", \"kbdcr.dll\", \"kbdcz.dll\", \"kbdcz1.dll\", \"kbdcz2.dll\", \"kbdda.dll\", \"kbddiv1.dll\", \"kbddiv2.dll\", \"kbddv.dll\", \"kbddzo.dll\", \"kbdes.dll\", \"kbdest.dll\", \"kbdfa.dll\", \"kbdfar.dll\", \"kbdfc.dll\", \"kbdfi.dll\", \"kbdfi1.dll\", \"kbdfo.dll\", \"kbdfr.dll\", \"kbdfthrk.dll\", \"kbdgae.dll\", \"kbdgeo.dll\", \"kbdgeoer.dll\", \"kbdgeome.dll\", \"kbdgeooa.dll\", \"kbdgeoqw.dll\", \"kbdgkl.dll\", \"kbdgn.dll\", \"kbdgr.dll\", \"kbdgr1.dll\", \"kbdgrlnd.dll\", \"kbdgthc.dll\", \"kbdhau.dll\", \"kbdhaw.dll\", \"kbdhe.dll\", \"kbdhe220.dll\", \"kbdhe319.dll\", \"kbdheb.dll\", \"kbdhebl3.dll\", \"kbdhela2.dll\", \"kbdhela3.dll\", \"kbdhept.dll\", \"kbdhu.dll\", \"kbdhu1.dll\", \"kbdibm02.dll\", \"kbdibo.dll\", \"kbdic.dll\", \"kbdinasa.dll\", \"kbdinbe1.dll\", \"kbdinbe2.dll\", \"kbdinben.dll\", \"kbdindev.dll\", \"kbdinen.dll\", \"kbdinguj.dll\", \"kbdinhin.dll\", \"kbdinkan.dll\", \"kbdinmal.dll\", \"kbdinmar.dll\", \"kbdinori.dll\", \"kbdinpun.dll\", \"kbdintam.dll\", \"kbdintel.dll\", \"kbdinuk2.dll\", \"kbdir.dll\", \"kbdit.dll\", \"kbdit142.dll\", \"kbdiulat.dll\", \"kbdjav.dll\", \"kbdjpn.dll\", 
\"kbdkaz.dll\", \"kbdkhmr.dll\", \"kbdkni.dll\", \"kbdkor.dll\", \"kbdkurd.dll\", \"kbdkyr.dll\", \"kbdla.dll\", \"kbdlao.dll\", \"kbdlisub.dll\", \"kbdlisus.dll\", \"kbdlk41a.dll\", \"kbdlt.dll\", \"kbdlt1.dll\", \"kbdlt2.dll\", \"kbdlv.dll\", \"kbdlv1.dll\", \"kbdlvst.dll\", \"kbdmac.dll\", \"kbdmacst.dll\", \"kbdmaori.dll\", \"kbdmlt47.dll\", \"kbdmlt48.dll\", \"kbdmon.dll\", \"kbdmonmo.dll\", \"kbdmonst.dll\", \"kbdmyan.dll\", \"kbdne.dll\", \"kbdnec.dll\", \"kbdnec95.dll\", \"kbdnecat.dll\", \"kbdnecnt.dll\", \"kbdnepr.dll\", \"kbdnko.dll\", \"kbdno.dll\", \"kbdno1.dll\", \"kbdnso.dll\", \"kbdntl.dll\", \"kbdogham.dll\", \"kbdolch.dll\", \"kbdoldit.dll\", \"kbdosa.dll\", \"kbdosm.dll\", \"kbdpash.dll\", \"kbdphags.dll\", \"kbdpl.dll\", \"kbdpl1.dll\", \"kbdpo.dll\", \"kbdro.dll\", \"kbdropr.dll\", \"kbdrost.dll\", \"kbdru.dll\", \"kbdru1.dll\", \"kbdrum.dll\", \"kbdsf.dll\", \"kbdsg.dll\", \"kbdsl.dll\", \"kbdsl1.dll\", \"kbdsmsfi.dll\", \"kbdsmsno.dll\", \"kbdsn1.dll\", \"kbdsora.dll\", \"kbdsorex.dll\", \"kbdsors1.dll\", \"kbdsorst.dll\", \"kbdsp.dll\", \"kbdsw.dll\", \"kbdsw09.dll\", \"kbdsyr1.dll\", \"kbdsyr2.dll\", \"kbdtaile.dll\", \"kbdtajik.dll\", \"kbdtam99.dll\", \"kbdtat.dll\", \"kbdth0.dll\", \"kbdth1.dll\", \"kbdth2.dll\", \"kbdth3.dll\", \"kbdtifi.dll\", \"kbdtifi2.dll\", \"kbdtiprc.dll\", \"kbdtiprd.dll\", \"kbdtt102.dll\", \"kbdtuf.dll\", \"kbdtuq.dll\", \"kbdturme.dll\", \"kbdtzm.dll\", \"kbdughr.dll\", \"kbdughr1.dll\", \"kbduk.dll\", \"kbdukx.dll\", \"kbdur.dll\", \"kbdur1.dll\", \"kbdurdu.dll\", \"kbdus.dll\", \"kbdusa.dll\", \"kbdusl.dll\", \"kbdusr.dll\", \"kbdusx.dll\", \"kbduzb.dll\", \"kbdvntc.dll\", \"kbdwol.dll\", \"kbdyak.dll\", \"kbdyba.dll\", \"kbdycc.dll\", \"kbdycl.dll\", \"kd.dll\", \"kdcom.dll\", \"kdcpw.dll\", \"kdhvcom.dll\", \"kdnet.dll\", \"kdnet_uart16550.dll\", \"kdscli.dll\", \"kdstub.dll\", \"kdusb.dll\", \"kd_02_10df.dll\", \"kd_02_10ec.dll\", \"kd_02_1137.dll\", \"kd_02_14e4.dll\", \"kd_02_15b3.dll\", 
\"kd_02_1969.dll\", \"kd_02_19a2.dll\", \"kd_02_1af4.dll\", \"kd_02_8086.dll\", \"kd_07_1415.dll\", \"kd_0c_8086.dll\", \"kerbclientshared.dll\", \"kerberos.dll\", \"kernel32.dll\", \"kernelbase.dll\", \"keycredmgr.dll\", \"keyiso.dll\", \"keymgr.dll\", \"knobscore.dll\", \"knobscsp.dll\", \"ksuser.dll\", \"ktmw32.dll\", \"l2gpstore.dll\", \"l2nacp.dll\", \"l2sechc.dll\", \"laprxy.dll\", \"legacynetux.dll\", \"lfsvc.dll\", \"libcrypto.dll\", \"licensemanager.dll\", \"licensingcsp.dll\", \"licensingdiagspp.dll\", \"licensingwinrt.dll\", \"licmgr10.dll\", \"linkinfo.dll\", \"lltdapi.dll\", \"lltdres.dll\", \"lltdsvc.dll\", \"lmhsvc.dll\", \"loadperf.dll\", \"localsec.dll\", \"localspl.dll\", \"localui.dll\", \"locationapi.dll\", \"lockappbroker.dll\", \"lockcontroller.dll\", \"lockscreendata.dll\", \"loghours.dll\", \"logoncli.dll\", \"logoncontroller.dll\", \"lpasvc.dll\", \"lpk.dll\", \"lsasrv.dll\", \"lscshostpolicy.dll\", \"lsm.dll\", \"lsmproxy.dll\", \"lstelemetry.dll\", \"luainstall.dll\", \"luiapi.dll\", \"lz32.dll\", \"magnification.dll\", \"maintenanceui.dll\", \"manageci.dll\", \"mapconfiguration.dll\", \"mapcontrolcore.dll\", \"mapgeocoder.dll\", \"mapi32.dll\", \"mapistub.dll\", \"maprouter.dll\", \"mapsbtsvc.dll\", \"mapsbtsvcproxy.dll\", \"mapscsp.dll\", \"mapsstore.dll\", \"mapstoasttask.dll\", \"mapsupdatetask.dll\", \"mbaeapi.dll\", \"mbaeapipublic.dll\", \"mbaexmlparser.dll\", \"mbmediamanager.dll\", \"mbsmsapi.dll\", \"mbussdapi.dll\", \"mccsengineshared.dll\", \"mccspal.dll\", \"mciavi32.dll\", \"mcicda.dll\", \"mciqtz32.dll\", \"mciseq.dll\", \"mciwave.dll\", \"mcrecvsrc.dll\", \"mdmcommon.dll\", \"mdmdiagnostics.dll\", \"mdminst.dll\", \"mdmmigrator.dll\", \"mdmregistration.dll\", \"memorydiagnostic.dll\", \"messagingservice.dll\", \"mf.dll\", \"mf3216.dll\", \"mfaacenc.dll\", \"mfasfsrcsnk.dll\", \"mfaudiocnv.dll\", \"mfc42.dll\", \"mfc42u.dll\", \"mfcaptureengine.dll\", \"mfcore.dll\", \"mfcsubs.dll\", \"mfds.dll\", \"mfdvdec.dll\", 
\"mferror.dll\", \"mfh263enc.dll\", \"mfh264enc.dll\", \"mfksproxy.dll\", \"mfmediaengine.dll\", \"mfmjpegdec.dll\", \"mfmkvsrcsnk.dll\", \"mfmp4srcsnk.dll\", \"mfmpeg2srcsnk.dll\", \"mfnetcore.dll\", \"mfnetsrc.dll\", \"mfperfhelper.dll\", \"mfplat.dll\", \"mfplay.dll\", \"mfps.dll\", \"mfreadwrite.dll\", \"mfsensorgroup.dll\", \"mfsrcsnk.dll\", \"mfsvr.dll\", \"mftranscode.dll\", \"mfvdsp.dll\", \"mfvfw.dll\", \"mfwmaaec.dll\", \"mgmtapi.dll\", \"mi.dll\", \"mibincodec.dll\", \"midimap.dll\", \"migisol.dll\", \"miguiresource.dll\", \"mimefilt.dll\", \"mimofcodec.dll\", \"minstoreevents.dll\", \"miracastinputmgr.dll\", \"miracastreceiver.dll\", \"mirrordrvcompat.dll\", \"mispace.dll\", \"mitigationclient.dll\", \"miutils.dll\", \"mlang.dll\", \"mmcbase.dll\", \"mmcndmgr.dll\", \"mmcshext.dll\", \"mmdevapi.dll\", \"mmgaclient.dll\", \"mmgaproxystub.dll\", \"mmres.dll\", \"mobilenetworking.dll\", \"modemui.dll\", \"modernexecserver.dll\", \"moricons.dll\", \"moshost.dll\", \"moshostclient.dll\", \"moshostcore.dll\", \"mosstorage.dll\", \"mp3dmod.dll\", \"mp43decd.dll\", \"mp4sdecd.dll\", \"mpeval.dll\", \"mpg4decd.dll\", \"mpr.dll\", \"mprapi.dll\", \"mprddm.dll\", \"mprdim.dll\", \"mprext.dll\", \"mprmsg.dll\", \"mpssvc.dll\", \"mpunits.dll\", \"mrmcorer.dll\", \"mrmdeploy.dll\", \"mrmindexer.dll\", \"mrt100.dll\", \"mrt_map.dll\", \"msaatext.dll\", \"msac3enc.dll\", \"msacm32.dll\", \"msafd.dll\", \"msajapi.dll\", \"msalacdecoder.dll\", \"msalacencoder.dll\", \"msamrnbdecoder.dll\", \"msamrnbencoder.dll\", \"msamrnbsink.dll\", \"msamrnbsource.dll\", \"msasn1.dll\", \"msauddecmft.dll\", \"msaudite.dll\", \"msauserext.dll\", \"mscandui.dll\", \"mscat32.dll\", \"msclmd.dll\", \"mscms.dll\", \"mscoree.dll\", \"mscorier.dll\", \"mscories.dll\", \"msctf.dll\", \"msctfmonitor.dll\", \"msctfp.dll\", \"msctfui.dll\", \"msctfuimanager.dll\", \"msdadiag.dll\", \"msdart.dll\", \"msdelta.dll\", \"msdmo.dll\", \"msdrm.dll\", \"msdtckrm.dll\", \"msdtclog.dll\", \"msdtcprx.dll\", 
\"msdtcspoffln.dll\", \"msdtctm.dll\", \"msdtcuiu.dll\", \"msdtcvsp1res.dll\", \"msfeeds.dll\", \"msfeedsbs.dll\", \"msflacdecoder.dll\", \"msflacencoder.dll\", \"msftedit.dll\", \"msheif.dll\", \"mshtml.dll\", \"mshtmldac.dll\", \"mshtmled.dll\", \"mshtmler.dll\", \"msi.dll\", \"msicofire.dll\", \"msidcrl40.dll\", \"msident.dll\", \"msidle.dll\", \"msidntld.dll\", \"msieftp.dll\", \"msihnd.dll\", \"msiltcfg.dll\", \"msimg32.dll\", \"msimsg.dll\", \"msimtf.dll\", \"msisip.dll\", \"msiso.dll\", \"msiwer.dll\", \"mskeyprotcli.dll\", \"mskeyprotect.dll\", \"msls31.dll\", \"msmpeg2adec.dll\", \"msmpeg2enc.dll\", \"msmpeg2vdec.dll\", \"msobjs.dll\", \"msoert2.dll\", \"msopusdecoder.dll\", \"mspatcha.dll\", \"mspatchc.dll\", \"msphotography.dll\", \"msports.dll\", \"msprivs.dll\", \"msrahc.dll\", \"msrating.dll\", \"msrawimage.dll\", \"msrdc.dll\", \"msrdpwebaccess.dll\", \"msrle32.dll\", \"msscntrs.dll\", \"mssecuser.dll\", \"mssign32.dll\", \"mssip32.dll\", \"mssitlb.dll\", \"mssph.dll\", \"mssprxy.dll\", \"mssrch.dll\", \"mssvp.dll\", \"mstask.dll\", \"mstextprediction.dll\", \"mstscax.dll\", \"msutb.dll\", \"msv1_0.dll\", \"msvcirt.dll\", \"msvcp110_win.dll\", \"msvcp120_clr0400.dll\", \"msvcp140_clr0400.dll\", \"msvcp60.dll\", \"msvcp_win.dll\", \"msvcr100_clr0400.dll\", \"msvcr120_clr0400.dll\", \"msvcrt.dll\", \"msvfw32.dll\", \"msvidc32.dll\", \"msvidctl.dll\", \"msvideodsp.dll\", \"msvp9dec.dll\", \"msvproc.dll\", \"msvpxenc.dll\", \"mswb7.dll\", \"mswebp.dll\", \"mswmdm.dll\", \"mswsock.dll\", \"msxml3.dll\", \"msxml3r.dll\", \"msxml6.dll\", \"msxml6r.dll\", \"msyuv.dll\", \"mtcmodel.dll\", \"mtf.dll\", \"mtfappserviceds.dll\", \"mtfdecoder.dll\", \"mtffuzzyds.dll\", \"mtfserver.dll\", \"mtfspellcheckds.dll\", \"mtxclu.dll\", \"mtxdm.dll\", \"mtxex.dll\", \"mtxoci.dll\", \"muifontsetup.dll\", \"mycomput.dll\", \"mydocs.dll\", \"napcrypt.dll\", \"napinsp.dll\", \"naturalauth.dll\", \"naturallanguage6.dll\", \"navshutdown.dll\", \"ncaapi.dll\", \"ncasvc.dll\", 
\"ncbservice.dll\", \"ncdautosetup.dll\", \"ncdprop.dll\", \"nci.dll\", \"ncobjapi.dll\", \"ncrypt.dll\", \"ncryptprov.dll\", \"ncryptsslp.dll\", \"ncsi.dll\", \"ncuprov.dll\", \"nddeapi.dll\", \"ndfapi.dll\", \"ndfetw.dll\", \"ndfhcdiscovery.dll\", \"ndishc.dll\", \"ndproxystub.dll\", \"nduprov.dll\", \"negoexts.dll\", \"netapi32.dll\", \"netbios.dll\", \"netcenter.dll\", \"netcfgx.dll\", \"netcorehc.dll\", \"netdiagfx.dll\", \"netdriverinstall.dll\", \"netevent.dll\", \"netfxperf.dll\", \"neth.dll\", \"netid.dll\", \"netiohlp.dll\", \"netjoin.dll\", \"netlogon.dll\", \"netman.dll\", \"netmsg.dll\", \"netplwiz.dll\", \"netprofm.dll\", \"netprofmsvc.dll\", \"netprovfw.dll\", \"netprovisionsp.dll\", \"netsetupapi.dll\", \"netsetupengine.dll\", \"netsetupshim.dll\", \"netsetupsvc.dll\", \"netshell.dll\", \"nettrace.dll\", \"netutils.dll\", \"networkexplorer.dll\", \"networkhelper.dll\", \"networkicon.dll\", \"networkproxycsp.dll\", \"networkstatus.dll\", \"networkuxbroker.dll\", \"newdev.dll\", \"nfcradiomedia.dll\", \"ngccredprov.dll\", \"ngcctnr.dll\", \"ngcctnrsvc.dll\", \"ngcisoctnr.dll\", \"ngckeyenum.dll\", \"ngcksp.dll\", \"ngclocal.dll\", \"ngcpopkeysrv.dll\", \"ngcprocsp.dll\", \"ngcrecovery.dll\", \"ngcsvc.dll\", \"ngctasks.dll\", \"ninput.dll\", \"nlaapi.dll\", \"nlahc.dll\", \"nlasvc.dll\", \"nlhtml.dll\", \"nlmgp.dll\", \"nlmproxy.dll\", \"nlmsprep.dll\", \"nlsbres.dll\", \"nlsdata0000.dll\", \"nlsdata0009.dll\", \"nlsdl.dll\", \"nlslexicons0009.dll\", \"nmadirect.dll\", \"normaliz.dll\", \"npmproxy.dll\", \"npsm.dll\", \"nrpsrv.dll\", \"nshhttp.dll\", \"nshipsec.dll\", \"nshwfp.dll\", \"nsi.dll\", \"nsisvc.dll\", \"ntasn1.dll\", \"ntdll.dll\", \"ntdsapi.dll\", \"ntlanman.dll\", \"ntlanui2.dll\", \"ntlmshared.dll\", \"ntmarta.dll\", \"ntprint.dll\", \"ntshrui.dll\", \"ntvdm64.dll\", \"objsel.dll\", \"occache.dll\", \"ocsetapi.dll\", \"odbc32.dll\", \"odbcbcp.dll\", \"odbcconf.dll\", \"odbccp32.dll\", \"odbccr32.dll\", \"odbccu32.dll\", \"odbcint.dll\", 
\"odbctrac.dll\", \"oemlicense.dll\", \"offfilt.dll\", \"officecsp.dll\", \"offlinelsa.dll\", \"offlinesam.dll\", \"offreg.dll\", \"ole32.dll\", \"oleacc.dll\", \"oleacchooks.dll\", \"oleaccrc.dll\", \"oleaut32.dll\", \"oledlg.dll\", \"oleprn.dll\", \"omadmagent.dll\", \"omadmapi.dll\", \"onebackuphandler.dll\", \"onex.dll\", \"onexui.dll\", \"opcservices.dll\", \"opengl32.dll\", \"ortcengine.dll\", \"osbaseln.dll\", \"osksupport.dll\", \"osuninst.dll\", \"p2p.dll\", \"p2pgraph.dll\", \"p2pnetsh.dll\", \"p2psvc.dll\", \"packager.dll\", \"panmap.dll\", \"pautoenr.dll\", \"pcacli.dll\", \"pcadm.dll\", \"pcaevts.dll\", \"pcasvc.dll\", \"pcaui.dll\", \"pcpksp.dll\", \"pcsvdevice.dll\", \"pcwum.dll\", \"pcwutl.dll\", \"pdh.dll\", \"pdhui.dll\", \"peerdist.dll\", \"peerdistad.dll\", \"peerdistcleaner.dll\", \"peerdistsh.dll\", \"peerdistsvc.dll\", \"peopleapis.dll\", \"peopleband.dll\", \"perceptiondevice.dll\", \"perfctrs.dll\", \"perfdisk.dll\", \"perfnet.dll\", \"perfos.dll\", \"perfproc.dll\", \"perfts.dll\", \"phoneom.dll\", \"phoneproviders.dll\", \"phoneservice.dll\", \"phoneserviceres.dll\", \"phoneutil.dll\", \"phoneutilres.dll\", \"photowiz.dll\", \"pickerplatform.dll\", \"pid.dll\", \"pidgenx.dll\", \"pifmgr.dll\", \"pimstore.dll\", \"pkeyhelper.dll\", \"pktmonapi.dll\", \"pku2u.dll\", \"pla.dll\", \"playlistfolder.dll\", \"playsndsrv.dll\", \"playtodevice.dll\", \"playtomanager.dll\", \"playtomenu.dll\", \"playtoreceiver.dll\", \"ploptin.dll\", \"pmcsnap.dll\", \"pngfilt.dll\", \"pnidui.dll\", \"pnpclean.dll\", \"pnppolicy.dll\", \"pnpts.dll\", \"pnpui.dll\", \"pnpxassoc.dll\", \"pnpxassocprx.dll\", \"pnrpauto.dll\", \"pnrphc.dll\", \"pnrpnsp.dll\", \"pnrpsvc.dll\", \"policymanager.dll\", \"polstore.dll\", \"posetup.dll\", \"posyncservices.dll\", \"pots.dll\", \"powercpl.dll\", \"powrprof.dll\", \"ppcsnap.dll\", \"prauthproviders.dll\", \"prflbmsg.dll\", \"printui.dll\", \"printwsdahost.dll\", \"prm0009.dll\", \"prncache.dll\", \"prnfldr.dll\", 
\"prnntfy.dll\", \"prntvpt.dll\", \"profapi.dll\", \"profext.dll\", \"profprov.dll\", \"profsvc.dll\", \"profsvcext.dll\", \"propsys.dll\", \"provcore.dll\", \"provdatastore.dll\", \"provdiagnostics.dll\", \"provengine.dll\", \"provhandlers.dll\", \"provisioningcsp.dll\", \"provmigrate.dll\", \"provops.dll\", \"provplugineng.dll\", \"provsysprep.dll\", \"provthrd.dll\", \"proximitycommon.dll\", \"proximityservice.dll\", \"prvdmofcomp.dll\", \"psapi.dll\", \"pshed.dll\", \"psisdecd.dll\", \"psmsrv.dll\", \"pstask.dll\", \"pstorec.dll\", \"ptpprov.dll\", \"puiapi.dll\", \"puiobj.dll\", \"pushtoinstall.dll\", \"pwlauncher.dll\", \"pwrshplugin.dll\", \"pwsso.dll\", \"qasf.dll\", \"qcap.dll\", \"qdv.dll\", \"qdvd.dll\", \"qedit.dll\", \"qedwipes.dll\", \"qmgr.dll\", \"query.dll\", \"quiethours.dll\", \"qwave.dll\", \"racengn.dll\", \"racpldlg.dll\", \"radardt.dll\", \"radarrs.dll\", \"radcui.dll\", \"rasadhlp.dll\", \"rasapi32.dll\", \"rasauto.dll\", \"raschap.dll\", \"raschapext.dll\", \"rasctrs.dll\", \"rascustom.dll\", \"rasdiag.dll\", \"rasdlg.dll\", \"rasgcw.dll\", \"rasman.dll\", \"rasmans.dll\", \"rasmbmgr.dll\", \"rasmediamanager.dll\", \"rasmm.dll\", \"rasmontr.dll\", \"rasplap.dll\", \"rasppp.dll\", \"rastapi.dll\", \"rastls.dll\", \"rastlsext.dll\", \"rdbui.dll\", \"rdpbase.dll\", \"rdpcfgex.dll\", \"rdpcore.dll\", \"rdpcorets.dll\", \"rdpencom.dll\", \"rdpendp.dll\", \"rdpnano.dll\", \"rdpsaps.dll\", \"rdpserverbase.dll\", \"rdpsharercom.dll\", \"rdpudd.dll\", \"rdpviewerax.dll\", \"rdsappxhelper.dll\", \"rdsdwmdr.dll\", \"rdvvmtransport.dll\", \"rdxservice.dll\", \"rdxtaskfactory.dll\", \"reagent.dll\", \"reagenttask.dll\", \"recovery.dll\", \"regapi.dll\", \"regctrl.dll\", \"regidle.dll\", \"regsvc.dll\", \"reguwpapi.dll\", \"reinfo.dll\", \"remotepg.dll\", \"remotewipecsp.dll\", \"reportingcsp.dll\", \"resampledmo.dll\", \"resbparser.dll\", \"reseteng.dll\", \"resetengine.dll\", \"resetengonline.dll\", \"resourcemapper.dll\", \"resutils.dll\", 
\"rgb9rast.dll\", \"riched20.dll\", \"riched32.dll\", \"rjvmdmconfig.dll\", \"rmapi.dll\", \"rmclient.dll\", \"rnr20.dll\", \"roamingsecurity.dll\", \"rometadata.dll\", \"rotmgr.dll\", \"rpcepmap.dll\", \"rpchttp.dll\", \"rpcns4.dll\", \"rpcnsh.dll\", \"rpcrt4.dll\", \"rpcrtremote.dll\", \"rpcss.dll\", \"rsaenh.dll\", \"rshx32.dll\", \"rstrtmgr.dll\", \"rtffilt.dll\", \"rtm.dll\", \"rtmediaframe.dll\", \"rtmmvrortc.dll\", \"rtutils.dll\", \"rtworkq.dll\", \"rulebasedds.dll\", \"samcli.dll\", \"samlib.dll\", \"samsrv.dll\", \"sas.dll\", \"sbe.dll\", \"sbeio.dll\", \"sberes.dll\", \"sbservicetrigger.dll\", \"scansetting.dll\", \"scardbi.dll\", \"scarddlg.dll\", \"scardsvr.dll\", \"scavengeui.dll\", \"scdeviceenum.dll\", \"scecli.dll\", \"scesrv.dll\", \"schannel.dll\", \"schedcli.dll\", \"schedsvc.dll\", \"scksp.dll\", \"scripto.dll\", \"scrobj.dll\", \"scrptadm.dll\", \"scrrun.dll\", \"sdcpl.dll\", \"sdds.dll\", \"sdengin2.dll\", \"sdfhost.dll\", \"sdhcinst.dll\", \"sdiageng.dll\", \"sdiagprv.dll\", \"sdiagschd.dll\", \"sdohlp.dll\", \"sdrsvc.dll\", \"sdshext.dll\", \"searchfolder.dll\", \"sechost.dll\", \"seclogon.dll\", \"secproc.dll\", \"secproc_isv.dll\", \"secproc_ssp.dll\", \"secproc_ssp_isv.dll\", \"secur32.dll\", \"security.dll\", \"semgrps.dll\", \"semgrsvc.dll\", \"sendmail.dll\", \"sens.dll\", \"sensapi.dll\", \"sensorsapi.dll\", \"sensorscpl.dll\", \"sensorservice.dll\", \"sensorsnativeapi.dll\", \"sensorsutilsv2.dll\", \"sensrsvc.dll\", \"serialui.dll\", \"servicinguapi.dll\", \"serwvdrv.dll\", \"sessenv.dll\", \"setbcdlocale.dll\", \"settingmonitor.dll\", \"settingsync.dll\", \"settingsynccore.dll\", \"setupapi.dll\", \"setupcl.dll\", \"setupcln.dll\", \"setupetw.dll\", \"sfc.dll\", \"sfc_os.dll\", \"sgrmenclave.dll\", \"shacct.dll\", \"shacctprofile.dll\", \"sharedpccsp.dll\", \"sharedrealitysvc.dll\", \"sharehost.dll\", \"sharemediacpl.dll\", \"shcore.dll\", \"shdocvw.dll\", \"shell32.dll\", \"shellstyle.dll\", \"shfolder.dll\", \"shgina.dll\", 
\"shimeng.dll\", \"shimgvw.dll\", \"shlwapi.dll\", \"shpafact.dll\", \"shsetup.dll\", \"shsvcs.dll\", \"shunimpl.dll\", \"shutdownext.dll\", \"shutdownux.dll\", \"shwebsvc.dll\", \"signdrv.dll\", \"simauth.dll\", \"simcfg.dll\", \"skci.dll\", \"slc.dll\", \"slcext.dll\", \"slwga.dll\", \"smartscreenps.dll\", \"smbhelperclass.dll\", \"smbwmiv2.dll\", \"smiengine.dll\", \"smphost.dll\", \"smsroutersvc.dll\", \"sndvolsso.dll\", \"snmpapi.dll\", \"socialapis.dll\", \"softkbd.dll\", \"softpub.dll\", \"sortwindows61.dll\", \"sortwindows62.dll\", \"spacebridge.dll\", \"spacecontrol.dll\", \"spatializerapo.dll\", \"spatialstore.dll\", \"spbcd.dll\", \"speechpal.dll\", \"spfileq.dll\", \"spinf.dll\", \"spmpm.dll\", \"spnet.dll\", \"spoolss.dll\", \"spopk.dll\", \"spp.dll\", \"sppc.dll\", \"sppcext.dll\", \"sppcomapi.dll\", \"sppcommdlg.dll\", \"sppinst.dll\", \"sppnp.dll\", \"sppobjs.dll\", \"sppwinob.dll\", \"sppwmi.dll\", \"spwinsat.dll\", \"spwizeng.dll\", \"spwizimg.dll\", \"spwizres.dll\", \"spwmp.dll\", \"sqlsrv32.dll\", \"sqmapi.dll\", \"srchadmin.dll\", \"srclient.dll\", \"srcore.dll\", \"srevents.dll\", \"srh.dll\", \"srhelper.dll\", \"srm.dll\", \"srmclient.dll\", \"srmlib.dll\", \"srmscan.dll\", \"srmshell.dll\", \"srmstormod.dll\", \"srmtrace.dll\", \"srm_ps.dll\", \"srpapi.dll\", \"srrstr.dll\", \"srumapi.dll\", \"srumsvc.dll\", \"srvcli.dll\", \"srvsvc.dll\", \"srwmi.dll\", \"sscore.dll\", \"sscoreext.dll\", \"ssdm.dll\", \"ssdpapi.dll\", \"ssdpsrv.dll\", \"sspicli.dll\", \"sspisrv.dll\", \"ssshim.dll\", \"sstpsvc.dll\", \"starttiledata.dll\", \"startupscan.dll\", \"stclient.dll\", \"sti.dll\", \"sti_ci.dll\", \"stobject.dll\", \"storageusage.dll\", \"storagewmi.dll\", \"storewuauth.dll\", \"storprop.dll\", \"storsvc.dll\", \"streamci.dll\", \"structuredquery.dll\", \"sud.dll\", \"svf.dll\", \"svsvc.dll\", \"swprv.dll\", \"sxproxy.dll\", \"sxs.dll\", \"sxshared.dll\", \"sxssrv.dll\", \"sxsstore.dll\", \"synccenter.dll\", \"synccontroller.dll\", 
\"synchostps.dll\", \"syncproxy.dll\", \"syncreg.dll\", \"syncres.dll\", \"syncsettings.dll\", \"syncutil.dll\", \"sysclass.dll\", \"sysfxui.dll\", \"sysmain.dll\", \"sysntfy.dll\", \"syssetup.dll\", \"systemcpl.dll\", \"t2embed.dll\", \"tabbtn.dll\", \"tabbtnex.dll\", \"tabsvc.dll\", \"tapi3.dll\", \"tapi32.dll\", \"tapilua.dll\", \"tapimigplugin.dll\", \"tapiperf.dll\", \"tapisrv.dll\", \"tapisysprep.dll\", \"tapiui.dll\", \"taskapis.dll\", \"taskbarcpl.dll\", \"taskcomp.dll\", \"taskschd.dll\", \"taskschdps.dll\", \"tbauth.dll\", \"tbs.dll\", \"tcbloader.dll\", \"tcpipcfg.dll\", \"tcpmib.dll\", \"tcpmon.dll\", \"tcpmonui.dll\", \"tdh.dll\", \"tdlmigration.dll\", \"tellib.dll\", \"termmgr.dll\", \"termsrv.dll\", \"tetheringclient.dll\", \"tetheringmgr.dll\", \"tetheringservice.dll\", \"tetheringstation.dll\", \"textshaping.dll\", \"themecpl.dll\", \"themeservice.dll\", \"themeui.dll\", \"threadpoolwinrt.dll\", \"thumbcache.dll\", \"timebrokerclient.dll\", \"timebrokerserver.dll\", \"timesync.dll\", \"timesynctask.dll\", \"tlscsp.dll\", \"tokenbinding.dll\", \"tokenbroker.dll\", \"tokenbrokerui.dll\", \"tpmcertresources.dll\", \"tpmcompc.dll\", \"tpmtasks.dll\", \"tpmvsc.dll\", \"tquery.dll\", \"traffic.dll\", \"transportdsa.dll\", \"trie.dll\", \"trkwks.dll\", \"tsbyuv.dll\", \"tscfgwmi.dll\", \"tserrredir.dll\", \"tsf3gip.dll\", \"tsgqec.dll\", \"tsmf.dll\", \"tspkg.dll\", \"tspubwmi.dll\", \"tssessionux.dll\", \"tssrvlic.dll\", \"tsworkspace.dll\", \"ttdloader.dll\", \"ttdplm.dll\", \"ttdrecord.dll\", \"ttdrecordcpu.dll\", \"ttlsauth.dll\", \"ttlscfg.dll\", \"ttlsext.dll\", \"tvratings.dll\", \"twext.dll\", \"twinapi.dll\", \"twinui.dll\", \"txflog.dll\", \"txfw32.dll\", \"tzautoupdate.dll\", \"tzres.dll\", \"tzsyncres.dll\", \"ubpm.dll\", \"ucmhc.dll\", \"ucrtbase.dll\", \"ucrtbase_clr0400.dll\", \"ucrtbase_enclave.dll\", \"udhisapi.dll\", \"udwm.dll\", \"ueficsp.dll\", \"uexfat.dll\", \"ufat.dll\", \"uiamanager.dll\", \"uianimation.dll\", 
\"uiautomationcore.dll\", \"uicom.dll\", \"uireng.dll\", \"uiribbon.dll\", \"uiribbonres.dll\", \"ulib.dll\", \"umb.dll\", \"umdmxfrm.dll\", \"umpdc.dll\", \"umpnpmgr.dll\", \"umpo-overrides.dll\", \"umpo.dll\", \"umpoext.dll\", \"umpowmi.dll\", \"umrdp.dll\", \"unattend.dll\", \"unenrollhook.dll\", \"unimdmat.dll\", \"uniplat.dll\", \"unistore.dll\", \"untfs.dll\", \"updateagent.dll\", \"updatecsp.dll\", \"updatepolicy.dll\", \"upnp.dll\", \"upnphost.dll\", \"upshared.dll\", \"urefs.dll\", \"urefsv1.dll\", \"ureg.dll\", \"url.dll\", \"urlmon.dll\", \"usbcapi.dll\", \"usbceip.dll\", \"usbmon.dll\", \"usbperf.dll\", \"usbpmapi.dll\", \"usbtask.dll\", \"usbui.dll\", \"user32.dll\", \"usercpl.dll\", \"userdataservice.dll\", \"userdatatimeutil.dll\", \"userenv.dll\", \"userinitext.dll\", \"usermgr.dll\", \"usermgrcli.dll\", \"usermgrproxy.dll\", \"usoapi.dll\", \"usocoreps.dll\", \"usosvc.dll\", \"usp10.dll\", \"ustprov.dll\", \"utcutil.dll\", \"utildll.dll\", \"uudf.dll\", \"uvcmodel.dll\", \"uwfcfgmgmt.dll\", \"uwfcsp.dll\", \"uwfservicingapi.dll\", \"uxinit.dll\", \"uxlib.dll\", \"uxlibres.dll\", \"uxtheme.dll\", \"vac.dll\", \"van.dll\", \"vault.dll\", \"vaultcds.dll\", \"vaultcli.dll\", \"vaultroaming.dll\", \"vaultsvc.dll\", \"vbsapi.dll\", \"vbscript.dll\", \"vbssysprep.dll\", \"vcardparser.dll\", \"vdsbas.dll\", \"vdsdyn.dll\", \"vdsutil.dll\", \"vdsvd.dll\", \"vds_ps.dll\", \"verifier.dll\", \"version.dll\", \"vertdll.dll\", \"vfuprov.dll\", \"vfwwdm32.dll\", \"vhfum.dll\", \"vid.dll\", \"videohandlers.dll\", \"vidreszr.dll\", \"virtdisk.dll\", \"vmbuspipe.dll\", \"vmdevicehost.dll\", \"vmictimeprovider.dll\", \"vmrdvcore.dll\", \"voiprt.dll\", \"vpnike.dll\", \"vpnikeapi.dll\", \"vpnsohdesktop.dll\", \"vpnv2csp.dll\", \"vscmgrps.dll\", \"vssapi.dll\", \"vsstrace.dll\", \"vss_ps.dll\", \"w32time.dll\", \"w32topl.dll\", \"waasassessment.dll\", \"waasmediccapsule.dll\", \"waasmedicps.dll\", \"waasmedicsvc.dll\", \"wabsyncprovider.dll\", \"walletproxy.dll\", 
\"walletservice.dll\", \"wavemsp.dll\", \"wbemcomn.dll\", \"wbiosrvc.dll\", \"wci.dll\", \"wcimage.dll\", \"wcmapi.dll\", \"wcmcsp.dll\", \"wcmsvc.dll\", \"wcnapi.dll\", \"wcncsvc.dll\", \"wcneapauthproxy.dll\", \"wcneappeerproxy.dll\", \"wcnnetsh.dll\", \"wcnwiz.dll\", \"wc_storage.dll\", \"wdc.dll\", \"wdi.dll\", \"wdigest.dll\", \"wdscore.dll\", \"webauthn.dll\", \"webcamui.dll\", \"webcheck.dll\", \"webclnt.dll\", \"webio.dll\", \"webservices.dll\", \"websocket.dll\", \"wecapi.dll\", \"wecsvc.dll\", \"wephostsvc.dll\", \"wer.dll\", \"werconcpl.dll\", \"wercplsupport.dll\", \"werenc.dll\", \"weretw.dll\", \"wersvc.dll\", \"werui.dll\", \"wevtapi.dll\", \"wevtfwd.dll\", \"wevtsvc.dll\", \"wfapigp.dll\", \"wfdprov.dll\", \"wfdsconmgr.dll\", \"wfdsconmgrsvc.dll\", \"wfhc.dll\", \"whealogr.dll\", \"whhelper.dll\", \"wiaaut.dll\", \"wiadefui.dll\", \"wiadss.dll\", \"wiarpc.dll\", \"wiascanprofiles.dll\", \"wiaservc.dll\", \"wiashext.dll\", \"wiatrace.dll\", \"wificloudstore.dll\", \"wificonfigsp.dll\", \"wifidisplay.dll\", \"wimgapi.dll\", \"win32spl.dll\", \"win32u.dll\", \"winbio.dll\", \"winbiodatamodel.dll\", \"winbioext.dll\", \"winbrand.dll\", \"wincorlib.dll\", \"wincredprovider.dll\", \"wincredui.dll\", \"windowmanagement.dll\", \"windowscodecs.dll\", \"windowscodecsext.dll\", \"windowscodecsraw.dll\", \"windowsiotcsp.dll\", \"windowslivelogin.dll\", \"winethc.dll\", \"winhttp.dll\", \"winhttpcom.dll\", \"winhvemulation.dll\", \"winhvplatform.dll\", \"wininet.dll\", \"wininetlui.dll\", \"wininitext.dll\", \"winipcfile.dll\", \"winipcsecproc.dll\", \"winipsec.dll\", \"winlangdb.dll\", \"winlogonext.dll\", \"winmde.dll\", \"winml.dll\", \"winmm.dll\", \"winmmbase.dll\", \"winmsipc.dll\", \"winnlsres.dll\", \"winnsi.dll\", \"winreagent.dll\", \"winrnr.dll\", \"winrscmd.dll\", \"winrsmgr.dll\", \"winrssrv.dll\", \"winrttracing.dll\", \"winsatapi.dll\", \"winscard.dll\", \"winsetupui.dll\", \"winshfhc.dll\", \"winsku.dll\", \"winsockhc.dll\", \"winsqlite3.dll\", 
\"winsrpc.dll\", \"winsrv.dll\", \"winsrvext.dll\", \"winsta.dll\", \"winsync.dll\", \"winsyncmetastore.dll\", \"winsyncproviders.dll\", \"wintrust.dll\", \"wintypes.dll\", \"winusb.dll\", \"wirednetworkcsp.dll\", \"wisp.dll\", \"wkscli.dll\", \"wkspbrokerax.dll\", \"wksprtps.dll\", \"wkssvc.dll\", \"wlanapi.dll\", \"wlancfg.dll\", \"wlanconn.dll\", \"wlandlg.dll\", \"wlangpui.dll\", \"wlanhc.dll\", \"wlanhlp.dll\", \"wlanmediamanager.dll\", \"wlanmm.dll\", \"wlanmsm.dll\", \"wlanpref.dll\", \"wlanradiomanager.dll\", \"wlansec.dll\", \"wlansvc.dll\", \"wlansvcpal.dll\", \"wlanui.dll\", \"wlanutil.dll\", \"wldap32.dll\", \"wldp.dll\", \"wlgpclnt.dll\", \"wlidcli.dll\", \"wlidcredprov.dll\", \"wlidfdp.dll\", \"wlidnsp.dll\", \"wlidprov.dll\", \"wlidres.dll\", \"wlidsvc.dll\", \"wmadmod.dll\", \"wmadmoe.dll\", \"wmalfxgfxdsp.dll\", \"wmasf.dll\", \"wmcodecdspps.dll\", \"wmdmlog.dll\", \"wmdmps.dll\", \"wmdrmsdk.dll\", \"wmerror.dll\", \"wmi.dll\", \"wmiclnt.dll\", \"wmicmiplugin.dll\", \"wmidcom.dll\", \"wmidx.dll\", \"wmiprop.dll\", \"wmitomi.dll\", \"wmnetmgr.dll\", \"wmp.dll\", \"wmpdui.dll\", \"wmpdxm.dll\", \"wmpeffects.dll\", \"wmphoto.dll\", \"wmploc.dll\", \"wmpps.dll\", \"wmpshell.dll\", \"wmsgapi.dll\", \"wmspdmod.dll\", \"wmspdmoe.dll\", \"wmvcore.dll\", \"wmvdecod.dll\", \"wmvdspa.dll\", \"wmvencod.dll\", \"wmvsdecd.dll\", \"wmvsencd.dll\", \"wmvxencd.dll\", \"woftasks.dll\", \"wofutil.dll\", \"wordbreakers.dll\", \"workfoldersgpext.dll\", \"workfoldersres.dll\", \"workfoldersshell.dll\", \"workfolderssvc.dll\", \"wosc.dll\", \"wow64.dll\", \"wow64cpu.dll\", \"wow64win.dll\", \"wpbcreds.dll\", \"wpc.dll\", \"wpcapi.dll\", \"wpcdesktopmonsvc.dll\", \"wpcproxystubs.dll\", \"wpcrefreshtask.dll\", \"wpcwebfilter.dll\", \"wpdbusenum.dll\", \"wpdshext.dll\", \"wpdshserviceobj.dll\", \"wpdsp.dll\", \"wpd_ci.dll\", \"wpnapps.dll\", \"wpnclient.dll\", \"wpncore.dll\", \"wpninprc.dll\", \"wpnprv.dll\", \"wpnservice.dll\", \"wpnsruprov.dll\", \"wpnuserservice.dll\", 
\"wpportinglibrary.dll\", \"wpprecorderum.dll\", \"wptaskscheduler.dll\", \"wpx.dll\", \"ws2help.dll\", \"ws2_32.dll\", \"wscapi.dll\", \"wscinterop.dll\", \"wscisvif.dll\", \"wsclient.dll\", \"wscproxystub.dll\", \"wscsvc.dll\", \"wsdapi.dll\", \"wsdchngr.dll\", \"wsdprintproxy.dll\", \"wsdproviderutil.dll\", \"wsdscanproxy.dll\", \"wsecedit.dll\", \"wsepno.dll\", \"wshbth.dll\", \"wshcon.dll\", \"wshelper.dll\", \"wshext.dll\", \"wshhyperv.dll\", \"wship6.dll\", \"wshqos.dll\", \"wshrm.dll\", \"wshtcpip.dll\", \"wshunix.dll\", \"wslapi.dll\", \"wsmagent.dll\", \"wsmauto.dll\", \"wsmplpxy.dll\", \"wsmres.dll\", \"wsmsvc.dll\", \"wsmwmipl.dll\", \"wsnmp32.dll\", \"wsock32.dll\", \"wsplib.dll\", \"wsp_fs.dll\", \"wsp_health.dll\", \"wsp_sr.dll\", \"wtsapi32.dll\", \"wuapi.dll\", \"wuaueng.dll\", \"wuceffects.dll\", \"wudfcoinstaller.dll\", \"wudfplatform.dll\", \"wudfsmcclassext.dll\", \"wudfx.dll\", \"wudfx02000.dll\", \"wudriver.dll\", \"wups.dll\", \"wups2.dll\", \"wuuhext.dll\", \"wuuhosdeployment.dll\", \"wvc.dll\", \"wwaapi.dll\", \"wwaext.dll\", \"wwanapi.dll\", \"wwancfg.dll\", \"wwanhc.dll\", \"wwanprotdim.dll\", \"wwanradiomanager.dll\", \"wwansvc.dll\", \"wwapi.dll\", \"xamltilerender.dll\", \"xaudio2_8.dll\", \"xaudio2_9.dll\", \"xblauthmanager.dll\", \"xblgamesave.dll\", \"xblgamesaveext.dll\", \"xblgamesaveproxy.dll\", \"xboxgipsvc.dll\", \"xboxgipsynthetic.dll\", \"xboxnetapisvc.dll\", \"xinput1_4.dll\", \"xinput9_1_0.dll\", \"xinputuap.dll\", \"xmlfilter.dll\", \"xmllite.dll\", \"xmlprovi.dll\", \"xolehlp.dll\", \"xpsgdiconverter.dll\", \"xpsprint.dll\", \"xpspushlayer.dll\", \"xpsrasterservice.dll\", \"xpsservices.dll\", \"xwizards.dll\", \"xwreg.dll\", \"xwtpdui.dll\", \"xwtpw32.dll\", \"zipcontainer.dll\", \"zipfldr.dll\", \"bootsvc.dll\", \"halextintcpsedma.dll\", \"icsvcvss.dll\", \"ieproxydesktop.dll\", \"lsaadt.dll\", \"nlansp_c.dll\", \"nrtapi.dll\", \"opencl.dll\", \"pfclient.dll\", \"pnpdiag.dll\", \"prxyqry.dll\", \"rdpnanotransport.dll\", 
\"servicingcommon.dll\", \"sortwindows63.dll\", \"sstpcfg.dll\", \"tdhres.dll\", \"umpodev.dll\", \"utcapi.dll\", \"windlp.dll\", \"wow64base.dll\", \"wow64con.dll\", \"blbuires.dll\", \"bpainst.dll\", \"cbclient.dll\", \"certadm.dll\", \"certocm.dll\", \"certpick.dll\", \"csdeployres.dll\", \"dsdeployres.dll\", \"eapa3hst.dll\", \"eapacfg.dll\", \"eapahost.dll\", \"elsext.dll\", \"encdump.dll\", \"escmigplugin.dll\", \"fsclient.dll\", \"fsdeployres.dll\", \"fssminst.dll\", \"fssmres.dll\", \"fssprov.dll\", \"ipamapi.dll\", \"kpssvc.dll\", \"lbfoadminlib.dll\", \"mintdh.dll\", \"mmci.dll\", \"mmcico.dll\", \"mprsnap.dll\", \"mstsmhst.dll\", \"mstsmmc.dll\", \"muxinst.dll\", \"personax.dll\", \"rassfm.dll\", \"rasuser.dll\", \"rdmsinst.dll\", \"rdmsres.dll\", \"rtrfiltr.dll\", \"sacsvr.dll\", \"scrdenrl.dll\", \"sdclient.dll\", \"sharedstartmodel.dll\", \"smsrouter.dll\", \"spwizimg_svr.dll\", \"sqlcecompact40.dll\", \"sqlceoledb40.dll\", \"sqlceqp40.dll\", \"sqlcese40.dll\", \"srvmgrinst.dll\", \"svrmgrnc.dll\", \"tapisnap.dll\", \"tlsbrand.dll\", \"tsec.dll\", \"tsprop.dll\", \"tspubiconhelper.dll\", \"tssdjet.dll\", \"tsuserex.dll\", \"ualapi.dll\", \"ualsvc.dll\", \"umcres.dll\", \"updatehandlers.dll\", \"usocore.dll\", \"vssui.dll\", \"wsbappres.dll\", \"wsbonline.dll\", \"wsmselpl.dll\", \"wsmselrr.dll\", \"xpsfilt.dll\", \"xpsshhdr.dll\"\n ) and\n not (\n (dll.name : \"icuuc.dll\" and dll.code_signature.subject_name == \"Valve\" and dll.code_signature.trusted == true) or \n (dll.name : \"dbghelp.dll\" and dll.code_signature.trusted == true) or \n (dll.name : \"DirectML.dll\" and dll.code_signature.subject_name == \"Adobe Inc.\" and dll.code_signature.trusted == true) or\n (\n dll.path : (\n \"?:\\\\Windows\\\\SystemApps\\\\*\\\\dxgi.dll\",\n \"?:\\\\Windows\\\\SystemApps\\\\*\\\\wincorlib.dll\",\n \"?:\\\\Windows\\\\dxgi.dll\"\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": 
"dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "dll.path", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}], "risk_score": 21, "rule_id": "fb01d790-9f74-4e76-97dd-b4b0f7bf6435", "severity": "low", "tags": ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "fb01d790-9f74-4e76-97dd-b4b0f7bf6435_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_102.json b/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_102.json
deleted file mode 100644
index 9c92b005947..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies suspicious instances of default system32 DLLs either unsigned or signed with non-MS certificates. This can potentially indicate the attempt to masquerade as system DLLs, perform DLL Search Order Hijacking or backdoor and resign legitimate DLLs.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as System32 DLL", "query": "library where event.action == \"load\" and dll.Ext.relative_file_creation_time <= 3600 and\n not (\n dll.path : (\n \"?:\\\\Windows\\\\System32\\\\*\",\n \"?:\\\\Windows\\\\SysWOW64\\\\*\",\n \"?:\\\\Windows\\\\SystemTemp\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\System32\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\",\n \"?:\\\\Windows\\\\assembly\\\\NativeImages_v*\"\n )\n ) and\n not (\n dll.code_signature.subject_name in (\n \"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Hardware Abstraction Layer Publisher\",\n \"Microsoft Windows Publisher\",\n \"Microsoft Windows 3rd party Component\",\n \"Microsoft 3rd Party Application Component\"\n ) and dll.code_signature.trusted == true\n ) and not dll.code_signature.status : (\"errorCode_endpoint*\", \"errorUntrustedRoot\", \"errorChaining\") and\n dll.name : (\n \"aadauthhelper.dll\", \"aadcloudap.dll\", \"aadjcsp.dll\", \"aadtb.dll\", \"aadwamextension.dll\", \"aarsvc.dll\", \"abovelockapphost.dll\", \"accessibilitycpl.dll\", \"accountaccessor.dll\", \"accountsrt.dll\", \"acgenral.dll\", \"aclayers.dll\", \"acledit.dll\", \"aclui.dll\", \"acmigration.dll\", \"acppage.dll\", \"acproxy.dll\", \"acspecfc.dll\", \"actioncenter.dll\", \"actioncentercpl.dll\",
\"actionqueue.dll\", \"activationclient.dll\", \"activeds.dll\", \"activesynccsp.dll\", \"actxprxy.dll\", \"acwinrt.dll\", \"acxtrnal.dll\", \"adaptivecards.dll\", \"addressparser.dll\", \"adhapi.dll\", \"adhsvc.dll\", \"admtmpl.dll\", \"adprovider.dll\", \"adrclient.dll\", \"adsldp.dll\", \"adsldpc.dll\", \"adsmsext.dll\", \"adsnt.dll\", \"adtschema.dll\", \"advancedemojids.dll\", \"advapi32.dll\", \"advapi32res.dll\", \"advpack.dll\", \"aeevts.dll\", \"aeinv.dll\", \"aepic.dll\", \"ajrouter.dll\", \"altspace.dll\", \"amsi.dll\", \"amsiproxy.dll\", \"amstream.dll\", \"apds.dll\", \"aphostclient.dll\", \"aphostres.dll\", \"aphostservice.dll\", \"apisampling.dll\", \"apisetschema.dll\", \"apmon.dll\", \"apmonui.dll\", \"appcontracts.dll\", \"appextension.dll\", \"apphelp.dll\", \"apphlpdm.dll\", \"appidapi.dll\", \"appidsvc.dll\", \"appinfo.dll\", \"appinfoext.dll\", \"applicationframe.dll\", \"applockercsp.dll\", \"appmgmts.dll\", \"appmgr.dll\", \"appmon.dll\", \"appointmentapis.dll\", \"appraiser.dll\", \"appreadiness.dll\", \"apprepapi.dll\", \"appresolver.dll\", \"appsruprov.dll\", \"appvcatalog.dll\", \"appvclientps.dll\", \"appvetwclientres.dll\", \"appvintegration.dll\", \"appvmanifest.dll\", \"appvpolicy.dll\", \"appvpublishing.dll\", \"appvreporting.dll\", \"appvscripting.dll\", \"appvsentinel.dll\", \"appvstreamingux.dll\", \"appvstreammap.dll\", \"appvterminator.dll\", \"appxalluserstore.dll\", \"appxpackaging.dll\", \"appxsip.dll\", \"appxsysprep.dll\", \"archiveint.dll\", \"asferror.dll\", \"aspnet_counters.dll\", \"asycfilt.dll\", \"atl.dll\", \"atlthunk.dll\", \"atmlib.dll\", \"audioeng.dll\", \"audiohandlers.dll\", \"audiokse.dll\", \"audioses.dll\", \"audiosrv.dll\", \"auditcse.dll\", \"auditpolcore.dll\", \"auditpolmsg.dll\", \"authbroker.dll\", \"authbrokerui.dll\", \"authentication.dll\", \"authext.dll\", \"authfwcfg.dll\", \"authfwgp.dll\", \"authfwsnapin.dll\", \"authfwwizfwk.dll\", \"authhostproxy.dll\", \"authui.dll\", \"authz.dll\", 
\"autopilot.dll\", \"autopilotdiag.dll\", \"autoplay.dll\", \"autotimesvc.dll\", \"avicap32.dll\", \"avifil32.dll\", \"avrt.dll\", \"axinstsv.dll\", \"azroles.dll\", \"azroleui.dll\", \"azsqlext.dll\", \"basecsp.dll\", \"basesrv.dll\", \"batmeter.dll\", \"bcastdvrbroker.dll\", \"bcastdvrclient.dll\", \"bcastdvrcommon.dll\", \"bcd.dll\", \"bcdprov.dll\", \"bcdsrv.dll\", \"bcp47langs.dll\", \"bcp47mrm.dll\", \"bcrypt.dll\", \"bcryptprimitives.dll\", \"bdehdcfglib.dll\", \"bderepair.dll\", \"bdesvc.dll\", \"bdesysprep.dll\", \"bdeui.dll\", \"bfe.dll\", \"bi.dll\", \"bidispl.dll\", \"bindfltapi.dll\", \"bingasds.dll\", \"bingfilterds.dll\", \"bingmaps.dll\", \"biocredprov.dll\", \"bisrv.dll\", \"bitlockercsp.dll\", \"bitsigd.dll\", \"bitsperf.dll\", \"bitsproxy.dll\", \"biwinrt.dll\", \"blbevents.dll\", \"blbres.dll\", \"blb_ps.dll\", \"bluetoothapis.dll\", \"bnmanager.dll\", \"bootmenuux.dll\", \"bootstr.dll\", \"bootux.dll\", \"bootvid.dll\", \"bridgeres.dll\", \"brokerlib.dll\", \"browcli.dll\", \"browserbroker.dll\", \"browseui.dll\", \"btagservice.dll\", \"bthavctpsvc.dll\", \"bthavrcp.dll\", \"bthavrcpappsvc.dll\", \"bthci.dll\", \"bthpanapi.dll\", \"bthradiomedia.dll\", \"bthserv.dll\", \"bthtelemetry.dll\", \"btpanui.dll\", \"bwcontexthandler.dll\", \"cabapi.dll\", \"cabinet.dll\", \"cabview.dll\", \"callbuttons.dll\", \"cameracaptureui.dll\", \"capauthz.dll\", \"capiprovider.dll\", \"capisp.dll\", \"captureservice.dll\", \"castingshellext.dll\", \"castlaunch.dll\", \"catsrv.dll\", \"catsrvps.dll\", \"catsrvut.dll\", \"cbdhsvc.dll\", \"cca.dll\", \"cdd.dll\", \"cdosys.dll\", \"cdp.dll\", \"cdprt.dll\", \"cdpsvc.dll\", \"cdpusersvc.dll\", \"cemapi.dll\", \"certca.dll\", \"certcli.dll\", \"certcredprovider.dll\", \"certenc.dll\", \"certenroll.dll\", \"certenrollui.dll\", \"certmgr.dll\", \"certpkicmdlet.dll\", \"certpoleng.dll\", \"certprop.dll\", \"cewmdm.dll\", \"cfgbkend.dll\", \"cfgmgr32.dll\", \"cfgspcellular.dll\", \"cfgsppolicy.dll\", \"cflapi.dll\", 
\"cfmifs.dll\", \"cfmifsproxy.dll\", \"chakra.dll\", \"chakradiag.dll\", \"chakrathunk.dll\", \"chartv.dll\", \"chatapis.dll\", \"chkwudrv.dll\", \"chsstrokeds.dll\", \"chtbopomofods.dll\", \"chtcangjieds.dll\", \"chthkstrokeds.dll\", \"chtquickds.dll\", \"chxapds.dll\", \"chxdecoder.dll\", \"chxhapds.dll\", \"chxinputrouter.dll\", \"chxranker.dll\", \"ci.dll\", \"cic.dll\", \"cimfs.dll\", \"circoinst.dll\", \"ciwmi.dll\", \"clb.dll\", \"clbcatq.dll\", \"cldapi.dll\", \"cleanpccsp.dll\", \"clfsw32.dll\", \"cliconfg.dll\", \"clipboardserver.dll\", \"clipc.dll\", \"clipsvc.dll\", \"clipwinrt.dll\", \"cloudap.dll\", \"cloudidsvc.dll\", \"clrhost.dll\", \"clusapi.dll\", \"cmcfg32.dll\", \"cmdext.dll\", \"cmdial32.dll\", \"cmgrcspps.dll\", \"cmifw.dll\", \"cmintegrator.dll\", \"cmlua.dll\", \"cmpbk32.dll\", \"cmstplua.dll\", \"cmutil.dll\", \"cngcredui.dll\", \"cngprovider.dll\", \"cnvfat.dll\", \"cofiredm.dll\", \"colbact.dll\", \"colorcnv.dll\", \"colorui.dll\", \"combase.dll\", \"comcat.dll\", \"comctl32.dll\", \"comdlg32.dll\", \"coml2.dll\", \"comppkgsup.dll\", \"compstui.dll\", \"computecore.dll\", \"computenetwork.dll\", \"computestorage.dll\", \"comrepl.dll\", \"comres.dll\", \"comsnap.dll\", \"comsvcs.dll\", \"comuid.dll\", \"configmanager2.dll\", \"conhostv1.dll\", \"connect.dll\", \"consentux.dll\", \"consentuxclient.dll\", \"console.dll\", \"consolelogon.dll\", \"contactapis.dll\", \"container.dll\", \"coredpus.dll\", \"coreglobconfig.dll\", \"coremas.dll\", \"coremessaging.dll\", \"coremmres.dll\", \"coreshell.dll\", \"coreshellapi.dll\", \"coreuicomponents.dll\", \"correngine.dll\", \"courtesyengine.dll\", \"cpfilters.dll\", \"creddialogbroker.dll\", \"credprovhelper.dll\", \"credprovhost.dll\", \"credprovs.dll\", \"credprovslegacy.dll\", \"credssp.dll\", \"credui.dll\", \"crypt32.dll\", \"cryptbase.dll\", \"cryptcatsvc.dll\", \"cryptdlg.dll\", \"cryptdll.dll\", \"cryptext.dll\", \"cryptnet.dll\", \"cryptngc.dll\", \"cryptowinrt.dll\", \"cryptsp.dll\", 
\"cryptsvc.dll\", \"crypttpmeksvc.dll\", \"cryptui.dll\", \"cryptuiwizard.dll\", \"cryptxml.dll\", \"cscapi.dll\", \"cscdll.dll\", \"cscmig.dll\", \"cscobj.dll\", \"cscsvc.dll\", \"cscui.dll\", \"csplte.dll\", \"cspproxy.dll\", \"csrsrv.dll\", \"cxcredprov.dll\", \"c_g18030.dll\", \"c_gsm7.dll\", \"c_is2022.dll\", \"c_iscii.dll\", \"d2d1.dll\", \"d3d10.dll\", \"d3d10core.dll\", \"d3d10level9.dll\", \"d3d10warp.dll\", \"d3d10_1.dll\", \"d3d10_1core.dll\", \"d3d11.dll\", \"d3d11on12.dll\", \"d3d12.dll\", \"d3d12core.dll\", \"d3d8thk.dll\", \"d3d9.dll\", \"d3d9on12.dll\", \"d3dscache.dll\", \"dab.dll\", \"dabapi.dll\", \"daconn.dll\", \"dafbth.dll\", \"dafdnssd.dll\", \"dafescl.dll\", \"dafgip.dll\", \"dafiot.dll\", \"dafipp.dll\", \"dafmcp.dll\", \"dafpos.dll\", \"dafprintprovider.dll\", \"dafupnp.dll\", \"dafwcn.dll\", \"dafwfdprovider.dll\", \"dafwiprov.dll\", \"dafwsd.dll\", \"damediamanager.dll\", \"damm.dll\", \"das.dll\", \"dataclen.dll\", \"datusage.dll\", \"davclnt.dll\", \"davhlpr.dll\", \"davsyncprovider.dll\", \"daxexec.dll\", \"dbgcore.dll\", \"dbgeng.dll\", \"dbghelp.dll\", \"dbgmodel.dll\", \"dbnetlib.dll\", \"dbnmpntw.dll\", \"dciman32.dll\", \"dcntel.dll\", \"dcomp.dll\", \"ddaclsys.dll\", \"ddcclaimsapi.dll\", \"ddds.dll\", \"ddisplay.dll\", \"ddoiproxy.dll\", \"ddores.dll\", \"ddpchunk.dll\", \"ddptrace.dll\", \"ddputils.dll\", \"ddp_ps.dll\", \"ddraw.dll\", \"ddrawex.dll\", \"defragproxy.dll\", \"defragres.dll\", \"defragsvc.dll\", \"deploymentcsps.dll\", \"deskadp.dll\", \"deskmon.dll\", \"desktopshellext.dll\", \"devenum.dll\", \"deviceaccess.dll\", \"devicecenter.dll\", \"devicecredential.dll\", \"devicepairing.dll\", \"deviceuxres.dll\", \"devinv.dll\", \"devmgr.dll\", \"devobj.dll\", \"devpropmgr.dll\", \"devquerybroker.dll\", \"devrtl.dll\", \"dfdts.dll\", \"dfscli.dll\", \"dfshim.dll\", \"dfsshlex.dll\", \"dggpext.dll\", \"dhcpcmonitor.dll\", \"dhcpcore.dll\", \"dhcpcore6.dll\", \"dhcpcsvc.dll\", \"dhcpcsvc6.dll\", \"dhcpsapi.dll\", 
\"diagcpl.dll\", \"diagnosticlogcsp.dll\", \"diagperf.dll\", \"diagsvc.dll\", \"diagtrack.dll\", \"dialclient.dll\", \"dialserver.dll\", \"dictationmanager.dll\", \"difxapi.dll\", \"dimsjob.dll\", \"dimsroam.dll\", \"dinput.dll\", \"dinput8.dll\", \"direct2ddesktop.dll\", \"directml.dll\", \"discan.dll\", \"dismapi.dll\", \"dispbroker.dll\", \"dispex.dll\", \"display.dll\", \"displaymanager.dll\", \"dlnashext.dll\", \"dmappsres.dll\", \"dmcfgutils.dll\", \"dmcmnutils.dll\", \"dmcsps.dll\", \"dmdlgs.dll\", \"dmdskmgr.dll\", \"dmdskres.dll\", \"dmdskres2.dll\", \"dmenrollengine.dll\", \"dmintf.dll\", \"dmiso8601utils.dll\", \"dmloader.dll\", \"dmocx.dll\", \"dmoleaututils.dll\", \"dmpushproxy.dll\", \"dmpushroutercore.dll\", \"dmrcdecoder.dll\", \"dmrserver.dll\", \"dmsynth.dll\", \"dmusic.dll\", \"dmutil.dll\", \"dmvdsitf.dll\", \"dmwappushsvc.dll\", \"dmwmicsp.dll\", \"dmxmlhelputils.dll\", \"dnsapi.dll\", \"dnscmmc.dll\", \"dnsext.dll\", \"dnshc.dll\", \"dnsrslvr.dll\", \"docprop.dll\", \"dolbydecmft.dll\", \"domgmt.dll\", \"dosettings.dll\", \"dosvc.dll\", \"dot3api.dll\", \"dot3cfg.dll\", \"dot3conn.dll\", \"dot3dlg.dll\", \"dot3gpclnt.dll\", \"dot3gpui.dll\", \"dot3hc.dll\", \"dot3mm.dll\", \"dot3msm.dll\", \"dot3svc.dll\", \"dot3ui.dll\", \"dpapi.dll\", \"dpapiprovider.dll\", \"dpapisrv.dll\", \"dpnaddr.dll\", \"dpnathlp.dll\", \"dpnet.dll\", \"dpnhpast.dll\", \"dpnhupnp.dll\", \"dpnlobby.dll\", \"dps.dll\", \"dpx.dll\", \"drprov.dll\", \"drt.dll\", \"drtprov.dll\", \"drttransport.dll\", \"drvsetup.dll\", \"drvstore.dll\", \"dsauth.dll\", \"dsccore.dll\", \"dsccoreconfprov.dll\", \"dsclient.dll\", \"dscproxy.dll\", \"dsctimer.dll\", \"dsdmo.dll\", \"dskquota.dll\", \"dskquoui.dll\", \"dsound.dll\", \"dsparse.dll\", \"dsprop.dll\", \"dsquery.dll\", \"dsreg.dll\", \"dsregtask.dll\", \"dsrole.dll\", \"dssec.dll\", \"dssenh.dll\", \"dssvc.dll\", \"dsui.dll\", \"dsuiext.dll\", \"dswave.dll\", \"dtsh.dll\", \"ducsps.dll\", \"dui70.dll\", \"duser.dll\", 
\"dusmapi.dll\", \"dusmsvc.dll\", \"dwmapi.dll\", \"dwmcore.dll\", \"dwmghost.dll\", \"dwminit.dll\", \"dwmredir.dll\", \"dwmscene.dll\", \"dwrite.dll\", \"dxcore.dll\", \"dxdiagn.dll\", \"dxgi.dll\", \"dxgwdi.dll\", \"dxilconv.dll\", \"dxmasf.dll\", \"dxp.dll\", \"dxpps.dll\", \"dxptasksync.dll\", \"dxtmsft.dll\", \"dxtrans.dll\", \"dxva2.dll\", \"dynamoapi.dll\", \"eapp3hst.dll\", \"eappcfg.dll\", \"eappcfgui.dll\", \"eappgnui.dll\", \"eapphost.dll\", \"eappprxy.dll\", \"eapprovp.dll\", \"eapputil.dll\", \"eapsimextdesktop.dll\", \"eapsvc.dll\", \"eapteapauth.dll\", \"eapteapconfig.dll\", \"eapteapext.dll\", \"easconsent.dll\", \"easwrt.dll\", \"edgeangle.dll\", \"edgecontent.dll\", \"edgehtml.dll\", \"edgeiso.dll\", \"edgemanager.dll\", \"edpauditapi.dll\", \"edpcsp.dll\", \"edptask.dll\", \"edputil.dll\", \"eeprov.dll\", \"eeutil.dll\", \"efsadu.dll\", \"efscore.dll\", \"efsext.dll\", \"efslsaext.dll\", \"efssvc.dll\", \"efsutil.dll\", \"efswrt.dll\", \"ehstorapi.dll\", \"ehstorpwdmgr.dll\", \"ehstorshell.dll\", \"els.dll\", \"elscore.dll\", \"elshyph.dll\", \"elslad.dll\", \"elstrans.dll\", \"emailapis.dll\", \"embeddedmodesvc.dll\", \"emojids.dll\", \"encapi.dll\", \"energy.dll\", \"energyprov.dll\", \"energytask.dll\", \"enrollmentapi.dll\", \"enterpriseapncsp.dll\", \"enterprisecsps.dll\", \"enterpriseetw.dll\", \"eqossnap.dll\", \"errordetails.dll\", \"errordetailscore.dll\", \"es.dll\", \"esclprotocol.dll\", \"esclscan.dll\", \"esclwiadriver.dll\", \"esdsip.dll\", \"esent.dll\", \"esentprf.dll\", \"esevss.dll\", \"eshims.dll\", \"etwrundown.dll\", \"euiccscsp.dll\", \"eventaggregation.dll\", \"eventcls.dll\", \"evr.dll\", \"execmodelclient.dll\", \"execmodelproxy.dll\", \"explorerframe.dll\", \"exsmime.dll\", \"extrasxmlparser.dll\", \"f3ahvoas.dll\", \"facilitator.dll\", \"familysafetyext.dll\", \"faultrep.dll\", \"fcon.dll\", \"fdbth.dll\", \"fdbthproxy.dll\", \"fddevquery.dll\", \"fde.dll\", \"fdeploy.dll\", \"fdphost.dll\", \"fdpnp.dll\", 
\"fdprint.dll\", \"fdproxy.dll\", \"fdrespub.dll\", \"fdssdp.dll\", \"fdwcn.dll\", \"fdwnet.dll\", \"fdwsd.dll\", \"feclient.dll\", \"ffbroker.dll\", \"fhcat.dll\", \"fhcfg.dll\", \"fhcleanup.dll\", \"fhcpl.dll\", \"fhengine.dll\", \"fhevents.dll\", \"fhshl.dll\", \"fhsrchapi.dll\", \"fhsrchph.dll\", \"fhsvc.dll\", \"fhsvcctl.dll\", \"fhtask.dll\", \"fhuxadapter.dll\", \"fhuxapi.dll\", \"fhuxcommon.dll\", \"fhuxgraphics.dll\", \"fhuxpresentation.dll\", \"fidocredprov.dll\", \"filemgmt.dll\", \"filterds.dll\", \"findnetprinters.dll\", \"firewallapi.dll\", \"flightsettings.dll\", \"fltlib.dll\", \"fluencyds.dll\", \"fmapi.dll\", \"fmifs.dll\", \"fms.dll\", \"fntcache.dll\", \"fontext.dll\", \"fontprovider.dll\", \"fontsub.dll\", \"fphc.dll\", \"framedyn.dll\", \"framedynos.dll\", \"frameserver.dll\", \"frprov.dll\", \"fsutilext.dll\", \"fthsvc.dll\", \"fundisc.dll\", \"fveapi.dll\", \"fveapibase.dll\", \"fvecerts.dll\", \"fvecpl.dll\", \"fveskybackup.dll\", \"fveui.dll\", \"fvewiz.dll\", \"fwbase.dll\", \"fwcfg.dll\", \"fwmdmcsp.dll\", \"fwpolicyiomgr.dll\", \"fwpuclnt.dll\", \"fwremotesvr.dll\", \"gameinput.dll\", \"gamemode.dll\", \"gamestreamingext.dll\", \"gameux.dll\", \"gamingtcui.dll\", \"gcdef.dll\", \"gdi32.dll\", \"gdi32full.dll\", \"gdiplus.dll\", \"generaltel.dll\", \"geocommon.dll\", \"geolocation.dll\", \"getuname.dll\", \"glmf32.dll\", \"globinputhost.dll\", \"glu32.dll\", \"gmsaclient.dll\", \"gpapi.dll\", \"gpcsewrappercsp.dll\", \"gpedit.dll\", \"gpprefcl.dll\", \"gpprnext.dll\", \"gpscript.dll\", \"gpsvc.dll\", \"gptext.dll\", \"graphicscapture.dll\", \"graphicsperfsvc.dll\", \"groupinghc.dll\", \"hal.dll\", \"halextpl080.dll\", \"hascsp.dll\", \"hashtagds.dll\", \"hbaapi.dll\", \"hcproviders.dll\", \"hdcphandler.dll\", \"heatcore.dll\", \"helppaneproxy.dll\", \"hgcpl.dll\", \"hhsetup.dll\", \"hid.dll\", \"hidcfu.dll\", \"hidserv.dll\", \"hlink.dll\", \"hmkd.dll\", \"hnetcfg.dll\", \"hnetcfgclient.dll\", \"hnetmon.dll\", \"hologramworld.dll\", 
\"holoshellruntime.dll\", \"holoshextensions.dll\", \"hotplug.dll\", \"hrtfapo.dll\", \"httpapi.dll\", \"httpprxc.dll\", \"httpprxm.dll\", \"httpprxp.dll\", \"httpsdatasource.dll\", \"htui.dll\", \"hvhostsvc.dll\", \"hvloader.dll\", \"hvsigpext.dll\", \"hvsocket.dll\", \"hydrogen.dll\", \"ia2comproxy.dll\", \"ias.dll\", \"iasacct.dll\", \"iasads.dll\", \"iasdatastore.dll\", \"iashlpr.dll\", \"iasmigplugin.dll\", \"iasnap.dll\", \"iaspolcy.dll\", \"iasrad.dll\", \"iasrecst.dll\", \"iassam.dll\", \"iassdo.dll\", \"iassvcs.dll\", \"icfupgd.dll\", \"icm32.dll\", \"icmp.dll\", \"icmui.dll\", \"iconcodecservice.dll\", \"icsigd.dll\", \"icsvc.dll\", \"icsvcext.dll\", \"icu.dll\", \"icuin.dll\", \"icuuc.dll\", \"idctrls.dll\", \"idlisten.dll\", \"idndl.dll\", \"idstore.dll\", \"ieadvpack.dll\", \"ieapfltr.dll\", \"iedkcs32.dll\", \"ieframe.dll\", \"iemigplugin.dll\", \"iepeers.dll\", \"ieproxy.dll\", \"iernonce.dll\", \"iertutil.dll\", \"iesetup.dll\", \"iesysprep.dll\", \"ieui.dll\", \"ifmon.dll\", \"ifsutil.dll\", \"ifsutilx.dll\", \"igddiag.dll\", \"ihds.dll\", \"ikeext.dll\", \"imagehlp.dll\", \"imageres.dll\", \"imagesp1.dll\", \"imapi.dll\", \"imapi2.dll\", \"imapi2fs.dll\", \"imgutil.dll\", \"imm32.dll\", \"implatsetup.dll\", \"indexeddblegacy.dll\", \"inetcomm.dll\", \"inetmib1.dll\", \"inetpp.dll\", \"inetppui.dll\", \"inetres.dll\", \"inked.dll\", \"inkobjcore.dll\", \"inproclogger.dll\", \"input.dll\", \"inputcloudstore.dll\", \"inputcontroller.dll\", \"inputhost.dll\", \"inputservice.dll\", \"inputswitch.dll\", \"inseng.dll\", \"installservice.dll\", \"internetmail.dll\", \"internetmailcsp.dll\", \"invagent.dll\", \"iologmsg.dll\", \"iphlpapi.dll\", \"iphlpsvc.dll\", \"ipnathlp.dll\", \"ipnathlpclient.dll\", \"ippcommon.dll\", \"ippcommonproxy.dll\", \"iprtprio.dll\", \"iprtrmgr.dll\", \"ipsecsnp.dll\", \"ipsecsvc.dll\", \"ipsmsnap.dll\", \"ipxlatcfg.dll\", \"iri.dll\", \"iscsicpl.dll\", \"iscsidsc.dll\", \"iscsied.dll\", \"iscsiexe.dll\", \"iscsilog.dll\", 
\"iscsium.dll\", \"iscsiwmi.dll\", \"iscsiwmiv2.dll\", \"ism.dll\", \"itircl.dll\", \"itss.dll\", \"iuilp.dll\", \"iumbase.dll\", \"iumcrypt.dll\", \"iumdll.dll\", \"iumsdk.dll\", \"iyuv_32.dll\", \"joinproviderol.dll\", \"joinutil.dll\", \"jpmapcontrol.dll\", \"jpndecoder.dll\", \"jpninputrouter.dll\", \"jpnranker.dll\", \"jpnserviceds.dll\", \"jscript.dll\", \"jscript9.dll\", \"jscript9diag.dll\", \"jsproxy.dll\", \"kbd101.dll\", \"kbd101a.dll\", \"kbd101b.dll\", \"kbd101c.dll\", \"kbd103.dll\", \"kbd106.dll\", \"kbd106n.dll\", \"kbda1.dll\", \"kbda2.dll\", \"kbda3.dll\", \"kbdadlm.dll\", \"kbdal.dll\", \"kbdarme.dll\", \"kbdarmph.dll\", \"kbdarmty.dll\", \"kbdarmw.dll\", \"kbdax2.dll\", \"kbdaze.dll\", \"kbdazel.dll\", \"kbdazst.dll\", \"kbdbash.dll\", \"kbdbe.dll\", \"kbdbene.dll\", \"kbdbgph.dll\", \"kbdbgph1.dll\", \"kbdbhc.dll\", \"kbdblr.dll\", \"kbdbr.dll\", \"kbdbu.dll\", \"kbdbug.dll\", \"kbdbulg.dll\", \"kbdca.dll\", \"kbdcan.dll\", \"kbdcher.dll\", \"kbdcherp.dll\", \"kbdcr.dll\", \"kbdcz.dll\", \"kbdcz1.dll\", \"kbdcz2.dll\", \"kbdda.dll\", \"kbddiv1.dll\", \"kbddiv2.dll\", \"kbddv.dll\", \"kbddzo.dll\", \"kbdes.dll\", \"kbdest.dll\", \"kbdfa.dll\", \"kbdfar.dll\", \"kbdfc.dll\", \"kbdfi.dll\", \"kbdfi1.dll\", \"kbdfo.dll\", \"kbdfr.dll\", \"kbdfthrk.dll\", \"kbdgae.dll\", \"kbdgeo.dll\", \"kbdgeoer.dll\", \"kbdgeome.dll\", \"kbdgeooa.dll\", \"kbdgeoqw.dll\", \"kbdgkl.dll\", \"kbdgn.dll\", \"kbdgr.dll\", \"kbdgr1.dll\", \"kbdgrlnd.dll\", \"kbdgthc.dll\", \"kbdhau.dll\", \"kbdhaw.dll\", \"kbdhe.dll\", \"kbdhe220.dll\", \"kbdhe319.dll\", \"kbdheb.dll\", \"kbdhebl3.dll\", \"kbdhela2.dll\", \"kbdhela3.dll\", \"kbdhept.dll\", \"kbdhu.dll\", \"kbdhu1.dll\", \"kbdibm02.dll\", \"kbdibo.dll\", \"kbdic.dll\", \"kbdinasa.dll\", \"kbdinbe1.dll\", \"kbdinbe2.dll\", \"kbdinben.dll\", \"kbdindev.dll\", \"kbdinen.dll\", \"kbdinguj.dll\", \"kbdinhin.dll\", \"kbdinkan.dll\", \"kbdinmal.dll\", \"kbdinmar.dll\", \"kbdinori.dll\", \"kbdinpun.dll\", \"kbdintam.dll\", 
\"kbdintel.dll\", \"kbdinuk2.dll\", \"kbdir.dll\", \"kbdit.dll\", \"kbdit142.dll\", \"kbdiulat.dll\", \"kbdjav.dll\", \"kbdjpn.dll\", \"kbdkaz.dll\", \"kbdkhmr.dll\", \"kbdkni.dll\", \"kbdkor.dll\", \"kbdkurd.dll\", \"kbdkyr.dll\", \"kbdla.dll\", \"kbdlao.dll\", \"kbdlisub.dll\", \"kbdlisus.dll\", \"kbdlk41a.dll\", \"kbdlt.dll\", \"kbdlt1.dll\", \"kbdlt2.dll\", \"kbdlv.dll\", \"kbdlv1.dll\", \"kbdlvst.dll\", \"kbdmac.dll\", \"kbdmacst.dll\", \"kbdmaori.dll\", \"kbdmlt47.dll\", \"kbdmlt48.dll\", \"kbdmon.dll\", \"kbdmonmo.dll\", \"kbdmonst.dll\", \"kbdmyan.dll\", \"kbdne.dll\", \"kbdnec.dll\", \"kbdnec95.dll\", \"kbdnecat.dll\", \"kbdnecnt.dll\", \"kbdnepr.dll\", \"kbdnko.dll\", \"kbdno.dll\", \"kbdno1.dll\", \"kbdnso.dll\", \"kbdntl.dll\", \"kbdogham.dll\", \"kbdolch.dll\", \"kbdoldit.dll\", \"kbdosa.dll\", \"kbdosm.dll\", \"kbdpash.dll\", \"kbdphags.dll\", \"kbdpl.dll\", \"kbdpl1.dll\", \"kbdpo.dll\", \"kbdro.dll\", \"kbdropr.dll\", \"kbdrost.dll\", \"kbdru.dll\", \"kbdru1.dll\", \"kbdrum.dll\", \"kbdsf.dll\", \"kbdsg.dll\", \"kbdsl.dll\", \"kbdsl1.dll\", \"kbdsmsfi.dll\", \"kbdsmsno.dll\", \"kbdsn1.dll\", \"kbdsora.dll\", \"kbdsorex.dll\", \"kbdsors1.dll\", \"kbdsorst.dll\", \"kbdsp.dll\", \"kbdsw.dll\", \"kbdsw09.dll\", \"kbdsyr1.dll\", \"kbdsyr2.dll\", \"kbdtaile.dll\", \"kbdtajik.dll\", \"kbdtam99.dll\", \"kbdtat.dll\", \"kbdth0.dll\", \"kbdth1.dll\", \"kbdth2.dll\", \"kbdth3.dll\", \"kbdtifi.dll\", \"kbdtifi2.dll\", \"kbdtiprc.dll\", \"kbdtiprd.dll\", \"kbdtt102.dll\", \"kbdtuf.dll\", \"kbdtuq.dll\", \"kbdturme.dll\", \"kbdtzm.dll\", \"kbdughr.dll\", \"kbdughr1.dll\", \"kbduk.dll\", \"kbdukx.dll\", \"kbdur.dll\", \"kbdur1.dll\", \"kbdurdu.dll\", \"kbdus.dll\", \"kbdusa.dll\", \"kbdusl.dll\", \"kbdusr.dll\", \"kbdusx.dll\", \"kbduzb.dll\", \"kbdvntc.dll\", \"kbdwol.dll\", \"kbdyak.dll\", \"kbdyba.dll\", \"kbdycc.dll\", \"kbdycl.dll\", \"kd.dll\", \"kdcom.dll\", \"kdcpw.dll\", \"kdhvcom.dll\", \"kdnet.dll\", \"kdnet_uart16550.dll\", \"kdscli.dll\", 
\"kdstub.dll\", \"kdusb.dll\", \"kd_02_10df.dll\", \"kd_02_10ec.dll\", \"kd_02_1137.dll\", \"kd_02_14e4.dll\", \"kd_02_15b3.dll\", \"kd_02_1969.dll\", \"kd_02_19a2.dll\", \"kd_02_1af4.dll\", \"kd_02_8086.dll\", \"kd_07_1415.dll\", \"kd_0c_8086.dll\", \"kerbclientshared.dll\", \"kerberos.dll\", \"kernel32.dll\", \"kernelbase.dll\", \"keycredmgr.dll\", \"keyiso.dll\", \"keymgr.dll\", \"knobscore.dll\", \"knobscsp.dll\", \"ksuser.dll\", \"ktmw32.dll\", \"l2gpstore.dll\", \"l2nacp.dll\", \"l2sechc.dll\", \"laprxy.dll\", \"legacynetux.dll\", \"lfsvc.dll\", \"libcrypto.dll\", \"licensemanager.dll\", \"licensingcsp.dll\", \"licensingdiagspp.dll\", \"licensingwinrt.dll\", \"licmgr10.dll\", \"linkinfo.dll\", \"lltdapi.dll\", \"lltdres.dll\", \"lltdsvc.dll\", \"lmhsvc.dll\", \"loadperf.dll\", \"localsec.dll\", \"localspl.dll\", \"localui.dll\", \"locationapi.dll\", \"lockappbroker.dll\", \"lockcontroller.dll\", \"lockscreendata.dll\", \"loghours.dll\", \"logoncli.dll\", \"logoncontroller.dll\", \"lpasvc.dll\", \"lpk.dll\", \"lsasrv.dll\", \"lscshostpolicy.dll\", \"lsm.dll\", \"lsmproxy.dll\", \"lstelemetry.dll\", \"luainstall.dll\", \"luiapi.dll\", \"lz32.dll\", \"magnification.dll\", \"maintenanceui.dll\", \"manageci.dll\", \"mapconfiguration.dll\", \"mapcontrolcore.dll\", \"mapgeocoder.dll\", \"mapi32.dll\", \"mapistub.dll\", \"maprouter.dll\", \"mapsbtsvc.dll\", \"mapsbtsvcproxy.dll\", \"mapscsp.dll\", \"mapsstore.dll\", \"mapstoasttask.dll\", \"mapsupdatetask.dll\", \"mbaeapi.dll\", \"mbaeapipublic.dll\", \"mbaexmlparser.dll\", \"mbmediamanager.dll\", \"mbsmsapi.dll\", \"mbussdapi.dll\", \"mccsengineshared.dll\", \"mccspal.dll\", \"mciavi32.dll\", \"mcicda.dll\", \"mciqtz32.dll\", \"mciseq.dll\", \"mciwave.dll\", \"mcrecvsrc.dll\", \"mdmcommon.dll\", \"mdmdiagnostics.dll\", \"mdminst.dll\", \"mdmmigrator.dll\", \"mdmregistration.dll\", \"memorydiagnostic.dll\", \"messagingservice.dll\", \"mf.dll\", \"mf3216.dll\", \"mfaacenc.dll\", \"mfasfsrcsnk.dll\", 
\"mfaudiocnv.dll\", \"mfc42.dll\", \"mfc42u.dll\", \"mfcaptureengine.dll\", \"mfcore.dll\", \"mfcsubs.dll\", \"mfds.dll\", \"mfdvdec.dll\", \"mferror.dll\", \"mfh263enc.dll\", \"mfh264enc.dll\", \"mfksproxy.dll\", \"mfmediaengine.dll\", \"mfmjpegdec.dll\", \"mfmkvsrcsnk.dll\", \"mfmp4srcsnk.dll\", \"mfmpeg2srcsnk.dll\", \"mfnetcore.dll\", \"mfnetsrc.dll\", \"mfperfhelper.dll\", \"mfplat.dll\", \"mfplay.dll\", \"mfps.dll\", \"mfreadwrite.dll\", \"mfsensorgroup.dll\", \"mfsrcsnk.dll\", \"mfsvr.dll\", \"mftranscode.dll\", \"mfvdsp.dll\", \"mfvfw.dll\", \"mfwmaaec.dll\", \"mgmtapi.dll\", \"mi.dll\", \"mibincodec.dll\", \"midimap.dll\", \"migisol.dll\", \"miguiresource.dll\", \"mimefilt.dll\", \"mimofcodec.dll\", \"minstoreevents.dll\", \"miracastinputmgr.dll\", \"miracastreceiver.dll\", \"mirrordrvcompat.dll\", \"mispace.dll\", \"mitigationclient.dll\", \"miutils.dll\", \"mlang.dll\", \"mmcbase.dll\", \"mmcndmgr.dll\", \"mmcshext.dll\", \"mmdevapi.dll\", \"mmgaclient.dll\", \"mmgaproxystub.dll\", \"mmres.dll\", \"mobilenetworking.dll\", \"modemui.dll\", \"modernexecserver.dll\", \"moricons.dll\", \"moshost.dll\", \"moshostclient.dll\", \"moshostcore.dll\", \"mosstorage.dll\", \"mp3dmod.dll\", \"mp43decd.dll\", \"mp4sdecd.dll\", \"mpeval.dll\", \"mpg4decd.dll\", \"mpr.dll\", \"mprapi.dll\", \"mprddm.dll\", \"mprdim.dll\", \"mprext.dll\", \"mprmsg.dll\", \"mpssvc.dll\", \"mpunits.dll\", \"mrmcorer.dll\", \"mrmdeploy.dll\", \"mrmindexer.dll\", \"mrt100.dll\", \"mrt_map.dll\", \"msaatext.dll\", \"msac3enc.dll\", \"msacm32.dll\", \"msafd.dll\", \"msajapi.dll\", \"msalacdecoder.dll\", \"msalacencoder.dll\", \"msamrnbdecoder.dll\", \"msamrnbencoder.dll\", \"msamrnbsink.dll\", \"msamrnbsource.dll\", \"msasn1.dll\", \"msauddecmft.dll\", \"msaudite.dll\", \"msauserext.dll\", \"mscandui.dll\", \"mscat32.dll\", \"msclmd.dll\", \"mscms.dll\", \"mscoree.dll\", \"mscorier.dll\", \"mscories.dll\", \"msctf.dll\", \"msctfmonitor.dll\", \"msctfp.dll\", \"msctfui.dll\", 
\"msctfuimanager.dll\", \"msdadiag.dll\", \"msdart.dll\", \"msdelta.dll\", \"msdmo.dll\", \"msdrm.dll\", \"msdtckrm.dll\", \"msdtclog.dll\", \"msdtcprx.dll\", \"msdtcspoffln.dll\", \"msdtctm.dll\", \"msdtcuiu.dll\", \"msdtcvsp1res.dll\", \"msfeeds.dll\", \"msfeedsbs.dll\", \"msflacdecoder.dll\", \"msflacencoder.dll\", \"msftedit.dll\", \"msheif.dll\", \"mshtml.dll\", \"mshtmldac.dll\", \"mshtmled.dll\", \"mshtmler.dll\", \"msi.dll\", \"msicofire.dll\", \"msidcrl40.dll\", \"msident.dll\", \"msidle.dll\", \"msidntld.dll\", \"msieftp.dll\", \"msihnd.dll\", \"msiltcfg.dll\", \"msimg32.dll\", \"msimsg.dll\", \"msimtf.dll\", \"msisip.dll\", \"msiso.dll\", \"msiwer.dll\", \"mskeyprotcli.dll\", \"mskeyprotect.dll\", \"msls31.dll\", \"msmpeg2adec.dll\", \"msmpeg2enc.dll\", \"msmpeg2vdec.dll\", \"msobjs.dll\", \"msoert2.dll\", \"msopusdecoder.dll\", \"mspatcha.dll\", \"mspatchc.dll\", \"msphotography.dll\", \"msports.dll\", \"msprivs.dll\", \"msrahc.dll\", \"msrating.dll\", \"msrawimage.dll\", \"msrdc.dll\", \"msrdpwebaccess.dll\", \"msrle32.dll\", \"msscntrs.dll\", \"mssecuser.dll\", \"mssign32.dll\", \"mssip32.dll\", \"mssitlb.dll\", \"mssph.dll\", \"mssprxy.dll\", \"mssrch.dll\", \"mssvp.dll\", \"mstask.dll\", \"mstextprediction.dll\", \"mstscax.dll\", \"msutb.dll\", \"msv1_0.dll\", \"msvcirt.dll\", \"msvcp110_win.dll\", \"msvcp120_clr0400.dll\", \"msvcp140_clr0400.dll\", \"msvcp60.dll\", \"msvcp_win.dll\", \"msvcr100_clr0400.dll\", \"msvcr120_clr0400.dll\", \"msvcrt.dll\", \"msvfw32.dll\", \"msvidc32.dll\", \"msvidctl.dll\", \"msvideodsp.dll\", \"msvp9dec.dll\", \"msvproc.dll\", \"msvpxenc.dll\", \"mswb7.dll\", \"mswebp.dll\", \"mswmdm.dll\", \"mswsock.dll\", \"msxml3.dll\", \"msxml3r.dll\", \"msxml6.dll\", \"msxml6r.dll\", \"msyuv.dll\", \"mtcmodel.dll\", \"mtf.dll\", \"mtfappserviceds.dll\", \"mtfdecoder.dll\", \"mtffuzzyds.dll\", \"mtfserver.dll\", \"mtfspellcheckds.dll\", \"mtxclu.dll\", \"mtxdm.dll\", \"mtxex.dll\", \"mtxoci.dll\", \"muifontsetup.dll\", 
\"mycomput.dll\", \"mydocs.dll\", \"napcrypt.dll\", \"napinsp.dll\", \"naturalauth.dll\", \"naturallanguage6.dll\", \"navshutdown.dll\", \"ncaapi.dll\", \"ncasvc.dll\", \"ncbservice.dll\", \"ncdautosetup.dll\", \"ncdprop.dll\", \"nci.dll\", \"ncobjapi.dll\", \"ncrypt.dll\", \"ncryptprov.dll\", \"ncryptsslp.dll\", \"ncsi.dll\", \"ncuprov.dll\", \"nddeapi.dll\", \"ndfapi.dll\", \"ndfetw.dll\", \"ndfhcdiscovery.dll\", \"ndishc.dll\", \"ndproxystub.dll\", \"nduprov.dll\", \"negoexts.dll\", \"netapi32.dll\", \"netbios.dll\", \"netcenter.dll\", \"netcfgx.dll\", \"netcorehc.dll\", \"netdiagfx.dll\", \"netdriverinstall.dll\", \"netevent.dll\", \"netfxperf.dll\", \"neth.dll\", \"netid.dll\", \"netiohlp.dll\", \"netjoin.dll\", \"netlogon.dll\", \"netman.dll\", \"netmsg.dll\", \"netplwiz.dll\", \"netprofm.dll\", \"netprofmsvc.dll\", \"netprovfw.dll\", \"netprovisionsp.dll\", \"netsetupapi.dll\", \"netsetupengine.dll\", \"netsetupshim.dll\", \"netsetupsvc.dll\", \"netshell.dll\", \"nettrace.dll\", \"netutils.dll\", \"networkexplorer.dll\", \"networkhelper.dll\", \"networkicon.dll\", \"networkproxycsp.dll\", \"networkstatus.dll\", \"networkuxbroker.dll\", \"newdev.dll\", \"nfcradiomedia.dll\", \"ngccredprov.dll\", \"ngcctnr.dll\", \"ngcctnrsvc.dll\", \"ngcisoctnr.dll\", \"ngckeyenum.dll\", \"ngcksp.dll\", \"ngclocal.dll\", \"ngcpopkeysrv.dll\", \"ngcprocsp.dll\", \"ngcrecovery.dll\", \"ngcsvc.dll\", \"ngctasks.dll\", \"ninput.dll\", \"nlaapi.dll\", \"nlahc.dll\", \"nlasvc.dll\", \"nlhtml.dll\", \"nlmgp.dll\", \"nlmproxy.dll\", \"nlmsprep.dll\", \"nlsbres.dll\", \"nlsdata0000.dll\", \"nlsdata0009.dll\", \"nlsdl.dll\", \"nlslexicons0009.dll\", \"nmadirect.dll\", \"normaliz.dll\", \"npmproxy.dll\", \"npsm.dll\", \"nrpsrv.dll\", \"nshhttp.dll\", \"nshipsec.dll\", \"nshwfp.dll\", \"nsi.dll\", \"nsisvc.dll\", \"ntasn1.dll\", \"ntdll.dll\", \"ntdsapi.dll\", \"ntlanman.dll\", \"ntlanui2.dll\", \"ntlmshared.dll\", \"ntmarta.dll\", \"ntprint.dll\", \"ntshrui.dll\", \"ntvdm64.dll\", 
\"objsel.dll\", \"occache.dll\", \"ocsetapi.dll\", \"odbc32.dll\", \"odbcbcp.dll\", \"odbcconf.dll\", \"odbccp32.dll\", \"odbccr32.dll\", \"odbccu32.dll\", \"odbcint.dll\", \"odbctrac.dll\", \"oemlicense.dll\", \"offfilt.dll\", \"officecsp.dll\", \"offlinelsa.dll\", \"offlinesam.dll\", \"offreg.dll\", \"ole32.dll\", \"oleacc.dll\", \"oleacchooks.dll\", \"oleaccrc.dll\", \"oleaut32.dll\", \"oledlg.dll\", \"oleprn.dll\", \"omadmagent.dll\", \"omadmapi.dll\", \"onebackuphandler.dll\", \"onex.dll\", \"onexui.dll\", \"opcservices.dll\", \"opengl32.dll\", \"ortcengine.dll\", \"osbaseln.dll\", \"osksupport.dll\", \"osuninst.dll\", \"p2p.dll\", \"p2pgraph.dll\", \"p2pnetsh.dll\", \"p2psvc.dll\", \"packager.dll\", \"panmap.dll\", \"pautoenr.dll\", \"pcacli.dll\", \"pcadm.dll\", \"pcaevts.dll\", \"pcasvc.dll\", \"pcaui.dll\", \"pcpksp.dll\", \"pcsvdevice.dll\", \"pcwum.dll\", \"pcwutl.dll\", \"pdh.dll\", \"pdhui.dll\", \"peerdist.dll\", \"peerdistad.dll\", \"peerdistcleaner.dll\", \"peerdistsh.dll\", \"peerdistsvc.dll\", \"peopleapis.dll\", \"peopleband.dll\", \"perceptiondevice.dll\", \"perfctrs.dll\", \"perfdisk.dll\", \"perfnet.dll\", \"perfos.dll\", \"perfproc.dll\", \"perfts.dll\", \"phoneom.dll\", \"phoneproviders.dll\", \"phoneservice.dll\", \"phoneserviceres.dll\", \"phoneutil.dll\", \"phoneutilres.dll\", \"photowiz.dll\", \"pickerplatform.dll\", \"pid.dll\", \"pidgenx.dll\", \"pifmgr.dll\", \"pimstore.dll\", \"pkeyhelper.dll\", \"pktmonapi.dll\", \"pku2u.dll\", \"pla.dll\", \"playlistfolder.dll\", \"playsndsrv.dll\", \"playtodevice.dll\", \"playtomanager.dll\", \"playtomenu.dll\", \"playtoreceiver.dll\", \"ploptin.dll\", \"pmcsnap.dll\", \"pngfilt.dll\", \"pnidui.dll\", \"pnpclean.dll\", \"pnppolicy.dll\", \"pnpts.dll\", \"pnpui.dll\", \"pnpxassoc.dll\", \"pnpxassocprx.dll\", \"pnrpauto.dll\", \"pnrphc.dll\", \"pnrpnsp.dll\", \"pnrpsvc.dll\", \"policymanager.dll\", \"polstore.dll\", \"posetup.dll\", \"posyncservices.dll\", \"pots.dll\", \"powercpl.dll\", 
\"powrprof.dll\", \"ppcsnap.dll\", \"prauthproviders.dll\", \"prflbmsg.dll\", \"printui.dll\", \"printwsdahost.dll\", \"prm0009.dll\", \"prncache.dll\", \"prnfldr.dll\", \"prnntfy.dll\", \"prntvpt.dll\", \"profapi.dll\", \"profext.dll\", \"profprov.dll\", \"profsvc.dll\", \"profsvcext.dll\", \"propsys.dll\", \"provcore.dll\", \"provdatastore.dll\", \"provdiagnostics.dll\", \"provengine.dll\", \"provhandlers.dll\", \"provisioningcsp.dll\", \"provmigrate.dll\", \"provops.dll\", \"provplugineng.dll\", \"provsysprep.dll\", \"provthrd.dll\", \"proximitycommon.dll\", \"proximityservice.dll\", \"prvdmofcomp.dll\", \"psapi.dll\", \"pshed.dll\", \"psisdecd.dll\", \"psmsrv.dll\", \"pstask.dll\", \"pstorec.dll\", \"ptpprov.dll\", \"puiapi.dll\", \"puiobj.dll\", \"pushtoinstall.dll\", \"pwlauncher.dll\", \"pwrshplugin.dll\", \"pwsso.dll\", \"qasf.dll\", \"qcap.dll\", \"qdv.dll\", \"qdvd.dll\", \"qedit.dll\", \"qedwipes.dll\", \"qmgr.dll\", \"query.dll\", \"quiethours.dll\", \"qwave.dll\", \"racengn.dll\", \"racpldlg.dll\", \"radardt.dll\", \"radarrs.dll\", \"radcui.dll\", \"rasadhlp.dll\", \"rasapi32.dll\", \"rasauto.dll\", \"raschap.dll\", \"raschapext.dll\", \"rasctrs.dll\", \"rascustom.dll\", \"rasdiag.dll\", \"rasdlg.dll\", \"rasgcw.dll\", \"rasman.dll\", \"rasmans.dll\", \"rasmbmgr.dll\", \"rasmediamanager.dll\", \"rasmm.dll\", \"rasmontr.dll\", \"rasplap.dll\", \"rasppp.dll\", \"rastapi.dll\", \"rastls.dll\", \"rastlsext.dll\", \"rdbui.dll\", \"rdpbase.dll\", \"rdpcfgex.dll\", \"rdpcore.dll\", \"rdpcorets.dll\", \"rdpencom.dll\", \"rdpendp.dll\", \"rdpnano.dll\", \"rdpsaps.dll\", \"rdpserverbase.dll\", \"rdpsharercom.dll\", \"rdpudd.dll\", \"rdpviewerax.dll\", \"rdsappxhelper.dll\", \"rdsdwmdr.dll\", \"rdvvmtransport.dll\", \"rdxservice.dll\", \"rdxtaskfactory.dll\", \"reagent.dll\", \"reagenttask.dll\", \"recovery.dll\", \"regapi.dll\", \"regctrl.dll\", \"regidle.dll\", \"regsvc.dll\", \"reguwpapi.dll\", \"reinfo.dll\", \"remotepg.dll\", \"remotewipecsp.dll\", 
\"reportingcsp.dll\", \"resampledmo.dll\", \"resbparser.dll\", \"reseteng.dll\", \"resetengine.dll\", \"resetengonline.dll\", \"resourcemapper.dll\", \"resutils.dll\", \"rgb9rast.dll\", \"riched20.dll\", \"riched32.dll\", \"rjvmdmconfig.dll\", \"rmapi.dll\", \"rmclient.dll\", \"rnr20.dll\", \"roamingsecurity.dll\", \"rometadata.dll\", \"rotmgr.dll\", \"rpcepmap.dll\", \"rpchttp.dll\", \"rpcns4.dll\", \"rpcnsh.dll\", \"rpcrt4.dll\", \"rpcrtremote.dll\", \"rpcss.dll\", \"rsaenh.dll\", \"rshx32.dll\", \"rstrtmgr.dll\", \"rtffilt.dll\", \"rtm.dll\", \"rtmediaframe.dll\", \"rtmmvrortc.dll\", \"rtutils.dll\", \"rtworkq.dll\", \"rulebasedds.dll\", \"samcli.dll\", \"samlib.dll\", \"samsrv.dll\", \"sas.dll\", \"sbe.dll\", \"sbeio.dll\", \"sberes.dll\", \"sbservicetrigger.dll\", \"scansetting.dll\", \"scardbi.dll\", \"scarddlg.dll\", \"scardsvr.dll\", \"scavengeui.dll\", \"scdeviceenum.dll\", \"scecli.dll\", \"scesrv.dll\", \"schannel.dll\", \"schedcli.dll\", \"schedsvc.dll\", \"scksp.dll\", \"scripto.dll\", \"scrobj.dll\", \"scrptadm.dll\", \"scrrun.dll\", \"sdcpl.dll\", \"sdds.dll\", \"sdengin2.dll\", \"sdfhost.dll\", \"sdhcinst.dll\", \"sdiageng.dll\", \"sdiagprv.dll\", \"sdiagschd.dll\", \"sdohlp.dll\", \"sdrsvc.dll\", \"sdshext.dll\", \"searchfolder.dll\", \"sechost.dll\", \"seclogon.dll\", \"secproc.dll\", \"secproc_isv.dll\", \"secproc_ssp.dll\", \"secproc_ssp_isv.dll\", \"secur32.dll\", \"security.dll\", \"semgrps.dll\", \"semgrsvc.dll\", \"sendmail.dll\", \"sens.dll\", \"sensapi.dll\", \"sensorsapi.dll\", \"sensorscpl.dll\", \"sensorservice.dll\", \"sensorsnativeapi.dll\", \"sensorsutilsv2.dll\", \"sensrsvc.dll\", \"serialui.dll\", \"servicinguapi.dll\", \"serwvdrv.dll\", \"sessenv.dll\", \"setbcdlocale.dll\", \"settingmonitor.dll\", \"settingsync.dll\", \"settingsynccore.dll\", \"setupapi.dll\", \"setupcl.dll\", \"setupcln.dll\", \"setupetw.dll\", \"sfc.dll\", \"sfc_os.dll\", \"sgrmenclave.dll\", \"shacct.dll\", \"shacctprofile.dll\", \"sharedpccsp.dll\", 
\"sharedrealitysvc.dll\", \"sharehost.dll\", \"sharemediacpl.dll\", \"shcore.dll\", \"shdocvw.dll\", \"shell32.dll\", \"shellstyle.dll\", \"shfolder.dll\", \"shgina.dll\", \"shimeng.dll\", \"shimgvw.dll\", \"shlwapi.dll\", \"shpafact.dll\", \"shsetup.dll\", \"shsvcs.dll\", \"shunimpl.dll\", \"shutdownext.dll\", \"shutdownux.dll\", \"shwebsvc.dll\", \"signdrv.dll\", \"simauth.dll\", \"simcfg.dll\", \"skci.dll\", \"slc.dll\", \"slcext.dll\", \"slwga.dll\", \"smartscreenps.dll\", \"smbhelperclass.dll\", \"smbwmiv2.dll\", \"smiengine.dll\", \"smphost.dll\", \"smsroutersvc.dll\", \"sndvolsso.dll\", \"snmpapi.dll\", \"socialapis.dll\", \"softkbd.dll\", \"softpub.dll\", \"sortwindows61.dll\", \"sortwindows62.dll\", \"spacebridge.dll\", \"spacecontrol.dll\", \"spatializerapo.dll\", \"spatialstore.dll\", \"spbcd.dll\", \"speechpal.dll\", \"spfileq.dll\", \"spinf.dll\", \"spmpm.dll\", \"spnet.dll\", \"spoolss.dll\", \"spopk.dll\", \"spp.dll\", \"sppc.dll\", \"sppcext.dll\", \"sppcomapi.dll\", \"sppcommdlg.dll\", \"sppinst.dll\", \"sppnp.dll\", \"sppobjs.dll\", \"sppwinob.dll\", \"sppwmi.dll\", \"spwinsat.dll\", \"spwizeng.dll\", \"spwizimg.dll\", \"spwizres.dll\", \"spwmp.dll\", \"sqlsrv32.dll\", \"sqmapi.dll\", \"srchadmin.dll\", \"srclient.dll\", \"srcore.dll\", \"srevents.dll\", \"srh.dll\", \"srhelper.dll\", \"srm.dll\", \"srmclient.dll\", \"srmlib.dll\", \"srmscan.dll\", \"srmshell.dll\", \"srmstormod.dll\", \"srmtrace.dll\", \"srm_ps.dll\", \"srpapi.dll\", \"srrstr.dll\", \"srumapi.dll\", \"srumsvc.dll\", \"srvcli.dll\", \"srvsvc.dll\", \"srwmi.dll\", \"sscore.dll\", \"sscoreext.dll\", \"ssdm.dll\", \"ssdpapi.dll\", \"ssdpsrv.dll\", \"sspicli.dll\", \"sspisrv.dll\", \"ssshim.dll\", \"sstpsvc.dll\", \"starttiledata.dll\", \"startupscan.dll\", \"stclient.dll\", \"sti.dll\", \"sti_ci.dll\", \"stobject.dll\", \"storageusage.dll\", \"storagewmi.dll\", \"storewuauth.dll\", \"storprop.dll\", \"storsvc.dll\", \"streamci.dll\", \"structuredquery.dll\", \"sud.dll\", \"svf.dll\", 
\"svsvc.dll\", \"swprv.dll\", \"sxproxy.dll\", \"sxs.dll\", \"sxshared.dll\", \"sxssrv.dll\", \"sxsstore.dll\", \"synccenter.dll\", \"synccontroller.dll\", \"synchostps.dll\", \"syncproxy.dll\", \"syncreg.dll\", \"syncres.dll\", \"syncsettings.dll\", \"syncutil.dll\", \"sysclass.dll\", \"sysfxui.dll\", \"sysmain.dll\", \"sysntfy.dll\", \"syssetup.dll\", \"systemcpl.dll\", \"t2embed.dll\", \"tabbtn.dll\", \"tabbtnex.dll\", \"tabsvc.dll\", \"tapi3.dll\", \"tapi32.dll\", \"tapilua.dll\", \"tapimigplugin.dll\", \"tapiperf.dll\", \"tapisrv.dll\", \"tapisysprep.dll\", \"tapiui.dll\", \"taskapis.dll\", \"taskbarcpl.dll\", \"taskcomp.dll\", \"taskschd.dll\", \"taskschdps.dll\", \"tbauth.dll\", \"tbs.dll\", \"tcbloader.dll\", \"tcpipcfg.dll\", \"tcpmib.dll\", \"tcpmon.dll\", \"tcpmonui.dll\", \"tdh.dll\", \"tdlmigration.dll\", \"tellib.dll\", \"termmgr.dll\", \"termsrv.dll\", \"tetheringclient.dll\", \"tetheringmgr.dll\", \"tetheringservice.dll\", \"tetheringstation.dll\", \"textshaping.dll\", \"themecpl.dll\", \"themeservice.dll\", \"themeui.dll\", \"threadpoolwinrt.dll\", \"thumbcache.dll\", \"timebrokerclient.dll\", \"timebrokerserver.dll\", \"timesync.dll\", \"timesynctask.dll\", \"tlscsp.dll\", \"tokenbinding.dll\", \"tokenbroker.dll\", \"tokenbrokerui.dll\", \"tpmcertresources.dll\", \"tpmcompc.dll\", \"tpmtasks.dll\", \"tpmvsc.dll\", \"tquery.dll\", \"traffic.dll\", \"transportdsa.dll\", \"trie.dll\", \"trkwks.dll\", \"tsbyuv.dll\", \"tscfgwmi.dll\", \"tserrredir.dll\", \"tsf3gip.dll\", \"tsgqec.dll\", \"tsmf.dll\", \"tspkg.dll\", \"tspubwmi.dll\", \"tssessionux.dll\", \"tssrvlic.dll\", \"tsworkspace.dll\", \"ttdloader.dll\", \"ttdplm.dll\", \"ttdrecord.dll\", \"ttdrecordcpu.dll\", \"ttlsauth.dll\", \"ttlscfg.dll\", \"ttlsext.dll\", \"tvratings.dll\", \"twext.dll\", \"twinapi.dll\", \"twinui.dll\", \"txflog.dll\", \"txfw32.dll\", \"tzautoupdate.dll\", \"tzres.dll\", \"tzsyncres.dll\", \"ubpm.dll\", \"ucmhc.dll\", \"ucrtbase.dll\", \"ucrtbase_clr0400.dll\", 
\"ucrtbase_enclave.dll\", \"udhisapi.dll\", \"udwm.dll\", \"ueficsp.dll\", \"uexfat.dll\", \"ufat.dll\", \"uiamanager.dll\", \"uianimation.dll\", \"uiautomationcore.dll\", \"uicom.dll\", \"uireng.dll\", \"uiribbon.dll\", \"uiribbonres.dll\", \"ulib.dll\", \"umb.dll\", \"umdmxfrm.dll\", \"umpdc.dll\", \"umpnpmgr.dll\", \"umpo-overrides.dll\", \"umpo.dll\", \"umpoext.dll\", \"umpowmi.dll\", \"umrdp.dll\", \"unattend.dll\", \"unenrollhook.dll\", \"unimdmat.dll\", \"uniplat.dll\", \"unistore.dll\", \"untfs.dll\", \"updateagent.dll\", \"updatecsp.dll\", \"updatepolicy.dll\", \"upnp.dll\", \"upnphost.dll\", \"upshared.dll\", \"urefs.dll\", \"urefsv1.dll\", \"ureg.dll\", \"url.dll\", \"urlmon.dll\", \"usbcapi.dll\", \"usbceip.dll\", \"usbmon.dll\", \"usbperf.dll\", \"usbpmapi.dll\", \"usbtask.dll\", \"usbui.dll\", \"user32.dll\", \"usercpl.dll\", \"userdataservice.dll\", \"userdatatimeutil.dll\", \"userenv.dll\", \"userinitext.dll\", \"usermgr.dll\", \"usermgrcli.dll\", \"usermgrproxy.dll\", \"usoapi.dll\", \"usocoreps.dll\", \"usosvc.dll\", \"usp10.dll\", \"ustprov.dll\", \"utcutil.dll\", \"utildll.dll\", \"uudf.dll\", \"uvcmodel.dll\", \"uwfcfgmgmt.dll\", \"uwfcsp.dll\", \"uwfservicingapi.dll\", \"uxinit.dll\", \"uxlib.dll\", \"uxlibres.dll\", \"uxtheme.dll\", \"vac.dll\", \"van.dll\", \"vault.dll\", \"vaultcds.dll\", \"vaultcli.dll\", \"vaultroaming.dll\", \"vaultsvc.dll\", \"vbsapi.dll\", \"vbscript.dll\", \"vbssysprep.dll\", \"vcardparser.dll\", \"vdsbas.dll\", \"vdsdyn.dll\", \"vdsutil.dll\", \"vdsvd.dll\", \"vds_ps.dll\", \"verifier.dll\", \"version.dll\", \"vertdll.dll\", \"vfuprov.dll\", \"vfwwdm32.dll\", \"vhfum.dll\", \"vid.dll\", \"videohandlers.dll\", \"vidreszr.dll\", \"virtdisk.dll\", \"vmbuspipe.dll\", \"vmdevicehost.dll\", \"vmictimeprovider.dll\", \"vmrdvcore.dll\", \"voiprt.dll\", \"vpnike.dll\", \"vpnikeapi.dll\", \"vpnsohdesktop.dll\", \"vpnv2csp.dll\", \"vscmgrps.dll\", \"vssapi.dll\", \"vsstrace.dll\", \"vss_ps.dll\", \"w32time.dll\", 
\"w32topl.dll\", \"waasassessment.dll\", \"waasmediccapsule.dll\", \"waasmedicps.dll\", \"waasmedicsvc.dll\", \"wabsyncprovider.dll\", \"walletproxy.dll\", \"walletservice.dll\", \"wavemsp.dll\", \"wbemcomn.dll\", \"wbiosrvc.dll\", \"wci.dll\", \"wcimage.dll\", \"wcmapi.dll\", \"wcmcsp.dll\", \"wcmsvc.dll\", \"wcnapi.dll\", \"wcncsvc.dll\", \"wcneapauthproxy.dll\", \"wcneappeerproxy.dll\", \"wcnnetsh.dll\", \"wcnwiz.dll\", \"wc_storage.dll\", \"wdc.dll\", \"wdi.dll\", \"wdigest.dll\", \"wdscore.dll\", \"webauthn.dll\", \"webcamui.dll\", \"webcheck.dll\", \"webclnt.dll\", \"webio.dll\", \"webservices.dll\", \"websocket.dll\", \"wecapi.dll\", \"wecsvc.dll\", \"wephostsvc.dll\", \"wer.dll\", \"werconcpl.dll\", \"wercplsupport.dll\", \"werenc.dll\", \"weretw.dll\", \"wersvc.dll\", \"werui.dll\", \"wevtapi.dll\", \"wevtfwd.dll\", \"wevtsvc.dll\", \"wfapigp.dll\", \"wfdprov.dll\", \"wfdsconmgr.dll\", \"wfdsconmgrsvc.dll\", \"wfhc.dll\", \"whealogr.dll\", \"whhelper.dll\", \"wiaaut.dll\", \"wiadefui.dll\", \"wiadss.dll\", \"wiarpc.dll\", \"wiascanprofiles.dll\", \"wiaservc.dll\", \"wiashext.dll\", \"wiatrace.dll\", \"wificloudstore.dll\", \"wificonfigsp.dll\", \"wifidisplay.dll\", \"wimgapi.dll\", \"win32spl.dll\", \"win32u.dll\", \"winbio.dll\", \"winbiodatamodel.dll\", \"winbioext.dll\", \"winbrand.dll\", \"wincorlib.dll\", \"wincredprovider.dll\", \"wincredui.dll\", \"windowmanagement.dll\", \"windowscodecs.dll\", \"windowscodecsext.dll\", \"windowscodecsraw.dll\", \"windowsiotcsp.dll\", \"windowslivelogin.dll\", \"winethc.dll\", \"winhttp.dll\", \"winhttpcom.dll\", \"winhvemulation.dll\", \"winhvplatform.dll\", \"wininet.dll\", \"wininetlui.dll\", \"wininitext.dll\", \"winipcfile.dll\", \"winipcsecproc.dll\", \"winipsec.dll\", \"winlangdb.dll\", \"winlogonext.dll\", \"winmde.dll\", \"winml.dll\", \"winmm.dll\", \"winmmbase.dll\", \"winmsipc.dll\", \"winnlsres.dll\", \"winnsi.dll\", \"winreagent.dll\", \"winrnr.dll\", \"winrscmd.dll\", \"winrsmgr.dll\", 
\"winrssrv.dll\", \"winrttracing.dll\", \"winsatapi.dll\", \"winscard.dll\", \"winsetupui.dll\", \"winshfhc.dll\", \"winsku.dll\", \"winsockhc.dll\", \"winsqlite3.dll\", \"winsrpc.dll\", \"winsrv.dll\", \"winsrvext.dll\", \"winsta.dll\", \"winsync.dll\", \"winsyncmetastore.dll\", \"winsyncproviders.dll\", \"wintrust.dll\", \"wintypes.dll\", \"winusb.dll\", \"wirednetworkcsp.dll\", \"wisp.dll\", \"wkscli.dll\", \"wkspbrokerax.dll\", \"wksprtps.dll\", \"wkssvc.dll\", \"wlanapi.dll\", \"wlancfg.dll\", \"wlanconn.dll\", \"wlandlg.dll\", \"wlangpui.dll\", \"wlanhc.dll\", \"wlanhlp.dll\", \"wlanmediamanager.dll\", \"wlanmm.dll\", \"wlanmsm.dll\", \"wlanpref.dll\", \"wlanradiomanager.dll\", \"wlansec.dll\", \"wlansvc.dll\", \"wlansvcpal.dll\", \"wlanui.dll\", \"wlanutil.dll\", \"wldap32.dll\", \"wldp.dll\", \"wlgpclnt.dll\", \"wlidcli.dll\", \"wlidcredprov.dll\", \"wlidfdp.dll\", \"wlidnsp.dll\", \"wlidprov.dll\", \"wlidres.dll\", \"wlidsvc.dll\", \"wmadmod.dll\", \"wmadmoe.dll\", \"wmalfxgfxdsp.dll\", \"wmasf.dll\", \"wmcodecdspps.dll\", \"wmdmlog.dll\", \"wmdmps.dll\", \"wmdrmsdk.dll\", \"wmerror.dll\", \"wmi.dll\", \"wmiclnt.dll\", \"wmicmiplugin.dll\", \"wmidcom.dll\", \"wmidx.dll\", \"wmiprop.dll\", \"wmitomi.dll\", \"wmnetmgr.dll\", \"wmp.dll\", \"wmpdui.dll\", \"wmpdxm.dll\", \"wmpeffects.dll\", \"wmphoto.dll\", \"wmploc.dll\", \"wmpps.dll\", \"wmpshell.dll\", \"wmsgapi.dll\", \"wmspdmod.dll\", \"wmspdmoe.dll\", \"wmvcore.dll\", \"wmvdecod.dll\", \"wmvdspa.dll\", \"wmvencod.dll\", \"wmvsdecd.dll\", \"wmvsencd.dll\", \"wmvxencd.dll\", \"woftasks.dll\", \"wofutil.dll\", \"wordbreakers.dll\", \"workfoldersgpext.dll\", \"workfoldersres.dll\", \"workfoldersshell.dll\", \"workfolderssvc.dll\", \"wosc.dll\", \"wow64.dll\", \"wow64cpu.dll\", \"wow64win.dll\", \"wpbcreds.dll\", \"wpc.dll\", \"wpcapi.dll\", \"wpcdesktopmonsvc.dll\", \"wpcproxystubs.dll\", \"wpcrefreshtask.dll\", \"wpcwebfilter.dll\", \"wpdbusenum.dll\", \"wpdshext.dll\", \"wpdshserviceobj.dll\", 
\"wpdsp.dll\", \"wpd_ci.dll\", \"wpnapps.dll\", \"wpnclient.dll\", \"wpncore.dll\", \"wpninprc.dll\", \"wpnprv.dll\", \"wpnservice.dll\", \"wpnsruprov.dll\", \"wpnuserservice.dll\", \"wpportinglibrary.dll\", \"wpprecorderum.dll\", \"wptaskscheduler.dll\", \"wpx.dll\", \"ws2help.dll\", \"ws2_32.dll\", \"wscapi.dll\", \"wscinterop.dll\", \"wscisvif.dll\", \"wsclient.dll\", \"wscproxystub.dll\", \"wscsvc.dll\", \"wsdapi.dll\", \"wsdchngr.dll\", \"wsdprintproxy.dll\", \"wsdproviderutil.dll\", \"wsdscanproxy.dll\", \"wsecedit.dll\", \"wsepno.dll\", \"wshbth.dll\", \"wshcon.dll\", \"wshelper.dll\", \"wshext.dll\", \"wshhyperv.dll\", \"wship6.dll\", \"wshqos.dll\", \"wshrm.dll\", \"wshtcpip.dll\", \"wshunix.dll\", \"wslapi.dll\", \"wsmagent.dll\", \"wsmauto.dll\", \"wsmplpxy.dll\", \"wsmres.dll\", \"wsmsvc.dll\", \"wsmwmipl.dll\", \"wsnmp32.dll\", \"wsock32.dll\", \"wsplib.dll\", \"wsp_fs.dll\", \"wsp_health.dll\", \"wsp_sr.dll\", \"wtsapi32.dll\", \"wuapi.dll\", \"wuaueng.dll\", \"wuceffects.dll\", \"wudfcoinstaller.dll\", \"wudfplatform.dll\", \"wudfsmcclassext.dll\", \"wudfx.dll\", \"wudfx02000.dll\", \"wudriver.dll\", \"wups.dll\", \"wups2.dll\", \"wuuhext.dll\", \"wuuhosdeployment.dll\", \"wvc.dll\", \"wwaapi.dll\", \"wwaext.dll\", \"wwanapi.dll\", \"wwancfg.dll\", \"wwanhc.dll\", \"wwanprotdim.dll\", \"wwanradiomanager.dll\", \"wwansvc.dll\", \"wwapi.dll\", \"xamltilerender.dll\", \"xaudio2_8.dll\", \"xaudio2_9.dll\", \"xblauthmanager.dll\", \"xblgamesave.dll\", \"xblgamesaveext.dll\", \"xblgamesaveproxy.dll\", \"xboxgipsvc.dll\", \"xboxgipsynthetic.dll\", \"xboxnetapisvc.dll\", \"xinput1_4.dll\", \"xinput9_1_0.dll\", \"xinputuap.dll\", \"xmlfilter.dll\", \"xmllite.dll\", \"xmlprovi.dll\", \"xolehlp.dll\", \"xpsgdiconverter.dll\", \"xpsprint.dll\", \"xpspushlayer.dll\", \"xpsrasterservice.dll\", \"xpsservices.dll\", \"xwizards.dll\", \"xwreg.dll\", \"xwtpdui.dll\", \"xwtpw32.dll\", \"zipcontainer.dll\", \"zipfldr.dll\", \"bootsvc.dll\", \"halextintcpsedma.dll\", 
\"icsvcvss.dll\", \"ieproxydesktop.dll\", \"lsaadt.dll\", \"nlansp_c.dll\", \"nrtapi.dll\", \"opencl.dll\", \"pfclient.dll\", \"pnpdiag.dll\", \"prxyqry.dll\", \"rdpnanotransport.dll\", \"servicingcommon.dll\", \"sortwindows63.dll\", \"sstpcfg.dll\", \"tdhres.dll\", \"umpodev.dll\", \"utcapi.dll\", \"windlp.dll\", \"wow64base.dll\", \"wow64con.dll\", \"blbuires.dll\", \"bpainst.dll\", \"cbclient.dll\", \"certadm.dll\", \"certocm.dll\", \"certpick.dll\", \"csdeployres.dll\", \"dsdeployres.dll\", \"eapa3hst.dll\", \"eapacfg.dll\", \"eapahost.dll\", \"elsext.dll\", \"encdump.dll\", \"escmigplugin.dll\", \"fsclient.dll\", \"fsdeployres.dll\", \"fssminst.dll\", \"fssmres.dll\", \"fssprov.dll\", \"ipamapi.dll\", \"kpssvc.dll\", \"lbfoadminlib.dll\", \"mintdh.dll\", \"mmci.dll\", \"mmcico.dll\", \"mprsnap.dll\", \"mstsmhst.dll\", \"mstsmmc.dll\", \"muxinst.dll\", \"personax.dll\", \"rassfm.dll\", \"rasuser.dll\", \"rdmsinst.dll\", \"rdmsres.dll\", \"rtrfiltr.dll\", \"sacsvr.dll\", \"scrdenrl.dll\", \"sdclient.dll\", \"sharedstartmodel.dll\", \"smsrouter.dll\", \"spwizimg_svr.dll\", \"sqlcecompact40.dll\", \"sqlceoledb40.dll\", \"sqlceqp40.dll\", \"sqlcese40.dll\", \"srvmgrinst.dll\", \"svrmgrnc.dll\", \"tapisnap.dll\", \"tlsbrand.dll\", \"tsec.dll\", \"tsprop.dll\", \"tspubiconhelper.dll\", \"tssdjet.dll\", \"tsuserex.dll\", \"ualapi.dll\", \"ualsvc.dll\", \"umcres.dll\", \"updatehandlers.dll\", \"usocore.dll\", \"vssui.dll\", \"wsbappres.dll\", \"wsbonline.dll\", \"wsmselpl.dll\", \"wsmselrr.dll\", \"xpsfilt.dll\", \"xpsshhdr.dll\"\n ) and\n not (\n (\n dll.name : \"icuuc.dll\" and dll.code_signature.subject_name in (\n \"Valve\", \"Valve Corp.\", \"Avanquest Software (7270356 Canada Inc)\", \"Adobe Inc.\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : (\"timeSync.dll\", \"appInfo.dll\") and dll.code_signature.subject_name in (\n \"VMware Inc.\", \"VMware, Inc.\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : \"libcrypto.dll\" and 
dll.code_signature.subject_name in (\n \"NoMachine S.a.r.l.\", \"Bitdefender SRL\", \"Oculus VR, LLC\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : \"ucrtbase.dll\" and dll.code_signature.subject_name in (\n \"Proofpoint, Inc.\", \"Rapid7 LLC\", \"Eclipse.org Foundation, Inc.\", \"Amazon.com Services LLC\", \"Windows Phone\"\n ) and dll.code_signature.trusted == true\n ) or\n (dll.name : \"ICMP.dll\" and dll.code_signature.subject_name == \"Paessler AG\" and dll.code_signature.trusted == true) or\n (dll.name : \"kerberos.dll\" and dll.code_signature.subject_name == \"Bitdefender SRL\" and dll.code_signature.trusted == true) or\n (dll.name : \"dbghelp.dll\" and dll.code_signature.trusted == true) or\n (dll.name : \"DirectML.dll\" and dll.code_signature.subject_name == \"Adobe Inc.\" and dll.code_signature.trusted == true) or\n (\n dll.path : (\n \"?:\\\\Windows\\\\SystemApps\\\\*\\\\dxgi.dll\",\n \"?:\\\\Windows\\\\SystemApps\\\\*\\\\wincorlib.dll\",\n \"?:\\\\Windows\\\\dxgi.dll\"\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "dll.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "dll.path", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}], "risk_score": 21, "rule_id": "fb01d790-9f74-4e76-97dd-b4b0f7bf6435", "severity": "low", "tags": ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": 
"https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}, {"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}, {"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 102}, "id": "fb01d790-9f74-4e76-97dd-b4b0f7bf6435_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_103.json b/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_103.json
deleted file mode 100644
index fa0bdd85c94..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies suspicious instances of default system32 DLLs either unsigned or signed with non-MS certificates. This can potentially indicate the attempt to masquerade as system DLLs, perform DLL Search Order Hijacking or backdoor and resign legitimate DLLs.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as System32 DLL", "query": "library where event.action == \"load\" and dll.Ext.relative_file_creation_time <= 3600 and\n not (\n dll.path : (\n \"?:\\\\Windows\\\\System32\\\\*\",\n \"?:\\\\Windows\\\\SysWOW64\\\\*\",\n \"?:\\\\Windows\\\\SystemTemp\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\System32\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\",\n \"?:\\\\Windows\\\\assembly\\\\NativeImages_v*\"\n )\n ) and\n not (\n dll.code_signature.subject_name in (\n \"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Hardware Abstraction Layer Publisher\",\n \"Microsoft Windows Publisher\",\n \"Microsoft Windows 3rd party Component\",\n \"Microsoft 3rd Party Application Component\"\n ) and dll.code_signature.trusted == true\n ) and not dll.code_signature.status : (\"errorCode_endpoint*\", \"errorUntrustedRoot\", \"errorChaining\") and\n dll.name : (\n \"aadauthhelper.dll\", \"aadcloudap.dll\", \"aadjcsp.dll\", \"aadtb.dll\", \"aadwamextension.dll\", \"aarsvc.dll\", \"abovelockapphost.dll\", \"accessibilitycpl.dll\", \"accountaccessor.dll\", \"accountsrt.dll\", \"acgenral.dll\", \"aclayers.dll\", \"acledit.dll\", \"aclui.dll\", \"acmigration.dll\", \"acppage.dll\", \"acproxy.dll\", \"acspecfc.dll\", \"actioncenter.dll\", \"actioncentercpl.dll\", 
\"actionqueue.dll\", \"activationclient.dll\", \"activeds.dll\", \"activesynccsp.dll\", \"actxprxy.dll\", \"acwinrt.dll\", \"acxtrnal.dll\", \"adaptivecards.dll\", \"addressparser.dll\", \"adhapi.dll\", \"adhsvc.dll\", \"admtmpl.dll\", \"adprovider.dll\", \"adrclient.dll\", \"adsldp.dll\", \"adsldpc.dll\", \"adsmsext.dll\", \"adsnt.dll\", \"adtschema.dll\", \"advancedemojids.dll\", \"advapi32.dll\", \"advapi32res.dll\", \"advpack.dll\", \"aeevts.dll\", \"aeinv.dll\", \"aepic.dll\", \"ajrouter.dll\", \"altspace.dll\", \"amsi.dll\", \"amsiproxy.dll\", \"amstream.dll\", \"apds.dll\", \"aphostclient.dll\", \"aphostres.dll\", \"aphostservice.dll\", \"apisampling.dll\", \"apisetschema.dll\", \"apmon.dll\", \"apmonui.dll\", \"appcontracts.dll\", \"appextension.dll\", \"apphelp.dll\", \"apphlpdm.dll\", \"appidapi.dll\", \"appidsvc.dll\", \"appinfo.dll\", \"appinfoext.dll\", \"applicationframe.dll\", \"applockercsp.dll\", \"appmgmts.dll\", \"appmgr.dll\", \"appmon.dll\", \"appointmentapis.dll\", \"appraiser.dll\", \"appreadiness.dll\", \"apprepapi.dll\", \"appresolver.dll\", \"appsruprov.dll\", \"appvcatalog.dll\", \"appvclientps.dll\", \"appvetwclientres.dll\", \"appvintegration.dll\", \"appvmanifest.dll\", \"appvpolicy.dll\", \"appvpublishing.dll\", \"appvreporting.dll\", \"appvscripting.dll\", \"appvsentinel.dll\", \"appvstreamingux.dll\", \"appvstreammap.dll\", \"appvterminator.dll\", \"appxalluserstore.dll\", \"appxpackaging.dll\", \"appxsip.dll\", \"appxsysprep.dll\", \"archiveint.dll\", \"asferror.dll\", \"aspnet_counters.dll\", \"asycfilt.dll\", \"atl.dll\", \"atlthunk.dll\", \"atmlib.dll\", \"audioeng.dll\", \"audiohandlers.dll\", \"audiokse.dll\", \"audioses.dll\", \"audiosrv.dll\", \"auditcse.dll\", \"auditpolcore.dll\", \"auditpolmsg.dll\", \"authbroker.dll\", \"authbrokerui.dll\", \"authentication.dll\", \"authext.dll\", \"authfwcfg.dll\", \"authfwgp.dll\", \"authfwsnapin.dll\", \"authfwwizfwk.dll\", \"authhostproxy.dll\", \"authui.dll\", \"authz.dll\", 
\"autopilot.dll\", \"autopilotdiag.dll\", \"autoplay.dll\", \"autotimesvc.dll\", \"avicap32.dll\", \"avifil32.dll\", \"avrt.dll\", \"axinstsv.dll\", \"azroles.dll\", \"azroleui.dll\", \"azsqlext.dll\", \"basecsp.dll\", \"basesrv.dll\", \"batmeter.dll\", \"bcastdvrbroker.dll\", \"bcastdvrclient.dll\", \"bcastdvrcommon.dll\", \"bcd.dll\", \"bcdprov.dll\", \"bcdsrv.dll\", \"bcp47langs.dll\", \"bcp47mrm.dll\", \"bcrypt.dll\", \"bcryptprimitives.dll\", \"bdehdcfglib.dll\", \"bderepair.dll\", \"bdesvc.dll\", \"bdesysprep.dll\", \"bdeui.dll\", \"bfe.dll\", \"bi.dll\", \"bidispl.dll\", \"bindfltapi.dll\", \"bingasds.dll\", \"bingfilterds.dll\", \"bingmaps.dll\", \"biocredprov.dll\", \"bisrv.dll\", \"bitlockercsp.dll\", \"bitsigd.dll\", \"bitsperf.dll\", \"bitsproxy.dll\", \"biwinrt.dll\", \"blbevents.dll\", \"blbres.dll\", \"blb_ps.dll\", \"bluetoothapis.dll\", \"bnmanager.dll\", \"bootmenuux.dll\", \"bootstr.dll\", \"bootux.dll\", \"bootvid.dll\", \"bridgeres.dll\", \"brokerlib.dll\", \"browcli.dll\", \"browserbroker.dll\", \"browseui.dll\", \"btagservice.dll\", \"bthavctpsvc.dll\", \"bthavrcp.dll\", \"bthavrcpappsvc.dll\", \"bthci.dll\", \"bthpanapi.dll\", \"bthradiomedia.dll\", \"bthserv.dll\", \"bthtelemetry.dll\", \"btpanui.dll\", \"bwcontexthandler.dll\", \"cabapi.dll\", \"cabinet.dll\", \"cabview.dll\", \"callbuttons.dll\", \"cameracaptureui.dll\", \"capauthz.dll\", \"capiprovider.dll\", \"capisp.dll\", \"captureservice.dll\", \"castingshellext.dll\", \"castlaunch.dll\", \"catsrv.dll\", \"catsrvps.dll\", \"catsrvut.dll\", \"cbdhsvc.dll\", \"cca.dll\", \"cdd.dll\", \"cdosys.dll\", \"cdp.dll\", \"cdprt.dll\", \"cdpsvc.dll\", \"cdpusersvc.dll\", \"cemapi.dll\", \"certca.dll\", \"certcli.dll\", \"certcredprovider.dll\", \"certenc.dll\", \"certenroll.dll\", \"certenrollui.dll\", \"certmgr.dll\", \"certpkicmdlet.dll\", \"certpoleng.dll\", \"certprop.dll\", \"cewmdm.dll\", \"cfgbkend.dll\", \"cfgmgr32.dll\", \"cfgspcellular.dll\", \"cfgsppolicy.dll\", \"cflapi.dll\", 
\"cfmifs.dll\", \"cfmifsproxy.dll\", \"chakra.dll\", \"chakradiag.dll\", \"chakrathunk.dll\", \"chartv.dll\", \"chatapis.dll\", \"chkwudrv.dll\", \"chsstrokeds.dll\", \"chtbopomofods.dll\", \"chtcangjieds.dll\", \"chthkstrokeds.dll\", \"chtquickds.dll\", \"chxapds.dll\", \"chxdecoder.dll\", \"chxhapds.dll\", \"chxinputrouter.dll\", \"chxranker.dll\", \"ci.dll\", \"cic.dll\", \"cimfs.dll\", \"circoinst.dll\", \"ciwmi.dll\", \"clb.dll\", \"clbcatq.dll\", \"cldapi.dll\", \"cleanpccsp.dll\", \"clfsw32.dll\", \"cliconfg.dll\", \"clipboardserver.dll\", \"clipc.dll\", \"clipsvc.dll\", \"clipwinrt.dll\", \"cloudap.dll\", \"cloudidsvc.dll\", \"clrhost.dll\", \"clusapi.dll\", \"cmcfg32.dll\", \"cmdext.dll\", \"cmdial32.dll\", \"cmgrcspps.dll\", \"cmifw.dll\", \"cmintegrator.dll\", \"cmlua.dll\", \"cmpbk32.dll\", \"cmstplua.dll\", \"cmutil.dll\", \"cngcredui.dll\", \"cngprovider.dll\", \"cnvfat.dll\", \"cofiredm.dll\", \"colbact.dll\", \"colorcnv.dll\", \"colorui.dll\", \"combase.dll\", \"comcat.dll\", \"comctl32.dll\", \"comdlg32.dll\", \"coml2.dll\", \"comppkgsup.dll\", \"compstui.dll\", \"computecore.dll\", \"computenetwork.dll\", \"computestorage.dll\", \"comrepl.dll\", \"comres.dll\", \"comsnap.dll\", \"comsvcs.dll\", \"comuid.dll\", \"configmanager2.dll\", \"conhostv1.dll\", \"connect.dll\", \"consentux.dll\", \"consentuxclient.dll\", \"console.dll\", \"consolelogon.dll\", \"contactapis.dll\", \"container.dll\", \"coredpus.dll\", \"coreglobconfig.dll\", \"coremas.dll\", \"coremessaging.dll\", \"coremmres.dll\", \"coreshell.dll\", \"coreshellapi.dll\", \"coreuicomponents.dll\", \"correngine.dll\", \"courtesyengine.dll\", \"cpfilters.dll\", \"creddialogbroker.dll\", \"credprovhelper.dll\", \"credprovhost.dll\", \"credprovs.dll\", \"credprovslegacy.dll\", \"credssp.dll\", \"credui.dll\", \"crypt32.dll\", \"cryptbase.dll\", \"cryptcatsvc.dll\", \"cryptdlg.dll\", \"cryptdll.dll\", \"cryptext.dll\", \"cryptnet.dll\", \"cryptngc.dll\", \"cryptowinrt.dll\", \"cryptsp.dll\", 
\"cryptsvc.dll\", \"crypttpmeksvc.dll\", \"cryptui.dll\", \"cryptuiwizard.dll\", \"cryptxml.dll\", \"cscapi.dll\", \"cscdll.dll\", \"cscmig.dll\", \"cscobj.dll\", \"cscsvc.dll\", \"cscui.dll\", \"csplte.dll\", \"cspproxy.dll\", \"csrsrv.dll\", \"cxcredprov.dll\", \"c_g18030.dll\", \"c_gsm7.dll\", \"c_is2022.dll\", \"c_iscii.dll\", \"d2d1.dll\", \"d3d10.dll\", \"d3d10core.dll\", \"d3d10level9.dll\", \"d3d10warp.dll\", \"d3d10_1.dll\", \"d3d10_1core.dll\", \"d3d11.dll\", \"d3d11on12.dll\", \"d3d12.dll\", \"d3d12core.dll\", \"d3d8thk.dll\", \"d3d9.dll\", \"d3d9on12.dll\", \"d3dscache.dll\", \"dab.dll\", \"dabapi.dll\", \"daconn.dll\", \"dafbth.dll\", \"dafdnssd.dll\", \"dafescl.dll\", \"dafgip.dll\", \"dafiot.dll\", \"dafipp.dll\", \"dafmcp.dll\", \"dafpos.dll\", \"dafprintprovider.dll\", \"dafupnp.dll\", \"dafwcn.dll\", \"dafwfdprovider.dll\", \"dafwiprov.dll\", \"dafwsd.dll\", \"damediamanager.dll\", \"damm.dll\", \"das.dll\", \"dataclen.dll\", \"datusage.dll\", \"davclnt.dll\", \"davhlpr.dll\", \"davsyncprovider.dll\", \"daxexec.dll\", \"dbgcore.dll\", \"dbgeng.dll\", \"dbghelp.dll\", \"dbgmodel.dll\", \"dbnetlib.dll\", \"dbnmpntw.dll\", \"dciman32.dll\", \"dcntel.dll\", \"dcomp.dll\", \"ddaclsys.dll\", \"ddcclaimsapi.dll\", \"ddds.dll\", \"ddisplay.dll\", \"ddoiproxy.dll\", \"ddores.dll\", \"ddpchunk.dll\", \"ddptrace.dll\", \"ddputils.dll\", \"ddp_ps.dll\", \"ddraw.dll\", \"ddrawex.dll\", \"defragproxy.dll\", \"defragres.dll\", \"defragsvc.dll\", \"deploymentcsps.dll\", \"deskadp.dll\", \"deskmon.dll\", \"desktopshellext.dll\", \"devenum.dll\", \"deviceaccess.dll\", \"devicecenter.dll\", \"devicecredential.dll\", \"devicepairing.dll\", \"deviceuxres.dll\", \"devinv.dll\", \"devmgr.dll\", \"devobj.dll\", \"devpropmgr.dll\", \"devquerybroker.dll\", \"devrtl.dll\", \"dfdts.dll\", \"dfscli.dll\", \"dfshim.dll\", \"dfsshlex.dll\", \"dggpext.dll\", \"dhcpcmonitor.dll\", \"dhcpcore.dll\", \"dhcpcore6.dll\", \"dhcpcsvc.dll\", \"dhcpcsvc6.dll\", \"dhcpsapi.dll\", 
\"diagcpl.dll\", \"diagnosticlogcsp.dll\", \"diagperf.dll\", \"diagsvc.dll\", \"diagtrack.dll\", \"dialclient.dll\", \"dialserver.dll\", \"dictationmanager.dll\", \"difxapi.dll\", \"dimsjob.dll\", \"dimsroam.dll\", \"dinput.dll\", \"dinput8.dll\", \"direct2ddesktop.dll\", \"directml.dll\", \"discan.dll\", \"dismapi.dll\", \"dispbroker.dll\", \"dispex.dll\", \"display.dll\", \"displaymanager.dll\", \"dlnashext.dll\", \"dmappsres.dll\", \"dmcfgutils.dll\", \"dmcmnutils.dll\", \"dmcsps.dll\", \"dmdlgs.dll\", \"dmdskmgr.dll\", \"dmdskres.dll\", \"dmdskres2.dll\", \"dmenrollengine.dll\", \"dmintf.dll\", \"dmiso8601utils.dll\", \"dmloader.dll\", \"dmocx.dll\", \"dmoleaututils.dll\", \"dmpushproxy.dll\", \"dmpushroutercore.dll\", \"dmrcdecoder.dll\", \"dmrserver.dll\", \"dmsynth.dll\", \"dmusic.dll\", \"dmutil.dll\", \"dmvdsitf.dll\", \"dmwappushsvc.dll\", \"dmwmicsp.dll\", \"dmxmlhelputils.dll\", \"dnsapi.dll\", \"dnscmmc.dll\", \"dnsext.dll\", \"dnshc.dll\", \"dnsrslvr.dll\", \"docprop.dll\", \"dolbydecmft.dll\", \"domgmt.dll\", \"dosettings.dll\", \"dosvc.dll\", \"dot3api.dll\", \"dot3cfg.dll\", \"dot3conn.dll\", \"dot3dlg.dll\", \"dot3gpclnt.dll\", \"dot3gpui.dll\", \"dot3hc.dll\", \"dot3mm.dll\", \"dot3msm.dll\", \"dot3svc.dll\", \"dot3ui.dll\", \"dpapi.dll\", \"dpapiprovider.dll\", \"dpapisrv.dll\", \"dpnaddr.dll\", \"dpnathlp.dll\", \"dpnet.dll\", \"dpnhpast.dll\", \"dpnhupnp.dll\", \"dpnlobby.dll\", \"dps.dll\", \"dpx.dll\", \"drprov.dll\", \"drt.dll\", \"drtprov.dll\", \"drttransport.dll\", \"drvsetup.dll\", \"drvstore.dll\", \"dsauth.dll\", \"dsccore.dll\", \"dsccoreconfprov.dll\", \"dsclient.dll\", \"dscproxy.dll\", \"dsctimer.dll\", \"dsdmo.dll\", \"dskquota.dll\", \"dskquoui.dll\", \"dsound.dll\", \"dsparse.dll\", \"dsprop.dll\", \"dsquery.dll\", \"dsreg.dll\", \"dsregtask.dll\", \"dsrole.dll\", \"dssec.dll\", \"dssenh.dll\", \"dssvc.dll\", \"dsui.dll\", \"dsuiext.dll\", \"dswave.dll\", \"dtsh.dll\", \"ducsps.dll\", \"dui70.dll\", \"duser.dll\", 
\"dusmapi.dll\", \"dusmsvc.dll\", \"dwmapi.dll\", \"dwmcore.dll\", \"dwmghost.dll\", \"dwminit.dll\", \"dwmredir.dll\", \"dwmscene.dll\", \"dwrite.dll\", \"dxcore.dll\", \"dxdiagn.dll\", \"dxgi.dll\", \"dxgwdi.dll\", \"dxilconv.dll\", \"dxmasf.dll\", \"dxp.dll\", \"dxpps.dll\", \"dxptasksync.dll\", \"dxtmsft.dll\", \"dxtrans.dll\", \"dxva2.dll\", \"dynamoapi.dll\", \"eapp3hst.dll\", \"eappcfg.dll\", \"eappcfgui.dll\", \"eappgnui.dll\", \"eapphost.dll\", \"eappprxy.dll\", \"eapprovp.dll\", \"eapputil.dll\", \"eapsimextdesktop.dll\", \"eapsvc.dll\", \"eapteapauth.dll\", \"eapteapconfig.dll\", \"eapteapext.dll\", \"easconsent.dll\", \"easwrt.dll\", \"edgeangle.dll\", \"edgecontent.dll\", \"edgehtml.dll\", \"edgeiso.dll\", \"edgemanager.dll\", \"edpauditapi.dll\", \"edpcsp.dll\", \"edptask.dll\", \"edputil.dll\", \"eeprov.dll\", \"eeutil.dll\", \"efsadu.dll\", \"efscore.dll\", \"efsext.dll\", \"efslsaext.dll\", \"efssvc.dll\", \"efsutil.dll\", \"efswrt.dll\", \"ehstorapi.dll\", \"ehstorpwdmgr.dll\", \"ehstorshell.dll\", \"els.dll\", \"elscore.dll\", \"elshyph.dll\", \"elslad.dll\", \"elstrans.dll\", \"emailapis.dll\", \"embeddedmodesvc.dll\", \"emojids.dll\", \"encapi.dll\", \"energy.dll\", \"energyprov.dll\", \"energytask.dll\", \"enrollmentapi.dll\", \"enterpriseapncsp.dll\", \"enterprisecsps.dll\", \"enterpriseetw.dll\", \"eqossnap.dll\", \"errordetails.dll\", \"errordetailscore.dll\", \"es.dll\", \"esclprotocol.dll\", \"esclscan.dll\", \"esclwiadriver.dll\", \"esdsip.dll\", \"esent.dll\", \"esentprf.dll\", \"esevss.dll\", \"eshims.dll\", \"etwrundown.dll\", \"euiccscsp.dll\", \"eventaggregation.dll\", \"eventcls.dll\", \"evr.dll\", \"execmodelclient.dll\", \"execmodelproxy.dll\", \"explorerframe.dll\", \"exsmime.dll\", \"extrasxmlparser.dll\", \"f3ahvoas.dll\", \"facilitator.dll\", \"familysafetyext.dll\", \"faultrep.dll\", \"fcon.dll\", \"fdbth.dll\", \"fdbthproxy.dll\", \"fddevquery.dll\", \"fde.dll\", \"fdeploy.dll\", \"fdphost.dll\", \"fdpnp.dll\", 
\"fdprint.dll\", \"fdproxy.dll\", \"fdrespub.dll\", \"fdssdp.dll\", \"fdwcn.dll\", \"fdwnet.dll\", \"fdwsd.dll\", \"feclient.dll\", \"ffbroker.dll\", \"fhcat.dll\", \"fhcfg.dll\", \"fhcleanup.dll\", \"fhcpl.dll\", \"fhengine.dll\", \"fhevents.dll\", \"fhshl.dll\", \"fhsrchapi.dll\", \"fhsrchph.dll\", \"fhsvc.dll\", \"fhsvcctl.dll\", \"fhtask.dll\", \"fhuxadapter.dll\", \"fhuxapi.dll\", \"fhuxcommon.dll\", \"fhuxgraphics.dll\", \"fhuxpresentation.dll\", \"fidocredprov.dll\", \"filemgmt.dll\", \"filterds.dll\", \"findnetprinters.dll\", \"firewallapi.dll\", \"flightsettings.dll\", \"fltlib.dll\", \"fluencyds.dll\", \"fmapi.dll\", \"fmifs.dll\", \"fms.dll\", \"fntcache.dll\", \"fontext.dll\", \"fontprovider.dll\", \"fontsub.dll\", \"fphc.dll\", \"framedyn.dll\", \"framedynos.dll\", \"frameserver.dll\", \"frprov.dll\", \"fsutilext.dll\", \"fthsvc.dll\", \"fundisc.dll\", \"fveapi.dll\", \"fveapibase.dll\", \"fvecerts.dll\", \"fvecpl.dll\", \"fveskybackup.dll\", \"fveui.dll\", \"fvewiz.dll\", \"fwbase.dll\", \"fwcfg.dll\", \"fwmdmcsp.dll\", \"fwpolicyiomgr.dll\", \"fwpuclnt.dll\", \"fwremotesvr.dll\", \"gameinput.dll\", \"gamemode.dll\", \"gamestreamingext.dll\", \"gameux.dll\", \"gamingtcui.dll\", \"gcdef.dll\", \"gdi32.dll\", \"gdi32full.dll\", \"gdiplus.dll\", \"generaltel.dll\", \"geocommon.dll\", \"geolocation.dll\", \"getuname.dll\", \"glmf32.dll\", \"globinputhost.dll\", \"glu32.dll\", \"gmsaclient.dll\", \"gpapi.dll\", \"gpcsewrappercsp.dll\", \"gpedit.dll\", \"gpprefcl.dll\", \"gpprnext.dll\", \"gpscript.dll\", \"gpsvc.dll\", \"gptext.dll\", \"graphicscapture.dll\", \"graphicsperfsvc.dll\", \"groupinghc.dll\", \"hal.dll\", \"halextpl080.dll\", \"hascsp.dll\", \"hashtagds.dll\", \"hbaapi.dll\", \"hcproviders.dll\", \"hdcphandler.dll\", \"heatcore.dll\", \"helppaneproxy.dll\", \"hgcpl.dll\", \"hhsetup.dll\", \"hid.dll\", \"hidcfu.dll\", \"hidserv.dll\", \"hlink.dll\", \"hmkd.dll\", \"hnetcfg.dll\", \"hnetcfgclient.dll\", \"hnetmon.dll\", \"hologramworld.dll\", 
\"holoshellruntime.dll\", \"holoshextensions.dll\", \"hotplug.dll\", \"hrtfapo.dll\", \"httpapi.dll\", \"httpprxc.dll\", \"httpprxm.dll\", \"httpprxp.dll\", \"httpsdatasource.dll\", \"htui.dll\", \"hvhostsvc.dll\", \"hvloader.dll\", \"hvsigpext.dll\", \"hvsocket.dll\", \"hydrogen.dll\", \"ia2comproxy.dll\", \"ias.dll\", \"iasacct.dll\", \"iasads.dll\", \"iasdatastore.dll\", \"iashlpr.dll\", \"iasmigplugin.dll\", \"iasnap.dll\", \"iaspolcy.dll\", \"iasrad.dll\", \"iasrecst.dll\", \"iassam.dll\", \"iassdo.dll\", \"iassvcs.dll\", \"icfupgd.dll\", \"icm32.dll\", \"icmp.dll\", \"icmui.dll\", \"iconcodecservice.dll\", \"icsigd.dll\", \"icsvc.dll\", \"icsvcext.dll\", \"icu.dll\", \"icuin.dll\", \"icuuc.dll\", \"idctrls.dll\", \"idlisten.dll\", \"idndl.dll\", \"idstore.dll\", \"ieadvpack.dll\", \"ieapfltr.dll\", \"iedkcs32.dll\", \"ieframe.dll\", \"iemigplugin.dll\", \"iepeers.dll\", \"ieproxy.dll\", \"iernonce.dll\", \"iertutil.dll\", \"iesetup.dll\", \"iesysprep.dll\", \"ieui.dll\", \"ifmon.dll\", \"ifsutil.dll\", \"ifsutilx.dll\", \"igddiag.dll\", \"ihds.dll\", \"ikeext.dll\", \"imagehlp.dll\", \"imageres.dll\", \"imagesp1.dll\", \"imapi.dll\", \"imapi2.dll\", \"imapi2fs.dll\", \"imgutil.dll\", \"imm32.dll\", \"implatsetup.dll\", \"indexeddblegacy.dll\", \"inetcomm.dll\", \"inetmib1.dll\", \"inetpp.dll\", \"inetppui.dll\", \"inetres.dll\", \"inked.dll\", \"inkobjcore.dll\", \"inproclogger.dll\", \"input.dll\", \"inputcloudstore.dll\", \"inputcontroller.dll\", \"inputhost.dll\", \"inputservice.dll\", \"inputswitch.dll\", \"inseng.dll\", \"installservice.dll\", \"internetmail.dll\", \"internetmailcsp.dll\", \"invagent.dll\", \"iologmsg.dll\", \"iphlpapi.dll\", \"iphlpsvc.dll\", \"ipnathlp.dll\", \"ipnathlpclient.dll\", \"ippcommon.dll\", \"ippcommonproxy.dll\", \"iprtprio.dll\", \"iprtrmgr.dll\", \"ipsecsnp.dll\", \"ipsecsvc.dll\", \"ipsmsnap.dll\", \"ipxlatcfg.dll\", \"iri.dll\", \"iscsicpl.dll\", \"iscsidsc.dll\", \"iscsied.dll\", \"iscsiexe.dll\", \"iscsilog.dll\", 
\"iscsium.dll\", \"iscsiwmi.dll\", \"iscsiwmiv2.dll\", \"ism.dll\", \"itircl.dll\", \"itss.dll\", \"iuilp.dll\", \"iumbase.dll\", \"iumcrypt.dll\", \"iumdll.dll\", \"iumsdk.dll\", \"iyuv_32.dll\", \"joinproviderol.dll\", \"joinutil.dll\", \"jpmapcontrol.dll\", \"jpndecoder.dll\", \"jpninputrouter.dll\", \"jpnranker.dll\", \"jpnserviceds.dll\", \"jscript.dll\", \"jscript9.dll\", \"jscript9diag.dll\", \"jsproxy.dll\", \"kbd101.dll\", \"kbd101a.dll\", \"kbd101b.dll\", \"kbd101c.dll\", \"kbd103.dll\", \"kbd106.dll\", \"kbd106n.dll\", \"kbda1.dll\", \"kbda2.dll\", \"kbda3.dll\", \"kbdadlm.dll\", \"kbdal.dll\", \"kbdarme.dll\", \"kbdarmph.dll\", \"kbdarmty.dll\", \"kbdarmw.dll\", \"kbdax2.dll\", \"kbdaze.dll\", \"kbdazel.dll\", \"kbdazst.dll\", \"kbdbash.dll\", \"kbdbe.dll\", \"kbdbene.dll\", \"kbdbgph.dll\", \"kbdbgph1.dll\", \"kbdbhc.dll\", \"kbdblr.dll\", \"kbdbr.dll\", \"kbdbu.dll\", \"kbdbug.dll\", \"kbdbulg.dll\", \"kbdca.dll\", \"kbdcan.dll\", \"kbdcher.dll\", \"kbdcherp.dll\", \"kbdcr.dll\", \"kbdcz.dll\", \"kbdcz1.dll\", \"kbdcz2.dll\", \"kbdda.dll\", \"kbddiv1.dll\", \"kbddiv2.dll\", \"kbddv.dll\", \"kbddzo.dll\", \"kbdes.dll\", \"kbdest.dll\", \"kbdfa.dll\", \"kbdfar.dll\", \"kbdfc.dll\", \"kbdfi.dll\", \"kbdfi1.dll\", \"kbdfo.dll\", \"kbdfr.dll\", \"kbdfthrk.dll\", \"kbdgae.dll\", \"kbdgeo.dll\", \"kbdgeoer.dll\", \"kbdgeome.dll\", \"kbdgeooa.dll\", \"kbdgeoqw.dll\", \"kbdgkl.dll\", \"kbdgn.dll\", \"kbdgr.dll\", \"kbdgr1.dll\", \"kbdgrlnd.dll\", \"kbdgthc.dll\", \"kbdhau.dll\", \"kbdhaw.dll\", \"kbdhe.dll\", \"kbdhe220.dll\", \"kbdhe319.dll\", \"kbdheb.dll\", \"kbdhebl3.dll\", \"kbdhela2.dll\", \"kbdhela3.dll\", \"kbdhept.dll\", \"kbdhu.dll\", \"kbdhu1.dll\", \"kbdibm02.dll\", \"kbdibo.dll\", \"kbdic.dll\", \"kbdinasa.dll\", \"kbdinbe1.dll\", \"kbdinbe2.dll\", \"kbdinben.dll\", \"kbdindev.dll\", \"kbdinen.dll\", \"kbdinguj.dll\", \"kbdinhin.dll\", \"kbdinkan.dll\", \"kbdinmal.dll\", \"kbdinmar.dll\", \"kbdinori.dll\", \"kbdinpun.dll\", \"kbdintam.dll\", 
\"kbdintel.dll\", \"kbdinuk2.dll\", \"kbdir.dll\", \"kbdit.dll\", \"kbdit142.dll\", \"kbdiulat.dll\", \"kbdjav.dll\", \"kbdjpn.dll\", \"kbdkaz.dll\", \"kbdkhmr.dll\", \"kbdkni.dll\", \"kbdkor.dll\", \"kbdkurd.dll\", \"kbdkyr.dll\", \"kbdla.dll\", \"kbdlao.dll\", \"kbdlisub.dll\", \"kbdlisus.dll\", \"kbdlk41a.dll\", \"kbdlt.dll\", \"kbdlt1.dll\", \"kbdlt2.dll\", \"kbdlv.dll\", \"kbdlv1.dll\", \"kbdlvst.dll\", \"kbdmac.dll\", \"kbdmacst.dll\", \"kbdmaori.dll\", \"kbdmlt47.dll\", \"kbdmlt48.dll\", \"kbdmon.dll\", \"kbdmonmo.dll\", \"kbdmonst.dll\", \"kbdmyan.dll\", \"kbdne.dll\", \"kbdnec.dll\", \"kbdnec95.dll\", \"kbdnecat.dll\", \"kbdnecnt.dll\", \"kbdnepr.dll\", \"kbdnko.dll\", \"kbdno.dll\", \"kbdno1.dll\", \"kbdnso.dll\", \"kbdntl.dll\", \"kbdogham.dll\", \"kbdolch.dll\", \"kbdoldit.dll\", \"kbdosa.dll\", \"kbdosm.dll\", \"kbdpash.dll\", \"kbdphags.dll\", \"kbdpl.dll\", \"kbdpl1.dll\", \"kbdpo.dll\", \"kbdro.dll\", \"kbdropr.dll\", \"kbdrost.dll\", \"kbdru.dll\", \"kbdru1.dll\", \"kbdrum.dll\", \"kbdsf.dll\", \"kbdsg.dll\", \"kbdsl.dll\", \"kbdsl1.dll\", \"kbdsmsfi.dll\", \"kbdsmsno.dll\", \"kbdsn1.dll\", \"kbdsora.dll\", \"kbdsorex.dll\", \"kbdsors1.dll\", \"kbdsorst.dll\", \"kbdsp.dll\", \"kbdsw.dll\", \"kbdsw09.dll\", \"kbdsyr1.dll\", \"kbdsyr2.dll\", \"kbdtaile.dll\", \"kbdtajik.dll\", \"kbdtam99.dll\", \"kbdtat.dll\", \"kbdth0.dll\", \"kbdth1.dll\", \"kbdth2.dll\", \"kbdth3.dll\", \"kbdtifi.dll\", \"kbdtifi2.dll\", \"kbdtiprc.dll\", \"kbdtiprd.dll\", \"kbdtt102.dll\", \"kbdtuf.dll\", \"kbdtuq.dll\", \"kbdturme.dll\", \"kbdtzm.dll\", \"kbdughr.dll\", \"kbdughr1.dll\", \"kbduk.dll\", \"kbdukx.dll\", \"kbdur.dll\", \"kbdur1.dll\", \"kbdurdu.dll\", \"kbdus.dll\", \"kbdusa.dll\", \"kbdusl.dll\", \"kbdusr.dll\", \"kbdusx.dll\", \"kbduzb.dll\", \"kbdvntc.dll\", \"kbdwol.dll\", \"kbdyak.dll\", \"kbdyba.dll\", \"kbdycc.dll\", \"kbdycl.dll\", \"kd.dll\", \"kdcom.dll\", \"kdcpw.dll\", \"kdhvcom.dll\", \"kdnet.dll\", \"kdnet_uart16550.dll\", \"kdscli.dll\", 
\"kdstub.dll\", \"kdusb.dll\", \"kd_02_10df.dll\", \"kd_02_10ec.dll\", \"kd_02_1137.dll\", \"kd_02_14e4.dll\", \"kd_02_15b3.dll\", \"kd_02_1969.dll\", \"kd_02_19a2.dll\", \"kd_02_1af4.dll\", \"kd_02_8086.dll\", \"kd_07_1415.dll\", \"kd_0c_8086.dll\", \"kerbclientshared.dll\", \"kerberos.dll\", \"kernel32.dll\", \"kernelbase.dll\", \"keycredmgr.dll\", \"keyiso.dll\", \"keymgr.dll\", \"knobscore.dll\", \"knobscsp.dll\", \"ksuser.dll\", \"ktmw32.dll\", \"l2gpstore.dll\", \"l2nacp.dll\", \"l2sechc.dll\", \"laprxy.dll\", \"legacynetux.dll\", \"lfsvc.dll\", \"libcrypto.dll\", \"licensemanager.dll\", \"licensingcsp.dll\", \"licensingdiagspp.dll\", \"licensingwinrt.dll\", \"licmgr10.dll\", \"linkinfo.dll\", \"lltdapi.dll\", \"lltdres.dll\", \"lltdsvc.dll\", \"lmhsvc.dll\", \"loadperf.dll\", \"localsec.dll\", \"localspl.dll\", \"localui.dll\", \"locationapi.dll\", \"lockappbroker.dll\", \"lockcontroller.dll\", \"lockscreendata.dll\", \"loghours.dll\", \"logoncli.dll\", \"logoncontroller.dll\", \"lpasvc.dll\", \"lpk.dll\", \"lsasrv.dll\", \"lscshostpolicy.dll\", \"lsm.dll\", \"lsmproxy.dll\", \"lstelemetry.dll\", \"luainstall.dll\", \"luiapi.dll\", \"lz32.dll\", \"magnification.dll\", \"maintenanceui.dll\", \"manageci.dll\", \"mapconfiguration.dll\", \"mapcontrolcore.dll\", \"mapgeocoder.dll\", \"mapi32.dll\", \"mapistub.dll\", \"maprouter.dll\", \"mapsbtsvc.dll\", \"mapsbtsvcproxy.dll\", \"mapscsp.dll\", \"mapsstore.dll\", \"mapstoasttask.dll\", \"mapsupdatetask.dll\", \"mbaeapi.dll\", \"mbaeapipublic.dll\", \"mbaexmlparser.dll\", \"mbmediamanager.dll\", \"mbsmsapi.dll\", \"mbussdapi.dll\", \"mccsengineshared.dll\", \"mccspal.dll\", \"mciavi32.dll\", \"mcicda.dll\", \"mciqtz32.dll\", \"mciseq.dll\", \"mciwave.dll\", \"mcrecvsrc.dll\", \"mdmcommon.dll\", \"mdmdiagnostics.dll\", \"mdminst.dll\", \"mdmmigrator.dll\", \"mdmregistration.dll\", \"memorydiagnostic.dll\", \"messagingservice.dll\", \"mf.dll\", \"mf3216.dll\", \"mfaacenc.dll\", \"mfasfsrcsnk.dll\", 
\"mfaudiocnv.dll\", \"mfc42.dll\", \"mfc42u.dll\", \"mfcaptureengine.dll\", \"mfcore.dll\", \"mfcsubs.dll\", \"mfds.dll\", \"mfdvdec.dll\", \"mferror.dll\", \"mfh263enc.dll\", \"mfh264enc.dll\", \"mfksproxy.dll\", \"mfmediaengine.dll\", \"mfmjpegdec.dll\", \"mfmkvsrcsnk.dll\", \"mfmp4srcsnk.dll\", \"mfmpeg2srcsnk.dll\", \"mfnetcore.dll\", \"mfnetsrc.dll\", \"mfperfhelper.dll\", \"mfplat.dll\", \"mfplay.dll\", \"mfps.dll\", \"mfreadwrite.dll\", \"mfsensorgroup.dll\", \"mfsrcsnk.dll\", \"mfsvr.dll\", \"mftranscode.dll\", \"mfvdsp.dll\", \"mfvfw.dll\", \"mfwmaaec.dll\", \"mgmtapi.dll\", \"mi.dll\", \"mibincodec.dll\", \"midimap.dll\", \"migisol.dll\", \"miguiresource.dll\", \"mimefilt.dll\", \"mimofcodec.dll\", \"minstoreevents.dll\", \"miracastinputmgr.dll\", \"miracastreceiver.dll\", \"mirrordrvcompat.dll\", \"mispace.dll\", \"mitigationclient.dll\", \"miutils.dll\", \"mlang.dll\", \"mmcbase.dll\", \"mmcndmgr.dll\", \"mmcshext.dll\", \"mmdevapi.dll\", \"mmgaclient.dll\", \"mmgaproxystub.dll\", \"mmres.dll\", \"mobilenetworking.dll\", \"modemui.dll\", \"modernexecserver.dll\", \"moricons.dll\", \"moshost.dll\", \"moshostclient.dll\", \"moshostcore.dll\", \"mosstorage.dll\", \"mp3dmod.dll\", \"mp43decd.dll\", \"mp4sdecd.dll\", \"mpeval.dll\", \"mpg4decd.dll\", \"mpr.dll\", \"mprapi.dll\", \"mprddm.dll\", \"mprdim.dll\", \"mprext.dll\", \"mprmsg.dll\", \"mpssvc.dll\", \"mpunits.dll\", \"mrmcorer.dll\", \"mrmdeploy.dll\", \"mrmindexer.dll\", \"mrt100.dll\", \"mrt_map.dll\", \"msaatext.dll\", \"msac3enc.dll\", \"msacm32.dll\", \"msafd.dll\", \"msajapi.dll\", \"msalacdecoder.dll\", \"msalacencoder.dll\", \"msamrnbdecoder.dll\", \"msamrnbencoder.dll\", \"msamrnbsink.dll\", \"msamrnbsource.dll\", \"msasn1.dll\", \"msauddecmft.dll\", \"msaudite.dll\", \"msauserext.dll\", \"mscandui.dll\", \"mscat32.dll\", \"msclmd.dll\", \"mscms.dll\", \"mscoree.dll\", \"mscorier.dll\", \"mscories.dll\", \"msctf.dll\", \"msctfmonitor.dll\", \"msctfp.dll\", \"msctfui.dll\", 
\"msctfuimanager.dll\", \"msdadiag.dll\", \"msdart.dll\", \"msdelta.dll\", \"msdmo.dll\", \"msdrm.dll\", \"msdtckrm.dll\", \"msdtclog.dll\", \"msdtcprx.dll\", \"msdtcspoffln.dll\", \"msdtctm.dll\", \"msdtcuiu.dll\", \"msdtcvsp1res.dll\", \"msfeeds.dll\", \"msfeedsbs.dll\", \"msflacdecoder.dll\", \"msflacencoder.dll\", \"msftedit.dll\", \"msheif.dll\", \"mshtml.dll\", \"mshtmldac.dll\", \"mshtmled.dll\", \"mshtmler.dll\", \"msi.dll\", \"msicofire.dll\", \"msidcrl40.dll\", \"msident.dll\", \"msidle.dll\", \"msidntld.dll\", \"msieftp.dll\", \"msihnd.dll\", \"msiltcfg.dll\", \"msimg32.dll\", \"msimsg.dll\", \"msimtf.dll\", \"msisip.dll\", \"msiso.dll\", \"msiwer.dll\", \"mskeyprotcli.dll\", \"mskeyprotect.dll\", \"msls31.dll\", \"msmpeg2adec.dll\", \"msmpeg2enc.dll\", \"msmpeg2vdec.dll\", \"msobjs.dll\", \"msoert2.dll\", \"msopusdecoder.dll\", \"mspatcha.dll\", \"mspatchc.dll\", \"msphotography.dll\", \"msports.dll\", \"msprivs.dll\", \"msrahc.dll\", \"msrating.dll\", \"msrawimage.dll\", \"msrdc.dll\", \"msrdpwebaccess.dll\", \"msrle32.dll\", \"msscntrs.dll\", \"mssecuser.dll\", \"mssign32.dll\", \"mssip32.dll\", \"mssitlb.dll\", \"mssph.dll\", \"mssprxy.dll\", \"mssrch.dll\", \"mssvp.dll\", \"mstask.dll\", \"mstextprediction.dll\", \"mstscax.dll\", \"msutb.dll\", \"msv1_0.dll\", \"msvcirt.dll\", \"msvcp110_win.dll\", \"msvcp120_clr0400.dll\", \"msvcp140_clr0400.dll\", \"msvcp60.dll\", \"msvcp_win.dll\", \"msvcr100_clr0400.dll\", \"msvcr120_clr0400.dll\", \"msvcrt.dll\", \"msvfw32.dll\", \"msvidc32.dll\", \"msvidctl.dll\", \"msvideodsp.dll\", \"msvp9dec.dll\", \"msvproc.dll\", \"msvpxenc.dll\", \"mswb7.dll\", \"mswebp.dll\", \"mswmdm.dll\", \"mswsock.dll\", \"msxml3.dll\", \"msxml3r.dll\", \"msxml6.dll\", \"msxml6r.dll\", \"msyuv.dll\", \"mtcmodel.dll\", \"mtf.dll\", \"mtfappserviceds.dll\", \"mtfdecoder.dll\", \"mtffuzzyds.dll\", \"mtfserver.dll\", \"mtfspellcheckds.dll\", \"mtxclu.dll\", \"mtxdm.dll\", \"mtxex.dll\", \"mtxoci.dll\", \"muifontsetup.dll\", 
\"mycomput.dll\", \"mydocs.dll\", \"napcrypt.dll\", \"napinsp.dll\", \"naturalauth.dll\", \"naturallanguage6.dll\", \"navshutdown.dll\", \"ncaapi.dll\", \"ncasvc.dll\", \"ncbservice.dll\", \"ncdautosetup.dll\", \"ncdprop.dll\", \"nci.dll\", \"ncobjapi.dll\", \"ncrypt.dll\", \"ncryptprov.dll\", \"ncryptsslp.dll\", \"ncsi.dll\", \"ncuprov.dll\", \"nddeapi.dll\", \"ndfapi.dll\", \"ndfetw.dll\", \"ndfhcdiscovery.dll\", \"ndishc.dll\", \"ndproxystub.dll\", \"nduprov.dll\", \"negoexts.dll\", \"netapi32.dll\", \"netbios.dll\", \"netcenter.dll\", \"netcfgx.dll\", \"netcorehc.dll\", \"netdiagfx.dll\", \"netdriverinstall.dll\", \"netevent.dll\", \"netfxperf.dll\", \"neth.dll\", \"netid.dll\", \"netiohlp.dll\", \"netjoin.dll\", \"netlogon.dll\", \"netman.dll\", \"netmsg.dll\", \"netplwiz.dll\", \"netprofm.dll\", \"netprofmsvc.dll\", \"netprovfw.dll\", \"netprovisionsp.dll\", \"netsetupapi.dll\", \"netsetupengine.dll\", \"netsetupshim.dll\", \"netsetupsvc.dll\", \"netshell.dll\", \"nettrace.dll\", \"netutils.dll\", \"networkexplorer.dll\", \"networkhelper.dll\", \"networkicon.dll\", \"networkproxycsp.dll\", \"networkstatus.dll\", \"networkuxbroker.dll\", \"newdev.dll\", \"nfcradiomedia.dll\", \"ngccredprov.dll\", \"ngcctnr.dll\", \"ngcctnrsvc.dll\", \"ngcisoctnr.dll\", \"ngckeyenum.dll\", \"ngcksp.dll\", \"ngclocal.dll\", \"ngcpopkeysrv.dll\", \"ngcprocsp.dll\", \"ngcrecovery.dll\", \"ngcsvc.dll\", \"ngctasks.dll\", \"ninput.dll\", \"nlaapi.dll\", \"nlahc.dll\", \"nlasvc.dll\", \"nlhtml.dll\", \"nlmgp.dll\", \"nlmproxy.dll\", \"nlmsprep.dll\", \"nlsbres.dll\", \"nlsdata0000.dll\", \"nlsdata0009.dll\", \"nlsdl.dll\", \"nlslexicons0009.dll\", \"nmadirect.dll\", \"normaliz.dll\", \"npmproxy.dll\", \"npsm.dll\", \"nrpsrv.dll\", \"nshhttp.dll\", \"nshipsec.dll\", \"nshwfp.dll\", \"nsi.dll\", \"nsisvc.dll\", \"ntasn1.dll\", \"ntdll.dll\", \"ntdsapi.dll\", \"ntlanman.dll\", \"ntlanui2.dll\", \"ntlmshared.dll\", \"ntmarta.dll\", \"ntprint.dll\", \"ntshrui.dll\", \"ntvdm64.dll\", 
\"objsel.dll\", \"occache.dll\", \"ocsetapi.dll\", \"odbc32.dll\", \"odbcbcp.dll\", \"odbcconf.dll\", \"odbccp32.dll\", \"odbccr32.dll\", \"odbccu32.dll\", \"odbcint.dll\", \"odbctrac.dll\", \"oemlicense.dll\", \"offfilt.dll\", \"officecsp.dll\", \"offlinelsa.dll\", \"offlinesam.dll\", \"offreg.dll\", \"ole32.dll\", \"oleacc.dll\", \"oleacchooks.dll\", \"oleaccrc.dll\", \"oleaut32.dll\", \"oledlg.dll\", \"oleprn.dll\", \"omadmagent.dll\", \"omadmapi.dll\", \"onebackuphandler.dll\", \"onex.dll\", \"onexui.dll\", \"opcservices.dll\", \"opengl32.dll\", \"ortcengine.dll\", \"osbaseln.dll\", \"osksupport.dll\", \"osuninst.dll\", \"p2p.dll\", \"p2pgraph.dll\", \"p2pnetsh.dll\", \"p2psvc.dll\", \"packager.dll\", \"panmap.dll\", \"pautoenr.dll\", \"pcacli.dll\", \"pcadm.dll\", \"pcaevts.dll\", \"pcasvc.dll\", \"pcaui.dll\", \"pcpksp.dll\", \"pcsvdevice.dll\", \"pcwum.dll\", \"pcwutl.dll\", \"pdh.dll\", \"pdhui.dll\", \"peerdist.dll\", \"peerdistad.dll\", \"peerdistcleaner.dll\", \"peerdistsh.dll\", \"peerdistsvc.dll\", \"peopleapis.dll\", \"peopleband.dll\", \"perceptiondevice.dll\", \"perfctrs.dll\", \"perfdisk.dll\", \"perfnet.dll\", \"perfos.dll\", \"perfproc.dll\", \"perfts.dll\", \"phoneom.dll\", \"phoneproviders.dll\", \"phoneservice.dll\", \"phoneserviceres.dll\", \"phoneutil.dll\", \"phoneutilres.dll\", \"photowiz.dll\", \"pickerplatform.dll\", \"pid.dll\", \"pidgenx.dll\", \"pifmgr.dll\", \"pimstore.dll\", \"pkeyhelper.dll\", \"pktmonapi.dll\", \"pku2u.dll\", \"pla.dll\", \"playlistfolder.dll\", \"playsndsrv.dll\", \"playtodevice.dll\", \"playtomanager.dll\", \"playtomenu.dll\", \"playtoreceiver.dll\", \"ploptin.dll\", \"pmcsnap.dll\", \"pngfilt.dll\", \"pnidui.dll\", \"pnpclean.dll\", \"pnppolicy.dll\", \"pnpts.dll\", \"pnpui.dll\", \"pnpxassoc.dll\", \"pnpxassocprx.dll\", \"pnrpauto.dll\", \"pnrphc.dll\", \"pnrpnsp.dll\", \"pnrpsvc.dll\", \"policymanager.dll\", \"polstore.dll\", \"posetup.dll\", \"posyncservices.dll\", \"pots.dll\", \"powercpl.dll\", 
\"powrprof.dll\", \"ppcsnap.dll\", \"prauthproviders.dll\", \"prflbmsg.dll\", \"printui.dll\", \"printwsdahost.dll\", \"prm0009.dll\", \"prncache.dll\", \"prnfldr.dll\", \"prnntfy.dll\", \"prntvpt.dll\", \"profapi.dll\", \"profext.dll\", \"profprov.dll\", \"profsvc.dll\", \"profsvcext.dll\", \"propsys.dll\", \"provcore.dll\", \"provdatastore.dll\", \"provdiagnostics.dll\", \"provengine.dll\", \"provhandlers.dll\", \"provisioningcsp.dll\", \"provmigrate.dll\", \"provops.dll\", \"provplugineng.dll\", \"provsysprep.dll\", \"provthrd.dll\", \"proximitycommon.dll\", \"proximityservice.dll\", \"prvdmofcomp.dll\", \"psapi.dll\", \"pshed.dll\", \"psisdecd.dll\", \"psmsrv.dll\", \"pstask.dll\", \"pstorec.dll\", \"ptpprov.dll\", \"puiapi.dll\", \"puiobj.dll\", \"pushtoinstall.dll\", \"pwlauncher.dll\", \"pwrshplugin.dll\", \"pwsso.dll\", \"qasf.dll\", \"qcap.dll\", \"qdv.dll\", \"qdvd.dll\", \"qedit.dll\", \"qedwipes.dll\", \"qmgr.dll\", \"query.dll\", \"quiethours.dll\", \"qwave.dll\", \"racengn.dll\", \"racpldlg.dll\", \"radardt.dll\", \"radarrs.dll\", \"radcui.dll\", \"rasadhlp.dll\", \"rasapi32.dll\", \"rasauto.dll\", \"raschap.dll\", \"raschapext.dll\", \"rasctrs.dll\", \"rascustom.dll\", \"rasdiag.dll\", \"rasdlg.dll\", \"rasgcw.dll\", \"rasman.dll\", \"rasmans.dll\", \"rasmbmgr.dll\", \"rasmediamanager.dll\", \"rasmm.dll\", \"rasmontr.dll\", \"rasplap.dll\", \"rasppp.dll\", \"rastapi.dll\", \"rastls.dll\", \"rastlsext.dll\", \"rdbui.dll\", \"rdpbase.dll\", \"rdpcfgex.dll\", \"rdpcore.dll\", \"rdpcorets.dll\", \"rdpencom.dll\", \"rdpendp.dll\", \"rdpnano.dll\", \"rdpsaps.dll\", \"rdpserverbase.dll\", \"rdpsharercom.dll\", \"rdpudd.dll\", \"rdpviewerax.dll\", \"rdsappxhelper.dll\", \"rdsdwmdr.dll\", \"rdvvmtransport.dll\", \"rdxservice.dll\", \"rdxtaskfactory.dll\", \"reagent.dll\", \"reagenttask.dll\", \"recovery.dll\", \"regapi.dll\", \"regctrl.dll\", \"regidle.dll\", \"regsvc.dll\", \"reguwpapi.dll\", \"reinfo.dll\", \"remotepg.dll\", \"remotewipecsp.dll\", 
\"reportingcsp.dll\", \"resampledmo.dll\", \"resbparser.dll\", \"reseteng.dll\", \"resetengine.dll\", \"resetengonline.dll\", \"resourcemapper.dll\", \"resutils.dll\", \"rgb9rast.dll\", \"riched20.dll\", \"riched32.dll\", \"rjvmdmconfig.dll\", \"rmapi.dll\", \"rmclient.dll\", \"rnr20.dll\", \"roamingsecurity.dll\", \"rometadata.dll\", \"rotmgr.dll\", \"rpcepmap.dll\", \"rpchttp.dll\", \"rpcns4.dll\", \"rpcnsh.dll\", \"rpcrt4.dll\", \"rpcrtremote.dll\", \"rpcss.dll\", \"rsaenh.dll\", \"rshx32.dll\", \"rstrtmgr.dll\", \"rtffilt.dll\", \"rtm.dll\", \"rtmediaframe.dll\", \"rtmmvrortc.dll\", \"rtutils.dll\", \"rtworkq.dll\", \"rulebasedds.dll\", \"samcli.dll\", \"samlib.dll\", \"samsrv.dll\", \"sas.dll\", \"sbe.dll\", \"sbeio.dll\", \"sberes.dll\", \"sbservicetrigger.dll\", \"scansetting.dll\", \"scardbi.dll\", \"scarddlg.dll\", \"scardsvr.dll\", \"scavengeui.dll\", \"scdeviceenum.dll\", \"scecli.dll\", \"scesrv.dll\", \"schannel.dll\", \"schedcli.dll\", \"schedsvc.dll\", \"scksp.dll\", \"scripto.dll\", \"scrobj.dll\", \"scrptadm.dll\", \"scrrun.dll\", \"sdcpl.dll\", \"sdds.dll\", \"sdengin2.dll\", \"sdfhost.dll\", \"sdhcinst.dll\", \"sdiageng.dll\", \"sdiagprv.dll\", \"sdiagschd.dll\", \"sdohlp.dll\", \"sdrsvc.dll\", \"sdshext.dll\", \"searchfolder.dll\", \"sechost.dll\", \"seclogon.dll\", \"secproc.dll\", \"secproc_isv.dll\", \"secproc_ssp.dll\", \"secproc_ssp_isv.dll\", \"secur32.dll\", \"security.dll\", \"semgrps.dll\", \"semgrsvc.dll\", \"sendmail.dll\", \"sens.dll\", \"sensapi.dll\", \"sensorsapi.dll\", \"sensorscpl.dll\", \"sensorservice.dll\", \"sensorsnativeapi.dll\", \"sensorsutilsv2.dll\", \"sensrsvc.dll\", \"serialui.dll\", \"servicinguapi.dll\", \"serwvdrv.dll\", \"sessenv.dll\", \"setbcdlocale.dll\", \"settingmonitor.dll\", \"settingsync.dll\", \"settingsynccore.dll\", \"setupapi.dll\", \"setupcl.dll\", \"setupcln.dll\", \"setupetw.dll\", \"sfc.dll\", \"sfc_os.dll\", \"sgrmenclave.dll\", \"shacct.dll\", \"shacctprofile.dll\", \"sharedpccsp.dll\", 
\"sharedrealitysvc.dll\", \"sharehost.dll\", \"sharemediacpl.dll\", \"shcore.dll\", \"shdocvw.dll\", \"shell32.dll\", \"shellstyle.dll\", \"shfolder.dll\", \"shgina.dll\", \"shimeng.dll\", \"shimgvw.dll\", \"shlwapi.dll\", \"shpafact.dll\", \"shsetup.dll\", \"shsvcs.dll\", \"shunimpl.dll\", \"shutdownext.dll\", \"shutdownux.dll\", \"shwebsvc.dll\", \"signdrv.dll\", \"simauth.dll\", \"simcfg.dll\", \"skci.dll\", \"slc.dll\", \"slcext.dll\", \"slwga.dll\", \"smartscreenps.dll\", \"smbhelperclass.dll\", \"smbwmiv2.dll\", \"smiengine.dll\", \"smphost.dll\", \"smsroutersvc.dll\", \"sndvolsso.dll\", \"snmpapi.dll\", \"socialapis.dll\", \"softkbd.dll\", \"softpub.dll\", \"sortwindows61.dll\", \"sortwindows62.dll\", \"spacebridge.dll\", \"spacecontrol.dll\", \"spatializerapo.dll\", \"spatialstore.dll\", \"spbcd.dll\", \"speechpal.dll\", \"spfileq.dll\", \"spinf.dll\", \"spmpm.dll\", \"spnet.dll\", \"spoolss.dll\", \"spopk.dll\", \"spp.dll\", \"sppc.dll\", \"sppcext.dll\", \"sppcomapi.dll\", \"sppcommdlg.dll\", \"sppinst.dll\", \"sppnp.dll\", \"sppobjs.dll\", \"sppwinob.dll\", \"sppwmi.dll\", \"spwinsat.dll\", \"spwizeng.dll\", \"spwizimg.dll\", \"spwizres.dll\", \"spwmp.dll\", \"sqlsrv32.dll\", \"sqmapi.dll\", \"srchadmin.dll\", \"srclient.dll\", \"srcore.dll\", \"srevents.dll\", \"srh.dll\", \"srhelper.dll\", \"srm.dll\", \"srmclient.dll\", \"srmlib.dll\", \"srmscan.dll\", \"srmshell.dll\", \"srmstormod.dll\", \"srmtrace.dll\", \"srm_ps.dll\", \"srpapi.dll\", \"srrstr.dll\", \"srumapi.dll\", \"srumsvc.dll\", \"srvcli.dll\", \"srvsvc.dll\", \"srwmi.dll\", \"sscore.dll\", \"sscoreext.dll\", \"ssdm.dll\", \"ssdpapi.dll\", \"ssdpsrv.dll\", \"sspicli.dll\", \"sspisrv.dll\", \"ssshim.dll\", \"sstpsvc.dll\", \"starttiledata.dll\", \"startupscan.dll\", \"stclient.dll\", \"sti.dll\", \"sti_ci.dll\", \"stobject.dll\", \"storageusage.dll\", \"storagewmi.dll\", \"storewuauth.dll\", \"storprop.dll\", \"storsvc.dll\", \"streamci.dll\", \"structuredquery.dll\", \"sud.dll\", \"svf.dll\", 
\"svsvc.dll\", \"swprv.dll\", \"sxproxy.dll\", \"sxs.dll\", \"sxshared.dll\", \"sxssrv.dll\", \"sxsstore.dll\", \"synccenter.dll\", \"synccontroller.dll\", \"synchostps.dll\", \"syncproxy.dll\", \"syncreg.dll\", \"syncres.dll\", \"syncsettings.dll\", \"syncutil.dll\", \"sysclass.dll\", \"sysfxui.dll\", \"sysmain.dll\", \"sysntfy.dll\", \"syssetup.dll\", \"systemcpl.dll\", \"t2embed.dll\", \"tabbtn.dll\", \"tabbtnex.dll\", \"tabsvc.dll\", \"tapi3.dll\", \"tapi32.dll\", \"tapilua.dll\", \"tapimigplugin.dll\", \"tapiperf.dll\", \"tapisrv.dll\", \"tapisysprep.dll\", \"tapiui.dll\", \"taskapis.dll\", \"taskbarcpl.dll\", \"taskcomp.dll\", \"taskschd.dll\", \"taskschdps.dll\", \"tbauth.dll\", \"tbs.dll\", \"tcbloader.dll\", \"tcpipcfg.dll\", \"tcpmib.dll\", \"tcpmon.dll\", \"tcpmonui.dll\", \"tdh.dll\", \"tdlmigration.dll\", \"tellib.dll\", \"termmgr.dll\", \"termsrv.dll\", \"tetheringclient.dll\", \"tetheringmgr.dll\", \"tetheringservice.dll\", \"tetheringstation.dll\", \"textshaping.dll\", \"themecpl.dll\", \"themeservice.dll\", \"themeui.dll\", \"threadpoolwinrt.dll\", \"thumbcache.dll\", \"timebrokerclient.dll\", \"timebrokerserver.dll\", \"timesync.dll\", \"timesynctask.dll\", \"tlscsp.dll\", \"tokenbinding.dll\", \"tokenbroker.dll\", \"tokenbrokerui.dll\", \"tpmcertresources.dll\", \"tpmcompc.dll\", \"tpmtasks.dll\", \"tpmvsc.dll\", \"tquery.dll\", \"traffic.dll\", \"transportdsa.dll\", \"trie.dll\", \"trkwks.dll\", \"tsbyuv.dll\", \"tscfgwmi.dll\", \"tserrredir.dll\", \"tsf3gip.dll\", \"tsgqec.dll\", \"tsmf.dll\", \"tspkg.dll\", \"tspubwmi.dll\", \"tssessionux.dll\", \"tssrvlic.dll\", \"tsworkspace.dll\", \"ttdloader.dll\", \"ttdplm.dll\", \"ttdrecord.dll\", \"ttdrecordcpu.dll\", \"ttlsauth.dll\", \"ttlscfg.dll\", \"ttlsext.dll\", \"tvratings.dll\", \"twext.dll\", \"twinapi.dll\", \"twinui.dll\", \"txflog.dll\", \"txfw32.dll\", \"tzautoupdate.dll\", \"tzres.dll\", \"tzsyncres.dll\", \"ubpm.dll\", \"ucmhc.dll\", \"ucrtbase.dll\", \"ucrtbase_clr0400.dll\", 
\"ucrtbase_enclave.dll\", \"udhisapi.dll\", \"udwm.dll\", \"ueficsp.dll\", \"uexfat.dll\", \"ufat.dll\", \"uiamanager.dll\", \"uianimation.dll\", \"uiautomationcore.dll\", \"uicom.dll\", \"uireng.dll\", \"uiribbon.dll\", \"uiribbonres.dll\", \"ulib.dll\", \"umb.dll\", \"umdmxfrm.dll\", \"umpdc.dll\", \"umpnpmgr.dll\", \"umpo-overrides.dll\", \"umpo.dll\", \"umpoext.dll\", \"umpowmi.dll\", \"umrdp.dll\", \"unattend.dll\", \"unenrollhook.dll\", \"unimdmat.dll\", \"uniplat.dll\", \"unistore.dll\", \"untfs.dll\", \"updateagent.dll\", \"updatecsp.dll\", \"updatepolicy.dll\", \"upnp.dll\", \"upnphost.dll\", \"upshared.dll\", \"urefs.dll\", \"urefsv1.dll\", \"ureg.dll\", \"url.dll\", \"urlmon.dll\", \"usbcapi.dll\", \"usbceip.dll\", \"usbmon.dll\", \"usbperf.dll\", \"usbpmapi.dll\", \"usbtask.dll\", \"usbui.dll\", \"user32.dll\", \"usercpl.dll\", \"userdataservice.dll\", \"userdatatimeutil.dll\", \"userenv.dll\", \"userinitext.dll\", \"usermgr.dll\", \"usermgrcli.dll\", \"usermgrproxy.dll\", \"usoapi.dll\", \"usocoreps.dll\", \"usosvc.dll\", \"usp10.dll\", \"ustprov.dll\", \"utcutil.dll\", \"utildll.dll\", \"uudf.dll\", \"uvcmodel.dll\", \"uwfcfgmgmt.dll\", \"uwfcsp.dll\", \"uwfservicingapi.dll\", \"uxinit.dll\", \"uxlib.dll\", \"uxlibres.dll\", \"uxtheme.dll\", \"vac.dll\", \"van.dll\", \"vault.dll\", \"vaultcds.dll\", \"vaultcli.dll\", \"vaultroaming.dll\", \"vaultsvc.dll\", \"vbsapi.dll\", \"vbscript.dll\", \"vbssysprep.dll\", \"vcardparser.dll\", \"vdsbas.dll\", \"vdsdyn.dll\", \"vdsutil.dll\", \"vdsvd.dll\", \"vds_ps.dll\", \"verifier.dll\", \"version.dll\", \"vertdll.dll\", \"vfuprov.dll\", \"vfwwdm32.dll\", \"vhfum.dll\", \"vid.dll\", \"videohandlers.dll\", \"vidreszr.dll\", \"virtdisk.dll\", \"vmbuspipe.dll\", \"vmdevicehost.dll\", \"vmictimeprovider.dll\", \"vmrdvcore.dll\", \"voiprt.dll\", \"vpnike.dll\", \"vpnikeapi.dll\", \"vpnsohdesktop.dll\", \"vpnv2csp.dll\", \"vscmgrps.dll\", \"vssapi.dll\", \"vsstrace.dll\", \"vss_ps.dll\", \"w32time.dll\", 
\"w32topl.dll\", \"waasassessment.dll\", \"waasmediccapsule.dll\", \"waasmedicps.dll\", \"waasmedicsvc.dll\", \"wabsyncprovider.dll\", \"walletproxy.dll\", \"walletservice.dll\", \"wavemsp.dll\", \"wbemcomn.dll\", \"wbiosrvc.dll\", \"wci.dll\", \"wcimage.dll\", \"wcmapi.dll\", \"wcmcsp.dll\", \"wcmsvc.dll\", \"wcnapi.dll\", \"wcncsvc.dll\", \"wcneapauthproxy.dll\", \"wcneappeerproxy.dll\", \"wcnnetsh.dll\", \"wcnwiz.dll\", \"wc_storage.dll\", \"wdc.dll\", \"wdi.dll\", \"wdigest.dll\", \"wdscore.dll\", \"webauthn.dll\", \"webcamui.dll\", \"webcheck.dll\", \"webclnt.dll\", \"webio.dll\", \"webservices.dll\", \"websocket.dll\", \"wecapi.dll\", \"wecsvc.dll\", \"wephostsvc.dll\", \"wer.dll\", \"werconcpl.dll\", \"wercplsupport.dll\", \"werenc.dll\", \"weretw.dll\", \"wersvc.dll\", \"werui.dll\", \"wevtapi.dll\", \"wevtfwd.dll\", \"wevtsvc.dll\", \"wfapigp.dll\", \"wfdprov.dll\", \"wfdsconmgr.dll\", \"wfdsconmgrsvc.dll\", \"wfhc.dll\", \"whealogr.dll\", \"whhelper.dll\", \"wiaaut.dll\", \"wiadefui.dll\", \"wiadss.dll\", \"wiarpc.dll\", \"wiascanprofiles.dll\", \"wiaservc.dll\", \"wiashext.dll\", \"wiatrace.dll\", \"wificloudstore.dll\", \"wificonfigsp.dll\", \"wifidisplay.dll\", \"wimgapi.dll\", \"win32spl.dll\", \"win32u.dll\", \"winbio.dll\", \"winbiodatamodel.dll\", \"winbioext.dll\", \"winbrand.dll\", \"wincorlib.dll\", \"wincredprovider.dll\", \"wincredui.dll\", \"windowmanagement.dll\", \"windowscodecs.dll\", \"windowscodecsext.dll\", \"windowscodecsraw.dll\", \"windowsiotcsp.dll\", \"windowslivelogin.dll\", \"winethc.dll\", \"winhttp.dll\", \"winhttpcom.dll\", \"winhvemulation.dll\", \"winhvplatform.dll\", \"wininet.dll\", \"wininetlui.dll\", \"wininitext.dll\", \"winipcfile.dll\", \"winipcsecproc.dll\", \"winipsec.dll\", \"winlangdb.dll\", \"winlogonext.dll\", \"winmde.dll\", \"winml.dll\", \"winmm.dll\", \"winmmbase.dll\", \"winmsipc.dll\", \"winnlsres.dll\", \"winnsi.dll\", \"winreagent.dll\", \"winrnr.dll\", \"winrscmd.dll\", \"winrsmgr.dll\", 
\"winrssrv.dll\", \"winrttracing.dll\", \"winsatapi.dll\", \"winscard.dll\", \"winsetupui.dll\", \"winshfhc.dll\", \"winsku.dll\", \"winsockhc.dll\", \"winsqlite3.dll\", \"winsrpc.dll\", \"winsrv.dll\", \"winsrvext.dll\", \"winsta.dll\", \"winsync.dll\", \"winsyncmetastore.dll\", \"winsyncproviders.dll\", \"wintrust.dll\", \"wintypes.dll\", \"winusb.dll\", \"wirednetworkcsp.dll\", \"wisp.dll\", \"wkscli.dll\", \"wkspbrokerax.dll\", \"wksprtps.dll\", \"wkssvc.dll\", \"wlanapi.dll\", \"wlancfg.dll\", \"wlanconn.dll\", \"wlandlg.dll\", \"wlangpui.dll\", \"wlanhc.dll\", \"wlanhlp.dll\", \"wlanmediamanager.dll\", \"wlanmm.dll\", \"wlanmsm.dll\", \"wlanpref.dll\", \"wlanradiomanager.dll\", \"wlansec.dll\", \"wlansvc.dll\", \"wlansvcpal.dll\", \"wlanui.dll\", \"wlanutil.dll\", \"wldap32.dll\", \"wldp.dll\", \"wlgpclnt.dll\", \"wlidcli.dll\", \"wlidcredprov.dll\", \"wlidfdp.dll\", \"wlidnsp.dll\", \"wlidprov.dll\", \"wlidres.dll\", \"wlidsvc.dll\", \"wmadmod.dll\", \"wmadmoe.dll\", \"wmalfxgfxdsp.dll\", \"wmasf.dll\", \"wmcodecdspps.dll\", \"wmdmlog.dll\", \"wmdmps.dll\", \"wmdrmsdk.dll\", \"wmerror.dll\", \"wmi.dll\", \"wmiclnt.dll\", \"wmicmiplugin.dll\", \"wmidcom.dll\", \"wmidx.dll\", \"wmiprop.dll\", \"wmitomi.dll\", \"wmnetmgr.dll\", \"wmp.dll\", \"wmpdui.dll\", \"wmpdxm.dll\", \"wmpeffects.dll\", \"wmphoto.dll\", \"wmploc.dll\", \"wmpps.dll\", \"wmpshell.dll\", \"wmsgapi.dll\", \"wmspdmod.dll\", \"wmspdmoe.dll\", \"wmvcore.dll\", \"wmvdecod.dll\", \"wmvdspa.dll\", \"wmvencod.dll\", \"wmvsdecd.dll\", \"wmvsencd.dll\", \"wmvxencd.dll\", \"woftasks.dll\", \"wofutil.dll\", \"wordbreakers.dll\", \"workfoldersgpext.dll\", \"workfoldersres.dll\", \"workfoldersshell.dll\", \"workfolderssvc.dll\", \"wosc.dll\", \"wow64.dll\", \"wow64cpu.dll\", \"wow64win.dll\", \"wpbcreds.dll\", \"wpc.dll\", \"wpcapi.dll\", \"wpcdesktopmonsvc.dll\", \"wpcproxystubs.dll\", \"wpcrefreshtask.dll\", \"wpcwebfilter.dll\", \"wpdbusenum.dll\", \"wpdshext.dll\", \"wpdshserviceobj.dll\", 
\"wpdsp.dll\", \"wpd_ci.dll\", \"wpnapps.dll\", \"wpnclient.dll\", \"wpncore.dll\", \"wpninprc.dll\", \"wpnprv.dll\", \"wpnservice.dll\", \"wpnsruprov.dll\", \"wpnuserservice.dll\", \"wpportinglibrary.dll\", \"wpprecorderum.dll\", \"wptaskscheduler.dll\", \"wpx.dll\", \"ws2help.dll\", \"ws2_32.dll\", \"wscapi.dll\", \"wscinterop.dll\", \"wscisvif.dll\", \"wsclient.dll\", \"wscproxystub.dll\", \"wscsvc.dll\", \"wsdapi.dll\", \"wsdchngr.dll\", \"wsdprintproxy.dll\", \"wsdproviderutil.dll\", \"wsdscanproxy.dll\", \"wsecedit.dll\", \"wsepno.dll\", \"wshbth.dll\", \"wshcon.dll\", \"wshelper.dll\", \"wshext.dll\", \"wshhyperv.dll\", \"wship6.dll\", \"wshqos.dll\", \"wshrm.dll\", \"wshtcpip.dll\", \"wshunix.dll\", \"wslapi.dll\", \"wsmagent.dll\", \"wsmauto.dll\", \"wsmplpxy.dll\", \"wsmres.dll\", \"wsmsvc.dll\", \"wsmwmipl.dll\", \"wsnmp32.dll\", \"wsock32.dll\", \"wsplib.dll\", \"wsp_fs.dll\", \"wsp_health.dll\", \"wsp_sr.dll\", \"wtsapi32.dll\", \"wuapi.dll\", \"wuaueng.dll\", \"wuceffects.dll\", \"wudfcoinstaller.dll\", \"wudfplatform.dll\", \"wudfsmcclassext.dll\", \"wudfx.dll\", \"wudfx02000.dll\", \"wudriver.dll\", \"wups.dll\", \"wups2.dll\", \"wuuhext.dll\", \"wuuhosdeployment.dll\", \"wvc.dll\", \"wwaapi.dll\", \"wwaext.dll\", \"wwanapi.dll\", \"wwancfg.dll\", \"wwanhc.dll\", \"wwanprotdim.dll\", \"wwanradiomanager.dll\", \"wwansvc.dll\", \"wwapi.dll\", \"xamltilerender.dll\", \"xaudio2_8.dll\", \"xaudio2_9.dll\", \"xblauthmanager.dll\", \"xblgamesave.dll\", \"xblgamesaveext.dll\", \"xblgamesaveproxy.dll\", \"xboxgipsvc.dll\", \"xboxgipsynthetic.dll\", \"xboxnetapisvc.dll\", \"xinput1_4.dll\", \"xinput9_1_0.dll\", \"xinputuap.dll\", \"xmlfilter.dll\", \"xmllite.dll\", \"xmlprovi.dll\", \"xolehlp.dll\", \"xpsgdiconverter.dll\", \"xpsprint.dll\", \"xpspushlayer.dll\", \"xpsrasterservice.dll\", \"xpsservices.dll\", \"xwizards.dll\", \"xwreg.dll\", \"xwtpdui.dll\", \"xwtpw32.dll\", \"zipcontainer.dll\", \"zipfldr.dll\", \"bootsvc.dll\", \"halextintcpsedma.dll\", 
\"icsvcvss.dll\", \"ieproxydesktop.dll\", \"lsaadt.dll\", \"nlansp_c.dll\", \"nrtapi.dll\", \"opencl.dll\", \"pfclient.dll\", \"pnpdiag.dll\", \"prxyqry.dll\", \"rdpnanotransport.dll\", \"servicingcommon.dll\", \"sortwindows63.dll\", \"sstpcfg.dll\", \"tdhres.dll\", \"umpodev.dll\", \"utcapi.dll\", \"windlp.dll\", \"wow64base.dll\", \"wow64con.dll\", \"blbuires.dll\", \"bpainst.dll\", \"cbclient.dll\", \"certadm.dll\", \"certocm.dll\", \"certpick.dll\", \"csdeployres.dll\", \"dsdeployres.dll\", \"eapa3hst.dll\", \"eapacfg.dll\", \"eapahost.dll\", \"elsext.dll\", \"encdump.dll\", \"escmigplugin.dll\", \"fsclient.dll\", \"fsdeployres.dll\", \"fssminst.dll\", \"fssmres.dll\", \"fssprov.dll\", \"ipamapi.dll\", \"kpssvc.dll\", \"lbfoadminlib.dll\", \"mintdh.dll\", \"mmci.dll\", \"mmcico.dll\", \"mprsnap.dll\", \"mstsmhst.dll\", \"mstsmmc.dll\", \"muxinst.dll\", \"personax.dll\", \"rassfm.dll\", \"rasuser.dll\", \"rdmsinst.dll\", \"rdmsres.dll\", \"rtrfiltr.dll\", \"sacsvr.dll\", \"scrdenrl.dll\", \"sdclient.dll\", \"sharedstartmodel.dll\", \"smsrouter.dll\", \"spwizimg_svr.dll\", \"sqlcecompact40.dll\", \"sqlceoledb40.dll\", \"sqlceqp40.dll\", \"sqlcese40.dll\", \"srvmgrinst.dll\", \"svrmgrnc.dll\", \"tapisnap.dll\", \"tlsbrand.dll\", \"tsec.dll\", \"tsprop.dll\", \"tspubiconhelper.dll\", \"tssdjet.dll\", \"tsuserex.dll\", \"ualapi.dll\", \"ualsvc.dll\", \"umcres.dll\", \"updatehandlers.dll\", \"usocore.dll\", \"vssui.dll\", \"wsbappres.dll\", \"wsbonline.dll\", \"wsmselpl.dll\", \"wsmselrr.dll\", \"xpsfilt.dll\", \"xpsshhdr.dll\"\n ) and\n not (\n (\n dll.name : \"icuuc.dll\" and dll.code_signature.subject_name in (\n \"Valve\", \"Valve Corp.\", \"Avanquest Software (7270356 Canada Inc)\", \"Adobe Inc.\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : (\"timeSync.dll\", \"appInfo.dll\") and dll.code_signature.subject_name in (\n \"VMware Inc.\", \"VMware, Inc.\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : \"libcrypto.dll\" and 
dll.code_signature.subject_name in (\n \"NoMachine S.a.r.l.\", \"Oculus VR, LLC\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : \"ucrtbase.dll\" and dll.code_signature.subject_name in (\n \"Proofpoint, Inc.\", \"Rapid7 LLC\", \"Eclipse.org Foundation, Inc.\", \"Amazon.com Services LLC\", \"Windows Phone\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : (\"libcrypto.dll\", \"wmi.dll\", \"geolocation.dll\", \"kerberos.dll\") and\n dll.code_signature.subject_name == \"Bitdefender SRL\" and dll.code_signature.trusted == true\n ) or\n (dll.name : \"ICMP.dll\" and dll.code_signature.subject_name == \"Paessler AG\" and dll.code_signature.trusted == true) or\n (dll.name : \"dbghelp.dll\" and dll.code_signature.trusted == true) or\n (dll.name : \"DirectML.dll\" and dll.code_signature.subject_name == \"Adobe Inc.\" and dll.code_signature.trusted == true) or\n (\n dll.path : (\n \"?:\\\\Windows\\\\SystemApps\\\\*\\\\dxgi.dll\",\n \"?:\\\\Windows\\\\SystemApps\\\\*\\\\wincorlib.dll\",\n \"?:\\\\Windows\\\\dxgi.dll\"\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "dll.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "dll.path", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}], "risk_score": 21, "rule_id": "fb01d790-9f74-4e76-97dd-b4b0f7bf6435", "severity": "low", "tags": ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", 
"reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}, {"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}, {"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "fb01d790-9f74-4e76-97dd-b4b0f7bf6435_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_104.json b/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_104.json
deleted file mode 100644
index 4ff38adee86..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fb01d790-9f74-4e76-97dd-b4b0f7bf6435_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies suspicious instances of default system32 DLLs either unsigned or signed with non-MS certificates. This can potentially indicate the attempt to masquerade as system DLLs, perform DLL Search Order Hijacking or backdoor and resign legitimate DLLs.", "from": "now-9m", "index": ["logs-endpoint.events.library-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as System32 DLL", "query": "library where event.action == \"load\" and dll.Ext.relative_file_creation_time <= 3600 and\n not (\n dll.path : (\n \"?:\\\\Windows\\\\System32\\\\*\",\n \"?:\\\\Windows\\\\SysWOW64\\\\*\",\n \"?:\\\\Windows\\\\SystemTemp\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\NewOS\\\\Windows\\\\System32\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\Sources\\\\*\",\n \"?:\\\\$WINDOWS.~BT\\\\Work\\\\*\",\n \"?:\\\\Windows\\\\WinSxS\\\\*\",\n \"?:\\\\Windows\\\\SoftwareDistribution\\\\Download\\\\*\",\n \"?:\\\\Windows\\\\assembly\\\\NativeImages_v*\"\n )\n ) and\n not (\n dll.code_signature.subject_name in (\n \"Microsoft Windows\",\n \"Microsoft Corporation\",\n \"Microsoft Windows Hardware Abstraction Layer Publisher\",\n \"Microsoft Windows Publisher\",\n \"Microsoft Windows 3rd party Component\",\n \"Microsoft 3rd Party Application Component\"\n ) and dll.code_signature.trusted == true\n ) and not dll.code_signature.status : (\"errorCode_endpoint*\", \"errorUntrustedRoot\", \"errorChaining\") and\n dll.name : (\n \"aadauthhelper.dll\", \"aadcloudap.dll\", \"aadjcsp.dll\", \"aadtb.dll\", \"aadwamextension.dll\", \"aarsvc.dll\", \"abovelockapphost.dll\", \"accessibilitycpl.dll\", \"accountaccessor.dll\", \"accountsrt.dll\", \"acgenral.dll\", \"aclayers.dll\", \"acledit.dll\", \"aclui.dll\", \"acmigration.dll\", \"acppage.dll\", \"acproxy.dll\", \"acspecfc.dll\", \"actioncenter.dll\", \"actioncentercpl.dll\", 
\"actionqueue.dll\", \"activationclient.dll\", \"activeds.dll\", \"activesynccsp.dll\", \"actxprxy.dll\", \"acwinrt.dll\", \"acxtrnal.dll\", \"adaptivecards.dll\", \"addressparser.dll\", \"adhapi.dll\", \"adhsvc.dll\", \"admtmpl.dll\", \"adprovider.dll\", \"adrclient.dll\", \"adsldp.dll\", \"adsldpc.dll\", \"adsmsext.dll\", \"adsnt.dll\", \"adtschema.dll\", \"advancedemojids.dll\", \"advapi32.dll\", \"advapi32res.dll\", \"advpack.dll\", \"aeevts.dll\", \"aeinv.dll\", \"aepic.dll\", \"ajrouter.dll\", \"altspace.dll\", \"amsi.dll\", \"amsiproxy.dll\", \"amstream.dll\", \"apds.dll\", \"aphostclient.dll\", \"aphostres.dll\", \"aphostservice.dll\", \"apisampling.dll\", \"apisetschema.dll\", \"apmon.dll\", \"apmonui.dll\", \"appcontracts.dll\", \"appextension.dll\", \"apphelp.dll\", \"apphlpdm.dll\", \"appidapi.dll\", \"appidsvc.dll\", \"appinfo.dll\", \"appinfoext.dll\", \"applicationframe.dll\", \"applockercsp.dll\", \"appmgmts.dll\", \"appmgr.dll\", \"appmon.dll\", \"appointmentapis.dll\", \"appraiser.dll\", \"appreadiness.dll\", \"apprepapi.dll\", \"appresolver.dll\", \"appsruprov.dll\", \"appvcatalog.dll\", \"appvclientps.dll\", \"appvetwclientres.dll\", \"appvintegration.dll\", \"appvmanifest.dll\", \"appvpolicy.dll\", \"appvpublishing.dll\", \"appvreporting.dll\", \"appvscripting.dll\", \"appvsentinel.dll\", \"appvstreamingux.dll\", \"appvstreammap.dll\", \"appvterminator.dll\", \"appxalluserstore.dll\", \"appxpackaging.dll\", \"appxsip.dll\", \"appxsysprep.dll\", \"archiveint.dll\", \"asferror.dll\", \"aspnet_counters.dll\", \"asycfilt.dll\", \"atl.dll\", \"atlthunk.dll\", \"atmlib.dll\", \"audioeng.dll\", \"audiohandlers.dll\", \"audiokse.dll\", \"audioses.dll\", \"audiosrv.dll\", \"auditcse.dll\", \"auditpolcore.dll\", \"auditpolmsg.dll\", \"authbroker.dll\", \"authbrokerui.dll\", \"authentication.dll\", \"authext.dll\", \"authfwcfg.dll\", \"authfwgp.dll\", \"authfwsnapin.dll\", \"authfwwizfwk.dll\", \"authhostproxy.dll\", \"authui.dll\", \"authz.dll\", 
\"autopilot.dll\", \"autopilotdiag.dll\", \"autoplay.dll\", \"autotimesvc.dll\", \"avicap32.dll\", \"avifil32.dll\", \"avrt.dll\", \"axinstsv.dll\", \"azroles.dll\", \"azroleui.dll\", \"azsqlext.dll\", \"basecsp.dll\", \"basesrv.dll\", \"batmeter.dll\", \"bcastdvrbroker.dll\", \"bcastdvrclient.dll\", \"bcastdvrcommon.dll\", \"bcd.dll\", \"bcdprov.dll\", \"bcdsrv.dll\", \"bcp47langs.dll\", \"bcp47mrm.dll\", \"bcrypt.dll\", \"bcryptprimitives.dll\", \"bdehdcfglib.dll\", \"bderepair.dll\", \"bdesvc.dll\", \"bdesysprep.dll\", \"bdeui.dll\", \"bfe.dll\", \"bi.dll\", \"bidispl.dll\", \"bindfltapi.dll\", \"bingasds.dll\", \"bingfilterds.dll\", \"bingmaps.dll\", \"biocredprov.dll\", \"bisrv.dll\", \"bitlockercsp.dll\", \"bitsigd.dll\", \"bitsperf.dll\", \"bitsproxy.dll\", \"biwinrt.dll\", \"blbevents.dll\", \"blbres.dll\", \"blb_ps.dll\", \"bluetoothapis.dll\", \"bnmanager.dll\", \"bootmenuux.dll\", \"bootstr.dll\", \"bootux.dll\", \"bootvid.dll\", \"bridgeres.dll\", \"brokerlib.dll\", \"browcli.dll\", \"browserbroker.dll\", \"browseui.dll\", \"btagservice.dll\", \"bthavctpsvc.dll\", \"bthavrcp.dll\", \"bthavrcpappsvc.dll\", \"bthci.dll\", \"bthpanapi.dll\", \"bthradiomedia.dll\", \"bthserv.dll\", \"bthtelemetry.dll\", \"btpanui.dll\", \"bwcontexthandler.dll\", \"cabapi.dll\", \"cabinet.dll\", \"cabview.dll\", \"callbuttons.dll\", \"cameracaptureui.dll\", \"capauthz.dll\", \"capiprovider.dll\", \"capisp.dll\", \"captureservice.dll\", \"castingshellext.dll\", \"castlaunch.dll\", \"catsrv.dll\", \"catsrvps.dll\", \"catsrvut.dll\", \"cbdhsvc.dll\", \"cca.dll\", \"cdd.dll\", \"cdosys.dll\", \"cdp.dll\", \"cdprt.dll\", \"cdpsvc.dll\", \"cdpusersvc.dll\", \"cemapi.dll\", \"certca.dll\", \"certcli.dll\", \"certcredprovider.dll\", \"certenc.dll\", \"certenroll.dll\", \"certenrollui.dll\", \"certmgr.dll\", \"certpkicmdlet.dll\", \"certpoleng.dll\", \"certprop.dll\", \"cewmdm.dll\", \"cfgbkend.dll\", \"cfgmgr32.dll\", \"cfgspcellular.dll\", \"cfgsppolicy.dll\", \"cflapi.dll\", 
\"cfmifs.dll\", \"cfmifsproxy.dll\", \"chakra.dll\", \"chakradiag.dll\", \"chakrathunk.dll\", \"chartv.dll\", \"chatapis.dll\", \"chkwudrv.dll\", \"chsstrokeds.dll\", \"chtbopomofods.dll\", \"chtcangjieds.dll\", \"chthkstrokeds.dll\", \"chtquickds.dll\", \"chxapds.dll\", \"chxdecoder.dll\", \"chxhapds.dll\", \"chxinputrouter.dll\", \"chxranker.dll\", \"ci.dll\", \"cic.dll\", \"cimfs.dll\", \"circoinst.dll\", \"ciwmi.dll\", \"clb.dll\", \"clbcatq.dll\", \"cldapi.dll\", \"cleanpccsp.dll\", \"clfsw32.dll\", \"cliconfg.dll\", \"clipboardserver.dll\", \"clipc.dll\", \"clipsvc.dll\", \"clipwinrt.dll\", \"cloudap.dll\", \"cloudidsvc.dll\", \"clrhost.dll\", \"clusapi.dll\", \"cmcfg32.dll\", \"cmdext.dll\", \"cmdial32.dll\", \"cmgrcspps.dll\", \"cmifw.dll\", \"cmintegrator.dll\", \"cmlua.dll\", \"cmpbk32.dll\", \"cmstplua.dll\", \"cmutil.dll\", \"cngcredui.dll\", \"cngprovider.dll\", \"cnvfat.dll\", \"cofiredm.dll\", \"colbact.dll\", \"colorcnv.dll\", \"colorui.dll\", \"combase.dll\", \"comcat.dll\", \"comctl32.dll\", \"comdlg32.dll\", \"coml2.dll\", \"comppkgsup.dll\", \"compstui.dll\", \"computecore.dll\", \"computenetwork.dll\", \"computestorage.dll\", \"comrepl.dll\", \"comres.dll\", \"comsnap.dll\", \"comsvcs.dll\", \"comuid.dll\", \"configmanager2.dll\", \"conhostv1.dll\", \"connect.dll\", \"consentux.dll\", \"consentuxclient.dll\", \"console.dll\", \"consolelogon.dll\", \"contactapis.dll\", \"container.dll\", \"coredpus.dll\", \"coreglobconfig.dll\", \"coremas.dll\", \"coremessaging.dll\", \"coremmres.dll\", \"coreshell.dll\", \"coreshellapi.dll\", \"coreuicomponents.dll\", \"correngine.dll\", \"courtesyengine.dll\", \"cpfilters.dll\", \"creddialogbroker.dll\", \"credprovhelper.dll\", \"credprovhost.dll\", \"credprovs.dll\", \"credprovslegacy.dll\", \"credssp.dll\", \"credui.dll\", \"crypt32.dll\", \"cryptbase.dll\", \"cryptcatsvc.dll\", \"cryptdlg.dll\", \"cryptdll.dll\", \"cryptext.dll\", \"cryptnet.dll\", \"cryptngc.dll\", \"cryptowinrt.dll\", \"cryptsp.dll\", 
\"cryptsvc.dll\", \"crypttpmeksvc.dll\", \"cryptui.dll\", \"cryptuiwizard.dll\", \"cryptxml.dll\", \"cscapi.dll\", \"cscdll.dll\", \"cscmig.dll\", \"cscobj.dll\", \"cscsvc.dll\", \"cscui.dll\", \"csplte.dll\", \"cspproxy.dll\", \"csrsrv.dll\", \"cxcredprov.dll\", \"c_g18030.dll\", \"c_gsm7.dll\", \"c_is2022.dll\", \"c_iscii.dll\", \"d2d1.dll\", \"d3d10.dll\", \"d3d10core.dll\", \"d3d10level9.dll\", \"d3d10warp.dll\", \"d3d10_1.dll\", \"d3d10_1core.dll\", \"d3d11.dll\", \"d3d11on12.dll\", \"d3d12.dll\", \"d3d12core.dll\", \"d3d8thk.dll\", \"d3d9.dll\", \"d3d9on12.dll\", \"d3dscache.dll\", \"dab.dll\", \"dabapi.dll\", \"daconn.dll\", \"dafbth.dll\", \"dafdnssd.dll\", \"dafescl.dll\", \"dafgip.dll\", \"dafiot.dll\", \"dafipp.dll\", \"dafmcp.dll\", \"dafpos.dll\", \"dafprintprovider.dll\", \"dafupnp.dll\", \"dafwcn.dll\", \"dafwfdprovider.dll\", \"dafwiprov.dll\", \"dafwsd.dll\", \"damediamanager.dll\", \"damm.dll\", \"das.dll\", \"dataclen.dll\", \"datusage.dll\", \"davclnt.dll\", \"davhlpr.dll\", \"davsyncprovider.dll\", \"daxexec.dll\", \"dbgcore.dll\", \"dbgeng.dll\", \"dbghelp.dll\", \"dbgmodel.dll\", \"dbnetlib.dll\", \"dbnmpntw.dll\", \"dciman32.dll\", \"dcntel.dll\", \"dcomp.dll\", \"ddaclsys.dll\", \"ddcclaimsapi.dll\", \"ddds.dll\", \"ddisplay.dll\", \"ddoiproxy.dll\", \"ddores.dll\", \"ddpchunk.dll\", \"ddptrace.dll\", \"ddputils.dll\", \"ddp_ps.dll\", \"ddraw.dll\", \"ddrawex.dll\", \"defragproxy.dll\", \"defragres.dll\", \"defragsvc.dll\", \"deploymentcsps.dll\", \"deskadp.dll\", \"deskmon.dll\", \"desktopshellext.dll\", \"devenum.dll\", \"deviceaccess.dll\", \"devicecenter.dll\", \"devicecredential.dll\", \"devicepairing.dll\", \"deviceuxres.dll\", \"devinv.dll\", \"devmgr.dll\", \"devobj.dll\", \"devpropmgr.dll\", \"devquerybroker.dll\", \"devrtl.dll\", \"dfdts.dll\", \"dfscli.dll\", \"dfshim.dll\", \"dfsshlex.dll\", \"dggpext.dll\", \"dhcpcmonitor.dll\", \"dhcpcore.dll\", \"dhcpcore6.dll\", \"dhcpcsvc.dll\", \"dhcpcsvc6.dll\", \"dhcpsapi.dll\", 
\"diagcpl.dll\", \"diagnosticlogcsp.dll\", \"diagperf.dll\", \"diagsvc.dll\", \"diagtrack.dll\", \"dialclient.dll\", \"dialserver.dll\", \"dictationmanager.dll\", \"difxapi.dll\", \"dimsjob.dll\", \"dimsroam.dll\", \"dinput.dll\", \"dinput8.dll\", \"direct2ddesktop.dll\", \"directml.dll\", \"discan.dll\", \"dismapi.dll\", \"dispbroker.dll\", \"dispex.dll\", \"display.dll\", \"displaymanager.dll\", \"dlnashext.dll\", \"dmappsres.dll\", \"dmcfgutils.dll\", \"dmcmnutils.dll\", \"dmcsps.dll\", \"dmdlgs.dll\", \"dmdskmgr.dll\", \"dmdskres.dll\", \"dmdskres2.dll\", \"dmenrollengine.dll\", \"dmintf.dll\", \"dmiso8601utils.dll\", \"dmloader.dll\", \"dmocx.dll\", \"dmoleaututils.dll\", \"dmpushproxy.dll\", \"dmpushroutercore.dll\", \"dmrcdecoder.dll\", \"dmrserver.dll\", \"dmsynth.dll\", \"dmusic.dll\", \"dmutil.dll\", \"dmvdsitf.dll\", \"dmwappushsvc.dll\", \"dmwmicsp.dll\", \"dmxmlhelputils.dll\", \"dnsapi.dll\", \"dnscmmc.dll\", \"dnsext.dll\", \"dnshc.dll\", \"dnsrslvr.dll\", \"docprop.dll\", \"dolbydecmft.dll\", \"domgmt.dll\", \"dosettings.dll\", \"dosvc.dll\", \"dot3api.dll\", \"dot3cfg.dll\", \"dot3conn.dll\", \"dot3dlg.dll\", \"dot3gpclnt.dll\", \"dot3gpui.dll\", \"dot3hc.dll\", \"dot3mm.dll\", \"dot3msm.dll\", \"dot3svc.dll\", \"dot3ui.dll\", \"dpapi.dll\", \"dpapiprovider.dll\", \"dpapisrv.dll\", \"dpnaddr.dll\", \"dpnathlp.dll\", \"dpnet.dll\", \"dpnhpast.dll\", \"dpnhupnp.dll\", \"dpnlobby.dll\", \"dps.dll\", \"dpx.dll\", \"drprov.dll\", \"drt.dll\", \"drtprov.dll\", \"drttransport.dll\", \"drvsetup.dll\", \"drvstore.dll\", \"dsauth.dll\", \"dsccore.dll\", \"dsccoreconfprov.dll\", \"dsclient.dll\", \"dscproxy.dll\", \"dsctimer.dll\", \"dsdmo.dll\", \"dskquota.dll\", \"dskquoui.dll\", \"dsound.dll\", \"dsparse.dll\", \"dsprop.dll\", \"dsquery.dll\", \"dsreg.dll\", \"dsregtask.dll\", \"dsrole.dll\", \"dssec.dll\", \"dssenh.dll\", \"dssvc.dll\", \"dsui.dll\", \"dsuiext.dll\", \"dswave.dll\", \"dtsh.dll\", \"ducsps.dll\", \"dui70.dll\", \"duser.dll\", 
\"dusmapi.dll\", \"dusmsvc.dll\", \"dwmapi.dll\", \"dwmcore.dll\", \"dwmghost.dll\", \"dwminit.dll\", \"dwmredir.dll\", \"dwmscene.dll\", \"dwrite.dll\", \"dxcore.dll\", \"dxdiagn.dll\", \"dxgi.dll\", \"dxgwdi.dll\", \"dxilconv.dll\", \"dxmasf.dll\", \"dxp.dll\", \"dxpps.dll\", \"dxptasksync.dll\", \"dxtmsft.dll\", \"dxtrans.dll\", \"dxva2.dll\", \"dynamoapi.dll\", \"eapp3hst.dll\", \"eappcfg.dll\", \"eappcfgui.dll\", \"eappgnui.dll\", \"eapphost.dll\", \"eappprxy.dll\", \"eapprovp.dll\", \"eapputil.dll\", \"eapsimextdesktop.dll\", \"eapsvc.dll\", \"eapteapauth.dll\", \"eapteapconfig.dll\", \"eapteapext.dll\", \"easconsent.dll\", \"easwrt.dll\", \"edgeangle.dll\", \"edgecontent.dll\", \"edgehtml.dll\", \"edgeiso.dll\", \"edgemanager.dll\", \"edpauditapi.dll\", \"edpcsp.dll\", \"edptask.dll\", \"edputil.dll\", \"eeprov.dll\", \"eeutil.dll\", \"efsadu.dll\", \"efscore.dll\", \"efsext.dll\", \"efslsaext.dll\", \"efssvc.dll\", \"efsutil.dll\", \"efswrt.dll\", \"ehstorapi.dll\", \"ehstorpwdmgr.dll\", \"ehstorshell.dll\", \"els.dll\", \"elscore.dll\", \"elshyph.dll\", \"elslad.dll\", \"elstrans.dll\", \"emailapis.dll\", \"embeddedmodesvc.dll\", \"emojids.dll\", \"encapi.dll\", \"energy.dll\", \"energyprov.dll\", \"energytask.dll\", \"enrollmentapi.dll\", \"enterpriseapncsp.dll\", \"enterprisecsps.dll\", \"enterpriseetw.dll\", \"eqossnap.dll\", \"errordetails.dll\", \"errordetailscore.dll\", \"es.dll\", \"esclprotocol.dll\", \"esclscan.dll\", \"esclwiadriver.dll\", \"esdsip.dll\", \"esent.dll\", \"esentprf.dll\", \"esevss.dll\", \"eshims.dll\", \"etwrundown.dll\", \"euiccscsp.dll\", \"eventaggregation.dll\", \"eventcls.dll\", \"evr.dll\", \"execmodelclient.dll\", \"execmodelproxy.dll\", \"explorerframe.dll\", \"exsmime.dll\", \"extrasxmlparser.dll\", \"f3ahvoas.dll\", \"facilitator.dll\", \"familysafetyext.dll\", \"faultrep.dll\", \"fcon.dll\", \"fdbth.dll\", \"fdbthproxy.dll\", \"fddevquery.dll\", \"fde.dll\", \"fdeploy.dll\", \"fdphost.dll\", \"fdpnp.dll\", 
\"fdprint.dll\", \"fdproxy.dll\", \"fdrespub.dll\", \"fdssdp.dll\", \"fdwcn.dll\", \"fdwnet.dll\", \"fdwsd.dll\", \"feclient.dll\", \"ffbroker.dll\", \"fhcat.dll\", \"fhcfg.dll\", \"fhcleanup.dll\", \"fhcpl.dll\", \"fhengine.dll\", \"fhevents.dll\", \"fhshl.dll\", \"fhsrchapi.dll\", \"fhsrchph.dll\", \"fhsvc.dll\", \"fhsvcctl.dll\", \"fhtask.dll\", \"fhuxadapter.dll\", \"fhuxapi.dll\", \"fhuxcommon.dll\", \"fhuxgraphics.dll\", \"fhuxpresentation.dll\", \"fidocredprov.dll\", \"filemgmt.dll\", \"filterds.dll\", \"findnetprinters.dll\", \"firewallapi.dll\", \"flightsettings.dll\", \"fltlib.dll\", \"fluencyds.dll\", \"fmapi.dll\", \"fmifs.dll\", \"fms.dll\", \"fntcache.dll\", \"fontext.dll\", \"fontprovider.dll\", \"fontsub.dll\", \"fphc.dll\", \"framedyn.dll\", \"framedynos.dll\", \"frameserver.dll\", \"frprov.dll\", \"fsutilext.dll\", \"fthsvc.dll\", \"fundisc.dll\", \"fveapi.dll\", \"fveapibase.dll\", \"fvecerts.dll\", \"fvecpl.dll\", \"fveskybackup.dll\", \"fveui.dll\", \"fvewiz.dll\", \"fwbase.dll\", \"fwcfg.dll\", \"fwmdmcsp.dll\", \"fwpolicyiomgr.dll\", \"fwpuclnt.dll\", \"fwremotesvr.dll\", \"gameinput.dll\", \"gamemode.dll\", \"gamestreamingext.dll\", \"gameux.dll\", \"gamingtcui.dll\", \"gcdef.dll\", \"gdi32.dll\", \"gdi32full.dll\", \"gdiplus.dll\", \"generaltel.dll\", \"geocommon.dll\", \"geolocation.dll\", \"getuname.dll\", \"glmf32.dll\", \"globinputhost.dll\", \"glu32.dll\", \"gmsaclient.dll\", \"gpapi.dll\", \"gpcsewrappercsp.dll\", \"gpedit.dll\", \"gpprefcl.dll\", \"gpprnext.dll\", \"gpscript.dll\", \"gpsvc.dll\", \"gptext.dll\", \"graphicscapture.dll\", \"graphicsperfsvc.dll\", \"groupinghc.dll\", \"hal.dll\", \"halextpl080.dll\", \"hascsp.dll\", \"hashtagds.dll\", \"hbaapi.dll\", \"hcproviders.dll\", \"hdcphandler.dll\", \"heatcore.dll\", \"helppaneproxy.dll\", \"hgcpl.dll\", \"hhsetup.dll\", \"hid.dll\", \"hidcfu.dll\", \"hidserv.dll\", \"hlink.dll\", \"hmkd.dll\", \"hnetcfg.dll\", \"hnetcfgclient.dll\", \"hnetmon.dll\", \"hologramworld.dll\", 
\"holoshellruntime.dll\", \"holoshextensions.dll\", \"hotplug.dll\", \"hrtfapo.dll\", \"httpapi.dll\", \"httpprxc.dll\", \"httpprxm.dll\", \"httpprxp.dll\", \"httpsdatasource.dll\", \"htui.dll\", \"hvhostsvc.dll\", \"hvloader.dll\", \"hvsigpext.dll\", \"hvsocket.dll\", \"hydrogen.dll\", \"ia2comproxy.dll\", \"ias.dll\", \"iasacct.dll\", \"iasads.dll\", \"iasdatastore.dll\", \"iashlpr.dll\", \"iasmigplugin.dll\", \"iasnap.dll\", \"iaspolcy.dll\", \"iasrad.dll\", \"iasrecst.dll\", \"iassam.dll\", \"iassdo.dll\", \"iassvcs.dll\", \"icfupgd.dll\", \"icm32.dll\", \"icmp.dll\", \"icmui.dll\", \"iconcodecservice.dll\", \"icsigd.dll\", \"icsvc.dll\", \"icsvcext.dll\", \"icu.dll\", \"icuin.dll\", \"icuuc.dll\", \"idctrls.dll\", \"idlisten.dll\", \"idndl.dll\", \"idstore.dll\", \"ieadvpack.dll\", \"ieapfltr.dll\", \"iedkcs32.dll\", \"ieframe.dll\", \"iemigplugin.dll\", \"iepeers.dll\", \"ieproxy.dll\", \"iernonce.dll\", \"iertutil.dll\", \"iesetup.dll\", \"iesysprep.dll\", \"ieui.dll\", \"ifmon.dll\", \"ifsutil.dll\", \"ifsutilx.dll\", \"igddiag.dll\", \"ihds.dll\", \"ikeext.dll\", \"imagehlp.dll\", \"imageres.dll\", \"imagesp1.dll\", \"imapi.dll\", \"imapi2.dll\", \"imapi2fs.dll\", \"imgutil.dll\", \"imm32.dll\", \"implatsetup.dll\", \"indexeddblegacy.dll\", \"inetcomm.dll\", \"inetmib1.dll\", \"inetpp.dll\", \"inetppui.dll\", \"inetres.dll\", \"inked.dll\", \"inkobjcore.dll\", \"inproclogger.dll\", \"input.dll\", \"inputcloudstore.dll\", \"inputcontroller.dll\", \"inputhost.dll\", \"inputservice.dll\", \"inputswitch.dll\", \"inseng.dll\", \"installservice.dll\", \"internetmail.dll\", \"internetmailcsp.dll\", \"invagent.dll\", \"iologmsg.dll\", \"iphlpapi.dll\", \"iphlpsvc.dll\", \"ipnathlp.dll\", \"ipnathlpclient.dll\", \"ippcommon.dll\", \"ippcommonproxy.dll\", \"iprtprio.dll\", \"iprtrmgr.dll\", \"ipsecsnp.dll\", \"ipsecsvc.dll\", \"ipsmsnap.dll\", \"ipxlatcfg.dll\", \"iri.dll\", \"iscsicpl.dll\", \"iscsidsc.dll\", \"iscsied.dll\", \"iscsiexe.dll\", \"iscsilog.dll\", 
\"iscsium.dll\", \"iscsiwmi.dll\", \"iscsiwmiv2.dll\", \"ism.dll\", \"itircl.dll\", \"itss.dll\", \"iuilp.dll\", \"iumbase.dll\", \"iumcrypt.dll\", \"iumdll.dll\", \"iumsdk.dll\", \"iyuv_32.dll\", \"joinproviderol.dll\", \"joinutil.dll\", \"jpmapcontrol.dll\", \"jpndecoder.dll\", \"jpninputrouter.dll\", \"jpnranker.dll\", \"jpnserviceds.dll\", \"jscript.dll\", \"jscript9.dll\", \"jscript9diag.dll\", \"jsproxy.dll\", \"kbd101.dll\", \"kbd101a.dll\", \"kbd101b.dll\", \"kbd101c.dll\", \"kbd103.dll\", \"kbd106.dll\", \"kbd106n.dll\", \"kbda1.dll\", \"kbda2.dll\", \"kbda3.dll\", \"kbdadlm.dll\", \"kbdal.dll\", \"kbdarme.dll\", \"kbdarmph.dll\", \"kbdarmty.dll\", \"kbdarmw.dll\", \"kbdax2.dll\", \"kbdaze.dll\", \"kbdazel.dll\", \"kbdazst.dll\", \"kbdbash.dll\", \"kbdbe.dll\", \"kbdbene.dll\", \"kbdbgph.dll\", \"kbdbgph1.dll\", \"kbdbhc.dll\", \"kbdblr.dll\", \"kbdbr.dll\", \"kbdbu.dll\", \"kbdbug.dll\", \"kbdbulg.dll\", \"kbdca.dll\", \"kbdcan.dll\", \"kbdcher.dll\", \"kbdcherp.dll\", \"kbdcr.dll\", \"kbdcz.dll\", \"kbdcz1.dll\", \"kbdcz2.dll\", \"kbdda.dll\", \"kbddiv1.dll\", \"kbddiv2.dll\", \"kbddv.dll\", \"kbddzo.dll\", \"kbdes.dll\", \"kbdest.dll\", \"kbdfa.dll\", \"kbdfar.dll\", \"kbdfc.dll\", \"kbdfi.dll\", \"kbdfi1.dll\", \"kbdfo.dll\", \"kbdfr.dll\", \"kbdfthrk.dll\", \"kbdgae.dll\", \"kbdgeo.dll\", \"kbdgeoer.dll\", \"kbdgeome.dll\", \"kbdgeooa.dll\", \"kbdgeoqw.dll\", \"kbdgkl.dll\", \"kbdgn.dll\", \"kbdgr.dll\", \"kbdgr1.dll\", \"kbdgrlnd.dll\", \"kbdgthc.dll\", \"kbdhau.dll\", \"kbdhaw.dll\", \"kbdhe.dll\", \"kbdhe220.dll\", \"kbdhe319.dll\", \"kbdheb.dll\", \"kbdhebl3.dll\", \"kbdhela2.dll\", \"kbdhela3.dll\", \"kbdhept.dll\", \"kbdhu.dll\", \"kbdhu1.dll\", \"kbdibm02.dll\", \"kbdibo.dll\", \"kbdic.dll\", \"kbdinasa.dll\", \"kbdinbe1.dll\", \"kbdinbe2.dll\", \"kbdinben.dll\", \"kbdindev.dll\", \"kbdinen.dll\", \"kbdinguj.dll\", \"kbdinhin.dll\", \"kbdinkan.dll\", \"kbdinmal.dll\", \"kbdinmar.dll\", \"kbdinori.dll\", \"kbdinpun.dll\", \"kbdintam.dll\", 
\"kbdintel.dll\", \"kbdinuk2.dll\", \"kbdir.dll\", \"kbdit.dll\", \"kbdit142.dll\", \"kbdiulat.dll\", \"kbdjav.dll\", \"kbdjpn.dll\", \"kbdkaz.dll\", \"kbdkhmr.dll\", \"kbdkni.dll\", \"kbdkor.dll\", \"kbdkurd.dll\", \"kbdkyr.dll\", \"kbdla.dll\", \"kbdlao.dll\", \"kbdlisub.dll\", \"kbdlisus.dll\", \"kbdlk41a.dll\", \"kbdlt.dll\", \"kbdlt1.dll\", \"kbdlt2.dll\", \"kbdlv.dll\", \"kbdlv1.dll\", \"kbdlvst.dll\", \"kbdmac.dll\", \"kbdmacst.dll\", \"kbdmaori.dll\", \"kbdmlt47.dll\", \"kbdmlt48.dll\", \"kbdmon.dll\", \"kbdmonmo.dll\", \"kbdmonst.dll\", \"kbdmyan.dll\", \"kbdne.dll\", \"kbdnec.dll\", \"kbdnec95.dll\", \"kbdnecat.dll\", \"kbdnecnt.dll\", \"kbdnepr.dll\", \"kbdnko.dll\", \"kbdno.dll\", \"kbdno1.dll\", \"kbdnso.dll\", \"kbdntl.dll\", \"kbdogham.dll\", \"kbdolch.dll\", \"kbdoldit.dll\", \"kbdosa.dll\", \"kbdosm.dll\", \"kbdpash.dll\", \"kbdphags.dll\", \"kbdpl.dll\", \"kbdpl1.dll\", \"kbdpo.dll\", \"kbdro.dll\", \"kbdropr.dll\", \"kbdrost.dll\", \"kbdru.dll\", \"kbdru1.dll\", \"kbdrum.dll\", \"kbdsf.dll\", \"kbdsg.dll\", \"kbdsl.dll\", \"kbdsl1.dll\", \"kbdsmsfi.dll\", \"kbdsmsno.dll\", \"kbdsn1.dll\", \"kbdsora.dll\", \"kbdsorex.dll\", \"kbdsors1.dll\", \"kbdsorst.dll\", \"kbdsp.dll\", \"kbdsw.dll\", \"kbdsw09.dll\", \"kbdsyr1.dll\", \"kbdsyr2.dll\", \"kbdtaile.dll\", \"kbdtajik.dll\", \"kbdtam99.dll\", \"kbdtat.dll\", \"kbdth0.dll\", \"kbdth1.dll\", \"kbdth2.dll\", \"kbdth3.dll\", \"kbdtifi.dll\", \"kbdtifi2.dll\", \"kbdtiprc.dll\", \"kbdtiprd.dll\", \"kbdtt102.dll\", \"kbdtuf.dll\", \"kbdtuq.dll\", \"kbdturme.dll\", \"kbdtzm.dll\", \"kbdughr.dll\", \"kbdughr1.dll\", \"kbduk.dll\", \"kbdukx.dll\", \"kbdur.dll\", \"kbdur1.dll\", \"kbdurdu.dll\", \"kbdus.dll\", \"kbdusa.dll\", \"kbdusl.dll\", \"kbdusr.dll\", \"kbdusx.dll\", \"kbduzb.dll\", \"kbdvntc.dll\", \"kbdwol.dll\", \"kbdyak.dll\", \"kbdyba.dll\", \"kbdycc.dll\", \"kbdycl.dll\", \"kd.dll\", \"kdcom.dll\", \"kdcpw.dll\", \"kdhvcom.dll\", \"kdnet.dll\", \"kdnet_uart16550.dll\", \"kdscli.dll\", 
\"kdstub.dll\", \"kdusb.dll\", \"kd_02_10df.dll\", \"kd_02_10ec.dll\", \"kd_02_1137.dll\", \"kd_02_14e4.dll\", \"kd_02_15b3.dll\", \"kd_02_1969.dll\", \"kd_02_19a2.dll\", \"kd_02_1af4.dll\", \"kd_02_8086.dll\", \"kd_07_1415.dll\", \"kd_0c_8086.dll\", \"kerbclientshared.dll\", \"kerberos.dll\", \"kernel32.dll\", \"kernelbase.dll\", \"keycredmgr.dll\", \"keyiso.dll\", \"keymgr.dll\", \"knobscore.dll\", \"knobscsp.dll\", \"ksuser.dll\", \"ktmw32.dll\", \"l2gpstore.dll\", \"l2nacp.dll\", \"l2sechc.dll\", \"laprxy.dll\", \"legacynetux.dll\", \"lfsvc.dll\", \"libcrypto.dll\", \"licensemanager.dll\", \"licensingcsp.dll\", \"licensingdiagspp.dll\", \"licensingwinrt.dll\", \"licmgr10.dll\", \"linkinfo.dll\", \"lltdapi.dll\", \"lltdres.dll\", \"lltdsvc.dll\", \"lmhsvc.dll\", \"loadperf.dll\", \"localsec.dll\", \"localspl.dll\", \"localui.dll\", \"locationapi.dll\", \"lockappbroker.dll\", \"lockcontroller.dll\", \"lockscreendata.dll\", \"loghours.dll\", \"logoncli.dll\", \"logoncontroller.dll\", \"lpasvc.dll\", \"lpk.dll\", \"lsasrv.dll\", \"lscshostpolicy.dll\", \"lsm.dll\", \"lsmproxy.dll\", \"lstelemetry.dll\", \"luainstall.dll\", \"luiapi.dll\", \"lz32.dll\", \"magnification.dll\", \"maintenanceui.dll\", \"manageci.dll\", \"mapconfiguration.dll\", \"mapcontrolcore.dll\", \"mapgeocoder.dll\", \"mapi32.dll\", \"mapistub.dll\", \"maprouter.dll\", \"mapsbtsvc.dll\", \"mapsbtsvcproxy.dll\", \"mapscsp.dll\", \"mapsstore.dll\", \"mapstoasttask.dll\", \"mapsupdatetask.dll\", \"mbaeapi.dll\", \"mbaeapipublic.dll\", \"mbaexmlparser.dll\", \"mbmediamanager.dll\", \"mbsmsapi.dll\", \"mbussdapi.dll\", \"mccsengineshared.dll\", \"mccspal.dll\", \"mciavi32.dll\", \"mcicda.dll\", \"mciqtz32.dll\", \"mciseq.dll\", \"mciwave.dll\", \"mcrecvsrc.dll\", \"mdmcommon.dll\", \"mdmdiagnostics.dll\", \"mdminst.dll\", \"mdmmigrator.dll\", \"mdmregistration.dll\", \"memorydiagnostic.dll\", \"messagingservice.dll\", \"mf.dll\", \"mf3216.dll\", \"mfaacenc.dll\", \"mfasfsrcsnk.dll\", 
\"mfaudiocnv.dll\", \"mfc42.dll\", \"mfc42u.dll\", \"mfcaptureengine.dll\", \"mfcore.dll\", \"mfcsubs.dll\", \"mfds.dll\", \"mfdvdec.dll\", \"mferror.dll\", \"mfh263enc.dll\", \"mfh264enc.dll\", \"mfksproxy.dll\", \"mfmediaengine.dll\", \"mfmjpegdec.dll\", \"mfmkvsrcsnk.dll\", \"mfmp4srcsnk.dll\", \"mfmpeg2srcsnk.dll\", \"mfnetcore.dll\", \"mfnetsrc.dll\", \"mfperfhelper.dll\", \"mfplat.dll\", \"mfplay.dll\", \"mfps.dll\", \"mfreadwrite.dll\", \"mfsensorgroup.dll\", \"mfsrcsnk.dll\", \"mfsvr.dll\", \"mftranscode.dll\", \"mfvdsp.dll\", \"mfvfw.dll\", \"mfwmaaec.dll\", \"mgmtapi.dll\", \"mi.dll\", \"mibincodec.dll\", \"midimap.dll\", \"migisol.dll\", \"miguiresource.dll\", \"mimefilt.dll\", \"mimofcodec.dll\", \"minstoreevents.dll\", \"miracastinputmgr.dll\", \"miracastreceiver.dll\", \"mirrordrvcompat.dll\", \"mispace.dll\", \"mitigationclient.dll\", \"miutils.dll\", \"mlang.dll\", \"mmcbase.dll\", \"mmcndmgr.dll\", \"mmcshext.dll\", \"mmdevapi.dll\", \"mmgaclient.dll\", \"mmgaproxystub.dll\", \"mmres.dll\", \"mobilenetworking.dll\", \"modemui.dll\", \"modernexecserver.dll\", \"moricons.dll\", \"moshost.dll\", \"moshostclient.dll\", \"moshostcore.dll\", \"mosstorage.dll\", \"mp3dmod.dll\", \"mp43decd.dll\", \"mp4sdecd.dll\", \"mpeval.dll\", \"mpg4decd.dll\", \"mpr.dll\", \"mprapi.dll\", \"mprddm.dll\", \"mprdim.dll\", \"mprext.dll\", \"mprmsg.dll\", \"mpssvc.dll\", \"mpunits.dll\", \"mrmcorer.dll\", \"mrmdeploy.dll\", \"mrmindexer.dll\", \"mrt100.dll\", \"mrt_map.dll\", \"msaatext.dll\", \"msac3enc.dll\", \"msacm32.dll\", \"msafd.dll\", \"msajapi.dll\", \"msalacdecoder.dll\", \"msalacencoder.dll\", \"msamrnbdecoder.dll\", \"msamrnbencoder.dll\", \"msamrnbsink.dll\", \"msamrnbsource.dll\", \"msasn1.dll\", \"msauddecmft.dll\", \"msaudite.dll\", \"msauserext.dll\", \"mscandui.dll\", \"mscat32.dll\", \"msclmd.dll\", \"mscms.dll\", \"mscoree.dll\", \"mscorier.dll\", \"mscories.dll\", \"msctf.dll\", \"msctfmonitor.dll\", \"msctfp.dll\", \"msctfui.dll\", 
\"msctfuimanager.dll\", \"msdadiag.dll\", \"msdart.dll\", \"msdelta.dll\", \"msdmo.dll\", \"msdrm.dll\", \"msdtckrm.dll\", \"msdtclog.dll\", \"msdtcprx.dll\", \"msdtcspoffln.dll\", \"msdtctm.dll\", \"msdtcuiu.dll\", \"msdtcvsp1res.dll\", \"msfeeds.dll\", \"msfeedsbs.dll\", \"msflacdecoder.dll\", \"msflacencoder.dll\", \"msftedit.dll\", \"msheif.dll\", \"mshtml.dll\", \"mshtmldac.dll\", \"mshtmled.dll\", \"mshtmler.dll\", \"msi.dll\", \"msicofire.dll\", \"msidcrl40.dll\", \"msident.dll\", \"msidle.dll\", \"msidntld.dll\", \"msieftp.dll\", \"msihnd.dll\", \"msiltcfg.dll\", \"msimg32.dll\", \"msimsg.dll\", \"msimtf.dll\", \"msisip.dll\", \"msiso.dll\", \"msiwer.dll\", \"mskeyprotcli.dll\", \"mskeyprotect.dll\", \"msls31.dll\", \"msmpeg2adec.dll\", \"msmpeg2enc.dll\", \"msmpeg2vdec.dll\", \"msobjs.dll\", \"msoert2.dll\", \"msopusdecoder.dll\", \"mspatcha.dll\", \"mspatchc.dll\", \"msphotography.dll\", \"msports.dll\", \"msprivs.dll\", \"msrahc.dll\", \"msrating.dll\", \"msrawimage.dll\", \"msrdc.dll\", \"msrdpwebaccess.dll\", \"msrle32.dll\", \"msscntrs.dll\", \"mssecuser.dll\", \"mssign32.dll\", \"mssip32.dll\", \"mssitlb.dll\", \"mssph.dll\", \"mssprxy.dll\", \"mssrch.dll\", \"mssvp.dll\", \"mstask.dll\", \"mstextprediction.dll\", \"mstscax.dll\", \"msutb.dll\", \"msv1_0.dll\", \"msvcirt.dll\", \"msvcp110_win.dll\", \"msvcp120_clr0400.dll\", \"msvcp140_clr0400.dll\", \"msvcp60.dll\", \"msvcp_win.dll\", \"msvcr100_clr0400.dll\", \"msvcr120_clr0400.dll\", \"msvcrt.dll\", \"msvfw32.dll\", \"msvidc32.dll\", \"msvidctl.dll\", \"msvideodsp.dll\", \"msvp9dec.dll\", \"msvproc.dll\", \"msvpxenc.dll\", \"mswb7.dll\", \"mswebp.dll\", \"mswmdm.dll\", \"mswsock.dll\", \"msxml3.dll\", \"msxml3r.dll\", \"msxml6.dll\", \"msxml6r.dll\", \"msyuv.dll\", \"mtcmodel.dll\", \"mtf.dll\", \"mtfappserviceds.dll\", \"mtfdecoder.dll\", \"mtffuzzyds.dll\", \"mtfserver.dll\", \"mtfspellcheckds.dll\", \"mtxclu.dll\", \"mtxdm.dll\", \"mtxex.dll\", \"mtxoci.dll\", \"muifontsetup.dll\", 
\"mycomput.dll\", \"mydocs.dll\", \"napcrypt.dll\", \"napinsp.dll\", \"naturalauth.dll\", \"naturallanguage6.dll\", \"navshutdown.dll\", \"ncaapi.dll\", \"ncasvc.dll\", \"ncbservice.dll\", \"ncdautosetup.dll\", \"ncdprop.dll\", \"nci.dll\", \"ncobjapi.dll\", \"ncrypt.dll\", \"ncryptprov.dll\", \"ncryptsslp.dll\", \"ncsi.dll\", \"ncuprov.dll\", \"nddeapi.dll\", \"ndfapi.dll\", \"ndfetw.dll\", \"ndfhcdiscovery.dll\", \"ndishc.dll\", \"ndproxystub.dll\", \"nduprov.dll\", \"negoexts.dll\", \"netapi32.dll\", \"netbios.dll\", \"netcenter.dll\", \"netcfgx.dll\", \"netcorehc.dll\", \"netdiagfx.dll\", \"netdriverinstall.dll\", \"netevent.dll\", \"netfxperf.dll\", \"neth.dll\", \"netid.dll\", \"netiohlp.dll\", \"netjoin.dll\", \"netlogon.dll\", \"netman.dll\", \"netmsg.dll\", \"netplwiz.dll\", \"netprofm.dll\", \"netprofmsvc.dll\", \"netprovfw.dll\", \"netprovisionsp.dll\", \"netsetupapi.dll\", \"netsetupengine.dll\", \"netsetupshim.dll\", \"netsetupsvc.dll\", \"netshell.dll\", \"nettrace.dll\", \"netutils.dll\", \"networkexplorer.dll\", \"networkhelper.dll\", \"networkicon.dll\", \"networkproxycsp.dll\", \"networkstatus.dll\", \"networkuxbroker.dll\", \"newdev.dll\", \"nfcradiomedia.dll\", \"ngccredprov.dll\", \"ngcctnr.dll\", \"ngcctnrsvc.dll\", \"ngcisoctnr.dll\", \"ngckeyenum.dll\", \"ngcksp.dll\", \"ngclocal.dll\", \"ngcpopkeysrv.dll\", \"ngcprocsp.dll\", \"ngcrecovery.dll\", \"ngcsvc.dll\", \"ngctasks.dll\", \"ninput.dll\", \"nlaapi.dll\", \"nlahc.dll\", \"nlasvc.dll\", \"nlhtml.dll\", \"nlmgp.dll\", \"nlmproxy.dll\", \"nlmsprep.dll\", \"nlsbres.dll\", \"nlsdata0000.dll\", \"nlsdata0009.dll\", \"nlsdl.dll\", \"nlslexicons0009.dll\", \"nmadirect.dll\", \"normaliz.dll\", \"npmproxy.dll\", \"npsm.dll\", \"nrpsrv.dll\", \"nshhttp.dll\", \"nshipsec.dll\", \"nshwfp.dll\", \"nsi.dll\", \"nsisvc.dll\", \"ntasn1.dll\", \"ntdll.dll\", \"ntdsapi.dll\", \"ntlanman.dll\", \"ntlanui2.dll\", \"ntlmshared.dll\", \"ntmarta.dll\", \"ntprint.dll\", \"ntshrui.dll\", \"ntvdm64.dll\", 
\"objsel.dll\", \"occache.dll\", \"ocsetapi.dll\", \"odbc32.dll\", \"odbcbcp.dll\", \"odbcconf.dll\", \"odbccp32.dll\", \"odbccr32.dll\", \"odbccu32.dll\", \"odbcint.dll\", \"odbctrac.dll\", \"oemlicense.dll\", \"offfilt.dll\", \"officecsp.dll\", \"offlinelsa.dll\", \"offlinesam.dll\", \"offreg.dll\", \"ole32.dll\", \"oleacc.dll\", \"oleacchooks.dll\", \"oleaccrc.dll\", \"oleaut32.dll\", \"oledlg.dll\", \"oleprn.dll\", \"omadmagent.dll\", \"omadmapi.dll\", \"onebackuphandler.dll\", \"onex.dll\", \"onexui.dll\", \"opcservices.dll\", \"opengl32.dll\", \"ortcengine.dll\", \"osbaseln.dll\", \"osksupport.dll\", \"osuninst.dll\", \"p2p.dll\", \"p2pgraph.dll\", \"p2pnetsh.dll\", \"p2psvc.dll\", \"packager.dll\", \"panmap.dll\", \"pautoenr.dll\", \"pcacli.dll\", \"pcadm.dll\", \"pcaevts.dll\", \"pcasvc.dll\", \"pcaui.dll\", \"pcpksp.dll\", \"pcsvdevice.dll\", \"pcwum.dll\", \"pcwutl.dll\", \"pdh.dll\", \"pdhui.dll\", \"peerdist.dll\", \"peerdistad.dll\", \"peerdistcleaner.dll\", \"peerdistsh.dll\", \"peerdistsvc.dll\", \"peopleapis.dll\", \"peopleband.dll\", \"perceptiondevice.dll\", \"perfctrs.dll\", \"perfdisk.dll\", \"perfnet.dll\", \"perfos.dll\", \"perfproc.dll\", \"perfts.dll\", \"phoneom.dll\", \"phoneproviders.dll\", \"phoneservice.dll\", \"phoneserviceres.dll\", \"phoneutil.dll\", \"phoneutilres.dll\", \"photowiz.dll\", \"pickerplatform.dll\", \"pid.dll\", \"pidgenx.dll\", \"pifmgr.dll\", \"pimstore.dll\", \"pkeyhelper.dll\", \"pktmonapi.dll\", \"pku2u.dll\", \"pla.dll\", \"playlistfolder.dll\", \"playsndsrv.dll\", \"playtodevice.dll\", \"playtomanager.dll\", \"playtomenu.dll\", \"playtoreceiver.dll\", \"ploptin.dll\", \"pmcsnap.dll\", \"pngfilt.dll\", \"pnidui.dll\", \"pnpclean.dll\", \"pnppolicy.dll\", \"pnpts.dll\", \"pnpui.dll\", \"pnpxassoc.dll\", \"pnpxassocprx.dll\", \"pnrpauto.dll\", \"pnrphc.dll\", \"pnrpnsp.dll\", \"pnrpsvc.dll\", \"policymanager.dll\", \"polstore.dll\", \"posetup.dll\", \"posyncservices.dll\", \"pots.dll\", \"powercpl.dll\", 
\"powrprof.dll\", \"ppcsnap.dll\", \"prauthproviders.dll\", \"prflbmsg.dll\", \"printui.dll\", \"printwsdahost.dll\", \"prm0009.dll\", \"prncache.dll\", \"prnfldr.dll\", \"prnntfy.dll\", \"prntvpt.dll\", \"profapi.dll\", \"profext.dll\", \"profprov.dll\", \"profsvc.dll\", \"profsvcext.dll\", \"propsys.dll\", \"provcore.dll\", \"provdatastore.dll\", \"provdiagnostics.dll\", \"provengine.dll\", \"provhandlers.dll\", \"provisioningcsp.dll\", \"provmigrate.dll\", \"provops.dll\", \"provplugineng.dll\", \"provsysprep.dll\", \"provthrd.dll\", \"proximitycommon.dll\", \"proximityservice.dll\", \"prvdmofcomp.dll\", \"psapi.dll\", \"pshed.dll\", \"psisdecd.dll\", \"psmsrv.dll\", \"pstask.dll\", \"pstorec.dll\", \"ptpprov.dll\", \"puiapi.dll\", \"puiobj.dll\", \"pushtoinstall.dll\", \"pwlauncher.dll\", \"pwrshplugin.dll\", \"pwsso.dll\", \"qasf.dll\", \"qcap.dll\", \"qdv.dll\", \"qdvd.dll\", \"qedit.dll\", \"qedwipes.dll\", \"qmgr.dll\", \"query.dll\", \"quiethours.dll\", \"qwave.dll\", \"racengn.dll\", \"racpldlg.dll\", \"radardt.dll\", \"radarrs.dll\", \"radcui.dll\", \"rasadhlp.dll\", \"rasapi32.dll\", \"rasauto.dll\", \"raschap.dll\", \"raschapext.dll\", \"rasctrs.dll\", \"rascustom.dll\", \"rasdiag.dll\", \"rasdlg.dll\", \"rasgcw.dll\", \"rasman.dll\", \"rasmans.dll\", \"rasmbmgr.dll\", \"rasmediamanager.dll\", \"rasmm.dll\", \"rasmontr.dll\", \"rasplap.dll\", \"rasppp.dll\", \"rastapi.dll\", \"rastls.dll\", \"rastlsext.dll\", \"rdbui.dll\", \"rdpbase.dll\", \"rdpcfgex.dll\", \"rdpcore.dll\", \"rdpcorets.dll\", \"rdpencom.dll\", \"rdpendp.dll\", \"rdpnano.dll\", \"rdpsaps.dll\", \"rdpserverbase.dll\", \"rdpsharercom.dll\", \"rdpudd.dll\", \"rdpviewerax.dll\", \"rdsappxhelper.dll\", \"rdsdwmdr.dll\", \"rdvvmtransport.dll\", \"rdxservice.dll\", \"rdxtaskfactory.dll\", \"reagent.dll\", \"reagenttask.dll\", \"recovery.dll\", \"regapi.dll\", \"regctrl.dll\", \"regidle.dll\", \"regsvc.dll\", \"reguwpapi.dll\", \"reinfo.dll\", \"remotepg.dll\", \"remotewipecsp.dll\", 
\"reportingcsp.dll\", \"resampledmo.dll\", \"resbparser.dll\", \"reseteng.dll\", \"resetengine.dll\", \"resetengonline.dll\", \"resourcemapper.dll\", \"resutils.dll\", \"rgb9rast.dll\", \"riched20.dll\", \"riched32.dll\", \"rjvmdmconfig.dll\", \"rmapi.dll\", \"rmclient.dll\", \"rnr20.dll\", \"roamingsecurity.dll\", \"rometadata.dll\", \"rotmgr.dll\", \"rpcepmap.dll\", \"rpchttp.dll\", \"rpcns4.dll\", \"rpcnsh.dll\", \"rpcrt4.dll\", \"rpcrtremote.dll\", \"rpcss.dll\", \"rsaenh.dll\", \"rshx32.dll\", \"rstrtmgr.dll\", \"rtffilt.dll\", \"rtm.dll\", \"rtmediaframe.dll\", \"rtmmvrortc.dll\", \"rtutils.dll\", \"rtworkq.dll\", \"rulebasedds.dll\", \"samcli.dll\", \"samlib.dll\", \"samsrv.dll\", \"sas.dll\", \"sbe.dll\", \"sbeio.dll\", \"sberes.dll\", \"sbservicetrigger.dll\", \"scansetting.dll\", \"scardbi.dll\", \"scarddlg.dll\", \"scardsvr.dll\", \"scavengeui.dll\", \"scdeviceenum.dll\", \"scecli.dll\", \"scesrv.dll\", \"schannel.dll\", \"schedcli.dll\", \"schedsvc.dll\", \"scksp.dll\", \"scripto.dll\", \"scrobj.dll\", \"scrptadm.dll\", \"scrrun.dll\", \"sdcpl.dll\", \"sdds.dll\", \"sdengin2.dll\", \"sdfhost.dll\", \"sdhcinst.dll\", \"sdiageng.dll\", \"sdiagprv.dll\", \"sdiagschd.dll\", \"sdohlp.dll\", \"sdrsvc.dll\", \"sdshext.dll\", \"searchfolder.dll\", \"sechost.dll\", \"seclogon.dll\", \"secproc.dll\", \"secproc_isv.dll\", \"secproc_ssp.dll\", \"secproc_ssp_isv.dll\", \"secur32.dll\", \"security.dll\", \"semgrps.dll\", \"semgrsvc.dll\", \"sendmail.dll\", \"sens.dll\", \"sensapi.dll\", \"sensorsapi.dll\", \"sensorscpl.dll\", \"sensorservice.dll\", \"sensorsnativeapi.dll\", \"sensorsutilsv2.dll\", \"sensrsvc.dll\", \"serialui.dll\", \"servicinguapi.dll\", \"serwvdrv.dll\", \"sessenv.dll\", \"setbcdlocale.dll\", \"settingmonitor.dll\", \"settingsync.dll\", \"settingsynccore.dll\", \"setupapi.dll\", \"setupcl.dll\", \"setupcln.dll\", \"setupetw.dll\", \"sfc.dll\", \"sfc_os.dll\", \"sgrmenclave.dll\", \"shacct.dll\", \"shacctprofile.dll\", \"sharedpccsp.dll\", 
\"sharedrealitysvc.dll\", \"sharehost.dll\", \"sharemediacpl.dll\", \"shcore.dll\", \"shdocvw.dll\", \"shell32.dll\", \"shellstyle.dll\", \"shfolder.dll\", \"shgina.dll\", \"shimeng.dll\", \"shimgvw.dll\", \"shlwapi.dll\", \"shpafact.dll\", \"shsetup.dll\", \"shsvcs.dll\", \"shunimpl.dll\", \"shutdownext.dll\", \"shutdownux.dll\", \"shwebsvc.dll\", \"signdrv.dll\", \"simauth.dll\", \"simcfg.dll\", \"skci.dll\", \"slc.dll\", \"slcext.dll\", \"slwga.dll\", \"smartscreenps.dll\", \"smbhelperclass.dll\", \"smbwmiv2.dll\", \"smiengine.dll\", \"smphost.dll\", \"smsroutersvc.dll\", \"sndvolsso.dll\", \"snmpapi.dll\", \"socialapis.dll\", \"softkbd.dll\", \"softpub.dll\", \"sortwindows61.dll\", \"sortwindows62.dll\", \"spacebridge.dll\", \"spacecontrol.dll\", \"spatializerapo.dll\", \"spatialstore.dll\", \"spbcd.dll\", \"speechpal.dll\", \"spfileq.dll\", \"spinf.dll\", \"spmpm.dll\", \"spnet.dll\", \"spoolss.dll\", \"spopk.dll\", \"spp.dll\", \"sppc.dll\", \"sppcext.dll\", \"sppcomapi.dll\", \"sppcommdlg.dll\", \"sppinst.dll\", \"sppnp.dll\", \"sppobjs.dll\", \"sppwinob.dll\", \"sppwmi.dll\", \"spwinsat.dll\", \"spwizeng.dll\", \"spwizimg.dll\", \"spwizres.dll\", \"spwmp.dll\", \"sqlsrv32.dll\", \"sqmapi.dll\", \"srchadmin.dll\", \"srclient.dll\", \"srcore.dll\", \"srevents.dll\", \"srh.dll\", \"srhelper.dll\", \"srm.dll\", \"srmclient.dll\", \"srmlib.dll\", \"srmscan.dll\", \"srmshell.dll\", \"srmstormod.dll\", \"srmtrace.dll\", \"srm_ps.dll\", \"srpapi.dll\", \"srrstr.dll\", \"srumapi.dll\", \"srumsvc.dll\", \"srvcli.dll\", \"srvsvc.dll\", \"srwmi.dll\", \"sscore.dll\", \"sscoreext.dll\", \"ssdm.dll\", \"ssdpapi.dll\", \"ssdpsrv.dll\", \"sspicli.dll\", \"sspisrv.dll\", \"ssshim.dll\", \"sstpsvc.dll\", \"starttiledata.dll\", \"startupscan.dll\", \"stclient.dll\", \"sti.dll\", \"sti_ci.dll\", \"stobject.dll\", \"storageusage.dll\", \"storagewmi.dll\", \"storewuauth.dll\", \"storprop.dll\", \"storsvc.dll\", \"streamci.dll\", \"structuredquery.dll\", \"sud.dll\", \"svf.dll\", 
\"svsvc.dll\", \"swprv.dll\", \"sxproxy.dll\", \"sxs.dll\", \"sxshared.dll\", \"sxssrv.dll\", \"sxsstore.dll\", \"synccenter.dll\", \"synccontroller.dll\", \"synchostps.dll\", \"syncproxy.dll\", \"syncreg.dll\", \"syncres.dll\", \"syncsettings.dll\", \"syncutil.dll\", \"sysclass.dll\", \"sysfxui.dll\", \"sysmain.dll\", \"sysntfy.dll\", \"syssetup.dll\", \"systemcpl.dll\", \"t2embed.dll\", \"tabbtn.dll\", \"tabbtnex.dll\", \"tabsvc.dll\", \"tapi3.dll\", \"tapi32.dll\", \"tapilua.dll\", \"tapimigplugin.dll\", \"tapiperf.dll\", \"tapisrv.dll\", \"tapisysprep.dll\", \"tapiui.dll\", \"taskapis.dll\", \"taskbarcpl.dll\", \"taskcomp.dll\", \"taskschd.dll\", \"taskschdps.dll\", \"tbauth.dll\", \"tbs.dll\", \"tcbloader.dll\", \"tcpipcfg.dll\", \"tcpmib.dll\", \"tcpmon.dll\", \"tcpmonui.dll\", \"tdh.dll\", \"tdlmigration.dll\", \"tellib.dll\", \"termmgr.dll\", \"termsrv.dll\", \"tetheringclient.dll\", \"tetheringmgr.dll\", \"tetheringservice.dll\", \"tetheringstation.dll\", \"textshaping.dll\", \"themecpl.dll\", \"themeservice.dll\", \"themeui.dll\", \"threadpoolwinrt.dll\", \"thumbcache.dll\", \"timebrokerclient.dll\", \"timebrokerserver.dll\", \"timesync.dll\", \"timesynctask.dll\", \"tlscsp.dll\", \"tokenbinding.dll\", \"tokenbroker.dll\", \"tokenbrokerui.dll\", \"tpmcertresources.dll\", \"tpmcompc.dll\", \"tpmtasks.dll\", \"tpmvsc.dll\", \"tquery.dll\", \"traffic.dll\", \"transportdsa.dll\", \"trie.dll\", \"trkwks.dll\", \"tsbyuv.dll\", \"tscfgwmi.dll\", \"tserrredir.dll\", \"tsf3gip.dll\", \"tsgqec.dll\", \"tsmf.dll\", \"tspkg.dll\", \"tspubwmi.dll\", \"tssessionux.dll\", \"tssrvlic.dll\", \"tsworkspace.dll\", \"ttdloader.dll\", \"ttdplm.dll\", \"ttdrecord.dll\", \"ttdrecordcpu.dll\", \"ttlsauth.dll\", \"ttlscfg.dll\", \"ttlsext.dll\", \"tvratings.dll\", \"twext.dll\", \"twinapi.dll\", \"twinui.dll\", \"txflog.dll\", \"txfw32.dll\", \"tzautoupdate.dll\", \"tzres.dll\", \"tzsyncres.dll\", \"ubpm.dll\", \"ucmhc.dll\", \"ucrtbase.dll\", \"ucrtbase_clr0400.dll\", 
\"ucrtbase_enclave.dll\", \"udhisapi.dll\", \"udwm.dll\", \"ueficsp.dll\", \"uexfat.dll\", \"ufat.dll\", \"uiamanager.dll\", \"uianimation.dll\", \"uiautomationcore.dll\", \"uicom.dll\", \"uireng.dll\", \"uiribbon.dll\", \"uiribbonres.dll\", \"ulib.dll\", \"umb.dll\", \"umdmxfrm.dll\", \"umpdc.dll\", \"umpnpmgr.dll\", \"umpo-overrides.dll\", \"umpo.dll\", \"umpoext.dll\", \"umpowmi.dll\", \"umrdp.dll\", \"unattend.dll\", \"unenrollhook.dll\", \"unimdmat.dll\", \"uniplat.dll\", \"unistore.dll\", \"untfs.dll\", \"updateagent.dll\", \"updatecsp.dll\", \"updatepolicy.dll\", \"upnp.dll\", \"upnphost.dll\", \"upshared.dll\", \"urefs.dll\", \"urefsv1.dll\", \"ureg.dll\", \"url.dll\", \"urlmon.dll\", \"usbcapi.dll\", \"usbceip.dll\", \"usbmon.dll\", \"usbperf.dll\", \"usbpmapi.dll\", \"usbtask.dll\", \"usbui.dll\", \"user32.dll\", \"usercpl.dll\", \"userdataservice.dll\", \"userdatatimeutil.dll\", \"userenv.dll\", \"userinitext.dll\", \"usermgr.dll\", \"usermgrcli.dll\", \"usermgrproxy.dll\", \"usoapi.dll\", \"usocoreps.dll\", \"usosvc.dll\", \"usp10.dll\", \"ustprov.dll\", \"utcutil.dll\", \"utildll.dll\", \"uudf.dll\", \"uvcmodel.dll\", \"uwfcfgmgmt.dll\", \"uwfcsp.dll\", \"uwfservicingapi.dll\", \"uxinit.dll\", \"uxlib.dll\", \"uxlibres.dll\", \"uxtheme.dll\", \"vac.dll\", \"van.dll\", \"vault.dll\", \"vaultcds.dll\", \"vaultcli.dll\", \"vaultroaming.dll\", \"vaultsvc.dll\", \"vbsapi.dll\", \"vbscript.dll\", \"vbssysprep.dll\", \"vcardparser.dll\", \"vdsbas.dll\", \"vdsdyn.dll\", \"vdsutil.dll\", \"vdsvd.dll\", \"vds_ps.dll\", \"verifier.dll\", \"vertdll.dll\", \"vfuprov.dll\", \"vfwwdm32.dll\", \"vhfum.dll\", \"vid.dll\", \"videohandlers.dll\", \"vidreszr.dll\", \"virtdisk.dll\", \"vmbuspipe.dll\", \"vmdevicehost.dll\", \"vmictimeprovider.dll\", \"vmrdvcore.dll\", \"voiprt.dll\", \"vpnike.dll\", \"vpnikeapi.dll\", \"vpnsohdesktop.dll\", \"vpnv2csp.dll\", \"vscmgrps.dll\", \"vssapi.dll\", \"vsstrace.dll\", \"vss_ps.dll\", \"w32time.dll\", \"w32topl.dll\", 
\"waasassessment.dll\", \"waasmediccapsule.dll\", \"waasmedicps.dll\", \"waasmedicsvc.dll\", \"wabsyncprovider.dll\", \"walletproxy.dll\", \"walletservice.dll\", \"wavemsp.dll\", \"wbemcomn.dll\", \"wbiosrvc.dll\", \"wci.dll\", \"wcimage.dll\", \"wcmapi.dll\", \"wcmcsp.dll\", \"wcmsvc.dll\", \"wcnapi.dll\", \"wcncsvc.dll\", \"wcneapauthproxy.dll\", \"wcneappeerproxy.dll\", \"wcnnetsh.dll\", \"wcnwiz.dll\", \"wc_storage.dll\", \"wdc.dll\", \"wdi.dll\", \"wdigest.dll\", \"wdscore.dll\", \"webauthn.dll\", \"webcamui.dll\", \"webcheck.dll\", \"webclnt.dll\", \"webio.dll\", \"webservices.dll\", \"websocket.dll\", \"wecapi.dll\", \"wecsvc.dll\", \"wephostsvc.dll\", \"wer.dll\", \"werconcpl.dll\", \"wercplsupport.dll\", \"werenc.dll\", \"weretw.dll\", \"wersvc.dll\", \"werui.dll\", \"wevtapi.dll\", \"wevtfwd.dll\", \"wevtsvc.dll\", \"wfapigp.dll\", \"wfdprov.dll\", \"wfdsconmgr.dll\", \"wfdsconmgrsvc.dll\", \"wfhc.dll\", \"whealogr.dll\", \"whhelper.dll\", \"wiaaut.dll\", \"wiadefui.dll\", \"wiadss.dll\", \"wiarpc.dll\", \"wiascanprofiles.dll\", \"wiaservc.dll\", \"wiashext.dll\", \"wiatrace.dll\", \"wificloudstore.dll\", \"wificonfigsp.dll\", \"wifidisplay.dll\", \"wimgapi.dll\", \"win32spl.dll\", \"win32u.dll\", \"winbio.dll\", \"winbiodatamodel.dll\", \"winbioext.dll\", \"winbrand.dll\", \"wincorlib.dll\", \"wincredprovider.dll\", \"wincredui.dll\", \"windowmanagement.dll\", \"windowscodecs.dll\", \"windowscodecsext.dll\", \"windowscodecsraw.dll\", \"windowsiotcsp.dll\", \"windowslivelogin.dll\", \"winethc.dll\", \"winhttp.dll\", \"winhttpcom.dll\", \"winhvemulation.dll\", \"winhvplatform.dll\", \"wininet.dll\", \"wininetlui.dll\", \"wininitext.dll\", \"winipcfile.dll\", \"winipcsecproc.dll\", \"winipsec.dll\", \"winlangdb.dll\", \"winlogonext.dll\", \"winmde.dll\", \"winml.dll\", \"winmm.dll\", \"winmmbase.dll\", \"winmsipc.dll\", \"winnlsres.dll\", \"winnsi.dll\", \"winreagent.dll\", \"winrnr.dll\", \"winrscmd.dll\", \"winrsmgr.dll\", \"winrssrv.dll\", 
\"winrttracing.dll\", \"winsatapi.dll\", \"winscard.dll\", \"winsetupui.dll\", \"winshfhc.dll\", \"winsku.dll\", \"winsockhc.dll\", \"winsqlite3.dll\", \"winsrpc.dll\", \"winsrv.dll\", \"winsrvext.dll\", \"winsta.dll\", \"winsync.dll\", \"winsyncmetastore.dll\", \"winsyncproviders.dll\", \"wintrust.dll\", \"wintypes.dll\", \"winusb.dll\", \"wirednetworkcsp.dll\", \"wisp.dll\", \"wkscli.dll\", \"wkspbrokerax.dll\", \"wksprtps.dll\", \"wkssvc.dll\", \"wlanapi.dll\", \"wlancfg.dll\", \"wlanconn.dll\", \"wlandlg.dll\", \"wlangpui.dll\", \"wlanhc.dll\", \"wlanhlp.dll\", \"wlanmediamanager.dll\", \"wlanmm.dll\", \"wlanmsm.dll\", \"wlanpref.dll\", \"wlanradiomanager.dll\", \"wlansec.dll\", \"wlansvc.dll\", \"wlansvcpal.dll\", \"wlanui.dll\", \"wlanutil.dll\", \"wldap32.dll\", \"wldp.dll\", \"wlgpclnt.dll\", \"wlidcli.dll\", \"wlidcredprov.dll\", \"wlidfdp.dll\", \"wlidnsp.dll\", \"wlidprov.dll\", \"wlidres.dll\", \"wlidsvc.dll\", \"wmadmod.dll\", \"wmadmoe.dll\", \"wmalfxgfxdsp.dll\", \"wmasf.dll\", \"wmcodecdspps.dll\", \"wmdmlog.dll\", \"wmdmps.dll\", \"wmdrmsdk.dll\", \"wmerror.dll\", \"wmi.dll\", \"wmiclnt.dll\", \"wmicmiplugin.dll\", \"wmidcom.dll\", \"wmidx.dll\", \"wmiprop.dll\", \"wmitomi.dll\", \"wmnetmgr.dll\", \"wmp.dll\", \"wmpdui.dll\", \"wmpdxm.dll\", \"wmpeffects.dll\", \"wmphoto.dll\", \"wmploc.dll\", \"wmpps.dll\", \"wmpshell.dll\", \"wmsgapi.dll\", \"wmspdmod.dll\", \"wmspdmoe.dll\", \"wmvcore.dll\", \"wmvdecod.dll\", \"wmvdspa.dll\", \"wmvencod.dll\", \"wmvsdecd.dll\", \"wmvsencd.dll\", \"wmvxencd.dll\", \"woftasks.dll\", \"wofutil.dll\", \"wordbreakers.dll\", \"workfoldersgpext.dll\", \"workfoldersres.dll\", \"workfoldersshell.dll\", \"workfolderssvc.dll\", \"wosc.dll\", \"wow64.dll\", \"wow64cpu.dll\", \"wow64win.dll\", \"wpbcreds.dll\", \"wpc.dll\", \"wpcapi.dll\", \"wpcdesktopmonsvc.dll\", \"wpcproxystubs.dll\", \"wpcrefreshtask.dll\", \"wpcwebfilter.dll\", \"wpdbusenum.dll\", \"wpdshext.dll\", \"wpdshserviceobj.dll\", \"wpdsp.dll\", \"wpd_ci.dll\", 
\"wpnapps.dll\", \"wpnclient.dll\", \"wpncore.dll\", \"wpninprc.dll\", \"wpnprv.dll\", \"wpnservice.dll\", \"wpnsruprov.dll\", \"wpnuserservice.dll\", \"wpportinglibrary.dll\", \"wpprecorderum.dll\", \"wptaskscheduler.dll\", \"wpx.dll\", \"ws2help.dll\", \"ws2_32.dll\", \"wscapi.dll\", \"wscinterop.dll\", \"wscisvif.dll\", \"wsclient.dll\", \"wscproxystub.dll\", \"wscsvc.dll\", \"wsdapi.dll\", \"wsdchngr.dll\", \"wsdprintproxy.dll\", \"wsdproviderutil.dll\", \"wsdscanproxy.dll\", \"wsecedit.dll\", \"wsepno.dll\", \"wshbth.dll\", \"wshcon.dll\", \"wshelper.dll\", \"wshext.dll\", \"wshhyperv.dll\", \"wship6.dll\", \"wshqos.dll\", \"wshrm.dll\", \"wshtcpip.dll\", \"wshunix.dll\", \"wslapi.dll\", \"wsmagent.dll\", \"wsmauto.dll\", \"wsmplpxy.dll\", \"wsmres.dll\", \"wsmsvc.dll\", \"wsmwmipl.dll\", \"wsnmp32.dll\", \"wsock32.dll\", \"wsplib.dll\", \"wsp_fs.dll\", \"wsp_health.dll\", \"wsp_sr.dll\", \"wtsapi32.dll\", \"wuapi.dll\", \"wuaueng.dll\", \"wuceffects.dll\", \"wudfcoinstaller.dll\", \"wudfplatform.dll\", \"wudfsmcclassext.dll\", \"wudfx.dll\", \"wudfx02000.dll\", \"wudriver.dll\", \"wups.dll\", \"wups2.dll\", \"wuuhext.dll\", \"wuuhosdeployment.dll\", \"wvc.dll\", \"wwaapi.dll\", \"wwaext.dll\", \"wwanapi.dll\", \"wwancfg.dll\", \"wwanhc.dll\", \"wwanprotdim.dll\", \"wwanradiomanager.dll\", \"wwansvc.dll\", \"wwapi.dll\", \"xamltilerender.dll\", \"xaudio2_8.dll\", \"xaudio2_9.dll\", \"xblauthmanager.dll\", \"xblgamesave.dll\", \"xblgamesaveext.dll\", \"xblgamesaveproxy.dll\", \"xboxgipsvc.dll\", \"xboxgipsynthetic.dll\", \"xboxnetapisvc.dll\", \"xinput1_4.dll\", \"xinput9_1_0.dll\", \"xinputuap.dll\", \"xmlfilter.dll\", \"xmllite.dll\", \"xmlprovi.dll\", \"xolehlp.dll\", \"xpsgdiconverter.dll\", \"xpsprint.dll\", \"xpspushlayer.dll\", \"xpsrasterservice.dll\", \"xpsservices.dll\", \"xwizards.dll\", \"xwreg.dll\", \"xwtpdui.dll\", \"xwtpw32.dll\", \"zipcontainer.dll\", \"zipfldr.dll\", \"bootsvc.dll\", \"halextintcpsedma.dll\", \"icsvcvss.dll\", 
\"ieproxydesktop.dll\", \"lsaadt.dll\", \"nlansp_c.dll\", \"nrtapi.dll\", \"opencl.dll\", \"pfclient.dll\", \"pnpdiag.dll\", \"prxyqry.dll\", \"rdpnanotransport.dll\", \"servicingcommon.dll\", \"sortwindows63.dll\", \"sstpcfg.dll\", \"tdhres.dll\", \"umpodev.dll\", \"utcapi.dll\", \"windlp.dll\", \"wow64base.dll\", \"wow64con.dll\", \"blbuires.dll\", \"bpainst.dll\", \"cbclient.dll\", \"certadm.dll\", \"certocm.dll\", \"certpick.dll\", \"csdeployres.dll\", \"dsdeployres.dll\", \"eapa3hst.dll\", \"eapacfg.dll\", \"eapahost.dll\", \"elsext.dll\", \"encdump.dll\", \"escmigplugin.dll\", \"fsclient.dll\", \"fsdeployres.dll\", \"fssminst.dll\", \"fssmres.dll\", \"fssprov.dll\", \"ipamapi.dll\", \"kpssvc.dll\", \"lbfoadminlib.dll\", \"mintdh.dll\", \"mmci.dll\", \"mmcico.dll\", \"mprsnap.dll\", \"mstsmhst.dll\", \"mstsmmc.dll\", \"muxinst.dll\", \"personax.dll\", \"rassfm.dll\", \"rasuser.dll\", \"rdmsinst.dll\", \"rdmsres.dll\", \"rtrfiltr.dll\", \"sacsvr.dll\", \"scrdenrl.dll\", \"sdclient.dll\", \"sharedstartmodel.dll\", \"smsrouter.dll\", \"spwizimg_svr.dll\", \"sqlcecompact40.dll\", \"sqlceoledb40.dll\", \"sqlceqp40.dll\", \"sqlcese40.dll\", \"srvmgrinst.dll\", \"svrmgrnc.dll\", \"tapisnap.dll\", \"tlsbrand.dll\", \"tsec.dll\", \"tsprop.dll\", \"tspubiconhelper.dll\", \"tssdjet.dll\", \"tsuserex.dll\", \"ualapi.dll\", \"ualsvc.dll\", \"umcres.dll\", \"updatehandlers.dll\", \"usocore.dll\", \"vssui.dll\", \"wsbappres.dll\", \"wsbonline.dll\", \"wsmselpl.dll\", \"wsmselrr.dll\", \"xpsfilt.dll\", \"xpsshhdr.dll\"\n ) and\n not (\n (\n dll.name : \"icuuc.dll\" and dll.code_signature.subject_name in (\n \"Valve\", \"Valve Corp.\", \"Avanquest Software (7270356 Canada Inc)\", \"Adobe Inc.\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : (\"timeSync.dll\", \"appInfo.dll\") and dll.code_signature.subject_name in (\n \"VMware Inc.\", \"VMware, Inc.\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : \"libcrypto.dll\" and 
dll.code_signature.subject_name in (\n \"NoMachine S.a.r.l.\", \"Oculus VR, LLC\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : \"ucrtbase.dll\" and dll.code_signature.subject_name in (\n \"Proofpoint, Inc.\", \"Rapid7 LLC\", \"Eclipse.org Foundation, Inc.\", \"Amazon.com Services LLC\", \"Windows Phone\"\n ) and dll.code_signature.trusted == true\n ) or\n (\n dll.name : (\"libcrypto.dll\", \"wmi.dll\", \"geolocation.dll\", \"kerberos.dll\") and\n dll.code_signature.subject_name == \"Bitdefender SRL\" and dll.code_signature.trusted == true\n ) or\n (dll.name : \"ICMP.dll\" and dll.code_signature.subject_name == \"Paessler AG\" and dll.code_signature.trusted == true) or\n (dll.name : \"dbghelp.dll\" and dll.code_signature.trusted == true) or\n (dll.name : \"DirectML.dll\" and dll.code_signature.subject_name == \"Adobe Inc.\" and dll.code_signature.trusted == true) or\n (dll.name : \"icsvc.dll\" and dll.code_signature.subject_name in (\"Dell Inc\", \"Dell Technologies Inc.\") and dll.code_signature.trusted == true) or\n (dll.name : \"offreg.dll\" and dll.code_signature.subject_name == \"Malwarebytes Inc.\" and dll.code_signature.trusted == true) or\n (dll.name : \"AppMgr.dll\" and dll.code_signature.subject_name == \"Autodesk, Inc\" and dll.code_signature.trusted == true) or\n (dll.name : (\"SsShim.dll\", \"Msi.dll\", \"wdscore.dll\") and process.name : \"DismHost.exe\" and dll.path : \"C:\\\\Windows\\\\Temp\\\\*\") or\n (\n dll.path : (\n \"?:\\\\Windows\\\\SystemApps\\\\*\\\\dxgi.dll\",\n \"?:\\\\Windows\\\\SystemApps\\\\*\\\\wincorlib.dll\",\n \"?:\\\\Windows\\\\dxgi.dll\",\n \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\LINE\\\\bin\\\\current\\\\dbghelp.dll\"\n )\n )\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "dll.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": 
"dll.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "dll.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "dll.path", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fb01d790-9f74-4e76-97dd-b4b0f7bf6435", "severity": "low", "tags": ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Persistence", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}, {"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}, {"id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [{"id": "T1574.001", "name": "DLL Search Order Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/001/"}, {"id": "T1574.002", "name": "DLL Side-Loading", "reference": "https://attack.mitre.org/techniques/T1574/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1554", "name": "Compromise Client Software Binary", "reference": "https://attack.mitre.org/techniques/T1554/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "fb01d790-9f74-4e76-97dd-b4b0f7bf6435_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa.json b/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa.json
deleted file mode 100644
index 9995f91e2a6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.", "false_positives": ["Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Registration Utility", "note": "## Triage and analysis\n\n### Investigating Network Connection via Registration Utility\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity such as masquerading, and deserve further investigation.\n\nThis rule looks for the execution of `regsvr32.exe`, `RegAsm.exe`, or `RegSvcs.exe` utilities followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not (\n (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n (process.parent.name : \"msiexec.exe\" or process.parent.executable : (\"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Program Files\\\\*.exe\"))\n )\n ]\n [network where host.os.type == \"windows\" and process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and network.protocol != \"dns\"]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, 
{"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 21, "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.009", "name": "Regsvcs/Regasm", "reference": "https://attack.mitre.org/techniques/T1218/009/"}, {"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}]}]}], "type": "eql", "version": 108}, "id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_102.json b/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_102.json
deleted file mode 100644
index b65a34eda68..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.", "false_positives": ["Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Registration Utility", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not (\n (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n (process.parent.name : \"msiexec.exe\" or process.parent.executable : (\"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Program Files\\\\*.exe\"))\n )\n ]\n [network where host.os.type == \"windows\" and process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and network.protocol != \"dns\"]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", 
"version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 21, "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}]}]}], "type": "eql", "version": 102}, "id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_103.json b/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_103.json
deleted file mode 100644
index f2ee5e157e6..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.", "false_positives": ["Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Registration Utility", "note": "## Triage and analysis\n\n### Investigating Network Connection via Registration Utility\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity such as masquerading, and deserve further investigation.\n\nThis rule looks for the execution of `regsvr32.exe`, `RegAsm.exe`, or `RegSvcs.exe` utilities followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not (\n (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n (process.parent.name : \"msiexec.exe\" or process.parent.executable : (\"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Program Files\\\\*.exe\"))\n )\n ]\n [network where host.os.type == \"windows\" and process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and network.protocol != \"dns\"]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, 
{"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 21, "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}]}]}], "type": "eql", "version": 103}, "id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_104.json b/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_104.json
deleted file mode 100644
index 5ac0777b5c3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_104.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.", "false_positives": ["Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Registration Utility", "note": "## Triage and analysis\n\n### Investigating Network Connection via Registration Utility\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity such as masquerading, and deserve further investigation.\n\nThis rule looks for the execution of `regsvr32.exe`, `RegAsm.exe`, or `RegSvcs.exe` utilities followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not (\n (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n (process.parent.name : \"msiexec.exe\" or process.parent.executable : (\"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Program Files\\\\*.exe\"))\n )\n ]\n [network where host.os.type == \"windows\" and process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and network.protocol != \"dns\"]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, 
{"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 21, "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}]}]}], "type": "eql", "version": 104}, "id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_105.json b/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_105.json deleted file mode 100644 index c90396e1b70..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.", "false_positives": ["Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Registration Utility", "note": "## Triage and analysis\n\n### Investigating Network Connection via Registration Utility\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity such as masquerading, and deserve further investigation.\n\nThis rule looks for the execution of `regsvr32.exe`, `RegAsm.exe`, or `RegSvcs.exe` utilities followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not (\n (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n (process.parent.name : \"msiexec.exe\" or process.parent.executable : (\"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Program Files\\\\*.exe\"))\n )\n ]\n [network where host.os.type == \"windows\" and process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and network.protocol != \"dns\"]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, 
{"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 21, "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}]}]}], "type": "eql", "version": 105}, "id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_106.json b/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_106.json deleted file mode 100644 index b33e3ae3fe0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.", "false_positives": ["Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Registration Utility", "note": "## Triage and analysis\n\n### Investigating Network Connection via Registration Utility\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity such as masquerading, and deserve further investigation.\n\nThis rule looks for the execution of `regsvr32.exe`, `RegAsm.exe`, or `RegSvcs.exe` utilities followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not (\n (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n (process.parent.name : \"msiexec.exe\" or process.parent.executable : (\"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Program Files\\\\*.exe\"))\n )\n ]\n [network where host.os.type == \"windows\" and process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and network.protocol != \"dns\"]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, 
{"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 21, "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.009", "name": "Regsvcs/Regasm", "reference": "https://attack.mitre.org/techniques/T1218/009/"}, {"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}]}]}], "type": "eql", "version": 106}, "id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_107.json b/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_107.json deleted file mode 100644 index 631eefaaaad..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_107.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.", "false_positives": ["Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Registration Utility", "note": "## Triage and analysis\n\n### Investigating Network Connection via Registration Utility\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity such as masquerading, and deserve further investigation.\n\nThis rule looks for the execution of `regsvr32.exe`, `RegAsm.exe`, or `RegSvcs.exe` utilities followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not (\n (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n (process.parent.name : \"msiexec.exe\" or process.parent.executable : (\"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Program Files\\\\*.exe\"))\n )\n ]\n [network where host.os.type == \"windows\" and process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and network.protocol != \"dns\"]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, 
{"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 21, "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.009", "name": "Regsvcs/Regasm", "reference": "https://attack.mitre.org/techniques/T1218/009/"}, {"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}]}]}], "type": "eql", "version": 107}, "id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_108.json b/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_108.json
deleted file mode 100644
index 5b5c5fbe3ca..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fb02b8d3-71ee-4af1-bacd-215d23f17efa_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies the native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection. This may be indicative of an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.", "false_positives": ["Security testing may produce events like this. Activity of this kind performed by non-engineers and ordinary users is unusual."], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Network Connection via Registration Utility", "note": "## Triage and analysis\n\n### Investigating Network Connection via Registration Utility\n\nBy examining the specific traits of Windows binaries -- such as process trees, command lines, network connections, registry modifications, and so on -- it's possible to establish a baseline of normal activity. Deviations from this baseline can indicate malicious activity such as masquerading, and deserve further investigation.\n\nThis rule looks for the execution of `regsvr32.exe`, `RegAsm.exe`, or `RegSvcs.exe` utilities followed by a network connection to an external address. Attackers can abuse utilities to execute malicious files or masquerade as those utilities in order to bypass detections and evade defenses.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n - Investigate the file digital signature and process original filename, if suspicious, treat it as potential malware.\n- Investigate the target host that the signed binary is communicating with.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n- Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT 
(user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of destination IP address and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "sequence by process.entity_id\n [process where host.os.type == \"windows\" and event.type == \"start\" and\n process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not (\n (?process.Ext.token.integrity_level_name : \"System\" or ?winlog.event_data.IntegrityLevel : \"System\") and\n (process.parent.name : \"msiexec.exe\" or process.parent.executable : (\"C:\\\\Program Files (x86)\\\\*.exe\", \"C:\\\\Program Files\\\\*.exe\"))\n )\n ]\n [network where host.os.type == \"windows\" and process.name : (\"regsvr32.exe\", \"RegAsm.exe\", \"RegSvcs.exe\") and\n not cidrmatch(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\",\n \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\",\n \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\",\n \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\n \"FE80::/10\", \"FF00::/8\") and network.protocol != \"dns\"]\n", "references": ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, 
{"ecs": false, "name": "process.Ext.token.integrity_level_name", "type": "unknown"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}, {"ecs": false, "name": "winlog.event_data.IntegrityLevel", "type": "keyword"}], "risk_score": 21, "rule_id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1218/", "subtechnique": [{"id": "T1218.009", "name": "Regsvcs/Regasm", "reference": "https://attack.mitre.org/techniques/T1218/009/"}, {"id": "T1218.010", "name": "Regsvr32", "reference": "https://attack.mitre.org/techniques/T1218/010/"}]}]}], "type": "eql", "version": 108}, "id": "fb02b8d3-71ee-4af1-bacd-215d23f17efa_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fb0afac5-bbd6-49b0-b4f8-44e5381e1587.json b/packages/security_detection_engine/kibana/security_rule/fb0afac5-bbd6-49b0-b4f8-44e5381e1587.json
deleted file mode 100644
index 6f614ab4f9c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fb0afac5-bbd6-49b0-b4f8-44e5381e1587.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects a high number of unique private repo clone events originating from a single personal access token within a short time period.", "from": "now-6m", "index": ["logs-github.audit-*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Cloned GitHub Repos From PAT", "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and event.action:\"git.clone\" and \ngithub.programmatic_access_type:(\"OAuth access token\" or \"Fine-grained personal access token\") and \ngithub.repository_public:false\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "github.programmatic_access_type", "type": "keyword"}, {"ecs": false, "name": "github.repository_public", "type": "boolean"}], "risk_score": 21, "rule_id": "fb0afac5-bbd6-49b0-b4f8-44e5381e1587", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Execution", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1648", "name": "Serverless Execution", "reference": "https://attack.mitre.org/techniques/T1648/"}]}], "threshold": {"cardinality": [{"field": "github.repo", "value": 10}], "field": ["github.hashed_token"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 1}, "id": "fb0afac5-bbd6-49b0-b4f8-44e5381e1587", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fb0afac5-bbd6-49b0-b4f8-44e5381e1587_1.json b/packages/security_detection_engine/kibana/security_rule/fb0afac5-bbd6-49b0-b4f8-44e5381e1587_1.json
deleted file mode 100644
index 46be10fcc50..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fb0afac5-bbd6-49b0-b4f8-44e5381e1587_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects a high number of unique private repo clone events originating from a single personal access token within a short time period.", "from": "now-6m", "index": ["logs-github.audit-*"], "language": "kuery", "license": "Elastic License v2", "name": "High Number of Cloned GitHub Repos From PAT", "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and event.action:\"git.clone\" and \ngithub.programmatic_access_type:(\"OAuth access token\" or \"Fine-grained personal access token\") and \ngithub.repository_public:false\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "github.programmatic_access_type", "type": "keyword"}, {"ecs": false, "name": "github.repository_public", "type": "boolean"}], "risk_score": 21, "rule_id": "fb0afac5-bbd6-49b0-b4f8-44e5381e1587", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Execution", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1648", "name": "Serverless Execution", "reference": "https://attack.mitre.org/techniques/T1648/"}]}], "threshold": {"cardinality": [{"field": "github.repo", "value": 10}], "field": ["github.hashed_token"], "value": 1}, "timestamp_override": "event.ingested", "type": "threshold", "version": 1}, "id": "fb0afac5-bbd6-49b0-b4f8-44e5381e1587_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fb0afac5-bbd6-49b0-b4f8-44e5381e1587_103.json b/packages/security_detection_engine/kibana/security_rule/fb0afac5-bbd6-49b0-b4f8-44e5381e1587_103.json
new file mode 100644
index 00000000000..4f1281abd5a
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/fb0afac5-bbd6-49b0-b4f8-44e5381e1587_103.json
@@ -0,0 +1,93 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Detects a high number of unique private repo clone events originating from a single personal access token within a short time period.",
+ "from": "now-6m",
+ "index": [
+ "logs-github.audit-*"
+ ],
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "name": "High Number of Cloned GitHub Repos From PAT",
+ "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and event.action:\"git.clone\" and \ngithub.programmatic_access_type:(\"OAuth access token\" or \"Fine-grained personal access token\") and \ngithub.repository_public:false\n",
+ "related_integrations": [
+ {
+ "package": "github",
+ "version": "^2.0.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.action",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.category",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "event.dataset",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "github.programmatic_access_type",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "github.repository_public",
+ "type": "boolean"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "fb0afac5-bbd6-49b0-b4f8-44e5381e1587",
+ "severity": "low",
+ "tags": [
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Use Case: UEBA",
+ "Tactic: Execution",
+ "Data Source: Github"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0002",
+ "name": "Execution",
+ "reference": "https://attack.mitre.org/tactics/TA0002/"
+ },
+ "technique": [
+ {
+ "id": "T1648",
+ "name": "Serverless Execution",
+ "reference": "https://attack.mitre.org/techniques/T1648/"
+ }
+ ]
+ }
+ ],
+ "threshold": {
+ "cardinality": [
+ {
+ "field": "github.repo",
+ "value": 10
+ }
+ ],
+ "field": [
+ "github.hashed_token"
+ ],
+ "value": 1
+ },
+ "timestamp_override": "event.ingested",
+ "type": "threshold",
+ "version": 103
+ },
+ "id": "fb0afac5-bbd6-49b0-b4f8-44e5381e1587_103",
+ "type": 
"security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435.json b/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435.json
deleted file mode 100644
index f8a5caacd8a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435.json
+++ /dev/null
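Review bot: The `threshold` block groups on `github.hashed_token` and counts cardinality over `github.repo`, yet neither field appears in `required_fields`, which lists only the five fields referenced in the query text. If `required_fields` is generated from the query alone this is expected, but a reader checking integration compatibility will not see that the two threshold fields must also be present in the `github.audit` data for the rule to fire. Consider adding `{"ecs": false, "name": "github.hashed_token", "type": "keyword"}` and `{"ecs": false, "name": "github.repo", "type": "keyword"}` to that list, with the types confirmed against the github integration's field mappings. Separately, the name and description speak only of a personal access token while the query also matches `"OAuth access token"`, so the description could read "a single programmatic access token (PAT or OAuth token)" to match what the query actually selects.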
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an AWS configuration change to stop recording a designated set of resources.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Recording changes from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail-*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Configuration Recorder Stopped", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html", "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "fbd44836-0d69-4004-a0b4-03c20370c435", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": 
"T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "fbd44836-0d69-4004-a0b4-03c20370c435", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_102.json b/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_102.json
deleted file mode 100644
index 542b8f954db..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_102.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies an AWS configuration change to stop recording a designated set of resources.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Recording changes from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Configuration Recorder Stopped", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html", "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "fbd44836-0d69-4004-a0b4-03c20370c435", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", 
"name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "fbd44836-0d69-4004-a0b4-03c20370c435_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_103.json b/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_103.json
deleted file mode 100644
index 154a0e5b74b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an AWS configuration change to stop recording a designated set of resources.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Recording changes from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Configuration Recorder Stopped", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html", "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "fbd44836-0d69-4004-a0b4-03c20370c435", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", 
"name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "fbd44836-0d69-4004-a0b4-03c20370c435_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_104.json b/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_104.json deleted file mode 100644 index 0a29171ffc8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an AWS configuration change to stop recording a designated set of resources.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Recording changes from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Configuration Recorder Stopped", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html", "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "fbd44836-0d69-4004-a0b4-03c20370c435", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", 
"name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": "fbd44836-0d69-4004-a0b4-03c20370c435_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_205.json b/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_205.json deleted file mode 100644 index 8c3faf71605..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fbd44836-0d69-4004-a0b4-03c20370c435_205.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an AWS configuration change to stop recording a designated set of resources.", "false_positives": ["Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Recording changes from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS Configuration Recorder Stopped", "note": "", "query": "event.dataset:aws.cloudtrail and event.provider:config.amazonaws.com and event.action:StopConfigurationRecorder and event.outcome:success\n", "references": ["https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html", "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 73, "rule_id": "fbd44836-0d69-4004-a0b4-03c20370c435", "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "high", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [{"id": "T1562.001", 
"name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 205}, "id": "fbd44836-0d69-4004-a0b4-03c20370c435_205", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022.json b/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022.json deleted file mode 100644 index 0ae043700dd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe\" and\n process.parent.name : \"ieinstal.exe\" and process.parent.args : \"-Embedding\"\n\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", "references": ["https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_103.json b/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_103.json deleted file mode 100644 index 388af20889f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe\" and\n process.parent.name : \"ieinstal.exe\" and process.parent.args : \"-Embedding\"\n\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", "references": ["https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Elastic 
Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_104.json b/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_104.json deleted file mode 100644 index 3efd0d52dca..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe\" and\n process.parent.name : \"ieinstal.exe\" and process.parent.args : \"-Embedding\"\n\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", "references": ["https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege 
Escalation", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022_104", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_105.json b/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_105.json deleted file mode 100644 index 4b6701e66a5..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_105.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe\" and\n process.parent.name : \"ieinstal.exe\" and process.parent.args : \"-Embedding\"\n\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", "references": ["https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege 
Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_106.json b/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_106.json deleted file mode 100644 index b15e860b247..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe\" and\n process.parent.name : \"ieinstal.exe\" and process.parent.args : \"-Embedding\"\n\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", "references": ["https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege 
Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_107.json b/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_107.json deleted file mode 100644 index 8561248b7e9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe\" and\n process.parent.name : \"ieinstal.exe\" and process.parent.args : \"-Embedding\"\n\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", "references": ["https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022_107", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_108.json b/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_108.json deleted file mode 100644 index 9f572f70d4d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe\" and\n process.parent.name : \"ieinstal.exe\" and process.parent.args : \"-Embedding\"\n\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", "references": ["https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022_108", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_109.json b/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_109.json deleted file mode 100644 index d82f3c13cdd..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fc7c0fa4-8f03-4b3e-8336-c5feab0be022_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies User Account Control (UAC) bypass attempts by abusing an elevated COM Interface to launch a malicious program. Attackers may attempt to bypass UAC to stealthily execute code with elevated permissions.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n process.executable : \"C:\\\\*\\\\AppData\\\\*\\\\Temp\\\\IDC*.tmp\\\\*.exe\" and\n process.parent.name : \"ieinstal.exe\" and process.parent.args : \"-Embedding\"\n\n /* uncomment once in winlogbeat */\n /* and not (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) */\n", "references": ["https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comautoapprovallist.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - 
https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.002", "name": "Bypass User Account Control", "reference": "https://attack.mitre.org/techniques/T1548/002/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1559", "name": "Inter-Process Communication", "reference": "https://attack.mitre.org/techniques/T1559/", "subtechnique": [{"id": "T1559.001", "name": "Component Object Model", "reference": "https://attack.mitre.org/techniques/T1559/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "fc7c0fa4-8f03-4b3e-8336-c5feab0be022_109", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/fc909baa-fb34-4c46-9691-be276ef4234c.json b/packages/security_detection_engine/kibana/security_rule/fc909baa-fb34-4c46-9691-be276ef4234c.json
deleted file mode 100644
index 165884fb2d0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fc909baa-fb34-4c46-9691-be276ef4234c.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects a new IP address used for a GitHub PAT not previously seen in the last 14 days.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-github.audit-*"], "language": "kuery", "license": "Elastic License v2", "name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)", "new_terms_fields": ["github.hashed_token", "github.actor_ip"], "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and\ngithub.actor_ip:* and github.hashed_token:* and\ngithub.programmatic_access_type:(\"OAuth access token\" or \"Fine-grained personal access token\")\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "github.actor_ip", "type": "ip"}, {"ecs": false, "name": "github.hashed_token", "type": "keyword"}, {"ecs": false, "name": "github.programmatic_access_type", "type": "keyword"}], "risk_score": 21, "rule_id": "fc909baa-fb34-4c46-9691-be276ef4234c", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Initial Access", "Rule Type: BBR", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "fc909baa-fb34-4c46-9691-be276ef4234c", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/fc909baa-fb34-4c46-9691-be276ef4234c_1.json b/packages/security_detection_engine/kibana/security_rule/fc909baa-fb34-4c46-9691-be276ef4234c_1.json
deleted file mode 100644
index fb045ea6066..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fc909baa-fb34-4c46-9691-be276ef4234c_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Detects a new IP address used for a GitHub PAT not previously seen in the last 14 days.", "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-github.audit-*"], "language": "kuery", "license": "Elastic License v2", "name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)", "new_terms_fields": ["github.hashed_token", "github.actor_ip"], "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and\ngithub.actor_ip:* and github.hashed_token:* and\ngithub.programmatic_access_type:(\"OAuth access token\" or \"Fine-grained personal access token\")\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": false, "name": "github.actor_ip", "type": "ip"}, {"ecs": false, "name": "github.hashed_token", "type": "keyword"}, {"ecs": false, "name": "github.programmatic_access_type", "type": "keyword"}], "risk_score": 21, "rule_id": "fc909baa-fb34-4c46-9691-be276ef4234c", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Use Case: UEBA", "Tactic: Initial Access", "Rule Type: BBR", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": "https://attack.mitre.org/techniques/T1078/", "subtechnique": [{"id": "T1078.004", "name": "Cloud Accounts", "reference": "https://attack.mitre.org/techniques/T1078/004/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "fc909baa-fb34-4c46-9691-be276ef4234c_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/fc909baa-fb34-4c46-9691-be276ef4234c_103.json b/packages/security_detection_engine/kibana/security_rule/fc909baa-fb34-4c46-9691-be276ef4234c_103.json
new file mode 100644
index 00000000000..ae0d241b20c
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/fc909baa-fb34-4c46-9691-be276ef4234c_103.json
@@ -0,0 +1,95 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "building_block_type": "default", + "description": "Detects a new IP address used for a GitHub PAT not previously seen in the last 14 days.", + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "logs-github.audit-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "First Occurrence of IP Address For GitHub Personal Access Token (PAT)", + "new_terms_fields": [ + "github.hashed_token", + "github.actor_ip" + ], + "query": "event.dataset:\"github.audit\" and event.category:\"configuration\" and\ngithub.actor_ip:* and github.hashed_token:* and\ngithub.programmatic_access_type:(\"OAuth access token\" or \"Fine-grained personal access token\")\n", + "related_integrations": [ + { + "package": "github", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": false, + "name": "github.actor_ip", + "type": "ip" + }, + { + "ecs": false, + "name": "github.hashed_token", + "type": "keyword" + }, + { + "ecs": false, + "name": "github.programmatic_access_type", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "fc909baa-fb34-4c46-9691-be276ef4234c", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Use Case: UEBA", + "Tactic: Initial Access", + "Rule Type: BBR", + "Data Source: Github" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0001", + "name": "Initial Access", + "reference": "https://attack.mitre.org/tactics/TA0001/" + }, + "technique": [ + { + "id": "T1078", + "name": "Valid Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/", + "subtechnique": [ + { + "id": "T1078.004", + "name": "Cloud Accounts", + "reference": "https://attack.mitre.org/techniques/T1078/004/" + } + ] + } + ] + } + ], + "timestamp_override": 
"event.ingested", + "type": "new_terms", + "version": 103 + }, + "id": "fc909baa-fb34-4c46-9691-be276ef4234c_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fcf733d5-7801-4eb0-92ac-8ffacf3658f2.json b/packages/security_detection_engine/kibana/security_rule/fcf733d5-7801-4eb0-92ac-8ffacf3658f2.json deleted file mode 100644 index 2a3bf783594..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fcf733d5-7801-4eb0-92ac-8ffacf3658f2.json +++ /dev/null 
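Review bot: The rule's `name` and `description` say GitHub PAT, but the `github.programmatic_access_type` filter in `query` matches `"OAuth access token"` (which is not a PAT) alongside `"Fine-grained personal access token"` and lists no value for classic PATs, so the alert text and the matched population disagree. If classic tokens are labelled with a different value in the audit log (I believe they are), they silently fall outside this rule while OAuth-app tokens fall inside it; either add the classic value to the list or reword, e.g. `"description": "Detects a new IP address used for a GitHub fine-grained PAT or OAuth access token, not previously seen for that token in the last 14 days."`. Separately, the query requires `github.actor_ip:*`, which as far as I recall is only populated when the organization has IP disclosure enabled in its audit-log settings, so a one-line `setup` note stating that prerequisite would stop analysts assuming coverage they do not have. The hunk is a complete new file, so nothing continues outside it.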
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule leverages the `auditd_manager` integration to detect user or group creation or modification events on Linux systems. Threat actors may attempt to create or modify users or groups to establish persistence on the system.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "User or Group Creation/Modification", "query": "iam where host.os.type == \"linux\" and event.type in (\"creation\", \"change\") and auditd.result == \"success\" and \nevent.action in (\"changed-password\", \"added-user-account\", \"added-group-account-to\")\n", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.result", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "fcf733d5-7801-4eb0-92ac-8ffacf3658f2", "setup": "## Setup\n\nThis rule requires data coming in from Auditd Manager.\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /usr/sbin/groupadd -p x -k group_modification\n-w /sbin/groupadd -p x -k group_modification\n-w /usr/sbin/groupmod -p x -k group_modification\n-w /sbin/groupmod -p x -k group_modification\n-w /usr/sbin/addgroup -p x -k group_modification\n-w /sbin/addgroup -p x -k group_modification\n-w /usr/sbin/usermod -p x -k user_modification\n-w /sbin/usermod -p x -k user_modification\n-w /usr/sbin/userdel -p x -k user_modification\n-w /sbin/userdel -p x -k 
user_modification\n-w /usr/sbin/useradd -p x -k user_modification\n-w /sbin/useradd -p x -k user_modification\n-w /usr/sbin/adduser -p x -k user_modification\n-w /sbin/adduser -p x -k user_modification\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "fcf733d5-7801-4eb0-92ac-8ffacf3658f2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fcf733d5-7801-4eb0-92ac-8ffacf3658f2_1.json b/packages/security_detection_engine/kibana/security_rule/fcf733d5-7801-4eb0-92ac-8ffacf3658f2_1.json deleted file mode 100644 index 2a0365135bb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fcf733d5-7801-4eb0-92ac-8ffacf3658f2_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule leverages the `auditd_manager` integration to detect user or group creation or modification events on Linux systems. Threat actors may attempt to create or modify users or groups to establish persistence on the system.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "User or Group Creation/Modification", "query": "iam where host.os.type == \"linux\" and event.type in (\"creation\", \"change\") and auditd.result == \"success\" and \nevent.action in (\"changed-password\", \"added-user-account\", \"added-group-account-to\")\n", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.result", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "fcf733d5-7801-4eb0-92ac-8ffacf3658f2", "setup": "## Setup\nThis rule requires the use of the `auditd_manager` integration. `Auditd_manager` is a tool designed to simplify and enhance the management of the audit subsystem in Linux systems. It provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. The following steps should be executed in order to install and deploy `auditd_manager` on a Linux system.\n```\nKibana -->\nManagement -->\nIntegrations -->\nAuditd Manager -->\nAdd Auditd Manager\n```\n`Auditd_manager` subscribes to the kernel and receives events as they occur without any additional configuration. 
However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, no additional configuration is required.\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "fcf733d5-7801-4eb0-92ac-8ffacf3658f2_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fcf733d5-7801-4eb0-92ac-8ffacf3658f2_2.json b/packages/security_detection_engine/kibana/security_rule/fcf733d5-7801-4eb0-92ac-8ffacf3658f2_2.json deleted file mode 100644 index fc83428d4c3..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fcf733d5-7801-4eb0-92ac-8ffacf3658f2_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule leverages the `auditd_manager` integration to detect user or group creation or modification events on Linux systems. Threat actors may attempt to create or modify users or groups to establish persistence on the system.", "from": "now-9m", "index": ["auditbeat-*", "logs-auditd_manager.auditd-*"], "language": "eql", "license": "Elastic License v2", "name": "User or Group Creation/Modification", "query": "iam where host.os.type == \"linux\" and event.type in (\"creation\", \"change\") and auditd.result == \"success\" and \nevent.action in (\"changed-password\", \"added-user-account\", \"added-group-account-to\")\n", "related_integrations": [{"package": "auditd_manager", "version": "^1.0.0"}], "required_fields": [{"ecs": false, "name": "auditd.result", "type": "unknown"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}], "risk_score": 21, "rule_id": "fcf733d5-7801-4eb0-92ac-8ffacf3658f2", "setup": "## Setup\n\nThis rule requires data coming in from Auditd Manager.\n\n### Auditd Manager Integration Setup\nThe Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.\nAuditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. 
With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.\n\n#### The following steps should be executed in order to add the Elastic Agent System integration \"auditd_manager\" on a Linux System:\n- Go to the Kibana home page and click \u201cAdd integrations\u201d.\n- In the query bar, search for \u201cAuditd Manager\u201d and select the integration to see more details about it.\n- Click \u201cAdd Auditd Manager\u201d.\n- Configure the integration name and optionally add a description.\n- Review optional and advanced settings accordingly.\n- Add the newly installed \u201cauditd manager\u201d to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.\n- Click \u201cSave and Continue\u201d.\n- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).\n\n#### Rule Specific Setup Note\nAuditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.\nHowever, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the \"audit rules\" configuration box or the \"auditd rule files\" box by specifying a file to read the audit rules from.\nFor this detection rule to trigger, the following additional audit rules are required to be added to the integration:\n```\n-w /usr/sbin/groupadd -p x -k group_modification\n-w /sbin/groupadd -p x -k group_modification\n-w /usr/sbin/groupmod -p x -k group_modification\n-w /sbin/groupmod -p x -k group_modification\n-w /usr/sbin/addgroup -p x -k group_modification\n-w /sbin/addgroup -p x -k group_modification\n-w /usr/sbin/usermod -p x -k user_modification\n-w /sbin/usermod -p x -k user_modification\n-w /usr/sbin/userdel -p x -k user_modification\n-w /sbin/userdel -p x -k 
user_modification\n-w /usr/sbin/useradd -p x -k user_modification\n-w /sbin/useradd -p x -k user_modification\n-w /usr/sbin/adduser -p x -k user_modification\n-w /sbin/adduser -p x -k user_modification\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Auditd Manager"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1136", "name": "Create Account", "reference": "https://attack.mitre.org/techniques/T1136/", "subtechnique": [{"id": "T1136.001", "name": "Local Account", "reference": "https://attack.mitre.org/techniques/T1136/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "fcf733d5-7801-4eb0-92ac-8ffacf3658f2_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd01b949-81be-46d5-bcf8-284395d5f56d.json b/packages/security_detection_engine/kibana/security_rule/fd01b949-81be-46d5-bcf8-284395d5f56d.json deleted file mode 100644 index 6ec94cbdf07..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fd01b949-81be-46d5-bcf8-284395d5f56d.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the deletion of a GitHub app either from a repo or an organization.", "from": "now-9m", "index": ["logs-github.audit-*"], "language": "eql", "license": "Elastic License v2", "name": "GitHub App Deleted", "query": "configuration where event.dataset == \"github.audit\" and github.category == \"integration_installation\" and event.type == \"deletion\"\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "github.category", "type": "keyword"}], "risk_score": 21, "rule_id": "fd01b949-81be-46d5-bcf8-284395d5f56d", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1648", "name": "Serverless Execution", "reference": "https://attack.mitre.org/techniques/T1648/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "fd01b949-81be-46d5-bcf8-284395d5f56d", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd01b949-81be-46d5-bcf8-284395d5f56d_1.json b/packages/security_detection_engine/kibana/security_rule/fd01b949-81be-46d5-bcf8-284395d5f56d_1.json deleted file mode 100644 index f2b992d55ea..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fd01b949-81be-46d5-bcf8-284395d5f56d_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects the deletion of a GitHub app either from a repo or an organization.", "from": "now-9m", "index": ["logs-github.audit-*"], "language": "eql", "license": "Elastic License v2", "name": "GitHub App Deleted", "query": "configuration where event.dataset == \"github.audit\" and github.category == \"integration_installation\" and event.type == \"deletion\"\n", "related_integrations": [{"package": "github", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "github.category", "type": "keyword"}], "risk_score": 21, "rule_id": "fd01b949-81be-46d5-bcf8-284395d5f56d", "severity": "low", "tags": ["Domain: Cloud", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Github"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1648", "name": "Serverless Execution", "reference": "https://attack.mitre.org/techniques/T1648/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "fd01b949-81be-46d5-bcf8-284395d5f56d_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd01b949-81be-46d5-bcf8-284395d5f56d_103.json b/packages/security_detection_engine/kibana/security_rule/fd01b949-81be-46d5-bcf8-284395d5f56d_103.json new file mode 100644 index 00000000000..a2370ad93a3 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/fd01b949-81be-46d5-bcf8-284395d5f56d_103.json 
@@ -0,0 +1,70 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "Detects the deletion of a GitHub app either from a repo or an organization.", + "from": "now-9m", + "index": [ + "logs-github.audit-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "GitHub App Deleted", + "query": "configuration where event.dataset == \"github.audit\" and github.category == \"integration_installation\" and event.type == \"deletion\"\n", + "related_integrations": [ + { + "package": "github", + "version": "^2.0.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.dataset", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": false, + "name": "github.category", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "fd01b949-81be-46d5-bcf8-284395d5f56d", + "severity": "low", + "tags": [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Tactic: Execution", + "Data Source: Github" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0002", + "name": "Execution", + "reference": "https://attack.mitre.org/tactics/TA0002/" + }, + "technique": [ + { + "id": "T1648", + "name": "Serverless Execution", + "reference": "https://attack.mitre.org/techniques/T1648/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 103 + }, + "id": "fd01b949-81be-46d5-bcf8-284395d5f56d_103", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd332492-0bc6-11ef-b5be-f661ea17fbcc.json b/packages/security_detection_engine/kibana/security_rule/fd332492-0bc6-11ef-b5be-f661ea17fbcc.json deleted file mode 100644 index 0f75e3de57c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fd332492-0bc6-11ef-b5be-f661ea17fbcc.json +++ /dev/null 
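Review bot: The new rule version ships with no `false_positives` entry and no triage `note`, although uninstalling a GitHub App is a routine administrative action and this query fires on every `integration_installation` deletion at both repo and org level; other rules in this package (the AWS SSM SecureString rule further down, for example) carry both. I would add at least `"false_positives": ["GitHub Apps are routinely uninstalled by organization owners and repository administrators; verify the actor and whether the removed app provided security-relevant functionality (e.g. code scanning, CI) before escalating."]`. The ATT&CK mapping to T1648 Serverless Execution also looks questionable for a deletion event — removing an installed integration reads more like Defense Evasion / Impair Defenses than Execution — but that is a judgement call for the rule author. This hunk is a complete new file.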
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the first occurrence of a user identity accessing AWS Systems Manager (SSM) SecureString parameters using the GetParameter or GetParameters API actions with credentials in the request parameters. This could indicate that the user is accessing sensitive information. This rule detects when a user accesses a SecureString parameter with the `withDecryption` parameter set to true. This is a [NewTerms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that detects the first occurrence of a specific AWS ARN accessing SecureString parameters with decryption within the last 10 days.", "false_positives": ["Users may legitimately access AWS Systems Manager (SSM) parameters using the GetParameter, GetParameters, or DescribeParameters API actions with credentials in the request parameters. Ensure that the user has a legitimate reason to access the parameters and that the credentials are secured."], "from": "now-9m", "history_window_start": "now-10d", "index": ["filebeat-*", "logs-aws.cloudtrail*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag", "new_terms_fields": ["aws.cloudtrail.user_identity.arn"], "note": "## Triage and Analysis\n\n### Investigating AWS Systems Manager SecureString Parameter Request with Decryption Flag\n\nThis rule detects when an AWS resource accesses SecureString parameters within AWS Systems Manager (SSM) with the decryption flag set to true. SecureStrings are encrypted using a KMS key, and accessing these with decryption can indicate attempts to access sensitive data.\n\nAdversaries may target SecureStrings to retrieve sensitive information such as encryption keys, passwords, and other credentials that are stored securely. 
Accessing these parameters with decryption enabled is particularly concerning because it implies the adversary is attempting to bypass the encryption to obtain plain text values that can be immediately used or exfiltrated. This behavior might be part of a larger attack strategy aimed at escalating privileges or moving laterally within an environment to access protected data or critical infrastructure.\n\n#### Possible Investigation Steps\n\n- **Review the Access Event**: Identify the specific API call (`GetParameter` or `GetParameters`) that triggered the rule. Examine the `request_parameters` for `withDecryption` set to true and the name of the accessed parameter.\n- **Verify User Identity and Access Context**: Check the `user_identity` details to understand who accessed the parameter and their role within the organization. This includes checking the ARN and access key ID to determine if the access was authorized.\n- **Contextualize with User Behavior**: Assess whether the access pattern fits the user\u2019s normal behavior or job responsibilities. 
Investigate any out-of-pattern activities around the time of the event.\n- **Analyze Geographic and IP Context**: Using the `source.ip` and `source.geo` information, verify if the request came from a trusted location or if there are any anomalies that suggest a compromised account.\n- **Inspect Related CloudTrail Events**: Look for other related events in CloudTrail to see if there was unusual activity before or after this event, such as unusual login attempts, changes to permissions, or other API calls that could indicate broader unauthorized actions.\n\n### False Positive Analysis\n\n- **Legitimate Administrative Use**: Verify if the decryption of SecureString parameters is a common practice for the user\u2019s role, particularly if used in automation scripts or deployment processes like those involving Terraform or similar tools.\n\n### Response and Remediation\n\n- **Immediate Verification**: Contact the user or team responsible for the API call to verify their intent and authorization.\n- **Review and Revise Permissions**: If the access was unauthorized, review the permissions assigned to the user or role to ensure they align with the principle of least privilege.\n- **Audit Parameter Access Policies**: Ensure that policies governing access to SecureString parameters are strict and audit logs are enabled to track access with decryption.\n- **Incident Response**: If suspicious activity is confirmed, follow through with your organization's incident response plan to mitigate any potential security issues.\n- **Enhanced Monitoring and Alerting**: Strengthen monitoring rules to detect unusual accesses to SecureString parameters, especially those that involve decryption.\n\n### Additional Information\n\nThis rule focuses solely on SecureStrings in AWS Systems Manager (SSM) parameters. SecureStrings are encrypted using an AWS Key Management Service (KMS) key. When a user accesses a SecureString parameter, they can specify whether the parameter should be decrypted. 
If the user specifies that the parameter should be decrypted, the decrypted value is returned in the response.\n", "query": "event.dataset: aws.cloudtrail\n and event.provider: \"ssm.amazonaws.com\"\n and event.action: (GetParameters or GetParameter)\n and event.outcome: success\n and aws.cloudtrail.request_parameters: *withDecryption=true*\n", "references": ["https://docs.aws.amazon.com/vsts/latest/userguide/systemsmanager-getparameter.html", "https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.request_parameters", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "fd332492-0bc6-11ef-b5be-f661ea17fbcc", "setup": "This rule requires that AWS CloudTrail logs are ingested into the Elastic Stack. Ensure that the AWS integration is properly configured to collect AWS CloudTrail logs. 
This rule also requires event logging for AWS Systems Manager (SSM) API actions which can be enabled in CloudTrail's data events settings.\n", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Systems Manager", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.006", "name": "Cloud Secrets Management Stores", "reference": "https://attack.mitre.org/techniques/T1555/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "fd332492-0bc6-11ef-b5be-f661ea17fbcc", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fd332492-0bc6-11ef-b5be-f661ea17fbcc_1.json b/packages/security_detection_engine/kibana/security_rule/fd332492-0bc6-11ef-b5be-f661ea17fbcc_1.json
deleted file mode 100644
index 64d8273b80f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fd332492-0bc6-11ef-b5be-f661ea17fbcc_1.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects the first occurrence of a user identity accessing AWS Systems Manager (SSM) SecureString parameters using the GetParameter or GetParameters API actions with credentials in the request parameters. This could indicate that the user is accessing sensitive information. This rule detects when a user accesses a SecureString parameter with the `withDecryption` parameter set to true. This is a [NewTerms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that detects the first occurrence of a specific AWS ARN accessing SecureString parameters with decryption within the last 10 days.", "false_positives": ["Users may legitimately access AWS Systems Manager (SSM) parameters using the GetParameter, GetParameters, or DescribeParameters API actions with credentials in the request parameters. Ensure that the user has a legitimate reason to access the parameters and that the credentials are secured."], "from": "now-9m", "history_window_start": "now-10d", "index": ["filebeat-*", "logs-aws.cloudtrail*"], "language": "kuery", "license": "Elastic License v2", "name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag", "new_terms_fields": ["aws.cloudtrail.user_identity.arn"], "note": "\n## Triage and Analysis\n\n### Investigating AWS Systems Manager SecureString Parameter Request with Decryption Flag\n\nThis rule detects when an AWS resource accesses SecureString parameters within AWS Systems Manager (SSM) with the decryption flag set to true. SecureStrings are encrypted using a KMS key, and accessing these with decryption can indicate attempts to access sensitive data.\n\nAdversaries may target SecureStrings to retrieve sensitive information such as encryption keys, passwords, and other credentials that are stored securely. 
Accessing these parameters with decryption enabled is particularly concerning because it implies the adversary is attempting to bypass the encryption to obtain plain text values that can be immediately used or exfiltrated. This behavior might be part of a larger attack strategy aimed at escalating privileges or moving laterally within an environment to access protected data or critical infrastructure.\n\n#### Possible Investigation Steps\n\n- **Review the Access Event**: Identify the specific API call (`GetParameter` or `GetParameters`) that triggered the rule. Examine the `request_parameters` for `withDecryption` set to true and the name of the accessed parameter.\n- **Verify User Identity and Access Context**: Check the `user_identity` details to understand who accessed the parameter and their role within the organization. This includes checking the ARN and access key ID to determine if the access was authorized.\n- **Contextualize with User Behavior**: Assess whether the access pattern fits the user\u2019s normal behavior or job responsibilities. 
Investigate any out-of-pattern activities around the time of the event.\n- **Analyze Geographic and IP Context**: Using the `source.ip` and `source.geo` information, verify if the request came from a trusted location or if there are any anomalies that suggest a compromised account.\n- **Inspect Related CloudTrail Events**: Look for other related events in CloudTrail to see if there was unusual activity before or after this event, such as unusual login attempts, changes to permissions, or other API calls that could indicate broader unauthorized actions.\n\n### False Positive Analysis\n\n- **Legitimate Administrative Use**: Verify if the decryption of SecureString parameters is a common practice for the user\u2019s role, particularly if used in automation scripts or deployment processes like those involving Terraform or similar tools.\n\n### Response and Remediation\n\n- **Immediate Verification**: Contact the user or team responsible for the API call to verify their intent and authorization.\n- **Review and Revise Permissions**: If the access was unauthorized, review the permissions assigned to the user or role to ensure they align with the principle of least privilege.\n- **Audit Parameter Access Policies**: Ensure that policies governing access to SecureString parameters are strict and audit logs are enabled to track access with decryption.\n- **Incident Response**: If suspicious activity is confirmed, follow through with your organization's incident response plan to mitigate any potential security issues.\n- **Enhanced Monitoring and Alerting**: Strengthen monitoring rules to detect unusual accesses to SecureString parameters, especially those that involve decryption.\n\n### Additional Information\n\nThis rule focuses solely on SecureStrings in AWS Systems Manager (SSM) parameters. SecureStrings are encrypted using an AWS Key Management Service (KMS) key. When a user accesses a SecureString parameter, they can specify whether the parameter should be decrypted. 
If the user specifies that the parameter should be decrypted, the decrypted value is returned in the response.\n", "query": "event.dataset: aws.cloudtrail\n and event.provider: \"ssm.amazonaws.com\"\n and event.action: (GetParameters or GetParameter)\n and event.outcome: success\n and aws.cloudtrail.request_parameters: *withDecryption=true*\n", "references": ["https://docs.aws.amazon.com/vsts/latest/userguide/systemsmanager-getparameter.html", "https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.request_parameters", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "fd332492-0bc6-11ef-b5be-f661ea17fbcc", "setup": "This rule requires that AWS CloudTrail logs are ingested into the Elastic Stack. Ensure that the AWS integration is properly configured to collect AWS CloudTrail logs. 
This rule also requires event logging for AWS Systems Manager (SSM) API actions which can be enabled in CloudTrail's data events settings.\n", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: AWS Systems Manager", "Tactic: Credential Access", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": "https://attack.mitre.org/techniques/T1555/", "subtechnique": [{"id": "T1555.006", "name": "Cloud Secrets Management Stores", "reference": "https://attack.mitre.org/techniques/T1555/006/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "fd332492-0bc6-11ef-b5be-f661ea17fbcc_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f.json b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f.json
deleted file mode 100644
index 75e6ab51d15..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Application Shimming via Sdbinst", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"sdbinst.exe\" and\n process.args : \"?*\" and\n not (process.args : \"-m\" and process.args : \"-bg\") and\n not process.args : \"-mm\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", 
"Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.011", "name": "Application Shimming", "reference": "https://attack.mitre.org/techniques/T1546/011/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.011", "name": "Application Shimming", "reference": "https://attack.mitre.org/techniques/T1546/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "fd4a992d-6130-4802-9ff8-829b89ae801f", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_104.json b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_104.json
deleted file mode 100644
index 8dbae9697f1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Application Shimming via Sdbinst", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"sdbinst.exe\" and\n not (process.args : \"-m\" and process.args : \"-bg\") and\n not process.args : \"-mm\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.011", "name": "Application Shimming", 
"reference": "https://attack.mitre.org/techniques/T1546/011/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.011", "name": "Application Shimming", "reference": "https://attack.mitre.org/techniques/T1546/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "fd4a992d-6130-4802-9ff8-829b89ae801f_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_105.json b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_105.json
deleted file mode 100644
index e7b7687c274..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Application Shimming via Sdbinst", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"sdbinst.exe\" and\n not (process.args : \"-m\" and process.args : \"-bg\") and\n not process.args : \"-mm\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.011", 
"name": "Application Shimming", "reference": "https://attack.mitre.org/techniques/T1546/011/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.011", "name": "Application Shimming", "reference": "https://attack.mitre.org/techniques/T1546/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "fd4a992d-6130-4802-9ff8-829b89ae801f_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_106.json b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_106.json
deleted file mode 100644
index 71019cfe7d2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Application Shimming via Sdbinst", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"sdbinst.exe\" and\n not (process.args : \"-m\" and process.args : \"-bg\") and\n not process.args : \"-mm\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", 
"subtechnique": [{"id": "T1546.011", "name": "Application Shimming", "reference": "https://attack.mitre.org/techniques/T1546/011/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.011", "name": "Application Shimming", "reference": "https://attack.mitre.org/techniques/T1546/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "fd4a992d-6130-4802-9ff8-829b89ae801f_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_107.json b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_107.json
deleted file mode 100644
index 8f140ddfe29..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Application Shimming via Sdbinst", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"sdbinst.exe\" and\n not (process.args : \"-m\" and process.args : \"-bg\") and\n not process.args : \"-mm\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.011", "name": "Application Shimming", "reference": "https://attack.mitre.org/techniques/T1546/011/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.011", "name": "Application Shimming", "reference": "https://attack.mitre.org/techniques/T1546/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "fd4a992d-6130-4802-9ff8-829b89ae801f_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_108.json b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_108.json
deleted file mode 100644
index 9f1c2a32945..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Application Shimming via Sdbinst", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"sdbinst.exe\" and\n not (process.args : \"-m\" and process.args : \"-bg\") and\n not process.args : \"-mm\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", 
"tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.011", "name": "Application Shimming", "reference": "https://attack.mitre.org/techniques/T1546/011/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.011", "name": "Application Shimming", "reference": "https://attack.mitre.org/techniques/T1546/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "fd4a992d-6130-4802-9ff8-829b89ae801f_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_109.json b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_109.json
deleted file mode 100644
index 131c663de03..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_109.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Application Shimming via Sdbinst", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"sdbinst.exe\" and\n not (process.args : \"-m\" and process.args : \"-bg\") and\n not process.args : \"-mm\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE 
ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.011", "name": "Application Shimming", "reference": "https://attack.mitre.org/techniques/T1546/011/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.011", "name": "Application Shimming", "reference": "https://attack.mitre.org/techniques/T1546/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "fd4a992d-6130-4802-9ff8-829b89ae801f_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_110.json b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_110.json
deleted file mode 100644
index 55073a149ed..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_110.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Application Shimming via Sdbinst", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"sdbinst.exe\" and\n process.args : \"?*\" and\n not (process.args : \"-m\" and process.args : \"-bg\") and\n not process.args : \"-mm\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], 
"threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.011", "name": "Application Shimming", "reference": "https://attack.mitre.org/techniques/T1546/011/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.011", "name": "Application Shimming", "reference": "https://attack.mitre.org/techniques/T1546/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "fd4a992d-6130-4802-9ff8-829b89ae801f_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_111.json b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_111.json
deleted file mode 100644
index 5b3ae3bc434..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_111.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Application Shimming via Sdbinst", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"sdbinst.exe\" and\n process.args : \"?*\" and\n not (process.args : \"-m\" and process.args : \"-bg\") and\n not process.args : \"-mm\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", 
"Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.011", "name": "Application Shimming", "reference": "https://attack.mitre.org/techniques/T1546/011/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.011", "name": "Application Shimming", "reference": "https://attack.mitre.org/techniques/T1546/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "fd4a992d-6130-4802-9ff8-829b89ae801f_111", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_311.json b/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_311.json
deleted file mode 100644
index 813c41621a5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fd4a992d-6130-4802-9ff8-829b89ae801f_311.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "The Application Shim was created to allow for backward compatibility of software as the operating system codebase changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Application Shimming via Sdbinst", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and process.name : \"sdbinst.exe\" and\n process.args : \"?*\" and\n not (process.args : \"-m\" and process.args : \"-bg\") and\n not process.args : \"-mm\"\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fd4a992d-6130-4802-9ff8-829b89ae801f", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, 
"technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.011", "name": "Application Shimming", "reference": "https://attack.mitre.org/techniques/T1546/011/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [{"id": "T1546.011", "name": "Application Shimming", "reference": "https://attack.mitre.org/techniques/T1546/011/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 311}, "id": "fd4a992d-6130-4802-9ff8-829b89ae801f_311", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf.json b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf.json
deleted file mode 100644
index 78080df1b7e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious CertUtil Commands", "note": "## Triage and analysis\n\n### Investigating Suspicious CertUtil Commands\n\n`certutil.exe` is a command line utility program that is included with Microsoft Windows operating systems. It is used to manage and manipulate digital certificates and certificate services on computers running Windows.\n\nAttackers can abuse `certutil.exe` utility to download and/or deobfuscate malware, offensive security tools, and certificates from external sources to take the next steps in a compromised environment. This rule identifies command line arguments used to accomplish these behaviors.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine the nature of the execution.\n - If files were downloaded, retrieve them and check whether they were run, and under which security context.\n - If files were obfuscated or deobfuscated, retrieve them.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the involved files using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"certutil.exe\" or ?process.pe.original_file_name == \"CertUtil.exe\") and\n process.args : (\"?decode\", \"?encode\", \"?urlcache\", \"?verifyctl\", \"?encodehex\", \"?decodehex\", \"?exportPFX\")\n", "references": ["https://twitter.com/Moriarty_Meng/status/984380793383370752", "https://twitter.com/egre55/status/1087685529016193025", "https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx", "https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1140", "name": 
"Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "fd70c98a-c410-42dc-a2e3-761c71848acf", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_103.json b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_103.json
deleted file mode 100644
index 53f8f6b757a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_103.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious CertUtil Commands", "note": "", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"certutil.exe\" or process.pe.original_file_name == \"CertUtil.exe\") and\n process.args : (\"?decode\", \"?encode\", \"?urlcache\", \"?verifyctl\", \"?encodehex\", \"?decodehex\", \"?exportPFX\")\n", "references": ["https://twitter.com/Moriarty_Meng/status/984380793383370752", "https://twitter.com/egre55/status/1087685529016193025", "https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx", "https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", 
"severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 103}, "id": "fd70c98a-c410-42dc-a2e3-761c71848acf_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_104.json b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_104.json
deleted file mode 100644
index e1af39b681d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious CertUtil Commands", "note": "## Triage and analysis\n\n### Investigating Suspicious CertUtil Commands\n\n`certutil.exe` is a command line utility program that is included with Microsoft Windows operating systems. It is used to manage and manipulate digital certificates and certificate services on computers running Windows.\n\nAttackers can abuse `certutil.exe` utility to download and/or deobfuscate malware, offensive security tools, and certificates from external sources to take the next steps in a compromised environment. This rule identifies command line arguments used to accomplish these behaviors.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine the nature of the execution.\n - If files were downloaded, retrieve them and check whether they were run, and under which security context.\n - If files were obfuscated or deobfuscated, retrieve them.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the involved files using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"certutil.exe\" or process.pe.original_file_name == \"CertUtil.exe\") and\n process.args : (\"?decode\", \"?encode\", \"?urlcache\", \"?verifyctl\", \"?encodehex\", \"?decodehex\", \"?exportPFX\")\n", "references": ["https://twitter.com/Moriarty_Meng/status/984380793383370752", "https://twitter.com/egre55/status/1087685529016193025", "https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx", "https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timeline_id": 
"e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "fd70c98a-c410-42dc-a2e3-761c71848acf_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_105.json b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_105.json
deleted file mode 100644
index bc9f3b255d0..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious CertUtil Commands", "note": "## Triage and analysis\n\n### Investigating Suspicious CertUtil Commands\n\n`certutil.exe` is a command line utility program that is included with Microsoft Windows operating systems. It is used to manage and manipulate digital certificates and certificate services on computers running Windows.\n\nAttackers can abuse `certutil.exe` utility to download and/or deobfuscate malware, offensive security tools, and certificates from external sources to take the next steps in a compromised environment. This rule identifies command line arguments used to accomplish these behaviors.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine the nature of the execution.\n - If files were downloaded, retrieve them and check whether they were run, and under which security context.\n - If files were obfuscated or deobfuscated, retrieve them.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the involved files using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"certutil.exe\" or process.pe.original_file_name == \"CertUtil.exe\") and\n process.args : (\"?decode\", \"?encode\", \"?urlcache\", \"?verifyctl\", \"?encodehex\", \"?decodehex\", \"?exportPFX\")\n", "references": ["https://twitter.com/Moriarty_Meng/status/984380793383370752", "https://twitter.com/egre55/status/1087685529016193025", "https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx", "https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], 
"timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "fd70c98a-c410-42dc-a2e3-761c71848acf_105", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_106.json b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_106.json deleted file mode 100644 index bd4208856c7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_106.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious CertUtil Commands", "note": "## Triage and analysis\n\n### Investigating Suspicious CertUtil Commands\n\n`certutil.exe` is a command line utility program that is included with Microsoft Windows operating systems. It is used to manage and manipulate digital certificates and certificate services on computers running Windows.\n\nAttackers can abuse `certutil.exe` utility to download and/or deobfuscate malware, offensive security tools, and certificates from external sources to take the next steps in a compromised environment. This rule identifies command line arguments used to accomplish these behaviors.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine the nature of the execution.\n - If files were downloaded, retrieve them and check whether they were run, and under which security context.\n - If files were obfuscated or deobfuscated, retrieve them.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the involved files using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"certutil.exe\" or process.pe.original_file_name == \"CertUtil.exe\") and\n process.args : (\"?decode\", \"?encode\", \"?urlcache\", \"?verifyctl\", \"?encodehex\", \"?decodehex\", \"?exportPFX\")\n", "references": ["https://twitter.com/Moriarty_Meng/status/984380793383370752", "https://twitter.com/egre55/status/1087685529016193025", "https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx", "https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": 
"https://attack.mitre.org/techniques/T1140/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "fd70c98a-c410-42dc-a2e3-761c71848acf_106", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_107.json b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_107.json deleted file mode 100644 index 1ebc82bf9ab..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_107.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious CertUtil Commands", "note": "## Triage and analysis\n\n### Investigating Suspicious CertUtil Commands\n\n`certutil.exe` is a command line utility program that is included with Microsoft Windows operating systems. It is used to manage and manipulate digital certificates and certificate services on computers running Windows.\n\nAttackers can abuse `certutil.exe` utility to download and/or deobfuscate malware, offensive security tools, and certificates from external sources to take the next steps in a compromised environment. This rule identifies command line arguments used to accomplish these behaviors.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine the nature of the execution.\n - If files were downloaded, retrieve them and check whether they were run, and under which security context.\n - If files were obfuscated or deobfuscated, retrieve them.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the involved files using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"certutil.exe\" or ?process.pe.original_file_name == \"CertUtil.exe\") and\n process.args : (\"?decode\", \"?encode\", \"?urlcache\", \"?verifyctl\", \"?encodehex\", \"?decodehex\", \"?exportPFX\")\n", "references": ["https://twitter.com/Moriarty_Meng/status/984380793383370752", "https://twitter.com/egre55/status/1087685529016193025", "https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx", "https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1140", "name": "Deobfuscate/Decode Files or 
Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "fd70c98a-c410-42dc-a2e3-761c71848acf_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_108.json b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_108.json deleted file mode 100644 index d696cc48028..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_108.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious CertUtil Commands", "note": "## Triage and analysis\n\n### Investigating Suspicious CertUtil Commands\n\n`certutil.exe` is a command line utility program that is included with Microsoft Windows operating systems. It is used to manage and manipulate digital certificates and certificate services on computers running Windows.\n\nAttackers can abuse `certutil.exe` utility to download and/or deobfuscate malware, offensive security tools, and certificates from external sources to take the next steps in a compromised environment. This rule identifies command line arguments used to accomplish these behaviors.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine the nature of the execution.\n - If files were downloaded, retrieve them and check whether they were run, and under which security context.\n - If files were obfuscated or deobfuscated, retrieve them.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the involved files using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"certutil.exe\" or ?process.pe.original_file_name == \"CertUtil.exe\") and\n process.args : (\"?decode\", \"?encode\", \"?urlcache\", \"?verifyctl\", \"?encodehex\", \"?decodehex\", \"?exportPFX\")\n", "references": ["https://twitter.com/Moriarty_Meng/status/984380793383370752", "https://twitter.com/egre55/status/1087685529016193025", "https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx", "https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1140", "name": "Deobfuscate/Decode Files or 
Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "fd70c98a-c410-42dc-a2e3-761c71848acf_108", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_109.json b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_109.json deleted file mode 100644 index 6f46baee372..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_109.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious CertUtil Commands", "note": "## Triage and analysis\n\n### Investigating Suspicious CertUtil Commands\n\n`certutil.exe` is a command line utility program that is included with Microsoft Windows operating systems. It is used to manage and manipulate digital certificates and certificate services on computers running Windows.\n\nAttackers can abuse `certutil.exe` utility to download and/or deobfuscate malware, offensive security tools, and certificates from external sources to take the next steps in a compromised environment. This rule identifies command line arguments used to accomplish these behaviors.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine the nature of the execution.\n - If files were downloaded, retrieve them and check whether they were run, and under which security context.\n - If files were obfuscated or deobfuscated, retrieve them.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the involved files using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"certutil.exe\" or ?process.pe.original_file_name == \"CertUtil.exe\") and\n process.args : (\"?decode\", \"?encode\", \"?urlcache\", \"?verifyctl\", \"?encodehex\", \"?decodehex\", \"?exportPFX\")\n", "references": ["https://twitter.com/Moriarty_Meng/status/984380793383370752", "https://twitter.com/egre55/status/1087685529016193025", "https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx", "https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1140", "name": 
"Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "fd70c98a-c410-42dc-a2e3-761c71848acf_109", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_110.json b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_110.json
deleted file mode 100644
index 65c445c0c57..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "endgame-*", "logs-system.security*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious CertUtil Commands", "note": "## Triage and analysis\n\n### Investigating Suspicious CertUtil Commands\n\n`certutil.exe` is a command line utility program that is included with Microsoft Windows operating systems. It is used to manage and manipulate digital certificates and certificate services on computers running Windows.\n\nAttackers can abuse `certutil.exe` utility to download and/or deobfuscate malware, offensive security tools, and certificates from external sources to take the next steps in a compromised environment. This rule identifies command line arguments used to accomplish these behaviors.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine the nature of the execution.\n - If files were downloaded, retrieve them and check whether they were run, and under which security context.\n - If files were obfuscated or deobfuscated, retrieve them.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the involved files using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"certutil.exe\" or ?process.pe.original_file_name == \"CertUtil.exe\") and\n process.args : (\"?decode\", \"?encode\", \"?urlcache\", \"?verifyctl\", \"?encodehex\", \"?decodehex\", \"?exportPFX\")\n", "references": ["https://twitter.com/Moriarty_Meng/status/984380793383370752", "https://twitter.com/egre55/status/1087685529016193025", "https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx", "https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil", "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense 
Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "fd70c98a-c410-42dc-a2e3-761c71848acf_110", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_310.json b/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_310.json
deleted file mode 100644
index 33f24ce6c75..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fd70c98a-c410-42dc-a2e3-761c71848acf_310.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic", "Austin Songer"], "description": "Identifies suspicious commands being used with certutil.exe. CertUtil is a native Windows component which is part of Certificate Services. CertUtil is often abused by attackers to live off the land for stealthier command and control or data exfiltration.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "eql", "license": "Elastic License v2", "name": "Suspicious CertUtil Commands", "note": "## Triage and analysis\n\n### Investigating Suspicious CertUtil Commands\n\n`certutil.exe` is a command line utility program that is included with Microsoft Windows operating systems. It is used to manage and manipulate digital certificates and certificate services on computers running Windows.\n\nAttackers can abuse `certutil.exe` utility to download and/or deobfuscate malware, offensive security tools, and certificates from external sources to take the next steps in a compromised environment. This rule identifies command line arguments used to accomplish these behaviors.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine the command line to determine the nature of the execution.\n - If files were downloaded, retrieve them and check whether they were run, and under which security context.\n - If files were obfuscated or deobfuscated, retrieve them.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the involved files using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT 
concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n (process.name : \"certutil.exe\" or ?process.pe.original_file_name == \"CertUtil.exe\") and\n process.args : (\"?decode\", \"?encode\", \"?urlcache\", \"?verifyctl\", \"?encodehex\", \"?decodehex\", \"?exportPFX\")\n", "references": ["https://twitter.com/Moriarty_Meng/status/984380793383370752", "https://twitter.com/egre55/status/1087685529016193025", "https://www.sysadmins.lv/blog-en/certutil-tips-and-tricks-working-with-x509-file-format.aspx", "https://docs.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil", "https://www.elastic.co/security-labs/siestagraph-new-implant-uncovered-in-asean-member-foreign-ministry"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.pe.original_file_name", "type": "keyword"}], "risk_score": 47, "rule_id": "fd70c98a-c410-42dc-a2e3-761c71848acf", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide", "Data Source: Elastic Defend", 
"Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": "https://attack.mitre.org/techniques/T1140/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 310}, "id": "fd70c98a-c410-42dc-a2e3-761c71848acf_310", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2.json b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2.json
deleted file mode 100644
index fda1aeb8412..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"process.args": {"case_insensitive": true, "value": "?:\\\\Windows\\\\system32\\\\silcollector.cmd"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"process.command_line": {"case_insensitive": true, "value": "*?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"process.command_line": {"case_insensitive": true, "value": "*?:\\\\Program Files*\\\\Pulseway\\\\watchdog.bat*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"process.command_line": {"case_insensitive": true, "value": "cmd /C \".\\\\inetsrv\\\\iissetup.exe /keygen \""}}}}], "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "Svchost spawning Cmd", "new_terms_fields": ["host.id", "process.command_line", "user.id"], "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == 
null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:windows and event.category:process and event.type:start and process.parent.name:\"svchost.exe\" and\nprocess.name:(\"cmd.exe\" or \"Cmd.exe\" or \"CMD.EXE\") and\nnot process.command_line : \"\\\"cmd.exe\\\" /C sc control hptpsmarthealthservice 211\"\n", "references": ["https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: 
Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "new_terms", "version": 213}, "id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_104.json b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_104.json
deleted file mode 100644
index 387e64d918d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Svchost spawning Cmd", "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - $osquery_0\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - $osquery_1\n - $osquery_2\n - $osquery_3\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"svchost.exe\" and process.name : \"cmd.exe\" and\n\n not process.args :\n (\"??:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat?\",\n \"?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat\",\n \"\\\\system32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\system32\\\\silcollector.cmd\",\n \"\\\\system32\\\\AppHostRegistrationVerifier.exe\",\n \"\\\\system32\\\\ServerManagerLauncher.exe\",\n \"dir\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\LSDeployment\\\\Lspush.exe\",\n \"(x86)\\\\FMAuditOnsite\\\\watchdog.bat\",\n \"?:\\\\ProgramData\\\\chocolatey\\\\bin\\\\choco-upgrade-all.bat\",\n \"Files\\\\Npcap\\\\CheckStatus.bat\") and\n\n /* very noisy pattern - bat 
or cmd script executed via scheduled tasks */\n not (process.parent.args : \"netsvcs\" and process.args : (\"?:\\\\*.bat\", \"?:\\\\*.cmd\"))\n", "references": ["https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "fd7a6052-58fa-4397-93c3-4795249ccfa2_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_105.json b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_105.json
deleted file mode 100644
index e756296d925..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Svchost spawning Cmd", "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"svchost.exe\" and process.name : \"cmd.exe\" and\n\n not process.args :\n (\"??:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat?\",\n \"?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat\",\n \"\\\\system32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\system32\\\\silcollector.cmd\",\n \"\\\\system32\\\\AppHostRegistrationVerifier.exe\",\n \"\\\\system32\\\\ServerManagerLauncher.exe\",\n \"dir\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\LSDeployment\\\\Lspush.exe\",\n \"(x86)\\\\FMAuditOnsite\\\\watchdog.bat\",\n \"?:\\\\ProgramData\\\\chocolatey\\\\bin\\\\choco-upgrade-all.bat\",\n \"Files\\\\Npcap\\\\CheckStatus.bat\") and\n\n /* very noisy pattern - bat or cmd script executed via scheduled tasks */\n not (process.parent.args : \"netsvcs\" and process.args : (\"?:\\\\*.bat\", \"?:\\\\*.cmd\"))\n", "references": ["https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": 
"fd7a6052-58fa-4397-93c3-4795249ccfa2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "fd7a6052-58fa-4397-93c3-4795249ccfa2_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_106.json b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_106.json
deleted file mode 100644
index a63e37ea125..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Svchost spawning Cmd", "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"svchost.exe\" and process.name : \"cmd.exe\" and\n\n not process.args :\n (\"??:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat?\",\n \"?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat\",\n \"\\\\system32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\system32\\\\silcollector.cmd\",\n \"\\\\system32\\\\AppHostRegistrationVerifier.exe\",\n \"\\\\system32\\\\ServerManagerLauncher.exe\",\n \"dir\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\LSDeployment\\\\Lspush.exe\",\n \"(x86)\\\\FMAuditOnsite\\\\watchdog.bat\",\n \"?:\\\\ProgramData\\\\chocolatey\\\\bin\\\\choco-upgrade-all.bat\",\n \"Files\\\\Npcap\\\\CheckStatus.bat\") and\n\n /* very noisy pattern - bat or cmd script executed via scheduled tasks */\n not (process.parent.args : \"netsvcs\" and process.args : (\"?:\\\\*.bat\", \"?:\\\\*.cmd\"))\n", "references": ["https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": 
"fd7a6052-58fa-4397-93c3-4795249ccfa2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "fd7a6052-58fa-4397-93c3-4795249ccfa2_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_107.json b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_107.json
deleted file mode 100644
index af8bd48382c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "Svchost spawning Cmd", "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "process where host.os.type == \"windows\" and event.type == \"start\" and\n\n process.parent.name : \"svchost.exe\" and process.name : \"cmd.exe\" and\n\n not process.args :\n (\"??:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat?\",\n \"?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat\",\n \"\\\\system32\\\\cleanmgr.exe\",\n \"?:\\\\Windows\\\\system32\\\\silcollector.cmd\",\n \"\\\\system32\\\\AppHostRegistrationVerifier.exe\",\n \"\\\\system32\\\\ServerManagerLauncher.exe\",\n \"dir\",\n \"?:\\\\Program Files\\\\*\",\n \"?:\\\\Program Files (x86)\\\\*\",\n \"?:\\\\Windows\\\\LSDeployment\\\\Lspush.exe\",\n \"(x86)\\\\FMAuditOnsite\\\\watchdog.bat\",\n \"?:\\\\ProgramData\\\\chocolatey\\\\bin\\\\choco-upgrade-all.bat\",\n \"Files\\\\Npcap\\\\CheckStatus.bat\") and\n\n /* very noisy pattern - bat or cmd script executed via scheduled tasks */\n not (process.parent.args : \"netsvcs\" and process.args : (\"?:\\\\*.bat\", \"?:\\\\*.cmd\"))\n", "references": ["https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.args", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": 
"fd7a6052-58fa-4397-93c3-4795249ccfa2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "fd7a6052-58fa-4397-93c3-4795249ccfa2_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_207.json b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_207.json
deleted file mode 100644
index 08790fd0f14..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_207.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe", "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Svchost spawning Cmd", "new_terms_fields": ["host.id", "process.command_line", "user.id"], "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "host.os.type:windows and event.category:process and event.type:start and process.parent.name:\"svchost.exe\" and \nprocess.name.caseless:\"cmd.exe\"\n", "references": ["https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.name.caseless", "type": "unknown"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timeline_id": 
"e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "new_terms", "version": 207}, "id": "fd7a6052-58fa-4397-93c3-4795249ccfa2_207", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_208.json b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_208.json
deleted file mode 100644
index 8d73f3d0ad1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_208.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe", "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "Svchost spawning Cmd", "new_terms_fields": ["host.id", "process.command_line", "user.id"], "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "host.os.type:windows and event.category:process and event.type:start and process.parent.name:\"svchost.exe\" and \nprocess.name.caseless:\"cmd.exe\"\n", "references": ["https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.name.caseless", "type": "unknown"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": 
"https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "new_terms", "version": 208}, "id": "fd7a6052-58fa-4397-93c3-4795249ccfa2_208", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_209.json b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_209.json
deleted file mode 100644
index 8f2e90e8898..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_209.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe", "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "Svchost spawning Cmd", "new_terms_fields": ["host.id", "process.command_line", "user.id"], "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "host.os.type:windows and event.category:process and event.type:start and process.parent.name:\"svchost.exe\" and process.name:(\"cmd.exe\" or \"Cmd.exe\" or \"CMD.EXE\")\n", "references": ["https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", 
"reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "new_terms", "version": 209}, "id": "fd7a6052-58fa-4397-93c3-4795249ccfa2_209", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_210.json b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_210.json
deleted file mode 100644
index c8fd4a96e10..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_210.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe", "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "Svchost spawning Cmd", "new_terms_fields": ["host.id", "process.command_line", "user.id"], "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:windows and event.category:process and event.type:start and process.parent.name:\"svchost.exe\" and process.name:(\"cmd.exe\" or \"Cmd.exe\" or \"CMD.EXE\")\n", "references": ["https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": 
"Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "new_terms", "version": 210}, "id": "fd7a6052-58fa-4397-93c3-4795249ccfa2_210", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_211.json b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_211.json
deleted file mode 100644
index df7375be1e2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_211.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe", "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "Svchost spawning Cmd", "new_terms_fields": ["host.id", "process.command_line", "user.id"], "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, 
start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:windows and event.category:process and event.type:start and process.parent.name:\"svchost.exe\" and process.name:(\"cmd.exe\" or \"Cmd.exe\" or \"CMD.EXE\")\n", "references": ["https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": 
"Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "new_terms", "version": 211}, "id": "fd7a6052-58fa-4397-93c3-4795249ccfa2_211", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_212.json b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_212.json deleted file mode 100644 index f74d594b881..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_212.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"process.args": {"case_insensitive": true, "value": "?:\\\\Windows\\\\system32\\\\silcollector.cmd"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"process.command_line": {"case_insensitive": true, "value": "*?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"process.command_line": {"case_insensitive": true, "value": "*?:\\\\Program Files*\\\\Pulseway\\\\watchdog.bat*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"process.command_line": {"case_insensitive": true, "value": "cmd /C \".\\\\inetsrv\\\\iissetup.exe /keygen \""}}}}], "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "Svchost spawning Cmd", "new_terms_fields": ["host.id", "process.command_line", "user.id"], "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == 
null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:windows and event.category:process and event.type:start and process.parent.name:\"svchost.exe\" and\nprocess.name:(\"cmd.exe\" or \"Cmd.exe\" or \"CMD.EXE\") and\nnot process.command_line : \"\\\"cmd.exe\\\" /C sc control hptpsmarthealthservice 211\"\n", "references": ["https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: 
Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "new_terms", "version": 212}, "id": "fd7a6052-58fa-4397-93c3-4795249ccfa2_212", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_213.json b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_213.json deleted file mode 100644 index 414a8da6537..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_213.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"process.args": {"case_insensitive": true, "value": "?:\\\\Windows\\\\system32\\\\silcollector.cmd"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"process.command_line": {"case_insensitive": true, "value": "*?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"process.command_line": {"case_insensitive": true, "value": "*?:\\\\Program Files*\\\\Pulseway\\\\watchdog.bat*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"process.command_line": {"case_insensitive": true, "value": "cmd /C \".\\\\inetsrv\\\\iissetup.exe /keygen \""}}}}], "from": "now-9m", "history_window_start": "now-14d", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.*", "logs-system.security*"], "language": "kuery", "license": "Elastic License v2", "name": "Svchost spawning Cmd", "new_terms_fields": ["host.id", "process.command_line", "user.id"], "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == 
null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:windows and event.category:process and event.type:start and process.parent.name:\"svchost.exe\" and\nprocess.name:(\"cmd.exe\" or \"Cmd.exe\" or \"CMD.EXE\") and\nnot process.command_line : \"\\\"cmd.exe\\\" /C sc control hptpsmarthealthservice 211\"\n", "references": ["https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}, {"package": "system", "version": "^1.6.4"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: 
Execution", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: System"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "new_terms", "version": 213}, "id": "fd7a6052-58fa-4397-93c3-4795249ccfa2_213", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_216.json b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_216.json deleted file mode 100644 index e8373cc83e1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_216.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"process.args": {"case_insensitive": true, "value": "?:\\\\Windows\\\\system32\\\\silcollector.cmd"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"process.command_line": {"case_insensitive": true, "value": "*?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"process.command_line": {"case_insensitive": true, "value": "*?:\\\\Program Files*\\\\Pulseway\\\\watchdog.bat*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"process.command_line": {"case_insensitive": true, "value": "cmd /C \".\\\\inetsrv\\\\iissetup.exe /keygen \""}}}}], "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "kuery", "license": "Elastic License v2", "name": "Svchost spawning Cmd", "new_terms_fields": ["host.id", "process.command_line", "user.id"], "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. 
This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - 
!{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:windows and event.category:process and event.type:start and process.parent.name:\"svchost.exe\" and\nprocess.name:(\"cmd.exe\" or \"Cmd.exe\" or \"CMD.EXE\") and\nnot process.command_line : \"\\\"cmd.exe\\\" /C sc control hptpsmarthealthservice 211\"\n", "references": ["https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, 
{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "new_terms", "version": 216}, "id": "fd7a6052-58fa-4397-93c3-4795249ccfa2_216", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_318.json b/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_318.json deleted file mode 100644 index ccfdb1de667..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fd7a6052-58fa-4397-93c3-4795249ccfa2_318.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe", "filters": [{"meta": {"negate": true}, "query": {"wildcard": {"process.args": {"case_insensitive": true, "value": "?:\\\\Windows\\\\system32\\\\silcollector.cmd"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"process.command_line": {"case_insensitive": true, "value": "*?:\\\\Program Files\\\\Npcap\\\\CheckStatus.bat*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"process.command_line": {"case_insensitive": true, "value": "*?:\\\\Program Files*\\\\Pulseway\\\\watchdog.bat*"}}}}, {"meta": {"negate": true}, "query": {"wildcard": {"process.command_line": {"case_insensitive": true, "value": "cmd /C \".\\\\inetsrv\\\\iissetup.exe /keygen \""}}}}], "from": "now-9m", "history_window_start": "now-14d", "index": ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.forwarded*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-system.security*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"], "language": "kuery", "license": "Elastic License v2", "name": "Svchost spawning Cmd", "new_terms_fields": ["host.id", "process.command_line", "user.id"], "note": "## Triage and analysis\n\n### Investigating Svchost spawning Cmd\n\nThe Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that `Svchost.exe` is reserved for use by the operating system and should not be used by non-Windows services.\n\nThis rule looks for the creation of the `cmd.exe` process with `svchost.exe` as its parent process. 
This is an unusual behavior that can indicate the masquerading of a malicious process as `svchost.exe` or exploitation for privilege escalation.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the process executable using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - 
!{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.\n\n\n### False positive analysis\n\n- This activity is unlikely to happen legitimately. 
Benign true positives (B-TPs) can be added as exceptions if necessary.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type:windows and event.category:process and event.type:start and process.parent.name:\"svchost.exe\" and\nprocess.name:(\"cmd.exe\" or \"Cmd.exe\" or \"CMD.EXE\") and\nnot process.command_line : \"\\\"cmd.exe\\\" /C sc control hptpsmarthealthservice 211\"\n", "references": ["https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^2.0.0"}, {"package": "system", "version": "^1.6.4"}, {"package": "m365_defender", "version": "^2.0.0"}, {"package": "sentinel_one_cloud_funnel", "version": "^1.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, 
{"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fd7a6052-58fa-4397-93c3-4795249ccfa2", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: System", "Data Source: Microsoft Defender for Endpoint", "Data Source: Sysmon", "Data Source: SentinelOne"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/"}]}], "timeline_id": "e70679c2-6cde-4510-9764-4823df18f7db", "timeline_title": "Comprehensive Process Timeline", "timestamp_override": "event.ingested", "type": "new_terms", "version": 318}, "id": "fd7a6052-58fa-4397-93c3-4795249ccfa2_318", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd9484f2-1c56-44ae-8b28-dc1354e3a0e8.json b/packages/security_detection_engine/kibana/security_rule/fd9484f2-1c56-44ae-8b28-dc1354e3a0e8.json deleted file mode 100644 index 5fbd19e9b34..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fd9484f2-1c56-44ae-8b28-dc1354e3a0e8.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies binaries that are loaded and with an invalid code signature. This may indicate an attempt to masquerade as a signed binary.", "from": "now-119m", "index": ["logs-endpoint.events.library-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Image Loaded with Invalid Signature", "query": "library where host.os.type == \"windows\" and event.action == \"load\" and\n dll.code_signature.status : (\"errorUntrustedRoot\", \"errorBadDigest\", \"errorUntrustedRoot\") and\n (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and\n not startswith~(dll.name, process.name) and\n not dll.path : (\n \"?:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "dll.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": false, "name": "dll.Ext.relative_file_name_modify_time", "type": "unknown"}, {"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "dll.path", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": 
"T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fd9484f2-1c56-44ae-8b28-dc1354e3a0e8_1.json b/packages/security_detection_engine/kibana/security_rule/fd9484f2-1c56-44ae-8b28-dc1354e3a0e8_1.json deleted file mode 100644 index b255e8fd53e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fd9484f2-1c56-44ae-8b28-dc1354e3a0e8_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies binaries that are loaded and with an invalid code signature. This may indicate an attempt to masquerade as a signed binary.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Image Loaded with Invalid Signature", "query": "library where host.os.type == \"windows\" and event.action == \"load\" and\n dll.code_signature.status : (\"errorUntrustedRoot\", \"errorBadDigest\", \"errorUntrustedRoot\") and\n (dll.Ext.relative_file_creation_time <= 500 or dll.Ext.relative_file_name_modify_time <= 500) and\n not startswith~(dll.name, process.name) and\n not dll.path : (\n \"?:\\\\Windows\\\\System32\\\\DriverStore\\\\FileRepository\\\\*\"\n )\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "dll.Ext.relative_file_creation_time", "type": "unknown"}, {"ecs": false, "name": "dll.Ext.relative_file_name_modify_time", "type": "unknown"}, {"ecs": true, "name": "dll.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "dll.name", "type": "keyword"}, {"ecs": true, "name": "dll.path", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": 
"T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "fd9484f2-1c56-44ae-8b28-dc1354e3a0e8_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6.json b/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6.json deleted file mode 100644 index 7ecd9b611db..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the copying or moving of a system binary. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "System Binary Moved or Copied", "query": "file where host.os.type == \"linux\" and event.type == \"change\" and event.action == \"rename\" and\nfile.Ext.original.path : (\n \"/bin/*\", \"/usr/bin/*\", \"/usr/local/bin/*\", \"/sbin/*\", \"/usr/sbin/*\", \"/usr/local/sbin/*\"\n) and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/libexec/netplan/generate\",\n \"/usr/bin/update-alternatives\", \"/bin/update-alternatives\", \"/usr/sbin/update-alternatives\",\n \"/sbin/update-alternatives\", \"/usr/bin/pip3\", \"/bin/pip3\", \"/usr/local/bin/pip3\", \"/usr/local/bin/node\",\n \"/bin/node\", \"/usr/bin/node\", \"/sbin/apk\", 
\"/usr/sbin/apk\", \"/usr/local/sbin/apk\", \"/usr/bin/pip\", \"/bin/pip\",\n \"/usr/local/bin/pip\", \"/usr/libexec/platform-python\", \"/usr/bin/platform-python\", \"/bin/platform-python\",\n \"/usr/lib/systemd/systemd\", \"/usr/sbin/sshd\", \"/sbin/sshd\", \"/usr/local/sbin/sshd\", \"/usr/sbin/crond\", \"/sbin/crond\",\n \"/usr/local/sbin/crond\", \"/usr/sbin/gdm\"\n ) or\n file.Ext.original.path : (\n \"/bin/*.tmp\", \"/usr/bin/*.tmp\", \"/usr/local/bin/*.tmp\", \"/sbin/*.tmp\", \"/usr/sbin/*.tmp\", \"/usr/local/sbin/*.tmp\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\") or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": false, "name": "file.Ext.original.path", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}, {"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 11}, "id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_1.json b/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_1.json deleted file mode 100644 index c9520ca8feb..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "System Binary Copied and/or Moved to Suspicious Directory", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name in (\"cp\", \"mv\", \"cat\") and process.args : (\n // Shells\n \"/bin/*sh\", \"/usr/bin/*sh\", \n\n // Interpreters\n \"/bin/python*\", \"/usr/bin/python*\", \"/bin/php*\", \"/usr/bin/php*\", \"/bin/ruby*\", \"/usr/bin/ruby*\", \"/bin/perl*\",\n \"/usr/bin/perl*\", \"/bin/lua*\", \"/usr/bin/lua*\", \"/bin/java*\", \"/usr/bin/java*\", \n\n // Compilers\n \"/bin/gcc*\", \"/usr/bin/gcc*\", \"/bin/g++*\", \"/usr/bin/g++*\", \"/bin/cc\", \"/usr/bin/cc\",\n\n // Suspicious utilities\n \"/bin/nc\", \"/usr/bin/nc\", \"/bin/ncat\", \"/usr/bin/ncat\", \"/bin/netcat\", \"/usr/bin/netcat\", \"/bin/nc.openbsd\",\n \"/usr/bin/nc.openbsd\", \"/bin/*awk\", \"/usr/bin/*awk\", \"/bin/socat\", \"/usr/bin/socat\", \"/bin/openssl\",\n \"/usr/bin/openssl\", \"/bin/telnet\", \"/usr/bin/telnet\", \"/bin/mkfifo\", \"/usr/bin/mkfifo\", \"/bin/mknod\",\n \"/usr/bin/mknod\", \"/bin/ping*\", \"/usr/bin/ping*\", \"/bin/nmap\", \"/usr/bin/nmap\",\n\n // System utilities\n \"/bin/ls\", \"/usr/bin/ls\", \"/bin/cat\", \"/usr/bin/cat\", \"/bin/mv\", \"/usr/bin/mv\", \"/bin/cp\", \"/usr/bin/cp\",\n \"/bin/sudo\", \"/usr/bin/sudo\", \"/bin/curl\", \"/usr/bin/curl\", \"/bin/wget\", \"/usr/bin/wget\", \"/bin/tmux\",\n \"/usr/bin/tmux\", \"/bin/screen\", \"/usr/bin/screen\", \"/bin/ssh\", 
\"/usr/bin/ssh\", \"/bin/ftp\", \"/usr/bin/ftp\"\n )]\n [file where host.os.type == \"linux\" and event.action == \"creation\" and file.path : (\n \"/dev/shm/*\", \"/run/shm/*\", \"/tmp/*\", \"/var/tmp/*\", \"/run/*\", \"/var/run/*\", \"/var/www/*\", \"/proc/*/fd/*\"\n )]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/"}]}], "type": "eql", "version": 1}, "id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_10.json b/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_10.json deleted file mode 100644 index 1471eee02f9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_10.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the copying or moving of a system binary. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "System Binary Moved or Copied", "query": "file where host.os.type == \"linux\" and event.type == \"change\" and event.action == \"rename\" and\nfile.Ext.original.path : (\n \"/bin/*\", \"/usr/bin/*\", \"/usr/local/bin/*\", \"/sbin/*\", \"/usr/sbin/*\", \"/usr/local/sbin/*\"\n) and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/libexec/netplan/generate\",\n \"/usr/bin/update-alternatives\", \"/bin/update-alternatives\", \"/usr/sbin/update-alternatives\",\n \"/sbin/update-alternatives\", \"/usr/bin/pip3\", \"/bin/pip3\", \"/usr/local/bin/pip3\", \"/usr/local/bin/node\",\n \"/bin/node\", \"/usr/bin/node\", \"/sbin/apk\", 
\"/usr/sbin/apk\", \"/usr/local/sbin/apk\", \"/usr/bin/pip\", \"/bin/pip\",\n \"/usr/local/bin/pip\", \"/usr/libexec/platform-python\", \"/usr/bin/platform-python\", \"/bin/platform-python\",\n \"/usr/lib/systemd/systemd\", \"/usr/sbin/sshd\", \"/sbin/sshd\", \"/usr/local/sbin/sshd\", \"/usr/sbin/crond\", \"/sbin/crond\",\n \"/usr/local/sbin/crond\", \"/usr/sbin/gdm\", \n ) or\n file.Ext.original.path : (\n \"/bin/*.tmp\", \"/usr/bin/*.tmp\", \"/usr/local/bin/*.tmp\", \"/sbin/*.tmp\", \"/usr/sbin/*.tmp\", \"/usr/local/sbin/*.tmp\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\") or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": false, "name": "file.Ext.original.path", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}, {"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 10}, "id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6_10", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_11.json b/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_11.json deleted file mode 100644 index 73f2ffc41a4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_11.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the copying or moving of a system binary. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "System Binary Moved or Copied", "query": "file where host.os.type == \"linux\" and event.type == \"change\" and event.action == \"rename\" and\nfile.Ext.original.path : (\n \"/bin/*\", \"/usr/bin/*\", \"/usr/local/bin/*\", \"/sbin/*\", \"/usr/sbin/*\", \"/usr/local/sbin/*\"\n) and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/libexec/netplan/generate\",\n \"/usr/bin/update-alternatives\", \"/bin/update-alternatives\", \"/usr/sbin/update-alternatives\",\n \"/sbin/update-alternatives\", \"/usr/bin/pip3\", \"/bin/pip3\", \"/usr/local/bin/pip3\", \"/usr/local/bin/node\",\n \"/bin/node\", \"/usr/bin/node\", \"/sbin/apk\", 
\"/usr/sbin/apk\", \"/usr/local/sbin/apk\", \"/usr/bin/pip\", \"/bin/pip\",\n \"/usr/local/bin/pip\", \"/usr/libexec/platform-python\", \"/usr/bin/platform-python\", \"/bin/platform-python\",\n \"/usr/lib/systemd/systemd\", \"/usr/sbin/sshd\", \"/sbin/sshd\", \"/usr/local/sbin/sshd\", \"/usr/sbin/crond\", \"/sbin/crond\",\n \"/usr/local/sbin/crond\", \"/usr/sbin/gdm\"\n ) or\n file.Ext.original.path : (\n \"/bin/*.tmp\", \"/usr/bin/*.tmp\", \"/usr/local/bin/*.tmp\", \"/sbin/*.tmp\", \"/usr/sbin/*.tmp\", \"/usr/local/sbin/*.tmp\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\") or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": false, "name": "file.Ext.original.path", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}, {"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 11}, "id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6_11", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_12.json b/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_12.json deleted file mode 100644 index 31f497de7be..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_12.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the copying or moving of a system binary. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "System Binary Moved or Copied", "query": "file where host.os.type == \"linux\" and event.type == \"change\" and event.action == \"rename\" and\nfile.Ext.original.path : (\n \"/bin/*\", \"/usr/bin/*\", \"/usr/local/bin/*\", \"/sbin/*\", \"/usr/sbin/*\", \"/usr/local/sbin/*\"\n) and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/libexec/netplan/generate\",\n \"/usr/bin/update-alternatives\", \"/bin/update-alternatives\", \"/usr/sbin/update-alternatives\",\n \"/sbin/update-alternatives\", \"/usr/bin/pip3\", \"/bin/pip3\", \"/usr/local/bin/pip3\", \"/usr/local/bin/node\",\n \"/bin/node\", \"/usr/bin/node\", \"/sbin/apk\", 
\"/usr/sbin/apk\", \"/usr/local/sbin/apk\", \"/usr/bin/pip\", \"/bin/pip\",\n \"/usr/local/bin/pip\", \"/usr/libexec/platform-python\", \"/usr/bin/platform-python\", \"/bin/platform-python\",\n \"/usr/lib/systemd/systemd\", \"/usr/sbin/sshd\", \"/sbin/sshd\", \"/usr/local/sbin/sshd\", \"/usr/sbin/crond\", \"/sbin/crond\",\n \"/usr/local/sbin/crond\", \"/usr/sbin/gdm\"\n ) or\n file.Ext.original.path : (\n \"/bin/*.tmp\", \"/usr/bin/*.tmp\", \"/usr/local/bin/*.tmp\", \"/sbin/*.tmp\", \"/usr/sbin/*.tmp\", \"/usr/local/sbin/*.tmp\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\") or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/", "https://www.elastic.co/security-labs/sequel-on-persistence-mechanisms"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": false, "name": "file.Ext.original.path", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using 
Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}, {"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 12}, "id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6_12", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_2.json b/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_2.json deleted file mode 100644 index 06db322a84c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "System Binary Copied and/or Moved to Suspicious Directory", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name in (\"cp\", \"mv\") and process.args : (\n // Shells\n \"/bin/*sh\", \"/usr/bin/*sh\", \n\n // Interpreters\n \"/bin/python*\", \"/usr/bin/python*\", \"/bin/php*\", \"/usr/bin/php*\", \"/bin/ruby*\", \"/usr/bin/ruby*\", \"/bin/perl*\",\n \"/usr/bin/perl*\", \"/bin/lua*\", \"/usr/bin/lua*\", \"/bin/java*\", \"/usr/bin/java*\", \n\n // Compilers\n \"/bin/gcc*\", \"/usr/bin/gcc*\", \"/bin/g++*\", \"/usr/bin/g++*\", \"/bin/cc\", \"/usr/bin/cc\",\n\n // Suspicious utilities\n \"/bin/nc\", \"/usr/bin/nc\", \"/bin/ncat\", \"/usr/bin/ncat\", \"/bin/netcat\", \"/usr/bin/netcat\", \"/bin/nc.openbsd\",\n \"/usr/bin/nc.openbsd\", \"/bin/*awk\", \"/usr/bin/*awk\", \"/bin/socat\", \"/usr/bin/socat\", \"/bin/openssl\",\n \"/usr/bin/openssl\", \"/bin/telnet\", \"/usr/bin/telnet\", \"/bin/mkfifo\", \"/usr/bin/mkfifo\", \"/bin/mknod\",\n \"/usr/bin/mknod\", \"/bin/ping*\", \"/usr/bin/ping*\", \"/bin/nmap\", \"/usr/bin/nmap\",\n\n // System utilities\n \"/bin/ls\", \"/usr/bin/ls\", \"/bin/cat\", \"/usr/bin/cat\", \"/bin/sudo\", \"/usr/bin/sudo\", \"/bin/curl\", \"/usr/bin/curl\",\n \"/bin/wget\", \"/usr/bin/wget\", \"/bin/tmux\", \"/usr/bin/tmux\", \"/bin/screen\", \"/usr/bin/screen\", \"/bin/ssh\",\n \"/usr/bin/ssh\", \"/bin/ftp\", \"/usr/bin/ftp\"\n ) and not 
process.parent.name in (\"dracut-install\", \"apticron\", \"generate-from-dir\", \"platform-python\")]\n [file where host.os.type == \"linux\" and event.action == \"creation\" and file.path : (\n \"/dev/shm/*\", \"/run/shm/*\", \"/tmp/*\", \"/var/tmp/*\", \"/run/*\", \"/var/run/*\", \"/var/www/*\", \"/proc/*/fd/*\"\n )]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/"}, {"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "type": "eql", "version": 2}, "id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_3.json b/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_3.json deleted file mode 100644 index 4113ec23a3e..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "System Binary Copied and/or Moved to Suspicious Directory", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name in (\"cp\", \"mv\") and process.args : (\n // Shells\n \"/bin/*sh\", \"/usr/bin/*sh\", \n\n // Interpreters\n \"/bin/python*\", \"/usr/bin/python*\", \"/bin/php*\", \"/usr/bin/php*\", \"/bin/ruby*\", \"/usr/bin/ruby*\", \"/bin/perl*\",\n \"/usr/bin/perl*\", \"/bin/lua*\", \"/usr/bin/lua*\", \"/bin/java*\", \"/usr/bin/java*\", \n\n // Compilers\n \"/bin/gcc*\", \"/usr/bin/gcc*\", \"/bin/g++*\", \"/usr/bin/g++*\", \"/bin/cc\", \"/usr/bin/cc\",\n\n // Suspicious utilities\n \"/bin/nc\", \"/usr/bin/nc\", \"/bin/ncat\", \"/usr/bin/ncat\", \"/bin/netcat\", \"/usr/bin/netcat\", \"/bin/nc.openbsd\",\n \"/usr/bin/nc.openbsd\", \"/bin/*awk\", \"/usr/bin/*awk\", \"/bin/socat\", \"/usr/bin/socat\", \"/bin/openssl\",\n \"/usr/bin/openssl\", \"/bin/telnet\", \"/usr/bin/telnet\", \"/bin/mkfifo\", \"/usr/bin/mkfifo\", \"/bin/mknod\",\n \"/usr/bin/mknod\", \"/bin/ping*\", \"/usr/bin/ping*\", \"/bin/nmap\", \"/usr/bin/nmap\",\n\n // System utilities\n \"/bin/ls\", \"/usr/bin/ls\", \"/bin/cat\", \"/usr/bin/cat\", \"/bin/sudo\", \"/usr/bin/sudo\", \"/bin/curl\", \"/usr/bin/curl\",\n \"/bin/wget\", \"/usr/bin/wget\", \"/bin/tmux\", \"/usr/bin/tmux\", \"/bin/screen\", \"/usr/bin/screen\", \"/bin/ssh\",\n \"/usr/bin/ssh\", \"/bin/ftp\", \"/usr/bin/ftp\"\n ) and not 
process.parent.name in (\"dracut-install\", \"apticron\", \"generate-from-dir\", \"platform-python\")]\n [file where host.os.type == \"linux\" and event.action == \"creation\" and file.path : (\n \"/dev/shm/*\", \"/run/shm/*\", \"/tmp/*\", \"/var/tmp/*\", \"/run/*\", \"/var/run/*\", \"/var/www/*\", \"/proc/*/fd/*\"\n )]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/"}, {"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "type": "eql", "version": 3}, "id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_4.json b/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_4.json deleted file mode 100644 index d8f9f01b303..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "System Binary Copied and/or Moved to Suspicious Directory", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name in (\"cp\", \"mv\") and process.args : (\n // Shells\n \"/bin/*sh\", \"/usr/bin/*sh\", \n\n // Interpreters\n \"/bin/python*\", \"/usr/bin/python*\", \"/bin/php*\", \"/usr/bin/php*\", \"/bin/ruby*\", \"/usr/bin/ruby*\", \"/bin/perl*\",\n \"/usr/bin/perl*\", \"/bin/lua*\", \"/usr/bin/lua*\", \"/bin/java*\", \"/usr/bin/java*\", \n\n // Compilers\n \"/bin/gcc*\", \"/usr/bin/gcc*\", \"/bin/g++*\", \"/usr/bin/g++*\", \"/bin/cc\", \"/usr/bin/cc\",\n\n // Suspicious utilities\n \"/bin/nc\", \"/usr/bin/nc\", \"/bin/ncat\", \"/usr/bin/ncat\", \"/bin/netcat\", \"/usr/bin/netcat\", \"/bin/nc.openbsd\",\n \"/usr/bin/nc.openbsd\", \"/bin/*awk\", \"/usr/bin/*awk\", \"/bin/socat\", \"/usr/bin/socat\", \"/bin/openssl\",\n \"/usr/bin/openssl\", \"/bin/telnet\", \"/usr/bin/telnet\", \"/bin/mkfifo\", \"/usr/bin/mkfifo\", \"/bin/mknod\",\n \"/usr/bin/mknod\", \"/bin/ping*\", \"/usr/bin/ping*\", \"/bin/nmap\", \"/usr/bin/nmap\",\n\n // System utilities\n \"/bin/ls\", \"/usr/bin/ls\", \"/bin/cat\", \"/usr/bin/cat\", \"/bin/sudo\", \"/usr/bin/sudo\", \"/bin/curl\", \"/usr/bin/curl\",\n \"/bin/wget\", \"/usr/bin/wget\", \"/bin/tmux\", \"/usr/bin/tmux\", \"/bin/screen\", \"/usr/bin/screen\", \"/bin/ssh\",\n \"/usr/bin/ssh\", \"/bin/ftp\", \"/usr/bin/ftp\"\n ) and not 
process.parent.name in (\"dracut-install\", \"apticron\", \"generate-from-dir\", \"platform-python\")]\n [file where host.os.type == \"linux\" and event.action == \"creation\" and file.path : (\n \"/dev/shm/*\", \"/run/shm/*\", \"/tmp/*\", \"/var/tmp/*\", \"/run/*\", \"/var/run/*\", \"/var/www/*\", \"/proc/*/fd/*\"\n ) and not file.path : \"/tmp/rear*\"]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/"}, {"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "type": "eql", "version": 4}, "id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_5.json b/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_5.json deleted file mode 100644 index a88086e12f9..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_5.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "System Binary Copied and/or Moved to Suspicious Directory", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name in (\"cp\", \"mv\") and process.args : (\n // Shells\n \"/bin/*sh\", \"/usr/bin/*sh\", \n\n // Interpreters\n \"/bin/python*\", \"/usr/bin/python*\", \"/bin/php*\", \"/usr/bin/php*\", \"/bin/ruby*\", \"/usr/bin/ruby*\", \"/bin/perl*\",\n \"/usr/bin/perl*\", \"/bin/lua*\", \"/usr/bin/lua*\", \"/bin/java*\", \"/usr/bin/java*\", \n\n // Compilers\n \"/bin/gcc*\", \"/usr/bin/gcc*\", \"/bin/g++*\", \"/usr/bin/g++*\", \"/bin/cc\", \"/usr/bin/cc\",\n\n // Suspicious utilities\n \"/bin/nc\", \"/usr/bin/nc\", \"/bin/ncat\", \"/usr/bin/ncat\", \"/bin/netcat\", \"/usr/bin/netcat\", \"/bin/nc.openbsd\",\n \"/usr/bin/nc.openbsd\", \"/bin/*awk\", \"/usr/bin/*awk\", \"/bin/socat\", \"/usr/bin/socat\", \"/bin/openssl\",\n \"/usr/bin/openssl\", \"/bin/telnet\", \"/usr/bin/telnet\", \"/bin/mkfifo\", \"/usr/bin/mkfifo\", \"/bin/mknod\",\n \"/usr/bin/mknod\", \"/bin/ping*\", \"/usr/bin/ping*\", \"/bin/nmap\", \"/usr/bin/nmap\",\n\n // System utilities\n \"/bin/ls\", \"/usr/bin/ls\", \"/bin/cat\", \"/usr/bin/cat\", \"/bin/sudo\", \"/usr/bin/sudo\", \"/bin/curl\", \"/usr/bin/curl\",\n \"/bin/wget\", \"/usr/bin/wget\", \"/bin/tmux\", \"/usr/bin/tmux\", \"/bin/screen\", \"/usr/bin/screen\", \"/bin/ssh\",\n \"/usr/bin/ssh\", \"/bin/ftp\", \"/usr/bin/ftp\"\n ) and not 
process.parent.name in (\"dracut-install\", \"apticron\", \"generate-from-dir\", \"platform-python\")]\n [file where host.os.type == \"linux\" and event.action == \"creation\" and file.path : (\n \"/dev/shm/*\", \"/run/shm/*\", \"/tmp/*\", \"/var/tmp/*\", \"/run/*\", \"/var/run/*\", \"/var/www/*\", \"/proc/*/fd/*\"\n ) and not file.path : (\"/tmp/rear*\", \"/var/tmp/dracut*\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/"}, {"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "type": "eql", "version": 5}, "id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_6.json b/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_6.json
deleted file mode 100644
index 396de47a5f7..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "System Binary Copied and/or Moved to Suspicious Directory", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name in (\"cp\", \"mv\") and process.args : (\n // Shells\n \"/bin/*sh\", \"/usr/bin/*sh\", \n\n // Interpreters\n \"/bin/python*\", \"/usr/bin/python*\", \"/bin/php*\", \"/usr/bin/php*\", \"/bin/ruby*\", \"/usr/bin/ruby*\", \"/bin/perl*\",\n \"/usr/bin/perl*\", \"/bin/lua*\", \"/usr/bin/lua*\", \"/bin/java*\", \"/usr/bin/java*\", \n\n // Compilers\n \"/bin/gcc*\", \"/usr/bin/gcc*\", \"/bin/g++*\", \"/usr/bin/g++*\", \"/bin/cc\", \"/usr/bin/cc\",\n\n // Suspicious utilities\n \"/bin/nc\", \"/usr/bin/nc\", \"/bin/ncat\", \"/usr/bin/ncat\", \"/bin/netcat\", \"/usr/bin/netcat\", \"/bin/nc.openbsd\",\n \"/usr/bin/nc.openbsd\", \"/bin/*awk\", \"/usr/bin/*awk\", \"/bin/socat\", \"/usr/bin/socat\", \"/bin/openssl\",\n \"/usr/bin/openssl\", \"/bin/telnet\", \"/usr/bin/telnet\", \"/bin/mkfifo\", \"/usr/bin/mkfifo\", \"/bin/mknod\",\n \"/usr/bin/mknod\", \"/bin/ping*\", \"/usr/bin/ping*\", \"/bin/nmap\", \"/usr/bin/nmap\",\n\n // System utilities\n \"/bin/ls\", \"/usr/bin/ls\", \"/bin/cat\", \"/usr/bin/cat\", \"/bin/sudo\", \"/usr/bin/sudo\", \"/bin/curl\", \"/usr/bin/curl\",\n \"/bin/wget\", \"/usr/bin/wget\", \"/bin/tmux\", \"/usr/bin/tmux\", \"/bin/screen\", \"/usr/bin/screen\", \"/bin/ssh\",\n \"/usr/bin/ssh\", \"/bin/ftp\", \"/usr/bin/ftp\"\n ) and not 
process.parent.name in (\"dracut-install\", \"apticron\", \"generate-from-dir\", \"platform-python\")]\n [file where host.os.type == \"linux\" and event.action == \"creation\" and file.path : (\n \"/dev/shm/*\", \"/run/shm/*\", \"/tmp/*\", \"/var/tmp/*\", \"/run/*\", \"/var/run/*\", \"/var/www/*\", \"/proc/*/fd/*\"\n ) and not file.path : (\"/tmp/rear*\", \"/var/tmp/rear*\", \"/var/tmp/dracut*\", \"/var/tmp/mkinitramfs*\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/"}, {"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "type": "eql", "version": 6}, "id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_7.json b/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_7.json
deleted file mode 100644
index 3267cdbc035..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "System Binary Copied and/or Moved to Suspicious Directory", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.name in (\"cp\", \"mv\") and process.args : (\n // Shells\n \"/bin/*sh\", \"/usr/bin/*sh\", \n\n // Interpreters\n \"/bin/python*\", \"/usr/bin/python*\", \"/bin/php*\", \"/usr/bin/php*\", \"/bin/ruby*\", \"/usr/bin/ruby*\", \"/bin/perl*\",\n \"/usr/bin/perl*\", \"/bin/lua*\", \"/usr/bin/lua*\", \"/bin/java*\", \"/usr/bin/java*\", \n\n // Compilers\n \"/bin/gcc*\", \"/usr/bin/gcc*\", \"/bin/g++*\", \"/usr/bin/g++*\", \"/bin/cc\", \"/usr/bin/cc\",\n\n // Suspicious utilities\n \"/bin/nc\", \"/usr/bin/nc\", \"/bin/ncat\", \"/usr/bin/ncat\", \"/bin/netcat\", \"/usr/bin/netcat\", \"/bin/nc.openbsd\",\n \"/usr/bin/nc.openbsd\", \"/bin/*awk\", \"/usr/bin/*awk\", \"/bin/socat\", \"/usr/bin/socat\", \"/bin/openssl\",\n \"/usr/bin/openssl\", \"/bin/telnet\", \"/usr/bin/telnet\", \"/bin/mkfifo\", \"/usr/bin/mkfifo\", \"/bin/mknod\",\n \"/usr/bin/mknod\", \"/bin/ping*\", \"/usr/bin/ping*\", \"/bin/nmap\", \"/usr/bin/nmap\",\n\n // System utilities\n \"/bin/ls\", \"/usr/bin/ls\", \"/bin/cat\", \"/usr/bin/cat\", \"/bin/sudo\", \"/usr/bin/sudo\", \"/bin/curl\", \"/usr/bin/curl\",\n \"/bin/wget\", \"/usr/bin/wget\", \"/bin/tmux\", \"/usr/bin/tmux\", \"/bin/screen\", \"/usr/bin/screen\", \"/bin/ssh\",\n \"/usr/bin/ssh\", \"/bin/ftp\", \"/usr/bin/ftp\"\n ) and not 
process.parent.name in (\"dracut-install\", \"apticron\", \"generate-from-dir\", \"platform-python\")]\n [file where host.os.type == \"linux\" and event.action == \"creation\" and file.path : (\n \"/dev/shm/*\", \"/run/shm/*\", \"/tmp/*\", \"/var/tmp/*\", \"/run/*\", \"/var/run/*\", \"/var/www/*\", \"/proc/*/fd/*\"\n ) and not file.path : (\"/tmp/rear*\", \"/var/tmp/rear*\", \"/var/tmp/dracut*\", \"/var/tmp/mkinitramfs*\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/"}, {"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}]}], "type": "eql", "version": 7}, "id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_8.json b/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_8.json
deleted file mode 100644
index 774ec2ace8c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_8.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the copying or moving of a system binary to a suspicious directory. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "System Binary Copied and/or Moved to Suspicious Directory", "query": "sequence by host.id, process.entity_id with maxspan=1s\n [process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.name in (\"cp\", \"mv\") and process.args : (\n // Shells\n \"/bin/*sh\", \"/usr/bin/*sh\", \n\n // Interpreters\n \"/bin/python*\", \"/usr/bin/python*\", \"/bin/php*\", \"/usr/bin/php*\", \"/bin/ruby*\", \"/usr/bin/ruby*\", \"/bin/perl*\",\n \"/usr/bin/perl*\", \"/bin/lua*\", \"/usr/bin/lua*\", \"/bin/java*\", \"/usr/bin/java*\", \n\n // Compilers\n \"/bin/gcc*\", \"/usr/bin/gcc*\", \"/bin/g++*\", \"/usr/bin/g++*\", \"/bin/cc\", \"/usr/bin/cc\",\n\n // Suspicious utilities\n \"/bin/nc\", \"/usr/bin/nc\", \"/bin/ncat\", \"/usr/bin/ncat\", \"/bin/netcat\", \"/usr/bin/netcat\", \"/bin/nc.openbsd\",\n \"/usr/bin/nc.openbsd\", \"/bin/*awk\", \"/usr/bin/*awk\", \"/bin/socat\", \"/usr/bin/socat\", \"/bin/openssl\",\n \"/usr/bin/openssl\", \"/bin/telnet\", \"/usr/bin/telnet\", \"/bin/mkfifo\", \"/usr/bin/mkfifo\", \"/bin/mknod\",\n \"/usr/bin/mknod\", \"/bin/ping*\", \"/usr/bin/ping*\", \"/bin/nmap\", \"/usr/bin/nmap\",\n\n // System utilities\n \"/bin/ls\", \"/usr/bin/ls\", \"/bin/cat\", \"/usr/bin/cat\", \"/bin/sudo\", \"/usr/bin/sudo\", \"/bin/curl\", \"/usr/bin/curl\",\n \"/bin/wget\", \"/usr/bin/wget\", \"/bin/tmux\", \"/usr/bin/tmux\", \"/bin/screen\", \"/usr/bin/screen\", \"/bin/ssh\",\n \"/usr/bin/ssh\", \"/bin/ftp\", \"/usr/bin/ftp\"\n ) and not 
process.parent.name in (\"dracut-install\", \"apticron\", \"generate-from-dir\", \"platform-python\")]\n [file where host.os.type == \"linux\" and event.action == \"creation\" and file.path : (\n \"/dev/shm/*\", \"/run/shm/*\", \"/tmp/*\", \"/var/tmp/*\", \"/run/*\", \"/var/run/*\", \"/var/www/*\", \"/proc/*/fd/*\"\n ) and not file.path : (\"/tmp/rear*\", \"/var/tmp/rear*\", \"/var/tmp/dracut*\", \"/var/tmp/mkinitramfs*\")]\n", "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}, {"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/"}]}], "type": "eql", "version": 8}, "id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6_8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_9.json b/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_9.json
deleted file mode 100644
index baf61c0c528..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fda1d332-5e08-4f27-8a9b-8c802e3292a6_9.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "This rule monitors for the copying or moving of a system binary. Adversaries may copy/move and rename system binaries to evade detection. Copying a system binary to a different location should not occur often, so if it does, the activity should be investigated.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "System Binary Moved or Copied", "query": "file where host.os.type == \"linux\" and event.type == \"change\" and event.action == \"rename\" and\nfile.Ext.original.path : (\n \"/bin/*\", \"/usr/bin/*\", \"/usr/local/bin/*\", \"/sbin/*\", \"/usr/sbin/*\", \"/usr/local/sbin/*\"\n) and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/lib/snapd/snapd\", \"/usr/local/bin/dockerd\", \"/usr/libexec/netplan/generate\",\n \"/usr/bin/update-alternatives\", \"/bin/update-alternatives\", \"/usr/sbin/update-alternatives\",\n \"/sbin/update-alternatives\", \"/usr/bin/pip3\", \"/bin/pip3\", \"/usr/local/bin/pip3\", \"/usr/local/bin/node\",\n \"/bin/node\", \"/usr/bin/node\", \"/sbin/apk\", 
\"/usr/sbin/apk\", \"/usr/local/sbin/apk\", \"/usr/bin/pip\", \"/bin/pip\",\n \"/usr/local/bin/pip\"\n ) or\n file.Ext.original.path : (\n \"/bin/*.tmp\", \"/usr/bin/*.tmp\", \"/usr/local/bin/*.tmp\", \"/sbin/*.tmp\", \"/usr/sbin/*.tmp\", \"/usr/local/sbin/*.tmp\"\n ) or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\") or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": false, "name": "file.Ext.original.path", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.003", "name": "Rename System Utilities", "reference": "https://attack.mitre.org/techniques/T1036/003/"}]}, {"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 9}, "id": "fda1d332-5e08-4f27-8a9b-8c802e3292a6_9", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56.json b/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56.json
deleted file mode 100644
index 45d2ad6ab52..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that have the capability of dumping Kerberos tickets from LSA, which potentially indicates an attacker's attempt to acquire credentials for lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Kerberos Ticket Dump", "note": "## Triage and analysis\n\n### Investigating PowerShell Kerberos Ticket Dump\n\nKerberos is an authentication protocol that relies on tickets to grant access to network resources. Adversaries may abuse this protocol to acquire credentials for lateral movement within a network.\n\nThis rule indicates the use of scripts that contain code capable of dumping Kerberos tickets, which can indicate potential PowerShell abuse for credential theft.\n\n### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate if the script was executed, and if so, which account was targeted.\n- Identify the account involved and contact the owner to confirm whether they are aware of this activity.\n- Check if the script has any other functionality that can be potentially malicious.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate other potentially compromised accounts and hosts.
Review login events (like 4624) for suspicious events involving the subject and target accounts.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of file path and user ID conditions.\n\n### Related Rules\n\n- PowerShell Kerberos Ticket Request - eb610e70-f9e6-4949-82b9-f1c5bcd37c39\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Disable or limit involved accounts during the investigation and response.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"LsaCallAuthenticationPackage\" and\n (\n \"KerbRetrieveEncodedTicketMessage\" or\n \"KerbQueryTicketCacheMessage\" or\n \"KerbQueryTicketCacheExMessage\" or\n \"KerbQueryTicketCacheEx2Message\" or\n \"KerbRetrieveTicketMessage\" or\n \"KerbDecryptDataMessage\"\n )\n )\n", "references": ["https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 73, "rule_id": "fddff193-48a3-484d-8d35-90bb3d323a56", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": 
"https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "fddff193-48a3-484d-8d35-90bb3d323a56", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_1.json b/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_1.json deleted file mode 100644 index 87ec2fb8d90..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_1.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that have the capability of dumping Kerberos tickets from LSA, which potentially indicates an attacker's attempt to acquire credentials for lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Kerberos Ticket Dump", "note": "", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"LsaCallAuthenticationPackage\" and\n (\n \"KerbRetrieveEncodedTicketMessage\" or\n \"KerbQueryTicketCacheMessage\" or\n \"KerbQueryTicketCacheExMessage\" or\n \"KerbQueryTicketCacheEx2Message\" or\n \"KerbRetrieveTicketMessage\" or\n \"KerbDecryptDataMessage\"\n )\n )\n", "references": ["https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "fddff193-48a3-484d-8d35-90bb3d323a56", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential
Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "fddff193-48a3-484d-8d35-90bb3d323a56_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_2.json b/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_2.json
deleted file mode 100644
index 8917196ed2c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_2.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that have the capability of dumping Kerberos tickets from LSA, which potentially indicates an attacker's attempt to acquire credentials for lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Kerberos Ticket Dump", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"LsaCallAuthenticationPackage\" and\n (\n \"KerbRetrieveEncodedTicketMessage\" or\n \"KerbQueryTicketCacheMessage\" or\n \"KerbQueryTicketCacheExMessage\" or\n \"KerbQueryTicketCacheEx2Message\" or\n \"KerbRetrieveTicketMessage\" or\n \"KerbDecryptDataMessage\"\n )\n )\n", "references": ["https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "fddff193-48a3-484d-8d35-90bb3d323a56", "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access",
"reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "fddff193-48a3-484d-8d35-90bb3d323a56_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_3.json b/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_3.json deleted file mode 100644 index 86f80ee850d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_3.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that have the capability of dumping Kerberos tickets from LSA, which potentially indicates an attacker's attempt to acquire credentials for lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Kerberos Ticket Dump", "note": "## Triage and analysis\n\n### Investigating PowerShell Kerberos Ticket Dump\n\nKerberos is an authentication protocol that relies on tickets to grant access to network resources. Adversaries may abuse this protocol to acquire credentials for lateral movement within a network.\n\nThis rule indicates the use of scripts that contain code capable of dumping Kerberos tickets, which can indicate potential PowerShell abuse for credential theft.\n\n### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate if the script was executed, and if so, which account was targeted.\n- Identify the account involved and contact the owner to confirm whether they are aware of this activity.\n- Check if the script has any other functionality that can be potentially malicious.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate other potentially compromised accounts and hosts.
Review login events (like 4624) for suspicious events involving the subject and target accounts.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of file path and user ID conditions.\n\n### Related Rules\n\n- PowerShell Kerberos Ticket Request - eb610e70-f9e6-4949-82b9-f1c5bcd37c39\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Disable or limit involved accounts during the investigation and response.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"LsaCallAuthenticationPackage\" and\n (\n \"KerbRetrieveEncodedTicketMessage\" or\n \"KerbQueryTicketCacheMessage\" or\n \"KerbQueryTicketCacheExMessage\" or\n \"KerbQueryTicketCacheEx2Message\" or\n \"KerbRetrieveTicketMessage\" or\n \"KerbDecryptDataMessage\"\n )\n )\n", "references": ["https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "fddff193-48a3-484d-8d35-90bb3d323a56", "setup": "\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": 
"https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "fddff193-48a3-484d-8d35-90bb3d323a56_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_4.json b/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_4.json deleted file mode 100644 index ab3f251ef60..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_4.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that have the capability of dumping Kerberos tickets from LSA, which potentially indicates an attacker's attempt to acquire credentials for lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Kerberos Ticket Dump", "note": "## Triage and analysis\n\n### Investigating PowerShell Kerberos Ticket Dump\n\nKerberos is an authentication protocol that relies on tickets to grant access to network resources. Adversaries may abuse this protocol to acquire credentials for lateral movement within a network.\n\nThis rule indicates the use of scripts that contain code capable of dumping Kerberos tickets, which can indicate potential PowerShell abuse for credential theft.\n\n### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate if the script was executed, and if so, which account was targeted.\n- Identify the account involved and contact the owner to confirm whether they are aware of this activity.\n- Check if the script has any other functionality that can be potentially malicious.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate other potentially compromised accounts and hosts.
Review login events (like 4624) for suspicious events involving the subject and target accounts.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of file path and user ID conditions.\n\n### Related Rules\n\n- PowerShell Kerberos Ticket Request - eb610e70-f9e6-4949-82b9-f1c5bcd37c39\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Disable or limit involved accounts during the investigation and response.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"LsaCallAuthenticationPackage\" and\n (\n \"KerbRetrieveEncodedTicketMessage\" or\n \"KerbQueryTicketCacheMessage\" or\n \"KerbQueryTicketCacheExMessage\" or\n \"KerbQueryTicketCacheEx2Message\" or\n \"KerbRetrieveTicketMessage\" or\n \"KerbDecryptDataMessage\"\n )\n )\n", "references": ["https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 47, "rule_id": "fddff193-48a3-484d-8d35-90bb3d323a56", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": 
"https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "fddff193-48a3-484d-8d35-90bb3d323a56_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_5.json b/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_5.json deleted file mode 100644 index bde0ca78f2f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_5.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that have the capability of dumping Kerberos tickets from LSA, which potentially indicates an attacker's attempt to acquire credentials for lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Kerberos Ticket Dump", "note": "## Triage and analysis\n\n### Investigating PowerShell Kerberos Ticket Dump\n\nKerberos is an authentication protocol that relies on tickets to grant access to network resources. Adversaries may abuse this protocol to acquire credentials for lateral movement within a network.\n\nThis rule indicates the use of scripts that contain code capable of dumping Kerberos tickets, which can indicate potential PowerShell abuse for credential theft.\n\n### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate if the script was executed, and if so, which account was targeted.\n- Identify the account involved and contact the owner to confirm whether they are aware of this activity.\n- Check if the script has any other functionality that can be potentially malicious.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate other potentially compromised accounts and hosts.
Review login events (like 4624) for suspicious events involving the subject and target accounts.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of file path and user ID conditions.\n\n### Related Rules\n\n- PowerShell Kerberos Ticket Request - eb610e70-f9e6-4949-82b9-f1c5bcd37c39\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Disable or limit involved accounts during the investigation and response.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"LsaCallAuthenticationPackage\" and\n (\n \"KerbRetrieveEncodedTicketMessage\" or\n \"KerbQueryTicketCacheMessage\" or\n \"KerbQueryTicketCacheExMessage\" or\n \"KerbQueryTicketCacheEx2Message\" or\n \"KerbRetrieveTicketMessage\" or\n \"KerbDecryptDataMessage\"\n )\n )\n", "references": ["https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1"], "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 73, "rule_id": "fddff193-48a3-484d-8d35-90bb3d323a56", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": 
"https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "fddff193-48a3-484d-8d35-90bb3d323a56_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_6.json b/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_6.json deleted file mode 100644 index 324eff706d0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fddff193-48a3-484d-8d35-90bb3d323a56_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects PowerShell scripts that have the capability of dumping Kerberos tickets from LSA, which potentially indicates an attacker's attempt to acquire credentials for lateral movement.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Kerberos Ticket Dump", "note": "## Triage and analysis\n\n### Investigating PowerShell Kerberos Ticket Dump\n\nKerberos is an authentication protocol that relies on tickets to grant access to network resources. Adversaries may abuse this protocol to acquire credentials for lateral movement within a network.\n\nThis rule indicates the use of scripts that contain code capable of dumping Kerberos tickets, which can indicate potential PowerShell abuse for credential theft.\n\n### Possible investigation steps\n\n- Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.\n- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Investigate if the script was executed, and if so, which account was targeted.\n- Identify the account involved and contact the owner to confirm whether they are aware of this activity.\n- Check if the script has any other functionality that can be potentially malicious.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate other potentially compromised accounts and hosts. 
Review login events (like 4624) for suspicious events involving the subject and target accounts.\n\n### False positive analysis\n\n- If this activity is expected and noisy in your environment, consider adding exceptions \u2014 preferably with a combination of file path and user ID conditions.\n\n### Related Rules\n\n- PowerShell Kerberos Ticket Request - eb610e70-f9e6-4949-82b9-f1c5bcd37c39\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Disable or limit involved accounts during the investigation and response.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "event.category:process and host.os.type:windows and\n powershell.file.script_block_text : (\n \"LsaCallAuthenticationPackage\" and\n (\n \"KerbRetrieveEncodedTicketMessage\" or\n \"KerbQueryTicketCacheMessage\" or\n \"KerbQueryTicketCacheExMessage\" or\n \"KerbQueryTicketCacheEx2Message\" or\n \"KerbRetrieveTicketMessage\" or\n \"KerbDecryptDataMessage\"\n )\n )\n", "references": ["https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1"], "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}], "risk_score": 73, "rule_id": "fddff193-48a3-484d-8d35-90bb3d323a56", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "high", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": 
"https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/"}, {"id": "T1558", "name": "Steal or Forge Kerberos Tickets", "reference": "https://attack.mitre.org/techniques/T1558/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 6}, "id": "fddff193-48a3-484d-8d35-90bb3d323a56_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96.json b/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96.json deleted file mode 100644 index 384ede33192..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Password Policy Discovery Capabilities", "query": "event.category: \"process\" and host.os.type:windows and\n(\n powershell.file.script_block_text: (\n \"Get-ADDefaultDomainPasswordPolicy\" or\n \"Get-ADFineGrainedPasswordPolicy\" or\n \"Get-ADUserResultantPasswordPolicy\" or\n \"Get-DomainPolicy\" or\n \"Get-GPPPassword\" or\n \"Get-PassPol\"\n )\n or\n powershell.file.script_block_text: (\n (\"defaultNamingContext\" or \"ActiveDirectory.DirectoryContext\" or \"ActiveDirectory.DirectorySearcher\") and\n (\n (\n \".MinLengthPassword\" or\n \".MinPasswordAge\" or\n \".MaxPasswordAge\"\n ) or\n (\n \"minPwdAge\" or\n \"maxPwdAge\" or\n \"minPwdLength\"\n ) or\n (\n \"msDS-PasswordSettings\"\n )\n )\n )\n) and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n and not \n (\n powershell.file.script_block_text : (\"43c15630-959c-49e4-a977-758c5cc93408\" and \"CmdletsToExport\" and \"ActiveDirectory.Types.ps1xml\")\n )\n and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "fe25d5bc-01fa-494a-95ff-535c29cc4c96", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be 
enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1201", "name": "Password Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1201/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "fe25d5bc-01fa-494a-95ff-535c29cc4c96", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_1.json b/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_1.json deleted file mode 100644 index 9d4673168df..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Password Policy Discovery Capabilities", "note": "", "query": "event.category: \"process\" and host.os.type:windows and\n(\n powershell.file.script_block_text: (\n \"Get-ADDefaultDomainPasswordPolicy\" or\n \"Get-ADFineGrainedPasswordPolicy\" or\n \"Get-ADUserResultantPasswordPolicy\" or\n \"Get-DomainPolicy\" or\n \"Get-GPPPassword\" or\n \"Get-PassPol\"\n )\n or\n powershell.file.script_block_text: (\n (\"defaultNamingContext\" or \"ActiveDirectory.DirectoryContext\" or \"ActiveDirectory.DirectorySearcher\") and\n (\n (\n \".MinLengthPassword\" or\n \".MinPasswordAge\" or\n \".MaxPasswordAge\"\n ) or\n (\n \"minPwdAge\" or\n \"maxPwdAge\" or\n \"minPwdLength\"\n ) or\n (\n \"msDS-PasswordSettings\"\n )\n )\n )\n) and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "fe25d5bc-01fa-494a-95ff-535c29cc4c96", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on 
PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1201", "name": "Password Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1201/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "fe25d5bc-01fa-494a-95ff-535c29cc4c96_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_2.json b/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_2.json deleted file mode 100644 index b7c1827e618..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Password Policy Discovery Capabilities", "note": "", "query": "event.category: \"process\" and host.os.type:windows and\n(\n powershell.file.script_block_text: (\n \"Get-ADDefaultDomainPasswordPolicy\" or\n \"Get-ADFineGrainedPasswordPolicy\" or\n \"Get-ADUserResultantPasswordPolicy\" or\n \"Get-DomainPolicy\" or\n \"Get-GPPPassword\" or\n \"Get-PassPol\"\n )\n or\n powershell.file.script_block_text: (\n (\"defaultNamingContext\" or \"ActiveDirectory.DirectoryContext\" or \"ActiveDirectory.DirectorySearcher\") and\n (\n (\n \".MinLengthPassword\" or\n \".MinPasswordAge\" or\n \".MaxPasswordAge\"\n ) or\n (\n \"minPwdAge\" or\n \"maxPwdAge\" or\n \"minPwdLength\"\n ) or\n (\n \"msDS-PasswordSettings\"\n )\n )\n )\n) and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "fe25d5bc-01fa-494a-95ff-535c29cc4c96", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on 
PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1201", "name": "Password Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1201/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "fe25d5bc-01fa-494a-95ff-535c29cc4c96_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_3.json b/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_3.json deleted file mode 100644 index 6db566ba5c2..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Password Policy Discovery Capabilities", "query": "event.category: \"process\" and host.os.type:windows and\n(\n powershell.file.script_block_text: (\n \"Get-ADDefaultDomainPasswordPolicy\" or\n \"Get-ADFineGrainedPasswordPolicy\" or\n \"Get-ADUserResultantPasswordPolicy\" or\n \"Get-DomainPolicy\" or\n \"Get-GPPPassword\" or\n \"Get-PassPol\"\n )\n or\n powershell.file.script_block_text: (\n (\"defaultNamingContext\" or \"ActiveDirectory.DirectoryContext\" or \"ActiveDirectory.DirectorySearcher\") and\n (\n (\n \".MinLengthPassword\" or\n \".MinPasswordAge\" or\n \".MaxPasswordAge\"\n ) or\n (\n \"minPwdAge\" or\n \"maxPwdAge\" or\n \"minPwdLength\"\n ) or\n (\n \"msDS-PasswordSettings\"\n )\n )\n )\n) and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "fe25d5bc-01fa-494a-95ff-535c29cc4c96", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell 
Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1201", "name": "Password Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1201/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 3}, "id": "fe25d5bc-01fa-494a-95ff-535c29cc4c96_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_4.json b/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_4.json deleted file mode 100644 index 4f5291faa12..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Password Policy Discovery Capabilities", "query": "event.category: \"process\" and host.os.type:windows and\n(\n powershell.file.script_block_text: (\n \"Get-ADDefaultDomainPasswordPolicy\" or\n \"Get-ADFineGrainedPasswordPolicy\" or\n \"Get-ADUserResultantPasswordPolicy\" or\n \"Get-DomainPolicy\" or\n \"Get-GPPPassword\" or\n \"Get-PassPol\"\n )\n or\n powershell.file.script_block_text: (\n (\"defaultNamingContext\" or \"ActiveDirectory.DirectoryContext\" or \"ActiveDirectory.DirectorySearcher\") and\n (\n (\n \".MinLengthPassword\" or\n \".MinPasswordAge\" or\n \".MaxPasswordAge\"\n ) or\n (\n \"minPwdAge\" or\n \"maxPwdAge\" or\n \"minPwdLength\"\n ) or\n (\n \"msDS-PasswordSettings\"\n )\n )\n )\n) and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n and not \n (\n powershell.file.script_block_text : (\"43c15630-959c-49e4-a977-758c5cc93408\" and \"CmdletsToExport\" and \"ActiveDirectory.Types.ps1xml\")\n )\n and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "fe25d5bc-01fa-494a-95ff-535c29cc4c96", "setup": "The 'PowerShell Script Block Logging' logging policy must be enabled.\nSteps to implement 
the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1201", "name": "Password Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1201/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 4}, "id": "fe25d5bc-01fa-494a-95ff-535c29cc4c96_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_5.json b/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_5.json deleted file mode 100644 index c7cc3b2f0cf..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_5.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Password Policy Discovery Capabilities", "query": "event.category: \"process\" and host.os.type:windows and\n(\n powershell.file.script_block_text: (\n \"Get-ADDefaultDomainPasswordPolicy\" or\n \"Get-ADFineGrainedPasswordPolicy\" or\n \"Get-ADUserResultantPasswordPolicy\" or\n \"Get-DomainPolicy\" or\n \"Get-GPPPassword\" or\n \"Get-PassPol\"\n )\n or\n powershell.file.script_block_text: (\n (\"defaultNamingContext\" or \"ActiveDirectory.DirectoryContext\" or \"ActiveDirectory.DirectorySearcher\") and\n (\n (\n \".MinLengthPassword\" or\n \".MinPasswordAge\" or\n \".MaxPasswordAge\"\n ) or\n (\n \"minPwdAge\" or\n \"maxPwdAge\" or\n \"minPwdLength\"\n ) or\n (\n \"msDS-PasswordSettings\"\n )\n )\n )\n) and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n and not \n (\n powershell.file.script_block_text : (\"43c15630-959c-49e4-a977-758c5cc93408\" and \"CmdletsToExport\" and \"ActiveDirectory.Types.ps1xml\")\n )\n and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "fe25d5bc-01fa-494a-95ff-535c29cc4c96", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be 
enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1201", "name": "Password Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1201/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 5}, "id": "fe25d5bc-01fa-494a-95ff-535c29cc4c96_5", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_6.json b/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_6.json deleted file mode 100644 index e880a67132c..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fe25d5bc-01fa-494a-95ff-535c29cc4c96_6.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM to perform lateral movement using built-in tools.", "from": "now-119m", "index": ["winlogbeat-*", "logs-windows.powershell*"], "interval": "60m", "language": "kuery", "license": "Elastic License v2", "name": "PowerShell Script with Password Policy Discovery Capabilities", "query": "event.category: \"process\" and host.os.type:windows and\n(\n powershell.file.script_block_text: (\n \"Get-ADDefaultDomainPasswordPolicy\" or\n \"Get-ADFineGrainedPasswordPolicy\" or\n \"Get-ADUserResultantPasswordPolicy\" or\n \"Get-DomainPolicy\" or\n \"Get-GPPPassword\" or\n \"Get-PassPol\"\n )\n or\n powershell.file.script_block_text: (\n (\"defaultNamingContext\" or \"ActiveDirectory.DirectoryContext\" or \"ActiveDirectory.DirectorySearcher\") and\n (\n (\n \".MinLengthPassword\" or\n \".MinPasswordAge\" or\n \".MaxPasswordAge\"\n ) or\n (\n \"minPwdAge\" or\n \"maxPwdAge\" or\n \"minPwdLength\"\n ) or\n (\n \"msDS-PasswordSettings\"\n )\n )\n )\n) and not powershell.file.script_block_text : (\n \"sentinelbreakpoints\" and \"Set-PSBreakpoint\" and \"PowerSploitIndicators\"\n )\n and not \n (\n powershell.file.script_block_text : (\"43c15630-959c-49e4-a977-758c5cc93408\" and \"CmdletsToExport\" and \"ActiveDirectory.Types.ps1xml\")\n )\n and not user.id : \"S-1-5-18\"\n", "related_integrations": [{"package": "windows", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "powershell.file.script_block_text", "type": "unknown"}, {"ecs": true, "name": "user.id", "type": "keyword"}], "risk_score": 21, "rule_id": "fe25d5bc-01fa-494a-95ff-535c29cc4c96", "setup": "## Setup\n\nThe 'PowerShell Script Block Logging' logging policy must be 
enabled.\nSteps to implement the logging policy with Advanced Audit Configuration:\n\n```\nComputer Configuration >\nAdministrative Templates >\nWindows PowerShell >\nTurn on PowerShell Script Block Logging (Enable)\n```\n\nSteps to implement the logging policy via registry:\n\n```\nreg add \"hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" /v EnableScriptBlockLogging /t REG_DWORD /d 1\n```\n", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", "Data Source: PowerShell Logs", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0007", "name": "Discovery", "reference": "https://attack.mitre.org/tactics/TA0007/"}, "technique": [{"id": "T1201", "name": "Password Policy Discovery", "reference": "https://attack.mitre.org/techniques/T1201/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": "https://attack.mitre.org/techniques/T1059/", "subtechnique": [{"id": "T1059.001", "name": "PowerShell", "reference": "https://attack.mitre.org/techniques/T1059/001/"}]}]}], "timestamp_override": "event.ingested", "type": "query", "version": 6}, "id": "fe25d5bc-01fa-494a-95ff-535c29cc4c96_6", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3.json b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3.json deleted file mode 100644 index ac1bdec316b..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior.", "false_positives": ["Legitimate Windows Defender configuration changes"], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Windows Defender Tampering", "note": "## Triage and analysis\n\n### Investigating Microsoft Windows Defender Tampering\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for modifications that disable Windows Defender features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine which features have been disabled, and check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and process.executable != null and\n (\n (\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\EnableControlledFolderAccess\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SpynetReporting\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SubmitSamplesConsent\"\n ) and registry.data.strings : (\"0\", \"0x00000000\")\n ) or\n (\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScriptScanning\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time 
Protection\\\\DisableIOAVProtection\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Reporting\\\\DisableEnhancedNotifications\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\"\n ) and registry.data.strings : (\"1\", \"0x00000001\")\n )\n ) and\n not process.executable : (\n \"?:\\\\Windows\\\\system32\\\\svchost.exe\", \n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\", \n \"?:\\\\Windows\\\\System32\\\\DeviceEnroller.exe\", \n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Security Agent\\\\tmuninst.exe\"\n )\n", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", "https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html", "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", "https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html", "https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html", "https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", 
"type": "keyword"}], "risk_score": 47, "rule_id": "fe794edd-487f-4a90-b285-3ee54f2af2d3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "fe794edd-487f-4a90-b285-3ee54f2af2d3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_104.json b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_104.json
deleted file mode 100644
index efb7dc26a24..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_104.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior.", "false_positives": ["Legitimate Windows Defender configuration changes"], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Windows Defender Tampering", "note": "## Triage and analysis\n\n### Investigating Microsoft Windows Defender Tampering\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for modifications that disable Windows Defender features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine which features have been disabled, and check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScriptScanning\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Windows 
Defender Exploit Guard\\\\Controlled Folder Access\\\\EnableControlledFolderAccess\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIOAVProtection\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Reporting\\\\DisableEnhancedNotifications\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SpynetReporting\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SubmitSamplesConsent\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\"))\n", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", "https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html", "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", "https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html", 
"https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html", "https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "fe794edd-487f-4a90-b285-3ee54f2af2d3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "fe794edd-487f-4a90-b285-3ee54f2af2d3_104", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_105.json b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_105.json
deleted file mode 100644
index 795417793df..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_105.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior.", "false_positives": ["Legitimate Windows Defender configuration changes"], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Windows Defender Tampering", "note": "## Triage and analysis\n\n### Investigating Microsoft Windows Defender Tampering\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for modifications that disable Windows Defender features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine which features have been disabled, and check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScriptScanning\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Windows 
Defender Exploit Guard\\\\Controlled Folder Access\\\\EnableControlledFolderAccess\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIOAVProtection\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Reporting\\\\DisableEnhancedNotifications\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SpynetReporting\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SubmitSamplesConsent\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\"))\n", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", "https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html", "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", "https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html", 
"https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html", "https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "fe794edd-487f-4a90-b285-3ee54f2af2d3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": "fe794edd-487f-4a90-b285-3ee54f2af2d3_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_106.json b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_106.json
deleted file mode 100644
index 5359a2d3314..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior.", "false_positives": ["Legitimate Windows Defender configuration changes"], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Windows Defender Tampering", "note": "## Triage and analysis\n\n### Investigating Microsoft Windows Defender Tampering\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for modifications that disable Windows Defender features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine which features have been disabled, and check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScriptScanning\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Windows 
Defender Exploit Guard\\\\Controlled Folder Access\\\\EnableControlledFolderAccess\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIOAVProtection\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Reporting\\\\DisableEnhancedNotifications\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SpynetReporting\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SubmitSamplesConsent\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\"))\n", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", "https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html", "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", "https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html", 
"https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html", "https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "fe794edd-487f-4a90-b285-3ee54f2af2d3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "fe794edd-487f-4a90-b285-3ee54f2af2d3_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_107.json b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_107.json
deleted file mode 100644
index 8988f47082f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_107.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior.", "false_positives": ["Legitimate Windows Defender configuration changes"], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Windows Defender Tampering", "note": "## Triage and analysis\n\n### Investigating Microsoft Windows Defender Tampering\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for modifications that disable Windows Defender features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine which features have been disabled, and check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScriptScanning\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Windows 
Defender Exploit Guard\\\\Controlled Folder Access\\\\EnableControlledFolderAccess\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIOAVProtection\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Reporting\\\\DisableEnhancedNotifications\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SpynetReporting\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SubmitSamplesConsent\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\"))\n", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", "https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html", "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", "https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html", 
"https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html", "https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "fe794edd-487f-4a90-b285-3ee54f2af2d3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}, {"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "fe794edd-487f-4a90-b285-3ee54f2af2d3_107", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_108.json b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_108.json deleted file mode 100644 index f04290cacef..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_108.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior.", "false_positives": ["Legitimate Windows Defender configuration changes"], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Windows Defender Tampering", "note": "## Triage and analysis\n\n### Investigating Microsoft Windows Defender Tampering\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for modifications that disable Windows Defender features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine which features have been disabled, and check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScriptScanning\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows 
Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\EnableControlledFolderAccess\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIOAVProtection\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Reporting\\\\DisableEnhancedNotifications\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SpynetReporting\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SubmitSamplesConsent\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\"))\n", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", "https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html", "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", "https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html", 
"https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html", "https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "fe794edd-487f-4a90-b285-3ee54f2af2d3", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}, {"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "fe794edd-487f-4a90-b285-3ee54f2af2d3_108", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_109.json b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_109.json
deleted file mode 100644
index 711ec6d4f80..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_109.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior.", "false_positives": ["Legitimate Windows Defender configuration changes"], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Windows Defender Tampering", "note": "## Triage and analysis\n\n### Investigating Microsoft Windows Defender Tampering\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for modifications that disable Windows Defender features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine which features have been disabled, and check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScriptScanning\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows 
Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\EnableControlledFolderAccess\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIOAVProtection\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Reporting\\\\DisableEnhancedNotifications\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SpynetReporting\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SubmitSamplesConsent\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\"))\n", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", "https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html", "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", "https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html", 
"https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html", "https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "fe794edd-487f-4a90-b285-3ee54f2af2d3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}, {"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 109}, "id": "fe794edd-487f-4a90-b285-3ee54f2af2d3_109", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_110.json b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_110.json
deleted file mode 100644
index a669bc23565..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_110.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior.", "false_positives": ["Legitimate Windows Defender configuration changes"], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Windows Defender Tampering", "note": "## Triage and analysis\n\n### Investigating Microsoft Windows Defender Tampering\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for modifications that disable Windows Defender features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine which features have been disabled, and check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScriptScanning\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows 
Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\EnableControlledFolderAccess\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIOAVProtection\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Reporting\\\\DisableEnhancedNotifications\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SpynetReporting\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SubmitSamplesConsent\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\"))\n", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", "https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html", "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", "https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html", 
"https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html", "https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "fe794edd-487f-4a90-b285-3ee54f2af2d3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}, {"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 110}, "id": "fe794edd-487f-4a90-b285-3ee54f2af2d3_110", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_111.json b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_111.json
deleted file mode 100644
index 8736aa628cf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_111.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior.", "false_positives": ["Legitimate Windows Defender configuration changes"], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Windows Defender Tampering", "note": "## Triage and analysis\n\n### Investigating Microsoft Windows Defender Tampering\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for modifications that disable Windows Defender features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine which features have been disabled, and check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScriptScanning\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows 
Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\EnableControlledFolderAccess\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIOAVProtection\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Reporting\\\\DisableEnhancedNotifications\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SpynetReporting\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SubmitSamplesConsent\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\"))\n", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", "https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html", "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", "https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html", 
"https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html", "https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "fe794edd-487f-4a90-b285-3ee54f2af2d3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 111}, "id": "fe794edd-487f-4a90-b285-3ee54f2af2d3_111", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_112.json b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_112.json
deleted file mode 100644
index fe7afda32a2..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_112.json
+++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior.", "false_positives": ["Legitimate Windows Defender configuration changes"], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Windows Defender Tampering", "note": "## Triage and analysis\n\n### Investigating Microsoft Windows Defender Tampering\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for modifications that disable Windows Defender features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine which features have been disabled, and check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type in (\"creation\", \"change\") and\n process.executable != null and \n not process.executable :\n (\"?:\\\\Windows\\\\system32\\\\svchost.exe\", \n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\", \n \"?:\\\\Windows\\\\System32\\\\DeviceEnroller.exe\", \n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Security Agent\\\\tmuninst.exe\") and \n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\" and\n registry.data.strings : (\"1\", 
\"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScriptScanning\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\EnableControlledFolderAccess\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIOAVProtection\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Reporting\\\\DisableEnhancedNotifications\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen\" and\n registry.data.strings : (\"1\", \"0x00000001\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SpynetReporting\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SubmitSamplesConsent\" and\n registry.data.strings : (\"0\", \"0x00000000\")) or\n (registry.path : \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\" and\n registry.data.strings : (\"1\", \"0x00000001\"))\n", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", "https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html", "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", 
"https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", "https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html", "https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html", "https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "fe794edd-487f-4a90-b285-3ee54f2af2d3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": 
"https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 112}, "id": "fe794edd-487f-4a90-b285-3ee54f2af2d3_112", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_113.json b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_113.json deleted file mode 100644 index eeeaaffec4d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_113.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Austin Songer"], "description": "Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior.", "false_positives": ["Legitimate Windows Defender configuration changes"], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Windows Defender Tampering", "note": "## Triage and analysis\n\n### Investigating Microsoft Windows Defender Tampering\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for modifications that disable Windows Defender features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine which features have been disabled, and check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and process.executable != null and\n (\n (\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\EnableControlledFolderAccess\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SpynetReporting\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SubmitSamplesConsent\"\n ) and registry.data.strings : (\"0\", \"0x00000000\")\n ) or\n (\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScriptScanning\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time 
Protection\\\\DisableIOAVProtection\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Reporting\\\\DisableEnhancedNotifications\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\"\n ) and registry.data.strings : (\"1\", \"0x00000001\")\n )\n ) and\n not process.executable : (\n \"?:\\\\Windows\\\\system32\\\\svchost.exe\", \n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\", \n \"?:\\\\Windows\\\\System32\\\\DeviceEnroller.exe\", \n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Security Agent\\\\tmuninst.exe\"\n )\n", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", "https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html", "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", "https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html", "https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html", "https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", 
"type": "keyword"}], "risk_score": 47, "rule_id": "fe794edd-487f-4a90-b285-3ee54f2af2d3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 113}, "id": "fe794edd-487f-4a90-b285-3ee54f2af2d3_113", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_114.json b/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_114.json deleted file mode 100644 index 7e051eee69d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fe794edd-487f-4a90-b285-3ee54f2af2d3_114.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Austin Songer"], "description": "Identifies when one or more features on Microsoft Defender are disabled. Adversaries may disable or tamper with Microsoft Defender features to evade detection and conceal malicious behavior.", "false_positives": ["Legitimate Windows Defender configuration changes"], "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Microsoft Windows Defender Tampering", "note": "## Triage and analysis\n\n### Investigating Microsoft Windows Defender Tampering\n\nMicrosoft Windows Defender is an antivirus product built into Microsoft Windows, which makes it popular across multiple environments. Disabling it is a common step in threat actor playbooks.\n\nThis rule monitors the registry for modifications that disable Windows Defender features.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the account owner and confirm whether they are aware of this activity.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Examine which features have been disabled, and check if this operation is done under change management and approved according to the organization's policy.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. 
Analysts can dismiss the alert if the administrator is aware of the activity, the configuration is justified (for example, it is being used to deploy other security solutions or troubleshooting), and no other suspicious activity has been observed.\n\n### Related rules\n\n- Windows Defender Disabled via Registry Modification - 2ffa1f1e-b6db-47fa-994b-1512743847eb\n- Disabling Windows Defender Security Settings via PowerShell - c8cccb06-faf2-4cd5-886e-2c9636cfcb87\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved hosts to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Take actions to restore the appropriate Windows Defender antivirus configurations.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Review the privileges assigned to the user to ensure that the least privilege principle is being followed.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and process.executable != null and\n (\n (\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\PUAProtection\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\App and Browser protection\\\\DisallowExploitProtectionOverride\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Features\\\\TamperProtection\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Windows Defender Exploit Guard\\\\Controlled Folder Access\\\\EnableControlledFolderAccess\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SpynetReporting\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\SubmitSamplesConsent\"\n ) and registry.data.strings : (\"0\", \"0x00000000\")\n ) or\n (\n registry.path : (\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\DisableAntiSpyware\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableRealtimeMonitoring\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableIntrusionPreventionSystem\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableScriptScanning\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time 
Protection\\\\DisableIOAVProtection\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Reporting\\\\DisableEnhancedNotifications\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\SpyNet\\\\DisableBlockAtFirstSeen\",\n \"HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\Real-Time Protection\\\\DisableBehaviorMonitoring\"\n ) and registry.data.strings : (\"1\", \"0x00000001\")\n )\n ) and\n not process.executable : (\n \"?:\\\\Windows\\\\system32\\\\svchost.exe\", \n \"?:\\\\Windows\\\\CCM\\\\CcmExec.exe\", \n \"?:\\\\Windows\\\\System32\\\\DeviceEnroller.exe\", \n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Security Agent\\\\tmuninst.exe\"\n )\n", "references": ["https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", "https://www.tenforums.com/tutorials/104025-turn-off-core-isolation-memory-integrity-windows-10-a.html", "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", "https://www.tenforums.com/tutorials/51514-turn-off-microsoft-defender-periodic-scanning-windows-10-a.html", "https://www.tenforums.com/tutorials/3569-turn-off-real-time-protection-microsoft-defender-antivirus.html", "https://www.tenforums.com/tutorials/99576-how-schedule-scan-microsoft-defender-antivirus-windows-10-a.html", "https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": 
"registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "fe794edd-487f-4a90-b285-3ee54f2af2d3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}, {"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 114}, "id": "fe794edd-487f-4a90-b285-3ee54f2af2d3_114", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c.json b/packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c.json
deleted file mode 100644
index 620ebf32bbf..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies executables with names resembling legitimate business applications but lacking signatures from the original developer. Attackers may trick users into downloading malicious executables that masquerade as legitimate applications via malicious ads, forum posts, and tutorials, effectively gaining initial access.", "from": "now-9m", "index": ["logs-endpoint.events.process-*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as Business App Installer", "query": "process where host.os.type == \"windows\" and\n event.type == \"start\" and process.executable : \"?:\\\\Users\\\\*\\\\Downloads\\\\*\" and\n not process.code_signature.status : (\"errorCode_endpoint*\", \"errorUntrustedRoot\", \"errorChaining\") and\n (\n /* Slack */\n (process.name : \"*slack*.exe\" and not\n (process.code_signature.subject_name in (\n \"Slack Technologies, Inc.\",\n \"Slack Technologies, LLC\"\n ) and process.code_signature.trusted == true)\n ) or\n\n /* WebEx */\n (process.name : \"*webex*.exe\" and not\n (process.code_signature.subject_name in (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and process.code_signature.trusted == true)\n ) or\n\n /* Teams */\n (process.name : \"teams*.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Discord */\n (process.name : \"*discord*.exe\" and not\n (process.code_signature.subject_name == \"Discord Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* WhatsApp */\n (process.name : \"*whatsapp*.exe\" and not\n (process.code_signature.subject_name in (\n \"WhatsApp LLC\",\n \"WhatsApp, Inc\",\n \"24803D75-212C-471A-BC57-9EF86AB91435\"\n ) and process.code_signature.trusted == true)\n ) or\n\n /* Zoom */\n (process.name : (\"*zoom*installer*.exe\", \"*zoom*setup*.exe\", \"zoom.exe\") and not\n (process.code_signature.subject_name == \"Zoom 
Video Communications, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Outlook */\n (process.name : \"*outlook*.exe\" and not\n (\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) or\n (\n process.name: \"MSOutlookHelp-PST-Viewer.exe\" and process.code_signature.subject_name == \"Aryson Technologies Pvt. Ltd\" and\n process.code_signature.trusted == true\n )\n )\n ) or\n\n /* Thunderbird */\n (process.name : \"*thunderbird*.exe\" and not\n (process.code_signature.subject_name == \"Mozilla Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Grammarly */\n (process.name : \"*grammarly*.exe\" and not\n (process.code_signature.subject_name == \"Grammarly, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Dropbox */\n (process.name : \"*dropbox*.exe\" and not\n (process.code_signature.subject_name == \"Dropbox, Inc\" and process.code_signature.trusted == true)\n ) or\n\n /* Tableau */\n (process.name : \"*tableau*.exe\" and not\n (process.code_signature.subject_name == \"Tableau Software LLC\" and process.code_signature.trusted == true)\n ) or\n\n /* Google Drive */\n (process.name : \"*googledrive*.exe\" and not\n (process.code_signature.subject_name == \"Google LLC\" and process.code_signature.trusted == true)\n ) or\n\n /* MSOffice */\n (process.name : \"*office*setup*.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Okta */\n (process.name : \"*okta*.exe\" and not\n (process.code_signature.subject_name == \"Okta, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* OneDrive */\n (process.name : \"*onedrive*.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Chrome */\n (process.name : \"*chrome*.exe\" and not\n (process.code_signature.subject_name in (\"Google LLC\", 
\"Google Inc\") and process.code_signature.trusted == true)\n ) or\n\n /* Firefox */\n (process.name : \"*firefox*.exe\" and not\n (process.code_signature.subject_name == \"Mozilla Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Edge */\n (process.name : (\"*microsoftedge*.exe\", \"*msedge*.exe\") and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Brave */\n (process.name : \"*brave*.exe\" and not\n (process.code_signature.subject_name == \"Brave Software, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* GoogleCloud Related Tools */\n (process.name : \"*GoogleCloud*.exe\" and not\n (process.code_signature.subject_name == \"Google LLC\" and process.code_signature.trusted == true)\n ) or\n\n /* Github Related Tools */\n (process.name : \"*github*.exe\" and not\n (process.code_signature.subject_name == \"GitHub, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Notion */\n (process.name : \"*notion*.exe\" and not\n (process.code_signature.subject_name == \"Notion Labs, Inc.\" and process.code_signature.trusted == true)\n )\n )\n", "references": ["https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "feafdc51-c575-4ed2-89dd-8e20badc2d6c", "severity": "low", "tags": ["Domain: 
Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Initial Access", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}, {"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1189", "name": "Drive-by Compromise", "reference": "https://attack.mitre.org/techniques/T1189/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "feafdc51-c575-4ed2-89dd-8e20badc2d6c", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c_1.json b/packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c_1.json
deleted file mode 100644
index 6c372824e9c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies executables with names resembling legitimate business applications but lacking signatures from the original developer. Attackers may trick users into downloading malicious executables that masquerade as legitimate applications via malicious ads, forum posts, and tutorials, effectively gaining initial access.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as Business App Installer", "query": "process where host.os.type == \"windows\" and\n event.type == \"start\" and process.executable : \"?:\\\\Users\\\\*\\\\Downloads\\\\*\" and\n not process.code_signature.status : (\"errorCode_endpoint*\", \"errorUntrustedRoot\", \"errorChaining\") and\n (\n /* Slack */\n (process.name : \"*slack*.exe\" and not\n (process.code_signature.subject_name in (\n \"Slack Technologies, Inc.\",\n \"Slack Technologies, LLC\"\n ) and process.code_signature.trusted == true)\n ) or\n\n /* WebEx */\n (process.name : \"*webex*.exe\" and not\n (process.code_signature.subject_name in (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and process.code_signature.trusted == true)\n ) or\n\n /* Teams */\n (process.name : \"teams*.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Discord */\n (process.name : \"*discord*.exe\" and not\n (process.code_signature.subject_name == \"Discord Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* WhatsApp */\n (process.name : \"*whatsapp*.exe\" and not\n (process.code_signature.subject_name in (\n \"WhatsApp LLC\",\n \"WhatsApp, Inc\",\n \"24803D75-212C-471A-BC57-9EF86AB91435\"\n ) and process.code_signature.trusted == true)\n ) or\n\n /* Zoom */\n (process.name : (\"*zoom*installer*.exe\", \"*zoom*setup*.exe\", \"zoom.exe\") and not\n 
(process.code_signature.subject_name == \"Zoom Video Communications, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Outlook */\n (process.name : \"*outlook*.exe\" and not\n (\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) or\n (\n process.name: \"MSOutlookHelp-PST-Viewer.exe\" and process.code_signature.subject_name == \"Aryson Technologies Pvt. Ltd\" and\n process.code_signature.trusted == true\n )\n )\n ) or\n\n /* Thunderbird */\n (process.name : \"*thunderbird*.exe\" and not\n (process.code_signature.subject_name == \"Mozilla Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Grammarly */\n (process.name : \"*grammarly*.exe\" and not\n (process.code_signature.subject_name == \"Grammarly, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Dropbox */\n (process.name : \"*dropbox*.exe\" and not\n (process.code_signature.subject_name == \"Dropbox, Inc\" and process.code_signature.trusted == true)\n ) or\n\n /* Tableau */\n (process.name : \"*tableau*.exe\" and not\n (process.code_signature.subject_name == \"Tableau Software LLC\" and process.code_signature.trusted == true)\n ) or\n\n /* Google Drive */\n (process.name : \"*googledrive*.exe\" and not\n (process.code_signature.subject_name == \"Google LLC\" and process.code_signature.trusted == true)\n ) or\n\n /* MSOffice */\n (process.name : \"*office*setup*.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Okta */\n (process.name : \"*okta*.exe\" and not\n (process.code_signature.subject_name == \"Okta, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* OneDrive */\n (process.name : \"*onedrive*.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Chrome */\n (process.name : \"*chrome*.exe\" and not\n 
(process.code_signature.subject_name in (\"Google LLC\", \"Google Inc\") and process.code_signature.trusted == true)\n ) or\n\n /* Firefox */\n (process.name : \"*firefox*.exe\" and not\n (process.code_signature.subject_name == \"Mozilla Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Edge */\n (process.name : (\"*microsoftedge*.exe\", \"*msedge*.exe\") and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Brave */\n (process.name : \"*brave*.exe\" and not\n (process.code_signature.subject_name == \"Brave Software, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* GoogleCloud Related Tools */\n (process.name : \"*GoogleCloud*.exe\" and not\n (process.code_signature.subject_name == \"Google LLC\" and process.code_signature.trusted == true)\n ) or\n\n /* Github Related Tools */\n (process.name : \"*github*.exe\" and not\n (process.code_signature.subject_name == \"GitHub, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Notion */\n (process.name : \"*notion*.exe\" and not\n (process.code_signature.subject_name == \"Notion Labs, Inc.\" and process.code_signature.trusted == true)\n )\n )\n", "references": ["https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": 
"feafdc51-c575-4ed2-89dd-8e20badc2d6c", "severity": "low", "tags": ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1189", "name": "Drive-by Compromise", "reference": "https://attack.mitre.org/techniques/T1189/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "feafdc51-c575-4ed2-89dd-8e20badc2d6c_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c_2.json b/packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c_2.json
deleted file mode 100644
index efb9e5ba5eb..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies executables with names resembling legitimate business applications but lacking signatures from the original developer. Attackers may trick users into downloading malicious executables that masquerade as legitimate applications via malicious ads, forum posts, and tutorials, effectively gaining initial access.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as Business App Installer", "query": "process where host.os.type == \"windows\" and\n event.type == \"start\" and process.executable : \"?:\\\\Users\\\\*\\\\Downloads\\\\*\" and\n not process.code_signature.status : (\"errorCode_endpoint*\", \"errorUntrustedRoot\", \"errorChaining\") and\n (\n /* Slack */\n (process.name : \"*slack*.exe\" and not\n (process.code_signature.subject_name in (\n \"Slack Technologies, Inc.\",\n \"Slack Technologies, LLC\"\n ) and process.code_signature.trusted == true)\n ) or\n\n /* WebEx */\n (process.name : \"*webex*.exe\" and not\n (process.code_signature.subject_name in (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and process.code_signature.trusted == true)\n ) or\n\n /* Teams */\n (process.name : \"teams*.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Discord */\n (process.name : \"*discord*.exe\" and not\n (process.code_signature.subject_name == \"Discord Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* WhatsApp */\n (process.name : \"*whatsapp*.exe\" and not\n (process.code_signature.subject_name in (\n \"WhatsApp LLC\",\n \"WhatsApp, Inc\",\n \"24803D75-212C-471A-BC57-9EF86AB91435\"\n ) and process.code_signature.trusted == true)\n ) or\n\n /* Zoom */\n (process.name : (\"*zoom*installer*.exe\", \"*zoom*setup*.exe\", \"zoom.exe\") and not\n 
(process.code_signature.subject_name == \"Zoom Video Communications, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Outlook */\n (process.name : \"*outlook*.exe\" and not\n (\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) or\n (\n process.name: \"MSOutlookHelp-PST-Viewer.exe\" and process.code_signature.subject_name == \"Aryson Technologies Pvt. Ltd\" and\n process.code_signature.trusted == true\n )\n )\n ) or\n\n /* Thunderbird */\n (process.name : \"*thunderbird*.exe\" and not\n (process.code_signature.subject_name == \"Mozilla Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Grammarly */\n (process.name : \"*grammarly*.exe\" and not\n (process.code_signature.subject_name == \"Grammarly, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Dropbox */\n (process.name : \"*dropbox*.exe\" and not\n (process.code_signature.subject_name == \"Dropbox, Inc\" and process.code_signature.trusted == true)\n ) or\n\n /* Tableau */\n (process.name : \"*tableau*.exe\" and not\n (process.code_signature.subject_name == \"Tableau Software LLC\" and process.code_signature.trusted == true)\n ) or\n\n /* Google Drive */\n (process.name : \"*googledrive*.exe\" and not\n (process.code_signature.subject_name == \"Google LLC\" and process.code_signature.trusted == true)\n ) or\n\n /* MSOffice */\n (process.name : \"*office*setup*.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Okta */\n (process.name : \"*okta*.exe\" and not\n (process.code_signature.subject_name == \"Okta, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* OneDrive */\n (process.name : \"*onedrive*.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Chrome */\n (process.name : \"*chrome*.exe\" and not\n 
(process.code_signature.subject_name in (\"Google LLC\", \"Google Inc\") and process.code_signature.trusted == true)\n ) or\n\n /* Firefox */\n (process.name : \"*firefox*.exe\" and not\n (process.code_signature.subject_name == \"Mozilla Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Edge */\n (process.name : (\"*microsoftedge*.exe\", \"*msedge*.exe\") and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Brave */\n (process.name : \"*brave*.exe\" and not\n (process.code_signature.subject_name == \"Brave Software, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* GoogleCloud Related Tools */\n (process.name : \"*GoogleCloud*.exe\" and not\n (process.code_signature.subject_name == \"Google LLC\" and process.code_signature.trusted == true)\n ) or\n\n /* Github Related Tools */\n (process.name : \"*github*.exe\" and not\n (process.code_signature.subject_name == \"GitHub, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Notion */\n (process.name : \"*notion*.exe\" and not\n (process.code_signature.subject_name == \"Notion Labs, Inc.\" and process.code_signature.trusted == true)\n )\n )\n", "references": ["https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": 
"feafdc51-c575-4ed2-89dd-8e20badc2d6c", "severity": "low", "tags": ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Initial Access", "Tactic: Execution", "Rule Type: BBR"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}, {"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1189", "name": "Drive-by Compromise", "reference": "https://attack.mitre.org/techniques/T1189/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "feafdc51-c575-4ed2-89dd-8e20badc2d6c_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c_3.json b/packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c_3.json
deleted file mode 100644
index e7d703fe76f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/feafdc51-c575-4ed2-89dd-8e20badc2d6c_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies executables with names resembling legitimate business applications but lacking signatures from the original developer. Attackers may trick users into downloading malicious executables that masquerade as legitimate applications via malicious ads, forum posts, and tutorials, effectively gaining initial access.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Masquerading as Business App Installer", "query": "process where host.os.type == \"windows\" and\n event.type == \"start\" and process.executable : \"?:\\\\Users\\\\*\\\\Downloads\\\\*\" and\n not process.code_signature.status : (\"errorCode_endpoint*\", \"errorUntrustedRoot\", \"errorChaining\") and\n (\n /* Slack */\n (process.name : \"*slack*.exe\" and not\n (process.code_signature.subject_name in (\n \"Slack Technologies, Inc.\",\n \"Slack Technologies, LLC\"\n ) and process.code_signature.trusted == true)\n ) or\n\n /* WebEx */\n (process.name : \"*webex*.exe\" and not\n (process.code_signature.subject_name in (\"Cisco WebEx LLC\", \"Cisco Systems, Inc.\") and process.code_signature.trusted == true)\n ) or\n\n /* Teams */\n (process.name : \"teams*.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Discord */\n (process.name : \"*discord*.exe\" and not\n (process.code_signature.subject_name == \"Discord Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* WhatsApp */\n (process.name : \"*whatsapp*.exe\" and not\n (process.code_signature.subject_name in (\n \"WhatsApp LLC\",\n \"WhatsApp, Inc\",\n \"24803D75-212C-471A-BC57-9EF86AB91435\"\n ) and process.code_signature.trusted == true)\n ) or\n\n /* Zoom */\n (process.name : (\"*zoom*installer*.exe\", \"*zoom*setup*.exe\", \"zoom.exe\") and not\n (process.code_signature.subject_name == \"Zoom Video 
Communications, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Outlook */\n (process.name : \"*outlook*.exe\" and not\n (\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true) or\n (\n process.name: \"MSOutlookHelp-PST-Viewer.exe\" and process.code_signature.subject_name == \"Aryson Technologies Pvt. Ltd\" and\n process.code_signature.trusted == true\n )\n )\n ) or\n\n /* Thunderbird */\n (process.name : \"*thunderbird*.exe\" and not\n (process.code_signature.subject_name == \"Mozilla Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Grammarly */\n (process.name : \"*grammarly*.exe\" and not\n (process.code_signature.subject_name == \"Grammarly, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Dropbox */\n (process.name : \"*dropbox*.exe\" and not\n (process.code_signature.subject_name == \"Dropbox, Inc\" and process.code_signature.trusted == true)\n ) or\n\n /* Tableau */\n (process.name : \"*tableau*.exe\" and not\n (process.code_signature.subject_name == \"Tableau Software LLC\" and process.code_signature.trusted == true)\n ) or\n\n /* Google Drive */\n (process.name : \"*googledrive*.exe\" and not\n (process.code_signature.subject_name == \"Google LLC\" and process.code_signature.trusted == true)\n ) or\n\n /* MSOffice */\n (process.name : \"*office*setup*.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Okta */\n (process.name : \"*okta*.exe\" and not\n (process.code_signature.subject_name == \"Okta, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* OneDrive */\n (process.name : \"*onedrive*.exe\" and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Chrome */\n (process.name : \"*chrome*.exe\" and not\n (process.code_signature.subject_name in (\"Google LLC\", 
\"Google Inc\") and process.code_signature.trusted == true)\n ) or\n\n /* Firefox */\n (process.name : \"*firefox*.exe\" and not\n (process.code_signature.subject_name == \"Mozilla Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Edge */\n (process.name : (\"*microsoftedge*.exe\", \"*msedge*.exe\") and not\n (process.code_signature.subject_name == \"Microsoft Corporation\" and process.code_signature.trusted == true)\n ) or\n\n /* Brave */\n (process.name : \"*brave*.exe\" and not\n (process.code_signature.subject_name == \"Brave Software, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* GoogleCloud Related Tools */\n (process.name : \"*GoogleCloud*.exe\" and not\n (process.code_signature.subject_name == \"Google LLC\" and process.code_signature.trusted == true)\n ) or\n\n /* Github Related Tools */\n (process.name : \"*github*.exe\" and not\n (process.code_signature.subject_name == \"GitHub, Inc.\" and process.code_signature.trusted == true)\n ) or\n\n /* Notion */\n (process.name : \"*notion*.exe\" and not\n (process.code_signature.subject_name == \"Notion Labs, Inc.\" and process.code_signature.trusted == true)\n )\n )\n", "references": ["https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-lumma-infostealers"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.status", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.subject_name", "type": "keyword"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 21, "rule_id": "feafdc51-c575-4ed2-89dd-8e20badc2d6c", "severity": "low", "tags": ["Domain: 
Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Initial Access", "Tactic: Execution"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1036", "name": "Masquerading", "reference": "https://attack.mitre.org/techniques/T1036/", "subtechnique": [{"id": "T1036.001", "name": "Invalid Code Signature", "reference": "https://attack.mitre.org/techniques/T1036/001/"}, {"id": "T1036.005", "name": "Match Legitimate Name or Location", "reference": "https://attack.mitre.org/techniques/T1036/005/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access", "reference": "https://attack.mitre.org/tactics/TA0001/"}, "technique": [{"id": "T1189", "name": "Drive-by Compromise", "reference": "https://attack.mitre.org/techniques/T1189/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "feafdc51-c575-4ed2-89dd-8e20badc2d6c_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fec7ccb7-6ed9-4f98-93ab-d6b366b063a0.json b/packages/security_detection_engine/kibana/security_rule/fec7ccb7-6ed9-4f98-93ab-d6b366b063a0.json deleted file mode 100644 index 438113f40d4..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fec7ccb7-6ed9-4f98-93ab-d6b366b063a0.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the execution of a command via Microsoft Visual Studio Pre or Post build events. Adversaries may backdoor a trusted visual studio project to execute a malicious command during the project build process.", "from": "now-119m", "index": ["logs-endpoint.events.process-*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Execution via MS VisualStudio Pre/Post Build Events", "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n process.name : \"cmd.exe\" and process.parent.name : \"MSBuild.exe\" and\n process.args : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp*.exec.cmd\"] by process.entity_id\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n process.name : (\n \"cmd.exe\", \"powershell.exe\",\n \"MSHTA.EXE\", \"CertUtil.exe\",\n \"CertReq.exe\", \"rundll32.exe\",\n \"regsvr32.exe\", \"MSbuild.exe\",\n \"cscript.exe\", \"wscript.exe\",\n \"installutil.exe\"\n ) and\n not \n (\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n process.args : (\n \"*\\\\vcpkg\\\\scripts\\\\buildsystems\\\\msbuild\\\\applocal.ps1\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\VisualStudio\\\\SxS\\\\VS?\",\n \"process.versions.node*\",\n \"?:\\\\Program Files\\\\nodejs\\\\node.exe\",\n \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\MSBuild\\\\ToolsVersions\\\\*\",\n \"*Get-ChildItem*Tipasplus.css*\",\n \"Build\\\\GenerateResourceScripts.ps1\",\n \"Shared\\\\Common\\\\..\\\\..\\\\BuildTools\\\\ConfigBuilder.ps1\\\"\",\n \"?:\\\\Projets\\\\*\\\\PostBuild\\\\MediaCache.ps1\"\n )\n ) and\n not process.executable : \"?:\\\\Program Files*\\\\Microsoft Visual Studio\\\\*\\\\MSBuild.exe\" and\n not (process.name : \"cmd.exe\" and\n process.command_line :\n (\"*vswhere.exe -property catalog_productSemanticVersion*\",\n \"*git log --pretty=format*\", 
\"*\\\\.nuget\\\\packages\\\\vswhere\\\\*\",\n \"*Common\\\\..\\\\..\\\\BuildTools\\\\*\"))\n ] by process.parent.entity_id\n", "references": ["https://docs.microsoft.com/en-us/visualstudio/ide/reference/pre-build-event-post-build-event-command-line-dialog-box?view=vs-2022", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html", "https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Execution/execution_evasion_visual_studio_prebuild_event.evtx"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", 
"name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "type": "eql", "version": 2}, "id": "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/fec7ccb7-6ed9-4f98-93ab-d6b366b063a0_1.json b/packages/security_detection_engine/kibana/security_rule/fec7ccb7-6ed9-4f98-93ab-d6b366b063a0_1.json deleted file mode 100644 index d65848b22f1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/fec7ccb7-6ed9-4f98-93ab-d6b366b063a0_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "building_block_type": "default", "description": "Identifies the execution of a command via Microsoft Visual Studio Pre or Post build events. Adversaries may backdoor a trusted visual studio project to execute a malicious command during the project build process.", "from": "now-119m", "index": ["logs-endpoint.events.*"], "interval": "60m", "language": "eql", "license": "Elastic License v2", "name": "Execution via MS VisualStudio Pre/Post Build Events", "query": "sequence with maxspan=1m\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n process.name : \"cmd.exe\" and process.parent.name : \"MSBuild.exe\" and\n process.args : \"?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp*.exec.cmd\"] by process.entity_id\n [process where host.os.type == \"windows\" and event.action == \"start\" and\n process.name : (\n \"cmd.exe\", \"powershell.exe\",\n \"MSHTA.EXE\", \"CertUtil.exe\",\n \"CertReq.exe\", \"rundll32.exe\",\n \"regsvr32.exe\", \"MSbuild.exe\",\n \"cscript.exe\", \"wscript.exe\",\n \"installutil.exe\"\n ) and\n not \n (\n process.name : (\"cmd.exe\", \"powershell.exe\") and\n process.args : (\n \"*\\\\vcpkg\\\\scripts\\\\buildsystems\\\\msbuild\\\\applocal.ps1\",\n \"HKLM\\\\SOFTWARE\\\\Microsoft\\\\VisualStudio\\\\SxS\\\\VS?\",\n \"process.versions.node*\",\n \"?:\\\\Program Files\\\\nodejs\\\\node.exe\",\n \"HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\MSBuild\\\\ToolsVersions\\\\*\",\n \"*Get-ChildItem*Tipasplus.css*\",\n \"Build\\\\GenerateResourceScripts.ps1\",\n \"Shared\\\\Common\\\\..\\\\..\\\\BuildTools\\\\ConfigBuilder.ps1\\\"\",\n \"?:\\\\Projets\\\\*\\\\PostBuild\\\\MediaCache.ps1\"\n )\n ) and\n not process.executable : \"?:\\\\Program Files*\\\\Microsoft Visual Studio\\\\*\\\\MSBuild.exe\" and\n not (process.name : \"cmd.exe\" and\n process.command_line :\n (\"*vswhere.exe -property catalog_productSemanticVersion*\",\n \"*git log --pretty=format*\", 
\"*\\\\.nuget\\\\packages\\\\vswhere\\\\*\",\n \"*Common\\\\..\\\\..\\\\BuildTools\\\\*\"))\n ] by process.parent.entity_id\n", "references": ["https://docs.microsoft.com/en-us/visualstudio/ide/reference/pre-build-event-post-build-event-command-line-dialog-box?view=vs-2022", "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html", "https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Execution/execution_evasion_visual_studio_prebuild_event.evtx"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.args", "type": "keyword"}, {"ecs": true, "name": "process.command_line", "type": "wildcard"}, {"ecs": true, "name": "process.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.parent.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.parent.name", "type": "keyword"}], "risk_score": 21, "rule_id": "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0", "severity": "low", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Rule Type: BBR", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1127", "name": "Trusted Developer Utilities Proxy Execution", "reference": "https://attack.mitre.org/techniques/T1127/", "subtechnique": [{"id": "T1127.001", "name": "MSBuild", "reference": "https://attack.mitre.org/techniques/T1127/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", 
"name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": []}], "type": "eql", "version": 1}, "id": "fec7ccb7-6ed9-4f98-93ab-d6b366b063a0_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3.json b/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3.json deleted file mode 100644 index 3e41f2435ad..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Microsoft Office Products offer options for users and developers to control the security settings for running and using Macros. Adversaries may abuse these security settings to modify the default behavior of the Office Application to trust future macros and/or disable security warnings, which could increase their chances of establishing persistence.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "MS Office Macro Security Registry Modifications", "note": "## Triage and analysis\n\n### Investigating MS Office Macro Security Registry Modifications\n\nMacros are small programs that are used to automate repetitive tasks in Microsoft Office applications. Historically, macros have been used for a variety of reasons -- from automating part of a job, to building entire processes and data flows. Macros are written in Visual Basic for Applications (VBA) and are saved as part of Microsoft Office files.\n\nMacros are often created for legitimate reasons, but they can also be written by attackers to gain access, harm a system, or bypass other security controls such as application allow listing. In fact, exploitation from malicious macros is one of the top ways that organizations are compromised today. These attacks are often conducted through phishing or spear phishing campaigns.\n\nAttackers can convince victims to modify Microsoft Office security settings, so their macros are trusted by default and no warnings are displayed when they are executed. 
These settings include:\n\n- *Trust access to the VBA project object model* - When enabled, Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission.\n- *VbaWarnings* - When set to 1, Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission.\n\nThis rule looks for registry changes affecting the conditions above.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user and check if the change was done manually.\n- Verify whether malicious macros were executed after the registry change.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently executed Office documents and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the registry key value.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Explore using GPOs to manage security settings for Microsoft Office macros.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and registry.value : (\"AccessVBOM\", \"VbaWarnings\") and\n registry.path : (\n \"HKU\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"HKU\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"HKU\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"HKU\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n 
\"\\\\REGISTRY\\\\USER\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\"\n ) and\n registry.data.strings : (\"0x00000001\", \"1\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "feeed87c-5e95-4339-aef1-47fd79bcfbe3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "feeed87c-5e95-4339-aef1-47fd79bcfbe3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_104.json b/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_104.json deleted file mode 100644 index f14dea76845..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_104.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Microsoft Office Products offer options for users and developers to control the security settings for running and using Macros. Adversaries may abuse these security settings to modify the default behavior of the Office Application to trust future macros and/or disable security warnings, which could increase their chances of establishing persistence.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "MS Office Macro Security Registry Modifications", "note": "## Triage and analysis\n\n### Investigating MS Office Macro Security Registry Modifications\n\nMacros are small programs that are used to automate repetitive tasks in Microsoft Office applications. Historically, macros have been used for a variety of reasons -- from automating part of a job, to building entire processes and data flows. Macros are written in Visual Basic for Applications (VBA) and are saved as part of Microsoft Office files.\n\nMacros are often created for legitimate reasons, but they can also be written by attackers to gain access, harm a system, or bypass other security controls such as application allow listing. In fact, exploitation from malicious macros is one of the top ways that organizations are compromised today. These attacks are often conducted through phishing or spear phishing campaigns.\n\nAttackers can convince victims to modify Microsoft Office security settings, so their macros are trusted by default and no warnings are displayed when they are executed. 
These settings include:\n\n- *Trust access to the VBA project object model* - When enabled, Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission.\n- *VbaWarnings* - When set to 1, Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission.\n\nThis rule looks for registry changes affecting the conditions above.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user and check if the change was done manually.\n- Verify whether malicious macros were executed after the registry change.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently executed Office documents and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the registry key value.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Explore using GPOs to manage security settings for Microsoft Office macros.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKU\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"HKU\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"HKU\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"HKU\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n 
\"\\\\REGISTRY\\\\USER\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\"\n ) and\n registry.data.strings : (\"0x00000001\", \"1\") and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"mshta.exe\", \"mshta.exe\", \"winword.exe\", \"excel.exe\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "feeed87c-5e95-4339-aef1-47fd79bcfbe3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 104}, "id": "feeed87c-5e95-4339-aef1-47fd79bcfbe3_104", "type": "security-rule"} 
\ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_105.json b/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_105.json deleted file mode 100644 index 1730c6a4da0..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_105.json +++ /dev/null 
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Microsoft Office Products offer options for users and developers to control the security settings for running and using Macros. Adversaries may abuse these security settings to modify the default behavior of the Office Application to trust future macros and/or disable security warnings, which could increase their chances of establishing persistence.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "MS Office Macro Security Registry Modifications", "note": "## Triage and analysis\n\n### Investigating MS Office Macro Security Registry Modifications\n\nMacros are small programs that are used to automate repetitive tasks in Microsoft Office applications. Historically, macros have been used for a variety of reasons -- from automating part of a job, to building entire processes and data flows. Macros are written in Visual Basic for Applications (VBA) and are saved as part of Microsoft Office files.\n\nMacros are often created for legitimate reasons, but they can also be written by attackers to gain access, harm a system, or bypass other security controls such as application allow listing. In fact, exploitation from malicious macros is one of the top ways that organizations are compromised today. These attacks are often conducted through phishing or spear phishing campaigns.\n\nAttackers can convince victims to modify Microsoft Office security settings, so their macros are trusted by default and no warnings are displayed when they are executed. 
These settings include:\n\n- *Trust access to the VBA project object model* - When enabled, Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission.\n- *VbaWarnings* - When set to 1, Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission.\n\nThis rule looks for registry changes affecting the conditions above.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user and check if the change was done manually.\n- Verify whether malicious macros were executed after the registry change.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently executed Office documents and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the registry key value.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Explore using GPOs to manage security settings for Microsoft Office macros.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKU\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"HKU\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"HKU\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"HKU\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n 
\"\\\\REGISTRY\\\\USER\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\"\n ) and\n registry.data.strings : (\"0x00000001\", \"1\") and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"mshta.exe\", \"mshta.exe\", \"winword.exe\", \"excel.exe\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "feeed87c-5e95-4339-aef1-47fd79bcfbe3", "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 105}, "id": 
"feeed87c-5e95-4339-aef1-47fd79bcfbe3_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_106.json b/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_106.json
deleted file mode 100644
index dbb22290acd..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_106.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Microsoft Office Products offer options for users and developers to control the security settings for running and using Macros. Adversaries may abuse these security settings to modify the default behavior of the Office Application to trust future macros and/or disable security warnings, which could increase their chances of establishing persistence.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "MS Office Macro Security Registry Modifications", "note": "## Triage and analysis\n\n### Investigating MS Office Macro Security Registry Modifications\n\nMacros are small programs that are used to automate repetitive tasks in Microsoft Office applications. Historically, macros have been used for a variety of reasons -- from automating part of a job, to building entire processes and data flows. Macros are written in Visual Basic for Applications (VBA) and are saved as part of Microsoft Office files.\n\nMacros are often created for legitimate reasons, but they can also be written by attackers to gain access, harm a system, or bypass other security controls such as application allow listing. In fact, exploitation from malicious macros is one of the top ways that organizations are compromised today. These attacks are often conducted through phishing or spear phishing campaigns.\n\nAttackers can convince victims to modify Microsoft Office security settings, so their macros are trusted by default and no warnings are displayed when they are executed. 
These settings include:\n\n- *Trust access to the VBA project object model* - When enabled, Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission.\n- *VbaWarnings* - When set to 1, Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission.\n\nThis rule looks for registry changes affecting the conditions above.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user and check if the change was done manually.\n- Verify whether malicious macros were executed after the registry change.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently executed Office documents and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the registry key value.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Explore using GPOs to manage security settings for Microsoft Office macros.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n\n\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKU\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"HKU\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"HKU\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"HKU\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n 
\"\\\\REGISTRY\\\\USER\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\"\n ) and\n registry.data.strings : (\"0x00000001\", \"1\") and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"mshta.exe\", \"mshta.exe\", \"winword.exe\", \"excel.exe\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "feeed87c-5e95-4339-aef1-47fd79bcfbe3", "setup": "\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": 
"Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 106}, "id": "feeed87c-5e95-4339-aef1-47fd79bcfbe3_106", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_107.json b/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_107.json
deleted file mode 100644
index 1627e7ad418..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_107.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Microsoft Office Products offer options for users and developers to control the security settings for running and using Macros. Adversaries may abuse these security settings to modify the default behavior of the Office Application to trust future macros and/or disable security warnings, which could increase their chances of establishing persistence.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "MS Office Macro Security Registry Modifications", "note": "## Triage and analysis\n\n### Investigating MS Office Macro Security Registry Modifications\n\nMacros are small programs that are used to automate repetitive tasks in Microsoft Office applications. Historically, macros have been used for a variety of reasons -- from automating part of a job, to building entire processes and data flows. Macros are written in Visual Basic for Applications (VBA) and are saved as part of Microsoft Office files.\n\nMacros are often created for legitimate reasons, but they can also be written by attackers to gain access, harm a system, or bypass other security controls such as application allow listing. In fact, exploitation from malicious macros is one of the top ways that organizations are compromised today. These attacks are often conducted through phishing or spear phishing campaigns.\n\nAttackers can convince victims to modify Microsoft Office security settings, so their macros are trusted by default and no warnings are displayed when they are executed. 
These settings include:\n\n- *Trust access to the VBA project object model* - When enabled, Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission.\n- *VbaWarnings* - When set to 1, Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission.\n\nThis rule looks for registry changes affecting the conditions above.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user and check if the change was done manually.\n- Verify whether malicious macros were executed after the registry change.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently executed Office documents and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the registry key value.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Explore using GPOs to manage security settings for Microsoft Office macros.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and\n registry.path : (\n \"HKU\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"HKU\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"HKU\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"HKU\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n 
\"\\\\REGISTRY\\\\USER\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\"\n ) and\n registry.data.strings : (\"0x00000001\", \"1\") and\n process.name : (\"cscript.exe\", \"wscript.exe\", \"mshta.exe\", \"mshta.exe\", \"winword.exe\", \"excel.exe\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}], "risk_score": 47, "rule_id": "feeed87c-5e95-4339-aef1-47fd79bcfbe3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": 
[{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 107}, "id": "feeed87c-5e95-4339-aef1-47fd79bcfbe3_107", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_108.json b/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_108.json
deleted file mode 100644
index df98229fe6e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/feeed87c-5e95-4339-aef1-47fd79bcfbe3_108.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Microsoft Office Products offer options for users and developers to control the security settings for running and using Macros. Adversaries may abuse these security settings to modify the default behavior of the Office Application to trust future macros and/or disable security warnings, which could increase their chances of establishing persistence.", "from": "now-9m", "index": ["winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"], "language": "eql", "license": "Elastic License v2", "name": "MS Office Macro Security Registry Modifications", "note": "## Triage and analysis\n\n### Investigating MS Office Macro Security Registry Modifications\n\nMacros are small programs that are used to automate repetitive tasks in Microsoft Office applications. Historically, macros have been used for a variety of reasons -- from automating part of a job, to building entire processes and data flows. Macros are written in Visual Basic for Applications (VBA) and are saved as part of Microsoft Office files.\n\nMacros are often created for legitimate reasons, but they can also be written by attackers to gain access, harm a system, or bypass other security controls such as application allow listing. In fact, exploitation from malicious macros is one of the top ways that organizations are compromised today. These attacks are often conducted through phishing or spear phishing campaigns.\n\nAttackers can convince victims to modify Microsoft Office security settings, so their macros are trusted by default and no warnings are displayed when they are executed. 
These settings include:\n\n- *Trust access to the VBA project object model* - When enabled, Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission.\n- *VbaWarnings* - When set to 1, Microsoft Office will trust all macros and run any code without showing a security warning or requiring user permission.\n\nThis rule looks for registry changes affecting the conditions above.\n\n#### Possible investigation steps\n\n- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n- Identify the user account that performed the action and whether it should perform this kind of action.\n- Contact the user and check if the change was done manually.\n- Verify whether malicious macros were executed after the registry change.\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Retrieve recently executed Office documents and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - File and registry access, modification, and creation activities.\n - Service creation and launch activities.\n - Scheduled task creation.\n - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.\n - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n### False positive analysis\n\n- This activity should not happen legitimately. 
The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Reset the registry key value.\n- Isolate the involved host to prevent further post-compromise behavior.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Explore using GPOs to manage security settings for Microsoft Office macros.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "registry where host.os.type == \"windows\" and event.type == \"change\" and registry.value : (\"AccessVBOM\", \"VbaWarnings\") and\n registry.path : (\n \"HKU\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"HKU\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"HKU\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"HKU\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-5-21-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\",\n \"\\\\REGISTRY\\\\USER\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\AccessVBOM\",\n 
\"\\\\REGISTRY\\\\USER\\\\S-1-12-1-*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Security\\\\VbaWarnings\"\n ) and\n registry.data.strings : (\"0x00000001\", \"1\")\n", "related_integrations": [{"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "registry.data.strings", "type": "wildcard"}, {"ecs": true, "name": "registry.path", "type": "keyword"}, {"ecs": true, "name": "registry.value", "type": "keyword"}], "risk_score": 47, "rule_id": "feeed87c-5e95-4339-aef1-47fd79bcfbe3", "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1112", "name": "Modify Registry", "reference": "https://attack.mitre.org/techniques/T1112/"}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1204", "name": "User Execution", "reference": "https://attack.mitre.org/techniques/T1204/", "subtechnique": [{"id": "T1204.002", "name": "Malicious File", "reference": "https://attack.mitre.org/techniques/T1204/002/"}]}]}], 
"timestamp_override": "event.ingested", "type": "eql", "version": 108}, "id": "feeed87c-5e95-4339-aef1-47fd79bcfbe3_108", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92.json b/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92.json
deleted file mode 100644
index 034e8fe26f5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.", "false_positives": ["Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected."], "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.", "query": "(event.dataset: (network_traffic.http or network_traffic.tls) or\n (event.category: (network or network_traffic) and network.protocol: http)) and\n (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", "references": ["https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", 
"https://www.justice.gov/opa/press-release/file/1084361/download", "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "url.extension", "type": "keyword"}, {"ecs": true, "name": "url.path", "type": "wildcard"}], "risk_score": 47, "rule_id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92", "severity": "medium", "tags": ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_101.json b/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_101.json deleted file mode 100644 index 7ac786d1add..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_101.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.", "false_positives": ["Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected."], "from": "now-9m", "index": ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"], "language": "kuery", "license": "Elastic License v2", "name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.", "query": "event.category:(network or network_traffic) and network.protocol:http and\n (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", "references": ["https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", "https://www.justice.gov/opa/press-release/file/1084361/download", 
"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "url.extension", "type": "keyword"}, {"ecs": true, "name": "url.path", "type": "wildcard"}], "risk_score": 47, "rule_id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92", "severity": "medium", "tags": ["Elastic", "Network", "Threat Detection", "Command and Control", "Host"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92_101", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_102.json b/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_102.json deleted file mode 100644 index c470b6a0c8f..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_102.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.", "false_positives": ["Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected."], "from": "now-9m", "index": ["packetbeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.", "query": "event.dataset: (network_traffic.http or network_traffic.tls) and\n (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", "references": ["https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", "https://www.justice.gov/opa/press-release/file/1084361/download", 
"https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "url.extension", "type": "keyword"}, {"ecs": true, "name": "url.path", "type": "wildcard"}], "risk_score": 47, "rule_id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92", "severity": "medium", "tags": ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92_102", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_103.json b/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_103.json deleted file mode 100644 index 5c9428f825a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ff013cb4-274d-434a-96bb-fe15ddd3ae92_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.", "false_positives": ["Downloading RAR or PowerShell files from the Internet may be expected for certain systems. This rule should be tailored to either exclude systems as sources or destinations in which this behavior is expected."], "from": "now-9m", "index": ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"], "language": "kuery", "license": "Elastic License v2", "name": "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet", "note": "## Threat intel\n\nThis activity has been observed in FIN7 campaigns.", "query": "(event.dataset: (network_traffic.http or network_traffic.tls) or\n (event.category: (network or network_traffic) and network.protocol: http)) and\n (url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and\n not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.0.0.0/24 or\n 192.0.0.0/29 or\n 192.0.0.8/32 or\n 192.0.0.9/32 or\n 192.0.0.10/32 or\n 192.0.0.170/32 or\n 192.0.0.171/32 or\n 192.0.2.0/24 or\n 192.31.196.0/24 or\n 192.52.193.0/24 or\n 192.168.0.0/16 or\n 192.88.99.0/24 or\n 224.0.0.0/4 or\n 100.64.0.0/10 or\n 192.175.48.0/24 or\n 198.18.0.0/15 or\n 198.51.100.0/24 or\n 203.0.113.0/24 or\n 240.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n ) and\n source.ip:(\n 10.0.0.0/8 or\n 172.16.0.0/12 or\n 192.168.0.0/16\n )\n", "references": ["https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", 
"https://www.justice.gov/opa/press-release/file/1084361/download", "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"], "related_integrations": [{"package": "network_traffic", "version": "^1.1.0"}], "required_fields": [{"ecs": true, "name": "destination.ip", "type": "ip"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "network.protocol", "type": "keyword"}, {"ecs": true, "name": "source.ip", "type": "ip"}, {"ecs": true, "name": "url.extension", "type": "keyword"}, {"ecs": true, "name": "url.path", "type": "wildcard"}], "risk_score": 47, "rule_id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92", "severity": "medium", "tags": ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1105", "name": "Ingress Tool Transfer", "reference": "https://attack.mitre.org/techniques/T1105/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "ff013cb4-274d-434a-96bb-fe15ddd3ae92_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1.json b/packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1.json deleted file mode 100644 index 4ad2941a41d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A population analysis machine learning job detected potential DGA (domain generation algorithm) activity. Such activity is often used by malware command and control (C2) channels. This machine learning job looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "dga_high_sum_probability", "name": "Potential DGA Activity", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/dga", "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration"], "related_integrations": [{"package": "dga", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "ff0d807d-869b-4a0d-a493-52bc46d2f1b1", "setup": "## Setup\n\nThe rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. 
\n\n### DGA Detection Setup\nThe DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events.\n\n#### Prerequisite Requirements:\n- Fleet is required for DGA Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- DNS events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint), [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration, or [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n- To set up and run Packetbeat, follow [this](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html) guide.\n\n#### The following steps should be executed to install assets associated with the DGA Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n\n### Anomaly Detection Setup\nBefore you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched DNS events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/dga/kibana/ml_module/dga-ml.json) configuration file, you will see a card for DGA under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", "severity": "low", "tags": ["Use Case: Domain Generation Algorithm Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/"}]}], "type": "machine_learning", "version": 5}, "id": "ff0d807d-869b-4a0d-a493-52bc46d2f1b1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1_1.json b/packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1_1.json deleted file mode 100644 index ad479d8711a..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A population analysis machine learning job detected potential DGA (domain generation algorithm) activity. Such activity is often used by malware command and control (C2) channels. This machine learning job looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "dga_high_sum_probability", "name": "Potential DGA Activity", "note": "", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/dga"], "related_integrations": [{"package": "dga", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "ff0d807d-869b-4a0d-a493-52bc46d2f1b1", "setup": "The Domain Generation Algorithm (DGA) integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.", "severity": "low", "tags": ["Use Case: Domain Generation Algorithm Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/"}]}], "type": "machine_learning", "version": 1}, "id": "ff0d807d-869b-4a0d-a493-52bc46d2f1b1_1", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1_2.json b/packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1_2.json
deleted file mode 100644
index 0df2e93ba2d..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A population analysis machine learning job detected potential DGA (domain generation algorithm) activity. Such activity is often used by malware command and control (C2) channels. This machine learning job looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "dga_high_sum_probability", "name": "Potential DGA Activity", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/dga", "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration"], "related_integrations": [{"package": "dga", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "ff0d807d-869b-4a0d-a493-52bc46d2f1b1", "setup": "The rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. 
\n\n### DGA Detection Setup\nThe DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events.\n\n#### Prerequisite Requirements:\n- Fleet is required for DGA Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- DNS events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint), [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration, or [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n- To set up and run Packetbeat, follow [this](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html) guide.\n\n#### The following steps should be executed to install assets associated with the DGA Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.\n- Under Settings, click Install Domain Generation Algorithm Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich DNS events with predictions from the Supervised DGA Detection model. 
This is done via the ingest pipeline named `-ml_dga_ingest_pipeline` installed with the DGA Detection package.\n- If using an Elastic Beat such as Packetbeat, add the DGA ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `packetbeat.yml`.\n- If adding the DGA ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the DGA ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"ml_is_dga\": {\n \"properties\": {\n \"malicious_prediction\": {\n \"type\": \"long\"\n },\n \"malicious_probability\": {\n \"type\": \"float\"\n }\n }\n }\n }\n}\n```\n\n### Anomaly Detection Setup\nBefore you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched DNS events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/dga/kibana/ml_module/dga-ml.json) configuration file, you will see a card for DGA under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", "severity": "low", "tags": ["Use Case: Domain Generation Algorithm Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/"}]}], "type": "machine_learning", "version": 2}, "id": "ff0d807d-869b-4a0d-a493-52bc46d2f1b1_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1_3.json b/packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1_3.json deleted file mode 100644 index b2f9012f8a6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A population analysis machine learning job detected potential DGA (domain generation algorithm) activity. Such activity is often used by malware command and control (C2) channels. This machine learning job looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "dga_high_sum_probability", "name": "Potential DGA Activity", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/dga", "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration"], "related_integrations": [{"package": "dga", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "ff0d807d-869b-4a0d-a493-52bc46d2f1b1", "setup": "## Setup\n\nThe rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. 
\n\n### DGA Detection Setup\nThe DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events.\n\n#### Prerequisite Requirements:\n- Fleet is required for DGA Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- DNS events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint), [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration, or [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n- To set up and run Packetbeat, follow [this](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html) guide.\n\n#### The following steps should be executed to install assets associated with the DGA Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.\n- Under Settings, click Install Domain Generation Algorithm Detection assets and follow the prompts to install the assets.\n\n#### Ingest Pipeline Setup\nBefore you can enable this rule, you'll need to enrich DNS events with predictions from the Supervised DGA Detection model. 
This is done via the ingest pipeline named `-ml_dga_ingest_pipeline` installed with the DGA Detection package.\n- If using an Elastic Beat such as Packetbeat, add the DGA ingest pipeline to it by adding a simple configuration [setting](https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html#pipelines-for-beats) to `packetbeat.yml`.\n- If adding the DGA ingest pipeline to an existing pipeline, use a [pipeline processor](https://www.elastic.co/guide/en/elasticsearch/reference/current/pipeline-processor.html).\n\n#### Adding Custom Mappings\n- Go to the Kibana homepage. Under Management, click Stack Management.\n- Under Data click Index Management and navigate to the Component Templates tab.\n- Templates that can be edited to add custom components will be marked with a @custom suffix. Edit the @custom component template corresponding to the beat/integration you added the DGA ingest pipeline to, by pasting the following JSON blob in the \"Load JSON\" flyout:\n```\n{\n \"properties\": {\n \"ml_is_dga\": {\n \"properties\": {\n \"malicious_prediction\": {\n \"type\": \"long\"\n },\n \"malicious_probability\": {\n \"type\": \"float\"\n }\n }\n }\n }\n}\n```\n\n### Anomaly Detection Setup\nBefore you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched DNS events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/dga/kibana/ml_module/dga-ml.json) configuration file, you will see a card for DGA under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", "severity": "low", "tags": ["Use Case: Domain Generation Algorithm Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/"}]}], "type": "machine_learning", "version": 3}, "id": "ff0d807d-869b-4a0d-a493-52bc46d2f1b1_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1_4.json b/packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1_4.json deleted file mode 100644 index ac9199348dc..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ff0d807d-869b-4a0d-a493-52bc46d2f1b1_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"anomaly_threshold": 70, "author": ["Elastic"], "description": "A population analysis machine learning job detected potential DGA (domain generation algorithm) activity. Such activity is often used by malware command and control (C2) channels. This machine learning job looks for a source IP address making DNS requests that have an aggregate high probability of being DGA activity.", "from": "now-45m", "interval": "15m", "license": "Elastic License v2", "machine_learning_job_id": "dga_high_sum_probability", "name": "Potential DGA Activity", "references": ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", "https://docs.elastic.co/en/integrations/dga", "https://www.elastic.co/security-labs/detect-domain-generation-algorithm-activity-with-new-kibana-integration"], "related_integrations": [{"package": "dga", "version": "^2.0.0"}, {"package": "endpoint", "version": "^8.2.0"}, {"package": "network_traffic", "version": "^1.1.0"}], "risk_score": 21, "rule_id": "ff0d807d-869b-4a0d-a493-52bc46d2f1b1", "setup": "## Setup\n\nThe rule requires the Domain Generation Algorithm (DGA) Detection integration assets to be installed, as well as DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. 
\n\n### DGA Detection Setup\nThe DGA Detection integration consists of an ML-based framework to detect DGA activity in DNS events.\n\n#### Prerequisite Requirements:\n- Fleet is required for DGA Detection.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n- DNS events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint), [Network Packet Capture](https://docs.elastic.co/integrations/network_traffic) integration, or [Packetbeat](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html).\n- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n- To add the Network Packet Capture integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.\n- To set up and run Packetbeat, follow [this](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html) guide.\n\n#### The following steps should be executed to install assets associated with the DGA Detection integration:\n- Go to the Kibana homepage. Under Management, click Integrations.\n- In the query bar, search for Domain Generation Algorithm Detection and select the integration to see more details about it.\n- Follow the instructions under the **Installation** section.\n- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.\n```\n\n### Anomaly Detection Setup\nBefore you can enable this rule, you'll need to enable the corresponding Anomaly Detection job. \n- Go to the Kibana homepage. Under Analytics, click Machine Learning.\n- Under Anomaly Detection, click Jobs, and then click \"Create job\". Select the Data View containing your enriched DNS events. 
For example, this would be `logs-endpoint.events.*` if you used Elastic Defend to collect events, or `logs-network_traffic.*` if you used Network Packet Capture.\n- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/dga/kibana/ml_module/dga-ml.json) configuration file, you will see a card for DGA under \"Use preconfigured jobs\".\n- Keep the default settings and click \"Create jobs\" to start the anomaly detection job and datafeed.\n", "severity": "low", "tags": ["Use Case: Domain Generation Algorithm Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0011", "name": "Command and Control", "reference": "https://attack.mitre.org/tactics/TA0011/"}, "technique": [{"id": "T1568", "name": "Dynamic Resolution", "reference": "https://attack.mitre.org/techniques/T1568/"}]}], "type": "machine_learning", "version": 4}, "id": "ff0d807d-869b-4a0d-a493-52bc46d2f1b1_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9.json b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9.json deleted file mode 100644 index bfe4fb266d6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for (ana)cron jobs being created or renamed. Linux cron jobs are scheduled tasks that can be leveraged by system administrators to set up scheduled tasks, but may be abused by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Cron Job Created or Modified", "note": "## Triage and analysis\n\n### Investigating Cron Job Created or Modified\nLinux cron jobs are scheduled tasks that run at specified intervals or times, managed by the cron daemon. \n\nBy creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\n\nThis rule monitors the creation of cron jobs by monitoring for file creation and rename events in the most common cron job task location directories.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the cron job file that was created or modified.\n- Investigate whether any other files in any of the available cron job directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/cron.allow.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE '/etc/cron.hourly/%'\\nOR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR path LIKE '/etc/cron.monthly/%' OR path LIKE\\n'/var/spool/cron/crontabs/%')\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Cron File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/etc/cron.allow' OR path = '/etc/cron.deny' OR path = '/etc/crontab')\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/cron.allow.d/%' OR path LIKE\\n'/etc/cron.d/%' OR path LIKE '/etc/cron.hourly/%' OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR\\npath LIKE '/etc/cron.monthly/%' OR path LIKE '/var/spool/cron/crontabs/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - 
!{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n- Systemd Service Created - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and\nevent.action in (\"rename\", \"creation\") and file.path : (\n \"/etc/cron.allow\", \"/etc/cron.deny\", \"/etc/cron.d/*\", \"/etc/cron.hourly/*\", \"/etc/cron.daily/*\", \"/etc/cron.weekly/*\",\n \"/etc/cron.monthly/*\", \"/etc/crontab\", \"/var/spool/cron/crontabs/*\", \"/var/spool/anacron/*\"\n) and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/local/bin/dockerd\", \"/opt/elasticbeanstalk/bin/platform-engine\",\n \"/opt/puppetlabs/puppet/bin/ruby\", \"/usr/libexec/platform-python\", 
\"/opt/imunify360/venv/bin/python3\",\n \"/opt/eset/efs/lib/utild\", \"/usr/sbin/anacron\", \"/usr/bin/podman\", \"/kaniko/kaniko-executor\"\n ) or\n file.path : \"/var/spool/cron/crontabs/tmp.*\" or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/libexec/platform-python*\"\n ) or\n process.executable == null or\n process.name in (\"crontab\", \"crond\", \"executor\", \"puppet\", \"droplet-agent.postinst\", \"cf-agent\") or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], "timestamp_override": "event.ingested", "type": 
"eql", "version": 12}, "id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_1.json b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_1.json
deleted file mode 100644
index 03c4a75bd27..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Cron Job Created or Changed by Previously Unknown Process", "new_terms_fields": ["file.path", "process.name"], "query": "host.os.type : \"linux\" and event.action : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and \nfile.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or \n/etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /var/spool/cron/* or /usr/sbin/cron or /usr/sbin/anacron) \nand not (process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\") or file.extension : \"swp\")\n", "references": ["https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9", "severity": "medium", "tags": ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Privilege Escalation", "Execution", "Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": 
"https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 1}, "id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_10.json b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_10.json deleted file mode 100644 index 1c1e4d6d4c1..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_10.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Cron Job Created or Changed by Previously Unknown Process", "new_terms_fields": ["host.id", "file.path", "process.executable"], "note": "## Triage and analysis\n\n### Investigating Cron Job Created or Changed by Previously Unknown Process\nLinux cron jobs are scheduled tasks that run at specified intervals or times, managed by the cron daemon. \n\nBy creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\n\nThis rule monitors the creation of previously unknown cron jobs by monitoring for file creation events in the most common cron job task location directories.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the cron job file that was created or modified.\n- Investigate whether any other files in any of the available cron job directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE ( path LIKE '/etc/cron.allow.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE\\n'/etc/cron.hourly/%' OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR path LIKE\\n'/etc/cron.monthly/%' )\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE ( path = '/etc/cron.allow' OR path = '/etc/cron.deny' OR path = '/etc/crontab' OR path =\\n'/usr/sbin/cron' OR path = '/usr/sbin/anacron' )\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/cron.allow.d/%' OR path LIKE\\n'/etc/cron.d/%' OR path LIKE '/etc/cron.hourly/%' OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR\\npath LIKE '/etc/cron.monthly/%' )\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - 
!{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are 
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type : \"linux\" and event.action : (\n change or file_modify_event or creation or file_create_event or rename or file_rename_event\n) and file.path : (\n /etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or /etc/cron.weekly/* or\n /etc/cron.monthly/* or /etc/crontab or /usr/sbin/cron or /usr/sbin/anacron or /var/spool/cron/crontabs/*\n) and not (\n (process.name : (\n dpkg or dockerd or rpm or snapd or yum or exe or dnf or podman or dnf-automatic or puppet or autossl_check)\n ) or \n (file.extension : (swp or swpx)) or \n (process.name : sed and file.name : sed*) or \n (process.name : perl and file.name : e2scrub_all.tmp*) or\n (process.executable : /var/lib/dpkg*) or\n (file.path:/var/spool/cron/crontabs/tmp.*)\n)\n", "references": ["https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", 
"type": "keyword"}], "risk_score": 47, "rule_id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], 
"timestamp_override": "event.ingested", "type": "new_terms", "version": 10}, "id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9_10", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_11.json b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_11.json
deleted file mode 100644
index 72b8e06192b..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_11.json
+++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for (ana)cron jobs being created or renamed. Linux cron jobs are scheduled tasks that can be leveraged by system administrators to set up scheduled tasks, but may be abused by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Cron Job Created or Modified", "note": "## Triage and analysis\n\n### Investigating Cron Job Created or Modified\nLinux cron jobs are scheduled tasks that run at specified intervals or times, managed by the cron daemon. \n\nBy creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\n\nThis rule monitors the creation of cron jobs by monitoring for file creation and rename events in the most common cron job task location directories.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the cron job file that was created or modified.\n- Investigate whether any other files in any of the available cron job directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/cron.allow.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE\\n'/etc/cron.hourly/%' OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR path LIKE\\n'/etc/cron.monthly/%' OR path LIKE '/var/spool/cron/crontabs/%')\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Cron File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/etc/cron.allow' OR path = '/etc/cron.deny' OR path = '/etc/crontab')\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/cron.allow.d/%' OR path LIKE\\n'/etc/cron.d/%' OR path LIKE '/etc/cron.hourly/%' OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR\\npath LIKE '/etc/cron.monthly/%' OR path LIKE '/var/spool/cron/crontabs/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - 
!{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n- Systemd Service Created - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and\nevent.action in (\"rename\", \"creation\") and file.path : (\n \"/etc/cron.allow\", \"/etc/cron.deny\", \"/etc/cron.d/*\", \"/etc/cron.hourly/*\", \"/etc/cron.daily/*\", \"/etc/cron.weekly/*\",\n \"/etc/cron.monthly/*\", \"/etc/crontab\", \"/var/spool/cron/crontabs/*\", \"/var/spool/anacron/*\"\n) and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/local/bin/dockerd\"\n ) or\n file.path : \"/var/spool/cron/crontabs/tmp.*\" or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n 
file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\") or\n process.executable == null or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], "timestamp_override": "event.ingested", "type": 
"eql", "version": 11}, "id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9_11", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_12.json b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_12.json
deleted file mode 100644
index 35276787484..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_12.json
+++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for (ana)cron jobs being created or renamed. Linux cron jobs are scheduled tasks that can be leveraged by system administrators to set up scheduled tasks, but may be abused by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Cron Job Created or Modified", "note": "## Triage and analysis\n\n### Investigating Cron Job Created or Modified\nLinux cron jobs are scheduled tasks that run at specified intervals or times, managed by the cron daemon. \n\nBy creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\n\nThis rule monitors the creation of cron jobs by monitoring for file creation and rename events in the most common cron job task location directories.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the cron job file that was created or modified.\n- Investigate whether any other files in any of the available cron job directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/cron.allow.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE '/etc/cron.hourly/%'\\nOR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR path LIKE '/etc/cron.monthly/%' OR path LIKE\\n'/var/spool/cron/crontabs/%')\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Cron File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/etc/cron.allow' OR path = '/etc/cron.deny' OR path = '/etc/crontab')\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/cron.allow.d/%' OR path LIKE\\n'/etc/cron.d/%' OR path LIKE '/etc/cron.hourly/%' OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR\\npath LIKE '/etc/cron.monthly/%' OR path LIKE '/var/spool/cron/crontabs/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - 
!{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n- Systemd Service Created - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and\nevent.action in (\"rename\", \"creation\") and file.path : (\n \"/etc/cron.allow\", \"/etc/cron.deny\", \"/etc/cron.d/*\", \"/etc/cron.hourly/*\", \"/etc/cron.daily/*\", \"/etc/cron.weekly/*\",\n \"/etc/cron.monthly/*\", \"/etc/crontab\", \"/var/spool/cron/crontabs/*\", \"/var/spool/anacron/*\"\n) and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/local/bin/dockerd\", \"/opt/elasticbeanstalk/bin/platform-engine\",\n \"/opt/puppetlabs/puppet/bin/ruby\", \"/usr/libexec/platform-python\", 
\"/opt/imunify360/venv/bin/python3\",\n \"/opt/eset/efs/lib/utild\", \"/usr/sbin/anacron\", \"/usr/bin/podman\", \"/kaniko/kaniko-executor\"\n ) or\n file.path : \"/var/spool/cron/crontabs/tmp.*\" or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/libexec/platform-python*\"\n ) or\n process.executable == null or\n process.name in (\"crontab\", \"crond\", \"executor\", \"puppet\", \"droplet-agent.postinst\", \"cf-agent\") or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], "timestamp_override": "event.ingested", "type": 
"eql", "version": 12}, "id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9_12", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_13.json b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_13.json
deleted file mode 100644
index bbb66cdbe63..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_13.json
+++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule monitors for (ana)cron jobs being created or renamed. Linux cron jobs are scheduled tasks that can be leveraged by system administrators to set up scheduled tasks, but may be abused by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.", "from": "now-9m", "index": ["logs-endpoint.events.file*"], "language": "eql", "license": "Elastic License v2", "name": "Cron Job Created or Modified", "note": "## Triage and analysis\n\n### Investigating Cron Job Created or Modified\nLinux cron jobs are scheduled tasks that run at specified intervals or times, managed by the cron daemon. \n\nBy creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\n\nThis rule monitors the creation of cron jobs by monitoring for file creation and rename events in the most common cron job task location directories.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the cron job file that was created or modified.\n- Investigate whether any other files in any of the available cron job directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (path LIKE '/etc/cron.allow.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE '/etc/cron.hourly/%'\\nOR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR path LIKE '/etc/cron.monthly/%' OR path LIKE\\n'/var/spool/cron/crontabs/%')\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Cron File Information\",\"query\":\"SELECT * FROM file WHERE (path = '/etc/cron.allow' OR path = '/etc/cron.deny' OR path = '/etc/crontab')\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS\\nfile_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS\\nfile_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT\\nJOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/cron.allow.d/%' OR path LIKE\\n'/etc/cron.d/%' OR path LIKE '/etc/cron.hourly/%' OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR\\npath LIKE '/etc/cron.monthly/%' OR path LIKE '/var/spool/cron/crontabs/%')\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - 
!{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n- Systemd Service Created - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "file where host.os.type == \"linux\" and\nevent.action in (\"rename\", \"creation\") and file.path : (\n \"/etc/cron.allow\", \"/etc/cron.deny\", \"/etc/cron.d/*\", \"/etc/cron.hourly/*\", \"/etc/cron.daily/*\", \"/etc/cron.weekly/*\",\n \"/etc/cron.monthly/*\", \"/etc/crontab\", \"/var/spool/cron/crontabs/*\", \"/var/spool/anacron/*\"\n) and not (\n process.executable in (\n \"/bin/dpkg\", \"/usr/bin/dpkg\", \"/bin/dockerd\", \"/usr/bin/dockerd\", \"/usr/sbin/dockerd\", \"/bin/microdnf\",\n \"/usr/bin/microdnf\", \"/bin/rpm\", \"/usr/bin/rpm\", \"/bin/snapd\", \"/usr/bin/snapd\", \"/bin/yum\", \"/usr/bin/yum\",\n \"/bin/dnf\", \"/usr/bin/dnf\", \"/bin/podman\", \"/usr/bin/podman\", \"/bin/dnf-automatic\", \"/usr/bin/dnf-automatic\",\n \"/bin/pacman\", \"/usr/bin/pacman\", \"/usr/bin/dpkg-divert\", \"/bin/dpkg-divert\", \"/sbin/apk\", \"/usr/sbin/apk\",\n \"/usr/local/sbin/apk\", \"/usr/bin/apt\", \"/usr/sbin/pacman\", \"/bin/podman\", \"/usr/bin/podman\", \"/usr/bin/puppet\",\n \"/bin/puppet\", \"/opt/puppetlabs/puppet/bin/puppet\", \"/usr/bin/chef-client\", \"/bin/chef-client\",\n \"/bin/autossl_check\", \"/usr/bin/autossl_check\", \"/proc/self/exe\", \"/dev/fd/*\", \"/usr/bin/pamac-daemon\",\n \"/bin/pamac-daemon\", \"/usr/local/bin/dockerd\", \"/opt/elasticbeanstalk/bin/platform-engine\",\n \"/opt/puppetlabs/puppet/bin/ruby\", \"/usr/libexec/platform-python\", 
\"/opt/imunify360/venv/bin/python3\",\n \"/opt/eset/efs/lib/utild\", \"/usr/sbin/anacron\", \"/usr/bin/podman\", \"/kaniko/kaniko-executor\"\n ) or\n file.path : \"/var/spool/cron/crontabs/tmp.*\" or\n file.extension in (\"swp\", \"swpx\", \"swx\", \"dpkg-remove\") or\n file.Ext.original.extension == \"dpkg-new\" or\n process.executable : (\n \"/nix/store/*\", \"/var/lib/dpkg/*\", \"/tmp/vmis.*\", \"/snap/*\", \"/dev/fd/*\", \"/usr/libexec/platform-python*\"\n ) or\n process.executable == null or\n process.name in (\"crontab\", \"crond\", \"executor\", \"puppet\", \"droplet-agent.postinst\", \"cf-agent\") or\n (process.name == \"sed\" and file.name : \"sed*\") or\n (process.name == \"perl\" and file.name : \"e2scrub_all.tmp*\") \n)\n", "references": ["https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/", "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": false, "name": "file.Ext.original.extension", "type": "unknown"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], "timestamp_override": "event.ingested", "type": 
"eql", "version": 13}, "id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9_13", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_2.json b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_2.json
deleted file mode 100644
index e6d45fca232..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_2.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Cron Job Created or Changed by Previously Unknown Process", "new_terms_fields": ["file.path", "process.name"], "query": "host.os.type : \"linux\" and event.action : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and \nfile.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or \n/etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /var/spool/cron/* or /usr/sbin/cron or /usr/sbin/anacron) \nand not (process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\") or file.extension : \"swp\")\n", "references": ["https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Endgame"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": 
"TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 2}, "id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9_2", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_3.json b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_3.json
deleted file mode 100644
index a5a4cc56532..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Cron Job Created or Changed by Previously Unknown Process", "new_terms_fields": ["file.path", "process.name"], "query": "host.os.type : \"linux\" and event.action : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and \nfile.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or \n/etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /usr/sbin/cron or /usr/sbin/anacron) \nand not (process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\" or \"yum\" or \"exe\" or \"dnf\" or \"5\") or \nfile.extension : (\"swp\" or \"swx\"))\n", "references": ["https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Endgame"], "threat": 
[{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 3}, "id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9_3", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_4.json b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_4.json
deleted file mode 100644
index 5ce1777e1de..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_4.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.", "from": "now-9m", "history_window_start": "now-7d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Cron Job Created or Changed by Previously Unknown Process", "new_terms_fields": ["file.path", "process.name"], "query": "host.os.type : \"linux\" and event.action : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and \nfile.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or \n/etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /usr/sbin/cron or /usr/sbin/anacron) \nand not (process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\" or \"yum\" or \"exe\" or \"dnf\" or \"5\") or \nfile.extension : (\"swp\" or \"swx\"))\n", "references": ["https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic 
Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], "timestamp_override": "event.ingested", "type": "new_terms", "version": 4}, "id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9_4", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_5.json b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_5.json
deleted file mode 100644
index 8d06e67566f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Cron Job Created or Changed by Previously Unknown Process", "new_terms_fields": ["host.id", "file.path", "process.executable"], "query": "host.os.type : \"linux\" and event.action : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and \nfile.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or \n/etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /usr/sbin/cron or /usr/sbin/anacron) \nand not (process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\" or \"yum\" or \"exe\" or \"dnf\" or \"5\") or \nfile.extension : (\"swp\" or \"swpx\"))\n", "references": ["https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], "timestamp_override": 
"event.ingested", "type": "new_terms", "version": 5}, "id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_6.json b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_6.json
deleted file mode 100644
index 67d68d82ab9..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_6.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Cron Job Created or Changed by Previously Unknown Process", "new_terms_fields": ["host.id", "file.path", "process.executable"], "query": "host.os.type : \"linux\" and event.action : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and \nfile.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or \n/etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /usr/sbin/cron or /usr/sbin/anacron) \nand not (process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\" or \"yum\" or \"exe\" or \"dnf\" or \"5\") or \nfile.extension : (\"swp\" or \"swpx\"))\n", "references": ["https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], 
"timestamp_override": "event.ingested", "type": "new_terms", "version": 6}, "id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_7.json b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_7.json
deleted file mode 100644
index e8532b075ee..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_7.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Cron Job Created or Changed by Previously Unknown Process", "new_terms_fields": ["host.id", "file.path", "process.executable"], "note": "## Triage and analysis\n\n### Investigating Cron Job Created or Changed by Previously Unknown Process\nLinux cron jobs are scheduled tasks that run at specified intervals or times, managed by the cron daemon. \n\nBy creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\n\nThis rule monitors the creation of previously unknown cron jobs by monitoring for file creation events in the most common cron job task location directories.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the cron job file that was created or modified.\n- Investigate whether any other files in any of the available cron job directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\n path LIKE '/etc/cron.allow.d/%' OR\\n path LIKE '/etc/cron.d/%' OR\\n path LIKE '/etc/cron.hourly/%' OR\\n path LIKE '/etc/cron.daily/%' OR\\n path LIKE '/etc/cron.weekly/%' OR\\n path LIKE '/etc/cron.monthly/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (\\n path = '/etc/cron.allow' OR\\n path = '/etc/cron.deny' OR\\n path = '/etc/crontab' OR\\n path = '/usr/sbin/cron' OR\\n path = '/usr/sbin/anacron'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\n path LIKE '/etc/cron.allow.d/%' OR\\n path LIKE '/etc/cron.d/%' OR\\n path LIKE '/etc/cron.hourly/%' OR\\n path LIKE '/etc/cron.daily/%' OR\\n path LIKE '/etc/cron.weekly/%' OR\\n path LIKE '/etc/cron.monthly/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - 
!{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are 
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type : \"linux\" and event.action : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and \nfile.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or \n/etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /usr/sbin/cron or /usr/sbin/anacron) \nand not (process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\" or \"yum\" or \"exe\" or \"dnf\" or \"5\") or \nfile.extension : (\"swp\" or \"swpx\"))\n", "references": ["https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], 
"timestamp_override": "event.ingested", "type": "new_terms", "version": 7}, "id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_8.json b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_8.json
deleted file mode 100644
index ea0163fa934..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_8.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Cron Job Created or Changed by Previously Unknown Process", "new_terms_fields": ["host.id", "file.path", "process.executable"], "note": "## Triage and analysis\n\n### Investigating Cron Job Created or Changed by Previously Unknown Process\nLinux cron jobs are scheduled tasks that run at specified intervals or times, managed by the cron daemon. \n\nBy creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\n\nThis rule monitors the creation of previously unknown cron jobs by monitoring for file creation events in the most common cron job task location directories.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the cron job file that was created or modified.\n- Investigate whether any other files in any of the available cron job directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\n path LIKE '/etc/cron.allow.d/%' OR\\n path LIKE '/etc/cron.d/%' OR\\n path LIKE '/etc/cron.hourly/%' OR\\n path LIKE '/etc/cron.daily/%' OR\\n path LIKE '/etc/cron.weekly/%' OR\\n path LIKE '/etc/cron.monthly/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (\\n path = '/etc/cron.allow' OR\\n path = '/etc/cron.deny' OR\\n path = '/etc/crontab' OR\\n path = '/usr/sbin/cron' OR\\n path = '/usr/sbin/anacron'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\n path LIKE '/etc/cron.allow.d/%' OR\\n path LIKE '/etc/cron.d/%' OR\\n path LIKE '/etc/cron.hourly/%' OR\\n path LIKE '/etc/cron.daily/%' OR\\n path LIKE '/etc/cron.weekly/%' OR\\n path LIKE '/etc/cron.monthly/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - 
!{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are 
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type : \"linux\" and event.action : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and \nfile.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or \n/etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /usr/sbin/cron or /usr/sbin/anacron) \nand not (\n (process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\" or \"yum\" or \"exe\" or \"dnf\" or \"podman\" or \n \"dnf-automatic\")) or \n (file.extension : (\"swp\" or \"swpx\")) or \n (process.name : \"sed\" and file.name : sed*) or \n (process.name : \"perl\" and file.name : e2scrub_all.tmp*)\n)\n", "references": ["https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9", "setup": "\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend 
Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], 
"timestamp_override": "event.ingested", "type": "new_terms", "version": 8}, "id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9_8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_9.json b/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_9.json
deleted file mode 100644
index d867eabf33e..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff10d4d8-fea7-422d-afb1-e5a2702369a9_9.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Linux cron jobs are scheduled tasks that can be leveraged by malicious actors for persistence, privilege escalation and command execution. By creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.", "from": "now-9m", "history_window_start": "now-10d", "index": ["logs-endpoint.events.*", "endgame-*"], "language": "kuery", "license": "Elastic License v2", "name": "Cron Job Created or Changed by Previously Unknown Process", "new_terms_fields": ["host.id", "file.path", "process.executable"], "note": "## Triage and analysis\n\n### Investigating Cron Job Created or Changed by Previously Unknown Process\nLinux cron jobs are scheduled tasks that run at specified intervals or times, managed by the cron daemon. \n\nBy creating or modifying cron job configurations, attackers can execute malicious commands or scripts at predefined intervals, ensuring their continued presence and enabling unauthorized activities.\n\nThis rule monitors the creation of previously unknown cron jobs by monitoring for file creation events in the most common cron job task location directories.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. 
If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible Investigation Steps\n\n- Investigate the cron job file that was created or modified.\n- Investigate whether any other files in any of the available cron job directories have been altered through OSQuery.\n - !{osquery{\"label\":\"Osquery - Retrieve File Listing Information\",\"query\":\"SELECT * FROM file WHERE (\\n path LIKE '/etc/cron.allow.d/%' OR\\n path LIKE '/etc/cron.d/%' OR\\n path LIKE '/etc/cron.hourly/%' OR\\n path LIKE '/etc/cron.daily/%' OR\\n path LIKE '/etc/cron.weekly/%' OR\\n path LIKE '/etc/cron.monthly/%'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve rc-local.service File Information\",\"query\":\"SELECT * FROM file WHERE (\\n path = '/etc/cron.allow' OR\\n path = '/etc/cron.deny' OR\\n path = '/etc/crontab' OR\\n path = '/usr/sbin/cron' OR\\n path = '/usr/sbin/anacron'\\n)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Additional File Listing Information\",\"query\":\"SELECT\\n f.path,\\n u.username AS file_owner,\\n g.groupname AS group_owner,\\n datetime(f.atime, 'unixepoch') AS file_last_access_time,\\n datetime(f.mtime, 'unixepoch') AS file_last_modified_time,\\n datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,\\n datetime(f.btime, 'unixepoch') AS file_created_time,\\n f.size AS size_bytes\\nFROM\\n file f\\n LEFT JOIN users u ON f.uid = u.uid\\n LEFT JOIN groups g ON f.gid = g.gid\\nWHERE (\\n path LIKE '/etc/cron.allow.d/%' OR\\n path LIKE '/etc/cron.d/%' OR\\n path LIKE '/etc/cron.hourly/%' OR\\n path LIKE '/etc/cron.daily/%' OR\\n path LIKE '/etc/cron.weekly/%' OR\\n path LIKE '/etc/cron.monthly/%'\\n)\\n\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. \n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n- Investigate abnormal behaviors by the subject process/user such as network connections, file modifications, and any other spawned child processes.\n - Investigate listening ports and open sockets to look for potential command and control traffic or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n - Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - 
!{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n\n### False Positive Analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator who uses cron jobs for administrative purposes, consider adding exceptions for this specific administrator user account. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Related Rules\n\n- Suspicious File Creation in /etc for Persistence - 1c84dd64-7e6c-4bad-ac73-a5014ee37042\n- Potential Persistence Through Run Control Detected - 0f4d35e4-925e-4959-ab24-911be207ee6f\n- Potential Persistence Through init.d Detected - 474fd20e-14cc-49c5-8160-d9ab4ba16c8b\n- New Systemd Timer Created - 7fb500fa-8e24-4bd1-9480-2a819352602c\n- New Systemd Service Created by Previously Unknown Process - 17b0a495-4d9f-414c-8ad0-92f018b8e001\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are 
identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Delete the service/timer or restore its original configuration.\n- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "host.os.type : \"linux\" and event.action : (\"change\" or \"file_modify_event\" or \"creation\" or \"file_create_event\") and \nfile.path : (/etc/cron.allow or /etc/cron.deny or /etc/cron.d/* or /etc/cron.hourly/* or /etc/cron.daily/* or \n/etc/cron.weekly/* or /etc/cron.monthly/* or /etc/crontab or /usr/sbin/cron or /usr/sbin/anacron) \nand not (\n (process.name : (\"dpkg\" or \"dockerd\" or \"rpm\" or \"snapd\" or \"yum\" or \"exe\" or \"dnf\" or \"podman\" or \n \"dnf-automatic\" or puppet or autossl_check )) or \n (file.extension : (\"swp\" or \"swpx\")) or \n (process.name : \"sed\" and file.name : sed*) or \n (process.name : \"perl\" and file.name : e2scrub_all.tmp*) or\n (process.executable : /var/lib/dpkg*)\n)\n", "references": ["https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "file.extension", "type": "keyword"}, {"ecs": true, "name": "file.name", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}, {"ecs": true, "name": "process.name", "type": "keyword"}], "risk_score": 47, "rule_id": 
"ff10d4d8-fea7-422d-afb1-e5a2702369a9", "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [{"id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/"}]}]}], 
"timestamp_override": "event.ingested", "type": "new_terms", "version": 9}, "id": "ff10d4d8-fea7-422d-afb1-e5a2702369a9_9", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff320c56-f8fa-11ee-8c44-f661ea17fbce.json b/packages/security_detection_engine/kibana/security_rule/ff320c56-f8fa-11ee-8c44-f661ea17fbce.json
deleted file mode 100644
index db594006f18..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff320c56-f8fa-11ee-8c44-f661ea17fbce.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an expiration lifecycle configuration added to an S3 bucket. Lifecycle configurations can be used to manage objects in a bucket, including setting expiration policies. This rule detects when a lifecycle configuration is added to an S3 bucket, which could indicate that objects in the bucket will be automatically deleted after a specified period of time. This could be used to evade detection by deleting objects that contain evidence of malicious activity.", "false_positives": ["Bucket components may be deleted or adjusted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Bucket component deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS S3 Bucket Expiration Lifecycle Configuration Added", "note": "## Triage and Analysis\n\n### Investigating AWS S3 Bucket Expiration Lifecycle Configuration Added\n\nThis rule detects when an expiration lifecycle configuration is added to an S3 bucket in AWS. Such configurations can automate the deletion of objects within a bucket after a specified period, potentially obfuscating evidence of unauthorized access or malicious activity by automatically removing logs or other data.\n\n#### Detailed Investigation Steps\n\n- **Review the Affected S3 Bucket**: Check the bucket details (`bucketName`) where the lifecycle configuration has been added.\n - Determine the contents and importance of the data stored in this bucket to assess the impact of the lifecycle policy.\n- **Analyze the Lifecycle Configuration**:\n - **Expiration Policy**: Note the `Days` parameter under `Expiration` in the lifecycle rule. 
This indicates how long after creation data will remain in the bucket before being automatically deleted.\n - **Rule ID and Status**: Review the `ID` and `Status` of the lifecycle rule to understand its operational scope and activation status.\n- **User Identity and Activity**:\n - **User Details**: Investigate the user (`user_identity.arn`) who made the change. Determine whether this user's role typically involves managing S3 bucket configurations.\n - **Authentication Details**: Examine the authentication method and whether the access key used (`access_key_id`) is routinely used for such configurations or if it has deviated from normal usage patterns.\n- **Source IP and User Agent**:\n - **Source IP Address**: The IP address (`source.ip`) from which the request was made can provide clues about the geographical location of the requester. Determine if this location aligns with the user\u2019s known locations.\n - **User Agent**: Analyze the user agent string to understand the type of client or service that made the request, which can help identify scripted automation versus manual changes.\n\n#### Possible Indicators of Compromise or Misuse\n\n- **Frequent Changes**: Look for frequent modifications to lifecycle policies in the same or multiple buckets, which can indicate attempts to manipulate data retention dynamically.\n- **Unusual User Activity**: Activities that do not correlate with the user's typical behavior patterns, such as making changes during odd hours or from unusual locations, should be flagged for further investigation.\n\n### False Positive Analysis\n\n- Verify the operational requirements that might necessitate such lifecycle policies, especially in environments where data retention policies are strictly governed for compliance and cost-saving reasons.\n\n### Response and Remediation\n\n- **Immediate Review**: If the change was unauthorized, consider reverting the lifecycle configuration change immediately to prevent potential data loss.\n- 
**Enhance Monitoring**: Implement monitoring to alert on changes to lifecycle configurations across your S3 environments.\n- **User Education**: Ensure that users with access to critical resources like S3 buckets are aware of the best practices and company policies regarding data retention and security.\n\n### Additional Information\n\nFor further guidance on managing S3 lifecycle policies and ensuring compliance with organizational data retention and security policies, refer to the AWS official documentation on [S3 Lifecycle Configuration](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-expire-general-considerations.html).\n", "query": "event.dataset: \"aws.cloudtrail\" and event.provider: \"s3.amazonaws.com\" and\n event.action: PutBucketLifecycle and event.outcome: success and\n aws.cloudtrail.request_parameters: (*LifecycleConfiguration* and *Expiration=*)\n", "references": ["https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-expire-general-considerations.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.request_parameters", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "ff320c56-f8fa-11ee-8c44-f661ea17fbce", "setup": "This rule requires S3 data events to be logged to CloudTrail. 
CloudTrail trails can be configured to log S3 data events in the AWS Management Console or using the AWS CLI.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: Amazon S3", "Use Case: Asset Visibility", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 2}, "id": "ff320c56-f8fa-11ee-8c44-f661ea17fbce", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff320c56-f8fa-11ee-8c44-f661ea17fbce_1.json b/packages/security_detection_engine/kibana/security_rule/ff320c56-f8fa-11ee-8c44-f661ea17fbce_1.json
deleted file mode 100644
index 7b306a13135..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff320c56-f8fa-11ee-8c44-f661ea17fbce_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies an expiration lifecycle configuration added to an S3 bucket. Lifecycle configurations can be used to manage objects in a bucket, including setting expiration policies. This rule detects when a lifecycle configuration is added to an S3 bucket, which could indicate that objects in the bucket will be automatically deleted after a specified period of time. This could be used to evade detection by deleting objects that contain evidence of malicious activity.", "false_positives": ["Bucket components may be deleted or adjusted by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Bucket component deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."], "from": "now-60m", "index": ["filebeat-*", "logs-aws.cloudtrail*"], "interval": "10m", "language": "kuery", "license": "Elastic License v2", "name": "AWS S3 Bucket Expiration Lifecycle Configuration Added", "note": "\n## Triage and Analysis\n\n### Investigating AWS S3 Bucket Expiration Lifecycle Configuration Added\n\nThis rule detects when an expiration lifecycle configuration is added to an S3 bucket in AWS. Such configurations can automate the deletion of objects within a bucket after a specified period, potentially obfuscating evidence of unauthorized access or malicious activity by automatically removing logs or other data.\n\n#### Detailed Investigation Steps\n\n- **Review the Affected S3 Bucket**: Check the bucket details (`bucketName`) where the lifecycle configuration has been added.\n - Determine the contents and importance of the data stored in this bucket to assess the impact of the lifecycle policy.\n- **Analyze the Lifecycle Configuration**:\n - **Expiration Policy**: Note the `Days` parameter under `Expiration` in the lifecycle rule. 
This indicates how long after creation data will remain in the bucket before being automatically deleted.\n - **Rule ID and Status**: Review the `ID` and `Status` of the lifecycle rule to understand its operational scope and activation status.\n- **User Identity and Activity**:\n - **User Details**: Investigate the user (`user_identity.arn`) who made the change. Determine whether this user's role typically involves managing S3 bucket configurations.\n - **Authentication Details**: Examine the authentication method and whether the access key used (`access_key_id`) is routinely used for such configurations or if it has deviated from normal usage patterns.\n- **Source IP and User Agent**:\n - **Source IP Address**: The IP address (`source.ip`) from which the request was made can provide clues about the geographical location of the requester. Determine if this location aligns with the user\u2019s known locations.\n - **User Agent**: Analyze the user agent string to understand the type of client or service that made the request, which can help identify scripted automation versus manual changes.\n\n#### Possible Indicators of Compromise or Misuse\n\n- **Frequent Changes**: Look for frequent modifications to lifecycle policies in the same or multiple buckets, which can indicate attempts to manipulate data retention dynamically.\n- **Unusual User Activity**: Activities that do not correlate with the user's typical behavior patterns, such as making changes during odd hours or from unusual locations, should be flagged for further investigation.\n\n### False Positive Analysis\n\n- Verify the operational requirements that might necessitate such lifecycle policies, especially in environments where data retention policies are strictly governed for compliance and cost-saving reasons.\n\n### Response and Remediation\n\n- **Immediate Review**: If the change was unauthorized, consider reverting the lifecycle configuration change immediately to prevent potential data loss.\n- 
**Enhance Monitoring**: Implement monitoring to alert on changes to lifecycle configurations across your S3 environments.\n- **User Education**: Ensure that users with access to critical resources like S3 buckets are aware of the best practices and company policies regarding data retention and security.\n\n### Additional Information\n\nFor further guidance on managing S3 lifecycle policies and ensuring compliance with organizational data retention and security policies, refer to the AWS official documentation on [S3 Lifecycle Configuration](https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-expire-general-considerations.html).\n", "query": "event.dataset: \"aws.cloudtrail\" and event.provider: \"s3.amazonaws.com\" and\n event.action: PutBucketLifecycle and event.outcome: success and\n aws.cloudtrail.request_parameters: (*LifecycleConfiguration* and *Expiration=*)\n", "references": ["https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-expire-general-considerations.html"], "related_integrations": [{"integration": "cloudtrail", "package": "aws", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "aws.cloudtrail.request_parameters", "type": "keyword"}, {"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 21, "rule_id": "ff320c56-f8fa-11ee-8c44-f661ea17fbce", "setup": "This rule requires S3 data events to be logged to CloudTrail. 
CloudTrail trails can be configured to log S3 data events in the AWS Management Console or using the AWS CLI.", "severity": "low", "tags": ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Data Source: Amazon S3", "Use Case: Asset Visibility", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1070", "name": "Indicator Removal", "reference": "https://attack.mitre.org/techniques/T1070/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 1}, "id": "ff320c56-f8fa-11ee-8c44-f661ea17fbce_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff.json b/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff.json
deleted file mode 100644
index 520e521c2af..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.", "from": "now-9m", "index": ["logs-endpoint.events.api-*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "LSASS Process Access via Windows API", "note": "## Triage and analysis\n\n### Investigating LSASS Process Access via Windows API\n\nThe Local Security Authority Subsystem Service (LSASS) is a critical Windows component responsible for managing user authentication and security policies. Adversaries may attempt to access the LSASS handle to dump credentials from its memory, which can be used for lateral movement and privilege escalation.\n\nThis rule identifies attempts to access LSASS by monitoring for specific API calls (OpenProcess, OpenThread) targeting the \"lsass.exe\" process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) of the process that accessed the LSASS handle.\n - Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Determine the first time the process executable was seen in the environment and if this behavior happened in the past.\n - Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n - Investigate any abnormal behavior by the subject process, such as network connections, DLLs loaded, registry or file modifications, and any spawned child processes.\n- Assess the access rights (`process.Ext.api.parameters.desired_access`field) requested by the process. This [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights) may be useful to help the interpretation.\n- If there are traces of LSASS memory being successfully dumped, investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target host.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executables of the processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the 
PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of `process.executable`, `process.code_signature.subject_name` and `process.Ext.api.parameters.desired_access_numeric` conditions.\n\n### Related Rules\n\n- Suspicious Lsass Process Access - 128468bf-cab1-4637-99ea-fdf3780a4609\n- Potential Credential Access via DuplicateHandle in LSASS - 02a4576a-7480-4284-9327-548a806b5e48\n- LSASS Memory Dump Handle Access - 208dbe77-01ed-4954-8d44-1e5751cb20de\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "api where host.os.type == \"windows\" and \n process.Ext.api.name in (\"OpenProcess\", \"OpenThread\") and Target.process.name : \"lsass.exe\" and \n not \n (\n process.executable : (\n \"?:\\\\ProgramData\\\\GetSupportService*\\\\Updates\\\\Update_*.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Program Files (x86)\\\\Asiainfo Security\\\\OfficeScan Client\\\\NTRTScan.exe\",\n \"?:\\\\Program Files (x86)\\\\Blackpoint\\\\SnapAgent\\\\SnapAgent.exe\",\n \"?:\\\\Program Files (x86)\\\\CheckPoint\\\\Endpoint Security\\\\EFR\\\\EFRService.exe\",\n \"?:\\\\Program Files (x86)\\\\CyberCNSAgent\\\\osqueryi.exe\",\n \"?:\\\\Program Files (x86)\\\\cisco\\\\cisco anyconnect secure mobility client\\\\vpnagent.exe\",\n \"?:\\\\Program Files (x86)\\\\cisco\\\\cisco anyconnect secure mobility client\\\\aciseagent.exe\",\n \"?:\\\\Program Files (x86)\\\\cisco\\\\cisco anyconnect secure mobility client\\\\vpndownloader.exe\",\n \"?:\\\\Program Files (x86)\\\\eScan\\\\reload.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe\",\n \"?:\\\\Program Files (x86)\\\\Kaspersky Lab\\\\*\\\\avp.exe\",\n \"?:\\\\Program Files (x86)\\\\microsoft intune management extension\\\\microsoft.management.services.intunewindowsagent.exe\",\n \"?:\\\\Program Files (x86)\\\\N-able Technologies\\\\Reactive\\\\bin\\\\NableReactiveManagement.exe\",\n \"?:\\\\Program Files (x86)\\\\N-able Technologies\\\\Windows Agent\\\\bin\\\\agent.exe\",\n 
\"?:\\\\Program Files (x86)\\\\Tanium\\\\Tanium Client\\\\TaniumClient.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*\\\\CCSF\\\\TmCCSF.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Security Agent\\\\TMASutility.exe\",\n \"?:\\\\Program Files*\\\\Windows Defender\\\\MsMpEng.exe\",\n \"?:\\\\Program Files\\\\Bitdefender\\\\Endpoint Security\\\\EPSecurityService.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\McAfee\\\\AVSolution\\\\mcshield.exe\",\n \"?:\\\\Program Files\\\\EA\\\\AC\\\\EAAntiCheat.GameService.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\agentbeat.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\metricbeat.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\osqueryd.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\packetbeat.exe\",\n \"?:\\\\Program Files\\\\ESET\\\\ESET Security\\\\ekrn.exe\",\n \"?:\\\\Program Files\\\\Fortinet\\\\FortiClient\\\\FortiProxy.exe\",\n \"?:\\\\Program Files\\\\Fortinet\\\\FortiClient\\\\FortiSSLVPNdaemon.exe\",\n \"?:\\\\Program Files\\\\Goverlan Inc\\\\GoverlanAgent\\\\GovAgentx64.exe\",\n \"?:\\\\Program Files\\\\Huntress\\\\HuntressAgent.exe\",\n \"?:\\\\Program Files\\\\LogicMonitor\\\\Agent\\\\bin\\\\sbshutdown.exe\",\n \"?:\\\\Program Files\\\\Malwarebytes\\\\Anti-Malware\\\\MBAMService.exe\",\n \"?:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\*\\\\pmfexe.exe\", \n \"?:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe\",\n \"?:\\\\Program Files\\\\Qualys\\\\QualysAgent\\\\QualysAgent.exe\",\n \"?:\\\\Program Files\\\\smart-x\\\\controlupagent\\\\version*\\\\cuagent.exe\",\n \"?:\\\\Program Files\\\\TDAgent\\\\ossec-agent\\\\ossec-agent.exe\",\n \"?:\\\\Program Files\\\\Topaz 
OFD\\\\Warsaw\\\\core.exe\",\n \"?:\\\\Program Files\\\\Trend Micro\\\\Deep Security Agent\\\\netagent\\\\tm_netagent.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmtoolsd.exe\",\n \"?:\\\\Program Files\\\\Windows Defender Advanced Threat Protection\\\\MsSense.exe\",\n \"?:\\\\Program Files\\\\Wise\\\\Wise Memory Optimizer\\\\WiseMemoryOptimzer.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQDeployRunner\\\\*\\\\exec\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\System32\\\\csrss.exe\",\n \"?:\\\\Windows\\\\System32\\\\MRT.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostw.exe\",\n \"?:\\\\Windows\\\\System32\\\\RtkAudUService64.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe\"\n ) and not ?process.code_signature.trusted == false\n )\n", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "Target.process.name", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.api.name", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "ff4599cb-409f-4910-a239-52e4e6f532ff", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", 
"reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 10}, "id": "ff4599cb-409f-4910-a239-52e4e6f532ff", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_1.json b/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_1.json
deleted file mode 100644
index e5e2c7df567..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "LSASS Process Access via Windows API", "query": "api where host.os.type == \"windows\" and \n process.Ext.api.name in (\"OpenProcess\", \"OpenThread\") and Target.process.name : \"lsass.exe\"\n", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "Target.process.name", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.api.name", "type": "unknown"}], "risk_score": 47, "rule_id": "ff4599cb-409f-4910-a239-52e4e6f532ff", "severity": "medium", "tags": ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "ff4599cb-409f-4910-a239-52e4e6f532ff_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_2.json b/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_2.json deleted file mode 100644 index 32eea6eb4a9..00000000000 
--- a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_2.json +++ /dev/null @@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "LSASS Process Access via Windows API", "query": "api where host.os.type == \"windows\" and \n process.Ext.api.name in (\"OpenProcess\", \"OpenThread\") and Target.process.name : \"lsass.exe\"\n", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "Target.process.name", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.api.name", "type": "unknown"}], "risk_score": 47, "rule_id": "ff4599cb-409f-4910-a239-52e4e6f532ff", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 2}, "id": "ff4599cb-409f-4910-a239-52e4e6f532ff_2", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_3.json b/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_3.json
deleted file mode 100644
index 03fb6ac7578..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_3.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "LSASS Process Access via Windows API", "query": "api where host.os.type == \"windows\" and \n process.Ext.api.name in (\"OpenProcess\", \"OpenThread\") and Target.process.name : \"lsass.exe\" and \n not process.executable : \n (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\", \n \"?:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe\", \n \"?:\\\\Program Files*\\\\Windows Defender\\\\MsMpEng.exe\", \n \"?:\\\\Program Files (x86)\\\\N-able Technologies\\\\Windows Agent\\\\bin\\\\agent.exe\", \n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\", \n \"?:\\\\Windows\\\\SysWOW64\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmtoolsd.exe\", \n \"?:\\\\Program Files (x86)\\\\N-able Technologies\\\\Reactive\\\\bin\\\\NableReactiveManagement.exe\", \n \"?:\\\\Program Files\\\\EA\\\\AC\\\\EAAntiCheat.GameService.exe\", \n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\", \n \"?:\\\\Program Files\\\\TDAgent\\\\ossec-agent\\\\ossec-agent.exe\", \n \"?:\\\\Windows\\\\System32\\\\MRT.exe\", \n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\metricbeat.exe\", \n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\osqueryd.exe\", \n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \n \"?:\\\\Program Files\\\\Common Files\\\\McAfee\\\\AVSolution\\\\mcshield.exe\", \n \"?:\\\\Program Files\\\\Fortinet\\\\FortiClient\\\\FortiProxy.exe\", \n \"?:\\\\Program Files\\\\LogicMonitor\\\\Agent\\\\bin\\\\sbshutdown.exe\", \n \"?:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe\", \n \"?:\\\\Program Files 
(x86)\\\\Blackpoint\\\\SnapAgent\\\\SnapAgent.exe\", \n \"?:\\\\Program Files\\\\ESET\\\\ESET Security\\\\ekrn.exe\", \n \"?:\\\\Program Files\\\\Huntress\\\\HuntressAgent.exe\", \n \"?:\\\\Program Files (x86)\\\\eScan\\\\reload.exe\", \n \"?:\\\\Program Files\\\\Topaz OFD\\\\Warsaw\\\\core.exe\")\n", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "Target.process.name", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.api.name", "type": "unknown"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "ff4599cb-409f-4910-a239-52e4e6f532ff", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 3}, "id": "ff4599cb-409f-4910-a239-52e4e6f532ff_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_4.json b/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_4.json deleted file mode 100644 index 0faeed05980..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "LSASS Process Access via Windows API", "query": "api where host.os.type == \"windows\" and \n process.Ext.api.name in (\"OpenProcess\", \"OpenThread\") and Target.process.name : \"lsass.exe\" and \n not process.executable : \n (\"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\", \n \"?:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe\", \n \"?:\\\\Program Files*\\\\Windows Defender\\\\MsMpEng.exe\", \n \"?:\\\\Program Files (x86)\\\\N-able Technologies\\\\Windows Agent\\\\bin\\\\agent.exe\", \n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\", \n \"?:\\\\Windows\\\\SysWOW64\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmtoolsd.exe\", \n \"?:\\\\Program Files (x86)\\\\N-able Technologies\\\\Reactive\\\\bin\\\\NableReactiveManagement.exe\", \n \"?:\\\\Program Files\\\\EA\\\\AC\\\\EAAntiCheat.GameService.exe\", \n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\", \n \"?:\\\\Program Files\\\\TDAgent\\\\ossec-agent\\\\ossec-agent.exe\", \n \"?:\\\\Windows\\\\System32\\\\MRT.exe\", \n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\metricbeat.exe\", \n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\osqueryd.exe\", \n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\", \n \"?:\\\\Program Files\\\\Common Files\\\\McAfee\\\\AVSolution\\\\mcshield.exe\", \n \"?:\\\\Program Files\\\\Fortinet\\\\FortiClient\\\\FortiProxy.exe\", \n \"?:\\\\Program Files\\\\LogicMonitor\\\\Agent\\\\bin\\\\sbshutdown.exe\", \n \"?:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe\", \n \"?:\\\\Program Files 
(x86)\\\\Blackpoint\\\\SnapAgent\\\\SnapAgent.exe\", \n \"?:\\\\Program Files\\\\ESET\\\\ESET Security\\\\ekrn.exe\", \n \"?:\\\\Program Files\\\\Huntress\\\\HuntressAgent.exe\", \n \"?:\\\\Program Files (x86)\\\\eScan\\\\reload.exe\", \n \"?:\\\\Program Files\\\\Topaz OFD\\\\Warsaw\\\\core.exe\")\n", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "Target.process.name", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.api.name", "type": "unknown"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "ff4599cb-409f-4910-a239-52e4e6f532ff", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 4}, "id": "ff4599cb-409f-4910-a239-52e4e6f532ff_4", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_5.json b/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_5.json
deleted file mode 100644
index 52c630d47ac..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_5.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "LSASS Process Access via Windows API", "query": "api where host.os.type == \"windows\" and \n process.Ext.api.name in (\"OpenProcess\", \"OpenThread\") and Target.process.name : \"lsass.exe\" and \n not \n (\n process.executable : (\n \"?:\\\\ProgramData\\\\GetSupportService*\\\\Updates\\\\Update_*.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Program Files (x86)\\\\Asiainfo Security\\\\OfficeScan Client\\\\NTRTScan.exe\",\n \"?:\\\\Program Files (x86)\\\\Blackpoint\\\\SnapAgent\\\\SnapAgent.exe\",\n \"?:\\\\Program Files (x86)\\\\eScan\\\\reload.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe\",\n \"?:\\\\Program Files (x86)\\\\Kaspersky Lab\\\\*\\\\avp.exe\",\n \"?:\\\\Program Files (x86)\\\\N-able Technologies\\\\Reactive\\\\bin\\\\NableReactiveManagement.exe\",\n \"?:\\\\Program Files (x86)\\\\N-able Technologies\\\\Windows Agent\\\\bin\\\\agent.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*\\\\CCSF\\\\TmCCSF.exe\",\n \"?:\\\\Program Files*\\\\Windows Defender\\\\MsMpEng.exe\",\n \"?:\\\\Program Files\\\\Bitdefender\\\\Endpoint Security\\\\EPSecurityService.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\McAfee\\\\AVSolution\\\\mcshield.exe\",\n \"?:\\\\Program Files\\\\EA\\\\AC\\\\EAAntiCheat.GameService.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\metricbeat.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\osqueryd.exe\",\n \"?:\\\\Program 
Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\packetbeat.exe\",\n \"?:\\\\Program Files\\\\ESET\\\\ESET Security\\\\ekrn.exe\",\n \"?:\\\\Program Files\\\\Fortinet\\\\FortiClient\\\\FortiProxy.exe\",\n \"?:\\\\Program Files\\\\Huntress\\\\HuntressAgent.exe\",\n \"?:\\\\Program Files\\\\LogicMonitor\\\\Agent\\\\bin\\\\sbshutdown.exe\",\n \"?:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe\",\n \"?:\\\\Program Files\\\\Qualys\\\\QualysAgent\\\\QualysAgent.exe\",\n \"?:\\\\Program Files\\\\TDAgent\\\\ossec-agent\\\\ossec-agent.exe\",\n \"?:\\\\Program Files\\\\Topaz OFD\\\\Warsaw\\\\core.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmtoolsd.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQDeployRunner\\\\*\\\\exec\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\System32\\\\csrss.exe\",\n \"?:\\\\Windows\\\\System32\\\\MRT.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\RtkAudUService64.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wbem\\\\WmiPrvSE.exe\"\n ) and process.code_signature.trusted == true\n )\n", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "Target.process.name", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.api.name", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "ff4599cb-409f-4910-a239-52e4e6f532ff", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Execution", "Data Source: Elastic 
Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 5}, "id": "ff4599cb-409f-4910-a239-52e4e6f532ff_5", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_6.json b/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_6.json
deleted file mode 100644
index e0c5c530e8a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_6.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "LSASS Process Access via Windows API", "note": "## Triage and analysis\n\n### Investigating LSASS Process Access via Windows API\n\nThe Local Security Authority Subsystem Service (LSASS) is a critical Windows component responsible for managing user authentication and security policies. Adversaries may attempt to access the LSASS handle to dump credentials from its memory, which can be used for lateral movement and privilege escalation.\n\nThis rule identifies attempts to access LSASS by monitoring for specific API calls (OpenProcess, OpenThread) targeting the \"lsass.exe\" process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) of the process that accessed the LSASS handle.\n - Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Determine the first time the process executable was seen in the environment and if this behavior happened in the past.\n - Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n - Investigate any abnormal behavior by the subject process, such as network connections, DLLs loaded, registry or file modifications, and any spawned child processes.\n- Assess the access rights (`process.Ext.api.parameters.desired_access`field) requested by the process. This [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights) may be useful to help the interpretation.\n- If there are traces of LSASS memory being successfully dumped, investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target host.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executables of the processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the 
PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of `process.executable`, `process.code_signature.subject_name` and `process.Ext.api.parameters.desired_access_numeric` conditions.\n\n### Related Rules\n\n- Suspicious Lsass Process Access - 128468bf-cab1-4637-99ea-fdf3780a4609\n- Potential Credential Access via DuplicateHandle in LSASS - 02a4576a-7480-4284-9327-548a806b5e48\n- LSASS Memory Dump Handle Access - 208dbe77-01ed-4954-8d44-1e5751cb20de\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "api where host.os.type == \"windows\" and \n process.Ext.api.name in (\"OpenProcess\", \"OpenThread\") and Target.process.name : \"lsass.exe\" and \n not \n (\n process.executable : (\n \"?:\\\\ProgramData\\\\GetSupportService*\\\\Updates\\\\Update_*.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Program Files (x86)\\\\Asiainfo Security\\\\OfficeScan Client\\\\NTRTScan.exe\",\n \"?:\\\\Program Files (x86)\\\\Blackpoint\\\\SnapAgent\\\\SnapAgent.exe\",\n \"?:\\\\Program Files (x86)\\\\eScan\\\\reload.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe\",\n \"?:\\\\Program Files (x86)\\\\Kaspersky Lab\\\\*\\\\avp.exe\",\n \"?:\\\\Program Files (x86)\\\\N-able Technologies\\\\Reactive\\\\bin\\\\NableReactiveManagement.exe\",\n \"?:\\\\Program Files (x86)\\\\N-able Technologies\\\\Windows Agent\\\\bin\\\\agent.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*\\\\CCSF\\\\TmCCSF.exe\",\n \"?:\\\\Program Files*\\\\Windows Defender\\\\MsMpEng.exe\",\n \"?:\\\\Program Files\\\\Bitdefender\\\\Endpoint Security\\\\EPSecurityService.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\McAfee\\\\AVSolution\\\\mcshield.exe\",\n \"?:\\\\Program Files\\\\EA\\\\AC\\\\EAAntiCheat.GameService.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\metricbeat.exe\",\n \"?:\\\\Program 
Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\osqueryd.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\packetbeat.exe\",\n \"?:\\\\Program Files\\\\ESET\\\\ESET Security\\\\ekrn.exe\",\n \"?:\\\\Program Files\\\\Fortinet\\\\FortiClient\\\\FortiProxy.exe\",\n \"?:\\\\Program Files\\\\Huntress\\\\HuntressAgent.exe\",\n \"?:\\\\Program Files\\\\LogicMonitor\\\\Agent\\\\bin\\\\sbshutdown.exe\",\n \"?:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe\",\n \"?:\\\\Program Files\\\\Qualys\\\\QualysAgent\\\\QualysAgent.exe\",\n \"?:\\\\Program Files\\\\TDAgent\\\\ossec-agent\\\\ossec-agent.exe\",\n \"?:\\\\Program Files\\\\Topaz OFD\\\\Warsaw\\\\core.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmtoolsd.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQDeployRunner\\\\*\\\\exec\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\System32\\\\csrss.exe\",\n \"?:\\\\Windows\\\\System32\\\\MRT.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\RtkAudUService64.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wbem\\\\WmiPrvSE.exe\"\n ) and process.code_signature.trusted == true\n )\n", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "Target.process.name", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.api.name", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "ff4599cb-409f-4910-a239-52e4e6f532ff", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", 
"Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 6}, "id": "ff4599cb-409f-4910-a239-52e4e6f532ff_6", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_7.json b/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_7.json
deleted file mode 100644
index 6ad4bc7e6c3..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_7.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.", "from": "now-9m", "index": ["logs-endpoint.events.api-*"], "language": "eql", "license": "Elastic License v2", "name": "LSASS Process Access via Windows API", "note": "## Triage and analysis\n\n### Investigating LSASS Process Access via Windows API\n\nThe Local Security Authority Subsystem Service (LSASS) is a critical Windows component responsible for managing user authentication and security policies. Adversaries may attempt to access the LSASS handle to dump credentials from its memory, which can be used for lateral movement and privilege escalation.\n\nThis rule identifies attempts to access LSASS by monitoring for specific API calls (OpenProcess, OpenThread) targeting the \"lsass.exe\" process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) of the process that accessed the LSASS handle.\n - Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Determine the first time the process executable was seen in the environment and if this behavior happened in the past.\n - Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n - Investigate any abnormal behavior by the subject process, such as network connections, DLLs loaded, registry or file modifications, and any spawned child processes.\n- Assess the access rights (`process.Ext.api.parameters.desired_access`field) requested by the process. This [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights) may be useful to help the interpretation.\n- If there are traces of LSASS memory being successfully dumped, investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target host.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executables of the processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the 
PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of `process.executable`, `process.code_signature.subject_name` and `process.Ext.api.parameters.desired_access_numeric` conditions.\n\n### Related Rules\n\n- Suspicious Lsass Process Access - 128468bf-cab1-4637-99ea-fdf3780a4609\n- Potential Credential Access via DuplicateHandle in LSASS - 02a4576a-7480-4284-9327-548a806b5e48\n- LSASS Memory Dump Handle Access - 208dbe77-01ed-4954-8d44-1e5751cb20de\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "api where host.os.type == \"windows\" and \n process.Ext.api.name in (\"OpenProcess\", \"OpenThread\") and Target.process.name : \"lsass.exe\" and \n not \n (\n process.executable : (\n \"?:\\\\ProgramData\\\\GetSupportService*\\\\Updates\\\\Update_*.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Program Files (x86)\\\\Asiainfo Security\\\\OfficeScan Client\\\\NTRTScan.exe\",\n \"?:\\\\Program Files (x86)\\\\Blackpoint\\\\SnapAgent\\\\SnapAgent.exe\",\n \"?:\\\\Program Files (x86)\\\\eScan\\\\reload.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe\",\n \"?:\\\\Program Files (x86)\\\\Kaspersky Lab\\\\*\\\\avp.exe\",\n \"?:\\\\Program Files (x86)\\\\N-able Technologies\\\\Reactive\\\\bin\\\\NableReactiveManagement.exe\",\n \"?:\\\\Program Files (x86)\\\\N-able Technologies\\\\Windows Agent\\\\bin\\\\agent.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*\\\\CCSF\\\\TmCCSF.exe\",\n \"?:\\\\Program Files*\\\\Windows Defender\\\\MsMpEng.exe\",\n \"?:\\\\Program Files\\\\Bitdefender\\\\Endpoint Security\\\\EPSecurityService.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\McAfee\\\\AVSolution\\\\mcshield.exe\",\n \"?:\\\\Program Files\\\\EA\\\\AC\\\\EAAntiCheat.GameService.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\metricbeat.exe\",\n \"?:\\\\Program 
Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\osqueryd.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\packetbeat.exe\",\n \"?:\\\\Program Files\\\\ESET\\\\ESET Security\\\\ekrn.exe\",\n \"?:\\\\Program Files\\\\Fortinet\\\\FortiClient\\\\FortiProxy.exe\",\n \"?:\\\\Program Files\\\\Huntress\\\\HuntressAgent.exe\",\n \"?:\\\\Program Files\\\\LogicMonitor\\\\Agent\\\\bin\\\\sbshutdown.exe\",\n \"?:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe\",\n \"?:\\\\Program Files\\\\Qualys\\\\QualysAgent\\\\QualysAgent.exe\",\n \"?:\\\\Program Files\\\\TDAgent\\\\ossec-agent\\\\ossec-agent.exe\",\n \"?:\\\\Program Files\\\\Topaz OFD\\\\Warsaw\\\\core.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmtoolsd.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQDeployRunner\\\\*\\\\exec\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\System32\\\\csrss.exe\",\n \"?:\\\\Windows\\\\System32\\\\MRT.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\RtkAudUService64.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wbem\\\\WmiPrvSE.exe\"\n ) and process.code_signature.trusted == true\n )\n", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": false, "name": "Target.process.name", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.api.name", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "ff4599cb-409f-4910-a239-52e4e6f532ff", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", 
"Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Execution", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 7}, "id": "ff4599cb-409f-4910-a239-52e4e6f532ff_7", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_8.json b/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_8.json
deleted file mode 100644
index f23a04971d1..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_8.json
+++ /dev/null
@@ -1 +0,0 @@
-{"attributes": {"author": ["Elastic"], "description": "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.", "from": "now-9m", "index": ["logs-endpoint.events.api-*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "LSASS Process Access via Windows API", "note": "## Triage and analysis\n\n### Investigating LSASS Process Access via Windows API\n\nThe Local Security Authority Subsystem Service (LSASS) is a critical Windows component responsible for managing user authentication and security policies. Adversaries may attempt to access the LSASS handle to dump credentials from its memory, which can be used for lateral movement and privilege escalation.\n\nThis rule identifies attempts to access LSASS by monitoring for specific API calls (OpenProcess, OpenThread) targeting the \"lsass.exe\" process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) of the process that accessed the LSASS handle.\n - Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Determine the first time the process executable was seen in the environment and if this behavior happened in the past.\n - Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n - Investigate any abnormal behavior by the subject process, such as network connections, DLLs loaded, registry or file modifications, and any spawned child processes.\n- Assess the access rights (`process.Ext.api.parameters.desired_access`field) requested by the process. This [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights) may be useful to help the interpretation.\n- If there are traces of LSASS memory being successfully dumped, investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target host.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executables of the processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the 
PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of `process.executable`, `process.code_signature.subject_name` and `process.Ext.api.parameters.desired_access_numeric` conditions.\n\n### Related Rules\n\n- Suspicious Lsass Process Access - 128468bf-cab1-4637-99ea-fdf3780a4609\n- Potential Credential Access via DuplicateHandle in LSASS - 02a4576a-7480-4284-9327-548a806b5e48\n- LSASS Memory Dump Handle Access - 208dbe77-01ed-4954-8d44-1e5751cb20de\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "api where host.os.type == \"windows\" and \n process.Ext.api.name in (\"OpenProcess\", \"OpenThread\") and Target.process.name : \"lsass.exe\" and \n not \n (\n process.executable : (\n \"?:\\\\ProgramData\\\\GetSupportService*\\\\Updates\\\\Update_*.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Program Files (x86)\\\\Asiainfo Security\\\\OfficeScan Client\\\\NTRTScan.exe\",\n \"?:\\\\Program Files (x86)\\\\Blackpoint\\\\SnapAgent\\\\SnapAgent.exe\",\n \"?:\\\\Program Files (x86)\\\\eScan\\\\reload.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe\",\n \"?:\\\\Program Files (x86)\\\\Kaspersky Lab\\\\*\\\\avp.exe\",\n \"?:\\\\Program Files (x86)\\\\N-able Technologies\\\\Reactive\\\\bin\\\\NableReactiveManagement.exe\",\n \"?:\\\\Program Files (x86)\\\\N-able Technologies\\\\Windows Agent\\\\bin\\\\agent.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*\\\\CCSF\\\\TmCCSF.exe\",\n \"?:\\\\Program Files*\\\\Windows Defender\\\\MsMpEng.exe\",\n \"?:\\\\Program Files\\\\Bitdefender\\\\Endpoint Security\\\\EPSecurityService.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\McAfee\\\\AVSolution\\\\mcshield.exe\",\n \"?:\\\\Program Files\\\\EA\\\\AC\\\\EAAntiCheat.GameService.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\metricbeat.exe\",\n \"?:\\\\Program 
Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\osqueryd.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\packetbeat.exe\",\n \"?:\\\\Program Files\\\\ESET\\\\ESET Security\\\\ekrn.exe\",\n \"?:\\\\Program Files\\\\Fortinet\\\\FortiClient\\\\FortiProxy.exe\",\n \"?:\\\\Program Files\\\\Huntress\\\\HuntressAgent.exe\",\n \"?:\\\\Program Files\\\\LogicMonitor\\\\Agent\\\\bin\\\\sbshutdown.exe\",\n \"?:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe\",\n \"?:\\\\Program Files\\\\Qualys\\\\QualysAgent\\\\QualysAgent.exe\",\n \"?:\\\\Program Files\\\\TDAgent\\\\ossec-agent\\\\ossec-agent.exe\",\n \"?:\\\\Program Files\\\\Topaz OFD\\\\Warsaw\\\\core.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmtoolsd.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQDeployRunner\\\\*\\\\exec\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\System32\\\\csrss.exe\",\n \"?:\\\\Windows\\\\System32\\\\MRT.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\RtkAudUService64.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wbem\\\\WmiPrvSE.exe\"\n ) and not ?process.code_signature.trusted == false\n )\n", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "Target.process.name", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.api.name", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "ff4599cb-409f-4910-a239-52e4e6f532ff", 
"severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 8}, "id": "ff4599cb-409f-4910-a239-52e4e6f532ff_8", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_9.json b/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_9.json
deleted file mode 100644
index 74d652b534f..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff_9.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.", "from": "now-9m", "index": ["logs-endpoint.events.api-*", "logs-m365_defender.event-*"], "language": "eql", "license": "Elastic License v2", "name": "LSASS Process Access via Windows API", "note": "## Triage and analysis\n\n### Investigating LSASS Process Access via Windows API\n\nThe Local Security Authority Subsystem Service (LSASS) is a critical Windows component responsible for managing user authentication and security policies. Adversaries may attempt to access the LSASS handle to dump credentials from its memory, which can be used for lateral movement and privilege escalation.\n\nThis rule identifies attempts to access LSASS by monitoring for specific API calls (OpenProcess, OpenThread) targeting the \"lsass.exe\" process.\n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. 
Older Elastic Stack versions will display unrendered Markdown in this guide.\n\n### Possible investigation steps\n\n- Investigate other alerts associated with the user/host during the past 48 hours.\n- Investigate the process execution chain (parent process tree) of the process that accessed the LSASS handle.\n - Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.\n - Determine the first time the process executable was seen in the environment and if this behavior happened in the past.\n - Validate the activity is not related to planned patches, updates, network administrator activity, or legitimate software installations.\n - Investigate any abnormal behavior by the subject process, such as network connections, DLLs loaded, registry or file modifications, and any spawned child processes.\n- Assess the access rights (`process.Ext.api.parameters.desired_access`field) requested by the process. This [Microsoft documentation](https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights) may be useful to help the interpretation.\n- If there are traces of LSASS memory being successfully dumped, investigate potentially compromised accounts. 
Analysts can do this by searching for login events (e.g., 4624) to the target host.\n- Examine the host for derived artifacts that indicate suspicious activities:\n - Analyze the executables of the processes using a private sandboxed analysis system.\n - Observe and collect information about the following activities in both the sandbox and the alert subject host:\n - Attempts to contact external domains and addresses.\n - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process's `process.entity_id`.\n - Examine the DNS cache for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve DNS Cache\",\"query\":\"SELECT * FROM dns_cache\"}}\n - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.\n - Examine the host services for suspicious or anomalous entries.\n - !{osquery{\"label\":\"Osquery - Retrieve All Services\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Services Running on User Accounts\",\"query\":\"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\\nuser_account == null)\\n\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Service Unsigned Executables with Virustotal Link\",\"query\":\"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\\n\"}}\n - Retrieve the files' SHA-256 hash values using the 
PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\n\n\n### False positive analysis\n\n- If this rule is noisy in your environment due to expected activity, consider adding exceptions \u2014 preferably with a combination of `process.executable`, `process.code_signature.subject_name` and `process.Ext.api.parameters.desired_access_numeric` conditions.\n\n### Related Rules\n\n- Suspicious Lsass Process Access - 128468bf-cab1-4637-99ea-fdf3780a4609\n- Potential Credential Access via DuplicateHandle in LSASS - 02a4576a-7480-4284-9327-548a806b5e48\n- LSASS Memory Dump Handle Access - 208dbe77-01ed-4954-8d44-1e5751cb20de\n\n### Response and Remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n - If malicious activity is confirmed, perform a broader investigation to identify the scope of the compromise and determine the appropriate remediation steps.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Reimage the host operating system or restore the compromised files to clean versions.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", "query": "api where host.os.type == \"windows\" and \n process.Ext.api.name in (\"OpenProcess\", \"OpenThread\") and Target.process.name : \"lsass.exe\" and \n not \n (\n process.executable : (\n \"?:\\\\ProgramData\\\\GetSupportService*\\\\Updates\\\\Update_*.exe\",\n \"?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\*\\\\MsMpEng.exe\",\n \"?:\\\\Program Files (x86)\\\\Asiainfo Security\\\\OfficeScan Client\\\\NTRTScan.exe\",\n \"?:\\\\Program Files (x86)\\\\Blackpoint\\\\SnapAgent\\\\SnapAgent.exe\",\n \"?:\\\\Program Files (x86)\\\\eScan\\\\reload.exe\",\n \"?:\\\\Program Files (x86)\\\\Google\\\\Update\\\\GoogleUpdate.exe\",\n \"?:\\\\Program Files (x86)\\\\Kaspersky Lab\\\\*\\\\avp.exe\",\n \"?:\\\\Program Files (x86)\\\\N-able Technologies\\\\Reactive\\\\bin\\\\NableReactiveManagement.exe\",\n \"?:\\\\Program Files (x86)\\\\N-able Technologies\\\\Windows Agent\\\\bin\\\\agent.exe\",\n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\*\\\\CCSF\\\\TmCCSF.exe\",\n \"?:\\\\Program Files*\\\\Windows Defender\\\\MsMpEng.exe\",\n \"?:\\\\Program Files\\\\Bitdefender\\\\Endpoint Security\\\\EPSecurityService.exe\",\n \"?:\\\\Program Files\\\\Cisco\\\\AMP\\\\*\\\\sfc.exe\",\n \"?:\\\\Program Files\\\\Common Files\\\\McAfee\\\\AVSolution\\\\mcshield.exe\",\n \"?:\\\\Program Files\\\\EA\\\\AC\\\\EAAntiCheat.GameService.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\agentbeat.exe\",\n \"?:\\\\Program 
Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\metricbeat.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\osqueryd.exe\",\n \"?:\\\\Program Files\\\\Elastic\\\\Agent\\\\data\\\\elastic-agent-*\\\\components\\\\packetbeat.exe\",\n \"?:\\\\Program Files\\\\ESET\\\\ESET Security\\\\ekrn.exe\",\n \"?:\\\\Program Files\\\\Fortinet\\\\FortiClient\\\\FortiProxy.exe\",\n \"?:\\\\Program Files\\\\Huntress\\\\HuntressAgent.exe\",\n \"?:\\\\Program Files\\\\LogicMonitor\\\\Agent\\\\bin\\\\sbshutdown.exe\",\n \"?:\\\\Program Files\\\\Microsoft Security Client\\\\MsMpEng.exe\",\n \"?:\\\\Program Files\\\\Qualys\\\\QualysAgent\\\\QualysAgent.exe\",\n \"?:\\\\Program Files\\\\TDAgent\\\\ossec-agent\\\\ossec-agent.exe\",\n \"?:\\\\Program Files\\\\Topaz OFD\\\\Warsaw\\\\core.exe\",\n \"?:\\\\Program Files\\\\VMware\\\\VMware Tools\\\\vmtoolsd.exe\",\n \"?:\\\\Windows\\\\AdminArsenal\\\\PDQDeployRunner\\\\*\\\\exec\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\Sysmon.exe\",\n \"?:\\\\Windows\\\\Sysmon64.exe\",\n \"?:\\\\Windows\\\\System32\\\\csrss.exe\",\n \"?:\\\\Windows\\\\System32\\\\MRT.exe\",\n \"?:\\\\Windows\\\\System32\\\\msiexec.exe\",\n \"?:\\\\Windows\\\\System32\\\\taskhostw.exe\",\n \"?:\\\\Windows\\\\System32\\\\RtkAudUService64.exe\",\n \"?:\\\\Windows\\\\System32\\\\wbem\\\\WmiPrvSE.exe\",\n \"?:\\\\Windows\\\\SysWOW64\\\\wbem\\\\WmiPrvSE.exe\", \n \"?:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\*\\\\pmfexe.exe\", \n \"?:\\\\Program Files\\\\Goverlan Inc\\\\GoverlanAgent\\\\GovAgentx64.exe\", \n \"?:\\\\Program Files (x86)\\\\CheckPoint\\\\Endpoint Security\\\\EFR\\\\EFRService.exe\", \n \"?:\\\\Program Files (x86)\\\\CyberCNSAgent\\\\osqueryi.exe\", \n \"?:\\\\Program Files (x86)\\\\Trend Micro\\\\Security Agent\\\\TMASutility.exe\", \n \"?:\\\\Program Files (x86)\\\\Kaspersky Lab\\\\KES*\\\\avp.exe\", \n \"?:\\\\Program Files\\\\Wise\\\\Wise Memory 
Optimizer\\\\WiseMemoryOptimzer.exe\", \n \"?:\\\\Windows\\\\tenable_mw_scan_142a90001fb65e0beb1751cc8c63edd0.exe\"\n ) and not ?process.code_signature.trusted == false\n )\n", "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "m365_defender", "version": "^2.0.0"}], "required_fields": [{"ecs": false, "name": "Target.process.name", "type": "unknown"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.Ext.api.name", "type": "unknown"}, {"ecs": true, "name": "process.code_signature.trusted", "type": "boolean"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "ff4599cb-409f-4910-a239-52e4e6f532ff", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Execution", "Data Source: Elastic Defend", "Data Source: Microsoft Defender for Endpoint"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0006", "name": "Credential Access", "reference": "https://attack.mitre.org/tactics/TA0006/"}, "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": "https://attack.mitre.org/techniques/T1003/", "subtechnique": [{"id": "T1003.001", "name": "LSASS Memory", "reference": "https://attack.mitre.org/techniques/T1003/001/"}]}]}, {"framework": "MITRE ATT&CK", "tactic": {"id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/"}, "technique": [{"id": "T1106", "name": "Native API", "reference": "https://attack.mitre.org/techniques/T1106/"}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 9}, "id": "ff4599cb-409f-4910-a239-52e4e6f532ff_9", "type": "security-rule"} \ No newline at end of file 
diff --git a/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02.json b/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02.json
deleted file mode 100644
index d905448b911..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a transport rule creation in Microsoft 365. As a best practice, Exchange Online mail transport rules should not be set to forward email to domains outside of your organization. An adversary may create transport rules to exfiltrate data.", "false_positives": ["A new transport rule may be created by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Transport Rule Creation", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-TransportRule\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps", "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", 
"name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 206}, "id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_101.json b/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_101.json
deleted file mode 100644
index fbf94f941a8..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_101.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a transport rule creation in Microsoft 365. As a best practice, Exchange Online mail transport rules should not be set to forward email to domains outside of your organization. An adversary may create transport rules to exfiltrate data.", "false_positives": ["A new transport rule may be created by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Transport Rule Creation", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-TransportRule\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps", "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", "name": 
"Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 101}, "id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02_101", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_102.json b/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_102.json
deleted file mode 100644
index a4eb8034562..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_102.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a transport rule creation in Microsoft 365. As a best practice, Exchange Online mail transport rules should not be set to forward email to domains outside of your organization. An adversary may create transport rules to exfiltrate data.", "false_positives": ["A new transport rule may be created by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Transport Rule Creation", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-TransportRule\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps", "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"], "related_integrations": [{"package": "o365", "version": "^1.3.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", 
"name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 102}, "id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02_102", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_103.json b/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_103.json
deleted file mode 100644
index 478c7555d8a..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_103.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a transport rule creation in Microsoft 365. As a best practice, Exchange Online mail transport rules should not be set to forward email to domains outside of your organization. An adversary may create transport rules to exfiltrate data.", "false_positives": ["A new transport rule may be created by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Transport Rule Creation", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-TransportRule\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps", "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", 
"name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02_103", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_105.json b/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_105.json
deleted file mode 100644
index 9e94aa89336..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff4dd44a-0ac6-44c4-8609-3f81bc820f02_105.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies a transport rule creation in Microsoft 365. As a best practice, Exchange Online mail transport rules should not be set to forward email to domains outside of your organization. An adversary may create transport rules to exfiltrate data.", "false_positives": ["A new transport rule may be created by a system or network administrator. Verify that the configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "from": "now-30m", "index": ["filebeat-*", "logs-o365*"], "language": "kuery", "license": "Elastic License v2", "name": "Microsoft 365 Exchange Transport Rule Creation", "note": "", "query": "event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:\"New-TransportRule\" and event.outcome:success\n", "references": ["https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps", "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"], "related_integrations": [{"package": "o365", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}, {"ecs": true, "name": "event.outcome", "type": "keyword"}, {"ecs": true, "name": "event.provider", "type": "keyword"}], "risk_score": 47, "rule_id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02", "setup": "The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Exfiltration"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0010", "name": "Exfiltration", "reference": "https://attack.mitre.org/tactics/TA0010/"}, "technique": [{"id": "T1537", 
"name": "Transfer Data to Cloud Account", "reference": "https://attack.mitre.org/techniques/T1537/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 105}, "id": "ff4dd44a-0ac6-44c4-8609-3f81bc820f02_105", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff6cf8b9-b76c-4cc1-ac1b-4935164d1029.json b/packages/security_detection_engine/kibana/security_rule/ff6cf8b9-b76c-4cc1-ac1b-4935164d1029.json
deleted file mode 100644
index 6407d343b9c..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff6cf8b9-b76c-4cc1-ac1b-4935164d1029.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of an Alternate Data Stream (ADS) at a volume root directory, which can indicate the attempt to hide tools and malware, as ADSs created in this directory are not displayed by system utilities.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Alternate Data Stream Creation/Execution at Volume Root Directory", "query": "any where host.os.type == \"windows\" and event.category in (\"file\", \"process\") and \n (\n (event.type == \"creation\" and file.path regex~ \"\"\"[A-Z]:\\\\:.+\"\"\") or \n (event.type == \"start\" and process.executable regex~ \"\"\"[A-Z]:\\\\:.+\"\"\")\n )\n", "references": ["https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.004", "name": "NTFS File Attributes", "reference": 
"https://attack.mitre.org/techniques/T1564/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff6cf8b9-b76c-4cc1-ac1b-4935164d1029_1.json b/packages/security_detection_engine/kibana/security_rule/ff6cf8b9-b76c-4cc1-ac1b-4935164d1029_1.json
deleted file mode 100644
index 50528b2def5..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff6cf8b9-b76c-4cc1-ac1b-4935164d1029_1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies the creation of an Alternate Data Stream (ADS) at a volume root directory, which can indicate the attempt to hide tools and malware, as ADSs created in this directory are not displayed by system utilities.", "from": "now-9m", "index": ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*"], "language": "eql", "license": "Elastic License v2", "name": "Alternate Data Stream Creation/Execution at Volume Root Directory", "query": "any where host.os.type == \"windows\" and event.category in (\"file\", \"process\") and \n (\n (event.type == \"creation\" and file.path regex~ \"\"\"[A-Z]:\\\\:.+\"\"\") or \n (event.type == \"start\" and process.executable regex~ \"\"\"[A-Z]:\\\\:.+\"\"\")\n )\n", "references": ["https://www.crowdstrike.com/blog/anatomy-of-alpha-spider-ransomware/"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}, {"package": "windows", "version": "^1.5.0"}], "required_fields": [{"ecs": true, "name": "event.category", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "file.path", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": true, "name": "process.executable", "type": "keyword"}], "risk_score": 47, "rule_id": "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": "https://attack.mitre.org/techniques/T1564/", "subtechnique": [{"id": "T1564.004", "name": "NTFS File Attributes", "reference": 
"https://attack.mitre.org/techniques/T1564/004/"}]}]}], "timestamp_override": "event.ingested", "type": "eql", "version": 1}, "id": "ff6cf8b9-b76c-4cc1-ac1b-4935164d1029_1", "type": "security-rule"}
\ No newline at end of file
diff --git a/packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1.json b/packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1.json
deleted file mode 100644
index 6de5f1f4e79..00000000000
--- a/packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1.json
+++ /dev/null
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a firewall rule is deleted in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. These firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances or specific applications. An adversary may delete a firewall rule in order to weaken their target's security controls.", "false_positives": ["Firewall rules may be deleted by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Firewall Rule Deletion", "note": "", "query": "event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule)\n", "references": ["https://cloud.google.com/vpc/docs/firewalls", "https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 104}, "id": 
"ff9b571e-61d6-4f6c-9561-eb4cca3bafe1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1_103.json b/packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1_103.json deleted file mode 100644 index d835d2755e6..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ff9b571e-61d6-4f6c-9561-eb4cca3bafe1_103.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "Identifies when a firewall rule is deleted in Google Cloud Platform (GCP) for Virtual Private Cloud (VPC) or App Engine. These firewall rules can be configured to allow or deny connections to or from virtual machine (VM) instances or specific applications. An adversary may delete a firewall rule in order to weaken their target's security controls.", "false_positives": ["Firewall rules may be deleted by system administrators. Verify that the firewall configuration change was expected. Exceptions can be added to this rule to filter expected behavior."], "index": ["filebeat-*", "logs-gcp*"], "language": "kuery", "license": "Elastic License v2", "name": "GCP Firewall Rule Deletion", "note": "", "query": "event.dataset:gcp.audit and event.action:(*.compute.firewalls.delete or google.appengine.*.Firewall.Delete*Rule)\n", "references": ["https://cloud.google.com/vpc/docs/firewalls", "https://cloud.google.com/appengine/docs/standard/python/understanding-firewalls"], "related_integrations": [{"integration": "audit", "package": "gcp", "version": "^2.0.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.dataset", "type": "keyword"}], "risk_score": 47, "rule_id": "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1", "setup": "The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.", "severity": "medium", "tags": ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Configuration Audit"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/"}, "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/"}]}], "timestamp_override": "event.ingested", "type": "query", "version": 103}, "id": 
"ff9b571e-61d6-4f6c-9561-eb4cca3bafe1_103", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b.json b/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b.json deleted file mode 100644 index f76c03b02ef..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects potential sudo token manipulation attacks through process injection by monitoring the use of a debugger (gdb) process followed by a successful uid change event during the execution of the sudo process. A sudo token manipulation attack is performed by injecting into a process that has a valid sudo token, which can then be used by attackers to activate their own sudo token. This attack requires ptrace to be enabled in conjunction with the existence of a living process that has a valid sudo token with the same uid as the current user.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Sudo Token Manipulation via Process Injection", "query": "sequence by host.id, process.session_leader.entity_id with maxspan=15s\n[ process where host.os.type == \"linux\" and event.type == \"start\" and event.action == \"exec\" and \n process.name == \"gdb\" and process.user.id != \"0\" and process.group.id != \"0\" ]\n[ process where host.os.type == \"linux\" and event.action == \"uid_change\" and event.type == \"change\" and \n process.name == \"sudo\" and process.user.id == \"0\" and process.group.id == \"0\" ]\n", "references": ["https://github.com/nongiach/sudo_inject"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.group.id", "type": "unknown"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.session_leader.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b", "setup": "## 
Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.008", "name": "Ptrace System Calls", "reference": "https://attack.mitre.org/techniques/T1055/008/"}]}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "type": "eql", "version": 5}, "id": "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_1.json b/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_1.json deleted file mode 100644 index ff49ca4c706..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_1.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects potential sudo token manipulation attacks through process injection by monitoring the use of a debugger (gdb) process followed by a successful uid change event during the execution of the sudo process. A sudo token manipulation attack is performed by injecting into a process that has a valid sudo token, which can then be used by attackers to activate their own sudo token. This attack requires ptrace to be enabled in conjunction with the existence of a living process that has a valid sudo token with the same uid as the current user.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Sudo Token Manipulation via Process Injection", "query": "sequence by host.id, process.session_leader.entity_id with maxspan=15s\n[ process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name == \"gdb\" and process.user.id != \"0\" and process.group.id != \"0\" ]\n[ process where host.os.type == \"linux\" and event.action == \"uid_change\" and event.type == \"change\" and \n process.name == \"sudo\" and process.user.id == \"0\" and process.group.id == \"0\" ]\n", "references": ["https://github.com/nongiach/sudo_inject"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.group.id", "type": "unknown"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.session_leader.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b", "severity": 
"medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.008", "name": "Ptrace System Calls", "reference": "https://attack.mitre.org/techniques/T1055/008/"}]}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "type": "eql", "version": 1}, "id": "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_1", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_2.json b/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_2.json deleted file mode 100644 index 2ec8e156c0d..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_2.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects potential sudo token manipulation attacks through process injection by monitoring the use of a debugger (gdb) process followed by a successful uid change event during the execution of the sudo process. A sudo token manipulation attack is performed by injecting into a process that has a valid sudo token, which can then be used by attackers to activate their own sudo token. This attack requires ptrace to be enabled in conjunction with the existence of a living process that has a valid sudo token with the same uid as the current user.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Sudo Token Manipulation via Process Injection", "query": "sequence by host.id, process.session_leader.entity_id with maxspan=15s\n[ process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name == \"gdb\" and process.user.id != \"0\" and process.group.id != \"0\" ]\n[ process where host.os.type == \"linux\" and event.action == \"uid_change\" and event.type == \"change\" and \n process.name == \"sudo\" and process.user.id == \"0\" and process.group.id == \"0\" ]\n", "references": ["https://github.com/nongiach/sudo_inject"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.group.id", "type": "unknown"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.session_leader.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b", "severity": 
"medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.008", "name": "Ptrace System Calls", "reference": "https://attack.mitre.org/techniques/T1055/008/"}]}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "type": "eql", "version": 2}, "id": "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_2", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_3.json b/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_3.json deleted file mode 100644 index bfb7ab754a8..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_3.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects potential sudo token manipulation attacks through process injection by monitoring the use of a debugger (gdb) process followed by a successful uid change event during the execution of the sudo process. A sudo token manipulation attack is performed by injecting into a process that has a valid sudo token, which can then be used by attackers to activate their own sudo token. This attack requires ptrace to be enabled in conjunction with the existence of a living process that has a valid sudo token with the same uid as the current user.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Sudo Token Manipulation via Process Injection", "query": "sequence by host.id, process.session_leader.entity_id with maxspan=15s\n[ process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name == \"gdb\" and process.user.id != \"0\" and process.group.id != \"0\" ]\n[ process where host.os.type == \"linux\" and event.action == \"uid_change\" and event.type == \"change\" and \n process.name == \"sudo\" and process.user.id == \"0\" and process.group.id == \"0\" ]\n", "references": ["https://github.com/nongiach/sudo_inject"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.group.id", "type": "unknown"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.session_leader.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b", "setup": 
"\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click Add integrations.\n- In the query bar, search for Elastic Defend and select the integration to see more details about it.\n- Click Add Elastic Defend.\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in New agent policy name. 
If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click Save and Continue.\n- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.008", "name": "Ptrace System Calls", "reference": "https://attack.mitre.org/techniques/T1055/008/"}]}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "type": "eql", "version": 3}, "id": "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_3", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_4.json b/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_4.json deleted file mode 100644 index 6e00d93bad7..00000000000 --- a/packages/security_detection_engine/kibana/security_rule/ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_4.json +++ /dev/null 
@@ -1 +0,0 @@ -{"attributes": {"author": ["Elastic"], "description": "This rule detects potential sudo token manipulation attacks through process injection by monitoring the use of a debugger (gdb) process followed by a successful uid change event during the execution of the sudo process. A sudo token manipulation attack is performed by injecting into a process that has a valid sudo token, which can then be used by attackers to activate their own sudo token. This attack requires ptrace to be enabled in conjunction with the existence of a living process that has a valid sudo token with the same uid as the current user.", "from": "now-9m", "index": ["logs-endpoint.events.*"], "language": "eql", "license": "Elastic License v2", "name": "Potential Sudo Token Manipulation via Process Injection", "query": "sequence by host.id, process.session_leader.entity_id with maxspan=15s\n[ process where host.os.type == \"linux\" and event.action == \"exec\" and event.type == \"start\" and \n process.name == \"gdb\" and process.user.id != \"0\" and process.group.id != \"0\" ]\n[ process where host.os.type == \"linux\" and event.action == \"uid_change\" and event.type == \"change\" and \n process.name == \"sudo\" and process.user.id == \"0\" and process.group.id == \"0\" ]\n", "references": ["https://github.com/nongiach/sudo_inject"], "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}], "required_fields": [{"ecs": true, "name": "event.action", "type": "keyword"}, {"ecs": true, "name": "event.type", "type": "keyword"}, {"ecs": true, "name": "host.id", "type": "keyword"}, {"ecs": true, "name": "host.os.type", "type": "keyword"}, {"ecs": false, "name": "process.group.id", "type": "unknown"}, {"ecs": true, "name": "process.name", "type": "keyword"}, {"ecs": true, "name": "process.session_leader.entity_id", "type": "keyword"}, {"ecs": true, "name": "process.user.id", "type": "keyword"}], "risk_score": 47, "rule_id": "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b", "setup": 
"\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n\n", "severity": "medium", "tags": ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"], "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/"}, "technique": [{"id": "T1055", "name": "Process Injection", "reference": "https://attack.mitre.org/techniques/T1055/", "subtechnique": [{"id": "T1055.008", "name": "Ptrace System Calls", "reference": "https://attack.mitre.org/techniques/T1055/008/"}]}, {"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [{"id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/"}]}]}], "type": "eql", "version": 4}, "id": "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b_4", "type": "security-rule"} \ No newline at end of file diff --git a/packages/security_detection_engine/manifest.yml b/packages/security_detection_engine/manifest.yml index fb12b0de488..4242e6f0abf 100644 --- a/packages/security_detection_engine/manifest.yml +++ b/packages/security_detection_engine/manifest.yml 
@@ -6,7 +6,7 @@ conditions: - security subscription: basic kibana: - version: ^8.17.0 + version: ^8.16.0 description: Prebuilt detection rules for Elastic Security format_version: 3.0.0 icons: From 46c047e79213d163ecfc34119bf7da8d1c4cab2c Mon Sep 17 00:00:00 2001 From: Shashank K S Date: Wed, 27 Nov 2024 20:30:17 +0530 Subject: [PATCH 2/2] Fixing versions and changelog --- packages/security_detection_engine/changelog.yml | 4 ++-- packages/security_detection_engine/manifest.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/packages/security_detection_engine/changelog.yml b/packages/security_detection_engine/changelog.yml index b9e5e92ff8a..f63444ff91f 100644 --- a/packages/security_detection_engine/changelog.yml +++ b/packages/security_detection_engine/changelog.yml @@ -1,10 +1,10 @@ # newer versions go on top # NOTE: please use pre-release versions (e.g. -beta.0) until a package is ready for production -- version: 8.16.2-beta.1 +- version: 8.16.2-beta.2 changes: - description: Release security rules update type: enhancement - link: https://github.com/elastic/integrations/pulls/0000 + link: https://github.com/elastic/integrations/pull/11900 - version: 8.16.2-beta.1 changes: - description: Release security rules update for testing smart limits diff --git a/packages/security_detection_engine/manifest.yml b/packages/security_detection_engine/manifest.yml index 4242e6f0abf..a9bed3c3b72 100644 --- a/packages/security_detection_engine/manifest.yml +++ b/packages/security_detection_engine/manifest.yml @@ -21,4 +21,4 @@ source: license: Elastic-2.0 title: Prebuilt Security Detection Rules type: integration -version: 8.16.2-beta.1 +version: 8.16.2-beta.2